packages/policycoreutils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 2.9

Browse Source
This commit is contained in:
guoxiaoqi 2020-01-14 22:24:18 +08:00
parent e4e9ae9ad8
commit 8d1061d813
36 changed files with 25 additions and 1790 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
fix-fixfiles-N-date-function-two.patch
View File

@ -1,25 +0,0 @@
From bb3c1505cffc35e1ea310605f0bb9266d52b36b0 Mon Sep 17 00:00:00 2001
From: gulining <gulining1@huawei.com>
Date: Mon, 8 Jul 2019 11:50:39 +0800
Subject: [PATCH] fix fixfiles -N date function
reason: fix fixfiles -N date function
Signed-off-by: gulining <gulining1@huawei.com>
---
policycoreutils-2.8/scripts/fixfiles | 2 +-
1 file changed, 1 insertions(+), 1 deletions(-)
diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
index 48897c3..be51913 100755
--- a/policycoreutils-2.8/scripts/fixfiles
+++ b/policycoreutils-2.8/scripts/fixfiles
@@ -152,7 +152,7 @@ newer() {
shift
LogReadOnly
for m in `echo $FILESYSTEMSRW`; do
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
done;
}

25
fix-fixfiles-N-date-function.patch
View File

@ -1,25 +0,0 @@
From 859bba9dd82ea6fb101ae9686c98a811e3bf98b3 Mon Sep 17 00:00:00 2001
From: gulining <gulining1@huawei.com>
Date: Fri, 5 Jul 2019 16:19:32 +0800
Subject: [PATCH] fix fixfiles -N date function
reason: fix fixfiles -N date function
Signed-off-by: gulining <gulining1@huawei.com>
---
policycoreutils-2.8/scripts/fixfiles | 2 +-
1 file changed, 1 insertions(+), 1 deletions(-)
diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
index 53d28c7..48897c3 100755
--- a/policycoreutils-2.8/scripts/fixfiles
+++ b/policycoreutils-2.8/scripts/fixfiles
@@ -148,7 +148,7 @@ done
# Find files newer then the passed in date and fix the label
#
newer() {
- DATE=$1
+ DATE="$1 $2"
shift
LogReadOnly
for m in `echo $FILESYSTEMSRW`; do

BIN
policycoreutils-2.8.tar.gz
View File

Binary file not shown.

BIN
policycoreutils-2.9.tar.gz Normal file
View File

Binary file not shown.

28
policycoreutils-secon-free-scon_trans-before-returni.patch
View File

@ -1,28 +0,0 @@
From b614069e66eb0cd1d3f8d0c9d0a02db9a63aba0a Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 3 Jun 2018 18:25:40 +0200
Subject: [PATCH 016/170] policycoreutils/secon: free scon_trans before
returning
disp_con() leaks scon_trans if it returns early.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
policycoreutils/secon/secon.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
index 60781394..477057a6 100644
--- a/policycoreutils-2.8/secon/secon.c
+++ b/policycoreutils-2.8/secon/secon.c
@@ -646,6 +646,7 @@ static void disp_con(security_context_t scon_raw)
disp__con_val("clearance", NULL, &color);
if (opts->disp_mlsr)
disp__con_val("mls-range", NULL, &color);
+ freecon(scon_trans);
return;
}
--
2.19.1

