[policycoreutils] Upgrade to policycoreutils upstream * sandbox: Maintain the LANG environment into the sandbox * au
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Nov 4 14:47:47 UTC 2011
commit 2c4e323ce58aeb58127f32f07723976325acaa1e
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Nov 4 10:47:42 2011 -0400
Upgrade to policycoreutils upstream
* sandbox: Maintain the LANG environment into the sandbox
* audit2allow: use audit2why internally
* fixfiles: label /root but not /var/lib/BackupPC
* semanage: update local boolean settings is dealing with localstore
* semanage: missing modify=True
* semanage: set modified correctly
* restorecond: make restorecond dbuss-able
* restorecon: Always check return code on asprintf
* restorecond: make restorecond -u exit when terminal closes
* sandbox: introduce package name and language stuff
* semodule_package: remove semodule_unpackage on clean
* fix sandbox Makefile to support DESTDIR
* semanage: Add -o description to the semanage man page
* make use of the new realpath_not_final function
* setfiles: close /proc/mounts file when finished
* semodule: Document semodule -p in man page
* setfiles: fix use before initialized
* restorecond: Add .local/share as a directory to watch
Upgrade to sepolgen upstream
* Ignore permissive qualifier if found in an interface
* Return name field in avc data
policycoreutils-rhat.patch | 1717 ++++------------------------------------
policycoreutils-sepolgen.patch | 69 +--
policycoreutils.spec | 43 +-
sources | 4 +-
4 files changed, 198 insertions(+), 1635 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index db02944..0e418a1 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -8,38 +8,6 @@ index 7244a36..3e95698 100644
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
-diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
-index e9c80f0..e9d5882 100644
---- a/policycoreutils/audit2allow/audit2allow
-+++ b/policycoreutils/audit2allow/audit2allow
-@@ -235,25 +235,10 @@ class AuditToPolicy:
- import selinux
- import seobject
- for i in self.__parser.avc_msgs:
-- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
-+ rc = i.type
-+ bools = i.bools
- if rc >= 0:
- print "%s\n\tWas caused by:" % i.message
-- if rc == audit2why.NOPOLICY:
-- raise RuntimeError("Must call policy_init first")
-- if rc == audit2why.BADTCON:
-- print "Invalid Target Context %s\n" % i.tcontext
-- continue
-- if rc == audit2why.BADSCON:
-- print "Invalid Source Context %s\n" % i.scontext
-- continue
-- if rc == audit2why.BADSCON:
-- print "Invalid Type Class %s\n" % i.tclass
-- continue
-- if rc == audit2why.BADPERM:
-- print "Invalid permission %s\n" % i.accesses
-- continue
-- if rc == audit2why. BADCOMPUTE:
-- raise RuntimeError("Error during access vector computation")
- if rc == audit2why.ALLOW:
- print "\t\tUnknown - would be allowed by active policy\n",
- print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 99d0ed7..19e20a8 100644
--- a/policycoreutils/newrole/newrole.c
@@ -74,1260 +42,26 @@ index 99d0ed7..19e20a8 100644
if (set_signal_handles())
return -1;
-diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
-index 3f235e6..03a4544 100644
---- a/policycoreutils/restorecond/Makefile
-+++ b/policycoreutils/restorecond/Makefile
-@@ -1,17 +1,28 @@
- # Installation directories.
- PREFIX ?= ${DESTDIR}/usr
- SBINDIR ?= $(PREFIX)/sbin
-+LIBDIR ?= $(PREFIX)/lib
- MANDIR = $(PREFIX)/share/man
-+AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
-+DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
-+
-+autostart_DATA = sealertauto.desktop
- INITDIR = $(DESTDIR)/etc/rc.d/init.d
- SELINUXDIR = $(DESTDIR)/etc/selinux
-
-+DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
-+DBUSLIB = -ldbus-glib-1 -ldbus-1
-+
- CFLAGS ?= -g -Werror -Wall -W
--override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
--LDLIBS += -lselinux -L$(PREFIX)/lib
-+override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
-+
-+LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
-
- all: restorecond
-
--restorecond: restorecond.o utmpwatcher.o stringslist.o
-+restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
-+
-+restorecond: ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
-
- install: all
-@@ -22,7 +33,12 @@ install: all
- -mkdir -p $(INITDIR)
- install -m 755 restorecond.init $(INITDIR)/restorecond
- -mkdir -p $(SELINUXDIR)
-- install -m 600 restorecond.conf $(SELINUXDIR)/restorecond.conf
-+ install -m 644 restorecond.conf $(SELINUXDIR)/restorecond.conf
-+ install -m 644 restorecond_user.conf $(SELINUXDIR)/restorecond_user.conf
-+ -mkdir -p $(AUTOSTARTDIR)
-+ install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop
-+ -mkdir -p $(DBUSSERVICEDIR)
-+ install -m 600 org.selinux.Restorecond.service $(DBUSSERVICEDIR)/org.selinux.Restorecond.service
-
- relabel: install
- /sbin/restorecon $(SBINDIR)/restorecond
-diff --git a/policycoreutils/restorecond/org.selinux.Restorecond.service b/policycoreutils/restorecond/org.selinux.Restorecond.service
-new file mode 100644
-index 0000000..0ef5f0b
---- /dev/null
-+++ b/policycoreutils/restorecond/org.selinux.Restorecond.service
-@@ -0,0 +1,3 @@
-+[D-BUS Service]
-+Name=org.selinux.Restorecond
-+Exec=/usr/sbin/restorecond -u
-diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8
-index b149dcb..4622d2b 100644
---- a/policycoreutils/restorecond/restorecond.8
-+++ b/policycoreutils/restorecond/restorecond.8
-@@ -3,7 +3,7 @@
- restorecond \- daemon that watches for file creation and then sets the default SELinux file context
-
- .SH "SYNOPSIS"
--.B restorecond [\-d]
-+.B restorecond [\-d] [\-f restorecond_file ] [\-u] [\-v]
- .P
-
- .SH "DESCRIPTION"
-@@ -19,13 +19,22 @@ the correct file context associated with the policy.
- .B \-d
- Turns on debugging mode. Application will stay in the foreground and lots of
- debugs messages start printing.
-+.TP
-+.B \-f restorecond_file
-+Use alternative restorecond.conf file.
-+.TP
-+.B \-u
-+Turns on user mode. Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf. Uses dbus to make sure only one restorecond is running per user session.
-+.TP
-+.B \-v
-+Turns on verbose debugging. (Report missing files)
-
- .SH "AUTHOR"
--This man page was written by Dan Walsh <dwalsh at redhat.com>.
--The program was written by Dan Walsh <dwalsh at redhat.com>.
-+This man page and program was written by Dan Walsh <dwalsh at redhat.com>.
-
- .SH "FILES"
- /etc/selinux/restorecond.conf
-+/etc/selinux/restorecond_user.conf
-
- .SH "SEE ALSO"
- .BR restorecon (8),
diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c
-index 4952632..89f5d97 100644
+index 89f5d97..dfd9629 100644
--- a/policycoreutils/restorecond/restorecond.c
+++ b/policycoreutils/restorecond/restorecond.c
-@@ -30,9 +30,11 @@
- * and makes sure that there security context matches the systems defaults
- *
- * USAGE:
-- * restorecond [-d] [-v]
-+ * restorecond [-d] [-u] [-v] [-f restorecond_file ]
- *
- * -d Run in debug mode
-+ * -f Use alternative restorecond_file
-+ * -u Run in user mode
- * -v Run in verbose mode (Report missing files)
- *
- * EXAMPLE USAGE:
-@@ -48,297 +50,38 @@
- #include <signal.h>
- #include <string.h>
- #include <unistd.h>
--#include <ctype.h>
-+#include "../setfiles/restore.h"
- #include <sys/types.h>
--#include <sys/stat.h>
- #include <syslog.h>
- #include <limits.h>
-+#include <pwd.h>
-+#include <sys/stat.h>
-+#include <string.h>
-+#include <stdio.h>
- #include <fcntl.h>
--
- #include "restorecond.h"
--#include "stringslist.h"
- #include "utmpwatcher.h"
-
--extern char *dirname(char *path);
-+const char *homedir;
- static int master_fd = -1;
--static int master_wd = -1;
--static int terminate = 0;
--
--#include <selinux/selinux.h>
--#include <utmp.h>
--
--/* size of the event structure, not counting name */
--#define EVENT_SIZE (sizeof (struct inotify_event))
--/* reasonable guess as to size of 1024 events */
--#define BUF_LEN (1024 * (EVENT_SIZE + 16))
--
--static int debug_mode = 0;
--static int verbose_mode = 0;
--
--static void restore(const char *filename, int exact);
--
--struct watchList {
-- struct watchList *next;
-- int wd;
-- char *dir;
-- struct stringsList *files;
--};
--struct watchList *firstDir = NULL;
--
--/* Compare two contexts to see if their differences are "significant",
-- * or whether the only difference is in the user. */
--static int only_changed_user(const char *a, const char *b)
--{
-- char *rest_a, *rest_b; /* Rest of the context after the user */
-- if (!a || !b)
-- return 0;
-- rest_a = strchr(a, ':');
-- rest_b = strchr(b, ':');
-- if (!rest_a || !rest_b)
-- return 0;
-- return (strcmp(rest_a, rest_b) == 0);
--}
--
--/*
-- A file was in a direcroty has been created. This function checks to
-- see if it is one that we are watching.
