Hello community,

here is the log from the commit of package policycoreutils for openSUSE:Factory 
checked in at 2020-10-06 17:08:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old)
 and      /work/SRC/openSUSE:Factory/.policycoreutils.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "policycoreutils"

Tue Oct  6 17:08:16 2020 rev:56 rq:835124 version:3.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes  
2020-06-05 20:08:40.161437663 +0200
+++ 
/work/SRC/openSUSE:Factory/.policycoreutils.new.4249/policycoreutils.changes    
    2020-10-06 17:10:10.165478520 +0200
@@ -1,0 +2,39 @@
+Thu Sep 10 09:00:45 UTC 2020 - Johannes Segitz <jseg...@suse.com>
+
+- Add get_os_version.patch
+  get_os_version is implemented in a very RH/Fedora specific way.
+  Ensure that it returns a valid string for SUSE by changing the 
+  default. Also remove the RH specific logic when generating HTML
+  versions of the SELinux documentation
+
+-------------------------------------------------------------------
+Wed Jul 29 13:09:39 UTC 2020 - Thorsten Kukuk <ku...@suse.com>
+
+- Align more with Fedora spec file to get rid of python dependencies
+  in the core system
+  - create new python-utils sub-package
+  - move some tools to devel sub-package
+- Cleanup dependencies
+
+-------------------------------------------------------------------
+Fri Jul 17 09:35:08 UTC 2020 - Johannes Segitz <jseg...@suse.com>
+
+- Proper default permissions for newrole (4755)
+
+-------------------------------------------------------------------
+Tue Jul 14 08:28:44 UTC 2020 - Johannes Segitz <jseg...@suse.com>
+
+- Update to version 3.1
+  * New `setfiles -E` option - treat conflicting specifications as errors, such
+    as where two hardlinks for the same inode have different contexts.
+  * `setsebool -V` reports errors from commit phase
+  * matchpathcon related interfaces are deprecated
+  * New `restorecon -x` option which prevents it from crossing file system
+  * boundaries.
+  * `sepolgen-ifgen` parses a gen_tunable statement as bool
+  * Removed Requires for python3-ipy as the ipaddress module is used. No
+    requires for python-ipaddress as it's assumed this is used only on recent
+    systems
+  * Drop chcat_join.patch, is upstream
+
+-------------------------------------------------------------------
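
Review bot: In the "Update to version 3.1" entry, the `restorecon -x` item is split across two bullets, so "* boundaries." reads as a separate change; make it a continuation line of the previous item. The "Proper default permissions for newrole (4755)" entry should also say in one sentence why the binary is now packaged setuid root, since that is the security-relevant part of this update.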

Old:
----
  chcat_join.patch
  policycoreutils-3.0.tar.gz
  selinux-python-3.0.tar.gz
  semodule-utils-3.0.tar.gz

New:
----
  get_os_version.patch
  policycoreutils-3.1.tar.gz
  selinux-python-3.1.tar.gz
  semodule-utils-3.1.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ policycoreutils.spec ++++++
--- /var/tmp/diff_new_pack.grMClM/_old  2020-10-06 17:10:20.737487651 +0200
+++ /var/tmp/diff_new_pack.grMClM/_new  2020-10-06 17:10:20.745487658 +0200
@@ -17,13 +17,13 @@
 
 
 %define libaudit_ver     2.2
-%define libsepol_ver     3.0
-%define libsemanage_ver  3.0
-%define libselinux_ver   3.0
+%define libsepol_ver     3.1
+%define libsemanage_ver  3.1
+%define libselinux_ver   3.1
 %define setools_ver      4.1.1
-%define tstamp           20191204
+%define tstamp           20200710
 Name:           policycoreutils
-Version:        3.0
+Version:        3.1
 Release:        0
 Summary:        SELinux policy core utilities
 License:        GPL-2.0-or-later
@@ -41,7 +41,7 @@
 Source9:        newrole.pam
 Patch0:         make_targets.patch
 Patch1:         run_init_use_pam_keyinit.patch
-Patch2:         chcat_join.patch
+Patch2:         get_os_version.patch
 BuildRequires:  audit-devel >= %{libaudit_ver}
 BuildRequires:  bison
 BuildRequires:  dbus-1-glib-devel
@@ -61,25 +61,13 @@
 BuildRequires:  python-rpm-macros
 BuildRequires:  python3
 BuildRequires:  python3-setools >= %{setools_ver}
-BuildRequires:  systemd-rpm-macros
 BuildRequires:  update-desktop-files
 BuildRequires:  xmlto
-Requires:       checkpolicy
 Requires:       gawk
 Requires:       libsepol1 >= %{libsepol_ver}
-Requires:       python3-%{name}
-Requires:       python3-ipy
-Requires:       python3-networkx
-Requires:       python3-selinux
-Requires:       python3-semanage
 Requires:       rpm
+Requires:       selinux-tools
 Requires:       util-linux
-# we need selinuxenabled
-Requires(post): selinux-tools
-Requires(pre):  %fillup_prereq
-Requires(pre):  permissions
-Obsoletes:      policycoreutils-python
-%{?systemd_requires}
 
 %description
 policycoreutils contains the policy core utilities that are required
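
Review bot: The main package loses its `Requires:` on `python3-%{name}`, `python3-selinux`, `python3-semanage` and `checkpolicy` here, and `semanage`, `audit2allow`, `audit2why` and `chcat` move to the new python-utils sub-package further down, so a system that only had `policycoreutils` installed no longer gets those tools after the update. If that is the intended result of removing Python from the core system, state it explicitly in the changelog entry so administrators know to install `policycoreutils-python-utils`. The "we need selinuxenabled" comment is removed together with `Requires(post): selinux-tools`; keep a comment on the new plain `Requires: selinux-tools` so the reason for the dependency is not lost.
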
@@ -102,15 +90,28 @@
 Requires:       checkpolicy
 Requires:       python3-audit >= %{libaudit_ver}
 Requires:       python3-selinux
+Requires:       python3-semanage
 Requires:       python3-setools >= %{setools_ver}
 Requires:       python3-setuptools
 Provides:       policycoreutils-python = %{version}-%{release}
 Obsoletes:      policycoreutils-python < %{version}
+BuildArch:      noarch
 
 %description -n python3-%{name}
 The python-policycoreutils package contains the interfaces that can be used
 by python in an SELinux environment.
 
+%package python-utils
+Summary:        SELinux policy core python utilities
+Group:          Productivity/Security
+Requires:       python3-policycoreutils = %{version}-%{release}
+BuildArch:      noarch
+Obsoletes:      policycoreutils-python
+
+%description python-utils
+The policycoreutils-python-utils package contains the management tools
+use to manage an SELinux environment.
+
 %package devel
 Summary:        SELinux policy core policy devel utilities
 Group:          Productivity/Security
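
Review bot: `Obsoletes: policycoreutils-python` in the new `python-utils` sub-package is unversioned, while `python3-%{name}` just above already carries `Obsoletes: policycoreutils-python < %{version}` with a matching `Provides:`. Having two sub-packages obsolete the same name leaves it unclear which one is meant to replace the old package on upgrade; keep a single, versioned `Obsoletes:`. In `%description python-utils`, "use to manage" should read "used to manage".
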
@@ -134,7 +135,10 @@
 Summary:        The newrole application for RBAC/MLS
 Group:          Productivity/Security
 Requires:       %{name} = %{version}
-Requires(pre):  permissions
+# we need both, else permissions could be de-installed
+# and verify failed
+Requires:       permissions
+Requires(post): permissions
 
 %description newrole
 RBAC/MLS policy machines require newrole as a way of changing the role
@@ -188,7 +192,6 @@
 rm -f %{buildroot}%{_mandir}/ru/man8/genhomedircon.8.gz
 ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
 ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
-mkdir -p %{buildroot}%{_fillupdir}/
 mkdir -p %{buildroot}%{_libexecdir}/selinux/hll/
 mkdir -p %{buildroot}%{_localstatedir}/lib/sepolgen
 cp %{python3_sitearch}/setools/perm_map 
%{buildroot}%{_localstatedir}/lib/sepolgen
@@ -210,10 +213,6 @@
 %endif
 cp -f %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/newrole
 
-%post -n python3-%{name}
-selinuxenabled && [ -f %{_datadir}/selinux/devel/include/build.conf ] && 
%{_bindir}/sepolgen-ifgen 2>/dev/null
-exit 0
-
 %post newrole
 %set_permissions %{_bindir}/newrole
 
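
Review bot: Nothing in this diff replaces the install-time `sepolgen-ifgen` run that the removed `%post -n python3-%{name}` scriptlet performed, even though `sepolgen-ifgen` and `%{_localstatedir}/lib/sepolgen` now ship in the devel sub-package. If the generated interface data is still wanted after installation, add an equivalent `%post devel` scriptlet; if not, mention the dropped step in the changelog.
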
@@ -224,21 +223,12 @@
 /sbin/restorecon
 /sbin/setfiles
 /sbin/restorecon_xattr
-%{_bindir}/audit2allow
-%{_bindir}/audit2why
-%{_bindir}/chcat
-%{_bindir}/sepolgen
-%{_bindir}/sepolgen-ifgen
-%{_bindir}/sepolgen-ifgen-attr-helper
-%{_bindir}/sepolicy
 %{_bindir}/semodule_expand
 %{_bindir}/semodule_link
 %{_bindir}/semodule_package
 %{_bindir}/semodule_unpackage
-%{_sbindir}/semanage
 %{_sbindir}/fixfiles
 %{_sbindir}/load_policy
-%dir %{_localstatedir}/lib/sepolgen
 %dir %{_libexecdir}/selinux
 %dir %{_libexecdir}/selinux/hll
 %{_libexecdir}/selinux/hll/pp
@@ -251,19 +241,44 @@
 %{_bindir}/secon
 %config(noreplace) %{_sysconfdir}/pam.d/run_init
 %config(noreplace) %{_sysconfdir}/sestatus.conf
-%{_mandir}/man8/*
-%{_mandir}/ru/man8/*
+%{_mandir}/man8/fixfiles.8%{?ext_man}
+%{_mandir}/man8/genhomedircon.8%{?ext_man}
+%{_mandir}/man8/load_policy.8%{?ext_man}
+%{_mandir}/man8/open_init_pty.8%{?ext_man}
+%{_mandir}/man8/restorecon.8%{?ext_man}
+%{_mandir}/man8/restorecon_xattr.8%{?ext_man}
+%{_mandir}/man8/run_init.8%{?ext_man}
+%{_mandir}/man8/semodule.8%{?ext_man}
+%{_mandir}/man8/semodule_expand.8%{?ext_man}
+%{_mandir}/man8/semodule_link.8%{?ext_man}
+%{_mandir}/man8/semodule_package.8%{?ext_man}
+%{_mandir}/man8/semodule_unpackage.8%{?ext_man}
+%{_mandir}/man8/sestatus.8%{?ext_man}
+%{_mandir}/man8/setfiles.8%{?ext_man}
+%{_mandir}/man8/setsebool.8%{?ext_man}
+%{_mandir}/ru/man8/fixfiles.8%{?ext_man}
+%{_mandir}/ru/man8/genhomedircon.8%{?ext_man}
+%{_mandir}/ru/man8/load_policy.8%{?ext_man}
+%{_mandir}/ru/man8/open_init_pty.8%{?ext_man}
+%{_mandir}/ru/man8/restorecon.8%{?ext_man}
+%{_mandir}/ru/man8/restorecon_xattr.8%{?ext_man}
+%{_mandir}/ru/man8/run_init.8%{?ext_man}
+%{_mandir}/ru/man8/semodule.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_expand.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_link.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_package.8%{?ext_man}
+%{_mandir}/ru/man8/semodule_unpackage.8%{?ext_man}
+%{_mandir}/ru/man8/sepolgen.8%{?ext_man}
+%{_mandir}/ru/man8/sestatus.8%{?ext_man}
+%{_mandir}/ru/man8/setfiles.8%{?ext_man}
+%{_mandir}/ru/man8/setsebool.8%{?ext_man}
 %{_mandir}/man5/selinux_config.5%{?ext_man}
 %{_mandir}/man5/sestatus.conf.5%{?ext_man}
 %{_mandir}/ru/man5/selinux_config.5%{?ext_man}
 %{_mandir}/ru/man5/sestatus.conf.5%{?ext_man}
 %{_mandir}/man1/secon.1%{?ext_man}
-%{_mandir}/man1/audit2allow.1%{?ext_man}
-%{_mandir}/man1/audit2why.1%{?ext_man}
 %{_mandir}/ru/man1/secon.1%{?ext_man}
-%{_mandir}/ru/man1/audit2allow.1%{?ext_man}
-%{_mandir}/ru/man1/audit2why.1%{?ext_man}
-%{_datadir}/bash-completion/completions/*
+%{_datadir}/bash-completion/completions/setsebool
 
 %files -n python3-%{name}
 %{python3_sitelib}/*
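
Review bot: `%{_mandir}/ru/man8/sepolgen.8%{?ext_man}` is added to the main package's file list, but the English `man8/sepolgen.8` is not, and `%files devel` later in this diff lists both pages, so the Russian page ends up owned by two sub-packages. Drop the `ru/man8/sepolgen.8` line from this list so the page ships only in devel together with `%{_bindir}/sepolgen`.
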
@@ -271,12 +286,52 @@
 
 %files lang -f %{name}.lang
 
+%files python-utils
+%{_bindir}/audit2allow
+%{_bindir}/audit2why
+%{_bindir}/chcat
+%{_sbindir}/semanage
+%{_mandir}/man1/audit2allow.1%{?ext_man}
+%{_mandir}/ru/man1/audit2allow.1%{?ext_man}
+%{_mandir}/man1/audit2why.1%{?ext_man}
+%{_mandir}/ru/man1/audit2why.1%{?ext_man}
+%{_mandir}/man8/chcat.8%{?ext_man}
+%{_mandir}/ru/man8/chcat.8%{?ext_man}
+%{_mandir}/man8/semanage*.8%{?ext_man}
+%{_mandir}/ru/man8/semanage*.8%{?ext_man}
+%{_datadir}/bash-completion/completions/semanage
+
 %files devel
+%{_bindir}/sepolgen
+%{_bindir}/sepolgen-ifgen
+%{_bindir}/sepolgen-ifgen-attr-helper
+%{_bindir}/sepolicy
+%{_mandir}/man8/sepolicy-booleans.8%{?ext_man}
+%{_mandir}/man8/sepolicy-communicate.8%{?ext_man}
+%{_mandir}/man8/sepolicy-generate.8%{?ext_man}
+%{_mandir}/man8/sepolicy-gui.8%{?ext_man}
+%{_mandir}/man8/sepolicy-interface.8%{?ext_man}
+%{_mandir}/man8/sepolicy-manpage.8%{?ext_man}
+%{_mandir}/man8/sepolicy-network.8%{?ext_man}
+%{_mandir}/man8/sepolicy-transition.8%{?ext_man}
+%{_mandir}/man8/sepolicy.8%{?ext_man}
+%{_mandir}/man8/sepolgen.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-booleans.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-communicate.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-generate.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-gui.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-interface.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-manpage.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-network.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy-transition.8%{?ext_man}
+%{_mandir}/ru/man8/sepolicy.8%{?ext_man}
+%{_mandir}/ru/man8/sepolgen.8%{?ext_man}
 %dir %{_localstatedir}/lib/sepolgen
 %{_localstatedir}/lib/sepolgen/perm_map
+%{_datadir}/bash-completion/completions/sepolicy
 
 %files newrole
-%verify(not mode) %attr(0755,root,root) %{_bindir}/newrole
+%verify(not mode) %attr(4755,root,root) %{_bindir}/newrole
 %{_mandir}/man1/newrole.1%{?ext_man}
 %{_mandir}/ru/man1/newrole.1%{?ext_man}
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
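
Review bot: `%attr(4755,root,root)` on `%{_bindir}/newrole` packages the binary setuid root while `%verify(not mode)` keeps `rpm -V` from reporting any later mode change, so the effective mode depends on what `%set_permissions %{_bindir}/newrole` applies in `%post newrole`. Confirm that the permissions profiles carry a matching entry for this path, and add a spec comment above the line stating why setuid is required.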

++++++ get_os_version.patch ++++++
Index: policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/__init__.py
===================================================================
--- policycoreutils-3.1.orig/selinux-python-3.1/sepolicy/sepolicy/__init__.py
+++ policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/__init__.py
@@ -1226,7 +1226,8 @@ def get_os_version():
     elif os_version[0:2] == "el":
         os_version = "RHEL" + os_version[2:]
     else:
-        os_version = ""
+        # make SUSE the default return value on SUSE systems
+        os_version = "SUSE"
 
     return os_version
 
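
Review bot: The `else:` branch now returns "SUSE" for every value that did not match the checks above, not only "on SUSE systems" as the new comment says. That is workable for a distribution-only patch, but the comment should say the fallback is unconditional so nobody later assumes a real SUSE detection happens here.
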
Index: policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/manpage.py
===================================================================
--- policycoreutils-3.1.orig/selinux-python-3.1/sepolicy/sepolicy/manpage.py
+++ policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/manpage.py
@@ -192,11 +192,7 @@ class HTMLManPages:
         self.old_path = path + "/"
         self.new_path = self.old_path + self.os_version + "/"
 
-        if self.os_version in fedora_releases or self.os_version in 
rhel_releases:
-            self.__gen_html_manpages()
-        else:
-            print("SELinux HTML man pages can not be generated for this %s" % 
os_version)
-            exit(1)
+        self.__gen_html_manpages()
 
     def __gen_html_manpages(self):
         self._write_html_manpage()
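
Review bot: With the release check removed in `HTMLManPages`, `self.os_version` goes unvalidated into `self.new_path = self.old_path + self.os_version + "/"`, so the output directory is whatever the version lookup returned. Check whether `fedora_releases` and `rhel_releases` are still referenced elsewhere in `manpage.py`; if this was their only use, the patch should remove them as well rather than leave dead names behind.
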
++++++ policycoreutils-3.0.tar.gz -> policycoreutils-3.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/VERSION 
new/policycoreutils-3.1/VERSION
--- old/policycoreutils-3.0/VERSION     2019-11-28 13:46:48.000000000 +0100
+++ new/policycoreutils-3.1/VERSION     2020-07-10 17:17:15.000000000 +0200
@@ -1 +1 @@
-3.0
+3.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/newrole/hashtab.c 
new/policycoreutils-3.1/newrole/hashtab.c
--- old/policycoreutils-3.0/newrole/hashtab.c   2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/newrole/hashtab.c   2020-07-10 17:17:15.000000000 
+0200
@@ -112,48 +112,6 @@
        return HASHTAB_SUCCESS;
 }
 
-int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum,
-                   void (*destroy) (hashtab_key_t k,
-                                    hashtab_datum_t d, void *args), void *args)
-{
-       int hvalue;
-       hashtab_ptr_t prev, cur, newnode;
-
-       if (!h)
-               return HASHTAB_OVERFLOW;
-
-       hvalue = h->hash_value(h, key);
-       prev = NULL;
-       cur = h->htable[hvalue];
-       while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
-               prev = cur;
-               cur = cur->next;
-       }
-
-       if (cur && (h->keycmp(h, key, cur->key) == 0)) {
-               if (destroy)
-                       destroy(cur->key, cur->datum, args);
-               cur->key = key;
-               cur->datum = datum;
-       } else {
-               newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
-               if (newnode == NULL)
-                       return HASHTAB_OVERFLOW;
-               memset(newnode, 0, sizeof(struct hashtab_node));
-               newnode->key = key;
-               newnode->datum = datum;
-               if (prev) {
-                       newnode->next = prev->next;
-                       prev->next = newnode;
-               } else {
-                       newnode->next = h->htable[hvalue];
-                       h->htable[hvalue] = newnode;
-               }
-       }
-
-       return HASHTAB_SUCCESS;
-}
-
 hashtab_datum_t hashtab_search(hashtab_t h, const_hashtab_key_t key)
 {
 
@@ -220,49 +178,6 @@
        return HASHTAB_SUCCESS;
 }
 
-void hashtab_map_remove_on_error(hashtab_t h,
-                                int (*apply) (hashtab_key_t k,
-                                              hashtab_datum_t d,
-                                              void *args),
-                                void (*destroy) (hashtab_key_t k,
-                                                 hashtab_datum_t d,
-                                                 void *args), void *args)
-{
-       unsigned int i;
-       int ret;
-       hashtab_ptr_t last, cur, temp;
-
-       if (!h)
-               return;
-
-       for (i = 0; i < h->size; i++) {
-               last = NULL;
-               cur = h->htable[i];
-               while (cur != NULL) {
-                       ret = apply(cur->key, cur->datum, args);
-                       if (ret) {
-                               if (last) {
-                                       last->next = cur->next;
-                               } else {
-                                       h->htable[i] = cur->next;
-                               }
-
-                               temp = cur;
-                               cur = cur->next;
-                               if (destroy)
-                                       destroy(temp->key, temp->datum, args);
-                               free(temp);
-                               h->nel--;
-                       } else {
-                               last = cur;
-                               cur = cur->next;
-                       }
-               }
-       }
-
-       return;
-}
-
 void hashtab_hash_eval(hashtab_t h, char *tag)
 {
        unsigned int i;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/newrole/hashtab.h 
new/policycoreutils-3.1/newrole/hashtab.h
--- old/policycoreutils-3.0/newrole/hashtab.h   2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/newrole/hashtab.h   2020-07-10 17:17:15.000000000 
+0200
@@ -82,20 +82,6 @@
                                           void *args), void *args);
 
 /*
-   Insert or replace the specified (key, datum) pair in the specified
-   hash table.  If an entry for the specified key already exists,
-   then the specified destroy function is applied to (key,datum,args)
-   for the entry prior to replacing the entry's contents.
-
-   Returns HASHTAB_OVERFLOW if insufficient space is available or
-   HASHTAB_SUCCESS otherwise.
- */
-extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d,
-                          void (*destroy) (hashtab_key_t k,
-                                           hashtab_datum_t d,
-                                           void *args), void *args);
-
-/*
    Searches for the entry with the specified key in the hash table.
 
    Returns NULL if no entry has the specified key or
@@ -124,20 +110,6 @@
                                     hashtab_datum_t d,
                                     void *args), void *args);
 
-/*
-   Same as hashtab_map, except that if apply returns a non-zero status,
-   then the (key,datum) pair will be removed from the hashtab and the
-   destroy function will be applied to (key,datum,args).
- */
-extern void hashtab_map_remove_on_error(hashtab_t h,
-                                       int (*apply) (hashtab_key_t k,
-                                                     hashtab_datum_t d,
-                                                     void *args),
-                                       void (*destroy) (hashtab_key_t k,
-                                                        hashtab_datum_t d,
-                                                        void *args),
-                                       void *args);
-
 extern void hashtab_hash_eval(hashtab_t h, char *tag);
 
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/newrole/newrole.c 
new/policycoreutils-3.1/newrole/newrole.c
--- old/policycoreutils-3.0/newrole/newrole.c   2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/newrole/newrole.c   2020-07-10 17:17:15.000000000 
+0200
@@ -643,8 +643,8 @@
 #ifdef AUDIT_LOG_PRIV
 /* Send audit message */
 static
-int send_audit_message(int success, security_context_t old_context,
-                      security_context_t new_context, const char *ttyn)
+int send_audit_message(int success, const char *old_context,
+                      const char *new_context, const char *ttyn)
 {
        char *msg = NULL;
        int rc;
@@ -677,9 +677,9 @@
 #else
 static inline
     int send_audit_message(int success __attribute__ ((unused)),
-                          security_context_t old_context
+                          const char *old_context
                           __attribute__ ((unused)),
-                          security_context_t new_context
+                          const char *new_context
                           __attribute__ ((unused)), const char *ttyn
                           __attribute__ ((unused)))
 {
@@ -695,14 +695,14 @@
  * This function will not fail if it can not relabel the tty when selinux is
  * in permissive mode.
  */
-static int relabel_tty(const char *ttyn, security_context_t new_context,
-                      security_context_t * tty_context,
-                      security_context_t * new_tty_context)
+static int relabel_tty(const char *ttyn, const char *new_context,
+                      char **tty_context,
+                      char **new_tty_context)
 {
        int fd, rc;
        int enforcing = security_getenforce();
-       security_context_t tty_con = NULL;
-       security_context_t new_tty_con = NULL;
+       char *tty_con = NULL;
+       char *new_tty_con = NULL;
 
        if (!ttyn)
                return 0;
@@ -775,11 +775,11 @@
  * Returns zero on success, non-zero otherwise
  */
 static int restore_tty_label(int fd, const char *ttyn,
-                            security_context_t tty_context,
-                            security_context_t new_tty_context)
+                            const char *tty_context,
+                            const char *new_tty_context)
 {
        int rc = 0;
-       security_context_t chk_tty_context = NULL;
+       char *chk_tty_context = NULL;
 
        if (!ttyn)
                goto skip_relabel;
@@ -816,8 +816,8 @@
  * Returns zero on success, non-zero otherwise.
  */
 static int parse_command_line_arguments(int argc, char **argv, char *ttyn,
-                                       security_context_t old_context,
-                                       security_context_t * new_context,
+                                       const char *old_context,
+                                       char **new_context,
                                        int *preserve_environment)
 {
        int flag_index;         /* flag index in argv[] */
@@ -827,8 +827,8 @@
        char *type_ptr = NULL;  /* stores malloc'd data from get_default_type */
        char *level_s = NULL;   /* level spec'd by user in argv[] */
        char *range_ptr = NULL;
-       security_context_t new_con = NULL;
-       security_context_t tty_con = NULL;
+       char *new_con = NULL;
+       char *tty_con = NULL;
        context_t context = NULL;       /* manipulatable form of new_context */
        const struct option long_options[] = {
                {"role", 1, 0, 'r'},
@@ -1021,10 +1021,10 @@
 
 int main(int argc, char *argv[])
 {
-       security_context_t new_context = NULL;  /* target security context */
-       security_context_t old_context = NULL;  /* original securiy context */
-       security_context_t tty_context = NULL;  /* current context of tty */
-       security_context_t new_tty_context = NULL;      /* new context of tty */
+       char *new_context = NULL;       /* target security context */
+       char *old_context = NULL;       /* original securiy context */
+       char *tty_context = NULL;       /* current context of tty */
+       char *new_tty_context = NULL;   /* new context of tty */
 
        struct passwd pw;       /* struct derived from passwd file line */
        char *ttyn = NULL;      /* tty path */
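
Review bot: The rewritten `old_context` declaration in `main()` carries over the comment typo "securiy"; since the line is being replaced anyway, correct it to "security".
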
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/run_init/run_init.c 
new/policycoreutils-3.1/run_init/run_init.c
--- old/policycoreutils-3.0/run_init/run_init.c 2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/run_init/run_init.c 2020-07-10 17:17:15.000000000 
+0200
@@ -303,7 +303,7 @@
  * out:                The CONTEXT associated with the context.
  * return:     0 on success, -1 on failure.
  */
-int get_init_context(security_context_t * context)
+int get_init_context(char **context)
 {
 
        FILE *fp;
@@ -354,7 +354,7 @@
 
        extern char *optarg;    /* used by getopt() for arg strings */
        extern int opterr;      /* controls getopt() error messages */
-       security_context_t new_context; /* context for the init script context  
*/
+       char *new_context;      /* context for the init script context  */
 
 #ifdef USE_NLS
        setlocale(LC_ALL, "");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/secon/secon.c 
new/policycoreutils-3.1/secon/secon.c
--- old/policycoreutils-3.0/secon/secon.c       2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/secon/secon.c       2020-07-10 17:17:15.000000000 
+0200
@@ -341,7 +341,7 @@
                errx(EXIT_FAILURE, "SELinux is not enabled");
 }
 
-static int my_getXcon_raw(pid_t pid, security_context_t * con, const char *val)
+static int my_getXcon_raw(pid_t pid, char  **con, const char *val)
 {
        char buf[4096];
        FILE *fp = NULL;
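
Review bot: The new `my_getXcon_raw()` signature has a doubled space in `char  **con`, unlike the other converted signatures in this file, which use `char **con`; normalize it.
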
@@ -371,23 +371,23 @@
        return (0);
 }
 
-static int my_getpidexeccon_raw(pid_t pid, security_context_t * con)
+static int my_getpidexeccon_raw(pid_t pid, char **con)
 {
        return (my_getXcon_raw(pid, con, "exec"));
 }
-static int my_getpidfscreatecon_raw(pid_t pid, security_context_t * con)
+static int my_getpidfscreatecon_raw(pid_t pid, char **con)
 {
        return (my_getXcon_raw(pid, con, "fscreate"));
 }
-static int my_getpidkeycreatecon_raw(pid_t pid, security_context_t * con)
+static int my_getpidkeycreatecon_raw(pid_t pid, char **con)
 {
        return (my_getXcon_raw(pid, con, "keycreate"));
 }
 
-static security_context_t get_scon(void)
+static char *get_scon(void)
 {
        static char dummy_NIL[1] = "";
-       security_context_t con = NULL, con_tmp;
+       char *con = NULL, *con_tmp;
        int ret = -1;
 
        switch (opts->from_type) {
@@ -620,9 +620,10 @@
        done = TRUE;
 }
 
-static void disp_con(security_context_t scon_raw)
+static void disp_con(const char *scon_raw)
 {
-       security_context_t scon_trans, scon;
+       char *scon_trans;
+       const char *scon;
        context_t con = NULL;
        char *color_str = NULL;
        struct context_color_t color = { .valid = 0 };
@@ -748,7 +749,7 @@
 
 int main(int argc, char *argv[])
 {
-       security_context_t scon_raw = NULL;
+       char *scon_raw = NULL;
 
        cmd_line(argc, argv);
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/semodule/genhomedircon.8 
new/policycoreutils-3.1/semodule/genhomedircon.8
--- old/policycoreutils-3.0/semodule/genhomedircon.8    2019-11-28 
13:46:48.000000000 +0100
+++ new/policycoreutils-3.1/semodule/genhomedircon.8    2020-07-10 
17:17:15.000000000 +0200
@@ -16,6 +16,9 @@
 although this default behavior can be optionally modified by setting to "true" 
the
 "disable-genhomedircon" in /etc/selinux/semanage.conf.
 
+Directories can be excluded from the list of home directories by the setting 
"ignoredirs"
+in /etc/selinux/semanage.conf.
+
 .SH AUTHOR
 This manual page was written by
 .I Dan Walsh <dwa...@redhat.com>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/setfiles/restore.c 
new/policycoreutils-3.1/setfiles/restore.c
--- old/policycoreutils-3.0/setfiles/restore.c  2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/setfiles/restore.c  2020-07-10 17:17:15.000000000 
+0200
@@ -41,7 +41,7 @@
                           opts->xdev | opts->abort_on_error |
                           opts->syslog_changes | opts->log_matches |
                           opts->ignore_noent | opts->ignore_mounts |
-                          opts->mass_relabel;
+                          opts->mass_relabel | opts->conflict_error;
 
        /* Use setfiles, restorecon and restorecond own handles */
        selinux_restorecon_set_sehandle(opts->hnd);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/setfiles/restore.h 
new/policycoreutils-3.1/setfiles/restore.h
--- old/policycoreutils-3.0/setfiles/restore.h  2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/setfiles/restore.h  2020-07-10 17:17:15.000000000 
+0200
@@ -34,6 +34,7 @@
        unsigned int log_matches;
        unsigned int ignore_noent;
        unsigned int ignore_mounts;
+       unsigned int conflict_error;
        /* restorecon_flags holds | of above for restore_init() */
        unsigned int restorecon_flags;
        char *rootpath;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/setfiles/restorecon.8 
new/policycoreutils-3.1/setfiles/restorecon.8
--- old/policycoreutils-3.0/setfiles/restorecon.8       2019-11-28 
13:46:48.000000000 +0100
+++ new/policycoreutils-3.1/setfiles/restorecon.8       2020-07-10 
17:17:15.000000000 +0200
@@ -13,6 +13,7 @@
 .RB [ \-F ]
 .RB [ \-W ]
 .RB [ \-I | \-D ]
+.RB [ \-x ]
 .RB [ \-e
 .IR directory ]
 .IR pathname \ ...
@@ -31,6 +32,7 @@
 .RB [ \-F ]
 .RB [ \-W ]
 .RB [ \-I | \-D ]
+.RB [ \-x ]
 
 .SH "DESCRIPTION"
 This manual page describes the
@@ -153,14 +155,21 @@
 .B find
 produces input suitable for this mode.
 .TP
+.B \-x
+prevent
+.B restorecon
+from crossing file system boundaries.
+.TP
 .SH "ARGUMENTS"
 .IR pathname \ ...
 The pathname for the file(s) to be relabeled.
 .SH "NOTES"
 .IP "1." 4
 .B restorecon
-does not follow symbolic links and by default it does not
-operate recursively on directories.
+by default does not operate recursively on directories. Paths leading up the
+final component of the file(s) are canonicalized using
+.BR realpath (3)
+before labeling.
 .IP "2." 4
 If the
 .I pathname
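
Review bot: The `.TP` added after the `\-x` description sits directly before `.SH "ARGUMENTS"` with no tag following it and should be dropped. In NOTES item 1, "Paths leading up the final component" is missing "to" ("leading up to the final component").
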
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/setfiles/setfiles.8 
new/policycoreutils-3.1/setfiles/setfiles.8
--- old/policycoreutils-3.0/setfiles/setfiles.8 2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/setfiles/setfiles.8 2020-07-10 17:17:15.000000000 
+0200
@@ -12,6 +12,7 @@
 .RB [ \-n ]
 .RB [ \-e
 .IR directory ]
+.RB [ \-E ]
 .RB [ \-p ]
 .RB [ \-s ]
 .RB [ \-v ]
@@ -62,6 +63,10 @@
 .BI \-e \ directory
 directory to exclude (repeat option for more than one directory).
 .TP
+.BI \-E
+treat conflicting specifications as errors, such as where two hardlinks for
+the same inode have different contexts.
+.TP
 .BI \-f \ infilename
 .I infilename
 contains a list of files to be processed. Use
@@ -209,7 +214,8 @@
 .SH "NOTES"
 .IP "1." 4
 .B setfiles
-follows symbolic links and operates recursively on directories.
+operates recursively on directories. Paths leading up the final
+component of the file(s) are not canonicalized before labeling.
 .IP "2." 4
 If the
 .I pathname
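
Review bot: NOTES item 1 drops the statement that `setfiles` follows symbolic links and replaces it with a sentence about canonicalization only, so the page no longer documents symlink handling at all (the matching restorecon.8 change removes its statement too). State explicitly what happens when the final component or a leading component is a symbolic link, because people choosing between `setfiles` and `restorecon` for relabeling rely on that difference.
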
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/setfiles/setfiles.c 
new/policycoreutils-3.1/setfiles/setfiles.c
--- old/policycoreutils-3.0/setfiles/setfiles.c 2019-11-28 13:46:48.000000000 
+0100
+++ new/policycoreutils-3.1/setfiles/setfiles.c 2020-07-10 17:17:15.000000000 
+0200
@@ -43,16 +43,15 @@
 {
        if (iamrestorecon) {
                fprintf(stderr,
-                       "usage:  %s [-iIDFmnprRv0] [-e excludedir] 
pathname...\n"
-                       "usage:  %s [-iIDFmnprRv0] [-e excludedir] -f 
filename\n",
+                       "usage:  %s [-iIDFmnprRv0x] [-e excludedir] 
pathname...\n"
+                       "usage:  %s [-iIDFmnprRv0x] [-e excludedir] -f 
filename\n",
                        name, name);
        } else {
                fprintf(stderr,
-                       "usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r 
alt_root_path] spec_file pathname...\n"
-                       "usage:  %s [-diIDlmnpqvFW] [-e excludedir] [-r 
alt_root_path] spec_file -f filename\n"
-                       "usage:  %s -s [-diIDlmnpqvFW] spec_file\n"
-                       "usage:  %s -c policyfile spec_file\n",
-                       name, name, name, name);
+                       "usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r 
alt_root_path] [-c policyfile] spec_file pathname...\n"
+                       "usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r 
alt_root_path] [-c policyfile] spec_file -f filename\n"
+                       "usage:  %s -s [-diIDlmnpqvFW] spec_file\n",
+                       name, name, name);
        }
        exit(-1);
 }
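Review bot: the `-s` usage line still reads `[-diIDlmnpqvFW]` while the other two setfiles lines now list `E`, and the next hunk adds `E` to `sopts` for every setfiles invocation. Either add `E` to the `-s` line or reject `-E` together with `-s`, so the usage text and the getopt string agree.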
@@ -168,8 +167,8 @@
        size_t buf_len;
        const char *base;
        int errors = 0;
-       const char *ropts = "e:f:hiIDlmno:pqrsvFRW0";
-       const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0";
+       const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x";
+       const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0";
        const char *opts;
        union selinux_callback cb;
 
@@ -313,6 +312,10 @@
                        r_opts.syslog_changes =
                                           SELINUX_RESTORECON_SYSLOG_CHANGES;
                        break;
+               case 'E':
+                       r_opts.conflict_error =
+                                          SELINUX_RESTORECON_CONFLICT_ERROR;
+                       break;
                case 'F':
                        r_opts.set_specctx =
                                           SELINUX_RESTORECON_SET_SPECFILE_CTX;
@@ -382,6 +385,13 @@
                case '0':
                        null_terminated = 1;
                        break;
+                case 'x':
+                        if (iamrestorecon) {
+                               r_opts.xdev = SELINUX_RESTORECON_XDEV;
+                        } else {
+                               usage(argv[0]);
+                        }
+                        break;
                case 'h':
                case '?':
                        usage(argv[0]);
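Review bot: the added `case 'x':` block mixes space and tab indentation (the `case 'x':`, `if`, `else` and `break` lines sit one column off from the neighbouring `case '0':`), so it should be re-indented with tabs like the rest of the switch. The `else { usage(argv[0]); }` branch also looks unreachable if the option string is picked from `ropts`/`sopts` by `iamrestorecon`, since only `ropts` gained `x`; a short comment saying it is defensive, or dropping it, would make the intent clear.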
@@ -398,7 +408,7 @@
 
        if (!iamrestorecon) {
                if (policyfile) {
-                       if (optind != (argc - 1))
+                       if (optind > (argc - 1))
                                usage(argv[0]);
                } else if (use_input_file) {
                        if (optind != (argc - 1)) {
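Review bot: relaxing the `policyfile` check to `optind > (argc - 1)` means that with `-c` the only thing still validated is that a spec_file is present. Because the `use_input_file` test hangs off `else if`, a `-c policyfile -f filename spec_file extra_path` invocation now skips the `optind != (argc - 1)` check that applies without `-c`. Consider making the `-c` test independent of the argument-count checks so both usage forms are validated the same way.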
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/policycoreutils-3.0/setsebool/setsebool.c 
new/policycoreutils-3.1/setsebool/setsebool.c
--- old/policycoreutils-3.0/setsebool/setsebool.c       2019-11-28 
13:46:48.000000000 +0100
+++ new/policycoreutils-3.1/setsebool/setsebool.c       2020-07-10 
17:17:15.000000000 +0200
@@ -200,8 +200,10 @@
 
        if (no_reload)
                semanage_set_reload(handle, 0);
-       if (semanage_commit(handle) < 0)
+       if (semanage_commit(handle) < 0) {
+               fprintf(stderr, "Failed to commit changes to booleans: %m\n");
                goto err;
+       }
 
        semanage_disconnect(handle);
        semanage_handle_destroy(handle);
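Review bot: the new message uses `%m`, which is a glibc printf extension and prints whatever `errno` holds at that point. If `semanage_commit()` fails for a reason that does not set `errno`, the text after the colon will be misleading ("Success" or a stale error). Using `strerror(errno)` only when `errno` is non-zero would be safer and more portable.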

++++++ selinux-python-3.0.tar.gz -> selinux-python-3.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/VERSION 
new/selinux-python-3.1/VERSION
--- old/selinux-python-3.0/VERSION      2019-11-28 13:46:48.000000000 +0100
+++ new/selinux-python-3.1/VERSION      2020-07-10 17:17:15.000000000 +0200
@@ -1 +1 @@
-3.0
+3.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/audit2allow/Makefile 
new/selinux-python-3.1/audit2allow/Makefile
--- old/selinux-python-3.0/audit2allow/Makefile 2019-11-28 13:46:48.000000000 
+0100
+++ new/selinux-python-3.1/audit2allow/Makefile 2020-07-10 17:17:15.000000000 
+0200
@@ -19,7 +19,7 @@
 all: audit2why sepolgen-ifgen-attr-helper
 
 sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o $(LIBSEPOLA)
-       $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
+       $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) -lselinux
 
 audit2why:
        ln -sf audit2allow audit2why
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/audit2allow/sepolgen-ifgen 
new/selinux-python-3.1/audit2allow/sepolgen-ifgen
--- old/selinux-python-3.0/audit2allow/sepolgen-ifgen   2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/audit2allow/sepolgen-ifgen   2020-07-10 
17:17:15.000000000 +0200
@@ -27,7 +27,6 @@
 
 
 import sys
-import os
 import tempfile
 import subprocess
 
@@ -65,37 +64,18 @@
     return options
 
 
-def get_policy():
-    p = selinux.selinux_current_policy_path()
-    if p and os.path.exists(p):
-        return p
-    i = selinux.security_policyvers()
-    p = selinux.selinux_binary_policy_path() + "." + str(i)
-    while i > 0 and not os.path.exists(p):
-        i = i - 1
-        p = selinux.selinux_binary_policy_path() + "." + str(i)
-    if i > 0:
-        return p
-    return None
-
-
 def get_attrs(policy_path, attr_helper):
     try:
-        if not policy_path:
-            policy_path = get_policy()
-        if not policy_path:
-            sys.stderr.write("No installed policy to check\n")
-            return None
         outfile = tempfile.NamedTemporaryFile()
     except IOError as e:
         sys.stderr.write("could not open attribute output file\n")
         return None
-    except OSError:
-        # SELinux Disabled Machine
-        return None
 
     fd = open("/dev/null", "w")
-    ret = subprocess.Popen([attr_helper, policy_path, outfile.name], 
stdout=fd).wait()
+    if policy_path:
+        ret = subprocess.Popen([attr_helper, outfile.name, policy_path], 
stdout=fd).wait()
+    else:
+        ret = subprocess.Popen([attr_helper, outfile.name], stdout=fd).wait()
     fd.close()
     if ret != 0:
         sys.stderr.write("could not run attribute helper\n")
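Review bot: the two `subprocess.Popen(...)` calls in `get_attrs` differ only in the trailing `policy_path` argument, so building the argument list once (append `policy_path` when it is set) would avoid the duplicated call. The `/dev/null` handle is opened with a bare `open()` and is not closed if `Popen` raises; `stdout=subprocess.DEVNULL` removes the need for it. Since the helper's argument order changes here (out_file first), it is worth calling out in the changelog for anyone invoking the helper directly.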
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-python-3.0/audit2allow/sepolgen-ifgen-attr-helper.c 
new/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
--- old/selinux-python-3.0/audit2allow/sepolgen-ifgen-attr-helper.c     
2019-11-28 13:46:48.000000000 +0100
+++ new/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c     
2020-07-10 17:17:15.000000000 +0200
@@ -26,6 +26,8 @@
 #include <sepol/policydb/avtab.h>
 #include <sepol/policydb/util.h>
 
+#include <selinux/selinux.h>
+
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -147,8 +149,36 @@
        policydb_t *policydb;
        struct policy_file pf;
        FILE *fp;
+       char pathname[PATH_MAX];
+       int suffix_ver;
        int ret;
 
+       /* no explicit policy name given, try loaded policy on a SELinux 
enabled system */
+       if (!filename) {
+               filename = selinux_current_policy_path();
+       }
+
+       /*
+        * Fallback to default store paths with version suffixes,
+        * starting from the maximum supported policy version.
+        */
+       if (!filename) {
+               for (suffix_ver = sepol_policy_kern_vers_max(); suffix_ver > 0; 
suffix_ver--) {
+                       snprintf(pathname, sizeof(pathname), "%s.%d", 
selinux_binary_policy_path(), suffix_ver);
+
+                       if (access(pathname, F_OK) == 0) {
+                               filename = pathname;
+                               break;
+                       }
+               }
+
+               if (!filename) {
+                       fprintf(stderr, "Can't find any policy at '%s'\n",
+                               selinux_binary_policy_path());
+                       return NULL;
+               }
+       }
+
        fp = fopen(filename, "r");
        if (fp == NULL) {
                fprintf(stderr, "Can't open '%s':  %s\n",
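Review bot: in the fallback loop the path is probed with `access(pathname, F_OK)` and only opened later by `fopen(filename, "r")`, so existence is checked in one step and the file is used in another; attempting `fopen()` directly inside the loop and keeping the first handle that opens would be simpler and avoids the gap. The `snprintf()` return value is also not checked, so a truncated `pathname` would be probed silently; compare it against `sizeof(pathname)` and skip or fail on truncation.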
@@ -188,7 +218,7 @@
 
 void usage(char *progname)
 {
-       printf("usage: %s policy_file out_file\n", progname);
+       printf("usage: %s out_file [policy_file]\n", progname);
 }
 
 int main(int argc, char **argv)
@@ -197,18 +227,18 @@
        struct callback_data cb_data;
        FILE *fp;
 
-       if (argc != 3) {
+       if (argc != 2 && argc != 3) {
                usage(argv[0]);
                return -1;
        }
 
        /* Open the policy. */
-       p = load_policy(argv[1]);
+       p = load_policy(argv[2]);
        if (p == NULL)
                return -1;
 
        /* Open the output policy. */
-       fp = fopen(argv[2], "w");
+       fp = fopen(argv[1], "w");
        if (fp == NULL) {
                fprintf(stderr, "error opening output file\n");
                policydb_destroy(p);
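Review bot: with `argc == 2` the call `load_policy(argv[2])` passes `argv[argc]`, which is NULL, and the new fallback in `load_policy` depends on that. It works, but the dependency is implicit; writing `load_policy(argc == 3 ? argv[2] : NULL)` or adding a comment would make the optional policy_file argument obvious to the next reader.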
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-python-3.0/semanage/semanage-bash-completion.sh 
new/selinux-python-3.1/semanage/semanage-bash-completion.sh
--- old/selinux-python-3.0/semanage/semanage-bash-completion.sh 2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/semanage/semanage-bash-completion.sh 2020-07-10 
17:17:15.000000000 +0200
@@ -54,6 +54,9 @@
 __get_all_stores () {
     dir -1 -F /etc/selinux/ | grep '/' | cut -d'/' -f 1
 }
+__get_all_modules () {
+    semodule -l
+}
 __get_import_opts () { echo '$ALL_OPTS --f --input_file' ; }
 __get_export_opts () { echo '$ALL_OPTS --f --output_file' ; }
 __get_boolean_opts () { echo '$ALL_OPTS --on -off -1 -0' ; }
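Review bot: `__get_all_modules` runs `semodule -l` with stderr left attached, so when the completing user cannot read the module store the error text is printed into the terminal in the middle of tab completion. Redirecting with `semodule -l 2>/dev/null` keeps completion quiet and simply yields no candidates in that case.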
@@ -88,6 +91,13 @@
        if   [ "$prev" = "-a" -a "$command" = "permissive" ]; then
                COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
                return 0
+       elif [ "$command" = "module" ]; then
+               if [ "$prev" = "-d" ] || [ "$prev" = "--disable" ] \
+                   || [ "$prev" = "-e" ] || [ "$prev" = "--enable" ] \
+                   || [ "$prev" = "-r" ] || [ "$prev" = "--remove" ]; then
+                   COMPREPLY=( $(compgen -W "$( __get_all_modules ) " -- 
"$cur") )
+                   return 0
+               fi
        fi
        if   [ "$verb" = "" -a "$prev" = "semanage" ]; then
                 comps="${VERBS[*]}"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/semanage/semanage-node.8 
new/selinux-python-3.1/semanage/semanage-node.8
--- old/selinux-python-3.0/semanage/semanage-node.8     2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/semanage/semanage-node.8     2020-07-10 
17:17:15.000000000 +0200
@@ -45,7 +45,7 @@
 Remove all local customizations
 .TP
 .I   \-M NETMASK, \-\-netmask NETMASK
-Network Mask
+Network Mask, either in CIDR (/16) or address mask notation (255.255.0.0, 
ffff::)
 .TP
 .I   \-t TYPE, \-\-type TYPE
 SELinux type for the object
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/semanage/seobject.py 
new/selinux-python-3.1/semanage/seobject.py
--- old/selinux-python-3.0/semanage/seobject.py 2019-11-28 13:46:48.000000000 
+0100
+++ new/selinux-python-3.1/semanage/seobject.py 2020-07-10 17:17:15.000000000 
+0200
@@ -32,7 +32,7 @@
 PROGNAME = "policycoreutils"
 import sepolicy
 import setools
-from IPy import IP
+import ipaddress
 
 try:
     import gettext
@@ -1070,7 +1070,11 @@
         if port == "":
             raise ValueError(_("Port is required"))
 
-        ports = port.split("-")
+        if isinstance(port, str):
+            ports = port.split('-', 1)
+        else:
+            ports = (port,)
+
         if len(ports) == 1:
             high = low = int(ports[0])
         else:
@@ -1854,25 +1858,34 @@
         if addr == "":
             raise ValueError(_("Node Address is required"))
 
-        # verify valid combination
+        # verify that (addr, mask) is either a IP address (without a mask) or 
a valid network mask
         if len(mask) == 0 or mask[0] == "/":
-            i = IP(addr + mask)
-            newaddr = i.strNormal(0)
-            newmask = str(i.netmask())
-            if newmask == "0.0.0.0" and i.version() == 6:
-                newmask = "::"
-
-            protocol = "ipv%d" % i.version()
+            i = ipaddress.ip_network(addr + mask)
+            newaddr = str(i.network_address)
+            newmask = str(i.netmask)
+            protocol = "ipv%d" % i.version
 
         try:
             newprotocol = self.protocol.index(protocol)
         except:
             raise ValueError(_("Unknown or missing protocol"))
 
-        return newaddr, newmask, newprotocol
+        try:
+            audit_protocol = socket.getprotobyname(protocol)
+        except:
+            # Entry for "ipv4" not found in /etc/protocols on (at
+            # least) Debian? To ensure audit log compatibility, let's
+            # use the same numeric value as Fedora: 4, which is
+            # actually understood by kernel as IP over IP.
+            if (protocol == "ipv4"):
+                audit_protocol = socket.IPPROTO_IPIP
+            else:
+                raise ValueError(_("Unknown or missing protocol"))
+
+        return newaddr, newmask, newprotocol, audit_protocol
 
     def __add(self, addr, mask, proto, serange, ctype):
-        addr, mask, proto = self.validate(addr, mask, proto)
+        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
 
         if is_mls_enabled == 1:
             if serange == "":
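Review bot: the new lookup wraps `socket.getprotobyname(protocol)` in a bare `except:`, which also swallows KeyboardInterrupt and any programming error inside the block; `except OSError:` covers the missing-entry case the comment describes. Minor: the rewritten comment says "a IP address", which should be "an IP address". Since `validate()` now returns four values instead of three, please confirm there are no callers outside `__add`, `__modify` and `__delete` that still unpack three.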
@@ -1891,10 +1904,10 @@
         (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
         if rc < 0:
             raise ValueError(_("Could not create key for %s") % addr)
-        if rc < 0:
-            raise ValueError(_("Could not check if addr %s is defined") % addr)
 
         (rc, exists) = semanage_node_exists(self.sh, k)
+        if rc < 0:
+            raise ValueError(_("Could not check if addr %s is defined") % addr)
         if exists:
             raise ValueError(_("Addr %s already defined") % addr)
 
@@ -1941,7 +1954,7 @@
         semanage_node_key_free(k)
         semanage_node_free(node)
 
-        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s 
tcontext=%s:%s:%s:%s" % (addr, mask, 
socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, 
serange))
+        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s 
tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", 
ctype, serange))
 
     def add(self, addr, mask, proto, serange, ctype):
         self.begin()
@@ -1949,7 +1962,7 @@
         self.commit()
 
     def __modify(self, addr, mask, proto, serange, setype):
-        addr, mask, proto = self.validate(addr, mask, proto)
+        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
 
         if serange == "" and setype == "":
             raise ValueError(_("Requires setype or serange"))
@@ -1986,7 +1999,7 @@
         semanage_node_key_free(k)
         semanage_node_free(node)
 
-        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s 
proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, 
socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, 
serange))
+        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s 
proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", 
"object_r", setype, serange))
 
     def modify(self, addr, mask, proto, serange, setype):
         self.begin()
@@ -1994,8 +2007,7 @@
         self.commit()
 
     def __delete(self, addr, mask, proto):
-
-        addr, mask, proto = self.validate(addr, mask, proto)
+        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
 
         (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
         if rc < 0:
@@ -2019,7 +2031,7 @@
 
         semanage_node_key_free(k)
 
-        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s 
proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
+        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s 
proto=%s" % (addr, mask, audit_proto))
 
     def delete(self, addr, mask, proto):
         self.begin()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/semanage/test-semanage.py 
new/selinux-python-3.1/semanage/test-semanage.py
--- old/selinux-python-3.0/semanage/test-semanage.py    2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/semanage/test-semanage.py    2020-07-10 
17:17:15.000000000 +0200
@@ -233,7 +233,7 @@
 
 
 def semanage_run_test(suite):
-    unittest.TextTestRunner(verbosity=2).run(suite)
+    return unittest.TextTestRunner(verbosity=2).run(suite).wasSuccessful()
 
 
 class CheckTest(argparse.Action):
@@ -255,9 +255,9 @@
         for i in semanage_test_list:
             print(i)
     if args.all:
-        semanage_run_test(semanage_suite())
+        return semanage_run_test(semanage_suite())
     if args.test:
-        semanage_run_test(semanage_custom_suite(args.test))
+        return semanage_run_test(semanage_custom_suite(args.test))
 
 
 def gen_semanage_test_args(parser):
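Review bot: the function in this hunk returns a result only on the `args.all` and `args.test` paths. A run that only prints the test list (the `for i in semanage_test_list` loop above) falls off the end and returns None, which the `if args.func(args):` check in the next hunk turns into `sys.exit(1)`. Add an explicit `return True` at the end so listing tests still exits 0.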
@@ -281,8 +281,10 @@
         gen_semanage_test_args(parser)
         try:
             args = parser.parse_args()
-            args.func(args)
-            sys.exit(0)
+            if args.func(args):
+                sys.exit(0)
+            else:
+                sys.exit(1)
         except ValueError as e:
             sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
             sys.exit(1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolgen/VERSION 
new/selinux-python-3.1/sepolgen/VERSION
--- old/selinux-python-3.0/sepolgen/VERSION     2019-11-28 13:46:48.000000000 
+0100
+++ new/selinux-python-3.1/sepolgen/VERSION     2020-07-10 17:17:15.000000000 
+0200
@@ -1 +1 @@
-3.0
+3.1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/selinux-python-3.0/sepolgen/src/sepolgen/refparser.py 
new/selinux-python-3.1/sepolgen/src/sepolgen/refparser.py
--- old/selinux-python-3.0/sepolgen/src/sepolgen/refparser.py   2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/sepolgen/src/sepolgen/refparser.py   2020-07-10 
17:17:15.000000000 +0200
@@ -126,6 +126,7 @@
     'GEN_REQ',
     'TEMPLATE',
     'GEN_CONTEXT',
+    'GEN_TUNABLE',
     #   m4
     'IFELSE',
     'IFDEF',
@@ -192,6 +193,7 @@
     'gen_require' : 'GEN_REQ',
     'template' : 'TEMPLATE',
     'gen_context' : 'GEN_CONTEXT',
+    'gen_tunable' : 'GEN_TUNABLE',
     # M4
     'ifelse' : 'IFELSE',
     'ifndef' : 'IFNDEF',
@@ -518,6 +520,7 @@
                    | range_transition_def
                    | role_transition_def
                    | bool
+                   | gen_tunable
                    | define
                    | initial_sid
                    | genfscon
@@ -844,6 +847,17 @@
         b.state = False
     p[0] = b
 
+def p_gen_tunable(p):
+    '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE 
CPAREN
+                   | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE 
CPAREN'''
+    b = refpolicy.Bool()
+    b.name = p[4]
+    if p[7] == "true":
+        b.state = True
+    else:
+        b.state = False
+    p[0] = b
+
 def p_conditional(p):
     ''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE
                     | IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE 
ELSE OBRACE interface_stmts CBRACE
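Review bot: `p_gen_tunable` repeats the body used for the `bool` rule just above it (create `refpolicy.Bool()`, set `name`, set `state`). The if/else can be written as `b.state = (p[7] == "true")`, and a shared helper for both rules would keep them from drifting apart. A one-line comment with an example of the accepted form would also help, since the TICK ... SQUOTE quoting is easy to misread in the grammar string.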
@@ -1134,6 +1148,6 @@
             status.step()
 
     if len(failures):
-        o("failed to parse some headers: %s" % ", ".join(failures))
+        o("failed to parse some headers: %s\n" % ", ".join(failures))
 
     return headers
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolicy/Makefile 
new/selinux-python-3.1/sepolicy/Makefile
--- old/selinux-python-3.0/sepolicy/Makefile    2019-11-28 13:46:48.000000000 
+0100
+++ new/selinux-python-3.1/sepolicy/Makefile    2020-07-10 17:17:15.000000000 
+0200
@@ -27,7 +27,7 @@
        @$(PYTHON) test_sepolicy.py -v
 
 install:
-       $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && 
echo --root $(DESTDIR)`
+       $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && 
echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS)
        [ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
        install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy
        (cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/generate.py 
new/selinux-python-3.1/sepolicy/sepolicy/generate.py
--- old/selinux-python-3.0/sepolicy/sepolicy/generate.py        2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/sepolicy/sepolicy/generate.py        2020-07-10 
17:17:15.000000000 +0200
@@ -340,7 +340,7 @@
             (self.generate_root_user_types, self.generate_root_user_rules),
             (self.generate_new_types, self.generate_new_rules))
         if not re.match(r"^[a-zA-Z0-9-_]+$", name):
-            raise ValueError(_("Name must be alpha numeric with no spaces. 
Consider using option \"-n MODULENAME\""))
+            raise ValueError(_("Name must be alphanumeric with no spaces. 
Consider using option \"-n MODULENAME\""))
 
         if type == CGI:
             self.name = "httpd_%s_script" % name
@@ -438,7 +438,7 @@
 
     def set_init_script(self, initscript):
         if self.type != DAEMON:
-            raise ValueError(_("Only Daemon apps can use an init script.."))
+            raise ValueError(_("Only Daemon apps can use an init script."))
 
         self.initscript = initscript
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/interface.py 
new/selinux-python-3.1/sepolicy/sepolicy/interface.py
--- old/selinux-python-3.0/sepolicy/sepolicy/interface.py       2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/sepolicy/sepolicy/interface.py       2020-07-10 
17:17:15.000000000 +0200
@@ -146,12 +146,12 @@
             tree = xml.etree.ElementTree.fromstring(xml_path)
         for l in tree.findall("layer"):
             for m in l.findall("module"):
-                for i in m.getiterator('interface'):
+                for i in m.iter('interface'):
                     for e in i.findall("param"):
                         param_list.append(e.get('name'))
                     interface_dict[(i.get("name"))] = [param_list, 
(i.find('summary').text), "interface"]
                     param_list = []
-                for i in m.getiterator('template'):
+                for i in m.iter('template'):
                     for e in i.findall("param"):
                         param_list.append(e.get('name'))
                     interface_dict[(i.get("name"))] = [param_list, 
(i.find('summary').text), "template"]
@@ -198,7 +198,7 @@
     filename = os.path.basename(if_file).split(".")[0]
     rc, output = getstatusoutput("/usr/bin/python3 
/usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % (basedir + 
filename))
     if rc != 0:
-        sys.stderr.write("\n Could not proceed selected interface file.\n")
+        sys.stderr.write("\n Could not process selected interface file.\n")
         sys.stderr.write("\n%s" % output)
         sys.exit(1)
     else:
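Review bot: while this hunk only fixes the "proceed"/"process" wording, the `getstatusoutput(...)` call directly above it builds a shell command with `%` formatting from `basedir + filename`. A path containing spaces or shell metacharacters will break the command or change what is executed. Passing an argument list to `subprocess.run` (no shell) with `capture_output=True` would remove that dependency on the path contents.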
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/manpage.py 
new/selinux-python-3.1/sepolicy/sepolicy/manpage.py
--- old/selinux-python-3.0/sepolicy/sepolicy/manpage.py 2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/sepolicy/sepolicy/manpage.py 2020-07-10 
17:17:15.000000000 +0200
@@ -1074,7 +1074,7 @@
 
 .B semanage login -m -s %(user)s_u __default__
 
-""" % {'desc': self.desc, 'type': self.type, 'user': self.domainname, 'range': 
self._get_users_range()})
+""" % {'desc': self.desc, 'user': self.domainname, 'range': 
self._get_users_range()})
 
         if "login_userdomain" in self.attributes and "login_userdomain" in 
self.all_attributes:
             self.fd.write("""
@@ -1245,7 +1245,7 @@
 
 .B $ sesearch -A -s %(type)s -c process -p transition
 
-""" % {'user': self.domainname, 'type': self.type})
+""" % {'type': self.type})
 
     def _role_header(self):
         self.fd.write('.TH  "%(user)s_selinux"  "8"  "%(user)s" 
"mgr...@redhat.com" "%(user)s SELinux Policy documentation"'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/network.py 
new/selinux-python-3.1/sepolicy/sepolicy/network.py
--- old/selinux-python-3.0/sepolicy/sepolicy/network.py 2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/sepolicy/sepolicy/network.py 2020-07-10 
17:17:15.000000000 +0200
@@ -49,15 +49,15 @@
                 if "port_t" in tlist:
                     continue
             if i == "port_t":
-                d[(src, protocol, perm)].append((i, ["all ports with out 
defined types"]))
+                d[(src, protocol, perm)].append((i, ["all ports without 
defined types"]))
             if i == "port_type":
                 d[(src, protocol, perm)].append((i, ["all ports"]))
             elif i == "unreserved_port_type":
-                d[(src, protocol, perm)].append((i, ["all ports > 1024"]))
+                d[(src, protocol, perm)].append((i, ["all ports >= 1024"]))
             elif i == "reserved_port_type":
                 d[(src, protocol, perm)].append((i, ["all ports < 1024"]))
             elif i == "rpc_port_type":
-                d[(src, protocol, perm)].append((i, ["all ports > 500 and  < 
1024"]))
+                d[(src, protocol, perm)].append((i, ["all ports >= 512 and < 
1024"]))
             else:
                 try:
                     d[(src, protocol, perm)].append((i, portrecs[(i, 
protocol)]))
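Review bot: in the context of this hunk, `if i == "port_t":` is followed by a separate `if i == "port_type":` chain rather than an `elif`. When `i` is `port_t`, the first branch appends its entry and control then falls through to the final `else`, which tries `portrecs[(i, protocol)]` as well. If that is not intended, change the second `if` to `elif` while the strings are being corrected here.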
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/sepolicy.glade 
new/selinux-python-3.1/sepolicy/sepolicy/sepolicy.glade
--- old/selinux-python-3.0/sepolicy/sepolicy/sepolicy.glade     2019-11-28 
13:46:48.000000000 +0100
+++ new/selinux-python-3.1/sepolicy/sepolicy/sepolicy.glade     2020-07-10 
17:17:15.000000000 +0200
@@ -2877,19 +2877,9 @@
                                           </object>
                                         </child>
                                         <child>
-                                          <object class="GtkTreeViewColumn" 
id="treeviewcolumn27">
-                                            <child>
-                                              <object 
class="GtkCellRendererText" id="cellrenderertext34"/>
-                                              <attributes>
-                                                <attribute 
name="text">1</attribute>
-                                              </attributes>
-                                            </child>
-                                          </object>
-                                        </child>
-                                        <child>
                                           <object class="GtkTreeViewColumn" 
id="executable_file_from">
                                             <property 
name="resizable">True</property>
-                                            <property name="title" 
translatable="yes">Boolean name</property>
+                                            <property name="title" 
translatable="yes">Executable File</property>
                                             <property 
name="expand">True</property>
                                             <property 
name="clickable">True</property>
                                             <property 
name="reorderable">True</property>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/selinux-python-3.0/sepolicy/setup.py 
new/selinux-python-3.1/sepolicy/setup.py
--- old/selinux-python-3.0/sepolicy/setup.py    2019-11-28 13:46:48.000000000 
+0100
+++ new/selinux-python-3.1/sepolicy/setup.py    2020-07-10 17:17:15.000000000 
+0200
@@ -6,7 +6,7 @@
 
 setup(
     name="sepolicy",
-    version="3.0",
+    version="3.1",
     description="Python SELinux Policy Analyses bindings",
     author="Daniel Walsh",
     author_email="dwa...@redhat.com",

++++++ semodule-utils-3.0.tar.gz -> semodule-utils-3.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/semodule-utils-3.0/VERSION 
new/semodule-utils-3.1/VERSION
--- old/semodule-utils-3.0/VERSION      2019-11-28 13:46:48.000000000 +0100
+++ new/semodule-utils-3.1/VERSION      2020-07-10 17:17:15.000000000 +0200
@@ -1 +1 @@
-3.0
+3.1


