rpms
/
policycoreutils
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

policycoreutils-2.7-2.fc27 

- sepolicy: Fix sepolicy manpage.
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option
- semanage: Don't use global setup variable
- semanage: drop *_ini functions
- semanage: Enable listing file_contexts.homedirs
- semanage: make seobject.py backward compatible
- gui: remove mappingsPage
- gui: delete overridden definition of usersPage.delete()
- gui: fix parsing of "semodule -lfull" in tab Modules
- gui: remove the status bar
- sepolicy: support non-MLS policy in gui
- sepolicy: ignore comments and empty lines in file_contexts.subs_dist
- gui: port to Python 3 by migrating to PyGI
- sepolicy: do not fail when file_contexts.local or .subs do not exist
- restorecond: check write() and daemon() results
- sepolicy: remove stray space in section "SEE ALSO"
- sepolicy: support non-MCS policy in manpage
- sepolicy: support non-MLS policy in manpage
- sepolicy: fix misspelling of _ra_content_t suffix
- sepolicy: do not fail when file_contexts.local does not exist
This commit is contained in:
Petr Lautrbach 2017-11-24 14:17:33 +01:00
parent dfbde08bc9
commit c83a9507f0
5 changed files with 4290 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
policycoreutils-fedora.patch
View File

@ -1,3 +1,35 @@
diff --git policycoreutils-2.7/load_policy/load_policy.8 policycoreutils-2.7/load_policy/load_policy.8
index 5f5550d..0810995 100644
--- policycoreutils-2.7/load_policy/load_policy.8
+++ policycoreutils-2.7/load_policy/load_policy.8
@@ -39,4 +39,4 @@ Initial policy load failed and enforcing mode requested
.SH AUTHORS
.nf
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.
+The program was written by Stephen Smalley <sds@tycho.nsa.gov>.
diff --git policycoreutils-2.7/newrole/hashtab.c policycoreutils-2.7/newrole/hashtab.c
index 77ed143..24c65c4 100644
--- policycoreutils-2.7/newrole/hashtab.c
+++ policycoreutils-2.7/newrole/hashtab.c
@@ -1,5 +1,5 @@
-/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
/* FLASK */
diff --git policycoreutils-2.7/newrole/hashtab.h policycoreutils-2.7/newrole/hashtab.h
index 9f737df..3790f0a 100644
--- policycoreutils-2.7/newrole/hashtab.h
+++ policycoreutils-2.7/newrole/hashtab.h
@@ -1,5 +1,5 @@
-/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
/* FLASK */
diff --git policycoreutils-2.7/scripts/fixfiles policycoreutils-2.7/scripts/fixfiles
index 1aa330f..7ec0396 100755
--- policycoreutils-2.7/scripts/fixfiles
@ -10,3 +42,16 @@ index 1aa330f..7ec0396 100755
FORCEFLAG=""
RPMFILES=""
PREFC=""
diff --git policycoreutils-2.7/setfiles/setfiles.8 policycoreutils-2.7/setfiles/setfiles.8
index 9501845..ccaaf4d 100644
--- policycoreutils-2.7/setfiles/setfiles.8
+++ policycoreutils-2.7/setfiles/setfiles.8
@@ -255,7 +255,7 @@ being updated provided there are no errors.
.SH "AUTHOR"
This man page was written by Russell Coker <russell@coker.com.au>.
-The program was written by Stephen Smalley <sds@epoch.ncsc.mil>
+The program was written by Stephen Smalley <sds@tycho.nsa.gov>
.SH "SEE ALSO"
.BR restorecon (8),

42
policycoreutils.spec
View File

@ -1,7 +1,7 @@
%global libauditver 2.1.3-4
%global libsepolver 2.7-1
%global libsemanagever 2.7-1
%global libselinuxver 2.7-1
%global libsepolver 2.7-2
%global libsemanagever 2.7-2
%global libselinuxver 2.7-3
%global sepolgenver 2.7
%global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -9,7 +9,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.7
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2
Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases
@ -31,8 +31,10 @@ Source18: selinux-autorelabel.target
Source19: selinux-autorelabel-generator.sh
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# $ VERSION=2.7 ./make-fedora-selinux-patch.sh policycoreutils
# HEAD https://github.com/fedora-selinux/selinux/commit/70a12c5e7b56a81223d67ce2469292826b84efe9
# HEAD https://github.com/fedora-selinux/selinux/commit/e5a6540888e254b245d42b7cecf0b895d64ddc43
# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
# BRANCH=f27 VERSION=2.7 ./make-fedora-selinux-patch.sh $i
# done
Patch: policycoreutils-fedora.patch
# $ VERSION=2.7 ./make-fedora-selinux-patch.sh selinux-python
Patch1: selinux-python-fedora.patch
@ -40,7 +42,7 @@ Patch2: selinux-gui-fedora.patch
Patch3: selinux-sandbox-fedora.patch
Patch4: selinux-dbus-fedora.patch
# Patch5: semodule-utils-fedora.patch
# Patch6: restorecond
Patch6: restorecond-fedora.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
# initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel
@ -185,6 +187,7 @@ sed -i '1s%\(#! *\)/usr/bin/python\([^3].*\|\)$%\1%{__python3}\2%' \
%{buildroot}%{_bindir}/audit2why \
%{buildroot}%{_bindir}/sepolicy \
%{buildroot}%{_bindir}/sepolgen{,-ifgen} \
%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \
%{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \
%nil
@ -400,6 +403,7 @@ system-config-selinux is a utility for managing the SELinux environment
%{_datadir}/system-config-selinux/polgengui.py*
%{_datadir}/system-config-selinux/system-config-selinux.py*
%{_datadir}/system-config-selinux/*.glade
%{_datadir}/system-config-selinux/*.ui
%{python_sitelib}/sepolicy/gui.py*
%{python_sitelib}/sepolicy/sepolicy.glade
%dir %{python_sitelib}/sepolicy/help
@ -498,6 +502,30 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Fri Nov 24 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
- sepolicy: Fix sepolicy manpage.
