[policycoreutils] Update to upstream sepolgen * better analysis of why things broke policycoreutils * Remove excess

Daniel J Walsh dwalsh at fedoraproject.org
Wed Dec 21 18:18:03 UTC 2011


commit 414b6a904d4ef6e44c1c9482bdebec37ab5c1af1
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Wed Dec 21 18:18:01 2011 +0000

    Update to upstream
    sepolgen
    	* better analysis of why things broke
    policycoreutils
    	* Remove excess whitespace
    	* sandbox: Add back in . functions to sandbox.init script
    	* Fix Makefile to match other policycoreutils Makefiles
    	* semanage: drop unused translation getopt

 policycoreutils-rhat.patch     |  172 +--------------------------------------
 policycoreutils-sepolgen.patch |  133 -------------------------------
 policycoreutils.spec           |   20 ++++-
 sources                        |    4 +-
 4 files changed, 22 insertions(+), 307 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 73e48c2..a544da3 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -84,40 +84,6 @@ index 9db766c..068e24c 100644
  	return 0;
  
  }				/* main() */
-diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
-index 7789d23..b817364 100644
---- a/policycoreutils/sandbox/Makefile
-+++ b/policycoreutils/sandbox/Makefile
-@@ -8,13 +8,13 @@ SBINDIR ?= $(PREFIX)/sbin
- MANDIR ?= $(PREFIX)/share/man
- LOCALEDIR ?= /usr/share/locale
- SHAREDIR ?= $(PREFIX)/share/sandbox
--override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
--LDLIBS += -lcgroup -lselinux -lcap-ng
-+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W
-+LDLIBS += -lcgroup -lselinux -lcap-ng -L$(LIBDIR)
-+SEUNSHARE_OBJS = seunshare.o
- 
- all: sandbox seunshare sandboxX.sh start
- 
--seunshare: seunshare.o $(EXTRA_OBJS)
--	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) -L$(LIBDIR)
-+seunshare: $(SEUNSHARE_OBJS)
- 
- install: all
- 	-mkdir -p $(BINDIR)
-diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
-index 8aed876..b3979bf 100644
---- a/policycoreutils/sandbox/sandbox.init
-+++ b/policycoreutils/sandbox/sandbox.init
-@@ -19,6 +19,7 @@
- #
- 
- # Source function library.
-+. /etc/init.d/functions
- 
- LOCKFILE=/var/lock/subsys/sandbox
- 
 diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
 index ab696a7..58b19cd 100644
 --- a/policycoreutils/scripts/genhomedircon
@@ -271,7 +237,7 @@ index 0000000..e2befdb
 +      packages=["policycoreutils"],
 +)
 diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
-index 48d7baa..2c0cfdd 100644
+index 0c7c186..aaba8b1 100644
 --- a/policycoreutils/semanage/semanage
 +++ b/policycoreutils/semanage/semanage
 @@ -20,6 +20,7 @@
@@ -291,96 +257,8 @@ index 48d7baa..2c0cfdd 100644
                         codeset = 'utf-8')
  except IOError:
         import __builtin__
-@@ -283,11 +284,14 @@ Object-specific Options (see above):
- 				equal = a
- 
- 			if o == "--enable":
--				set_action(o)
-+				if disable:
-+					raise ValueError(_("You can't disable and enable at the same time"))
-+
- 				enable = True
- 
- 			if o == "--disable":
--				set_action(o)
-+				if enable:
-+					raise ValueError(_("You can't disable and enable at the same time"))
- 				disable = True
- 
- 			if o == "-F"  or o == "--file":
-@@ -504,31 +508,36 @@ Object-specific Options (see above):
-                if len(sys.argv) < 3:
-                       usage(_("Requires 2 or more arguments"))
-                 
--               gopts, cmds = getopt.getopt(sys.argv[1:],
--                                           '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
--                                           ['add',
--                                            'delete',
--                                            'deleteall',
--                                            'ftype=',
--                                            'file',
--                                            'help',
--                                            'input=',
--                                            'list', 
--                                            'modify',
--                                            'noheading',
--                                            'localist',
--                                            'off', 
--                                            'on', 
--                                            'output=',
--                                            'proto=',
--                                            'seuser=',
--                                            'store=',
--                                            'range=',
--                                            'level=',
--                                            'roles=',
--                                            'type=',
--                                            'prefix='
--                                            ])
-+               try:
-+                      gopts, cmds = getopt.getopt(sys.argv[1:],
-+                                                  '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
-+                                                  ['add',
-+                                                   'delete',
-+                                                   'deleteall',
-+                                                   'ftype=',
-+                                                   'file',
-+                                                   'help',
-+                                                   'input=',
-+                                                   'list',
-+                                                   'modify',
-+                                                   'noheading',
-+                                                   'localist',
-+                                                   'off',
-+                                                   'on',
-+                                                   'output=',
-+                                                   'proto=',
-+                                                   'seuser=',
-+                                                   'store=',
-+                                                   'range=',
-+                                                   'level=',
-+                                                   'roles=',
-+                                                   'type=',
-+                                                   'trans=',
-+                                                   'prefix='
-+                                                   ])
-+               except getopt.error, error:
-+                      usage(_("Options Error %s ") % error.msg)
-+
-                for o, a in gopts:
-                       if o == "-S" or o == '--store':
-                              store = a
-@@ -558,8 +567,6 @@ Object-specific Options (see above):
-                else:
-                       process_args(sys.argv[1:])
- 			
--	except getopt.error, error:
--		usage(_("Options Error %s ") % error.msg)
- 	except ValueError, error:
- 		errorExit(error.args[0])
- 	except KeyError, error:
 diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
-index 2628645..e5b6303 100644
+index 17afe23..e5b6303 100644
 --- a/policycoreutils/semanage/seobject.py
 +++ b/policycoreutils/semanage/seobject.py
 @@ -30,11 +30,10 @@ from IPy import IP
@@ -420,15 +298,7 @@ index 2628645..e5b6303 100644
  
