Hello community,

here is the log from the commit of package policycoreutils.3164 for 
openSUSE:12.3:Update checked in at 2014-11-13 15:22:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/policycoreutils.3164 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.policycoreutils.3164.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "policycoreutils.3164"

Changes:
--------
New Changes file:

--- /dev/null   2014-10-24 22:03:51.036034256 +0200
+++ 
/work/SRC/openSUSE:12.3:Update/.policycoreutils.3164.new/policycoreutils.changes
    2014-11-13 15:22:06.000000000 +0100
@@ -0,0 +1,188 @@
+-------------------------------------------------------------------
+Wed Nov  5 14:06:48 UTC 2014 - [email protected]
+
+- added Requires: python-yum, yum-metadata-parser to fix sepolicy
+  (bnc#903841)
+
+-------------------------------------------------------------------
+Tue Dec 11 15:11:12 UTC 2012 - [email protected]
+
+- added service unit for restorecond
+
+-------------------------------------------------------------------
+Wed Dec  5 13:41:33 UTC 2012 - [email protected]
+
+- semanage needs python-xml and python-ipy to run
+
+-------------------------------------------------------------------
+Sat Nov 17 06:58:05 UTC 2012 - [email protected]
+
+- Fix compilation with glibc 2.17 (add patch policycoreutils-glibc217.patch
+  extracted from Fedora)
+
+-------------------------------------------------------------------
+Tue Aug  7 15:30:58 UTC 2012 - [email protected]
+
+- updated policycoreutils to 2.1.10
+  - adapated patches
+- updated sepolgen to 1.1.5
+
+-------------------------------------------------------------------
+Tue Feb 14 09:57:15 UTC 2012 - [email protected]
+
+- fix seceral rpmlint errors and warnings
+  * use /var/adm/fillup-template for sandbox
+  * don't use /var/lock/subsys in any of init script
+  * use set_permissions macro and add correct Requires(pre)
+  * fix the languages to new -lang package
+  * fix policycoreutils-sandbox Group
+  * remove runlevel 4 from inint scripts
+
+-------------------------------------------------------------------
+Mon Feb 13 10:53:53 UTC 2012 - [email protected]
+
+- patch license to follow spdx.org standard
+
+-------------------------------------------------------------------
+Mon Mar 14 15:16:51 UTC 2011 - [email protected]
+
+- updated to 2.0.85
+  * changes too numerous to list
+
+-------------------------------------------------------------------
+Fri Feb  4 00:09:42 UTC 2011 - [email protected]
+
+- fix a typo in the package group
+
+-------------------------------------------------------------------
+Fri Jun  4 13:19:27 UTC 2010 - [email protected]
+
+- remove usermode-gtk from Requires of -gui subpackage
+
+-------------------------------------------------------------------
+Fri May  7 14:01:05 CEST 2010 - [email protected]
+
+- remove incorrect and unnecessary rpmlintrc.
+
+-------------------------------------------------------------------
+Mon Mar 22 15:47:14 UTC 2010 - [email protected]
+
+- fix build by moving _GNU_SOURCE define (gnusource.patch), thx darix
+
+-------------------------------------------------------------------
+Thu Feb 25 15:28:18 UTC 2010 - [email protected]
+
+- updated to 2.0.79
+  * changes too numerous to list
+
+-------------------------------------------------------------------
+Wed Jul 15 13:31:00 CEST 2009 - [email protected]
+
+- disable Requires usermode-gtk
+
+-------------------------------------------------------------------
+Fri Jun 19 13:42:09 CEST 2009 - [email protected]
+
+- added libsepol-static-devel to BuildRequires
+
+-------------------------------------------------------------------
+Wed May 27 14:24:47 CEST 2009 - [email protected]
+
+- updated to 2.0.62
+  * Add btrfs to fixfiles from Dan Walsh.
+  * Remove restorecond error for matching globs with multiple hard links
+    and fix some error messages from Dan Walsh.
+  * Make removing a non-existant module a warning rather than an error
+    from Dan Walsh.
+  * Man page fixes from Dan Walsh.
+
+-------------------------------------------------------------------
+Wed Feb 11 01:09:12 CET 2009 - [email protected]
+
+- use sr@latin instead of sr@Latn 
+
+-------------------------------------------------------------------
+Wed Jan 14 14:12:53 CET 2009 - [email protected]
+
+- updated to 2.0.61
+  * semanage: use semanage_mls_enabled() from Stephen Smalley
+  * fix error checking in restorecond, for inotify_add_watch
+  * change md5 to hashlib.md5 in sepolgen
+  * fix Japanese translations
+  * fix audit2allow man page
+  * don't error out when removing a non existing module
+  * chcat: cut categories at arbitrary point (25) from Dan Walsh
+  * semodule: use new interfaces in libsemanage for compressed
+    files from Dan Walsh
+  * audit2allow: string changes for usage
+
+-------------------------------------------------------------------
+Mon Dec  1 11:23:02 CET 2008 - [email protected]
+
+- updated to 2.0.59
+  * Fix text in newrole
+  * Fix revertbutton on booleans page in system-config-selinux
+  * Fix system-config-selinux booleanspage throwing and exception
+  * Allow addition of local modifications of fcontext policy
+  * Handle selinux disabled correctly
+  * Handle manipulation of fcontext file correctly
+  * Fix traceback in audit2why
+
+-------------------------------------------------------------------
+Mon Nov 10 16:51:16 CET 2008 - [email protected]
+
+- package "newrole" with permissions matching
+  "secure" permissions mode
+
+-------------------------------------------------------------------
+Fri Nov  7 02:44:25 CET 2008 - [email protected]
+
+- buildfix: prevent regeneration of policycoreutils.pot
+
+-------------------------------------------------------------------
+Fri Oct 31 15:57:57 CET 2008 - [email protected]
+
+- use permissions for newrole
+
+-------------------------------------------------------------------
+Mon Oct 20 11:48:40 CEST 2008 - [email protected]
+
+- updated to 2.0.57
+  * Update po files from Dan Walsh.
+- updated to 2.0.56
+  * fixfiles will now remove all files in /tmp and will check for
+    unlabeled_t in /tmp and /var/tmp from Dan Walsh.
+  * add glob support to restorecond from Dan Walsh.
+  * allow semanage to handle multi-line commands in a single transaction
+    from Dan Walsh.
+
+-------------------------------------------------------------------
+Mon Sep  8 14:18:48 CEST 2008 - [email protected]
+
+- fix scriptlets
+
+-------------------------------------------------------------------
+Tue Sep  2 12:25:39 CEST 2008 - [email protected]
+
+- updated to 2.0.55
+  * Merged semanage node support from Christian Kuester.
+- updated to 2.0.54
+  * Add support for boolean files and group support for seusers from Dan Walsh.
+  * Ensure that setfiles -p output is newline terminated from Russell Coker.
+- updated to 2.0.53
+  * Change setfiles to validate all file_contexts files when using -c from 
Stephen Smalley.
+- updated sepolgen to 1.0.13
+  * Only append s0 suffix if MLS is enabled from Karl MacMillan.
+- added missing preun/post/postun scriptlets
+
+-------------------------------------------------------------------
+Mon Aug  4 01:00:45 CEST 2008 - [email protected]
+
+- add directory to filelist to fix build 
+
+-------------------------------------------------------------------
+Tue Jul 15 18:11:09 CEST 2008 - [email protected]
+
+- initial version 2.0.52
+  * based on Fedora package by Dan Walsh <[email protected]>
+
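Review bot: The newest entry (Wed Nov 5 2014) says the added Requires fix sepolicy, but no sepolicy binary or module appears in any %files list of the spec in this commit. The entry should name the tool that actually fails without python-yum and yum-metadata-parser, and say that the Requires went into the -python subpackage. Several older entries also carry typos that could be corrected while the file is being touched: "adapated", "seceral", "inint", "non-existant".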

New:
----
  policycoreutils-2.1.10.tar.gz
  policycoreutils-glibc217.patch
  policycoreutils-gui.patch.bz2
  policycoreutils-initscript.patch
  policycoreutils-pam-common.patch
  policycoreutils-po.patch.bz2
  policycoreutils.changes
  policycoreutils.spec
  policycoreutils_man_ru2.tar.bz2
  restorecond.service
  selinux-polgengui.console
  selinux-polgengui.desktop
  sepolgen-1.1.5.tar.gz
  system-config-selinux.console
  system-config-selinux.desktop
  system-config-selinux.pam
  system-config-selinux.png

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ policycoreutils.spec ++++++
#
# spec file for package policycoreutils
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%define libaudit_ver     1.4.2
%define libsepol_ver     2.1.4
%define libsemanage_ver  2.0.43
%define libselinux_ver   2.0.90
%define sepolgen_ver     1.1.5

Name:           policycoreutils
Version:        2.1.10
Release:        0
Url:            http://userspace.selinuxproject.org/
Summary:        SELinux policy core utilities
License:        GPL-2.0+
Group:          Productivity/Security
Source:         http://userspace.selinuxproject.org/releases/20120216/%{name}-%{version}.tar.gz
Source1:        http://userspace.selinuxproject.org/releases/20120216/sepolgen-%{sepolgen_ver}.tar.gz
Source2:        system-config-selinux.png
Source3:        system-config-selinux.desktop
Source4:        system-config-selinux.pam
Source5:        system-config-selinux.console
Source6:        selinux-polgengui.desktop
Source7:        selinux-polgengui.console
Source8:        policycoreutils_man_ru2.tar.bz2
Source9:        restorecond.service
Patch1:         policycoreutils-po.patch.bz2
Patch2:         policycoreutils-gui.patch.bz2
Patch4:         policycoreutils-initscript.patch
Patch5:         policycoreutils-pam-common.patch
Patch6:         policycoreutils-glibc217.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  audit-devel >= %{libaudit_ver}
BuildRequires:  dbus-1-glib-devel
BuildRequires:  fdupes
BuildRequires:  gettext
BuildRequires:  libcap-devel
BuildRequires:  libcap-ng-devel
BuildRequires:  libcgroup-devel
BuildRequires:  libselinux-devel >= %{libselinux_ver}
BuildRequires:  libsemanage-devel >= %{libsemanage_ver}
BuildRequires:  libsepol-devel-static >= %{libsepol_ver}
BuildRequires:  pam-devel
BuildRequires:  python-devel
BuildRequires:  update-desktop-files
%if 0%{?suse_version} > 1140
BuildRequires:  systemd
%endif
Requires(pre):  %insserv_prereq  %fillup_prereq permissions
Requires:       audit-libs-python
Requires:       checkpolicy
Requires:       gawk
Requires:       python-selinux
Requires:       rpm
Requires:       util-linux
%{?systemd_requires}
Recommends:     %{name}-lang

%description
Security-enhanced Linux is a feature of the Linux(R) kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux.  The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type Enforcement(R), Role-based Access
Control, and Multi-level Security.

policycoreutils contains the policy core utilities that are required
for basic operation of a SELinux system.  These utilities include
load_policy to load policies, setfiles to label filesystems, newrole
to switch roles, and run_init to run /etc/init.d scripts in the proper
context.

%lang_package

%prep
%setup -q -a 1
#%patch0 -p2
%patch1 -p1
%patch2 -p1
%patch4
%patch5
%patch6 -p2
# sleep 5
# touch po/policycoreutils.pot
# sleep 5

%build
export SUSE_ASNEEDED=0
make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
make -C sepolgen-%{sepolgen_ver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all

%install
mkdir -p %{buildroot}%{_initddir}
mkdir -p %{buildroot}/var/lib/selinux
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}/sbin
mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" INITDIR="%{buildroot}%{_initddir}" install
make -C sepolgen-%{sepolgen_ver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
install -D -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps/system-config-selinux.png
%if 0%{?suse_version} > 1140
install -D -m 0644 %SOURCE9 %{buildroot}/%{_unitdir}/restorecond.service
%endif
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/security/console.apps/selinux-polgengui
tar -jxf %{SOURCE8} -C %{buildroot}/
rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
ln -sf %{_initddir}/restorecond %{buildroot}%{_sbindir}/rcrestorecond
ln -sf %{_initddir}/sandbox %{buildroot}%{_sbindir}/rcsandbox
mkdir -p %{buildroot}/var/adm/fillup-templates/
mv %{buildroot}/%{_sysconfdir}/sysconfig/sandbox %{buildroot}/var/adm/fillup-templates/sysconfig.sandbox
rmdir %{buildroot}/%{_sysconfdir}/sysconfig
%suse_update_desktop_file -i system-config-selinux System Security Settings
%suse_update_desktop_file -i selinux-polgengui System Security Settings
%find_lang %{name}
%fdupes -s %{buildroot}/%{_datadir}

%package python
Summary:        SELinux policy core python utilities
Group:          Productivity/Security
Requires:       audit-libs-python >= %{libaudit_ver}
Requires:       policycoreutils = %{version}
Requires:       python-ipy
Requires:       python-selinux >= %{libselinux_ver}
Requires:       python-semanage >= %{libsemanage_ver}
Requires:       python-setools
Requires:       python-xml
Requires:       python-yum
Requires:       yum-metadata-parser

%description python
The policycoreutils-python package contains the management tools used to manage 
an SELinux environment.

%files python
%defattr(-,root,root,-)
%{_sbindir}/semanage
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_bindir}/chcat
%{_bindir}/sandbox
%{_bindir}/sepolgen-ifgen
%{_bindir}/sepolgen-ifgen-attr-helper
%{python_sitearch}/seobject.py*
%{python_sitearch}/sepolgen
#%{python_sitearch}/%{name}
#%{python_sitearch}/%{name}*.egg-info
%dir  /var/lib/sepolgen
%dir  /var/lib/selinux
/var/lib/sepolgen/perm_map
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/man5/sandbox*
%{_mandir}/man8/semanage.8*
%{_mandir}/ru/man8/semanage.8*

%post python
selinuxenabled && [ -f %{_datadir}/selinux/devel/include/build.conf ] && %{_bindir}/sepolgen-ifgen 2>/dev/null
exit 0

%package sandbox
Summary:        SELinux sandbox utilities
Group:          Productivity/Security
Requires:       policycoreutils-python = %{version}
Requires:       xorg-x11-server-extra
# Requires:       matchbox-window-manager

%description sandbox
The sandbox package contains the scripts to create graphical sandboxes

%files sandbox
%defattr(-,root,root,-)
%{_initddir}/sandbox
%{_sbindir}/rcsandbox
%attr(0755,root,root) %{_sbindir}/seunshare
%dir %{_datadir}/sandbox
%{_datadir}/sandbox/sandboxX.sh
%{_datadir}/sandbox/start
/var/adm/fillup-templates/sysconfig.sandbox
%doc %{_mandir}/man8/seunshare.8*

%post sandbox
%fillup_and_insserv sandbox

%preun sandbox
if [ "$1" -eq "0" ]; then
    %stop_on_removal sandbox
    %insserv_cleanup
fi

%postun sandbox
if [ "$1" -ge "1" ]; then
    %restart_on_update sandbox
    %insserv_cleanup
fi

%package newrole
Summary:        The newrole application for RBAC/MLS
Group:          Productivity/Security
Requires:       policycoreutils = %{version}
Requires(pre):  permissions

%description newrole
RBAC/MLS policy machines require newrole as a way of changing the role
or level of a logged in user.

%files newrole
%defattr(-,root,root)
%verify(not mode) %attr(0755,root,root) %{_bindir}/newrole
%{_mandir}/man1/newrole.1.gz
%config(noreplace) %{_sysconfdir}/pam.d/newrole

%post newrole
%set_permissions %{_bindir}/newrole

%verifyscript
%verify_permissions -e %{_bindir}/newrole

%package gui
Summary:        SELinux configuration GUI
Group:          Productivity/Security
Requires:       policycoreutils-python = %{version}
Requires:       python-gnome
Requires:       python-gtk
# Requires:    gnome-python2-canvas
# Requires:    usermode-gtk
Requires:       python
Requires:       selinux-policy
Requires:       setools-console

%description gui
system-config-selinux is a utility for managing the SELinux environment

%files gui
%defattr(-,root,root)
%{_bindir}/system-config-selinux
%{_bindir}/selinux-polgengui
#%{_bindir}/sepolgen
%{_datadir}/applications/selinux-polgengui.desktop
%{_datadir}/applications/system-config-selinux.desktop
%{_datadir}/pixmaps/system-config-selinux.png
#%dir %{_datadir}/system-config-selinux
#%dir %{_datadir}/system-config-selinux/templates
#%{_datadir}/system-config-selinux/*.py*
#%{_datadir}/system-config-selinux/selinux.tbl
#%{_datadir}/system-config-selinux/*.glade
#%{_datadir}/system-config-selinux/templates/*.py*
%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
%config(noreplace) %{_sysconfdir}/pam.d/selinux-polgengui
%dir %{_sysconfdir}/security/console.apps
%config(noreplace) %{_sysconfdir}/security/console.apps/selinux-polgengui
%config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux

%clean
rm -rf %{buildroot}

%files
%defattr(-,root,root)
/sbin/restorecon
/sbin/fixfiles
/sbin/setfiles
/sbin/load_policy
%{_sbindir}/genhomedircon
%{_sbindir}/load_policy
%{_sbindir}/restorecond
%{_sbindir}/setsebool
%{_sbindir}/semodule
%{_sbindir}/sestatus
%{_sbindir}/run_init
%{_sbindir}/open_init_pty
%{_bindir}/secon
%{_bindir}/semodule_deps
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
%{_bindir}/semodule_package
%{_bindir}/semodule_unpackage
%if 0%{?suse_version} > 1140
%{_unitdir}/restorecond.service
%endif
%config(noreplace) %{_sysconfdir}/pam.d/run_init
%config(noreplace) %{_sysconfdir}/sestatus.conf
%attr(755,root,root) %{_initddir}/restorecond
%{_sbindir}/rcrestorecond
%config(noreplace) /etc/selinux/restorecond.conf
%config(noreplace) /etc/selinux/restorecond_user.conf
%{_sysconfdir}/xdg/autostart/restorecond.desktop
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
%dir %{_mandir}/ru
%dir %{_mandir}/ru/man1
%dir %{_mandir}/ru/man8
%{_mandir}/man5/selinux_config.5*
%{_mandir}/man5/sestatus.conf.5*
%{_mandir}/man8/semodule_unpackage.8*
%{_mandir}/man8/fixfiles.8*
%{_mandir}/ru/man8/fixfiles.8*
%{_mandir}/man8/load_policy.8*
%{_mandir}/ru/man8/load_policy.8*
%{_mandir}/man8/open_init_pty.8*
%{_mandir}/ru/man8/open_init_pty.8*
%{_mandir}/man8/restorecon.8*
%{_mandir}/ru/man8/restorecon.8*
%{_mandir}/man8/restorecond.8*
%{_mandir}/ru/man8/restorecond.8*
%{_mandir}/man8/run_init.8*
%{_mandir}/ru/man8/run_init.8*
%{_mandir}/man8/semodule.8*
%{_mandir}/ru/man8/semodule.8*
%{_mandir}/man8/semodule_deps.8*
%{_mandir}/ru/man8/semodule_deps.8*
%{_mandir}/man8/semodule_expand.8*
%{_mandir}/ru/man8/semodule_expand.8*
%{_mandir}/man8/semodule_link.8*
%{_mandir}/ru/man8/semodule_link.8*
%{_mandir}/man8/semodule_package.8*
%{_mandir}/ru/man8/semodule_package.8*
%{_mandir}/man8/sestatus.8*
%{_mandir}/ru/man8/sestatus.8*
%{_mandir}/man8/setfiles.8*
%{_mandir}/ru/man8/setfiles.8*
%{_mandir}/man8/setsebool.8*
%{_mandir}/ru/man8/setsebool.8*
%{_mandir}/man1/secon.1*
%{_mandir}/ru/man1/secon.1*
%{_mandir}/man8/genhomedircon.8*

%files lang -f %{name}.lang

%pre
%if 0%{?suse_version} > 1140
%service_add_pre restorecond.service
%endif

%post
%fillup_and_insserv restorecond
%if 0%{?suse_version} > 1140
%service_add_post restorecond.service
%endif

%preun
if [ "$1" -eq "0" ]; then
    %stop_on_removal restorecond
    %insserv_cleanup
fi
%if 0%{?suse_version} > 1140
%service_del_preun restorecond.service
%endif

%postun
if [ "$1" -ge "1" ]; then
    %restart_on_update restorecond
    %insserv_cleanup
fi
%if 0%{?suse_version} > 1140
%service_del_postun restorecond.service
%endif

%changelog
++++++ policycoreutils-glibc217.patch ++++++
diff --git a/policycoreutils/sandbox/seunshare.c 
b/policycoreutils/sandbox/seunshare.c
index 3bb3c4b..d16e331 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -31,6 +31,12 @@
 #include <selinux/context.h>   /* for context-mangling functions */
 #include <dirent.h>
 
+
+/*
+ * Note setfsuid never returns an error code.  But the compiler complains if 
+ * I do not check, so I am checking for -1, which should never happen.
+ */
+
 #ifdef USE_NLS
 #include <locale.h>            /* for setlocale() */
 #include <libintl.h>           /* for gettext() */
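Review bot: The comment added after the #include <dirent.h> line concedes that the setfsuid(...) < 0 checks introduced further down can never fire, so they only silence the unused-result warning and give no assurance that the filesystem UID actually changed. setfsuid() returns the previous fsuid on success and on failure alike; to detect a refused switch, follow each call with setfsuid(-1) and compare the returned value with the UID just requested. The comment would also be easier to find beside the first call, or on a small wrapper function, than between the include blocks.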
@@ -617,12 +623,15 @@ static int cleanup_tmpdir(const char *tmpdir, const char 
*src,
        free(cmdbuf); cmdbuf = NULL;
 
        /* remove runtime temporary directory */
-       setfsuid(0);
+       if (setfsuid(0) < 0) 
+               rc++;
+
        if (rmdir(tmpdir) == -1)
                fprintf(stderr, _("Failed to remove directory %s: %s\n"), 
tmpdir, strerror(errno));
-       setfsuid(pwd->pw_uid);
+       if (setfsuid(pwd->pw_uid) < 0) 
+               rc++;
 
-       return 0;
+       return rc;
 }
 
 /**
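Review bot: In cleanup_tmpdir() the return value now comes from rc, but the only new contributions to it are the two setfsuid() checks, which cannot trigger, while the rmdir(tmpdir) failure between them still only prints a message. Count the rmdir failure in rc as well, and confirm that rc does not already hold a non-zero value from code earlier in the function, because callers that used to receive 0 unconditionally will now see it.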
@@ -642,7 +651,9 @@ static char *create_tmpdir(const char *src, struct stat 
*src_st,
 
        /* get selinux context */
        if (execcon) {
-               setfsuid(pwd->pw_uid);
+               if (setfsuid(pwd->pw_uid) < 0) 
+                       goto err;
+
                if ((fd_s = open(src, O_RDONLY)) < 0) {
                        fprintf(stderr, _("Failed to open directory %s: %s\n"), 
src, strerror(errno));
                        goto err;
@@ -661,7 +672,8 @@ static char *create_tmpdir(const char *src, struct stat 
*src_st,
                }
 
                /* ok to not reach this if there is an error */
-               setfsuid(0);
+               if (setfsuid(0) < 0) 
+                       goto err;
        }
 
        if (asprintf(&tmpdir, "/tmp/.sandbox-%s-XXXXXX", pwd->pw_name) == -1) {
@@ -716,14 +728,16 @@ static char *create_tmpdir(const char *src, struct stat 
*src_st,
                }
        }
 
-       setfsuid(pwd->pw_uid);
+       if (setfsuid(pwd->pw_uid) < 0) 
+               goto err;
 
        if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
                goto err;
        }
 
        /* ok to not reach this if there is an error */
-       setfsuid(0);
+       if (setfsuid(0) < 0) 
+               goto err;
 
        if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
                fprintf(stderr, _("Failed to populate runtime temporary 
directory\n"));
@@ -916,7 +930,8 @@ int main(int argc, char **argv) {
        /* Changing fsuid is usually required when user-specified directory is
         * on an NFS mount.  It's also desired to avoid leaking info about
         * existence of the files not accessible to the user. */
-       setfsuid(uid);
+       if (setfsuid(uid) < 0) 
+               return -1;
 
        /* verify homedir and tmpdir */
        if (homedir_s && (
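Review bot: The setfsuid(uid) call ahead of the homedir/tmpdir verification is the one the comment above ties to not leaking the existence of files the user cannot access, and the < 0 test does not protect it: a refused switch returns the old fsuid, not a negative value, so verify_directory() would run with the previous filesystem identity. Check the effect instead, for example with if (setfsuid(-1) != (int)uid) return -1; placed directly after the call.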
@@ -925,7 +940,7 @@ int main(int argc, char **argv) {
        if (tmpdir_s && (
                verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
                check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
-       setfsuid(0);
+       if (setfsuid(0) < 0) return -1;
 
        /* create runtime tmpdir */
        if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
@@ -959,7 +974,7 @@ int main(int argc, char **argv) {
                }
 
                /* assume fsuid==ruid after this point */
-               setfsuid(uid);
+               if (setfsuid(uid) < 0) goto childerr;
 
                /* mount homedir and tmpdir, in this order */
                if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir,
@@ -1005,7 +1020,7 @@ int main(int argc, char **argv) {
 
                /* selinux context */
                if (execcon && setexeccon(execcon) != 0) {
-                       fprintf(stderr, _("Could not set exec context to 
%s.\n"), execcon);
+                       fprintf(stderr, _("Could not set exec context to %s. 
%s\n"), execcon, strerror(errno));
                        goto childerr;
                }
 
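Review bot: The new message "Could not set exec context to %s. %s\n" separates the errno text with a period, whereas the other messages visible in this patch use a colon ("Failed to remove directory %s: %s\n"); use the colon form for consistency. This hunk is also unrelated to the glibc 2.17 build fix the patch file is named for and would be clearer as a separate patch.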
++++++ policycoreutils-gui.patch.bz2 ++++++
++++ 14269 lines (skipped)

++++++ policycoreutils-initscript.patch ++++++
Index: restorecond/restorecond.init
===================================================================
--- restorecond/restorecond.init.orig
+++ restorecond/restorecond.init
@@ -1,14 +1,23 @@
 #!/bin/sh
 #
-# restorecond:         Daemon used to maintain path file context
+# /etc/init.d/restorecond
 #
-# chkconfig:   - 12 87
-# description: restorecond uses inotify to look for creation of new files \
-# listed in the /etc/selinux/restorecond.conf file, and restores the \
-# correct security context.
+### BEGIN INIT INFO
+# Provides:          restorecond
+# Required-Start:    $remote_fs
+# Should-Start:
+# Required-Stop:     $remote_fs
+# Should-Stop:
+# Default-Start:     3 4 5
+# Default-Stop:      0 1 2 3 4 6
+# Short-Description: Daemon used to maintain path file context
+# Description:       Restorecond uses inotify to look for creation of new files
+#   listed in the /etc/selinux/restorecond.conf file, and restores the correct
+#   security context.
+### END INIT INFO
 #
 # processname: /usr/sbin/restorecond
-# config: /etc/selinux/restorecond.conf 
+# config: /etc/selinux/restorecond.conf
 # pidfile: /var/run/restorecond.pid
 #
 # Return values according to LSB for all commands but status:
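Review bot: The new LSB header lists runlevels 3 and 4 in both Default-Start (3 4 5) and Default-Stop (0 1 2 3 4 6), and it still starts in runlevel 4 although the changelog entry of Feb 14 2012 says runlevel 4 was removed from the init scripts. Default-Start: 3 5 with Default-Stop: 0 1 2 6 would match the stated intent and remove the overlap.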
@@ -22,42 +31,61 @@
 # 7 - program is not running
 
 PATH=/sbin:/bin:/usr/bin:/usr/sbin
+PROG_BIN=/usr/sbin/restorecond
+LOCK_FILE=/var/lock/restorecond
+PROG_CONF=/etc/selinux/restorecond.conf
 
 # Source function library.
-. /etc/rc.d/init.d/functions
+. /etc/rc.status
 
-[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+# Check whether SELinux is enabled
+if  [ ! -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled ; then
+    echo $"SELinux should be enabled to run this daemon"
+    rc_failed 1
+    rc_status -v
+    rc_exit
+fi
 
 # Check that we are root ... so non-root users stop here
-test $EUID = 0  || exit 4
+if [ $EUID -ne 0 ] ; then
+    echo $"Access denied. Only root can run this daemon"
+    rc_failed 4
+    rc_status -v
+    rc_exit
+fi
+
+# Check whether program binary exists
+if [ ! -x $PROG_BIN ] ; then
+    echo $"$PROG_BIN does not exist or has no executable permission"
+    rc_failed 5
+    rc_status -v
+    rc_exit
+fi
+
+# Check whether the required conf file exists
+if [ ! -f $PROG_CONF ] ; then
+    echo $"$PROG_CONF not found"
+    rc_failed 6
+    rc_status -v
+    rc_exit
+fi
 
-test -x /usr/sbin/restorecond  || exit 5
-test -f /etc/selinux/restorecond.conf  || exit 6
-
-RETVAL=0
-
-start() 
+start()
 {
-        echo -n $"Starting restorecond: "
-       unset HOME MAIL USER USERNAME
-        daemon /usr/sbin/restorecond 
-       RETVAL=$?
-       touch /var/lock/subsys/restorecond
-        echo
-       return $RETVAL
+    echo -n $"Starting restorecond: "
+    unset HOME MAIL USER USERNAME
+    startproc -p $LOCK_FILE $PROG_BIN
+    rc_status -v
 }
 
-stop() 
+stop()
 {
-        echo -n $"Shutting down restorecond: "
-       killproc restorecond
-       RETVAL=$?
-       rm -f  /var/lock/subsys/restorecond
-        echo
-       return $RETVAL
+    echo -n $"Shutting down restorecond: "
+    killproc -p $LOCK_FILE -TERM $PROG_BIN
+    rc_status -v
 }
 
-restart() 
+restart()
 {
     stop
     start
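Review bot: The rewritten SELinux check, if [ ! -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled, is true only when the binary is not executable and yet runs successfully, so it never fires and the script no longer stops when SELinux is disabled or selinuxenabled is missing; the removed line exited with 7 in both cases. Negate the whole test, e.g. if ! { [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; }; then, and keep rc_failed 7 rather than 1. Separately, startproc and killproc are given -p $LOCK_FILE (/var/lock/restorecond) as the pid file while the header documents /var/run/restorecond.pid, and $EUID is a bash variable in a script that declares #!/bin/sh.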
@@ -72,18 +100,20 @@ case "$1" in
        stop
         ;;
   status)
-       status restorecond
-       RETVAL=$?
+        echo -n $"Checking for restorecond: "
+        checkproc -p $LOCK_FILE $PROG_BIN
+        rc_status -v
        ;;
   force-reload|restart|reload)
        restart
        ;;
   condrestart)
-       [ -e /var/lock/subsys/restorecond ] && restart || :
+       [ -e $LOCK_FILE ] && restart || :
        ;;
   *)
-        echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
-        RETVAL=3
+        echo $"Usage: $0 
{start|stop|restart|reload|force-reload|status|condrestart}"
+        rc_failed 3
+        rc_status -v
 esac
 
-exit $RETVAL
+rc_exit
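Review bot: condrestart now tests [ -e $LOCK_FILE ], but the touch that created the lock file was removed from start() in the previous hunk and nothing visible in this patch creates /var/lock/restorecond, so condrestart will silently do nothing unless restorecond itself writes that file. Decide on the running state the same way the new status branch does, with checkproc -p $LOCK_FILE $PROG_BIN, and restart only when it succeeds.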
Index: sandbox/sandbox.init
===================================================================
--- sandbox/sandbox.init.orig
+++ sandbox/sandbox.init
@@ -1,11 +1,22 @@
 #!/bin/bash
-## BEGIN INIT INFO
+### BEGIN INIT INFO
 # Provides: sandbox
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 3 4 6
-# Required-Start:
+# Required-Start:    $remote_fs
+# Should-Start:
+# Required-Stop:     $remote_fs
+# Should-Stop:
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 3 6
+# Required-Start: Set up / mountpoint to be shared, /var/tmp, /tmp, 
/home/sandbox unshared
+# Short-Description: 
+# Description: sandbox, xguest and other apps that want to use pam_namespace \
+#              require this script be run at boot.  This service script does \
+#              not actually run any service but sets up: \
+#              / to be shared by any app that starts a separate namespace
+#              If you do not use sandbox, xguest or pam_namespace you can turn 
\
+#              this service off.\
 #              
-## END INIT INFO
+### END INIT INFO
 # sandbox:        Set up / mountpoint to be shared, /var/tmp, /tmp, 
/home/sandbox unshared
 #
 # chkconfig: 345 1 99
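Review bot: The new sandbox header has two Required-Start lines, the second carrying the text "Set up / mountpoint to be shared, ..." that belongs in Short-Description, which is left empty; anything parsing the header gets free text as a dependency list. Move the text to Short-Description and drop the duplicate tag. Runlevel 3 is also in both Default-Start (3 5) and Default-Stop (0 1 2 3 6), and the Description continuation lines end in backslashes where the restorecond header in this same patch uses plain indented lines.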
@@ -19,9 +30,9 @@
 #
 
 # Source function library.
-. /etc/init.d/functions
+. /etc/rc.status
 
-LOCKFILE=/var/lock/subsys/sandbox
+LOCKFILE=/var/lock/sandbox
 
 base=${0##*/}
 
@@ -31,7 +42,7 @@ start() {
        [ -f "$LOCKFILE" ] && return 0
 
        touch $LOCKFILE
-       mount --make-rshared / || return $? 
+       mount --make-rshared / || return $?
        return 0
 }
 
@@ -68,9 +79,13 @@ case "$1" in
     status)
        status
        ;;
+    reload)
+        # unused
+        exit 3
+        ;;
 
     *)
-       echo $"Usage: $0 {start|stop|status|restart}"
+       echo $"Usage: $0 {start|stop|status|restart|reload}"
        exit 3
        ;;
 esac
Index: mcstrans/src/mcstrans.init
===================================================================
--- mcstrans/src/mcstrans.init.orig
+++ mcstrans/src/mcstrans.init
@@ -20,7 +20,7 @@
 
 PATH=/sbin:/bin:/usr/bin:/usr/sbin
 prog="mcstransd"
-lockfile=/var/lock/subsys/$prog
+lockfile=/var/lock/$prog
 
 # Source function library.
 . /etc/init.d/functions
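Review bot: Only the lock file path is changed in mcstrans.init; the context line below it still sources /etc/init.d/functions, which the restorecond and sandbox hunks replace with /etc/rc.status. If this script is meant to be installed it needs the same conversion; if it is not packaged (the spec lists no mcstrans files), the hunk can be dropped.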
++++++ policycoreutils-pam-common.patch ++++++
--- newrole/newrole-lspp.pamd
+++ newrole/newrole-lspp.pamd
@@ -1,5 +1,5 @@
 #%PAM-1.0
-auth       include     system-auth
-account    include     system-auth
-password   include     system-auth
+auth       include     common-auth
+account    include     common-account
+password   include     common-password
 session    required    pam_namespace.so unmnt_remnt no_unmount_on_close
--- newrole/newrole.pamd
+++ newrole/newrole.pamd
@@ -1,6 +1,6 @@
 #%PAM-1.0
-auth       include     system-auth
-account    include     system-auth
-password   include     system-auth
-session    include     system-auth
+auth       include     common-auth
+account    include     common-account
+password   include     common-password
+session    include     common-session
 session    optional    pam_xauth.so
--- run_init/run_init.pamd
+++ run_init/run_init.pamd
@@ -1,6 +1,6 @@
 #%PAM-1.0
-auth       include     system-auth
-account    include     system-auth
-password   include     system-auth
-session    include     system-auth
+auth       include     common-auth
+account    include     common-account
+password   include     common-password
+session    include     common-session
 session    optional    pam_xauth.so
++++++ policycoreutils-po.patch.bz2 ++++++
++++ 292857 lines (skipped)

++++++ restorecond.service ++++++
[Unit]
Description=Restorecon maintaining path file context
After=syslog.target
ConditionPathExists=/etc/selinux/restorecond.conf

[Service]
Type=oneshot
ExecStart=/usr/sbin/restorecond
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
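Review bot: `Type=oneshot` with `RemainAfterExit=yes` marks the unit active as soon as the `ExecStart` process exits, so systemd does not supervise a long-running restorecond and will keep reporting the unit as active even if the daemon has died. If restorecond daemonizes itself, `Type=forking` with a PID file would let systemd track the real process; otherwise document why oneshot is wanted.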
++++++ selinux-polgengui.console ++++++
USER=root
PROGRAM=/usr/share/system-config-selinux/polgengui.py
SESSION=true
++++++ selinux-polgengui.desktop ++++++
[Desktop Entry]
Name=SELinux Policy Generation Tool
Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী
Name[ca]=Eina de generació de polítiques del SELinux
Name[de]=Tool zur Erstellung von SELinux-Richtlinien
Name[es]=Generador de Políticas de SELinux
Name[fi]=SELinux-käytäntöjen generointityökalu
Name[fr]=Outil de génération de stratégies SELinux
Name[gu]=SELinux પોલિસી બનાવટ સાધન
Name[hi]=SELinux पॉलिसी जनन औजार
Name[it]=Tool di generazione della policy di SELinux
Name[ja]=SELinux ポリシー生成ツール
Name[kn]=SELinux ಪಾಲಿಸಿ ಉತ್ಪಾದನಾ ಉಪಕರಣ
Name[ko]=SELinux 정책 생성 도구
Name[ml]=SELinux പോളിസി ഉത്പാദന പ്രയോഗം
Name[mr]=SELinux करार निर्माण साधन
Name[nl]=SELinux tactiek generatie gereedschap
Name[or]=SELinux ନୀତି ସୃଷ୍ଟି ଉପକରଣ
Name[pa]=SELinux ਪਾਲਿਸੀ ਨਿਰਮਾਣ ਜੰਤਰ
Name[pl]=Narzędzie tworzenia polityki SELinuksa
Name[pt]=Ferramenta de Geração de Políticas SELinux
Name[pt_BR]=Ferramenta de criação de políticas do SELinux
Name[ru]=Средство создания политики SELinux
Name[sv]=Genereringsverktyg för SELinuxpolicy
Name[ta]=SELinux பாலிசி உற்பத்தி கருவி
Name[te]=SELinux నిర్వహణ
Name[uk]=Утиліта генерації політики SELinux
Name[zh_CN]=SELinux 策略生成工具
Name[zh_TW]=SELinux 政策產生工具(SELinux Policy Generation Tool)
GenericName=SELinux
Comment=Generate SELinux policy modules
Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন
Comment[ca]=Genera els mòduls de les polítiques de SELinux
Comment[de]=Tool zur Erstellung von SELinux-Richtlinien
Comment[es]=Generar módulos de política de SELinux
Comment[fi]=Generoi SELinuxin käytäntömoduuleja
Comment[fr]=Génére des modules de stratégie SELinux
Comment[gu]=SELinux પોલિસી મોડ્યુલોને ઉત્પન્ન કરો
Comment[hi]=नया पॉलिसी मॉड्यूल उत्पन्न करें
Comment[it]=Genera moduli della politica di SELinux
Comment[ja]=新しいポリシーモジュールの作成
Comment[kn]=SELinux ಪಾಲಿಸಿ ಘಟಕಗಳನ್ನು ಉತ್ಪಾದಿಸು
Comment[ko]=SELinux 정책 모듈 생성
Comment[ml]=SELinux യ പോളിസി ഘങ്ങള്‍ തയ്യാറാക്കുക
Comment[mr]=SELinux करार घटके निर्माण करा
Comment[nl]=Maak een SELinux tactiek module aan
Comment[or]=SELinux ନୀତି ଏକକାଂଶ ସୃଷ୍ଟିକରନ୍ତୁ
Comment[pa]=SELinux ਪਾਲਿਸੀ ਮੈਡਿਊਲ ਬਣਾਓ
Comment[pl]=Tworzenie nowych modułów polityki SELinuksa
Comment[pt]=Gerar módulos de políticas SELinux
Comment[pt_BR]=Gerar módulos de política do SELinux
Comment[ru]=Генерация модулей политики SELinux
Comment[sv]=Generera SELinux-policymoduler
Comment[ta]=SELinux கொள்கை தொகுதியை உருவாக்கவும்
Comment[te]=SELinux పాలసీ మాడ్యూళ్ళను వుద్భవింపచేయుము
Comment[uk]=Створення модулів контролю доступу SELinux
Comment[zh_CN]=生成 SELinux 策略模块
Comment[zh_TW]=產生 SELinux 政策模組
StartupNotify=true
Icon=system-config-selinux
Exec=selinux-polgengui
Type=Application
Terminal=false
Categories=System;Security;Settings;
++++++ system-config-selinux.console ++++++
USER=root
PROGRAM=/usr/share/system-config-selinux/system-config-selinux.py
SESSION=true
++++++ system-config-selinux.desktop ++++++
[Desktop Entry]
Name=SELinux Management
Name[bn_IN]=SELinux পরিচালনা
Name[de]=SELinux-Management
Name[ca]=Gestió de SELinux
Name[es]=Administración de SELinux
Name[fi]=SELinuxin ylläpito
Name[fr]=Gestion de SELinux
Name[gu]=SELinux સંચાલન
Name[hi]=SELinux प्रबंधन
Name[jp]=SELinux 管理
Name[it]=Gestione di SELinux
Name[kn]=SELinux ವ್ಯವಸ್ಥಾಪನೆ
Name[ko]=SELinux 관리
Name[ml]=SELinux മാനേജ്മെന്റ്
Name[mr]=SELinux मॅनेजमेंट
Name[nl]=SELinux beheer
Name[or]=SELinux ପରିଚାଳନା
Name[pa]=SELinux ਮੈਨੇਜਮੈਂਟ
Name[pl]=Zarządzanie SELinuksem
Name[pt_BR]=Gerenciamento do SELinux
Name[pt]=Gestão de SELinux
Name[ru]=Управление SELinux
Name[sv]=SELinux-hantering
Name[ta]=SELinux மேலாண்மை
Name[te]=SELinux నిర్వహణ
Name[uk]=Керування SELinux
Name[zh_CN]=SELinux 管理
Name[zh_TW]=SELinux 管理
GenericName=SELinux
Comment=Configure SELinux in a graphical setting
Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন
Comment[ca]=Configura SELinuc an mode de preferències gràfiques
Comment[de]=SELinux in einer grafischen Einstellung konfigurieren
Comment[es]=Defina SELinux en una configuración de interfaz gráfica
Comment[fi]=Tee SELinuxin asetukset graafisesti
Comment[fr]=Configure SELinux dans un environnement graphique
Comment[gu]=ગ્રાફિકલ સુયોજનમાં SELinux ને રૂપરેખાંકિત કરો
Comment[hi]=SELinux को आलेखी सेटिंग में विन्यस्त करें
Comment[it]=Configura SELinux in una impostazione grafica
Comment[jp]=グラフィカルな設定画面で SELinux を設定する
Comment[ko]=SELinux를 그래픽 사용자 인터페이스로 설정
Comment[kn]=SELinux ಅನ್ನು ಒಂದು ಚಿತ್ರಾತ್ಮಕ ಸಿದ್ದತೆಯಲ್ಲಿ ಸಂರಚಿಸಿ
Comment[ml]=ഒരു ഗ്രാഫിക്കല്‍ സജ്ജീകരണത്തില്‍ SELinux ക്രമീകരിയ്ക്കുക
Comment[mr]=ग्राफिकल सेटिंगमध्ये SELinux संरचीत करा
Comment[nl]=Configureer SELinux in een grafische omgeving
Comment[or]=SELinux କୁ ଆଲେଖିକ ସଂରଚନାରେ ବିନ୍ୟାସ କରନ୍ତୁ
Comment[pa]=SELinux ਨੂੰ ਗਰਾਫੀਕਲ ਸੈਟਿੰਗ ਵਿੱਚ ਸੰਰਚਿਤ ਕਰੋ
Comment[pl]=Konfiguracja SELinuksa w trybie graficznym
Comment[pt]=Configurar o SELinux num ambiente gráfico
Comment[pt_BR]=Configure o SELinux em uma configuração gráfica
Comment[ru]=Настройка SELinux в графическом режиме
Comment[sv]=Konfigurera SELinux i en grafisk miljö
Comment[ta]=SELinuxஐ ஒரு வரைகலை அமைவில் கட்டமைக்கவும்
Comment[te]=SELinuxను గ్రాఫికల్ అమర్పునందు ఆకృతీకరించుము
Comment[uk]=Засіб для налаштування SELinux з графічним інтерфейсом
Comment[zh_CN]=在图形设置中配置 SELinux
Comment[zh_TW]=在圖形話設定中配置 SELinux
StartupNotify=true
Icon=system-config-selinux
Exec=system-config-selinux
Type=Application
Terminal=false
Categories=System;Security;Settings;
++++++ system-config-selinux.pam ++++++
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       include      common-auth
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
account    required     pam_permit.so
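Review bot: `account required pam_permit.so` means no account checks are applied to a tool that the matching .console file runs as root, while auth already pulls in `common-auth`. Consider `account include common-account`, as the newrole and run_init PAM files in this commit do, or add a comment explaining why account validation is skipped here.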