diff --git a/fix-fixfiles-N-date-function-two.patch b/fix-fixfiles-N-date-function-two.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6bfcf425fece7fd29b79d7c5c4697773188c62d4
--- /dev/null
+++ b/fix-fixfiles-N-date-function-two.patch
@@ -0,0 +1,25 @@
+From bb3c1505cffc35e1ea310605f0bb9266d52b36b0 Mon Sep 17 00:00:00 2001
+From: gulining
+Date: Mon, 8 Jul 2019 11:50:39 +0800
+Subject: [PATCH] fix fixfiles -N date function
+
+reason: fix fixfiles -N date function
+
+Signed-off-by: gulining
+---
+ policycoreutils-2.8/scripts/fixfiles | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
+index 48897c3..be51913 100755
+--- a/policycoreutils-2.8/scripts/fixfiles
++++ b/policycoreutils-2.8/scripts/fixfiles
+@@ -152,7 +152,7 @@ newer() {
+ shift
+ LogReadOnly
+ for m in `echo $FILESYSTEMSRW`; do
+- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
++ find $m -mount -newermt "$DATE" -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
+ done;
+ }
+
diff --git a/fix-fixfiles-N-date-function.patch b/fix-fixfiles-N-date-function.patch
new file mode 100644
index 0000000000000000000000000000000000000000..62c6c0978363948580887b03f6e572a678b7d696
--- /dev/null
+++ b/fix-fixfiles-N-date-function.patch
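Review bot: The rewritten `find` line quotes `$DATE` but still leaves `$m` and `$*` unquoted, so a mount point containing whitespace or glob characters is word-split before `find` sees it, and any extra arguments handed to `newer` are re-split before they reach restorecon; `find "$m" ...` and `... ${VERBOSE} "$@" -i -0 -f -` carry both through unchanged. The `for m in` backtick loop above has the same splitting, but that is pre-existing context rather than this patch's change. The function's opening `newer() {` line is outside the hunk.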
@@ -0,0 +1,25 @@
+From 859bba9dd82ea6fb101ae9686c98a811e3bf98b3 Mon Sep 17 00:00:00 2001
+From: gulining
+Date: Fri, 5 Jul 2019 16:19:32 +0800
+Subject: [PATCH] fix fixfiles -N date function
+
+reason: fix fixfiles -N date function
+
+Signed-off-by: gulining
+---
+ policycoreutils-2.8/scripts/fixfiles | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/policycoreutils-2.8/scripts/fixfiles b/policycoreutils-2.8/scripts/fixfiles
+index 53d28c7..48897c3 100755
+--- a/policycoreutils-2.8/scripts/fixfiles
++++ b/policycoreutils-2.8/scripts/fixfiles
+@@ -148,7 +148,7 @@ done
+ # Find files newer then the passed in date and fix the label
+ #
+ newer() {
+- DATE=$1
++ DATE="$1 $2"
+ shift
+ LogReadOnly
+ for m in `echo $FILESYSTEMSRW`; do
diff --git a/policycoreutils-2.8.tar.gz b/policycoreutils-2.8.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..b9490ce5b54306d447c4647e550385d59c53ae41
Binary files /dev/null and b/policycoreutils-2.8.tar.gz differ
diff --git a/policycoreutils-2.9.tar.gz b/policycoreutils-2.9.tar.gz
deleted file mode 100644
index b9fa67d959c955906d0b0f5d1bb7d74256a894e5..0000000000000000000000000000000000000000
Binary files a/policycoreutils-2.9.tar.gz and /dev/null differ
diff --git a/policycoreutils-secon-free-scon_trans-before-returni.patch b/policycoreutils-secon-free-scon_trans-before-returni.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ca0dc4151659963d8ff5406d83e2c51ffb6eb876
--- /dev/null
+++ b/policycoreutils-secon-free-scon_trans-before-returni.patch
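Review bot: `DATE="$1 $2"` is followed by a single `shift`, so the second word (presumably the time part of the `-N` timestamp, if the caller passes the date and time as two arguments) stays in `$*` and is later handed to restorecon by the `find ... | ${RESTORECON} ... $*` line further down the function. Either shift twice when `$2` was consumed, `shift; [ -n "$1" ] && shift`, or have the caller pass the timestamp as one quoted argument so `$1` already holds the whole value and this patch becomes unnecessary. The remainder of `newer()` lies outside the hunk, so the effect on the restorecon invocation is inferred from the companion patch above.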
@@ -0,0 +1,28 @@
+From b614069e66eb0cd1d3f8d0c9d0a02db9a63aba0a Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss
+Date: Sun, 3 Jun 2018 18:25:40 +0200
+Subject: [PATCH 016/170] policycoreutils/secon: free scon_trans before
+ returning
+
+disp_con() leaks scon_trans if it returns early.
+
+Signed-off-by: Nicolas Iooss
+---
+ policycoreutils/secon/secon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c
+index 60781394..477057a6 100644
+--- a/policycoreutils-2.8/secon/secon.c
++++ b/policycoreutils-2.8/secon/secon.c
+@@ -646,6 +646,7 @@ static void disp_con(security_context_t scon_raw)
+ disp__con_val("clearance", NULL, &color);
+ if (opts->disp_mlsr)
+ disp__con_val("mls-range", NULL, &color);
++ freecon(scon_trans);
+ return;
+ }
+
+--
+2.19.1
+
diff --git a/policycoreutils.spec b/policycoreutils.spec
index beda26e393b3804ea7c7f01d8800ca5c77826f59..9ddbef5910132bf1886030a1e0ffd5ef5399b3c0 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
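Review bot: The embedded `diff --git` header still names `a/policycoreutils/secon/secon.c b/policycoreutils/secon/secon.c` while the `---`/`+++` lines under it were rewritten to `policycoreutils-2.8/secon/secon.c`; `git apply` cross-checks those names and refuses a header whose `---`/`+++` paths disagree with it, so this backport only applies through plain `patch`. Rewriting the header to `diff --git a/policycoreutils-2.8/secon/secon.c b/policycoreutils-2.8/secon/secon.c` keeps it applicable either way (the `policycoreutils/secon/secon.c | 1 +` diffstat line is cosmetic and can stay). The `freecon(scon_trans)` covers only the early `return;` visible here; `disp_con()` begins and ends outside the hunk, so any other early exit in it would need the same treatment.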
@@ -1,17 +1,41 @@
 %global _python_bytecompile_extra 0
 Name: policycoreutils
-Version: 2.9
-Release: 1
+Version: 2.8
+Release: 12
 Summary: Policy core utilities of selinux
 License: GPLv2
 URL: https://github.com/SELinuxProject
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
-Source1: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-python-2.9.tar.gz
-Source3: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-sandbox-2.9.tar.gz
-Source4: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-dbus-2.9.tar.gz
-Source5: https://github.com/SELinuxProject/selinux/releases/download/20190315/semodule-utils-2.9.tar.gz
-Source6: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-2.9.tar.gz
+Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
+Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-python-2.8.tar.gz
+Source3: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-sandbox-2.8.tar.gz
+Source4: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/selinux-dbus-2.8.tar.gz
+Source5: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/semodule-utils-2.8.tar.gz
+Source6: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/restorecond-2.8.tar.gz
+
+Patch6000: python-sepolgen-fix-typo-in-PathChoooser-name.patch
+Patch6001: policycoreutils-secon-free-scon_trans-before-returni.patch
+Patch6002: python-sepolicy-fix-procotol-misspelling.patch
+Patch6003: restorecond-Do-not-ignore-the-f-option.patch
+Patch6004: python-sepolicy-Fix-info-to-search-aliases-as-well.patch
+Patch6005: python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch
+Patch6006: python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
+Patch6007: python-chcat-use-check_call-instead-of-getstatusoutp.patch
+Patch6008: python-chcat-fix-removing-categories-on-users-with-F.patch
+Patch6009: python-sepolicy-search-also-for-dontaudit-rules.patch
+Patch6010: python-semanage-move-valid_types-initialisations-to-.patch
+Patch6011: python-sepolicy-Add-sepolicy.load_store_policy-store.patch
+Patch6012: python-semanage-Load-a-store-policy-and-set-the-stor.patch
+Patch6013: python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch
+Patch6014: python-audit2allow-allow-using-audit2why-as-non-root.patch
+Patch6015: python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch
+Patch6016: setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
+Patch6017: python-use-or-when-comparing-a-variable-with-a-strin.patch
+Patch6018: python-sepolicy-fix-variable-name.patch
+Patch6019: python-semanage-seobject-Fix-listing-boolean-values.patch
+Patch6020: python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
+Patch9021: fix-fixfiles-N-date-function.patch
+Patch9022: fix-fixfiles-N-date-function-two.patch
 BuildRequires: pam-devel libsepol-static libsemanage-static libselinux-devel libcap-devel audit-libs-devel gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel python2-devel python3-devel libcap-ng-devel
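Review bot: `Version` drops from 2.9 to 2.8 while `Release` only climbs to 12, so the new EVR `2.8-12` sorts below the already-published `2.9-1`; without an `Epoch:` bump, hosts that installed 2.9-1 will not pick this build up on a normal update and the rollback has to be forced. If the downgrade is deliberate, the changelog entry further down should say so instead of `- clean code`. The new `Source0`–`Source6` URLs point at `raw.githubusercontent.com/wiki/.../files/releases/20180524/...` paths, which are wiki attachments rather than release assets; recording the tarball checksums alongside them (or pinning a release URL) keeps the build verifiable. `Patch6000`–`Patch6020` are referenced here but only a subset of those files is added by this commit, so confirm the rest already exist in the repository or `%prep` will fail.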
@@ -29,6 +53,26 @@ Provides: /sbin/restorecon
 %description
 It contains the selinux policy core utilities
+%package -n python2-policycoreutils
+Summary: python2 utilities for seLinux policy core
+%{?python_provide:%python_provide python2-policycoreutils}
+Requires: policycoreutils = %{version}-%{release}
+Requires: python2-libselinux python2-libsemanage
+Requires: audit-libs-python2
+Requires: python2-IPy
+Requires: checkpolicy
+Requires: python2-setools >= 4.1.1
+BuildArch: noarch
+
+Provides: %{name}-python = %{version}-%{release}
+Obsoletes: %{name}-python < %{version}-%{release}
+Obsoletes: policycoreutils < 2.0.61-2
+
+%description -n python2-policycoreutils
+It contains the python2 policy core utilities for selinux
+
+
+
 %package -n python3-policycoreutils
 Summary: python3 utilities for seLinux policy core
 %{?python_provide:%python_provide python3-policycoreutils}
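Review bot: `Provides: %{name}-python = %{version}-%{release}` and the matching `Obsoletes` are attached to the python2 subpackage; if the `python3-policycoreutils` package that starts at the bottom of this hunk (its body is outside it) carries the same `Provides`, a `Requires: policycoreutils-python` becomes ambiguous and the resolver may satisfy it with either stack, so only one subpackage should own that compatibility name. `Obsoletes: policycoreutils < 2.0.61-2` is a legacy migration line that cannot match anything this spec produces and can be dropped. The three blank lines after the `%description -n python2-policycoreutils` text are more than the file uses elsewhere; one is enough.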
@@ -102,21 +146,22 @@ This contains man files for the using of selinux.
 %build
 export PYTHON=%{__python3}
-make -C policycoreutils-2.9 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
-make -C selinux-python-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
-make -C semodule-utils-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
-make -C restorecond-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
-make -C selinux-sandbox-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
-make -C selinux-dbus-2.9 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C policycoreutils-2.8 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C selinux-python-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C semodule-utils-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C restorecond-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C selinux-sandbox-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C selinux-dbus-2.8 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
 %install
 mkdir -p %{buildroot}/%{_defaultdocdir}/%{name}/
-make -C policycoreutils-2.9 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
-make -C selinux-python-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
-make -C semodule-utils-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
-make -C restorecond-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
-make -C selinux-sandbox-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
-make -C selinux-dbus-2.9 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+make -C policycoreutils-2.8 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
+make -C selinux-python-2.8 PYTHON=%{__python2} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+make -C selinux-python-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+make -C semodule-utils-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+make -C restorecond-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+make -C selinux-sandbox-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
+make -C selinux-dbus-2.8 PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
 rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
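Review bot: `%install` now runs the `selinux-python-2.8` install target twice into the same `%{buildroot}`, first with `PYTHON=%{__python2}` and then with `%{__python3}`, so everything that target writes outside the python2 site-packages tree (the scripts under `%{_sbindir}`/`%{_bindir}`, at least) is produced by the python2 pass and silently overwritten by the python3 pass; the order is presumably chosen so that python3 wins, but nothing records that. A comment above the python2 line, `# python2 pass first: the python3 install below must overwrite the shared scripts in %{_sbindir}/%{_bindir}`, would make the ordering dependency explicit. `%build` still exports only `PYTHON=%{__python3}`, so whatever the python2 pass needs gets built during `%install` rather than `%build` — confirm that is acceptable here.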
@@ -127,9 +172,14 @@ rm -f %{buildroot}/%{_mandir}/ru/man8/run_init.8*
 rm -f %{buildroot}/%{_mandir}/man8/run_init.8*
 rm -f %{buildroot}/etc/pam.d/run_init*
+rm -f %{buildroot}%{python2_sitelib}/sepolicy/gui.*
+rm -f %{buildroot}%{python2_sitelib}/sepolicy/sepolicy.glade
+rm -rf %{buildroot}%{python2_sitelib}/sepolicy/help
+
 rm -f %{buildroot}%{python3_sitelib}/sepolicy/gui.*
 rm -f %{buildroot}%{python3_sitelib}/sepolicy/sepolicy.glade
+pathfix.py -i "%{__python2} -Es" -p %{buildroot}%{python2_sitelib}
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{_sbindir}/semanage %{buildroot}%{_bindir}/sandbox \
 %{buildroot}%{_bindir}/chcat %{buildroot}%{_bindir}/audit2allow \
@@ -138,7 +188,7 @@ pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{_sbindir}/semanage %{buildroo
 %{buildroot}%{_datadir}/system-config-selinux/selinux_server.py
-find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
+find %{buildroot}%{python2_sitelib} %{buildroot}%{python3_sitelib} %{buildroot}%{python2_sitearch} %{buildroot}%{python3_sitearch} \
 %{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} -type f -name '*~' | xargs rm -f
 %py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux
@@ -156,7 +206,7 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %files -f %{name}.lang
-%license policycoreutils-2.9/COPYING
+%license policycoreutils-2.8/COPYING
 %doc %{_usr}/share/doc/%{name}
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
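Review bot: `rm -rf %{buildroot}%{python2_sitelib}/sepolicy/help` is added for the python2 tree, but the python3 lines immediately below only delete `gui.*` and `sepolicy.glade`; unless the python3 `help` directory is removed or packaged somewhere outside this hunk, the two stacks are treated differently and the asymmetry is either a leftover or an unpackaged-files failure waiting to happen. Either add the matching `rm -rf %{buildroot}%{python3_sitelib}/sepolicy/help` or leave a comment explaining why python3 keeps it. The rewritten `find` line now lists four directories on one long line; wrapping it like the existing `\` continuation under it would keep the section readable.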
@@ -194,6 +244,22 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %dir %{_datadir}/system-config-selinux/__pycache__
 %{_datadir}/system-config-selinux/__pycache__/selinux_server.*
+%files -n python2-policycoreutils
+%{python2_sitelib}/seobject.py*
+%{python2_sitelib}/sepolgen
+%dir %{python2_sitelib}/sepolicy
+%{python2_sitelib}/sepolicy/__init__.py*
+%{python2_sitelib}/sepolicy/booleans.py*
+%{python2_sitelib}/sepolicy/communicate.py*
+%{python2_sitelib}/sepolicy/network.py*
+%{python2_sitelib}/sepolicy/transition.py*
+%{python2_sitelib}/sepolicy/sedbus.py*
+%{python2_sitelib}/sepolicy*.egg-info
+%{python2_sitelib}/sepolicy/generate.py*
+%{python2_sitelib}/sepolicy/interface.py*
+%{python2_sitelib}/sepolicy/manpage.py*
+%{python2_sitelib}/sepolicy/templates
+
 %files -n python3-policycoreutils
 %{python3_sitelib}/__pycache__
 %{python3_sitelib}/sepolgen
@@ -231,8 +297,8 @@ find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \
 %{_mandir}/*
 %changelog
-* Tue Jan 14 2019 openEuler Buildteam - 2.9-1
-- update to 2.9
+* Wed Jan 15 2020 openEuler Buildteam - 2.8-12
+- clean code
 * Fri Dec 20 2019 openEuler Buildteam - 2.8-11
 - Simplify functions
diff --git a/python-audit2allow-allow-using-audit2why-as-non-root.patch b/python-audit2allow-allow-using-audit2why-as-non-root.patch
new file mode 100644
index 0000000000000000000000000000000000000000..433e8f7291e5a015aa5be39b51039f60f1532e66
--- /dev/null
+++ b/python-audit2allow-allow-using-audit2why-as-non-root.patch
@@ -0,0 +1,54 @@
+From b2a54258b40b298037cc8ae686d31d7bab714720 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss
+Date: Fri, 21 Dec 2018 21:43:33 +0100
+Subject: [PATCH 114/170] python/audit2allow: allow using audit2why as non-root
+ user
+
+Importing sepolicy as non-root on a system with SELinux causes the
+following exception to be raised:
+
+ ValueError: No SELinux Policy installed
+
+Ignore this when using audit2why, which allows using it with option
+--policy as a non-root user.
+
+Signed-off-by: Nicolas Iooss
+---
+ python/audit2allow/audit2allow | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/selinux-python-2.8/audit2allow/audit2allow b/selinux-python-2.8/audit2allow/audit2allow
+index 195f151c..18fe0a53 100644
+--- a/selinux-python-2.8/audit2allow/audit2allow
++++ b/selinux-python-2.8/audit2allow/audit2allow
+@@ -242,7 +242,10 @@ class AuditToPolicy:
+
+ def __output_audit2why(self):
+ import selinux
+- import sepolicy
++ try:
++ import sepolicy
++ except (ImportError, ValueError):
++ sepolicy = None
+ for i in self.__parser.avc_msgs:
+ rc = i.type
+ data = i.data
+@@ -262,11 +265,13 @@ class AuditToPolicy:
+ if len(data) > 1:
+ print("\tOne of the following booleans was set incorrectly.")
+ for b in data:
+- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
++ if sepolicy is not None:
++ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
+ print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
+ else:
+ print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
+- print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
++ if sepolicy is not None:
++ print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
+ print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))
+ continue
+
+--
+2.19.1
+
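Review bot: When the new `import sepolicy` fallback leaves `sepolicy = None`, both `if sepolicy is not None:` guards simply skip the boolean description and the user gets the `setsebool` suggestion with no sign that part of the output was dropped; printing once, right after the `except`, something like `print("\tNote: sepolicy unavailable (no policy installed or not root); boolean descriptions omitted.")` would make the degraded mode visible. `except (ImportError, ValueError)` also swallows any `ValueError` raised while importing, not only the "No SELinux Policy installed" case the commit message describes, so keeping the exception text in that note (`as e` and `%s` it) preserves the real cause. `__output_audit2why` continues beyond the hunk.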
diff --git a/python-chcat-fix-removing-categories-on-users-with-F.patch b/python-chcat-fix-removing-categories-on-users-with-F.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7fc086ee8627cd6d24e490faf166049a24712962
--- /dev/null
+++ b/python-chcat-fix-removing-categories-on-users-with-F.patch
@@ -0,0 +1,62 @@
+From f39c0ac63749c1c5c140f1b1ad65d5e536bbe894 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss
+Date: Sun, 9 Dec 2018 15:23:23 +0100
+Subject: [PATCH 091/170] python/chcat: fix removing categories on users with
+ Fedora default setup
+
+Using Vagrant with fedora/28-cloud-base image, SELinux logins are
+configured this way:
+
+ # semanage login -l
+ Login Name SELinux User MLS/MCS Range Service
+
+ __default__ unconfined_u s0-s0:c0.c1023 *
+ root unconfined_u s0-s0:c0.c1023 *
+ vagrant unconfined_u s0-s0:c0.c1023 *
+
+Using "chcat -l +c42 vagrant" successfully adds the category to user
+vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
+semanage login -l returns:
+
+ vagrant unconfined_u s0-s0:c0.c1023,c42 *
+
+This issue is caused by expandCats(), which refuses to return a list of
+more than 25 categories. This causes chcat_user_remove() to work with
+cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
+it not been able to remove 'c42' from the list.
+
+Fix this issue by splitting the list of categories before calling
+expandCats().
+
+Signed-off-by: Nicolas Iooss
+---
+ python/chcat/chcat | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat
+index 73f75725..5bef0073 100755
+--- a/selinux-python-2.8/chcat/chcat
++++ b/selinux-python-2.8/chcat/chcat
+@@ -82,8 +82,7 @@ def chcat_user_add(newcat, users):
+ if len(serange) > 1:
+ top = serange[1].split(":")
+ if len(top) > 1:
+- cats.append(top[1])
+- cats = expandCats(cats)
++ cats = expandCats(top[1].split(','))
+
+ for i in newcat[1:]:
+ if i not in cats:
+@@ -163,8 +162,7 @@ def chcat_user_remove(newcat, users):
+ if len(serange) > 1:
+ top = serange[1].split(":")
+ if len(top) > 1:
+- cats.append(top[1])
+- cats = expandCats(cats)
++ cats = expandCats(top[1].split(','))
+
+ for i in newcat[1:]:
+ if i in cats:
+--
+2.19.1
+
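Review bot: `cats = expandCats(top[1].split(','))` is now written identically in `chcat_user_add` and `chcat_user_remove` (both functions start before their hunks), together with the same `serange`/`top` parsing shown as context; a small helper such as `def user_cats(serange): ...` returning the expanded list would keep the two call sites from drifting apart again, which is exactly how the bug this patch fixes crept in. With the `cats.append(...)` form gone, check whether `cats` is still initialised to an empty list above these hunks only to be reassigned here; if so, that initialisation is now dead on this path. The guard `if len(top) > 1` also means a range with no category part leaves `cats` at whatever it held before, which is pre-existing but worth a comment.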
diff --git a/python-chcat-use-check_call-instead-of-getstatusoutp.patch b/python-chcat-use-check_call-instead-of-getstatusoutp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8fa705c358a5b8f0bec256d0229af0e4df96e391
--- /dev/null
+++ b/python-chcat-use-check_call-instead-of-getstatusoutp.patch
@@ -0,0 +1,162 @@
+From 2923d9d21ee51cbd210c87a1c5bdbd891b332296 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 4 Dec 2018 11:35:40 +0100
+Subject: [PATCH 089/170] python/chcat: use check_call instead of
+ getstatusoutput
+
+Use "check_call" instead of "getstatusoutput" in order for special
+characters and spaces in filenames to be handled correctly.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774
+
+Signed-off-by: Vit Mojzis
+---
+ python/chcat/chcat | 78 ++++++++++++++++++++++------------------------
+ 1 file changed, 38 insertions(+), 40 deletions(-)
+
+diff --git a/selinux-python-2.8/chcat/chcat b/selinux-python-2.8/chcat/chcat
+index 4bd9fc6a..1de92306 100755
+--- a/selinux-python-2.8/chcat/chcat
++++ b/selinux-python-2.8/chcat/chcat
+@@ -22,10 +22,7 @@
+ # 02111-1307 USA
+ #
+ #
+-try:
+- from subprocess import getstatusoutput
+-except ImportError:
+- from commands import getstatusoutput
++import subprocess
+ import sys
+ import os
+ import pwd
+@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users):
+ new_serange = "%s-%s" % (serange[0], top[0])
+
+ if add_ind:
+- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
++ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
+ else:
+- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
+- rc = getstatusoutput(cmd)
+- if rc[0] != 0:
+- print(rc[1])
++ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
++ try:
++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
++ except subprocess.CalledProcessError as e:
+ errors += 1
+
+ return errors
+@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind):
+ cat_string = "%s,%s" % (cat_string, c)
+ else:
+ cat_string = cat
+- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
+- rc = getstatusoutput(cmd)
+- if rc[0] != 0:
+- print(rc[1])
++
++ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f]
++ try:
++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
++ except subprocess.CalledProcessError as e:
+ errors += 1
+ return errors
+
+@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users):
+ new_serange = "%s-%s" % (serange[0], top[0])
+
+ if add_ind:
+- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
++ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
+ else:
+- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
+- rc = getstatusoutput(cmd)
+- if rc[0] != 0:
+- print(rc[1])
++ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
++
++ try:
++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
++ except subprocess.CalledProcessError as e:
+ errors += 1
++
+ return errors
+
+
+@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind):
+ continue
+
+ if len(cat) == 0:
+- cmd = 'chcon -l %s %s' % (sensitivity, f)
++ new_serange = sensitivity
+ else:
+- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
+- rc = getstatusoutput(cmd)
+- if rc[0] != 0:
+- print(rc[1])
++ new_serange = '%s:%s' % (sensitivity, cat)
++
++ cmd = ["chcon", "-l", new_serange, f]
++ try:
++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
++ except subprocess.CalledProcessError as e:
+ errors += 1
+ return errors
+
+@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users):
+ add_ind = 1
+ user = seusers["__default__"]
+ serange = user[1].split("-")
+- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ","))
++ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:]))
+ if new_serange[-1:] == ":":
+ new_serange = new_serange[:-1]
+
+ if add_ind:
+- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
++ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
+ else:
+- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
+- rc = getstatusoutput(cmd)
+- if rc[0] != 0:
+- print(rc[1])
++ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
++ try:
++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
++ except subprocess.CalledProcessError as e:
+ errors += 1
+ return errors
+
+@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind):
+ return chcat_user_replace(newcat, objects)
+ errors = 0
+ if len(newcat) == 1:
+- sensitivity = newcat[0]
+- cmd = 'chcon -l %s ' % newcat[0]
++ new_serange = newcat[0]
+ else:
+- sensitivity = newcat[0]
+- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1])
++ new_serange = "%s:%s" % (newcat[0], newcat[1])
+ for cat in newcat[2:]:
+- cmd = '%s,%s' % (cmd, cat)
++ new_serange = '%s,%s' % (new_serange, cat)
+
+- for f in objects:
+- cmd = "%s %s" % (cmd, f)
+-
+- rc = getstatusoutput(cmd)
+- if rc[0] != 0:
+- print(rc[1])
++ cmd = ["chcon", "-l", new_serange] + objects
++ try:
++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
++ except subprocess.CalledProcessError as e:
+ errors += 1
+
+ return errors
+--
+2.19.1
+
diff --git a/python-semanage-Load-a-store-policy-and-set-the-stor.patch b/python-semanage-Load-a-store-policy-and-set-the-stor.patch
new file mode 100644
index 0000000000000000000000000000000000000000..380741d917b73bfad53e8ec7c56844fe56169bf9
--- /dev/null
+++ b/python-semanage-Load-a-store-policy-and-set-the-stor.patch
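Review bot: `except subprocess.CalledProcessError as e:` binds `e` and never uses it, here in `chcat_user_add` and again in the `chcat_add`, `chcat_user_remove`, `chcat_remove`, `chcat_user_replace` and `chcat_replace` hunks that follow; now that the old `print(rc[1])` reporting is gone, the only failure signal left is the child's own stderr, so either drop the `as e` or use it, e.g. `print("%s failed with status %d" % (e.cmd[0], e.returncode))`, so the caller learns which command failed even when the child printed nothing. `stderr=subprocess.STDOUT` without `stdout=` just merges the child's stderr into the parent's stdout, which changes where semanage/chcon diagnostics land; if that is intentional it deserves a comment, otherwise omit it. `shell=False` is the default for `check_call` and can be dropped for brevity. All six enclosing functions begin outside their hunks.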
@@ -0,0 +1,58 @@
+From 2d825c616d3d7a7ceee80125e1eff12ad46d2623 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 3 Jan 2019 13:03:39 +0100
+Subject: [PATCH 108/170] python/semanage: Load a store policy and set the
+ store SELinux policy root
+
+When "store" is set, sepolicy needs to load a new policy file and selinux module
+needs to set the new store root path.
+
+With this patch, semanage is able to work correctly with non-default -S
+even when the default policy is not installed yet.
+
+Fixes:
+$ sudo semanage login -S minimum -m -s unconfined_u -r s0-s0:c0.c1023 __default__
+libsemanage.dbase_llist_query: could not query record value
+OSError: [Errno 0] Error
+
+Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
+
+Signed-off-by: Petr Lautrbach
+---
+ selinux-python-2.8/semanage/seobject.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
+index 4490e03f..556d3ba5 100644
+--- a/selinux-python-2.8/semanage/seobject.py
++++ b/selinux-python-2.8/semanage/seobject.py
+@@ -260,6 +260,8 @@ class semanageRecords:
+ if self.store == "" or self.store == localstore:
+ self.mylog = logger()
+ else:
++ sepolicy.load_store_policy(self.store)
++ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store))
+ self.mylog = nulllogger()
+
+ def set_reload(self, load):
+@@ -1329,7 +1331,7 @@ class ibpkeyRecords(semanageRecords):
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
+ try:
+- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibpkey_type"])
+ self.valid_types = sorted(str(t) for t in q.results())
+ except:
+ pass
+@@ -1589,7 +1591,7 @@ class ibendportRecords(semanageRecords):
+ def __init__(self, args = None):
+ semanageRecords.__init__(self, args)
+ try:
+- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"])
++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibendport_type"])
+ self.valid_types = set(str(t) for t in q.results())
+ except:
+ pass
+--
+2.19.1
+
diff --git a/python-semanage-Stop-rejecting-aliases-in-semanage-c.patch b/python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7c03222db77e96acad20b3c56e4fed2771595fb2
--- /dev/null
+++ b/python-semanage-Stop-rejecting-aliases-in-semanage-c.patch
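Review bot: `sepolicy.get_store_policy(self.store)` is now called inside the pre-existing bare `try: ... except: pass` of `ibpkeyRecords.__init__` (and of `ibendportRecords.__init__` in the next hunk), so a store name that does not exist or has no compiled policy silently leaves `valid_types` unset and the user later sees a misleading "Type ... is invalid" message instead of a store-not-found error; narrowing the handler to the exceptions these calls actually raise, or at least logging the exception before continuing, would surface the real cause. `selinux.selinux_set_policy_root(...)` in the `semanageRecords` hunk changes a process-wide libselinux setting, so every `*Records` object created afterwards inherits it even if constructed for a different or the default store — a comment noting that one process is expected to work on a single store would help. The path is built as `"%s%s" % (selinux.selinux_path(), self.store)`, which relies on `selinux_path()` returning a trailing separator; `os.path.join` would not.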
@@ -0,0 +1,129 @@
+From 48aeea9ce623ee31e7699181e37221d03d8a1af1 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 16 Oct 2018 12:05:33 +0200
+Subject: [PATCH 075/170] python/semanage: Stop rejecting aliases in semanage
+ commands
+
+Resolves:
+
+\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
+ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
+\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
+ValueError: File context for /pokus is not defined
+
+\# seinfo -tsvirt_sandbox_file_t -x
+ TypeName container_file_t
+ Aliases
+ svirt_sandbox_file_t
+ svirt_lxc_file_t
+
+Signed-off-by: Vit Mojzis
+---
+ selinux-python-2.8/semanage/seobject.py | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py
+index c1467185..5d34cdbe 100644
+--- a/selinux-python-2.8/semanage/seobject.py
++++ b/selinux-python-2.8/semanage/seobject.py
+@@ -1081,7 +1081,7 @@ class portRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+- if type not in self.valid_types:
++ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % type)
+
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+@@ -1145,7 +1145,7 @@ class portRecords(semanageRecords):
+ else:
+ raise ValueError(_("Requires setype"))
+
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % setype)
+
+ (k, proto_d, low, high) = self.__genkey(port, proto)
+@@ -1349,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+- if type not in self.valid_types:
++ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
+
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+@@ -1411,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
+ else:
+ raise ValueError(_("Requires setype"))
+
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
+
+ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
+@@ -1597,7 +1597,7 @@ class ibendportRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("Type is required"))
+
+- if type not in self.valid_types:
++ if sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
+ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
+
+@@ -1658,7 +1658,7 @@ class ibendportRecords(semanageRecords):
+ else:
+ raise ValueError(_("Requires setype"))
+
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
+
+ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
+@@ -1847,7 +1847,7 @@ class nodeRecords(semanageRecords):
+ if ctype == "":
+ raise ValueError(_("SELinux node type is required"))
+
+- if ctype not in self.valid_types:
++ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+@@ -1916,7 +1916,7 @@ class nodeRecords(semanageRecords):
+ if serange == "" and setype == "":
+ raise ValueError(_("Requires setype or serange"))
+
+- if setype and setype not in self.valid_types:
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % setype)
+
+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
+@@ -2235,7 +2235,6 @@ class fcontextRecords(semanageRecords):
+ try:
+ valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
+ valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
+- valid_types.append("<>")
+ except RuntimeError:
+ valid_types = []
+
+@@ -2363,7 +2362,7 @@ class fcontextRecords(semanageRecords):
+ if type == "":
+ raise ValueError(_("SELinux Type is required"))
+
+- if type not in self.valid_types:
++ if type != "<>" and sepolicy.get_real_type_name(type) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
+
+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
+@@ -2426,7 +2425,7 @@ class fcontextRecords(semanageRecords):
+ def __modify(self, target, setype, ftype, serange, seuser):
+ if serange == "" and setype == "" and seuser == "":
+ raise ValueError(_("Requires setype, serange or seuser"))
+- if setype and setype not in self.valid_types:
++ if setype not in ["", "<>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
+
+ self.validate(target)
+--
+2.19.1
+
diff --git a/python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch b/python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e40b64969c399c5d6460bb7985629aa288d8be99
--- /dev/null
+++ b/python-semanage-module-Fix-handling-of-a-e-d-r-optio.patch
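Review bot: The check `sepolicy.get_real_type_name(x) not in self.valid_types` is now written out ten times, with slightly different guards, across the `portRecords`, `ibpkeyRecords`, `ibendportRecords`, `nodeRecords` and `fcontextRecords` hunks of this patch; a helper on `semanageRecords` that takes the type name and the already-translated error message, e.g. `def _check_type(self, setype, msg): if sepolicy.get_real_type_name(setype) not in self.valid_types: raise ValueError(msg % setype)`, would keep the alias resolution in one place while preserving every existing message string. The `fcontextRecords` sites also special-case `"<>"` by hand (`type != "<>"`, `setype not in ["", "<>"]`) now that `valid_types.append("<>")` is removed; a one-line comment at the first of them, `# "<>" is the "no context" marker, never a policy type`, would explain the exception to a reader who has not seen the removed line. The methods containing these checks all begin outside their hunks.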
@@ -0,0 +1,82 @@ +From 60a928578689126f573618064fd8814445238d3a Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 15 Feb 2019 17:00:25 +0100 +Subject: [PATCH 157/170] python/semanage module: Fix handling of -a/-e/-d/-r + options + +Previous code traceback-ed when one of the mentioned option was used without +any argument as this state was not handled by the argument parser. + +action='store' stores arguments as a list while the original +action='store_const' used str therefore it's needed to convert list to str +before it's sent to moduleRecords class. + +Fixes: +^_^ semanage module -a +Traceback (most recent call last): + File "/usr/sbin/semanage", line 963, in + do_parser() + File "/usr/sbin/semanage", line 942, in do_parser + args.func(args) + File "/usr/sbin/semanage", line 608, in handleModule + OBJECT.add(args.module_name, args.priority) + File "/usr/lib/python3.7/site-packages/seobject.py", line 402, in add + if not os.path.exists(file): + File "/usr/lib64/python3.7/genericpath.py", line 19, in exists + os.stat(path) +TypeError: stat: path should be string, bytes, os.PathLike or integer, not NoneType + +Signed-off-by: Petr Lautrbach +--- + selinux-python-2.8/semanage/semanage | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage +index 18191c13..d6d68248 100644 +--- a/selinux-python-2.8/semanage/semanage ++++ b/selinux-python-2.8/semanage/semanage +@@ -609,14 +609,14 @@ def setupInterfaceParser(subparsers): + + def handleModule(args): + OBJECT = seobject.moduleRecords(args) +- if args.action == "add": +- OBJECT.add(args.module_name, args.priority) +- if args.action == "enable": +- OBJECT.set_enabled(args.module_name, True) +- if args.action == "disable": +- OBJECT.set_enabled(args.module_name, False) +- if args.action == "remove": +- OBJECT.delete(args.module_name, args.priority) ++ if args.action_add: ++ 
OBJECT.add(args.action_add[0], args.priority) ++ if args.action_enable: ++ OBJECT.set_enabled(" ".join(args.action_enable), True) ++ if args.action_disable: ++ OBJECT.set_enabled(" ".join(args.action_disable), False) ++ if args.action_remove: ++ OBJECT.delete(" ".join(args.action_remove), args.priority) + if args.action == "deleteall": + OBJECT.deleteall() + if args.action == "list": +@@ -635,14 +635,13 @@ def setupModuleParser(subparsers): + parser_add_priority(moduleParser, "module") + + mgroup = moduleParser.add_mutually_exclusive_group(required=True) +- parser_add_add(mgroup, "module") + parser_add_list(mgroup, "module") + parser_add_extract(mgroup, "module") + parser_add_deleteall(mgroup, "module") +- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module")) +- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module")) +- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module")) +- moduleParser.add_argument('module_name', nargs='?', default=None, help=_('Name of the module to act on')) ++ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module")) ++ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module")) ++ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module")) ++ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module")) + moduleParser.set_defaults(func=handleModule) + + +-- +2.19.1 + 
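Review bot: The -r/-d/-e branches of handleModule flatten the `nargs='+'` list with `" ".join(...)` before calling moduleRecords, and nothing in the hunk shows that set_enabled()/delete() split that string back into names, so a reader cannot tell whether `-d foo bar` acts on two modules or on one called "foo bar". If the seobject methods do split on whitespace, which the description implies, document it at the first join: `# moduleRecords.set_enabled()/delete() accept a whitespace-separated list of module names`. The -a branch differs again, `args.action_add[0]` with `nargs=1`, so the shared `metavar='module_name'` and the help strings could state that -a takes exactly one package path while the others take several names. handleModule continues past the end of the hunk.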
diff --git a/python-semanage-move-valid_types-initialisations-to-.patch b/python-semanage-move-valid_types-initialisations-to-.patch new file mode 100644 index 0000000000000000000000000000000000000000..983887e789db46e0181a80f1ddf9f42829888405 --- /dev/null +++ b/python-semanage-move-valid_types-initialisations-to-.patch 
@@ -0,0 +1,145 @@ +From a73b0bba1a52adec3cfe654f726388a68b73e2d3 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 3 Jan 2019 13:03:36 +0100 +Subject: [PATCH 105/170] python/semanage: move valid_types initialisations to + class constructors + +Based on idea from Nicolas Iooss + +Fixes: +$ sudo semanage +Traceback (most recent call last): + File "/usr/sbin/semanage", line 28, in + import seobject + File "/usr/lib/python3.7/site-packages/seobject.py", line 1045, in + class portRecords(semanageRecords): + File "/usr/lib/python3.7/site-packages/seobject.py", line 1047, in portRecords + valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) + File "/usr/lib/python3.7/site-packages/sepolicy/__init__.py", line 203, in + return ({ + File "/usr/lib64/python3.7/site-packages/setools/typeattrquery.py", line 65, in results + for attr in self.policy.typeattributes(): +AttributeError: 'NoneType' object has no attribute 'typeattributes' + +https://github.com/SELinuxProject/selinux/issues/81 + +Signed-off-by: Petr Lautrbach +--- + selinux-python-2.8/semanage/seobject.py | 57 ++++++++++++++++++++++--------------- + 1 file changed, 34 insertions(+), 23 deletions(-) + +diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py +index efec0a55..4490e03f 100644 +--- a/selinux-python-2.8/semanage/seobject.py ++++ b/selinux-python-2.8/semanage/seobject.py +@@ -1043,13 +1043,15 @@ class seluserRecords(semanageRecords): + + + class portRecords(semanageRecords): +- try: +- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) +- except RuntimeError: +- valid_types = [] ++ ++ valid_types = [] + + def __init__(self, args = None): + semanageRecords.__init__(self, args) ++ try: ++ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) ++ except RuntimeError: ++ pass + + def __genkey(self, port, proto): + if proto == "tcp": +@@ -1321,14 +1323,16 @@ class 
portRecords(semanageRecords): + print(rec) + + class ibpkeyRecords(semanageRecords): +- try: +- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"]) +- valid_types = sorted(str(t) for t in q.results()) +- except: +- valid_types = [] ++ ++ valid_types = [] + + def __init__(self, args = None): + semanageRecords.__init__(self, args) ++ try: ++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"]) ++ self.valid_types = sorted(str(t) for t in q.results()) ++ except: ++ pass + + def __genkey(self, pkey, subnet_prefix): + if subnet_prefix == "": +@@ -1579,14 +1583,16 @@ class ibpkeyRecords(semanageRecords): + print(rec) + + class ibendportRecords(semanageRecords): +- try: +- q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"]) +- valid_types = set(str(t) for t in q.results()) +- except: +- valid_types = [] ++ ++ valid_types = [] + + def __init__(self, args = None): + semanageRecords.__init__(self, args) ++ try: ++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"]) ++ self.valid_types = set(str(t) for t in q.results()) ++ except: ++ pass + + def __genkey(self, ibendport, ibdev_name): + if ibdev_name == "": +@@ -1823,14 +1829,16 @@ class ibendportRecords(semanageRecords): + print(rec) + + class nodeRecords(semanageRecords): +- try: +- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"]) +- except RuntimeError: +- valid_types = [] ++ ++ valid_types = [] + + def __init__(self, args = None): + semanageRecords.__init__(self, args) + self.protocol = ["ipv4", "ipv6"] ++ try: ++ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"]) ++ except RuntimeError: ++ pass + + def validate(self, addr, mask, protocol): + newaddr = addr +@@ -2264,14 +2272,17 @@ class interfaceRecords(semanageRecords): + + + class 
fcontextRecords(semanageRecords): +- try: +- valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) +- valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) +- except RuntimeError: +- valid_types = [] ++ ++ valid_types = [] + + def __init__(self, args = None): + semanageRecords.__init__(self, args) ++ try: ++ self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) ++ self.valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) ++ except RuntimeError: ++ pass ++ + self.equiv = {} + self.equiv_dist = {} + self.equal_ind = False +-- +2.19.1 + diff --git a/python-semanage-seobject-Fix-listing-boolean-values.patch b/python-semanage-seobject-Fix-listing-boolean-values.patch new file mode 100644 index 0000000000000000000000000000000000000000..8c873c447fd8e07557085420d8e2540ffe99097c --- /dev/null +++ b/python-semanage-seobject-Fix-listing-boolean-values.patch 
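Review bot: ibpkeyRecords.__init__ and ibendportRecords.__init__ wrap the setools query in a bare `except: pass`, while portRecords, nodeRecords and fcontextRecords catch only RuntimeError; the bare clause also swallows KeyboardInterrupt and SystemExit. get_installed_policy() raises ValueError when no policy is installed (visible in the load_store_policy patch), so `except (ValueError, RuntimeError):` is the narrow form that still keeps the constructor working on a policy-less host; confirm against what setools itself raises. The shared `valid_types = []` default deserves a comment, because an empty list makes every later `not in self.valid_types` check in add/modify reject the type with "Type %s is invalid", turning a failed policy load into a misleading validation error: `# stays empty when the policy cannot be loaded; add/modify then reject every type (fail closed)`. ibendportRecords stores a set where the others store a list, which works but is worth aligning with the `sorted(...)` used by ibpkeyRecords.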
@@ -0,0 +1,52 @@ +From 259ab083fa02aaa9eb385cf6b0de30a1919a817b Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 1 Feb 2019 17:49:40 +0100 +Subject: [PATCH 144/170] python/semanage/seobject: Fix listing boolean values + +Fix gathering boolean values by fixing always False if condition +(determining whether the values are listed from local store). + +Fix listing boolean values by printing the correct values and not +forcing the use of security_get_boolean_active (which causes +crash when listing booleans that are not present in active policy). + +Fixes: + # dnf install selinux-policy-mls + # cat > mypolicy.cil + (boolean xyz false) + + # semodule -i mypolicy.cil -s mls + + # semanage boolean -l -S mls + ... + irssi_use_full_network (off , off) Allow the Irssi IRC Client to connect to any port, and to bind to any unreserved port. + mozilla_plugin_use_bluejeans (off , off) Allow mozilla plugin to use Bluejeans. + OSError: No such file or directory + +Signed-off-by: Vit Mojzis +--- + selinux-python-2.8/semanage/seobject.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/selinux-python-2.8/semanage/seobject.py b/selinux-python-2.8/semanage/seobject.py +index 556d3ba5..b31a90c1 100644 +--- a/selinux-python-2.8/semanage/seobject.py ++++ b/selinux-python-2.8/semanage/seobject.py +@@ -2807,7 +2807,7 @@ class booleanRecords(semanageRecords): + value = [] + name = semanage_bool_get_name(boolean) + value.append(semanage_bool_get_value(boolean)) +- if self.modify_local and boolean in self.current_booleans: ++ if self.modify_local and name in self.current_booleans: + value.append(selinux.security_get_boolean_pending(name)) + value.append(selinux.security_get_boolean_active(name)) + else: +@@ -2849,4 +2849,4 @@ class booleanRecords(semanageRecords): + print("%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description"))) + for k in sorted(ddict.keys()): + if ddict[k]: +- print("%-30s (%-5s,%5s) %s" % (k, 
on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k))) ++ print("%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k))) +-- +2.19.1 + diff --git a/python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch b/python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch new file mode 100644 index 0000000000000000000000000000000000000000..93bf430570ca48a4e1d543b41907f29edef158d4 --- /dev/null +++ b/python-sepolgen-close-etc-selinux-sepolgen.conf-afte.patch 
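Review bot: The corrected listing reads `ddict[k][2]` and `ddict[k][0]` for the State and Default columns, but only the `if self.modify_local and name in self.current_booleans` branch visible here appends three entries; the `else:` branch that fills `value` for booleans absent from the active policy is outside the hunk, so confirm it also appends an entry at index 2 or the listing raises IndexError in exactly the case the description fixes. A comment where `value` is built would make the layout explicit, e.g. `# value = [value from the store, pending value, active value]`, marked as assumed if the else branch differs. Both enclosing methods start and end outside the hunk.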
@@ -0,0 +1,47 @@ +From 33d7a761e53c7828ab89821fd7f7b5c6ada81635 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Fri, 21 Dec 2018 21:43:30 +0100 +Subject: [PATCH 111/170] python/sepolgen: close /etc/selinux/sepolgen.conf + after parsing it + +sepolgen testsuite reports the following warning on a system with +/etc/selinux/sepolgen.conf: + + .../src/./sepolgen/defaults.py:35: ResourceWarning: unclosed file + <_io.TextIOWrapper name='/etc/selinux/sepolgen.conf' mode='r' + encoding='UTF-8'> + +Fix this by properly closing the file in PathChooser.__init__(). + +Signed-off-by: Nicolas Iooss +--- + python/sepolgen/src/sepolgen/defaults.py | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py +index 199acfaf..533a9041 100644 +--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py ++++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py +@@ -32,12 +32,13 @@ class PathChooser(object): + self.config_pathname = pathname + ignore = re.compile(r"^\s*(?:#.+)?$") + consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$") +- for lineno, line in enumerate(open(pathname)): +- if ignore.match(line): continue +- mo = consider.match(line) +- if not mo: +- raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1)) +- self.config[mo.group(1)] = mo.group(2) ++ with open(pathname, "r") as fd: ++ for lineno, line in enumerate(fd): ++ if ignore.match(line): continue ++ mo = consider.match(line) ++ if not mo: ++ raise ValueError("%s:%d: line is not in key = value format" % (pathname, lineno+1)) ++ self.config[mo.group(1)] = mo.group(2) + + # We're only exporting one useful function, so why not be a function + def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"): +-- +2.19.1 + 
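Review bot: The rewritten loop keeps `if ignore.match(line): continue` on one line, which PEP 8 (E701) and the surrounding layout argue against; put `continue` on its own line. `fd` names a text file object rather than a descriptor, so `conf` or `f` reads more accurately. `open(pathname, "r")` decodes with the locale encoding (presumably why the quoted warning reports UTF-8); if sepolgen.conf is defined as UTF-8, `open(pathname, "r", encoding="utf-8")` pins that, at the cost of a behaviour change on other locales, so decide deliberately. PathChooser.__init__ starts before the hunk.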
diff --git a/python-sepolgen-fix-typo-in-PathChoooser-name.patch b/python-sepolgen-fix-typo-in-PathChoooser-name.patch new file mode 100644 index 0000000000000000000000000000000000000000..421c9d3e849c122dbc3c80129637f841b4564e0d --- /dev/null +++ b/python-sepolgen-fix-typo-in-PathChoooser-name.patch @@ -0,0 +1,39 @@ +From 91ef21e31fac00607112f41027053dc1120a7e14 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sun, 3 Jun 2018 18:25:38 +0200 +Subject: [PATCH 014/170] python/sepolgen: fix typo in PathChoooser name + +Signed-off-by: Nicolas Iooss +--- + selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py +index 95910639..199acfaf 100644 +--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py ++++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py +@@ -22,7 +22,7 @@ import re + + # Select the correct location for the development files based on a + # path variable (optionally read from a configuration file) +-class PathChoooser(object): ++class PathChooser(object): + def __init__(self, pathname): + self.config = dict() + if not os.path.exists(pathname): +@@ -68,10 +68,10 @@ def attribute_info(): + return data_dir() + "/attribute_info" + + def refpolicy_makefile(): +- chooser = PathChoooser("/etc/selinux/sepolgen.conf") ++ chooser = PathChooser("/etc/selinux/sepolgen.conf") + return chooser("Makefile") + + def headers(): +- chooser = PathChoooser("/etc/selinux/sepolgen.conf") ++ chooser = PathChooser("/etc/selinux/sepolgen.conf") + return chooser("include") + +-- +2.19.1 + diff --git a/python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch b/python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch new file mode 100644 index 0000000000000000000000000000000000000000..527492d0dbe8087dfb6db45bcfcab4cbe793e7e3 --- /dev/null 
+++ b/python-sepolgen-refpolicy-installs-its-Makefile-in-i.patch @@ -0,0 +1,35 @@ +From 916640d786b5896fbf75d219e16422c9a48529ab Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sat, 5 Jan 2019 20:37:58 +0100 +Subject: [PATCH 119/170] python/sepolgen: refpolicy installs its Makefile in + include/Makefile + +When running "make install-headers" on refpolicy, +/usr/share/selinux/refpolicy/Makefile does not exist but +/usr/share/selinux/refpolicy/include/Makefile does. Use it when +available. + +Signed-off-by: Nicolas Iooss +--- + selinux-python-2.8/sepolgen/src/sepolgen/defaults.py | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py +index 533a9041..6e800695 100644 +--- a/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py ++++ b/selinux-python-2.8/sepolgen/src/sepolgen/defaults.py +@@ -70,7 +70,10 @@ def attribute_info(): + + def refpolicy_makefile(): + chooser = PathChooser("/etc/selinux/sepolgen.conf") +- return chooser("Makefile") ++ result = chooser("Makefile") ++ if not os.path.exists(result): ++ result = chooser("include/Makefile") ++ return result + + def headers(): + chooser = PathChooser("/etc/selinux/sepolgen.conf") +-- +2.19.1 + diff --git a/python-sepolicy-Add-sepolicy.load_store_policy-store.patch b/python-sepolicy-Add-sepolicy.load_store_policy-store.patch new file mode 100644 index 0000000000000000000000000000000000000000..7ef018ae7f887706956f0cbfc9383eb2d8cee6bd --- /dev/null +++ b/python-sepolicy-Add-sepolicy.load_store_policy-store.patch 
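Review bot: refpolicy_makefile() now falls back to `chooser("include/Makefile")` when `chooser("Makefile")` is missing, but the fallback is returned unchecked, so when neither layout exists the caller receives a non-existent path and fails later with a less specific error. Either document that choice, `# neither layout present: return the include/ path and let the caller report the missing file`, or check the second candidate too and raise here naming both paths, a one-line `if not os.path.exists(result): raise ValueError(...)` after the fallback. headers() below still returns `chooser("include")` unchecked, so whichever you pick, keep the two consistent.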
@@ -0,0 +1,50 @@ +From ef359c97c98a8b347c7379a605acff1b2305ee28 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 3 Jan 2019 13:03:38 +0100 +Subject: [PATCH 107/170] python/sepolicy: Add + sepolicy.load_store_policy(store) + +load_store_policy() allows to (re)load SELinux policy based on a store name. It +is useful when SELinux is disabled and default policy is not installed; or when +a user wants to query or manipulate another policy. + +Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861 + +Signed-off-by: Petr Lautrbach +--- + python/sepolicy/sepolicy/__init__.py | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +index fbeb731d..b69a6b94 100644 +--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py ++++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +@@ -129,6 +129,13 @@ def get_installed_policy(root="/"): + pass + raise ValueError(_("No SELinux Policy installed")) + ++def get_store_policy(store, root="/"): ++ try: ++ policies = glob.glob("%s%s/policy/policy.*" % (selinux.selinux_path(), store)) ++ policies.sort() ++ return policies[-1] ++ except: ++ return None + + def policy(policy_file): + global all_domains +@@ -156,6 +163,11 @@ def policy(policy_file): + except: + raise ValueError(_("Failed to read %s policy file") % policy_file) + ++def load_store_policy(store): ++ policy_file = get_store_policy(store) ++ if not policy_file: ++ return None ++ policy(policy_file) + + try: + policy_file = get_installed_policy() +-- +2.19.1 + diff --git a/python-sepolicy-Fix-info-to-search-aliases-as-well.patch b/python-sepolicy-Fix-info-to-search-aliases-as-well.patch new file mode 100644 index 0000000000000000000000000000000000000000..43af592b36a49161cd0d226421da19c4d84cf267 --- /dev/null +++ b/python-sepolicy-Fix-info-to-search-aliases-as-well.patch 
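Review bot: get_store_policy() picks the newest policy with a plain `policies.sort()`, which orders the `policy.NN` names as strings, so `policy.9` would sort after `policy.10`; sort on the numeric suffix instead, `policies.sort(key=lambda p: int(p.rsplit(".", 1)[1]))`. The `root="/"` parameter is accepted but unused, since the glob is built from `selinux.selinux_path()` and `store` alone, so drop it or apply it the way get_installed_policy(root) presumably does. The bare `except:` maps every failure, including KeyboardInterrupt, to None; `except (IndexError, ValueError, OSError):` covers the empty glob and a non-numeric suffix. `store` is interpolated straight into the path, so the docstring should state that callers pass a bare store name (no separators), or the function should return None for names containing `os.sep` or equal to `..`.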
@@ -0,0 +1,44 @@ +From 448f5a9257f76645bcff6881de3bb9a0f313c545 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 16 Oct 2018 12:05:31 +0200 +Subject: [PATCH 073/170] python/sepolicy: Fix "info" to search aliases as well + +Restore previous behaviour of "sepolicy.info()". + +Signed-off-by: Vit Mojzis +--- + python/sepolicy/sepolicy/__init__.py | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +index 5d0535b9..d8c9decc 100644 +--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py ++++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +@@ -168,15 +168,21 @@ except ValueError as e: + def info(setype, name=None): + if setype == TYPE: + q = setools.TypeQuery(_pol) +- if name: +- q.name = name ++ q.name = name ++ results = list(q.results()) ++ ++ if name and len(results) < 1: ++ # type not found, try alias ++ q.name = None ++ q.alias = name ++ results = list(q.results()) + + return ({ + 'aliases': list(map(str, x.aliases())), + 'name': str(x), + 'permissive': bool(x.ispermissive), + 'attributes': list(map(str, x.attributes())) +- } for x in q.results()) ++ } for x in results) + + elif setype == ROLE: + q = setools.RoleQuery(_pol) +-- +2.19.1 + diff --git a/python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch b/python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch new file mode 100644 index 0000000000000000000000000000000000000000..61d8276151ea5d4ecb4803b4e9e4d807cefccc04 --- /dev/null +++ b/python-sepolicy-Stop-rejecting-aliases-in-sepolicy-c.patch 
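Review bot: info() now calls `list(q.results())` unconditionally, so a query with `name=None` materialises every type in the policy before the dict comprehension runs, whereas the alias retry is only needed when a name was given; the pre-change code returned those results lazily. Keeping the materialisation inside the `if name:` branch restores that and makes the retry's precondition explicit, so I would restructure the branch as below, with a comment on the retry: `# exact name missed: retry treating it as an alias`. The dict comprehension and the remaining branches of info() are unchanged and partly outside the hunk.
```python
    if setype == TYPE:
        q = setools.TypeQuery(_pol)
        if name:
            q.name = name
            results = list(q.results())
            if not results:
                # exact name missed: retry treating it as an alias
                q.name = None
                q.alias = name
                results = list(q.results())
        else:
            results = q.results()
        # … unchanged: dict comprehension over results …
```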
@@ -0,0 +1,96 @@ +From 4c63b8e7b691bf8fc09ccd5a35ce420effaeb16b Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 22 Oct 2018 17:43:12 +0200 +Subject: [PATCH 074/170] python/sepolicy: Stop rejecting aliases in sepolicy + commands + +Fix CheckDomain and CheckPortType classes to properly deal with aliases. + +Resolves: + https://bugzilla.redhat.com/show_bug.cgi?id=1600009 + +Signed-off-by: Vit Mojzis +--- + selinux-python-2.8/sepolicy/sepolicy.py | 8 +++----- + selinux-python-2.8/sepolicy/sepolicy/__init__.py | 18 +++++++++++++++++- + 2 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/selinux-python-2.8/sepolicy/sepolicy.py b/selinux-python-2.8/sepolicy/sepolicy.py +index a000c1ad..01380fbe 100755 +--- a/selinux-python-2.8/sepolicy/sepolicy.py ++++ b/selinux-python-2.8/sepolicy/sepolicy.py +@@ -60,8 +60,6 @@ class CheckPath(argparse.Action): + class CheckType(argparse.Action): + + def __call__(self, parser, namespace, values, option_string=None): +- domains = sepolicy.get_all_domains() +- + if isinstance(values, str): + setattr(namespace, self.dest, values) + else: +@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action): + domains = sepolicy.get_all_domains() + + if isinstance(values, str): +- if values not in domains: ++ if sepolicy.get_real_type_name(values) not in domains: + raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains))) + setattr(namespace, self.dest, values) + else: +@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action): + newval = [] + + for v in values: +- if v not in domains: ++ if sepolicy.get_real_type_name(v) not in domains: + raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains))) + newval.append(v) + setattr(namespace, self.dest, newval) +@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action): + if not newval: + newval = [] + for v in values: +- if v not in port_types: ++ if sepolicy.get_real_type_name(v) not in port_types: + 
raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types))) + newval.append(v) + setattr(namespace, self.dest, values) +diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +index d8c9decc..b18683e4 100644 +--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py ++++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +@@ -447,6 +447,22 @@ def get_file_types(setype): + return mpaths + + ++def get_real_type_name(name): ++ """Return the real name of a type ++ ++ * If 'name' refers to a type, return the same name. ++ * If 'name' refers to a type alias, return the corresponding type name. ++ * Otherwise return None. ++ """ ++ if not name: ++ return None ++ ++ try: ++ return next(info(TYPE, name))["name"] ++ except (RuntimeError, StopIteration): ++ return None ++ ++ + def get_writable_files(setype): + file_types = get_all_file_types() + all_writes = [] +@@ -1061,7 +1077,7 @@ def gen_short_name(setype): + domainname = setype[:-2] + else: + domainname = setype +- if domainname + "_t" not in all_domains: ++ if get_real_type_name(domainname + "_t") not in all_domains: + raise ValueError("domain %s_t does not exist" % domainname) + if domainname[-1] == 'd': + short_name = domainname[:-1] + "_" +-- +2.19.1 + diff --git a/python-sepolicy-fix-procotol-misspelling.patch b/python-sepolicy-fix-procotol-misspelling.patch new file mode 100644 index 0000000000000000000000000000000000000000..55942349e0141f7684111b7757572a310a84859d --- /dev/null +++ b/python-sepolicy-fix-procotol-misspelling.patch 
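Review bot: get_real_type_name() catches `(RuntimeError, StopIteration)` around `next(info(TYPE, name))`, but when no policy is loaded setools fails with AttributeError on the None policy (the traceback quoted in the move-valid_types patch shows that path), so CheckDomain and CheckPortType would traceback instead of reporting an invalid type; `except (RuntimeError, StopIteration, AttributeError):` would keep the documented None contract, once confirmed against setools. The docstring could also say that the lookup tries the exact name first and then the alias, mirroring info(). In CheckPortType the loop still accumulates `newval` while the unchanged `setattr(namespace, self.dest, values)` stores `values`; that is pre-existing rather than introduced here, but worth a follow-up. The enclosing __call__ methods begin before their hunks.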
@@ -0,0 +1,32 @@ +From 8fac024785299725b714ad6ac8a265e16bc125c9 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sat, 4 Aug 2018 14:07:47 +0200 +Subject: [PATCH 042/170] python/sepolicy: fix "procotol" misspelling + +procotol -> protocol + +This issue has been found using flake8. This Python linter reported: + + python/sepolicy/sepolicy/gui.py:2525:132: F821 undefined name 'procotol' + +Signed-off-by: Nicolas Iooss +--- + python/sepolicy/sepolicy/gui.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py +index 16f24a0a..6933f6a1 100644 +--- a/selinux-python-2.8/sepolicy/sepolicy/gui.py ++++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py +@@ -2522,7 +2522,7 @@ class SELinuxGui(): + if self.cur_dict[k][(port, protocol)]["action"] == "-d": + update_buffer += "port -d -p %s %s\n" % (protocol, port) + else: +- update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], procotol, port) ++ update_buffer += "port %s -t %s -p %s %s\n" % (self.cur_dict[k][f]["action"], self.cur_dict[k][f]["type"], protocol, port) + + return update_buffer + +-- +2.19.1 + diff --git a/python-sepolicy-fix-variable-name.patch b/python-sepolicy-fix-variable-name.patch new file mode 100644 index 0000000000000000000000000000000000000000..b712d044be3aa54de582c0a8b2f8c03bb67a2a9e --- /dev/null +++ b/python-sepolicy-fix-variable-name.patch 
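Review bot: The fixed else branch indexes `self.cur_dict[k][f]` while the `-d` branch two lines above indexes the same dict with `(port, protocol)`; if `f` is that tuple (the loop that unpacks it lies outside the hunk), using one key form in both branches would make the relationship visible and leave less room for the kind of undefined-name slip this commit repairs. At minimum a comment such as `# f == (port, protocol), unpacked by the enclosing loop` should sit above the branch, marked as assumed if that is not how f is bound. The enclosing method starts before the hunk.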
@@ -0,0 +1,33 @@ +From ae03c821b798b346d1012d1defd61e665bb0d890 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Thu, 31 Jan 2019 20:46:40 +0100 +Subject: [PATCH 136/170] python/sepolicy: fix variable name + +modify_button_clicked() used variable "type" in a comparison instead of +"ftype". This is a bug, which has been found with flake8 3.7.0. This +linter reported: + + python/sepolicy/sepolicy/gui.py:1548:20: F823 local variable 'type' + {0} referenced before assignment + +Signed-off-by: Nicolas Iooss +--- + selinux-python-2.8/sepolicy/sepolicy/gui.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/selinux-python-2.8/sepolicy/sepolicy/gui.py b/selinux-python-2.8/sepolicy/sepolicy/gui.py +index fde233ad..d4bf3b48 100644 +--- a/selinux-python-2.8/sepolicy/sepolicy/gui.py ++++ b/selinux-python-2.8/sepolicy/sepolicy/gui.py +@@ -1545,7 +1545,7 @@ class SELinuxGui(): + path = self.executable_files_liststore.get_value(iter, 0) + self.files_path_entry.set_text(path) + ftype = self.executable_files_liststore.get_value(iter, 1) +- if type != None: ++ if ftype != None: + self.combo_set_active_text(self.files_type_combobox, ftype) + tclass = self.executable_files_liststore.get_value(iter, 2) + if tclass != None: +-- +2.19.1 + diff --git a/python-sepolicy-search-also-for-dontaudit-rules.patch b/python-sepolicy-search-also-for-dontaudit-rules.patch new file mode 100644 index 0000000000000000000000000000000000000000..1e9be934e200981a995641e5c2ce31042365d65f --- /dev/null +++ b/python-sepolicy-search-also-for-dontaudit-rules.patch 
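Review bot: The corrected check `if ftype != None:` should be `if ftype is not None:` (PEP 8 E711), and the `tclass != None` comparison on the following context line has the same shape, so fix both together while flake8 is already being used to drive these patches. modify_button_clicked() starts and ends outside the hunk.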
@@ -0,0 +1,34 @@ +From 5013d2ba9774b876d906f9196fc6f75b1f2f5237 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 18 Sep 2018 15:12:59 +0200 +Subject: [PATCH 093/170] python/sepolicy: search() also for dontaudit rules + +dontaudit rules were accidentally dropped during rewrite to SETools 4 API in +97d5f6a2 + +Fixes: +>>> import sepolicy +>>> sepolicy.search(['dontaudit']) +[] + +Signed-off-by: Petr Lautrbach +--- + python/sepolicy/sepolicy/__init__.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/selinux-python-2.8/sepolicy/sepolicy/__init__.py b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +index cd7af7cf..fbeb731d 100644 +--- a/selinux-python-2.8/sepolicy/sepolicy/__init__.py ++++ b/selinux-python-2.8/sepolicy/sepolicy/__init__.py +@@ -344,6 +344,8 @@ def search(types, seinfo=None): + tertypes.append(NEVERALLOW) + if AUDITALLOW in types: + tertypes.append(AUDITALLOW) ++ if DONTAUDIT in types: ++ tertypes.append(DONTAUDIT) + + if len(tertypes) > 0: + q = setools.TERuleQuery(_pol, +-- +2.19.1 + diff --git a/python-use-or-when-comparing-a-variable-with-a-strin.patch b/python-use-or-when-comparing-a-variable-with-a-strin.patch new file mode 100644 index 0000000000000000000000000000000000000000..a9f76166d6f2ad398075d14c7586fc0d479651b8 --- /dev/null +++ b/python-use-or-when-comparing-a-variable-with-a-strin.patch 
@@ -0,0 +1,344 @@ +From f906ae66a4362345cccf2b93feccd4c045894ed7 Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Thu, 31 Jan 2019 20:44:44 +0100 +Subject: [PATCH 135/170] python: use == or != when comparing a variable with a + string or a integer + +Flake8 3.7.0 added a new fatal error message when parsing Python files: + + python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals + python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals + ... + python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals + python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals + python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals + python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals + python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals + +Fix all these warnings. 
+
+Signed-off-by: Nicolas Iooss
+---
+ selinux-python-2.8/semanage/semanage | 118 ++++++++++++-------------
+ selinux-python-2.8/sepolgen/src/sepolgen/output.py | 6 +-
+ selinux-python-2.8/sepolicy/sepolicy/generate.py | 4 +-
+ 3 files changed, 64 insertions(+), 64 deletions(-)
+
+diff --git a/selinux-python-2.8/semanage/semanage b/selinux-python-2.8/semanage/semanage
+index 49add51e..6afeac14 100644
+--- a/selinux-python-2.8/semanage/semanage
++++ b/selinux-python-2.8/semanage/semanage
+@@ -109,7 +109,7 @@ class SetExportFile(argparse.Action):
+
+ def __call__(self, parser, namespace, values, option_string=None):
+ if values:
+- if values is not "-":
++ if values != "-":
+ try:
+ sys.stdout = open(values, 'w')
+ except:
+@@ -121,7 +121,7 @@ class SetExportFile(argparse.Action):
+ class SetImportFile(argparse.Action):
+
+ def __call__(self, parser, namespace, values, option_string=None):
+- if values and values is not "-":
++ if values and values != "-":
+ try:
+ sys.stdin = open(values, 'r')
+ except IOError as e:
+@@ -189,17 +189,17 @@ def handleLogin(args):
+
+ OBJECT = object_dict['login'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.login, args.seuser, args.range)
+- if args.action is "modify":
++ if args.action == "modify":
+ OBJECT.modify(args.login, args.seuser, args.range)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.login)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("login %s" % (str(i)))
+
+@@ -322,26 +322,26 @@ def handleFcontext(args):
+
+ OBJECT = object_dict['fcontext'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ if args.equal:
+ OBJECT.add_equal(args.file_spec, args.equal)
+ else:
+
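Review bot: The bare `except:` right after the changed comparison in `SetExportFile.__call__` catches every exception, including SystemExit and KeyboardInterrupt, so a failure to open the export file for writing cannot be told apart from an interrupt or a programming error; `SetImportFile.__call__` in the next hunk already narrows this to `except IOError as e:`, and the export path should match it. The handler body is outside the hunk, so whatever it reports should then use `e` the same way the import handler presumably does. Replacing the `is not "-"` identity test is the right call: it only ever worked because CPython happens to intern one-character strings.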
OBJECT.add(args.file_spec, args.type, args.ftype, args.range, args.seuser)
+- if args.action is "modify":
++ if args.action == "modify":
+ if args.equal:
+ OBJECT.add_equal(args.file_spec, args.equal)
+ else:
+ OBJECT.modify(args.file_spec, args.type, args.ftype, args.range, args.seuser)
+- if args.action is "delete":
++ if args.action == "delete":
+ if args.equal:
+ OBJECT.delete(args.file_spec, args.equal)
+ else:
+ OBJECT.delete(args.file_spec, args.ftype)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("fcontext %s" % str(i))
+
+@@ -390,17 +390,17 @@ def handleUser(args):
+
+ OBJECT = object_dict['user'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
+- if args.action is "modify":
++ if args.action == "modify":
+ OBJECT.modify(args.selinux_name, args.roles, args.level, args.range, args.prefix)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.selinux_name)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("user %s" % str(i))
+
+@@ -440,17 +440,17 @@ def handlePort(args):
+
+ OBJECT = object_dict['port'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.port, args.proto, args.range, args.type)
+- if args.action is "modify":
++ if args.action == "modify":
+ OBJECT.modify(args.port, args.proto, args.range, args.type)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.port, args.proto)
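Review bot: The six `if args.action == ...:` tests in `handleFcontext` are mutually exclusive but written as independent `if` statements, so every action re-evaluates all six comparisons and a reader cannot see at a glance that exactly one branch fires; an `if`/`elif` chain, as `handlePermissive` later in this patch already uses, states that intent. Separately, the `modify` branch calls `OBJECT.add_equal(args.file_spec, args.equal)` exactly as `add` does when `--equal` is given; if `add_equal` upserts that is fine, but it deserves a note such as `# -e has no separate modify path: add_equal replaces any existing equivalence -- confirm`. The enclosing function begins before the `OBJECT = ...` line shown and its parser setup is outside the hunk.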
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("port %s" % str(i))
+
+@@ -485,17 +485,17 @@ def handlePkey(args):
+
+ OBJECT = object_dict['ibpkey'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
+- if args.action is "modify":
++ if args.action == "modify":
+ OBJECT.modify(args.ibpkey, args.subnet_prefix, args.range, args.type)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.ibpkey, args.subnet_prefix)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("ibpkey %s" % str(i))
+
+@@ -528,17 +528,17 @@ def handleIbendport(args):
+
+ OBJECT = object_dict['ibendport'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
+- if args.action is "modify":
++ if args.action == "modify":
+ OBJECT.modify(args.ibendport, args.ibdev_name, args.range, args.type)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.ibendport, args.ibdev_name)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("ibendport %s" % str(i))
+
+@@ -571,17 +571,17 @@ def handleInterface(args):
+
+ OBJECT = object_dict['interface'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.interface, args.range, args.type)
+- if args.action is "modify":
++ if args.action == "modify":
+ OBJECT.modify(args.interface, args.range, args.type)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.interface)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("interface %s" % str(i))
+
+@@ -617,11 +617,11 @@ def handleModule(args):
+ OBJECT.set_enabled(args.module_name, False)
+ if args.action == "remove":
+ OBJECT.delete(args.module_name, args.priority)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("module %s" % str(i))
+
+@@ -652,17 +652,17 @@ def handleNode(args):
+
+ OBJECT = object_dict['node'](args)
+
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
+- if args.action is "modify":
++ if args.action == "modify":
+ OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.node, args.netmask, args.proto)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("node %s" % str(i))
+
+@@ -698,14 +698,14 @@ def handleBoolean(args):
+
+ OBJECT = object_dict['boolean'](args)
+
+- if args.action is "modify":
++ if args.action == "modify":
+ if args.boolean:
+ OBJECT.modify(args.boolean, args.state, False)
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading, args.locallist)
+- if args.action is "deleteall":
++ if args.action == "deleteall":
+ OBJECT.deleteall()
+- if args.action is "extract":
++ if args.action == "extract":
+ for i in OBJECT.customized():
+ print("boolean %s" % str(i))
+
+@@ -736,12 +736,12 @@ def setupBooleanParser(subparsers):
+ def handlePermissive(args):
+ OBJECT = object_dict['permissive'](args)
+
+- if args.action is "list":
++ if args.action == "list":
+ OBJECT.list(args.noheading)
+ elif args.type is not None:
+- if args.action is "add":
++ if args.action == "add":
+ OBJECT.add(args.type)
+- if args.action is "delete":
++ if args.action == "delete":
+ OBJECT.delete(args.type)
+ else:
+ args.parser.print_usage(sys.stderr)
+diff --git a/selinux-python-2.8/sepolgen/src/sepolgen/output.py b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
+index 7a83aee4..3a21b64c 100644
+--- a/selinux-python-2.8/sepolgen/src/sepolgen/output.py
++++ b/selinux-python-2.8/sepolgen/src/sepolgen/output.py
+@@ -74,13 +74,13 @@ def id_set_cmp(x, y):
+ # Compare two avrules
+ def avrule_cmp(a, b):
+ ret = id_set_cmp(a.src_types, b.src_types)
+- if ret is not 0:
++ if ret != 0:
+ return ret
+ ret = id_set_cmp(a.tgt_types, b.tgt_types)
+- if ret is not 0:
++ if ret != 0:
+ return ret
+ ret = id_set_cmp(a.obj_classes, b.obj_classes)
+- if ret is not 0:
++ if ret != 0:
+ return ret
+
+ # At this point, who cares - just return something
+diff --git a/selinux-python-2.8/sepolicy/sepolicy/generate.py b/selinux-python-2.8/sepolicy/sepolicy/generate.py
+index 37ddfc7a..5a2195b8 100644
+--- a/selinux-python-2.8/sepolicy/sepolicy/generate.py
++++ b/selinux-python-2.8/sepolicy/sepolicy/generate.py
+@@ -643,7 +643,7 @@ allow %s_t %s_t:%s_socket name_%s;
+
+ def __find_path(self, file):
+ for d in self.DEFAULT_DIRS:
+- if file.find(d) is 0:
++ if file.find(d) == 0:
+ self.DEFAULT_DIRS[d][1].append(file)
+ return self.DEFAULT_DIRS[d]
+ self.DEFAULT_DIRS["rw"][1].append(file)
+@@ -1346,7 +1346,7 @@ allow %s_t %s_t:%s_socket name_%s;
+ else:
+ continue
+
+- if len(temp_dirs) is not 0:
++ if len(temp_dirs) != 0:
+ for i in temp_dirs:
+ if i in self.dirs.keys():
+ del(self.dirs[i])
+--
+2.19.1
+
diff --git a/restorecond-2.8.tar.gz b/restorecond-2.8.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ead7b620955114fa0161b12da2c7a73f66611a09
Binary files /dev/null and b/restorecond-2.8.tar.gz differ
diff --git a/restorecond-2.9.tar.gz b/restorecond-2.9.tar.gz
deleted file mode 100644
index cd7dd2f757e8fbc695d37762befb9373e25fc146..0000000000000000000000000000000000000000
Binary files a/restorecond-2.9.tar.gz and /dev/null differ
diff --git a/restorecond-Do-not-ignore-the-f-option.patch b/restorecond-Do-not-ignore-the-f-option.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ae605ff2d297b360024f712b82616333fad19da7
--- /dev/null
+++ b/restorecond-Do-not-ignore-the-f-option.patch
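Review bot: `if file.find(d) == 0:` in `__find_path` is a prefix test spelled as a substring search; `if file.startswith(d):` says what is meant and does not keep scanning the whole path when `d` also occurs later in it. In the same spirit, `if len(temp_dirs) != 0:` in the second hunk is idiomatically `if temp_dirs:`. Both rewrites are exact equivalences, so this is style only; `__find_path` and the method around the second hunk both extend beyond the shown lines.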
@@ -0,0 +1,40 @@ +From 385ef2cdc679fdc79f0876f544c6e555ae9f59dc Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 3 Oct 2018 16:42:59 +0200 +Subject: [PATCH 064/170] restorecond: Do not ignore the -f option + +Since the default value of watch_file is set unconditionally *after* the +command-line arguments have been parsed, the -f option is (and has +always been) effectively ignored. Fix this by setting it before the +parsing. + +Fixes: 48681bb49c03 ("policycoreutils: restorecond: make restorecond dbuss-able") +Signed-off-by: Ondrej Mosnacek +--- + restorecond/restorecond.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c +index e1d26cb9..7b984b29 100644 +--- a/restorecond-2.8/restorecond.c ++++ b/restorecond-2.8/restorecond.c +@@ -148,6 +148,8 @@ int main(int argc, char **argv) + if (is_selinux_enabled() != 1) + return 0; + ++ watch_file = server_watch_file; ++ + /* Set all options to zero/NULL except for ignore_noent & digest. */ + memset(&r_opts, 0, sizeof(r_opts)); + r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY; +@@ -205,7 +207,6 @@ int main(int argc, char **argv) + return 0; + } + +- watch_file = server_watch_file; + read_config(master_fd, watch_file); + + if (!debug_mode) { +-- +2.19.1 + diff --git a/selinux-dbus-2.8.tar.gz b/selinux-dbus-2.8.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..be126a52c3a53993057695cb6911bc8557d7762f Binary files /dev/null and b/selinux-dbus-2.8.tar.gz differ diff --git a/selinux-dbus-2.9.tar.gz b/selinux-dbus-2.9.tar.gz deleted file mode 100644 index 98bcb25e1099bf2d0ea0bf8b16dba2e7887b507a..0000000000000000000000000000000000000000 Binary files a/selinux-dbus-2.9.tar.gz and /dev/null differ 
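Review bot: The relocated `watch_file = server_watch_file;` now executes before the option loop (which is outside the hunk) so that `-f` can overwrite it, but nothing at the new site says so; a reader who meets a bare assignment next to the `memset(&r_opts, ...)` will not recognise it as a default. A comment on the added line, `/* default config path; -f overrides it during option parsing below */`, would keep the reason that the Fixes: trailer records next to the code. `main()` continues outside both hunks, so the `getopt` case that sets `watch_file` cannot be checked here.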
diff --git a/selinux-python-2.8.tar.gz b/selinux-python-2.8.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..3028de01046cff3f8490272fcc0d9226edd54ab7
Binary files /dev/null and b/selinux-python-2.8.tar.gz differ
diff --git a/selinux-python-2.9.tar.gz b/selinux-python-2.9.tar.gz
deleted file mode 100644
index d0ee8c25c4e356089ab5fc43183b9c9316d78148..0000000000000000000000000000000000000000
Binary files a/selinux-python-2.9.tar.gz and /dev/null differ
diff --git a/selinux-sandbox-2.8.tar.gz b/selinux-sandbox-2.8.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..b73981b83f1c920d65ac3f1023531e3cb1ac0e9e
Binary files /dev/null and b/selinux-sandbox-2.8.tar.gz differ
diff --git a/selinux-sandbox-2.9.tar.gz b/selinux-sandbox-2.9.tar.gz
deleted file mode 100644
index ebf232c8496f2e1ea82ae5ba24768b4773c82ff0..0000000000000000000000000000000000000000
Binary files a/selinux-sandbox-2.9.tar.gz and /dev/null differ
diff --git a/semodule-utils-2.8.tar.gz b/semodule-utils-2.8.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..01f09dc2eaaa395132bd40efe84be982f3e6fdde
Binary files /dev/null and b/semodule-utils-2.8.tar.gz differ
diff --git a/semodule-utils-2.9.tar.gz b/semodule-utils-2.9.tar.gz
deleted file mode 100644
index df7180ca0946335da5987653b0befb6122dc18b8..0000000000000000000000000000000000000000
Binary files a/semodule-utils-2.9.tar.gz and /dev/null differ
diff --git a/setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch b/setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
new file mode 100644
index 0000000000000000000000000000000000000000..602adacf7fcd50da27a5fe4b2738d1490c1e52f7
--- /dev/null
+++ b/setsebool-support-use-of-P-on-SELinux-disabled-hosts.patch
@@ -0,0 +1,86 @@ +From c78f9c355fa7b8c0862149d0a69bd6e5d25bec78 Mon Sep 17 00:00:00 2001 +From: Stephen Smalley +Date: Thu, 10 Jan 2019 10:24:53 -0500 +Subject: [PATCH 124/170] setsebool: support use of -P on SELinux-disabled + hosts + +As reported in #123, setsebool immediately exits with an error if +SELinux is disabled, preventing its use for setting boolean persistent +values. In contrast, semanage boolean -m works on SELinux-disabled +hosts. Change setsebool so that it can be used with the -P option +(persistent changes) even if SELinux is disabled. In the SELinux-disabled +case, skip setting of active boolean values, but set the persistent value +in the policy store. Policy reload is automatically disabled by libsemanage +when SELinux is disabled, so we only need to call semanage_set_reload() +if -N was used. + +Fixes: https://github.com/SELinuxProject/selinux/issues/123 +Signed-off-by: Stephen Smalley +--- + policycoreutils-2.8/setsebool/setsebool.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/policycoreutils-2.8/setsebool/setsebool.c b/policycoreutils-2.8/setsebool/setsebool.c +index 53d3566c..a5157efc 100644 +--- a/policycoreutils-2.8/setsebool/setsebool.c ++++ b/policycoreutils-2.8/setsebool/setsebool.c +@@ -18,7 +18,7 @@ + #include + + int permanent = 0; +-int reload = 1; ++int no_reload = 0; + int verbose = 0; + + int setbool(char **list, size_t start, size_t end); +@@ -38,11 +38,6 @@ int main(int argc, char **argv) + if (argc < 2) + usage(); + +- if (is_selinux_enabled() <= 0) { +- fputs("setsebool: SELinux is disabled.\n", stderr); +- return 1; +- } +- + while (1) { + clflag = getopt(argc, argv, "PNV"); + if (clflag == -1) +@@ -53,7 +48,7 @@ int main(int argc, char **argv) + permanent = 1; + break; + case 'N': +- reload = 0; ++ no_reload = 1; + break; + case 'V': + verbose = 1; +@@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t boolcnt, + semanage_bool_key_t *bool_key = NULL; + int managed; + int 
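Review bot: The second hunk deletes the `is_selinux_enabled() <= 0` early exit from `main()` outright, yet the commit message only argues for the `-P` case; without `-P`, execution on a disabled host now presumably falls through to `setbool()` (declared above, body outside the hunk), whose failure mode there is not visible and is unlikely to mention that SELinux is disabled. The clear "setsebool: SELinux is disabled." diagnostic is worth keeping for the non-persistent path, placed after the `getopt` loop once `permanent` is known. The option loop itself and the rest of `main()` are outside this hunk.
```c
/* … unchanged: getopt loop over "PNV" sets permanent / no_reload / verbose … */
if (!permanent && is_selinux_enabled() <= 0) {
	fputs("setsebool: SELinux is disabled.\n", stderr);
	return 1;
}
```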
result;
++ int enabled = is_selinux_enabled();
+
+ handle = semanage_handle_create();
+ if (handle == NULL) {
+@@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
+ boolean) < 0)
+ goto err;
+
+- if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
++ if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
+ fprintf(stderr, "Failed to change boolean %s: %m\n",
+ boollist[j].name);
+ goto err;
+@@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t boolcnt,
+ boolean = NULL;
+ }
+
+- semanage_set_reload(handle, reload);
++ if (no_reload)
++ semanage_set_reload(handle, 0);
+ if (semanage_commit(handle) < 0)
+ goto err;
+
+--
+2.19.1
+
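Review bot: `int enabled = is_selinux_enabled();` keeps the raw return value, and libselinux documents that call as returning -1 on error besides 0 and 1; in `if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0)` a -1 counts as enabled, so an error while probing SELinux state falls into the active-set path and surfaces only as the generic "Failed to change boolean" message. The check this patch removed from `main()` used `<= 0`; keep that semantics with `int enabled = is_selinux_enabled() > 0;`. The `if (no_reload) semanage_set_reload(handle, 0);` change relies on libsemanage defaulting to reload and suppressing it when SELinux is disabled, as the commit message says; a one-line comment such as `/* reload defaults on; libsemanage skips it when SELinux is disabled */` would spare the next reader that archaeology.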