diff --git a/SOURCES/policycoreutils-rhel.patch b/SOURCES/policycoreutils-rhel.patch index 461e662..acc7cbd 100644 --- a/SOURCES/policycoreutils-rhel.patch +++ b/SOURCES/policycoreutils-rhel.patch @@ -682202,7 +682202,7 @@ index 0fad36c..75b782f 100644 while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the diff --git policycoreutils-2.5/semanage/seobject.py policycoreutils-2.5/semanage/seobject.py -index 3b0b108..4dc1971 100644 +index 3b0b108..77ef626 100644 --- policycoreutils-2.5/semanage/seobject.py +++ policycoreutils-2.5/semanage/seobject.py @@ -30,7 +30,7 @@ import os @@ -682433,7 +682433,24 @@ index 3b0b108..4dc1971 100644 self.validate(target) -@@ -1939,6 +2001,11 @@ class fcontextRecords(semanageRecords): +@@ -1904,10 +1966,12 @@ class fcontextRecords(semanageRecords): + if not exists: + raise ValueError(_("File context for %s is not defined") % target) + +- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) +- if rc < 0: +- (rc, fcontext) = semanage_fcontext_query(self.sh, k) +- if rc < 0: ++ try: ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) ++ except OSError: ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: + raise ValueError(_("Could not query file context for %s") % target) + + if setype != "<>": +@@ -1939,6 +2003,11 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) semanage_fcontext_free(fcontext) @@ -682445,7 +682462,7 @@ index 3b0b108..4dc1971 100644 def modify(self, target, setype, ftype, serange, seuser): self.begin() self.__modify(target, setype, ftype, serange, seuser) -@@ -1964,6 +2031,8 @@ class fcontextRecords(semanageRecords): +@@ -1964,6 +2033,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) 
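Review bot: In the added seobject.py hunk for fcontextRecords (`@@ -1904,10 +1966,12 @@`), the `rc` returned by `semanage_fcontext_query_local` and `semanage_fcontext_query` is no longer checked once the `rc < 0` tests are replaced by `except OSError`. This relies on the libsemanage Python bindings always raising on failure, which is presumably what the `libsemanagever 2.5-5` bump in the spec provides; if a binding ever returns a negative `rc` without raising, the code that follows uses `fcontext` unvalidated. A cheap guard after the try block, `if rc < 0: raise ValueError(_("Could not query file context for %s") % target)`, would keep the failure explicit under either binding behaviour. The same change is repeated in the seobject/__init__.py copy later in this patch (`@@ -684466,10 +684483,12 @@`) and the two should be kept in sync. The enclosing method starts and ends outside the hunk.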
@@ -682454,7 +682471,7 @@ index 3b0b108..4dc1971 100644 self.equiv = {} self.equal_ind = True self.commit() -@@ -1972,6 +2041,9 @@ class fcontextRecords(semanageRecords): +@@ -1972,6 +2043,9 @@ class fcontextRecords(semanageRecords): if target in self.equiv.keys(): self.equiv.pop(target) self.equal_ind = True @@ -682464,7 +682481,7 @@ index 3b0b108..4dc1971 100644 return (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) -@@ -1996,6 +2068,8 @@ class fcontextRecords(semanageRecords): +@@ -1996,6 +2070,8 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) @@ -682475,10 +682492,10 @@ index 3b0b108..4dc1971 100644 self.__delete(target, ftype) diff --git policycoreutils-2.5/semanage/seobject/__init__.py policycoreutils-2.5/semanage/seobject/__init__.py new file mode 100644 -index 0000000..26d47d5 +index 0000000..d0b7e8d --- /dev/null +++ policycoreutils-2.5/semanage/seobject/__init__.py -@@ -0,0 +1,2342 @@ +@@ -0,0 +1,2344 @@ +#! /usr/bin/python -Es +# Copyright (C) 2005-2013 Red Hat +# see file 'COPYING' for use and warranty information @@ -684466,10 +684483,12 @@ index 0000000..26d47d5 + if not exists: + raise ValueError(_("File context for %s is not defined") % target) + -+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) -+ if rc < 0: -+ (rc, fcontext) = semanage_fcontext_query(self.sh, k) -+ if rc < 0: ++ try: ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) ++ except OSError: ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: + raise ValueError(_("Could not query file context for %s") % target) + + if setype != "<>": @@ -684908,7 +684927,7 @@ index 6db390c..0c5fdf7 100644 .SH SEE ALSO diff --git policycoreutils-2.5/semodule/semodule.c policycoreutils-2.5/semodule/semodule.c -index bcfaa2b..ce048bc 100644 +index bcfaa2b..7b763fd 100644 --- policycoreutils-2.5/semodule/semodule.c +++ policycoreutils-2.5/semodule/semodule.c 
@@ -127,7 +127,7 @@ static void usage(char *progname) @@ -684929,6 +684948,30 @@ index bcfaa2b..ce048bc 100644 NULL)) != -1) { switch (i) { case 'b': +@@ -560,6 +560,7 @@ cleanup_extract: + } + + const char *name = NULL; ++ const char *version = NULL; + + for (j = 0; j < modinfos_len; j++) { + m = semanage_module_list_nth(modinfos, j); +@@ -567,10 +568,12 @@ cleanup_extract: + result = semanage_module_info_get_name(sh, m, &name); + if (result != 0) goto cleanup_list; + +- printf("%s\n", name); ++ result = semanage_module_info_get_version(sh, m, &version); ++ if (result != 0) goto cleanup_list; ++ ++ printf("%s\t%s\n", name, version); + } +- } +- else if (strcmp(mode_arg, "full") == 0) { ++ } else if (strcmp(mode_arg, "full") == 0) { + /* get the modules */ + result = semanage_module_list_all(sh, + &modinfos, diff --git policycoreutils-2.5/sepolicy/common.h policycoreutils-2.5/sepolicy/common.h index dc3ce6a..3b93845 100644 --- policycoreutils-2.5/sepolicy/common.h @@ -688255,9 +688298,18 @@ index e7bad44..9c8f21c 100644 - print "SELinux must be in enforcing mode for this test" + print("SELinux must be in enforcing mode for this test") diff --git policycoreutils-2.5/setfiles/restore.c policycoreutils-2.5/setfiles/restore.c -index 2a7cfa3..95fba09 100644 +index 2a7cfa3..1cc6a64 100644 --- policycoreutils-2.5/setfiles/restore.c +++ policycoreutils-2.5/setfiles/restore.c +@@ -118,7 +118,7 @@ static int restore(FTSENT *ftsent, int recurse) + r_opts->count++; + if (r_opts->count % STAR_COUNT == 0) { + if (r_opts->progress == 1) { +- fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT ); ++ fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT ); + } else { + if (r_opts->nfile > 0) { + progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100; @@ -160,6 +160,9 @@ static int restore(FTSENT *ftsent, int recurse) /* Get the current context of the file. */ ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon); 
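Review bot: In the semodule.c list loop, `version` reaches `printf("%s\t%s\n", name, version)` after only the return code of `semanage_module_info_get_version` is checked, so a module with no version string would pass a NULL pointer to `%s`. Whether the getter can succeed and leave `version` NULL is not visible here, so this is a precaution: `printf("%s\t%s\n", name, version ? version : "");`. The call also needs a libsemanage that exports `semanage_module_info_get_version`, which the `libsemanagever 2.5-5` requirement in the spec presumably covers. The loop sits inside a larger function that starts and ends outside the hunk.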
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec index 9faa74c..93aa1ba 100644 --- a/SPECS/policycoreutils.spec +++ b/SPECS/policycoreutils.spec @@ -1,13 +1,13 @@ %global libauditver 2.1.3-4 %global libsepolver 2.5-6 -%global libsemanagever 2.5-4 +%global libsemanagever 2.5-5 %global libselinuxver 2.5-6 %global sepolgenver 1.2.3 Summary: SELinux policy core utilities Name: policycoreutils Version: 2.5 -Release: 9%{?dist} +Release: 11%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -17,7 +17,7 @@ URL: http://www.selinuxproject.org Source2: policycoreutils_man_ru2.tar.bz2 Source3: system-config-selinux.png Source4: sepolicy-icons.tgz -# HEAD b9a93db5cba0d9ea238069df45870819c187a063 +# HEAD 6fc38208400af10a79a523930971afb3a8d6064bo Patch0: policycoreutils-rhel.patch Patch1: sepolgen-rhel.patch Patch10: policycoreutils-preserve-timestamps-for-.py-files.patch @@ -93,12 +93,12 @@ mkdir -p %{buildroot}%{_mandir}/man8 %{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/ mkdir -p %{buildroot}/var/lib/selinux -make -C policycoreutils-2.5 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install +make -C policycoreutils-2.5 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" CFLAGS="%{optflags} -fPIE" install # Systemd rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond -make -C sepolgen-1.2.3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" install +make -C sepolgen-1.2.3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" CFLAGS="%{optflags} -fPIE" install tar -jxf %{SOURCE2} -C %{buildroot}/ rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz 
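Review bot: The new `# HEAD` comment in the `@@ -17,7 +17,7 @@` hunk ends in a stray `o`, which makes it a 41-character value that is not a valid commit id. The comment appears to be the spec's record of the upstream revision that policycoreutils-rhel.patch was generated from, so a malformed id makes the patch harder to trace or regenerate. Drop the trailing character so the line reads `# HEAD 6fc38208400af10a79a523930971afb3a8d6064b`, after confirming that this is the intended commit.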
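Review bot: Both `make ... install` lines in the `@@ -93,12 +93,12 @@` hunk now pass `CFLAGS="%{optflags} -fPIE"` but no matching `LDFLAGS`, so anything built or relinked during the install step would be compiled position-independent yet linked without `-pie` or RELRO. The `%build` section is outside this hunk and may already set the linker flags; if so, the install lines should carry the same `LDFLAGS` value so the two steps cannot diverge. One option is to append `LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"` to both install invocations, adjusted to match whatever `%build` uses.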
@@ -377,6 +377,12 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Thu Dec 01 2016 Petr Lautrbach - 2.5-11 +- seobject: Handle python error returns correctly (#1398427) + +* Fri Nov 18 2016 Petr Lautrbach - 2.5-10.2 +- Re-add module versions to 'semodule -l' output (#1392573) + * Wed Oct 05 2016 Petr Lautrbach 2.5-9 - sandbox: create a new session for sandboxed processes - CVE-2016-7545 - sandbox: do not try to setup directories without -X or -M