Compare commits
18 Commits
Author | SHA1 | Date |
---|---|---|
Petr Lautrbach | 8be71ebc82 | |
Fedora Release Engineering | 1ddbcb0893 | |
Petr Lautrbach | 2ffe12911e | |
Petr Lautrbach | a5f1b8ddc2 | |
Petr Lautrbach | dfa7890c72 | |
Petr Lautrbach | 4ae915ba4e | |
Ondrej Mosnacek | ad77419a1d | |
Petr Lautrbach | ea27f43a6d | |
Petr Lautrbach | 5da4fbf19c | |
Fedora Release Engineering | 9dd12dbbe5 | |
Python Maint | e3fdda47ee | |
Petr Lautrbach | d7133c7185 | |
Vit Mojzis | 4e05786ea5 | |
Petr Lautrbach | 65687b17c1 | |
Zbigniew Jędrzejewski-Szmek | 2304844e56 | |
Petr Lautrbach | 8c9bb8afaf | |
Fedora Release Engineering | 3ec9603c09 | |
Petr Lautrbach | b96da65939 |
|
@ -322,3 +322,21 @@ policycoreutils-2.0.83.tgz
|
|||
/selinux-python-3.1.tar.gz
|
||||
/selinux-sandbox-3.1.tar.gz
|
||||
/semodule-utils-3.1.tar.gz
|
||||
/policycoreutils-3.2-rc1.tar.gz
|
||||
/restorecond-3.2-rc1.tar.gz
|
||||
/selinux-dbus-3.2-rc1.tar.gz
|
||||
/selinux-gui-3.2-rc1.tar.gz
|
||||
/selinux-python-3.2-rc1.tar.gz
|
||||
/selinux-sandbox-3.2-rc1.tar.gz
|
||||
/semodule-utils-3.2-rc1.tar.gz
|
||||
/policycoreutils-3.2-rc2.tar.gz
|
||||
/restorecond-3.2-rc2.tar.gz
|
||||
/selinux-dbus-3.2-rc2.tar.gz
|
||||
/selinux-gui-3.2-rc2.tar.gz
|
||||
/selinux-python-3.2-rc2.tar.gz
|
||||
/selinux-sandbox-3.2-rc2.tar.gz
|
||||
/semodule-utils-3.2-rc2.tar.gz
|
||||
/selinux-3.2.tar.gz
|
||||
/selinux-3.3-rc2.tar.gz
|
||||
/selinux-3.3-rc3.tar.gz
|
||||
/selinux-3.3.tar.gz
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
|
||||
From: "W. Michael Petullo" <mike@flyn.org>
|
||||
Date: Thu, 16 Jul 2020 15:29:20 -0500
|
||||
Subject: [PATCH] python/audit2allow: add #include <limits.h> to
|
||||
sepolgen-ifgen-attr-helper.c
|
||||
|
||||
I found that building on OpenWrt/musl failed with:
|
||||
|
||||
sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
|
||||
|
||||
Musl is less "generous" than glibc in recursively including header
|
||||
files, and I suspect this is the reason for this error. Explicitly
|
||||
including limits.h fixes the problem.
|
||||
|
||||
Signed-off-by: W. Michael Petullo <mike@flyn.org>
|
||||
---
|
||||
python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||
index 53f20818722a..f010c9584c1f 100644
|
||||
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#include <selinux/selinux.h>
|
||||
|
||||
+#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
|
||||
From ec3bf6f3e5468ba7b5164cc588ef5746454808a5 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 20 Aug 2015 12:58:41 +0200
|
||||
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
|
||||
|
@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
|
|||
cat > ~/seremote << __EOF
|
||||
#!/bin/sh
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
|
||||
From 7a548cae4303f8429040ba6be67be182b7f9a943 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Mon, 21 Apr 2014 13:54:40 -0400
|
||||
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
|
||||
|
@ -9,10 +9,10 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
|
|||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 3e8a3be907e3..a1d70623cff0 100755
|
||||
index 2f847abb87e2..dccd778ed4be 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -735,10 +735,13 @@ Default Defined Ports:""")
|
||||
@@ -737,10 +737,13 @@ Default Defined Ports:""")
|
||||
|
||||
def _file_context(self):
|
||||
flist = []
|
||||
|
@ -26,9 +26,9 @@ index 3e8a3be907e3..a1d70623cff0 100755
|
|||
if f in self.fcdict:
|
||||
mpaths = mpaths + self.fcdict[f]["regex"]
|
||||
if len(mpaths) == 0:
|
||||
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
SELinux defines the file context types for the %(domainname)s, if you wanted to
|
||||
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
|
||||
store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
|
||||
|
||||
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
|
||||
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
|
||||
|
@ -42,5 +42,5 @@ index 3e8a3be907e3..a1d70623cff0 100755
|
|||
self.fd.write(r"""
|
||||
.I The following file types are defined for %(domainname)s:
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
|
||||
From: Laurent Bigonville <bigon@bigon.be>
|
||||
Date: Thu, 16 Jul 2020 14:22:13 +0200
|
||||
Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
|
||||
restorecond.desktop file
|
||||
|
||||
This completely inactivate the .desktop file incase the user session is
|
||||
managed by systemd as restorecond also provide a service file
|
||||
|
||||
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
|
||||
---
|
||||
restorecond/restorecond.desktop | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
|
||||
index af7286801c24..7df854727a3f 100644
|
||||
--- a/restorecond/restorecond.desktop
|
||||
+++ b/restorecond/restorecond.desktop
|
||||
@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
|
||||
Type=Application
|
||||
StartupNotify=false
|
||||
X-GNOME-Autostart-enabled=false
|
||||
+X-GNOME-HiddenUnderSystemd=true
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
|
||||
From b3cb362afe86278c600d6e97cc7abf9c0b102071 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Mon, 12 May 2014 14:11:22 +0200
|
||||
Subject: [PATCH] If there is no executable we don't want to print a part of
|
||||
|
@ -9,10 +9,10 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
|
|||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index a1d70623cff0..2d33eabb2536 100755
|
||||
index dccd778ed4be..81333928d552 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
.PP
|
||||
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
|
||||
|
||||
|
@ -23,5 +23,5 @@ index a1d70623cff0..2d33eabb2536 100755
|
|||
.B STANDARD FILE CONTEXT
|
||||
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,136 +0,0 @@
|
|||
From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
|
||||
From: bauen1 <j2468h@googlemail.com>
|
||||
Date: Thu, 6 Aug 2020 16:48:36 +0200
|
||||
Subject: [PATCH] fixfiles: correctly restore context of mountpoints
|
||||
|
||||
By bind mounting every filesystem we want to relabel we can access all
|
||||
files without anything hidden due to active mounts.
|
||||
|
||||
This comes at the cost of user experience, because setfiles only
|
||||
displays the percentage if no path is given or the path is /
|
||||
|
||||
Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++----
|
||||
policycoreutils/scripts/fixfiles.8 | 8 ++++++--
|
||||
2 files changed, 31 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||
index 5d7770348349..30dadb4f4cb6 100755
|
||||
--- a/policycoreutils/scripts/fixfiles
|
||||
+++ b/policycoreutils/scripts/fixfiles
|
||||
@@ -112,6 +112,7 @@ FORCEFLAG=""
|
||||
RPMFILES=""
|
||||
PREFC=""
|
||||
RESTORE_MODE=""
|
||||
+BIND_MOUNT_FILESYSTEMS=""
|
||||
SETFILES=/sbin/setfiles
|
||||
RESTORECON=/sbin/restorecon
|
||||
FILESYSTEMSRW=`get_rw_labeled_mounts`
|
||||
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
|
||||
if [ -n "${FILESYSTEMSRW}" ]; then
|
||||
LogReadOnly
|
||||
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
|
||||
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
||||
+
|
||||
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
|
||||
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
||||
+ else
|
||||
+ # we bind mount so we can fix the labels of files that have already been
|
||||
+ # mounted over
|
||||
+ for m in `echo $FILESYSTEMSRW`; do
|
||||
+ TMP_MOUNT="$(mktemp -d)"
|
||||
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
|
||||
+
|
||||
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
|
||||
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
|
||||
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
|
||||
+ umount "${TMP_MOUNT}${m}" || exit 1
|
||||
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
|
||||
+ done;
|
||||
+ fi
|
||||
else
|
||||
echo >&2 "fixfiles: No suitable file systems found"
|
||||
fi
|
||||
@@ -313,6 +330,7 @@ case "$1" in
|
||||
> /.autorelabel || exit $?
|
||||
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
|
||||
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
|
||||
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
|
||||
# Force full relabel if SELinux is not enabled
|
||||
selinuxenabled || echo -F > /.autorelabel
|
||||
echo "System will relabel on next boot"
|
||||
@@ -324,7 +342,7 @@ esac
|
||||
}
|
||||
usage() {
|
||||
echo $"""
|
||||
-Usage: $0 [-v] [-F] [-f] relabel
|
||||
+Usage: $0 [-v] [-F] [-M] [-f] relabel
|
||||
or
|
||||
Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
|
||||
or
|
||||
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
|
||||
or
|
||||
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
or
|
||||
-Usage: $0 [-F] [-B] onboot
|
||||
+Usage: $0 [-F] [-M] [-B] onboot
|
||||
"""
|
||||
}
|
||||
|
||||
@@ -353,7 +371,7 @@ set_restore_mode() {
|
||||
}
|
||||
|
||||
# See how we were called.
|
||||
-while getopts "N:BC:FfR:l:v" i; do
|
||||
+while getopts "N:BC:FfR:l:vM" i; do
|
||||
case "$i" in
|
||||
B)
|
||||
BOOTTIME=`/bin/who -b | awk '{print $3}'`
|
||||
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
|
||||
echo "Redirecting output to $OPTARG"
|
||||
exec >>"$OPTARG" 2>&1
|
||||
;;
|
||||
+ M)
|
||||
+ BIND_MOUNT_FILESYSTEMS="-M"
|
||||
+ ;;
|
||||
F)
|
||||
FORCEFLAG="-F"
|
||||
;;
|
||||
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
|
||||
index 9f447f03d444..123425308416 100644
|
||||
--- a/policycoreutils/scripts/fixfiles.8
|
||||
+++ b/policycoreutils/scripts/fixfiles.8
|
||||
@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
|
||||
.na
|
||||
|
||||
.B fixfiles
|
||||
-.I [\-v] [\-F] [\-f] relabel
|
||||
+.I [\-v] [\-F] [-M] [\-f] relabel
|
||||
|
||||
.B fixfiles
|
||||
.I [\-v] [\-F] { check | restore | verify } dir/file ...
|
||||
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
|
||||
.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
|
||||
.B fixfiles
|
||||
-.I [-F] [-B] onboot
|
||||
+.I [-F] [-M] [-B] onboot
|
||||
|
||||
.ad
|
||||
|
||||
@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
|
||||
Only act on files created after the specified date. Date must be specified in
|
||||
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
|
||||
|
||||
+.TP
|
||||
+.B \-M
|
||||
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
|
||||
+
|
||||
.TP
|
||||
.B -v
|
||||
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
|
||||
From b954ff8379e03714f707daa85111f6bf2f265772 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu, 19 Feb 2015 17:45:15 +0100
|
||||
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
|
||||
|
@ -11,10 +11,10 @@ Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
|
|||
2 files changed, 13 insertions(+), 77 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
|
||||
index e4540977d042..ad718797ca68 100644
|
||||
index e8654abbceb3..a2475d22547a 100644
|
||||
--- a/python/sepolicy/sepolicy/__init__.py
|
||||
+++ b/python/sepolicy/sepolicy/__init__.py
|
||||
@@ -1208,27 +1208,14 @@ def boolean_desc(boolean):
|
||||
@@ -1225,27 +1225,14 @@ def boolean_desc(boolean):
|
||||
|
||||
|
||||
def get_os_version():
|
||||
|
@ -49,10 +49,10 @@ index e4540977d042..ad718797ca68 100644
|
|||
|
||||
def reinit():
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 2d33eabb2536..acc77f368d95 100755
|
||||
index 81333928d552..dc3e5207c57c 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
|
||||
@@ -151,10 +151,6 @@ def prettyprint(f, trim):
|
||||
manpage_domains = []
|
||||
manpage_roles = []
|
||||
|
||||
|
@ -63,7 +63,7 @@ index 2d33eabb2536..acc77f368d95 100755
|
|||
def get_alphabet_manpages(manpage_list):
|
||||
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
|
||||
for i in string.ascii_letters:
|
||||
@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
|
||||
@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage):
|
||||
class HTMLManPages:
|
||||
|
||||
"""
|
||||
|
@ -72,7 +72,7 @@ index 2d33eabb2536..acc77f368d95 100755
|
|||
"""
|
||||
|
||||
def __init__(self, manpage_roles, manpage_domains, path, os_version):
|
||||
@@ -190,9 +186,9 @@ class HTMLManPages:
|
||||
@@ -192,9 +188,9 @@ class HTMLManPages:
|
||||
self.manpage_domains = get_alphabet_manpages(manpage_domains)
|
||||
self.os_version = os_version
|
||||
self.old_path = path + "/"
|
||||
|
@ -84,7 +84,7 @@ index 2d33eabb2536..acc77f368d95 100755
|
|||
self.__gen_html_manpages()
|
||||
else:
|
||||
print("SELinux HTML man pages can not be generated for this %s" % os_version)
|
||||
@@ -201,7 +197,6 @@ class HTMLManPages:
|
||||
@@ -203,7 +199,6 @@ class HTMLManPages:
|
||||
def __gen_html_manpages(self):
|
||||
self._write_html_manpage()
|
||||
self._gen_index()
|
||||
|
@ -92,7 +92,7 @@ index 2d33eabb2536..acc77f368d95 100755
|
|||
self._gen_css()
|
||||
|
||||
def _write_html_manpage(self):
|
||||
@@ -219,67 +214,21 @@ class HTMLManPages:
|
||||
@@ -221,67 +216,21 @@ class HTMLManPages:
|
||||
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
|
||||
|
||||
def _gen_index(self):
|
||||
|
@ -165,5 +165,5 @@ index 2d33eabb2536..acc77f368d95 100755
|
|||
if len(self.manpage_roles[letter]):
|
||||
fd.write("""
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,112 +0,0 @@
|
|||
From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Wed, 19 Aug 2020 17:05:33 +0200
|
||||
Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
All tools like ausearch(8) or sesearch(1) and online documentation[1]
|
||||
use hexadecimal values for extended permissions.
|
||||
Hence use them, e.g. for audit2allow output, as well.