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option
- semanage: Don't use global setup variable
- semanage: drop *_ini functions
- semanage: Enable listing file_contexts.homedirs
- semanage: make seobject.py backward compatible
- gui: remove mappingsPage
- gui: delete overridden definition of usersPage.delete()
- gui: fix parsing of "semodule -lfull" in tab Modules
- gui: remove the status bar
- sepolicy: support non-MLS policy in gui
- sepolicy: ignore comments and empty lines in file_contexts.subs_dist
- gui: port to Python 3 by migrating to PyGI
- sepolicy: do not fail when file_contexts.local or .subs do not exist
- restorecond: check write() and daemon() results
- sepolicy: remove stray space in section "SEE ALSO"
- sepolicy: support non-MCS policy in manpage
- sepolicy: support non-MLS policy in manpage
- sepolicy: fix misspelling of _ra_content_t suffix
- sepolicy: do not fail when file_contexts.local does not exist
* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
- Update to upstream release 2017-08-04
- Move DBUS API from -gui to -dbus package

29
restorecond-fedora.patch Normal file
View File

@ -0,0 +1,29 @@
diff --git restorecond-2.7/restorecond.c restorecond-2.7/restorecond.c
index f379db1..6fbbd35 100644
--- restorecond-2.7/restorecond.c
+++ restorecond-2.7/restorecond.c
@@ -103,7 +103,10 @@ static int write_pid_file(void)
pidfile = 0;
return 1;
}
- (void)write(pidfd, val, (unsigned int)len);
+ if (write(pidfd, val, (unsigned int)len) != len) {
+ syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));
+ return 1;
+ }
close(pidfd);
return 0;
}
@@ -204,8 +207,10 @@ int main(int argc, char **argv)
watch_file = server_watch_file;
read_config(master_fd, watch_file);
- if (!debug_mode)
- daemon(0, 0);
+ if (!debug_mode) {
+ if (daemon(0, 0) < 0)
+ exitApp("daemon");
+ }
write_pid_file();

3355
selinux-gui-fedora.patch
View File

File diff suppressed because it is too large Load Diff

847
selinux-python-fedora.patch
View File

@ -1,3 +1,270 @@
diff --git selinux-python-2.7/semanage/semanage selinux-python-2.7/semanage/semanage
index 313537c..8d8a086 100644
--- selinux-python-2.7/semanage/semanage
+++ selinux-python-2.7/semanage/semanage
@@ -89,16 +89,6 @@ class CheckRole(argparse.Action):
newval.append(v)
setattr(namespace, self.dest, newval)
-store = ''
-
-
-class SetStore(argparse.Action):
-
- def __call__(self, parser, namespace, values, option_string=None):
- global store
- store = values
- setattr(namespace, self.dest, values)
-
class seParser(argparse.ArgumentParser):
@@ -134,67 +124,21 @@ class SetImportFile(argparse.Action):
sys.exit(1)
setattr(namespace, self.dest, values)
-# functions for OBJECT initialization
-
-
-def login_ini():
- OBJECT = seobject.loginRecords(store)
- return OBJECT
-
-
-def user_ini():
- OBJECT = seobject.seluserRecords(store)
- return OBJECT
-
-
-def port_ini():
- OBJECT = seobject.portRecords(store)
- return OBJECT
-
-def ibpkey_ini():
- OBJECT = seobject.ibpkeyRecords(store)
- return OBJECT
-
-def ibendport_ini():
- OBJECT = seobject.ibendportRecords(store)
- return OBJECT
-
-def module_ini():
- OBJECT = seobject.moduleRecords(store)
- return OBJECT
-
-
-def interface_ini():
- OBJECT = seobject.interfaceRecords(store)
- return OBJECT
-
-
-def node_ini():
- OBJECT = seobject.nodeRecords(store)
- return OBJECT
-
-
-def fcontext_ini():
- OBJECT = seobject.fcontextRecords(store)
- return OBJECT
-
-
-def boolean_ini():
- OBJECT = seobject.booleanRecords(store)
- return OBJECT
-
-
-def permissive_ini():
- OBJECT = seobject.permissiveRecords(store)
- return OBJECT
-
-
-def dontaudit_ini():
- OBJECT = seobject.dontauditClass(store)
- return OBJECT
-
# define dictonary for seobject OBEJCTS
-object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini, 'ibpkey': ibpkey_ini, 'ibendport': ibendport_ini}
+object_dict = {
+ 'login': seobject.loginRecords,
+ 'user': seobject.seluserRecords,
+ 'port': seobject.portRecords,
+ 'module': seobject.moduleRecords,
+ 'interface': seobject.interfaceRecords,
+ 'node': seobject.nodeRecords,
+ 'fcontext': seobject.fcontextRecords,
+ 'boolean': seobject.booleanRecords,
+ 'permissive': seobject.permissiveRecords,
+ 'dontaudit': seobject.dontauditClass,
+ 'ibpkey': seobject.ibpkeyRecords,
+ 'ibendport': seobject.ibendportRecords
+}
