policycoreutils-2.8-13

- chcat: use check_call instead of getstatusoutput
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
Petr Lautrbach 2018-12-10 18:00:15 +01:00
parent 3183fc4035
commit a56e58893b
4 changed files with 368 additions and 33 deletions


@ -12,7 +12,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.8 Version: 2.8
Release: 12%{?dist} Release: 13%{?dist}
License: GPLv2 License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@ -37,7 +37,7 @@ Source22: gui-po.tgz
Source23: sandbox-po.tgz Source23: sandbox-po.tgz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# HEAD https://github.com/fedora-selinux/selinux/commit/f63677145675024f6a1dbdab595c0be1403bd592 # HEAD https://github.com/fedora-selinux/selinux/commit/2fee0bccb66a6cafcf0d178b8c75c23ebd3f9924
# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do # $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
# VERSION=2.8 ./make-fedora-selinux-patch.sh $i # VERSION=2.8 ./make-fedora-selinux-patch.sh $i
# done # done
@ -276,7 +276,6 @@ Requires:policycoreutils = %{version}-%{release}
Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
# no python3-audit-libs yet # no python3-audit-libs yet
Requires:audit-libs-python3 >= %{libauditver} Requires:audit-libs-python3 >= %{libauditver}
Requires: python3-IPy
Requires: checkpolicy Requires: checkpolicy
Requires: python3-setools >= 4.1.1 Requires: python3-setools >= 4.1.1
BuildArch: noarch BuildArch: noarch
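Review bot: dropping `Requires: python3-IPy` is the right companion to the seobject.py change in this commit that replaces `from IPy import IP` with `import ipaddress`; ipaddress ships with the Python 3 standard library, so no replacement Requires is needed, but the visible diff converts only the one IPy call site in `nodeRecords`, so the rest of seobject.py should be checked for remaining `IP(` uses before the package dependency is removed, or the failure surfaces as an ImportError at runtime rather than at build time.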
@ -374,7 +373,7 @@ The policycoreutils-devel package contains the management tools use to develop p
Summary: SELinux sandbox utilities Summary: SELinux sandbox utilities
Requires: python3-policycoreutils = %{version}-%{release} Requires: python3-policycoreutils = %{version}-%{release}
Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
Requires: openbox Requires: matchbox-window-manager
BuildRequires: libcap-ng-devel BuildRequires: libcap-ng-devel
%description sandbox %description sandbox
@ -531,6 +530,13 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
- chcat: use check_call instead of getstatusoutput
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12 * Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- sepolicy,semanage: replace aliases with corresponding type names - sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types - sepolicy-generate: Handle more reserved port types


@ -195,6 +195,37 @@ index 0000000..1795c5c
+../system-config-selinux.py +../system-config-selinux.py
+../system-config-selinux.ui +../system-config-selinux.ui
+../usersPage.py +../usersPage.py
diff --git selinux-gui-2.8/polgen.ui selinux-gui-2.8/polgen.ui
index aa4c70a..6a8c067 100644
--- selinux-gui-2.8/polgen.ui
+++ selinux-gui-2.8/polgen.ui
@@ -1975,7 +1975,7 @@ Tab</property>
<object class="GtkLabel" id="label17">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add File</property>
+ <property name="label" translatable="yes">Add File</property>
<property name="use_underline">True</property>
</object>
<packing>
@@ -2028,7 +2028,7 @@ Tab</property>
<object class="GtkLabel" id="label16">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add Directory</property>
+ <property name="label" translatable="yes">Add Directory</property>
<property name="use_underline">True</property>
</object>
<packing>
@@ -2176,7 +2176,7 @@ Tab</property>
<object class="GtkLabel" id="label3">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add Boolean</property>
+ <property name="label" translatable="yes">Add Boolean</property>
<property name="use_underline">True</property>
</object>
<packing>
diff --git selinux-gui-2.8/polgengui.py selinux-gui-2.8/polgengui.py diff --git selinux-gui-2.8/polgengui.py selinux-gui-2.8/polgengui.py
index 1601dbe..7e0d9d0 100644 index 1601dbe..7e0d9d0 100644
--- selinux-gui-2.8/polgengui.py --- selinux-gui-2.8/polgengui.py
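Review bot: marking the three GtkLabel `label` properties (`Add File`, `Add Directory`, `Add Boolean`) as `translatable="yes"` is correct and matches the `use_underline` labels around them, but none of the five changelog entries added to the spec in this commit mention the GUI translation fix; add a line so the change is discoverable from the package history.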


@ -75,10 +75,22 @@ index a826a9f..4427dea 100644
if __name__ == "__main__": if __name__ == "__main__":
unittest.main() unittest.main()
diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat
index 4bd9fc6..edfe571 100755 index 4bd9fc6..a2cc9fa 100755
--- selinux-python-2.8/chcat/chcat --- selinux-python-2.8/chcat/chcat
+++ selinux-python-2.8/chcat/chcat +++ selinux-python-2.8/chcat/chcat
@@ -34,7 +34,7 @@ import getopt @@ -22,10 +22,7 @@
# 02111-1307 USA
#
#
-try:
- from subprocess import getstatusoutput
-except ImportError:
- from commands import getstatusoutput
+import subprocess
import sys
import os
import pwd
@@ -34,7 +31,7 @@ import getopt
import selinux import selinux
import seobject import seobject
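Review bot: replacing the try/except import of `getstatusoutput` with a plain `import subprocess` also drops the `commands` fallback, which makes chcat Python 3 only; that is consistent with the python3-only Requires in the spec, but since `subprocess.check_call` is available on Python 2 as well, the fallback removal is a deliberate choice rather than a necessity and deserves a sentence in the commit message.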
@ -87,6 +99,133 @@ index 4bd9fc6..edfe571 100755
try: try:
import gettext import gettext
kwargs = {} kwargs = {}
@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind):
cat_string = "%s,%s" % (cat_string, c)
else:
cat_string = cat
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+
+ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
+
return errors
@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind):
continue
if len(cat) == 0:
- cmd = 'chcon -l %s %s' % (sensitivity, f)
+ new_serange = sensitivity
else:
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ new_serange = '%s:%s' % (sensitivity, cat)
+
+ cmd = ["chcon", "-l", new_serange, f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users):
add_ind = 1
user = seusers["__default__"]
serange = user[1].split("-")
- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ","))
+ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:]))
if new_serange[-1:] == ":":
new_serange = new_serange[:-1]
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind):
return chcat_user_replace(newcat, objects)
errors = 0
if len(newcat) == 1:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s ' % newcat[0]
+ new_serange = newcat[0]
else:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1])
+ new_serange = "%s:%s" % (newcat[0], newcat[1])
for cat in newcat[2:]:
- cmd = '%s,%s' % (cmd, cat)
+ new_serange = '%s,%s' % (new_serange, cat)
- for f in objects:
- cmd = "%s %s" % (cmd, f)
-
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["chcon", "-l", new_serange] + objects
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
diff --git selinux-python-2.8/po/Makefile selinux-python-2.8/po/Makefile diff --git selinux-python-2.8/po/Makefile selinux-python-2.8/po/Makefile
new file mode 100644 new file mode 100644
index 0000000..4e052d5 index 0000000..4e052d5
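Review bot: each new `except subprocess.CalledProcessError as e:` binds `e` but never uses it, and the branches drop the `print(rc[1])` that previously told the user why a command failed; because `check_call` is run with `stderr=subprocess.STDOUT` the child's own messages still reach the terminal, so either report `e.returncode` in a message or remove the `as e`. The substantive gain in this hunk is that every `semanage login` and `chcon` invocation is now an argv list executed with `shell=False` instead of a `%`-formatted string passed to `getstatusoutput`, so user names, ranges and file names are no longer subject to shell word splitting or metacharacter interpretation. In `chcat_replace` note the change from one string-concatenated `chcon` command to `cmd = ["chcon", "-l", new_serange] + objects`, which requires `objects` to be a list, not a tuple or generator.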
@ -193,7 +332,7 @@ index 0000000..128eb87
+../sepolicy/sepolicy/interface.py +../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py +../sepolicy/sepolicy.py
diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage
index 8d8a086..4ced085 100644 index 8d8a086..26fa46a 100644
--- selinux-python-2.8/semanage/semanage --- selinux-python-2.8/semanage/semanage
+++ selinux-python-2.8/semanage/semanage +++ selinux-python-2.8/semanage/semanage
@@ -27,7 +27,7 @@ import traceback @@ -27,7 +27,7 @@ import traceback
@ -232,6 +371,66 @@ index 8d8a086..4ced085 100644
''')) '''))
userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS) userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name')) userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
@@ -604,19 +604,19 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
OBJECT = seobject.moduleRecords(args)
- if args.action == "add":
- OBJECT.add(args.module_name, args.priority)
- if args.action == "enable":
- OBJECT.set_enabled(args.module_name, True)
- if args.action == "disable":
- OBJECT.set_enabled(args.module_name, False)
- if args.action == "remove":
- OBJECT.delete(args.module_name, args.priority)
- if args.action is "deleteall":
+ if args.action_add:
+ OBJECT.add(args.action_add, args.priority)
+ if args.action_enable:
+ OBJECT.set_enabled(args.action_enable, True)
+ if args.action_disable:
+ OBJECT.set_enabled(args.action_disable, False)
+ if args.action_remove:
+ OBJECT.delete(args.action_remove, args.priority)
+ if args.action == "deleteall":
OBJECT.deleteall()
if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("module %s" % str(i))
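Review bot: changing `args.action is "deleteall"` and `args.action is "extract"` to `==` is the right fix, since identity comparison against a string literal is not reliable. With `-a/-r/-d/-e` now storing into separate `action_add`/`action_remove`/`action_disable`/`action_enable` dests while list, extract and deleteall still use `args.action`, the later `if args.action == "list"` checks only pass for the list/extract/deleteall case because `None` never equals a string; a short comment explaining the two dest conventions would save the next reader from wondering whether `args.action` can be unset here.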
@@ -630,14 +630,13 @@ def setupModuleParser(subparsers):
parser_add_priority(moduleParser, "module")
mgroup = moduleParser.add_mutually_exclusive_group(required=True)
- parser_add_add(mgroup, "module")
parser_add_list(mgroup, "module")
parser_add_extract(mgroup, "module")
parser_add_deleteall(mgroup, "module")
- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module"))
- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module"))
- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module"))
- moduleParser.add_argument('module_name', nargs='?', default=None, help=_('Name of the module to act on'))
+ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module"))
+ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module"))
+ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module"))
+ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module"))
moduleParser.set_defaults(func=handleModule)
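Review bot: `-a/--add` is declared with `nargs=1` while `-r`, `-d` and `-e` use `nargs='+'`, so `args.action_add` is always a one-element list and seobject.py has to unwrap it (`if type(file) == list: file = file[0]`); leaving `nargs` at its default for `--add` would store the plain string and remove that special case. The removed `module_name` positional also means a caller that still passes the name positionally gets an argparse error, which is a user-visible interface change worth noting in the changelog entry "semanage: Fix handling of -a/-e/-d/-r options".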
@@ -739,9 +738,7 @@ def handlePermissive(args):
if args.action is "delete":
OBJECT.delete(args.type)
else:
- args.parser.print_usage(sys.stderr)
- sys.stderr.write(_('semanage permissive: error: the following argument is required: type\n'))
- sys.exit(1)
+ args.parser.error(message=_('semanage permissive: error: the following argument is required: type\n'))
def setupPermissiveParser(subparsers):
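Review bot: `args.parser.error(message=...)` is cleaner than the hand-rolled `print_usage`/`sys.exit(1)`, but argparse's `error()` already prefixes its output with `prog: error: ` and exits with status 2, not 1, so the message should drop its own `semanage permissive: error: ` prefix and trailing `\n` to avoid a doubled prefix and a stray blank line, and any wrapper that tested for exit code 1 needs updating. The unchanged context line `if args.action is "delete":` two lines above still carries the `is`-against-literal bug that this same patch fixes in `handleModule`.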
diff --git selinux-python-2.8/semanage/semanage-user.8 selinux-python-2.8/semanage/semanage-user.8 diff --git selinux-python-2.8/semanage/semanage-user.8 selinux-python-2.8/semanage/semanage-user.8
index 30bc670..23fec69 100644 index 30bc670..23fec69 100644
--- selinux-python-2.8/semanage/semanage-user.8 --- selinux-python-2.8/semanage/semanage-user.8
@ -262,10 +461,10 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
index c76dce8..972d5af 100644 index c76dce8..a0cdeb7 100644
--- selinux-python-2.8/semanage/seobject.py --- selinux-python-2.8/semanage/seobject.py
+++ selinux-python-2.8/semanage/seobject.py +++ selinux-python-2.8/semanage/seobject.py
@@ -30,7 +30,7 @@ import sys @@ -30,10 +30,10 @@ import sys
import stat import stat
import socket import socket
from semanage import * from semanage import *
@ -273,7 +472,11 @@ index c76dce8..972d5af 100644
+PROGNAME = "selinux-python" +PROGNAME = "selinux-python"
import sepolicy import sepolicy
import setools import setools
from IPy import IP -from IPy import IP
+import ipaddress
try:
import gettext
@@ -101,6 +101,8 @@ ftype_to_audit = {"": "any", @@ -101,6 +101,8 @@ ftype_to_audit = {"": "any",
try: try:
@ -292,7 +495,38 @@ index c76dce8..972d5af 100644
class logger: class logger:
def __init__(self): def __init__(self):
@@ -593,7 +595,6 @@ class loginRecords(semanageRecords): @@ -397,6 +399,8 @@ class moduleRecords(semanageRecords):
print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
def add(self, file, priority):
+ if type(file) == list:
+ file = file[0]
if not os.path.exists(file):
raise ValueError(_("Module does not exist: %s ") % file)
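Review bot: `if type(file) == list: file = file[0]` silently discards any element after the first; it exists only to unwrap the one-element list produced by `--add` with `nargs=1`, so prefer `isinstance(file, list)` and either assert a single element or have the parser hand over a plain string so this check is not needed at all.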
@@ -409,7 +413,9 @@ class moduleRecords(semanageRecords):
self.commit()
def set_enabled(self, module, enable):
- for m in module.split():
+ if type(module) == str:
+ module = module.split()
+ for m in module:
rc, key = semanage_module_key_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create module key"))
@@ -431,7 +437,9 @@ class moduleRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
- for m in module.split():
+ if type(module) == str:
+ module = module.split()
+ for m in module:
rc = semanage_module_remove(self.sh, m)
if rc < 0 and rc != -2:
raise ValueError(_("Could not remove module %s (remove failed)") % m)
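Review bot: the `if type(module) == str: module = module.split()` prelude is duplicated verbatim in `set_enabled` and `delete`; it preserves compatibility for callers that still pass a space-separated string while the parser now supplies a list, which is sensible, but `isinstance(module, str)` is the idiomatic check and a tiny helper would keep the two copies from drifting apart. The `rc < 0 and rc != -2` special case in `delete` is pre-existing and untouched here.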
@@ -593,7 +601,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k) semanage_seuser_key_free(k)
semanage_seuser_free(u) semanage_seuser_free(u)
@ -300,7 +534,7 @@ index c76dce8..972d5af 100644
def add(self, name, sename, serange): def add(self, name, sename, serange):
try: try:
@@ -601,7 +602,6 @@ class loginRecords(semanageRecords): @@ -601,7 +608,6 @@ class loginRecords(semanageRecords):
self.__add(name, sename, serange) self.__add(name, sename, serange)
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -308,7 +542,7 @@ index c76dce8..972d5af 100644
raise error raise error
def __modify(self, name, sename="", serange=""): def __modify(self, name, sename="", serange=""):
@@ -653,7 +653,6 @@ class loginRecords(semanageRecords): @@ -653,7 +659,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k) semanage_seuser_key_free(k)
semanage_seuser_free(u) semanage_seuser_free(u)
@ -316,7 +550,7 @@ index c76dce8..972d5af 100644
def modify(self, name, sename="", serange=""): def modify(self, name, sename="", serange=""):
try: try:
@@ -661,7 +660,6 @@ class loginRecords(semanageRecords): @@ -661,7 +666,6 @@ class loginRecords(semanageRecords):
self.__modify(name, sename, serange) self.__modify(name, sename, serange)
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -324,7 +558,7 @@ index c76dce8..972d5af 100644
raise error raise error
def __delete(self, name): def __delete(self, name):
@@ -694,8 +692,6 @@ class loginRecords(semanageRecords): @@ -694,8 +698,6 @@ class loginRecords(semanageRecords):
rec, self.sename, self.serange = selinux.getseuserbyname("__default__") rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
range, (rc, serole) = userrec.get(self.sename) range, (rc, serole) = userrec.get(self.sename)
@ -333,7 +567,7 @@ index c76dce8..972d5af 100644
def delete(self, name): def delete(self, name):
try: try:
self.begin() self.begin()
@@ -703,7 +699,6 @@ class loginRecords(semanageRecords): @@ -703,7 +705,6 @@ class loginRecords(semanageRecords):
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -341,7 +575,7 @@ index c76dce8..972d5af 100644
raise error raise error
def deleteall(self): def deleteall(self):
@@ -717,7 +712,6 @@ class loginRecords(semanageRecords): @@ -717,7 +718,6 @@ class loginRecords(semanageRecords):
self.__delete(semanage_seuser_get_name(u)) self.__delete(semanage_seuser_get_name(u))
self.commit() self.commit()
except ValueError as error: except ValueError as error:
@ -349,7 +583,7 @@ index c76dce8..972d5af 100644
raise error raise error
def get_all_logins(self): def get_all_logins(self):
@@ -1087,6 +1081,8 @@ class portRecords(semanageRecords): @@ -1087,6 +1087,8 @@ class portRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
@ -358,7 +592,7 @@ index c76dce8..972d5af 100644
if type not in self.valid_types: if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type) raise ValueError(_("Type %s is invalid, must be a port type") % type)
@@ -1151,6 +1147,7 @@ class portRecords(semanageRecords): @@ -1151,6 +1153,7 @@ class portRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
@ -366,7 +600,7 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype) raise ValueError(_("Type %s is invalid, must be a port type") % setype)
@@ -1355,6 +1352,8 @@ class ibpkeyRecords(semanageRecords): @@ -1355,6 +1358,8 @@ class ibpkeyRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
@ -375,7 +609,7 @@ index c76dce8..972d5af 100644
if type not in self.valid_types: if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type) raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
@@ -1417,6 +1416,8 @@ class ibpkeyRecords(semanageRecords): @@ -1417,6 +1422,8 @@ class ibpkeyRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
@ -384,7 +618,7 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
@@ -1603,6 +1604,8 @@ class ibendportRecords(semanageRecords): @@ -1603,6 +1610,8 @@ class ibendportRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("Type is required")) raise ValueError(_("Type is required"))
@ -393,7 +627,7 @@ index c76dce8..972d5af 100644
if type not in self.valid_types: if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name) (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1664,6 +1667,8 @@ class ibendportRecords(semanageRecords): @@ -1664,6 +1673,8 @@ class ibendportRecords(semanageRecords):
else: else:
raise ValueError(_("Requires setype")) raise ValueError(_("Requires setype"))
@ -402,7 +636,26 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
@@ -1853,6 +1858,8 @@ class nodeRecords(semanageRecords): @@ -1826,13 +1837,13 @@ class nodeRecords(semanageRecords):
# verify valid comination
if len(mask) == 0 or mask[0] == "/":
- i = IP(addr + mask)
- newaddr = i.strNormal(0)
- newmask = str(i.netmask())
- if newmask == "0.0.0.0" and i.version() == 6:
+ i = ipaddress.ip_network(addr + mask)
+ newaddr = str(i.network_address)
+ newmask = str(i.netmask)
+ if newmask == "0.0.0.0" and i.version == 6:
newmask = "::"
- protocol = "ipv%d" % i.version()
+ protocol = "ipv%d" % i.version
try:
newprotocol = self.protocol.index(protocol)
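Review bot: `ipaddress.ip_network(addr + mask)` defaults to `strict=True` and raises `ValueError` when host bits are set (an address of 10.0.0.1 with a /24 mask, for example); this hunk does not show that error being caught and rewrapped into the localized `ValueError` messages the surrounding code raises, so add a test for that input and either catch it or pass `strict=False` if the previous `IP()` behaviour accepted it. The `newmask == "0.0.0.0" and i.version == 6` branch is now dead, because `str(i.netmask)` for an IPv6 /0 network is already `::`; and dropping the call parentheses on `version` and `netmask` is correct, since both are properties in ipaddress rather than methods as in IPy.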
@@ -1853,6 +1864,8 @@ class nodeRecords(semanageRecords):
if ctype == "": if ctype == "":
raise ValueError(_("SELinux node type is required")) raise ValueError(_("SELinux node type is required"))
@ -411,7 +664,7 @@ index c76dce8..972d5af 100644
if ctype not in self.valid_types: if ctype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype) raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
@@ -1922,6 +1929,8 @@ class nodeRecords(semanageRecords): @@ -1922,6 +1935,8 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "": if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange")) raise ValueError(_("Requires setype or serange"))
@ -420,7 +673,7 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types: if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype) raise ValueError(_("Type %s is invalid, must be a node type") % setype)
@@ -2241,7 +2250,6 @@ class fcontextRecords(semanageRecords): @@ -2241,7 +2256,6 @@ class fcontextRecords(semanageRecords):
try: try:
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
@ -428,7 +681,7 @@ index c76dce8..972d5af 100644
except RuntimeError: except RuntimeError:
valid_types = [] valid_types = []
@@ -2369,8 +2377,10 @@ class fcontextRecords(semanageRecords): @@ -2369,8 +2383,10 @@ class fcontextRecords(semanageRecords):
if type == "": if type == "":
raise ValueError(_("SELinux Type is required")) raise ValueError(_("SELinux Type is required"))
@ -441,7 +694,7 @@ index c76dce8..972d5af 100644
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0: if rc < 0:
@@ -2432,8 +2442,10 @@ class fcontextRecords(semanageRecords): @@ -2432,8 +2448,10 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser): def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "": if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser")) raise ValueError(_("Requires setype, serange or seuser"))


@ -114,7 +114,7 @@ index 0000000..deff3f2
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+../sandbox +../sandbox
diff --git selinux-sandbox-2.8/sandbox selinux-sandbox-2.8/sandbox diff --git selinux-sandbox-2.8/sandbox selinux-sandbox-2.8/sandbox
index c07a1d8..a051360 100644 index c07a1d8..948496d 100644
--- selinux-sandbox-2.8/sandbox --- selinux-sandbox-2.8/sandbox
+++ selinux-sandbox-2.8/sandbox +++ selinux-sandbox-2.8/sandbox
@@ -37,7 +37,7 @@ import sepolicy @@ -37,7 +37,7 @@ import sepolicy
@ -126,14 +126,59 @@ index c07a1d8..a051360 100644
try: try:
import gettext import gettext
kwargs = {} kwargs = {}
@@ -268,7 +268,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
- default="/usr/bin/openbox",
+ default="/usr/bin/matchbox-window-manager",
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
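Review bot: the default window manager path is hard-coded in two places (`__setup_sandboxrc(self, wm=...)` and the `-W/--windowmanager` option default) and both had to be edited in this change, with a third copy in sandbox.8; define a single module-level constant and reference it from both Python sites so the next swap is a one-line change and the man page default can be kept in sync with it.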
diff --git selinux-sandbox-2.8/sandbox.8 selinux-sandbox-2.8/sandbox.8
index d83fee7..90ef495 100644
--- selinux-sandbox-2.8/sandbox.8
+++ selinux-sandbox-2.8/sandbox.8
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox \-X.
-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
.TP
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git selinux-sandbox-2.8/sandboxX.sh selinux-sandbox-2.8/sandboxX.sh diff --git selinux-sandbox-2.8/sandboxX.sh selinux-sandbox-2.8/sandboxX.sh
index eaa500d..4774528 100644 index eaa500d..c211ebc 100644
--- selinux-sandbox-2.8/sandboxX.sh --- selinux-sandbox-2.8/sandboxX.sh
+++ selinux-sandbox-2.8/sandboxX.sh +++ selinux-sandbox-2.8/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF @@ -6,21 +6,7 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
</openbox_config> [ -z $2 ] && export DPI="96" || export DPI="$2"
EOF trap "exit 0" HUP
-mkdir -p ~/.config/openbox
-cat > ~/.config/openbox/rc.xml << EOF
-<openbox_config xmlns="http://openbox.org/3.4/rc"
- xmlns:xi="http://www.w3.org/2001/XInclude">
-<applications>
- <application class="*">
- <decor>no</decor>
- <desktop>all</desktop>
- <maximized>yes</maximized>
- </application>
-</applications>
-</openbox_config>
-EOF
-
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do +(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D export DISPLAY=:$D
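Review bot: removing the generated openbox `rc.xml` (no decorations, all desktops, maximized) leaves nothing in this hunk that configures matchbox-window-manager, and the only other change is adding `-reset` to the Xephyr invocation; the commit message should state why `-reset` is wanted alongside `-terminate` and confirm that matchbox gives the same undecorated, maximized behaviour without a config file, since that was the sole purpose of the deleted block.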