[policycoreutils/f19] Move audit2allow back into policycoreutils-python package
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Sep 4 12:40:45 UTC 2013
commit 0378c325522e3411652d7e79baaa10126e5757db
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Sep 4 08:40:20 2013 -0400
Move audit2allow back into policycoreutils-python package
- Fix semanage logging to syslog
- Fix setsebool error handling
- Fix fixfiles scripts to work as documented
policycoreutils-f20.patch | 488 ++++++++++++++++++++++++++++++++++-----------
policycoreutils.spec | 7 +-
2 files changed, 376 insertions(+), 119 deletions(-)
---
diff --git a/policycoreutils-f20.patch b/policycoreutils-f20.patch
index 19587a9..3627471 100644
--- a/policycoreutils-f20.patch
+++ b/policycoreutils-f20.patch
@@ -1,6 +1,6 @@
diff -up policycoreutils-2.1.14/po/fr.po.f20 policycoreutils-2.1.14/po/fr.po
---- policycoreutils-2.1.14/po/fr.po.f20 2013-06-21 07:49:23.462732372 -0400
-+++ policycoreutils-2.1.14/po/fr.po 2013-06-21 07:49:23.570732956 -0400
+--- policycoreutils-2.1.14/po/fr.po.f20 2013-08-28 11:15:51.973175537 -0400
++++ policycoreutils-2.1.14/po/fr.po 2013-08-28 11:15:52.077176362 -0400
@@ -1,7 +1,7 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
@@ -2105,8 +2105,8 @@ diff -up policycoreutils-2.1.14/po/fr.po.f20 policycoreutils-2.1.14/po/fr.po
-#~ "processus."
+msgstr "Autoriser ZoneMinder à modifier les fichiers publics utilisés pour les services de transfert de fichiers publics."
diff -up policycoreutils-2.1.14/po/hu.po.f20 policycoreutils-2.1.14/po/hu.po
---- policycoreutils-2.1.14/po/hu.po.f20 2013-06-21 07:49:23.474732437 -0400
-+++ policycoreutils-2.1.14/po/hu.po 2013-06-21 07:49:23.572732967 -0400
+--- policycoreutils-2.1.14/po/hu.po.f20 2013-08-28 11:15:51.985175632 -0400
++++ policycoreutils-2.1.14/po/hu.po 2013-08-28 11:15:52.079176378 -0400
@@ -1,7 +1,7 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
@@ -4403,8 +4403,8 @@ diff -up policycoreutils-2.1.14/po/hu.po.f20 policycoreutils-2.1.14/po/hu.po
-#~ "végre az összes folyamaton."
+msgstr "Engedélyezi a ZoneMinder számára hogy módosíthassa a publikus fájlokat a nyílt fájlátviteli szolgáltatásoknál."
diff -up policycoreutils-2.1.14/po/kn.po.f20 policycoreutils-2.1.14/po/kn.po
---- policycoreutils-2.1.14/po/kn.po.f20 2013-06-21 07:49:23.487732507 -0400
-+++ policycoreutils-2.1.14/po/kn.po 2013-06-21 07:49:23.575732983 -0400
+--- policycoreutils-2.1.14/po/kn.po.f20 2013-08-28 11:15:51.998175735 -0400
++++ policycoreutils-2.1.14/po/kn.po 2013-08-28 11:15:52.081176394 -0400
@@ -1,8 +1,9 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
@@ -6086,8 +6086,8 @@ diff -up policycoreutils-2.1.14/po/kn.po.f20 policycoreutils-2.1.14/po/kn.po
-#~ msgstr "sysadm ಎಲ್ಲಾ ಪ್ರಕ್ರಿಯೆಗಳ ದೋಷನಿವಾರಣೆ ಅಥವ ptrace ಮಾಡಲು ಅನುಮತಿಸು."
+msgstr "ಸಾರ್ವಜನಿಕ ಕಡತ ವರ್ಗಾವಣೆಗಳಲ್ಲಿ ಬಳಸಲಾಗುವ ಸಾರ್ವಜನಿಕ ಕಡತಗಳನ್ನು ಮಾರ್ಪಡಿಸಲು ZoneMinder ಗೆ ಅನುಮತಿಸು."
diff -up policycoreutils-2.1.14/po/zh_TW.po.f20 policycoreutils-2.1.14/po/zh_TW.po
---- policycoreutils-2.1.14/po/zh_TW.po.f20 2013-06-21 07:49:23.549732843 -0400
-+++ policycoreutils-2.1.14/po/zh_TW.po 2013-06-21 07:49:23.576732989 -0400
+--- policycoreutils-2.1.14/po/zh_TW.po.f20 2013-08-28 11:15:52.058176211 -0400
++++ policycoreutils-2.1.14/po/zh_TW.po 2013-08-28 11:15:52.082176402 -0400
@@ -1,24 +1,24 @@
# SOME DESCRIPTIVE TITLE.
# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
@@ -6892,8 +6892,8 @@ diff -up policycoreutils-2.1.14/po/zh_TW.po.f20 policycoreutils-2.1.14/po/zh_TW.
-#~ msgid "Allow sysadm to debug or ptrace all processes."
-#~ msgstr "允許 sysadm 進行除錯或是 ptrace 所有程序。"
diff -up policycoreutils-2.1.14/sandbox/sandbox.f20 policycoreutils-2.1.14/sandbox/sandbox
---- policycoreutils-2.1.14/sandbox/sandbox.f20 2013-06-21 07:53:55.739204298 -0400
-+++ policycoreutils-2.1.14/sandbox/sandbox 2013-06-21 07:54:11.416289013 -0400
+--- policycoreutils-2.1.14/sandbox/sandbox.f20 2013-08-28 11:15:52.059176219 -0400
++++ policycoreutils-2.1.14/sandbox/sandbox 2013-08-28 11:15:52.082176402 -0400
@@ -170,7 +170,6 @@ def fullpath(cmd):
return cmd
@@ -6911,18 +6911,172 @@ diff -up policycoreutils-2.1.14/sandbox/sandbox.f20 policycoreutils-2.1.14/sandb
parser.disable_interspersed_args()
parser.add_option("-i", "--include",
action="callback", callback=self.__include,
+diff -up policycoreutils-2.1.14/scripts/fixfiles.8.f20 policycoreutils-2.1.14/scripts/fixfiles.8
+--- policycoreutils-2.1.14/scripts/fixfiles.8.f20 2013-09-04 08:36:56.488634838 -0400
++++ policycoreutils-2.1.14/scripts/fixfiles.8 2013-09-04 08:37:01.754655706 -0400
+@@ -5,15 +5,15 @@ fixfiles \- fix file SELinux security co
+ .SH "SYNOPSIS"
+
+ .B fixfiles
+-.I [\-v] [\-F] [\-l logfile ] { check | restore|[\-f] relabel | verify } [[dir/file] ... ]
++.I [\-v] [\-F] [-B] [ -N time ] [\-l logfile ] { check | restore|[\-f] relabel | verify } [[dir/file] ... ]
+
+ .B fixfiles
+ .I [\-v] [\-F] [ \-R rpmpackagename[,rpmpackagename...] ] [\-l logfile ] { check | restore | verify }
+
+ .B fixfiles
+-.I [\-v] [ \-C PREVIOUS_FILECONTEXT ] [\-l logfile ] { check | restore | verify }
++.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT [\-l logfile ] { check | restore | verify }
+
+-.B fixfiles
++.B fixfiles [-F] [-B]
+ .I onboot
+
+ .SH "DESCRIPTION"
+@@ -37,6 +37,9 @@ will setup the machine to relabel on the
+
+ .SH "OPTIONS"
+ .TP
++.B \-B
++If specified with onboot, this fixfiles will record the current date in the /.autorelabel file, so that it can be used later to speed up labeling. If used with restore, the restore will only affect files that were modified today.
++.TP
+ .B \-l logfile
+ Save the output to the specified logfile
+ .TP
+@@ -55,6 +58,11 @@ Use the rpm database to discover all fil
+ Run a diff on the PREVIOUS_FILECONTEXT file to the currently installed one, and restore the context of all affected files.
+
+ .TP
++.B \-N time
++Only act on files created after the specified date. Date must be specified in
++"YYYY-MM-DD HH:MM" format. Date field will be passed to find --newermt command.
++
++.TP
+ .B -v
+ Modify verbosity from progress to verbose. (Run restorecon with -v instead of -p)
+
+diff -up policycoreutils-2.1.14/scripts/fixfiles.f20 policycoreutils-2.1.14/scripts/fixfiles
+--- policycoreutils-2.1.14/scripts/fixfiles.f20 2013-09-04 08:36:31.997537866 -0400
++++ policycoreutils-2.1.14/scripts/fixfiles 2013-09-04 08:36:37.394559233 -0400
+@@ -115,7 +115,6 @@ exclude_dirs() {
+ #
+ fullFlag=0
+ BOOTTIME=""
+-FORCEFLAG=""
+ VERBOSE="-p"
+ FORCEFLAG=""
+ DIRS=""
+@@ -152,7 +151,7 @@ fi
+ newer() {
+ DATE=$1
+ for m in `echo $FILESYSTEMSRW`; do
+- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${VERBOSE} -i -0 -f -
++ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f -
+ done;
+
+ }
+@@ -215,6 +214,9 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}
+ # if called with -n will only check file context
+ #
+ restore () {
++OPTION=$1
++shift
++
+ if [ ! -z "$PREFC" ]; then
+ diff_filecontext $*
+ exit $?
+@@ -253,11 +255,15 @@ then
+ FC=$TEMPFCFILE
+ fi
+ if [ -n "${FILESYSTEMSRW}" ]; then
+- echo "Relabeling `echo ${FILESYSTEMSRW}`"
++ echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+ ${SETFILES} ${VERBOSE} $exclude_dirs -q ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 | cat >> $LOGFILE
+ else
+ echo >&2 "fixfiles: No suitable file systems found"
+ fi
++if [ ${OPTION} .ne "Relabel" ]; then
++ return
++fi
++echo "Cleaning up labels on /tmp"
+ rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+
+ UNDEFINED=`get_undefined_type` || exit $?
+@@ -266,7 +272,7 @@ find /tmp \( -context "*:${UNLABELED}*"
+ find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \;
+ find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \;
+ find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \;
+-[ -e /var/lib/debug ] && find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
++[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \;
+ exit $?
+ }
+
+@@ -274,12 +280,12 @@ fullrelabel() {
+ logit "Cleaning out /tmp"
+ find /tmp/ -mindepth 1 -delete
+ LogReadOnly
+- restore
++ restore Relabel
+ }
+
+ relabel() {
+ if [ ! -z "$RPMFILES" ]; then
+- restore
++ restore Relabel
+ fi
+
+ if [ $fullFlag == 1 ]; then
+@@ -296,7 +302,7 @@ relabel() {
+ if [ "$answer" = y -o "$answer" = Y ]; then
+ fullrelabel
+ else
+- restore
++ restore Relabel
+ fi
+ }
+
+@@ -305,9 +311,9 @@ process() {
+ # Make sure they specified one of the three valid commands
+ #
+ case "$1" in
+- restore) restore;;
+- check) restore -n -v;;
+- verify) restore -n -o -;;
++ restore) restore Relabel;;
++ check) restore Check -n -v;;
++ verify) restore Verify -n -o -;;
+ relabel) relabel;;
+ onboot)
+ > /.autorelabel
+@@ -324,13 +330,13 @@ esac
+ }
+ usage() {
+ echo $"""
+-Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
++Usage: $0 [-v] [-F] [-N time ] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
+ or
+-Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
++Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
+ or
+-Usage: $0 [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
++Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+ or
+-Usage: $0 onboot
++Usage: $0 [-F] [-B] onboot
+ """
+ }
+
+@@ -344,7 +350,6 @@ while getopts "N:BC:FfR:l:v" i; do
+ case "$i" in
+ B)
+ BOOTTIME=`/bin/who -b | awk '{print $3}'`
+- echo $BOOTTIME
+ ;;
+ f)
+ fullFlag=1
diff -up policycoreutils-2.1.14/semanage/seobject.py.f20 policycoreutils-2.1.14/semanage/seobject.py
---- policycoreutils-2.1.14/semanage/seobject.py.f20 2013-06-21 07:51:45.454499992 -0400
-+++ policycoreutils-2.1.14/semanage/seobject.py 2013-06-21 07:52:59.309899228 -0400
-@@ -88,7 +88,7 @@ except:
- self.log_list=[]
-
- def log(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):
-- message = " %s name=%s" % (msg, name)
-+ message += " %s name=%s" % (msg, name)
- if sename != "":
- message += " sename=" + sename
- if oldsename != "":
+--- policycoreutils-2.1.14/semanage/seobject.py.f20 2013-08-28 11:15:52.062176243 -0400
++++ policycoreutils-2.1.14/semanage/seobject.py 2013-08-28 16:03:36.499121361 -0400
@@ -376,7 +376,7 @@ class permissiveRecords(semanageRecords)
try:
import sepolgen.module as module
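Review bot: In the fixfiles `restore()` section of this hunk, the new guard `if [ ${OPTION} .ne "Relabel" ]; then` uses `.ne`, which is not a `test` operator, so `[` exits with an error status and the `return` is never taken. As a result `check` and `verify` (which pass `-n`) still fall through to `rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE` and the `chcon --reference` passes on /tmp, /var/tmp and /var/run, which a report-only mode should not perform. The comparison should be a quoted string test, `if [ "${OPTION}" != "Relabel" ]; then`. Separately, `newer()` expands `$DATE` unquoted while the man page text added here documents `-N` as "YYYY-MM-DD HH:MM"; a value containing a space would be split into two `find` arguments, so `-newermt "$DATE"` is safer, provided the caller (outside this hunk) quotes it as well.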
@@ -6985,8 +7139,8 @@ diff -up policycoreutils-2.1.14/semanage/seobject.py.f20 policycoreutils-2.1.14/
def list(self, heading = True, locallist = False, use_file = False):
diff -up policycoreutils-2.1.14/semodule/genhomedircon.8.f20 policycoreutils-2.1.14/semodule/genhomedircon.8
---- policycoreutils-2.1.14/semodule/genhomedircon.8.f20 2013-06-21 07:55:09.826604744 -0400
-+++ policycoreutils-2.1.14/semodule/genhomedircon.8 2013-06-21 07:55:22.620673910 -0400
+--- policycoreutils-2.1.14/semodule/genhomedircon.8.f20 2013-08-28 11:15:52.062176243 -0400
++++ policycoreutils-2.1.14/semodule/genhomedircon.8 2013-08-28 11:15:52.083176410 -0400
@@ -1,7 +1,7 @@
.TH GENHOMEDIRCON "8" "Sep 2011" "Security Enhanced Linux" "SELinux"
.SH NAME
@@ -6996,21 +7150,95 @@ diff -up policycoreutils-2.1.14/semodule/genhomedircon.8.f20 policycoreutils-2.1
.B genhomedircon
is a script that executes
.B semodule
-diff -up policycoreutils-2.1.14/sepolicy/sepolicy/generate.py.f20 policycoreutils-2.1.14/sepolicy/sepolicy/generate.py
---- policycoreutils-2.1.14/sepolicy/sepolicy/generate.py.f20 2013-06-21 07:49:39.234817647 -0400
-+++ policycoreutils-2.1.14/sepolicy/sepolicy/generate.py 2013-06-21 07:50:02.180941703 -0400
-@@ -751,7 +751,7 @@ allow %s_t %s_t:%s_socket name_%s;
+diff -up policycoreutils-2.1.14/sepolicy/sepolicy.py.f20 policycoreutils-2.1.14/sepolicy/sepolicy.py
+--- policycoreutils-2.1.14/sepolicy/sepolicy.py.f20 2013-08-28 11:15:52.064176259 -0400
++++ policycoreutils-2.1.14/sepolicy/sepolicy.py 2013-08-28 11:15:52.084176417 -0400
+@@ -40,7 +40,7 @@ except IOError:
+ __builtin__.__dict__['_'] = unicode
- return newte
+ usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
+-usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
++usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('[-r TRANSITION_ROLE ]',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
-- if self.type == RUSER or self.type == AUSER:
-+ if self.type == RUSER:
- newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
+ class CheckPath(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+@@ -174,6 +174,17 @@ class CheckUser(argparse.Action):
+ newval.append(value)
+ setattr(namespace, self.dest, newval)
- for app in self.admin_domains:
++class CheckRole(argparse.Action):
++ def __call__(self, parser, namespace, value, option_string=None):
++ newval = getattr(namespace, self.dest)
++ if not newval:
++ newval = []
++ roles = sepolicy.get_all_roles()
++ if value not in roles:
++ raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (value, ", ".join(roles)))
++ newval.append(value[:-2])
++ setattr(namespace, self.dest, newval)
++
+ class InterfaceInfo(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ from sepolicy.interface import get_interface_dict
+@@ -196,14 +207,31 @@ def generate_custom_usage(usage_text,usa
+
+ return usage_text
+
++def numcmp(val1,val2):
++ try:
++ v1 = int(val1.split(",")[0].split("-")[0])
++ v2 = int(val2.split(",")[0].split("-")[0])
++ if v1 > v2:
++ return 1
++ if v1 == v2:
++ return 0
++ if v1 < v2:
++ return -1
++ except:
++ return cmp(val1,val2)
++
+ def _print_net(src, protocol, perm):
+ import sepolicy.network
+ portdict = sepolicy.network.get_network_connect(src, protocol, perm)
+ if len(portdict) > 0:
+ print "%s: %s %s" % (src, protocol, perm)
++ port_strings=[]
+ for p in portdict:
+- for recs in portdict[p]:
+- print "\t" + recs
++ for t, recs in portdict[p]:
++ port_strings.append(", ".join(recs))
++ port_strings.sort(numcmp)
++ for p in port_strings:
++ print "\t" + p
+
+ def network(args):
+ portrecs, portrecsbynum = sepolicy.gen_port_dict()
+@@ -438,6 +466,7 @@ def generate(args):
+ mypolicy.add_file(p)
+
+ mypolicy.set_transition_users(args.user)
++ mypolicy.set_admin_roles(args.role)
+ mypolicy.set_admin_domains(args.admin_domain)
+ mypolicy.set_existing_domains(args.domain)
+
+@@ -484,9 +513,12 @@ def gen_generate_args(parser):
+ pol.add_argument("-u", "--user", dest="user", default=[],
+ action=CheckUser,
+ help=_("Enter SELinux user(s) which will transition to this domain"))
++ pol.add_argument("-r", "--role", dest="role", default=[],
++ action=CheckRole,
++ help=_("Enter SELinux role(s) to which the administror domain will transition"))
+ pol.add_argument("-a", "--admin", dest="admin_domain",default=[],
+ action=CheckAdmin,
+- help=_("Enter domain(s) that this confined admin will administrate"))
++ help=_("Enter domain(s) which this confined admin will administrate"))
+ pol.add_argument("-n", "--name", dest="name",
+ default=None,
+ help=_("name of policy to generate"))
diff -up policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py.f20 policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py
---- policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py.f20 2013-06-21 07:49:23.556732881 -0400
-+++ policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py 2013-06-21 17:08:46.257133137 -0400
+--- policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py.f20 2013-08-28 11:15:52.064176259 -0400
++++ policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py 2013-08-28 11:15:52.083176410 -0400
@@ -61,6 +61,62 @@ def search(types, info = {} ):
dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
return dict_list
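Review bot: `CheckRole.__call__` in the added sepolicy.py section strips the last two characters with `newval.append(value[:-2])` after checking only that `value` is in `sepolicy.get_all_roles()`; nothing visible guarantees every role name ends in `_r`, so a role named otherwise would be silently truncated before it reaches `set_admin_roles`. Checking the suffix first, e.g. `if not value.endswith("_r"): parser.error("%s is not a valid role name" % value)`, keeps the stored name predictable. The same action reports an unknown role with `raise ValueError(...)`, which argparse does not turn into a usage error when raised from an action, so the user probably sees a traceback; `parser.error(...)` is the usual form, unless the sibling Check* actions outside this hunk raise deliberately. In `numcmp`, the bare `except:` also hides errors unrelated to parsing; `except ValueError:` is enough for the two `int()` calls.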
@@ -7192,9 +7420,21 @@ diff -up policycoreutils-2.1.14/sepolicy/sepolicy/__init__.py.f20 policycoreutil
booleans = None
def get_all_booleans():
global booleans
+diff -up policycoreutils-2.1.14/sepolicy/sepolicy/generate.py.f20 policycoreutils-2.1.14/sepolicy/sepolicy/generate.py
+--- policycoreutils-2.1.14/sepolicy/sepolicy/generate.py.f20 2013-08-28 11:15:52.065176267 -0400
++++ policycoreutils-2.1.14/sepolicy/sepolicy/generate.py 2013-08-28 11:15:52.083176410 -0400
+@@ -751,7 +751,7 @@ allow %s_t %s_t:%s_socket name_%s;
+
+ return newte
+
+- if self.type == RUSER or self.type == AUSER:
++ if self.type == RUSER:
+ newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
+
+ for app in self.admin_domains:
diff -up policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py.f20 policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py
---- policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py.f20 2013-06-21 07:49:57.346915569 -0400
-+++ policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py 2013-06-21 17:08:27.155986171 -0400
+--- policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py.f20 2013-08-28 11:15:52.065176267 -0400
++++ policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py 2013-08-28 11:15:52.083176410 -0400
@@ -114,39 +114,6 @@ def gen_domains():
domains.sort()
return domains
@@ -7355,8 +7595,8 @@ diff -up policycoreutils-2.1.14/sepolicy/sepolicy/manpage.py.f20 policycoreutils
def _home_exec(self):
permlist = sepolicy.search([sepolicy.ALLOW],{'source':self.type,'target':'user_home_type', 'class':'file', 'permlist':['ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open']})
diff -up policycoreutils-2.1.14/sepolicy/sepolicy/network.py.f20 policycoreutils-2.1.14/sepolicy/sepolicy/network.py
---- policycoreutils-2.1.14/sepolicy/sepolicy/network.py.f20 2013-06-21 07:50:19.219033821 -0400
-+++ policycoreutils-2.1.14/sepolicy/sepolicy/network.py 2013-06-21 07:50:24.899064524 -0400
+--- policycoreutils-2.1.14/sepolicy/sepolicy/network.py.f20 2013-08-28 11:15:52.065176267 -0400
++++ policycoreutils-2.1.14/sepolicy/sepolicy/network.py 2013-08-28 11:15:52.084176417 -0400
@@ -41,7 +41,7 @@ def get_network_connect(src, protocol, p
tlist = get_types(src, "%s_socket" % protocol, [perm])
if len(tlist) > 0:
@@ -7388,89 +7628,103 @@ diff -up policycoreutils-2.1.14/sepolicy/sepolicy/network.py.f20 policycoreutils
except KeyError:
pass
return d
-diff -up policycoreutils-2.1.14/sepolicy/sepolicy.py.f20 policycoreutils-2.1.14/sepolicy/sepolicy.py
---- policycoreutils-2.1.14/sepolicy/sepolicy.py.f20 2013-06-21 07:49:23.555732875 -0400
-+++ policycoreutils-2.1.14/sepolicy/sepolicy.py 2013-06-21 17:08:10.999861863 -0400
-@@ -40,7 +40,7 @@ except IOError:
- __builtin__.__dict__['_'] = unicode
+diff -up policycoreutils-2.1.14/setsebool/setsebool.8.f20 policycoreutils-2.1.14/setsebool/setsebool.8
+--- policycoreutils-2.1.14/setsebool/setsebool.8.f20 2013-09-04 08:38:22.984977317 -0400
++++ policycoreutils-2.1.14/setsebool/setsebool.8 2013-09-04 08:38:36.948032606 -0400
+@@ -4,7 +4,7 @@ setsebool \- set SELinux boolean value
- usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
--usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
-+usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('[-r TRANSITION_ROLE ]',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
+ .SH "SYNOPSIS"
+ .B setsebool
+-.I "[ \-PN ] boolean value | bool1=val1 bool2=val2 ..."
++.I "[ \-PNV ] boolean value | bool1=val1 bool2=val2 ..."
- class CheckPath(argparse.Action):
- def __call__(self, parser, namespace, values, option_string=None):
-@@ -174,6 +174,17 @@ class CheckUser(argparse.Action):
- newval.append(value)
- setattr(namespace, self.dest, newval)
+ .SH "DESCRIPTION"
+ .B setsebool
+@@ -20,10 +20,12 @@ the policy file on disk. So they will be
-+class CheckRole(argparse.Action):
-+ def __call__(self, parser, namespace, value, option_string=None):
-+ newval = getattr(namespace, self.dest)
-+ if not newval:
-+ newval = []
-+ roles = sepolicy.get_all_roles()
-+ if value not in roles:
-+ raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (value, ", ".join(roles)))
-+ newval.append(value[:-2])
-+ setattr(namespace, self.dest, newval)
-+
- class InterfaceInfo(argparse.Action):
- def __call__(self, parser, namespace, values, option_string=None):
- from sepolicy.interface import get_interface_dict
-@@ -196,14 +207,31 @@ def generate_custom_usage(usage_text,usa
+ If the \-N option is given, the policy on disk is not reloaded into the kernel.
- return usage_text
-
-+def numcmp(val1,val2):
-+ try:
-+ v1 = int(val1.split(",")[0].split("-")[0])
-+ v2 = int(val2.split(",")[0].split("-")[0])
-+ if v1 > v2:
-+ return 1
-+ if v1 == v2:
-+ return 0
-+ if v1 < v2:
-+ return -1
-+ except:
-+ return cmp(val1,val2)
++If the \-V option is given, verbose error messages will be printed from semanage libraries.
+
- def _print_net(src, protocol, perm):
- import sepolicy.network
- portdict = sepolicy.network.get_network_connect(src, protocol, perm)
- if len(portdict) > 0:
- print "%s: %s %s" % (src, protocol, perm)
-+ port_strings=[]
- for p in portdict:
-- for recs in portdict[p]:
-- print "\t" + recs
-+ for t, recs in portdict[p]:
-+ port_strings.append(", ".join(recs))
-+ port_strings.sort(numcmp)
-+ for p in port_strings:
-+ print "\t" + p
-
- def network(args):
- portrecs, portrecsbynum = sepolicy.gen_port_dict()
-@@ -438,6 +466,7 @@ def generate(args):
- mypolicy.add_file(p)
- mypolicy.set_transition_users(args.user)
-+ mypolicy.set_admin_roles(args.role)
- mypolicy.set_admin_domains(args.admin_domain)
- mypolicy.set_existing_domains(args.domain)
+ .SH AUTHOR
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+ The program was written by Tresys Technology.
+
+ .SH "SEE ALSO"
+-getsebool(8), booleans(8), togglesebool(8)
++getsebool(8), booleans(8), togglesebool(8), semanage(8)
+diff -up policycoreutils-2.1.14/setsebool/setsebool.c.f20 policycoreutils-2.1.14/setsebool/setsebool.c
+--- policycoreutils-2.1.14/setsebool/setsebool.c.f20 2013-09-04 08:38:05.805909297 -0400
++++ policycoreutils-2.1.14/setsebool/setsebool.c 2013-09-04 08:38:13.856941184 -0400
+@@ -10,6 +10,7 @@
+ #include <pwd.h>
+ #include <selinux/selinux.h>
+ #include <semanage/handle.h>
++#include <semanage/debug.h>
+ #include <semanage/booleans_local.h>
+ #include <semanage/booleans_active.h>
+ #include <semanage/boolean_record.h>
+@@ -17,13 +18,14 @@
+
+ int permanent = 0;
+ int reload = 1;
++int verbose = 0;
+
+ int setbool(char **list, size_t start, size_t end);
+
+ void usage(void)
+ {
+ fputs
+- ("\nUsage: setsebool [ -NP ] boolean value | bool1=val1 bool2=val2...\n\n",
++ ("\nUsage: setsebool [ -NPV ] boolean value | bool1=val1 bool2=val2...\n\n",
+ stderr);
+ exit(1);
+ }
+@@ -41,7 +43,7 @@ int main(int argc, char **argv)
+ }
+
+ while (1) {
+- clflag = getopt(argc, argv, "PN");
++ clflag = getopt(argc, argv, "PNV");
+ if (clflag == -1)
+ break;
+
+@@ -52,6 +54,9 @@ int main(int argc, char **argv)
+ case 'N':
+ reload = 0;
+ break;
++ case 'V':
++ verbose = 1;
++ break;
+ default:
+ usage();
+ break;
+@@ -130,6 +135,10 @@ static int semanage_set_boolean_list(siz
+ goto err;
+ }
+
++ if (! verbose) {
++ semanage_msg_set_callback(handle,NULL, NULL);
++ }
++
+ managed = semanage_is_managed(handle);
+ if (managed < 0) {
+ fprintf(stderr,
+@@ -172,7 +181,7 @@ static int semanage_set_boolean_list(siz
+ goto err;
+
+ if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
+- fprintf(stderr, "Could not change boolean %s\n",
++ fprintf(stderr, "Failed to change boolean %s: %m\n",
+ boollist[j].name);
+ goto err;
+ }
+@@ -194,7 +203,6 @@ static int semanage_set_boolean_list(siz
+ semanage_bool_key_free(bool_key);
+ semanage_bool_free(boolean);
+ semanage_handle_destroy(handle);
+- fprintf(stderr, "Could not change policy booleans\n");
+ return -1;
+ }
-@@ -484,9 +513,12 @@ def gen_generate_args(parser):
- pol.add_argument("-u", "--user", dest="user", default=[],
- action=CheckUser,
- help=_("Enter SELinux user(s) which will transition to this domain"))
-+ pol.add_argument("-r", "--role", dest="role", default=[],
-+ action=CheckRole,
-+ help=_("Enter SELinux role(s) to which the administror domain will transition"))
- pol.add_argument("-a", "--admin", dest="admin_domain",default=[],
- action=CheckAdmin,
-- help=_("Enter domain(s) that this confined admin will administrate"))
-+ help=_("Enter domain(s) which this confined admin will administrate"))
- pol.add_argument("-n", "--name", dest="name",
- default=None,
- help=_("name of policy to generate"))
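Review bot: With `fprintf(stderr, "Could not change policy booleans\n");` removed from the error exit of `semanage_set_boolean_list` and the libsemanage message callback cleared by `semanage_msg_set_callback(handle,NULL, NULL);` whenever `-V` is absent, any failure that reaches the error path through a bare `goto err;` (one is visible just above the `semanage_bool_set_active` check) now returns -1 without printing anything, unless the caller outside this hunk reports it. A boolean change that fails silently is easy to miss in scripts and provisioning runs, so either keep a short message on the error exit or make sure every `goto err` site prints its own. The new `"Failed to change boolean %s: %m\n"` also depends on `errno`, which libsemanage may not set on this path, so `%m` (a glibc extension) can print a stale or "Success" string; consider saving `errno` immediately after the call and printing it only when non-zero. The function body starts and ends outside the hunk.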
diff --git a/policycoreutils.spec b/policycoreutils.spec
index d52ae28..7556955 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
-Release: 46.4%{?dist}
+Release: 46.5%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -311,8 +311,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
-* Fri Jun 21 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-46.5
+* Wed Set 4 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-46.5
- Move audit2allow back into policycoreutils-python package
+- Fix semanage logging to syslog
+- Fix setsebool error handling
+- Fix fixfiles scripts to work as documentet
* Fri Jun 21 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-46.4
- Fix generation of booleans in man pages