def generate_custom_usage(usage_text, usage_dict):
# generate custom usage from given text and dictonary
@@ -238,8 +182,7 @@ def handleLogin(args):
handle_opts(args, login_args, args.action)
- OBJECT = object_dict['login']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['login'](args)
if args.action is "add":
OBJECT.add(args.login, args.seuser, args.range)
@@ -257,7 +200,7 @@ def handleLogin(args):
def parser_add_store(parser, name):
- parser.add_argument('-S', '--store', action=SetStore, help=_("Select an alternate SELinux Policy Store to manage"))
+ parser.add_argument('-S', '--store', default='', help=_("Select an alternate SELinux Policy Store to manage"))
def parser_add_priority(parser, name):
@@ -269,7 +212,7 @@ def parser_add_noheading(parser, name):
def parser_add_noreload(parser, name):
- parser.add_argument('-N', '--noreload', action='store_false', default=True, help=_('Do not reload policy after commit'))
+ parser.add_argument('-N', '--noreload', action='store_true', default=False, help=_('Do not reload policy after commit'))
def parser_add_locallist(parser, name):
@@ -372,8 +315,7 @@ def handleFcontext(args):
else:
handle_opts(args, fcontext_args, args.action)
- OBJECT = object_dict['fcontext']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['fcontext'](args)
if args.action is "add":
if args.equal:
@@ -441,8 +383,7 @@ def handleUser(args):
handle_opts(args, user_args, args.action)
- OBJECT = object_dict['user']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['user'](args)
if args.action is "add":
OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
@@ -492,8 +433,7 @@ def handlePort(args):
handle_opts(args, port_args, args.action)
- OBJECT = object_dict['port']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['port'](args)
if args.action is "add":
OBJECT.add(args.port, args.proto, args.range, args.type)
@@ -538,8 +478,7 @@ def handlePkey(args):
handle_opts(args, ibpkey_args, args.action)
- OBJECT = object_dict['ibpkey']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['ibpkey'](args)
if args.action is "add":
OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
@@ -582,8 +521,7 @@ def handleIbendport(args):
handle_opts(args, ibendport_args, args.action)
- OBJECT = object_dict['ibendport']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['ibendport'](args)
if args.action is "add":
OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
@@ -626,8 +564,7 @@ def handleInterface(args):
handle_opts(args, interface_args, args.action)
- OBJECT = object_dict['interface']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['interface'](args)
if args.action is "add":
OBJECT.add(args.interface, args.range, args.type)
@@ -666,8 +603,7 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
- OBJECT = seobject.moduleRecords(store)
- OBJECT.set_reload(args.noreload)
+ OBJECT = seobject.moduleRecords(args)
if args.action == "add":
OBJECT.add(args.module_name, args.priority)
if args.action == "enable":
@@ -709,8 +645,7 @@ def handleNode(args):
node_args = {'list': [('node', 'type', 'proto', 'netmask'), ('')], 'add': [('locallist'), ('type', 'node', 'proto', 'netmask')], 'modify': [('locallist'), ('node', 'netmask', 'proto')], 'delete': [('locallist'), ('node', 'netmask', 'prototype')], 'extract': [('locallist', 'node', 'type', 'proto', 'netmask'), ('')], 'deleteall': [('locallist'), ('')]}
handle_opts(args, node_args, args.action)
- OBJECT = object_dict['node']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['node'](args)
if args.action is "add":
OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
@@ -756,8 +691,7 @@ def handleBoolean(args):
handle_opts(args, boolean_args, args.action)
- OBJECT = object_dict['boolean']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['boolean'](args)
if args.action is "modify":
if args.boolean:
@@ -795,8 +729,7 @@ def setupBooleanParser(subparsers):
def handlePermissive(args):
- OBJECT = object_dict['permissive']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['permissive'](args)
if args.action is "list":
OBJECT.list(args.noheading)
@@ -830,8 +763,7 @@ def setupPermissiveParser(subparsers):
def handleDontaudit(args):
- OBJECT = object_dict['dontaudit']()
- OBJECT.set_reload(args.noreload)
+ OBJECT = object_dict['dontaudit'](args)
OBJECT.toggle(args.action)
