policycoreutils-2.6-3

- Fix several issues in gui and 'sepolicy manpage' (#1416372)
This commit is contained in:
Petr Lautrbach 2017-02-28 21:57:37 +01:00
parent fbd38097f4
commit c12014f9e3
2 changed files with 129 additions and 30 deletions


@ -393,10 +393,18 @@ index 3e502a7..5bf9b52 100755
+ print("Out") + print("Out")
sys.exit(0) sys.exit(0)
diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py
index 8fbd5b4..43144c1 100644 index 8fbd5b4..254fc67 100644
--- policycoreutils-2.6/sepolicy/sepolicy/__init__.py --- policycoreutils-2.6/sepolicy/sepolicy/__init__.py
+++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py +++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py
@@ -383,7 +383,12 @@ def get_conditionals(src, dest, tclass, perm): @@ -171,6 +171,7 @@ def info(setype, name=None):
'aliases': map(str, x.aliases()),
'name': str(x),
'permissive': bool(x.ispermissive),
+ 'attributes': map(str, x.attributes())
} for x in q.results())
elif setype == ROLE:
@@ -383,7 +384,12 @@ def get_conditionals(src, dest, tclass, perm):
def get_conditionals_format_text(cond): def get_conditionals_format_text(cond):
@ -410,7 +418,7 @@ index 8fbd5b4..43144c1 100644
return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond)))) return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
@@ -465,7 +470,7 @@ def find_file(reg): @@ -465,7 +471,7 @@ def find_file(reg):
try: try:
pat = re.compile(r"%s$" % reg) pat = re.compile(r"%s$" % reg)
@ -419,7 +427,7 @@ index 8fbd5b4..43144c1 100644
except: except:
return [] return []
@@ -589,7 +594,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): @@ -589,7 +595,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
def get_transitions_into(setype): def get_transitions_into(setype):
try: try:
@ -428,7 +436,7 @@ index 8fbd5b4..43144c1 100644
except (TypeError, AttributeError): except (TypeError, AttributeError):
pass pass
return None return None
@@ -605,7 +610,7 @@ def get_transitions(setype): @@ -605,7 +611,7 @@ def get_transitions(setype):
def get_file_transitions(setype): def get_file_transitions(setype):
try: try:
@ -437,7 +445,7 @@ index 8fbd5b4..43144c1 100644
except (TypeError, AttributeError): except (TypeError, AttributeError):
pass pass
return None return None
@@ -663,6 +668,23 @@ def get_init_entrypoint(transtype): @@ -663,6 +669,23 @@ def get_init_entrypoint(transtype):
return entrypoints return entrypoints
@ -461,7 +469,7 @@ index 8fbd5b4..43144c1 100644
def get_init_entrypoint_target(entrypoint): def get_init_entrypoint_target(entrypoint):
try: try:
@@ -695,7 +717,7 @@ def get_methods(): @@ -695,7 +718,7 @@ def get_methods():
# List of per_role_template interfaces # List of per_role_template interfaces
ifs = interfaces.InterfaceSet() ifs = interfaces.InterfaceSet()
ifs.from_file(fd) ifs.from_file(fd)
@ -470,7 +478,16 @@ index 8fbd5b4..43144c1 100644
fd.close() fd.close()
except: except:
sys.stderr.write("could not open interface info [%s]\n" % fn) sys.stderr.write("could not open interface info [%s]\n" % fn)
@@ -752,7 +774,10 @@ def get_all_entrypoint_domains(): @@ -725,7 +748,7 @@ def get_all_role_allows():
return role_allows
role_allows = {}
- q = setools.RBACRuleQuery(_pol, ruletype='allow')
+ q = setools.RBACRuleQuery(_pol, ruletype=[ALLOW])
for r in q.results():
src = str(r.source)
tgt = str(r.target)
@@ -752,7 +775,10 @@ def get_all_entrypoint_domains():
def gen_interfaces(): def gen_interfaces():
@ -482,7 +499,7 @@ index 8fbd5b4..43144c1 100644
ifile = defaults.interface_info() ifile = defaults.interface_info()
headers = defaults.headers() headers = defaults.headers()
try: try:
@@ -763,7 +788,7 @@ def gen_interfaces(): @@ -763,7 +789,7 @@ def gen_interfaces():
if os.getuid() != 0: if os.getuid() != 0:
raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen")) raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
@ -491,7 +508,7 @@ index 8fbd5b4..43144c1 100644
def gen_port_dict(): def gen_port_dict():
@@ -1082,24 +1107,14 @@ def boolean_desc(boolean): @@ -1082,24 +1108,14 @@ def boolean_desc(boolean):
def get_os_version(): def get_os_version():
@ -1031,7 +1048,7 @@ index c2cb971..8956f39 100644
sys.stderr.write(output) sys.stderr.write(output)
sys.stderr.write(_("\nCompile test for %s failed.\n") % interface) sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py
index 7365f93..9d54ab0 100755 index 7365f93..5103272 100755