113
policycoreutils.spec
View File

@ -1,41 +1,17 @@
%global _python_bytecompile_extra 0
Name: policycoreutils
Version: 2.8
Release: 11
Version: 2.9
Release: 1
Summary: Policy core utilities of selinux
License: GPLv2
URL: https://github.com/SELinuxProject
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-python-2.8.tar.gz
Source3: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-sandbox-2.8.tar.gz
Source4: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-dbus-2.8.tar.gz
Source5: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/semodule-utils-2.8.tar.gz
Source6: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/restorecond-2.8.tar.gz
Patch6000: python-sepolgen-fix-typo-in-PathChoooser-name.patch
Patch6001: policycoreutils-secon-free-scon_trans-before-returni.patch
Patch6002: python-sepolicy-fix-procotol-misspelling.patch
Patch6003: restorecond-Do-not-ignore-the-f-option.patch
Patch6004: python-sepolicy-Fix-info-to-search-aliases-as-well.patch
Patch6005: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
Patch6006: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
Patch6007: python-chcat-use-check_call-instead-of-getstatusoutp.patch
Patch6008: python-chcat-fix-removing-categories-on-users-with-F.patch
Patch6009: python-sepolicy-search-also-for-dontaudit-rules.patch
Patch6010: python-semanage-move-valid_types-initialisations-to-.patch
Patch6011: python-sepolicy-Add-sepolicy.load_store_policy-store.patch
Patch6012: python-semanage-Load-a-store-policy-and-set-the-stor.patch
Patch6013: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
Patch6014: python-audit2allow-allow-using-audit2why-as-non-root.patch
Patch6015: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
Patch6016: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
Patch6017: python-use-or-when-comparing-a-variable-with-a-strin.patch
Patch6018: python-sepolicy-fix-variable-name.patch
Patch6019: python-semanage-seobject-Fix-listing-boolean-values.patch
Patch6020: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
Patch9021: fix-fixfiles-N-date-function.patch
Patch9022: fix-fixfiles-N-date-function-two.patch
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
Source1: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-python-2.9.tar.gz
Source3: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-sandbox-2.9.tar.gz
Source4: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-dbus-2.9.tar.gz
Source5: https://github.com/SELinuxProject/selinux/releases/download/20190315/semodule-utils-2.9.tar.gz
Source6: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-2.9.tar.gz
BuildRequires: pam-devel libsepol-static libsemanage-static libselinux-devel libcap-devel audit-libs-devel gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python2-devel python3-devel libcap-ng-devel
@ -53,26 +29,6 @@ Provides: /sbin/restorecon
%description
It contains the selinux policy core utilities
%package -n python2-policycoreutils
Summary: python2 utilities for seLinux policy core
%{?python_provide:%python_provide python2-policycoreutils}
Requires: policycoreutils = %{version}-%{release}
Requires: python2-libselinux python2-libsemanage
Requires: audit-libs-python2
Requires: python2-IPy
Requires: checkpolicy
Requires: python2-setools >= 4.1.1
BuildArch: noarch
Provides: %{name}-python = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Obsoletes: policycoreutils < 2.0.61-2
%description -n python2-policycoreutils
It contains the python2 policy core utilities for selinux
%package -n python3-policycoreutils
Summary: python3 utilities for seLinux policy core
%{?python_provide:%python_provide python3-policycoreutils}
@ -146,22 +102,21 @@ This contains man files for the using of selinux.
%build
export PYTHON=%{__python3}
make -C policycoreutils-2.8 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-python-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C semodule-utils-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C restorecond-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-sandbox-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-dbus-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C policycoreutils-2.9 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-python-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C semodule-utils-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C restorecond-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-sandbox-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
make -C selinux-dbus-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
%install
mkdir -p %{buildroot}/%{_defaultdocdir}/%{name}/
make -C policycoreutils-2.8 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-python-2.8 PYTHON=%{__python2} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-python-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C semodule-utils-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C restorecond-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-sandbox-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-dbus-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C policycoreutils-2.9 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-python-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C semodule-utils-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C restorecond-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-sandbox-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
make -C selinux-dbus-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
@ -172,14 +127,9 @@ rm -f %{buildroot}/%{_mandir}/ru/man8/run_init.8*
rm -f %{buildroot}/%{_mandir}/man8/run_init.8*
rm -f %{buildroot}/etc/pam.d/run_init*
rm -f %{buildroot}%{python2_sitelib}/sepolicy/gui.*
rm -f %{buildroot}%{python2_sitelib}/sepolicy/sepolicy.glade
rm -rf %{buildroot}%{python2_sitelib}/sepolicy/help
rm -f %{buildroot}%{python3_sitelib}/sepolicy/gui.*
rm -f %{buildroot}%{python3_sitelib}/sepolicy/sepolicy.glade
pathfix.py -i "%{__python2} -Es" -p %{buildroot}%{python2_sitelib}
pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{_sbindir}/semanage %{buildroot}%{_bindir}/sandbox \
%{buildroot}%{_bindir}/chcat %{buildroot}%{_bindir}/audit2allow \
@ -188,7 +138,7 @@ pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{_sbindir}/semanage %{buildroo
%{buildroot}%{_datadir}/system-config-selinux/selinux_server.py
find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%{python2_sitearch} %{buildroot}%{python3_sitearch} \
find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
%{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} -type f -name '*~' | xargs rm -f
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
@ -206,7 +156,7 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%
%files -f %{name}.lang
%license policycoreutils-2.8/COPYING
%license policycoreutils-2.9/COPYING
%doc %{_usr}/share/doc/%{name}
%config(noreplace) %{_sysconfdir}/sestatus.conf
%config(noreplace) %{_sysconfdir}/pam.d/newrole
@ -244,22 +194,6 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%
%dir %{_datadir}/system-config-selinux/__pycache__
%{_datadir}/system-config-selinux/__pycache__/selinux_server.*
%files -n python2-policycoreutils
%{python2_sitelib}/seobject.py*
%{python2_sitelib}/sepolgen
%dir %{python2_sitelib}/sepolicy
%{python2_sitelib}/sepolicy/__init__.py*
%{python2_sitelib}/sepolicy/booleans.py*
%{python2_sitelib}/sepolicy/communicate.py*
%{python2_sitelib}/sepolicy/network.py*
%{python2_sitelib}/sepolicy/transition.py*
%{python2_sitelib}/sepolicy/sedbus.py*
%{python2_sitelib}/sepolicy*.egg-info
%{python2_sitelib}/sepolicy/generate.py*
%{python2_sitelib}/sepolicy/interface.py*
%{python2_sitelib}/sepolicy/manpage.py*
%{python2_sitelib}/sepolicy/templates
%files -n python3-policycoreutils
%{python3_sitelib}/__pycache__
%{python3_sitelib}/sepolgen
@ -297,6 +231,9 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%
%{_mandir}/*
%changelog
* Tue Jan 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.9-1
- update to 2.9
* Fri Dec 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.8-11
- Simplify functions

54
python-audit2allow-allow-using-audit2why-as-non-root.patch
View File

@ -1,54 +0,0 @@
From b2a54258b40b298037cc8ae686d31d7bab714720 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Fri, 21 Dec 2018 21:43:33 +0100
Subject: [PATCH 114/170] python/audit2allow: allow using audit2why as non-root
user
Importing sepolicy as non-root on a system with SELinux causes the
following exception to be raised:
ValueError: No SELinux Policy installed
Ignore this when using audit2why, which allows using it with option
--policy as a non-root user.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/audit2allow/audit2allow | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/selinux-python-2.8/audit2allow/audit2allow b/selinux-python-2.8/audit2allow/audit2allow
index 195f151c..18fe0a53 100644
--- a/selinux-python-2.8/audit2allow/audit2allow
+++ b/selinux-python-2.8/audit2allow/audit2allow
@@ -242,7 +242,10 @@ class AuditToPolicy:
def __output_audit2why(self):
import selinux
- import sepolicy
+ try:
+ import sepolicy
+ except (ImportError, ValueError):
+ sepolicy = None
for i in self.__parser.avc_msgs:
rc = i.type
data = i.data
@@ -262,11 +265,13 @@ class AuditToPolicy:
if len(data) > 1:
print("\tOne of the following booleans was set incorrectly.")
for b in data:
- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
+ if sepolicy is not None:
+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
else:
print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
+ if sepolicy is not None:
+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))
continue
--
2.19.1

