rpms/policycoreutils/devel .cvsignore, 1.194, 1.195 policycoreutils-rhat.patch, 1.419, 1.420 policycoreutils.spec, 1.606, 1.607 sources, 1.200, 1.201
Daniel J Walsh
dwalsh at fedoraproject.org
Fri May 22 18:00:32 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5057
Modified Files:
.cvsignore policycoreutils-rhat.patch policycoreutils.spec
sources
Log Message:
* Wed May 20 2009 Dan Walsh <dwalsh at redhat.com> 2.0.63-1
- Update to upstream
* Fix transaction checking from Dan Walsh.
* Make fixfiles -R (for rpm) recursive.
* Make semanage permissive clean up after itself from Dan Walsh.
* add /root/.ssh/* to restorecond.conf
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/.cvsignore,v
retrieving revision 1.194
retrieving revision 1.195
diff -u -p -r1.194 -r1.195
--- .cvsignore 18 Feb 2009 21:54:32 -0000 1.194
+++ .cvsignore 22 May 2009 18:00:00 -0000 1.195
@@ -197,3 +197,4 @@ policycoreutils-2.0.61.tgz
sepolgen-1.0.15.tgz
policycoreutils-2.0.62.tgz
sepolgen-1.0.16.tgz
+policycoreutils-2.0.63.tgz
policycoreutils-rhat.patch:
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.419
retrieving revision 1.420
diff -u -p -r1.419 -r1.420
--- policycoreutils-rhat.patch 12 May 2009 19:32:50 -0000 1.419
+++ policycoreutils-rhat.patch 22 May 2009 18:00:00 -0000 1.420
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.62/audit2allow/audit2allow
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.63/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.62/audit2allow/audit2allow 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/audit2allow/audit2allow 2009-05-22 13:40:04.000000000 -0400
@@ -126,6 +126,7 @@
elif self.__options.audit:
try:
@@ -9,18 +9,18 @@ diff --exclude-from=exclude --exclude=se
except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.62/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.63/Makefile
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.62/Makefile 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/Makefile 2009-05-22 13:40:04.000000000 -0400
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.62/restorecond/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.63/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2009-02-18 16:44:47.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/Makefile 2009-05-12 15:17:52.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/Makefile 2009-05-22 13:40:04.000000000 -0400
@@ -2,16 +2,23 @@
PREFIX ?= ${DESTDIR}/usr
SBINDIR ?= $(PREFIX)/sbin
@@ -62,16 +62,16 @@ diff --exclude-from=exclude --exclude=se
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.63/restorecond/org.selinux.Restorecond.service
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/org.selinux.Restorecond.service 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.62/restorecond/restorecond.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.63/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2009-02-18 16:44:47.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/restorecond.c 2009-05-12 15:18:05.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/restorecond.c 2009-05-22 13:40:04.000000000 -0400
@@ -48,294 +48,37 @@
#include <signal.h>
#include <string.h>
@@ -540,19 +540,22 @@ diff --exclude-from=exclude --exclude=se
}
+
+
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.62/restorecond/restorecond.conf
---- nsapolicycoreutils/restorecond/restorecond.conf 2009-02-18 16:44:47.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/restorecond.conf 2009-05-04 13:40:26.000000000 -0400
-@@ -4,4 +4,5 @@
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.63/restorecond/restorecond.conf
+--- nsapolicycoreutils/restorecond/restorecond.conf 2009-05-18 13:53:14.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/restorecond.conf 2009-05-22 13:40:04.000000000 -0400
+@@ -4,8 +4,5 @@
/etc/mtab
/var/run/utmp
/var/log/wtmp
-~/*
+-/root/.ssh
+/root/*
-+/root/.ssh/*
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.62/restorecond/restorecond.desktop
+ /root/.ssh/*
+-
+-
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.63/restorecond/restorecond.desktop
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/restorecond.desktop 2009-05-06 14:10:09.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/restorecond.desktop 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,7 @@
+[Desktop Entry]
+Name=File Context maintainer