|
||||
|
||||
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
python/sepolgen/src/sepolgen/refpolicy.py | 5 ++---
|
||||
python/sepolgen/tests/test_access.py | 10 +++++-----
|
||||
python/sepolgen/tests/test_refpolicy.py | 12 ++++++------
|
||||
3 files changed, 13 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
|
||||
index 43cecfc77385..747636875ef7 100644
|
||||
--- a/python/sepolgen/src/sepolgen/refpolicy.py
|
||||
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
|
||||
@@ -407,10 +407,9 @@ class XpermSet():
|
||||
|
||||
# print single value without braces
|
||||
if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
|
||||
- return compl + str(self.ranges[0][0])
|
||||
+ return compl + hex(self.ranges[0][0])
|
||||
|
||||
- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
|
||||
- self.ranges)
|
||||
+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
|
||||
|
||||
return "%s{ %s }" % (compl, " ".join(vals))
|
||||
|
||||
diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
|
||||
index 73a5407df617..623588e09aeb 100644
|
||||
--- a/python/sepolgen/tests/test_access.py
|
||||
+++ b/python/sepolgen/tests/test_access.py
|
||||
@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
|
||||
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||
|
||||
def text_merge_xperm2(self):
|
||||
"""Test merging AV that does not contain xperms with AV that does"""
|
||||
@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
|
||||
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||
|
||||
def test_merge_xperm_diff_op(self):
|
||||
"""Test merging two AVs that contain xperms with different operation"""
|
||||
@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(list(a.perms), ["read"])
|
||||
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
|
||||
- self.assertEqual(a.xperms["asdf"].to_string(), "23")
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||
|
||||
def test_merge_xperm_same_op(self):
|
||||
"""Test merging two AVs that contain xperms with same operation"""
|
||||
@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(list(a.perms), ["read"])
|
||||
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
|
||||
|
||||
class TestUtilFunctions(unittest.TestCase):
|
||||
def test_is_idparam(self):
|
||||
diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
|
||||
index 4b50c8aada96..c7219fd568e9 100644
|
||||
--- a/python/sepolgen/tests/test_refpolicy.py
|
||||
+++ b/python/sepolgen/tests/test_refpolicy.py
|
||||
@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
|
||||
a.complement = True
|
||||
self.assertEqual(a.to_string(), "")
|
||||
a.add(1234)
|
||||
- self.assertEqual(a.to_string(), "~ 1234")
|
||||
+ self.assertEqual(a.to_string(), "~ 0x4d2")
|
||||
a.complement = False
|
||||
- self.assertEqual(a.to_string(), "1234")
|
||||
+ self.assertEqual(a.to_string(), "0x4d2")
|
||||
a.add(2345)
|
||||
- self.assertEqual(a.to_string(), "{ 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
|
||||
a.complement = True
|
||||
- self.assertEqual(a.to_string(), "~ { 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
|
||||
a.add(42,64)
|
||||
- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
|
||||
a.complement = False
|
||||
- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
|
||||
|
||||
class TestSecurityContext(unittest.TestCase):
|
||||
def test_init(self):
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
|
||||
From 7572bbec8b6a422e722864348a53d5e0f855e7f6 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Fri, 20 Feb 2015 16:42:01 +0100
|
||||
Subject: [PATCH] We want to remove the trailing newline for
|
||||
|
@ -9,10 +9,10 @@ Subject: [PATCH] We want to remove the trailing newline for
|
|||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
|
||||
index ad718797ca68..ea05d892bf3b 100644
|
||||
index a2475d22547a..8055a12f6020 100644
|
||||
--- a/python/sepolicy/sepolicy/__init__.py
|
||||
+++ b/python/sepolicy/sepolicy/__init__.py
|
||||
@@ -1211,7 +1211,7 @@ def get_os_version():
|
||||
@@ -1228,7 +1228,7 @@ def get_os_version():
|
||||
system_release = ""
|
||||
try:
|
||||
with open('/etc/system-release') as f:
|
||||
|
@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
|
|||
system_release = "Misc"
|
||||
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,109 +0,0 @@
|
|||
From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Wed, 19 Aug 2020 17:05:34 +0200
|
||||
Subject: [PATCH] sepolgen: sort extended rules like normal ones
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently:
|
||||
|
||||
#============= sshd_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t ptmx_t:chr_file ioctl;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t sshd_devpts_t:chr_file ioctl;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t user_devpts_t:chr_file ioctl;
|
||||
|
||||
#============= user_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t devtty_t:chr_file ioctl;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t user_devpts_t:chr_file ioctl;
|
||||
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
|
||||
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
|
||||
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
|
||||
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
|
||||
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
|
||||
|
||||
Changed:
|
||||
|
||||
#============= sshd_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t ptmx_t:chr_file ioctl;
|
||||
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t sshd_devpts_t:chr_file ioctl;
|
||||
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t user_devpts_t:chr_file ioctl;
|
||||
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
|
||||
|
||||
#============= user_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t devtty_t:chr_file ioctl;
|
||||
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t user_devpts_t:chr_file ioctl;
|
||||
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
python/sepolgen/src/sepolgen/output.py | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
|
||||
index 3a21b64c19f7..aeeaafc889e7 100644
|
||||
--- a/python/sepolgen/src/sepolgen/output.py
|
||||
+++ b/python/sepolgen/src/sepolgen/output.py
|
||||
@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
|
||||
return ret
|
||||
|
||||
# At this point, who cares - just return something
|
||||
- return cmp(len(a.perms), len(b.perms))
|
||||
+ return 0
|
||||
|
||||
# Compare two interface calls
|
||||
def ifcall_cmp(a, b):
|
||||
@@ -100,7 +100,7 @@ def rule_cmp(a, b):
|
||||
else:
|
||||
return id_set_cmp([a.args[0]], b.src_types)
|
||||
else:
|
||||
- if isinstance(b, refpolicy.AVRule):
|
||||
+ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
|
||||
return avrule_cmp(a,b)
|
||||
else:
|
||||
return id_set_cmp(a.src_types, [b.args[0]])
|
||||
@@ -130,6 +130,7 @@ def sort_filter(module):
|
||||
# we assume is the first argument for interfaces).
|
||||
rules = []
|
||||
rules.extend(node.avrules())
|
||||
+ rules.extend(node.avextrules())
|
||||
rules.extend(node.interface_calls())
|
||||
rules.sort(key=util.cmp_to_key(rule_cmp))
|
||||
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
|
||||
From a4d59dcce863a02895fe40e487176149f3a4ad5b Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Fri, 20 Feb 2015 16:42:53 +0100
|
||||
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
|
||||
|
@ -8,10 +8,10 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
|
|||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index acc77f368d95..4aeb3e2e51ba 100755
|
||||
index dc3e5207c57c..6420ebe2e08e 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -220,7 +220,7 @@ class HTMLManPages:
|
||||
@@ -222,7 +222,7 @@ class HTMLManPages:
|
||||
<html>
|
||||
<head>
|
||||
<link rel=stylesheet type="text/css" href="style.css" title="style">
|
||||
|
@ -21,5 +21,5 @@ index acc77f368d95..4aeb3e2e51ba 100755
|
|||
<body>
|
||||
<h1>SELinux man pages for %s</h1>
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
|
||||
From: Dominick Grift <dominick.grift@defensec.nl>
|
||||
Date: Tue, 1 Sep 2020 18:16:41 +0200
|
||||
Subject: [PATCH] newrole: support cross-compilation with PAM and audit
|
||||
|
||||
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
|
||||
|
||||
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
policycoreutils/newrole/Makefile | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
|
||||
index 73ebd413da85..0e7ebce3dd56 100644
|
||||
--- a/policycoreutils/newrole/Makefile
|
||||
+++ b/policycoreutils/newrole/Makefile
|
||||
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
|
||||
MANDIR ?= $(PREFIX)/share/man
|
||||
ETCDIR ?= /etc
|
||||
LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
|
||||
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
|
||||
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
|
||||
+INCLUDEDIR ?= $(PREFIX)/include
|
||||
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
|
||||
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
|
||||
# Enable capabilities to permit newrole to generate audit records.
|
||||
# This will make newrole a setuid root program.
|
||||
# The capabilities used are: CAP_AUDIT_WRITE.
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
|
||||
From f183dd36c66069c95726e1dab47639e76077d86a Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Fri, 14 Feb 2014 12:32:12 -0500
|
||||
Subject: [PATCH] Don't be verbose if you are not on a tty
|
||||
|
@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
|
|||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||
index 30dadb4f4cb6..e73bb81c3336 100755
|
||||
index 6fb12e0451a9..cb20002ab613 100755
|
||||
--- a/policycoreutils/scripts/fixfiles
|
||||
+++ b/policycoreutils/scripts/fixfiles
|
||||
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
|
||||
|
@ -20,5 +20,5 @@ index 30dadb4f4cb6..e73bb81c3336 100755
|
|||
RPMFILES=""
|
||||
PREFC=""
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
|
||||
From fae31a306e7b6084710c02b658ace668766fc004 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 27 Feb 2017 17:12:39 +0100
|
||||
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
|
||||
|
@ -11,10 +11,10 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
|
|||
1 file changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 4aeb3e2e51ba..330b055af214 100755
|
||||
index 6420ebe2e08e..d15522135288 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -125,8 +125,24 @@ def gen_domains():
|
||||
@@ -127,8 +127,24 @@ def gen_domains():
|
||||
domains.sort()
|
||||
return domains
|
||||
|
||||
|
@ -40,7 +40,7 @@ index 4aeb3e2e51ba..330b055af214 100755
|
|||
|
||||
def _gen_types():
|
||||
global types
|
||||
@@ -372,6 +388,8 @@ class ManPage:
|
||||
@@ -374,6 +390,8 @@ class ManPage:
|
||||
self.all_file_types = sepolicy.get_all_file_types()
|
||||
self.role_allows = sepolicy.get_all_role_allows()
|
||||
self.types = _gen_types()
|
||||
|
@ -49,7 +49,7 @@ index 4aeb3e2e51ba..330b055af214 100755
|
|||
|
||||
if self.source_files:
|
||||
self.fcpath = self.root + "file_contexts"
|
||||
@@ -689,7 +707,7 @@ Default Defined Ports:""")
|
||||
@@ -691,7 +709,7 @@ Default Defined Ports:""")
|
||||
for f in self.all_file_types:
|
||||
if f.startswith(self.domainname):
|
||||
flist.append(f)
|
||||
|
@ -59,5 +59,5 @@ index 4aeb3e2e51ba..330b055af214 100755
|
|||
if f in self.fcdict:
|
||||
mpaths = mpaths + self.fcdict[f]["regex"]
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
|
||||
From afe686ec783ccf442c8e2bbcb9dbdb7650328253 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 28 Feb 2017 21:29:46 +0100
|
||||
Subject: [PATCH] sepolicy: Another small optimization for mcs types
|
||||
|
@ -8,10 +8,10 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
|
|||
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 330b055af214..f8584436960d 100755
|
||||
index d15522135288..ffcedb547993 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -142,6 +142,15 @@ def _gen_entry_types():
|
||||
@@ -144,6 +144,15 @@ def _gen_entry_types():
|
||||
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
|
||||
return entry_types
|
||||
|
||||
|
@ -27,7 +27,7 @@ index 330b055af214..f8584436960d 100755
|
|||
types = None
|
||||
|
||||
def _gen_types():
|
||||
@@ -390,6 +399,7 @@ class ManPage:
|
||||
@@ -392,6 +401,7 @@ class ManPage:
|
||||
self.types = _gen_types()
|
||||
self.exec_types = _gen_exec_types()
|
||||
self.entry_types = _gen_entry_types()
|
||||
|
@ -35,7 +35,7 @@ index 330b055af214..f8584436960d 100755
|
|||
|
||||
if self.source_files:
|
||||
self.fcpath = self.root + "file_contexts"
|
||||
@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an
|
||||
@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an
|
||||
%s""" % ", ".join(paths))
|
||||
|
||||
def _mcs_types(self):
|
||||
|
@ -49,5 +49,5 @@ index 330b055af214..f8584436960d 100755
|
|||
self.fd.write ("""
|
||||
.SH "MCS Constrained"
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
|
||||
From 28879b771a804242d00a8a978bdbc4b85210814d Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 13:23:00 +0200
|
||||
Subject: [PATCH] Move po/ translation files into the right sub-directories
|
||||
|
@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
|
|||
@@ -0,0 +1 @@
|
||||
+../sandbox
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
|
||||
From a8cacf2944ddd803909d2111bdf2d43ab90e1111 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 13:37:07 +0200
|
||||
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
|
||||
|
@ -55,7 +55,7 @@ index bad5140d8c59..6bbe4de5884f 100644
|
|||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
|
||||
index 370bbee40786..e424366da26f 100644
|
||||
index d26aa1b405a9..52292cae01d2 100644
|
||||
--- a/gui/fcontextPage.py
|
||||
+++ b/gui/fcontextPage.py
|
||||
@@ -47,7 +47,7 @@ class context:
|
||||
|
@ -185,20 +185,20 @@ index fdd2e46ee3f9..839ddd3b54b6 100755
|
|||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/semanage/semanage b/python/semanage/semanage
|
||||
index b2fabea67a87..3cc30a160a74 100644
|
||||
index 18a2710531ca..0980aecb6311 100644
|
||||
--- a/python/semanage/semanage
|
||||
+++ b/python/semanage/semanage
|
||||
@@ -27,7 +27,7 @@ import traceback
|
||||
import argparse
|
||||
import seobject
|
||||
@@ -30,7 +30,7 @@ import seobject
|
||||
import sys
|
||||
import traceback
|
||||
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||
index 6a14f7b47dd5..b51a7e3e7ca3 100644
|
||||
index 21adbf6eb74f..69e60db80060 100644
|
||||
--- a/python/semanage/seobject.py
|
||||
+++ b/python/semanage/seobject.py
|
||||
@@ -29,7 +29,7 @@ import sys
|
||||
|
@ -208,8 +208,8 @@ index 6a14f7b47dd5..b51a7e3e7ca3 100644
|
|||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
import sepolicy
|
||||
import setools
|
||||
import ipaddress
|
||||
from setools.policyrep import SELinuxPolicy
|
||||
from setools.typequery import TypeQuery
|
||||
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
|
||||
index 998c4356415c..56ebd807c69c 100644
|
||||
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
|
||||
|
@ -237,12 +237,12 @@ index 7b2230651099..32956e58f52e 100755
|
|||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
|
||||
index ea05d892bf3b..9a9c2ae9f237 100644
|
||||
index 8055a12f6020..aa8beda313c8 100644
|
||||
--- a/python/sepolicy/sepolicy/__init__.py
|
||||
+++ b/python/sepolicy/sepolicy/__init__.py
|
||||
@@ -13,7 +13,7 @@ import os
|
||||
import re
|
||||
import gzip
|
||||
@@ -23,7 +23,7 @@ from setools.typeattrquery import TypeAttributeQuery
|
||||
from setools.typequery import TypeQuery
|
||||
from setools.userquery import UserQuery
|
||||
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
|
@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
|
|||
import gettext
|
||||
kwargs = {}
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
|
||||
From a4183d4c2d335fca940f741bec1f1839394ea783 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 14:23:19 +0200
|
||||
Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
|
||||
|
@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
|
|||
+msgid "Invalid value %s"
|
||||
+msgstr ""
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
|
||||
From f5045f645cfa10fed01b4225d26d98ea9f81f085 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Wed, 21 Mar 2018 08:51:31 +0100
|
||||
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
|
||||
|
@ -13,18 +13,18 @@ Resolves: rhbz#1271327
|
|||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
|
||||
index e328a5628682..02e0960289d3 100644
|
||||
index 4d28bc9a95c1..8e6c4ab94841 100644
|
||||
--- a/policycoreutils/setfiles/setfiles.8
|
||||
+++ b/policycoreutils/setfiles/setfiles.8
|
||||
@@ -58,7 +58,7 @@ check the validity of the contexts against the specified binary policy.
|
||||
@@ -57,7 +57,7 @@ option will force a replacement of the entire context.
|
||||
check the validity of the contexts against the specified binary policy.
|
||||
.TP
|
||||
.B \-d
|
||||
show what specification matched each file (do not abort validation
|
||||
-after ABORT_ON_ERRORS errors).
|
||||
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
|
||||
-show what specification matched each file.
|
||||
+show what specification matched each file. Not affected by "\-q".
|
||||
.TP
|
||||
.BI \-e \ directory
|
||||
directory to exclude (repeat option for more than one directory).