62
python-chcat-fix-removing-categories-on-users-with-F.patch
View File

@ -1,62 +0,0 @@
From f39c0ac63749c1c5c140f1b1ad65d5e536bbe894 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 9 Dec 2018 15:23:23 +0100
Subject: [PATCH 091/170] python/chcat: fix removing categories on users with
Fedora default setup
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:
# semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
root unconfined_u s0-s0:c0.c1023 *
vagrant unconfined_u s0-s0:c0.c1023 *
Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:
vagrant unconfined_u s0-s0:c0.c1023,c42 *
This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.
Fix this issue by splitting the list of categories before calling
expandCats().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/chcat/chcat | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat
index 73f75725..5bef0073 100755
--- a/selinux-python-2.8/chcat/chcat
+++ b/selinux-python-2.8/chcat/chcat
@@ -82,8 +82,7 @@ def chcat_user_add(newcat, users):
if len(serange) > 1:
top = serange[1].split(":")
if len(top) > 1:
- cats.append(top[1])
- cats = expandCats(cats)
+ cats = expandCats(top[1].split(','))
for i in newcat[1:]:
if i not in cats:
@@ -163,8 +162,7 @@ def chcat_user_remove(newcat, users):
if len(serange) > 1:
top = serange[1].split(":")
if len(top) > 1:
- cats.append(top[1])
- cats = expandCats(cats)
+ cats = expandCats(top[1].split(','))
for i in newcat[1:]:
if i in cats:
--
2.19.1

162
python-chcat-use-check_call-instead-of-getstatusoutp.patch
View File

@ -1,162 +0,0 @@
From 2923d9d21ee51cbd210c87a1c5bdbd891b332296 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 4 Dec 2018 11:35:40 +0100
Subject: [PATCH 089/170] python/chcat: use check_call instead of
getstatusoutput
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/chcat/chcat | 78 ++++++++++++++++++++++------------------------
1 file changed, 38 insertions(+), 40 deletions(-)
diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat
index 4bd9fc6a..1de92306 100755
--- a/selinux-python-2.8/chcat/chcat
+++ b/selinux-python-2.8/chcat/chcat
@@ -22,10 +22,7 @@
# 02111-1307 USA
#
#
-try:
- from subprocess import getstatusoutput
-except ImportError:
- from commands import getstatusoutput
+import subprocess
import sys
import os
import pwd
@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind):
cat_string = "%s,%s" % (cat_string, c)
else:
cat_string = cat
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+
+ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
+
return errors
@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind):
continue
if len(cat) == 0:
- cmd = 'chcon -l %s %s' % (sensitivity, f)
+ new_serange = sensitivity
else:
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ new_serange = '%s:%s' % (sensitivity, cat)
+
+ cmd = ["chcon", "-l", new_serange, f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users):
add_ind = 1
user = seusers["__default__"]
serange = user[1].split("-")
- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ","))
+ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:]))
if new_serange[-1:] == ":":
new_serange = new_serange[:-1]
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind):
return chcat_user_replace(newcat, objects)
errors = 0
if len(newcat) == 1:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s ' % newcat[0]
+ new_serange = newcat[0]
else:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1])
+ new_serange = "%s:%s" % (newcat[0], newcat[1])
for cat in newcat[2:]:
- cmd = '%s,%s' % (cmd, cat)
+ new_serange = '%s,%s' % (new_serange, cat)
- for f in objects:
- cmd = "%s %s" % (cmd, f)
-
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["chcon", "-l", new_serange] + objects
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
--
2.19.1

58
python-semanage-Load-a-store-policy-and-set-the-stor.patch
View File

@ -1,58 +0,0 @@
From 2d825c616d3d7a7ceee80125e1eff12ad46d2623 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 3 Jan 2019 13:03:39 +0100
Subject: [PATCH 108/170] python/semanage: Load a store policy and set the
store SELinux policy root
When "store" is set, sepolicy needs to load a new policy file and selinux module
needs to set the new store root path.
With this patch, semanage is able to work correctly with non-default -S <store>
even when the default policy is not installed yet.
Fixes:
$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
libsemanage.dbase_llist_query: could not query record value
OSError: [Errno 0] Error
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index 4490e03f..556d3ba5 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -260,6 +260,8 @@ class semanageRecords:
if self.store == "" or self.store == localstore:
self.mylog = logger()
else:
+ sepolicy.load_store_policy(self.store)
+ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store))
self.mylog = nulllogger()
def set_reload(self, load):
@@ -1329,7 +1331,7 @@ class ibpkeyRecords(semanageRecords):
def __init__(self, args = None):
semanageRecords.__init__(self, args)
try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibpkey_type"])
self.valid_types = sorted(str(t) for t in q.results())
except:
pass
@@ -1589,7 +1591,7 @@ class ibendportRecords(semanageRecords):
def __init__(self, args = None):
semanageRecords.__init__(self, args)
try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibendport_type"])
self.valid_types = set(str(t) for t in q.results())
except:
pass
--
2.19.1

129
python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
View File

@ -1,129 +0,0 @@
From 48aeea9ce623ee31e7699181e37221d03d8a1af1 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 16 Oct 2018 12:05:33 +0200
Subject: [PATCH 075/170] python/semanage: Stop rejecting aliases in semanage
commands
Resolves:
\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined
\# seinfo -tsvirt_sandbox_file_t -x
TypeName container_file_t
Aliases
svirt_sandbox_file_t
svirt_lxc_file_t
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index c1467185..5d34cdbe 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -1081,7 +1081,7 @@ class portRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type)
(k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1145,7 +1145,7 @@ class portRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype)
(k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1349,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1411,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
(k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1597,7 +1597,7 @@ class ibendportRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
- if type not in self.valid_types:
+ if sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1658,7 +1658,7 @@ class ibendportRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
(k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
@@ -1847,7 +1847,7 @@ class nodeRecords(semanageRecords):
if ctype == "":
raise ValueError(_("SELinux node type is required"))
- if ctype not in self.valid_types:
+ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -1916,7 +1916,7 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
- if setype and setype not in self.valid_types:
+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype)
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -2235,7 +2235,6 @@ class fcontextRecords(semanageRecords):
try:
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
- valid_types.append("<<none>>")
except RuntimeError:
valid_types = []
@@ -2363,7 +2362,7 @@ class fcontextRecords(semanageRecords):
if type == "":
raise ValueError(_("SELinux Type is required"))
- if type not in self.valid_types:
+ if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -2426,7 +2425,7 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
- if setype and setype not in self.valid_types:
+ if setype not in ["", "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
self.validate(target)
--
2.19.1

