- Build with libsepol.so.1 and libsemanage.so.2
- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
- fixfiles: correctly restore context of mountpoints
- sepolgen: print extended permissions in hexadecimal
When a user tried to remove a policy module with priority other than 400 via
GUI, it failed with a message:
libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
"semodule -r NAME".
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1740936
Using patches from git makes it clear which changes are included in Fedora
New workflow:
1. clone https://github.com/fedora-selinux/selinux
2. create patchset
$ git format-patch 20190315 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
3. update spec file
$ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# deleted: restorecond-fedora.patch
See 028e473158?branch=master
commit 028e4731581214841455233a656912241a5a8b69 (HEAD -> master, origin/master)
Author: Petr Lautrbach <plautrba@redhat.com>
Date: Wed Mar 13 11:23:00 2019 +0100
Apply "generic" and "fedora" tags
Tests tagged as "generic" are supposed to be used on a generic system like Fedora
or Red Hat Enterprise Linux, while tests with the "fedora" tag are for Fedora only.
Usage:
List only "generic" tests:
$ fmf show --filter "tier: 1 | component: policycoreutils & tags: generic"
List all "generic" and "fedora" tests:
$ fmf show --filter "tier: 1 | component: policycoreutils & tags: generic, fedora"
- setsebool: support use of -P on SELinux-disabled hosts
- sepolicy: initialize mislabeled_files in __init__()
- audit2allow: use local sepolgen-ifgen-attr-helper for tests
- audit2allow: allow using audit2why as non-root user
- audit2allow/sepolgen-ifgen: show errors on stderr
- audit2allow/sepolgen-ifgen: add missing \n to error message
- sepolgen: close /etc/selinux/sepolgen.conf after parsing it
- sepolicy: Make policy files sorting more robust
- semanage: Load a store policy and set the store SELinux policy root
- chcat: fix removing categories on users with Fedora default setup
- semanage: Include MCS/MLS range when exporting local customizations
- semanage: Start exporting "ibendport" and "ibpkey" entries
- semanage: do not show "None" levels when using a non-MLS policy
- sepolicy: Add sepolicy.load_store_policy(store)
- semanage: import sepolicy only when it's needed
- semanage: move valid_types initialisations to class constructors
- chcat: use check_call instead of getstatusoutput
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
There is a new feature in the Standard Test Roles which allows using
an FMF filter instead of listing all tests manually. All tier
one selinux tests are selected as well, thus extending requires.
- semanage: "semanage user" does not use -s, fix documentation
- semanage: add a missing space in ibendport help
- sepolicy: Update to work with setools-4.2.0
- Fix typo in newrole.1 manpage
- sepolgen: print all AV rules correctly
- sepolgen: fix access vector initialization
- Add xperms support to audit2allow
- semanage: Stop logging loginRecords changes
- semanage: Fix logger class definition
- semanage: Replace bare except with specific one
- semanage: fix Python syntax of catching several exceptions
- sepolgen: return NotImplemented instead of raising it
- sepolgen: fix refpolicy parsing of "permissive"
For the new grub auto-hide feature:
https://fedoraproject.org/wiki/Changes/HiddenGrubMenu
Grub needs to know if the previous boot succeeded. This is tracked
through flags in the grub environment.
A selinux autorelabel is special, because it reboots the machine without
completing the boot in the normal manner.
grub checks the (new) boot_indeterminate grub environment variable to deal
with this. This is a variable containing a count of special boots since
the last successful normal boot. If this variable is 1 then it also treats
the previous boot as successful. The idea is that an autorelabel (or
offline updates) increments boot_indeterminate, so normally after a reboot
it will be 1 and the grub menu stays hidden. But if we end up in a selinux
autorelabel loop for some reason, then it will be bigger than 1 (*) and
the grub menu will be shown allowing the user to try and fix things.
*) grub itself will also increment it if it is 1 so that even if it gets
incremented only once, that still only makes 1 boot count as successful.
This commit makes the selinux-autorelabel script call:
grub2-editenv - incr boot_indeterminate
for proper integration with this new grub feature.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
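The boot_indeterminate bookkeeping described above, as an added shell simulation that is not the selinux-autorelabel script or grub's code: the grub environment block is stood in for by a constructed key=value temp file, and the `grub2-editenv - incr` call is replaced by the env_incr function, so the autorelabel-side increment and the grub-side decision can be stepped through offline.

```shell
#!/bin/sh
# Added example (not from policycoreutils or grub): models the
# boot_indeterminate counter on a plain key=value file that stands in for
# the grub environment block. Assumption: one VAR=value per line.
GRUBENV=$(mktemp)
trap 'rm -f "$GRUBENV" "$GRUBENV.tmp"' EXIT

# Print the value of variable $1, or nothing if it is unset.
env_get() {
    sed -n "s/^$1=//p" "$GRUBENV"
}

# Set variable $1 to $2, replacing any existing line for it.
env_set() {
    grep -v "^$1=" "$GRUBENV" > "$GRUBENV.tmp" || true   # grep exits 1 on no match
    printf '%s=%s\n' "$1" "$2" >> "$GRUBENV.tmp"
    mv "$GRUBENV.tmp" "$GRUBENV"
}

# Stand-in for `grub2-editenv - incr $1`: an unset variable counts as 0.
env_incr() {
    cur=$(env_get "$1")
    env_set "$1" $(( ${cur:-0} + 1 ))
}

# Autorelabel side: the one call the commit adds to selinux-autorelabel,
# made just before the script reboots without completing a normal boot.
autorelabel_before_reboot() {
    env_incr boot_indeterminate
}

# grub side, following the description above. Prints the menu state:
#   normal - counter is 0, grub falls back to its usual boot_success flags
#            (not modelled here)
#   hidden - counter is exactly 1: previous boot is treated as successful,
#            and grub bumps the counter so one increment excuses one boot only
#   shown  - counter is above 1: we are looping, show the menu
grub_menu_decision() {
    n=$(env_get boot_indeterminate)
    n=${n:-0}
    if [ "$n" -eq 0 ]; then
        echo normal
    elif [ "$n" -eq 1 ]; then
        env_incr boot_indeterminate
        echo hidden
    else
        echo shown
    fi
}

# A boot that completes normally resets the count of special boots.
normal_boot_succeeded() {
    env_set boot_indeterminate 0
}

# Walk through both scenarios from the commit message and print each step.
run_scenarios() {
    normal_boot_succeeded
    echo "autorelabel, then reboot:"
    autorelabel_before_reboot
    echo "  grub sees boot_indeterminate=$(env_get boot_indeterminate) -> menu $(grub_menu_decision)"
    echo "boot completes normally:"
    normal_boot_succeeded
    echo "  grub sees boot_indeterminate=$(env_get boot_indeterminate) -> menu $(grub_menu_decision)"
    echo "autorelabel loop (relabel, reboot, relabel, reboot):"
    autorelabel_before_reboot
    grub_menu_decision > /dev/null
    autorelabel_before_reboot
    echo "  grub sees boot_indeterminate=$(env_get boot_indeterminate) -> menu $(grub_menu_decision)"
}

run_scenarios
```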
plymouth by default waits for 5 seconds before showing the splash so
that the splash simply gets skipped on real quick boots.
In my testing it seems that --hide-splash is a no-op when run before
the 5 seconds have passed and the splash is shown, causing the splash
to still be there during a relabel. Note this problem only shows when
*not* using disk-encryption.
Switching to plymouth --quit fixes this.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
This can be useful when a user has this UEFI boot order e.g.:
Windows | grub | Linux
And decides to boot into grub/Linux. In case the autorelabel service
is being run after the boot into grub, then the reboot after the
autorelabel is done will cause the user to boot into Windows again...
This change should make the behaviour more intuitive for the user.
Signed-off-by: David Kaspar [Dee'Kej] <dkaspar@redhat.com>
- sepolicy: Fix translated strings with parameters
- sepolicy: Support non-MLS policy
- sepolicy: Initialize policy.ports as a dict in generate.py
- gui/polgengui.py: Use stop_emission_by_name instead of emit_stop_by_name
- Minor update for bash completion
- semodule_package: fix semodule_unpackage man page
- gui/semanagePage: Close "edit" and "add" dialogues when successful
- gui/fcontextPage: Set default object class in addDialog
- sepolgen: fix typo in PolicyGenerator
- build: follow standard semantics for DESTDIR and PREFIX
- use pathfix.py instead of sed
- clean up '*~' files
Fixes:
policycoreutils has broken dependencies in the rawhide tree:
On i386:
python2-policycoreutils-2.7-11.fc28.i686 requires /usr/bin/python22
On armhfp:
python2-policycoreutils-2.7-11.fc28.armv7hl requires /usr/bin/python22
- gui/polgengui.py: Fix sepolicy.generate import in polgengui.py
- gui/polgengui.py: Convert polgen.glade to Builder format polgen.ui
- python/sepolicy: Use list instead of map
- python/sepolicy: Do not use types.BooleanType
The playbook includes Tier1 level test cases that have been tested in
the following contexts and are passing reliably on Classic.
Test logs are stored in the Artifacts directory.
The following steps are used to execute the tests using the standard test interface:
Classic
sudo ANSIBLE_INVENTORY=$(test -e inventory && echo inventory || echo /usr/share/ansible/inventory) TEST_SUBJECTS="" TEST_ARTIFACTS=$PWD/artifacts ansible-playbook --tags classic tests.yml
It's based on
https://src.fedoraproject.org/rpms/policycoreutils/pull-request/1 from Merlin Mathesius <merlinm@redhat.com>
Known issues:
policycoreutils.spec: W: invalid-url Source14: sepolicy-icons.tgz
The value should be a valid, public HTTP, HTTPS, or FTP URL.
policycoreutils.spec: W: invalid-url Source12: policycoreutils_man_ru2.tar.bz2
The value should be a valid, public HTTP, HTTPS, or FTP URL.
- sepolicy: Fix sepolicy manpage
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option
- restorecond: check write() and daemon() results
- sepolicy: do not fail when file_contexts.local or .subs do not exist
- sepolicy: remove stray space in section "SEE ALSO"
- sepolicy: fix misspelling of _ra_content_t suffix
- gui: port to Python 3 by migrating to PyGI
- gui: remove the status bar
- gui: fix parsing of "semodule -lfull" in tab Modules
- gui: delete overridden definition of usersPage.delete()
- Enable listing file_contexts.homedirs (#1409813)
- remove semodule_deps
- Make 'sepolicy manpage' and 'sepolicy transition' faster
- open_init_pty: restore stdin/stdout to blocking upon exit
- fixfiles: do not dereference link files in tmp
- fixfiles: use a consistent order for options to restorecon
- fixfiles: don't ignore `-F` when run in `-C` mode
- fixfiles: remove bad modes of "relabel" command
- fixfiles: refactor into the `set -u` dialect
- fixfiles: if restorecon aborts, we should too
- fixfiles: usage errors are fatal
- fixfiles: syntax error
- fixfiles: remove two unused variables
- fixfiles: tidy up usage(), manpage synopsis
- fixfiles: deprecate -l option
- fixfiles: move logit call outside of redirected function
- fixfiles: fix logging about R/O filesystems
- fixfiles: clarify exclude_dirs()
- fixfiles: remove (broken) redundant code
- semanage: Unify argument handling (#1398987)
- setfiles: set up a logging callback for libselinux
- setfiles: Fix setfiles progress indicator
- setfiles: stdout messages don't need program prefix
- setfiles: don't scramble stdout and stderr together (#1435894)
- restorecond: Decrease loglevel of termination message (#1264505)
- fixfiles should handle path arguments more robustly
- fixfiles: handle unexpected spaces in command
- fixfiles: remove useless use of cat (#1435894)
- semanage: Add checks if a module name is passed in (#1420707)
- semanage: fix export of fcontext socket entries (#1435127)
- selinux-autorelabel: remove incorrect redirection to /dev/null (#1415674)
This code is currently incorrect. Currently redirecting `fixfiles` to
/dev/null will have very little effect. Two messages will be suppressed,
but both the percentage progress indicator, and any errors from
the setfiles/restorecon binary will still be shown.
The fact that fixfiles redirected its log output to stdin (!) was purely
an implementation artefact. It was used to write log messages even inside
shell functions whose output is captured e.g. `RESULT=$(shell_func)`.
When fixfiles is fixed to support output redirection normally, this code
would now behave incorrectly. It would suppress all percentage progress
messages for this long-running process.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
- seobject: Handle python error returns correctly
- policycoreutils/sepolicy/gui: fix current selinux state radiobutton
- policycoreutils: semodule_package: do not fail with an empty fc file
- sandbox: Use dbus-run-session instead of dbus-launch when available
- hll/pp: Change warning for module name not matching filename to match new behavior
- Remove LDFLAGS from CFLAGS
- sandbox: create a new session for sandboxed processes
- sandbox: do not try to setup directories without -X or -M
- sandbox: do not run xmodmap in a new X session
- sandbox: Use GObject introspection binding instead of pygtk2
- sandbox: fix file labels on copied files
- sandbox: tests - close stdout of p
- sandbox: tests - use sandbox from cwd
- audit2allow: tests should use local copy not system
- audit2allow: fix audit2why import from seobject
- audit2allow: remove audit2why so that it gets symlinked
- semanage: fix man page and help message for import option
- semanage: fix error message for fcontext -m
- semanage: Fix semanage fcontext -D
- semanage: Correct fcontext auditing
- semanage: Default serange to "s0" for port modify
- semanage: Use socket.getprotobyname for protocol
- semanage: fix modify action in node and interface
- fixfiles: Pass -n to restorecon for fixfiles check
- sepolicy: Check get_rpm_nvr_list() return value
- Don't use subprocess.getstatusoutput() in Python 2 code
- semanage: Add auditing of changes in records
- Remove unused 'q' from semodule getopt string
- Fix typos in semanage manpages
- Fix the documentation of -l,--list for semodule
- Minor fix in a French translation
- Fix the extract example in semodule.8
- Update sandbox.8 man page
- Remove typos from chcat --help
- sepolgen: Remove additional files when cleaning
The initscripts package is being slowly removed so the fedora-autorelabel
utility and systemd unit files need a new home.
At the same time, "fedora-" prefix is changed to general "selinux-".
/lib/systemd/fedora-autorelabel -> /usr/libexec/selinux/selinux-autorelabel
fedora-autorelabel.service -> selinux-autorelabel.service
fedora-autorelabel-mark.service -> selinux-autorelabel-mark.service
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1328825
Fixes:
# semanage boolean -m --on polyinstantiation_enabled
ValueError: Boolean polyinstantiation_enabled is not defined
# semanage login -a -s staff_u -r s0-s0:c0.c1023 yeti
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
- Fix more python3 issues mainly in sepolicy (#1247039,#1247575,#1251713)
- The functionality of audit2allow which was disabled in the previous
commit should be available again
- Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564)
FIXME: some functionality of audit2allow was temporarily disabled until sepolicy is
ported to python 3
commit 2ff279e21e4715ac49e094b5fae8bc8e84b9e417 ("policycoreutils:
semanage: update to new source policy infrastructure") introduced
new methods for enabling/disabling modules but failed to update
the deleteall method of class moduleRecords to use the new method.
The deleteall method was introduced by commit
3dafb1046d847783f1e761535925ea79d69d3305 ("Add deleteall customizations
field for modules.") as a way to re-enable all locally disabled modules.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
fedora-selinux/selinux.git:
ab77906ea96a10bcbefee06ab7d32af853d4cf33
adffc5e277f5c5a99771439f793b7aa91be59f31
Conflict with selinux-policy causes deadlocks in buildroots when
there's no selinux-policy available. selinux-policy-base is provided by
targeted, mls and minimum subpackages which are not installed to
buildroots.
- add make-rhat-patches.sh script which creates policycoreutils-rhat.patch and sepolgen-rhat.patch patches
- use source files from https://github.com/SELinuxProject/selinux/wiki/Releases
- extract sources to selinux/ directory and build them there
Create -rhat patches from
c83f4d17e7
- Add support for Fedora22 man pages. We need to fix it to not use hardcoding.
- Print usage for all mutually exclusive options.
- Fix selinux man page to refer to seinfo and sesearch tools.
* If there is no executable we don't want to print a part of STANDARD FILE CON
* Add-manpages-for-typealiased-types
* Make fixfiles_exclude_dirs working if there is a substitution for the given d
* Add -P semodule option to man page from Dan Walsh.
* selinux_current_policy_path will return none on a disabled SELinux system from Dan Walsh.
* Add new icons for sepolicy gui from Dan Walsh.
* Only return writeable files that are enabled from Dan Walsh.
* Add domain to short list of domains, when -t and -d from Dan Walsh.
* Fix up desktop files to match current standards from Dan Walsh.
* Add support to return sensitivities and categories for python from Dan Walsh.
* Cleanup whitespace from Dan Walsh.
* Add message to tell user to install sandbox policy from Dan Walsh.
* Add systemd unit file for mcstrans from Laurent Bigonville.
* Improve restorecond systemd unit file from Laurent Bigonville.
* Minor man pages improvements from Laurent Bigonville.
- Make selinux-policy build working also on other architectures related to s
- Miroslav Grepl patch to fix the creation of man pages on different architectures.
- Add ability to list the actual active modules
- Fix spelling mistake on sesearch in generate man pages.
* Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
- Add patches for sepolicy gui from mgrepl to:
  Fix advanced_item_button_push() to allow to select an application in advanced search menu
  Fix previously_modified_initialize() to show modified changes properly for all selections
* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
- Clean up ports screen to only show enabled ports.
- Update to upstream
* Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
* Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
* Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
* Properly build the swig exception file from Laurent Bigonville.
* Fix man pages from Laurent Bigonville.
* Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
* Fix LDFLAGS usage from Laurent Bigonville.
* Fix init_policy warning from Laurent Bigonville.
* Fix semanage logging from Laurent Bigonville.
* Open newrole stdin as read/write from Sven Vermeulen.
* Fix sepolicy transition from Sven Vermeulen.
* Support overriding CFLAGS from Simon Ruderich.
* Create correct man directory for run_init from Russell Coker.
* restorecon GLOB_BRACE change from Michal Trunecka.
* Extend audit2why to report additional constraint information.
* Catch IOError errors within audit2allow from Dan Walsh.
* semanage export/import fixes from Dan Walsh.
* Improve setfiles progress reporting from Dan Walsh.
* Document setfiles -o option in usage from Dan Walsh.
* Change setfiles to always return -1 on failure from Dan Walsh.
* Improve setsebool error reporting from Dan Walsh.
* Major overhaul of gui from Dan Walsh.
* Fix sepolicy handling of non-MLS policy from Dan Walsh.
* Support returning type aliases from Dan Walsh.
* Add sepolicy tests from Dan Walsh.
* Add org.selinux.config.policy from Dan Walsh.
* Improve range and user input checking by semanage from Dan Walsh.
* Prevent source or target arguments that end with / for substitutions from Dan Walsh.
* Allow use of <<none>> for semanage fcontext from Dan Walsh.
* Report customized user levels from Dan Walsh.
* Support deleteall for restoring disabled modules from Dan Walsh.
* Improve semanage error reporting from Dan Walsh.
* Only list disabled modules for module locallist from Dan Walsh.
* Fix logging from Dan Walsh.
* Define new constants for file type character codes from Dan Walsh.
* Improve bash completions from Dan Walsh.
* Convert semanage to argparse from Dan Walsh (originally by Dave Quigley).
* Add semanage tests from Dan Walsh.
* Split semanage man pages from Dan Walsh.
* Move bash completion scripts from Dan Walsh.
* Replace genhomedircon script with a link to semodule from Dan Walsh.
* Fix fixfiles from Dan Walsh.
* Add support for systemd service for restorecon from Dan Walsh.
* Spelling corrections from Dan Walsh.
* Improve sandbox support for home dir symlinks and file caps from Dan Walsh.
* Switch sandbox to openbox window manager from Dan Walsh.
* Coalesce audit2why and audit2allow from Dan Walsh.
* Change audit2allow to append to output file from Dan Walsh.
* Update translations from Dan Walsh.
* Change audit2why to use selinux_current_policy_path from Dan Walsh.
- Add more help information
- Cleanup code
- Add deny_ptrace on lockdown screen
- Make unconfined/permissivedomains lockdown work
- Add more support for file equivalency
- Update translations
- Fix sepolicy generate --admin_user man page again
- Fix setsebool to print less verbose error messages by default, add -V for ve
- Add support for compressed policy.xml
- Miroslav Grepl patch to allow sepolicy interface on individual interface fil
- Also add capability to test interfaces for correctness.
- Generate Man pages for everydomain, not just ones with exec_t entrypoints
- sepolicy communicate should return ValueError not TypeError
- Trim header line in sepolicy manpage to use less space
- Add missing options to restorecon man page
- Apply Miroslav Grepl Patches for sepolicy
-- Fix generate mutually groups option handling
-- EUSER is used for existing policy
-- customize options can be used together with admin_domain option
-- Fix manpage.py to generate correct man pages for SELinux users
-- Fix policy *.te file generated by customize+writepaths options
-- Fix install script for confined_admin option
- Apply Miroslav Grepl patch to clean up sepolicy generate usage
- Apply Miroslav Grepl patch to fix up handling of admin_user generation
- Update Translations
- use nroff instead of man2html
- Remove checking for name of person who created the man page
- audit2allow
- Fix output to show the level that is different.
- Switch from using console app to using pkexec, so we will work better
with policykit.
- Add missing import to fix system-config-selinux startup
- Add comment to pamd files about pam_rootok.so
- Fix sepolicy generate to not comment out the first line
- fixfiles onboot will write any flags handed to it to /.autorelabel.
  * Patch sent to initscripts to have fedora-autorelabel pass flags back to fixfiles restore
  * This should allow fixfiles -F onboot, to force a hard relabel.
- Add -p to show progress on full relabel.
- Add newtype as a new qualifier to sepolicy generate. This new mechanism wil
  a policy write to generate types after the initial policy has been written a
  will autogenerate all of the interfaces.
- I also added a -w option to allow policy writers from the command line to s
  the writable directories of files.
- Modify network.py to include interface definitions for newly created port type
- Standardize te_types just like all of the other templates.
- update sepolicy manpage to generate fcontext equivalence data and to list
default file context paths.
- Add ability to generate policy for confined admins and domains like puppet.
- Print warning message if program does not exist when generating policy, and do not attempt to run nm command
- Fix sepolicy generate -T to not take an argument, and suppress the help message
- Since this is really just a testing tool
- Update translations
- Fixup sepolicy generate to discover /var/log, /var/run and /var/lib directories if they match the name
- Fix kill function call to indicate signal_perms, not the kill capability
- Error out cleanly in system-config-selinux, if it can not contact XServer
- Fix load_file Makefile to use SBINDIR rather than real OS.
- Fix man pages in setfiles and restorecon to reflect what happens when you relabel the entire OS.
* genhomedircon: manual page improvements
* setfiles/restorecon minor improvements
* run_init: If open_init_pty is not available then just use exec
* newrole: do not drop capabilities when newrole is run as
* restorecon: only update type by default
* scripts: Don't syslog setfiles changes on a fixfiles restore
* setfiles: do not syslog if no changes
* Disable user restorecond by default
* Make restorecon return 0 when a file has changed context
* setfiles: Fix process_glob error handling
* semanage: allow enable/disable under -m
* add .tx to gitignore
* translations: commit translations from Fedora community
* po: silence build process
* gui: Checking in policy to support polgengui and sepolgen.
* gui: polgen: search for systemd subpackage when generating policy
* gui: for exploring booleans
* gui: system-config-selinux gui
* Add Makefiles to support new gui code
* gui: remove lockdown wizard
* return equivalency records in fcontext customized
* semanage: option to not load new policy into kernel after
* sandbox: manpage update to describe standard types
* setsebool: -N should not reload policy on changes
* semodule: Add -N qualifier to no reload kernel policy
* gui: polgen: sort selinux types of user controls
* gui: polgen: follow symlinks and get the real path to
* gui: Fix missing error function
* setfiles: return errors when bad paths are given
* fixfiles: tell restorecon to ignore missing paths
* setsebool: error when setting multiple options
* semanage: use boolean subs.
* sandbox: Make sure Xephyr never listens on tcp ports
* sepolgen: return and output constraint violation information
* semanage: skip comments while reading external configuration files
* restorecond: relabel all mount runtime files in the restorecond example
* genhomedircon: dynamically create genhomedircon
* Allow returning of bastard matches
* sepolgen: return and output constraint violation information
* audit2allow: one role/type pair per line
- policycoreutils
* restorecond: wrong options should exit with non-zero error code
* restorecond: Add -h option to get usage command
* restorecond: user: fix fd leak
* mcstrans: add -f to run in foreground
* semanage: fix man page range and level defaults
* semanage: bash completion for modules should include -a,-m, -d
* semanage: manpage update for -e
* semanage: dontaudit off should work
* semanage: locallist option does not take an argument
* sepolgen: Make use of setools optional within sepolgen
- sepolgen
* Make use of setools optional within sepolgen
* We need to support files that have a + in them
- policycoreutils
* sandbox: do not propagate inside mounts outside
* sandbox: Removing sandbox init script, should no longer be necessary
* restorecond: Stop using deprecated interfaces for g_io
* semanage: proper auditing of user changes for LSPP
* semanage: audit message to show what record(s) and item(s) have changed
* scripts: Update Makefiles to handle /usrmove
* mcstrans: Version should have been bumped on last check in
* seunshare: Only drop caps not the Bounding Set from seunshare
* Add bash-completion scripts for setsebool and semanage
* newrole: Use correct capng calls in newrole
* Fix infinite loop with inotify on 2.6.31 kernels
* fix ftbfs with hardening flags
* Only run setfiles if we found read-write filesystems to run it on
* update .po files
* remove empty po files
* do not fail to install if unable to make load_policy lnk file
This patch is needed for the /usr-move feature
https://fedoraproject.org/wiki/Features/UsrMove
This package now requires 'filesystem' >= 3, which is only installable
on a system which has /bin, /sbin, /lib, /lib64 as symlinks to /usr and
not regular directories. The 'filesystem' package acts as a guard, to
prevent *this* package from being installed on old unconverted systems.
New installations will have the 'filesystem' >=3 layout right away, old
installations need to be converted with anaconda or dracut first; only
after that, the 'filesystem' package, and also *this* package can be
installed.
Packages *should* not install files in /bin, /sbin, /lib, /lib64, but
only in the corresponding directories in /usr. Packages *must* not
install conflicting files with the same names in the corresponding
directories in / and /usr. Especially compatibility symlinks must not be
installed.
Feel free to modify any of the changes to the spec file, but keep the
above in mind.
sepolgen
* better analysis of why things broke
policycoreutils
* Remove excess whitespace
* sandbox: Add back in . functions to sandbox.init script
* Fix Makefile to match other policycoreutils Makefiles
* semanage: drop unused translation getopt
* sandbox: move sandbox.conf.5 to just sandbox.5
* po: Makefile use -p to preserve times to allow multilib simultaneous installs of po files
* sandbox: Allow user to specify the DPI value for X in a sandbox
* sandbox: make sure the domain launching sandbox has at least 100 categories
* sandbox: do not try forever to find available category set
* sandbox: only complain if sandbox unable to launch
* sandbox: init script run twice is still successful
* semanage: print local and distro equiv rules
* semanage: check file equivalence rules for conflict
* semanage: Make sure semanage fcontext -l -C prints even if local keys are not defined
* semanage: change src,dst to target,substitute for equivalency
* sestatus: Updated sestatus and man pages.
* Added SELinux config file man page.
* add clean target to man Makefile
Add checking to semanage fcontext -a to guarantee a file specification will not be masked by an equivalence
Allow ~ as a valid part of a filename in sepolgen
* sandbox: Maintain the LANG environment into the sandbox
* audit2allow: use audit2why internally
* fixfiles: label /root but not /var/lib/BackupPC
* semanage: update local boolean settings is dealing with localstore
* semanage: missing modify=True
* semanage: set modified correctly
* restorecond: make restorecond dbus-able
* restorecon: Always check return code on asprintf
* restorecond: make restorecond -u exit when terminal closes
* sandbox: introduce package name and language stuff
* semodule_package: remove semodule_unpackage on clean
* fix sandbox Makefile to support DESTDIR
* semanage: Add -o description to the semanage man page
* make use of the new realpath_not_final function
* setfiles: close /proc/mounts file when finished
* semodule: Document semodule -p in man page
* setfiles: fix use before initialized
* restorecond: Add .local/share as a directory to watch
Upgrade to sepolgen upstream
* Ignore permissive qualifier if found in an interface
* Return name field in avc data
policycoreutils-2.1.6
* sepolgen-ifgen: new attr-helper does something
* audit2allow: use alternate policy file
* audit2allow: sepolgen-ifgen use the attr helper
* setfiles: switch from stat to stat64
* setfiles: Fix potential crash using dereferenced ftsent
* setfiles: do not wrap * output at 80 characters
* sandbox: add -Wall and -Werror to makefile
* sandbox: add sandbox cgroup support
* sandbox: rewrite /tmp handling
* sandbox: do not bind mount so much
* sandbox: add level based kill option
* sandbox: cntrl-c should kill entire process control group
* Create a new preserve_tunables flag in sepol_handle_t.
* semanage: show running and disk setting for booleans
* semanage: Dont print heading if no items selected
* sepolgen: audit2allow is mistakenly not allowing valid module names
* semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
* More files to ignore
* tree: default make target to all not install
* sandbox: do not load unused generic init functions
sepolgen-1.1.2
* src: sepolgen: add attribute storing infrastructure
* Change perm-map and add open to try to get better results on
* look for booleans that might solve problems
* sepolgen: audit2allow is mistakenly not allowing valid module names
* tree: default make target to all not install
- policycoreutils
* setfiles: Fix process_glob to handle error situations
* sandbox: Allow seunshare to run as root
* sandbox: trap sigterm to make sure sandbox
* sandbox: pass DPI from the desktop
* sandbox: seunshare: introduce helper spawn_command
* sandbox: seunshare: introduce new filesystem helpers
* sandbox: add -C option to not drop
* sandbox: split seunshare caps dropping
* sandbox: use dbus-launch
* sandbox: numerous simple updates to sandbox
* sandbox: do not require selinux context
* sandbox: Makefile: new man pages
* sandbox: rename dir to srcdir
* sandbox: allow users specify sandbox window size
* sandbox: check for paths up front
* sandbox: use defined values for paths rather
* sandbox: move seunshare globals to the top
* sandbox: whitespace fix
* semodule_package: Add semodule_unpackage executable
* setfiles: get rid of some stupid globals
* setfiles: move exclude_non_seclabel_mounts to a generic location
- sepolgen
* refparser: include open among valid permissions
* refparser: add support for filename_trans rules
2.1.4 2011-08-17
* run_init: clarification of the usage in the
* semanage: fix usage header around booleans
* semanage: remove useless empty lines
* semanage: update man page with new examples
* semanage: update usage text
* semanage: introduce file context equivalencies
* semanage: enable and disable modules
* semanage: output all local modifications
* semanage: introduce extraction of local configuration
* semanage: cleanup error on invalid operation
* semanage: handle being called with no arguments
* semanage: return sooner to save CPU time
* semanage: surround getopt with try/except
* semanage: use define/raise instead of lots of
* semanage: some options are only valid for
* semanage: introduce better deleteall support
* semanage: do not allow spaces in file
* semanage: distinguish between builtin and local permissive
* semanage: centralized ip node handling
* setfiles: make the restore function exclude() non-static
* setfiles: use glob to handle ~ and
* fixfiles: do not hard code types
* fixfiles: stop trying to be smart about
* fixfiles: use new kernel seclabel option
* fixfiles: pipe everything to cat before sending
* fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
* semodule: support for alternative root paths
- Update to upstream
* Fixed bug preventing semanage node -a from working
from Chad Sellers
* Fixed bug preventing semanage fcontext -l from working
from Chad Sellers
- Change semanage to use unicode
- Update to upstream
* Remove setrans management from semanage, as it does not work
from Dan Walsh.
* Move load_policy from /usr/sbin to /sbin from Dan Walsh.
- Allow semanage -i and semanage -o to generate customization files.
- semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration
- Update to upstream
* Change semodule upgrade behavior to install even if the module
is not present from Dan Walsh.
* Make setfiles label if selinux is disabled and a seclabel aware
kernel is running from Caleb Case.
* Clarify forkpty() error message in run_init from Manoj Srivastava.
- Update to upstream
* Add semanage dontaudit to turn off dontaudits from Dan Walsh.
* Fix semanage to set correct mode for setrans file from Dan Walsh.
* Fix malformed dictionary in portRecord from Dan Walsh.
* Restore symlink handling support to restorecon based on a patch by
Martin Orr. This fixes the restorecon /dev/stdin performed by Debian
udev scripts that was broken by policycoreutils 2.0.70.
- Fix chcat to report error on non existing file
- Update to upstream
* Modify setfiles/restorecon checking of exclude paths. Only check
user-supplied exclude paths (not automatically generated ones based on
lack of seclabel support), don't require them to be directories, and
ignore permission denied errors on them (it is ok to exclude a path to
which the caller lacks permission).
- Update to upstream
* Modify restorecon to only call realpath() on user-supplied pathnames
from Stephen Smalley.
* Fix typo in fixfiles that prevented it from relabeling btrfs
filesystems from Dan Walsh.
- Fix location of man pages
- Update to upstream
* Modify setfiles to exclude mounts without seclabel option in
/proc/mounts on kernels >= 2.6.30 from Thomas Liu.
* Re-enable disable_dontaudit rules upon semodule -B from Christopher
Pardy and Dan Walsh.
* setfiles converted to fts from Thomas Liu.
- Update to upstream
* Keep setfiles from spamming console from Dan Walsh.
* Fix chcat's category expansion for users from Dan Walsh.
- Update po files
- Fix sepolgen
- Update to upstream
* Fix transaction checking from Dan Walsh.
* Make fixfiles -R (for rpm) recursive.
* Make semanage permissive clean up after itself from Dan Walsh.
* add /root/.ssh/* to restorecond.conf
- Update to upstream
* Add btrfs to fixfiles from Dan Walsh.
* Remove restorecond error for matching globs with multiple hard links
and fix some error messages from Dan Walsh.
* Make removing a non-existent module a warning rather than an error
from Dan Walsh.
* Man page fixes from Dan Walsh.
- Update to upstream
* chcat: cut categories at arbitrary point (25) from Dan Walsh
* semodule: use new interfaces in libsemanage for compressed files
from Dan Walsh
* audit2allow: string changes for usage
- Fix semanage help display
- Update to upstream
* fixfiles will now remove all files in /tmp and will check for
unlabeled_t in /tmp and /var/tmp from Dan Walsh.
* add glob support to restorecond from Dan Walsh.
* allow semanage to handle multi-line commands in a single transaction
from Dan Walsh.
- Update to upstream
* Add support for boolean files and group support for seusers from Dan Walsh.
* Ensure that setfiles -p output is newline terminated from Russell Coker.
- Update to upstream
* Remove security_check_context calls for prefix validation from semanage.
* Change setfiles and restorecon to not relabel if the file already has the correct context value even if -F/force is specified.
- Update to upstream
* Merged audit2why fix and semanage boolean --on/--off/-1/-0 support from Dan Walsh.
* Merged a second fixfiles -C fix from Marshall Miller.
- Update to upstream
* Merged audit2allow cleanups and boolean descriptions from Dan Walsh.
* Merged setfiles -0 support by Benny Amorsen via Dan Walsh.
* Merged fixfiles fixes and support for ext4 and gfs2 from Dan Walsh.
- Update to upstream
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4
- Fix sepolgen to be able to parse Fedora 9 policy
Handle ifelse statements
Handle refpolicywarn inside of define
Add init.if and inetd.if into parse
Add parse_file to syntax error message
- Upgrade from NSA
* Drop verbose output on fixfiles -C from Dan Walsh.
* Fix argument handling in fixfiles from Dan Walsh.
* Enhance boolean support in semanage, including using the .xml description when available, from Dan Walsh.
- Fix handling of final screen in polgengui
- Remove no.po
- Update to upstream
* Fix semodule option handling from Dan Walsh.
* Add deleteall support for ports and fcontexts in semanage from Dan Walsh.
- Update to upstream
* Update semodule man page for -D from Dan Walsh.
* Add boolean, locallist, deleteall, and store support to semanage from Dan Walsh.
- Upgrade version of sepolgen from NSA
* Expand the sepolgen parser to parse all current refpolicy modules from Karl MacMillan.
* Suppress generation of rules for non-denials from Karl MacMillan (take 3).
- Update semodule man page
* Fix genhomedircon searching for USER from Todd Miller
* Install run_init with mode 0755 from Dan Walsh.
* Fix chcat from Dan Walsh.
* Fix fixfiles pattern expansion and error reporting from Dan Walsh.
* Optimize genhomedircon to compile regexes once from Dan Walsh.
* Fix semanage gettext call from Dan Walsh.
- Update to match NSA
* Merged genhomedircon fixes from Dan Walsh.
* Merged setfiles -c usage fix from Dan Walsh.
* Merged restorecon fix from Yuichi Nakamura.
* Dropped -lsepol where no longer needed.
- Updated version of policycoreutils
* Merged support for modifying the prefix via semanage from Dan Walsh.
- Fixed genhomedircon to find homedirs correctly.
- Updated version of policycoreutils
* Merged setsebool patch to only use libsemanage for persistent boolean changes from Stephen Smalley.
* Merged genhomedircon patch to use the __default__ setting from Dan Walsh.
* Dropped -b option from load_policy in preparation for always preserving booleans across reloads in the kernel.
- Updated version of sepolgen
* Merged updates to sepolgen-ifgen from Karl MacMillan.
* Merged updates to sepolgen parser and tools from Karl MacMillan.
This includes improved debugging support, handling of interface
calls with list parameters, support for role transition rules,
updated range transition rule support, and looser matching.
- Update to upstream
* Merged restorecond init script LSB compliance patch from Steve Grubb.
- sepolgen
* Merged better matching for refpolicy style from Karl MacMillan
* Merged support for extracting interface parameters from interface calls from Karl MacMillan
* Merged support for parsing USER_AVC audit messages from Karl MacMillan.
- Update to upstream
- policycoreutils
* Merged newrole O_NONBLOCK fix from Linda Knippers.
* Merged sepolgen and audit2allow patches to leave generated files
in the current directory from Karl MacMillan.
* Merged restorecond memory leak fix from Steve Grubb.
- sepolgen
* Merged patch to leave generated files (e.g. local.te) in current directory from Karl MacMillan.
* Merged patch to make run-tests.py use unittest.main from Karl MacMillan.
* Merged patch to update PLY from Karl MacMillan.
* Merged patch to update the sepolgen parser to handle the latest reference policy from Karl MacMillan.
- Update to upstream
* Merged translations update from Dan Walsh.
* Merged chcat fixes from Dan Walsh.
* Merged man page fixes from Dan Walsh.
* Merged seobject prefix validity checking from Dan Walsh.
* Merged Makefile and refparser.py patch from Dan Walsh.
Fixes PYTHONLIBDIR definition and error handling on interface files.
- Update to upstream
* Merged new audit2allow from Karl MacMillan.
This audit2allow depends on the new sepolgen python module.
Note that you must run the sepolgen-ifgen tool to generate
the data needed by audit2allow to generate refpolicy.
* Fixed newrole non-pam build.
- Fix Changelog and spelling error in man page
- Update to upstream
* Merged unicode-to-string fix for seobject audit from Dan Walsh.
* Merged man page updates to make "apropos selinux" work from Dan Walsh.
* Tue Jan 16 2007 Dan Walsh <dwalsh@redhat.com> 1.33.14-1
* Merged newrole man page patch from Michael Thompson.
* Merged patch to fix python unicode problem from Dan Walsh.
- Want to update to match api
- Update to upstream
* Merged newrole securetty check from Dan Walsh.
* Merged semodule patch to generalize list support from Karl MacMillan.
Resolves: #200110
- Update to upstream
* Merged patch to correctly handle a failure during semanage handle
creation from Karl MacMillan.
* Merged patch to fix seobject role modification from Dan Walsh.
- Update to upstream
* Merged patches from Dan Walsh to:
- omit the optional name from audit2allow
- use the installed python version in the Makefiles
- re-open the tty with O_RDWR in newrole
- Upstream accepted my patches
* Merged setsebool patch from Karl MacMillan.
This fixes a bug reported by Yuichi Nakamura with
always setting booleans persistently on an unmanaged system.
- Add newrole audit patch from sgrubb
- Update to upstream
* Merged audit2allow -l fix from Yuichi Nakamura.
* Merged restorecon -i and -o - support from Karl MacMillan.
* Merged semanage/seobject fix from Dan Walsh.
* Merged fixfiles -R and verify changes from Dan Walsh.
- Change setfiles and restorecon to use stderr except for -o flag
- Also -o flag will now output files
* Thu Sep 7 2006 Dan Walsh <dwalsh@redhat.com> 1.30.28-5
- Put back Erich's change
- Security fixes to run python in a more locked down manner
- More Translations
- Update to upstream
* Merged fix for restorecon // handling from Erich Schubert.
* Merged translations update and fixfiles fix from Dan Walsh.
- Update to upstream
* Merged patch from Dan Walsh with:
* audit2allow: process MAC_POLICY_LOAD events
* newrole: run shell with - prefix to start a login shell
* po: po file updates
* restorecond: bail if SELinux not enabled
* fixfiles: omit -q
* genhomedircon: fix exit code if non-root
* semodule_deps: install man page
* Merged secon Makefile fix from Joshua Brindle.
* Merged netfilter contexts support patch from Chris PeBenito.
- Update to upstream
* Merged restorecond size_t fix from Joshua Brindle.
* Merged secon keycreate patch from Michael LeMay.
* Merged restorecond fixes from Dan Walsh.
* Merged updated po files from Dan Walsh.
* Merged python gettext patch from Stephen Bennett.
* Merged semodule_deps from Karl MacMillan.
- Update to upstream
* Lindent.
* Merged patch from Dan Walsh with:
* -p option (progress) for setfiles and restorecon.
* disable context translation for setfiles and restorecon.
* on/off values for setsebool.
* Merged setfiles and semodule_link fixes from Joshua Brindle.
* Thu Jun 22 2006 Dan Walsh <dwalsh@redhat.com> 1.30.14-5
- Add progress indicator on fixfiles/setfiles/restorecon
- Update to upstream
* Merged fix for setsebool error path from Serge Hallyn.
* Merged patch from Dan Walsh with:
* Updated po files.
* Fixes for genhomedircon and seobject.
* Audit message for mass relabel by setfiles.
- Update to upstream
* Merged more translations from Dan Walsh.
* Merged patch to relocate setfiles to /sbin for early relabel
when /usr might not be mounted from Dan Walsh.
* Merged semanage/seobject patch to preserve fcontext ordering in list.
* Merged secon patch from James Antill.
- secon fixes for --self-exec etc.
- secon change from level => sensitivity, add clearance.
- Add mass relabel AUDIT patch, but disable it until kernel problem solved.
- Update to upstream
* Fixed audit2allow and po Makefiles for DESTDIR= builds.
* Merged .po file patch from Dan Walsh.
* Merged bug fix for genhomedircon.
- Update to upstream
* Merged fix warnings patch from Karl MacMillan.
* Merged patch from Dan Walsh.
This includes audit2allow changes for analysis plugins,
internationalization support for several additional programs
and added po files, some fixes for semanage, and several cleanups.
It also adds a new secon utility.
- Add /etc/samba/secrets.tdb to restorecond.conf
- Update from upstream
* Merged semanage prefix support from Russell Coker.
* Added a test to setfiles to check that the spec file is
a regular file.
- Update from upstream
* Merged audit2allow fixes for refpolicy from Dan Walsh.
* Merged fixfiles patch from Dan Walsh.
* Merged restorecond daemon from Dan Walsh.
* Merged semanage non-MLS fixes from Chris PeBenito.
* Merged semanage and semodule man page examples from Thomas Bleher.
- Update from upstream
* Merged semanage bug fix patch from Ivan Gyurdiev.
* Merged improve bindings patch from Ivan Gyurdiev.
* Merged semanage usage patch from Ivan Gyurdiev.
* Merged use PyList patch from Ivan Gyurdiev.
- Update from upstream
* Merged newrole -V/--version support from Glauber de Oliveira Costa.
* Merged genhomedircon prefix patch from Dan Walsh.
* Merged optionals in base patch from Joshua Brindle.
- Update from upstream
* Merged seuser/user_extra support patch to semodule_package
from Joshua Brindle.
* Merged getopt type fix for semodule_link/expand and sestatus
from Chris PeBenito.
- Fix genhomedircon output
- Update from upstream
* Merged newrole audit patch from Steve Grubb.
* Merged seuser -> seuser local rename patch from Ivan Gyurdiev.
* Merged semanage and semodule access check patches from Joshua Brindle.
* Wed Jan 25 2006 Dan Walsh <dwalsh@redhat.com> 1.29.12-1
- Add a default of /export/home
- Added translation support to semanage
- Update from upstream
* Modified newrole and run_init to use the loginuid when
supported to obtain the Linux user identity to re-authenticate,
and to fall back to real uid. Dropped the use of the SELinux
user identity, as Linux users are now mapped to SELinux users
via seusers and the SELinux user identity space is separate.
* Merged semanage bug fixes from Ivan Gyurdiev.
* Merged semanage fixes from Russell Coker.
* Merged chcat.8 and genhomedircon patches from Dan Walsh.
- Update to match NSA
* Merged semanage fixes from Ivan Gyurdiev.
* Merged semanage fixes from Russell Coker.
* Merged chcat, genhomedircon, and semanage diffs from Dan Walsh.
- Update to match NSA
* Merged newrole cleanup patch from Steve Grubb.
* Merged setfiles/restorecon performance patch from Russell Coker.
* Merged genhomedircon and semanage patches from Dan Walsh.
* Merged remove add_local/set_local patch from Ivan Gyurdiev.
- Update to match NSA
* Merged semanage getpwnam bug fix from Serge Hallyn (IBM).
* Merged patch series from Ivan Gyurdiev.
This includes patches to:
- cleanup setsebool
- update setsebool to apply active booleans through libsemanage
- update semodule to use the new semanage_set_rebuild() interface
- fix various bugs in semanage
* Merged patch from Dan Walsh (Red Hat).
This includes fixes for restorecon, chcat, fixfiles, genhomedircon,
and semanage.
- Add try catch for files that may not exist
* Mon Dec 19 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-3
- Remove commands from genhomedircon for installer
- Update to match NSA
* Merged fix for audit2allow long option list from Dan Walsh.
* Merged -r option for restorecon (alias for -R) from Dan Walsh.
* Merged chcat script and man page from Dan Walsh.
- Update to match NSA
- Add chcat to policycoreutils, adding +/- syntax
* Tue Dec 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.36-2
- Require new version of libsemanage
- Update to match NSA
* Changed genhomedircon to warn on use of ROLE in homedir_template
if using managed policy, as libsemanage does not yet support it.
* Added -B (--build) option to semodule to force a rebuild.
* Reverted setsebool patch to call semanage_set_reload_bools().
* Changed setsebool to disable policy reload and to call
security_set_boolean_list to update the runtime booleans.
* Changed setfiles -c to use new flag to set_matchpathcon_flags()
to disable context translation by matchpathcon_init().
- Update to match NSA
* Changed setfiles for the context canonicalization support.
* Changed setsebool to call semanage_is_managed() interface
and fall back to security_set_boolean_list() if policy is
not managed.
* Merged setsebool memory leak fix from Ivan Gyurdiev.
* Merged setsebool patch to call semanage_set_reload_bools()
interface from Ivan Gyurdiev.
- Update to match NSA
* Merged setsebool patch from Ivan Gyurdiev.
This moves setsebool from libselinux/utils to policycoreutils,
and rewrites it to use libsemanage for permanent boolean changes.
- Update to match NSA
* Merged semodule support for reload, noreload, and store options
from Joshua Brindle.
* Merged semodule_package rewrite from Joshua Brindle.
- Update to match NSA
* Cleaned up usage and error messages and releasing of memory by
semodule_* utilities.
* Corrected error reporting by semodule.
* Updated semodule_expand for change to sepol interface.
* Merged fixes for make DESTDIR= builds from Joshua Brindle.
- Update to match NSA
* Updated semodule_expand to use get interfaces for hidden sepol_module_package type.
* Merged newrole and run_init pam config patches from Dan Walsh (Red Hat).
* Merged fixfiles patch from Dan Walsh (Red Hat).
* Updated semodule for removal of semanage_strerror.
- Update to match NSA
* Updated semodule_link and semodule_expand to use shared libsepol.
Fixed audit2why to call policydb_init prior to policydb_read (still
uses the static libsepol).
- Update to match NSA
* Updated for changes to libsepol.
Changed semodule and semodule_package to use the shared libsepol.
Disabled build of semodule_link and semodule_expand for now.
Updated audit2why for relocated policydb internal headers,
still needs to be converted to a shared lib interface.
- Update to match NSA
* Merged patch to update semodule to the new libsemanage API
and improve the user interface from Karl MacMillan (Tresys).
* Modified semodule for the create/connect API split.
- Update to match NSA
* Merged error shadowing bug fix for restorecon from Dan Walsh.
* Merged setfiles usage/man page update for -r option from Dan Walsh.
* Merged fixfiles -C patch to ignore :s0 addition on update
to a MCS/MLS policy from Dan Walsh.
- Update to match NSA
* Updated audit2why for sepol_ prefixes on Flask types to
avoid namespace collision with libselinux, and to
include <selinux/selinux.h> now.
- Update to version from NSA
* Merged load_policy is_selinux_enabled patch from Dan Walsh.
* Merged restorecon verbose output patch from Dan Walsh.
* Merged setfiles altroot patch from Chris PeBenito.
- Update to released version from NSA
* Merged rewrite of genhomedircon by Eric Paris.
* Changed fixfiles to relabel jfs since it now supports security xattrs
(as of 2.6.11). Removed reiserfs until 2.6.12 is released with
fixed support for reiserfs and selinux.
- Apply Uli patch
* The Makefiles should use the -Wall option even if compiled in beehive
* Add -W, too
* Use -Werror when used outside of beehive. This could also be used unconditionally
* setfiles/setfiles.c: fix resulting warning
* restorecon/restorecon.c: Likewise
* run_init/open_init_pty.c: argc hasn't been checked; the program would crash if
called without parameters. Ignore the return value of nice properly.
* run_init: don't link with -ldl lutil
* load_policy: that's the bad bug. A pointer to unsigned int is passed but a size_t is
written to, which fails on 64-bit archs
* sestatus: signed vs unsigned problem
* newrole: don't link with -ldl
- Update from NSA
* Merged further change to fixfiles -C from Dan Walsh.
* Merged updated fixfiles script from Dan Walsh.
- Fix error handling of restorecon
- More cleanup of sed patch
- Upgrade to latest from NSA
* Merged updated fixfiles script from Dan Walsh.
* Merged updated man page for fixfiles from Dan Walsh and re-added unzipped.
* Reverted fixfiles patch for file_contexts.local;
obsoleted by setfiles rewrite.
* Merged error handling patch for restorecon from Dan Walsh.
* Merged semi raw mode for open_init_pty helper from Manoj Srivastava.
* Rewrote setfiles to use matchpathcon and the new interfaces
exported by libselinux (>= 1.21.5).
- Fix fixfiles patch
- Upgrade to latest from NSA
* Prevent overflow of spec array in setfiles.
- Add diff comparison between file_contexts to fixfiles
- Allow restorecon to give a warning on file not found instead of exiting
- Upgrade to latest from NSA
* Fixed restorecon to not treat errors from is_context_customizable()
as a customizable context.
* Merged setfiles/restorecon patch to not reset user field unless
-F option is specified from Dan Walsh.
* Merged open_init_pty helper for run_init from Manoj Srivastava.
* Merged audit2allow and genhomedircon man pages from Manoj Srivastava.
- Fix fixfiles handling of rpm
- Fix restorecon to not warn on symlinks unless -v -v
- Fix output of verbose to show old context as well as new context
* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.7-1
- Update to latest from upstream
* Thu Aug 12 2004 Dan Walsh <dwalsh@redhat.com> 1.15.6-1
- Add Man page for load_policy
* Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-2
- Only mail files less than 100 lines from fixfiles.cron
- Add Russell's fix for genhomedircon
* Wed Jun 30 2004 Dan Walsh <dwalsh@redhat.com> 1.14.1-1
- Update from NSA
- Add cron capability to fixfiles
* Fri Jun 25 2004 Dan Walsh <dwalsh@redhat.com> 1.13.4-1
- Update from NSA
* Wed Jun 23 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-1
- Update latest from NSA
- Add -o option to setfiles to save output of any files with incorrect context.
* Tue Jun 22 2004 Dan Walsh <dwalsh@redhat.com> 1.13.2-2
- Add rpm support to fixfiles
- Update restorecon to add file input support
* Sat Jun 12 2004 Dan Walsh <dwalsh@redhat.com> 1.13.1-2
- Fix run_init to use policy formats
* Wed Jun 02 2004 Dan Walsh <dwalsh@redhat.com> 1.13.1-1
- Update from NSA
From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift@defensec.nl>
Date: Tue, 1 Sep 2020 18:16:41 +0200
Subject: [PATCH] newrole: support cross-compilation with PAM and audit
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accommodate cross-compilation.
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
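Review bot: the condition on the first added line puts a file into flist_non_exec when it is either not executable or not an entrypoint, so an executable file that is not an entrypoint also lands in a list whose name says non-exec. If that is intended (files that need neither exec nor entrypoint treatment), a one-line comment above the `if` stating so would help the next reader; otherwise the operator should be `and`, or the list renamed to describe what it actually collects.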
@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
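Review bot: the unchanged context line directly above the changed `.B semanage fcontext` line carries two typos ("diffent", "sepecify") in the same paragraph this hunk edits; since the paragraph is already being touched to make the semanage path match the `restorecon -R -v /srv/my%(domainname)s_content` line below, fold the spelling fixes into the same change rather than leaving them for a separate patch.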
@@ -48,7 +48,7 @@ SELinux security policy is enforced.
.IP \fIpermissive\fR 4
SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
.IP \fIdisabled\fR
-SELinux is disabled and no policy is loaded.
+No SELinux policy is loaded. This option was used to disable SELinux completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
.RE
.sp
The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
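Review bot: the added line is ambiguous about what is deprecated. "This option was used to disable SELinux completely, which is now deprecated" can be read as deprecating disabling SELinux at all, when the point is that the \fIdisabled\fR value in this file is deprecated in favour of the \fBselinux=0\fR kernel boot option; suggest "Setting this value is deprecated; to disable SELinux use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8))." Also, the surrounding man page source keeps one sentence per line, so split the three sentences onto separate lines to match.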