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
|
||||
From 53c27e891b9053a9bbbbca5a854deb4fc526a8a2 Mon Sep 17 00:00:00 2001
|
||||
From: Masatake YAMATO <yamato@redhat.com>
|
||||
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
||||
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
||||
|
@ -67,5 +67,5 @@ index 43180ca6fda4..d60a08e1d72c 100644
|
|||
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
|
||||
return dict
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
|
||||
From f1acc9a3057e199d62c6b8ec6e77fc33ca3db1d1 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 8 Nov 2018 09:20:58 +0100
|
||||
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
|
||||
|
@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
|
|||
}
|
||||
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
|
||||
From be804ecd456a52803067e1aa11e20ef69788221c Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Wed, 18 Jul 2018 09:09:35 +0200
|
||||
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
|
||||
|
@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
|
|||
export DISPLAY=:$D
|
||||
cat > ~/seremote << __EOF
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
|
||||
From 0e40b5541773c6daf58bba7048fae6918d74de74 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Tue, 28 Jul 2020 14:37:13 +0200
|
||||
Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
|
||||
|
@ -20,10 +20,10 @@ Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
|||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index f8584436960d..6a3e08fca58c 100755
|
||||
index ffcedb547993..c013c0d48502 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -717,7 +717,7 @@ Default Defined Ports:""")
|
||||
@@ -719,7 +719,7 @@ Default Defined Ports:""")
|
||||
for f in self.all_file_types:
|
||||
if f.startswith(self.domainname):
|
||||
flist.append(f)
|
||||
|
@ -32,7 +32,7 @@ index f8584436960d..6a3e08fca58c 100755
|
|||
flist_non_exec.append(f)
|
||||
if f in self.fcdict:
|
||||
mpaths = mpaths + self.fcdict[f]["regex"]
|
||||
@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
|
||||
|
||||
if flist_non_exec:
|
||||
|
@ -42,5 +42,5 @@ index f8584436960d..6a3e08fca58c 100755
|
|||
.B STANDARD FILE CONTEXT
|
||||
|
||||
--
|
||||
2.29.0
|
||||
2.32.0
|
||||
|
|
@ -0,0 +1,297 @@
|
|||
From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Fri, 30 Jul 2021 14:14:37 +0200
|
||||
Subject: [PATCH] Use SHA-2 instead of SHA-1
|
||||
|
||||
The use of SHA-1 in RHEL9 is deprecated
|
||||
---
|
||||
policycoreutils/setfiles/restorecon.8 | 10 +++++-----
|
||||
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++----
|
||||
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
|
||||
policycoreutils/setfiles/ru/restorecon.8 | 8 ++++----
|
||||
policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++-----
|
||||
policycoreutils/setfiles/ru/setfiles.8 | 8 ++++----
|
||||
policycoreutils/setfiles/setfiles.8 | 10 +++++-----
|
||||
7 files changed, 33 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
|
||||
index 668486f66113..a8900f02b3f3 100644
|
||||
--- a/policycoreutils/setfiles/restorecon.8
|
||||
+++ b/policycoreutils/setfiles/restorecon.8
|
||||
@@ -93,14 +93,14 @@ display usage information and exit.
|
||||
ignore files that do not exist.
|
||||
.TP
|
||||
.B \-I
|
||||
-ignore digest to force checking of labels even if the stored SHA1 digest
|
||||
-matches the specfiles SHA1 digest. The digest will then be updated provided
|
||||
+ignore digest to force checking of labels even if the stored SHA256 digest
|
||||
+matches the specfiles SHA256 digest. The digest will then be updated provided
|
||||
there are no errors. See the
|
||||
.B NOTES
|
||||
section for further details.
|
||||
.TP
|
||||
.B \-D
|
||||
-Set or update any directory SHA1 digests. Use this option to
|
||||
+Set or update any directory SHA256 digests. Use this option to
|
||||
enable usage of the
|
||||
.IR security.sehash
|
||||
extended attribute.
|
||||
@@ -191,7 +191,7 @@ the
|
||||
.B \-D
|
||||
option to
|
||||
.B restorecon
|
||||
-will cause it to store a SHA1 digest of the default specfiles set in an extended
|
||||
+will cause it to store a SHA256 digest of the default specfiles set in an extended
|
||||
attribute named
|
||||
.IR security.sehash
|
||||
on each directory specified in
|
||||
@@ -208,7 +208,7 @@ for further details.
|
||||
.sp
|
||||
The
|
||||
.B \-I
|
||||
-option will ignore the SHA1 digest from each directory specified in
|
||||
+option will ignore the SHA256 digest from each directory specified in
|
||||
.IR pathname \ ...
|
||||
and provided the
|
||||
.B \-n
|
||||
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
|
||||
index e04528e60824..4b1ce304d995 100644
|
||||
--- a/policycoreutils/setfiles/restorecon_xattr.8
|
||||
+++ b/policycoreutils/setfiles/restorecon_xattr.8
|
||||
@@ -23,7 +23,7 @@ or
|
||||
|
||||
.SH "DESCRIPTION"
|
||||
.B restorecon_xattr
|
||||
-will display the SHA1 digests added to extended attributes
|
||||
+will display the SHA256 digests added to extended attributes
|
||||
.I security.sehash
|
||||
or delete the attribute completely. These attributes are set by
|
||||
.BR restorecon (8)
|
||||
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
|
||||
.sp
|
||||
By default
|
||||
.B restorecon_xattr
|
||||
-will display the SHA1 digests with "Match" appended if they match the default
|
||||
+will display the SHA256 digests with "Match" appended if they match the default
|
||||
specfile set or the
|
||||
.I specfile
|
||||
set used with the
|
||||
.B \-f
|
||||
-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
|
||||
+option. Non-matching SHA256 digests will be displayed with "No Match" appended.
|
||||
This feature can be disabled by the
|
||||
.B \-n
|
||||
option.
|
||||
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
|
||||
recursively descend directories.
|
||||
.TP
|
||||
.B \-v
|
||||
-display SHA1 digest generated by specfile set (Note that this digest is not
|
||||
+display SHA256 digest generated by specfile set (Note that this digest is not
|
||||
used to match the
|
||||
.I security.sehash
|
||||
directory digest entries, and is shown for reference only).
|
||||
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
|
||||
index 31fb82fd2099..bc22d3fd4560 100644
|
||||
--- a/policycoreutils/setfiles/restorecon_xattr.c
|
||||
+++ b/policycoreutils/setfiles/restorecon_xattr.c
|
||||
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
|
||||
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
|
||||
unsigned int delete_all_digests = 0, ignore_mounts = 0;
|
||||
bool display_digest = false;
|
||||
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
|
||||
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
|
||||
unsigned char *fc_digest = NULL;
|
||||
size_t i, fc_digest_len = 0, num_specfiles;
|
||||
|
||||
@@ -133,8 +133,8 @@ int main(int argc, char **argv)
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
- sha1_buf = malloc(fc_digest_len * 2 + 1);
|
||||
- if (!sha1_buf) {
|
||||
+ sha256_buf = malloc(fc_digest_len * 2 + 1);
|
||||
+ if (!sha256_buf) {
|
||||
fprintf(stderr,
|
||||
"Error allocating digest buffer: %s\n",
|
||||
strerror(errno));
|
||||
@@ -143,16 +143,16 @@ int main(int argc, char **argv)
|
||||
}
|
||||
|
||||
for (i = 0; i < fc_digest_len; i++)
|
||||
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
|
||||
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
|
||||
|
||||
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
|
||||
+ printf("specfiles SHA256 digest: %s\n", sha256_buf);
|
||||
|
||||
printf("calculated using the following specfile(s):\n");
|
||||
if (specfiles) {
|
||||
for (i = 0; i < num_specfiles; i++)
|
||||
printf("%s\n", specfiles[i]);
|
||||
}
|
||||
- free(sha1_buf);
|
||||
+ free(sha256_buf);
|
||||
printf("\n");
|
||||
}
|
||||
|
||||
diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8
|
||||
index 9be3a63db356..745135020f4b 100644
|
||||
--- a/policycoreutils/setfiles/ru/restorecon.8
|
||||
+++ b/policycoreutils/setfiles/ru/restorecon.8
|
||||
@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас
|
||||
игнорировать файлы, которые не существуют.
|
||||
.TP
|
||||
.B \-I
|
||||
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
|
||||
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
|
||||
.B ПРИМЕЧАНИЯ.
|
||||
.TP
|
||||
.B \-D
|
||||
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
|
||||
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
|
||||
.IR security.restorecon_last.
|
||||
.TP
|
||||
.B \-m
|
||||
@@ -159,7 +159,7 @@ GNU
|
||||
.B \-D
|
||||
команды
|
||||
.B restorecon
|
||||
-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем
|
||||
+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем
|
||||
.IR security.restorecon_last
|
||||
для каталогов, указанных в соответствующих путях
|
||||
.IR pathname \ ...
|
||||
@@ -173,7 +173,7 @@ GNU
|
||||
.sp
|
||||
Параметр
|
||||
.B \-I
|
||||
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
|
||||
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
|
||||
.IR pathname \ ...
|
||||
, и, при условии, что НЕ установлен параметр
|
||||
.B \-n
|
||||
diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8
|
||||
index 41c441b8c5c2..25c4c3033334 100644
|
||||
--- a/policycoreutils/setfiles/ru/restorecon_xattr.8
|
||||
+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8
|
||||
@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных
|
||||
|
||||
.SH "ОПИСАНИЕ"
|
||||
.B restorecon_xattr
|
||||
-покажет дайджесты SHA1, добавленные в расширенные атрибуты
|
||||
+покажет дайджесты SHA256, добавленные в расширенные атрибуты
|
||||
.I security.restorecon_last,
|
||||
или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой
|
||||
.BR restorecon (8)
|
||||
@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных
|
||||
.sp
|
||||
По умолчанию
|
||||
.B restorecon_xattr
|
||||
-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
|
||||
+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
|
||||
.I specfile,
|
||||
который установлен с помощью параметра
|
||||
.B \-f.
|
||||
-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце.
|
||||
+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце.
|
||||
Эту возможность можно отключить с помощью параметра
|
||||
.B \-n.
|
||||
|
||||
@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных
|
||||
рекурсивно спускаться по каталогам.
|
||||
.TP
|
||||
.B \-v
|
||||
-показать дайджест SHA1, созданный установленным файлом спецификации.
|
||||
+показать дайджест SHA256, созданный установленным файлом спецификации.
|
||||
.TP
|
||||
.B \-e
|
||||
.I directory
|
||||
@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных
|
||||
.BR file_contexts (5).
|
||||
Он будет использоваться
|
||||
.BR selabel_open (3)
|
||||
-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью
|
||||
+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью
|
||||
.BR selabel_digest (3).
|
||||
Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию.
|
||||
|
||||
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
|
||||
index 910101452625..7f2daa09191b 100644
|
||||
--- a/policycoreutils/setfiles/ru/setfiles.8
|
||||
+++ b/policycoreutils/setfiles/ru/setfiles.8
|
||||
@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос
|
||||
игнорировать файлы, которые не существуют.
|
||||
.TP
|
||||
.B \-I
|
||||
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
|
||||
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
|
||||
.B ПРИМЕЧАНИЯ.
|
||||
.TP
|
||||
.B \-D
|
||||
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
|
||||
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
|
||||
.IR security.restorecon_last.
|
||||
.TP
|
||||
.B \-l
|
||||
@@ -186,7 +186,7 @@ GNU
|
||||
.B \-D
|
||||
команды
|
||||
.B setfiles .
|
||||
-Он обеспечивает сохранение дайджеста SHA1 файла спецификации
|
||||
+Он обеспечивает сохранение дайджеста SHA256 файла спецификации
|
||||
.B spec_file
|
||||
в расширенном атрибуте с именем
|
||||
.IR security.restorecon_last
|
||||
@@ -204,7 +204,7 @@ GNU
|
||||
.sp
|
||||
Параметр
|
||||
.B \-I
|
||||
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
|
||||
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
|
||||
.IR pathname \ ...
|
||||
, и, при условии, что НЕ установлен параметр
|
||||
.B \-n
|
||||
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
|
||||
index 8e6c4ab94841..0692121f2f4d 100644
|
||||
--- a/policycoreutils/setfiles/setfiles.8
|
||||
+++ b/policycoreutils/setfiles/setfiles.8
|
||||
@@ -85,14 +85,14 @@ display usage information and exit.
|
||||
ignore files that do not exist.
|
||||
.TP
|
||||
.B \-I
|
||||
-ignore digest to force checking of labels even if the stored SHA1 digest
|
||||
-matches the specfiles SHA1 digest. The digest will then be updated provided
|
||||
+ignore digest to force checking of labels even if the stored SHA256 digest
|
||||
+matches the specfiles SHA256 digest. The digest will then be updated provided
|
||||
there are no errors. See the
|
||||
.B NOTES
|
||||
section for further details.
|
||||
.TP
|
||||
.B \-D
|
||||
-Set or update any directory SHA1 digests. Use this option to
|
||||
+Set or update any directory SHA256 digests. Use this option to
|
||||
enable usage of the
|
||||
.IR security.sehash
|
||||
extended attribute.
|
||||
@@ -230,7 +230,7 @@ the
|
||||
.B \-D
|
||||
option to
|
||||
.B setfiles
|
||||
-will cause it to store a SHA1 digest of the
|
||||
+will cause it to store a SHA256 digest of the
|
||||
.B spec_file
|
||||
set in an extended attribute named
|
||||
.IR security.sehash
|
||||
@@ -251,7 +251,7 @@ for further details.
|
||||
.sp
|
||||
The
|
||||
.B \-I
|
||||
-option will ignore the SHA1 digest from each directory specified in
|
||||
+option will ignore the SHA256 digest from each directory specified in
|
||||
.IR pathname \ ...
|
||||
and provided the
|
||||
.B \-n
|
||||
--
|
||||
2.32.0
|
||||
|
|
@ -0,0 +1,253 @@
|
|||
From fba88f42bf8490a23fa6dcd33de2ccd59170009b Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Tue, 26 Oct 2021 13:52:39 +0200
|
||||
Subject: [PATCH] setfiles/restorecon: support parallel relabeling
|
||||
|
||||
Use the newly introduced selinux_restorecon_parallel(3) in
|
||||
setfiles/restorecon and a -T option to both to allow enabling parallel
|
||||
relabeling. The default behavior without specifying the -T option is to
|
||||
use 1 thread; parallel relabeling must be requested explicitly by
|
||||
passing -T 0 (which will use as many threads as there are available CPU
|
||||
cores) or -T <N>, which will use <N> threads.
|
||||
|
||||
=== Benchmarks ===
|
||||
As measured on a 32-core cloud VM with Fedora 34. Not a fully
|
||||
representative environment, but still the scaling is quite good.
