Hello community,
here is the log from the commit of package policycoreutils for openSUSE:Factory
checked in at Tue Mar 9 16:18:22 CET 2010.
--------
--- policycoreutils/policycoreutils.changes 2009-07-15 13:31:32.000000000 +0200
+++ /mounts/work_src_done/STABLE/policycoreutils/policycoreutils.changes 2010-02-25 16:28:44.000000000 +0100
@@ -1,0 +2,6 @@
+Thu Feb 25 15:28:18 UTC 2010 - prusnak@suse.cz
+
+- updated to 2.0.79
+ * changes too numerous to list
+
+-------------------------------------------------------------------
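Review bot: the changelog entry hides the most user-visible part of this update behind "changes too numerous to list": the spec in this same commit splits policycoreutils into new python, sandbox and newrole subpackages, reworks the gui subpackage, adds a sandbox init script, and moves semanage, audit2allow, audit2why, chcat and newrole out of the base package. Those are the changes someone upgrading from 2.0.62 will actually notice, so list them here and keep the upstream release notes summarised.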
calling whatdependson for head-i586
Old:
----
policycoreutils-2.0.62.tar.bz2
policycoreutils-rhat.patch
sepolgen-1.0.16.tar.bz2
New:
----
policycoreutils-2.0.79.tar.bz2
policycoreutils-rhat.patch.bz2
policycoreutils-setup_py-prefix.patch
sandbox.init
sepolgen-1.0.19.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ policycoreutils.spec ++++++
--- /var/tmp/diff_new_pack.EeVjxU/_old 2010-03-09 16:18:05.000000000 +0100
+++ /var/tmp/diff_new_pack.EeVjxU/_new 2010-03-09 16:18:05.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package policycoreutils (Version 2.0.62)
+# spec file for package policycoreutils (Version 2.0.79)
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,16 +18,16 @@
# norootforbuild
%define libaudit_ver 1.4.2
-%define libsepol_ver 2.0.19
-%define libsemanage_ver 2.0.28
-%define libselinux_ver 2.0.46
-%define sepolgen_ver 1.0.16
+%define libsepol_ver 2.0.41
+%define libsemanage_ver 2.0.43
+%define libselinux_ver 2.0.90
+%define sepolgen_ver 1.0.19
Name: policycoreutils
-Version: 2.0.62
-Release: 2
+Version: 2.0.79
+Release: 1
Url: http://www.nsa.gov/selinux/
-License: GPL v2 or later
+License: GPLv2+
Group: Productivity/Security
Summary: SELinux policy core utilities
Source: %{name}-%{version}.tar.bz2
@@ -39,68 +39,42 @@
Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
-Patch0: policycoreutils-rhat.patch
+Source9: sandbox.init
+Patch0: policycoreutils-rhat.patch.bz2
Patch1: policycoreutils-po.patch.bz2
Patch2: policycoreutils-gui.patch.bz2
Patch3: policycoreutils-sepolgen.patch
Patch4: policycoreutils-initscript.patch
Patch5: policycoreutils-pam-common.patch
+Patch6: policycoreutils-setup_py-prefix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: gettext libcap-devel pam-devel python-devel update-desktop-files
BuildRequires: libsepol-devel-static >= %{libsepol_ver}
BuildRequires: libsemanage-devel >= %{libsemanage_ver}
BuildRequires: libselinux-devel >= %{libselinux_ver}
BuildRequires: audit-devel >= %{libaudit_ver}
+BuildRequires: libcap-ng-devel
+BuildRequires: dbus-1-glib-devel
PreReq: %insserv_prereq %fillup_prereq permissions
Requires: util-linux gawk rpm checkpolicy python-selinux audit-libs-python
%description
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux. The Security-enhanced Linux
+Security-enhanced Linux is a feature of the Linux(R) kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
+improve the security of the Flask operating system. These
+architectural components provide general support for the enforcement
+of many kinds of mandatory access control policies, including those
+based on the concepts of Type Enforcement(R), Role-based Access
+Control, and Multi-level Security.
policycoreutils contains the policy core utilities that are required
for basic operation of a SELinux system. These utilities include
-load_policy to load policies, setfiles to label filesystems, newrole to
-switch roles, and run_init to run /etc/init.d scripts in the proper
+load_policy to load policies, setfiles to label filesystems, newrole
+to switch roles, and run_init to run /etc/init.d scripts in the proper
context.
-
-
-%package gui
-License: GPL v2 or later
-Summary: SELinux policy core utilities
-Group: Productivity/Security
-Requires: policycoreutils = %{version}-%{release}
-Requires: python python-gnome python-gtk
-# Requires: usermode-gtk
-Requires: setools-console
-
-%description gui
-Security-enhanced Linux is a feature of the Linux(R) kernel and a
-number of utilities with enhanced security functionality designed to
-add mandatory access controls to Linux. The Security-enhanced Linux
-kernel contains new architectural components originally developed to
-improve the security of the Flask operating system. These architectural
-components provide general support for the enforcement of many kinds of
-mandatory access control policies, including those based on the
-concepts of Type Enforcement(R), Role-based Access Control, and
-Multi-level Security.
-
-policycoreutils contains the policy core utilities that are required
-for basic operation of a SELinux system. These utilities include
-load_policy to load policies, setfiles to label filesystems, newrole to
-switch roles, and run_init to run /etc/init.d scripts in the proper
-context.
-
-
-
%prep
%setup -q -a 1
%patch0 -p1
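Review bot: the base package's Requires line (unchanged context: `Requires: util-linux gawk rpm checkpolicy python-selinux audit-libs-python`) still pulls in python-selinux and audit-libs-python, but with this hunk seobject.py and the python tools leave the base package and the new -python subpackage declares those dependencies itself; drop them from the base package so a minimal SELinux install no longer drags in python. Changing Patch0 to a .bz2 is fine with the unchanged `%patch0 -p1`, since rpm decompresses it the same way it already does for Patch1 and Patch2.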
@@ -109,120 +83,254 @@
%patch3 -p1
%patch4
%patch5
+%patch6
sleep 1
touch po/policycoreutils.pot
sleep 1
%build
-make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
-make -C sepolgen-%{sepolgen_ver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="$RPM_OPT_FLAGS -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
+export SUSE_ASNEEDED=0
+make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
+make -C sepolgen-%{sepolgen_ver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
%install
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/init.d
-mkdir -p $RPM_BUILD_ROOT/var/lib/selinux
-mkdir -p $RPM_BUILD_ROOT%{_bindir}
-mkdir -p $RPM_BUILD_ROOT%{_sbindir}
-mkdir -p $RPM_BUILD_ROOT/sbin
-mkdir -p $RPM_BUILD_ROOT%{_mandir}/man{1,8}
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
-#mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/security/console.apps
-make LSPP_PRIV=y DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" INITDIR="$RPM_BUILD_ROOT%{_sysconfdir}/init.d" install
-make -C sepolgen-%{sepolgen_ver} DESTDIR="$RPM_BUILD_ROOT" LIBDIR="$RPM_BUILD_ROOT%{_libdir}" install
-install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/pixmaps/system-config-selinux.png
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/system-config-selinux
-install -m 644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/selinux-polgengui
-# install -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/security/console.apps/system-config-selinux
-# install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{_sysconfdir}/security/console.apps/selinux-polgengui
-tar -jxf %{SOURCE8} -C $RPM_BUILD_ROOT/
-ln -sf consolehelper $RPM_BUILD_ROOT%{_bindir}/system-config-selinux
-ln -sf consolehelper $RPM_BUILD_ROOT%{_bindir}/selinux-polgengui
-ln -sf ../../etc/init.d/restorecond $RPM_BUILD_ROOT%{_sbindir}/rcrestorecond
+mkdir -p %{buildroot}/var/lib/selinux
+mkdir -p %{buildroot}%{_bindir}
+mkdir -p %{buildroot}%{_sbindir}
+mkdir -p %{buildroot}/sbin
+mkdir -p %{buildroot}%{_mandir}/man1
+mkdir -p %{buildroot}%{_mandir}/man8
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d
+mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
+install -D -m 0755 %{SOURCE9} %{buildroot}/%{_initddir}/sandbox
+make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" INITDIR="%{buildroot}%{_initddir}" install
+make -C sepolgen-%{sepolgen_ver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
+install -D -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps/system-config-selinux.png
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
+install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
+install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/security/console.apps/selinux-polgengui
+tar -jxf %{SOURCE8} -C %{buildroot}/
+rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
+ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
+ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
+ln -sf %{_initddir}/restorecond %{buildroot}%{_sbindir}/rcrestorecond
+ln -sf %{_initddir}/sandbox %{buildroot}%{_sbindir}/rcsandbox
%suse_update_desktop_file -i system-config-selinux System Security Settings
%suse_update_desktop_file -i selinux-polgengui System Security Settings
%find_lang %{name}
-%clean
-rm -rf $RPM_BUILD_ROOT
+%package python
+License: GPLv2+
+Summary: SELinux policy core python utilities
+Group: Productivity/Security
+Requires: policycoreutils = %{version}
+Requires: python-semanage >= %{libsemanage_ver}
+Requires: python-selinux >= %{libselinux_ver}
+Requires: audit-libs-python >= %{libaudit_ver}
+Requires: python-setools
-%preun
+%description python
+The policycoreutils-python package contains the management tools use to manage an SELinux environment.
+
+%files python
+%defattr(-,root,root,-)
+%{_sbindir}/semanage
+%{_bindir}/audit2allow
+%{_bindir}/audit2why
+%{_bindir}/chcat
+%{_bindir}/sandbox
+%{_bindir}/sepolgen-ifgen
+%{python_sitearch}/seobject.py*
+%{python_sitearch}/sepolgen
+%{python_sitearch}/%{name}
+%{python_sitearch}/%{name}*.egg-info
+%dir /var/lib/sepolgen
+%dir /var/lib/selinux
+/var/lib/sepolgen/perm_map
+%{_mandir}/man1/audit2allow.1*
+%{_mandir}/ru/man1/audit2allow.1*
+%{_mandir}/man1/audit2why.1*
+%{_mandir}/man8/chcat.8*
+%{_mandir}/ru/man8/chcat.8*
+%{_mandir}/man8/sandbox.8*
+%{_mandir}/man8/semanage.8*
+%{_mandir}/ru/man8/semanage.8*
+
+%post python
+[ -f %{_datadir}/selinux/devel/include/build.conf ] && %{_bindir}/sepolgen-ifgen > /dev/null
+exit 0
+
+%package sandbox
+License: GPLv2+
+Summary: SELinux sandbox utilities
+Group: System Environment/Base
+Requires: policycoreutils-python = %{version}
+# Requires: xorg-x11-server-Xephyr
+# Requires: matchbox-window-manager
+
+%description sandbox
+The sandbox package contains the scripts to create graphical sandboxes
+
+%files sandbox
+%defattr(-,root,root,-)
+%{_initddir}/sandbox
+%{_sbindir}/rcsandbox
+%attr(0755,root,root) %{_sbindir}/seunshare
+%dir %{_datadir}/sandbox
+%{_datadir}/sandbox/sandboxX.sh
+
+%post sandbox
+%fillup_and_insserv sandbox
+
+%preun sandbox
if [ "$1" -eq "0" ]; then
- %stop_on_removal restorecond
+ %stop_on_removal sandbox
%insserv_cleanup
fi
-%post
-%run_permissions
-%fillup_and_insserv restorecond
-[ -f %{_datadir}/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen > /dev/null
-exit 0
-
-%postun
+%postun sandbox
if [ "$1" -ge "1" ]; then
- %restart_on_update rsyncd
+ %restart_on_update sandbox
%insserv_cleanup
fi
+
+%package newrole
+License: GPLv2+
+Summary: The newrole application for RBAC/MLS
+Group: Producitvity/Security
+Requires: policycoreutils = %{version}
+
+%description newrole
+RBAC/MLS policy machines require newrole as a way of changing the role
+or level of a logged in user.
+
+%files newrole
+%defattr(-,root,root)
+%verify(not mode) %attr(0755,root,root) %{_bindir}/newrole
+%{_mandir}/man1/newrole.1.gz
+
+%post newrole
+%run_permissions
+
%verifyscript
%verify_permissions -e %{_bindir}/newrole
+%package gui
+License: GPLv2+
+Summary: SELinux configuration GUI
+Group: Producitvity/Security
+Requires: policycoreutils-python = %{version}
+Requires: python-gnome
+Requires: python-gtk
+# Requires: gnome-python2-canvas
+Requires: usermode-gtk
+Requires: setools-console
+Requires: selinux-policy
+Requires: python
+
+%description gui
+system-config-selinux is a utility for managing the SELinux environment
+
+%files gui
+%defattr(-,root,root)
+%{_bindir}/system-config-selinux
+%{_bindir}/selinux-polgengui
+%{_bindir}/sepolgen
+%dir %{_datadir}/system-config-selinux
+%dir %{_datadir}/system-config-selinux/templates
+%{_datadir}/system-config-selinux/*.py*
+%{_datadir}/system-config-selinux/selinux.tbl
+%{_datadir}/system-config-selinux/*.glade
+%{_datadir}/system-config-selinux/templates/*.py*
+%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
+%config(noreplace) %{_sysconfdir}/pam.d/selinux-polgengui
+%dir %{_sysconfdir}/security/console.apps
+%config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux
+%config(noreplace) %{_sysconfdir}/security/console.apps/selinux-polgengui
+%{_datadir}/applications/selinux-polgengui.desktop
+%{_datadir}/applications/system-config-selinux.desktop
+%{_datadir}/pixmaps/system-config-selinux.png
+
+%clean
+rm -rf %{buildroot}
+
%files -f %{name}.lang
%defattr(-,root,root)
/sbin/restorecon
/sbin/fixfiles
/sbin/setfiles
+/sbin/load_policy
%{_sbindir}/genhomedircon
+%{_sbindir}/load_policy
%{_sbindir}/restorecond
%{_sbindir}/setsebool
%{_sbindir}/semodule
-%{_sbindir}/semanage
-%{_sbindir}/load_policy
%{_sbindir}/sestatus
%{_sbindir}/run_init
%{_sbindir}/open_init_pty
-%{_bindir}/sepolgen-ifgen
-%{_bindir}/audit2allow
-%{_bindir}/audit2why
-%{_bindir}/chcat
%{_bindir}/secon
%{_bindir}/semodule_deps
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
%{_bindir}/semodule_package
-%verify(not mode) %attr(0755,root,root) %{_bindir}/newrole
-%{_mandir}/man1/*
-%{_mandir}/man8/*
-%dir %{_mandir}/ru
-%dir %{_mandir}/ru/man1
-%dir %{_mandir}/ru/man8
-%{_mandir}/ru/man1/*
-%{_mandir}/ru/man8/*
%config(noreplace) %{_sysconfdir}/pam.d/newrole
%config(noreplace) %{_sysconfdir}/pam.d/run_init
%config(noreplace) %{_sysconfdir}/sestatus.conf
-%{py_sitedir}/seobject.py*
-%attr(755,root,root) %{_sysconfdir}/init.d/restorecond
+%attr(755,root,root) %{_initddir}/restorecond
%{_sbindir}/rcrestorecond
-%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf
-%dir %{py_sitedir}/sepolgen
-%{py_sitedir}/sepolgen/*
-%dir /var/lib/sepolgen
-%dir /var/lib/selinux
-/var/lib/sepolgen/perm_map
+%config(noreplace) /etc/selinux/restorecond.conf
+%config(noreplace) /etc/selinux/restorecond_user.conf
+%{_sysconfdir}/xdg/autostart/restorecond.desktop
+%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
+# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
+%dir %{_mandir}/ru
+%dir %{_mandir}/ru/man1
+%dir %{_mandir}/ru/man8
+%{_mandir}/man8/fixfiles.8*
+%{_mandir}/ru/man8/fixfiles.8*
+%{_mandir}/man8/load_policy.8*
+%{_mandir}/ru/man8/load_policy.8*
+%{_mandir}/man8/open_init_pty.8*
+%{_mandir}/ru/man8/open_init_pty.8*
+%{_mandir}/man8/restorecon.8*
+%{_mandir}/ru/man8/restorecon.8*
+%{_mandir}/man8/restorecond.8*
+%{_mandir}/ru/man8/restorecond.8*
+%{_mandir}/man8/run_init.8*
+%{_mandir}/ru/man8/run_init.8*
+%{_mandir}/man8/semodule.8*
+%{_mandir}/ru/man8/semodule.8*
+%{_mandir}/man8/semodule_deps.8*
+%{_mandir}/ru/man8/semodule_deps.8*
+%{_mandir}/man8/semodule_expand.8*
+%{_mandir}/ru/man8/semodule_expand.8*
+%{_mandir}/man8/semodule_link.8*
+%{_mandir}/ru/man8/semodule_link.8*
+%{_mandir}/man8/semodule_package.8*
+%{_mandir}/ru/man8/semodule_package.8*
+%{_mandir}/man8/sestatus.8*
+%{_mandir}/ru/man8/sestatus.8*
+%{_mandir}/man8/setfiles.8*
+%{_mandir}/ru/man8/setfiles.8*
+%{_mandir}/man8/setsebool.8*
+%{_mandir}/ru/man8/setsebool.8*
+%{_mandir}/man1/secon.1*
+%{_mandir}/ru/man1/secon.1*
-%files gui
-%defattr(-,root,root)
-%{_bindir}/system-config-selinux
-%{_bindir}/selinux-polgengui
-%{_datadir}/applications/*.desktop
-%{_datadir}/pixmaps/*
-%dir %{_datadir}/system-config-selinux
-%dir %{_datadir}/system-config-selinux/templates
-%{_datadir}/system-config-selinux/*.py*
-%{_datadir}/system-config-selinux/selinux.tbl
-%{_datadir}/system-config-selinux/*.glade
-%{_datadir}/system-config-selinux/templates/*.py*
-%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
-%config(noreplace) %{_sysconfdir}/pam.d/selinux-polgengui
-# %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux
-# %config(noreplace) %{_sysconfdir}/security/console.apps/selinux-polgengui
+%post
+%fillup_and_insserv restorecond
+
+%preun
+if [ "$1" -eq "0" ]; then
+ %stop_on_removal restorecond
+ %insserv_cleanup
+fi
+
+%postun
+if [ "$1" -ge "1" ]; then
+ %restart_on_update restorecond
+ %insserv_cleanup
+fi
%changelog
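Review bot: `%verifyscript` with `%verify_permissions -e %{_bindir}/newrole` stays attached to the main package although newrole now lives in the newrole subpackage (the matching `%run_permissions` was correctly moved to `%post newrole`); make it `%verifyscript newrole`, otherwise the verify step runs against a file the main package no longer owns and the newrole package gets none. Smaller points in the same hunk: `Group: Producitvity/Security` (newrole and gui) is misspelled, and the sandbox subpackage uses Fedora's `Group: System Environment/Base` rather than the Productivity/Security group used everywhere else; `%description python` should read "tools used to manage"; the restorecond config files are listed with a literal /etc while the rest of the hunk uses %{_sysconfdir}. The old `%postun` restarted `rsyncd`, a copy-paste error; the new `%postun` and `%postun sandbox` restart the services this package actually ships, which is the right fix.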
++++++ policycoreutils-2.0.62.tar.bz2 -> policycoreutils-2.0.79.tar.bz2 ++++++
++++ 282258 lines of diff (skipped)
++++++ policycoreutils-gui.patch.bz2 ++++++
++++ 1961 lines (skipped)
++++ between policycoreutils/policycoreutils-gui.patch.bz2
++++ and /mounts/work_src_done/STABLE/policycoreutils/policycoreutils-gui.patch.bz2
++++++ policycoreutils-initscript.patch ++++++
--- /var/tmp/diff_new_pack.EeVjxU/_old 2010-03-09 16:18:06.000000000 +0100
+++ /var/tmp/diff_new_pack.EeVjxU/_new 2010-03-09 16:18:06.000000000 +0100
@@ -1,4 +1,6 @@
---- restorecond/restorecond.init
+Index: restorecond/restorecond.init
+===================================================================
+--- restorecond/restorecond.init.orig
+++ restorecond/restorecond.init
@@ -1,14 +1,23 @@
#!/bin/sh
@@ -116,48 +118,29 @@
{
stop
start
-@@ -65,26 +93,27 @@
-
- # See how we were called.
- case "$1" in
-- start)
-- start
-+ start)
-+ start
-+ ;;
-+ stop)
-+ stop
+@@ -72,18 +100,20 @@ case "$1" in
+ stop
;;
-- stop)
-- stop
-+ status)
+ status)
+- status restorecond
+- RETVAL=$?
+ echo -n $"Checking for restorecond: "
+ checkproc -p $LOCK_FILE $PROG_BIN
+ rc_status -v
-+ ;;
-+ restart|reload)
-+ restart
-+ ;;
-+ condrestart)
-+ [ -e $LOCK_FILE ] && restart || :
- ;;
-- status)
-- status restorecond
-- RETVAL=$?
-- ;;
-- restart|reload)
-- restart
-- ;;
-- condrestart)
+ ;;
+ force-reload|restart|reload)
+ restart
+ ;;
+ condrestart)
- [ -e /var/lock/subsys/restorecond ] && restart || :
-- ;;
++ [ -e $LOCK_FILE ] && restart || :
+ ;;
*)
- echo $"Usage: $0 {start|stop|restart|reload|condrestart}"
+ echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
- RETVAL=3
+ rc_failed 3
+ rc_status -v
esac
-exit $RETVAL
--
+rc_exit
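Review bot: in the new status branch, `checkproc -p $LOCK_FILE $PROG_BIN` passes `-p`, which checkproc expects to name a pidfile, yet the same variable is the existence-checked lock in `[ -e $LOCK_FILE ] && restart || :` for condrestart; confirm that LOCK_FILE (defined in the part of this file the diff does not show) is the pidfile restorecond writes, otherwise status will report the daemon as not running whenever the file is only a lock. The new usage line `{start|stop|restart|force-reload|status|condrestart}` also omits `reload`, which the `force-reload|restart|reload)` case still accepts.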
++++++ policycoreutils-po.patch.bz2 ++++++
++++ 447416 lines (skipped)
++++ between policycoreutils/policycoreutils-po.patch.bz2
++++ and /mounts/work_src_done/STABLE/policycoreutils/policycoreutils-po.patch.bz2
++++++ policycoreutils-rhat.patch.bz2 ++++++
++++ 5361 lines (skipped)
++++ between policycoreutils/policycoreutils-rhat.patch
++++ and /mounts/work_src_done/STABLE/policycoreutils/policycoreutils-rhat.patch.bz2
++++++ policycoreutils-sepolgen.patch ++++++
--- /var/tmp/diff_new_pack.EeVjxU/_old 2010-03-09 16:18:07.000000000 +0100
+++ /var/tmp/diff_new_pack.EeVjxU/_new 2010-03-09 16:18:07.000000000 +0100
@@ -1,19 +1,91 @@
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/access.py
---- nsasepolgen/src/sepolgen/access.py 2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/access.py 2009-04-21 14:54:12.000000000 -0400
-@@ -313,7 +313,7 @@
-
- def __len__(self):
- """Return the unique number of role allow statements."""
-- return len(self.role_type.keys())
-+ return len(self.role_types.keys())
-
- def add(self, role, type):
- if self.role_types.has_key(role):
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/audit.py
---- nsasepolgen/src/sepolgen/audit.py 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/audit.py 2009-04-24 13:19:39.000000000 -0400
-@@ -47,6 +47,17 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:05:49.000000000 -0500
+@@ -32,6 +32,7 @@
+ """
+
+ import refpolicy
++from selinux import audit2why
+
+ def is_idparam(id):
+ """Determine if an id is a paramater in the form $N, where N is
+@@ -85,6 +86,8 @@
+ self.obj_class = None
+ self.perms = refpolicy.IdSet()
+ self.audit_msgs = []
++ self.type = audit2why.TERULE
++ self.bools = []
+
+ # The direction of the information flow represented by this
+ # access vector - used for matching
+@@ -127,7 +130,7 @@
+ return self.to_string()
+
+ def to_string(self):
+- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
++ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
+ self.obj_class, self.perms.to_space_str())
+
+ def __cmp__(self, other):
+@@ -253,20 +256,22 @@
+ for av in l:
+ self.add_av(AccessVector(av))
+
+- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
++ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
+ """Add an access vector to the set.
+ """
+ tgt = self.src.setdefault(src_type, { })
+ cls = tgt.setdefault(tgt_type, { })
+
+- if cls.has_key(obj_class):
+- access = cls[obj_class]
++ if cls.has_key((obj_class, avc_type)):
++ access = cls[obj_class, avc_type]
+ else:
+ access = AccessVector()
+ access.src_type = src_type
+ access.tgt_type = tgt_type
+ access.obj_class = obj_class
+- cls[obj_class] = access
++ access.bools = bools
++ access.type = avc_type
++ cls[obj_class, avc_type] = access
+
+ access.perms.update(perms)
+ if audit_msg:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2010-01-06 09:52:35.000000000 -0500
+@@ -23,6 +23,27 @@
+
+ # Convenience functions
+
++def get_audit_boot_msgs():
++ """Obtain all of the avc and policy load messages from the audit
++ log. This function uses ausearch and requires that the current
++ process have sufficient rights to run ausearch.
++
++ Returns:
++ string contain all of the audit messages returned by ausearch.
++ """
++ import subprocess
++ import time
++ fd=open("/proc/uptime", "r")
++ off=float(fd.read().split()[0])
++ fd.close
++ s = time.localtime(time.time() - off)
++ date = time.strftime("%D/%Y", s).split("/")
++ bootdate="%s/%s/%s" % (date[0], date[1], date[3])
++ boottime = time.strftime("%X", s)
++ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
++ stdout=subprocess.PIPE).communicate()[0]
++ return output
++
+ def get_audit_msgs():
+ """Obtain all of the avc and policy load messages from the audit
+ log. This function uses ausearch and requires that the current
+@@ -47,6 +68,17 @@
stdout=subprocess.PIPE).communicate()[0]
return output
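Review bot: in `get_audit_boot_msgs`, `fd.close` lacks parentheses, so the /proc/uptime handle is never explicitly closed; write `fd.close()` or use a `with` block. The boot-date construction via `time.strftime("%D/%Y", s).split("/")` and `date[0], date[1], date[3]` can simply be `bootdate = time.strftime("%m/%d/%Y", s)`, which is the form ausearch -ts takes. In access.py, `def add(..., bools=[])` uses a mutable default and then stores it with `access.bools = bools`, so every AccessVector created without an explicit list shares one object; use `bools=None` and create a fresh list when it is None. The ausearch subprocess call has no error handling for the case the docstring itself mentions (insufficient rights, or /sbin/ausearch absent); catching OSError and returning an empty string would keep audit2allow usable on such hosts.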
@@ -31,15 +103,230 @@
# Classes representing audit messages
class AuditMessage:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/refparser.py
---- nsasepolgen/src/sepolgen/refparser.py 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/refparser.py 2009-04-21 14:54:12.000000000 -0400
-@@ -919,7 +919,7 @@
+@@ -106,6 +138,9 @@
+ if fields[0] == "path":
+ self.path = fields[1][1:-1]
+ return
++import selinux.audit2why as audit2why
++
++avcdict = {}
+
+ class AVCMessage(AuditMessage):
+ """AVC message representing an access denial or granted message.
+@@ -146,6 +181,8 @@
+ self.path = ""
+ self.accesses = []
+ self.denial = True
++ self.type = audit2why.TERULE
++ self.bools = []
+
+ def __parse_access(self, recs, start):
+ # This is kind of sucky - the access that is in a space separated
+@@ -205,7 +242,31 @@
+
+ if not found_src or not found_tgt or not found_class or not found_access:
+ raise ValueError("AVC message in invalid format [%s]\n" % self.message)
+-
++ self.analyze()
++
++ def analyze(self):
++ tcontext = self.tcontext.to_string()
++ scontext = self.scontext.to_string()
++ access_tuple = tuple( self.accesses)
++ if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
++ self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
++ else:
++ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
++ if self.type == audit2why.NOPOLICY:
++ raise ValueError("Must call policy_init first")
++ if self.type == audit2why.BADTCON:
++ raise ValueError("Invalid Target Context %s\n" % tcontext)
++ if self.type == audit2why.BADSCON:
++ raise ValueError("Invalid Source Context %s\n" % scontext)
++ if self.type == audit2why.BADSCON:
++ raise ValueError("Invalid Type Class %s\n" % self.tclass)
++ if self.type == audit2why.BADPERM:
++ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
++ if self.type == audit2why.BADCOMPUTE:
++ raise ValueError("Error during access vector computation")
++
++ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
++
+ class PolicyLoadMessage(AuditMessage):
+ """Audit message indicating that the policy was reloaded."""
+ def __init__(self, message):
+@@ -285,6 +346,9 @@
+
+ def __initialize(self):
+ self.avc_msgs = []
++ self.constraint_msgs = []
++ self.dontaudit_msgs = []
++ self.rbac_msgs = []
+ self.compute_sid_msgs = []
+ self.invalid_msgs = []
+ self.policy_load_msgs = []
+@@ -314,7 +378,7 @@
+ elif i == "security_compute_sid:":
+ msg = ComputeSidMessage(line)
+ found = True
+- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
++ elif i == "type=MAC_POLICY_LOAD":
+ msg = PolicyLoadMessage(line)
+ found = True
+ elif i == "type=AVC_PATH":
+@@ -442,16 +506,17 @@
+ audit logs parsed by this object.
+ """
+ av_set = access.AccessVectorSet()
++
+ for avc in self.avc_msgs:
+ if avc.denial != True and only_denials:
+ continue
+ if avc_filter:
+ if avc_filter.filter(avc):
+ av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+- avc.accesses, avc)
++ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+ else:
+ av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+- avc.accesses, avc)
++ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+ return av_set
+
+ class AVCTypeFilter:
+@@ -477,5 +542,3 @@
+ if self.regex.match(avc.tcontext.type):
+ return True
+ return False
+-
+-
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500
+@@ -29,6 +29,8 @@
+ import access
+ import interfaces
+ import matching
++import selinux.audit2why as audit2why
++from setools import *
+
+ # Constants for the level of explanation from the generation
+ # routines
+@@ -74,7 +76,7 @@
+ self.moduel = module
+ else:
+ self.module = refpolicy.Module()
+-
++ self.domains = None
+ def set_gen_refpol(self, if_set=None, perm_maps=None):
+ """Set whether reference policy interfaces are generated.
+
+@@ -141,15 +143,42 @@
+ """Return the generated module"""
+ return self.module
+
+- def __add_allow_rules(self, avs):
++ def __add_allow_rules(self, avs, dontaudit):
+ for av in avs:
+- rule = refpolicy.AVRule(av)
++ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
++ rule.comment = ""
+ if self.explain:
+ rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
++ if av.type == audit2why.ALLOW:
++ rule.comment += "#!!!! This avc is allowed in the current policy\n"
++ if av.type == audit2why.DONTAUDIT:
++ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
++ if av.type == audit2why.BOOLEAN:
++ if len(av.bools) > 1:
++ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
++ else:
++ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
++
++ if av.type == audit2why.CONSTRAINT:
++ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
++ if av.type == audit2why.TERULE:
++ if "write" in av.perms:
++ if "dir" in av.obj_class or "open" in av.perms:
++ if not self.domains:
++ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
++ types=[]
++ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
++ if i not in self.domains:
++ types.append(i)
++ if len(types) == 1:
++ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++ elif len(types) >= 1:
++ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++
+ self.module.children.append(rule)
+
+
+- def add_access(self, av_set):
++ def add_access(self, av_set, dontaudit=False):
+ """Add the access from the access vector set to this
+ module.
+ """
+@@ -165,7 +194,7 @@
+ raw_allow = av_set
+
+ # Generate the raw allow rules from the filtered list
+- self.__add_allow_rules(raw_allow)
++ self.__add_allow_rules(raw_allow, dontaudit)
+
+ def add_role_types(self, role_type_set):
+ for role_type in role_type_set:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
+--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
+@@ -973,7 +973,7 @@
def list_headers(root):
modules = []
support_macros = None
- blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
-+ blacklist = ["uml.if", "thunderbird.if"]
++ blacklist = ["uml.if", "thunderbird.if", "unconfined.if"]
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
+--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500
+@@ -398,6 +398,7 @@
+ return "attribute %s;" % self.name
+
+ # Classes representing rules
++import selinux.audit2why as audit2why
+
+ class AVRule(Leaf):
+ """SELinux access vector (AV) rule.
+@@ -420,21 +421,26 @@
+ AUDITALLOW = 2
+ NEVERALLOW = 3
+
+- def __init__(self, av=None, parent=None):
++ def __init__(self, av=None, parent=None, dontaudit=False):
+ Leaf.__init__(self, parent)
+ self.src_types = IdSet()
+ self.tgt_types = IdSet()
+ self.obj_classes = IdSet()
+ self.perms = IdSet()
+- self.rule_type = self.ALLOW
++ if dontaudit:
++ self.rule_type = audit2why.DONTAUDIT
++ else:
++ self.rule_type = audit2why.TERULE
+ if av:
+ self.from_av(av)
+
+ def __rule_type_str(self):
+- if self.rule_type == self.ALLOW:
++ if self.rule_type == audit2why.TERULE:
+ return "allow"
+- elif self.rule_type == self.DONTAUDIT:
++ elif self.rule_type == audit2why.DONTAUDIT:
+ return "dontaudit"
++ elif self.rule_type == audit2why.CONSTRAINT:
++ return "#constraint allow"
+ else:
+ return "auditallow"
+
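Review bot: in `AVCMessage.analyze` the check `if self.type == audit2why.BADSCON` appears twice; the second one, which raises "Invalid Type Class", can never fire because the first already raised, so it presumably meant the audit2why constant for a bad object class. In policygen.py the multi-boolean comment uses `map(lambda x: av.bools[0][0], av.bools)`, which ignores `x` and repeats the first boolean's name for every entry; it should be `x[0]`. In refpolicy.py `AVRule.rule_type` now holds audit2why constants while the class still defines `ALLOW`, `DONTAUDIT`, `AUDITALLOW = 2` and `NEVERALLOW = 3`; any caller still assigning `self.AUDITALLOW` or `self.NEVERALLOW` is now compared against audit2why's numbering in `__rule_type_str`, so either map those class constants to the audit2why values or remove them. `from setools import *` in policygen.py pulls in ALLOW, ATTRIBUTE, TCONTEXT, SCONTEXT, CLASS and PERMS unnamed; import `seinfo`, `sesearch` and those constants explicitly so the dependency on python-setools is visible in the code. The pre-existing `self.moduel = module` typo shown as context in the `__init__` means a passed-in module is never stored; worth fixing while this file is being touched.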
++++++ policycoreutils-setup_py-prefix.patch ++++++
Index: semanage/default_encoding/Makefile
===================================================================
--- semanage/default_encoding/Makefile.orig
+++ semanage/default_encoding/Makefile
@@ -2,7 +2,7 @@ all:
LDFLAGS="" python setup.py build
install: all
- LDFLAGS="" python setup.py install --root=$(DESTDIR)/
+ LDFLAGS="" python setup.py install --prefix=/usr --root=$(DESTDIR)/
clean:
rm -rf build *~
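Review bot: the patch carries no header explaining why `--prefix=/usr` has to be forced for this setup.py install; add a one-line comment (the openSUSE convention is a PATCH-FIX-OPENSUSE tag with the reason) so the next maintainer can tell whether it is still needed when rebasing to a newer policycoreutils.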
++++++ policycoreutils_man_ru2.tar.bz2 ++++++
Files old/usr/share/man/ru/man8/audit2why.8.gz and new/usr/share/man/ru/man8/audit2why.8.gz differ
++++++ sandbox.init ++++++
#!/bin/bash
### BEGIN INIT INFO
# Provides: sandbox
# Required-Start: $syslog $remote_fs
# Should-Start:.
# Required-Stop: $syslog $remote_fs
# Should-Stop:.
# Default-Start: 5
# Default-Stop: 0 1 2 3 4 6
# Short-Description: SELinux Sandbox
# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and
# /home/sandbox accounts. This script will setup the / mount
# point as shared and all of the subdirectories just these
# directories as unshared.
### END INIT INFO
. /etc/rc.status
rc_reset
LOCKFILE=/var/lock/subsys/sandbox
base=${0##*/}
case "$1" in
start)
[ -f "$LOCKFILE" ] && exit 0
touch $LOCKFILE
mount --make-rshared /
mount --bind /tmp /tmp
mount --bind /var/tmp /var/tmp
mount --bind /home /home
mount --make-private /home
mount --make-private /tmp
mount --make-private /var/tmp
rc_status -v
;;
status)
if [ -f "$LOCKFILE" ]; then
echo "$base is running"
else
echo "$base is stopped"
fi
rc_status -v
;;
stop)
rm -f $LOCKFILE
rc_status -v
;;
*)
echo $"Usage: $0 {start|stop|status}"
rc_status -v
;;
esac
rc_exit
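Review bot: `start)` touches the lock file before any of the mount calls, and `[ -f "$LOCKFILE" ] && exit 0` then makes every later start return success without retrying, so one failed `mount --make-rshared /` or bind mount leaves the host permanently half-configured with a lock file claiming otherwise; create the lock only after all mounts succeed, and make sure the /var/lock/subsys directory exists first. `stop)` only removes the lock and leaves the bind mounts and private propagation in place, so `status` reports "stopped" while the namespace setup is still active; either undo the three bind mounts on stop or document that stop is cosmetic. The `exit 0` in start also bypasses `rc_exit`. The LSB header lines `# Should-Start:.` and `# Should-Stop:.` carry a stray period.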
++++++ sepolgen-1.0.16.tar.bz2 -> sepolgen-1.0.19.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sepolgen-1.0.16/ChangeLog new/sepolgen-1.0.19/ChangeLog
--- old/sepolgen-1.0.16/ChangeLog 2009-02-18 22:50:21.000000000 +0100
+++ new/sepolgen-1.0.19/ChangeLog 2009-12-01 21:49:11.000000000 +0100
@@ -1,3 +1,13 @@
+1.0.19 2009-11-27
+ * fix sepolgen to read a "type 1403" msg as a policy load by Stephen
+ Smalley