policycoreutils-2.6-3

- Fix several issues in gui and 'sepolicy manpage' (#1416372)
2017-02-28 21:57:37 +01:00 · 2017-02-28 21:57:37 +01:00 · c12014f9e3
parent fbd38097f4
commit c12014f9e3
2 changed files with 129 additions and 30 deletions
--- a/policycoreutils-fedora.patch
+++ b/policycoreutils-fedora.patch
@ -393,10 +393,18 @@ index 3e502a7..5bf9b52 100755
 +        print("Out")
         sys.exit(0)
 diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py
-index 8fbd5b4..43144c1 100644
+index 8fbd5b4..254fc67 100644
 --- policycoreutils-2.6/sepolicy/sepolicy/__init__.py
 +++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py
-@@ -383,7 +383,12 @@ def get_conditionals(src, dest, tclass, perm):
+@@ -171,6 +171,7 @@ def info(setype, name=None):
+             'aliases': map(str, x.aliases()),
+             'name': str(x),
+             'permissive': bool(x.ispermissive),
+            'attributes': map(str, x.attributes())
+         } for x in q.results())
+ 
+     elif setype == ROLE:
+@@ -383,7 +384,12 @@ def get_conditionals(src, dest, tclass, perm):
 
 
 def get_conditionals_format_text(cond):
@ -410,7 +418,7 @@ index 8fbd5b4..43144c1 100644
     return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
 
 
-@@ -465,7 +470,7 @@ def find_file(reg):
+@@ -465,7 +471,7 @@ def find_file(reg):
 
     try:
         pat = re.compile(r"%s$" % reg)
@ -419,7 +427,7 @@ index 8fbd5b4..43144c1 100644
     except:
         return []
 
-@@ -589,7 +594,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
+@@ -589,7 +595,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
 
 def get_transitions_into(setype):
     try:
@ -428,7 +436,7 @@ index 8fbd5b4..43144c1 100644
     except (TypeError, AttributeError):
         pass
     return None
-@@ -605,7 +610,7 @@ def get_transitions(setype):
+@@ -605,7 +611,7 @@ def get_transitions(setype):
 
 def get_file_transitions(setype):
     try:
@ -437,7 +445,7 @@ index 8fbd5b4..43144c1 100644
     except (TypeError, AttributeError):
         pass
     return None
-@@ -663,6 +668,23 @@ def get_init_entrypoint(transtype):
+@@ -663,6 +669,23 @@ def get_init_entrypoint(transtype):
 
     return entrypoints
 
@ -461,7 +469,7 @@ index 8fbd5b4..43144c1 100644
 
 def get_init_entrypoint_target(entrypoint):
     try:
-@@ -695,7 +717,7 @@ def get_methods():
+@@ -695,7 +718,7 @@ def get_methods():
     # List of per_role_template interfaces
         ifs = interfaces.InterfaceSet()
         ifs.from_file(fd)
@ -470,7 +478,16 @@ index 8fbd5b4..43144c1 100644
         fd.close()
     except:
         sys.stderr.write("could not open interface info [%s]\n" % fn)
-@@ -752,7 +774,10 @@ def get_all_entrypoint_domains():
+@@ -725,7 +748,7 @@ def get_all_role_allows():
+         return role_allows
+     role_allows = {}
+ 
+-    q = setools.RBACRuleQuery(_pol, ruletype='allow')
+    q = setools.RBACRuleQuery(_pol, ruletype=[ALLOW])
+     for r in q.results():
+         src = str(r.source)
+         tgt = str(r.target)
+@@ -752,7 +775,10 @@ def get_all_entrypoint_domains():
 
 
 def gen_interfaces():
@ -482,7 +499,7 @@ index 8fbd5b4..43144c1 100644
     ifile = defaults.interface_info()
     headers = defaults.headers()
     try:
-@@ -763,7 +788,7 @@ def gen_interfaces():
+@@ -763,7 +789,7 @@ def gen_interfaces():
 
     if os.getuid() != 0:
         raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
@ -491,7 +508,7 @@ index 8fbd5b4..43144c1 100644
 
 
 def gen_port_dict():
-@@ -1082,24 +1107,14 @@ def boolean_desc(boolean):
+@@ -1082,24 +1108,14 @@ def boolean_desc(boolean):
 