|
||||
|
||||
WITHOUT PATCHES:
|
||||
$ time restorecon -rn /usr
|
||||
|
||||
real 0m21.689s
|
||||
user 0m21.070s
|
||||
sys 0m0.494s
|
||||
|
||||
WITH PATCHES:
|
||||
$ time restorecon -rn /usr
|
||||
|
||||
real 0m23.940s
|
||||
user 0m23.127s
|
||||
sys 0m0.653s
|
||||
$ time restorecon -rn -T 2 /usr
|
||||
|
||||
real 0m13.145s
|
||||
user 0m25.306s
|
||||
sys 0m0.695s
|
||||
$ time restorecon -rn -T 4 /usr
|
||||
|
||||
real 0m7.559s
|
||||
user 0m28.470s
|
||||
sys 0m1.099s
|
||||
$ time restorecon -rn -T 8 /usr
|
||||
|
||||
real 0m5.186s
|
||||
user 0m37.450s
|
||||
sys 0m2.094s
|
||||
$ time restorecon -rn -T 16 /usr
|
||||
|
||||
real 0m3.831s
|
||||
user 0m51.220s
|
||||
sys 0m4.895s
|
||||
$ time restorecon -rn -T 32 /usr
|
||||
|
||||
real 0m2.650s
|
||||
user 1m5.136s
|
||||
sys 0m6.614s
|
||||
|
||||
Note that the benchmarks were performed in read-only mode (-n), so the
|
||||
labels were only read and looked up in the database, not written. When
|
||||
fixing labels on a heavily mislabeled system, the scaling would likely
|
||||
be event better, since a larger % of work could be done in parallel.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
policycoreutils/setfiles/Makefile | 2 +-
|
||||
policycoreutils/setfiles/restore.c | 7 ++++---
|
||||
policycoreutils/setfiles/restore.h | 2 +-
|
||||
policycoreutils/setfiles/restorecon.8 | 9 +++++++++
|
||||
policycoreutils/setfiles/setfiles.8 | 9 +++++++++
|
||||
policycoreutils/setfiles/setfiles.c | 28 ++++++++++++++++-----------
|
||||
6 files changed, 41 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
|
||||
index 63d818509791..d7670a8ff54b 100644
|
||||
--- a/policycoreutils/setfiles/Makefile
|
||||
+++ b/policycoreutils/setfiles/Makefile
|
||||
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
|
||||
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
|
||||
|
||||
CFLAGS ?= -g -Werror -Wall -W
|
||||
-override LDLIBS += -lselinux -lsepol
|
||||
+override LDLIBS += -lselinux -lsepol -lpthread
|
||||
|
||||
ifeq ($(AUDITH), y)
|
||||
override CFLAGS += -DUSE_AUDIT
|
||||
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
|
||||
index 9d688c609f79..74d48bb3752d 100644
|
||||
--- a/policycoreutils/setfiles/restore.c
|
||||
+++ b/policycoreutils/setfiles/restore.c
|
||||
@@ -72,7 +72,7 @@ void restore_finish(void)
|
||||
}
|
||||
}
|
||||
|
||||
-int process_glob(char *name, struct restore_opts *opts)
|
||||
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads)
|
||||
{
|
||||
glob_t globbuf;
|
||||
size_t i = 0;
|
||||
@@ -91,8 +91,9 @@ int process_glob(char *name, struct restore_opts *opts)
|
||||
continue;
|
||||
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
|
||||
continue;
|
||||
- rc = selinux_restorecon(globbuf.gl_pathv[i],
|
||||
- opts->restorecon_flags);
|
||||
+ rc = selinux_restorecon_parallel(globbuf.gl_pathv[i],
|
||||
+ opts->restorecon_flags,
|
||||
+ nthreads);
|
||||
if (rc < 0)
|
||||
errors = rc;
|
||||
}
|
||||
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
|
||||
index ac6ad6809f4f..bb35a1db9e34 100644
|
||||
--- a/policycoreutils/setfiles/restore.h
|
||||
+++ b/policycoreutils/setfiles/restore.h
|
||||
@@ -49,7 +49,7 @@ struct restore_opts {
|
||||
void restore_init(struct restore_opts *opts);
|
||||
void restore_finish(void);
|
||||
void add_exclude(const char *directory);
|
||||
-int process_glob(char *name, struct restore_opts *opts);
|
||||
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads);
|
||||
extern char **exclude_list;
|
||||
|
||||
#endif
|
||||
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
|
||||
index a8900f02b3f3..dbd55ce7c512 100644
|
||||
--- a/policycoreutils/setfiles/restorecon.8
|
||||
+++ b/policycoreutils/setfiles/restorecon.8
|
||||
@@ -33,6 +33,8 @@ restorecon \- restore file(s) default SELinux security contexts.
|
||||
.RB [ \-W ]
|
||||
.RB [ \-I | \-D ]
|
||||
.RB [ \-x ]
|
||||
+.RB [ \-T
|
||||
+.IR nthreads ]
|
||||
|
||||
.SH "DESCRIPTION"
|
||||
This manual page describes the
|
||||
@@ -160,6 +162,13 @@ prevent
|
||||
.B restorecon
|
||||
from crossing file system boundaries.
|
||||
.TP
|
||||
+.BI \-T \ nthreads
|
||||
+use up to
|
||||
+.I nthreads
|
||||
+threads. Specify 0 to create as many threads as there are available
|
||||
+CPU cores; 1 to use only a single thread (default); or any positive
|
||||
+number to use the given number of threads (if possible).
|
||||
+.TP
|
||||
.SH "ARGUMENTS"
|
||||
.IR pathname \ ...
|
||||
The pathname for the file(s) to be relabeled.
|
||||
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
|
||||
index 0692121f2f4d..8ef9f602e843 100644
|
||||
--- a/policycoreutils/setfiles/setfiles.8
|
||||
+++ b/policycoreutils/setfiles/setfiles.8
|
||||
@@ -19,6 +19,8 @@ setfiles \- set SELinux file security contexts.
|
||||
.RB [ \-W ]
|
||||
.RB [ \-F ]
|
||||
.RB [ \-I | \-D ]
|
||||
+.RB [ \-T
|
||||
+.IR nthreads ]
|
||||
.I spec_file
|
||||
.IR pathname \ ...
|
||||
|
||||
@@ -161,6 +163,13 @@ quote marks or backslashes. The
|
||||
option of GNU
|
||||
.B find
|
||||
produces input suitable for this mode.
|
||||
+.TP
|
||||
+.BI \-T \ nthreads
|
||||
+use up to
|
||||
+.I nthreads
|
||||
+threads. Specify 0 to create as many threads as there are available
|
||||
+CPU cores; 1 to use only a single thread (default); or any positive
|
||||
+number to use the given number of threads (if possible).
|
||||
|
||||
.SH "ARGUMENTS"
|
||||
.TP
|
||||
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
|
||||
index f018d161aa9e..2313a21fa0f3 100644
|
||||
--- a/policycoreutils/setfiles/setfiles.c
|
||||
+++ b/policycoreutils/setfiles/setfiles.c
|
||||
@@ -1,4 +1,5 @@
|
||||
#include "restore.h"
|
||||
+#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <stdio_ext.h>
|
||||
@@ -34,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
|
||||
{
|
||||
if (iamrestorecon) {
|
||||
fprintf(stderr,
|
||||
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
|
||||
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
|
||||
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n"
|
||||
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n",
|
||||
name, name);
|
||||
} else {
|
||||
fprintf(stderr,
|
||||
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
|
||||
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
|
||||
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
|
||||
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
|
||||
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
|
||||
+ "usage: %s -s [-diIDlmnpqvFWT] spec_file\n",
|
||||
name, name, name);
|
||||
}
|
||||
exit(-1);
|
||||
@@ -144,12 +145,12 @@ int main(int argc, char **argv)
|
||||
int opt, i = 0;
|
||||
const char *input_filename = NULL;
|
||||
int use_input_file = 0;
|
||||
- char *buf = NULL;
|
||||
- size_t buf_len;
|
||||
+ char *buf = NULL, *endptr;
|
||||
+ size_t buf_len, nthreads = 1;
|
||||
const char *base;
|
||||
int errors = 0;
|
||||
- const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x";
|
||||
- const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0";
|
||||
+ const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:";
|
||||
+ const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0T:";
|
||||
const char *opts;
|
||||
union selinux_callback cb;
|
||||
|
||||
@@ -370,6 +371,11 @@ int main(int argc, char **argv)
|
||||
usage(argv[0]);
|
||||
}
|
||||
break;
|
||||
+ case 'T':
|
||||
+ nthreads = strtoull(optarg, &endptr, 10);
|
||||
+ if (*optarg == '\0' || *endptr != '\0')
|
||||
+ usage(argv[0]);
|
||||
+ break;
|
||||
case 'h':
|
||||
case '?':
|
||||
usage(argv[0]);
|
||||
@@ -448,13 +454,13 @@ int main(int argc, char **argv)
|
||||
buf[len - 1] = 0;
|
||||
if (!strcmp(buf, "/"))
|
||||
r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL;
|
||||
- errors |= process_glob(buf, &r_opts) < 0;
|
||||
+ errors |= process_glob(buf, &r_opts, nthreads) < 0;
|
||||
}
|
||||
if (strcmp(input_filename, "-") != 0)
|
||||
fclose(f);
|
||||
} else {
|
||||
for (i = optind; i < argc; i++)
|
||||
- errors |= process_glob(argv[i], &r_opts) < 0;
|
||||
+ errors |= process_glob(argv[i], &r_opts, nthreads) < 0;
|
||||
}
|
||||
|
||||
maybe_audit_mass_relabel(r_opts.mass_relabel, errors);
|
||||
--
|
||||
2.33.1
|
||||
|
|
@ -0,0 +1,674 @@
|
|||
From 4e6165719d3315b6502f3d290a549f9fa14c3238 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 16 Nov 2021 14:27:11 +0100
|
||||
Subject: [PATCH] semodule: add -m | --checksum option
|
||||
|
||||
Since cil doesn't store module name and module version in module itself,
|
||||
there's no simple way how to compare that installed module is the same
|
||||
version as the module which is supposed to be installed. Even though the
|
||||
version was not used by semodule itself, it was apparently used by some
|
||||
team.
|
||||
|
||||
With `semodule -l --checksum` users get SHA256 hashes of modules and
|
||||
could compare them with their files which is faster than installing
|
||||
modules again and again.
|
||||
|
||||
E.g.
|
||||
|
||||
# time (
|
||||
semodule -l --checksum | grep localmodule
|
||||
/usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
|
||||
)
|
||||
localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd
|
||||
db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd -
|
||||
|
||||
real 0m0.876s
|
||||
user 0m0.849s
|
||||
sys 0m0.028s
|
||||
|
||||
vs
|
||||
|
||||
# time semodule -i localmodule.pp
|
||||
|
||||
real 0m6.147s
|
||||
user 0m5.800s
|
||||
sys 0m0.231s
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
policycoreutils/semodule/Makefile | 2 +-
|
||||
policycoreutils/semodule/semodule.8 | 6 +
|
||||
policycoreutils/semodule/semodule.c | 95 ++++++++-
|
||||
policycoreutils/semodule/sha256.c | 294 ++++++++++++++++++++++++++++
|
||||
policycoreutils/semodule/sha256.h | 89 +++++++++
|
||||
5 files changed, 480 insertions(+), 6 deletions(-)
|
||||
create mode 100644 policycoreutils/semodule/sha256.c
|
||||
create mode 100644 policycoreutils/semodule/sha256.h
|
||||
|
||||
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
|
||||
index 73801e487a76..9875ac383280 100644
|
||||
--- a/policycoreutils/semodule/Makefile
|
||||
+++ b/policycoreutils/semodule/Makefile
|
||||
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
|
||||
|
||||
CFLAGS ?= -Werror -Wall -W
|
||||
override LDLIBS += -lsepol -lselinux -lsemanage
|
||||
-SEMODULE_OBJS = semodule.o
|
||||
+SEMODULE_OBJS = semodule.o sha256.o
|
||||
|
||||
all: semodule genhomedircon
|
||||
|
||||
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
|
||||
index 18d4f708661c..3a2fb21c2481 100644
|
||||
--- a/policycoreutils/semodule/semodule.8
|
||||
+++ b/policycoreutils/semodule/semodule.8
|
||||
@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option.
|
||||
.B \-H,\-\-hll
|
||||
Extract module as an HLL file. This only affects the \-\-extract option and
|
||||
only modules listed in \-\-extract after this option.
|
||||
+.TP
|
||||
+.B \-m,\-\-checksum
|
||||
+Add SHA256 checksum of modules to the list output.
