- Build with libsepol.so.1 and libsemanage.so.2
- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
- fixfiles: correctly restore context of mountpoints
- sepolgen: print extended permissions in hexadecimal
When a user tried to remove a policy module with priority other than 400 via
GUI, it failed with a message:
libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
"semodule -r NAME".
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1740936
Using patches from git makes it clear which changes are included in Fedora
New workflow:
1. clone https://github.com/fedora-selinux/selinux
2. create patchset
$ git format-patch 20190315 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
3. update spec file
$ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# deleted: restorecond-fedora.patch
See 028e473158
commit 028e4731581214841455233a656912241a5a8b69 (HEAD -> master, origin/master)
Author: Petr Lautrbach <plautrba@redhat.com>
Date: Wed Mar 13 11:23:00 2019 +0100
Apply "generic" and "fedora" tags
Tests tagged as "generic" are supposed to be used on a generic system like Fedora
or Red Hat Enterprise Linux, while tests with the "fedora" tag are for Fedora only.
Usage:
List only "generic" tests:
$ fmf show --filter "tier: 1 | component: policycoreutils & tags: generic"
List all "generic" and "fedora" tests:
$ fmf show --filter "tier: 1 | component: policycoreutils & tags: generic, fedora"
- setsebool: support use of -P on SELinux-disabled hosts
- sepolicy: initialize mislabeled_files in __init__()
- audit2allow: use local sepolgen-ifgen-attr-helper for tests
- audit2allow: allow using audit2why as non-root user
- audit2allow/sepolgen-ifgen: show errors on stderr
- audit2allow/sepolgen-ifgen: add missing \n to error message
- sepolgen: close /etc/selinux/sepolgen.conf after parsing it
- sepolicy: Make policy files sorting more robust
- semanage: Load a store policy and set the store SELinux policy root
- chcat: fix removing categories on users with Fedora default setup
- semanage: Include MCS/MLS range when exporting local customizations
- semanage: Start exporting "ibendport" and "ibpkey" entries
- semanage: do not show "None" levels when using a non-MLS policy
- sepolicy: Add sepolicy.load_store_policy(store)
- semanage: import sepolicy only when it's needed
- semanage: move valid_types initialisations to class constructors
- chcat: use check_call instead of getstatusoutput
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
There is a new feature in the Standard Test Roles which allows using
an FMF filter instead of listing all tests manually. All tier
one selinux tests are selected as well, thus extending requires.
- semanage: "semanage user" does not use -s, fix documentation
- semanage: add a missing space in ibendport help
- sepolicy: Update to work with setools-4.2.0
- Fix typo in newrole.1 manpage
- sepolgen: print all AV rules correctly
- sepolgen: fix access vector initialization
- Add xperms support to audit2allow
- semanage: Stop logging loginRecords changes
- semanage: Fix logger class definition
- semanage: Replace bare except with specific one
- semanage: fix Python syntax of catching several exceptions
- sepolgen: return NotImplemented instead of raising it
- sepolgen: fix refpolicy parsing of "permissive"
For the new grub auto-hide feature:
https://fedoraproject.org/wiki/Changes/HiddenGrubMenu
Grub needs to know if the previous boot succeeded. This is tracked
through flags in the grub environment.
A selinux autorelabel is special, because it reboots the machine without
completing the boot in the normal manner.
grub checks the (new) boot_indeterminate grub environment variable to deal
with this. This is a variable containing a count of special boots since
the last successful normal boot. If this variable is 1 then it also treats
the previous boot as successful. The idea is that an autorelabel (or
offline updates) increments boot_indeterminate, so normally after a reboot
it will be 1 and the grub menu stays hidden. But if we end up in a selinux
autorelabel loop for some reason, then it will be bigger than 1 (*) and
the grub menu will be shown allowing the user to try and fix things.
*) grub itself will also increment it if it is 1 so that even if it gets
incremented only once, that still only makes 1 boot count as successful.
This commit makes the selinux-autorelabel script call:
grub2-editenv - incr boot_indeterminate
for proper integration with this new grub feature.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
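As an added example, not part of the autorelabel commit or of grub itself, the following POSIX shell script models the boot_indeterminate handshake described above. It stands in for the grubenv block with a constructed key=value file and emulates "grub2-editenv - incr" in env_incr; the reset to 0 on a completed normal boot is an assumption implied by "count of special boots since the last successful normal boot", and what grub does when the counter is 0 (its ordinary success flags) is left out of the model.

```shell
#!/bin/sh
# Added model of the boot_indeterminate handshake (not the real
# selinux-autorelabel script or grub code). A plain key=value file stands
# in for grubenv so this runs anywhere; env_incr emulates
# "grub2-editenv - incr NAME". Resetting the counter to 0 after a
# successful normal boot is an assumption, not stated in the description.
GRUBENV="${GRUBENV:-/tmp/grubenv.model}"

# env_get NAME: print the stored value, or 0 when the variable is unset.
env_get() {
    [ -f "$GRUBENV" ] || { echo 0; return 0; }
    val=$(sed -n "s/^$1=//p" "$GRUBENV")
    echo "${val:-0}"
}

# env_set NAME VALUE: rewrite the file with NAME=VALUE replacing any old entry.
env_set() {
    tmp="$GRUBENV.tmp"
    if [ -f "$GRUBENV" ]; then
        sed "/^$1=/d" "$GRUBENV" > "$tmp"
    else
        : > "$tmp"
    fi
    echo "$1=$2" >> "$tmp"
    mv "$tmp" "$GRUBENV"
}

# env_incr NAME: the effect of "grub2-editenv - incr NAME".
env_incr() {
    env_set "$1" $(( $(env_get "$1") + 1 ))
}

# What the patched selinux-autorelabel script does before it reboots.
autorelabel_mark() {
    env_incr boot_indeterminate
}

# What grub does at menu time, per the description above. Prints the menu
# decision: "normal" (0: defer to the ordinary success flags, not modelled),
# "hidden" (exactly 1: count the previous boot as successful and bump the
# counter so the exemption is used up), or "shown" (>1: a relabel loop).
grub_boot() {
    count=$(env_get boot_indeterminate)
    if [ "$count" -eq 0 ]; then
        echo normal
    elif [ "$count" -eq 1 ]; then
        env_set boot_indeterminate 2
        echo hidden
    else
        echo shown
    fi
}

# A completed normal boot clears the count of special boots (assumption).
normal_boot_success() {
    env_set boot_indeterminate 0
}

# Walk through both cases from the description: one autorelabel keeps the
# menu hidden, a relabel loop makes grub show it.
run_demo() {
    rm -f "$GRUBENV"
    autorelabel_mark; printf 'autorelabel, reboot:   menu %s\n' "$(grub_boot)"
    normal_boot_success
    autorelabel_mark; printf 'autorelabel, reboot:   menu %s\n' "$(grub_boot)"
    autorelabel_mark; printf 'relabel again, reboot: menu %s\n' "$(grub_boot)"
}

run_demo
```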
plymouth by default waits for 5 seconds before showing the splash so
that the splash simply gets skipped on really quick boots.
In my testing it seems that --hide-splash is a no-op when run before
the 5 seconds have passed and the splash is shown, causing the splash
to still be there during a relabel. Note this problem only shows when
*not* using disk-encryption.
Switching to plymouth --quit fixes this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
This can be useful when a user has this UEFI boot order e.g.:
Windows | grub | Linux
And decides to boot into grub/Linux. In case the autorelabel service
is being run after the boot into grub, then the reboot after the
autorelabel is done will cause the user to boot into Windows again...
This change should make the behaviour more intuitive for the user.
Signed-off-by: David Kaspar [Dee'Kej] <dkaspar@redhat.com>
- sepolicy: Fix translated strings with parameters
- sepolicy: Support non-MLS policy
- sepolicy: Initialize policy.ports as a dict in generate.py
- gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name
- Minor update for bash completion
- semodule_package: fix semodule_unpackage man page
- gui/semanagePage: Close "edit" and "add" dialogues when successful
- gui/fcontextPage: Set default object class in addDialog
- sepolgen: fix typo in PolicyGenerator
- build: follow standard semantics for DESTDIR and PREFIX
- use pathfix.py instead of sed
- clean up '*~' files
Fixes:
policycoreutils has broken dependencies in the rawhide tree:
On i386:
python2-policycoreutils-2.7-11.fc28.i686 requires /usr/bin/python22
On armhfp:
python2-policycoreutils-2.7-11.fc28.armv7hl requires /usr/bin/python22
- gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
- gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
- python/sepolicy: Use list instead of map
- python/sepolicy: Do not use types.BooleanType
The playbook includes Tier1 level test cases that have been tested in
the following contexts and are passing reliably on Classic.
Test logs are stored in the Artifacts directory.
The following steps are used to execute the tests using the standard test interface:
Classic
sudo ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory) TEST_SUBJECTS="" TEST_ARTIFACTS=$PWD/artifacts ansible-playbook --tags classic tests.yml
It's based on
https://src.fedoraproject.org/rpms/policycoreutils/pull-request/1 from Merlin Mathesius <merlinm@redhat.com>
Known issues:
policycoreutils.spec: W: invalid-url Source14: sepolicy-icons.tgz
The value should be a valid, public HTTP, HTTPS, or FTP URL.
policycoreutils.spec: W: invalid-url Source12:
policycoreutils_man_ru2.tar.bz2
The value should be a valid, public HTTP, HTTPS, or FTP URL.
- sepolicy: Fix sepolicy manpage
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option
- restorecond: check write() and daemon() results
- sepolicy: do not fail when file_contexts.local or .subs do not exist
- sepolicy: remove stray space in section "SEE ALSO"
- sepolicy: fix misspelling of _ra_content_t suffix
- gui: port to Python 3 by migrating to PyGI
- gui: remove the status bar
- gui: fix parsing of "semodule -lfull" in tab Modules
- gui: delete overridden definition of usersPage.delete()
- Enable listing file_contexts.homedirs (#1409813)
- remove semodule_deps
- Make 'sepolicy manpage' and 'sepolicy transition' faster
- open_init_pty: restore stdin/stdout to blocking upon exit
- fixfiles: do not dereference link files in tmp
- fixfiles: use a consistent order for options to restorecon
- fixfiles: don't ignore `-F` when run in `-C` mode
- fixfiles: remove bad modes of "relabel" command
- fixfiles: refactor into the `set -u` dialect
- fixfiles: if restorecon aborts, we should too
- fixfiles: usage errors are fatal
- fixfiles: syntax error
- fixfiles: remove two unused variables
- fixfiles: tidy up usage(), manpage synopsis
- fixfiles: deprecate -l option
- fixfiles: move logit call outside of redirected function
- fixfiles: fix logging about R/O filesystems
- fixfiles: clarify exclude_dirs()
- fixfiles: remove (broken) redundant code
- semanage: Unify argument handling (#1398987)
- setfiles: set up a logging callback for libselinux
- setfiles: Fix setfiles progress indicator
- setfiles: stdout messages don't need program prefix
- setfiles: don't scramble stdout and stderr together (#1435894)
- restorecond: Decrease loglevel of termination message (#1264505)
- fixfiles should handle path arguments more robustly
- fixfiles: handle unexpected spaces in command
- fixfiles: remove useless use of cat (#1435894)
- semanage: Add checks if a module name is passed in (#1420707)
- semanage: fix export of fcontext socket entries (#1435127)
- selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674)
This code is currently incorrect. Currently redirecting `fixfiles` to
/dev/null will have very little effect. Two messages will be suppressed,
but both the percentage progress indicator, and any errors from
the setfiles/restorecon binary will still be shown.
The fact that fixfiles redirected its log output to stdin (!) was purely
an implementation artefact. It was used to write log messages even inside
shell functions whose output is captured e.g. `RESULT=$(shell_func)`.
When fixfiles is fixed to support output redirection normally, this code
would now behave incorrectly. It would suppress all percentage progress
messages for this long-running process.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
- seobject: Handle python error returns correctly
- policycoreutils/sepolicy/gui: fix current selinux state radiobutton
- policycoreutils: semodule_package: do not fail with an empty fc file
- sandbox: Use dbus-run-session instead of dbus-launch when available
- hll/pp: Change warning for module name not matching filename to match new behavior
- Remove LDFLAGS from CFLAGS
- sandbox: create a new session for sandboxed processes
- sandbox: do not try to setup directories without -X or -M
- sandbox: do not run xmodmap in a new X session
- sandbox: Use GObject introspection binding instead of pygtk2
- sandbox: fix file labels on copied files
- sandbox: tests - close stdout of p
- sandbox: tests - use sandbox from cwd
- audit2allow: tests should use local copy not system
- audit2allow: fix audit2why import from seobject
- audit2allow: remove audit2why so that it gets symlinked
- semanage: fix man page and help message for import option
- semanage: fix error message for fcontext -m
- semanage: Fix semanage fcontext -D
- semanage: Correct fcontext auditing
- semanage: Default serange to "s0" for port modify
- semanage: Use socket.getprotobyname for protocol
- semanage: fix modify action in node and interface
- fixfiles: Pass -n to restorecon for fixfiles check
- sepolicy: Check get_rpm_nvr_list() return value
- Don't use subprocess.getstatusoutput() in Python 2 code
- semanage: Add auditing of changes in records
- Remove unused 'q' from semodule getopt string
- Fix typos in semanage manpages
- Fix the documentation of -l,--list for semodule
- Minor fix in a French translation
- Fix the extract example in semodule.8
- Update sandbox.8 man page
- Remove typos from chcat --help
- sepolgen: Remove additional files when cleaning
The initscripts package is slowly being removed, so the fedora-autorelabel
utility and systemd unit files need a new home.
At the same time, the "fedora-" prefix is changed to the general "selinux-".
/lib/systemd/fedora-autorelabel -> /usr/libexec/selinux/selinux-autorelabel
fedora-autorelabel.service -> selinux-autorelabel.service
fedora-autorelabel-mark.service -> selinux-autorelabel-mark.service
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1328825
Fixes:
# semanage boolean -m --on polyinstantiation_enabled
ValueError: Boolean polyinstantiation_enabled is not defined
# semanage login -a -s staff_u -r s0-s0:c0.c1023 yeti
libsemanage.dbase_llist_query: could not query record value (No such
file or directory).
FileNotFoundError: [Errno 2] No such file or directory
- Fix other python3 issues mainly in sepolicy (#1247039,#1247575,#1251713)
- The functionality of audit2allow which was disabled in the previous
commit should be available again
- Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564)
FIXME: some functionality of audit2allow was temporarily disabled until sepolicy is
ported to python 3
commit 2ff279e21e4715ac49e094b5fae8bc8e84b9e417 ("policycoreutils:
semanage: update to new source policy infrastructure") introduced
new methods for enabling/disabling modules but failed to update
the deleteall method of class moduleRecords to use the new method.
The deleteall method was introduced by commit
3dafb1046d847783f1e761535925ea79d69d3305 ("Add deleteall customizations
field for modules.") as a way to re-enable all locally disabled modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
fedora-selinux/selinux.git:
ab77906ea96a10bcbefee06ab7d32af853d4cf33
adffc5e277f5c5a99771439f793b7aa91be59f31
Conflict with selinux-policy causes deadlocks in buildroots when
there's no selinux-policy available. selinux-policy-base is provided by
targeted, mls and minimum subpackages which are not installed to
buildroots.
- add make-rhat-patches.sh script which creates policycoreutils-rhat.patch and sepolgen-rhat.patch patches
- use source files from https://github.com/SELinuxProject/selinux/wiki/Releases
- extract sources to selinux/ directory and build them there
Create -rhat patches from
c83f4d17e7
- Add support for Fedora22 man pages. We need to fix it to not use hardcoding.
- Print usage for all mutually exclusive options.
- Fix selinux man page to refer seinfo and sesearch tools.
* If there is no executable we don't want to print a part of STANDARD FILE CON
* Add-manpages-for-typealiased-types
* Make fixfiles_exclude_dirs working if there is a substitution for the given d
* Add -P semodule option to man page from Dan Walsh.
* selinux_current_policy_path will return none on a disabled SELinux system from Dan Walsh.
* Add new icons for sepolicy gui from Dan Walsh.
* Only return writeable files that are enabled from Dan Walsh.
* Add domain to short list of domains, when -t and -d from Dan Walsh.
* Fix up desktop files to match current standards from Dan Walsh.
* Add support to return sensitivities and categories for python from Dan Walsh.
* Cleanup whitespace from Dan Walsh.
* Add message to tell user to install sandbox policy from Dan Walsh.
* Add systemd unit file for mcstrans from Laurent Bigonville.
* Improve restorecond systemd unit file from Laurent Bigonville.
* Minor man pages improvements from Laurent Bigonville.
- Make selinux-policy build working also on other architectures related to s
- Miroslav Grepl patch to fix the creation of man pages on different architectures.
- Add ability to list the actual active modules
- Fix spelling mistake on sesearch in generate man pages.
* Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
- Add patches for sepolicy gui from mgrepl to
Fix advanced_item_button_push() to allow to select an application in advanced search menu
Fix previously_modified_initialize() to show modified changes properly for all selections
* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
- Clean up ports screen to only show enabled ports.
- Update to upstream
* Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
* Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
* Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
* Properly build the swig exception file from Laurent Bigonville.
* Fix man pages from Laurent Bigonville.
* Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
* Fix LDFLAGS usage from Laurent Bigonville.
* Fix init_policy warning from Laurent Bigonville.
* Fix semanage logging from Laurent Bigonville.
* Open newrole stdin as read/write from Sven Vermeulen.
* Fix sepolicy transition from Sven Vermeulen.
* Support overriding CFLAGS from Simon Ruderich.
* Create correct man directory for run_init from Russell Coker.
* restorecon GLOB_BRACE change from Michal Trunecka.
* Extend audit2why to report additional constraint information.
* Catch IOError errors within audit2allow from Dan Walsh.
* semanage export/import fixes from Dan Walsh.
* Improve setfiles progress reporting from Dan Walsh.
* Document setfiles -o option in usage from Dan Walsh.
* Change setfiles to always return -1 on failure from Dan Walsh.
* Improve setsebool error reporting from Dan Walsh.
* Major overhaul of gui from Dan Walsh.
* Fix sepolicy handling of non-MLS policy from Dan Walsh.
* Support returning type aliases from Dan Walsh.
* Add sepolicy tests from Dan Walsh.
* Add org.selinux.config.policy from Dan Walsh.
* Improve range and user input checking by semanage from Dan Walsh.
* Prevent source or target arguments that end with / for substitutions from Dan Walsh.
* Allow use of <<none>> for semanage fcontext from Dan Walsh.
* Report customized user levels from Dan Walsh.
* Support deleteall for restoring disabled modules from Dan Walsh.
* Improve semanage error reporting from Dan Walsh.
* Only list disabled modules for module locallist from Dan Walsh.
* Fix logging from Dan Walsh.
* Define new constants for file type character codes from Dan Walsh.
* Improve bash completions from Dan Walsh.
* Convert semanage to argparse from Dan Walsh (originally by Dave Quigley).
* Add semanage tests from Dan Walsh.
* Split semanage man pages from Dan Walsh.
* Move bash completion scripts from Dan Walsh.
* Replace genhomedircon script with a link to semodule from Dan Walsh.
* Fix fixfiles from Dan Walsh.
* Add support for systemd service for restorecon from Dan Walsh.
* Spelling corrections from Dan Walsh.
* Improve sandbox support for home dir symlinks and file caps from Dan Walsh.
* Switch sandbox to openbox window manager from Dan Walsh.
* Coalesce audit2why and audit2allow from Dan Walsh.
* Change audit2allow to append to output file from Dan Walsh.
* Update translations from Dan Walsh.
* Change audit2why to use selinux_current_policy_path from Dan Walsh.
- Add more help information
- Cleanup code
- Add deny_ptrace on lockdown screen
- Make unconfined/permissivedomains lockdown work
- Add more support for file equivalency
- Update translations
- Fix sepolicy generate --admin_user man page again
- Fix setsebool to print less verbose error messages by default, add -V for ve
- Add support for compressed policy.xml
- Miroslav Grepl patch to allow sepolicy interface on individual interface fil
- Also add capability to test interfaces for correctness.
- Generate Man pages for everydomain, not just ones with exec_t entrypoints
- sepolicy communicate should return ValueError not TypeError
- Trim header line in sepolicy manpage to use less space
- Add missing options to restorecon man page
- Apply Miroslav Grepl Patches for sepolicy
-- Fix generate mutually groups option handling
-- EUSER is used for existing policy
-- customize options can be used together with admin_domain option
-- Fix manpage.py to generate correct man pages for SELinux users
-- Fix policy *.te file generated by customize+writepaths options
-- Fix install script for confined_admin option
- Apply Miroslav Grepl patch to clean up sepolicy generate usage
- Apply Miroslav Grepl patch to fix up handling of admin_user generation
- Update Translations
- use nroff instead of man2html
- Remove checking for name of person who created the man page
- audit2allow
- Fix output to show the level that is different.
- Switch from using console app to using pkexec, so we will work better
with policykit.
- Add missing import to fix system-config-selinux startup
- Add comment to pamd files about pam_rootok.so
- Fix sepolicy generate to not comment out the first line
- fixfiles onboot will write any flags handed to it to /.autorelabel.
- * Patch sent to initscripts to have fedora-autorelabel pass flags back to fixfiles restore
- * This should allow fixfiles -F onboot, to force a hard relabel.
- Add -p to show progress on full relabel.
- Add newtype as a new qualifier to sepolicy generate. This new mechanism wil
- a policy write to generate types after the initial policy has been written a
- will autogenerate all of the interfaces.
- I also added a -w options to allow policy writers from the command line to s
- the writable directories of files.
-
- Modify network.py to include interface definitions for newly created port type
- Standardize of te_types just like all of the other templates.
- update sepolicy manpage to generate fcontext equivalence data and to list
default file context paths.
- Add ability to generate policy for confined admins and domains like puppet.
- Print warning message if program does not exist when generating policy, and do not attempt to run nm command
- Fix sepolicy generate -T to not take an argument, and suppress the help message
- Since this is really just a testing tool
- Update translations
- Fixup sepolicy generate to discover /var/log, /var/run and /var/lib directories if they match the name
- Fix kill function call should indicate signal_perms not kill capability
- Error out cleanly in system-config-selinux, if it can not contact XServer
- Fix load_file Makefile to use SBINDIR rather than real OS.
- Fix man pages in setfiles and restorecon to reflect what happens when you relabel the entire OS.
* genhomedircon: manual page improvements
* setfiles/restorecon minor improvements
* run_init: If open_init_pty is not available then just use exec
* newrole: do not drop capabilities when newrole is run as
* restorecon: only update type by default
* scripts: Don't syslog setfiles changes on a fixfiles restore
* setfiles: do not syslog if no changes
* Disable user restorecond by default
* Make restorecon return 0 when a file has changed context
* setfiles: Fix process_glob error handling
* semanage: allow enable/disable under -m
* add .tx to gitignore
* translations: commit translations from Fedora community
* po: silence build process
* gui: Checking in policy to support polgengui and sepolgen.
* gui: polgen: search for systemd subpackage when generating policy
* gui: for exploring booleans
* gui: system-config-selinux gui
* Add Makefiles to support new gui code
* gui: remove lockdown wizard
* return equivalency records in fcontext customized
* semanage: option to not load new policy into kernel after
* sandbox: manpage update to describe standard types
* setsebool: -N should not reload policy on changes
* semodule: Add -N qualifier to no reload kernel policy
* gui: polgen: sort selinux types of user controls
* gui: polgen: follow symlinks and get the real path to
* gui: Fix missing error function
* setfiles: return errors when bad paths are given
* fixfiles: tell restorecon to ignore missing paths
* setsebool: error when setting multiple options
* semanage: use boolean subs.
* sandbox: Make sure Xephyr never listens on tcp ports
* sepolgen: return and output constraint violation information
* semanage: skip comments while reading external configuration files
* restorecond: relabel all mount runtime files in the restorecond example
* genhomedircon: dynamically create genhomedircon
* Allow returning of bastard matches
* sepolgen: return and output constraint violation information
* audit2allow: one role/type pair per line
- policycoreutils
* restorecond: wrong options should exit with non-zero error code
* restorecond: Add -h option to get usage command
* restorecond: user: fix fd leak
* mcstrans: add -f to run in foreground
* semanage: fix man page range and level defaults
* semanage: bash completion for modules should include -a,-m, -d
* semanage: manpage update for -e
* semanage: dontaudit off should work
* semanage: locallist option does not take an argument
* sepolgen: Make use of setools optional within sepolgen
- sepolgen
* Make use of setools optional within sepolgen
* We need to support files that have a + in them
- policycoreutils
* sandbox: do not propagate inside mounts outside
* sandbox: Removing sandbox init script, should no longer be necessary
* restorecond: Stop using deprecated interfaces for g_io
* semanage: proper auditing of user changes for LSPP
* semanage: audit message to show what record(s) and item(s) have changed
* scripts: Update Makefiles to handle /usrmove
* mcstrans: Version should have been bumped on last check in
* seunshare: Only drop caps not the Bounding Set from seunshare
* Add bash-completion scripts for setsebool and semanage
* newrole: Use correct capng calls in newrole
* Fix infinite loop with inotify on 2.6.31 kernels
* fix ftbfs with hardening flags
* Only run setfiles if we found read-write filesystems to run it on
* update .po files
* remove empty po files
* do not fail to install if unable to make load_policy lnk file
This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove
This package requires now 'filesystem' >= 3, which is only installable
on a system which has /bin, /sbin, /lib, /lib64 as symlinks to /usr and
not regular directories. The 'filesystem' package acts as a guard, to
prevent *this* package from being installed on old unconverted systems.
New installations will have the 'filesystem' >=3 layout right away, old
installations need to be converted with anaconda or dracut first; only
after that, the 'filesystem' package, and also *this* package can be
installed.
Packages *should* not install files in /bin, /sbin, /lib, /lib64, but
only in the corresponding directories in /usr. Packages *must* not
install conflicting files with the same names in the corresponding
directories in / and /usr. In particular, compatibility symlinks must not be
installed.
Feel free to modify any of the changes to the spec file, but keep the
above in mind.
sepolgen
* better analysis of why things broke
policycoreutils
* Remove excess whitespace
* sandbox: Add back in . functions to sandbox.init script
* Fix Makefile to match other policycoreutils Makefiles
* semanage: drop unused translation getopt
* sandbox: move sandbox.conf.5 to just sandbox.5
* po: Makefile use -p to preserve times to allow multilib simultaneous installs
* of po files
* sandbox: Allow user to specify the DPI value for X in a sandbox
* sandbox: make sure the domain launching sandbox has at least 100 categories
* sandbox: do not try forever to find available category set
* sandbox: only complain if sandbox unable to launch
* sandbox: init script run twice is still successful
* semanage: print local and distro equiv rules
* semanage: check file equivalence rules for conflict
* semanage: Make sure semanage fcontext -l -C prints even if local keys
* are not defined
* semanage: change src,dst to target,substitute for equivalency
* sestatus: Updated sestatus and man pages.
* Added SELinux config file man page.
* add clean target to man Makefile
Add checking to semanage fcontext -a to guarantee a file specification will not be masked by an equivalence
Allow ~ as a valid part of a filename in sepolgen
* sandbox: Maintain the LANG environment into the sandbox
* audit2allow: use audit2why internally
* fixfiles: label /root but not /var/lib/BackupPC
* semanage: update local boolean settings is dealing with localstore
* semanage: missing modify=True
* semanage: set modified correctly
* restorecond: make restorecond dbus-able
* restorecon: Always check return code on asprintf
* restorecond: make restorecond -u exit when terminal closes
* sandbox: introduce package name and language stuff
* semodule_package: remove semodule_unpackage on clean
* fix sandbox Makefile to support DESTDIR
* semanage: Add -o description to the semanage man page
* make use of the new realpath_not_final function
* setfiles: close /proc/mounts file when finished
* semodule: Document semodule -p in man page
* setfiles: fix use before initialized
* restorecond: Add .local/share as a directory to watch
Upgrade to sepolgen upstream
* Ignore permissive qualifier if found in an interface
* Return name field in avc data
policycoreutils-2.1.6
* sepolgen-ifgen: new attr-helper does something
* audit2allow: use alternate policy file
* audit2allow: sepolgen-ifgen use the attr helper
* setfiles: switch from stat to stat64
* setfiles: Fix potential crash using dereferenced ftsent
* setfiles: do not wrap * output at 80 characters
* sandbox: add -Wall and -Werror to makefile
* sandbox: add sandbox cgroup support
* sandbox: rewrite /tmp handling
* sandbox: do not bind mount so much
* sandbox: add level based kill option
* sandbox: cntrl-c should kill entire process control group
* Create a new preserve_tunables flag in sepol_handle_t.
* semanage: show running and disk setting for booleans
* semanage: Dont print heading if no items selected
* sepolgen: audit2allow is mistakenly not allowing valid module names
* semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
* More files to ignore
* tree: default make target to all not install
* sandbox: do not load unused generic init functions
sepolgen-1.1.2
* src: sepolgen: add attribute storing infrastructure
* Change perm-map and add open to try to get better results on
* look for booleans that might solve problems
* sepolgen: audit2allow is mistakenly not allowing valid module names
* tree: default make target to all not install
- policycoreutils
* setfiles: Fix process_glob to handle error situations
* sandbox: Allow seunshare to run as root
* sandbox: trap sigterm to make sure sandbox
* sandbox: pass DPI from the desktop
* sandbox: seunshare: introduce helper spawn_command
* sandbox: seunshare: introduce new filesystem helpers
* sandbox: add -C option to not drop
* sandbox: split seunshare caps dropping
* sandbox: use dbus-launch
* sandbox: numerous simple updates to sandbox
* sandbox: do not require selinux context
* sandbox: Makefile: new man pages
* sandbox: rename dir to srcdir
* sandbox: allow users specify sandbox window size
* sandbox: check for paths up front
* sandbox: use defined values for paths rather
* sandbox: move seunshare globals to the top
* sandbox: whitespace fix
* semodule_package: Add semodule_unpackage executable
* setfiles: get rid of some stupid globals
* setfiles: move exclude_non_seclabel_mounts to a generic location
- sepolgen
* refparser: include open among valid permissions
* refparser: add support for filename_trans rules
2.1.4 2011-08-17
* run_init: clarification of the usage in the
* semanage: fix usage header around booleans
* semanage: remove useless empty lines
* semanage: update man page with new examples
* semanage: update usage text
* semanage: introduce file context equivalencies
* semanage: enable and disable modules
* semanage: output all local modifications
* semanage: introduce extraction of local configuration
* semanage: cleanup error on invalid operation
* semanage: handle being called with no arguments
* semanage: return sooner to save CPU time
* semanage: surround getopt with try/except
* semanage: use define/raise instead of lots of
* semanage: some options are only valid for
* semanage: introduce better deleteall support
* semanage: do not allow spaces in file
* semanage: distinguish between builtin and local permissive
* semanage: centralized ip node handling
* setfiles: make the restore function exclude() non-static
* setfiles: use glob to handle ~ and
* fixfiles: do not hard code types
* fixfiles: stop trying to be smart about
* fixfiles: use new kernel seclabel option
* fixfiles: pipe everything to cat before sending
* fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
* semodule: support for alternative root paths
- Update to upstream
* Fixed bug preventing semanage node -a from working
from Chad Sellers
* Fixed bug preventing semanage fcontext -l from working
from Chad Sellers
- Change semanage to use unicode
- Update to upstream
* Remove setrans management from semanage, as it does not work
from Dan Walsh.
* Move load_policy from /usr/sbin to /sbin from Dan Walsh.
- Allow semanage -i and semanage -o to generate customization files.
- semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration
- Update to upstream
* Change semodule upgrade behavior to install even if the module
is not present from Dan Walsh.
* Make setfiles label if selinux is disabled and a seclabel aware
kernel is running from Caleb Case.
* Clarify forkpty() error message in run_init from Manoj Srivastava.
- Update to upstream
* Add semanage dontaudit to turn off dontaudits from Dan Walsh.
* Fix semanage to set correct mode for setrans file from Dan Walsh.
* Fix malformed dictionary in portRecord from Dan Walsh.
* Restore symlink handling support to restorecon based on a patch by
Martin Orr. This fixes the restorecon /dev/stdin performed by Debian
udev scripts that was broken by policycoreutils 2.0.70.
- Fix chcat to report error on non existing file
- Update to upstream
* Modify setfiles/restorecon checking of exclude paths. Only check
user-supplied exclude paths (not automatically generated ones based on
lack of seclabel support), don't require them to be directories, and
ignore permission denied errors on them (it is ok to exclude a path to
which the caller lacks permission).
- Update to upstream
* Modify restorecon to only call realpath() on user-supplied pathnames
from Stephen Smalley.
* Fix typo in fixfiles that prevented it from relabeling btrfs
filesystems from Dan Walsh.
- Fix location of man pages
- Update to upstream
* Modify setfiles to exclude mounts without seclabel option in
/proc/mounts on kernels >= 2.6.30 from Thomas Liu.
* Re-enable disable_dontaudit rules upon semodule -B from Christopher
Pardy and Dan Walsh.
* setfiles converted to fts from Thomas Liu.
- Update to upstream
* Keep setfiles from spamming console from Dan Walsh.
* Fix chcat's category expansion for users from Dan Walsh.
- Update po files
- Fix sepolgen
- Update to upstream
* Fix transaction checking from Dan Walsh.
* Make fixfiles -R (for rpm) recursive.
* Make semanage permissive clean up after itself from Dan Walsh.
* add /root/.ssh/* to restorecond.conf
- Update to upstream
* Add btrfs to fixfiles from Dan Walsh.
* Remove restorecond error for matching globs with multiple hard links
and fix some error messages from Dan Walsh.
* Make removing a non-existent module a warning rather than an error
from Dan Walsh.
* Man page fixes from Dan Walsh.
- Update to upstream
* chcat: cut categories at arbitrary point (25) from Dan Walsh
* semodule: use new interfaces in libsemanage for compressed files
from Dan Walsh
* audit2allow: string changes for usage
- Fix semanage help display
- Update to upstream
* fixfiles will now remove all files in /tmp and will check for
unlabeled_t in /tmp and /var/tmp from Dan Walsh.
* add glob support to restorecond from Dan Walsh.
* allow semanage to handle multi-line commands in a single transaction
from Dan Walsh.
- Update to upstream
* Add support for boolean files and group support for seusers from Dan Walsh.
* Ensure that setfiles -p output is newline terminated from Russell Coker.
- Update to upstream
* Remove security_check_context calls for prefix validation from semanage.
* Change setfiles and restorecon to not relabel if the file already has the correct context value even if -F/force is specified.
- Update to upstream
* Merged audit2why fix and semanage boolean --on/--off/-1/-0 support from Dan Walsh.
* Merged a second fixfiles -C fix from Marshall Miller.
- Update to upstream
* Merged audit2allow cleanups and boolean descriptions from Dan Walsh.
* Merged setfiles -0 support by Benny Amorsen via Dan Walsh.
* Merged fixfiles fixes and support for ext4 and gfs2 from Dan Walsh.
- Update to upstream
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4
- Fix sepolgen to be able to parse Fedora 9 policy
Handle ifelse statements
Handle refpolicywarn inside of define
Add init.if and inetd.if into parse
Add parse_file to syntax error message
- Upgrade from NSA
* Drop verbose output on fixfiles -C from Dan Walsh.
* Fix argument handling in fixfiles from Dan Walsh.
* Enhance boolean support in semanage, including using the .xml description when available, from Dan Walsh.
- Fix handling of final screen in polgengui
2007-12-11 02:47:29 +00:00
From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Tue, 1 Sep 2020 18:16:41 +0200
Subject: [PATCH] newrole: support cross-compilation with PAM and audit
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accommodate cross-compilation.
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
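Review bot: the added condition `if not file_type_is_executable(f) or not file_type_is_entrypoint(f):` appends to `flist_non_exec` any file that fails either test, so an executable file that is not an entrypoint also lands in a list named "non_exec". If that is intended, a short comment or a name that reflects both criteria would make it clear; if only non-executables belong there, the second clause should be dropped. The unchanged `mpaths = mpaths + self.fcdict[f]["regex"]` accumulation and the `len(mpaths) == 0` check that follow are not affected by the change.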
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
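Review bot: the changed `.B semanage fcontext` pattern `'/srv/my%(domainname)s_content(/.*)?'` now matches the path used by the following `restorecon -R -v /srv/my%(domainname)s_content` line, which is the point of the fix, but the unchanged context line just above it still carries the typos "diffent" and "sepecify"; since this paragraph of the generated man page is being edited anyway, fix them in the same change so it reads "different paths" and "specify alternate labeling".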
@@ -48,7 +48,7 @@ SELinux security policy is enforced.
.IP \fIpermissive\fR 4
SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
.IP \fIdisabled\fR
-SELinux is disabled and no policy is loaded.
+No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
.RE
.sp
The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
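Review bot: the replacement text for the `disabled` entry says the option "is now deprecated" but names no release from which `selinux=0` on the kernel command line is the supported way to disable SELinux, so a reader cannot tell whether the system in front of them still honors `SELINUX=disabled`; state the version in which the config-file setting stopped being honored, or point at the documented change. Also, the unchanged `.IP \fIdisabled\fR` line has no indent argument while `.IP \fIpermissive\fR 4` above it does; adding the `4` would keep the entries aligned.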