[policycoreutils/f20] Fix semanage man page description of import command
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Dec 16 18:31:37 UTC 2013
commit 5a07a81733f7879d1470c1462b75ac7bb3fbb08c
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Dec 16 13:31:42 2013 -0500
Fix semanage man page description of import command
- Fix policy kit file to allow changing to permissive mode
policycoreutils-rhat.patch | 205 +++++++++++++-------------------------------
policycoreutils.spec | 32 ++++++-
sources | 2 +-
3 files changed, 87 insertions(+), 152 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 0937df8..bc33423 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -253789,12 +253789,25 @@ index 36b41cd..c46c9e5 100644
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
sys.exit(1)
+diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
+index cba2c9c..fd27cf2 100644
+--- a/policycoreutils/semanage/semanage.8
++++ b/policycoreutils/semanage/semanage.8
+@@ -8,7 +8,7 @@ semanage \- SELinux Policy Management tool
+ .B positional arguments:
+
+ .B import
+-Output local customizations
++Import local customizations
+
+ .B export
+ Output local customizations
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
deleted file mode 100644
-index b3018f3..0000000
+index 00b085e..0000000
--- a/policycoreutils/semanage/seobject.py
+++ /dev/null
-@@ -1,2223 +0,0 @@
+@@ -1,2217 +0,0 @@
-#! /usr/bin/python -Es
-# Copyright (C) 2005-2013 Red Hat
-# see file 'COPYING' for use and warranty information
@@ -255585,15 +255598,9 @@ index b3018f3..0000000
- raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'; Try adding '%s' instead") % (target, i, fdict[i], t))
-
-
-- def __add(self, target, type, ftype = "", serange = "s0", seuser = "system_u"):
+- def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
- self.validate(target)
-
-- if seuser == "":
-- seuser = "system_u"
--
-- if serange == "":
-- serange = "s0"
--
- if is_mls_enabled == 1:
- serange = untranslate(serange)
-
@@ -256020,7 +256027,7 @@ index b3018f3..0000000
- print "%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k))
diff --git a/policycoreutils/semanage/seobject/__init__.py b/policycoreutils/semanage/seobject/__init__.py
new file mode 100644
-index 0000000..5835ab1
+index 0000000..3a96810
--- /dev/null
+++ b/policycoreutils/semanage/seobject/__init__.py
@@ -0,0 +1,2243 @@
@@ -256443,7 +256450,7 @@ index 0000000..5835ab1
+ import glob
+ if setype not in sepolicy.get_all_domains():
+ raise ValueError(_("%s is not a domain type") % setype )
-+
++
+ try:
+ import sepolgen.module as module
+ except ImportError:
@@ -257839,12 +257846,12 @@ index 0000000..5835ab1
+ if seuser == "":
+ seuser = "system_u"
+
-+ if not serange:
-+ serange = "s0"
-+
+ if is_mls_enabled == 1:
+ serange = untranslate(serange)
+
++ if not serange:
++ serange = "s0"
++
+ if type == "":
+ raise ValueError(_("SELinux Type is required"))
+
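Review bot: With the `s0` default moved below the MLS block, `untranslate(serange)` now receives an empty (or possibly None) range on MLS-enabled systems, and nothing in this hunk shows how `untranslate` treats that input. If the reorder is meant to keep the default out of translation, guarding the call makes that explicit: `if is_mls_enabled == 1 and serange:`. The two defaults also test differently (`seuser == ""` against `not serange`), so a None `seuser` would pass through without a default; `if not seuser:` would make them agree. A one-line comment saying why the default must follow translation would help, since the range ends up in the stored context. The enclosing function starts and ends outside the hunk.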
@@ -258981,99 +258988,22 @@ index cd1026a..ac44dfe 100644
+ PyModule_AddIntConstant(m, "CATS", CATS);
}
diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
-index c0a730c..44ae625 100644
+index 44ae625..4023bca 100644
--- a/policycoreutils/sepolicy/org.selinux.policy
+++ b/policycoreutils/sepolicy/org.selinux.policy
-@@ -11,8 +11,8 @@
- <description>SELinux write access</description>
- <message>System policy prevents restorecon access to SELinux</message>
- <defaults>
-- <allow_any>auth_admin_keep</allow_any>
-- <allow_inactive>auth_admin_keep</allow_inactive>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
- </defaults>
- </action>
-@@ -20,8 +20,8 @@
- <description>SELinux write access</description>
- <message>System policy prevents setenforce access to SELinux</message>
- <defaults>
-- <allow_any>auth_admin_keep</allow_any>
-- <allow_inactive>auth_admin_keep</allow_inactive>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
- </defaults>
- </action>
-@@ -29,8 +29,8 @@
- <description>SELinux write access</description>
- <message>System policy prevents semanage access to SELinux</message>
- <defaults>
-- <allow_any>auth_admin_keep</allow_any>
-- <allow_inactive>auth_admin_keep</allow_inactive>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
- </defaults>
- </action>
-@@ -38,8 +38,8 @@
- <description>SELinux Read access</description>
- <message>System policy prevents read access to SELinux</message>
- <defaults>
-- <allow_any>yes</allow_any>
-- <allow_inactive>yes</allow_inactive>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-@@ -47,8 +47,8 @@
- <description>SELinux list modules access</description>
- <message>System policy prevents read access to SELinux modules</message>
- <defaults>
-- <allow_any>yes</allow_any>
-- <allow_inactive>yes</allow_inactive>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
- <allow_active>yes</allow_active>
- </defaults>
- </action>
-@@ -56,25 +56,27 @@
- <description>SELinux write access</description>
- <message>System policy prevents relabel_on_boot access to SELinux</message>
- <defaults>
-- <allow_any>yes</allow_any>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
-+ <allow_active>auth_admin_keep</allow_active>
- </defaults>
- </action>
- <action id="org.selinux.change_default_policy">
- <description>SELinux write access</description>
- <message>System policy prevents change_default_policy access to SELinux</message>
- <defaults>
-- <allow_any>auth_admin_keep</allow_any>
-- <allow_inactive>auth_admin_keep</allow_inactive>
-- <allow_active>auth_admin_keep</allow_active>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
-+ <allow_active>auth_admin_keep</allow_active>
+@@ -70,9 +70,9 @@
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
- <action id="org.selinux.change_policy_type">
- <description>SELinux write access</description>
- <message>System policy prevents change_policy_type access to SELinux</message>
+- <action id="org.selinux.change_policy_type">
+- <description>SELinux write access</description>
+- <message>System policy prevents change_policy_type access to SELinux</message>
++ <action id="org.selinux.change_default_mode">
++ <description>Change SELinux default enforcing mode</description>
++ <message>System policy prevents change_default_policy access to SELinux</message>
<defaults>
-- <allow_any>auth_admin_keep</allow_any>
-- <allow_inactive>auth_admin_keep</allow_inactive>
-- <allow_active>auth_admin_keep</allow_active>
-+ <allow_any>no</allow_any>
-+ <allow_inactive>no</allow_inactive>
-+ <allow_active>auth_admin_keep</allow_active>
- </defaults>
- </action>
- </policyconfig>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 2a9e1c7..365e622 100644
--- a/policycoreutils/sepolicy/policy.c
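Review bot: The renamed action `org.selinux.change_default_mode` keeps the message `System policy prevents change_default_policy access to SELinux`, which names a different action. Polkit shows this text when asking for authorization, so an admin approving a change of enforcing mode would be told it concerns the policy type. It should read `<message>System policy prevents change_default_mode access to SELinux</message>`. The id `org.selinux.change_policy_type` is no longer defined after this change, so it is worth confirming that no `require_auth` decorator or client still refers to it; the decorators visible on this page use `change_default_mode` and `change_default_policy`. The `<defaults>` block for this action continues outside the hunk.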
@@ -259309,7 +259239,7 @@ index 458a4d2..b6088af 100644
+ except dbus.DBusException as e:
+ print(e)
diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py
-index 98dbff4..3cfdc94 100644
+index e94c38f..3cfdc94 100644
--- a/policycoreutils/sepolicy/selinux_server.py
+++ b/policycoreutils/sepolicy/selinux_server.py
@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object):
@@ -259334,7 +259264,7 @@ index 98dbff4..3cfdc94 100644
# another server to make the two systems have duplicate policy.
#
@slip.dbus.polkit.require_auth("org.selinux.customized")
-@@ -42,12 +42,12 @@ class selinux_server(slip.dbus.service.Object):
+@@ -42,7 +42,7 @@ class selinux_server(slip.dbus.service.Object):
if p.returncode and p.returncode != 0:
raise OSError("Failed to read SELinux configuration: %s", output)
return buf
@@ -259343,13 +259273,7 @@ index 98dbff4..3cfdc94 100644
#
# The semodule_list method will return the output of semodule -l, using the customized polkit,
# since this is a readonly behaviour
- #
-- @slip.dbus.polkit.require_auth("org.selinux.customized")
-+ @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def semodule_list(self):
- p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE)
-@@ -56,10 +56,11 @@ class selinux_server(slip.dbus.service.Object):
+@@ -56,7 +56,7 @@ class selinux_server(slip.dbus.service.Object):
if p.returncode and p.returncode != 0:
raise OSError("Failed to list SELinux modules: %s", output)
return buf
@@ -259358,27 +259282,7 @@ index 98dbff4..3cfdc94 100644
#
# The restorecon method modifies any file path to the default system label
#
-+ @slip.dbus.polkit.require_auth("org.selinux.restorecon")
- @dbus.service.method("org.selinux", in_signature='s')
- def restorecon(self, path):
- selinux.restorecon(str(path), recursive=1)
-@@ -67,6 +68,7 @@ class selinux_server(slip.dbus.service.Object):
- #
- # The setenforce method turns off the current enforcement of SELinux
- #
-+ @slip.dbus.polkit.require_auth("org.selinux.setenforce")
- @dbus.service.method("org.selinux", in_signature='i')
- def setenforce(self, value):
- selinux.security_setenforce(value)
-@@ -74,6 +76,7 @@ class selinux_server(slip.dbus.service.Object):
- #
- # The setenforce method turns off the current enforcement of SELinux
- #
-+ @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
- @dbus.service.method("org.selinux", in_signature='i')
- def relabel_on_boot(self, value):
- if value == 1:
-@@ -83,7 +86,7 @@ class selinux_server(slip.dbus.service.Object):
+@@ -86,7 +86,7 @@ class selinux_server(slip.dbus.service.Object):
os.unlink("/.autorelabel")
def write_selinux_config(self, enforcing=None, policy=None):
@@ -259387,17 +259291,16 @@ index 98dbff4..3cfdc94 100644
backup_path = path + ".bck"
fd = open(path)
lines = fd.readlines()
-@@ -101,26 +104,28 @@ class selinux_server(slip.dbus.service.Object):
+@@ -104,7 +104,7 @@ class selinux_server(slip.dbus.service.Object):
os.rename(backup_path, path)
#
- # The change_default_enforcement modifies the current enforcement mode
+ # The change_default_enforcement modifies the current enforcement mode
#
-+ @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
+ @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
@dbus.service.method("org.selinux", in_signature='s')
- def change_default_mode(self, value):
- values = [ "enforcing", "permissive", "disabled" ]
+@@ -113,7 +113,7 @@ class selinux_server(slip.dbus.service.Object):
if value not in values:
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
self.write_selinux_config(enforcing=value)
@@ -259406,11 +259309,7 @@ index 98dbff4..3cfdc94 100644
#
# The change_default_policy method modifies the policy type
- #
-+ @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_policy(self, value):
- path = selinux.selinux_path() + value
+@@ -125,7 +125,7 @@ class selinux_server(slip.dbus.service.Object):
if os.path.isdir(path):
return self.write_selinux_config(policy=value)
raise ValueError("%s does not exist" % path)
@@ -261362,7 +261261,7 @@ index 6b53035..32ea970 100644
out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file"))
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
-index 0123e6c..ac3e513 100644
+index 94ddb72..ac3e513 100644
--- a/policycoreutils/sepolicy/sepolicy/gui.py
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
@@ -47,12 +47,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
@@ -261844,13 +261743,11 @@ index 0123e6c..ac3e513 100644
self.dbus.setenforce(button.get_active())
self.set_enforce_text(button.get_active())
-@@ -2727,8 +2681,8 @@ class SELinuxGui():
- if not active and not exists:
+@@ -2728,7 +2682,7 @@ class SELinuxGui():
return
try:
-- self.dbus.relabel_on_boots(active)
+ self.dbus.relabel_on_boot(active)
- except dbus.exceptions.DBusException, e:
-+ self.dbus.relabel_on_boot(active)
+ except dbus.exceptions.DBusException as e:
self.error(e)
@@ -263713,7 +263610,7 @@ index 1275c7f..e3137db 100644
<signal name="row-activated" handler="on_advanced_search_treeview_row_activated" swapped="no"/>
<child internal-child="selection">
diff --git a/policycoreutils/sepolicy/sepolicy/templates/executable.py b/policycoreutils/sepolicy/sepolicy/templates/executable.py
-index 4b9534d..0db6b9c 100644
+index 4b9534d..4cc5bfa 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/executable.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/executable.py
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
@@ -263724,6 +263621,20 @@ index 4b9534d..0db6b9c 100644
permissive TEMPLATETYPE_t;
"""
+@@ -418,8 +419,12 @@ interface(`TEMPLATETYPE_admin',`
+ if_middle_admin="""
+ ')
+
+- allow $1 TEMPLATETYPE_t:process { ptrace signal_perms };
++ allow $1 TEMPLATETYPE_t:process { signal_perms };
+ ps_process_pattern($1, TEMPLATETYPE_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 TEMPLATETYPE_t:process ptrace;
++ ')
+ """
+
+ if_initscript_admin_types="""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
index 16a2208..d8ee42f 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py
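Review bot: The `tunable_policy` call added to `if_middle_admin` has an empty first branch and puts the `ptrace` rule in the second, which is easy to misread as granting ptrace when `deny_ptrace` is on. This text is copied into every generated admin interface, so a policy comment above the call would travel with it, for example `# ptrace is allowed only while the deny_ptrace boolean is off`. Only this template string is visible here, so it would also be worth checking whether other templates in `executable.py` still grant `ptrace` unconditionally next to `signal_perms`.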
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 39f3dea..a93006e 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -6,8 +6,8 @@
Summary: SELinux policy core utilities
Name: policycoreutils
-Version: 2.2.2
-Release: 3%{?dist}
+Version: 2.2.4
+Release: 5%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -347,8 +347,32 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
-* Mon Dec 2 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.2-3
-- Mv sepolicy help files to gui
+* Mon Dec 16 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.4-5
+- Fix semanage man page description of import command
+- Fix policy kit file to allow changing to permissive mode
+
+* Mon Dec 16 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.4-4
+- Fix broken dependencies.
+
+* Fri Dec 13 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.4-3
+- Break out python3 code into separate package
+
+* Fri Dec 6 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.4-2
+- Add mgrepl patch
+- ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
+
+* Tue Dec 3 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.4-1
+- Update to upstream
+ * Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
+- Add patches for sepolicy gui from mgrepl to
+ Fix advanced_item_button_push() to allow to select an application in advanced search menu
+ Fix previously_modified_initialize() to show modified changes properly for all selections
+
+* Fri Nov 22 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.3-1
+- Update to upstream
+ * Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
+ * Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
+- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
* Wed Nov 20 2013 Dan Walsh <dwalsh at redhat.com> - 2.2.2-2
- Fix selinux-polgengui, get_all_modules call
diff --git a/sources b/sources
index de5e882..05a0617 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
-332411668be7367aa74257048ac762d6 policycoreutils-2.2.2.tgz
e9134b52e6620c14cbce9234a6b67b20 sepolgen-1.2.1.tgz
+afa39d869ec981f199fd8db0725a4715 policycoreutils-2.2.4.tgz