--*/
--
--static int watch_list_find(int wd, const char *file)
--{
-- struct watchList *ptr = NULL;
-- ptr = firstDir;
--
-- if (debug_mode)
-- printf("%d: File=%s\n", wd, file);
-- while (ptr != NULL) {
-- if (ptr->wd == wd) {
-- int exact=0;
-- if (strings_list_find(ptr->files, file, &exact) == 0) {
-- char *path = NULL;
-- if (asprintf(&path, "%s/%s", ptr->dir, file) <
-- 0)
-- exitApp("Error allocating memory.");
-- restore(path, exact);
-- free(path);
-- return 0;
-- }
-- if (debug_mode)
-- strings_list_print(ptr->files);
--
-- /* Not found in this directory */
-- return -1;
-- }
-- ptr = ptr->next;
-- }
-- /* Did not find a directory */
-- return -1;
--}
--
--static void watch_list_free(int fd)
--{
-- struct watchList *ptr = NULL;
-- struct watchList *prev = NULL;
-- ptr = firstDir;
--
-- while (ptr != NULL) {
-- inotify_rm_watch(fd, ptr->wd);
-- strings_list_free(ptr->files);
-- free(ptr->dir);
-- prev = ptr;
-- ptr = ptr->next;
-- free(prev);
-- }
-- firstDir = NULL;
--}
--
--/*
-- Set the file context to the default file context for this system.
-- Same as restorecon.
--*/
--static void restore(const char *filename, int exact)
--{
-- int retcontext = 0;
-- security_context_t scontext = NULL;
-- security_context_t prev_context = NULL;
-- struct stat st;
-- int fd = -1;
-- if (debug_mode)
-- printf("restore %s\n", filename);
--
-- fd = open(filename, O_NOFOLLOW | O_RDONLY);
-- if (fd < 0) {
-- if (verbose_mode)
-- syslog(LOG_ERR, "Unable to open file (%s) %s\n",
-- filename, strerror(errno));
-- return;
-- }
--
-- if (fstat(fd, &st) != 0) {
-- syslog(LOG_ERR, "Unable to stat file (%s) %s\n", filename,
-- strerror(errno));
-- close(fd);
-- return;
-- }
--
-- if (!(st.st_mode & S_IFDIR) && st.st_nlink > 1) {
-- if (exact) {
-- syslog(LOG_ERR,
-- "Will not restore a file with more than one hard link (%s) %s\n",
-- filename, strerror(errno));
-- }
-- close(fd);
-- return;
-- }
--
-- if (matchpathcon(filename, st.st_mode, &scontext) < 0) {
-- if (errno == ENOENT)
-- return;
-- syslog(LOG_ERR, "matchpathcon(%s) failed %s\n", filename,
-- strerror(errno));
-- return;
-- }
-- retcontext = fgetfilecon_raw(fd, &prev_context);
--
-- if (retcontext >= 0 || errno == ENODATA) {
-- if (retcontext < 0)
-- prev_context = NULL;
-- if (retcontext < 0 || (strcmp(prev_context, scontext) != 0)) {
--
-- if (only_changed_user(scontext, prev_context) != 0) {
-- free(scontext);
-- free(prev_context);
-- close(fd);
-- return;
-- }
--
-- if (fsetfilecon(fd, scontext) < 0) {
-- if (errno != EOPNOTSUPP)
-- syslog(LOG_ERR,
-- "set context %s->%s failed:'%s'\n",
-- filename, scontext, strerror(errno));
-- if (retcontext >= 0)
-- free(prev_context);
-- free(scontext);
-- close(fd);
-- return;
-- }
-- syslog(LOG_WARNING, "Reset file context %s: %s->%s\n",
-- filename, prev_context, scontext);
-- }
-- if (retcontext >= 0)
-- free(prev_context);
-- } else {
-- if (errno != EOPNOTSUPP)
-- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
-- filename, strerror(errno));
-- }
-- free(scontext);
-- close(fd);
--}
--
--static void process_config(int fd, FILE * cfg)
--{
-- char *line_buf = NULL;
-- size_t len = 0;
--
-- while (getline(&line_buf, &len, cfg) > 0) {
-- char *buffer = line_buf;
-- while (isspace(*buffer))
-- buffer++;
-- if (buffer[0] == '#')
-- continue;
-- int l = strlen(buffer) - 1;
-- if (l <= 0)
-- continue;
-- buffer[l] = 0;
-- if (buffer[0] == '~')
-- utmpwatcher_add(fd, &buffer[1]);
-- else {
-- watch_list_add(fd, buffer);
-- }
-- }
-- free(line_buf);
--}
--
--/*
-- Read config file ignoring Comment lines
-- Files specified one per line. Files with "~" will be expanded to the logged in users
-- homedirs.
--*/
--
--static void read_config(int fd)
--{
-- char *watch_file_path = "/etc/selinux/restorecond.conf";
--
-- FILE *cfg = NULL;
-- if (debug_mode)
-- printf("Read Config\n");
-
-- watch_list_free(fd);
-+static char *server_watch_file = "/etc/selinux/restorecond.conf";
-+static char *user_watch_file = "/etc/selinux/restorecond_user.conf";
-+static char *watch_file;
-+static struct restore_opts r_opts;
-
-- cfg = fopen(watch_file_path, "r");
-- if (!cfg)
-- exitApp("Error reading config file.");
-- process_config(fd, cfg);
-- fclose(cfg);
--
-- inotify_rm_watch(fd, master_wd);
-- master_wd =
-- inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY);
-- if (master_wd == -1)
-- exitApp("Error watching config file.");
--}
--
--/*
-- Inotify watch loop
--*/
--static int watch(int fd)
--{
-- char buf[BUF_LEN];
-- int len, i = 0;
-- len = read(fd, buf, BUF_LEN);
-- if (len < 0) {
-- if (terminate == 0) {
-- syslog(LOG_ERR, "Read error (%s)", strerror(errno));
-- return 0;
-- }
-- syslog(LOG_ERR, "terminated");
-- return -1;
-- } else if (!len)
-- /* BUF_LEN too small? */
-- return -1;
-- while (i < len) {
-- struct inotify_event *event;
-- event = (struct inotify_event *)&buf[i];
-- if (debug_mode)
-- printf("wd=%d mask=%u cookie=%u len=%u\n",
-- event->wd, event->mask,
-- event->cookie, event->len);
--
-- if (event->mask & ~IN_IGNORED) {
-- if (event->wd == master_wd)
-- read_config(fd);
-- else {
-- switch (utmpwatcher_handle(fd, event->wd)) {
-- case -1: /* Message was not for utmpwatcher */
-- if (event->len)
-- watch_list_find(event->wd, event->name);
-- break;
-+#include <selinux/selinux.h>
-
-- case 1: /* utmp has changed need to reload */
-- read_config(fd);
-- break;
-+int debug_mode = 0;
-+int terminate = 0;
-+int master_wd = -1;
-+int run_as_user = 0;
-
-- default: /* No users logged in or out */
-- break;
-- }
-- }
-- }
--
-- i += EVENT_SIZE + event->len;
-- }
-- return 0;
-+static void done(void) {
-+ watch_list_free(master_fd);
-+ close(master_fd);
-+ utmpwatcher_free();
-+ matchpathcon_fini();
- }
-
- static const char *pidfile = "/var/run/restorecond.pid";
-@@ -377,7 +120,7 @@ static void term_handler()
-
- static void usage(char *program)
- {
-- printf("%s [-d] [-v] \n", program);
-+ printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
- exit(0);
- }
-
-@@ -393,74 +136,35 @@ void exitApp(const char *msg)
- to see if it is one that we are watching.