@@ -848,7 +780,7 @@ def handleExport(args):
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
- OBJECT = object_dict[i]()
+ OBJECT = object_dict[i](args)
for c in OBJECT.customized():
print("%s %s" % (i, str(c)))
@@ -912,7 +844,7 @@ def mkargv(line):
def handleImport(args):
- trans = seobject.semanageRecords(store)
+ trans = seobject.semanageRecords(args)
trans.start()
for l in sys.stdin.readlines():
@@ -932,7 +864,6 @@ def handleImport(args):
except KeyboardInterrupt:
sys.exit(0)
- trans.set_reload(args.noreload)
trans.finish()
diff --git selinux-python-2.7/semanage/semanage.8 selinux-python-2.7/semanage/semanage.8
index 0bdb90f..0cdcfcc 100644
--- selinux-python-2.7/semanage/semanage.8
@ -15,10 +282,67 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.7/semanage/seobject.py selinux-python-2.7/semanage/seobject.py
index 70fd192..af88126 100644
index 70fd192..99e1cd8 100644
--- selinux-python-2.7/semanage/seobject.py
+++ selinux-python-2.7/semanage/seobject.py
@@ -386,6 +386,8 @@ class moduleRecords(semanageRecords):
@@ -238,21 +238,28 @@ class semanageRecords:
transaction = False
handle = None
store = None
+ args = None
- def __init__(self, store):
+ def __init__(self, args = None):
global handle
- self.load = True
- self.sh = self.get_handle(store)
+ if args:
+ # legacy code - args was store originally
+ if type(args) == str:
+ self.store = args
+ else:
+ self.args = args
+ self.noreload = getattr(args, "noreload", False)
+ if not self.store:
+ self.store = getattr(args, "store", "")
+
+ self.sh = self.get_handle(self.store)
rc, localstore = selinux.selinux_getpolicytype()
- if store == "" or store == localstore:
+ if self.store == "" or self.store == localstore:
self.mylog = logger()
else:
self.mylog = nulllogger()
- def set_reload(self, load):
- self.load = load
-
def get_handle(self, store):
global is_mls_enabled
@@ -312,7 +319,8 @@ class semanageRecords:
if semanageRecords.transaction:
return
- semanage_set_reload(self.sh, self.load)
+ if self.noreload:
+ semanage_set_reload(self.sh, 0)
rc = semanage_commit(self.sh)
if rc < 0:
self.mylog.commit(0)
@@ -328,8 +336,8 @@ class semanageRecords:
class moduleRecords(semanageRecords):
- def __init__(self, store):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def get_all(self):
l = []
@@ -386,6 +394,8 @@ class moduleRecords(semanageRecords):
print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
def add(self, file, priority):
@ -27,7 +351,7 @@ index 70fd192..af88126 100644
if not os.path.exists(file):
raise ValueError(_("Module does not exist: %s ") % file)
@@ -398,6 +400,8 @@ class moduleRecords(semanageRecords):
@@ -398,6 +408,8 @@ class moduleRecords(semanageRecords):
self.commit()
def set_enabled(self, module, enable):
@ -36,7 +360,7 @@ index 70fd192..af88126 100644
for m in module.split():
rc, key = semanage_module_key_create(self.sh)
if rc < 0:
@@ -416,11 +420,15 @@ class moduleRecords(semanageRecords):
@@ -416,11 +428,15 @@ class moduleRecords(semanageRecords):
self.commit()
def modify(self, file):
@ -52,11 +376,372 @@ index 70fd192..af88126 100644
rc = semanage_set_default_priority(self.sh, priority)
if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
@@ -440,8 +456,8 @@ class moduleRecords(semanageRecords):
class dontauditClass(semanageRecords):
- def __init__(self, store):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def toggle(self, dontaudit):
if dontaudit not in ["on", "off"]:
@@ -453,8 +469,8 @@ class dontauditClass(semanageRecords):
class permissiveRecords(semanageRecords):
- def __init__(self, store):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def get_all(self):
l = []
@@ -522,8 +538,8 @@ class permissiveRecords(semanageRecords):
class loginRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
self.oldsename = None
self.oldserange = None
self.sename = None
@@ -534,7 +550,7 @@ class loginRecords(semanageRecords):
if sename == "":
sename = "user_u"
- userrec = seluserRecords()
+ userrec = seluserRecords(self.args)
range, (rc, oldserole) = userrec.get(self.oldsename)
range, (rc, serole) = userrec.get(sename)
@@ -603,7 +619,7 @@ class loginRecords(semanageRecords):
if sename == "" and serange == "":
raise ValueError(_("Requires seuser or serange"))
- userrec = seluserRecords()
+ userrec = seluserRecords(self.args)
