* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.9-1
- Update to match NSA * Changed setfiles -c to translate the context to raw format prior to calling libsepol.
This commit is contained in:
Daniel J Walsh
parent
dd855d4916
commit
7800ad0dc0
|
|
@ -46,3 +46,4 @@ policycoreutils-1.25.4.tgz
|
|||
policycoreutils-1.25.5.tgz
|
||||
policycoreutils-1.25.6.tgz
|
||||
policycoreutils-1.25.7.tgz
|
||||
policycoreutils-1.25.9.tgz
|
||||
|
|
|
|||
|
|
@ -1,24 +1,169 @@
|
|||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.25.7/restorecon/restorecon.c
|
||||
--- nsapolicycoreutils/restorecon/restorecon.c 2005-07-27 09:58:39.000000000 -0400
|
||||
+++ policycoreutils-1.25.7/restorecon/restorecon.c 2005-08-26 14:20:10.000000000 -0400
|
||||
@@ -186,7 +186,7 @@
|
||||
freecon(scontext);
|
||||
return 0;
|
||||
}
|
||||
- retcontext=lgetfilecon(filename,&prev_context);
|
||||
+ retcontext=lgetfilecon_raw(filename,&prev_context);
|
||||
|
||||
if (retcontext >= 0 || errno == ENODATA) {
|
||||
int customizable=0;
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.25.7/setfiles/setfiles.c
|
||||
--- nsapolicycoreutils/setfiles/setfiles.c 2005-04-11 16:00:46.000000000 -0400
|
||||
+++ policycoreutils-1.25.7/setfiles/setfiles.c 2005-08-26 14:20:28.000000000 -0400
|
||||
@@ -285,7 +285,7 @@
|
||||
}
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.25.7/scripts/fixfiles
|
||||
--- nsapolicycoreutils/scripts/fixfiles 2005-08-25 16:18:08.000000000 -0400
|
||||
+++ policycoreutils-1.25.7/scripts/fixfiles 2005-08-26 16:05:39.000000000 -0400
|
||||
@@ -61,7 +61,11 @@
|
||||
if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
|
||||
TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
|
||||
test -z "$TEMPFILE" && exit
|
||||
- /usr/bin/diff $PREFC $FC | grep '^[<>]'|cut -c3-| grep ^/ | \
|
||||
+ PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
|
||||
+ sed -r -e 's,:s0[[:space:]], ,g' $PREFC > ${PREFCTEMPFILE}
|
||||
+ sed -r -e 's,:s0[[:space:]], ,g' $FC | \
|
||||
+ /usr/bin/diff -b ${PREFCTEMPFILE} - | \
|
||||
+ grep '^[<>]'|cut -c3-| grep ^/ | \
|
||||
egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
|
||||
sed -r -e 's,[[:blank:]].*,,g' \
|
||||
-e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
|
||||
@@ -85,7 +89,7 @@
|
||||
while read pattern ; do find $pattern \( -fstype ext2 -o -fstype ext3 -o -fstype jfs -o -fstype xfs \) -print; done 2> /dev/null | \
|
||||
egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
|
||||
${RESTORECON} $2 -v -f -
|
||||
- rm -f ${TEMPFILE}
|
||||
+ rm -f ${TEMPFILE} ${PREFCTEMPFILE}
|
||||
fi
|
||||
}
|
||||
#
|
||||
--- nsapolicycoreutils/semodule_package/Makefile 2005-07-28 09:46:02.000000000 -0400
|
||||
+++ policycoreutils-1.25.7/semodule_package/Makefile 2005-08-30 10:31:41.000000000 -0400
|
||||
@@ -3,6 +3,7 @@
|
||||
INCLUDEDIR ?= $(PREFIX)/include
|
||||
BINDIR ?= $(PREFIX)/bin
|
||||
LIBDIR ?= ${PREFIX}/lib
|
||||
+SELINUXDIR ?= ${DESTDIR}/etc/selinux
|
||||
|
||||
/* Get the current context of the file. */
|
||||
- ret = lgetfilecon(my_file, &context);
|
||||
+ ret = lgetfilecon_raw(my_file, &context);
|
||||
if (ret < 0) {
|
||||
if (errno == ENODATA) {
|
||||
context = malloc(10);
|
||||
CFLAGS ?= -Werror -Wall -W
|
||||
override CFLAGS += -I$(INCLUDEDIR)
|
||||
@@ -14,7 +15,9 @@
|
||||
|
||||
install: all
|
||||
-mkdir -p $(BINDIR)
|
||||
+ -mkdir -p $(SELINUXDIR)
|
||||
install -m 755 semodule_package $(BINDIR)
|
||||
+ install -m 640 semod.conf $(SELINUXDIR)/semod.conf
|
||||
|
||||
relabel:
|
||||
|
||||
--- nsapolicycoreutils/semodule_package/semod.conf 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-1.25.7/semodule_package/semod.conf 2005-08-30 10:24:54.000000000 -0400
|
||||
@@ -0,0 +1,96 @@
|
||||
+# Authors: Jason Tang <jtang@tresys.com>
|
||||
+#
|
||||
+# Copyright (C) 2004-2005 Tresys Technology, LLC
|
||||
+#
|
||||
+# This library is free software; you can redistribute it and/or
|
||||
+# modify it under the terms of the GNU Lesser General Public
|
||||
+# License as published by the Free Software Foundation; either
|
||||
+# version 2.1 of the License, or (at your option) any later version.