- */
-
--void watch_list_add(int fd, const char *path)
--{
-- struct watchList *ptr = NULL;
-- struct watchList *prev = NULL;
-- char *x = strdup(path);
-- if (!x)
-- exitApp("Out of Memory");
-- char *dir = dirname(x);
-- char *file = basename(path);
-- ptr = firstDir;
--
-- restore(path, 1);
--
-- while (ptr != NULL) {
-- if (strcmp(dir, ptr->dir) == 0) {
-- strings_list_add(&ptr->files, file);
-- free(x);
-- return;
-- }
-- prev = ptr;
-- ptr = ptr->next;
-- }
-- ptr = calloc(1, sizeof(struct watchList));
--
-- if (!ptr)
-- exitApp("Out of Memory");
--
-- ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
-- if (ptr->wd == -1) {
-- free(ptr);
-- syslog(LOG_ERR, "Unable to watch (%s) %s\n",
-- path, strerror(errno));
-- return;
-- }
--
-- ptr->dir = strdup(dir);
-- if (!ptr->dir)
-- exitApp("Out of Memory");
--
-- strings_list_add(&ptr->files, file);
-- if (prev)
-- prev->next = ptr;
-- else
-- firstDir = ptr;
--
-- if (debug_mode)
-- printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file);
--
-- free(x);
--}
--
- int main(int argc, char **argv)
+@@ -140,6 +140,7 @@ int main(int argc, char **argv)
{
int opt;
struct sigaction sa;
++ const char *null_array[1] = { NULL };
--#ifndef DEBUG
-- /* Make sure we are root */
-- if (getuid() != 0) {
-- fprintf(stderr, "You must be root to run this program.\n");
-- return 1;
-- }
--#endif
-- /* Make sure we are root */
-- if (is_selinux_enabled() != 1) {
-- fprintf(stderr, "Daemon requires SELinux be enabled to run.\n");
-- return 1;
-- }
-+ memset(&r_opts, 0, sizeof(r_opts));
-+
-+ r_opts.progress = 0;
-+ r_opts.count = 0;
-+ r_opts.debug = 0;
-+ r_opts.change = 1;
-+ r_opts.verbose = 0;
-+ r_opts.logging = 0;
-+ r_opts.rootpath = NULL;
-+ r_opts.rootpathlen = 0;
-+ r_opts.outfile = NULL;
-+ r_opts.force = 0;
-+ r_opts.hard_links = 0;
-+ r_opts.abort_on_error = 0;
-+ r_opts.add_assoc = 0;
-+ r_opts.expand_realpath = 0;
-+ r_opts.fts_flags = FTS_PHYSICAL;
-+ r_opts.selabel_opt_validate = NULL;
-+ r_opts.selabel_opt_path = NULL;
-+ r_opts.ignore_enoent = 1;
-+
-+ restore_init(&r_opts);
-+ /* If we are not running SELinux then just exit */
-+ if (is_selinux_enabled() != 1) return 0;
-
- /* Register sighandlers */
- sa.sa_flags = 0;
-@@ -470,36 +174,59 @@ int main(int argc, char **argv)
-
- set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
-
-- master_fd = inotify_init();
-- if (master_fd < 0)
-- exitApp("inotify_init");
--
-- while ((opt = getopt(argc, argv, "dv")) > 0) {
-+ exclude_non_seclabel_mounts();
-+ atexit( done );
-+ while ((opt = getopt(argc, argv, "df:uv")) > 0) {
- switch (opt) {
- case 'd':
- debug_mode = 1;
- break;
-+ case 'f':
-+ watch_file = optarg;
-+ break;
-+ case 'u':
-+ run_as_user = 1;
-+ break;
- case 'v':
-- verbose_mode = 1;
-+ r_opts.verbose++;
- break;
- case '?':
- usage(argv[0]);
- }
- }
-- read_config(master_fd);
-+
-+ master_fd = inotify_init();
-+ if (master_fd < 0)
-+ exitApp("inotify_init");
-+
-+ uid_t uid = getuid();
-+ struct passwd *pwd = getpwuid(uid);
-+ if (!pwd)
-+ exitApp("getpwuid");
-+
-+ homedir = pwd->pw_dir;
-+ if (uid != 0) {
-+ if (run_as_user)
-+ return server(master_fd, user_watch_file);
-+ if (start() != 0)
-+ return server(master_fd, user_watch_file);
-+ return 0;
-+ }
-+
-+ watch_file = server_watch_file;
-+ read_config(master_fd, watch_file);
-
- if (!debug_mode)
- daemon(0, 0);
-
- write_pid_file();
-
-- while (watch(master_fd) == 0) {
-+ while (watch(master_fd, watch_file) == 0) {
- };
-
- watch_list_free(master_fd);
- close(master_fd);
- matchpathcon_fini();
-- utmpwatcher_free();
- if (pidfile)
- unlink(pidfile);
-
-diff --git a/policycoreutils/restorecond/restorecond.conf b/policycoreutils/restorecond/restorecond.conf
-index 3fc9376..58b723a 100644
---- a/policycoreutils/restorecond/restorecond.conf
-+++ b/policycoreutils/restorecond/restorecond.conf
-@@ -4,8 +4,5 @@
- /etc/mtab
- /var/run/utmp
- /var/log/wtmp
--~/*
--/root/.ssh
-+/root/*
- /root/.ssh/*
--
--
-diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop
-new file mode 100644
-index 0000000..23ff89d
---- /dev/null
-+++ b/policycoreutils/restorecond/restorecond.desktop
-@@ -0,0 +1,7 @@
-+[Desktop Entry]
-+Name=File Context maintainer
-+Exec=/usr/sbin/restorecond -u
-+Comment=Fix file context in owned by the user
-+Encoding=UTF-8
-+Type=Application
-+StartupNotify=false
-diff --git a/policycoreutils/restorecond/restorecond.h b/policycoreutils/restorecond/restorecond.h
-index e1666bf..8c85ef0 100644
---- a/policycoreutils/restorecond/restorecond.h
-+++ b/policycoreutils/restorecond/restorecond.h
-@@ -24,7 +24,22 @@
- #ifndef RESTORED_CONFIG_H
- #define RESTORED_CONFIG_H
-
--void exitApp(const char *msg);
--void watch_list_add(int inotify_fd, const char *path);
-+extern int debug_mode;
-+extern const char *homedir;
-+extern int terminate;
-+extern int master_wd;
-+extern int run_as_user;
-+
-+extern int start(void);
-+extern int server(int, const char *watch_file);
-+
-+extern void exitApp(const char *msg);
-+extern void read_config(int fd, const char *watch_file);
-+
-+extern int watch(int fd, const char *watch_file);
-+extern void watch_list_add(int inotify_fd, const char *path);
-+extern int watch_list_find(int wd, const char *file);
-+extern void watch_list_free(int fd);
-+extern int watch_list_isempty();
-
- #endif
-diff --git a/policycoreutils/restorecond/restorecond.init b/policycoreutils/restorecond/restorecond.init
-index b966db6..775c52b 100644
---- a/policycoreutils/restorecond/restorecond.init
-+++ b/policycoreutils/restorecond/restorecond.init
-@@ -26,7 +26,7 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin
- # Source function library.
- . /etc/rc.d/init.d/functions
+ memset(&r_opts, 0, sizeof(r_opts));
--[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 0
-+[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+@@ -160,6 +161,7 @@ int main(int argc, char **argv)
+ r_opts.fts_flags = FTS_PHYSICAL;
+ r_opts.selabel_opt_validate = NULL;
+ r_opts.selabel_opt_path = NULL;
++ r_opts.selabel_opt_prefixes = null_array;
+ r_opts.ignore_enoent = 1;
- # Check that we are root ... so non-root users stop here
- test $EUID = 0 || exit 4
-@@ -75,16 +75,15 @@ case "$1" in
- status restorecond
- RETVAL=$?
- ;;
-- restart|reload)
-+ force-reload|restart|reload)
- restart
- ;;
- condrestart)
- [ -e /var/lock/subsys/restorecond ] && restart || :
- ;;
- *)
-- echo $"Usage: $0 {start|stop|restart|reload|condrestart}"
-+ echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
- RETVAL=3
- esac
-
- exit $RETVAL
--
-diff --git a/policycoreutils/restorecond/restorecond_user.conf b/policycoreutils/restorecond/restorecond_user.conf
-new file mode 100644
-index 0000000..b4debed
---- /dev/null
-+++ b/policycoreutils/restorecond/restorecond_user.conf
-@@ -0,0 +1,8 @@
-+~/*
-+~/public_html/*
-+~/.gnome2/*
-+~/local/*
-+~/.fonts/*
-+~/.cache/*
-+~/.config/*
-+~/.local/share/*
-diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c
-new file mode 100644
-index 0000000..4257058
---- /dev/null
-+++ b/policycoreutils/restorecond/user.c
-@@ -0,0 +1,259 @@
-+/*
-+ * restorecond
-+ *
-+ * Copyright (C) 2006-2009 Red Hat
-+ * see file 'COPYING' for use and warranty information
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License as
-+ * published by the Free Software Foundation; either version 2 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+.*
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
-+ * 02111-1307 USA
-+ *
-+ * Authors:
-+ * Dan Walsh <dwalsh at redhat.com>
-+ *
-+*/
-+
-+#define _GNU_SOURCE
-+#include <sys/inotify.h>
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <signal.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <ctype.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <syslog.h>
-+#include <limits.h>
-+#include <fcntl.h>
-+
-+#include "restorecond.h"
-+#include "stringslist.h"
-+#include <glib.h>
-+#ifdef HAVE_DBUS
-+#include <dbus/dbus.h>
-+#include <dbus/dbus-glib.h>
-+#include <dbus/dbus-glib-lowlevel.h>
