Hello community,

here is the log from the commit of package policycoreutils for openSUSE:Factory 
checked in at 2017-12-11 18:56:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old)
 and      /work/SRC/openSUSE:Factory/.policycoreutils.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "policycoreutils"

Mon Dec 11 18:56:12 2017 rev:42 rq:546989 version:2.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes  
2017-06-30 18:43:44.570478466 +0200
+++ /work/SRC/openSUSE:Factory/.policycoreutils.new/policycoreutils.changes     
2017-12-11 18:56:16.083233030 +0100
@@ -1,0 +2,31 @@
+Mon Nov 27 14:23:12 UTC 2017 - rbr...@suse.com
+
+- Replace references to /var/adm/fillup-templates with new 
+  %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Fri Nov 24 09:21:51 UTC 2017 - jseg...@suse.com
+
+- Update to policycoreutils version 2.6. Notable changes:
+  * setfiles: reverse the sense of -D option
+  * sandbox: Use dbus-run-session instead of dbus-launch when available
+  * setfiles: Utility to find security.restorecon_last entries
+  * setfiles: Add option to stop setting the digest
+  * hll/pp: Change warning for module name not matching filename to match new 
behavior
+  * sepolicy: convert to setools4
+  * sandbox: create a new session for sandboxed processes
+  * sandbox: do not try to setup directories without -X or -M
+  * sandbox: do not run xmodmap in a new X session
+  * sandbox: fix file labels on copied files
+  * semanage: Fix semanage fcontext -D
+  * semanage: Default serange to "s0" for port modify
+  * semanage: Use socket.getprotobyname for protocol
+  * semanage: Add auditing of changes in records
+  * Improve compatibility with Python 3
+  * Update sandbox types in sandbox manual
+  * hll/pp: Warn if module name different than output filename
+- Update to sepolgen version 2.6. Notable changes:
+  * Add support for TYPEBOUNDS statement in INTERFACE policy files
+- Dropped CVE-2016-7545_sandbox_escape.patch
+
+-------------------------------------------------------------------

Old:
----
  CVE-2016-7545_sandbox_escape.patch
  policycoreutils-2.5.tar.gz
  sepolgen-1.2.3.tar.gz

New:
----
  policycoreutils-2.6.tar.gz
  sepolgen-2.6.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ policycoreutils.spec ++++++
--- /var/tmp/diff_new_pack.b1vKfS/_old  2017-12-11 18:56:16.951191689 +0100
+++ /var/tmp/diff_new_pack.b1vKfS/_new  2017-12-11 18:56:16.955191499 +0100
@@ -16,20 +16,25 @@
 #
 
 
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir /var/adm/fillup-templates
+%endif
+
 %define libaudit_ver     2.2
-%define libsepol_ver     2.5
-%define libsemanage_ver  2.5
-%define libselinux_ver   2.5
-%define sepolgen_ver     1.2.3
+%define libsepol_ver     2.6
+%define libsemanage_ver  2.6
+%define libselinux_ver   2.6
+%define sepolgen_ver     2.6
 Name:           policycoreutils
-Version:        2.5
+Version:        2.6
 Release:        0
 Summary:        SELinux policy core utilities
 License:        GPL-2.0+
 Group:          Productivity/Security
 Url:            https://github.com/SELinuxProject/selinux
-Source:         
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
-Source1:        
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/sepolgen-%{sepolgen_ver}.tar.gz
+Source:         
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/%{name}-%{version}.tar.gz
+Source1:        
https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/sepolgen-%{sepolgen_ver}.tar.gz
 Source2:        system-config-selinux.png
 Source3:        system-config-selinux.desktop
 Source4:        system-config-selinux.pam
@@ -40,7 +45,6 @@
 Patch4:         policycoreutils-initscript.patch
 Patch5:         policycoreutils-pam-common.patch
 Patch10:        loadpolicy_path.patch
-Patch11:        CVE-2016-7545_sandbox_escape.patch
 BuildRequires:  audit-devel >= %{libaudit_ver}
 BuildRequires:  dbus-1-glib-devel
 BuildRequires:  fdupes
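Review bot: Removing `Patch11: CVE-2016-7545_sandbox_escape.patch` here, together with its `%patch11 -p1` application in the `%prep` hunk that follows, is only safe if the 2.6 tarball already carries the fix, and neither the spec nor the changes entry records that. The changelog item "sandbox: create a new session for sandboxed processes" looks like the upstream counterpart, but the tarball diff is skipped on this page, so it cannot be confirmed from here. After checking the sandbox sources in the new tarball, I would state the reason in the .changes entry, e.g. `- Dropped CVE-2016-7545_sandbox_escape.patch (fixed upstream in 2.6)`.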
@@ -141,7 +145,6 @@
 %patch4
 %patch5
 %patch10 -p1
-%patch11 -p1
 
 %build
 export SUSE_ASNEEDED=0
@@ -176,8 +179,8 @@
 rm -f %{buildroot}%{_mandir}/ru/man8/genhomedircon.8.gz
 ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
 ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
-mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates/
-mv %{buildroot}/%{_sysconfdir}/sysconfig/sandbox 
%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.sandbox
+mkdir -p %{buildroot}%{_fillupdir}/
+mv %{buildroot}/%{_sysconfdir}/sysconfig/sandbox 
%{buildroot}%{_fillupdir}/sysconfig.sandbox
 rmdir %{buildroot}/%{_sysconfdir}/sysconfig
 %suse_update_desktop_file -i system-config-selinux System Security Settings
 %suse_update_desktop_file -i sepolicy System Security Settings
@@ -234,6 +237,7 @@
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
+/sbin/restorecon_xattr
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/restorecond
@@ -268,6 +272,7 @@
 %dir %{_mandir}/ru
 %dir %{_mandir}/ru/man1
 %dir %{_mandir}/ru/man8
+%{_mandir}/man8/restorecon_xattr.8*
 %{_mandir}/man5/selinux_config.5*
 %{_mandir}/man5/sestatus.conf.5*
 %{_mandir}/man8/semodule_unpackage.8*
@@ -318,9 +323,8 @@
 %{_bindir}/sepolgen-ifgen-attr-helper
 %{python_sitearch}/seobject.py*
 %{python_sitearch}/sepolgen
-%{python_sitearch}/sepolicy
-%{python_sitearch}/sepolicy*.egg-info
-#%{python_sitearch}/%{name}*.egg-info
+/usr/lib*/python2.7/site-packages/sepolicy
+/usr/lib*/python2.7/site-packages/sepolicy*.egg-info
 %dir %{_localstatedir}/lib/sepolgen
 %dir %{_localstatedir}/lib/selinux
 %{_localstatedir}/lib/sepolgen/perm_map
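Review bot: The two new `%files` entries hard-code `/usr/lib*/python2.7/site-packages/` where the removed lines used `%{python_sitearch}`, so the file list is pinned to one interpreter version and one prefix, and the `lib*` glob matches under both `lib` and `lib64` if both exist in the buildroot. If sepolicy is now installed into the arch-independent directory (the move away from sitearch suggests this, but the page does not show it), `%{python_sitelib}/sepolicy` and `%{python_sitelib}/sepolicy*.egg-info` would express that without naming 2.7. The neighbouring `seobject.py*` and `sepolgen` entries still use `%{python_sitearch}`, so a one-line comment explaining the difference would help the next packager.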
@@ -345,7 +349,7 @@
 %dir %{_datadir}/sandbox
 %{_datadir}/sandbox/sandboxX.sh
 %{_datadir}/sandbox/start
-%{_localstatedir}/adm/fillup-templates/sysconfig.sandbox
+%{_fillupdir}/sysconfig.sandbox
 %{_mandir}/man8/seunshare.8*
 
 %files newrole

++++++ policycoreutils-2.5.tar.gz -> policycoreutils-2.6.tar.gz ++++++
++++ 87444 lines of diff (skipped)

++++++ sepolgen-1.2.3.tar.gz -> sepolgen-2.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/ChangeLog new/sepolgen-2.6/ChangeLog
--- old/sepolgen-1.2.3/ChangeLog        2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/ChangeLog  2016-10-14 17:31:26.000000000 +0200
@@ -1,3 +1,7 @@
+2.6 2016-10-14
+       * Remove additional files when cleaning, from Nicolas Iooss.
+       * Add support for TYPEBOUNDS statement in INTERFACE policy files, from 
Miroslav Grepl.
+
 1.2.3 2016-02-23
        * Support latest refpolicy interfaces, from Nicolas Iooss.
        * Make sepolgen-ifgen output deterministic with Python>=3.3, from 
Nicolas Iooss.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/VERSION new/sepolgen-2.6/VERSION
--- old/sepolgen-1.2.3/VERSION  2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/VERSION    2016-10-14 17:31:26.000000000 +0200
@@ -1 +1 @@
-1.2.3
+2.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/src/sepolgen/Makefile 
new/sepolgen-2.6/src/sepolgen/Makefile
--- old/sepolgen-1.2.3/src/sepolgen/Makefile    2016-02-23 17:31:41.000000000 
+0100
+++ new/sepolgen-2.6/src/sepolgen/Makefile      2016-10-14 17:31:26.000000000 
+0200
@@ -11,5 +11,4 @@
 clean:
        rm -f parser.out parsetab.py
        rm -f *~ *.pyc
-
-
+       rm -rf __pycache__
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/src/sepolgen/refparser.py 
new/sepolgen-2.6/src/sepolgen/refparser.py
--- old/sepolgen-1.2.3/src/sepolgen/refparser.py        2016-02-23 
17:31:41.000000000 +0100
+++ new/sepolgen-2.6/src/sepolgen/refparser.py  2016-10-14 17:31:26.000000000 
+0200
@@ -113,6 +113,7 @@
     'AUDITALLOW',
     'NEVERALLOW',
     'PERMISSIVE',
+    'TYPEBOUNDS',
     'TYPE_TRANSITION',
     'TYPE_CHANGE',
     'TYPE_MEMBER',
@@ -178,6 +179,7 @@
     'auditallow' : 'AUDITALLOW',
     'neverallow' : 'NEVERALLOW',
     'permissive' : 'PERMISSIVE',
+    'typebounds' : 'TYPEBOUNDS',
     'type_transition' : 'TYPE_TRANSITION',
     'type_change' : 'TYPE_CHANGE',
     'type_member' : 'TYPE_MEMBER',
@@ -502,6 +504,7 @@
     '''policy_stmt : gen_require
                    | avrule_def
                    | typerule_def
+                   | typebound_def
                    | typeattribute_def
                    | roleattribute_def
                    | interface_call
@@ -823,6 +826,13 @@
     t.file_name = p[7]
     p[0] = t
 
+def p_typebound_def(p):
+    '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
+    t = refpolicy.TypeBound()
+    t.type = p[2]
+    t.tgt_types.update(p[3])
+    p[0] = t
+
 def p_bool(p):
     '''bool : BOOL IDENTIFIER TRUE SEMI
             | BOOL IDENTIFIER FALSE SEMI'''
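Review bot: `p_typebound_def` does not say which side of the statement lands in which field: `p[2]` is stored in `t.type` and the `comma_list` goes into `t.tgt_types`, a field name borrowed from the rule classes. Because the docstring is the grammar production, the explanation has to be a `#` comment, for example `# typebounds <bounding type> <bounded type>[, ...];` above the assignments. No test for the new production is visible in this diff; parsing a single `typebounds` line in the sepolgen tests would also cover the token, reserved-word and `policy_stmt` additions in the three earlier hunks of this file. The trailing `p_bool` lines are context and the function continues outside the hunk.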
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/src/sepolgen/refpolicy.py 
new/sepolgen-2.6/src/sepolgen/refpolicy.py
--- old/sepolgen-1.2.3/src/sepolgen/refpolicy.py        2016-02-23 
17:31:41.000000000 +0100
+++ new/sepolgen-2.6/src/sepolgen/refpolicy.py  2016-10-14 17:31:26.000000000 
+0200
@@ -112,6 +112,9 @@
     def typerules(self):
         return filter(lambda x: isinstance(x, TypeRule), walktree(self))
 
+    def typebounds(self):
+        return filter(lambda x: isinstance(x, TypeBound), walktree(self))
+
     def typeattributes(self):
         """Iterate over all of the TypeAttribute children of this Interface."""
         return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
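Review bot: The new `typebounds` method has no docstring, while `typeattributes` directly below it has one. Adding `"""Iterate over all of the TypeBound children of this Interface."""` would match that neighbour. The enclosing class starts outside the hunk.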
@@ -522,6 +525,19 @@
                                      self.tgt_types.to_space_str(),
                                      self.obj_classes.to_space_str(),
                                      self.dest_type)
+class TypeBound(Leaf):
+    """SElinux typebound statement.
+
+    This class represents a typebound statement.
+    """
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.type = ""
+        self.tgt_types = IdSet()
+
+    def to_string(self):
+        return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
+
 
 class RoleAllow(Leaf):
     def __init__(self, parent=None):
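Review bot: `class TypeBound(Leaf):` is added on the line directly after the preceding method's return statement, with no blank line separating the two classes; two blank lines before it would match the spacing left before `class RoleAllow`. The docstring says "SElinux typebound statement" while the keyword `to_string` emits is `typebounds`; `"""SELinux typebounds statement: a bounding type and the types it bounds."""` would be consistent with the output and explain the two fields. The preceding `to_string` and the following `RoleAllow.__init__` are cut by the hunk.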
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/tests/.gitignore 
new/sepolgen-2.6/tests/.gitignore
--- old/sepolgen-1.2.3/tests/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/sepolgen-2.6/tests/.gitignore   2016-10-14 17:31:26.000000000 +0200
@@ -0,0 +1,4 @@
+module_compile_test.fc
+module_compile_test.if
+output
+tmp/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/tests/Makefile 
new/sepolgen-2.6/tests/Makefile
--- old/sepolgen-1.2.3/tests/Makefile   2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/tests/Makefile     2016-10-14 17:31:26.000000000 +0200
@@ -4,8 +4,11 @@
        rm -f *~ *.pyc
        rm -f parser.out parsetab.py
        rm -f out.txt
+       rm -f module_compile_test.fc
+       rm -f module_compile_test.if
        rm -f module_compile_test.pp
        rm -f output
+       rm -rf __pycache__ tmp
 
 test:
        $(PYTHON) run-tests.py
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/sepolgen-1.2.3/tests/module_compile_test.te 
new/sepolgen-2.6/tests/module_compile_test.te
--- old/sepolgen-1.2.3/tests/module_compile_test.te     2016-02-23 
17:31:41.000000000 +0100
+++ new/sepolgen-2.6/tests/module_compile_test.te       2016-10-14 
17:31:26.000000000 +0200
@@ -1,8 +1,8 @@
-module foo 1.0;
+module module_compile_test 1.0;
 
 require {
        type foo, bar;
        class file { read write };
 }
 
-allow foo bar : file { read write };
\ No newline at end of file
+allow foo bar : file { read write };