|
||||
+#
|
||||
+# This library is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+# Lesser General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU Lesser General Public
|
||||
+# License along with this library; if not, write to the Free Software
|
||||
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
+
|
||||
+# Specify how libsemanage will interact with the module store. The three
|
||||
+# options are:
|
||||
+#
|
||||
+# "direct" - libsemanage will write directly to the store.
|
||||
+# /foo/bar - Write by way of a policy server, whose named socket
|
||||
+# is at /foo/bar. The path must begin with a '/'.
|
||||
+# foo.com:4242 - Establish a TCP connection to a remote policy server
|
||||
+# at foo.com. If there is a colon then the remainder
|
||||
+# is interpreted as a port number; otherwise default
|
||||
+# to port 4242.
|
||||
+module-store = direct
|
||||
+
|
||||
+# When generating the final linked and expanded policy, by default
|
||||
+# semodule will set the policy version to POLICYDB_VERSION_MAX, as
|
||||
+# given in <sepol/policydb.h>. Change this setting if a different
|
||||
+# version is necessary.
|
||||
+#policy-version = 19
|
||||
+
|
||||
+# After a policy has been created this library will attempt to load it
|
||||
+# by calling the load_policy utility. If there are special
|
||||
+# requirements (e.g., read booleans from a certain file) then add them
|
||||
+# here. Below are the default values. Within 'args', the special
|
||||
+# sequence "$@" will be replaced with the policy filename.
|
||||
+#[load_policy]
|
||||
+#path = /usr/sbin/load_policy
|
||||
+#args = -b $@
|
||||
+#[end]
|
||||
+
|
||||
+# In addition to loading a policy libsemanage will validate file contexts
|
||||
+# by calling the setfiles utility. As above, "$@" will be replaced
|
||||
+# with the policy filename. In addition "$<" will be replaced with
|
||||
+# the file contexts filename.
|
||||
+#[setfiles]
|
||||
+#path = /usr/sbin/setfiles
|
||||
+#args = -q -c $@ $<
|
||||
+#[end]
|
||||
+
|
||||
+# Each program specified within a [verify] block is run during
|
||||
+# committing. There are three types of verifies allowed: module,
|
||||
+# linked, and kernel. Multiple verifies may exist for a stage; place
|
||||
+# each program within its own [verify] block. For each stage the
|
||||
+# programs are executed in the order given below. If a program ever
|
||||
+# returns a non-zero value then the entire commit is aborted.
|
||||
+#
|
||||
+# Module verifies are executed for each source module prior to
|
||||
+# linking. After they have been linked each link verifier is run
|
||||
+# against the linked base module. Finally, each kernel verifier is
|
||||
+# run against the final expanded kernel policy. If these verifiers
|
||||
+# all exit with a return value of 0 then that kernel policy will be
|
||||
+# loaded.
|
||||
+#
|
||||
+# 'path' gives a path the verificaton program. 'args' is any
|
||||
+# free-form string that supplies command line arguments to the
|
||||
+# verifier. Within args single quotes, double quotes, and backslashes
|
||||
+# are metacharacters handled similarly to bash. Within 'args', the
|
||||
+# special sequence "$@" will be replaced with a filename to the entity
|
||||
+# being checked: source module for module verifiers, linked module for
|
||||
+# linked, kernel policy for kernel. The sequence "$<" will be
|
||||
+# replaced with the previous filename, if applicable. If an older
|
||||
+# version does not exist "$<" expands to an empty string.