-+
-+static DBusHandlerResult signal_filter (DBusConnection *connection, DBusMessage *message, void *user_data);
-+
-+static const char *PATH="/org/selinux/Restorecond";
-+//static const char *BUSNAME="org.selinux.Restorecond";
-+static const char *INTERFACE="org.selinux.RestorecondIface";
-+static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
-+
-+
-+static DBusHandlerResult
-+signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
-+{
-+ /* User data is the event loop we are running in */
-+ GMainLoop *loop = user_data;
-+
-+ /* A signal from the bus saying we are about to be disconnected */
-+ if (dbus_message_is_signal
-+ (message, INTERFACE, "Stop")) {
-+
-+ /* Tell the main loop to quit */
-+ g_main_loop_quit (loop);
-+ /* We have handled this message, don't pass it on */
-+ return DBUS_HANDLER_RESULT_HANDLED;
-+ }
-+ /* A Ping signal on the com.burtonini.dbus.Signal interface */
-+ else if (dbus_message_is_signal (message, INTERFACE, "Start")) {
-+ DBusError error;
-+ dbus_error_init (&error);
-+ g_print("Start received\n");
-+ return DBUS_HANDLER_RESULT_HANDLED;
-+ }
-+ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
-+}
-+
-+static int dbus_server(GMainLoop *loop) {
-+ DBusConnection *bus;
-+ DBusError error;
-+ dbus_error_init (&error);
-+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
-+ if (bus) {
-+ dbus_connection_setup_with_g_main (bus, NULL);
-+
-+ /* listening to messages from all objects as no path is specified */
-+ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey
-+ dbus_connection_add_filter (bus, signal_filter, loop, NULL);
-+ return 0;
-+ }
-+ return -1;
-+}
-+
-+#endif
-+#include <selinux/selinux.h>
-+#include <sys/file.h>
-+
-+/* size of the event structure, not counting name */
-+#define EVENT_SIZE (sizeof (struct inotify_event))
-+/* reasonable guess as to size of 1024 events */
-+#define BUF_LEN (1024 * (EVENT_SIZE + 16))
-+
-+static gboolean
-+io_channel_callback
-+ (GIOChannel *source,
-+ GIOCondition condition,
-+ gpointer data __attribute__((__unused__)))
-+{
-+
-+ char buffer[BUF_LEN+1];
-+ gsize bytes_read;
-+ unsigned int i = 0;
-+
-+ if (condition & G_IO_IN) {
-+ /* Data is available. */
-+ g_io_channel_read
-+ (source, buffer,
-+ sizeof (buffer),
-+ &bytes_read);
-+
-+ if (! bytes_read) {
-+ /* Sesssion/Terminal Ended */
-+ exit(0);
-+ }
-+
-+ while (i < bytes_read) {
-+ struct inotify_event *event;
-+ event = (struct inotify_event *)&buffer[i];
-+ if (debug_mode)
-+ printf("wd=%d mask=%u cookie=%u len=%u\n",
-+ event->wd, event->mask,
-+ event->cookie, event->len);
-+ if (event->len)
-+ watch_list_find(event->wd, event->name);
-+
-+ i += EVENT_SIZE + event->len;
-+ }
-+ }
-+
-+ /* An error happened while reading
-+ the file. */
-+
-+ if (condition & G_IO_NVAL)
-+ return FALSE;
-+
-+ /* We have reached the end of the
-+ file. */
-+
-+ if (condition & G_IO_HUP) {
-+ g_io_channel_close (source);
-+ exit(0);
-+ return FALSE;
-+ }
-+
-+ /* Returning TRUE will make sure
-+ the callback remains associated
-+ to the channel. */
-+
-+ return TRUE;
-+}
-+
-+int start() {
-+#ifdef HAVE_DBUS
-+ DBusConnection *bus;
-+ DBusError error;
-+ DBusMessage *message;
-+
-+ /* Get a connection to the session bus */
-+ dbus_error_init (&error);
-+ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
-+ if (!bus) {
-+ if (debug_mode)
-+ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message);
-+ dbus_error_free (&error);
-+ return 1;
-+ }
-+
-+
-+ /* Create a new signal "Start" on the interface,
-+ * from the object */
-+ message = dbus_message_new_signal (PATH,
-+ INTERFACE, "Start");
-+ /* Send the signal */
-+ dbus_connection_send (bus, message, NULL);
-+ /* Free the signal now we have finished with it */
-+ dbus_message_unref (message);
-+#endif /* HAVE_DBUS */
-+ return 0;
-+}
-+
-+static int local_server() {
-+ // ! dbus, run as local service
-+ char *ptr=NULL;
-+ if (asprintf(&ptr, "%s/.restorecond", homedir) < 0) {
-+ if (debug_mode)
-+ perror("asprintf");
-+ return -1;
-+ }
-+ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR);
-+ if (debug_mode)
-+ g_warning ("Lock file: %s", ptr);
-+
-+ free(ptr);
-+ if (fd < 0) {
-+ if (debug_mode)
-+ perror("open");
-+ return -1;
-+ }
-+ if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
-+ if (debug_mode)
-+ perror("flock");
-+ return -1;
-+ }
-+ /* watch for stdin/terminal going away */
-+ GIOChannel *in = g_io_channel_unix_new(0);
-+ g_io_add_watch_full( in,
-+ G_PRIORITY_HIGH,
-+ G_IO_IN|G_IO_ERR|G_IO_HUP,
-+ io_channel_callback, NULL, NULL);
-+
-+ return 0;
-+}
-+
-+int server(int master_fd, const char *watch_file) {
-+ GMainLoop *loop;
-+
-+ loop = g_main_loop_new (NULL, FALSE);
-+
-+#ifdef HAVE_DBUS
-+ if (dbus_server(loop) != 0)
-+#endif /* HAVE_DBUS */
-+ if (local_server())
-+ goto end;
-+
-+ read_config(master_fd, watch_file);
-+
-+ if (watch_list_isempty()) goto end;
-+
-+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
-+
-+ GIOChannel *c = g_io_channel_unix_new(master_fd);
-+
-+ g_io_add_watch_full( c,
-+ G_PRIORITY_HIGH,
-+ G_IO_IN|G_IO_ERR|G_IO_HUP,
-+ io_channel_callback, NULL, NULL);
-+
-+ g_main_loop_run (loop);
-+
-+end:
-+ g_main_loop_unref (loop);
-+ return 0;
-+}
-+
-diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c
-new file mode 100644
-index 0000000..6a833c3
---- /dev/null
-+++ b/policycoreutils/restorecond/watch.c
-@@ -0,0 +1,272 @@
-+#define _GNU_SOURCE
-+#include <sys/inotify.h>
-+#include <errno.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+#include <ctype.h>
-+#include <sys/types.h>
-+#include <syslog.h>
-+#include "../setfiles/restore.h"
-+#include <glob.h>
-+#include <libgen.h>
-+#include <sys/stat.h>
-+#include <string.h>
-+#include <stdio.h>
-+#include <fcntl.h>
-+#include <selinux/selinux.h>
-+#include "restorecond.h"
-+#include "stringslist.h"
-+#include "utmpwatcher.h"
-+
-+/* size of the event structure, not counting name */
-+#define EVENT_SIZE (sizeof (struct inotify_event))
-+/* reasonable guess as to size of 1024 events */
-+#define BUF_LEN (1024 * (EVENT_SIZE + 16))
-+
-+
-+struct watchList {
-+ struct watchList *next;
-+ int wd;
-+ char *dir;
-+ struct stringsList *files;
-+};
-+struct watchList *firstDir = NULL;
-+
-+int watch_list_isempty() {
-+ return firstDir == NULL;
-+}
-+
-+void watch_list_add(int fd, const char *path)
-+{
-+ struct watchList *ptr = NULL;
-+ size_t i = 0;
-+ struct watchList *prev = NULL;
-+ glob_t globbuf;
-+ char *x = strdup(path);
-+ if (!x) exitApp("Out of Memory");
-+ char *file = basename(x);
-+ char *dir = dirname(x);
-+ ptr = firstDir;
-+
-+ if (exclude(path)) goto end;
-+
-+ globbuf.gl_offs = 1;
-+ if (glob(path,
-+ GLOB_TILDE | GLOB_PERIOD,
-+ NULL,
-+ &globbuf) >= 0) {
-+ for (i=0; i < globbuf.gl_pathc; i++) {
-+ int len = strlen(globbuf.gl_pathv[i]) -2;
-+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue;
-+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue;
-+ if (process_one_realpath(globbuf.gl_pathv[i], 0) > 0)
-+ process_one_realpath(globbuf.gl_pathv[i], 1);
-+ }
-+ globfree(&globbuf);
-+ }
-+
-+ while (ptr != NULL) {
-+ if (strcmp(dir, ptr->dir) == 0) {
-+ strings_list_add(&ptr->files, file);
-+ goto end;
-+ }
-+ prev = ptr;
-+ ptr = ptr->next;
-+ }
-+ ptr = calloc(1, sizeof(struct watchList));
-+
-+ if (!ptr) exitApp("Out of Memory");
-+
-+ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
-+ if (ptr->wd == -1) {
-+ free(ptr);
-+ if (! run_as_user)
-+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
-+ path, strerror(errno));
-+ goto end;
-+ }
-+
-+ ptr->dir = strdup(dir);
-+ if (!ptr->dir)
-+ exitApp("Out of Memory");
-+
-+ strings_list_add(&ptr->files, file);
-+ if (prev)
-+ prev->next = ptr;
-+ else
-+ firstDir = ptr;
-+
-+ if (debug_mode)
-+ printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file);
-+
-+end:
-+ free(x);
-+ return;
-+}
-+
-+/*
-+ A file was in a direcroty has been created. This function checks to
-+ see if it is one that we are watching.
