[policycoreutils: 2/4] Allow users with symlinked homedirs to work. call realpath on homedir

Daniel J Walsh dwalsh at fedoraproject.org
Thu Feb 28 20:31:40 UTC 2013


commit 4cc4167518fd81e466751f2cb132cb8d774a2534
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Feb 28 14:24:35 2013 -0500

    Allow users with symlinked homedirs to work. call realpath on homedir
    
    - Fix sepolicy reorganization of helper functions.

 policycoreutils-rhat.patch |  600 +++++++++++++++++++++++++++++++++++++++++++-
 policycoreutils.spec       |    6 +-
 2 files changed, 592 insertions(+), 14 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 1431b4c..99a228c 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -65,6 +65,19 @@ index 8e0c396..9bd66f5 100644
                            help="Translates SELinux audit messages into a description of why the access was denied")
  
          options, args = parser.parse_args()
+diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
+index a854a45..bc70938 100644
+--- a/policycoreutils/audit2allow/audit2allow.1
++++ b/policycoreutils/audit2allow/audit2allow.1
+@@ -171,7 +171,7 @@ $ semodule -i local.pp
+ 
+ .B Using audit2allow to generate and build module policy
+ $ cat /var/log/audit/audit.log | audit2allow -M local
+-Generating type enforcment file: local.te
++Generating type enforcement file: local.te
+ Compiling policy: checkmodule -M -m -o local.mod local.te
+ Building package: semodule_package -o local.pp -m local.mod
+ 
 diff --git a/policycoreutils/audit2allow/audit2why.1 b/policycoreutils/audit2allow/audit2why.1
 new file mode 100644
 index 0000000..a9e8893
@@ -356,6 +369,32 @@ diff --git a/policycoreutils/gui/system-config-selinux.png b/policycoreutils/gui
 new file mode 100644
 index 0000000..68ffcb7
 Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ
+diff --git a/policycoreutils/load_policy/load_policy.8 b/policycoreutils/load_policy/load_policy.8
+index f9ca36e..a86073f 100644
+--- a/policycoreutils/load_policy/load_policy.8
++++ b/policycoreutils/load_policy/load_policy.8
+@@ -19,7 +19,7 @@ values in the policy file.
+ suppress warning messages.
+ .TP
+ .B \-i
+-inital policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs).
++initial policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs).
+ 
+ .SH "EXIT STATUS"
+ .TP
+diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
+index 4963cdc..a55dbed 100644
+--- a/policycoreutils/man/man5/selinux_config.5
++++ b/policycoreutils/man/man5/selinux_config.5
+@@ -92,7 +92,7 @@ The binary policy name has by convention the SELinux policy version that it supp
+ .RS
+ This entry is deprecated and should be removed or set to \fI0\fR.
+ .sp
+-If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customisation for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)).
++If set to \fI1\fR, then \fBselinux_mkload_policy\fR(3) will read the local customization for booleans (see \fBbooleans\fR(5)) and users (see \fBlocal.users\fR(5)).
+ .RE
+ .sp
+ .B REQUIRESEUSERS
 diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
 index 8fbf2d0..3510f12 100644
 --- a/policycoreutils/newrole/newrole.c
@@ -488,6 +527,393 @@ index a377996..9c1486e 100644
  
  refresh-po: Makefile
  	for cat in $(POFILES); do \
+diff --git a/policycoreutils/po/es.po b/policycoreutils/po/es.po
+index e84995e..a60b20e 100644
+--- a/policycoreutils/po/es.po
++++ b/policycoreutils/po/es.po
+@@ -3,7 +3,9 @@
+ # This file is distributed under the same license as the PACKAGE package.
+ # 
+ # Translators:
++# Adolfo Jayme Barrientos <fitoschido at gmail.com>, 2013.
+ # Domingo Becker <domingobecker at gmail.com>, 2006, 2008.
++#  <ehespinosa at ya.com>, 2013.
+ # Gladys Guerrero <gguerrer at redhat.com>, 2010,2012.
+ # Héctor Daniel Cabrera <logan at fedoraproject.org>, 2010.
+ msgid ""
+@@ -11,8 +13,8 @@ msgstr ""
+ "Project-Id-Version: Policycoreutils\n"
+ "Report-Msgid-Bugs-To: \n"
+ "POT-Creation-Date: 2013-01-04 12:01-0500\n"
+-"PO-Revision-Date: 2013-01-04 17:02+0000\n"
+-"Last-Translator: dwalsh <dwalsh at redhat.com>\n"
++"PO-Revision-Date: 2013-02-23 11:46+0000\n"
++"Last-Translator: vareli <ehespinosa at ya.com>\n"
+ "Language-Team: Spanish <trans-es at lists.fedoraproject.org>\n"
+ "MIME-Version: 1.0\n"
+ "Content-Type: text/plain; charset=UTF-8\n"
+@@ -288,7 +290,7 @@ msgstr "Rango MLS/MCS"
+ 
+ #: ../semanage/seobject.py:672
+ msgid "Service"
+-msgstr ""
++msgstr "Servicio"
+ 
+ #: ../semanage/seobject.py:698 ../semanage/seobject.py:729
+ #: ../semanage/seobject.py:796 ../semanage/seobject.py:853
+@@ -425,7 +427,7 @@ msgstr "Se requiere tipo"
+ #: ../semanage/seobject.py:1814
+ #, python-format
+ msgid "Type %s is invalid, must be a port type"
+-msgstr ""
++msgstr "Tipo %s es no válido, debe ser un tipo de puerto"
+ 
+ #: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062
+ #: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123
+@@ -547,12 +549,12 @@ msgstr "Falta el protocolo o es desconocido"
+ 
+ #: ../semanage/seobject.py:1256
+ msgid "SELinux node type is required"
+-msgstr ""
++msgstr "Se requiere tipo de nodo SELinux"
+ 
+ #: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327
+ #, python-format
+ msgid "Type %s is invalid, must be a node type"
+-msgstr ""
++msgstr "Tipo %s es no válido, debe ser un tipo nodo"
+ 
+ #: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331
+ #: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465
+@@ -786,7 +788,7 @@ msgstr "La especificación de archivo %s choca con la regla de equivalencia '%s
+ #: ../semanage/seobject.py:1755
+ #, python-format
+ msgid "Type %s is invalid, must be a file or device type"
+-msgstr ""
++msgstr "Tipo %s es no válido, debe ser un tipo fichero o dispositivo"
+ 
+ #: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768
+ #: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906
+@@ -2174,11 +2176,11 @@ msgstr "La ruta en la cual se almacenarán las páginas de manual generadas "
+ 
+ #: ../sepolicy/sepolicy.py:207
+ msgid "name of the OS for man pages"
+-msgstr ""
++msgstr "nombre del SO para las páginas de manual"
+ 
+ #: ../sepolicy/sepolicy.py:209
+ msgid "Generate HTML man pages structure for selected SELinux man page"
+-msgstr ""
++msgstr "General páginas de manual de estructura HTML para la página de manual SELinux seleccionada"
+ 
+ #: ../sepolicy/sepolicy.py:213
+ msgid "All domains"
+@@ -2226,7 +2228,7 @@ msgstr "Solicita la política de SELinux para ver la descripción de booleanos"
+ 
+ #: ../sepolicy/sepolicy.py:280
+ msgid "get all booleans descriptions"
+-msgstr ""
++msgstr "obtiene todas las descripciones booleanas"
+ 
+ #: ../sepolicy/sepolicy.py:282
+ msgid "boolean to get description"
+@@ -2248,11 +2250,11 @@ msgstr "Dominio de proceso de destino"
+ 
+ #: ../sepolicy/sepolicy.py:327
+ msgid "Command required for this type of policy"
+-msgstr ""
++msgstr "Comando requerido para este tipo de política"
+ 
+ #: ../sepolicy/sepolicy.py:347
+ msgid "List SELinux Policy interfaces"
+-msgstr ""
++msgstr "Lista las interfaces de la Política SELinux"
+ 
+ #: ../sepolicy/sepolicy.py:362
+ msgid "Generate SELinux Policy module template"
+@@ -2260,15 +2262,15 @@ msgstr "Generar plantilla para módulo de política SELinux"
+ 
+ #: ../sepolicy/sepolicy.py:365
+ msgid "Enter domain type which you will be extending"
+-msgstr ""
++msgstr "Introduzca el tipo de dominio que usted estaría extendiendo"
+ 
+ #: ../sepolicy/sepolicy.py:368
+ msgid "Enter SELinux user(s) which will transition to this domain"
+-msgstr ""
++msgstr "Introduzca el usuario(s) SELinux que transicionará a este dominio"
+ 
+ #: ../sepolicy/sepolicy.py:371
+ msgid "Enter domain(s) that this confined admin will administrate"
+-msgstr ""
++msgstr "Introduzca el dominio(s) que este administrador confinado administrará"
+ 
+ #: ../sepolicy/sepolicy.py:374
+ msgid "name of policy to generate"
+@@ -2276,7 +2278,7 @@ msgstr "Nombre de política a generar"
+ 
+ #: ../sepolicy/sepolicy.py:378
+ msgid "path in which the generated policy files will be stored"
+-msgstr ""
++msgstr "ruta en la que los ficheros de política generados serán almacenados"
+ 
+ #: ../sepolicy/sepolicy.py:380
+ msgid "executable to confine"
+@@ -2290,7 +2292,7 @@ msgstr "Ejecutable a confinar"
+ #: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417
+ #, python-format
+ msgid "Generate Policy for %s"
+-msgstr ""
++msgstr "Generar Política para %s"
+ 
+ #: ../sepolicy/sepolicy.py:422
+ msgid "commands"
+@@ -2298,16 +2300,16 @@ msgstr "Comandos"
+ 
+ #: ../sepolicy/sepolicy.py:425
+ msgid "Alternate SELinux policy, defaults to /sys/fs/selinux/policy"
+-msgstr ""
++msgstr "Política SELinux suplente, por defecto a /sys/fs/selinux/policy"
+ 
+ #: ../sepolicy/sepolicy/__init__.py:48
+ msgid "No SELinux Policy installed"
+-msgstr ""
++msgstr "No hay Política SELinux instalada"
+ 
+ #: ../sepolicy/sepolicy/__init__.py:54
+ #, python-format
+ msgid "Failed to read %s policy file"
+-msgstr ""
++msgstr "Fallo al leer el fichero de política %s"
+ 
+ #: ../sepolicy/sepolicy/__init__.py:127
+ msgid "unknown"
+@@ -2319,27 +2321,27 @@ msgstr "Demonio de los servicios de Internet"
+ 
+ #: ../sepolicy/sepolicy/generate.py:177
+ msgid "Existing Domain Type"
+-msgstr ""
++msgstr "Tipo de Dominio Existente"
+ 
+ #: ../sepolicy/sepolicy/generate.py:178
+ msgid "Minimal Terminal Login User Role"
+-msgstr ""
++msgstr "Rol de Acceso de Usuario de Terminal Mínimo"
+ 
+ #: ../sepolicy/sepolicy/generate.py:179
+ msgid "Minimal X Windows Login User Role"
+-msgstr ""
++msgstr "Rol de Acceso de Usuario de X Windows Mínima"
+ 
+ #: ../sepolicy/sepolicy/generate.py:180
+ msgid "Desktop Login User Role"
+-msgstr ""
++msgstr "Rol de Acceso de Usuario a Escritorio"
+ 
+ #: ../sepolicy/sepolicy/generate.py:181
+ msgid "Administrator Login User Role"
+-msgstr ""
++msgstr "Rol de Acceso de Usuario Administrador"
+ 
+ #: ../sepolicy/sepolicy/generate.py:182
+ msgid "Confined Root Administrator Role"
+-msgstr ""
++msgstr "Rol de Administrador Confinado Root"
+ 
+ #: ../sepolicy/sepolicy/generate.py:187
+ msgid "Valid Types:\n"
+@@ -2352,12 +2354,12 @@ msgstr "Los puertos deben ser números o rangos de números entre 1 y %d"
+ 
+ #: ../sepolicy/sepolicy/generate.py:231
+ msgid "You must enter a valid policy type"
+-msgstr ""
++msgstr "Debe introducir un tipo válido de política"
+ 
+ #: ../sepolicy/sepolicy/generate.py:234
+ #, python-format
+ msgid "You must enter a name for your policy module for your %s."
+-msgstr ""
++msgstr "Debe introducir un nombre para su módulo de política para su %s."
+ 
+ #: ../sepolicy/sepolicy/generate.py:355
+ msgid ""
+@@ -2396,7 +2398,7 @@ msgstr "USER Types automáticamente obtiene un tipo tmp"
+ #: ../sepolicy/sepolicy/generate.py:857
+ #, python-format
+ msgid "%s policy modules require existing domains"
+-msgstr ""
++msgstr "%s módulo de política requieren dominios existentes"
+ 
+ #: ../sepolicy/sepolicy/generate.py:1059
+ msgid "You must enter the executable path for your confined process"
+@@ -2416,7 +2418,7 @@ msgstr "Archivo de contextos de archivo"
+ 
+ #: ../sepolicy/sepolicy/generate.py:1324
+ msgid "Spec file"
+-msgstr ""
++msgstr "Fichero spec"
+ 
+ #: ../sepolicy/sepolicy/generate.py:1325
+ msgid "Setup Script"
+@@ -2438,11 +2440,11 @@ msgstr "Permite a amavis usar un compilador de JIT"
+ 
+ #: booleans.py:4
+ msgid "Allow antivirus programs to read non security files on a system"
+-msgstr ""
++msgstr "Permitir a programas antivirus leer ficheros no asegurados sobre un sistema"
+ 
+ #: booleans.py:5
+ msgid "Allow auditadm to exec content"
+-msgstr ""
++msgstr "Permitir al administrador de auditoria ejecutar contenido"
+ 
+ #: booleans.py:6
+ msgid ""
+@@ -2456,11 +2458,11 @@ msgstr "Permite a usuarios iniciar sesión mediante un servidor Radius"
+ 
+ #: booleans.py:8
+ msgid "Allow users to login using a yubikey  server"
+-msgstr ""
++msgstr "Permite a los usuario acceder usando una servidor yubikey"
+ 
+ #: booleans.py:9
+ msgid "Allow awstats to purge Apache logs"
+-msgstr ""
++msgstr "Permitir a awstats purgar los registros de Apache"
+ 
+ #: booleans.py:10
+ msgid ""
+@@ -2528,11 +2530,11 @@ msgstr "Permite a todos los demonios la lectura y escritura de terminales"
+ 
+ #: booleans.py:25
+ msgid "Allow dan to manage user files"
+-msgstr ""
++msgstr "Permitir a dan gestionar los archivos del usuario"
+ 
+ #: booleans.py:26
+ msgid "Allow dan to read user files"
+-msgstr ""
++msgstr "Permitir a dan leer los archivos del usuario"
+ 
+ #: booleans.py:27
+ msgid "Allow dbadm to manage files in users home directories"
+@@ -2599,7 +2601,7 @@ msgstr "Permite al dominio en valla ejecutar ssh."
+ 
+ #: booleans.py:42
+ msgid "Allow all domains to execute in fips_mode"
+-msgstr ""
++msgstr "Permite ejecutar todos los dominios en modo fips"
+ 
+ #: booleans.py:43
+ msgid "Allow ftp to read and write files in the user home directories"
+@@ -2699,7 +2701,7 @@ msgstr "Permite a GSSD leer el directorio temp. Para acceder a kerberos tgt."
+ 
+ #: booleans.py:64
+ msgid "Allow guest to exec content"
+-msgstr ""
++msgstr "Permite al invitado ejecutar contenido"
+ 
+ #: booleans.py:65
+ msgid ""
+@@ -2854,7 +2856,7 @@ msgstr "Permite a HTTPD acceder a puertos Openstack"
+ 
+ #: booleans.py:100
+ msgid "Allow Apache to query NS records"
+-msgstr ""
++msgstr "Permite a Apache consultar registros NS"
+ 
+ #: booleans.py:101
+ msgid "Allow icecast to connect to all ports, not just sound ports."
+@@ -2951,7 +2953,7 @@ msgstr "Permite a las aplicaciones confinadas usar memoria compartida NSCD "
+ 
+ #: booleans.py:122
+ msgid "Allow openshift to lockdown app"
+-msgstr ""
++msgstr "Permite openshift para lockdown app"
+ 
+ #: booleans.py:123
+ msgid "Allow openvpn to read home directories"
+@@ -3116,7 +3118,7 @@ msgstr "Permite a SASL leer sombra"
+ 
+ #: booleans.py:161
+ msgid "Allow secadm to exec content"
+-msgstr ""
++msgstr "Permita a secadm ejecutar contenido"
+ 
+ #: booleans.py:162
+ msgid ""
+@@ -3188,7 +3190,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP"
+ 
+ #: booleans.py:174
+ msgid "Allow user  to use ssh chroot environment."
+-msgstr ""
++msgstr "Permite al usuario usar el entorno ssh chroot"
+ 
+ #: booleans.py:175
+ msgid "Allow user music sharing"
+@@ -3270,7 +3272,7 @@ msgstr "Permitir  ingresos ssh como sysadm_r:sysadm_t"
+ 
+ #: booleans.py:191
+ msgid "Allow staff to exec content"
+-msgstr ""
++msgstr "Permite a staff ejecutar contenido"
+ 
+ #: booleans.py:192
+ msgid "allow staff user to create and transition to svirt domains."
+@@ -3278,7 +3280,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP"
+ 
+ #: booleans.py:193
+ msgid "Allow sysadm to exec content"
+-msgstr ""
++msgstr "Permite a sysadm ejecutar contenido"
+ 
+ #: booleans.py:194
+ msgid ""
+@@ -3297,7 +3299,7 @@ msgstr "Permite a tftp modificar los archivos públicos utilizados para servicio
+ 
+ #: booleans.py:197
+ msgid "Allow tftp to read and write files in the user home directories"
+-msgstr ""
++msgstr "Permite a tftp leer y escribir archivos en los directorios home de usuario"
+ 
+ #: booleans.py:198
+ msgid "Allow tor daemon to bind tcp sockets to all unreserved ports."
+@@ -3305,7 +3307,7 @@ msgstr "Permite a scripts y módulos HTTPD la conexión al puerto LDAP"
+ 
+ #: booleans.py:199
+ msgid "Allow tor to act as a relay"
+-msgstr ""
++msgstr "Permite a tor actuar como relé"
+ 
+ #: booleans.py:200
+ msgid ""
+@@ -3353,7 +3355,7 @@ msgstr "Soporta directorios principales de Samba"
+ 
+ #: booleans.py:210
+ msgid "Allow user to exec content"
+-msgstr ""
++msgstr "Permite al usuario ejecutar contenido"
+ 
+ #: booleans.py:211
+ msgid "Allow varnishd to connect to all ports, not just HTTP."
+@@ -3383,7 +3385,7 @@ msgstr "Permite a los huéspedes virtuales confinados administrar archivos NFS"
+ 
+ #: booleans.py:217
+ msgid "Allow confined virtual guests to interact with rawip sockets"
+-msgstr ""
++msgstr "Permite a los invitados virtuales confinados interactuar con sockets rawip"
+ 
+ #: booleans.py:218
+ msgid "Allow confined virtual guests to manage cifs files"
+@@ -3447,7 +3449,7 @@ msgstr "Permite a los usuario xguest configurar el Network Manager  y  conectar
+ 
+ #: booleans.py:232
+ msgid "Allow xguest to exec content"
+-msgstr ""
++msgstr "Permite a xguest ejecutar contenido"
+ 
+ #: booleans.py:233
+ msgid "Allow xguest users to mount removable media"
 diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po
 index 72ae12d..649d288 100644
 --- a/policycoreutils/po/ja.po
@@ -920,10 +1346,19 @@ index b629006..6631c2d 100644
  
          parser.add_option("-l", "--level", dest="level", 
 diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
-index 521afcd..a50eef2 100644
+index 521afcd..ef90ce6 100644
 --- a/policycoreutils/sandbox/sandbox.8
 +++ b/policycoreutils/sandbox/sandbox.8
-@@ -70,7 +70,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
+@@ -59,7 +59,7 @@ sandbox_net_t	-	All network ports
+ 
+ .TP
+ \fB\-T\ tmpdir
+-Use alternate tempory directory to mount on /tmp.  Defaults to tmpfs. Requires -X or -M.
++Use alternate temporary directory to mount on /tmp.  Defaults to tmpfs. Requires -X or -M.
+ .TP
+ \fB\-S
+ Run a full desktop session, Requires level, and home and tmpdir.
+@@ -70,14 +70,14 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
  \fB\-W windowmanager\fR
  Select alternative window manager to run within 
  .B sandbox -X.
@@ -932,6 +1367,14 @@ index 521afcd..a50eef2 100644
  .TP
  \fB\-X\fR 
  Create an X based Sandbox for gui apps, temporary files for
+ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
+ .TP
+ \fB\-d\fR
+-Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI.
++Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
+ .TP
+ \fB\-c\fR
+ Use control groups to control this copy of sandbox.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
 diff --git a/policycoreutils/sandbox/sandboxX.sh b/policycoreutils/sandbox/sandboxX.sh
 index 23de6f6..171bb05 100644
 --- a/policycoreutils/sandbox/sandboxX.sh
@@ -958,18 +1401,40 @@ index 23de6f6..171bb05 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index dbd5977..f10df39 100644
+index dbd5977..68a80c7 100644
 --- a/policycoreutils/sandbox/seunshare.c
 +++ b/policycoreutils/sandbox/seunshare.c
-@@ -962,7 +962,7 @@ int main(int argc, char **argv) {
+@@ -961,8 +961,9 @@ int main(int argc, char **argv) {
+ 		char *display = NULL;
  		char *LANG = NULL;
  		int rc = -1;
++		char *resolved_path = NULL;
  
 -		if (unshare(CLONE_NEWNS) < 0) {
 +		if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
  			perror(_("Failed to unshare"));
  			goto childerr;
  		}
+@@ -977,8 +978,10 @@ int main(int argc, char **argv) {
+ 		/* assume fsuid==ruid after this point */
+ 		if ((uid_t)setfsuid(uid) != 0) goto childerr;
+ 
++		resolved_path = realpath(pwd->pw_dir,NULL);
++		if (! resolved_path) goto childerr;
+ 		/* mount homedir and tmpdir, in this order */
+-		if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir,
++		if (homedir_s && seunshare_mount(homedir_s, resolved_path,
+ 			&st_homedir) != 0) goto childerr;
+ 		if (tmpdir_s &&	seunshare_mount(tmpdir_r, "/tmp",
+ 			&st_tmpdir_r) != 0) goto childerr;
+@@ -1033,6 +1036,7 @@ int main(int argc, char **argv) {
+ 		execv(argv[optind], argv + optind);
+ 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
++		free(resolved_path);
+ 		free(display);
+ 		free(LANG);
+ 		exit(-1);
 diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile
 index 201a988..f5d6e9d 100644
 --- a/policycoreutils/scripts/Makefile
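Review bot: The added `realpath(pwd->pw_dir,NULL)` call in seunshare.c runs even when `homedir_s` is NULL, so an invocation that mounts only a tmpdir now exits through `childerr` whenever the home directory cannot be resolved. It also exits without a message, unlike the `unshare` failure just above it. Guarding it as `if (homedir_s && !(resolved_path = realpath(pwd->pw_dir, NULL))) { perror(_("Failed to resolve home directory")); goto childerr; }` keeps the tmpdir-only path working and reports the error. The mount target is now the resolved path, while `st_homedir` is filled in outside this hunk, presumably from a check on `pwd->pw_dir`. Since this mount step appears to run with elevated privileges, confirm that `seunshare_mount` re-verifies the resolved directory against `st_homedir`, so that the checked and mounted directories cannot diverge; `main` starts and continues outside the hunk.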
@@ -998,6 +1463,28 @@ index 201a988..f5d6e9d 100644
  	install -m 644 chcat.8 $(MANDIR)/man8/
  
  clean:
+diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
+index 9ab7334..f263805 100644
+--- a/policycoreutils/scripts/fixfiles.8
++++ b/policycoreutils/scripts/fixfiles.8
+@@ -30,7 +30,7 @@ as you expect.  By default it will relabel all mounted ext2, ext3, xfs and
+ jfs file systems as long as they do not have a security context mount 
+ option.  You can use the -R flag to use rpmpackages as an alternative.
+ The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
+-excluded from relabelling.
++excluded from relabeling.
+ .P
+ .B fixfiles onboot 
+ will setup the machine to relabel on the next reboot.
+@@ -56,7 +56,7 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
+ 
+ .TP 
+ .B -v
+-Modify verbosity from progess to verbose. (Run restorecon with -v instead of -p)
++Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p)
+ 
+ .SH "ARGUMENTS"
+ One of:
 diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8
 deleted file mode 100644
 index 8ec509c..0000000
@@ -1028,6 +1515,19 @@ index 8ec509c..0000000
 -
 -.SH "SEE ALSO"
 -semanage.conf(5), semodule(8), semanage(8), getpwent(3), getpwent_r(3)
+diff --git a/policycoreutils/secon/secon.1 b/policycoreutils/secon/secon.1
+index 6c30734..5e7f885 100644
+--- a/policycoreutils/secon/secon.1
++++ b/policycoreutils/secon/secon.1
+@@ -96,7 +96,7 @@ If that argument is
+ .I -
+ then the context will be read from stdin.
+ .br
+-If there is no arugment, 
++If there is no argument, 
+ .B secon
+ will try reading a context from stdin, if that is not a tty, otherwise 
+ .B secon
 diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
 new file mode 100644
 index 0000000..e15a877
@@ -1350,6 +1850,18 @@ index 17b4fa5..6947b37 100644
  	parse_command_line(argc, argv);
  
  	if (build)
+diff --git a/policycoreutils/semodule_package/semodule_unpackage.8 b/policycoreutils/semodule_package/semodule_unpackage.8
+index 62dd53e..d6e1be0 100644
+--- a/policycoreutils/semodule_package/semodule_unpackage.8
++++ b/policycoreutils/semodule_package/semodule_unpackage.8
+@@ -1,6 +1,6 @@
+ .TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA
+ .SH NAME
+-semodule_unpackage \- Extract polciy module and file context file from an SELinux policy module unpackage.
++semodule_unpackage \- Extract policy module and file context file from an SELinux policy module unpackage.
+ 
+ .SH SYNOPSIS
+ .B semodule_unpackage <module> [<file contexts>]
 diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
 index 11b534f..eb86eae 100644
 --- a/policycoreutils/sepolicy/Makefile
@@ -1436,7 +1948,7 @@ index b6abdf5..c05c943 100644
  Generate an additional HTML man pages for the specified domain(s).
  
 diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
-index b25d3b2..7a15d88 100755
+index b25d3b2..600eee2 100755
 --- a/policycoreutils/sepolicy/sepolicy.py
 +++ b/policycoreutils/sepolicy/sepolicy.py
 @@ -22,6 +22,8 @@
@@ -1448,12 +1960,74 @@ index b25d3b2..7a15d88 100755
  from sepolicy import get_os_version
  import argparse
  import gettext
-@@ -198,44 +200,44 @@ def network(args):
-                 _print_net(d, net, "name_bind")
- 
- def manpage(args):
--    from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
-+    from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains, get_all_domains
+@@ -45,7 +47,7 @@ class CheckPath(argparse.Action):
+ 
+ class CheckType(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+-        from sepolicy.network import domains
++        domains = sepolicy.get_all_domains()
+ 
+         if isinstance(values,str):
+             setattr(namespace, self.dest, values)
+@@ -60,7 +62,7 @@ class CheckType(argparse.Action):
+ 
+ class CheckDomain(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+-        from sepolicy.network import domains
++        domains = sepolicy.get_all_domains()
+ 
+         if isinstance(values,str):
+             if values not in domains:
+@@ -80,7 +82,6 @@ class CheckDomain(argparse.Action):
+ all_classes = None
+ class CheckClass(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+-        import sepolicy
+         global all_classes
+         if not all_classes:
+                 all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
+@@ -114,7 +115,7 @@ class CheckPort(argparse.Action):
+ 
+ class CheckPortType(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+-        from sepolicy.network import port_types
++        domains = sepolicy.get_all_port_types()
+         newval = getattr(namespace, self.dest)
+         if not newval:
+             newval = []
+@@ -140,19 +141,17 @@ class CheckPolicyType(argparse.Action):
+ 
+ class CheckUser(argparse.Action):
+     def __call__(self, parser, namespace, value, option_string=None):
+-        from sepolicy import get_all_users
+         newval = getattr(namespace, self.dest)
+         if not newval:
+             newval = []
+-        users = get_all_users()
++        users = sepolicy.get_all_users()
+         if value not in users:
+                 raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users)))
+         newval.append(value)
+         setattr(namespace, self.dest, newval)
+ 
+ def _print_net(src, protocol, perm):
+-    from sepolicy.network import get_network_connect
+-    portdict = get_network_connect(src, protocol, perm)
++    portdict = sepolicy.get_network_connect(src, protocol, perm)
+     if len(portdict) > 0:
+         print "%s: %s %s" % (src, protocol, perm)
+         for p in portdict:
+@@ -160,7 +159,7 @@ def _print_net(src, protocol, perm):
+                 print "\t" + recs
+ 
+ def network(args):
+-    from sepolicy.network import portrecsbynum, portrecs, get_network_connect
++    portrecs, portrecsbynum = sepolicy.gen_port_dict()
+     if args.list_ports:
+         all_ports = []
+         for i in portrecs:
+@@ -201,41 +200,41 @@ def manpage(args):
+     from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
  
      path = args.path
 -    if args.policy:
@@ -1517,7 +2091,7 @@ index b25d3b2..7a15d88 100755
  
  def gen_network_args(parser):
          net = parser.add_parser("network",
-@@ -283,7 +285,6 @@ def gen_communicate_args(parser):
+@@ -283,7 +282,6 @@ def gen_communicate_args(parser):
      comm.set_defaults(func=communicate)
  
  def booleans(args):
@@ -1525,7 +2099,7 @@ index b25d3b2..7a15d88 100755
      from sepolicy import boolean_desc
      if args.all:
          rc, args.booleans = selinux.security_get_boolean_names()
-@@ -461,7 +462,10 @@ if __name__ == '__main__':
+@@ -461,7 +459,10 @@ if __name__ == '__main__':
      gen_transition_args(subparsers)
  
      try:
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 93bebf3..361e422 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -324,6 +324,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Thu Feb 28 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-14
+- Allow users with symlinked homedirs to work. call realpath on homedir
+- Fix sepolicy reorganization of helper functions.
+
 * Sun Feb 24 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-13
 - Update trans
 - Fix sepolicy reorganization of helper functions.