|
||||
|
||||
.SH EXAMPLE
|
||||
.nf
|
||||
@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux"
|
||||
# Write the HLL version of puppet and the CIL version of wireshark
|
||||
# modules at priority 400 to the current working directory
|
||||
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
|
||||
+# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
|
||||
+$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
|
||||
+$ semodule -l -m | grep localmodule
|
||||
.fi
|
||||
|
||||
.SH SEE ALSO
|
||||
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
|
||||
index c815f01546b4..ddbf10455abf 100644
|
||||
--- a/policycoreutils/semodule/semodule.c
|
||||
+++ b/policycoreutils/semodule/semodule.c
|
||||
@@ -25,6 +25,8 @@
|
||||
#include <sepol/cil/cil.h>
|
||||
#include <semanage/modules.h>
|
||||
|
||||
+#include "sha256.h"
|
||||
+
|
||||
enum client_modes {
|
||||
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
|
||||
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
|
||||
@@ -57,6 +59,7 @@ static semanage_handle_t *sh = NULL;
|
||||
static char *store;
|
||||
static char *store_root;
|
||||
int extract_cil = 0;
|
||||
+static int checksum = 0;
|
||||
|
||||
extern char *optarg;
|
||||
extern int optind;
|
||||
@@ -147,6 +150,7 @@ static void usage(char *progname)
|
||||
printf(" -S,--store-path use an alternate path for the policy store root\n");
|
||||
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
|
||||
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
|
||||
+ printf(" -m, --checksum print module checksum (SHA256).\n");
|
||||
}
|
||||
|
||||
/* Sets the global mode variable to new_mode, but only if no other
|
||||
@@ -200,6 +204,7 @@ static void parse_command_line(int argc, char **argv)
|
||||
{"disable", required_argument, NULL, 'd'},
|
||||
{"path", required_argument, NULL, 'p'},
|
||||
{"store-path", required_argument, NULL, 'S'},
|
||||
+ {"checksum", 0, NULL, 'm'},
|
||||
{NULL, 0, NULL, 0}
|
||||
};
|
||||
int extract_selected = 0;
|
||||
@@ -210,7 +215,7 @@ static void parse_command_line(int argc, char **argv)
|
||||
no_reload = 0;
|
||||
priority = 400;
|
||||
while ((i =
|
||||
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
|
||||
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
|
||||
NULL)) != -1) {
|
||||
switch (i) {
|
||||
case 'b':
|
||||
@@ -287,6 +292,9 @@ static void parse_command_line(int argc, char **argv)
|
||||
case 'd':
|
||||
set_mode(DISABLE_M, optarg);
|
||||
break;
|
||||
+ case 'm':
|
||||
+ checksum = 1;
|
||||
+ break;
|
||||
case '?':
|
||||
default:{
|
||||
usage(argv[0]);
|
||||
@@ -338,6 +346,61 @@ static void parse_command_line(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
+/* Get module checksum */
|
||||
+static char *hash_module_data(const char *module_name, const int prio) {
|
||||
+ semanage_module_info_t *extract_info = NULL;
|
||||
+ semanage_module_key_t *modkey = NULL;
|
||||
+ Sha256Context context;
|
||||
+ uint8_t sha256_hash[SHA256_HASH_SIZE];
|
||||
+ char *sha256_buf = NULL;
|
||||
+ void *data;
|
||||
+ size_t data_len = 0, i;
|
||||
+ int result;
|
||||
+
|
||||
+ result = semanage_module_key_create(sh, &modkey);
|
||||
+ if (result != 0) {
|
||||
+ goto cleanup_extract;
|
||||
+ }
|
||||
+
|
||||
+ result = semanage_module_key_set_name(sh, modkey, module_name);
|
||||
+ if (result != 0) {
|
||||
+ goto cleanup_extract;
|
||||
+ }
|
||||
+
|
||||
+ result = semanage_module_key_set_priority(sh, modkey, prio);
|
||||
+ if (result != 0) {
|
||||
+ goto cleanup_extract;
|
||||
+ }
|
||||
+
|
||||
+ result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
|
||||
+ &extract_info);
|
||||
+ if (result != 0) {
|
||||
+ goto cleanup_extract;
|
||||
+ }
|
||||
+
|
||||
+ Sha256Initialise(&context);
|
||||
+ Sha256Update(&context, data, data_len);
|
||||
+
|
||||
+ Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
|
||||
+
|
||||
+ sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
|
||||
+
|
||||
+ if (sha256_buf == NULL)
|
||||
+ goto cleanup_extract;
|
||||
+
|
||||
+ for (i = 0; i < SHA256_HASH_SIZE; i++) {
|
||||
+ sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
|
||||
+ }
|
||||
+ sha256_buf[i * 2] = 0;
|
||||
+
|
||||
+cleanup_extract:
|
||||
+ semanage_module_info_destroy(sh, extract_info);
|
||||
+ free(extract_info);
|
||||
+ semanage_module_key_destroy(sh, modkey);
|
||||
+ free(modkey);
|
||||
+ return sha256_buf;
|
||||
+}
|
||||
+
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int i, commit = 0;
|
||||
@@ -546,6 +609,8 @@ cleanup_extract:
|
||||
int modinfos_len = 0;
|
||||
semanage_module_info_t *m = NULL;
|
||||
int j = 0;
|
||||
+ char *module_checksum = NULL;
|
||||
+ uint16_t pri = 0;
|
||||
|
||||
if (verbose) {
|
||||
printf
|
||||
@@ -570,7 +635,18 @@ cleanup_extract:
|
||||
result = semanage_module_info_get_name(sh, m, &name);
|
||||
if (result != 0) goto cleanup_list;
|
||||
|
||||
- printf("%s\n", name);
|
||||
+ result = semanage_module_info_get_priority(sh, m, &pri);
|
||||
+ if (result != 0) goto cleanup_list;
|
||||
+
|
||||
+ printf("%s", name);
|
||||
+ if (checksum) {
|
||||
+ module_checksum = hash_module_data(name, pri);
|
||||
+ if (module_checksum) {
|
||||
+ printf(" %s", module_checksum);
|
||||
+ free(module_checksum);
|
||||
+ }
|
||||
+ }
|
||||
+ printf("\n");
|
||||
}
|
||||
}
|
||||
else if (strcmp(mode_arg, "full") == 0) {
|
||||
@@ -585,11 +661,12 @@ cleanup_extract:
|
||||
}
|
||||
|
||||
/* calculate column widths */
|
||||
- size_t column[4] = { 0, 0, 0, 0 };
|
||||
+ size_t column[5] = { 0, 0, 0, 0, 0 };
|
||||
|
||||
/* fixed width columns */
|
||||
column[0] = sizeof("000") - 1;
|
||||
column[3] = sizeof("disabled") - 1;
|
||||
+ column[4] = 64; /* SHA256_HASH_SIZE * 2 */
|
||||
|
||||
/* variable width columns */
|
||||
const char *tmp = NULL;
|
||||
@@ -612,7 +689,6 @@ cleanup_extract:
|
||||
|
||||
/* print out each module */
|
||||
for (j = 0; j < modinfos_len; j++) {
|
||||
- uint16_t pri = 0;
|
||||
const char *name = NULL;
|
||||
int enabled = 0;
|
||||
const char *lang_ext = NULL;
|
||||
@@ -631,11 +707,20 @@ cleanup_extract:
|
||||
result = semanage_module_info_get_lang_ext(sh, m, &lang_ext);
|
||||
if (result != 0) goto cleanup_list;
|
||||
|
||||
- printf("%0*u %-*s %-*s %-*s\n",
|
||||
+ printf("%0*u %-*s %-*s %-*s",
|
||||
(int)column[0], pri,
|
||||
(int)column[1], name,
|
||||
(int)column[2], lang_ext,
|
||||
(int)column[3], enabled ? "" : "disabled");
|
||||
+ if (checksum) {
|
||||
+ module_checksum = hash_module_data(name, pri);
|
||||
+ if (module_checksum) {
|
||||
+ printf(" %-*s", (int)column[4], module_checksum);
|
||||
+ free(module_checksum);
|
||||
+ }
|
||||
+ }
|
||||
+ printf("\n");
|
||||
+
|
||||
}
|
||||
}
|
||||
else {
|
||||
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
|
||||
new file mode 100644
|
||||
index 000000000000..fe2aeef07f53
|
||||
--- /dev/null
|
||||
+++ b/policycoreutils/semodule/sha256.c
|
||||
@@ -0,0 +1,294 @@
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// WjCryptLib_Sha256
|
||||
+//
|
||||
+// Implementation of SHA256 hash function.
|
||||
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
|
||||
+// Modified by WaterJuice retaining Public Domain license.
|
||||
+//
|
||||
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// IMPORTS
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+#include "sha256.h"
|
||||
+#include <memory.h>
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// MACROS
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
|
||||
+
|
||||
+#define MIN(x, y) ( ((x)<(y))?(x):(y) )
|
||||
+
|
||||
+#define STORE32H(x, y) \
|
||||
+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
|
||||
+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
|
||||
+
|
||||
+#define LOAD32H(x, y) \
|
||||
+ { x = ((uint32_t)((y)[0] & 255)<<24) | \
|
||||
+ ((uint32_t)((y)[1] & 255)<<16) | \
|
||||
+ ((uint32_t)((y)[2] & 255)<<8) | \
|
||||
+ ((uint32_t)((y)[3] & 255)); }
|
||||
+
|
||||
+#define STORE64H(x, y) \
|
||||
+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
|
||||
+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
|
||||
+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
|
||||
+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// CONSTANTS
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+// The K array
|
||||
+static const uint32_t K[64] = {
|
||||
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
|
||||
+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
|
||||
+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
|
||||
+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
|
||||
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
|
||||
+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
|
||||
+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
|
||||
+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
|
||||
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
|
||||
+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
|
||||
+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
|
||||
+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
|
||||
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
|
||||
+};
|
||||
+
|
||||
+#define BLOCK_SIZE 64
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// INTERNAL FUNCTIONS
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+// Various logical functions
|
||||
+#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
|
||||
+#define Maj( x, y, z ) (((x | y) & z) | (x & y))
|
||||
+#define S( x, n ) ror((x),(n))
|
||||
+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
|
||||
+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
|
||||
+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
|
||||
+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
|
||||
+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
|
||||
+
|
||||
+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
|
||||
+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
|
||||
+ t1 = Sigma0(a) + Maj(a, b, c); \
|
||||
+ d += t0; \
|
||||
+ h = t0 + t1;
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// TransformFunction
|
||||
+//
|
||||
+// Compress 512-bits
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+static
|
||||
+void
|
||||
+ TransformFunction
|
||||
+ (
|
||||
+ Sha256Context* Context,
|
||||
+ uint8_t const* Buffer
|
||||
+ )
|
||||
+{
|
||||
+ uint32_t S[8];
|
||||
+ uint32_t W[64];
|
||||
+ uint32_t t0;
|
||||
+ uint32_t t1;
|
||||
+ uint32_t t;
|
||||
+ int i;
|
||||
+
|
||||
+ // Copy state into S
|
||||
+ for( i=0; i<8; i++ )
|
||||
+ {
|
||||
+ S[i] = Context->state[i];
|
||||
+ }
|
||||
+
|
||||
+ // Copy the state into 512-bits into W[0..15]
|
||||
+ for( i=0; i<16; i++ )
|
||||
+ {
|
||||
+ LOAD32H( W[i], Buffer + (4*i) );
|
||||
+ }
|
||||
+
|
||||
+ // Fill W[16..63]
|
||||
+ for( i=16; i<64; i++ )
|
||||
+ {
|
||||
+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
|
||||
+ }
|
||||
+
|
||||
+ // Compress
|
||||
+ for( i=0; i<64; i++ )
|
||||
+ {
|
||||
+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
|
||||
+ t = S[7];
|
||||
+ S[7] = S[6];
|
||||
+ S[6] = S[5];
|
||||
+ S[5] = S[4];
|
||||
+ S[4] = S[3];
|
||||
+ S[3] = S[2];
|
||||
+ S[2] = S[1];
|
||||
+ S[1] = S[0];
|
||||
+ S[0] = t;
|
||||
+ }
|
||||
+
|
||||
+ // Feedback
|
||||
+ for( i=0; i<8; i++ )
|
||||
+ {
|
||||
+ Context->state[i] = Context->state[i] + S[i];
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// PUBLIC FUNCTIONS
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Initialise
|
||||
+//
|
||||
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Initialise
|
||||
+ (
|
||||
+ Sha256Context* Context // [out]
|
||||
+ )
|
||||
+{
|
||||
+ Context->curlen = 0;
|
||||
+ Context->length = 0;
|
||||
+ Context->state[0] = 0x6A09E667UL;
|
||||
+ Context->state[1] = 0xBB67AE85UL;
|
||||
+ Context->state[2] = 0x3C6EF372UL;
|
||||
+ Context->state[3] = 0xA54FF53AUL;
|
||||
+ Context->state[4] = 0x510E527FUL;
|
||||
+ Context->state[5] = 0x9B05688CUL;
|
||||
+ Context->state[6] = 0x1F83D9ABUL;
|
||||
+ Context->state[7] = 0x5BE0CD19UL;
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Update
|
||||
+//
|
||||
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
|
||||
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Update
|
||||
+ (
|
||||
+ Sha256Context* Context, // [in out]
|
||||
+ void const* Buffer, // [in]
|
||||
+ uint32_t BufferSize // [in]
|
||||
+ )
|
||||
+{
|
||||
+ uint32_t n;
|
||||
+
|
||||
+ if( Context->curlen > sizeof(Context->buf) )
|
||||
+ {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ while( BufferSize > 0 )
|
||||
+ {
|
||||
+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
|
||||
+ {
|
||||
+ TransformFunction( Context, (uint8_t*)Buffer );
|
||||
+ Context->length += BLOCK_SIZE * 8;
|
||||
+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
|
||||
+ BufferSize -= BLOCK_SIZE;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
|
||||
+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
|
||||
+ Context->curlen += n;
|
||||
+ Buffer = (uint8_t*)Buffer + n;
|
||||
+ BufferSize -= n;
|
||||
+ if( Context->curlen == BLOCK_SIZE )
|
||||
+ {
|
||||
+ TransformFunction( Context, Context->buf );
|
||||
+ Context->length += 8*BLOCK_SIZE;
|
||||
+ Context->curlen = 0;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Finalise
|
||||
+//
|
||||
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
|
||||
+// calling this, Sha256Initialised must be used to reuse the context.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Finalise
|
||||
+ (
|
||||
+ Sha256Context* Context, // [in out]
|
||||
+ SHA256_HASH* Digest // [out]
|
||||
+ )
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ if( Context->curlen >= sizeof(Context->buf) )
|
||||
+ {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ // Increase the length of the message
|
||||
+ Context->length += Context->curlen * 8;
|
||||
+
|
||||
+ // Append the '1' bit
|
||||
+ Context->buf[Context->curlen++] = (uint8_t)0x80;
|
||||
+
|
||||
+ // if the length is currently above 56 bytes we append zeros
|
||||
+ // then compress. Then we can fall back to padding zeros and length
|
||||
+ // encoding like normal.
|
||||
+ if( Context->curlen > 56 )
|
||||
+ {
|
||||
+ while( Context->curlen < 64 )
|
||||
+ {
|
||||
+ Context->buf[Context->curlen++] = (uint8_t)0;
|
||||
+ }
|
||||
+ TransformFunction(Context, Context->buf);
|
||||
+ Context->curlen = 0;
|
||||
+ }
|
||||
+
|
||||
+ // Pad up to 56 bytes of zeroes
|
||||
+ while( Context->curlen < 56 )
|
||||
+ {
|
||||
+ Context->buf[Context->curlen++] = (uint8_t)0;
|
||||
+ }
|
||||
+
|
||||
+ // Store length
|
||||
+ STORE64H( Context->length, Context->buf+56 );
|
||||
+ TransformFunction( Context, Context->buf );
|
||||
+
|
||||
+ // Copy output
|
||||
+ for( i=0; i<8; i++ )
|
||||
+ {
|
||||
+ STORE32H( Context->state[i], Digest->bytes+(4*i) );
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Calculate
|
||||
+//
|
||||
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
|
||||
+// buffer.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Calculate
|
||||
+ (
|
||||
+ void const* Buffer, // [in]
|
||||
+ uint32_t BufferSize, // [in]
|
||||
+ SHA256_HASH* Digest // [in]
|
||||
+ )
|
||||
+{
|
||||
+ Sha256Context context;
|
||||
+
|
||||
+ Sha256Initialise( &context );
|
||||
+ Sha256Update( &context, Buffer, BufferSize );
|
||||
+ Sha256Finalise( &context, Digest );
|
||||
+}
|
||||
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
|
||||
new file mode 100644
|
||||
index 000000000000..406ed869cd82
|
||||
--- /dev/null
|
||||
+++ b/policycoreutils/semodule/sha256.h
|
||||
@@ -0,0 +1,89 @@
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// WjCryptLib_Sha256
|
||||
+//
|
||||
+// Implementation of SHA256 hash function.
|
||||
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
|
||||
+// Modified by WaterJuice retaining Public Domain license.
|
||||
+//
|
||||
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+#pragma once
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// IMPORTS
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+#include <stdint.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+typedef struct
|
||||
+{
|
||||
+ uint64_t length;
|
||||
+ uint32_t state[8];
|
||||
+ uint32_t curlen;
|
||||
+ uint8_t buf[64];
|
||||
+} Sha256Context;
|
||||
+
|
||||
+#define SHA256_HASH_SIZE ( 256 / 8 )
|
||||
+
|
||||
+typedef struct
|
||||
+{
|
||||
+ uint8_t bytes [SHA256_HASH_SIZE];
|
||||
+} SHA256_HASH;
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// PUBLIC FUNCTIONS
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Initialise
|
||||
+//
|
||||
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Initialise
|
||||
+ (
|
||||
+ Sha256Context* Context // [out]
|
||||
+ );
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Update
|
||||
+//
|
||||
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
|
||||
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Update
|
||||
+ (
|
||||
+ Sha256Context* Context, // [in out]
|
||||
+ void const* Buffer, // [in]
|
||||
+ uint32_t BufferSize // [in]
|
||||
+ );
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Finalise
|
||||
+//
|
||||
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
|
||||
+// calling this, Sha256Initialised must be used to reuse the context.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Finalise
|
||||
+ (
|
||||
+ Sha256Context* Context, // [in out]
|
||||
+ SHA256_HASH* Digest // [out]
|
||||
+ );
|
||||
+
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+// Sha256Calculate
|
||||
+//
|
||||
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
|
||||
+// buffer.
|
||||
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
+void
|
||||
+ Sha256Calculate
|
||||
+ (
|
||||
+ void const* Buffer, // [in]
|
||||
+ uint32_t BufferSize, // [in]
|
||||
+ SHA256_HASH* Digest // [in]
|
||||
+ );
|
||||
--
|
||||
2.33.1
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
From 7537374e7f5802852c0c64b4cb2a9646402e3cba Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 16 Nov 2021 16:11:22 +0100
|
||||
Subject: [PATCH] semodule: Fix lang_ext column index
|
||||
|
||||
lang_ext is 3. column - index number 2.
