Package init

This commit is contained in:
dogsheng 2019-12-25 17:13:11 +08:00
parent c74b42c929
commit 3c7a4fce87
50 changed files with 4540 additions and 75 deletions


@ -1,36 +0,0 @@
# policycoreutils
#### Description
{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
#### Software Architecture
Software architecture description
#### Installation
1. xxxx
2. xxxx
3. xxxx
#### Instructions
1. xxxx
2. xxxx
3. xxxx
#### Contribution
1. Fork the repository
2. Create Feat_xxx branch
3. Commit your code
4. Create Pull Request
#### Gitee Feature
1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
4. The most valuable open source project [GVP](https://gitee.com/gvp)
5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
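Review bot: with both template READMEs deleted the repository ships no README at all; removing the Gitee placeholder text is fine, but add a short README that names the upstream release being packaged (policycoreutils 2.8 and the companion 2.8 tarballs), the patch series and the build entry point (policycoreutils.spec), so a reader of this repository can see what the packaging contains without opening the spec.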


@ -1,39 +0,0 @@
# policycoreutils
#### 介绍
{**以下是码云平台说明,您可以替换此简介**
码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN。专为开发者提供稳定、高效、安全的云端软件开发协作平台
无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
#### 软件架构
软件架构说明
#### 安装教程
1. xxxx
2. xxxx
3. xxxx
#### 使用说明
1. xxxx
2. xxxx
3. xxxx
#### 参与贡献
1. Fork 本仓库
2. 新建 Feat_xxx 分支
3. 提交代码
4. 新建 Pull Request
#### 码云特技
1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)


@ -0,0 +1,25 @@
From bb3c1505cffc35e1ea310605f0bb9266d52b36b0 Mon Sep 17 00:00:00 2001
From: gulining <gulining1@huawei.com>
Date: Mon, 8 Jul 2019 11:50:39 +0800
Subject: [PATCH] fix fixfiles -N date function
reason: fix fixfiles -N date function
Signed-off-by: gulining <gulining1@huawei.com>
---
policycoreutils-2.8/scripts/fixfiles | 2 +-
1 file changed, 1 insertions(+), 1 deletions(-)
diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
index 48897c3..be51913 100755
--- a/policycoreutils-2.8/scripts/fixfiles
+++ b/policycoreutils-2.8/scripts/fixfiles
@@ -152,7 +152,7 @@ newer() {
shift
LogReadOnly
for m in `echo $FILESYSTEMSRW`; do
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
done;
}
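Review bot: quoting `"$DATE"` is the right fix once DATE carries a date and a time separated by a space, but the same line keeps two weaker spots: `$*` is still expanded unquoted into the restorecon argument list, and `2>/dev/null` discards every diagnostic from `find`, so a malformed date (which `find -newermt` rejects) now fails silently and the relabel pass simply does nothing. Suggest dropping the redirect, or at least testing find's exit status, so a bad `-N` argument is reported. Note also that the index line (48897c3..be51913) shows this patch was generated on top of the other fixfiles patch (53d28c7..48897c3), whereas the spec applies %patch9021 before %patch9022; the hunks do not overlap so it still applies, but number the patches in generation order or fold the two into one.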


@ -0,0 +1,25 @@
From 859bba9dd82ea6fb101ae9686c98a811e3bf98b3 Mon Sep 17 00:00:00 2001
From: gulining <gulining1@huawei.com>
Date: Fri, 5 Jul 2019 16:19:32 +0800
Subject: [PATCH] fix fixfiles -N date function
reason: fix fixfiles -N date function
Signed-off-by: gulining <gulining1@huawei.com>
---
policycoreutils-2.8/scripts/fixfiles | 2 +-
1 file changed, 1 insertions(+), 1 deletions(-)
diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
index 53d28c7..48897c3 100755
--- a/policycoreutils-2.8/scripts/fixfiles
+++ b/policycoreutils-2.8/scripts/fixfiles
@@ -148,7 +148,7 @@ done
# Find files newer then the passed in date and fix the label
#
newer() {
- DATE=$1
+ DATE="$1 $2"
shift
LogReadOnly
for m in `echo $FILESYSTEMSRW`; do
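Review bot: after `DATE="$1 $2"` the function still performs a single `shift`, so the time component that was in `$2` remains in `$*` and is handed to restorecon as a positional argument by the `find ... | ${RESTORECON} ... $*` line in the companion patch. Either shift a second time when a time was supplied, or have the caller pass the date as one quoted argument and keep `DATE="$1"`. A date given without a time now also yields a DATE with a trailing space; that case should be exercised before merging.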

BIN
gui-po.tgz Normal file

Binary file not shown.

BIN
policycoreutils-2.8.tar.gz Normal file

Binary file not shown.


@ -0,0 +1,139 @@
diff --git policycoreutils-2.8/newrole/newrole.1 policycoreutils-2.8/newrole/newrole.1
index 0d9738a..893c42f 100644
--- policycoreutils-2.8/newrole/newrole.1
+++ policycoreutils-2.8/newrole/newrole.1
@@ -44,7 +44,7 @@ specified by that range. If the
or
.B --preserve-environment
option is specified, the shell with the new SELinux context will preserve environment variables,
-otherwise a new minimal enviroment is created.
+otherwise a new minimal environment is created.
.PP
Additional arguments
.I ARGS
diff --git policycoreutils-2.8/po/Makefile policycoreutils-2.8/po/Makefile
index 575e143..18bc1df 100644
--- policycoreutils-2.8/po/Makefile
+++ policycoreutils-2.8/po/Makefile
@@ -3,7 +3,6 @@
#
PREFIX ?= /usr
-TOP = ../..
# What is this package?
NLSPACKAGE = policycoreutils
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
MOFILES = $(patsubst %.po,%.mo,$(POFILES))
-POTFILES = \
- ../run_init/open_init_pty.c \
- ../run_init/run_init.c \
- ../semodule_link/semodule_link.c \
- ../audit2allow/audit2allow \
- ../semanage/seobject.py \
- ../setsebool/setsebool.c \
- ../newrole/newrole.c \
- ../load_policy/load_policy.c \
- ../sestatus/sestatus.c \
- ../semodule/semodule.c \
- ../setfiles/setfiles.c \
- ../semodule_package/semodule_package.c \
- ../semodule_deps/semodule_deps.c \
- ../semodule_expand/semodule_expand.c \
- ../scripts/chcat \
- ../scripts/fixfiles \
- ../restorecond/stringslist.c \
- ../restorecond/restorecond.h \
- ../restorecond/utmpwatcher.h \
- ../restorecond/stringslist.h \
- ../restorecond/restorecond.c \
- ../restorecond/utmpwatcher.c \
- ../gui/booleansPage.py \
- ../gui/fcontextPage.py \
- ../gui/loginsPage.py \
- ../gui/mappingsPage.py \
- ../gui/modulesPage.py \
- ../gui/polgen.glade \
- ../gui/polgengui.py \
- ../gui/portsPage.py \
- ../gui/semanagePage.py \
- ../gui/statusPage.py \
- ../gui/system-config-selinux.glade \
- ../gui/system-config-selinux.py \
- ../gui/usersPage.py \
- ../secon/secon.c \
- booleans.py \
- ../sepolicy/sepolicy.py \
- ../sepolicy/sepolicy/communicate.py \
- ../sepolicy/sepolicy/__init__.py \
- ../sepolicy/sepolicy/network.py \
- ../sepolicy/sepolicy/generate.py \
- ../sepolicy/sepolicy/sepolicy.glade \
- ../sepolicy/sepolicy/gui.py \
- ../sepolicy/sepolicy/manpage.py \
- ../sepolicy/sepolicy/transition.py \
- ../sepolicy/sepolicy/templates/executable.py \
- ../sepolicy/sepolicy/templates/__init__.py \
- ../sepolicy/sepolicy/templates/network.py \
- ../sepolicy/sepolicy/templates/rw.py \
- ../sepolicy/sepolicy/templates/script.py \
- ../sepolicy/sepolicy/templates/semodule.py \
- ../sepolicy/sepolicy/templates/tmp.py \
- ../sepolicy/sepolicy/templates/user.py \
- ../sepolicy/sepolicy/templates/var_lib.py \
- ../sepolicy/sepolicy/templates/var_log.py \
- ../sepolicy/sepolicy/templates/var_run.py \
- ../sepolicy/sepolicy/templates/var_spool.py
+POTFILES = $(shell cat POTFILES)
#default:: clean
-all:: $(MOFILES)
+all:: $(POTFILE) $(MOFILES)
-booleans.py:
- sepolicy booleans -a > booleans.py
-
-$(POTFILE): $(POTFILES) booleans.py
+$(POTFILE): $(POTFILES)
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
rm -f $(NLSPACKAGE).po; \
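Review bot: `POTFILES = $(shell cat POTFILES)` is expanded when make parses the Makefile and silently yields an empty list if the POTFILES file is missing, in which case `$(POTFILE)` is regenerated from nothing; the rule `$(POTFILE): $(POTFILES)` also no longer depends on the list file itself, so editing POTFILES does not trigger a rebuild of the .pot. Suggest `$(POTFILE): POTFILES $(POTFILES)` plus a guard such as `$(if $(POTFILES),,$(error POTFILES is empty))`. Dropping the `booleans.py` generation is consistent with the sepolicy sources moving out of this tarball.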
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
mv -f $(NLSPACKAGE).po $(POTFILE); \
fi; \
-update-po: Makefile $(POTFILE) refresh-po
- @rm -f booleans.py
refresh-po: Makefile
for cat in $(POFILES); do \
diff --git policycoreutils-2.8/po/POTFILES policycoreutils-2.8/po/POTFILES
new file mode 100644
index 0000000..12237dc
--- /dev/null
+++ policycoreutils-2.8/po/POTFILES
@@ -0,0 +1,9 @@
+../run_init/open_init_pty.c
+../run_init/run_init.c
+../setsebool/setsebool.c
+../newrole/newrole.c
+../load_policy/load_policy.c
+../sestatus/sestatus.c
+../semodule/semodule.c
+../setfiles/setfiles.c
+../secon/secon.c
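Review bot: `../scripts/fixfiles` was in the old list and is still part of this tarball (it is patched further down), yet it is absent from the new POTFILES, so any translatable strings it carries drop out of the .pot; add it back or state that the script has none. The other removed entries (restorecond, semodule_*, sepolicy, gui, chcat) correspond to sources that the spec takes from separate 2.8 tarballs, so their removal here is expected.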
diff --git policycoreutils-2.8/scripts/fixfiles policycoreutils-2.8/scripts/fixfiles
index b277958..53d28c7 100755
--- policycoreutils-2.8/scripts/fixfiles
+++ policycoreutils-2.8/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
fullFlag=0
BOOTTIME=""
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
RPMFILES=""
PREFC=""
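Review bot: this hunk changes behaviour (no `-p` progress output whenever stdout is not a terminal, for example under the selinux-autorelabel service or from cron), yet the patch file carries no description at all; add a header stating the intent. Also confirm that an explicit `-v` given later on the command line is still honoured, since this test runs before option parsing and only resets the default.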

BIN
policycoreutils-po.tgz Normal file

Binary file not shown.


@ -0,0 +1,28 @@
From b614069e66eb0cd1d3f8d0c9d0a02db9a63aba0a Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 3 Jun 2018 18:25:40 +0200
Subject: [PATCH 016/170] policycoreutils/secon: free scon_trans before
returning
disp_con() leaks scon_trans if it returns early.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/secon/secon.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
index 60781394..477057a6 100644
--- a/policycoreutils-2.8/secon/secon.c
+++ b/policycoreutils-2.8/secon/secon.c
@@ -646,6 +646,7 @@ static void disp_con(security_context_t scon_raw)
disp__con_val("clearance", NULL, &color);
if (opts->disp_mlsr)
disp__con_val("mls-range", NULL, &color);
+ freecon(scon_trans);
return;
}
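Review bot: the header is inconsistent: the `diff --git` line names `a/policycoreutils/secon/secon.c` while the `---`/`+++` lines name `policycoreutils-2.8/secon/secon.c`, and the index line (60781394..477057a6) still refers to the upstream blobs rather than the tarball contents. `patch -p1` uses the `---`/`+++` paths and applies, but `git apply` checks that the names agree and rejects the patch; regenerate it against the unpacked tarball so both headers match. The change itself is right: `freecon()` on the early-return path closes the leak and is safe even when scon_trans is NULL.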
--
2.19.1

policycoreutils.spec Normal file

@ -0,0 +1,442 @@
%global _python_bytecompile_extra 0
Name: policycoreutils
Version: 2.8
Release: 10
Summary: Policy core utilities of selinux
License: GPLv2
URL: https://github.com/SELinuxProject
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-python-2.8.tar.gz
Source2: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-gui-2.8.tar.gz
Source3: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-sandbox-2.8.tar.gz
Source4: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-dbus-2.8.tar.gz
Source5: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/semodule-utils-2.8.tar.gz
Source6: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/restorecond-2.8.tar.gz
Source7: policycoreutils_man_ru2.tar.bz2
Source8: system-config-selinux.png
Source9: sepolicy-icons.tgz
Source10: selinux-autorelabel
Source11: selinux-autorelabel.service
Source12: selinux-autorelabel-mark.service
Source13: selinux-autorelabel.target
Source14: selinux-autorelabel-generator.sh
Source15: policycoreutils-po.tgz
Source16: python-po.tgz
Source17: gui-po.tgz
Source18: sandbox-po.tgz
Patch0: policycoreutils-fedora.patch
Patch1: selinux-python-fedora.patch
Patch2: selinux-gui-fedora.patch
Patch3: selinux-sandbox-fedora.patch
Patch4: selinux-dbus-fedora.patch
Patch6000: python-sepolgen-fix-typo-in-PathChoooser-name.patch
Patch6001: policycoreutils-secon-free-scon_trans-before-returni.patch
Patch6002: python-sepolicy-fix-procotol-misspelling.patch
Patch6003: restorecond-Do-not-ignore-the-f-option.patch
Patch6004: python-sepolicy-Fix-info-to-search-aliases-as-well.patch
Patch6005: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
Patch6006: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
Patch6007: python-chcat-use-check_call-instead-of-getstatusoutp.patch
Patch6008: python-chcat-fix-removing-categories-on-users-with-F.patch
Patch6009: python-sepolicy-search-also-for-dontaudit-rules.patch
Patch6010: python-semanage-move-valid_types-initialisations-to-.patch
Patch6011: python-sepolicy-Add-sepolicy.load_store_policy-store.patch
Patch6012: python-semanage-Load-a-store-policy-and-set-the-stor.patch
Patch6013: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
Patch6014: python-audit2allow-allow-using-audit2why-as-non-root.patch
Patch6015: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
Patch6016: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
Patch6017: python-use-or-when-comparing-a-variable-with-a-strin.patch
Patch6018: python-sepolicy-fix-variable-name.patch
Patch6019: python-semanage-seobject-Fix-listing-boolean-values.patch
Patch6020: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
Patch9021: fix-fixfiles-N-date-function.patch
Patch9022: fix-fixfiles-N-date-function-two.patch
BuildRequires: pam-devel libsepol-static libsemanage-static libselinux-devel libcap-devel audit-libs-devel gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python2-devel python3-devel
BuildRequires: systemd systemd-units
Requires: libsepol libselinux-utils util-linux grep gawk diffutils rpm sed coreutils
Provides: %{name}-restorecond
Obsoletes: %{name}-restorecond
Provides: %{name}-newrole
Obsoletes: %{name}-newrole
Provides: /sbin/fixfiles
Provides: /sbin/restorecon
%description
It contains the selinux policy core utilities
%package -n python2-policycoreutils
Summary: python2 utilities for seLinux policy core
%{?python_provide:%python_provide python2-policycoreutils}
Requires: policycoreutils = %{version}-%{release}
Requires: python2-libselinux python2-libsemanage
Requires: audit-libs-python2
Requires: python2-IPy
Requires: checkpolicy
Requires: python2-setools >= 4.1.1
BuildArch: noarch
Provides: %{name}-python = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Obsoletes: policycoreutils < 2.0.61-2
%description -n python2-policycoreutils
It contains the python2 policy core utilities for selinux
%package -n python3-policycoreutils
Summary: python3 utilities for seLinux policy core
%{?python_provide:%python_provide python3-policycoreutils}
Requires: policycoreutils = %{version}-%{release}
Requires: python3-libselinux python3-libsemanage
Requires: audit-libs-python3
Requires: python3-IPy
Requires: checkpolicy
Requires: python3-setools >= 4.1.1
BuildArch: noarch
Provides: %{name}-python3 = %{version}-%{release}
Obsoletes: %{name}-python3 < %{version}-%{release}
%description -n python3-policycoreutils
It contains the python3 policy core utilities for selinux
%package python-utils
Summary: Policy core python utilities for selinux
Requires: python3-policycoreutils = %{version}-%{release}
Obsoletes: policycoreutils-python <= 2.4-4
BuildArch: noarch
%description python-utils
It contains the python utilities for selinux
%package dbus
Summary: Policy core DBUS for selinux
Requires: python3-policycoreutils = %{version}-%{release} python3-slip-dbus
BuildArch: noarch
%description dbus
It contains policy core DBUS for selinux
%package devel
Summary: Policy core devel utilities for selinux
Requires: policycoreutils-python-utils = %{version}-%{release}
Requires: /usr/bin/make
Requires: selinux-policy-devel
%description devel
It contains policy core devel utilities for selinux
%package gui
Summary: configuration gui for selinux
BuildRequires: desktop-file-utils
Requires: policycoreutils-devel = %{version}-%{release}, python3-policycoreutils = %{version}-%{release}
Requires: policycoreutils-dbus = %{version}-%{release}
Requires: gtk3, python3-gobject
BuildArch: noarch
%description gui
It contains configuration gui for selinux
%package sandbox
Summary: Sandbox utilities for selinux
BuildRequires: libcap-ng-devel
Requires: python3-policycoreutils = %{version}-%{release}
Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
Requires: openbox
%description sandbox
It contains sandbox utilities for selinux
%package help
Summary: Including man files for selinux
Requires: man
%description help
This contains man files for the using of selinux.
%prep
%setup -q -c -n selinux
%setup -q -T -D -a 1 -n selinux
%setup -q -T -D -a 2 -n selinux
%setup -q -T -D -a 3 -n selinux
%setup -q -T -D -a 4 -n selinux
%setup -q -T -D -a 5 -n selinux
%setup -q -T -D -a 6 -n selinux
%patch0 -p0 -b .policycoreutils-fedora
cp %{SOURCE8} selinux-gui-2.8/
tar -xvf %{SOURCE9} -C selinux-python-2.8/sepolicy/
%patch1 -p0 -b .selinux-python
%patch2 -p0 -b .selinux-gui
%patch3 -p0 -b .selinux-sandbox
%patch4 -p0 -b .selinux-dbus
%patch6000 -p1
%patch6001 -p1
%patch6002 -p1
%patch6003 -p1
%patch6004 -p1
%patch6005 -p1
%patch6006 -p1
%patch6007 -p1
%patch6008 -p1
%patch6009 -p1
%patch6010 -p1
%patch6011 -p1
%patch6012 -p1
%patch6013 -p1
%patch6014 -p1
%patch6015 -p1
%patch6016 -p1
%patch6017 -p1
%patch6018 -p1
%patch6019 -p1
%patch6020 -p1
%patch9021 -p1
%patch9022 -p1
tar -x -f %{SOURCE15} -C policycoreutils-2.8 -z
tar -x -f %{SOURCE16} -C selinux-python-2.8 -z
tar -x -f %{SOURCE17} -C selinux-gui-2.8 -z
tar -x -f %{SOURCE18} -C selinux-sandbox-2.8 -z
%build
export PYTHON=%{__python3}
make -C policycoreutils-2.8 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C semodule-utils-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C restorecond-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-python-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-gui-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-sandbox-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-dbus-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
%install
mkdir -p %{buildroot}/%{_defaultdocdir}/%{name}/
make -C policycoreutils-2.8 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-python-2.8 PYTHON=%{__python2} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-python-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C semodule-utils-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C restorecond-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-gui-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-sandbox-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-dbus-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
tar -jxf %{SOURCE7} -C %{buildroot}/
rm -f %{buildroot}/%{_sbindir}/open_init_pty
rm -f %{buildroot}/%{_sbindir}/run_init
rm -f %{buildroot}/%{_mandir}/man8/open_init_pty.8
rm -f %{buildroot}/%{_mandir}/ru/man8/run_init.8*
rm -f %{buildroot}/%{_mandir}/man8/run_init.8*
rm -f %{buildroot}/etc/pam.d/run_init*
ln -sf %{_datarootdir}/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
desktop-file-install --dir %{buildroot}%{_datadir}/applications --add-category Settings \
%{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop
desktop-file-install --dir %{buildroot}%{_datadir}/applications --add-category Settings \
%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop
desktop-file-install --dir %{buildroot}%{_datadir}/applications \
%{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop
rm -f %{buildroot}%{python2_sitelib}/sepolicy/gui.*
rm -f %{buildroot}%{python2_sitelib}/sepolicy/sepolicy.glade
rm -rf %{buildroot}%{python2_sitelib}/sepolicy/help
install -m 644 -p %{SOURCE11} %{buildroot}/%{_unitdir}/
install -m 644 -p %{SOURCE12} %{buildroot}/%{_unitdir}/
install -m 644 -p %{SOURCE13} %{buildroot}/%{_unitdir}/
install -D -m 755 -p %{SOURCE14} %{buildroot}/%{_systemdgeneratordir}/%{basename:%{SOURCE14}}
install -m 755 -p %{SOURCE10} %{buildroot}/%{_libexecdir}/selinux/
pathfix.py -i "%{__python2} -Es" -p %{buildroot}%{python2_sitelib}
pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{_sbindir}/semanage %{buildroot}%{_bindir}/sandbox \
%{buildroot}%{_bindir}/chcat %{buildroot}%{_bindir}/audit2allow \
%{buildroot}%{_bindir}/sepolicy %{buildroot}%{_bindir}/sepolgen-ifgen \
%{buildroot}%{_datadir}/sandbox/start \
%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \
%{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \
%{buildroot}%{_datadir}/system-config-selinux/polgengui.py
find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%{python2_sitearch} %{buildroot}%{python3_sitearch} \
%{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} -type f -name '*~' | xargs rm -f
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
%find_lang selinux-gui
%find_lang selinux-sandbox
%find_lang policycoreutils
%find_lang selinux-python
%post
%systemd_post selinux-autorelabel-mark.service restorecond.service
%preun
%systemd_preun selinux-autorelabel-mark.service restorecond.service
%postun
%systemd_postun_with_restart restorecond.service
%files -f %{name}.lang
%license policycoreutils-2.8/COPYING
%doc %{_usr}/share/doc/%{name}
%config(noreplace) %{_sysconfdir}/sestatus.conf
%config(noreplace) %{_sysconfdir}/pam.d/newrole
%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf
%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf
%{_sbindir}/*
%exclude %{_sbindir}/{seunshare,semanage}
%{_bindir}/secon
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
%{_bindir}/semodule_package
%{_bindir}/semodule_unpackage
%{_libexecdir}/selinux/hll
%{_libexecdir}/selinux/selinux-autorelabel
%{_unitdir}/selinux-autorelabel-mark.service
%{_unitdir}/selinux-autorelabel.service
%{_unitdir}/selinux-autorelabel.target
%{_unitdir}/restorecond.service
%{_systemdgeneratordir}/selinux-autorelabel-generator.sh
%{_sysconfdir}/xdg/autostart/restorecond.desktop
%dir %{_datadir}/bash-completion
%{_datadir}/bash-completion/completions/setsebool
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
%files python-utils
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_sbindir}/semanage
%{_bindir}/chcat
%{_bindir}/sandbox
%{_sysconfdir}/dbus-1/system.d/org.selinux.conf
%{_datadir}/bash-completion/completions/semanage
%files dbus
%{_datadir}/system-config-selinux/selinux_server.py
%{_datadir}/polkit-1/actions/org.selinux.policy
%{_datadir}/polkit-1/actions/org.selinux.config.policy
%{_sysconfdir}/dbus-1/system.d/org.selinux.conf
%{_datadir}/dbus-1/system-services/org.selinux.service
%dir %{_datadir}/system-config-selinux/__pycache__
%{_datadir}/system-config-selinux/__pycache__/selinux_server.*
%exclude %{_datadir}/system-config-selinux/{selinux-polgengui.desktop,sepolicy.desktop,system-config-selinux.desktop}
%files -n python2-policycoreutils
%{python2_sitelib}/seobject.py*
%{python2_sitelib}/sepolgen
%dir %{python2_sitelib}/sepolicy
%{python2_sitelib}/sepolicy/__init__.py*
%{python2_sitelib}/sepolicy/booleans.py*
%{python2_sitelib}/sepolicy/communicate.py*
%{python2_sitelib}/sepolicy/network.py*
%{python2_sitelib}/sepolicy/transition.py*
%{python2_sitelib}/sepolicy/sedbus.py*
%{python2_sitelib}/sepolicy*.egg-info
%{python2_sitelib}/sepolicy/generate.py*
%{python2_sitelib}/sepolicy/interface.py*
%{python2_sitelib}/sepolicy/manpage.py*
%{python2_sitelib}/sepolicy/templates
%files -f selinux-python.lang -n python3-policycoreutils
%{python3_sitelib}/__pycache__
%{python3_sitelib}/sepolgen
%dir %{python3_sitelib}/sepolicy
%{python3_sitelib}/sepolicy/templates
%dir %{python3_sitelib}/sepolicy/help
%{python3_sitelib}/sepolicy/help/*
%{python3_sitelib}/sepolicy/__init__.py*
%{python3_sitelib}/sepolicy/__pycache__
%{python3_sitelib}/sepolicy/manpage.py*
%{python3_sitelib}/sepolicy/network.py*
%{python3_sitelib}/sepolicy/transition.py*
%{python3_sitelib}/sepolicy/sedbus.py*
%{python3_sitelib}/sepolicy*.egg-info
%{python3_sitelib}/sepolicy/booleans.py*
%{python3_sitelib}/sepolicy/communicate.py*
%{python3_sitelib}/sepolicy/generate.py*
%{python3_sitelib}/sepolicy/interface.py*
%{python3_sitelib}/seobject.py*
%files devel
%{_bindir}/sepolicy
%{_bindir}/sepolgen
%{_bindir}/sepolgen-*
%{_usr}/share/bash-completion/completions/sepolicy
%dir /var/lib/sepolgen
/var/lib/sepolgen/perm_map
%files -f selinux-sandbox.lang sandbox
%config(noreplace) %{_sysconfdir}/sysconfig/sandbox
%{_datadir}/sandbox/{start,sandboxX.sh}
%caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%files -f selinux-gui.lang gui
%{_bindir}/system-config-selinux
%{_bindir}/selinux-polgengui
%{_datadir}/applications/*.desktop
%{_datadir}/pixmaps/system-config-selinux.png
%{_datadir}/icons/hicolor/24x24/apps/*.png
%dir %{_datadir}/system-config-selinux
%dir %{_datadir}/system-config-selinux/__pycache__
%{_datadir}/system-config-selinux/system-config-selinux.png
%{_datadir}/system-config-selinux/*Page.py
%{_datadir}/system-config-selinux/__pycache__/polgengui.*
%{_datadir}/system-config-selinux/system-config-selinux.py
%{_datadir}/system-config-selinux/__pycache__/*Page.*
%{_datadir}/system-config-selinux/html_util.py
%{_datadir}/system-config-selinux/__pycache__/system-config-selinux.*
%{_datadir}/system-config-selinux/*.ui
%{_datadir}/system-config-selinux/__pycache__/html_util.*
%{_datadir}/system-config-selinux/polgengui.py
%{python3_sitelib}/sepolicy/gui.py*
%{python3_sitelib}/sepolicy/sepolicy.glade
%{_datadir}/pixmaps/sepolicy.png
%{_datadir}/icons/hicolor/*/apps/sepolicy.png
%files help
%{_mandir}/*
%exclude %{_mandir}/ru/man8/{genhomedircon.8.gz,open_init_pty.8.gz,semodule_deps.8.gz}
%changelog
* Fri Dec 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.8-10
- Delete unused patch
* Wed Sep 11 2019 zhanghaibo <ted.zhang@huawei.com> - 2.8-9
- Package init
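Review bot: `%{_sysconfdir}/dbus-1/system.d/org.selinux.conf` is listed in both `%files python-utils` and `%files dbus`; package it once (the dbus subpackage is the natural owner) so the two subpackages cannot diverge on it. Further points: `%patch9021 -p1` followed by `%patch9022 -p1` is the reverse of the order in which the two fixfiles patches were generated (9021's index line starts from the blob 9022 produces), so renumber or merge them; `rm -f %{buildroot}/etc/pam.d/run_init*` hardcodes `/etc` where the rest of the file uses `%{_sysconfdir}`; the `%caps(...)` lines on newrole (including cap_sys_admin, cap_dac_override and cap_chown) and on seunshare grant file capabilities that are the security-relevant part of this package and deserve a comment naming the upstream rationale; the upstream tarballs are committed as binary blobs with only a URL in Source0..Source6, so record their checksums (or verify the upstream release signature at import time) in the repository so the vendored sources can be checked against upstream. Minor: the `%description` texts mix "selinux" and "seLinux"; use "SELinux" throughout.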

Binary file not shown.


@ -0,0 +1,54 @@
From b2a54258b40b298037cc8ae686d31d7bab714720 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Fri, 21 Dec 2018 21:43:33 +0100
Subject: [PATCH 114/170] python/audit2allow: allow using audit2why as non-root
user
Importing sepolicy as non-root on a system with SELinux causes the
following exception to be raised:
ValueError: No SELinux Policy installed
Ignore this when using audit2why, which allows using it with option
--policy as a non-root user.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/audit2allow/audit2allow | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/selinux-python-2.8/audit2allow/audit2allow b/selinux-python-2.8/audit2allow/audit2allow
index 195f151c..18fe0a53 100644
--- a/selinux-python-2.8/audit2allow/audit2allow
+++ b/selinux-python-2.8/audit2allow/audit2allow
@@ -242,7 +242,10 @@ class AuditToPolicy:
def __output_audit2why(self):
import selinux
- import sepolicy
+ try:
+ import sepolicy
+ except (ImportError, ValueError):
+ sepolicy = None
for i in self.__parser.avc_msgs:
rc = i.type
data = i.data
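Review bot: catching `ValueError` on `import sepolicy` is wider than the single "No SELinux Policy installed" case the message describes; any ValueError raised while sepolicy initialises is swallowed and the tool then silently omits every boolean description. Suggest narrowing the handler to that exception text, or at minimum printing one line to stderr when sepolicy is unavailable so a non-root user knows why the `Description:` lines are missing.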
@@ -262,11 +265,13 @@ class AuditToPolicy:
if len(data) > 1:
print("\tOne of the following booleans was set incorrectly.")
for b in data:
- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
+ if sepolicy is not None:
+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
else:
print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
+ if sepolicy is not None:
+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))
continue
--
2.19.1


@ -0,0 +1,62 @@
From f39c0ac63749c1c5c140f1b1ad65d5e536bbe894 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 9 Dec 2018 15:23:23 +0100
Subject: [PATCH 091/170] python/chcat: fix removing categories on users with
Fedora default setup
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:
# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
vagrant unconfined_u s0-s0:c0.c1023 *
Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:
vagrant unconfined_u s0-s0:c0.c1023,c42 *
This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.
Fix this issue by splitting the list of categories before calling
expandCats().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/chcat/chcat | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat
index 73f75725..5bef0073 100755
--- a/selinux-python-2.8/chcat/chcat
+++ b/selinux-python-2.8/chcat/chcat
@@ -82,8 +82,7 @@ def chcat_user_add(newcat, users):
if len(serange) > 1:
top = serange[1].split(":")
if len(top) > 1:
- cats.append(top[1])
- cats = expandCats(cats)
+ cats = expandCats(top[1].split(','))
for i in newcat[1:]:
if i not in cats:
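Review bot: the old code appended `top[1]` to an existing `cats` list, whereas the new line overwrites `cats` with `expandCats(top[1].split(','))`; if `cats` was populated before this point (its initialisation is outside the hunk), those entries are now discarded. Please confirm it is empty here. The commit message should also match the code: it shows the expected result as `['c0.c102','c42']` while the input range is `c0.c1023`.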
@@ -163,8 +162,7 @@ def chcat_user_remove(newcat, users):
if len(serange) > 1:
top = serange[1].split(":")
if len(top) > 1:
- cats.append(top[1])
- cats = expandCats(cats)
+ cats = expandCats(top[1].split(','))
for i in newcat[1:]:
if i in cats:
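Review bot: this is the same three-line change as in chcat_user_add above; the range parsing (`serange`, then `top`, then `expandCats`) is now duplicated verbatim in both functions and would be better factored into a small helper so the next fix lands in one place.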
--
2.19.1


@ -0,0 +1,162 @@
From 2923d9d21ee51cbd210c87a1c5bdbd891b332296 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 4 Dec 2018 11:35:40 +0100
Subject: [PATCH 089/170] python/chcat: use check_call instead of
getstatusoutput
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/chcat/chcat | 78 ++++++++++++++++++++++------------------------
1 file changed, 38 insertions(+), 40 deletions(-)
diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat
index 4bd9fc6a..1de92306 100755
--- a/selinux-python-2.8/chcat/chcat
+++ b/selinux-python-2.8/chcat/chcat
@@ -22,10 +22,7 @@
# 02111-1307 USA
#
#
-try:
- from subprocess import getstatusoutput
-except ImportError:
- from commands import getstatusoutput
+import subprocess
import sys
import os
import pwd
@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
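Review bot: the error path changes in two ways the message does not mention: previously the command's output was shown only on failure (`print(rc[1])`), now semanage's stdout and stderr pass straight through to the terminal on every call, and because of `stderr=subprocess.STDOUT` its error text lands on stdout rather than stderr, which affects anyone capturing chcat's output. The argument-list form is the right fix for filenames with spaces or shell metacharacters; consider dropping `stderr=subprocess.STDOUT` so errors keep going to stderr, and the `as e` binding is unused in each `except` and can go.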
@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind):
cat_string = "%s,%s" % (cat_string, c)
else:
cat_string = cat
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+
+ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
+
return errors
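Review bot: the lone `+` line between `errors += 1` and `return errors` adds a blank line unrelated to the fix; drop it to keep the diff minimal and consistent with the other five hunks.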
@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind):
continue
if len(cat) == 0:
- cmd = 'chcon -l %s %s' % (sensitivity, f)
+ new_serange = sensitivity
else:
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ new_serange = '%s:%s' % (sensitivity, cat)
+
+ cmd = ["chcon", "-l", new_serange, f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
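Review bot: `new_serange` is a misleading name here: in this function it holds the level passed to `chcon -l` for a file, whereas in chcat_user_add and chcat_user_remove the same name is a semanage login range. Something like `new_level` would avoid confusion when reading the six near-identical blocks side by side.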
@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users):
add_ind = 1
user = seusers["__default__"]
serange = user[1].split("-")
- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ","))
+ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:]))
if new_serange[-1:] == ":":
new_serange = new_serange[:-1]
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
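Review bot: replacing `string.join(newcat[1:], ",")` with `",".join(newcat[1:])` is a separate Python 3 fix (`string.join` does not exist there), not part of the quoting change described in the commit message; it deserves a sentence there since it changes which Python versions the script runs on.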
@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind):
return chcat_user_replace(newcat, objects)
errors = 0
if len(newcat) == 1:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s ' % newcat[0]
+ new_serange = newcat[0]
else:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1])
+ new_serange = "%s:%s" % (newcat[0], newcat[1])
for cat in newcat[2:]:
- cmd = '%s,%s' % (cmd, cat)
+ new_serange = '%s,%s' % (new_serange, cat)
- for f in objects:
- cmd = "%s %s" % (cmd, f)
-
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["chcon", "-l", new_serange] + objects
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
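Review bot: `sensitivity` is dropped in this hunk; it was only used to build `cmd`, so that is fine, but worth stating. Because all `objects` are now passed to a single `chcon` invocation, one failing path still counts as a single error for the whole call, the same as before; the commit message could say this is intentional now that the argv is a list and could just as easily be looped per object.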
--
2.19.1

BIN
python-po.tgz Normal file

Binary file not shown.

@ -0,0 +1,58 @@
From 2d825c616d3d7a7ceee80125e1eff12ad46d2623 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 3 Jan 2019 13:03:39 +0100
Subject: [PATCH 108/170] python/semanage: Load a store policy and set the
store SELinux policy root
When "store" is set, sepolicy needs to load a new policy file and selinux module
needs to set the new store root path.
With this patch, semanage is able to work correctly with non-default -S <store>
even when the default policy is not installed yet.
Fixes:
$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index 4490e03f..556d3ba5 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -260,6 +260,8 @@ class semanageRecords:
if self.store == "" or self.store == localstore:
self.mylog = logger()
else:
+ sepolicy.load_store_policy(self.store)
+ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store))
self.mylog = nulllogger()
def set_reload(self, load):
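Review bot: `sepolicy.load_store_policy(self.store)` returns None both when it loaded a policy and when no policy file exists for the store, so a missing or empty store is silently ignored here and only surfaces later as an empty `valid_types`. Check the result (or have load_store_policy raise) and report a clear error. Also, `"%s%s" % (selinux.selinux_path(), self.store)` relies on `selinux_path()` ending with a separator; `os.path.join` would make that explicit.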
@@ -1329,7 +1331,7 @@ class ibpkeyRecords(semanageRecords):
def __init__(self, args = None):
semanageRecords.__init__(self, args)
try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibpkey_type"])
self.valid_types = sorted(str(t) for t in q.results())
except:
pass
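Review bot: the bare `except: pass` now also hides the case where `sepolicy.get_store_policy(self.store)` returns None and `setools.SELinuxPolicy(None)` fails; narrowing it to the expected exception types (or checking the path before building the query) would keep real errors visible instead of leaving `valid_types` empty and every later add rejected as an invalid type.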
@@ -1589,7 +1591,7 @@ class ibendportRecords(semanageRecords):
def __init__(self, args = None):
semanageRecords.__init__(self, args)
try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibendport_type"])
self.valid_types = set(str(t) for t in q.results())
except:
pass
--
2.19.1

@ -0,0 +1,129 @@
From 48aeea9ce623ee31e7699181e37221d03d8a1af1 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 16 Oct 2018 12:05:33 +0200
Subject: [PATCH 075/170] python/semanage: Stop rejecting aliases in semanage
commands
Resolves:
# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined
# seinfo -tsvirt_sandbox_file_t -x
TypeName container_file_t
Aliases
svirt_sandbox_file_t
svirt_lxc_file_t
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index c1467185..5d34cdbe 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -1081,7 +1081,7 @@ class portRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type)
(k, proto_d, low, high) = self.__genkey(port, proto)
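Review bot: `sepolicy.get_real_type_name(type)` returns None for an unknown name and `None not in self.valid_types` is True, so invalid types still raise; but the resolved name is discarded and the rest of the add path continues with the alias in `type`. Decide whether the record should store the alias as typed or the canonical type, and if the latter, assign `type = sepolicy.get_real_type_name(type) or type` once here (and in the other eight hunks) rather than re-resolving in the condition only.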
@@ -1145,7 +1145,7 @@ class portRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype)
(k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1349,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1411,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1597,7 +1597,7 @@ class ibendportRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1658,7 +1658,7 @@ class ibendportRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
(k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
@@ -1847,7 +1847,7 @@ class nodeRecords(semanageRecords):
if ctype == "":
raise ValueError(_("SELinux node type is required"))
- if ctype not in self.valid_types:
+ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -1916,7 +1916,7 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -2235,7 +2235,6 @@ class fcontextRecords(semanageRecords):
try:
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
- valid_types.append("<<none>>")
except RuntimeError:
valid_types = []
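Review bot: removing `"<<none>>"` from `valid_types` is only safe if every consumer of `fcontextRecords.valid_types` special-cases it; the two callers visible in this patch (`__add` and `__modify`) do, but any other `x in self.valid_types` check for file contexts will now reject `<<none>>`. Worth a grep, plus a short comment at `valid_types` saying that `<<none>>` is handled by the callers.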
@@ -2363,7 +2362,7 @@ class fcontextRecords(semanageRecords):
if type == "":
raise ValueError(_("SELinux Type is required"))
- if type not in self.valid_types:
+ if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -2426,7 +2425,7 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
- if setype and setype not in self.valid_types:
+ if setype not in ["", "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
self.validate(target)
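Review bot: the two `<<none>>` checks are written differently: `type != "<<none>>" and ...` in `__add` versus `setype not in ["", "<<none>>"] and ...` here. Both are correct for their call sites, but a single helper such as `self.__is_valid_type(name)` would keep the `<<none>>` rule and the alias resolution in one place.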
--
2.19.1

@ -0,0 +1,82 @@
From 60a928578689126f573618064fd8814445238d3a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 15 Feb 2019 17:00:25 +0100
Subject: [PATCH 157/170] python/semanage module: Fix handling of -a/-e/-d/-r
options
Previous code traceback-ed when one of the mentioned option was used without
any argument as this state was not handled by the argument parser.
action='store' stores arguments as a list while the original
action='store_const' used str therefore it's needed to convert list to str
before it's sent to moduleRecords class.
Fixes:
^_^ semanage module -a
Traceback (most recent call last):
File "/usr/sbin/semanage", line 963, in <module>
do_parser()
File "/usr/sbin/semanage", line 942, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 608, in handleModule
OBJECT.add(args.module_name, args.priority)
File "/usr/lib/python3.7/site-packages/seobject.py", line 402, in add
if not os.path.exists(file):
File "/usr/lib64/python3.7/genericpath.py", line 19, in exists
os.stat(path)
TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
selinux-python-2.8/semanage/semanage | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage
index 18191c13..d6d68248 100644
--- a/selinux-python-2.8/semanage/semanage
+++ b/selinux-python-2.8/semanage/semanage
@@ -609,14 +609,14 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
OBJECT = seobject.moduleRecords(args)
- if args.action == "add":
- OBJECT.add(args.module_name, args.priority)
- if args.action == "enable":
- OBJECT.set_enabled(args.module_name, True)
- if args.action == "disable":
- OBJECT.set_enabled(args.module_name, False)
- if args.action == "remove":
- OBJECT.delete(args.module_name, args.priority)
+ if args.action_add:
+ OBJECT.add(args.action_add[0], args.priority)
+ if args.action_enable:
+ OBJECT.set_enabled(" ".join(args.action_enable), True)
+ if args.action_disable:
+ OBJECT.set_enabled(" ".join(args.action_disable), False)
+ if args.action_remove:
+ OBJECT.delete(" ".join(args.action_remove), args.priority)
if args.action == "deleteall":
OBJECT.deleteall()
if args.action == "list":
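Review bot: `" ".join(args.action_remove)` turns several module names given to `-r`/`-d`/`-e` (the parser uses `nargs='+'`) into one space-joined string, while `-a` passes `args.action_add[0]` only. If moduleRecords.delete and set_enabled really accept a space-separated list, the help text should say so; otherwise iterate over the names and call the backend once per module.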
@@ -635,14 +635,13 @@ def setupModuleParser(subparsers):
parser_add_priority(moduleParser, "module")
mgroup = moduleParser.add_mutually_exclusive_group(required=True)
- parser_add_add(mgroup, "module")
parser_add_list(mgroup, "module")
parser_add_extract(mgroup, "module")
parser_add_deleteall(mgroup, "module")
- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module"))
- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module"))
- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module"))
- moduleParser.add_argument('module_name', nargs='?', default=None, help=_('Name of the module to act on'))
+ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module"))
+ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module"))
+ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module"))
+ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module"))
moduleParser.set_defaults(func=handleModule)
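Review bot: the `nargs='+'` options share `metavar='module_name'`, which renders as `module_name [module_name ...]` in `--help` and promises multiple modules; that is only consistent with the `" ".join` in handleModule if the backend handles such a list. `action='store'` is the argparse default and can be dropped. The actual fix for the traceback is that `-a` now takes `nargs=1` inside the `required=True` group, so `semanage module -a` without a name is rejected by argparse instead of passing None to `os.path.exists`.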
--
2.19.1

@ -0,0 +1,145 @@
From a73b0bba1a52adec3cfe654f726388a68b73e2d3 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 3 Jan 2019 13:03:36 +0100
Subject: [PATCH 105/170] python/semanage: move valid_types initialisations to
class constructors
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Fixes:
$ sudo semanage
Traceback (most recent call last):
File "/usr/sbin/semanage", line 28, in <module>
import seobject
File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in <module>
class portRecords(semanageRecords):
File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in <genexpr>
return ({
File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results
for attr in self.policy.typeattributes():
AttributeError: 'NoneType' object has no attribute 'typeattributes'
https://github.com/SELinuxProject/selinux/issues/81
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 57 ++++++++++++++++++++++---------------
1 file changed, 34 insertions(+), 23 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index efec0a55..4490e03f 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -1043,13 +1043,15 @@ class seluserRecords(semanageRecords):
class portRecords(semanageRecords):
- try:
- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
- except RuntimeError:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
+ except RuntimeError:
+ pass
def __genkey(self, port, proto):
if proto == "tcp":
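Review bot: the class-level `valid_types = []` is a shared mutable list; the constructor rebinds `self.valid_types` rather than appending, so there is no cross-instance leak, but any future `self.valid_types.append(...)` on an instance whose lookup failed would mutate the class attribute for every instance. Using `valid_types = ()` or initialising `self.valid_types = []` in `__init__` before the `try` makes that impossible.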
@@ -1321,14 +1323,16 @@ class portRecords(semanageRecords):
print(rec)
class ibpkeyRecords(semanageRecords):
- try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
- valid_types = sorted(str(t) for t in q.results())
- except:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
+ self.valid_types = sorted(str(t) for t in q.results())
+ except:
+ pass
def __genkey(self, pkey, subnet_prefix):
if subnet_prefix == "":
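Review bot: the bare `except:` is carried over from the class body; inside `__init__` it now also swallows errors raised by setools for a genuinely broken policy file, leaving `valid_types` empty and every later add rejected with "Type is invalid". Catching the specific exception types, as the portRecords hunk does with RuntimeError, would keep such failures visible.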
@@ -1579,14 +1583,16 @@ class ibpkeyRecords(semanageRecords):
print(rec)
class ibendportRecords(semanageRecords):
- try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
- valid_types = set(str(t) for t in q.results())
- except:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
+ self.valid_types = set(str(t) for t in q.results())
+ except:
+ pass
def __genkey(self, ibendport, ibdev_name):
if ibdev_name == "":
@@ -1823,14 +1829,16 @@ class ibendportRecords(semanageRecords):
print(rec)
class nodeRecords(semanageRecords):
- try:
- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
- except RuntimeError:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
self.protocol = ["ipv4", "ipv6"]
+ try:
+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
+ except RuntimeError:
+ pass
def validate(self, addr, mask, protocol):
newaddr = addr
@@ -2264,14 +2272,17 @@ class interfaceRecords(semanageRecords):
class fcontextRecords(semanageRecords):
- try:
- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
- valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
- except RuntimeError:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
+ self.valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
+ except RuntimeError:
+ pass
+
self.equiv = {}
self.equiv_dist = {}
self.equal_ind = False
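Review bot: failure handling changes subtly here: before, a RuntimeError from either `sepolicy.info` call reset `valid_types` to `[]`; now `except RuntimeError: pass` leaves `self.valid_types` holding the `file_type` list if only the `device_node` call fails. If a partial list is acceptable, fine, but otherwise build a local list and assign it to `self.valid_types` only after both calls succeed.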
--
2.19.1

@ -0,0 +1,52 @@
From 259ab083fa02aaa9eb385cf6b0de30a1919a817b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 1 Feb 2019 17:49:40 +0100
Subject: [PATCH 144/170] python/semanage/seobject: Fix listing boolean values
Fix gathering boolean values by fixing always False if condition
(determining whether the values are listed from local store).
Fix listing boolean values by printing the correct values and not
forcing the use of security_get_boolean_active (which causes
crash when listing booleans that are not present in active policy).
Fixes:
# dnf install selinux-policy-mls
# cat > mypolicy.cil
(boolean xyz false)
# semodule -i mypolicy.cil -s mls
# semanage boolean -l -S mls
...
irssi_use_full_network (off , off) Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
mozilla_plugin_use_bluejeans (off , off) Allow mozilla plugin to use Bluejeans.
OSError: No such file or directory
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index 556d3ba5..b31a90c1 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -2807,7 +2807,7 @@ class booleanRecords(semanageRecords):
value = []
name = semanage_bool_get_name(boolean)
value.append(semanage_bool_get_value(boolean))
- if self.modify_local and boolean in self.current_booleans:
+ if self.modify_local and name in self.current_booleans:
value.append(selinux.security_get_boolean_pending(name))
value.append(selinux.security_get_boolean_active(name))
else:
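Review bot: comparing `name` instead of the `boolean` record handle is the right fix (the commit message explains the old condition was always False), but `value[0]`, `value[1]`, `value[2]` are then consumed positionally by the listing code below; a one-line comment stating the order (store value, pending, active) next to the appends would make that dependency explicit.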
@@ -2849,4 +2849,4 @@ class booleanRecords(semanageRecords):
print("%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description")))
for k in sorted(ddict.keys()):
if ddict[k]:
- print("%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k)))
+ print("%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k)))
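Review bot: the new print shows `ddict[k][2]` (active) under the `State` column and `ddict[k][0]` (value from the store) under `Default`, which matches the header and the order in which `value` is filled above; naming those indices or adding a comment here would avoid the opaque `[2]`/`[0]`. Dropping the unconditional `security_get_boolean_active(k)` is also what removes the OSError for booleans absent from the running policy, so the commit message is accurate.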
--
2.19.1

@ -0,0 +1,47 @@
From 33d7a761e53c7828ab89821fd7f7b5c6ada81635 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Fri, 21 Dec 2018 21:43:30 +0100
Subject: [PATCH 111/170] python/sepolgen: close /etc/selinux/sepolgen.conf
after parsing it
sepolgen testsuite reports the following warning on a system with
/etc/selinux/sepolgen.conf:
.../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file
<_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r'
encoding='UTF-8'>
Fix this by properly closing the file in PathChooser.__init__().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/sepolgen/src/sepolgen/defaults.py | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
index 199acfaf..533a9041 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
@@ -32,12 +32,13 @@ class PathChooser(object):
self.config_pathname = pathname
ignore = re.compile(r"^\s*(?:#.+)?$")
consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
- for lineno, line in enumerate(open(pathname)):
- if ignore.match(line): continue
- mo = consider.match(line)
- if not mo:
- raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
- self.config[mo.group(1)] = mo.group(2)
+ with open(pathname, "r") as fd:
+ for lineno, line in enumerate(fd):
+ if ignore.match(line): continue
+ mo = consider.match(line)
+ if not mo:
+ raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
+ self.config[mo.group(1)] = mo.group(2)
# We're only exporting one useful function, so why not be a function
def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
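Review bot: wrapping the loop in `with open(pathname, "r") as fd:` is correct and also closes the file when the ValueError is raised mid-file; while these lines are being rewritten, `if ignore.match(line): continue` could be split onto two lines, and `fd` is a slightly misleading name for a file object (`f` or `fh` is conventional, since `fd` usually means an integer descriptor).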
--
2.19.1

@ -0,0 +1,39 @@
From 91ef21e31fac00607112f41027053dc1120a7e14 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 3 Jun 2018 18:25:38 +0200
Subject: [PATCH 014/170] python/sepolgen: fix typo in PathChoooser name
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
index 95910639..199acfaf 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
@@ -22,7 +22,7 @@ import re
# Select the correct location for the development files based on a
# path variable (optionally read from a configuration file)
-class PathChoooser(object):
+class PathChooser(object):
def __init__(self, pathname):
self.config = dict()
if not os.path.exists(pathname):
@@ -68,10 +68,10 @@ def attribute_info():
return data_dir() + "/attribute_info"
def refpolicy_makefile():
- chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+ chooser = PathChooser("/etc/selinux/sepolgen.conf")
return chooser("Makefile")
def headers():
- chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+ chooser = PathChooser("/etc/selinux/sepolgen.conf")
return chooser("include")
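Review bot: renaming `PathChoooser` to `PathChooser` changes a public name in `sepolgen.defaults`; anything outside this package that imported the misspelled class will break. If compatibility matters, keep `PathChoooser = PathChooser` as an alias for one release.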
--
2.19.1

@ -0,0 +1,35 @@
From 916640d786b5896fbf75d219e16422c9a48529ab Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sat, 5 Jan 2019 20:37:58 +0100
Subject: [PATCH 119/170] python/sepolgen: refpolicy installs its Makefile in
include/Makefile
When running "make install-headers" on refpolicy,
/usr/share/selinux/refpolicy/Makefile does not exist but
/usr/share/selinux/refpolicy/include/Makefile does. Use it when
available.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
index 533a9041..6e800695 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
@@ -70,7 +70,10 @@ def attribute_info():
def refpolicy_makefile():
chooser = PathChooser("/etc/selinux/sepolgen.conf")
- return chooser("Makefile")
+ result = chooser("Makefile")
+ if not os.path.exists(result):
+ result = chooser("include/Makefile")
+ return result
def headers():
chooser = PathChooser("/etc/selinux/sepolgen.conf")
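Review bot: when neither `Makefile` nor `include/Makefile` exists, the function now returns the `include/Makefile` path rather than the original candidate, so a caller's "file not found" message will name the fallback, which may confuse someone who only set up a top-level Makefile. Either return the first candidate in that case or document the fallback order in a comment.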
--
2.19.1

@ -0,0 +1,50 @@
From ef359c97c98a8b347c7379a605acff1b2305ee28 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 3 Jan 2019 13:03:38 +0100
Subject: [PATCH 107/170] python/sepolicy: Add
sepolicy.load_store_policy(store)
load_store_policy() allows to (re)load SELinux policy based on a store name. It
is useful when SELinux is disabled and default policy is not installed; or when
a user wants to query or manipulate another policy.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index fbeb731d..b69a6b94 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -129,6 +129,13 @@ def get_installed_policy(root="/"):
pass
raise ValueError(_("No SELinux Policy installed"))
+def get_store_policy(store, root="/"):
+ try:
+ policies = glob.glob("%s%s/policy/policy.*" % (selinux.selinux_path(), store))
+ policies.sort()
+ return policies[-1]
+ except:
+ return None
def policy(policy_file):
global all_domains
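Review bot: `policies.sort()` sorts the filenames as strings, so `policy.9` would sort after `policy.31`; sort on the numeric suffix (for example `key=lambda p: int(p.rsplit(".", 1)[1])`) to pick the highest policy version reliably. Also, `root="/"` is accepted but never used (the path is built from `selinux.selinux_path()` alone), and the bare `except:` hides everything including typos; `except IndexError` is the only expected failure here.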
@@ -156,6 +163,11 @@ def policy(policy_file):
except:
raise ValueError(_("Failed to read %s policy file") % policy_file)
+def load_store_policy(store):
+ policy_file = get_store_policy(store)
+ if not policy_file:
+ return None
+ policy(policy_file)
try:
policy_file = get_installed_policy()
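Review bot: `load_store_policy` returns None on both the success path and the "no policy file" path, so callers such as semanageRecords cannot tell whether anything was loaded; return the policy file path (or raise ValueError, as `policy()` does) so the caller can report a missing store instead of continuing with whatever policy was loaded before.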
--
2.19.1

@ -0,0 +1,44 @@
From 448f5a9257f76645bcff6881de3bb9a0f313c545 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 16 Oct 2018 12:05:31 +0200
Subject: [PATCH 073/170] python/sepolicy: Fix "info" to search aliases as well
Restore previous behaviour of "sepolicy.info()".
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index 5d0535b9..d8c9decc 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -168,15 +168,21 @@ except ValueError as e:
def info(setype, name=None):
if setype == TYPE:
q = setools.TypeQuery(_pol)
- if name:
- q.name = name
+ q.name = name
+ results = list(q.results())
+
+ if name and len(results) < 1:
+ # type not found, try alias
+ q.name = None
+ q.alias = name
+ results = list(q.results())
return ({
'aliases': list(map(str, x.aliases())),
'name': str(x),
'permissive': bool(x.ispermissive),
'attributes': list(map(str, x.attributes()))
- } for x in q.results())
+ } for x in results)
elif setype == ROLE:
q = setools.RoleQuery(_pol)
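Review bot: falling back to `q.alias = name` only after the `q.name = name` query yields nothing is the right order, since a type and an alias cannot share a name, and the returned `'name'` is then the canonical type, which is what `get_real_type_name` relies on. `if name and len(results) < 1` reads more naturally as `if name and not results`. Setting `q.name = name` unconditionally when name is None relies on setools treating a None criterion as unset, which it does, but a comment saying so would save the next reader a lookup.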
--
2.19.1

@ -0,0 +1,96 @@
From 4c63b8e7b691bf8fc09ccd5a35ce420effaeb16b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 22 Oct 2018 17:43:12 +0200
Subject: [PATCH 074/170] python/sepolicy: Stop rejecting aliases in sepolicy
commands
Fix CheckDomain and CheckPortType classes to properly deal with aliases.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1600009
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
selinux-python-2.8/sepolicy/sepolicy.py | 8 +++-----
selinux-python-2.8/sepolicy/sepolicy/__init__.py | 18 +++++++++++++++++-
2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/selinux-python-2.8/sepolicy/sepolicy.py b/selinux-python-2.8/sepolicy/sepolicy.py
index a000c1ad..01380fbe 100755
--- a/selinux-python-2.8/sepolicy/sepolicy.py
+++ b/selinux-python-2.8/sepolicy/sepolicy.py
@@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
class CheckType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- domains = sepolicy.get_all_domains()
-
if isinstance(values, str):
setattr(namespace, self.dest, values)
else:
@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
domains = sepolicy.get_all_domains()
if isinstance(values, str):
- if values not in domains:
+ if sepolicy.get_real_type_name(values) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
setattr(namespace, self.dest, values)
else:
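Review bot: the check now accepts aliases, but `setattr(namespace, self.dest, values)` still stores the alias as typed, so code that later looks the domain up in structures keyed by canonical type names will miss it. Consider storing `sepolicy.get_real_type_name(values)` (which is not None once the check passed) instead of `values`, and the same for `newval` in the list branch.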
@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
newval = []
for v in values:
- if v not in domains:
+ if sepolicy.get_real_type_name(v) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
newval.append(v)
setattr(namespace, self.dest, newval)
@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
if not newval:
newval = []
for v in values:
- if v not in port_types:
+ if sepolicy.get_real_type_name(v) not in port_types:
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
newval.append(v)
setattr(namespace, self.dest, values)
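Review bot: `newval` is built and validated in the loop but the final line stores `values` (`setattr(namespace, self.dest, values)`), so the list is discarded; this is pre-existing, but since the loop is being edited anyway it should store `newval` like CheckDomain does.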
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index d8c9decc..b18683e4 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -447,6 +447,22 @@ def get_file_types(setype):
return mpaths
+def get_real_type_name(name):
+ """Return the real name of a type
+
+ * If 'name' refers to a type, return the same name.
+ * If 'name' refers to a type alias, return the corresponding type name.
+ * Otherwise return None.
+ """
+ if not name:
+ return None
+
+ try:
+ return next(info(TYPE, name))["name"]
+ except (RuntimeError, StopIteration):
+ return None
+
+
def get_writable_files(setype):
file_types = get_all_file_types()
all_writes = []
@@ -1061,7 +1077,7 @@ def gen_short_name(setype):
domainname = setype[:-2]
else:
domainname = setype
- if domainname + "_t" not in all_domains:
+ if get_real_type_name(domainname + "_t") not in all_domains:
raise ValueError("domain %s_t does not exist" % domainname)
if domainname[-1] == 'd':
short_name = domainname[:-1] + "_"
--
2.19.1

@ -0,0 +1,32 @@
From 8fac024785299725b714ad6ac8a265e16bc125c9 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sat, 4 Aug 2018 14:07:47 +0200
Subject: [PATCH 042/170] python/sepolicy: fix "procotol" misspelling
procotol -> protocol
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/gui.py:2525:132: F821 undefined name 'procotol'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/sepolicy/sepolicy/gui.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 16f24a0a..6933f6a1 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/gui.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py
@@ -2522,7 +2522,7 @@ class SELinuxGui():
if self.cur_dict[k][(port, protocol)]["action"] == "-d":
update_buffer += "port -d -p %s %s\n" % (protocol, port)
else:
- update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], procotol, port)
+ update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], protocol, port)
return update_buffer
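Review bot: the rename fixes the NameError, but the `else` branch still indexes `self.cur_dict[k][f]` while the `if` branch two lines above indexes `self.cur_dict[k][(port, protocol)]`; unless `f` is bound to that same `(port, protocol)` tuple in the enclosing loop, this is a second latent KeyError on the same line that no linter will see, so please confirm or switch both branches to one key. Separately, the `diff --git a/python/sepolicy/sepolicy/gui.py` header and the diffstat still carry the upstream path while the `---`/`+++` lines were rewritten to `selinux-python-2.8/...`; `patch -p1` follows `---`/`+++`, but the header should be rewritten too so the patch is self-consistent for `git apply`.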
--
2.19.1

@ -0,0 +1,33 @@
From ae03c821b798b346d1012d1defd61e665bb0d890 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Thu, 31 Jan 2019 20:46:40 +0100
Subject: [PATCH 136/170] python/sepolicy: fix variable name
modify_button_clicked() used variable "type" in a comparison instead of
"ftype". This is a bug, which has been found with flake8 3.7.0. This
linter reported:
python/sepolicy/sepolicy/gui.py:1548:20: F823 local variable 'type'
{0} referenced before assignment
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/sepolicy/sepolicy/gui.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/gui.py b/selinux-python-2.8/sepolicy/sepolicy/gui.py
index fde233ad..d4bf3b48 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/gui.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py
@@ -1545,7 +1545,7 @@ class SELinuxGui():
path = self.executable_files_liststore.get_value(iter, 0)
self.files_path_entry.set_text(path)
ftype = self.executable_files_liststore.get_value(iter, 1)
- if type != None:
+ if ftype != None:
self.combo_set_active_text(self.files_type_combobox, ftype)
tclass = self.executable_files_liststore.get_value(iter, 2)
if tclass != None:
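Review bot: `if ftype != None:` (and `if tclass != None:` two lines below) compares against None with `!=`; the idiomatic and flake8-clean form is `is not None` (E711). Since the point of this patch series is to make the tree pass flake8, it is worth fixing both while the line is being touched.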
--
2.19.1

@ -0,0 +1,34 @@
From 5013d2ba9774b876d906f9196fc6f75b1f2f5237 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 18 Sep 2018 15:12:59 +0200
Subject: [PATCH 093/170] python/sepolicy: search() also for dontaudit rules
dontaudit rules were accidentally dropped during the rewrite to the SETools 4 API in
97d5f6a2
Fixes:
>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index cd7af7cf..fbeb731d 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -344,6 +344,8 @@ def search(types, seinfo=None):
tertypes.append(NEVERALLOW)
if AUDITALLOW in types:
tertypes.append(AUDITALLOW)
+ if DONTAUDIT in types:
+ tertypes.append(DONTAUDIT)
if len(tertypes) > 0:
q = setools.TERuleQuery(_pol,
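Review bot: the two added lines assume a module-level `DONTAUDIT` constant exists next to `NEVERALLOW` and `AUDITALLOW` and that setools.TERuleQuery accepts it in its ruletype list; neither is visible in this hunk. If the constant was also lost in the 97d5f6a2 rewrite, `sepolicy.search(['dontaudit'])` goes from returning `[]` to raising NameError. A note in the commit message that the constant still exists, or better a small test that the query now returns dontaudit rules, would close the loop that the "Fixes:" section opens.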
--
2.19.1

@ -0,0 +1,344 @@
From f906ae66a4362345cccf2b93feccd4c045894ed7 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Thu, 31 Jan 2019 20:44:44 +0100
Subject: [PATCH 135/170] python: use == or != when comparing a variable with a
string or an integer
Flake8 3.7.0 added a new fatal error message when parsing Python files:
python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals
python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals
...
python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals
Fix all these warnings.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/semanage/semanage | 118 ++++++++++++-------------
selinux-python-2.8/sepolgen/src/sepolgen/output.py | 6 +-
selinux-python-2.8/sepolicy/sepolicy/generate.py | 4 +-
3 files changed, 64 insertions(+), 64 deletions(-)
diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage
index 49add51e..6afeac14 100644
--- a/selinux-python-2.8/semanage/semanage
+++ b/selinux-python-2.8/semanage/semanage
@@ -109,7 +109,7 @@ class SetExportFile(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
if values:
- if values is not "-":
+ if values != "-":
try:
sys.stdout = open(values, 'w')
except:
@@ -121,7 +121,7 @@ class SetExportFile(argparse.Action):
class SetImportFile(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- if values and values is not "-":
+ if values and values != "-":
try:
sys.stdin = open(values, 'r')
except IOError as e:
@@ -189,17 +189,17 @@ def handleLogin(args):
OBJECT = object_dict['login'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.login, args.seuser, args.range)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.login, args.seuser, args.range)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.login)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("login %s" % (str(i)))
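Review bot: these `is "add"` comparisons only ever worked because CPython interns short identifier-like string constants, so the literal in `semanage` and the choice value argparse stored happened to be the same object; wherever that does not hold, every `if` in this function is silently false and, for example, `semanage login -d` exits 0 without deleting anything. Because the actions are a chain of independent `if`s rather than `if`/`elif`, nothing falls through to an "unknown action" error either; consider converting the chain to `elif` with a final `else` that raises, so a future mismatch fails loudly instead of being a no-op on a security configuration tool.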
@@ -322,26 +322,26 @@ def handleFcontext(args):
OBJECT = object_dict['fcontext'](args)
- if args.action is "add":
+ if args.action == "add":
if args.equal:
OBJECT.add_equal(args.file_spec, args.equal)
else:
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
- if args.action is "modify":
+ if args.action == "modify":
if args.equal:
OBJECT.add_equal(args.file_spec, args.equal)
else:
OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
- if args.action is "delete":
+ if args.action == "delete":
if args.equal:
OBJECT.delete(args.file_spec, args.equal)
else:
OBJECT.delete(args.file_spec, args.ftype)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("fcontext %s" % str(i))
@@ -390,17 +390,17 @@ def handleUser(args):
OBJECT = object_dict['user'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.selinux_name, args.roles, args.level, args.range, args.prefix)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.selinux_name)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("user %s" % str(i))
@@ -440,17 +440,17 @@ def handlePort(args):
OBJECT = object_dict['port'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.port, args.proto, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.port, args.proto, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.port, args.proto)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("port %s" % str(i))
@@ -485,17 +485,17 @@ def handlePkey(args):
OBJECT = object_dict['ibpkey'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.ibpkey, args.subnet_prefix, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.ibpkey, args.subnet_prefix)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("ibpkey %s" % str(i))
@@ -528,17 +528,17 @@ def handleIbendport(args):
OBJECT = object_dict['ibendport'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.ibendport, args.ibdev_name, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.ibendport, args.ibdev_name)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("ibendport %s" % str(i))
@@ -571,17 +571,17 @@ def handleInterface(args):
OBJECT = object_dict['interface'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.interface, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.interface, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.interface)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("interface %s" % str(i))
@@ -617,11 +617,11 @@ def handleModule(args):
OBJECT.set_enabled(args.module_name, False)
if args.action == "remove":
OBJECT.delete(args.module_name, args.priority)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("module %s" % str(i))
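Review bot: this function already used `==` for `remove` and `list` but `is` for `deleteall` and `extract`, which is how the bug survived: the common subcommands behaved and only the two rarely used actions depended on string identity. A test exercising the deleteall and extract actions of `semanage module` would pin the behaviour rather than leaving it to CPython interning.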
@@ -652,17 +652,17 @@ def handleNode(args):
OBJECT = object_dict['node'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.node, args.netmask, args.proto)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("node %s" % str(i))
@@ -698,14 +698,14 @@ def handleBoolean(args):
OBJECT = object_dict['boolean'](args)
- if args.action is "modify":
+ if args.action == "modify":
if args.boolean:
OBJECT.modify(args.boolean, args.state, False)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("boolean %s" % str(i))
@@ -736,12 +736,12 @@ def setupBooleanParser(subparsers):
def handlePermissive(args):
OBJECT = object_dict['permissive'](args)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading)
elif args.type is not None:
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.type)
else:
args.parser.print_usage(sys.stderr)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/output.py b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
index 7a83aee4..3a21b64c 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/output.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
@@ -74,13 +74,13 @@ def id_set_cmp(x, y):
# Compare two avrules
def avrule_cmp(a, b):
ret = id_set_cmp(a.src_types, b.src_types)
- if ret is not 0:
+ if ret != 0:
return ret
ret = id_set_cmp(a.tgt_types, b.tgt_types)
- if ret is not 0:
+ if ret != 0:
return ret
ret = id_set_cmp(a.obj_classes, b.obj_classes)
- if ret is not 0:
+ if ret != 0:
return ret
# At this point, who cares - just return something
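Review bot: `ret is not 0` worked only because CPython caches small integers (-5 to 256) as singletons, so the -1/0/1 that id_set_cmp() returns always hit the cache; this was therefore not a live bug, but `!=` is the only correct spelling and the fix is right. Nothing else in the comparator changes.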
diff --git a/selinux-python-2.8/sepolicy/sepolicy/generate.py b/selinux-python-2.8/sepolicy/sepolicy/generate.py
index 37ddfc7a..5a2195b8 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/generate.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/generate.py
@@ -643,7 +643,7 @@ allow %s_t %s_t:%s_socket name_%s;
def __find_path(self, file):
for d in self.DEFAULT_DIRS:
- if file.find(d) is 0:
+ if file.find(d) == 0:
self.DEFAULT_DIRS[d][1].append(file)
return self.DEFAULT_DIRS[d]
self.DEFAULT_DIRS["rw"][1].append(file)
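Review bot: `file.find(d) == 0` is the literal translation of the old `is 0`, but what it tests is a prefix, and `file.startswith(d)` says so directly and stops at the first mismatch instead of scanning the whole path for later occurrences. Behaviour is unchanged either way, since `find()` returns -1 when `d` is absent and both spellings treat that as "no match".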
@@ -1346,7 +1346,7 @@ allow %s_t %s_t:%s_socket name_%s;
else:
continue
- if len(temp_dirs) is not 0:
+ if len(temp_dirs) != 0:
for i in temp_dirs:
if i in self.dirs.keys():
del(self.dirs[i])
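Review bot: `len(temp_dirs) != 0` is correct, but the idiomatic guard is `if temp_dirs:`; and `del(self.dirs[i])` is a `del` statement with redundant parentheses, not a function call. Both are cosmetic. The loop deletes from `self.dirs` while iterating over the separate `temp_dirs` list, so the deletion itself is safe.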
--
2.19.1
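The `is`-versus-`==` class of bug that the patch above cleans up is easy to misjudge because CPython's string interning makes the wrong code work most of the time. The following Python block is an added example (it is not code from policycoreutils, from the patch author, or from flake8): it shows the identity check failing on a string assembled at run time, and an ast-based checker written here from scratch that reports the same `is`/`is not` comparisons against str, bytes or int literals that flake8 flags as F632. The `SAMPLE` source and the `ACTION_ADD` constant are constructed for the demonstration.

```python
import ast

# Constant standing in for the "add" literal in semanage's `args.action is "add"`.
ACTION_ADD = "add"


def compare_action(action):
    """Return (identity_result, equality_result) for `action` against ACTION_ADD.

    `action is ACTION_ADD` is only True when both names refer to the same
    object. CPython happens to intern short identifier-like constants, which is
    why the old `args.action is "add"` usually worked, but a string assembled at
    run time (read from a file, joined from parts) is a different object.
    """
    return (action is ACTION_ADD, action == ACTION_ADD)


def _is_plain_literal(node):
    """True for str, bytes and int constants; None and bools are excluded
    because `is None` / `is True` are a different (and legitimate) idiom."""
    if not isinstance(node, ast.Constant):
        return False
    value = node.value
    if value is None or isinstance(value, bool):
        return False
    return isinstance(value, (str, bytes, int))


def find_literal_is_comparisons(source):
    """Scan Python source and return [(lineno, operator, literal), ...] for every
    `is` / `is not` comparison with a str, bytes or int literal on either side.
    Chained comparisons (a is b is "x") are walked pair by pair."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        left = node.left
        for op, right in zip(node.ops, node.comparators):
            if isinstance(op, (ast.Is, ast.IsNot)):
                for side in (left, right):
                    if _is_plain_literal(side):
                        op_name = "is" if isinstance(op, ast.Is) else "is not"
                        findings.append((node.lineno, op_name, side.value))
                        break
            left = right
    return findings


# Constructed sample mirroring the patterns the patch removes from semanage,
# sepolgen/output.py and sepolicy/generate.py. Lines 2, 4 and 6 are bugs;
# line 8 (`is not None`) and line 10 (`==`) are fine and must not be reported.
SAMPLE = """\
def handle(args, ret, values):
    if args.action is "add":
        pass
    if args.action is not "delete":
        pass
    if ret is not 0:
        pass
    if values is not None:
        pass
    if args.action == "list":
        pass
"""


if __name__ == "__main__":
    print("same constant object:", compare_action(ACTION_ADD))
    print("run-time built string:", compare_action("".join(["ad", "d"])))
    for lineno, op, literal in find_literal_is_comparisons(SAMPLE):
        print("F632-style finding: line %d: %s %r" % (lineno, op, literal))
```

The checker deliberately ignores `is None` and `is True`/`is False`, because those are identity comparisons against genuine singletons and are handled by other flake8 rules; run it over a file's source text to get the same three hits that the patch fixes in the sample.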

restorecond-2.8.tar.gz (new binary file, contents not shown)

@ -0,0 +1,40 @@
From 385ef2cdc679fdc79f0876f544c6e555ae9f59dc Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 3 Oct 2018 16:42:59 +0200
Subject: [PATCH 064/170] restorecond: Do not ignore the -f option
Since the default value of watch_file is set unconditionally *after* the
command-line arguments have been parsed, the -f option is (and has
always been) effectively ignored. Fix this by setting it before the
parsing.
Fixes: 48681bb49c03 ("policycoreutils: restorecond: make restorecond dbuss-able")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
restorecond/restorecond.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
index e1d26cb9..7b984b29 100644
--- a/restorecond-2.8/restorecond.c
+++ b/restorecond-2.8/restorecond.c
@@ -148,6 +148,8 @@ int main(int argc, char **argv)
if (is_selinux_enabled() != 1)
return 0;
+ watch_file = server_watch_file;
+
/* Set all options to zero/NULL except for ignore_noent & digest. */
memset(&r_opts, 0, sizeof(r_opts));
r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
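Review bot: the fix is correct only if the `-f` case in the getopt loop that sits between these two hunks assigns to `watch_file` itself; that loop is not in the diff, so please confirm it, ideally with a quick test that `restorecond -f /some/path` reads that file and not the default. The silent fallback mattered operationally: restorecond restores file contexts as root on every path listed in its watch file, so an administrator who pointed it at a narrower list was in fact running the default one. Also, the `diff --git a/restorecond/restorecond.c` header does not match the `---`/`+++` paths (`restorecond-2.8/restorecond.c`); keep them consistent so the patch applies the same way with `git apply` and `patch -p1`.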
@@ -205,7 +207,6 @@ int main(int argc, char **argv)
return 0;
}
- watch_file = server_watch_file;
read_config(master_fd, watch_file);
if (!debug_mode) {
--
2.19.1

sandbox-po.tgz (new binary file, contents not shown)

selinux-autorelabel (new file)
@ -0,0 +1,73 @@
#!/bin/bash
#
# Do automatic relabelling
#
# . /etc/init.d/functions

# If the user has this (or similar) UEFI boot order:
#
# Windows | grub | Linux
#
# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
# would cause the system to boot into Windows again, if the autorelabel was run.
#
# This function restores the UEFI boot order, so the user will boot into the
# previously set (and expected) partition.
efi_set_boot_next() {
    # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficient -- it could
    # succeed even on a system which is not EFI-enabled...
    if ! efibootmgr > /dev/null 2>&1; then
        return
    fi

    # NOTE: It is possible that some other service might be setting the
    # 'BootNext' item for its own reasons, and we shouldn't override it if so.
    if ! efibootmgr | grep --quiet -e 'BootNext'; then
        CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
        efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
    fi
}

relabel_selinux() {
    # if /sbin/init is not labeled correctly this process is running in the
    # wrong context, so a reboot will be required after relabel
    AUTORELABEL=
    . /etc/selinux/config
    # Relabel in permissive mode: this process may itself be running in the
    # wrong context (see above), so enforcing would block the relabel.
    echo "0" > /sys/fs/selinux/enforce
    [ -x /bin/plymouth ] && plymouth --quit
    if [ "$AUTORELABEL" = "0" ]; then
        echo
        echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
        echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
        echo $"*** problems. Dropping you to a shell; the system will reboot"
        echo $"*** when you leave the shell."
        sulogin
    else
        echo
        echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
        echo $"*** Relabeling could take a very long time, depending on file"
        echo $"*** system size and speed of hard drives."
        # /.autorelabel may carry extra options for fixfiles (e.g. -F); $FORCE is
        # intentionally left unquoted so that they are word-split into arguments.
        FORCE=`cat /.autorelabel`
        [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
        /sbin/fixfiles $FORCE restore
    fi
    rm -f /.autorelabel
    /usr/lib/dracut/dracut-initramfs-restore
    efi_set_boot_next
    if [ -x /usr/bin/grub2-editenv ]; then
        grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
    fi
    sync
    systemctl --force reboot
}

# Check to see if a full relabel is needed.
# READONLY is not set anywhere in this script; it is inherited from the
# environment (a leftover of the init.d version of this script).
if [ "$READONLY" != "yes" ]; then
    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
    relabel_selinux
fi

@ -0,0 +1,29 @@
#!/bin/sh
# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel, and if so sets the default target to
# selinux-autorelabel.target, which will cause the filesystem to be
# relabelled and then the system will reboot again and boot into the
# real default target.
PATH=/usr/sbin:$PATH
unitdir=/usr/lib/systemd/system
# If invoked with no arguments (for testing) write to /tmp.
earlydir="/tmp"
if [ -n "$2" ]; then
earlydir="$2"
fi
set_target ()
{
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
}
if selinuxenabled; then
if test -f /.autorelabel; then
set_target
elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
set_target
fi
fi

@ -0,0 +1,18 @@
[Unit]
Description=Mark the need to relabel after reboot
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=!selinux
ConditionPathIsDirectory=/etc/selinux
ConditionPathExists=!/.autorelabel
[Service]
ExecStart=-/bin/touch /.autorelabel
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=sysinit.target

@ -0,0 +1,14 @@
[Unit]
Description=Relabel all filesystems
DefaultDependencies=no
Conflicts=shutdown.target
After=sysinit.target
Before=shutdown.target
ConditionSecurity=selinux
[Service]
ExecStart=/usr/libexec/selinux/selinux-autorelabel
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardInput=tty

@ -0,0 +1,7 @@
[Unit]
Description=Relabel all filesystems and reboot
DefaultDependencies=no
Requires=sysinit.target selinux-autorelabel.service
Conflicts=shutdown.target
After=sysinit.target selinux-autorelabel.service
ConditionSecurity=selinux

selinux-dbus-2.8.tar.gz (new binary file, contents not shown)

selinux-dbus-fedora.patch (new file)
@ -0,0 +1,35 @@
diff --git selinux-dbus-2.8/org.selinux.conf selinux-dbus-2.8/org.selinux.conf
index a350978..1ae079d 100644
--- selinux-dbus-2.8/org.selinux.conf
+++ selinux-dbus-2.8/org.selinux.conf
@@ -12,12 +12,8 @@
<!-- Allow anyone to invoke methods on the interfaces,
authorization is performed by PolicyKit -->
- <policy at_console="true">
- <allow send_destination="org.selinux"/>
- </policy>
<policy context="default">
- <allow send_destination="org.selinux"
- send_interface="org.freedesktop.DBus.Introspectable"/>
+ <allow send_destination="org.selinux"/>
</policy>
</busconfig>
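Review bot: this hunk widens the bus policy from "console users may call anything, everyone else may only introspect" to "any caller on the system bus may invoke any org.selinux method", and the only remaining access control is the comment's statement that authorization is performed by PolicyKit. That is acceptable only if every exported method, not just the state-changing ones, performs a polkit CheckAuthorization before acting; please point at where that check lives in the org.selinux service, and if any method lacks it keep the introspection-only rule for `context="default"` until it is added.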
diff --git selinux-dbus-2.8/org.selinux.policy selinux-dbus-2.8/org.selinux.policy
index 0126610..9772127 100644
--- selinux-dbus-2.8/org.selinux.policy
+++ selinux-dbus-2.8/org.selinux.policy
@@ -70,9 +70,9 @@
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
- <action id="org.selinux.change_policy_type">
- <description>SELinux write access</description>
- <message>System policy prevents change_policy_type access to SELinux</message>
+ <action id="org.selinux.change_default_mode">
+ <description>Change SELinux default enforcing mode</description>
+ <message>System policy prevents change_default_policy access to SELinux</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
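Review bot: the new action id is `org.selinux.change_default_mode` but the `<message>` text still says "change_default_policy access", so the prompt users see will not name the action being authorized; align the wording. More importantly, renaming the id means any service code that still asks polkit about `org.selinux.change_policy_type` will get an unknown-action error (polkit fails closed, so this is not a privilege problem, but the method stops working); the matching code change should be in the same patch or referenced here.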

selinux-gui-2.8.tar.gz (new binary file, contents not shown)

selinux-gui-fedora.patch (new file)
@ -0,0 +1,275 @@
diff --git selinux-gui-2.8/Makefile selinux-gui-2.8/Makefile
index a72e58c..ffe8b97 100644
--- selinux-gui-2.8/Makefile
+++ selinux-gui-2.8/Makefile
@@ -21,6 +21,7 @@ system-config-selinux.ui \
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
+ (cd po && $(MAKE) $@)
install: all
-mkdir -p $(DESTDIR)$(MANDIR)/man8
@@ -46,6 +47,8 @@ install: all
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
done
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ (cd po && $(MAKE) $@)
+
clean:
indent:
diff --git selinux-gui-2.8/booleansPage.py selinux-gui-2.8/booleansPage.py
index 7849bea..dd12b6d 100644
--- selinux-gui-2.8/booleansPage.py
+++ selinux-gui-2.8/booleansPage.py
@@ -38,7 +38,7 @@ DISABLED = 2
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
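Review bot: switching the gettext domain to `selinux-gui` is only correct together with the new po/Makefile in this patch, which installs the catalogs as `selinux-gui.mo` (`selinux-$(NLSPACKAGE).mo` with `NLSPACKAGE = gui`), so the two must stay in step. The same one-line rename is repeated verbatim in every page module below; a single definition in semanagePage.py imported by the others would stop the copies from drifting apart on the next rename.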
diff --git selinux-gui-2.8/domainsPage.py selinux-gui-2.8/domainsPage.py
index bad5140..6bbe4de 100644
--- selinux-gui-2.8/domainsPage.py
+++ selinux-gui-2.8/domainsPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/fcontextPage.py selinux-gui-2.8/fcontextPage.py
index 370bbee..e424366 100644
--- selinux-gui-2.8/fcontextPage.py
+++ selinux-gui-2.8/fcontextPage.py
@@ -47,7 +47,7 @@ class context:
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/loginsPage.py selinux-gui-2.8/loginsPage.py
index b67eb8b..cbfb0cc 100644
--- selinux-gui-2.8/loginsPage.py
+++ selinux-gui-2.8/loginsPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/modulesPage.py selinux-gui-2.8/modulesPage.py
index 34c5d9e..627ad95 100644
--- selinux-gui-2.8/modulesPage.py
+++ selinux-gui-2.8/modulesPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/po/Makefile selinux-gui-2.8/po/Makefile
new file mode 100644
index 0000000..a0f5439
--- /dev/null
+++ selinux-gui-2.8/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = gui
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
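Review bot: a few problems in the new po/Makefile: the `$(POTFILE)` recipe ends in `fi; \` followed by an empty line, so the backslash continues the command into nothing (tolerated by GNU make but fragile); `.PHONY: missing depend` names targets that do not exist while the real phony targets (`all`, `clean`, `install`, `refresh-po`, `report`) are not declared; and the trailing `relabel:` target has no recipe. The `%.mo: %.po` rule also sits directly before `report:` with no blank line, which reads as if it were part of that recipe.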
diff --git selinux-gui-2.8/po/POTFILES selinux-gui-2.8/po/POTFILES
new file mode 100644
index 0000000..1795c5c
--- /dev/null
+++ selinux-gui-2.8/po/POTFILES
@@ -0,0 +1,17 @@
+../booleansPage.py
+../domainsPage.py
+../fcontextPage.py
+../loginsPage.py
+../modulesPage.py
+../org.selinux.config.policy
+../polgengui.py
+../polgen.ui
+../portsPage.py
+../selinux-polgengui.desktop
+../semanagePage.py
+../sepolicy.desktop
+../statusPage.py
+../system-config-selinux.desktop
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
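Review bot: this POTFILES mixes Python sources with `.ui`, `.desktop` and `.policy` files, and the `XGETTEXT` definition in the Makefile above passes no `-L`/`--language`, unlike the sandbox po/Makefile in the companion patch which uses `-L Python`; xgettext must then infer the language of each input from its extension, so verify that strings from the non-Python inputs actually land in `gui.pot` rather than being skipped silently.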
diff --git selinux-gui-2.8/polgengui.py selinux-gui-2.8/polgengui.py
index 1601dbe..7e0d9d0 100644
--- selinux-gui-2.8/polgengui.py
+++ selinux-gui-2.8/polgengui.py
@@ -63,7 +63,7 @@ def get_all_modules():
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/portsPage.py selinux-gui-2.8/portsPage.py
index 30f5838..a537ecc 100644
--- selinux-gui-2.8/portsPage.py
+++ selinux-gui-2.8/portsPage.py
@@ -35,7 +35,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/semanagePage.py selinux-gui-2.8/semanagePage.py
index 4127804..5361d69 100644
--- selinux-gui-2.8/semanagePage.py
+++ selinux-gui-2.8/semanagePage.py
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/statusPage.py selinux-gui-2.8/statusPage.py
index 766854b..a8f079b 100644
--- selinux-gui-2.8/statusPage.py
+++ selinux-gui-2.8/statusPage.py
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/system-config-selinux.py selinux-gui-2.8/system-config-selinux.py
index ce7c74b..a81e9dd 100644
--- selinux-gui-2.8/system-config-selinux.py
+++ selinux-gui-2.8/system-config-selinux.py
@@ -45,7 +45,7 @@ import selinux
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git selinux-gui-2.8/usersPage.py selinux-gui-2.8/usersPage.py
index 26794ed..d15d4c5 100644
--- selinux-gui-2.8/usersPage.py
+++ selinux-gui-2.8/usersPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}

selinux-python-2.8.tar.gz (new binary file, contents not shown)

selinux-python-fedora.patch (new file, 1665 lines; diff not shown on this page)

selinux-sandbox-2.8.tar.gz (new binary file, contents not shown)
@ -0,0 +1,141 @@
diff --git selinux-sandbox-2.8/Makefile selinux-sandbox-2.8/Makefile
index 49c1d3f..9e45329 100644
--- selinux-sandbox-2.8/Makefile
+++ selinux-sandbox-2.8/Makefile
@@ -12,6 +12,7 @@ override LDLIBS += -lselinux -lcap-ng
SEUNSHARE_OBJS = seunshare.o
all: sandbox seunshare sandboxX.sh start
+ (cd po && $(MAKE) $@)
seunshare: $(SEUNSHARE_OBJS)
@@ -30,6 +31,7 @@ install: all
install -m 755 start $(DESTDIR)$(SHAREDIR)
-mkdir -p $(DESTDIR)$(SYSCONFDIR)
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
+ (cd po && $(MAKE) $@)
test:
@$(PYTHON) test_sandbox.py -v
diff --git selinux-sandbox-2.8/po/Makefile selinux-sandbox-2.8/po/Makefile
new file mode 100644
index 0000000..0556bbe
--- /dev/null
+++ selinux-sandbox-2.8/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = sandbox
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(POTFILE) $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
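Review bot: unlike the gui po/Makefile in the companion patch, `all::` here also depends on `$(POTFILE)`, so every build runs xgettext and rewrites `sandbox.pot` inside the source tree; that makes the build output depend on the installed gettext version and is a source of non-reproducible packages. Pick one behaviour for both packages, preferably regenerating the .pot only through `refresh-po`. The same `fi; \` trailing-backslash, `.PHONY: missing depend` and empty `relabel:` issues as in the gui Makefile apply here too.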
diff --git selinux-sandbox-2.8/po/POTFILES selinux-sandbox-2.8/po/POTFILES
new file mode 100644
index 0000000..deff3f2
--- /dev/null
+++ selinux-sandbox-2.8/po/POTFILES
@@ -0,0 +1 @@
+../sandbox
diff --git selinux-sandbox-2.8/sandbox selinux-sandbox-2.8/sandbox
index c07a1d8..a051360 100644
--- selinux-sandbox-2.8/sandbox
+++ selinux-sandbox-2.8/sandbox
@@ -37,7 +37,7 @@ import sepolicy
SEUNSHARE = "/usr/sbin/seunshare"
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-sandbox"
try:
import gettext
kwargs = {}
diff --git selinux-sandbox-2.8/sandboxX.sh selinux-sandbox-2.8/sandboxX.sh
index eaa500d..4774528 100644
--- selinux-sandbox-2.8/sandboxX.sh
+++ selinux-sandbox-2.8/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
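Review bot: adding `-reset` to the Xephyr command line is a behaviour change (the nested server resets when its last client disconnects) that is not explained anywhere in this patch; a short comment in sandboxX.sh, or a changelog line, saying why it is needed alongside `-terminate` would keep the next maintainer from removing it. The flags that matter for isolation (`-nolisten tcp`, `-displayfd`) are unchanged.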

semodule-utils-2.8.tar.gz (new binary file, contents not shown)

sepolicy-icons.tgz (new binary file, contents not shown)

@ -0,0 +1,86 @@
From c78f9c355fa7b8c0862149d0a69bd6e5d25bec78 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 10 Jan 2019 10:24:53 -0500
Subject: [PATCH 124/170] setsebool: support use of -P on SELinux-disabled
hosts
As reported in #123, setsebool immediately exits with an error if
SELinux is disabled, preventing its use for setting boolean persistent
values. In contrast, semanage boolean -m works on SELinux-disabled
hosts. Change setsebool so that it can be used with the -P option
(persistent changes) even if SELinux is disabled. In the SELinux-disabled
case, skip setting of active boolean values, but set the persistent value
in the policy store. Policy reload is automatically disabled by libsemanage
when SELinux is disabled, so we only need to call semanage_set_reload()
if -N was used.
Fixes: https://github.com/SELinuxProject/selinux/issues/123
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
policycoreutils-2.8/setsebool/setsebool.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/policycoreutils-2.8/setsebool/setsebool.c b/policycoreutils-2.8/setsebool/setsebool.c
index 53d3566c..a5157efc 100644
--- a/policycoreutils-2.8/setsebool/setsebool.c
+++ b/policycoreutils-2.8/setsebool/setsebool.c
@@ -18,7 +18,7 @@
#include <errno.h>
int permanent = 0;
-int reload = 1;
+int no_reload = 0;
int verbose = 0;
int setbool(char **list, size_t start, size_t end);
@@ -38,11 +38,6 @@ int main(int argc, char **argv)
if (argc < 2)
usage();
- if (is_selinux_enabled() <= 0) {
- fputs("setsebool: SELinux is disabled.\n", stderr);
- return 1;
- }
-
while (1) {
clflag = getopt(argc, argv, "PNV");
if (clflag == -1)
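Review bot: deleting the `is_selinux_enabled() <= 0` guard outright also changes the non-persistent path. Without `-P`, a run on a SELinux-disabled host now falls through to `setbool()` and fails there with whatever error that reports, instead of the explicit "setsebool: SELinux is disabled." diagnostic. Consider moving the check after option parsing and keeping it for the non-persistent case, e.g. `if (!permanent && is_selinux_enabled() <= 0) { fputs("setsebool: SELinux is disabled.\n", stderr); return 1; }`, so the `-P` behaviour described in the commit message is gained without losing the clear message.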
@@ -53,7 +48,7 @@ int main(int argc, char **argv)
permanent = 1;
break;
case 'N':
- reload = 0;
+ no_reload = 1;
break;
case 'V':
verbose = 1;
@@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
semanage_bool_key_t *bool_key = NULL;
int managed;
int result;
+ int enabled = is_selinux_enabled();
handle = semanage_handle_create();
if (handle == NULL) {
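Review bot: `int enabled = is_selinux_enabled();` stores the raw return value, and is_selinux_enabled() returns -1 on error as well as 0 or 1. The guard removed in the earlier hunk treated `<= 0` as disabled, whereas the later `if (enabled && semanage_bool_set_active(...))` treats -1 as enabled and will attempt to set the active value on a host where the status could not be determined. Normalise at the declaration: `int enabled = is_selinux_enabled() > 0;`.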
@@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
boolean) < 0)
goto err;
- if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
+ if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
fprintf(stderr, "Failed to change boolean %s: %m\n",
boollist[j].name);
goto err;
@@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t boolcnt,
boolean = NULL;
}
- semanage_set_reload(handle, reload);
+ if (no_reload)
+ semanage_set_reload(handle, 0);
if (semanage_commit(handle) < 0)
goto err;
--
2.19.1

system-config-selinux.png (binary image, new file, 1.4 KiB)