-+*/
-+
-+int watch_list_find(int wd, const char *file)
-+{
-+ struct watchList *ptr = NULL;
-+ ptr = firstDir;
-+ if (debug_mode)
-+ printf("%d: File=%s\n", wd, file);
-+ while (ptr != NULL) {
-+ if (ptr->wd == wd) {
-+ int exact=0;
-+ if (strings_list_find(ptr->files, file, &exact) == 0) {
-+ char *path = NULL;
-+ if (asprintf(&path, "%s/%s", ptr->dir, file) <
-+ 0)
-+ exitApp("Error allocating memory.");
-+
-+ process_one_realpath(path, 0);
-+ free(path);
-+ return 0;
-+ }
-+ if (debug_mode)
-+ strings_list_print(ptr->files);
-+
-+ /* Not found in this directory */
-+ return -1;
-+ }
-+ ptr = ptr->next;
-+ }
-+ /* Did not find a directory */
-+ return -1;
-+}
-+
-+void watch_list_free(int fd)
-+{
-+ struct watchList *ptr = NULL;
-+ struct watchList *prev = NULL;
-+ ptr = firstDir;
-+
-+ while (ptr != NULL) {
-+ inotify_rm_watch(fd, ptr->wd);
-+ strings_list_free(ptr->files);
-+ free(ptr->dir);
-+ prev = ptr;
-+ ptr = ptr->next;
-+ free(prev);
-+ }
-+ firstDir = NULL;
-+}
-+
-+/*
-+ Inotify watch loop
-+*/
-+int watch(int fd, const char *watch_file)
-+{
-+ char buf[BUF_LEN];
-+ int len, i = 0;
-+ if (firstDir == NULL) return 0;
-+
-+ len = read(fd, buf, BUF_LEN);
-+ if (len < 0) {
-+ if (terminate == 0) {
-+ syslog(LOG_ERR, "Read error (%s)", strerror(errno));
-+ return 0;
-+ }
-+ syslog(LOG_ERR, "terminated");
-+ return -1;
-+ } else if (!len)
-+ /* BUF_LEN too small? */
-+ return -1;
-+ while (i < len) {
-+ struct inotify_event *event;
-+ event = (struct inotify_event *)&buf[i];
-+ if (debug_mode)
-+ printf("wd=%d mask=%u cookie=%u len=%u\n",
-+ event->wd, event->mask,
-+ event->cookie, event->len);
-+ if (event->wd == master_wd)
-+ read_config(fd, watch_file);
-+ else {
-+ switch (utmpwatcher_handle(fd, event->wd)) {
-+ case -1: /* Message was not for utmpwatcher */
-+ if (event->len)
-+ watch_list_find(event->wd, event->name);
-+ break;
-+ case 1: /* utmp has changed need to reload */
-+ read_config(fd, watch_file);
-+ break;
-+
-+ default: /* No users logged in or out */
-+ break;
-+ }
-+ }
-+
-+ i += EVENT_SIZE + event->len;
-+ }
-+ return 0;
-+}
-+
-+static void process_config(int fd, FILE * cfg)
-+{
-+ char *line_buf = NULL;
-+ size_t len = 0;
-+
-+ while (getline(&line_buf, &len, cfg) > 0) {
-+ char *buffer = line_buf;
-+ while (isspace(*buffer))
-+ buffer++;
-+ if (buffer[0] == '#')
-+ continue;
-+ int l = strlen(buffer) - 1;
-+ if (l <= 0)
-+ continue;
-+ buffer[l] = 0;
-+ if (buffer[0] == '~') {
-+ if (run_as_user) {
-+ char *ptr=NULL;
-+ if (asprintf(&ptr, "%s%s", homedir, &buffer[1]) < 0)
-+ exitApp("Error allocating memory.");
-+
-+ watch_list_add(fd, ptr);
-+ free(ptr);
-+ } else {
-+ utmpwatcher_add(fd, &buffer[1]);
-+ }
-+ } else {
-+ watch_list_add(fd, buffer);
-+ }
-+ }
-+ free(line_buf);
-+}
-+
-+/*
-+ Read config file ignoring Comment lines
-+ Files specified one per line. Files with "~" will be expanded to the logged in users
-+ homedirs.
-+*/
-+
-+void read_config(int fd, const char *watch_file_path)
-+{
-+
-+ FILE *cfg = NULL;
-+ if (debug_mode)
-+ printf("Read Config\n");
-+
-+ watch_list_free(fd);
-+
-+ cfg = fopen(watch_file_path, "r");
-+ if (!cfg){
-+ perror(watch_file_path);
-+ exitApp("Error reading config file");
-+ }
-+ process_config(fd, cfg);
-+ fclose(cfg);
-+
-+ inotify_rm_watch(fd, master_wd);
-+ master_wd =
-+ inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY);
-+ if (master_wd == -1)
-+ exitApp("Error watching config file.");
-+}
+ restore_init(&r_opts);
diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
index 9db766c..068e24c 100644
--- a/policycoreutils/run_init/run_init.c
@@ -1351,10 +85,10 @@ index 9db766c..068e24c 100644
} /* main() */
diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
-index 4764987..924999d 100644
+index 1c458f1..36042a2 100644
--- a/policycoreutils/sandbox/Makefile
+++ b/policycoreutils/sandbox/Makefile
-@@ -22,7 +22,7 @@ install: all
+@@ -23,7 +23,7 @@ install: all
install -m 644 sandbox.8 $(MANDIR)/man8/
install -m 644 seunshare.8 $(MANDIR)/man8/
-mkdir -p $(MANDIR)/man5
@@ -1375,96 +109,14 @@ index d1ccdc2..11c391c 100644
LOCKFILE=/var/lock/subsys/sandbox
-diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index a52b6f1..c493e98 100644
---- a/policycoreutils/sandbox/seunshare.c
-+++ b/policycoreutils/sandbox/seunshare.c
-@@ -1,3 +1,8 @@
-+/*
-+ * Authors: Dan Walsh <dwalsh at redhat.com>
-+ * Authors: Thomas Liu <tliu at fedoraproject.org>
-+ */
-+
- #define _GNU_SOURCE
- #include <signal.h>
- #include <sys/fsuid.h>
-@@ -42,6 +47,10 @@
- #define MS_PRIVATE 1<<18
- #endif
-
-+#ifndef PACKAGE
-+#define PACKAGE "policycoreutils" /* the name of this package lang translation */
-+#endif
-+
- #define BUF_SIZE 1024
- #define DEFAULT_PATH "/usr/bin:/bin"
- #define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -c ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
-@@ -848,6 +857,12 @@ int main(int argc, char **argv) {
- }
- */
-
-+#ifdef USE_NLS
-+ setlocale(LC_ALL, "");
-+ bindtextdomain(PACKAGE, LOCALEDIR);
-+ textdomain(PACKAGE);
-+#endif
+diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
+index ab696a7..58b19cd 100644
+--- a/policycoreutils/scripts/genhomedircon
++++ b/policycoreutils/scripts/genhomedircon
+@@ -1,2 +1,3 @@
+ #!/bin/sh
+
- struct passwd *pwd=getpwuid(uid);
- if (!pwd) {
- perror(_("getpwduid failed"));
-@@ -944,6 +959,7 @@ int main(int argc, char **argv) {
-
- if (child == 0) {
- char *display = NULL;
-+ char *LANG = NULL;
- int rc = -1;
-
- if (unshare(CLONE_NEWNS) < 0) {
-@@ -969,12 +985,23 @@ int main(int argc, char **argv) {
- goto childerr;
- }
- }
-+
-+ /* construct a new environment */
-+ if ((LANG = getenv("LANG")) != NULL) {
-+ if ((LANG = strdup(LANG)) == NULL) {
-+ perror(_("Out of memory"));
-+ goto childerr;
-+ }
-+ }
-+
- if ((rc = clearenv()) != 0) {
- perror(_("Failed to clear environment"));
- goto childerr;
- }
- if (display)
- rc |= setenv("DISPLAY", display, 1);
-+ if (LANG)
-+ rc |= setenv("LANG", LANG, 1);
- rc |= setenv("HOME", pwd->pw_dir, 1);
- rc |= setenv("SHELL", pwd->pw_shell, 1);
- rc |= setenv("USER", pwd->pw_name, 1);
-@@ -1000,6 +1027,7 @@ int main(int argc, char **argv) {
- fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
- childerr:
- free(display);
-+ free(LANG);
- exit(-1);
- }
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index e4e5f0d..27dcccf 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -103,7 +103,7 @@ exclude_dirs_from_relabelling() {
-
- exclude_dirs() {
- exclude=
-- for i in /home /root /tmp /dev; do
-+ for i in /var/lib/BackupPC /home /tmp /dev; do
- [ -e $i ] && exclude="$exclude -e $i";
- done
- exclude="$exclude `exclude_dirs_from_relabelling`"
+ /usr/sbin/semodule -Bn
diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
new file mode 100644
index 0000000..e15a877
@@ -1610,7 +262,7 @@ index 0000000..e2befdb
+ packages=["policycoreutils"],
+)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
-index ee4d077..2c0cfdd 100644
+index 48d7baa..2c0cfdd 100644
--- a/policycoreutils/semanage/semanage
+++ b/policycoreutils/semanage/semanage
@@ -20,6 +20,7 @@
@@ -1647,28 +299,7 @@ index ee4d077..2c0cfdd 100644
disable = True
if o == "-F" or o == "--file":
-@@ -338,9 +342,11 @@ Object-specific Options (see above):
-
- if o == "--on" or o == "-1":
- value = "on"
-+ modify = True
-
- if o == "--off" or o == "-0":
- value = "off"
-+ modify = True
-
- if object == "login":
- OBJECT = seobject.loginRecords(store)
-@@ -362,6 +368,8 @@ Object-specific Options (see above):
-
- if object == "boolean":
- OBJECT = seobject.booleanRecords(store)
-+ if use_file:
-+ modify = True
-
- if object == "module":
- OBJECT = seobject.moduleRecords(store)
-@@ -500,31 +508,36 @@ Object-specific Options (see above):
+@@ -504,31 +508,36 @@ Object-specific Options (see above):
if len(sys.argv) < 3:
usage(_("Requires 2 or more arguments"))
@@ -1730,7 +361,7 @@ index ee4d077..2c0cfdd 100644
for o, a in gopts:
if o == "-S" or o == '--store':
store = a
-@@ -554,8 +567,6 @@ Object-specific Options (see above):
+@@ -558,8 +567,6 @@ Object-specific Options (see above):
else:
process_args(sys.argv[1:])
@@ -1739,22 +370,8 @@ index ee4d077..2c0cfdd 100644
except ValueError, error:
errorExit(error.args[0])
except KeyError, error:
-diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
-index adcb416..c5e18d9 100644
---- a/policycoreutils/semanage/semanage.8
-+++ b/policycoreutils/semanage/semanage.8
-@@ -163,6 +163,9 @@ SELinux Type for the object
- .I \-i, \-\-input
- Take a set of commands from a specified file and load them in a single
- transaction.
