policycoreutils-2.3-8.fc21

- add make-rhat-patches.sh script which creates policycoreutils-rhat.patch and sepolgen-rhat.patch patches
- use source files from https://github.com/SELinuxProject/selinux/wiki/Releases
- extract sources to selinux/ directory and build them there

Create -rhat patches from
399c6647b1

(cherry picked from commit 9d99a57696)

.gitignore

@@ -231,3 +231,5 @@ policycoreutils-2.0.83.tgz
 /sepolgen-1.1.1.tgz
 /sepolgen-1.1.2.tgz
 /policycoreutils-2.1.6.tgz
+/policycoreutils-2.3.tar.gz
+/sepolgen-1.2.1.tar.gz

make-rhat-patches.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+POLICYCOREUTILS_VERSION=2.3
+SEPOLGEN_VERSION=1.2.1
+BRANCH=f21
+
+REBASEDIR=`mktemp -d rebase.XXXXXX`
+pushd $REBASEDIR
+
+git clone git@github.com:fedora-selinux/selinux.git
+pushd selinux; git checkout $BRANCH; COMMIT=`git rev-parse --verify HEAD`; popd
+
+# prepare policycoreutils-rhat.patch
+tar xfz ../policycoreutils-$POLICYCOREUTILS_VERSION.tar.gz
+pushd policycoreutils-$POLICYCOREUTILS_VERSION
+
+git init; git add .; git commit -m "init"
+cp -r ../selinux/policycoreutils/* .
+git add -A .
+
+git diff --cached --src-prefix=a/policycoreutils-$POLICYCOREUTILS_VERSION/ --dst-prefix=b/policycoreutils-$POLICYCOREUTILS_VERSION/ > ../../policycoreutils-rhat.patch
+
+popd
+
+#prepare sepolgen-rhat.patch
+tar xfz ../sepolgen-$SEPOLGEN_VERSION.tar.gz
+pushd sepolgen-$SEPOLGEN_VERSION
+
+git init; git add .; git commit -m "init"
+cp -r ../selinux/sepolgen/* .
+git add -A .
+
+git diff --cached --src-prefix=a/sepolgen-$SEPOLGEN_VERSION/ --dst-prefix=b/sepolgen-$SEPOLGEN_VERSION/ > ../../sepolgen-rhat.patch
+
+popd
+
+popd
+# echo rm -rf $REBASEDIR
+
+echo policycoreutils-rhat.patch and sepolgen-rhat.patch created against https://github.com/fedora-selinux/selinux/commit/$COMMIT

policycoreutils.spec

@@ -7,18 +7,19 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.3
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
-# Based on git repository with tag 20101221
-Source:	git://oss.tresys.com/git/selinux/policycoreutils-%{version}.tgz
-Source1:git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+Source:	https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20140506/policycoreutils-%{version}.tar.gz
+Source1:https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20140506/sepolgen-%{sepolgenver}.tar.gz
 URL:	 http://www.selinuxproject.org
 Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
+# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
 Patch:	 policycoreutils-rhat.patch
-Patch1:  0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
+Patch1:  sepolgen-rhat.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
 Provides: /sbin/fixfiles
@@ -47,15 +48,19 @@ load_policy to load policies, setfiles to label filesystems, newrole
 to switch roles.
 
 %prep
-%setup -q -a 1
-%patch -p2 -b .rhat
-%patch1 -p2 -b .setfiles
-
-cp %{SOURCE3} gui/
-tar xvf %{SOURCE4}
+# create selinux/ directory and extract %{SOURCE0} there
+%setup -q -c -n selinux
+%patch -p1 -b .policycoreutils-rhat
+pushd policycoreutils-%{version}/
+popd
+cp %{SOURCE3} policycoreutils-%{version}/gui/
+tar -xvf %{SOURCE4} -C policycoreutils-%{version}/
+# extract {%SOURCE1} in selinux/ directory
+%setup -T -D -a 1 -n selinux
+%patch1 -p1 -b .sepolgen-rhat
 
 %build
-make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
+make -C policycoreutils-%{version} LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
 make -C sepolgen-%{sepolgenver} SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
 