 
 def get_os_version():
@ -1031,7 +1048,7 @@ index c2cb971..8956f39 100644
                 sys.stderr.write(output)
                 sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
 diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py
-index 7365f93..9d54ab0 100755
+index 7365f93..5103272 100755
 --- policycoreutils-2.6/sepolicy/sepolicy/manpage.py
 +++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py
@@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d
@ -1054,7 +1071,55 @@ index 7365f93..9d54ab0 100755
 
 equiv_dirs = ["/var"]
 modules_dict = None
-@@ -144,10 +150,6 @@ def prettyprint(f, trim):
+@@ -88,11 +94,10 @@ def get_all_users_info():
+ 
+ all_entrypoints = None
+ 
+-
+ def get_entrypoints():
+     global all_entrypoints
+     if not all_entrypoints:
+-        all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")[0]["types"]
+        all_entrypoints = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+     return all_entrypoints
+ 
+ domains = None
+@@ -120,8 +125,33 @@ def gen_domains():
+     domains.sort()
+     return domains
+ 
+-types = None
+ 
+exec_types = None
+
+def _gen_exec_types():
+    global exec_types
+    if exec_types is None:
+        exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+    return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+    global entry_types
+    if entry_types is None:
+        entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+    return entry_types
+
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+    global mcs_constrained_types
+    if mcs_constrained_types is None:
+        mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+    return mcs_constrained_types
+
+
+types = None
+ 
+ def _gen_types():
+     global types
+@@ -144,10 +174,6 @@ def prettyprint(f, trim):
 manpage_domains = []
 manpage_roles = []
 
@ -1065,7 +1130,7 @@ index 7365f93..9d54ab0 100755
 def get_alphabet_manpages(manpage_list):
     alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
     for i in string.ascii_letters:
-@@ -162,7 +164,11 @@ def get_alphabet_manpages(manpage_list):
+@@ -162,7 +188,11 @@ def get_alphabet_manpages(manpage_list):
 
 
 def convert_manpage_to_html(html_manpage, manpage):
@ -1078,7 +1143,7 @@ index 7365f93..9d54ab0 100755
     if rc == 0:
         print(html_manpage, "has been created")
         fd = open(html_manpage, 'w')
-@@ -173,7 +179,7 @@ def convert_manpage_to_html(html_manpage, manpage):
+@@ -173,7 +203,7 @@ def convert_manpage_to_html(html_manpage, manpage):
 class HTMLManPages:
 
     """
@ -1087,7 +1152,7 @@ index 7365f93..9d54ab0 100755
     """
 
     def __init__(self, manpage_roles, manpage_domains, path, os_version):
-@@ -181,9 +187,9 @@ class HTMLManPages:
+@@ -181,9 +211,9 @@ class HTMLManPages:
         self.manpage_domains = get_alphabet_manpages(manpage_domains)
         self.os_version = os_version
         self.old_path = path + "/"
@ -1099,7 +1164,7 @@ index 7365f93..9d54ab0 100755
             self.__gen_html_manpages()
         else:
             print("SELinux HTML man pages can not be generated for this %s" % os_version)
-@@ -192,7 +198,6 @@ class HTMLManPages:
+@@ -192,7 +222,6 @@ class HTMLManPages:
     def __gen_html_manpages(self):
         self._write_html_manpage()
         self._gen_index()
@ -1107,7 +1172,7 @@ index 7365f93..9d54ab0 100755
         self._gen_css()
 
     def _write_html_manpage(self):
-@@ -210,67 +215,21 @@ class HTMLManPages:
+@@ -210,67 +239,21 @@ class HTMLManPages:
                     convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r)
 
     def _gen_index(self):
@ -1179,7 +1244,26 @@ index 7365f93..9d54ab0 100755
         for letter in self.manpage_roles:
             if len(self.manpage_roles[letter]):
                 fd.write("""
-@@ -501,6 +460,7 @@ class ManPage:
+@@ -414,6 +397,9 @@ class ManPage:
+         self.all_file_types = sepolicy.get_all_file_types()
+         self.role_allows = sepolicy.get_all_role_allows()
+         self.types = _gen_types()
+        self.exec_types = _gen_exec_types()
+        self.entry_types = _gen_entry_types()
+        self.mcs_constrained_types = _gen_mcs_constrained_types()
+ 
+         if self.source_files:
+             self.fcpath = self.root + "file_contexts"
+@@ -485,7 +471,7 @@ class ManPage:
+             self.desc = "%s user role" % self.domainname
+ 
+         if self.domainname in self.all_users:
+-            self.attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+            self.attributes = next(sepolicy.info(sepolicy.TYPE, (self.type)))["attributes"]
+             self._user_header()
+             self._user_attribute()
+             self._can_sudo()
+@@ -501,6 +487,7 @@ class ManPage:
             self._booleans()
 
         self._port_types()
@ -1187,10 +1271,11 @@ index 7365f93..9d54ab0 100755
         self._writes()
         self._footer()
 