-+.TP
-+.I \-o, \-\-output
-+Output all local customizations into a file. This file than can be used with the semanage -i command to customize other machines to match the local machine.
-
- .SH EXAMPLE
- .nf
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
-index 5847ba0..e4b6c0d 100644
+index a7008fc..e4b6c0d 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -30,11 +30,10 @@ from IPy import IP
@@ -1773,21 +390,15 @@ index 5847ba0..e4b6c0d 100644
import syslog
-@@ -161,10 +160,12 @@ def untranslate(trans, prepend = 1):
- return trans
- else:
- return raw
--
-+
- class semanageRecords:
+@@ -166,6 +165,7 @@ class semanageRecords:
transaction = False
handle = None
-+ store = None
+ store = None
+
def __init__(self, store):
global handle
-@@ -332,6 +333,7 @@ class permissiveRecords(semanageRecords):
+@@ -333,6 +333,7 @@ class permissiveRecords(semanageRecords):
name = semanage_module_get_name(mod)
if name and name.startswith("permissive_"):
l.append(name.split("permissive_")[1])
@@ -1795,7 +406,7 @@ index 5847ba0..e4b6c0d 100644
return l
def list(self, heading = 1, locallist = 0):
-@@ -430,7 +432,9 @@ class loginRecords(semanageRecords):
+@@ -431,7 +432,9 @@ class loginRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
@@ -1806,7 +417,7 @@ index 5847ba0..e4b6c0d 100644
if name[0] == '%':
try:
grp.getgrnam(name[1:])
-@@ -640,7 +644,8 @@ class seluserRecords(semanageRecords):
+@@ -641,7 +644,8 @@ class seluserRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if exists:
@@ -1816,7 +427,7 @@ index 5847ba0..e4b6c0d 100644
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
-@@ -880,6 +885,7 @@ class portRecords(semanageRecords):
+@@ -881,6 +885,7 @@ class portRecords(semanageRecords):
return ( k, proto_d, low, high )
def __add(self, port, proto, serange, type):
@@ -1824,7 +435,7 @@ index 5847ba0..e4b6c0d 100644
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
-@@ -942,6 +948,7 @@ class portRecords(semanageRecords):
+@@ -943,6 +948,7 @@ class portRecords(semanageRecords):
self.commit()
def __modify(self, port, proto, serange, setype):
@@ -1832,7 +443,7 @@ index 5847ba0..e4b6c0d 100644
if serange == "" and setype == "":
if is_mls_enabled == 1:
raise ValueError(_("Requires setype or serange"))
-@@ -1155,7 +1162,8 @@ class nodeRecords(semanageRecords):
+@@ -1156,7 +1162,8 @@ class nodeRecords(semanageRecords):
(rc, exists) = semanage_node_exists(self.sh, k)
if exists:
@@ -1842,7 +453,7 @@ index 5847ba0..e4b6c0d 100644
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
-@@ -1171,7 +1179,6 @@ class nodeRecords(semanageRecords):
+@@ -1172,7 +1179,6 @@ class nodeRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not set mask for %s") % addr)
@@ -1850,7 +461,7 @@ index 5847ba0..e4b6c0d 100644
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
raise ValueError(_("Could not set user in addr context for %s") % addr)
-@@ -1223,12 +1230,11 @@ class nodeRecords(semanageRecords):
+@@ -1224,12 +1230,11 @@ class nodeRecords(semanageRecords):
if not exists:
raise ValueError(_("Addr %s is not defined") % addr)
@@ -1864,7 +475,7 @@ index 5847ba0..e4b6c0d 100644
if serange != "":
semanage_context_set_mls(self.sh, con, untranslate(serange))
if setype != "":
-@@ -1356,7 +1362,8 @@ class interfaceRecords(semanageRecords):
+@@ -1357,7 +1362,8 @@ class interfaceRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if exists:
@@ -1874,7 +485,7 @@ index 5847ba0..e4b6c0d 100644
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
-@@ -1617,7 +1624,8 @@ class fcontextRecords(semanageRecords):
+@@ -1618,7 +1624,8 @@ class fcontextRecords(semanageRecords):
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
@@ -1884,83 +495,8 @@ index 5847ba0..e4b6c0d 100644
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
-@@ -1842,6 +1850,18 @@ class booleanRecords(semanageRecords):
- self.dict["1"] = 1
- self.dict["0"] = 0
-
-+ try:
-+ rc, self.current_booleans = selinux.security_get_boolean_names()
-+ rc, ptype = selinux.selinux_getpolicytype()
-+ except:
-+ self.current_booleans = []
-+ ptype = None
-+
-+ if self.store == None or self.store == ptype:
-+ self.modify_local = True
-+ else:
-+ self.modify_local = False
-+
- def __mod(self, name, value):
- (rc, k) = semanage_bool_key_create(self.sh, name)
- if rc < 0:
-@@ -1861,9 +1881,10 @@ class booleanRecords(semanageRecords):
- else:
- raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
-
-- rc = semanage_bool_set_active(self.sh, k, b)
-- if rc < 0:
-- raise ValueError(_("Could not set active value of boolean %s") % name)
-+ if self.modify_local and name in self.current_booleans:
-+ rc = semanage_bool_set_active(self.sh, k, b)
-+ if rc < 0:
-+ raise ValueError(_("Could not set active value of boolean %s") % name)
- rc = semanage_bool_modify_local(self.sh, k, b)
- if rc < 0:
- raise ValueError(_("Could not modify boolean %s") % name)
-@@ -1946,8 +1967,12 @@ class booleanRecords(semanageRecords):
- value = []
- name = semanage_bool_get_name(boolean)
- value.append(semanage_bool_get_value(boolean))
-- value.append(selinux.security_get_boolean_pending(name))
-- value.append(selinux.security_get_boolean_active(name))
-+ if self.modify_local and boolean in self.current_booleans:
-+ value.append(selinux.security_get_boolean_pending(name))
-+ value.append(selinux.security_get_boolean_active(name))
-+ else:
-+ value.append(value[0])
-+ value.append(value[0])
- ddict[name] = value
-
- return ddict
-diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
-index 12191f6..9fb2b78 100644
---- a/policycoreutils/semodule/semodule.8
-+++ b/policycoreutils/semodule/semodule.8
-@@ -41,6 +41,9 @@ disable existing module
- .B \-e,\-\-enable=MODULE_NAME
- enable existing module
- .TP
-+.B \-p,\-\-path=ROOTPATH
-+use an alternate root path
-+.TP
- .B \-r,\-\-remove=MODULE_NAME
- remove existing module
- .TP
-diff --git a/policycoreutils/semodule_package/Makefile b/policycoreutils/semodule_package/Makefile
-index f84cd7e..3565f5e 100644
---- a/policycoreutils/semodule_package/Makefile
-+++ b/policycoreutils/semodule_package/Makefile
-@@ -24,7 +24,7 @@ install: all
- relabel:
-
- clean:
-- -rm -f semodule_package *.o
-+ -rm -f semodule_package semodule_unpackage *.o
-
- indent:
- ../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
-index ce44c04..373c9b9 100644
+index 9a7d315..e57d34f 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -1,5 +1,6 @@
@@ -1978,39 +514,44 @@ index ce44c04..373c9b9 100644
struct restore_opts *r_opts = NULL;
static void filespec_destroy(void);
static void filespec_eval(void);
-@@ -59,10 +59,11 @@ void restore_init(struct restore_opts *opts)
+@@ -58,11 +58,16 @@ void remove_exclude(const char *directory)
+ void restore_init(struct restore_opts *opts)
{
r_opts = opts;
- struct selinux_opt selinux_opts[] = {
+- struct selinux_opt selinux_opts[] = {
- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
- { SELABEL_OPT_PATH, r_opts->selabel_opt_path }
-+ { SELABEL_OPT_VALIDATE , { r_opts->selabel_opt_validate } },
-+ { SELABEL_OPT_PATH, {r_opts->selabel_opt_path }},
-+ { SELABEL_OPT_SUBSET,{r_opts->selabel_opt_subset }}
- };
+- };
- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 2);
++ struct selinux_opt selinux_opts[3];
++
++ selinux_opts[0].type = SELABEL_OPT_VALIDATE;
++ selinux_opts[0].value = r_opts->selabel_opt_validate;
++ selinux_opts[1].type = SELABEL_OPT_PATH;
++ selinux_opts[1].value = r_opts->selabel_opt_path;
++ selinux_opts[2].type = SELABEL_OPT_PREFIXES;
++ selinux_opts[2].values = r_opts->selabel_opt_prefixes;
++
+ r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
if (!r_opts->hnd) {
perror(r_opts->selabel_opt_path);
exit(1);
-@@ -103,9 +104,8 @@ static int match(const char *name, struct stat *sb, char **con)
- static int restore(FTSENT *ftsent)
+@@ -104,8 +109,7 @@ static int restore(FTSENT *ftsent)
{
char *my_file = strdupa(ftsent->fts_path);
-- int ret;
+ int ret = -1;
- char *context, *newcon;
- int user_only_changed = 0;
-+ int ret = -1;
+ security_context_t curcon = NULL, newcon = NULL;
if (match(my_file, ftsent->fts_statp, &newcon) < 0)
/* Check for no matching specification. */
-@@ -139,74 +139,105 @@ static int restore(FTSENT *ftsent)
+@@ -139,74 +143,105 @@ static int restore(FTSENT *ftsent)
printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon);
}
-+ /*
-+ * Do not relabel if their is no default specification for this file
++ /*
++ * Do not relabel if their is no default specification for this file
+ */
+
+ if (strcmp(newcon, "<<none>>") == 0) {
@@ -2043,7 +584,7 @@ index ce44c04..373c9b9 100644
- * Do not relabel the file if the matching specification is
- * <<none>> or the file is already labeled according to the
- * specification.
