Update to upstream

* policycoreutils
	* setfiles: Fix process_glob to handle error situations
	* sandbox: Allow seunshare to run as root
	* sandbox: trap sigterm to make sure sandbox
	* sandbox: pass DPI from the desktop
	* sandbox: seunshare: introduce helper spawn_command
	* sandbox: seunshare: introduce new filesystem helpers
	* sandbox: add -C option to not drop
	* sandbox: split seunshare caps dropping
	* sandbox: use dbus-launch
	* sandbox: numerous simple updates to sandbox
	* sandbox: do not require selinux context
	* sandbox: Makefile: new man pages
	* sandbox: rename dir to srcdir
	* sandbox: allow users specify sandbox window size
	* sandbox: check for paths up front
	* sandbox: use defined values for paths rather
	* sandbox: move seunshare globals to the top
	* sandbox: whitespace fix
	* semodule_package: Add semodule_unpackage executable
	* setfiles: get rid of some stupid globals
	* setfiles: move exclude_non_seclabel_mounts to a generic location
* sepolgen
	* refparser: include open among valid permissions
	* refparser: add support for filename_trans rules
This commit is contained in:
Dan Walsh 2011-08-30 16:32:33 -04:00
parent 8b0727dc56
commit 42466e2b7e
5 changed files with 433 additions and 1150 deletions

2
.gitignore vendored
View File

@ -225,3 +225,5 @@ policycoreutils-2.0.83.tgz
/policycoreutils-2.0.85.tgz
/policycoreutils-2.0.86.tgz
/policycoreutils-2.1.4.tgz
/policycoreutils-2.1.5.tgz
/sepolgen-1.1.1.tgz

File diff suppressed because it is too large Load Diff

View File

@ -1,7 +1,8 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py 2011-05-25 16:11:58.150628048 -0400
@@ -32,6 +32,7 @@ in a variety of ways, but they are the f
diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 3eda2fd..649735f 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -32,6 +32,7 @@ in a variety of ways, but they are the fundamental representation of access.
"""
import refpolicy
@ -45,9 +46,10 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen
access.perms.update(perms)
if audit_msg:
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py 2011-05-25 16:11:58.150628048 -0400
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index 24e308e..e23725f 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -68,6 +68,17 @@ def get_dmesg_msgs():
stdout=subprocess.PIPE).communicate()[0]
return output
@ -131,9 +133,10 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen p
return av_set
class AVCTypeFilter:
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py 2011-05-25 16:11:58.150628048 -0400
diff --git a/sepolgen/src/sepolgen/defaults.py b/sepolgen/src/sepolgen/defaults.py
index 45ce61a..6d511c3 100644
--- a/sepolgen/src/sepolgen/defaults.py
+++ b/sepolgen/src/sepolgen/defaults.py
@@ -30,6 +30,9 @@ def perm_map():
def interface_info():
return data_dir() + "/interface_info"
@ -144,9 +147,10 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolge
def refpolicy_devel():
return "/usr/share/selinux/devel"
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py 2011-05-25 16:11:58.151628058 -0400
diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py
index d8b3e34..ae1c9c5 100644
--- a/sepolgen/src/sepolgen/interfaces.py
+++ b/sepolgen/src/sepolgen/interfaces.py
@@ -29,6 +29,8 @@ import matching
from sepolgeni18n import _
@ -156,7 +160,7 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepol
class Param:
"""
Object representing a paramater for an interface.
@@ -197,10 +199,48 @@ def ifcall_extract_params(ifcall, params
@@ -197,10 +199,48 @@ def ifcall_extract_params(ifcall, params):
ret = 1
return ret
@ -262,9 +266,10 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepol
self.expand_ifcalls(headers)
self.index()
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py 2011-05-25 16:11:58.151628058 -0400
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
index 1a9a3e5..d56dd92 100644
--- a/sepolgen/src/sepolgen/matching.py
+++ b/sepolgen/src/sepolgen/matching.py
@@ -50,7 +50,7 @@ class Match:
return 1
@ -293,9 +298,25 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolge
def __iter__(self):
return iter(self.children)
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py 2011-05-25 16:11:58.151628058 -0400
diff --git a/sepolgen/src/sepolgen/module.py b/sepolgen/src/sepolgen/module.py
index edd24c6..5818cec 100644
--- a/sepolgen/src/sepolgen/module.py
+++ b/sepolgen/src/sepolgen/module.py
@@ -37,8 +37,8 @@ import shutil
def is_valid_name(modname):
"""Check that a module name is valid.
"""
- m = re.findall("[^a-zA-Z0-9]", modname)
- if len(m) == 0:
+ m = re.findall("[^a-zA-Z0-9_\-\.]", modname)
+ if len(m) == 0 and modname[0].isalpha():
return True
else:
return False
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 0e6b502..6ce892c 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -29,6 +29,8 @@ import objectmodel
import access
import interfaces
@ -334,7 +355,7 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolg
+
+ if av.type == audit2why.CONSTRAINT:
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+ rule.comment += "#Contraint rule: "
+ rule.comment += "#Constraint rule: "
+
+ if av.type == audit2why.TERULE:
+ if "write" in av.perms:
@ -356,38 +377,10 @@ diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolg
self.module.children.append(rule)
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py 2011-05-25 16:18:20.911964611 -0400
@@ -243,7 +243,7 @@ def t_refpolicywarn(t):
t.lexer.lineno += 1
def t_IDENTIFIER(t):
- r'[a-zA-Z_\$][a-zA-Z0-9_\-\.\$\*]*'
+ r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"]*'
# Handle any keywords
t.type = reserved.get(t.value,'IDENTIFIER')
return t
@@ -768,6 +768,7 @@ def p_avrule_def(p):
def p_typerule_def(p):
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
+ | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
'''
@@ -1044,7 +1045,7 @@ def parse_headers(root, output=None, exp
# of misc_macros. We are just going to pretend that this is an interface
# to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec")
- av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
+ av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
"getattr","lock","execute","ioctl"])
can_exec.children.append(refpolicy.AVRule(av))
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map 2011-05-25 16:11:58.152628068 -0400
diff --git a/sepolgen/src/share/perm_map b/sepolgen/src/share/perm_map
index eb2e23b..ca4fa4d 100644
--- a/sepolgen/src/share/perm_map
+++ b/sepolgen/src/share/perm_map
@@ -124,7 +124,7 @@ class filesystem 10
quotamod w 1
quotaget r 1

