Compare commits
19 Commits
Author | SHA1 | Date |
---|---|---|
Miroslav Grepl | 9c179d530d | |
Dan Walsh | 20f67e146b | |
Dan Walsh | c9bfabd023 | |
Dan Walsh | 8ca7711380 | |
Dan Walsh | 712853f687 | |
Dan Walsh | 13e355977e | |
Dan Walsh | 5a07a81733 | |
Dan Walsh | a06dee90e4 | |
Dan Walsh | 8c581a5cd4 | |
Dan Walsh | 8ba90df46e | |
Dan Walsh | 667e3a73a2 | |
Dan Walsh | c54495df05 | |
Dan Walsh | a6d8d01cf8 | |
Dan Walsh | 7bc4b0c5ce | |
Dan Walsh | 94fb5c6aa1 | |
Dan Walsh | 07948c9d82 | |
Dan Walsh | e3137d55a1 | |
Dan Walsh | a81f5f5513 | |
Dan Walsh | 378ad5cdba |
|
@ -0,0 +1,62 @@
|
|||
From 8b8915f36a1db76bbdd9695f0bb450132b67f2ca Mon Sep 17 00:00:00 2001
|
||||
From: Andy Lutomirski <luto@amacapital.net>
|
||||
Date: Wed, 30 Apr 2014 21:59:37 -0700
|
||||
Subject: [PATCH 1/3] seunshare: Try to use setcurrent before setexec
|
||||
|
||||
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
|
||||
libcap-ng set, setexeccon will cause execve to fail. This also
|
||||
makes setting selinux context the very last action taken by
|
||||
seunshare prior to exec, as it may otherwise cause things to fail.
|
||||
|
||||
Note that this won't work without adjusting the system policy to
|
||||
allow this use of setcurrent. This rule appears to work:
|
||||
|
||||
allow unconfined_t sandbox_t:process dyntransition;
|
||||
|
||||
although a better rule would probably relax the unconfined_t
|
||||
restriction.
|
||||
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
---
|
||||
policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
|
||||
1 file changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
|
||||
index 97f3920..fe40757 100644
|
||||
--- a/policycoreutils/sandbox/seunshare.c
|
||||
+++ b/policycoreutils/sandbox/seunshare.c
|
||||
@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
|
||||
goto childerr;
|
||||
}
|
||||
|
||||
- /* selinux context */
|
||||
- if (execcon && setexeccon(execcon) != 0) {
|
||||
- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
|
||||
- goto childerr;
|
||||
- }
|
||||
-
|
||||
if (chdir(pwd->pw_dir)) {
|
||||
perror(_("Failed to change dir to homedir"));
|
||||
goto childerr;
|
||||
}
|
||||
setsid();
|
||||
+
|
||||
+ /* selinux context */
|
||||
+ if (execcon) {
|
||||
+ /* try dyntransition, since no_new_privs can interfere
|
||||
+ * with setexeccon */
|
||||
+ if (setcon(execcon) != 0) {
|
||||
+ /* failed; fall back to setexeccon */
|
||||
+ if (setexeccon(execcon) != 0) {
|
||||
+ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
|
||||
+ goto childerr;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
execv(argv[optind], argv + optind);
|
||||
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
|
||||
childerr:
|
||||
--
|
||||
1.9.0
|
||||
|
|
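Review bot: In the new `if (setcon(execcon) != 0)` branch the errno of the failed setcon() is thrown away, and the only diagnostic left is the older "Could not set exec context" message printed when setexeccon() also fails, so a denied dyntransition cannot be told apart from any other failure. When the fallback succeeds under no_new_privs, the commit message itself says execve will then fail, and that later error will not mention the context at all. Saving the value right after the call, `int setcon_err = errno;`, and printing `strerror(setcon_err)` alongside the setexeccon error would make the policy problem visible. A comment on the success path would also help: after setcon() the process already runs in the target context, so the execv() of `argv[optind]` is presumably checked against that context rather than the caller's, which is worth confirming against the sandbox policy. main() starts and ends outside this hunk.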
@ -0,0 +1,30 @@
|
|||
From 84bff58282256f52a25cec2f36c9831daea48987 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Tue, 6 May 2014 14:38:41 -0400
|
||||
Subject: [PATCH 2/3] at_console should not be used any longer
|
||||
|
||||
---
|
||||
policycoreutils/sepolicy/org.selinux.conf | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/sepolicy/org.selinux.conf b/policycoreutils/sepolicy/org.selinux.conf
|
||||
index a350978..1ae079d 100644
|
||||
--- a/policycoreutils/sepolicy/org.selinux.conf
|
||||
+++ b/policycoreutils/sepolicy/org.selinux.conf
|
||||
@@ -12,12 +12,8 @@
|
||||
|
||||
<!-- Allow anyone to invoke methods on the interfaces,
|
||||
authorization is performed by PolicyKit -->
|
||||
- <policy at_console="true">
|
||||
- <allow send_destination="org.selinux"/>
|
||||
- </policy>
|
||||
<policy context="default">
|
||||
- <allow send_destination="org.selinux"
|
||||
- send_interface="org.freedesktop.DBus.Introspectable"/>
|
||||
+ <allow send_destination="org.selinux"/>
|
||||
</policy>
|
||||
|
||||
</busconfig>
|
||||
--
|
||||
1.9.0
|
||||
|
|
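Review bot: The replacement `<allow send_destination="org.selinux"/>` under `context="default"` carries no `send_interface` restriction, so the bus forwards every method on every interface of the service from any client, and the PolicyKit check named in the comment above it becomes the only gate. That holds only if each exported method of the service performs its own authorization; the service code is not part of this patch, so it cannot be confirmed from here. Extending the existing XML comment to state the dependency would help, for example `every method exported on org.selinux must call PolicyKit itself; the bus policy does not filter by interface`. The `<busconfig>` element opens outside the hunk.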
@ -0,0 +1,93 @@
|
|||
From 7a69cd9e185055fc8e096b466923d8712263a9e8 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Wed, 7 May 2014 10:18:57 +0200
|
||||
Subject: [PATCH 3/3] Apply patch for org.selinux.policy to not be desktop
|
||||
centric from stefw@redhat.com
|
||||
|
||||
---
|
||||
policycoreutils/sepolicy/org.selinux.policy | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
|
||||
index 4023bca..ddd9caa 100644
|
||||
--- a/policycoreutils/sepolicy/org.selinux.policy
|
||||
+++ b/policycoreutils/sepolicy/org.selinux.policy
|
||||
@@ -11,7 +11,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents restorecon access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -20,7 +20,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents setenforce access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -29,7 +29,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents semanage access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -38,8 +38,8 @@
|
||||
<description>SELinux Read access</description>
|
||||
<message>System policy prevents read access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
- <allow_inactive>no</allow_inactive>
|
||||
+ <allow_any>yes</allow_any>
|
||||
+ <allow_inactive>yes</allow_inactive>
|
||||
<allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
@@ -47,8 +47,8 @@
|
||||
<description>SELinux list modules access</description>
|
||||
<message>System policy prevents read access to SELinux modules</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
- <allow_inactive>no</allow_inactive>
|
||||
+ <allow_any>yes</allow_any>
|
||||
+ <allow_inactive>yes</allow_inactive>
|
||||
<allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
@@ -56,7 +56,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents relabel_on_boot access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -65,7 +65,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents change_default_policy access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -74,7 +74,7 @@
|
||||
<description>Change SELinux default enforcing mode</description>
|
||||
<message>System policy prevents change_default_policy access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
--
|
||||
1.9.0
|
||||
|
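Review bot: In each write-action hunk (restorecon, setenforce, semanage, relabel_on_boot, change_default_policy and the default-enforcing-mode action) `allow_any` becomes `auth_admin` while `allow_inactive` stays `no`, so a caller with no local session may authenticate as admin but a caller in an inactive local session is refused outright. If that asymmetry is not intended, `<allow_inactive>auth_admin</allow_inactive>` would make the three defaults consistent. The two read actions now answer `yes` to any caller without authentication, which, together with the bus policy in the previous patch being open to all senders, exposes the read methods to every local user; a one-line XML comment stating that this is deliberate would save the next reviewer the question. The `<action>` elements start outside the hunks.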
1052277
policycoreutils-rhat.patch
1052277
policycoreutils-rhat.patch
File diff suppressed because it is too large
|
@ -1,131 +1,13 @@
|
|||
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
|
||||
index d636091..56919be 100644
|
||||
--- a/sepolgen/src/sepolgen/audit.py
|
||||
+++ b/sepolgen/src/sepolgen/audit.py
|
||||
@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
|
||||
raise ValueError("Error during access vector computation")
|
||||
|
||||
if self.type == audit2why.CONSTRAINT:
|
||||
- self.data = []
|
||||
+ self.data = [ self.data ]
|
||||
if self.scontext.user != self.tcontext.user:
|
||||
- self.data.append("user")
|
||||
+ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
|
||||
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
|
||||
- self.data.append("role")
|
||||
+ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
|
||||
if self.scontext.level != self.tcontext.level:
|
||||
- self.data.append("level")
|
||||
+ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
|
||||
|
||||
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
|
||||
|
||||
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
|
||||
index cc9f8ea..ce643e5 100644
|
||||
--- a/sepolgen/src/sepolgen/policygen.py
|
||||
+++ b/sepolgen/src/sepolgen/policygen.py
|
||||
@@ -161,21 +161,21 @@ class PolicyGenerator:
|
||||
if self.explain:
|
||||
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
|
||||
if av.type == audit2why.ALLOW:
|
||||
- rule.comment += "#!!!! This avc is allowed in the current policy\n"
|
||||
+ rule.comment += "\n#!!!! This avc is allowed in the current policy"
|
||||
if av.type == audit2why.DONTAUDIT:
|
||||
- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
|
||||
+ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
|
||||
|
||||
if av.type == audit2why.BOOLEAN:
|
||||
if len(av.data) > 1:
|
||||
- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
|
||||
+ rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data))
|
||||
else:
|
||||
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
|
||||
+ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
|
||||
|
||||
if av.type == audit2why.CONSTRAINT:
|
||||
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||
- rule.comment += "#Constraint rule: "
|
||||
- for reason in av.data:
|
||||
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
|
||||
+ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
|
||||
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
|
||||
+ for reason in av.data[1:]:
|
||||
+ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
|
||||
|
||||
try:
|
||||
if ( av.type == audit2why.TERULE and
|
||||
@@ -189,9 +189,9 @@ class PolicyGenerator:
|
||||
if i not in self.domains:
|
||||
types.append(i)
|
||||
if len(types) == 1:
|
||||
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
elif len(types) >= 1:
|
||||
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
except:
|
||||
pass
|
||||
self.module.children.append(rule)
|
||||
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
|
||||
index 7b76261..a05d9d1 100644
|
||||
--- a/sepolgen/src/sepolgen/refparser.py
|
||||
+++ b/sepolgen/src/sepolgen/refparser.py
|
||||
@@ -65,6 +65,7 @@ tokens = (
|
||||
'BAR',
|
||||
'EXPL',
|
||||
'EQUAL',
|
||||
+ 'FILENAME',
|
||||
'IDENTIFIER',
|
||||
'NUMBER',
|
||||
'PATH',
|
||||
@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
|
||||
t.lexer.lineno += 1
|
||||
|
||||
def t_IDENTIFIER(t):
|
||||
- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
|
||||
+ r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
|
||||
# Handle any keywords
|
||||
t.type = reserved.get(t.value,'IDENTIFIER')
|
||||
return t
|
||||
|
||||
+def t_FILENAME(t):
|
||||
+ r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
|
||||
+ # Handle any keywords
|
||||
+ t.type = reserved.get(t.value,'FILENAME')
|
||||
+ return t
|
||||
+
|
||||
def t_comment(t):
|
||||
r'\#.*\n'
|
||||
# Ignore all comments
|
||||
@@ -450,6 +457,7 @@ def p_interface_call_param(p):
|
||||
| nested_id_set
|
||||
| TRUE
|
||||
| FALSE
|
||||
+ | FILENAME
|
||||
'''
|
||||
# Intentionally let single identifiers pass through
|
||||
# List means set, non-list identifier
|
||||
@@ -461,6 +469,7 @@ def p_interface_call_param(p):
|
||||
def p_interface_call_param_list(p):
|
||||
'''interface_call_param_list : interface_call_param
|
||||
| interface_call_param_list COMMA interface_call_param
|
||||
+ | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
|
||||
'''
|
||||
if len(p) == 2:
|
||||
p[0] = [p[1]]
|
||||
@@ -787,6 +796,7 @@ def p_avrule_def(p):
|
||||
|
||||
def p_typerule_def(p):
|
||||
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
|
||||
+ | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
|
||||
| TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
|
||||
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
|
||||
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
|
||||
@@ -800,6 +810,7 @@ def p_typerule_def(p):
|
||||
t.tgt_types = p[3]
|
||||
t.obj_classes = p[5]
|
||||
t.dest_type = p[6]
|
||||
+ t.file_name = p[7]
|
||||
p[0] = t
|
||||
|
||||
def p_bool(p):
|
||||
diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py
|
||||
index 3258684..88a6dc3 100644
|
||||
--- a/sepolgen/src/sepolgen/interfaces.py
|
||||
+++ b/sepolgen/src/sepolgen/interfaces.py
|
||||
@@ -276,7 +276,7 @@ class InterfaceVector:
|
||||
if attributes:
|
||||
for typeattribute in interface.typeattributes():
|
||||
for attr in typeattribute.attributes:
|
||||
- if not attributes.has_key(attr):
|
||||
+ if not attributes.attributes.has_key(attr):
|
||||
# print "missing attribute " + attr
|
||||
continue
|
||||
attr_vec = attributes.attributes[attr]
|
||||
|
|
|
@ -2,12 +2,12 @@
|
|||
%global libsepolver 2.1.9-1
|
||||
%global libsemanagever 2.1.10-1
|
||||
%global libselinuxver 2.1.13-1
|
||||
%global sepolgenver 1.1.9
|
||||
%global sepolgenver 1.2.1
|
||||
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.1.14
|
||||
Release: 75%{?dist}
|
||||
Version: 2.2.5
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# Based on git repository with tag 20101221
|
||||
|
@ -16,8 +16,12 @@ Source1:git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
|
|||
URL: http://www.selinuxproject.org
|
||||
Source2: policycoreutils_man_ru2.tar.bz2
|
||||
Source3: system-config-selinux.png
|
||||
Source4: sepolicy-icons.tgz
|
||||
Patch: policycoreutils-rhat.patch
|
||||
Patch1: policycoreutils-sepolgen.patch
|
||||
Patch1: 0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
|
||||
Patch2: 0002-at_console-should-not-be-used-any-longer.patch
|
||||
Patch3: 0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
|
||||
#Patch1: policycoreutils-sepolgen.patch
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Conflicts: filesystem < 3
|
||||
Provides: /sbin/fixfiles
|
||||
|
@ -48,10 +52,14 @@ to switch roles.
|
|||
%prep
|
||||
%setup -q -a 1
|
||||
%patch -p2 -b .rhat
|
||||
%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
|
||||
%patch1 -p2 -b .seunshare
|
||||
%patch2 -p2 -b .at_console
|
||||
%patch3 -p2 -b .org.selinux
|
||||
#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
|
||||
cp %{SOURCE3} gui/
|
||||
tar xvf %{SOURCE4}
|
||||
|
||||
%build
|
||||
cp %{SOURCE3} gui/
|
||||
make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
|
||||
make -C sepolgen-%{sepolgenver} SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
|
||||
|
||||
|
@ -84,10 +92,15 @@ desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications \
|
|||
--add-category Settings \
|
||||
%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop
|
||||
|
||||
desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications \
|
||||
--add-category Settings \
|
||||
%{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop
|
||||
|
||||
desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications \
|
||||
%{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop
|
||||
|
||||
rm -f %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop
|
||||
rm -f %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop
|
||||
rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop
|
||||
|
||||
%find_lang %{name}
|
||||
|
@ -99,6 +112,7 @@ Requires:policycoreutils = %{version}-%{release}
|
|||
Requires:libsemanage-python >= %{libsemanagever} libselinux-python libcgroup
|
||||
Requires:audit-libs-python >= %{libauditver}
|
||||
Requires(pre): python >= 2.6
|
||||
Requires: checkpolicy
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Requires: python-IPy yum
|
||||
|
||||
|
@ -114,8 +128,13 @@ an SELinux environment.
|
|||
%{_bindir}/audit2why
|
||||
%{_mandir}/man1/audit2allow.1*
|
||||
%{_mandir}/ru/man1/audit2allow.1*
|
||||
%{_bindir}/semodule_package
|
||||
%{_mandir}/man8/semodule_package.8*
|
||||
%{_mandir}/ru/man8/semodule_package.8*
|
||||
%{_mandir}/man1/audit2why.1*
|
||||
%{python_sitearch}/seobject.py*
|
||||
%dir %{python_sitelib}/seobject
|
||||
%{python_sitelib}/seobject/__init__.py*
|
||||
%{python_sitelib}/seobject*.egg-info
|
||||
%{python_sitearch}/sepolgen
|
||||
%dir %{python_sitearch}/sepolicy
|
||||
%{python_sitearch}/sepolicy/*so
|
||||
|
@ -138,10 +157,6 @@ an SELinux environment.
|
|||
%{_mandir}/man8/sandbox.8*
|
||||
%{_mandir}/man8/semanage*.8*
|
||||
%{_mandir}/ru/man8/semanage.8*
|
||||
%{_datadir}/system-config-selinux/selinux_server.py
|
||||
%{_datadir}/dbus-1/system-services/org.selinux.service
|
||||
%{_datadir}/polkit-1/actions/org.selinux.policy
|
||||
%{_datadir}/polkit-1/actions/org.fedoraproject.config.selinux.policy
|
||||
%{_datadir}/bash-completion/completions/semanage
|
||||
%{_datadir}/bash-completion/completions/setsebool
|
||||
|
||||
|
@ -150,7 +165,6 @@ Summary: SELinux policy core policy devel utilities
|
|||
Group: System Environment/Base
|
||||
Requires: policycoreutils-python = %{version}-%{release}
|
||||
Requires: /usr/bin/make
|
||||
Requires: checkpolicy
|
||||
Requires: selinux-policy-devel
|
||||
|
||||
%description devel
|
||||
|
@ -174,6 +188,17 @@ The policycoreutils-devel package contains the management tools use to develop p
|
|||
%{_mandir}/man8/sepolicy-manpage.8*
|
||||
%{_mandir}/man8/sepolicy-transition.8*
|
||||
%{_usr}/share/bash-completion/completions/sepolicy
|
||||
%{_bindir}/semodule_deps
|
||||
%{_bindir}/semodule_expand
|
||||
%{_bindir}/semodule_link
|
||||
%{_bindir}/semodule_unpackage
|
||||
%{_mandir}/man8/semodule_deps.8*
|
||||
%{_mandir}/ru/man8/semodule_deps.8*
|
||||
%{_mandir}/man8/semodule_expand.8*
|
||||
%{_mandir}/ru/man8/semodule_expand.8*
|
||||
%{_mandir}/man8/semodule_link.8*
|
||||
%{_mandir}/ru/man8/semodule_link.8*
|
||||
%{_mandir}/man8/semodule_unpackage.8*
|
||||
|
||||
%package sandbox
|
||||
Summary: SELinux sandbox utilities
|
||||
|
@ -207,9 +232,12 @@ or level of a logged in user.
|
|||
|
||||
%files newrole
|
||||
%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
|
||||
|
||||
%{_sbindir}/run_init
|
||||
%{_mandir}/man8/run_init.8*
|
||||
%{_mandir}/ru/man8/run_init.8*
|
||||
%{_mandir}/man1/newrole.1.gz
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/newrole
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/run_init
|
||||
|
||||
%package gui
|
||||
Summary: SELinux configuration GUI
|
||||
|
@ -226,20 +254,28 @@ system-config-selinux is a utility for managing the SELinux environment
|
|||
%files gui
|
||||
%{_bindir}/system-config-selinux
|
||||
%{_bindir}/selinux-polgengui
|
||||
%{_datadir}/applications/sepolicy.desktop
|
||||
%{_datadir}/applications/system-config-selinux.desktop
|
||||
%{_datadir}/applications/selinux-polgengui.desktop
|
||||
%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
|
||||
%{_datadir}/pixmaps/system-config-selinux.png
|
||||
%{_datadir}/polkit-1/actions/org.selinux.policy
|
||||
%dir %{_datadir}/system-config-selinux
|
||||
%{_datadir}/system-config-selinux/system-config-selinux.png
|
||||
%{_datadir}/system-config-selinux/*.py*
|
||||
%{_datadir}/system-config-selinux/*.glade
|
||||
%{python_sitearch}/sepolicy/gui.py*
|
||||
%{python_sitearch}/sepolicy/sepolicy.glade
|
||||
%dir %{python_sitearch}/sepolicy/help
|
||||
%{python_sitearch}/sepolicy/help/*
|
||||
%{_datadir}/icons/hicolor/*/apps/sepolicy.png
|
||||
%{_datadir}/pixmaps/sepolicy.png
|
||||
%{_mandir}/man8/system-config-selinux.8*
|
||||
%{_mandir}/man8/selinux-polgengui.8*
|
||||
%{_mandir}/man8/sepolicy-gui.8*
|
||||
%{_datadir}/system-config-selinux/selinux_server.py
|
||||
%{_datadir}/dbus-1/system-services/org.selinux.service
|
||||
%{_datadir}/polkit-1/actions/org.selinux.policy
|
||||
%{_datadir}/polkit-1/actions/org.selinux.config.policy
|
||||
|
||||
%post gui
|
||||
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
|
||||
|
@ -257,42 +293,24 @@ fi
|
|||
%{_sbindir}/restorecon
|
||||
%{_sbindir}/fixfiles
|
||||
%{_sbindir}/setfiles
|
||||
%{_sbindir}/run_init
|
||||
%{_sbindir}/load_policy
|
||||
%{_sbindir}/genhomedircon
|
||||
%{_sbindir}/setsebool
|
||||
%{_sbindir}/semodule
|
||||
%{_sbindir}/sestatus
|
||||
%{_bindir}/secon
|
||||
%{_bindir}/semodule_deps
|
||||
%{_bindir}/semodule_expand
|
||||
%{_bindir}/semodule_link
|
||||
%{_bindir}/semodule_package
|
||||
%{_bindir}/semodule_unpackage
|
||||
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/run_init
|
||||
# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
|
||||
%{_mandir}/man5/selinux_config.5.gz
|
||||
%{_mandir}/man5/sestatus.conf.5.gz
|
||||
%{_mandir}/man8/fixfiles.8*
|
||||
%{_mandir}/ru/man8/fixfiles.8*
|
||||
%{_mandir}/man8/run_init.8*
|
||||
%{_mandir}/ru/man8/run_init.8*
|
||||
%{_mandir}/man8/load_policy.8*
|
||||
%{_mandir}/ru/man8/load_policy.8*
|
||||
%{_mandir}/man8/restorecon.8*
|
||||
%{_mandir}/ru/man8/restorecon.8*
|
||||
%{_mandir}/man8/semodule.8*
|
||||
%{_mandir}/ru/man8/semodule.8*
|
||||
%{_mandir}/man8/semodule_deps.8*
|
||||
%{_mandir}/ru/man8/semodule_deps.8*
|
||||
%{_mandir}/man8/semodule_expand.8*
|
||||
%{_mandir}/ru/man8/semodule_expand.8*
|
||||
%{_mandir}/man8/semodule_link.8*
|
||||
%{_mandir}/ru/man8/semodule_link.8*
|
||||
%{_mandir}/man8/semodule_package.8*
|
||||
%{_mandir}/man8/semodule_unpackage.8*
|
||||
%{_mandir}/ru/man8/semodule_package.8*
|
||||
%{_mandir}/man8/sestatus.8*
|
||||
%{_mandir}/ru/man8/sestatus.8*
|
||||
%{_mandir}/man8/setfiles.8*
|
||||
|
@ -335,7 +353,199 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Wed Aug 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-75
|
||||
* Wed May 7 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.2.5-4
|
||||
- Apply patch for org.selinux.policy to not be desktop centric from stefw@redhat.com
|
||||
- at_console should not be used any longer
|
||||
- seunshare: Use setcurrent before setexec
|
||||
|
||||
* Thu Jan 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-3
|
||||
- Add Miroslav patch to
|
||||
- Fix previously_modified_initialize() to show modified changes properly for all selections
|
||||
|
||||
* Wed Jan 8 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-2
|
||||
- Do not require /usr/share/selinux/devel/Makefile to build permissive domains
|
||||
|
||||
* Mon Jan 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-1
|
||||
- Update to upstream
|
||||
* Ignore selevel/serange if MLS is disabled from Sven Vermeulen.
|
||||
|
||||
* Fri Jan 3 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.4-8
|
||||
- Update Tranlations
|
||||
- Patch from Yuri Chornoivan to fix typos
|
||||
|
||||
* Fri Jan 3 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.4-7
|
||||
- Fixes Customized booleans causing a crash of the sepolicy gui
|
||||
|
||||
* Thu Jan 2 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.4-6
|
||||
- Fix sepolicy gui selection for advanced screen
|
||||
- Update Translations
|
||||
- Move requires checkpolicy requirement into policycoreutils-python
|
||||
|
||||
* Mon Dec 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-5
|
||||
- Fix semanage man page description of import command
|
||||
- Fix policy kit file to allow changing to permissive mode
|
||||
|
||||
* Mon Dec 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-4
|
||||
- Fix broken dependencies.
|
||||
|
||||
* Fri Dec 13 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-3
|
||||
- Break out python3 code into separate package
|
||||
|
||||
* Fri Dec 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-2
|
||||
- Add mgrepl patch
|
||||
- ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
|
||||
|
||||
* Tue Dec 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-1
|
||||
- Update to upstream
|
||||
* Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
|
||||
- Add patches for sepolicy gui from mgrepl to
|
||||
Fix advanced_item_button_push() to allow to select an application in advanced search menu
|
||||
Fix previously_modified_initialize() to show modified changes properly for all selections
|
||||
|
||||
* Fri Nov 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.3-1
|
||||
- Update to upstream
|
||||
* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
|
||||
* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
|
||||
- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
|
||||
|
||||
* Wed Nov 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-2
|
||||
- Fix selinux-polgengui, get_all_modules call
|
||||
|
||||
* Fri Nov 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-1
|
||||
- Speed up startup time of sepolicy gui
|
||||
- Clean up ports screen to only show enabled ports.
|
||||
- Update to upstream
|
||||
* Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
|
||||
* Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
|
||||
* Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
|
||||
|
||||
* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-2
|
||||
- Shift around some of the files to more appropriate packages.
|
||||
* semodule_* packages are required for devel.
|
||||
* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
|
||||
- Update to upstream
|
||||
* Properly build the swig exception file from Laurent Bigonville.
|
||||
* Fix man pages from Laurent Bigonville.
|
||||
* Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
|
||||
* Fix LDFLAGS usage from Laurent Bigonville.
|
||||
* Fix init_policy warning from Laurent Bigonville.
|
||||
* Fix semanage logging from Laurent Bigonville.
|
||||
* Open newrole stdin as read/write from Sven Vermeulen.
|
||||
* Fix sepolicy transition from Sven Vermeulen.
|
||||
* Support overriding CFLAGS from Simon Ruderich.
|
||||
* Create correct man directory for run_init from Russell Coker.
|
||||
* restorecon GLOB_BRACE change from Michal Trunecka.
|
||||
* Extend audit2why to report additional constraint information.
|
||||
* Catch IOError errors within audit2allow from Dan Walsh.
|
||||
* semanage export/import fixes from Dan Walsh.
|
||||
* Improve setfiles progress reporting from Dan Walsh.
|
||||
* Document setfiles -o option in usage from Dan Walsh.
|
||||
* Change setfiles to always return -1 on failure from Dan Walsh.
|
||||
* Improve setsebool error r eporting from Dan Walsh.
|
||||
* Major overhaul of gui from Dan Walsh.
|
||||
* Fix sepolicy handling of non-MLS policy from Dan Walsh.
|
||||
* Support returning type aliases from Dan Walsh.
|
||||
* Add sepolicy tests from Dan Walsh.
|
||||
* Add org.selinux.config.policy from Dan Walsh.
|
||||
* Improve range and user input checking by semanage from Dan Walsh.
|
||||
* Prevent source or target arguments that end with / for substitutions from Dan Walsh.
|
||||
* Allow use of <<none>> for semanage fcontext from Dan Walsh.
|
||||
* Report customized user levels from Dan Walsh.
|
||||
* Support deleteall for restoring disabled modules from Dan Walsh.
|
||||
* Improve semanage error reporting from Dan Walsh.
|
||||
* Only list disabled modules for module locallist from Dan Walsh.
|
||||
* Fix logging from Dan Walsh.
|
||||
* Define new constants for file type character codes from Dan Walsh.
|
||||
* Improve bash completions from Dan Walsh.
|
||||
* Convert semanage to argparse from Dan Walsh (originally by Dave Quigley).
|
||||
* Add semanage tests from Dan Walsh.
|
||||
* Split semanage man pages from Dan Walsh.
|
||||
* Move bash completion scripts from Dan Walsh.
|
||||
* Replace genhomedircon script with a link to semodule from Dan Walsh.
|
||||
* Fix fixfiles from Dan Walsh.
|
||||
* Add support for systemd service for restorecon from Dan Walsh.
|
||||
* Spelling corrections from Dan Walsh.
|
||||
* Improve sandbox support for home dir symlinks and file caps from Dan Walsh.
|
||||
* Switch sandbox to openbox window manager from Dan Walsh.
|
||||
* Coalesce audit2why and audit2allow from Dan Walsh.
|
||||
* Change audit2allow to append to output file from Dan Walsh.
|
||||
* Update translations from Dan Walsh.
|
||||
* Change audit2why to use selinux_current_policy_path from Dan Walsh.
|
||||
|
||||
* Fri Oct 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-89
|
||||
- Fix handling of man pages.
|
||||
|
||||
* Wed Oct 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-88
|
||||
- Cleanup errors found by pychecker
|
||||
- Apply patch from Michal Trunecka to allow restorecon to handle {} in globs
|
||||
|
||||
* Fri Oct 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-87
|
||||
- sepolicy gui
|
||||
- mgrepl fixes for users and login
|
||||
- Update Translations.
|
||||
|
||||
* Fri Oct 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-86
|
||||
- sepolicy gui
|
||||
- mgrepl added delete screens for users and login
|
||||
- Fix lots of bugs.
|
||||
- Update Translations.
|
||||
|
||||
|
||||
* Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-85
|
||||
- Fixes for fixfiles
|
||||
* exclude_from_dirs should apply to all types of restorecon calls
|
||||
* fixfiles check now works
|
||||
* exit with the correct status
|
||||
|
||||
- semanage no longer import selinux
|
||||
|
||||
* Wed Oct 2 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-84
|
||||
- Fixes for sepolicy gui
|
||||
- Fix setsebool to return 0 on success
|
||||
- Update Po
|
||||
|
||||
* Mon Sep 30 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-83
|
||||
- Fix sizes of help screens in sepolicy gui
|
||||
|
||||
* Sat Sep 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-82
|
||||
- Improvements to sepolicy gui
|
||||
- Add more help information
|
||||
- Cleanup code
|
||||
- Add deny_ptrace on lockdown screen
|
||||
- Make unconfined/permissivedomains lockdown work
|
||||
- Add more support for file equivalency
|
||||
|
||||
* Wed Sep 18 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-81
|
||||
- Add back in the help png files
|
||||
- Begin Adding support for file equivalency.
|
||||
|
||||
* Wed Sep 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-80
|
||||
- Random fixes for sepolicy gui
|
||||
* Do not prompt for password until you make a change
|
||||
* Add user mappings and selinux users page
|
||||
* lots of code cleanup
|
||||
|
||||
- Verify homedir is owned by user before mounting over it with seunshare
|
||||
- Fix fixfiles to handle Relabel properly
|
||||
- Fix semanage fcontext -e / command to allow "/"
|
||||
|
||||
* Wed Sep 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-79
|
||||
- Add Miroslav Grepl setsebool patch to give better error message on bad boolean names
|
||||
- Additional help screens for sepolicy gui
|
||||
|
||||
* Tue Sep 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-78
|
||||
- Random fixes for sepolicy gui
|
||||
- Update Translations
|
||||
|
||||
* Fri Aug 30 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-77
|
||||
- Add help screens for each page
|
||||
- Fixes for system page
|
||||
|
||||
* Mon Aug 26 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-76
|
||||
- Add Miroslav Grepl Patch to handle semanage -i and semanage -o better
|
||||
- Update Translations
|
||||
|
||||
* Thu Aug 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-75
|
||||
- Update sepolicy gui code, cleanups and add file transition tab
|
||||
- Fix semanage fcontext -a --ftype code to work.
|
||||
|
||||
|
|
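Review bot: In the `%prep` hunk the disabled line `#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}` (apparently on the new side, since the `+`/`-` column is lost on this page) still contains live macros, and rpm expands macros on `#` lines as well, so the comment does not fully neutralise it. Either drop the line or escape it as `#%%patch1 -p2 -b .sepolgen -d sepolgen-%%{sepolgenver}`; the same applies to nothing else in the hunk, because `#Patch1:` in the preamble has no macro in it. The three patches now applied as `%patch1` to `%patch3` change security-relevant defaults (the seunshare context switch, the D-Bus bus policy and the polkit defaults), so a short comment above each `PatchN:` tag recording where the patch came from would help whoever rebases the package.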
Binary file not shown.
Binary file not shown.
4
sources
4
sources
|
@ -1,3 +1,3 @@
|
|||
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
||||
22cb999c28b40b59a9d6b11824480ab8 policycoreutils-2.1.14.tgz
|
||||
960f29b498ba7efaa3aeb5e3796a1ba3 sepolgen-1.1.9.tgz
|
||||
e9134b52e6620c14cbce9234a6b67b20 sepolgen-1.2.1.tgz
|
||||
15340f6e3bdc703e2f960cd2dbff9019 policycoreutils-2.2.5.tgz
|
||||
|
|