@@ -561,9 +564,9 @@ diff --exclude-from=exclude --exclude=se
+Encoding=UTF-8
+Type=Application
+StartupNotify=false
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.62/restorecond/restorecond.h
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.63/restorecond/restorecond.h
--- nsapolicycoreutils/restorecond/restorecond.h 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.62/restorecond/restorecond.h 2009-05-12 15:13:35.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/restorecond.h 2009-05-22 13:40:04.000000000 -0400
@@ -24,7 +24,22 @@
#ifndef RESTORED_CONFIG_H
#define RESTORED_CONFIG_H
@@ -589,15 +592,15 @@ diff --exclude-from=exclude --exclude=se
+extern void watch_list_free(int fd);
#endif
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.62/restorecond/restorecond_user.conf
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.63/restorecond/restorecond_user.conf
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/restorecond_user.conf 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/restorecond_user.conf 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,2 @@
+~/*
+~/public_html/*
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.62/restorecond/user.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.63/restorecond/user.c
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/user.c 2009-05-12 15:15:38.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/user.c 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,220 @@
+/*
+ * restorecond
@@ -819,9 +822,43 @@ diff --exclude-from=exclude --exclude=se
+ return 0;
+}
+
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.62/restorecond/watch.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/walk.c policycoreutils-2.0.63/restorecond/walk.c
+--- nsapolicycoreutils/restorecond/walk.c 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.63/restorecond/walk.c 2009-05-22 13:40:04.000000000 -0400
+@@ -0,0 +1,30 @@
++#define _XOPEN_SOURCE 500
++#include <ftw.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++int ctr=0;
++static int
++display_info(const char *fpath, const struct stat *sb,
++ int tflag, struct FTW *ftwbuf)
++{
++ if (tflag == FTW_D) {
++ printf(" %-40s %d %s\n",
++ fpath, ftwbuf->base, fpath + ftwbuf->base);
++ ctr++;
++ }
++ return 0; /* To tell nftw() to continue */
++}
++
++int
++main(int argc, char *argv[])
++{
++ int flags = 0;
++
++ flags = FTW_PHYS | FTW_MOUNT;
++
++ nftw((argc < 2) ? "." : argv[1], display_info, 20, flags);
++ printf("Total Dirs %d\n",ctr);
++ exit(EXIT_SUCCESS);
++}
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.63/restorecond/watch.c
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/restorecond/watch.c 2009-05-12 15:12:28.000000000 -0400
++++ policycoreutils-2.0.63/restorecond/watch.c 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,346 @@
+#define _GNU_SOURCE
+#include <sys/inotify.h>
@@ -1169,9 +1206,9 @@ diff --exclude-from=exclude --exclude=se
+ exitApp("Error watching config file.");
+}
+
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.62/scripts/chcat
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.63/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.62/scripts/chcat 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/scripts/chcat 2009-05-22 13:46:01.000000000 -0400
@@ -281,14 +281,14 @@
def expandCats(cats):
newcats = []
@@ -1195,9 +1232,9 @@ diff --exclude-from=exclude --exclude=se
if i not in newcats:
newcats.append(i)
if len(newcats) > 25:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles
---- nsapolicycoreutils/scripts/fixfiles 2009-02-18 16:44:47.000000000 -0500
-+++ policycoreutils-2.0.62/scripts/fixfiles 2009-05-05 10:47:08.000000000 -0400
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.63/scripts/fixfiles
+--- nsapolicycoreutils/scripts/fixfiles 2009-05-18 13:53:14.000000000 -0400
++++ policycoreutils-2.0.63/scripts/fixfiles 2009-05-22 13:40:04.000000000 -0400
@@ -89,7 +89,7 @@
fi; \
done | \
@@ -1207,15 +1244,7 @@ diff --exclude-from=exclude --exclude=se
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
done 2> /dev/null | \
${RESTORECON} $* -0 -f -
-@@ -122,14 +122,14 @@
- fi
- if [ ! -z "$RPMFILES" ]; then
- for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
-- rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> $LOGFILE
-+ rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE
- done
- exit $?