View File

@ -1,13 +1,13 @@
%define libauditver 1.4.2-1
%define libsepolver 2.1.0-1
%define libsemanagever 2.1.0-0
%define libselinuxver 2.1.0-1
%define sepolgenver 1.0.23
%define libsepolver 2.1.2-1
%define libsemanagever 2.1.2-1
%define libselinuxver 2.1.5-1
%define sepolgenver 1.1.1
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.4
Release: 2%{?dist}
Version: 2.1.5
Release: 1%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -66,10 +66,10 @@ context.
%patch -p2 -b .rhat
%patch1 -p1 -b .rhatpo
%patch3 -p1 -b .gui
%patch4 -p1 -b .sepolgen
%patch4 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
%build
make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all
make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
%install
@ -352,6 +352,34 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
-Update to upstream
* policycoreutils
* setfiles: Fix process_glob to handle error situations
* sandbox: Allow seunshare to run as root
* sandbox: trap sigterm to make sure sandbox
* sandbox: pass DPI from the desktop
* sandbox: seunshare: introduce helper spawn_command
* sandbox: seunshare: introduce new filesystem helpers
* sandbox: add -C option to not drop
* sandbox: split seunshare caps dropping
* sandbox: use dbus-launch
* sandbox: numerous simple updates to sandbox
* sandbox: do not require selinux context
* sandbox: Makefile: new man pages
* sandbox: rename dir to srcdir
* sandbox: allow users specify sandbox window size
* sandbox: check for paths up front
* sandbox: use defined values for paths rather
* sandbox: move seunshare globals to the top
* sandbox: whitespace fix
* semodule_package: Add semodule_unpackage executable
* setfiles: get rid of some stupid globals
* setfiles: move exclude_non_seclabel_mounts to a generic location
* sepolgen
* refparser: include open among valid permissions
* refparser: add support for filename_trans rules
* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
- Fix bug in glob handling for restorecon

View File

@ -1,3 +1,3 @@
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
7e1e18c09798ffb44913bce3d60c667d policycoreutils-2.1.4.tgz
fcff0d994c5106e04190432304b1e8c6 sepolgen-1.1.1.tgz
a84ec479bf09e8d2a912fd32532853e9 policycoreutils-2.1.5.tgz