[policycoreutils/f18] Back port lots of fixes from Rawhide

Daniel J Walsh dwalsh at fedoraproject.org
Fri Feb 8 18:31:40 UTC 2013


commit a2d10dce216de5ca1e9e0777da7d123a30c844f2
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Feb 8 13:31:37 2013 -0500

    Back port lots of fixes from Rawhide
    
            * Cleanup python problems
    	* setfiles: estimate percent progress
    	* sandbox: use sepolicy to look for sandbox_t
    	* gui: switch to use sepolicy
    	* gui: sepolgen: use sepolicy to generate
    	* semanage: use sepolicy for boolean dictionary
    	* semanage: seobject verify policy types before allowing you to assign them.
    	* semanage: good error message if the sepolgen python module is missing
    	* restorecond: remove /etc/mtab from default list
    	* restorecond: Add /etc/udpatedb.conf to restorecond.conf
    	* sandbox: seunshare: do not reassign realloc value
    	* seunshare: do checking on setfsuid

 policycoreutils-rawhide.patch | 1929 +++++++++++++++++++++++++++++++++++++++++
 policycoreutils.spec          |   19 +-
 2 files changed, 1947 insertions(+), 1 deletions(-)
---
diff --git a/policycoreutils-rawhide.patch b/policycoreutils-rawhide.patch
new file mode 100644
index 0000000..f68b3f9
--- /dev/null
+++ b/policycoreutils-rawhide.patch
@@ -0,0 +1,1929 @@
+diff -r -u policycoreutils-2.1.13/sepolicy/info.c ../master/policycoreutils-2.1.14/sepolicy/info.c
+--- policycoreutils-2.1.13/sepolicy/info.c	2013-02-08 13:11:51.890426890 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/info.c	2013-02-07 12:21:11.000000000 -0500
+@@ -988,39 +988,51 @@
+ {
+ 	PyObject* output = NULL;
+ 
++	switch(type) {
+ 	/* display requested info */
+-	if (type == TYPE)
++	case TYPE:
+ 		output = get_types(name, policy);
+-
+-	if (type == ATTRIBUTE)
++		break;
++	case ATTRIBUTE:
+ 		output = get_attribs(name, policy);
+-
+-	if (type == ROLE)
++		break;
++	case ROLE:
+ 		output = get_roles(name, policy);
+-
+-	if (type == USER)
++		break;
++	case USER:
+ 		output = get_users(name, policy);
+-
+-	if (type == CLASS)
++		break;
++	case CLASS:
+ 		output = get_classes(name, policy);
+-
+-	if (type == BOOLEAN)
++		break;
++	case BOOLEAN:
+ 		output = get_booleans(name, policy);
+-
+-	if (type == PORT)
++		break;
++	case PORT:
+ 		output = get_ports(name, policy);
++		break;
++	default:
++		errno = EINVAL;
++		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
++		break;
++	}
+ 
+ 	return output;
+ }
+ 
+ PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
+-    unsigned int type;
+-    char *name;
++    int type;
++    const char *name;
+     
++    if (!policy) {
++	    PyErr_SetString(PyExc_RuntimeError,"Policy not loaded");
++	    return NULL;
++    }
++
+     if (!PyArg_ParseTuple(args, "iz", &type, &name))
+         return NULL;
+ 
+-    return Py_BuildValue("N",info(type, name));
++    return info(type, name);
+ }
+ 
+ void init_info (PyObject *m) {
+diff -r -u policycoreutils-2.1.13/sepolicy/Makefile ../master/policycoreutils-2.1.14/sepolicy/Makefile
+--- policycoreutils-2.1.13/sepolicy/Makefile	2013-02-08 13:11:51.888426884 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/Makefile	2013-02-07 12:21:11.000000000 -0500
+@@ -23,10 +23,10 @@
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
+ 	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
++	-mkdir -p $(MANDIR)/man8
++	install -m 644 *.8 $(MANDIR)/man8
+ 	-mkdir -p $(BASHCOMPLETIONDIR)
+ 	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+-	install -m 644 *.8 $(MANDIR)/man8
+diff -r -u policycoreutils-2.1.13/sepolicy/search.c ../master/policycoreutils-2.1.14/sepolicy/search.c
+--- policycoreutils-2.1.13/sepolicy/search.c	2013-02-08 13:11:51.891426893 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/search.c	2013-02-07 12:21:11.000000000 -0500
+@@ -204,14 +204,14 @@
+ 			goto err;
+ 
+ 		rt = py_append_obj(output, dict);
+-		Py_DECREF(dict); dict=NULL;
+ 		if (rt) goto err;
++		py_decref(dict); dict=NULL;
+ 	}
+ 	goto cleanup;
+ err:
+ 	error = errno;
+ 	PyErr_SetString(PyExc_RuntimeError,strerror(error));
+-	Py_DECREF(dict); dict=NULL;
++	py_decref(dict);
+ 
+ cleanup:
+ 	errno = error;
+@@ -329,7 +329,8 @@
+ 		if (expr_type != QPOL_COND_EXPR_BOOL) {
+ 			obj = PyString_FromString(apol_cond_expr_type_to_str(expr_type));
+ 			if (!obj) goto err;
+-			py_append_obj(boollist, obj);
++			if (py_append_obj(boollist, obj))
++				goto err;
+ 		} else {
+ 			tuple = PyTuple_New(2);
+ 			if (!tuple) goto err;
+@@ -405,7 +406,7 @@
+ 			obj = get_bool(q, cond, enabled);
+ 			if (!obj) goto err;
+ 			rt = PyDict_SetItemString(dict, "boolean", obj);
+-			Py_DECREF(obj);
++			py_decref(obj);
+ 		}
+ 
+ 		if (qpol_terule_get_rule_type(q, rule, &rule_type))
+@@ -529,9 +530,8 @@
+ 		}
+ 	}
+ 
+-	if (apol_filename_trans_get_by_query(policy, ftq, v)) {
+-		error = errno;
+-	}
++	if (apol_filename_trans_get_by_query(policy, ftq, v))
++		goto err;
+ 
+ 	apol_filename_trans_query_destroy(&ftq);
+ 	return 0;
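Review bot: The new `goto err` on the apol_filename_trans_get_by_query failure path skips the `apol_filename_trans_query_destroy(&ftq)` that the old code still reached after saving errno, so `ftq` now leaks on that path unless the `err` label also destroys it. The `err` label is outside the hunk, so this is worth confirming; if it does not, the minimal fix is `if (apol_filename_trans_get_by_query(policy, ftq, v)) { apol_filename_trans_query_destroy(&ftq); goto err; }`. The enclosing function starts outside the hunk.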
+@@ -713,6 +713,7 @@
+ 			s = NULL;
+ 		}
+ 		free(tmp);
++		tmp = NULL;
+ 	}
+ 
+ 	if (!(opt->semantic) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
+@@ -828,13 +829,14 @@
+ 
+ 		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
+ 			const char *perm_name = NULL;
+-			qpol_iterator_get_item(iter, (void **)&perm_name);
++			if (qpol_iterator_get_item(iter, (void **)&perm_name))
++				goto err;
+ 			if (py_append_string(permlist, perm_name))
+ 				goto err;
+ 		}
+ 
+ 		rt = PyDict_SetItemString(dict, "permlist", permlist);
+-		Py_DECREF(permlist); permlist=NULL;
++		py_decref(permlist); permlist=NULL;
+ 		if (rt) goto err;
+ 
+ 		if (qpol_avrule_get_cond(q, rule, &cond))
+@@ -844,17 +846,17 @@
+ 
+ 		obj = PyBool_FromLong(enabled);
+ 		rt = PyDict_SetItemString(dict, "enabled", obj);
+-		Py_DECREF(obj);
++		py_decref(obj);
+ 
+ 		if (cond) {
+ 			obj = get_bool(q, cond, enabled);
+ 			if (!obj) goto err;
+ 			rt = PyDict_SetItemString(dict, "boolean", obj);
+-			Py_DECREF(obj);
++			py_decref(obj);
+ 		}
+ 
+ 		rt = py_append_obj(output, dict);
+-		Py_DECREF(dict); dict=NULL;
++		py_decref(dict); dict=NULL;
+ 		if (rt) goto err;
+ 
+ 		free(rule_str);	rule_str = NULL;
+@@ -912,15 +914,8 @@
+ 		cmd_opts.perm_vector = apol_vector_create(free);
+ 		cmd_opts.permlist = strdup(permlist);
+ 	}
+-	int pol_opt = 0;
+-	if (!(cmd_opts.nallow || cmd_opts.all))
+-		pol_opt |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
+-
+-	pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+-
+ 	if (!cmd_opts.semantic && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
+ 		if (qpol_policy_build_syn_rule_table(apol_policy_get_qpol(policy))) {
+-			apol_policy_destroy(&policy);
+ 			PyErr_SetString(PyExc_RuntimeError,"Query failed");
+ 			goto cleanup;
+ 		}
+@@ -989,8 +984,8 @@
+ 	apol_vector_destroy(&cmd_opts.perm_vector);
+ 	apol_vector_destroy(&cmd_opts.class_vector);
+ 
+-	if (PyList_GET_SIZE(output) == 0) {
+-		Py_DECREF(output);
++	if (output && PyList_GET_SIZE(output) == 0) {
++		py_decref(output);
+ 		return Py_None;
+ 	}
+ 	return output;
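Review bot: `return Py_None;` on the empty-result path hands the caller a borrowed reference without incrementing it, so every empty search result decrements None's refcount and can eventually crash the interpreter; use `Py_RETURN_NONE;` (or `Py_INCREF(Py_None); return Py_None;`). The added `output &&` guard also means a NULL `output` now falls through to `return output;`, which is only correct if an exception has been set on that path — the code that produces a NULL `output` is outside the hunk, so this should be checked. The enclosing function begins outside the hunk.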
+@@ -1021,10 +1016,14 @@
+     int transition = Dict_ContainsInt(dict, "transition");
+     int role_allow = Dict_ContainsInt(dict, "role_allow");
+ 
++    if (!policy) {
++	    PyErr_SetString(PyExc_RuntimeError,"Policy not loaded");
++	    return NULL;
++    }
+     const char *src_name = Dict_ContainsString(dict, "source");
+     const char *tgt_name = Dict_ContainsString(dict, "target");
+     const char *class_name = Dict_ContainsString(dict, "class");
+     const char *permlist = Dict_ContainsString(dict, "permlist");
+ 
+-    return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
++    return search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist);
+ }
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/generate.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/generate.py	2013-02-08 13:11:51.899426920 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/generate.py	2013-02-07 12:21:11.000000000 -0500
+@@ -24,6 +24,7 @@
+ import os, sys, stat
+ import re
+ import sepolicy
++from sepolicy import get_all_types, get_all_attributes, get_all_roles
+ import time
+ import yum
+ 
+@@ -101,13 +102,6 @@
+ 
+     return nvr
+ 
+-all_types = None
+-def get_all_types():
+-    global all_types
+-    if all_types == None:
+-        all_types = map(lambda x: x['name'], sepolicy.info(sepolicy.TYPE))
+-    return all_types
+-
+ def get_all_ports():
+     dict = {}
+     for p in sepolicy.info(sepolicy.PORT):
+@@ -118,28 +112,6 @@
+         dict[(p['low'], p['high'], p['protocol'])]=(p['type'], p['range'])
+     return dict
+ 
+-def get_all_roles():
+-    roles = map(lambda x: x['name'], sepolicy.info(sepolicy.ROLE))
+-    roles.remove("object_r")
+-    roles.sort()
+-    return roles
+-
+-def get_all_attributes():
+-    attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE))
+-    attributes.sort()
+-    return attributes
+-
+-def get_all_domains():
+-    all_domains = []
+-    types=get_all_types()
+-    types.sort()
+-    for i in types:
+-        m = re.findall("(.*)%s" % "_exec_t$", i)
+-        if len(m) > 0:
+-            if len(re.findall("(.*)%s" % "_initrc$", m[0])) == 0 and m[0] not in all_domains:
+-                all_domains.append(m[0])
+-    return all_domains
+-
+ def get_all_users():
+     users = map(lambda x: x['name'], sepolicy.info(sepolicy.USER))
+     users.remove("system_u")
+@@ -166,6 +138,7 @@
+ LUSER = 9
+ AUSER = 10
+ RUSER = 11
++NEWTYPE = 12
+ 
+ poltype={}
+ poltype[DAEMON] = _("Standard Init Daemon")
+@@ -180,6 +153,7 @@
+ poltype[LUSER] = _("Desktop Login User Role")
+ poltype[AUSER] = _("Administrator Login User Role")
+ poltype[RUSER] = _("Confined Root Administrator Role")
++poltype[NEWTYPE] = _("Module information for a new type")
+ 
+ def get_poltype_desc():
+     keys = poltype.keys()
+@@ -226,6 +200,7 @@
+                 self.rpms = []
+                 self.ports = []
+                 self.all_roles = get_all_roles()
++                self.types = []
+ 
+                 if type not in poltype:
+                     raise ValueError(_("You must enter a valid policy type"))
+@@ -336,6 +311,16 @@
+ 		self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run];
+ 		self.DEFAULT_DIRS["/var/spool"] = ["var_spool", [], var_spool];
+ 
++		self.DEFAULT_EXT = {}
++		self.DEFAULT_EXT["_tmp_t"] = tmp;
++		self.DEFAULT_EXT["_unit_file_t"] = unit_file;
++		self.DEFAULT_EXT["_var_cache_t"] = var_cache;
++		self.DEFAULT_EXT["_var_lib_t"] = var_lib;
++		self.DEFAULT_EXT["_var_log_t"] = var_log;
++		self.DEFAULT_EXT["_var_run_t"] = var_run;
++		self.DEFAULT_EXT["_var_spool_t"] = var_spool;
++		self.DEFAULT_EXT["port_t"] = network;
++
+                 self.DEFAULT_KEYS=["/etc", "/var/cache", "/var/log", "/tmp", "rw", "/var/lib", "/var/run", "/var/spool", "/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system" ]
+ 
+ 		self.DEFAULT_TYPES = (\
+@@ -350,7 +335,8 @@
+ ( self.generate_x_login_user_types, self.generate_x_login_user_rules), \
+ ( self.generate_login_user_types, self.generate_login_user_rules), \
+ ( self.generate_admin_user_types, self.generate_login_user_rules), \
+-( self.generate_root_user_types, self.generate_root_user_rules))
++( self.generate_root_user_types, self.generate_root_user_rules), \
++( self.generate_new_types, self.generate_new_rules))
+                 if not re.match(r"^[a-zA-Z0-9-_]+$", name):
+                     raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
+ 
+@@ -365,7 +351,7 @@
+                 self.processes = []
+ 		self.type = type
+ 		self.initscript = ""
+-                self.program = ""
++                self.program = None
+ 		self.in_tcp = [False, False, False, []]
+ 		self.in_udp = [False, False, False, []]
+ 		self.out_tcp = [False, False, False, []]
+@@ -379,9 +365,9 @@
+ 		self.use_pam = False
+ 		self.use_dbus = False
+ 		self.use_audit = False
+-		self.use_etc = self.type != EUSER
+-		self.use_localization = self.type != EUSER
+-		self.use_fd = self.type != EUSER
++		self.use_etc = self.type not in [ EUSER, NEWTYPE ]
++		self.use_localization = self.type not in [ EUSER, NEWTYPE ]
++		self.use_fd = self.type not in [ EUSER, NEWTYPE ]
+ 		self.use_terminal = False
+ 		self.use_mail = False
+ 		self.booleans = {}
+@@ -647,7 +633,7 @@
+                         self.found_udp_ports.append(line)
+ 
+             if self.need_udp_type == True or self.need_tcp_type == True:
+-                return re.sub("TEMPLATETYPE", self.name, network.te_port_types)
++                return re.sub("TEMPLATETYPE", self.name, network.te_types)
+             return ""
+ 
+ 	def __find_path(self, file):
+@@ -662,6 +648,9 @@
+             if capability not in self.capabilities:
+                 self.capabilities.append(capability)
+ 
++	def set_types(self, types):
++            self.types = types
++
+ 	def add_process(self, process):
+             if process not in self.processes:
+                 self.processes.append(process)
+@@ -876,6 +865,27 @@
+ 	def generate_root_user_types(self):
+ 		return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types)
+ 
++	def generate_new_types(self):
++                newte = ""
++                if len(self.types) == 0:
++                    raise ValueError(_("Type field required"))
++                    
++                for t in self.types:
++                    for i in self.DEFAULT_EXT:
++                        if t.endswith(i):
++                            newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
++                            break
++                return newte
++
++	def generate_new_rules(self):
++                newte = ""
++                for t in self.types:
++                    for i in self.DEFAULT_EXT:
++                        if t.endswith(i):
++                            newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_rules)
++                            break
++                return newte
++
+ 	def generate_daemon_types(self):
+                 newte = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types)
+                 if self.initscript != "":
+@@ -912,6 +922,16 @@
+ 
+                 return  newif
+ 
++	def generate_new_type_if(self):
++                newif = ""
++                for t in self.types:
++                    for i in self.DEFAULT_EXT:
++                        if t.endswith(i):
++                            reqtype = t[:-len(i)] + "_t"
++                            newif += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].if_rules)
++                            break
++                return newif
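Review bot: In `generate_new_type_if` the local `reqtype = t[:-len(i)] + "_t"` is assigned but never used, which reads as either dead code or a half-finished substitution; drop the line or use it in the `re.sub` call. The same `for t in self.types: for i in self.DEFAULT_EXT: if t.endswith(i): ... break` lookup is now repeated in `generate_new_types`, `generate_new_rules` and this method, so a small helper returning `(prefix, template)` pairs would keep the three in step.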
++
+ 	def generate_login_user_rules(self):
+ 		return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules)
+ 
+@@ -963,7 +983,7 @@
+ 	def generate_if(self):
+                 newif = ""
+                 newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules)
+-                if self.program != "":
++                if self.program:
+                     newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules)
+                 if self.initscript != "":
+                     newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules)
+@@ -979,6 +999,8 @@
+                 newif += self.generate_dbus_if()
+                 newif += self.generate_admin_if()
+                 newif += self.generate_sandbox_if()
++                newif += self.generate_new_type_if()
++                newif += self.generate_new_rules()
+ 
+ 		return newif
+ 
+@@ -986,7 +1008,9 @@
+ 		return self.DEFAULT_TYPES[self.type][0]()
+ 
+ 	def generate_default_rules(self):
+-		return self.DEFAULT_TYPES[self.type][1]()
++                if self.DEFAULT_TYPES[self.type][1]:
++                    return self.DEFAULT_TYPES[self.type][1]()
++                return ""
+ 
+ 	def generate_roles_rules(self):
+             newte = ""
+@@ -1054,12 +1078,13 @@
+ 		newfc = ""
+                 fclist = []
+                 if self.type in USERS +  [ SANDBOX ]:
+-                    return re.sub("EXECUTABLE", self.program, executable.fc_user)
+-                if self.program == "":
++                    return executable.fc_user
++                if self.type != NEWTYPE and not self.program:
+                     raise ValueError(_("You must enter the executable path for your confined process"))
+ 
+-		t1 = re.sub("EXECUTABLE", self.program, executable.fc_program)
+-		fclist.append(re.sub("TEMPLATETYPE", self.name, t1))
++                if self.program:
++                    t1 = re.sub("EXECUTABLE", self.program, executable.fc_program)
++                    fclist.append(re.sub("TEMPLATETYPE", self.name, t1))
+ 
+                 if self.initscript != "":
+                     t1 = re.sub("EXECUTABLE", self.initscript, executable.fc_initscript)
+@@ -1118,7 +1143,7 @@
+                     newsh  = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp)
+                 else:
+                     newsh  = re.sub("TEMPLATEFILE", self.file_name, temp)
+-                if self.program != "":
++                if self.program:
+                     newsh += re.sub("FILENAME", self.program, script.restorecon)
+                 if self.initscript != "":
+                     newsh += re.sub("FILENAME", self.initscript, script.restorecon)
+@@ -1152,7 +1177,7 @@
+                 newspec += spec.header_comment_section
+ 		if self.type in APPLICATIONS:
+ 			newspec += spec.define_relabel_files_begin
+-			if self.program != "":
++			if self.program:
+ 				newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end)
+ 			if self.initscript != "":
+ 				newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end)
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py	2013-02-08 13:11:51.897426914 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py	2013-02-07 12:21:11.000000000 -0500
+@@ -47,6 +47,97 @@
+         pass
+     raise ValueError(_("No SELinux Policy installed"))
+         
++all_types = None
++def get_all_types():
++    global all_types
++    if all_types == None:
++        all_types = map(lambda x: x['name'], info(TYPE))
++    return all_types
++
++role_allows = None
++def get_all_role_allows():
++	global role_allows
++	if role_allows:
++		return role_allows
++	role_allows = {}
++	for r in search([ROLE_ALLOW]):
++		if r["source"] == "system_r" or r["target"] == "system_r":
++			continue
++		if r["source"] in role_allows:
++			role_allows[r["source"]].append(r["target"])
++		else:
++			role_allows[r["source"]] = [ r["target"] ]
++
++	return role_allows
++
++def get_all_entrypoint_domains():
++    all_domains = []
++    types=get_all_types()
++    types.sort()
++    for i in types:
++        m = re.findall("(.*)%s" % "_exec_t$", i)
++        if len(m) > 0:
++            if len(re.findall("(.*)%s" % "_initrc$", m[0])) == 0 and m[0] not in all_domains:
++                all_domains.append(m[0])
++    return all_domains
++
++all_domains = None
++def get_all_domains():
++	global all_domains
++	if not all_domains:
++		all_domains = info(ATTRIBUTE,"domain")[0]["types"]
++	return all_domains
++
++roles = None
++def get_all_roles():
++	global roles
++	if roles:
++		return roles
++        roles = map(lambda x: x['name'], info(ROLE))
++        roles.remove("object_r")
++        roles.sort()
++        return roles
++
++users = None
++def get_all_users():
++    global users
++    if users:
++        return users
++    users = map(lambda x: x['name'], info(USER))
++    return users 
++
++file_types = None
++def get_all_file_types():
++	global file_types
++	if file_types:
++		return file_types
++	file_types =  info(ATTRIBUTE,"file_type")[0]["types"]
++	file_types.sort()
++	return file_types
++
++port_types = None
++def get_all_port_types():
++	global port_types
++	if port_types:
++		return port_types
++	port_types =  info(ATTRIBUTE,"port_type")[0]["types"]
++	port_types.sort()
++	return port_types
++
++bools = None
++def get_all_bools():
++	global bools
++	if not bools:
++		bools = info(BOOLEAN)
++	return bools
++
++all_attributes = None
++def get_all_attributes():
++	global all_attributes
++	if not all_attributes:
++		all_attributes = map(lambda x: x['name'], info(ATTRIBUTE))
++	return all_attributes
++
+ def policy(policy_file):
+     try:
+         _policy.policy(policy_file)
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py	2013-02-08 13:11:51.901426927 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py	2013-02-07 12:21:11.000000000 -0500
+@@ -28,7 +28,7 @@
+ import argparse
+ import selinux
+ import sepolicy
+-from sepolicy import network, gen_bool_dict
++from sepolicy import network, gen_bool_dict, get_all_file_types, get_all_domains, get_all_roles, get_all_users, get_all_port_types, get_all_bools, get_all_attributes, get_all_role_allows
+ 
+ import commands
+ import sys, os, re, time
+@@ -61,12 +61,28 @@
+ 		pass
+ 	return modules_dict
+ 
+-all_attributes = None
+-def get_all_attributes():
+-	global all_attributes
+-	if not all_attributes:
+-		all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE))
+-	return all_attributes
++users = None
++users_range = None
++def get_all_users_info():
++	global users
++	global users_range
++	if users and users_range:
++		return users, users_range
++
++	users = []
++	users_range ={}
++	allusers = []
++	allusers_info = info(USER)
++
++	for d in allusers_info:
++		allusers.append(d['name'])
++		users_range[d['name'].split("_")[0]] = d['range']
++
++	for u in allusers:
++		if u not in [ "system_u", "root", "unconfined_u" ]:
++			users.append(u.replace("_u",""))
++	users.sort()
++	return users, users_range
+ 
+ all_entrypoints = None
+ def get_entrypoints():
+@@ -75,25 +91,6 @@
+ 		all_entrypoints =  sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"]
+ 	return all_entrypoints
+ 
+-all_domains = None
+-def get_all_domains():
+-	global all_domains
+-	if not all_domains:
+-		all_domains = sepolicy.info(sepolicy.ATTRIBUTE,"domain")[0]["types"]
+-	return all_domains
+-
+-roles = None
+-def get_all_roles():
+-	global roles
+-	if roles:
+-		return roles
+-	roles = []
+-	allroles = map(lambda x: x['name'], sepolicy.info(sepolicy.ROLE))
+-	for r in allroles:
+-		if r not in [ "system_r", "object_r" ]:
+-			roles.append(r[:-2])
+-	return roles
+-
+ domains = None
+ def gen_domains():
+ 	global domains
+@@ -110,9 +107,9 @@
+ 		domains.append(domain)
+ 
+ 	for role in get_all_roles():
+-		if role in domains:
++		if role[:-2] in domains or role == "system_r":
+ 			continue
+-		domains.append(role)
++		domains.append(role[:-2])
+ 
+ 	domains.sort()
+ 	return domains
+@@ -150,45 +147,6 @@
+ 	fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
+ 	return fcdict
+ 
+-role_allows = None
+-def get_all_role_allows():
+-	global role_allows
+-	if role_allows:
+-		return role_allows
+-	role_allows = {}
+-	for r in sepolicy.search([sepolicy.ROLE_ALLOW]):
+-		if r["source"] == "system_r" or r["target"] == "system_r":
+-			continue
+-		if r["source"] in role_allows:
+-			role_allows[r["source"]].append(r["target"])
+-		else:
+-			role_allows[r["source"]] = [ r["target"] ]
+-
+-	return role_allows
+-
+-users = None
+-users_range = None
+-def get_all_users():
+-	global users
+-	global users_range
+-	if users and users_range:
+-		return users, users_range
+-
+-	users = []
+-	users_range ={}
+-	allusers = []
+-	allusers_info = sepolicy.info(sepolicy.USER)
+-
+-	for d in allusers_info:
+-		allusers.append(d['name'])
+-		users_range[d['name'].split("_")[0]] = d['range']
+-
+-	for u in allusers:
+-		if u not in [ "system_u", "root", "unconfined_u" ]:
+-			users.append(u.replace("_u",""))
+-	users.sort()
+-	return users, users_range
+-
+ types = None
+ def _gen_types():
+ 	global types
+@@ -203,31 +161,6 @@
+ 			types[rec["name"]] = []
+ 	return types
+ 
+-file_types = None
+-def get_all_file_types():
+-	global file_types
+-	if file_types:
+-		return file_types
+-	file_types =  sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
+-	file_types.sort()
+-	return file_types
+-
+-port_types = None
+-def get_all_port_types():
+-	global port_types
+-	if port_types:
+-		return port_types
+-	port_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
+-	port_types.sort()
+-	return port_types
+-
+-bools = None
+-def get_all_bools():
+-	global bools
+-	if not bools:
+-		bools = sepolicy.info(sepolicy.BOOLEAN)
+-	return bools
+-
+ def prettyprint(f,trim):
+     return " ".join(f[:-len(trim)].split("_"))
+ 
+@@ -488,8 +421,8 @@
+     all_bools = get_all_bools()
+     all_port_types = get_all_port_types()
+     all_roles = get_all_roles()
+-    all_users = get_all_users()[0]
+-    all_users_range = get_all_users()[1]
++    all_users = get_all_users_info()[0]
++    all_users_range = get_all_users_info()[1]
+     all_file_types = get_all_file_types()
+     types = _gen_types()
+     modules_dict = None
+@@ -532,7 +465,7 @@
+ 	self._gen_bools()
+ 	self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
+ 	self.fd = open(self.man_page_path, 'w')
+-	if domainname in self.all_roles:
++	if domainname + "_r" in self.all_roles:
+ 	    self.__gen_user_man_page()
+ 	    if self.html:
+ 		manpage_roles.append(self.man_page_path)
+@@ -802,7 +735,7 @@
+ .SH NSSWITCH DOMAIN
+ """)
+ 		for b in nsswitch_booleans:
+-		    nsswitchbooltext += """
++			nsswitchbooltext += """
+ .PP
+ If you want to %s for the %s, you must turn on the %s boolean.
+ 
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/executable.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py	2013-02-08 13:11:51.903426934 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/executable.py	2013-02-07 12:21:11.000000000 -0500
+@@ -446,7 +446,7 @@
+ """
+ 
+ fc_user="""\
+-# Users do not have file context, leave blank
++#  No file context, leave blank
+ """
+ 
+ fc_initscript="""\
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/network.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py	2013-02-08 13:11:51.904426937 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/network.py	2013-02-07 12:21:11.000000000 -0500
+@@ -20,7 +20,7 @@
+ #
+ #
+ ########################### Type Enforcement File #############################
+-te_port_types="""
++te_types="""
+ type TEMPLATETYPE_port_t;
+ corenet_port(TEMPLATETYPE_port_t)
+ """
+@@ -99,3 +99,482 @@
+ te_in_unreserved_ports_udp="""\
+ corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
+ """
++
++if_rules="""\
++########################################
++## <summary>
++##	Send and receive TCP traffic on the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="both" weight="10"/>
++#
++interface(`corenet_tcp_sendrecv_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	allow $1 TEMPLATETYPE_port_t:tcp_socket { send_msg recv_msg };
++')
++
++########################################
++## <summary>
++##	Send UDP traffic on the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`corenet_udp_send_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	allow $1 TEMPLATETYPE_port_t:udp_socket send_msg;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to send UDP traffic on the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_udp_send_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_port_t:udp_socket send_msg;
++')
++
++########################################
++## <summary>
++##	Receive UDP traffic on the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="read" weight="10"/>
++#
++interface(`corenet_udp_receive_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	allow $1 TEMPLATETYPE_port_t:udp_socket recv_msg;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to receive UDP traffic on the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_udp_receive_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_port_t:udp_socket recv_msg;
++')
++
++########################################
++## <summary>
++##	Send and receive UDP traffic on the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="both" weight="10"/>
++#
++interface(`corenet_udp_sendrecv_TEMPLATETYPE_port',`
++	corenet_udp_send_TEMPLATETYPE_port($1)
++	corenet_udp_receive_TEMPLATETYPE_port($1)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to send and receive
++##	UDP traffic on the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_udp_sendrecv_TEMPLATETYPE_port',`
++	corenet_dontaudit_udp_send_TEMPLATETYPE_port($1)
++	corenet_dontaudit_udp_receive_TEMPLATETYPE_port($1)
++')
++
++########################################
++## <summary>
++##	Bind TCP sockets to the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_tcp_bind_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	allow $1 TEMPLATETYPE_port_t:tcp_socket name_bind;
++	
++')
++
++########################################
++## <summary>
++##	Bind UDP sockets to the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_udp_bind_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	allow $1 TEMPLATETYPE_port_t:udp_socket name_bind;
++	
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to sbind to TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_udp_bind_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_port_t:udp_socket name_bind;
++	
++')
++
++########################################
++## <summary>
++##	Make a TCP connection to the TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_tcp_connect_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	allow $1 TEMPLATETYPE_port_t:tcp_socket name_connect;
++')
++########################################
++## <summary>
++##	Do not audit attempts to make a TCP connection to TEMPLATETYPE port.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_dontaudit_tcp_connect_TEMPLATETYPE_port',`
++	gen_require(`
++		type TEMPLATETYPE_port_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_port_t:tcp_socket name_connect;
++')
++
++
++########################################
++## <summary>
++##	Send TEMPLATETYPE_client packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`corenet_send_TEMPLATETYPE_client_packets',`
++	gen_require(`
++		type TEMPLATETYPE_client_packet_t;
++	')
++
++	allow $1 TEMPLATETYPE_client_packet_t:packet send;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to send TEMPLATETYPE_client packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_send_TEMPLATETYPE_client_packets',`
++	gen_require(`
++		type TEMPLATETYPE_client_packet_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_client_packet_t:packet send;
++')
++
++########################################
++## <summary>
++##	Receive TEMPLATETYPE_client packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="read" weight="10"/>
++#
++interface(`corenet_receive_TEMPLATETYPE_client_packets',`
++	gen_require(`
++		type TEMPLATETYPE_client_packet_t;
++	')
++
++	allow $1 TEMPLATETYPE_client_packet_t:packet recv;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to receive TEMPLATETYPE_client packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_receive_TEMPLATETYPE_client_packets',`
++	gen_require(`
++		type TEMPLATETYPE_client_packet_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_client_packet_t:packet recv;
++')
++
++########################################
++## <summary>
++##	Send and receive TEMPLATETYPE_client packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="both" weight="10"/>
++#
++interface(`corenet_sendrecv_TEMPLATETYPE_client_packets',`
++	corenet_send_TEMPLATETYPE_client_packets($1)
++	corenet_receive_TEMPLATETYPE_client_packets($1)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to send and receive TEMPLATETYPE_client packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_client_packets',`
++	corenet_dontaudit_send_TEMPLATETYPE_client_packets($1)
++	corenet_dontaudit_receive_TEMPLATETYPE_client_packets($1)
++')
++
++########################################
++## <summary>
++##	Relabel packets to TEMPLATETYPE_client the packet type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_relabelto_TEMPLATETYPE_client_packets',`
++	gen_require(`
++		type TEMPLATETYPE_client_packet_t;
++	')
++
++	allow $1 TEMPLATETYPE_client_packet_t:packet relabelto;
++')
++
++
++########################################
++## <summary>
++##	Send TEMPLATETYPE_server packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`corenet_send_TEMPLATETYPE_server_packets',`
++	gen_require(`
++		type TEMPLATETYPE_server_packet_t;
++	')
++
++	allow $1 TEMPLATETYPE_server_packet_t:packet send;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to send TEMPLATETYPE_server packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_send_TEMPLATETYPE_server_packets',`
++	gen_require(`
++		type TEMPLATETYPE_server_packet_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_server_packet_t:packet send;
++')
++
++########################################
++## <summary>
++##	Receive TEMPLATETYPE_server packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="read" weight="10"/>
++#
++interface(`corenet_receive_TEMPLATETYPE_server_packets',`
++	gen_require(`
++		type TEMPLATETYPE_server_packet_t;
++	')
++
++	allow $1 TEMPLATETYPE_server_packet_t:packet recv;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to receive TEMPLATETYPE_server packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_receive_TEMPLATETYPE_server_packets',`
++	gen_require(`
++		type TEMPLATETYPE_server_packet_t;
++	')
++
++	dontaudit $1 TEMPLATETYPE_server_packet_t:packet recv;
++')
++
++########################################
++## <summary>
++##	Send and receive TEMPLATETYPE_server packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="both" weight="10"/>
++#
++interface(`corenet_sendrecv_TEMPLATETYPE_server_packets',`
++	corenet_send_TEMPLATETYPE_server_packets($1)
++	corenet_receive_TEMPLATETYPE_server_packets($1)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to send and receive TEMPLATETYPE_server packets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++## <infoflow type="none"/>
++#
++interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_server_packets',`
++	corenet_dontaudit_send_TEMPLATETYPE_server_packets($1)
++	corenet_dontaudit_receive_TEMPLATETYPE_server_packets($1)
++')
++
++########################################
++## <summary>
++##	Relabel packets to TEMPLATETYPE_server the packet type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_relabelto_TEMPLATETYPE_server_packets',`
++	gen_require(`
++		type TEMPLATETYPE_server_packet_t;
++	')
++
++	allow $1 TEMPLATETYPE_server_packet_t:packet relabelto;
++')
++"""
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh ../master/policycoreutils-2.1.14/sepolicy/sepolicy-bash-completion.sh
+--- policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh	2013-02-08 13:11:51.892426897 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy-bash-completion.sh	2013-02-07 12:21:11.000000000 -0500
+@@ -45,6 +45,9 @@
+ __get_all_user_domains () {
+     seinfo -auserdomain -x 2> /dev/null | tail -n +2
+ }
++__get_all_users () {
++    seinfo -u 2> /dev/null | tail -n +2
++}
+ __get_all_classes () {
+     seinfo -c 2> /dev/null | tail -n +2
+ }
+@@ -57,9 +60,6 @@
+ __get_all_domains () {
+     seinfo -adomain -x 2>/dev/null | sed 's/_t$//g'
+ }
+-__get_all_generate_types () {
+-    seinfo -agenerate_type -x 2>/dev/null | tail -n +2
+-}
+ _sepolicy () {
+         local command=${COMP_WORDS[1]}
+         local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]}
+@@ -79,7 +79,7 @@
+         local -A OPTS=(
+                [booleans]='-h --help -p --path -a -all -b --boolean'
+                [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess'
+-               [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize  -d --domain --dbus --desktop_user -h --help --inetd --init -n --name -p --path --sandbox -T --test --term_user -u --user --x_user'
++               [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize  -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newtype -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user'
+                [interface]='-h --help -a --list_admin" -u --list_user -l --list'
+                [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web'
+                [network]='-h --help -d --domain -l --list -p --port -t --type '
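Review bot: The `[interface]` entry right above the changed `[generate]` line still carries a stray double quote in `-a --list_admin"`, so the literal token `--list_admin"` is offered as a completion word; it is a context line here, but it is the code as shipped, and `[interface]='-h --help -a --list_admin -u --list_user -l --list'` fixes it. The new `[generate]` line adds `--newtype` and `-w --writepath` but not the `-t --type` option added in sepolicy.py, which is consistent with that option being registered with `argparse.SUPPRESS`, so presumably intentional.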
+@@ -126,6 +126,10 @@
+                 COMPREPLY=( $( compgen -d -- "$cur") )
+                 compopt -o filenames
+                 return 0
++            elif test "$prev" = "-w" || test "$prev" = "--writepath" ; then
++                COMPREPLY=( $( compgen -d -- "$cur") )
++                compopt -o filenames
++                return 0
+             elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then
+                 COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") )
+                 return 0
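Review bot: The new `-w`/`--writepath` branch completes directories only (`compgen -d`), but generate() in sepolicy.py in this same patch treats any non-directory writepath as a file (`mypolicy.add_file(p)`), so file paths should be completable too: `COMPREPLY=( $( compgen -f -- "$cur") )`. As a point of style, the branch uses `test "$prev" = "-w" || test "$prev" = "--writepath"` while every sibling branch uses `[ "$prev" = "-w" -o "$prev" = "--writepath" ]`; matching the existing form keeps the function readable.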
+@@ -136,7 +140,7 @@
+                 COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") )
+                 return 0
+             elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then
+-                COMPREPLY=( $(compgen -W "$( __get_all_user_domains ) " -- "$cur") )
++                COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") )
+                 return 0
+             elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then
+                 COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy-generate.8 ../master/policycoreutils-2.1.14/sepolicy/sepolicy-generate.8
+--- policycoreutils-2.1.13/sepolicy/sepolicy-generate.8	2013-02-08 13:11:51.893426900 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy-generate.8	2013-02-07 12:21:11.000000000 -0500
+@@ -5,7 +5,7 @@
+ .SH "SYNOPSIS"
+ 
+ .br
+-.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
++.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
+ 
+ .SH "DESCRIPTION"
+ Use sepolicy generate to generate an SELinux policy Module.  sepolicy generate will generate 4 files.
+@@ -46,6 +46,15 @@
+ Specify the directory to store the created policy files. (Default to current working directory )
+ optional arguments:
+ .TP
++.I                \-u, \-\-user
++SELinux user(s) which will transition to this domain
++.TP
++.I                \-w, \-\-writepath
++Path(s) which the confined processes need to write
++.TP
++.I                \-a, \-\-admin
++Domain(s) that this confined admin will administrate
++.TP
+ .I  \-\-admin_user 
+ Generate Policy for Administrator Login User Role
+ .TP
+@@ -73,6 +82,9 @@
+ .I  \-\-init
+ Generate Policy for Standard Init Daemon (Default)
+ .TP
++.I  \-\-newtype
++Generate new policy for new types to add to an existing policy.
++.TP
+ .I  \-\-sandbox
+ Generate Policy for Sandbox
+ .TP
+diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy.py	2013-02-08 13:11:51.896426910 -0500
++++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy.py	2013-02-07 12:21:11.000000000 -0500
+@@ -43,13 +43,28 @@
+                 raise ValueError("%s does not exist" % values)
+         setattr(namespace, self.dest, values)
+ 
++class CheckType(argparse.Action):
++    def __call__(self, parser, namespace, values, option_string=None):
++        from sepolicy.network import domains
++
++        if isinstance(values,str):
++            setattr(namespace, self.dest, values)
++        else:
++            newval = getattr(namespace, self.dest)
++            if not newval:
++                newval = []
++
++            for v in values:
++                newval.append(v)
++            setattr(namespace, self.dest, newval)
++
+ class CheckDomain(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+         from sepolicy.network import domains
+ 
+         if isinstance(values,str):
+             if values not in domains:
+-                raise ValueError("%s must be an SELinux process domain" % values)
++                raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
+             setattr(namespace, self.dest, values)
+         else:
+             newval = getattr(namespace, self.dest)
+@@ -58,7 +73,7 @@
+ 
+             for v in values:
+                 if v not in domains:
+-                    raise ValueError("%s must be an SELinux process domain" % values)
++                    raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
+                 newval.append(v)
+             setattr(namespace, self.dest, newval)
+ 
+@@ -70,7 +85,8 @@
+         if not all_classes:
+                 all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
+         if values not in all_classes:
+-            raise ValueError("%s must be an SELinux process domain" % values)
++            raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes)))
++
+         setattr(namespace, self.dest, values)
+ 
+ class CheckAdmin(argparse.Action):
+@@ -81,7 +97,7 @@
+             newval = []
+         admins = get_admin()
+         if values not in admins:
+-            raise ValueError("%s must be an SELinux admin domain" % values)
++            raise ValueError("%s must be an SELinux admin domain:\nValid admin domains: %s" % (values, ", ".join(admins)))
+         newval.append(values)
+         setattr(namespace, self.dest, newval)
+ 
+@@ -104,7 +120,7 @@
+             newval = []
+         for v in values:
+             if v not in port_types:
+-                raise ValueError("%s must be an SELinux port type" % values)
++                raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
+             newval.append(v)
+         setattr(namespace, self.dest, values)
+ 
+@@ -124,13 +140,13 @@
+ 
+ class CheckUser(argparse.Action):
+     def __call__(self, parser, namespace, value, option_string=None):
+-        from sepolicy.generate import get_all_users
++        from sepolicy import get_all_users
+         newval = getattr(namespace, self.dest)
+         if not newval:
+             newval = []
+         users = get_all_users()
+         if value not in users:
+-                raise ValueError("%s must be an SELinux user" % value)
++                raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users)))
+         newval.append(value)
+         setattr(namespace, self.dest, newval)
+ 
+@@ -316,24 +332,33 @@
+             print m
+ 
+ def generate(args):
+-    from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS
++    from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
+     cmd = None
+-    if args.type not in USERS +  [ SANDBOX ]:
++    if args.policytype not in USERS +  [ SANDBOX, NEWTYPE]:
+         if not args.command:
+             raise ValueError(_("Command required for this type of policy"))
+         cmd = os.path.realpath(args.command)
+         if not args.name:
+             args.name = os.path.basename(cmd).replace("-","_")
+ 
+-    mypolicy = policy(args.name, args.type)
++    mypolicy = policy(args.name, args.policytype)
+     if cmd:
+         mypolicy.set_program(cmd)
+ 
++    if args.types:
++        mypolicy.set_types(args.types)
++
++    for p in args.writepaths:
++        if os.path.isdir(p):
++            mypolicy.add_dir(p)
++        else:
++            mypolicy.add_file(p)
++
+     mypolicy.set_transition_users(args.user)
+     mypolicy.set_admin_domains(args.admin_domain)
+     mypolicy.set_existing_domains(args.domain)
+ 
+-    if args.type in APPLICATIONS:
++    if args.policytype in APPLICATIONS:
+         mypolicy.gen_writeable()
+         mypolicy.gen_symbols()
+     print mypolicy.generate(args.path)
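Review bot: The new `args.writepaths` loop does no validation: a path that does not exist is silently treated as a file by `add_file()` because `os.path.isdir()` is false for it, so a typo becomes a file-context rule for a nonexistent path, and relative paths are used as given while `command` goes through `os.path.realpath()`. A cheap guard keeps behaviour predictable: `if not os.path.exists(p): raise ValueError(_("%s does not exist") % p)` before the isdir test, and `p = os.path.realpath(p)` if the generated contexts are meant to match what `command` gets. Whether nonexistent write paths are intentionally allowed (policy written before the program is installed) is not visible here, so confirm before rejecting them.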
+@@ -353,16 +378,16 @@
+     itf.set_defaults(func=interface)
+ 
+ def gen_generate_args(parser):
+-    from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER
++    from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
+     pol = parser.add_parser("generate",
+                             help=_('Generate SELinux Policy module template'))
+-    pol.add_argument("-d", "--domain", dest="domain", 
+-                     action=CheckDomain, default=None,
++    pol.add_argument("-d", "--domain", dest="domain", default=[],
++                     action=CheckDomain, nargs="*",
+                      help=_("Enter domain type which you will be extending"))
+-    pol.add_argument("-u", "--user", dest="user",
++    pol.add_argument("-u", "--user", dest="user", default=[],
+                      action=CheckUser, 
+                      help=_("Enter SELinux user(s) which will transition to this domain"))
+-    pol.add_argument("-a", "--admin", dest="admin_domain",
++    pol.add_argument("-a", "--admin", dest="admin_domain",default=[],
+                      action=CheckAdmin,
+                      help=_("Enter domain(s) that this confined admin will administrate"))
+     pol.add_argument("-n", "--name", dest="name",
+@@ -370,45 +395,53 @@
+                      help=_("name of policy to generate"))
+     pol.add_argument("-T", "--test", dest="test", default=False, action="store_true",
+                      help=argparse.SUPPRESS)
++    pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
++                     action=CheckType, 
++                     help=argparse.SUPPRESS)
+     pol.add_argument("-p", "--path", dest="path", default=os.getcwd(),
+                      help=_("path in which the generated policy files will be stored"))
++    pol.add_argument("-w", "--writepath", dest="writepaths", nargs="*", default = [],
++                     help=_("path to which the confined processes will need to write"))
+     pol.add_argument("command",nargs="?", default=None,
+                      help=_("executable to confine"))
+     group = pol.add_mutually_exclusive_group(required=False)
+-    group.add_argument("--admin_user", dest="type", const=AUSER,
++    group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
++                       action="store_const",
++                       help=_("Generate Policy for %s") % poltype[NEWTYPE])
++    group.add_argument("--admin_user", dest="policytype", const=AUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[AUSER])
+-    group.add_argument("--application", dest="type", const=USER,
++    group.add_argument("--application", dest="policytype", const=USER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[USER])
+-    group.add_argument("--cgi", dest="type", const=CGI,
++    group.add_argument("--cgi", dest="policytype", const=CGI,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[CGI])
+-    group.add_argument("--confined_admin", dest="type", const=RUSER,
++    group.add_argument("--confined_admin", dest="policytype", const=RUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[RUSER])
+-    group.add_argument("--customize", dest="type", const=EUSER,
++    group.add_argument("--customize", dest="policytype", const=EUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[EUSER])
+-    group.add_argument("--dbus", dest="type", const=DBUS, 
++    group.add_argument("--dbus", dest="policytype", const=DBUS, 
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[DBUS])
+-    group.add_argument("--desktop_user", dest="type", const=LUSER,
++    group.add_argument("--desktop_user", dest="policytype", const=LUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[LUSER])
+-    group.add_argument("--inetd", dest="type", const=INETD,
++    group.add_argument("--inetd", dest="policytype", const=INETD,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[INETD])
+-    group.add_argument("--init", dest="type", const=DAEMON, 
++    group.add_argument("--init", dest="policytype", const=DAEMON, 
+                        action="store_const", default=DAEMON, 
+                        help=_("Generate Policy for %s") % poltype[DAEMON])
+-    group.add_argument("--sandbox", dest="type", const=SANDBOX,
++    group.add_argument("--sandbox", dest="policytype", const=SANDBOX,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[SANDBOX])
+-    group.add_argument("--term_user", dest="type", const=TUSER,
++    group.add_argument("--term_user", dest="policytype", const=TUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[TUSER])
+-    group.add_argument("--x_user", dest="type", const=XUSER,
++    group.add_argument("--x_user", dest="policytype", const=XUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[XUSER])
+     pol.set_defaults(func=generate)
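Review bot: Registering `-w/--writepath` (and `-d/--domain`, `-t/--type`) with `nargs="*"` in front of the positional `command` makes argparse swallow the executable: `sepolicy generate -w /var/lib/foo /usr/sbin/foo` parses `/usr/sbin/foo` as a second write path, leaves `command` None, and generate() then fails with "Command required for this type of policy". Using `action="append"` with one value per occurrence, or `nargs=1` plus `action="append"`, avoids the ambiguity; the `CheckDomain` and `CheckType` actions already handle both the string and list forms, so they need no change. At minimum the help text should say that the executable must precede these options.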
+diff -r -u policycoreutils-2.1.13/gui/domainsPage.py ../master/policycoreutils-2.1.14/gui/domainsPage.py
+--- policycoreutils-2.1.13/gui/domainsPage.py	2013-02-08 13:11:51.662426124 -0500
++++ ../master/policycoreutils-2.1.14/gui/domainsPage.py	2013-02-07 12:21:11.000000000 -0500
+@@ -26,7 +26,7 @@
+ import seobject
+ import selinux
+ from semanagePage import *;
+-from sepolicy.generate import get_all_domains
++from sepolicy import get_all_entrypoint_domains
+ 
+ ##
+ ## I18N
+@@ -68,7 +68,7 @@
+         self.permissive_button = xml.get_widget("permissiveButton")
+         self.enforcing_button = xml.get_widget("enforcingButton")
+ 
+-        self.domains=get_all_domains()
++        self.domains=get_all_entrypoint_domains()
+         self.load()
+ 
+     def get_modules(self):
+diff -r -u policycoreutils-2.1.13/gui/statusPage.py ../master/policycoreutils-2.1.14/gui/statusPage.py
+--- policycoreutils-2.1.13/gui/statusPage.py	2013-02-08 13:11:51.671426154 -0500
++++ ../master/policycoreutils-2.1.14/gui/statusPage.py	2013-02-07 12:21:11.000000000 -0500
+@@ -177,7 +177,11 @@
+ 
+     def read_selinux_config(self):
+         self.initialtype = selinux.selinux_getpolicytype()[1]
+-        self.initEnabled = selinux.selinux_getenforcemode()[1]
++        try:
++            self.initEnabled = selinux.selinux_getenforcemode()[1]
++        except:
++            self.initEnabled = False
++            pass
+         self.enabled = self.initEnabled
+         self.enabledOptionMenu.set_active(self.enabled + 1 )
+ 
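Review bot: The new `except:` is bare, so it also swallows `KeyboardInterrupt` and `SystemExit` while the GUI reads the config, and the `pass` after the assignment is dead. Narrow it to the error the binding raises on a missing or unreadable config (presumably `OSError`, confirm against the selinux python bindings) and drop the `pass`: `except OSError:` followed by `self.initEnabled = False`. The fallback of `False` still indexes correctly into `set_active(self.enabled + 1)`, so that part is fine.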
+diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/semanage/semanage ../master/policycoreutils-2.1.14/semanage/semanage
+--- policycoreutils-2.1.13/semanage/semanage	2013-02-08 13:17:18.194524775 -0500
++++ ../master/policycoreutils-2.1.14/semanage/semanage	2013-02-08 13:12:09.551486238 -0500
+@@ -376,11 +376,8 @@
+ 			OBJECT = seobject.moduleRecords(store)
+ 
+ 		if object == "permissive":
+-                        try:
+-                               OBJECT = seobject.permissiveRecords(store)
+-                        except ImportError:
+-                               raise ValueError(_("Additional packages are required to setup permissive domains.\nYou must execute the following:\n# yum install policycoreutils-devel"))
+-		
++                       OBJECT = seobject.permissiveRecords(store)
++
+ 		if object == "dontaudit":
+                         OBJECT = seobject.dontauditClass(store)
+ 
+diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/semanage/seobject.py ../master/policycoreutils-2.1.14/semanage/seobject.py
+--- policycoreutils-2.1.13/semanage/seobject.py	2013-02-08 13:17:18.195524779 -0500
++++ ../master/policycoreutils-2.1.14/semanage/seobject.py	2013-02-08 13:12:09.552486241 -0500
+@@ -373,7 +373,11 @@
+ 
+ 	def add(self, type):
+                import glob
+-	       import sepolgen.module as module
++	       try:
++		       import sepolgen.module as module
++	       except ImportError:
++		       raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro."))
++		
+                name = "permissive_%s" % type
+                dirname = "/var/lib/selinux"
+                os.chdir(dirname)
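Review bot: The new user-facing error message has a typo, "policycoreutils-devel patckage", and because the string is wrapped in `_()` the misspelling would become the msgid that translators key on; fix it before it is shipped as `... included in the policycoreutils-devel package.\n# yum install policycoreutils-devel\nOr similar for your distro.`. Converting the `ImportError` to a `ValueError` is consistent with how semanage reports other argument problems, so that choice looks fine.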
+@@ -949,7 +953,10 @@
+ 				print "%-15s %s" % (k, ddict[k][3])
+ 
+ class portRecords(semanageRecords):
+-	valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
++	try:
++		valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
++	except RuntimeError:
++		valid_types = []
+ 
+ 	def __init__(self, store = ""):
+ 		semanageRecords.__init__(self, store)
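Review bot: When `sepolicy.info()` raises, `valid_types` is set to an empty list, and any code that later checks `if type not in self.valid_types` (outside this hunk) will then reject every port type rather than skipping validation, turning a policy-load problem into a failure of every `semanage port` command. If that is the consuming logic, keep a sentinel such as `valid_types = None` and have the check test `if self.valid_types is not None and type not in self.valid_types`. This also runs at class-definition time for every import of seobject, so the failure is hidden silently; consider a one-time warning on stderr so the broken policy load is visible.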
+@@ -1212,7 +1219,10 @@
+ 			print rec
+ 
+ class nodeRecords(semanageRecords):
+-       valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"node_type")[0]["types"]
++       try:
++	       valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"node_type")[0]["types"]
++       except RuntimeError:
++	       valid_types = []
+ 
+        def __init__(self, store = ""):
+                semanageRecords.__init__(self,store)
+@@ -1634,8 +1644,11 @@
+ 				print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
+ 			
+ class fcontextRecords(semanageRecords):
+-	valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
+-	valid_types +=  sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]
++	try:
++		valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
++		valid_types +=  sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]
++	except RuntimeError:
++		valid_types = []
+ 
+ 	def __init__(self, store = ""):
+ 		semanageRecords.__init__(self, store)
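Review bot: One `except` covers two lookups, so if only the `device_node` query fails the successfully fetched `file_type` list is thrown away as well and `valid_types` ends up empty. Either wrap each query separately so the partial list survives, or, as with the port and node classes, use a `None` sentinel that the consumer treats as "validation unavailable" rather than "nothing is valid"; the code that consults `valid_types` is outside this hunk.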
+diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/sandbox/seunshare.c ../master/policycoreutils-2.1.14/sandbox/seunshare.c
+--- policycoreutils-2.1.13/sandbox/seunshare.c	2013-02-08 13:21:22.853351998 -0500
++++ ../master/policycoreutils-2.1.14/sandbox/seunshare.c	2013-02-08 13:12:09.548486227 -0500
+@@ -31,12 +31,6 @@
+ #include <selinux/context.h>	/* for context-mangling functions */
+ #include <dirent.h>
+ 
+-
+-/*
+- * Note setfsuid never returns an error code.  But the compiler complains if 
+- * I do not check, so I am checking for -1, which should never happen.
+- */
+-
+ #ifdef USE_NLS
+ #include <locale.h>		/* for setlocale() */
+ #include <libintl.h>		/* for gettext() */
+@@ -623,13 +617,17 @@
+ 	free(cmdbuf); cmdbuf = NULL;
+ 
+ 	/* remove runtime temporary directory */
+-	if (setfsuid(0) < 0) 
++	if ((uid_t)setfsuid(0) != pwd->pw_uid) {
++		fprintf(stderr, _("Unable to switch to root to clear tmp dir\n"));
+ 		rc++;
++	}
+ 
+ 	if (rmdir(tmpdir) == -1)
+ 		fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno));
+-	if (setfsuid(pwd->pw_uid) < 0) 
++	if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
++		fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
+ 		rc++;
++	}
+ 
+ 	return rc;
+ }
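Review bot: The new checks `(uid_t)setfsuid(0) != pwd->pw_uid` and `(uid_t)setfsuid(pwd->pw_uid) != 0` only verify what the filesystem UID was before the call, not that the switch took effect, because setfsuid(2) returns the previous fsuid and reports no error; a call that silently fails (for example without CAP_SETUID) passes the check with the fsuid unchanged. The way setfsuid(2) documents verifying the change is to call it twice and compare the second return with the target: `setfsuid(0); if ((uid_t)setfsuid(0) != 0) { ... rc++; }`. The same before-value pattern is repeated in every other setfsuid hunk of this file. Also, when the switch to root is reported as failed the code still goes on to `rmdir(tmpdir)` under whatever fsuid it has, so consider skipping the removal in that case.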
+@@ -651,7 +649,7 @@
+ 
+ 	/* get selinux context */
+ 	if (execcon) {
+-		if (setfsuid(pwd->pw_uid) < 0) 
++		if ((uid_t)setfsuid(pwd->pw_uid) != 0)
+ 			goto err;
+ 
+ 		if ((fd_s = open(src, O_RDONLY)) < 0) {
+@@ -672,7 +670,7 @@
+ 		}
+ 
+ 		/* ok to not reach this if there is an error */
+-		if (setfsuid(0) < 0) 
++		if ((uid_t)setfsuid(0) != pwd->pw_uid)
+ 			goto err;
+ 	}
+ 
+@@ -728,7 +726,7 @@
+ 		}
+ 	}
+ 
+-	if (setfsuid(pwd->pw_uid) < 0) 
++	if ((uid_t)setfsuid(pwd->pw_uid) != 0)
+ 		goto err;
+ 
+ 	if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
+@@ -736,7 +734,7 @@
+ 	}
+ 
+ 	/* ok to not reach this if there is an error */
+-	if (setfsuid(0) < 0) 
++	if ((uid_t)setfsuid(0) != pwd->pw_uid)
+ 		goto err;
+ 
+ 	if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
+@@ -788,10 +786,13 @@
+ 			continue;
+ 
+ 		if (pids == max_pids) {
+-			if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
++			pid_t *new_pid_table = realloc(pid_table, 2*pids*sizeof(pid_t));
++			if (!new_pid_table) {
++				free(pid_table);
+ 				(void)closedir(dir);
+ 				return -1;
+ 			}
++			pid_table = new_pid_table;
+ 			max_pids *= 2;
+ 		}
+ 		pid_table[pids++] = pid;
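Review bot: Freeing `pid_table` on realloc failure is right only if nobody else releases it: the function and the variable's declaration start outside this hunk, so confirm that neither this function's later cleanup path nor its caller also frees `pid_table` after the `-1` return, otherwise this introduces a double free. If the variable stays in scope after the free, set `pid_table = NULL;` immediately after `free(pid_table);` so any later cleanup is harmless. The `2*pids*sizeof(pid_t)` size expression is computed in whatever type `pids` has, which is not visible here; a `size_t` cast on `pids` avoids an int overflow before the multiply widens.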
+@@ -930,7 +931,7 @@
+ 	/* Changing fsuid is usually required when user-specified directory is
+ 	 * on an NFS mount.  It's also desired to avoid leaking info about
+ 	 * existence of the files not accessible to the user. */
+-	if (setfsuid(uid) < 0) 
++	if ((uid_t)setfsuid(uid) != 0)
+ 		return -1;
+ 
+ 	/* verify homedir and tmpdir */
+@@ -940,7 +941,7 @@
+ 	if (tmpdir_s && (
+ 		verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
+ 		check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
+-	if (setfsuid(0) < 0) return -1;
++	if ((uid_t)setfsuid(0) != uid) return -1;
+ 
+ 	/* create runtime tmpdir */
+ 	if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
+@@ -961,7 +962,7 @@
+ 		char *LANG = NULL;
+ 		int rc = -1;
+ 
+-		if (unshare(CLONE_NEWNS) < 0) {
++		if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
+ 			perror(_("Failed to unshare"));
+ 			goto childerr;
+ 		}
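Review bot: Adding `CLONE_NEWIPC` to the unshare() call is a behaviour change that deserves a comment and a man-page note: the sandboxed process no longer shares SysV IPC objects or POSIX message queues with the host, so anything relying on shared memory with host processes (MIT-SHM against a host X server is the usual case; verify whether the sandbox's nested X server makes this moot) will stop working. A short comment such as `/* isolate SysV IPC and POSIX mqueues from the host as well as the mount table */` on the call, and an entry in the seunshare and sandbox man pages, would make the isolation guarantee explicit. Both unshare flags need CAP_SYS_ADMIN, which the setuid-root seunshare presumably has at this point, so no new privilege check is required.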
+@@ -974,7 +975,7 @@
+ 		}
+ 
+ 		/* assume fsuid==ruid after this point */
+-		if (setfsuid(uid) < 0) goto childerr;
++		if ((uid_t)setfsuid(uid) != 0) goto childerr;
+ 
+ 		/* mount homedir and tmpdir, in this order */
+ 		if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir,
+@@ -991,7 +992,7 @@
+ 				goto childerr;
+ 			}
+ 		}
+-		
++
+ 		/* construct a new environment */
+ 		if ((LANG = getenv("LANG")) != NULL) {
+ 			if ((LANG = strdup(LANG)) == NULL) {
+@@ -999,14 +1000,14 @@
+ 				goto childerr;
+ 			}
+ 		}
+-		
++
+ 		if ((rc = clearenv()) != 0) {
+ 			perror(_("Failed to clear environment"));
+ 			goto childerr;
+ 		}
+ 		if (display)
+ 			rc |= setenv("DISPLAY", display, 1);
+-		if (LANG) 
++		if (LANG)
+ 			rc |= setenv("LANG", LANG, 1);
+ 		rc |= setenv("HOME", pwd->pw_dir, 1);
+ 		rc |= setenv("SHELL", pwd->pw_shell, 1);
+diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/restorecond/Makefile ../master/policycoreutils-2.1.14/restorecond/Makefile
+--- policycoreutils-2.1.13/restorecond/Makefile	2012-09-25 16:17:37.000000000 -0400
++++ ../master/policycoreutils-2.1.14/restorecond/Makefile	2013-02-08 13:12:09.546486221 -0500
+@@ -5,6 +5,7 @@
+ MANDIR = $(PREFIX)/share/man
+ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+ DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
++SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
+ 
+ autostart_DATA = sealertauto.desktop
+ INITDIR = $(DESTDIR)/etc/rc.d/init.d
+@@ -39,7 +40,8 @@
+ 	install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop
+ 	-mkdir -p $(DBUSSERVICEDIR)
+ 	install -m 600 org.selinux.Restorecond.service  $(DBUSSERVICEDIR)/org.selinux.Restorecond.service
+-
++	-mkdir -p $(SYSTEMDDIR)/system
++	install -m 644 restorecond.service $(SYSTEMDDIR)/system/
+ relabel: install
+ 	/sbin/restorecon $(SBINDIR)/restorecond 
+ 
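Review bot: The new install rule copies `restorecond.service` from the source directory, but this patch does not add that file (the diff reports it as "Only in ../master/.../restorecond/"), so the build relies on the spec placing its `Source10: restorecond.service` into `restorecond/` before `make install`, which is not visible in the spec hunks shown; confirm the copy happens or the install step fails. The `-mkdir -p` prefix suppresses a failure that the following `install` would hit anyway, so plain `mkdir -p` reads more honestly. As a style point, the removed blank line between the install recipe and `relabel: install` should come back to keep the targets visually separated.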
+diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/restorecond/restorecond.conf ../master/policycoreutils-2.1.14/restorecond/restorecond.conf
+--- policycoreutils-2.1.13/restorecond/restorecond.conf	2013-02-08 13:24:23.100961351 -0500
++++ ../master/policycoreutils-2.1.14/restorecond/restorecond.conf	2013-02-07 12:21:11.000000000 -0500
+@@ -1,6 +1,7 @@
+ /etc/services
+ /etc/resolv.conf
+ /etc/samba/secrets.tdb
++/etc/updatedb.conf
+ /var/run/utmp
+ /var/log/wtmp
+ /root/*
+Only in ../master/policycoreutils-2.1.14/restorecond/: restorecond.service
+diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/restorecond/user.c ../master/policycoreutils-2.1.14/restorecond/user.c
+--- policycoreutils-2.1.13/restorecond/user.c	2012-09-25 16:17:37.000000000 -0400
++++ ../master/policycoreutils-2.1.14/restorecond/user.c	2013-02-08 13:12:09.547486224 -0500
+@@ -54,6 +54,7 @@
+ static const char *INTERFACE="org.selinux.RestorecondIface";
+ static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
+ 
++static int local_lock_fd = -1;
+ 
+ static DBusHandlerResult
+ signal_filter (DBusConnection *connection  __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
+@@ -201,17 +202,18 @@
+ 			perror("asprintf");
+ 		return -1;
+ 	}
+-	int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
++	local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ 	if (debug_mode)
+ 		g_warning ("Lock file: %s", ptr);
+ 
+ 	free(ptr);
+-	if (fd < 0) {
++	if (local_lock_fd < 0) {
+ 		if (debug_mode)
+ 			perror("open");
+ 		return -1;
+ 	}
+-	if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
++	if (flock(local_lock_fd, LOCK_EX | LOCK_NB) < 0) {
++		close(local_lock_fd);
+ 		if (debug_mode)
+ 			perror("flock");
+ 		return -1;
+@@ -226,6 +228,12 @@
+ 	return 0;
+ }
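Review bot: After the new `close(local_lock_fd)` on flock failure, `local_lock_fd` still holds the closed descriptor number, so the `end_local_server()` added below will close that number again later, by which time the kernel may have reused it for the D-Bus or inotify descriptor. Reset it right after closing: `close(local_lock_fd); local_lock_fd = -1;`. Note also that close() can clobber errno before `perror("flock")` runs, so either call perror first or save errno across the close.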
+ 
++static void end_local_server(void) {
++	if (local_lock_fd >= 0)
++		close(local_lock_fd);
++	local_lock_fd = -1;
++}
++
+ int server(int master_fd, const char *watch_file) {
+     GMainLoop *loop;
+ 
+@@ -253,6 +261,7 @@
+     g_main_loop_run (loop);
+ 
+ end:
++    end_local_server();
+     g_main_loop_unref (loop);
+     return 0;
+ }
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 5e5c95c..f39c8ca 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 55%{?dist}
+Release: 56%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -23,6 +23,7 @@ Source8: policycoreutils_man_ru2.tar.bz2
 Source10: restorecond.service
 Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-sepolgen.patch
+Patch2:	 policycoreutils-rawhide.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
 Provides: /sbin/fixfiles
@@ -63,6 +64,7 @@ to switch roles.
 %setup -q -a 1 
 %patch -p2 -b .rhat
 %patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
+%patch2 -p3 -b .rawhide
 
 %build
 make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
@@ -338,6 +340,21 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Fri Feb 8 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.12-56
+- Back port lots of fixes from Rawhide
+        * Cleanup python problems
+	* setfiles: estimate percent progress
+	* sandbox: use sepolicy to look for sandbox_t
+	* gui: switch to use sepolicy
+	* gui: sepolgen: use sepolicy to generate
+	* semanage: use sepolicy for boolean dictionary
+	* semanage: seobject verify policy types before allowing you to assign them.
+	* semanage: good error message is sepolgen python module missing
+	* restorecond: remove /etc/mtab from default list
+	* restorecond: Add /etc/udpatedb.conf to restorecond.conf
+	* sandbox: seunshare: do not reassign realloc value
+	* seunshare: do checking on setfsuid
+
 * Tue Jan 15 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.12-55
 - Update Translations
 - Fix handling of semanage generate --cgi -n MODULE PATHTO/CGI

