[policycoreutils/f18] Back more sepolicy fixes from Rawhide

Daniel J Walsh dwalsh at fedoraproject.org
Fri Mar 8 21:41:40 UTC 2013


commit ad1b1a7e9463ce9d63e1ca987381ed6d05aa55a0
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Mar 8 16:41:33 2013 -0500

    Back more sepolicy fixes from Rawhide

 policycoreutils-rawhide.patch | 2406 ++++++++++++++++++++++++++---------------
 policycoreutils.spec          |    7 +-
 2 files changed, 1516 insertions(+), 897 deletions(-)
---
diff --git a/policycoreutils-rawhide.patch b/policycoreutils-rawhide.patch
index 5a115cb..f9a6d4d 100644
--- a/policycoreutils-rawhide.patch
+++ b/policycoreutils-rawhide.patch
@@ -1,261 +1,764 @@
-diff -r -u policycoreutils-2.1.13/sepolicy/info.c ../master/policycoreutils-2.1.14/sepolicy/info.c
---- policycoreutils-2.1.13/sepolicy/info.c	2013-02-08 13:11:51.890426890 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/info.c	2013-02-07 12:21:11.000000000 -0500
-@@ -988,39 +988,51 @@
- {
- 	PyObject* output = NULL;
+diff -up policycoreutils-2.1.13/gui/domainsPage.py.f19 policycoreutils-2.1.13/gui/domainsPage.py
+--- policycoreutils-2.1.13/gui/domainsPage.py.f19	2013-03-08 16:38:34.368361145 -0500
++++ policycoreutils-2.1.13/gui/domainsPage.py	2013-03-08 16:38:34.680362210 -0500
+@@ -26,7 +26,7 @@ import sys
+ import seobject
+ import selinux
+ from semanagePage import *;
+-from sepolicy.generate import get_all_domains
++from sepolicy import get_all_entrypoint_domains
  
-+	switch(type) {
- 	/* display requested info */
--	if (type == TYPE)
-+	case TYPE:
- 		output = get_types(name, policy);
--
--	if (type == ATTRIBUTE)
-+		break;
-+	case ATTRIBUTE:
- 		output = get_attribs(name, policy);
--
--	if (type == ROLE)
-+		break;
-+	case ROLE:
- 		output = get_roles(name, policy);
--
--	if (type == USER)
-+		break;
-+	case USER:
- 		output = get_users(name, policy);
--
--	if (type == CLASS)
-+		break;
-+	case CLASS:
- 		output = get_classes(name, policy);
--
--	if (type == BOOLEAN)
-+		break;
-+	case BOOLEAN:
- 		output = get_booleans(name, policy);
+ ##
+ ## I18N
+@@ -68,7 +68,7 @@ class domainsPage(semanagePage):
+         self.permissive_button = xml.get_widget("permissiveButton")
+         self.enforcing_button = xml.get_widget("enforcingButton")
+ 
+-        self.domains=get_all_domains()
++        self.domains=get_all_entrypoint_domains()
+         self.load()
+ 
+     def get_modules(self):
+diff -up policycoreutils-2.1.13/gui/statusPage.py.f19 policycoreutils-2.1.13/gui/statusPage.py
+--- policycoreutils-2.1.13/gui/statusPage.py.f19	2013-03-08 16:38:34.376361172 -0500
++++ policycoreutils-2.1.13/gui/statusPage.py	2013-03-08 16:38:34.680362210 -0500
+@@ -177,7 +177,11 @@ class statusPage:
+ 
+     def read_selinux_config(self):
+         self.initialtype = selinux.selinux_getpolicytype()[1]
+-        self.initEnabled = selinux.selinux_getenforcemode()[1]
++        try:
++            self.initEnabled = selinux.selinux_getenforcemode()[1]
++        except:
++            self.initEnabled = False
++            pass
+         self.enabled = self.initEnabled
+         self.enabledOptionMenu.set_active(self.enabled + 1 )
+ 
+diff -up policycoreutils-2.1.13/restorecond/Makefile.f19 policycoreutils-2.1.13/restorecond/Makefile
+--- policycoreutils-2.1.13/restorecond/Makefile.f19	2012-09-25 16:17:37.000000000 -0400
++++ policycoreutils-2.1.13/restorecond/Makefile	2013-03-08 16:38:34.681362214 -0500
+@@ -5,6 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
+ MANDIR = $(PREFIX)/share/man
+ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+ DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
++SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
+ 
+ autostart_DATA = sealertauto.desktop
+ INITDIR = $(DESTDIR)/etc/rc.d/init.d
+@@ -39,7 +40,8 @@ install: all
+ 	install -m 644 restorecond.desktop $(AUTOSTARTDIR)/restorecond.desktop
+ 	-mkdir -p $(DBUSSERVICEDIR)
+ 	install -m 600 org.selinux.Restorecond.service  $(DBUSSERVICEDIR)/org.selinux.Restorecond.service
 -
--	if (type == PORT)
-+		break;
-+	case PORT:
- 		output = get_ports(name, policy);
-+		break;
-+	default:
-+		errno = EINVAL;
-+		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+		break;
-+	}
++	-mkdir -p $(SYSTEMDDIR)/system
++	install -m 644 restorecond.service $(SYSTEMDDIR)/system/
+ relabel: install
+ 	/sbin/restorecon $(SBINDIR)/restorecond 
+ 
+diff -up policycoreutils-2.1.13/restorecond/restorecond.conf.f19 policycoreutils-2.1.13/restorecond/restorecond.conf
+--- policycoreutils-2.1.13/restorecond/restorecond.conf.f19	2013-03-08 16:38:34.602361944 -0500
++++ policycoreutils-2.1.13/restorecond/restorecond.conf	2013-03-08 16:38:34.682362217 -0500
+@@ -1,6 +1,7 @@
+ /etc/services
+ /etc/resolv.conf
+ /etc/samba/secrets.tdb
++/etc/updatedb.conf
+ /var/run/utmp
+ /var/log/wtmp
+ /root/*
+diff -up policycoreutils-2.1.13/restorecond/user.c.f19 policycoreutils-2.1.13/restorecond/user.c
+--- policycoreutils-2.1.13/restorecond/user.c.f19	2012-09-25 16:17:37.000000000 -0400
++++ policycoreutils-2.1.13/restorecond/user.c	2013-03-08 16:38:34.682362217 -0500
+@@ -54,6 +54,7 @@ static const char *PATH="/org/selinux/Re
+ static const char *INTERFACE="org.selinux.RestorecondIface";
+ static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
  
- 	return output;
++static int local_lock_fd = -1;
+ 
+ static DBusHandlerResult
+ signal_filter (DBusConnection *connection  __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
+@@ -201,17 +202,18 @@ static int local_server() {
+ 			perror("asprintf");
+ 		return -1;
+ 	}
+-	int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
++	local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ 	if (debug_mode)
+ 		g_warning ("Lock file: %s", ptr);
+ 
+ 	free(ptr);
+-	if (fd < 0) {
++	if (local_lock_fd < 0) {
+ 		if (debug_mode)
+ 			perror("open");
+ 		return -1;
+ 	}
+-	if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
++	if (flock(local_lock_fd, LOCK_EX | LOCK_NB) < 0) {
++		close(local_lock_fd);
+ 		if (debug_mode)
+ 			perror("flock");
+ 		return -1;
+@@ -226,6 +228,12 @@ static int local_server() {
+ 	return 0;
  }
  
- PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
--    unsigned int type;
--    char *name;
-+    int type;
-+    const char *name;
-     
-+    if (!policy) {
-+	    PyErr_SetString(PyExc_RuntimeError,"Policy not loaded");
-+	    return NULL;
-+    }
++static void end_local_server(void) {
++	if (local_lock_fd >= 0)
++		close(local_lock_fd);
++	local_lock_fd = -1;
++}
 +
-     if (!PyArg_ParseTuple(args, "iz", &type, &name))
-         return NULL;
+ int server(int master_fd, const char *watch_file) {
+     GMainLoop *loop;
  
--    return Py_BuildValue("N",info(type, name));
-+    return info(type, name);
+@@ -253,6 +261,7 @@ int server(int master_fd, const char *wa
+     g_main_loop_run (loop);
+ 
+ end:
++    end_local_server();
+     g_main_loop_unref (loop);
+     return 0;
  }
+diff -up policycoreutils-2.1.13/sandbox/seunshare.c.f19 policycoreutils-2.1.13/sandbox/seunshare.c
+--- policycoreutils-2.1.13/sandbox/seunshare.c.f19	2013-03-08 16:38:34.603361947 -0500
++++ policycoreutils-2.1.13/sandbox/seunshare.c	2013-03-08 16:38:34.683362221 -0500
+@@ -31,12 +31,6 @@
+ #include <selinux/context.h>	/* for context-mangling functions */
+ #include <dirent.h>
  
- void init_info (PyObject *m) {
-diff -r -u policycoreutils-2.1.13/sepolicy/Makefile ../master/policycoreutils-2.1.14/sepolicy/Makefile
---- policycoreutils-2.1.13/sepolicy/Makefile	2013-02-08 13:11:51.888426884 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/Makefile	2013-02-07 12:21:11.000000000 -0500
-@@ -23,10 +23,10 @@
- 	-rm -rf build *~ \#* *pyc .#*
+-
+-/*
+- * Note setfsuid never returns an error code.  But the compiler complains if 
+- * I do not check, so I am checking for -1, which should never happen.
+- */
+-
+ #ifdef USE_NLS
+ #include <locale.h>		/* for setlocale() */
+ #include <libintl.h>		/* for gettext() */
+@@ -623,13 +617,17 @@ static int cleanup_tmpdir(const char *tm
+ 	free(cmdbuf); cmdbuf = NULL;
  
- install:
--	[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
- 	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
- 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
- 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
-+	-mkdir -p $(MANDIR)/man8
-+	install -m 644 *.8 $(MANDIR)/man8
- 	-mkdir -p $(BASHCOMPLETIONDIR)
- 	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
--	install -m 644 *.8 $(MANDIR)/man8
-diff -r -u policycoreutils-2.1.13/sepolicy/search.c ../master/policycoreutils-2.1.14/sepolicy/search.c
---- policycoreutils-2.1.13/sepolicy/search.c	2013-02-08 13:11:51.891426893 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/search.c	2013-02-07 12:21:11.000000000 -0500
-@@ -204,14 +204,14 @@
- 			goto err;
+ 	/* remove runtime temporary directory */
+-	if (setfsuid(0) < 0) 
++	if ((uid_t)setfsuid(0) != pwd->pw_uid) {
++		fprintf(stderr, _("Unable to switch to root to clear tmp dir\n"));
+ 		rc++;
++	}
  
- 		rt = py_append_obj(output, dict);
--		Py_DECREF(dict); dict=NULL;
- 		if (rt) goto err;
-+		py_decref(dict); dict=NULL;
- 	}
- 	goto cleanup;
- err:
- 	error = errno;
- 	PyErr_SetString(PyExc_RuntimeError,strerror(error));
--	Py_DECREF(dict); dict=NULL;
-+	py_decref(dict);
+ 	if (rmdir(tmpdir) == -1)
+ 		fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno));
+-	if (setfsuid(pwd->pw_uid) < 0) 
++	if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
++		fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
+ 		rc++;
++	}
  
- cleanup:
- 	errno = error;
-@@ -329,7 +329,8 @@
- 		if (expr_type != QPOL_COND_EXPR_BOOL) {
- 			obj = PyString_FromString(apol_cond_expr_type_to_str(expr_type));
- 			if (!obj) goto err;
--			py_append_obj(boollist, obj);
-+			if (py_append_obj(boollist, obj))
-+				goto err;
- 		} else {
- 			tuple = PyTuple_New(2);
- 			if (!tuple) goto err;
-@@ -405,7 +406,7 @@
- 			obj = get_bool(q, cond, enabled);
- 			if (!obj) goto err;
- 			rt = PyDict_SetItemString(dict, "boolean", obj);
--			Py_DECREF(obj);
-+			py_decref(obj);
- 		}
+ 	return rc;
+ }
+@@ -651,7 +649,7 @@ static char *create_tmpdir(const char *s
  
- 		if (qpol_terule_get_rule_type(q, rule, &rule_type))
-@@ -529,9 +530,8 @@
+ 	/* get selinux context */
+ 	if (execcon) {
+-		if (setfsuid(pwd->pw_uid) < 0) 
++		if ((uid_t)setfsuid(pwd->pw_uid) != 0)
+ 			goto err;
+ 
+ 		if ((fd_s = open(src, O_RDONLY)) < 0) {
+@@ -672,7 +670,7 @@ static char *create_tmpdir(const char *s
  		}
- 	}
  
--	if (apol_filename_trans_get_by_query(policy, ftq, v)) {
--		error = errno;
--	}
-+	if (apol_filename_trans_get_by_query(policy, ftq, v))
-+		goto err;
+ 		/* ok to not reach this if there is an error */
+-		if (setfsuid(0) < 0) 
++		if ((uid_t)setfsuid(0) != pwd->pw_uid)
+ 			goto err;
+ 	}
  
- 	apol_filename_trans_query_destroy(&ftq);
- 	return 0;
-@@ -713,6 +713,7 @@
- 			s = NULL;
+@@ -728,7 +726,7 @@ static char *create_tmpdir(const char *s
  		}
- 		free(tmp);
-+		tmp = NULL;
  	}
  
- 	if (!(opt->semantic) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
-@@ -828,13 +829,14 @@
- 
- 		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
- 			const char *perm_name = NULL;
--			qpol_iterator_get_item(iter, (void **)&perm_name);
-+			if (qpol_iterator_get_item(iter, (void **)&perm_name))
-+				goto err;
- 			if (py_append_string(permlist, perm_name))
- 				goto err;
- 		}
+-	if (setfsuid(pwd->pw_uid) < 0) 
++	if ((uid_t)setfsuid(pwd->pw_uid) != 0)
+ 		goto err;
  
- 		rt = PyDict_SetItemString(dict, "permlist", permlist);
--		Py_DECREF(permlist); permlist=NULL;
-+		py_decref(permlist); permlist=NULL;
- 		if (rt) goto err;
+ 	if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
+@@ -736,7 +734,7 @@ static char *create_tmpdir(const char *s
+ 	}
  
- 		if (qpol_avrule_get_cond(q, rule, &cond))
-@@ -844,17 +846,17 @@
+ 	/* ok to not reach this if there is an error */
+-	if (setfsuid(0) < 0) 
++	if ((uid_t)setfsuid(0) != pwd->pw_uid)
+ 		goto err;
  
- 		obj = PyBool_FromLong(enabled);
- 		rt = PyDict_SetItemString(dict, "enabled", obj);
--		Py_DECREF(obj);
-+		py_decref(obj);
+ 	if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
+@@ -788,10 +786,13 @@ killall (security_context_t execcon)
+ 			continue;
  
- 		if (cond) {
- 			obj = get_bool(q, cond, enabled);
- 			if (!obj) goto err;
- 			rt = PyDict_SetItemString(dict, "boolean", obj);
--			Py_DECREF(obj);
-+			py_decref(obj);
+ 		if (pids == max_pids) {
+-			if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
++			pid_t *new_pid_table = realloc(pid_table, 2*pids*sizeof(pid_t));
++			if (!new_pid_table) {
++				free(pid_table);
+ 				(void)closedir(dir);
+ 				return -1;
+ 			}
++			pid_table = new_pid_table;
+ 			max_pids *= 2;
  		}
+ 		pid_table[pids++] = pid;
+@@ -930,7 +931,7 @@ int main(int argc, char **argv) {
+ 	/* Changing fsuid is usually required when user-specified directory is
+ 	 * on an NFS mount.  It's also desired to avoid leaking info about
+ 	 * existence of the files not accessible to the user. */
+-	if (setfsuid(uid) < 0) 
++	if ((uid_t)setfsuid(uid) != 0)
+ 		return -1;
  
- 		rt = py_append_obj(output, dict);
--		Py_DECREF(dict); dict=NULL;
-+		py_decref(dict); dict=NULL;
- 		if (rt) goto err;
+ 	/* verify homedir and tmpdir */
+@@ -940,7 +941,7 @@ int main(int argc, char **argv) {
+ 	if (tmpdir_s && (
+ 		verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
+ 		check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
+-	if (setfsuid(0) < 0) return -1;
++	if ((uid_t)setfsuid(0) != uid) return -1;
  
- 		free(rule_str);	rule_str = NULL;
-@@ -912,15 +914,8 @@
- 		cmd_opts.perm_vector = apol_vector_create(free);
- 		cmd_opts.permlist = strdup(permlist);
- 	}
--	int pol_opt = 0;
--	if (!(cmd_opts.nallow || cmd_opts.all))
--		pol_opt |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
+ 	/* create runtime tmpdir */
+ 	if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
+@@ -961,7 +962,7 @@ int main(int argc, char **argv) {
+ 		char *LANG = NULL;
+ 		int rc = -1;
+ 
+-		if (unshare(CLONE_NEWNS) < 0) {
++		if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
+ 			perror(_("Failed to unshare"));
+ 			goto childerr;
+ 		}
+@@ -974,7 +975,7 @@ int main(int argc, char **argv) {
+ 		}
+ 
+ 		/* assume fsuid==ruid after this point */
+-		if (setfsuid(uid) < 0) goto childerr;
++		if ((uid_t)setfsuid(uid) != 0) goto childerr;
+ 
+ 		/* mount homedir and tmpdir, in this order */
+ 		if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir,
+@@ -991,7 +992,7 @@ int main(int argc, char **argv) {
+ 				goto childerr;
+ 			}
+ 		}
+-		
++
+ 		/* construct a new environment */
+ 		if ((LANG = getenv("LANG")) != NULL) {
+ 			if ((LANG = strdup(LANG)) == NULL) {
+@@ -999,14 +1000,14 @@ int main(int argc, char **argv) {
+ 				goto childerr;
+ 			}
+ 		}
+-		
++
+ 		if ((rc = clearenv()) != 0) {
+ 			perror(_("Failed to clear environment"));
+ 			goto childerr;
+ 		}
+ 		if (display)
+ 			rc |= setenv("DISPLAY", display, 1);
+-		if (LANG) 
++		if (LANG)
+ 			rc |= setenv("LANG", LANG, 1);
+ 		rc |= setenv("HOME", pwd->pw_dir, 1);
+ 		rc |= setenv("SHELL", pwd->pw_shell, 1);
+diff -up policycoreutils-2.1.13/semanage/semanage.f19 policycoreutils-2.1.13/semanage/semanage
+--- policycoreutils-2.1.13/semanage/semanage.f19	2013-03-08 16:38:34.608361965 -0500
++++ policycoreutils-2.1.13/semanage/semanage	2013-03-08 16:38:34.684362224 -0500
+@@ -376,11 +376,8 @@ Object-specific Options (see above):
+ 			OBJECT = seobject.moduleRecords(store)
+ 
+ 		if object == "permissive":
+-                        try:
+-                               OBJECT = seobject.permissiveRecords(store)
+-                        except ImportError:
+-                               raise ValueError(_("Additional packages are required to setup permissive domains.\nYou must execute the following:\n# yum install policycoreutils-devel"))
+-		
++                       OBJECT = seobject.permissiveRecords(store)
++
+ 		if object == "dontaudit":
+                         OBJECT = seobject.dontauditClass(store)
+ 
+diff -up policycoreutils-2.1.13/semanage/seobject.py.f19 policycoreutils-2.1.13/semanage/seobject.py
+--- policycoreutils-2.1.13/semanage/seobject.py.f19	2013-03-08 16:38:34.610361971 -0500
++++ policycoreutils-2.1.13/semanage/seobject.py	2013-03-08 16:38:34.685362227 -0500
+@@ -373,7 +373,11 @@ class permissiveRecords(semanageRecords)
+ 
+ 	def add(self, type):
+                import glob
+-	       import sepolgen.module as module
++	       try:
++		       import sepolgen.module as module
++	       except ImportError:
++		       raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro."))
++		
+                name = "permissive_%s" % type
+                dirname = "/var/lib/selinux"
+                os.chdir(dirname)
+@@ -949,7 +953,10 @@ class seluserRecords(semanageRecords):
+ 				print "%-15s %s" % (k, ddict[k][3])
+ 
+ class portRecords(semanageRecords):
+-	valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
++	try:
++		valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
++	except RuntimeError:
++		valid_types = []
+ 
+ 	def __init__(self, store = ""):
+ 		semanageRecords.__init__(self, store)
+@@ -1212,7 +1219,10 @@ class portRecords(semanageRecords):
+ 			print rec
+ 
+ class nodeRecords(semanageRecords):
+-       valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"node_type")[0]["types"]
++       try:
++	       valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"node_type")[0]["types"]
++       except RuntimeError:
++	       valid_types = []
+ 
+        def __init__(self, store = ""):
+                semanageRecords.__init__(self,store)
+@@ -1634,8 +1644,11 @@ class interfaceRecords(semanageRecords):
+ 				print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
+ 			
+ class fcontextRecords(semanageRecords):
+-	valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
+-	valid_types +=  sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]
++	try:
++		valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
++		valid_types +=  sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]
++	except RuntimeError:
++		valid_types = []
+ 
+ 	def __init__(self, store = ""):
+ 		semanageRecords.__init__(self, store)
+diff -up policycoreutils-2.1.13/sepolicy/info.c.f19 policycoreutils-2.1.13/sepolicy/info.c
+--- policycoreutils-2.1.13/sepolicy/info.c.f19	2013-03-08 16:38:34.613361982 -0500
++++ policycoreutils-2.1.13/sepolicy/info.c	2013-03-08 16:38:34.687362234 -0500
+@@ -988,39 +988,51 @@ PyObject* info( int type, const char *na
+ {
+ 	PyObject* output = NULL;
+ 
++	switch(type) {
+ 	/* display requested info */
+-	if (type == TYPE)
++	case TYPE:
+ 		output = get_types(name, policy);
 -
--	pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+-	if (type == ATTRIBUTE)
++		break;
++	case ATTRIBUTE:
+ 		output = get_attribs(name, policy);
 -
- 	if (!cmd_opts.semantic && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
- 		if (qpol_policy_build_syn_rule_table(apol_policy_get_qpol(policy))) {
--			apol_policy_destroy(&policy);
- 			PyErr_SetString(PyExc_RuntimeError,"Query failed");
- 			goto cleanup;
- 		}
-@@ -989,8 +984,8 @@
- 	apol_vector_destroy(&cmd_opts.perm_vector);
- 	apol_vector_destroy(&cmd_opts.class_vector);
+-	if (type == ROLE)
++		break;
++	case ROLE:
+ 		output = get_roles(name, policy);
+-
+-	if (type == USER)
++		break;
++	case USER:
+ 		output = get_users(name, policy);
+-
+-	if (type == CLASS)
++		break;
++	case CLASS:
+ 		output = get_classes(name, policy);
+-
+-	if (type == BOOLEAN)
++		break;
++	case BOOLEAN:
+ 		output = get_booleans(name, policy);
+-
+-	if (type == PORT)
++		break;
++	case PORT:
+ 		output = get_ports(name, policy);
++		break;
++	default:
++		errno = EINVAL;
++		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
++		break;
++	}
  
--	if (PyList_GET_SIZE(output) == 0) {
--		Py_DECREF(output);
-+	if (output && PyList_GET_SIZE(output) == 0) {
-+		py_decref(output);
- 		return Py_None;
- 	}
  	return output;
-@@ -1021,10 +1016,14 @@
-     int transition = Dict_ContainsInt(dict, "transition");
-     int role_allow = Dict_ContainsInt(dict, "role_allow");
+ }
  
+ PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
+-    unsigned int type;
+-    char *name;
++    int type;
++    const char *name;
+     
 +    if (!policy) {
 +	    PyErr_SetString(PyExc_RuntimeError,"Policy not loaded");
 +	    return NULL;
 +    }
-     const char *src_name = Dict_ContainsString(dict, "source");
-     const char *tgt_name = Dict_ContainsString(dict, "target");
-     const char *class_name = Dict_ContainsString(dict, "class");
-     const char *permlist = Dict_ContainsString(dict, "permlist");
++
+     if (!PyArg_ParseTuple(args, "iz", &type, &name))
+         return NULL;
  
--    return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
-+    return search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist);
+-    return Py_BuildValue("N",info(type, name));
++    return info(type, name);
  }
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/generate.py
---- policycoreutils-2.1.13/sepolicy/sepolicy/generate.py	2013-02-08 13:11:51.899426920 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/generate.py	2013-02-07 12:21:11.000000000 -0500
-@@ -24,6 +24,7 @@
- import os, sys, stat
- import re
- import sepolicy
-+from sepolicy import get_all_types, get_all_attributes, get_all_roles
- import time
- import yum
  
-@@ -101,13 +102,6 @@
- 
-     return nvr
+ void init_info (PyObject *m) {
+diff -up policycoreutils-2.1.13/sepolicy/Makefile.f19 policycoreutils-2.1.13/sepolicy/Makefile
+--- policycoreutils-2.1.13/sepolicy/Makefile.f19	2013-03-08 16:38:34.611361975 -0500
++++ policycoreutils-2.1.13/sepolicy/Makefile	2013-03-08 16:38:34.687362234 -0500
+@@ -23,10 +23,10 @@ clean:
+ 	-rm -rf build *~ \#* *pyc .#*
  
--all_types = None
--def get_all_types():
--    global all_types
--    if all_types == None:
--        all_types = map(lambda x: x['name'], sepolicy.info(sepolicy.TYPE))
--    return all_types
--
- def get_all_ports():
-     dict = {}
-     for p in sepolicy.info(sepolicy.PORT):
-@@ -118,28 +112,6 @@
-         dict[(p['low'], p['high'], p['protocol'])]=(p['type'], p['range'])
-     return dict
+ install:
+-	[ -d $(MANDIR)/man8 ] || mkdir -p $(MANDIR)/man8
+ 	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
++	-mkdir -p $(MANDIR)/man8
++	install -m 644 *.8 $(MANDIR)/man8
+ 	-mkdir -p $(BASHCOMPLETIONDIR)
+ 	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+-	install -m 644 *.8 $(MANDIR)/man8
+diff -up policycoreutils-2.1.13/sepolicy/policy.c.f19 policycoreutils-2.1.13/sepolicy/policy.c
+--- policycoreutils-2.1.13/sepolicy/policy.c.f19	2013-03-08 16:38:34.613361982 -0500
++++ policycoreutils-2.1.13/sepolicy/policy.c	2013-03-08 16:38:34.688362238 -0500
+@@ -66,7 +66,6 @@ PyObject *wrap_policy(PyObject *UNUSED(s
+     }
+     apol_vector_destroy(&mod_paths);
+     
+-    policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+     policy = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
+     apol_policy_path_destroy(&pol_path);
+     if (!policy) {
+diff -up policycoreutils-2.1.13/sepolicy/search.c.f19 policycoreutils-2.1.13/sepolicy/search.c
+--- policycoreutils-2.1.13/sepolicy/search.c.f19	2013-03-08 16:38:34.615361989 -0500
++++ policycoreutils-2.1.13/sepolicy/search.c	2013-03-08 16:38:34.689362241 -0500
+@@ -204,14 +204,14 @@ static PyObject* get_ra_results(const ap
+ 			goto err;
  
--def get_all_roles():
--    roles = map(lambda x: x['name'], sepolicy.info(sepolicy.ROLE))
+ 		rt = py_append_obj(output, dict);
+-		Py_DECREF(dict); dict=NULL;
+ 		if (rt) goto err;
++		py_decref(dict); dict=NULL;
+ 	}
+ 	goto cleanup;
+ err:
+ 	error = errno;
+ 	PyErr_SetString(PyExc_RuntimeError,strerror(error));
+-	Py_DECREF(dict); dict=NULL;
++	py_decref(dict);
+ 
+ cleanup:
+ 	errno = error;
+@@ -329,7 +329,8 @@ static PyObject* get_bool(const qpol_pol
+ 		if (expr_type != QPOL_COND_EXPR_BOOL) {
+ 			obj = PyString_FromString(apol_cond_expr_type_to_str(expr_type));
+ 			if (!obj) goto err;
+-			py_append_obj(boollist, obj);
++			if (py_append_obj(boollist, obj))
++				goto err;
+ 		} else {
+ 			tuple = PyTuple_New(2);
+ 			if (!tuple) goto err;
+@@ -405,7 +406,7 @@ static PyObject* get_te_results(const ap
+ 			obj = get_bool(q, cond, enabled);
+ 			if (!obj) goto err;
+ 			rt = PyDict_SetItemString(dict, "boolean", obj);
+-			Py_DECREF(obj);
++			py_decref(obj);
+ 		}
+ 
+ 		if (qpol_terule_get_rule_type(q, rule, &rule_type))
+@@ -529,9 +530,8 @@ static int perform_ft_query(const apol_p
+ 		}
+ 	}
+ 
+-	if (apol_filename_trans_get_by_query(policy, ftq, v)) {
+-		error = errno;
+-	}
++	if (apol_filename_trans_get_by_query(policy, ftq, v))
++		goto err;
+ 
+ 	apol_filename_trans_query_destroy(&ftq);
+ 	return 0;
+@@ -713,6 +713,7 @@ static int perform_av_query(const apol_p
+ 			s = NULL;
+ 		}
+ 		free(tmp);
++		tmp = NULL;
+ 	}
+ 
+ 	if (!(opt->semantic) && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
+@@ -828,13 +829,14 @@ static PyObject* get_av_results(const ap
+ 
+ 		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
+ 			const char *perm_name = NULL;
+-			qpol_iterator_get_item(iter, (void **)&perm_name);
++			if (qpol_iterator_get_item(iter, (void **)&perm_name))
++				goto err;
+ 			if (py_append_string(permlist, perm_name))
+ 				goto err;
+ 		}
+ 
+ 		rt = PyDict_SetItemString(dict, "permlist", permlist);
+-		Py_DECREF(permlist); permlist=NULL;
++		py_decref(permlist); permlist=NULL;
+ 		if (rt) goto err;
+ 
+ 		if (qpol_avrule_get_cond(q, rule, &cond))
+@@ -844,17 +846,17 @@ static PyObject* get_av_results(const ap
+ 
+ 		obj = PyBool_FromLong(enabled);
+ 		rt = PyDict_SetItemString(dict, "enabled", obj);
+-		Py_DECREF(obj);
++		py_decref(obj);
+ 
+ 		if (cond) {
+ 			obj = get_bool(q, cond, enabled);
+ 			if (!obj) goto err;
+ 			rt = PyDict_SetItemString(dict, "boolean", obj);
+-			Py_DECREF(obj);
++			py_decref(obj);
+ 		}
+ 
+ 		rt = py_append_obj(output, dict);
+-		Py_DECREF(dict); dict=NULL;
++		py_decref(dict); dict=NULL;
+ 		if (rt) goto err;
+ 
+ 		free(rule_str);	rule_str = NULL;
+@@ -912,15 +914,8 @@ PyObject* search(bool allow,
+ 		cmd_opts.perm_vector = apol_vector_create(free);
+ 		cmd_opts.permlist = strdup(permlist);
+ 	}
+-	int pol_opt = 0;
+-	if (!(cmd_opts.nallow || cmd_opts.all))
+-		pol_opt |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
+-
+-	pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+-
+ 	if (!cmd_opts.semantic && qpol_policy_has_capability(apol_policy_get_qpol(policy), QPOL_CAP_SYN_RULES)) {
+ 		if (qpol_policy_build_syn_rule_table(apol_policy_get_qpol(policy))) {
+-			apol_policy_destroy(&policy);
+ 			PyErr_SetString(PyExc_RuntimeError,"Query failed");
+ 			goto cleanup;
+ 		}
+@@ -989,8 +984,8 @@ PyObject* search(bool allow,
+ 	apol_vector_destroy(&cmd_opts.perm_vector);
+ 	apol_vector_destroy(&cmd_opts.class_vector);
+ 
+-	if (PyList_GET_SIZE(output) == 0) {
+-		Py_DECREF(output);
++	if (output && PyList_GET_SIZE(output) == 0) {
++		py_decref(output);
+ 		return Py_None;
+ 	}
+ 	return output;
+@@ -1021,10 +1016,14 @@ PyObject *wrap_search(PyObject *UNUSED(s
+     int transition = Dict_ContainsInt(dict, "transition");
+     int role_allow = Dict_ContainsInt(dict, "role_allow");
+ 
++    if (!policy) {
++	    PyErr_SetString(PyExc_RuntimeError,"Policy not loaded");
++	    return NULL;
++    }
+     const char *src_name = Dict_ContainsString(dict, "source");
+     const char *tgt_name = Dict_ContainsString(dict, "target");
+     const char *class_name = Dict_ContainsString(dict, "class");
+     const char *permlist = Dict_ContainsString(dict, "permlist");
+ 
+-    return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
++    return search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist);
+ }
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh.f19 policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh
+--- policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh.f19	2013-03-08 16:38:34.615361989 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh	2013-03-08 16:38:34.689362241 -0500
+@@ -45,6 +45,9 @@ __get_all_user_role_interaces () {
+ __get_all_user_domains () {
+     seinfo -auserdomain -x 2> /dev/null | tail -n +2
+ }
++__get_all_users () {
++    seinfo -u 2> /dev/null | tail -n +2
++}
+ __get_all_classes () {
+     seinfo -c 2> /dev/null | tail -n +2
+ }
+@@ -57,9 +60,6 @@ __get_all_domain_types () {
+ __get_all_domains () {
+     seinfo -adomain -x 2>/dev/null | sed 's/_t$//g'
+ }
+-__get_all_generate_types () {
+-    seinfo -agenerate_type -x 2>/dev/null | tail -n +2
+-}
+ _sepolicy () {
+         local command=${COMP_WORDS[1]}
+         local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]}
+@@ -79,9 +79,9 @@ _sepolicy () {
+         local -A OPTS=(
+                [booleans]='-h --help -p --path -a -all -b --boolean'
+                [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess'
+-               [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize  -d --domain --dbus --desktop_user -h --help --inetd --init -n --name -p --path --sandbox -T --test --term_user -u --user --x_user'
++               [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize  -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newtype -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user'
+                [interface]='-h --help -a --list_admin" -u --list_user -l --list'
+-               [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web'
++               [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web -r --root'
+                [network]='-h --help -d --domain -l --list -p --port -t --type '
+                [transition]='-h --help -s --source -t --target'
+         )
+@@ -126,6 +126,10 @@ _sepolicy () {
+                 COMPREPLY=( $( compgen -d -- "$cur") )
+                 compopt -o filenames
+                 return 0
++            elif test "$prev" = "-w" || test "$prev" = "--writepath" ; then
++                COMPREPLY=( $( compgen -d -- "$cur") )
++                compopt -o filenames
++                return 0
+             elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then
+                 COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") )
+                 return 0
+@@ -136,7 +140,7 @@ _sepolicy () {
+                 COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") )
+                 return 0
+             elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then
+-                COMPREPLY=( $(compgen -W "$( __get_all_user_domains ) " -- "$cur") )
++                COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") )
+                 return 0
+             elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then
+                 COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
+@@ -152,6 +156,10 @@ _sepolicy () {
+             if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
+                 COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
+                 return 0
++            elif test "$prev" = "-r" || test "$prev" = "--root" ; then
++                COMPREPLY=( $( compgen -d -- "$cur") )
++                compopt -o filenames
++                return 0
+             elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
+                 return 0
+             elif test "$prev" = "-p" || test "$prev" = "--path" ; then
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy-generate.8.f19 policycoreutils-2.1.13/sepolicy/sepolicy-generate.8
+--- policycoreutils-2.1.13/sepolicy/sepolicy-generate.8.f19	2013-03-08 16:38:34.617361995 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy-generate.8	2013-03-08 16:38:34.690362244 -0500
+@@ -5,15 +5,21 @@ sepolicy-generate \- Generate an initial
+ .SH "SYNOPSIS"
+ 
+ .br
+-.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
++.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
+ 
+ .SH "DESCRIPTION"
+-Use sepolicy generate to generate an SELinux policy Module.  sepolicy generate will generate 4 files.
++Use \fBsepolicy generate\fP to generate an SELinux policy Module.  \fBsepolicy generate\fP will create 5 files.
++
++If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files.
++
+ 
+ .B Type Enforcing File NAME.te
+ .br
+ This file can be used to define all the types rules for a particular domain.
+ 
++.I Note:
++Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file.  When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
++
+ .B Interface File NAME.if
+ .br
+ This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
+@@ -25,7 +31,7 @@ file paths to the types.  Tools like res
+ 
+ .B RPM Spec File NAME_selinux.spec
+ .br
+-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy.  You can use sepolicy manpage -d NAME to generate the man page.
++This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy.  You can use \fBsepolicy manpage -d NAME\fP to generate the man page.
+ 
+ .B Shell File NAME.sh
+ .br
+@@ -46,6 +52,15 @@ Specify alternate name of policy. The po
+ Specify the directory to store the created policy files. (Default to current working directory )
+ optional arguments:
+ .TP
++.I                \-u, \-\-user
++SELinux user(s) which will transition to this domain
++.TP
++.I                \-w, \-\-writepath
++Path(s) which the confined processes need to write
++.TP
++.I                \-a, \-\-admin
++Domain(s) that this confined admin will administrate
++.TP
+ .I  \-\-admin_user 
+ Generate Policy for Administrator Login User Role
+ .TP
+@@ -73,6 +88,9 @@ Generate Policy for Internet Services Da
+ .I  \-\-init
+ Generate Policy for Standard Init Daemon (Default)
+ .TP
++.I  \-\-newtype
++Generate new policy for new types to add to an existing policy.
++.TP
+ .I  \-\-sandbox
+ Generate Policy for Sandbox
+ .TP
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy/generate.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy/generate.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/generate.py.f19	2013-03-08 16:38:34.623362016 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy/generate.py	2013-03-08 16:38:34.691362248 -0500
+@@ -24,6 +24,7 @@
+ import os, sys, stat
+ import re
+ import sepolicy
++from sepolicy import get_all_types, get_all_attributes, get_all_roles
+ import time
+ import yum
+ 
+@@ -62,20 +63,6 @@ except IOError:
+     import __builtin__
+     __builtin__.__dict__['_'] = unicode
+ 
+-user_types =  sepolicy.info(sepolicy.ATTRIBUTE,"userdomain")[0]["types"]
+-methods = []
+-fn = defaults.interface_info()
+-try:
+-    fd = open(fn)
+-    # List of per_role_template interfaces
+-    ifs = interfaces.InterfaceSet()
+-    ifs.from_file(fd)
+-    methods = ifs.interfaces.keys()
+-    fd.close()
+-except:
+-    sys.stderr.write("could not open interface info [%s]\n" % fn)
+-    sys.exit(1)
+-
+ def get_rpm_nvr_from_header(hdr):
+     'Given an RPM header return the package NVR as a string'
+     name    = hdr['name']
+@@ -101,13 +88,6 @@ def get_rpm_nvr_list(package):
+ 
+     return nvr
+ 
+-all_types = None
+-def get_all_types():
+-    global all_types
+-    if all_types == None:
+-        all_types = map(lambda x: x['name'], sepolicy.info(sepolicy.TYPE))
+-    return all_types
+-
+ def get_all_ports():
+     dict = {}
+     for p in sepolicy.info(sepolicy.PORT):
+@@ -118,28 +98,6 @@ def get_all_ports():
+         dict[(p['low'], p['high'], p['protocol'])]=(p['type'], p['range'])
+     return dict
+ 
+-def get_all_roles():
+-    roles = map(lambda x: x['name'], sepolicy.info(sepolicy.ROLE))
 -    roles.remove("object_r")
 -    roles.sort()
 -    return roles
@@ -279,7 +782,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  def get_all_users():
      users = map(lambda x: x['name'], sepolicy.info(sepolicy.USER))
      users.remove("system_u")
-@@ -166,6 +138,7 @@
+@@ -166,6 +124,7 @@ XUSER = 8
  LUSER = 9
  AUSER = 10
  RUSER = 11
@@ -287,7 +790,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  
  poltype={}
  poltype[DAEMON] = _("Standard Init Daemon")
-@@ -180,6 +153,7 @@
+@@ -180,6 +139,7 @@ poltype[XUSER] = _("Minimal X Windows Lo
  poltype[LUSER] = _("Desktop Login User Role")
  poltype[AUSER] = _("Administrator Login User Role")
  poltype[RUSER] = _("Confined Root Administrator Role")
@@ -295,7 +798,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  
  def get_poltype_desc():
      keys = poltype.keys()
-@@ -226,6 +200,7 @@
+@@ -226,6 +186,7 @@ class policy:
                  self.rpms = []
                  self.ports = []
                  self.all_roles = get_all_roles()
@@ -303,7 +806,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  
                  if type not in poltype:
                      raise ValueError(_("You must enter a valid policy type"))
-@@ -336,6 +311,16 @@
+@@ -336,6 +297,16 @@ class policy:
  		self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run];
  		self.DEFAULT_DIRS["/var/spool"] = ["var_spool", [], var_spool];
  
@@ -320,7 +823,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
                  self.DEFAULT_KEYS=["/etc", "/var/cache", "/var/log", "/tmp", "rw", "/var/lib", "/var/run", "/var/spool", "/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system" ]
  
  		self.DEFAULT_TYPES = (\
-@@ -350,7 +335,8 @@
+@@ -350,7 +321,8 @@ class policy:
  ( self.generate_x_login_user_types, self.generate_x_login_user_rules), \
  ( self.generate_login_user_types, self.generate_login_user_rules), \
  ( self.generate_admin_user_types, self.generate_login_user_rules), \
@@ -330,7 +833,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
                  if not re.match(r"^[a-zA-Z0-9-_]+$", name):
                      raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
  
-@@ -365,7 +351,7 @@
+@@ -365,7 +337,7 @@ class policy:
                  self.processes = []
  		self.type = type
  		self.initscript = ""
@@ -339,7 +842,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  		self.in_tcp = [False, False, False, []]
  		self.in_udp = [False, False, False, []]
  		self.out_tcp = [False, False, False, []]
-@@ -379,9 +365,9 @@
+@@ -379,9 +351,9 @@ class policy:
  		self.use_pam = False
  		self.use_dbus = False
  		self.use_audit = False
@@ -352,7 +855,16 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  		self.use_terminal = False
  		self.use_mail = False
  		self.booleans = {}
-@@ -647,7 +633,7 @@
+@@ -601,7 +573,7 @@ class policy:
+         def generate_network_action(self, protocol, action, port_name):
+             line = ""
+             method = "corenet_%s_%s_%s" % (protocol, action, port_name)
+-            if method in methods:
++            if method in sepolicy.get_methods():
+                 line = "%s(%s_t)\n" % (method, self.name)
+             else:
+                 line = """
+@@ -647,7 +619,7 @@ allow %s_t %s_t:%s_socket name_%s;
                          self.found_udp_ports.append(line)
  
              if self.need_udp_type == True or self.need_tcp_type == True:
@@ -361,7 +873,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
              return ""
  
  	def __find_path(self, file):
-@@ -662,6 +648,9 @@
+@@ -662,6 +634,9 @@ allow %s_t %s_t:%s_socket name_%s;
              if capability not in self.capabilities:
                  self.capabilities.append(capability)
  
@@ -371,7 +883,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  	def add_process(self, process):
              if process not in self.processes:
                  self.processes.append(process)
-@@ -876,6 +865,27 @@
+@@ -876,6 +851,27 @@ allow %s_t %s_t:%s_socket name_%s;
  	def generate_root_user_types(self):
  		return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types)
  
@@ -399,7 +911,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  	def generate_daemon_types(self):
                  newte = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types)
                  if self.initscript != "":
-@@ -912,6 +922,16 @@
+@@ -912,6 +908,16 @@ allow %s_t %s_t:%s_socket name_%s;
  
                  return  newif
  
@@ -416,7 +928,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  	def generate_login_user_rules(self):
  		return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules)
  
-@@ -963,7 +983,7 @@
+@@ -963,7 +969,7 @@ allow %s_t %s_t:%s_socket name_%s;
  	def generate_if(self):
                  newif = ""
                  newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules)
@@ -425,7 +937,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
                      newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules)
                  if self.initscript != "":
                      newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules)
-@@ -979,6 +999,8 @@
+@@ -979,6 +985,8 @@ allow %s_t %s_t:%s_socket name_%s;
                  newif += self.generate_dbus_if()
                  newif += self.generate_admin_if()
                  newif += self.generate_sandbox_if()
@@ -434,7 +946,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  
  		return newif
  
-@@ -986,7 +1008,9 @@
+@@ -986,7 +994,9 @@ allow %s_t %s_t:%s_socket name_%s;
  		return self.DEFAULT_TYPES[self.type][0]()
  
  	def generate_default_rules(self):
@@ -445,7 +957,17 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  
  	def generate_roles_rules(self):
              newte = ""
-@@ -1054,12 +1078,13 @@
+@@ -1013,7 +1023,8 @@ allow %s_t %s_t:%s_socket name_%s;
+ ########################################
+ #
+ # %s local policy
+-#""" % self.name
++#
++""" % self.name
+                 newte += self.generate_capabilities()
+                 newte += self.generate_process()
+ 		newte += self.generate_network_types()
+@@ -1054,12 +1065,13 @@ allow %s_t %s_t:%s_socket name_%s;
  		newfc = ""
                  fclist = []
                  if self.type in USERS +  [ SANDBOX ]:
@@ -463,7 +985,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  
                  if self.initscript != "":
                      t1 = re.sub("EXECUTABLE", self.initscript, executable.fc_initscript)
-@@ -1118,7 +1143,7 @@
+@@ -1118,7 +1130,7 @@ allow %s_t %s_t:%s_socket name_%s;
                      newsh  = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp)
                  else:
                      newsh  = re.sub("TEMPLATEFILE", self.file_name, temp)
@@ -472,7 +994,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
                      newsh += re.sub("FILENAME", self.program, script.restorecon)
                  if self.initscript != "":
                      newsh += re.sub("FILENAME", self.initscript, script.restorecon)
-@@ -1152,7 +1177,7 @@
+@@ -1152,7 +1164,7 @@ allow %s_t %s_t:%s_socket name_%s;
                  newspec += spec.header_comment_section
  		if self.type in APPLICATIONS:
  			newspec += spec.define_relabel_files_begin
@@ -481,13 +1003,76 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/generate.py ../master/policy
  				newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end)
  			if self.initscript != "":
  				newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end)
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py
---- policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py	2013-02-08 13:11:51.897426914 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py	2013-02-07 12:21:11.000000000 -0500
-@@ -47,6 +47,97 @@
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py.f19	2013-03-08 16:38:34.621362009 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py	2013-03-08 16:38:34.692362252 -0500
+@@ -7,6 +7,9 @@ import _policy
+ import selinux, glob
+ PROGNAME="policycoreutils"
+ import gettext
++import sepolgen.defaults as defaults
++import sepolgen.interfaces as interfaces
++import sys
+ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+ gettext.textdomain(PROGNAME)
+ try:
+@@ -37,9 +40,30 @@ CLASS = 'class'
+ TRANSITION = 'transition'
+ ROLE_ALLOW = 'role_allow'
+ 
+-def __get_installed_policy():
++def info(setype, name=None):
++    dict_list = _policy.info(setype, name)
++    return dict_list
++
++def search(types, info = {} ):
++    valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
++    for type in types:
++        if type not in valid_types:
++            raise ValueError("Type has to be in %s" % valid_types)
++        info[type] = True
++
++    perms = []
++    if PERMS in info:
++        perms = info[PERMS]
++        info[PERMS] = ",".join(info[PERMS])
++
++    dict_list = _policy.search(info)
++    if dict_list and len(perms) != 0:
++        dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
++    return dict_list
++
++def get_installed_policy(root = "/"):
+     try:
+-        path = selinux.selinux_binary_policy_path()
++        path = root + selinux.selinux_binary_policy_path()
+         policies = glob.glob ("%s.*" % path )
+         policies.sort()
+         return policies[-1]
+@@ -47,50 +71,186 @@ def __get_installed_policy():
          pass
      raise ValueError(_("No SELinux Policy installed"))
          
++methods = []
++def get_methods():
++    global methods
++    if len(methods) > 0:
++        return methods
++    fn = defaults.interface_info()
++    try:
++        fd = open(fn)
++    # List of per_role_template interfaces
++        ifs = interfaces.InterfaceSet()
++        ifs.from_file(fd)
++        methods = ifs.interfaces.keys()
++        fd.close()
++    except:
++        sys.stderr.write("could not open interface info [%s]\n" % fn)
++        sys.exit(1)
++    
++    methods.sort()
++    return methods
++
 +all_types = None
 +def get_all_types():
 +    global all_types
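Review bot: `get_methods()` (new in this hunk) answers a failure to read `defaults.interface_info()` with a bare `except:` and `sys.exit(1)`, which makes a library function terminate the calling process; the `interface.get()` it replaces in the next hunk raised `ValueError`, so `get_admin()`/`get_user()` callers that handled that exception now lose the interpreter instead. A `raise ValueError(_("could not open interface info [%s]") % fn)` in the except clause, with `fd` closed in a `finally:` (or `with open(fn) as fd:`) so a failing `from_file` does not leak the descriptor, keeps the old contract. Separately, `search(types, info = {})` carries a mutable default: each call writes `info[type] = True` and rewrites `info[PERMS]` into that shared dict (and into a caller-supplied one), so type flags accumulate across calls; use `info=None` and work on a copy, e.g. `info = dict(info or {})`.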
@@ -495,6 +1080,13 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py ../master/policy
 +        all_types = map(lambda x: x['name'], info(TYPE))
 +    return all_types
 +
++user_types =  None
++def get_user_types():
++    global user_types
++    if user_types == None:
++        user_types = info(ATTRIBUTE,"userdomain")[0]["types"]
++    return user_types
++
 +role_allows = None
 +def get_all_role_allows():
 +	global role_allows
@@ -512,6 +1104,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py ../master/policy
 +	return role_allows
 +
 +def get_all_entrypoint_domains():
++    import re
 +    all_domains = []
 +    types=get_all_types()
 +    types.sort()
@@ -522,11 +1115,35 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py ../master/policy
 +                all_domains.append(m[0])
 +    return all_domains
 +
++portrecs = None
++portrecsbynum = None
++
++def gen_port_dict():
++    global portrecs
++    global portrecsbynum
++    if portrecs:
++        return ( portrecs, portrecsbynum )
++    portrecsbynum = {}
++    portrecs = {}
++    for i in info(PORT):
++        if i['low'] == i['high']:
++            port = str(i['low'])
++        else:
++            port = "%s-%s" % (str(i['low']), str(i['high']))
++
++        if (i['type'], i['protocol']) in portrecs:
++            portrecs [(i['type'], i['protocol'])].append(port)
++        else:
++            portrecs [(i['type'], i['protocol'])] = [port]
++
++        portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range'])
++    return ( portrecs, portrecsbynum )
++
 +all_domains = None
 +def get_all_domains():
 +	global all_domains
 +	if not all_domains:
-+		all_domains = info(ATTRIBUTE,"domain")[0]["types"]
++            all_domains = info(ATTRIBUTE,"domain")[0]["types"]
 +	return all_domains
 +
 +roles = None
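Review bot: `gen_port_dict()` uses `if portrecs:` as its "already computed" test, so a policy with no port records leaves an empty, falsy dict and the scan of `info(PORT)` runs again on every call; `if portrecs is not None:` expresses the intent. More importantly, `portrecs`/`portrecsbynum` here and `user_types` in the hunk above are module-level caches that `policy()` in the next hunk does not include among the globals it resets, so after loading another policy file the port and user-type answers still describe the previous one; add them to that reset list alongside `all_types` and `roles`.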
@@ -580,21 +1197,165 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/__init__.py ../master/policy
 +	return all_attributes
 +
  def policy(policy_file):
++    global all_domains
++    global all_attributes
++    global bools
++    global all_types
++    global role_allows
++    global users
++    global roles
++    global file_types
++    global port_types
++    all_domains = None
++    all_attributes = None
++    bools = None 
++    all_types = None 
++    role_allows = None 
++    users = None 
++    roles = None 
++    file_types = None 
++    port_types = None 
      try:
          _policy.policy(policy_file)
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py
---- policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py	2013-02-08 13:11:51.901426927 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py	2013-02-07 12:21:11.000000000 -0500
-@@ -28,7 +28,7 @@
- import argparse
- import selinux
+     except:
+         raise ValueError(_("Failed to read %s policy file") % policy_file)
+ 
+-
+-policy_file = selinux.selinux_current_policy_path()
+-if not policy_file:
+-    policy_file = __get_installed_policy()
+-
+ try:
++    policy_file = get_installed_policy()
+     policy(policy_file)
+ except ValueError, e:
+     if selinux.is_selinux_enabled() == 1:
+         raise e
+ 
+-def search(types, info = {} ):
+-    valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
+-    for type in types:
+-        if type not in valid_types:
+-            raise ValueError("Type has to be in %s" % valid_types)
+-        info[type] = True
+-
+-    perms = []
+-    if PERMS in info:
+-        perms = info[PERMS]
+-        info[PERMS] = ",".join(info[PERMS])
+-
+-    dict_list = _policy.search(info)
+-    if dict_list and len(perms) != 0:
+-        dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
+-    return dict_list
+-
+ def _dict_has_perms(dict, perms):
+     for perm in perms:
+         if perm not in dict[PERMS]:
+             return False
+     return True
+ 
+-def info(setype, name=None):
+-    dict_list = _policy.info(setype, name)
+-    return dict_list
+-
+ booleans_dict = None
+ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
+         global booleans_dict
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy/interface.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy/interface.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/interface.py.f19	2013-03-08 16:38:34.623362016 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy/interface.py	2013-03-08 16:38:34.692362252 -0500
+@@ -22,14 +22,12 @@
+ #
+ #
+ import re
+-
+-import sepolgen.interfaces as interfaces
+-import sepolgen.defaults as defaults
++import sepolicy
+ ADMIN_TRANSITION_INTERFACE = "_admin$"
+ USER_TRANSITION_INTERFACE = "_role$"
+-from sepolicy.generate import get_all_types
++import selinux
+ 
+-__all__ = [ 'get', 'get_admin', 'get_user' ]
++__all__ = [ 'get_admin', 'get_user' ]
+ 
+ ##
+ ## I18N
+@@ -48,24 +46,10 @@ except IOError:
+     import __builtin__
+     __builtin__.__dict__['_'] = unicode
+ 
+-def get():
+-    """ Get all Methods """
+-    fn = defaults.interface_info()
+-    try:
+-        fd = open(fn)
+-        ifs = interfaces.InterfaceSet()
+-        ifs.from_file(fd)
+-        methods = ifs.interfaces.keys()
+-        fd.close()
+-    except:
+-        raise ValueError(_("could not open interface info [%s]\n") % fn)
+-
+-    return methods
+-
+ def get_admin():
+     """ Get all domains with an admin interface"""
+     admin_list = []
+-    for i in get():
++    for i in sepolicy.get_methods():
+         if i.endswith("_admin"):
+             admin_list.append(i.split("_admin")[0])
+     return admin_list
+@@ -73,9 +57,9 @@ def get_admin():
+ def get_user():
+     """ Get all domains with SELinux user role interface"""
+     trans_list = []
+-    for i in get():
++    for i in sepolicy.get_methods():
+         m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i)
+         if len(m) > 0:
+-            if "%s_exec_t" % m[0] in get_all_types():
++            if "%s_exec_t" % m[0] in sepolicy.get_all_types():
+                 trans_list.append(m[0])
+     return trans_list
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy-manpage.8.f19 policycoreutils-2.1.13/sepolicy/sepolicy-manpage.8
+--- policycoreutils-2.1.13/sepolicy/sepolicy-manpage.8.f19	2013-03-08 16:39:04.991465713 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy-manpage.8	2013-03-08 16:39:23.219527940 -0500
+@@ -5,7 +5,7 @@ sepolicy-manpage \- Generate a man page
+ .SH "SYNOPSIS"
+ 
+ .br
+-.B sepolicy manpage [\-w] [\-h] [\-p PATH ]  [\-a | \-d ]
++.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ]
+ 
+ .SH "DESCRIPTION"
+ Use sepolicy manpage to generate manpages based on SELinux Policy.
+@@ -24,6 +24,9 @@ Display help message
+ .I                \-p, \-\-path
+ Specify the directory to store the created man pages. (Default to /tmp)
+ .TP
++.I                \-r, \-\-root
++Specify alternate root directory to generate man pages from. (Default to /)
++.TP
+ .I                \-w, \-\-web
+ Generate an additional HTML man pages for the specified domain(s).
+ 
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py.f19	2013-03-08 16:38:34.624362019 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py	2013-03-08 16:38:34.694362258 -0500
+@@ -28,7 +28,7 @@ import string
+ import argparse
+ import selinux
  import sepolicy
 -from sepolicy import network, gen_bool_dict
-+from sepolicy import network, gen_bool_dict, get_all_file_types, get_all_domains, get_all_roles, get_all_users, get_all_port_types, get_all_bools, get_all_attributes, get_all_role_allows
++from sepolicy import *
  
  import commands
  import sys, os, re, time
-@@ -61,12 +61,28 @@
+@@ -61,12 +61,28 @@ def gen_modules_dict(path = "/usr/share/
  		pass
  	return modules_dict
  
@@ -629,7 +1390,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policyc
  
  all_entrypoints = None
  def get_entrypoints():
-@@ -75,25 +91,6 @@
+@@ -75,25 +91,6 @@ def get_entrypoints():
  		all_entrypoints =  sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"]
  	return all_entrypoints
  
@@ -655,7 +1416,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policyc
  domains = None
  def gen_domains():
  	global domains
-@@ -110,9 +107,9 @@
+@@ -110,9 +107,9 @@ def gen_domains():
  		domains.append(domain)
  
  	for role in get_all_roles():
@@ -667,7 +1428,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policyc
  
  	domains.sort()
  	return domains
-@@ -150,45 +147,6 @@
+@@ -150,45 +147,6 @@ def _gen_fcdict(fc_path = selinux.selinu
  	fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
  	return fcdict
  
@@ -713,7 +1474,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policyc
  types = None
  def _gen_types():
  	global types
-@@ -203,31 +161,6 @@
+@@ -203,31 +161,6 @@ def _gen_types():
  			types[rec["name"]] = []
  	return types
  
@@ -745,18 +1506,65 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policyc
  def prettyprint(f,trim):
      return " ".join(f[:-len(trim)].split("_"))
  
-@@ -488,8 +421,8 @@
-     all_bools = get_all_bools()
-     all_port_types = get_all_port_types()
-     all_roles = get_all_roles()
+@@ -483,40 +416,33 @@ class ManPage:
+     """
+ 	Generate a Manpage on an SELinux domain in the specified path
+     """
+-    all_attributes = get_all_attributes()
+-    all_domains = get_all_domains()
+-    all_bools = get_all_bools()
+-    all_port_types = get_all_port_types()
+-    all_roles = get_all_roles()
 -    all_users = get_all_users()[0]
 -    all_users_range = get_all_users()[1]
-+    all_users = get_all_users_info()[0]
-+    all_users_range = get_all_users_info()[1]
-     all_file_types = get_all_file_types()
-     types = _gen_types()
+-    all_file_types = get_all_file_types()
+-    types = _gen_types()
      modules_dict = None
-@@ -532,7 +465,7 @@
+-    domains = gen_domains()
+-    role_allows = get_all_role_allows()
+     enabled_str = ["Disabled", "Enabled"]
+ 
+-    def __init__(self, domainname, path = "/tmp", html = False):
++    def __init__(self, domainname, path = "/tmp", root="/", html = False):
+ 	self.html = html
+-	self.portrecs = network.portrecs
++	self.root = root
++	self.portrecs = gen_port_dict()[0]
++	self.domains = gen_domains()
++	self.all_domains = get_all_domains()
++	self.all_attributes = get_all_attributes()
++	self.all_bools = get_all_bools()
++	self.all_port_types = get_all_port_types()
++	self.all_roles = get_all_roles()
++	self.all_users = get_all_users_info()[0]
++	self.all_users_range = get_all_users_info()[1]
++	self.all_file_types = get_all_file_types()
++	self.role_allows = get_all_role_allows()
++	self.types = _gen_types()
+ 
+-	fcpath = path + "/file_contexts"
+-	if os.path.exists(fcpath):
+-		self.fcpath = fcpath
+-	else:
+-		self.fcpath = selinux.selinux_file_context_path()
++	self.fcpath = self.root + selinux.selinux_file_context_path()
+ 	self.fcdict = _gen_fcdict(self.fcpath)
+ 
+ 	if not os.path.exists(path):
+ 		os.makedirs(path)
+-	self.path = path
+ 
+-	xmlpath = path + "/policy.xml"
+-	if os.path.exists(xmlpath):
+-		self.xmlpath = xmlpath
+-	else:
+-		self.xmlpath = "/usr/share/selinux/devel/policy.xml"
++	self.path = path
++	self.xmlpath = self.root + "/usr/share/selinux/devel/policy.xml"
+ 	self.booleans_dict = gen_bool_dict(self.xmlpath)
+ 
+ 	if domainname.endswith("_t"):
+@@ -532,7 +458,7 @@ class ManPage:
  	self._gen_bools()
  	self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
  	self.fd = open(self.man_page_path, 'w')
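Review bot: The new `root="/"` parameter is inserted before `html` in `ManPage.__init__`, so an existing caller passing `html` positionally (e.g. `ManPage(name, path, True)`) now sets `root=True` and leaves `html` False; appending it instead, `def __init__(self, domainname, path = "/tmp", html = False, root="/"):`, keeps such callers working. Within the visible lines `root` only prefixes `fcpath` and `xmlpath`, while the domain, boolean and port data still come from whichever policy `sepolicy` loaded at import, so a man page for an alternate root mixes that root's file contexts with the host's policy unless the caller first runs `sepolicy.policy(sepolicy.get_installed_policy(root))` — presumably the CLI does that, but it is not visible here. `__init__` continues past the end of this hunk.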
@@ -765,7 +1573,16 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policyc
  	    self.__gen_user_man_page()
  	    if self.html:
  		manpage_roles.append(self.man_page_path)
-@@ -802,7 +735,7 @@
+@@ -606,7 +532,7 @@ class ManPage:
+ 
+     def __gen_man_page(self):
+ 	if self.domainname[-1]=='d':
+-	    self.short_name = self.domainname[:-1]
++	    self.short_name = self.domainname[:-1]+"_"
+ 
+ 	self.anon_list = []
+ 
+@@ -802,7 +728,7 @@ SELinux policy is customizable based on
  .SH NSSWITCH DOMAIN
  """)
  		for b in nsswitch_booleans:
@@ -774,10 +1591,434 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/manpage.py ../master/policyc
  .PP
  If you want to %s for the %s, you must turn on the %s boolean.
  
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/executable.py
---- policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py	2013-02-08 13:11:51.903426934 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/executable.py	2013-02-07 12:21:11.000000000 -0500
-@@ -446,7 +446,7 @@
+@@ -1014,13 +940,14 @@ semanage fcontext -a -t public_content_t
+ .B restorecon -F -R -v /var/%(domainname)s
+ .pp
+ .TP
+-Allow %(domainname)s servers to read and write /var/tmp/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  This also requires the allow_%(domainname)sd_anon_write boolean to be set.
++Allow %(domainname)s servers to read and write /var/%(domainname)s/incoming by adding the public_content_rw_t type to the directory and by restoring the file type.  You also need to turn on the %(domainname)s_anon_write boolean.
+ .PP
+ .B
+ semanage fcontext -a -t public_content_rw_t "/var/%(domainname)s/incoming(/.*)?"
+ .br
+ .B restorecon -F -R -v /var/%(domainname)s/incoming
+-
++.br
++.B setsebool -P %(domainname)s_anon_write 1
+ """  % {'domainname':self.domainname})
+ 	    for b in self.anon_list:
+ 		desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
+@@ -1297,6 +1224,7 @@ The SELinux user %s_u is not able to ter
+ """ % self.domainname)
+ 
+     def _network(self):
++        from sepolicy import network
+ 	self.fd.write("""
+ .SH NETWORK
+ """)
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy/network.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy/network.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/network.py.f19	2013-03-08 16:38:34.625362023 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy/network.py	2013-03-08 16:38:34.694362258 -0500
+@@ -25,27 +25,6 @@ import sepolicy
+ search=sepolicy.search
+ info=sepolicy.info
+ 
+-def _gen_port_dict():
+-    portrecsbynum = {}
+-    portrecs = {}
+-    for i in info(sepolicy.PORT):
+-        if i['low'] == i['high']:
+-            port = str(i['low'])
+-        else:
+-            port = "%s-%s" % (str(i['low']), str(i['high']))
+-
+-        if (i['type'], i['protocol']) in portrecs:
+-            portrecs [(i['type'], i['protocol'])].append(port)
+-        else:
+-            portrecs [(i['type'], i['protocol'])] = [port]
+-
+-        portrecsbynum[(i['low'], i['high'],i['protocol'])] = (i['type'], i['range'])
+-    return ( portrecs, portrecsbynum )
+-portrecs, portrecsbynum = _gen_port_dict()
+-
+-port_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
+-domains =  sepolicy.info(sepolicy.ATTRIBUTE,"domain")[0]["types"]
+-
+ def get_types(src, tclass, perm):
+     allows=search([sepolicy.ALLOW],{sepolicy.SOURCE:src,sepolicy.CLASS:tclass, sepolicy.PERMS:perm})
+     nlist=[]
+@@ -57,6 +36,7 @@ def get_types(src, tclass, perm):
+    
+ 
+ def get_network_connect(src, protocol, perm):
++    portrecs, portrecsbynum = sepolicy.gen_port_dict()
+     d={}
+     tlist = get_types(src, "%s_socket" % protocol, [perm])
+     if len(tlist) > 0:
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy.py.f19	2013-03-08 16:38:34.620362006 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy.py	2013-03-08 16:38:34.695362262 -0500
+@@ -22,6 +22,8 @@
+ #
+ #
+ import os, sys
++import selinux
++import sepolicy
+ from sepolicy import get_os_version
+ import argparse
+ import gettext
+@@ -43,13 +45,28 @@ class CheckPath(argparse.Action):
+                 raise ValueError("%s does not exist" % values)
+         setattr(namespace, self.dest, values)
+ 
++class CheckType(argparse.Action):
++    def __call__(self, parser, namespace, values, option_string=None):
++        domains = sepolicy.get_all_domains()
++
++        if isinstance(values,str):
++            setattr(namespace, self.dest, values)
++        else:
++            newval = getattr(namespace, self.dest)
++            if not newval:
++                newval = []
++
++            for v in values:
++                newval.append(v)
++            setattr(namespace, self.dest, newval)
++
+ class CheckDomain(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+-        from sepolicy.network import domains
++        domains = sepolicy.get_all_domains()
+ 
+         if isinstance(values,str):
+             if values not in domains:
+-                raise ValueError("%s must be an SELinux process domain" % values)
++                raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
+             setattr(namespace, self.dest, values)
+         else:
+             newval = getattr(namespace, self.dest)
+@@ -58,19 +75,19 @@ class CheckDomain(argparse.Action):
+ 
+             for v in values:
+                 if v not in domains:
+-                    raise ValueError("%s must be an SELinux process domain" % values)
++                    raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
+                 newval.append(v)
+             setattr(namespace, self.dest, newval)
+ 
+ all_classes = None
+ class CheckClass(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+-        import sepolicy
+         global all_classes
+         if not all_classes:
+                 all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
+         if values not in all_classes:
+-            raise ValueError("%s must be an SELinux process domain" % values)
++            raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes)))
++
+         setattr(namespace, self.dest, values)
+ 
+ class CheckAdmin(argparse.Action):
+@@ -81,7 +98,7 @@ class CheckAdmin(argparse.Action):
+             newval = []
+         admins = get_admin()
+         if values not in admins:
+-            raise ValueError("%s must be an SELinux admin domain" % values)
++            raise ValueError("%s must be an SELinux admin domain:\nValid admin domains: %s" % (values, ", ".join(admins)))
+         newval.append(values)
+         setattr(namespace, self.dest, newval)
+ 
+@@ -98,13 +115,13 @@ class CheckPort(argparse.Action):
+ 
+ class CheckPortType(argparse.Action):
+     def __call__(self, parser, namespace, values, option_string=None):
+-        from sepolicy.network import port_types
++        port_types = sepolicy.get_all_port_types()
+         newval = getattr(namespace, self.dest)
+         if not newval:
+             newval = []
+         for v in values:
+             if v not in port_types:
+-                raise ValueError("%s must be an SELinux port type" % values)
++                raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
+             newval.append(v)
+         setattr(namespace, self.dest, values)
+ 
+@@ -124,19 +141,18 @@ class CheckPolicyType(argparse.Action):
+ 
+ class CheckUser(argparse.Action):
+     def __call__(self, parser, namespace, value, option_string=None):
+-        from sepolicy.generate import get_all_users
+         newval = getattr(namespace, self.dest)
+         if not newval:
+             newval = []
+-        users = get_all_users()
++        users = sepolicy.get_all_users()
+         if value not in users:
+-                raise ValueError("%s must be an SELinux user" % value)
++                raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users)))
+         newval.append(value)
+         setattr(namespace, self.dest, newval)
+ 
+ def _print_net(src, protocol, perm):
+-    from sepolicy.network import get_network_connect
+-    portdict = get_network_connect(src, protocol, perm)
++    import sepolicy.network
++    portdict = sepolicy.network.get_network_connect(src, protocol, perm)
+     if len(portdict) > 0:
+         print "%s: %s %s" % (src, protocol, perm)
+         for p in portdict:
+@@ -144,7 +160,7 @@ def _print_net(src, protocol, perm):
+                 print "\t" + recs
+ 
+ def network(args):
+-    from sepolicy.network import portrecsbynum, portrecs, get_network_connect
++    portrecs, portrecsbynum = sepolicy.gen_port_dict()
+     if args.list_ports:
+         all_ports = []
+         for i in portrecs:
+@@ -185,41 +201,41 @@ def manpage(args):
+     from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
+ 
+     path = args.path
+-    if args.policy:
+-        for f in ( "policy.xml", "file_context", "file_context.homedirs"):
+-            if not os.path.exists(path + f):
+-                raise ValueError("manpage creation with alternate policy requires the %s file exist" % (path + f))
+-
++    if not args.policy and args.root != "/":
++        sepolicy.policy(sepolicy.get_installed_policy(args.root))
++        
+     if args.all:
+         test_domains = gen_domains()
+     else:
+         test_domains = args.domain
+ 
+     for domain in test_domains:
+-        m = ManPage(domain, path, args.web)
++        m = ManPage(domain, path, args.root, args.web)
+         print m.get_man_page_path()
+ 
+     if args.web:
+         HTMLManPages(manpage_roles, manpage_domains, path, args.os)
+ 
+ def gen_manpage_args(parser):
+-        man = parser.add_parser("manpage",
+-                                   help=_('Generate SELinux man pages'))
++    man = parser.add_parser("manpage",
++                            help=_('Generate SELinux man pages'))
+ 
+-        man.add_argument("-p", "--path", dest="path", default="/tmp",
+-                         help=_("path in which the generated SELinux man pages will be stored"))
+-        man.add_argument("-o", "--os", dest="os", default=get_os_version(),
+-                         help=_("name of the OS for man pages"))
+-        man.add_argument("-w", "--web", dest="web", default=False, action="store_true",
+-                                help=_("Generate HTML man pages structure for selected SELinux man page"))
+-        group = man.add_mutually_exclusive_group(required=True)
+-        group.add_argument("-a", "--all", dest="all", default=False,
+-                           action="store_true",
+-                           help=_("All domains"))
+-        group.add_argument("-d", "--domain", nargs="+",
+-                           action=CheckDomain,
+-                           help=_("Domain name(s) of man pages to be created"))
+-        man.set_defaults(func=manpage)
++    man.add_argument("-p", "--path", dest="path", default="/tmp",
++                     help=_("path in which the generated SELinux man pages will be stored"))
++    man.add_argument("-o", "--os", dest="os", default=get_os_version(),
++                     help=_("name of the OS for man pages"))
++    man.add_argument("-w", "--web", dest="web", default=False, action="store_true",
++                     help=_("Generate HTML man pages structure for selected SELinux man page"))
++    man.add_argument("-r", "--root", dest="root", default="/",
++                     help=_("Alternate root directory, defaults to /"))
++    group = man.add_mutually_exclusive_group(required=True)
++    group.add_argument("-a", "--all", dest="all", default=False,
++                       action="store_true",
++                       help=_("All domains"))
++    group.add_argument("-d", "--domain", nargs="+",
++                       action=CheckDomain,
++                       help=_("Domain name(s) of man pages to be created"))
++    man.set_defaults(func=manpage)
+ 
+ def gen_network_args(parser):
+         net = parser.add_parser("network",
+@@ -267,7 +283,6 @@ def gen_communicate_args(parser):
+     comm.set_defaults(func=communicate)
+ 
+ def booleans(args):
+-    import selinux
+     from sepolicy import boolean_desc
+     if args.all:
+         rc, args.booleans = selinux.security_get_boolean_names()
+@@ -304,7 +319,7 @@ def gen_transition_args(parser):
+     trans.set_defaults(func=transition)
+ 
+ def interface(args):
+-    from sepolicy.interface import get_admin, get, get_user
++    from sepolicy.interface import get_admin, get_user
+     if args.list_admin:
+         for a in get_admin():
+             print a
+@@ -312,28 +327,37 @@ def interface(args):
+         for a in get_user():
+             print a
+     if args.list:
+-        for m in get():
++        for m in sepolicy.get_methods():
+             print m
+ 
+ def generate(args):
+-    from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS
++    from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
+     cmd = None
+-    if args.type not in USERS +  [ SANDBOX ]:
++    if args.policytype not in USERS +  [ SANDBOX, NEWTYPE]:
+         if not args.command:
+             raise ValueError(_("Command required for this type of policy"))
+         cmd = os.path.realpath(args.command)
+         if not args.name:
+             args.name = os.path.basename(cmd).replace("-","_")
+ 
+-    mypolicy = policy(args.name, args.type)
++    mypolicy = policy(args.name, args.policytype)
+     if cmd:
+         mypolicy.set_program(cmd)
+ 
++    if args.types:
++        mypolicy.set_types(args.types)
++
++    for p in args.writepaths:
++        if os.path.isdir(p):
++            mypolicy.add_dir(p)
++        else:
++            mypolicy.add_file(p)
++
+     mypolicy.set_transition_users(args.user)
+     mypolicy.set_admin_domains(args.admin_domain)
+     mypolicy.set_existing_domains(args.domain)
+ 
+-    if args.type in APPLICATIONS:
++    if args.policytype in APPLICATIONS:
+         mypolicy.gen_writeable()
+         mypolicy.gen_symbols()
+     print mypolicy.generate(args.path)
+@@ -343,26 +367,26 @@ def gen_interface_args(parser):
+                             help=_('List SELinux Policy interfaces'))
+     group = itf.add_mutually_exclusive_group(required=True)
+     group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true",                       default=False,
+-                       help="List all domains with admin interface")
++                       help="List all domains with admin interface - DOMAIN_admin()")
+     group.add_argument("-u", "--list_user", dest="list_user",action="store_true",
+                        default=False,
+-                       help="List all domains with SELinux user role interface")
++                       help="List all domains with SELinux user role interface - DOMAIN_role()")
+     group.add_argument("-l", "--list", dest="list",action="store_true",
+                        default=False,
+                        help="List all interfaces")
+     itf.set_defaults(func=interface)
+ 
+ def gen_generate_args(parser):
+-    from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER
++    from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
+     pol = parser.add_parser("generate",
+                             help=_('Generate SELinux Policy module template'))
+-    pol.add_argument("-d", "--domain", dest="domain", 
+-                     action=CheckDomain, default=None,
++    pol.add_argument("-d", "--domain", dest="domain", default=[],
++                     action=CheckDomain, nargs="*",
+                      help=_("Enter domain type which you will be extending"))
+-    pol.add_argument("-u", "--user", dest="user",
++    pol.add_argument("-u", "--user", dest="user", default=[],
+                      action=CheckUser, 
+                      help=_("Enter SELinux user(s) which will transition to this domain"))
+-    pol.add_argument("-a", "--admin", dest="admin_domain",
++    pol.add_argument("-a", "--admin", dest="admin_domain",default=[],
+                      action=CheckAdmin,
+                      help=_("Enter domain(s) that this confined admin will administrate"))
+     pol.add_argument("-n", "--name", dest="name",
+@@ -370,45 +394,53 @@ def gen_generate_args(parser):
+                      help=_("name of policy to generate"))
+     pol.add_argument("-T", "--test", dest="test", default=False, action="store_true",
+                      help=argparse.SUPPRESS)
++    pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
++                     action=CheckType, 
++                     help=argparse.SUPPRESS)
+     pol.add_argument("-p", "--path", dest="path", default=os.getcwd(),
+                      help=_("path in which the generated policy files will be stored"))
++    pol.add_argument("-w", "--writepath", dest="writepaths", nargs="*", default = [],
++                     help=_("path to which the confined processes will need to write"))
+     pol.add_argument("command",nargs="?", default=None,
+                      help=_("executable to confine"))
+     group = pol.add_mutually_exclusive_group(required=False)
+-    group.add_argument("--admin_user", dest="type", const=AUSER,
++    group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
++                       action="store_const",
++                       help=_("Generate Policy for %s") % poltype[NEWTYPE])
++    group.add_argument("--admin_user", dest="policytype", const=AUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[AUSER])
+-    group.add_argument("--application", dest="type", const=USER,
++    group.add_argument("--application", dest="policytype", const=USER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[USER])
+-    group.add_argument("--cgi", dest="type", const=CGI,
++    group.add_argument("--cgi", dest="policytype", const=CGI,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[CGI])
+-    group.add_argument("--confined_admin", dest="type", const=RUSER,
++    group.add_argument("--confined_admin", dest="policytype", const=RUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[RUSER])
+-    group.add_argument("--customize", dest="type", const=EUSER,
++    group.add_argument("--customize", dest="policytype", const=EUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[EUSER])
+-    group.add_argument("--dbus", dest="type", const=DBUS, 
++    group.add_argument("--dbus", dest="policytype", const=DBUS, 
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[DBUS])
+-    group.add_argument("--desktop_user", dest="type", const=LUSER,
++    group.add_argument("--desktop_user", dest="policytype", const=LUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[LUSER])
+-    group.add_argument("--inetd", dest="type", const=INETD,
++    group.add_argument("--inetd", dest="policytype", const=INETD,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[INETD])
+-    group.add_argument("--init", dest="type", const=DAEMON, 
++    group.add_argument("--init", dest="policytype", const=DAEMON, 
+                        action="store_const", default=DAEMON, 
+                        help=_("Generate Policy for %s") % poltype[DAEMON])
+-    group.add_argument("--sandbox", dest="type", const=SANDBOX,
++    group.add_argument("--sandbox", dest="policytype", const=SANDBOX,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[SANDBOX])
+-    group.add_argument("--term_user", dest="type", const=TUSER,
++    group.add_argument("--term_user", dest="policytype", const=TUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[TUSER])
+-    group.add_argument("--x_user", dest="type", const=XUSER,
++    group.add_argument("--x_user", dest="policytype", const=XUSER,
+                        action="store_const",
+                        help=_("Generate Policy for %s") % poltype[XUSER])
+     pol.set_defaults(func=generate)
+@@ -428,7 +460,10 @@ if __name__ == '__main__':
+     gen_transition_args(subparsers)
+ 
+     try:
+-        args = parser.parse_args()
++        if os.path.basename(sys.argv[0]) == "sepolgen":
++            args = parser.parse_args([ "generate" ] + sys.argv[1:])
++        else:
++            args = parser.parse_args()
+         args.func(args)
+         sys.exit(0)
+     except ValueError,e:
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py.f19	2013-03-08 16:38:34.627362029 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py	2013-03-08 16:38:34.696362265 -0500
+@@ -446,7 +446,7 @@ EXECUTABLE		--	gen_context(system_u:obje
  """
  
  fc_user="""\
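Review bot: `CheckType.__call__` (the new class added at the top of the sepolicy.py section) assigns `domains = sepolicy.get_all_domains()` and never reads it, so `-t/--type` values are stored without any validation while the neighbouring actions (CheckDomain, CheckClass, CheckAdmin, CheckPortType, CheckUser) all raise ValueError on unknown input. Either check each `v` against the appropriate list before `newval.append(v)` or drop the call; as written it is only an extra policy query per invocation. Two further points in the same hunk: `CheckPortType.__call__` still ends with `setattr(namespace, self.dest, values)` after accumulating into `newval`, so the built list is discarded (pre-existing, but the hunk rewrites the lines around it), and `manpage()` tests `args.policy` although `gen_manpage_args` defines no `policy` dest — unless the top-level parser adds it, that is an AttributeError at runtime. The line following the `sepolicy.policy(...)` call also carries trailing whitespace.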
@@ -786,9 +2027,9 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/templates/executable.py ../m
  """
  
  fc_initscript="""\
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/network.py
---- policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py	2013-02-08 13:11:51.904426937 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy/templates/network.py	2013-02-07 12:21:11.000000000 -0500
+diff -up policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py.f19 policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py
+--- policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py.f19	2013-03-08 16:38:34.627362029 -0500
++++ policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py	2013-03-08 16:38:34.696362265 -0500
 @@ -20,7 +20,7 @@
  #
  #
@@ -798,7 +2039,7 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py ../mast
  type TEMPLATETYPE_port_t;
  corenet_port(TEMPLATETYPE_port_t)
  """
-@@ -99,3 +99,482 @@
+@@ -99,3 +99,482 @@ corenet_udp_bind_all_rpc_ports(TEMPLATET
  te_in_unreserved_ports_udp="""\
  corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
  """
@@ -1281,628 +2522,3 @@ diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy/templates/network.py ../mast
 +	allow $1 TEMPLATETYPE_server_packet_t:packet relabelto;
 +')
 +"""
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh ../master/policycoreutils-2.1.14/sepolicy/sepolicy-bash-completion.sh
---- policycoreutils-2.1.13/sepolicy/sepolicy-bash-completion.sh	2013-02-08 13:11:51.892426897 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy-bash-completion.sh	2013-02-07 12:21:11.000000000 -0500
-@@ -45,6 +45,9 @@
- __get_all_user_domains () {
-     seinfo -auserdomain -x 2> /dev/null | tail -n +2
- }
-+__get_all_users () {
-+    seinfo -u 2> /dev/null | tail -n +2
-+}
- __get_all_classes () {
-     seinfo -c 2> /dev/null | tail -n +2
- }
-@@ -57,9 +60,6 @@
- __get_all_domains () {
-     seinfo -adomain -x 2>/dev/null | sed 's/_t$//g'
- }
--__get_all_generate_types () {
--    seinfo -agenerate_type -x 2>/dev/null | tail -n +2
--}
- _sepolicy () {
-         local command=${COMP_WORDS[1]}
-         local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]}
-@@ -79,7 +79,7 @@
-         local -A OPTS=(
-                [booleans]='-h --help -p --path -a -all -b --boolean'
-                [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess'
--               [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize  -d --domain --dbus --desktop_user -h --help --inetd --init -n --name -p --path --sandbox -T --test --term_user -u --user --x_user'
-+               [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize  -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newtype -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user'
-                [interface]='-h --help -a --list_admin" -u --list_user -l --list'
-                [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web'
-                [network]='-h --help -d --domain -l --list -p --port -t --type '
-@@ -126,6 +126,10 @@
-                 COMPREPLY=( $( compgen -d -- "$cur") )
-                 compopt -o filenames
-                 return 0
-+            elif test "$prev" = "-w" || test "$prev" = "--writepath" ; then
-+                COMPREPLY=( $( compgen -d -- "$cur") )
-+                compopt -o filenames
-+                return 0
-             elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then
-                 COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") )
-                 return 0
-@@ -136,7 +140,7 @@
-                 COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") )
-                 return 0
-             elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then
--                COMPREPLY=( $(compgen -W "$( __get_all_user_domains ) " -- "$cur") )
-+                COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") )
-                 return 0
-             elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then
-                 COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy-generate.8 ../master/policycoreutils-2.1.14/sepolicy/sepolicy-generate.8
---- policycoreutils-2.1.13/sepolicy/sepolicy-generate.8	2013-02-08 13:11:51.893426900 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy-generate.8	2013-02-07 12:21:11.000000000 -0500
-@@ -5,7 +5,7 @@
- .SH "SYNOPSIS"
- 
- .br
--.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
-+.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
- 
- .SH "DESCRIPTION"
- Use sepolicy generate to generate an SELinux policy Module.  sepolicy generate will generate 4 files.
-@@ -46,6 +46,15 @@
- Specify the directory to store the created policy files. (Default to current working directory )
- optional arguments:
- .TP
-+.I                \-u, \-\-user
-+SELinux user(s) which will transition to this domain
-+.TP
-+.I                \-w, \-\-writepath
-+Path(s) which the confined processes need to write
-+.TP
-+.I                \-a, \-\-admin
-+Domain(s) that this confined admin will administrate
-+.TP
- .I  \-\-admin_user 
- Generate Policy for Administrator Login User Role
- .TP
-@@ -73,6 +82,9 @@
- .I  \-\-init
- Generate Policy for Standard Init Daemon (Default)
- .TP
-+.I  \-\-newtype
-+Generate new policy for new types to add to an existing policy.
-+.TP
- .I  \-\-sandbox
- Generate Policy for Sandbox
- .TP
-diff -r -u policycoreutils-2.1.13/sepolicy/sepolicy.py ../master/policycoreutils-2.1.14/sepolicy/sepolicy.py
---- policycoreutils-2.1.13/sepolicy/sepolicy.py	2013-02-08 13:11:51.896426910 -0500
-+++ ../master/policycoreutils-2.1.14/sepolicy/sepolicy.py	2013-02-07 12:21:11.000000000 -0500
-@@ -43,13 +43,28 @@
-                 raise ValueError("%s does not exist" % values)
-         setattr(namespace, self.dest, values)
- 
-+class CheckType(argparse.Action):
-+    def __call__(self, parser, namespace, values, option_string=None):
-+        from sepolicy.network import domains
-+
-+        if isinstance(values,str):
-+            setattr(namespace, self.dest, values)
-+        else:
-+            newval = getattr(namespace, self.dest)
-+            if not newval:
-+                newval = []
-+
-+            for v in values:
-+                newval.append(v)
-+            setattr(namespace, self.dest, newval)
-+
- class CheckDomain(argparse.Action):
-     def __call__(self, parser, namespace, values, option_string=None):
-         from sepolicy.network import domains
- 
-         if isinstance(values,str):
-             if values not in domains:
--                raise ValueError("%s must be an SELinux process domain" % values)
-+                raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
-             setattr(namespace, self.dest, values)
-         else:
-             newval = getattr(namespace, self.dest)
-@@ -58,7 +73,7 @@
- 
-             for v in values:
-                 if v not in domains:
--                    raise ValueError("%s must be an SELinux process domain" % values)
-+                    raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
-                 newval.append(v)
-             setattr(namespace, self.dest, newval)
- 
-@@ -70,7 +85,8 @@
-         if not all_classes:
-                 all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
-         if values not in all_classes:
--            raise ValueError("%s must be an SELinux process domain" % values)
-+            raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes)))
-+
-         setattr(namespace, self.dest, values)
- 
- class CheckAdmin(argparse.Action):
-@@ -81,7 +97,7 @@
-             newval = []
-         admins = get_admin()
-         if values not in admins:
--            raise ValueError("%s must be an SELinux admin domain" % values)
-+            raise ValueError("%s must be an SELinux admin domain:\nValid admin domains: %s" % (values, ", ".join(admins)))
-         newval.append(values)
-         setattr(namespace, self.dest, newval)
- 
-@@ -104,7 +120,7 @@
-             newval = []
-         for v in values:
-             if v not in port_types:
--                raise ValueError("%s must be an SELinux port type" % values)
-+                raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
-             newval.append(v)
-         setattr(namespace, self.dest, values)
- 
-@@ -124,13 +140,13 @@
- 
- class CheckUser(argparse.Action):
-     def __call__(self, parser, namespace, value, option_string=None):
--        from sepolicy.generate import get_all_users
-+        from sepolicy import get_all_users
-         newval = getattr(namespace, self.dest)
-         if not newval:
-             newval = []
-         users = get_all_users()
-         if value not in users:
--                raise ValueError("%s must be an SELinux user" % value)
-+                raise ValueError("%s must be an SELinux user:\nValid users: %s" % (value, ", ".join(users)))
-         newval.append(value)
-         setattr(namespace, self.dest, newval)
- 
-@@ -316,24 +332,33 @@
-             print m
- 
- def generate(args):
--    from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS
-+    from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
-     cmd = None
--    if args.type not in USERS +  [ SANDBOX ]:
-+    if args.policytype not in USERS +  [ SANDBOX, NEWTYPE]:
-         if not args.command:
-             raise ValueError(_("Command required for this type of policy"))
-         cmd = os.path.realpath(args.command)
-         if not args.name:
-             args.name = os.path.basename(cmd).replace("-","_")
- 
--    mypolicy = policy(args.name, args.type)
-+    mypolicy = policy(args.name, args.policytype)
-     if cmd:
-         mypolicy.set_program(cmd)
- 
-+    if args.types:
-+        mypolicy.set_types(args.types)
-+
-+    for p in args.writepaths:
-+        if os.path.isdir(p):
-+            mypolicy.add_dir(p)
-+        else:
-+            mypolicy.add_file(p)
-+
-     mypolicy.set_transition_users(args.user)
-     mypolicy.set_admin_domains(args.admin_domain)
-     mypolicy.set_existing_domains(args.domain)
- 
--    if args.type in APPLICATIONS:
-+    if args.policytype in APPLICATIONS:
-         mypolicy.gen_writeable()
-         mypolicy.gen_symbols()
-     print mypolicy.generate(args.path)
-@@ -353,16 +378,16 @@
-     itf.set_defaults(func=interface)
- 
- def gen_generate_args(parser):
--    from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER
-+    from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
-     pol = parser.add_parser("generate",
-                             help=_('Generate SELinux Policy module template'))
--    pol.add_argument("-d", "--domain", dest="domain", 
--                     action=CheckDomain, default=None,
-+    pol.add_argument("-d", "--domain", dest="domain", default=[],
-+                     action=CheckDomain, nargs="*",
-                      help=_("Enter domain type which you will be extending"))
--    pol.add_argument("-u", "--user", dest="user",
-+    pol.add_argument("-u", "--user", dest="user", default=[],
-                      action=CheckUser, 
-                      help=_("Enter SELinux user(s) which will transition to this domain"))
--    pol.add_argument("-a", "--admin", dest="admin_domain",
-+    pol.add_argument("-a", "--admin", dest="admin_domain",default=[],
-                      action=CheckAdmin,
-                      help=_("Enter domain(s) that this confined admin will administrate"))
-     pol.add_argument("-n", "--name", dest="name",
-@@ -370,45 +395,53 @@
-                      help=_("name of policy to generate"))
-     pol.add_argument("-T", "--test", dest="test", default=False, action="store_true",
-                      help=argparse.SUPPRESS)
-+    pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
-+                     action=CheckType, 
-+                     help=argparse.SUPPRESS)
-     pol.add_argument("-p", "--path", dest="path", default=os.getcwd(),
-                      help=_("path in which the generated policy files will be stored"))
-+    pol.add_argument("-w", "--writepath", dest="writepaths", nargs="*", default = [],
-+                     help=_("path to which the confined processes will need to write"))
-     pol.add_argument("command",nargs="?", default=None,
-                      help=_("executable to confine"))
-     group = pol.add_mutually_exclusive_group(required=False)
--    group.add_argument("--admin_user", dest="type", const=AUSER,
-+    group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
-+                       action="store_const",
-+                       help=_("Generate Policy for %s") % poltype[NEWTYPE])
-+    group.add_argument("--admin_user", dest="policytype", const=AUSER,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[AUSER])
--    group.add_argument("--application", dest="type", const=USER,
-+    group.add_argument("--application", dest="policytype", const=USER,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[USER])
--    group.add_argument("--cgi", dest="type", const=CGI,
-+    group.add_argument("--cgi", dest="policytype", const=CGI,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[CGI])
--    group.add_argument("--confined_admin", dest="type", const=RUSER,
-+    group.add_argument("--confined_admin", dest="policytype", const=RUSER,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[RUSER])
--    group.add_argument("--customize", dest="type", const=EUSER,
-+    group.add_argument("--customize", dest="policytype", const=EUSER,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[EUSER])
--    group.add_argument("--dbus", dest="type", const=DBUS, 
-+    group.add_argument("--dbus", dest="policytype", const=DBUS, 
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[DBUS])
--    group.add_argument("--desktop_user", dest="type", const=LUSER,
-+    group.add_argument("--desktop_user", dest="policytype", const=LUSER,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[LUSER])
--    group.add_argument("--inetd", dest="type", const=INETD,
-+    group.add_argument("--inetd", dest="policytype", const=INETD,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[INETD])
--    group.add_argument("--init", dest="type", const=DAEMON, 
-+    group.add_argument("--init", dest="policytype", const=DAEMON, 
-                        action="store_const", default=DAEMON, 
-                        help=_("Generate Policy for %s") % poltype[DAEMON])
--    group.add_argument("--sandbox", dest="type", const=SANDBOX,
-+    group.add_argument("--sandbox", dest="policytype", const=SANDBOX,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[SANDBOX])
--    group.add_argument("--term_user", dest="type", const=TUSER,
-+    group.add_argument("--term_user", dest="policytype", const=TUSER,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[TUSER])
--    group.add_argument("--x_user", dest="type", const=XUSER,
-+    group.add_argument("--x_user", dest="policytype", const=XUSER,
-                        action="store_const",
-                        help=_("Generate Policy for %s") % poltype[XUSER])
-     pol.set_defaults(func=generate)
-diff -r -u policycoreutils-2.1.13/gui/domainsPage.py ../master/policycoreutils-2.1.14/gui/domainsPage.py
---- policycoreutils-2.1.13/gui/domainsPage.py	2013-02-08 13:11:51.662426124 -0500
-+++ ../master/policycoreutils-2.1.14/gui/domainsPage.py	2013-02-07 12:21:11.000000000 -0500
-@@ -26,7 +26,7 @@
- import seobject
- import selinux
- from semanagePage import *;
--from sepolicy.generate import get_all_domains
-+from sepolicy import get_all_entrypoint_domains
- 
- ##
- ## I18N
-@@ -68,7 +68,7 @@
-         self.permissive_button = xml.get_widget("permissiveButton")
-         self.enforcing_button = xml.get_widget("enforcingButton")
- 
--        self.domains=get_all_domains()
-+        self.domains=get_all_entrypoint_domains()
-         self.load()
- 
-     def get_modules(self):
-diff -r -u policycoreutils-2.1.13/gui/statusPage.py ../master/policycoreutils-2.1.14/gui/statusPage.py
---- policycoreutils-2.1.13/gui/statusPage.py	2013-02-08 13:11:51.671426154 -0500
-+++ ../master/policycoreutils-2.1.14/gui/statusPage.py	2013-02-07 12:21:11.000000000 -0500
-@@ -177,7 +177,11 @@
- 
-     def read_selinux_config(self):
-         self.initialtype = selinux.selinux_getpolicytype()[1]
--        self.initEnabled = selinux.selinux_getenforcemode()[1]
-+        try:
-+            self.initEnabled = selinux.selinux_getenforcemode()[1]
-+        except:
-+            self.initEnabled = False
-+            pass
-         self.enabled = self.initEnabled
-         self.enabledOptionMenu.set_active(self.enabled + 1 )
- 
-diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/semanage/semanage ../master/policycoreutils-2.1.14/semanage/semanage
---- policycoreutils-2.1.13/semanage/semanage	2013-02-08 13:17:18.194524775 -0500
-+++ ../master/policycoreutils-2.1.14/semanage/semanage	2013-02-08 13:12:09.551486238 -0500
-@@ -376,11 +376,8 @@
- 			OBJECT = seobject.moduleRecords(store)
- 
- 		if object == "permissive":
--                        try:
--                               OBJECT = seobject.permissiveRecords(store)
--                        except ImportError:
--                               raise ValueError(_("Additional packages are required to setup permissive domains.\nYou must execute the following:\n# yum install policycoreutils-devel"))
--		
-+                       OBJECT = seobject.permissiveRecords(store)
-+
- 		if object == "dontaudit":
-                         OBJECT = seobject.dontauditClass(store)
- 
-diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/semanage/seobject.py ../master/policycoreutils-2.1.14/semanage/seobject.py
---- policycoreutils-2.1.13/semanage/seobject.py	2013-02-08 13:17:18.195524779 -0500
-+++ ../master/policycoreutils-2.1.14/semanage/seobject.py	2013-02-08 13:12:09.552486241 -0500
-@@ -373,7 +373,11 @@
- 
- 	def add(self, type):
-                import glob
--	       import sepolgen.module as module
-+	       try:
-+		       import sepolgen.module as module
-+	       except ImportError:
-+		       raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro."))
-+		
-                name = "permissive_%s" % type
-                dirname = "/var/lib/selinux"
-                os.chdir(dirname)
-@@ -949,7 +953,10 @@
- 				print "%-15s %s" % (k, ddict[k][3])
- 
- class portRecords(semanageRecords):
--	valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
-+	try:
-+		valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
-+	except RuntimeError:
-+		valid_types = []
- 
- 	def __init__(self, store = ""):
- 		semanageRecords.__init__(self, store)
-@@ -1212,7 +1219,10 @@
- 			print rec
- 
- class nodeRecords(semanageRecords):
--       valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"node_type")[0]["types"]
-+       try:
-+	       valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"node_type")[0]["types"]
-+       except RuntimeError:
-+	       valid_types = []
- 
-        def __init__(self, store = ""):
-                semanageRecords.__init__(self,store)
-@@ -1634,8 +1644,11 @@
- 				print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
- 			
- class fcontextRecords(semanageRecords):
--	valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
--	valid_types +=  sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]
-+	try:
-+		valid_types =  sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
-+		valid_types +=  sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]
-+	except RuntimeError:
-+		valid_types = []
- 
- 	def __init__(self, store = ""):
- 		semanageRecords.__init__(self, store)
-diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/sandbox/seunshare.c ../master/policycoreutils-2.1.14/sandbox/seunshare.c
---- policycoreutils-2.1.13/sandbox/seunshare.c	2013-02-08 13:21:22.853351998 -0500
-+++ ../master/policycoreutils-2.1.14/sandbox/seunshare.c	2013-02-08 13:12:09.548486227 -0500
-@@ -31,12 +31,6 @@
- #include <selinux/context.h>	/* for context-mangling functions */
- #include <dirent.h>
- 
--
--/*
-- * Note setfsuid never returns an error code.  But the compiler complains if 
-- * I do not check, so I am checking for -1, which should never happen.
-- */
--
- #ifdef USE_NLS
- #include <locale.h>		/* for setlocale() */
- #include <libintl.h>		/* for gettext() */
-@@ -623,13 +617,17 @@
- 	free(cmdbuf); cmdbuf = NULL;
- 
- 	/* remove runtime temporary directory */
--	if (setfsuid(0) < 0) 
-+	if ((uid_t)setfsuid(0) != pwd->pw_uid) {
-+		fprintf(stderr, _("Unable to switch to root to clear tmp dir\n"));
- 		rc++;
-+	}
- 
- 	if (rmdir(tmpdir) == -1)
- 		fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno));
--	if (setfsuid(pwd->pw_uid) < 0) 
-+	if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
-+		fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
- 		rc++;
-+	}
- 
- 	return rc;
- }
-@@ -651,7 +649,7 @@
- 
- 	/* get selinux context */
- 	if (execcon) {
--		if (setfsuid(pwd->pw_uid) < 0) 
-+		if ((uid_t)setfsuid(pwd->pw_uid) != 0)
- 			goto err;
- 
- 		if ((fd_s = open(src, O_RDONLY)) < 0) {
-@@ -672,7 +670,7 @@
- 		}
- 
- 		/* ok to not reach this if there is an error */
--		if (setfsuid(0) < 0) 
-+		if ((uid_t)setfsuid(0) != pwd->pw_uid)
- 			goto err;
- 	}
- 
-@@ -728,7 +726,7 @@
- 		}
- 	}
- 
--	if (setfsuid(pwd->pw_uid) < 0) 
-+	if ((uid_t)setfsuid(pwd->pw_uid) != 0)
- 		goto err;
- 
- 	if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
-@@ -736,7 +734,7 @@
- 	}
- 
- 	/* ok to not reach this if there is an error */
--	if (setfsuid(0) < 0) 
-+	if ((uid_t)setfsuid(0) != pwd->pw_uid)
- 		goto err;
- 
- 	if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
-@@ -788,10 +786,13 @@
- 			continue;
- 
- 		if (pids == max_pids) {
--			if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
-+			pid_t *new_pid_table = realloc(pid_table, 2*pids*sizeof(pid_t));
-+			if (!new_pid_table) {
-+				free(pid_table);
- 				(void)closedir(dir);
- 				return -1;
- 			}
-+			pid_table = new_pid_table;
- 			max_pids *= 2;
- 		}
- 		pid_table[pids++] = pid;
-@@ -930,7 +931,7 @@
- 	/* Changing fsuid is usually required when user-specified directory is
- 	 * on an NFS mount.  It's also desired to avoid leaking info about
- 	 * existence of the files not accessible to the user. */
--	if (setfsuid(uid) < 0) 
-+	if ((uid_t)setfsuid(uid) != 0)
- 		return -1;
- 
- 	/* verify homedir and tmpdir */
-@@ -940,7 +941,7 @@
- 	if (tmpdir_s && (
- 		verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
- 		check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
--	if (setfsuid(0) < 0) return -1;
-+	if ((uid_t)setfsuid(0) != uid) return -1;
- 
- 	/* create runtime tmpdir */
- 	if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
-@@ -961,7 +962,7 @@
- 		char *LANG = NULL;
- 		int rc = -1;
- 
--		if (unshare(CLONE_NEWNS) < 0) {
-+		if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
- 			perror(_("Failed to unshare"));
- 			goto childerr;
- 		}
-@@ -974,7 +975,7 @@
- 		}
- 
- 		/* assume fsuid==ruid after this point */
--		if (setfsuid(uid) < 0) goto childerr;
-+		if ((uid_t)setfsuid(uid) != 0) goto childerr;
- 
- 		/* mount homedir and tmpdir, in this order */
- 		if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir,
-@@ -991,7 +992,7 @@
- 				goto childerr;
- 			}
- 		}
--		
-+
- 		/* construct a new environment */
- 		if ((LANG = getenv("LANG")) != NULL) {
- 			if ((LANG = strdup(LANG)) == NULL) {
-@@ -999,14 +1000,14 @@
- 				goto childerr;
- 			}
- 		}
--		
-+
- 		if ((rc = clearenv()) != 0) {
- 			perror(_("Failed to clear environment"));
- 			goto childerr;
- 		}
- 		if (display)
- 			rc |= setenv("DISPLAY", display, 1);
--		if (LANG) 
-+		if (LANG)
- 			rc |= setenv("LANG", LANG, 1);
- 		rc |= setenv("HOME", pwd->pw_dir, 1);
- 		rc |= setenv("SHELL", pwd->pw_shell, 1);
-diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/restorecond/restorecond.conf ../master/policycoreutils-2.1.14/restorecond/restorecond.conf
---- policycoreutils-2.1.13/restorecond/restorecond.conf	2013-02-08 13:24:23.100961351 -0500
-+++ ../master/policycoreutils-2.1.14/restorecond/restorecond.conf	2013-02-07 12:21:11.000000000 -0500
-@@ -1,6 +1,7 @@
- /etc/services
- /etc/resolv.conf
- /etc/samba/secrets.tdb
-+/etc/updatedb.conf
- /var/run/utmp
- /var/log/wtmp
- /root/*
-Only in ../master/policycoreutils-2.1.14/restorecond/: restorecond.service
-diff '--exclude=*.rhat' -r -u policycoreutils-2.1.13/restorecond/user.c ../master/policycoreutils-2.1.14/restorecond/user.c
---- policycoreutils-2.1.13/restorecond/user.c	2012-09-25 16:17:37.000000000 -0400
-+++ ../master/policycoreutils-2.1.14/restorecond/user.c	2013-02-08 13:12:09.547486224 -0500
-@@ -54,6 +54,7 @@
- static const char *INTERFACE="org.selinux.RestorecondIface";
- static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
- 
-+static int local_lock_fd = -1;
- 
- static DBusHandlerResult
- signal_filter (DBusConnection *connection  __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
-@@ -201,17 +202,18 @@
- 			perror("asprintf");
- 		return -1;
- 	}
--	int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
-+	local_lock_fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW | O_CLOEXEC, S_IRUSR | S_IWUSR);
- 	if (debug_mode)
- 		g_warning ("Lock file: %s", ptr);
- 
- 	free(ptr);
--	if (fd < 0) {
-+	if (local_lock_fd < 0) {
- 		if (debug_mode)
- 			perror("open");
- 		return -1;
- 	}
--	if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
-+	if (flock(local_lock_fd, LOCK_EX | LOCK_NB) < 0) {
-+		close(local_lock_fd);
- 		if (debug_mode)
- 			perror("flock");
- 		return -1;
-@@ -226,6 +228,12 @@
- 	return 0;
- }
- 
-+static void end_local_server(void) {
-+	if (local_lock_fd >= 0)
-+		close(local_lock_fd);
-+	local_lock_fd = -1;
-+}
-+
- int server(int master_fd, const char *watch_file) {
-     GMainLoop *loop;
- 
-@@ -253,6 +261,7 @@
-     g_main_loop_run (loop);
- 
- end:
-+    end_local_server();
-     g_main_loop_unref (loop);
-     return 0;
- }
diff --git a/policycoreutils.spec b/policycoreutils.spec
index f39c8ca..724acb9 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 56%{?dist}
+Release: 57%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -64,7 +64,7 @@ to switch roles.
 %setup -q -a 1 
 %patch -p2 -b .rhat
 %patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
-%patch2 -p3 -b .rawhide
+%patch2 -p1 -b .f19
 
 %build
 make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
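Review bot: The strip level on the `%patch2` line drops from `-p3` to `-p1` in the same commit that regenerates the patch it applies, so this hunk is only correct if every file header in the new patch has exactly one leading path component to strip; a single header at a different depth aborts `%prep` and the rebuilt package never gets the backported fixes. Please confirm with an `rpmbuild -bp` run before pushing, since nothing else in the spec checks this. The backup suffix change to `.f19` is harmless but now differs from the `.rhat`/`.sepolgen` suffixes on the neighbouring `%patch` lines, which is worth a one-line comment so the next backport does not "fix" it back. Unrelated to this change but on the context line below it: the build uses partial RELRO (`-Wl,-z,relro` without `-z now`), which presumably leaves lazily bound GOT entries writable in the privileged helpers this package ships; if the toolchain permits, `LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"` would close that gap.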
@@ -340,6 +340,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Fri Feb 8 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.12-57
+- Back more sepolicy fixes from Rawhide
+
 * Fri Feb 8 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.12-56
 - Back port lots of fixes from Rawhide
         * Cleanup python problems