                  (rc, u) = semanage_user_create(self.sh)
                  if rc < 0:
-@@ -1136,7 +1138,6 @@ class nodeRecords(semanageRecords):
-                return newaddr, newmask, newprotocol
- 
-        def __add(self, addr, mask, proto, serange, ctype):
--
-                addr, mask, proto = self.validate(addr, mask, proto)
- 
-                if is_mls_enabled == 1:
-@@ -1156,7 +1157,8 @@ class nodeRecords(semanageRecords):
+@@ -1155,7 +1157,8 @@ class nodeRecords(semanageRecords):
  
                 (rc, exists) = semanage_node_exists(self.sh, k)
                 if exists:
@@ -438,31 +308,7 @@ index 2628645..e5b6303 100644
  
                 (rc, node) = semanage_node_create(self.sh)
                 if rc < 0:
-@@ -1172,7 +1174,6 @@ class nodeRecords(semanageRecords):
-                if rc < 0:
-                        raise ValueError(_("Could not set mask for %s") % addr)
- 
--
-                rc = semanage_context_set_user(self.sh, con, "system_u")
-                if rc < 0:
-                        raise ValueError(_("Could not set user in addr context for %s") % addr)
-@@ -1208,7 +1209,6 @@ class nodeRecords(semanageRecords):
-                 self.commit()
- 
-        def __modify(self, addr, mask, proto, serange, setype):
--
-                addr, mask, proto = self.validate(addr, mask, proto)
- 
-                if serange == "" and setype == "":
-@@ -1229,7 +1229,6 @@ class nodeRecords(semanageRecords):
-                        raise ValueError(_("Could not query addr %s") % addr)
- 
-                con = semanage_node_get_con(node)
--
-                if serange != "":
-                        semanage_context_set_mls(self.sh, con, untranslate(serange))
-                if setype != "":
-@@ -1357,7 +1356,8 @@ class interfaceRecords(semanageRecords):
+@@ -1353,7 +1356,8 @@ class interfaceRecords(semanageRecords):
  		if rc < 0:
  			raise ValueError(_("Could not check if interface %s is defined") % interface)
  		if exists:
@@ -472,7 +318,7 @@ index 2628645..e5b6303 100644
  
