policycoreutils-2.8-13
- chcat: use check_call instead of getstatusoutput - Use matchbox-window-manager instead of openbox - Use ipaddress python module instead of IPy - semanage: Fix handling of -a/-e/-d/-r options - semanage: Use standard argparse.error() method
parent
3183fc4035
commit
a56e58893b
@ -12,7 +12,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.8
|
Version: 2.8
|
||||||
Release: 12%{?dist}
|
Release: 13%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
|
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
|
||||||
@ -37,7 +37,7 @@ Source22: gui-po.tgz
|
|||||||
Source23: sandbox-po.tgz
|
Source23: sandbox-po.tgz
|
||||||
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
||||||
# run:
|
# run:
|
||||||
# HEAD https://github.com/fedora-selinux/selinux/commit/f63677145675024f6a1dbdab595c0be1403bd592
|
# HEAD https://github.com/fedora-selinux/selinux/commit/2fee0bccb66a6cafcf0d178b8c75c23ebd3f9924
|
||||||
# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
|
# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
|
||||||
# VERSION=2.8 ./make-fedora-selinux-patch.sh $i
|
# VERSION=2.8 ./make-fedora-selinux-patch.sh $i
|
||||||
# done
|
# done
|
||||||
@ -276,7 +276,6 @@ Requires:policycoreutils = %{version}-%{release}
|
|||||||
Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
|
Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
|
||||||
# no python3-audit-libs yet
|
# no python3-audit-libs yet
|
||||||
Requires:audit-libs-python3 >= %{libauditver}
|
Requires:audit-libs-python3 >= %{libauditver}
|
||||||
Requires: python3-IPy
|
|
||||||
Requires: checkpolicy
|
Requires: checkpolicy
|
||||||
Requires: python3-setools >= 4.1.1
|
Requires: python3-setools >= 4.1.1
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
@ -374,7 +373,7 @@ The policycoreutils-devel package contains the management tools use to develop p
|
|||||||
Summary: SELinux sandbox utilities
|
Summary: SELinux sandbox utilities
|
||||||
Requires: python3-policycoreutils = %{version}-%{release}
|
Requires: python3-policycoreutils = %{version}-%{release}
|
||||||
Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
|
Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
|
||||||
Requires: openbox
|
Requires: matchbox-window-manager
|
||||||
BuildRequires: libcap-ng-devel
|
BuildRequires: libcap-ng-devel
|
||||||
|
|
||||||
%description sandbox
|
%description sandbox
|
||||||
@ -531,6 +530,13 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
|
||||||
|
- chcat: use check_call instead of getstatusoutput
|
||||||
|
- Use matchbox-window-manager instead of openbox
|
||||||
|
- Use ipaddress python module instead of IPy
|
||||||
|
- semanage: Fix handling of -a/-e/-d/-r options
|
||||||
|
- semanage: Use standard argparse.error() method
|
||||||
|
|
||||||
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
|
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
|
||||||
- sepolicy,semanage: replace aliases with corresponding type names
|
- sepolicy,semanage: replace aliases with corresponding type names
|
||||||
- sepolicy-generate: Handle more reserved port types
|
- sepolicy-generate: Handle more reserved port types
|
||||||
|
@ -195,6 +195,37 @@ index 0000000..1795c5c
|
|||||||
+../system-config-selinux.py
|
+../system-config-selinux.py
|
||||||
+../system-config-selinux.ui
|
+../system-config-selinux.ui
|
||||||
+../usersPage.py
|
+../usersPage.py
|
||||||
|
diff --git selinux-gui-2.8/polgen.ui selinux-gui-2.8/polgen.ui
|
||||||
|
index aa4c70a..6a8c067 100644
|
||||||
|
--- selinux-gui-2.8/polgen.ui
|
||||||
|
+++ selinux-gui-2.8/polgen.ui
|
||||||
|
@@ -1975,7 +1975,7 @@ Tab</property>
|
||||||
|
<object class="GtkLabel" id="label17">
|
||||||
|
<property name="visible">True</property>
|
||||||
|
<property name="can_focus">False</property>
|
||||||
|
- <property name="label">Add File</property>
|
||||||
|
+ <property name="label" translatable="yes">Add File</property>
|
||||||
|
<property name="use_underline">True</property>
|
||||||
|
</object>
|
||||||
|
<packing>
|
||||||
|
@@ -2028,7 +2028,7 @@ Tab</property>
|
||||||
|
<object class="GtkLabel" id="label16">
|
||||||
|
<property name="visible">True</property>
|
||||||
|
<property name="can_focus">False</property>
|
||||||
|
- <property name="label">Add Directory</property>
|
||||||
|
+ <property name="label" translatable="yes">Add Directory</property>
|
||||||
|
<property name="use_underline">True</property>
|
||||||
|
</object>
|
||||||
|
<packing>
|
||||||
|
@@ -2176,7 +2176,7 @@ Tab</property>
|
||||||
|
<object class="GtkLabel" id="label3">
|
||||||
|
<property name="visible">True</property>
|
||||||
|
<property name="can_focus">False</property>
|
||||||
|
- <property name="label">Add Boolean</property>
|
||||||
|
+ <property name="label" translatable="yes">Add Boolean</property>
|
||||||
|
<property name="use_underline">True</property>
|
||||||
|
</object>
|
||||||
|
<packing>
|
||||||
diff --git selinux-gui-2.8/polgengui.py selinux-gui-2.8/polgengui.py
|
diff --git selinux-gui-2.8/polgengui.py selinux-gui-2.8/polgengui.py
|
||||||
index 1601dbe..7e0d9d0 100644
|
index 1601dbe..7e0d9d0 100644
|
||||||
--- selinux-gui-2.8/polgengui.py
|
--- selinux-gui-2.8/polgengui.py
|
||||||
|
@ -75,10 +75,22 @@ index a826a9f..4427dea 100644
|
|||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
unittest.main()
|
unittest.main()
|
||||||
diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat
|
diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat
|
||||||
index 4bd9fc6..edfe571 100755
|
index 4bd9fc6..a2cc9fa 100755
|
||||||
--- selinux-python-2.8/chcat/chcat
|
--- selinux-python-2.8/chcat/chcat
|
||||||
+++ selinux-python-2.8/chcat/chcat
|
+++ selinux-python-2.8/chcat/chcat
|
||||||
@@ -34,7 +34,7 @@ import getopt
|
@@ -22,10 +22,7 @@
|
||||||
|
# 02111-1307 USA
|
||||||
|
#
|
||||||
|
#
|
||||||
|
-try:
|
||||||
|
- from subprocess import getstatusoutput
|
||||||
|
-except ImportError:
|
||||||
|
- from commands import getstatusoutput
|
||||||
|
+import subprocess
|
||||||
|
import sys
|
||||||
|
import os
|
||||||
|
import pwd
|
||||||
|
@@ -34,7 +31,7 @@ import getopt
|
||||||
import selinux
|
import selinux
|
||||||
import seobject
|
import seobject
|
||||||
|
|
||||||
@ -87,6 +99,133 @@ index 4bd9fc6..edfe571 100755
|
|||||||
try:
|
try:
|
||||||
import gettext
|
import gettext
|
||||||
kwargs = {}
|
kwargs = {}
|
||||||
|
@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users):
|
||||||
|
new_serange = "%s-%s" % (serange[0], top[0])
|
||||||
|
|
||||||
|
if add_ind:
|
||||||
|
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
|
||||||
|
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
|
||||||
|
else:
|
||||||
|
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
|
||||||
|
- rc = getstatusoutput(cmd)
|
||||||
|
- if rc[0] != 0:
|
||||||
|
- print(rc[1])
|
||||||
|
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
|
||||||
|
+ try:
|
||||||
|
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
|
||||||
|
+ except subprocess.CalledProcessError as e:
|
||||||
|
errors += 1
|
||||||
|
|
||||||
|
return errors
|
||||||
|
@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind):
|
||||||
|
cat_string = "%s,%s" % (cat_string, c)
|
||||||
|
else:
|
||||||
|
cat_string = cat
|
||||||
|
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
|
||||||
|
- rc = getstatusoutput(cmd)
|
||||||
|
- if rc[0] != 0:
|
||||||
|
- print(rc[1])
|
||||||
|
+
|
||||||
|
+ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f]
|
||||||
|
+ try:
|
||||||
|
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
|
||||||
|
+ except subprocess.CalledProcessError as e:
|
||||||
|
errors += 1
|
||||||
|
return errors
|
||||||
|
|
||||||
|
@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users):
|
||||||
|
new_serange = "%s-%s" % (serange[0], top[0])
|
||||||
|
|
||||||
|
if add_ind:
|
||||||
|
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
|
||||||
|
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
|
||||||
|
else:
|
||||||
|
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
|
||||||
|
- rc = getstatusoutput(cmd)
|
||||||
|
- if rc[0] != 0:
|
||||||
|
- print(rc[1])
|
||||||
|
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
|
||||||
|
+
|
||||||
|
+ try:
|
||||||
|
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
|
||||||
|
+ except subprocess.CalledProcessError as e:
|
||||||
|
errors += 1
|
||||||
|
+
|
||||||
|
return errors
|
||||||
|
|
||||||
|
|
||||||
|
@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind):
|
||||||
|
continue
|
||||||
|
|
||||||
|
if len(cat) == 0:
|
||||||
|
- cmd = 'chcon -l %s %s' % (sensitivity, f)
|
||||||
|
+ new_serange = sensitivity
|
||||||
|
else:
|
||||||
|
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
|
||||||
|
- rc = getstatusoutput(cmd)
|
||||||
|
- if rc[0] != 0:
|
||||||
|
- print(rc[1])
|
||||||
|
+ new_serange = '%s:%s' % (sensitivity, cat)
|
||||||
|
+
|
||||||
|
+ cmd = ["chcon", "-l", new_serange, f]
|
||||||
|
+ try:
|
||||||
|
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
|
||||||
|
+ except subprocess.CalledProcessError as e:
|
||||||
|
errors += 1
|
||||||
|
return errors
|
||||||
|
|
||||||
|
@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users):
|
||||||
|
add_ind = 1
|
||||||
|
user = seusers["__default__"]
|
||||||
|
serange = user[1].split("-")
|
||||||
|
- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ","))
|
||||||
|
+ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:]))
|
||||||
|
if new_serange[-1:] == ":":
|
||||||
|
new_serange = new_serange[:-1]
|
||||||
|
|
||||||
|
if add_ind:
|
||||||
|
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
|
||||||
|
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
|
||||||
|
else:
|
||||||
|
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
|
||||||
|
- rc = getstatusoutput(cmd)
|
||||||
|
- if rc[0] != 0:
|
||||||
|
- print(rc[1])
|
||||||
|
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
|
||||||
|
+ try:
|
||||||
|
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
|
||||||
|
+ except subprocess.CalledProcessError as e:
|
||||||
|
errors += 1
|
||||||
|
return errors
|
||||||
|
|
||||||
|
@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind):
|
||||||
|
return chcat_user_replace(newcat, objects)
|
||||||
|
errors = 0
|
||||||
|
if len(newcat) == 1:
|
||||||
|
- sensitivity = newcat[0]
|
||||||
|
- cmd = 'chcon -l %s ' % newcat[0]
|
||||||
|
+ new_serange = newcat[0]
|
||||||
|
else:
|
||||||
|
- sensitivity = newcat[0]
|
||||||
|
- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1])
|
||||||
|
+ new_serange = "%s:%s" % (newcat[0], newcat[1])
|
||||||
|
for cat in newcat[2:]:
|
||||||
|
- cmd = '%s,%s' % (cmd, cat)
|
||||||
|
+ new_serange = '%s,%s' % (new_serange, cat)
|
||||||
|
|
||||||
|
- for f in objects:
|
||||||
|
- cmd = "%s %s" % (cmd, f)
|
||||||
|
-
|
||||||
|
- rc = getstatusoutput(cmd)
|
||||||
|
- if rc[0] != 0:
|
||||||
|
- print(rc[1])
|
||||||
|
+ cmd = ["chcon", "-l", new_serange] + objects
|
||||||
|
+ try:
|
||||||
|
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
|
||||||
|
+ except subprocess.CalledProcessError as e:
|
||||||
|
errors += 1
|
||||||
|
|
||||||
|
return errors
|
||||||
diff --git selinux-python-2.8/po/Makefile selinux-python-2.8/po/Makefile
|
diff --git selinux-python-2.8/po/Makefile selinux-python-2.8/po/Makefile
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..4e052d5
|
index 0000000..4e052d5
|
||||||
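Review bot: Every new `except subprocess.CalledProcessError as e:` handler in this hunk (chcat_user_add, chcat_add, chcat_user_remove, chcat_remove, chcat_user_replace and chcat_replace) binds `e` without using it, so it should read `except subprocess.CalledProcessError:` unless the return code is going to be reported. The `stderr=subprocess.STDOUT` argument to check_call captures nothing here because stdout is not redirected; its only visible effect is to move the child's error text from the caller's stderr onto its stdout, so it can likely be dropped. Since the six try/except sites are identical, a small helper that returns 1 on a non-zero exit would keep them in step and reduce the chance of one drifting; the switch to an argv list with `shell=False` is the right change and is not in question. Each function's head lies outside the hunk.
```python
def _run(cmd):
    """Run an argv list without a shell; return 1 if it exits non-zero, else 0."""
    try:
        subprocess.check_call(cmd, shell=False)
    except subprocess.CalledProcessError:
        return 1
    return 0

# … unchanged: chcat_user_add up to the cmd assignment …
        errors += _run(cmd)
```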
@ -193,7 +332,7 @@ index 0000000..128eb87
|
|||||||
+../sepolicy/sepolicy/interface.py
|
+../sepolicy/sepolicy/interface.py
|
||||||
+../sepolicy/sepolicy.py
|
+../sepolicy/sepolicy.py
|
||||||
diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage
|
diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage
|
||||||
index 8d8a086..4ced085 100644
|
index 8d8a086..26fa46a 100644
|
||||||
--- selinux-python-2.8/semanage/semanage
|
--- selinux-python-2.8/semanage/semanage
|
||||||
+++ selinux-python-2.8/semanage/semanage
|
+++ selinux-python-2.8/semanage/semanage
|
||||||
@@ -27,7 +27,7 @@ import traceback
|
@@ -27,7 +27,7 @@ import traceback
|
||||||
@ -232,6 +371,66 @@ index 8d8a086..4ced085 100644
|
|||||||
'''))
|
'''))
|
||||||
userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
|
userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
|
||||||
userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
|
userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
|
||||||
|
@@ -604,19 +604,19 @@ def setupInterfaceParser(subparsers):
|
||||||
|
|
||||||
|
def handleModule(args):
|
||||||
|
OBJECT = seobject.moduleRecords(args)
|
||||||
|
- if args.action == "add":
|
||||||
|
- OBJECT.add(args.module_name, args.priority)
|
||||||
|
- if args.action == "enable":
|
||||||
|
- OBJECT.set_enabled(args.module_name, True)
|
||||||
|
- if args.action == "disable":
|
||||||
|
- OBJECT.set_enabled(args.module_name, False)
|
||||||
|
- if args.action == "remove":
|
||||||
|
- OBJECT.delete(args.module_name, args.priority)
|
||||||
|
- if args.action is "deleteall":
|
||||||
|
+ if args.action_add:
|
||||||
|
+ OBJECT.add(args.action_add, args.priority)
|
||||||
|
+ if args.action_enable:
|
||||||
|
+ OBJECT.set_enabled(args.action_enable, True)
|
||||||
|
+ if args.action_disable:
|
||||||
|
+ OBJECT.set_enabled(args.action_disable, False)
|
||||||
|
+ if args.action_remove:
|
||||||
|
+ OBJECT.delete(args.action_remove, args.priority)
|
||||||
|
+ if args.action == "deleteall":
|
||||||
|
OBJECT.deleteall()
|
||||||
|
if args.action == "list":
|
||||||
|
OBJECT.list(args.noheading, args.locallist)
|
||||||
|
- if args.action is "extract":
|
||||||
|
+ if args.action == "extract":
|
||||||
|
for i in OBJECT.customized():
|
||||||
|
print("module %s" % str(i))
|
||||||
|
|
||||||
|
@@ -630,14 +630,13 @@ def setupModuleParser(subparsers):
|
||||||
|
parser_add_priority(moduleParser, "module")
|
||||||
|
|
||||||
|
mgroup = moduleParser.add_mutually_exclusive_group(required=True)
|
||||||
|
- parser_add_add(mgroup, "module")
|
||||||
|
parser_add_list(mgroup, "module")
|
||||||
|
parser_add_extract(mgroup, "module")
|
||||||
|
parser_add_deleteall(mgroup, "module")
|
||||||
|
- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module"))
|
||||||
|
- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module"))
|
||||||
|
- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module"))
|
||||||
|
- moduleParser.add_argument('module_name', nargs='?', default=None, help=_('Name of the module to act on'))
|
||||||
|
+ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module"))
|
||||||
|
+ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module"))
|
||||||
|
+ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module"))
|
||||||
|
+ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module"))
|
||||||
|
moduleParser.set_defaults(func=handleModule)
|
||||||
|
|
||||||
|
|
||||||
|
@@ -739,9 +738,7 @@ def handlePermissive(args):
|
||||||
|
if args.action is "delete":
|
||||||
|
OBJECT.delete(args.type)
|
||||||
|
else:
|
||||||
|
- args.parser.print_usage(sys.stderr)
|
||||||
|
- sys.stderr.write(_('semanage permissive: error: the following argument is required: type\n'))
|
||||||
|
- sys.exit(1)
|
||||||
|
+ args.parser.error(message=_('semanage permissive: error: the following argument is required: type\n'))
|
||||||
|
|
||||||
|
|
||||||
|
def setupPermissiveParser(subparsers):
|
||||||
diff --git selinux-python-2.8/semanage/semanage-user.8 selinux-python-2.8/semanage/semanage-user.8
|
diff --git selinux-python-2.8/semanage/semanage-user.8 selinux-python-2.8/semanage/semanage-user.8
|
||||||
index 30bc670..23fec69 100644
|
index 30bc670..23fec69 100644
|
||||||
--- selinux-python-2.8/semanage/semanage-user.8
|
--- selinux-python-2.8/semanage/semanage-user.8
|
||||||
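Review bot: `args.parser.error(message=...)` in handlePermissive already prefixes its argument with `prog: error: `, so the new call prints `semanage permissive: error: semanage permissive: error: the following argument is required: type`, followed by an empty line from the embedded `\n`, and it exits with status 2 where the removed code exited 1. The argument should be only the remainder, passed positionally: `args.parser.error(_('the following argument is required: type'))`. The context line `if args.action is "delete":` at the top of the hunk still compares strings by identity, the same pattern this commit corrects in handleModule, and should become `if args.action == "delete":`. handlePermissive's head is outside the hunk.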
@ -262,10 +461,10 @@ index 0bdb90f..0cdcfcc 100644
|
|||||||
user identities to authorized role sets. In most cases, only the
|
user identities to authorized role sets. In most cases, only the
|
||||||
former mapping needs to be adjusted by the administrator; the latter
|
former mapping needs to be adjusted by the administrator; the latter
|
||||||
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
|
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
|
||||||
index c76dce8..972d5af 100644
|
index c76dce8..a0cdeb7 100644
|
||||||
--- selinux-python-2.8/semanage/seobject.py
|
--- selinux-python-2.8/semanage/seobject.py
|
||||||
+++ selinux-python-2.8/semanage/seobject.py
|
+++ selinux-python-2.8/semanage/seobject.py
|
||||||
@@ -30,7 +30,7 @@ import sys
|
@@ -30,10 +30,10 @@ import sys
|
||||||
import stat
|
import stat
|
||||||
import socket
|
import socket
|
||||||
from semanage import *
|
from semanage import *
|
||||||
@ -273,7 +472,11 @@ index c76dce8..972d5af 100644
|
|||||||
+PROGNAME = "selinux-python"
|
+PROGNAME = "selinux-python"
|
||||||
import sepolicy
|
import sepolicy
|
||||||
import setools
|
import setools
|
||||||
from IPy import IP
|
-from IPy import IP
|
||||||
|
+import ipaddress
|
||||||
|
|
||||||
|
try:
|
||||||
|
import gettext
|
||||||
@@ -101,6 +101,8 @@ ftype_to_audit = {"": "any",
|
@@ -101,6 +101,8 @@ ftype_to_audit = {"": "any",
|
||||||
|
|
||||||
try:
|
try:
|
||||||
@ -292,7 +495,38 @@ index c76dce8..972d5af 100644
|
|||||||
class logger:
|
class logger:
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
@@ -593,7 +595,6 @@ class loginRecords(semanageRecords):
|
@@ -397,6 +399,8 @@ class moduleRecords(semanageRecords):
|
||||||
|
print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
|
||||||
|
|
||||||
|
def add(self, file, priority):
|
||||||
|
+ if type(file) == list:
|
||||||
|
+ file = file[0]
|
||||||
|
if not os.path.exists(file):
|
||||||
|
raise ValueError(_("Module does not exist: %s ") % file)
|
||||||
|
|
||||||
|
@@ -409,7 +413,9 @@ class moduleRecords(semanageRecords):
|
||||||
|
self.commit()
|
||||||
|
|
||||||
|
def set_enabled(self, module, enable):
|
||||||
|
- for m in module.split():
|
||||||
|
+ if type(module) == str:
|
||||||
|
+ module = module.split()
|
||||||
|
+ for m in module:
|
||||||
|
rc, key = semanage_module_key_create(self.sh)
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Could not create module key"))
|
||||||
|
@@ -431,7 +437,9 @@ class moduleRecords(semanageRecords):
|
||||||
|
if rc < 0:
|
||||||
|
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
|
||||||
|
|
||||||
|
- for m in module.split():
|
||||||
|
+ if type(module) == str:
|
||||||
|
+ module = module.split()
|
||||||
|
+ for m in module:
|
||||||
|
rc = semanage_module_remove(self.sh, m)
|
||||||
|
if rc < 0 and rc != -2:
|
||||||
|
raise ValueError(_("Could not remove module %s (remove failed)") % m)
|
||||||
|
@@ -593,7 +601,6 @@ class loginRecords(semanageRecords):
|
||||||
|
|
||||||
semanage_seuser_key_free(k)
|
semanage_seuser_key_free(k)
|
||||||
semanage_seuser_free(u)
|
semanage_seuser_free(u)
|
||||||
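Review bot: The new guards in moduleRecords.add, set_enabled and delete use exact type comparison (`type(file) == list`, `type(module) == str`); `isinstance(file, list)` and `isinstance(module, str)` are the idiomatic form and also accept subclasses. In `add`, `file = file[0]` silently drops any further entries if a caller ever passes a list longer than one; semanage's `-a` uses `nargs=1` so the CLI cannot do that today, but `if len(file) != 1: raise ValueError(_("Exactly one module file is required"))` would make the contract explicit rather than implicit. A one-line comment on the `split()` branch, `# legacy callers pass a whitespace-separated string; the CLI now passes a list`, would explain why both shapes are accepted. The bodies of all three methods continue outside the hunk.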
@ -300,7 +534,7 @@ index c76dce8..972d5af 100644
|
|||||||
|
|
||||||
def add(self, name, sename, serange):
|
def add(self, name, sename, serange):
|
||||||
try:
|
try:
|
||||||
@@ -601,7 +602,6 @@ class loginRecords(semanageRecords):
|
@@ -601,7 +608,6 @@ class loginRecords(semanageRecords):
|
||||||
self.__add(name, sename, serange)
|
self.__add(name, sename, serange)
|
||||||
self.commit()
|
self.commit()
|
||||||
except ValueError as error:
|
except ValueError as error:
|
||||||
@ -308,7 +542,7 @@ index c76dce8..972d5af 100644
|
|||||||
raise error
|
raise error
|
||||||
|
|
||||||
def __modify(self, name, sename="", serange=""):
|
def __modify(self, name, sename="", serange=""):
|
||||||
@@ -653,7 +653,6 @@ class loginRecords(semanageRecords):
|
@@ -653,7 +659,6 @@ class loginRecords(semanageRecords):
|
||||||
|
|
||||||
semanage_seuser_key_free(k)
|
semanage_seuser_key_free(k)
|
||||||
semanage_seuser_free(u)
|
semanage_seuser_free(u)
|
||||||
@ -316,7 +550,7 @@ index c76dce8..972d5af 100644
|
|||||||
|
|
||||||
def modify(self, name, sename="", serange=""):
|
def modify(self, name, sename="", serange=""):
|
||||||
try:
|
try:
|
||||||
@@ -661,7 +660,6 @@ class loginRecords(semanageRecords):
|
@@ -661,7 +666,6 @@ class loginRecords(semanageRecords):
|
||||||
self.__modify(name, sename, serange)
|
self.__modify(name, sename, serange)
|
||||||
self.commit()
|
self.commit()
|
||||||
except ValueError as error:
|
except ValueError as error:
|
||||||
@ -324,7 +558,7 @@ index c76dce8..972d5af 100644
|
|||||||
raise error
|
raise error
|
||||||
|
|
||||||
def __delete(self, name):
|
def __delete(self, name):
|
||||||
@@ -694,8 +692,6 @@ class loginRecords(semanageRecords):
|
@@ -694,8 +698,6 @@ class loginRecords(semanageRecords):
|
||||||
rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
|
rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
|
||||||
range, (rc, serole) = userrec.get(self.sename)
|
range, (rc, serole) = userrec.get(self.sename)
|
||||||
|
|
||||||
@ -333,7 +567,7 @@ index c76dce8..972d5af 100644
|
|||||||
def delete(self, name):
|
def delete(self, name):
|
||||||
try:
|
try:
|
||||||
self.begin()
|
self.begin()
|
||||||
@@ -703,7 +699,6 @@ class loginRecords(semanageRecords):
|
@@ -703,7 +705,6 @@ class loginRecords(semanageRecords):
|
||||||
self.commit()
|
self.commit()
|
||||||
|
|
||||||
except ValueError as error:
|
except ValueError as error:
|
||||||
@ -341,7 +575,7 @@ index c76dce8..972d5af 100644
|
|||||||
raise error
|
raise error
|
||||||
|
|
||||||
def deleteall(self):
|
def deleteall(self):
|
||||||
@@ -717,7 +712,6 @@ class loginRecords(semanageRecords):
|
@@ -717,7 +718,6 @@ class loginRecords(semanageRecords):
|
||||||
self.__delete(semanage_seuser_get_name(u))
|
self.__delete(semanage_seuser_get_name(u))
|
||||||
self.commit()
|
self.commit()
|
||||||
except ValueError as error:
|
except ValueError as error:
|
||||||
@ -349,7 +583,7 @@ index c76dce8..972d5af 100644
|
|||||||
raise error
|
raise error
|
||||||
|
|
||||||
def get_all_logins(self):
|
def get_all_logins(self):
|
||||||
@@ -1087,6 +1081,8 @@ class portRecords(semanageRecords):
|
@@ -1087,6 +1087,8 @@ class portRecords(semanageRecords):
|
||||||
if type == "":
|
if type == "":
|
||||||
raise ValueError(_("Type is required"))
|
raise ValueError(_("Type is required"))
|
||||||
|
|
||||||
@ -358,7 +592,7 @@ index c76dce8..972d5af 100644
|
|||||||
if type not in self.valid_types:
|
if type not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be a port type") % type)
|
raise ValueError(_("Type %s is invalid, must be a port type") % type)
|
||||||
|
|
||||||
@@ -1151,6 +1147,7 @@ class portRecords(semanageRecords):
|
@@ -1151,6 +1153,7 @@ class portRecords(semanageRecords):
|
||||||
else:
|
else:
|
||||||
raise ValueError(_("Requires setype"))
|
raise ValueError(_("Requires setype"))
|
||||||
|
|
||||||
@ -366,7 +600,7 @@ index c76dce8..972d5af 100644
|
|||||||
if setype and setype not in self.valid_types:
|
if setype and setype not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be a port type") % setype)
|
raise ValueError(_("Type %s is invalid, must be a port type") % setype)
|
||||||
|
|
||||||
@@ -1355,6 +1352,8 @@ class ibpkeyRecords(semanageRecords):
|
@@ -1355,6 +1358,8 @@ class ibpkeyRecords(semanageRecords):
|
||||||
if type == "":
|
if type == "":
|
||||||
raise ValueError(_("Type is required"))
|
raise ValueError(_("Type is required"))
|
||||||
|
|
||||||
@ -375,7 +609,7 @@ index c76dce8..972d5af 100644
|
|||||||
if type not in self.valid_types:
|
if type not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
|
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
|
||||||
|
|
||||||
@@ -1417,6 +1416,8 @@ class ibpkeyRecords(semanageRecords):
|
@@ -1417,6 +1422,8 @@ class ibpkeyRecords(semanageRecords):
|
||||||
else:
|
else:
|
||||||
raise ValueError(_("Requires setype"))
|
raise ValueError(_("Requires setype"))
|
||||||
|
|
||||||
@ -384,7 +618,7 @@ index c76dce8..972d5af 100644
|
|||||||
if setype and setype not in self.valid_types:
|
if setype and setype not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
|
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
|
||||||
|
|
||||||
@@ -1603,6 +1604,8 @@ class ibendportRecords(semanageRecords):
|
@@ -1603,6 +1610,8 @@ class ibendportRecords(semanageRecords):
|
||||||
if type == "":
|
if type == "":
|
||||||
raise ValueError(_("Type is required"))
|
raise ValueError(_("Type is required"))
|
||||||
|
|
||||||
@ -393,7 +627,7 @@ index c76dce8..972d5af 100644
|
|||||||
if type not in self.valid_types:
|
if type not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
|
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
|
||||||
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
|
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
|
||||||
@@ -1664,6 +1667,8 @@ class ibendportRecords(semanageRecords):
|
@@ -1664,6 +1673,8 @@ class ibendportRecords(semanageRecords):
|
||||||
else:
|
else:
|
||||||
raise ValueError(_("Requires setype"))
|
raise ValueError(_("Requires setype"))
|
||||||
|
|
||||||
@ -402,7 +636,26 @@ index c76dce8..972d5af 100644
|
|||||||
if setype and setype not in self.valid_types:
|
if setype and setype not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
|
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
|
||||||
|
|
||||||
@@ -1853,6 +1858,8 @@ class nodeRecords(semanageRecords):
|
@@ -1826,13 +1837,13 @@ class nodeRecords(semanageRecords):
|
||||||
|
|
||||||
|
# verify valid comination
|
||||||
|
if len(mask) == 0 or mask[0] == "/":
|
||||||
|
- i = IP(addr + mask)
|
||||||
|
- newaddr = i.strNormal(0)
|
||||||
|
- newmask = str(i.netmask())
|
||||||
|
- if newmask == "0.0.0.0" and i.version() == 6:
|
||||||
|
+ i = ipaddress.ip_network(addr + mask)
|
||||||
|
+ newaddr = str(i.network_address)
|
||||||
|
+ newmask = str(i.netmask)
|
||||||
|
+ if newmask == "0.0.0.0" and i.version == 6:
|
||||||
|
newmask = "::"
|
||||||
|
|
||||||
|
- protocol = "ipv%d" % i.version()
|
||||||
|
+ protocol = "ipv%d" % i.version
|
||||||
|
|
||||||
|
try:
|
||||||
|
newprotocol = self.protocol.index(protocol)
|
||||||
|
@@ -1853,6 +1864,8 @@ class nodeRecords(semanageRecords):
|
||||||
if ctype == "":
|
if ctype == "":
|
||||||
raise ValueError(_("SELinux node type is required"))
|
raise ValueError(_("SELinux node type is required"))
|
||||||
|
|
||||||
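Review bot: `ipaddress.ip_network(addr + mask)` is strict by default and raises `ValueError` when the address has host bits set (e.g. `10.0.0.1/24`); IPy rejected that case too as far as I recall, so the accepted input set is likely unchanged, but it is worth confirming with such an input before this ships, and `strict=False` should be passed only if the old behaviour must be preserved. The error raised on bad input now carries ipaddress's own wording rather than a translated message; wrapping the call, `except ValueError: raise ValueError(_("Invalid network address: %s%s") % (addr, mask))`, would keep the output consistent with the other checks in this method. The `newmask == "0.0.0.0" and i.version == 6` branch appears unreachable with ipaddress, since an IPv6 netmask stringifies as `::`, though it is harmless. The enclosing method begins outside the hunk.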
@ -411,7 +664,7 @@ index c76dce8..972d5af 100644
|
|||||||
if ctype not in self.valid_types:
|
if ctype not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
|
raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
|
||||||
|
|
||||||
@@ -1922,6 +1929,8 @@ class nodeRecords(semanageRecords):
|
@@ -1922,6 +1935,8 @@ class nodeRecords(semanageRecords):
|
||||||
if serange == "" and setype == "":
|
if serange == "" and setype == "":
|
||||||
raise ValueError(_("Requires setype or serange"))
|
raise ValueError(_("Requires setype or serange"))
|
||||||
|
|
||||||
@ -420,7 +673,7 @@ index c76dce8..972d5af 100644
|
|||||||
if setype and setype not in self.valid_types:
|
if setype and setype not in self.valid_types:
|
||||||
raise ValueError(_("Type %s is invalid, must be a node type") % setype)
|
raise ValueError(_("Type %s is invalid, must be a node type") % setype)
|
||||||
|
|
||||||
@@ -2241,7 +2250,6 @@ class fcontextRecords(semanageRecords):
|
@@ -2241,7 +2256,6 @@ class fcontextRecords(semanageRecords):
|
||||||
try:
|
try:
|
||||||
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
|
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
|
||||||
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
|
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
|
||||||
@ -428,7 +681,7 @@ index c76dce8..972d5af 100644
|
|||||||
except RuntimeError:
|
except RuntimeError:
|
||||||
valid_types = []
|
valid_types = []
|
||||||
|
|
||||||
@@ -2369,8 +2377,10 @@ class fcontextRecords(semanageRecords):
|
@@ -2369,8 +2383,10 @@ class fcontextRecords(semanageRecords):
|
||||||
if type == "":
|
if type == "":
|
||||||
raise ValueError(_("SELinux Type is required"))
|
raise ValueError(_("SELinux Type is required"))
|
||||||
|
|
||||||
@ -441,7 +694,7 @@ index c76dce8..972d5af 100644
|
|||||||
|
|
||||||
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
|
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
|
||||||
if rc < 0:
|
if rc < 0:
|
||||||
@@ -2432,8 +2442,10 @@ class fcontextRecords(semanageRecords):
|
@@ -2432,8 +2448,10 @@ class fcontextRecords(semanageRecords):
|
||||||
def __modify(self, target, setype, ftype, serange, seuser):
|
def __modify(self, target, setype, ftype, serange, seuser):
|
||||||
if serange == "" and setype == "" and seuser == "":
|
if serange == "" and setype == "" and seuser == "":
|
||||||
raise ValueError(_("Requires setype, serange or seuser"))
|
raise ValueError(_("Requires setype, serange or seuser"))
|
||||||
|
@ -114,7 +114,7 @@ index 0000000..deff3f2
|
|||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+../sandbox
|
+../sandbox
|
||||||
diff --git selinux-sandbox-2.8/sandbox selinux-sandbox-2.8/sandbox
|
diff --git selinux-sandbox-2.8/sandbox selinux-sandbox-2.8/sandbox
|
||||||
index c07a1d8..a051360 100644
|
index c07a1d8..948496d 100644
|
||||||
--- selinux-sandbox-2.8/sandbox
|
--- selinux-sandbox-2.8/sandbox
|
||||||
+++ selinux-sandbox-2.8/sandbox
|
+++ selinux-sandbox-2.8/sandbox
|
||||||
@@ -37,7 +37,7 @@ import sepolicy
|
@@ -37,7 +37,7 @@ import sepolicy
|
||||||
@ -126,14 +126,59 @@ index c07a1d8..a051360 100644
|
|||||||
try:
|
try:
|
||||||
import gettext
|
import gettext
|
||||||
kwargs = {}
|
kwargs = {}
|
||||||
|
@@ -268,7 +268,7 @@ class Sandbox:
|
||||||
|
copyfile(f, "/tmp", self.__tmpdir)
|
||||||
|
copyfile(f, "/var/tmp", self.__tmpdir)
|
||||||
|
|
||||||
|
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
|
||||||
|
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
|
||||||
|
execfile = self.__homedir + "/.sandboxrc"
|
||||||
|
fd = open(execfile, "w+")
|
||||||
|
if self.__options.session:
|
||||||
|
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||||
|
|
||||||
|
parser.add_option("-W", "--windowmanager", dest="wm",
|
||||||
|
type="string",
|
||||||
|
- default="/usr/bin/openbox",
|
||||||
|
+ default="/usr/bin/matchbox-window-manager",
|
||||||
|
help=_("alternate window manager"))
|
||||||
|
|
||||||
|
parser.add_option("-l", "--level", dest="level",
|
||||||
|
diff --git selinux-sandbox-2.8/sandbox.8 selinux-sandbox-2.8/sandbox.8
|
||||||
|
index d83fee7..90ef495 100644
|
||||||
|
--- selinux-sandbox-2.8/sandbox.8
|
||||||
|
+++ selinux-sandbox-2.8/sandbox.8
|
||||||
|
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
|
||||||
|
\fB\-W\fR \fB\-\-windowmanager\fR
|
||||||
|
Select alternative window manager to run within
|
||||||
|
.B sandbox \-X.
|
||||||
|
-Default to /usr/bin/openbox.
|
||||||
|
+Default to /usr/bin/matchbox-window-manager.
|
||||||
|
.TP
|
||||||
|
\fB\-X\fR
|
||||||
|
Create an X based Sandbox for gui apps, temporary files for
|
||||||
diff --git selinux-sandbox-2.8/sandboxX.sh selinux-sandbox-2.8/sandboxX.sh
|
diff --git selinux-sandbox-2.8/sandboxX.sh selinux-sandbox-2.8/sandboxX.sh
|
||||||
index eaa500d..4774528 100644
|
index eaa500d..c211ebc 100644
|
||||||
--- selinux-sandbox-2.8/sandboxX.sh
|
--- selinux-sandbox-2.8/sandboxX.sh
|
||||||
+++ selinux-sandbox-2.8/sandboxX.sh
|
+++ selinux-sandbox-2.8/sandboxX.sh
|
||||||
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
|
@@ -6,21 +6,7 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
|
||||||
</openbox_config>
|
[ -z $2 ] && export DPI="96" || export DPI="$2"
|
||||||
EOF
|
trap "exit 0" HUP
|
||||||
|
|
||||||
|
-mkdir -p ~/.config/openbox
|
||||||
|
-cat > ~/.config/openbox/rc.xml << EOF
|
||||||
|
-<openbox_config xmlns="http://openbox.org/3.4/rc"
|
||||||
|
- xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||||
|
-<applications>
|
||||||
|
- <application class="*">
|
||||||
|
- <decor>no</decor>
|
||||||
|
- <desktop>all</desktop>
|
||||||
|
- <maximized>yes</maximized>
|
||||||
|
- </application>
|
||||||
|
-</applications>
|
||||||
|
-</openbox_config>
|
||||||
|
-EOF
|
||||||
|
-
|
||||||
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||||
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||||
export DISPLAY=:$D
|
export DISPLAY=:$D
|
||||||
|
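Review bot: Removing the openbox `rc.xml` block from sandboxX.sh drops the configuration that made every client undecorated and maximized inside the Xephyr window, and nothing in this hunk configures matchbox-window-manager equivalently; the window manager is presumably launched from the `.sandboxrc` written by `__setup_sandboxrc`, whose body is outside the hunk, so confirm the intended options are applied there. The newly added `-reset` on the Xephyr line changes server lifetime together with the existing `-terminate`; a comment above the pipeline, `# -reset: reset after the last client disconnects; -terminate: exit on that reset instead of restarting`, would record why both are passed (hedged: confirm against the Xephyr man page). The context line `[ -z $2 ]` leaves `$2` unquoted and should be `[ -z "$2" ]` so an argument containing spaces cannot break the test.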