policycoreutils-2.8-12

- sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types
Petr Lautrbach 2018-11-12 22:02:22 +01:00
parent d0a54fbf96
commit 3183fc4035
4 changed files with 126 additions and 71 deletions


@ -1,7 +1,7 @@
%global libauditver 2.1.3-4 %global libauditver 2.1.3-4
%global libsepolver 2.8-1 %global libsepolver 2.8-3
%global libsemanagever 2.8-4 %global libsemanagever 2.8-6
%global libselinuxver 2.8-4 %global libselinuxver 2.8-5
%global sepolgenver 2.8 %global sepolgenver 2.8
%global generatorsdir %{_prefix}/lib/systemd/system-generators %global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -12,7 +12,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.8 Version: 2.8
Release: 11%{?dist} Release: 12%{?dist}
License: GPLv2 License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@ -531,6 +531,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types
- Fix RESOURCE_LEAK coverity scan defects
* Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11 * Tue Oct 16 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-11
- sepolicy: Fix get_real_type_name to handle query failure properly - sepolicy: Fix get_real_type_name to handle query failure properly
- sepolicy: search() for dontaudit rules as well - sepolicy: search() for dontaudit rules as well


@ -0,0 +1,12 @@
diff --git restorecond-2.8/restorecond.c restorecond-2.8/restorecond.c
index 6fbbd35..e1d26cb 100644
--- restorecond-2.8/restorecond.c
+++ restorecond-2.8/restorecond.c
@@ -105,6 +105,7 @@ static int write_pid_file(void)
}
if (write(pidfd, val, (unsigned int)len) != len) {
syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));
+ close(pidfd);
return 1;
}
close(pidfd);
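Review bot: The added `close(pidfd);` fixes the descriptor leak on the write-failure path, but it leaves write_pid_file closing pidfd on two separate exits, which is exactly how the original leak slipped in; a single exit that records the outcome and closes once is easier to keep correct, e.g. `int rc = (write(pidfd, val, (unsigned int)len) != len);` then `if (rc) syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));` and finally `close(pidfd); return rc;`. The function begins outside the hunk, so any earlier return between the open of pidfd and this write is not visible here and should be checked for the same leak.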


@ -262,7 +262,7 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
index c76dce8..26f3376 100644 index c76dce8..972d5af 100644
--- selinux-python-2.8/semanage/seobject.py --- selinux-python-2.8/semanage/seobject.py
+++ selinux-python-2.8/semanage/seobject.py +++ selinux-python-2.8/semanage/seobject.py
@@ -30,7 +30,7 @@ import sys @@ -30,7 +30,7 @@ import sys
@ -349,79 +349,78 @@ index c76dce8..26f3376 100644
raise error raise error
def get_all_logins(self): def get_all_logins(self):
@@ -1087,7 +1081,7 @@ class portRecords(semanageRecords): @@ -1087,6 +1081,8 @@ class portRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
- if type not in self.valid_types: + type = sepolicy.get_real_type_name(type)
+ if sepolicy.get_real_type_name(type) not in self.valid_types: +
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type) raise ValueError(_("Type %s is invalid, must be a port type") % type)
(k, proto_d, low, high) = self.__genkey(port, proto) @@ -1151,6 +1147,7 @@ class portRecords(semanageRecords):
@@ -1151,7 +1145,7 @@ class portRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types: + setype = sepolicy.get_real_type_name(setype)
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype) raise ValueError(_("Type %s is invalid, must be a port type") % setype)
(k, proto_d, low, high) = self.__genkey(port, proto) @@ -1355,6 +1352,8 @@ class ibpkeyRecords(semanageRecords):
@@ -1355,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
- if type not in self.valid_types: + type = sepolicy.get_real_type_name(type)
+ if sepolicy.get_real_type_name(type) not in self.valid_types: +
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type) raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) @@ -1417,6 +1416,8 @@ class ibpkeyRecords(semanageRecords):
@@ -1417,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types: + setype = sepolicy.get_real_type_name(setype)
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: +
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) @@ -1603,6 +1604,8 @@ class ibendportRecords(semanageRecords):
@@ -1603,7 +1597,7 @@ class ibendportRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
- if type not in self.valid_types: + type = sepolicy.get_real_type_name(type)
+ if sepolicy.get_real_type_name(type) not in self.valid_types: +
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name) (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1664,6 +1667,8 @@ class ibendportRecords(semanageRecords):
@@ -1664,7 +1658,7 @@ class ibendportRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types: + setype = sepolicy.get_real_type_name(setype)
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: +
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
(k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name) @@ -1853,6 +1858,8 @@ class nodeRecords(semanageRecords):
@@ -1853,7 +1847,7 @@ class nodeRecords(semanageRecords):
if ctype == "": if ctype == "":
raise ValueError(_("SELinux node type is required")) raise ValueError(_("SELinux node type is required"))
- if ctype not in self.valid_types: + ctype = sepolicy.get_real_type_name(ctype)
+ if sepolicy.get_real_type_name(ctype) not in self.valid_types: +
if ctype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype) raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) @@ -1922,6 +1929,8 @@ class nodeRecords(semanageRecords):
@@ -1922,7 +1916,7 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "": if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange")) raise ValueError(_("Requires setype or serange"))
- if setype and setype not in self.valid_types: + setype = sepolicy.get_real_type_name(setype)
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: +
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype) raise ValueError(_("Type %s is invalid, must be a node type") % setype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) @@ -2241,7 +2250,6 @@ class fcontextRecords(semanageRecords):
@@ -2241,7 +2235,6 @@ class fcontextRecords(semanageRecords):
try: try:
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
@ -429,24 +428,32 @@ index c76dce8..26f3376 100644
except RuntimeError: except RuntimeError:
valid_types = [] valid_types = []
@@ -2369,7 +2362,7 @@ class fcontextRecords(semanageRecords): @@ -2369,8 +2377,10 @@ class fcontextRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("SELinux Type is required")) raise ValueError(_("SELinux Type is required"))
- if type not in self.valid_types: - if type not in self.valid_types:
+ if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
raise ValueError(_("Type %s is invalid, must be a file or device type") % type) + if type != "<<none>>":
+ type = sepolicy.get_real_type_name(type)
+ if type not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -2432,7 +2425,7 @@ class fcontextRecords(semanageRecords): if rc < 0:
@@ -2432,8 +2442,10 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser): def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "": if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser")) raise ValueError(_("Requires setype, serange or seuser"))
- if setype and setype not in self.valid_types: - if setype and setype not in self.valid_types:
+ if setype not in ["", "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) + if setype not in ["", "<<none>>"]:
+ setype = sepolicy.get_real_type_name(setype)
+ if setype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
self.validate(target) self.validate(target)
diff --git selinux-python-2.8/sepolgen/src/sepolgen/access.py selinux-python-2.8/sepolgen/src/sepolgen/access.py diff --git selinux-python-2.8/sepolgen/src/sepolgen/access.py selinux-python-2.8/sepolgen/src/sepolgen/access.py
index a5d8698..ba80f93 100644 index a5d8698..ba80f93 100644
--- selinux-python-2.8/sepolgen/src/sepolgen/access.py --- selinux-python-2.8/sepolgen/src/sepolgen/access.py
@ -1491,7 +1498,7 @@ index 16e6680..64c48df 100644
def test_init(self): def test_init(self):
a = refpolicy.TypeRule() a = refpolicy.TypeRule()
diff --git selinux-python-2.8/sepolicy/sepolicy.py selinux-python-2.8/sepolicy/sepolicy.py diff --git selinux-python-2.8/sepolicy/sepolicy.py selinux-python-2.8/sepolicy/sepolicy.py
index 141f64e..6287502 100755 index 141f64e..5880176 100755
--- selinux-python-2.8/sepolicy/sepolicy.py --- selinux-python-2.8/sepolicy/sepolicy.py
+++ selinux-python-2.8/sepolicy/sepolicy.py +++ selinux-python-2.8/sepolicy/sepolicy.py
@@ -27,7 +27,7 @@ import selinux @@ -27,7 +27,7 @@ import selinux
@ -1512,35 +1519,37 @@ index 141f64e..6287502 100755
if isinstance(values, str): if isinstance(values, str):
setattr(namespace, self.dest, values) setattr(namespace, self.dest, values)
else: else:
@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action): @@ -103,6 +101,7 @@ class CheckDomain(argparse.Action):
domains = sepolicy.get_all_domains() domains = sepolicy.get_all_domains()
if isinstance(values, str): if isinstance(values, str):
- if values not in domains: + values = sepolicy.get_real_type_name(values)
+ if sepolicy.get_real_type_name(values) not in domains: if values not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains))) raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
setattr(namespace, self.dest, values) setattr(namespace, self.dest, values)
else: @@ -112,6 +111,7 @@ class CheckDomain(argparse.Action):
@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
newval = [] newval = []
for v in values: for v in values:
- if v not in domains: + v = sepolicy.get_real_type_name(v)
+ if sepolicy.get_real_type_name(v) not in domains: if v not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains))) raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
newval.append(v) newval.append(v)
setattr(namespace, self.dest, newval) @@ -167,10 +167,11 @@ class CheckPortType(argparse.Action):
@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
if not newval: if not newval:
newval = [] newval = []
for v in values: for v in values:
- if v not in port_types: + v = sepolicy.get_real_type_name(v)
+ if sepolicy.get_real_type_name(v) not in port_types: if v not in port_types:
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types))) raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
newval.append(v) newval.append(v)
setattr(namespace, self.dest, values) - setattr(namespace, self.dest, values)
+ setattr(namespace, self.dest, newval)
class LoadPolicy(argparse.Action):
diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py diff --git selinux-python-2.8/sepolicy/sepolicy/__init__.py selinux-python-2.8/sepolicy/sepolicy/__init__.py
index 89346ab..c4f03f4 100644 index 89346ab..d1f4bf5 100644
--- selinux-python-2.8/sepolicy/sepolicy/__init__.py --- selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ selinux-python-2.8/sepolicy/sepolicy/__init__.py +++ selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -15,7 +15,7 @@ import os @@ -15,7 +15,7 @@ import os
@ -1562,7 +1571,7 @@ index 89346ab..c4f03f4 100644
+ results = list(q.results()) + results = list(q.results())
+ +
+ if name and len(results) < 1: + if name and len(results) < 1:
+ #type not found, try alias + # type not found, try alias
+ q.name = None + q.name = None
+ q.alias = name + q.alias = name
+ results = list(q.results()) + results = list(q.results())
@ -1634,31 +1643,37 @@ index 89346ab..c4f03f4 100644
if len(tertypes) > 0: if len(tertypes) > 0:
q = setools.TERuleQuery(_pol, q = setools.TERuleQuery(_pol,
@@ -437,6 +449,14 @@ def get_file_types(setype): @@ -437,6 +449,20 @@ def get_file_types(setype):
return mpaths return mpaths
+# determine if entered type is an alias
+# and return corresponding type name
+def get_real_type_name(name): +def get_real_type_name(name):
+ """Return the real name of a type
+
+ * If 'name' refers to a type alias, return the corresponding type name.
+ * Otherwise return the original name (even if the type does not exist).
+ """
+ if not name:
+ return name
+
+ try: + try:
+ return next(info(TYPE, name))["name"] + return next(info(TYPE, name))["name"]
+ except (RuntimeError, StopIteration): + except (RuntimeError, StopIteration):
+ return None + return name
+ +
def get_writable_files(setype): def get_writable_files(setype):
file_types = get_all_file_types() file_types = get_all_file_types()
all_writes = [] all_writes = []
@@ -1051,7 +1071,7 @@ def gen_short_name(setype): @@ -1048,6 +1074,8 @@ def _dict_has_perms(dict, perms):
def gen_short_name(setype):
all_domains = get_all_domains()
if setype.endswith("_t"):
+ # replace aliases with corresponding types
+ setype = get_real_type_name(setype)
domainname = setype[:-2] domainname = setype[:-2]
else: else:
domainname = setype domainname = setype
- if domainname + "_t" not in all_domains: @@ -1160,27 +1188,14 @@ def boolean_desc(boolean):
+ if get_real_type_name(domainname + "_t") not in all_domains:
raise ValueError("domain %s_t does not exist" % domainname)
if domainname[-1] == 'd':
short_name = domainname[:-1] + "_"
@@ -1160,27 +1180,14 @@ def boolean_desc(boolean):
def get_os_version(): def get_os_version():
@ -1693,7 +1708,7 @@ index 89346ab..c4f03f4 100644
def reinit(): def reinit():
diff --git selinux-python-2.8/sepolicy/sepolicy/generate.py selinux-python-2.8/sepolicy/sepolicy/generate.py diff --git selinux-python-2.8/sepolicy/sepolicy/generate.py selinux-python-2.8/sepolicy/sepolicy/generate.py
index f814e27..efab71e 100644 index f814e27..8e53033 100644
--- selinux-python-2.8/sepolicy/sepolicy/generate.py --- selinux-python-2.8/sepolicy/sepolicy/generate.py
+++ selinux-python-2.8/sepolicy/sepolicy/generate.py +++ selinux-python-2.8/sepolicy/sepolicy/generate.py
@@ -52,7 +52,7 @@ import sepolgen.defaults as defaults @@ -52,7 +52,7 @@ import sepolgen.defaults as defaults
@ -1705,6 +1720,17 @@ index f814e27..efab71e 100644
try: try:
import gettext import gettext
kwargs = {} kwargs = {}
@@ -103,7 +103,9 @@ def get_all_ports():
for p in sepolicy.info(sepolicy.PORT):
if p['type'] == "reserved_port_t" or \
p['type'] == "port_t" or \
- p['type'] == "hi_reserved_port_t":
+ p['type'] == "hi_reserved_port_t" or \
+ p['type'] == "ephemeral_port_t" or \
+ p['type'] == "unreserved_port_t":
continue
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
diff --git selinux-python-2.8/sepolicy/sepolicy/gui.py selinux-python-2.8/sepolicy/sepolicy/gui.py diff --git selinux-python-2.8/sepolicy/sepolicy/gui.py selinux-python-2.8/sepolicy/sepolicy/gui.py
index 537d516..63aa02c 100644 index 537d516..63aa02c 100644
--- selinux-python-2.8/sepolicy/sepolicy/gui.py --- selinux-python-2.8/sepolicy/sepolicy/gui.py
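Review bot: In the portRecords hunk at `@@ -1087,6 +1081,8 @@`, `type = sepolicy.get_real_type_name(type)` overwrites the caller-supplied value before the validity check, so the ValueError on the following line reports the resolved type name rather than what was actually passed; when an alias resolves to a type that is not a port type, the message names a type the user never typed. The same pattern appears in the ibpkeyRecords, ibendportRecords, nodeRecords and fcontextRecords hunks of seobject.py and in the CheckDomain and CheckPortType hunks of sepolicy.py. Keeping the original in a local for the message, e.g. `requested = type` before the resolution and `% requested` in the raise, preserves the intended canonicalisation while keeping the error actionable. Separately, in gen_short_name the alias is resolved only inside the `endswith("_t")` branch, so a name passed without the suffix is checked against all_domains unresolved; resolving `domainname + "_t"` once after both branches would treat both spellings the same. Each of these functions starts outside the hunk that changes it.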


@ -0,0 +1,12 @@
diff --git semodule-utils-2.8/semodule_package/semodule_package.c semodule-utils-2.8/semodule_package/semodule_package.c
index 3515234..7b75b3f 100644
--- semodule-utils-2.8/semodule_package/semodule_package.c
+++ semodule-utils-2.8/semodule_package/semodule_package.c
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
}
if (!sb.st_size) {
*len = 0;
+ close(fd);
return 0;
}
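Review bot: The added `close(fd);` is correct for the empty-file return, but file_to_data begins and ends outside the hunk, so the other early returns between the open and this check (presumably the fstat error path ending at the `}` above) are not visible here and should be verified to release fd as well. If several exits now each close fd, a single cleanup label (`goto out;` at each error return with `close(fd);` under `out:`) is the conventional way to keep them from drifting apart again.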