diff --git a/policycoreutils-fedora.patch b/policycoreutils-fedora.patch
index ddaea6b..3999d29 100644
--- a/policycoreutils-fedora.patch
+++ b/policycoreutils-fedora.patch
@@ -107,6 +107,50 @@ index bdfc99d..b6fa825 100644
  return -1;
  } else if (!len) /* BUF_LEN too small? */
+diff --git policycoreutils-2.6/run_init/open_init_pty.c policycoreutils-2.6/run_init/open_init_pty.c
+index 6e25ea3..150cb45 100644
+--- policycoreutils-2.6/run_init/open_init_pty.c
++++ policycoreutils-2.6/run_init/open_init_pty.c
+@@ -191,6 +191,28 @@ static void setfd_nonblock(int fd)
+ }
+ }
+ 
++static void setfd_block(int fd)
++{
++ int fsflags = fcntl(fd, F_GETFL);
++
++ if (fsflags < 0) {
++ fprintf(stderr, "fcntl(%d, F_GETFL): %s\n", fd, strerror(errno));
++ exit(EX_IOERR);
++ }
++
++ if (fcntl(fd, F_SETFL, fsflags & ~O_NONBLOCK) < 0) {
++ fprintf(stderr, "fcntl(%d, F_SETFL, ... & ~O_NONBLOCK): %s\n", fd, strerror(errno));
++ exit(EX_IOERR);
++ }
++}
++
++static void setfd_atexit(void)
++{
++ setfd_block(STDIN_FILENO);
++ setfd_block(STDOUT_FILENO);
++ return;
++}
++
+ static void sigchld_handler(int asig __attribute__ ((unused)))
+ {
+ }
+@@ -280,6 +302,10 @@ int main(int argc, char *argv[])
+ setfd_nonblock(pty_master);
+ setfd_nonblock(STDIN_FILENO);
+ setfd_nonblock(STDOUT_FILENO);
++ if (atexit(setfd_atexit) < 0) {
++ perror("atexit()");
++ exit(EXIT_FAILURE);
++ }
+ 
+ if (isatty(STDIN_FILENO)) {
+ if (tty_semi_raw(STDIN_FILENO) < 0) {
 diff --git policycoreutils-2.6/sandbox/sandboxX.sh policycoreutils-2.6/sandbox/sandboxX.sh
 index eaa500d..4774528 100644
 --- policycoreutils-2.6/sandbox/sandboxX.sh
@@ -121,82 +165,275 @@ index eaa500d..4774528 100644
 cat > ~/seremote << __EOF
 #!/bin/sh
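Review bot: `setfd_block()` terminates with `exit(EX_IOERR)` when fcntl fails, yet its only caller in this hunk is `setfd_atexit`, which runs as an atexit handler — and calling `exit()` again while exit processing is already under way is undefined behavior in C11 (7.22.4.4), so both `exit(EX_IOERR);` lines should become `return;` and the handler should only report the failure. The registration check `if (atexit(setfd_atexit) < 0)` is also too narrow: atexit() returns nonzero, not necessarily negative, on failure and does not set errno, so `perror("atexit()")` may print an unrelated message; `if (atexit(setfd_atexit) != 0) { fputs("atexit() failed\n", stderr); exit(EXIT_FAILURE); }` is the portable form. The trailing `return;` in `setfd_atexit` is redundant. The body of `main()` continues outside the hunk.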
diff --git policycoreutils-2.6/scripts/fixfiles policycoreutils-2.6/scripts/fixfiles -index fa43a53..cc504b7 100755 +index fa43a53..7ec0396 100755 --- policycoreutils-2.6/scripts/fixfiles +++ policycoreutils-2.6/scripts/fixfiles -@@ -116,14 +116,11 @@ exclude_dirs() { +@@ -20,6 +20,8 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + ++set -o nounset ++ + # + # seclabel support was added in 2.6.30. This function will return a positive + # number if the current kernel version is greater than 2.6.30, a negative +@@ -91,44 +93,30 @@ exclude_dirs_from_relabelling() { + # skip not absolute path + # skip not directory + [ -z "${i}" ] && continue +- [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue ++ [[ "${i}" =~ ^[[:blank:]]*# ]] && continue + [[ ! "${i}" =~ ^/.* ]] && continue + [[ ! -d "${i}" ]] && continue + exclude_from_relabelling="$exclude_from_relabelling -e $i" +- logit "skipping the directory $i" + done < /etc/selinux/fixfiles_exclude_dirs + fi + echo "$exclude_from_relabelling" + } + +-exclude_dirs() { +- exclude= +- for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do +- [ -e $i ] && exclude="$exclude -e $i"; +- done +- exclude="$exclude `exclude_dirs_from_relabelling`" +- echo "$exclude" +-} +- + # + # Set global Variables + # fullFlag=0 BOOTTIME="" VERBOSE="-p" +[ -t 1 ] || VERBOSE="" FORCEFLAG="" - DIRS="" - RPMILES="" +-DIRS="" +-RPMILES="" -LOGFILE=`tty` -if [ $? != 0 ]; then - LOGFILE="/dev/null" -fi -LOGGER=/usr/sbin/logger -+LOGFILE=/proc/self/fd/1 ++RPMFILES="" ++PREFC="" ++RESTORE_MODE="DEFAULT" SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon FILESYSTEMSRW=`get_rw_labeled_mounts` -@@ -137,12 +134,15 @@ else - FC=/etc/security/selinux/file_contexts + FILESYSTEMSRO=`get_ro_labeled_mounts` +-FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO" + SELINUXTYPE="targeted" + if [ -e /etc/selinux/config ]; then + . 
/etc/selinux/config +@@ -138,23 +126,34 @@ else fi -+FC_SUB_DIST=${FC}.subs_dist -+FC_SUB=${FC}.subs -+FC_HOMEDIRS=${FC}.homedirs # -# Log to either syslog or a LOGFILE -+# Write to LOGFILE ++# Log all Read Only file systems # - logit () { - if [ -n $LOGFILE ]; then +-logit () { +-if [ -n $LOGFILE ]; then - echo $1 >> $LOGFILE -+ echo $1 >> "$LOGFILE" ++LogReadOnly() { ++if [ ! -z "$FILESYSTEMSRO" ]; then ++ echo "Warning: Skipping the following R/O filesystems:" ++ echo "$FILESYSTEMSRO" fi } - # -@@ -244,20 +244,24 @@ then - logit "skipping the directory ${p}" - done - FC=$TEMPFCFILE -+/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit -+/bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit -+/bin/cp -p ${FC_HOMEDIRS} ${TEMPFCFILE}.homedirs &>/dev/null || exit + - fi - if [ ! -z "$RPMFILES" ]; then - for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do -- rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE -+ rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - >>$LOGFILE 2>&1 - done - exit $? - fi - if [ ! 
-z "$FILEPATH" ]; then -- ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE -+ ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* -- "$FILEPATH" >>$LOGFILE 2>&1 - return - fi - if [ -n "${FILESYSTEMSRW}" ]; then - echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" -- ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE -+ ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} >>$LOGFILE 2>&1 - else - echo >&2 "fixfiles: No suitable file systems found" - fi -@@ -265,7 +269,7 @@ if [ ${OPTION} != "Relabel" ]; then - return - fi - echo "Cleaning up labels on /tmp" --rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE -+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs ${TEMPFCFILE}.homedirs ++# ++# Log directories excluded from relabelling by configuration file ++# ++LogExcluded() { ++for i in ${EXCLUDEDIRS//-e / }; do ++ echo "skipping the directory $i" ++done ++} ++ + # + # Find files newer then the passed in date and fix the label + # + newer() { + DATE=$1 + shift ++ LogReadOnly + for m in `echo $FILESYSTEMSRW`; do + find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - + done; +- + } - UNDEFINED=`get_undefined_type` || exit $? - UNLABELED=`get_unlabeled_type` || exit $? -@@ -314,7 +318,7 @@ process() { + # +@@ -162,6 +161,12 @@ newer() { + # run restorecon on all files affected by the differences. 
+ # + diff_filecontext() { ++EXCLUDEDIRS="`exclude_dirs_from_relabelling`" ++for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do ++ [ -e $i ] && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i"; ++done ++LogExcluded ++ + if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + TEMPFILE=`mktemp ${FC}.XXXXXXXXXX` + test -z "$TEMPFILE" && exit +@@ -191,19 +196,10 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + esac; \ + fi; \ + done | \ +- ${RESTORECON} ${VERBOSE} -i -f - -R $* `exclude_dirs`; \ ++ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -; \ + rm -f ${TEMPFILE} ${PREFCTEMPFILE} + fi + } +-# +-# Log all Read Only file systems +-# +-LogReadOnly() { +-if [ ! -z "$FILESYSTEMSRO" ]; then +- logit "Warning: Skipping the following R/O filesystems:" +- logit "$FILESYSTEMSRO" +-fi +-} + + rpmlist() { + rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' ' +@@ -218,79 +214,72 @@ restore () { + OPTION=$1 + shift + +-if [ ! -z "$PREFC" ]; then +- diff_filecontext $* +- exit $? +-fi +-if [ ! -z "$BOOTTIME" ]; then +- newer $BOOTTIME $* +- exit $? +-fi ++case "$RESTORE_MODE" in ++ PREFC) ++ diff_filecontext $* ++ return ++ ;; ++ BOOTTIME) ++ newer $BOOTTIME $* ++ return ++ ;; ++esac ++ + [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon +-LogReadOnly +-# +-exclude_dirs="`exclude_dirs_from_relabelling $OPTION`" +-if [ -n "${exclude_dirs}" ] +-then +- TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX` +- test -z "$TEMPFCFILE" && exit +- /bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit +- tmpdirs=${tempdirs//-e/} +- for p in ${tmpdirs} +- do +- p="${p%/}" +- p1="${p}(/.*)? -- <>" +- echo "${p1}" >> $TEMPFCFILE +- logit "skipping the directory ${p}" ++ ++EXCLUDEDIRS="`exclude_dirs_from_relabelling`" ++LogExcluded ++ ++case "$RESTORE_MODE" in ++ RPMFILES) ++ for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do ++ rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f - + done +-FC=$TEMPFCFILE +-fi +-if [ ! 
-z "$RPMFILES" ]; then +- for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do +- rpmlist $i | ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} $* -R -i -f - 2>&1 | cat >> $LOGFILE +- done +- exit $? +-fi +-if [ ! -z "$FILEPATH" ]; then +- ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE +- return +-fi +-if [ -n "${FILESYSTEMSRW}" ]; then +- echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" +- ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE +-else +- echo >&2 "fixfiles: No suitable file systems found" +-fi +-if [ ${OPTION} != "Relabel" ]; then +- return +-fi +-echo "Cleaning up labels on /tmp" +-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE +- +-UNDEFINED=`get_undefined_type` || exit $? +-UNLABELED=`get_unlabeled_type` || exit $? +-find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete +-find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; +-find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; +-find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; +-[ ! 
-e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; +-exit 0 ++ ;; ++ FILEPATH) ++ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH" ++ ;; ++ DEFAULT) ++ if [ -n "${FILESYSTEMSRW}" ]; then ++ LogReadOnly ++ echo "${OPTION}ing `echo ${FILESYSTEMSRW}`" ++ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW} ++ else ++ echo >&2 "fixfiles: No suitable file systems found" ++ fi ++ if [ ${OPTION} != "Relabel" ]; then ++ return ++ fi ++ echo "Cleaning up labels on /tmp" ++ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* ++ ++ UNDEFINED=`get_undefined_type` || exit $? ++ UNLABELED=`get_unlabeled_type` || exit $? ++ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete ++ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /tmp {} \; ++ find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \; ++ find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/run {} \; ++ [ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /lib {} \; ++ ;; ++esac + } + + fullrelabel() { +- logit "Cleaning out /tmp" ++ echo "Cleaning out /tmp" + find /tmp/ -mindepth 1 -delete +- LogReadOnly + restore Relabel + } + ++ + relabel() { +- if [ ! -z "$RPMFILES" ]; then +- restore Relabel ++ if [ "$RESTORE_MODE" != DEFAULT ]; then ++ usage ++ exit 1 + fi + + if [ $fullFlag == 1 ]; then + fullrelabel ++ return + fi + + echo -n " +@@ -314,9 +303,13 @@ process() { case "$1" in restore) restore Relabel;; check) VERBOSE="-v"; restore Check -n;; 
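Review bot: the BOOTTIME arm of the first `case` in `restore()` dispatches to `newer $BOOTTIME $*` before `EXCLUDEDIRS` is computed, and `newer()` runs `${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -` without `${EXCLUDEDIRS}`, so directories listed in /etc/selinux/fixfiles_exclude_dirs are honored by the RPMFILES, FILEPATH and DEFAULT modes but not by `-B`/`-N` (this matches the old behavior, but the new `case` layout makes the asymmetry easy to fix or at least to document). If it is intended, a one-line comment at the `BOOTTIME)` arm should say so; otherwise move `EXCLUDEDIRS="`exclude_dirs_from_relabelling`"` and `LogExcluded` above the first `case` and pass `${EXCLUDEDIRS}` to restorecon in `newer()`. With `set -o nounset` now in force, `FILEPATH` is the only mode variable without a top-level initializer; adding `FILEPATH=""` beside `RPMFILES=""` keeps any future reference outside the `FILEPATH)` arm from aborting the script.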
@@ -204,40 +441,187 @@ index fa43a53..cc504b7 100755 + verify) restore Verify -n;; relabel) relabel;; onboot) ++ if [ "$RESTORE_MODE" != DEFAULT ]; then ++ usage ++ exit 1 ++ fi > /.autorelabel -@@ -382,8 +386,8 @@ done + [ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel + [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel +@@ -331,9 +324,13 @@ esac + } + usage() { + echo $""" +-Usage: $0 [-v] [-F] [-N time ] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ] ++Usage: $0 [-v] [-F] [-f] relabel ++or ++Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify } ++or ++Usage: $0 [-v] [-F] { check | restore | verify } dir/file ... + or +-Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify } ++Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify } + or + Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify } + or +@@ -341,37 +338,52 @@ Usage: $0 [-F] [-B] onboot + """ + } + +-if [ $# = 0 ]; then ++if [ $# -eq 0 ]; then + usage + exit 1 + fi + ++set_restore_mode() { ++ if [ "$RESTORE_MODE" != DEFAULT ]; then ++ # can't specify two different modes ++ usage ++ exit 1 ++ fi ++ RESTORE_MODE="$1" ++} ++ + # See how we were called. 
+ while getopts "N:BC:FfR:l:v" i; do + case "$i" in + B) + BOOTTIME=`/bin/who -b | awk '{print $3}'` ++ set_restore_mode BOOTTIME + ;; +- f) +- fullFlag=1 +- ;; +- v) +- VERBOSE="-v" ++ N) ++ BOOTTIME=$OPTARG ++ set_restore_mode BOOTTIME + ;; + R) + RPMFILES=$OPTARG +- ;; +- l) +- LOGFILE=$OPTARG ++ set_restore_mode RPMFILES + ;; + C) + PREFC=$OPTARG ++ set_restore_mode PREFC ++ ;; ++ v) ++ VERBOSE="-v" ++ ;; ++ l) ++ # Old scripts use obsolete option `-l logfile` ++ echo "Redirecting output to $OPTARG" ++ exec >>"$OPTARG" 2>&1 + ;; + F) + FORCEFLAG="-F" + ;; +- N) +- BOOTTIME=$OPTARG ++ f) ++ fullFlag=1 + ;; + *) + usage +@@ -382,32 +394,23 @@ done shift $(( OPTIND - 1 )) # Check for the command -command=$1 -if [ -z $command ]; then -+command="$1" -+if [ -z "$command" ]; then ++if [ $# -eq 0 ]; then usage ++ exit 1 fi ++command="$1" -@@ -395,17 +399,17 @@ shift - # + # Move out command from arguments + shift - if [ ! -z "$RPMFILES" ]; then +-# +-# check if they specified both DIRS and RPMFILES +-# +- +-if [ ! -z "$RPMFILES" ]; then - process $command -+ process "$command" - if [ $# -gt 0 ]; then - usage - fi +- if [ $# -gt 0 ]; then +- usage +- fi ++if [ $# -gt 0 ]; then ++ set_restore_mode FILEPATH ++ while [ $# -gt 0 ]; do ++ FILEPATH="$1" ++ process "$command" || exit $? ++ shift ++ done else - if [ -z "$1" ]; then +- if [ -z "$1" ]; then - process $command -+ process "$command" - else - while [ -n "$1" ]; do +- else +- while [ -n "$1" ]; do - FILEPATH=$1 - process $command -+ FILEPATH="$1" -+ process "$command" - shift - done - fi +- shift +- done +- fi ++ process "$command" + fi +-exit $? ++ +diff --git policycoreutils-2.6/scripts/fixfiles.8 policycoreutils-2.6/scripts/fixfiles.8 +index 1b9a2d6..3049404 100644 +--- policycoreutils-2.6/scripts/fixfiles.8 ++++ policycoreutils-2.6/scripts/fixfiles.8 +@@ -3,18 +3,27 @@ + fixfiles \- fix file SELinux security contexts. 
+ + .SH "SYNOPSIS" ++.na + +-.B fixfiles +-.I [\-v] [\-F] [-B] [ -N time ] [\-l logfile ] { check | restore|[\-f] relabel | verify } [[dir/file] ... ] ++.B fixfiles ++.I [\-v] [\-F] [\-f] relabel + +-.B fixfiles +-.I [\-v] [\-F] [ \-R rpmpackagename[,rpmpackagename...] ] [\-l logfile ] { check | restore | verify } ++.B fixfiles ++.I [\-v] [\-F] { check | restore | verify } dir/file ... ++ ++.B fixfiles ++.I [\-v] [\-F] [\-B | \-N time ] { check | restore | verify } + + .B fixfiles +-.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT [\-l logfile ] { check | restore | verify } ++.I [\-v] [\-F] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify } + +-.B fixfiles [-F] [-B] +-.I onboot ++.B fixfiles ++.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify } ++ ++.B fixfiles ++.I [-F] [-B] onboot ++ ++.ad + + .SH "DESCRIPTION" + This manual page describes the +@@ -40,9 +49,6 @@ will setup the machine to relabel on the next reboot. + .B \-B + If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today. + .TP +-.B \-l logfile +-Save the output to the specified logfile +-.TP + .B \-F + Force reset of context to match file_context for customizable files + diff --git policycoreutils-2.6/secon/secon.c policycoreutils-2.6/secon/secon.c index 134f4ee..c29d9fb 100644 --- policycoreutils-2.6/secon/secon.c @@ -525,10 +909,35 @@ index 2e67456..0c5f998 100644 .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ] .br 
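Review bot: the `-l` handler `exec >>"$OPTARG" 2>&1` does not check that the redirection succeeded; in bash's default (non-POSIX) mode a failed `exec` redirection returns 1 and the script keeps running with its output still on the terminal, so it should be `exec >>"$OPTARG" 2>&1 || exit 1`. Since `-l logfile` is dropped from `usage()` and from fixfiles.8 but still accepted by `getopts "N:BC:FfR:l:v"`, the message printed before the redirect could name it as deprecated, e.g. `echo "fixfiles: -l is deprecated, redirecting output to $OPTARG" >&2`. In the argument loop, `process "$command" || exit $?` can be simply `process "$command" || exit`, since `exit` without an argument already propagates the last status.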
diff --git policycoreutils-2.6/sepolicy/sepolicy.py policycoreutils-2.6/sepolicy/sepolicy.py -index 3e502a7..5bf9b52 100755 +index 3e502a7..141f64e 100755 --- policycoreutils-2.6/sepolicy/sepolicy.py +++ policycoreutils-2.6/sepolicy/sepolicy.py -@@ -262,7 +262,7 @@ def _print_net(src, protocol, perm): +@@ -241,19 +241,13 @@ def generate_custom_usage(usage_text, usage_dict): + + return usage_text + +- +-def numcmp(val1, val2): ++# expects formats: ++# "22 (sshd_t)", "80, 8080 (httpd_t)", "all ports (port_type)" ++def port_string_to_num(val): + try: +- v1 = int(val1.split(",")[0].split("-")[0]) +- v2 = int(val2.split(",")[0].split("-")[0]) +- if v1 > v2: +- return 1 +- if v1 == v2: +- return 0 +- if v1 < v2: +- return -1 ++ return int(val.split(" ")[0].split(",")[0].split("-")[0]) + except: +- return cmp(val1, val2) ++ return 99999999 + + + def _print_net(src, protocol, perm): +@@ -262,7 +256,7 @@ def _print_net(src, protocol, perm): if len(portdict) > 0: bold_start = "\033[1m" bold_end = "\033[0;0m" @@ -537,16 +946,19 @@ index 3e502a7..5bf9b52 100755 port_strings = [] boolean_text = "" for p in portdict: -@@ -275,7 +275,7 @@ def _print_net(src, protocol, perm): +@@ -273,9 +267,9 @@ def _print_net(src, protocol, perm): + port_strings.append("%s (%s) %s" % (", ".join(recs), t, boolean_text)) + else: port_strings.append("%s (%s)" % (", ".join(recs), t)) - port_strings.sort(numcmp) +- port_strings.sort(numcmp) ++ port_strings.sort(key=lambda param: port_string_to_num(param)) for p in port_strings: - print "\t" + p + print("\t" + p) def network(args): -@@ -286,7 +286,7 @@ def network(args): +@@ -286,7 +280,7 @@ def network(args): if i[0] not in all_ports: all_ports.append(i[0]) all_ports.sort() @@ -555,7 +967,7 @@ index 3e502a7..5bf9b52 100755 for port in args.port: found = False -@@ -297,18 +297,18 @@ def network(args): +@@ -297,18 +291,18 @@ def network(args): else: range = "%s-%s" % (i[0], i[1]) found = True 
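Review bot: `port_string_to_num()` keeps a bare `except:` around the `int()` conversion, which also swallows `KeyboardInterrupt` and `SystemExit`; the only failure the documented formats can produce is a non-numeric first token (`"all ports (port_type)"`), so `except ValueError:` is the right clause. The sentinel `99999999` deserves a short comment stating its purpose, e.g. `return 99999999  # non-numeric prefix ("all ports") sorts after every real port`. The two comment lines above the `def` would read better as a docstring inside the function.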
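Review bot: `port_strings.sort(key=lambda param: port_string_to_num(param))` wraps a one-argument function in a lambda that only forwards its argument; `port_strings.sort(key=port_string_to_num)` is equivalent and clearer. The rest of `_print_net()` lies outside the hunk.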
@@ -579,7 +991,7 @@ index 3e502a7..5bf9b52 100755 for a in args.applications: d = sepolicy.get_init_transtype(a) -@@ -357,7 +357,7 @@ def manpage(args): +@@ -357,7 +351,7 @@ def manpage(args): for domain in test_domains: m = ManPage(domain, path, args.root, args.source_files, args.web) @@ -588,7 +1000,7 @@ index 3e502a7..5bf9b52 100755 if args.web: HTMLManPages(manpage_roles, manpage_domains, path, args.os) -@@ -418,7 +418,7 @@ def communicate(args): +@@ -418,7 +412,7 @@ def communicate(args): out = list(set(writable) & set(readable)) for t in out: @@ -597,7 +1009,7 @@ index 3e502a7..5bf9b52 100755 def gen_communicate_args(parser): -@@ -445,7 +445,7 @@ def booleans(args): +@@ -445,7 +439,7 @@ def booleans(args): args.booleans.sort() for b in args.booleans: @@ -606,7 +1018,7 @@ index 3e502a7..5bf9b52 100755 def gen_booleans_args(parser): -@@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""): +@@ -484,16 +478,16 @@ def print_interfaces(interfaces, args, append=""): for i in interfaces: if args.verbose: try: @@ -627,7 +1039,7 @@ index 3e502a7..5bf9b52 100755 def interface(args): -@@ -565,7 +565,7 @@ def generate(args): +@@ -565,7 +559,7 @@ def generate(args): if args.policytype in APPLICATIONS: mypolicy.gen_writeable() mypolicy.gen_symbols() @@ -636,7 +1048,7 @@ index 3e502a7..5bf9b52 100755 def gen_interface_args(parser): -@@ -698,12 +698,12 @@ if __name__ == '__main__': +@@ -698,12 +692,12 @@ if __name__ == '__main__': args = parser.parse_args(args=parser_args) args.func(args) sys.exit(0) @@ -653,18 +1065,105 @@ index 3e502a7..5bf9b52 100755 + print("Out") sys.exit(0) 
diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py -index 8fbd5b4..254fc67 100644 +index 8fbd5b4..a10dbcd 100644 --- policycoreutils-2.6/sepolicy/sepolicy/__init__.py +++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py -@@ -171,6 +171,7 @@ def info(setype, name=None): - 'aliases': map(str, x.aliases()), +@@ -99,6 +99,7 @@ local_files = None + fcdict = None + methods = [] + all_types = None ++all_types_info = None + user_types = None + role_allows = None + portrecs = None +@@ -113,6 +114,8 @@ bools = None + all_attributes = None + booleans = None + booleans_dict = None ++all_allow_rules = None ++all_transitions = None + + + def get_installed_policy(root="/"): +@@ -168,9 +171,10 @@ def info(setype, name=None): + q.name = name + + return ({ +- 'aliases': map(str, x.aliases()), ++ 'aliases': list(map(str, x.aliases())), 'name': str(x), 'permissive': bool(x.ispermissive), -+ 'attributes': map(str, x.attributes()) ++ 'attributes': list(map(str, x.attributes())) } for x in q.results()) elif setype == ROLE: -@@ -383,7 +384,12 @@ def get_conditionals(src, dest, tclass, perm): +@@ -180,8 +184,8 @@ def info(setype, name=None): + + return ({ + 'name': str(x), +- 'roles': map(str, x.expand()), +- 'types': map(str, x.types()), ++ 'roles': list(map(str, x.expand())), ++ 'types': list(map(str, x.types())), + } for x in q.results()) + + elif setype == ATTRIBUTE: +@@ -191,7 +195,7 @@ def info(setype, name=None): + + return ({ + 'name': str(x), +- 'types': map(str, x.expand()), ++ 'types': list(map(str, x.expand())), + } for x in q.results()) + + elif setype == PORT: +@@ -219,7 +223,7 @@ def info(setype, name=None): + return ({ + 'range': str(x.mls_range), + 'name': str(x), +- 'roles': map(str, x.roles), ++ 'roles': list(map(str, x.roles)), + 'level': str(x.mls_level), + } for x in q.results()) + +@@ -361,17 +365,26 @@ def search(types, seinfo=None): + def get_conditionals(src, dest, tclass, perm): + tdict = {} + tlist = 
[] +- if dest.endswith("_t"): +- allows = search([ALLOW], {SOURCE: src, TARGET: dest, CLASS: tclass, PERMS: perm}) +- else: +- # to include attribute +- allows = search([ALLOW], {SOURCE: src, CLASS: tclass, PERMS: perm}) +- for i in allows: +- if i['target'] == dest: +- allows = [] +- allows.append(i) ++ src_list = [src] ++ dest_list = [dest] ++ # add assigned attributes ++ try: ++ src_list += list(filter(lambda x: x['name'] == src, get_all_types_info()))[0]['attributes'] ++ except: ++ pass + try: +- for i in map(lambda y: (y), filter(lambda x: set(perm).issubset(x[PERMS]) and x['boolean'], allows)): ++ dest_list += list(filter(lambda x: x['name'] == dest, get_all_types_info()))[0]['attributes'] ++ except: ++ pass ++ allows = map(lambda y: y, filter(lambda x: ++ x['source'] in src_list and ++ x['target'] in dest_list and ++ set(perm).issubset(x[PERMS]) and ++ 'boolean' in x, ++ get_all_allow_rules())) ++ ++ try: ++ for i in allows: + tdict.update({'source': i['source'], 'boolean': i['boolean']}) + if tdict not in tlist: + tlist.append(tdict) +@@ -383,7 +396,12 @@ def get_conditionals(src, dest, tclass, perm): def get_conditionals_format_text(cond): @@ -678,7 +1177,7 @@ index 8fbd5b4..254fc67 100644 return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond)))) -@@ -465,7 +471,7 @@ def find_file(reg): +@@ -465,7 +483,7 @@ def find_file(reg): try: pat = re.compile(r"%s$" % reg) @@ -687,7 +1186,7 @@ index 8fbd5b4..254fc67 100644 except: return [] -@@ -589,7 +595,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): +@@ -589,7 +607,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): def get_transitions_into(setype): try: @@ -696,7 +1195,7 @@ index 8fbd5b4..254fc67 100644 except (TypeError, AttributeError): pass return None -@@ -605,7 +611,7 @@ def get_transitions(setype): +@@ -605,7 +623,7 @@ def get_transitions(setype): def get_file_transitions(setype): try: 
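Review bot: the two new attribute lookups in `get_conditionals()` use `list(filter(lambda x: x['name'] == src, get_all_types_info()))[0]['attributes']` inside a bare `except: pass`, which silently turns any error — not just an unknown type — into "no attributes" and hides a later schema change. A lookup with an explicit default avoids the exception entirely, e.g. `src_info = next((t for t in get_all_types_info() if t['name'] == src), None)` followed by `if src_info: src_list += src_info['attributes']`, and likewise for `dest`. The identity `map(lambda y: y, ...)` around the `filter()` does nothing and can be dropped. `get_conditionals()` continues past the end of the hunk.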
@@ -705,7 +1204,7 @@ index 8fbd5b4..254fc67 100644 except (TypeError, AttributeError): pass return None -@@ -663,6 +669,23 @@ def get_init_entrypoint(transtype): +@@ -663,6 +681,23 @@ def get_init_entrypoint(transtype): return entrypoints @@ -729,7 +1228,7 @@ index 8fbd5b4..254fc67 100644 def get_init_entrypoint_target(entrypoint): try: -@@ -695,7 +718,7 @@ def get_methods(): +@@ -695,7 +730,7 @@ def get_methods(): # List of per_role_template interfaces ifs = interfaces.InterfaceSet() ifs.from_file(fd) @@ -738,7 +1237,19 @@ index 8fbd5b4..254fc67 100644 fd.close() except: sys.stderr.write("could not open interface info [%s]\n" % fn) -@@ -725,7 +748,7 @@ def get_all_role_allows(): +@@ -711,6 +746,11 @@ def get_all_types(): + all_types = [x['name'] for x in info(TYPE)] + return all_types + ++def get_all_types_info(): ++ global all_types_info ++ if all_types_info is None: ++ all_types_info = list(info(TYPE)) ++ return all_types_info + + def get_user_types(): + global user_types +@@ -725,7 +765,7 @@ def get_all_role_allows(): return role_allows role_allows = {} @@ -747,7 +1258,7 @@ index 8fbd5b4..254fc67 100644 for r in q.results(): src = str(r.source) tgt = str(r.target) -@@ -752,7 +775,10 @@ def get_all_entrypoint_domains(): +@@ -752,7 +792,10 @@ def get_all_entrypoint_domains(): def gen_interfaces(): @@ -759,7 +1270,7 @@ index 8fbd5b4..254fc67 100644 ifile = defaults.interface_info() headers = defaults.headers() try: -@@ -763,7 +789,7 @@ def gen_interfaces(): +@@ -763,7 +806,7 @@ def gen_interfaces(): if os.getuid() != 0: raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen")) 
@@ -768,7 +1279,32 @@ index 8fbd5b4..254fc67 100644 def gen_port_dict(): -@@ -1082,24 +1108,14 @@ def boolean_desc(boolean): +@@ -992,12 +1035,23 @@ def gen_short_name(setype): + short_name = domainname + "_" + return (domainname, short_name) + ++def get_all_allow_rules(): ++ global all_allow_rules ++ if not all_allow_rules: ++ all_allow_rules = search([ALLOW]) ++ return all_allow_rules ++ ++def get_all_transitions(): ++ global all_transitions ++ if not all_transitions: ++ all_transitions = list(search([TRANSITION])) ++ return all_transitions + + def get_bools(setype): + bools = [] + domainbools = [] + domainname, short_name = gen_short_name(setype) +- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, search([ALLOW], {'source': setype}))): ++ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x and x['source'] == setype, get_all_allow_rules())): + for b in i: + if not isinstance(b, tuple): + continue +@@ -1082,24 +1136,14 @@ def boolean_desc(boolean): def get_os_version(): @@ -1267,9 +1803,27 @@ index 7f1888c..bc6c2b1 100644 self.set_enforce_text(button.get_active()) 
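Review bot: `get_all_allow_rules()` tests `if not all_allow_rules:` and stores `search([ALLOW])` as-is, while `get_all_types_info()` in this file tests `is None` and wraps in `list()`; with the falsy test an empty result is re-queried on every call, and if `search()` ever returns an iterator the first consumer exhausts the cache for everyone else (several callers in manpage.py and `get_conditionals()` now share it). `if all_allow_rules is None: all_allow_rules = list(search([ALLOW]))` matches the other cache, and `get_all_transitions()` should use the same `is None` test. A one-line comment on each cache stating that it is populated once per process would help readers.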
diff --git policycoreutils-2.6/sepolicy/sepolicy/interface.py policycoreutils-2.6/sepolicy/sepolicy/interface.py -index c2cb971..8956f39 100644 +index c2cb971..c64122e 100644 --- policycoreutils-2.6/sepolicy/sepolicy/interface.py +++ policycoreutils-2.6/sepolicy/sepolicy/interface.py +@@ -171,7 +171,7 @@ def get_interface_format_text(interface, path="/usr/share/selinux/devel/policy.x + + + def get_interface_compile_format_text(interfaces_dict, interface): +- from templates import test_module ++ from .templates import test_module + param_tmp = [] + for i in interfaces_dict[interface][0]: + param_tmp.append(test_module.dict_values[i]) +@@ -181,7 +181,7 @@ def get_interface_compile_format_text(interfaces_dict, interface): + + + def generate_compile_te(interface, idict, name="compiletest"): +- from templates import test_module ++ from .templates import test_module + te = "" + te += re.sub("TEMPLATETYPE", name, test_module.te_test_module) + te += get_interface_compile_format_text(idict, interface) @@ -192,10 +192,13 @@ def generate_compile_te(interface, idict, name="compiletest"): def get_xml_file(if_file): """ Returns xml format of interfaces for given .if policy file""" @@ -1308,7 +1862,7 @@ index c2cb971..8956f39 100644 sys.stderr.write(output) sys.stderr.write(_("\nCompile test for %s failed.\n") % interface) diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py -index 7365f93..703cce2 100755 +index 7365f93..7bb455b 100755 --- policycoreutils-2.6/sepolicy/sepolicy/manpage.py +++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py @@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d 
@@ -1532,6 +2086,24 @@ index 7365f93..703cce2 100755 domainname_body += "%s_selinux(8) - Security Enhanced Linux Policy for the %s SELinux processes\n" % (letter, domainname, domainname, domainname) fd.write("""%s +@@ -324,7 +307,7 @@ Fedora or Red Hat Enterprise Linux Man Pages. + """ % domainname_body) + + fd.close() +- print("%s has been created") % html ++ print("%s has been created" % html) + + def _gen_css(self): + style_css = self.old_path + "style.css" +@@ -387,7 +370,7 @@ pre.code { + """) + + fd.close() +- print("%s has been created") % style_css ++ print("%s has been created" % style_css) + + + class ManPage: @@ -414,6 +397,9 @@ class ManPage: self.all_file_types = sepolicy.get_all_file_types() self.role_allows = sepolicy.get_all_role_allows() @@ -1632,7 +2204,7 @@ index 7365f93..703cce2 100755 if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] if len(mpaths) == 0: -@@ -741,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -741,23 +770,25 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) 
@@ -1656,19 +2228,28 @@ index 7365f93..703cce2 100755 self.fd.write(r""" .I The following file types are defined for %(domainname)s: -@@ -889,9 +919,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) + """ % {'domainname': self.domainname}) ++ flist.sort() + for f in flist: + self.fd.write(""" + +@@ -889,9 +920,12 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) return True def _entrypoints(self): - try: - entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})) - except: -+ entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})] ++ entrypoints = [x['target'] for x in filter(lambda y: ++ y['source'] == self.type and y['class'] == 'file' and 'entrypoint' in y['permlist'], ++ sepolicy.get_all_allow_rules() ++ )] ++ + if len(entrypoints) == 0: return self.fd.write(""" -@@ -920,6 +949,16 @@ All executeables with the default executable label, usually stored in /usr/bin a +@@ -920,16 +954,34 @@ All executeables with the default executable label, usually stored in /usr/bin a self.fd.write(""" %s""" % ", ".join(paths)) 
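Review bot: `_entrypoints()` builds `[x['target'] for x in filter(lambda y: ..., sepolicy.get_all_allow_rules())]`, a comprehension wrapped around a filter with a lambda; a single comprehension with an `if` clause expresses the same selection, `[x['target'] for x in sepolicy.get_all_allow_rules() if x['source'] == self.type and x['class'] == 'file' and 'entrypoint' in x['permlist']]`. The same `list(filter(lambda ...))` shape recurs in `_writes()` and `_home_exec()` in the next hunk. The rest of `_entrypoints()` continues outside the hunk.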
@@ -1683,9 +2264,45 @@ index 7365f93..703cce2 100755 +""" % {'type': self.domainname}) + def _writes(self): - permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) +- permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) ++ # add assigned attributes ++ src_list = [self.type] ++ try: ++ src_list += list(filter(lambda x: x['name'] == self.type, sepolicy.get_all_types_info()))[0]['attributes'] ++ except: ++ pass ++ ++ permlist = list(filter(lambda x: ++ x['source'] in src_list and ++ set(['open', 'write']).issubset(x['permlist']) and ++ x['class'] == 'file', ++ sepolicy.get_all_allow_rules())) if permlist is None or len(permlist) == 0: -@@ -1156,7 +1195,7 @@ Three things can happen when %(type)s attempts to execute a program. + return + + all_writes = [] + attributes = ["proc_type", "sysctl_type"] +- for i in permlist: +- if not i['target'].endswith("_t"): +- attributes.append(i['target']) + + for i in permlist: + if self._valid_write(i['target'], attributes): +@@ -1128,7 +1180,12 @@ The SELinux user %s_u is able to connect to the following tcp ports. + """ % ",".join(ports)) + + def _home_exec(self): +- permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'target': 'user_home_type', 'class': 'file', 'permlist': ['ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open']}) ++ permlist = list(filter(lambda x: ++ x['source'] == self.type and ++ x['target'] == 'user_home_type' and ++ x['class'] == 'file' and ++ set(['ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open']).issubset(set(x['permlist'])), ++ sepolicy.get_all_allow_rules())) + self.fd.write(""" + .SH HOME_EXEC + """) +@@ -1156,7 +1213,7 @@ Three things can happen when %(type)s attempts to execute a program. Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: 
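Review bot: the rewritten `_writes()` drops the loop that appended every non-`_t` target of a matching rule to `attributes` before the `_valid_write(i['target'], attributes)` check; `_valid_write` is outside the hunk, but if it relies on that list to recognise attribute targets, writable types reachable only through an attribute will no longer be reported. If the omission is intentional because the rules from `get_all_allow_rules()` already carry expanded targets, a comment at `attributes = ["proc_type", "sysctl_type"]` should say so. The `src_list` lookup repeats the `list(filter(...))[0]['attributes']` inside a bare `except: pass` pattern; `next((t for t in sepolicy.get_all_types_info() if t['name'] == self.type), None)` with an `if` guard avoids swallowing unrelated errors. `_writes()` continues past the hunk.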
@@ -1694,7 +2311,7 @@ index 7365f93..703cce2 100755 .TP -@@ -1164,7 +1203,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut +@@ -1164,7 +1221,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut Execute the following to see the types that the SELinux user %(type)s can execute and transition: 
@@ -1976,6 +2593,45 @@ index 4b9534d..f267993 100644 """ if_initscript_admin_types=""" +diff --git policycoreutils-2.6/sepolicy/sepolicy/transition.py policycoreutils-2.6/sepolicy/sepolicy/transition.py +index ad53cef..7dea805 100755 +--- policycoreutils-2.6/sepolicy/sepolicy/transition.py ++++ policycoreutils-2.6/sepolicy/sepolicy/transition.py +@@ -30,7 +30,9 @@ def _entrypoint(src): + + + def _get_trans(src): +- return sepolicy.search([sepolicy.TRANSITION], {sepolicy.SOURCE: src, sepolicy.CLASS: "process"}) ++ src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes'] ++ trans_list = list(filter(lambda x: x['source'] in src_list and x['class'] == 'process', sepolicy.get_all_transitions())) ++ return trans_list + + + class setrans: +@@ -53,8 +55,8 @@ class setrans: + if not self.dest: + self.sdict[source]["map"] = trans + else: +- self.sdict[source]["map"] = map(lambda y: y, filter(lambda x: x["transtype"] == self.dest, trans)) +- self.sdict[source]["child"] = map(lambda y: y["transtype"], filter(lambda x: x["transtype"] not in [self.dest, source], trans)) ++ self.sdict[source]["map"] = list(map(lambda y: y, filter(lambda x: x["transtype"] == self.dest, trans))) ++ self.sdict[source]["child"] = list(map(lambda y: y["transtype"], filter(lambda x: x["transtype"] not in [self.dest, source], trans))) + for s in self.sdict[source]["child"]: + self._process(s) + +diff --git policycoreutils-2.6/sepolicy/test_sepolicy.py policycoreutils-2.6/sepolicy/test_sepolicy.py +index 61dfb45..e7b8294 100644 +--- policycoreutils-2.6/sepolicy/test_sepolicy.py ++++ policycoreutils-2.6/sepolicy/test_sepolicy.py +@@ -60,7 +60,7 @@ class SepolicyTests(unittest.TestCase): + self.assertSuccess(p.returncode, err) + + def test_transition_s(self): +- "Verify sepolicy transition -l works" ++ "Verify sepolicy transition -s works" + p = Popen(['sepolicy', 'transition', '-s', 'httpd_t'], stdout=PIPE) + out, err = p.communicate() + 
self.assertSuccess(p.returncode, err) diff --git policycoreutils-2.6/setfiles/.gitignore policycoreutils-2.6/setfiles/.gitignore index 583eb6c..5e899c9 100644 --- policycoreutils-2.6/setfiles/.gitignore diff --git a/policycoreutils.spec b/policycoreutils.spec index 542ef68..a7f4e52 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -9,7 +9,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.6 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -27,7 +27,7 @@ Source9: selinux-autorelabel-generator.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.6 ./make-fedora-selinux-patch.sh policycoreutils -# HEAD https://github.com/fedora-selinux/selinux/commit/8a1941594a7221ec948b82b26636ad5a0d2dc724 +# HEAD https://github.com/fedora-selinux/selinux/commit/601a1d1363fe4137ff3a2991c546f7a0ccfec4cb Patch: policycoreutils-fedora.patch # $ VERSION=2.6 ./make-fedora-selinux-patch.sh sepolgen # Patch1: sepolgen-fedora.patch 
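Review bot: In `_get_trans`, `list(filter(...))[0]` raises `IndexError` when `src` is not a known type name, which is exactly the case the `try/except` in `_writes` (manpage.py hunk above) guards against; the two sites should agree, e.g. `matches = [x for x in sepolicy.get_all_types_info() if x['name'] == src]` followed by `src_list = [src] + (matches[0]['attributes'] if matches else [])`. Whether the replaced `sepolicy.search` returned an empty list for an unknown source is not visible here, so the old behaviour may have been more forgiving. In `setrans._process`, `list(map(lambda y: y, filter(...)))` is an identity map; `list(filter(lambda x: x["transtype"] == self.dest, trans))` is equivalent and shorter. `_process` starts and ends outside the hunk.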
@@ -445,6 +445,25 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon Jul 31 2017 Petr Lautrbach - 2.6-6 +- Make 'sepolicy manpage' and 'sepolicy transition' faster +- open_init_pty: restore stdin/stdout to blocking upon exit +- fixfiles: do not dereference link files in tmp +- fixfiles: use a consistent order for options to restorecon +- fixfiles: don't ignore `-F` when run in `-C` mode +- fixfiles: remove bad modes of "relabel" command +- fixfiles: refactor into the `set -u` dialect +- fixfiles: if restorecon aborts, we should too +- fixfiles: usage errors are fatal +- fixfiles: syntax error +- fixfiles: remove two unused variables +- fixfiles: tidy up usage(), manpage synopsis +- fixfiles: deprecate -l option +- fixfiles: move logit call outside of redirected function +- fixfiles: fix logging about R/O filesystems +- fixfiles: clarify exclude_dirs() +- fixfiles: remove (broken) redundant code + * Thu Apr 06 2017 Petr Lautrbach - 2.6-5 - semanage: Unify argument handling (#1398987) - setfiles: set up a logging callback for libselinux