rpms
/
policycoreutils
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

SELinux userspace 3.2-rc1 release 

https://lore.kernel.org/selinux/87a6t36bpp.fsf@redhat.com/T/#u
This commit is contained in:
Petr Lautrbach 2021-01-20 20:44:33 +01:00
parent d56dce0a5d
commit b96da65939
28 changed files with 111 additions and 638 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.gitignore vendored
View File

@ -322,3 +322,10 @@ policycoreutils-2.0.83.tgz
/selinux-python-3.1.tar.gz
/selinux-sandbox-3.1.tar.gz
/semodule-utils-3.1.tar.gz
/policycoreutils-3.2-rc1.tar.gz
/restorecond-3.2-rc1.tar.gz
/selinux-dbus-3.2-rc1.tar.gz
/selinux-gui-3.2-rc1.tar.gz
/selinux-python-3.2-rc1.tar.gz
/selinux-sandbox-3.2-rc1.tar.gz
/semodule-utils-3.2-rc1.tar.gz

34
0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
View File

@ -1,34 +0,0 @@
From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
From: "W. Michael Petullo" <mike@flyn.org>
Date: Thu, 16 Jul 2020 15:29:20 -0500
Subject: [PATCH] python/audit2allow: add #include <limits.h> to
sepolgen-ifgen-attr-helper.c
I found that building on OpenWrt/musl failed with:
sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
Musl is less "generous" than glibc in recursively including header
files, and I suspect this is the reason for this error. Explicitly
including limits.h fixes the problem.
Signed-off-by: W. Michael Petullo <mike@flyn.org>
---
python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
index 53f20818722a..f010c9584c1f 100644
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -28,6 +28,7 @@
#include <selinux/selinux.h>
+#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
--
2.29.0

4
0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch → 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
View File

@ -1,4 +1,4 @@
From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
From 560cf8a87edbae33ed5320355890e11c4e1227f5 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
cat > ~/seremote << __EOF
#!/bin/sh
--
2.29.0
2.30.0

10
0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch → 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
View File

@ -1,4 +1,4 @@
From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
From ba8c8a07d0ba68035acc9bd5340910588064f6f7 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@ -9,10 +9,10 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 3e8a3be907e3..a1d70623cff0 100755
index 2f847abb87e2..dccd778ed4be 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -735,10 +735,13 @@ Default Defined Ports:""")
@@ -737,10 +737,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
@ -26,7 +26,7 @@ index 3e8a3be907e3..a1d70623cff0 100755
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
@ -42,5 +42,5 @@ index 3e8a3be907e3..a1d70623cff0 100755
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.29.0
2.30.0

26
0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
View File

@ -1,26 +0,0 @@
From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Thu, 16 Jul 2020 14:22:13 +0200
Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
restorecond.desktop file
This completely inactivate the .desktop file incase the user session is
managed by systemd as restorecond also provide a service file
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
restorecond/restorecond.desktop | 1 +
1 file changed, 1 insertion(+)
diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
index af7286801c24..7df854727a3f 100644
--- a/restorecond/restorecond.desktop
+++ b/restorecond/restorecond.desktop
@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
Type=Application
StartupNotify=false
X-GNOME-Autostart-enabled=false
+X-GNOME-HiddenUnderSystemd=true
--
2.29.0

8
0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch → 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
View File

@ -1,4 +1,4 @@
From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
From 27d137d07e9e6a57a2a962aa9c7f37f48dbf960f Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
@ -9,10 +9,10 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index a1d70623cff0..2d33eabb2536 100755
index dccd778ed4be..81333928d552 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
@ -23,5 +23,5 @@ index a1d70623cff0..2d33eabb2536 100755
.B STANDARD FILE CONTEXT
--
2.29.0
2.30.0

