rpms/setroubleshoot
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merged update from upstream sources

Browse Source 
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/setroubleshoot.git#e538407cbb691d66476486c508a8426b6292e2a6
This commit is contained in:
DistroBaker 2021-03-14 19:57:56 +00:00
parent 4abd313890
commit 7d7044a7bf
7 changed files with 12 additions and 9064 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -209,3 +209,4 @@ setroubleshoot-2.2.93.tar.gz
/setroubleshoot-3.3.22.tar.gz
/setroubleshoot-3.3.23.tar.gz
/setroubleshoot-3.3.24.tar.gz
/setroubleshoot-3.3.25.tar.gz

8846
0001-framework-Update-translations.patch
View File

File diff suppressed because it is too large Load Diff

153
0002-framework-util-optimize-get_rpm_nvr_by_type-by-addin.patch
View File

@ -1,153 +0,0 @@
From 6fbf777bc59c005e04d4616b9aebeb7c7f0866c0 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 13 Jan 2021 12:43:54 +0100
Subject: [PATCH] framework/util: optimize get_rpm_nvr_by_type by adding a
cache
The cache build could be optimized by assuming that all modules with
priority 100 are part of selinux-policy-<policytype> package. This way
the cache would only have to contain types from modules of other
priorities.
Another optimization would be making the cache persistent. This way it
would only have to be rebuild on policy reload (sedispatch could trigger
cache rebuild over dbus).
My testing shows significant time save when processing multiple AVCs:
setroubleshoot-server-3.3.24-1.el8:
real 2m26.075s
user 2m17.989s
sys 0m5.916s
Cache:
real 0m15.337s
user 0m11.004s
sys 0m3.995s
But curiously, there is also a small time save for individual AVCs
(measured by forcing the cache rebuild for each call of
get_rpm_nvr_by_type):
real 1m40.393s
user 1m32.830s
sys 0m5.960s
It could be caused by processing policy modules by lines, which quickly
eliminates all lines not starting by "(type " (as opposed to comparing
the regular expression with the whole file).
---
framework/src/setroubleshoot/util.py | 86 +++++++++++++++++++++-------
1 file changed, 65 insertions(+), 21 deletions(-)
diff --git a/framework/src/setroubleshoot/util.py b/framework/src/setroubleshoot/util.py
index 023d1c4..657c882 100755
--- a/framework/src/setroubleshoot/util.py
+++ b/framework/src/setroubleshoot/util.py
@@ -114,6 +114,12 @@ hex_re = re.compile('^[A-Fa-f0-9]+$')
href_re = re.compile(r'<a\s*href="([^"]+)"[^<]*</a>')
name_at_domain_re = re.compile(r'^([^\s@]+)@([^\s@]+)$')
audit_decode_re = re.compile(r'^\s*"([^"]+)"\s*$')
+# regexp matching lines containing type definitions, eg. (type lib_t)
+# contains only 1 group that matches the type name
+typedef_regexp = re.compile(r"\s*\(\s*type\s+([\w-]+)\s*\)\s*")
+#Dictionary with all types defined in the module store as keys
+#and corresponding module paths as values. Used by get_package_nvr_by_name
+module_type_cache = None
log_level = syslog.LOG_WARNING
@@ -425,33 +431,71 @@ Finds an SELinux module which defines given SELinux type
'mysql-selinux-...
"""
+
+ if module_type_cache is None:
+ build_module_type_cache()
+ if module_type_cache is None:
+ return None
+
+ path = module_type_cache.get(selinux_type, None)
+
+ return get_package_nvr_by_file_path(path)
+
+# check if given string represents an integer
+def __str_is_int(str):
+ try:
+ int(str)
+ return True
+ except:
+ return False
+
+def build_module_type_cache():
+ """
+Creates a dictionary with all types defined in the module store as keys
+and corresponding module paths as values.
+The dictionary is stored in "module_type_cache" to be used by
+"get_rpm_nvr_by_type"
+ """
retval, policytype = selinux.selinux_getpolicytype()
+
if retval != 0:
- return None
- typedef = "(type {})\n".format(selinux_type)
- modules = []
- for (dirpath, dirnames, filenames) in os.walk("/var/lib/selinux/{}/active/modules".format(policytype)):
- if "cil" in filenames:
- try:
- defined = False
+ return
+
+ module_type_dict = dict()
+
+ priorities = []
+
+ # get list of module priorities, present in the module store, sorted by integer value
+ with os.scandir("/var/lib/selinux/{}/active/modules".format(policytype)) as module_store:
+ priorities = sorted([x.name for x in module_store if x.is_dir() and __str_is_int(x.name)], key = lambda x: int(x))
+
+ for dir in priorities:
+ # find individual modules in each priority and identify type definitions
+ for (dirpath, dirnames, filenames) in os.walk("/var/lib/selinux/{}/active/modules/{}".format(policytype,dir)):
+ if "cil" in filenames:
try:
- # cil files are bzip2'ed by default
- defined = typedef.encode() in bz2.open("{}/cil".format(dirpath))
- except:
- # maybe cil file is not bzip2'ed, try plain text
- defined = typedef in open("{}/cil".format(dirpath))
+ try:
+ # cil files are bzip2'ed by default
+ f = bz2.open("{}/cil".format(dirpath), mode = 'rt')
- if defined:
- modules.append(dirpath)
- except:
- # something's wrong, move on
- # FIXME: log a problem?
- pass
+ except:
+ # maybe cil file is not bzip2'ed, try plain text
+ f = open("{}/cil".format(dirpath))
- if len(modules) > 0:
- return get_package_nvr_by_file_path(sorted(modules)[-1])
+ for line in f:
+ result = typedef_regexp.match(line)
+ if result:
+ module_type_dict[result.group(1)] = dirpath
- return None
+ f.close()
+
+ except:
+ # something's wrong, move on
+ # FIXME: log a problem?
+ pass
+
+ global module_type_cache
+ module_type_cache = module_type_dict
def get_rpm_nvr_by_scontext(scontext, use_dbus=False):
"""
--
2.29.2

