diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata index 53b33c9..c722103 100644 --- a/.policycoreutils.metadata +++ b/.policycoreutils.metadata @@ -1,5 +1,5 @@ 425ab5ad02cf2195d63fad5578b23a615eb95c21 SOURCES/policycoreutils-2.5.tar.gz -2c34c01bc3099571ce2d39e93653c11f1f32f89d SOURCES/policycoreutils-po.tgz +6bd495adbfa037c233eaa0973d74614922e3a551 SOURCES/policycoreutils-po.tgz be6e4cb77bb89b98ecb246f03780389b30646198 SOURCES/policycoreutils_man_ru2.tar.bz2 a7af25afd151ccf688a59e7764604b05e738e0e3 SOURCES/sepolgen-1.2.3.tar.gz d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz diff --git a/SOURCES/policycoreutils-rhel.patch b/SOURCES/policycoreutils-rhel.patch index 6682859..e7a37da 100644 --- a/SOURCES/policycoreutils-rhel.patch +++ b/SOURCES/policycoreutils-rhel.patch @@ -2926,10 +2926,10 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git policycoreutils-2.5/semanage/semanage policycoreutils-2.5/semanage/semanage -index 7489955..37b5d70 100644 +index 7489955..72dbd9d 100644 --- policycoreutils-2.5/semanage/semanage +++ policycoreutils-2.5/semanage/semanage -@@ -23,6 +23,11 @@ +@@ -23,8 +23,12 @@ # # @@ -2939,9 +2939,11 @@ index 7489955..37b5d70 100644 + pass + import argparse - import seobject +-import seobject import sys -@@ -45,25 +50,31 @@ except IOError: + import gettext + PROGNAME = "policycoreutils" +@@ -45,28 +49,34 @@ except IOError: __builtin__.__dict__['_'] = unicode # define custom usages for selected main actions 
@@ -2979,22 +2981,117 @@ index 7489955..37b5d70 100644 +usage_boolean = "semanage boolean [-h] [-n] [-N] [-S STORE] [" usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} - import sepolicy -@@ -144,6 +155,13 @@ def port_ini(): - OBJECT = seobject.portRecords(store) +-import sepolicy ++ + + + class CheckRole(argparse.Action): +@@ -75,7 +85,11 @@ class CheckRole(argparse.Action): + newval = getattr(namespace, self.dest) + if not newval: + newval = [] +- roles = sepolicy.get_all_roles() ++ try: ++ import sepolicy ++ roles = sepolicy.get_all_roles() ++ except ValueError: ++ roles = [] + for v in value.split(): + if v not in roles: + raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (v, ", ".join(roles))) +@@ -90,6 +104,13 @@ class SetStore(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + global store + store = values ++ ++ # set store value as soon as possible so that seobject (sepolicy) can be imported successfully ++ import selinux ++ rc, localstore = selinux.selinux_getpolicytype() ++ if store not in ["", localstore]: ++ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), store)) ++ + setattr(namespace, self.dest, values) + + +@@ -131,62 +152,80 @@ class SetImportFile(argparse.Action): + + + def login_ini(): +- OBJECT = seobject.loginRecords(store) ++ from seobject import loginRecords ++ OBJECT = loginRecords(store) + return OBJECT + + + def user_ini(): +- OBJECT = seobject.seluserRecords(store) ++ from seobject import seluserRecords ++ OBJECT = seluserRecords(store) + return OBJECT + + + def port_ini(): +- OBJECT = seobject.portRecords(store) ++ from seobject import portRecords ++ OBJECT = portRecords(store) return OBJECT +def ibpkey_ini(): -+ OBJECT = seobject.ibpkeyRecords(store) ++ from seobject import ibpkeyRecords ++ OBJECT = ibpkeyRecords(store) + return OBJECT + +def ibendport_ini(): -+ OBJECT = 
seobject.ibendportRecords(store) ++ from seobject import ibendportRecords ++ OBJECT = ibendportRecords(store) + return OBJECT def module_ini(): - OBJECT = seobject.moduleRecords(store) -@@ -180,13 +198,12 @@ def dontaudit_ini(): +- OBJECT = seobject.moduleRecords(store) ++ from seobject import moduleRecords ++ OBJECT = moduleRecords(store) + return OBJECT + + + def interface_ini(): +- OBJECT = seobject.interfaceRecords(store) ++ from seobject import interfaceRecords ++ OBJECT = interfaceRecords(store) + return OBJECT + + + def node_ini(): +- OBJECT = seobject.nodeRecords(store) ++ from seobject import nodeRecords ++ OBJECT = nodeRecords(store) + return OBJECT + + + def fcontext_ini(): +- OBJECT = seobject.fcontextRecords(store) ++ from seobject import fcontextRecords ++ OBJECT = fcontextRecords(store) + return OBJECT + + + def boolean_ini(): +- OBJECT = seobject.booleanRecords(store) ++ from seobject import booleanRecords ++ OBJECT = booleanRecords(store) + return OBJECT + + + def permissive_ini(): +- OBJECT = seobject.permissiveRecords(store) ++ from seobject import permissiveRecords ++ OBJECT = permissiveRecords(store) + return OBJECT + + + def dontaudit_ini(): +- OBJECT = seobject.dontauditClass(store) ++ from seobject import dontauditClass ++ OBJECT = dontauditClass(store) return OBJECT # define dictonary for seobject OBEJCTS @@ -3010,7 +3107,7 @@ index 7489955..37b5d70 100644 sorted_keys.append(i) sorted_keys.sort() for k in sorted_keys: -@@ -202,7 +219,7 @@ def handle_opts(args, dict, target_key): +@@ -202,7 +241,7 @@ def handle_opts(args, dict, target_key): # {action:[conflict_opts,require_opts]} # first we need to catch conflicts @@ -3019,7 +3116,7 @@ index 7489955..37b5d70 100644 try: if k in dict[target_key][0] and args.__dict__[k]: print("%s option can not be used with --%s" % (target_key, k)) -@@ -210,7 +227,7 @@ def handle_opts(args, dict, target_key): +@@ -210,7 +249,7 @@ def handle_opts(args, dict, target_key): except KeyError: continue 
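Review bot: In `SetStore.__call__` the `-S` value is spliced straight into `selinux_set_policy_root("%s%s" % (selinux.selinux_path(), store))` with no check that it is a plain store name, and the `rc` returned by `selinux_getpolicytype()` is discarded, so a failed lookup still proceeds to the comparison against `localstore`. A store name carrying a path separator would move the policy root outside the SELinux directory; a guard such as `if "/" in store: raise ValueError(_("Invalid store name: %s") % store)` before the call keeps the root under `selinux_path()` and matches how `CheckRole` already reports bad input. The same unguarded construction is repeated in seobject.py's `semanageRecords.__init__` (hunk `@@ -217,6 +245,8 @@`), which additionally calls `sepolicy.load_store_policy(self.store)` with the raw value. Separately, `CheckRole` now falls back to `roles = []` when `get_all_roles()` raises `ValueError`, so every `-R` value is then rejected with an empty "Valid roles:" list instead of a message saying the policy could not be read.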
@@ -3028,7 +3125,7 @@ index 7489955..37b5d70 100644 try: if k in dict[target_key][1] and not args.__dict__[k]: print("%s option is needed for %s" % (k, target_key)) -@@ -272,16 +289,15 @@ def parser_add_type(parser, name): +@@ -272,16 +311,15 @@ def parser_add_type(parser, name): def parser_add_level(parser, name): @@ -3047,7 +3144,7 @@ index 7489955..37b5d70 100644 ''')) -@@ -291,6 +307,15 @@ def parser_add_proto(parser, name): +@@ -291,6 +329,15 @@ def parser_add_proto(parser, name): version for the specified node (ipv4|ipv6). ''')) @@ -3063,7 +3160,7 @@ index 7489955..37b5d70 100644 def parser_add_modify(parser, name): parser.add_argument('-m', '--modify', dest='action', action='store_const', const='modify', help=_("Modify a record of the %s object type") % name) -@@ -382,13 +407,14 @@ def handleFcontext(args): +@@ -382,13 +429,14 @@ def handleFcontext(args): def setupFcontextParser(subparsers): ftype_help = ''' @@ -3085,7 +3182,7 @@ index 7489955..37b5d70 100644 ''' generate_usage = generate_custom_usage(usage_fcontext, usage_fcontext_dict) fcontextParser = subparsers.add_parser('fcontext', usage=generate_usage, help=_("Manage file context mapping definitions")) -@@ -513,6 +539,95 @@ def setupPortParser(subparsers): +@@ -513,6 +561,95 @@ def setupPortParser(subparsers): portParser.set_defaults(func=handlePort) @@ -3181,7 +3278,7 @@ index 7489955..37b5d70 100644 def handleInterface(args): interface_args = {'list': [('interface'), ('')], 'add': [('locallist'), ('type', 'interface')], 'modify': [('locallist'), ('type', 'interface')], 'delete': [('locallist'), ('interface')], 'extract': [('locallist', 'interface', 'type'), ('')], 'deleteall': [('locallist'), ('')]} -@@ -524,7 +639,7 @@ def handleInterface(args): +@@ -524,7 +661,7 @@ def handleInterface(args): if args.action is "add": OBJECT.add(args.interface, args.range, args.type) if args.action is "modify": 
@@ -3190,7 +3287,17 @@ index 7489955..37b5d70 100644 if args.action is "delete": OBJECT.delete(args.interface) if args.action is "list": -@@ -607,7 +722,7 @@ def handleNode(args): +@@ -558,7 +695,8 @@ def setupInterfaceParser(subparsers): + + + def handleModule(args): +- OBJECT = seobject.moduleRecords(store) ++ from seobject import moduleRecords ++ OBJECT = moduleRecords(store) + OBJECT.set_reload(args.noreload) + if args.action == "add": + OBJECT.add(args.module_name, args.priority) +@@ -607,7 +745,7 @@ def handleNode(args): if args.action is "add": OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type) if args.action is "modify": @@ -3199,7 +3306,26 @@ index 7489955..37b5d70 100644 if args.action is "delete": OBJECT.delete(args.node, args.netmask, args.proto) if args.action is "list": -@@ -839,7 +954,7 @@ def handleImport(args): +@@ -746,7 +884,7 @@ def setupDontauditParser(subparsers): + + + def handleExport(args): +- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module"] ++ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"] + for i in manageditems: + print("%s -D" % i) + for i in manageditems: +@@ -814,7 +952,8 @@ def mkargv(line): + + + def handleImport(args): +- trans = seobject.semanageRecords(store) ++ from seobject import semanageRecords ++ trans = semanageRecords(store) + trans.start() + + for l in sys.stdin.readlines(): +@@ -839,7 +978,7 @@ def handleImport(args): def setupImportParser(subparsers): @@ -3208,7 +3334,7 @@ index 7489955..37b5d70 100644 parser_add_noreload(importParser, "import") parser_add_store(importParser, "import") importParser.add_argument('-f', '--input_file', dest='input_file', action=SetImportFile, help=_('Input file')) -@@ -860,6 +975,8 @@ def createCommandParser(): +@@ -860,6 +999,8 @@ def createCommandParser(): setupLoginParser(subparsers) setupUserParser(subparsers) setupPortParser(subparsers) 
@@ -3217,7 +3343,7 @@ index 7489955..37b5d70 100644 setupInterfaceParser(subparsers) setupModuleParser(subparsers) setupNodeParser(subparsers) -@@ -894,6 +1011,8 @@ def make_io_args(args): +@@ -894,6 +1035,8 @@ def make_io_args(args): def make_args(sys_args): @@ -3606,7 +3732,7 @@ index 0fad36c..6032b41 100644 .SH "AUTHOR" This man page was written by Daniel Walsh diff --git policycoreutils-2.5/semanage/seobject.py policycoreutils-2.5/semanage/seobject.py -index 3b0b108..c49f0d6 100644 +index 3b0b108..04cf03b 100644 --- policycoreutils-2.5/semanage/seobject.py +++ policycoreutils-2.5/semanage/seobject.py @@ -30,12 +30,13 @@ import os @@ -3697,7 +3823,16 @@ index 3b0b108..c49f0d6 100644 def commit(self, success): pass -@@ -384,8 +412,13 @@ class moduleRecords(semanageRecords): +@@ -217,6 +245,8 @@ class semanageRecords: + if store == "" or store == localstore: + self.mylog = logger() + else: ++ sepolicy.load_store_policy(self.store) ++ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store)) + self.mylog = nulllogger() + + def set_reload(self, load): +@@ -384,8 +414,13 @@ class moduleRecords(semanageRecords): raise ValueError(_("Could not disable module %s") % m) self.commit() @@ -3712,7 +3847,7 @@ index 3b0b108..c49f0d6 100644 if rc >= 0: self.commit() -@@ -557,7 +590,6 @@ class loginRecords(semanageRecords): +@@ -557,7 +592,6 @@ class loginRecords(semanageRecords): semanage_seuser_key_free(k) semanage_seuser_free(u) @@ -3720,7 +3855,7 @@ index 3b0b108..c49f0d6 100644 def add(self, name, sename, serange): try: -@@ -565,7 +597,6 @@ class loginRecords(semanageRecords): +@@ -565,7 +599,6 @@ class loginRecords(semanageRecords): self.__add(name, sename, serange) self.commit() except ValueError, error: 
@@ -3728,7 +3863,7 @@ index 3b0b108..c49f0d6 100644 raise error def __modify(self, name, sename="", serange=""): -@@ -617,7 +648,6 @@ class loginRecords(semanageRecords): +@@ -617,7 +650,6 @@ class loginRecords(semanageRecords): semanage_seuser_key_free(k) semanage_seuser_free(u) @@ -3736,7 +3871,7 @@ index 3b0b108..c49f0d6 100644 def modify(self, name, sename="", serange=""): try: -@@ -625,7 +655,6 @@ class loginRecords(semanageRecords): +@@ -625,7 +657,6 @@ class loginRecords(semanageRecords): self.__modify(name, sename, serange) self.commit() except ValueError, error: @@ -3744,7 +3879,7 @@ index 3b0b108..c49f0d6 100644 raise error def __delete(self, name): -@@ -658,8 +687,6 @@ class loginRecords(semanageRecords): +@@ -658,8 +689,6 @@ class loginRecords(semanageRecords): rec, self.sename, self.serange = selinux.getseuserbyname("__default__") range, (rc, serole) = userrec.get(self.sename) @@ -3753,7 +3888,7 @@ index 3b0b108..c49f0d6 100644 def delete(self, name): try: self.begin() -@@ -667,7 +694,6 @@ class loginRecords(semanageRecords): +@@ -667,7 +696,6 @@ class loginRecords(semanageRecords): self.commit() except ValueError, error: @@ -3761,7 +3896,7 @@ index 3b0b108..c49f0d6 100644 raise error def deleteall(self): -@@ -681,7 +707,6 @@ class loginRecords(semanageRecords): +@@ -681,7 +709,6 @@ class loginRecords(semanageRecords): self.__delete(semanage_seuser_get_name(u)) self.commit() except ValueError, error: 
@@ -3769,7 +3904,50 @@ index 3b0b108..c49f0d6 100644 raise error def get_all_logins(self): -@@ -1109,6 +1134,8 @@ class portRecords(semanageRecords): +@@ -719,7 +746,10 @@ class loginRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ if ddict[k][1]: ++ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ else: ++ l.append("-a -s %s %s" % (ddict[k][0], k)) + return l + + def list(self, heading=1, locallist=0): +@@ -991,7 +1021,10 @@ class seluserRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k)) ++ if ddict[k][1] or ddict[k][2]: ++ l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k)) ++ else: ++ l.append("-a -R '%s' %s" % (ddict[k][3], k)) + return l + + def list(self, heading=1, locallist=0): +@@ -1015,13 +1048,14 @@ class seluserRecords(semanageRecords): + + + class portRecords(semanageRecords): +- try: +- valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"] +- except RuntimeError: +- valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"] ++ except RuntimeError: ++ pass + + def __genkey(self, port, proto): + if proto == "tcp": +@@ -1109,6 +1143,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) semanage_port_free(p) @@ -3778,7 +3956,7 @@ index 3b0b108..c49f0d6 100644 def add(self, port, proto, serange, type): self.begin() self.__add(port, proto, serange, type) -@@ -1138,8 +1165,11 @@ class portRecords(semanageRecords): +@@ -1138,8 +1174,11 @@ class portRecords(semanageRecords): con = semanage_port_get_con(p) 
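Review bot: In `seluserRecords.customized` the new branch `if ddict[k][1] or ddict[k][2]:` emits both `-L %s` and `-r %s` whenever either field is set, so a record with only one of level/range produces an empty option value (for example `-a -L s0 -r  -R '...' name`), which the import side would parse as `-r` followed by the `-R` option rather than a value. Whether one field can be present without the other depends on the store's MLS configuration, which the hunk does not show, but emitting each flag only when its value is non-empty avoids the malformed line either way. The `loginRecords` change just above is not affected, since it tests a single field.
```python
for k in keys:
    line = "-a"
    if ddict[k][1]:
        line += " -L %s" % ddict[k][1]
    if ddict[k][2]:
        line += " -r %s" % ddict[k][2]
    l.append("%s -R '%s' %s" % (line, ddict[k][3], k))
return l
```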
@@ -3792,7 +3970,7 @@ index 3b0b108..c49f0d6 100644 if setype != "": semanage_context_set_type(self.sh, con, setype) -@@ -1150,6 +1180,8 @@ class portRecords(semanageRecords): +@@ -1150,6 +1189,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) semanage_port_free(p) @@ -3801,7 +3979,7 @@ index 3b0b108..c49f0d6 100644 def modify(self, port, proto, serange, setype): self.begin() self.__modify(port, proto, serange, setype) -@@ -1168,6 +1200,7 @@ class portRecords(semanageRecords): +@@ -1168,6 +1209,7 @@ class portRecords(semanageRecords): low = semanage_port_get_low(port) high = semanage_port_get_high(port) port_str = "%s-%s" % (low, high) @@ -3809,7 +3987,7 @@ index 3b0b108..c49f0d6 100644 (k, proto_d, low, high) = self.__genkey(port_str, proto_str) if rc < 0: raise ValueError(_("Could not create a key for %s") % port_str) -@@ -1177,6 +1210,11 @@ class portRecords(semanageRecords): +@@ -1177,6 +1219,11 @@ class portRecords(semanageRecords): raise ValueError(_("Could not delete the port %s") % port_str) semanage_port_key_free(k) @@ -3821,7 +3999,7 @@ index 3b0b108..c49f0d6 100644 self.commit() def __delete(self, port, proto): -@@ -1199,6 +1237,8 @@ class portRecords(semanageRecords): +@@ -1199,6 +1246,8 @@ class portRecords(semanageRecords): semanage_port_key_free(k) 
@@ -3830,19 +4008,35 @@ index 3b0b108..c49f0d6 100644 def delete(self, port, proto): self.begin() self.__delete(port, proto) -@@ -1276,6 +1316,499 @@ class portRecords(semanageRecords): +@@ -1254,10 +1303,11 @@ class portRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- if k[0] == k[1]: +- l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0])) ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -p %s %s" % (ddict[k][0], ddict[k][1], k[2], port)) + else: +- l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1])) ++ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], port)) + return l + + def list(self, heading=1, locallist=0): +@@ -1276,16 +1326,516 @@ class portRecords(semanageRecords): rec += ", %s" % p print rec +class ibpkeyRecords(semanageRecords): -+ try: -+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"]) -+ valid_types = sorted(str(t) for t in q.results()) -+ except: -+ valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibpkey_type"]) ++ self.valid_types = sorted(str(t) for t in q.results()) ++ except: ++ pass + + def __genkey(self, pkey, subnet_prefix): + if subnet_prefix == "": @@ -4067,10 +4261,11 @@ index 3b0b108..c49f0d6 100644 + keys = ddict.keys() + keys.sort() + for k in keys: -+ if k[0] == k[1]: -+ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0])) ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -x %s %s" % (ddict[k][0], ddict[k][1], k[2], port)) + else: -+ l.append("-a -t %s -x %s %s-%s" % (ddict[k][0], k[2], k[0], k[1])) ++ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], port)) + return l + + def list(self, heading=1, locallist=0): 
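Review bot: `ibpkeyRecords.__init__` wraps the setools policy query in a bare `except:` that also swallows `KeyboardInterrupt` and `SystemExit`, and leaves no trace that the valid-type list could not be built, so a later type check fails with a generic not-a-valid-type error rather than pointing at the policy load. Narrowing it to `except Exception:` (or to the errors setools actually raises, which the hunk does not show) and adding a comment such as `# policy unavailable: valid_types stays empty and every type is rejected below` makes the failure mode visible to the next reader. `ibendportRecords.__init__` in the following hunk has the identical construct, and there the success path assigns a `set` while the class default `valid_types = []` is a list; using the same container type in both places keeps `valid_types` consistent across the two classes.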
@@ -4090,14 +4285,15 @@ index 3b0b108..c49f0d6 100644 + print rec + +class ibendportRecords(semanageRecords): -+ try: -+ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibendport_type"]) -+ valid_types = set(str(t) for t in q.results()) -+ except: -+ valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibendport_type"]) ++ self.valid_types = set(str(t) for t in q.results()) ++ except: ++ pass + + def __genkey(self, ibendport, ibdev_name): + if ibdev_name == "": @@ -4309,7 +4505,10 @@ index 3b0b108..c49f0d6 100644 + keys = ddict.keys() + keys.sort() + for k in keys: -+ l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0])) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0])) ++ else: ++ l.append("-a -t %s -z %s %s" % (ddict[k][0], k[1], k[0])) + return l + + def list(self, heading=1, locallist=0): @@ -4329,8 +4528,23 @@ index 3b0b108..c49f0d6 100644 + print rec class nodeRecords(semanageRecords): - try: -@@ -1380,6 +1913,8 @@ class nodeRecords(semanageRecords): +- try: +- valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"] +- except RuntimeError: +- valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) + self.protocol = ["ipv4", "ipv6"] ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"] ++ except RuntimeError: ++ pass + + def validate(self, addr, mask, protocol): + newaddr = addr +@@ -1380,6 +1930,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) semanage_node_free(node) 
@@ -4339,7 +4553,7 @@ index 3b0b108..c49f0d6 100644 def add(self, addr, mask, proto, serange, ctype): self.begin() self.__add(addr, mask, proto, serange, ctype) -@@ -1421,6 +1956,8 @@ class nodeRecords(semanageRecords): +@@ -1421,6 +1973,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) semanage_node_free(node) @@ -4348,7 +4562,7 @@ index 3b0b108..c49f0d6 100644 def modify(self, addr, mask, proto, serange, setype): self.begin() self.__modify(addr, mask, proto, serange, setype) -@@ -1452,6 +1989,8 @@ class nodeRecords(semanageRecords): +@@ -1452,6 +2006,8 @@ class nodeRecords(semanageRecords): semanage_node_key_free(k) @@ -4357,7 +4571,19 @@ index 3b0b108..c49f0d6 100644 def delete(self, addr, mask, proto): self.begin() self.__delete(addr, mask, proto) -@@ -1581,6 +2120,8 @@ class interfaceRecords(semanageRecords): +@@ -1491,7 +2047,10 @@ class nodeRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0])) ++ if ddict[k][3]: ++ l.append("-a -M %s -p %s -t %s -r '%s' %s" % (k[1], k[2], ddict[k][2], ddict[k][3], k[0])) ++ else: ++ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0])) + return l + + def list(self, heading=1, locallist=0): +@@ -1581,6 +2140,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) semanage_iface_free(iface) @@ -4366,7 +4592,7 @@ index 3b0b108..c49f0d6 100644 def add(self, interface, serange, ctype): self.begin() self.__add(interface, serange, ctype) -@@ -1618,6 +2159,8 @@ class interfaceRecords(semanageRecords): +@@ -1618,6 +2179,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) semanage_iface_free(iface) 
@@ -4375,7 +4601,7 @@ index 3b0b108..c49f0d6 100644 def modify(self, interface, serange, setype): self.begin() self.__modify(interface, serange, setype) -@@ -1646,6 +2189,8 @@ class interfaceRecords(semanageRecords): +@@ -1646,6 +2209,8 @@ class interfaceRecords(semanageRecords): semanage_iface_key_free(k) @@ -4384,7 +4610,43 @@ index 3b0b108..c49f0d6 100644 def delete(self, interface): self.begin() self.__delete(interface) -@@ -1775,6 +2320,8 @@ class fcontextRecords(semanageRecords): +@@ -1682,7 +2247,10 @@ class interfaceRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -t %s %s" % (ddict[k][2], k)) ++ if ddict[k][3]: ++ l.append("-a -t %s -r '%s' %s" % (ddict[k][2], ddict[k][3], k)) ++ else: ++ l.append("-a -t %s %s" % (ddict[k][2], k)) + return l + + def list(self, heading=1, locallist=0): +@@ -1703,15 +2271,17 @@ class interfaceRecords(semanageRecords): + + + class fcontextRecords(semanageRecords): +- try: +- valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"] +- valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"] +- valid_types.append("<>") +- except RuntimeError: +- valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"] ++ self.valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"] ++ self.valid_types.append("<>") ++ except RuntimeError: ++ pass ++ + self.equiv = {} + self.equiv_dist = {} + self.equal_ind = False +@@ -1775,6 +2345,8 @@ class fcontextRecords(semanageRecords): if i.startswith(target + "/"): raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i])) 
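Review bot: In `fcontextRecords.__init__` the relocated lookup binds `self.valid_types` to the list object returned by `sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"]` and then extends that object in place with `+=` and `.append("<>")`. At class level this ran once per process, but it now runs on every `fcontextRecords(store)` construction, so if sepolicy hands back a shared or cached list the `device_node` types and the `"<>"` entry accumulate with each instance. Copying first, `self.valid_types = list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"])`, removes the dependency on sepolicy's caching behaviour, which the hunk does not show.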
@@ -4393,7 +4655,7 @@ index 3b0b108..c49f0d6 100644 self.equiv[target] = substitute self.equal_ind = True self.commit() -@@ -1785,6 +2332,9 @@ class fcontextRecords(semanageRecords): +@@ -1785,6 +2357,9 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Equivalence class for %s does not exists") % target) self.equiv[target] = substitute self.equal_ind = True @@ -4403,7 +4665,7 @@ index 3b0b108..c49f0d6 100644 self.commit() def createcon(self, target, seuser="system_u"): -@@ -1879,6 +2429,11 @@ class fcontextRecords(semanageRecords): +@@ -1879,6 +2454,11 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) @@ -4415,7 +4677,7 @@ index 3b0b108..c49f0d6 100644 def add(self, target, type, ftype="", serange="", seuser="system_u"): self.begin() self.__add(target, type, ftype, serange, seuser) -@@ -1888,7 +2443,7 @@ class fcontextRecords(semanageRecords): +@@ -1888,7 +2468,7 @@ class fcontextRecords(semanageRecords): if serange == "" and setype == "" and seuser == "": raise ValueError(_("Requires setype, serange or seuser")) if setype and setype not in self.valid_types: @@ -4424,7 +4686,7 @@ index 3b0b108..c49f0d6 100644 self.validate(target) -@@ -1904,10 +2459,12 @@ class fcontextRecords(semanageRecords): +@@ -1904,10 +2484,12 @@ class fcontextRecords(semanageRecords): if not exists: raise ValueError(_("File context for %s is not defined") % target) @@ -4441,7 +4703,7 @@ index 3b0b108..c49f0d6 100644 raise ValueError(_("Could not query file context for %s") % target) if setype != "<>": -@@ -1939,6 +2496,11 @@ class fcontextRecords(semanageRecords): +@@ -1939,6 +2521,11 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) 
@@ -4453,7 +4715,7 @@ index 3b0b108..c49f0d6 100644 def modify(self, target, setype, ftype, serange, seuser): self.begin() self.__modify(target, setype, ftype, serange, seuser) -@@ -1964,6 +2526,8 @@ class fcontextRecords(semanageRecords): +@@ -1964,6 +2551,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) @@ -4462,7 +4724,7 @@ index 3b0b108..c49f0d6 100644 self.equiv = {} self.equal_ind = True self.commit() -@@ -1972,6 +2536,9 @@ class fcontextRecords(semanageRecords): +@@ -1972,6 +2561,9 @@ class fcontextRecords(semanageRecords): if target in self.equiv.keys(): self.equiv.pop(target) self.equal_ind = True @@ -4472,7 +4734,7 @@ index 3b0b108..c49f0d6 100644 return (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) -@@ -1996,6 +2563,8 @@ class fcontextRecords(semanageRecords): +@@ -1996,6 +2588,8 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) @@ -4481,7 +4743,7 @@ index 3b0b108..c49f0d6 100644 def delete(self, target, ftype): self.begin() self.__delete(target, ftype) -@@ -2009,10 +2578,15 @@ class fcontextRecords(semanageRecords): +@@ -2009,10 +2603,15 @@ class fcontextRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not list file contexts")) 
@@ -4497,12 +4759,39 @@ index 3b0b108..c49f0d6 100644 self.flist += fclocal ddict = {} +@@ -2035,7 +2634,10 @@ class fcontextRecords(semanageRecords): + keys.sort() + for k in keys: + if fcon_dict[k]: +- l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0])) ++ if fcon_dict[k][3]: ++ l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0])) ++ else: ++ l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0])) + + if len(self.equiv): + for target in self.equiv.keys(): +@@ -2202,7 +2804,7 @@ class booleanRecords(semanageRecords): + value = [] + name = semanage_bool_get_name(boolean) + value.append(semanage_bool_get_value(boolean)) +- if self.modify_local and boolean in self.current_booleans: ++ if self.modify_local and name in self.current_booleans: + value.append(selinux.security_get_boolean_pending(name)) + value.append(selinux.security_get_boolean_active(name)) + else: +@@ -2248,4 +2850,4 @@ class booleanRecords(semanageRecords): + print "%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description")) + for k in keys: + if ddict[k]: +- print "%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k)) ++ print "%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k)) diff --git policycoreutils-2.5/semanage/seobject/__init__.py policycoreutils-2.5/semanage/seobject/__init__.py new file mode 100644 -index 0000000..bd05764 +index 0000000..d8880cd --- /dev/null +++ policycoreutils-2.5/semanage/seobject/__init__.py -@@ -0,0 +1,2836 @@ +@@ -0,0 +1,2863 @@ +#! /usr/bin/python -Es +# Copyright (C) 2005-2013 Red Hat +# see file 'COPYING' for use and warranty information 
@@ -4742,18 +5031,18 @@ index 0000000..bd05764 + store = None + + def __init__(self, store): -+ global handle -+ self.noreload = False -+ self.sh = self.get_handle(store) ++ global handle ++ self.noreload = False ++ self.sh = self.get_handle(store) + -+ rc, localstore = selinux.selinux_getpolicytype() -+ if store == "" or store == localstore: -+ self.mylog = logger() -+ else: -+ self.mylog = nulllogger() ++ rc, localstore = selinux.selinux_getpolicytype() ++ if store == "" or store == localstore: ++ self.mylog = logger() ++ else: ++ self.mylog = nulllogger() + + def set_reload(self, load): -+ if not load: ++ if not load: + self.noreload = True + + def get_handle(self, store): @@ -4793,23 +5082,23 @@ index 0000000..bd05764 + return semanageRecords.handle + + def deleteall(self): -+ raise ValueError(_("Not yet implemented")) ++ raise ValueError(_("Not yet implemented")) + + def start(self): -+ if semanageRecords.transaction: -+ raise ValueError(_("Semanage transaction already in progress")) -+ self.begin() -+ semanageRecords.transaction = True ++ if semanageRecords.transaction: ++ raise ValueError(_("Semanage transaction already in progress")) ++ self.begin() ++ semanageRecords.transaction = True + + def begin(self): -+ if semanageRecords.transaction: -+ return -+ rc = semanage_begin_transaction(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not start semanage transaction")) -+ ++ if semanageRecords.transaction: ++ return ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not start semanage transaction")) ++ + def customized(self): -+ raise ValueError(_("Not yet implemented")) ++ raise ValueError(_("Not yet implemented")) + + def commit(self): + if semanageRecords.transaction: 
@@ -4824,48 +5113,48 @@ index 0000000..bd05764 + self.mylog.commit(1) + + def finish(self): -+ if not semanageRecords.transaction: -+ raise ValueError(_("Semanage transaction not in progress")) -+ semanageRecords.transaction = False -+ self.commit() ++ if not semanageRecords.transaction: ++ raise ValueError(_("Semanage transaction not in progress")) ++ semanageRecords.transaction = False ++ self.commit() + + +class moduleRecords(semanageRecords): + + def __init__(self, store): -+ semanageRecords.__init__(self, store) ++ semanageRecords.__init__(self, store) + + def get_all(self): -+ l = [] -+ (rc, mlist, number) = semanage_module_list_all(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list SELinux modules")) ++ l = [] ++ (rc, mlist, number) = semanage_module_list_all(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list SELinux modules")) + -+ for i in range(number): -+ mod = semanage_module_list_nth(mlist, i) ++ for i in range(number): ++ mod = semanage_module_list_nth(mlist, i) + -+ rc, name = semanage_module_info_get_name(self.sh, mod) -+ if rc < 0: -+ raise ValueError(_("Could not get module name")) ++ rc, name = semanage_module_info_get_name(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module name")) + -+ rc, enabled = semanage_module_info_get_enabled(self.sh, mod) -+ if rc < 0: -+ raise ValueError(_("Could not get module enabled")) ++ rc, enabled = semanage_module_info_get_enabled(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module enabled")) + -+ rc, priority = semanage_module_info_get_priority(self.sh, mod) -+ if rc < 0: -+ raise ValueError(_("Could not get module priority")) ++ rc, priority = semanage_module_info_get_priority(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module priority")) + -+ rc, lang_ext = semanage_module_info_get_lang_ext(self.sh, mod) -+ if rc < 0: -+ raise ValueError(_("Could not get module lang_ext")) ++ rc, lang_ext = 
semanage_module_info_get_lang_ext(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module lang_ext")) + -+ l.append((name, enabled, priority, lang_ext)) ++ l.append((name, enabled, priority, lang_ext)) + -+ # sort the list so they are in name order, but with higher priorities coming first -+ l.sort(key=lambda t: t[3], reverse=True) -+ l.sort(key=lambda t: t[0]) -+ return l ++ # sort the list so they are in name order, but with higher priorities coming first ++ l.sort(key=lambda t: t[3], reverse=True) ++ l.sort(key=lambda t: t[0]) ++ return l + + def customized(self): + ALL = self.get_all() 
@@ -4881,71 +5170,71 @@ index 0000000..bd05764 + if heading: + print("\n%-25s %-9s %s\n" % (_("Module Name"), _("Priority"), _("Language"))) + for t in ALL: -+ if t[1] == 0: -+ disabled = _("Disabled") -+ else: -+ if locallist: -+ continue -+ disabled = "" -+ print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)) ++ if t[1] == 0: ++ disabled = _("Disabled") ++ else: ++ if locallist: ++ continue ++ disabled = "" ++ print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)) + + def add(self, module, priority): -+ if not module: -+ raise ValueError(_("You did not define module name.")) -+ if not os.path.exists(module): -+ raise ValueError(_("Module does not exists %s ") % module) ++ if not module: ++ raise ValueError(_("You did not define module name.")) ++ if not os.path.exists(module): ++ raise ValueError(_("Module does not exists %s ") % module) + -+ rc = semanage_set_default_priority(self.sh, priority) -+ if rc < 0: -+ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) ++ rc = semanage_set_default_priority(self.sh, priority) ++ if rc < 0: ++ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) + -+ rc = semanage_module_install_file(self.sh, module) -+ if rc >= 0: -+ self.commit() ++ rc = semanage_module_install_file(self.sh, module) ++ if rc >= 0: ++ self.commit() + + def set_enabled(self, module, enable): -+ if not module: -+ raise ValueError(_("You did not define module name.")) -+ for m in module.split(): -+ rc, key = semanage_module_key_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create module key")) -+ -+ rc = semanage_module_key_set_name(self.sh, key, m) -+ if rc < 0: -+ raise ValueError(_("Could not set module key name")) -+ -+ rc = semanage_module_set_enabled(self.sh, key, enable) -+ if rc < 0: -+ if enable: -+ raise ValueError(_("Could not enable module %s") % m) -+ else: -+ raise ValueError(_("Could not disable module %s") % m) -+ self.commit() ++ if not module: ++ 
raise ValueError(_("You did not define module name.")) ++ for m in module.split(): ++ rc, key = semanage_module_key_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create module key")) ++ ++ rc = semanage_module_key_set_name(self.sh, key, m) ++ if rc < 0: ++ raise ValueError(_("Could not set module key name")) ++ ++ rc = semanage_module_set_enabled(self.sh, key, enable) ++ if rc < 0: ++ if enable: ++ raise ValueError(_("Could not enable module %s") % m) ++ else: ++ raise ValueError(_("Could not disable module %s") % m) ++ self.commit() + + # Obsolete - "add()" does the same while allowing the user to set priority + def modify(self, file): -+ if not os.path.exists(file): -+ raise ValueError(_("Module does not exists %s ") % file) ++ if not os.path.exists(file): ++ raise ValueError(_("Module does not exists %s ") % file) + -+ # Priority was left unchanged, default is 400 -+ rc = semanage_module_install_file(self.sh, file) -+ if rc >= 0: -+ self.commit() ++ # Priority was left unchanged, default is 400 ++ rc = semanage_module_install_file(self.sh, file) ++ if rc >= 0: ++ self.commit() + + def delete(self, module, priority): -+ if not module: -+ raise ValueError(_("You did not define module name.")) -+ rc = semanage_set_default_priority(self.sh, priority) -+ if rc < 0: -+ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) ++ if not module: ++ raise ValueError(_("You did not define module name.")) ++ rc = semanage_set_default_priority(self.sh, priority) ++ if rc < 0: ++ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) + -+ for m in module.split(): -+ rc = semanage_module_remove(self.sh, m) -+ if rc < 0 and rc != -2: -+ raise ValueError(_("Could not remove module %s (remove failed)") % m) ++ for m in module.split(): ++ rc = semanage_module_remove(self.sh, m) ++ if rc < 0 and rc != -2: ++ raise ValueError(_("Could not remove module %s (remove failed)") % m) + -+ self.commit() ++ 
self.commit() + + def deleteall(self): + l = [x[0] for x in [t for t in self.get_all() if t[1] == 0]] @@ -4956,33 +5245,33 @@ index 0000000..bd05764 +class dontauditClass(semanageRecords): + + def __init__(self, store): -+ semanageRecords.__init__(self, store) ++ semanageRecords.__init__(self, store) + + def toggle(self, dontaudit): -+ if dontaudit not in ["on", "off"]: -+ raise ValueError(_("dontaudit requires either 'on' or 'off'")) -+ self.begin() -+ rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off") -+ self.commit() ++ if dontaudit not in ["on", "off"]: ++ raise ValueError(_("dontaudit requires either 'on' or 'off'")) ++ self.begin() ++ rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off") ++ self.commit() + + +class permissiveRecords(semanageRecords): + + def __init__(self, store): -+ semanageRecords.__init__(self, store) ++ semanageRecords.__init__(self, store) + + def get_all(self): -+ l = [] -+ (rc, mlist, number) = semanage_module_list(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list SELinux modules")) -+ -+ for i in range(number): -+ mod = semanage_module_list_nth(mlist, i) -+ name = semanage_module_get_name(mod) -+ if name and name.startswith("permissive_"): -+ l.append(name.split("permissive_")[1]) -+ return l ++ l = [] ++ (rc, mlist, number) = semanage_module_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list SELinux modules")) ++ ++ for i in range(number): ++ mod = semanage_module_list_nth(mlist, i) ++ name = semanage_module_get_name(mod) ++ if name and name.startswith("permissive_"): ++ l.append(name.split("permissive_")[1]) ++ return l + + def list(self, heading=True, locallist=False): + ALL = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]] 
@@ -5006,37 +5295,37 @@ index 0000000..bd05764 + print(t) + + def add(self, setype): -+ import glob -+ if setype not in sepolicy.get_all_domains(): -+ raise ValueError(_("%s is not a domain type") % setype ) ++ import glob ++ if setype not in sepolicy.get_all_domains(): ++ raise ValueError(_("%s is not a domain type") % setype ) + -+ try: -+ import sepolgen.module as module -+ except ImportError: -+ raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro.")) ++ try: ++ import sepolgen.module as module ++ except ImportError: ++ raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro.")) + -+ name = "permissive_%s" % setype -+ modtxt = "(typepermissive %s)" % setype ++ name = "permissive_%s" % setype ++ modtxt = "(typepermissive %s)" % setype + -+ rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil") -+ if rc >= 0: -+ self.commit() ++ rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil") ++ if rc >= 0: ++ self.commit() + -+ if rc < 0: ++ if rc < 0: + raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) + + def delete(self, name): -+ for n in name.split(): -+ rc = semanage_module_remove(self.sh, "permissive_%s" % n) -+ if rc < 0: -+ raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name) ++ for n in name.split(): ++ rc = semanage_module_remove(self.sh, "permissive_%s" % n) ++ if rc < 0: ++ raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name) + -+ self.commit() ++ self.commit() + + def deleteall(self): -+ l = self.get_all() -+ if len(l) > 0: -+ self.delete(" ".join(l)) ++ l = self.get_all() ++ 
if len(l) > 0: ++ self.delete(" ".join(l)) + +class loginRecords(semanageRecords): + def __init__(self, store=""): @@ -5057,9 +5346,9 @@ index 0000000..bd05764 + + if is_mls_enabled == 1: + if serange: -+ serange = untranslate(serange) ++ serange = untranslate(serange) + else: -+ serange = RANGE ++ serange = RANGE + + (rc, k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: 
@@ -5069,40 +5358,40 @@ index 0000000..bd05764 + if rc < 0: + raise ValueError(_("Could not check if login mapping for %s is defined") % name) + if exists: -+ semanage_seuser_key_free(k) -+ return self.__modify(name, sename, serange) ++ semanage_seuser_key_free(k) ++ return self.__modify(name, sename, serange) + + if name[0] == '%': -+ try: -+ grp.getgrnam(name[1:]) -+ except: -+ raise ValueError(_("Linux Group %s does not exist") % name[1:]) ++ try: ++ grp.getgrnam(name[1:]) ++ except: ++ raise ValueError(_("Linux Group %s does not exist") % name[1:]) + else: -+ try: -+ pwd.getpwnam(name) -+ except: -+ raise ValueError(_("Linux User %s does not exist") % name) ++ try: ++ pwd.getpwnam(name) ++ except: ++ raise ValueError(_("Linux User %s does not exist") % name) + + (rc, u) = semanage_seuser_create(self.sh) + if rc < 0: -+ raise ValueError(_("Could not create login mapping for %s") % name) ++ raise ValueError(_("Could not create login mapping for %s") % name) + + rc = semanage_seuser_set_name(self.sh, u, name) + if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) ++ raise ValueError(_("Could not set name for %s") % name) + + if serange: -+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange) -+ if rc < 0: -+ raise ValueError(_("Could not set MLS range for %s") % name) ++ rc = semanage_seuser_set_mlsrange(self.sh, u, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set MLS range for %s") % name) + + rc = semanage_seuser_set_sename(self.sh, u, sename) + if rc < 0: -+ raise ValueError(_("Could not set SELinux user for %s") % name) ++ raise ValueError(_("Could not set SELinux user for %s") % name) + + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: -+ raise ValueError(_("Could not add login mapping for %s") % name) ++ raise ValueError(_("Could not add login mapping for %s") % name) + + semanage_seuser_key_free(k) + semanage_seuser_free(u) 
@@ -5118,7 +5407,7 @@ index 0000000..bd05764 + def __modify(self, name, sename="", serange=None): + rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name) + if sename == "" and not serange: -+ raise ValueError(_("Requires seuser or serange")) ++ raise ValueError(_("Requires seuser or serange")) + + userrec = seluserRecords() + RANGE, (rc, oldserole) = userrec.get(self.oldsename) @@ -5135,7 +5424,7 @@ index 0000000..bd05764 + + (rc, k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) ++ raise ValueError(_("Could not create a key for %s") % name) + + (rc, exists) = semanage_seuser_exists(self.sh, k) + if rc < 0: @@ -5243,9 +5532,9 @@ index 0000000..bd05764 + def get_all(self, locallist=False): + ddict = {} + if locallist: -+ (rc, self.ulist) = semanage_seuser_list_local(self.sh) ++ (rc, self.ulist) = semanage_seuser_list_local(self.sh) + else: -+ (rc, self.ulist) = semanage_seuser_list(self.sh) ++ (rc, self.ulist) = semanage_seuser_list(self.sh) + if rc < 0: + raise ValueError(_("Could not list login mappings")) + @@ -5260,7 +5549,10 @@ index 0000000..bd05764 + keys = list(ddict.keys()) + keys.sort() + for k in keys: -+ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ if ddict[k][1]: ++ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ else: ++ l.append("-a -s %s %s" % (ddict[k][0], k)) + return l + + def list(self,heading=True, locallist=False): 
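Review bot: The new branch in loginRecords.customized() (hunk `@@ -5260,7 +5549,10 @@`) drops `-r` when the mapping has no range, but nothing says why a mapping can end up without one; a short comment would help the next reader, e.g. `# no MLS range on this mapping (presumably a non-MLS policy): emit the line without -r so the import side does not receive an empty argument`. customized() begins outside the hunk. The port, ibpkey and ibendport variants later in this patch use the same shape, so the wording can be reused there.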
@@ -5298,13 +5590,13 @@ index 0000000..bd05764 + def get(self, name): + (rc, k) = semanage_user_key_create(self.sh, name) + if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) ++ raise ValueError(_("Could not create a key for %s") % name) + (rc, exists) = semanage_user_exists(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) + (rc, u) = semanage_user_query(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not query user for %s") % name) ++ raise ValueError(_("Could not query user for %s") % name) + serange = semanage_user_get_mlsrange(u) + serole = semanage_user_get_roles(self.sh, u) + semanage_user_key_free(k) 
@@ -5324,50 +5616,50 @@ index 0000000..bd05764 + selevel = untranslate(selevel) + + if len(roles) < 1: -+ raise ValueError(_("You must add at least one role for %s") % name) ++ raise ValueError(_("You must add at least one role for %s") % name) + + (rc, k) = semanage_user_key_create(self.sh, name) + if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) ++ raise ValueError(_("Could not create a key for %s") % name) + + (rc, exists) = semanage_user_exists(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if exists: -+ semanage_user_key_free(k) -+ return self.__modify(name, roles, selevel, serange, prefix) ++ semanage_user_key_free(k) ++ return self.__modify(name, roles, selevel, serange, prefix) + + (rc, u) = semanage_user_create(self.sh) + if rc < 0: -+ raise ValueError(_("Could not create SELinux user for %s") % name) ++ raise ValueError(_("Could not create SELinux user for %s") % name) + + rc = semanage_user_set_name(self.sh, u, name) + if rc < 0: -+ raise ValueError(_("Could not set name for %s") % name) ++ raise ValueError(_("Could not set name for %s") % name) + + for r in roles: -+ rc = semanage_user_add_role(self.sh, u, r) -+ if rc < 0: -+ raise ValueError(_("Could not add role %(ROLE)s for %(NAME)s") % {"ROLE":r, "NAME":name}) ++ rc = semanage_user_add_role(self.sh, u, r) ++ if rc < 0: ++ raise ValueError(_("Could not add role %(ROLE)s for %(NAME)s") % {"ROLE":r, "NAME":name}) + + if is_mls_enabled == 1: -+ rc = semanage_user_set_mlsrange(self.sh, u, serange) -+ if rc < 0: -+ raise ValueError(_("Could not set MLS range for %s") % name) ++ rc = semanage_user_set_mlsrange(self.sh, u, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set MLS range for %s") % name) + -+ rc = semanage_user_set_mlslevel(self.sh, u, selevel) -+ if rc < 0: -+ raise ValueError(_("Could not set MLS level for %s") % name) ++ rc 
= semanage_user_set_mlslevel(self.sh, u, selevel) ++ if rc < 0: ++ raise ValueError(_("Could not set MLS level for %s") % name) + rc = semanage_user_set_prefix(self.sh, u, prefix) + if rc < 0: -+ raise ValueError(_("Could not add prefix %(PREFIX)s for %(ROLE)s") % {"ROLE":r, "PREFIX": prefix}) ++ raise ValueError(_("Could not add prefix %(PREFIX)s for %(ROLE)s") % {"ROLE":r, "PREFIX": prefix}) + (rc, key) = semanage_user_key_extract(self.sh, u) + if rc < 0: -+ raise ValueError(_("Could not extract key for %s") % name) ++ raise ValueError(_("Could not extract key for %s") % name) + + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: -+ raise ValueError(_("Could not add SELinux user %s") % name) ++ raise ValueError(_("Could not add SELinux user %s") % name) + + semanage_user_key_free(k) + semanage_user_free(u) 
@@ -5387,49 +5679,49 @@ index 0000000..bd05764 + oldserange = "" + newroles = ' '.join(roles) + if prefix == "" and len(roles) == 0 and not serange and selevel == "": -+ if is_mls_enabled == 1: -+ raise ValueError(_("Requires prefix, roles, level or range")) -+ else: -+ raise ValueError(_("Requires prefix or roles")) ++ if is_mls_enabled == 1: ++ raise ValueError(_("Requires prefix, roles, level or range")) ++ else: ++ raise ValueError(_("Requires prefix or roles")) + + (rc, k) = semanage_user_key_create(self.sh, name) + if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) ++ raise ValueError(_("Could not create a key for %s") % name) + + (rc, exists) = semanage_user_exists(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) + if not exists: -+ raise ValueError(_("SELinux user %s is not defined") % name) ++ raise ValueError(_("SELinux user %s is not defined") % name) + + (rc, u) = semanage_user_query(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not query user for %s") % name) ++ raise ValueError(_("Could not query user for %s") % name) + + oldserange = semanage_user_get_mlsrange(u) + (rc, rlist) = semanage_user_get_roles(self.sh, u) + if rc >= 0: -+ oldserole = ' '.join(rlist) ++ oldserole = ' '.join(rlist) + + if serange: -+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) ++ semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) + if selevel != "": -+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) ++ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) + + if prefix != "": -+ semanage_user_set_prefix(self.sh, u, prefix) ++ semanage_user_set_prefix(self.sh, u, prefix) + + if len(roles) != 0: -+ for r in rlist: -+ if r not in roles: -+ semanage_user_del_role(u, r) -+ for r in roles: -+ if r not in rlist: -+ semanage_user_add_role(self.sh, u, r) ++ for r in rlist: ++ 
if r not in roles: ++ semanage_user_del_role(u, r) ++ for r in roles: ++ if r not in rlist: ++ semanage_user_add_role(self.sh, u, r) + + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: -+ raise ValueError(_("Could not modify SELinux user %s") % name) ++ raise ValueError(_("Could not modify SELinux user %s") % name) + + semanage_user_key_free(k) + semanage_user_free(u) 
@@ -5449,37 +5741,37 @@ index 0000000..bd05764 + raise error + + def __delete(self, name): -+ (rc, k) = semanage_user_key_create(self.sh, name) -+ if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) -+ -+ (rc, exists) = semanage_user_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if SELinux user %s is defined") % name) -+ if not exists: -+ raise ValueError(_("SELinux user %s is not defined") % name) -+ -+ (rc, exists) = semanage_user_exists_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if SELinux user %s is defined") % name) -+ if not exists: -+ raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name) -+ -+ (rc, u) = semanage_user_query(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not query user for %s") % name) -+ oldserange = semanage_user_get_mlsrange(u) -+ (rc, rlist) = semanage_user_get_roles(self.sh, u) -+ oldserole = ",".join(rlist) -+ -+ rc = semanage_user_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not delete SELinux user %s") % name) -+ -+ semanage_user_key_free(k) -+ semanage_user_free(u) -+ -+ self.mylog.log_remove("seuser", oldsename=name, oldserange=oldserange, oldserole=oldserole) ++ (rc, k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ ++ (rc, exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ if not exists: ++ raise ValueError(_("SELinux user %s is not defined") % name) ++ ++ (rc, exists) = semanage_user_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ if not exists: ++ raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name) ++ ++ (rc, u) = semanage_user_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query user for %s") % name) ++ 
oldserange = semanage_user_get_mlsrange(u) ++ (rc, rlist) = semanage_user_get_roles(self.sh, u) ++ oldserole = ",".join(rlist) ++ ++ rc = semanage_user_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete SELinux user %s") % name) ++ ++ semanage_user_key_free(k) ++ semanage_user_free(u) ++ ++ self.mylog.log_remove("seuser", oldsename=name, oldserange=oldserange, oldserole=oldserole) + + def delete(self, name): + try: @@ -5511,9 +5803,9 @@ index 0000000..bd05764 + def get_all(self, locallist=False): + ddict = {} + if locallist: -+ (rc, self.ulist) = semanage_user_list_local(self.sh) ++ (rc, self.ulist) = semanage_user_list_local(self.sh) + else: -+ (rc, self.ulist) = semanage_user_list(self.sh) ++ (rc, self.ulist) = semanage_user_list(self.sh) + if rc < 0: + raise ValueError(_("Could not list SELinux users")) + @@ -5534,7 +5826,10 @@ index 0000000..bd05764 + keys = list(ddict.keys()) + keys.sort() + for k in keys: -+ l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k)) ++ if ddict[k][1] or ddict[k][2]: ++ l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k)) ++ else: ++ l.append("-a -R '%s' %s" % (ddict[k][3], k)) + return l + + def list(self, heading=True, locallist=False): @@ -5557,13 +5852,14 @@ index 0000000..bd05764 + print("%-15s %s" % (k, ddict[k][3])) + +class portRecords(semanageRecords): -+ try: -+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"] -+ except RuntimeError: -+ valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"] ++ except RuntimeError: ++ pass + + def __genkey(self, port, proto): + if proto == "tcp": 
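Review bot: In seluserRecords.customized() (hunk `@@ -5534,7 +5826,10 @@`) the condition `if ddict[k][1] or ddict[k][2]` selects the format that always prints both `-L %s -r %s`, so a record with only one of level/range set is exported with an empty option value (e.g. `-L  -r s0`), which an argparse-driven import like the one in semanage would most likely reject as a missing argument. Building the option string per field avoids that, and the range should be single-quoted as the login and port variants do (`-r '%s'`) rather than the bare `-r %s` used here. customized() starts outside the hunk, and I am reading positions 1 and 2 as level and range from the `-L`/`-r` flags they feed.
```python
        for k in keys:
            opts = "-a"
            if ddict[k][1]:
                opts += " -L %s" % ddict[k][1]
            if ddict[k][2]:
                opts += " -r '%s'" % ddict[k][2]
            l.append("%s -R '%s' %s" % (opts, ddict[k][3], k))
        # … unchanged: return l …
```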
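Review bot: Moving the `port_type` lookup into `__init__` (hunk `@@ -5557,13 +5852,14 @@`) leaves `self.valid_types` as the empty class default when `sepolicy.info()` raises, and the `except RuntimeError: pass` says nothing about that consequence; if portRecords validates types the way nodeRecords does further down (`not in self.valid_types` followed by "Type %s is invalid"), every add is then rejected with a message that blames the user's type rather than the failed policy query. Failing closed is the right default, but record it: `# policy query failed: valid_types stays empty, so every type check below fails closed — TODO confirm this is intended`. The same move is made for ibpkeyRecords (`@@ -5834,13 +6132,14 @@`) and ibendportRecords (`@@ -6088,13 +6388,14 @@`), where the handler is a bare `except:` that also swallows KeyboardInterrupt and SystemExit; narrow those to at least `except Exception:` and add the same comment there.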
@@ -5653,7 +5949,7 @@ index 0000000..bd05764 + semanage_port_key_free(k) + semanage_port_free(p) + -+ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange)) ++ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange)) + + def add(self, port, proto, serange, type): + self.begin() @@ -5720,15 +6016,15 @@ index 0000000..bd05764 + port_str = "%s-%s" % (low, high) + (k, proto_d, low, high) = self.__genkey(port_str , proto_str) + if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % port_str) ++ raise ValueError(_("Could not create a key for %s") % port_str) + + rc = semanage_port_del_local(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not delete the port %s") % port_str) ++ raise ValueError(_("Could not delete the port %s") % port_str) + semanage_port_key_free(k) + + if low == high: -+ port_str = low ++ port_str = low + + self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str))) + @@ -5764,9 +6060,9 @@ index 0000000..bd05764 + def get_all(self, locallist=False): + ddict = {} + if locallist: -+ (rc, self.plist) = semanage_port_list_local(self.sh) ++ (rc, self.plist) = semanage_port_list_local(self.sh) + else: -+ (rc, self.plist) = semanage_port_list(self.sh) ++ (rc, self.plist) = semanage_port_list(self.sh) + if rc < 0: + raise ValueError(_("Could not list ports")) + @@ -5784,9 +6080,9 @@ index 0000000..bd05764 + def get_all_by_type(self, locallist=False): + ddict = {} + if locallist: -+ (rc, self.plist) = semanage_port_list_local(self.sh) ++ (rc, self.plist) = semanage_port_list_local(self.sh) + else: -+ (rc, self.plist) = semanage_port_list(self.sh) ++ (rc, self.plist) = semanage_port_list(self.sh) + if rc < 0: + raise ValueError(_("Could not list ports")) + 
@@ -5811,10 +6107,12 @@ index 0000000..bd05764 + keys = list(ddict.keys()) + keys.sort() + for k in keys: -+ if k[0] == k[1]: -+ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0])) -+ else: -+ l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1])) ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -p %s %s" % (ddict[k][0], ddict[k][1], k[2], port)) ++ else: ++ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], port)) ++ + return l + + def list(self, heading=True, locallist=False): @@ -5834,13 +6132,14 @@ index 0000000..bd05764 + print(rec) + +class ibpkeyRecords(semanageRecords): -+ try: -+ valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibpkey_type")[0]["types"]) -+ except: -+ valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibpkey_type")[0]["types"]) ++ except: ++ pass + + def __genkey(self, pkey, subnet_prefix): + if subnet_prefix == "": @@ -6065,10 +6364,11 @@ index 0000000..bd05764 + keys = ddict.keys() + keys.sort() + for k in keys: -+ if k[0] == k[1]: -+ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0])) ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -x %s %s" % (ddict[k][0], ddict[k][1], k[2], port)) + else: -+ l.append("-a -t %s -x %s %s-%s" % (ddict[k][0], k[2], k[0], k[1])) ++ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], port)) + return l + + def list(self, heading=1, locallist=0): 
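Review bot: In ibpkeyRecords.customized() (hunk `@@ -6065,10 +6364,11 @@`) the new local is named `port` although it holds a pkey or pkey range that is exported under `-x`, which invites confusion with the portRecords version it was copied from; `pkey = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1])` with the two `l.append` lines updated to use it would read better. customized() starts outside the hunk.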
@@ -6088,13 +6388,14 @@ index 0000000..bd05764 + print rec + +class ibendportRecords(semanageRecords): -+ try: -+ valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibendport_type")[0]["types"]) -+ except: -+ valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibendport_type")[0]["types"]) ++ except: ++ pass + + def __genkey(self, ibendport, ibdev_name): + if ibdev_name == "": @@ -6306,7 +6607,10 @@ index 0000000..bd05764 + keys = ddict.keys() + keys.sort() + for k in keys: -+ l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0])) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0])) ++ else: ++ l.append("-a -t %s -z %s %s" % (ddict[k][0], k[1], k[0])) + return l + + def list(self, heading=1, locallist=0): 
@@ -6326,247 +6630,251 @@ index 0000000..bd05764 + print rec + +class nodeRecords(semanageRecords): -+ try: -+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"] -+ except RuntimeError: -+ valid_types = [] -+ -+ def __init__(self, store=""): -+ semanageRecords.__init__(self, store) -+ self.protocol = ["ipv4", "ipv6"] -+ -+ def validate(self, addr, mask, protocol): -+ newaddr = addr -+ newmask = mask -+ newprotocol = "" -+ -+ if addr == "": -+ raise ValueError(_("Node Address is required")) -+ -+ # verify valid comination -+ if len(mask) == 0 or mask[0] == "/": -+ i = IP(addr + mask) -+ newaddr = i.strNormal(0) -+ newmask = str(i.netmask()) -+ if newmask == "0.0.0.0" and i.version() == 6: -+ newmask = "::" -+ -+ protocol = "ipv%d" % i.version() -+ -+ try: -+ newprotocol = self.protocol.index(protocol) -+ except: -+ raise ValueError(_("Unknown or missing protocol")) -+ -+ return newaddr, newmask, newprotocol -+ -+ def __add(self, addr, mask, proto, serange, ctype): -+ addr, mask, proto = self.validate(addr, mask, proto) -+ -+ if is_mls_enabled == 1: -+ if serange: -+ serange = untranslate(serange) -+ else: -+ serange = "s0" -+ -+ if ctype == "": -+ raise ValueError(_("SELinux node type is required")) -+ -+ if sepolicy.get_real_type_name(ctype) not in self.valid_types: -+ raise ValueError(_("Type %s is invalid, must be a node type") % ctype) -+ -+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -+ if rc < 0: -+ raise ValueError(_("Could not create key for %s") % addr) -+ if rc < 0: -+ raise ValueError(_("Could not check if addr %s is defined") % addr) -+ -+ (rc, exists) = semanage_node_exists(self.sh, k) -+ if exists: -+ semanage_node_key_free(k) -+ return self.__modify(addr, mask, self.protocol[proto], serange, ctype) -+ -+ (rc, node) = semanage_node_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create addr for %s") % addr) -+ semanage_node_set_proto(node, proto) -+ -+ rc = semanage_node_set_addr(self.sh, node, 
proto, addr) -+ (rc, con) = semanage_context_create(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not create context for %s") % addr) -+ -+ rc = semanage_node_set_mask(self.sh, node, proto, mask) -+ if rc < 0: -+ raise ValueError(_("Could not set mask for %s") % addr) -+ -+ rc = semanage_context_set_user(self.sh, con, "system_u") -+ if rc < 0: -+ raise ValueError(_("Could not set user in addr context for %s") % addr) -+ -+ rc = semanage_context_set_role(self.sh, con, "object_r") -+ if rc < 0: -+ raise ValueError(_("Could not set role in addr context for %s") % addr) -+ -+ rc = semanage_context_set_type(self.sh, con, ctype) -+ if rc < 0: -+ raise ValueError(_("Could not set type in addr context for %s") % addr) -+ -+ if serange: -+ rc = semanage_context_set_mls(self.sh, con, serange) -+ if rc < 0: -+ raise ValueError(_("Could not set mls fields in addr context for %s") % addr) -+ -+ rc = semanage_node_set_con(self.sh, node, con) -+ if rc < 0: -+ raise ValueError(_("Could not set addr context for %s") % addr) -+ -+ rc = semanage_node_modify_local(self.sh, k, node) -+ if rc < 0: -+ raise ValueError(_("Could not add addr %s") % addr) -+ -+ semanage_context_free(con) -+ semanage_node_key_free(k) -+ semanage_node_free(node) -+ -+ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange)) ++ valid_types = [] ++ ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ self.protocol = ["ipv4", "ipv6"] ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"] ++ except RuntimeError: ++ pass ++ ++ def validate(self, addr, mask, protocol): ++ newaddr = addr ++ newmask = mask ++ newprotocol = "" ++ ++ if addr == "": ++ raise ValueError(_("Node Address is required")) ++ ++ # verify valid comination ++ if len(mask) == 0 or mask[0] == "/": ++ i = IP(addr + mask) ++ newaddr = i.strNormal(0) ++ 
newmask = str(i.netmask()) ++ if newmask == "0.0.0.0" and i.version() == 6: ++ newmask = "::" ++ ++ protocol = "ipv%d" % i.version() ++ ++ try: ++ newprotocol = self.protocol.index(protocol) ++ except: ++ raise ValueError(_("Unknown or missing protocol")) ++ ++ return newaddr, newmask, newprotocol ++ ++ def __add(self, addr, mask, proto, serange, ctype): ++ addr, mask, proto = self.validate(addr, mask, proto) ++ ++ if is_mls_enabled == 1: ++ if serange: ++ serange = untranslate(serange) ++ else: ++ serange = "s0" ++ ++ if ctype == "": ++ raise ValueError(_("SELinux node type is required")) ++ ++ if sepolicy.get_real_type_name(ctype) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a node type") % ctype) ++ ++ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) ++ if rc < 0: ++ raise ValueError(_("Could not create key for %s") % addr) ++ if rc < 0: ++ raise ValueError(_("Could not check if addr %s is defined") % addr) ++ ++ (rc, exists) = semanage_node_exists(self.sh, k) ++ if exists: ++ semanage_node_key_free(k) ++ return self.__modify(addr, mask, self.protocol[proto], serange, ctype) ++ ++ (rc, node) = semanage_node_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create addr for %s") % addr) ++ semanage_node_set_proto(node, proto) ++ ++ rc = semanage_node_set_addr(self.sh, node, proto, addr) ++ (rc, con) = semanage_context_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create context for %s") % addr) ++ ++ rc = semanage_node_set_mask(self.sh, node, proto, mask) ++ if rc < 0: ++ raise ValueError(_("Could not set mask for %s") % addr) ++ ++ rc = semanage_context_set_user(self.sh, con, "system_u") ++ if rc < 0: ++ raise ValueError(_("Could not set user in addr context for %s") % addr) ++ ++ rc = semanage_context_set_role(self.sh, con, "object_r") ++ if rc < 0: ++ raise ValueError(_("Could not set role in addr context for %s") % addr) ++ ++ rc = semanage_context_set_type(self.sh, con, ctype) ++ if rc 
< 0: ++ raise ValueError(_("Could not set type in addr context for %s") % addr) ++ ++ if serange: ++ rc = semanage_context_set_mls(self.sh, con, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in addr context for %s") % addr) ++ ++ rc = semanage_node_set_con(self.sh, node, con) ++ if rc < 0: ++ raise ValueError(_("Could not set addr context for %s") % addr) ++ ++ rc = semanage_node_modify_local(self.sh, k, node) ++ if rc < 0: ++ raise ValueError(_("Could not add addr %s") % addr) ++ ++ semanage_context_free(con) ++ semanage_node_key_free(k) ++ semanage_node_free(node) ++ ++ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange)) + -+ def add(self, addr, mask, proto, serange, ctype): ++ def add(self, addr, mask, proto, serange, ctype): + self.begin() + self.__add(addr, mask, proto, serange, ctype) + self.commit() + -+ def __modify(self, addr, mask, proto, serange, setype): -+ addr, mask, proto = self.validate(addr, mask, proto) ++ def __modify(self, addr, mask, proto, serange, setype): ++ addr, mask, proto = self.validate(addr, mask, proto) + -+ if not serange and setype == "": -+ raise ValueError(_("Requires setype or serange")) ++ if not serange and setype == "": ++ raise ValueError(_("Requires setype or serange")) + -+ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: -+ raise ValueError(_("Type %s is invalid, must be a node type") % setype) ++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a node type") % setype) + -+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -+ if rc < 0: -+ raise ValueError(_("Could not create key for %s") % addr) ++ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) ++ if rc < 0: ++ raise ValueError(_("Could not create key for %s") % addr) + -+ (rc, 
exists) = semanage_node_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if addr %s is defined") % addr) -+ if not exists: -+ raise ValueError(_("Addr %s is not defined") % addr) ++ (rc, exists) = semanage_node_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if addr %s is defined") % addr) ++ if not exists: ++ raise ValueError(_("Addr %s is not defined") % addr) + -+ (rc, node) = semanage_node_query(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not query addr %s") % addr) ++ (rc, node) = semanage_node_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query addr %s") % addr) + -+ con = semanage_node_get_con(node) -+ if serange: -+ semanage_context_set_mls(self.sh, con, untranslate(serange)) -+ if setype != "": -+ semanage_context_set_type(self.sh, con, setype) ++ con = semanage_node_get_con(node) ++ if serange: ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) + -+ rc = semanage_node_modify_local(self.sh, k, node) -+ if rc < 0: -+ raise ValueError(_("Could not modify addr %s") % addr) ++ rc = semanage_node_modify_local(self.sh, k, node) ++ if rc < 0: ++ raise ValueError(_("Could not modify addr %s") % addr) + -+ semanage_node_key_free(k) -+ semanage_node_free(node) ++ semanage_node_key_free(k) ++ semanage_node_free(node) + -+ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange)) ++ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange)) + -+ def modify(self, addr, mask, proto, serange, setype): ++ def modify(self, addr, mask, proto, serange, setype): + self.begin() + self.__modify(addr, mask, proto, serange, setype) + self.commit() + 
-+ def __delete(self, addr, mask, proto): ++ def __delete(self, addr, mask, proto): + -+ addr, mask, proto = self.validate(addr, mask, proto) ++ addr, mask, proto = self.validate(addr, mask, proto) + -+ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) -+ if rc < 0: -+ raise ValueError(_("Could not create key for %s") % addr) ++ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) ++ if rc < 0: ++ raise ValueError(_("Could not create key for %s") % addr) + -+ (rc, exists) = semanage_node_exists(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if addr %s is defined") % addr) -+ if not exists: -+ raise ValueError(_("Addr %s is not defined") % addr) ++ (rc, exists) = semanage_node_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if addr %s is defined") % addr) ++ if not exists: ++ raise ValueError(_("Addr %s is not defined") % addr) + -+ (rc, exists) = semanage_node_exists_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if addr %s is defined") % addr) -+ if not exists: -+ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr) ++ (rc, exists) = semanage_node_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if addr %s is defined") % addr) ++ if not exists: ++ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr) + -+ rc = semanage_node_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not delete addr %s") % addr) ++ rc = semanage_node_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete addr %s") % addr) + -+ semanage_node_key_free(k) ++ semanage_node_key_free(k) + -+ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]))) ++ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]))) + -+ def delete(self, addr, mask, 
proto): -+ self.begin() -+ self.__delete(addr, mask, proto) -+ self.commit() ++ def delete(self, addr, mask, proto): ++ self.begin() ++ self.__delete(addr, mask, proto) ++ self.commit() + -+ def deleteall(self): -+ (rc, nlist) = semanage_node_list_local(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not deleteall node mappings")) ++ def deleteall(self): ++ (rc, nlist) = semanage_node_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not deleteall node mappings")) + -+ self.begin() -+ for node in nlist: -+ self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)]) -+ self.commit() ++ self.begin() ++ for node in nlist: ++ self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)]) ++ self.commit() + -+ def get_all(self, locallist=False): -+ ddict = {} -+ if locallist: ++ def get_all(self, locallist=False): ++ ddict = {} ++ if locallist: + (rc, self.ilist) = semanage_node_list_local(self.sh) -+ else: ++ else: + (rc, self.ilist) = semanage_node_list(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list addrs")) -+ -+ for node in self.ilist: -+ con = semanage_node_get_con(node) -+ addr = semanage_node_get_addr(self.sh, node) -+ mask = semanage_node_get_mask(self.sh, node) -+ proto = self.protocol[semanage_node_get_proto(node)] -+ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) -+ -+ return ddict -+ -+ def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = list(ddict.keys()) -+ keys.sort() -+ for k in keys: -+ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0])) -+ return l -+ -+ def list(self, heading=True, locallist=False): -+ ddict = self.get_all(locallist) -+ keys = list(ddict.keys()) -+ if len(keys) == 0: -+ return -+ keys.sort() 
-+ -+ if heading: -+ print("%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context")) -+ if is_mls_enabled: ++ if rc < 0: ++ raise ValueError(_("Could not list addrs")) ++ ++ for node in self.ilist: ++ con = semanage_node_get_con(node) ++ addr = semanage_node_get_addr(self.sh, node) ++ mask = semanage_node_get_mask(self.sh, node) ++ proto = self.protocol[semanage_node_get_proto(node)] ++ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) ++ ++ return ddict ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = list(ddict.keys()) ++ keys.sort() ++ for k in keys: ++ if ddict[k][3]: ++ l.append("-a -M %s -p %s -t %s -r '%s' %s" % (k[1], k[2], ddict[k][2], ddict[k][3], k[0])) ++ else: ++ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0])) ++ return l ++ ++ def list(self, heading=True, locallist=False): ++ ddict = self.get_all(locallist) ++ keys = list(ddict.keys()) ++ if len(keys) == 0: ++ return ++ keys.sort() ++ ++ if heading: ++ print("%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context")) ++ if is_mls_enabled: + for k in keys: + val = '' + for fields in k: + val = val + '\t' + str(fields) + print("%-18s %-18s %-5s %s:%s:%s:%s " % (k[0], k[1], k[2], ddict[k][0], ddict[k][1], ddict[k][2], translate(ddict[k][3], False))) -+ else: -+ for k in keys: -+ print("%-18s %-18s %-5s %s:%s:%s " % (k[0], k[1], k[2], ddict[k][0], ddict[k][1], ddict[k][2])) ++ else: ++ for k in keys: ++ print("%-18s %-18s %-5s %s:%s:%s " % (k[0], k[1], k[2], ddict[k][0], ddict[k][1], ddict[k][2])) + + +class interfaceRecords(semanageRecords): 
@@ -6576,9 +6884,9 @@ index 0000000..bd05764 + def __add(self, interface, serange, ctype): + if is_mls_enabled == 1: + if serange: -+ serange = untranslate(serange) ++ serange = untranslate(serange) + else: -+ serange = "s0" ++ serange = "s0" + + if ctype == "": + raise ValueError(_("SELinux Type is required")) @@ -6725,9 +7033,9 @@ index 0000000..bd05764 + def get_all(self, locallist=False): + ddict = {} + if locallist: -+ (rc, self.ilist) = semanage_iface_list_local(self.sh) ++ (rc, self.ilist) = semanage_iface_list_local(self.sh) + else: -+ (rc, self.ilist) = semanage_iface_list(self.sh) ++ (rc, self.ilist) = semanage_iface_list(self.sh) + if rc < 0: + raise ValueError(_("Could not list interfaces")) + @@ -6743,7 +7051,10 @@ index 0000000..bd05764 + keys = list(ddict.keys()) + keys.sort() + for k in keys: -+ l.append("-a -t %s %s" % (ddict[k][2], k)) ++ if ddict[k][3]: ++ l.append("-a -t %s -r '%s' %s" % (ddict[k][2], ddict[k][3], k)) ++ else: ++ l.append("-a -t %s %s" % (ddict[k][2], k)) + return l + + def list(self, heading=True, locallist=False): 
@@ -6763,58 +7074,60 @@ index 0000000..bd05764 + print("%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1], ddict[k][2])) + +class fcontextRecords(semanageRecords): -+ try: -+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"] -+ valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"] -+ except RuntimeError: -+ valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"] ++ self.valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"] ++ except RuntimeError: ++ pass ++ + self.equiv = {} + self.equiv_dist = {} + self.equal_ind = False + try: -+ fd = open(selinux.selinux_file_context_subs_path(), "r") -+ for i in fd.readlines(): -+ i = i.strip() -+ if len(i) == 0: -+ continue -+ if i.startswith("#"): -+ continue -+ target, substitute = i.split() -+ self.equiv[target] = substitute -+ fd.close() ++ fd = open(selinux.selinux_file_context_subs_path(), "r") ++ for i in fd.readlines(): ++ i = i.strip() ++ if len(i) == 0: ++ continue ++ if i.startswith("#"): ++ continue ++ target, substitute = i.split() ++ self.equiv[target] = substitute ++ fd.close() + except IOError: -+ pass ++ pass + try: -+ fd = open(selinux.selinux_file_context_subs_dist_path(), "r") -+ for i in fd.readlines(): -+ i = i.strip() -+ if len(i) == 0: -+ continue -+ if i.startswith("#"): -+ continue -+ target, substitute = i.split() -+ self.equiv_dist[target] = substitute -+ fd.close() ++ fd = open(selinux.selinux_file_context_subs_dist_path(), "r") ++ for i in fd.readlines(): ++ i = i.strip() ++ if len(i) == 0: ++ continue ++ if i.startswith("#"): ++ continue ++ target, substitute = i.split() ++ self.equiv_dist[target] = substitute ++ fd.close() + except IOError: -+ pass ++ pass + + def commit(self): + if self.equal_ind: -+ subs_file = selinux.selinux_file_context_subs_path() -+ tmpfile = "%s.tmp" % subs_file -+ 
fd = open(tmpfile, "w") -+ for target in list(self.equiv.keys()): -+ fd.write("%s %s\n" % (target, self.equiv[target])) -+ fd.close() -+ try: -+ os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE]) -+ except: -+ pass -+ os.rename(tmpfile, subs_file) -+ self.equal_ind = False ++ subs_file = selinux.selinux_file_context_subs_path() ++ tmpfile = "%s.tmp" % subs_file ++ fd = open(tmpfile, "w") ++ for target in list(self.equiv.keys()): ++ fd.write("%s %s\n" % (target, self.equiv[target])) ++ fd.close() ++ try: ++ os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE]) ++ except: ++ pass ++ os.rename(tmpfile, subs_file) ++ self.equal_ind = False + semanageRecords.commit(self) + + def add_equal(self, target, substitute): @@ -6823,10 +7136,10 @@ index 0000000..bd05764 + raise ValueError(_("Target %s is not valid. Target is not allowed to end with '/'") % target) + + if substitute != "/" and substitute[-1] == "/": -+ raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute) ++ raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute) + + if target in list(self.equiv.keys()): -+ raise ValueError(_("Equivalence class for %s already exists") % target) ++ raise ValueError(_("Equivalence class for %s already exists") % target) + self.validate(target) + + for fdict in (self.equiv, self.equiv_dist): @@ -6843,7 +7156,7 @@ index 0000000..bd05764 + def modify_equal(self, target, substitute): + self.begin() + if target not in list(self.equiv.keys()): -+ raise ValueError(_("Equivalence class for %s does not exists") % target) ++ raise ValueError(_("Equivalence class for %s does not exists") % target) + self.equiv[target] = substitute + self.equal_ind = True + self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) 
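Review bot: In the re-indented `__init__`, `target, substitute = i.split()` raises ValueError on any line of the subs file that does not have exactly two fields, and the enclosing `except IOError:` does not catch it, so a single malformed line in either substitution file aborts construction of every fcontextRecords with a traceback; replacing it with `parts = i.split()` / `if len(parts) != 2: continue` / `target, substitute = parts` in both loops tolerates such lines. In `commit`, the bare `except: pass` around `os.chmod` also hides the case where `subs_file` does not exist yet, so the renamed file silently keeps umask-derived permissions; narrowing it to `except OSError:` and reporting the failure makes that visible. Opening the temp file with `with open(tmpfile, "w") as fd:` would additionally close the descriptor when a write fails instead of leaving it open behind a partial file. The class body continues past this hunk.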
@@ -6852,35 +7165,35 @@ index 0000000..bd05764 + def createcon(self, target, seuser="system_u"): + (rc, con) = semanage_context_create(self.sh) + if rc < 0: -+ raise ValueError(_("Could not create context for %s") % target) ++ raise ValueError(_("Could not create context for %s") % target) + if seuser == "": + seuser = "system_u" + + rc = semanage_context_set_user(self.sh, con, seuser) + if rc < 0: -+ raise ValueError(_("Could not set user in file context for %s") % target) ++ raise ValueError(_("Could not set user in file context for %s") % target) + + rc = semanage_context_set_role(self.sh, con, "object_r") + if rc < 0: -+ raise ValueError(_("Could not set role in file context for %s") % target) ++ raise ValueError(_("Could not set role in file context for %s") % target) + + if is_mls_enabled == 1: -+ rc = semanage_context_set_mls(self.sh, con, "s0") -+ if rc < 0: -+ raise ValueError(_("Could not set mls fields in file context for %s") % target) ++ rc = semanage_context_set_mls(self.sh, con, "s0") ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in file context for %s") % target) + + return con + + def validate(self, target): -+ if target == "" or target.find("\n") >= 0: -+ raise ValueError(_("Invalid file specification")) -+ if target.find(" ") != -1: -+ raise ValueError(_("File specification can not include spaces")) -+ for fdict in (self.equiv, self.equiv_dist): -+ for i in fdict: -+ if target.startswith(i + "/"): -+ t = re.sub(i, fdict[i], target) -+ raise ValueError(_("File spec %(TARGET)s conflicts with equivalency rule '%(SOURCE)s %(DEST)s'; Try adding '%(DEST1)s' instead") % {"TARGET":target, "SOURCE": i, "DEST":fdict[i], "DEST1": t}) ++ if target == "" or target.find("\n") >= 0: ++ raise ValueError(_("Invalid file specification")) ++ if target.find(" ") != -1: ++ raise ValueError(_("File specification can not include spaces")) ++ for fdict in (self.equiv, self.equiv_dist): ++ for i in fdict: ++ if target.startswith(i + "/"): ++ t = re.sub(i, 
fdict[i], target) ++ raise ValueError(_("File spec %(TARGET)s conflicts with equivalency rule '%(SOURCE)s %(DEST)s'; Try adding '%(DEST1)s' instead") % {"TARGET":target, "SOURCE": i, "DEST":fdict[i], "DEST1": t}) + + + def __add(self, target, type, ftype="", serange=None, seuser="system_u"): @@ -6890,10 +7203,10 @@ index 0000000..bd05764 + seuser = "system_u" + + if is_mls_enabled == 1: -+ serange = untranslate(serange) ++ serange = untranslate(serange) + -+ if not serange: -+ serange = "s0" ++ if not serange: ++ serange = "s0" + + if type == "": + raise ValueError(_("SELinux Type is required")) @@ -6910,13 +7223,13 @@ index 0000000..bd05764 + raise ValueError(_("Could not check if file context for %s is defined") % target) + + if not exists: -+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not check if file context for %s is defined") % target) ++ (rc, exists) = semanage_fcontext_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if file context for %s is defined") % target) + + if exists: -+ semanage_fcontext_key_free(k) -+ return self.__modify(target, type, ftype, serange, seuser) ++ semanage_fcontext_key_free(k) ++ return self.__modify(target, type, ftype, serange, seuser) + + (rc, fcontext) = semanage_fcontext_create(self.sh) + if rc < 0: 
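Review bot: In `validate`, the re-indented line `t = re.sub(i, fdict[i], target)` uses the equivalence target `i` as a regular expression, so a path containing regex metacharacters (`.`, `+`, `(`, `[`) either rewrites the wrong characters in the suggested replacement or raises `re.error` instead of the intended ValueError. The branch is only reached when `target.startswith(i + "/")`, so a plain prefix replacement is both correct and regex-free: `t = fdict[i] + target[len(i):]`. fcontextRecords continues outside this hunk.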
@@ -6924,19 +7237,19 @@ index 0000000..bd05764 + + rc = semanage_fcontext_set_expr(self.sh, fcontext, target) + if type != "<>": -+ con = self.createcon(target, seuser) ++ con = self.createcon(target, seuser) + -+ rc = semanage_context_set_type(self.sh, con, type) -+ if rc < 0: -+ raise ValueError(_("Could not set type in file context for %s") % target) ++ rc = semanage_context_set_type(self.sh, con, type) ++ if rc < 0: ++ raise ValueError(_("Could not set type in file context for %s") % target) + -+ if serange: -+ rc = semanage_context_set_mls(self.sh, con, serange) -+ if rc < 0: -+ raise ValueError(_("Could not set mls fields in file context for %s") % target) -+ rc = semanage_fcontext_set_con(self.sh, fcontext, con) -+ if rc < 0: -+ raise ValueError(_("Could not set file context for %s") % target) ++ if serange: ++ rc = semanage_context_set_mls(self.sh, con, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in file context for %s") % target) ++ rc = semanage_fcontext_set_con(self.sh, fcontext, con) ++ if rc < 0: ++ raise ValueError(_("Could not set file context for %s") % target) + + semanage_fcontext_set_type(fcontext, file_types[ftype]) + @@ -6945,7 +7258,7 @@ index 0000000..bd05764 + raise ValueError(_("Could not add file context for %s") % target) + + if type != "<>": -+ semanage_context_free(con) ++ semanage_context_free(con) + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + 
@@ -6975,39 +7288,39 @@ index 0000000..bd05764 + if rc < 0: + raise ValueError(_("Could not check if file context for %s is defined") % target) + if not exists: -+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k) -+ if not exists: -+ raise ValueError(_("File context for %s is not defined") % target) ++ (rc, exists) = semanage_fcontext_exists_local(self.sh, k) ++ if not exists: ++ raise ValueError(_("File context for %s is not defined") % target) + + try: -+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) + except OSError: -+ try: -+ (rc, fcontext) = semanage_fcontext_query(self.sh, k) -+ except OSError: -+ raise ValueError(_("Could not query file context for %s") % target) ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: ++ raise ValueError(_("Could not query file context for %s") % target) + + if setype != "<>": -+ con = semanage_fcontext_get_con(fcontext) ++ con = semanage_fcontext_get_con(fcontext) + -+ if con == None: -+ con = self.createcon(target) ++ if con == None: ++ con = self.createcon(target) + -+ if serange: -+ semanage_context_set_mls(self.sh, con, untranslate(serange)) -+ if seuser != "": -+ semanage_context_set_user(self.sh, con, seuser) ++ if serange: ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if seuser != "": ++ semanage_context_set_user(self.sh, con, seuser) + -+ if setype != "": -+ semanage_context_set_type(self.sh, con, setype) ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) + -+ rc = semanage_fcontext_set_con(self.sh, fcontext, con) -+ if rc < 0: -+ raise ValueError(_("Could not set file context for %s") % target) ++ rc = semanage_fcontext_set_con(self.sh, fcontext, con) ++ if rc < 0: ++ raise ValueError(_("Could not set file context for %s") % target) + else: -+ rc = semanage_fcontext_set_con(self.sh, fcontext, None) -+ if rc < 0: -+ raise ValueError(_("Could not set file context for 
%s") % target) ++ rc = semanage_fcontext_set_con(self.sh, fcontext, None) ++ if rc < 0: ++ raise ValueError(_("Could not set file context for %s") % target) + + rc = semanage_fcontext_modify_local(self.sh, k, fcontext) + if rc < 0: @@ -7034,19 +7347,19 @@ index 0000000..bd05764 + self.begin() + + for fcontext in flist: -+ target = semanage_fcontext_get_expr(fcontext) -+ ftype = semanage_fcontext_get_type(fcontext) -+ ftype_str = semanage_fcontext_get_type_str(ftype) -+ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str]) -+ if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % target) ++ target = semanage_fcontext_get_expr(fcontext) ++ ftype = semanage_fcontext_get_type(fcontext) ++ ftype_str = semanage_fcontext_get_type_str(ftype) ++ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str]) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % target) + -+ rc = semanage_fcontext_del_local(self.sh, k) -+ if rc < 0: -+ raise ValueError(_("Could not delete the file context %s") % target) -+ semanage_fcontext_key_free(k) ++ rc = semanage_fcontext_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete the file context %s") % target) ++ semanage_fcontext_key_free(k) + -+ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]])) ++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]])) + + self.equiv = {} + self.equal_ind = True 
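Review bot: In `__modify`'s re-indented `if not exists:` branch, `(rc, exists) = semanage_fcontext_exists_local(self.sh, k)` never checks `rc`, unlike the `semanage_fcontext_exists` call just above it, so a failed local lookup is reported as "File context for %s is not defined" rather than as an error; add `if rc < 0: raise ValueError(_("Could not check if file context for %s is defined") % target)` before `if not exists:`. Further down, `if con == None:` should be `if con is None:`. `__modify` starts before this hunk.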
@@ -7054,12 +7367,12 @@ index 0000000..bd05764 + + def __delete(self, target, ftype): + if target in list(self.equiv.keys()): -+ self.equiv.pop(target) -+ self.equal_ind = True ++ self.equiv.pop(target) ++ self.equal_ind = True + -+ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0))) ++ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0))) + -+ return ++ return + + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) + if rc < 0: @@ -7092,20 +7405,20 @@ index 0000000..bd05764 + + def get_all(self, locallist=False): + if locallist: -+ (rc, self.flist) = semanage_fcontext_list_local(self.sh) ++ (rc, self.flist) = semanage_fcontext_list_local(self.sh) + else: -+ (rc, self.flist) = semanage_fcontext_list(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list file contexts")) -+ (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list file contexts for home directories")) -+ (rc, fclocal) = semanage_fcontext_list_local(self.sh) -+ if rc < 0: -+ raise ValueError(_("Could not list local file contexts")) -+ -+ self.flist += fchomedirs -+ self.flist += fclocal ++ (rc, self.flist) = semanage_fcontext_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list file contexts")) ++ (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list file contexts for home directories")) ++ (rc, fclocal) = semanage_fcontext_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list local file contexts")) ++ ++ self.flist += fchomedirs ++ self.flist += fclocal + + from collections import OrderedDict + ddict = OrderedDict() 
@@ -7116,24 +7429,27 @@ index 0000000..bd05764 + ftype_str = semanage_fcontext_get_type_str(ftype) + con = semanage_fcontext_get_con(fcontext) + if con: -+ ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) ++ ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) + else: + ddict[(expr, ftype_str)] = con + + return ddict + + def customized(self): -+ l = [] -+ fcon_dict = self.get_all(True) -+ keys = list(fcon_dict.keys()) -+ for k in keys: -+ if fcon_dict[k]: -+ l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0])) -+ -+ if len(self.equiv): -+ for target in list(self.equiv.keys()): -+ l.append("-a -e %s %s" % (self.equiv[target], target)) -+ return l ++ l = [] ++ fcon_dict = self.get_all(True) ++ keys = list(fcon_dict.keys()) ++ for k in keys: ++ if fcon_dict[k]: ++ if fcon_dict[k][3]: ++ l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0])) ++ else: ++ l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0])) ++ ++ if len(self.equiv): ++ for target in list(self.equiv.keys()): ++ l.append("-a -e %s %s" % (self.equiv[target], target)) ++ return l + + def list(self, heading=True, locallist=False): + fcon_dict = self.get_all(locallist) 
@@ -7151,17 +7467,17 @@ index 0000000..bd05764 + print("%-50s %-18s <>" % (k[0], k[1])) + + if len(self.equiv_dist): -+ if not locallist: -+ if heading: -+ print(_("\nSELinux Distribution fcontext Equivalence \n")) -+ for target in list(self.equiv_dist.keys()): -+ print("%s = %s" % (target, self.equiv_dist[target])) ++ if not locallist: ++ if heading: ++ print(_("\nSELinux Distribution fcontext Equivalence \n")) ++ for target in list(self.equiv_dist.keys()): ++ print("%s = %s" % (target, self.equiv_dist[target])) + if len(self.equiv): -+ if heading: -+ print(_("\nSELinux Local fcontext Equivalence \n")) ++ if heading: ++ print(_("\nSELinux Local fcontext Equivalence \n")) + -+ for target in list(self.equiv.keys()): -+ print("%s = %s" % (target, self.equiv[target])) ++ for target in list(self.equiv.keys()): ++ print("%s = %s" % (target, self.equiv[target])) + +class booleanRecords(semanageRecords): + def __init__(self, store=""): 
@@ -7191,21 +7507,21 @@ index 0000000..bd05764 + + (rc, k) = semanage_bool_key_create(self.sh, name) + if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) ++ raise ValueError(_("Could not create a key for %s") % name) + (rc, exists) = semanage_bool_exists(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not check if boolean %s is defined") % name) ++ raise ValueError(_("Could not check if boolean %s is defined") % name) + if not exists: -+ raise ValueError(_("Boolean %s is not defined") % name) ++ raise ValueError(_("Boolean %s is not defined") % name) + + (rc, b) = semanage_bool_query(self.sh, k) + if rc < 0: -+ raise ValueError(_("Could not query file context %s") % name) ++ raise ValueError(_("Could not query file context %s") % name) + + if value.upper() in self.dict: -+ semanage_bool_set_value(b, self.dict[value.upper()]) ++ semanage_bool_set_value(b, self.dict[value.upper()]) + else: -+ raise ValueError(_("You must specify one of the following values: %s") % ", ".join(list(self.dict.keys()))) ++ raise ValueError(_("You must specify one of the following values: %s") % ", ".join(list(self.dict.keys()))) + + if self.modify_local and name in self.current_booleans: + rc = semanage_bool_set_active(self.sh, k, b) 
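Review bot: The re-indented message `raise ValueError(_("Could not query file context %s") % name)` in `__mod` follows `semanage_bool_query`, so a failed boolean lookup is reported as a file-context problem; `raise ValueError(_("Could not query boolean %s") % name)` matches the neighbouring messages ("Could not check if boolean %s is defined"), at the cost of one new catalog string. `__mod` starts before this hunk.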
@@ -7213,27 +7529,27 @@ index 0000000..bd05764 + raise ValueError(_("Could not set active value of boolean %s") % name) + rc = semanage_bool_modify_local(self.sh, k, b) + if rc < 0: -+ raise ValueError(_("Could not modify boolean %s") % name) ++ raise ValueError(_("Could not modify boolean %s") % name) + semanage_bool_key_free(k) + semanage_bool_free(b) + + def modify(self, name, value=None, use_file=False): + self.begin() + if use_file: -+ fd = open(name) -+ for b in fd.read().split("\n"): -+ b = b.strip() -+ if len(b) == 0: -+ continue -+ -+ try: -+ boolname, val = b.split("=") -+ except ValueError: -+ raise ValueError(_("Bad format %(BOOLNAME)s: Record %(VALUE)s" % { "BOOLNAME": name, "VALUE": b })) -+ self.__mod(boolname.strip(), val.strip()) -+ fd.close() ++ fd = open(name) ++ for b in fd.read().split("\n"): ++ b = b.strip() ++ if len(b) == 0: ++ continue ++ ++ try: ++ boolname, val = b.split("=") ++ except ValueError: ++ raise ValueError(_("Bad format %(BOOLNAME)s: Record %(VALUE)s" % { "BOOLNAME": name, "VALUE": b })) ++ self.__mod(boolname.strip(), val.strip()) ++ fd.close() + else: -+ self.__mod(name, value) ++ self.__mod(name, value) + + self.commit() + @@ -7242,7 +7558,7 @@ index 0000000..bd05764 + + (rc, k) = semanage_bool_key_create(self.sh, name) + if rc < 0: -+ raise ValueError(_("Could not create a key for %s") % name) ++ raise ValueError(_("Could not create a key for %s") % name) + (rc, exists) = semanage_bool_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if boolean %s is defined") % name) 
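Review bot: In the re-indented `modify`, the `%` substitution of the "Bad format" message happens inside the `_()` call, so the already-formatted string is what gets looked up in the message catalog and it can never match a translation; every other message in this file formats after translating, i.e. `raise ValueError(_("Bad format %(BOOLNAME)s: Record %(VALUE)s") % {"BOOLNAME": name, "VALUE": b})`. `fd = open(name)` is also never closed when `__mod` raises on a bad record; `with open(name) as fd:` covers both the success and the error path. The BOOLNAME placeholder receives `name`, which in this branch is the file being read rather than a boolean — worth confirming that is the intended wording.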
@@ -7274,31 +7590,31 @@ index 0000000..bd05764 + self.begin() + + for boolean in self.blist: -+ name = semanage_bool_get_name(boolean) -+ self.__delete(name) ++ name = semanage_bool_get_name(boolean) ++ self.__delete(name) + + self.commit() + + def get_all(self, locallist=False): + ddict = {} + if locallist: -+ (rc, self.blist) = semanage_bool_list_local(self.sh) ++ (rc, self.blist) = semanage_bool_list_local(self.sh) + else: -+ (rc, self.blist) = semanage_bool_list(self.sh) ++ (rc, self.blist) = semanage_bool_list(self.sh) + if rc < 0: + raise ValueError(_("Could not list booleans")) + + for boolean in self.blist: -+ value = [] -+ name = semanage_bool_get_name(boolean) -+ value.append(semanage_bool_get_value(boolean)) -+ if self.modify_local and boolean in self.current_booleans: -+ value.append(selinux.security_get_boolean_pending(name)) -+ value.append(selinux.security_get_boolean_active(name)) -+ else: -+ value.append(value[0]) -+ value.append(value[0]) -+ ddict[name] = value ++ value = [] ++ name = semanage_bool_get_name(boolean) ++ value.append(semanage_bool_get_value(boolean)) ++ if self.modify_local and name in self.current_booleans: ++ value.append(selinux.security_get_boolean_pending(name)) ++ value.append(selinux.security_get_boolean_active(name)) ++ else: ++ value.append(value[0]) ++ value.append(value[0]) ++ ddict[name] = value + + return ddict + 
@@ -7311,24 +7627,24 @@ index 0000000..bd05764 + return boolean_category(name) + + def customized(self): -+ l = [] -+ ddict = self.get_all(True) -+ keys = list(ddict.keys()) -+ keys.sort() -+ for k in keys: -+ if ddict[k]: -+ l.append("-m -%s %s" % (ddict[k][2], k)) -+ return l ++ l = [] ++ ddict = self.get_all(True) ++ keys = list(ddict.keys()) ++ keys.sort() ++ for k in keys: ++ if ddict[k]: ++ l.append("-m -%s %s" % (ddict[k][2], k)) ++ return l + + def list(self, heading=True, locallist=False, use_file=False): + on_off = (_("off"), _("on")) + if use_file: -+ ddict = self.get_all(locallist) -+ keys = list(ddict.keys()) -+ for k in keys: -+ if ddict[k]: -+ print("%s=%s" % (k, ddict[k][2])) -+ return ++ ddict = self.get_all(locallist) ++ keys = list(ddict.keys()) ++ for k in keys: ++ if ddict[k]: ++ print("%s=%s" % (k, ddict[k][2])) ++ return + ddict = self.get_all(locallist) + keys = list(ddict.keys()) + if len(keys) == 0: @@ -7338,7 +7654,7 @@ index 0000000..bd05764 + print("%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description"))) + for k in keys: + if ddict[k]: -+ print("%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k))) ++ print("%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k))) diff --git policycoreutils-2.5/semanage/setup.py policycoreutils-2.5/semanage/setup.py new file mode 100644 index 0000000..7735c59 @@ -8628,7 +8944,7 @@ index 7d57f6e..4a162c3 100755 + print("Out") sys.exit(0) diff --git policycoreutils-2.5/sepolicy/sepolicy/__init__.py policycoreutils-2.5/sepolicy/sepolicy/__init__.py -index 693c6fe..8c07c29 100644 +index 693c6fe..2841d33 100644 --- policycoreutils-2.5/sepolicy/sepolicy/__init__.py +++ policycoreutils-2.5/sepolicy/sepolicy/__init__.py @@ -3,24 +3,30 @@ 
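Review bot: In hunk `@@ -7338,7 +7654,7 @@`, `on_off[ddict[k][2]]` and `on_off[ddict[k][0]]` index a two-element tuple with the raw return values of `selinux.security_get_boolean_active` and `semanage_bool_get_value` collected in `get_all` (hunk `@@ -7274,31 +7590,31 @@` on the previous line), and neither place checks them; if the binding returns -1 on failure, as the libselinux C function does, Python's negative indexing prints "on" for a boolean whose state could not be read. Rejecting negative values where they are appended in `get_all`, e.g. `if value[-1] < 0: raise ValueError(_("Could not get value of boolean %s") % name)` after the active-value append, keeps `list` from misreporting. `list` starts before this hunk.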
@@ -8969,7 +9285,47 @@ index 693c6fe..8c07c29 100644 return entrypoints[0] except TypeError: pass -@@ -450,7 +560,7 @@ def get_methods(): +@@ -426,16 +536,38 @@ def get_entrypoints(setype): + return mpaths + + ++def policy_sortkey(policy_path): ++ # Parse the extension of a policy path which looks like .../policy/policy.31 ++ extension = policy_path.rsplit('/policy.', 1)[1] ++ try: ++ return int(extension), policy_path ++ except ValueError: ++ # Fallback with sorting on the full path ++ return 0, policy_path ++ ++ + def get_installed_policy(root="/"): + try: + path = root + selinux.selinux_binary_policy_path() + policies = glob.glob("%s.*" % path) +- policies.sort() ++ policies.sort(key=policy_sortkey) + return policies[-1] + except: + pass + raise ValueError(_("No SELinux Policy installed")) + ++ ++def get_store_policy(store): ++ """Get the path to the policy file located in the given store name""" ++ policies = glob.glob("%s%s/policy/policy.*" % ++ (selinux.selinux_path(), store)) ++ if not policies: ++ return None ++ # Return the policy with the higher version number ++ policies.sort(key=policy_sortkey) ++ return policies[-1] ++ ++ + methods = [] + + +@@ -450,7 +582,7 @@ def get_methods(): # List of per_role_template interfaces ifs = interfaces.InterfaceSet() ifs.from_file(fd) @@ -8978,7 +9334,7 @@ index 693c6fe..8c07c29 100644 fd.close() except: sys.stderr.write("could not open interface info [%s]\n" % fn) -@@ -465,7 +575,7 @@ all_types = None +@@ -465,7 +597,7 @@ all_types = None def get_all_types(): global all_types if all_types == None: @@ -8987,7 +9343,7 @@ index 693c6fe..8c07c29 100644 return all_types user_types = None -@@ -513,7 +623,6 @@ portrecsbynum = None +@@ -513,7 +645,6 @@ portrecsbynum = None def gen_interfaces(): 
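Review bot: `get_store_policy` builds its glob from the caller-supplied store name as `"%s%s/policy/policy.*" % (selinux.selinux_path(), store)` with no check on the name, so a value containing a path separator or `..` resolves to a directory outside the SELinux store root before a policy is loaded from it; rejecting such names up front, e.g. `if not store or os.sep in store or store in (".", ".."): raise ValueError(_("Invalid store name %s") % store)`, keeps the lookup under `selinux_path()`. `policy_sortkey` raises IndexError rather than the ValueError it catches when the path has no `/policy.` component; both callers' globs guarantee that component, and a one-line docstring stating the precondition would make the dependency explicit. Sorting the list and taking `[-1]` can be written as `max(policies, key=policy_sortkey)` in both functions.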
@@ -8995,7 +9351,7 @@ index 693c6fe..8c07c29 100644 ifile = defaults.interface_info() headers = defaults.headers() rebuild = False -@@ -525,7 +634,9 @@ def gen_interfaces(): +@@ -525,7 +656,9 @@ def gen_interfaces(): if os.getuid() != 0: raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen")) @@ -9006,7 +9362,7 @@ index 693c6fe..8c07c29 100644 def gen_port_dict(): -@@ -562,6 +673,23 @@ def get_all_domains(): +@@ -562,6 +695,23 @@ def get_all_domains(): all_domains = info(ATTRIBUTE, "domain")[0]["types"] return all_domains @@ -9030,7 +9386,7 @@ index 693c6fe..8c07c29 100644 roles = None -@@ -569,7 +697,7 @@ def get_all_roles(): +@@ -569,7 +719,7 @@ def get_all_roles(): global roles if roles: return roles @@ -9039,7 +9395,7 @@ index 693c6fe..8c07c29 100644 roles.remove("object_r") roles.sort() return roles -@@ -607,7 +735,7 @@ def get_login_mappings(): +@@ -607,7 +757,7 @@ def get_login_mappings(): def get_all_users(): @@ -9048,7 +9404,7 @@ index 693c6fe..8c07c29 100644 users.sort() return users -@@ -766,7 +894,7 @@ all_attributes = None +@@ -766,7 +916,7 @@ all_attributes = None def get_all_attributes(): global all_attributes if not all_attributes: @@ -9057,7 +9413,17 @@ index 693c6fe..8c07c29 100644 return all_attributes -@@ -797,7 +925,7 @@ def policy(policy_file): +@@ -794,10 +944,17 @@ def policy(policy_file): + except: + raise ValueError(_("Failed to read %s policy file") % policy_file) + ++ ++def load_store_policy(store): ++ policy_file = get_store_policy(store) ++ if not policy_file: ++ return None ++ policy(policy_file) ++ try: policy_file = get_installed_policy() policy(policy_file) @@ -9066,7 +9432,7 @@ index 693c6fe..8c07c29 100644 if selinux.is_selinux_enabled() == 1: raise e -@@ -815,7 +943,7 @@ def gen_short_name(setype): +@@ -815,7 +972,7 @@ def gen_short_name(setype): domainname = setype[:-2] else: domainname = setype 
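Review bot: `load_store_policy` in the `@@ -9057,7 +9413,17 @@` hunk returns None whether it loaded the store's policy or found no `policy/policy.*` file at all, so a caller that names a store with no compiled policy gets no signal and keeps using whatever policy the module loaded at import time in the `try:` block that follows. Returning the path on success, `return policy_file` after `policy(policy_file)`, lets callers detect the miss without changing the None case. A docstring should state that it returns None when the store has no policy file and that `policy()` raises ValueError when the file cannot be read. The module-level `try:` block continues outside the hunk.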
@@ -9075,7 +9441,7 @@ index 693c6fe..8c07c29 100644 raise ValueError("domain %s_t does not exist" % domainname) if domainname[-1] == 'd': short_name = domainname[:-1] + "_" -@@ -828,7 +956,7 @@ def get_bools(setype): +@@ -828,7 +985,7 @@ def get_bools(setype): bools = [] domainbools = [] domainname, short_name = gen_short_name(setype) @@ -9084,7 +9450,7 @@ index 693c6fe..8c07c29 100644 for b in i: if not isinstance(b, tuple): continue -@@ -851,6 +979,8 @@ def get_all_booleans(): +@@ -851,6 +1008,8 @@ def get_all_booleans(): global booleans if not booleans: booleans = selinux.security_get_boolean_names()[1] @@ -9093,7 +9459,7 @@ index 693c6fe..8c07c29 100644 return booleans booleans_dict = None -@@ -896,7 +1026,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): +@@ -896,7 +1055,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): desc = i.find("desc").find("p").text.strip("\n") desc = re.sub("\n", " ", desc) booleans_dict[i.get('name')] = ("global", i.get('dftval'), desc) @@ -9102,7 +9468,7 @@ index 693c6fe..8c07c29 100644 pass return booleans_dict -@@ -919,24 +1049,14 @@ def boolean_desc(boolean): +@@ -919,24 +1078,14 @@ def boolean_desc(boolean): def get_os_version(): diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec index 034ada9..6604e88 100644 --- a/SPECS/policycoreutils.spec +++ b/SPECS/policycoreutils.spec @@ -5,10 +5,12 @@ %global sepolgenver 1.2.3 %global setoolsver 3.3.8-4 +%global _hardened_build 1 + Summary: SELinux policy core utilities Name: policycoreutils Version: 2.5 -Release: 29%{?dist}.1 +Release: 33%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases 
@@ -19,7 +21,7 @@ Source2: policycoreutils_man_ru2.tar.bz2 Source3: system-config-selinux.png Source4: sepolicy-icons.tgz Source5: policycoreutils-po.tgz -# HEAD 3e2e1c0f8194137b2e511b6ab5ccc096894e76e5 +# HEAD ba371a0d4f3a0a70ba78fcad5c8de40a283762ae Patch0: policycoreutils-rhel.patch Patch1: sepolgen-rhel.patch Patch10: policycoreutils-preserve-timestamps-for-.py-files.patch @@ -32,6 +34,7 @@ Provides: /sbin/restorecon BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel BuildRequires: python python-devel setools-devel >= %{setoolsver} +BuildRequires: redhat-rpm-config BuildRequires: diffstat Requires: util-linux Requires: grep @@ -94,8 +97,8 @@ UpdateTimestamps -p0 %{PATCH1} %build -make -C policycoreutils-2.5 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all -make -C sepolgen-1.2.3 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all +make -C policycoreutils-2.5 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" SEMODULE_PATH="/usr/sbin" all +make -C sepolgen-1.2.3 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" all %install mkdir -p %{buildroot}%{_bindir} 
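Review bot: The `@@ -94,8 +97,8 @@` hunk drops the explicit `-fPIE`, `-pie`, `-Wl,-z,relro` and `-Wl,-z,now` and relies on `%{optflags}` and `%{__global_ldflags}` to supply them, which presumably only holds because `%global _hardened_build 1` is set in the preamble in an earlier hunk and redhat-rpm-config's hardened spec files are honored by every link in both Makefiles, so the PIE/RELRO/BIND_NOW hardening of these root-run policy tools is now indirect and can be lost silently. A `%check` guard such as `readelf -d %{buildroot}%{_sbindir}/semodule | grep -q BIND_NOW` and `readelf -h %{buildroot}%{_sbindir}/semodule | grep -q DYN` would catch a regression, and it also documents the improvement that sepolgen, previously linked with relro but without `-z,now`, now gets the full set. I have not verified the exact expansion on this distribution; confirm with `rpm --eval '%{__global_ldflags}'` before relying on it.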
@@ -106,12 +109,12 @@ mkdir -p %{buildroot}%{_mandir}/man8 %{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/ mkdir -p %{buildroot}/var/lib/selinux -make -C policycoreutils-2.5 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install +make -C policycoreutils-2.5 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" SEMODULE_PATH="/usr/sbin" install # Systemd rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond -make -C sepolgen-1.2.3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" install +make -C sepolgen-1.2.3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" install tar -jxf %{SOURCE2} -C %{buildroot}/ rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz 
@@ -390,8 +393,28 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog -* Wed Jan 16 2019 Vit Mojzis - 2.5-29.1 -- scripts/fixfiles: Do not fail on file_contexts.local (#1665813) +* Tue Jun 18 2019 Vit Mojzis - 2.5-33 +- Use flags definitions from redhat-rpm-config +- Use CFLAGS and LDFLAGS in "make install" + +* Wed Jun 12 2019 Vit Mojzis - 2.5-32 +- Update translations (#1689943) + +* Mon Mar 04 2019 Vit Mojzis - 2.5-31 +- semanage: Start exporting "ibendport" and "ibpkey" entries (#1657196) +- semanage: Do not show "None" levels when using a non-MLS policy (#1400482) +- semanage: Include MCS/MLS range when exporting local customizations (#1400482) + +* Mon Feb 25 2019 Vit Mojzis - 2.5-30 +- semanage/seobject: Fix listing boolean values (#1391605) +- sepolicy: Make policy files sorting more robust +- semanage: Fix setting alternative policy store (#1558033) +- semanage: Load a store policy and set the store SELinux policy root +- sepolicy: Add sepolicy.load_store_policy(store) +- semanage: import sepolicy only when it's needed +- semanage: move valid_types initialisations to class constructors +- semanage/seobject: Fix indentation issues +- scripts/fixfiles: Do not fail on file_contexts.local (#1647714) * Tue Sep 18 2018 Vit Mojzis - 2.5-29 - gui: Make all polgen button labels translatable (#1569451)