- fi
+@@ -129,7 +129,7 @@
if [ ! -z "$FILEPATH" ]; then
if [ -x /usr/bin/find ]; then
/usr/bin/find "$FILEPATH" \
@@ -1224,9 +1253,276 @@ diff --exclude-from=exclude --exclude=se
${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
else
${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage
---- nsapolicycoreutils/semanage/semanage 2009-02-18 16:44:47.000000000 -0500
-+++ policycoreutils-2.0.62/semanage/semanage 2009-05-04 13:40:26.000000000 -0400
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.63/scripts/Makefile
+--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
++++ policycoreutils-2.0.63/scripts/Makefile 2009-05-22 13:43:33.000000000 -0400
+@@ -5,11 +5,12 @@
+ MANDIR ?= $(PREFIX)/share/man
+ LOCALEDIR ?= /usr/share/locale
+
+-all: fixfiles genhomedircon
++all: fixfiles genhomedircon sandbox chcat
+
+ install: all
+ -mkdir -p $(BINDIR)
+ install -m 755 chcat $(BINDIR)
++ install -m 755 sandbox $(BINDIR)
+ install -m 755 fixfiles $(DESTDIR)/sbin
+ install -m 755 genhomedircon $(SBINDIR)
+ -mkdir -p $(MANDIR)/man8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox
+--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.63/scripts/sandbox 2009-05-22 13:59:22.000000000 -0400
+@@ -0,0 +1,149 @@
++#!/usr/bin/python -E
++import os, sys, getopt, socket, random, fcntl
++import selinux
++
++PROGNAME = "policycoreutils"
++
++import gettext
++gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
++gettext.textdomain(PROGNAME)
++
++try:
++ gettext.install(PROGNAME,
++ localedir = "/usr/share/locale",
++ unicode=False,
++ codeset = 'utf-8')
++except IOError:
++ import __builtin__
++ __builtin__.__dict__['_'] = unicode
++
++
++random.seed(None)
++
++def error_exit(msg):
++ sys.stderr.write("%s: " % sys.argv[0])
++ sys.stderr.write("%s\n" % msg)
++ sys.stderr.flush()
++ sys.exit(1)
++
++def mount(context):
++ if os.getuid() != 0:
++ usage(_("Mount options require root privileges"))
++ destdir = "/mnt/%s" % context
++ os.mkdir(destdir)
++ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
++ selinux.setfilecon(destdir, context)
++ if rc != 0:
++ sys.exit(rc)
++ os.chdir(destdir)
++
++def umount(dest):
++ os.chdir("/")
++ destdir = "/mnt/%s" % dest
++ os.system('/bin/umount %s' % (destdir))
++ os.rmdir(destdir)
++
++
++def reserve(mcs):
++ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
++ sock.bind("\0%s" % mcs)
++ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
++
++def gen_context(setype):
++ while True:
++ i1 = random.randrange(0, 1024)
++ i2 = random.randrange(0, 1024)
++ if i1 == i2:
++ continue
++ if i1 > i2:
++ tmp = i1
++ i1 = i2
++ i2 = tmp
++ mcs = "s0:c%d,c%d" % (i1, i2)
++ reserve(mcs)
++ try:
++ reserve(mcs)
++ except:
++ continue
++ break
++ con = selinux.getcon()[1].split(":")
++
++ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
++
++ filecon = "%s:%s:%s:%s" % (con[0],
++ "object_r",
++ "%s_file_t" % setype[:-2],
++ mcs)
++ return execcon, filecon
++
++
++if __name__ == '__main__':
++ if selinux.is_selinux_enabled() != 1:
++ error_exit("Requires an SELinux enabled system")
++
++ def usage(message = ""):
++ text = _("""
++sandbox [ -m ] [ -t type ] command
++""")
++ error_exit("%s\n%s" % (message, text))
++
++ setype = "sandbox_t"
++ mount_ind = False
++ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
++ ["type=",
++ "mount"])
++ for o, a in gopts:
++ if o == "-t" or o == "--type":
++ setype = a