--- policycoreutils-2.6/sepolicy/sepolicy/manpage.py --- policycoreutils-2.6/sepolicy/sepolicy/manpage.py
+++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py +++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py
@@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d @@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d
@ -1054,7 +1071,55 @@ index 7365f93..9d54ab0 100755
equiv_dirs = ["/var"] equiv_dirs = ["/var"]
modules_dict = None modules_dict = None
@@ -144,10 +150,6 @@ def prettyprint(f, trim): @@ -88,11 +94,10 @@ def get_all_users_info():
all_entrypoints = None
-
def get_entrypoints():
global all_entrypoints
if not all_entrypoints:
- all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")[0]["types"]
+ all_entrypoints = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return all_entrypoints
domains = None
@@ -120,8 +125,33 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
+types = None
def _gen_types():
global types
@@ -144,10 +174,6 @@ def prettyprint(f, trim):
manpage_domains = [] manpage_domains = []
manpage_roles = [] manpage_roles = []
@ -1065,7 +1130,7 @@ index 7365f93..9d54ab0 100755
def get_alphabet_manpages(manpage_list): def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, []) alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters: for i in string.ascii_letters:
@@ -162,7 +164,11 @@ def get_alphabet_manpages(manpage_list): @@ -162,7 +188,11 @@ def get_alphabet_manpages(manpage_list):
def convert_manpage_to_html(html_manpage, manpage): def convert_manpage_to_html(html_manpage, manpage):
@ -1078,7 +1143,7 @@ index 7365f93..9d54ab0 100755
if rc == 0: if rc == 0:
print(html_manpage, "has been created") print(html_manpage, "has been created")
fd = open(html_manpage, 'w') fd = open(html_manpage, 'w')
@@ -173,7 +179,7 @@ def convert_manpage_to_html(html_manpage, manpage): @@ -173,7 +203,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages: class HTMLManPages:
""" """
@ -1087,7 +1152,7 @@ index 7365f93..9d54ab0 100755
""" """
def __init__(self, manpage_roles, manpage_domains, path, os_version): def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -181,9 +187,9 @@ class HTMLManPages: @@ -181,9 +211,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains) self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version self.os_version = os_version
self.old_path = path + "/" self.old_path = path + "/"
@ -1099,7 +1164,7 @@ index 7365f93..9d54ab0 100755
self.__gen_html_manpages() self.__gen_html_manpages()
else: else:
print("SELinux HTML man pages can not be generated for this %s" % os_version) print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -192,7 +198,6 @@ class HTMLManPages: @@ -192,7 +222,6 @@ class HTMLManPages:
def __gen_html_manpages(self): def __gen_html_manpages(self):
self._write_html_manpage() self._write_html_manpage()
self._gen_index() self._gen_index()
@ -1107,7 +1172,7 @@ index 7365f93..9d54ab0 100755
self._gen_css() self._gen_css()
def _write_html_manpage(self): def _write_html_manpage(self):
@@ -210,67 +215,21 @@ class HTMLManPages: @@ -210,67 +239,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r) convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r)
def _gen_index(self): def _gen_index(self):
@ -1179,7 +1244,26 @@ index 7365f93..9d54ab0 100755
for letter in self.manpage_roles: for letter in self.manpage_roles:
if len(self.manpage_roles[letter]): if len(self.manpage_roles[letter]):
fd.write(""" fd.write("""
@@ -501,6 +460,7 @@ class ManPage: @@ -414,6 +397,9 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -485,7 +471,7 @@ class ManPage:
self.desc = "%s user role" % self.domainname
if self.domainname in self.all_users:
- self.attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+ self.attributes = next(sepolicy.info(sepolicy.TYPE, (self.type)))["attributes"]
self._user_header()
self._user_attribute()
self._can_sudo()
@@ -501,6 +487,7 @@ class ManPage:
self._booleans() self._booleans()
self._port_types() self._port_types()
@ -1187,10 +1271,11 @@ index 7365f93..9d54ab0 100755
self._writes() self._writes()
self._footer() self._footer()
@@ -519,11 +479,22 @@ class ManPage: @@ -519,11 +506,22 @@ class ManPage:
self._get_ptypes() self._get_ptypes()
for domain_type in self.ptypes: for domain_type in self.ptypes:
- self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
+ try: + try:
+ if typealias_types[domain_type]: + if typealias_types[domain_type]:
+ fd = self.fd + fd = self.fd
