policycoreutils-3.5-0.rc1.1

- SELinux userspace 3.5-rc1 release
Petr Lautrbach 2022-12-23 17:33:59 +01:00
parent 8d6bfd9e4e
commit 9c3b4420da
29 changed files with 28 additions and 1923 deletions

.gitignore vendored

@ -344,3 +344,4 @@ policycoreutils-2.0.83.tgz
/selinux-3.4-rc2.tar.gz
/selinux-3.4-rc3.tar.gz
/selinux-3.4.tar.gz
/selinux-3.5-rc1.tar.gz


@ -1,36 +0,0 @@
From dd98fa322766760c4e1f029cf19d2515a583304f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 15:16:10 +0200
Subject: [PATCH] libselinux: declare return value of context_str(3) const
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
context_str(3) returns a string representation of the given context.
This string is owned by the context and free'd on context_free(3).
Declare it const, as already done in the man page, since it must not be
free'd by the caller.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/newrole/newrole.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index ae37d7253761..c2afa37e0ac3 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -842,7 +842,7 @@ static int parse_command_line_arguments(int argc, char **argv, char *ttyn,
char *type_ptr = NULL; /* stores malloc'd data from get_default_type */
char *level_s = NULL; /* level spec'd by user in argv[] */
char *range_ptr = NULL;
- char *new_con = NULL;
+ const char *new_con = NULL;
char *tty_con = NULL;
context_t context = NULL; /* manipulatable form of new_context */
const struct option long_options[] = {
--
2.38.1


@ -1,4 +1,4 @@
From 1b9bc42461589e49cd68727ea479cc820e55a2d7 Mon Sep 17 00:00:00 2001
From 55bc2013b480f5a33803f4b41505ac2a535d2bdf Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in


@ -1,4 +1,4 @@
From 30f3eca067ace9f73ad7612377675e5f777ea869 Mon Sep 17 00:00:00 2001
From c803df861395e181ed7476df10c04a5ed0dfcdd8 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
@ -9,7 +9,7 @@ Content-type: text/plain
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index c72ca0eb9d61..163ebcd1f232 100755
index 166af6f360a2..ebe64563c7d7 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {


@ -1,49 +0,0 @@
From 6d02b2fa29954e239721907e1fce238f25ea4f2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 15:19:52 +0200
Subject: [PATCH] semodule: avoid toctou on output module
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
Do not check for file existence and open afterwards, open with the
exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
in C11).
Found by GitHub CodeQL.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 1ed8e69054e0..48bc28dd0973 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -550,15 +550,12 @@ int main(int argc, char *argv[])
goto cleanup_extract;
}
- if (access(output_path, F_OK) == 0) {
- fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
- result = -1;
- goto cleanup_extract;
- }
-
- output_fd = fopen(output_path, "w");
+ output_fd = fopen(output_path, "wx");
if (output_fd == NULL) {
- fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
+ if (errno == EEXIST)
+ fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
+ else
+ fprintf(stderr, "%s: Unable to open %s: %s\n", argv[0], output_path, strerror(errno));
result = -1;
goto cleanup_extract;
}
--
2.38.1


@ -1,65 +0,0 @@
From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 30 May 2022 14:20:21 +0200
Subject: [PATCH] python: Split "semanage import" into two transactions
Content-type: text/plain
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 8f4e44a7a9cd..1d8281281d05 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -852,10 +852,29 @@ def handleImport(args):
trans = seobject.semanageRecords(args)
trans.start()
+ deleteCommands = []
+ commands = []
+ # separate commands for deletion from the rest so they can be
+ # applied in a separate transaction
for l in sys.stdin.readlines():
if len(l.strip()) == 0:
continue
+ if "-d" in l or "-D" in l:
+ deleteCommands.append(l)
+ else:
+ commands.append(l)
+
+ if deleteCommands:
+ importHelper(deleteCommands)
+ trans.finish()
+ trans.start()
+
+ importHelper(commands)
+ trans.finish()
+
+def importHelper(commands):
+ for l in commands:
try:
commandParser = createCommandParser()
args = commandParser.parse_args(mkargv(l))
@@ -869,8 +888,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.finish()
-
def setupImportParser(subparsers):
importParser = subparsers.add_parser('import', help=_('Import local customizations'))
--
2.38.1


@ -1,4 +1,4 @@
From f2a1b0dc836ebcf2ef418cd0c85fcea949b556eb Mon Sep 17 00:00:00 2001
From fb3038c1159ce6bb5094bc2f9feb48554ec8081e Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@ -53,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 3717d5d4ed78..eff3a8973917 100644
index b6df3e91160b..36a3ea1196b1 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -100,7 +100,9 @@ def get_all_ports():


@ -1,50 +0,0 @@
From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 20 May 2022 14:51:07 +0200
Subject: [PATCH] python/audit2allow: close file stream on error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
sepolgen-ifgen-attr-helper.c: In function load_policy:
sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE fp [CWE-775] [-Wanalyzer-file-leak]
196 | fprintf(stderr, "Out of memory!\n");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
index 6f3ba96260de..5e6cffc1887d 100644
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename)
policydb = malloc(sizeof(policydb_t));
if (policydb == NULL) {
fprintf(stderr, "Out of memory!\n");
+ fclose(fp);
return NULL;
}
if (policydb_init(policydb)) {
fprintf(stderr, "Out of memory!\n");
free(policydb);
+ fclose(fp);
return NULL;
}
@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename)
fprintf(stderr,
"error(s) encountered while parsing configuration\n");
free(policydb);
+ fclose(fp);
return NULL;
}
--
2.38.1


@ -1,4 +1,4 @@
From 239f039edd2c4030d373baa31f42651075b5927b Mon Sep 17 00:00:00 2001
From 09bf2a4318b44c895ea68d13988cb5c3dfa119ba Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@ -11,7 +11,7 @@ Content-type: text/plain
3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 770807345858..df3af9260c7f 100644
index a2762a7d215a..a32a33ea3cf6 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -270,7 +270,7 @@ class Sandbox:


@ -1,4 +1,4 @@
From e5a015f1edd5e7ed87f6f4ec6ddb45637fa178ab Mon Sep 17 00:00:00 2001
From 7fb581c76b547b20a149c6dad3d7c51075192bd8 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1


@ -1,349 +0,0 @@
From 344463076b2a91e1d2c7f5cc3835dc1a53a05e88 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 24 Jun 2022 16:24:25 +0200
Subject: [PATCH] gettext: handle unsupported languages properly
Content-type: text/plain
With "fallback=True" gettext.translation behaves the same as
gettext.install and uses NullTranslations in case the
translation file for given language was not found (as opposed to
throwing an exception).
Fixes:
# LANG is set to any "unsupported" language, e.g. en_US.UTF-8
$ chcat --help
Traceback (most recent call last):
File "/usr/bin/chcat", line 39, in <module>
t = gettext.translation(PROGNAME,
File "/usr/lib64/python3.9/gettext.py", line 592, in translation
raise FileNotFoundError(ENOENT,
FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
gui/booleansPage.py | 3 ++-
gui/domainsPage.py | 3 ++-
gui/fcontextPage.py | 3 ++-
gui/loginsPage.py | 3 ++-
gui/modulesPage.py | 3 ++-
gui/polgengui.py | 3 ++-
gui/portsPage.py | 3 ++-
gui/semanagePage.py | 3 ++-
gui/statusPage.py | 3 ++-
gui/system-config-selinux.py | 3 ++-
gui/usersPage.py | 3 ++-
python/chcat/chcat | 5 +++--
python/semanage/semanage | 3 ++-
python/semanage/seobject.py | 3 ++-
python/sepolgen/src/sepolgen/sepolgeni18n.py | 4 +++-
python/sepolicy/sepolicy.py | 3 ++-
python/sepolicy/sepolicy/__init__.py | 3 ++-
python/sepolicy/sepolicy/generate.py | 3 ++-
python/sepolicy/sepolicy/gui.py | 3 ++-
python/sepolicy/sepolicy/interface.py | 3 ++-
sandbox/sandbox | 3 ++-
21 files changed, 44 insertions(+), 22 deletions(-)
diff --git a/gui/booleansPage.py b/gui/booleansPage.py
index 5beec58bc360..ad11a9b24c79 100644
--- a/gui/booleansPage.py
+++ b/gui/booleansPage.py
@@ -46,7 +46,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/domainsPage.py b/gui/domainsPage.py
index e08f34b4d3a9..e6eadd61c1bc 100644
--- a/gui/domainsPage.py
+++ b/gui/domainsPage.py
@@ -38,7 +38,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index bac2bec3ebbd..767664f26ec8 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -55,7 +55,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/loginsPage.py b/gui/loginsPage.py
index 18b93d8c9756..7e08232a90b5 100644
--- a/gui/loginsPage.py
+++ b/gui/loginsPage.py
@@ -37,7 +37,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index c546d455d4cd..02b79f150a13 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -38,7 +38,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/polgengui.py b/gui/polgengui.py
index a18f1cba17b9..7a3ecd50c91c 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -71,7 +71,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/portsPage.py b/gui/portsPage.py
index 54aa80ded327..bee2bdf17b99 100644
--- a/gui/portsPage.py
+++ b/gui/portsPage.py
@@ -43,7 +43,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/semanagePage.py b/gui/semanagePage.py
index 1371d4e7dabe..efad14d9b375 100644
--- a/gui/semanagePage.py
+++ b/gui/semanagePage.py
@@ -30,7 +30,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/statusPage.py b/gui/statusPage.py
index c241ef83dfa0..832849e60d60 100644
--- a/gui/statusPage.py
+++ b/gui/statusPage.py
@@ -43,7 +43,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index 1b460c99363b..9f53b7fe9020 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -53,7 +53,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/gui/usersPage.py b/gui/usersPage.py
index d51bd968b77e..9acd3b844056 100644
--- a/gui/usersPage.py
+++ b/gui/usersPage.py
@@ -37,7 +37,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/python/chcat/chcat b/python/chcat/chcat
index e779fcc6ebd7..952cb8187599 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -38,9 +38,10 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
-except ImportError:
+except:
try:
import builtins
builtins.__dict__['_'] = str
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 1d8281281d05..4e8d64d6863a 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -38,7 +38,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index ff8f4e9c3008..0782c082dc0c 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -42,7 +42,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
index 56ebd807c69c..1ff307d9b27d 100644
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -19,7 +19,9 @@
try:
import gettext
- t = gettext.translation( 'selinux-python' )
+ t = gettext.translation("selinux-python",
+ localedir="/usr/share/locale",
+ fallback=True)
_ = t.gettext
except:
def _(str):
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 7ebe0efa88a1..c7a70e094b0c 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -36,7 +36,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 7208234b4a4a..9c3caa05b80b 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -31,7 +31,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 67189fc36b99..3717d5d4ed78 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -56,7 +56,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index b0263740a79f..5bdbfebade1d 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -49,7 +49,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
index 599f97fdc6e7..43f86443f2c8 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -38,7 +38,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
diff --git a/sandbox/sandbox b/sandbox/sandbox
index cd5709fb07df..789621e136da 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -45,7 +45,8 @@ try:
kwargs['unicode'] = True
t = gettext.translation(PROGNAME,
localedir="/usr/share/locale",
- **kwargs)
+ **kwargs,
+ fallback=True)
_ = t.gettext
except:
try:
--
2.38.1


@ -1,82 +0,0 @@
From 8cc529af51e8aa68a167ce78cf92687604f98619 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 8 Jun 2022 19:09:54 +0200
Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh
Content-type: text/plain
After the last commit this option's name and description no longer
matches the semantic, so give it a new one and update the descriptions.
The old name is still recognized and aliased to the new one for
backwards compatibility.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/semodule/semodule.8 | 12 ++++++------
policycoreutils/semodule/semodule.c | 13 ++++++++++---
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index d1735d216276..c56e580f27b8 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -23,12 +23,12 @@ force a reload of policy
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
-.B \-\-rebuild-if-modules-changed
-Force a rebuild of the policy if any changes to module content are detected
-(by comparing with checksum from the last transaction). One can use this
-instead of \-B to ensure that any changes to the module store done by an
-external tool (e.g. a package manager) are applied, while automatically
-skipping the rebuild if there are no new changes.
+.B \-\-refresh
+Like \-\-build, but reuses existing linked policy if no changes to module
+files are detected (by comparing with checksum from the last transaction).
+One can use this instead of \-B to ensure that any changes to the module
+store done by an external tool (e.g. a package manager) are applied, while
+automatically skipping the module re-linking if there are no module changes.
.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 48bc28dd0973..ebe062bf4c6c 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -150,9 +150,12 @@ static void usage(char *progname)
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
- printf(" --rebuild-if-modules-changed\n"
- " force policy rebuild if module content changed since\n"
- " last rebuild (based on checksum)\n");
+ printf(" --refresh like --build, but reuses existing linked policy if no\n"
+ " changes to module files are detected (via checksum)\n");
+ printf("Deprecated options:\n");
+ printf(" -b,--base same as --install\n");
+ printf(" --rebuild-if-modules-changed\n"
+ " same as --refresh\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -185,6 +188,7 @@ static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
{"rebuild-if-modules-changed", 0, NULL, '\0'},
+ {"refresh", 0, NULL, '\0'},
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
@@ -225,6 +229,9 @@ static void parse_command_line(int argc, char **argv)
case '\0':
switch(longind) {
case 0: /* --rebuild-if-modules-changed */
+ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n");
+ /* fallthrough */
+ case 1: /* --refresh */
check_ext_changes = 1;
break;
default:
--
2.38.1


@ -1,57 +0,0 @@
From ebb4a170c024d4bf0d2773b93d916e77a87393d9 Mon Sep 17 00:00:00 2001
From: Elijah Conners <business@elijahpepe.com>
Date: Wed, 15 Jun 2022 22:13:31 -0700
Subject: [PATCH] python: remove IOError in certain cases
Content-type: text/plain
In certain cases, IOError caused the much more general exception OSError
to be unreachable.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 7 ++-----
sandbox/sandbox | 2 --
2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 4e8d64d6863a..10ab3fa67d7f 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -971,8 +971,8 @@ def do_parser():
devnull = os.open(os.devnull, os.O_WRONLY)
os.dup2(devnull, sys.stdout.fileno())
sys.exit(1)
- except IOError as e:
- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ except OSError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1]))
sys.exit(1)
except KeyboardInterrupt:
sys.exit(0)
@@ -982,9 +982,6 @@ def do_parser():
except KeyError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
sys.exit(1)
- except OSError as e:
- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1]))
- sys.exit(1)
except RuntimeError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
sys.exit(1)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 789621e136da..ffac70232875 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -534,8 +534,6 @@ if __name__ == '__main__':
error_exit(error.args[0])
except KeyError as error:
error_exit(_("Invalid value %s") % error.args[0])
- except IOError as error:
- error_exit(error)
except KeyboardInterrupt:
rc = 0
--
2.38.1


@ -1,39 +0,0 @@
From b5b3afbaed29895d37f6160cc0847ef5de7538ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 8 Aug 2022 19:36:20 +0200
Subject: [PATCH] restorecond: use strict function prototype for definition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
Clang 15 starts to complain about non strict function definitions:
user.c:172:10: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int start() {
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
restorecond/user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/restorecond/user.c b/restorecond/user.c
index 47b86823ff79..3ae3ebbb7230 100644
--- a/restorecond/user.c
+++ b/restorecond/user.c
@@ -169,7 +169,7 @@ io_channel_callback
return TRUE;
}
-int start() {
+int start(void) {
#ifdef HAVE_DBUS
GDBusConnection *bus;
GError *err = NULL;
--
2.38.1


@ -1,56 +0,0 @@
From c2d58b378b3cf350d042a7b657e2b7f5861c5f26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Mon, 8 Aug 2022 19:36:55 +0200
Subject: [PATCH] Ignore egg-info directories and clean them
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain
Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/sepolicy/.gitignore | 1 +
python/sepolicy/Makefile | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/.gitignore b/python/sepolicy/.gitignore
index 3186c860ec0d..32fb47f92a9d 100644
--- a/python/sepolicy/.gitignore
+++ b/python/sepolicy/.gitignore
@@ -1,3 +1,4 @@
build
tmp
*.bak
+sepolicy.egg-info/
diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
index 3361be4ef0bc..d983e409e5e6 100644
--- a/python/sepolicy/Makefile
+++ b/python/sepolicy/Makefile
@@ -18,7 +18,7 @@ python-build:
clean:
$(PYTHON) setup.py clean
- -rm -rf build *~ \#* *pyc .#*
+ -rm -rf build *~ \#* *pyc .#* sepolicy.egg-info/
sepolgen:
ln -sf sepolicy sepolgen
--
2.38.1


@ -1,68 +0,0 @@
From a0a216ff7d86004ddc36d516377f0a6ffe88076c Mon Sep 17 00:00:00 2001
From: Paul Moore <paul@paul-moore.com>
Date: Fri, 30 Sep 2022 17:44:12 -0400
Subject: [PATCH] docs: provide a top level LICENSE file
Content-type: text/plain
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses. Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.
This is to help meet the OpenSSF Best Practices requirements.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
dbus/{COPYING => LICENSE} | 0
gui/{COPYING => LICENSE} | 0
policycoreutils/{COPYING => LICENSE} | 0
python/{COPYING => LICENSE} | 0
python/sepolgen/{COPYING => LICENSE} | 0
restorecond/{COPYING => LICENSE} | 0
sandbox/{COPYING => LICENSE} | 0
semodule-utils/{COPYING => LICENSE} | 0
8 files changed, 0 insertions(+), 0 deletions(-)
rename dbus/{COPYING => LICENSE} (100%)
rename gui/{COPYING => LICENSE} (100%)
rename policycoreutils/{COPYING => LICENSE} (100%)
rename python/{COPYING => LICENSE} (100%)
rename python/sepolgen/{COPYING => LICENSE} (100%)
rename restorecond/{COPYING => LICENSE} (100%)
rename sandbox/{COPYING => LICENSE} (100%)
rename semodule-utils/{COPYING => LICENSE} (100%)
diff --git a/dbus/COPYING b/dbus/LICENSE
similarity index 100%
rename from dbus/COPYING
rename to dbus/LICENSE
diff --git a/gui/COPYING b/gui/LICENSE
similarity index 100%
rename from gui/COPYING
rename to gui/LICENSE
diff --git a/policycoreutils/COPYING b/policycoreutils/LICENSE
similarity index 100%
rename from policycoreutils/COPYING
rename to policycoreutils/LICENSE
diff --git a/python/COPYING b/python/LICENSE
similarity index 100%
rename from python/COPYING
rename to python/LICENSE
diff --git a/python/sepolgen/COPYING b/python/sepolgen/LICENSE
similarity index 100%
rename from python/sepolgen/COPYING
rename to python/sepolgen/LICENSE
diff --git a/restorecond/COPYING b/restorecond/LICENSE
similarity index 100%
rename from restorecond/COPYING
rename to restorecond/LICENSE
diff --git a/sandbox/COPYING b/sandbox/LICENSE
similarity index 100%
rename from sandbox/COPYING
rename to sandbox/LICENSE
diff --git a/semodule-utils/COPYING b/semodule-utils/LICENSE
similarity index 100%
rename from semodule-utils/COPYING
rename to semodule-utils/LICENSE
--
2.38.1


@ -1,38 +0,0 @@
From bba6225abc6c7d8f1642d0c04c819ddc74d426c0 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 11 Oct 2022 16:36:23 +0200
Subject: [PATCH] gui: Fix export file chooser dialog
Content-type: text/plain
It wasn't possible to choose a directory in filechooser dialog using
double-click - the dialog returned the directory name instead of
listing the directory.
Fixes:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select
self.export_config(filename)
File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config
fd = open(filename, 'w')
IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/sepolicy/sepolicy/sepolicy.glade | 1 -
1 file changed, 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/sepolicy.glade b/python/sepolicy/sepolicy/sepolicy.glade
index 52407887fcfc..0724d6c8caa4 100644
--- a/python/sepolicy/sepolicy/sepolicy.glade
+++ b/python/sepolicy/sepolicy/sepolicy.glade
@@ -168,7 +168,6 @@
<object class="GtkBox" id="filechooserdialog-vbox1">
<property name="can_focus">False</property>
<property name="orientation">vertical</property>
- <signal name="button-press-event" handler="on_choose_file" swapped="no"/>
<child internal-child="action_area">
<object class="GtkButtonBox" id="filechooserdialog-action_area1">
<property name="can_focus">False</property>
--
2.38.1


@ -1,66 +0,0 @@
From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 19 Oct 2022 14:20:11 -0400
Subject: [PATCH] python: Do not query the local database if the fcontext is
non-local
Content-type: text/plain
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
python/semanage/seobject.py | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 0782c082dc0c..d82da4942987 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords):
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
- if not exists:
+ if exists:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
+ raise ValueError(_("Could not query file context for %s") % target)
+ else:
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
-
- try:
- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
- except OSError:
try:
- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
except OSError:
raise ValueError(_("Could not query file context for %s") % target)
--
2.38.1


@ -1,35 +0,0 @@
From 0fb988c86b66ede7723e179699e29f00000fc57b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 13 Oct 2022 15:23:11 +0200
Subject: [PATCH] sandbox: Do not try to remove tmpdir twice if uid == 0
Content-type: text/plain
If the user is root, tmpdir is already wiped out.
Fixes:
# sandbox -T /root/tmp -- id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:sandbox_t:s0:c696,c756
Failed to remove directory /tmp/.sandbox-root-KIlB59: No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
sandbox/seunshare.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index 8917a0f9bd42..dd1d7ddbdc89 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -414,7 +414,7 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
rc++;
}
- if (rmdir(tmpdir) == -1)
+ if (pwd->pw_uid != 0 && rmdir(tmpdir) == -1)
fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno));
if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
--
2.38.1


@ -1,245 +0,0 @@
From ecfcb1d6a8ecb914f2a7c72453c872b5f0099f4d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 13 Oct 2022 15:23:12 +0200
Subject: [PATCH] sandbox: Use temporary directory for XDG_RUNTIME_DIR
Content-type: text/plain
XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files
such as sockets, named pipes and so on. Therefore, it should not be
available to sandboxed processes.
Usage:
# ls -a $XDG_RUNTIME_DIR
. .. bus pipewire-0 systemd
# sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR"
. ..
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
sandbox/sandbox | 15 ++++++++++++++-
sandbox/sandbox.8 | 7 +++++--
sandbox/seunshare.8 | 3 +++
sandbox/seunshare.c | 45 +++++++++++++++++++++++++++++++++++----------
4 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index ffac70232875..770807345858 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -209,6 +209,7 @@ class Sandbox:
self.__level = None
self.__homedir = None
self.__tmpdir = None
+ self.__runuserdir = None
def __validate_mount(self):
if self.__options.level:
@@ -357,6 +358,11 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting"))
+ parser.add_option("-R", "--runuserdir", dest="runuserdir",
+ type="string",
+ action="callback", callback=self.__validdir,
+ help=_("alternate XDG_RUNTIME_DIR - /run/user/$UID - directory to use for mounting"))
+
parser.add_option("-w", "--windowsize", dest="windowsize",
type="string", default=DEFAULT_WINDOWSIZE,
help="size of the sandbox window")
@@ -401,10 +407,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__options.X_ind = True
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
+ self.__runuserdir = self.__options.runuserdir
else:
if self.__options.level:
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
+ self.__runuserdir = self.__options.runuserdir
if len(cmds) == 0:
self.usage(_("Command required"))
@@ -442,9 +450,14 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__tmpdir = self.__options.tmpdir
else:
self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
+ if self.__options.runuserdir:
+ self.__runuserdir = self.__options.runuserdir
+ else:
+ self.__runuserdir = mkdtemp(dir="/tmp", prefix=".sandbox_runuser_")
self.__copyfiles()
selinux.chcon(self.__homedir, self.__filecon, recursive=True)
selinux.chcon(self.__tmpdir, self.__filecon, recursive=True)
+ selinux.chcon(self.__runuserdir, self.__filecon, recursive=True)
selinux.setfscreatecon(None)
def __execute(self):
@@ -453,7 +466,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
if self.__options.usecaps:
cmds.append('-C')
if self.__mount:
- cmds += ["-t", self.__tmpdir, "-h", self.__homedir]
+ cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir]
if self.__options.X_ind:
if self.__options.dpi:
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index d83fee76f335..1ee0ecea96d1 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -3,11 +3,11 @@
sandbox \- Run cmd under an SELinux sandbox
.SH SYNOPSIS
.B sandbox
-[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
.br
.B sandbox
-[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
+[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
.br
.SH DESCRIPTION
.PP
@@ -67,6 +67,9 @@ sandbox_net_client_t \- All network ports
\fB\-T\fR \fB\-\-tmpdir\fR
Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires \-X or \-M.
.TP
+\fB\-R\fR \fB\-\-runuserdir\fR
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID).
+.TP
\fB\-S\fR \fB\-\-session\fR
Run a full desktop session, Requires level, and home and tmpdir.
.TP
diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8
index 0da352613485..09cf7feae45d 100644
--- a/sandbox/seunshare.8
+++ b/sandbox/seunshare.8
@@ -18,6 +18,9 @@ Alternate homedir to be used by the application. Homedir must be owned by the u
\fB\-t\ tmpdir
Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user.
.TP
+\fB\-r\ runuserdir
+Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user.
+.TP
\fB\-C --capabilities\fR
Allow apps executed within the namespace to use capabilities. Default is no capabilities.
.TP
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index dd1d7ddbdc89..1d38ea92b9ae 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -52,7 +52,7 @@
#define BUF_SIZE 1024
#define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ")
static int verbose = 0;
static int child = 0;
@@ -623,15 +623,20 @@ int main(int argc, char **argv) {
char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
char *tmpdir_r = NULL; /* tmpdir created by seunshare */
+ char *runuserdir_s = NULL; /* /var/run/user/UID spec'd by user in argv[] */
+ char *runuserdir_r = NULL; /* /var/run/user/UID created by seunshare */
struct stat st_curhomedir;
struct stat st_homedir;
struct stat st_tmpdir_s;
struct stat st_tmpdir_r;
+ struct stat st_runuserdir_s;
+ struct stat st_runuserdir_r;
const struct option long_options[] = {
{"homedir", 1, 0, 'h'},
{"tmpdir", 1, 0, 't'},
+ {"runuserdir", 1, 0, 'r'},
{"kill", 1, 0, 'k'},
{"verbose", 1, 0, 'v'},
{"context", 1, 0, 'Z'},
@@ -665,7 +670,7 @@ int main(int argc, char **argv) {
}
while (1) {
- clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
+ clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL);
if (clflag == -1)
break;
@@ -679,6 +684,9 @@ int main(int argc, char **argv) {
case 'h':
homedir_s = optarg;
break;
+ case 'r':
+ runuserdir_s = optarg;
+ break;
case 'v':
verbose++;
break;
@@ -729,6 +737,10 @@ int main(int argc, char **argv) {
if (tmpdir_s && (
verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
+ if (runuserdir_s && (
+ verify_directory(runuserdir_s, NULL, &st_runuserdir_s) < 0 ||
+ check_owner_uid(uid, runuserdir_s, &st_runuserdir_s))) return -1;
+
if ((uid_t)setfsuid(0) != uid) return -1;
/* create runtime tmpdir */
@@ -737,6 +749,12 @@ int main(int argc, char **argv) {
fprintf(stderr, _("Failed to create runtime temporary directory\n"));
return -1;
}
+ /* create runtime runuserdir */
+ if (runuserdir_s && (runuserdir_r = create_tmpdir(runuserdir_s, &st_runuserdir_s,
+ &st_runuserdir_r, pwd, execcon)) == NULL) {
+ fprintf(stderr, _("Failed to create runtime $XDG_RUNTIME_DIR directory\n"));
+ return -1;
+ }
/* spawn child process */
child = fork();
@@ -775,7 +793,21 @@ int main(int argc, char **argv) {
if (check_owner_uid(uid, resolved_path, &st_curhomedir) < 0)
goto childerr;
- /* mount homedir and tmpdir, in this order */
+ if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) {
+ if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ } else {
+ if (asprintf(&RUNTIME_DIR, "/run/user/%d", uid) == -1) {
+ perror(_("Out of memory\n"));
+ goto childerr;
+ }
+ }
+
+ /* mount homedir, runuserdir and tmpdir, in this order */
+ if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR,
+ &st_runuserdir_s) != 0) goto childerr;
if (homedir_s && seunshare_mount(homedir_s, resolved_path,
&st_homedir) != 0) goto childerr;
if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp",
@@ -799,13 +831,6 @@ int main(int argc, char **argv) {
}
}
- if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) {
- if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) {
- perror(_("Out of memory"));
- goto childerr;
- }
- }
-
if ((rc = clearenv()) != 0) {
perror(_("Failed to clear environment"));
goto childerr;
--
2.38.1


@ -1,81 +0,0 @@
From c08cf24f39989cfc610a481ae3dc380b61e9ca5f Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Fri, 28 Oct 2022 16:16:22 -0400
Subject: [PATCH] python: Remove dependency on the Python module distutils
Content-type: text/plain
The distutils package is deprecated and scheduled to be removed in
Python 3.12. Use the setuptools and sysconfig modules instead.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/Makefile | 2 +-
python/sepolgen/src/sepolgen/Makefile | 2 +-
python/sepolicy/sepolicy/gui.py | 4 ++--
python/sepolicy/setup.py | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/semanage/Makefile b/python/semanage/Makefile
index 024e9640fed0..b53ee33db6ac 100644
--- a/python/semanage/Makefile
+++ b/python/semanage/Makefile
@@ -5,7 +5,7 @@ LINGUAS ?= ru
PREFIX ?= /usr
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))")
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
PACKAGEDIR ?= $(PYTHONLIBDIR)
BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile
index cac8def7204e..a10392273181 100644
--- a/python/sepolgen/src/sepolgen/Makefile
+++ b/python/sepolgen/src/sepolgen/Makefile
@@ -1,6 +1,6 @@
PREFIX ?= /usr
PYTHON ?= python3
-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))")
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))")
PACKAGEDIR ?= /$(PYTHONLIBDIR)/sepolgen
all:
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 5bdbfebade1d..335be582b668 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -77,7 +77,7 @@ def cmp(a, b):
return 1
return (a > b) - (a < b)
-import distutils.sysconfig
+import sysconfig
ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<"))
ADVANCED_SEARCH_LABEL = (_("Advanced Search >>"), _("Advanced Search <<"))
OUTBOUND_PAGE = 0
@@ -130,7 +130,7 @@ class SELinuxGui():
self.application = app
self.filter_txt = ""
builder = Gtk.Builder() # BUILDER OBJ
- self.code_path = distutils.sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
+ self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
glade_file = self.code_path + "sepolicy.glade"
builder.add_from_file(glade_file)
self.outer_notebook = builder.get_object("outer_notebook")
diff --git a/python/sepolicy/setup.py b/python/sepolicy/setup.py
index b0f9650df875..c82206647f9b 100644
--- a/python/sepolicy/setup.py
+++ b/python/sepolicy/setup.py
@@ -2,7 +2,7 @@
# Author: Thomas Liu <tliu@redhat.com>
# Author: Dan Walsh <dwalsh@redhat.com>
-from distutils.core import setup
+from setuptools import setup
setup(
name="sepolicy",
--
2.38.1


@ -1,81 +0,0 @@
From 48602370acabffea96759bf66edd00ca829f5d17 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 Oct 2022 22:36:59 +0200
Subject: [PATCH] python: Harden tools against "rogue" modules
Content-type: text/plain
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/audit2allow | 2 +-
python/audit2allow/sepolgen-ifgen | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/sepolicy/sepolicy.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 09b06f664bc4..eafeea88aa21 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Authors: Dan Walsh <dwalsh@redhat.com>
#
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index b7a04c719acc..f2cc0c32f2b0 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
diff --git a/python/chcat/chcat b/python/chcat/chcat
index 952cb8187599..68718ec5f102 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 10ab3fa67d7f..b21d1484ab85 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index c7a70e094b0c..733d40484709 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
--
2.38.1


@ -1,28 +0,0 @@
From 5e9f9478cc6eeaa46e0e8172a458a49e49d4e258 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 9 Nov 2022 11:53:28 +0100
Subject: [PATCH] python: Fix typo in audit2allow.1 example
Content-type: text/plain
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/audit2allow.1 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/audit2allow/audit2allow.1 b/python/audit2allow/audit2allow.1
index c61067b33688..04ec32398011 100644
--- a/python/audit2allow/audit2allow.1
+++ b/python/audit2allow/audit2allow.1
@@ -151,7 +151,7 @@ policy_module(local, 1.0)
gen_require(`
type myapp_t;
type etc_t;
- };
+\[aq])
files_read_etc_files(myapp_t)
<review local.te and customize as desired>
--
2.38.1


@ -1,102 +0,0 @@
From 762090ae1a67b040b37cc4863f1ceb0b45c66717 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Fri, 18 Nov 2022 13:51:52 +0100
Subject: [PATCH] python/sepolicy: Fix sepolicy manpage -w ...
Content-type: text/plain
Commit 7494bb1298b3 ("sepolicy: generate man pages in parallel")
improved sepolicy performance but broke `sepolicy manpage -w ...` as it
didn't collect data about domains and roles from ManPage() and so
HTMLManPages() generated only empty page. This is fixed now, domains
and roles are being collected and used for HTML pages.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy.py | 13 +++++++++++--
python/sepolicy/sepolicy/manpage.py | 12 +++++-------
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 733d40484709..82ff6af2bc2d 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -332,9 +332,10 @@ def manpage_work(domain, path, root, source_files, web):
from sepolicy.manpage import ManPage
m = ManPage(domain, path, root, source_files, web)
print(m.get_man_page_path())
+ return (m.manpage_domains, m.manpage_roles)
def manpage(args):
- from sepolicy.manpage import HTMLManPages, manpage_domains, manpage_roles, gen_domains
+ from sepolicy.manpage import HTMLManPages, gen_domains
path = args.path
if not args.policy and args.root != "/":
@@ -347,9 +348,17 @@ def manpage(args):
else:
test_domains = args.domain
+ manpage_domains = set()
+ manpage_roles = set()
p = Pool()
+ async_results = []
for domain in test_domains:
- p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])
+ async_results.append(p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web]))
+ for result in async_results:
+ domains, roles = result.get()
+ manpage_domains.update(domains)
+ manpage_roles.update(roles)
+
p.close()
p.join()
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 3e61e333193f..de72cb6cda5f 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -21,7 +21,7 @@
# 02111-1307 USA
#
#
-__all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_domains']
+__all__ = ['ManPage', 'HTMLManPages', 'gen_domains']
import string
import selinux
@@ -147,10 +147,6 @@ def _gen_types():
def prettyprint(f, trim):
return " ".join(f[:-len(trim)].split("_"))
-# for HTML man pages
-manpage_domains = []
-manpage_roles = []
-
fedora_releases = ["Fedora17", "Fedora18"]
rhel_releases = ["RHEL6", "RHEL7"]
@@ -408,6 +404,8 @@ class ManPage:
"""
modules_dict = None
enabled_str = ["Disabled", "Enabled"]
+ manpage_domains = []
+ manpage_roles = []
def __init__(self, domainname, path="/tmp", root="/", source_files=False, html=False):
self.html = html
@@ -453,10 +451,10 @@ class ManPage:
if self.domainname + "_r" in self.all_roles:
self.__gen_user_man_page()
if self.html:
- manpage_roles.append(self.man_page_path)
+ self.manpage_roles.append(self.man_page_path)
else:
if self.html:
- manpage_domains.append(self.man_page_path)
+ self.manpage_domains.append(self.man_page_path)
self.__gen_man_page()
self.fd.close()
--
2.38.1


@ -1,57 +0,0 @@
From fe825bf76f7a6727a3654c96e7bc55ddc7069b76 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Fri, 18 Nov 2022 13:51:53 +0100
Subject: [PATCH] python/sepolicy: Use distro module to get os version
Content-type: text/plain
distro module uses /etc/os-release file which contains operating system
identification data, see os-release(5). Given that the mechanism doesn't
use `rpm` it should be possible to generate man pages on other
distributions.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 25 ++++++-------------------
1 file changed, 6 insertions(+), 19 deletions(-)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 9c3caa05b80b..baa4c8e62e97 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1226,27 +1226,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ import distro
+ system_release = distro.name(pretty=True)
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
--
2.38.1


@ -1,133 +0,0 @@
From 1fad73e62fdda5290e3939464df09796fca6871d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Fri, 18 Nov 2022 13:51:55 +0100
Subject: [PATCH] python/sepolicy: Simplify generation of man pages
Content-type: text/plain
And do not hardcode Fedora and RHEL versions.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 71 ++++-------------------------
1 file changed, 8 insertions(+), 63 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index de72cb6cda5f..edeb3b77e759 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -147,9 +147,6 @@ def _gen_types():
def prettyprint(f, trim):
return " ".join(f[:-len(trim)].split("_"))
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
@@ -180,7 +177,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
- Generate a HHTML Manpages on an given SELinux domains
+ Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -188,18 +185,12 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
-
- if self.os_version in fedora_releases or self.os_version in rhel_releases:
- self.__gen_html_manpages()
- else:
- print("SELinux HTML man pages can not be generated for this %s" % os_version)
- exit(1)
+ self.new_path = self.old_path
+ self.__gen_html_manpages()
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@@ -217,67 +208,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created" % index)
-
- def _gen_body(self):
- html = self.new_path + self.os_version + ".html"
+ html = self.new_path + "index.html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
--
2.38.1


@ -1,160 +0,0 @@
From 3fb03f54d0dad5119cdd3e1d2b13370b8296040b Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Mon, 21 Nov 2022 11:39:32 +0100
Subject: [PATCH] Fix E275 missing whitespace after keyword
Content-type: text/plain
Fixes:
./gui/polgengui.py:484:18: E275 missing whitespace after keyword
./gui/polgengui.py:530:18: E275 missing whitespace after keyword
./python/sepolgen/src/sepolgen/policygen.py:327:19: E275 missing whitespace after keyword
./python/sepolgen/src/sepolgen/policygen.py:329:11: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/__init__.py:453:15: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/generate.py:1351:28: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/generate.py:1353:28: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/gui.py:638:24: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/gui.py:863:23: E275 missing whitespace after keyword
./python/sepolicy/sepolicy/gui.py:2177:16: E275 missing whitespace after keyword
./sandbox/sandbox:114:7: E275 missing whitespace after keyword
./sandbox/sandbox:134:11: E275 missing whitespace after keyword
./sandbox/sandbox:136:7: E275 missing whitespace after keyword
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
gui/polgengui.py | 4 ++--
python/sepolgen/src/sepolgen/policygen.py | 4 ++--
python/sepolicy/sepolicy/__init__.py | 4 ++--
python/sepolicy/sepolicy/generate.py | 4 ++--
python/sepolicy/sepolicy/gui.py | 6 +++---
sandbox/sandbox | 6 +++---
6 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/gui/polgengui.py b/gui/polgengui.py
index 7a3ecd50c91c..16116ba68b61 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -481,7 +481,7 @@ class childWindow:
my_policy = sepolicy.generate.policy(self.get_name(), self.get_type())
iter = self.boolean_store.get_iter_first()
- while(iter):
+ while iter:
my_policy.add_boolean(self.boolean_store.get_value(iter, 0), self.boolean_store.get_value(iter, 1))
iter = self.boolean_store.iter_next(iter)
@@ -527,7 +527,7 @@ class childWindow:
my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text())
iter = self.store.get_iter_first()
- while(iter):
+ while iter:
if self.store.get_value(iter, 1) == FILE:
my_policy.add_file(self.store.get_value(iter, 0))
else:
diff --git a/python/sepolgen/src/sepolgen/policygen.py b/python/sepolgen/src/sepolgen/policygen.py
index 8f0ce26e4dc7..183b41a93d50 100644
--- a/python/sepolgen/src/sepolgen/policygen.py
+++ b/python/sepolgen/src/sepolgen/policygen.py
@@ -324,9 +324,9 @@ def call_interface(interface, av):
ifcall.args.append(av.obj_class)
else:
print(params[i].type)
- assert(0)
+ assert 0
- assert(len(ifcall.args) > 0)
+ assert len(ifcall.args) > 0
return ifcall
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index baa4c8e62e97..68907a4f9759 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -450,9 +450,9 @@ def get_conditionals(src, dest, tclass, perm):
tlist.append(tdict)
tdict = {}
except KeyError:
- return(tlist)
+ return tlist
- return (tlist)
+ return tlist
def get_conditionals_format_text(cond):
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index eff3a8973917..36a3ea1196b1 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -1348,9 +1348,9 @@ allow %s_t %s_t:%s_socket name_%s;
if len(temp_dirs) != 0:
for i in temp_dirs:
if i in self.dirs.keys():
- del(self.dirs[i])
+ del self.dirs[i]
elif i in self.files.keys():
- del(self.files[i])
+ del self.files[i]
else:
continue
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 335be582b668..c8f33f522a2d 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -635,7 +635,7 @@ class SELinuxGui():
for k in self.cur_dict:
for j in self.cur_dict[k]:
if i == ctr:
- del(self.cur_dict[k][j])
+ del self.cur_dict[k][j]
return
i += 1
@@ -860,7 +860,7 @@ class SELinuxGui():
if val is True or val is False or val is None:
continue
# Returns true if filter_txt exists within the val
- if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1):
+ if val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1:
return True
except (AttributeError, TypeError):
pass
@@ -2174,7 +2174,7 @@ class SELinuxGui():
model.set_value(iter, 0, not model.get_value(iter, 0))
active = model.get_value(iter, 0)
if name in self.cur_dict["boolean"]:
- del(self.cur_dict["boolean"][name])
+ del self.cur_dict["boolean"][name]
else:
self.cur_dict["boolean"][name] = {"active": active}
self.new_updates()
diff --git a/sandbox/sandbox b/sandbox/sandbox
index df3af9260c7f..a32a33ea3cf6 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -111,7 +111,7 @@ def copyfile(file, srcdir, dest):
def savefile(new, orig, X_ind):
copy = False
- if(X_ind):
+ if X_ind:
import gi
gi.require_version('Gtk', '3.0')
from gi.repository import Gtk
@@ -131,9 +131,9 @@ def savefile(new, orig, X_ind):
except NameError:
pass
ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig)
- if(re.match(_("[yY]"), ans)):
+ if re.match(_("[yY]"), ans):
copy = True
- if(copy):
+ if copy:
shutil.copy2(new, orig)
--
2.38.1


@ -1,7 +1,7 @@
%global libauditver 3.0
%global libsepolver 3.4-4
%global libsemanagever 3.4-6
%global libselinuxver 3.4-6
%global libsepolver 3.5-0
%global libsemanagever 3.5-0
%global libselinuxver 3.5-0
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -10,11 +10,11 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 3.4
Release: 7.1%{?dist}
Version: 3.5
Release: 0.rc1.1%{?dist}
License: GPL-2.0-or-later
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/selinux-3.4.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5-rc1/selinux-3.5-rc1.tar.gz
URL: https://github.com/SELinuxProject/selinux
Source13: system-config-selinux.png
Source14: sepolicy-icons.tgz
@ -28,36 +28,14 @@ Source21: python-po.tgz
Source22: gui-po.tgz
Source23: sandbox-po.tgz
# https://github.com/fedora-selinux/selinux
# $ git format-patch -N 3.4 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ git format-patch -N 3.5-rc1 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start
Patch0001: 0001-libselinux-declare-return-value-of-context_str-3-con.patch
Patch0002: 0002-semodule-avoid-toctou-on-output-module.patch
Patch0003: 0003-python-Split-semanage-import-into-two-transactions.patch
Patch0004: 0004-python-audit2allow-close-file-stream-on-error.patch
Patch0005: 0005-gettext-handle-unsupported-languages-properly.patch
Patch0006: 0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch
Patch0007: 0007-python-remove-IOError-in-certain-cases.patch
Patch0008: 0008-restorecond-use-strict-function-prototype-for-defini.patch
Patch0009: 0009-Ignore-egg-info-directories-and-clean-them.patch
# Patch0010: 0010-Update-translations.patch
Patch0011: 0011-docs-provide-a-top-level-LICENSE-file.patch
Patch0012: 0012-gui-Fix-export-file-chooser-dialog.patch
Patch0013: 0013-python-Do-not-query-the-local-database-if-the-fconte.patch
Patch0014: 0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch
Patch0015: 0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch
Patch0016: 0016-python-Remove-dependency-on-the-Python-module-distut.patch
Patch0017: 0017-python-Harden-tools-against-rogue-modules.patch
Patch0018: 0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0019: 0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0021: 0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0022: 0022-Use-SHA-2-instead-of-SHA-1.patch
Patch0023: 0023-python-Fix-typo-in-audit2allow.1-example.patch
Patch0024: 0024-python-sepolicy-Fix-sepolicy-manpage-w.patch
Patch0025: 0025-python-sepolicy-Use-distro-module-to-get-os-version.patch
Patch0026: 0026-python-sepolicy-Simplify-generation-of-man-pages.patch
Patch0027: 0027-Fix-E275-missing-whitespace-after-keyword.patch
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0002: 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0003: 0003-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0004: 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0005: 0005-Use-SHA-2-instead-of-SHA-1.patch
# Patch list end
Obsoletes: policycoreutils < 2.0.61-2
@ -70,7 +48,7 @@ Provides: /sbin/restorecon
BuildRequires: gcc make
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python3-devel python3-setuptools
BuildRequires: python3-devel python3-setuptools python3-pip
BuildRequires: systemd
BuildRequires: git-core
Requires: util-linux grep gawk diffutils rpm sed
@ -93,7 +71,7 @@ load_policy to load policies, setfiles to label filesystems, newrole
to switch roles.
%prep -p /usr/bin/bash
%autosetup -n selinux-%{version} -p 1
%autosetup -p 1 -n selinux-%{version}-rc1
cp %{SOURCE13} gui/
tar -xvf %{SOURCE14} -C python/sepolicy/
@ -106,7 +84,7 @@ tar -xvf %{SOURCE14} -C python/sepolicy/
# tar -x -f %{SOURCE20} -C policycoreutils -z
# tar -x -f %{SOURCE21} -C python -z
# tar -x -f %{SOURCE22} -C gui -z
tar -x -f %{SOURCE23} -C sandbox -z
# tar -x -f %{SOURCE23} -C sandbox -z
%build
%set_build_flags
@ -486,6 +464,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Fri Dec 23 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
- SELinux userspace 3.5-rc1 release
* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-7.1
- Rebase on upstream f56a72ac9e86
- sepolicy: fix sepolicy manpage -w
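Review bot: The `%prep` line `%autosetup -p 1 -n selinux-%{version}-rc1` hard-codes the pre-release suffix that `Release: 0.rc1.1%{?dist}` and the `Source0` URL also spell out, so the next bump (rc2 or the final 3.5) must be edited in three places and a missed one only shows up as a build failure. Defining the suffix once next to the other `%global` lines, e.g. `%global rcver rc1` (constructed name), and using `%{rcver}` in `Release`, `Source0` and the `%autosetup -n` argument keeps them in step. Separately, the patch list shrinks from 27 entries to 5 with no note on why; if the dropped patches (among them `0002-semodule-avoid-toctou-on-output-module.patch` and `0017-python-Harden-tools-against-rogue-modules.patch`) are contained in the 3.5-rc1 tarball, a comment after `# Patch list start` such as `# Fedora patches carried against 3.4 are merged upstream in 3.5-rc1` would record that the hardening is still present rather than lost in the rebase.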


@ -2,4 +2,4 @@ SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda
SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be
SHA512 (sandbox-po.tgz) = 3d4b389b56bab1a6dddce9884dcebdefbefd1017fec6d987ac22a0705f409ed56722387aaca8fe7d9c468862136387bc703062e2b6de8fd102e13fed04ce811b
SHA512 (selinux-3.4.tar.gz) = 9b619f6b2c632cc5cfebf5e9a9c1aa4130ef1efe9b85954d5a9da4f7a9bc15e82b9efcb4aa9c7ba2e16bac79cf116163a5d4d9cb7cbba3c96c88e01509bd60ab
SHA512 (selinux-3.5-rc1.tar.gz) = 82643c99343088c7eb7d96ba9f77d463b15bd900e24f6cdb8a9730ee12db7b87d143da4bb2c706514bc2c3de3e864bc68e13e639212bd1b53acee0f0b562618f