diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index a1d9971..04d36ac 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1335,11 +1335,144 @@ index 0000000..3ecf3eb +++ b/policycoreutils/sepolicy/sepolgen.8 
@@ -0,0 +1 @@ +.so man8/sepolicy-generate.8 +diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh +index 82fea52..29f9428 100644 +--- a/policycoreutils/sepolicy/sepolicy-bash-completion.sh ++++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh +@@ -81,7 +81,7 @@ _sepolicy () { + [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess' + [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newtype -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user' + [interface]='-h --help -a --list_admin" -u --list_user -l --list' +- [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web' ++ [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web -r --root' + [network]='-h --help -d --domain -l --list -p --port -t --type ' + [transition]='-h --help -s --source -t --target' + ) +@@ -156,6 +156,10 @@ _sepolicy () { + if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then + COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") ) + return 0 ++ elif test "$prev" = "-r" || test "$prev" = "--root" ; then ++ COMPREPLY=( $( compgen -d -- "$cur") ) ++ compopt -o filenames ++ return 0 + elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then + return 0 + elif test "$prev" = "-p" || test "$prev" = "--path" ; then +diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8 +index b6abdf5..c05c943 100644 +--- a/policycoreutils/sepolicy/sepolicy-manpage.8 ++++ b/policycoreutils/sepolicy/sepolicy-manpage.8 +@@ -5,7 +5,7 @@ sepolicy-manpage \- Generate a man page based on the installed SELinux Policy + .SH "SYNOPSIS" + + .br +-.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-a | \-d ] ++.B sepolicy manpage [\-w] [\-h] [\-p PATH ] [\-r ROOTDIR ] [\-a | \-d ] + + .SH "DESCRIPTION" + Use sepolicy 
manpage to generate manpages based on SELinux Policy. +@@ -24,6 +24,9 @@ Display help message + .I \-p, \-\-path + Specify the directory to store the created man pages. (Default to /tmp) + .TP ++.I \-r, \-\-root ++Specify alternate root directory to generate man pages from. (Default to /) ++.TP + .I \-w, \-\-web + Generate an additional HTML man pages for the specified domain(s). + diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py -index b25d3b2..e120959 100755 +index b25d3b2..7a15d88 100755 --- a/policycoreutils/sepolicy/sepolicy.py 
+++ b/policycoreutils/sepolicy/sepolicy.py -@@ -461,7 +461,10 @@ if __name__ == '__main__': +@@ -22,6 +22,8 @@ + # + # + import os, sys ++import selinux ++import sepolicy + from sepolicy import get_os_version + import argparse + import gettext +@@ -198,44 +200,44 @@ def network(args): + _print_net(d, net, "name_bind") + + def manpage(args): +- from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains ++ from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains, get_all_domains + + path = args.path +- if args.policy: +- for f in ( "policy.xml", "file_context", "file_context.homedirs"): +- if not os.path.exists(path + f): +- raise ValueError("manpage creation with alternate policy requires the %s file exist" % (path + f)) +- ++ if not args.policy and args.root != "/": ++ sepolicy.policy(sepolicy.get_installed_policy(args.root)) ++ + if args.all: + test_domains = gen_domains() + else: + test_domains = args.domain + + for domain in test_domains: +- m = ManPage(domain, path, args.web) ++ m = ManPage(domain, path, args.root, args.web) + print m.get_man_page_path() + + if args.web: + HTMLManPages(manpage_roles, manpage_domains, path, args.os) + + def gen_manpage_args(parser): +- man = parser.add_parser("manpage", +- help=_('Generate SELinux man pages')) +- +- man.add_argument("-p", "--path", dest="path", default="/tmp", +- help=_("path in which the generated SELinux man pages will be stored")) +- man.add_argument("-o", "--os", dest="os", default=get_os_version(), +- help=_("name of the OS for man pages")) +- man.add_argument("-w", "--web", dest="web", default=False, action="store_true", +- help=_("Generate HTML man pages structure for selected SELinux man page")) +- group = man.add_mutually_exclusive_group(required=True) +- group.add_argument("-a", "--all", dest="all", default=False, +- action="store_true", +- help=_("All domains")) +- group.add_argument("-d", "--domain", nargs="+", +- 
action=CheckDomain, +- help=_("Domain name(s) of man pages to be created")) +- man.set_defaults(func=manpage) ++ man = parser.add_parser("manpage", ++ help=_('Generate SELinux man pages')) ++ ++ man.add_argument("-p", "--path", dest="path", default="/tmp", ++ help=_("path in which the generated SELinux man pages will be stored")) ++ man.add_argument("-o", "--os", dest="os", default=get_os_version(), ++ help=_("name of the OS for man pages")) ++ man.add_argument("-w", "--web", dest="web", default=False, action="store_true", ++ help=_("Generate HTML man pages structure for selected SELinux man page")) ++ man.add_argument("-r", "--root", dest="root", default="/", ++ help=_("Alternate root directory, defaults to /")) ++ group = man.add_mutually_exclusive_group(required=True) ++ group.add_argument("-a", "--all", dest="all", default=False, ++ action="store_true", ++ help=_("All domains")) ++ group.add_argument("-d", "--domain", nargs="+", ++ action=CheckDomain, ++ help=_("Domain name(s) of man pages to be created")) ++ man.set_defaults(func=manpage) + + def gen_network_args(parser): + net = parser.add_parser("network", +@@ -283,7 +285,6 @@ def gen_communicate_args(parser): + comm.set_defaults(func=communicate) + + def booleans(args): +- import selinux + from sepolicy import boolean_desc + if args.all: + rc, args.booleans = selinux.security_get_boolean_names() +@@ -461,7 +462,10 @@ if __name__ == '__main__': gen_transition_args(subparsers) try: @@ -1352,13 +1485,14 @@ index b25d3b2..e120959 100755 sys.exit(0) except ValueError,e: diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py -index 5e7415c..1d77fa9 100644 +index 5e7415c..10abeec 100644 --- a/policycoreutils/sepolicy/sepolicy/__init__.py 
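Review bot: `args.root` reaches `get_installed_policy()` and `ManPage` from `manpage()` without any validation, and this hunk also removes the only existence check the function had. A root that is not a directory, or that lacks the policy files, is only detected wherever the first read fails (the later `__init__.py` and `manpage.py` hunks build `root + <absolute path>` strings with no check either), and the literal test `args.root != "/"` treats `//` or `/./` as an alternate root. I would normalise and check once before the policy reload, e.g. `args.root = os.path.realpath(args.root)` followed by `if not os.path.isdir(args.root): raise ValueError(_("%s is not a directory") % args.root)`, which the existing `except ValueError` handler in `__main__` would report. When `args.policy` is given together with `-r`, the policy and the file-context/`policy.xml` data appear to come from different trees, so that combination deserves either an error or a sentence in the man page. Separately, the `[manpage]` completion list in this hunk still offers `-all` where the parser defines `--all`.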
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py -@@ -37,6 +37,27 @@ CLASS = 'class' +@@ -37,9 +37,30 @@ CLASS = 'class' TRANSITION = 'transition' ROLE_ALLOW = 'role_allow' +-def __get_installed_policy(): +def info(setype, name=None): + dict_list = _policy.info(setype, name) + return dict_list @@ -1380,10 +1514,47 @@ index 5e7415c..1d77fa9 100644 + dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) + return dict_list + - def __get_installed_policy(): ++def get_installed_policy(root = "/"): + try: +- path = selinux.selinux_binary_policy_path() ++ path = root + selinux.selinux_binary_policy_path() + policies = glob.glob ("%s.*" % path ) + policies.sort() + return policies[-1] +@@ -85,7 +106,7 @@ all_domains = None + def get_all_domains(): + global all_domains + if not all_domains: +- all_domains = info(ATTRIBUTE,"domain")[0]["types"] ++ all_domains = info(ATTRIBUTE,"domain")[0]["types"] + return all_domains + + roles = None +@@ -139,49 +160,43 @@ def get_all_attributes(): + return all_attributes + + def policy(policy_file): ++ global all_domains ++ global all_attributes ++ global bools ++ global all_types ++ global role_allows ++ global users ++ global roles ++ global file_types ++ global port_types ++ all_domains = None ++ all_attributes = None ++ bools = None ++ all_types = None ++ role_allows = None ++ users = None ++ roles = None ++ file_types = None ++ port_types = None try: - path = selinux.selinux_binary_policy_path() -@@ -145,43 +166,19 @@ def policy(policy_file): + _policy.policy(policy_file) + except: raise ValueError(_("Failed to read %s policy file") % policy_file) @@ -1391,7 +1562,7 @@ index 5e7415c..1d77fa9 100644 -if not policy_file: - policy_file = __get_installed_policy() - -+policy_file = __get_installed_policy() ++policy_file = get_installed_policy() try: policy(policy_file) except ValueError, e: 
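Review bot: `policy()` now clears nine module-level caches by hand, but `booleans_dict`, which `gen_bool_dict()` declares `global` further down this file, is not among them. If `gen_bool_dict()` memoises its result without regard to `path` (its body is outside the visible hunks, so this needs confirming), a process that loads a second policy or root would keep serving boolean descriptions from the first tree. Consider resetting `booleans_dict` here in the same way it is initialised, and put a comment above the list such as `# cached query results describe the previously loaded policy; drop them all` so that the next cache added to the module is not forgotten.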
@@ -1429,10 +1600,15 @@ index 5e7415c..1d77fa9 100644 def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): global booleans_dict diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py -index 25062da..def78e9 100755 +index 25062da..da17c48 100755 --- a/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py -@@ -28,7 +28,7 @@ import string +@@ -24,11 +24,12 @@ + # + __all__ = [ 'ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_domains' ] + ++from sepolicy import network + import string import argparse import selinux import sepolicy 
@@ -1441,7 +1617,65 @@ index 25062da..def78e9 100755 import commands import sys, os, re, time -@@ -947,13 +947,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" +@@ -416,40 +417,33 @@ class ManPage: + """ + Generate a Manpage on an SELinux domain in the specified path + """ +- all_attributes = get_all_attributes() +- all_domains = get_all_domains() +- all_bools = get_all_bools() +- all_port_types = get_all_port_types() +- all_roles = get_all_roles() +- all_users = get_all_users_info()[0] +- all_users_range = get_all_users_info()[1] +- all_file_types = get_all_file_types() +- types = _gen_types() + modules_dict = None +- domains = gen_domains() +- role_allows = get_all_role_allows() + enabled_str = ["Disabled", "Enabled"] + +- def __init__(self, domainname, path = "/tmp", html = False): ++ def __init__(self, domainname, path = "/tmp", root="/", html = False): + self.html = html ++ self.root = root + self.portrecs = network.portrecs +- +- fcpath = path + "/file_contexts" +- if os.path.exists(fcpath): +- self.fcpath = fcpath +- else: +- self.fcpath = selinux.selinux_file_context_path() ++ self.domains = gen_domains() ++ self.all_domains = get_all_domains() ++ self.all_attributes = get_all_attributes() ++ self.all_bools = get_all_bools() ++ self.all_port_types = get_all_port_types() ++ self.all_roles = get_all_roles() ++ self.all_users = get_all_users_info()[0] ++ self.all_users_range = get_all_users_info()[1] ++ self.all_file_types = get_all_file_types() ++ self.role_allows = get_all_role_allows() ++ self.types = _gen_types() ++ ++ self.fcpath = self.root + selinux.selinux_file_context_path() + self.fcdict = _gen_fcdict(self.fcpath) + + if not os.path.exists(path): + os.makedirs(path) +- self.path = path + +- xmlpath = path + "/policy.xml" +- if os.path.exists(xmlpath): +- self.xmlpath = xmlpath +- else: +- self.xmlpath = "/usr/share/selinux/devel/policy.xml" ++ self.path = path ++ self.xmlpath = self.root + 
"/usr/share/selinux/devel/policy.xml" + self.booleans_dict = gen_bool_dict(self.xmlpath) + + if domainname.endswith("_t"): +@@ -947,13 +941,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" .B restorecon -F -R -v /var/%(domainname)s .pp .TP @@ -1458,6 +1692,14 @@ index 25062da..def78e9 100755 """ % {'domainname':self.domainname}) for b in self.anon_list: desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:] +@@ -1230,6 +1225,7 @@ The SELinux user %s_u is not able to terminal login. + """ % self.domainname) + + def _network(self): ++ from sepolicy import network + self.fd.write(""" + .SH NETWORK + """) diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 index 80b6d6e..07c5ee2 100644 --- a/policycoreutils/setfiles/restorecon.8 diff --git a/policycoreutils.spec b/policycoreutils.spec index a5f197c..726d2aa 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -326,6 +326,11 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Wed Feb 20 2013 Dan Walsh - 2.1.14-7 +- Add --root/-r flag to sepolicy manpage, +- This allows us to generate man pages on the fly in the selinux-policy build + + * Mon Feb 18 2013 Dan Walsh - 2.1.14-6 - Fix newrole to retain cap_audit_write when compiled with namespace, also do not drop capabilities when run as root.