|
||||
+#[verify module]
|
||||
+#path = /usr/bin/some_module_verifier
|
||||
+#args = -Wall -ansi -pedantic $@ $<
|
||||
+#[end]
|
||||
+
|
||||
+#[verify module]
|
||||
+#path = /another/module/verify/program
|
||||
+#args = -With -some_more arguments
|
||||
+#[end]
|
||||
+
|
||||
+#[verify linked]
|
||||
+#path = /usr/local/bin/some_link_verifier
|
||||
+#[end]
|
||||
+
|
||||
+#[verify kernel]
|
||||
+#path = /usr/sbin/kernel_verifier
|
||||
+#args = "some argument" "some other parameter" -k $@
|
||||
+#[end]
|
||||
--- nsapolicycoreutils/setfiles/setfiles.8 2005-03-17 10:29:50.000000000 -0500
|
||||
+++ policycoreutils-1.25.7/setfiles/setfiles.8 2005-08-29 12:52:49.000000000 -0400
|
||||
@@ -35,6 +35,9 @@
|
||||
.B \-q
|
||||
suppress non-error output.
|
||||
.TP
|
||||
+.B \-r
|
||||
+use an alternate root path
|
||||
+.TP
|
||||
.B \-e directory
|
||||
directory to exclude (repeat option for more than one directory.)
|
||||
.TP
|
||||
--- nsapolicycoreutils/setfiles/setfiles.c 2005-04-11 16:00:46.000000000 -0400
|
||||
+++ policycoreutils-1.25.7/setfiles/setfiles.c 2005-08-29 12:50:56.000000000 -0400
|
||||
@@ -198,8 +198,8 @@
|
||||
void usage(const char * const name)
|
||||
{
|
||||
fprintf(stderr,
|
||||
- "usage: %s [-dnqvW] [-o filename] spec_file pathname...\n"
|
||||
- "usage: %s [-c policyfile] spec_file\n"
|
||||
+ "usage: %s [-dnqvW] [-o filename] [-r alt_root_path ] spec_file pathname...\n"
|
||||
+ "usage: %s -c policyfile spec_file\n"
|
||||
"usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
|
||||
exit(1);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,18 +1,18 @@
|
|||
%define libselinuxver 1.25.4-1
|
||||
%define libsepolver 1.7.20-1
|
||||
%define libsemanagever 1.1.3-1
|
||||
%define libselinuxver 1.25.6-1
|
||||
%define libsepolver 1.7.24-1
|
||||
%define libsemanagever 1.1.4-1
|
||||
Summary: SELinux policy core utilities.
|
||||
Name: policycoreutils
|
||||
Version: 1.25.7
|
||||
Version: 1.25.9
|
||||
Release: 1
|
||||
License: GPL
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
#Patch: policycoreutils-rhat.patch
|
||||
Patch: policycoreutils-rhat.patch
|
||||
|
||||
BuildRequires: libselinux-devel >= %{libselinuxver} pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever}
|
||||
|
||||
Requires: libselinux >= %{libselinuxver} libsepol >= %{libsepolver}
|
||||
Requires: libselinux >= %{libselinuxver} libsepol >= %{libsepolver}
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-buildroot
|
||||
|
||||
|
|
@ -35,6 +35,7 @@ context.
|
|||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -p1 -b .rhat
|
||||
|
||||
%build
|
||||
make LIBDIR="%{_libdir}" CFLAGS="%{optflags}" all
|
||||
|
|
@ -83,10 +84,22 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%{_mandir}/man1/audit2allow.1.gz
|
||||
%{_mandir}/man1/newrole.1.gz
|
||||
%config %{_sysconfdir}/pam.d/newrole
|
||||
%config %{_sysconfdir}/selinux/semod.conf
|
||||
%config %{_sysconfdir}/pam.d/run_init
|
||||
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
||||
|
||||
%changelog
|
||||
* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.9-1
|
||||
- Update to match NSA
|
||||
* Changed setfiles -c to translate the context to raw format
|
||||
prior to calling libsepol.
|
||||
|
||||
* Fri Aug 26 2005 Dan Walsh <dwalsh@redhat.com> 1.25.7-3
|
||||
- Use new version of libsemange and require it for install
|
||||
|
||||
* Fri Aug 26 2005 Dan Walsh <dwalsh@redhat.com> 1.25.7-2
|
||||
- Ignore s0 in file context
|
||||
|
||||
* Thu Aug 25 2005 Dan Walsh <dwalsh@redhat.com> 1.25.7-1
|
||||
- Update to match NSA
|
||||
* Merged patch for fixfiles -C from Dan Walsh.
|
||||
|
|
|
|||
Loading…
Reference in New Issue