 %install
@@ -66,10 +71,9 @@ mkdir -p %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_mandir}/man5
 mkdir -p %{buildroot}%{_mandir}/man8
 %{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
-cp COPYING %{buildroot}/%{_usr}/share/doc/%{name}/
 
-make LSPP_PRIV=y  DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
-make PYTHON=python3 LSPP_PRIV=y  DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
+make -C policycoreutils-%{version} LSPP_PRIV=y  DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
+make -C policycoreutils-%{version} PYTHON=python3 LSPP_PRIV=y  DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
 
 # Systemd
 rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
@@ -239,7 +243,6 @@ Group:	 System Environment/Base
 Requires: policycoreutils-python = %{version}-%{release}
 Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
 Requires: openbox
-BuildRequires: openbox
 BuildRequires: libcap-ng-devel
 
 %description sandbox
@@ -352,6 +355,9 @@ fi
 %{_mandir}/ru/man1/secon.1*
 %{_mandir}/man8/genhomedircon.8*
 %doc %{_usr}/share/doc/%{name}
+%{!?_licensedir:%global license %%doc}
+%license policycoreutils-%{version}/COPYING
+%doc %{_usr}/share/doc/%{name}
 
 %package restorecond
 Summary: SELinux restorecond utilities
@@ -370,6 +376,8 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_datadir}/dbus-1/services/org.selinux.Restorecond.service
 %{_mandir}/man8/restorecond.8*
 %{_mandir}/ru/man8/restorecond.8*
+%{!?_licensedir:%global license %%doc}
+%license policycoreutils-%{version}/COPYING
 
 %post restorecond
 %systemd_post restorecond.service
@@ -381,6 +389,19 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Fri Jun 26 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-8
+- setfiles/restorecon: fix -r/-R option (#1211721)
+- We need to cover file_context.XXX.homedir to have fixfiles with exclude_dirs working correctly
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-7.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Aug 6 2014  Dan Walsh <dwalsh@redhat.com> - 2.3-6.2
+- Remove build requires for openbox, not needed
+
+* Thu Jul 31 2014 Tom Callaway <spot@fedoraproject.org> - 2.3-6.1
+- fix license handling
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 