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
policycoreutils/semodule/semodule.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
|
||||
index ddbf10455abf..57f005ce2c62 100644
|
||||
--- a/policycoreutils/semodule/semodule.c
|
||||
+++ b/policycoreutils/semodule/semodule.c
|
||||
@@ -684,7 +684,7 @@ cleanup_extract:
|
||||
if (result != 0) goto cleanup_list;
|
||||
|
||||
size = strlen(tmp);
|
||||
- if (size > column[3]) column[3] = size;
|
||||
+ if (size > column[2]) column[2] = size;
|
||||
}
|
||||
|
||||
/* print out each module */
|
||||
--
|
||||
2.33.1
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From 0c4e5d70fde006977e798d6cc7d80db2e8af7bb9 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 23 Nov 2021 17:38:51 +0100
|
||||
Subject: [PATCH] semodule: Don't forget to munmap() data
|
||||
|
||||
semanage_module_extract() mmap()'s the module raw data but it leaves on
|
||||
the caller to munmap() them.
|
||||
|
||||
Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
policycoreutils/semodule/semodule.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
|
||||
index 57f005ce2c62..94a9d131bb79 100644
|
||||
--- a/policycoreutils/semodule/semodule.c
|
||||
+++ b/policycoreutils/semodule/semodule.c
|
||||
@@ -394,6 +394,9 @@ static char *hash_module_data(const char *module_name, const int prio) {
|
||||
sha256_buf[i * 2] = 0;
|
||||
|
||||
cleanup_extract:
|
||||
+ if (data_len > 0) {
|
||||
+ munmap(data, data_len);
|
||||
+ }
|
||||
semanage_module_info_destroy(sh, extract_info);
|
||||
free(extract_info);
|
||||
semanage_module_key_destroy(sh, modkey);
|
||||
--
|
||||
2.33.1
|
||||
|
|
@ -0,0 +1,539 @@
|
|||
From 7809f29b68e17a455478990ae9b22728381a126b Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Thu, 3 Feb 2022 17:53:23 +0100
|
||||
Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage
|
||||
|
||||
The main goal of this move is to have the SHA-256 implementation under
|
||||
libsemanage, since upcoming patches will make use of SHA-256 for a
|
||||
different (but similar) purpose in libsemanage. Having the hashing code
|
||||
in libsemanage will reduce code duplication and allow for easier hash
|
||||
algorithm upgrade in the future.
|
||||
|
||||
Note that libselinux currently also contains a hash function
|
||||
implementation (for yet another different purpose). This patch doesn't
|
||||
make any effort to address that duplicity yet.
|
||||
|
||||
This patch also changes the format of the hash string printed by
|
||||
semodule to include the name of the hash. The intent is to avoid
|
||||
ambiguity and potential collisions when the algorithm is potentially
|
||||
changed in the future.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
policycoreutils/semodule/Makefile | 2 +-
|
||||
policycoreutils/semodule/semodule.c | 53 ++---
|
||||
policycoreutils/semodule/sha256.c | 294 ----------------------------
|
||||
policycoreutils/semodule/sha256.h | 89 ---------
|
||||
4 files changed, 17 insertions(+), 421 deletions(-)
|
||||
delete mode 100644 policycoreutils/semodule/sha256.c
|
||||
delete mode 100644 policycoreutils/semodule/sha256.h
|
||||
|
||||
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
|
||||
index 9875ac383280..73801e487a76 100644
|
||||
--- a/policycoreutils/semodule/Makefile
|
||||
+++ b/policycoreutils/semodule/Makefile
|
||||
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
|
||||
|
||||
CFLAGS ?= -Werror -Wall -W
|
||||
override LDLIBS += -lsepol -lselinux -lsemanage
|
||||
-SEMODULE_OBJS = semodule.o sha256.o
|
||||
+SEMODULE_OBJS = semodule.o
|
||||
|
||||
all: semodule genhomedircon
|
||||
|
||||
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
|
||||
index 94a9d131bb79..f4a76289efa3 100644
|
||||
--- a/policycoreutils/semodule/semodule.c
|
||||
+++ b/policycoreutils/semodule/semodule.c
|
||||
@@ -25,8 +25,6 @@
|
||||
#include <sepol/cil/cil.h>
|
||||
#include <semanage/modules.h>
|
||||
|
||||
-#include "sha256.h"
|
||||
-
|
||||
enum client_modes {
|
||||
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
|
||||
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
|
||||
@@ -348,60 +346,38 @@ static void parse_command_line(int argc, char **argv)
|
||||
|
||||
/* Get module checksum */
|
||||
static char *hash_module_data(const char *module_name, const int prio) {
|
||||
- semanage_module_info_t *extract_info = NULL;
|
||||
semanage_module_key_t *modkey = NULL;
|
||||
- Sha256Context context;
|
||||
- uint8_t sha256_hash[SHA256_HASH_SIZE];
|
||||
- char *sha256_buf = NULL;
|
||||
- void *data;
|
||||
- size_t data_len = 0, i;
|
||||
+ char *hash_str = NULL;
|
||||
+ void *hash = NULL;
|
||||
+ size_t hash_len = 0;
|
||||
int result;
|
||||
|
||||
result = semanage_module_key_create(sh, &modkey);
|
||||
if (result != 0) {
|
||||
- goto cleanup_extract;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
result = semanage_module_key_set_name(sh, modkey, module_name);
|
||||
if (result != 0) {
|
||||
- goto cleanup_extract;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
result = semanage_module_key_set_priority(sh, modkey, prio);
|
||||
if (result != 0) {
|
||||
- goto cleanup_extract;
|
||||
+ goto cleanup;
|
||||
}
|
||||
|
||||
- result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
|
||||
- &extract_info);
|
||||
+ result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str,
|
||||
+ &hash_len);
|
||||
if (result != 0) {
|
||||
- goto cleanup_extract;
|
||||
- }
|
||||
-
|
||||
- Sha256Initialise(&context);
|
||||
- Sha256Update(&context, data, data_len);
|
||||
-
|
||||
- Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
|
||||
-
|
||||
- sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
|
||||
-
|
||||
- if (sha256_buf == NULL)
|
||||
- goto cleanup_extract;
|
||||
-
|
||||
- for (i = 0; i < SHA256_HASH_SIZE; i++) {
|
||||
- sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
|
||||
+ goto cleanup;
|
||||
}
|
||||
- sha256_buf[i * 2] = 0;
|
||||
|
||||
-cleanup_extract:
|
||||
- if (data_len > 0) {
|
||||
- munmap(data, data_len);
|
||||
- }
|
||||
- semanage_module_info_destroy(sh, extract_info);
|
||||
- free(extract_info);
|
||||
+cleanup:
|
||||
+ free(hash);
|
||||
semanage_module_key_destroy(sh, modkey);
|
||||
free(modkey);
|
||||
- return sha256_buf;
|
||||
+ return hash_str;
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
@@ -669,7 +645,10 @@ cleanup_extract:
|
||||
/* fixed width columns */
|
||||
column[0] = sizeof("000") - 1;
|
||||
column[3] = sizeof("disabled") - 1;
|
||||
- column[4] = 64; /* SHA256_HASH_SIZE * 2 */
|
||||
+
|
||||
+ result = semanage_module_compute_checksum(sh, NULL, 0, NULL,
|
||||
+ &column[4]);
|
||||
+ if (result != 0) goto cleanup_list;
|
||||
|
||||
/* variable width columns */
|
||||
const char *tmp = NULL;
|
||||
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
|
||||
deleted file mode 100644
|
||||
index fe2aeef07f53..000000000000
|
||||
--- a/policycoreutils/semodule/sha256.c
|
||||
+++ /dev/null
|
||||
@@ -1,294 +0,0 @@
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// WjCryptLib_Sha256
|
||||
-//
|
||||
-// Implementation of SHA256 hash function.
|
||||
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
|
||||
-// Modified by WaterJuice retaining Public Domain license.
|
||||
-//
|
||||
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// IMPORTS
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-#include "sha256.h"
|
||||
-#include <memory.h>
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// MACROS
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
|
||||
-
|
||||
-#define MIN(x, y) ( ((x)<(y))?(x):(y) )
|
||||
-
|
||||
-#define STORE32H(x, y) \
|
||||
- { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
|
||||
- (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
|
||||
-
|
||||
-#define LOAD32H(x, y) \
|
||||
- { x = ((uint32_t)((y)[0] & 255)<<24) | \
|
||||
- ((uint32_t)((y)[1] & 255)<<16) | \
|
||||
- ((uint32_t)((y)[2] & 255)<<8) | \
|
||||
- ((uint32_t)((y)[3] & 255)); }
|
||||
-
|
||||
-#define STORE64H(x, y) \
|
||||
- { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
|
||||
- (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
|
||||
- (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
|
||||
- (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// CONSTANTS
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-// The K array
|
||||
-static const uint32_t K[64] = {
|
||||
- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
|
||||
- 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
|
||||
- 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
|
||||
- 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
|
||||
- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
|
||||
- 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
|
||||
- 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
|
||||
- 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
|
||||
- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
|
||||
- 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
|
||||
- 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
|
||||
- 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
|
||||
- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
|
||||
-};
|
||||
-
|
||||
-#define BLOCK_SIZE 64
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// INTERNAL FUNCTIONS
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-// Various logical functions
|
||||
-#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
|
||||
-#define Maj( x, y, z ) (((x | y) & z) | (x & y))
|
||||
-#define S( x, n ) ror((x),(n))
|
||||
-#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
|
||||
-#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
|
||||
-#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
|
||||
-#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
|
||||
-#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
|
||||
-
|
||||
-#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
|
||||
- t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
|
||||
- t1 = Sigma0(a) + Maj(a, b, c); \
|
||||
- d += t0; \
|
||||
- h = t0 + t1;
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// TransformFunction
|
||||
-//
|
||||
-// Compress 512-bits
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-static
|
||||
-void
|
||||
- TransformFunction
|
||||
- (
|
||||
- Sha256Context* Context,
|
||||
- uint8_t const* Buffer
|
||||
- )
|
||||
-{
|
||||
- uint32_t S[8];
|
||||
- uint32_t W[64];
|
||||
- uint32_t t0;
|
||||
- uint32_t t1;
|
||||
- uint32_t t;
|
||||
- int i;
|
||||
-
|
||||
- // Copy state into S
|
||||
- for( i=0; i<8; i++ )
|
||||
- {
|
||||
- S[i] = Context->state[i];
|
||||
- }
|
||||
-
|
||||
- // Copy the state into 512-bits into W[0..15]
|
||||
- for( i=0; i<16; i++ )
|
||||
- {
|
||||
- LOAD32H( W[i], Buffer + (4*i) );
|
||||
- }
|
||||
-
|
||||
- // Fill W[16..63]
|
||||
- for( i=16; i<64; i++ )
|
||||
- {
|
||||
- W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
|
||||
- }
|
||||
-
|
||||
- // Compress
|
||||
- for( i=0; i<64; i++ )
|
||||
- {
|
||||
- Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
|
||||
- t = S[7];
|
||||
- S[7] = S[6];
|
||||
- S[6] = S[5];
|
||||
- S[5] = S[4];
|
||||
- S[4] = S[3];
|
||||
- S[3] = S[2];
|
||||
- S[2] = S[1];
|
||||
- S[1] = S[0];
|
||||
- S[0] = t;
|
||||
- }
|
||||
-
|
||||
- // Feedback
|
||||
- for( i=0; i<8; i++ )
|
||||
- {
|
||||
- Context->state[i] = Context->state[i] + S[i];
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// PUBLIC FUNCTIONS
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Initialise
|
||||
-//
|
||||
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Initialise
|
||||
- (
|
||||
- Sha256Context* Context // [out]
|
||||
- )
|
||||
-{
|
||||
- Context->curlen = 0;
|
||||
- Context->length = 0;
|
||||
- Context->state[0] = 0x6A09E667UL;
|
||||
- Context->state[1] = 0xBB67AE85UL;
|
||||
- Context->state[2] = 0x3C6EF372UL;
|
||||
- Context->state[3] = 0xA54FF53AUL;
|
||||
- Context->state[4] = 0x510E527FUL;
|
||||
- Context->state[5] = 0x9B05688CUL;
|
||||
- Context->state[6] = 0x1F83D9ABUL;
|
||||
- Context->state[7] = 0x5BE0CD19UL;
|
||||
-}
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Update
|
||||
-//
|
||||
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
|
||||
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Update
|
||||
- (
|
||||
- Sha256Context* Context, // [in out]
|
||||
- void const* Buffer, // [in]
|
||||
- uint32_t BufferSize // [in]
|
||||
- )
|
||||
-{
|
||||
- uint32_t n;
|
||||
-
|
||||
- if( Context->curlen > sizeof(Context->buf) )
|
||||
- {
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- while( BufferSize > 0 )
|
||||
- {
|
||||
- if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
|
||||
- {
|
||||
- TransformFunction( Context, (uint8_t*)Buffer );
|
||||
- Context->length += BLOCK_SIZE * 8;
|
||||
- Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
|
||||
- BufferSize -= BLOCK_SIZE;
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
|
||||
- memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
|
||||
- Context->curlen += n;
|
||||
- Buffer = (uint8_t*)Buffer + n;
|
||||
- BufferSize -= n;
|
||||
- if( Context->curlen == BLOCK_SIZE )
|
||||
- {
|
||||
- TransformFunction( Context, Context->buf );
|
||||
- Context->length += 8*BLOCK_SIZE;
|
||||
- Context->curlen = 0;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Finalise
|
||||
-//
|
||||
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
|
||||
-// calling this, Sha256Initialised must be used to reuse the context.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Finalise
|
||||
- (
|
||||
- Sha256Context* Context, // [in out]
|
||||
- SHA256_HASH* Digest // [out]
|
||||
- )
|
||||
-{
|
||||
- int i;
|
||||
-
|
||||
- if( Context->curlen >= sizeof(Context->buf) )
|
||||
- {
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
- // Increase the length of the message
|
||||
- Context->length += Context->curlen * 8;
|
||||
-
|
||||
- // Append the '1' bit
|
||||
- Context->buf[Context->curlen++] = (uint8_t)0x80;
|
||||
-
|
||||
- // if the length is currently above 56 bytes we append zeros
|
||||
- // then compress. Then we can fall back to padding zeros and length
|
||||
- // encoding like normal.
|
||||
- if( Context->curlen > 56 )
|
||||
- {
|
||||
- while( Context->curlen < 64 )
|
||||
- {
|
||||
- Context->buf[Context->curlen++] = (uint8_t)0;
|
||||
- }
|
||||
- TransformFunction(Context, Context->buf);
|
||||
- Context->curlen = 0;
|
||||
- }
|
||||
-
|
||||
- // Pad up to 56 bytes of zeroes
|
||||
- while( Context->curlen < 56 )
|
||||
- {
|
||||
- Context->buf[Context->curlen++] = (uint8_t)0;
|
||||
- }
|
||||
-
|
||||
- // Store length
|
||||
- STORE64H( Context->length, Context->buf+56 );
|
||||
- TransformFunction( Context, Context->buf );
|
||||
-
|
||||
- // Copy output
|
||||
- for( i=0; i<8; i++ )
|
||||
- {
|
||||
- STORE32H( Context->state[i], Digest->bytes+(4*i) );
|
||||
- }
|
||||
-}
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Calculate
|
||||
-//
|
||||
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
|
||||
-// buffer.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Calculate
|
||||
- (
|
||||
- void const* Buffer, // [in]
|
||||
- uint32_t BufferSize, // [in]
|
||||
- SHA256_HASH* Digest // [in]
|
||||
- )
|
||||
-{
|
||||
- Sha256Context context;
|
||||
-
|
||||
- Sha256Initialise( &context );
|
||||
- Sha256Update( &context, Buffer, BufferSize );
|
||||
- Sha256Finalise( &context, Digest );
|
||||
-}
|
||||
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
|
||||
deleted file mode 100644
|
||||
index 406ed869cd82..000000000000
|
||||
--- a/policycoreutils/semodule/sha256.h
|
||||
+++ /dev/null
|
||||
@@ -1,89 +0,0 @@
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// WjCryptLib_Sha256
|
||||
-//
|
||||
-// Implementation of SHA256 hash function.