136
0003-fixfiles-correctly-restore-context-of-mountpoints.patch
View File

@ -1,136 +0,0 @@
From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
From: bauen1 <j2468h@googlemail.com>
Date: Thu, 6 Aug 2020 16:48:36 +0200
Subject: [PATCH] fixfiles: correctly restore context of mountpoints
By bind mounting every filesystem we want to relabel we can access all
files without anything hidden due to active mounts.
This comes at the cost of user experience, because setfiles only
displays the percentage if no path is given or the path is /
Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++----
policycoreutils/scripts/fixfiles.8 | 8 ++++++--
2 files changed, 31 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 5d7770348349..30dadb4f4cb6 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -112,6 +112,7 @@ FORCEFLAG=""
RPMFILES=""
PREFC=""
RESTORE_MODE=""
+BIND_MOUNT_FILESYSTEMS=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+ else
+ # we bind mount so we can fix the labels of files that have already been
+ # mounted over
+ for m in `echo $FILESYSTEMSRW`; do
+ TMP_MOUNT="$(mktemp -d)"
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
+
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+ umount "${TMP_MOUNT}${m}" || exit 1
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+ done;
+ fi
else
echo >&2 "fixfiles: No suitable file systems found"
fi
@@ -313,6 +330,7 @@ case "$1" in
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
# Force full relabel if SELinux is not enabled
selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
@@ -324,7 +342,7 @@ esac
}
usage() {
echo $"""
-Usage: $0 [-v] [-F] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] relabel
or
Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
or
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
or
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or
-Usage: $0 [-F] [-B] onboot
+Usage: $0 [-F] [-M] [-B] onboot
"""
}
@@ -353,7 +371,7 @@ set_restore_mode() {
}
# See how we were called.
-while getopts "N:BC:FfR:l:v" i; do
+while getopts "N:BC:FfR:l:vM" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
echo "Redirecting output to $OPTARG"
exec >>"$OPTARG" 2>&1
;;
+ M)
+ BIND_MOUNT_FILESYSTEMS="-M"
+ ;;
F)
FORCEFLAG="-F"
;;
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9f447f03d444..123425308416 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
.na
.B fixfiles
-.I [\-v] [\-F] [\-f] relabel
+.I [\-v] [\-F] [-M] [\-f] relabel
.B fixfiles
.I [\-v] [\-F] { check | restore | verify } dir/file ...
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
.B fixfiles
-.I [-F] [-B] onboot
+.I [-F] [-M] [-B] onboot
.ad
@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
Only act on files created after the specified date. Date must be specified in
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
+.TP
+.B \-M
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
+
.TP
.B -v
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
--
2.29.0

16
0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch → 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
View File

@ -1,4 +1,4 @@
From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
From e39c09c55ed98490b2f73e6564abca93f36ee81c Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
@ -49,10 +49,10 @@ index e4540977d042..ad718797ca68 100644
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 2d33eabb2536..acc77f368d95 100755
index 81333928d552..dc3e5207c57c 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
@@ -151,10 +151,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
@ -63,7 +63,7 @@ index 2d33eabb2536..acc77f368d95 100755
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
@ -72,7 +72,7 @@ index 2d33eabb2536..acc77f368d95 100755
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -190,9 +186,9 @@ class HTMLManPages:
@@ -192,9 +188,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
@ -84,7 +84,7 @@ index 2d33eabb2536..acc77f368d95 100755
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -201,7 +197,6 @@ class HTMLManPages:
@@ -203,7 +199,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
@ -92,7 +92,7 @@ index 2d33eabb2536..acc77f368d95 100755
self._gen_css()
def _write_html_manpage(self):
@@ -219,67 +214,21 @@ class HTMLManPages:
@@ -221,67 +216,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
@ -165,5 +165,5 @@ index 2d33eabb2536..acc77f368d95 100755
if len(self.manpage_roles[letter]):
fd.write("""
--
2.29.0
2.30.0