30
0003-framework-sealert-exit-on-any-connection-close.patch
View File

@ -1,30 +0,0 @@
From e339956442fb7284bce31e132b0be7ad0f3badc5 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 2 Feb 2021 13:18:49 +0100
Subject: [PATCH] framework/sealert: exit on any connection close
SECommandLine is only connecting to setroubleshootd for a short time.
Therefore any connection close from "server" side should be treated as
error.
This prevents "sealert" from hanging when setroubleshootd crashes.
---
framework/src/sealert | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/framework/src/sealert b/framework/src/sealert
index 7839367..bae0c81 100755
--- a/framework/src/sealert
+++ b/framework/src/sealert
@@ -488,7 +488,7 @@ class SECommandLine(object):
def on_connection_state_change(self, connection, connection_state, flags, flags_added, flags_removed):
log_debug("%s.on_connection_state_change: connection_state=%s flags_added=%s flags_removed=%s address=%s" % (self.__class__.__name__, connection_state, connection_state.flags_to_string(flags_added), connection_state.flags_to_string(flags_removed), connection.socket_address))
- if flags_added & ConnectionState.ERROR:
+ if (flags_added & (ConnectionState.ERROR | ConnectionState.HUP)) or (flags_removed & ConnectionState.OPEN):
errno, strerror = connection_state.get_result()
print("failed to connect to server: %s" % (strerror), file=sys.stderr)
sys.exit(1)
--
2.29.2