|
||||
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
|
||||
-// Modified by WaterJuice retaining Public Domain license.
|
||||
-//
|
||||
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-#pragma once
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// IMPORTS
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-#include <stdint.h>
|
||||
-#include <stdio.h>
|
||||
-
|
||||
-typedef struct
|
||||
-{
|
||||
- uint64_t length;
|
||||
- uint32_t state[8];
|
||||
- uint32_t curlen;
|
||||
- uint8_t buf[64];
|
||||
-} Sha256Context;
|
||||
-
|
||||
-#define SHA256_HASH_SIZE ( 256 / 8 )
|
||||
-
|
||||
-typedef struct
|
||||
-{
|
||||
- uint8_t bytes [SHA256_HASH_SIZE];
|
||||
-} SHA256_HASH;
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// PUBLIC FUNCTIONS
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Initialise
|
||||
-//
|
||||
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Initialise
|
||||
- (
|
||||
- Sha256Context* Context // [out]
|
||||
- );
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Update
|
||||
-//
|
||||
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
|
||||
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Update
|
||||
- (
|
||||
- Sha256Context* Context, // [in out]
|
||||
- void const* Buffer, // [in]
|
||||
- uint32_t BufferSize // [in]
|
||||
- );
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Finalise
|
||||
-//
|
||||
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
|
||||
-// calling this, Sha256Initialised must be used to reuse the context.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Finalise
|
||||
- (
|
||||
- Sha256Context* Context, // [in out]
|
||||
- SHA256_HASH* Digest // [out]
|
||||
- );
|
||||
-
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-// Sha256Calculate
|
||||
-//
|
||||
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
|
||||
-// buffer.
|
||||
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
-void
|
||||
- Sha256Calculate
|
||||
- (
|
||||
- void const* Buffer, // [in]
|
||||
- uint32_t BufferSize, // [in]
|
||||
- SHA256_HASH* Digest // [in]
|
||||
- );
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 11 Nov 2020 17:23:40 +0100
|
||||
Subject: [PATCH] selinux_config(5): add a note that runtime disable is
|
||||
deprecated
|
||||
|
||||
...and refer to selinux(8), which explains it further.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
policycoreutils/man/man5/selinux_config.5 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
|
||||
index 1ffade150128..58b42a0e234d 100644
|
||||
--- a/policycoreutils/man/man5/selinux_config.5
|
||||
+++ b/policycoreutils/man/man5/selinux_config.5
|
||||
@@ -48,7 +48,7 @@ SELinux security policy is enforced.
|
||||
.IP \fIpermissive\fR 4
|
||||
SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
|
||||
.IP \fIdisabled\fR
|
||||
-SELinux is disabled and no policy is loaded.
|
||||
+No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
|
||||
.RE
|
||||
.sp
|
||||
The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
|
||||
--
|
||||
2.29.2
|
||||
|
|
@ -0,0 +1,144 @@
|
|||
From 9341da3478625bb2ba2e7d4f3e227735cc9c8198 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Thu, 3 Feb 2022 17:53:27 +0100
|
||||
Subject: [PATCH] semodule: add command-line option to detect module changes
|
||||
|
||||
Add a new command-line option "--rebuild-if-modules-changed" to control
|
||||
the newly introduced check_ext_changes libsemanage flag.
|
||||
|
||||
For example, running `semodule --rebuild-if-modules-changed` will ensure
|
||||
that any externally added/removed modules (e.g. by an RPM transaction)
|
||||
are reflected in the compiled policy, while skipping the most expensive
|
||||
part of the rebuild if no module change was deteceted since the last
|
||||
libsemanage transaction.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
policycoreutils/semodule/semodule.8 | 7 +++++++
|
||||
policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++-------
|
||||
2 files changed, 32 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
|
||||
index 3a2fb21c2481..d1735d216276 100644
|
||||
--- a/policycoreutils/semodule/semodule.8
|
||||
+++ b/policycoreutils/semodule/semodule.8
|
||||
@@ -23,6 +23,13 @@ force a reload of policy
|
||||
.B \-B, \-\-build
|
||||
force a rebuild of policy (also reloads unless \-n is used)
|
||||
.TP
|
||||
+.B \-\-rebuild-if-modules-changed
|
||||
+Force a rebuild of the policy if any changes to module content are detected
|
||||
+(by comparing with checksum from the last transaction). One can use this
|
||||
+instead of \-B to ensure that any changes to the module store done by an
|
||||
+external tool (e.g. a package manager) are applied, while automatically
|
||||
+skipping the rebuild if there are no new changes.
|
||||
+.TP
|
||||
.B \-D, \-\-disable_dontaudit
|
||||
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
|
||||
.TP
|
||||
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
|
||||
index f4a76289efa3..1ed8e69054e0 100644
|
||||
--- a/policycoreutils/semodule/semodule.c
|
||||
+++ b/policycoreutils/semodule/semodule.c
|
||||
@@ -47,6 +47,7 @@ static int verbose;
|
||||
static int reload;
|
||||
static int no_reload;
|
||||
static int build;
|
||||
+static int check_ext_changes;
|
||||
static int disable_dontaudit;
|
||||
static int preserve_tunables;
|
||||
static int ignore_module_cache;
|
||||
@@ -149,6 +150,9 @@ static void usage(char *progname)
|
||||
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
|
||||
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
|
||||
printf(" -m, --checksum print module checksum (SHA256).\n");
|
||||
+ printf(" --rebuild-if-modules-changed\n"
|
||||
+ " force policy rebuild if module content changed since\n"
|
||||
+ " last rebuild (based on checksum)\n");
|
||||
}
|
||||
|
||||
/* Sets the global mode variable to new_mode, but only if no other
|
||||
@@ -180,6 +184,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
|
||||
static void parse_command_line(int argc, char **argv)
|
||||
{
|
||||
static struct option opts[] = {
|
||||
+ {"rebuild-if-modules-changed", 0, NULL, '\0'},
|
||||
{"store", required_argument, NULL, 's'},
|
||||
{"base", required_argument, NULL, 'b'},
|
||||
{"help", 0, NULL, 'h'},
|
||||
@@ -207,15 +212,26 @@ static void parse_command_line(int argc, char **argv)
|
||||
};
|
||||
int extract_selected = 0;
|
||||
int cil_hll_set = 0;
|
||||
- int i;
|
||||
+ int i, longind;
|
||||
verbose = 0;
|
||||
reload = 0;
|
||||
no_reload = 0;
|
||||
+ check_ext_changes = 0;
|
||||
priority = 400;
|
||||
while ((i =
|
||||
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
|
||||
- NULL)) != -1) {
|
||||
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
|
||||
+ opts, &longind)) != -1) {
|
||||
switch (i) {
|
||||
+ case '\0':
|
||||
+ switch(longind) {
|
||||
+ case 0: /* --rebuild-if-modules-changed */
|
||||
+ check_ext_changes = 1;
|
||||
+ break;
|
||||
+ default:
|
||||
+ usage(argv[0]);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ break;
|
||||
case 'b':
|
||||
fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
|
||||
set_mode(INSTALL_M, optarg);
|
||||
@@ -300,13 +316,13 @@ static void parse_command_line(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
- if ((build || reload) && num_commands) {
|
||||
+ if ((build || reload || check_ext_changes) && num_commands) {
|
||||
fprintf(stderr,
|
||||
"build or reload should not be used with other commands\n");
|
||||
usage(argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
- if (num_commands == 0 && reload == 0 && build == 0) {
|
||||
+ if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) {
|
||||
fprintf(stderr, "At least one mode must be specified.\n");
|
||||
usage(argv[0]);
|
||||
exit(1);
|
||||
@@ -395,7 +411,7 @@ int main(int argc, char *argv[])
|
||||
|
||||
cil_set_log_level(CIL_ERR + verbose);
|
||||
|
||||
- if (build)
|
||||
+ if (build || check_ext_changes)
|
||||
commit = 1;
|
||||
|
||||
sh = semanage_handle_create();
|
||||
@@ -434,7 +450,7 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
}
|
||||
|
||||
- if (build) {
|
||||
+ if (build || check_ext_changes) {
|
||||
if ((result = semanage_begin_transaction(sh)) < 0) {
|
||||
fprintf(stderr, "%s: Could not begin transaction: %s\n",
|
||||
argv[0], errno ? strerror(errno) : "");
|
||||
@@ -807,6 +823,8 @@ cleanup_disable:
|
||||
semanage_set_reload(sh, 0);
|
||||
if (build)
|
||||
semanage_set_rebuild(sh, 1);
|
||||
+ if (check_ext_changes)
|
||||
+ semanage_set_check_ext_changes(sh, 1);
|
||||
if (disable_dontaudit)
|
||||
semanage_set_disable_dontaudit(sh, 1);
|
||||
else if (build)
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -0,0 +1,180 @@
|
|||
From 09f700e9f953769d1697c46179faba32e4b80c0f Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Fri, 4 Feb 2022 13:41:12 +0100
|
||||
Subject: [PATCH] policycoreutils/fixfiles: Use parallel relabeling
|
||||
|
||||
Commit 93902fc8340f ("setfiles/restorecon: support parallel relabeling")
|
||||
implemented support for parallel relabeling in setfiles. This is
|
||||
available for fixfiles now.
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
---
|
||||
policycoreutils/scripts/fixfiles | 35 +++++++++++++++++-------------
|
||||
policycoreutils/scripts/fixfiles.8 | 17 ++++++++++-----
|
||||
2 files changed, 31 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||
index cb20002ab613..a4a419ab62de 100755
|
||||
--- a/policycoreutils/scripts/fixfiles
|
||||
+++ b/policycoreutils/scripts/fixfiles
|
||||
@@ -110,6 +110,7 @@ BOOTTIME=""
|
||||
VERBOSE="-p"
|
||||
[ -t 1 ] || VERBOSE=""
|
||||
FORCEFLAG=""
|
||||
+THREADS=""
|
||||
RPMFILES=""
|
||||
PREFC=""
|
||||
RESTORE_MODE=""
|
||||
@@ -153,7 +154,7 @@ newer() {
|
||||
shift
|
||||
LogReadOnly
|
||||
for m in `echo $FILESYSTEMSRW`; do
|
||||
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
|
||||
+ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
|
||||
done;
|
||||
}
|
||||
|
||||
@@ -197,7 +198,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
|
||||
esac; \
|
||||
fi; \
|
||||
done | \
|
||||
- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -; \
|
||||
+ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -; \
|
||||
rm -f ${TEMPFILE} ${PREFCTEMPFILE}
|
||||
fi
|
||||
}
|
||||
@@ -235,11 +236,11 @@ LogExcluded
|
||||
case "$RESTORE_MODE" in
|
||||
RPMFILES)
|
||||
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
|
||||
- rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -
|
||||
+ rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -
|
||||
done
|
||||
;;
|
||||
FILEPATH)
|
||||
- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
|
||||
+ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -R -- "$FILEPATH"
|
||||
;;
|
||||
*)
|
||||
if [ -n "${FILESYSTEMSRW}" ]; then
|
||||
@@ -247,7 +248,7 @@ case "$RESTORE_MODE" in
|
||||
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
|
||||
|
||||
if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
|
||||
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
||||
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${THREADS} ${FC} ${FILESYSTEMSRW}
|
||||
else
|
||||
# we bind mount so we can fix the labels of files that have already been
|
||||
# mounted over
|
||||
@@ -257,7 +258,7 @@ case "$RESTORE_MODE" in
|
||||
|
||||
mkdir -p "${TMP_MOUNT}${m}" || exit 1
|
||||
mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
|
||||
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
|
||||
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
|
||||
umount "${TMP_MOUNT}${m}" || exit 1
|
||||
rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
|
||||
done;
|
||||
@@ -330,8 +331,9 @@ case "$1" in
|
||||
fi
|
||||
> /.autorelabel || exit $?
|
||||
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
|
||||
- [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
|
||||
- [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
|
||||
+ [ -z "$BOOTTIME" ] || echo -n "-N $BOOTTIME " >> /.autorelabel
|
||||
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo -n "-M " >> /.autorelabel
|
||||
+ [ -z "$THREADS" ] || echo -n "$THREADS " >> /.autorelabel
|
||||
# Force full relabel if SELinux is not enabled
|
||||
selinuxenabled || echo -F > /.autorelabel
|
||||
echo "System will relabel on next boot"
|
||||
@@ -343,17 +345,17 @@ esac
|
||||
}
|
||||
usage() {
|
||||
echo $"""
|
||||
-Usage: $0 [-v] [-F] [-M] [-f] relabel
|
||||
+Usage: $0 [-v] [-F] [-M] [-f] [-T nthreads] relabel
|
||||
or
|
||||
-Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
|
||||
+Usage: $0 [-v] [-F] [-B | -N time ] [-T nthreads] { check | restore | verify }
|
||||
or
|
||||
-Usage: $0 [-v] [-F] { check | restore | verify } dir/file ...
|
||||
+Usage: $0 [-v] [-F] [-T nthreads] { check | restore | verify } dir/file ...
|
||||
or
|
||||
-Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
|
||||
+Usage: $0 [-v] [-F] [-T nthreads] -R rpmpackage[,rpmpackage...] { check | restore | verify }
|
||||
or
|
||||
-Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
+Usage: $0 [-v] [-F] [-T nthreads] -C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
or
|
||||
-Usage: $0 [-F] [-M] [-B] onboot
|
||||
+Usage: $0 [-F] [-M] [-B] [-T nthreads] onboot
|
||||
"""
|
||||
}
|
||||
|
||||
@@ -372,7 +374,7 @@ set_restore_mode() {
|
||||
}
|
||||
|
||||
# See how we were called.
|
||||
-while getopts "N:BC:FfR:l:vM" i; do
|
||||
+while getopts "N:BC:FfR:l:vMT:" i; do
|
||||
case "$i" in
|
||||
B)
|
||||
BOOTTIME=`/bin/who -b | awk '{print $3}'`
|
||||
@@ -407,6 +409,9 @@ while getopts "N:BC:FfR:l:vM" i; do
|
||||
f)
|
||||
fullFlag=1
|
||||
;;
|
||||
+ T)
|
||||
+ THREADS="-T $OPTARG"
|
||||
+ ;;
|
||||
*)
|
||||
usage
|
||||
exit 1
|
||||
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
|
||||
index c4e894e56e8f..9a317d9181e2 100644
|
||||
--- a/policycoreutils/scripts/fixfiles.8
|
||||
+++ b/policycoreutils/scripts/fixfiles.8
|
||||
@@ -6,22 +6,22 @@ fixfiles \- fix file SELinux security contexts.