112
0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
View File

@ -1,112 +0,0 @@
From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 19 Aug 2020 17:05:33 +0200
Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
All tools like ausearch(8) or sesearch(1) and online documentation[1]
use hexadecimal values for extended permissions.
Hence use them, e.g. for audit2allow output, as well.
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
python/sepolgen/src/sepolgen/refpolicy.py | 5 ++---
python/sepolgen/tests/test_access.py | 10 +++++-----
python/sepolgen/tests/test_refpolicy.py | 12 ++++++------
3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
index 43cecfc77385..747636875ef7 100644
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@@ -407,10 +407,9 @@ class XpermSet():
# print single value without braces
if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
- return compl + str(self.ranges[0][0])
+ return compl + hex(self.ranges[0][0])
- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
- self.ranges)
+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
return "%s{ %s }" % (compl, " ".join(vals))
diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
index 73a5407df617..623588e09aeb 100644
--- a/python/sepolgen/tests/test_access.py
+++ b/python/sepolgen/tests/test_access.py
@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def text_merge_xperm2(self):
"""Test merging AV that does not contain xperms with AV that does"""
@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_diff_op(self):
"""Test merging two AVs that contain xperms with different operation"""
@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
- self.assertEqual(a.xperms["asdf"].to_string(), "23")
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_same_op(self):
"""Test merging two AVs that contain xperms with same operation"""
@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
class TestUtilFunctions(unittest.TestCase):
def test_is_idparam(self):
diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
index 4b50c8aada96..c7219fd568e9 100644
--- a/python/sepolgen/tests/test_refpolicy.py
+++ b/python/sepolgen/tests/test_refpolicy.py
@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
a.complement = True
self.assertEqual(a.to_string(), "")
a.add(1234)
- self.assertEqual(a.to_string(), "~ 1234")
+ self.assertEqual(a.to_string(), "~ 0x4d2")
a.complement = False
- self.assertEqual(a.to_string(), "1234")
+ self.assertEqual(a.to_string(), "0x4d2")
a.add(2345)
- self.assertEqual(a.to_string(), "{ 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
a.complement = True
- self.assertEqual(a.to_string(), "~ { 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
a.add(42,64)
- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
a.complement = False
- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
class TestSecurityContext(unittest.TestCase):
def test_init(self):
--
2.29.0

4
0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch → 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
View File

@ -1,4 +1,4 @@
From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
From 5c45c9cc13529ba6cb840010a3feda31b7c0fe78 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
system_release = "Misc"
--
2.29.0
2.30.0

109
0005-sepolgen-sort-extended-rules-like-normal-ones.patch
View File

@ -1,109 +0,0 @@
From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Wed, 19 Aug 2020 17:05:34 +0200
Subject: [PATCH] sepolgen: sort extended rules like normal ones
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
Changed:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
python/sepolgen/src/sepolgen/output.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
index 3a21b64c19f7..aeeaafc889e7 100644
--- a/python/sepolgen/src/sepolgen/output.py
+++ b/python/sepolgen/src/sepolgen/output.py
@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
return ret
# At this point, who cares - just return something
- return cmp(len(a.perms), len(b.perms))
+ return 0
# Compare two interface calls
def ifcall_cmp(a, b):
@@ -100,7 +100,7 @@ def rule_cmp(a, b):
else:
return id_set_cmp([a.args[0]], b.src_types)
else:
- if isinstance(b, refpolicy.AVRule):
+ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
return avrule_cmp(a,b)
else:
return id_set_cmp(a.src_types, [b.args[0]])
@@ -130,6 +130,7 @@ def sort_filter(module):
# we assume is the first argument for interfaces).
rules = []
rules.extend(node.avrules())
+ rules.extend(node.avextrules())
rules.extend(node.interface_calls())
rules.sort(key=util.cmp_to_key(rule_cmp))
--
2.29.0

8
0012-Fix-title-in-manpage.py-to-not-contain-online.patch → 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
View File

@ -1,4 +1,4 @@
From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
From b7cbbf2d25e2321b9af64db908947877771af257 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
@ -8,10 +8,10 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index acc77f368d95..4aeb3e2e51ba 100755
index dc3e5207c57c..6420ebe2e08e 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -220,7 +220,7 @@ class HTMLManPages:
@@ -222,7 +222,7 @@ class HTMLManPages:
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
@ -21,5 +21,5 @@ index acc77f368d95..4aeb3e2e51ba 100755
<body>
<h1>SELinux man pages for %s</h1>
--
2.29.0
2.30.0

