Hello community,
here is the log from the commit of package policycoreutils for openSUSE:Factory
checked in at 2021-03-24 16:08:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old)
and /work/SRC/openSUSE:Factory/.policycoreutils.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "policycoreutils"
Wed Mar 24 16:08:49 2021 rev:57 rq:878579 version:3.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes
2020-10-06 17:10:10.165478520 +0200
+++
/work/SRC/openSUSE:Factory/.policycoreutils.new.2401/policycoreutils.changes
2021-03-24 16:08:51.875681622 +0100
@@ -1,0 +2,10 @@
+Tue Mar 9 09:18:36 UTC 2021 - Johannes Segitz <[email protected]>
+
+- Update to version 3.2
+ * Tools using sepolgen, e.g. audit2allow, print extended permissions in
+ hexadecimal
+ * sepolgen sorts extended rules like normal ones
+ * `setfiles` doesn't abort on labeling errors
+- Refreshed get_os_version.patch
+
+-------------------------------------------------------------------
Old:
----
policycoreutils-3.1.tar.gz
selinux-python-3.1.tar.gz
semodule-utils-3.1.tar.gz
New:
----
policycoreutils-3.2.tar.gz
selinux-python-3.2.tar.gz
semodule-utils-3.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ policycoreutils.spec ++++++
--- /var/tmp/diff_new_pack.d9kp1E/_old 2021-03-24 16:08:52.703682491 +0100
+++ /var/tmp/diff_new_pack.d9kp1E/_new 2021-03-24 16:08:52.703682491 +0100
@@ -1,7 +1,7 @@
#
# spec file for package policycoreutils
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,27 +17,26 @@
%define libaudit_ver 2.2
-%define libsepol_ver 3.1
-%define libsemanage_ver 3.1
-%define libselinux_ver 3.1
+%define libsepol_ver 3.2
+%define libsemanage_ver 3.2
+%define libselinux_ver 3.2
%define setools_ver 4.1.1
-%define tstamp 20200710
Name: policycoreutils
-Version: 3.1
+Version: 3.2
Release: 0
Summary: SELinux policy core utilities
License: GPL-2.0-or-later
Group: Productivity/Security
URL: https://github.com/SELinuxProject/selinux
-Source0:
https://github.com/SELinuxProject/selinux/releases/download/%{tstamp}/%{name}-%{version}.tar.gz
-Source1:
https://github.com/SELinuxProject/selinux/releases/download/%{tstamp}/selinux-python-%{version}.tar.gz
+Source0:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Source1:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-python-%{version}.tar.gz
Source2: system-config-selinux.png
Source3: system-config-selinux.desktop
Source4: system-config-selinux.pam
Source5: system-config-selinux.console
Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
-Source8:
https://github.com/SELinuxProject/selinux/releases/download/%{tstamp}/semodule-utils-%{version}.tar.gz
+Source8:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/semodule-utils-%{version}.tar.gz
Source9: newrole.pam
Patch0: make_targets.patch
Patch1: run_init_use_pam_keyinit.patch
@@ -64,7 +63,7 @@
BuildRequires: update-desktop-files
BuildRequires: xmlto
Requires: gawk
-Requires: libsepol1 >= %{libsepol_ver}
+Requires: libsepol2 >= %{libsepol_ver}
Requires: rpm
Requires: selinux-tools
Requires: util-linux
@@ -90,7 +89,7 @@
Requires: checkpolicy
Requires: python3-audit >= %{libaudit_ver}
Requires: python3-selinux
-Requires: python3-semanage
+Requires: python3-semanage >= %{libsepol_ver}
Requires: python3-setools >= %{setools_ver}
Requires: python3-setuptools
Provides: policycoreutils-python = %{version}-%{release}
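Review bot: The new constraint `+Requires: python3-semanage >= %{libsepol_ver}` pins python3-semanage to the libsepol macro although this spec defines a separate `%define libsemanage_ver 3.2` for exactly that library (see the `@@ -17,27 +17,26 @@` hunk). The two values coincide in this release, so nothing breaks today, but the next time only one of them is bumped the constraint silently drifts from the library it is meant to track. `Requires:       python3-semanage >= %{libsemanage_ver}` keeps each version macro paired with its own library.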
@@ -236,6 +235,7 @@
%{_sbindir}/setsebool
%{_sbindir}/semodule
%{_sbindir}/sestatus
+%{_bindir}/sestatus
%{_sbindir}/run_init
%{_sbindir}/open_init_pty
%{_bindir}/secon
++++++ get_os_version.patch ++++++
--- /var/tmp/diff_new_pack.d9kp1E/_old 2021-03-24 16:08:52.731682520 +0100
+++ /var/tmp/diff_new_pack.d9kp1E/_new 2021-03-24 16:08:52.735682525 +0100
@@ -1,8 +1,8 @@
-Index: policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/__init__.py
+Index: policycoreutils-3.2/selinux-python-3.2/sepolicy/sepolicy/__init__.py
===================================================================
---- policycoreutils-3.1.orig/selinux-python-3.1/sepolicy/sepolicy/__init__.py
-+++ policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/__init__.py
-@@ -1226,7 +1226,8 @@ def get_os_version():
+--- policycoreutils-3.2.orig/selinux-python-3.2/sepolicy/sepolicy/__init__.py
++++ policycoreutils-3.2/selinux-python-3.2/sepolicy/sepolicy/__init__.py
+@@ -1233,7 +1233,8 @@ def get_os_version():
elif os_version[0:2] == "el":
os_version = "RHEL" + os_version[2:]
else:
@@ -12,11 +12,11 @@
return os_version
-Index: policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/manpage.py
+Index: policycoreutils-3.2/selinux-python-3.2/sepolicy/sepolicy/manpage.py
===================================================================
---- policycoreutils-3.1.orig/selinux-python-3.1/sepolicy/sepolicy/manpage.py
-+++ policycoreutils-3.1/selinux-python-3.1/sepolicy/sepolicy/manpage.py
-@@ -192,11 +192,7 @@ class HTMLManPages:
+--- policycoreutils-3.2.orig/selinux-python-3.2/sepolicy/sepolicy/manpage.py
++++ policycoreutils-3.2/selinux-python-3.2/sepolicy/sepolicy/manpage.py
+@@ -194,11 +194,7 @@ class HTMLManPages:
self.old_path = path + "/"
self.new_path = self.old_path + self.os_version + "/"
++++++ policycoreutils-3.1.tar.gz -> policycoreutils-3.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/VERSION
new/policycoreutils-3.2/VERSION
--- old/policycoreutils-3.1/VERSION 2020-07-10 17:17:15.000000000 +0200
+++ new/policycoreutils-3.2/VERSION 2021-03-04 16:42:59.000000000 +0100
@@ -1 +1 @@
-3.1
+3.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/man/man5/selinux_config.5
new/policycoreutils-3.2/man/man5/selinux_config.5
--- old/policycoreutils-3.1/man/man5/selinux_config.5 2020-07-10
17:17:15.000000000 +0200
+++ new/policycoreutils-3.2/man/man5/selinux_config.5 2021-03-04
16:42:59.000000000 +0100
@@ -48,7 +48,7 @@
.IP \fIpermissive\fR 4
SELinux security policy is not enforced but logs the warnings (i.e. the action
is allowed to proceed).
.IP \fIdisabled\fR
-SELinux is disabled and no policy is loaded.
+No SELinux policy is loaded. This option was used to disable SELinux
completely, which is now deprecated. Use the \fBselinux=0\fR kernel boot
option instead (see \fBselinux\fR(8)).
.RE
.sp
The entry can be determined using the \fBsestatus\fR(8) command or
\fBselinux_getenforcemode\fR(3).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/newrole/Makefile
new/policycoreutils-3.2/newrole/Makefile
--- old/policycoreutils-3.1/newrole/Makefile 2020-07-10 17:17:15.000000000
+0200
+++ new/policycoreutils-3.2/newrole/Makefile 2021-03-04 16:42:59.000000000
+0100
@@ -5,8 +5,9 @@
MANDIR ?= $(PREFIX)/share/man
ETCDIR ?= /etc
LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+INCLUDEDIR ?= $(PREFIX)/include
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
# Enable capabilities to permit newrole to generate audit records.
# This will make newrole a setuid root program.
# The capabilities used are: CAP_AUDIT_WRITE.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/scripts/fixfiles
new/policycoreutils-3.2/scripts/fixfiles
--- old/policycoreutils-3.1/scripts/fixfiles 2020-07-10 17:17:15.000000000
+0200
+++ new/policycoreutils-3.2/scripts/fixfiles 2021-03-04 16:42:59.000000000
+0100
@@ -112,6 +112,7 @@
RPMFILES=""
PREFC=""
RESTORE_MODE=""
+BIND_MOUNT_FILESYSTEMS=""
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -243,7 +244,23 @@
if [ -n "${FILESYSTEMSRW}" ]; then
LogReadOnly
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC}
${FILESYSTEMSRW}
+
+ if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC}
${FILESYSTEMSRW}
+ else
+ # we bind mount so we can fix the labels of files that have
already been
+ # mounted over
+ for m in `echo $FILESYSTEMSRW`; do
+ TMP_MOUNT="$(mktemp -d)"
+ test -z ${TMP_MOUNT+x} && echo "Unable to find temporary
directory!" && exit 1
+
+ mkdir -p "${TMP_MOUNT}${m}" || exit 1
+ mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q
${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+ umount "${TMP_MOUNT}${m}" || exit 1
+ rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+ done;
+ fi
else
echo >&2 "fixfiles: No suitable file systems found"
fi
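Review bot: The guard `test -z ${TMP_MOUNT+x}` never fires: `${TMP_MOUNT+x}` expands to `x` whenever the variable is set, and the preceding `TMP_MOUNT="$(mktemp -d)"` always sets it, even when mktemp fails and leaves it empty. With an empty TMP_MOUNT the loop then runs `mkdir -p "${m}"`, `mount --bind "${m}" "${m}"` and `setfiles ... -r "" "${m}"` as root, bind-mounting each filesystem over itself, which is exactly what the check was meant to prevent. Testing the result directly, `test -d "${TMP_MOUNT}" || { echo "Unable to find temporary directory!"; exit 1; }`, makes the failure path actually stop the script. The `umount "${TMP_MOUNT}${m}" || exit 1` line also exits with the bind mount still in place when umount fails; printing the path there would at least tell the operator what to clean up. The enclosing function starts before this hunk.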
@@ -313,6 +330,7 @@
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
# Force full relabel if SELinux is not enabled
selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
@@ -324,7 +342,7 @@
}
usage() {
echo $"""
-Usage: $0 [-v] [-F] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] relabel
or
Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
or
@@ -334,7 +352,7 @@
or
Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or
-Usage: $0 [-F] [-B] onboot
+Usage: $0 [-F] [-M] [-B] onboot
"""
}
@@ -353,7 +371,7 @@
}
# See how we were called.
-while getopts "N:BC:FfR:l:v" i; do
+while getopts "N:BC:FfR:l:vM" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
@@ -379,6 +397,9 @@
echo "Redirecting output to $OPTARG"
exec >>"$OPTARG" 2>&1
;;
+ M)
+ BIND_MOUNT_FILESYSTEMS="-M"
+ ;;
F)
FORCEFLAG="-F"
;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/scripts/fixfiles.8
new/policycoreutils-3.2/scripts/fixfiles.8
--- old/policycoreutils-3.1/scripts/fixfiles.8 2020-07-10 17:17:15.000000000
+0200
+++ new/policycoreutils-3.2/scripts/fixfiles.8 2021-03-04 16:42:59.000000000
+0100
@@ -6,7 +6,7 @@
.na
.B fixfiles
-.I [\-v] [\-F] [\-f] relabel
+.I [\-v] [\-F] [-M] [\-f] relabel
.B fixfiles
.I [\-v] [\-F] { check | restore | verify } dir/file ...
@@ -21,7 +21,7 @@
.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
.B fixfiles
-.I [-F] [-B] onboot
+.I [-F] [-M] [-B] onboot
.ad
@@ -35,8 +35,8 @@
.P
It can also be run at any time to relabel when adding support for
new policy, or just check whether the file contexts are all
-as you expect. By default it will relabel all mounted ext2, ext3, xfs and
-jfs file systems as long as they do not have a security context mount
+as you expect. By default it will relabel all mounted ext2, ext3, ext4, gfs2,
xfs,
+jfs and btrfs file systems as long as they do not have a security context mount
option. You can use the \-R flag to use rpmpackages as an alternative.
The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories
excluded from relabeling.
@@ -69,13 +69,17 @@
"YYYY\-MM\-DD HH:MM" format. Date field will be passed to find \-\-newermt
command.
.TP
+.B \-M
+Bind mount filesystems before relabeling them, this allows fixing the context
of files or directories that have been mounted over.
+
+.TP
.B -v
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of
\-p)
.SH "ARGUMENTS"
One of:
.TP
-.B check
+.B check | verify
print any incorrect file context labels, showing old and new context, but do
not change them.
.TP
.B restore
@@ -84,9 +88,6 @@
.B relabel
Prompt for removal of contents of /tmp directory and then change any incorrect
file context labels to match the install file_contexts file.
.TP
-.B verify
-List out files with incorrect file context labels, but do not change them.
-.TP
.B [[dir/file] ... ]
List of files or directories trees that you wish to check file context on.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/sestatus/Makefile
new/policycoreutils-3.2/sestatus/Makefile
--- old/policycoreutils-3.1/sestatus/Makefile 2020-07-10 17:17:15.000000000
+0200
+++ new/policycoreutils-3.2/sestatus/Makefile 2021-03-04 16:42:59.000000000
+0100
@@ -1,6 +1,7 @@
# Installation directories.
LINGUAS ?= ru
PREFIX ?= /usr
+BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
ETCDIR ?= /etc
@@ -16,8 +17,13 @@
install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
[ -d $(DESTDIR)$(MANDIR)/man5 ] || mkdir -p $(DESTDIR)$(MANDIR)/man5
+ -mkdir -p $(DESTDIR)$(BINDIR)
-mkdir -p $(DESTDIR)$(SBINDIR)
- install -m 755 sestatus $(DESTDIR)$(SBINDIR)
+ # Some tools hard code /usr/sbin/sestatus ; add a compatibility symlink
+ # install will overwrite a symlink, so create the symlink before calling
+ # install to allow distributions with BINDIR == SBINDIR
+ ln -sf --relative $(DESTDIR)$(BINDIR)/sestatus $(DESTDIR)$(SBINDIR)
+ install -m 755 sestatus $(DESTDIR)$(BINDIR)
install -m 644 sestatus.8 $(DESTDIR)$(MANDIR)/man8
install -m 644 sestatus.conf.5 $(DESTDIR)$(MANDIR)/man5
for lang in $(LINGUAS) ; do \
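Review bot: `ln -sf --relative` on the new symlink line relies on the GNU coreutils `--relative` option (coreutils 8.16 or later), so the `install` target now fails on a non-GNU `ln` such as BSD or busybox, while the rest of this Makefile sticks to portable commands. The comment block above it explains the ordering but not this requirement; a line such as `# --relative needs GNU coreutils >= 8.16` tells a packager on another platform why the target breaks. Since the link is created before `sestatus` is copied into BINDIR, a failure of the following `install` line also leaves a dangling `$(SBINDIR)/sestatus`, which is harmless for make but worth stating if the order is deliberate.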
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/setfiles/Makefile
new/policycoreutils-3.2/setfiles/Makefile
--- old/policycoreutils-3.1/setfiles/Makefile 2020-07-10 17:17:15.000000000
+0200
+++ new/policycoreutils-3.2/setfiles/Makefile 2021-03-04 16:42:59.000000000
+0100
@@ -5,8 +5,6 @@
MANDIR = $(PREFIX)/share/man
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S
'{ print $$3 }')
-
CFLAGS ?= -g -Werror -Wall -W
override LDLIBS += -lselinux -lsepol
@@ -26,7 +24,6 @@
man:
@cp -af setfiles.8 setfiles.8.man
- @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/setfiles/restorecon_xattr.c
new/policycoreutils-3.2/setfiles/restorecon_xattr.c
--- old/policycoreutils-3.1/setfiles/restorecon_xattr.c 2020-07-10
17:17:15.000000000 +0200
+++ new/policycoreutils-3.2/setfiles/restorecon_xattr.c 2021-03-04
16:42:59.000000000 +0100
@@ -38,7 +38,7 @@
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL;
+ char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
unsigned char *fc_digest = NULL;
size_t i, fc_digest_len = 0, num_specfiles;
@@ -163,7 +163,16 @@
xattr_flags = delete_digest | delete_all_digests |
ignore_mounts | recurse;
- if (selinux_restorecon_xattr(argv[optind], xattr_flags, &xattr_list)) {
+ pathname = realpath(argv[optind], NULL);
+ if (!pathname) {
+ fprintf(stderr,
+ "restorecon_xattr: realpath(%s) failed: %s\n",
+ argv[optind], strerror(errno));
+ rc = -1;
+ goto out;
+ }
+
+ if (selinux_restorecon_xattr(pathname, xattr_flags, &xattr_list)) {
fprintf(stderr,
"Error selinux_restorecon_xattr: %s\n",
strerror(errno));
@@ -215,6 +224,7 @@
rc = 0;
out:
+ free(pathname);
selabel_close(hnd);
restore_finish();
return rc;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/setfiles/ru/setfiles.8
new/policycoreutils-3.2/setfiles/ru/setfiles.8
--- old/policycoreutils-3.1/setfiles/ru/setfiles.8 2020-07-10
17:17:15.000000000 +0200
+++ new/policycoreutils-3.2/setfiles/ru/setfiles.8 2021-03-04
16:42:59.000000000 +0100
@@ -47,7 +47,7 @@
?????????????????? ???????????????????????????????? ????????????????????
???????????????????????? ?????????????????? ???????????????? ????????????????.
.TP
.B \-d
-????????????????, ?????????? ????????????????????????
?????????????????????????? ?????????????? ???? ???????????? (????
???????????????????? ???????????????? ?????????? ??????????????????
???????????? ABORT_ON_ERRORS).
+????????????????, ?????????? ????????????????????????
?????????????????????????? ?????????????? ???? ????????????.
.TP
.BI \-e \ directory
?????????????????? ?????????????? (?????????? ?????????????????? ??????????
???????????? ????????????????, ???????? ???????????????? ????????????????????
???????????????????????? ?????????????????????????????? ????????????????????
??????).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/setfiles/setfiles.8
new/policycoreutils-3.2/setfiles/setfiles.8
--- old/policycoreutils-3.1/setfiles/setfiles.8 2020-07-10 17:17:15.000000000
+0200
+++ new/policycoreutils-3.2/setfiles/setfiles.8 2021-03-04 16:42:59.000000000
+0100
@@ -57,8 +57,7 @@
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
-show what specification matched each file (do not abort validation
-after ABORT_ON_ERRORS errors).
+show what specification matched each file.
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/policycoreutils-3.1/setfiles/setfiles.c
new/policycoreutils-3.2/setfiles/setfiles.c
--- old/policycoreutils-3.1/setfiles/setfiles.c 2020-07-10 17:17:15.000000000
+0200
+++ new/policycoreutils-3.2/setfiles/setfiles.c 2021-03-04 16:42:59.000000000
+0100
@@ -19,18 +19,9 @@
static int null_terminated;
static int request_digest;
static struct restore_opts r_opts;
-static int nerr;
#define STAT_BLOCK_SIZE 1
-/* setfiles will abort its operation after reaching the
- * following number of errors (e.g. invalid contexts),
- * unless it is used in "debug" mode (-d option).
- */
-#ifndef ABORT_ON_ERRORS
-#define ABORT_ON_ERRORS 10
-#endif
-
#define SETFILES "setfiles"
#define RESTORECON "restorecon"
static int iamrestorecon;
@@ -56,15 +47,6 @@
exit(-1);
}
-void inc_err(void)
-{
- nerr++;
- if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
- fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
- exit(-1);
- }
-}
-
void set_rootpath(const char *arg)
{
if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
@@ -97,7 +79,6 @@
*contextp = tmpcon;
} else if (errno != ENOENT) {
rc = -1;
- inc_err();
}
return rc;
@@ -179,8 +160,8 @@
warn_no_match = 0;
request_digest = 0;
policyfile = NULL;
- nerr = 0;
+ r_opts.abort_on_error = 0;
r_opts.progname = strdup(argv[0]);
if (!r_opts.progname) {
fprintf(stderr, "%s: Out of memory!\n", argv[0]);
@@ -193,7 +174,6 @@
* setfiles:
* Recursive descent,
* Does not expand paths via realpath,
- * Aborts on errors during the file tree walk,
* Try to track inode associations for conflict detection,
* Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
* Validates all file contexts at init time.
@@ -201,7 +181,6 @@
iamrestorecon = 0;
r_opts.recurse = SELINUX_RESTORECON_RECURSE;
r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
- r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
/* FTS_PHYSICAL and FTS_NOCHDIR are always set by
selinux_restorecon(3) */
r_opts.xdev = SELINUX_RESTORECON_XDEV;
@@ -225,7 +204,6 @@
iamrestorecon = 1;
r_opts.recurse = 0;
r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
- r_opts.abort_on_error = 0;
r_opts.add_assoc = 0;
r_opts.xdev = 0;
r_opts.ignore_mounts = 0;
@@ -447,9 +425,6 @@
r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
r_opts.selabel_opt_path = altpath;
- if (nerr)
- exit(-1);
-
restore_init(&r_opts);
if (use_input_file) {
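Review bot: Removing `if (nerr) exit(-1);` here, together with the `inc_err()` call dropped from the context-canonicalisation path in the `@@ -97,7 +79,6 @@` hunk, means a context that fails to canonicalise during startup no longer stops setfiles before `restore_init` unless the caller of that `rc = -1` propagates the failure; that caller is outside these hunks, so please confirm it does. Previously setfiles refused to start relabelling after such an error, so a run against a broken file_contexts entry now depends entirely on libselinux honouring `r_opts.abort_on_error`, which this file now sets to 0 for both the setfiles and restorecon modes. If "report and continue" is the intended behaviour it deserves a comment next to `r_opts.abort_on_error = 0;` in the `@@ -179,8 +160,8 @@` hunk, e.g. `/* never abort on labeling errors; report them and continue (replaces ABORT_ON_ERRORS) */`. The enclosing function (main, judging by the argv use) starts before this hunk.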
++++++ selinux-python-3.1.tar.gz -> selinux-python-3.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/VERSION
new/selinux-python-3.2/VERSION
--- old/selinux-python-3.1/VERSION 2020-07-10 17:17:15.000000000 +0200
+++ new/selinux-python-3.2/VERSION 2021-03-04 16:42:59.000000000 +0100
@@ -1 +1 @@
-3.1
+3.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
new/selinux-python-3.2/audit2allow/sepolgen-ifgen-attr-helper.c
--- old/selinux-python-3.1/audit2allow/sepolgen-ifgen-attr-helper.c
2020-07-10 17:17:15.000000000 +0200
+++ new/selinux-python-3.2/audit2allow/sepolgen-ifgen-attr-helper.c
2021-03-04 16:42:59.000000000 +0100
@@ -28,6 +28,7 @@
#include <selinux/selinux.h>
+#include <limits.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/semanage/semanage
new/selinux-python-3.2/semanage/semanage
--- old/selinux-python-3.1/semanage/semanage 2020-07-10 17:17:15.000000000
+0200
+++ new/selinux-python-3.2/semanage/semanage 2021-03-04 16:42:59.000000000
+0100
@@ -23,10 +23,13 @@
#
#
-import traceback
import argparse
+import os
+import re
import seobject
import sys
+import traceback
+
PROGNAME = "policycoreutils"
try:
import gettext
@@ -376,7 +379,7 @@
parser_add_seuser(fcontextParser, "fcontext")
parser_add_type(fcontextParser, "fcontext")
parser_add_range(fcontextParser, "fcontext")
- fcontextParser.add_argument('file_spec', nargs='?', default=None,
help=_('file_spec'))
+ fcontextParser.add_argument('file_spec', nargs='?', default=None,
help=_('Path to be labeled (may be in the form of a Perl compatible regular
expression)'))
fcontextParser.set_defaults(func=handleFcontext)
@@ -797,8 +800,6 @@
exportParser.add_argument('-f', '--output_file', dest='output_file',
action=SetExportFile, help=_('Output file'))
exportParser.set_defaults(func=handleExport)
-import re
-
def mkargv(line):
dquote = "\""
@@ -945,6 +946,13 @@
args = commandParser.parse_args(make_args(sys.argv))
args.func(args)
sys.exit(0)
+ except BrokenPipeError as e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ # Python flushes standard streams on exit; redirect remaining output
+ # to devnull to avoid another BrokenPipeError at shutdown
+ devnull = os.open(os.devnull, os.O_WRONLY)
+ os.dup2(devnull, sys.stdout.fileno())
+ sys.exit(1)
except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/semanage/semanage-fcontext.8
new/selinux-python-3.2/semanage/semanage-fcontext.8
--- old/selinux-python-3.1/semanage/semanage-fcontext.8 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/semanage/semanage-fcontext.8 2021-03-04
16:42:59.000000000 +0100
@@ -11,6 +11,24 @@
from policy sources. semanage fcontext is used to manage the default
file system labeling on an SELinux system. This command maps file paths using
regular expressions to SELinux labels.
+FILE_SPEC may contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
+
+Note, that file context definitions specified using 'semanage fcontext'
+(i.e. local file context modifications stored in file_contexts.local)
+have higher priority than those specified in policy modules.
+This means that whenever a match for given file path is found in
+file_contexts.local, no other file context definitions are considered.
+Entries in file_contexts.local are processed from most recent one to the
oldest,
+with first match being used (as opposed to the most specific match,
+which is used when matching other file context definitions).
+All regular expressions should therefore be as specific as possible,
+to avoid unintentionally impacting other parts of the filesystem.
+
.SH "OPTIONS"
.TP
.I \-h, \-\-help
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/sepolgen/VERSION
new/selinux-python-3.2/sepolgen/VERSION
--- old/selinux-python-3.1/sepolgen/VERSION 2020-07-10 17:17:15.000000000
+0200
+++ new/selinux-python-3.2/sepolgen/VERSION 2021-03-04 16:42:59.000000000
+0100
@@ -1 +1 @@
-3.1
+3.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/sepolgen/src/sepolgen/output.py
new/selinux-python-3.2/sepolgen/src/sepolgen/output.py
--- old/selinux-python-3.1/sepolgen/src/sepolgen/output.py 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/sepolgen/src/sepolgen/output.py 2021-03-04
16:42:59.000000000 +0100
@@ -84,7 +84,7 @@
return ret
# At this point, who cares - just return something
- return cmp(len(a.perms), len(b.perms))
+ return 0
# Compare two interface calls
def ifcall_cmp(a, b):
@@ -100,7 +100,7 @@
else:
return id_set_cmp([a.args[0]], b.src_types)
else:
- if isinstance(b, refpolicy.AVRule):
+ if isinstance(b, refpolicy.AVRule) or isinstance(b,
refpolicy.AVExtRule):
return avrule_cmp(a,b)
else:
return id_set_cmp(a.src_types, [b.args[0]])
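Review bot: The new condition `isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule)` spells out two calls where isinstance already accepts a tuple of types: `if isinstance(b, (refpolicy.AVRule, refpolicy.AVExtRule)):`. That is the idiomatic form and also keeps the line short enough not to wrap. The enclosing comparator starts before this hunk.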
@@ -130,6 +130,7 @@
# we assume is the first argument for interfaces).
rules = []
rules.extend(node.avrules())
+ rules.extend(node.avextrules())
rules.extend(node.interface_calls())
rules.sort(key=util.cmp_to_key(rule_cmp))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/selinux-python-3.1/sepolgen/src/sepolgen/refparser.py
new/selinux-python-3.2/sepolgen/src/sepolgen/refparser.py
--- old/selinux-python-3.1/sepolgen/src/sepolgen/refparser.py 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/sepolgen/src/sepolgen/refparser.py 2021-03-04
16:42:59.000000000 +0100
@@ -433,9 +433,9 @@
def p_ifdef(p):
- '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts
SQUOTE CPAREN optional_semi
- | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts
SQUOTE CPAREN optional_semi
- | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts
SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+ '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements
SQUOTE CPAREN optional_semi
+ | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements
SQUOTE CPAREN optional_semi
+ | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements
SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
'''
x = refpolicy.IfDef(p[4])
if p[1] == 'ifdef':
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/selinux-python-3.1/sepolgen/src/sepolgen/refpolicy.py
new/selinux-python-3.2/sepolgen/src/sepolgen/refpolicy.py
--- old/selinux-python-3.1/sepolgen/src/sepolgen/refpolicy.py 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/sepolgen/src/sepolgen/refpolicy.py 2021-03-04
16:42:59.000000000 +0100
@@ -407,10 +407,9 @@
# print single value without braces
if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
- return compl + str(self.ranges[0][0])
+ return compl + hex(self.ranges[0][0])
- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
- self.ranges)
+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" %
(hex(x[0]), hex(x[1]), ), self.ranges)
return "%s{ %s }" % (compl, " ".join(vals))
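Review bot: The new range formatting `"%s-%s" % (hex(x[0]), hex(x[1]), )` carries a stray trailing comma-and-space in the tuple and reads as a leftover from editing; `%#x` yields the same `0x..` text as `hex()` for integers, so `vals = map(lambda x: "%#x" % x[0] if x[0] == x[1] else "%#x-%#x" % x, self.ranges)` keeps the original one-line shape and the single-value branch becomes `return compl + "%#x" % self.ranges[0][0]`. Both forms produce identical output, so the updated expectations in test_refpolicy.py (`0x2a-0x40`, `0x4d2`) keep covering it. The enclosing method (to_string, judging by the tests) starts before this hunk.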
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/sepolgen/tests/test_access.py
new/selinux-python-3.2/sepolgen/tests/test_access.py
--- old/selinux-python-3.1/sepolgen/tests/test_access.py 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/sepolgen/tests/test_access.py 2021-03-04
16:42:59.000000000 +0100
@@ -171,7 +171,7 @@
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def text_merge_xperm2(self):
"""Test merging AV that does not contain xperms with AV that does"""
@@ -185,7 +185,7 @@
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_diff_op(self):
"""Test merging two AVs that contain xperms with different operation"""
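Review bot: The updated expectation `self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")` in this hunk belongs to the method declared as `def text_merge_xperm2(self):` at the end of the previous hunk, and unittest only collects methods whose names start with `test`, so this assertion never runs and the new hex format is unverified for the "AV without xperms merged with AV with xperms" case. Renaming it to `def test_merge_xperm2(self):` is the fix, after which the body needs to be confirmed to actually pass, since it has not been executed since the typo was introduced. The method starts outside this hunk.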
@@ -203,8 +203,8 @@
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
- self.assertEqual(a.xperms["asdf"].to_string(), "23")
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_same_op(self):
"""Test merging two AVs that contain xperms with same operation"""
@@ -222,7 +222,7 @@
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
class TestUtilFunctions(unittest.TestCase):
def test_is_idparam(self):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/sepolgen/tests/test_refpolicy.py
new/selinux-python-3.2/sepolgen/tests/test_refpolicy.py
--- old/selinux-python-3.1/sepolgen/tests/test_refpolicy.py 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/sepolgen/tests/test_refpolicy.py 2021-03-04
16:42:59.000000000 +0100
@@ -90,17 +90,17 @@
a.complement = True
self.assertEqual(a.to_string(), "")
a.add(1234)
- self.assertEqual(a.to_string(), "~ 1234")
+ self.assertEqual(a.to_string(), "~ 0x4d2")
a.complement = False
- self.assertEqual(a.to_string(), "1234")
+ self.assertEqual(a.to_string(), "0x4d2")
a.add(2345)
- self.assertEqual(a.to_string(), "{ 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
a.complement = True
- self.assertEqual(a.to_string(), "~ { 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
a.add(42,64)
- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
a.complement = False
- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
class TestSecurityContext(unittest.TestCase):
def test_init(self):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/sepolicy/sepolicy/__init__.py
new/selinux-python-3.2/sepolicy/sepolicy/__init__.py
--- old/selinux-python-3.1/sepolicy/sepolicy/__init__.py 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/sepolicy/sepolicy/__init__.py 2021-03-04
16:42:59.000000000 +0100
@@ -178,15 +178,15 @@
return None
policy(policy_file)
-try:
+def init_policy():
policy_file = get_installed_policy()
policy(policy_file)
-except ValueError as e:
- if selinux.is_selinux_enabled() == 1:
- raise e
-
def info(setype, name=None):
+ global _pol
+ if not _pol:
+ init_policy()
+
if setype == TYPE:
q = setools.TypeQuery(_pol)
q.name = name
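Review bot: `global _pol` in `info()` is unnecessary: the function only reads `_pol` and leaves the assignment to `init_policy()`, and a module global can be read without the declaration; the same applies to the copies added in the `@@ -337,6 +337,9 @@` and `@@ -916,6 +919,10 @@` hunks. The three identical `if not _pol: init_policy()` prologues would be better as one `_ensure_policy()` helper, or `init_policy()` could early-return when `_pol` is already loaded so callers simply call it. Note also that the deleted try/except used to swallow the ValueError from loading the policy when SELinux is not enabled; with lazy loading that error now surfaces from the first `info()`/`search()` call on such a system, which looks intended but is a visible behaviour change for callers that never caught it. `info()` continues past the end of this hunk.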
@@ -337,6 +337,9 @@
def search(types, seinfo=None):
+ global _pol
+ if not _pol:
+ init_policy()
if not seinfo:
seinfo = {}
valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION,
ROLE_ALLOW])
@@ -916,6 +919,10 @@
if roles:
return roles
+ global _pol
+ if not _pol:
+ init_policy()
+
q = setools.RoleQuery(_pol)
roles = [str(x) for x in q.results() if str(x) != "object_r"]
return roles
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/sepolicy/sepolicy/manpage.py
new/selinux-python-3.2/sepolicy/sepolicy/manpage.py
--- old/selinux-python-3.1/sepolicy/sepolicy/manpage.py 2020-07-10
17:17:15.000000000 +0200
+++ new/selinux-python-3.2/sepolicy/sepolicy/manpage.py 2021-03-04
16:42:59.000000000 +0100
@@ -39,6 +39,8 @@
equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt",
"libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
equiv_dirs = ["/var"]
+man_date = time.strftime("%y-%m-%d", time.gmtime(
+ int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
modules_dict = None
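Review bot: `int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))` runs at import time, so a SOURCE_DATE_EPOCH that is set but not an integer (an empty string, or a value with a fractional part) raises ValueError and makes `import sepolicy.manpage` fail outright instead of merely producing an odd date. Falling back to the current time for an unparsable value keeps the reproducible-build behaviour for well-formed input and the previous behaviour otherwise. This also assumes `os` is imported at the top of manpage.py, which is outside the hunk; the context lines only show `time` in use.
```python
equiv_dirs = ["/var"]
# Honour SOURCE_DATE_EPOCH (reproducible builds); ignore it when unparsable.
try:
    _man_epoch = int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))
except ValueError:
    _man_epoch = int(time.time())
man_date = time.strftime("%y-%m-%d", time.gmtime(_man_epoch))
```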
@@ -569,7 +571,7 @@
def _typealias(self,typealias):
self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s"
"%(typealias)s" "SELinux Policy %(typealias)s"'
- % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
+ % {'typealias':typealias, 'date': man_date})
self.fd.write(r"""
.SH "NAME"
%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s
processes
@@ -588,7 +590,7 @@
def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s"
"%(domainname)s" "SELinux Policy %(domainname)s"'
- % {'domainname': self.domainname, 'date':
time.strftime("%y-%m-%d")})
+ % {'domainname': self.domainname, 'date': man_date})
self.fd.write(r"""
.SH "NAME"
%(domainname)s_selinux \- Security Enhanced Linux Policy for the
%(domainname)s processes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/selinux-python-3.1/sepolicy/setup.py
new/selinux-python-3.2/sepolicy/setup.py
--- old/selinux-python-3.1/sepolicy/setup.py 2020-07-10 17:17:15.000000000
+0200
+++ new/selinux-python-3.2/sepolicy/setup.py 2021-03-04 16:42:59.000000000
+0100
@@ -6,7 +6,7 @@
setup(
name="sepolicy",
- version="3.1",
+ version="3.2",
description="Python SELinux Policy Analyses bindings",
author="Daniel Walsh",
author_email="[email protected]",
++++++ semodule-utils-3.1.tar.gz -> semodule-utils-3.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/semodule-utils-3.1/VERSION
new/semodule-utils-3.2/VERSION
--- old/semodule-utils-3.1/VERSION 2020-07-10 17:17:15.000000000 +0200
+++ new/semodule-utils-3.2/VERSION 2021-03-04 16:42:59.000000000 +0100
@@ -1 +1 @@
-3.1
+3.2