range, (rc, oldserole) = userrec.get(self.oldsename)
if sename != "":
@@ -660,7 +676,7 @@ class loginRecords(semanageRecords):
def __delete(self, name):
rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
- userrec = seluserRecords()
+ userrec = seluserRecords(self.args)
range, (rc, oldserole) = userrec.get(self.oldsename)
(rc, k) = semanage_seuser_key_create(self.sh, name)
@@ -779,8 +795,8 @@ class loginRecords(semanageRecords):
class seluserRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def get(self, name):
(rc, k) = semanage_user_key_create(self.sh, name)
@@ -1042,8 +1058,8 @@ class portRecords(semanageRecords):
except RuntimeError:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def __genkey(self, port, proto):
if proto == "tcp":
@@ -1317,8 +1333,8 @@ class ibpkeyRecords(semanageRecords):
except:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def __genkey(self, pkey, subnet_prefix):
if subnet_prefix == "":
@@ -1540,9 +1556,8 @@ class ibpkeyRecords(semanageRecords):
def customized(self):
l = []
ddict = self.get_all(True)
- keys = ddict.keys()
- keys.sort()
- for k in keys:
+
+ for k in sorted(ddict.keys()):
if k[0] == k[1]:
l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
else:
@@ -1554,11 +1569,10 @@ class ibpkeyRecords(semanageRecords):
keys = ddict.keys()
if len(keys) == 0:
return
- keys.sort()
if heading:
print("%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), _("Subnet_Prefix"), _("Pkey Number")))
- for i in keys:
+ for i in sorted(keys):
rec = "%-30s %-18s " % i
rec += "%s" % ddict[i][0]
for p in ddict[i][1:]:
@@ -1572,8 +1586,8 @@ class ibendportRecords(semanageRecords):
except:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def __genkey(self, ibendport, ibdev_name):
if ibdev_name == "":
@@ -1782,10 +1796,9 @@ class ibendportRecords(semanageRecords):
def customized(self):
l = []
ddict = self.get_all(True)
- keys = ddict.keys()
- keys.sort()
- for k in keys:
- l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
+
+ for k in sorted(ddict.keys()):
+ l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
return l
def list(self, heading=1, locallist=0):
@@ -1793,11 +1806,10 @@ class ibendportRecords(semanageRecords):
keys = ddict.keys()
if len(keys) == 0:
return
- keys.sort()
if heading:
print("%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB Device Name"), _("Port Number")))
- for i in keys:
+ for i in sorted(keys):
rec = "%-30s %-18s " % i
rec += "%s" % ddict[i][0]
for p in ddict[i][1:]:
@@ -1810,8 +1822,8 @@ class nodeRecords(semanageRecords):
except RuntimeError:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
self.protocol = ["ipv4", "ipv6"]
def validate(self, addr, mask, protocol):
@@ -2046,8 +2058,8 @@ class nodeRecords(semanageRecords):
class interfaceRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
def __add(self, interface, serange, ctype):
if is_mls_enabled == 1:
@@ -2243,8 +2255,8 @@ class fcontextRecords(semanageRecords):
except RuntimeError:
valid_types = []
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
self.equiv = {}
self.equiv_dist = {}
self.equal_ind = False
@@ -2566,10 +2578,15 @@ class fcontextRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not list file contexts"))
+ (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list file contexts for home directories"))
+
(rc, fclocal) = semanage_fcontext_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list local file contexts"))
+ self.flist += fchomedirs
self.flist += fclocal
ddict = {}
@@ -2627,8 +2644,8 @@ class fcontextRecords(semanageRecords):
class booleanRecords(semanageRecords):
- def __init__(self, store=""):
- semanageRecords.__init__(self, store)
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
self.dict = {}
self.dict["TRUE"] = 1
self.dict["FALSE"] = 0
diff --git selinux-python-2.7/sepolicy/sepolicy.8 selinux-python-2.7/sepolicy/sepolicy.8
index 7900586..09d2b24 100644
--- selinux-python-2.7/sepolicy/sepolicy.8
+++ selinux-python-2.7/sepolicy/sepolicy.8
@@ -22,14 +22,15 @@ Query SELinux policy to see if domains can communicate with each other
.br
.B generate
-.br
.br
Generate SELinux Policy module template
-.B gui
+.B sepolicy-generate(8)
.br
+
+.B gui
.br
Launch Graphical User Interface for SELinux Policy, requires policycoreutils-gui package.