32
0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
View File

@ -1,32 +0,0 @@
From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Tue, 1 Sep 2020 18:16:41 +0200
Subject: [PATCH] newrole: support cross-compilation with PAM and audit
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
policycoreutils/newrole/Makefile | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 73ebd413da85..0e7ebce3dd56 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
MANDIR ?= $(PREFIX)/share/man
ETCDIR ?= /etc
LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+INCLUDEDIR ?= $(PREFIX)/include
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
# Enable capabilities to permit newrole to generate audit records.
# This will make newrole a setuid root program.
# The capabilities used are: CAP_AUDIT_WRITE.
--
2.29.0

4
0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch → 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
View File

@ -1,4 +1,4 @@
From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
From fb167fc5660dbc83cd516579d73507b0969b5544 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty
@ -20,5 +20,5 @@ index 30dadb4f4cb6..e73bb81c3336 100755
RPMFILES=""
PREFC=""
--
2.29.0
2.30.0

12
0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch → 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
View File

@ -1,4 +1,4 @@
From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
From 0b37889f3032e4f456edad469786f72ad344ec8c Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@ -11,10 +11,10 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 4aeb3e2e51ba..330b055af214 100755
index 6420ebe2e08e..d15522135288 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -125,8 +125,24 @@ def gen_domains():
@@ -127,8 +127,24 @@ def gen_domains():
domains.sort()
return domains
@ -40,7 +40,7 @@ index 4aeb3e2e51ba..330b055af214 100755
def _gen_types():
global types
@@ -372,6 +388,8 @@ class ManPage:
@@ -374,6 +390,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
@ -49,7 +49,7 @@ index 4aeb3e2e51ba..330b055af214 100755
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -689,7 +707,7 @@ Default Defined Ports:""")
@@ -691,7 +709,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
@ -59,5 +59,5 @@ index 4aeb3e2e51ba..330b055af214 100755
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
--
2.29.0
2.30.0

12
0015-sepolicy-Another-small-optimization-for-mcs-types.patch → 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
View File

@ -1,4 +1,4 @@
From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
From 268cd1b3a346db400eedb66db6a7d0aac192cd5e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types
@ -8,10 +8,10 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 330b055af214..f8584436960d 100755
index d15522135288..ffcedb547993 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -142,6 +142,15 @@ def _gen_entry_types():
@@ -144,6 +144,15 @@ def _gen_entry_types():
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return entry_types
@ -27,7 +27,7 @@ index 330b055af214..f8584436960d 100755
types = None
def _gen_types():
@@ -390,6 +399,7 @@ class ManPage:
@@ -392,6 +401,7 @@ class ManPage:
self.types = _gen_types()
self.exec_types = _gen_exec_types()
self.entry_types = _gen_entry_types()
@ -35,7 +35,7 @@ index 330b055af214..f8584436960d 100755
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an
@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an
%s""" % ", ".join(paths))
def _mcs_types(self):
@ -49,5 +49,5 @@ index 330b055af214..f8584436960d 100755
self.fd.write ("""
.SH "MCS Constrained"
--
2.29.0
2.30.0

4
0016-Move-po-translation-files-into-the-right-sub-directo.patch → 0010-Move-po-translation-files-into-the-right-sub-directo.patch
View File

@ -1,4 +1,4 @@
From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
From 8ea45198560652813d2dad26e28a4220ed690afa Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories
@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
@@ -0,0 +1 @@
+../sandbox
--
2.29.0
2.30.0

12
0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch → 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
View File

@ -1,4 +1,4 @@
From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
From 773adcbd26efe16b5738dcf40e9ec757101417d5 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@ -185,13 +185,13 @@ index fdd2e46ee3f9..839ddd3b54b6 100755
import gettext
kwargs = {}
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b2fabea67a87..3cc30a160a74 100644
index 125271df5265..026502b537cb 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -27,7 +27,7 @@ import traceback
import argparse
import seobject
@@ -30,7 +30,7 @@ import seobject
import sys
import traceback
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
import gettext
kwargs = {}
--
2.29.0
2.30.0

4
0018-Initial-.pot-files-for-gui-python-sandbox.patch → 0012-Initial-.pot-files-for-gui-python-sandbox.patch
View File