-@@ -519,11 +479,22 @@ class ManPage:
+@@ -519,11 +506,22 @@ class ManPage:
         self._get_ptypes()
 
         for domain_type in self.ptypes:
+-            self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
 +            try:
 +                if typealias_types[domain_type]:
 +                    fd = self.fd
@ -1201,7 +1286,7 @@ index 7365f93..9d54ab0 100755
 +                    self.man_page_path = man_page_path
 +            except KeyError:
 +                continue;
-             self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
+            self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE, ("%s") % domain_type))["attributes"]
 
         self._header()
         self._entrypoints()
@ -1210,7 +1295,7 @@ index 7365f93..9d54ab0 100755
         self._booleans()
         self._nsswitch_domain()
         self._port_types()
-@@ -537,6 +508,34 @@ class ManPage:
+@@ -537,6 +535,34 @@ class ManPage:
             if f.startswith(self.short_name) or f.startswith(self.domainname):
                 self.ptypes.append(f)
 
@ -1245,7 +1330,7 @@ index 7365f93..9d54ab0 100755
     def _header(self):
         self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
                       % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
-@@ -686,10 +685,13 @@ Default Defined Ports:""")
+@@ -686,10 +712,13 @@ Default Defined Ports:""")
 
     def _file_context(self):
         flist = []
@ -1254,12 +1339,12 @@ index 7365f93..9d54ab0 100755
         for f in self.all_file_types:
             if f.startswith(self.domainname):
                 flist.append(f)
-+                if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+                if not f in self.exec_types or not f in self.entry_types:
 +                    flist_non_exec.append(f)
                 if f in self.fcdict:
                     mpaths = mpaths + self.fcdict[f]["regex"]
         if len(mpaths) == 0:
-@@ -741,19 +743,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -741,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
 .PP
 """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
 
@ -1283,13 +1368,24 @@ index 7365f93..9d54ab0 100755
 
         self.fd.write(r"""
 .I The following file types are defined for %(domainname)s:
-@@ -920,6 +923,17 @@ All executeables with the default executable label, usually stored in /usr/bin a
+@@ -889,9 +919,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+         return True
+ 
+     def _entrypoints(self):
+-        try:
+-            entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'}))
+-        except:
+        entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})]
+        if len(entrypoints) == 0:
+             return
+ 
+         self.fd.write("""
+@@ -920,6 +949,16 @@ All executeables with the default executable label, usually stored in /usr/bin a
         self.fd.write("""
 %s""" % ", ".join(paths))
 
 +    def _mcs_types(self):
-+        attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
-+        if "mcs_constrained_type" not in attributes:
+        if self.type not in self.mcs_constrained_types['types']:
 +            return
 +        self.fd.write ("""
 +.SH "MCS Constrained"
@ -1301,7 +1397,7 @@ index 7365f93..9d54ab0 100755
     def _writes(self):
         permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
         if permlist is None or len(permlist) == 0:
-@@ -1156,7 +1170,7 @@ Three things can happen when %(type)s attempts to execute a program.
+@@ -1156,7 +1195,7 @@ Three things can happen when %(type)s attempts to execute a program.
 
 Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
 
@ -1310,7 +1406,7 @@ index 7365f93..9d54ab0 100755
 
 .TP
 
-@@ -1164,7 +1178,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
+@@ -1164,7 +1203,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
 
 Execute the following to see the types that the SELinux user %(type)s can execute and transition:
 
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -9,7 +9,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -445,6 +445,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service

 %changelog
+* Tue Feb 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-3
+- Fix several issues in gui and 'sepolicy manpage' (#1416372)
+
 * Thu Feb 23 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-2
 - Use %{__python3} instead of python3