[policycoreutils] Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Apr 3 15:19:52 UTC 2013
commit d4ae6ccd6648591cddec5c8bf0b3bace75ab5297
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Apr 3 11:18:44 2013 -0400
Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
- Apply Miroslav Grepl Patches for sepolicy
policycoreutils-rhat.patch | 113 ++++++++++++++++++++++++++++++++------------
policycoreutils.spec | 18 +++++--
2 files changed, 96 insertions(+), 35 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 6b650af..061dd5b 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -3646,7 +3646,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
-index b25d3b2..c353021 100755
+index b25d3b2..7443ae0 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
@@ -3658,7 +3658,17 @@ index b25d3b2..c353021 100755
from sepolicy import get_os_version
import argparse
import gettext
-@@ -45,7 +47,7 @@ class CheckPath(argparse.Action):
+@@ -37,6 +39,9 @@ except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
++usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
++usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
++
+ class CheckPath(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ if not os.path.exists(values):
+@@ -45,7 +50,7 @@ class CheckPath(argparse.Action):
class CheckType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
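Review bot: The added module-level `usage_dict` restates by hand which arguments each `generate` policy-type option takes, and nothing ties it to the argparse definitions or to `conflict_args` in `generate()`, which this commit also edits. If the three drift apart, the printed usage will disagree with what the parser and the conflict check actually accept. I would add a comment above it, `# Keep in sync with conflict_args in generate() and the add_argument calls in gen_generate_args()`, and give the generic module-level name `usage` a more specific one such as `generate_usage_prefix`.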
@@ -3667,7 +3677,7 @@ index b25d3b2..c353021 100755
if isinstance(values,str):
setattr(namespace, self.dest, values)
-@@ -58,9 +60,30 @@ class CheckType(argparse.Action):
+@@ -58,9 +63,30 @@ class CheckType(argparse.Action):
newval.append(v)
setattr(namespace, self.dest, newval)
@@ -3699,7 +3709,7 @@ index b25d3b2..c353021 100755
if isinstance(values,str):
if values not in domains:
-@@ -80,7 +103,6 @@ class CheckDomain(argparse.Action):
+@@ -80,7 +106,6 @@ class CheckDomain(argparse.Action):
all_classes = None
class CheckClass(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
@@ -3707,7 +3717,7 @@ index b25d3b2..c353021 100755
global all_classes
if not all_classes:
all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
-@@ -114,7 +136,7 @@ class CheckPort(argparse.Action):
+@@ -114,7 +139,7 @@ class CheckPort(argparse.Action):
class CheckPortType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
@@ -3716,7 +3726,7 @@ index b25d3b2..c353021 100755
newval = getattr(namespace, self.dest)
if not newval:
newval = []
-@@ -140,19 +162,30 @@ class CheckPolicyType(argparse.Action):
+@@ -140,19 +165,30 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None):
@@ -3751,7 +3761,7 @@ index b25d3b2..c353021 100755
if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm)
for p in portdict:
-@@ -160,7 +193,7 @@ def _print_net(src, protocol, perm):
+@@ -160,7 +196,7 @@ def _print_net(src, protocol, perm):
print "\t" + recs
def network(args):
@@ -3760,7 +3770,7 @@ index b25d3b2..c353021 100755
if args.list_ports:
all_ports = []
for i in portrecs:
-@@ -201,41 +234,41 @@ def manpage(args):
+@@ -201,41 +237,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path
@@ -3825,7 +3835,7 @@ index b25d3b2..c353021 100755
def gen_network_args(parser):
net = parser.add_parser("network",
-@@ -283,7 +316,6 @@ def gen_communicate_args(parser):
+@@ -283,7 +319,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate)
def booleans(args):
@@ -3833,7 +3843,7 @@ index b25d3b2..c353021 100755
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
-@@ -300,6 +332,7 @@ def gen_booleans_args(parser):
+@@ -300,6 +335,7 @@ def gen_booleans_args(parser):
action="store_true",
help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
@@ -3841,7 +3851,7 @@ index b25d3b2..c353021 100755
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
-@@ -320,7 +353,7 @@ def gen_transition_args(parser):
+@@ -320,7 +356,7 @@ def gen_transition_args(parser):
trans.set_defaults(func=transition)
def interface(args):
@@ -3850,7 +3860,7 @@ index b25d3b2..c353021 100755
if args.list_admin:
for a in get_admin():
print a
-@@ -328,13 +361,16 @@ def interface(args):
+@@ -328,13 +364,25 @@ def interface(args):
for a in get_user():
print a
if args.list:
@@ -3864,13 +3874,22 @@ index b25d3b2..c353021 100755
cmd = None
- if args.policytype not in USERS + [ SANDBOX, NEWTYPE]:
+# numbers present POLTYPE defined in sepolicy.generate
-+ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER,)}
++ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER, EUSER,)}
++ error_text = ""
++
++ if args.policytype is None:
++ generate_usage = generate_custom_usage(usage, usage_dict)
++ for k in usage_dict:
++ error_text += "%s" % (k)
++ print(generate_usage)
++ print(_("sepolicy generate: error: one of the arguments %s is required") % error_text)
++ sys.exit(1)
+
+ if args.policytype in APPLICATIONS:
if not args.command:
raise ValueError(_("Command required for this type of policy"))
cmd = os.path.realpath(args.command)
-@@ -346,8 +382,18 @@ def generate(args):
+@@ -346,8 +394,18 @@ def generate(args):
mypolicy.set_program(cmd)
if args.types:
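Review bot: The new `args.policytype is None` branch reports the failure with `print(...)` on stdout and `sys.exit(1)`, whereas argparse's own errors go to stderr with exit status 2, so anything wrapping `sepolicy generate` sees two failure conventions. The option list in the message comes from iterating `usage_dict`, a plain dict in a file that still uses Python 2 `print` statements, so the options appear in hash order rather than the order written; `error_text = "".join(sorted(usage_dict))` would make the message stable. Sending both lines through `sys.stderr.write(...)` would also keep error text out of captured output. `generate()` starts and continues outside this hunk.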
@@ -3889,7 +3908,7 @@ index b25d3b2..c353021 100755
for p in args.writepaths:
if os.path.isdir(p):
mypolicy.add_dir(p)
-@@ -368,10 +414,10 @@ def gen_interface_args(parser):
+@@ -368,10 +426,10 @@ def gen_interface_args(parser):
help=_('List SELinux Policy interfaces'))
group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
@@ -3902,21 +3921,19 @@ index b25d3b2..c353021 100755
group.add_argument("-l", "--list", dest="list",action="store_true",
default=False,
help="List all interfaces")
-@@ -379,7 +425,12 @@ def gen_interface_args(parser):
+@@ -379,7 +437,10 @@ def gen_interface_args(parser):
def gen_generate_args(parser):
from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
- pol = parser.add_parser("generate",
+
-+ generate_usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
-+ generate_usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
-+ generate_usage = generate_custom_usage(generate_usage, generate_usage_dict)
++ generate_usage = generate_custom_usage(usage, usage_dict)
+
+ pol = parser.add_parser("generate", usage = generate_usage,
help=_('Generate SELinux Policy module template'))
pol.add_argument("-d", "--domain", dest="domain", default=[],
action=CheckDomain, nargs="*",
-@@ -397,53 +448,57 @@ def gen_generate_args(parser):
+@@ -397,53 +458,57 @@ def gen_generate_args(parser):
help=argparse.SUPPRESS)
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
action=CheckType,
@@ -3931,7 +3948,7 @@ index b25d3b2..c353021 100755
- group = pol.add_mutually_exclusive_group(required=False)
- group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
+ cmdtype = pol.add_argument_group(_("Policy types which require a command"))
-+ cmdgroup = cmdtype.add_mutually_exclusive_group(required=True)
++ cmdgroup = cmdtype.add_mutually_exclusive_group(required=False)
+ cmdgroup.add_argument("--application", dest="policytype", const=USER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[NEWTYPE])
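Review bot: With `required=False` on `cmdgroup` here and on `group` in the next hunk (`@@ -3956,7 +3973,7 @@`), argparse checks exclusivity only inside each group, yet the options of both groups store into the same `dest="policytype"`. An invocation naming one option from each group, such as `--application` together with `--admin_user`, would pass parsing and the later option would silently win, so the generated policy template could be for a different type than the operator intended; no cross-group check is visible in this diff. A shared `argparse.Action` for these options that calls `parser.error(...)` when `getattr(namespace, self.dest)` is already set would reject that combination. `gen_generate_args()` begins and ends outside this hunk.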
@@ -3956,7 +3973,7 @@ index b25d3b2..c353021 100755
+ help=_("Generate '%s' policy") % poltype[DAEMON])
+
+ type = pol.add_argument_group("Policy types which do not require a command")
-+ group = type.add_mutually_exclusive_group(required=True)
++ group = type.add_mutually_exclusive_group(required=False)
+ group.add_argument("--admin_user", dest="policytype", const=AUSER,
+ action="store_const",
+ help=_("Generate '%s' policy") % poltype[AUSER])
@@ -4000,7 +4017,7 @@ index b25d3b2..c353021 100755
pol.set_defaults(func=generate)
if __name__ == '__main__':
-@@ -461,7 +516,10 @@ if __name__ == '__main__':
+@@ -461,7 +526,10 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
try:
@@ -4220,7 +4237,7 @@ index 5e7415c..5267ed9 100644
booleans_dict = None
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
-index 26f8390..c83883f 100644
+index 26f8390..4739025 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError:
@@ -4285,6 +4302,15 @@ index 26f8390..c83883f 100644
return newte
def generate_new_rules(self):
+@@ -1014,7 +1007,7 @@ allow %s_t %s_t:%s_socket name_%s;
+
+ def generate_roles_rules(self):
+ newte = ""
+- if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER):
++ if self.type in ( TUSER, XUSER, AUSER, LUSER ):
+ roles = ""
+ if len(self.roles) > 0:
+ newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules)
@@ -1030,14 +1023,15 @@ allow %s_t %s_t:%s_socket name_%s;
if len(self.DEFAULT_DIRS[d][1]) > 0:
# CGI scripts already have a rw_t
@@ -4303,7 +4329,7 @@ index 26f8390..c83883f 100644
newte += self.generate_capabilities()
newte += self.generate_process()
newte += self.generate_network_types()
-@@ -1048,11 +1042,20 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1048,11 +1042,22 @@ allow %s_t %s_t:%s_socket name_%s;
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
@@ -4313,8 +4339,10 @@ index 26f8390..c83883f 100644
- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
- break
+ if self.type == EUSER:
++ newte_tmp = ""
+ for domain in self.existing_domains:
-+ newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules)
++ newte_tmp += re.sub("TEMPLATETYPE_t", domain[:-2]+"_t", self.DEFAULT_DIRS[d][2].te_rules)
++ newte += re.sub("TEMPLATETYPE_rw_t", self.name+"_rw_t", newte_tmp)
+ else:
+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
+ for i in self.DEFAULT_DIRS[d][1]:
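Review bot: The pattern `"TEMPLATETYPE_t"` in the added EUSER branch is unanchored, so it also matches the front of any longer token that begins the same way (for example a `TEMPLATETYPE_tmp_t` in a template), and the emitted rule would then name the existing domain's type rather than the new module's. The templates are not visible here, so this may not occur today, but `re.sub(r"TEMPLATETYPE_t\b", domain[:-2]+"_t", ...)` makes the intent explicit. `domain[:-2]+"_t"` also assumes every entry of `self.existing_domains` ends in `_t`; if that is guaranteed by the caller, a comment saying so would help. Indentation is lost in this view, so I cannot tell whether the final `re.sub("TEMPLATETYPE_rw_t", ...)` runs once after the loop or on every iteration; because `newte_tmp` accumulates, it should run once.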
@@ -4329,7 +4357,7 @@ index 26f8390..c83883f 100644
newte += self.generate_tmp_rules()
newte += self.generate_network_rules()
-@@ -1079,7 +1082,7 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1079,7 +1084,7 @@ allow %s_t %s_t:%s_socket name_%s;
fclist = []
if self.type in USERS + [ SANDBOX ]:
return executable.fc_user
@@ -4338,8 +4366,24 @@ index 26f8390..c83883f 100644
raise ValueError(_("You must enter the executable path for your confined process"))
if self.program:
-@@ -1123,7 +1126,7 @@ allow %s_t %s_t:%s_socket name_%s;
- tmp = re.sub("TEMPLATETYPE", self.name, script.users)
+@@ -1109,7 +1114,7 @@ allow %s_t %s_t:%s_socket name_%s;
+
+ def generate_user_sh(self):
+ newsh = ""
+- if self.type not in ( TUSER, XUSER, AUSER, LUSER, EUSER):
++ if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER):
+ return newsh
+
+ roles = ""
+@@ -1117,13 +1122,10 @@ allow %s_t %s_t:%s_socket name_%s;
+ roles += " %s_r" % role
+ if roles != "":
+ roles += " system_r"
+- if self.type == EUSER:
+- tmp = re.sub("TEMPLATETYPE", self.name, script.eusers)
+- else:
+- tmp = re.sub("TEMPLATETYPE", self.name, script.users)
++ tmp = re.sub("TEMPLATETYPE", self.name, script.users)
newsh += re.sub("ROLES", roles, tmp)
- if self.type == RUSER:
@@ -4408,7 +4452,7 @@ index 8b063ca..c9036c3 100644
trans_list.append(m[0])
return trans_list
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
-index 25062da..f184b0c 100755
+index 25062da..2747e4f 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -28,12 +28,12 @@ import string
@@ -4504,7 +4548,7 @@ index 25062da..f184b0c 100755
self.booleans_dict = gen_bool_dict(self.xmlpath)
if domainname.endswith("_t"):
-@@ -459,7 +450,10 @@ class ManPage:
+@@ -459,13 +450,16 @@ class ManPage:
if self.domainname + "_t" not in self.all_domains:
raise ValueError("domain %s_t does not exist" % self.domainname)
@@ -4516,6 +4560,13 @@ index 25062da..f184b0c 100755
self.type = self.domainname + "_t"
self._gen_bools()
+ self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
+ self.fd = open(self.man_page_path, 'w')
+- if domainname + "_r" in self.all_roles:
++ if self.domainname + "_r" in self.all_roles:
+ self.__gen_user_man_page()
+ if self.html:
+ manpage_roles.append(self.man_page_path)
@@ -483,16 +477,23 @@ class ManPage:
def _gen_bools(self):
self.bools=[]
diff --git a/policycoreutils.spec b/policycoreutils.spec
index b8e7f8b..d1b05cc 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -114,7 +114,6 @@ an SELinux environment.
%{_sbindir}/semanage
%{_bindir}/chcat
%{_bindir}/sandbox
-%{_bindir}/sepolicy
%{python_sitearch}/seobject.py*
%{python_sitearch}/sepolgen
%{python_sitearch}/sepolicy
@@ -126,12 +125,9 @@ an SELinux environment.
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/man8/semanage.8*
-%{_mandir}/man8/sepolicy*.8*
-%{_mandir}/man8/sepolgen.8*
%{_mandir}/ru/man8/semanage.8*
%{_usr}/share/bash-completion/completions/semanage
%{_usr}/share/bash-completion/completions/setsebool
-%{_usr}/share/bash-completion/completions/sepolicy
%package devel
Summary: SELinux policy core policy devel utilities
@@ -155,6 +151,10 @@ The policycoreutils-devel package contains the management tools use to develop p
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
+%{_bindir}/sepolicy
+%{_mandir}/man8/sepolicy*.8*
+%{_mandir}/man8/sepolgen.8*
+%{_usr}/share/bash-completion/completions/sepolicy
%post devel
selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
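Review bot: `%{_bindir}/sepolicy` moves into the devel `%files` list here while `%{python_sitearch}/sepolicy`, the module that script imports, stays in the list the binary was removed from. The hunk does not show whether the devel package carries a versioned dependency on the package that keeps the module; without one, a partial upgrade could pair the new script with an older module, or leave two package versions owning the same path. Worth confirming that `%package devel` has something like `Requires: <package owning %{python_sitearch}/sepolicy> = %{version}-%{release}` (placeholder name, since the owning package is not visible in this diff).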
@@ -321,6 +321,16 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Wed Apr 3 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-32
+- Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
+- Apply Miroslav Grepl Patches for sepolicy
+* Fix generate mutually groups option handling
+* EUSER is used for existing policy
+* customize options can be used together with admin_domain option
+* Fix manpage.py to generate correct man pages for SELinux users
+* Fix policy *.te file generated by customize+writepaths options
+* Fix install script for confined_admin option
+
* Mon Apr 1 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-31
- Add post install scripts for gui to make sure Icon Cache is refreshed.
- Fix grammar issue in secon man page