[policycoreutils] Sepolixy should not throw an exception on an SELinux disabled machine

Daniel J Walsh dwalsh at fedoraproject.org
Thu Feb 21 17:26:18 UTC 2013


commit 92a9b8454b249e54b06567c58b6b46246a34c0fb
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Feb 21 18:26:12 2013 +0100

    Sepolixy should not throw an exception on an SELinux disabled machine
    
    - Switch from using console app to using pkexec, so we will work better
    with policykit.
    - Add missing import to fix system-config-selinux startup
    - Add comment to pamd files about pam_rootok.so
    - Fix sepolicy generate to not comment out the first line

 policycoreutils-rhat.patch |  127 ++++++++++++++++++++++++++++++++------------
 policycoreutils.spec       |   22 +++++---
 2 files changed, 105 insertions(+), 44 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 04d36ac..3c32795 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -112,21 +112,20 @@ index a9e8893..0000000
 @@ -1 +0,0 @@
 -.so man1/audit2allow.1
 diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile
-index b5abbb9..7218c3e 100644
+index b5abbb9..513f2c4 100644
 --- a/policycoreutils/gui/Makefile
 +++ b/policycoreutils/gui/Makefile
-@@ -1,7 +1,10 @@
+@@ -1,7 +1,9 @@
  # Installation directories.
  PREFIX ?= ${DESTDIR}/usr
 +SYSCONFDIR ?= ${DESTDIR}/etc
  BINDIR ?= $(PREFIX)/bin
  SHAREDIR ?= $(PREFIX)/share/system-config-selinux
 +DATADIR ?= $(PREFIX)/share
-+PAMDIR ?= $(SYSCONFDIR)/pam.d
  
  TARGETS= \
  booleansPage.py \
-@@ -16,6 +19,7 @@ portsPage.py \
+@@ -16,6 +18,7 @@ portsPage.py \
  semanagePage.py \
  statusPage.py \
  system-config-selinux.glade \
@@ -134,28 +133,56 @@ index b5abbb9..7218c3e 100644
  usersPage.py
  
  all: $(TARGETS) system-config-selinux.py polgengui.py
-@@ -23,10 +27,20 @@ all: $(TARGETS) system-config-selinux.py polgengui.py
+@@ -23,11 +26,19 @@ all: $(TARGETS) system-config-selinux.py polgengui.py
  install: all
  	-mkdir -p $(SHAREDIR)
  	-mkdir -p $(BINDIR)
 +	-mkdir -p $(DATADIR)/pixmaps
 +	-mkdir -p $(DATADIR)/icons/hicolor/24x24/apps
 +	-mkdir -p $(SYSCONFDIR)
-+	-mkdir -p $(PAMDIR)
-+	-mkdir -p $(SYSCONFDIR)/security/console.apps/system-config-selinux
++	-mkdir -p $(DATADIR)/polkit-1/actions/
  	install -m 755 system-config-selinux.py $(SHAREDIR)
++	install -m 755 system-config-selinux $(BINDIR)
  	install -m 755 polgengui.py $(SHAREDIR)
 -	install -m 755 sepolgen $(BINDIR)
  	install -m 644 $(TARGETS) $(SHAREDIR)
+-
 +	install -m 644 system-config-selinux.png $(DATADIR)/pixmaps
 +	install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps
 +	install -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux
 +	install -m 644 *.desktop $(DATADIR)/system-config-selinux
-+	install -m 644 system-config-selinux.pam $(PAMDIR)/system-config-selinux
-+	install -m 644 system-config-selinux.console $(SYSCONFDIR)/security/console.apps/system-config-selinux
- 
++	install -m 644 org.fedoraproject.config.selinux.policy $(DATADIR)/polkit-1/actions/
  clean:
  
+ indent:
+diff --git a/policycoreutils/gui/org.fedoraproject.config.selinux.policy b/policycoreutils/gui/org.fedoraproject.config.selinux.policy
+new file mode 100644
+index 0000000..fcfa81d
+--- /dev/null
++++ b/policycoreutils/gui/org.fedoraproject.config.selinux.policy
+@@ -0,0 +1,22 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE policyconfig PUBLIC
++"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
++"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
++<policyconfig>
++
++ <vendor>System Config SELinux</vendor>
++ <vendor_url>http://fedorahosted.org/system-config-selinux</vendor_url>
++
++ <action id="org.fedoraproject.config.selinux.pkexec.run">
++    <description>Run System Config SELinux</description>
++    <message>Authentication is required to run system-config-selinux</message>
++    <icon_name>system-selinux</icon_name>
++    <defaults>
++     <allow_any>no</allow_any>
++     <allow_inactive>no</allow_inactive>
++     <allow_active>auth_admin</allow_active>
++    </defaults>
++    <annotate key="org.freedesktop.policykit.exec.path">/usr/share/system-config-selinux/system-config-selinux.py</annotate>
++    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
++ </action>
++</policyconfig>
 diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop
 new file mode 100644
 index 0000000..0c2f399
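Review bot: The `org.freedesktop.policykit.exec.path` annotation in the new policy file hard-codes `/usr/share/system-config-selinux/system-config-selinux.py`, while gui/Makefile installs that script under `$(SHAREDIR)`, which follows `PREFIX`. If the two ever differ, pkexec will not match this action for the installed script and should fall back to its generic exec action, where the `allow_gui` annotation does not apply. I would either generate the path at install time or pin the coupling with a comment above the annotation, e.g. `<!-- exec.path must equal $(SHAREDIR)/system-config-selinux.py as installed by gui/Makefile -->`. A second one-line comment that `allow_gui` makes the whole GUI run as root on the caller's display would tell later maintainers that the .py file is privileged code.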
@@ -237,15 +264,15 @@ index 2f0c1cc..0000000
 @@ -1,2 +0,0 @@
 -#!/bin/sh
 -sepolicy generate $*
-diff --git a/policycoreutils/gui/system-config-selinux.console b/policycoreutils/gui/system-config-selinux.console
-new file mode 100644
-index 0000000..42b48a3
+diff --git a/policycoreutils/gui/system-config-selinux b/policycoreutils/gui/system-config-selinux
+new file mode 100755
+index 0000000..5be5ccd
 --- /dev/null
-+++ b/policycoreutils/gui/system-config-selinux.console
++++ b/policycoreutils/gui/system-config-selinux
 @@ -0,0 +1,3 @@
-+USER=root
-+PROGRAM=/usr/share/system-config-selinux/system-config-selinux.py
-+SESSION=true
++#!/bin/sh
++
++exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py
 diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop
 new file mode 100644
 index 0000000..8822ce2
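Review bot: The new `system-config-selinux` wrapper drops any command-line arguments, because its `exec` line names only the script. If the GUI accepts options, which the consolehelper symlink removed in policycoreutils.spec presumably forwarded, I would write `exec /usr/bin/pkexec /usr/share/system-config-selinux/system-config-selinux.py "$@"`. The absolute `/usr/bin/pkexec` path is worth keeping, since it stops the wrapper from resolving pkexec through the caller's PATH.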
@@ -319,20 +346,6 @@ index 0000000..8822ce2
 +Categories=System;Security;
 +X-Desktop-File-Install-Version=0.2
 +Keywords=policy;security;selinux;avc;permission;mac;
-diff --git a/policycoreutils/gui/system-config-selinux.pam b/policycoreutils/gui/system-config-selinux.pam
-new file mode 100644
-index 0000000..6a8c230
---- /dev/null
-+++ b/policycoreutils/gui/system-config-selinux.pam
-@@ -0,0 +1,8 @@
-+#%PAM-1.0
-+auth       sufficient	pam_rootok.so
-+auth       sufficient   pam_timestamp.so
-+auth       include	system-auth
-+session	   required	pam_permit.so
-+session    optional	pam_xauth.so
-+session    optional     pam_timestamp.so
-+account    required	pam_permit.so
 diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui/system-config-selinux.png
 new file mode 100644
 index 0000000..68ffcb7
@@ -428,6 +441,17 @@ index 8fbf2d0..3510f12 100644
  
  	}
  	/*
+diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
+index d1b435c..de3582f 100644
+--- a/policycoreutils/newrole/newrole.pamd
++++ b/policycoreutils/newrole/newrole.pamd
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
++# Uncomment the next line if you do not want to enter your passwd everytime
++# auth       sufficient   pam_rootok.so
+ auth       include	system-auth
+ account    include	system-auth
+ password   include	system-auth
 diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
 index a377996..9c1486e 100644
 --- a/policycoreutils/po/Makefile
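Review bot: The comment added to newrole.pamd tells administrators how to enable `pam_rootok.so` but not what it costs. That module succeeds for any caller whose real UID is 0, so uncommenting it lets a root process change role without authenticating. The same two lines are added to run_init.pamd in a later hunk, where the commented rule is written `#auth` rather than `# auth`. I would state the trade-off in both files, e.g. `# pam_rootok.so lets callers already running as UID 0 skip authentication; leave it commented out if role changes must prompt for a password.`, and use one spelling for the commented rule.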
@@ -856,6 +880,17 @@ index 00a646f..2c28676 100644
      g_main_loop_unref (loop);
      return 0;
  }
+diff --git a/policycoreutils/run_init/run_init.pamd b/policycoreutils/run_init/run_init.pamd
+index d1b435c..1c323d2 100644
+--- a/policycoreutils/run_init/run_init.pamd
++++ b/policycoreutils/run_init/run_init.pamd
+@@ -1,4 +1,6 @@
+ #%PAM-1.0
++# Uncomment the next line if you do not want to enter your passwd everytime
++#auth       sufficient   pam_rootok.so
+ auth       include	system-auth
+ account    include	system-auth
+ password   include	system-auth
 diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
 index b629006..6631c2d 100644
 --- a/policycoreutils/sandbox/sandbox
@@ -1485,7 +1520,7 @@ index b25d3b2..7a15d88 100755
          sys.exit(0)
      except ValueError,e:
 diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
-index 5e7415c..10abeec 100644
+index 5e7415c..b9cb9cc 100644
 --- a/policycoreutils/sepolicy/sepolicy/__init__.py
 +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
 @@ -37,9 +37,30 @@ CLASS = 'class'
@@ -1521,7 +1556,15 @@ index 5e7415c..10abeec 100644
          policies = glob.glob ("%s.*" % path )
          policies.sort()
          return policies[-1]
-@@ -85,7 +106,7 @@ all_domains = None
+@@ -71,6 +92,7 @@ def get_all_role_allows():
+ 	return role_allows
+ 
+ def get_all_entrypoint_domains():
++    import re
+     all_domains = []
+     types=get_all_types()
+     types.sort()
+@@ -85,7 +107,7 @@ all_domains = None
  def get_all_domains():
  	global all_domains
  	if not all_domains:
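Review bot: `import re` is added inside `get_all_entrypoint_domains()` rather than with the module's other imports, so any other function in `sepolicy/__init__.py` that uses `re` would still fail with a NameError. The import block is outside this hunk, so I cannot confirm that `re` is absent there. If it is, a module-level `import re` is the conventional fix and covers every caller. The function body continues past the hunk.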
@@ -1530,7 +1573,7 @@ index 5e7415c..10abeec 100644
  	return all_domains
  
  roles = None
-@@ -139,49 +160,43 @@ def get_all_attributes():
+@@ -139,49 +161,43 @@ def get_all_attributes():
  	return all_attributes
  
  def policy(policy_file):
@@ -1562,8 +1605,8 @@ index 5e7415c..10abeec 100644
 -if not policy_file:
 -    policy_file = __get_installed_policy()
 -
-+policy_file = get_installed_policy()
  try:
++    policy_file = get_installed_policy()
      policy(policy_file)
  except ValueError, e:
      if selinux.is_selinux_enabled() == 1:
@@ -1599,6 +1642,20 @@ index 5e7415c..10abeec 100644
  booleans_dict = None
  def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
          global booleans_dict
+diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
+index 26f8390..19f6056 100644
+--- a/policycoreutils/sepolicy/sepolicy/generate.py
++++ b/policycoreutils/sepolicy/sepolicy/generate.py
+@@ -1037,7 +1037,8 @@ allow %s_t %s_t:%s_socket name_%s;
+ ########################################
+ #
+ # %s local policy
+-#""" % self.name
++#
++""" % self.name
+                 newte += self.generate_capabilities()
+                 newte += self.generate_process()
+ 		newte += self.generate_network_types()
 diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
 index 25062da..da17c48 100755
 --- a/policycoreutils/sepolicy/sepolicy/manpage.py
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 726d2aa..c20b273 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -87,12 +87,7 @@ rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
 rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8.gz
 rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8
 rm -f %{buildroot}/usr/sbin/open_init_pty
-rm -f %{buildroot}/usr/sbin/run_init
-rm -f %{buildroot}/usr/share/man/ru/man8/run_init.8*
-rm -f %{buildroot}/usr/share/man/man8/run_init.8*
-rm -f %{buildroot}/etc/pam.d/run_init*
 
-ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
 ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
 
 desktop-file-install	--vendor fedora \
@@ -234,12 +229,11 @@ system-config-selinux is a utility for managing the SELinux environment
 %{_datadir}/applications/fedora-selinux-polgengui.desktop
 %{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
 %{_datadir}/pixmaps/system-config-selinux.png
+%{_datadir}/polkit-1/actions/org.fedoraproject.config.selinux.policy
 %dir %{_datadir}/system-config-selinux
 %{_datadir}/system-config-selinux/system-config-selinux.png
 %{_datadir}/system-config-selinux/*.py*
 %{_datadir}/system-config-selinux/*.glade
-%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
-%config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux
 
 %clean
 rm -rf %{buildroot}
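Review bot: The gui subpackage now ships a polkit action, and the wrapper added in policycoreutils-rhat.patch execs `/usr/bin/pkexec`, but no visible hunk adds a dependency on the package that provides it. Unless a `Requires:` for polkit already exists outside these hunks, the launcher will fail to start on systems without pkexec installed. I would add `Requires: polkit` to the gui subpackage so the authorization path is guaranteed to be present.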
@@ -249,6 +243,7 @@ rm -rf %{buildroot}
 %{_sbindir}/restorecon
 %{_sbindir}/fixfiles
 %{_sbindir}/setfiles
+%{_sbindir}/run_init
 %{_sbindir}/load_policy
 %{_sbindir}/genhomedircon
 %{_sbindir}/setsebool
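Review bot: `%{_sbindir}/run_init` is now listed, and its man pages are added in a later hunk, but the `%install` hunk also stops deleting `%{buildroot}/etc/pam.d/run_init*` and no visible hunk adds that file to `%files`. If it is not already listed outside these hunks, the build should stop on an unpackaged file. I would add `%config(noreplace) %{_sysconfdir}/pam.d/run_init` next to this entry. `noreplace` matters here because the file now carries an administrator-editable `pam_rootok.so` line that an upgrade should not silently reset.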
@@ -266,6 +261,8 @@ rm -rf %{buildroot}
 %{_mandir}/man5/sestatus.conf.5.gz
 %{_mandir}/man8/fixfiles.8*
 %{_mandir}/ru/man8/fixfiles.8*
+%{_mandir}/man8/run_init.8*
+%{_mandir}/ru/man8/run_init.8*
 %{_mandir}/man8/load_policy.8*
 %{_mandir}/ru/man8/load_policy.8*
 %{_mandir}/man8/restorecon.8*
@@ -326,11 +323,18 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Thu Feb 21 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-8
+- Sepolixy should not throw an exception on an SELinux disabled machine
+- Switch from using console app to using pkexec, so we will work better
+with policykit.
+- Add missing import to fix system-config-selinux startup
+- Add comment to pamd files about pam_rootok.so
+- Fix sepolicy generate to not comment out the first line
+
 * Wed Feb 20 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-7
 - Add --root/-r flag to sepolicy manpage,
 - This allows us to generate man pages on the fly in the selinux-policy build
 
-
 * Mon Feb 18 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-6
 - Fix newrole to retain cap_audit_write when compiled with namespace, also
 do not drop capabilities when run as root.