++
++ if o == "-m" or o == "--mount":
++ mount_ind = True
++
++
++ if len(cmds) == 0:
++ usage(_("Command required"))
++
++ os.chdir("/")
++ execcon, filecon = gen_context(setype)
++ rc = -1
++ try:
++ if mount_ind:
++ mount(filecon)
++
++ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
++ for i in os.environ["PATH"].split(':'):
++ f = "%s/%s" % (i, cmds[0])
++ if os.access(f, os.X_OK):
++ cmds[0] = f
++ break
++
++ setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
++ if setype == "user_home_t" or setype == "user_tmp_t":
++ error_exit(_("""
++Sandboxed applications can not read/execute files labeled as user content; (%s)
++Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
++
++chcon -t bin_t %s
++
++restorecon %s
++
++Will set the executable back to the correct context.
++""") % (setype, cmds[0], cmds[0], cmds[0]) )
++
++ selinux.setexeccon(execcon)
++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++ selinux.setexeccon(None)
++
++ if mount_ind:
++ umount(filecon)
++
++ except getopt.error, error:
++ usage(_("Options Error %s ") % error.msg)
++ except ValueError, error:
++ error_exit(error.args[0])
++ except KeyError, error:
++ error_exit(_("Invalid value %s") % error.args[0])
++ except IOError, error:
++ error_exit(error.args[1])
++
++ sys.exit(rc)
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8
+--- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.63/scripts/sandbox.8 2009-05-22 13:43:03.000000000 -0400
+@@ -0,0 +1,22 @@
++.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
++.SH NAME
++sandbox \- Run cmd under an SELinux sandbox
++.SH SYNOPSIS
++.B sandbox
++[ -M ] [ -t type ] cmd
++.br
++.SH DESCRIPTION
++.PP
++Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell.
++.PP
++.TP
++\fB\-m\fR
++Mount a temporary file system and change working directory to it, files will be removed when job completes.
++.TP
++\fB\-t type\fR
++Use alternate sandbox type, defaults to sandbox_t
++.TP
++.SH "SEE ALSO"
++.TP
++runcon(1)
++.PP
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.63/scripts/sandbox.py
+--- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.63/scripts/sandbox.py 2009-05-22 13:40:04.000000000 -0400
+@@ -0,0 +1,67 @@
++#!/usr/bin/python
++import os, sys, getopt, socket, random, fcntl
++import selinux
++
++random.seed(None)
++
++def mount(src, context):
++ destdir="/mnt/%s" % context
++ os.mkdir(destdir)
++ print 'mount -n -o "context=%s" %s %s' % (context, src, destdir)
++ os.chdir(destdir)
++
++def umount(dest):
++ os.chdir("/")
++ destdir="/mnt/%s" % dest
++ print ('umount -n %s' % destdir)
++ os.rmdir(destdir)
++
++
++def reserve(mcs):
++ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
++ sock.bind("\0%s" % mcs)
++ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
++
++def gen_context(type):
++ while True:
++ i1 = random.randrange(0,1024)
++ i2 = random.randrange(0,1024)
++ if i1 == i2:
++ continue
++ if i1 > i2:
++ tmp = i1
++ i1 = i2
++ i2 = tmp
++ mcs = "s0:c%d,c%d" % (i1, i2)
++ reserve(mcs)
++ try:
++ reserve(mcs)
++ except:
++ continue
++ break
++ con = selinux.getcon()[1].split(":")
++
++ execcon="%s:%s:%s:%s" % (con[0], con[1], type, mcs)
++
++ filecon="%s:%s:%s:%s" % (con[0], "object_r", "%s_file_t" % type[:-2], mcs)
++ return execcon, filecon
++
++
++type = "sandbox_t"
++mount_src = None
++gopts, cmds = getopt.getopt(sys.argv[1:],"t:m:",
++ ["type",
++ "mount"])
++for o, a in gopts:
