policycoreutils-3.2-2

- Do not use Python slip
- dbus: use GLib.MainLoop
- fixfiles: do not exclude /dev and /run in -C mode

0018-Do-not-use-Python-slip.patch

@@ -0,0 +1,217 @@
+From 02fd46cee210fc693ddf985d7d03674397f8342f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 15 Apr 2021 17:39:39 +0200
+Subject: [PATCH] Do not use Python slip
+
+Python slip is not actively maintained anymore and it was use just as
+polkit proxy. It looks like polkit dbus interface is quite simple to use
+it directly via python dbus module.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ dbus/selinux_server.py             | 69 ++++++++++++++++++------------
+ python/sepolicy/sepolicy/sedbus.py |  9 ----
+ 2 files changed, 41 insertions(+), 37 deletions(-)
+
+diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
+index be4f4557a9fa..b7c9378bcb5d 100644
+--- a/dbus/selinux_server.py
++++ b/dbus/selinux_server.py
+@@ -4,26 +4,33 @@ import dbus
+ import dbus.service
+ import dbus.mainloop.glib
+ from gi.repository import GObject
+-import slip.dbus.service
+-from slip.dbus import polkit
+ import os
+ import selinux
+ from subprocess import Popen, PIPE, STDOUT
+ 
+ 
+-class selinux_server(slip.dbus.service.Object):
++class selinux_server(dbus.service.Object):
+     default_polkit_auth_required = "org.selinux.semanage"
+ 
+     def __init__(self, *p, **k):
+         super(selinux_server, self).__init__(*p, **k)
+ 
++    def is_authorized(self, sender, action_id):
++        bus = dbus.SystemBus()
++        proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
++        authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
++        subject = ('system-bus-name', {'name': sender})
++        result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
++        return result[0]
++
+     #
+     # The semanage method runs a transaction on a series of semanage commands,
+     # these commands can take the output of customized
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.semanage")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def semanage(self, buf):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def semanage(self, buf, sender):
++        if not self.is_authorized(sender, "org.selinux.semanage"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
+         p.stdin.write(buf)
+         output = p.communicate()
+@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
+     # on the server.  This output can be used with the semanage method on
+     # another server to make the two systems have duplicate policy.
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.customized")
+-    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
+-    def customized(self):
++    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
++    def customized(self, sender):
++        if not self.is_authorized(sender, "org.selinux.customized"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
+         buf = p.stdout.read()
+         output = p.communicate()
+@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
+     # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
+     # since this is a readonly behaviour
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
+-    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
+-    def semodule_list(self):
++    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
++    def semodule_list(self, sender):
++        if not self.is_authorized(sender, "org.selinux.semodule_list"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
+         buf = p.stdout.read()
+         output = p.communicate()
+@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
+     #
+     # The restorecon method modifies any file path to the default system label
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.restorecon")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def restorecon(self, path):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def restorecon(self, path, sender):
++        if not self.is_authorized(sender, "org.selinux.restorecon"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         selinux.restorecon(str(path), recursive=1)
+ 
+     #
+     # The setenforce method turns off the current enforcement of SELinux
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.setenforce")
+-    @dbus.service.method("org.selinux", in_signature='i')
+-    def setenforce(self, value):
++    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
++    def setenforce(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.setenforce"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         selinux.security_setenforce(value)
+ 
+     #
+     # The setenforce method turns off the current enforcement of SELinux
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
+-    @dbus.service.method("org.selinux", in_signature='i')
+-    def relabel_on_boot(self, value):
++    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
++    def relabel_on_boot(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         if value == 1:
+             fd = open("/.autorelabel", "w")
+             fd.close()
+@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
+     #
+     # The change_default_enforcement modifies the current enforcement mode
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def change_default_mode(self, value):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def change_default_mode(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.change_default_mode"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         values = ["enforcing", "permissive", "disabled"]
+         if value not in values:
+             raise ValueError("Enforcement mode must be %s" % ", ".join(values))
+@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
+     #
+     # The change_default_policy method modifies the policy type
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def change_default_policy(self, value):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def change_default_policy(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.change_default_policy"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         path = selinux.selinux_path() + value
+         if os.path.isdir(path):
+             return self.write_selinux_config(policy=value)
+@@ -136,5 +150,4 @@ if __name__ == "__main__":
+     system_bus = dbus.SystemBus()
+     name = dbus.service.BusName("org.selinux", system_bus)
+     object = selinux_server(system_bus, "/org/selinux/object")
+-    slip.dbus.service.set_mainloop(mainloop)
+     mainloop.run()
+diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
+index 76b259ae27e8..39b53d47753a 100644
+--- a/python/sepolicy/sepolicy/sedbus.py
++++ b/python/sepolicy/sepolicy/sedbus.py
+@@ -2,7 +2,6 @@ import sys
+ import dbus
+ import dbus.service
+ import dbus.mainloop.glib
+-from slip.dbus import polkit
+ 
+ 
+ class SELinuxDBus (object):
+@@ -11,42 +10,34 @@ class SELinuxDBus (object):
+         self.bus = dbus.SystemBus()
+         self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
+ 
+-    @polkit.enable_proxy
+     def semanage(self, buf):
+         ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def restorecon(self, path):
+         ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def setenforce(self, value):
+         ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def customized(self):
+         ret = self.dbus_object.customized(dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def semodule_list(self):
+         ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def relabel_on_boot(self, value):
+         ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def change_default_mode(self, value):
+         ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def change_default_policy(self, value):
+         ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
+         return ret
+-- 
+2.31.1
+