-.B sepolicy-generate(8)
+.B sepolicy-gui(8)
.br
.B interface
diff --git selinux-python-2.7/sepolicy/sepolicy/__init__.py selinux-python-2.7/sepolicy/sepolicy/__init__.py
index 5cfc071..a10dbcd 100644
index 5cfc071..24e3526 100644
--- selinux-python-2.7/sepolicy/sepolicy/__init__.py
+++ selinux-python-2.7/sepolicy/sepolicy/__init__.py
@@ -1136,27 +1136,14 @@ def boolean_desc(boolean):
@@ -4,6 +4,7 @@
# Author: Ryan Hallisey <rhallise@redhat.com>
# Author: Jason Zaman <perfinion@gentoo.org>
+import errno
import selinux
import setools
import glob
@@ -207,10 +208,17 @@ def info(setype, name=None):
elif len(ports) == 1:
q.ports = (ports[0], ports[0])
+ if _pol.mls:
+ return ({
+ 'high': x.ports.high,
+ 'protocol': str(x.protocol),
+ 'range': str(x.context.range_),
+ 'type': str(x.context.type_),
+ 'low': x.ports.low,
+ } for x in q.results())
return ({
'high': x.ports.high,
'protocol': str(x.protocol),
- 'range': str(x.context.range_),
'type': str(x.context.type_),
'low': x.ports.low,
} for x in q.results())
@@ -220,11 +228,16 @@ def info(setype, name=None):
if name:
q.name = name
+ if _pol.mls:
+ return ({
+ 'range': str(x.mls_range),
+ 'name': str(x),
+ 'roles': list(map(str, x.roles)),
+ 'level': str(x.mls_level),
+ } for x in q.results())
return ({
- 'range': str(x.mls_range),
'name': str(x),
'roles': list(map(str, x.roles)),
- 'level': str(x.mls_level),
} for x in q.results())
elif setype == BOOLEAN:
@@ -511,12 +524,15 @@ def find_entrypoint_path(exe, exclude_list=[]):
def read_file_equiv(edict, fc_path, modify):
- fd = open(fc_path, "r")
- fc = fd.readlines()
- fd.close()
- for e in fc:
- f = e.split()
- edict[f[0]] = {"equiv": f[1], "modify": modify}
+ try:
+ with open(fc_path, "r") as fd:
+ for e in fd:
+ f = e.split()
+ if f and not f[0].startswith('#'):
+ edict[f[0]] = {"equiv": f[1], "modify": modify}
+ except OSError as e:
+ if e.errno != errno.ENOENT:
+ raise
return edict
@@ -543,9 +559,13 @@ def get_local_file_paths(fc_path=selinux.selinux_file_context_path()):
if local_files:
return local_files
local_files = []
- fd = open(fc_path + ".local", "r")
- fc = fd.readlines()
- fd.close()
+ try:
+ with open(fc_path + ".local", "r") as fd:
+ fc = fd.readlines()
+ except OSError as e:
+ if e.errno != errno.ENOENT:
+ raise
+ return []
for i in fc:
rec = i.split()
if len(rec) == 0:
@@ -573,9 +593,12 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
fc += fd.readlines()
fd.close()
fcdict = {}
- fd = open(fc_path + ".local", "r")
- fc += fd.readlines()
- fd.close()
+ try:
+ with open(fc_path + ".local", "r") as fd:
+ fc += fd.readlines()
+ except OSError as e:
+ if e.errno != errno.ENOENT:
+ raise
for i in fc:
rec = i.split()
@@ -856,8 +879,9 @@ def get_selinux_users():
global selinux_user_list
if not selinux_user_list:
selinux_user_list = list(info(USER))
- for x in selinux_user_list:
- x['range'] = "".join(x['range'].split(" "))
+ if _pol.mls:
+ for x in selinux_user_list:
+ x['range'] = "".join(x['range'].split(" "))
return selinux_user_list
@@ -955,7 +979,7 @@ def get_description(f, markup=markup):
if f.endswith("_db_t"):
return txt + "treat the files as %s database content." % prettyprint(f, "_db_t")
if f.endswith("_ra_content_t"):
- return txt + "treat the files as %s read/append content." % prettyprint(f, "_ra_conten_t")
+ return txt + "treat the files as %s read/append content." % prettyprint(f, "_ra_content_t")
if f.endswith("_cert_t"):
return txt + "treat the files as %s certificate data." % prettyprint(f, "_cert_t")
if f.endswith("_key_t"):
@@ -1136,27 +1160,14 @@ def boolean_desc(boolean):
def get_os_version():
@ -90,11 +775,124 @@ index 5cfc071..a10dbcd 100644
def reinit():
diff --git selinux-python-2.7/sepolicy/sepolicy/gui.py selinux-python-2.7/sepolicy/sepolicy/gui.py
index 007c94a..6562aa8 100644
--- selinux-python-2.7/sepolicy/sepolicy/gui.py