++ if o == "-t" or o == "--type":
++ type = a
++ if o == "-m" or o == "--mount":
++ mount_src = a
++
++execcon, filecon = gen_context(type)
++selinux.setexeccon(execcon)
++
++if mount_src != None:
++ mount(mount_src, filecon)
++ umount(filecon)
++os.execvp(cmds[0], cmds)
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.63/semanage/semanage
+--- nsapolicycoreutils/semanage/semanage 2009-05-18 13:53:14.000000000 -0400
++++ policycoreutils-2.0.63/semanage/semanage 2009-05-22 13:40:04.000000000 -0400
@@ -44,16 +44,17 @@
text = _("""
semanage [ -S store ] -i [ input_file | - ]
@@ -1405,22 +1701,9 @@ diff --exclude-from=exclude --exclude=se
elif object == "node":
OBJECT.delete(target, mask, proto)
-@@ -464,10 +505,10 @@
- else:
- fd = open(input, 'r')
- trans = seobject.semanageRecords(store)
-- trans.begin()
-+ trans.start()
- for l in fd.readlines():
- process_args(mkargv(l))
-- trans.commit()
-+ trans.finish()
- else:
- process_args(sys.argv[1:])
-
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.62/semanage/semanage.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.63/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.62/semanage/semanage.8 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/semanage/semanage.8 2009-05-22 13:40:04.000000000 -0400
@@ -21,6 +21,8 @@
.br
.B semanage permissive \-{a|d} type
@@ -1430,9 +1713,9 @@ diff --exclude-from=exclude --exclude=se
.B semanage translation \-{a|d|m} [\-T] level
.P
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py
---- nsapolicycoreutils/semanage/seobject.py 2008-11-14 17:10:15.000000000 -0500
-+++ policycoreutils-2.0.62/semanage/seobject.py 2009-05-05 16:49:09.000000000 -0400
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.63/semanage/seobject.py
+--- nsapolicycoreutils/semanage/seobject.py 2009-05-18 13:53:14.000000000 -0400
++++ policycoreutils-2.0.63/semanage/seobject.py 2009-05-22 13:40:04.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
@@ -1535,40 +1818,19 @@ diff --exclude-from=exclude --exclude=se
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
-@@ -281,15 +282,20 @@
- global handle
-
+@@ -283,7 +284,7 @@
if handle != None:
-- self.transaction = True
self.sh = handle
else:
- self.sh=get_handle(store)
-- self.transaction = False
+ self.sh = get_handle(store)
-+ self.transaction = False
+ self.transaction = False
def deleteall(self):
- raise ValueError(_("Not yet implemented"))
-
-+ def start(self):
-+ if self.transaction:
-+ raise ValueError(_("Semanage transaction already in progress"))
-+ self.begin()
-+ self.transaction = True
-+
- def begin(self):
- if self.transaction:
- return
-@@ -303,6 +309,55 @@
- if rc < 0:
- raise ValueError(_("Could not commit semanage transaction"))
+@@ -314,6 +315,49 @@
+ self.transaction = False
+ self.commit()
-+ def finish(self):
-+ if not self.transaction:
-+ raise ValueError(_("Semanage transaction not in progress"))
-+ self.transaction = False
-+ self.commit()
-+
+class moduleRecords(semanageRecords):
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
@@ -1615,7 +1877,7 @@ diff --exclude-from=exclude --exclude=se
class permissiveRecords(semanageRecords):
def __init__(self, store):
semanageRecords.__init__(self, store)
-@@ -320,7 +375,7 @@
+@@ -331,7 +375,7 @@
l.append(name.split("permissive_")[1])
return l
@@ -1624,15 +1886,7 @@ diff --exclude-from=exclude --exclude=se
if heading:
print "\n%-25s\n" % (_("Permissive Types"))
for t in self.get_all():
-@@ -328,6 +383,7 @@
-
-
- def add(self, type):
-+ import glob
- name = "permissive_%s" % type
- dirname = "/var/lib/selinux"
- os.chdir(dirname)
-@@ -341,7 +397,7 @@
+@@ -353,7 +397,7 @@
permissive %s;
""" % (name, type, type)
@@ -1641,32 +1895,16 @@ diff --exclude-from=exclude --exclude=se
fd.write(modtxt)
fd.close()
mc = module.ModuleCompiler()
-@@ -351,16 +407,19 @@
- fd.close()
-
- rc = semanage_module_install(self.sh, data, len(data));
-- if rc < 0:
-- raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
--
-- self.commit()
-+ if rc >= 0:
-+ self.commit()
+@@ -366,7 +410,7 @@
+ if rc >= 0:
+ self.commit()
- for root, dirs, files in os.walk("tmp", topdown=False):
+ for root, dirs, files in os.walk("tmp", topdown = False):
for name in files:
os.remove(os.path.join(root, name))
for name in dirs:
- os.rmdir(os.path.join(root, name))
-+ os.removedirs("tmp")
-+ for i in glob.glob("permissive_%s.*" % type):
-+ os.remove(i)
-+ if rc < 0:
-+ raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
-
- def delete(self, name):
- for n in name.split():
-@@ -390,11 +449,11 @@
+@@ -405,11 +449,11 @@
if sename == "":
sename = "user_u"
@@ -1680,7 +1918,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
-@@ -410,7 +469,7 @@
+@@ -425,7 +469,7 @@
except:
raise ValueError(_("Linux User %s does not exist") % name)
@@ -1689,7 +1927,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create login mapping for %s") % name)
-@@ -450,17 +509,17 @@
+@@ -465,17 +509,17 @@
if sename == "" and serange == "":
raise ValueError(_("Requires seuser or serange"))
@@ -1710,7 +1948,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not query seuser for %s") % name)
-@@ -483,7 +542,7 @@
+@@ -498,7 +542,7 @@
semanage_seuser_key_free(k)
semanage_seuser_free(u)
@@ -1719,7 +1957,7 @@ diff --exclude-from=exclude --exclude=se
def modify(self, name, sename = "", serange = ""):
try:
-@@ -492,21 +551,21 @@
+@@ -507,21 +551,21 @@
self.commit()
except ValueError, error:
@@ -1745,7 +1983,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if not exists:
-@@ -525,10 +584,10 @@
+@@ -540,10 +584,10 @@
self.commit()
except ValueError, error:
@@ -1758,7 +1996,7 @@ diff --exclude-from=exclude --exclude=se
def get_all(self, locallist = 0):
ddict = {}
-@@ -578,17 +637,17 @@
+@@ -593,17 +637,17 @@
if len(roles) < 1:
raise ValueError(_("You must add at least one role for %s") % name)
@@ -1779,7 +2017,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create SELinux user for %s") % name)
-@@ -612,7 +671,7 @@
+@@ -627,7 +671,7 @@
rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0:
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
@@ -1788,7 +2026,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not extract key for %s") % name)
-@@ -645,17 +704,17 @@
+@@ -660,17 +704,17 @@
else:
raise ValueError(_("Requires prefix or roles"))
@@ -1809,7 +2047,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not query user for %s") % name)
-@@ -703,17 +762,17 @@
+@@ -718,17 +762,17 @@
raise error
def __delete(self, name):
@@ -1830,7 +2068,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if not exists:
-@@ -795,7 +854,7 @@
+@@ -810,7 +854,7 @@
low = int(ports[0])
high = int(ports[1])
@@ -1839,7 +2077,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create a key for %s/%s") % (proto, port))
return ( k, proto_d, low, high )