0019-dbus-Use-GLib.MainLoop.patch

@@ -0,0 +1,43 @@
+From 30b9e992819a2c94434a0a30d5ce96e642c84d20 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 12 May 2021 19:19:29 +0200
+Subject: [PATCH] dbus: Use GLib.MainLoop()
+
+Fixes:
+    PyGIDeprecationWarning: GObject.MainLoop is deprecated; use GLib.MainLoop instead
+---
+ dbus/selinux_server.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
+index b7c9378bcb5d..a969f2268ceb 100644
+--- a/dbus/selinux_server.py
++++ b/dbus/selinux_server.py
+@@ -2,8 +2,9 @@
+ 
+ import dbus
+ import dbus.service
+-import dbus.mainloop.glib
++from dbus.mainloop.glib import DBusGMainLoop
+ from gi.repository import GObject
++from gi.repository import GLib
+ import os
+ import selinux
+ from subprocess import Popen, PIPE, STDOUT
+@@ -145,9 +146,10 @@ class selinux_server(dbus.service.Object):
+         raise ValueError("%s does not exist" % path)
+ 
+ if __name__ == "__main__":
+-    mainloop = GObject.MainLoop()
+-    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
++    DBusGMainLoop(set_as_default=True)
++    mainloop = GLib.MainLoop()
++
+     system_bus = dbus.SystemBus()
+     name = dbus.service.BusName("org.selinux", system_bus)
+-    object = selinux_server(system_bus, "/org/selinux/object")
++    server = selinux_server(system_bus, "/org/selinux/object")
+     mainloop.run()
+-- 
+2.31.1
+

