Hello community, here is the log from the commit of package policycoreutils for openSUSE:Factory checked in at 2017-12-11 18:56:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old) and /work/SRC/openSUSE:Factory/.policycoreutils.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "policycoreutils" Mon Dec 11 18:56:12 2017 rev:42 rq:546989 version:2.6
Changes:
--------
--- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes 2017-06-30 18:43:44.570478466 +0200
+++ /work/SRC/openSUSE:Factory/.policycoreutils.new/policycoreutils.changes 2017-12-11 18:56:16.083233030 +0100
@@ -1,0 +2,31 @@
+Mon Nov 27 14:23:12 UTC 2017 - rbr...@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Fri Nov 24 09:21:51 UTC 2017 - jseg...@suse.com
+
+- Update to policycoreutils version 2.6. Notable changes:
+ * setfiles: reverse the sense of -D option
+ * sandbox: Use dbus-run-session instead of dbus-launch when available
+ * setfiles: Utility to find security.restorecon_last entries
+ * setfiles: Add option to stop setting the digest
+ * hll/pp: Change warning for module name not matching filename to match new behavior
+ * sepolicy: convert to setools4
+ * sandbox: create a new session for sandboxed processes
+ * sandbox: do not try to setup directories without -X or -M
+ * sandbox: do not run xmodmap in a new X session
+ * sandbox: fix file labels on copied files
+ * semanage: Fix semanage fcontext -D
+ * semanage: Default serange to "s0" for port modify
+ * semanage: Use socket.getprotobyname for protocol
+ * semanage: Add auditing of changes in records
+ * Improve compatibility with Python 3
+ * Update sandbox types in sandbox manual
+ * hll/pp: Warn if module name different than output filename
+- Update to sepolgen version 2.6. Notable changes:
+ * Add support for TYPEBOUNDS statement in INTERFACE policy files
+- Dropped CVE-2016-7545_sandbox_escape.patch
+
+-------------------------------------------------------------------
Old:
----
CVE-2016-7545_sandbox_escape.patch policycoreutils-2.5.tar.gz sepolgen-1.2.3.tar.gz
New:
----
policycoreutils-2.6.tar.gz sepolgen-2.6.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ policycoreutils.spec ++++++
--- /var/tmp/diff_new_pack.b1vKfS/_old 2017-12-11 18:56:16.951191689 +0100
+++ /var/tmp/diff_new_pack.b1vKfS/_new 2017-12-11 18:56:16.955191499 +0100
@@ -16,20 +16,25 @@
 #
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir /var/adm/fillup-templates
+%endif
+
 %define libaudit_ver 2.2
-%define libsepol_ver 2.5
-%define libsemanage_ver 2.5
-%define libselinux_ver 2.5
-%define sepolgen_ver 1.2.3
+%define libsepol_ver 2.6
+%define libsemanage_ver 2.6
+%define libselinux_ver 2.6
+%define sepolgen_ver 2.6
 Name: policycoreutils
-Version: 2.5
+Version: 2.6
 Release: 0
 Summary: SELinux policy core utilities
 License: GPL-2.0+
 Group: Productivity/Security
 Url: https://github.com/SELinuxProject/selinux
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
-Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/sepolgen-%{sepolgen_ver}.tar.gz
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/%{name}-%{version}.tar.gz
+Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/sepolgen-%{sepolgen_ver}.tar.gz
 Source2: system-config-selinux.png
 Source3: system-config-selinux.desktop
 Source4: system-config-selinux.pam
@@ -40,7 +45,6 @@
 Patch4: policycoreutils-initscript.patch
 Patch5: policycoreutils-pam-common.patch
 Patch10: loadpolicy_path.patch
-Patch11: CVE-2016-7545_sandbox_escape.patch
 BuildRequires: audit-devel >= %{libaudit_ver}
 BuildRequires: dbus-1-glib-devel
 BuildRequires: fdupes
@@ -141,7 +145,6 @@
 %patch4
 %patch5
 %patch10 -p1
-%patch11 -p1
 %build
 export SUSE_ASNEEDED=0
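Review bot: Removing `Patch11: CVE-2016-7545_sandbox_escape.patch` in the `@@ -40,7 +45,6 @@` hunk (and `%patch11 -p1` in `@@ -141,7 +145,6 @@`) is not explained anywhere in the spec, and the .changes entry only records that the patch was dropped. The upstream item "sandbox: create a new session for sandboxed processes" in the same changelog is presumably the upstream form of that fix, but the link should be written down rather than left to inference, e.g. `- Dropped CVE-2016-7545_sandbox_escape.patch: fixed upstream in 2.6`, so the CVE stays traceable in the package history. Before accepting, it is worth confirming against the 2.6 tarball that the new-session behaviour the patch provided is actually present, rather than dropping the patch only because it no longer applies.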
@@ -176,8 +179,8 @@
 rm -f %{buildroot}%{_mandir}/ru/man8/genhomedircon.8.gz
 ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
 ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
-mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates/
-mv %{buildroot}/%{_sysconfdir}/sysconfig/sandbox %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.sandbox
+mkdir -p %{buildroot}%{_fillupdir}/
+mv %{buildroot}/%{_sysconfdir}/sysconfig/sandbox %{buildroot}%{_fillupdir}/sysconfig.sandbox
 rmdir %{buildroot}/%{_sysconfdir}/sysconfig
 %suse_update_desktop_file -i system-config-selinux System Security Settings
 %suse_update_desktop_file -i sepolicy System Security Settings
@@ -234,6 +237,7 @@
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
+/sbin/restorecon_xattr
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/restorecond
@@ -268,6 +272,7 @@
 %dir %{_mandir}/ru
 %dir %{_mandir}/ru/man1
 %dir %{_mandir}/ru/man8
+%{_mandir}/man8/restorecon_xattr.8*
 %{_mandir}/man5/selinux_config.5*
 %{_mandir}/man5/sestatus.conf.5*
 %{_mandir}/man8/semodule_unpackage.8*
@@ -318,9 +323,8 @@
 %{_bindir}/sepolgen-ifgen-attr-helper
 %{python_sitearch}/seobject.py*
 %{python_sitearch}/sepolgen
-%{python_sitearch}/sepolicy
-%{python_sitearch}/sepolicy*.egg-info
-#%{python_sitearch}/%{name}*.egg-info
+/usr/lib*/python2.7/site-packages/sepolicy
+/usr/lib*/python2.7/site-packages/sepolicy*.egg-info
 %dir %{_localstatedir}/lib/sepolgen
 %dir %{_localstatedir}/lib/selinux
 %{_localstatedir}/lib/sepolgen/perm_map
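Review bot: The `@@ -318,9 +323,8 @@` hunk replaces `%{python_sitearch}/sepolicy` with a hard-coded `/usr/lib*/python2.7/site-packages/sepolicy`, which pins the interpreter version into the file list and globs over both `lib` and `lib64`; the next Python bump will either fail the build or silently package the wrong directory. Presumably 2.6 now installs sepolicy as pure Python into the noarch site directory, in which case the macro form does the same thing without the pin: `%{python_sitelib}/sepolicy` and `%{python_sitelib}/sepolicy*.egg-info`. If the glob was needed because the install location is genuinely inconsistent, a one-line comment above it saying so would stop the next maintainer from "fixing" it back.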
@@ -345,7 +349,7 @@
 %dir %{_datadir}/sandbox
 %{_datadir}/sandbox/sandboxX.sh
 %{_datadir}/sandbox/start
-%{_localstatedir}/adm/fillup-templates/sysconfig.sandbox
+%{_fillupdir}/sysconfig.sandbox
 %{_mandir}/man8/seunshare.8*
 %files newrole
++++++ policycoreutils-2.5.tar.gz -> policycoreutils-2.6.tar.gz ++++++
++++ 87444 lines of diff (skipped)
++++++ sepolgen-1.2.3.tar.gz -> sepolgen-2.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/ChangeLog new/sepolgen-2.6/ChangeLog
--- old/sepolgen-1.2.3/ChangeLog 2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/ChangeLog 2016-10-14 17:31:26.000000000 +0200
@@ -1,3 +1,7 @@
+2.6 2016-10-14
+ * Remove additional files when cleaning, from Nicolas Iooss.
+ * Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
+
 1.2.3 2016-02-23
 * Support latest refpolicy interfaces, from Nicolas Iooss.
 * Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/VERSION new/sepolgen-2.6/VERSION
--- old/sepolgen-1.2.3/VERSION 2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/VERSION 2016-10-14 17:31:26.000000000 +0200
@@ -1 +1 @@
-1.2.3
+2.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/src/sepolgen/Makefile new/sepolgen-2.6/src/sepolgen/Makefile
--- old/sepolgen-1.2.3/src/sepolgen/Makefile 2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/src/sepolgen/Makefile 2016-10-14 17:31:26.000000000 +0200
@@ -11,5 +11,4 @@
 clean:
 rm -f parser.out parsetab.py
 rm -f *~ *.pyc
-
-
+ rm -rf __pycache__
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/src/sepolgen/refparser.py new/sepolgen-2.6/src/sepolgen/refparser.py
--- old/sepolgen-1.2.3/src/sepolgen/refparser.py 2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/src/sepolgen/refparser.py 2016-10-14 17:31:26.000000000 +0200
@@ -113,6 +113,7 @@
 'AUDITALLOW',
 'NEVERALLOW',
 'PERMISSIVE',
+ 'TYPEBOUNDS',
 'TYPE_TRANSITION',
 'TYPE_CHANGE',
 'TYPE_MEMBER',
@@ -178,6 +179,7 @@
 'auditallow' : 'AUDITALLOW',
 'neverallow' : 'NEVERALLOW',
 'permissive' : 'PERMISSIVE',
+ 'typebounds' : 'TYPEBOUNDS',
 'type_transition' : 'TYPE_TRANSITION',
 'type_change' : 'TYPE_CHANGE',
 'type_member' : 'TYPE_MEMBER',
@@ -502,6 +504,7 @@
 '''policy_stmt : gen_require
 | avrule_def
 | typerule_def
+ | typebound_def
 | typeattribute_def
 | roleattribute_def
 | interface_call
@@ -823,6 +826,13 @@
 t.file_name = p[7]
 p[0] = t
+def p_typebound_def(p):
+ '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
+ t = refpolicy.TypeBound()
+ t.type = p[2]
+ t.tgt_types.update(p[3])
+ p[0] = t
+
 def p_bool(p):
 '''bool : BOOL IDENTIFIER TRUE SEMI
 | BOOL IDENTIFIER FALSE SEMI'''
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/src/sepolgen/refpolicy.py new/sepolgen-2.6/src/sepolgen/refpolicy.py
--- old/sepolgen-1.2.3/src/sepolgen/refpolicy.py 2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/src/sepolgen/refpolicy.py 2016-10-14 17:31:26.000000000 +0200
@@ -112,6 +112,9 @@
 def typerules(self):
 return filter(lambda x: isinstance(x, TypeRule), walktree(self))
+def typebounds(self):
+ return filter(lambda x: isinstance(x, TypeBound), walktree(self))
+
 def typeattributes(self):
 """Iterate over all of the TypeAttribute children of this Interface."""
 return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
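Review bot: In the `@@ -823,6 +826,13 @@` hunk, `p_typebound_def` stores `p[2]` in `t.type` and `p[3]` in `t.tgt_types` without saying which operand of the statement each one is, and the generic attribute names do not tell the reader. In the kernel policy language the first identifier of `typebounds` is the bounding type and the list that follows holds the types bounded by it, which matches the order `to_string()` emits them in, so a one-line comment above the assignments would settle it: `# typebounds <bounding type> <bounded type>[, ...];`. The same gap applies to the `TypeBound` class added to refpolicy.py in the following hunk, whose docstring could name the role of `type` and `tgt_types`.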
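Review bot: The new `typebounds()` accessor in the `@@ -112,6 +112,9 @@` hunk of refpolicy.py has no docstring, while its sibling `typeattributes()` directly below it does; the two are otherwise identical in shape. Mirroring the existing wording keeps the class consistent: `"""Iterate over all of the TypeBound children of this Interface."""`. The enclosing class starts outside the hunk, so I cannot see whether the other accessors above `typerules()` are documented, but matching the nearest documented sibling is the safe default.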
@@ -522,6 +525,19 @@ self.tgt_types.to_space_str(), self.obj_classes.to_space_str(), self.dest_type) +class TypeBound(Leaf): + """SElinux typebound statement. + + This class represents a typebound statement. + """ + def __init__(self, parent=None): + Leaf.__init__(self, parent) + self.type = "" + self.tgt_types = IdSet() + + def to_string(self): + return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str()) + class RoleAllow(Leaf): + def __init__(self, parent=None):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/tests/.gitignore new/sepolgen-2.6/tests/.gitignore
--- old/sepolgen-1.2.3/tests/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/sepolgen-2.6/tests/.gitignore 2016-10-14 17:31:26.000000000 +0200
@@ -0,0 +1,4 @@
+module_compile_test.fc
+module_compile_test.if
+output
+tmp/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/tests/Makefile new/sepolgen-2.6/tests/Makefile
--- old/sepolgen-1.2.3/tests/Makefile 2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/tests/Makefile 2016-10-14 17:31:26.000000000 +0200
@@ -4,8 +4,11 @@
 rm -f *~ *.pyc
 rm -f parser.out parsetab.py
 rm -f out.txt
+ rm -f module_compile_test.fc
+ rm -f module_compile_test.if
 rm -f module_compile_test.pp
 rm -f output
+ rm -rf __pycache__ tmp
 test:
 $(PYTHON) run-tests.py
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.2.3/tests/module_compile_test.te new/sepolgen-2.6/tests/module_compile_test.te
--- old/sepolgen-1.2.3/tests/module_compile_test.te 2016-02-23 17:31:41.000000000 +0100
+++ new/sepolgen-2.6/tests/module_compile_test.te 2016-10-14 17:31:26.000000000 +0200
@@ -1,8 +1,8 @@
-module foo 1.0;
+module module_compile_test 1.0;
 require {
 type foo, bar;
 class file { read write };
 }
-allow foo bar : file { read write };
\ No newline at end of file
+allow foo bar : file { read write };
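Review bot: `TypeBound.to_string()` in the `@@ -522,6 +525,19 @@` hunk joins the targets with `to_comma_str()`, while `TypeRule.to_string()` immediately above it uses `to_space_str()` for its own `tgt_types`; the comma form is what the `comma_list` production in the parser consumes, but with two adjacent classes formatting the same attribute differently a comment is warranted, e.g. `# typebounds takes a comma-separated list, unlike the space-separated sets used by TypeRule`. The class docstring also misspells "SElinux" and says the same thing twice; `"""SELinux typebounds statement (the policy keyword is plural)."""` would be shorter and more accurate. Finally, none of the test files touched in this commit (tests/Makefile, tests/.gitignore, module_compile_test.te are cleanup and renames only) exercise the new statement, so unless a test exists outside these hunks the round trip parse → `to_string()` for `typebounds` is unverified.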