[policycoreutils] sepolicy manpage:

Daniel J Walsh dwalsh at fedoraproject.org
Tue Mar 19 20:58:39 UTC 2013


commit 8be0816a9837f75352266e909d5c3ccf5fa955ff
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Mar 19 16:58:35 2013 -0400

    sepolicy manpage:
    
    -   use nroff instead of man2html
    -   Remove checking for name of person who created the man page
    - audit2allow
    -   Fix output to show the level that is different.

 policycoreutils-rhat.patch     |  408 ++++++++++++++++++++++++++++++++++++----
 policycoreutils-sepolgen.patch |   34 +++-
 policycoreutils.spec           |   30 +++-
 3 files changed, 428 insertions(+), 44 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 6ea005d..43b2bc2 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -34,7 +34,7 @@ index 88635d4..fc290ea 100644
  clean:
  	rm -f *~
 diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
-index 8e0c396..9bd66f5 100644
+index 8e0c396..d282eee 100644
 --- a/policycoreutils/audit2allow/audit2allow
 +++ b/policycoreutils/audit2allow/audit2allow
 @@ -18,7 +18,7 @@
@@ -65,6 +65,23 @@ index 8e0c396..9bd66f5 100644
                            help="Translates SELinux audit messages into a description of why the access was denied")
  
          options, args = parser.parse_args()
+@@ -267,12 +268,10 @@ class AuditToPolicy:
+                     continue
+ 
+                 if rc == audit2why.CONSTRAINT:
+-                    print "\t\tPolicy constraint violation.\n"
+-                    print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
+-                    print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
+-                    for reason in data:
+-                        print "\t\tNote: Possible cause is the source and target %s differ\n" % reason
+-                    continue
++                    print #!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n"
++                    print "#Constraint rule: \n\t" + data[0]
++                    for reason in data[1:]:
++                        print "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
+ 
+                 if rc == audit2why.RBAC:
+                     print "\t\tMissing role allow rule.\n"
 diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
 index a854a45..bc70938 100644
 --- a/policycoreutils/audit2allow/audit2allow.1
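Review bot: The first print in the added CONSTRAINT branch has lost its opening quote: `print #!!!! This avc is a constraint violation. ...` is parsed as a bare `print` followed by a comment, so it emits an empty line and the explanation (and the closing quote) never reach the user; it should read `print "#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n"`. The next line, `print "#Constraint rule: \n\t" + data[0]`, puts the rule text on a line that begins with a tab rather than `#`, so if this output is meant to be pasted into a .te file as commentary, `"\n#\t"` would keep it a comment (the policygen.py hunk in policycoreutils-sepolgen.patch has the same formatting). The trailing `\b` in the per-reason format looks like a typo for `\n`. The enclosing AuditToPolicy method starts and ends outside the hunk.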
@@ -396,10 +413,30 @@ index 4963cdc..a55dbed 100644
  .sp
  .B REQUIRESEUSERS
 diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index 8fbf2d0..3510f12 100644
+index 8fbf2d0..4e59a06 100644
 --- a/policycoreutils/newrole/newrole.c
 +++ b/policycoreutils/newrole/newrole.c
-@@ -576,19 +576,22 @@ static int drop_capabilities(int full)
+@@ -547,9 +547,7 @@ static int drop_capabilities(int full)
+ 	if (!uid) return 0;
+ 
+ 	capng_setpid(getpid());
+-	capng_clear(CAPNG_SELECT_BOTH);
+-	if (capng_lock() < 0) 
+-		return -1;
++	capng_clear(CAPNG_SELECT_CAPS);
+ 
+ 	/* Change uid */
+ 	if (setresuid(uid, uid, uid)) {
+@@ -558,7 +556,7 @@ static int drop_capabilities(int full)
+ 	}
+ 	if (! full) 
+ 		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
+-	return capng_apply(CAPNG_SELECT_BOTH);
++	return capng_apply(CAPNG_SELECT_CAPS);
+ }
+ #elif defined(NAMESPACE_PRIV)
+ /**
+@@ -576,20 +574,21 @@ static int drop_capabilities(int full)
   */
  static int drop_capabilities(int full)
  {
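Review bot: Dropping `capng_lock()` from drop_capabilities changes more than the bounding set: it also stops setting the SECBIT_NO_SETUID_FIXUP securebit, so the `setresuid(uid, uid, uid)` that follows is now subject to the kernel's normal root-to-non-root rule and clears the permitted and effective sets itself. For the `full` case that is harmless, but in the `!full` path the later `capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE)` plus `capng_apply(CAPNG_SELECT_CAPS)` would be trying to raise a capability that is no longer permitted, and I would expect that capset() to fail; worth verifying if any caller passes full=0 (none is visible here). The same removal is made in the NAMESPACE_PRIV variant in the following hunk (`@@ -407,9 +444,10 @@`). Since the intent per the changelog is to leave the bounding set alone, a comment on the `capng_clear(CAPNG_SELECT_CAPS);` line such as `/* caps only: the bounding set is deliberately left intact */` would record that for the next reader.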
@@ -407,9 +444,10 @@ index 8fbf2d0..3510f12 100644
 +	if (!uid) return 0;
 +
  	capng_setpid(getpid());
- 	capng_clear(CAPNG_SELECT_BOTH);
- 	if (capng_lock() < 0) 
- 		return -1;
+-	capng_clear(CAPNG_SELECT_BOTH);
+-	if (capng_lock() < 0) 
+-		return -1;
++	capng_clear(CAPNG_SELECT_CAPS);
  
 -	uid_t uid = getuid();
  	/* Change uid */
@@ -419,12 +457,14 @@ index 8fbf2d0..3510f12 100644
  	}
  	if (! full) 
 -		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
-+		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE, -1);
+-	return capng_apply(CAPNG_SELECT_BOTH);
++		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE, -1);
 +	
- 	return capng_apply(CAPNG_SELECT_BOTH);
++	return capng_apply(CAPNG_SELECT_CAPS);
  }
  
-@@ -680,7 +683,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
+ #else
+@@ -680,7 +679,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
  		       security_context_t * tty_context,
  		       security_context_t * new_tty_context)
  {
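Review bot: The retained-capability list on the rewritten capng_updatev line drops CAP_SETPCAP with no comment saying why; presumably it was only needed for the securebits prctl behind the now-removed capng_lock(), and a short comment such as `/* CAP_SETPCAP dropped: securebits and the bounding set are no longer touched */` would keep it from being re-added later. The body of this drop_capabilities variant starts outside the hunk.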
@@ -433,7 +473,7 @@ index 8fbf2d0..3510f12 100644
  	int enforcing = security_getenforce();
  	security_context_t tty_con = NULL;
  	security_context_t new_tty_con = NULL;
-@@ -699,7 +702,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
+@@ -699,7 +698,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
  		fprintf(stderr, _("Error!  Could not open %s.\n"), ttyn);
  		return fd;
  	}
@@ -448,7 +488,7 @@ index 8fbf2d0..3510f12 100644
  
  	if (fgetfilecon(fd, &tty_con) < 0) {
  		fprintf(stderr, _("%s!  Could not get current context "
-@@ -1010,9 +1019,9 @@ int main(int argc, char *argv[])
+@@ -1010,9 +1015,9 @@ int main(int argc, char *argv[])
  	int fd;
  	pid_t childPid = 0;
  	char *shell_argv0 = NULL;
@@ -459,7 +499,7 @@ index 8fbf2d0..3510f12 100644
  	int pam_status;		/* pam return code */
  	pam_handle_t *pam_handle;	/* opaque handle used by all PAM functions */
  
-@@ -1226,15 +1235,23 @@ int main(int argc, char *argv[])
+@@ -1226,15 +1231,23 @@ int main(int argc, char *argv[])
  		fd = open(ttyn, O_RDONLY | O_NONBLOCK);
  		if (fd != 0)
  			goto err_close_pam;
@@ -486,6 +526,35 @@ index 8fbf2d0..3510f12 100644
  
  	}
  	/*
+@@ -1268,19 +1281,24 @@ int main(int argc, char *argv[])
+ 	}
+ #endif
+ 
+-	if (send_audit_message(1, old_context, new_context, ttyn))
++	if (send_audit_message(1, old_context, new_context, ttyn)) {
++		fprintf(stderr, _("Failed to send audit message"));
+ 		goto err_close_pam_session;
++	}
+ 	freecon(old_context); old_context=NULL;
+ 	freecon(new_context); new_context=NULL;
+ 
+ #ifdef NAMESPACE_PRIV
+-	if (transition_to_caller_uid())
++	if (transition_to_caller_uid()) {
++		fprintf(stderr, _("Failed to transition to namespace\n"));
+ 		goto err_close_pam_session;
++	}
+ #endif
+ 
+-	if (drop_capabilities(TRUE))
++	if (drop_capabilities(TRUE)) {
++		fprintf(stderr, _("Failed to drop capabilities %m\n"));
+ 		goto err_close_pam_session;
+-
++	}
+ 	/* Handle environment changes */
+ 	if (restore_environment(preserve_environment, old_environ, &pw)) {
+ 		fprintf(stderr, _("Unable to restore the environment, "
 diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
 index d1b435c..de3582f 100644
 --- a/policycoreutils/newrole/newrole.pamd
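Review bot: The new `fprintf(stderr, _("Failed to send audit message"));` lacks a trailing newline, unlike the two messages added below it, so whatever is written to stderr next lands on the same line; use `fprintf(stderr, _("Failed to send audit message\n"));`. The `%m` in the drop_capabilities message relies on errno being left set by capng_apply()/capset(), which is plausible for libcap-ng but worth confirming. main() continues outside the hunk in both directions.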
@@ -1776,6 +1845,28 @@ index 6c30734..5e7f885 100644
  .B secon
  will try reading a context from stdin, if that is not a tty, otherwise 
  .B secon
+diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile
+index 24d6a21..b797d83 100644
+--- a/policycoreutils/semanage/Makefile
++++ b/policycoreutils/semanage/Makefile
+@@ -5,7 +5,7 @@ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR = $(PREFIX)/share/man
+ PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
+ PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
++BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
+ 
+ TARGETS=semanage
+ 
+@@ -21,7 +21,7 @@ install: all
+ 	test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
+ 	install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
+ 	-mkdir -p $(BASHCOMPLETIONDIR)
+-	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
++	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
+ 
+ clean:
+ 
 diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
 new file mode 100644
 index 0000000..e15a877
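Review bot: The new default `BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions` hard-codes `/usr/share` while the neighbouring `MANDIR = $(PREFIX)/share/man` derives from `$(PREFIX)`; if PREFIX already defaults to `$(DESTDIR)/usr` in this tree (not visible here), `BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions` keeps the two in step. The install line's destination is now a single file name, `$(BASHCOMPLETIONDIR)/semanage`, so `$(BASHCOMPLETIONS)` must expand to exactly one file or install will fail; its definition is outside the hunk. The same pattern appears in the sepolicy Makefile hunks (`@@ -2139,10 +2230,19 @@`, `@@ -2157,6 +2257,8 @@`) and the setsebool Makefile hunk (`@@ -3058,3 +3372,25 @@`).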
@@ -2139,10 +2230,19 @@ index 62dd53e..d6e1be0 100644
  .SH SYNOPSIS
  .B semodule_unpackage <module> [<file contexts>]
 diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
-index 11b534f..eb86eae 100644
+index 11b534f..ae064c4 100644
 --- a/policycoreutils/sepolicy/Makefile
 +++ b/policycoreutils/sepolicy/Makefile
-@@ -22,10 +22,14 @@ clean:
+@@ -7,7 +7,7 @@ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ LOCALEDIR ?= /usr/share/locale
+ PYTHON ?= /usr/bin/python
+-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
++BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+ override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+@@ -22,11 +22,15 @@ clean:
  	$(PYTHON) setup.py clean
  	-rm -rf build *~ \#* *pyc .#*
  
@@ -2157,6 +2257,8 @@ index 11b534f..eb86eae 100644
  	-mkdir -p $(MANDIR)/man8
  	install -m 644 *.8 $(MANDIR)/man8
  	-mkdir -p $(BASHCOMPLETIONDIR)
+-	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
++	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/sepolicy
 diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
 index 4eca22d..eeee0ab 100644
 --- a/policycoreutils/sepolicy/policy.c
@@ -2200,6 +2302,39 @@ index 82fea52..29f9428 100644
              elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
                  return 0
              elif test "$prev" = "-p" || test "$prev" = "--path" ; then
+diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
+index fb84af6..c2fa601 100644
+--- a/policycoreutils/sepolicy/sepolicy-generate.8
++++ b/policycoreutils/sepolicy/sepolicy-generate.8
+@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
+ .B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
+ 
+ .SH "DESCRIPTION"
+-Use sepolicy generate to generate an SELinux policy Module.  sepolicy generate will generate 4 files.
++Use \fBsepolicy generate\fP to generate an SELinux policy Module.  \fBsepolicy generate\fP will create 5 files.
++
++If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files.
++
+ 
+ .B Type Enforcing File NAME.te
+ .br
+ This file can be used to define all the types rules for a particular domain.
+ 
++.I Note:
++Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file.  When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
++
+ .B Interface File NAME.if
+ .br
+ This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
+@@ -25,7 +31,7 @@ file paths to the types.  Tools like restorecon and RPM will use these paths to
+ 
+ .B RPM Spec File NAME_selinux.spec
+ .br
+-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy.  You can use sepolicy manpage -d NAME to generate the man page.
++This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy.  You can use \fBsepolicy manpage -d NAME\fP to generate the man page.
+ 
+ .B Shell File NAME.sh
+ .br
 diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8
 index b6abdf5..c05c943 100644
 --- a/policycoreutils/sepolicy/sepolicy-manpage.8
@@ -2224,7 +2359,7 @@ index b6abdf5..c05c943 100644
  Generate an additional HTML man pages for the specified domain(s).
  
 diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
-index b25d3b2..2bbea35 100755
+index b25d3b2..6e71f00 100755
 --- a/policycoreutils/sepolicy/sepolicy.py
 +++ b/policycoreutils/sepolicy/sepolicy.py
 @@ -22,6 +22,8 @@
@@ -2245,8 +2380,31 @@ index b25d3b2..2bbea35 100755
  
          if isinstance(values,str):
              setattr(namespace, self.dest, values)
-@@ -60,7 +62,7 @@ class CheckType(argparse.Action):
- 
+@@ -58,9 +60,30 @@ class CheckType(argparse.Action):
+                 newval.append(v)
+             setattr(namespace, self.dest, newval)
+ 
++class CheckBoolean(argparse.Action):
++    def __call__(self, parser, namespace, values, option_string=None):
++        booleans = sepolicy.get_all_booleans()
++        newval = getattr(namespace, self.dest)
++        if not newval:
++            newval = []
++
++        if isinstance(values,str):
++            v = selinux.selinux_boolean_sub(values)
++            if v not in booleans:
++                raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(booleans)))
++            newval.append(v)
++            setattr(namespace, self.dest, newval)
++        else:
++            for value in values:
++                v = selinux.selinux_boolean_sub(value)
++                if v not in booleans:
++                    raise ValueError("%s must be an SELinux boolean:\nValid boolean: %s" % (v, ", ".join(booleans)))
++                newval.append(v)
++            setattr(namespace, self.dest, newval)
++
  class CheckDomain(argparse.Action):
      def __call__(self, parser, namespace, values, option_string=None):
 -        from sepolicy.network import domains
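Review bot: The ValueError raised in the single-string branch of CheckBoolean still carries the CheckDomain wording, `"%s must be an SELinux process domain:\nValid domains: %s"`, while the list branch says `"%s must be an SELinux boolean:\nValid boolean: %s"`; the first should be changed to match the second. The two branches are otherwise the same loop body, so normalising the input up front with `if isinstance(values, str): values = [values]` would leave a single copy of the check and message.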
@@ -2254,7 +2412,7 @@ index b25d3b2..2bbea35 100755
  
          if isinstance(values,str):
              if values not in domains:
-@@ -80,7 +82,6 @@ class CheckDomain(argparse.Action):
+@@ -80,7 +103,6 @@ class CheckDomain(argparse.Action):
  all_classes = None
  class CheckClass(argparse.Action):
      def __call__(self, parser, namespace, values, option_string=None):
@@ -2262,7 +2420,7 @@ index b25d3b2..2bbea35 100755
          global all_classes
          if not all_classes:
                  all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
-@@ -114,7 +115,7 @@ class CheckPort(argparse.Action):
+@@ -114,7 +136,7 @@ class CheckPort(argparse.Action):
  
  class CheckPortType(argparse.Action):
      def __call__(self, parser, namespace, values, option_string=None):
@@ -2271,7 +2429,7 @@ index b25d3b2..2bbea35 100755
          newval = getattr(namespace, self.dest)
          if not newval:
              newval = []
-@@ -140,19 +141,18 @@ class CheckPolicyType(argparse.Action):
+@@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action):
  
  class CheckUser(argparse.Action):
      def __call__(self, parser, namespace, value, option_string=None):
@@ -2294,7 +2452,7 @@ index b25d3b2..2bbea35 100755
      if len(portdict) > 0:
          print "%s: %s %s" % (src, protocol, perm)
          for p in portdict:
-@@ -160,7 +160,7 @@ def _print_net(src, protocol, perm):
+@@ -160,7 +181,7 @@ def _print_net(src, protocol, perm):
                  print "\t" + recs
  
  def network(args):
@@ -2303,7 +2461,7 @@ index b25d3b2..2bbea35 100755
      if args.list_ports:
          all_ports = []
          for i in portrecs:
-@@ -201,41 +201,41 @@ def manpage(args):
+@@ -201,41 +222,41 @@ def manpage(args):
      from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
  
      path = args.path
@@ -2368,7 +2526,7 @@ index b25d3b2..2bbea35 100755
  
  def gen_network_args(parser):
          net = parser.add_parser("network",
-@@ -283,7 +283,6 @@ def gen_communicate_args(parser):
+@@ -283,7 +304,6 @@ def gen_communicate_args(parser):
      comm.set_defaults(func=communicate)
  
  def booleans(args):
@@ -2376,7 +2534,15 @@ index b25d3b2..2bbea35 100755
      from sepolicy import boolean_desc
      if args.all:
          rc, args.booleans = selinux.security_get_boolean_names()
-@@ -320,7 +319,7 @@ def gen_transition_args(parser):
+@@ -300,6 +320,7 @@ def gen_booleans_args(parser):
+                        action="store_true",
+                        help=_("get all booleans descriptions"))
+     group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
++                       action=CheckBoolean, required=False,
+                        help=_("boolean to get description"))
+     bools.set_defaults(func=booleans)
+ 
+@@ -320,7 +341,7 @@ def gen_transition_args(parser):
      trans.set_defaults(func=transition)
  
  def interface(args):
@@ -2385,7 +2551,7 @@ index b25d3b2..2bbea35 100755
      if args.list_admin:
          for a in get_admin():
              print a
-@@ -328,7 +327,7 @@ def interface(args):
+@@ -328,7 +349,7 @@ def interface(args):
          for a in get_user():
              print a
      if args.list:
@@ -2394,7 +2560,7 @@ index b25d3b2..2bbea35 100755
              print m
  
  def generate(args):
-@@ -368,10 +367,10 @@ def gen_interface_args(parser):
+@@ -368,10 +389,10 @@ def gen_interface_args(parser):
                              help=_('List SELinux Policy interfaces'))
      group = itf.add_mutually_exclusive_group(required=True)
      group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true",                       default=False,
@@ -2407,7 +2573,7 @@ index b25d3b2..2bbea35 100755
      group.add_argument("-l", "--list", dest="list",action="store_true",
                         default=False,
                         help="List all interfaces")
-@@ -461,7 +460,10 @@ if __name__ == '__main__':
+@@ -461,7 +482,10 @@ if __name__ == '__main__':
      gen_transition_args(subparsers)
  
      try:
@@ -2420,7 +2586,7 @@ index b25d3b2..2bbea35 100755
          sys.exit(0)
      except ValueError,e:
 diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
-index 5e7415c..35c3758 100644
+index 5e7415c..5267ed9 100644
 --- a/policycoreutils/sepolicy/sepolicy/__init__.py
 +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
 @@ -7,6 +7,9 @@ import _policy
@@ -2552,7 +2718,7 @@ index 5e7415c..35c3758 100644
  	return all_domains
  
  roles = None
-@@ -139,49 +215,42 @@ def get_all_attributes():
+@@ -139,48 +215,48 @@ def get_all_attributes():
  	return all_attributes
  
  def policy(policy_file):
@@ -2617,10 +2783,15 @@ index 5e7415c..35c3758 100644
 -def info(setype, name=None):
 -    dict_list = _policy.info(setype, name)
 -    return dict_list
--
++booleans = None
++def get_all_booleans():
++    global booleans
++    if not booleans:
++        booleans = selinux.security_get_boolean_names()[1]
++    return booleans
+ 
  booleans_dict = None
  def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
-         global booleans_dict
 diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
 index 26f8390..898ec43 100644
 --- a/policycoreutils/sepolicy/sepolicy/generate.py
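Review bot: `selinux.security_get_boolean_names()[1]` discards the status element of the returned pair, so a failing call is never detected and the cached value may be empty or None, which CheckBoolean then tests `in` against. Prefer `rc, names = selinux.security_get_boolean_names()` followed by `if rc < 0: raise ValueError("could not read SELinux booleans")`, assigning the global only on success. Note also that `if not booleans:` re-queries on every call when the list is legitimately empty, which is probably acceptable here.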
@@ -2726,10 +2897,10 @@ index 8b063ca..c9036c3 100644
                  trans_list.append(m[0])
      return trans_list
 diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
-index 25062da..b3c24e6 100755
+index 25062da..f184b0c 100755
 --- a/policycoreutils/sepolicy/sepolicy/manpage.py
 +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
-@@ -28,7 +28,7 @@ import string
+@@ -28,12 +28,12 @@ import string
  import argparse
  import selinux
  import sepolicy
@@ -2738,7 +2909,32 @@ index 25062da..b3c24e6 100755
  
  import commands
  import sys, os, re, time
-@@ -416,40 +416,33 @@ class ManPage:
+ 
+-equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
++equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
+ 
+ equiv_dirs=[ "/var" ]
+ modules_dict = None
+@@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list):
+ 	return alphabet_manpages
+ 
+ def convert_manpage_to_html(html_manpage,manpage):
+-	fd = open(html_manpage,'w')
+-	rc, output = commands.getstatusoutput("man2html -r %s" % manpage)
++	rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
+ 	if rc == 0:
++		print html_manpage, " has been created"
++		fd = open(html_manpage,'w')
+ 		fd.write(output)
+-	else:
+-		fd.write("Man page does not exist")
+-
+-	fd.close()
++		fd.close()
+ 
+ class HTMLManPages:
+ 	"""
+@@ -416,40 +414,33 @@ class ManPage:
      """
  	Generate a Manpage on an SELinux domain in the specified path
      """
@@ -2797,7 +2993,110 @@ index 25062da..b3c24e6 100755
  	self.booleans_dict = gen_bool_dict(self.xmlpath)
  
  	if domainname.endswith("_t"):
-@@ -947,13 +940,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
+@@ -459,7 +450,10 @@ class ManPage:
+ 
+ 	if self.domainname + "_t" not in self.all_domains:
+ 		raise  ValueError("domain %s_t does not exist" % self.domainname)
+-	self.short_name = self.domainname
++	if self.domainname[-1]=='d':
++		self.short_name = self.domainname[:-1] + "_"
++	else:
++		self.short_name = self.domainname + "_"
+ 
+ 	self.type = self.domainname + "_t"
+ 	self._gen_bools()
+@@ -483,16 +477,23 @@ class ManPage:
+     def _gen_bools(self):
+ 	    self.bools=[]
+ 	    self.domainbools=[]
+-	    for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : self.type }))):
+-		    for b in i:
+-			    if not isinstance(b,tuple):
+-				    continue
+-			    if b[0].startswith(self.short_name):
+-				    if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
+-					    self.domainbools.append(b)
+-			    else:
+-				    if b not in self.bools and (b[0], not b[1]) not in self.bools:
+-					    self.bools.append(b)
++	    types = [self.type]
++	    if self.domainname in equiv_dict:
++		    for t in equiv_dict[self.domainname]:
++			    if t + "_t" in self.all_domains:
++				    types.append(t+"_t")
++
++	    for t in types:
++		    for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : t }))):
++			    for b in i:
++				    if not isinstance(b,tuple):
++					    continue
++				    if b[0].startswith(self.short_name) or b[0].startswith(self.domainname):
++					    if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
++						    self.domainbools.append(b)
++				    else:
++					    if b not in self.bools and (b[0], not b[1]) not in self.bools:
++						    self.bools.append(b)
+ 
+ 	    self.bools.sort()
+ 	    self.domainbools.sort()
+@@ -538,9 +539,6 @@ class ManPage:
+ 	    print path
+ 
+     def __gen_man_page(self):
+-	if self.domainname[-1]=='d':
+-	    self.short_name = self.domainname[:-1]
+-
+ 	self.anon_list = []
+ 
+ 	self.attributes = {}
+@@ -563,19 +561,8 @@ class ManPage:
+ 
+     def _get_ptypes(self):
+ 	for f in self.all_domains:
+-	    if f.startswith(self.short_name):
+-		self.ptypes.append(f)
+-
+-    def __whoami(self):
+-	    import pwd
+-	    fd = open("/proc/self/loginuid", "r")
+-	    uid = int(fd.read())
+-	    fd.close()
+-	    pw = pwd.getpwuid(uid)
+-	    if len(pw.pw_gecos) > 0:
+-		    return pw.pw_gecos
+-	    else:
+-		    return pw.pw_name
++		if f.startswith(self.short_name) or f.startswith(self.domainname):
++			self.ptypes.append(f)
+ 
+     def _header(self):
+ 	self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(date)s" "%(domainname)s" "SELinux Policy documentation for %(domainname)s"'
+@@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
+     def _port_types(self):
+ 	self.ports = []
+ 	for f in self.all_port_types:
+-	    if f.startswith(self.short_name):
++            if f.startswith(self.short_name) or f.startswith(self.domainname):
+ 		self.ports.append(f)
+ 
+ 	if len(self.ports) == 0:
+@@ -923,13 +910,12 @@ to apply the labels.
+ 
+     def _see_also(self):
+ 	    ret = ""
+-	    prefix = self.short_name.split("_")[0]
+ 	    for d in self.domains:
+ 		    if d == self.domainname:
+ 			    continue
+-		    if d.startswith(prefix):
++		    if d.startswith(self.short_name):
+ 			    ret += ", %s_selinux(8)" % d
+-		    if self.domainname.startswith(d):
++		    if d.startswith(self.domainname + "_"):
+ 			    ret += ", %s_selinux(8)" % d
+ 	    self.fd.write(ret)
+ 
+@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
  .B restorecon -F -R -v /var/%(domainname)s
  .pp
  .TP
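Review bot: In the rewritten `_see_also`, the two tests `d.startswith(self.short_name)` and `d.startswith(self.domainname + "_")` are separate `if`s that append the same `", %s_selinux(8)" % d`; for a domain whose name does not end in `d`, `short_name` is exactly `domainname + "_"` (see the change at `@@ -459,7 +450,10 @@`), so both conditions hold for every match and each related page is listed twice in SEE ALSO. Turning the second `if` into `elif` fixes it. Separately, the added `_port_types` line `if f.startswith(self.short_name) or f.startswith(self.domainname):` is indented with spaces while its neighbours use tabs; Python 2 accepts this only because a tab expands to column 8, and Python 3 rejects the mix, so it should use the tab indentation of the surrounding lines. The ManPage class and several of the touched methods extend beyond the hunk.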
@@ -2814,7 +3113,22 @@ index 25062da..b3c24e6 100755
  """  % {'domainname':self.domainname})
  	    for b in self.anon_list:
  		desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
-@@ -1230,6 +1224,7 @@ The SELinux user %s_u is not able to terminal login.
+@@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings.
+ 
+ .SH AUTHOR
+ This manual page was auto-generated using
+-.B "sepolicy manpage"
+-by %s.
++.B "sepolicy manpage".
+ 
+ .SH "SEE ALSO"
+ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+-""" % (self.__whoami(), self.domainname))
++""" % (self.domainname))
+ 
+ 	if self.booltext != "":
+ 	    self.fd.write(", setsebool(8)")
+@@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login.
  """ % self.domainname)
  
      def _network(self):
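Review bot: `""" % (self.domainname))` only works because the template now has a single `%s`; the parentheses do not form a tuple, so a reader may mistake it for one and a future second placeholder would fail with a confusing error. Write it as `% self.domainname` or `% (self.domainname,)` to make the intent explicit. The enclosing method starts outside the hunk.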
@@ -3058,3 +3372,25 @@ index b11e49f..ac1c39a 100644
 -	exit(errors);
 +	exit(errors ? -1: 0);
  }
+diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
+index a6addc5..45d6538 100644
+--- a/policycoreutils/setsebool/Makefile
++++ b/policycoreutils/setsebool/Makefile
+@@ -4,7 +4,7 @@ INCLUDEDIR ?= $(PREFIX)/include
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR = $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
++BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(INCLUDEDIR)
+@@ -23,7 +23,7 @@ install: all
+ 	-mkdir -p $(MANDIR)/man8
+ 	install -m 644 setsebool.8 $(MANDIR)/man8/
+ 	-mkdir -p $(BASHCOMPLETIONDIR)
+-	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
++	install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/setsebool
+ 
+ relabel:
+ 
diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch
index 2ac2cb0..05dba05 100644
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@@ -1,13 +1,41 @@
 diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index d636091..9ca35a7 100644
+index d636091..56919be 100644
 --- a/sepolgen/src/sepolgen/audit.py
 +++ b/sepolgen/src/sepolgen/audit.py
-@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage):
+@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
                  raise ValueError("Error during access vector computation")
  
              if self.type == audit2why.CONSTRAINT:
 -                self.data = []
 +                self.data = [ self.data ]
                  if self.scontext.user != self.tcontext.user:
-                     self.data.append("user")
+-                    self.data.append("user")
++                    self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
                  if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
+-                    self.data.append("role")
++                    self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
+                 if self.scontext.level != self.tcontext.level:
+-                    self.data.append("level")
++                    self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
+ 
+             avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
+ 
+diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
+index cc9f8ea..24062a1 100644
+--- a/sepolgen/src/sepolgen/policygen.py
++++ b/sepolgen/src/sepolgen/policygen.py
+@@ -172,10 +172,10 @@ class PolicyGenerator:
+                     rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+ 
+             if av.type == audit2why.CONSTRAINT:
+-                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
+-                rule.comment += "#Constraint rule: "
+-                for reason in av.data:
+-                    rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
++                rule.comment += "#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n"
++                rule.comment += "#Constraint rule: \n\t" + av.data[0]
++                for reason in av.data[1:]:
++                    rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
+ 
+             try:
+                 if ( av.type == audit2why.TERULE and
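Review bot: In the policygen.py part, `rule.comment += "#Constraint rule: \n\t" + av.data[0]` appends the constraint text with no terminating newline and on a line that begins with a tab rather than `#`, so the following `"#\tPossible cause ..."` text is glued onto the end of the rule line and, if av.data[0] is the raw constraint expression, the generated comment block contains a line that is not a comment. `rule.comment += "#Constraint rule: \n#\t" + av.data[0] + "\n"` keeps every line commented and separated. The `\n\b` terminator on the per-reason format line looks like a typo for `\n`, as a literal backspace ends up in the output. The audit.py change is consistent with this consumer: data[0] is the original payload and the remaining entries are 2-tuples, which is what the `% reason` formatting expects.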
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 4dcf691..2252080 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 19%{?dist}
+Release: 23%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -129,10 +129,9 @@ an SELinux environment.
 %{_mandir}/man8/sepolicy*.8*
 %{_mandir}/man8/sepolgen.8*
 %{_mandir}/ru/man8/semanage.8*
-%dir %{_sysconfdir}/bash_completion.d
-%{_sysconfdir}/bash_completion.d/semanage-bash-completion.sh
-%{_sysconfdir}/bash_completion.d/sepolicy-bash-completion.sh
-%{_sysconfdir}/bash_completion.d/setsebool-bash-completion.sh
+%{_usr}/share/bash-completion/completions/semanage
+%{_usr}/share/bash-completion/completions/setsebool
+%{_usr}/share/bash-completion/completions/sepolicy
 
 %package devel
 Summary: SELinux policy core policy devel utilities
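Review bot: The three `%{_usr}/share/bash-completion/completions/*` entries replace a `%dir` line without adding one for the new directory, so unless this package or a dependency it declares owns `%{_usr}/share/bash-completion/completions`, that directory is left unowned on install. Either add `%dir %{_usr}/share/bash-completion/completions` or confirm a Requires on bash-completion covers it; the rest of the spec is outside this hunk, so I cannot tell which applies.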
@@ -310,6 +309,27 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Tue Mar 19 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-23
+- sepolicy manpage:
+-   use nroff instead of man2html
+-   Remove checking for name of person who created the man page
+- audit2allow
+-   Fix output to show the level that is different.
+
+* Thu Mar 14 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-22
+- Fix newrole to not drop capabilities from the bounding set.
+- Stop dropping capabilities from its children.
+- Add better error messages.
+- Change location of bash_completion files to /usr/share/bash-completion/compl
+
+* Mon Mar 11 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-21
+- sepolicy generate should look for booleans that effect equivalence names, and add them to the man page
+
+* Thu Mar 7 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-20
+- Mention creation of permissive domains in sepolicy generate man page
+- Change sepolicy manpage to use shortname with an "_" to stop accidently grabbing unrelated types for a domain.
+- Fix audit2allow to show better information on constraint violations.
+
 * Wed Mar 6 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-19
 - Have restorecon exit -1 on errors for consistancy.
 

