From 577b79db7e7fdb69f07cd87189805a246f008a76 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Nov 21 2022 15:06:48 +0000 Subject: policycoreutils-3.4-7 - Rebase on upstream f56a72ac9e86 - sepolicy: fix sepolicy manpage -w - sandbox: add -R option to alternate XDG_RUNTIME_DIR - Remove dependency on the Python module distutils --- diff --git a/0001-libselinux-declare-return-value-of-context_str-3-con.patch b/0001-libselinux-declare-return-value-of-context_str-3-con.patch new file mode 100644 index 0000000..bcd29f7 --- /dev/null +++ b/0001-libselinux-declare-return-value-of-context_str-3-con.patch 
@@ -0,0 +1,36 @@
+From dd98fa322766760c4e1f029cf19d2515a583304f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Fri, 20 May 2022 15:16:10 +0200
+Subject: [PATCH] libselinux: declare return value of context_str(3) const
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+context_str(3) returns a string representation of the given context.
+This string is owned by the context and free'd on context_free(3).
+Declare it const, as already done in the man page, since it must not be
+free'd by the caller.
+
+Signed-off-by: Christian Göttsche
+Acked-by: Nicolas Iooss
+---
+ policycoreutils/newrole/newrole.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
+index ae37d7253761..c2afa37e0ac3 100644
+--- a/policycoreutils/newrole/newrole.c
++++ b/policycoreutils/newrole/newrole.c
+@@ -842,7 +842,7 @@ static int parse_command_line_arguments(int argc, char **argv, char *ttyn,
+ char *type_ptr = NULL; /* stores malloc'd data from get_default_type */
+ char *level_s = NULL; /* level spec'd by user in argv[] */
+ char *range_ptr = NULL;
+- char *new_con = NULL;
++ const char *new_con = NULL;
+ char *tty_con = NULL;
+ context_t context = NULL; /* manipulatable form of new_context */
+ const struct option long_options[] = {
+--
+2.38.1
+
diff --git a/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
deleted file mode 100644
index 1b5b9c9..0000000
--- a/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+++ /dev/null
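Review bot: Making `new_con` a `const char *` documents that the pointer is borrowed, but it does not protect against the other hazard the commit message describes: the string is owned by `context` and is released by `context_free(3)`, so any use of `new_con` after that call is a use-after-free that const cannot catch. A comment at the declaration would keep the lifetime visible where the pointer is introduced, e.g. `const char *new_con = NULL; /* borrowed from context; invalid after context_free(context) */`. The body of parse_command_line_arguments continues outside the hunk, so the order of the last use of new_con relative to context_free cannot be checked here.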
@@ -1,27 +0,0 @@ -From f361ee407490bc74b43ec408b1edc70cd647d4e0 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 20 Aug 2015 12:58:41 +0200 -Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in - recent Fedoras -Content-type: text/plain - ---- - sandbox/sandboxX.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh -index eaa500d08143..4774528027ef 100644 ---- a/sandbox/sandboxX.sh -+++ b/sandbox/sandboxX.sh -@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF - - EOF - --(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do -+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do - export DISPLAY=:$D - cat > ~/seremote << __EOF - #!/bin/sh --- -2.35.1 - diff --git a/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch deleted file mode 100644 index 998345e..0000000 --- a/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 71a2f14767c0ec70c23ecce43d7cbc5404c95552 Mon Sep 17 00:00:00 2001 -From: Dan Walsh -Date: Mon, 21 Apr 2014 13:54:40 -0400 -Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages -Content-type: text/plain - -Signed-off-by: Miroslav Grepl ---- - python/sepolicy/sepolicy/manpage.py | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 3e61e333193f..82338aeeef32 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -737,10 +737,13 @@ Default Defined Ports:""") - - def _file_context(self): - flist = [] -+ flist_non_exec = [] - mpaths = [] - for f in self.all_file_types: - if f.startswith(self.domainname): - flist.append(f) -+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f): -+ flist_non_exec.append(f) - if f in self.fcdict: - mpaths = mpaths + self.fcdict[f]["regex"] - if len(mpaths) == 0: -@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d - SELinux defines the file context types for the %(domainname)s, if you wanted to - store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. - --.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?' -+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?' - .br - .B restorecon -R -v /srv/my%(domainname)s_content - - Note: SELinux often uses regular expressions to specify labels that match multiple files. --""" % {'domainname': self.domainname, "type": flist[0]}) -+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]}) - - self.fd.write(r""" - .I The following file types are defined for %(domainname)s: --- -2.35.1 - 
diff --git a/0002-semodule-avoid-toctou-on-output-module.patch b/0002-semodule-avoid-toctou-on-output-module.patch
new file mode 100644
index 0000000..6518d4a
--- /dev/null
+++ b/0002-semodule-avoid-toctou-on-output-module.patch
@@ -0,0 +1,49 @@
+From 6d02b2fa29954e239721907e1fce238f25ea4f2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Fri, 20 May 2022 15:19:52 +0200
+Subject: [PATCH] semodule: avoid toctou on output module
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+Do not check for file existence and open afterwards, open with the
+exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
+in C11).
+
+Found by GitHub CodeQL.
+
+Signed-off-by: Christian Göttsche
+Acked-by: Nicolas Iooss
+---
+ policycoreutils/semodule/semodule.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index 1ed8e69054e0..48bc28dd0973 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -550,15 +550,12 @@ int main(int argc, char *argv[])
+ goto cleanup_extract;
+ }
+
+- if (access(output_path, F_OK) == 0) {
+- fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
+- result = -1;
+- goto cleanup_extract;
+- }
+-
+- output_fd = fopen(output_path, "w");
++ output_fd = fopen(output_path, "wx");
+ if (output_fd == NULL) {
+- fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
++ if (errno == EEXIST)
++ fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
++ else
++ fprintf(stderr, "%s: Unable to open %s: %s\n", argv[0], output_path, strerror(errno));
+ result = -1;
+ goto cleanup_extract;
+ }
+--
+2.38.1
+
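Review bot: The correctness of the new `fopen(output_path, "wx")` now rests entirely on the `"x"` mode letter being honoured; on a libc that ignores unknown mode characters the call may degrade to a plain `"w"`, and the race and the silent clobbering of an existing file return without any diagnostic, so the commit message's note about glibc and musl support belongs in the code. I would add above the call: `/* "x" (C11, glibc, musl): O_CREAT|O_EXCL, so an existing file or symlink at output_path fails with EEXIST instead of being truncated; this closes the TOCTOU of the former access() check. */`. The new branches also read `errno` and call `strerror()`, which need `<errno.h>` and `<string.h>`; the include list is outside the hunk, so confirm semodule.c already has them. main's body continues outside the hunk.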
diff --git a/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch deleted file mode 100644 index aca9199..0000000 --- a/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +++ /dev/null @@ -1,28 +0,0 @@ -From d55a06c002641dce1301b9b5639bd8e206460724 Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Mon, 12 May 2014 14:11:22 +0200 -Subject: [PATCH] If there is no executable we don't want to print a part of - STANDARD FILE CONTEXT -Content-type: text/plain - ---- - python/sepolicy/sepolicy/manpage.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 82338aeeef32..ec8aa1cb94a2 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d - .PP - """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) - -- self.fd.write(r""" -+ if flist_non_exec: -+ self.fd.write(r""" - .PP - .B STANDARD FILE CONTEXT - --- -2.35.1 - diff --git a/0003-python-Split-semanage-import-into-two-transactions.patch b/0003-python-Split-semanage-import-into-two-transactions.patch new file mode 100644 index 0000000..8506690 --- /dev/null +++ b/0003-python-Split-semanage-import-into-two-transactions.patch 
@@ -0,0 +1,65 @@ +From abaf812c3877f6b595eb8643582eacef2dd4df3f Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 30 May 2022 14:20:21 +0200 +Subject: [PATCH] python: Split "semanage import" into two transactions +Content-type: text/plain + +First transaction applies all deletion operations, so that there are no +collisions when applying the rest of the changes. + +Fixes: + # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024 + # semanage export | semanage import + ValueError: Port tcp/3024 already defined + +Signed-off-by: Vit Mojzis +--- + python/semanage/semanage | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/python/semanage/semanage b/python/semanage/semanage +index 8f4e44a7a9cd..1d8281281d05 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -852,10 +852,29 @@ def handleImport(args): + trans = seobject.semanageRecords(args) + trans.start() + ++ deleteCommands = [] ++ commands = [] ++ # separate commands for deletion from the rest so they can be ++ # applied in a separate transaction + for l in sys.stdin.readlines(): + if len(l.strip()) == 0: + continue ++ if "-d" in l or "-D" in l: ++ deleteCommands.append(l) ++ else: ++ commands.append(l) ++ ++ if deleteCommands: ++ importHelper(deleteCommands) ++ trans.finish() ++ trans.start() ++ ++ importHelper(commands) ++ trans.finish() + ++ ++def importHelper(commands): ++ for l in commands: + try: + commandParser = createCommandParser() + args = commandParser.parse_args(mkargv(l)) +@@ -869,8 +888,6 @@ def handleImport(args): + except KeyboardInterrupt: + sys.exit(0) + +- trans.finish() +- + + def setupImportParser(subparsers): + importParser = subparsers.add_parser('import', help=_('Import local customizations')) +-- +2.38.1 + diff --git a/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch b/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch deleted file mode 100644 index 045c033..0000000 
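Review bot: The classification `if "-d" in l or "-D" in l:` is a substring test on the whole line, so any non-delete record whose argument text happens to contain `-d` or `-D` (a file-context path such as `/opt/my-daemon(/.*)?`, to give a constructed example) is queued into the deletion batch and applied in the first transaction, which defeats the ordering the commit introduces and can reproduce the "already defined" failure it fixes. Since `importHelper` already tokenises each line with `mkargv(l)`, test the tokens instead: `tokens = mkargv(l)` / `if "-d" in tokens or "-D" in tokens:`. The body of `importHelper` between `commandParser.parse_args` and the `except KeyboardInterrupt` handler is outside the hunk, so whether any other per-line state depends on the original single-transaction flow cannot be checked here.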
--- a/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -From b180f7679c5e09535416f47d48afd0c0738f5fa9 Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Thu, 19 Feb 2015 17:45:15 +0100 -Subject: [PATCH] Simplication of sepolicy-manpage web functionality. - system_release is no longer hardcoded and it creates only index.html and html - man pages in the directory for the system release. -Content-type: text/plain - ---- - python/sepolicy/sepolicy/__init__.py | 25 +++-------- - python/sepolicy/sepolicy/manpage.py | 65 +++------------------------- - 2 files changed, 13 insertions(+), 77 deletions(-) - -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 203ca25f4210..9447812b7450 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -1225,27 +1225,14 @@ def boolean_desc(boolean): - - - def get_os_version(): -- os_version = "" -- pkg_name = "selinux-policy" -+ system_release = "" - try: -- try: -- from commands import getstatusoutput -- except ImportError: -- from subprocess import getstatusoutput -- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name) -- if rc == 0: -- os_version = output.split(".")[-2] -- except: -- os_version = "" -- -- if os_version[0:2] == "fc": -- os_version = "Fedora" + os_version[2:] -- elif os_version[0:2] == "el": -- os_version = "RHEL" + os_version[2:] -- else: -- os_version = "" -+ with open('/etc/system-release') as f: -+ system_release = f.readline() -+ except IOError: -+ system_release = "Misc" - -- return os_version -+ return system_release - - - def reinit(): -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index ec8aa1cb94a2..c632d05dbb1b 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -151,10 +151,6 @@ def prettyprint(f, trim): - manpage_domains = [] - manpage_roles = [] - --fedora_releases = ["Fedora17", "Fedora18"] --rhel_releases = ["RHEL6", "RHEL7"] -- -- - def 
get_alphabet_manpages(manpage_list): - alphabet_manpages = dict.fromkeys(string.ascii_letters, []) - for i in string.ascii_letters: -@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage): - class HTMLManPages: - - """ -- Generate a HHTML Manpages on an given SELinux domains -+ Generate a HTML Manpages on an given SELinux domains - """ - - def __init__(self, manpage_roles, manpage_domains, path, os_version): -@@ -192,9 +188,9 @@ class HTMLManPages: - self.manpage_domains = get_alphabet_manpages(manpage_domains) - self.os_version = os_version - self.old_path = path + "/" -- self.new_path = self.old_path + self.os_version + "/" -+ self.new_path = self.old_path - -- if self.os_version in fedora_releases or self.os_version in rhel_releases: -+ if self.os_version: - self.__gen_html_manpages() - else: - print("SELinux HTML man pages can not be generated for this %s" % os_version) -@@ -203,7 +199,6 @@ class HTMLManPages: - def __gen_html_manpages(self): - self._write_html_manpage() - self._gen_index() -- self._gen_body() - self._gen_css() - - def _write_html_manpage(self): -@@ -221,67 +216,21 @@ class HTMLManPages: - convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) - - def _gen_index(self): -- index = self.old_path + "index.html" -- fd = open(index, 'w') -- fd.write(""" -- -- -- -- SELinux man pages online -- -- --

SELinux man pages

--

--Fedora or Red Hat Enterprise Linux Man Pages. --

--
--

Fedora

-- -- --
--
--
--""")
--        for f in fedora_releases:
--            fd.write("""
--%s - SELinux man pages for %s """ % (f, f, f, f))
--
--        fd.write("""
--
--
--

RHEL

-- -- --
--
--
--""")
--        for r in rhel_releases:
--            fd.write("""
--%s - SELinux man pages for %s """ % (r, r, r, r))
--
--        fd.write("""
--
-- """) -- fd.close() -- print("%s has been created" % index) -- -- def _gen_body(self): - html = self.new_path + self.os_version + ".html" - fd = open(html, 'w') - fd.write(""" - - -- -- Linux man-pages online for Fedora18 -+ -+ SELinux man pages online - - --

SELinux man pages for Fedora18

-+

SELinux man pages for %s

-
- -
-

SELinux roles

--""") -+""" % self.os_version) - for letter in self.manpage_roles: - if len(self.manpage_roles[letter]): - fd.write(""" --- -2.35.1 - diff --git a/0004-python-audit2allow-close-file-stream-on-error.patch b/0004-python-audit2allow-close-file-stream-on-error.patch new file mode 100644 index 0000000..1995aec --- /dev/null +++ b/0004-python-audit2allow-close-file-stream-on-error.patch @@ -0,0 +1,50 @@ +From c14a86af9a2304175e54897634f808b42345325b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 20 May 2022 14:51:07 +0200 +Subject: [PATCH] python/audit2allow: close file stream on error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Content-type: text/plain + + sepolgen-ifgen-attr-helper.c: In function ‘load_policy’: + sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak] + 196 | fprintf(stderr, "Out of memory!\n"); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + python/audit2allow/sepolgen-ifgen-attr-helper.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c +index 6f3ba96260de..5e6cffc1887d 100644 +--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c ++++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c +@@ -194,12 +194,14 @@ static policydb_t *load_policy(const char *filename) + policydb = malloc(sizeof(policydb_t)); + if (policydb == NULL) { + fprintf(stderr, "Out of memory!\n"); ++ fclose(fp); + return NULL; + } + + if (policydb_init(policydb)) { + fprintf(stderr, "Out of memory!\n"); + free(policydb); ++ fclose(fp); + return NULL; + } + +@@ -208,6 +210,7 @@ static policydb_t *load_policy(const char *filename) + fprintf(stderr, + "error(s) encountered while parsing configuration\n"); + free(policydb); ++ fclose(fp); + return NULL; + } + +-- +2.38.1 + 
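Review bot: The parse-failure branch in the third hunk (reached after `policydb_init(policydb)` has succeeded) now closes `fp` but still tears the policydb down with a bare `free(policydb)`, so the tables `policydb_init` allocated, and whatever the read filled in before failing, leak in the same way the file stream did; `policydb_destroy(policydb);` before the `free` would release them. If load_policy's caller exits on NULL this is harmless in practice, but the analyzer that flagged the FILE leak will report the same class of issue here. The success path of load_policy is outside the hunk, so whether `fp` is closed there cannot be confirmed from this hunk.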
diff --git a/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch b/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch deleted file mode 100644 index 948881f..0000000 --- a/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 1747f59fece8183772e5591ce5b5feb5f421f602 Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Fri, 20 Feb 2015 16:42:01 +0100 -Subject: [PATCH] We want to remove the trailing newline for - /etc/system_release. -Content-type: text/plain - ---- - python/sepolicy/sepolicy/__init__.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 9447812b7450..aa8beda313c8 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -1228,7 +1228,7 @@ def get_os_version(): - system_release = "" - try: - with open('/etc/system-release') as f: -- system_release = f.readline() -+ system_release = f.readline().rstrip() - except IOError: - system_release = "Misc" - --- -2.35.1 - diff --git a/0005-gettext-handle-unsupported-languages-properly.patch b/0005-gettext-handle-unsupported-languages-properly.patch new file mode 100644 index 0000000..c0d405a --- /dev/null +++ b/0005-gettext-handle-unsupported-languages-properly.patch 
@@ -0,0 +1,349 @@ +From 344463076b2a91e1d2c7f5cc3835dc1a53a05e88 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 24 Jun 2022 16:24:25 +0200 +Subject: [PATCH] gettext: handle unsupported languages properly +Content-type: text/plain + +With "fallback=True" gettext.translation behaves the same as +gettext.install and uses NullTranslations in case the +translation file for given language was not found (as opposed to +throwing an exception). + +Fixes: + # LANG is set to any "unsupported" language, e.g. en_US.UTF-8 + $ chcat --help + Traceback (most recent call last): + File "/usr/bin/chcat", line 39, in + t = gettext.translation(PROGNAME, + File "/usr/lib64/python3.9/gettext.py", line 592, in translation + raise FileNotFoundError(ENOENT, + FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python' + +Signed-off-by: Vit Mojzis +Reviewed-by: Daniel Burgener +Acked-by: Petr Lautrbach +--- + gui/booleansPage.py | 3 ++- + gui/domainsPage.py | 3 ++- + gui/fcontextPage.py | 3 ++- + gui/loginsPage.py | 3 ++- + gui/modulesPage.py | 3 ++- + gui/polgengui.py | 3 ++- + gui/portsPage.py | 3 ++- + gui/semanagePage.py | 3 ++- + gui/statusPage.py | 3 ++- + gui/system-config-selinux.py | 3 ++- + gui/usersPage.py | 3 ++- + python/chcat/chcat | 5 +++-- + python/semanage/semanage | 3 ++- + python/semanage/seobject.py | 3 ++- + python/sepolgen/src/sepolgen/sepolgeni18n.py | 4 +++- + python/sepolicy/sepolicy.py | 3 ++- + python/sepolicy/sepolicy/__init__.py | 3 ++- + python/sepolicy/sepolicy/generate.py | 3 ++- + python/sepolicy/sepolicy/gui.py | 3 ++- + python/sepolicy/sepolicy/interface.py | 3 ++- + sandbox/sandbox | 3 ++- + 21 files changed, 44 insertions(+), 22 deletions(-) + +diff --git a/gui/booleansPage.py b/gui/booleansPage.py +index 5beec58bc360..ad11a9b24c79 100644 +--- a/gui/booleansPage.py ++++ b/gui/booleansPage.py +@@ -46,7 +46,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) 
++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/domainsPage.py b/gui/domainsPage.py +index e08f34b4d3a9..e6eadd61c1bc 100644 +--- a/gui/domainsPage.py ++++ b/gui/domainsPage.py +@@ -38,7 +38,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py +index bac2bec3ebbd..767664f26ec8 100644 +--- a/gui/fcontextPage.py ++++ b/gui/fcontextPage.py +@@ -55,7 +55,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/loginsPage.py b/gui/loginsPage.py +index 18b93d8c9756..7e08232a90b5 100644 +--- a/gui/loginsPage.py ++++ b/gui/loginsPage.py +@@ -37,7 +37,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/modulesPage.py b/gui/modulesPage.py +index c546d455d4cd..02b79f150a13 100644 +--- a/gui/modulesPage.py ++++ b/gui/modulesPage.py +@@ -38,7 +38,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/polgengui.py b/gui/polgengui.py +index a18f1cba17b9..7a3ecd50c91c 100644 +--- a/gui/polgengui.py ++++ b/gui/polgengui.py +@@ -71,7 +71,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/portsPage.py b/gui/portsPage.py +index 54aa80ded327..bee2bdf17b99 100644 +--- a/gui/portsPage.py ++++ b/gui/portsPage.py +@@ -43,7 +43,8 @@ try: + kwargs['unicode'] = True + t = 
gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/semanagePage.py b/gui/semanagePage.py +index 1371d4e7dabe..efad14d9b375 100644 +--- a/gui/semanagePage.py ++++ b/gui/semanagePage.py +@@ -30,7 +30,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/statusPage.py b/gui/statusPage.py +index c241ef83dfa0..832849e60d60 100644 +--- a/gui/statusPage.py ++++ b/gui/statusPage.py +@@ -43,7 +43,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py +index 1b460c99363b..9f53b7fe9020 100644 +--- a/gui/system-config-selinux.py ++++ b/gui/system-config-selinux.py +@@ -53,7 +53,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/gui/usersPage.py b/gui/usersPage.py +index d51bd968b77e..9acd3b844056 100644 +--- a/gui/usersPage.py ++++ b/gui/usersPage.py +@@ -37,7 +37,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/python/chcat/chcat b/python/chcat/chcat +index e779fcc6ebd7..952cb8187599 100755 +--- a/python/chcat/chcat ++++ b/python/chcat/chcat +@@ -38,9 +38,10 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext +-except ImportError: ++except: + try: + import builtins + builtins.__dict__['_'] = str +diff --git 
a/python/semanage/semanage b/python/semanage/semanage +index 1d8281281d05..4e8d64d6863a 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -38,7 +38,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index ff8f4e9c3008..0782c082dc0c 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -42,7 +42,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py +index 56ebd807c69c..1ff307d9b27d 100644 +--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py ++++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py +@@ -19,7 +19,9 @@ + + try: + import gettext +- t = gettext.translation( 'selinux-python' ) ++ t = gettext.translation("selinux-python", ++ localedir="/usr/share/locale", ++ fallback=True) + _ = t.gettext + except: + def _(str): +diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py +index 7ebe0efa88a1..c7a70e094b0c 100755 +--- a/python/sepolicy/sepolicy.py ++++ b/python/sepolicy/sepolicy.py +@@ -36,7 +36,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py +index 7208234b4a4a..9c3caa05b80b 100644 +--- a/python/sepolicy/sepolicy/__init__.py ++++ b/python/sepolicy/sepolicy/__init__.py +@@ -31,7 +31,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + 
except: + try: +diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py +index 67189fc36b99..3717d5d4ed78 100644 +--- a/python/sepolicy/sepolicy/generate.py ++++ b/python/sepolicy/sepolicy/generate.py +@@ -56,7 +56,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py +index b0263740a79f..5bdbfebade1d 100644 +--- a/python/sepolicy/sepolicy/gui.py ++++ b/python/sepolicy/sepolicy/gui.py +@@ -49,7 +49,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py +index 599f97fdc6e7..43f86443f2c8 100644 +--- a/python/sepolicy/sepolicy/interface.py ++++ b/python/sepolicy/sepolicy/interface.py +@@ -38,7 +38,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +diff --git a/sandbox/sandbox b/sandbox/sandbox +index cd5709fb07df..789621e136da 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -45,7 +45,8 @@ try: + kwargs['unicode'] = True + t = gettext.translation(PROGNAME, + localedir="/usr/share/locale", +- **kwargs) ++ **kwargs, ++ fallback=True) + _ = t.gettext + except: + try: +-- +2.38.1 + diff --git a/0006-Fix-title-in-manpage.py-to-not-contain-online.patch b/0006-Fix-title-in-manpage.py-to-not-contain-online.patch deleted file mode 100644 index 9b31464..0000000 --- a/0006-Fix-title-in-manpage.py-to-not-contain-online.patch +++ /dev/null 
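Review bot: In python/chcat/chcat the handler is widened from `except ImportError:` to a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit` raised while the translation is being set up; `except Exception:` keeps the "fall back to plain str" behaviour without that. The other twenty files in this hunk already wrap the same block in a bare `except:`, so the chcat change merely matches them, but narrowing all of them is still the better end state. A keyword argument placed after `**kwargs` (`**kwargs, fallback=True`) is only valid syntax on Python 3.5 and later, so the `kwargs['unicode'] = True` branch kept in the same try block can no longer serve a Python 2 interpreter: if Python 2 is no longer supported that branch is dead code, and if it is, these files now fail to parse.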
@@ -1,26 +0,0 @@ -From 0bd28bc715034c644405d3c03f160d69ae710500 Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Fri, 20 Feb 2015 16:42:53 +0100 -Subject: [PATCH] Fix title in manpage.py to not contain 'online'. -Content-type: text/plain - ---- - python/sepolicy/sepolicy/manpage.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index c632d05dbb1b..3ae2f42b2fdf 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -222,7 +222,7 @@ class HTMLManPages: - - - -- SELinux man pages online -+ SELinux man pages - - -

SELinux man pages for %s

--- -2.35.1 - diff --git a/0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch b/0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch new file mode 100644 index 0000000..9dbbe35 --- /dev/null +++ b/0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch 
@@ -0,0 +1,82 @@ +From 8cc529af51e8aa68a167ce78cf92687604f98619 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 8 Jun 2022 19:09:54 +0200 +Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh +Content-type: text/plain + +After the last commit this option's name and description no longer +matches the semantic, so give it a new one and update the descriptions. +The old name is still recognized and aliased to the new one for +backwards compatibility. + +Signed-off-by: Ondrej Mosnacek +Acked-by: Nicolas Iooss +--- + policycoreutils/semodule/semodule.8 | 12 ++++++------ + policycoreutils/semodule/semodule.c | 13 ++++++++++--- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 +index d1735d216276..c56e580f27b8 100644 +--- a/policycoreutils/semodule/semodule.8 ++++ b/policycoreutils/semodule/semodule.8 +@@ -23,12 +23,12 @@ force a reload of policy + .B \-B, \-\-build + force a rebuild of policy (also reloads unless \-n is used) + .TP +-.B \-\-rebuild-if-modules-changed +-Force a rebuild of the policy if any changes to module content are detected +-(by comparing with checksum from the last transaction). One can use this +-instead of \-B to ensure that any changes to the module store done by an +-external tool (e.g. a package manager) are applied, while automatically +-skipping the rebuild if there are no new changes. ++.B \-\-refresh ++Like \-\-build, but reuses existing linked policy if no changes to module ++files are detected (by comparing with checksum from the last transaction). ++One can use this instead of \-B to ensure that any changes to the module ++store done by an external tool (e.g. a package manager) are applied, while ++automatically skipping the module re-linking if there are no module changes. + .TP + .B \-D, \-\-disable_dontaudit + Temporarily remove dontaudits from policy. 
Reverts whenever policy is rebuilt +diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c +index 48bc28dd0973..ebe062bf4c6c 100644 +--- a/policycoreutils/semodule/semodule.c ++++ b/policycoreutils/semodule/semodule.c +@@ -150,9 +150,12 @@ static void usage(char *progname) + printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); + printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); + printf(" -m, --checksum print module checksum (SHA256).\n"); +- printf(" --rebuild-if-modules-changed\n" +- " force policy rebuild if module content changed since\n" +- " last rebuild (based on checksum)\n"); ++ printf(" --refresh like --build, but reuses existing linked policy if no\n" ++ " changes to module files are detected (via checksum)\n"); ++ printf("Deprecated options:\n"); ++ printf(" -b,--base same as --install\n"); ++ printf(" --rebuild-if-modules-changed\n" ++ " same as --refresh\n"); + } + + /* Sets the global mode variable to new_mode, but only if no other +@@ -185,6 +188,7 @@ static void parse_command_line(int argc, char **argv) + { + static struct option opts[] = { + {"rebuild-if-modules-changed", 0, NULL, '\0'}, ++ {"refresh", 0, NULL, '\0'}, + {"store", required_argument, NULL, 's'}, + {"base", required_argument, NULL, 'b'}, + {"help", 0, NULL, 'h'}, +@@ -225,6 +229,9 @@ static void parse_command_line(int argc, char **argv) + case '\0': + switch(longind) { + case 0: /* --rebuild-if-modules-changed */ ++ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n"); ++ /* fallthrough */ ++ case 1: /* --refresh */ + check_ext_changes = 1; + break; + default: +-- +2.38.1 + diff --git a/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch deleted file mode 100644 index ba39b4d..0000000 --- a/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +++ /dev/null 
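Review bot: The new `case 1: /* --refresh */` and the existing `case 0:` are matched by `longind`, i.e. by the position of the entries in `opts[]`, so the `{"refresh", 0, NULL, '\0'}` line inserted at index 1 is only correct because it sits directly after `rebuild-if-modules-changed`; any later reordering of the table silently remaps both options. A comment on the table makes the coupling visible, e.g. `/* entries with val '\0' are dispatched by index in the switch(longind) below; keep them first and in this order */`, or give the two entries distinct `val` codes so the switch does not depend on order at all. The man page hunk drops every mention of the old name, so a `.B \-\-rebuild-if-modules-changed` entry marked deprecated in semodule.8 would match the "Deprecated options" block the usage text gains. parse_command_line's body continues outside the hunk.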
@@ -1,25 +0,0 @@ -From f204dd292340689c2d7ab75612b9fd81337fcbc3 Mon Sep 17 00:00:00 2001 -From: Dan Walsh -Date: Fri, 14 Feb 2014 12:32:12 -0500 -Subject: [PATCH] Don't be verbose if you are not on a tty -Content-type: text/plain - ---- - policycoreutils/scripts/fixfiles | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index c72ca0eb9d61..163ebcd1f232 100755 ---- a/policycoreutils/scripts/fixfiles -+++ b/policycoreutils/scripts/fixfiles -@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() { - fullFlag=0 - BOOTTIME="" - VERBOSE="-p" -+[ -t 1 ] || VERBOSE="" - FORCEFLAG="" - THREADS="" - RPMFILES="" --- -2.35.1 - diff --git a/0007-python-remove-IOError-in-certain-cases.patch b/0007-python-remove-IOError-in-certain-cases.patch new file mode 100644 index 0000000..039293c --- /dev/null +++ b/0007-python-remove-IOError-in-certain-cases.patch 
@@ -0,0 +1,57 @@
+From ebb4a170c024d4bf0d2773b93d916e77a87393d9 Mon Sep 17 00:00:00 2001
+From: Elijah Conners
+Date: Wed, 15 Jun 2022 22:13:31 -0700
+Subject: [PATCH] python: remove IOError in certain cases
+Content-type: text/plain
+
+In certain cases, IOError caused the much more general exception OSError
+to be unreachable.
+
+Signed-off-by: Elijah Conners
+Acked-by: Petr Lautrbach
+---
+ python/semanage/semanage | 7 ++-----
+ sandbox/sandbox | 2 --
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 4e8d64d6863a..10ab3fa67d7f 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -971,8 +971,8 @@ def do_parser():
+ devnull = os.open(os.devnull, os.O_WRONLY)
+ os.dup2(devnull, sys.stdout.fileno())
+ sys.exit(1)
+- except IOError as e:
+- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
++ except OSError as e:
++ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1]))
+ sys.exit(1)
+ except KeyboardInterrupt:
+ sys.exit(0)
+@@ -982,9 +982,6 @@ def do_parser():
+ except KeyError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
+ sys.exit(1)
+- except OSError as e:
+- sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[1]))
+- sys.exit(1)
+ except RuntimeError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, e.args[0]))
+ sys.exit(1)
+diff --git a/sandbox/sandbox b/sandbox/sandbox
+index 789621e136da..ffac70232875 100644
+--- a/sandbox/sandbox
++++ b/sandbox/sandbox
+@@ -534,8 +534,6 @@ if __name__ == '__main__':
+ error_exit(error.args[0])
+ except KeyError as error:
+ error_exit(_("Invalid value %s") % error.args[0])
+- except IOError as error:
+- error_exit(error)
+ except KeyboardInterrupt:
+ rc = 0
+ 
+-- 
+2.38.1
+
diff --git a/0008-restorecond-use-strict-function-prototype-for-defini.patch b/0008-restorecond-use-strict-function-prototype-for-defini.patch
new file mode 100644
index 0000000..29a6ea7
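Review bot: In the semanage hunk the merged handler `except OSError as e:` keeps the `e.args[1]` form of the removed OSError branch, but an OSError raised with a single argument (`OSError("message")`, or one re-raised without an errno) only has `args[0]`, so the handler itself would fail with IndexError and the original error would be lost; the removed IOError branch used `str(e)`, which handles both shapes, so `sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))` is the safer merge. In the sandbox hunk, since IOError is an alias of OSError in Python 3, dropping `except IOError` removes the only OSError handler visible in the hunk; unless an `except OSError` exists outside the hunk, filesystem errors now surface as a traceback instead of going through error_exit(). Both enclosing blocks start before and end after the hunk.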
--- /dev/null
+++ b/0008-restorecond-use-strict-function-prototype-for-defini.patch
@@ -0,0 +1,39 @@
+From b5b3afbaed29895d37f6160cc0847ef5de7538ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Mon, 8 Aug 2022 19:36:20 +0200
+Subject: [PATCH] restorecond: use strict function prototype for definition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+Clang 15 starts to complain about non strict function definitions:
+
+ user.c:172:10: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+ int start() {
+ ^
+ void
+
+Signed-off-by: Christian Göttsche
+Reviewed-by: Daniel Burgener
+Acked-by: James Carter
+---
+ restorecond/user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 47b86823ff79..3ae3ebbb7230 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -169,7 +169,7 @@ io_channel_callback
+ return TRUE;
+ }
+ 
+-int start() {
++int start(void) {
+ #ifdef HAVE_DBUS
+ GDBusConnection *bus;
+ GError *err = NULL;
+-- 
+2.38.1
+
diff --git a/0008-sepolicy-generate-Handle-more-reserved-port-types.patch b/0008-sepolicy-generate-Handle-more-reserved-port-types.patch
deleted file mode 100644
index 0e45be3..0000000
--- a/0008-sepolicy-generate-Handle-more-reserved-port-types.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From d8f51aa7d299383247213b69ec7cbb68c1fa3bc4 Mon Sep 17 00:00:00 2001 -From: Masatake YAMATO -Date: Thu, 14 Dec 2017 15:57:58 +0900 -Subject: [PATCH] sepolicy-generate: Handle more reserved port types -Content-type: text/plain - -Currently only reserved_port_t, port_t and hi_reserved_port_t are -handled as special when making a ports-dictionary. However, as fas as -corenetwork.te.in of serefpolicy, unreserved_port_t and -ephemeral_port_t should be handled in the same way, too. - -(Details) I found the need of this change when I was using -selinux-polgengui. Though tcp port 12345, which my application may -use, was given to the gui, selinux-polgengui generates expected te -file and sh file which didn't utilize the tcp port. - -selinux-polgengui checks whether a port given via gui is already typed -or not. - -If it is already typed, selinux-polgengui generates a te file having -rules to allow the application to use the port. (A) - -If not, it seems for me that selinux-polgengui is designed to generate -a te file having rules to allow the application to own(?) the port; -and a sh file having a command line to assign the application own type -to the port. (B) - -As we can see the output of `semanage port -l' some of ports for -specified purpose have types already. The important point is that the -rest of ports also have types already: - - hi_reserved_port_t tcp 512-1023 - hi_reserved_port_t udp 512-1023 - unreserved_port_t tcp 1024-32767, 61001-65535 - unreserved_port_t udp 1024-32767, 61001-65535 - ephemeral_port_t tcp 32768-61000 - ephemeral_port_t udp 32768-61000 - -As my patch shows, the original selinux-polgengui ignored -hi_reserved_port_t; though hi_reserved_port_t is assigned, -selinux-polgengui considered ports 512-1023 are not used. As the -result selinux-polgengui generates file sets of (B). - -For the purpose of selinux-polgengui, I think unreserved_port_t and -ephemeral_port_t are treated as the same as hi_reserved_port_t. 
- -Signed-off-by: Masatake YAMATO - -Fedora only patch: -https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/ ---- - python/sepolicy/sepolicy/generate.py | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index 43180ca6fda4..d60a08e1d72c 100644 ---- a/python/sepolicy/sepolicy/generate.py -+++ b/python/sepolicy/sepolicy/generate.py -@@ -99,7 +99,9 @@ def get_all_ports(): - for p in sepolicy.info(sepolicy.PORT): - if p['type'] == "reserved_port_t" or \ - p['type'] == "port_t" or \ -- p['type'] == "hi_reserved_port_t": -+ p['type'] == "hi_reserved_port_t" or \ -+ p['type'] == "ephemeral_port_t" or \ -+ p['type'] == "unreserved_port_t": - continue - dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) - return dict --- -2.35.1 - diff --git a/0009-Ignore-egg-info-directories-and-clean-them.patch b/0009-Ignore-egg-info-directories-and-clean-them.patch new file mode 100644 index 0000000..80f7b39 --- /dev/null +++ b/0009-Ignore-egg-info-directories-and-clean-them.patch 
@@ -0,0 +1,56 @@ +From c2d58b378b3cf350d042a7b657e2b7f5861c5f26 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Mon, 8 Aug 2022 19:36:55 +0200 +Subject: [PATCH] Ignore egg-info directories and clean them +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Content-type: text/plain + + Test .gitignore and make clean distclean + error: missing .gitignore entry for libselinux/src/selinux.egg-info/ + error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/ + Error: Process completed with exit code 1. + + error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO + error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt + error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt + error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt + error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO + error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt + error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt + error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt + Error: Process completed with exit code 1. 
+ +Signed-off-by: Christian Göttsche +Acked-by: James Carter +--- + python/sepolicy/.gitignore | 1 + + python/sepolicy/Makefile | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/python/sepolicy/.gitignore b/python/sepolicy/.gitignore +index 3186c860ec0d..32fb47f92a9d 100644 +--- a/python/sepolicy/.gitignore ++++ b/python/sepolicy/.gitignore +@@ -1,3 +1,4 @@ + build + tmp + *.bak ++sepolicy.egg-info/ +diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile +index 3361be4ef0bc..d983e409e5e6 100644 +--- a/python/sepolicy/Makefile ++++ b/python/sepolicy/Makefile +@@ -18,7 +18,7 @@ python-build: + + clean: + $(PYTHON) setup.py clean +- -rm -rf build *~ \#* *pyc .#* ++ -rm -rf build *~ \#* *pyc .#* sepolicy.egg-info/ + + sepolgen: + ln -sf sepolicy sepolgen +-- +2.38.1 + diff --git a/0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch deleted file mode 100644 index e8a52b2..0000000 --- a/0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 8054dc44cf105b959864a1424fe857fac3ba3d73 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 18 Jul 2018 09:09:35 +0200 -Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox -Content-type: text/plain - ---- - sandbox/sandbox | 4 ++-- - sandbox/sandbox.8 | 2 +- - sandbox/sandboxX.sh | 14 -------------- - 3 files changed, 3 insertions(+), 17 deletions(-) - -diff --git a/sandbox/sandbox b/sandbox/sandbox -index 16c43b51eaaa..7709a6585665 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -268,7 +268,7 @@ class Sandbox: - copyfile(f, "/tmp", self.__tmpdir) - copyfile(f, "/var/tmp", self.__tmpdir) - -- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): -+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): - execfile = self.__homedir + "/.sandboxrc" - fd = open(execfile, "w+") - if self.__options.session: -@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - - parser.add_option("-W", "--windowmanager", dest="wm", - type="string", -- default="/usr/bin/openbox", -+ default="/usr/bin/matchbox-window-manager", - help=_("alternate window manager")) - - parser.add_option("-l", "--level", dest="level", -diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 -index d83fee76f335..90ef4951c8c2 100644 ---- a/sandbox/sandbox.8 -+++ b/sandbox/sandbox.8 -@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz - \fB\-W\fR \fB\-\-windowmanager\fR - Select alternative window manager to run within - .B sandbox \-X. --Default to /usr/bin/openbox. -+Default to /usr/bin/matchbox-window-manager. 
- .TP - \fB\-X\fR - Create an X based Sandbox for gui apps, temporary files for -diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh -index 4774528027ef..c211ebc14549 100644 ---- a/sandbox/sandboxX.sh -+++ b/sandbox/sandboxX.sh -@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 - [ -z $2 ] && export DPI="96" || export DPI="$2" - trap "exit 0" HUP - --mkdir -p ~/.config/openbox --cat > ~/.config/openbox/rc.xml << EOF -- -- -- -- no -- all -- yes -- -- -- --EOF -- - (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do - export DISPLAY=:$D - cat > ~/seremote << __EOF --- -2.35.1 - diff --git a/0010-Use-SHA-2-instead-of-SHA-1.patch b/0010-Use-SHA-2-instead-of-SHA-1.patch deleted file mode 100644 index 812028f..0000000 --- a/0010-Use-SHA-2-instead-of-SHA-1.patch +++ /dev/null 
@@ -1,298 +0,0 @@ -From 53d085d8d6edc05886d473e412a8025b7f8d9ce4 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 30 Jul 2021 14:14:37 +0200 -Subject: [PATCH] Use SHA-2 instead of SHA-1 -Content-type: text/plain - -The use of SHA-1 in RHEL9 is deprecated ---- - policycoreutils/setfiles/restorecon.8 | 10 +++++----- - policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++---- - policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------ - policycoreutils/setfiles/ru/restorecon.8 | 8 ++++---- - policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++----- - policycoreutils/setfiles/ru/setfiles.8 | 8 ++++---- - policycoreutils/setfiles/setfiles.8 | 10 +++++----- - 7 files changed, 33 insertions(+), 33 deletions(-) - -diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 -index e07db2c87dc4..dbd55ce7c512 100644 ---- a/policycoreutils/setfiles/restorecon.8 -+++ b/policycoreutils/setfiles/restorecon.8 -@@ -95,14 +95,14 @@ display usage information and exit. - ignore files that do not exist. - .TP - .B \-I --ignore digest to force checking of labels even if the stored SHA1 digest --matches the specfiles SHA1 digest. The digest will then be updated provided -+ignore digest to force checking of labels even if the stored SHA256 digest -+matches the specfiles SHA256 digest. The digest will then be updated provided - there are no errors. See the - .B NOTES - section for further details. - .TP - .B \-D --Set or update any directory SHA1 digests. Use this option to -+Set or update any directory SHA256 digests. Use this option to - enable usage of the - .IR security.sehash - extended attribute. -@@ -200,7 +200,7 @@ the - .B \-D - option to - .B restorecon --will cause it to store a SHA1 digest of the default specfiles set in an extended -+will cause it to store a SHA256 digest of the default specfiles set in an extended - attribute named - .IR security.sehash - on each directory specified in -@@ -217,7 +217,7 @@ for further details. 
- .sp - The - .B \-I --option will ignore the SHA1 digest from each directory specified in -+option will ignore the SHA256 digest from each directory specified in - .IR pathname \ ... - and provided the - .B \-n -diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8 -index e04528e60824..4b1ce304d995 100644 ---- a/policycoreutils/setfiles/restorecon_xattr.8 -+++ b/policycoreutils/setfiles/restorecon_xattr.8 -@@ -23,7 +23,7 @@ or - - .SH "DESCRIPTION" - .B restorecon_xattr --will display the SHA1 digests added to extended attributes -+will display the SHA256 digests added to extended attributes - .I security.sehash - or delete the attribute completely. These attributes are set by - .BR restorecon (8) -@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches. - .sp - By default - .B restorecon_xattr --will display the SHA1 digests with "Match" appended if they match the default -+will display the SHA256 digests with "Match" appended if they match the default - specfile set or the - .I specfile - set used with the - .B \-f --option. Non-matching SHA1 digests will be displayed with "No Match" appended. -+option. Non-matching SHA256 digests will be displayed with "No Match" appended. - This feature can be disabled by the - .B \-n - option. -@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests. - recursively descend directories. - .TP - .B \-v --display SHA1 digest generated by specfile set (Note that this digest is not -+display SHA256 digest generated by specfile set (Note that this digest is not - used to match the - .I security.sehash - directory digest entries, and is shown for reference only). 
-diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c -index 31fb82fd2099..bc22d3fd4560 100644 ---- a/policycoreutils/setfiles/restorecon_xattr.c -+++ b/policycoreutils/setfiles/restorecon_xattr.c -@@ -38,7 +38,7 @@ int main(int argc, char **argv) - unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0; - unsigned int delete_all_digests = 0, ignore_mounts = 0; - bool display_digest = false; -- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL; -+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL; - unsigned char *fc_digest = NULL; - size_t i, fc_digest_len = 0, num_specfiles; - -@@ -133,8 +133,8 @@ int main(int argc, char **argv) - exit(-1); - } - -- sha1_buf = malloc(fc_digest_len * 2 + 1); -- if (!sha1_buf) { -+ sha256_buf = malloc(fc_digest_len * 2 + 1); -+ if (!sha256_buf) { - fprintf(stderr, - "Error allocating digest buffer: %s\n", - strerror(errno)); -@@ -143,16 +143,16 @@ int main(int argc, char **argv) - } - - for (i = 0; i < fc_digest_len; i++) -- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]); -+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]); - -- printf("specfiles SHA1 digest: %s\n", sha1_buf); -+ printf("specfiles SHA256 digest: %s\n", sha256_buf); - - printf("calculated using the following specfile(s):\n"); - if (specfiles) { - for (i = 0; i < num_specfiles; i++) - printf("%s\n", specfiles[i]); - } -- free(sha1_buf); -+ free(sha256_buf); - printf("\n"); - } - -diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8 -index 9be3a63db356..745135020f4b 100644 ---- a/policycoreutils/setfiles/ru/restorecon.8 -+++ b/policycoreutils/setfiles/ru/restorecon.8 -@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас - игнорировать файлы, которые не существуют. 
- .TP - .B \-I --игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе -+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе - .B ПРИМЕЧАНИЯ. - .TP - .B \-D --установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута -+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута - .IR security.restorecon_last. - .TP - .B \-m -@@ -159,7 +159,7 @@ GNU - .B \-D - команды - .B restorecon --обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем -+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем - .IR security.restorecon_last - для каталогов, указанных в соответствующих путях - .IR pathname \ ... -@@ -173,7 +173,7 @@ GNU - .sp - Параметр - .B \-I --позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в -+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в - .IR pathname \ ... 
- , и, при условии, что НЕ установлен параметр - .B \-n -diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8 -index 41c441b8c5c2..25c4c3033334 100644 ---- a/policycoreutils/setfiles/ru/restorecon_xattr.8 -+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8 -@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных - - .SH "ОПИСАНИЕ" - .B restorecon_xattr --покажет дайджесты SHA1, добавленные в расширенные атрибуты -+покажет дайджесты SHA256, добавленные в расширенные атрибуты - .I security.restorecon_last, - или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой - .BR restorecon (8) -@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных - .sp - По умолчанию - .B restorecon_xattr --показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации -+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации - .I specfile, - который установлен с помощью параметра - .B \-f. --Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце. -+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце. - Эту возможность можно отключить с помощью параметра - .B \-n. - -@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных - рекурсивно спускаться по каталогам. - .TP - .B \-v --показать дайджест SHA1, созданный установленным файлом спецификации. -+показать дайджест SHA256, созданный установленным файлом спецификации. - .TP - .B \-e - .I directory -@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных - .BR file_contexts (5). 
- Он будет использоваться - .BR selabel_open (3) --для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью -+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью - .BR selabel_digest (3). - Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию. - -diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8 -index 910101452625..7f2daa09191b 100644 ---- a/policycoreutils/setfiles/ru/setfiles.8 -+++ b/policycoreutils/setfiles/ru/setfiles.8 -@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос - игнорировать файлы, которые не существуют. - .TP - .B \-I --игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе -+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе - .B ПРИМЕЧАНИЯ. - .TP - .B \-D --установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута -+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута - .IR security.restorecon_last. - .TP - .B \-l -@@ -186,7 +186,7 @@ GNU - .B \-D - команды - .B setfiles . 
--Он обеспечивает сохранение дайджеста SHA1 файла спецификации -+Он обеспечивает сохранение дайджеста SHA256 файла спецификации - .B spec_file - в расширенном атрибуте с именем - .IR security.restorecon_last -@@ -204,7 +204,7 @@ GNU - .sp - Параметр - .B \-I --позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в -+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в - .IR pathname \ ... - , и, при условии, что НЕ установлен параметр - .B \-n -diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 -index 19b59a2cc90d..bad9f37a9ac4 100644 ---- a/policycoreutils/setfiles/setfiles.8 -+++ b/policycoreutils/setfiles/setfiles.8 -@@ -87,14 +87,14 @@ display usage information and exit. - ignore files that do not exist. - .TP - .B \-I --ignore digest to force checking of labels even if the stored SHA1 digest --matches the specfiles SHA1 digest. The digest will then be updated provided -+ignore digest to force checking of labels even if the stored SHA256 digest -+matches the specfiles SHA256 digest. The digest will then be updated provided - there are no errors. See the - .B NOTES - section for further details. - .TP - .B \-D --Set or update any directory SHA1 digests. Use this option to -+Set or update any directory SHA256 digests. Use this option to - enable usage of the - .IR security.sehash - extended attribute. -@@ -239,7 +239,7 @@ the - .B \-D - option to - .B setfiles --will cause it to store a SHA1 digest of the -+will cause it to store a SHA256 digest of the - .B spec_file - set in an extended attribute named - .IR security.sehash -@@ -260,7 +260,7 @@ for further details. - .sp - The - .B \-I --option will ignore the SHA1 digest from each directory specified in -+option will ignore the SHA256 digest from each directory specified in - .IR pathname \ ... - and provided the - .B \-n --- -2.35.1 - 
diff --git a/0011-docs-provide-a-top-level-LICENSE-file.patch b/0011-docs-provide-a-top-level-LICENSE-file.patch new file mode 100644 index 0000000..4234674 --- /dev/null +++ b/0011-docs-provide-a-top-level-LICENSE-file.patch 
@@ -0,0 +1,68 @@ +From a0a216ff7d86004ddc36d516377f0a6ffe88076c Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Fri, 30 Sep 2022 17:44:12 -0400 +Subject: [PATCH] docs: provide a top level LICENSE file +Content-type: text/plain + +Provide a top level LICENSE file explaining how multiple the SELinux +userspace is released under multiple different licenses. Also ensure +that all the different license files share a consistent file name, +LICENSE, to make it easier for people to identify the license files. + +This is to help meet the OpenSSF Best Practices requirements. + +Signed-off-by: Paul Moore +--- + dbus/{COPYING => LICENSE} | 0 + gui/{COPYING => LICENSE} | 0 + policycoreutils/{COPYING => LICENSE} | 0 + python/{COPYING => LICENSE} | 0 + python/sepolgen/{COPYING => LICENSE} | 0 + restorecond/{COPYING => LICENSE} | 0 + sandbox/{COPYING => LICENSE} | 0 + semodule-utils/{COPYING => LICENSE} | 0 + 8 files changed, 0 insertions(+), 0 deletions(-) + rename dbus/{COPYING => LICENSE} (100%) + rename gui/{COPYING => LICENSE} (100%) + rename policycoreutils/{COPYING => LICENSE} (100%) + rename python/{COPYING => LICENSE} (100%) + rename python/sepolgen/{COPYING => LICENSE} (100%) + rename restorecond/{COPYING => LICENSE} (100%) + rename sandbox/{COPYING => LICENSE} (100%) + rename semodule-utils/{COPYING => LICENSE} (100%) + +diff --git a/dbus/COPYING b/dbus/LICENSE +similarity index 100% +rename from dbus/COPYING +rename to dbus/LICENSE +diff --git a/gui/COPYING b/gui/LICENSE +similarity index 100% +rename from gui/COPYING +rename to gui/LICENSE +diff --git a/policycoreutils/COPYING b/policycoreutils/LICENSE +similarity index 100% +rename from policycoreutils/COPYING +rename to policycoreutils/LICENSE +diff --git a/python/COPYING b/python/LICENSE +similarity index 100% +rename from python/COPYING +rename to python/LICENSE +diff --git a/python/sepolgen/COPYING b/python/sepolgen/LICENSE +similarity index 100% +rename from python/sepolgen/COPYING +rename to 
python/sepolgen/LICENSE +diff --git a/restorecond/COPYING b/restorecond/LICENSE +similarity index 100% +rename from restorecond/COPYING +rename to restorecond/LICENSE +diff --git a/sandbox/COPYING b/sandbox/LICENSE +similarity index 100% +rename from sandbox/COPYING +rename to sandbox/LICENSE +diff --git a/semodule-utils/COPYING b/semodule-utils/LICENSE +similarity index 100% +rename from semodule-utils/COPYING +rename to semodule-utils/LICENSE +-- +2.38.1 + diff --git a/0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch deleted file mode 100644 index c4e1fe1..0000000 --- a/0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 3748b7eab7434698998edfcf613fe738cf19d5c9 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 27 Feb 2017 17:12:39 +0100 -Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and - file_type_is_entrypoint(f) -Content-type: text/plain - -- use direct queries -- load exec_types and entry_types only once ---- - python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++-- - 1 file changed, 20 insertions(+), 2 deletions(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 3ae2f42b2fdf..5a434bd360ae 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -127,8 +127,24 @@ def gen_domains(): - domains.sort() - return domains - --types = None - -+exec_types = None -+ -+def _gen_exec_types(): -+ global exec_types -+ if exec_types is None: -+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"] -+ return exec_types -+ -+entry_types = None -+ -+def _gen_entry_types(): -+ global entry_types -+ if entry_types is None: -+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] -+ return entry_types -+ -+types = None - - def _gen_types(): - global types -@@ -374,6 +390,8 @@ class ManPage: - self.all_file_types = sepolicy.get_all_file_types() - self.role_allows = sepolicy.get_all_role_allows() - self.types = _gen_types() -+ self.exec_types = _gen_exec_types() -+ self.entry_types = _gen_entry_types() - - if self.source_files: - self.fcpath = self.root + "file_contexts" -@@ -691,7 +709,7 @@ Default Defined Ports:""") - for f in self.all_file_types: - if f.startswith(self.domainname): - flist.append(f) -- if not file_type_is_executable(f) or not file_type_is_entrypoint(f): -+ if f not in self.exec_types or f not in self.entry_types: - flist_non_exec.append(f) - if f in self.fcdict: - mpaths = mpaths + self.fcdict[f]["regex"] --- -2.35.1 - 
diff --git a/0012-gettext-handle-unsupported-languages-properly.patch b/0012-gettext-handle-unsupported-languages-properly.patch deleted file mode 100644 index 8c72c26..0000000 --- a/0012-gettext-handle-unsupported-languages-properly.patch +++ /dev/null 
@@ -1,349 +0,0 @@ -From ff2aba6d202f49749cbb19a84bf0e1cdae54c5e9 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Fri, 24 Jun 2022 16:24:25 +0200 -Subject: [PATCH] gettext: handle unsupported languages properly -Content-type: text/plain - -With "fallback=True" gettext.translation behaves the same as -gettext.install and uses NullTranslations in case the -translation file for given language was not found (as opposed to -throwing an exception). - -Fixes: - # LANG is set to any "unsupported" language, e.g. en_US.UTF-8 - $ chcat --help - Traceback (most recent call last): - File "/usr/bin/chcat", line 39, in - t = gettext.translation(PROGNAME, - File "/usr/lib64/python3.9/gettext.py", line 592, in translation - raise FileNotFoundError(ENOENT, - FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python' - -Signed-off-by: Vit Mojzis -Reviewed-by: Daniel Burgener -Acked-by: Petr Lautrbach ---- - gui/booleansPage.py | 3 ++- - gui/domainsPage.py | 3 ++- - gui/fcontextPage.py | 3 ++- - gui/loginsPage.py | 3 ++- - gui/modulesPage.py | 3 ++- - gui/polgengui.py | 3 ++- - gui/portsPage.py | 3 ++- - gui/semanagePage.py | 3 ++- - gui/statusPage.py | 3 ++- - gui/system-config-selinux.py | 3 ++- - gui/usersPage.py | 3 ++- - python/chcat/chcat | 5 +++-- - python/semanage/semanage | 3 ++- - python/semanage/seobject.py | 3 ++- - python/sepolgen/src/sepolgen/sepolgeni18n.py | 4 +++- - python/sepolicy/sepolicy.py | 3 ++- - python/sepolicy/sepolicy/__init__.py | 3 ++- - python/sepolicy/sepolicy/generate.py | 3 ++- - python/sepolicy/sepolicy/gui.py | 3 ++- - python/sepolicy/sepolicy/interface.py | 3 ++- - sandbox/sandbox | 3 ++- - 21 files changed, 44 insertions(+), 22 deletions(-) - -diff --git a/gui/booleansPage.py b/gui/booleansPage.py -index 5beec58bc360..ad11a9b24c79 100644 ---- a/gui/booleansPage.py -+++ b/gui/booleansPage.py -@@ -46,7 +46,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) 
-+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/domainsPage.py b/gui/domainsPage.py -index e08f34b4d3a9..e6eadd61c1bc 100644 ---- a/gui/domainsPage.py -+++ b/gui/domainsPage.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py -index bac2bec3ebbd..767664f26ec8 100644 ---- a/gui/fcontextPage.py -+++ b/gui/fcontextPage.py -@@ -55,7 +55,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/loginsPage.py b/gui/loginsPage.py -index 18b93d8c9756..7e08232a90b5 100644 ---- a/gui/loginsPage.py -+++ b/gui/loginsPage.py -@@ -37,7 +37,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/modulesPage.py b/gui/modulesPage.py -index c546d455d4cd..02b79f150a13 100644 ---- a/gui/modulesPage.py -+++ b/gui/modulesPage.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/polgengui.py b/gui/polgengui.py -index a18f1cba17b9..7a3ecd50c91c 100644 ---- a/gui/polgengui.py -+++ b/gui/polgengui.py -@@ -71,7 +71,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/portsPage.py b/gui/portsPage.py -index 54aa80ded327..bee2bdf17b99 100644 ---- a/gui/portsPage.py -+++ b/gui/portsPage.py -@@ -43,7 +43,8 @@ try: - kwargs['unicode'] = True - t = 
gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/semanagePage.py b/gui/semanagePage.py -index 1371d4e7dabe..efad14d9b375 100644 ---- a/gui/semanagePage.py -+++ b/gui/semanagePage.py -@@ -30,7 +30,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/statusPage.py b/gui/statusPage.py -index c241ef83dfa0..832849e60d60 100644 ---- a/gui/statusPage.py -+++ b/gui/statusPage.py -@@ -43,7 +43,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py -index 1b460c99363b..9f53b7fe9020 100644 ---- a/gui/system-config-selinux.py -+++ b/gui/system-config-selinux.py -@@ -53,7 +53,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/usersPage.py b/gui/usersPage.py -index d51bd968b77e..9acd3b844056 100644 ---- a/gui/usersPage.py -+++ b/gui/usersPage.py -@@ -37,7 +37,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/chcat/chcat b/python/chcat/chcat -index e779fcc6ebd7..952cb8187599 100755 ---- a/python/chcat/chcat -+++ b/python/chcat/chcat -@@ -38,9 +38,10 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext --except ImportError: -+except: - try: - import builtins - builtins.__dict__['_'] = str -diff --git 
a/python/semanage/semanage b/python/semanage/semanage -index 8f4e44a7a9cd..f45061a601f9 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py -index ff8f4e9c3008..0782c082dc0c 100644 ---- a/python/semanage/seobject.py -+++ b/python/semanage/seobject.py -@@ -42,7 +42,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py -index 56ebd807c69c..1ff307d9b27d 100644 ---- a/python/sepolgen/src/sepolgen/sepolgeni18n.py -+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py -@@ -19,7 +19,9 @@ - - try: - import gettext -- t = gettext.translation( 'selinux-python' ) -+ t = gettext.translation("selinux-python", -+ localedir="/usr/share/locale", -+ fallback=True) - _ = t.gettext - except: - def _(str): -diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py -index 7ebe0efa88a1..c7a70e094b0c 100755 ---- a/python/sepolicy/sepolicy.py -+++ b/python/sepolicy/sepolicy.py -@@ -36,7 +36,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 95520f9bc35d..6bde1971fd7c 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -31,7 +31,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - 
except: - try: -diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index 3e8b9f9c291d..eff3a8973917 100644 ---- a/python/sepolicy/sepolicy/generate.py -+++ b/python/sepolicy/sepolicy/generate.py -@@ -56,7 +56,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py -index b0263740a79f..5bdbfebade1d 100644 ---- a/python/sepolicy/sepolicy/gui.py -+++ b/python/sepolicy/sepolicy/gui.py -@@ -49,7 +49,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py -index 599f97fdc6e7..43f86443f2c8 100644 ---- a/python/sepolicy/sepolicy/interface.py -+++ b/python/sepolicy/sepolicy/interface.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/sandbox/sandbox b/sandbox/sandbox -index 3ef444a12561..53cc504149c9 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -45,7 +45,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: --- -2.36.1 - diff --git a/0012-gui-Fix-export-file-chooser-dialog.patch b/0012-gui-Fix-export-file-chooser-dialog.patch new file mode 100644 index 0000000..4fde689 --- /dev/null +++ b/0012-gui-Fix-export-file-chooser-dialog.patch 
@@ -0,0 +1,38 @@ +From bba6225abc6c7d8f1642d0c04c819ddc74d426c0 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Tue, 11 Oct 2022 16:36:23 +0200 +Subject: [PATCH] gui: Fix export file chooser dialog +Content-type: text/plain + +It wasn't possible to choose a directory in filechooser dialog using +double-click - the dialog returned the directory name instead of +listing the directory. + +Fixes: +Traceback (most recent call last): + File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2593, in on_browse_select + self.export_config(filename) + File "/usr/lib/python3.10/site-packages/sepolicy/gui.py", line 2668, in export_config + fd = open(filename, 'w') +IsADirectoryError: [Errno 21] Is a directory: '/root/Downloads' + +Signed-off-by: Petr Lautrbach +--- + python/sepolicy/sepolicy/sepolicy.glade | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/python/sepolicy/sepolicy/sepolicy.glade b/python/sepolicy/sepolicy/sepolicy.glade +index 52407887fcfc..0724d6c8caa4 100644 +--- a/python/sepolicy/sepolicy/sepolicy.glade ++++ b/python/sepolicy/sepolicy/sepolicy.glade +@@ -168,7 +168,6 @@ + + False + vertical +- + + + False +-- +2.38.1 + diff --git a/0013-python-Do-not-query-the-local-database-if-the-fconte.patch b/0013-python-Do-not-query-the-local-database-if-the-fconte.patch new file mode 100644 index 0000000..2f557b0 --- /dev/null +++ b/0013-python-Do-not-query-the-local-database-if-the-fconte.patch 
@@ -0,0 +1,66 @@ +From 7238ad32a3171d82bba9b99660e55399161236fc Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Wed, 19 Oct 2022 14:20:11 -0400 +Subject: [PATCH] python: Do not query the local database if the fcontext is + non-local +Content-type: text/plain + +Vit Mojzis reports that an error message is produced when modifying +a non-local fcontext. + +He gives the following example: + # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd + libsemanage.dbase_llist_query: could not query record value (No such file or directory). + +When modifying an fcontext, the non-local database is checked for the +key and then, if it is not found there, the local database is checked. +If the key doesn't exist, then an error is raised. If the key exists +then the local database is queried first and, if that fails, the non- +local database is queried. + +The error is from querying the local database when the fcontext is in +the non-local database. + +Instead, if the fcontext is in the non-local database, just query +the non-local database. Only query the local database if the +fcontext was found in it. 
+ +Reported-by: Vit Mojzis +Signed-off-by: James Carter +--- + python/semanage/seobject.py | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index 0782c082dc0c..d82da4942987 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -2504,16 +2504,19 @@ class fcontextRecords(semanageRecords): + (rc, exists) = semanage_fcontext_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if file context for %s is defined") % target) +- if not exists: ++ if exists: ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: ++ raise ValueError(_("Could not query file context for %s") % target) ++ else: + (rc, exists) = semanage_fcontext_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if file context for %s is defined") % target) + if not exists: + raise ValueError(_("File context for %s is not defined") % target) +- +- try: +- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) +- except OSError: + try: +- (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) + except OSError: + raise ValueError(_("Could not query file context for %s") % target) + +-- +2.38.1 + diff --git a/0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch b/0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch deleted file mode 100644 index abb3572..0000000 --- a/0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch +++ /dev/null 
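Review bot: The new `if exists:` branch reads the record with `semanage_fcontext_query` and never looks at the local store, so a key present in both — which, as far as I can tell, is what an earlier `semanage fcontext -m` on a policy-defined path leaves behind in file_contexts.local — is now re-based on the policy entry instead of the current local one, silently reverting that earlier modification on the next `-m`. The removed code queried local first and only fell back to the policy store, which avoided this. Keeping the non-local existence check as the gate but still preferring a local record when one exists restores that ordering without bringing back the spurious libsemanage error from the commit message. The enclosing method starts before this hunk and continues after it.
```python
        if exists:
            # a local record (file_contexts.local) overrides the policy one,
            # so prefer it when both exist; otherwise read the policy record
            (rc, local) = semanage_fcontext_exists_local(self.sh, k)
            if rc < 0:
                raise ValueError(_("Could not check if file context for %s is defined") % target)
            try:
                if local:
                    (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
                else:
                    (rc, fcontext) = semanage_fcontext_query(self.sh, k)
            except OSError:
                raise ValueError(_("Could not query file context for %s") % target)
        else:
            # … unchanged: local-only existence check and query …
```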
@@ -1,82 +0,0 @@ -From afafe02fa9b6b7fdcce883c5e873d46b9d811d66 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 8 Jun 2022 19:09:54 +0200 -Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh -Content-type: text/plain - -After the last commit this option's name and description no longer -matches the semantic, so give it a new one and update the descriptions. -The old name is still recognized and aliased to the new one for -backwards compatibility. - -Signed-off-by: Ondrej Mosnacek -Acked-by: Nicolas Iooss ---- - policycoreutils/semodule/semodule.8 | 12 ++++++------ - policycoreutils/semodule/semodule.c | 13 ++++++++++--- - 2 files changed, 16 insertions(+), 9 deletions(-) - -diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 -index d1735d216276..c56e580f27b8 100644 ---- a/policycoreutils/semodule/semodule.8 -+++ b/policycoreutils/semodule/semodule.8 -@@ -23,12 +23,12 @@ force a reload of policy - .B \-B, \-\-build - force a rebuild of policy (also reloads unless \-n is used) - .TP --.B \-\-rebuild-if-modules-changed --Force a rebuild of the policy if any changes to module content are detected --(by comparing with checksum from the last transaction). One can use this --instead of \-B to ensure that any changes to the module store done by an --external tool (e.g. a package manager) are applied, while automatically --skipping the rebuild if there are no new changes. -+.B \-\-refresh -+Like \-\-build, but reuses existing linked policy if no changes to module -+files are detected (by comparing with checksum from the last transaction). -+One can use this instead of \-B to ensure that any changes to the module -+store done by an external tool (e.g. a package manager) are applied, while -+automatically skipping the module re-linking if there are no module changes. - .TP - .B \-D, \-\-disable_dontaudit - Temporarily remove dontaudits from policy. 
Reverts whenever policy is rebuilt -diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c -index 1ed8e69054e0..ec0794866daa 100644 ---- a/policycoreutils/semodule/semodule.c -+++ b/policycoreutils/semodule/semodule.c -@@ -150,9 +150,12 @@ static void usage(char *progname) - printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); - printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); - printf(" -m, --checksum print module checksum (SHA256).\n"); -- printf(" --rebuild-if-modules-changed\n" -- " force policy rebuild if module content changed since\n" -- " last rebuild (based on checksum)\n"); -+ printf(" --refresh like --build, but reuses existing linked policy if no\n" -+ " changes to module files are detected (via checksum)\n"); -+ printf("Deprecated options:\n"); -+ printf(" -b,--base same as --install\n"); -+ printf(" --rebuild-if-modules-changed\n" -+ " same as --refresh\n"); - } - - /* Sets the global mode variable to new_mode, but only if no other -@@ -185,6 +188,7 @@ static void parse_command_line(int argc, char **argv) - { - static struct option opts[] = { - {"rebuild-if-modules-changed", 0, NULL, '\0'}, -+ {"refresh", 0, NULL, '\0'}, - {"store", required_argument, NULL, 's'}, - {"base", required_argument, NULL, 'b'}, - {"help", 0, NULL, 'h'}, -@@ -225,6 +229,9 @@ static void parse_command_line(int argc, char **argv) - case '\0': - switch(longind) { - case 0: /* --rebuild-if-modules-changed */ -+ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n"); -+ /* fallthrough */ -+ case 1: /* --refresh */ - check_ext_changes = 1; - break; - default: --- -2.36.1 - diff --git a/0014-python-Split-semanage-import-into-two-transactions.patch b/0014-python-Split-semanage-import-into-two-transactions.patch deleted file mode 100644 index 2cb27e6..0000000 --- a/0014-python-Split-semanage-import-into-two-transactions.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 4a53c0c3ee0edba37ba8e62064175c4928f761a8 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Mon, 30 May 2022 14:20:21 +0200 -Subject: [PATCH] python: Split "semanage import" into two transactions -Content-type: text/plain - -First transaction applies all deletion operations, so that there are no -collisions when applying the rest of the changes. - -Fixes: - # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024 - # semanage export | semanage import - ValueError: Port tcp/3024 already defined - -Signed-off-by: Vit Mojzis ---- - python/semanage/semanage | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/python/semanage/semanage b/python/semanage/semanage -index f45061a601f9..4e8d64d6863a 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -853,10 +853,29 @@ def handleImport(args): - trans = seobject.semanageRecords(args) - trans.start() - -+ deleteCommands = [] -+ commands = [] -+ # separate commands for deletion from the rest so they can be -+ # applied in a separate transaction - for l in sys.stdin.readlines(): - if len(l.strip()) == 0: - continue -+ if "-d" in l or "-D" in l: -+ deleteCommands.append(l) -+ else: -+ commands.append(l) -+ -+ if deleteCommands: -+ importHelper(deleteCommands) -+ trans.finish() -+ trans.start() -+ -+ importHelper(commands) -+ trans.finish() - -+ -+def importHelper(commands): -+ for l in commands: - try: - commandParser = createCommandParser() - args = commandParser.parse_args(mkargv(l)) -@@ -870,8 +889,6 @@ def handleImport(args): - except KeyboardInterrupt: - sys.exit(0) - -- trans.finish() -- - - def setupImportParser(subparsers): - importParser = subparsers.add_parser('import', help=_('Import local customizations')) --- -2.36.1 - diff --git a/0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch b/0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch new file mode 100644 index 0000000..6b4830a --- /dev/null 
+++ b/0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch
@@ -0,0 +1,35 @@
+From 0fb988c86b66ede7723e179699e29f00000fc57b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 13 Oct 2022 15:23:11 +0200
+Subject: [PATCH] sandbox: Do not try to remove tmpdir twice if uid == 0
+Content-type: text/plain
+
+If the user is root, tmpdir is already wiped out.
+
+Fixes:
+ # sandbox -T /root/tmp -- id
+ uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:sandbox_t:s0:c696,c756
+ Failed to remove directory /tmp/.sandbox-root-KIlB59: No such file or directory
+
+Signed-off-by: Petr Lautrbach
+Acked-by: James Carter
+---
+ sandbox/seunshare.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
+index 8917a0f9bd42..dd1d7ddbdc89 100644
+--- a/sandbox/seunshare.c
++++ b/sandbox/seunshare.c
+@@ -414,7 +414,7 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
+ rc++;
+ }
+ 
+- if (rmdir(tmpdir) == -1)
++ if (pwd->pw_uid != 0 && rmdir(tmpdir) == -1)
+ fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno));
+ if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
+ fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
+--
+2.38.1
+
diff --git a/0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch b/0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch
new file mode 100644
index 0000000..ada2342
--- /dev/null
+++ b/0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch
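Review bot: The new guard `pwd->pw_uid != 0 && rmdir(tmpdir) == -1` encodes the reason the call fails for root (the earlier removal already took the directory with it, per the commit message) instead of checking the failure itself, so for root the rmdir is skipped even if the directory is unexpectedly still there, and any other uid for which the earlier removal also took the directory keeps printing the spurious error. Tolerating the one expected errno keeps the cleanup uniform for every uid: `if (rmdir(tmpdir) == -1 && errno != ENOENT)`. cleanup_tmpdir starts before this hunk and ends after it, so I cannot see from here how the earlier removal behaves for root versus other users.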
@@ -0,0 +1,245 @@ +From ecfcb1d6a8ecb914f2a7c72453c872b5f0099f4d Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 13 Oct 2022 15:23:12 +0200 +Subject: [PATCH] sandbox: Use temporary directory for XDG_RUNTIME_DIR +Content-type: text/plain + +XDG_RUNTIME_DIR (/run/user/$UID) is used for user-specific data files +such as sockets, named pipes and so on. Therefore, it should not be +available to sandboxed processes. + +Usage: + # ls -a $XDG_RUNTIME_DIR + . .. bus pipewire-0 systemd + # sandbox -R /root/sandbox/user -- sh -c "ls -a $XDG_RUNTIME_DIR" + . .. + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +--- + sandbox/sandbox | 15 ++++++++++++++- + sandbox/sandbox.8 | 7 +++++-- + sandbox/seunshare.8 | 3 +++ + sandbox/seunshare.c | 45 +++++++++++++++++++++++++++++++++++---------- + 4 files changed, 57 insertions(+), 13 deletions(-) + +diff --git a/sandbox/sandbox b/sandbox/sandbox +index ffac70232875..770807345858 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -209,6 +209,7 @@ class Sandbox: + self.__level = None + self.__homedir = None + self.__tmpdir = None ++ self.__runuserdir = None + + def __validate_mount(self): + if self.__options.level: +@@ -357,6 +358,11 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + action="callback", callback=self.__validdir, + help=_("alternate /tmp directory to use for mounting")) + ++ parser.add_option("-R", "--runuserdir", dest="runuserdir", ++ type="string", ++ action="callback", callback=self.__validdir, ++ help=_("alternate XDG_RUNTIME_DIR - /run/user/$UID - directory to use for mounting")) ++ + parser.add_option("-w", "--windowsize", dest="windowsize", + type="string", default=DEFAULT_WINDOWSIZE, + help="size of the sandbox window") +@@ -401,10 +407,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + self.__options.X_ind = True + self.__homedir = self.__options.homedir + self.__tmpdir = self.__options.tmpdir ++ self.__runuserdir = 
self.__options.runuserdir + else: + if self.__options.level: + self.__homedir = self.__options.homedir + self.__tmpdir = self.__options.tmpdir ++ self.__runuserdir = self.__options.runuserdir + + if len(cmds) == 0: + self.usage(_("Command required")) +@@ -442,9 +450,14 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + self.__tmpdir = self.__options.tmpdir + else: + self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_") ++ if self.__options.runuserdir: ++ self.__runuserdir = self.__options.runuserdir ++ else: ++ self.__runuserdir = mkdtemp(dir="/tmp", prefix=".sandbox_runuser_") + self.__copyfiles() + selinux.chcon(self.__homedir, self.__filecon, recursive=True) + selinux.chcon(self.__tmpdir, self.__filecon, recursive=True) ++ selinux.chcon(self.__runuserdir, self.__filecon, recursive=True) + selinux.setfscreatecon(None) + + def __execute(self): +@@ -453,7 +466,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + if self.__options.usecaps: + cmds.append('-C') + if self.__mount: +- cmds += ["-t", self.__tmpdir, "-h", self.__homedir] ++ cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir] + + if self.__options.X_ind: + if self.__options.dpi: +diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 +index d83fee76f335..1ee0ecea96d1 100644 +--- a/sandbox/sandbox.8 ++++ b/sandbox/sandbox.8 +@@ -3,11 +3,11 @@ + sandbox \- Run cmd under an SELinux sandbox + .SH SYNOPSIS + .B sandbox +-[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd ++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] 
[ \-t type ] cmd + + .br + .B sandbox +-[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S ++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [ \-R runuserdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S + .br + .SH DESCRIPTION + .PP +@@ -67,6 +67,9 @@ sandbox_net_client_t \- All network ports + \fB\-T\fR \fB\-\-tmpdir\fR + Use alternate temporary directory to mount on /tmp. Defaults to tmpfs. Requires \-X or \-M. + .TP ++\fB\-R\fR \fB\-\-runuserdir\fR ++Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). ++.TP + \fB\-S\fR \fB\-\-session\fR + Run a full desktop session, Requires level, and home and tmpdir. + .TP +diff --git a/sandbox/seunshare.8 b/sandbox/seunshare.8 +index 0da352613485..09cf7feae45d 100644 +--- a/sandbox/seunshare.8 ++++ b/sandbox/seunshare.8 +@@ -18,6 +18,9 @@ Alternate homedir to be used by the application. Homedir must be owned by the u + \fB\-t\ tmpdir + Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user. + .TP ++\fB\-r\ runuserdir ++Use alternate temporary directory to mount on XDG_RUNTIME_DIR (/run/user/$UID). runuserdir must be owned by the user. ++.TP + \fB\-C --capabilities\fR + Allow apps executed within the namespace to use capabilities. Default is no capabilities. 
+ .TP +diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c +index dd1d7ddbdc89..1d38ea92b9ae 100644 +--- a/sandbox/seunshare.c ++++ b/sandbox/seunshare.c +@@ -52,7 +52,7 @@ + + #define BUF_SIZE 1024 + #define DEFAULT_PATH "/usr/bin:/bin" +-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ") ++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ") + + static int verbose = 0; + static int child = 0; +@@ -623,15 +623,20 @@ int main(int argc, char **argv) { + char *homedir_s = NULL; /* homedir spec'd by user in argv[] */ + char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */ + char *tmpdir_r = NULL; /* tmpdir created by seunshare */ ++ char *runuserdir_s = NULL; /* /var/run/user/UID spec'd by user in argv[] */ ++ char *runuserdir_r = NULL; /* /var/run/user/UID created by seunshare */ + + struct stat st_curhomedir; + struct stat st_homedir; + struct stat st_tmpdir_s; + struct stat st_tmpdir_r; ++ struct stat st_runuserdir_s; ++ struct stat st_runuserdir_r; + + const struct option long_options[] = { + {"homedir", 1, 0, 'h'}, + {"tmpdir", 1, 0, 't'}, ++ {"runuserdir", 1, 0, 'r'}, + {"kill", 1, 0, 'k'}, + {"verbose", 1, 0, 'v'}, + {"context", 1, 0, 'Z'}, +@@ -665,7 +670,7 @@ int main(int argc, char **argv) { + } + + while (1) { +- clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL); ++ clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL); + if (clflag == -1) + break; + +@@ -679,6 +684,9 @@ int main(int argc, char **argv) { + case 'h': + homedir_s = optarg; + break; ++ case 'r': ++ runuserdir_s = optarg; ++ break; + case 'v': + verbose++; + break; +@@ -729,6 +737,10 @@ int main(int argc, char **argv) { + if (tmpdir_s && ( + verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 || + check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1; ++ if (runuserdir_s && ( ++ 
verify_directory(runuserdir_s, NULL, &st_runuserdir_s) < 0 || ++ check_owner_uid(uid, runuserdir_s, &st_runuserdir_s))) return -1; ++ + if ((uid_t)setfsuid(0) != uid) return -1; + + /* create runtime tmpdir */ +@@ -737,6 +749,12 @@ int main(int argc, char **argv) { + fprintf(stderr, _("Failed to create runtime temporary directory\n")); + return -1; + } ++ /* create runtime runuserdir */ ++ if (runuserdir_s && (runuserdir_r = create_tmpdir(runuserdir_s, &st_runuserdir_s, ++ &st_runuserdir_r, pwd, execcon)) == NULL) { ++ fprintf(stderr, _("Failed to create runtime $XDG_RUNTIME_DIR directory\n")); ++ return -1; ++ } + + /* spawn child process */ + child = fork(); +@@ -775,7 +793,21 @@ int main(int argc, char **argv) { + if (check_owner_uid(uid, resolved_path, &st_curhomedir) < 0) + goto childerr; + +- /* mount homedir and tmpdir, in this order */ ++ if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) { ++ if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) { ++ perror(_("Out of memory")); ++ goto childerr; ++ } ++ } else { ++ if (asprintf(&RUNTIME_DIR, "/run/user/%d", uid) == -1) { ++ perror(_("Out of memory\n")); ++ goto childerr; ++ } ++ } ++ ++ /* mount homedir, runuserdir and tmpdir, in this order */ ++ if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR, ++ &st_runuserdir_s) != 0) goto childerr; + if (homedir_s && seunshare_mount(homedir_s, resolved_path, + &st_homedir) != 0) goto childerr; + if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp", +@@ -799,13 +831,6 @@ int main(int argc, char **argv) { + } + } + +- if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) { +- if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) { +- perror(_("Out of memory")); +- goto childerr; +- } +- } +- + if ((rc = clearenv()) != 0) { + perror(_("Failed to clear environment")); + goto childerr; +-- +2.38.1 + 
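Review bot: The bind-mount target for the new -r option, `RUNTIME_DIR`, is copied verbatim from the caller's `XDG_RUNTIME_DIR` environment variable and passed to `seunshare_mount` with no validation, whereas the home-directory target a few lines above is checked with `check_owner_uid(uid, resolved_path, &st_curhomedir)` first; seunshare still holds root filesystem credentials at this point (`setfsuid(0)` just before the fork), so the invoking user chooses where a directory they own gets mounted. Whether that is exploitable depends on the mount namespace and SELinux confinement set up elsewhere in main(), which this hunk does not show, but the target should be held to the same rule as the source — an existing directory owned by the invoking user — before the mount, as in the lines below. Separately, `asprintf(&RUNTIME_DIR, "/run/user/%d", uid)` formats a `uid_t` with a signed conversion; `"/run/user/%u", (unsigned int)uid` matches the type. main() starts before this hunk and ends after it.
```c
	/* … unchanged: RUNTIME_DIR from XDG_RUNTIME_DIR, else /run/user/UID … */

	/* RUNTIME_DIR comes from the caller's environment: hold the mount
	 * target to the same rule as the mount source before touching it. */
	if (runuserdir_s) {
		struct stat st_runtime_dir;
		if (verify_directory(RUNTIME_DIR, NULL, &st_runtime_dir) < 0 ||
		    check_owner_uid(uid, RUNTIME_DIR, &st_runtime_dir) < 0)
			goto childerr;
	}

	/* mount homedir, runuserdir and tmpdir, in this order */
	if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR,
		&st_runuserdir_s) != 0) goto childerr;
```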
diff --git a/0016-python-Remove-dependency-on-the-Python-module-distut.patch b/0016-python-Remove-dependency-on-the-Python-module-distut.patch new file mode 100644 index 0000000..81b36c2 --- /dev/null +++ b/0016-python-Remove-dependency-on-the-Python-module-distut.patch 
@@ -0,0 +1,81 @@ +From c08cf24f39989cfc610a481ae3dc380b61e9ca5f Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Fri, 28 Oct 2022 16:16:22 -0400 +Subject: [PATCH] python: Remove dependency on the Python module distutils +Content-type: text/plain + +The distutils package is deprecated and scheduled to be removed in +Python 3.12. Use the setuptools and sysconfig modules instead. + +Signed-off-by: James Carter +Acked-by: Petr Lautrbach +--- + python/semanage/Makefile | 2 +- + python/sepolgen/src/sepolgen/Makefile | 2 +- + python/sepolicy/sepolicy/gui.py | 4 ++-- + python/sepolicy/setup.py | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/python/semanage/Makefile b/python/semanage/Makefile +index 024e9640fed0..b53ee33db6ac 100644 +--- a/python/semanage/Makefile ++++ b/python/semanage/Makefile +@@ -5,7 +5,7 @@ LINGUAS ?= ru + PREFIX ?= /usr + SBINDIR ?= $(PREFIX)/sbin + MANDIR = $(PREFIX)/share/man +-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") ++PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") + PACKAGEDIR ?= $(PYTHONLIBDIR) + BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions + +diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile +index cac8def7204e..a10392273181 100644 +--- a/python/sepolgen/src/sepolgen/Makefile ++++ b/python/sepolgen/src/sepolgen/Makefile +@@ -1,6 +1,6 @@ + PREFIX ?= /usr + PYTHON ?= python3 +-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") ++PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") + PACKAGEDIR ?= /$(PYTHONLIBDIR)/sepolgen + + all: +diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py +index 
5bdbfebade1d..335be582b668 100644 +--- a/python/sepolicy/sepolicy/gui.py ++++ b/python/sepolicy/sepolicy/gui.py +@@ -77,7 +77,7 @@ def cmp(a, b): + return 1 + return (a > b) - (a < b) + +-import distutils.sysconfig ++import sysconfig + ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<")) + ADVANCED_SEARCH_LABEL = (_("Advanced Search >>"), _("Advanced Search <<")) + OUTBOUND_PAGE = 0 +@@ -130,7 +130,7 @@ class SELinuxGui(): + self.application = app + self.filter_txt = "" + builder = Gtk.Builder() # BUILDER OBJ +- self.code_path = distutils.sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/" ++ self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/" + glade_file = self.code_path + "sepolicy.glade" + builder.add_from_file(glade_file) + self.outer_notebook = builder.get_object("outer_notebook") +diff --git a/python/sepolicy/setup.py b/python/sepolicy/setup.py +index b0f9650df875..c82206647f9b 100644 +--- a/python/sepolicy/setup.py ++++ b/python/sepolicy/setup.py +@@ -2,7 +2,7 @@ + + # Author: Thomas Liu + # Author: Dan Walsh +-from distutils.core import setup ++from setuptools import setup + + setup( + name="sepolicy", +-- +2.38.1 + diff --git a/0017-python-Harden-tools-against-rogue-modules.patch b/0017-python-Harden-tools-against-rogue-modules.patch new file mode 100644 index 0000000..0d2d809 --- /dev/null +++ b/0017-python-Harden-tools-against-rogue-modules.patch 
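Review bot: `sysconfig.get_python_lib(plat_specific=False)` in the gui.py hunk raises AttributeError the first time `SELinuxGui` is constructed: the standard-library `sysconfig` module has no `get_python_lib`; that name belongs to `distutils.sysconfig`, the very module this patch removes. The two Makefile hunks already use the correct replacement, and the same call works here: `self.code_path = sysconfig.get_path('purelib') + "/sepolicy/"`. Since the glade file ships next to the module, locating it relative to `__file__` would remove the dependence on the install prefix altogether, but that needs `os` in scope in gui.py, which the hunk does not show. `SELinuxGui.__init__` continues outside the hunk.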
@@ -0,0 +1,81 @@ +From 48602370acabffea96759bf66edd00ca829f5d17 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 18 Oct 2022 22:36:59 +0200 +Subject: [PATCH] python: Harden tools against "rogue" modules +Content-type: text/plain + +Python scripts present in "/usr/sbin" override regular modules. +Make sure /usr/sbin is not present in PYTHONPATH. + +Fixes: + #cat > /usr/sbin/audit.py < +Acked-by: James Carter +--- + python/audit2allow/audit2allow | 2 +- + python/audit2allow/sepolgen-ifgen | 2 +- + python/chcat/chcat | 2 +- + python/semanage/semanage | 2 +- + python/sepolicy/sepolicy.py | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow +index 09b06f664bc4..eafeea88aa21 100644 +--- a/python/audit2allow/audit2allow ++++ b/python/audit2allow/audit2allow +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Authors: Karl MacMillan + # Authors: Dan Walsh + # +diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen +index b7a04c719acc..f2cc0c32f2b0 100644 +--- a/python/audit2allow/sepolgen-ifgen ++++ b/python/audit2allow/sepolgen-ifgen +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # + # Authors: Karl MacMillan + # +diff --git a/python/chcat/chcat b/python/chcat/chcat +index 952cb8187599..68718ec5f102 100755 +--- a/python/chcat/chcat ++++ b/python/chcat/chcat +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2005 Red Hat + # see file 'COPYING' for use and warranty information + # +diff --git a/python/semanage/semanage b/python/semanage/semanage +index 10ab3fa67d7f..b21d1484ab85 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2012-2013 Red Hat + # AUTHOR: Miroslav Grepl + # AUTHOR: David Quigley +diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py +index 
c7a70e094b0c..733d40484709 100755
+--- a/python/sepolicy/sepolicy.py
++++ b/python/sepolicy/sepolicy.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ # Copyright (C) 2012 Red Hat
+ # AUTHOR: Dan Walsh
+ # see file 'COPYING' for use and warranty information
+--
+2.38.1
+
diff --git a/0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
new file mode 100644
index 0000000..552aa2b
--- /dev/null
+++ b/0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@@ -0,0 +1,27 @@
+From 1b9bc42461589e49cd68727ea479cc820e55a2d7 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 20 Aug 2015 12:58:41 +0200
+Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
+ recent Fedoras
+Content-type: text/plain
+
+---
+ sandbox/sandboxX.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+index eaa500d08143..4774528027ef 100644
+--- a/sandbox/sandboxX.sh
++++ b/sandbox/sandboxX.sh
+@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
+
+ EOF
+
+-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
++(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+ export DISPLAY=:$D
+ cat > ~/seremote << __EOF
+ #!/bin/sh
+--
+2.38.1
+
diff --git a/0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
new file mode 100644
index 0000000..a6205ac
--- /dev/null
+++ b/0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
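Review bot: `-EsI` in every new shebang is redundant: `-I` (isolated mode) already implies `-E` and `-s`, so `#!/usr/bin/python3 -I` gives the same protection against a stray `/usr/sbin/audit.py` with less to explain. If the long spelling is kept deliberately for readers who only know `-E`/`-s`, a comment under the shebang such as `# -I: isolated mode, keep the script directory and PYTHONPATH off sys.path` would document why. The commit message should also say that running these tools from a source checkout via `PYTHONPATH` no longer works, since `-I` ignores that variable too. The same change appears in audit2allow, sepolgen-ifgen, chcat, semanage and sepolicy.py; this note covers all five.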
@@ -0,0 +1,25 @@
+From 30f3eca067ace9f73ad7612377675e5f777ea869 Mon Sep 17 00:00:00 2001
+From: Dan Walsh
+Date: Fri, 14 Feb 2014 12:32:12 -0500
+Subject: [PATCH] Don't be verbose if you are not on a tty
+Content-type: text/plain
+
+---
+ policycoreutils/scripts/fixfiles | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index c72ca0eb9d61..163ebcd1f232 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
+ fullFlag=0
+ BOOTTIME=""
+ VERBOSE="-p"
++[ -t 1 ] || VERBOSE=""
+ FORCEFLAG=""
+ THREADS=""
+ RPMFILES=""
+--
+2.38.1
+
diff --git a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch b/0020-sepolicy-generate-Handle-more-reserved-port-types.patch
new file mode 100644
index 0000000..7668c70
--- /dev/null
+++ b/0020-sepolicy-generate-Handle-more-reserved-port-types.patch
@@ -0,0 +1,72 @@ +From f2a1b0dc836ebcf2ef418cd0c85fcea949b556eb Mon Sep 17 00:00:00 2001 +From: Masatake YAMATO +Date: Thu, 14 Dec 2017 15:57:58 +0900 +Subject: [PATCH] sepolicy-generate: Handle more reserved port types +Content-type: text/plain + +Currently only reserved_port_t, port_t and hi_reserved_port_t are +handled as special when making a ports-dictionary. However, as fas as +corenetwork.te.in of serefpolicy, unreserved_port_t and +ephemeral_port_t should be handled in the same way, too. + +(Details) I found the need of this change when I was using +selinux-polgengui. Though tcp port 12345, which my application may +use, was given to the gui, selinux-polgengui generates expected te +file and sh file which didn't utilize the tcp port. + +selinux-polgengui checks whether a port given via gui is already typed +or not. + +If it is already typed, selinux-polgengui generates a te file having +rules to allow the application to use the port. (A) + +If not, it seems for me that selinux-polgengui is designed to generate +a te file having rules to allow the application to own(?) the port; +and a sh file having a command line to assign the application own type +to the port. (B) + +As we can see the output of `semanage port -l' some of ports for +specified purpose have types already. The important point is that the +rest of ports also have types already: + + hi_reserved_port_t tcp 512-1023 + hi_reserved_port_t udp 512-1023 + unreserved_port_t tcp 1024-32767, 61001-65535 + unreserved_port_t udp 1024-32767, 61001-65535 + ephemeral_port_t tcp 32768-61000 + ephemeral_port_t udp 32768-61000 + +As my patch shows, the original selinux-polgengui ignored +hi_reserved_port_t; though hi_reserved_port_t is assigned, +selinux-polgengui considered ports 512-1023 are not used. As the +result selinux-polgengui generates file sets of (B). + +For the purpose of selinux-polgengui, I think unreserved_port_t and +ephemeral_port_t are treated as the same as hi_reserved_port_t. 
+ +Signed-off-by: Masatake YAMATO + +Fedora only patch: +https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/ +--- + python/sepolicy/sepolicy/generate.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py +index 3717d5d4ed78..eff3a8973917 100644 +--- a/python/sepolicy/sepolicy/generate.py ++++ b/python/sepolicy/sepolicy/generate.py +@@ -100,7 +100,9 @@ def get_all_ports(): + for p in sepolicy.info(sepolicy.PORT): + if p['type'] == "reserved_port_t" or \ + p['type'] == "port_t" or \ +- p['type'] == "hi_reserved_port_t": ++ p['type'] == "hi_reserved_port_t" or \ ++ p['type'] == "ephemeral_port_t" or \ ++ p['type'] == "unreserved_port_t": + continue + dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) + return dict +-- +2.38.1 + diff --git a/0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch new file mode 100644 index 0000000..63c81d3 --- /dev/null +++ b/0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch 
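Review bot: The five-way `or` chain in `get_all_ports` is the shape that attracts a missing `\` or a misplaced `or` on the next addition; a membership test reads as one condition. Replace the four continued lines with `if p['type'] in ("reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t"):`, or hoist that tuple into a module-level constant so the commit message's reasoning can sit beside it as a comment, e.g. `# generic port types from corenetwork.te: a port labelled with one of these is not reserved for any application`. `get_all_ports` starts and ends outside the hunk.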
@@ -0,0 +1,75 @@ +From 239f039edd2c4030d373baa31f42651075b5927b Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 18 Jul 2018 09:09:35 +0200 +Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox +Content-type: text/plain + +--- + sandbox/sandbox | 4 ++-- + sandbox/sandbox.8 | 2 +- + sandbox/sandboxX.sh | 14 -------------- + 3 files changed, 3 insertions(+), 17 deletions(-) + +diff --git a/sandbox/sandbox b/sandbox/sandbox +index 770807345858..df3af9260c7f 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -270,7 +270,7 @@ class Sandbox: + copyfile(f, "/tmp", self.__tmpdir) + copyfile(f, "/var/tmp", self.__tmpdir) + +- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): ++ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): + execfile = self.__homedir + "/.sandboxrc" + fd = open(execfile, "w+") + if self.__options.session: +@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + + parser.add_option("-W", "--windowmanager", dest="wm", + type="string", +- default="/usr/bin/openbox", ++ default="/usr/bin/matchbox-window-manager", + help=_("alternate window manager")) + + parser.add_option("-l", "--level", dest="level", +diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 +index 1ee0ecea96d1..775e4b231204 100644 +--- a/sandbox/sandbox.8 ++++ b/sandbox/sandbox.8 +@@ -80,7 +80,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz + \fB\-W\fR \fB\-\-windowmanager\fR + Select alternative window manager to run within + .B sandbox \-X. +-Default to /usr/bin/openbox. ++Default to /usr/bin/matchbox-window-manager. 
+ .TP + \fB\-X\fR + Create an X based Sandbox for gui apps, temporary files for +diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh +index 4774528027ef..c211ebc14549 100644 +--- a/sandbox/sandboxX.sh ++++ b/sandbox/sandboxX.sh +@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 + [ -z $2 ] && export DPI="96" || export DPI="$2" + trap "exit 0" HUP + +-mkdir -p ~/.config/openbox +-cat > ~/.config/openbox/rc.xml << EOF +- +- +- +- no +- all +- yes +- +- +- +-EOF +- + (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do + export DISPLAY=:$D + cat > ~/seremote << __EOF +-- +2.38.1 + diff --git a/0022-Use-SHA-2-instead-of-SHA-1.patch b/0022-Use-SHA-2-instead-of-SHA-1.patch new file mode 100644 index 0000000..48c4627 --- /dev/null +++ b/0022-Use-SHA-2-instead-of-SHA-1.patch 
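Review bot: The new default `/usr/bin/matchbox-window-manager` is spelled three times — the `wm=` default of `__setup_sandboxrc`, the optparse `default=` of `-W`, and sandbox.8 — and nothing keeps them in step, which is how the openbox path lingered in three places until now. A module-level `DEFAULT_WM = "/usr/bin/matchbox-window-manager"` used as `wm=DEFAULT_WM` and `default=DEFAULT_WM` would leave only the man page to update by hand. Both `__setup_sandboxrc` and the option-parsing code continue outside their hunks.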
@@ -0,0 +1,298 @@ +From e5a015f1edd5e7ed87f6f4ec6ddb45637fa178ab Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 30 Jul 2021 14:14:37 +0200 +Subject: [PATCH] Use SHA-2 instead of SHA-1 +Content-type: text/plain + +The use of SHA-1 in RHEL9 is deprecated +--- + policycoreutils/setfiles/restorecon.8 | 10 +++++----- + policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++---- + policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------ + policycoreutils/setfiles/ru/restorecon.8 | 8 ++++---- + policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++----- + policycoreutils/setfiles/ru/setfiles.8 | 8 ++++---- + policycoreutils/setfiles/setfiles.8 | 10 +++++----- + 7 files changed, 33 insertions(+), 33 deletions(-) + +diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 +index e07db2c87dc4..dbd55ce7c512 100644 +--- a/policycoreutils/setfiles/restorecon.8 ++++ b/policycoreutils/setfiles/restorecon.8 +@@ -95,14 +95,14 @@ display usage information and exit. + ignore files that do not exist. + .TP + .B \-I +-ignore digest to force checking of labels even if the stored SHA1 digest +-matches the specfiles SHA1 digest. The digest will then be updated provided ++ignore digest to force checking of labels even if the stored SHA256 digest ++matches the specfiles SHA256 digest. The digest will then be updated provided + there are no errors. See the + .B NOTES + section for further details. + .TP + .B \-D +-Set or update any directory SHA1 digests. Use this option to ++Set or update any directory SHA256 digests. Use this option to + enable usage of the + .IR security.sehash + extended attribute. +@@ -200,7 +200,7 @@ the + .B \-D + option to + .B restorecon +-will cause it to store a SHA1 digest of the default specfiles set in an extended ++will cause it to store a SHA256 digest of the default specfiles set in an extended + attribute named + .IR security.sehash + on each directory specified in +@@ -217,7 +217,7 @@ for further details. 
+ .sp + The + .B \-I +-option will ignore the SHA1 digest from each directory specified in ++option will ignore the SHA256 digest from each directory specified in + .IR pathname \ ... + and provided the + .B \-n +diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8 +index e04528e60824..4b1ce304d995 100644 +--- a/policycoreutils/setfiles/restorecon_xattr.8 ++++ b/policycoreutils/setfiles/restorecon_xattr.8 +@@ -23,7 +23,7 @@ or + + .SH "DESCRIPTION" + .B restorecon_xattr +-will display the SHA1 digests added to extended attributes ++will display the SHA256 digests added to extended attributes + .I security.sehash + or delete the attribute completely. These attributes are set by + .BR restorecon (8) +@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches. + .sp + By default + .B restorecon_xattr +-will display the SHA1 digests with "Match" appended if they match the default ++will display the SHA256 digests with "Match" appended if they match the default + specfile set or the + .I specfile + set used with the + .B \-f +-option. Non-matching SHA1 digests will be displayed with "No Match" appended. ++option. Non-matching SHA256 digests will be displayed with "No Match" appended. + This feature can be disabled by the + .B \-n + option. +@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests. + recursively descend directories. + .TP + .B \-v +-display SHA1 digest generated by specfile set (Note that this digest is not ++display SHA256 digest generated by specfile set (Note that this digest is not + used to match the + .I security.sehash + directory digest entries, and is shown for reference only). 
+diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c +index 31fb82fd2099..bc22d3fd4560 100644 +--- a/policycoreutils/setfiles/restorecon_xattr.c ++++ b/policycoreutils/setfiles/restorecon_xattr.c +@@ -38,7 +38,7 @@ int main(int argc, char **argv) + unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0; + unsigned int delete_all_digests = 0, ignore_mounts = 0; + bool display_digest = false; +- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL; ++ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL; + unsigned char *fc_digest = NULL; + size_t i, fc_digest_len = 0, num_specfiles; + +@@ -133,8 +133,8 @@ int main(int argc, char **argv) + exit(-1); + } + +- sha1_buf = malloc(fc_digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(fc_digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, + "Error allocating digest buffer: %s\n", + strerror(errno)); +@@ -143,16 +143,16 @@ int main(int argc, char **argv) + } + + for (i = 0; i < fc_digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]); ++ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]); + +- printf("specfiles SHA1 digest: %s\n", sha1_buf); ++ printf("specfiles SHA256 digest: %s\n", sha256_buf); + + printf("calculated using the following specfile(s):\n"); + if (specfiles) { + for (i = 0; i < num_specfiles; i++) + printf("%s\n", specfiles[i]); + } +- free(sha1_buf); ++ free(sha256_buf); + printf("\n"); + } + +diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8 +index 9be3a63db356..745135020f4b 100644 +--- a/policycoreutils/setfiles/ru/restorecon.8 ++++ b/policycoreutils/setfiles/ru/restorecon.8 +@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас + игнорировать файлы, которые не существуют. 
+ .TP + .B \-I +-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе ++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе + .B ПРИМЕЧАНИЯ. + .TP + .B \-D +-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута ++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута + .IR security.restorecon_last. + .TP + .B \-m +@@ -159,7 +159,7 @@ GNU + .B \-D + команды + .B restorecon +-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем ++обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем + .IR security.restorecon_last + для каталогов, указанных в соответствующих путях + .IR pathname \ ... +@@ -173,7 +173,7 @@ GNU + .sp + Параметр + .B \-I +-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в ++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в + .IR pathname \ ... 
+ , и, при условии, что НЕ установлен параметр + .B \-n +diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8 +index 41c441b8c5c2..25c4c3033334 100644 +--- a/policycoreutils/setfiles/ru/restorecon_xattr.8 ++++ b/policycoreutils/setfiles/ru/restorecon_xattr.8 +@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных + + .SH "ОПИСАНИЕ" + .B restorecon_xattr +-покажет дайджесты SHA1, добавленные в расширенные атрибуты ++покажет дайджесты SHA256, добавленные в расширенные атрибуты + .I security.restorecon_last, + или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой + .BR restorecon (8) +@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных + .sp + По умолчанию + .B restorecon_xattr +-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации ++показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации + .I specfile, + который установлен с помощью параметра + .B \-f. +-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце. ++Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце. + Эту возможность можно отключить с помощью параметра + .B \-n. + +@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных + рекурсивно спускаться по каталогам. + .TP + .B \-v +-показать дайджест SHA1, созданный установленным файлом спецификации. ++показать дайджест SHA256, созданный установленным файлом спецификации. + .TP + .B \-e + .I directory +@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных + .BR file_contexts (5). 
+ Он будет использоваться + .BR selabel_open (3) +-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью ++для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью + .BR selabel_digest (3). + Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию. + +diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8 +index 910101452625..7f2daa09191b 100644 +--- a/policycoreutils/setfiles/ru/setfiles.8 ++++ b/policycoreutils/setfiles/ru/setfiles.8 +@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос + игнорировать файлы, которые не существуют. + .TP + .B \-I +-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе ++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе + .B ПРИМЕЧАНИЯ. + .TP + .B \-D +-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута ++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута + .IR security.restorecon_last. + .TP + .B \-l +@@ -186,7 +186,7 @@ GNU + .B \-D + команды + .B setfiles . 
+-Он обеспечивает сохранение дайджеста SHA1 файла спецификации ++Он обеспечивает сохранение дайджеста SHA256 файла спецификации + .B spec_file + в расширенном атрибуте с именем + .IR security.restorecon_last +@@ -204,7 +204,7 @@ GNU + .sp + Параметр + .B \-I +-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в ++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в + .IR pathname \ ... + , и, при условии, что НЕ установлен параметр + .B \-n +diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 +index bf26e161a71d..36fe6b369548 100644 +--- a/policycoreutils/setfiles/setfiles.8 ++++ b/policycoreutils/setfiles/setfiles.8 +@@ -95,14 +95,14 @@ display usage information and exit. + ignore files that do not exist. + .TP + .B \-I +-ignore digest to force checking of labels even if the stored SHA1 digest +-matches the specfiles SHA1 digest. The digest will then be updated provided ++ignore digest to force checking of labels even if the stored SHA256 digest ++matches the specfiles SHA256 digest. The digest will then be updated provided + there are no errors. See the + .B NOTES + section for further details. + .TP + .B \-D +-Set or update any directory SHA1 digests. Use this option to ++Set or update any directory SHA256 digests. Use this option to + enable usage of the + .IR security.sehash + extended attribute. +@@ -261,7 +261,7 @@ the + .B \-D + option to + .B setfiles +-will cause it to store a SHA1 digest of the ++will cause it to store a SHA256 digest of the + .B spec_file + set in an extended attribute named + .IR security.sehash +@@ -282,7 +282,7 @@ for further details. + .sp + The + .B \-I +-option will ignore the SHA1 digest from each directory specified in ++option will ignore the SHA256 digest from each directory specified in + .IR pathname \ ... + and provided the + .B \-n +-- +2.38.1 + 
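Review bot: The restorecon_xattr.c hunk hard-codes the label `specfiles SHA256 digest` while nothing in this file chooses the algorithm: the bytes arrive in `fc_digest`/`fc_digest_len`, filled outside the hunk (presumably by `selabel_digest(3)`, which the man pages name), so the label is correct only as long as the linked libselinux really emits SHA-256. The same assumption is repeated in the six man pages, which is acceptable for documentation but not for output the code cannot vouch for; print something the code does know, e.g. `printf("specfiles digest (%zu bytes): %s\n", fc_digest_len, sha256_buf);`, or select the name from `fc_digest_len`. The `malloc(fc_digest_len * 2 + 1)` plus one `%02x` per byte is sized correctly, and `sha256_buf` is freed on the printing path, so those parts are fine. `main` continues outside the hunk.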
diff --git a/0023-python-Fix-typo-in-audit2allow.1-example.patch b/0023-python-Fix-typo-in-audit2allow.1-example.patch
new file mode 100644
index 0000000..31b0081
--- /dev/null
+++ b/0023-python-Fix-typo-in-audit2allow.1-example.patch
@@ -0,0 +1,28 @@
+From 5e9f9478cc6eeaa46e0e8172a458a49e49d4e258 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 9 Nov 2022 11:53:28 +0100
+Subject: [PATCH] python: Fix typo in audit2allow.1 example
+Content-type: text/plain
+
+Signed-off-by: Petr Lautrbach
+Acked-by: James Carter
+---
+ python/audit2allow/audit2allow.1 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/audit2allow/audit2allow.1 b/python/audit2allow/audit2allow.1
+index c61067b33688..04ec32398011 100644
+--- a/python/audit2allow/audit2allow.1
++++ b/python/audit2allow/audit2allow.1
+@@ -151,7 +151,7 @@ policy_module(local, 1.0)
+ gen_require(`
+ type myapp_t;
+ type etc_t;
+- };
++\[aq])
+
+ files_read_etc_files(myapp_t)
+
+--
+2.38.1
+
diff --git a/0024-python-sepolicy-Fix-sepolicy-manpage-w.patch b/0024-python-sepolicy-Fix-sepolicy-manpage-w.patch
new file mode 100644
index 0000000..97a224e
--- /dev/null
+++ b/0024-python-sepolicy-Fix-sepolicy-manpage-w.patch
@@ -0,0 +1,102 @@ +From 762090ae1a67b040b37cc4863f1ceb0b45c66717 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 18 Nov 2022 13:51:52 +0100 +Subject: [PATCH] python/sepolicy: Fix sepolicy manpage -w ... +Content-type: text/plain + +Commit 7494bb1298b3 ("sepolicy: generate man pages in parallel") +improved sepolicy performance but broke `sepolicy manpage -w ...` as it +didn't collect data about domains and roles from ManPage() and so +HTMLManPages() generated only empty page. This is fixed now, domains +and roles are being collected and used for HTML pages. + +Signed-off-by: Petr Lautrbach +--- + python/sepolicy/sepolicy.py | 13 +++++++++++-- + python/sepolicy/sepolicy/manpage.py | 12 +++++------- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py +index 733d40484709..82ff6af2bc2d 100755 +--- a/python/sepolicy/sepolicy.py ++++ b/python/sepolicy/sepolicy.py +@@ -332,9 +332,10 @@ def manpage_work(domain, path, root, source_files, web): + from sepolicy.manpage import ManPage + m = ManPage(domain, path, root, source_files, web) + print(m.get_man_page_path()) ++ return (m.manpage_domains, m.manpage_roles) + + def manpage(args): +- from sepolicy.manpage import HTMLManPages, manpage_domains, manpage_roles, gen_domains ++ from sepolicy.manpage import HTMLManPages, gen_domains + + path = args.path + if not args.policy and args.root != "/": +@@ -347,9 +348,17 @@ def manpage(args): + else: + test_domains = args.domain + ++ manpage_domains = set() ++ manpage_roles = set() + p = Pool() ++ async_results = [] + for domain in test_domains: +- p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web]) ++ async_results.append(p.apply_async(manpage_work, [domain, path, args.root, args.source_files, args.web])) ++ for result in async_results: ++ domains, roles = result.get() ++ manpage_domains.update(domains) ++ manpage_roles.update(roles) ++ + p.close() + p.join() + +diff 
--git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py +index 3e61e333193f..de72cb6cda5f 100755 +--- a/python/sepolicy/sepolicy/manpage.py ++++ b/python/sepolicy/sepolicy/manpage.py +@@ -21,7 +21,7 @@ + # 02111-1307 USA + # + # +-__all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_domains'] ++__all__ = ['ManPage', 'HTMLManPages', 'gen_domains'] + + import string + import selinux +@@ -147,10 +147,6 @@ def _gen_types(): + def prettyprint(f, trim): + return " ".join(f[:-len(trim)].split("_")) + +-# for HTML man pages +-manpage_domains = [] +-manpage_roles = [] +- + fedora_releases = ["Fedora17", "Fedora18"] + rhel_releases = ["RHEL6", "RHEL7"] + +@@ -408,6 +404,8 @@ class ManPage: + """ + modules_dict = None + enabled_str = ["Disabled", "Enabled"] ++ manpage_domains = [] ++ manpage_roles = [] + + def __init__(self, domainname, path="/tmp", root="/", source_files=False, html=False): + self.html = html +@@ -453,10 +451,10 @@ class ManPage: + if self.domainname + "_r" in self.all_roles: + self.__gen_user_man_page() + if self.html: +- manpage_roles.append(self.man_page_path) ++ self.manpage_roles.append(self.man_page_path) + else: + if self.html: +- manpage_domains.append(self.man_page_path) ++ self.manpage_domains.append(self.man_page_path) + self.__gen_man_page() + self.fd.close() + +-- +2.38.1 + diff --git a/0025-python-sepolicy-Use-distro-module-to-get-os-version.patch b/0025-python-sepolicy-Use-distro-module-to-get-os-version.patch new file mode 100644 index 0000000..606207b --- /dev/null +++ b/0025-python-sepolicy-Use-distro-module-to-get-os-version.patch 
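Review bot: `manpage_domains = []` and `manpage_roles = []` added to `ManPage` are class attributes, so every `ManPage` constructed in the same process appends to the same two lists, and a `Pool` worker that handles several domains returns the accumulated list from each `manpage_work` call rather than that domain's entries. It works today only because `manpage()` folds the results into sets; any caller that consumes the lists directly will see duplicates and cross-talk between unrelated domains. Make them per-instance with `self.manpage_domains = []` and `self.manpage_roles = []` in `__init__`, which the existing `self.manpage_roles.append(...)` sites already suit. `ManPage.__init__` and `manpage()` both continue outside their hunks.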
@@ -0,0 +1,57 @@ +From fe825bf76f7a6727a3654c96e7bc55ddc7069b76 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 18 Nov 2022 13:51:53 +0100 +Subject: [PATCH] python/sepolicy: Use distro module to get os version +Content-type: text/plain + +distro module uses /etc/os-release file which contains operating system +identification data, see os-release(5). Given that the mechanism doesn't +use `rpm` it should be possible to generate man pages on other +distributions. + +Signed-off-by: Petr Lautrbach +--- + python/sepolicy/sepolicy/__init__.py | 25 ++++++------------------- + 1 file changed, 6 insertions(+), 19 deletions(-) + +diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py +index 9c3caa05b80b..baa4c8e62e97 100644 +--- a/python/sepolicy/sepolicy/__init__.py ++++ b/python/sepolicy/sepolicy/__init__.py +@@ -1226,27 +1226,14 @@ def boolean_desc(boolean): + + + def get_os_version(): +- os_version = "" +- pkg_name = "selinux-policy" ++ system_release = "" + try: +- try: +- from commands import getstatusoutput +- except ImportError: +- from subprocess import getstatusoutput +- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name) +- if rc == 0: +- os_version = output.split(".")[-2] +- except: +- os_version = "" +- +- if os_version[0:2] == "fc": +- os_version = "Fedora" + os_version[2:] +- elif os_version[0:2] == "el": +- os_version = "RHEL" + os_version[2:] +- else: +- os_version = "" ++ import distro ++ system_release = distro.name(pretty=True) ++ except IOError: ++ system_release = "Misc" + +- return os_version ++ return system_release + + + def reinit(): +-- +2.38.1 + diff --git a/0026-python-sepolicy-Simplify-generation-of-man-pages.patch b/0026-python-sepolicy-Simplify-generation-of-man-pages.patch new file mode 100644 index 0000000..1835db5 --- /dev/null +++ b/0026-python-sepolicy-Simplify-generation-of-man-pages.patch 
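Review bot: `except IOError:` in the new `get_os_version` does not catch the failure this change introduces: `distro` is a third-party module, so a host without it raises `ImportError` from `import distro`, which escapes the function instead of producing `"Misc"`. Widen it to `except (ImportError, OSError):` (`IOError` is an alias of `OSError` on Python 3) and record the new runtime dependency on the `distro` package in the packaging metadata. On the plus side, the removed code shelled out via `getstatusoutput("rpm -q ...")`; replacing that with a library call is worth a sentence in the commit message. The function is fully contained in the hunk.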
@@ -0,0 +1,133 @@ +From 1fad73e62fdda5290e3939464df09796fca6871d Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 18 Nov 2022 13:51:55 +0100 +Subject: [PATCH] python/sepolicy: Simplify generation of man pages +Content-type: text/plain + +And do not hardcode Fedora and RHEL versions. + +Signed-off-by: Petr Lautrbach +--- + python/sepolicy/sepolicy/manpage.py | 71 ++++------------------------- + 1 file changed, 8 insertions(+), 63 deletions(-) + +diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py +index de72cb6cda5f..edeb3b77e759 100755 +--- a/python/sepolicy/sepolicy/manpage.py ++++ b/python/sepolicy/sepolicy/manpage.py +@@ -147,9 +147,6 @@ def _gen_types(): + def prettyprint(f, trim): + return " ".join(f[:-len(trim)].split("_")) + +-fedora_releases = ["Fedora17", "Fedora18"] +-rhel_releases = ["RHEL6", "RHEL7"] +- + + def get_alphabet_manpages(manpage_list): + alphabet_manpages = dict.fromkeys(string.ascii_letters, []) +@@ -180,7 +177,7 @@ def convert_manpage_to_html(html_manpage, manpage): + class HTMLManPages: + + """ +- Generate a HHTML Manpages on an given SELinux domains ++ Generate a HTML Manpages on an given SELinux domains + """ + + def __init__(self, manpage_roles, manpage_domains, path, os_version): +@@ -188,18 +185,12 @@ class HTMLManPages: + self.manpage_domains = get_alphabet_manpages(manpage_domains) + self.os_version = os_version + self.old_path = path + "/" +- self.new_path = self.old_path + self.os_version + "/" +- +- if self.os_version in fedora_releases or self.os_version in rhel_releases: +- self.__gen_html_manpages() +- else: +- print("SELinux HTML man pages can not be generated for this %s" % os_version) +- exit(1) ++ self.new_path = self.old_path ++ self.__gen_html_manpages() + + def __gen_html_manpages(self): + self._write_html_manpage() + self._gen_index() +- self._gen_body() + self._gen_css() + + def _write_html_manpage(self): +@@ -217,67 +208,21 @@ class HTMLManPages: + 
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) + + def _gen_index(self): +- index = self.old_path + "index.html" +- fd = open(index, 'w') +- fd.write(""" +- +- +- +- SELinux man pages online +- +- +-

SELinux man pages

+-

+-Fedora or Red Hat Enterprise Linux Man Pages. +-

+-
+-

Fedora

+- +- +-
+-
+-
+-""")
+-        for f in fedora_releases:
+-            fd.write("""
+-%s - SELinux man pages for %s """ % (f, f, f, f))
+-
+-        fd.write("""
+-
+-
+-

RHEL

+- +- +-
+-
+-
+-""")
+-        for r in rhel_releases:
+-            fd.write("""
+-%s - SELinux man pages for %s """ % (r, r, r, r))
+-
+-        fd.write("""
+-
+- """) +- fd.close() +- print("%s has been created" % index) +- +- def _gen_body(self): +- html = self.new_path + self.os_version + ".html" ++ html = self.new_path + "index.html" + fd = open(html, 'w') + fd.write(""" + + +- +- Linux man-pages online for Fedora18 ++ ++ SELinux man pages + + +-

SELinux man pages for Fedora18

++

SELinux man pages for %s

+
+ +
+

SELinux roles

+-""") ++""" % self.os_version) + for letter in self.manpage_roles: + if len(self.manpage_roles[letter]): + fd.write(""" +-- +2.38.1 + diff --git a/0027-Fix-E275-missing-whitespace-after-keyword.patch b/0027-Fix-E275-missing-whitespace-after-keyword.patch new file mode 100644 index 0000000..e86d3c6 --- /dev/null +++ b/0027-Fix-E275-missing-whitespace-after-keyword.patch 
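Review bot: In the rewritten `_gen_index`, `self.os_version` is interpolated into the page title and heading with `%` and no escaping, and with the release-list check removed from `__init__` (and patch 0025 turning the value into a free-form pretty name from /etc/os-release) it is no longer constrained to a known token; a value containing `<` or `&` would produce broken markup, so format with `html.escape(self.os_version)` from the stdlib `html` module. Dropping the `fedora_releases`/`rhel_releases` gate is fine, but it leaves this format site as the only place the value is validated, which is worth a short comment. `_gen_index` continues past the end of the hunk.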
@@ -0,0 +1,160 @@ +From 3fb03f54d0dad5119cdd3e1d2b13370b8296040b Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 21 Nov 2022 11:39:32 +0100 +Subject: [PATCH] Fix E275 missing whitespace after keyword +Content-type: text/plain + +Fixes: + ./gui/polgengui.py:484:18: E275 missing whitespace after keyword + ./gui/polgengui.py:530:18: E275 missing whitespace after keyword + ./python/sepolgen/src/sepolgen/policygen.py:327:19: E275 missing whitespace after keyword + ./python/sepolgen/src/sepolgen/policygen.py:329:11: E275 missing whitespace after keyword + ./python/sepolicy/sepolicy/__init__.py:453:15: E275 missing whitespace after keyword + ./python/sepolicy/sepolicy/generate.py:1351:28: E275 missing whitespace after keyword + ./python/sepolicy/sepolicy/generate.py:1353:28: E275 missing whitespace after keyword + ./python/sepolicy/sepolicy/gui.py:638:24: E275 missing whitespace after keyword + ./python/sepolicy/sepolicy/gui.py:863:23: E275 missing whitespace after keyword + ./python/sepolicy/sepolicy/gui.py:2177:16: E275 missing whitespace after keyword + ./sandbox/sandbox:114:7: E275 missing whitespace after keyword + ./sandbox/sandbox:134:11: E275 missing whitespace after keyword + ./sandbox/sandbox:136:7: E275 missing whitespace after keyword + +Signed-off-by: Petr Lautrbach +--- + gui/polgengui.py | 4 ++-- + python/sepolgen/src/sepolgen/policygen.py | 4 ++-- + python/sepolicy/sepolicy/__init__.py | 4 ++-- + python/sepolicy/sepolicy/generate.py | 4 ++-- + python/sepolicy/sepolicy/gui.py | 6 +++--- + sandbox/sandbox | 6 +++--- + 6 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/gui/polgengui.py b/gui/polgengui.py +index 7a3ecd50c91c..16116ba68b61 100644 +--- a/gui/polgengui.py ++++ b/gui/polgengui.py +@@ -481,7 +481,7 @@ class childWindow: + my_policy = sepolicy.generate.policy(self.get_name(), self.get_type()) + + iter = self.boolean_store.get_iter_first() +- while(iter): ++ while iter: + 
my_policy.add_boolean(self.boolean_store.get_value(iter, 0), self.boolean_store.get_value(iter, 1)) + iter = self.boolean_store.iter_next(iter) + +@@ -527,7 +527,7 @@ class childWindow: + my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text()) + + iter = self.store.get_iter_first() +- while(iter): ++ while iter: + if self.store.get_value(iter, 1) == FILE: + my_policy.add_file(self.store.get_value(iter, 0)) + else: +diff --git a/python/sepolgen/src/sepolgen/policygen.py b/python/sepolgen/src/sepolgen/policygen.py +index 8f0ce26e4dc7..183b41a93d50 100644 +--- a/python/sepolgen/src/sepolgen/policygen.py ++++ b/python/sepolgen/src/sepolgen/policygen.py +@@ -324,9 +324,9 @@ def call_interface(interface, av): + ifcall.args.append(av.obj_class) + else: + print(params[i].type) +- assert(0) ++ assert 0 + +- assert(len(ifcall.args) > 0) ++ assert len(ifcall.args) > 0 + + return ifcall + +diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py +index baa4c8e62e97..68907a4f9759 100644 +--- a/python/sepolicy/sepolicy/__init__.py ++++ b/python/sepolicy/sepolicy/__init__.py +@@ -450,9 +450,9 @@ def get_conditionals(src, dest, tclass, perm): + tlist.append(tdict) + tdict = {} + except KeyError: +- return(tlist) ++ return tlist + +- return (tlist) ++ return tlist + + + def get_conditionals_format_text(cond): +diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py +index eff3a8973917..36a3ea1196b1 100644 +--- a/python/sepolicy/sepolicy/generate.py ++++ b/python/sepolicy/sepolicy/generate.py +@@ -1348,9 +1348,9 @@ allow %s_t %s_t:%s_socket name_%s; + if len(temp_dirs) != 0: + for i in temp_dirs: + if i in self.dirs.keys(): +- del(self.dirs[i]) ++ del self.dirs[i] + elif i in self.files.keys(): +- del(self.files[i]) ++ del self.files[i] + else: + continue + +diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py +index 335be582b668..c8f33f522a2d 100644 
+--- a/python/sepolicy/sepolicy/gui.py ++++ b/python/sepolicy/sepolicy/gui.py +@@ -635,7 +635,7 @@ class SELinuxGui(): + for k in self.cur_dict: + for j in self.cur_dict[k]: + if i == ctr: +- del(self.cur_dict[k][j]) ++ del self.cur_dict[k][j] + return + i += 1 + +@@ -860,7 +860,7 @@ class SELinuxGui(): + if val is True or val is False or val is None: + continue + # Returns true if filter_txt exists within the val +- if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1): ++ if val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1: + return True + except (AttributeError, TypeError): + pass +@@ -2174,7 +2174,7 @@ class SELinuxGui(): + model.set_value(iter, 0, not model.get_value(iter, 0)) + active = model.get_value(iter, 0) + if name in self.cur_dict["boolean"]: +- del(self.cur_dict["boolean"][name]) ++ del self.cur_dict["boolean"][name] + else: + self.cur_dict["boolean"][name] = {"active": active} + self.new_updates() +diff --git a/sandbox/sandbox b/sandbox/sandbox +index df3af9260c7f..a32a33ea3cf6 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -111,7 +111,7 @@ def copyfile(file, srcdir, dest): + + def savefile(new, orig, X_ind): + copy = False +- if(X_ind): ++ if X_ind: + import gi + gi.require_version('Gtk', '3.0') + from gi.repository import Gtk +@@ -131,9 +131,9 @@ def savefile(new, orig, X_ind): + except NameError: + pass + ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig) +- if(re.match(_("[yY]"), ans)): ++ if re.match(_("[yY]"), ans): + copy = True +- if(copy): ++ if copy: + shutil.copy2(new, orig) + + +-- +2.38.1 + diff --git a/policycoreutils.spec b/policycoreutils.spec index 5eaa33a..d87da29 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
@@ -1,7 +1,7 @@ %global libauditver 3.0 -%global libsepolver 3.4-1 -%global libsemanagever 3.4-1 -%global libselinuxver 3.4-1 +%global libsepolver 3.4-4 +%global libsemanagever 3.4-6 +%global libselinuxver 3.4-6 %global generatorsdir %{_prefix}/lib/systemd/system-generators @@ -11,7 +11,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 3.4 -Release: 6%{?dist} +Release: 7%{?dist} License: GPL-2.0-or-later # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/selinux-3.4.tar.gz 
@@ -31,20 +31,33 @@ Source23: sandbox-po.tgz # $ git format-patch -N 3.4 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # Patch list start -Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch -Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch -Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch -Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch -Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch -Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch -Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch -Patch0008: 0008-sepolicy-generate-Handle-more-reserved-port-types.patch -Patch0009: 0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch -Patch0010: 0010-Use-SHA-2-instead-of-SHA-1.patch -Patch0011: 0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch -Patch0012: 0012-gettext-handle-unsupported-languages-properly.patch -Patch0013: 0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch -Patch0014: 0014-python-Split-semanage-import-into-two-transactions.patch +Patch0001: 0001-libselinux-declare-return-value-of-context_str-3-con.patch +Patch0002: 0002-semodule-avoid-toctou-on-output-module.patch +Patch0003: 0003-python-Split-semanage-import-into-two-transactions.patch +Patch0004: 0004-python-audit2allow-close-file-stream-on-error.patch +Patch0005: 0005-gettext-handle-unsupported-languages-properly.patch +Patch0006: 0006-semodule-rename-rebuild-if-modules-changed-to-refres.patch +Patch0007: 0007-python-remove-IOError-in-certain-cases.patch +Patch0008: 0008-restorecond-use-strict-function-prototype-for-defini.patch +Patch0009: 0009-Ignore-egg-info-directories-and-clean-them.patch +# Patch0010: 0010-Update-translations.patch +Patch0011: 0011-docs-provide-a-top-level-LICENSE-file.patch +Patch0012: 
0012-gui-Fix-export-file-chooser-dialog.patch +Patch0013: 0013-python-Do-not-query-the-local-database-if-the-fconte.patch +Patch0014: 0014-sandbox-Do-not-try-to-remove-tmpdir-twice-if-uid-0.patch +Patch0015: 0015-sandbox-Use-temporary-directory-for-XDG_RUNTIME_DIR.patch +Patch0016: 0016-python-Remove-dependency-on-the-Python-module-distut.patch +Patch0017: 0017-python-Harden-tools-against-rogue-modules.patch +Patch0018: 0018-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +Patch0019: 0019-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch +Patch0021: 0021-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +Patch0022: 0022-Use-SHA-2-instead-of-SHA-1.patch +Patch0023: 0023-python-Fix-typo-in-audit2allow.1-example.patch +Patch0024: 0024-python-sepolicy-Fix-sepolicy-manpage-w.patch +Patch0025: 0025-python-sepolicy-Use-distro-module-to-get-os-version.patch +Patch0026: 0026-python-sepolicy-Simplify-generation-of-man-pages.patch +Patch0027: 0027-Fix-E275-missing-whitespace-after-keyword.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 @@ -57,7 +70,7 @@ Provides: /sbin/restorecon BuildRequires: gcc make BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel -BuildRequires: python3-devel +BuildRequires: python3-devel python3-setuptools BuildRequires: systemd BuildRequires: git-core Requires: util-linux grep gawk diffutils rpm sed @@ -432,7 +445,7 @@ system-config-selinux is a utility for managing the SELinux environment %dir %{_datadir}/bash-completion %{_datadir}/bash-completion/completions/setsebool %{!?_licensedir:%global license %%doc} -%license policycoreutils/COPYING +%license policycoreutils/LICENSE %doc %{_usr}/share/doc/%{name} %package restorecond 
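Review bot: `# Patch0010: 0010-Update-translations.patch` is commented out without a reason, so the gap in the `git format-patch` series reads as accidental to the next rebaser; add a one-line comment stating why it is skipped, e.g. `# Patch0010 intentionally not applied: <reason>` (placeholder). The generator comments above the list imply entries are produced mechanically, so a disabled entry deserves an explicit justification.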
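Review bot: The BuildRequires line gains python3-setuptools for the distutils removal, but nothing in this diff adds a runtime dependency for the `import distro` that patch 0025 introduces into sepolicy's get_os_version(); unless a `Requires: python3-distro` already exists in a part of the spec outside this diff, `sepolicy manpage -w` will fail with ImportError on a minimal install. Consider `Requires: python3-distro` on the subpackage that ships python/sepolicy.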
@@ -454,7 +467,7 @@ The policycoreutils-restorecond package contains the restorecond service. %{_mandir}/ru/man8/restorecond.8* %{!?_licensedir:%global license %%doc} -%license policycoreutils/COPYING +%license policycoreutils/LICENSE %post %systemd_post selinux-autorelabel-mark.service @@ -472,6 +485,12 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon Nov 21 2022 Petr Lautrbach - 3.4-7 +- Rebase on upstream f56a72ac9e86 +- sepolicy: fix sepolicy manpage -w +- sandbox: add -R option to alternate XDG_RUNTIME_DIR +- Remove dependency on the Python module distutils + * Tue Aug 2 2022 Petr Lautrbach - 3.4-6 - Run autorelabel in parallel by default https://fedoraproject.org/wiki/Changes/SELinux_Parallel_Autorelabel