diff --git a/policycoreutils.spec b/policycoreutils.spec
index 6fd3af7..3d504e8 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,7 +1,7 @@
 %global libauditver 2.1.3-4
-%global libsepolver 2.8-1
-%global libsemanagever 2.8-4
-%global libselinuxver 2.8-4
+%global libsepolver 2.8-3
+%global libsemanagever 2.8-6
+%global libselinuxver 2.8-5
 %global sepolgenver 2.8
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
@@ -12,7 +12,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.8
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@@ -531,6 +531,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Mon Nov 12 2018 Petr Lautrbach - 2.8-12
+- sepolicy,semanage: replace aliases with corresponding type names
+- sepolicy-generate: Handle more reserved port types
+- Fix RESOURCE_LEAK coverity scan defects
+
 * Tue Oct 16 2018 Petr Lautrbach - 2.8-11
 - sepolicy: Fix get_real_type_name to handle query failure properly
 - sepolicy: search() for dontaudit rules as well
diff --git a/restorecond-fedora.patch b/restorecond-fedora.patch
index e69de29..e386f21 100644
--- a/restorecond-fedora.patch
+++ b/restorecond-fedora.patch
@@ -0,0 +1,12 @@
+diff --git restorecond-2.8/restorecond.c restorecond-2.8/restorecond.c
+index 6fbbd35..e1d26cb 100644
+--- restorecond-2.8/restorecond.c
++++ restorecond-2.8/restorecond.c
+@@ -105,6 +105,7 @@ static int write_pid_file(void)
+ }
+ if (write(pidfd, val, (unsigned int)len) != len) {
+ syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));
++ close(pidfd);
+ return 1;
+ }
+ close(pidfd);
diff --git a/selinux-python-fedora.patch b/selinux-python-fedora.patch
index ecabd7d..40da556 100644
--- a/selinux-python-fedora.patch
+++ b/selinux-python-fedora.patch
@@ -262,7 +262,7 @@ index 0bdb90f..0cdcfcc 100644
  user identities to authorized role sets. In most cases, only the former
  mapping needs to be adjusted by the administrator; the latter
 diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
-index c76dce8..26f3376 100644
+index c76dce8..972d5af 100644
 --- selinux-python-2.8/semanage/seobject.py
 +++ selinux-python-2.8/semanage/seobject.py
 @@ -30,7 +30,7 @@ import sys
@@ -349,79 +349,78 @@ index c76dce8..26f3376 100644 raise error def get_all_logins(self): -@@ -1087,7 +1081,7 @@ class portRecords(semanageRecords): +@@ -1087,6 +1081,8 @@ class portRecords(semanageRecords): if type == "": raise ValueError(_("Type is required")) -- if type not in self.valid_types: -+ if sepolicy.get_real_type_name(type) not in self.valid_types: ++ type = sepolicy.get_real_type_name(type) ++ + if type not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a port type") % type) - (k, proto_d, low, high) = self.__genkey(port, proto) -@@ -1151,7 +1145,7 @@ class portRecords(semanageRecords): +@@ -1151,6 +1147,7 @@ class portRecords(semanageRecords): else: raise ValueError(_("Requires setype")) -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: ++ setype = sepolicy.get_real_type_name(setype) + if setype and setype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a port type") % setype) - (k, proto_d, low, high) = self.__genkey(port, proto) -@@ -1355,7 +1349,7 @@ class ibpkeyRecords(semanageRecords): +@@ -1355,6 +1352,8 @@ class ibpkeyRecords(semanageRecords): if type == "": raise ValueError(_("Type is required")) -- if type not in self.valid_types: -+ if sepolicy.get_real_type_name(type) not in self.valid_types: ++ type = sepolicy.get_real_type_name(type) ++ + if type not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type) - (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) -@@ -1417,7 +1411,7 @@ class ibpkeyRecords(semanageRecords): +@@ -1417,6 +1416,8 @@ class ibpkeyRecords(semanageRecords): else: raise ValueError(_("Requires setype")) -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: ++ setype = sepolicy.get_real_type_name(setype) ++ + if setype and setype not in self.valid_types: raise 
ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) - (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) -@@ -1603,7 +1597,7 @@ class ibendportRecords(semanageRecords): +@@ -1603,6 +1604,8 @@ class ibendportRecords(semanageRecords): if type == "": raise ValueError(_("Type is required")) -- if type not in self.valid_types: -+ if sepolicy.get_real_type_name(type) not in self.valid_types: ++ type = sepolicy.get_real_type_name(type) ++ + if type not in self.valid_types: raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) (k, ibendport, port) = self.__genkey(ibendport, ibdev_name) - -@@ -1664,7 +1658,7 @@ class ibendportRecords(semanageRecords): +@@ -1664,6 +1667,8 @@ class ibendportRecords(semanageRecords): else: raise ValueError(_("Requires setype")) -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: ++ setype = sepolicy.get_real_type_name(setype) ++ + if setype and setype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) - (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name) -@@ -1853,7 +1847,7 @@ class nodeRecords(semanageRecords): +@@ -1853,6 +1858,8 @@ class nodeRecords(semanageRecords): if ctype == "": raise ValueError(_("SELinux node type is required")) -- if ctype not in self.valid_types: -+ if sepolicy.get_real_type_name(ctype) not in self.valid_types: ++ ctype = sepolicy.get_real_type_name(ctype) ++ + if ctype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a node type") % ctype) - (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -@@ -1922,7 +1916,7 @@ class nodeRecords(semanageRecords): +@@ -1922,6 +1929,8 @@ class nodeRecords(semanageRecords): if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) 
not in self.valid_types: ++ setype = sepolicy.get_real_type_name(setype) ++ + if setype and setype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a node type") % setype) - (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -@@ -2241,7 +2235,6 @@ class fcontextRecords(semanageRecords): +@@ -2241,7 +2250,6 @@ class fcontextRecords(semanageRecords): try: valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) 
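Review bot: After the new `type = sepolicy.get_real_type_name(type)` line in portRecords.__add, the ValueError on the following line formats the resolved name rather than the string the caller supplied, so when an alias of a non-port type is rejected the message names a type the user never typed; keep the input in a local before resolving, e.g. `orig_type = type` and `... % orig_type` in the raise, or print both. Because the resolved name is also what the rest of the method goes on to use, a one-line comment at the resolution point would help readers of the semanage store, e.g. `# aliases are canonicalized here; the record stores the real type name`. The same pattern repeats in the __modify hunk and in the ibpkeyRecords, ibendportRecords and nodeRecords hunks of this unit, and in the fcontextRecords hunks that follow, so one fix shape should be applied to all of them. The enclosing methods start and end outside the hunk.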
@@ -429,24 +428,32 @@ index c76dce8..26f3376 100644 except RuntimeError: valid_types = [] -@@ -2369,7 +2362,7 @@ class fcontextRecords(semanageRecords): +@@ -2369,8 +2377,10 @@ class fcontextRecords(semanageRecords): if type == "": raise ValueError(_("SELinux Type is required")) - if type not in self.valid_types: -+ if type != "<>" and sepolicy.get_real_type_name(type) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a file or device type") % type) +- raise ValueError(_("Type %s is invalid, must be a file or device type") % type) ++ if type != "<>": ++ type = sepolicy.get_real_type_name(type) ++ if type not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a file or device type") % type) (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) -@@ -2432,7 +2425,7 @@ class fcontextRecords(semanageRecords): + if rc < 0: +@@ -2432,8 +2442,10 @@ class fcontextRecords(semanageRecords): def __modify(self, target, setype, ftype, serange, seuser): if serange == "" and setype == "" and seuser == "": raise ValueError(_("Requires setype, serange or seuser")) - if setype and setype not in self.valid_types: -+ if setype not in ["", "<>"] and sepolicy.get_real_type_name(setype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) +- raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) ++ if setype not in ["", "<>"]: ++ setype = sepolicy.get_real_type_name(setype) ++ if setype not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) self.validate(target) + diff --git selinux-python-2.8/sepolgen/src/sepolgen/access.py selinux-python-2.8/sepolgen/src/sepolgen/access.py index a5d8698..ba80f93 100644 --- selinux-python-2.8/sepolgen/src/sepolgen/access.py @@ -1491,7 +1498,7 @@ index 16e6680..64c48df 100644 def test_init(self): a = refpolicy.TypeRule() 
diff --git selinux-python-2.8/sepolicy/sepolicy.py selinux-python-2.8/sepolicy/sepolicy.py -index 141f64e..6287502 100755 +index 141f64e..5880176 100755 --- selinux-python-2.8/sepolicy/sepolicy.py +++ selinux-python-2.8/sepolicy/sepolicy.py @@ -27,7 +27,7 @@ import selinux @@ -1512,35 +1519,37 @@ index 141f64e..6287502 100755 if isinstance(values, str): setattr(namespace, self.dest, values) else: -@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action): +@@ -103,6 +101,7 @@ class CheckDomain(argparse.Action): domains = sepolicy.get_all_domains() if isinstance(values, str): -- if values not in domains: -+ if sepolicy.get_real_type_name(values) not in domains: ++ values = sepolicy.get_real_type_name(values) + if values not in domains: raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains))) setattr(namespace, self.dest, values) - else: -@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action): +@@ -112,6 +111,7 @@ class CheckDomain(argparse.Action): newval = [] for v in values: -- if v not in domains: -+ if sepolicy.get_real_type_name(v) not in domains: ++ v = sepolicy.get_real_type_name(v) + if v not in domains: raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains))) newval.append(v) - setattr(namespace, self.dest, newval) -@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action): +@@ -167,10 +167,11 @@ class CheckPortType(argparse.Action): if not newval: newval = [] for v in values: -- if v not in port_types: -+ if sepolicy.get_real_type_name(v) not in port_types: ++ v = sepolicy.get_real_type_name(v) + if v not in port_types: raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types))) newval.append(v) - setattr(namespace, self.dest, values) +- setattr(namespace, self.dest, values) ++ setattr(namespace, self.dest, newval) + + + class LoadPolicy(argparse.Action): 
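Review bot: The last change in CheckPortType, `setattr(namespace, self.dest, newval)` replacing `setattr(namespace, self.dest, values)`, does more than alias resolution: `self.dest` now receives the resolved, accumulated `newval` list where it previously received the raw `values` of the latest occurrence, so repeated port-type options appear to merge (the lines that seed `newval` are outside the hunk, so this is inferred). That is a user-visible change worth its own line in the spec changelog entry, which only mentions alias replacement, and a comment on the line, e.g. `# store the resolved, accumulated list, not the raw argparse values`. The three ValueError lines in this hunk also format the resolved `values`/`v` rather than what the user typed, the same concern as in seobject.py. The enclosing __call__ methods start outside the hunk.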
diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py -index 89346ab..c4f03f4 100644 +index 89346ab..d1f4bf5 100644 --- selinux-python-2.8/sepolicy/sepolicy/__init__.py +++ selinux-python-2.8/sepolicy/sepolicy/__init__.py @@ -15,7 +15,7 @@ import os @@ -1562,7 +1571,7 @@ index 89346ab..c4f03f4 100644 + results = list(q.results()) + + if name and len(results) < 1: -+ #type not found, try alias ++ # type not found, try alias + q.name = None + q.alias = name + results = list(q.results()) 
@@ -1634,31 +1643,37 @@ index 89346ab..c4f03f4 100644 if len(tertypes) > 0: q = setools.TERuleQuery(_pol, -@@ -437,6 +449,14 @@ def get_file_types(setype): +@@ -437,6 +449,20 @@ def get_file_types(setype): return mpaths -+# determine if entered type is an alias -+# and return corresponding type name +def get_real_type_name(name): ++ """Return the real name of a type ++ ++ * If 'name' refers to a type alias, return the corresponding type name. ++ * Otherwise return the original name (even if the type does not exist). ++ """ ++ if not name: ++ return name ++ + try: + return next(info(TYPE, name))["name"] + except (RuntimeError, StopIteration): -+ return None ++ return name + def get_writable_files(setype): file_types = get_all_file_types() all_writes = [] -@@ -1051,7 +1071,7 @@ def gen_short_name(setype): +@@ -1048,6 +1074,8 @@ def _dict_has_perms(dict, perms): + def gen_short_name(setype): + all_domains = get_all_domains() + if setype.endswith("_t"): ++ # replace aliases with corresponding types ++ setype = get_real_type_name(setype) domainname = setype[:-2] else: domainname = setype -- if domainname + "_t" not in all_domains: -+ if get_real_type_name(domainname + "_t") not in all_domains: - raise ValueError("domain %s_t does not exist" % domainname) - if domainname[-1] == 'd': - short_name = domainname[:-1] + "_" -@@ -1160,27 +1180,14 @@ def boolean_desc(boolean): +@@ -1160,27 +1188,14 @@ def boolean_desc(boolean): def get_os_version(): @@ -1693,7 +1708,7 @@ index 89346ab..c4f03f4 100644 def reinit(): diff --git selinux-python-2.8/sepolicy/sepolicy/generate.py selinux-python-2.8/sepolicy/sepolicy/generate.py -index f814e27..efab71e 100644 +index f814e27..8e53033 100644 --- selinux-python-2.8/sepolicy/sepolicy/generate.py +++ selinux-python-2.8/sepolicy/sepolicy/generate.py @@ -52,7 +52,7 @@ import sepolgen.defaults as defaults 
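Review bot: In gen_short_name only the `setype.endswith("_t")` branch is alias-resolved by the new `setype = get_real_type_name(setype)`; the `else` branch keeps `domainname = setype` unresolved, and the `domainname + "_t" not in all_domains` check that this hunk returns to upstream form (visible in the removed outer lines) will still reject an alias given in short form. If short-form aliases are meant to work, resolve after the branch instead: `domainname = get_real_type_name(domainname + "_t")[:-2]` — this assumes resolved names always end in `_t`, which the new docstring does not guarantee, so confirm before relying on the slice. The docstring on get_real_type_name is a clear improvement; the except clause would benefit from a why-comment, e.g. `# StopIteration: neither type nor alias matched; RuntimeError: presumably propagated from info()`. gen_short_name continues outside the hunk.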
@@ -1705,6 +1720,17 @@ index f814e27..efab71e 100644
  try:
  import gettext
  kwargs = {}
+@@ -103,7 +103,9 @@ def get_all_ports():
+ for p in sepolicy.info(sepolicy.PORT):
+ if p['type'] == "reserved_port_t" or \
+ p['type'] == "port_t" or \
+- p['type'] == "hi_reserved_port_t":
++ p['type'] == "hi_reserved_port_t" or \
++ p['type'] == "ephemeral_port_t" or \
++ p['type'] == "unreserved_port_t":
+ continue
+ dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
+ return dict
 diff --git selinux-python-2.8/sepolicy/sepolicy/gui.py selinux-python-2.8/sepolicy/sepolicy/gui.py
 index 537d516..63aa02c 100644
 --- selinux-python-2.8/sepolicy/sepolicy/gui.py
diff --git a/semodule-utils-fedora.patch b/semodule-utils-fedora.patch
index e69de29..cde0b2d 100644
--- a/semodule-utils-fedora.patch
+++ b/semodule-utils-fedora.patch
@@ -0,0 +1,12 @@
+diff --git semodule-utils-2.8/semodule_package/semodule_package.c semodule-utils-2.8/semodule_package/semodule_package.c
+index 3515234..7b75b3f 100644
+--- semodule-utils-2.8/semodule_package/semodule_package.c
++++ semodule-utils-2.8/semodule_package/semodule_package.c
+@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
+ }
+ if (!sb.st_size) {
+ *len = 0;
++ close(fd);
+ return 0;
+ }
+
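Review bot: The skip condition in get_all_ports now spans five `==` comparisons chained with `or` across backslash continuations, which is easy to get wrong when the next type is added; a membership test keeps the list in one place and makes extension a one-token change: `if p['type'] in ("reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t"):` followed by `continue`. A short comment above it stating why these port types are skipped when collecting ports would help the next person who has to decide whether a further type belongs in the list. get_all_ports starts outside the hunk.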