From a69630b7b6b8fca7fa127562cdfe7d93f80a4820 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Dec 14 2015 19:38:46 +0000 Subject: policycoreutils-2.4-20.fc24 - Fix 'semanage permissive -l' subcommand (#1286325) - Several 'sepolicy gui' fixes (#1281309,#1281309,#1282382) --- diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 285b324..b8c7877 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1358,7 +1358,7 @@ index 37c1472..9854fb2 100644 False diff --git a/policycoreutils-2.4/gui/polgengui.py b/policycoreutils-2.4/gui/polgengui.py -index 0f0e564..1b88c47 100644 +index 0f0e564..ac8f78f 100644 --- a/policycoreutils-2.4/gui/polgengui.py +++ b/policycoreutils-2.4/gui/polgengui.py @@ -30,29 +30,15 @@ import gnome @@ -1445,6 +1445,15 @@ index 0f0e564..1b88c47 100644 self.error(e.message) def delete(self, args): +@@ -668,7 +654,7 @@ class childWindow: + entry.set_text("") + return False + if name in self.all_modules: +- if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: ++ if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: + entry.set_text("") + return False + @@ -687,7 +673,7 @@ class childWindow: try: generate.verify_ports(self.in_tcp_entry.get_text()) @@ -655466,7 +655475,7 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils-2.4/semanage/semanage b/policycoreutils-2.4/semanage/semanage -index dd63010..69b9c49 100644 +index dd63010..852fecf 100644 --- a/policycoreutils-2.4/semanage/semanage +++ b/policycoreutils-2.4/semanage/semanage @@ -1,4 +1,4 @@ 
@@ -655688,16 +655697,37 @@ index dd63010..69b9c49 100644 def setupBooleanParser(subparsers): generated_usage = generate_custom_usage(usage_boolean, usage_boolean_dict) -@@ -652,7 +666,7 @@ def setupPermissiveParser(subparsers): - parser_add_noheading(permissiveParser, "permissive") - parser_add_noreload(permissiveParser, "permissive") +@@ -632,12 +646,17 @@ def handlePermissive(args): + OBJECT = object_dict['permissive']() + OBJECT.set_reload(args.noreload) + +- if args.action is "add": +- OBJECT.add(args.type) + if args.action is "list": + OBJECT.list(args.noheading) +- if args.action is "delete": +- OBJECT.delete(args.type) ++ elif args.type != None: ++ if args.action is "add": ++ OBJECT.add(args.type) ++ if args.action is "delete": ++ OBJECT.delete(args.type) ++ else: ++ args.parser.print_usage(sys.stderr) ++ sys.stderr.write(_('semanage permissive: error: the following argument is required: type\n')) ++ sys.exit(1) + + def setupPermissiveParser(subparsers): + permissiveParser = subparsers.add_parser('permissive', help=_('Manage process type enforcement mode')) +@@ -654,6 +673,7 @@ def setupPermissiveParser(subparsers): parser_add_store(permissiveParser, "permissive") -- permissiveParser.add_argument('type', nargs='?', default=None, help=_('type')) -+ permissiveParser.add_argument('type', nargs='+', default=None, help=_('type')) + permissiveParser.add_argument('type', nargs='?', default=None, help=_('type')) permissiveParser.set_defaults(func=handlePermissive) ++ permissiveParser.set_defaults(parser=permissiveParser) def handleDontaudit(args): -@@ -670,11 +684,11 @@ def setupDontauditParser(subparsers): + OBJECT = object_dict['dontaudit']() +@@ -670,11 +690,11 @@ def setupDontauditParser(subparsers): def handleExport(args): manageditems=[ "boolean", "login", "interface", "user", "port", "node", "fcontext", "module"] for i in manageditems: 
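Review bot: The dispatch re-added in handlePermissive still compares `args.action` with string literals by identity (`is "list"`, `is "add"`, `is "delete"`), which only holds while the interpreter happens to share the literal object. If it ever does not and a type was given, neither inner branch runs and the caller's `sys.exit(0)` reports success, so `semanage permissive -d TYPE` could leave the domain permissive without any error. Compare by value, `if args.action == "add":` and `elif args.action == "delete":`, and write the guard as `elif args.type is not None:`. The `def handlePermissive` line itself is outside the lines shown in this hunk.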
@@ -655711,7 +655741,7 @@ index dd63010..69b9c49 100644 sys.exit(0) -@@ -743,10 +757,10 @@ def handleImport(args): +@@ -743,10 +763,10 @@ def handleImport(args): commandParser = createCommandParser() args = commandParser.parse_args(mkargv(l)) args.func(args) @@ -655724,7 +655754,7 @@ index dd63010..69b9c49 100644 sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) sys.exit(1) except KeyboardInterrupt: -@@ -764,11 +778,11 @@ def setupImportParser(subparsers): +@@ -764,11 +784,11 @@ def setupImportParser(subparsers): def createCommandParser(): commandParser = seParser(prog='semanage', @@ -655741,7 +655771,7 @@ index dd63010..69b9c49 100644 #To add a new subcommand define the parser for it in a function above and call it here. subparsers = commandParser.add_subparsers(dest='subcommand') setupImportParser(subparsers) -@@ -788,7 +802,7 @@ def createCommandParser(): +@@ -788,7 +808,7 @@ def createCommandParser(): def make_io_args(args): # import/export backward compability @@ -655750,7 +655780,7 @@ index dd63010..69b9c49 100644 args_file = [] args_ie = [] args_subcommand = [] -@@ -808,6 +822,8 @@ def make_io_args(args): +@@ -808,6 +828,8 @@ def make_io_args(args): return args_subcommand+args_ie+args_file def make_args(sys_args): @@ -655759,7 +655789,7 @@ index dd63010..69b9c49 100644 args = [] if "-o" in sys_args[1:] or "-i" in sys_args[1:]: args=make_io_args(sys_args[1:]) -@@ -822,21 +838,21 @@ def do_parser(): +@@ -822,21 +844,21 @@ def do_parser(): args = commandParser.parse_args(make_args(sys.argv)) args.func(args) sys.exit(0) @@ -658725,7 +658755,7 @@ index 458a4d2..b6088af 100644 + except dbus.DBusException as e: + print(e) diff --git a/policycoreutils-2.4/sepolicy/selinux_server.py b/policycoreutils-2.4/sepolicy/selinux_server.py -index e94c38f..671be1a 100644 +index e94c38f..6e8d9b2 100644 --- a/policycoreutils-2.4/sepolicy/selinux_server.py +++ b/policycoreutils-2.4/sepolicy/selinux_server.py @@ -1,9 +1,9 @@ 
@@ -658740,7 +658770,7 @@ index e94c38f..671be1a 100644 import slip.dbus.service from slip.dbus import polkit import os -@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object): +@@ -18,45 +18,45 @@ class selinux_server(slip.dbus.service.Object): # # The semanage method runs a transaction on a series of semanage commands, # these commnds can take the output of customized @@ -658749,7 +658779,9 @@ index e94c38f..671be1a 100644 @slip.dbus.polkit.require_auth("org.selinux.semanage") @dbus.service.method("org.selinux", in_signature='s') def semanage(self, buf): -@@ -27,10 +27,10 @@ class selinux_server(slip.dbus.service.Object): +- p = Popen(["/usr/sbin/semanage", "import"],stdout=PIPE, stderr=PIPE, stdin=PIPE) ++ p = Popen(["/usr/sbin/semanage", "import"],stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) + p.stdin.write(buf) output = p.communicate() if p.returncode and p.returncode != 0: raise dbus.exceptions.DBusException(output[1]) 
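Review bot: In `semanage()` the request body is written with `p.stdin.write(buf)` before `p.communicate()` is called, so a large `buf`, or a child that fills its stdout or stderr pipe before it has read all of stdin, can block this D-Bus service indefinitely. Hand the data to communicate instead, `output = p.communicate(buf)`, and drop the separate write. The next hunk has the same pattern: `customized()` and `semodule_list()` call `p.stdout.read()` before `communicate()` while stderr is also a pipe, and `buf, err = p.communicate()` would drain both. `buf` comes from any caller that passes the `org.selinux.semanage` polkit check, so its size is not under the service's control.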
@@ -658762,16 +658794,29 @@ index e94c38f..671be1a 100644 # another server to make the two systems have duplicate policy. # @slip.dbus.polkit.require_auth("org.selinux.customized") -@@ -42,7 +42,7 @@ class selinux_server(slip.dbus.service.Object): + @dbus.service.method("org.selinux", in_signature='', out_signature='s') + def customized(self): +- p = Popen(["/usr/sbin/semanage", "export"],stdout=PIPE, stderr=PIPE) ++ p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() if p.returncode and p.returncode != 0: raise OSError("Failed to read SELinux configuration: %s", output) return buf - + # - # The semodule_list method will return the output of semodule -l, using the customized polkit, +- # The semodule_list method will return the output of semodule -l, using the customized polkit, ++ # The semodule_list method will return the output of semodule --list=full, using the customized polkit, # since this is a readonly behaviour -@@ -56,7 +56,7 @@ class selinux_server(slip.dbus.service.Object): + # + @slip.dbus.polkit.require_auth("org.selinux.semodule_list") + @dbus.service.method("org.selinux", in_signature='', out_signature='s') + def semodule_list(self): +- p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE) ++ p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() if p.returncode and p.returncode != 0: raise OSError("Failed to list SELinux modules: %s", output) return buf @@ -659221,7 +659266,7 @@ index 74fb347..ec02fb2 100755 + print("Out") sys.exit(0) diff --git a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py -index 679725d..b540180 100644 +index 679725d..7499c1c 100644 --- a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py +++ b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py @@ -1,25 +1,30 @@ 
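Review bot: The two `raise OSError("Failed to ...: %s", output)` lines kept as context beside the changed Popen calls pass the format string and `output` as separate arguments, so `%s` is never filled in and the caller sees the raw format string together with the `(stdout, stderr)` tuple. Format before raising, e.g. `raise OSError("Failed to list SELinux modules: %s" % output[1])`, and do the same in `customized()`. Because stdout has already been consumed by `p.stdout.read()`, only the stderr element of `output` is expected to carry anything useful.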
@@ -659354,7 +659399,7 @@ index 679725d..b540180 100644 +def get_all_modules(): + all_modules = [] -+ cmd = "semodule -l 2>/dev/null" ++ cmd = "semodule --list=full 2>/dev/null" + try: + output = subprocess.check_output(cmd, + stderr=subprocess.STDOUT, @@ -659367,7 +659412,7 @@ index 679725d..b540180 100644 + + for i in l: + if len(i): -+ all_modules.append(i.split()[0]) ++ all_modules.append(i.split()[1]) + + return all_modules + @@ -660956,7 +661001,7 @@ index 6b53035..a06c6c4 100644 out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file")) out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file")) diff --git a/policycoreutils-2.4/sepolicy/sepolicy/gui.py b/policycoreutils-2.4/sepolicy/sepolicy/gui.py -index 5ca87b9..4437d9e 100644 +index 5ca87b9..23a6c33 100644 --- a/policycoreutils-2.4/sepolicy/sepolicy/gui.py +++ b/policycoreutils-2.4/sepolicy/sepolicy/gui.py @@ -1,4 +1,4 @@ @@ -661132,6 +661177,18 @@ index 5ca87b9..4437d9e 100644 "on_info_button_button_press_event" : self.on_help_button, "on_back_button_clicked" : self.on_help_back_clicked, "on_forward_button_clicked" : self.on_help_forward_clicked, +@@ -668,9 +663,9 @@ class SELinuxGui(): + self.module_dict = {} + for m in self.dbus.semodule_list().split("\n"): + mod = m.split() +- if len(mod) < 2: ++ if len(mod) < 3: + continue +- self.module_dict[mod[0]] = { "version": mod[1], "Disabled" : (len(mod) > 2) } ++ self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) } + + self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"]) + self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"]) @@ -703,7 +698,7 @@ class SELinuxGui(): def match_func(self, completion, key_string, iter, func_data): 
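Review bot: `all_modules.append(i.split()[1])` in get_all_modules is guarded only by `if len(i):`, so a non-empty line with a single field, which `[0]` handled, now raises IndexError. Check the field count the way the gui.py hunk in this commit does, e.g. `fields = i.split()` then `if len(fields) > 1: all_modules.append(fields[1])`. The command is also a bare `semodule` string with a shell redirect, whereas selinux_server.py calls `/usr/sbin/semodule` by absolute path in an argument list. The rest of the `check_output` call lies outside the hunk, so whether it runs through a shell cannot be confirmed from here.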
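Review bot: In the gui.py hunk, `self.module_dict["unconfined"]["Disabled"]` and `self.module_dict["permissivedomains"]["Disabled"]` are indexed unconditionally right after the loop that now skips every line with fewer than three fields. If `semodule_list()` returns output in another format or either module is not installed, the lookup raises KeyError during window setup. Guard each lookup, e.g. `self.enable_unconfined_button.set_active("unconfined" in self.module_dict and not self.module_dict["unconfined"]["Disabled"])`. The dict key also changes from `"version"` to `"priority"`; any reader of `["version"]` elsewhere in gui.py would need the same update, which this hunk does not show.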
@@ -661294,16 +661351,21 @@ index 5ca87b9..4437d9e 100644 self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) if self.transitions_radio_button.get_active(): -@@ -1441,7 +1436,7 @@ class SELinuxGui(): +@@ -1440,8 +1435,12 @@ class SELinuxGui(): + def stripsort(self, model, row1, row2, user_data): sort_column, _ = model.get_sort_column_id() val1 = self.unmarkup(model.get_value(row1, sort_column)) ++ if val1 is None: ++ val1 = "" val2 = self.unmarkup(model.get_value(row2, sort_column)) - return cmp(val1,val2) ++ if val2 is None: ++ val2 = "" + return (val1 > val2) - (val1 < val2) def display_more_detail(self, windows, path): it = self.boolean_filter.get_iter(path) -@@ -1627,7 +1622,7 @@ class SELinuxGui(): +@@ -1627,7 +1626,7 @@ class SELinuxGui(): self.files_type_combolist.clear() self.files_class_combolist.clear() compare = self.strip_domain(self.application) @@ -661312,7 +661374,7 @@ index 5ca87b9..4437d9e 100644 if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"): exclude_list.append(self.strip_domain(d[0])) -@@ -1638,7 +1633,7 @@ class SELinuxGui(): +@@ -1638,7 +1637,7 @@ class SELinuxGui(): self.files_class_combolist.set_value(iter, 0, sepolicy.file_type_str[files]) if ipage == EXE_PAGE and self.entrypoints != None: @@ -661321,7 +661383,7 @@ index 5ca87b9..4437d9e 100644 if exe.startswith(compare): iter = self.files_type_combolist.append() self.files_type_combolist.set_value(iter, 0, exe) -@@ -1648,7 +1643,7 @@ class SELinuxGui(): +@@ -1648,7 +1647,7 @@ class SELinuxGui(): self.files_class_combobox.set_sensitive(False) elif ipage == WRITABLE_PAGE and self.writable_files != None: 
@@ -661330,7 +661392,7 @@ index 5ca87b9..4437d9e 100644 if write.startswith(compare) and not self.exclude_type(write, exclude_list) and write in self.file_types: iter = self.files_type_combolist.append() self.files_type_combolist.set_value(iter, 0, write) -@@ -1665,7 +1660,7 @@ class SELinuxGui(): +@@ -1665,7 +1664,7 @@ class SELinuxGui(): self.more_types_files_liststore.set_value(iter, 0, app) self.files_class_combobox.set_active(0) except AttributeError: @@ -661339,7 +661401,7 @@ index 5ca87b9..4437d9e 100644 pass self.files_type_combobox.set_active(0) self.files_mls_entry.set_text("s0") -@@ -1706,13 +1701,13 @@ class SELinuxGui(): +@@ -1706,13 +1705,13 @@ class SELinuxGui(): try: if ipage == OUTBOUND_PAGE: @@ -661357,7 +661419,7 @@ index 5ca87b9..4437d9e 100644 for t,ports in netd[k]: if t not in port_types + ["port_t", "unreserved_port_t"]: if t.endswith("_type"): -@@ -1807,7 +1802,7 @@ class SELinuxGui(): +@@ -1807,7 +1806,7 @@ class SELinuxGui(): self.wait_mouse() try: self.dbus.semanage(update_buffer) @@ -661366,7 +661428,7 @@ index 5ca87b9..4437d9e 100644 self.error(e) self.ready_mouse() -@@ -1885,7 +1880,7 @@ class SELinuxGui(): +@@ -1885,7 +1884,7 @@ class SELinuxGui(): tree.set_value(iter, 2, fclass) def restore_to_default(self, *args): @@ -661375,7 +661437,7 @@ index 5ca87b9..4437d9e 100644 def invalid_entry_retry(self, *args): self.closewindow(self.error_check_window) -@@ -2138,7 +2133,7 @@ class SELinuxGui(): +@@ -2138,7 +2137,7 @@ class SELinuxGui(): def on_save_delete_file_equiv_clicked(self, *args): for delete in self.files_delete_liststore: @@ -661384,7 +661446,7 @@ index 5ca87b9..4437d9e 100644 def on_toggle_update(self, cell, path, model): model[path][0] = not model[path][0] -@@ -2180,7 +2175,6 @@ class SELinuxGui(): +@@ -2180,7 +2179,6 @@ class SELinuxGui(): self.update = True self.update_treestore.clear() for bools in self.cur_dict["boolean"]: 
@@ -661392,7 +661454,7 @@ index 5ca87b9..4437d9e 100644 iter = self.update_treestore.append(None) self.update_treestore.set_value(iter, 0, True) self.update_treestore.set_value(iter, 1, sepolicy.boolean_desc(bools)) -@@ -2411,8 +2405,11 @@ class SELinuxGui(): +@@ -2411,8 +2409,11 @@ class SELinuxGui(): cur = selinux.getfilecon(path)[1].split(":")[2] con = selinux.matchpathcon(path,0)[1].split(":")[2] if self.verify(_("Run restorecon on %(PATH)s to change its type from %(CUR_CONTEXT)s to the default %(DEF_CONTEXT)s?") % {"PATH":path, "CUR_CONTEXT": cur, "DEF_CONTEXT": con}, title="restorecon dialog") == Gtk.ResponseType.YES: @@ -661406,7 +661468,7 @@ index 5ca87b9..4437d9e 100644 def new_updates(self, *args): self.update_button.set_sensitive(self.modified()) -@@ -2446,8 +2443,8 @@ class SELinuxGui(): +@@ -2446,8 +2447,8 @@ class SELinuxGui(): self.wait_mouse() try: self.dbus.semanage(update_buffer) @@ -661417,7 +661479,7 @@ index 5ca87b9..4437d9e 100644 self.ready_mouse() self.init_cur() -@@ -2541,34 +2538,7 @@ class SELinuxGui(): +@@ -2541,34 +2542,7 @@ class SELinuxGui(): self.network_mls_label.set_visible(advanced) self.network_mls_entry.set_visible(advanced) @@ -661453,7 +661515,7 @@ index 5ca87b9..4437d9e 100644 if label.get_text() == ADVANCED_SEARCH_LABEL[1]: label.set_text(ADVANCED_SEARCH_LABEL[0]) self.close_popup() -@@ -2576,25 +2546,6 @@ class SELinuxGui(): +@@ -2576,25 +2550,6 @@ class SELinuxGui(): label.set_text(ADVANCED_SEARCH_LABEL[1]) self.show_popup(self.advanced_search_window) @@ -661479,7 +661541,7 @@ index 5ca87b9..4437d9e 100644 def set_enforce_text(self, value): if value: self.status_bar.push(self.context_id, _("System Status: Enforcing")) -@@ -2603,8 +2554,14 @@ class SELinuxGui(): +@@ -2603,8 +2558,14 @@ class SELinuxGui(): self.current_status_permissive.set_active(True) def set_enforce(self, button): 
@@ -661496,7 +661558,7 @@ index 5ca87b9..4437d9e 100644 def on_browse_select(self, *args): filename = self.file_dialog.get_filename() -@@ -2664,16 +2621,22 @@ class SELinuxGui(): +@@ -2664,16 +2625,22 @@ class SELinuxGui(): self.system_policy_type_combobox.set_active(self.typeHistory) return None @@ -661523,7 +661585,7 @@ index 5ca87b9..4437d9e 100644 def import_config_show(self, *args): self.file_dialog.set_action(Gtk.FileChooserAction.OPEN) -@@ -2730,7 +2693,7 @@ class SELinuxGui(): +@@ -2730,7 +2697,7 @@ class SELinuxGui(): return try: self.dbus.relabel_on_boot(active) @@ -661532,7 +661594,7 @@ index 5ca87b9..4437d9e 100644 self.error(e) def closewindow(self, window, *args): -@@ -2816,10 +2779,13 @@ class SELinuxGui(): +@@ -2816,10 +2783,13 @@ class SELinuxGui(): if not self.finish_init: return self.wait_mouse() @@ -663437,7 +663499,7 @@ index c6645ef..8965795 100644 + except dbus.DBusException as e: + print (e) diff --git a/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade b/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade -index 1275c7f..b848baa 100644 +index 1275c7f..83822dd 100644 --- a/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade +++ b/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade @@ -2,7 +2,7 @@ @@ -663510,6 +663572,15 @@ index 1275c7f..b848baa 100644 0.5 True +@@ -1061,7 +1043,7 @@ + + True + False +- images/booleans.png ++ help/booleans.png + + + False @@ -2948,7 +2930,7 @@ Enabled Executables which will transition to a different domain, when the 'selected domain' executes them. 1 diff --git a/policycoreutils.spec b/policycoreutils.spec index 04ef4af..ab6880f 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.4 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases 
@@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2 Source3: system-config-selinux.png Source4: sepolicy-icons.tgz # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/ -# HEAD https://github.com/fedora-selinux/selinux/commit/d0f3cdcf325dc08aae2a2884c9cdcb35d82baf19 +# HEAD https://github.com/fedora-selinux/selinux/commit/3f154b2e8e2978ba65afbd224f4bbd64e2374a36 Patch: policycoreutils-rhat.patch Patch1: sepolgen-rhat.patch Patch100: policycoreutils-fix-semanage-python3.patch @@ -404,6 +404,10 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon Dec 14 2015 Petr Lautrbach - 2.4-20 +- Fix 'semanage permissive -l' subcommand (#1286325) +- Several 'sepolicy gui' fixes (#1281309,#1281309,#1282382) + * Tue Nov 17 2015 Petr Lautrbach 2.4-19 - Require at least one argument for 'semanage permissive -d' (#1255676)