82
python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
View File

@ -1,82 +0,0 @@
From 60a928578689126f573618064fd8814445238d3a Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 15 Feb 2019 17:00:25 +0100
Subject: [PATCH 157/170] python/semanage module: Fix handling of -a/-e/-d/-r
options
Previous code traceback-ed when one of the mentioned option was used without
any argument as this state was not handled by the argument parser.
action='store' stores arguments as a list while the original
action='store_const' used str therefore it's needed to convert list to str
before it's sent to moduleRecords class.
Fixes:
^_^ semanage module -a
Traceback (most recent call last):
File "/usr/sbin/semanage", line 963, in <module>
do_parser()
File "/usr/sbin/semanage", line 942, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 608, in handleModule
OBJECT.add(args.module_name, args.priority)
File "/usr/lib/python3.7/site-packages/seobject.py", line 402, in add
if not os.path.exists(file):
File "/usr/lib64/python3.7/genericpath.py", line 19, in exists
os.stat(path)
TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
selinux-python-2.8/semanage/semanage | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage
index 18191c13..d6d68248 100644
--- a/selinux-python-2.8/semanage/semanage
+++ b/selinux-python-2.8/semanage/semanage
@@ -609,14 +609,14 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
OBJECT = seobject.moduleRecords(args)
- if args.action == "add":
- OBJECT.add(args.module_name, args.priority)
- if args.action == "enable":
- OBJECT.set_enabled(args.module_name, True)
- if args.action == "disable":
- OBJECT.set_enabled(args.module_name, False)
- if args.action == "remove":
- OBJECT.delete(args.module_name, args.priority)
+ if args.action_add:
+ OBJECT.add(args.action_add[0], args.priority)
+ if args.action_enable:
+ OBJECT.set_enabled(" ".join(args.action_enable), True)
+ if args.action_disable:
+ OBJECT.set_enabled(" ".join(args.action_disable), False)
+ if args.action_remove:
+ OBJECT.delete(" ".join(args.action_remove), args.priority)
if args.action == "deleteall":
OBJECT.deleteall()
if args.action == "list":
@@ -635,14 +635,13 @@ def setupModuleParser(subparsers):
parser_add_priority(moduleParser, "module")
mgroup = moduleParser.add_mutually_exclusive_group(required=True)
- parser_add_add(mgroup, "module")
parser_add_list(mgroup, "module")
parser_add_extract(mgroup, "module")
parser_add_deleteall(mgroup, "module")
- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module"))
- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module"))
- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module"))
- moduleParser.add_argument('module_name', nargs='?', default=None, help=_('Name of the module to act on'))
+ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module"))
+ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module"))
+ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module"))
+ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module"))
moduleParser.set_defaults(func=handleModule)
--
2.19.1

145
python-semanage-move-valid_types-initialisations-to-.patch
View File

@ -1,145 +0,0 @@
From a73b0bba1a52adec3cfe654f726388a68b73e2d3 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 3 Jan 2019 13:03:36 +0100
Subject: [PATCH 105/170] python/semanage: move valid_types initialisations to
class constructors
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Fixes:
$ sudo semanage
Traceback (most recent call last):
File "/usr/sbin/semanage", line 28, in <module>
import seobject
File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in <module>
class portRecords(semanageRecords):
File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in <genexpr>
return ({
File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results
for attr in self.policy.typeattributes():
AttributeError: 'NoneType' object has no attribute 'typeattributes'
https://github.com/SELinuxProject/selinux/issues/81
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 57 ++++++++++++++++++++++---------------
1 file changed, 34 insertions(+), 23 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index efec0a55..4490e03f 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -1043,13 +1043,15 @@ class seluserRecords(semanageRecords):
class portRecords(semanageRecords):
- try:
- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
- except RuntimeError:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
+ except RuntimeError:
+ pass
def __genkey(self, port, proto):
if proto == "tcp":
@@ -1321,14 +1323,16 @@ class portRecords(semanageRecords):
print(rec)
class ibpkeyRecords(semanageRecords):
- try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
- valid_types = sorted(str(t) for t in q.results())
- except:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
+ self.valid_types = sorted(str(t) for t in q.results())
+ except:
+ pass
def __genkey(self, pkey, subnet_prefix):
if subnet_prefix == "":
@@ -1579,14 +1583,16 @@ class ibpkeyRecords(semanageRecords):
print(rec)
class ibendportRecords(semanageRecords):
- try:
- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
- valid_types = set(str(t) for t in q.results())
- except:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
+ self.valid_types = set(str(t) for t in q.results())
+ except:
+ pass
def __genkey(self, ibendport, ibdev_name):
if ibdev_name == "":
@@ -1823,14 +1829,16 @@ class ibendportRecords(semanageRecords):
print(rec)
class nodeRecords(semanageRecords):
- try:
- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
- except RuntimeError:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
self.protocol = ["ipv4", "ipv6"]
+ try:
+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
+ except RuntimeError:
+ pass
def validate(self, addr, mask, protocol):
newaddr = addr
@@ -2264,14 +2272,17 @@ class interfaceRecords(semanageRecords):
class fcontextRecords(semanageRecords):
- try:
- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
- valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
- except RuntimeError:
- valid_types = []
+
+ valid_types = []
def __init__(self, args = None):
semanageRecords.__init__(self, args)
+ try:
+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
+ self.valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
+ except RuntimeError:
+ pass
+
self.equiv = {}
self.equiv_dist = {}
self.equal_ind = False
--
2.19.1