  		(rc, iface) = semanage_iface_create(self.sh)
  		if rc < 0:
-@@ -1640,7 +1640,8 @@ class fcontextRecords(semanageRecords):
+@@ -1636,7 +1640,8 @@ class fcontextRecords(semanageRecords):
                                raise ValueError(_("Could not check if file context for %s is defined") % target)
  
                  if exists:
@@ -482,14 +328,6 @@ index 2628645..e5b6303 100644
  
  		(rc, fcontext) = semanage_fcontext_create(self.sh)
  		if rc < 0:
-@@ -1734,7 +1735,6 @@ class fcontextRecords(semanageRecords):
-                 self.begin()
-                 self.__modify(target, setype, ftype, serange, seuser)
-                 self.commit()
--		
- 
- 	def deleteall(self):
- 		(rc, flist) = semanage_fcontext_list_local(self.sh)
 diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
 index 9a7d315..e57d34f 100644
 --- a/policycoreutils/setfiles/restore.c
diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch
index d71fa33..5c7af1d 100644
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@@ -1,72 +1,3 @@
-diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index 898fbc3..9fdfafa 100644
---- a/sepolgen/src/sepolgen/audit.py
-+++ b/sepolgen/src/sepolgen/audit.py
-@@ -127,6 +127,9 @@ class PathMessage(AuditMessage):
-             if fields[0] == "path":
-                 self.path = fields[1][1:-1]
-                 return
-+import selinux.audit2why as audit2why
-+
-+avcdict = {}
- 
- class AVCMessage(AuditMessage):
-     """AVC message representing an access denial or granted message.
-@@ -168,6 +171,8 @@ class AVCMessage(AuditMessage):
-         self.name = ""
-         self.accesses = []
-         self.denial = True
-+        self.type = audit2why.TERULE
-+        self.bools = []
- 
-     def __parse_access(self, recs, start):
-         # This is kind of sucky - the access that is in a space separated
-@@ -229,7 +234,31 @@ class AVCMessage(AuditMessage):
- 
-         if not found_src or not found_tgt or not found_class or not found_access:
-             raise ValueError("AVC message in invalid format [%s]\n" % self.message)
--                
-+        self.analyze()
-+
-+    def analyze(self):
-+        tcontext = self.tcontext.to_string()
-+        scontext = self.scontext.to_string()
-+        access_tuple = tuple( self.accesses)
-+        if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
-+            self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
-+        else:
-+            self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
-+            if self.type == audit2why.NOPOLICY:
-+                self.type = audit2why.TERULE
-+            if self.type == audit2why.BADTCON:
-+                raise ValueError("Invalid Target Context %s\n" % tcontext)
-+            if self.type == audit2why.BADSCON:
-+                raise ValueError("Invalid Source Context %s\n" % scontext)
-+            if self.type == audit2why.BADSCON:
-+                raise ValueError("Invalid Type Class %s\n" % self.tclass)
-+            if self.type == audit2why.BADPERM:
-+                raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
-+            if self.type == audit2why.BADCOMPUTE:
-+                raise ValueError("Error during access vector computation")
-+
-+            avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
-+
- class PolicyLoadMessage(AuditMessage):
-     """Audit message indicating that the policy was reloaded."""
-     def __init__(self, message):
-@@ -472,10 +501,10 @@ class AuditParser:
-             if avc_filter:
-                 if avc_filter.filter(avc):
-                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
--                               avc.accesses, avc)
-+                               avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
-             else:
-                 av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
--                           avc.accesses, avc)
-+                           avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
-         return av_set
- 
- class AVCTypeFilter:
 diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
 index 1a9a3e5..d56dd92 100644
 --- a/sepolgen/src/sepolgen/matching.py
@@ -99,67 +30,3 @@ index 1a9a3e5..d56dd92 100644
  