+++ selinux-python-2.7/sepolicy/sepolicy/gui.py
@@ -907,8 +907,8 @@ class SELinuxGui():
if "object_r" in roles:
roles.remove("object_r")
self.user_liststore.set_value(iter, 1, ", ".join(roles))
- self.user_liststore.set_value(iter, 2, u["level"])
- self.user_liststore.set_value(iter, 3, u["range"])
+ self.user_liststore.set_value(iter, 2, u.get("level", ""))
+ self.user_liststore.set_value(iter, 3, u.get("range", ""))
self.user_liststore.set_value(iter, 4, True)
self.ready_mouse()
@@ -1755,14 +1755,14 @@ class SELinuxGui():
if self.login_mls_entry.get_text() == "":
for u in sepolicy.get_selinux_users():
if seuser == u['name']:
- self.login_mls_entry.set_text(u['range'])
+ self.login_mls_entry.set_text(u.get('range', ''))
def user_roles_combobox_change(self, combo, *args):
serole = self.combo_get_active_text(combo)
if self.user_mls_entry.get_text() == "":
for u in sepolicy.get_all_roles():
if serole == u['name']:
- self.user_mls_entry.set_text(u['range'])
+ self.user_mls_entry.set_text(u.get('range', ''))
def get_selected_iter(self):
iter = None
@@ -1973,7 +1973,10 @@ class SELinuxGui():
self.cur_dict["user"][name] = {"action": "-m", "range": mls_range, "level": level, "role": roles, "oldrange": oldrange, "oldlevel": oldlevel, "oldroles": oldroles, "oldname": oldname}
else:
iter = self.liststore.append(None)
- self.cur_dict["user"][name] = {"action": "-a", "range": mls_range, "level": level, "role": roles}
+ if mls_range or level:
+ self.cur_dict["user"][name] = {"action": "-a", "range": mls_range, "level": level, "role": roles}
+ else:
+ self.cur_dict["user"][name] = {"action": "-a", "role": roles}
self.liststore.set_value(iter, 0, name)
self.liststore.set_value(iter, 1, roles)
@@ -2089,8 +2092,8 @@ class SELinuxGui():
user_dict = self.cust_dict["user"]
for user in user_dict:
roles = user_dict[user]["role"]
- mls = user_dict[user]["range"]
- level = user_dict[user]["level"]
+ mls = user_dict[user].get("range", "")
+ level = user_dict[user].get("level", "")
iter = self.user_delete_liststore.append()
self.user_delete_liststore.set_value(iter, 1, user)
self.user_delete_liststore.set_value(iter, 2, roles)
@@ -2104,7 +2107,7 @@ class SELinuxGui():
login_dict = self.cust_dict["login"]
for login in login_dict:
seuser = login_dict[login]["seuser"]
- mls = login_dict[login]["range"]
+ mls = login_dict[login].get("range", "")
iter = self.login_delete_liststore.append()
self.login_delete_liststore.set_value(iter, 1, seuser)
self.login_delete_liststore.set_value(iter, 2, login)
@@ -2268,7 +2271,7 @@ class SELinuxGui():
self.update_treestore.set_value(niter, 3, False)
roles = self.cur_dict["user"][user]["role"]
self.update_treestore.set_value(niter, 1, (_("Roles: %s")) % roles)
- mls = self.cur_dict["user"][user]["range"]
+ mls = self.cur_dict["user"][user].get("range", "")
niter = self.update_treestore.append(iter)
self.update_treestore.set_value(niter, 3, False)
self.update_treestore.set_value(niter, 1, _("MLS/MCS Range: %s") % mls)
@@ -2293,7 +2296,7 @@ class SELinuxGui():
self.update_treestore.set_value(niter, 3, False)
seuser = self.cur_dict["login"][login]["seuser"]
self.update_treestore.set_value(niter, 1, (_("SELinux User: %s")) % seuser)
- mls = self.cur_dict["login"][login]["range"]
+ mls = self.cur_dict["login"][login].get("range", "")
niter = self.update_treestore.append(iter)
self.update_treestore.set_value(niter, 3, False)
self.update_treestore.set_value(niter, 1, _("MLS/MCS Range: %s") % mls)
@@ -2487,14 +2490,18 @@ class SELinuxGui():
for l in self.cur_dict[k]:
if self.cur_dict[k][l]["action"] == "-d":
update_buffer += "login -d %s\n" % l
- else:
+ elif "range" in self.cur_dict[k][l]:
update_buffer += "login %s -s %s -r %s %s\n" % (self.cur_dict[k][l]["action"], self.cur_dict[k][l]["seuser"], self.cur_dict[k][l]["range"], l)
+ else:
