Hello community, here is the log from the commit of package policycoreutils for openSUSE:Factory checked in at 2013-03-08 09:38:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old) and /work/SRC/openSUSE:Factory/.policycoreutils.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "policycoreutils", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes 2012-12-19 11:51:43.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.policycoreutils.new/policycoreutils.changes 2013-03-08 09:38:49.000000000 +0100 @@ -1,0 +2,9 @@ +Wed Jan 30 12:10:23 UTC 2013 - [email protected] + +- update to 2.1.13 + - drop policycoreutils-po.patch.bz2 (updated upstream) + - drop policycoreutils-gui.patch.bz2 (added to upstream) + - drop sandbox init scripts (shouldn't be needed anymore) + - numerous other changes + +------------------------------------------------------------------- Old: ---- policycoreutils-2.1.10.tar.gz sepolgen-1.1.5.tar.gz New: ---- policycoreutils-2.1.13.tar.gz sepolgen-1.1.8.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ policycoreutils.spec ++++++ --- /var/tmp/diff_new_pack.0QOGkD/_old 2013-03-08 09:38:50.000000000 +0100 +++ /var/tmp/diff_new_pack.0QOGkD/_new 2013-03-08 09:38:50.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package policycoreutils # -# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,13 +17,13 @@ %define libaudit_ver 1.4.2 -%define libsepol_ver 2.1.4 -%define libsemanage_ver 2.0.43 -%define libselinux_ver 2.0.90 -%define sepolgen_ver 1.1.5 +%define libsepol_ver 2.1.8 +%define libsemanage_ver 2.1.9 +%define libselinux_ver 2.1.12 +%define sepolgen_ver 1.1.8 Name: policycoreutils -Version: 2.1.10 +Version: 2.1.13 Release: 0 Url: http://userspace.selinuxproject.org/ Summary: SELinux policy core utilities 
@@ -39,8 +39,6 @@ Source7: selinux-polgengui.console Source8: policycoreutils_man_ru2.tar.bz2 Source9: restorecond.service -Patch1: policycoreutils-po.patch.bz2 -Patch2: policycoreutils-gui.patch.bz2 Patch4: policycoreutils-initscript.patch Patch5: policycoreutils-pam-common.patch Patch6: policycoreutils-glibc217.patch @@ -68,6 +66,9 @@ Requires: python-selinux Requires: rpm Requires: util-linux +# we need selinuxenabled +Requires(post): selinux-tools + %{?systemd_requires} Recommends: %{name}-lang @@ -92,9 +93,6 @@ %prep %setup -q -a 1 -#%patch0 -p2 -%patch1 -p1 -%patch2 -p1 %patch4 %patch5 %patch6 -p2 @@ -132,7 +130,6 @@ ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui ln -sf %{_initddir}/restorecond %{buildroot}%{_sbindir}/rcrestorecond -ln -sf %{_initddir}/sandbox %{buildroot}%{_sbindir}/rcsandbox mkdir -p %{buildroot}/var/adm/fillup-templates/ mv %{buildroot}/%{_sysconfdir}/sysconfig/sandbox %{buildroot}/var/adm/fillup-templates/sysconfig.sandbox rmdir %{buildroot}/%{_sysconfdir}/sysconfig @@ -180,6 +177,9 @@ %{_mandir}/man5/sandbox* %{_mandir}/man8/semanage.8* %{_mandir}/ru/man8/semanage.8* +%dir %{_sysconfdir}/bash_completion.d +%{_sysconfdir}/bash_completion.d/semanage-bash-completion.sh +%{_sysconfdir}/bash_completion.d/setsebool-bash-completion.sh %post python selinuxenabled && [ -f %{_datadir}/selinux/devel/include/build.conf ] && %{_bindir}/sepolgen-ifgen 2>/dev/null @@ -197,8 +197,6 @@ %files sandbox %defattr(-,root,root,-) -%{_initddir}/sandbox -%{_sbindir}/rcsandbox %attr(0755,root,root) %{_sbindir}/seunshare %dir %{_datadir}/sandbox %{_datadir}/sandbox/sandboxX.sh 
@@ -206,21 +204,6 @@ /var/adm/fillup-templates/sysconfig.sandbox %doc %{_mandir}/man8/seunshare.8* -%post sandbox -%fillup_and_insserv sandbox - -%preun sandbox -if [ "$1" -eq "0" ]; then - %stop_on_removal sandbox - %insserv_cleanup -fi - -%postun sandbox -if [ "$1" -ge "1" ]; then - %restart_on_update sandbox - %insserv_cleanup -fi - %package newrole Summary: The newrole application for RBAC/MLS Group: Productivity/Security @@ -262,16 +245,16 @@ %defattr(-,root,root) %{_bindir}/system-config-selinux %{_bindir}/selinux-polgengui -#%{_bindir}/sepolgen +%{_bindir}/sepolgen %{_datadir}/applications/selinux-polgengui.desktop %{_datadir}/applications/system-config-selinux.desktop %{_datadir}/pixmaps/system-config-selinux.png -#%dir %{_datadir}/system-config-selinux -#%dir %{_datadir}/system-config-selinux/templates -#%{_datadir}/system-config-selinux/*.py* +%dir %{_datadir}/system-config-selinux +%dir %{_datadir}/system-config-selinux/templates +%{_datadir}/system-config-selinux/*.py* #%{_datadir}/system-config-selinux/selinux.tbl -#%{_datadir}/system-config-selinux/*.glade -#%{_datadir}/system-config-selinux/templates/*.py* +%{_datadir}/system-config-selinux/*.glade +%{_datadir}/system-config-selinux/templates/*.py* %config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux %config(noreplace) %{_sysconfdir}/pam.d/selinux-polgengui %dir %{_sysconfdir}/security/console.apps ++++++ policycoreutils-2.1.10.tar.gz -> policycoreutils-2.1.13.tar.gz ++++++ ++++ 305745 lines of diff (skipped) ++++++ sepolgen-1.1.5.tar.gz -> sepolgen-1.1.8.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/ChangeLog new/sepolgen-1.1.8/ChangeLog --- old/sepolgen-1.1.5/ChangeLog 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/ChangeLog 2012-09-14 19:41:22.000000000 +0200 
@@ -1,3 +1,18 @@ +1.1.8 2012-09-13 + * Allow returning of bastard matches + * sepolgen: return and output constraint violation information + * audit2allow: one role/type pair per line + +1.1.7 2012-06-28 + * Make use of setools optional within sepolgen + * We need to support files that have a + in them + +1.1.6 2012-03-28 + * Fix dead links to www.nsa.gov/selinux + * audit.py Dont crash if empty data is passed to sepolgen + * do not use md5 when calculating hash signatures + * fix detection of policy loads + 1.1.5 2011-12-21 * better analysis of why things broke diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/HACKING new/sepolgen-1.1.8/HACKING --- old/sepolgen-1.1.5/HACKING 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/HACKING 2012-09-14 19:41:22.000000000 +0200 @@ -76,4 +76,4 @@ is separated to keep the core from being concerned about the details of the object classes. -[selist]: http://www.nsa.gov/selinux/info/list.cfm \ No newline at end of file +[selist]: http://www.nsa.gov/research/selinux/info/list.cfm diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/VERSION new/sepolgen-1.1.8/VERSION --- old/sepolgen-1.1.5/VERSION 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/VERSION 2012-09-14 19:41:22.000000000 +0200 @@ -1 +1 @@ -1.1.5 +1.1.8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/access.py new/sepolgen-1.1.8/src/sepolgen/access.py --- old/sepolgen-1.1.5/src/sepolgen/access.py 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/src/sepolgen/access.py 2012-09-14 19:41:22.000000000 +0200 @@ -87,7 +87,7 @@ self.perms = refpolicy.IdSet() self.audit_msgs = [] self.type = audit2why.TERULE - self.bools = [] + self.data = [] # The direction of the information flow represented by this # access vector - used for matching 
@@ -256,7 +256,7 @@ for av in l: self.add_av(AccessVector(av)) - def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]): + def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]): """Add an access vector to the set. """ tgt = self.src.setdefault(src_type, { }) @@ -269,7 +269,7 @@ access.src_type = src_type access.tgt_type = tgt_type access.obj_class = obj_class - access.bools = bools + access.data = data access.type = avc_type cls[obj_class, avc_type] = access diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/audit.py new/sepolgen-1.1.8/src/sepolgen/audit.py --- old/sepolgen-1.1.5/src/sepolgen/audit.py 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/src/sepolgen/audit.py 2012-09-14 19:41:22.000000000 +0200 @@ -20,6 +20,7 @@ import refpolicy import access import re +import sys # Convenience functions @@ -172,7 +173,6 @@ self.accesses = [] self.denial = True self.type = audit2why.TERULE - self.bools = [] def __parse_access(self, recs, start): # This is kind of sucky - the access that is in a space separated @@ -240,10 +240,12 @@ tcontext = self.tcontext.to_string() scontext = self.scontext.to_string() access_tuple = tuple( self.accesses) + self.data = [] + if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys(): - self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)] + self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)] else: - self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); + self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); if self.type == audit2why.NOPOLICY: self.type = audit2why.TERULE if self.type == audit2why.BADTCON: 
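Review bot: `data=[]` in the new `add` signature is a mutable default, and the `@@ -269` hunk stores that very list on every AccessVector created without an explicit argument (`access.data = data`), so an in-place change to one vector's `data` shows up on every other vector built the same way. Change the signature to `data=None` and the assignment to `access.data = [] if data is None else data`; the rename from `bools` is otherwise mechanical. The attribute is also less self-describing now; a docstring line such as `data: for BOOLEAN avcs the entries audit2why returned (policygen reads element [0] as the boolean name); for CONSTRAINT avcs the names of the context fields that differ` would keep that knowledge next to the code — confirm the BOOLEAN element shape against audit2why, which is not visible here. The body of `add` continues between and after the two hunks.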
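Review bot: Removing `self.bools = []` from the constructor in the `@@ -172` hunk while the replacement `self.data = []` is assigned only inside the analysis method in the `@@ -240` hunk means an AVCMessage has no `data` attribute until that method has run. `parse()` later reads `avc.data` unconditionally (the `@@ -501` hunk), so whether every message is analysed before that point decides between correct output and an AttributeError; the caller is not visible from these hunks. Keeping `self.data = []` in the constructor as well costs nothing and removes the dependency on call order. The analysis method's header lies outside the `@@ -240` hunk.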
@@ -257,7 +259,16 @@ if self.type == audit2why.BADCOMPUTE: raise ValueError("Error during access vector computation") - avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools) + if self.type == audit2why.CONSTRAINT: + self.data = [] + if self.scontext.user != self.tcontext.user: + self.data.append("user") + if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r": + self.data.append("role") + if self.scontext.level != self.tcontext.level: + self.data.append("level") + + avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data) class PolicyLoadMessage(AuditMessage): """Audit message indicating that the policy was reloaded.""" @@ -343,6 +354,7 @@ self.policy_load_msgs = [] self.path_msgs = [] self.by_header = { } + self.check_input_file = False # Low-level parsing function - tries to determine if this audit # message is an SELinux related message and then parses it into @@ -378,6 +390,7 @@ found = True if found: + self.check_input_file = True try: msg.from_split_string(rec) except ValueError: @@ -447,6 +460,9 @@ while line: self.__parse(line) line = input.readline() + if not self.check_input_file: + sys.stderr.write("Nothing to do\n") + sys.exit(0) self.__post_process() def parse_string(self, input): 
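Review bot: The new `sys.exit(0)` in `parse_file` terminates the interpreter from inside a library method, so a program that drives AuditParser itself (rather than through the audit2allow command) loses control after a "Nothing to do" message and exits with status 0. Prefer `raise ValueError("no SELinux audit messages found in input")` — or simply `return` after the message — and leave exiting to the command-line entry point; the flag is initialised in the `@@ -343` hunk and set in the `@@ -378` hunk. Note that `check_input_file` appears to be set only when a record matched a known message type (`if found:`), so it means "no recognised SELinux records", not "empty file"; the name and the message could say so. The `__parse` method that sets it starts outside its hunk.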
@@ -501,10 +517,10 @@ if avc_filter: if avc_filter.filter(avc): av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc, avc_type=avc.type, bools=avc.bools) + avc.accesses, avc, avc_type=avc.type, data=avc.data) else: av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc, avc_type=avc.type, bools=avc.bools) + avc.accesses, avc, avc_type=avc.type, data=avc.data) return av_set class AVCTypeFilter: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/defaults.py new/sepolgen-1.1.8/src/sepolgen/defaults.py --- old/sepolgen-1.1.5/src/sepolgen/defaults.py 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/src/sepolgen/defaults.py 2012-09-14 19:41:22.000000000 +0200 @@ -1,6 +1,6 @@ # Authors: Karl MacMillan <[email protected]> # -# Copyright (C) 2006 Red Hat +# Copyright (C) 2006 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or 
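Review bot: Both arms of the `if avc_filter:` test make the same `av_set.add(...)` call, differing only in whether `avc_filter.filter(avc)` was consulted, which is why the `bools`→`data` rename had to be applied twice in this hunk. A single guarded call, `if not avc_filter or avc_filter.filter(avc):` followed by one `av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, avc.accesses, avc, avc_type=avc.type, data=avc.data)`, keeps the visible behaviour and halves the surface for the next rename. The enclosing method starts outside the hunk.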
@@ -17,6 +17,40 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 
+import os
+import re
+
+# Select the correct location for the development files based on a
+# path variable (optionally read from a configuration file)
+class PathChoooser(object):
+ def __init__(self, pathname):
+ self.config = dict()
+ if not os.path.exists(pathname):
+ self.config_pathname = "(defaults)"
+ self.config["SELINUX_DEVEL_PATH"] = "/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
+ return
+ self.config_pathname = pathname
+ ignore = re.compile(r"^\s*(?:#.+)?$")
+ consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
+ for lineno, line in enumerate(open(pathname)):
+ if ignore.match(line): continue
+ mo = consider.match(line)
+ if not mo:
+ raise ValueError, "%s:%d: line is not in key = value format" % (pathname, lineno+1)
+ self.config[mo.group(1)] = mo.group(2)
+
+ # We're only exporting one useful function, so why not be a function
+ def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
+ paths = self.config.get(pathset, None)
+ if paths is None:
+ raise ValueError, "%s was not in %s" % (pathset, self.config_pathname)
+ paths = paths.split(":")
+ for p in paths:
+ target = os.path.join(p, testfilename)
+ if os.path.exists(target): return target
+ return os.path.join(paths[0], testfilename)
+
+
 """
 Various default settings, including file and directory locations.
 """
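Review bot: `__call__` splits SELINUX_DEVEL_PATH on ":" without dropping empty entries, so a value like `/usr/share/selinux/devel:` (or an empty one) makes `os.path.join("", testfilename)` look up `Makefile` or `include` relative to the current working directory and, when nothing exists, return a bare relative path via `paths[0]`. Filter the list, `paths = [p for p in paths.split(":") if p]`, and raise the same ValueError when it comes out empty, so the development files are only resolved from the configured locations. In `__init__` the config file is iterated straight from `open(pathname)` and never closed; `with open(pathname) as cfg:` around the `for lineno, line in enumerate(cfg):` loop fixes that. The class name `PathChoooser` carries an extra "o" and is spelled that way at both call sites in the following hunk, so correcting it is a coordinated rename.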
@@ -33,12 +67,11 @@
 def attribute_info():
 return data_dir() + "/attribute_info"
 
-def refpolicy_devel():
- return "/usr/share/selinux/devel"
-
 def refpolicy_makefile():
- return refpolicy_devel() + "/Makefile"
+ chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+ return chooser("Makefile")
 
 def headers():
- return refpolicy_devel() + "/include"
-
+ chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+ return chooser("include")
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/matching.py new/sepolgen-1.1.8/src/sepolgen/matching.py
--- old/sepolgen-1.1.5/src/sepolgen/matching.py 2011-12-21 18:46:04.000000000 +0100
+++ new/sepolgen-1.1.8/src/sepolgen/matching.py 2012-09-14 19:41:22.000000000 +0200
@@ -50,7 +50,7 @@
 return 1
 
 class MatchList:
- DEFAULT_THRESHOLD = 120
+ DEFAULT_THRESHOLD = 150
 def __init__(self):
 # Match objects that pass the threshold
 self.children = []
@@ -63,14 +63,15 @@
 def best(self):
 if len(self.children):
 return self.children[0]
- else:
- return None
+ if len(self.bastards):
+ return self.bastards[0]
+ return None
 
 def __len__(self):
 # Only return the length of the matches so
 # that this can be used to test if there is
 # a match.
- return len(self.children)
+ return len(self.children) + len(self.bastards)
 
 def __iter__(self):
 return iter(self.children)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/policygen.py new/sepolgen-1.1.8/src/sepolgen/policygen.py
--- old/sepolgen-1.1.5/src/sepolgen/policygen.py 2011-12-21 18:46:04.000000000 +0100
+++ new/sepolgen-1.1.8/src/sepolgen/policygen.py 2012-09-14 19:41:22.000000000 +0200
@@ -30,7 +30,10 @@
 import interfaces
 import matching
 import selinux.audit2why as audit2why
-from setools import *
+try:
+ from setools import *
+except:
+ pass
 
 # Constants for the level of explanation from the generation
 # routines
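Review bot: `refpolicy_makefile()` and `headers()` each build a fresh `PathChoooser("/etc/selinux/sepolgen.conf")`, so the configuration file is reopened and re-parsed on every call and the path literal appears twice. Hoist it into a module constant, `SEPOLGEN_CONF = "/etc/selinux/sepolgen.conf"`, and give both functions one helper, `def _chooser(): return PathChoooser(SEPOLGEN_CONF)`; a module-level instance would avoid the re-parse entirely but would turn a malformed config into an import-time ValueError. `refpolicy_devel()` is deleted outright; if any module outside this diff still calls it (the rest of the package is not visible here), a small compatibility wrapper would be cheaper than the breakage.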
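Review bot: After this hunk `__len__` counts `self.bastards` but `__iter__` (the last two lines) still yields only `self.children`, so a MatchList can be truthy while iterating zero items, and `best()` can return an object that iteration never produces. Either iterate both lists, `return iter(self.children + self.bastards)`, or keep `__len__` on the children and expose the below-threshold fallback through `best()` alone; which callers rely on `len()` meaning "passed the threshold" is not visible here. In either case the comment above `__len__` ("Only return the length of the matches so that this can be used to test if there is a match") now describes the old behaviour and should say that below-threshold matches are counted too.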
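Review bot: The bare `except:` around `from setools import *` swallows every failure, not just an absent module, and because it is a star import the names this file uses later (`seinfo`, `sesearch`, `ATTRIBUTE`, `TCONTEXT` and friends) are simply undefined when it fails, surfacing only as a NameError at call time. Narrow it to `except ImportError:` and record the outcome, e.g. `HAVE_SETOOLS = False` in the except branch and `HAVE_SETOOLS = True` after the import, so the generator can test one flag instead of relying on a catch-all further down; a short comment stating that setools is optional would also help the next reader.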
@@ -163,32 +166,34 @@ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" if av.type == audit2why.BOOLEAN: - if len(av.bools) > 1: - rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools)) + if len(av.data) > 1: + rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data)) else: - rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0] + rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0] if av.type == audit2why.CONSTRAINT: rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n" rule.comment += "#Constraint rule: " + for reason in av.data: + rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason - if av.type == audit2why.TERULE: - if "write" in av.perms: - if "dir" in av.obj_class or "open" in av.perms: - if not self.domains: - self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"] - types=[] - - try: - for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})): - if i not in self.domains: - types.append(i) - if len(types) == 1: - rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) - elif len(types) >= 1: - rule.comment += "#!!!! 
The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) - except: - pass + try: + if ( av.type == audit2why.TERULE and + "write" in av.perms and + ( "dir" in av.obj_class or "open" in av.perms )): + if not self.domains: + self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"] + types=[] + + for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})): + if i not in self.domains: + types.append(i) + if len(types) == 1: + rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) + elif len(types) >= 1: + rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) + except: + pass self.module.children.append(rule) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/refparser.py new/sepolgen-1.1.8/src/sepolgen/refparser.py --- old/sepolgen-1.1.5/src/sepolgen/refparser.py 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/src/sepolgen/refparser.py 2012-09-14 19:41:22.000000000 +0200 @@ -245,7 +245,7 @@ t.lexer.lineno += 1 def t_IDENTIFIER(t): - r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"~]*' + r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*' # Handle any keywords t.type = reserved.get(t.value,'IDENTIFIER') return t diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/refpolicy.py new/sepolgen-1.1.8/src/sepolgen/refpolicy.py --- old/sepolgen-1.1.5/src/sepolgen/refpolicy.py 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/src/sepolgen/refpolicy.py 2012-09-14 19:41:22.000000000 +0200 
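Review bot: The new constraint-reason fragment ends in `\b`, so every reason writes a backspace character into the generated policy comment (`'%s' differ\b`); every other `rule.comment` fragment in this hunk ends in `\n`, which is almost certainly what was intended. Change it to `rule.comment += "\n#\tPossible cause source context and target context '%s' differ\n" % reason`. The restructured lookup below now wraps the whole setools query, including the `av.type` test, in a bare `except: pass`, so a NameError from a failed setools import and a genuine query error are both silenced; catching the specific exceptions the query can raise (not visible here) and letting the rest propagate, or at least logging them, would make failures diagnosable. The enclosing method starts outside the hunk.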
@@ -363,7 +363,10 @@ self.types = IdSet() def to_string(self): - return "role %s types %s;" % (self.role, self.types.to_comma_str()) + s = "" + for t in self.types: + s += "role %s types %s;\n" % (self.role, t) + return s class Type(Leaf): def __init__(self, name="", parent=None): @@ -511,7 +514,10 @@ self.types = IdSet() def to_string(self): - return "role %s types %s;" % (self.role, self.types.to_comma_str()) + s = "" + for t in self.types: + s += "role %s types %s;\n" % (self.role, t) + return s class ModuleDeclaration(Leaf): def __init__(self, parent=None): @@ -799,7 +805,7 @@ self.types = IdSet() self.obj_classes = { } self.roles = IdSet() - self.bools = IdSet() + self.data = IdSet() self.users = IdSet() def add_obj_class(self, obj_class, perms): @@ -816,7 +822,7 @@ s.append("\tclass %s %s;" % (obj_class, perms.to_space_str())) for role in self.roles: s.append("\trole %s;" % role) - for bool in self.bools: + for bool in self.data: s.append("\tbool %s;" % bool) for user in self.users: s.append("\tuser %s;" % user) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.1.5/src/sepolgen/yacc.py new/sepolgen-1.1.8/src/sepolgen/yacc.py --- old/sepolgen-1.1.5/src/sepolgen/yacc.py 2011-12-21 18:46:04.000000000 +0100 +++ new/sepolgen-1.1.8/src/sepolgen/yacc.py 2012-09-14 19:41:22.000000000 +0200 @@ -506,7 +506,7 @@ Errorfunc = None # User defined error handler - Signature = hashlib.md5() # Digital signature of the grammar rules, precedence + Signature = hashlib.sha256() # Digital signature of the grammar rules, precedence # and other information. Used to determined when a # parsing table needs to be regenerated. -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
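Review bot: The two `to_string` rewrites (this hunk and `@@ -511`) are character-for-character identical and build the result with repeated `+=`; `return "".join("role %s types %s;\n" % (self.role, t) for t in self.types)` says the same thing in one line and can live in one place. The new form also terminates every statement with `\n` where the old single-line form had no terminator, so if the code that assembles these nodes appends its own line break (not visible here) each block now ends in a blank line — worth checking against the emitted module text.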
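Review bot: Renaming `self.bools` to `self.data` on this node discards meaning: the loop in the `@@ -816` hunk still emits `\tbool %s;` for each element, so these are boolean requirements and `data` does not say so. Keep the descriptive name, or at least add `# booleans this module requires; each is emitted as "bool NAME;"` above the assignment, and rename the loop variable in the `@@ -816` hunk from `bool` (which shadows the builtin) to `b`. Any code outside this diff that still reads `.bools` on this node would now raise AttributeError; whether such callers exist is not visible here.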
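Review bot: The comment kept on the changed line still calls this value a "Digital signature", which overstates it — the continuation says it is used to decide when a parsing table needs to be regenerated, i.e. a change-detection hash, not an integrity or authenticity check. Suggest `Signature = hashlib.sha256() # Change-detection hash of the grammar rules, precedence`, leaving the two continuation lines as they are. Switching the algorithm also changes the digest, so any parsing table generated by the previous version will presumably be seen as stale and rebuilt once; if that table is written somewhere shared, confirm the user running the tool can write there.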