@ -1,4 +1,4 @@
From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
From cfa051df61b1901f5e1012877965b632d287d5a7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 14:23:19 +0200
Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
+msgid "Invalid value %s"
+msgstr ""
--
2.29.0
2.30.0

4
0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch → 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
View File

@ -1,4 +1,4 @@
From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
From 37a871b6138f9783d832d2fa6f5482fb648c4928 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
--
2.29.0
2.30.0

4
0020-sepolicy-generate-Handle-more-reserved-port-types.patch → 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
View File

@ -1,4 +1,4 @@
From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
From 649f11933105597d23cf4c4abc3a895fd0ae1f3e Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@ -67,5 +67,5 @@ index 43180ca6fda4..d60a08e1d72c 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.29.0
2.30.0

4
0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch → 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
View File

@ -1,4 +1,4 @@
From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
From e6821b5aa7f631efaceffd8de130f83c56a5c81a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
}
--
2.29.0
2.30.0

4
0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch → 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
View File

@ -1,4 +1,4 @@
From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
From df67934eb3bf24e38b11278b06db816a069fab3f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
export DISPLAY=:$D
cat > ~/seremote << __EOF
--
2.29.0
2.30.0

10
0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch → 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
View File

@ -1,4 +1,4 @@
From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
From a7e9864865f3f72f51d943ff5bf684638cc7e921 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 28 Jul 2020 14:37:13 +0200
Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
@ -20,10 +20,10 @@ Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index f8584436960d..6a3e08fca58c 100755
index ffcedb547993..c013c0d48502 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -717,7 +717,7 @@ Default Defined Ports:""")
@@ -719,7 +719,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
@ -32,7 +32,7 @@ index f8584436960d..6a3e08fca58c 100755
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
if flist_non_exec:
@ -42,5 +42,5 @@ index f8584436960d..6a3e08fca58c 100755
.B STANDARD FILE CONTEXT
--
2.29.0
2.30.0

29
0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
View File

@ -1,29 +0,0 @@
From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 11 Nov 2020 17:23:40 +0100
Subject: [PATCH] selinux_config(5): add a note that runtime disable is
deprecated
...and refer to selinux(8), which explains it further.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/man/man5/selinux_config.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
index 1ffade150128..58b42a0e234d 100644
--- a/policycoreutils/man/man5/selinux_config.5
+++ b/policycoreutils/man/man5/selinux_config.5
@@ -48,7 +48,7 @@ SELinux security policy is enforced.
.IP \fIpermissive\fR 4
SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
.IP \fIdisabled\fR
-SELinux is disabled and no policy is loaded.
+No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
.RE
.sp
The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
--
2.29.2

51
0025-python-sepolicy-allow-to-override-manpage-date.patch
View File

@ -1,51 +0,0 @@
From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Fri, 30 Oct 2020 22:53:09 +0100
Subject: [PATCH] python/sepolicy: allow to override manpage date
in order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.
This patch was done while working on reproducible builds for openSUSE.
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
---
python/sepolicy/sepolicy/manpage.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 6a3e08fca58c..c013c0d48502 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -39,6 +39,8 @@ typealias_types = {
equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
equiv_dirs = ["/var"]
+man_date = time.strftime("%y-%m-%d", time.gmtime(
+ int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
modules_dict = None
@@ -546,7 +548,7 @@ class ManPage:
def _typealias(self,typealias):
self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
- % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
+ % {'typealias':typealias, 'date': man_date})
self.fd.write(r"""
.SH "NAME"
%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
@@ -565,7 +567,7 @@ man page for more details.
def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
- % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
+ % {'domainname': self.domainname, 'date': man_date})
self.fd.write(r"""
.SH "NAME"
%(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
--
2.29.2