+ update_buffer += "login %s -s %s %s\n" % (self.cur_dict[k][l]["action"], self.cur_dict[k][l]["seuser"], l)
if k in "user":
for u in self.cur_dict[k]:
if self.cur_dict[k][u]["action"] == "-d":
update_buffer += "user -d %s\n" % u
- else:
+ elif "level" in self.cur_dict[k][u] and "range" in self.cur_dict[k][u]:
update_buffer += "user %s -L %s -r %s -R %s %s\n" % (self.cur_dict[k][u]["action"], self.cur_dict[k][u]["level"], self.cur_dict[k][u]["range"], self.cur_dict[k][u]["role"], u)
+ else:
+ update_buffer += "user %s -R %s %s\n" % (self.cur_dict[k][u]["action"], self.cur_dict[k][u]["role"], u)
if k in "fcontext-equiv":
for f in self.cur_dict[k]:
diff --git selinux-python-2.7/sepolicy/sepolicy/manpage.py selinux-python-2.7/sepolicy/sepolicy/manpage.py
index 4d84636..4772b50 100755
index 4d84636..b463165 100755
--- selinux-python-2.7/sepolicy/sepolicy/manpage.py
+++ selinux-python-2.7/sepolicy/sepolicy/manpage.py
@@ -125,8 +125,33 @@ def gen_domains():
@@ -84,7 +84,8 @@ def get_all_users_info():
for d in allusers_info:
allusers.append(d['name'])
- users_range[d['name'].split("_")[0]] = d['range']
+ if 'range' in d:
+ users_range[d['name'].split("_")[0]] = d['range']
for u in allusers:
if u not in ["system_u", "root", "unconfined_u"]:
@@ -125,8 +126,36 @@ def gen_domains():
domains.sort()
return domains
@ -121,7 +919,10 @@ index 4d84636..4772b50 100755
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ try:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ except StopIteration:
+ mcs_constrained_types = []
+ return mcs_constrained_types
+
+
@ -129,7 +930,7 @@ index 4d84636..4772b50 100755
def _gen_types():
global types
@@ -149,10 +174,6 @@ def prettyprint(f, trim):
@@ -149,10 +178,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
@ -140,7 +941,7 @@ index 4d84636..4772b50 100755
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -182,7 +203,7 @@ def convert_manpage_to_html(html_manpage, manpage):
@@ -182,7 +207,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
@ -149,7 +950,7 @@ index 4d84636..4772b50 100755
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -190,9 +211,9 @@ class HTMLManPages:
@@ -190,9 +215,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
@ -161,7 +962,7 @@ index 4d84636..4772b50 100755
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -201,7 +222,6 @@ class HTMLManPages:
@@ -201,7 +226,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
@ -169,7 +970,7 @@ index 4d84636..4772b50 100755
self._gen_css()
def _write_html_manpage(self):
@@ -219,67 +239,21 @@ class HTMLManPages:
@@ -219,67 +243,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
@ -241,7 +1042,7 @@ index 4d84636..4772b50 100755
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
@@ -423,6 +397,9 @@ class ManPage:
@@ -423,6 +401,9 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
@ -251,7 +1052,7 @@ index 4d84636..4772b50 100755
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -735,10 +712,13 @@ Default Defined Ports:""")
@@ -735,10 +716,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
@ -265,7 +1066,7 @@ index 4d84636..4772b50 100755
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -790,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -790,19 +774,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
@ -289,7 +1090,17 @@ index 4d84636..4772b50 100755
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
@@ -974,8 +955,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
@@ -921,8 +906,7 @@ This manual page was auto-generated using
.B "sepolicy manpage".
.SH "SEE ALSO"
-selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-""" % (self.domainname))
+selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)""" % (self.domainname))
if self.booltext != "":
self.fd.write(", setsebool(8)")
@@ -974,8 +958,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
%s""" % ", ".join(paths))
def _mcs_types(self):