|
||||
.na
|
||||
|
||||
.B fixfiles
|
||||
-.I [\-v] [\-F] [-M] [\-f] relabel
|
||||
+.I [\-v] [\-F] [-M] [\-f] [\-T nthreads] relabel
|
||||
|
||||
.B fixfiles
|
||||
-.I [\-v] [\-F] { check | restore | verify } dir/file ...
|
||||
+.I [\-v] [\-F] [\-T nthreads] { check | restore | verify } dir/file ...
|
||||
|
||||
.B fixfiles
|
||||
-.I [\-v] [\-F] [\-B | \-N time ] { check | restore | verify }
|
||||
+.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
|
||||
|
||||
.B fixfiles
|
||||
-.I [\-v] [\-F] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
|
||||
+.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
|
||||
|
||||
.B fixfiles
|
||||
-.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
+.I [\-v] [\-F] [\-T nthreads] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
|
||||
.B fixfiles
|
||||
-.I [-F] [-M] [-B] onboot
|
||||
+.I [-F] [-M] [-B] [\-T nthreads] onboot
|
||||
|
||||
.ad
|
||||
|
||||
@@ -76,6 +76,11 @@ Bind mount filesystems before relabeling them, this allows fixing the context of
|
||||
.B -v
|
||||
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
|
||||
|
||||
+.TP
|
||||
+.B \-T nthreads
|
||||
+Use parallel relabeling, see
|
||||
+.B setfiles(8)
|
||||
+
|
||||
.SH "ARGUMENTS"
|
||||
One of:
|
||||
.TP
|
||||
--
|
||||
2.34.1
|
||||
|
|
@ -1,51 +0,0 @@
|
|||
From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
|
||||
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
|
||||
Date: Fri, 30 Oct 2020 22:53:09 +0100
|
||||
Subject: [PATCH] python/sepolicy: allow to override manpage date
|
||||
|
||||
in order to make builds reproducible.
|
||||
See https://reproducible-builds.org/ for why this is good
|
||||
and https://reproducible-builds.org/specs/source-date-epoch/
|
||||
for the definition of this variable.
|
||||
|
||||
This patch was done while working on reproducible builds for openSUSE.
|
||||
|
||||
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 6a3e08fca58c..c013c0d48502 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -39,6 +39,8 @@ typealias_types = {
|
||||
equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
|
||||
|
||||
equiv_dirs = ["/var"]
|
||||
+man_date = time.strftime("%y-%m-%d", time.gmtime(
|
||||
+ int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
|
||||
modules_dict = None
|
||||
|
||||
|
||||
@@ -546,7 +548,7 @@ class ManPage:
|
||||
|
||||
def _typealias(self,typealias):
|
||||
self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
|
||||
- % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
|
||||
+ % {'typealias':typealias, 'date': man_date})
|
||||
self.fd.write(r"""
|
||||
.SH "NAME"
|
||||
%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
|
||||
@@ -565,7 +567,7 @@ man page for more details.
|
||||
|
||||
def _header(self):
|
||||
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
|
||||
- % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
|
||||
+ % {'domainname': self.domainname, 'date': man_date})
|
||||
self.fd.write(r"""
|
||||
.SH "NAME"
|
||||
%(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
|
||||
--
|
||||
2.29.2
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
%global libauditver 3.0
|
||||
%global libsepolver 3.1-5
|
||||
%global libsemanagever 3.1-5
|
||||
%global libselinuxver 3.1-5
|
||||
%global libsepolver 3.3-1
|
||||
%global libsemanagever 3.3-3
|
||||
%global libselinuxver 3.3-2
|
||||
|
||||
%global generatorsdir %{_prefix}/lib/systemd/system-generators
|
||||
|
||||
|
@ -10,17 +10,11 @@
|
|||
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 3.1
|
||||
Release: 8%{?dist}
|
||||
Version: 3.3
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz
|
||||
Source1: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
|
||||
Source2: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-gui-3.1.tar.gz
|
||||
Source3: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-sandbox-3.1.tar.gz
|
||||
Source4: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-dbus-3.1.tar.gz
|
||||
Source5: https://github.com/SELinuxProject/selinux/releases/download/20200710/semodule-utils-3.1.tar.gz
|
||||
Source6: https://github.com/SELinuxProject/selinux/releases/download/20200710/restorecond-3.1.tar.gz
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/selinux-3.3.tar.gz
|
||||
URL: https://github.com/SELinuxProject/selinux
|
||||
Source13: system-config-selinux.png
|
||||
Source14: sepolicy-icons.tgz
|
||||
|
@ -34,34 +28,34 @@ Source21: python-po.tgz
|
|||
Source22: gui-po.tgz
|
||||
Source23: sandbox-po.tgz
|
||||
# https://github.com/fedora-selinux/selinux
|
||||
# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
|
||||
# $ git format-patch -N 3.3 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
|
||||
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
|
||||
# Patch list start
|
||||
Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
|
||||
Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
|
||||
Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
|
||||
Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
|
||||
Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
|
||||
Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
|
||||
Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
|
||||
Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
|
||||
Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
|
||||
Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
|
||||
Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
|
||||
Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
|
||||
Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
|
||||
Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
|
||||
Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
|
||||
Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
|
||||
Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
|
||||
Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
|
||||
Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
|
||||
Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
|
||||
Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
|
||||
Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
|
||||
Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
|
||||
Patch0024: 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
|
||||
Patch0025: 0025-python-sepolicy-allow-to-override-manpage-date.patch
|
||||
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
|
||||
Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
|
||||
Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
|
||||
Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
|
||||
Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
|
||||
Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
|
||||
Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
|
||||
Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
|
||||
Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
|
||||
Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
|
||||
Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
|
||||
Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
|
||||
Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
|
||||
Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
|
||||
Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
|
||||
Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
|
||||
Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
|
||||
Patch0018: 0018-Use-SHA-2-instead-of-SHA-1.patch
|
||||
Patch0019: 0019-setfiles-restorecon-support-parallel-relabeling.patch
|
||||
Patch0020: 0020-semodule-add-m-checksum-option.patch
|
||||
Patch0021: 0021-semodule-Fix-lang_ext-column-index.patch
|
||||
Patch0022: 0022-semodule-Don-t-forget-to-munmap-data.patch
|
||||
Patch0023: 0023-semodule-libsemanage-move-module-hashing-into-libsem.patch
|
||||
Patch0024: 0024-semodule-add-command-line-option-to-detect-module-ch.patch
|
||||
Patch0025: 0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch
|
||||
# Patch list end
|
||||
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
|
@ -97,32 +91,15 @@ load_policy to load policies, setfiles to label filesystems, newrole
|
|||
to switch roles.
|
||||
|
||||
%prep -p /usr/bin/bash
|
||||
# create selinux/ directory and extract sources
|
||||
%autosetup -S git -N -c -n selinux
|
||||
%autosetup -S git -N -T -D -a 1 -n selinux
|
||||
%autosetup -S git -N -T -D -a 2 -n selinux
|
||||
%autosetup -S git -N -T -D -a 3 -n selinux
|
||||
%autosetup -S git -N -T -D -a 4 -n selinux
|
||||
%autosetup -S git -N -T -D -a 5 -n selinux
|
||||
%autosetup -S git -N -T -D -a 6 -n selinux
|
||||
|
||||
for i in *; do
|
||||
git mv $i ${i/-%{version}/}
|
||||
git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i/-%{version}/}"
|
||||
done
|
||||
|
||||
for i in selinux-*; do
|
||||
git mv $i ${i#selinux-}
|
||||
git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i#selinux-}"
|
||||
done
|
||||
|
||||
git am %{_sourcedir}/[0-9]*.patch
|
||||
%autosetup -n selinux-%{version} -p 1
|
||||
|
||||
cp %{SOURCE13} gui/
|
||||
tar -xvf %{SOURCE14} -C python/sepolicy/
|
||||
|
||||
# Since patches containing translation changes were too big, translations were moved to separate tarballs
|
||||
# For more information see README.translations
|
||||
# First remove old translation files
|
||||
rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
|
||||
tar -x -f %{SOURCE20} -C policycoreutils -z
|
||||
tar -x -f %{SOURCE21} -C python -z
|
||||
tar -x -f %{SOURCE22} -C gui -z
|
||||
|
@ -132,7 +109,7 @@ tar -x -f %{SOURCE23} -C sandbox -z
|
|||
%set_build_flags
|
||||
export PYTHON=%{__python3}
|
||||
|
||||
make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
|
||||
make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
|
||||
make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
|
||||
make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
|
||||
make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
|
||||
|
@ -244,8 +221,8 @@ an SELinux environment.
|
|||
%package dbus
|
||||
Summary: SELinux policy core DBUS api
|
||||
Requires: python3-policycoreutils = %{version}-%{release}
|
||||
Requires: python3-slip-dbus
|
||||
Requires: python3-gobject-base
|
||||
Requires: polkit
|
||||
BuildArch: noarch
|
||||
|
||||
%description dbus
|
||||
|
@ -304,7 +281,7 @@ by python 3 in an SELinux environment.
|
|||
Summary: SELinux policy core policy devel utilities
|
||||
Requires: policycoreutils-python-utils = %{version}-%{release}
|
||||
Requires: /usr/bin/make dnf
|
||||
Requires: selinux-policy-devel
|
||||
Requires: (selinux-policy-devel if selinux-policy)
|
||||
|
||||
%description devel
|
||||
The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment.
|
||||
|
@ -415,12 +392,14 @@ system-config-selinux is a utility for managing the SELinux environment
|
|||
%{_sbindir}/genhomedircon
|
||||
%{_sbindir}/setsebool
|
||||
%{_sbindir}/semodule
|
||||
# symlink to %%{_bindir}/sestatus
|
||||
%{_sbindir}/sestatus
|
||||
%{_bindir}/secon
|
||||
%{_bindir}/semodule_expand
|
||||
%{_bindir}/semodule_link
|
||||
%{_bindir}/semodule_package
|
||||
%{_bindir}/semodule_unpackage
|
||||
%{_bindir}/sestatus
|
||||
%{_libexecdir}/selinux/hll
|
||||
%{_libexecdir}/selinux/selinux-autorelabel
|
||||
%{_unitdir}/selinux-autorelabel-mark.service
|
||||
|
@ -483,42 +462,6 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
|
||||
%{_mandir}/man8/restorecond.8*
|
||||
%{_mandir}/ru/man8/restorecond.8*
|
||||
/usr/share/man/ru/man1/audit2why.1.gz
|
||||
/usr/share/man/ru/man1/newrole.1.gz
|
||||
/usr/share/man/ru/man5/sandbox.5.gz
|
||||
/usr/share/man/ru/man5/selinux_config.5.gz
|
||||
/usr/share/man/ru/man5/sestatus.conf.5.gz
|
||||
/usr/share/man/ru/man8/genhomedircon.8.gz
|
||||
/usr/share/man/ru/man8/restorecon_xattr.8.gz
|
||||
/usr/share/man/ru/man8/sandbox.8.gz
|
||||
/usr/share/man/ru/man8/selinux-polgengui.8.gz
|
||||
/usr/share/man/ru/man8/semanage-boolean.8.gz
|
||||
/usr/share/man/ru/man8/semanage-dontaudit.8.gz
|
||||
/usr/share/man/ru/man8/semanage-export.8.gz
|
||||
/usr/share/man/ru/man8/semanage-fcontext.8.gz
|
||||
/usr/share/man/ru/man8/semanage-ibendport.8.gz
|
||||
/usr/share/man/ru/man8/semanage-ibpkey.8.gz
|
||||
/usr/share/man/ru/man8/semanage-import.8.gz
|
||||
/usr/share/man/ru/man8/semanage-interface.8.gz
|
||||
/usr/share/man/ru/man8/semanage-login.8.gz
|
||||
/usr/share/man/ru/man8/semanage-module.8.gz
|
||||
/usr/share/man/ru/man8/semanage-node.8.gz
|
||||
/usr/share/man/ru/man8/semanage-permissive.8.gz
|
||||
/usr/share/man/ru/man8/semanage-port.8.gz
|
||||
/usr/share/man/ru/man8/semanage-user.8.gz
|
||||
/usr/share/man/ru/man8/semodule_unpackage.8.gz
|
||||
/usr/share/man/ru/man8/sepolgen.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-booleans.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-communicate.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-generate.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-gui.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-interface.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-manpage.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-network.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy-transition.8.gz
|
||||
/usr/share/man/ru/man8/sepolicy.8.gz
|
||||
/usr/share/man/ru/man8/seunshare.8.gz
|
||||
/usr/share/man/ru/man8/system-config-selinux.8.gz
|
||||
|
||||
%{!?_licensedir:%global license %%doc}
|
||||
%license policycoreutils/COPYING
|
||||
|
@ -539,6 +482,59 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Sat Feb 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-4
|
||||
- semodule: add command-line option to detect module changes
|
||||
- fixfiles: Use parallel relabeling
|
||||
|
||||
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
|
||||
- setfiles/restorecon: support parallel relabeling with -T <N> option
|
||||
- semodule: add -m | --checksum option
|
||||
|
||||
* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
|
||||
- SELinux userspace 3.3 release
|
||||
|
||||
* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
|
||||
- SELinux userspace 3.3-rc3 release
|
||||
|
||||
* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
|
||||
- SELinux userspace 3.3-rc2 release
|
||||
|
||||
* Tue Aug 3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-6
|
||||
- Drop forgotten ru/ man pages from -restorecond
|
||||
|
||||
* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
|
||||
- Rebase on upstream commit 32611aea6543
|
||||
|
||||
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
||||
|
||||
* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 3.2-3
|
||||
- Rebuilt for Python 3.10
|
||||
|
||||
* Mon May 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-2
|
||||
- Do not use Python slip
|
||||
- fixfiles: do not exclude /dev and /run in -C mode
|
||||
- dbus: use GLib.MainLoop
|
||||
|
||||
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
|
||||
- SELinux userspace 3.2 release
|
||||
|
||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.2-0.rc2.1.1
|
||||
- Rebuilt for updated systemd-rpm-macros
|
||||
See https://pagure.io/fesco/issue/2583.
|
||||
|
||||
* Fri Feb 5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
|
||||
- SELinux userspace 3.2-rc2 release
|
||||
|
||||
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
|
||||
- SELinux userspace 3.2-rc1 release
|
||||
|
||||
* Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
|
||||
- Fix BuildRequires to libsemanage-devel
|
||||
|
||||
|
|
9
sources
9
sources
|
@ -1,11 +1,6 @@
|
|||
SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
|
||||
SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
|
||||
SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
|
||||
SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
|
||||
SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
|
||||
SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
|
||||
SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
|
||||
SHA512 (selinux-3.3-rc3.tar.gz) = 239a10ce5ab31233dbd4fccf3668c2643df66e6b19065a0e57396a2b277cf4769985292613df67011b82afa25ff8dbd02123bd09d59cd8984b8b5d4d572284bc
|
||||
SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
|
||||
SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
|
||||
SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be
|
||||
SHA512 (sandbox-po.tgz) = 3d4b389b56bab1a6dddce9884dcebdefbefd1017fec6d987ac22a0705f409ed56722387aaca8fe7d9c468862136387bc703062e2b6de8fd102e13fed04ce811b
|
||||
SHA512 (selinux-3.3.tar.gz) = 3d1ad92e63484a7533257ae65e4d35d7acb2c9f17b3900240dbfa61c7a7aa4cdf7d7c0c4077e66b30cada26026f9d2ca1ca7d194bfa990d04b0259aef53af100
|
||||
|
|
Loading…
Reference in New Issue