52
python-semanage-seobject-Fix-listing-boolean-values.patch
View File

@ -1,52 +0,0 @@
From 259ab083fa02aaa9eb385cf6b0de30a1919a817b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 1 Feb 2019 17:49:40 +0100
Subject: [PATCH 144/170] python/semanage/seobject: Fix listing boolean values
Fix gathering boolean values by fixing always False if condition
(determining whether the values are listed from local store).
Fix listing boolean values by printing the correct values and not
forcing the use of security_get_boolean_active (which causes
crash when listing booleans that are not present in active policy).
Fixes:
# dnf install selinux-policy-mls
# cat > mypolicy.cil
(boolean xyz false)
# semodule -i mypolicy.cil -s mls
# semanage boolean -l -S mls
...
irssi_use_full_network (off , off) Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port.
mozilla_plugin_use_bluejeans (off , off) Allow mozilla plugin to use Bluejeans.
OSError: No such file or directory
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
selinux-python-2.8/semanage/seobject.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
index 556d3ba5..b31a90c1 100644
--- a/selinux-python-2.8/semanage/seobject.py
+++ b/selinux-python-2.8/semanage/seobject.py
@@ -2807,7 +2807,7 @@ class booleanRecords(semanageRecords):
value = []
name = semanage_bool_get_name(boolean)
value.append(semanage_bool_get_value(boolean))
- if self.modify_local and boolean in self.current_booleans:
+ if self.modify_local and name in self.current_booleans:
value.append(selinux.security_get_boolean_pending(name))
value.append(selinux.security_get_boolean_active(name))
else:
@@ -2849,4 +2849,4 @@ class booleanRecords(semanageRecords):
print("%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description")))
for k in sorted(ddict.keys()):
if ddict[k]:
- print("%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k)))
+ print("%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k)))
--
2.19.1

47
python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
View File

@ -1,47 +0,0 @@
From 33d7a761e53c7828ab89821fd7f7b5c6ada81635 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Fri, 21 Dec 2018 21:43:30 +0100
Subject: [PATCH 111/170] python/sepolgen: close /etc/selinux/sepolgen.conf
after parsing it
sepolgen testsuite reports the following warning on a system with
/etc/selinux/sepolgen.conf:
.../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file
<_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r'
encoding='UTF-8'>
Fix this by properly closing the file in PathChooser.__init__().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/sepolgen/src/sepolgen/defaults.py | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
index 199acfaf..533a9041 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
@@ -32,12 +32,13 @@ class PathChooser(object):
self.config_pathname = pathname
ignore = re.compile(r"^\s*(?:#.+)?$")
consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
- for lineno, line in enumerate(open(pathname)):
- if ignore.match(line): continue
- mo = consider.match(line)
- if not mo:
- raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
- self.config[mo.group(1)] = mo.group(2)
+ with open(pathname, "r") as fd:
+ for lineno, line in enumerate(fd):
+ if ignore.match(line): continue
+ mo = consider.match(line)
+ if not mo:
+ raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
+ self.config[mo.group(1)] = mo.group(2)
# We're only exporting one useful function, so why not be a function
def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
--
2.19.1

39
python-sepolgen-fix-typo-in-PathChoooser-name.patch
View File

@ -1,39 +0,0 @@
From 91ef21e31fac00607112f41027053dc1120a7e14 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sun, 3 Jun 2018 18:25:38 +0200
Subject: [PATCH 014/170] python/sepolgen: fix typo in PathChoooser name
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
index 95910639..199acfaf 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
@@ -22,7 +22,7 @@ import re
# Select the correct location for the development files based on a
# path variable (optionally read from a configuration file)
-class PathChoooser(object):
+class PathChooser(object):
def __init__(self, pathname):
self.config = dict()
if not os.path.exists(pathname):
@@ -68,10 +68,10 @@ def attribute_info():
return data_dir() + "/attribute_info"
def refpolicy_makefile():
- chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+ chooser = PathChooser("/etc/selinux/sepolgen.conf")
return chooser("Makefile")
def headers():
- chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+ chooser = PathChooser("/etc/selinux/sepolgen.conf")
return chooser("include")
--
2.19.1

35
python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
View File

@ -1,35 +0,0 @@
From 916640d786b5896fbf75d219e16422c9a48529ab Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sat, 5 Jan 2019 20:37:58 +0100
Subject: [PATCH 119/170] python/sepolgen: refpolicy installs its Makefile in
include/Makefile
When running "make install-headers" on refpolicy,
/usr/share/selinux/refpolicy/Makefile does not exist but
/usr/share/selinux/refpolicy/include/Makefile does. Use it when
available.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
index 533a9041..6e800695 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
@@ -70,7 +70,10 @@ def attribute_info():
def refpolicy_makefile():
chooser = PathChooser("/etc/selinux/sepolgen.conf")
- return chooser("Makefile")
+ result = chooser("Makefile")
+ if not os.path.exists(result):
+ result = chooser("include/Makefile")
+ return result
def headers():
chooser = PathChooser("/etc/selinux/sepolgen.conf")
--
2.19.1

50
python-sepolicy-Add-sepolicy.load_store_policy-store.patch
View File

@ -1,50 +0,0 @@
From ef359c97c98a8b347c7379a605acff1b2305ee28 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 3 Jan 2019 13:03:38 +0100
Subject: [PATCH 107/170] python/sepolicy: Add
sepolicy.load_store_policy(store)
load_store_policy() allows to (re)load SELinux policy based on a store name. It
is useful when SELinux is disabled and default policy is not installed; or when
a user wants to query or manipulate another policy.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index fbeb731d..b69a6b94 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -129,6 +129,13 @@ def get_installed_policy(root="/"):
pass
raise ValueError(_("No SELinux Policy installed"))
+def get_store_policy(store, root="/"):
+ try:
+ policies = glob.glob("%s%s/policy/policy.*" % (selinux.selinux_path(), store))
+ policies.sort()
+ return policies[-1]
+ except:
+ return None
def policy(policy_file):
global all_domains
@@ -156,6 +163,11 @@ def policy(policy_file):
except:
raise ValueError(_("Failed to read %s policy file") % policy_file)
+def load_store_policy(store):
+ policy_file = get_store_policy(store)
+ if not policy_file:
+ return None
+ policy(policy_file)
try:
policy_file = get_installed_policy()
--
2.19.1

