diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 2770354..3f5008d 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -248304,7 +248304,7 @@ index d1b435c..1c323d2 100644 account include system-auth password include system-auth diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox -index b629006..6631c2d 100644 +index b629006..49f735a 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -243,7 +243,7 @@ class Sandbox: @@ -248325,6 +248325,17 @@ index b629006..6631c2d 100644 help=_("alternate window manager")) parser.add_option("-l", "--level", dest="level", +@@ -403,9 +403,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile + + con = selinux.getcon()[1].split(":") + self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level) +- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r", +- "%s_file_t" % self.setype[:-2], +- level) ++ self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level) + def __setup_dir(self): + if self.__options.level or self.__options.session: + return diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 index 521afcd..0c8cd1e 100644 --- a/policycoreutils/sandbox/sandbox.8 @@ -249866,18 +249877,70 @@ index 82fea52..6efd463 100644 fi COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8 -index fb84af6..c2fa601 100644 +index fb84af6..84a96f1 100644 --- a/policycoreutils/sepolicy/sepolicy-generate.8 
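Review bot: The new `self.__filecon` line hard-codes `object_r` and `sandbox_file_t` for every sandbox type without saying why, so the next reader will be tempted to restore the `%s_file_t` derivation from `self.setype[:-2]` that the hunk removes; a comment such as `# Always label sandbox files sandbox_file_t so custom sandbox domains from sepolicy generate --sandbox work without their own *_file_t type` (wording taken from the changelog entry) would pin the intent. The `con[0]` user field still comes from the unchanged `selinux.getcon()[1].split(":")` context line, whose return code is not checked, so a failed getcon would presumably surface here as an attribute error on a missing context rather than a clear message; worth a guard if this path can run outside an SELinux-enabled session. The enclosing method starts and ends outside the hunk.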
+++ b/policycoreutils/sepolicy/sepolicy-generate.8 -@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template. - .B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user] +@@ -4,16 +4,69 @@ sepolicy-generate \- Generate an initial SELinux policy module template. + + .SH "SYNOPSIS" + ++Common options ++ ++.B sepolicy generate [\-h ] [\-p PATH] ++ ++.br ++ ++Confined Applications ++ ++.br ++.B sepolicy generate \-\-application [\-n NAME] [\-w WRITE_PATH ] command ++.br ++.B sepolicy generate \-\-init [\-n NAME] [\-w WRITE_PATH ] command ++.br ++.B sepolicy generate \-\-cgi [\-n NAME] [\-w WRITE_PATH ] command ++.br ++.B sepolicy generate \-\-dbus [\-n NAME] [\-w WRITE_PATH ] command ++.br ++.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command ++.br ++.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command ++.br ++ ++Confined Users ++ ++.br ++.B sepolicy generate \-\-admin_user \-n NAME ++.br ++.B sepolicy generate \-\-confined_admin \-n NAME [\-a ADMIN_DOMAIN] [\-u USER] [\-n NAME] [\-p PATH] ++.br ++.B sepolicy generate \-\-desktop_user \-n NAME [\-p PATH] ++.br ++.B sepolicy generate \-\-term_user \-n NAME [\-p PATH] ++.br ++.B sepolicy generate \-\-x_user \-n NAME [\-p PATH] + .br +-.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user] ++ ++Miscellaneous Policy ++ ++.br ++.B sepolicy generate \-\-customize \-d DOMAIN \-n NAME [\-a ADMIN_DOMAIN] ++.br ++.B sepolicy generate \-\-newtype \-t type \-n NAME ++.br ++.B sepolicy 
generate \-\-sandbox \-n NAME .SH "DESCRIPTION" -Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files. -+Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files. ++Use \fBsepolicy generate\fP to generate an SELinux policy Module. + -+If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files. ++.br ++\fBsepolicy generate\fP will create 5 files. + ++When specifying a \fBconfined application\fP you must specify a ++path. \fBsepolicy generate\fP will use the rpm payload of the ++application along with \fBnm -D APPLICATION\fP to help it generate ++types and policy rules for your policy files. .B Type Enforcing File NAME.te .br @@ -249889,7 +249952,7 @@ index fb84af6..c2fa601 100644 .B Interface File NAME.if .br This file defines the interfaces for the types generated in the te file, which can be used by other policy domains. -@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to +@@ -25,7 +78,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to .B RPM Spec File NAME_selinux.spec .br 
@@ -249898,6 +249961,27 @@ index fb84af6..c2fa601 100644 .B Shell File NAME.sh .br +@@ -39,13 +92,19 @@ If a generate is possible, this tool will print out all generate paths from the + .I \-h, \-\-help + Display help message + .TP ++.I \-d, \-\-domain ++Enter domain type(s) which you will be extending ++.TP + .I \-n, \-\-name +-Specify alternate name of policy. The policy will default to the executable or name specified. ++Specify alternate name of policy. The policy will default to the executable or name specified + .TP + .I \-p, \-\-path + Specify the directory to store the created policy files. (Default to current working directory ) + optional arguments: + .TP ++.I \-t, \-\-type ++Enter type(s) for which you will generate new definition and rule(s) ++.TP + .I \-u, \-\-user + SELinux user(s) which will transition to this domain + .TP diff --git a/policycoreutils/sepolicy/sepolicy-interface.8 b/policycoreutils/sepolicy/sepolicy-interface.8 index 4fc9792..02c4c1a 100644 --- a/policycoreutils/sepolicy/sepolicy-interface.8 @@ -250657,7 +250741,7 @@ index a179d95..9b9a09a 100755 tlist = [] for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py -index 26f8390..4739025 100644 +index 26f8390..837d3e3 100644 --- a/policycoreutils/sepolicy/sepolicy/generate.py +++ b/policycoreutils/sepolicy/sepolicy/generate.py @@ -63,20 +63,6 @@ except IOError: 
@@ -250811,6 +250895,38 @@ index 26f8390..4739025 100644 for u in self.transition_users: tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans) newsh += re.sub("USER", u, tmp) +@@ -1143,6 +1145,8 @@ allow %s_t %s_t:%s_socket name_%s; + newsh = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp) + else: + newsh = re.sub("TEMPLATEFILE", self.file_name, temp) ++ newsh += re.sub("DOMAINTYPE", self.name, script.manpage) ++ + if self.program: + newsh += re.sub("FILENAME", self.program, script.restorecon) + if self.initscript != "": +@@ -1165,6 +1169,7 @@ allow %s_t %s_t:%s_socket name_%s; + newsh += re.sub("TEMPLATETYPE", self.name, t1) + + newsh += self.generate_user_sh() ++ newsh += re.sub("TEMPLATETYPE", self.name, script.rpm) + + return newsh + +@@ -1198,7 +1203,13 @@ allow %s_t %s_t:%s_socket name_%s; + if self.type not in APPLICATIONS: + newspec = re.sub("%relabel_files", "", newspec) + +- return newspec ++ # Remove man pages from EUSER spec file ++ if self.type == EUSER: ++ newspec = re.sub(".*%s_selinux.8.*" % self.name,"", newspec) ++ # Remove user context file from non users spec file ++ if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER): ++ newspec = re.sub(".*%s_u.*" % self.name,"", newspec) ++ return newspec + + def write_spec(self, out_dir): + specfile = "%s/%s_selinux.spec" % (out_dir, self.file_name) diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py index 8b063ca..c7dac62 100644 --- a/policycoreutils/sepolicy/sepolicy/interface.py 
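Review bot: In the inner hunk `@@ -1198,7 +1203,13 @@`, `self.name` is interpolated unescaped into the regex patterns `".*%s_selinux.8.*"` and `".*%s_u.*"`, so a policy name containing a regex metacharacter (a `.` or `+`, for example) silently changes which spec lines get stripped; `re.escape(self.name)` keeps the match literal, e.g. `newspec = re.sub(r".*%s_selinux\.8.*" % re.escape(self.name), "", newspec)` and `newspec = re.sub(".*%s_u.*" % re.escape(self.name), "", newspec)`. Note also that `re.sub` with an empty replacement leaves a blank line behind rather than deleting the line, which is harmless in a spec file but should be intentional. In the first inner hunk (`@@ -1143,6 +1145,8 @@`) the `script.manpage` template is appended unconditionally; if the changelog's "no man page for --customize" behavior is meant to come from this code, the guard is not visible here and presumably lives elsewhere. The methods that return `newsh` and `newspec` both start outside their hunks.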
@@ -251345,6 +251461,111 @@ index 66efe26..a446d68 100755 d={} tlist = get_types(src, "%s_socket" % protocol, [perm]) if len(tlist) > 0: +diff --git a/policycoreutils/sepolicy/sepolicy/templates/script.py b/policycoreutils/sepolicy/sepolicy/templates/script.py +index c139070..54fd40a 100644 +--- a/policycoreutils/sepolicy/sepolicy/templates/script.py ++++ b/policycoreutils/sepolicy/sepolicy/templates/script.py +@@ -66,14 +66,17 @@ set -x + make -f /usr/share/selinux/devel/Makefile TEMPLATEFILE.pp || exit + /usr/sbin/semodule -i TEMPLATEFILE.pp + +-# Generate a man page off the installed module +-sepolicy manpage -p . -d DOMAINTYPE_t +- ++""" ++rpm="""\ + # Generate a rpm package for the newly generated policy + + pwd=$(pwd) + rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba TEMPLATETYPE_selinux.spec ++""" + ++manpage="""\ ++# Generate a man page off the installed module ++sepolicy manpage -p . -d DOMAINTYPE_t + """ + + restorecon="""\ +@@ -107,8 +110,7 @@ admin_trans="""\ + """ + + min_login_user_default_context="""\ +-if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then +-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF ++cat > TEMPLATETYPE_u << _EOF + TEMPLATETYPE_r:TEMPLATETYPE_t:s0 TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t +@@ -116,12 +118,13 @@ system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t + _EOF ++if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then ++ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/ + fi + """ + + x_login_user_default_context="""\ +-if [ ! 
-f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then +-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF ++cat > TEMPLATETYPE_u << _EOF + TEMPLATETYPE_r:TEMPLATETYPE_t TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t +@@ -130,5 +133,7 @@ system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t + system_r:xdm_t TEMPLATETYPE_r:TEMPLATETYPE_t + _EOF ++if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then ++ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/ + fi + """ +diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py +index dbddf39..d8ee42f 100644 +--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py ++++ b/policycoreutils/sepolicy/sepolicy/templates/spec.py +@@ -18,6 +18,7 @@ URL: http://HOSTNAME + Source0: MODULENAME.pp + Source1: MODULENAME.if + Source2: DOMAINNAME_selinux.8 ++Source3: DOMAINNAME_u + + Requires: policycoreutils, libselinux-utils + Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils +@@ -36,13 +37,16 @@ install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages + install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib + install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ + install -d %{buildroot}%{_mandir}/man8/ +-install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ ++install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/DOMAINNAME_selinux.8 ++install -d %{buildroot}/etc/selinux/targeted/contexts/users/ ++install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u + + %post + semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp + if /usr/sbin/selinuxenabled ; then + /usr/sbin/load_policy + %relabel_files ++ /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u + fi; + exit 0 + +@@ -52,6 +56,7 @@ if 
[ $1 -eq 0 ]; then + if /usr/sbin/selinuxenabled ; then + /usr/sbin/load_policy + %relabel_files ++ /usr/sbin/semanage user -d DOMAINNAME_u + fi; + fi; + exit 0 +@@ -60,6 +65,7 @@ exit 0 + %attr(0600,root,root) %{_datadir}/selinux/packages/MODULENAME.pp + %{_datadir}/selinux/devel/include/contrib/MODULENAME.if + %{_mandir}/man8/DOMAINNAME_selinux.8.* ++/etc/selinux/targeted/contexts/users/DOMAINNAME_u + + %changelog + * TODAYSDATE YOUR NAME 1.0-1 diff --git a/policycoreutils/sepolicy/sepolicy/templates/test_module.py b/policycoreutils/sepolicy/sepolicy/templates/test_module.py new file mode 100644 index 0000000..3a3faa6 @@ -251470,6 +251691,63 @@ index 0000000..3a3faa6 +# + +""" +diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py +index 79f3997..9c9439c 100644 +--- a/policycoreutils/sepolicy/sepolicy/templates/user.py ++++ b/policycoreutils/sepolicy/sepolicy/templates/user.py +@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE) + te_admin_user_types="""\ + policy_module(TEMPLATETYPE, 1.0.0) + ++## ++##
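Review bot: The `%post` scriptlet in the spec.py template now runs `/usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u` on every install, but `%post` also runs on upgrades, where the SELinux user added by the previous version's `%post` already exists and `-a` will fail (masked by the trailing `exit 0`, which hides real failures too); either add only on first install, `[ $1 -eq 1 ] && /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u`, or fall back to `semanage user -m -R DOMAINNAME_r DOMAINNAME_u` on upgrade so a changed role set is still applied. The new `%files` entry installs `/etc/selinux/targeted/contexts/users/DOMAINNAME_u` as a plain file, so an administrator's local edits would be overwritten on upgrade; `%config(noreplace) /etc/selinux/targeted/contexts/users/DOMAINNAME_u` preserves them. Both this template and the script.py `cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/` hard-code the `targeted` store, which matches the default policy but deserves a comment since the generated package will not follow a different active store.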

++## Allow TEMPLATETYPE to read files in the user home directory ++##

++##
++gen_tunable(TEMPLATETYPE_read_user_files, false) ++ ++## ++##

++## Allow TEMPLATETYPE to manage files in the user home directory ++##

++##
++gen_tunable(TEMPLATETYPE_manage_user_files, false) ++ + ######################################## + # + # Declarations +@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0) + # Declarations + # + +-## +-##

+-## Allow TEMPLATETYPE to read files in the user home directory +-##

+-##
+-gen_tunable(TEMPLATETYPE_read_user_files, false) +- +-## +-##

+-## Allow TEMPLATETYPE to manage files in the user home directory +-##

+-##
+-gen_tunable(TEMPLATETYPE_manage_user_files, false) +- + userdom_base_user_template(TEMPLATETYPE) + """ + +@@ -151,7 +151,9 @@ tunable_policy(`TEMPLATETYPE_read_user_files',` + ') + + tunable_policy(`TEMPLATETYPE_manage_user_files',` +- userdom_manage_user_home_content(TEMPLATETYPE_t) ++ userdom_manage_user_home_content_dirs(TEMPLATETYPE_t) ++ userdom_manage_user_home_content_files(TEMPLATETYPE_t) ++ userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t) + userdom_manage_user_tmp_files(TEMPLATETYPE_t) + ') + """ diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py index 5850622..5e308e3 100755 --- a/policycoreutils/sepolicy/sepolicy/transition.py diff --git a/policycoreutils.spec b/policycoreutils.spec index 3bfe2c1..e83f675 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 43%{?dist} +Release: 45%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
@@ -308,13 +308,18 @@ The policycoreutils-restorecond package contains the restorecond service. %postun restorecond %systemd_postun_with_restart restorecond.service -%triggerun -- restorecond < 2.0.86-13 -%{_bindir}/systemd-sysv-convert --save restorecond >/dev/null 2>&1 ||: -%{_bindir}/systemctl enable restorecond.service >/dev/null 2>&1 -%{_sbindir}/chkconfig --del restorecond >/dev/null 2>&1 || : -%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : - %changelog +* Tue May 21 2013 Dan Walsh - 2.1.14-45 +- Fix sandbox to always use sandbox_file_t, so generated policy will work. +- Update Translations + +* Thu May 16 2013 Dan Walsh - 2.1.14-44 +- Fix sepolicy-generate man page to clear up options/policy type +- Add Miroslav Grepl to not generate man page when doing + sepolicy generate --customize +- Add support for executing semanage user within spec file +- Fix generation of confined admin domains, to handle booleans properly. + * Tue May 14 2013 Dan Walsh - 2.1.14-43 - Need to handle gziped policy.xml as well as not compressed.