-@@ -812,13 +871,13 @@
+@@ -827,13 +871,13 @@
( k, proto_d, low, high ) = self.__genkey(port, proto)
@@ -1855,7 +2093,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create port for %s/%s") % (proto, port))
-@@ -871,13 +930,13 @@
+@@ -886,13 +930,13 @@
( k, proto_d, low, high ) = self.__genkey(port, proto)
@@ -1871,7 +2109,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not query port %s/%s") % (proto, port))
-@@ -926,13 +985,13 @@
+@@ -941,13 +985,13 @@
def __delete(self, port, proto):
( k, proto_d, low, high ) = self.__genkey(port, proto)
@@ -1887,7 +2125,16 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if not exists:
-@@ -1038,17 +1097,17 @@
+@@ -983,7 +1027,7 @@
+ proto_str = semanage_port_get_proto_str(proto)
+ low = semanage_port_get_low(port)
+ high = semanage_port_get_high(port)
+- ddict[(low, high)] = (ctype, proto_str, level)
++ ddict[(low, high, proto_str)] = (ctype, level)
+ return ddict
+
+ def get_all_by_type(self, locallist = 0):
+@@ -1053,17 +1097,17 @@
if ctype == "":
raise ValueError(_("SELinux Type is required"))
@@ -1908,7 +2155,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create addr for %s") % addr)
-@@ -1113,17 +1172,17 @@
+@@ -1128,17 +1172,17 @@
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@@ -1929,7 +2176,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not query addr %s") % addr)
-@@ -1160,17 +1219,17 @@
+@@ -1175,17 +1219,17 @@
else:
raise ValueError(_("Unknown or missing protocol"))
@@ -1950,7 +2197,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if addr %s is defined") % addr)
if not exists:
-@@ -1240,17 +1299,17 @@
+@@ -1255,17 +1299,17 @@
if ctype == "":
raise ValueError(_("SELinux Type is required"))
@@ -1971,7 +2218,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create interface for %s") % interface)
-@@ -1301,17 +1360,17 @@
+@@ -1316,17 +1360,17 @@
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@@ -1992,7 +2239,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not query interface %s") % interface)
-@@ -1335,17 +1394,17 @@
+@@ -1350,17 +1394,17 @@
self.commit()
def __delete(self, interface):
@@ -2013,7 +2260,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if not exists:
-@@ -1393,6 +1452,48 @@
+@@ -1408,6 +1452,48 @@
class fcontextRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
@@ -2062,7 +2309,7 @@ diff --exclude-from=exclude --exclude=se
def createcon(self, target, seuser = "system_u"):
(rc, con) = semanage_context_create(self.sh)
-@@ -1429,23 +1530,23 @@
+@@ -1444,23 +1530,23 @@
if type == "":
raise ValueError(_("SELinux Type is required"))
@@ -2090,7 +2337,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create file context for %s") % target)
-@@ -1486,21 +1587,21 @@
+@@ -1501,21 +1587,21 @@
raise ValueError(_("Requires setype, serange or seuser"))
self.validate(target)
@@ -2117,7 +2364,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not query file context for %s") % target)
-@@ -1550,7 +1651,7 @@
+@@ -1565,7 +1651,7 @@
target = semanage_fcontext_get_expr(fcontext)
ftype = semanage_fcontext_get_type(fcontext)
ftype_str = semanage_fcontext_get_type_str(ftype)
@@ -2126,7 +2373,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not create a key for %s") % target)
-@@ -1558,19 +1659,26 @@
+@@ -1573,19 +1659,26 @@
if rc < 0:
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
@@ -2157,7 +2404,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