-+ * Do not relabel the file if the file is already labeled according to
++ * Do not relabel the file if the file is already labeled according to
+ * the specification.
*/
- if ((strcmp(newcon, "<<none>>") == 0) ||
@@ -2072,8 +613,8 @@ index ce44c04..373c9b9 100644
- if (r_opts->verbose > 1 || !user_only_changed) {
- printf("%s reset %s context %s->%s\n",
- r_opts->progname, my_file, context ?: "", newcon);
-+ /*
-+ * Do not change label unless this is a force or the type is different
++ /*
++ * Do not change label unless this is a force or the type is different
+ */
+ if (!r_opts->force && curcon) {
+ int types_differ = 0;
@@ -2088,7 +629,7 @@ index ce44c04..373c9b9 100644
+ if (! conb) {
+ context_free(cona);
+ goto out;
-+ }
+ }
+
+ types_differ = strcmp(context_type_get(cona), context_type_get(conb));
+ if (types_differ) {
@@ -2102,19 +643,19 @@ index ce44c04..373c9b9 100644
+ }
+ context_free(cona);
+ context_free(conb);
-+
++
+ if (!types_differ || err) {
+ goto out;
- }
++ }
++ }
++
++ if (r_opts->verbose) {
++ printf("%s reset %s context %s->%s\n",
++ r_opts->progname, my_file, curcon ?: "", newcon);
}
- if (r_opts->logging && !user_only_changed) {
- if (context)
-+ if (r_opts->verbose) {
-+ printf("%s reset %s context %s->%s\n",
-+ r_opts->progname, my_file, curcon ?: "", newcon);
-+ }
-+
+ if (r_opts->logging) {
+ if (curcon)
syslog(LOG_INFO, "relabeling %s from %s to %s\n",
@@ -2140,16 +681,23 @@ index ce44c04..373c9b9 100644
goto out;
/*
-@@ -218,7 +249,7 @@ static int restore(FTSENT *ftsent)
- r_opts->progname, my_file, newcon, strerror(errno));
- goto skip;
+@@ -220,12 +255,15 @@ static int restore(FTSENT *ftsent)
}
-- ret = 1;
-+ ret = 0;
+ ret = 1;
out:
++ freecon(curcon);
freecon(newcon);
return ret;
-@@ -487,22 +518,6 @@ int add_exclude(const char *directory)
+ skip:
++ freecon(curcon);
+ freecon(newcon);
+ return SKIP;
+ err:
++ freecon(curcon);
+ freecon(newcon);
+ return ERR;
+ }
+@@ -447,22 +485,6 @@ int add_exclude(const char *directory)
return 0;
}
@@ -2173,19 +721,19 @@ index ce44c04..373c9b9 100644
* Evaluate the association hash table distribution.
*/
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
-index ac27222..3909d15 100644
+index ac27222..4b39972 100644
--- a/policycoreutils/setfiles/restore.h
+++ b/policycoreutils/setfiles/restore.h
@@ -40,6 +40,7 @@ struct restore_opts {
int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */
const char *selabel_opt_validate;
const char *selabel_opt_path;
-+ char *selabel_opt_subset;
++ const char **selabel_opt_prefixes;
};
void restore_init(struct restore_opts *opts);
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
-index c8ea4bb..0eb7293 100644
+index c8ea4bb..65a59de 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -4,22 +4,27 @@ restorecon \- restore file(s) default SELinux security contexts.
@@ -2211,10 +759,10 @@ index c8ea4bb..0eb7293 100644
It can be run at any time to correct errors, to add support for
new policy, or with the \-n option it can just check whether the file
contexts are all as you expect.
-+.P
-+If a file object does not have a context, restorecon will write the default
-+context to the file object's extended attributes. If a file object has a
-+context, restorecon will only modify the type portion of the security context.
++.P
++If a file object does not have a context, restorecon will write the default
++context to the file object's extended attributes. If a file object has a
++context, restorecon will only modify the type portion of the security context.
+The -F option will force a replacement of the entire context.
.SH "OPTIONS"
@@ -2228,7 +776,7 @@ index c8ea4bb..0eb7293 100644
+
+# restorecon -R -v -L /dev /dev
+
-+.TP
++.TP
.B \-R \-r
change files and directories file labels recursively
.TP
@@ -2246,7 +794,7 @@ index c8ea4bb..0eb7293 100644
.SH "ARGUMENTS"
.B pathname...
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
-index 7f700ca..2cc3fba 100644
+index 7f700ca..2741919 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -4,7 +4,7 @@ setfiles \- set file SELinux security contexts.
@@ -2262,26 +810,27 @@ index 7f700ca..2cc3fba 100644
It can also be run at any time to correct errors, to add support for
new policy, or with the \-n option it can just check whether the file
contexts are all as you expect.
-+.P
-+If a file object does not have a context, setfiles will write the default
-+context to the file object's extended attributes. If a file object has a
-+context, setfiles will only modify the type portion of the security context.
++.P
++If a file object does not have a context, setfiles will write the default
++context to the file object's extended attributes. If a file object has a
++context, setfiles will only modify the type portion of the security context.
+The -F option will force a replacement of the entire context.
.SH "OPTIONS"
.TP
-@@ -45,7 +50,10 @@ use an alternate root path
+@@ -45,8 +50,11 @@ use an alternate root path
directory to exclude (repeat option for more than one directory.)
.TP
.B \-F
-Force reset of context to match file_context for customizable files
+Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type.
-+.TP
+ .TP
+.B \-L labelprefix
+Tells selinux to only use the file context that match this prefix for labeling, -L can be called multiple times. Can speed up labeling if you are only doing one directory.
- .TP
++.TP
.B \-o filename
save list of files with incorrect context in filename.
+ .TP
@@ -55,10 +63,7 @@ take a list of files from standard input instead of using a pathname on the
command line.
.TP
@@ -2295,7 +844,7 @@ index 7f700ca..2cc3fba 100644
.B \-W
display warnings about entries that had no matching files.