44
python-sepolicy-Fix-info-to-search-aliases-as-well.patch
View File

@ -1,44 +0,0 @@
From 448f5a9257f76645bcff6881de3bb9a0f313c545 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 16 Oct 2018 12:05:31 +0200
Subject: [PATCH 073/170] python/sepolicy: Fix "info" to search aliases as well
Restore previous behaviour of "sepolicy.info()".
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index 5d0535b9..d8c9decc 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -168,15 +168,21 @@ except ValueError as e:
def info(setype, name=None):
if setype == TYPE:
q = setools.TypeQuery(_pol)
- if name:
- q.name = name
+ q.name = name
+ results = list(q.results())
+
+ if name and len(results) < 1:
+ # type not found, try alias
+ q.name = None
+ q.alias = name
+ results = list(q.results())
return ({
'aliases': list(map(str, x.aliases())),
'name': str(x),
'permissive': bool(x.ispermissive),
'attributes': list(map(str, x.attributes()))
- } for x in q.results())
+ } for x in results)
elif setype == ROLE:
q = setools.RoleQuery(_pol)
--
2.19.1

96
python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
View File

@ -1,96 +0,0 @@
From 4c63b8e7b691bf8fc09ccd5a35ce420effaeb16b Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 22 Oct 2018 17:43:12 +0200
Subject: [PATCH 074/170] python/sepolicy: Stop rejecting aliases in sepolicy
commands
Fix CheckDomain and CheckPortType classes to properly deal with aliases.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1600009
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
selinux-python-2.8/sepolicy/sepolicy.py | 8 +++-----
selinux-python-2.8/sepolicy/sepolicy/__init__.py | 18 +++++++++++++++++-
2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/selinux-python-2.8/sepolicy/sepolicy.py b/selinux-python-2.8/sepolicy/sepolicy.py
index a000c1ad..01380fbe 100755
--- a/selinux-python-2.8/sepolicy/sepolicy.py
+++ b/selinux-python-2.8/sepolicy/sepolicy.py
@@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
class CheckType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- domains = sepolicy.get_all_domains()
-
if isinstance(values, str):
setattr(namespace, self.dest, values)
else:
@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
domains = sepolicy.get_all_domains()
if isinstance(values, str):
- if values not in domains:
+ if sepolicy.get_real_type_name(values) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
setattr(namespace, self.dest, values)
else:
@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
newval = []
for v in values:
- if v not in domains:
+ if sepolicy.get_real_type_name(v) not in domains:
raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
newval.append(v)
setattr(namespace, self.dest, newval)
@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
if not newval:
newval = []
for v in values:
- if v not in port_types:
+ if sepolicy.get_real_type_name(v) not in port_types:
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
newval.append(v)
setattr(namespace, self.dest, values)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index d8c9decc..b18683e4 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -447,6 +447,22 @@ def get_file_types(setype):
return mpaths
+def get_real_type_name(name):
+ """Return the real name of a type
+
+ * If 'name' refers to a type, return the same name.
+ * If 'name' refers to a type alias, return the corresponding type name.
+ * Otherwise return None.
+ """
+ if not name:
+ return None
+
+ try:
+ return next(info(TYPE, name))["name"]
+ except (RuntimeError, StopIteration):
+ return None
+
+
def get_writable_files(setype):
file_types = get_all_file_types()
all_writes = []
@@ -1061,7 +1077,7 @@ def gen_short_name(setype):
domainname = setype[:-2]
else:
domainname = setype
- if domainname + "_t" not in all_domains:
+ if get_real_type_name(domainname + "_t") not in all_domains:
raise ValueError("domain %s_t does not exist" % domainname)
if domainname[-1] == 'd':
short_name = domainname[:-1] + "_"
--
2.19.1

32
python-sepolicy-fix-procotol-misspelling.patch
View File

@ -1,32 +0,0 @@
From 8fac024785299725b714ad6ac8a265e16bc125c9 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sat, 4 Aug 2018 14:07:47 +0200
Subject: [PATCH 042/170] python/sepolicy: fix "procotol" misspelling
procotol -> protocol
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/gui.py:2525:132: F821 undefined name 'procotol'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
python/sepolicy/sepolicy/gui.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 16f24a0a..6933f6a1 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/gui.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py
@@ -2522,7 +2522,7 @@ class SELinuxGui():
if self.cur_dict[k][(port, protocol)]["action"] == "-d":
update_buffer += "port -d -p %s %s\n" % (protocol, port)
else:
- update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], procotol, port)
+ update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], protocol, port)
return update_buffer
--
2.19.1

33
python-sepolicy-fix-variable-name.patch
View File

@ -1,33 +0,0 @@
From ae03c821b798b346d1012d1defd61e665bb0d890 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Thu, 31 Jan 2019 20:46:40 +0100
Subject: [PATCH 136/170] python/sepolicy: fix variable name
modify_button_clicked() used variable "type" in a comparison instead of
"ftype". This is a bug, which has been found with flake8 3.7.0. This
linter reported:
python/sepolicy/sepolicy/gui.py:1548:20: F823 local variable 'type'
{0} referenced before assignment
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/sepolicy/sepolicy/gui.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/gui.py b/selinux-python-2.8/sepolicy/sepolicy/gui.py
index fde233ad..d4bf3b48 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/gui.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py
@@ -1545,7 +1545,7 @@ class SELinuxGui():
path = self.executable_files_liststore.get_value(iter, 0)
self.files_path_entry.set_text(path)
ftype = self.executable_files_liststore.get_value(iter, 1)
- if type != None:
+ if ftype != None:
self.combo_set_active_text(self.files_type_combobox, ftype)
tclass = self.executable_files_liststore.get_value(iter, 2)
if tclass != None:
--
2.19.1