-@@ -1617,11 +1725,11 @@
+@@ -1632,11 +1725,11 @@
return ddict
def list(self, heading = 1, locallist = 0 ):
@@ -2171,7 +2418,7 @@ diff --exclude-from=exclude --exclude=se
for k in keys:
if fcon_dict[k]:
if is_mls_enabled:
-@@ -1630,11 +1738,17 @@
+@@ -1645,11 +1738,17 @@
print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
else:
print "%-50s %-18s <<None>>" % (k[0], k[1])
@@ -2190,7 +2437,7 @@ diff --exclude-from=exclude --exclude=se
self.dict["TRUE"] = 1
self.dict["FALSE"] = 0
self.dict["ON"] = 1
-@@ -1643,16 +1757,16 @@
+@@ -1658,16 +1757,16 @@
self.dict["0"] = 0
def __mod(self, name, value):
@@ -2210,7 +2457,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not query file context %s") % name)
-@@ -1670,7 +1784,7 @@
+@@ -1685,7 +1784,7 @@
semanage_bool_key_free(k)
semanage_bool_free(b)
@@ -2219,7 +2466,7 @@ diff --exclude-from=exclude --exclude=se
self.begin()
-@@ -1694,16 +1808,16 @@
+@@ -1709,16 +1808,16 @@
def __delete(self, name):
@@ -2239,7 +2486,7 @@ diff --exclude-from=exclude --exclude=se
if rc < 0:
raise ValueError(_("Could not check if boolean %s is defined") % name)
if not exists:
-@@ -1762,7 +1876,7 @@
+@@ -1777,7 +1876,7 @@
return _("unknown")
def list(self, heading = True, locallist = False, use_file = False):
@@ -2248,9 +2495,9 @@ diff --exclude-from=exclude --exclude=se
if use_file:
ddict = self.get_all(locallist)
keys = ddict.keys()
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.62/setfiles/setfiles.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.63/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.62/setfiles/setfiles.c 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/setfiles/setfiles.c 2009-05-22 13:40:04.000000000 -0400
@@ -29,6 +29,8 @@
static int mass_relabel;
static int mass_relabel_errs;
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.606
retrieving revision 1.607
diff -u -p -r1.606 -r1.607
--- policycoreutils.spec 12 May 2009 19:45:50 -0000 1.606
+++ policycoreutils.spec 22 May 2009 18:00:01 -0000 1.607
@@ -5,8 +5,8 @@
%define sepolgenver 1.0.16
Summary: SELinux policy core utilities
Name: policycoreutils
-Version: 2.0.62
-Release: 14%{?dist}
+Version: 2.0.63
+Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -113,6 +113,7 @@ The policycoreutils-python package conta
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_bindir}/chcat
+%{_bindir}/sandbox
%{_bindir}/sepolgen-ifgen
%{_libdir}/python?.?/site-packages/seobject.py*
%{_libdir}/python?.?/site-packages/sepolgen/*
@@ -225,6 +226,13 @@ else
fi
%changelog
+* Wed May 20 2009 Dan Walsh <dwalsh at redhat.com> 2.0.63-1
+- Update to upstream
+ * Fix transaction checking from Dan Walsh.
+ * Make fixfiles -R (for rpm) recursive.
+ * Make semanage permissive clean up after itself from Dan Walsh.
+ * add /root/.ssh/* to restorecond.conf
+
* Wed Apr 22 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-14
- Fix audit2allow -a to retun /var/log/messages
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/sources,v
retrieving revision 1.200
retrieving revision 1.201
diff -u -p -r1.200 -r1.201
--- sources 18 Feb 2009 21:54:40 -0000 1.200
+++ sources 22 May 2009 18:00:01 -0000 1.201
@@ -1,2 +1,2 @@
-7163e6b815bb45eb4f6a620cd8240690 policycoreutils-2.0.62.tgz
e1b5416c3e0d76e5d702b3f54f4def45 sepolgen-1.0.16.tgz
+6a45dc84a2291dc2722fc60f18fb8393 policycoreutils-2.0.63.tgz
More information about the scm-commits
mailing list