From f0c25ad0a9af19f5abeb39492c16d1384450f97d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 19 2015 16:06:57 +0000
Subject: import policycoreutils-2.2.5-20.el7
---
diff --git a/SOURCES/0010-Cover-file_context.XXX.homedir.patch b/SOURCES/0010-Cover-file_context.XXX.homedir.patch
new file mode 100644
index 0000000..11d0a95
--- /dev/null
+++ b/SOURCES/0010-Cover-file_context.XXX.homedir.patch
@@ -0,0 +1,51 @@
+commit 36883e30182f443d8c93905748fd059c6c480a58
+Author: Petr Lautrbach
+Date: Sat Jul 4 11:10:58 2015 +0200
+
+ fixfiles: Cover file_context.XXX.homedir
+
+ We need to cover file_context.XXX.homedir to have fixfiles with
+ exclude_dirs working correctly.
+
+ From github fedora-selinux/selinux:
+ 40f8d680431e3e4f59e276455ff660c57dab2c3e
+ afe098c7201d274dcbea6ef4d5465a702e3c1271
+ 2a0a68edde30f4e3254dcee63a892de1aa6ab69a
+
+ Resolves: rhbz#1186640
+
+diff --git a/scripts/fixfiles b/scripts/fixfiles
+index df4298a..7a158d1 100755
+--- a/scripts/fixfiles
++++ b/scripts/fixfiles
+@@ -139,7 +139,7 @@ fi
+ 
+ FC_SUB_DIST=${FC}.subs_dist
+ FC_SUB=${FC}.subs
+-
++FC_HOMEDIRS=${FC}.homedirs
+ #
+ # Log to either syslog or a LOGFILE
+ #
+@@ -246,10 +246,10 @@ then
+ logit "skipping the directory ${p}"
+ done
+ FC=$TEMPFCFILE
+-/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+ /bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+-/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs &>/dev/null || exit
+ /bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit
++/bin/cp -p ${FC_HOMEDIRS} ${TEMPFCFILE}.homedirs &>/dev/null || exit
++
+ fi
+ if [ ! -z "$RPMFILES" ]; then
+ for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
+@@ -271,7 +271,7 @@ if [ ${OPTION} != "Relabel" ]; then
+ return
+ fi
+ echo "Cleaning up labels on /tmp"
+-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs
++rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs ${TEMPFCFILE}.homedirs
+ 
+ UNDEFINED=`get_undefined_type` || exit $?
+ UNLABELED=`get_unlabeled_type` || exit $?
diff --git a/SOURCES/0011-semanage-Use-OrderedDict-for-list-of-fcontexts.patch b/SOURCES/0011-semanage-Use-OrderedDict-for-list-of-fcontexts.patch
new file mode 100644
index 0000000..13b08aa
--- /dev/null
+++ b/SOURCES/0011-semanage-Use-OrderedDict-for-list-of-fcontexts.patch
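Review bot: The added `/bin/cp -p ${FC_HOMEDIRS} ${TEMPFCFILE}.homedirs &>/dev/null || exit` turns a missing `${FC}.homedirs` into a silent hard stop: cp's stderr is discarded and nothing is passed to `logit` before `exit`, so an exclude_dirs run ends with status 1 and no explanation. Whether `.homedirs` is guaranteed to exist next to `${FC}` is not shown in this patch; if it can be absent, guard the copy, `if [ -f "${FC_HOMEDIRS}" ]; then /bin/cp -p "${FC_HOMEDIRS}" "${TEMPFCFILE}.homedirs" || exit; fi`, or at least log a message before exiting. The two pre-existing `.subs_dist`/`.subs` copies have the same silent-exit shape, so one small copy-and-log helper would cover all three. The enclosing `if … fi` block of fixfiles starts before this hunk.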
@@ -0,0 +1,43 @@
+commit 658a17d73e0b0df4b533efa38634420c9b97ba66
+Author: Petr Lautrbach
+Date: Tue Jul 7 07:38:31 2015 +0200
+
+ semanage: Use OrderedDict for list of fcontexts
+
+ semanage-fcontext shows which file contexts are defined and
+ do a sort which does not follow real order. It could be confusing for
+ users therefore we need to use OrderedDict and preserve the order.
+
+ Resolves: rhbz#1206769
+
+diff --git a/semanage/seobject/__init__.py b/semanage/seobject/__init__.py
+index 08bf736..1e0bbfc 100644
+--- a/semanage/seobject/__init__.py
++++ b/semanage/seobject/__init__.py
+@@ -2003,7 +2003,9 @@ class fcontextRecords(semanageRecords):
+ 
+ self.flist += fclocal
+ 
+- ddict = {}
++ from collections import OrderedDict
++ ddict = OrderedDict()
++
+ for fcontext in self.flist:
+ expr = semanage_fcontext_get_expr(fcontext)
+ ftype = semanage_fcontext_get_type(fcontext)
+@@ -2020,7 +2022,6 @@ class fcontextRecords(semanageRecords):
+ l = []
+ fcon_dict = self.get_all(True)
+ keys = list(fcon_dict.keys())
+- keys.sort()
+ for k in keys:
+ if fcon_dict[k]:
+ l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0]))
+@@ -2034,7 +2035,6 @@ class fcontextRecords(semanageRecords):
+ fcon_dict = self.get_all(locallist)
+ keys = list(fcon_dict.keys())
+ if len(keys) != 0:
+- keys.sort()
+ if heading:
+ print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
+ for k in keys:
diff --git a/SOURCES/0012-Fix-handling-of-Forking-daemon-to-allow-systemd-to-h.patch b/SOURCES/0012-Fix-handling-of-Forking-daemon-to-allow-systemd-to-h.patch
new file mode 100644
index 0000000..b265986
--- /dev/null
+++ b/SOURCES/0012-Fix-handling-of-Forking-daemon-to-allow-systemd-to-h.patch
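Review bot: `from collections import OrderedDict` is placed inside the method body right before `ddict = OrderedDict()` instead of with the module imports of `seobject/__init__.py` (the import block is outside this hunk); moving it to the top keeps the dependency visible and stops the import statement from being re-executed on every call. Removing both `keys.sort()` calls means the two listing paths now print in whatever order `self.flist` holds after `self.flist += fclocal`, and nothing in the hunk records that this is deliberate; a comment at the `OrderedDict()` line such as `# keep flist order: callers list entries as semanage stores them and no longer sort keys` would make the intent explicit. All three affected functions start outside the hunk.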
@@ -0,0 +1,35 @@
+From 7ea191268262d8c45ed152120a1d9da49fcac21e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Tue, 7 Jul 2015 16:14:52 +0200
+Subject: [PATCH] Fix handling of Forking daemon, to allow systemd to handle it
+ better
+
+Charry picked from github fedora-selinux/selinux.git
+7a8dd47ed587341db71dfac06fccfeabc299183e
+
+Resolves: rhbz#1186648
+---
+ restorecond/restorecond.service | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/restorecond/restorecond.service b/restorecond/restorecond.service
+index f560b05..460a49f 100644
+--- a/restorecond/restorecond.service
++++ b/restorecond/restorecond.service
+@@ -4,10 +4,9 @@ After=syslog.target
+ ConditionPathExists=/etc/selinux/restorecond.conf
+ 
+ [Service]
+-Environment=LANG=C
+-
+-ExecStart=/usr/sbin/restorecond -d
+-ExecStop=/bin/kill -WINCH ${MAINPID}
++Type=forking
++ExecStart=/usr/sbin/restorecond
++PIDFile=/var/run/restorecond.pid
+ 
+ [Install]
+ WantedBy=multi-user.target
+--
+2.4.3
+
diff --git a/SOURCES/0013-Fix-typo-in-semanage-args-for-minimum-policy-store.patch b/SOURCES/0013-Fix-typo-in-semanage-args-for-minimum-policy-store.patch
new file mode 100644
index 0000000..8b40142
--- /dev/null
+++ b/SOURCES/0013-Fix-typo-in-semanage-args-for-minimum-policy-store.patch
@@ -0,0 +1,21 @@
+commit 9454d7dde9ee382858dd23e7e4ff03738a158b9e
+Author: Petr Lautrbach
+Date: Thu Jul 9 10:07:09 2015 +0200
+
+ Fix typo in semanage args for minimum policy store
+
+ Resolves: rhbz#1208797
+
+diff --git a/semanage/semanage b/semanage/semanage
+index 27d0571..920f308 100644
+--- a/semanage/semanage
++++ b/semanage/semanage
+@@ -793,7 +793,7 @@ def createCommandParser():
+ 
+ def make_io_args(args):
+ # import/export backward compability
+- args_origin = ["-S", "-o", "-i", "targeted", "minumum", "mls"]
++ args_origin = ["-S", "-o", "-i", "targeted", "minimum", "mls"]
+ args_file = []
+ args_ie = []
+ args_subcommand = []
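Review bot: Dropping `ExecStop=/bin/kill -WINCH ${MAINPID}` silently changes the stop signal: with no ExecStop, systemd stops the unit with its default KillSignal (SIGTERM) instead of SIGWINCH, so the unit now relies on restorecond shutting down cleanly on SIGTERM, which this hunk cannot show; if SIGWINCH is the daemon's shutdown signal, preserve it with `KillSignal=SIGWINCH` under `[Service]`. `PIDFile=/var/run/restorecond.pid` uses the legacy `/var/run` prefix rather than `/run`, and the path has to match what `/usr/sbin/restorecond` writes when started without `-d`, which is presumably its forking mode given `Type=forking` but is not visible here. A one-line comment above `Type=forking` naming the daemonizing default and the pid-file location would let the next reader verify both without reading the C source.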
diff --git a/SOURCES/0014-Allow-to-define-sock-file-in-etc-directory.patch b/SOURCES/0014-Allow-to-define-sock-file-in-etc-directory.patch
new file mode 100644
index 0000000..16c35ab
--- /dev/null
+++ b/SOURCES/0014-Allow-to-define-sock-file-in-etc-directory.patch
@@ -0,0 +1,25 @@
+From ae6f0f8121cc3551bb0b0d415b91010b9ba6848f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Thu, 9 Jul 2015 15:46:32 +0200
+Subject: [PATCH] Allow to define sock file in /etc directory
+
+Resolves: rhbz#1188360
+---
+ sepolicy/sepolicy/templates/etc_rw.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/sepolicy/sepolicy/templates/etc_rw.py b/sepolicy/sepolicy/templates/etc_rw.py
+index dcf445e..b0ee119 100644
+--- a/sepolicy/sepolicy/templates/etc_rw.py
++++ b/sepolicy/sepolicy/templates/etc_rw.py
+@@ -137,3 +137,7 @@ FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
+ fc_dir="""\
+ FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
+ """
++
++fc_sock_file="""\
++FILENAME -s gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
++"""
+--
+2.4.3
+
diff --git a/SOURCES/0015-seunshare-Try-to-use-setcurrent-before-setexec.patch b/SOURCES/0015-seunshare-Try-to-use-setcurrent-before-setexec.patch
new file mode 100644
index 0000000..c0f3d2a
--- /dev/null
+++ b/SOURCES/0015-seunshare-Try-to-use-setcurrent-before-setexec.patch
@@ -0,0 +1,62 @@
+From 74d27a97338649951108727a0a142b260ce9a28b Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Mon, 12 May 2014 13:19:21 -0400
+Subject: [PATCH] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail. This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent. This rule appears to work:
+
+ allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index a221920..c92e394 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -826,17 +826,25 @@ int main(int argc, char **argv) {
+ goto childerr;
+ }
+ 
+- /* selinux context */
+- if (execcon && setexeccon(execcon) != 0) {
+- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+- goto childerr;
+- }
+-
+ if (chdir(pwd->pw_dir)) {
+ perror(_("Failed to change dir to homedir"));
+ goto childerr;
+ }
+ setsid();
++
++ /* selinux context */
++ if (execcon) {
++ /* try dyntransition, since no_new_privs can interfere
++ * with setexeccon */
++ if (setcon(execcon) != 0) {
++ /* failed; fall back to setexeccon */
++ if (setexeccon(execcon) != 0) {
++ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
++ goto childerr;
++ }
++ }
++ }
++
+ execv(argv[optind], argv + optind);
+ fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+--
+2.6.0
+
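Review bot: When `setcon(execcon)` fails its errno is overwritten by the `setexeccon(execcon)` attempt, so the only diagnostic a user ever sees is "Could not set exec context" with setexeccon's errno, even when the real cause is the missing `dyntransition` rule the commit message describes; capture it with `int setcon_errno = errno;` right after the failed `setcon` and include `strerror(setcon_errno)` in the message, or at least extend the `/* failed; fall back to setexeccon */` comment to say the dyntransition denial is dropped here and only shows up as an AVC record, if auditing is enabled. The new `/* selinux context */` block also deserves a sentence on what it changes for policy authors: a successful `setcon` is a dynamic transition of the already-running child, so the sandbox domain inherits the descriptors and mappings the child holds from its parent without the re-validation an exec-time transition performs — presumably acceptable for sandbox_t, but a policy granting `dyntransition` should be written with that in mind. Reordering the context change after `chdir` and `setsid()` is what the commit intends and needs no further change. `main` starts and ends outside this hunk.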
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index 2b2e35b..1b0052b 100644
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.2.5
-Release: 15%{?dist}
+Release: 20%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
@@ -31,6 +31,18 @@ Patch10: 0006-restorecon-1082956.patch
 Patch11: 0007-semanage-man-subpages-s-STORE-to-S-STORE.patch
 Patch12: 0008-fix-semanage-help-message-to-S-STORE.patch
 Patch13: 0009-Fix-sepolicy.search-to-get-good-results-everytime.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1186640
+Patch14: 0010-Cover-file_context.XXX.homedir.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1206769
+Patch15: 0011-semanage-Use-OrderedDict-for-list-of-fcontexts.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1186648
+Patch16: 0012-Fix-handling-of-Forking-daemon-to-allow-systemd-to-h.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1208797
+Patch17: 0013-Fix-typo-in-semanage-args-for-minimum-policy-store.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1188360
+Patch18: 0014-Allow-to-define-sock-file-in-etc-directory.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1268813
+Patch19: 0015-seunshare-Try-to-use-setcurrent-before-setexec.patch
 
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
@@ -76,6 +88,13 @@ to switch roles.
 %patch11 -p2 -b .1085246
 %patch12 -p2 -b .1085246
 %patch13 -p2 -b .1092356
+%patch14 -p1 -b .1186640
+%patch15 -p1 -b .1206769
+%patch16 -p1 -b .1186648
+%patch17 -p1 -b .1208797
+%patch18 -p1 -b .1188360
+%patch19 -p2 -b .1268813
+
 
 cp %{SOURCE3} gui/
 tar xvf %{SOURCE4}
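Review bot: `%patch19 -p2 -b .1268813` uses a different strip level from the `-p1` of `%patch14` through `%patch18` added just above it, and nothing in the spec says why; the 0015 patch in this same commit is rooted at `a/policycoreutils/sandbox/seunshare.c` while 0010–0014 are rooted one level up, so `-p2` is correct, but a comment on that line, `# 0015 carries a policycoreutils/ prefix (combined selinux tree), hence -p2`, would stop the next maintainer from "normalizing" it and breaking the build. The same information would be useful next to the `Patch19:` declaration in the second hunk, where the bugzilla comment is the only context given.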
@@ -371,6 +390,31 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Tue Oct 06 2015 Petr Lautrbach 2.2.5-20
+- seunshare: Try to use setcurrent before setexec
+Resolves: rhbz#1268813
+
+* Wed Aug 19 2015 Petr Lautrbach 2.2.5-19
+- Revert previous changes
+
+* Fri Jul 10 2015 Petr Lautrbach 2.2.5-18
+- fixfiles: Fix several spellcheck warnings
+
+* Thu Jul 09 2015 Petr Lautrbach 2.2.5-17
+- Fix handling of Forking daemon, to allow systemd to handle it better
+Resolves: rhbz#1186648
+- Fix typo in semanage args for minimum policy store
+Resolves: rhbz#1208797
+- Allow to define sock file in /etc directory
+Resolves: rhbz#1188360
+
+* Tue Jul 07 2015 Petr Lautrbach 2.2.5-16
+- semanage: Use OrderedDict for list of fcontexts
+Resolves: rhbz#1206769
+- fixfiles: Cover file_context.XXX.homedir
+Resolves: rhbz#1186640
+
+
 * Mon Nov 10 2014 Miroslav Grepl 2.2.5-15
 - Fix sepolicy.search() to get good results everytime.
 Resolves:#1092356