Hello community, here is the log from the commit of package policycoreutils for openSUSE:Factory checked in at 2020-10-06 17:08:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old) and /work/SRC/openSUSE:Factory/.policycoreutils.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "policycoreutils" Tue Oct 6 17:08:16 2020 rev:56 rq:835124 version:3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes 2020-06-05 20:08:40.161437663 +0200 +++ /work/SRC/openSUSE:Factory/.policycoreutils.new.4249/policycoreutils.changes 2020-10-06 17:10:10.165478520 +0200 
@@ -1,0 +2,39 @@ +Thu Sep 10 09:00:45 UTC 2020 - Johannes Segitz <jseg...@suse.com> + +- Add get_os_version.patch + get_os_version is implemented in a very RH/Fedora specific way. + Ensure that it returns a valid string for SUSE by changing the + default. Also remove the RH specific logic when generating HTML + versions of the SELinux documentation + +------------------------------------------------------------------- +Wed Jul 29 13:09:39 UTC 2020 - Thorsten Kukuk <ku...@suse.com> + +- Align more with Fedora spec file to get rid of python dependencies + in the core system + - create new python-utils sub-package + - move some tools to devel sub-package +- Cleanup dependencies + +------------------------------------------------------------------- +Fri Jul 17 09:35:08 UTC 2020 - Johannes Segitz <jseg...@suse.com> + +- Proper default permissions for newrole (4755) + +------------------------------------------------------------------- +Tue Jul 14 08:28:44 UTC 2020 - Johannes Segitz <jseg...@suse.com> + +- Update to version 3.1 + * New `setfiles -E` option - treat conflicting specifications as errors, such + as where two hardlinks for the same inode have different contexts. + * `setsebool -V` reports errors from commit phase + * matchpathcon related interfaces are deprecated + * New `restorecon -x` option which prevents it from crossing file system + * boundaries. + * `sepolgen-ifgen` parses a gen_tunable statement as bool + * Removed Requires for python3-ipy as the ipaddress module is used. 
No + requires for python-ipaddress as it's assumed this is used only on recent + systems + * Drop chcat_join.patch, is upstream + +------------------------------------------------------------------- Old: ---- chcat_join.patch policycoreutils-3.0.tar.gz selinux-python-3.0.tar.gz semodule-utils-3.0.tar.gz New: ---- get_os_version.patch policycoreutils-3.1.tar.gz selinux-python-3.1.tar.gz semodule-utils-3.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ policycoreutils.spec ++++++ --- /var/tmp/diff_new_pack.grMClM/_old 2020-10-06 17:10:20.737487651 +0200 +++ /var/tmp/diff_new_pack.grMClM/_new 2020-10-06 17:10:20.745487658 +0200 @@ -17,13 +17,13 @@ %define libaudit_ver 2.2 -%define libsepol_ver 3.0 -%define libsemanage_ver 3.0 -%define libselinux_ver 3.0 +%define libsepol_ver 3.1 +%define libsemanage_ver 3.1 +%define libselinux_ver 3.1 %define setools_ver 4.1.1 -%define tstamp 20191204 +%define tstamp 20200710 Name: policycoreutils -Version: 3.0 +Version: 3.1 Release: 0 Summary: SELinux policy core utilities License: GPL-2.0-or-later @@ -41,7 +41,7 @@ Source9: newrole.pam Patch0: make_targets.patch Patch1: run_init_use_pam_keyinit.patch -Patch2: chcat_join.patch +Patch2: get_os_version.patch BuildRequires: audit-devel >= %{libaudit_ver} BuildRequires: bison BuildRequires: dbus-1-glib-devel 
@@ -61,25 +61,13 @@ BuildRequires: python-rpm-macros BuildRequires: python3 BuildRequires: python3-setools >= %{setools_ver} -BuildRequires: systemd-rpm-macros BuildRequires: update-desktop-files BuildRequires: xmlto -Requires: checkpolicy Requires: gawk Requires: libsepol1 >= %{libsepol_ver} -Requires: python3-%{name} -Requires: python3-ipy -Requires: python3-networkx -Requires: python3-selinux -Requires: python3-semanage Requires: rpm +Requires: selinux-tools Requires: util-linux -# we need selinuxenabled -Requires(post): selinux-tools -Requires(pre): %fillup_prereq -Requires(pre): permissions -Obsoletes: policycoreutils-python -%{?systemd_requires} %description policycoreutils contains the policy core utilities that are required @@ -102,15 +90,28 @@ Requires: checkpolicy Requires: python3-audit >= %{libaudit_ver} Requires: python3-selinux +Requires: python3-semanage Requires: python3-setools >= %{setools_ver} Requires: python3-setuptools Provides: policycoreutils-python = %{version}-%{release} Obsoletes: policycoreutils-python < %{version} +BuildArch: noarch %description -n python3-%{name} The python-policycoreutils package contains the interfaces that can be used by python in an SELinux environment. +%package python-utils +Summary: SELinux policy core python utilities +Group: Productivity/Security +Requires: python3-policycoreutils = %{version}-%{release} +BuildArch: noarch +Obsoletes: policycoreutils-python + +%description python-utils +The policycoreutils-python-utils package contains the management tools +use to manage an SELinux environment. + %package devel Summary: SELinux policy core policy devel utilities Group: Productivity/Security 
@@ -134,7 +135,10 @@ Summary: The newrole application for RBAC/MLS Group: Productivity/Security Requires: %{name} = %{version} -Requires(pre): permissions +# we need both, else permissions could be de-installed +# and verify failed +Requires: permissions +Requires(post): permissions %description newrole RBAC/MLS policy machines require newrole as a way of changing the role @@ -188,7 +192,6 @@ rm -f %{buildroot}%{_mandir}/ru/man8/genhomedircon.8.gz ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui -mkdir -p %{buildroot}%{_fillupdir}/ mkdir -p %{buildroot}%{_libexecdir}/selinux/hll/ mkdir -p %{buildroot}%{_localstatedir}/lib/sepolgen cp %{python3_sitearch}/setools/perm_map %{buildroot}%{_localstatedir}/lib/sepolgen @@ -210,10 +213,6 @@ %endif cp -f %{SOURCE9} %{buildroot}%{_sysconfdir}/pam.d/newrole -%post -n python3-%{name} -selinuxenabled && [ -f %{_datadir}/selinux/devel/include/build.conf ] && %{_bindir}/sepolgen-ifgen 2>/dev/null -exit 0 - %post newrole %set_permissions %{_bindir}/newrole @@ -224,21 +223,12 @@ /sbin/restorecon /sbin/setfiles /sbin/restorecon_xattr -%{_bindir}/audit2allow -%{_bindir}/audit2why -%{_bindir}/chcat -%{_bindir}/sepolgen -%{_bindir}/sepolgen-ifgen -%{_bindir}/sepolgen-ifgen-attr-helper -%{_bindir}/sepolicy %{_bindir}/semodule_expand %{_bindir}/semodule_link %{_bindir}/semodule_package %{_bindir}/semodule_unpackage -%{_sbindir}/semanage %{_sbindir}/fixfiles %{_sbindir}/load_policy -%dir %{_localstatedir}/lib/sepolgen %dir %{_libexecdir}/selinux %dir %{_libexecdir}/selinux/hll %{_libexecdir}/selinux/hll/pp 
@@ -251,19 +241,44 @@ %{_bindir}/secon %config(noreplace) %{_sysconfdir}/pam.d/run_init %config(noreplace) %{_sysconfdir}/sestatus.conf -%{_mandir}/man8/* -%{_mandir}/ru/man8/* +%{_mandir}/man8/fixfiles.8%{?ext_man} +%{_mandir}/man8/genhomedircon.8%{?ext_man} +%{_mandir}/man8/load_policy.8%{?ext_man} +%{_mandir}/man8/open_init_pty.8%{?ext_man} +%{_mandir}/man8/restorecon.8%{?ext_man} +%{_mandir}/man8/restorecon_xattr.8%{?ext_man} +%{_mandir}/man8/run_init.8%{?ext_man} +%{_mandir}/man8/semodule.8%{?ext_man} +%{_mandir}/man8/semodule_expand.8%{?ext_man} +%{_mandir}/man8/semodule_link.8%{?ext_man} +%{_mandir}/man8/semodule_package.8%{?ext_man} +%{_mandir}/man8/semodule_unpackage.8%{?ext_man} +%{_mandir}/man8/sestatus.8%{?ext_man} +%{_mandir}/man8/setfiles.8%{?ext_man} +%{_mandir}/man8/setsebool.8%{?ext_man} +%{_mandir}/ru/man8/fixfiles.8%{?ext_man} +%{_mandir}/ru/man8/genhomedircon.8%{?ext_man} +%{_mandir}/ru/man8/load_policy.8%{?ext_man} +%{_mandir}/ru/man8/open_init_pty.8%{?ext_man} +%{_mandir}/ru/man8/restorecon.8%{?ext_man} +%{_mandir}/ru/man8/restorecon_xattr.8%{?ext_man} +%{_mandir}/ru/man8/run_init.8%{?ext_man} +%{_mandir}/ru/man8/semodule.8%{?ext_man} +%{_mandir}/ru/man8/semodule_expand.8%{?ext_man} +%{_mandir}/ru/man8/semodule_link.8%{?ext_man} +%{_mandir}/ru/man8/semodule_package.8%{?ext_man} +%{_mandir}/ru/man8/semodule_unpackage.8%{?ext_man} +%{_mandir}/ru/man8/sepolgen.8%{?ext_man} +%{_mandir}/ru/man8/sestatus.8%{?ext_man} +%{_mandir}/ru/man8/setfiles.8%{?ext_man} +%{_mandir}/ru/man8/setsebool.8%{?ext_man} %{_mandir}/man5/selinux_config.5%{?ext_man} %{_mandir}/man5/sestatus.conf.5%{?ext_man} %{_mandir}/ru/man5/selinux_config.5%{?ext_man} %{_mandir}/ru/man5/sestatus.conf.5%{?ext_man} %{_mandir}/man1/secon.1%{?ext_man} -%{_mandir}/man1/audit2allow.1%{?ext_man} -%{_mandir}/man1/audit2why.1%{?ext_man} %{_mandir}/ru/man1/secon.1%{?ext_man} -%{_mandir}/ru/man1/audit2allow.1%{?ext_man} -%{_mandir}/ru/man1/audit2why.1%{?ext_man} 
-%{_datadir}/bash-completion/completions/* +%{_datadir}/bash-completion/completions/setsebool %files -n python3-%{name} %{python3_sitelib}/* 
@@ -271,12 +286,52 @@ %files lang -f %{name}.lang +%files python-utils +%{_bindir}/audit2allow +%{_bindir}/audit2why +%{_bindir}/chcat +%{_sbindir}/semanage +%{_mandir}/man1/audit2allow.1%{?ext_man} +%{_mandir}/ru/man1/audit2allow.1%{?ext_man} +%{_mandir}/man1/audit2why.1%{?ext_man} +%{_mandir}/ru/man1/audit2why.1%{?ext_man} +%{_mandir}/man8/chcat.8%{?ext_man} +%{_mandir}/ru/man8/chcat.8%{?ext_man} +%{_mandir}/man8/semanage*.8%{?ext_man} +%{_mandir}/ru/man8/semanage*.8%{?ext_man} +%{_datadir}/bash-completion/completions/semanage + %files devel +%{_bindir}/sepolgen +%{_bindir}/sepolgen-ifgen +%{_bindir}/sepolgen-ifgen-attr-helper +%{_bindir}/sepolicy +%{_mandir}/man8/sepolicy-booleans.8%{?ext_man} +%{_mandir}/man8/sepolicy-communicate.8%{?ext_man} +%{_mandir}/man8/sepolicy-generate.8%{?ext_man} +%{_mandir}/man8/sepolicy-gui.8%{?ext_man} +%{_mandir}/man8/sepolicy-interface.8%{?ext_man} +%{_mandir}/man8/sepolicy-manpage.8%{?ext_man} +%{_mandir}/man8/sepolicy-network.8%{?ext_man} +%{_mandir}/man8/sepolicy-transition.8%{?ext_man} +%{_mandir}/man8/sepolicy.8%{?ext_man} +%{_mandir}/man8/sepolgen.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-booleans.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-communicate.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-generate.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-gui.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-interface.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-manpage.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-network.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy-transition.8%{?ext_man} +%{_mandir}/ru/man8/sepolicy.8%{?ext_man} +%{_mandir}/ru/man8/sepolgen.8%{?ext_man} %dir %{_localstatedir}/lib/sepolgen %{_localstatedir}/lib/sepolgen/perm_map +%{_datadir}/bash-completion/completions/sepolicy %files newrole -%verify(not mode) %attr(0755,root,root) %{_bindir}/newrole +%verify(not mode) %attr(4755,root,root) %{_bindir}/newrole %{_mandir}/man1/newrole.1%{?ext_man} %{_mandir}/ru/man1/newrole.1%{?ext_man} %config(noreplace) %{_sysconfdir}/pam.d/newrole 
++++++ get_os_version.patch ++++++ Index: policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/__init__.py =================================================================== --- policycoreutils-3.1.orig/selinux-python-3.1/sepolicy/sepolicy/__init__.py +++ policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/__init__.py @@ -1226,7 +1226,8 @@ def get_os_version(): elif os_version[0:2] == "el": os_version = "RHEL" + os_version[2:] else: - os_version = "" + # make SUSE the default return value on SUSE systems + os_version = "SUSE" return os_version Index: policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/manpage.py =================================================================== --- policycoreutils-3.1.orig/selinux-python-3.1/sepolicy/sepolicy/manpage.py +++ policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/manpage.py @@ -192,11 +192,7 @@ class HTMLManPages: self.old_path = path + "/" self.new_path = self.old_path + self.os_version + "/" - if self.os_version in fedora_releases or self.os_version in rhel_releases: - self.__gen_html_manpages() - else: - print("SELinux HTML man pages can not be generated for this %s" % os_version) - exit(1) + self.__gen_html_manpages() def __gen_html_manpages(self): self._write_html_manpage() ++++++ policycoreutils-3.0.tar.gz -> policycoreutils-3.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/VERSION new/policycoreutils-3.1/VERSION --- old/policycoreutils-3.0/VERSION 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/VERSION 2020-07-10 17:17:15.000000000 +0200 @@ -1 +1 @@ -3.0 +3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/newrole/hashtab.c new/policycoreutils-3.1/newrole/hashtab.c --- old/policycoreutils-3.0/newrole/hashtab.c 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/newrole/hashtab.c 2020-07-10 17:17:15.000000000 +0200 
@@ -112,48 +112,6 @@ return HASHTAB_SUCCESS; } -int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum, - void (*destroy) (hashtab_key_t k, - hashtab_datum_t d, void *args), void *args) -{ - int hvalue; - hashtab_ptr_t prev, cur, newnode; - - if (!h) - return HASHTAB_OVERFLOW; - - hvalue = h->hash_value(h, key); - prev = NULL; - cur = h->htable[hvalue]; - while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { - prev = cur; - cur = cur->next; - } - - if (cur && (h->keycmp(h, key, cur->key) == 0)) { - if (destroy) - destroy(cur->key, cur->datum, args); - cur->key = key; - cur->datum = datum; - } else { - newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); - if (newnode == NULL) - return HASHTAB_OVERFLOW; - memset(newnode, 0, sizeof(struct hashtab_node)); - newnode->key = key; - newnode->datum = datum; - if (prev) { - newnode->next = prev->next; - prev->next = newnode; - } else { - newnode->next = h->htable[hvalue]; - h->htable[hvalue] = newnode; - } - } - - return HASHTAB_SUCCESS; -} - hashtab_datum_t hashtab_search(hashtab_t h, const_hashtab_key_t key) { 
@@ -220,49 +178,6 @@ return HASHTAB_SUCCESS; } -void hashtab_map_remove_on_error(hashtab_t h, - int (*apply) (hashtab_key_t k, - hashtab_datum_t d, - void *args), - void (*destroy) (hashtab_key_t k, - hashtab_datum_t d, - void *args), void *args) -{ - unsigned int i; - int ret; - hashtab_ptr_t last, cur, temp; - - if (!h) - return; - - for (i = 0; i < h->size; i++) { - last = NULL; - cur = h->htable[i]; - while (cur != NULL) { - ret = apply(cur->key, cur->datum, args); - if (ret) { - if (last) { - last->next = cur->next; - } else { - h->htable[i] = cur->next; - } - - temp = cur; - cur = cur->next; - if (destroy) - destroy(temp->key, temp->datum, args); - free(temp); - h->nel--; - } else { - last = cur; - cur = cur->next; - } - } - } - - return; -} - void hashtab_hash_eval(hashtab_t h, char *tag) { unsigned int i; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/newrole/hashtab.h new/policycoreutils-3.1/newrole/hashtab.h --- old/policycoreutils-3.0/newrole/hashtab.h 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/newrole/hashtab.h 2020-07-10 17:17:15.000000000 +0200 @@ -82,20 +82,6 @@ void *args), void *args); /* - Insert or replace the specified (key, datum) pair in the specified - hash table. If an entry for the specified key already exists, - then the specified destroy function is applied to (key,datum,args) - for the entry prior to replacing the entry's contents. - - Returns HASHTAB_OVERFLOW if insufficient space is available or - HASHTAB_SUCCESS otherwise. - */ -extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d, - void (*destroy) (hashtab_key_t k, - hashtab_datum_t d, - void *args), void *args); - -/* Searches for the entry with the specified key in the hash table. Returns NULL if no entry has the specified key or 
@@ -124,20 +110,6 @@ hashtab_datum_t d, void *args), void *args); -/* - Same as hashtab_map, except that if apply returns a non-zero status, - then the (key,datum) pair will be removed from the hashtab and the - destroy function will be applied to (key,datum,args). - */ -extern void hashtab_map_remove_on_error(hashtab_t h, - int (*apply) (hashtab_key_t k, - hashtab_datum_t d, - void *args), - void (*destroy) (hashtab_key_t k, - hashtab_datum_t d, - void *args), - void *args); - extern void hashtab_hash_eval(hashtab_t h, char *tag); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/newrole/newrole.c new/policycoreutils-3.1/newrole/newrole.c --- old/policycoreutils-3.0/newrole/newrole.c 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/newrole/newrole.c 2020-07-10 17:17:15.000000000 +0200 @@ -643,8 +643,8 @@ #ifdef AUDIT_LOG_PRIV /* Send audit message */ static -int send_audit_message(int success, security_context_t old_context, - security_context_t new_context, const char *ttyn) +int send_audit_message(int success, const char *old_context, + const char *new_context, const char *ttyn) { char *msg = NULL; int rc; @@ -677,9 +677,9 @@ #else static inline int send_audit_message(int success __attribute__ ((unused)), - security_context_t old_context + const char *old_context __attribute__ ((unused)), - security_context_t new_context + const char *new_context __attribute__ ((unused)), const char *ttyn __attribute__ ((unused))) { 
@@ -695,14 +695,14 @@ * This function will not fail if it can not relabel the tty when selinux is * in permissive mode. */ -static int relabel_tty(const char *ttyn, security_context_t new_context, - security_context_t * tty_context, - security_context_t * new_tty_context) +static int relabel_tty(const char *ttyn, const char *new_context, + char **tty_context, + char **new_tty_context) { int fd, rc; int enforcing = security_getenforce(); - security_context_t tty_con = NULL; - security_context_t new_tty_con = NULL; + char *tty_con = NULL; + char *new_tty_con = NULL; if (!ttyn) return 0; @@ -775,11 +775,11 @@ * Returns zero on success, non-zero otherwise */ static int restore_tty_label(int fd, const char *ttyn, - security_context_t tty_context, - security_context_t new_tty_context) + const char *tty_context, + const char *new_tty_context) { int rc = 0; - security_context_t chk_tty_context = NULL; + char *chk_tty_context = NULL; if (!ttyn) goto skip_relabel; @@ -816,8 +816,8 @@ * Returns zero on success, non-zero otherwise. */ static int parse_command_line_arguments(int argc, char **argv, char *ttyn, - security_context_t old_context, - security_context_t * new_context, + const char *old_context, + char **new_context, int *preserve_environment) { int flag_index; /* flag index in argv[] */ @@ -827,8 +827,8 @@ char *type_ptr = NULL; /* stores malloc'd data from get_default_type */ char *level_s = NULL; /* level spec'd by user in argv[] */ char *range_ptr = NULL; - security_context_t new_con = NULL; - security_context_t tty_con = NULL; + char *new_con = NULL; + char *tty_con = NULL; context_t context = NULL; /* manipulatable form of new_context */ const struct option long_options[] = { {"role", 1, 0, 'r'}, 
@@ -1021,10 +1021,10 @@ int main(int argc, char *argv[]) { - security_context_t new_context = NULL; /* target security context */ - security_context_t old_context = NULL; /* original securiy context */ - security_context_t tty_context = NULL; /* current context of tty */ - security_context_t new_tty_context = NULL; /* new context of tty */ + char *new_context = NULL; /* target security context */ + char *old_context = NULL; /* original securiy context */ + char *tty_context = NULL; /* current context of tty */ + char *new_tty_context = NULL; /* new context of tty */ struct passwd pw; /* struct derived from passwd file line */ char *ttyn = NULL; /* tty path */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/run_init/run_init.c new/policycoreutils-3.1/run_init/run_init.c --- old/policycoreutils-3.0/run_init/run_init.c 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/run_init/run_init.c 2020-07-10 17:17:15.000000000 +0200 @@ -303,7 +303,7 @@ * out: The CONTEXT associated with the context. * return: 0 on success, -1 on failure. */ -int get_init_context(security_context_t * context) +int get_init_context(char **context) { FILE *fp; @@ -354,7 +354,7 @@ extern char *optarg; /* used by getopt() for arg strings */ extern int opterr; /* controls getopt() error messages */ - security_context_t new_context; /* context for the init script context */ + char *new_context; /* context for the init script context */ #ifdef USE_NLS setlocale(LC_ALL, ""); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/secon/secon.c new/policycoreutils-3.1/secon/secon.c --- old/policycoreutils-3.0/secon/secon.c 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/secon/secon.c 2020-07-10 17:17:15.000000000 +0200 
@@ -341,7 +341,7 @@ errx(EXIT_FAILURE, "SELinux is not enabled"); } -static int my_getXcon_raw(pid_t pid, security_context_t * con, const char *val) +static int my_getXcon_raw(pid_t pid, char **con, const char *val) { char buf[4096]; FILE *fp = NULL; @@ -371,23 +371,23 @@ return (0); } -static int my_getpidexeccon_raw(pid_t pid, security_context_t * con) +static int my_getpidexeccon_raw(pid_t pid, char **con) { return (my_getXcon_raw(pid, con, "exec")); } -static int my_getpidfscreatecon_raw(pid_t pid, security_context_t * con) +static int my_getpidfscreatecon_raw(pid_t pid, char **con) { return (my_getXcon_raw(pid, con, "fscreate")); } -static int my_getpidkeycreatecon_raw(pid_t pid, security_context_t * con) +static int my_getpidkeycreatecon_raw(pid_t pid, char **con) { return (my_getXcon_raw(pid, con, "keycreate")); } -static security_context_t get_scon(void) +static char *get_scon(void) { static char dummy_NIL[1] = ""; - security_context_t con = NULL, con_tmp; + char *con = NULL, *con_tmp; int ret = -1; switch (opts->from_type) { @@ -620,9 +620,10 @@ done = TRUE; } -static void disp_con(security_context_t scon_raw) +static void disp_con(const char *scon_raw) { - security_context_t scon_trans, scon; + char *scon_trans; + const char *scon; context_t con = NULL; char *color_str = NULL; struct context_color_t color = { .valid = 0 }; @@ -748,7 +749,7 @@ int main(int argc, char *argv[]) { - security_context_t scon_raw = NULL; + char *scon_raw = NULL; cmd_line(argc, argv); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/semodule/genhomedircon.8 new/policycoreutils-3.1/semodule/genhomedircon.8 --- old/policycoreutils-3.0/semodule/genhomedircon.8 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/semodule/genhomedircon.8 2020-07-10 17:17:15.000000000 +0200 
@@ -16,6 +16,9 @@ although this default behavior can be optionally modified by setting to "true" the "disable-genhomedircon" in /etc/selinux/semanage.conf. +Directories can be excluded from the list of home directories by the setting "ignoredirs" +in /etc/selinux/semanage.conf. + .SH AUTHOR This manual page was written by .I Dan Walsh <dwa...@redhat.com> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/setfiles/restore.c new/policycoreutils-3.1/setfiles/restore.c --- old/policycoreutils-3.0/setfiles/restore.c 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/setfiles/restore.c 2020-07-10 17:17:15.000000000 +0200 @@ -41,7 +41,7 @@ opts->xdev | opts->abort_on_error | opts->syslog_changes | opts->log_matches | opts->ignore_noent | opts->ignore_mounts | - opts->mass_relabel; + opts->mass_relabel | opts->conflict_error; /* Use setfiles, restorecon and restorecond own handles */ selinux_restorecon_set_sehandle(opts->hnd); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/setfiles/restore.h new/policycoreutils-3.1/setfiles/restore.h --- old/policycoreutils-3.0/setfiles/restore.h 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/setfiles/restore.h 2020-07-10 17:17:15.000000000 +0200 @@ -34,6 +34,7 @@ unsigned int log_matches; unsigned int ignore_noent; unsigned int ignore_mounts; + unsigned int conflict_error; /* restorecon_flags holds | of above for restore_init() */ unsigned int restorecon_flags; char *rootpath; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/setfiles/restorecon.8 new/policycoreutils-3.1/setfiles/restorecon.8 --- old/policycoreutils-3.0/setfiles/restorecon.8 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/setfiles/restorecon.8 2020-07-10 17:17:15.000000000 +0200 
@@ -13,6 +13,7 @@ .RB [ \-F ] .RB [ \-W ] .RB [ \-I | \-D ] +.RB [ \-x ] .RB [ \-e .IR directory ] .IR pathname \ ... @@ -31,6 +32,7 @@ .RB [ \-F ] .RB [ \-W ] .RB [ \-I | \-D ] +.RB [ \-x ] .SH "DESCRIPTION" This manual page describes the @@ -153,14 +155,21 @@ .B find produces input suitable for this mode. .TP +.B \-x +prevent +.B restorecon +from crossing file system boundaries. +.TP .SH "ARGUMENTS" .IR pathname \ ... The pathname for the file(s) to be relabeled. .SH "NOTES" .IP "1." 4 .B restorecon -does not follow symbolic links and by default it does not -operate recursively on directories. +by default does not operate recursively on directories. Paths leading up the +final component of the file(s) are canonicalized using +.BR realpath (3) +before labeling. .IP "2." 4 If the .I pathname diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/setfiles/setfiles.8 new/policycoreutils-3.1/setfiles/setfiles.8 --- old/policycoreutils-3.0/setfiles/setfiles.8 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/setfiles/setfiles.8 2020-07-10 17:17:15.000000000 +0200 @@ -12,6 +12,7 @@ .RB [ \-n ] .RB [ \-e .IR directory ] +.RB [ \-E ] .RB [ \-p ] .RB [ \-s ] .RB [ \-v ] @@ -62,6 +63,10 @@ .BI \-e \ directory directory to exclude (repeat option for more than one directory). .TP +.BI \-E +treat conflicting specifications as errors, such as where two hardlinks for +the same inode have different contexts. +.TP .BI \-f \ infilename .I infilename contains a list of files to be processed. Use 
@@ -209,7 +214,8 @@ .SH "NOTES" .IP "1." 4 .B setfiles -follows symbolic links and operates recursively on directories. +operates recursively on directories. Paths leading up the final +component of the file(s) are not canonicalized before labeling. .IP "2." 4 If the .I pathname diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/setfiles/setfiles.c new/policycoreutils-3.1/setfiles/setfiles.c --- old/policycoreutils-3.0/setfiles/setfiles.c 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/setfiles/setfiles.c 2020-07-10 17:17:15.000000000 +0200 @@ -43,16 +43,15 @@ { if (iamrestorecon) { fprintf(stderr, - "usage: %s [-iIDFmnprRv0] [-e excludedir] pathname...\n" - "usage: %s [-iIDFmnprRv0] [-e excludedir] -f filename\n", + "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" + "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", name, name); } else { fprintf(stderr, - "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file pathname...\n" - "usage: %s [-diIDlmnpqvFW] [-e excludedir] [-r alt_root_path] spec_file -f filename\n" - "usage: %s -s [-diIDlmnpqvFW] spec_file\n" - "usage: %s -c policyfile spec_file\n", - name, name, name, name); + "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" + "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" + "usage: %s -s [-diIDlmnpqvFW] spec_file\n", + name, name, name); } exit(-1); } @@ -168,8 +167,8 @@ size_t buf_len; const char *base; int errors = 0; - const char *ropts = "e:f:hiIDlmno:pqrsvFRW0"; - const char *sopts = "c:de:f:hiIDlmno:pqr:svFR:W0"; + const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x"; + const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0"; const char *opts; union selinux_callback cb; 
@@ -313,6 +312,10 @@ r_opts.syslog_changes = SELINUX_RESTORECON_SYSLOG_CHANGES; break; + case 'E': + r_opts.conflict_error = + SELINUX_RESTORECON_CONFLICT_ERROR; + break; case 'F': r_opts.set_specctx = SELINUX_RESTORECON_SET_SPECFILE_CTX; @@ -382,6 +385,13 @@ case '0': null_terminated = 1; break; + case 'x': + if (iamrestorecon) { + r_opts.xdev = SELINUX_RESTORECON_XDEV; + } else { + usage(argv[0]); + } + break; case 'h': case '?': usage(argv[0]); @@ -398,7 +408,7 @@ if (!iamrestorecon) { if (policyfile) { - if (optind != (argc - 1)) + if (optind > (argc - 1)) usage(argv[0]); } else if (use_input_file) { if (optind != (argc - 1)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/policycoreutils-3.0/setsebool/setsebool.c new/policycoreutils-3.1/setsebool/setsebool.c --- old/policycoreutils-3.0/setsebool/setsebool.c 2019-11-28 13:46:48.000000000 +0100 +++ new/policycoreutils-3.1/setsebool/setsebool.c 2020-07-10 17:17:15.000000000 +0200 @@ -200,8 +200,10 @@ if (no_reload) semanage_set_reload(handle, 0); - if (semanage_commit(handle) < 0) + if (semanage_commit(handle) < 0) { + fprintf(stderr, "Failed to commit changes to booleans: %m\n"); goto err; + } semanage_disconnect(handle); semanage_handle_destroy(handle); ++++++ selinux-python-3.0.tar.gz -> selinux-python-3.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/VERSION new/selinux-python-3.1/VERSION --- old/selinux-python-3.0/VERSION 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/VERSION 2020-07-10 17:17:15.000000000 +0200 
@@ -1 +1 @@ -3.0 +3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/audit2allow/Makefile new/selinux-python-3.1/audit2allow/Makefile --- old/selinux-python-3.0/audit2allow/Makefile 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/audit2allow/Makefile 2020-07-10 17:17:15.000000000 +0200 @@ -19,7 +19,7 @@ all: audit2why sepolgen-ifgen-attr-helper sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o $(LIBSEPOLA) - $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) -lselinux audit2why: ln -sf audit2allow audit2why diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/audit2allow/sepolgen-ifgen new/selinux-python-3.1/audit2allow/sepolgen-ifgen --- old/selinux-python-3.0/audit2allow/sepolgen-ifgen 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/audit2allow/sepolgen-ifgen 2020-07-10 17:17:15.000000000 +0200 @@ -27,7 +27,6 @@ import sys -import os import tempfile import subprocess 
@@ -65,37 +64,18 @@ return options -def get_policy(): - p = selinux.selinux_current_policy_path() - if p and os.path.exists(p): - return p - i = selinux.security_policyvers() - p = selinux.selinux_binary_policy_path() + "." + str(i) - while i > 0 and not os.path.exists(p): - i = i - 1 - p = selinux.selinux_binary_policy_path() + "." + str(i) - if i > 0: - return p - return None - - def get_attrs(policy_path, attr_helper): try: - if not policy_path: - policy_path = get_policy() - if not policy_path: - sys.stderr.write("No installed policy to check\n") - return None outfile = tempfile.NamedTemporaryFile() except IOError as e: sys.stderr.write("could not open attribute output file\n") return None - except OSError: - # SELinux Disabled Machine - return None fd = open("/dev/null", "w") - ret = subprocess.Popen([attr_helper, policy_path, outfile.name], stdout=fd).wait() + if policy_path: + ret = subprocess.Popen([attr_helper, outfile.name, policy_path], stdout=fd).wait() + else: + ret = subprocess.Popen([attr_helper, outfile.name], stdout=fd).wait() fd.close() if ret != 0: sys.stderr.write("could not run attribute helper\n") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/audit2allow/sepolgen-ifgen-attr-helper.c new/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c --- old/selinux-python-3.0/audit2allow/sepolgen-ifgen-attr-helper.c 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c 2020-07-10 17:17:15.000000000 +0200 @@ -26,6 +26,8 @@ #include <sepol/policydb/avtab.h> #include <sepol/policydb/util.h> +#include <selinux/selinux.h> + #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> 
@@ -147,8 +149,36 @@ policydb_t *policydb; struct policy_file pf; FILE *fp; + char pathname[PATH_MAX]; + int suffix_ver; int ret; + /* no explicit policy name given, try loaded policy on a SELinux enabled system */ + if (!filename) { + filename = selinux_current_policy_path(); + } + + /* + * Fallback to default store paths with version suffixes, + * starting from the maximum supported policy version. + */ + if (!filename) { + for (suffix_ver = sepol_policy_kern_vers_max(); suffix_ver > 0; suffix_ver--) { + snprintf(pathname, sizeof(pathname), "%s.%d", selinux_binary_policy_path(), suffix_ver); + + if (access(pathname, F_OK) == 0) { + filename = pathname; + break; + } + } + + if (!filename) { + fprintf(stderr, "Can't find any policy at '%s'\n", + selinux_binary_policy_path()); + return NULL; + } + } + fp = fopen(filename, "r"); if (fp == NULL) { fprintf(stderr, "Can't open '%s': %s\n", @@ -188,7 +218,7 @@ void usage(char *progname) { - printf("usage: %s policy_file out_file\n", progname); + printf("usage: %s out_file [policy_file]\n", progname); } int main(int argc, char **argv) @@ -197,18 +227,18 @@ struct callback_data cb_data; FILE *fp; - if (argc != 3) { + if (argc != 2 && argc != 3) { usage(argv[0]); return -1; } /* Open the policy. */ - p = load_policy(argv[1]); + p = load_policy(argv[2]); if (p == NULL) return -1; /* Open the output policy. */ - fp = fopen(argv[2], "w"); + fp = fopen(argv[1], "w"); if (fp == NULL) { fprintf(stderr, "error opening output file\n"); policydb_destroy(p); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/semanage/semanage-bash-completion.sh new/selinux-python-3.1/semanage/semanage-bash-completion.sh --- old/selinux-python-3.0/semanage/semanage-bash-completion.sh 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/semanage/semanage-bash-completion.sh 2020-07-10 17:17:15.000000000 +0200 
@@ -54,6 +54,9 @@ __get_all_stores () { dir -1 -F /etc/selinux/ | grep '/' | cut -d'/' -f 1 } +__get_all_modules () { + semodule -l +} __get_import_opts () { echo '$ALL_OPTS --f --input_file' ; } __get_export_opts () { echo '$ALL_OPTS --f --output_file' ; } __get_boolean_opts () { echo '$ALL_OPTS --on -off -1 -0' ; } @@ -88,6 +91,13 @@ if [ "$prev" = "-a" -a "$command" = "permissive" ]; then COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") ) return 0 + elif [ "$command" = "module" ]; then + if [ "$prev" = "-d" ] || [ "$prev" = "--disable" ] \ + || [ "$prev" = "-e" ] || [ "$prev" = "--enable" ] \ + || [ "$prev" = "-r" ] || [ "$prev" = "--remove" ]; then + COMPREPLY=( $(compgen -W "$( __get_all_modules ) " -- "$cur") ) + return 0 + fi fi if [ "$verb" = "" -a "$prev" = "semanage" ]; then comps="${VERBS[*]}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/semanage/semanage-node.8 new/selinux-python-3.1/semanage/semanage-node.8 --- old/selinux-python-3.0/semanage/semanage-node.8 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/semanage/semanage-node.8 2020-07-10 17:17:15.000000000 +0200 @@ -45,7 +45,7 @@ Remove all local customizations .TP .I \-M NETMASK, \-\-netmask NETMASK -Network Mask +Network Mask, either in CIDR (/16) or address mask notation (255.255.0.0, ffff::) .TP .I \-t TYPE, \-\-type TYPE SELinux type for the object diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/semanage/seobject.py new/selinux-python-3.1/semanage/seobject.py --- old/selinux-python-3.0/semanage/seobject.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/semanage/seobject.py 2020-07-10 17:17:15.000000000 +0200 @@ -32,7 +32,7 @@ PROGNAME = "policycoreutils" import sepolicy import setools -from IPy import IP +import ipaddress try: import gettext 
@@ -1070,7 +1070,11 @@ if port == "": raise ValueError(_("Port is required")) - ports = port.split("-") + if isinstance(port, str): + ports = port.split('-', 1) + else: + ports = (port,) + if len(ports) == 1: high = low = int(ports[0]) else: @@ -1854,25 +1858,34 @@ if addr == "": raise ValueError(_("Node Address is required")) - # verify valid combination + # verify that (addr, mask) is either a IP address (without a mask) or a valid network mask if len(mask) == 0 or mask[0] == "/": - i = IP(addr + mask) - newaddr = i.strNormal(0) - newmask = str(i.netmask()) - if newmask == "0.0.0.0" and i.version() == 6: - newmask = "::" - - protocol = "ipv%d" % i.version() + i = ipaddress.ip_network(addr + mask) + newaddr = str(i.network_address) + newmask = str(i.netmask) + protocol = "ipv%d" % i.version try: newprotocol = self.protocol.index(protocol) except: raise ValueError(_("Unknown or missing protocol")) - return newaddr, newmask, newprotocol + try: + audit_protocol = socket.getprotobyname(protocol) + except: + # Entry for "ipv4" not found in /etc/protocols on (at + # least) Debian? To ensure audit log compatibility, let's + # use the same numeric value as Fedora: 4, which is + # actually understood by kernel as IP over IP. + if (protocol == "ipv4"): + audit_protocol = socket.IPPROTO_IPIP + else: + raise ValueError(_("Unknown or missing protocol")) + + return newaddr, newmask, newprotocol, audit_protocol def __add(self, addr, mask, proto, serange, ctype): - addr, mask, proto = self.validate(addr, mask, proto) + addr, mask, proto, audit_proto = self.validate(addr, mask, proto) if is_mls_enabled == 1: if serange == "": 
@@ -1891,10 +1904,10 @@ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) if rc < 0: raise ValueError(_("Could not create key for %s") % addr) - if rc < 0: - raise ValueError(_("Could not check if addr %s is defined") % addr) (rc, exists) = semanage_node_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if addr %s is defined") % addr) if exists: raise ValueError(_("Addr %s already defined") % addr) @@ -1941,7 +1954,7 @@ semanage_node_key_free(k) semanage_node_free(node) - self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange)) + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", ctype, serange)) def add(self, addr, mask, proto, serange, ctype): self.begin() @@ -1949,7 +1962,7 @@ self.commit() def __modify(self, addr, mask, proto, serange, setype): - addr, mask, proto = self.validate(addr, mask, proto) + addr, mask, proto, audit_proto = self.validate(addr, mask, proto) if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) @@ -1986,7 +1999,7 @@ semanage_node_key_free(k) semanage_node_free(node) - self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange)) + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", setype, serange)) def modify(self, addr, mask, proto, serange, setype): self.begin() 
@@ -1994,8 +2007,7 @@ self.commit() def __delete(self, addr, mask, proto): - - addr, mask, proto = self.validate(addr, mask, proto) + addr, mask, proto, audit_proto = self.validate(addr, mask, proto) (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) if rc < 0: @@ -2019,7 +2031,7 @@ semanage_node_key_free(k) - self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]))) + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, audit_proto)) def delete(self, addr, mask, proto): self.begin() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/semanage/test-semanage.py new/selinux-python-3.1/semanage/test-semanage.py --- old/selinux-python-3.0/semanage/test-semanage.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/semanage/test-semanage.py 2020-07-10 17:17:15.000000000 +0200 @@ -233,7 +233,7 @@ def semanage_run_test(suite): - unittest.TextTestRunner(verbosity=2).run(suite) + return unittest.TextTestRunner(verbosity=2).run(suite).wasSuccessful() class CheckTest(argparse.Action): @@ -255,9 +255,9 @@ for i in semanage_test_list: print(i) if args.all: - semanage_run_test(semanage_suite()) + return semanage_run_test(semanage_suite()) if args.test: - semanage_run_test(semanage_custom_suite(args.test)) + return semanage_run_test(semanage_custom_suite(args.test)) def gen_semanage_test_args(parser): 
@@ -281,8 +281,10 @@ gen_semanage_test_args(parser) try: args = parser.parse_args() - args.func(args) - sys.exit(0) + if args.func(args): + sys.exit(0) + else: + sys.exit(1) except ValueError as e: sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) sys.exit(1) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolgen/VERSION new/selinux-python-3.1/sepolgen/VERSION --- old/selinux-python-3.0/sepolgen/VERSION 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolgen/VERSION 2020-07-10 17:17:15.000000000 +0200 @@ -1 +1 @@ -3.0 +3.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolgen/src/sepolgen/refparser.py new/selinux-python-3.1/sepolgen/src/sepolgen/refparser.py --- old/selinux-python-3.0/sepolgen/src/sepolgen/refparser.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolgen/src/sepolgen/refparser.py 2020-07-10 17:17:15.000000000 +0200 @@ -126,6 +126,7 @@ 'GEN_REQ', 'TEMPLATE', 'GEN_CONTEXT', + 'GEN_TUNABLE', # m4 'IFELSE', 'IFDEF', @@ -192,6 +193,7 @@ 'gen_require' : 'GEN_REQ', 'template' : 'TEMPLATE', 'gen_context' : 'GEN_CONTEXT', + 'gen_tunable' : 'GEN_TUNABLE', # M4 'ifelse' : 'IFELSE', 'ifndef' : 'IFNDEF', @@ -518,6 +520,7 @@ | range_transition_def | role_transition_def | bool + | gen_tunable | define | initial_sid | genfscon @@ -844,6 +847,17 @@ b.state = False p[0] = b +def p_gen_tunable(p): + '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN''' + b = refpolicy.Bool() + b.name = p[4] + if p[7] == "true": + b.state = True + else: + b.state = False + p[0] = b + def p_conditional(p): ''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE | IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE 
@@ -1134,6 +1148,6 @@ status.step() if len(failures): - o("failed to parse some headers: %s" % ", ".join(failures)) + o("failed to parse some headers: %s\n" % ", ".join(failures)) return headers diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolicy/Makefile new/selinux-python-3.1/sepolicy/Makefile --- old/selinux-python-3.0/sepolicy/Makefile 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolicy/Makefile 2020-07-10 17:17:15.000000000 +0200 @@ -27,7 +27,7 @@ @$(PYTHON) test_sepolicy.py -v install: - $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` + $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS) [ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR) install -m 755 sepolicy.py $(DESTDIR)$(BINDIR)/sepolicy (cd $(DESTDIR)$(BINDIR); ln -sf sepolicy sepolgen) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/generate.py new/selinux-python-3.1/sepolicy/sepolicy/generate.py --- old/selinux-python-3.0/sepolicy/sepolicy/generate.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolicy/sepolicy/generate.py 2020-07-10 17:17:15.000000000 +0200 @@ -340,7 +340,7 @@ (self.generate_root_user_types, self.generate_root_user_rules), (self.generate_new_types, self.generate_new_rules)) if not re.match(r"^[a-zA-Z0-9-_]+$", name): - raise ValueError(_("Name must be alpha numeric with no spaces. Consider using option \"-n MODULENAME\"")) + raise ValueError(_("Name must be alphanumeric with no spaces. Consider using option \"-n MODULENAME\"")) if type == CGI: self.name = "httpd_%s_script" % name 
@@ -438,7 +438,7 @@ def set_init_script(self, initscript): if self.type != DAEMON: - raise ValueError(_("Only Daemon apps can use an init script..")) + raise ValueError(_("Only Daemon apps can use an init script.")) self.initscript = initscript diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/interface.py new/selinux-python-3.1/sepolicy/sepolicy/interface.py --- old/selinux-python-3.0/sepolicy/sepolicy/interface.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolicy/sepolicy/interface.py 2020-07-10 17:17:15.000000000 +0200 @@ -146,12 +146,12 @@ tree = xml.etree.ElementTree.fromstring(xml_path) for l in tree.findall("layer"): for m in l.findall("module"): - for i in m.getiterator('interface'): + for i in m.iter('interface'): for e in i.findall("param"): param_list.append(e.get('name')) interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "interface"] param_list = [] - for i in m.getiterator('template'): + for i in m.iter('template'): for e in i.findall("param"): param_list.append(e.get('name')) interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "template"] 
@@ -198,7 +198,7 @@ filename = os.path.basename(if_file).split(".")[0] rc, output = getstatusoutput("/usr/bin/python3 /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % (basedir + filename)) if rc != 0: - sys.stderr.write("\n Could not proceed selected interface file.\n") + sys.stderr.write("\n Could not process selected interface file.\n") sys.stderr.write("\n%s" % output) sys.exit(1) else: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/manpage.py new/selinux-python-3.1/sepolicy/sepolicy/manpage.py --- old/selinux-python-3.0/sepolicy/sepolicy/manpage.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolicy/sepolicy/manpage.py 2020-07-10 17:17:15.000000000 +0200 @@ -1074,7 +1074,7 @@ .B semanage login -m -s %(user)s_u __default__ -""" % {'desc': self.desc, 'type': self.type, 'user': self.domainname, 'range': self._get_users_range()}) +""" % {'desc': self.desc, 'user': self.domainname, 'range': self._get_users_range()}) if "login_userdomain" in self.attributes and "login_userdomain" in self.all_attributes: self.fd.write(""" @@ -1245,7 +1245,7 @@ .B $ sesearch -A -s %(type)s -c process -p transition -""" % {'user': self.domainname, 'type': self.type}) +""" % {'type': self.type}) def _role_header(self): self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgr...@redhat.com" "%(user)s SELinux Policy documentation"' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/network.py new/selinux-python-3.1/sepolicy/sepolicy/network.py --- old/selinux-python-3.0/sepolicy/sepolicy/network.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolicy/sepolicy/network.py 2020-07-10 17:17:15.000000000 +0200 
@@ -49,15 +49,15 @@ if "port_t" in tlist: continue if i == "port_t": - d[(src, protocol, perm)].append((i, ["all ports with out defined types"])) + d[(src, protocol, perm)].append((i, ["all ports without defined types"])) if i == "port_type": d[(src, protocol, perm)].append((i, ["all ports"])) elif i == "unreserved_port_type": - d[(src, protocol, perm)].append((i, ["all ports > 1024"])) + d[(src, protocol, perm)].append((i, ["all ports >= 1024"])) elif i == "reserved_port_type": d[(src, protocol, perm)].append((i, ["all ports < 1024"])) elif i == "rpc_port_type": - d[(src, protocol, perm)].append((i, ["all ports > 500 and < 1024"])) + d[(src, protocol, perm)].append((i, ["all ports >= 512 and < 1024"])) else: try: d[(src, protocol, perm)].append((i, portrecs[(i, protocol)])) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolicy/sepolicy/sepolicy.glade new/selinux-python-3.1/sepolicy/sepolicy/sepolicy.glade --- old/selinux-python-3.0/sepolicy/sepolicy/sepolicy.glade 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolicy/sepolicy/sepolicy.glade 2020-07-10 17:17:15.000000000 +0200 
@@ -2877,19 +2877,9 @@ </object> </child> <child> - <object class="GtkTreeViewColumn" id="treeviewcolumn27"> - <child> - <object class="GtkCellRendererText" id="cellrenderertext34"/> - <attributes> - <attribute name="text">1</attribute> - </attributes> - </child> - </object> - </child> - <child> <object class="GtkTreeViewColumn" id="executable_file_from"> <property name="resizable">True</property> - <property name="title" translatable="yes">Boolean name</property> + <property name="title" translatable="yes">Executable File</property> <property name="expand">True</property> <property name="clickable">True</property> <property name="reorderable">True</property> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/selinux-python-3.0/sepolicy/setup.py new/selinux-python-3.1/sepolicy/setup.py --- old/selinux-python-3.0/sepolicy/setup.py 2019-11-28 13:46:48.000000000 +0100 +++ new/selinux-python-3.1/sepolicy/setup.py 2020-07-10 17:17:15.000000000 +0200 @@ -6,7 +6,7 @@ setup( name="sepolicy", - version="3.0", + version="3.1", description="Python SELinux Policy Analyses bindings", author="Daniel Walsh", author_email="dwa...@redhat.com", ++++++ semodule-utils-3.0.tar.gz -> semodule-utils-3.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/semodule-utils-3.0/VERSION new/semodule-utils-3.1/VERSION --- old/semodule-utils-3.0/VERSION 2019-11-28 13:46:48.000000000 +0100 +++ new/semodule-utils-3.1/VERSION 2020-07-10 17:17:15.000000000 +0200 @@ -1 +1 @@ -3.0 +3.1
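Review bot: in the audit2allow/Makefile hunk, `-lselinux` is appended as a literal to the sepolgen-ifgen-attr-helper link line while the libsepol dependency goes through `$(LDLIBS_LIBSEPOLA)`. Introduce a matching variable (for example `LDLIBS_LIBSELINUX`, or fold it into `LDLIBS`) so a packager building against a non-default libselinux can override it the same way the libsepol flags are overridden; the helper now needs libselinux only for `selinux_current_policy_path()` and `selinux_binary_policy_path()`, so the new dependency is also worth a comment next to the rule.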
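Review bot: in the sepolgen-ifgen `get_attrs()` hunk, removing the `except OSError: # SELinux Disabled Machine` branch together with `get_policy()` changes what a user sees on a system with no loaded policy: the helper now prints its own "Can't find any policy at ..." and exits non-zero, after which `get_attrs()` adds "could not run attribute helper" and returns None, where 3.0 returned None quietly. If that is intended, state it in the commit message; otherwise distinguish the no-policy exit status from a real helper failure. The `fd = open("/dev/null", "w")` / `fd.close()` pair can also become `stdout=subprocess.DEVNULL`, which does not leak the descriptor if `Popen()` raises between the two calls.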
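Review bot: in the sepolgen-ifgen-attr-helper.c `load_policy()` hunk, the `access(pathname, F_OK) == 0` probe followed later by `fopen(filename, "r")` is a check-then-use pair: `access()` only tests existence (and does so for the real UID), so the subsequent `fopen()` can still fail, and the file can change between the two calls. Calling `fopen()` directly inside the version loop and breaking on success gives one error path and no race. Note also that the fallback now starts from `sepol_policy_kern_vers_max()` (the newest version libsepol can read) where the removed Python `get_policy()` started from `selinux.security_policyvers()` (the running kernel's version); that is fine for a tool that only parses the file, but a one-line comment would stop someone later "fixing" it back.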
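Review bot: in the attr-helper `main()` hunk, `p = load_policy(argv[2]);` with `argc == 2` relies on `argv[argc]` being NULL, which the C standard guarantees but which is easy to misread as an out-of-bounds access; `p = load_policy(argc == 3 ? argv[2] : NULL);` makes the optional argument explicit and matches the new `usage: %s out_file [policy_file]` string. The argument order is also reversed relative to 3.0 (`policy_file out_file` became `out_file [policy_file]`), so anything other than the updated sepolgen-ifgen that invokes the helper directly must be changed in the same update.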
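Review bot: in the semanage-bash-completion.sh hunk, `__get_all_modules () { semodule -l }` lets any error from `semodule -l` (for example when the caller lacks permission to read the module store) land on the terminal in the middle of the command line being completed, whereas the neighbouring `__get_all_stores` only lists /etc/selinux. Use `semodule -l 2>/dev/null` so a failed lookup degrades to an empty completion list.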
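Review bot: in the seobject.py `validate()` hunk for nodes, `ipaddress.ip_network(addr + mask)` is called with the default `strict=True`, so an address with host bits set (such as `10.0.0.1/24`) raises the library's own untranslated `ValueError`; wrap the call in `try/except ValueError` and re-raise with a `_()` message like the ones around it. The two bare `except:` clauses should be narrowed to `except ValueError` (for `self.protocol.index`) and `except OSError` (for `socket.getprotobyname`) so they do not swallow unrelated exceptions. The `socket.IPPROTO_IPIP` fallback is applied only for "ipv4"; an /etc/protocols lacking an "ipv6" entry still raises "Unknown or missing protocol" after the key has already been validated, so the symmetric `socket.IPPROTO_IPV6` fallback belongs in the same branch. Dropping the old `newmask == "0.0.0.0" and i.version() == 6` special case is correct, since `str(i.netmask)` already yields "::" for an IPv6 /0.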
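Review bot: in the seobject.py `__add()` hunk, moving `if rc < 0: raise ValueError(_("Could not check if addr %s is defined") % addr)` to after `semanage_node_exists()` is a real bug fix, not a reshuffle: in 3.0 the check sat before the call and tested the stale `rc` from `semanage_node_key_create`, so a failing existence check was never reported. Call it out as such in the commit message. The `log_change` lines in `__add`, `__modify` and `__delete` now emit the numeric `audit_proto` computed once in `validate()` instead of calling `socket.getprotobyname(self.protocol[proto])` three times, which keeps the audit record consistent with the IPIP fallback.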
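Review bot: in the test-semanage.py hunk, the dispatcher returns `semanage_run_test(...)` only on the `args.all` and `args.test` paths; the listing path (`for i in semanage_test_list: print(i)`) falls off the end and returns None, and the new driver code maps a falsy `args.func(args)` result to `sys.exit(1)`. Listing the available tests therefore now exits non-zero, which breaks any script or Makefile target that checks the status. Either `return True` after printing the list, or exit 1 only on an explicit False and treat None as success.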
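Review bot: in the refparser.py hunk, `p_gen_tunable()` duplicates the body of the `bool` production directly above it (`b = refpolicy.Bool()`, `b.name = p[4]`, the true/false state assignment); since `gen_tunable` is added as a sibling alternative in the same statement list, the two `GEN_TUNABLE ...` alternatives could be appended to the existing `bool` docstring instead of a second function. The grammar also accepts only the quoted spelling `gen_tunable(`name', true)`; add a header to the parser tests that covers the statement so a differently quoted tunable in a vendored interface file shows up as a test failure rather than an entry in `failures` at run time.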
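Review bot: in the interface.py hunk, swapping `m.getiterator(...)` for `m.iter(...)` is a required fix rather than a cleanup: `Element.getiterator()` was deprecated since Python 3.2 and removed in 3.9, so the old code raises AttributeError on a 3.9 interpreter. The following hunk in the same file still builds a shell command with `getstatusoutput("/usr/bin/python3 /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % (basedir + filename))`, interpolating the interface file name into a shell string; passing an argument list to `subprocess.run` (and `sys.executable` instead of the hard-coded interpreter path) would avoid the shell entirely, although that is outside the scope of this change.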