Compare commits
12 Commits
Author | SHA1 | Date |
---|---|---|
Vit Mojzis | cebd1aaa1d | |
Vit Mojzis | 53ce27ce13 | |
Petr Lautrbach | e7422a061b | |
Petr Lautrbach | 2bcd80cca7 | |
Petr Lautrbach | f081be772a | |
Petr Lautrbach | d18ae09b2e | |
Petr Lautrbach | 27ad9af598 | |
Petr Lautrbach | 8373c69e96 | |
Petr Lautrbach | a0d1081a64 | |
Petr Lautrbach | 86c197c03d | |
Petr Lautrbach | 3b8e7af10e | |
Petr Lautrbach | 5e5eff56ff |
|
@ -239,86 +239,3 @@ policycoreutils-2.0.83.tgz
|
|||
/policycoreutils-2.5-rc1.tar.gz
|
||||
/policycoreutils-2.5.tar.gz
|
||||
/sepolgen-1.2.3.tar.gz
|
||||
/policycoreutils-2.6.tar.gz
|
||||
/sepolgen-2.6.tar.gz
|
||||
/policycoreutils-2.7.tar.gz
|
||||
/selinux-python-2.7.tar.gz
|
||||
/selinux-gui-2.7.tar.gz
|
||||
/selinux-sandbox-2.7.tar.gz
|
||||
/selinux-dbus-2.7.tar.gz
|
||||
/semodule-utils-2.7.tar.gz
|
||||
/restorecond-2.7.tar.gz
|
||||
/policycoreutils-2.8-rc1.tar.gz
|
||||
/restorecond-2.8-rc1.tar.gz
|
||||
/selinux-dbus-2.8-rc1.tar.gz
|
||||
/selinux-gui-2.8-rc1.tar.gz
|
||||
/selinux-python-2.8-rc1.tar.gz
|
||||
/selinux-sandbox-2.8-rc1.tar.gz
|
||||
/semodule-utils-2.8-rc1.tar.gz
|
||||
/policycoreutils-2.8-rc2.tar.gz
|
||||
/restorecond-2.8-rc2.tar.gz
|
||||
/selinux-dbus-2.8-rc2.tar.gz
|
||||
/selinux-gui-2.8-rc2.tar.gz
|
||||
/selinux-python-2.8-rc2.tar.gz
|
||||
/selinux-sandbox-2.8-rc2.tar.gz
|
||||
/semodule-utils-2.8-rc2.tar.gz
|
||||
/policycoreutils-2.8-rc3.tar.gz
|
||||
/restorecond-2.8-rc3.tar.gz
|
||||
/selinux-dbus-2.8-rc3.tar.gz
|
||||
/selinux-gui-2.8-rc3.tar.gz
|
||||
/selinux-python-2.8-rc3.tar.gz
|
||||
/selinux-sandbox-2.8-rc3.tar.gz
|
||||
/semodule-utils-2.8-rc3.tar.gz
|
||||
/policycoreutils-2.8.tar.gz
|
||||
/restorecond-2.8.tar.gz
|
||||
/selinux-dbus-2.8.tar.gz
|
||||
/selinux-gui-2.8.tar.gz
|
||||
/selinux-python-2.8.tar.gz
|
||||
/selinux-sandbox-2.8.tar.gz
|
||||
/semodule-utils-2.8.tar.gz
|
||||
/gui-po.tgz
|
||||
/policycoreutils-po.tgz
|
||||
/python-po.tgz
|
||||
/sandbox-po.tgz
|
||||
/policycoreutils-2.9-rc1.tar.gz
|
||||
/selinux-python-2.9-rc1.tar.gz
|
||||
/selinux-gui-2.9-rc1.tar.gz
|
||||
/selinux-sandbox-2.9-rc1.tar.gz
|
||||
/selinux-dbus-2.9-rc1.tar.gz
|
||||
/semodule-utils-2.9-rc1.tar.gz
|
||||
/restorecond-2.9-rc1.tar.gz
|
||||
/policycoreutils-2.9-rc2.tar.gz
|
||||
/restorecond-2.9-rc2.tar.gz
|
||||
/selinux-dbus-2.9-rc2.tar.gz
|
||||
/selinux-gui-2.9-rc2.tar.gz
|
||||
/selinux-python-2.9-rc2.tar.gz
|
||||
/selinux-sandbox-2.9-rc2.tar.gz
|
||||
/semodule-utils-2.9-rc2.tar.gz
|
||||
/policycoreutils-2.9.tar.gz
|
||||
/restorecond-2.9.tar.gz
|
||||
/selinux-dbus-2.9.tar.gz
|
||||
/selinux-gui-2.9.tar.gz
|
||||
/selinux-python-2.9.tar.gz
|
||||
/selinux-sandbox-2.9.tar.gz
|
||||
/semodule-utils-2.9.tar.gz
|
||||
/policycoreutils-3.0-rc1.tar.gz
|
||||
/restorecond-3.0-rc1.tar.gz
|
||||
/selinux-dbus-3.0-rc1.tar.gz
|
||||
/selinux-gui-3.0-rc1.tar.gz
|
||||
/selinux-python-3.0-rc1.tar.gz
|
||||
/selinux-sandbox-3.0-rc1.tar.gz
|
||||
/semodule-utils-3.0-rc1.tar.gz
|
||||
/policycoreutils-3.0.tar.gz
|
||||
/restorecond-3.0.tar.gz
|
||||
/selinux-dbus-3.0.tar.gz
|
||||
/selinux-gui-3.0.tar.gz
|
||||
/selinux-python-3.0.tar.gz
|
||||
/selinux-sandbox-3.0.tar.gz
|
||||
/semodule-utils-3.0.tar.gz
|
||||
/policycoreutils-3.1.tar.gz
|
||||
/restorecond-3.1.tar.gz
|
||||
/selinux-dbus-3.1.tar.gz
|
||||
/selinux-gui-3.1.tar.gz
|
||||
/selinux-python-3.1.tar.gz
|
||||
/selinux-sandbox-3.1.tar.gz
|
||||
/semodule-utils-3.1.tar.gz
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
|
||||
From: "W. Michael Petullo" <mike@flyn.org>
|
||||
Date: Thu, 16 Jul 2020 15:29:20 -0500
|
||||
Subject: [PATCH] python/audit2allow: add #include <limits.h> to
|
||||
sepolgen-ifgen-attr-helper.c
|
||||
|
||||
I found that building on OpenWrt/musl failed with:
|
||||
|
||||
sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
|
||||
|
||||
Musl is less "generous" than glibc in recursively including header
|
||||
files, and I suspect this is the reason for this error. Explicitly
|
||||
including limits.h fixes the problem.
|
||||
|
||||
Signed-off-by: W. Michael Petullo <mike@flyn.org>
|
||||
---
|
||||
python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||
index 53f20818722a..f010c9584c1f 100644
|
||||
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
|
||||
@@ -28,6 +28,7 @@
|
||||
|
||||
#include <selinux/selinux.h>
|
||||
|
||||
+#include <limits.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
|
||||
From: Laurent Bigonville <bigon@bigon.be>
|
||||
Date: Thu, 16 Jul 2020 14:22:13 +0200
|
||||
Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
|
||||
restorecond.desktop file
|
||||
|
||||
This completely inactivate the .desktop file incase the user session is
|
||||
managed by systemd as restorecond also provide a service file
|
||||
|
||||
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
|
||||
---
|
||||
restorecond/restorecond.desktop | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
|
||||
index af7286801c24..7df854727a3f 100644
|
||||
--- a/restorecond/restorecond.desktop
|
||||
+++ b/restorecond/restorecond.desktop
|
||||
@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
|
||||
Type=Application
|
||||
StartupNotify=false
|
||||
X-GNOME-Autostart-enabled=false
|
||||
+X-GNOME-HiddenUnderSystemd=true
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,136 +0,0 @@
|
|||
From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
|
||||
From: bauen1 <j2468h@googlemail.com>
|
||||
Date: Thu, 6 Aug 2020 16:48:36 +0200
|
||||
Subject: [PATCH] fixfiles: correctly restore context of mountpoints
|
||||
|
||||
By bind mounting every filesystem we want to relabel we can access all
|
||||
files without anything hidden due to active mounts.
|
||||
|
||||
This comes at the cost of user experience, because setfiles only
|
||||
displays the percentage if no path is given or the path is /
|
||||
|
||||
Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
policycoreutils/scripts/fixfiles | 29 +++++++++++++++++++++++++----
|
||||
policycoreutils/scripts/fixfiles.8 | 8 ++++++--
|
||||
2 files changed, 31 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||
index 5d7770348349..30dadb4f4cb6 100755
|
||||
--- a/policycoreutils/scripts/fixfiles
|
||||
+++ b/policycoreutils/scripts/fixfiles
|
||||
@@ -112,6 +112,7 @@ FORCEFLAG=""
|
||||
RPMFILES=""
|
||||
PREFC=""
|
||||
RESTORE_MODE=""
|
||||
+BIND_MOUNT_FILESYSTEMS=""
|
||||
SETFILES=/sbin/setfiles
|
||||
RESTORECON=/sbin/restorecon
|
||||
FILESYSTEMSRW=`get_rw_labeled_mounts`
|
||||
@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
|
||||
if [ -n "${FILESYSTEMSRW}" ]; then
|
||||
LogReadOnly
|
||||
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
|
||||
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
||||
+
|
||||
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
|
||||
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
|
||||
+ else
|
||||
+ # we bind mount so we can fix the labels of files that have already been
|
||||
+ # mounted over
|
||||
+ for m in `echo $FILESYSTEMSRW`; do
|
||||
+ TMP_MOUNT="$(mktemp -d)"
|
||||
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
|
||||
+
|
||||
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
|
||||
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
|
||||
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
|
||||
+ umount "${TMP_MOUNT}${m}" || exit 1
|
||||
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
|
||||
+ done;
|
||||
+ fi
|
||||
else
|
||||
echo >&2 "fixfiles: No suitable file systems found"
|
||||
fi
|
||||
@@ -313,6 +330,7 @@ case "$1" in
|
||||
> /.autorelabel || exit $?
|
||||
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
|
||||
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
|
||||
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
|
||||
# Force full relabel if SELinux is not enabled
|
||||
selinuxenabled || echo -F > /.autorelabel
|
||||
echo "System will relabel on next boot"
|
||||
@@ -324,7 +342,7 @@ esac
|
||||
}
|
||||
usage() {
|
||||
echo $"""
|
||||
-Usage: $0 [-v] [-F] [-f] relabel
|
||||
+Usage: $0 [-v] [-F] [-M] [-f] relabel
|
||||
or
|
||||
Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
|
||||
or
|
||||
@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
|
||||
or
|
||||
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
or
|
||||
-Usage: $0 [-F] [-B] onboot
|
||||
+Usage: $0 [-F] [-M] [-B] onboot
|
||||
"""
|
||||
}
|
||||
|
||||
@@ -353,7 +371,7 @@ set_restore_mode() {
|
||||
}
|
||||
|
||||
# See how we were called.
|
||||
-while getopts "N:BC:FfR:l:v" i; do
|
||||
+while getopts "N:BC:FfR:l:vM" i; do
|
||||
case "$i" in
|
||||
B)
|
||||
BOOTTIME=`/bin/who -b | awk '{print $3}'`
|
||||
@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
|
||||
echo "Redirecting output to $OPTARG"
|
||||
exec >>"$OPTARG" 2>&1
|
||||
;;
|
||||
+ M)
|
||||
+ BIND_MOUNT_FILESYSTEMS="-M"
|
||||
+ ;;
|
||||
F)
|
||||
FORCEFLAG="-F"
|
||||
;;
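Review bot: In hunk `@@ -243,7 +244,23 @@` the guard after `mktemp -d` can never fire: `${TMP_MOUNT+x}` expands to `x` whenever the variable is set, and it was assigned on the line before, so `test -z` sees a non-empty word even when mktemp failed and left it empty. With an empty TMP_MOUNT the following `mkdir -p`, `mount --bind` and `setfiles -r` would operate on the real `${m}` path instead of a private directory. Checking the command itself is simpler: `TMP_MOUNT="$(mktemp -d)" || { echo "Unable to find temporary directory!"; exit 1; }`. The `exit 1` paths taken after a successful mount also leave the bind mount and the temporary directory behind; a `trap` that unmounts and removes them would cover those and an interrupted run. The enclosing `case` branch starts and ends outside the hunk.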
|
||||
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
|
||||
index 9f447f03d444..123425308416 100644
|
||||
--- a/policycoreutils/scripts/fixfiles.8
|
||||
+++ b/policycoreutils/scripts/fixfiles.8
|
||||
@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
|
||||
.na
|
||||
|
||||
.B fixfiles
|
||||
-.I [\-v] [\-F] [\-f] relabel
|
||||
+.I [\-v] [\-F] [-M] [\-f] relabel
|
||||
|
||||
.B fixfiles
|
||||
.I [\-v] [\-F] { check | restore | verify } dir/file ...
|
||||
@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
|
||||
.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
|
||||
|
||||
.B fixfiles
|
||||
-.I [-F] [-B] onboot
|
||||
+.I [-F] [-M] [-B] onboot
|
||||
|
||||
.ad
|
||||
|
||||
@@ -68,6 +68,10 @@ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and
|
||||
Only act on files created after the specified date. Date must be specified in
|
||||
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt command.
|
||||
|
||||
+.TP
|
||||
+.B \-M
|
||||
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
|
||||
+
|
||||
.TP
|
||||
.B -v
|
||||
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,112 +0,0 @@
|
|||
From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Wed, 19 Aug 2020 17:05:33 +0200
|
||||
Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
All tools like ausearch(8) or sesearch(1) and online documentation[1]
|
||||
use hexadecimal values for extended permissions.
|
||||
Hence use them, e.g. for audit2allow output, as well.
|
||||
|
||||
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
python/sepolgen/src/sepolgen/refpolicy.py | 5 ++---
|
||||
python/sepolgen/tests/test_access.py | 10 +++++-----
|
||||
python/sepolgen/tests/test_refpolicy.py | 12 ++++++------
|
||||
3 files changed, 13 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
|
||||
index 43cecfc77385..747636875ef7 100644
|
||||
--- a/python/sepolgen/src/sepolgen/refpolicy.py
|
||||
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
|
||||
@@ -407,10 +407,9 @@ class XpermSet():
|
||||
|
||||
# print single value without braces
|
||||
if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
|
||||
- return compl + str(self.ranges[0][0])
|
||||
+ return compl + hex(self.ranges[0][0])
|
||||
|
||||
- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
|
||||
- self.ranges)
|
||||
+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
|
||||
|
||||
return "%s{ %s }" % (compl, " ".join(vals))
|
||||
|
||||
diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
|
||||
index 73a5407df617..623588e09aeb 100644
|
||||
--- a/python/sepolgen/tests/test_access.py
|
||||
+++ b/python/sepolgen/tests/test_access.py
|
||||
@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
|
||||
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||
|
||||
def text_merge_xperm2(self):
|
||||
"""Test merging AV that does not contain xperms with AV that does"""
|
||||
@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
|
||||
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||
|
||||
def test_merge_xperm_diff_op(self):
|
||||
"""Test merging two AVs that contain xperms with different operation"""
|
||||
@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(list(a.perms), ["read"])
|
||||
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
|
||||
- self.assertEqual(a.xperms["asdf"].to_string(), "23")
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
|
||||
|
||||
def test_merge_xperm_same_op(self):
|
||||
"""Test merging two AVs that contain xperms with same operation"""
|
||||
@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
|
||||
a.merge(b)
|
||||
self.assertEqual(list(a.perms), ["read"])
|
||||
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
|
||||
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
|
||||
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
|
||||
|
||||
class TestUtilFunctions(unittest.TestCase):
|
||||
def test_is_idparam(self):
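Review bot: The context line `def text_merge_xperm2(self):` in the first hunk of this file is spelled `text_`, not `test_`, so unittest's default loader will not collect it. The expectation updated in hunk `@@ -185,7 +185,7 @@` appears to sit in that method's body (the body runs across the hunk boundary), which would mean the new `"{ 0x2a 0x3039 }"` value there is never actually checked. Renaming it to `def test_merge_xperm2(self):` makes the updated assertion guard the hexadecimal format.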
|
||||
diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
|
||||
index 4b50c8aada96..c7219fd568e9 100644
|
||||
--- a/python/sepolgen/tests/test_refpolicy.py
|
||||
+++ b/python/sepolgen/tests/test_refpolicy.py
|
||||
@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
|
||||
a.complement = True
|
||||
self.assertEqual(a.to_string(), "")
|
||||
a.add(1234)
|
||||
- self.assertEqual(a.to_string(), "~ 1234")
|
||||
+ self.assertEqual(a.to_string(), "~ 0x4d2")
|
||||
a.complement = False
|
||||
- self.assertEqual(a.to_string(), "1234")
|
||||
+ self.assertEqual(a.to_string(), "0x4d2")
|
||||
a.add(2345)
|
||||
- self.assertEqual(a.to_string(), "{ 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
|
||||
a.complement = True
|
||||
- self.assertEqual(a.to_string(), "~ { 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
|
||||
a.add(42,64)
|
||||
- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
|
||||
a.complement = False
|
||||
- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
|
||||
+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
|
||||
|
||||
class TestSecurityContext(unittest.TestCase):
|
||||
def test_init(self):
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,109 +0,0 @@
|
|||
From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Wed, 19 Aug 2020 17:05:34 +0200
|
||||
Subject: [PATCH] sepolgen: sort extended rules like normal ones
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently:
|
||||
|
||||
#============= sshd_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t ptmx_t:chr_file ioctl;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t sshd_devpts_t:chr_file ioctl;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t user_devpts_t:chr_file ioctl;
|
||||
|
||||
#============= user_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t devtty_t:chr_file ioctl;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t user_devpts_t:chr_file ioctl;
|
||||
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
|
||||
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
|
||||
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
|
||||
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
|
||||
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
|
||||
|
||||
Changed:
|
||||
|
||||
#============= sshd_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t ptmx_t:chr_file ioctl;
|
||||
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t sshd_devpts_t:chr_file ioctl;
|
||||
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow sshd_t user_devpts_t:chr_file ioctl;
|
||||
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
|
||||
|
||||
#============= user_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t devtty_t:chr_file ioctl;
|
||||
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
#!!!! This av rule may have been overridden by an extended permission av rule
|
||||
allow user_t user_devpts_t:chr_file ioctl;
|
||||
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
python/sepolgen/src/sepolgen/output.py | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
|
||||
index 3a21b64c19f7..aeeaafc889e7 100644
|
||||
--- a/python/sepolgen/src/sepolgen/output.py
|
||||
+++ b/python/sepolgen/src/sepolgen/output.py
|
||||
@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
|
||||
return ret
|
||||
|
||||
# At this point, who cares - just return something
|
||||
- return cmp(len(a.perms), len(b.perms))
|
||||
+ return 0
|
||||
|
||||
# Compare two interface calls
|
||||
def ifcall_cmp(a, b):
|
||||
@@ -100,7 +100,7 @@ def rule_cmp(a, b):
|
||||
else:
|
||||
return id_set_cmp([a.args[0]], b.src_types)
|
||||
else:
|
||||
- if isinstance(b, refpolicy.AVRule):
|
||||
+ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
|
||||
return avrule_cmp(a,b)
|
||||
else:
|
||||
return id_set_cmp(a.src_types, [b.args[0]])
|
||||
@@ -130,6 +130,7 @@ def sort_filter(module):
|
||||
# we assume is the first argument for interfaces).
|
||||
rules = []
|
||||
rules.extend(node.avrules())
|
||||
+ rules.extend(node.avextrules())
|
||||
rules.extend(node.interface_calls())
|
||||
rules.sort(key=util.cmp_to_key(rule_cmp))
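Review bot: The retained comment `# At this point, who cares - just return something` in `avrule_cmp` no longer describes the new `return 0`, because a tie now leaves the relative order to the sort itself. With `rules.extend(node.avrules())` placed before `rules.extend(node.avextrules())` and Python's stable `sort`, a rule and an extended rule that compare equal keep that insertion order, which looks like what produces each `allow` followed by its `allowxperm` in the commit message's example. I would replace the comment with `# Equal as far as we compare: keep insertion order (sort is stable), so avrules stay ahead of matching avextrules`. The `isinstance` pair in `rule_cmp` could also be written `isinstance(b, (refpolicy.AVRule, refpolicy.AVExtRule))`. All three functions start or end outside the visible hunks.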
|
||||
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
|
||||
From: Dominick Grift <dominick.grift@defensec.nl>
|
||||
Date: Tue, 1 Sep 2020 18:16:41 +0200
|
||||
Subject: [PATCH] newrole: support cross-compilation with PAM and audit
|
||||
|
||||
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
|
||||
|
||||
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
|
||||
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||
---
|
||||
policycoreutils/newrole/Makefile | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
|
||||
index 73ebd413da85..0e7ebce3dd56 100644
|
||||
--- a/policycoreutils/newrole/Makefile
|
||||
+++ b/policycoreutils/newrole/Makefile
|
||||
@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
|
||||
MANDIR ?= $(PREFIX)/share/man
|
||||
ETCDIR ?= /etc
|
||||
LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
|
||||
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
|
||||
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
|
||||
+INCLUDEDIR ?= $(PREFIX)/include
|
||||
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
|
||||
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
|
||||
# Enable capabilities to permit newrole to generate audit records.
|
||||
# This will make newrole a setuid root program.
|
||||
# The capabilities used are: CAP_AUDIT_WRITE.
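Review bot: The new default `INCLUDEDIR ?= $(PREFIX)/include` changes where `PAMH` and `AUDITH` are probed, and a miss is silent: `test -f ... && echo y` just leaves the variable empty. A build with a `PREFIX` whose headers still live in `/usr/include` would therefore stop detecting PAM and audit without any message; how the rest of the Makefile builds newrole in that case is outside this hunk. A comment above the variable such as `# INCLUDEDIR: where pam_appl.h and libaudit.h are looked up; point it at the target sysroot's include dir when cross-compiling` would help. A `$(warning ...)` when either probe comes back empty would also make a newrole built without PAM or audit support visible at build time.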
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 20 Aug 2015 12:58:41 +0200
|
||||
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
|
||||
recent Fedoras
|
||||
|
||||
---
|
||||
sandbox/sandboxX.sh | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
|
||||
index eaa500d08143..4774528027ef 100644
|
||||
--- a/sandbox/sandboxX.sh
|
||||
+++ b/sandbox/sandboxX.sh
|
||||
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
|
||||
</openbox_config>
|
||||
EOF
|
||||
|
||||
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||
export DISPLAY=:$D
|
||||
cat > ~/seremote << __EOF
|
||||
#!/bin/sh
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Mon, 21 Apr 2014 13:54:40 -0400
|
||||
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
|
||||
|
||||
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 3e8a3be907e3..a1d70623cff0 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -735,10 +735,13 @@ Default Defined Ports:""")
|
||||
|
||||
def _file_context(self):
|
||||
flist = []
|
||||
+ flist_non_exec = []
|
||||
mpaths = []
|
||||
for f in self.all_file_types:
|
||||
if f.startswith(self.domainname):
|
||||
flist.append(f)
|
||||
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
|
||||
+ flist_non_exec.append(f)
|
||||
if f in self.fcdict:
|
||||
mpaths = mpaths + self.fcdict[f]["regex"]
|
||||
if len(mpaths) == 0:
|
||||
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
SELinux defines the file context types for the %(domainname)s, if you wanted to
|
||||
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
|
||||
|
||||
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
|
||||
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
|
||||
.br
|
||||
.B restorecon -R -v /srv/my%(domainname)s_content
|
||||
|
||||
Note: SELinux often uses regular expressions to specify labels that match multiple files.
|
||||
-""" % {'domainname': self.domainname, "type": flist[0]})
|
||||
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
|
||||
|
||||
self.fd.write(r"""
|
||||
.I The following file types are defined for %(domainname)s:
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Mon, 12 May 2014 14:11:22 +0200
|
||||
Subject: [PATCH] If there is no executable we don't want to print a part of
|
||||
STANDARD FILE CONTEXT
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index a1d70623cff0..2d33eabb2536 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
.PP
|
||||
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
|
||||
|
||||
- self.fd.write(r"""
|
||||
+ if flist_non_exec:
|
||||
+ self.fd.write(r"""
|
||||
.PP
|
||||
.B STANDARD FILE CONTEXT
|
||||
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,169 +0,0 @@
|
|||
From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Thu, 19 Feb 2015 17:45:15 +0100
|
||||
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
|
||||
system_release is no longer hardcoded and it creates only index.html and html
|
||||
man pages in the directory for the system release.
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/__init__.py | 25 +++--------
|
||||
python/sepolicy/sepolicy/manpage.py | 65 +++-------------------------
|
||||
2 files changed, 13 insertions(+), 77 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
|
||||
index e4540977d042..ad718797ca68 100644
|
||||
--- a/python/sepolicy/sepolicy/__init__.py
|
||||
+++ b/python/sepolicy/sepolicy/__init__.py
|
||||
@@ -1208,27 +1208,14 @@ def boolean_desc(boolean):
|
||||
|
||||
|
||||
def get_os_version():
|
||||
- os_version = ""
|
||||
- pkg_name = "selinux-policy"
|
||||
+ system_release = ""
|
||||
try:
|
||||
- try:
|
||||
- from commands import getstatusoutput
|
||||
- except ImportError:
|
||||
- from subprocess import getstatusoutput
|
||||
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
|
||||
- if rc == 0:
|
||||
- os_version = output.split(".")[-2]
|
||||
- except:
|
||||
- os_version = ""
|
||||
-
|
||||
- if os_version[0:2] == "fc":
|
||||
- os_version = "Fedora" + os_version[2:]
|
||||
- elif os_version[0:2] == "el":
|
||||
- os_version = "RHEL" + os_version[2:]
|
||||
- else:
|
||||
- os_version = ""
|
||||
+ with open('/etc/system-release') as f:
|
||||
+ system_release = f.readline()
|
||||
+ except IOError:
|
||||
+ system_release = "Misc"
|
||||
|
||||
- return os_version
|
||||
+ return system_release
|
||||
|
||||
|
||||
def reinit():
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 2d33eabb2536..acc77f368d95 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -149,10 +149,6 @@ def prettyprint(f, trim):
|
||||
manpage_domains = []
|
||||
manpage_roles = []
|
||||
|
||||
-fedora_releases = ["Fedora17", "Fedora18"]
|
||||
-rhel_releases = ["RHEL6", "RHEL7"]
|
||||
-
|
||||
-
|
||||
def get_alphabet_manpages(manpage_list):
|
||||
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
|
||||
for i in string.ascii_letters:
|
||||
@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
|
||||
class HTMLManPages:
|
||||
|
||||
"""
|
||||
- Generate a HHTML Manpages on an given SELinux domains
|
||||
+ Generate a HTML Manpages on an given SELinux domains
|
||||
"""
|
||||
|
||||
def __init__(self, manpage_roles, manpage_domains, path, os_version):
|
||||
@@ -190,9 +186,9 @@ class HTMLManPages:
|
||||
self.manpage_domains = get_alphabet_manpages(manpage_domains)
|
||||
self.os_version = os_version
|
||||
self.old_path = path + "/"
|
||||
- self.new_path = self.old_path + self.os_version + "/"
|
||||
+ self.new_path = self.old_path
|
||||
|
||||
- if self.os_version in fedora_releases or self.os_version in rhel_releases:
|
||||
+ if self.os_version:
|
||||
self.__gen_html_manpages()
|
||||
else:
|
||||
print("SELinux HTML man pages can not be generated for this %s" % os_version)
|
||||
@@ -201,7 +197,6 @@ class HTMLManPages:
|
||||
def __gen_html_manpages(self):
|
||||
self._write_html_manpage()
|
||||
self._gen_index()
|
||||
- self._gen_body()
|
||||
self._gen_css()
|
||||
|
||||
def _write_html_manpage(self):
|
||||
@@ -219,67 +214,21 @@ class HTMLManPages:
|
||||
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
|
||||
|
||||
def _gen_index(self):
|
||||
- index = self.old_path + "index.html"
|
||||
- fd = open(index, 'w')
|
||||
- fd.write("""
|
||||
-<html>
|
||||
-<head>
|
||||
- <link rel=stylesheet type="text/css" href="style.css" title="style">
|
||||
- <title>SELinux man pages online</title>
|
||||
-</head>
|
||||
-<body>
|
||||
-<h1>SELinux man pages</h1>
|
||||
-<br></br>
|
||||
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
|
||||
-<br></br>
|
||||
-<hr>
|
||||
-<h3>Fedora</h3>
|
||||
-<table><tr>
|
||||
-<td valign="middle">
|
||||
-</td>
|
||||
-</tr></table>
|
||||
-<pre>
|
||||
-""")
|
||||
- for f in fedora_releases:
|
||||
- fd.write("""
|
||||
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
|
||||
-
|
||||
- fd.write("""
|
||||
-</pre>
|
||||
-<hr>
|
||||
-<h3>RHEL</h3>
|
||||
-<table><tr>
|
||||
-<td valign="middle">
|
||||
-</td>
|
||||
-</tr></table>
|
||||
-<pre>
|
||||
-""")
|
||||
- for r in rhel_releases:
|
||||
- fd.write("""
|
||||
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
|
||||
-
|
||||
- fd.write("""
|
||||
-</pre>
|
||||
- """)
|
||||
- fd.close()
|
||||
- print("%s has been created" % index)
|
||||
-
|
||||
- def _gen_body(self):
|
||||
html = self.new_path + self.os_version + ".html"
|
||||
fd = open(html, 'w')
|
||||
fd.write("""
|
||||
<html>
|
||||
<head>
|
||||
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
|
||||
- <title>Linux man-pages online for Fedora18</title>
|
||||
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
|
||||
+ <title>SELinux man pages online</title>
|
||||
</head>
|
||||
<body>
|
||||
-<h1>SELinux man pages for Fedora18</h1>
|
||||
+<h1>SELinux man pages for %s</h1>
|
||||
<hr>
|
||||
<table><tr>
|
||||
<td valign="middle">
|
||||
<h3>SELinux roles</h3>
|
||||
-""")
|
||||
+""" % self.os_version)
|
||||
for letter in self.manpage_roles:
|
||||
if len(self.manpage_roles[letter]):
|
||||
fd.write("""
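Review bot: `self.os_version` is written into the markup unescaped by the new `<h1>SELinux man pages for %s</h1>` line, and the unchanged `html = self.new_path + self.os_version + ".html"` line also uses it as a file name. With `get_os_version()` on this page returning the text read from `/etc/system-release`, the value is a free-form string (spaces, parentheses, possibly `&` or `/`), so both the generated HTML and the output path depend on whatever that line contains. I would escape it for the page, e.g. `""" % html.escape(self.os_version))` on Python 3 (needs `import html`), and build the file name from a sanitised copy such as `re.sub(r"[^A-Za-z0-9._-]", "_", self.os_version)`. The method continues past the end of this hunk, so later uses of the value are not visible here.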
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Fri, 20 Feb 2015 16:42:01 +0100
|
||||
Subject: [PATCH] We want to remove the trailing newline for
|
||||
/etc/system_release.
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/__init__.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
|
||||
index ad718797ca68..ea05d892bf3b 100644
|
||||
--- a/python/sepolicy/sepolicy/__init__.py
|
||||
+++ b/python/sepolicy/sepolicy/__init__.py
|
||||
@@ -1211,7 +1211,7 @@ def get_os_version():
|
||||
system_release = ""
|
||||
try:
|
||||
with open('/etc/system-release') as f:
|
||||
- system_release = f.readline()
|
||||
+ system_release = f.readline().rstrip()
|
||||
except IOError:
|
||||
system_release = "Misc"
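Review bot: An empty or whitespace-only first line now leaves `system_release` as `""` after the added `.rstrip()`, which is a different result from the `"Misc"` fallback used when the file cannot be opened. The `HTMLManPages.__init__` hunk earlier on this page only generates pages when `os_version` is truthy, so that case would skip generation and print a message with an empty name. `system_release = f.readline().rstrip() or "Misc"` would make both failure paths behave the same. The rest of `get_os_version()` lies outside this hunk, so any later handling of the value cannot be checked from here.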
|
||||
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Fri, 20 Feb 2015 16:42:53 +0100
|
||||
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index acc77f368d95..4aeb3e2e51ba 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -220,7 +220,7 @@ class HTMLManPages:
|
||||
<html>
|
||||
<head>
|
||||
<link rel=stylesheet type="text/css" href="style.css" title="style">
|
||||
- <title>SELinux man pages online</title>
|
||||
+ <title>SELinux man pages</title>
|
||||
</head>
|
||||
<body>
|
||||
<h1>SELinux man pages for %s</h1>
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Fri, 14 Feb 2014 12:32:12 -0500
|
||||
Subject: [PATCH] Don't be verbose if you are not on a tty
|
||||
|
||||
---
|
||||
policycoreutils/scripts/fixfiles | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||
index 30dadb4f4cb6..e73bb81c3336 100755
|
||||
--- a/policycoreutils/scripts/fixfiles
|
||||
+++ b/policycoreutils/scripts/fixfiles
|
||||
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
|
||||
fullFlag=0
|
||||
BOOTTIME=""
|
||||
VERBOSE="-p"
|
||||
+[ -t 1 ] || VERBOSE=""
|
||||
FORCEFLAG=""
|
||||
RPMFILES=""
|
||||
PREFC=""
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 27 Feb 2017 17:12:39 +0100
|
||||
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
|
||||
file_type_is_entrypoint(f)
|
||||
|
||||
- use direct queries
|
||||
- load exec_types and entry_types only once
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
|
||||
1 file changed, 20 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 4aeb3e2e51ba..330b055af214 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -125,8 +125,24 @@ def gen_domains():
|
||||
domains.sort()
|
||||
return domains
|
||||
|
||||
-types = None
|
||||
|
||||
+exec_types = None
|
||||
+
|
||||
+def _gen_exec_types():
|
||||
+ global exec_types
|
||||
+ if exec_types is None:
|
||||
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
|
||||
+ return exec_types
|
||||
+
|
||||
+entry_types = None
|
||||
+
|
||||
+def _gen_entry_types():
|
||||
+ global entry_types
|
||||
+ if entry_types is None:
|
||||
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
|
||||
+ return entry_types
|
||||
+
|
||||
+types = None
|
||||
|
||||
def _gen_types():
|
||||
global types
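Review bot: Both new helpers call `next(sepolicy.info(sepolicy.ATTRIBUTE, ...))` without a default, so a policy that lacks the `exec_type` or `entry_type` attribute would raise `StopIteration` out of `ManPage.__init__`, where the next hunk calls them. The same pattern is used by `_gen_mcs_constrained_types()` in the following patch on this page, which also removes the `except StopIteration: return` that `_mcs_types` previously had, so there the missing-attribute case was handled before and no longer is. Passing a default keeps the earlier behaviour, e.g. `exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"), {"types": []})["types"]`, and likewise for the other two helpers. This assumes `sepolicy.info()` returns an iterator, as its use with `next()` suggests.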
|
||||
@@ -372,6 +388,8 @@ class ManPage:
|
||||
self.all_file_types = sepolicy.get_all_file_types()
|
||||
self.role_allows = sepolicy.get_all_role_allows()
|
||||
self.types = _gen_types()
|
||||
+ self.exec_types = _gen_exec_types()
|
||||
+ self.entry_types = _gen_entry_types()
|
||||
|
||||
if self.source_files:
|
||||
self.fcpath = self.root + "file_contexts"
|
||||
@@ -689,7 +707,7 @@ Default Defined Ports:""")
|
||||
for f in self.all_file_types:
|
||||
if f.startswith(self.domainname):
|
||||
flist.append(f)
|
||||
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
|
||||
+ if not f in self.exec_types or not f in self.entry_types:
|
||||
flist_non_exec.append(f)
|
||||
if f in self.fcdict:
|
||||
mpaths = mpaths + self.fcdict[f]["regex"]
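Review bot: The new condition would read more naturally as `if f not in self.exec_types or f not in self.entry_types:`, which is the idiomatic spelling of `not f in`. Because the test runs once per file type inside the loop, it may also be worth having `_gen_exec_types()` and `_gen_entry_types()` return sets if `["types"]` is a list; its type is not visible on this page. The enclosing method starts and ends outside the hunk.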
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Tue, 28 Feb 2017 21:29:46 +0100
|
||||
Subject: [PATCH] sepolicy: Another small optimization for mcs types
|
||||
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
|
||||
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 330b055af214..f8584436960d 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -142,6 +142,15 @@ def _gen_entry_types():
|
||||
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
|
||||
return entry_types
|
||||
|
||||
+mcs_constrained_types = None
|
||||
+
|
||||
+def _gen_mcs_constrained_types():
|
||||
+ global mcs_constrained_types
|
||||
+ if mcs_constrained_types is None:
|
||||
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
|
||||
+ return mcs_constrained_types
|
||||
+
|
||||
+
|
||||
types = None
|
||||
|
||||
def _gen_types():
|
||||
@@ -390,6 +399,7 @@ class ManPage:
|
||||
self.types = _gen_types()
|
||||
self.exec_types = _gen_exec_types()
|
||||
self.entry_types = _gen_entry_types()
|
||||
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
|
||||
|
||||
if self.source_files:
|
||||
self.fcpath = self.root + "file_contexts"
|
||||
@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an
|
||||
%s""" % ", ".join(paths))
|
||||
|
||||
def _mcs_types(self):
|
||||
- try:
|
||||
- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
|
||||
- except StopIteration:
|
||||
- return
|
||||
- if self.type not in mcs_constrained_type['types']:
|
||||
+ if self.type not in self.mcs_constrained_types['types']:
|
||||
return
|
||||
self.fd.write ("""
|
||||
.SH "MCS Constrained"
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,515 +0,0 @@
|
|||
From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 13:23:00 +0200
|
||||
Subject: [PATCH] Move po/ translation files into the right sub-directories
|
||||
|
||||
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
|
||||
sub-directories, po/ translation files stayed in policycoreutils/.
|
||||
|
||||
This commit splits the original policycoreutils/po directory into
|
||||
policycoreutils/po
|
||||
python/po
|
||||
gui/po
|
||||
sandbox/po
|
||||
|
||||
See https://github.com/fedora-selinux/selinux/issues/43
|
||||
---
|
||||
gui/Makefile | 3 ++
|
||||
gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
|
||||
gui/po/POTFILES | 17 ++++++++
|
||||
policycoreutils/po/Makefile | 70 ++-----------------------------
|
||||
policycoreutils/po/POTFILES | 9 ++++
|
||||
python/Makefile | 2 +-
|
||||
python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++
|
||||
python/po/POTFILES | 10 +++++
|
||||
sandbox/Makefile | 2 +
|
||||
sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
|
||||
sandbox/po/POTFILES | 1 +
|
||||
11 files changed, 293 insertions(+), 68 deletions(-)
|
||||
create mode 100644 gui/po/Makefile
|
||||
create mode 100644 gui/po/POTFILES
|
||||
create mode 100644 policycoreutils/po/POTFILES
|
||||
create mode 100644 python/po/Makefile
|
||||
create mode 100644 python/po/POTFILES
|
||||
create mode 100644 sandbox/po/Makefile
|
||||
create mode 100644 sandbox/po/POTFILES
|
||||
|
||||
diff --git a/gui/Makefile b/gui/Makefile
|
||||
index ca965c942912..5a5bf6dcae19 100644
|
||||
--- a/gui/Makefile
|
||||
+++ b/gui/Makefile
|
||||
@@ -22,6 +22,7 @@ system-config-selinux.ui \
|
||||
usersPage.py
|
||||
|
||||
all: $(TARGETS) system-config-selinux.py polgengui.py
|
||||
+ (cd po && $(MAKE) $@)
|
||||
|
||||
install: all
|
||||
-mkdir -p $(DESTDIR)$(MANDIR)/man8
|
||||
@@ -54,6 +55,8 @@ install: all
|
||||
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
|
||||
done
|
||||
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
|
||||
+ (cd po && $(MAKE) $@)
|
||||
+
|
||||
clean:
|
||||
|
||||
indent:
|
||||
diff --git a/gui/po/Makefile b/gui/po/Makefile
|
||||
new file mode 100644
|
||||
index 000000000000..a0f5439f2d1c
|
||||
--- /dev/null
|
||||
+++ b/gui/po/Makefile
|
||||
@@ -0,0 +1,82 @@
|
||||
+#
|
||||
+# Makefile for the PO files (translation) catalog
|
||||
+#
|
||||
+
|
||||
+PREFIX ?= /usr
|
||||
+
|
||||
+# What is this package?
|
||||
+NLSPACKAGE = gui
|
||||
+POTFILE = $(NLSPACKAGE).pot
|
||||
+INSTALL = /usr/bin/install -c -p
|
||||
+INSTALL_DATA = $(INSTALL) -m 644
|
||||
+INSTALL_DIR = /usr/bin/install -d
|
||||
+
|
||||
+# destination directory
|
||||
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
|
||||
+
|
||||
+# PO catalog handling
|
||||
+MSGMERGE = msgmerge
|
||||
+MSGMERGE_FLAGS = -q
|
||||
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
|
||||
+MSGFMT = msgfmt
|
||||
+
|
||||
+# All possible linguas
|
||||
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
|
||||
+
|
||||
+# Only the files matching what the user has set in LINGUAS
|
||||
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
|
||||
+
|
||||
+# if no valid LINGUAS, build all languages
|
||||
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
|
||||
+
|
||||
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
|
||||
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
|
||||
+POTFILES = $(shell cat POTFILES)
|
||||
+
|
||||
+#default:: clean
|
||||
+
|
||||
+all:: $(MOFILES)
|
||||
+
|
||||
+$(POTFILE): $(POTFILES)
|
||||
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
|
||||
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
|
||||
+ rm -f $(NLSPACKAGE).po; \
|
||||
+ else \
|
||||
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
|
||||
+ fi; \
|
||||
+
|
||||
+
|
||||
+refresh-po: Makefile
|
||||
+ for cat in $(POFILES); do \
|
||||
+ lang=`basename $$cat .po`; \
|
||||
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
|
||||
+ mv -f $$lang.pot $$lang.po ; \
|
||||
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
|
||||
+ else \
|
||||
+ echo "$(MSGMERGE) of $$lang failed" ; \
|
||||
+ rm -f $$lang.pot ; \
|
||||
+ fi \
|
||||
+ done
|
||||
+
|
||||
+clean:
|
||||
+ @rm -fv *mo *~ .depend
|
||||
+ @rm -rf tmp
|
||||
+
|
||||
+install: $(MOFILES)
|
||||
+ @for n in $(MOFILES); do \
|
||||
+ l=`basename $$n .mo`; \
|
||||
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
|
||||
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
|
||||
+ done
|
||||
+
|
||||
+%.mo: %.po
|
||||
+ $(MSGFMT) -o $@ $<
|
||||
+report:
|
||||
+ @for cat in $(wildcard *.po); do \
|
||||
+ echo -n "$$cat: "; \
|
||||
+ msgfmt -v --statistics -o /dev/null $$cat; \
|
||||
+ done
|
||||
+
|
||||
+.PHONY: missing depend
|
||||
+
|
||||
+relabel:
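Review bot: `.PHONY: missing depend` names two targets this file does not define, while the targets it does define (`all`, `clean`, `install`, `report`, `refresh-po`, `relabel`) are left undeclared, so a stray file called `install` or `clean` in the directory could make that target appear up to date. I would declare `.PHONY: all clean install report refresh-po relabel` instead. `POTFILES = $(shell cat POTFILES)` is recursively expanded and re-runs `cat` at every reference; `POTFILES := $(shell cat POTFILES)` evaluates it once. The same file is added as python/po/Makefile and sandbox/po/Makefile further down, where both points apply as well.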
|
||||
diff --git a/gui/po/POTFILES b/gui/po/POTFILES
|
||||
new file mode 100644
|
||||
index 000000000000..1795c5c1951b
|
||||
--- /dev/null
|
||||
+++ b/gui/po/POTFILES
|
||||
@@ -0,0 +1,17 @@
|
||||
+../booleansPage.py
|
||||
+../domainsPage.py
|
||||
+../fcontextPage.py
|
||||
+../loginsPage.py
|
||||
+../modulesPage.py
|
||||
+../org.selinux.config.policy
|
||||
+../polgengui.py
|
||||
+../polgen.ui
|
||||
+../portsPage.py
|
||||
+../selinux-polgengui.desktop
|
||||
+../semanagePage.py
|
||||
+../sepolicy.desktop
|
||||
+../statusPage.py
|
||||
+../system-config-selinux.desktop
|
||||
+../system-config-selinux.py
|
||||
+../system-config-selinux.ui
|
||||
+../usersPage.py
|
||||
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
|
||||
index 575e143122e6..18bc1dff8d1f 100644
|
||||
--- a/policycoreutils/po/Makefile
|
||||
+++ b/policycoreutils/po/Makefile
|
||||
@@ -3,7 +3,6 @@
|
||||
#
|
||||
|
||||
PREFIX ?= /usr
|
||||
-TOP = ../..
|
||||
|
||||
# What is this package?
|
||||
NLSPACKAGE = policycoreutils
|
||||
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
|
||||
|
||||
POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
|
||||
MOFILES = $(patsubst %.po,%.mo,$(POFILES))
|
||||
-POTFILES = \
|
||||
- ../run_init/open_init_pty.c \
|
||||
- ../run_init/run_init.c \
|
||||
- ../semodule_link/semodule_link.c \
|
||||
- ../audit2allow/audit2allow \
|
||||
- ../semanage/seobject.py \
|
||||
- ../setsebool/setsebool.c \
|
||||
- ../newrole/newrole.c \
|
||||
- ../load_policy/load_policy.c \
|
||||
- ../sestatus/sestatus.c \
|
||||
- ../semodule/semodule.c \
|
||||
- ../setfiles/setfiles.c \
|
||||
- ../semodule_package/semodule_package.c \
|
||||
- ../semodule_deps/semodule_deps.c \
|
||||
- ../semodule_expand/semodule_expand.c \
|
||||
- ../scripts/chcat \
|
||||
- ../scripts/fixfiles \
|
||||
- ../restorecond/stringslist.c \
|
||||
- ../restorecond/restorecond.h \
|
||||
- ../restorecond/utmpwatcher.h \
|
||||
- ../restorecond/stringslist.h \
|
||||
- ../restorecond/restorecond.c \
|
||||
- ../restorecond/utmpwatcher.c \
|
||||
- ../gui/booleansPage.py \
|
||||
- ../gui/fcontextPage.py \
|
||||
- ../gui/loginsPage.py \
|
||||
- ../gui/mappingsPage.py \
|
||||
- ../gui/modulesPage.py \
|
||||
- ../gui/polgen.glade \
|
||||
- ../gui/polgengui.py \
|
||||
- ../gui/portsPage.py \
|
||||
- ../gui/semanagePage.py \
|
||||
- ../gui/statusPage.py \
|
||||
- ../gui/system-config-selinux.glade \
|
||||
- ../gui/system-config-selinux.py \
|
||||
- ../gui/usersPage.py \
|
||||
- ../secon/secon.c \
|
||||
- booleans.py \
|
||||
- ../sepolicy/sepolicy.py \
|
||||
- ../sepolicy/sepolicy/communicate.py \
|
||||
- ../sepolicy/sepolicy/__init__.py \
|
||||
- ../sepolicy/sepolicy/network.py \
|
||||
- ../sepolicy/sepolicy/generate.py \
|
||||
- ../sepolicy/sepolicy/sepolicy.glade \
|
||||
- ../sepolicy/sepolicy/gui.py \
|
||||
- ../sepolicy/sepolicy/manpage.py \
|
||||
- ../sepolicy/sepolicy/transition.py \
|
||||
- ../sepolicy/sepolicy/templates/executable.py \
|
||||
- ../sepolicy/sepolicy/templates/__init__.py \
|
||||
- ../sepolicy/sepolicy/templates/network.py \
|
||||
- ../sepolicy/sepolicy/templates/rw.py \
|
||||
- ../sepolicy/sepolicy/templates/script.py \
|
||||
- ../sepolicy/sepolicy/templates/semodule.py \
|
||||
- ../sepolicy/sepolicy/templates/tmp.py \
|
||||
- ../sepolicy/sepolicy/templates/user.py \
|
||||
- ../sepolicy/sepolicy/templates/var_lib.py \
|
||||
- ../sepolicy/sepolicy/templates/var_log.py \
|
||||
- ../sepolicy/sepolicy/templates/var_run.py \
|
||||
- ../sepolicy/sepolicy/templates/var_spool.py
|
||||
+POTFILES = $(shell cat POTFILES)
|
||||
|
||||
#default:: clean
|
||||
|
||||
-all:: $(MOFILES)
|
||||
+all:: $(POTFILE) $(MOFILES)
|
||||
|
||||
-booleans.py:
|
||||
- sepolicy booleans -a > booleans.py
|
||||
-
|
||||
-$(POTFILE): $(POTFILES) booleans.py
|
||||
+$(POTFILE): $(POTFILES)
|
||||
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
|
||||
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
|
||||
rm -f $(NLSPACKAGE).po; \
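Review bot: `all:: $(POTFILE) $(MOFILES)` makes the default target depend on the translation template, whereas gui/po/Makefile and python/po/Makefile added in this same patch keep `all:: $(MOFILES)`; only sandbox/po/Makefile matches this one. If the intent is just to build the catalogs, keeping `all:: $(MOFILES)` here and leaving template regeneration to an explicit target would make the four directories consistent and avoid needing xgettext and every listed source file during an ordinary build. The `$(POTFILE)` recipe continues past the end of this hunk.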
|
||||
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
|
||||
mv -f $(NLSPACKAGE).po $(POTFILE); \
|
||||
fi; \
|
||||
|
||||
-update-po: Makefile $(POTFILE) refresh-po
|
||||
- @rm -f booleans.py
|
||||
|
||||
refresh-po: Makefile
|
||||
for cat in $(POFILES); do \
|
||||
diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
|
||||
new file mode 100644
|
||||
index 000000000000..12237dc61ee4
|
||||
--- /dev/null
|
||||
+++ b/policycoreutils/po/POTFILES
|
||||
@@ -0,0 +1,9 @@
|
||||
+../run_init/open_init_pty.c
|
||||
+../run_init/run_init.c
|
||||
+../setsebool/setsebool.c
|
||||
+../newrole/newrole.c
|
||||
+../load_policy/load_policy.c
|
||||
+../sestatus/sestatus.c
|
||||
+../semodule/semodule.c
|
||||
+../setfiles/setfiles.c
|
||||
+../secon/secon.c
|
||||
diff --git a/python/Makefile b/python/Makefile
|
||||
index 9b66d52fbd4d..00312dbdb5c6 100644
|
||||
--- a/python/Makefile
|
||||
+++ b/python/Makefile
|
||||
@@ -1,4 +1,4 @@
|
||||
-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
|
||||
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
|
||||
|
||||
all install relabel clean indent test:
|
||||
@for subdir in $(SUBDIRS); do \
|
||||
diff --git a/python/po/Makefile b/python/po/Makefile
|
||||
new file mode 100644
|
||||
index 000000000000..4e052d5a2bd7
|
||||
--- /dev/null
|
||||
+++ b/python/po/Makefile
|
||||
@@ -0,0 +1,83 @@
|
||||
+#
|
||||
+# Makefile for the PO files (translation) catalog
|
||||
+#
|
||||
+
|
||||
+PREFIX ?= /usr
|
||||
+
|
||||
+# What is this package?
|
||||
+NLSPACKAGE = python
|
||||
+POTFILE = $(NLSPACKAGE).pot
|
||||
+INSTALL = /usr/bin/install -c -p
|
||||
+INSTALL_DATA = $(INSTALL) -m 644
|
||||
+INSTALL_DIR = /usr/bin/install -d
|
||||
+
|
||||
+# destination directory
|
||||
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
|
||||
+
|
||||
+# PO catalog handling
|
||||
+MSGMERGE = msgmerge
|
||||
+MSGMERGE_FLAGS = -q
|
||||
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
|
||||
+MSGFMT = msgfmt
|
||||
+
|
||||
+# All possible linguas
|
||||
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
|
||||
+
|
||||
+# Only the files matching what the user has set in LINGUAS
|
||||
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
|
||||
+
|
||||
+# if no valid LINGUAS, build all languages
|
||||
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
|
||||
+
|
||||
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
|
||||
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
|
||||
+POTFILES = $(shell cat POTFILES)
|
||||
+
|
||||
+#default:: clean
|
||||
+
|
||||
+all:: $(MOFILES)
|
||||
+
|
||||
+$(POTFILE): $(POTFILES)
|
||||
+ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
|
||||
+ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
|
||||
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
|
||||
+ rm -f $(NLSPACKAGE).po; \
|
||||
+ else \
|
||||
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
|
||||
+ fi; \
|
||||
+
|
||||
+
|
||||
+refresh-po: Makefile
|
||||
+ for cat in $(POFILES); do \
|
||||
+ lang=`basename $$cat .po`; \
|
||||
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
|
||||
+ mv -f $$lang.pot $$lang.po ; \
|
||||
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
|
||||
+ else \
|
||||
+ echo "$(MSGMERGE) of $$lang failed" ; \
|
||||
+ rm -f $$lang.pot ; \
|
||||
+ fi \
|
||||
+ done
|
||||
+
|
||||
+clean:
|
||||
+ @rm -fv *mo *~ .depend
|
||||
+ @rm -rf tmp
|
||||
+
|
||||
+install: $(MOFILES)
|
||||
+ @for n in $(MOFILES); do \
|
||||
+ l=`basename $$n .mo`; \
|
||||
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
|
||||
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
|
||||
+ done
|
||||
+
|
||||
+%.mo: %.po
|
||||
+ $(MSGFMT) -o $@ $<
|
||||
+report:
|
||||
+ @for cat in $(wildcard *.po); do \
|
||||
+ echo -n "$$cat: "; \
|
||||
+ msgfmt -v --statistics -o /dev/null $$cat; \
|
||||
+ done
|
||||
+
|
||||
+.PHONY: missing depend
|
||||
+
|
||||
+relabel:
|
||||
diff --git a/python/po/POTFILES b/python/po/POTFILES
|
||||
new file mode 100644
|
||||
index 000000000000..128eb870a69e
|
||||
--- /dev/null
|
||||
+++ b/python/po/POTFILES
|
||||
@@ -0,0 +1,10 @@
|
||||
+../audit2allow/audit2allow
|
||||
+../chcat/chcat
|
||||
+../semanage/semanage
|
||||
+../semanage/seobject.py
|
||||
+../sepolgen/src/sepolgen/interfaces.py
|
||||
+../sepolicy/sepolicy/generate.py
|
||||
+../sepolicy/sepolicy/gui.py
|
||||
+../sepolicy/sepolicy/__init__.py
|
||||
+../sepolicy/sepolicy/interface.py
|
||||
+../sepolicy/sepolicy.py
|
||||
diff --git a/sandbox/Makefile b/sandbox/Makefile
|
||||
index 9da5e58db9e6..b817824e2102 100644
|
||||
--- a/sandbox/Makefile
|
||||
+++ b/sandbox/Makefile
|
||||
@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
|
||||
SEUNSHARE_OBJS = seunshare.o
|
||||
|
||||
all: sandbox seunshare sandboxX.sh start
|
||||
+ (cd po && $(MAKE) $@)
|
||||
|
||||
seunshare: $(SEUNSHARE_OBJS)
|
||||
|
||||
@@ -39,6 +40,7 @@ install: all
|
||||
install -m 755 start $(DESTDIR)$(SHAREDIR)
|
||||
-mkdir -p $(DESTDIR)$(SYSCONFDIR)
|
||||
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
|
||||
+ (cd po && $(MAKE) $@)
|
||||
|
||||
test:
|
||||
@$(PYTHON) test_sandbox.py -v
|
||||
diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
|
||||
new file mode 100644
|
||||
index 000000000000..0556bbe953f0
|
||||
--- /dev/null
|
||||
+++ b/sandbox/po/Makefile
|
||||
@@ -0,0 +1,82 @@
|
||||
+#
|
||||
+# Makefile for the PO files (translation) catalog
|
||||
+#
|
||||
+
|
||||
+PREFIX ?= /usr
|
||||
+
|
||||
+# What is this package?
|
||||
+NLSPACKAGE = sandbox
|
||||
+POTFILE = $(NLSPACKAGE).pot
|
||||
+INSTALL = /usr/bin/install -c -p
|
||||
+INSTALL_DATA = $(INSTALL) -m 644
|
||||
+INSTALL_DIR = /usr/bin/install -d
|
||||
+
|
||||
+# destination directory
|
||||
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
|
||||
+
|
||||
+# PO catalog handling
|
||||
+MSGMERGE = msgmerge
|
||||
+MSGMERGE_FLAGS = -q
|
||||
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
|
||||
+MSGFMT = msgfmt
|
||||
+
|
||||
+# All possible linguas
|
||||
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
|
||||
+
|
||||
+# Only the files matching what the user has set in LINGUAS
|
||||
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
|
||||
+
|
||||
+# if no valid LINGUAS, build all languages
|
||||
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
|
||||
+
|
||||
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
|
||||
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
|
||||
+POTFILES = $(shell cat POTFILES)
|
||||
+
|
||||
+#default:: clean
|
||||
+
|
||||
+all:: $(POTFILE) $(MOFILES)
|
||||
+
|
||||
+$(POTFILE): $(POTFILES)
|
||||
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
|
||||
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
|
||||
+ rm -f $(NLSPACKAGE).po; \
|
||||
+ else \
|
||||
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
|
||||
+ fi; \
|
||||
+
|
||||
+
|
||||
+refresh-po: Makefile
|
||||
+ for cat in $(POFILES); do \
|
||||
+ lang=`basename $$cat .po`; \
|
||||
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
|
||||
+ mv -f $$lang.pot $$lang.po ; \
|
||||
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
|
||||
+ else \
|
||||
+ echo "$(MSGMERGE) of $$lang failed" ; \
|
||||
+ rm -f $$lang.pot ; \
|
||||
+ fi \
|
||||
+ done
|
||||
+
|
||||
+clean:
|
||||
+ @rm -fv *mo *~ .depend
|
||||
+ @rm -rf tmp
|
||||
+
|
||||
+install: $(MOFILES)
|
||||
+ @for n in $(MOFILES); do \
|
||||
+ l=`basename $$n .mo`; \
|
||||
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
|
||||
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
|
||||
+ done
|
||||
+
|
||||
+%.mo: %.po
|
||||
+ $(MSGFMT) -o $@ $<
|
||||
+report:
|
||||
+ @for cat in $(wildcard *.po); do \
|
||||
+ echo -n "$$cat: "; \
|
||||
+ msgfmt -v --statistics -o /dev/null $$cat; \
|
||||
+ done
|
||||
+
|
||||
+.PHONY: missing depend
|
||||
+
|
||||
+relabel:
|
||||
diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
|
||||
new file mode 100644
|
||||
index 000000000000..deff3f2f4656
|
||||
--- /dev/null
|
||||
+++ b/sandbox/po/POTFILES
|
||||
@@ -0,0 +1 @@
|
||||
+../sandbox
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,306 +0,0 @@
|
|||
From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Mon, 6 Aug 2018 13:37:07 +0200
|
||||
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
|
||||
|
||||
https://github.com/fedora-selinux/selinux/issues/43
|
||||
---
|
||||
gui/booleansPage.py | 2 +-
|
||||
gui/domainsPage.py | 2 +-
|
||||
gui/fcontextPage.py | 2 +-
|
||||
gui/loginsPage.py | 2 +-
|
||||
gui/modulesPage.py | 2 +-
|
||||
gui/polgengui.py | 2 +-
|
||||
gui/portsPage.py | 2 +-
|
||||
gui/semanagePage.py | 2 +-
|
||||
gui/statusPage.py | 2 +-
|
||||
gui/system-config-selinux.py | 2 +-
|
||||
gui/usersPage.py | 2 +-
|
||||
python/chcat/chcat | 2 +-
|
||||
python/semanage/semanage | 2 +-
|
||||
python/semanage/seobject.py | 2 +-
|
||||
python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
|
||||
python/sepolicy/sepolicy.py | 2 +-
|
||||
python/sepolicy/sepolicy/__init__.py | 2 +-
|
||||
python/sepolicy/sepolicy/generate.py | 2 +-
|
||||
python/sepolicy/sepolicy/gui.py | 2 +-
|
||||
python/sepolicy/sepolicy/interface.py | 2 +-
|
||||
sandbox/sandbox | 2 +-
|
||||
21 files changed, 21 insertions(+), 21 deletions(-)
|
||||
|
||||
diff --git a/gui/booleansPage.py b/gui/booleansPage.py
|
||||
index 7849bea26a06..dd12b6d6ab86 100644
|
||||
--- a/gui/booleansPage.py
|
||||
+++ b/gui/booleansPage.py
|
||||
@@ -38,7 +38,7 @@ DISABLED = 2
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/domainsPage.py b/gui/domainsPage.py
|
||||
index bad5140d8c59..6bbe4de5884f 100644
|
||||
--- a/gui/domainsPage.py
|
||||
+++ b/gui/domainsPage.py
|
||||
@@ -30,7 +30,7 @@ from semanagePage import *
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
|
||||
index 370bbee40786..e424366da26f 100644
|
||||
--- a/gui/fcontextPage.py
|
||||
+++ b/gui/fcontextPage.py
|
||||
@@ -47,7 +47,7 @@ class context:
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/loginsPage.py b/gui/loginsPage.py
|
||||
index b67eb8bc42af..cbfb0cc23f65 100644
|
||||
--- a/gui/loginsPage.py
|
||||
+++ b/gui/loginsPage.py
|
||||
@@ -29,7 +29,7 @@ from semanagePage import *
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
|
||||
index 0584acf9b3a4..35a0129bab9c 100644
|
||||
--- a/gui/modulesPage.py
|
||||
+++ b/gui/modulesPage.py
|
||||
@@ -30,7 +30,7 @@ from semanagePage import *
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/polgengui.py b/gui/polgengui.py
|
||||
index d284ded65279..01f541bafae8 100644
|
||||
--- a/gui/polgengui.py
|
||||
+++ b/gui/polgengui.py
|
||||
@@ -63,7 +63,7 @@ def get_all_modules():
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/portsPage.py b/gui/portsPage.py
|
||||
index 30f58383bc1d..a537ecc8c0a1 100644
|
||||
--- a/gui/portsPage.py
|
||||
+++ b/gui/portsPage.py
|
||||
@@ -35,7 +35,7 @@ from semanagePage import *
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/semanagePage.py b/gui/semanagePage.py
|
||||
index 4127804fbbee..5361d69c1313 100644
|
||||
--- a/gui/semanagePage.py
|
||||
+++ b/gui/semanagePage.py
|
||||
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/statusPage.py b/gui/statusPage.py
|
||||
index 766854b19cba..a8f079b9b163 100644
|
||||
--- a/gui/statusPage.py
|
||||
+++ b/gui/statusPage.py
|
||||
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
|
||||
index 3f70122b87e8..8c46c987b974 100644
|
||||
--- a/gui/system-config-selinux.py
|
||||
+++ b/gui/system-config-selinux.py
|
||||
@@ -45,7 +45,7 @@ import selinux
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/gui/usersPage.py b/gui/usersPage.py
|
||||
index 26794ed5c3f3..d15d4c5a71dd 100644
|
||||
--- a/gui/usersPage.py
|
||||
+++ b/gui/usersPage.py
|
||||
@@ -29,7 +29,7 @@ from semanagePage import *
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-gui"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/chcat/chcat b/python/chcat/chcat
|
||||
index fdd2e46ee3f9..839ddd3b54b6 100755
|
||||
--- a/python/chcat/chcat
|
||||
+++ b/python/chcat/chcat
|
||||
@@ -30,7 +30,7 @@ import getopt
|
||||
import selinux
|
||||
import seobject
|
||||
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/semanage/semanage b/python/semanage/semanage
|
||||
index b2fabea67a87..3cc30a160a74 100644
|
||||
--- a/python/semanage/semanage
|
||||
+++ b/python/semanage/semanage
|
||||
@@ -27,7 +27,7 @@ import traceback
|
||||
import argparse
|
||||
import seobject
|
||||
import sys
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
|
||||
index 6a14f7b47dd5..b51a7e3e7ca3 100644
|
||||
--- a/python/semanage/seobject.py
|
||||
+++ b/python/semanage/seobject.py
|
||||
@@ -29,7 +29,7 @@ import sys
|
||||
import stat
|
||||
import socket
|
||||
from semanage import *
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
import sepolicy
|
||||
import setools
|
||||
import ipaddress
|
||||
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
|
||||
index 998c4356415c..56ebd807c69c 100644
|
||||
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
|
||||
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
|
||||
@@ -19,7 +19,7 @@
|
||||
|
||||
try:
|
||||
import gettext
|
||||
- t = gettext.translation( 'yumex' )
|
||||
+ t = gettext.translation( 'selinux-python' )
|
||||
_ = t.gettext
|
||||
except:
|
||||
def _(str):
|
||||
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
|
||||
index 7b2230651099..32956e58f52e 100755
|
||||
--- a/python/sepolicy/sepolicy.py
|
||||
+++ b/python/sepolicy/sepolicy.py
|
||||
@@ -28,7 +28,7 @@ import sepolicy
|
||||
from multiprocessing import Pool
|
||||
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
|
||||
import argparse
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
|
||||
index ea05d892bf3b..9a9c2ae9f237 100644
|
||||
--- a/python/sepolicy/sepolicy/__init__.py
|
||||
+++ b/python/sepolicy/sepolicy/__init__.py
|
||||
@@ -13,7 +13,7 @@ import os
|
||||
import re
|
||||
import gzip
|
||||
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
||||
index 4e1ed4e9dc31..43180ca6fda4 100644
|
||||
--- a/python/sepolicy/sepolicy/generate.py
|
||||
+++ b/python/sepolicy/sepolicy/generate.py
|
||||
@@ -48,7 +48,7 @@ import sepolgen.defaults as defaults
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
|
||||
index 1e86422b864a..c9ca158ddd09 100644
|
||||
--- a/python/sepolicy/sepolicy/gui.py
|
||||
+++ b/python/sepolicy/sepolicy/gui.py
|
||||
@@ -41,7 +41,7 @@ import os
|
||||
import re
|
||||
import unicodedata
|
||||
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
|
||||
index bdffb770f364..9d40aea1498d 100644
|
||||
--- a/python/sepolicy/sepolicy/interface.py
|
||||
+++ b/python/sepolicy/sepolicy/interface.py
|
||||
@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
|
||||
##
|
||||
## I18N
|
||||
##
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-python"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
||||
index ca5f1e030a51..16c43b51eaaa 100644
|
||||
--- a/sandbox/sandbox
|
||||
+++ b/sandbox/sandbox
|
||||
@@ -37,7 +37,7 @@ import sepolicy
|
||||
|
||||
SEUNSHARE = "/usr/sbin/seunshare"
|
||||
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
|
||||
-PROGNAME = "policycoreutils"
|
||||
+PROGNAME = "selinux-sandbox"
|
||||
try:
|
||||
import gettext
|
||||
kwargs = {}
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Wed, 21 Mar 2018 08:51:31 +0100
|
||||
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
|
||||
|
||||
The "-q" switch is becoming obsolete (completely unused in fedora) and
|
||||
debug output ("-d" switch) makes sense in any scenario. Therefore both
|
||||
options can be specified at once.
|
||||
|
||||
Resolves: rhbz#1271327
|
||||
---
|
||||
policycoreutils/setfiles/setfiles.8 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
|
||||
index e328a5628682..02e0960289d3 100644
|
||||
--- a/policycoreutils/setfiles/setfiles.8
|
||||
+++ b/policycoreutils/setfiles/setfiles.8
|
||||
@@ -58,7 +58,7 @@ check the validity of the contexts against the specified binary policy.
|
||||
.TP
|
||||
.B \-d
|
||||
show what specification matched each file (do not abort validation
|
||||
-after ABORT_ON_ERRORS errors).
|
||||
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
|
||||
.TP
|
||||
.BI \-e \ directory
|
||||
directory to exclude (repeat option for more than one directory).
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,71 +0,0 @@
|
|||
From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
|
||||
From: Masatake YAMATO <yamato@redhat.com>
|
||||
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
||||
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
||||
|
||||
Currently only reserved_port_t, port_t and hi_reserved_port_t are
|
||||
handled as special when making a ports-dictionary. However, as fas as
|
||||
corenetwork.te.in of serefpolicy, unreserved_port_t and
|
||||
ephemeral_port_t should be handled in the same way, too.
|
||||
|
||||
(Details) I found the need of this change when I was using
|
||||
selinux-polgengui. Though tcp port 12345, which my application may
|
||||
use, was given to the gui, selinux-polgengui generates expected te
|
||||
file and sh file which didn't utilize the tcp port.
|
||||
|
||||
selinux-polgengui checks whether a port given via gui is already typed
|
||||
or not.
|
||||
|
||||
If it is already typed, selinux-polgengui generates a te file having
|
||||
rules to allow the application to use the port. (A)
|
||||
|
||||
If not, it seems for me that selinux-polgengui is designed to generate
|
||||
a te file having rules to allow the application to own(?) the port;
|
||||
and a sh file having a command line to assign the application own type
|
||||
to the port. (B)
|
||||
|
||||
As we can see the output of `semanage port -l' some of ports for
|
||||
specified purpose have types already. The important point is that the
|
||||
rest of ports also have types already:
|
||||
|
||||
hi_reserved_port_t tcp 512-1023
|
||||
hi_reserved_port_t udp 512-1023
|
||||
unreserved_port_t tcp 1024-32767, 61001-65535
|
||||
unreserved_port_t udp 1024-32767, 61001-65535
|
||||
ephemeral_port_t tcp 32768-61000
|
||||
ephemeral_port_t udp 32768-61000
|
||||
|
||||
As my patch shows, the original selinux-polgengui ignored
|
||||
hi_reserved_port_t; though hi_reserved_port_t is assigned,
|
||||
selinux-polgengui considered ports 512-1023 are not used. As the
|
||||
result selinux-polgengui generates file sets of (B).
|
||||
|
||||
For the purpose of selinux-polgengui, I think unreserved_port_t and
|
||||
ephemeral_port_t are treated as the same as hi_reserved_port_t.
|
||||
|
||||
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
|
||||
|
||||
Fedora only patch:
|
||||
https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/
|
||||
---
|
||||
python/sepolicy/sepolicy/generate.py | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
||||
index 43180ca6fda4..d60a08e1d72c 100644
|
||||
--- a/python/sepolicy/sepolicy/generate.py
|
||||
+++ b/python/sepolicy/sepolicy/generate.py
|
||||
@@ -99,7 +99,9 @@ def get_all_ports():
|
||||
for p in sepolicy.info(sepolicy.PORT):
|
||||
if p['type'] == "reserved_port_t" or \
|
||||
p['type'] == "port_t" or \
|
||||
- p['type'] == "hi_reserved_port_t":
|
||||
+ p['type'] == "hi_reserved_port_t" or \
|
||||
+ p['type'] == "ephemeral_port_t" or \
|
||||
+ p['type'] == "unreserved_port_t":
|
||||
continue
|
||||
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
|
||||
return dict
|
||||
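Review bot: The condition extended here is now a five-way `or` chain over `p['type']` with backslash continuations, which is easy to get wrong the next time a generic type is added; a membership test reads better, e.g. `if p['type'] in ("reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t"):`. A one-line comment such as `# generic catch-all port types: treat these ports as not yet assigned` would also record why they are skipped, since, going by the commit message, this list decides whether the generated policy reuses an existing port type or defines a new one. `get_all_ports` starts outside the hunk, and its result variable is named `dict`, which shadows the builtin.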
--
|
||||
2.29.0
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Thu, 8 Nov 2018 09:20:58 +0100
|
||||
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
|
||||
|
||||
---
|
||||
semodule-utils/semodule_package/semodule_package.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
|
||||
index 3515234e36de..7b75b3fd9bb4 100644
|
||||
--- a/semodule-utils/semodule_package/semodule_package.c
|
||||
+++ b/semodule-utils/semodule_package/semodule_package.c
|
||||
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
|
||||
}
|
||||
if (!sb.st_size) {
|
||||
*len = 0;
|
||||
+ close(fd);
|
||||
return 0;
|
||||
}
|
||||
|
||||
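Review bot: The zero-size branch now closes `fd`, but it still returns success without writing `*data`, so a caller that did not pre-initialise its pointer would read an indeterminate value after a 0 return. Setting it explicitly makes the contract clear: `*data = NULL;` next to `*len = 0;`. Only this branch is visible; `file_to_data` starts and ends outside the hunk, so whether its other early exits release `fd` should be checked in the same pass.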
--
|
||||
2.29.0
|
||||
|
|
@ -1,74 +0,0 @@
|
|||
From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Wed, 18 Jul 2018 09:09:35 +0200
|
||||
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
|
||||
|
||||
---
|
||||
sandbox/sandbox | 4 ++--
|
||||
sandbox/sandbox.8 | 2 +-
|
||||
sandbox/sandboxX.sh | 14 --------------
|
||||
3 files changed, 3 insertions(+), 17 deletions(-)
|
||||
|
||||
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
||||
index 16c43b51eaaa..7709a6585665 100644
|
||||
--- a/sandbox/sandbox
|
||||
+++ b/sandbox/sandbox
|
||||
@@ -268,7 +268,7 @@ class Sandbox:
|
||||
copyfile(f, "/tmp", self.__tmpdir)
|
||||
copyfile(f, "/var/tmp", self.__tmpdir)
|
||||
|
||||
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
|
||||
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
|
||||
execfile = self.__homedir + "/.sandboxrc"
|
||||
fd = open(execfile, "w+")
|
||||
if self.__options.session:
|
||||
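Review bot: The new default `"/usr/bin/matchbox-window-manager"` is spelled out twice, in the `__setup_sandboxrc` signature here and in the `-W`/`--windowmanager` option default in the next hunk, so the two can drift apart on the next change. A module-level constant beside `SEUNSHARE` and `SANDBOXSH`, e.g. `DEFAULT_WM = "/usr/bin/matchbox-window-manager"`, used in both places would keep them in step. Neither hunk shows a check that the configured window manager exists before it is written into `.sandboxrc`; if there is none elsewhere, a missing binary would only surface inside the sandboxed session. `__setup_sandboxrc` continues outside the hunk.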
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||
|
||||
parser.add_option("-W", "--windowmanager", dest="wm",
|
||||
type="string",
|
||||
- default="/usr/bin/openbox",
|
||||
+ default="/usr/bin/matchbox-window-manager",
|
||||
help=_("alternate window manager"))
|
||||
|
||||
parser.add_option("-l", "--level", dest="level",
|
||||
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
|
||||
index d83fee76f335..90ef4951c8c2 100644
|
||||
--- a/sandbox/sandbox.8
|
||||
+++ b/sandbox/sandbox.8
|
||||
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
|
||||
\fB\-W\fR \fB\-\-windowmanager\fR
|
||||
Select alternative window manager to run within
|
||||
.B sandbox \-X.
|
||||
-Default to /usr/bin/openbox.
|
||||
+Default to /usr/bin/matchbox-window-manager.
|
||||
.TP
|
||||
\fB\-X\fR
|
||||
Create an X based Sandbox for gui apps, temporary files for
|
||||
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
|
||||
index 4774528027ef..c211ebc14549 100644
|
||||
--- a/sandbox/sandboxX.sh
|
||||
+++ b/sandbox/sandboxX.sh
|
||||
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
|
||||
[ -z $2 ] && export DPI="96" || export DPI="$2"
|
||||
trap "exit 0" HUP
|
||||
|
||||
-mkdir -p ~/.config/openbox
|
||||
-cat > ~/.config/openbox/rc.xml << EOF
|
||||
-<openbox_config xmlns="http://openbox.org/3.4/rc"
|
||||
- xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||
-<applications>
|
||||
- <application class="*">
|
||||
- <decor>no</decor>
|
||||
- <desktop>all</desktop>
|
||||
- <maximized>yes</maximized>
|
||||
- </application>
|
||||
-</applications>
|
||||
-</openbox_config>
|
||||
-EOF
|
||||
-
|
||||
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||
export DISPLAY=:$D
|
||||
cat > ~/seremote << __EOF
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Tue, 28 Jul 2020 14:37:13 +0200
|
||||
Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
|
||||
|
||||
Fixes:
|
||||
$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
|
||||
Analyzing 187 Python scripts
|
||||
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
|
||||
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:774:17: E117 over-indented
|
||||
./python/sepolicy/build/lib/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
|
||||
./python/sepolicy/build/lib/sepolicy/manpage.py:774:17: E117 over-indented
|
||||
./python/sepolicy/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
|
||||
./python/sepolicy/sepolicy/manpage.py:774:17: E117 over-indented
|
||||
The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index f8584436960d..6a3e08fca58c 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -717,7 +717,7 @@ Default Defined Ports:""")
|
||||
for f in self.all_file_types:
|
||||
if f.startswith(self.domainname):
|
||||
flist.append(f)
|
||||
- if not f in self.exec_types or not f in self.entry_types:
|
||||
+ if f not in self.exec_types or f not in self.entry_types:
|
||||
flist_non_exec.append(f)
|
||||
if f in self.fcdict:
|
||||
mpaths = mpaths + self.fcdict[f]["regex"]
|
||||
@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
|
||||
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
|
||||
|
||||
if flist_non_exec:
|
||||
- self.fd.write(r"""
|
||||
+ self.fd.write(r"""
|
||||
.PP
|
||||
.B STANDARD FILE CONTEXT
|
||||
|
||||
--
|
||||
2.29.0
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
|
||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
Date: Wed, 11 Nov 2020 17:23:40 +0100
|
||||
Subject: [PATCH] selinux_config(5): add a note that runtime disable is
|
||||
deprecated
|
||||
|
||||
...and refer to selinux(8), which explains it further.
|
||||
|
||||
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
policycoreutils/man/man5/selinux_config.5 | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
|
||||
index 1ffade150128..58b42a0e234d 100644
|
||||
--- a/policycoreutils/man/man5/selinux_config.5
|
||||
+++ b/policycoreutils/man/man5/selinux_config.5
|
||||
@@ -48,7 +48,7 @@ SELinux security policy is enforced.
|
||||
.IP \fIpermissive\fR 4
|
||||
SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
|
||||
.IP \fIdisabled\fR
|
||||
-SELinux is disabled and no policy is loaded.
|
||||
+No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
|
||||
.RE
|
||||
.sp
|
||||
The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
|
||||
--
|
||||
2.29.2
|
||||
|
|
@ -1,51 +0,0 @@
|
|||
From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
|
||||
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
|
||||
Date: Fri, 30 Oct 2020 22:53:09 +0100
|
||||
Subject: [PATCH] python/sepolicy: allow to override manpage date
|
||||
|
||||
in order to make builds reproducible.
|
||||
See https://reproducible-builds.org/ for why this is good
|
||||
and https://reproducible-builds.org/specs/source-date-epoch/
|
||||
for the definition of this variable.
|
||||
|
||||
This patch was done while working on reproducible builds for openSUSE.
|
||||
|
||||
Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
|
||||
---
|
||||
python/sepolicy/sepolicy/manpage.py | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
|
||||
index 6a3e08fca58c..c013c0d48502 100755
|
||||
--- a/python/sepolicy/sepolicy/manpage.py
|
||||
+++ b/python/sepolicy/sepolicy/manpage.py
|
||||
@@ -39,6 +39,8 @@ typealias_types = {
|
||||
equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
|
||||
|
||||
equiv_dirs = ["/var"]
|
||||
+man_date = time.strftime("%y-%m-%d", time.gmtime(
|
||||
+ int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
|
||||
modules_dict = None
|
||||
|
||||
|
||||
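Review bot: `man_date` is computed when the module is imported, and `int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))` raises a bare `ValueError` for any value that is not an integer literal, so a stray environment setting becomes an import-time traceback for every consumer of `sepolicy.manpage`. Parsing the variable separately and raising an error that names it would make the failure diagnosable. The date is also now taken with `time.gmtime()` even when the variable is unset, where the removed code used local time. Whether `os` is already imported in this file is not visible in the hunk.

```python
# … unchanged: equiv_dict, equiv_dirs …
_source_date_epoch = os.environ.get('SOURCE_DATE_EPOCH')
try:
    _man_epoch = int(_source_date_epoch) if _source_date_epoch is not None else int(time.time())
except ValueError:
    raise ValueError("SOURCE_DATE_EPOCH must be an integer, got %r" % _source_date_epoch)
man_date = time.strftime("%y-%m-%d", time.gmtime(_man_epoch))
```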
@@ -546,7 +548,7 @@ class ManPage:
|
||||
|
||||
def _typealias(self,typealias):
|
||||
self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
|
||||
- % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
|
||||
+ % {'typealias':typealias, 'date': man_date})
|
||||
self.fd.write(r"""
|
||||
.SH "NAME"
|
||||
%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
|
||||
@@ -565,7 +567,7 @@ man page for more details.
|
||||
|
||||
def _header(self):
|
||||
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
|
||||
- % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
|
||||
+ % {'domainname': self.domainname, 'date': man_date})
|
||||
self.fd.write(r"""
|
||||
.SH "NAME"
|
||||
%(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
|
||||
--
|
||||
2.29.2
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
policycoreutils translations currently live in the following locations:
|
||||
|
||||
- https://fedora.zanata.org/project/view/selinux
|
||||
- contains translations for both stable (Red Hat Enterprise Linux) and master (Fedora) branches
|
||||
- maintains large number of languages (several of which do not actually contain any translated strings)
|
||||
- updated by community and partially by RH localization effort
|
||||
|
||||
- selinux source repository (https://github.com/fedora-selinux/selinux)
|
||||
- is kept up-to-date with fedora.zanata
|
||||
|
||||
How to update source files on fedora.zanata:
|
||||
$ git clone git@github.com:fedora-selinux/selinux.git
|
||||
$ cd selinux
|
||||
|
||||
# generate new potfile
|
||||
$ for p in policycoreutils python gui sandbox; do
|
||||
cd $p/po
|
||||
make $p.pot
|
||||
cd -
|
||||
done
|
||||
|
||||
# Push potfiles to zanata
|
||||
$ zanata-cli push --push-type source
|
||||
|
||||
How to pull new translations from zanata
|
||||
$ git clone git@github.com:fedora-selinux/selinux.git
|
||||
$ cd selinux
|
||||
# Make sure "zanata.xml" file pointing to corresponding translations branch is present
|
||||
# Optionally update source files on zanata
|
||||
# Pull new translations from zanata
|
||||
$ zanata-cli -e pull --pull-type trans
|
||||
|
||||
How to update translations *-po.tgz files
|
||||
$ mkdir zanata
|
||||
$ cd zanata
|
||||
$ zanata-cli -e pull --project-config ../zanata.xml --pull-type both
|
||||
$ for p in policycoreutils python gui sandbox; do
|
||||
cd $p
|
||||
tar -c -f ../../$p-po.tgz -z .
|
||||
cd -
|
||||
done
|
16
gating.yaml
16
gating.yaml
|
@ -1,16 +0,0 @@
|
|||
--- !Policy
|
||||
product_versions:
|
||||
- fedora-*
|
||||
decision_context: bodhi_update_push_testing
|
||||
subject_type: koji_build
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
||||
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- fedora-*
|
||||
decision_context: bodhi_update_push_stable
|
||||
subject_type: koji_build
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
|
||||
|
2426
policycoreutils.spec
2426
policycoreutils.spec
|
@ -1,73 +0,0 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Do automatic relabelling
|
||||
#
|
||||
|
||||
# . /etc/init.d/functions
|
||||
|
||||
# If the user has this (or similar) UEFI boot order:
|
||||
#
|
||||
# Windows | grub | Linux
|
||||
#
|
||||
# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
|
||||
# would cause the system to boot into Windows again, if the autorelabel was run.
|
||||
#
|
||||
# This function restores the UEFI boot order, so the user will boot into the
|
||||
# previously set (and expected) partition.
|
||||
efi_set_boot_next() {
|
||||
# NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
|
||||
# succeed even on system which is not EFI-enabled...
|
||||
if ! efibootmgr > /dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
|
||||
# NOTE: It it possible that some other services might be setting the
|
||||
# 'BootNext' item for any reasons, and we shouldn't override it if so.
|
||||
if ! efibootmgr | grep --quiet -e 'BootNext'; then
|
||||
CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
|
||||
efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
|
||||
fi
|
||||
}
|
||||
|
||||
relabel_selinux() {
|
||||
# if /sbin/init is not labeled correctly this process is running in the
|
||||
# wrong context, so a reboot will be required after relabel
|
||||
AUTORELABEL=
|
||||
. /etc/selinux/config
|
||||
echo "0" > /sys/fs/selinux/enforce
|
||||
[ -x /bin/plymouth ] && plymouth --quit
|
||||
|
||||
if [ "$AUTORELABEL" = "0" ]; then
|
||||
echo
|
||||
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
|
||||
echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
|
||||
echo $"*** problems. Dropping you to a shell; the system will reboot"
|
||||
echo $"*** when you leave the shell."
|
||||
sulogin
|
||||
|
||||
else
|
||||
echo
|
||||
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
|
||||
echo $"*** Relabeling could take a very long time, depending on file"
|
||||
echo $"*** system size and speed of hard drives."
|
||||
|
||||
FORCE=`cat /.autorelabel`
|
||||
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
|
||||
/sbin/fixfiles $FORCE restore
|
||||
fi
|
||||
|
||||
rm -f /.autorelabel
|
||||
/usr/lib/dracut/dracut-initramfs-restore
|
||||
efi_set_boot_next
|
||||
if [ -x /usr/bin/grub2-editenv ]; then
|
||||
grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
|
||||
fi
|
||||
sync
|
||||
systemctl --force reboot
|
||||
}
|
||||
|
||||
# Check to see if a full relabel is needed
|
||||
if [ "$READONLY" != "yes" ]; then
|
||||
restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
|
||||
relabel_selinux
|
||||
fi
|
|
@ -1,29 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
# This systemd.generator(7) detects if SELinux is running and if the
|
||||
# user requested an autorelabel, and if so sets the default target to
|
||||
# selinux-autorelabel.target, which will cause the filesystem to be
|
||||
# relabelled and then the system will reboot again and boot into the
|
||||
# real default target.
|
||||
|
||||
PATH=/usr/sbin:$PATH
|
||||
unitdir=/usr/lib/systemd/system
|
||||
|
||||
# If invoked with no arguments (for testing) write to /tmp.
|
||||
earlydir="/tmp"
|
||||
if [ -n "$2" ]; then
|
||||
earlydir="$2"
|
||||
fi
|
||||
|
||||
set_target ()
|
||||
{
|
||||
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
|
||||
}
|
||||
|
||||
if selinuxenabled; then
|
||||
if test -f /.autorelabel; then
|
||||
set_target
|
||||
elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
|
||||
set_target
|
||||
fi
|
||||
fi
|
|
@ -1,18 +0,0 @@
|
|||
[Unit]
|
||||
Description=Mark the need to relabel after reboot
|
||||
DefaultDependencies=no
|
||||
Requires=local-fs.target
|
||||
Conflicts=shutdown.target
|
||||
After=local-fs.target
|
||||
Before=sysinit.target shutdown.target
|
||||
ConditionSecurity=!selinux
|
||||
ConditionPathIsDirectory=/etc/selinux
|
||||
ConditionPathExists=!/.autorelabel
|
||||
|
||||
[Service]
|
||||
ExecStart=-/bin/touch /.autorelabel
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
|
@ -1,14 +0,0 @@
|
|||
[Unit]
|
||||
Description=Relabel all filesystems
|
||||
DefaultDependencies=no
|
||||
Conflicts=shutdown.target
|
||||
After=sysinit.target
|
||||
Before=shutdown.target
|
||||
ConditionSecurity=selinux
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/libexec/selinux/selinux-autorelabel
|
||||
Type=oneshot
|
||||
TimeoutSec=0
|
||||
RemainAfterExit=yes
|
||||
StandardOutput=journal+console
|
|
@ -1,7 +0,0 @@
|
|||
[Unit]
|
||||
Description=Relabel all filesystems and reboot
|
||||
DefaultDependencies=no
|
||||
Requires=sysinit.target selinux-autorelabel.service
|
||||
Conflicts=shutdown.target
|
||||
After=sysinit.target selinux-autorelabel.service
|
||||
ConditionSecurity=selinux
|
|
@ -0,0 +1,394 @@
|
|||
diff --git sepolgen-1.2.3/ChangeLog sepolgen-1.2.3/ChangeLog
|
||||
index 7cc0a18..bda7a2e 100644
|
||||
--- sepolgen-1.2.3/ChangeLog
|
||||
+++ sepolgen-1.2.3/ChangeLog
|
||||
@@ -1,3 +1,6 @@
|
||||
+ * Remove additional files when cleaning, from Nicolas Iooss.
|
||||
+ * Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
|
||||
+
|
||||
1.2.3 2016-02-23
|
||||
* Support latest refpolicy interfaces, from Nicolas Iooss.
|
||||
* Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss.
|
||||
diff --git sepolgen-1.2.3/src/sepolgen/Makefile sepolgen-1.2.3/src/sepolgen/Makefile
|
||||
index 9ac7651..d3aa771 100644
|
||||
--- sepolgen-1.2.3/src/sepolgen/Makefile
|
||||
+++ sepolgen-1.2.3/src/sepolgen/Makefile
|
||||
@@ -11,5 +11,4 @@ install: all
|
||||
clean:
|
||||
rm -f parser.out parsetab.py
|
||||
rm -f *~ *.pyc
|
||||
-
|
||||
-
|
||||
+ rm -rf __pycache__
|
||||
diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py
|
||||
index a5d8698..7606561 100644
|
||||
--- sepolgen-1.2.3/src/sepolgen/access.py
|
||||
+++ sepolgen-1.2.3/src/sepolgen/access.py
|
||||
@@ -90,6 +90,8 @@ class AccessVector(util.Comparison):
|
||||
self.audit_msgs = []
|
||||
self.type = audit2why.TERULE
|
||||
self.data = []
|
||||
+ self.obj_path = None
|
||||
+ self.base_type = None
|
||||
# when implementing __eq__ also __hash__ is needed on py2
|
||||
# if object is muttable __hash__ should be None
|
||||
self.__hash__ = None
|
||||
@@ -138,6 +140,29 @@ class AccessVector(util.Comparison):
|
||||
return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
|
||||
self.obj_class, self.perms.to_space_str())
|
||||
|
||||
+ def base_file_type(self):
|
||||
+ base_type_array = []
|
||||
+ base_type_array = [self.base_type, self.tgt_type, self.src_type]
|
||||
+ return base_type_array
|
||||
+
|
||||
+ def __cmp__(self, other):
|
||||
+ if self.src_type != other.src_type:
|
||||
+ return cmp(self.src_type, other.src_type)
|
||||
+ if self.tgt_type != other.tgt_type:
|
||||
+ return cmp(self.tgt_type, other.tgt_type)
|
||||
+ if self.obj_class != self.obj_class:
|
||||
+ return cmp(self.obj_class, other.obj_class)
|
||||
+ if len(self.perms) != len(other.perms):
|
||||
+ return cmp(len(self.perms), len(other.perms))
|
||||
+ x = list(self.perms)
|
||||
+ x.sort()
|
||||
+ y = list(other.perms)
|
||||
+ y.sort()
|
||||
+ for pa, pb in zip(x, y):
|
||||
+ if pa != pb:
|
||||
+ return cmp(pa, pb)
|
||||
+ return 0
|
||||
+
|
||||
def _compare(self, other, method):
|
||||
try:
|
||||
x = list(self.perms)
|
||||
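Review bot: In the added `__cmp__`, the third test compares the object with itself, `if self.obj_class != self.obj_class:`, so it is never true and two vectors that differ only in object class fall through to the permission comparison; it should read `if self.obj_class != other.obj_class:`. The method also relies on the `cmp()` builtin, which does not exist on Python 3, where `__cmp__` is not consulted either, so this ordering can only take effect on Python 2. In `base_file_type`, the initial `base_type_array = []` is dead and the method can simply `return [self.base_type, self.tgt_type, self.src_type]`.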
@@ -257,7 +282,8 @@ class AccessVectorSet:
|
||||
for av in l:
|
||||
self.add_av(AccessVector(av))
|
||||
|
||||
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
|
||||
+ def add(self, src_type, tgt_type, obj_class, perms, obj_path=None,
|
||||
+ base_type=None, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
|
||||
"""Add an access vector to the set.
|
||||
"""
|
||||
tgt = self.src.setdefault(src_type, { })
|
||||
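Review bot: `obj_path` and `base_type` are inserted ahead of `audit_msg` in the signature of `add`, which silently re-binds the fifth and later positional arguments of any existing caller; callers are not visible here, so this needs checking. Appending the new parameters after `data` keeps positional calls working: `def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[], obj_path=None, base_type=None):`. The `data=[]` default is a single list shared across calls and, as the next hunk shows, it is stored on the access vector, so `data=None` with a fresh list created inside would avoid aliasing. The body of `add` continues outside the hunk.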
@@ -270,7 +296,9 @@ class AccessVectorSet:
|
||||
access.src_type = src_type
|
||||
access.tgt_type = tgt_type
|
||||
access.obj_class = obj_class
|
||||
+ access.obj_path = obj_path
|
||||
access.data = data
|
||||
+ access.base_type = base_type
|
||||
access.type = avc_type
|
||||
cls[obj_class, avc_type] = access
|
||||
|
||||
diff --git sepolgen-1.2.3/src/sepolgen/audit.py sepolgen-1.2.3/src/sepolgen/audit.py
|
||||
index 724d3ea..dad0724 100644
|
||||
--- sepolgen-1.2.3/src/sepolgen/audit.py
|
||||
+++ sepolgen-1.2.3/src/sepolgen/audit.py
|
||||
@@ -176,6 +176,7 @@ class AVCMessage(AuditMessage):
|
||||
self.exe = ""
|
||||
self.path = ""
|
||||
self.name = ""
|
||||
+ self.ino = ""
|
||||
self.accesses = []
|
||||
self.denial = True
|
||||
self.type = audit2why.TERULE
|
||||
@@ -237,6 +238,10 @@ class AVCMessage(AuditMessage):
|
||||
self.exe = fields[1][1:-1]
|
||||
elif fields[0] == "name":
|
||||
self.name = fields[1][1:-1]
|
||||
+ elif fields[0] == "path":
|
||||
+ self.path = fields[1][1:-1]
|
||||
+ elif fields[0] == "ino":
|
||||
+ self.ino = fields[1]
|
||||
|
||||
if not found_src or not found_tgt or not found_class or not found_access:
|
||||
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
|
||||
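Review bot: The new branches keep `ino` as whatever text follows `ino=` and strip only the first and last character from `path`, so both fields reach later code unvalidated. Further down in this patch `__restore_path` formats its `name` argument into a command string that is run with `shell=True` and ignores a failed `int(inode)`, so values read from an audit log should be treated as untrusted at this point. I would accept the inode only when it is numeric, `self.ino = fields[1] if fields[1].isdigit() else ""`, and have the lookup call `subprocess.check_output` with an argument list and no shell. The enclosing method starts and ends outside the hunk.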
@@ -361,7 +366,9 @@ class AuditParser:
|
||||
self.path_msgs = []
|
||||
self.by_header = { }
|
||||
self.check_input_file = False
|
||||
-
|
||||
+ self.inode_dict = { }
|
||||
+ self.__store_base_types()
|
||||
+
|
||||
# Low-level parsing function - tries to determine if this audit
|
||||
# message is an SELinux related message and then parses it into
|
||||
# the appropriate AuditMessage subclass. This function deliberately
|
||||
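Review bot: These lines initialise `inode_dict` and the base-type list, but not `old_scontext` and `old_tcontext`, which `__get_base_type` (added later in this patch) reads before it ever assigns them. Unless they are set in a part of the class that is not shown, the first call raises `AttributeError`; adding `self.old_scontext = None` and `self.old_tcontext = None` beside `self.inode_dict = { }` fixes that. Calling `self.__store_base_types()` here also makes constructing the parser depend on `sepolicy` being importable and a policy being readable, which deserves a comment or a lazy lookup. The method these lines belong to starts outside the hunk.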
@@ -499,6 +506,61 @@ class AuditParser:
|
||||
|
||||
return role_types
|
||||
|
||||
+ def __restore_path(self, name, inode):
|
||||
+ import subprocess
|
||||
+ import os
|
||||
+ path = ""
|
||||
+ # Optimizing
|
||||
+ if name == "" or inode == "":
|
||||
+ return path
|
||||
+ for d in self.inode_dict:
|
||||
+ if d == inode and self.inode_dict[d] == name:
|
||||
+ return path
|
||||
+ if d == inode and self.inode_dict[d] != name:
|
||||
+ return self.inode_dict[d]
|
||||
+ if inode not in self.inode_dict.keys():
|
||||
+ self.inode_dict[inode] = name
|
||||
+
|
||||
+ command = "locate -b '\%s'" % name
|
||||
+ try:
|
||||
+ output = subprocess.check_output(command,
|
||||
+ stderr=subprocess.STDOUT,
|
||||
+ shell=True,
|
||||
+ universal_newlines=True)
|
||||
+ try:
|
||||
+ ino = int(inode)
|
||||
+ except ValueError:
|
||||
+ pass
|
||||
+ for file in output.split("\n"):
|
||||
+ try:
|
||||
+ if int(os.lstat(file).st_ino) == ino:
|
||||
+ self.inode_dict[inode] = path = file
|
||||
+ return path
|
||||
+ except:
|
||||
+ pass
|
||||
+ except subprocess.CalledProcessError as e:
|
||||
+ pass
|
||||
+ return path
|
||||
+
|
||||
+ def __store_base_types(self):
|
||||
+ import sepolicy
|
||||
+ self.base_types = sepolicy.get_types_from_attribute("base_file_type")
|
||||
+
|
||||
+ def __get_base_type(self, tcontext, scontext):
|
||||
+ import sepolicy
|
||||
+ # Prevent unnecessary searching
|
||||
+ if (self.old_scontext == scontext and
|
||||
+ self.old_tcontext == tcontext):
|
||||
+ return
|
||||
+ self.old_scontext = scontext
|
||||
+ self.old_tcontext = tcontext
|
||||
+ for btype in self.base_types:
|
||||
+ if btype == tcontext:
|
||||
+ for writable in sepolicy.get_writable_files(scontext):
|
||||
+ if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
|
||||
+ return writable
|
||||
+ return 0
|
||||
+
|
||||
def to_access(self, avc_filter=None, only_denials=True):
|
||||
"""Convert the audit logs access into a an access vector set.
|
||||
|
||||
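Review bot: `__restore_path` formats the `name` field of an AVC record into `locate -b '\%s'` and runs it with `shell=True`, so a file name containing a single quote closes the quoting and the remainder is interpreted by the shell under the account analysing the log. The name is controlled by whichever process triggered the denial, so it has to be treated as untrusted; calling `locate` with an argument list and no shell, as in the block below, removes the problem. The block also returns early when `int(inode)` fails (today `ino` stays unbound and the NameError is hidden by the bare `except:`), and catches `OSError` for a missing `locate` binary. Separately, `scontext.rstrip("_t")` in `__get_base_type` strips any run of trailing `_`/`t` characters rather than the `_t` suffix (`mount_t` becomes `moun`); `scontext[:-2] if scontext.endswith("_t") else scontext` appears to be the intent.

```python
    def __restore_path(self, name, inode):
        # … unchanged: imports, empty-value check and inode_dict cache lookup …
        try:
            ino = int(inode)
        except ValueError:
            return path
        try:
            # Argument list, no shell: `name` comes straight from the audit record.
            output = subprocess.check_output(["locate", "-b", "\\" + name],
                                             stderr=subprocess.STDOUT,
                                             universal_newlines=True)
        except (subprocess.CalledProcessError, OSError):
            return path
        for candidate in output.split("\n"):
            try:
                if os.lstat(candidate).st_ino == ino:
                    self.inode_dict[inode] = path = candidate
                    return path
            except OSError:
                # Stale locate entry or unreadable path: try the next candidate.
                pass
        return path
```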
@@ -517,16 +579,23 @@ class AuditParser:
|
||||
audit logs parsed by this object.
|
||||
"""
|
||||
av_set = access.AccessVectorSet()
|
||||
+ self.old_scontext = ""
|
||||
+ self.old_tcontext = ""
|
||||
for avc in self.avc_msgs:
|
||||
if avc.denial != True and only_denials:
|
||||
continue
|
||||
+ base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type)
|
||||
+ if avc.path == "":
|
||||
+ avc.path = self.__restore_path(avc.name, avc.ino)
|
||||
if avc_filter:
|
||||
if avc_filter.filter(avc):
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
- avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
||||
+ avc.accesses, avc.path, base_type, avc,
|
||||
+ avc_type=avc.type, data=avc.data)
|
||||
else:
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
- avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
||||
+ avc.accesses, avc.path, base_type, avc,
|
||||
+ avc_type=avc.type, data=avc.data)
|
||||
return av_set
|
||||
|
||||
class AVCTypeFilter:
|
||||
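Review bot: `__get_base_type` returns bare `None` when the source and target types match the previous record (the `old_scontext`/`old_tcontext` shortcut added earlier in this patch), so every AVC after the first of a run reaches `av_set.add` with `base_type = None`, as if the target were not a base type. Whether the first result survives depends on how `add` merges entries, which is outside this hunk. Caching the computed value next to the two context fields and returning it on a hit (`return self.old_base_type`) would keep the answer stable. `__restore_path` is also called before `avc_filter` is consulted, so the external lookup runs for records the filter then drops; moving it into the accepted branch avoids that. `to_access` begins in the previous hunk.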
diff --git sepolgen-1.2.3/src/sepolgen/policygen.py sepolgen-1.2.3/src/sepolgen/policygen.py
|
||||
index 34c8401..f374132 100644
|
||||
--- sepolgen-1.2.3/src/sepolgen/policygen.py
|
||||
+++ sepolgen-1.2.3/src/sepolgen/policygen.py
|
||||
@@ -82,8 +82,9 @@ class PolicyGenerator:
|
||||
self.module = refpolicy.Module()
|
||||
|
||||
self.dontaudit = False
|
||||
-
|
||||
+ self.mislabled = None
|
||||
self.domains = None
|
||||
+
|
||||
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
||||
"""Set whether reference policy interfaces are generated.
|
||||
|
||||
@@ -153,6 +154,18 @@ class PolicyGenerator:
|
||||
"""Return the generated module"""
|
||||
return self.module
|
||||
|
||||
+ def __restore_label(self, av):
|
||||
+ import selinux
|
||||
+ try:
|
||||
+ context = selinux.matchpathcon(av.obj_path, 0)
|
||||
+ split = context[1].split(":")[2]
|
||||
+ if split != av.tgt_type:
|
||||
+ self.mislabled = split
|
||||
+ return
|
||||
+ except OSError:
|
||||
+ pass
|
||||
+ self.mislabled = None
|
||||
+
|
||||
def __add_allow_rules(self, avs):
|
||||
for av in avs:
|
||||
rule = refpolicy.AVRule(av)
|
||||
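Review bot: `__restore_label` calls `selinux.matchpathcon(av.obj_path, 0)` for every access vector and handles only `OSError`, but `obj_path` defaults to `None` in `AccessVectorSet.add` and is an empty string when the audit record carried no path. A guard at the top, `if not av.obj_path:` followed by `self.mislabled = None` and `return`, avoids a lookup on a value that is not a path; how the binding reacts to `None` is not visible here. On style, the result is handed back through `self.mislabled` (a misspelling of `mislabeled`) and read by the caller right after the call; returning the expected type from the method would be easier to follow than shared instance state.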
@@ -161,6 +174,34 @@ class PolicyGenerator:
|
||||
rule.comment = ""
|
||||
if self.explain:
|
||||
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
|
||||
+ # base_type[0] == 0 means there exists a base type but not the path
|
||||
+ # base_type[0] == None means user isn't using base type
|
||||
+ # base_type[1] contains the target context
|
||||
+ # base_type[2] contains the source type
|
||||
+ base_type = av.base_file_type()
|
||||
+ if base_type[0] == 0 and av.type != audit2why.ALLOW:
|
||||
+ rule.comment += "\n#!!!! WARNING: '%s' is a base type." % "".join(base_type[1])
|
||||
+ for perm in av.perms:
|
||||
+ if perm == "write" or perm == "create":
|
||||
+ permission = True
|
||||
+ break
|
||||
+ else:
|
||||
+ permission = False
|
||||
+
|
||||
+ # Catch perms 'write' and 'create' for base types
|
||||
+ if (base_type[0] is not None and base_type[0] != 0
|
||||
+ and permission and av.type != audit2why.ALLOW):
|
||||
+ if av.obj_class == dir:
|
||||
+ comp = "(/.*?)"
|
||||
+ else:
|
||||
+ comp = ""
|
||||
+ rule.comment += "\n#!!!! WARNING '%s' is not allowed to write or create to %s. Change the label to %s." % ("".join(base_type[2]), "".join(base_type[1]), "".join(base_type[0]))
|
||||
+ if av.obj_path != "":
|
||||
+ rule.comment += "\n#!!!! $ semanage fcontext -a -t %s %s%s \n#!!!! $ restorecon -R -v %s" % ("".join(base_type[0]), "".join(av.obj_path), "".join(comp) ,"".join(av.obj_path))
|
||||
+
|
||||
+ self.__restore_label(av)
|
||||
+ if self.mislabled is not None and av.type != audit2why.ALLOW:
|
||||
+ rule.comment += "\n#!!!! The file '%s' is mislabeled on your system. \n#!!!! Fix with $ restorecon -R -v %s" % ("".join(av.obj_path), "".join(av.obj_path))
|
||||
if av.type == audit2why.ALLOW:
|
||||
rule.comment += "\n#!!!! This avc is allowed in the current policy"
|
||||
if av.type == audit2why.DONTAUDIT:
|
||||
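Review bot: `if av.obj_class == dir:` compares the class name with Python's builtin `dir` function, so the test is never true and `comp` is always empty; it should read `if av.obj_class == "dir":`. The suffix is written `(/.*?)`, while the usual file-context form for a directory and its contents is `(/.*)?`, so the suggested `semanage fcontext` line needs that correction too. The path written into the suggested `semanage`/`restorecon` commands comes from the audit log and is emitted unquoted; since the text is meant to be pasted into a shell, it should go through `shlex.quote` (or `pipes.quote` on Python 2). `if av.obj_path != "":` also lets `None` through to `"".join(av.obj_path)`, which raises TypeError; `if av.obj_path:` covers both cases. `__add_allow_rules` continues outside this hunk.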
diff --git sepolgen-1.2.3/src/sepolgen/refparser.py sepolgen-1.2.3/src/sepolgen/refparser.py
|
||||
index 9b1d0c8..2cef8e8 100644
|
||||
--- sepolgen-1.2.3/src/sepolgen/refparser.py
|
||||
+++ sepolgen-1.2.3/src/sepolgen/refparser.py
|
||||
@@ -113,6 +113,7 @@ tokens = (
|
||||
'AUDITALLOW',
|
||||
'NEVERALLOW',
|
||||
'PERMISSIVE',
|
||||
+ 'TYPEBOUNDS',
|
||||
'TYPE_TRANSITION',
|
||||
'TYPE_CHANGE',
|
||||
'TYPE_MEMBER',
|
||||
@@ -178,6 +179,7 @@ reserved = {
|
||||
'auditallow' : 'AUDITALLOW',
|
||||
'neverallow' : 'NEVERALLOW',
|
||||
'permissive' : 'PERMISSIVE',
|
||||
+ 'typebounds' : 'TYPEBOUNDS',
|
||||
'type_transition' : 'TYPE_TRANSITION',
|
||||
'type_change' : 'TYPE_CHANGE',
|
||||
'type_member' : 'TYPE_MEMBER',
|
||||
@@ -502,6 +504,7 @@ def p_policy_stmt(p):
|
||||
'''policy_stmt : gen_require
|
||||
| avrule_def
|
||||
| typerule_def
|
||||
+ | typebound_def
|
||||
| typeattribute_def
|
||||
| roleattribute_def
|
||||
| interface_call
|
||||
@@ -823,6 +826,13 @@ def p_typerule_def(p):
|
||||
t.file_name = p[7]
|
||||
p[0] = t
|
||||
|
||||
+def p_typebound_def(p):
|
||||
+ '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
|
||||
+ t = refpolicy.TypeBound()
|
||||
+ t.type = p[2]
|
||||
+ t.tgt_types.update(p[3])
|
||||
+ p[0] = t
|
||||
+
|
||||
def p_bool(p):
|
||||
'''bool : BOOL IDENTIFIER TRUE SEMI
|
||||
| BOOL IDENTIFIER FALSE SEMI'''
|
||||
diff --git sepolgen-1.2.3/src/sepolgen/refpolicy.py sepolgen-1.2.3/src/sepolgen/refpolicy.py
|
||||
index 31b40d8..2ee029c 100644
|
||||
--- sepolgen-1.2.3/src/sepolgen/refpolicy.py
|
||||
+++ sepolgen-1.2.3/src/sepolgen/refpolicy.py
|
||||
@@ -112,6 +112,9 @@ class Node(PolicyBase):
|
||||
def typerules(self):
|
||||
return filter(lambda x: isinstance(x, TypeRule), walktree(self))
|
||||
|
||||
+ def typebounds(self):
|
||||
+ return filter(lambda x: isinstance(x, TypeBound), walktree(self))
|
||||
+
|
||||
def typeattributes(self):
|
||||
"""Iterate over all of the TypeAttribute children of this Interface."""
|
||||
return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
|
||||
@@ -522,6 +525,19 @@ class TypeRule(Leaf):
|
||||
self.tgt_types.to_space_str(),
|
||||
self.obj_classes.to_space_str(),
|
||||
self.dest_type)
|
||||
+class TypeBound(Leaf):
|
||||
+ """SElinux typebound statement.
|
||||
+
|
||||
+ This class represents a typebound statement.
|
||||
+ """
|
||||
+ def __init__(self, parent=None):
|
||||
+ Leaf.__init__(self, parent)
|
||||
+ self.type = ""
|
||||
+ self.tgt_types = IdSet()
|
||||
+
|
||||
+ def to_string(self):
|
||||
+ return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
|
||||
+
|
||||
|
||||
class RoleAllow(Leaf):
|
||||
def __init__(self, parent=None):
|
||||
diff --git sepolgen-1.2.3/tests/.gitignore sepolgen-1.2.3/tests/.gitignore
|
||||
new file mode 100644
|
||||
index 0000000..c120af8
|
||||
--- /dev/null
|
||||
+++ sepolgen-1.2.3/tests/.gitignore
|
||||
@@ -0,0 +1,4 @@
|
||||
+module_compile_test.fc
|
||||
+module_compile_test.if
|
||||
+output
|
||||
+tmp/
|
||||
diff --git sepolgen-1.2.3/tests/Makefile sepolgen-1.2.3/tests/Makefile
|
||||
index 924a9be..e17eef2 100644
|
||||
--- sepolgen-1.2.3/tests/Makefile
|
||||
+++ sepolgen-1.2.3/tests/Makefile
|
||||
@@ -4,8 +4,11 @@ clean:
|
||||
rm -f *~ *.pyc
|
||||
rm -f parser.out parsetab.py
|
||||
rm -f out.txt
|
||||
+ rm -f module_compile_test.fc
|
||||
+ rm -f module_compile_test.if
|
||||
rm -f module_compile_test.pp
|
||||
rm -f output
|
||||
+ rm -rf __pycache__ tmp
|
||||
|
||||
test:
|
||||
$(PYTHON) run-tests.py
|
||||
diff --git sepolgen-1.2.3/tests/module_compile_test.te sepolgen-1.2.3/tests/module_compile_test.te
|
||||
index 446c8dc..b365448 100644
|
||||
--- sepolgen-1.2.3/tests/module_compile_test.te
|
||||
+++ sepolgen-1.2.3/tests/module_compile_test.te
|
||||
@@ -1,8 +1,8 @@
|
||||
-module foo 1.0;
|
||||
+module module_compile_test 1.0;
|
||||
|
||||
require {
|
||||
type foo, bar;
|
||||
class file { read write };
|
||||
}
|
||||
|
||||
-allow foo bar : file { read write };
|
||||
\ No newline at end of file
|
||||
+allow foo bar : file { read write };
|
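--- a/sources
+++ b/sources
@@ -1,11 +1,3 @@
-SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
-SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
-SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
-SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
-SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
-SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
-SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
-SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
-SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
-SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be
-SHA512 (sandbox-po.tgz) = 3d4b389b56bab1a6dddce9884dcebdefbefd1017fec6d987ac22a0705f409ed56722387aaca8fe7d9c468862136387bc703062e2b6de8fd102e13fed04ce811b
+59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
+9ad9331b2133262fb3f774359a7f4761 policycoreutils-2.5.tar.gz
+d17b4072ed14d1f8d94ffd667ddc2864 sepolgen-1.2.3.tar.gz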
|
|
|
@ -1,64 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||
# Description: What the test does
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: What the test does" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 5m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHEL6 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
Is it possible to manage policy modules written in CIL without any compilation? Does semanage and semodule understand them?
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
|
||||
# Description: What the test does
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm $PACKAGE
|
||||
rlRun "echo '()' > empty.cil"
|
||||
rlRun "echo '(())' > invalid.cil"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "empty CIL module"
|
||||
rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
|
||||
rlRun "semodule -i empty.cil"
|
||||
rlRun "semodule -lfull | grep '400.*empty.*cil'"
|
||||
rlRun "semodule -r empty"
|
||||
rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
|
||||
rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
|
||||
rlRun "semanage module -a empty.cil"
|
||||
rlRun "semanage module -l | grep 'empty.*400.*cil'"
|
||||
rlRun "semanage module -r empty"
|
||||
rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "invalid CIL module"
|
||||
rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
|
||||
rlRun "semodule -i invalid.cil" 1
|
||||
rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
|
||||
rlRun "semodule -r invalid" 1
|
||||
rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
|
||||
rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
|
||||
rlRun "semanage module -a invalid.cil" 1
|
||||
rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
|
||||
rlRun "semanage module -r invalid" 1
|
||||
rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "rm -f empty.cil invalid.cil"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of selinux-ansible-playbook
|
||||
# Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
|
||||
# Author: Petr Lautrbach <plautrba@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2018 Red Hat, Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation, either version 2 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=linux-system-roles.selinux-tests
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Petr Lautrbach <plautrba@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils ansible git" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2+" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
PURPOSE of selinux-ansible-playbook
|
||||
Author: Petr Lautrbach <plautrba@redhat.com>
|
||||
|
||||
Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
|
|
@ -1,57 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
|
||||
# Author: Petr Lautrbach <plautrba@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2018 Red Hat, Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or
|
||||
# modify it under the terms of the GNU General Public License as
|
||||
# published by the Free Software Foundation, either version 2 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see http://www.gnu.org/licenses/.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm $PACKAGE
|
||||
rlAssertRpm "git"
|
||||
rlAssertRpm "ansible"
|
||||
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "git clone https://github.com/linux-system-roles/selinux.git"
|
||||
rlRun "cd selinux/test"
|
||||
|
||||
for ansible_test in test_*.yml; do
|
||||
rlRun "ansible-playbook -i localhost, -c local -v $ansible_test"
|
||||
done
|
||||
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "cd ../../"
|
||||
rlRun "rm -rf selinux"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Sanity/load_policy
|
||||
# Description: Does load_policy work as expected? Does it produce correct audit messages?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Sanity/load_policy
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Does load_policy work as expected? Does it produce correct audit messages?" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 5m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: audit policycoreutils selinux-policy-targeted" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Sanity/load_policy
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
Does load_policy work as expected? Does it produce correct audit messages?
|
||||
|
|
@ -1,79 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Sanity/load_policy
|
||||
# Description: Does load_policy work as expected? Does it produce correct audit messages?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2016 Red Hat, Inc.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
if rlIsRHEL 6 ; then
|
||||
SELINUX_FS_MOUNT="/selinux"
|
||||
else # RHEL-7 and above
|
||||
SELINUX_FS_MOUNT="/sys/fs/selinux"
|
||||
fi
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlRun "ls -l `which load_policy`"
|
||||
BINARY_POLICY=`find /etc/selinux/targeted -type f -name policy.?? | sort -n | tail -n 1`
|
||||
rlRun "ls -l ${BINARY_POLICY}"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "load_policy --xyz 2>&1 | grep \"invalid option\""
|
||||
rlRun "dmesg | grep -i selinux" 0,1
|
||||
rlRun "grep -i selinux /proc/mounts"
|
||||
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||
sleep 1
|
||||
rlRun "load_policy -q"
|
||||
rlRun "grep -i selinux /proc/mounts"
|
||||
sleep 1
|
||||
if rlIsRHEL ; then
|
||||
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
|
||||
fi
|
||||
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
|
||||
rlRun "umount ${SELINUX_FS_MOUNT}"
|
||||
rlRun "grep -i selinux /proc/mounts" 1
|
||||
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||
sleep 1
|
||||
rlRun "load_policy -i ${BINARY_POLICY}"
|
||||
rlRun "grep -i selinux /proc/mounts"
|
||||
sleep 1
|
||||
if rlIsRHEL ; then
|
||||
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
|
||||
fi
|
||||
rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
|
||||
rlRun "dmesg | grep -i selinux"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Sanity/restorecon
|
||||
# Description: does restorecon work correctly ?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Sanity/restorecon
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te testpolicy.fc
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
chcon -t bin_t runtest.sh;:
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: does restorecon work correctly ?" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 15m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: grep" >> $(METADATA)
|
||||
@echo "Requires: e2fsprogs" >> $(METADATA)
|
||||
@echo "Requires: libselinux" >> $(METADATA)
|
||||
@echo "Requires: selinux-policy-devel" >> $(METADATA)
|
||||
@echo "Requires: libselinux-utils" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Sanity/restorecon
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
Does restorecon work correctly?
|
||||
|
|
@ -1,367 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Sanity/restorecon
|
||||
# Description: does restorecon work correctly ?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include rhts environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlServiceStop mcstrans mcstransd
|
||||
rlRun "rpm -qf `which restorecon` | grep ${PACKAGE}"
|
||||
rlRun "setenforce 1"
|
||||
rlRun "sestatus"
|
||||
rlRun "setsebool allow_domain_fd_use on"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Functional test"
|
||||
|
||||
TESTDIR="/opt/restorecon_testdir"
|
||||
DIRS="correct.dir incorrect1.dir incorrect2.dir customizable.dir"
|
||||
FILES="correct.file incorrect.file customizable.file"
|
||||
|
||||
rlRun "make -f /usr/share/selinux/devel/Makefile"
|
||||
rlRun "semodule -i testpolicy.pp"
|
||||
|
||||
rlFileBackup /etc/selinux/targeted/contexts/customizable_types
|
||||
rlRun "echo 'customizable_t' >> /etc/selinux/targeted/contexts/customizable_types"
|
||||
|
||||
# Here is the testing dirs and files structure
|
||||
# all the files have initial context corresponding to their names
|
||||
|
||||
# ./
|
||||
# correct.file
|
||||
# incorrect.file
|
||||
# customizable.file
|
||||
|
||||
# correct.dir/
|
||||
# correct.file
|
||||
# incorrect.file
|
||||
# customizable.file
|
||||
|
||||
# incorrect1.dir/
|
||||
# correct.file
|
||||
# incorrect.file
|
||||
# customizable.file
|
||||
|
||||
# incorrect2.dir/
|
||||
# correct.file
|
||||
# incorrect.file
|
||||
# customizable.file
|
||||
|
||||
# customizable.dir/
|
||||
# correct.file
|
||||
# incorrect.file
|
||||
# customizable.file
|
||||
|
||||
# Function to set initial contexts
|
||||
function set_contexts {
|
||||
# Set the intended contexts
|
||||
rlLog "Setting initial contexts of testing dirs..."
|
||||
restorecon -R $TESTDIR
|
||||
for ITEM in `find . -name 'incorrect*'`; do
|
||||
chcon -t incorrect_t $ITEM
|
||||
done
|
||||
for ITEM in `find . -name 'customizable*'`; do
|
||||
chcon -t customizable_t $ITEM
|
||||
done
|
||||
}
|
||||
|
||||
# Check that files in dir $1 have the initial contexts
|
||||
function check_initial_contexts {
|
||||
if echo $1 | grep -q 'incorrect.dir'; then
|
||||
rlRun "ls -ladZ $1 | grep :incorrect_t"
|
||||
elif echo $1 | grep -q 'correct.dir'; then
|
||||
rlRun "ls -ladZ $1 | grep :correct_t"
|
||||
elif echo $1 | grep -q 'customizable.dir'; then
|
||||
rlRun "ls -ladZ $1 | grep :customizable_t"
|
||||
fi
|
||||
rlRun "ls -ladZ $1/* | grep '\<correct.file' | grep ':correct_t'"
|
||||
rlRun "ls -ladZ $1/* | grep '\<incorrect.file' | grep ':incorrect_t'"
|
||||
rlRun "ls -ladZ $1/* | grep '\<customizable.file' | grep ':customizable_t'"
|
||||
}
|
||||
|
||||
# Check that files matching with $2 in dir $1 have context $3
|
||||
function check_contexts {
|
||||
COMMAND="find $1 -name '$2'"
|
||||
for ITEM in `eval $COMMAND`; do
|
||||
rlRun "ls -ladZ $ITEM | grep :$3";
|
||||
done
|
||||
}
|
||||
|
||||
# Create the testing dirs and files
|
||||
rlRun "mkdir -p $TESTDIR"
|
||||
rlRun "pushd $TESTDIR"
|
||||
rlRun "mkdir $DIRS"
|
||||
rlRun "touch $FILES"
|
||||
for DIR in $DIRS; do
|
||||
rlRun "pushd $DIR"
|
||||
rlRun "touch $FILES"
|
||||
rlRun "popd"
|
||||
done
|
||||
|
||||
set_contexts
|
||||
|
||||
echo
|
||||
rlLog "Checking initial contexts of testing dirs..."
|
||||
# Check the contexts are set properly
|
||||
check_initial_contexts '.'
|
||||
check_initial_contexts 'incorrect1.dir'
|
||||
check_initial_contexts 'incorrect2.dir'
|
||||
check_initial_contexts 'correct.dir'
|
||||
check_initial_contexts 'customizable.dir'
|
||||
check_contexts '.' 'incorrect*' 'incorrect_t'
|
||||
check_contexts '.' 'correct*' 'correct_t'
|
||||
check_contexts '.' 'customizable*' 'customizable_t'
|
||||
|
||||
# -e directory
|
||||
# exclude a directory (repeat the option to exclude more than one directory).
|
||||
|
||||
echo
|
||||
rlLog "-e directory"
|
||||
set_contexts
|
||||
rlRun "restorecon -RF -e $TESTDIR/incorrect2.dir $TESTDIR"
|
||||
for ITEM in `ls *.file`; do rlRun "ls -ladZ $ITEM | grep correct_t"; done
|
||||
check_contexts 'incorrect1.dir' '*' 'correct_t'
|
||||
check_contexts 'customizable.dir' '*' 'correct_t'
|
||||
check_initial_contexts 'incorrect2.dir'
|
||||
rlRun "ls -ladZ incorrect2.dir | grep incorrect_t"
|
||||
|
||||
# -f infilename
|
||||
# infilename contains a list of files to be processed. Use - for stdin.
|
||||
|
||||
echo
|
||||
rlLog "-f filename"
|
||||
set_contexts
|
||||
rlRun "cat > ../file_list <<EOF
|
||||
./customizable.file
|
||||
./customizable.dir
|
||||
./correct.dir/customizable.file
|
||||
./incorrect1.dir/customizable.file
|
||||
./incorrect2.dir/customizable.file
|
||||
./customizable.dir/customizable.file
|
||||
EOF"
|
||||
if rlIsRHEL 5; then chcon -t file_t ../file_list ;fi
|
||||
rlRun "restorecon -F -f ../file_list"
|
||||
check_contexts '.' 'incorrect*' 'incorrect_t'
|
||||
check_contexts '.' 'correct*' 'correct_t'
|
||||
check_contexts '.' 'customizable*' 'correct_t'
|
||||
rlRun "rm -f ../file_list"
|
||||
|
||||
|
||||
echo
|
||||
rlLog "-f - Input from stdin"
|
||||
set_contexts
|
||||
rlRun "echo -e 'incorrect2.dir\ncustomizable.file\nincorrect.file' | restorecon -f -"
|
||||
check_initial_contexts 'incorrect1.dir'
|
||||
check_initial_contexts 'correct.dir'
|
||||
check_initial_contexts 'customizable.dir'
|
||||
check_contexts 'incorrect2' '*' 'correct_t'
|
||||
rlRun "ls -ladZ customizable.file | grep customizable_t"
|
||||
rlRun "ls -ladZ incorrect.file | grep :correct_t"
|
||||
|
||||
# -F Force reset of context to match file_context for customizable files, and
|
||||
# the default file context, changing the user, role, range portion as well
|
||||
# as the type.
|
||||
|
||||
echo
|
||||
rlLog "-F Force reset of customizable types"
|
||||
set_contexts
|
||||
rlRun "restorecon -RF $TESTDIR"
|
||||
check_contexts '.' '*' 'correct_t'
|
||||
|
||||
# This feature is from RHEL6 further
|
||||
if ! rlIsRHEL; then
|
||||
echo
|
||||
rlLog "-F Force reset of the whole context"
|
||||
set_contexts
|
||||
chcon -u staff_u *.file
|
||||
rlRun "ls -laZ correct.file | grep staff_u"
|
||||
rlRun "ls -laZ incorrect.file | grep staff_u"
|
||||
rlRun "ls -laZ customizable.file | grep staff_u"
|
||||
rlRun "restorecon -R $TESTDIR"
|
||||
rlRun "ls -laZ correct.file | grep staff_u"
|
||||
rlRun "ls -laZ incorrect.file | grep staff_u"
|
||||
rlRun "ls -laZ customizable.file | grep staff_u"
|
||||
rlRun "restorecon -RF $TESTDIR"
|
||||
rlRun "ls -laZ correct.file | grep system_u"
|
||||
rlRun "ls -laZ incorrect.file | grep system_u"
|
||||
rlRun "ls -laZ customizable.file | grep system_u"
|
||||
fi
|
||||
|
||||
# -i ignore files that do not exist.
|
||||
|
||||
rlRun "restorecon non-existent-file" 1-255
|
||||
rlRun "restorecon -i non-existent-file"
|
||||
|
||||
# -n don't change any file labels (passive check).
|
||||
|
||||
echo
|
||||
rlLog "-n dry-run"
|
||||
set_contexts
|
||||
rlRun "restorecon -RF -n $TESTDIR"
|
||||
check_contexts '.' 'incorrect*' 'incorrect_t'
|
||||
check_contexts '.' 'correct*' 'correct_t'
|
||||
check_contexts '.' 'customizable*' 'customizable_t'
|
||||
|
||||
# -o outfilename
|
||||
# Deprecated, SELinux policy will probably block this access. Use shell
|
||||
# redirection to save list of files with incorrect context in filename.
|
||||
|
||||
# ----not tested yet
|
||||
|
||||
# -R, -r change files and directories file labels recursively (descend directo‐
|
||||
# ries).
|
||||
# Note: restorecon reports warnings on paths without default labels only
|
||||
# if called non-recursively or in verbose mode.
|
||||
|
||||
set_contexts
|
||||
rlRun "restorecon -R $TESTDIR"
|
||||
check_contexts '.' '*corr*' 'correct_t'
|
||||
check_contexts '.' 'customizable*' 'customizable_t'
|
||||
|
||||
# ...by default it does not operate recursively on directories
|
||||
|
||||
set_contexts
|
||||
rlRun "restorecon $TESTDIR"
|
||||
check_initial_contexts 'incorrect1.dir'
|
||||
check_initial_contexts 'incorrect2.dir'
|
||||
check_initial_contexts 'correct.dir'
|
||||
check_initial_contexts 'customizable.dir'
|
||||
rlRun "ls -ladZ customizable.file | grep customizable_t"
|
||||
rlRun "ls -ladZ incorrect.file | grep :incorrect_t"
|
||||
rlRun "ls -ladZ correct.file | grep :correct_t"
|
||||
|
||||
# -v show changes in file labels, if type or role are going to be changed.
|
||||
|
||||
# ----not tested yet
|
||||
|
||||
# -0 option is not present in RHEL5
|
||||
if ! rlIsRHEL 5; then
|
||||
# -0 the separator for the input items is assumed to be the null character
|
||||
# (instead of the white space). The quotes and the backslash characters
|
||||
# are also treated as normal characters that can form valid input. This
|
||||
# option finally also disables the end of file string, which is treated
|
||||
# like any other argument. Useful when input items might contain white
|
||||
# space, quote marks or backslashes. The -print0 option of GNU find pro‐
|
||||
# duces input suitable for this mode.
|
||||
|
||||
echo
|
||||
rlLog "-0"
|
||||
set_contexts
|
||||
rlRun "find . -print0 | restorecon -f - -0"
|
||||
check_contexts '.' '*corr*' 'correct_t'
|
||||
check_contexts '.' 'customizable*' 'customizable_t'
|
||||
|
||||
echo
|
||||
rlLog "-0 with -F"
|
||||
set_contexts
|
||||
rlRun "find . -print0 | restorecon -F -f - -0"
|
||||
check_contexts '.' '*' 'correct_t'
|
||||
|
||||
fi
|
||||
|
||||
# If a file object does not have a context, restorecon will write the default
|
||||
# context to the file object's extended attributes.
|
||||
|
||||
# ----not tested yet
|
||||
|
||||
|
||||
# Cleanup
|
||||
|
||||
rlRun "popd"
|
||||
rlRun "rm -rf /opt/restorecon_testdir"
|
||||
rlFileRestore
|
||||
rlRun "semodule -r testpolicy"
|
||||
rlPhaseEnd
|
||||
|
||||
# This is RFE from RHEL6 and further versions
|
||||
if ! rlIsRHEL 5;then
|
||||
rlPhaseStartTest
|
||||
# META-Fixed-In: policycoreutils-2.0.83-19.14.el6
|
||||
rlRun "pushd /root"
|
||||
rlRun "touch test-file"
|
||||
rlRun "mkdir test-dir"
|
||||
for ITEM in "test-file" "test-dir" ; do
|
||||
rlRun "chcon -u staff_u -t shadow_t -l s0:c1 ${ITEM}"
|
||||
rlRun "ls -dZ ${ITEM} | grep staff_u:object_r:shadow_t:s0:c1"
|
||||
rlRun "restorecon -v ${ITEM}" 0,1
|
||||
rlRun "ls -dZ ${ITEM} | grep staff_u:object_r:admin_home_t:s0:c1"
|
||||
rlRun "restorecon -F -v ${ITEM}" 0,1
|
||||
rlRun "ls -dZ ${ITEM} | grep system_u:object_r:admin_home_t:s0"
|
||||
done
|
||||
rlRun "rm -rf test-dir"
|
||||
rlRun "rm -f test-file"
|
||||
rlRun "popd"
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
rlPhaseStartTest
|
||||
# META-Fixed-In: policycoreutils-2.0.83-19.16.el6
|
||||
rlRun "pushd /root"
|
||||
rlRun "touch test-file"
|
||||
rlRun "mkdir test-dir"
|
||||
for ITEM in "test-file" "test-dir" ; do
|
||||
rlRun "chcon -t tmp_t ${ITEM}"
|
||||
rlRun "ls -dZ ${ITEM}"
|
||||
rlRun "chattr +i ${ITEM}"
|
||||
rlRun "restorecon -v ${ITEM}" 1-255
|
||||
rlRun "chattr -i ${ITEM}"
|
||||
rlRun "ls -dZ ${ITEM}"
|
||||
rlRun "restorecon -v ${ITEM}"
|
||||
rlRun "ls -dZ ${ITEM}"
|
||||
done
|
||||
rlRun "rm -rf test-dir"
|
||||
rlRun "rm -f test-file"
|
||||
rlRun "popd"
|
||||
rlPhaseEnd
|
||||
|
||||
# The bug was closed as NEXTRELEASE for RHEL5
|
||||
if ! rlIsRHEL 5; then
|
||||
rlPhaseStartTest
|
||||
rlRun "touch ~/test-file"
|
||||
rlRun "restorecon -vF ~/test-file"
|
||||
rlRun "restorecon -vF ~/test-file | grep \"reset.*context\"" 1
|
||||
rlRun "rm -f ~/test-file"
|
||||
|
||||
rlRun "mkdir ~/test-dir"
|
||||
rlRun "restorecon -vF ~/test-dir"
|
||||
rlRun "restorecon -vF ~/test-dir | grep \"reset.*context\"" 1
|
||||
rlRun "rm -rf ~/test-dir"
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlServiceRestore mcstrans mcstransd
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,2 +0,0 @@
|
|||
/opt/restorecon_testdir(/.*)? system_u:object_r:correct_t:s0
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
policy_module(testpolicy, 1.0)
|
||||
|
||||
require {
|
||||
attribute domain;
|
||||
type fs_t;
|
||||
}
|
||||
|
||||
type correct_t;
|
||||
files_type(correct_t)
|
||||
type incorrect_t;
|
||||
files_type(incorrect_t)
|
||||
type customizable_t;
|
||||
files_type(customizable_t)
|
||||
|
||||
|
||||
#allow domain correct_t:dir relabelto;
|
||||
#allow correct_t fs_t:filesystem associate;
|
||||
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Regression/semanage-interface
|
||||
# Description: Does semanage interface ... work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Regression/semanage-interface
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
test -x runtest.sh || chcon -t bin_t runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Does semanage interface ... work correctly?" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 20m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils policycoreutils-python-utils grep selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-interface
|
||||
Description: Does semanage interface ... work correctly?
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
|
@ -1,69 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-interface
|
||||
# Description: Does semanage interface ... work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "semanage interface --help" 0,1
|
||||
for POLICY_TYPE in minimum mls targeted ; do
|
||||
if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
|
||||
continue
|
||||
fi
|
||||
rlRun "semanage interface -l -S ${POLICY_TYPE}"
|
||||
done
|
||||
if ! rlIsRHEL 5; then
|
||||
rlRun "semanage interface -l -S unknown 2>&1 | grep \"store cannot be accessed\""
|
||||
fi
|
||||
rlRun "semanage interface -a -t xyz_t xyz 2>&1 | grep -i -e 'not defined' -e 'error' -e 'could not'"
|
||||
rlRun "semanage interface -m xyz" 1,2
|
||||
rlRun "semanage interface -d xyz" 1
|
||||
rlRun "semanage interface -a -t netif_t xyz"
|
||||
if rlIsRHEL 5 6; then
|
||||
rlRun "semanage interface -m -r s0 xyz"
|
||||
else
|
||||
rlRun "semanage interface -m -t netif_t -r s0 xyz"
|
||||
fi
|
||||
rlRun "semanage interface -l | grep \"xyz.*:netif_t:s0\""
|
||||
rlRun "semanage interface -d xyz"
|
||||
rlRun "semanage interface -l | grep xyz" 1
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Regression/semanage-login
|
||||
# Description: Does semanage login ... work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Regression/semanage-login
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
test -x runtest.sh || chcon -t bin_t runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Does semanage login ... work correctly?" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 10m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils policycoreutils-python-utils grep shadow-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-login
|
||||
Description: Does semanage login ... work correctly?
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
|
@ -1,67 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-login
|
||||
# Description: Does semanage login ... work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "semanage login --help" 0,1
|
||||
for POLICY_TYPE in minimum mls targeted ; do
|
||||
if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
|
||||
continue
|
||||
fi
|
||||
rlRun "semanage login -l -S ${POLICY_TYPE}"
|
||||
done
|
||||
if ! rlIsRHEL 5; then
|
||||
rlRun "semanage login -l -S unknown 2>&1 | grep \"store cannot be accessed\""
|
||||
fi
|
||||
rlRun "semanage login -a -s xyz_u xyz 2>&1 | grep -i -e 'does not exist' -e 'mapping.*invalid' -e 'could not query'"
|
||||
rlRun "semanage login -m xyz" 1
|
||||
rlRun "semanage login -d xyz" 1
|
||||
rlRun "useradd xyz"
|
||||
rlRun "semanage login -a -s user_u xyz"
|
||||
rlRun "semanage login -m -r s0 xyz"
|
||||
rlRun "semanage login -l | grep \"xyz.*user_u.*s0\""
|
||||
rlRun "semanage login -d xyz"
|
||||
rlRun "semanage login -l | grep xyz" 1
|
||||
rlRun "userdel -rf xyz"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||
# Description: semanage permissive -d accepts more than domain types, its behavior is not reliable
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
chcon -t bin_t runtest.sh; :
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: semanage permissive -d accepts more than domain types, its behavior is not reliable" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 20m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils-python-utils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils-devel" >> $(METADATA)
|
||||
@echo "Requires: selinux-policy-devel" >> $(METADATA)
|
||||
@echo "Requires: grep" >> $(METADATA)
|
||||
@echo "Requires: coreutils" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHELServer5 -RHELClient5" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
Does semanage permissive work correctly?
|
||||
|
|
@ -1,93 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
|
||||
# Description: semanage permissive -d accepts more than domain types, its behavior is not reliable
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include rhts environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlRun "rpm -qf /usr/sbin/semanage"
|
||||
OUTPUT_FILE=`mktemp`
|
||||
rlRun "sestatus"
|
||||
rlPhaseEnd
|
||||
|
||||
if selinuxenabled ; then
|
||||
rlPhaseStartTest
|
||||
if rlIsRHEL 7 ; then
|
||||
rlFileBackup /usr/share/selinux/default/Makefile
|
||||
rlRun "rm -rf /usr/share/selinux/default/Makefile"
|
||||
fi
|
||||
rlRun "semanage permissive -l | grep fenced" 1
|
||||
rlRun "semanage permissive -a fenced_t"
|
||||
rlRun "semanage permissive -l | grep fenced"
|
||||
rlRun "semanage permissive -d fenced_t"
|
||||
rlRun "semanage permissive -l | grep fenced" 1
|
||||
if rlIsRHEL 7 ; then
|
||||
rlFileRestore
|
||||
fi
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||
rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$"
|
||||
rlRun "semanage permissive -a ypbind_t"
|
||||
rlRun "semanage permissive -a ypserv_t"
|
||||
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||
rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$"
|
||||
rlRun "semanage permissive -d yp" 1-255
|
||||
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||
rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$"
|
||||
rlRun "semanage permissive -d ypbind_t"
|
||||
rlRun "semanage permissive -d ypserv_t"
|
||||
rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
|
||||
rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun -s "semanage permissive -d" 1
|
||||
rlAssertNotGrep 'traceback' $rlRun_LOG -iEq
|
||||
rlAssertGrep 'error: the following argument is required: type' $rlRun_LOG -iEq
|
||||
rm -f $rlRun_LOG
|
||||
rlPhaseEnd
|
||||
else
|
||||
rlPhaseStartTest
|
||||
rlRun "semanage permissive -l >& ${OUTPUT_FILE}" 0,1
|
||||
rlRun "grep -C 32 -i -e exception -e traceback -e error ${OUTPUT_FILE}" 1
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rm -f ${OUTPUT_FILE}
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,71 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||
# Description: semanage accepts invalid port numbers and then cannot delete them
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
chcon -t bin_t runtest.sh;:
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: semanage accepts invalid port numbers and then cannot delete them" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 15m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils-python-utils" >> $(METADATA)
|
||||
@echo "Requires: setools-console" >> $(METADATA)
|
||||
@echo "Requires: libselinux" >> $(METADATA)
|
||||
@echo "Requires: libselinux-utils" >> $(METADATA)
|
||||
@echo "Requires: coreutils" >> $(METADATA)
|
||||
@echo "Requires: grep" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
semanage accepts invalid port numbers and then cannot delete them
|
||||
|
|
@ -1,137 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/rhts-library/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
|
||||
# Description: semanage accepts invalid port numbers and then cannot delete them
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2009 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
PORT_NAME="ldap_port_t"
|
||||
BAD_PORT_NUMBER="123456"
|
||||
GOOD_PORT_NUMBER="1389"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlRun "rpm -qf /usr/sbin/semanage"
|
||||
rlRun "rpm -qf /usr/bin/seinfo"
|
||||
OUTPUT_FILE=`mktemp`
|
||||
rlRun "setenforce 1"
|
||||
rlRun "sestatus"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "semanage port -l | grep ${PORT_NAME}"
|
||||
|
||||
rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
|
||||
rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1
|
||||
rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
|
||||
rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1
|
||||
rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
|
||||
#rlRun "sort ${OUTPUT_FILE} | uniq | wc -l | grep '^2$'"
|
||||
|
||||
rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1
|
||||
rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}"
|
||||
rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}"
|
||||
rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}"
|
||||
rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "semanage port -a -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1
|
||||
rlRun "semanage port -l | grep syslogd_port_t"
|
||||
rlRun "semanage port -d -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1
|
||||
rlPhaseEnd
|
||||
|
||||
if rlIsRHEL ; then
|
||||
rlPhaseStartTest
|
||||
rlRun "ps -efZ | grep -v grep | grep \"auditd_t.*auditd\""
|
||||
if rlIsRHEL 5 6; then
|
||||
PORT_TYPE="syslogd_port_t"
|
||||
else
|
||||
PORT_TYPE="commplex_link_port_t"
|
||||
fi
|
||||
|
||||
# adding a port number to a type
|
||||
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||
sleep 1
|
||||
rlRun "semanage port -a -p tcp -t $PORT_TYPE 5005"
|
||||
sleep 2
|
||||
|
||||
# Check for user_avc
|
||||
rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1
|
||||
LINE_COUNT=`wc -l < ${OUTPUT_FILE}`
|
||||
rlRun "cat ${OUTPUT_FILE}"
|
||||
rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT}
|
||||
|
||||
# deleting a port number from a type
|
||||
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||
sleep 1
|
||||
rlRun "semanage port -d -p tcp -t $PORT_TYPE 5005"
|
||||
sleep 2
|
||||
|
||||
# Check for user_avc
|
||||
rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1
|
||||
LINE_COUNT=`wc -l < ${OUTPUT_FILE}`
|
||||
rlRun "cat ${OUTPUT_FILE}"
|
||||
rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT}
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
if ! rlIsRHEL 5 ; then
|
||||
rlPhaseStartTest
|
||||
rlRun "seinfo --portcon | grep :hi_reserved_port_t:"
|
||||
rlRun "seinfo --portcon | grep :reserved_port_t:"
|
||||
rlRun "semanage port -l | grep ^hi_reserved_port_t"
|
||||
rlRun "semanage port -l | grep ^reserved_port_t"
|
||||
if ! rlIsRHEL 6 ; then
|
||||
rlRun "seinfo --portcon | grep :unreserved_port_t:"
|
||||
rlRun "semanage port -l | grep ^unreserved_port_t"
|
||||
fi
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
rlPhaseStartTest "manipulation with hard-wired ports"
|
||||
rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
|
||||
rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i
|
||||
rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i
|
||||
rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
|
||||
rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i
|
||||
rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i
|
||||
rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rm -f ${OUTPUT_FILE}
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Regression/semanage-user
|
||||
# Description: Does semanage user ... work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Regression/semanage-user
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
test -x runtest.sh || chcon -t bin_t runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Does semanage user ... work correctly?" >> $(METADATA)
|
||||
@echo "Type: Regression" >> $(METADATA)
|
||||
@echo "TestTime: 20m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils policycoreutils-python-utils grep selinux-policy-devel selinux-policy-minimum selinux-policy-mls selinux-policy-targeted selinux-policy-devel" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Regression/semanage-user
|
||||
Description: Does semanage user ... work correctly?
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
|
@ -1,76 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Regression/semanage-user
|
||||
# Description: Does semanage user ... work correctly?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlRun "make -f /usr/share/selinux/devel/Makefile"
|
||||
rlRun "ls -l testpolicy.pp"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
if rlIsRHEL 5 6; then
|
||||
rlRun "semanage user --help" 1
|
||||
else
|
||||
rlRun "semanage user --help" 0
|
||||
# semanage: list option can not be used with --level ("semanage user -l")
|
||||
rlRun "semanage user --help | grep fcontext" 1
|
||||
fi
|
||||
for POLICY_TYPE in minimum mls targeted ; do
|
||||
if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
|
||||
continue
|
||||
fi
|
||||
rlRun "semanage user -l -S ${POLICY_TYPE}"
|
||||
done
|
||||
if ! rlIsRHEL 5; then
|
||||
rlRun "semanage user -l -S unknown 2>&1 | grep \"store cannot be accessed\""
|
||||
fi
|
||||
rlRun "semanage user -a -P user -R xyz_r xyz_u 2>&1 | grep -i -e 'undefined' -e 'error' -e 'could not'"
|
||||
rlRun "semanage user -m xyz_u" 1
|
||||
rlRun "semanage user -d xyz_u" 1
|
||||
rlRun "semodule -i testpolicy.pp"
|
||||
rlRun "semanage user -a -P user -R xyz_r xyz_u"
|
||||
rlRun "semanage user -m -r s0 xyz_u"
|
||||
rlRun "semanage user -l | grep \"xyz_u.*s0.*s0.*xyz_r\""
|
||||
rlRun "semanage user -d xyz_u"
|
||||
rlRun "semanage user -l | grep xyz_u" 1
|
||||
rlRun "semodule -r testpolicy"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "rm -rf tmp testpolicy.{fc,if,pp}"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
module testpolicy 1.0;
|
||||
|
||||
type xyz_t;
|
||||
role xyz_r;
|
||||
|
||||
require {
|
||||
type xyz_t;
|
||||
}
|
||||
|
||||
role xyz_r types xyz_t;
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Sanity/sepolicy-generate
|
||||
# Description: sepolicy generate sanity test
|
||||
# Author: Michal Trunecka <mtruneck@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Sanity/sepolicy-generate
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Michal Trunecka <mtruneck@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: sepolicy generate sanity test" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 115m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils policycoreutils-devel rpm-build" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4 -RHEL5 -RHEL6" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Sanity/sepolicy-generate
|
||||
Description: sepolicy generate sanity test
|
||||
Author: Michal Trunecka <mtruneck@redhat.com>
|
|
@ -1,115 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Sanity/sepolicy-generate
|
||||
# Description: sepolicy generate sanity test
|
||||
# Author: Michal Trunecka <mtruneck@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/bin/rhts-environment.sh || exit 1
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlRun "rlCheckRequirements ${PACKAGES[*]}" || rlDie "cannot continue"
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "mkdir mypolicy"
|
||||
rlRun "sepolicy generate --customize -p mypolicy -n testpolicy -d httpd_sys_script_t -w /home"
|
||||
rlRun "grep 'manage_dirs_pattern(httpd_sys_script_t' mypolicy/testpolicy.te"
|
||||
rlRun "rm -rf mypolicy"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "mkdir mypolicy"
|
||||
rlRun "touch /usr/bin/testpolicy"
|
||||
for VARIANT in " -n testpolicy --admin_user -r webadm_r" \
|
||||
" --application /usr/bin/testpolicy " \
|
||||
" -n testpolicy --confined_admin -a firewalld " \
|
||||
" -n testpolicy --confined_admin " \
|
||||
" -n testpolicy --customize -d httpd_t -a firewalld " \
|
||||
" -n testpolicy --customize -d httpd_t" \
|
||||
" --dbus /usr/bin/testpolicy " \
|
||||
" -n testpolicy --desktop_user " \
|
||||
" --inetd /usr/bin/testpolicy " \
|
||||
" --init /usr/bin/testpolicy " \
|
||||
" -n testpolicy --newtype -t newtype_var_log_t " \
|
||||
" -n testpolicy --newtype -t newtype_unit_file_t " \
|
||||
" -n testpolicy --newtype -t newtype_var_run_t " \
|
||||
" -n testpolicy --newtype -t newtype_var_cache_t " \
|
||||
" -n testpolicy --newtype -t newtype_tmp_t " \
|
||||
" -n testpolicy --newtype -t newtype_port_t " \
|
||||
" -n testpolicy --newtype -t newtype_var_spool_t " \
|
||||
" -n testpolicy --newtype -t newtype_var_lib_t " \
|
||||
" -n testpolicy --sandbox " \
|
||||
" -n testpolicy --term_user " \
|
||||
" -n testpolicy --x_user "
|
||||
# " --cgi /usr/bin/testpolicy "
|
||||
do
|
||||
rlRun "sepolicy generate -p mypolicy $VARIANT"
|
||||
rlRun "cat mypolicy/testpolicy.te"
|
||||
rlRun "cat mypolicy/testpolicy.if"
|
||||
rlRun "cat mypolicy/testpolicy.fc"
|
||||
if echo "$VARIANT" | grep -q newtype; then
|
||||
rlAssertNotExists "mypolicy/testpolicy.sh"
|
||||
rlAssertNotExists "mypolicy/testpolicy.spec"
|
||||
else
|
||||
rlRun "mypolicy/testpolicy.sh"
|
||||
rlRun "semodule -l | grep testpolicy"
|
||||
rlRun "semanage user -d testpolicy_u" 0-255
|
||||
rlRun "semodule -r testpolicy"
|
||||
fi
|
||||
|
||||
rlRun "rm -rf mypolicy/*"
|
||||
rlRun "sleep 1"
|
||||
|
||||
if ! echo "$VARIANT" | grep -q newtype; then
|
||||
rlRun "sepolicy generate -p mypolicy -w /home $VARIANT"
|
||||
rlRun "cat mypolicy/testpolicy.te"
|
||||
rlRun "cat mypolicy/testpolicy.if"
|
||||
rlRun "cat mypolicy/testpolicy.fc"
|
||||
|
||||
rlRun "mypolicy/testpolicy.sh"
|
||||
rlRun "semodule -l | grep testpolicy"
|
||||
rlRun "semanage user -d testpolicy_u" 0-255
|
||||
rlRun "semodule -r testpolicy"
|
||||
|
||||
rlRun "rm -rf mypolicy/*"
|
||||
rlRun "sleep 1"
|
||||
fi
|
||||
done
|
||||
rlRun "rm -rf mypolicy"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
|
@ -1,67 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Sanity/sestatus
|
||||
# Description: tests everything about sestatus
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Sanity/sestatus
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
chcon -t bin_t runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: tests everything about sestatus" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 5m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: grep" >> $(METADATA)
|
||||
@echo "Requires: man" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Sanity/sestatus
|
||||
Description: tests everything about sestatus
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
|
@ -1,114 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Sanity/sestatus
|
||||
# Description: tests everything about sestatus
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include rhts environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
if rlIsRHEL 5 6 ; then
|
||||
SELINUX_FS_MOUNT="/selinux"
|
||||
else # RHEL-7 and above
|
||||
SELINUX_FS_MOUNT="/sys/fs/selinux"
|
||||
fi
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
rlFileBackup /etc/sestatus.conf
|
||||
rlRun "mount | grep -i selinux" 0,1
|
||||
OUTPUT_FILE=`mktemp`
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "basic use"
|
||||
rlRun "sestatus"
|
||||
rlRun "sestatus -b 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "policy booleans" ${OUTPUT_FILE} -i
|
||||
rlRun "sestatus -v 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "process contexts" ${OUTPUT_FILE} -i
|
||||
rlAssertGrep "file contexts" ${OUTPUT_FILE} -i
|
||||
rlAssertGrep "current context" ${OUTPUT_FILE} -i
|
||||
rlAssertGrep "init context" ${OUTPUT_FILE} -i
|
||||
rlAssertGrep "controlling term" ${OUTPUT_FILE} -i
|
||||
rlRun "sestatus --xyz 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "invalid option" ${OUTPUT_FILE} -i
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "extreme cases"
|
||||
# pretend that the config file contains an invalid section
|
||||
rlRun "sed -i 's/files/xyz/' /etc/sestatus.conf"
|
||||
rlRun "sestatus -v 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "line not in a section" ${OUTPUT_FILE} -i
|
||||
rlRun "rm -f /etc/sestatus.conf"
|
||||
rlRun "mkdir /etc/sestatus.conf" # intentionally replaced a file with a directory
|
||||
rlRun "sestatus -v"
|
||||
# pretend that the config file is missing
|
||||
rlRun "rm -rf /etc/sestatus.conf"
|
||||
for OPTION in "-bv" "-v" ; do
|
||||
rlRun "sestatus ${OPTION} 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "unable to open /etc/sestatus.conf" ${OUTPUT_FILE} -i
|
||||
done
|
||||
rlFileRestore
|
||||
# pretend that SELinux is disabled
|
||||
rlRun "umount ${SELINUX_FS_MOUNT}"
|
||||
for OPTION in "" "-b" "-v" "-bv" ; do
|
||||
rlRun "sestatus ${OPTION} 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "selinux status.*disabled" ${OUTPUT_FILE} -i
|
||||
done
|
||||
rlRun "mount -t selinuxfs none ${SELINUX_FS_MOUNT}"
|
||||
# pretend that no booleans are defined
|
||||
rlRun "mkdir ./booleans"
|
||||
rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
|
||||
rlRun "sestatus -b 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
|
||||
rlAssertNotGrep "booleans" ${OUTPUT_FILE} -i
|
||||
rlRun "rmdir ./booleans"
|
||||
rlPhaseEnd
|
||||
|
||||
# This bug is not worth fixing in RHEL-5
|
||||
if ! rlIsRHEL 5 ; then
|
||||
rlPhaseStartTest
|
||||
rlRun "rpm -ql ${PACKAGE} | grep /usr/sbin/sestatus"
|
||||
rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/man8/sestatus.8"
|
||||
for OPTION in b v ; do
|
||||
rlRun "sestatus --help 2>&1 | grep -- -${OPTION}"
|
||||
rlRun "man sestatus | col -b | grep -- -${OPTION}"
|
||||
done
|
||||
if ! rlIsRHEL 6 ; then
|
||||
rlRun "man -w sestatus.conf"
|
||||
fi
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlFileRestore
|
||||
rm -f ${OUTPUT_FILE}
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,65 +0,0 @@
|
|||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/policycoreutils/Sanity/setsebool
|
||||
# Description: does setsebool work correctly ?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/policycoreutils/Sanity/setsebool
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
chmod a+x runtest.sh
|
||||
chcon -t bin_t runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Milos Malik <mmalik@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: does setsebool work correctly ?" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 45m" >> $(METADATA)
|
||||
@echo "RunFor: policycoreutils" >> $(METADATA)
|
||||
@echo "Requires: audit policycoreutils libselinux-utils shadow-utils grep" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
@echo "Releases: -RHEL4" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
PURPOSE of /CoreOS/policycoreutils/Sanity/setsebool
|
||||
Author: Milos Malik <mmalik@redhat.com>
|
||||
|
||||
Does setsebool work as expected? Does it produce correct audit messages?
|
||||
|
|
@ -1,151 +0,0 @@
|
|||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/policycoreutils/Sanity/setsebool
|
||||
# Description: does setsebool work correctly ?
|
||||
# Author: Milos Malik <mmalik@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2011 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include rhts environment
|
||||
. /usr/bin/rhts-environment.sh
|
||||
. /usr/share/beakerlib/beakerlib.sh
|
||||
|
||||
PACKAGE="policycoreutils"
|
||||
USER_NAME="user${RANDOM}"
|
||||
USER_SECRET="s3kr3t${RANDOM}"
|
||||
BOOLEAN="ftpd_connect_db"
|
||||
if rlIsRHEL 5 6 ; then
|
||||
SELINUX_FS_MOUNT="/selinux"
|
||||
else # RHEL-7 and above
|
||||
SELINUX_FS_MOUNT="/sys/fs/selinux"
|
||||
fi
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm ${PACKAGE}
|
||||
OUTPUT_FILE=`mktemp`
|
||||
chcon -t tmp_t ${OUTPUT_FILE}
|
||||
|
||||
rlRun "useradd ${USER_NAME}"
|
||||
rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
for OPTION in "" "-P" ; do
|
||||
for OPERATOR in " " "=" ; do
|
||||
for VALUE in 0 1 false true off on ; do
|
||||
rlRun "setsebool ${OPTION} ${BOOLEAN}${OPERATOR}${VALUE} | grep -i -e illegal -e usage -e invalid" 1
|
||||
if [ ${VALUE} == "0" -o ${VALUE} == "false" ] ; then
|
||||
SHOWN_VALUE="off"
|
||||
elif [ ${VALUE} == "1" -o ${VALUE} == "true" ] ; then
|
||||
SHOWN_VALUE="on"
|
||||
else
|
||||
SHOWN_VALUE=${VALUE}
|
||||
fi
|
||||
rlRun "getsebool -a | grep \"^${BOOLEAN}.*${SHOWN_VALUE}\""
|
||||
done
|
||||
done
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
rlRun "setsebool" 1
|
||||
rlRun "setsebool xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
|
||||
rlRun "setsebool xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||||
rlRun "setsebool xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||||
if ! rlIsRHEL 5 6 ; then
|
||||
rlRun "setsebool -N 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
|
||||
rlRun "setsebool -P 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
|
||||
fi
|
||||
rlRun "setsebool -P xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
|
||||
rlRun "setsebool -P xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||||
rlRun "setsebool -P xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
|
||||
rlPhaseEnd
|
||||
|
||||
if ! rlIsRHEL 5 6 ; then
|
||||
rlPhaseStartTest
|
||||
rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||||
rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||||
rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||||
rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "try as root" ${OUTPUT_FILE} -i
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
for OPTION in "" "-P" ; do
|
||||
rlRun "getsebool allow_ypbind | grep nis_enabled"
|
||||
rlRun "setsebool ${OPTION} allow_ypbind on"
|
||||
rlRun "getsebool allow_ypbind | grep \"nis_enabled.*on\""
|
||||
rlRun "setsebool ${OPTION} allow_ypbind off"
|
||||
rlRun "getsebool allow_ypbind | grep \"nis_enabled.*off\""
|
||||
done
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest
|
||||
# https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
|
||||
for LINE in `cat /etc/selinux/*/booleans.subs_dist | sort | uniq | tr -s ' ' | tr ' ' ':'` ; do
|
||||
OLD_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 1`
|
||||
NEW_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 2`
|
||||
rlRun "getsebool ${OLD_BOOLEAN_NAME} 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlRun "getsebool ${NEW_BOOLEAN_NAME} 2>&1 | tee -a ${OUTPUT_FILE}"
|
||||
rlRun "uniq -c ${OUTPUT_FILE} | grep '2 '"
|
||||
done
|
||||
rlPhaseEnd
|
||||
fi
|
||||
|
||||
rlPhaseStartTest "audit messages"
|
||||
START_DATE_TIME=`date "+%m/%d/%Y %T"`
|
||||
sleep 1
|
||||
rlRun "setsebool ${BOOLEAN} on"
|
||||
rlRun "setsebool ${BOOLEAN} off"
|
||||
rlRun "setsebool ${BOOLEAN} on"
|
||||
sleep 1
|
||||
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=1 old_val=0\""
|
||||
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=0 old_val=1\""
|
||||
if rlIsRHEL ; then
|
||||
rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=SYSCALL.*comm=setsebool\""
|
||||
fi
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "extreme cases"
|
||||
# pretend that no booleans are defined
|
||||
rlRun "mkdir ./booleans"
|
||||
rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
|
||||
rlRun "setsebool ${BOOLEAN} on 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
|
||||
rlRun "setsebool ${BOOLEAN} off 2>&1 | tee ${OUTPUT_FILE}"
|
||||
rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
|
||||
rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
|
||||
rlRun "rmdir ./booleans"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "userdel -rf ${USER_NAME}"
|
||||
rm -f ${OUTPUT_FILE}
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
---
|
||||
# Tests to run in a classic environment
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- classic
|
||||
repositories:
|
||||
- repo: "https://src.fedoraproject.org/tests/selinux.git"
|
||||
dest: "selinux"
|
||||
fmf_filter: "tier: 1 | component: policycoreutils & tags: generic, fedora"
|
||||
|
||||
# Tests for atomic host
|
||||
- hosts: localhost
|
||||
tags:
|
||||
- atomic
|
||||
# no compatible tests
|
||||
|
||||
# Tests for docker container
|
||||
- hosts: localhost
|
||||
tags:
|
||||
- container
|
||||
# no compatible tests
|
|
@ -1,8 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
|
||||
<config xmlns="http://zanata.org/namespace/config/">
|
||||
<url>https://fedora.zanata.org/</url>
|
||||
<project>selinux</project>
|
||||
<project-version>master</project-version>
|
||||
<project-type>gettext</project-type>
|
||||
|
||||
</config>
|