sepolgen-rhat.patch

@@ -0,0 +1,244 @@
+diff --git a/sepolgen-1.2.1/src/sepolgen/access.py b/sepolgen-1.2.1/src/sepolgen/access.py
+index cf13210..9154887 100644
+--- a/sepolgen-1.2.1/src/sepolgen/access.py
++++ b/sepolgen-1.2.1/src/sepolgen/access.py
+@@ -88,6 +88,8 @@ class AccessVector:
+             self.audit_msgs = []
+             self.type = audit2why.TERULE
+             self.data = []
++            self.obj_path = None
++            self.base_type = None
+ 
+         # The direction of the information flow represented by this
+         # access vector - used for matching
+@@ -133,6 +135,11 @@ class AccessVector:
+         return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
+                                         self.obj_class, self.perms.to_space_str())
+ 
++    def base_file_type(self):
++        base_type_array = []
++        base_type_array = [self.base_type, self.tgt_type, self.src_type]
++        return base_type_array
++
+     def __cmp__(self, other):
+         if self.src_type != other.src_type:
+             return cmp(self.src_type, other.src_type)
+@@ -256,7 +263,8 @@ class AccessVectorSet:
+         for av in l:
+             self.add_av(AccessVector(av))
+ 
+-    def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
++    def add(self, src_type, tgt_type, obj_class, perms, obj_path=None,
++            base_type=None, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
+         """Add an access vector to the set.
+         """
+         tgt = self.src.setdefault(src_type, { })
+@@ -269,7 +277,9 @@ class AccessVectorSet:
+             access.src_type = src_type
+             access.tgt_type = tgt_type
+             access.obj_class = obj_class
++            access.obj_path = obj_path
+             access.data = data
++            access.base_type = base_type
+             access.type = avc_type
+             cls[obj_class, avc_type] = access
+ 
+diff --git a/sepolgen-1.2.1/src/sepolgen/audit.py b/sepolgen-1.2.1/src/sepolgen/audit.py
+index 56919be..57263d0 100644
+--- a/sepolgen-1.2.1/src/sepolgen/audit.py
++++ b/sepolgen-1.2.1/src/sepolgen/audit.py
+@@ -169,6 +169,7 @@ class AVCMessage(AuditMessage):
+         self.exe = ""
+         self.path = ""
+         self.name = ""
++        self.ino = ""
+         self.accesses = []
+         self.denial = True
+         self.type = audit2why.TERULE
+@@ -230,6 +231,10 @@ class AVCMessage(AuditMessage):
+                 self.exe = fields[1][1:-1]
+             elif fields[0] == "name":
+                 self.name = fields[1][1:-1]
++            elif fields[0] == "path":
++                self.path = fields[1][1:-1]
++            elif fields[0] == "ino":
++                self.ino = fields[1]
+ 
+         if not found_src or not found_tgt or not found_class or not found_access:
+             raise ValueError("AVC message in invalid format [%s]\n" % self.message)
+@@ -354,7 +359,9 @@ class AuditParser:
+         self.path_msgs = []
+         self.by_header = { }
+         self.check_input_file = False
+-                
++        self.inode_dict = { }
++        self.__store_base_types()
++
+     # Low-level parsing function - tries to determine if this audit
+     # message is an SELinux related message and then parses it into
+     # the appropriate AuditMessage subclass. This function deliberately
+@@ -492,6 +499,60 @@ class AuditParser:
+         
+         return role_types
+ 
++    def __restore_path(self, name, inode):
++        import subprocess
++        import os
++        path = ""
++        # Optimizing
++        if name == "" or inode == "":
++            return path
++        for d in self.inode_dict:
++            if d == inode and self.inode_dict[d] == name:
++                return path
++            if d == inode and self.inode_dict[d] != name:
++                return self.inode_dict[d]
++        if inode not in self.inode_dict.keys():
++            self.inode_dict[inode] = name
++
++        command = "locate -b '\%s'" % name
++        try:
++            output = subprocess.check_output(command,
++                                             stderr=subprocess.STDOUT,
++                                             shell=True)
++            try:
++                ino = int(inode)
++            except ValueError:
++                pass
++            for file in output.split("\n"):
++                try:
++                    if int(os.lstat(file).st_ino) == ino:
++                        self.inode_dict[inode] = path = file
++                        return path
++                except:
++                    pass
++        except subprocess.CalledProcessError as e:
++            pass
++        return path
++
++    def __store_base_types(self):
++        import sepolicy
++        self.base_types = sepolicy.get_types_from_attribute("base_file_type")
++
++    def __get_base_type(self, tcontext, scontext):
++        import sepolicy
++        # Prevent unnecessary searching
++        if (self.old_scontext == scontext and
++            self.old_tcontext == tcontext):
++            return
++        self.old_scontext = scontext
++        self.old_tcontext = tcontext
++        for btype in self.base_types:
++            if btype == tcontext:
++                for writable in sepolicy.get_writable_files(scontext):
++                    if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
++                        return writable
++                return 0
++