75
policycoreutils.spec
View File

@ -1,7 +1,7 @@
%global libauditver 3.0
%global libsepolver 3.1-5
%global libsemanagever 3.1-5
%global libselinuxver 3.1-5
%global libsepolver 3.2-0.rc1
%global libsemanagever 3.2-0.rc1
%global libselinuxver 3.2-0.rc1
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -10,17 +10,17 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 3.1
Release: 8%{?dist}
Version: 3.2
Release: 0.rc1.1%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
Source2: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-gui-3.1.tar.gz
Source3: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-sandbox-3.1.tar.gz
Source4: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-dbus-3.1.tar.gz
Source5: https://github.com/SELinuxProject/selinux/releases/download/20200710/semodule-utils-3.1.tar.gz
Source6: https://github.com/SELinuxProject/selinux/releases/download/20200710/restorecond-3.1.tar.gz
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/policycoreutils-3.2-rc1.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-python-3.2-rc1.tar.gz
Source2: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-gui-3.2-rc1.tar.gz
Source3: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-sandbox-3.2-rc1.tar.gz
Source4: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/selinux-dbus-3.2-rc1.tar.gz
Source5: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/semodule-utils-3.2-rc1.tar.gz
Source6: https://github.com/SELinuxProject/selinux/releases/download/3.2-rc1/restorecond-3.2-rc1.tar.gz
URL: https://github.com/SELinuxProject/selinux
Source13: system-config-selinux.png
Source14: sepolicy-icons.tgz
@ -34,34 +34,26 @@ Source21: python-po.tgz
Source22: gui-po.tgz
Source23: sandbox-po.tgz
# https://github.com/fedora-selinux/selinux
# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ git format-patch -N 3.2-rc1 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start
Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
Patch0024: 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
Patch0025: 0025-python-sepolicy-allow-to-override-manpage-date.patch
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
# Patch list end
Obsoletes: policycoreutils < 2.0.61-2
@ -107,7 +99,7 @@ to switch roles.
%autosetup -S git -N -T -D -a 6 -n selinux
for i in *; do
git mv $i ${i/-%{version}/}
git mv $i ${i/-%{version}-rc1/}
git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i/-%{version}/}"
done
@ -132,7 +124,7 @@ tar -x -f %{SOURCE23} -C sandbox -z
%set_build_flags
export PYTHON=%{__python3}
make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
@ -539,6 +531,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
- SELinux userspace 3.2-rc1 release
* Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
- Fix BuildRequires to libsemanage-devel

14
sources
View File

@ -1,10 +1,10 @@
SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
SHA512 (policycoreutils-3.2-rc1.tar.gz) = 91e1660542c1c050ecae3319c2227833ccab16ddb2a6a066c92598b565aafcf2d753f50ec0a7a6bc08c8e8f579d65429acf7443ad058ee1d5ab29e6340023d89
SHA512 (restorecond-3.2-rc1.tar.gz) = 34b39dfb160518e725127920898fde38aa9fc8783090836f9601c6b791fc5c29e89f7b291dad7703e30d0bbbd65761533266e6749fd1bbe05f3c95324a99b255
SHA512 (selinux-dbus-3.2-rc1.tar.gz) = e568950980d88608f236d222ecd59d1f12b64704a5dc262cdb5eb23fc6b2916ab0be06ea0c53ec51f174efa4ca9cccbd47a6fb4e7d7de7debd81d328d4c7bdb4
SHA512 (selinux-gui-3.2-rc1.tar.gz) = 71a28e44adb73677c2b7b8ba8cfcf04396a3332a9596b7260e19a5a6a1eddfb14ec2e93fa8851cdb94e2e61f8bcfee9134cb8dc073c339de8d10e1b57439588c
SHA512 (selinux-python-3.2-rc1.tar.gz) = 5996fe9e28f41b8a25e625352f0c16d1858e730aae20b590825c599e57a2c3e4288441c16759bfcadc76469d2d4b613b5e19a04ed9ea36c27205112fe2b4341c
SHA512 (selinux-sandbox-3.2-rc1.tar.gz) = 192e8f526e5d3144ce9eb7e07076011eb3b6984edbd7d3ad885d69a0cd2dd0afbd720f960f1ad5df422e48d48f23800e4cf61fccc8384b07a156c1c48d9677ba
SHA512 (semodule-utils-3.2-rc1.tar.gz) = 9e46ea1af299c272017847dd8b3bbb827af2bc685ab536a9020cf58c75f58c335b9502a135ee1a65bf21cfa5d8571840ecb3587e701e96b92b5453dada97a04d
SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be