Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2020-10-23 12:20:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new.3463 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "selinux-policy" Fri Oct 23 12:20:12 2020 rev:3 rq:842814 version:20201016 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2020-10-07 14:18:29.829486196 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new.3463/selinux-policy.changes 2020-10-23 12:20:39.572611671 +0200 @@ -1,0 +2,9 @@ +Fri Oct 16 08:50:06 UTC 2020 - Thorsten Kukuk <[email protected]> + +- Update to version 20201016 +- Use python3 to build (fc_sort.c was replaced by fc_sort.py which + uses python3) +- Drop SELINUX=disabled, "selinux=0" kernel commandline option has + to be used instead. New default is "permissive" [bsc#1176923]. + +------------------------------------------------------------------- Old: ---- fedora-policy.20200910.tar.bz2 New: ---- fedora-policy.20201016.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.uMJA1v/_old 2020-10-23 12:20:41.580613087 +0200 +++ /var/tmp/diff_new_pack.uMJA1v/_new 2020-10-23 12:20:41.584613090 +0200 @@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,9 +12,10 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # + # There are almost no SUSE specific modifications available in the policy, so we utilize the # ones used by redhat and include also the SUSE specific ones (see sed statement below) %define distro redhat 
@@ -32,7 +33,7 @@ License: GPL-2.0-or-later Group: System/Management Name: selinux-policy -Version: 20200910 +Version: 20201016 Release: 0 Source: fedora-policy.%{version}.tar.bz2 Source1: selinux-policy-rpmlintrc @@ -131,7 +132,7 @@ Patch100: sedoctool.patch -Url: https://github.com/fedora-selinux/selinux-policy.git +URL: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: checkpolicy @@ -139,8 +140,9 @@ BuildRequires: libxml2-tools BuildRequires: m4 BuildRequires: policycoreutils -BuildRequires: python3-policycoreutils BuildRequires: policycoreutils-devel +BuildRequires: python3 +BuildRequires: python3-policycoreutils # we need selinuxenabled Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): pam-config @@ -355,6 +357,7 @@ %package sandbox Summary: SELinux policy sandbox +Group: System/Management Requires(pre): selinux-policy-targeted = %{version}-%{release} %description sandbox @@ -455,7 +458,6 @@ mkdir -p %{buildroot}%{_datadir}/selinux/packages - mkdir selinux_config for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do cp $i selinux_config @@ -522,11 +524,13 @@ else echo " # This file controls the state of SELinux on the system. +# SELinux can be completly disabled with the \"selinux=0\" kernel +# commandline option. +# # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=disabled +SELINUX=permissive # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. 
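Review bot: The config template emitted in the `@@ -522,11 +524,13 @@` hunk still says `# SELINUX= can take one of these three values:` while the `disabled` line has been removed, so the heading now promises three values and lists two; change it to `# SELINUX= can take one of these two values:`. The new comment line has a typo, `# SELinux can be completly disabled with the \"selinux=0\" kernel` → `completely`. Since the only documented way to disable SELinux is now a kernel parameter, the same comment should say what happens if an administrator still writes `SELINUX=disabled` (whether it is honoured by libselinux/systemd or ignored on this kernel), because that value will exist in many carried-over config files. The shell block that writes this heredoc begins outside the hunk.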
@@ -553,9 +557,7 @@ if [ "$SELINUXTYPE" = "$2" ]; then \ %{_sbindir}/setenforce 0 2> /dev/null \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \ - else \ - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config \ + sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config \ fi \ fi \ pam-config -d --selinux \ @@ -565,15 +567,12 @@ %postun if [ $1 = 0 ]; then %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + if [ -s %{_sysconfdir}/selinux/config ]; then + sed -i 's/^SELINUX=.*/SELINUX=permissive/g' %{_sysconfdir}/selinux/config fi fi exit 0 - %package devel Summary: SELinux policy devel Group: System/Management @@ -651,7 +650,6 @@ Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} - %description minimum SELinux Reference policy minimum base module. ++++++ fedora-policy.20200910.tar.bz2 -> fedora-policy.20201016.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/.travis.yml new/fedora-policy/.travis.yml --- old/fedora-policy/.travis.yml 2020-09-10 09:16:25.451521424 +0200 +++ new/fedora-policy/.travis.yml 2020-10-16 10:49:06.569324706 +0200 
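Review bot: Both the per-type trigger (`if [ "$SELINUXTYPE" = "$2" ]`) and `%postun` now run `setenforce 0` and rewrite the config to `SELINUX=permissive` without telling the administrator, so removing the active policy type silently turns an enforcing machine permissive immediately and across reboots. Print a warning in both places, e.g. `echo "warning: SELinux switched to permissive mode (policy type removed)" >&2`, so the downgrade is visible in the transaction log. Dropping the `else echo "SELINUX=disabled" > ...` branches is consistent with no longer writing `disabled`, but it leaves a system that had no `/etc/selinux/config` without one; that is fine only if the consumer treats a missing file like `permissive`, which is worth a one-line comment next to the `if [ -s ... ]` test. The scriptlet macro containing the first block starts before this hunk.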
@@ -5,16 +5,31 @@ services: - docker +env: + # Expected name of target branch - this branch is fetched also from -contrib + # Remember to update it when creating a new release branch (CI will warn you + # in case you forget :) + # It is necessary so that people running the CI on their forks also get the + # right branch + - TARGET_BRANCH=rawhide + before_install: + - | + if [ "$TRAVIS_REPO_SLUG" = "fedora-selinux/selinux-policy" ] && \ + [ "$TARGET_BRANCH" != "$TRAVIS_BRANCH" ]; then + echo "TARGET_BRANCH in .travis.yml ($TARGET_BRANCH) doesn't match TRAVIS_BRANCH ($TRAVIS_BRANCH)!" + exit 2 + fi - cd ../ - rm -rf selinux-policy/policy/modules/contrib - - git clone https://github.com/fedora-selinux/selinux-policy-contrib.git selinux-policy/policy/modules/contrib; + - git clone https://github.com/fedora-selinux/selinux-policy-contrib.git + -b "$TARGET_BRANCH" selinux-policy/policy/modules/contrib; - git clone https://github.com/containers/container-selinux.git - cp container-selinux/container.* selinux-policy/policy/modules/contrib; - docker pull fedora:rawhide script: - - docker run -v $PWD:/root/build/ fedora:rawhide /bin/sh -c "dnf install --nogpgcheck -y checkpolicy policycoreutils-devel make m4 git findutils gcc ; cd /root/build/selinux-policy; make policy -j \$(nproc)" + - docker run -v $PWD:/root/build/ fedora:rawhide /bin/sh -c "dnf install --nogpgcheck -y checkpolicy policycoreutils-devel make m4 findutils ; cd /root/build/selinux-policy; make policy -j \$(nproc)" notifications: emails: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/INSTALL new/fedora-policy/INSTALL --- old/fedora-policy/INSTALL 2020-09-10 09:16:25.451521424 +0200 +++ new/fedora-policy/INSTALL 2020-10-16 10:49:06.569324706 +0200 
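Review bot: The `script:` line still passes `dnf install --nogpgcheck`, so the CI that validates a security policy installs unverified checkpolicy/policycoreutils into the build container; the `fedora:rawhide` image ships the distribution keys, so the flag should go, or the reason verification must be off should be documented next to it. The new `-b "$TARGET_BRANCH"` pins `selinux-policy-contrib` to a branch, not a revision, and the `container-selinux` clone two lines below is still unpinned, so every run builds whatever is at those repositories' HEAD at run time. Pinning both to a commit, or at least echoing `git rev-parse HEAD` for each clone into the log, would make a broken or tampered upstream checkout visible instead of silently built.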
@@ -4,7 +4,7 @@ * checkpolicy 2.1.8 * policycoreutils 2.1.10 * Python PyXML - * GCC + * Python >= 3.4 To install Reference Policy sources into /etc/selinux/refpolicy/src/policy: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/Makefile new/fedora-policy/Makefile --- old/fedora-policy/Makefile 2020-09-10 09:16:25.451521424 +0200 +++ new/fedora-policy/Makefile 2020-10-16 10:49:06.569324706 +0200 @@ -77,8 +77,6 @@ SORT ?= LC_ALL=C sort UMASK ?= umask -CFLAGS += -Wall - # policy source layout poldir := policy moddir := $(poldir)/modules @@ -99,7 +97,7 @@ gendoc := $(PYTHON) -E $(support)/sedoctool.py genperm := $(PYTHON) -E $(support)/genclassperms.py policyvers := $(PYTHON) -E $(support)/policyvers.py -fcsort := $(tmpdir)/fc_sort +fcsort := $(PYTHON) -E $(support)/fc_sort.py setbools := $(AWK) -f $(support)/set_bools_tuns.awk get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed @@ -398,13 +396,6 @@ ######################################## # -# Generate the fc_sort program -# -$(fcsort) : $(support)/fc_sort.c - $(verbose) $(CC) $(CFLAGS) $^ -o $@ - -######################################## -# # Documentation generation # $(layerxml): %.xml: $(all_metaxml) $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods)) $(subst .te,.if, $(filter $(addprefix $(moddir)/, $(notdir $*))%, $(detected_mods))) @@ -622,7 +613,6 @@ #rm -f $(tags) # don't remove these files if we're given a local root ifndef LOCAL_ROOT - rm -f $(fcsort) rm -f $(support)/*.pyc ifneq ($(generated_te),) rm -f $(generated_te) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/Rules.modular new/fedora-policy/Rules.modular --- old/fedora-policy/Rules.modular 2020-09-10 09:16:25.451521424 +0200 +++ new/fedora-policy/Rules.modular 2020-10-16 10:49:06.573324706 +0200 
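Review bot: The `clean` hunk drops `rm -f $(fcsort)` but keeps `rm -f $(support)/*.pyc`, which under Python 3 (now required per INSTALL) cleans nothing if any support script imports a sibling module, because bytecode goes to `$(support)/__pycache__/`. Change it to `rm -rf $(support)/__pycache__ $(support)/*.pyc`, keeping the old pattern for trees previously built with Python 2. Invoking the tools as `$(PYTHON) -E` is the right choice, since it ignores `PYTHON*` environment variables that could redirect imports during a build. The rest of the `clean` rule lies outside the hunk.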
@@ -179,7 +179,7 @@ # # Construct a base.fc # -$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort) +$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(verbose) $(fcsort) $< $@ $(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/Rules.monolithic new/fedora-policy/Rules.monolithic --- old/fedora-policy/Rules.monolithic 2020-09-10 09:16:25.451521424 +0200 +++ new/fedora-policy/Rules.monolithic 2020-10-16 10:49:06.573324706 +0200 @@ -176,7 +176,7 @@ # # Construct file_contexts # -$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort) +$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(verbose) $(fcsort) $< $@ $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template) $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/chronyd.if new/fedora-policy/policy/modules/contrib/chronyd.if --- old/fedora-policy/policy/modules/contrib/chronyd.if 2020-09-10 09:16:28.143566036 +0200 +++ new/fedora-policy/policy/modules/contrib/chronyd.if 2020-10-16 10:49:08.437324805 +0200 
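Review bot: With the `$(fcsort)` prerequisite removed, `$(base_fc)` (and `$(fc)` in the Rules.monolithic hunk on the same line) no longer depends on the sorter at all, yet the recipe still runs `$(fcsort)`, which now expands to `$(PYTHON) -E $(support)/fc_sort.py`; an edit to fc_sort.py will therefore not regenerate file_contexts. Replace the dropped dependency with the script itself, `$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(support)/fc_sort.py`, and likewise for `$(fc)`. Because the sorter's ordering determines which of several matching specs wins, a stale sorted output is a labeling bug rather than a build nit.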
@@ -236,6 +236,25 @@ manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t) ') +###################################### +## <summary> +## Create objects in /var/run +## with chronyd runtime private file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`chronyd_pid_filetrans',` + gen_require(` + type chronyd_var_run_t; + ') + + files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp") +') + #################################### ## <summary> ## All of the rules required to diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/chronyd.te new/fedora-policy/policy/modules/contrib/chronyd.te --- old/fedora-policy/policy/modules/contrib/chronyd.te 2020-09-10 09:16:28.143566036 +0200 +++ new/fedora-policy/policy/modules/contrib/chronyd.te 2020-10-16 10:49:08.437324805 +0200 @@ -52,6 +52,7 @@ allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal }; allow chronyd_t self:shm create_shm_perms; allow chronyd_t self:udp_socket create_socket_perms; +allow chronyd_t self:tcp_socket { accept listen }; allow chronyd_t self:unix_dgram_socket { create_socket_perms sendto }; allow chronyd_t self:fifo_file rw_fifo_file_perms; @@ -111,6 +112,9 @@ corenet_udp_bind_chronyd_port(chronyd_t) corenet_udp_sendrecv_chronyd_port(chronyd_t) +corenet_tcp_bind_ntske_port(chronyd_t) +corenet_tcp_connect_ntske_port(chronyd_t) + domain_dontaudit_getsession_all_domains(chronyd_t) userdom_dontaudit_list_user_home_dirs(chronyd_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/container.te new/fedora-policy/policy/modules/contrib/container.te --- old/fedora-policy/policy/modules/contrib/container.te 2020-09-10 09:16:29.243584266 +0200 +++ new/fedora-policy/policy/modules/contrib/container.te 2020-10-16 10:49:09.821324878 +0200 
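Review bot: `chronyd_pid_filetrans` is documented as `Create objects in /var/run with chronyd runtime private file type`, but the body only transitions a `dir` named `"chrony-dhcp"`, so a caller expecting a generic chronyd runtime transition would be misled. Either state it in the summary, `Transition the "chrony-dhcp" directory created in /var/run to chronyd_var_run_t`, or name the interface after what it does. The only visible caller is `initrc_t` in init.te, so a sentence on why an init script rather than `chronyd_t` creates that directory would help the next reader.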
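Review bot: `allow chronyd_t self:tcp_socket { accept listen };` is the only tcp_socket rule visible for `chronyd_t`, and the new `corenet_tcp_bind_ntske_port`/`corenet_tcp_connect_ntske_port` calls add bind/connect on 4460 but not `create`, `read`, `write` or `getattr`; unless chronyd.te already grants `create_stream_socket_perms` outside this hunk, the NTS-KE listener fails at socket creation in enforcing mode. The usual form is `allow chronyd_t self:tcp_socket create_stream_socket_perms;`. NTS-KE runs over TLS, so chronyd also has to read its server certificate and private key; nothing here grants that, so it is presumably covered by existing rules or a later change — worth confirming and noting in a comment beside the port rules.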
@@ -1,4 +1,4 @@ -policy_module(container, 2.144.0) +policy_module(container, 2.148.0) gen_require(` class passwd rootok; ') @@ -104,6 +104,7 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(container_runtime_t, container_runtime_exec_t, s0 - mls_systemhigh) ') +mls_trusted_object(container_runtime_t) ######################################## @@ -115,6 +116,7 @@ allow container_runtime_domain self:process ~setcurrent; allow container_runtime_domain self:passwd rootok; allow container_runtime_domain self:fd use; +allow container_runtime_domain self:dir mounton; allow container_runtime_domain self:file mounton; allow container_runtime_domain self:fifo_file rw_fifo_file_perms; @@ -147,13 +149,17 @@ corenet_tcp_connect_all_ports(container_runtime_domain) corenet_sctp_bind_all_ports(container_net_domain) corenet_sctp_connect_all_ports(container_net_domain) +corenet_rw_tun_tap_dev(container_runtime_domain) container_auth_stream_connect(container_runtime_domain) +manage_files_pattern(container_runtime_domain, container_file_t, container_file_t) +manage_lnk_files_pattern(container_runtime_domain, container_file_t, container_file_t) manage_blk_files_pattern(container_runtime_domain, container_file_t, container_file_t) +allow container_runtime_domain container_domain:key manage_key_perms; manage_sock_files_pattern(container_runtime_domain, container_file_t, container_file_t) -allow container_runtime_domain container_file_t:dir {relabelfrom relabelto execmod}; -allow container_runtime_domain container_file_t:chr_file mmap_file_perms; +allow container_runtime_domain container_file_t:dir_file_class_set {relabelfrom relabelto execmod}; +allow container_runtime_domain container_file_t:dir_file_class_set mmap_file_perms; manage_files_pattern(container_runtime_domain, container_home_t, container_home_t) manage_dirs_pattern(container_runtime_domain, container_home_t, container_home_t) 
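Review bot: `allow container_runtime_domain container_file_t:dir_file_class_set {relabelfrom relabelto execmod};` and the `mmap_file_perms` line below it widen what was dir-only relabel and chr_file mmap to every file class, and `execmod` is only ever checked on file mappings; together with the new `manage_files_pattern`/`manage_lnk_files_pattern` on `container_file_t`, the runtime now has complete control over both the labels and the contents of container volumes. That may well be intended, but `allow container_runtime_domain container_domain:key manage_key_perms;` in the same hunk lets the runtime read and rewrite the kernel keyrings of every container domain, which deserves a why-comment (e.g. the keyctl setup that needs it) so the grant is not widened further by copy-paste.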
@@ -181,7 +187,6 @@ manage_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) manage_sock_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) manage_lnk_files_pattern(container_runtime_domain, container_runtime_tmp_t, container_runtime_tmp_t) -files_tmp_filetrans(container_runtime_domain, container_runtime_tmp_t, { dir file lnk_file }) manage_dirs_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) manage_files_pattern(container_runtime_domain, container_runtime_tmpfs_t, container_runtime_tmpfs_t) @@ -225,6 +230,7 @@ manage_sock_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) manage_lnk_files_pattern(container_runtime_domain, container_var_run_t, container_var_run_t) files_pid_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) +files_tmp_filetrans(container_runtime_domain, container_var_run_t, { dir file lnk_file sock_file }) allow container_runtime_domain container_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms }; term_create_pty(container_runtime_domain, container_devpts_t) @@ -237,6 +243,9 @@ kernel_setsched(container_runtime_domain) kernel_rw_all_sysctls(container_runtime_domain) +domain_obj_id_change_exemption(container_runtime_t) +domain_subj_id_change_exemption(container_runtime_t) +domain_role_change_exemption(container_runtime_t) domain_use_interactive_fds(container_runtime_domain) domain_dontaudit_read_all_domains_state(container_runtime_domain) domain_sigchld_all_domains(container_runtime_domain) 
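Review bot: `domain_obj_id_change_exemption`, `domain_subj_id_change_exemption` and `domain_role_change_exemption` on `container_runtime_t` exempt the runtime from the global constraints that stop a process from changing the SELinux user or role of objects and processes it creates; that turns `container_runtime_t` into a trusted label-assigning component, and it is granted without a comment. Add one line per exemption stating what the runtime does that needs it (presumably launching containers under a different seuser/role). In the preceding hunk, `files_tmp_filetrans(container_runtime_domain, container_runtime_tmp_t, ...)` is removed in favour of a transition to `container_var_run_t`, while the `manage_*_pattern` rules for `container_runtime_tmp_t` above it stay; if nothing creates that type any more, the leftover rules should go, or the reason for keeping them should be noted.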
@@ -244,6 +253,13 @@ domain_read_all_domains_state(container_runtime_domain) domain_getattr_all_domains(container_runtime_domain) +userdom_map_tmp_files(container_runtime_domain) + +optional_policy(` + gnome_map_generic_data_home_files(container_runtime_domain) + allow container_runtime_domain data_home_t:dir { relabelfrom relabelto }; +') + gen_require(` attribute domain; ') @@ -382,6 +398,7 @@ kernel_dontaudit_setattr_proc_dirs(container_runtime_domain) kernel_dontaudit_write_usermodehelper_state(container_runtime_domain) +dev_setattr_null_dev(container_runtime_t) dev_getattr_all(container_runtime_domain) dev_getattr_sysfs_fs(container_runtime_domain) dev_read_rand(container_runtime_domain) @@ -413,14 +430,13 @@ fs_relabelfrom_xattr_fs(container_runtime_domain) fs_relabelfrom_tmpfs(container_runtime_domain) fs_read_tmpfs_symlinks(container_runtime_domain) -fs_list_hugetlbfs(container_runtime_domain) fs_getattr_all_fs(container_runtime_domain) fs_list_inotifyfs(container_runtime_domain) fs_rw_inherited_tmpfs_files(container_runtime_domain) -fs_read_hugetlbfs_files(container_runtime_domain) fs_read_tmpfs_symlinks(container_runtime_domain) fs_search_tmpfs(container_runtime_domain) -fs_rw_hugetlbfs_files(container_runtime_domain) +fs_list_hugetlbfs(container_runtime_domain) +fs_manage_hugetlbfs_files(container_runtime_domain) term_use_generic_ptys(container_runtime_domain) @@ -444,6 +460,7 @@ userdom_relabel_user_tmp_dirs(container_runtime_domain) userdom_use_inherited_user_terminals(container_runtime_domain) userdom_use_user_ptys(container_runtime_domain) +userdom_connectto_stream(container_runtime_domain) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(container_runtime_domain) @@ -482,6 +499,8 @@ fs_mount_fusefs(container_runtime_domain) fs_unmount_fusefs(container_runtime_domain) fs_exec_fusefs_files(container_runtime_domain) +storage_rw_fuse(container_runtime_domain) + optional_policy(` files_search_all(container_domain) 
@@ -507,6 +526,7 @@ optional_policy(` dbus_system_bus_client(container_runtime_domain) + dbus_session_bus_client(container_runtime_domain) init_dbus_chat(container_runtime_domain) init_start_transient_unit(container_runtime_domain) @@ -541,6 +561,13 @@ ') optional_policy(` + gen_require(` + role staff_r; + ') + role_transition staff_r container_runtime_exec_t system_r; +') + +optional_policy(` unconfined_stub_role() unconfined_domain(container_runtime_t) unconfined_run_to(container_runtime_t, container_runtime_exec_t) @@ -587,6 +614,8 @@ domtrans_pattern(container_runtime_domain, container_ro_file_t, spc_t) domtrans_pattern(container_runtime_domain, container_var_lib_t, spc_t) +domtrans_pattern(container_runtime_domain, fusefs_t, spc_t) + allow container_runtime_domain spc_t:process2 nnp_transition; admin_pattern(spc_t, kubernetes_file_t) @@ -725,7 +754,7 @@ allow container_domain self:shm create_shm_perms; allow container_domain self:socket create_socket_perms; allow container_domain self:tcp_socket create_socket_perms; -allow container_domain self:tun_socket create_socket_perms; +allow container_domain self:tun_socket { create_socket_perms relabelfrom relabelto }; allow container_domain self:udp_socket create_socket_perms; allow container_domain self:unix_dgram_socket create_socket_perms; allow container_domain self:unix_stream_socket create_stream_socket_perms; @@ -794,10 +823,10 @@ fs_getattr_all_fs(container_domain) fs_list_inotifyfs(container_domain) fs_rw_inherited_tmpfs_files(container_domain) -fs_read_hugetlbfs_files(container_domain) fs_read_tmpfs_symlinks(container_domain) fs_search_tmpfs(container_domain) -fs_rw_hugetlbfs_files(container_domain) +fs_list_hugetlbfs(container_domain) +fs_manage_hugetlbfs_files(container_domain) fs_exec_hugetlbfs_files(container_domain) fs_dontaudit_getattr_all_dirs(container_domain) fs_dontaudit_getattr_all_files(container_domain) 
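Review bot: `domtrans_pattern(container_runtime_domain, fusefs_t, spc_t)` makes every executable on every FUSE mount a transition point into the super-privileged container domain when the runtime executes it; unlike the `container_ro_file_t`/`container_var_lib_t` transitions next to it, `fusefs_t` is the catch-all label for user-mounted filesystems (sshfs, fuse-overlayfs, ...) rather than storage the runtime owns. If the target is fuse-overlayfs-backed storage for rootless podman, say so in a comment and consider gating the rule on a tunable instead of leaving it unconditional. The `role_transition staff_r container_runtime_exec_t system_r` in the earlier hunk on this line likewise lets a `staff_r` user land in `system_r` by running the runtime and is worth a one-line rationale.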
@@ -807,6 +836,7 @@ userdom_use_user_ptys(container_domain) userdom_rw_inherited_user_pipes(container_domain) +domain_user_exemption_target(container_t) domain_dontaudit_link_all_domains_keyrings(container_domain) domain_dontaudit_search_all_domains_keyrings(container_domain) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/openvswitch.te new/fedora-policy/policy/modules/contrib/openvswitch.te --- old/fedora-policy/policy/modules/contrib/openvswitch.te 2020-09-10 09:16:28.175566567 +0200 +++ new/fedora-policy/policy/modules/contrib/openvswitch.te 2020-10-16 10:49:08.489324808 +0200 @@ -32,7 +32,7 @@ # openvswitch local policy # -allow openvswitch_t self:capability { dac_override dac_read_search net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill }; +allow openvswitch_t self:capability { dac_override dac_read_search fowner net_broadcast net_admin ipc_lock sys_module sys_nice sys_rawio sys_resource chown setgid setpcap setuid kill }; allow openvswitch_t self:capability2 block_suspend; allow openvswitch_t self:process { fork setsched setrlimit signal setcap }; allow openvswitch_t self:fifo_file rw_fifo_file_perms; 
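Review bot: The capability set of `openvswitch_t` gains `fowner` beside `dac_override`, `sys_module`, `sys_rawio` and `net_admin` with no comment saying which operation needs it; `fowner` bypasses ownership checks on chmod/chown/setattr/utimes for files the daemon does not own. A `# fowner: <operation>` note (likely a chmod on its control socket or database files — verify against the denial) spares the next reviewer from guessing. The `netlink_netfilter_socket` addition in the following hunk is consistent with conntrack use and needs no change.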
@@ -41,6 +41,7 @@ allow openvswitch_t self:netlink_socket create_socket_perms; allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; allow openvswitch_t self:netlink_generic_socket create_socket_perms; +allow openvswitch_t self:netlink_netfilter_socket create_socket_perms; allow openvswitch_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow openvswitch_t self:system { module_load }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/redis.if new/fedora-policy/policy/modules/contrib/redis.if --- old/fedora-policy/policy/modules/contrib/redis.if 2020-09-10 09:16:28.183566699 +0200 +++ new/fedora-policy/policy/modules/contrib/redis.if 2020-10-16 10:49:08.505324809 +0200 @@ -203,11 +203,11 @@ # interface(`redis_stream_connect',` gen_require(` - type redisd_t, redis_var_run_t; + type redis_t, redis_var_run_t; ') files_search_pids($1) - stream_connect_pattern($1, redis_var_run_t, redis_var_run_t, redisd_t) + stream_connect_pattern($1, redis_var_run_t, redis_var_run_t, redis_t) ') ######################################## diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/contrib/rshd.fc new/fedora-policy/policy/modules/contrib/rshd.fc --- old/fedora-policy/policy/modules/contrib/rshd.fc 2020-09-10 09:16:28.187566766 +0200 +++ new/fedora-policy/policy/modules/contrib/rshd.fc 2020-10-16 10:49:08.509324809 +0200 
@@ -1,4 +1,3 @@ - /usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0) /usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/kernel/corenetwork.te.in new/fedora-policy/policy/modules/kernel/corenetwork.te.in --- old/fedora-policy/policy/modules/kernel/corenetwork.te.in 2020-09-10 09:16:25.459521557 +0200 +++ new/fedora-policy/policy/modules/kernel/corenetwork.te.in 2020-10-16 10:49:06.593324707 +0200 @@ -262,6 +262,7 @@ network_port(nsca, tcp,5667,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) +network_port(ntske, tcp,4460,s0) network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(oa_system, tcp,8022,s0, udp,8022,s0) network_port(ocsp, tcp,9080,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/kernel/devices.fc new/fedora-policy/policy/modules/kernel/devices.fc --- old/fedora-policy/policy/modules/kernel/devices.fc 2020-09-10 09:16:25.459521557 +0200 +++ new/fedora-policy/policy/modules/kernel/devices.fc 2020-10-16 10:49:06.593324707 +0200 
@@ -260,7 +260,6 @@ /var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot_sdb/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) /var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) -/ /var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/kernel/domain.te new/fedora-policy/policy/modules/kernel/domain.te --- old/fedora-policy/policy/modules/kernel/domain.te 2020-09-10 09:16:25.459521557 +0200 +++ new/fedora-policy/policy/modules/kernel/domain.te 2020-10-16 10:49:06.597324707 +0200 @@ -570,6 +570,12 @@ ') optional_policy(` + # A workaround to handle additional permissions check + # introduced as an involuntary result of a kernel change + automount_write_pipes(domain) +') + +optional_policy(` sosreport_append_tmp_files(domain) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/kernel/kernel.te new/fedora-policy/policy/modules/kernel/kernel.te --- old/fedora-policy/policy/modules/kernel/kernel.te 2020-09-10 09:16:25.463521623 +0200 +++ new/fedora-policy/policy/modules/kernel/kernel.te 2020-10-16 10:49:06.597324707 +0200 @@ -392,9 +392,9 @@ ') optional_policy(` + init_dbus_chat(kernel_t) init_sigchld(kernel_t) init_dyntrans(kernel_t) - init_dontaudit_dbus_chat(kernel_t) ') optional_policy(` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/roles/unconfineduser.te new/fedora-policy/policy/modules/roles/unconfineduser.te --- old/fedora-policy/policy/modules/roles/unconfineduser.te 2020-09-10 09:16:25.463521623 +0200 +++ new/fedora-policy/policy/modules/roles/unconfineduser.te 2020-10-16 10:49:06.601324708 +0200 
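Review bot: `automount_write_pipes(domain)` gives every domain on the system write access to automount's pipes, and the comment `A workaround to handle additional permissions check introduced as an involuntary result of a kernel change` names neither the kernel change, nor whether it is being fixed, nor when the rule can go; an all-domains grant justified only as a workaround will outlive the kernel it was written for. Replace it with a comment that cites the kernel commit or bug and carries `# TODO: drop once <ref> is resolved`. If the kernel performs that write in the credentials of the process that triggered the automount, a sentence saying so explains why `domain` rather than a narrower attribute is the subject.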
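Review bot: In kernel.te, `init_dontaudit_dbus_chat(kernel_t)` becomes `init_dbus_chat(kernel_t)`, promoting a silenced denial to a real grant of D-Bus traffic between `kernel_t` and init in both directions; `kernel_t` labels kernel threads and anything that has not yet transitioned out of it, so the rule should name the sender that needs it (presumably an early-userspace process still running as kernel_t). Without a comment it reads as an accidental dontaudit-to-allow promotion.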
@@ -91,6 +91,8 @@ systemd_config_all_services(unconfined_t) +ssh_dyntransition_to(unconfined_t) + unconfined_domain_noaudit(unconfined_t) domain_named_filetrans(unconfined_t) domain_transition_all(unconfined_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/services/xserver.te new/fedora-policy/policy/modules/services/xserver.te --- old/fedora-policy/policy/modules/services/xserver.te 2020-09-10 09:16:25.467521689 +0200 +++ new/fedora-policy/policy/modules/services/xserver.te 2020-10-16 10:49:06.605324708 +0200 @@ -640,7 +640,7 @@ files_read_etc_runtime_files(xdm_t) files_exec_etc_files(xdm_t) files_list_mnt(xdm_t) -files_mounton_all_mountpoints(xdm_t) +files_mounton_non_security(xdm_t) # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme... files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm @@ -667,6 +667,8 @@ fs_dontaudit_read_noxattr_fs_files(xdm_t) fs_manage_cgroup_dirs(xdm_t) fs_manage_cgroup_files(xdm_t) +fs_getattr_nsfs_files(xdm_t) + mount_read_pid_files(xdm_t) mls_socket_write_to_clearance(xdm_t) @@ -681,6 +683,7 @@ storage_dontaudit_rw_scsi_generic(xdm_t) storage_dontaudit_rw_fuse(xdm_t) +term_mount_pty_fs(xdm_t) term_setattr_console(xdm_t) term_setattr_unallocated_ttys(xdm_t) term_use_all_terms(xdm_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/authlogin.fc new/fedora-policy/policy/modules/system/authlogin.fc --- old/fedora-policy/policy/modules/system/authlogin.fc 2020-09-10 09:16:25.467521689 +0200 +++ new/fedora-policy/policy/modules/system/authlogin.fc 2020-10-16 10:49:06.605324708 +0200 
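Review bot: `ssh_dyntransition_to(unconfined_t)`, if it does what its name says (grant `sshd_t` `process:dyntransition` to `unconfined_t`), lets sshd enter the unconfined domain via `setcon` rather than an exec transition, which skips the entrypoint check that an exec-based transition is subject to. A comment naming the sshd code path that requires this would justify the rule and, more importantly, stop it being copied for confined user domains where a dyntransition would be a real privilege bypass. The `files_mounton_non_security(xdm_t)` change in the xserver.te hunk on the same line is a welcome tightening and needs nothing further.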
@@ -76,8 +76,8 @@ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0) /var/run/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0) -/var/run/motd -- gen_context(system_u:object_r:pam_var_run_t,s0) -/var/run/motd\.d(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) +/var/run/motd -- gen_context(system_u:object_r:motd_var_run_t,s0) +/var/run/motd\.d(/.*)? gen_context(system_u:object_r:motd_var_run_t,s0) /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/run/pam_timestamp(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) @@ -85,3 +85,7 @@ /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) + +# Allow services not running as root to write MOTD messages via symlink +# out of /run/motd.d/. https://github.com/coreos/zincati/pull/276 +/var/run/zincati/public/motd\.d(/.*)? gen_context(system_u:object_r:motd_var_run_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/authlogin.te new/fedora-policy/policy/modules/system/authlogin.te --- old/fedora-policy/policy/modules/system/authlogin.te 2020-09-10 09:16:25.467521689 +0200 +++ new/fedora-policy/policy/modules/system/authlogin.te 2020-10-16 10:49:06.605324708 +0200 @@ -77,6 +77,11 @@ type pam_var_run_t; files_pid_file(pam_var_run_t) +# For MOTD files read by login programs, e.g. sshd, located in +# /run/motd.d/, or symlinked out from /run/motd.d/ +type motd_var_run_t; +files_type(motd_var_run_t); + type shadow_t; files_auth_file(shadow_t) neverallow ~can_read_shadow_passwords shadow_t:file read; 
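Review bot: `motd_var_run_t` is declared with `files_type(motd_var_run_t);` only, although every path it labels lives under `/var/run`; the neighbouring runtime types use `files_pid_file(...)`, which as far as I recall also attaches the `pidfile` attribute that the generic `/run` management interfaces select on. Unless leaving it out of `pidfile` is deliberate, which would merit a comment, declare it as `files_pid_file(motd_var_run_t)`. The trailing `;` after the interface call is not refpolicy style and should be dropped. A security note belongs here too: any domain later granted write on `motd_var_run_t` (the zincati path in authlogin.fc is the intended one) can place content in front of every login program's MOTD rendering, so such grants need the same scrutiny as the `/run/motd.d` symlink design itself.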
@@ -641,6 +646,10 @@ auth_manage_faillog(login_pgm) auth_manage_pam_pid(login_pgm) +list_dirs_pattern(login_pgm, motd_var_run_t, motd_var_run_t); +read_files_pattern(login_pgm, motd_var_run_t, motd_var_run_t); +read_lnk_files_pattern(login_pgm, motd_var_run_t, motd_var_run_t); + init_rw_utmp(login_pgm) logging_set_loginuid(login_pgm) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/fstools.if new/fedora-policy/policy/modules/system/fstools.if --- old/fedora-policy/policy/modules/system/fstools.if 2020-09-10 09:16:25.467521689 +0200 +++ new/fedora-policy/policy/modules/system/fstools.if 2020-10-16 10:49:06.605324708 +0200 @@ -157,6 +157,42 @@ ######################################## ## <summary> +## Read swapfile +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_read_swap_files',` + gen_require(` + type swapfile_t; + ') + + allow $1 swapfile_t:file read_file_perms; +') + +######################################## +## <summary> +## Read/Write swapfile +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`fstools_rw_swap_files',` + gen_require(` + type swapfile_t; + ') + + allow $1 swapfile_t:file rw_file_perms; +') + +######################################## +## <summary> ## Create, read, write, and delete the FSADM pid files. ## </summary> ## <param name="domain"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/init.te new/fedora-policy/policy/modules/system/init.te --- old/fedora-policy/policy/modules/system/init.te 2020-09-10 09:16:25.467521689 +0200 +++ new/fedora-policy/policy/modules/system/init.te 2020-10-16 10:49:06.609324708 +0200 
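Review bot: `fstools_read_swap_files` hands out `read_file_perms` on `swapfile_t`, and a swap file holds pages evicted from arbitrary processes, key material included, so the summary `Read swapfile` undersells what a caller receives; say so in the `<summary>`, and likewise for `fstools_rw_swap_files`, where write access can alter the swapped-out memory of unrelated processes. Nothing on this page uses `fstools_rw_swap_files`; an unused interface granting write to swap is easy to reach for later, so a comment on the expected callers is warranted. If the one visible caller (`systemd_logind_t`, in the systemd.te hunk later on this page) only needs size/extent information, check whether `getattr`/`open`/`ioctl` rather than full read suffices and split the interface accordingly.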
@@ -1210,6 +1210,10 @@ ') optional_policy(` + chronyd_pid_filetrans(initrc_t) + ') + + optional_policy(` cyrus_write_data(initrc_t) ') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/ipsec.fc new/fedora-policy/policy/modules/system/ipsec.fc --- old/fedora-policy/policy/modules/system/ipsec.fc 2020-09-10 09:16:25.467521689 +0200 +++ new/fedora-policy/policy/modules/system/ipsec.fc 2020-10-16 10:49:06.609324708 +0200 @@ -50,7 +50,7 @@ /usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) -/usr/sbin/charon-systemd -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) +/usr/sbin/charon-systemd -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/lvm.if new/fedora-policy/policy/modules/system/lvm.if --- old/fedora-policy/policy/modules/system/lvm.if 2020-09-10 09:16:25.467521689 +0200 +++ new/fedora-policy/policy/modules/system/lvm.if 2020-10-16 10:49:06.613324708 +0200 
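Review bot: Relabelling `/usr/sbin/charon-systemd` from `ipsec_mgmt_exec_t` to `ipsec_exec_t` changes the domain the daemon runs in, and an already-installed binary keeps its old label until something relabels it; unless the package scriptlets run `fixfiles`/`restorecon` for changed contexts on upgrade (not visible here), upgraded systems keep transitioning charon-systemd into the management domain. A changelog or comment line noting that `restorecon /usr/sbin/charon-systemd` is required after upgrade would make the behaviour change visible to packagers.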
@@ -452,4 +452,40 @@ ') +######################################## +## <summary> +## Allow dbus send for lvm dbus API (only send needed) +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_dbus_send_msg',` + gen_require(` + type lvm_t; + class dbus send_msg; + ') + allow $1 lvm_t:dbus send_msg; +') + +######################################## +## <summary> +## Allow lvm hints file access +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`lvm_rw_var_run',` + gen_require(` + type lvm_t; + type lvm_var_run_t; + ') + allow $1 lvm_var_run_t:file { rw_file_perms }; + +') diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/systemd.fc new/fedora-policy/policy/modules/system/systemd.fc --- old/fedora-policy/policy/modules/system/systemd.fc 2020-09-10 09:16:25.471521755 +0200 +++ new/fedora-policy/policy/modules/system/systemd.fc 2020-10-16 10:49:06.613324708 +0200 
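Review bot: `lvm_rw_var_run` requires `type lvm_t;` but never uses it, and it grants `rw_file_perms` on `lvm_var_run_t` files without any search permission on the directory holding them, so a caller that does not already have it cannot reach the hints file. The usual refpolicy shape covers both points: keep only `type lvm_var_run_t;` in the `gen_require`, then `files_search_pids($1)` and `rw_files_pattern($1, lvm_var_run_t, lvm_var_run_t)` in place of the bare `allow`. The braces in `{ rw_file_perms }` and the blank line before the closing `')` can go at the same time.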
@@ -68,6 +68,7 @@ /usr/lib/systemd/system-generators/systemd-gpt-auto-generator -- gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0) /usr/lib/systemd/systemd-resolve(d|-host) gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-importd -- gen_context(system_u:object_r:systemd_importd_exec_t,s0) +/usr/lib/systemd/systemd-sleep -- gen_context(system_u:object_r:systemd_sleep_exec_t,s0) /var/lib/machines(/.*)? gen_context(system_u:object_r:systemd_machined_var_lib_t,s0) /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/systemd.te new/fedora-policy/policy/modules/system/systemd.te --- old/fedora-policy/policy/modules/system/systemd.te 2020-09-10 09:16:25.471521755 +0200 +++ new/fedora-policy/policy/modules/system/systemd.te 2020-10-16 10:49:06.617324708 +0200 @@ -189,6 +189,8 @@ type systemd_userdbd_runtime_t; files_pid_file(systemd_userdbd_runtime_t) +systemd_domain_template(systemd_sleep) + ####################################### # # Systemd_logind local policy @@ -353,6 +355,10 @@ ') optional_policy(` + fstools_read_swap_files(systemd_logind_t) +') + +optional_policy(` fwupd_dbus_chat(systemd_logind_t) ') 
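Review bot: `fstools_read_swap_files(systemd_logind_t)` in the second systemd.te hunk gives logind `read_file_perms` on swap files, i.e. open and read of their contents, although deciding whether hibernation is possible typically needs only `getattr` and `ioctl` on the swap file. If that is all logind does here, a narrower rule limited to those permissions would avoid handing the login-session broker read access to paged-out memory of other processes; if it genuinely reads the file, a comment above the new `optional_policy` block stating why (`# logind must read the swap file to ...`) would help the next reviewer. The enclosing `optional_policy` sequence begins before the hunk.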
@@ -1266,3 +1272,17 @@ logging_send_syslog_msg(systemd_userdbd_t) systemd_read_efivarfs(systemd_userdbd_t) + +######################################## +# +# systemd_sleep local policy +# + +allow systemd_sleep_t self:capability sys_resource; + +kernel_dgram_send(systemd_sleep_t) + +dev_rw_sysfs(systemd_sleep_t) +dev_write_kmsg(systemd_sleep_t) + +fstools_rw_swap_files(systemd_sleep_t) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/policy/modules/system/userdomain.if new/fedora-policy/policy/modules/system/userdomain.if --- old/fedora-policy/policy/modules/system/userdomain.if 2020-09-10 09:16:25.471521755 +0200 +++ new/fedora-policy/policy/modules/system/userdomain.if 2020-10-16 10:49:06.617324708 +0200 @@ -1685,10 +1685,12 @@ # Manage almost all files files_manage_non_security_dirs($1_t) files_manage_non_security_files($1_t) + # Map almost all files + files_map_non_security_files($1_t) # Relabel almost all files files_relabel_non_security_files($1_t) - files_mounton_rootfs($1_t) + files_mounton_rootfs($1_t) init_telinit($1_t) @@ -4825,7 +4827,6 @@ gen_require(` attribute unpriv_userdomain, userdomain; ') - typeattribute $1 unpriv_userdomain; typeattribute $1 userdomain; auth_use_nsswitch($1) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/support/fc_sort.c new/fedora-policy/support/fc_sort.c --- old/fedora-policy/support/fc_sort.c 2020-09-10 09:16:25.471521755 +0200 +++ new/fedora-policy/support/fc_sort.c 1970-01-01 01:00:00.000000000 +0100 
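Review bot: `dev_rw_sysfs(systemd_sleep_t)` grants read/write on every `sysfs_t` file, while systemd-sleep only needs to write a handful of entries under /sys/power; if the policy has no dedicated type for those, a comment naming what is written (`# writes /sys/power/state, disk, resume and resume_offset`) would at least record why the broad grant was chosen. Likewise `fstools_rw_swap_files(systemd_sleep_t)` allows writing swap contents, whereas locating the resume device and offset for hibernation is normally a read/ioctl operation; unless the tool is known to write the swap file, `fstools_read_swap_files(systemd_sleep_t)` is the tighter choice. The new local policy section is complete within the hunk.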
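Review bot: In the second userdomain.if hunk, after dropping `typeattribute $1 unpriv_userdomain;` the `gen_require` block still lists `attribute unpriv_userdomain`, which is now unused; shrink it to `attribute userdomain;`. Removing the attribute also changes what domains built from this template may do, since every rule written against `unpriv_userdomain` elsewhere no longer applies to them, so if that is deliberate a one-line comment stating the intent would stop a later reader from restoring it as an omission. The enclosing interface starts before the hunk.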
@@ -1,558 +0,0 @@ -/* Copyright 2005,2013 Tresys Technology - * - * Some parts of this came from matchpathcon.c in libselinux - */ - -/* PURPOSE OF THIS PROGRAM - * The original setfiles sorting algorithm did not take into - * account regular expression specificity. With the current - * strict and targeted policies this is not an issue because - * the file contexts are partially hand sorted and concatenated - * in the right order so that the matches are generally correct. - * The way reference policy and loadable policy modules handle - * file contexts makes them come out in an unpredictable order - * and therefore setfiles (or this standalone tool) need to sort - * the regular expressions in a deterministic and stable way. - */ - -#define BUF_SIZE 4096; -#define _GNU_SOURCE - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> - -typedef unsigned char bool_t; - -/* file_context_node - * A node used in a linked list of file contexts.c - * Each node contains the regular expression, the type and - * the context, as well as information about the regular - * expression. The regular expression data (meta, stem_len - * and str_len) can be filled in by using the fc_fill_data - * function after the regular expression has been loaded. - * next points to the next node in the linked list. - */ -typedef struct file_context_node { - char *path; - char *file_type; - char *context; - bool_t meta; - int stem_len; - int str_len; - struct file_context_node *next; -} file_context_node_t; - -void file_context_node_destroy(file_context_node_t *x) -{ - free(x->path); - free(x->file_type); - free(x->context); -} - - - -/* file_context_bucket - * A node used in a linked list of buckets that contain - * file_context_node's. - * Each node contains a pointer to a file_context_node which - * is the header of its linked list. This linked list is the - * content of this bucket. - * next points to the next bucket in the linked list. 
- */ -typedef struct file_context_bucket { - file_context_node_t *data; - struct file_context_bucket *next; -} file_context_bucket_t; - - - -/* fc_compare - * Compares two file contexts' regular expressions and returns: - * -1 if a is less specific than b - * 0 if a and be are equally specific - * 1 if a is more specific than b - * The comparison is based on the following statements, - * in order from most important to least important, given a and b: - * If a is a regular expression and b is not, - * -> a is less specific than b. - * If a's stem length is shorter than b's stem length, - * -> a is less specific than b. - * If a's string length is shorter than b's string length, - * -> a is less specific than b. - * If a does not have a specified type and b does not, - * -> a is less specific than b. - */ -int fc_compare(file_context_node_t *a, file_context_node_t *b) -{ - /* Check to see if either a or b have meta characters - * and the other doesn't. */ - if (a->meta && !b->meta) - return -1; - if (b->meta && !a->meta) - return 1; - - /* Check to see if either a or b have a shorter stem - * length than the other. */ - if (a->stem_len < b->stem_len) - return -1; - if (b->stem_len < a->stem_len) - return 1; - - /* Check to see if either a or b have a shorter string - * length than the other. */ - if (a->str_len < b->str_len) - return -1; - if (b->str_len < a->str_len) - return 1; - - /* Check to see if either a or b has a specified type - * and the other doesn't. */ - if (!a->file_type && b->file_type) - return -1; - if (!b->file_type && a->file_type) - return 1; - - /* If none of the above conditions were satisfied, - * then a and b are equally specific. */ - return 0; -} - - - -/* fc_merge - * Merges two sorted file context linked lists into one - * sorted one. - * Pass two lists a and b, and after the completion of fc_merge, - * the final list is contained in a, and b is empty. 
- */ -file_context_node_t *fc_merge(file_context_node_t *a, - file_context_node_t *b) -{ - file_context_node_t *a_current; - file_context_node_t *b_current; - file_context_node_t *temp; - file_context_node_t *jumpto; - - - - /* If a is a empty list, and b is not, - * set a as b and proceed to the end. */ - if (!a && b) - a = b; - /* If b is an empty list, leave a as it is. */ - else if (!b) { - } else { - /* Make it so the list a has the lesser - * first element always. */ - if (fc_compare(a, b) == 1) { - temp = a; - a = b; - b = temp; - } - a_current = a; - b_current = b; - - /* Merge by inserting b's nodes in between a's nodes. */ - while (a_current->next && b_current) { - jumpto = a_current->next; - - /* Insert b's nodes in between the current a node - * and the next a node.*/ - while (b_current && a_current->next && - fc_compare(a_current->next, - b_current) != -1) { - - - temp = a_current->next; - a_current->next = b_current; - b_current = b_current->next; - a_current->next->next = temp; - a_current = a_current->next; - } - - /* Skip all the inserted node from b to the - * next node in the original a. */ - a_current = jumpto; - } - - - /* if there is anything left in b to be inserted, - put it on the end */ - if (b_current) { - a_current->next = b_current; - } - } - - return a; -} - - - -/* fc_merge_sort - * Sorts file contexts from least specific to more specific. - * The bucket linked list is passed and after the completion - * of the fc_merge_sort function, there is only one bucket - * (pointed to by master) that contains a linked list - * of all the file contexts, in sorted order. - * Explanation of the algorithm: - * The algorithm implemented in fc_merge_sort is an iterative - * implementation of merge sort. - * At first, each bucket has a linked list of file contexts - * that are 1 element each. - * Each pass, each odd numbered bucket is merged into the bucket - * before it. This halves the number of buckets each pass. 
- * It will continue passing over the buckets (as described above) - * until there is only one bucket left, containing the list of - * file contexts, sorted. - */ -void fc_merge_sort(file_context_bucket_t *master) -{ - - - file_context_bucket_t *current; - file_context_bucket_t *temp; - - /* Loop until master is the only bucket left - * so that this will stop when master contains - * the sorted list. */ - while (master->next) { - current = master; - - /* This loop merges buckets two-by-two. */ - while (current) { - - if (current->next) { - - current->data = - fc_merge(current->data, - current->next->data); - - - - temp = current->next; - current->next = current->next->next; - - free(temp); - - } - - - current = current->next; - } - } - - -} - - - -/* fc_fill_data - * This processes a regular expression in a file context - * and sets the data held in file_context_node, namely - * meta, str_len and stem_len. - * The following changes are made to fc_node after the - * the completion of the function: - * fc_node->meta = 1 if path has a meta character, 0 if not. - * fc_node->str_len = The string length of the entire path - * fc_node->stem_len = The number of characters up until - * the first meta character. - */ -void fc_fill_data(file_context_node_t *fc_node) -{ - int c = 0; - - fc_node->meta = 0; - fc_node->stem_len = 0; - fc_node->str_len = 0; - - /* Process until the string termination character - * has been reached. - * Note: this while loop has been adapted from - * spec_hasMetaChars in matchpathcon.c from - * libselinux-1.22. */ - while (fc_node->path[c] != '\0') { - switch (fc_node->path[c]) { - case '.': - case '^': - case '$': - case '?': - case '*': - case '+': - case '|': - case '[': - case '(': - case '{': - /* If a meta character is found, - * set meta to one */ - fc_node->meta = 1; - break; - case '\\': - /* If a escape character is found, - * skip the next character. 
*/ - c++; - default: - /* If no meta character has been found yet, - * add one to the stem length. */ - if (!fc_node->meta) - fc_node->stem_len++; - break; - } - - fc_node->str_len++; - c++; - } -} - -/* main - * This program takes in two arguments, the input filename and the - * output filename. The input file should be syntactically correct. - * Overall what is done in the main is read in the file and store each - * line of code, sort it, then output it to the output file. - */ -int main(int argc, char *argv[]) -{ - int lines; - size_t start, finish, regex_len, context_len; - size_t line_len, buf_len, i; - char *input_name, *output_name, *line_buf; - - file_context_node_t *temp; - file_context_node_t *head; - file_context_node_t *current; - file_context_bucket_t *master; - file_context_bucket_t *bcurrent; - - FILE *in_file, *out_file; - - - /* Check for the correct number of command line arguments. */ - if (argc != 3) { - fprintf(stderr, "Usage: %s <infile> <outfile>\n",argv[0]); - return 1; - } - - input_name = argv[1]; - output_name = argv[2]; - - i = lines = 0; - - /* Open the input file. */ - if (!(in_file = fopen(input_name, "r"))) { - fprintf(stderr, "Error: failure opening input file for read.\n"); - return 1; - } - - /* Initialize the head of the linked list. */ - head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t)); - - /* Parse the file into a file_context linked list. */ - line_buf = NULL; - - while ( getline(&line_buf, &buf_len, in_file) != -1 ){ - line_len = strlen(line_buf); - if( line_len == 0 || line_len == 1) - continue; - /* Get rid of whitespace from the front of the line. */ - for (i = 0; i < line_len; i++) { - if (!isspace(line_buf[i])) - break; - } - - - if (i >= line_len) - continue; - /* Check if the line isn't empty and isn't a comment */ - if (line_buf[i] == '#') - continue; - - /* We have a valid line - allocate a new node. 
*/ - temp = (file_context_node_t *)malloc(sizeof(file_context_node_t)); - if (!temp) { - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - temp->next = NULL; - memset(temp, 0, sizeof(file_context_node_t)); - - /* Parse out the regular expression from the line. */ - start = i; - - - while (i < line_len && (!isspace(line_buf[i]))) - i++; - finish = i; - - - regex_len = finish - start; - - if (regex_len == 0) { - file_context_node_destroy(temp); - free(temp); - - - continue; - } - - temp->path = (char*)strndup(&line_buf[start], regex_len); - if (!temp->path) { - file_context_node_destroy(temp); - free(temp); - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - - /* Get rid of whitespace after the regular expression. */ - for (; i < line_len; i++) { - - if (!isspace(line_buf[i])) - break; - } - - if (i == line_len) { - file_context_node_destroy(temp); - free(temp); - continue; - } - - /* Parse out the type from the line (if it - * is there). */ - if (line_buf[i] == '-') { - temp->file_type = (char *)malloc(sizeof(char) * 3); - if (!(temp->file_type)) { - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - - if( i + 2 >= line_len ) { - file_context_node_destroy(temp); - free(temp); - - continue; - } - - /* Fill the type into the array. */ - temp->file_type[0] = line_buf[i]; - temp->file_type[1] = line_buf[i + 1]; - i += 2; - temp->file_type[2] = 0; - - /* Get rid of whitespace after the type. */ - for (; i < line_len; i++) { - if (!isspace(line_buf[i])) - break; - } - - if (i == line_len) { - - file_context_node_destroy(temp); - free(temp); - continue; - } - } - - /* Parse out the context from the line. 
*/ - start = i; - while (i < line_len && (!isspace(line_buf[i]))) - i++; - finish = i; - - context_len = finish - start; - - temp->context = (char*)strndup(&line_buf[start], context_len); - if (!temp->context) { - file_context_node_destroy(temp); - free(temp); - fprintf(stderr, "Error: failure allocating memory.\n"); - return 1; - } - - /* Set all the data about the regular - * expression. */ - fc_fill_data(temp); - - /* Link this line of code at the end of - * the linked list. */ - current->next = temp; - current = current->next; - lines++; - - - free(line_buf); - line_buf = NULL; - } - fclose(in_file); - - /* Create the bucket linked list from the earlier linked list. */ - current = head->next; - bcurrent = master = - (file_context_bucket_t *) - malloc(sizeof(file_context_bucket_t)); - - /* Go until all the nodes have been put in individual buckets. */ - while (current) { - /* Copy over the file context line into the bucket. */ - bcurrent->data = current; - current = current->next; - - /* Detatch the node in the bucket from the old list. */ - bcurrent->data->next = NULL; - - /* If there should be another bucket, put one at the end. */ - if (current) { - bcurrent->next = - (file_context_bucket_t *) - malloc(sizeof(file_context_bucket_t)); - if (!(bcurrent->next)) { - printf - ("Error: failure allocating memory.\n"); - return -1; - } - - /* Make sure the new bucket thinks it's the end of the - * list. */ - bcurrent->next->next = NULL; - - bcurrent = bcurrent->next; - } - - } - - /* Sort the bucket list. */ - fc_merge_sort(master); - - /* Open the output file. */ - if (!(out_file = fopen(output_name, "w"))) { - printf("Error: failure opening output file for write.\n"); - return -1; - } - - /* Output the sorted file_context linked list to the output file. */ - current = master->data; - while (current) { - /* Output the path. */ - fprintf(out_file, "%s\t\t", current->path); - - /* Output the type, if there is one. 
*/ - if (current->file_type) { - fprintf(out_file, "%s\t", current->file_type); - } - - /* Output the context. */ - fprintf(out_file, "%s\n", current->context); - - /* Remove the node. */ - temp = current; - current = current->next; - - file_context_node_destroy(temp); - free(temp); - - } - free(master); - - fclose(out_file); - - return 0; -} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/fedora-policy/support/fc_sort.py new/fedora-policy/support/fc_sort.py --- old/fedora-policy/support/fc_sort.py 1970-01-01 01:00:00.000000000 +0100 +++ new/fedora-policy/support/fc_sort.py 2020-10-16 10:49:06.617324708 +0200 
@@ -0,0 +1,153 @@ +#!/usr/bin/env python3 + +"""Sort file context definitions + +The original setfiles sorting algorithm did not take into +account regular expression specificity. With the current +strict and targeted policies this is not an issue because +the file contexts are partially hand sorted and concatenated +in the right order so that the matches are generally correct. +The way reference policy and loadable policy modules handle +file contexts makes them come out in an unpredictable order +and therefore setfiles (or this standalone tool) need to sort +the regular expressions in a deterministic and stable way. +""" + +import sys +import argparse +from pathlib import Path +import re + + +class FileContext(): + """ Container class for file context defintions + """ + + def __init__(self, context_line): + """ Constructor + """ + + matches = re.match(r'^(?P<path>\S+)\s+(?P<type>-.)?\s*(?P<context>.+)$', context_line) + if matches is None: + raise ValueError + + self.path, self.file_type, self.context = matches.group('path', 'type', 'context') + + self.compute_diffdata() + + def compute_diffdata(self): + """ Compute the interal values needed for comparing two file context definitions + """ + + self.meta = False + self.stem_len = 0 + self.str_len = 0 + + skip_escaped = False + + for char in self.path: + if skip_escaped: + skip_escaped = False + continue + + if char in ('.', '^', '$', '?', '*', '+', '|', '[', '(', '{',): + self.meta = True + if char == '\\': + skip_escaped = True + + if not self.meta: + self.stem_len += 1 + + self.str_len += 1 + + @staticmethod + def _compare(a, b): + """ Compare two file context definitions + + Returns: + -1 if a is less specific than b + 0 if a and be are equally specific + 1 if a is more specific than b + The comparison is based on the following statements, + in order from most important to least important, given a and b: + If a is a regular expression and b is not, + -> a is less specific than b. 
+ If a's stem length is shorter than b's stem length, + -> a is less specific than b. + If a's string length is shorter than b's string length, + -> a is less specific than b. + If a does not have a specified type and b does, + -> a is less specific than b. + """ + + # Check to see if either a or b have meta characters and the other doesn't + if a.meta and not b.meta: + return -1 + if b.meta and not a.meta: + return 1 + + # Check to see if either a or b have a shorter stem length than the other + if a.stem_len < b.stem_len: + return -1 + if b.stem_len < a.stem_len: + return 1 + + # Check to see if either a or b have a shorter string length than the other + if a.str_len < b.str_len: + return -1 + if b.str_len < a.str_len: + return 1 + + # Check to see if either a or b has a specified type and the other doesn't + if not a.file_type and b.file_type: + return -1 + if not b.file_type and a.file_type: + return 1 + + # If none of the above conditions were satisfied, then a and b are equally specific + return 0 + + def __lt__(self, other): + return self._compare(self, other) == -1 + + def __str__(self): + if self.file_type: + return '{}\t\t{}\t{}'.format(self.path, self.file_type, self.context) + else: + return '{}\t\t{}'.format(self.path, self.context) + + +if __name__ == '__main__': + + parser = argparse.ArgumentParser(description='Sort file context definitions') + parser.add_argument('infile', metavar='INFILE', type=Path, + help='input file of the original file context definitions') + parser.add_argument('outfile', metavar='OUTFILE', nargs='?', type=Path, default=None, + help='output file for the sorted file context definitions') + args = parser.parse_args() + + file_context_definitions = [] + + # Parse the input file + with args.infile.open('r') as fd: + for lineno, line in enumerate(fd, start=1): + line = line.strip() + + # Ignore comments and empty lines + if not line or line.startswith('#'): + continue + + try: + file_context_definitions.append(FileContext(line)) + 
except ValueError: + print('{}:{}: unable to parse a file context line: {}'.format(args.infile, lineno, line)) + exit(1) + + # Sort + file_context_definitions.sort() + + # Print output, either to file or if no output file given to stdout + + with args.outfile.open('w') if args.outfile else sys.stdout as fd: + for fcd in file_context_definitions: + print(fcd, file=fd)
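Review bot: In the final `with` statement, when no OUTFILE is given the context manager is `sys.stdout` itself, so leaving the block closes the interpreter's stdout; wrap it instead, `from contextlib import nullcontext` and `with (args.outfile.open('w') if args.outfile else nullcontext(sys.stdout)) as fd:`. The parse-error path uses the `site`-provided `exit(1)` and prints the diagnostic to stdout; `print(..., file=sys.stderr)` followed by `sys.exit(1)` keeps the message out of the sorted output and works under `python -S`. `FileContext.__lt__` is defined without `__eq__`, which `sort()` tolerates, but `functools.total_ordering` or an explicit `__eq__` would make the comparison contract complete.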