34
python-sepolicy-search-also-for-dontaudit-rules.patch
View File

@ -1,34 +0,0 @@
From 5013d2ba9774b876d906f9196fc6f75b1f2f5237 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 18 Sep 2018 15:12:59 +0200
Subject: [PATCH 093/170] python/sepolicy: search() also for dontaudit rules
dontaudit rules were accidentally dropped during rewrite to SETools 4 API in
97d5f6a2
Fixes:
>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
python/sepolicy/sepolicy/__init__.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
index cd7af7cf..fbeb731d 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
@@ -344,6 +344,8 @@ def search(types, seinfo=None):
tertypes.append(NEVERALLOW)
if AUDITALLOW in types:
tertypes.append(AUDITALLOW)
+ if DONTAUDIT in types:
+ tertypes.append(DONTAUDIT)
if len(tertypes) > 0:
q = setools.TERuleQuery(_pol,
--
2.19.1

344
python-use-or-when-comparing-a-variable-with-a-strin.patch
View File

@ -1,344 +0,0 @@
From f906ae66a4362345cccf2b93feccd4c045894ed7 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Thu, 31 Jan 2019 20:44:44 +0100
Subject: [PATCH 135/170] python: use == or != when comparing a variable with a
string or a integer
Flake8 3.7.0 added a new fatal error message when parsing Python files:
python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals
python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals
...
python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals
Fix all these warnings.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
selinux-python-2.8/semanage/semanage | 118 ++++++++++++-------------
selinux-python-2.8/sepolgen/src/sepolgen/output.py | 6 +-
selinux-python-2.8/sepolicy/sepolicy/generate.py | 4 +-
3 files changed, 64 insertions(+), 64 deletions(-)
diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage
index 49add51e..6afeac14 100644
--- a/selinux-python-2.8/semanage/semanage
+++ b/selinux-python-2.8/semanage/semanage
@@ -109,7 +109,7 @@ class SetExportFile(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
if values:
- if values is not "-":
+ if values != "-":
try:
sys.stdout = open(values, 'w')
except:
@@ -121,7 +121,7 @@ class SetExportFile(argparse.Action):
class SetImportFile(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
- if values and values is not "-":
+ if values and values != "-":
try:
sys.stdin = open(values, 'r')
except IOError as e:
@@ -189,17 +189,17 @@ def handleLogin(args):
OBJECT = object_dict['login'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.login, args.seuser, args.range)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.login, args.seuser, args.range)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.login)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("login %s" % (str(i)))
@@ -322,26 +322,26 @@ def handleFcontext(args):
OBJECT = object_dict['fcontext'](args)
- if args.action is "add":
+ if args.action == "add":
if args.equal:
OBJECT.add_equal(args.file_spec, args.equal)
else:
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
- if args.action is "modify":
+ if args.action == "modify":
if args.equal:
OBJECT.add_equal(args.file_spec, args.equal)
else:
OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
- if args.action is "delete":
+ if args.action == "delete":
if args.equal:
OBJECT.delete(args.file_spec, args.equal)
else:
OBJECT.delete(args.file_spec, args.ftype)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("fcontext %s" % str(i))
@@ -390,17 +390,17 @@ def handleUser(args):
OBJECT = object_dict['user'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.selinux_name, args.roles, args.level, args.range, args.prefix)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.selinux_name)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("user %s" % str(i))
@@ -440,17 +440,17 @@ def handlePort(args):
OBJECT = object_dict['port'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.port, args.proto, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.port, args.proto, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.port, args.proto)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("port %s" % str(i))
@@ -485,17 +485,17 @@ def handlePkey(args):
OBJECT = object_dict['ibpkey'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.ibpkey, args.subnet_prefix, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.ibpkey, args.subnet_prefix)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("ibpkey %s" % str(i))
@@ -528,17 +528,17 @@ def handleIbendport(args):
OBJECT = object_dict['ibendport'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.ibendport, args.ibdev_name, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.ibendport, args.ibdev_name)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("ibendport %s" % str(i))
@@ -571,17 +571,17 @@ def handleInterface(args):
OBJECT = object_dict['interface'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.interface, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.interface, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.interface)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("interface %s" % str(i))
@@ -617,11 +617,11 @@ def handleModule(args):
OBJECT.set_enabled(args.module_name, False)
if args.action == "remove":
OBJECT.delete(args.module_name, args.priority)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("module %s" % str(i))
@@ -652,17 +652,17 @@ def handleNode(args):
OBJECT = object_dict['node'](args)
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
- if args.action is "modify":
+ if args.action == "modify":
OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.node, args.netmask, args.proto)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("node %s" % str(i))
@@ -698,14 +698,14 @@ def handleBoolean(args):
OBJECT = object_dict['boolean'](args)
- if args.action is "modify":
+ if args.action == "modify":
if args.boolean:
OBJECT.modify(args.boolean, args.state, False)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "deleteall":
+ if args.action == "deleteall":
OBJECT.deleteall()
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("boolean %s" % str(i))
@@ -736,12 +736,12 @@ def setupBooleanParser(subparsers):
def handlePermissive(args):
OBJECT = object_dict['permissive'](args)
- if args.action is "list":
+ if args.action == "list":
OBJECT.list(args.noheading)
elif args.type is not None:
- if args.action is "add":
+ if args.action == "add":
OBJECT.add(args.type)
- if args.action is "delete":
+ if args.action == "delete":
OBJECT.delete(args.type)
else:
args.parser.print_usage(sys.stderr)
diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/output.py b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
index 7a83aee4..3a21b64c 100644
--- a/selinux-python-2.8/sepolgen/src/sepolgen/output.py
+++ b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
@@ -74,13 +74,13 @@ def id_set_cmp(x, y):
# Compare two avrules
def avrule_cmp(a, b):
ret = id_set_cmp(a.src_types, b.src_types)
- if ret is not 0:
+ if ret != 0:
return ret
ret = id_set_cmp(a.tgt_types, b.tgt_types)
- if ret is not 0:
+ if ret != 0:
return ret
ret = id_set_cmp(a.obj_classes, b.obj_classes)
- if ret is not 0:
+ if ret != 0:
return ret
# At this point, who cares - just return something
diff --git a/selinux-python-2.8/sepolicy/sepolicy/generate.py b/selinux-python-2.8/sepolicy/sepolicy/generate.py
index 37ddfc7a..5a2195b8 100644
--- a/selinux-python-2.8/sepolicy/sepolicy/generate.py
+++ b/selinux-python-2.8/sepolicy/sepolicy/generate.py
@@ -643,7 +643,7 @@ allow %s_t %s_t:%s_socket name_%s;
def __find_path(self, file):
for d in self.DEFAULT_DIRS:
- if file.find(d) is 0:
+ if file.find(d) == 0:
self.DEFAULT_DIRS[d][1].append(file)
return self.DEFAULT_DIRS[d]
self.DEFAULT_DIRS["rw"][1].append(file)
@@ -1346,7 +1346,7 @@ allow %s_t %s_t:%s_socket name_%s;
else:
continue
- if len(temp_dirs) is not 0:
+ if len(temp_dirs) != 0:
for i in temp_dirs:
if i in self.dirs.keys():
del(self.dirs[i])
--
2.19.1