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
-index fa0cd6a..4da428c 100644
+index fa0cd6a..0ec0eff 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -39,7 +39,7 @@ void usage(const char *const name)
@@ -2307,15 +856,33 @@ index fa0cd6a..4da428c 100644
name);
} else {
fprintf(stderr,
-@@ -160,6 +160,7 @@ int main(int argc, char **argv)
+@@ -137,7 +137,7 @@ static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs)
+ int main(int argc, char **argv)
+ {
+ struct stat sb;
+- int opt, i = 0;
++ int opt, i;
+ char *input_filename = NULL;
+ int use_input_file = 0;
+ char *buf = NULL;
+@@ -145,6 +145,8 @@ int main(int argc, char **argv)
+ int recurse; /* Recursive descent. */
+ char *base;
+ int mass_relabel = 0, errors = 0;
++ int num_prefixes = 0;
++ const char *null_array[1] = { NULL };
+
+ memset(&r_opts, 0, sizeof(r_opts));
+
+@@ -160,6 +162,7 @@ int main(int argc, char **argv)
r_opts.outfile = NULL;
r_opts.force = 0;
r_opts.hard_links = 1;
-+ r_opts.selabel_opt_subset = 0;
++ r_opts.selabel_opt_prefixes = null_array;
altpath = NULL;
-@@ -217,7 +218,7 @@ int main(int argc, char **argv)
+@@ -217,7 +220,7 @@ int main(int argc, char **argv)
exclude_non_seclabel_mounts();
/* Process any options. */
@@ -2324,31 +891,43 @@ index fa0cd6a..4da428c 100644
switch (opt) {
case 'c':
{
-@@ -280,6 +281,23 @@ int main(int argc, char **argv)
+@@ -280,6 +283,35 @@ int main(int argc, char **argv)
case 'n':
r_opts.change = 0;
break;
+ case 'L':
-+ if (r_opts.selabel_opt_subset) {
-+ if (asprintf((char**) &(r_opts.selabel_opt_subset),"%s:%s",r_opts.selabel_opt_subset,optarg) < 0) {
-+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
-+ optarg, strerror(errno));
-+ exit(1);
-+ }
++ {
++ char **new_prefixes;
++
++ /* we need 1 for this entry and 1 for the NULL entry */
++ new_prefixes = malloc(sizeof(*new_prefixes) * (num_prefixes + 2));
++ if (!new_prefixes) {
++ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
++ optarg, strerror(errno));
++ exit(1);
+ }
-+ else {
-+ r_opts.selabel_opt_subset = strdup(optarg);
-+ if (! r_opts.selabel_opt_subset) {
-+ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
-+ optarg, strerror(errno));
-+ exit(1);
-+ }
++
++ memcpy(new_prefixes, r_opts.selabel_opt_prefixes, sizeof(*new_prefixes) * num_prefixes);
++ new_prefixes[num_prefixes] = strdup(optarg);
++ if (!new_prefixes[num_prefixes]) {
++ fprintf(stderr, "Can't allocate memory for labeling prefix %s:%s\n",
++ optarg, strerror(errno));
++ exit(1);
+ }
++
++ new_prefixes[num_prefixes + 1] = NULL;
++ num_prefixes++;
++
++ if (r_opts.selabel_opt_prefixes != null_array)
++ free(r_opts.selabel_opt_prefixes);
++
++ r_opts.selabel_opt_prefixes = (const char **)new_prefixes;
+ break;
++ }
case 'o':
if (strcmp(optarg, "-") == 0) {
r_opts.outfile = stdout;
-@@ -433,7 +451,11 @@ int main(int argc, char **argv)
+@@ -433,7 +465,15 @@ int main(int argc, char **argv)
if (r_opts.outfile)
fclose(r_opts.outfile);
@@ -2358,7 +937,11 @@ index fa0cd6a..4da428c 100644
+ printf("\n");
+
+ free(r_opts.progname);
-+ free(r_opts.selabel_opt_subset);
++ i = 0;
++ while (r_opts.selabel_opt_prefixes[i])
++ free((void *)r_opts.selabel_opt_prefixes[i++]);
++ if (r_opts.selabel_opt_prefixes != null_array)
++ free(r_opts.selabel_opt_prefixes);
+ free(r_opts.rootpath);
exit(errors);
}
diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch
index f4087ea..d6fdfdb 100644
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@@ -1,5 +1,5 @@
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index 24e308e..1b0a8e5 100644
+index 898fbc3..631bab5 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -68,6 +68,17 @@ def get_dmesg_msgs():
@@ -30,11 +30,8 @@ index 24e308e..1b0a8e5 100644
class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message.
-@@ -165,8 +179,11 @@ class AVCMessage(AuditMessage):
- self.comm = ""
- self.exe = ""
- self.path = ""
-+ self.name = ""
+@@ -168,6 +182,8 @@ class AVCMessage(AuditMessage):
+ self.name = ""
self.accesses = []
self.denial = True
+ self.type = audit2why.TERULE
@@ -42,12 +39,7 @@ index 24e308e..1b0a8e5 100644
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
-@@ -223,10 +240,36 @@ class AVCMessage(AuditMessage):
- self.comm = fields[1][1:-1]
- elif fields[0] == "exe":
- self.exe = fields[1][1:-1]
-+ elif fields[0] == "name":
-+ self.name = fields[1][1:-1]
+@@ -229,7 +245,31 @@ class AVCMessage(AuditMessage):
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@@ -74,13 +66,13 @@ index 24e308e..1b0a8e5 100644
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation")
-+
++
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
def __init__(self, message):
-@@ -469,10 +512,10 @@ class AuditParser:
+@@ -472,10 +512,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@@ -126,7 +118,7 @@ index 1a9a3e5..d56dd92 100644
def __iter__(self):
return iter(self.children)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
-index 0e6b502..6ce892c 100644
+index 0e6b502..4882999 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -29,6 +29,8 @@ import objectmodel
@@ -155,9 +147,9 @@ index 0e6b502..6ce892c 100644
- rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
+ rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
+ if av.type == audit2why.ALLOW:
-+ rule.comment += "#!!!! This avc is allowed in the current policy\n"
++ rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ if av.type == audit2why.DONTAUDIT:
-+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
++ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
+
+ if av.type == audit2why.BOOLEAN:
+ if len(av.bools) > 1:
@@ -166,7 +158,7 @@ index 0e6b502..6ce892c 100644
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
+
+ if av.type == audit2why.CONSTRAINT:
-+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
++ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+ rule.comment += "#Constraint rule: "
+
+ if av.type == audit2why.TERULE:
@@ -175,7 +167,7 @@ index 0e6b502..6ce892c 100644
+ if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[]
-+
++
+ try:
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
@@ -189,42 +181,3 @@ index 0e6b502..6ce892c 100644
self.module.children.append(rule)
-diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
-index 1a2eec8..955784d 100644
---- a/sepolgen/src/sepolgen/refparser.py
-+++ b/sepolgen/src/sepolgen/refparser.py
-@@ -109,6 +109,7 @@ tokens = (
- 'DONTAUDIT',
- 'AUDITALLOW',
- 'NEVERALLOW',
-+ 'PERMISSIVE',
- 'TYPE_TRANSITION',
- 'TYPE_CHANGE',
- 'TYPE_MEMBER',
-@@ -170,6 +171,7 @@ reserved = {
- 'dontaudit' : 'DONTAUDIT',
- 'auditallow' : 'AUDITALLOW',
- 'neverallow' : 'NEVERALLOW',
-+ 'permissive' : 'PERMISSIVE',
- 'type_transition' : 'TYPE_TRANSITION',
- 'type_change' : 'TYPE_CHANGE',
- 'type_member' : 'TYPE_MEMBER',
-@@ -490,6 +492,7 @@ def p_policy_stmt(p):
- | interface_call
- | role_def
- | role_allow
-+ | permissive
- | type_def
- | typealias_def
- | attribute_def
-@@ -747,6 +750,10 @@ def p_role_allow(p):
- r.tgt_roles = p[3]
- p[0] = r
-
-+def p_permissive(p):
-+ 'permissive : PERMISSIVE names SEMI'
-+ t.skip(1)
-+
- def p_avrule_def(p):
- '''avrule_def : ALLOW names names COLON names names SEMI
- | DONTAUDIT names names COLON names names SEMI
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 423167e..1fd6fc4 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,13 +1,13 @@
-%define libauditver 1.4.2-1
-%define libsepolver 2.1.2-3
-%define libsemanagever 2.1.4-1
-%define libselinuxver 2.1.5-5
-%define sepolgenver 1.1.2
+%define libauditver 2.1.3-4
+%define libsepolver 2.1.3-2
+%define libsemanagever 2.1.4-3
+%define libselinuxver 2.1.7-1
+%define sepolgenver 1.1.3
Summary: SELinux policy core utilities
Name: policycoreutils
-Version: 2.1.7
-Release: 5%{?dist}
+Version: 2.1.8
+Release: 1%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -22,8 +22,8 @@ Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
Source9: semanage-bash-completion.sh
-Patch: policycoreutils-rhat.patch
Source10: restorecond.service
+Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch
Patch3: policycoreutils-gui.patch
Patch4: policycoreutils-sepolgen.patch
@@ -352,6 +352,33 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Fri Nov 4 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.8-1
+- Upgrade to policycoreutils upstream
+ * sandbox: Maintain the LANG environment into the sandbox
+ * audit2allow: use audit2why internally
+ * fixfiles: label /root but not /var/lib/BackupPC
+ * semanage: update local boolean settings is dealing with localstore
+ * semanage: missing modify=True
+ * semanage: set modified correctly
+ * restorecond: make restorecond dbuss-able
+ * restorecon: Always check return code on asprintf
+ * restorecond: make restorecond -u exit when terminal closes
+ * sandbox: introduce package name and language stuff
+ * semodule_package: remove semodule_unpackage on clean
+ * fix sandbox Makefile to support DESTDIR
+ * semanage: Add -o description to the semanage man page
+ * make use of the new realpath_not_final function
+ * setfiles: close /proc/mounts file when finished
+ * semodule: Document semodule -p in man page
+ * setfiles: fix use before initialized
+ * restorecond: Add .local/share as a directory to watch
+- Upgrade to sepolgen upstream
+ * Ignore permissive qualifier if found in an interface
+ * Return name field in avc data
+
+* Mon Oct 31 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.7-6
+- Rebuild versus newer libsepol
+
* Fri Oct 28 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.7-5
- A couple of minor coverity fixes for a potential leaked file descriptor
- An an unchecked return code.
diff --git a/sources b/sources
index d79a1e8..b2af9b5 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
-c372e90a754ee87e1cc40b09134b8f31 sepolgen-1.1.2.tgz
-98688cfeab65386a0dfbd921511952ac policycoreutils-2.1.7.tgz
+135674afd4eecd02ef441a9fd1d2c08a policycoreutils-2.1.8.tgz
+3bd4588bcf8608c6e8a18ad5a8b68971 sepolgen-1.1.3.tgz
More information about the scm-commits
mailing list