0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch

@@ -0,0 +1,67 @@
+From d36c5c43d17896ebd655f8bdc6e0303dcbf2f47b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Fri, 19 Mar 2021 22:30:59 +0100
+Subject: [PATCH] policycoreutils/setfiles: do not create useless
+ setfiles.8.man file
+
+Seems to have been there to allow for some sed substitution over the
+text. Now that this is gone, the redundant intermediate file can be
+removed, too.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ policycoreutils/setfiles/.gitignore | 1 -
+ policycoreutils/setfiles/Makefile   | 9 +++------
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+ delete mode 100644 policycoreutils/setfiles/.gitignore
+
+diff --git a/policycoreutils/setfiles/.gitignore b/policycoreutils/setfiles/.gitignore
+deleted file mode 100644
+index 5e899c95af23..000000000000
+--- a/policycoreutils/setfiles/.gitignore
++++ /dev/null
+@@ -1 +0,0 @@
+-setfiles.8.man
+diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
+index a3bbbe116b7f..63d818509791 100644
+--- a/policycoreutils/setfiles/Makefile
++++ b/policycoreutils/setfiles/Makefile
+@@ -13,7 +13,7 @@ ifeq ($(AUDITH), y)
+ 	override LDLIBS += -laudit
+ endif
+ 
+-all: setfiles restorecon restorecon_xattr man
++all: setfiles restorecon restorecon_xattr
+ 
+ setfiles: setfiles.o restore.o
+ 
+@@ -22,16 +22,13 @@ restorecon: setfiles
+ 
+ restorecon_xattr: restorecon_xattr.o restore.o
+ 
+-man:
+-	@cp -af setfiles.8 setfiles.8.man
+-
+ install: all
+ 	[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
+ 	-mkdir -p $(DESTDIR)$(SBINDIR)
+ 	install -m 755 setfiles $(DESTDIR)$(SBINDIR)
+ 	(cd $(DESTDIR)$(SBINDIR) && ln -sf setfiles restorecon)
+ 	install -m 755 restorecon_xattr $(DESTDIR)$(SBINDIR)
+-	install -m 644 setfiles.8.man $(DESTDIR)$(MANDIR)/man8/setfiles.8
++	install -m 644 setfiles.8 $(DESTDIR)$(MANDIR)/man8/setfiles.8
+ 	install -m 644 restorecon.8 $(DESTDIR)$(MANDIR)/man8/restorecon.8
+ 	install -m 644 restorecon_xattr.8 $(DESTDIR)$(MANDIR)/man8/restorecon_xattr.8
+ 	for lang in $(LINGUAS) ; do \
+@@ -42,7 +39,7 @@ install: all
+ 	done
+ 
+ clean:
+-	rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man
++	rm -f setfiles restorecon restorecon_xattr *.o
+ 
+ indent:
+ 	../../scripts/Lindent $(wildcard *.[ch])
+-- 
+2.31.1
+

0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch

@@ -0,0 +1,50 @@
+From 38d88fc70844b6f5b02883172af6df7bbd05de24 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Mon, 1 Mar 2021 18:19:22 +0100
+Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode
+
+I can't think of a good reason why they should be excluded. On the
+contrary, excluding them can cause trouble very easily if some labeling
+rules for these directories change. For example, we changed the label
+for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
+(updating the allow rules accordingly) and after policy update they
+ended up with an invalid context, causing denials.
+
+Thus, remove /dev and /run from the excludes. While there, also add
+/root to the basic excludes to match the regex that excludes fc rules
+(that should be effectively no functional change).
+
+I did a sanity check on my system by running `restorecon -nv /dev /run`
+and it didn't report any label differences.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/scripts/fixfiles | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index e73bb81c3336..cb20002ab613 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -163,7 +163,7 @@ newer() {
+ #
+ diff_filecontext() {
+ EXCLUDEDIRS="`exclude_dirs_from_relabelling`"
+-for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
++for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do
+     [ -e $i ]  && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i";
+ done
+ LogExcluded
+@@ -176,7 +176,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+ 	sed -r -e 's,:s0, ,g' $FC | sort -u | \
+ 	/usr/bin/diff -b ${PREFCTEMPFILE} - | \
+ 	    grep '^[<>]'|cut -c3-| grep ^/ | \
+-	    egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
++	    egrep -v '(^/home|^/root|^/tmp)' |\
+ 	sed -r -e 's,[[:blank:]].*,,g' \
+ 	       -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
+ 	       -e 's|([/[:alnum:]])\?|{\1,}|g' \
+-- 
+2.31.1
+

policycoreutils.spec

@@ -11,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 3.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/selinux-3.2.tar.gz
@@ -28,7 +28,7 @@ Source21: python-po.tgz
 Source22: gui-po.tgz
 Source23: sandbox-po.tgz
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 3.2-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
 Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@@ -48,6 +48,10 @@ Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
 Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
 Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
+Patch0018: 0018-Do-not-use-Python-slip.patch
+Patch0019: 0019-dbus-Use-GLib.MainLoop.patch
+Patch0020: 0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch
+Patch0021: 0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2
@@ -213,8 +217,8 @@ an SELinux environment.
 %package dbus
 Summary:    SELinux policy core DBUS api
 Requires:   python3-policycoreutils = %{version}-%{release}
-Requires:   python3-slip-dbus
 Requires:   python3-gobject-base
+Requires:   polkit
 BuildArch:  noarch
 
 %description dbus
@@ -510,6 +514,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Mon May 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-2
+- Do not use Python slip
+- fixfiles: do not exclude /dev and /run in -C mode
+- dbus: use GLib.MainLoop
+
 * Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
 - SELinux userspace 3.2 release