From ea96d116614d1d559af8885f49e6be8f21fc3e66 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 21 2010 14:39:49 +0000 Subject: * Fri May 21 2010 Dan Walsh 2.0.82-22 - Fix can_exec definition in sepolgen --- diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 686b775..85a2114 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1549,8 +1549,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.82/sandbox/Makefile --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/Makefile 2010-04-28 17:12:19.000000000 -0400 -@@ -0,0 +1,41 @@ ++++ policycoreutils-2.0.82/sandbox/Makefile 2010-05-21 08:01:27.000000000 -0400 +@@ -0,0 +1,42 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr +INITDIR ?= ${DESTDIR}/etc/rc.d/init.d/ @@ -1573,6 +1573,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + install -m 755 sandbox $(BINDIR) + -mkdir -p $(MANDIR)/man8 + install -m 644 sandbox.8 $(MANDIR)/man8/ ++ install -m 644 seunshare.8 $(MANDIR)/man8/ + -mkdir -p $(SBINDIR) + install -m 4755 seunshare $(SBINDIR)/ + -mkdir -p $(SHAREDIR) 
@@ -2028,9 +2029,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + sys.exit(rc) diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.82/sandbox/sandbox.8 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-05-19 10:15:43.000000000 -0400 -@@ -0,0 +1,57 @@ -+.TH SANDBOX "8" "May 2009" "chcat" "User Commands" ++++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-05-21 08:13:10.000000000 -0400 +@@ -0,0 +1,61 @@ ++.TH SANDBOX "8" "May 2010" "sandbox" "User Commands" +.SH NAME +sandbox \- Run cmd under an SELinux sandbox +.SH SYNOPSIS @@ -2085,8 +2086,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.PP +.SH "SEE ALSO" +.TP -+runcon(1) ++runcon(1), seunshare(8), selinux(8) +.PP ++ ++.SH AUTHOR ++This manual page was written by ++.I Dan Walsh diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.82/sandbox/sandbox.config --- nsapolicycoreutils/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.82/sandbox/sandbox.config 2010-04-28 17:12:19.000000000 -0400 
@@ -2190,9 +2195,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + break +done +exit 0 +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.82/sandbox/seunshare.8 +--- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.82/sandbox/seunshare.8 2010-05-21 08:12:39.000000000 -0400 +@@ -0,0 +1,29 @@ ++.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands" ++.SH NAME ++seunshare \- Run cmd under an SELinux context ++.SH SYNOPSIS ++.B seunshare ++[ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ++.br ++.SH DESCRIPTION ++.PP ++Run the ++.I executable ++within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context. ++ ++.TP ++\fB\-h homedir\fR ++Alternate homedir to be used by the application. Homedir must be owned by the user. ++.TP ++\fB\-t\ tmpdir ++Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user. ++.TP ++\fB\-v\fR ++Verbose output ++.SH "SEE ALSO" ++.TP ++runcon(1), sandbox(8), selinux(8) ++.PP ++.SH AUTHOR ++This manual page was written by ++.I Dan Walsh diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.82/sandbox/seunshare.c --- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-05-19 11:01:58.000000000 -0400 ++++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-05-21 08:02:28.000000000 -0400 @@ -0,0 +1,304 @@ +#include +#include 
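Review bot: seunshare.8 never says that the command is installed setuid root, even though the sandbox Makefile in this same patch installs it with `install -m 4755 seunshare $(SBINDIR)/`, so the reader is not told why the -h and -t directories must be owned by the user. Add a sentence to DESCRIPTION such as `seunshare is installed setuid root; the homedir and tmpdir given with -h and -t must be owned by the invoking user.` Two smaller fixes in the same page: the -t entry reads `\fB\-t\ tmpdir` without the closing `\fR` that the -h and -v entries have, and "tempory" should be "temporary".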
@@ -2699,6 +2737,59 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po restore } +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-2.0.82/scripts/genhomedircon.8 +--- nsapolicycoreutils/scripts/genhomedircon.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.82/scripts/genhomedircon.8 2010-05-21 08:10:14.000000000 -0400 +@@ -0,0 +1,38 @@ ++.\" Hey, Emacs! This is an -*- nroff -*- source file. ++.\" Copyright (c) 2005 Manoj Srivastava ++.\" ++.\" This is free documentation; you can redistribute it and/or ++.\" modify it under the terms of the GNU General Public License as ++.\" published by the Free Software Foundation; either version 2 of ++.\" the License, or (at your option) any later version. ++.\" ++.\" The GNU General Public License's references to "object code" ++.\" and "executables" are to be interpreted as the output of any ++.\" document formatting or typesetting system, including ++.\" intermediate and printed output. ++.\" ++.\" This manual is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public ++.\" License along with this manual; if not, write to the Free ++.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, ++.\" USA. ++.\" ++.\" ++.TH GENHOMEDIRCON "8" "May 2010" "Security Enhanced Linux" "SELinux" ++.SH NAME ++genhomedircon \- generate SELinux file context configuration entries for user home directories ++.SH SYNOPSIS ++.B genhomedircon ++is a script that executes semodule to rebuild policy and create the ++labels for HOMEDIRS based on home directories returned by the getpw calls. 
++ ++This functionality is enabled via the usepasswd flag in /etc/selinux/semanage.conf. ++ ++.SH AUTHOR ++This manual page was written by ++.I Dan Walsh ++ +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.82/scripts/Makefile +--- nsapolicycoreutils/scripts/Makefile 2010-05-19 14:45:51.000000000 -0400 ++++ policycoreutils-2.0.82/scripts/Makefile 2010-05-21 08:13:36.000000000 -0400 +@@ -14,6 +14,7 @@ + install -m 755 genhomedircon $(SBINDIR) + -mkdir -p $(MANDIR)/man8 + install -m 644 fixfiles.8 $(MANDIR)/man8/ ++ install -m 644 genhomedircon.8 $(MANDIR)/man8/ + install -m 644 chcat.8 $(MANDIR)/man8/ + + clean: diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.82/semanage/default_encoding/default_encoding.c --- nsapolicycoreutils/semanage/default_encoding/default_encoding.c 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.82/semanage/default_encoding/default_encoding.c 2010-04-28 17:12:19.000000000 -0400 @@ -3406,7 +3497,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po Examples by Thomas Bleher . diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.82/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.82/semanage/seobject.py 2010-05-19 14:43:01.000000000 -0400 ++++ policycoreutils-2.0.82/semanage/seobject.py 2010-05-21 08:35:31.000000000 -0400 @@ -29,47 +29,12 @@ import gettext gettext.bindtextdomain(PROGNAME, "/usr/share/locale") 
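Review bot: In genhomedircon.8 the SYNOPSIS section carries the prose description (`is a script that executes semodule to rebuild policy ...`) and the page has no DESCRIPTION section, so a reader looking for the invocation line finds an explanation instead. Keep `.B genhomedircon` alone under SYNOPSIS and move the two paragraphs that follow under a new `.SH DESCRIPTION` heading. The comment header also states `Copyright (c) 2005 Manoj Srivastava` while the AUTHOR section credits Dan Walsh; if the header was carried over from another page, the attribution should say so or be replaced so the two do not contradict each other.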
@@ -3857,12 +3948,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) -@@ -1069,11 +1206,10 @@ +@@ -1068,12 +1205,11 @@ + if not exists: raise ValueError(_("Addr %s is not defined") % addr) - (rc, node) = semanage_node_query(self.sh, k) -- if rc < 0: -+ if rc < 0 or not node: +- (rc, node) = semanage_node_query(self.sh, k) ++ (rc, node) = semanage_node_query_local(self.sh, k) + if rc < 0: raise ValueError(_("Could not query addr %s") % addr) con = semanage_node_get_con(node) diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index e7f975d..ea268a3 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch @@ -1,5 +1,5 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py ---- nsasepolgen/src/sepolgen/access.py 2010-03-22 14:08:29.000000000 -0400 +--- nsasepolgen/src/sepolgen/access.py 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py 2010-04-28 17:12:20.000000000 -0400 @@ -32,6 +32,7 @@ """ @@ -46,7 +46,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco access.perms.update(perms) if audit_msg: diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py ---- nsasepolgen/src/sepolgen/audit.py 2010-03-22 14:08:29.000000000 -0400 +--- nsasepolgen/src/sepolgen/audit.py 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py 2010-04-28 17:12:20.000000000 -0400 @@ -68,6 +68,17 @@ stdout=subprocess.PIPE).communicate()[0] 
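Review bot: The rewritten node lookup drops the `or not node` guard that the previous revision of this patch had added: with `if rc < 0:` alone, a `semanage_node_query_local` call that returns rc >= 0 but no node object reaches `semanage_node_get_con(node)` on the next line with a null argument. Unless the local query is known never to do that, keep `if rc < 0 or not node:` so the caller still gets the `Could not query addr` ValueError rather than a failure inside the binding. The enclosing method starts outside this hunk, so I cannot see whether the `exists` check above was switched to the local table as well; if it still consults the full policy table, an address defined only in the base policy would pass `exists` and then fail here.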
@@ -132,7 +132,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor class AVCTypeFilter: diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py ---- nsasepolgen/src/sepolgen/defaults.py 2008-08-28 09:34:24.000000000 -0400 +--- nsasepolgen/src/sepolgen/defaults.py 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py 2010-04-28 17:12:20.000000000 -0400 @@ -30,6 +30,9 @@ def interface_info(): @@ -145,7 +145,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policy return "/usr/share/selinux/devel" diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py ---- nsasepolgen/src/sepolgen/interfaces.py 2008-08-28 09:34:24.000000000 -0400 +--- nsasepolgen/src/sepolgen/interfaces.py 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py 2010-05-03 09:33:11.000000000 -0400 @@ -29,6 +29,8 @@ @@ -263,7 +263,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli self.expand_ifcalls(headers) self.index() diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py ---- nsasepolgen/src/sepolgen/matching.py 2008-08-28 09:34:24.000000000 -0400 +--- nsasepolgen/src/sepolgen/matching.py 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py 2010-04-28 17:12:20.000000000 -0400 @@ -50,7 +50,7 @@ return 1 
@@ -294,8 +294,8 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policy def __iter__(self): return iter(self.children) diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py ---- nsasepolgen/src/sepolgen/policygen.py 2010-03-12 09:34:56.000000000 -0500 -+++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-04-28 17:12:20.000000000 -0400 +--- nsasepolgen/src/sepolgen/policygen.py 2010-05-19 14:45:51.000000000 -0400 ++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-05-21 10:36:31.000000000 -0400 @@ -29,6 +29,8 @@ import access import interfaces @@ -313,13 +313,14 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic def set_gen_refpol(self, if_set=None, perm_maps=None): """Set whether reference policy interfaces are generated. -@@ -151,8 +154,37 @@ +@@ -151,9 +154,41 @@ rule = refpolicy.AVRule(av) if self.dontaudit: rule.rule_type = rule.DONTAUDIT + rule.comment = "" if self.explain: rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) +- self.module.children.append(rule) + if av.type == audit2why.ALLOW: + rule.comment += "#!!!! This avc is allowed in the current policy\n" + if av.type == audit2why.DONTAUDIT: 
@@ -340,19 +341,35 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic + if not self.domains: + self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"] + types=[] -+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})): -+ if i not in self.domains: -+ types.append(i) -+ if len(types) == 1: -+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) -+ elif len(types) >= 1: -+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) -+ - self.module.children.append(rule) - - ++ ++ try: ++ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})): ++ if i not in self.domains: ++ types.append(i) ++ if len(types) == 1: ++ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) ++ elif len(types) >= 1: ++ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) ++ except: ++ pass ++ self.module.children.append(rule) + + + def add_access(self, av_set): +diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py +--- nsasepolgen/src/sepolgen/refparser.py 2010-05-19 14:45:51.000000000 -0400 ++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py 2010-05-21 10:26:43.000000000 -0400 +@@ -1044,7 +1044,7 @@ + # of misc_macros. We are just going to pretend that this is an interface + # to make the expansion work correctly. 
+ can_exec = refpolicy.Interface("can_exec") +- av = access.AccessVector(["$1","$2","file","execute_no_trans","read", ++ av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read", + "getattr","lock","execute","ioctl"]) + + can_exec.children.append(refpolicy.AVRule(av)) diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map ---- nsasepolgen/src/share/perm_map 2008-08-28 09:34:24.000000000 -0400 +--- nsasepolgen/src/share/perm_map 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map 2010-04-28 17:12:20.000000000 -0400 @@ -124,7 +124,7 @@ quotamod w 1 diff --git a/policycoreutils.spec b/policycoreutils.spec index cdb0067..4821032 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.82 -Release: 20%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -138,8 +138,10 @@ The policycoreutils-python package contains the management tools use to manage a %{_mandir}/man1/audit2why.1* %{_mandir}/man8/chcat.8* %{_mandir}/ru/man8/chcat.8* +%{_mandir}/man8/genhomedircon.8* %{_mandir}/man8/sandbox.8* %{_mandir}/man8/semanage.8* +%{_mandir}/man8/seunshare.8* %{_mandir}/ru/man8/semanage.8* %post python @@ -167,7 +169,6 @@ The policycoreutils-python package contains the scripts to create graphical sand %{_datadir}/sandbox/sandboxX.sh %triggerin python -- selinux-policy -. /etc/selinux/config selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null exit 0 
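Review bot: The new `try` around the sesearch loop ends in a bare `except: pass`, which swallows every exception including SystemExit and KeyboardInterrupt and hides real failures (an unreadable policy, an unexpected key in a sesearch result) behind a silently shorter rule comment. Narrow it to the exceptions the lookup can actually raise, or at minimum `except Exception:`, and leave a one-line comment stating the intent: `# annotation only; a failed policy query must not block rule generation`. The `if i not in self.domains` test runs once per search result against a list; building `set(self.domains)` once would keep it linear, though that is a nicety. The enclosing method starts outside this hunk; the `self.module.children.append(rule)` removed in the preceding hunk is re-added here after the try block, so the rule is still emitted on both paths.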
@@ -307,8 +308,18 @@ fi exit 0 %changelog +* Fri May 21 2010 Dan Walsh 2.0.82-22 +- Fix can_exec definition in sepolgen + +* Fri May 21 2010 Dan Walsh 2.0.82-21 +- Add man page for seunshare and genhomedircon +Resolves: #594303 +- Fix node management via semanage +Resolves: #591135 + * Wed May 19 2010 Dan Walsh 2.0.82-20 - Fixes from upstream for sandbox command +Resolves: #580938 * Thu May 13 2010 Dan Walsh 2.0.82-18 - Fix sandbox error handling on copyfile @@ -317,15 +328,13 @@ exit 0 * Tue May 11 2010 Dan Walsh 2.0.82-17 - Fix policy tool to have correct name in menus - Fix seunshare to handle /tmp being in ~/home -Resolves: #589232 - Fix saving of altered files -Resolves: #580938 +- Update translations * Tue May 4 2010 Dan Walsh 2.0.82-15 - Allow audit2allow to specify alternative policy file for analysis * Mon May 3 2010 Dan Walsh 2.0.82-14 -- Allow audit2allow to specify alternative policy file for analysis - Update po - Fix sepolgen --no_attrs Resolves: #588280