commit: 685aedaac01af5646f14c545bd81c7d4d6069dd8 Author: Jason Zaman <perfinion <AT> gentoo <DOT> org> AuthorDate: Thu Sep 1 15:54:03 2016 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Thu Sep 1 16:28:20 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=685aedaa
sys-libs/libsemanage: Remove unneeded patch Package-Manager: portage-2.2.28 ...-do-not-copy-contexts-in-semanage_migrate.patch | 208 --------------------- sys-libs/libsemanage/libsemanage-9999.ebuild | 4 - 2 files changed, 212 deletions(-) diff --git a/sys-libs/libsemanage/files/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch b/sys-libs/libsemanage/files/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch deleted file mode 100644 index 8e523dc..00000000 --- a/sys-libs/libsemanage/files/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch +++ /dev/null @@ -1,208 +0,0 @@ -From 9caebebd598de737f27cdc8d5253a2cebd67d5a9 Mon Sep 17 00:00:00 2001 -From: Jason Zaman <[email protected]> -Date: Wed, 22 Apr 2015 18:27:09 +0400 -Subject: [PATCH] libsemanage: do not copy contexts in semanage_migrate_store - -The modules from the old store were previously copied to the new one -using setfscreatecon and shutil.copy2(). Now that refpolicy has rules -about the new policy location[1], copying the contexts is redundant. - -More importantly, the setcreatefscon caused a constraint violation[2] -which made the migration fail. In python3, shutil.copy2() copies xattrs -as well which again causes problems. shutil.copy() is enough for our -needs here as it will copy the file and permissions in both py2 and 3. -We do not need the extra things that copy2() does (mtime, xattr, etc). - -[1] http://oss.tresys.com/pipermail/refpolicy/2014-December/007511.html - -[2] -type=AVC msg=audit(1429438272.872:1869): avc: denied { create } for pid=28739 comm="semanage_migrat" name="strict" scontext=staff_u:sysadm_r:semanage_t tcontext=system_u:object_r:semanage_store_t tclass=dir permissive=0 - constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED -allow semanage_t semanage_store_t:dir create; - -Signed-off-by: Jason Zaman <[email protected]> ---- - libsemanage/utils/semanage_migrate_store | 77 ++++++++------------------------ - 1 file changed, 18 insertions(+), 59 deletions(-) - -diff --git a/libsemanage/utils/semanage_migrate_store b/libsemanage/utils/semanage_migrate_store -index 03b492e..2f85e9c 100755 ---- a/libsemanage/utils/semanage_migrate_store -+++ b/libsemanage/utils/semanage_migrate_store -@@ -8,7 +8,6 @@ import shutil - import sys - from optparse import OptionParser - --import bz2 - import ctypes - - sepol = ctypes.cdll.LoadLibrary('libsepol.so') -@@ -21,41 +20,20 @@ except: - exit(1) - - -- -- --# For some reason this function doesn't exist in libselinux :\ --def copy_with_context(src, dst): -+def copy_file(src, dst): - if DEBUG: - print("copying %s to %s" % (src, dst)) - try: -- con = selinux.lgetfilecon_raw(src)[1] -- except: -- print("Could not get file context of %s" % src, file=sys.stderr) -- exit(1) -- -- try: -- selinux.setfscreatecon_raw(con) -- except: -- print("Could not set fs create context: %s" %con, file=sys.stderr) -- exit(1) -- -- try: -- shutil.copy2(src, dst) -+ shutil.copy(src, dst) - except OSError as the_err: - (err, strerr) = the_err.args - print("Could not copy %s to %s, %s" %(src, dst, strerr), file=sys.stderr) - exit(1) - -- try: -- selinux.setfscreatecon_raw(None) -- except: -- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) - --def create_dir_from(src, dst, mode): -+def create_dir(dst, mode): - if DEBUG: print("Making directory %s" % dst) - try: -- con = selinux.lgetfilecon_raw(src)[1] -- selinux.setfscreatecon_raw(con) - os.makedirs(dst, mode) - except OSError as the_err: - (err, stderr) = the_err.args -@@ -65,28 +43,18 @@ def create_dir_from(src, dst, mode): - print("Error creating %s" % dst, file=sys.stderr) - exit(1) - -- try: -- selinux.setfscreatecon_raw(None) -- except: -- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) - --def create_file_from(src, dst): -+def create_file(dst): - if DEBUG: print("Making file %s" % dst) - try: -- con = selinux.lgetfilecon_raw(src)[1] -- selinux.setfscreatecon_raw(con) - open(dst, 'a').close() - except OSError as the_err: - (err, stderr) = the_err.args - print("Error creating %s" % dst, file=sys.stderr) - exit(1) - -- try: -- selinux.setfscreatecon_raw(None) -- except: -- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) - --def copy_module(store, name, con, base): -+def copy_module(store, name, base): - if DEBUG: print("Install module %s" % name) - (file, ext) = os.path.splitext(name) - if ext != ".pp": -@@ -94,8 +62,6 @@ def copy_module(store, name, con, base): - print("warning: %s has invalid extension, skipping" % name, file=sys.stderr) - return - try: -- selinux.setfscreatecon_raw(con) -- - if base: - root = oldstore_path(store) - else: -@@ -105,7 +71,7 @@ def copy_module(store, name, con, base): - - os.mkdir("%s/%s" % (bottomdir, file)) - -- copy_with_context(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file)) -+ copy_file(os.path.join(root, name), "%s/%s/hll" % (bottomdir, file)) - - # This is the ext file that will eventually be used to choose a compiler - efile = open("%s/%s/lang_ext" % (bottomdir, file), "w+", 0o600) -@@ -116,15 +82,11 @@ def copy_module(store, name, con, base): - print("Error installing module %s" % name, file=sys.stderr) - exit(1) - -- try: -- selinux.setfscreatecon_raw(None) -- except: -- print("Could not reset fs create context. May need to relabel system.", file=sys.stderr) - --def disable_module(file, root, name, disabledmodules): -+def disable_module(file, name, disabledmodules): - if DEBUG: print("Disabling %s" % name) - (disabledname, disabledext) = os.path.splitext(file) -- create_file_from(os.path.join(root, name), "%s/%s" % (disabledmodules, disabledname)) -+ create_file("%s/%s" % (disabledmodules, disabledname)) - - def migrate_store(store): - -@@ -138,17 +100,14 @@ def migrate_store(store): - print("Migrating from %s to %s" % (oldstore, newstore)) - - # Build up new directory structure -- create_dir_from(oldstore, "%s/%s" % (newroot_path(), store), 0o755) -- create_dir_from(oldstore, newstore, 0o700) -- create_dir_from(oldstore, newmodules, 0o700) -- create_dir_from(oldstore, bottomdir, 0o700) -- create_dir_from(oldstore, disabledmodules, 0o700) -- -- # use whatever the file context of bottomdir is for the module directories -- con = selinux.lgetfilecon_raw(bottomdir)[1] -+ create_dir("%s/%s" % (newroot_path(), store), 0o755) -+ create_dir(newstore, 0o700) -+ create_dir(newmodules, 0o700) -+ create_dir(bottomdir, 0o700) -+ create_dir(disabledmodules, 0o700) - - # Special case for base since it was in a different location -- copy_module(store, "base.pp", con, 1) -+ copy_module(store, "base.pp", 1) - - # Dir structure built, start copying files - for root, dirs, files in os.walk(oldstore): -@@ -161,7 +120,7 @@ def migrate_store(store): - newname = "seusers.local" - else: - newname = name -- copy_with_context(os.path.join(root, name), os.path.join(newstore, newname)) -+ copy_file(os.path.join(root, name), os.path.join(newstore, newname)) - - elif root == oldmodules: - # This should be the modules directory -@@ -171,9 +130,9 @@ def migrate_store(store): - print("Error installing module %s, name conflicts with base" % name, file=sys.stderr) - exit(1) - elif ext == ".disabled": -- disable_module(file, root, name, disabledmodules) -+ disable_module(file, name, disabledmodules) - else: -- copy_module(store, name, con, 0) -+ copy_module(store, name, 0) - - def rebuild_policy(): - # Ok, the modules are loaded, lets try to rebuild the policy -@@ -287,7 +246,7 @@ if __name__ == "__main__": - "preserve_tunables" ] - - -- create_dir_from(oldroot_path(), newroot_path(), 0o755) -+ create_dir(newroot_path(), 0o755) - - stores = None - if TYPE is not None: --- -2.0.5 - diff --git a/sys-libs/libsemanage/libsemanage-9999.ebuild b/sys-libs/libsemanage/libsemanage-9999.ebuild index aa544a3..d444574 100644 --- a/sys-libs/libsemanage/libsemanage-9999.ebuild +++ b/sys-libs/libsemanage/libsemanage-9999.ebuild @@ -72,10 +72,6 @@ src_prepare() { echo "# decompression of modules in the module store." >> "${S}/src/semanage.conf" echo "bzip-small=true" >> "${S}/src/semanage.conf" - if [[ ${PV} != 9999 ]] ; then - # If wanted for live builds, please use /etc/portage/patches - eapply "${FILESDIR}/0001-libsemanage-do-not-copy-contexts-in-semanage_migrate.patch" - fi eapply "${FILESDIR}"/${PN}-2.6-build-paths.patch eapply_user
