diff --git a/fix-fixfiles-N-date-function-two.patch b/fix-fixfiles-N-date-function-two.patch
deleted file mode 100644
index 6bfcf425fece7fd29b79d7c5c4697773188c62d4..0000000000000000000000000000000000000000
--- a/fix-fixfiles-N-date-function-two.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From bb3c1505cffc35e1ea310605f0bb9266d52b36b0 Mon Sep 17 00:00:00 2001
-From: gulining
-Date: Mon, 8 Jul 2019 11:50:39 +0800
-Subject: [PATCH] fix fixfiles -N date function
-
-reason: fix fixfiles -N date function
-
-Signed-off-by: gulining
----
- policycoreutils-2.8/scripts/fixfiles | 2 +-
- 1 file changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
-index 48897c3..be51913 100755
---- a/policycoreutils-2.8/scripts/fixfiles
-+++ b/policycoreutils-2.8/scripts/fixfiles
-@@ -152,7 +152,7 @@ newer() {
- shift
- LogReadOnly
- for m in `echo $FILESYSTEMSRW`; do
-- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
-+ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
- done;
- }
-
diff --git a/fix-fixfiles-N-date-function.patch b/fix-fixfiles-N-date-function.patch
deleted file mode 100644
index 62c6c0978363948580887b03f6e572a678b7d696..0000000000000000000000000000000000000000
--- a/fix-fixfiles-N-date-function.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 859bba9dd82ea6fb101ae9686c98a811e3bf98b3 Mon Sep 17 00:00:00 2001
-From: gulining
-Date: Fri, 5 Jul 2019 16:19:32 +0800
-Subject: [PATCH] fix fixfiles -N date function
-
-reason: fix fixfiles -N date function
-
-Signed-off-by: gulining
----
- policycoreutils-2.8/scripts/fixfiles | 2 +-
- 1 file changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
-index 53d28c7..48897c3 100755
---- a/policycoreutils-2.8/scripts/fixfiles
-+++ b/policycoreutils-2.8/scripts/fixfiles
-@@ -148,7 +148,7 @@ done
- # Find files newer then the passed in date and fix the label
- #
- newer() {
-- DATE=$1
-+ DATE="$1 $2"
- shift
- LogReadOnly
- for m in `echo $FILESYSTEMSRW`; do
diff --git a/policycoreutils-2.8.tar.gz b/policycoreutils-2.8.tar.gz
deleted file mode 100644
index b9490ce5b54306d447c4647e550385d59c53ae41..0000000000000000000000000000000000000000
Binary files a/policycoreutils-2.8.tar.gz and /dev/null differ
diff --git a/policycoreutils-3.1.tar.gz b/policycoreutils-3.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..761ceb91b4a555698fdee318dc215d0e96ea8452
Binary files /dev/null and b/policycoreutils-3.1.tar.gz differ
diff --git a/policycoreutils-secon-free-scon_trans-before-returni.patch b/policycoreutils-secon-free-scon_trans-before-returni.patch
deleted file mode 100644
index ca0dc4151659963d8ff5406d83e2c51ffb6eb876..0000000000000000000000000000000000000000
--- a/policycoreutils-secon-free-scon_trans-before-returni.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From b614069e66eb0cd1d3f8d0c9d0a02db9a63aba0a Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Sun, 3 Jun 2018 18:25:40 +0200
-Subject: [PATCH 016/170] policycoreutils/secon: free scon_trans before
- returning
-
-disp_con() leaks scon_trans if it returns early.
-
-Signed-off-by: Nicolas Iooss
----
- policycoreutils/secon/secon.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
-index 60781394..477057a6 100644
---- a/policycoreutils-2.8/secon/secon.c
-+++ b/policycoreutils-2.8/secon/secon.c
-@@ -646,6 +646,7 @@ static void disp_con(security_context_t scon_raw)
- disp__con_val("clearance", NULL, &color);
- if (opts->disp_mlsr)
- disp__con_val("mls-range", NULL, &color);
-+ freecon(scon_trans);
- return;
- }
-
---
-2.19.1
-
diff --git a/policycoreutils.spec b/policycoreutils.spec
index ce97b1774a130ad93bc767b543c398a10a32b8d1..38ed2b7c53229bc9ef2348a5d8352b0739bd7d25 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -2,60 +2,35 @@ %bcond_with sandbox Name: policycoreutils -Version: 2.8 -Release: 14 +Version: 3.1 +Release: 1 Summary: Policy core utilities of selinux License: GPLv2 URL: https://github.com/SELinuxProject -Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz -Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-python-2.8.tar.gz -Source3: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-sandbox-2.8.tar.gz -Source4: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-dbus-2.8.tar.gz -Source5: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/semodule-utils-2.8.tar.gz -Source6: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/restorecond-2.8.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz +Source1: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz +Source3: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-sandbox-3.1.tar.gz +Source4: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-dbus-3.1.tar.gz +Source5: https://github.com/SELinuxProject/selinux/releases/download/20200710/semodule-utils-3.1.tar.gz +Source6: https://github.com/SELinuxProject/selinux/releases/download/20200710/restorecond-3.1.tar.gz Source7: selinux-autorelabel Source8: selinux-autorelabel.service Source9: selinux-autorelabel-mark.service Source10: selinux-autorelabel.target Source11: selinux-autorelabel-generator.sh -Patch0: python-sepolgen-fix-typo-in-PathChoooser-name.patch -Patch1: policycoreutils-secon-free-scon_trans-before-returni.patch -Patch2: python-sepolicy-fix-procotol-misspelling.patch -Patch3: restorecond-Do-not-ignore-the-f-option.patch 
-Patch4: python-sepolicy-Fix-info-to-search-aliases-as-well.patch -Patch5: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch -Patch6: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch -Patch7: python-chcat-use-check_call-instead-of-getstatusoutp.patch -Patch8: python-chcat-fix-removing-categories-on-users-with-F.patch -Patch9: python-sepolicy-search-also-for-dontaudit-rules.patch -Patch10: python-semanage-move-valid_types-initialisations-to-.patch -Patch11: python-sepolicy-Add-sepolicy.load_store_policy-store.patch -Patch12: python-semanage-Load-a-store-policy-and-set-the-stor.patch -Patch13: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch -Patch14: python-audit2allow-allow-using-audit2why-as-non-root.patch -Patch15: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch -Patch16: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch -Patch17: python-use-or-when-comparing-a-variable-with-a-strin.patch -Patch18: python-sepolicy-fix-variable-name.patch -Patch19: python-semanage-seobject-Fix-listing-boolean-values.patch -Patch20: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch -Patch21: fix-fixfiles-N-date-function.patch -Patch22: fix-fixfiles-N-date-function-two.patch - BuildRequires: pam-devel libsepol-static libsemanage-static libselinux-devel libcap-devel audit-libs-devel gettext BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python2-devel python3-devel libcap-ng-devel BuildRequires: systemd systemd-units Requires: libsepol libselinux-utils util-linux grep gawk diffutils rpm sed coreutils -Provides: %{name}-restorecond -Obsoletes: %{name}-restorecond -Provides: %{name}-newrole -Obsoletes: %{name}-newrole +Provides: %{name}-restorecond = %{version}-%{release} +Obsoletes: %{name}-restorecond < %{version}-%{release} +Provides: %{name}-newrole = %{version}-%{release} +Obsoletes: %{name}-newrole < %{version}-%{release} Provides: /sbin/fixfiles Provides: /sbin/restorecon - %description It contains the 
selinux policy core utilities 
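Review bot: The two downstream-only patches dropped here, `fix-fixfiles-N-date-function.patch` and `fix-fixfiles-N-date-function-two.patch` (old Patch21/Patch22), carry no upstream series number, unlike the `[PATCH nnn/170]` backports, so nothing visible shows that 3.1 contains their fix. If 3.1's `scripts/fixfiles` still has `DATE=$1` and an unquoted `-newermt $DATE` in `newer()`, `fixfiles -N` with a date-and-time argument regresses and the value is word-split again in a script that runs restorecon as root. Please check the 3.1 source and, if needed, rebase and keep both patches. Separately, Source0 to Source6 now point at GitHub release assets while only `policycoreutils-3.1.tar.gz` is added in the part of the diff visible here; I would add a spec comment such as `# tarballs verified against the digests published with the upstream 20200710 release` once each one has been checked.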
@@ -154,26 +129,26 @@ This contains man files for the using of selinux. %build export PYTHON=%{__python3} -make -C policycoreutils-2.8 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all -make -C selinux-python-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all -make -C semodule-utils-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all -make -C restorecond-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C policycoreutils-3.1 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C selinux-python-3.1 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C semodule-utils-3.1 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C restorecond-3.1 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all %if %{with sandbox} -make -C selinux-sandbox-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C selinux-sandbox-3.1 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all %endif -make -C selinux-dbus-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all +make -C selinux-dbus-3.1 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all %install mkdir -p %{buildroot}/%{_defaultdocdir}/%{name}/ -make -C policycoreutils-2.8 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install -make -C selinux-python-2.8 PYTHON=%{__python2} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" 
LIBSEPOLA="%{_libdir}/libsepol.a" install -make -C selinux-python-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install -make -C semodule-utils-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install -make -C restorecond-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install +make -C policycoreutils-3.1 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install +make -C selinux-python-3.1 PYTHON=%{__python2} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install +make -C selinux-python-3.1 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install +make -C semodule-utils-3.1 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install +make -C restorecond-3.1 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install %if %{with sandbox} -make -C selinux-sandbox-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install +make -C selinux-sandbox-3.1 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install %endif -make -C selinux-dbus-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install +make -C selinux-dbus-3.1 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond 
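Review bot: The `%install` line `make -C selinux-python-3.1 PYTHON=%{__python2} ... install` is carried over unchanged apart from the directory name, and `python2-devel` stays in BuildRequires. As far as I recall, upstream stopped supporting Python 2 before the 3.1 release, so this step may fail or ship Python 2 modules of a policy-management tool that nobody upstream tests; please confirm against the upstream release notes. If that is the case, drop the Python 2 install line and keep only `make -C selinux-python-3.1 PYTHON=%{__python3} ... install`, together with the matching `%{python2_sitelib}` entries further down the spec.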
@@ -227,7 +202,7 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}% %files -f %{name}.lang -%license policycoreutils-2.8/COPYING +%license policycoreutils-3.1/COPYING %doc %{_usr}/share/doc/%{name} %config(noreplace) %{_sysconfdir}/sestatus.conf %config(noreplace) %{_sysconfdir}/pam.d/newrole @@ -244,6 +219,7 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}% %dir %{_datadir}/bash-completion %{_datadir}/bash-completion/completions/setsebool %{_unitdir}/restorecond.service +%{_userunitdir}/restorecond_user.service %{_sysconfdir}/xdg/autostart/restorecond.desktop %{_datadir}/dbus-1/services/org.selinux.Restorecond.service %attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole @@ -327,6 +303,9 @@ find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}% %{_mandir}/* %changelog +* Fri Jul 17 2020 openEuler Buildteam - 3.1-1 +- update to 3.1 + * Thu Mar 5 2020 openEuler Buildteam - 2.8-14 - Build without sandbox diff --git a/python-audit2allow-allow-using-audit2why-as-non-root.patch b/python-audit2allow-allow-using-audit2why-as-non-root.patch deleted file mode 100644 index 433e8f7291e5a015aa5be39b51039f60f1532e66..0000000000000000000000000000000000000000 --- a/python-audit2allow-allow-using-audit2why-as-non-root.patch +++ /dev/null 
@@ -1,54 +0,0 @@
-From b2a54258b40b298037cc8ae686d31d7bab714720 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Fri, 21 Dec 2018 21:43:33 +0100
-Subject: [PATCH 114/170] python/audit2allow: allow using audit2why as non-root
- user
-
-Importing sepolicy as non-root on a system with SELinux causes the
-following exception to be raised:
-
- ValueError: No SELinux Policy installed
-
-Ignore this when using audit2why, which allows using it with option
---policy as a non-root user.
-
-Signed-off-by: Nicolas Iooss
----
- python/audit2allow/audit2allow | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/selinux-python-2.8/audit2allow/audit2allow b/selinux-python-2.8/audit2allow/audit2allow
-index 195f151c..18fe0a53 100644
---- a/selinux-python-2.8/audit2allow/audit2allow
-+++ b/selinux-python-2.8/audit2allow/audit2allow
-@@ -242,7 +242,10 @@ class AuditToPolicy:
-
- def __output_audit2why(self):
- import selinux
-- import sepolicy
-+ try:
-+ import sepolicy
-+ except (ImportError, ValueError):
-+ sepolicy = None
- for i in self.__parser.avc_msgs:
- rc = i.type
- data = i.data
-@@ -262,11 +265,13 @@ class AuditToPolicy:
- if len(data) > 1:
- print("\tOne of the following booleans was set incorrectly.")
- for b in data:
-- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
-+ if sepolicy is not None:
-+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
- print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
- else:
- print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
-- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
-+ if sepolicy is not None:
-+ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
- print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))
- continue
-
---
-2.19.1
-
diff --git a/python-chcat-fix-removing-categories-on-users-with-F.patch b/python-chcat-fix-removing-categories-on-users-with-F.patch
deleted file mode 100644
index 7fc086ee8627cd6d24e490faf166049a24712962..0000000000000000000000000000000000000000
--- a/python-chcat-fix-removing-categories-on-users-with-F.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From f39c0ac63749c1c5c140f1b1ad65d5e536bbe894 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Sun, 9 Dec 2018 15:23:23 +0100
-Subject: [PATCH 091/170] python/chcat: fix removing categories on users with
- Fedora default setup
-
-Using Vagrant with fedora/28-cloud-base image, SELinux logins are
-configured this way:
-
- # semanage login -l
- Login Name SELinux User MLS/MCS Range Service
-
- __default__ unconfined_u s0-s0:c0.c1023 *
- root unconfined_u s0-s0:c0.c1023 *
- vagrant unconfined_u s0-s0:c0.c1023 *
-
-Using "chcat -l +c42 vagrant" successfully adds the category to user
-vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
-semanage login -l returns:
-
- vagrant unconfined_u s0-s0:c0.c1023,c42 *
-
-This issue is caused by expandCats(), which refuses to return a list of
-more than 25 categories. This causes chcat_user_remove() to work with
-cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
-it not been able to remove 'c42' from the list.
-
-Fix this issue by splitting the list of categories before calling
-expandCats().
-
-Signed-off-by: Nicolas Iooss
----
- python/chcat/chcat | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat
-index 73f75725..5bef0073 100755
---- a/selinux-python-2.8/chcat/chcat
-+++ b/selinux-python-2.8/chcat/chcat
-@@ -82,8 +82,7 @@ def chcat_user_add(newcat, users):
- if len(serange) > 1:
- top = serange[1].split(":")
- if len(top) > 1:
-- cats.append(top[1])
-- cats = expandCats(cats)
-+ cats = expandCats(top[1].split(','))
-
- for i in newcat[1:]:
- if i not in cats:
-@@ -163,8 +162,7 @@ def chcat_user_remove(newcat, users):
- if len(serange) > 1:
- top = serange[1].split(":")
- if len(top) > 1:
-- cats.append(top[1])
-- cats = expandCats(cats)
-+ cats = expandCats(top[1].split(','))
-
- for i in newcat[1:]:
- if i in cats:
---
-2.19.1
-
diff --git a/python-chcat-use-check_call-instead-of-getstatusoutp.patch b/python-chcat-use-check_call-instead-of-getstatusoutp.patch
deleted file mode 100644
index 8fa705c358a5b8f0bec256d0229af0e4df96e391..0000000000000000000000000000000000000000
--- a/python-chcat-use-check_call-instead-of-getstatusoutp.patch
+++ /dev/null
@@ -1,162 +0,0 @@ -From 2923d9d21ee51cbd210c87a1c5bdbd891b332296 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 4 Dec 2018 11:35:40 +0100 -Subject: [PATCH 089/170] python/chcat: use check_call instead of - getstatusoutput - -Use "check_call" instead of "getstatusoutput" in order for special -characters and spaces in filenames to be handled correctly. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774 - -Signed-off-by: Vit Mojzis ---- - python/chcat/chcat | 78 ++++++++++++++++++++++------------------------ - 1 file changed, 38 insertions(+), 40 deletions(-) - -diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat -index 4bd9fc6a..1de92306 100755 ---- a/selinux-python-2.8/chcat/chcat -+++ b/selinux-python-2.8/chcat/chcat -@@ -22,10 +22,7 @@ - # 02111-1307 USA - # - # --try: -- from subprocess import getstatusoutput --except ImportError: -- from commands import getstatusoutput -+import subprocess - import sys - import os - import pwd -@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users): - new_serange = "%s-%s" % (serange[0], top[0]) - - if add_ind: -- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) -+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u] - else: -- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) -- rc = getstatusoutput(cmd) -- if rc[0] != 0: -- print(rc[1]) -+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u] -+ try: -+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) -+ except subprocess.CalledProcessError as e: - errors += 1 - - return errors -@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind): - cat_string = "%s,%s" % (cat_string, c) - else: - cat_string = cat -- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f) -- rc = getstatusoutput(cmd) -- if rc[0] != 0: -- print(rc[1]) -+ -+ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f] -+ try: -+ subprocess.check_call(cmd, 
stderr=subprocess.STDOUT, shell=False) -+ except subprocess.CalledProcessError as e: - errors += 1 - return errors - -@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users): - new_serange = "%s-%s" % (serange[0], top[0]) - - if add_ind: -- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) -+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u] - else: -- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) -- rc = getstatusoutput(cmd) -- if rc[0] != 0: -- print(rc[1]) -+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u] -+ -+ try: -+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) -+ except subprocess.CalledProcessError as e: - errors += 1 -+ - return errors - - -@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind): - continue - - if len(cat) == 0: -- cmd = 'chcon -l %s %s' % (sensitivity, f) -+ new_serange = sensitivity - else: -- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f) -- rc = getstatusoutput(cmd) -- if rc[0] != 0: -- print(rc[1]) -+ new_serange = '%s:%s' % (sensitivity, cat) -+ -+ cmd = ["chcon", "-l", new_serange, f] -+ try: -+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) -+ except subprocess.CalledProcessError as e: - errors += 1 - return errors - -@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users): - add_ind = 1 - user = seusers["__default__"] - serange = user[1].split("-") -- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ",")) -+ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:])) - if new_serange[-1:] == ":": - new_serange = new_serange[:-1] - - if add_ind: -- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) -+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u] - else: -- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) -- rc = getstatusoutput(cmd) -- if rc[0] != 0: -- print(rc[1]) -+ cmd = 
["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u] -+ try: -+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) -+ except subprocess.CalledProcessError as e: - errors += 1 - return errors - -@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind): - return chcat_user_replace(newcat, objects) - errors = 0 - if len(newcat) == 1: -- sensitivity = newcat[0] -- cmd = 'chcon -l %s ' % newcat[0] -+ new_serange = newcat[0] - else: -- sensitivity = newcat[0] -- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1]) -+ new_serange = "%s:%s" % (newcat[0], newcat[1]) - for cat in newcat[2:]: -- cmd = '%s,%s' % (cmd, cat) -+ new_serange = '%s,%s' % (new_serange, cat) - -- for f in objects: -- cmd = "%s %s" % (cmd, f) -- -- rc = getstatusoutput(cmd) -- if rc[0] != 0: -- print(rc[1]) -+ cmd = ["chcon", "-l", new_serange] + objects -+ try: -+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) -+ except subprocess.CalledProcessError as e: - errors += 1 - - return errors --- -2.19.1 - diff --git a/python-semanage-Load-a-store-policy-and-set-the-stor.patch b/python-semanage-Load-a-store-policy-and-set-the-stor.patch deleted file mode 100644 index 380741d917b73bfad53e8ec7c56844fe56169bf9..0000000000000000000000000000000000000000 --- a/python-semanage-Load-a-store-policy-and-set-the-stor.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 2d825c616d3d7a7ceee80125e1eff12ad46d2623 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 3 Jan 2019 13:03:39 +0100 -Subject: [PATCH 108/170] python/semanage: Load a store policy and set the - store SELinux policy root - -When "store" is set, sepolicy needs to load a new policy file and selinux module -needs to set the new store root path. - -With this patch, semanage is able to work correctly with non-default -S -even when the default policy is not installed yet. - -Fixes: -$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__ -libsemanage.dbase_llist_query: could not query record value -OSError: [Errno 0] Error - -Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861 - -Signed-off-by: Petr Lautrbach ---- - selinux-python-2.8/semanage/seobject.py | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py -index 4490e03f..556d3ba5 100644 ---- a/selinux-python-2.8/semanage/seobject.py -+++ b/selinux-python-2.8/semanage/seobject.py -@@ -260,6 +260,8 @@ class semanageRecords: - if self.store == "" or self.store == localstore: - self.mylog = logger() - else: -+ sepolicy.load_store_policy(self.store) -+ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store)) - self.mylog = nulllogger() - - def set_reload(self, load): -@@ -1329,7 +1331,7 @@ class ibpkeyRecords(semanageRecords): - def __init__(self, args = None): - semanageRecords.__init__(self, args) - try: -- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"]) -+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibpkey_type"]) - self.valid_types = sorted(str(t) for t in q.results()) - except: - pass -@@ -1589,7 +1591,7 @@ class ibendportRecords(semanageRecords): - def __init__(self, args = None): - semanageRecords.__init__(self, args) - try: 
-- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"]) -+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibendport_type"]) - self.valid_types = set(str(t) for t in q.results()) - except: - pass --- -2.19.1 - diff --git a/python-semanage-Stop-rejecting-aliases-in-semanage-c.patch b/python-semanage-Stop-rejecting-aliases-in-semanage-c.patch deleted file mode 100644 index 7c03222db77e96acad20b3c56e4fed2771595fb2..0000000000000000000000000000000000000000 --- a/python-semanage-Stop-rejecting-aliases-in-semanage-c.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From 48aeea9ce623ee31e7699181e37221d03d8a1af1 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Tue, 16 Oct 2018 12:05:33 +0200 -Subject: [PATCH 075/170] python/semanage: Stop rejecting aliases in semanage - commands - -Resolves: - -\# semanage fcontext -a -t svirt_sandbox_file_t /pokus -ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type -\# semanage fcontext -d -t svirt_sandbox_file_t /pokus -ValueError: File context for /pokus is not defined - -\# seinfo -tsvirt_sandbox_file_t -x - TypeName container_file_t - Aliases - svirt_sandbox_file_t - svirt_lxc_file_t - -Signed-off-by: Vit Mojzis ---- - selinux-python-2.8/semanage/seobject.py | 21 ++++++++++----------- - 1 file changed, 10 insertions(+), 11 deletions(-) - -diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py -index c1467185..5d34cdbe 100644 ---- a/selinux-python-2.8/semanage/seobject.py -+++ b/selinux-python-2.8/semanage/seobject.py -@@ -1081,7 +1081,7 @@ class portRecords(semanageRecords): - if type == "": - raise ValueError(_("Type is required")) - -- if type not in self.valid_types: -+ if sepolicy.get_real_type_name(type) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a port type") % type) - - (k, proto_d, low, high) = self.__genkey(port, proto) -@@ -1145,7 +1145,7 @@ class portRecords(semanageRecords): - else: - raise ValueError(_("Requires setype")) - -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a port type") % setype) - - (k, proto_d, low, high) = self.__genkey(port, proto) -@@ -1349,7 +1349,7 @@ class ibpkeyRecords(semanageRecords): - if type == "": - raise ValueError(_("Type is required")) - -- if type not in self.valid_types: -+ if sepolicy.get_real_type_name(type) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a ibpkey 
type") % type) - - (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) -@@ -1411,7 +1411,7 @@ class ibpkeyRecords(semanageRecords): - else: - raise ValueError(_("Requires setype")) - -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) - - (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) -@@ -1597,7 +1597,7 @@ class ibendportRecords(semanageRecords): - if type == "": - raise ValueError(_("Type is required")) - -- if type not in self.valid_types: -+ if sepolicy.get_real_type_name(type) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) - (k, ibendport, port) = self.__genkey(ibendport, ibdev_name) - -@@ -1658,7 +1658,7 @@ class ibendportRecords(semanageRecords): - else: - raise ValueError(_("Requires setype")) - -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) - - (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name) -@@ -1847,7 +1847,7 @@ class nodeRecords(semanageRecords): - if ctype == "": - raise ValueError(_("SELinux node type is required")) - -- if ctype not in self.valid_types: -+ if sepolicy.get_real_type_name(ctype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a node type") % ctype) - - (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -@@ -1916,7 +1916,7 @@ class nodeRecords(semanageRecords): - if serange == "" and setype == "": - raise ValueError(_("Requires setype or serange")) - -- if setype and setype not in self.valid_types: -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a node type") % setype) - - (rc, k) = 
semanage_node_key_create(self.sh, addr, mask, proto) -@@ -2235,7 +2235,6 @@ class fcontextRecords(semanageRecords): - try: - valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) - valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) -- valid_types.append("<>") - except RuntimeError: - valid_types = [] - -@@ -2363,7 +2362,7 @@ class fcontextRecords(semanageRecords): - if type == "": - raise ValueError(_("SELinux Type is required")) - -- if type not in self.valid_types: -+ if type != "<>" and sepolicy.get_real_type_name(type) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a file or device type") % type) - - (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) -@@ -2426,7 +2425,7 @@ class fcontextRecords(semanageRecords): - def __modify(self, target, setype, ftype, serange, seuser): - if serange == "" and setype == "" and seuser == "": - raise ValueError(_("Requires setype, serange or seuser")) -- if setype and setype not in self.valid_types: -+ if setype not in ["", "<>"] and sepolicy.get_real_type_name(setype) not in self.valid_types: - raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) - - self.validate(target) --- -2.19.1 - diff --git a/python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch b/python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch deleted file mode 100644 index e40b64969c399c5d6460bb7985629aa288d8be99..0000000000000000000000000000000000000000 --- a/python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 60a928578689126f573618064fd8814445238d3a Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 15 Feb 2019 17:00:25 +0100 -Subject: [PATCH 157/170] python/semanage module: Fix handling of -a/-e/-d/-r - options - -Previous code traceback-ed when one of the mentioned option was used without -any argument as this state was not handled by the argument parser. - -action='store' stores arguments as a list while the original -action='store_const' used str therefore it's needed to convert list to str -before it's sent to moduleRecords class. - -Fixes: -^_^ semanage module -a -Traceback (most recent call last): - File "/usr/sbin/semanage", line 963, in - do_parser() - File "/usr/sbin/semanage", line 942, in do_parser - args.func(args) - File "/usr/sbin/semanage", line 608, in handleModule - OBJECT.add(args.module_name, args.priority) - File "/usr/lib/python3.7/site-packages/seobject.py", line 402, in add - if not os.path.exists(file): - File "/usr/lib64/python3.7/genericpath.py", line 19, in exists - os.stat(path) -TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType - -Signed-off-by: Petr Lautrbach ---- - selinux-python-2.8/semanage/semanage | 25 ++++++++++++------------- - 1 file changed, 12 insertions(+), 13 deletions(-) - -diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage -index 18191c13..d6d68248 100644 ---- a/selinux-python-2.8/semanage/semanage -+++ b/selinux-python-2.8/semanage/semanage -@@ -609,14 +609,14 @@ def setupInterfaceParser(subparsers): - - def handleModule(args): - OBJECT = seobject.moduleRecords(args) -- if args.action == "add": -- OBJECT.add(args.module_name, args.priority) -- if args.action == "enable": -- OBJECT.set_enabled(args.module_name, True) -- if args.action == "disable": -- OBJECT.set_enabled(args.module_name, False) -- if args.action == "remove": -- OBJECT.delete(args.module_name, args.priority) -+ if args.action_add: -+ 
OBJECT.add(args.action_add[0], args.priority) -+ if args.action_enable: -+ OBJECT.set_enabled(" ".join(args.action_enable), True) -+ if args.action_disable: -+ OBJECT.set_enabled(" ".join(args.action_disable), False) -+ if args.action_remove: -+ OBJECT.delete(" ".join(args.action_remove), args.priority) - if args.action == "deleteall": - OBJECT.deleteall() - if args.action == "list": -@@ -635,14 +635,13 @@ def setupModuleParser(subparsers): - parser_add_priority(moduleParser, "module") - - mgroup = moduleParser.add_mutually_exclusive_group(required=True) -- parser_add_add(mgroup, "module") - parser_add_list(mgroup, "module") - parser_add_extract(mgroup, "module") - parser_add_deleteall(mgroup, "module") -- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module")) -- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module")) -- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module")) -- moduleParser.add_argument('module_name', nargs='?', default=None, help=_('Name of the module to act on')) -+ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module")) -+ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module")) -+ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module")) -+ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module")) - moduleParser.set_defaults(func=handleModule) - - --- -2.19.1 - 
diff --git a/python-semanage-move-valid_types-initialisations-to-.patch b/python-semanage-move-valid_types-initialisations-to-.patch
deleted file mode 100644
index 983887e789db46e0181a80f1ddf9f42829888405..0000000000000000000000000000000000000000
--- a/python-semanage-move-valid_types-initialisations-to-.patch
+++ /dev/null
@@ -1,145 +0,0 @@ -From a73b0bba1a52adec3cfe654f726388a68b73e2d3 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 3 Jan 2019 13:03:36 +0100 -Subject: [PATCH 105/170] python/semanage: move valid_types initialisations to - class constructors - -Based on idea from Nicolas Iooss - -Fixes: -$ sudo semanage -Traceback (most recent call last): - File "/usr/sbin/semanage", line 28, in - import seobject - File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in - class portRecords(semanageRecords): - File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords - valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) - File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in - return ({ - File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results - for attr in self.policy.typeattributes(): -AttributeError: 'NoneType' object has no attribute 'typeattributes' - -https://github.com/SELinuxProject/selinux/issues/81 - -Signed-off-by: Petr Lautrbach ---- - selinux-python-2.8/semanage/seobject.py | 57 ++++++++++++++++++++++--------------- - 1 file changed, 34 insertions(+), 23 deletions(-) - -diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py -index efec0a55..4490e03f 100644 ---- a/selinux-python-2.8/semanage/seobject.py -+++ b/selinux-python-2.8/semanage/seobject.py -@@ -1043,13 +1043,15 @@ class seluserRecords(semanageRecords): - - - class portRecords(semanageRecords): -- try: -- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) -- except RuntimeError: -- valid_types = [] -+ -+ valid_types = [] - - def __init__(self, args = None): - semanageRecords.__init__(self, args) -+ try: -+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) -+ except RuntimeError: -+ pass - - def __genkey(self, port, proto): - if proto == "tcp": -@@ -1321,14 +1323,16 @@ class 
portRecords(semanageRecords): - print(rec) - - class ibpkeyRecords(semanageRecords): -- try: -- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"]) -- valid_types = sorted(str(t) for t in q.results()) -- except: -- valid_types = [] -+ -+ valid_types = [] - - def __init__(self, args = None): - semanageRecords.__init__(self, args) -+ try: -+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"]) -+ self.valid_types = sorted(str(t) for t in q.results()) -+ except: -+ pass - - def __genkey(self, pkey, subnet_prefix): - if subnet_prefix == "": -@@ -1579,14 +1583,16 @@ class ibpkeyRecords(semanageRecords): - print(rec) - - class ibendportRecords(semanageRecords): -- try: -- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"]) -- valid_types = set(str(t) for t in q.results()) -- except: -- valid_types = [] -+ -+ valid_types = [] - - def __init__(self, args = None): - semanageRecords.__init__(self, args) -+ try: -+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"]) -+ self.valid_types = set(str(t) for t in q.results()) -+ except: -+ pass - - def __genkey(self, ibendport, ibdev_name): - if ibdev_name == "": -@@ -1823,14 +1829,16 @@ class ibendportRecords(semanageRecords): - print(rec) - - class nodeRecords(semanageRecords): -- try: -- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"]) -- except RuntimeError: -- valid_types = [] -+ -+ valid_types = [] - - def __init__(self, args = None): - semanageRecords.__init__(self, args) - self.protocol = ["ipv4", "ipv6"] -+ try: -+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"]) -+ except RuntimeError: -+ pass - - def validate(self, addr, mask, protocol): - newaddr = addr -@@ -2264,14 +2272,17 @@ class interfaceRecords(semanageRecords): - - - class 
fcontextRecords(semanageRecords): -- try: -- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) -- valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) -- except RuntimeError: -- valid_types = [] -+ -+ valid_types = [] - - def __init__(self, args = None): - semanageRecords.__init__(self, args) -+ try: -+ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) -+ self.valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) -+ except RuntimeError: -+ pass -+ - self.equiv = {} - self.equiv_dist = {} - self.equal_ind = False --- -2.19.1 - diff --git a/python-semanage-seobject-Fix-listing-boolean-values.patch b/python-semanage-seobject-Fix-listing-boolean-values.patch deleted file mode 100644 index 8c873c447fd8e07557085420d8e2540ffe99097c..0000000000000000000000000000000000000000 --- a/python-semanage-seobject-Fix-listing-boolean-values.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 259ab083fa02aaa9eb385cf6b0de30a1919a817b Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Fri, 1 Feb 2019 17:49:40 +0100 -Subject: [PATCH 144/170] python/semanage/seobject: Fix listing boolean values - -Fix gathering boolean values by fixing always False if condition -(determining whether the values are listed from local store). - -Fix listing boolean values by printing the correct values and not -forcing the use of security_get_boolean_active (which causes -crash when listing booleans that are not present in active policy). - -Fixes: - # dnf install selinux-policy-mls - # cat > mypolicy.cil - (boolean xyz false) - - # semodule -i mypolicy.cil -s mls - - # semanage boolean -l -S mls - ... - irssi_use_full_network (off , off) Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port. - mozilla_plugin_use_bluejeans (off , off) Allow mozilla plugin to use Bluejeans. - OSError: No such file or directory - -Signed-off-by: Vit Mojzis ---- - selinux-python-2.8/semanage/seobject.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py -index 556d3ba5..b31a90c1 100644 ---- a/selinux-python-2.8/semanage/seobject.py -+++ b/selinux-python-2.8/semanage/seobject.py -@@ -2807,7 +2807,7 @@ class booleanRecords(semanageRecords): - value = [] - name = semanage_bool_get_name(boolean) - value.append(semanage_bool_get_value(boolean)) -- if self.modify_local and boolean in self.current_booleans: -+ if self.modify_local and name in self.current_booleans: - value.append(selinux.security_get_boolean_pending(name)) - value.append(selinux.security_get_boolean_active(name)) - else: -@@ -2849,4 +2849,4 @@ class booleanRecords(semanageRecords): - print("%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description"))) - for k in sorted(ddict.keys()): - if ddict[k]: -- print("%-30s (%-5s,%5s) %s" % (k, 
on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k))) -+ print("%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k))) --- -2.19.1 - diff --git a/python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch b/python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch deleted file mode 100644 index 93bf430570ca48a4e1d543b41907f29edef158d4..0000000000000000000000000000000000000000 --- a/python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-From 33d7a761e53c7828ab89821fd7f7b5c6ada81635 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Fri, 21 Dec 2018 21:43:30 +0100
-Subject: [PATCH 111/170] python/sepolgen: close /etc/selinux/sepolgen.conf
- after parsing it
-
-sepolgen testsuite reports the following warning on a system with
-/etc/selinux/sepolgen.conf:
-
- .../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file
- <_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r'
- encoding='UTF-8'>
-
-Fix this by properly closing the file in PathChooser.__init__().
-
-Signed-off-by: Nicolas Iooss
----
- python/sepolgen/src/sepolgen/defaults.py | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-index 199acfaf..533a9041 100644
---- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-@@ -32,12 +32,13 @@ class PathChooser(object):
- self.config_pathname = pathname
- ignore = re.compile(r"^\s*(?:#.+)?$")
- consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
-- for lineno, line in enumerate(open(pathname)):
-- if ignore.match(line): continue
-- mo = consider.match(line)
-- if not mo:
-- raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
-- self.config[mo.group(1)] = mo.group(2)
-+ with open(pathname, "r") as fd:
-+ for lineno, line in enumerate(fd):
-+ if ignore.match(line): continue
-+ mo = consider.match(line)
-+ if not mo:
-+ raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1))
-+ self.config[mo.group(1)] = mo.group(2)
-
- # We're only exporting one useful function, so why not be a function
- def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
---
-2.19.1
-
diff --git a/python-sepolgen-fix-typo-in-PathChoooser-name.patch b/python-sepolgen-fix-typo-in-PathChoooser-name.patch
deleted file mode 100644
index 421c9d3e849c122dbc3c80129637f841b4564e0d..0000000000000000000000000000000000000000
--- a/python-sepolgen-fix-typo-in-PathChoooser-name.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 91ef21e31fac00607112f41027053dc1120a7e14 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Sun, 3 Jun 2018 18:25:38 +0200
-Subject: [PATCH 014/170] python/sepolgen: fix typo in PathChoooser name
-
-Signed-off-by: Nicolas Iooss
----
- selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-index 95910639..199acfaf 100644
---- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-@@ -22,7 +22,7 @@ import re
-
- # Select the correct location for the development files based on a
- # path variable (optionally read from a configuration file)
--class PathChoooser(object):
-+class PathChooser(object):
- def __init__(self, pathname):
- self.config = dict()
- if not os.path.exists(pathname):
-@@ -68,10 +68,10 @@ def attribute_info():
- return data_dir() + "/attribute_info"
-
- def refpolicy_makefile():
-- chooser = PathChoooser("/etc/selinux/sepolgen.conf")
-+ chooser = PathChooser("/etc/selinux/sepolgen.conf")
- return chooser("Makefile")
-
- def headers():
-- chooser = PathChoooser("/etc/selinux/sepolgen.conf")
-+ chooser = PathChooser("/etc/selinux/sepolgen.conf")
- return chooser("include")
-
---
-2.19.1
-
diff --git a/python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch b/python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
deleted file mode 100644
index 527492d0dbe8087dfb6db45bcfcab4cbe793e7e3..0000000000000000000000000000000000000000
--- a/python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 916640d786b5896fbf75d219e16422c9a48529ab Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Sat, 5 Jan 2019 20:37:58 +0100
-Subject: [PATCH 119/170] python/sepolgen: refpolicy installs its Makefile in
- include/Makefile
-
-When running "make install-headers" on refpolicy,
-/usr/share/selinux/refpolicy/Makefile does not exist but
-/usr/share/selinux/refpolicy/include/Makefile does. Use it when
-available.
-
-Signed-off-by: Nicolas Iooss
----
- selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-index 533a9041..6e800695 100644
---- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-+++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py
-@@ -70,7 +70,10 @@ def attribute_info():
-
- def refpolicy_makefile():
- chooser = PathChooser("/etc/selinux/sepolgen.conf")
-- return chooser("Makefile")
-+ result = chooser("Makefile")
-+ if not os.path.exists(result):
-+ result = chooser("include/Makefile")
-+ return result
-
- def headers():
- chooser = PathChooser("/etc/selinux/sepolgen.conf")
---
-2.19.1
-
diff --git a/python-sepolicy-Add-sepolicy.load_store_policy-store.patch b/python-sepolicy-Add-sepolicy.load_store_policy-store.patch
deleted file mode 100644
index 7ef018ae7f887706956f0cbfc9383eb2d8cee6bd..0000000000000000000000000000000000000000
--- a/python-sepolicy-Add-sepolicy.load_store_policy-store.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From ef359c97c98a8b347c7379a605acff1b2305ee28 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach
-Date: Thu, 3 Jan 2019 13:03:38 +0100
-Subject: [PATCH 107/170] python/sepolicy: Add
- sepolicy.load_store_policy(store)
-
-load_store_policy() allows to (re)load SELinux policy based on a store name. It
-is useful when SELinux is disabled and default policy is not installed; or when
-a user wants to query or manipulate another policy.
-
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
-
-Signed-off-by: Petr Lautrbach
----
- python/sepolicy/sepolicy/__init__.py | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-index fbeb731d..b69a6b94 100644
---- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-@@ -129,6 +129,13 @@ def get_installed_policy(root="/"):
- pass
- raise ValueError(_("No SELinux Policy installed"))
-
-+def get_store_policy(store, root="/"):
-+ try:
-+ policies = glob.glob("%s%s/policy/policy.*" % (selinux.selinux_path(), store))
-+ policies.sort()
-+ return policies[-1]
-+ except:
-+ return None
-
- def policy(policy_file):
- global all_domains
-@@ -156,6 +163,11 @@ def policy(policy_file):
- except:
- raise ValueError(_("Failed to read %s policy file") % policy_file)
-
-+def load_store_policy(store):
-+ policy_file = get_store_policy(store)
-+ if not policy_file:
-+ return None
-+ policy(policy_file)
-
- try:
- policy_file = get_installed_policy()
---
-2.19.1
-
diff --git a/python-sepolicy-Fix-info-to-search-aliases-as-well.patch b/python-sepolicy-Fix-info-to-search-aliases-as-well.patch
deleted file mode 100644
index 43af592b36a49161cd0d226421da19c4d84cf267..0000000000000000000000000000000000000000
--- a/python-sepolicy-Fix-info-to-search-aliases-as-well.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 448f5a9257f76645bcff6881de3bb9a0f313c545 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis
-Date: Tue, 16 Oct 2018 12:05:31 +0200
-Subject: [PATCH 073/170] python/sepolicy: Fix "info" to search aliases as well
-
-Restore previous behaviour of "sepolicy.info()".
-
-Signed-off-by: Vit Mojzis
----
- python/sepolicy/sepolicy/__init__.py | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-index 5d0535b9..d8c9decc 100644
---- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-@@ -168,15 +168,21 @@ except ValueError as e:
- def info(setype, name=None):
- if setype == TYPE:
- q = setools.TypeQuery(_pol)
-- if name:
-- q.name = name
-+ q.name = name
-+ results = list(q.results())
-+
-+ if name and len(results) < 1:
-+ # type not found, try alias
-+ q.name = None
-+ q.alias = name
-+ results = list(q.results())
-
- return ({
- 'aliases': list(map(str, x.aliases())),
- 'name': str(x),
- 'permissive': bool(x.ispermissive),
- 'attributes': list(map(str, x.attributes()))
-- } for x in q.results())
-+ } for x in results)
-
- elif setype == ROLE:
- q = setools.RoleQuery(_pol)
---
-2.19.1
-
diff --git a/python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch b/python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
deleted file mode 100644
index 61d8276151ea5d4ecb4803b4e9e4d807cefccc04..0000000000000000000000000000000000000000
--- a/python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
+++ /dev/null
@@ -1,96 +0,0 @@ -From 4c63b8e7b691bf8fc09ccd5a35ce420effaeb16b Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Mon, 22 Oct 2018 17:43:12 +0200 -Subject: [PATCH 074/170] python/sepolicy: Stop rejecting aliases in sepolicy - commands - -Fix CheckDomain and CheckPortType classes to properly deal with aliases. - -Resolves: - https://bugzilla.redhat.com/show_bug.cgi?id=1600009 - -Signed-off-by: Vit Mojzis ---- - selinux-python-2.8/sepolicy/sepolicy.py | 8 +++----- - selinux-python-2.8/sepolicy/sepolicy/__init__.py | 18 +++++++++++++++++- - 2 files changed, 20 insertions(+), 6 deletions(-) - -diff --git a/selinux-python-2.8/sepolicy/sepolicy.py b/selinux-python-2.8/sepolicy/sepolicy.py -index a000c1ad..01380fbe 100755 ---- a/selinux-python-2.8/sepolicy/sepolicy.py -+++ b/selinux-python-2.8/sepolicy/sepolicy.py -@@ -60,8 +60,6 @@ class CheckPath(argparse.Action): - class CheckType(argparse.Action): - - def __call__(self, parser, namespace, values, option_string=None): -- domains = sepolicy.get_all_domains() -- - if isinstance(values, str): - setattr(namespace, self.dest, values) - else: -@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action): - domains = sepolicy.get_all_domains() - - if isinstance(values, str): -- if values not in domains: -+ if sepolicy.get_real_type_name(values) not in domains: - raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains))) - setattr(namespace, self.dest, values) - else: -@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action): - newval = [] - - for v in values: -- if v not in domains: -+ if sepolicy.get_real_type_name(v) not in domains: - raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains))) - newval.append(v) - setattr(namespace, self.dest, newval) -@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action): - if not newval: - newval = [] - for v in values: -- if v not in port_types: -+ if sepolicy.get_real_type_name(v) not in port_types: - 
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types))) - newval.append(v) - setattr(namespace, self.dest, values) -diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py -index d8c9decc..b18683e4 100644 ---- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py -+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py -@@ -447,6 +447,22 @@ def get_file_types(setype): - return mpaths - - -+def get_real_type_name(name): -+ """Return the real name of a type -+ -+ * If 'name' refers to a type, return the same name. -+ * If 'name' refers to a type alias, return the corresponding type name. -+ * Otherwise return None. -+ """ -+ if not name: -+ return None -+ -+ try: -+ return next(info(TYPE, name))["name"] -+ except (RuntimeError, StopIteration): -+ return None -+ -+ - def get_writable_files(setype): - file_types = get_all_file_types() - all_writes = [] -@@ -1061,7 +1077,7 @@ def gen_short_name(setype): - domainname = setype[:-2] - else: - domainname = setype -- if domainname + "_t" not in all_domains: -+ if get_real_type_name(domainname + "_t") not in all_domains: - raise ValueError("domain %s_t does not exist" % domainname) - if domainname[-1] == 'd': - short_name = domainname[:-1] + "_" --- -2.19.1 - diff --git a/python-sepolicy-fix-procotol-misspelling.patch b/python-sepolicy-fix-procotol-misspelling.patch deleted file mode 100644 index 55942349e0141f7684111b7757572a310a84859d..0000000000000000000000000000000000000000 --- a/python-sepolicy-fix-procotol-misspelling.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 8fac024785299725b714ad6ac8a265e16bc125c9 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Sat, 4 Aug 2018 14:07:47 +0200
-Subject: [PATCH 042/170] python/sepolicy: fix "procotol" misspelling
-
-procotol -> protocol
-
-This issue has been found using flake8. This Python linter reported:
-
- python/sepolicy/sepolicy/gui.py:2525:132: F821 undefined name 'procotol'
-
-Signed-off-by: Nicolas Iooss
----
- python/sepolicy/sepolicy/gui.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
-index 16f24a0a..6933f6a1 100644
---- a/selinux-python-2.8/sepolicy/sepolicy/gui.py
-+++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py
-@@ -2522,7 +2522,7 @@ class SELinuxGui():
- if self.cur_dict[k][(port, protocol)]["action"] == "-d":
- update_buffer += "port -d -p %s %s\n" % (protocol, port)
- else:
-- update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], procotol, port)
-+ update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], protocol, port)
-
- return update_buffer
-
---
-2.19.1
-
diff --git a/python-sepolicy-fix-variable-name.patch b/python-sepolicy-fix-variable-name.patch
deleted file mode 100644
index b712d044be3aa54de582c0a8b2f8c03bb67a2a9e..0000000000000000000000000000000000000000
--- a/python-sepolicy-fix-variable-name.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From ae03c821b798b346d1012d1defd61e665bb0d890 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Thu, 31 Jan 2019 20:46:40 +0100
-Subject: [PATCH 136/170] python/sepolicy: fix variable name
-
-modify_button_clicked() used variable "type" in a comparison instead of
-"ftype". This is a bug, which has been found with flake8 3.7.0. This
-linter reported:
-
- python/sepolicy/sepolicy/gui.py:1548:20: F823 local variable 'type'
- {0} referenced before assignment
-
-Signed-off-by: Nicolas Iooss
----
- selinux-python-2.8/sepolicy/sepolicy/gui.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/selinux-python-2.8/sepolicy/sepolicy/gui.py b/selinux-python-2.8/sepolicy/sepolicy/gui.py
-index fde233ad..d4bf3b48 100644
---- a/selinux-python-2.8/sepolicy/sepolicy/gui.py
-+++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py
-@@ -1545,7 +1545,7 @@ class SELinuxGui():
- path = self.executable_files_liststore.get_value(iter, 0)
- self.files_path_entry.set_text(path)
- ftype = self.executable_files_liststore.get_value(iter, 1)
-- if type != None:
-+ if ftype != None:
- self.combo_set_active_text(self.files_type_combobox, ftype)
- tclass = self.executable_files_liststore.get_value(iter, 2)
- if tclass != None:
---
-2.19.1
-
diff --git a/python-sepolicy-search-also-for-dontaudit-rules.patch b/python-sepolicy-search-also-for-dontaudit-rules.patch
deleted file mode 100644
index 1e9be934e200981a995641e5c2ce31042365d65f..0000000000000000000000000000000000000000
--- a/python-sepolicy-search-also-for-dontaudit-rules.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 5013d2ba9774b876d906f9196fc6f75b1f2f5237 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach
-Date: Tue, 18 Sep 2018 15:12:59 +0200
-Subject: [PATCH 093/170] python/sepolicy: search() also for dontaudit rules
-
-dontaudit rules were accidentally dropped during rewrite to SETools 4 API in
-97d5f6a2
-
-Fixes:
->>> import sepolicy
->>> sepolicy.search(['dontaudit'])
-[]
-
-Signed-off-by: Petr Lautrbach
----
- python/sepolicy/sepolicy/__init__.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-index cd7af7cf..fbeb731d 100644
---- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-+++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py
-@@ -344,6 +344,8 @@ def search(types, seinfo=None):
- tertypes.append(NEVERALLOW)
- if AUDITALLOW in types:
- tertypes.append(AUDITALLOW)
-+ if DONTAUDIT in types:
-+ tertypes.append(DONTAUDIT)
-
- if len(tertypes) > 0:
- q = setools.TERuleQuery(_pol,
---
-2.19.1
-
diff --git a/python-use-or-when-comparing-a-variable-with-a-strin.patch b/python-use-or-when-comparing-a-variable-with-a-strin.patch
deleted file mode 100644
index a9f76166d6f2ad398075d14c7586fc0d479651b8..0000000000000000000000000000000000000000
--- a/python-use-or-when-comparing-a-variable-with-a-strin.patch
+++ /dev/null
@@ -1,344 +0,0 @@
-From f906ae66a4362345cccf2b93feccd4c045894ed7 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Thu, 31 Jan 2019 20:44:44 +0100
-Subject: [PATCH 135/170] python: use == or != when comparing a variable with a
- string or a integer
-
-Flake8 3.7.0 added a new fatal error message when parsing Python files:
-
- python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals
- python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals
- ...
- python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals
- python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals
- python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals
- python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals
- python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals
-
-Fix all these warnings.
-
-Signed-off-by: Nicolas Iooss
----
- selinux-python-2.8/semanage/semanage | 118 ++++++++++++-------------
- selinux-python-2.8/sepolgen/src/sepolgen/output.py | 6 +-
- selinux-python-2.8/sepolicy/sepolicy/generate.py | 4 +-
- 3 files changed, 64 insertions(+), 64 deletions(-)
-
-diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage
-index 49add51e..6afeac14 100644
---- a/selinux-python-2.8/semanage/semanage
-+++ b/selinux-python-2.8/semanage/semanage
-@@ -109,7 +109,7 @@ class SetExportFile(argparse.Action):
-
- def __call__(self, parser, namespace, values, option_string=None):
- if values:
-- if values is not "-":
-+ if values != "-":
- try:
- sys.stdout = open(values, 'w')
- except:
-@@ -121,7 +121,7 @@ class SetExportFile(argparse.Action):
- class SetImportFile(argparse.Action):
-
- def __call__(self, parser, namespace, values, option_string=None):
-- if values and values is not "-":
-+ if values and values != "-":
- try:
- sys.stdin = open(values, 'r')
- except IOError as e:
-@@ -189,17 +189,17 @@ def handleLogin(args):
-
- OBJECT = object_dict['login'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.login, args.seuser, args.range)
-- if args.action is "modify":
-+ if args.action == "modify":
- OBJECT.modify(args.login, args.seuser, args.range)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.login)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("login %s" % (str(i)))
-
-@@ -322,26 +322,26 @@ def handleFcontext(args):
-
- OBJECT = object_dict['fcontext'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- if args.equal:
- OBJECT.add_equal(args.file_spec, args.equal)
- else:
- OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
-- if args.action is "modify":
-+ if args.action == "modify":
- if args.equal:
- OBJECT.add_equal(args.file_spec, args.equal)
- else:
- OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
-- if args.action is "delete":
-+ if args.action == "delete":
- if args.equal:
- OBJECT.delete(args.file_spec, args.equal)
- else:
- OBJECT.delete(args.file_spec, args.ftype)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("fcontext %s" % str(i))
-
-@@ -390,17 +390,17 @@ def handleUser(args):
-
- OBJECT = object_dict['user'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
-- if args.action is "modify":
-+ if args.action == "modify":
- OBJECT.modify(args.selinux_name, args.roles, args.level, args.range, args.prefix)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.selinux_name)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("user %s" % str(i))
-
-@@ -440,17 +440,17 @@ def handlePort(args):
-
- OBJECT = object_dict['port'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.port, args.proto, args.range, args.type)
-- if args.action is "modify":
-+ if args.action == "modify":
- OBJECT.modify(args.port, args.proto, args.range, args.type)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.port, args.proto)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("port %s" % str(i))
-
-@@ -485,17 +485,17 @@ def handlePkey(args):
-
- OBJECT = object_dict['ibpkey'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
-- if args.action is "modify":
-+ if args.action == "modify":
- OBJECT.modify(args.ibpkey, args.subnet_prefix, args.range, args.type)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.ibpkey, args.subnet_prefix)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("ibpkey %s" % str(i))
-
-@@ -528,17 +528,17 @@ def handleIbendport(args):
-
- OBJECT = object_dict['ibendport'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
-- if args.action is "modify":
-+ if args.action == "modify":
- OBJECT.modify(args.ibendport, args.ibdev_name, args.range, args.type)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.ibendport, args.ibdev_name)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("ibendport %s" % str(i))
-
-@@ -571,17 +571,17 @@ def handleInterface(args):
-
- OBJECT = object_dict['interface'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.interface, args.range, args.type)
-- if args.action is "modify":
-+ if args.action == "modify":
- OBJECT.modify(args.interface, args.range, args.type)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.interface)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("interface %s" % str(i))
-
-@@ -617,11 +617,11 @@ def handleModule(args):
- OBJECT.set_enabled(args.module_name, False)
- if args.action == "remove":
- OBJECT.delete(args.module_name, args.priority)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
- if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("module %s" % str(i))
-
-@@ -652,17 +652,17 @@ def handleNode(args):
-
- OBJECT = object_dict['node'](args)
-
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
-- if args.action is "modify":
-+ if args.action == "modify":
- OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.node, args.netmask, args.proto)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("node %s" % str(i))
-
-@@ -698,14 +698,14 @@ def handleBoolean(args):
-
- OBJECT = object_dict['boolean'](args)
-
-- if args.action is "modify":
-+ if args.action == "modify":
- if args.boolean:
- OBJECT.modify(args.boolean, args.state, False)
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading, args.locallist)
-- if args.action is "deleteall":
-+ if args.action == "deleteall":
- OBJECT.deleteall()
-- if args.action is "extract":
-+ if args.action == "extract":
- for i in OBJECT.customized():
- print("boolean %s" % str(i))
-
-@@ -736,12 +736,12 @@ def setupBooleanParser(subparsers):
- def handlePermissive(args):
- OBJECT = object_dict['permissive'](args)
-
-- if args.action is "list":
-+ if args.action == "list":
- OBJECT.list(args.noheading)
- elif args.type is not None:
-- if args.action is "add":
-+ if args.action == "add":
- OBJECT.add(args.type)
-- if args.action is "delete":
-+ if args.action == "delete":
- OBJECT.delete(args.type)
- else:
- args.parser.print_usage(sys.stderr)
-diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/output.py b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
-index 7a83aee4..3a21b64c 100644
---- a/selinux-python-2.8/sepolgen/src/sepolgen/output.py
-+++ b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
-@@ -74,13 +74,13 @@ def id_set_cmp(x, y):
- # Compare two avrules
- def avrule_cmp(a, b):
- ret = id_set_cmp(a.src_types, b.src_types)
-- if ret is not 0:
-+ if ret != 0:
- return ret
- ret = id_set_cmp(a.tgt_types, b.tgt_types)
-- if ret is not 0:
-+ if ret != 0:
- return ret
- ret = id_set_cmp(a.obj_classes, b.obj_classes)
-- if ret is not 0:
-+ if ret != 0:
- return ret
-
- # At this point, who cares - just return something
-diff --git a/selinux-python-2.8/sepolicy/sepolicy/generate.py b/selinux-python-2.8/sepolicy/sepolicy/generate.py
-index 37ddfc7a..5a2195b8 100644
---- a/selinux-python-2.8/sepolicy/sepolicy/generate.py
-+++ b/selinux-python-2.8/sepolicy/sepolicy/generate.py
-@@ -643,7 +643,7 @@ allow %s_t %s_t:%s_socket name_%s;
-
- def __find_path(self, file):
- for d in self.DEFAULT_DIRS:
-- if file.find(d) is 0:
-+ if file.find(d) == 0:
- self.DEFAULT_DIRS[d][1].append(file)
- return self.DEFAULT_DIRS[d]
- self.DEFAULT_DIRS["rw"][1].append(file)
-@@ -1346,7 +1346,7 @@ allow %s_t %s_t:%s_socket name_%s;
- else:
- continue
-
-- if len(temp_dirs) is not 0:
-+ if len(temp_dirs) != 0:
- for i in temp_dirs:
- if i in self.dirs.keys():
- del(self.dirs[i])
---
-2.19.1
-
diff --git a/restorecond-2.8.tar.gz b/restorecond-2.8.tar.gz
deleted file mode 100644
index ead7b620955114fa0161b12da2c7a73f66611a09..0000000000000000000000000000000000000000
Binary files a/restorecond-2.8.tar.gz and /dev/null differ
diff --git a/restorecond-3.1.tar.gz b/restorecond-3.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..90f701e461374c15b975e910c0a4005c4070064f
Binary files /dev/null and b/restorecond-3.1.tar.gz differ
diff --git a/restorecond-Do-not-ignore-the-f-option.patch b/restorecond-Do-not-ignore-the-f-option.patch
deleted file mode 100644
index ae605ff2d297b360024f712b82616333fad19da7..0000000000000000000000000000000000000000
--- a/restorecond-Do-not-ignore-the-f-option.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 385ef2cdc679fdc79f0876f544c6e555ae9f59dc Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek
-Date: Wed, 3 Oct 2018 16:42:59 +0200
-Subject: [PATCH 064/170] restorecond: Do not ignore the -f option
-
-Since the default value of watch_file is set unconditionally *after* the
-command-line arguments have been parsed, the -f option is (and has
-always been) effectively ignored. Fix this by setting it before the
-parsing.
-
-Fixes: 48681bb49c03 ("policycoreutils: restorecond: make restorecond dbuss-able")
-Signed-off-by: Ondrej Mosnacek
----
- restorecond/restorecond.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
-index e1d26cb9..7b984b29 100644
---- a/restorecond-2.8/restorecond.c
-+++ b/restorecond-2.8/restorecond.c
-@@ -148,6 +148,8 @@ int main(int argc, char **argv)
- if (is_selinux_enabled() != 1)
- return 0;
-
-+ watch_file = server_watch_file;
-+
- /* Set all options to zero/NULL except for ignore_noent & digest. */
- memset(&r_opts, 0, sizeof(r_opts));
- r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
-@@ -205,7 +207,6 @@ int main(int argc, char **argv)
- return 0;
- }
-
-- watch_file = server_watch_file;
- read_config(master_fd, watch_file);
-
- if (!debug_mode) {
---
-2.19.1
-
diff --git a/selinux-dbus-2.8.tar.gz b/selinux-dbus-2.8.tar.gz
deleted file mode 100644
index be126a52c3a53993057695cb6911bc8557d7762f..0000000000000000000000000000000000000000
Binary files a/selinux-dbus-2.8.tar.gz and /dev/null differ
diff --git a/selinux-dbus-3.1.tar.gz b/selinux-dbus-3.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0fe9a9e0884df0eee7923ff75402de49ca760928
Binary files /dev/null and b/selinux-dbus-3.1.tar.gz differ
diff --git a/selinux-python-2.8.tar.gz b/selinux-python-2.8.tar.gz
deleted file mode 100644
index 3028de01046cff3f8490272fcc0d9226edd54ab7..0000000000000000000000000000000000000000
Binary files a/selinux-python-2.8.tar.gz and /dev/null differ
diff --git a/selinux-python-3.1.tar.gz b/selinux-python-3.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..0f99365fd62e7df01cbda7b82146518436ae11aa
Binary files /dev/null and b/selinux-python-3.1.tar.gz differ
diff --git a/selinux-sandbox-2.8.tar.gz b/selinux-sandbox-2.8.tar.gz
deleted file mode 100644
index b73981b83f1c920d65ac3f1023531e3cb1ac0e9e..0000000000000000000000000000000000000000
Binary files a/selinux-sandbox-2.8.tar.gz and /dev/null differ
diff --git a/selinux-sandbox-3.1.tar.gz b/selinux-sandbox-3.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..a61be1f91690f110982a09bdf785fba7e6c12a42
Binary files /dev/null and b/selinux-sandbox-3.1.tar.gz differ
diff --git a/semodule-utils-2.8.tar.gz b/semodule-utils-2.8.tar.gz
deleted file mode 100644
index 01f09dc2eaaa395132bd40efe84be982f3e6fdde..0000000000000000000000000000000000000000
Binary files a/semodule-utils-2.8.tar.gz and /dev/null differ
diff --git a/semodule-utils-3.1.tar.gz b/semodule-utils-3.1.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..14293ee820b92b639d7f72066ab32b8c5368b581
Binary files /dev/null and b/semodule-utils-3.1.tar.gz differ
diff --git a/setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch b/setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
deleted file mode 100644
index 602adacf7fcd50da27a5fe4b2738d1490c1e52f7..0000000000000000000000000000000000000000
--- a/setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From c78f9c355fa7b8c0862149d0a69bd6e5d25bec78 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley
-Date: Thu, 10 Jan 2019 10:24:53 -0500
-Subject: [PATCH 124/170] setsebool: support use of -P on SELinux-disabled
- hosts
-
-As reported in #123, setsebool immediately exits with an error if
-SELinux is disabled, preventing its use for setting boolean persistent
-values. In contrast, semanage boolean -m works on SELinux-disabled
-hosts. Change setsebool so that it can be used with the -P option
-(persistent changes) even if SELinux is disabled. In the SELinux-disabled
-case, skip setting of active boolean values, but set the persistent value
-in the policy store. Policy reload is automatically disabled by libsemanage
-when SELinux is disabled, so we only need to call semanage_set_reload()
-if -N was used.
-
-Fixes: https://github.com/SELinuxProject/selinux/issues/123
-Signed-off-by: Stephen Smalley
----
- policycoreutils-2.8/setsebool/setsebool.c | 15 ++++++---------
- 1 file changed, 6 insertions(+), 9 deletions(-)
-
-diff --git a/policycoreutils-2.8/setsebool/setsebool.c b/policycoreutils-2.8/setsebool/setsebool.c
-index 53d3566c..a5157efc 100644
---- a/policycoreutils-2.8/setsebool/setsebool.c
-+++ b/policycoreutils-2.8/setsebool/setsebool.c
-@@ -18,7 +18,7 @@
- #include
-
- int permanent = 0;
--int reload = 1;
-+int no_reload = 0;
- int verbose = 0;
-
- int setbool(char **list, size_t start, size_t end);
-@@ -38,11 +38,6 @@ int main(int argc, char **argv)
- if (argc < 2)
- usage();
-
-- if (is_selinux_enabled() <= 0) {
-- fputs("setsebool: SELinux is disabled.\n", stderr);
-- return 1;
-- }
--
- while (1) {
- clflag = getopt(argc, argv, "PNV");
- if (clflag == -1)
-@@ -53,7 +48,7 @@ int main(int argc, char **argv)
- permanent = 1;
- break;
- case 'N':
-- reload = 0;
-+ no_reload = 1;
- break;
- case 'V':
- verbose = 1;
-@@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
- semanage_bool_key_t *bool_key = NULL;
- int managed;
- int result;
-+ int enabled = is_selinux_enabled();
-
- handle = semanage_handle_create();
- if (handle == NULL) {
-@@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
- boolean) < 0)
- goto err;
-
-- if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
-+ if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
- fprintf(stderr, "Failed to change boolean %s: %m\n",
- boollist[j].name);
- goto err;
-@@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t boolcnt,
- boolean = NULL;
- }
-
-- semanage_set_reload(handle, reload);
-+ if (no_reload)
-+ semanage_set_reload(handle, 0);
- if (semanage_commit(handle) < 0)
- goto err;
-
---
-2.19.1
-