+     def to_access(self, avc_filter=None, only_denials=True):
+         """Convert the audit logs access into a an access vector set.
+ 
+@@ -510,16 +571,23 @@ class AuditParser:
+            audit logs parsed by this object.
+         """
+         av_set = access.AccessVectorSet()
++        self.old_scontext = ""
++        self.old_tcontext = ""
+         for avc in self.avc_msgs:
+             if avc.denial != True and only_denials:
+                 continue
++            base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type)
++            if avc.path == "":
++                avc.path = self.__restore_path(avc.name, avc.ino)
+             if avc_filter:
+                 if avc_filter.filter(avc):
+                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+-                               avc.accesses, avc, avc_type=avc.type, data=avc.data)
++                               avc.accesses, avc.path, base_type, avc,
++                               avc_type=avc.type, data=avc.data)
+             else:
+                 av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+-                           avc.accesses, avc, avc_type=avc.type, data=avc.data)
++                           avc.accesses, avc.path, base_type, avc,
++                           avc_type=avc.type, data=avc.data)
+         return av_set
+ 
+ class AVCTypeFilter:
+diff --git a/sepolgen-1.2.1/src/sepolgen/policygen.py b/sepolgen-1.2.1/src/sepolgen/policygen.py
+index 5f38577..3b9e9f4 100644
+--- a/sepolgen-1.2.1/src/sepolgen/policygen.py
++++ b/sepolgen-1.2.1/src/sepolgen/policygen.py
+@@ -81,8 +81,9 @@ class PolicyGenerator:
+             self.module = refpolicy.Module()
+ 
+         self.dontaudit = False
+-
++        self.mislabled = None
+         self.domains = None
++
+     def set_gen_refpol(self, if_set=None, perm_maps=None):
+         """Set whether reference policy interfaces are generated.
+ 
+@@ -152,6 +153,18 @@ class PolicyGenerator:
+         """Return the generated module"""
+         return self.module
+ 
++    def __restore_label(self, av):
++        import selinux
++        try:
++            context = selinux.matchpathcon(av.obj_path, 0)
++            split = context[1].split(":")[2]
++            if split != av.tgt_type:
++                self.mislabled = split
++                return
++        except OSError:
++            pass
++        self.mislabled = None
++
+     def __add_allow_rules(self, avs):
+         for av in avs:
+             rule = refpolicy.AVRule(av)
+@@ -160,6 +173,34 @@ class PolicyGenerator:
+             rule.comment = ""
+             if self.explain:
+                 rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
++            # base_type[0] == 0 means there exists a base type but not the path
++            # base_type[0] == None means user isn't using base type
++            # base_type[1] contains the target context
++            # base_type[2] contains the source type
++            base_type = av.base_file_type()
++            if base_type[0] == 0 and av.type != audit2why.ALLOW:
++                  rule.comment += "\n#!!!! WARNING: '%s' is a base type." % "".join(base_type[1])
++            for perm in av.perms:
++                if perm == "write" or perm == "create":
++                    permission = True
++                    break
++                else:
++                    permission = False
++
++            # Catch perms 'write' and 'create' for base types
++            if (base_type[0] is not None and base_type[0] != 0
++                and permission and av.type != audit2why.ALLOW):
++                if av.obj_class == dir:
++                    comp = "(/.*?)"
++                else:
++                    comp = ""
++                rule.comment += "\n#!!!! WARNING '%s' is not allowed to write or create to %s.  Change the label to %s." % ("".join(base_type[2]), "".join(base_type[1]), "".join(base_type[0]))
++                if av.obj_path != "":
++                    rule.comment += "\n#!!!! $ semange fcontext -a -t %s %s%s   \n#!!!! $ restorecon -R -v %s" % ("".join(base_type[0]), "".join(av.obj_path), "".join(comp) ,"".join(av.obj_path))
++
++            self.__restore_label(av)
++            if self.mislabled is not None and av.type != audit2why.ALLOW:
++                rule.comment += "\n#!!!! The file '%s' is mislabeled on your system.  \n#!!!! Fix with $ restorecon -R -v %s" % ("".join(av.obj_path), "".join(av.obj_path))
+             if av.type == audit2why.ALLOW:
+                 rule.comment += "\n#!!!! This avc is allowed in the current policy"
+             if av.type == audit2why.DONTAUDIT:
+@@ -174,7 +215,7 @@ class PolicyGenerator:
+             if av.type == audit2why.CONSTRAINT:
+                 rule.comment += "\n#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access."
+                 rule.comment += "\n#Constraint rule: "
+-                rule.comment += "\n\t" + av.data[0]
++                rule.comment += "\n#\t" + av.data[0]
+                 for reason in av.data[1:]:
+                     rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
+ 

sources

@@ -1,3 +1,3 @@
 59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2
-e9134b52e6620c14cbce9234a6b67b20  sepolgen-1.2.1.tgz
-99b6d7ceb2b58d4cd88a8ec0e7c8631a  policycoreutils-2.3.tgz
+9a5db20adfe2250f53833b277ac796ae  policycoreutils-2.3.tar.gz
+ce662a83188bc3a9b40c15792fcaf2c8  sepolgen-1.2.1.tar.gz