26
setroubleshoot-po.patch
View File

@ -1,26 +0,0 @@
diff -up setroubleshoot-3.2.14/po/bn_IN.po~ setroubleshoot-3.2.14/po/bn_IN.po
--- setroubleshoot-3.2.14/po/bn_IN.po~ 2013-11-20 10:01:40.717181224 -0500
+++ setroubleshoot-3.2.14/po/bn_IN.po 2013-11-20 10:02:47.154195170 -0500
@@ -165,9 +165,7 @@ msgstr "উৎসের পà§<C3A0>রকà§<C3A0>à
#: ../src/browser.py:269
msgid "Attempted Access"
-msgstr ""
-"\n"
-"বà§<C3A0>যবহারের পà§<C3A0>রয়াস\n"
+msgstr "বà§<C3A0>যবহারের পà§<C3A0>রয়াস"
#: ../src/browser.py:269
msgid "On this"
@@ -222,9 +220,8 @@ msgstr ""
msgid ""
"Report\n"
"Bug"
-msgstr ""
-"বাগ সমà§<C3A0>পরà§<C3A0>কে\n"
-"সূচিত করà§<C3A0>ন\n"
+msgstr "বাগ সমà§<C3A0>পরà§<C3A0>কে\n"
+"সূচিত করà§<C3A0>ন"
#: ../src/browser.py:543
#, python-format

18
setroubleshoot.spec
View File

@ -3,27 +3,24 @@
Summary: Helps troubleshoot SELinux problems
Name: setroubleshoot
Version: 3.3.24
Release: 4%{?dist}
Version: 3.3.25
Release: 1%{?dist}
License: GPLv2+
URL: https://pagure.io/setroubleshoot
Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
Source1: %{name}.tmpfiles
# git format-patch -N setroubleshoot-3.3.24 -- framework
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
Patch0001: 0001-framework-Update-translations.patch
Patch0002: 0002-framework-util-optimize-get_rpm_nvr_by_type-by-addin.patch
Patch0003: 0003-framework-sealert-exit-on-any-connection-close.patch
BuildRequires: gcc
BuildRequires: make
BuildRequires: libcap-ng-devel
BuildRequires: intltool gettext python3 python3-devel
BuildRequires: desktop-file-utils dbus-glib-devel gtk2-devel libnotify-devel audit-libs-devel libselinux-devel polkit-devel
BuildRequires: python3-libselinux python3-pydbus python3-gobject gtk3-devel
BuildRequires: python3-libselinux python3-dasbus python3-gobject gtk3-devel
Requires: %{name}-server = %{version}-%{release}
Requires: gtk3, libnotify
Requires: libreport-gtk >= 2.2.1-2, python3-libreport
Requires: python3-gobject, python3-pydbus
Requires: python3-gobject, python3-dasbus
Requires(post): desktop-file-utils
Requires(post): dbus
Requires(postun): desktop-file-utils
@ -101,7 +98,7 @@ BuildRequires: python3-devel
Requires: python3-slip-dbus systemd-python3 >= 206-1
Requires: python3-gobject-base >= 3.11
Requires: dbus
Requires: python3-dbus python3-pydbus
Requires: python3-dbus python3-dasbus
Requires: polkit
Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd
@ -191,6 +188,11 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
%doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO
%changelog
* Wed Mar 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3.25-1
- Use Python dasbus instead of pydbus
- Optimize get_rpm_nvr_by_type by adding a cache
- Update translations
* Tue Feb 02 2021 Vit Mojzis <vmojzis@redhat.com> - 3.3.24-4
- sealert: exit on any connection close

2
sources
View File

@ -1 +1 @@
SHA512 (setroubleshoot-3.3.24.tar.gz) = ba96206fe135a719b685c825a69ebf7f9f6d99c6a24fb135763da9cee5ad14b1afdca5da1465374d327eb51ff830727a20b79ec51902e50f2e790661c63c0a0d
SHA512 (setroubleshoot-3.3.25.tar.gz) = cbac9ef9ccbc192e8043a606366bda7c26989e2b144b619d78dd2cf8ed9a22844e509cd8666392f6cca5c6e37421d04745a731a34e073a54c2e857932c9e93e0