@ -1201,7 +1286,7 @@ index 7365f93..9d54ab0 100755
+ self.man_page_path = man_page_path + self.man_page_path = man_page_path
+ except KeyError: + except KeyError:
+ continue; + continue;
self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] + self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE, ("%s") % domain_type))["attributes"]
self._header() self._header()
self._entrypoints() self._entrypoints()
@ -1210,7 +1295,7 @@ index 7365f93..9d54ab0 100755
self._booleans() self._booleans()
self._nsswitch_domain() self._nsswitch_domain()
self._port_types() self._port_types()
@@ -537,6 +508,34 @@ class ManPage: @@ -537,6 +535,34 @@ class ManPage:
if f.startswith(self.short_name) or f.startswith(self.domainname): if f.startswith(self.short_name) or f.startswith(self.domainname):
self.ptypes.append(f) self.ptypes.append(f)
@ -1245,7 +1330,7 @@ index 7365f93..9d54ab0 100755
def _header(self): def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
% {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
@@ -686,10 +685,13 @@ Default Defined Ports:""") @@ -686,10 +712,13 @@ Default Defined Ports:""")
def _file_context(self): def _file_context(self):
flist = [] flist = []
@ -1254,12 +1339,12 @@ index 7365f93..9d54ab0 100755
for f in self.all_file_types: for f in self.all_file_types:
if f.startswith(self.domainname): if f.startswith(self.domainname):
flist.append(f) flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f): + if not f in self.exec_types or not f in self.entry_types:
+ flist_non_exec.append(f) + flist_non_exec.append(f)
if f in self.fcdict: if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"] mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0: if len(mpaths) == 0:
@@ -741,19 +743,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d @@ -741,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP .PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
@ -1283,13 +1368,24 @@ index 7365f93..9d54ab0 100755
self.fd.write(r""" self.fd.write(r"""
.I The following file types are defined for %(domainname)s: .I The following file types are defined for %(domainname)s:
@@ -920,6 +923,17 @@ All executeables with the default executable label, usually stored in /usr/bin a @@ -889,9 +919,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
return True
def _entrypoints(self):
- try:
- entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'}))
- except:
+ entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})]
+ if len(entrypoints) == 0:
return
self.fd.write("""
@@ -920,6 +949,16 @@ All executeables with the default executable label, usually stored in /usr/bin a
self.fd.write(""" self.fd.write("""
%s""" % ", ".join(paths)) %s""" % ", ".join(paths))
+ def _mcs_types(self): + def _mcs_types(self):
+ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] + if self.type not in self.mcs_constrained_types['types']:
+ if "mcs_constrained_type" not in attributes:
+ return + return
+ self.fd.write (""" + self.fd.write ("""
+.SH "MCS Constrained" +.SH "MCS Constrained"
@ -1301,7 +1397,7 @@ index 7365f93..9d54ab0 100755
def _writes(self): def _writes(self):
permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
if permlist is None or len(permlist) == 0: if permlist is None or len(permlist) == 0:
@@ -1156,7 +1170,7 @@ Three things can happen when %(type)s attempts to execute a program. @@ -1156,7 +1195,7 @@ Three things can happen when %(type)s attempts to execute a program.
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
@ -1310,7 +1406,7 @@ index 7365f93..9d54ab0 100755
.TP .TP
@@ -1164,7 +1178,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut @@ -1164,7 +1203,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
Execute the following to see the types that the SELinux user %(type)s can execute and transition: Execute the following to see the types that the SELinux user %(type)s can execute and transition:


@ -9,7 +9,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.6 Version: 2.6
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -445,6 +445,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Tue Feb 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-3
- Fix several issues in gui and 'sepolicy manpage' (#1416372)
* Thu Feb 23 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-2 * Thu Feb 23 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-2
- Use %{__python3} instead of python3 - Use %{__python3} instead of python3