diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 1056618..1658f04 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1,5 +1,132 @@ ---- policycoreutils-1.17.6/scripts/fixfiles.rhat 2004-10-06 09:47:47.000000000 -0400 -+++ policycoreutils-1.17.6/scripts/fixfiles 2004-10-12 11:14:29.468471753 -0400 +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.8 policycoreutils-1.17.6/restorecon/restorecon.8 +--- nsapolicycoreutils/restorecon/restorecon.8 2004-10-06 09:47:27.000000000 -0400 ++++ policycoreutils-1.17.6/restorecon/restorecon.8 2004-10-22 15:32:09.757994544 -0400 +@@ -7,7 +7,7 @@ + .I [\-o outfilename ] [\-R] [\-n] [\-v] pathname... + .P + .B restorecon +-.I \-f infilename [\-o outfilename ] [\-R] [\-n] [\-v] ++.I \-f infilename [\-o outfilename ] [\-F] [\-R] [\-n] [\-v] + + .SH "DESCRIPTION" + This manual page describes the +@@ -26,6 +26,9 @@ + .B \-f infilename + infilename contains a list of files to be processed by application. Use \- for stdin. + .TP ++.B \-F ++restore file context even if admin customized file context. ++.TP + .B \-R + change files and directories file labels recursively + .TP +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.17.6/restorecon/restorecon.c +--- nsapolicycoreutils/restorecon/restorecon.c 2004-10-06 09:47:28.000000000 -0400 ++++ policycoreutils-1.17.6/restorecon/restorecon.c 2004-10-22 15:35:25.200282800 -0400 +@@ -8,11 +8,14 @@ + * to match the specification returned by matchpathcon. + * + * USAGE: +- * restorecon [-Rnv] pathname... ++ * restorecon [-FRnv] [-f inputfile ] [ -o outputfile ] pathname... + * ++ * -R recurse + * -n Do not change any file labels. + * -v Show changes in file labels. +- * -o filename save list of files with incorrect context ++ * -o filename save list of files with incorrect context ++ * -F Restore file context even if the customize flag is set ++ * -f filename to read from for changing filecontext + * + * pathname... 
The file(s) to label + * +@@ -42,11 +45,12 @@ + static char *progname; + static int errors=0; + static int recurse; ++static int force=0; + + void usage(const char * const name) + { + fprintf(stderr, +- "usage: %s [-Rnv] [-f filename | pathname... ]\n", name); ++ "usage: %s [-FRnv] [-f filename | pathname... ]\n", name); + exit(1); + } + int restore(char *filename) { +@@ -54,6 +58,8 @@ + int retval=0; + security_context_t scontext; + security_context_t prev_context; ++ unsigned int customized=0; ++ unsigned int flag=0; + int len=strlen(filename); + struct stat st; + char path[PATH_MAX+1]; +@@ -109,14 +115,27 @@ + return 0; + } + retcontext=lgetfilecon(filename,&prev_context); +- ++ + if (retcontext >= 0 || errno == ENODATA) { + if (retcontext < 0 || strcmp(prev_context,scontext) != 0) { +- if (outfile) { +- fprintf(outfile, "%s\n", filename); +- } ++ lgetfileconflag(filename, &flag); ++ customized=flag & SELINUX_CUSTOMIZE; ++ if (outfile && (!customized || force)) ++ fprintf(outfile, "%s\n", filename); + if (change) { +- retval=lsetfilecon(filename,scontext); ++ if (customized) { ++ if (force) { ++ retval=lsetfilecon(filename,scontext); ++ if (retval >= 0) ++ lsetfileconflag(filename, flag & !SELINUX_CUSTOMIZE); ++ } else { ++ if (verbose) ++ fprintf(stderr,"%s did not reset context for %s, marked flaganent\n", ++ progname, filename); ++ } ++ } else { ++ retval=lsetfilecon(filename,scontext); ++ } + } + if (retval<0) { + fprintf(stderr,"%s set context %s->%s failed:'%s'\n", +@@ -126,7 +145,7 @@ + freecon(scontext); + return 1; + } else +- if (verbose) ++ if (verbose && (!customized || force)) + fprintf(stderr,"%s reset context %s->%s\n", + progname, filename, scontext); + } +@@ -179,7 +198,7 @@ + + memset(buf,0, sizeof(buf)); + +- while ((opt = getopt(argc, argv, "Rnvf:o:")) > 0) { ++ while ((opt = getopt(argc, argv, "FRnvf:o:")) > 0) { + switch (opt) { + case 'n': + change = 0; +@@ -187,6 +206,9 @@ + case 'R': + recurse = 1; + break; ++ case 'F': ++ force = 1; ++ 
break; + case 'o': + outfile = fopen(optarg,"w"); + if (!outfile) { +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.17.6/scripts/fixfiles +--- nsapolicycoreutils/scripts/fixfiles 2004-10-06 09:47:28.000000000 -0400 ++++ policycoreutils-1.17.6/scripts/fixfiles 2004-10-22 15:32:09.759994240 -0400 @@ -31,6 +31,8 @@ outfileFlag=0 OUTFILES="" @@ -103,19 +230,9 @@ if [ $checkFlag = 1 ]; then checkLabels $rpmFiles fi ---- policycoreutils-1.17.6/scripts/Makefile.rhat 2004-10-06 09:47:47.000000000 -0400 -+++ policycoreutils-1.17.6/scripts/Makefile 2004-10-06 09:56:23.000000000 -0400 -@@ -12,7 +12,7 @@ - -mkdir -p $(BINDIR) - install -m 755 $(TARGETS) $(BINDIR) - install -m 755 fixfiles $(DESTDIR)/sbin -- install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron -+ install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron - -mkdir -p $(MANDIR)/man8 - install -m 644 fixfiles.8.gz $(MANDIR)/man8/ - ---- policycoreutils-1.17.6/scripts/fixfiles.cron.rhat 2004-10-06 09:47:47.000000000 -0400 -+++ policycoreutils-1.17.6/scripts/fixfiles.cron 2004-10-12 10:50:35.247751062 -0400 +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles.cron policycoreutils-1.17.6/scripts/fixfiles.cron +--- nsapolicycoreutils/scripts/fixfiles.cron 2004-09-10 11:25:57.000000000 -0400 ++++ policycoreutils-1.17.6/scripts/fixfiles.cron 2004-10-22 15:32:09.760994088 -0400 @@ -21,7 +21,8 @@ mail ${CRONMAILTO} -s "Invalid File Contexts" < $OUTFILE rm -f $OUTFILE 
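Review bot: `lsetfileconflag(filename, flag & !SELINUX_CUSTOMIZE)` in the forced-relabel branch of restore() uses logical NOT, so (assuming SELINUX_CUSTOMIZE is a non-zero bit mask) the expression reduces to `flag & 0` and clears every flag on the file rather than just the customize bit; the intended mask is `lsetfileconflag(filename, flag & ~SELINUX_CUSTOMIZE);`. The return value of the preceding `lgetfileconflag(filename, &flag);` is ignored, so a failed lookup leaves `flag` at 0, the file is treated as not customized and is relabelled and written to outfile, silently overriding an admin's marking; checking that return value (at least reporting it under -v) would make the failure visible, and the `lsetfileconflag` result should be checked too. The verbose message `marked flaganent` looks like a typo for something like `marked customized`. restore() begins and ends outside this hunk.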
@@ -126,3 +243,151 @@ fi else rm -f $OUTFILE +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-1.17.6/scripts/Makefile +--- nsapolicycoreutils/scripts/Makefile 2004-09-10 11:25:57.000000000 -0400 ++++ policycoreutils-1.17.6/scripts/Makefile 2004-10-22 15:32:09.761993936 -0400 +@@ -12,7 +12,7 @@ + -mkdir -p $(BINDIR) + install -m 755 $(TARGETS) $(BINDIR) + install -m 755 fixfiles $(DESTDIR)/sbin +- install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.daily/fixfiles.cron ++ install -D -m 755 fixfiles.cron $(DESTDIR)/etc/cron.weekly/fixfiles.cron + -mkdir -p $(MANDIR)/man8 + install -m 644 fixfiles.8.gz $(MANDIR)/man8/ + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-1.17.6/setfiles/setfiles.8 +--- nsapolicycoreutils/setfiles/setfiles.8 2004-10-06 09:47:28.000000000 -0400 ++++ policycoreutils-1.17.6/setfiles/setfiles.8 2004-10-22 15:32:09.761993936 -0400 +@@ -4,7 +4,7 @@ + + .SH "SYNOPSIS" + .B setfiles +-.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-W] spec_file pathname... ++.I [\-d] [\-l] [\-n] [\-e directory ] [\-o filename ] [\-q] [\-s] [\-v] [\-vv] [\-F] [\-W] spec_file pathname... + .SH "DESCRIPTION" + This manual page describes the + .BR setfiles +@@ -47,6 +47,9 @@ + .B \-vv + show changes in file labels, if type, role, or user are changing. + .TP ++.B \-F ++set file context even if admin customized file context. ++.TP + .B \-W + display warnings about entries that had no matching files. + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-1.17.6/setfiles/setfiles.c +--- nsapolicycoreutils/setfiles/setfiles.c 2004-10-06 09:47:28.000000000 -0400 ++++ policycoreutils-1.17.6/setfiles/setfiles.c 2004-10-22 15:36:18.282213120 -0400 +@@ -12,7 +12,7 @@ + * the user. The program does not cross file system boundaries. 
+ * + * USAGE: +- * setfiles [-dnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname... ++ * setfiles [-FdnpqsvW] [-e directory ] [-c policy] [-o filename ] spec_file pathname... + * + * -e Specify directory to exclude + * -c Verify the specification file using a binary policy +@@ -24,6 +24,7 @@ + * -s Use stdin for a list of files instead of searching a partition. + * -v Show changes in file labels. + * -W Warn about entries that have no matching file. ++ * -F reset file context even if the customize flag is set + * -o filename write out file names with wrong context. + * + * spec_file The specification file. +@@ -96,6 +97,7 @@ + static int use_stdin = 0; + static int verbose = 0; + static int log = 0; ++static int force = 0; + static int warn_no_match = 0; + static char *rootpath = NULL; + static int rootpathlen = 0; +@@ -515,9 +517,9 @@ + void usage(const char * const name) + { + fprintf(stderr, +- "usage: %s [-dnqvW] [-o filename] spec_file pathname...\n" ++ "usage: %s [-FdnqvW] [-o filename] spec_file pathname...\n" + "usage: %s [-c policyfile] spec_file\n" +- "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name); ++ "usage: %s -s [-FdnqvW] [-o filename ] spec_file\n", name, name, name); + exit(1); + } + +@@ -603,6 +605,8 @@ + struct stat my_sb; + int i, ret; + char *context; ++ unsigned int customize=0; ++ unsigned int fileconflag=0; + + /* Skip the extra slash at the beginning, if present. */ + if (file[0] == '/' && file[1] == '/') +@@ -675,7 +679,9 @@ + return 0; + } + +- if (verbose) { ++ lgetfileconflag(my_file, &fileconflag); ++ customize=fileconflag & SELINUX_CUSTOMIZE; ++ if (verbose && (!customize || force)) { + /* If we're just doing "-v", trim out any relabels where + * the user has changed but the role and type are the + * same. For "-vv", emit everything. 
*/ +@@ -686,22 +692,22 @@ + } + } + +- if (log && ++ if (log && (!customize || force) && + !only_changed_user(context, spec_arr[i].context)) { + syslog(LOG_INFO, "relabeling %s from %s to %s\n", + my_file, context, spec_arr[i].context); + } + +- if (outfile && ++ if (outfile && (!customize || force) && + !only_changed_user(context, spec_arr[i].context)) + fprintf(outfile, "%s\n", my_file); + + freecon(context); + + /* +- * Do not relabel the file if -n was used. ++ * Do not relabel the file if -n was used or if customized. + */ +- if (!change) ++ if (!change || (customize && !force)) + return 0; + + /* +@@ -714,6 +720,7 @@ + progname, my_file, spec_arr[i].context); + return 0; + } ++ lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE); + + return 0; + } +@@ -775,7 +782,7 @@ + memset(excludeArray,0, sizeof(excludeArray)); + + /* Process any options. */ +- while ((opt = getopt(argc, argv, "c:dlnqrsvWe:o:")) > 0) { ++ while ((opt = getopt(argc, argv, "Fc:dlnqrsvWe:o:")) > 0) { + switch (opt) { + case 'c': + { +@@ -837,6 +844,9 @@ + case 'l': + log = 1; + break; ++ case 'F': ++ force = 1; ++ break; + case 'n': + change = 0; + break; diff --git a/policycoreutils.spec b/policycoreutils.spec index 8802e2d..296072b 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,11 +1,11 @@ Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.17.6 -Release: 2 +Version: 1.17.7 +Release: 1 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz -Patch: policycoreutils-rhat.patch +#Patch: policycoreutils-rhat.patch Prefix: %{_prefix} BuildRequires: libselinux-devel >= 1.15.3 pam-devel libsepol-devel >= 1.1.1 @@ -32,7 +32,7 @@ context. %prep %setup -q -%patch -p1 -b .rhat +#%patch -p1 -b .rhat %build make CFLAGS="%{optflags}" all 
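Review bot: `lsetfileconflag(my_file, fileconflag & !SELINUX_CUSTOMIZE);` after the successful relabel uses logical NOT, so the second argument is always 0 (assuming SELINUX_CUSTOMIZE is non-zero) and every relabel wipes all of the file's flags; the intended mask is `fileconflag & ~SELINUX_CUSTOMIZE`. The call is also unconditional, so it runs for files that were never customized, and neither its return value nor that of the earlier `lgetfileconflag(my_file, &fileconflag);` is checked, which means a failed lookup leaves `fileconflag` at 0 and the file is silently treated as not customized despite -F not being given; guarding the write with `if (customize)` and reporting failures of both calls would close that gap. The enclosing function starts before and ends after this hunk.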
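Review bot: rpmbuild expands macros even on comment lines, so `#%patch -p1 -b .rhat` in %prep is still expanded at build time and, with the `Patch:` tag now commented out, is likely to fail or behave unexpectedly; escape it as `#%%patch -p1 -b .rhat` or delete the line. The commented `#Patch:` line is a tag rather than a macro and is not affected. If the intent is to carry no downstream patch at all, removing both lines is cleaner than leaving commented-out build steps that later readers may assume are inert.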
@@ -46,6 +46,7 @@ mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man1 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/pam.d make DESTDIR="${RPM_BUILD_ROOT}" install +rm -f ${RPM_BUILD_ROOT}%{_sysconfdir}/cron.weekly/fixfiles.cron %find_lang %{name} @@ -68,7 +69,6 @@ rm -rf ${RPM_BUILD_ROOT} %{_bindir}/newrole %{_bindir}/audit2allow %{_mandir}/man1/newrole.1.gz -%{_sysconfdir}/cron.weekly/fixfiles.cron %config %{_sysconfdir}/pam.d/newrole %{_sbindir}/run_init %config %{_sysconfdir}/pam.d/run_init @@ -77,6 +77,10 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Fri Oct 22 2004 Dan Walsh 1.17.7-1 +- Update to latest from NSA +- Eliminate fixfiles.cron + * Tue Oct 12 2004 Dan Walsh 1.17.6-2 - Only run fixfiles.cron once a week, and eliminate null message