policycoreutils-2.4-18.fc24

- Improve sepolicy command line interface
- Fix sandbox to propagate specified MCS/MLS Security Level. (#1279006)
- Fix 'audit2allow -R' (#1280418)
Petr Lautrbach 2015-11-16 22:16:24 +01:00
parent 70c2813895
commit 426d89c7eb
3 changed files with 77 additions and 29 deletions


@ -654841,7 +654841,7 @@ index b306041..16eb50b 100644
msgid "Loss of data Dialog"
msgstr ""
diff --git a/policycoreutils-2.4/sandbox/sandbox b/policycoreutils-2.4/sandbox/sandbox
index 3678c5d..5109eca 100644
index 3678c5d..163afa0 100644
--- a/policycoreutils-2.4/sandbox/sandbox
+++ b/policycoreutils-2.4/sandbox/sandbox
@@ -1,4 +1,4 @@
@ -654941,7 +654941,17 @@ index 3678c5d..5109eca 100644
def usage(self, message = ""):
error_exit("%s\n%s" % (self.__parser.usage, message))
@@ -431,8 +437,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
@@ -400,9 +406,6 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
def __setup_dir(self):
- if self.__options.level or self.__options.session:
- return
-
if self.__options.homedir:
selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
self.__homedir = self.__options.homedir
@@ -431,8 +434,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
if self.__options.dpi:
dpi = self.__options.dpi
else:
@ -654952,7 +654962,7 @@ index 3678c5d..5109eca 100644
xmodmapfile = self.__homedir + "/.xmodmap"
xd = open(xmodmapfile,"w")
@@ -492,13 +498,13 @@ if __name__ == '__main__':
@@ -492,13 +495,13 @@ if __name__ == '__main__':
try:
sandbox = Sandbox()
rc = sandbox.main()
@ -658883,7 +658893,7 @@ index 2e67456..0c5f998 100644
.B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
.br
diff --git a/policycoreutils-2.4/sepolicy/sepolicy.py b/policycoreutils-2.4/sepolicy/sepolicy.py
index 74fb347..50c10d0 100755
index 74fb347..ec02fb2 100755
--- a/policycoreutils-2.4/sepolicy/sepolicy.py
+++ b/policycoreutils-2.4/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
@ -659175,8 +659185,18 @@ index 74fb347..50c10d0 100755
group.add_argument("--admin_user", dest="policytype", const=AUSER,
action="store_const",
help=_("Generate '%s' policy") % poltype[AUSER])
@@ -642,12 +646,12 @@ if __name__ == '__main__':
args = parser.parse_args()
@@ -637,17 +641,20 @@ if __name__ == '__main__':
try:
if os.path.basename(sys.argv[0]) == "sepolgen":
- args = parser.parse_args([ "generate" ] + sys.argv[1:])
+ parser_args = [ "generate" ] + sys.argv[1:]
+ elif len(sys.argv) > 1:
+ parser_args = sys.argv[1:]
else:
- args = parser.parse_args()
+ parser_args = ["-h"]
+ args = parser.parse_args(args=parser_args)
args.func(args)
sys.exit(0)
- except ValueError,e:
@ -659192,7 +659212,7 @@ index 74fb347..50c10d0 100755
+ print("Out")
sys.exit(0)
diff --git a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
index 679725d..2e1bfec 100644
index 679725d..b540180 100644
--- a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
@@ -1,25 +1,30 @@
@ -659353,7 +659373,7 @@ index 679725d..2e1bfec 100644
+ fd.close()
+ modules = modules[0].split(" ")[:-1]
+ for m in modules:
+ mod_temp.append(m[:-3])
+ mod_temp.append(m)
+ all_modules.extend(mod_temp)
+ mod_temp = []
+ except:
@ -661522,7 +661542,7 @@ index 5ca87b9..4437d9e 100644
def confirmation_close(self, button, *args):
diff --git a/policycoreutils-2.4/sepolicy/sepolicy/interface.py b/policycoreutils-2.4/sepolicy/sepolicy/interface.py
index bbabb3b..29370ee 100644
index bbabb3b..cc1260e 100644
--- a/policycoreutils-2.4/sepolicy/sepolicy/interface.py
+++ b/policycoreutils-2.4/sepolicy/sepolicy/interface.py
@@ -1,4 +1,4 @@
@ -661586,7 +661606,7 @@ index bbabb3b..29370ee 100644
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
else:
@@ -115,12 +119,20 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
@@ -115,12 +119,19 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
global interface_dict
import os
import xml.etree.ElementTree
@ -661598,16 +661618,15 @@ index bbabb3b..29370ee 100644
interface_dict = {}
param_list = []
+ if get_all_modules_from_mod_lst():
+ active_modules = get_all_modules_from_mod_lst()
+ else:
+ active_modules = get_all_modules_from_mod_lst()
+ if active_modules is None:
+ print((_("Using only non-base modules.")))
+ active_modules = get_all_modules()
+
xml_path = """<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
<policy>
<layer name="admin">
@@ -138,17 +150,18 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
@@ -138,17 +149,18 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
tree = xml.etree.ElementTree.fromstring(xml_path)
for l in tree.findall("layer"):
for m in l.findall("module"):
@ -661637,7 +661656,7 @@ index bbabb3b..29370ee 100644
pass
return interface_dict
@@ -159,7 +172,7 @@ def get_interface_format_text(interface,path = "/usr/share/selinux/devel/policy.
@@ -159,7 +171,7 @@ def get_interface_format_text(interface,path = "/usr/share/selinux/devel/policy.
return interface_text
def get_interface_compile_format_text(interfaces_dict, interface):
@ -661646,7 +661665,7 @@ index bbabb3b..29370ee 100644
param_tmp = []
for i in interfaces_dict[interface][0]:
param_tmp.append(test_module.dict_values[i])
@@ -168,7 +181,7 @@ def get_interface_compile_format_text(interfaces_dict, interface):
@@ -168,7 +180,7 @@ def get_interface_compile_format_text(interfaces_dict, interface):
return interface_text
def generate_compile_te(interface, idict, name="compiletest"):
@ -661655,7 +661674,7 @@ index bbabb3b..29370ee 100644
te = ""
te += re.sub("TEMPLATETYPE", name, test_module.te_test_module )
te += get_interface_compile_format_text(idict,interface)
@@ -177,39 +190,45 @@ def generate_compile_te(interface, idict, name="compiletest"):
@@ -177,39 +189,45 @@ def generate_compile_te(interface, idict, name="compiletest"):
def get_xml_file(if_file):
""" Returns xml format of interfaces for given .if policy file"""

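Review bot: In the sandbox hunk for `__setup_dir`, the removed guard skipped directory setup for both `self.__options.level` and `self.__options.session`, while the changelog only describes propagating the `-l` level, so session runs now also reach `selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)` on a caller-supplied directory. If that is intended, a comment at the top of the function would record it, for example `# Always label home/temp dirs so files carry the requested MCS/MLS level, including -l and session runs (#1279006)`. It is also worth confirming that the recursive relabel of a user-named `-H` path is bounded to files the caller is allowed to relabel; presumably the policy's relabel checks enforce this, but nothing in the hunk shows it. The body of `__setup_dir` continues outside the hunk.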

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.4
Release: 17%{?dist}
Release: 18%{?dist}
License: GPLv2
Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases
@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png
Source4: sepolicy-icons.tgz
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
# HEAD https://github.com/fedora-selinux/selinux/commit/e4cbbd53b5639def20ae09f3db44afa4691c7460
# HEAD https://github.com/fedora-selinux/selinux/commit/ea4e1e35ce8a9150128484f8da20087fc01c71bb
Patch: policycoreutils-rhat.patch
Patch1: sepolgen-rhat.patch
Patch100: policycoreutils-fix-semanage-python3.patch
@ -404,6 +404,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Nov 16 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-18
- Improve sepolicy command line interface
- Fix sandbox to propagate specified MCS/MLS Security Level. (#1279006)
- Fix 'audit2allow -R' (#1280418)
* Thu Nov 12 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4-17
- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5


@ -977,10 +977,10 @@ index 739452d..7a83aee 100644
comment = refpolicy.Comment()
comment.lines.append("============= ROLES ==============")
diff --git a/sepolgen-1.2.2/src/sepolgen/policygen.py b/sepolgen-1.2.2/src/sepolgen/policygen.py
index 5f38577..89366df 100644
index 5f38577..ebcfcf2 100644
--- a/sepolgen-1.2.2/src/sepolgen/policygen.py
+++ b/sepolgen-1.2.2/src/sepolgen/policygen.py
@@ -24,17 +24,20 @@ classes and algorithms for the generation of SELinux policy.
@@ -24,17 +24,18 @@ classes and algorithms for the generation of SELinux policy.
import itertools
import textwrap
@ -1001,12 +1001,10 @@ index 5f38577..89366df 100644
+from . import interfaces
+from . import matching
+from . import util
+if util.PY3:
+ from .util import cmp
# Constants for the level of explanation from the generation
# routines
NO_EXPLANATION = 0
@@ -81,8 +84,9 @@ class PolicyGenerator:
@@ -81,8 +82,9 @@ class PolicyGenerator:
self.module = refpolicy.Module()
self.dontaudit = False
@ -1017,7 +1015,7 @@ index 5f38577..89366df 100644
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -152,6 +156,18 @@ class PolicyGenerator:
@@ -152,6 +154,18 @@ class PolicyGenerator:
"""Return the generated module"""
return self.module
@ -1036,7 +1034,7 @@ index 5f38577..89366df 100644
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
@@ -160,6 +176,34 @@ class PolicyGenerator:
@@ -160,6 +174,34 @@ class PolicyGenerator:
rule.comment = ""
if self.explain:
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
@ -1071,7 +1069,7 @@ index 5f38577..89366df 100644
if av.type == audit2why.ALLOW:
rule.comment += "\n#!!!! This avc is allowed in the current policy"
if av.type == audit2why.DONTAUDIT:
@@ -167,14 +211,14 @@ class PolicyGenerator:
@@ -167,14 +209,14 @@ class PolicyGenerator:
if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
@ -1088,7 +1086,7 @@ index 5f38577..89366df 100644
for reason in av.data[1:]:
rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
@@ -186,7 +230,7 @@ class PolicyGenerator:
@@ -186,7 +228,7 @@ class PolicyGenerator:
self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
types=[]
@ -1097,7 +1095,24 @@ index 5f38577..89366df 100644
if i not in self.domains:
types.append(i)
if len(types) == 1:
@@ -296,7 +340,7 @@ def call_interface(interface, av):
@@ -275,15 +317,12 @@ def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
explain_interfaces()
return s
-def param_comp(a, b):
- return cmp(b.num, a.num)
-
def call_interface(interface, av):
params = []
args = []
params.extend(interface.params.values())
- params.sort(param_comp)
+ params.sort(key=lambda param: param.num, reverse=True)
ifcall = refpolicy.InterfaceCall()
ifcall.ifname = interface.name
@@ -296,7 +335,7 @@ def call_interface(interface, av):
elif params[i].type == refpolicy.OBJ_CLASS:
ifcall.args.append(av.obj_class)
else:
@ -1106,6 +1121,15 @@ index 5f38577..89366df 100644
assert(0)
assert(len(ifcall.args) > 0)
@@ -318,7 +357,7 @@ class InterfaceGenerator:
for x in ifs.interfaces.values():
params = []
params.extend(x.params.values())
- params.sort(param_comp)
+ params.sort(key=lambda param: param.num, reverse=True)
for i in range(len(params)):
# Check that the paramater position matches
# the number (e.g., $1 is the first arg). This
diff --git a/sepolgen-1.2.2/src/sepolgen/refparser.py b/sepolgen-1.2.2/src/sepolgen/refparser.py
index b453a29..f5ff19c 100644
--- a/sepolgen-1.2.2/src/sepolgen/refparser.py