rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.461, 1.462 policycoreutils-sepolgen.patch, 1.32, 1.33 policycoreutils.spec, 1.669, 1.670

Daniel J Walsh dwalsh at fedoraproject.org
Fri Jan 8 14:37:35 UTC 2010


Author: dwalsh

Update of /cvs/pkgs/rpms/policycoreutils/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14864

Modified Files:
	policycoreutils-rhat.patch policycoreutils-sepolgen.patch 
	policycoreutils.spec 
Log Message:
* Fri Jan 8 2010 Dan Walsh <dwalsh at redhat.com> 2.0.78-9
- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules


policycoreutils-rhat.patch:
 Makefile                                    |    2 
 audit2allow/audit2allow                     |   64 +---
 restorecond/Makefile                        |   24 +
 restorecond/org.selinux.Restorecond.service |    3 
 restorecond/restorecond.8                   |   15 
 restorecond/restorecond.c                   |  429 +++++-----------------------
 restorecond/restorecond.conf                |    5 
 restorecond/restorecond.desktop             |    7 
 restorecond/restorecond.h                   |   19 +
 restorecond/restorecond.init                |    5 
 restorecond/restorecond_user.conf           |    2 
 restorecond/user.c                          |  239 +++++++++++++++
 restorecond/watch.c                         |  260 ++++++++++++++++
 sandbox/Makefile                            |   31 ++
 sandbox/deliverables/README                 |   32 ++
 sandbox/deliverables/basicwrapper           |    4 
 sandbox/deliverables/run-in-sandbox.py      |   49 +++
 sandbox/deliverables/sandbox                |  216 ++++++++++++++
 sandbox/sandbox                             |  318 ++++++++++++++++++++
 sandbox/sandbox.8                           |   50 +++
 sandbox/sandboxX.sh                         |   16 +
 sandbox/seunshare.c                         |  265 +++++++++++++++++
 semanage/semanage                           |  124 ++++++--
 semanage/semanage.8                         |   10 
 semanage/seobject.py                        |  397 ++++++++++++++++++++-----
 semodule/semodule.8                         |    6 
 semodule/semodule.c                         |   53 +++
 setfiles/restore.c                          |   73 ++++
 setfiles/restore.h                          |    3 
 setfiles/restorecon.8                       |    7 
 setfiles/setfiles.8                         |    3 
 setfiles/setfiles.c                         |   73 ----
 32 files changed, 2221 insertions(+), 583 deletions(-)

Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/pkgs/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.461
retrieving revision 1.462
diff -u -p -r1.461 -r1.462
--- policycoreutils-rhat.patch	21 Dec 2009 21:56:27 -0000	1.461
+++ policycoreutils-rhat.patch	8 Jan 2010 14:37:32 -0000	1.462
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow	2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.78/audit2allow/audit2allow	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/audit2allow/audit2allow	2010-01-08 09:32:57.000000000 -0500
 @@ -28,6 +28,7 @@
  import sepolgen.defaults as defaults
  import sepolgen.module as module
@@ -18,7 +18,17 @@ diff --exclude-from=exclude --exclude=se
          parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
                            help="read input from audit log - conflicts with -i")
          parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
-@@ -80,11 +83,11 @@
+@@ -58,6 +61,9 @@
+                           help="generate a module package - conflicts with -o and -m")
+         parser.add_option("-o", "--output", dest="output",
+                           help="append output to <filename>, conflicts with -M")
++        parser.add_option("-D", "--dontaudit", action="store_true", 
++                          dest="dontaudit", default=False, 
++                          help="generate policy with dontaudit rules")
+         parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
+                           default=True, help="generate refpolicy style output")
+ 
+@@ -80,11 +86,11 @@
          options, args = parser.parse_args()
  
          # Make -d, -a, and -i conflict
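Review bot: The help string for the new `-D`/`--dontaudit` option does not say what a dontaudit rule does to the audit trail: the access stays denied and the denial is no longer logged. For a tool that people run on AVC denials to decide what to permit, that is worth stating, for example `help="generate dontaudit rules (denials stay denied but are no longer logged) instead of allow rules"`. The two continuation lines of the `add_option` call also carry trailing whitespace. The option-conflict checks begin at the end of this hunk and continue outside it, so whether `-D` is checked against the other output options cannot be seen here.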
@@ -33,7 +43,7 @@ diff --exclude-from=exclude --exclude=se
          if options.input is not None and options.dmesg is True:
              sys.stderr.write("error: --input conflicts with --dmesg\n")
  
-@@ -129,6 +132,12 @@
+@@ -129,6 +135,12 @@
              except OSError, e:
                  sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
                  sys.exit(1)
@@ -46,7 +56,7 @@ diff --exclude-from=exclude --exclude=se
          else:
              # This is the default if no input is specified
              f = sys.stdin
-@@ -220,63 +229,44 @@
+@@ -220,63 +232,44 @@
  
      def __output_audit2why(self):
              import selinux
@@ -122,7 +132,16 @@ diff --exclude-from=exclude --exclude=se
                      print "\t\tMissing role allow rule.\n"
                      print "\t\tAdd an allow rule for the role pair.\n"
                      continue
-@@ -344,5 +334,6 @@
+@@ -314,7 +307,7 @@
+             g.set_gen_requires(True)
+ 
+         # Generate the policy
+-        g.add_access(self.__avs)
++        g.add_access(self.__avs, self.__options.dontaudit)
+         g.add_role_types(self.__role_types)
+ 
+         # Output
+@@ -344,5 +337,6 @@
              sys.exit(0)
  
  if __name__ == "__main__":
@@ -2346,8 +2365,8 @@ diff --exclude-from=exclude --exclude=se
 +}
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
 --- nsapolicycoreutils/semanage/semanage	2009-11-18 17:06:03.000000000 -0500
-+++ policycoreutils-2.0.78/semanage/semanage	2009-12-08 17:05:49.000000000 -0500
-@@ -32,23 +32,32 @@
++++ policycoreutils-2.0.78/semanage/semanage	2010-01-08 09:24:07.000000000 -0500
+@@ -32,25 +32,34 @@
  try:
         gettext.install(PROGNAME,
                         localedir="/usr/share/locale",
@@ -2381,8 +2400,11 @@ diff --exclude-from=exclude --exclude=se
  semanage interface -{a|d|m} [-tr] interface_spec
 +semanage module -{a|d|m} [--enable|--disable] module
  semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
- semanage fcontext -{a|d|m} [-frst] file_spec
+-semanage fcontext -{a|d|m} [-frst] file_spec
++semanage fcontext -{a|d|m} [-efrst] file_spec
  semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
+ semanage permissive -{d|a} type
+ semanage dontaudit [ on | off ]
 @@ -61,7 +70,9 @@
  	-d, --delete     Delete a OBJECT record NAME
  	-m, --modify     Modify a OBJECT record NAME
@@ -2397,7 +2419,7 @@ diff --exclude-from=exclude --exclude=se
          -F, --file       Treat target as an input file for command, change multiple settings
  	-p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
  	-M, --mask       Netmask
-+        -e, --equal      Make target equal to this paths labeling
++        -e, --equal      Substitue source path for dest path when labeling
  	-P, --prefix     Prefix for home directory labeling
  	-L, --level      Default SELinux Level (MLS/MCS Systems only)
  	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
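Review bot: The new help line for `-e, --equal` misspells "Substitute" as "Substitue", and the string is printed verbatim in the usage output. Suggested line: `-e, --equal      Substitute source path for dest path when labeling`. The man-page hunk that follows gives the synopsis as `-e src_path tgt_path`, but its example passes `/home1 /home` to make /home1 follow /home, so it would help to settle which argument is the source before both texts ship.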
@@ -2675,6 +2697,40 @@ diff --exclude-from=exclude --exclude=se
                               process_args(mkargv(l))
                        trans.finish()
                 else:
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.78/semanage/semanage.8
+--- nsapolicycoreutils/semanage/semanage.8	2009-11-18 17:06:03.000000000 -0500
++++ policycoreutils-2.0.78/semanage/semanage.8	2010-01-08 09:32:28.000000000 -0500
+@@ -19,6 +19,8 @@
+ .br
+ .B semanage fcontext \-{a|d|m} [\-frst] file_spec
+ .br
++.B semanage fcontext \-{a|d|m} \-e src_path tgt_path
++.br
+ .B semanage permissive \-{a|d} type
+ .br
+ .B semanage dontaudit [ on | off ]
+@@ -52,6 +54,12 @@
+ .I                \-D, \-\-deleteall
+ Remove all OBJECTS local customizations
+ .TP
++.I                \-e, \-\-equal
++Substitute src path for targetpath when labeling.  This is used with
++fcontext. Requires source and destination path arguments.  The context
++labeling for the destination subtree is made equivalent to that
++defined for the source.
++.TP
+ .I                \-f, \-\-ftype
+ File Type.   This is used with fcontext.
+ Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
+@@ -110,6 +118,8 @@
+ $ semanage login -a -s user_u %clerks
+ # Add file-context for everything under /web (used by restorecon)
+ $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
++# Make /home1 labeling equivalent to /home (used by restorecon)
++$ semanage fcontext -a -e /home1 /home
+ # Allow Apache to listen on port 81
+ $ semanage port -a -t http_port_t -p tcp 81
+ # Change apache to a permissive domain
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2009-11-20 10:51:25.000000000 -0500
 +++ policycoreutils-2.0.78/semanage/seobject.py	2009-12-08 17:05:49.000000000 -0500

policycoreutils-sepolgen.patch:
 access.py    |   15 +++++++----
 audit.py     |   75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 policygen.py |   39 ++++++++++++++++++++++++++----
 refparser.py |    2 -
 refpolicy.py |   14 +++++++----
 5 files changed, 124 insertions(+), 21 deletions(-)

Index: policycoreutils-sepolgen.patch
===================================================================
RCS file: /cvs/pkgs/rpms/policycoreutils/devel/policycoreutils-sepolgen.patch,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -p -r1.32 -r1.33
--- policycoreutils-sepolgen.patch	6 Jan 2010 20:49:27 -0000	1.32
+++ policycoreutils-sepolgen.patch	8 Jan 2010 14:37:35 -0000	1.33
@@ -202,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsa
 -
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
 --- nsasepolgen/src/sepolgen/policygen.py	2008-09-12 11:48:15.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2009-12-16 08:20:45.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2010-01-08 09:33:54.000000000 -0500
 @@ -29,6 +29,8 @@
  import access
  import interfaces
@@ -221,10 +221,15 @@ diff --exclude-from=exclude -N -u -r nsa
      def set_gen_refpol(self, if_set=None, perm_maps=None):
          """Set whether reference policy interfaces are generated.
  
-@@ -144,8 +146,35 @@
-     def __add_allow_rules(self, avs):
+@@ -141,15 +143,42 @@
+         """Return the generated module"""
+         return self.module
+ 
+-    def __add_allow_rules(self, avs):
++    def __add_allow_rules(self, avs, dontaudit):
          for av in avs:
-             rule = refpolicy.AVRule(av)
+-            rule = refpolicy.AVRule(av)
++            rule = refpolicy.AVRule(av, dontaudit=dontaudit)
 +            rule.comment = ""
              if self.explain:
                  rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
@@ -257,6 +262,20 @@ diff --exclude-from=exclude -N -u -r nsa
              self.module.children.append(rule)
  
  
+-    def add_access(self, av_set):
++    def add_access(self, av_set, dontaudit=False):
+         """Add the access from the access vector set to this
+         module.
+         """
+@@ -165,7 +194,7 @@
+             raw_allow = av_set
+ 
+         # Generate the raw allow rules from the filtered list
+-        self.__add_allow_rules(raw_allow)
++        self.__add_allow_rules(raw_allow, dontaudit)
+ 
+     def add_role_types(self, role_type_set):
+         for role_type in role_type_set:
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
 --- nsasepolgen/src/sepolgen/refparser.py	2009-10-29 15:21:39.000000000 -0400
 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-12-08 17:05:49.000000000 -0500
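Review bot: `dontaudit` is forwarded only to `__add_allow_rules(raw_allow, dontaudit)`, that is, to the raw rules left over after filtering. The start of `add_access` lies outside this hunk, but the `raw_allow = av_set` fallback and the "filtered list" comment suggest that some accesses are handled before this point. If those become interface calls, running with `-D` could still emit statements that grant access instead of only silencing the denial. The docstring should state the contract, e.g. `dontaudit - emit the raw rules as dontaudit instead of allow; accesses matched earlier in this method are not affected`, or the earlier step should be skipped when `dontaudit` is true.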
@@ -271,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsa
          for name in filenames:
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
 --- nsasepolgen/src/sepolgen/refpolicy.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2009-12-08 17:05:49.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2010-01-08 09:33:37.000000000 -0500
 @@ -398,6 +398,7 @@
          return "attribute %s;" % self.name
  
@@ -280,12 +299,22 @@ diff --exclude-from=exclude -N -u -r nsa
  
  class AVRule(Leaf):
      """SELinux access vector (AV) rule.
-@@ -426,15 +427,17 @@
+@@ -420,21 +421,26 @@
+     AUDITALLOW = 2
+     NEVERALLOW = 3
+ 
+-    def __init__(self, av=None, parent=None):
++    def __init__(self, av=None, parent=None, dontaudit=False):
+         Leaf.__init__(self, parent)
+         self.src_types = IdSet()
          self.tgt_types = IdSet()
          self.obj_classes = IdSet()
          self.perms = IdSet()
 -        self.rule_type = self.ALLOW
-+        self.rule_type = audit2why.TERULE
++        if dontaudit:
++            self.rule_type = audit2why.DONTAUDIT
++        else:
++            self.rule_type = audit2why.TERULE
          if av:
              self.from_av(av)
  
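Review bot: `rule_type` is now assigned `audit2why.DONTAUDIT` or `audit2why.TERULE`, while the class still declares its own rule-type constants (`AUDITALLOW = 2` and `NEVERALLOW = 3` are visible just above `__init__`). These are two separate sets of codes, and the code that turns `rule_type` into a policy keyword is outside this hunk. If it compares against a different set than the one assigned here, a rule requested as dontaudit could be written out under another keyword. I would add a comment at the assignment, `# rule_type holds audit2why codes here; the string conversion must test the same codes`, and document the new `dontaudit` parameter in the class docstring.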


Index: policycoreutils.spec
===================================================================
RCS file: /cvs/pkgs/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.669
retrieving revision 1.670
diff -u -p -r1.669 -r1.670
--- policycoreutils.spec	6 Jan 2010 20:51:36 -0000	1.669
+++ policycoreutils.spec	8 Jan 2010 14:37:35 -0000	1.670
@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.78
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -297,6 +297,10 @@ fi
 exit 0
 
 %changelog
+* Fri Jan 8 2010 Dan Walsh <dwalsh at redhat.com> 2.0.78-9
+- Add -e to semanage man page
+- Add -D qualifier to audit2allow to generate dontaudit rules
+
 * Wed Jan 6 2010 Dan Walsh <dwalsh at redhat.com> 2.0.78-8
 - Speed up audit2allow processing of audit2why comments
 