BIN
restorecond-2.8.tar.gz
View File

Binary file not shown.

BIN
restorecond-2.9.tar.gz Normal file
View File

Binary file not shown.

40
restorecond-Do-not-ignore-the-f-option.patch
View File

@ -1,40 +0,0 @@
From 385ef2cdc679fdc79f0876f544c6e555ae9f59dc Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 3 Oct 2018 16:42:59 +0200
Subject: [PATCH 064/170] restorecond: Do not ignore the -f option
Since the default value of watch_file is set unconditionally *after* the
command-line arguments have been parsed, the -f option is (and has
always been) effectively ignored. Fix this by setting it before the
parsing.
Fixes: 48681bb49c03 ("policycoreutils: restorecond: make restorecond dbuss-able")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
restorecond/restorecond.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
index e1d26cb9..7b984b29 100644
--- a/restorecond-2.8/restorecond.c
+++ b/restorecond-2.8/restorecond.c
@@ -148,6 +148,8 @@ int main(int argc, char **argv)
if (is_selinux_enabled() != 1)
return 0;
+ watch_file = server_watch_file;
+
/* Set all options to zero/NULL except for ignore_noent & digest. */
memset(&r_opts, 0, sizeof(r_opts));
r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
@@ -205,7 +207,6 @@ int main(int argc, char **argv)
return 0;
}
- watch_file = server_watch_file;
read_config(master_fd, watch_file);
if (!debug_mode) {
--
2.19.1

BIN
selinux-dbus-2.8.tar.gz
View File

Binary file not shown.

BIN
selinux-dbus-2.9.tar.gz Normal file
View File

Binary file not shown.

BIN
selinux-python-2.8.tar.gz
View File

Binary file not shown.

BIN
selinux-python-2.9.tar.gz Normal file
View File

Binary file not shown.

BIN
selinux-sandbox-2.8.tar.gz
View File

Binary file not shown.

BIN
selinux-sandbox-2.9.tar.gz Normal file
View File

Binary file not shown.

BIN
semodule-utils-2.8.tar.gz
View File

Binary file not shown.

BIN
semodule-utils-2.9.tar.gz Normal file
View File

Binary file not shown.

86
setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
View File

@ -1,86 +0,0 @@
From c78f9c355fa7b8c0862149d0a69bd6e5d25bec78 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 10 Jan 2019 10:24:53 -0500
Subject: [PATCH 124/170] setsebool: support use of -P on SELinux-disabled
hosts
As reported in #123, setsebool immediately exits with an error if
SELinux is disabled, preventing its use for setting boolean persistent
values. In contrast, semanage boolean -m works on SELinux-disabled
hosts. Change setsebool so that it can be used with the -P option
(persistent changes) even if SELinux is disabled. In the SELinux-disabled
case, skip setting of active boolean values, but set the persistent value
in the policy store. Policy reload is automatically disabled by libsemanage
when SELinux is disabled, so we only need to call semanage_set_reload()
if -N was used.
Fixes: https://github.com/SELinuxProject/selinux/issues/123
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
policycoreutils-2.8/setsebool/setsebool.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/policycoreutils-2.8/setsebool/setsebool.c b/policycoreutils-2.8/setsebool/setsebool.c
index 53d3566c..a5157efc 100644
--- a/policycoreutils-2.8/setsebool/setsebool.c
+++ b/policycoreutils-2.8/setsebool/setsebool.c
@@ -18,7 +18,7 @@
#include <errno.h>
int permanent = 0;
-int reload = 1;
+int no_reload = 0;
int verbose = 0;
int setbool(char **list, size_t start, size_t end);
@@ -38,11 +38,6 @@ int main(int argc, char **argv)
if (argc < 2)
usage();
- if (is_selinux_enabled() <= 0) {
- fputs("setsebool: SELinux is disabled.\n", stderr);
- return 1;
- }
-
while (1) {
clflag = getopt(argc, argv, "PNV");
if (clflag == -1)
@@ -53,7 +48,7 @@ int main(int argc, char **argv)
permanent = 1;
break;
case 'N':
- reload = 0;
+ no_reload = 1;
break;
case 'V':
verbose = 1;
@@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
semanage_bool_key_t *bool_key = NULL;
int managed;
int result;
+ int enabled = is_selinux_enabled();
handle = semanage_handle_create();
if (handle == NULL) {
@@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
boolean) < 0)
goto err;
- if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
+ if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
fprintf(stderr, "Failed to change boolean %s: %m\n",
boollist[j].name);
goto err;
@@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t boolcnt,
boolean = NULL;
}
- semanage_set_reload(handle, reload);
+ if (no_reload)
+ semanage_set_reload(handle, 0);
if (semanage_commit(handle) < 0)
goto err;
--
2.19.1