      def __iter__(self):
          return iter(self.children)
-diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
-index 0e6b502..4882999 100644
---- a/sepolgen/src/sepolgen/policygen.py
-+++ b/sepolgen/src/sepolgen/policygen.py
-@@ -29,6 +29,8 @@ import objectmodel
- import access
- import interfaces
- import matching
-+import selinux.audit2why as audit2why
-+from setools import *
- 
- # Constants for the level of explanation from the generation
- # routines
-@@ -77,6 +79,7 @@ class PolicyGenerator:
- 
-         self.dontaudit = False
- 
-+        self.domains = None
-     def set_gen_refpol(self, if_set=None, perm_maps=None):
-         """Set whether reference policy interfaces are generated.
- 
-@@ -151,8 +154,41 @@ class PolicyGenerator:
-             rule = refpolicy.AVRule(av)
-             if self.dontaudit:
-                 rule.rule_type = rule.DONTAUDIT
-+            rule.comment = ""
-             if self.explain:
--                rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
-+                rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
-+            if av.type == audit2why.ALLOW:
-+                rule.comment += "#!!!! This avc is allowed in the current policy\n"
-+            if av.type == audit2why.DONTAUDIT:
-+                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
-+
-+            if av.type == audit2why.BOOLEAN:
-+                if len(av.bools) > 1:
-+                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.bools))
-+                else:
-+                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
-+
-+            if av.type == audit2why.CONSTRAINT:
-+                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
-+                rule.comment += "#Constraint rule: "
-+
-+            if av.type == audit2why.TERULE:
-+                if "write" in av.perms:
-+                    if "dir" in av.obj_class or "open" in av.perms:
-+                        if not self.domains:
-+                            self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
-+                        types=[]
-+
-+                        try:
-+                            for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
-+                                if i not in self.domains:
-+                                    types.append(i)
-+                            if len(types) == 1:
-+                                rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                            elif len(types) >= 1:
-+                                rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                        except:
-+                            pass
-             self.module.children.append(rule)
- 
- 
diff --git a/policycoreutils.spec b/policycoreutils.spec
index a2a1254..85ba308 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,13 +1,13 @@
 %define	libauditver	2.1.3-4
-%define libsepolver 	2.1.4-4
+%define libsepolver 	2.1.4-5
 %define	libsemanagever	2.1.5-1
-%define	libselinuxver	2.1.7-2
-%define	sepolgenver	1.1.4
+%define	libselinuxver	2.1.8-5
+%define	sepolgenver	1.1.5
 
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
-Version: 2.1.9
-Release: 4%{?dist}
+Version: 2.1.10
+Release: 1%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -355,6 +355,16 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Wed Dec 21 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.10-1
+-Update to upstream
+- sepolgen
+	* better analysis of why things broke
+- policycoreutils
+	* Remove excess whitespace
+	* sandbox: Add back in . functions to sandbox.init script
+	* Fix Makefile to match other policycoreutils Makefiles
+	* semanage: drop unused translation getopt
+
 * Thu Dec 15 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.9-3
 - Bump libsepol version requires rebuild
 
diff --git a/sources b/sources
index 91b04fe..902efac 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
 59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2
-c7d17d1cb82dcb6f0dc15d3ce2203f27  policycoreutils-2.1.9.tgz
-fb184a69c16fd775527e0ca3176a422d  sepolgen-1.1.4.tgz
+86d10b576c95d220bd2e27cc387e67da  policycoreutils-2.1.10.tgz
+34b1f6599517f80c9b7cfa2dc22826db  sepolgen-1.1.5.tgz

