diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b334830
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+SOURCES/policycoreutils-2.5.tar.gz
+SOURCES/policycoreutils-po.tgz
+SOURCES/policycoreutils_man_ru2.tar.bz2
+SOURCES/sepolgen-1.2.3.tar.gz
+SOURCES/sepolicy-icons.tgz
+SOURCES/system-config-selinux.png
diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata
new file mode 100644
index 0000000..194b00d
--- /dev/null
+++ b/.policycoreutils.metadata
@@ -0,0 +1,6 @@
+425ab5ad02cf2195d63fad5578b23a615eb95c21 SOURCES/policycoreutils-2.5.tar.gz
+ef05bb48b9ee13532b53fab2bd3dea4141a8f324 SOURCES/policycoreutils-po.tgz
+be6e4cb77bb89b98ecb246f03780389b30646198 SOURCES/policycoreutils_man_ru2.tar.bz2
+a7af25afd151ccf688a59e7764604b05e738e0e3 SOURCES/sepolgen-1.2.3.tar.gz
+d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz
+611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png
diff --git a/SOURCES/policycoreutils-preserve-timestamps-for-.py-files.patch b/SOURCES/policycoreutils-preserve-timestamps-for-.py-files.patch
new file mode 100644
index 0000000..8a0937a
--- /dev/null
+++ b/SOURCES/policycoreutils-preserve-timestamps-for-.py-files.patch
@@ -0,0 +1,61 @@
+From 86f7072e9e76e4c0391eff3323cb9d8843e1b78d Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 3 Aug 2016 09:12:24 +0200
+Subject: [PATCH] policycoreutils: preserve timestamps for .py files
+
+Mainly in in gui/ and sepolicy/ to avoid python multilib issues reported
+by rpmdiff.
+---
+ policycoreutils/gui/Makefile | 22 +++++++++++-----------
+ policycoreutils/sepolicy/Makefile | 2 +-
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile
+index 0c2b390..4feacc5 100644
+--- a/policycoreutils/gui/Makefile
++++ b/policycoreutils/gui/Makefile
+@@ -31,17 +31,17 @@ install: all
+ -mkdir -p $(DATADIR)/icons/hicolor/24x24/apps
+ -mkdir -p $(SYSCONFDIR)
+ -mkdir -p $(DATADIR)/polkit-1/actions/
+- install -m 755 system-config-selinux.py $(SHAREDIR)
+- install -m 755 system-config-selinux $(BINDIR)
+- install -m 755 polgengui.py $(SHAREDIR)
+- install -m 644 $(TARGETS) $(SHAREDIR)
+- install -m 644 system-config-selinux.8 $(MANDIR)/man8
+- install -m 644 selinux-polgengui.8 $(MANDIR)/man8
+- install -m 644 system-config-selinux.png $(DATADIR)/pixmaps
+- install -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps
+- install -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux
+- install -m 644 *.desktop $(DATADIR)/system-config-selinux
+- install -m 644 org.selinux.config.policy $(DATADIR)/polkit-1/actions/
++ install -p -m 755 system-config-selinux.py $(SHAREDIR)
++ install -p -m 755 system-config-selinux $(BINDIR)
++ install -p -m 755 polgengui.py $(SHAREDIR)
++ install -p -m 644 $(TARGETS) $(SHAREDIR)
++ install -p -m 644 system-config-selinux.8 $(MANDIR)/man8
++ install -p -m 644 selinux-polgengui.8 $(MANDIR)/man8
++ install -p -m 644 system-config-selinux.png $(DATADIR)/pixmaps
++ install -p -m 644 system-config-selinux.png $(DATADIR)/icons/hicolor/24x24/apps
++ install -p -m 644 system-config-selinux.png $(DATADIR)/system-config-selinux
++ install -p -m 644 *.desktop $(DATADIR)/system-config-selinux
++ install -p -m 644 org.selinux.config.policy $(DATADIR)/polkit-1/actions/
+ clean:
+
+ indent:
+diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
+index 39d46e8..5491d79 100644
+--- a/policycoreutils/sepolicy/Makefile
++++ b/policycoreutils/sepolicy/Makefile
+@@ -47,7 +47,7 @@ install:
+ -mkdir -p $(DESTDIR)/usr/share/polkit-1/actions/
+ install -m 644 org.selinux.policy $(DESTDIR)/usr/share/polkit-1/actions/
+ -mkdir -p $(DESTDIR)/usr/share/system-config-selinux
+- install -m 755 selinux_server.py $(DESTDIR)/usr/share/system-config-selinux
++ install -p -m 755 selinux_server.py $(DESTDIR)/usr/share/system-config-selinux
+ install -m 644 *.desktop $(DATADIR)/system-config-selinux
+ -mkdir -p $(DESTDIR) $(DATADIR)/pixmaps
+ install -m 644 sepolicy_256.png $(DATADIR)/pixmaps/sepolicy.png
+--
+1.8.3.1
+
diff --git a/SOURCES/policycoreutils-rhel.patch b/SOURCES/policycoreutils-rhel.patch
new file mode 100644
index 0000000..e7a37da
--- /dev/null
+++ b/SOURCES/policycoreutils-rhel.patch
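Review bot: The `-p` flag is applied inconsistently between the two Makefiles in this patch: in gui/Makefile every `install` line gains it, including the man pages, the png icon, the desktop files and the polkit policy, while in sepolicy/Makefile only the `selinux_server.py` line changes and the adjacent `install -m 644 *.desktop $(DATADIR)/system-config-selinux` and `install -m 644 sepolicy_256.png ...` lines keep the old form. The commit message scopes the change to .py files, so the gui hunk is broader than described and the sepolicy hunk is narrower than its neighbour; it is unclear from the patch which of the two is intended. If the goal is only the rpmdiff multilib mismatch on .py files, the message could say so explicitly, and the non-.py lines in gui/Makefile could be left as they were, or the sepolicy lines brought in line with gui; either way the two should match. The `install:` targets on both sides continue outside the quoted hunks.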
@@ -0,0 +1,11581 @@
+diff --git policycoreutils-2.5/ChangeLog policycoreutils-2.5/ChangeLog
+index d8fb067..10f0cab 100644
+--- policycoreutils-2.5/ChangeLog
++++ policycoreutils-2.5/ChangeLog
+@@ -1,3 +1,34 @@
++ * sandbox: create a new session for sandboxed processes, from Petr Lautrbach.
++ * sandbox: do not try to setup directories without -X or -M, from Petr Lautrbach.
++ * audit2allow: tests should use local copy not system, from Jason Zaman.
++ * audit2allow: fix audit2why import from seobject, from Jason Zaman.
++ * audit2allow: remove audit2why so that it gets symlinked, from Jason Zaman.
++ * semanage: fix man page and help message for import option, from AJ.
++ * semanage: fix error message for fcontext -m, from Miroslav Vadkerti.
++ * semanage: Fix semanage fcontext -D, from Stephen Smalley.
++ * semanage: Correct fcontext auditing, from Miroslav Vadkerti.
++ * semanage: Default serange to "s0" for port modify, from Miroslav Vadkerti.
++ * semanage: Use socket.getprotobyname for protocol, from Miroslav Vadkerti.
++ * semanage: fix modify action in node and interface, from Miroslav Vadkerti.
++ * fixfiles: Pass -n to restorecon for fixfiles check, from Petr Lautrbach.
++ * sepolicy: Check get_rpm_nvr_list() return value, from Vit Mojzis.
++ * Don't use subprocess.getstatusoutput() in Python 2 code, from Petr Lautrbach.
++ * semanage: Add auditing of changes in records, from Miroslav Vadkerti.
++ * Remove unused 'q' from semodule getopt string, from Petr Lautrbach.
++ * Remove unused autoconf files from po/, from Petr Lautrbach.
++ * Remove duplicate, empty translation files, from Piotr Drąg.
++ * open_init_pty: Do not error on EINTR, from Jason Zaman.
++ * Fix [-s STORE] typos in semanage, from Petr Lautrbach.
++ * Update sandbox types in sandbox manual, from Michael De La Rue.
++ * Fix typos in semanage manpages, from Philipp Gesang.
++ * Fix the documentation of -l,--list for semodule, from Petr Lautrbach.
++ * Minor fix in a French translation, from Laurent Bigonville.
++ * Fix the extract example in semodule.8, from Petr Lautrbach.
++ * Update sandbox.8 man page, from Petr Lautrbach.
++ * Remove typos from chcat --help, from Petr Lautrbach.
++ * Fix multiple spelling errors, from Laurent Bigonville.
++ * hll/pp: Warn if module name different than output filename, from James Carter
++
+ 2.5 2016-02-23
+ * sepolicy: Do not overwrite CFLAGS, from Nicolas Iooss.
+ * sepolicy: Rename policy global variable conflict, from Nicolas Iooss.
+diff --git policycoreutils-2.5/Makefile policycoreutils-2.5/Makefile
+index 962ac12..6a9c40c 100644
+--- policycoreutils-2.5/Makefile
++++ policycoreutils-2.5/Makefile
+@@ -1,4 +1,4 @@
+-SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll
++SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll semanage/default_encoding
+
+ INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
+
+diff --git policycoreutils-2.5/audit2allow/audit2why policycoreutils-2.5/audit2allow/audit2why
+deleted file mode 100644
+index b1489ed..0000000
+--- policycoreutils-2.5/audit2allow/audit2why
++++ /dev/null
+@@ -1,364 +0,0 @@
+-#! 
/usr/bin/python -Es +-# Authors: Karl MacMillan +-# Authors: Dan Walsh +-# +-# Copyright (C) 2006-2013 Red Hat +-# see file 'COPYING' for use and warranty information +-# +-# This program is free software; you can redistribute it and/or +-# modify it under the terms of the GNU General Public License as +-# published by the Free Software Foundation; version 2 only +-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program; if not, write to the Free Software +-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +-# +- +-import sys +-import os +- +-import sepolgen.audit as audit +-import sepolgen.policygen as policygen +-import sepolgen.interfaces as interfaces +-import sepolgen.output as output +-import sepolgen.objectmodel as objectmodel +-import sepolgen.defaults as defaults +-import sepolgen.module as module +-from sepolgen.sepolgeni18n import _ +-import selinux.audit2why as audit2why +-import locale +-try: +- locale.setlocale(locale.LC_ALL, '') +-except: +- pass +- +- +-class AuditToPolicy: +- VERSION = "%prog .1" +- SYSLOG = "/var/log/messages" +- +- def __init__(self): +- self.__options = None +- self.__parser = None +- self.__avs = None +- +- def __parse_options(self): +- from optparse import OptionParser +- +- parser = OptionParser(version=self.VERSION) +- parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False, +- help="audit messages since last boot conflicts with -i") +- parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, +- help="read input from audit log - conflicts with -i") +- parser.add_option("-p", "--policy", dest="policy", default=None, help="Policy file to use for analysis") +- 
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, +- help="read input from dmesg - conflicts with --all and --input") +- parser.add_option("-i", "--input", dest="input", +- help="read input from - conflicts with -a") +- parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False, +- help="read input only after the last reload") +- parser.add_option("-r", "--requires", action="store_true", dest="requires", default=False, +- help="generate require statements for rules") +- parser.add_option("-m", "--module", dest="module", +- help="set the module name - implies --requires") +- parser.add_option("-M", "--module-package", dest="module_package", +- help="generate a module package - conflicts with -o and -m") +- parser.add_option("-o", "--output", dest="output", +- help="append output to , conflicts with -M") +- parser.add_option("-D", "--dontaudit", action="store_true", +- dest="dontaudit", default=False, +- help="generate policy with dontaudit rules") +- parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", +- default=True, help="generate refpolicy style output") +- +- parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy", +- default=False, help="do not generate refpolicy style output") +- parser.add_option("-v", "--verbose", action="store_true", dest="verbose", +- default=False, help="explain generated output") +- parser.add_option("-e", "--explain", action="store_true", dest="explain_long", +- default=False, help="fully explain generated output") +- parser.add_option("-t", "--type", help="only process messages with a type that matches this regex", +- dest="type") +- parser.add_option("--perm-map", dest="perm_map", help="file name of perm map") +- parser.add_option("--interface-info", dest="interface_info", help="file name of interface information") +- parser.add_option("--debug", dest="debug", action="store_true", default=False, +- help="leave 
generated modules for -M") +- parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"), +- help="Translates SELinux audit messages into a description of why the access was denied") +- +- options, args = parser.parse_args() +- +- # Make -d, -a, and -i conflict +- if options.audit is True or options.boot: +- if options.input is not None: +- sys.stderr.write("error: --all/--boot conflicts with --input\n") +- if options.dmesg is True: +- sys.stderr.write("error: --all/--boot conflicts with --dmesg\n") +- if options.input is not None and options.dmesg is True: +- sys.stderr.write("error: --input conflicts with --dmesg\n") +- +- # Turn on requires generation if a module name is given. Also verify +- # the module name. +- if options.module: +- name = options.module +- else: +- name = options.module_package +- if name: +- options.requires = True +- if not module.is_valid_name(name): +- sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n') +- sys.exit(2) +- +- # Make -M and -o conflict +- if options.module_package: +- if options.output: +- sys.stderr.write("error: --module-package conflicts with --output\n") +- sys.exit(2) +- if options.module: +- sys.stderr.write("error: --module-package conflicts with --module\n") +- sys.exit(2) +- +- self.__options = options +- +- def __read_input(self): +- parser = audit.AuditParser(last_load_only=self.__options.lastreload) +- +- filename = None +- messages = None +- f = None +- +- # Figure out what input we want +- if self.__options.input is not None: +- filename = self.__options.input +- elif self.__options.dmesg: +- messages = audit.get_dmesg_msgs() +- elif self.__options.audit: +- try: +- messages = audit.get_audit_msgs() +- except OSError as e: +- sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) +- sys.exit(1) +- elif self.__options.boot: +- try: +- messages = 
audit.get_audit_boot_msgs() +- except OSError as e: +- sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) +- sys.exit(1) +- else: +- # This is the default if no input is specified +- f = sys.stdin +- +- # Get the input +- if filename is not None: +- try: +- f = open(filename) +- except IOError as e: +- sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e))) +- sys.exit(1) +- +- if f is not None: +- parser.parse_file(f) +- f.close() +- +- if messages is not None: +- parser.parse_string(messages) +- +- self.__parser = parser +- +- def __process_input(self): +- if self.__options.type: +- avcfilter = audit.AVCTypeFilter(self.__options.type) +- self.__avs = self.__parser.to_access(avcfilter) +- csfilter = audit.ComputeSidTypeFilter(self.__options.type) +- self.__role_types = self.__parser.to_role(csfilter) +- else: +- self.__avs = self.__parser.to_access() +- self.__role_types = self.__parser.to_role() +- +- def __load_interface_info(self): +- # Load interface info file +- if self.__options.interface_info: +- fn = self.__options.interface_info +- else: +- fn = defaults.interface_info() +- try: +- fd = open(fn) +- except: +- sys.stderr.write("could not open interface info [%s]\n" % fn) +- sys.exit(1) +- +- ifs = interfaces.InterfaceSet() +- ifs.from_file(fd) +- fd.close() +- +- # Also load perm maps +- if self.__options.perm_map: +- fn = self.__options.perm_map +- else: +- fn = defaults.perm_map() +- try: +- fd = open(fn) +- except: +- sys.stderr.write("could not open perm map [%s]\n" % fn) +- sys.exit(1) +- +- perm_maps = objectmodel.PermMappings() +- perm_maps.from_file(fd) +- +- return (ifs, perm_maps) +- +- def __output_modulepackage(self, writer, generator): +- generator.set_module_name(self.__options.module_package) +- filename = self.__options.module_package + ".te" +- packagename = self.__options.module_package + ".pp" +- +- try: +- fd = open(filename, "w") +- except IOError as e: +- sys.stderr.write("could not write output file: %s\n" 
% str(e)) +- sys.exit(1) +- +- writer.write(generator.get_module(), fd) +- fd.close() +- +- mc = module.ModuleCompiler() +- +- try: +- mc.create_module_package(filename, self.__options.refpolicy) +- except RuntimeError as e: +- print(e) +- sys.exit(1) +- +- sys.stdout.write(_("******************** IMPORTANT ***********************\n")) +- sys.stdout.write((_("To make this policy package active, execute:" + +- "\n\nsemodule -i %s\n\n") % packagename)) +- +- def __output_audit2why(self): +- import selinux +- import seobject +- for i in self.__parser.avc_msgs: +- rc = i.type +- data = i.data +- if rc >= 0: +- print("%s\n\tWas caused by:" % i.message) +- if rc == audit2why.ALLOW: +- print("\t\tUnknown - would be allowed by active policy") +- print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n") +- print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n") +- continue +- if rc == audit2why.DONTAUDIT: +- print("\t\tUnknown - should be dontaudit'd by active policy") +- print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n") +- print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n") +- continue +- if rc == audit2why.BOOLEAN: +- if len(data) > 1: +- print("\tOne of the following booleans was set incorrectly.") +- for b in data: +- print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])) +- print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])) +- else: +- print("\tThe boolean %s was set incorrectly. 
" % (data[0][0])) +- print("\tDescription:\n\t%s\n" % seobject.boolean_desc(data[0][0])) +- print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1])) +- continue +- +- if rc == audit2why.TERULE: +- print("\t\tMissing type enforcement (TE) allow rule.\n") +- print("\t\tYou can use audit2allow to generate a loadable module to allow this access.\n") +- continue +- +- if rc == audit2why.CONSTRAINT: +- print() # !!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n" +- print("#Constraint rule: \n\t" + data[0]) +- for reason in data[1:]: +- print("#\tPossible cause is the source %s and target %s are different.\n\b" % reason) +- +- if rc == audit2why.RBAC: +- print("\t\tMissing role allow rule.\n") +- print("\t\tAdd an allow rule for the role pair.\n") +- continue +- +- audit2why.finish() +- return +- +- def __output(self): +- +- if self.__options.audit2why: +- try: +- return self.__output_audit2why() +- except RuntimeError as e: +- print(e) +- sys.exit(1) +- +- g = policygen.PolicyGenerator() +- +- g.set_gen_dontaudit(self.__options.dontaudit) +- +- if self.__options.module: +- g.set_module_name(self.__options.module) +- +- # Interface generation +- if self.__options.refpolicy: +- ifs, perm_maps = self.__load_interface_info() +- g.set_gen_refpol(ifs, perm_maps) +- +- # Explanation +- if self.__options.verbose: +- g.set_gen_explain(policygen.SHORT_EXPLANATION) +- if self.__options.explain_long: +- g.set_gen_explain(policygen.LONG_EXPLANATION) +- +- # Requires +- if self.__options.requires: +- g.set_gen_requires(True) +- +- # Generate the policy +- g.add_access(self.__avs) +- g.add_role_types(self.__role_types) +- +- # Output +- writer = output.ModuleWriter() +- +- # Module package +- if self.__options.module_package: +- self.__output_modulepackage(writer, g) +- else: +- # File or stdout +- if self.__options.module: +- 
g.set_module_name(self.__options.module) +- +- if self.__options.output: +- fd = open(self.__options.output, "a") +- else: +- fd = sys.stdout +- writer.write(g.get_module(), fd) +- +- def main(self): +- try: +- self.__parse_options() +- if self.__options.policy: +- audit2why.init(self.__options.policy) +- else: +- audit2why.init() +- +- self.__read_input() +- self.__process_input() +- self.__output() +- except KeyboardInterrupt: +- sys.exit(0) +- except ValueError as e: +- print(e) +- sys.exit(1) +- except IOError as e: +- print(e) +- sys.exit(1) +- +-if __name__ == "__main__": +- app = AuditToPolicy() +- app.main() +diff --git policycoreutils-2.5/audit2allow/audit2why policycoreutils-2.5/audit2allow/audit2why +new file mode 120000 +index 0000000..9cddcf5 +--- /dev/null ++++ policycoreutils-2.5/audit2allow/audit2why +@@ -0,0 +1 @@ ++audit2allow +\ No newline at end of file +diff --git policycoreutils-2.5/audit2allow/test_audit2allow.py policycoreutils-2.5/audit2allow/test_audit2allow.py +index 765c9ea..a826a9f 100644 +--- policycoreutils-2.5/audit2allow/test_audit2allow.py ++++ policycoreutils-2.5/audit2allow/test_audit2allow.py +@@ -33,7 +33,7 @@ class Audit2allowTests(unittest.TestCase): + + def test_audit2allow(self): + "Verify audit2allow works" +- p = Popen(['audit2allow', "-i", "test.log"], stdout=PIPE) ++ p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE) + out, err = p.communicate() + if err: + print(out, err) +@@ -41,7 +41,7 @@ class Audit2allowTests(unittest.TestCase): + + def test_audit2why(self): + "Verify audit2why works" +- p = Popen(['audit2why', "-i", "test.log"], stdout=PIPE) ++ p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE) + out, err = p.communicate() + if err: + print(out, err) +diff --git policycoreutils-2.5/gui/Makefile policycoreutils-2.5/gui/Makefile +index 9d9f820..0c2b390 100644 +--- policycoreutils-2.5/gui/Makefile ++++ policycoreutils-2.5/gui/Makefile +@@ -12,7 +12,6 @@ domainsPage.py \ + 
fcontextPage.py \ + html_util.py \ + loginsPage.py \ +-mappingsPage.py \ + modulesPage.py \ + polgen.glade \ + portsPage.py \ +diff --git policycoreutils-2.5/gui/booleansPage.py policycoreutils-2.5/gui/booleansPage.py +index 507a79d..7fbd50c 100644 +--- policycoreutils-2.5/gui/booleansPage.py ++++ policycoreutils-2.5/gui/booleansPage.py +@@ -18,23 +18,20 @@ + # You should have received a copy of the GNU General Public License + # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + # +-import string + import gtk + import gtk.glade +-import os + import gobject + import sys +-import tempfile + import seobject + import semanagePage + + INSTALLPATH = '/usr/share/system-config-selinux' + sys.path.append(INSTALLPATH) + +-import commands +-ENFORCING = 0 +-PERMISSIVE = 1 +-DISABLED = 2 ++import subprocess ++ENFORCING=0 ++PERMISSIVE=1 ++DISABLED=2 + + ## + ## I18N +@@ -50,10 +47,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode +- +-from glob import fnmatch ++ import builtins ++ builtins.__dict__['_'] = str + + + class Modifier: +@@ -109,8 +104,6 @@ class booleansPage: + self.revertButton = xml.get_widget("booleanRevertButton") + self.revertButton.set_sensitive(self.local) + self.revertButton.connect("clicked", self.on_revert_clicked) +- listStore = gtk.ListStore(gobject.TYPE_STRING) +- cell = gtk.CellRendererText() + + self.store = gtk.ListStore(gobject.TYPE_BOOLEAN, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) + self.store.set_sort_column_id(1, gtk.SORT_ASCENDING) +@@ -176,16 +169,15 @@ class booleansPage: + # change cursor + if boolean == None: + return ++ self.wait() + try: +- self.wait() +- (rc, out) = commands.getstatusoutput("semanage boolean -d %s" % boolean) +- +- self.ready() +- if rc != 0: +- return self.error(out) ++ subprocess.check_output("semanage boolean -d %s" % boolean, ++ stderr=subprocess.STDOUT, ++ shell=True) + self.load(self.filter) +- except 
ValueError, e: +- self.error(e.args[0]) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + + def filter_changed(self, *arg): + filter = arg[0].get_text() +@@ -228,18 +220,26 @@ class booleansPage: + key = self.store.get_value(iter, BOOLEAN) + self.store.set_value(iter, ACTIVE, not val) + self.wait() +- setsebool = "/usr/sbin/setsebool -P %s %d" % (key, not val) +- rc, out = commands.getstatusoutput(setsebool) +- if rc != 0: +- self.error(out) +- self.load(self.filter) ++ setsebool="/usr/sbin/setsebool -P %s %d" % (key, not val) ++ try: ++ subprocess.check_output(setsebool, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.load(self.filter) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) + self.ready() + + def on_revert_clicked(self, button): + self.wait() +- setsebool = "semanage boolean --deleteall" +- commands.getstatusoutput(setsebool) +- self.load(self.filter) ++ setsebool="semanage boolean --deleteall" ++ try: ++ subprocess.check_output(setsebool, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.load(self.filter) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) + self.ready() + + def on_local_clicked(self, button): +diff --git policycoreutils-2.5/gui/domainsPage.py policycoreutils-2.5/gui/domainsPage.py +index 56c66fe..f4a281f 100644 +--- policycoreutils-2.5/gui/domainsPage.py ++++ policycoreutils-2.5/gui/domainsPage.py +@@ -20,7 +20,7 @@ import string + import gtk + import gtk.glade + import os +-import commands ++import subprocess + import gobject + import sys + import seobject +@@ -41,8 +41,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + + class domainsPage(semanagePage): +@@ -117,18 +117,17 @@ class domainsPage(semanagePage): + selection = self.view.get_selection() + store, iter = selection.get_selected() + domain = store.get_value(iter, 0) ++ 
self.wait() ++ cmd = "semanage permissive -d %s_t" % domain + try: +- self.wait() +- status, output = commands.getstatusoutput("semanage permissive -d %s_t" % domain) +- self.ready() +- if status != 0: +- self.error(output) +- else: +- domain = store.set_value(iter, 1, "") +- self.itemSelected(selection) +- +- except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ domain = store.set_value(iter, 1, "") ++ self.itemSelected(selection) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + + def propertiesDialog(self): + # Do nothing +@@ -142,15 +141,14 @@ class domainsPage(semanagePage): + selection = self.view.get_selection() + store, iter = selection.get_selected() + domain = store.get_value(iter, 0) ++ self.wait() ++ cmd = "semanage permissive -a %s_t" % domain + try: +- self.wait() +- status, output = commands.getstatusoutput("semanage permissive -a %s_t" % domain) +- self.ready() +- if status != 0: +- self.error(output) +- else: +- domain = store.set_value(iter, 1, _("Permissive")) +- self.itemSelected(selection) +- +- except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ domain = store.set_value(iter, 1, _("Permissive")) ++ self.itemSelected(selection) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() +diff --git policycoreutils-2.5/gui/fcontextPage.py policycoreutils-2.5/gui/fcontextPage.py +index c8d6ba8..154e8e2 100644 +--- policycoreutils-2.5/gui/fcontextPage.py ++++ policycoreutils-2.5/gui/fcontextPage.py +@@ -18,10 +18,9 @@ + ## Author: Dan Walsh + import gtk + import gtk.glade +-import os + import gobject + import seobject +-import commands ++import subprocess + from semanagePage import * + + SPEC_COL = 0 +@@ -57,8 +56,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ 
import builtins ++ builtins.__dict__['_'] = str + + + class fcontextPage(semanagePage): +@@ -99,17 +98,17 @@ class fcontextPage(semanagePage): + self.fcontextFileTypeCombo = xml.get_widget("fcontextFileTypeCombo") + liststore = self.fcontextFileTypeCombo.get_model() + for k in seobject.file_types: +- if len(k) > 0 and k[0] != '-': +- iter = liststore.append() +- liststore.set_value(iter, 0, k) +- iter = liststore.get_iter_first() +- self.fcontextFileTypeCombo.set_active_iter(iter) ++ if len(k) > 0 and k[0] != '-': ++ it=liststore.append() ++ liststore.set_value(it, 0, k) ++ it = liststore.get_iter_first() ++ self.fcontextFileTypeCombo.set_active_iter(it) + self.fcontextTypeEntry = xml.get_widget("fcontextTypeEntry") + self.fcontextMLSEntry = xml.get_widget("fcontextMLSEntry") + +- def match(self, fcon_dict, k, filter): ++ def match(self, fcon_dict, k, filt): + try: +- f = filter.lower() ++ f=filt.lower() + for con in k: + k = con.lower() + if k.find(f) >= 0: +@@ -122,46 +121,46 @@ class fcontextPage(semanagePage): + pass + return False + +- def load(self, filter=""): +- self.filter = filter +- self.fcontext = seobject.fcontextRecords() ++ def load(self, filt=""): ++ self.filter=filt ++ self.fcontext=seobject.fcontextRecords() + self.store.clear() +- fcon_dict = self.fcontext.get_all(self.local) +- keys = fcon_dict.keys() ++ fcon_dict=self.fcontext.get_all(self.local) ++ keys = list(fcon_dict.keys()) + keys.sort() + for k in keys: +- if not self.match(fcon_dict, k, filter): ++ if not self.match(fcon_dict, k, filt): + continue +- iter = self.store.append() +- self.store.set_value(iter, SPEC_COL, k[0]) +- self.store.set_value(iter, FTYPE_COL, k[1]) ++ it=self.store.append() ++ self.store.set_value(it, SPEC_COL, k[0]) ++ self.store.set_value(it, FTYPE_COL, k[1]) + if fcon_dict[k]: + rec = "%s:%s" % (fcon_dict[k][2], seobject.translate(fcon_dict[k][3], False)) + else: +- rec = "<>" +- self.store.set_value(iter, TYPE_COL, rec) +- 
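Review bot: The rewritten lines `it=liststore.append()` and `f=filt.lower()` drop the spaces around `=` that the replaced lines had, so the rename away from `iter` and `filter` (a good change — both shadow builtins) arrives with a PEP 8 regression that any later formatting pass will churn again. Keep `it = liststore.append()` and `f = filt.lower()`. The same `name=value` form, and the space-before-paren in `select_path ((0,))`, recur in the later fcontextPage, loginsPage and portsPage hunks.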
self.view.get_selection().select_path((0,)) ++ rec="<>" ++ self.store.set_value(it, TYPE_COL, rec) ++ self.view.get_selection().select_path ((0,)) + + def filter_changed(self, *arg): +- filter = arg[0].get_text() +- if filter != self.filter: +- self.load(filter) ++ filt = arg[0].get_text() ++ if filt != self.filter: ++ self.load(filt) + + def dialogInit(self): +- store, iter = self.view.get_selection().get_selected() +- self.fcontextEntry.set_text(store.get_value(iter, SPEC_COL)) ++ store, it = self.view.get_selection().get_selected() ++ self.fcontextEntry.set_text(store.get_value(it, SPEC_COL)) + self.fcontextEntry.set_sensitive(False) +- scontext = store.get_value(iter, TYPE_COL) +- scon = context(scontext) ++ scontext = store.get_value(it, TYPE_COL) ++ scon=context(scontext) + self.fcontextTypeEntry.set_text(scon.type) + self.fcontextMLSEntry.set_text(scon.mls) +- type = store.get_value(iter, FTYPE_COL) +- liststore = self.fcontextFileTypeCombo.get_model() +- iter = liststore.get_iter_first() +- while iter != None and liststore.get_value(iter, 0) != type: +- iter = liststore.iter_next(iter) +- if iter != None: +- self.fcontextFileTypeCombo.set_active_iter(iter) ++ setype=store.get_value(it, FTYPE_COL) ++ liststore=self.fcontextFileTypeCombo.get_model() ++ it = liststore.get_iter_first() ++ while it != None and liststore.get_value(it,0) != setype: ++ it = liststore.iter_next(it) ++ if it != None: ++ self.fcontextFileTypeCombo.set_active_iter(it) + self.fcontextFileTypeCombo.set_sensitive(False) + + def dialogClear(self): +@@ -172,55 +171,60 @@ class fcontextPage(semanagePage): + self.fcontextMLSEntry.set_text("s0") + + def delete(self): +- store, iter = self.view.get_selection().get_selected() ++ store, it = self.view.get_selection().get_selected() ++ fspec=store.get_value(it, SPEC_COL) ++ ftype=store.get_value(it, FTYPE_COL) ++ self.wait() + try: +- fspec = store.get_value(iter, SPEC_COL) +- ftype = store.get_value(iter, FTYPE_COL) +- self.wait() +- (rc, out) = 
commands.getstatusoutput("semanage fcontext -d -f '%s' '%s'" % (ftype, fspec)) +- self.ready() +- +- if rc != 0: +- return self.error(out) +- store.remove(iter) +- self.view.get_selection().select_path((0,)) +- except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output("semanage fcontext -d -f '%s' '%s'" % (ftype, fspec), ++ stderr=subprocess.STDOUT, ++ shell=True) ++ store.remove(it) ++ self.view.get_selection().select_path ((0,)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + + def add(self): +- ftype = ["", "--", "-d", "-c", "-b", "-s", "-l", "-p"] +- fspec = self.fcontextEntry.get_text().strip() +- type = self.fcontextTypeEntry.get_text().strip() +- mls = self.fcontextMLSEntry.get_text().strip() +- list_model = self.fcontextFileTypeCombo.get_model() ++ ftype=["", "--", "-d", "-c", "-b", "-s", "-l", "-p" ] ++ fspec=self.fcontextEntry.get_text().strip() ++ setype=self.fcontextTypeEntry.get_text().strip() ++ mls=self.fcontextMLSEntry.get_text().strip() ++ list_model=self.fcontextFileTypeCombo.get_model() + active = self.fcontextFileTypeCombo.get_active() + self.wait() +- (rc, out) = commands.getstatusoutput("semanage fcontext -a -t %s -r %s -f '%s' '%s'" % (type, mls, ftype[active], fspec)) +- self.ready() +- if rc != 0: +- self.error(out) ++ try: ++ subprocess.check_output("semanage fcontext -a -t %s -r %s -f '%s' '%s'" % (setype, mls, ftype[active], fspec), ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ it=self.store.append() ++ self.store.set_value(it, SPEC_COL, fspec) ++ self.store.set_value(it, FTYPE_COL, ftype) ++ self.store.set_value(it, TYPE_COL, "%s:%s" % (setype, mls)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + return False + +- iter = self.store.append() +- self.store.set_value(iter, SPEC_COL, fspec) +- self.store.set_value(iter, FTYPE_COL, ftype) +- self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls)) +- + def modify(self): +- 
fspec = self.fcontextEntry.get_text().strip() +- type = self.fcontextTypeEntry.get_text().strip() +- mls = self.fcontextMLSEntry.get_text().strip() +- list_model = self.fcontextFileTypeCombo.get_model() +- iter = self.fcontextFileTypeCombo.get_active_iter() +- ftype = list_model.get_value(iter, 0) ++ fspec=self.fcontextEntry.get_text().strip() ++ setype=self.fcontextTypeEntry.get_text().strip() ++ mls=self.fcontextMLSEntry.get_text().strip() ++ list_model=self.fcontextFileTypeCombo.get_model() ++ it = self.fcontextFileTypeCombo.get_active_iter() ++ ftype=list_model.get_value(it,0) + self.wait() +- (rc, out) = commands.getstatusoutput("semanage fcontext -m -t %s -r %s -f '%s' '%s'" % (type, mls, ftype, fspec)) +- self.ready() +- if rc != 0: +- self.error(out) ++ try: ++ subprocess.check_output("semanage fcontext -m -t %s -r %s -f '%s' '%s'" % (setype, mls, ftype, fspec), ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ store, it = self.view.get_selection().get_selected() ++ self.store.set_value(it, SPEC_COL, fspec) ++ self.store.set_value(it, FTYPE_COL, ftype) ++ self.store.set_value(it, TYPE_COL, "%s:%s" % (setype, mls)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + return False +- +- store, iter = self.view.get_selection().get_selected() +- self.store.set_value(iter, SPEC_COL, fspec) +- self.store.set_value(iter, FTYPE_COL, ftype) +- self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls)) +diff --git policycoreutils-2.5/gui/html_util.py policycoreutils-2.5/gui/html_util.py +index 5a596bc..ad6c534 100644 +--- policycoreutils-2.5/gui/html_util.py ++++ policycoreutils-2.5/gui/html_util.py +@@ -30,7 +30,8 @@ import htmllib + import formatter as Formatter + import string + from types import * +-import StringIO ++import io ++import collections + + #------------------------------------------------------------------------------ + +@@ -127,7 +128,7 @@ def unescape_html(s): + + def html_to_text(html, maxcol=80): + 
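Review bot: The rewritten `add` and `modify` still build the `semanage fcontext` command line by `%`-formatting the text of `fcontextEntry`, `fcontextTypeEntry` and `fcontextMLSEntry` and run it with `shell=True`, so a file spec containing a single quote or a type field containing whitespace breaks the quoting — the values are typed by the local administrator, so this is a robustness issue rather than a privilege boundary, but since every call is being rewritten this is the place to drop the shell: `subprocess.check_output(["semanage", "fcontext", "-a", "-t", setype, "-r", mls, "-f", ftype[active], fspec], stderr=subprocess.STDOUT)`, and likewise for `delete`, `modify` and the semanage/semodule calls in loginsPage, modulesPage and portsPage. Separately, `add` stores `ftype` — the whole option list — in `FTYPE_COL`, where `modify` stores the single selected string; `ftype[active]`, as used in the command on the line above, was presumably intended. The old lines had both issues, so neither is introduced here, but the rewrite carries them forward.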
try: +- buffer = StringIO.StringIO() ++ buffer = io.StringIO() + formatter = Formatter.AbstractFormatter(TextWriter(buffer, maxcol)) + parser = HTMLParserAnchor(formatter) + parser.feed(html) +@@ -135,7 +136,7 @@ def html_to_text(html, maxcol=80): + text = buffer.getvalue() + buffer.close() + return text +- except Exception, e: ++ except Exception as e: + log_program.error('cannot convert html to text: %s' % e) + return None + +@@ -158,7 +159,7 @@ def html_document(*body_components): + elif type(body_component) in [TupleType, ListType]: + for item in body_component: + doc += item +- elif callable(body_component): ++ elif isinstance(body_component, collections.Callable): + result = body_component() + if type(result) in [TupleType, ListType]: + for item in result: +diff --git policycoreutils-2.5/gui/loginsPage.py policycoreutils-2.5/gui/loginsPage.py +index 982e252..fbc26e0 100644 +--- policycoreutils-2.5/gui/loginsPage.py ++++ policycoreutils-2.5/gui/loginsPage.py +@@ -16,13 +16,10 @@ + ## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
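Review bot: `isinstance(body_component, collections.Callable)` in `html_document` replaces a builtin that already works on both Python lines: `callable()` exists in 2.x and was restored in 3.2, while `collections.Callable` is the deprecated alias of `collections.abc.Callable` that Python 3.10 removes, so the new line is less portable than the one it replaces. Revert to `elif callable(body_component):`; the `import collections` added in this file's imports hunk then becomes unused. The surrounding context lines still test `type(...) in [TupleType, ListType]`, names from `from types import *` that Python 3 no longer provides, so on 3 this function would raise NameError before reaching the changed line; `isinstance(x, (tuple, list))` works on both.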
+ + ## Author: Dan Walsh +-import string + import gtk + import gtk.glade +-import os + import gobject +-import sys +-import commands ++import subprocess + import seobject + from semanagePage import * + +@@ -39,8 +36,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + + class loginsPage(semanagePage): +@@ -70,21 +67,21 @@ class loginsPage(semanagePage): + self.filter = filter + self.login = seobject.loginRecords() + dict = self.login.get_all(0) +- keys = dict.keys() ++ keys = list(dict.keys()) + keys.sort() + self.store.clear() + for k in keys: + range = seobject.translate(dict[k][1]) + if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(range, filter)): + continue +- iter = self.store.append() +- self.store.set_value(iter, 0, k) +- self.store.set_value(iter, 1, dict[k][0]) +- self.store.set_value(iter, 2, range) +- self.view.get_selection().select_path((0,)) ++ it = self.store.append() ++ self.store.set_value(it, 0, k) ++ self.store.set_value(it, 1, dict[k][0]) ++ self.store.set_value(it, 2, range) ++ self.view.get_selection().select_path ((0,)) + + def __dialogSetup(self): +- if self.firstTime == True: ++ if self.firstTime: + return + self.firstTime = True + liststore = gtk.ListStore(gobject.TYPE_STRING) +@@ -94,31 +91,31 @@ class loginsPage(semanagePage): + self.loginsSelinuxUserCombo.add_attribute(cell, 'text', 0) + + selusers = seobject.seluserRecords().get_all(0) +- keys = selusers.keys() ++ keys = list(selusers.keys()) + keys.sort() + for k in keys: + if k != "system_u": + self.loginsSelinuxUserCombo.append_text(k) + +- iter = liststore.get_iter_first() +- while liststore.get_value(iter, 0) != "user_u": +- iter = liststore.iter_next(iter) +- self.loginsSelinuxUserCombo.set_active_iter(iter) ++ it = liststore.get_iter_first() ++ while liststore.get_value(it,0) != "user_u": ++ it = liststore.iter_next(it) ++ 
self.loginsSelinuxUserCombo.set_active_iter(it) + + def dialogInit(self): + self.__dialogSetup() +- store, iter = self.view.get_selection().get_selected() +- self.loginsNameEntry.set_text(store.get_value(iter, 0)) ++ store, it = self.view.get_selection().get_selected() ++ self.loginsNameEntry.set_text(store.get_value(it, 0)) + self.loginsNameEntry.set_sensitive(False) + +- self.loginsMLSEntry.set_text(store.get_value(iter, 2)) +- seuser = store.get_value(iter, 1) ++ self.loginsMLSEntry.set_text(store.get_value(it, 2)) ++ seuser = store.get_value(it, 1) + liststore = self.loginsSelinuxUserCombo.get_model() +- iter = liststore.get_iter_first() +- while iter != None and liststore.get_value(iter, 0) != seuser: +- iter = liststore.iter_next(iter) +- if iter != None: +- self.loginsSelinuxUserCombo.set_active_iter(iter) ++ it = liststore.get_iter_first() ++ while it != None and liststore.get_value(it,0) != seuser: ++ it = liststore.iter_next(it) ++ if it != None: ++ self.loginsSelinuxUserCombo.set_active_iter(it) + + def dialogClear(self): + self.__dialogSetup() +@@ -127,59 +124,69 @@ class loginsPage(semanagePage): + self.loginsMLSEntry.set_text("s0") + + def delete(self): +- store, iter = self.view.get_selection().get_selected() ++ store, it = self.view.get_selection().get_selected() + try: +- login = store.get_value(iter, 0) ++ login=store.get_value(it, 0) + if login == "root" or login == "__default__": + raise ValueError(_("Login '%s' is required") % login) + + self.wait() +- (rc, out) = commands.getstatusoutput("semanage login -d %s" % login) +- self.ready() +- if rc != 0: +- self.error(out) ++ try: ++ subprocess.check_output("semanage login -d %s" % login, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ store.remove(it) ++ self.view.get_selection().select_path ((0,)) ++ except subprocess.CalledProcessError as e: ++ self.ready() ++ self.error(e.output) + return False +- store.remove(iter) +- self.view.get_selection().select_path((0,)) +- except 
ValueError, e: ++ except ValueError as e: + self.error(e.args[0]) + + def add(self): + target = self.loginsNameEntry.get_text().strip() + serange = self.loginsMLSEntry.get_text().strip() + if serange == "": +- serange = "s0" +- list_model = self.loginsSelinuxUserCombo.get_model() +- iter = self.loginsSelinuxUserCombo.get_active_iter() +- seuser = list_model.get_value(iter, 0) ++ serange="s0" ++ list_model=self.loginsSelinuxUserCombo.get_model() ++ it = self.loginsSelinuxUserCombo.get_active_iter() ++ seuser = list_model.get_value(it,0) + self.wait() +- (rc, out) = commands.getstatusoutput("semanage login -a -s %s -r %s %s" % (seuser, serange, target)) +- self.ready() +- if rc != 0: +- self.error(out) ++ try: ++ subprocess.check_output("semanage login -a -s %s -r %s %s" % (seuser, serange, target), ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ it = self.store.append() ++ self.store.set_value(it, 0, target) ++ self.store.set_value(it, 1, seuser) ++ self.store.set_value(it, 2, seobject.translate(serange)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + return False + +- iter = self.store.append() +- self.store.set_value(iter, 0, target) +- self.store.set_value(iter, 1, seuser) +- self.store.set_value(iter, 2, seobject.translate(serange)) +- + def modify(self): + target = self.loginsNameEntry.get_text().strip() + serange = self.loginsMLSEntry.get_text().strip() + if serange == "": + serange = "s0" + list_model = self.loginsSelinuxUserCombo.get_model() +- iter = self.loginsSelinuxUserCombo.get_active_iter() +- seuser = list_model.get_value(iter, 0) ++ it = self.loginsSelinuxUserCombo.get_active_iter() ++ seuser=list_model.get_value(it,0) + self.wait() +- (rc, out) = commands.getstatusoutput("semanage login -m -s %s -r %s %s" % (seuser, serange, target)) +- self.ready() +- if rc != 0: +- self.error(out) ++ try: ++ subprocess.check_output("semanage login -m -s %s -r %s %s" % (seuser, serange, target), ++ 
stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ store, it = self.view.get_selection().get_selected() ++ self.store.set_value(it, 0, target) ++ self.store.set_value(it, 1, seuser) ++ self.store.set_value(it, 2, seobject.translate(serange)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + return False +- +- store, iter = self.view.get_selection().get_selected() +- self.store.set_value(iter, 0, target) +- self.store.set_value(iter, 1, seuser) +- self.store.set_value(iter, 2, seobject.translate(serange)) +diff --git policycoreutils-2.5/gui/modulesPage.py policycoreutils-2.5/gui/modulesPage.py +index 3b83e45..3feb2ba 100644 +--- policycoreutils-2.5/gui/modulesPage.py ++++ policycoreutils-2.5/gui/modulesPage.py +@@ -20,7 +20,7 @@ import string + import gtk + import gtk.glade + import os +-import commands ++import subprocess + import gobject + import sys + import seobject +@@ -41,8 +41,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + + class modulesPage(semanagePage): +@@ -87,8 +87,8 @@ class modulesPage(semanagePage): + except: + return 0 + +- def load(self, filter=""): +- self.filter = filter ++ def load(self, filt=""): ++ self.filter=filt + self.store.clear() + try: + fd = Popen("semodule -l", shell=True, stdout=PIPE).stdout +@@ -96,11 +96,11 @@ class modulesPage(semanagePage): + fd.close() + for i in l: + module, ver, newline = i.split('\t') +- if not (self.match(module, filter) or self.match(ver, filter)): ++ if not (self.match(module, filt) or self.match(ver, filt)): + continue +- iter = self.store.append() +- self.store.set_value(iter, 0, module.strip()) +- self.store.set_value(iter, 1, ver.strip()) ++ it = self.store.append() ++ self.store.set_value(it, 0, module.strip()) ++ self.store.set_value(it, 1, ver.strip()) + except: + pass + self.view.get_selection().select_path((0,)) +@@ 
-108,53 +108,51 @@ class modulesPage(semanagePage): + def new_module(self, args): + try: + Popen(["/usr/share/system-config-selinux/polgengui.py"]) +- except ValueError, e: ++ except ValueError as e: + self.error(e.args[0]) + + def delete(self): +- store, iter = self.view.get_selection().get_selected() +- module = store.get_value(iter, 0) ++ store, it = self.view.get_selection().get_selected() ++ module = store.get_value(it, 0) ++ self.wait() + try: +- self.wait() +- status, output = commands.getstatusoutput("semodule -r %s" % module) +- self.ready() +- if status != 0: +- self.error(output) +- else: +- store.remove(iter) +- self.view.get_selection().select_path((0,)) +- +- except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output("semodule -r %s" % module, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ store.remove(it) ++ self.view.get_selection().select_path ((0,)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + + def enable_audit(self, button): + self.audit_enabled = not self.audit_enabled ++ if self.audit_enabled: ++ cmd = "semodule -DB" ++ label = _("Disable Audit") ++ else: ++ cmd = "semodule -B" ++ label = _("Enable Audit") ++ self.wait() + try: +- self.wait() +- if self.audit_enabled: +- status, output = commands.getstatusoutput("semodule -DB") +- button.set_label(_("Disable Audit")) +- else: +- status, output = commands.getstatusoutput("semodule -B") +- button.set_label(_("Enable Audit")) +- self.ready() +- +- if status != 0: +- self.error(output) +- +- except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ button.set_label(label) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + + def disable_audit(self, button): ++ self.wait() ++ cmd = "semodule -B" + try: +- self.wait() +- status, output = commands.getstatusoutput("semodule -B") +- self.ready() +- if status != 0: +- self.error(output) +- +- 
except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + + def propertiesDialog(self): + # Do nothing +@@ -168,10 +166,10 @@ class modulesPage(semanagePage): + gtk.STOCK_OPEN, gtk.RESPONSE_OK)) + dialog.set_default_response(gtk.RESPONSE_OK) + +- filter = gtk.FileFilter() +- filter.set_name("Policy Files") +- filter.add_pattern("*.pp") +- dialog.add_filter(filter) ++ filt = gtk.FileFilter() ++ filt.set_name("Policy Files") ++ filt.add_pattern("*.pp") ++ dialog.add_filter(filt) + + response = dialog.run() + if response == gtk.RESPONSE_OK: +@@ -179,14 +177,14 @@ class modulesPage(semanagePage): + dialog.destroy() + + def add(self, file): ++ self.wait() ++ cmd = "semodule -i %s" % file + try: +- self.wait() +- status, output = commands.getstatusoutput("semodule -i %s" % file) +- self.ready() +- if status != 0: +- self.error(output) +- else: +- self.load() +- +- except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.load() ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() ++ +diff --git policycoreutils-2.5/gui/polgen.glade policycoreutils-2.5/gui/polgen.glade +index 37c1472..a712c57 100644 +--- policycoreutils-2.5/gui/polgen.glade ++++ policycoreutils-2.5/gui/polgen.glade +@@ -758,7 +758,7 @@ + True + False + True +- ++ + + + 2 +@@ -840,7 +840,7 @@ + True + False + True +- ++ + + + 2 +@@ -1983,7 +1983,7 @@ Tab + True + True + False +- ++ + + + True +@@ -2011,7 +2011,7 @@ Tab + + True + False +- Add File ++ Add File + True + + +@@ -2036,7 +2036,7 @@ Tab + True + True + False +- ++ + + + True +@@ -2064,7 +2064,7 @@ Tab + + True + False +- Add Directory ++ Add Directory + True + + +@@ -2091,7 +2091,7 @@ Tab + True + False + True +- ++ + + + +@@ -2188,7 +2188,7 @@ Tab + True + True + False +- ++ + + + True +@@ 
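Review bot: `enable_audit` toggles `self.audit_enabled` before the `semodule` call, and the new except branch reports the error but leaves the flag flipped while `button.set_label(label)` is skipped, so after a failed run the stored state and the button text disagree and the next click issues the opposite command from what the label promises. Reverting the flag alongside the report keeps them in step: `self.audit_enabled = not self.audit_enabled` as the first line of the `except subprocess.CalledProcessError` branch. The old code had the same flip-first ordering; the new cmd/label selection block is what makes the one-line fix cheap now.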
-2216,7 +2216,7 @@ Tab + + True + False +- Add Boolean ++ Add Boolean + True + + +@@ -2243,7 +2243,7 @@ Tab + True + False + True +- ++ + + + +@@ -2414,7 +2414,7 @@ Tab + True + False + True +- ++ + + + False +@@ -2430,7 +2430,7 @@ Tab + True + False + True +- ++ + + + False +@@ -2446,7 +2446,7 @@ Tab + True + False + True +- ++ + + + False +diff --git policycoreutils-2.5/gui/polgengui.py policycoreutils-2.5/gui/polgengui.py +index 0a153c6..f6511db 100644 +--- policycoreutils-2.5/gui/polgengui.py ++++ policycoreutils-2.5/gui/polgengui.py +@@ -30,30 +30,15 @@ import gnome + import sys + try: + from sepolicy import generate +-except ValueError, e: ++except ValueError as e: + sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) + sys.exit(1) +- ++ + import sepolicy.interface +-import commands ++import subprocess + + import re + +- +-def get_all_modules(): +- try: +- all_modules = [] +- rc, output = commands.getstatusoutput("semodule -l 2>/dev/null") +- if rc == 0: +- l = output.split("\n") +- for i in l: +- all_modules.append(i.split()[0]) +- except: +- pass +- +- return all_modules +- +- + ## + ## I18N + ## +@@ -68,8 +53,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + gnome.program_init("SELinux Policy Generation Tool", "5") + +@@ -195,10 +180,10 @@ class childWindow: + + try: + self.all_types = generate.get_all_types() +- self.all_modules = get_all_modules() ++ self.all_modules = sepolicy.get_all_modules() + self.all_roles = generate.get_all_roles() + self.all_users = generate.get_all_users() +- except RuntimeError, e: ++ except RuntimeError as e: + self.all_types = [] + self.all_modules = [] + self.all_roles = [] +@@ -265,8 +250,8 @@ class childWindow: + self.out_udp_entry = self.xml.get_widget("out_udp_entry") + self.network_buttons[self.out_udp_all_checkbutton] = [self.out_udp_entry] + +- for b in 
self.network_buttons.keys(): +- b.connect("clicked", self.network_all_clicked) ++ for b in list(self.network_buttons.keys()): ++ b.connect("clicked",self.network_all_clicked) + + self.boolean_treeview = self.xml.get_widget("boolean_treeview") + self.boolean_store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING) +@@ -336,7 +321,7 @@ class childWindow: + for a in sepolicy.interface.get_admin(): + iter = self.admin_store.append() + self.admin_store.set_value(iter, 0, a) +- except ValueError, e: ++ except ValueError as e: + self.error(e.message) + + def confine_application(self): +@@ -522,7 +507,7 @@ class childWindow: + + self.info(my_policy.generate(outputdir)) + return False +- except ValueError, e: ++ except ValueError as e: + self.error(e.message) + + def delete(self, args): +@@ -671,7 +656,7 @@ class childWindow: + entry.set_text("") + return False + if name in self.all_modules: +- if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: ++ if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: + entry.set_text("") + return False + +@@ -690,7 +675,7 @@ class childWindow: + try: + generate.verify_ports(self.in_tcp_entry.get_text()) + generate.verify_ports(self.in_udp_entry.get_text()) +- except ValueError, e: ++ except ValueError as e: + self.error(e.message) + return True + +@@ -698,7 +683,7 @@ class childWindow: + try: + generate.verify_ports(self.out_tcp_entry.get_text()) + generate.verify_ports(self.out_udp_entry.get_text()) +- except ValueError, e: ++ except ValueError as e: + self.error(e.message) + return True + +@@ -737,12 +722,12 @@ class childWindow: + policy.set_program(exe) + policy.gen_writeable() + policy.gen_symbols() +- for f in policy.files.keys(): ++ for f in list(policy.files.keys()): + iter = self.store.append() + self.store.set_value(iter, 0, f) + self.store.set_value(iter, 
1, FILE) + +- for f in policy.dirs.keys(): ++ for f in list(policy.dirs.keys()): + iter = self.store.append() + self.store.set_value(iter, 0, f) + self.store.set_value(iter, 1, DIR) +diff --git policycoreutils-2.5/gui/portsPage.py policycoreutils-2.5/gui/portsPage.py +index 8e74ac0..e8737b0 100644 +--- policycoreutils-2.5/gui/portsPage.py ++++ policycoreutils-2.5/gui/portsPage.py +@@ -16,14 +16,11 @@ + ## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + + ## Author: Dan Walsh +-import string + import gtk + import gtk.glade +-import os + import gobject +-import sys + import seobject +-import commands ++import subprocess + from semanagePage import * + + ## +@@ -43,8 +40,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + + class portsPage(semanagePage): +@@ -64,19 +61,19 @@ class portsPage(semanagePage): + self.ports_properties_button = xml.get_widget("portsPropertiesButton") + self.ports_delete_button = xml.get_widget("portsDeleteButton") + liststore = self.ports_protocol_combo.get_model() +- iter = liststore.get_iter_first() +- self.ports_protocol_combo.set_active_iter(iter) ++ it = liststore.get_iter_first() ++ self.ports_protocol_combo.set_active_iter(it) + self.init_store() + self.edit = True + self.load() + + def filter_changed(self, *arg): +- filter = arg[0].get_text() +- if filter != self.filter: ++ filt = arg[0].get_text() ++ if filt != self.filter: + if self.edit: +- self.load(filter) ++ self.load(filt) + else: +- self.group_load(filter) ++ self.group_load(filt) + + def init_store(self): + self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING, gobject.TYPE_STRING) +@@ -118,63 +115,63 @@ class portsPage(semanagePage): + except: + return 0 + +- def load(self, filter=""): +- self.filter = filter ++ def load(self,filt = ""): ++ self.filter=filt + self.port = seobject.portRecords() +- dict = 
self.port.get_all(self.local) +- keys = dict.keys() ++ pdict = self.port.get_all(self.local) ++ keys = list(pdict.keys()) + keys.sort() + self.store.clear() + for k in keys: +- if not (self.match(str(k[0]), filter) or self.match(dict[k][0], filter) or self.match(k[2], filter) or self.match(dict[k][1], filter) or self.match(dict[k][1], filter)): ++ if not (self.match(str(k[0]), filt) or self.match(pdict[k][0], filt) or self.match(k[2], filt) or self.match(pdict[k][1], filt) or self.match(pdict[k][1], filt)): + continue +- iter = self.store.append() ++ it = self.store.append() + if k[0] == k[1]: +- self.store.set_value(iter, PORT_COL, k[0]) ++ self.store.set_value(it, PORT_COL, k[0]) + else: + rec = "%s-%s" % k[:2] +- self.store.set_value(iter, PORT_COL, rec) +- self.store.set_value(iter, TYPE_COL, dict[k][0]) +- self.store.set_value(iter, PROTOCOL_COL, k[2]) +- self.store.set_value(iter, MLS_COL, dict[k][1]) +- self.view.get_selection().select_path((0,)) ++ self.store.set_value(it, PORT_COL, rec) ++ self.store.set_value(it, TYPE_COL, pdict[k][0]) ++ self.store.set_value(it, PROTOCOL_COL, k[2]) ++ self.store.set_value(it, MLS_COL, pdict[k][1]) ++ self.view.get_selection().select_path ((0,)) + +- def group_load(self, filter=""): +- self.filter = filter ++ def group_load(self, filt = ""): ++ self.filter=filt + self.port = seobject.portRecords() +- dict = self.port.get_all_by_type(self.local) +- keys = dict.keys() ++ pdict = self.port.get_all_by_type(self.local) ++ keys = list(pdict.keys()) + keys.sort() + self.store.clear() + for k in keys: +- ports_string = ", ".join(dict[k]) +- if not (self.match(ports_string, filter) or self.match(k[0], filter) or self.match(k[1], filter)): ++ ports_string = ", ".join(pdict[k]) ++ if not (self.match(ports_string, filt) or self.match(k[0], filt) or self.match(k[1], filt) ): + continue +- iter = self.store.append() +- self.store.set_value(iter, TYPE_COL, k[0]) +- self.store.set_value(iter, PROTOCOL_COL, k[1]) +- 
self.store.set_value(iter, PORT_COL, ports_string) +- self.store.set_value(iter, MLS_COL, "") +- self.view.get_selection().select_path((0,)) ++ it = self.store.append() ++ self.store.set_value(it, TYPE_COL, k[0]) ++ self.store.set_value(it, PROTOCOL_COL, k[1]) ++ self.store.set_value(it, PORT_COL, ports_string) ++ self.store.set_value(it, MLS_COL, "") ++ self.view.get_selection().select_path ((0,)) + + def propertiesDialog(self): + if self.edit: + semanagePage.propertiesDialog(self) + + def dialogInit(self): +- store, iter = self.view.get_selection().get_selected() +- self.ports_number_entry.set_text(store.get_value(iter, PORT_COL)) ++ store, it = self.view.get_selection().get_selected() ++ self.ports_number_entry.set_text(store.get_value(it, PORT_COL)) + self.ports_number_entry.set_sensitive(False) + self.ports_protocol_combo.set_sensitive(False) +- self.ports_name_entry.set_text(store.get_value(iter, TYPE_COL)) +- self.ports_mls_entry.set_text(store.get_value(iter, MLS_COL)) +- protocol = store.get_value(iter, PROTOCOL_COL) ++ self.ports_name_entry.set_text(store.get_value(it, TYPE_COL)) ++ self.ports_mls_entry.set_text(store.get_value(it, MLS_COL)) ++ protocol = store.get_value(it, PROTOCOL_COL) + liststore = self.ports_protocol_combo.get_model() +- iter = liststore.get_iter_first() +- while iter != None and liststore.get_value(iter, 0) != protocol: +- iter = liststore.iter_next(iter) +- if iter != None: +- self.ports_protocol_combo.set_active_iter(iter) ++ it = liststore.get_iter_first() ++ while it != None and liststore.get_value(it,0) != protocol: ++ it = liststore.iter_next(it) ++ if it != None: ++ self.ports_protocol_combo.set_active_iter(it) + + def dialogClear(self): + self.ports_number_entry.set_text("") +@@ -184,19 +181,20 @@ class portsPage(semanagePage): + self.ports_mls_entry.set_text("s0") + + def delete(self): +- store, iter = self.view.get_selection().get_selected() +- port = store.get_value(iter, PORT_COL) +- protocol = store.get_value(iter, 1) 
++ store, it = self.view.get_selection().get_selected() ++ port = store.get_value(it, PORT_COL) ++ protocol = store.get_value(it, 1) ++ self.wait() ++ cmd = "semanage port -d -p %s %s" % (protocol, port) + try: +- self.wait() +- (rc, out) = commands.getstatusoutput("semanage port -d -p %s %s" % (protocol, port)) +- self.ready() +- if rc != 0: +- return self.error(out) +- store.remove(iter) +- self.view.get_selection().select_path((0,)) +- except ValueError, e: +- self.error(e.args[0]) ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ store.remove(it) ++ self.view.get_selection().select_path ((0,)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + + def add(self): + target = self.ports_name_entry.get_text().strip() +@@ -209,39 +207,47 @@ class portsPage(semanagePage): + self.error(_("Port number \"%s\" is not valid. 0 < PORT_NUMBER < 65536 ") % port_number) + return False + list_model = self.ports_protocol_combo.get_model() +- iter = self.ports_protocol_combo.get_active_iter() +- protocol = list_model.get_value(iter, 0) ++ it = self.ports_protocol_combo.get_active_iter() ++ protocol = list_model.get_value(it,0) + self.wait() +- (rc, out) = commands.getstatusoutput("semanage port -a -p %s -r %s -t %s %s" % (protocol, mls, target, port_number)) ++ cmd = "semanage port -a -p %s -r %s -t %s %s" % (protocol, mls, target, port_number) ++ try: ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ it = self.store.append() ++ self.store.set_value(it, TYPE_COL, target) ++ self.store.set_value(it, PORT_COL, port_number) ++ self.store.set_value(it, PROTOCOL_COL, protocol) ++ self.store.set_value(it, MLS_COL, mls) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) + self.ready() +- if rc != 0: +- self.error(out) +- return False +- iter = self.store.append() +- +- self.store.set_value(iter, TYPE_COL, target) +- self.store.set_value(iter, PORT_COL, port_number) +- 
self.store.set_value(iter, PROTOCOL_COL, protocol) +- self.store.set_value(iter, MLS_COL, mls) + + def modify(self): + target = self.ports_name_entry.get_text().strip() + mls = self.ports_mls_entry.get_text().strip() + port_number = self.ports_number_entry.get_text().strip() + list_model = self.ports_protocol_combo.get_model() +- iter = self.ports_protocol_combo.get_active_iter() +- protocol = list_model.get_value(iter, 0) ++ it = self.ports_protocol_combo.get_active_iter() ++ protocol = list_model.get_value(it,0) + self.wait() +- (rc, out) = commands.getstatusoutput("semanage port -m -p %s -r %s -t %s %s" % (protocol, mls, target, port_number)) +- self.ready() +- if rc != 0: +- self.error(out) ++ cmd = "semanage port -m -p %s -r %s -t %s %s" % (protocol, mls, target, port_number) ++ try: ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ store, it = self.view.get_selection().get_selected() ++ self.store.set_value(it, TYPE_COL, target) ++ self.store.set_value(it, PORT_COL, port_number) ++ self.store.set_value(it, PROTOCOL_COL, protocol) ++ self.store.set_value(it, MLS_COL, mls) ++ self.ready() ++ return True ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + return False +- store, iter = self.view.get_selection().get_selected() +- self.store.set_value(iter, TYPE_COL, target) +- self.store.set_value(iter, PORT_COL, port_number) +- self.store.set_value(iter, PROTOCOL_COL, protocol) +- self.store.set_value(iter, MLS_COL, mls) + + def on_group_clicked(self, button): + self.ports_add_button.set_sensitive(self.group) +diff --git policycoreutils-2.5/gui/semanagePage.py policycoreutils-2.5/gui/semanagePage.py +index 5d7f2cf..1c5b095 100644 +--- policycoreutils-2.5/gui/semanagePage.py ++++ policycoreutils-2.5/gui/semanagePage.py +@@ -37,8 +37,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] 
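Review bot: add() in this hunk returns None on its success path, and the semanagePage.py addDialog hunk (`@@ -139,10 +163,10 @@`) now loops on `if not self.add(): continue`, so a successful add keeps the dialog open and a second OK re-runs semanage against a port that now already exists. Adding `return True` after the last `self.store.set_value(it, MLS_COL, mls)` inside the try block restores the previous exit from the dialog; modify() in this same hunk already returns True on success. usersPage.py add() in `@@ -104,48 +97,62 @@` has the same gap. `list_model.get_value(it,0)` also lost the space after the comma that the removed line had.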
= str + + + def idle_func(): +@@ -80,9 +80,9 @@ class semanagePage: + return + + def filter_changed(self, *arg): +- filter = arg[0].get_text() +- if filter != self.filter: +- self.load(filter) ++ filt = arg[0].get_text() ++ if filt != self.filter: ++ self.load(filt) + + def search(self, model, col, key, i): + sort_col = self.store.get_sort_column_id()[0] +@@ -125,13 +125,37 @@ class semanagePage: + dlg.destroy() + + def deleteDialog(self): +- store, iter = self.view.get_selection().get_selected() +- if self.verify(_("Are you sure you want to delete %s '%s'?" % (self.description, store.get_value(iter, 0))), _("Delete %s" % self.description)) == gtk.RESPONSE_YES: ++ store, it = self.view.get_selection().get_selected() ++ if self.verify(_("Are you sure you want to delete %s '%s'?" % (self.description, store.get_value(it, 0))), _("Delete %s" % self.description)) == gtk.RESPONSE_YES: + self.delete() + + def use_menus(self): + return True + ++ def load(self, filt): ++ raise RuntimeError("load method not implemented in parent class"); ++ ++ def filter(self): ++ raise RuntimeError("filter method not implemented in parent class"); ++ ++ def store(self): ++ raise RuntimeError("store method not implemented in parent class"); ++ ++ def add(self): ++ raise RuntimeError("add method not implemented"); ++ ++ def modify(self): ++ raise RuntimeError("modify method not implemented"); ++ ++ def delete(self): ++ raise RuntimeError("delete method not implemented"); ++ ++ def dialogInit(self): ++ raise RuntimeError("dialogInit method not implemented"); ++ ++ def dialogClear(self): ++ raise RuntimeError("dialogClear method not implemented"); ++ + def addDialog(self): + self.dialogClear() + self.dialog.set_title(_("Add %s" % self.description)) +@@ -139,10 +163,10 @@ class semanagePage: + + while self.dialog.run() == gtk.RESPONSE_OK: + try: +- if self.add() == False: ++ if not self.add(): + continue +- break +- except ValueError, e: ++ break; ++ except ValueError as e: + 
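Review bot: The eight stub methods added after use_menus() raise `RuntimeError` with a trailing `;`; `NotImplementedError` is the conventional signal for an abstract hook, e.g. `raise NotImplementedError("load method not implemented in parent class")`, and the semicolons are noise in Python. `filter` and `store` are also assigned as instance attributes by the subclasses in this patch (`self.filter=filt`, `self.store.clear()`), so the instance attribute shadows the method and those two stubs are unreachable through an instance once a subclass has set them — a one-line comment saying they only document the expected attribute, or dropping them, would avoid the confusion. The `break;` lines in the addDialog and modifyDialog hunks carry the same stray semicolon.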
self.error(e.args[0]) + self.dialog.hide() + +@@ -152,10 +176,10 @@ class semanagePage: + self.dialog.set_position(gtk.WIN_POS_MOUSE) + while self.dialog.run() == gtk.RESPONSE_OK: + try: +- if self.modify() == False: ++ if not self.modify(): + continue +- break +- except ValueError, e: ++ break; ++ except ValueError as e: + self.error(e.args[0]) + self.dialog.hide() + +diff --git policycoreutils-2.5/gui/statusPage.py policycoreutils-2.5/gui/statusPage.py +index 991d8f3..782d186 100644 +--- policycoreutils-2.5/gui/statusPage.py ++++ policycoreutils-2.5/gui/statusPage.py +@@ -16,18 +16,14 @@ + ## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + + ## Author: Dan Walsh +-import string + import gtk + import gtk.glade + import os +-import gobject + import sys +-import tempfile + + INSTALLPATH = '/usr/share/system-config-selinux' + sys.path.append(INSTALLPATH) + +-import commands + ENFORCING = 1 + PERMISSIVE = 0 + DISABLED = -1 +@@ -47,8 +43,8 @@ import selinux + try: + gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1) + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = unicode + + + class statusPage: +@@ -129,21 +125,21 @@ class statusPage: + return rc + + def typemenu_changed(self, menu): +- type = self.get_type() ++ setype = self.get_type() + enabled = self.enabledOptionMenu.get_active() +- if self.initialtype != type: ++ if self.initialtype != setype: + if self.verify(_("Changing the policy type will cause a relabel of the entire file system on the next boot. Relabeling takes a long time depending on the size of the file system. 
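Review bot: `builtins.__dict__['_'] = unicode` in the statusPage.py `@@ -47,8 +43,8 @@` hunk pairs a Python 3 module with a Python 2-only name: wherever `import builtins` succeeds, `unicode` is undefined, so the IOError fallback ends in a NameError instead of installing `_`. The semanagePage.py and system-config-selinux.py hunks in this same patch assign `str` here; the usersPage.py hunk `@@ -36,8 +33,8 @@` has the same `unicode` left over. Change the line to `builtins.__dict__['_'] = str` in both files.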
Do you wish to continue?")) == gtk.RESPONSE_NO: + menu.set_active(self.typeHistory) + return None + + self.relabel_checkbutton.set_active(True) + +- self.write_selinux_config(modearray[enabled], type) ++ self.write_selinux_config(modearray[enabled], setype ) + self.typeHistory = menu.get_active() + + def enabled_changed(self, combo): + enabled = combo.get_active() +- type = self.get_type() ++ setype = self.get_type() + + if self.initEnabled != DISABLED and enabled == DISABLED: + if self.verify(_("Changing to SELinux disabled requires a reboot. It is not recommended. If you later decide to turn SELinux back on, the system will be required to relabel. If you just want to see if SELinux is causing a problem on your system, you can go to permissive mode which will only log errors and not enforce SELinux policy. Permissive mode does not require a reboot Do you wish to continue?")) == gtk.RESPONSE_NO: +@@ -156,10 +152,10 @@ class statusPage: + return None + self.relabel_checkbutton.set_active(True) + +- self.write_selinux_config(modearray[enabled], type) ++ self.write_selinux_config(modearray[enabled], setype ) + self.enabled = enabled + +- def write_selinux_config(self, enforcing, type): ++ def write_selinux_config(self, enforcing, setype): + path = selinux.selinux_path() + "config" + backup_path = path + ".bck" + fd = open(path) +@@ -171,7 +167,7 @@ class statusPage: + fd.write("SELINUX=%s\n" % enforcing) + continue + if l.startswith("SELINUXTYPE="): +- fd.write("SELINUXTYPE=%s\n" % type) ++ fd.write("SELINUXTYPE=%s\n" % setype) + continue + fd.write(l) + fd.close() +diff --git policycoreutils-2.5/gui/system-config-selinux.py policycoreutils-2.5/gui/system-config-selinux.py +index 7d342d0..563bb49 100644 +--- policycoreutils-2.5/gui/system-config-selinux.py ++++ policycoreutils-2.5/gui/system-config-selinux.py +@@ -25,10 +25,10 @@ import string + import sys + try: + import gtk +-except RuntimeError, e: +- print "system-config-selinux:", e +- print "This is a graphical 
application and requires DISPLAY to be set." +- sys.exit(1) ++except RuntimeError as e: ++ print("system-config-selinux:", e) ++ print("This is a graphical application and requires DISPLAY to be set.") ++ sys.exit (1) + + import gtk.glade + import os +@@ -57,8 +57,8 @@ try: + unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + gnome.program_init("SELinux Management Tool", "5") + +@@ -94,9 +94,9 @@ class childWindow: + self.add_page(loginsPage.loginsPage(xml)) + self.add_page(usersPage.usersPage(xml)) + self.add_page(portsPage.portsPage(xml)) +- self.add_page(modulesPage.modulesPage(xml)) # modules +- self.add_page(domainsPage.domainsPage(xml)) # domains +- except ValueError, e: ++ self.add_page(modulesPage.modulesPage(xml)) # modules ++ self.add_page(domainsPage.domainsPage(xml)) # domains ++ except ValueError as e: + self.error(e.message) + + xml.signal_connect("on_quit_activate", self.destroy) +diff --git policycoreutils-2.5/gui/usersPage.py policycoreutils-2.5/gui/usersPage.py +index abf8d3b..f50fcb2 100644 +--- policycoreutils-2.5/gui/usersPage.py ++++ policycoreutils-2.5/gui/usersPage.py +@@ -16,13 +16,10 @@ + ## Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
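Review bot: `self.error(e.message)` on the line after the new `except ValueError as e:` still relies on the `message` attribute, which Python 3 exceptions do not have, so a page-constructor failure would raise AttributeError inside the handler instead of showing the error dialog. The semanagePage.py hunks in this patch use `self.error(e.args[0])` for the same situation, and that form works on both interpreters. The enclosing __init__ starts outside the hunk.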
+ + ## Author: Dan Walsh +-import string + import gtk + import gtk.glade +-import os + import gobject +-import sys +-import commands ++import subprocess + import seobject + from semanagePage import * + +@@ -36,8 +33,8 @@ gettext.textdomain(PROGNAME) + try: + gettext.install(PROGNAME, localedir="/usr/share/locale", unicode=1) + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = unicode + + + class usersPage(semanagePage): +@@ -67,34 +64,30 @@ class usersPage(semanagePage): + self.mlsRangeEntry = xml.get_widget("mlsRangeEntry") + self.selinuxRolesEntry = xml.get_widget("selinuxRolesEntry") + +- def load(self, filter=""): +- self.filter = filter ++ def load(self, filt = ""): ++ self.filter=filt + self.user = seobject.seluserRecords() +- dict = self.user.get_all() +- keys = dict.keys() ++ udict = self.user.get_all() ++ keys = list(udict.keys()) + keys.sort() + self.store.clear() + for k in keys: +- range = seobject.translate(dict[k][2]) +- if not (self.match(k, filter) or self.match(dict[k][0], filter) or self.match(range, filter) or self.match(dict[k][3], filter)): ++ serange = seobject.translate(udict[k][2]) ++ if not (self.match(k, filt) or self.match(udict[k][0], filter) or self.match(serange, filt) or self.match(udict[k][3], filt)): + continue + +- iter = self.store.append() +- self.store.set_value(iter, 0, k) +- self.store.set_value(iter, 1, range) +- self.store.set_value(iter, 2, dict[k][3]) +- self.view.get_selection().select_path((0,)) +- +- def delete(self): +- if semanagePage.delete(self) == gtk.RESPONSE_NO: +- return None ++ it = self.store.append() ++ self.store.set_value(it, 0, k) ++ self.store.set_value(it, 1, serange) ++ self.store.set_value(it, 2, udict[k][3]) ++ self.view.get_selection().select_path ((0,)) + + def dialogInit(self): +- store, iter = self.view.get_selection().get_selected() +- self.selinuxUserEntry.set_text(store.get_value(iter, 0)) ++ store, it = 
self.view.get_selection().get_selected() ++ self.selinuxUserEntry.set_text(store.get_value(it, 0)) + self.selinuxUserEntry.set_sensitive(False) +- self.mlsRangeEntry.set_text(store.get_value(iter, 1)) +- self.selinuxRolesEntry.set_text(store.get_value(iter, 2)) ++ self.mlsRangeEntry.set_text(store.get_value(it, 1)) ++ self.selinuxRolesEntry.set_text(store.get_value(it, 2)) + + def dialogClear(self): + self.selinuxUserEntry.set_text("") +@@ -104,48 +97,62 @@ class usersPage(semanagePage): + + def add(self): + user = self.selinuxUserEntry.get_text() +- range = self.mlsRangeEntry.get_text() ++ serange = self.mlsRangeEntry.get_text() + roles = self.selinuxRolesEntry.get_text() + + self.wait() +- (rc, out) = commands.getstatusoutput("semanage user -a -R '%s' -r %s %s" % (roles, range, user)) +- self.ready() +- if rc != 0: +- self.error(out) ++ try: ++ subprocess.check_output("semanage user -a -R '%s' -r %s %s" % (roles, serange, user), ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ it = self.store.append() ++ self.store.set_value(it, 0, user) ++ self.store.set_value(it, 1, serange) ++ self.store.set_value(it, 2, roles) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + return False +- iter = self.store.append() +- self.store.set_value(iter, 0, user) +- self.store.set_value(iter, 1, range) +- self.store.set_value(iter, 2, roles) + + def modify(self): + user = self.selinuxUserEntry.get_text() +- range = self.mlsRangeEntry.get_text() ++ serange = self.mlsRangeEntry.get_text() + roles = self.selinuxRolesEntry.get_text() + + self.wait() +- (rc, out) = commands.getstatusoutput("semanage user -m -R '%s' -r %s %s" % (roles, range, user)) +- self.ready() +- +- if rc != 0: +- self.error(out) ++ cmd = "semanage user -m -R '%s' -r %s %s" % (roles, serange, user) ++ try: ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ self.load(self.filter) ++ except subprocess.CalledProcessError as 
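Review bot: In load() the match line was only partly updated: `self.match(udict[k][0], filter)` still names `filter`, which after the parameter rename to `filt` resolves to the builtin function, so the user-name column is compared against a function object rather than the filter text and that term can never match as intended. It should read `self.match(udict[k][0], filt)` like the other three terms. `self.filter=filt` and `def load(self, filt = ""):` also drop the spacing convention the rest of the file uses.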
e: ++ self.error(e.output) ++ self.ready() + return False +- self.load(self.filter) ++ return True + + def delete(self): +- store, iter = self.view.get_selection().get_selected() ++ store, it = self.view.get_selection().get_selected() + try: +- user = store.get_value(iter, 0) ++ user=store.get_value(it, 0) + if user == "root" or user == "user_u": + raise ValueError(_("SELinux user '%s' is required") % user) + + self.wait() +- (rc, out) = commands.getstatusoutput("semanage user -d %s" % user) +- self.ready() +- if rc != 0: +- self.error(out) ++ cmd = "semanage user -d %s" % user ++ try: ++ subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ self.ready() ++ store.remove(it) ++ self.view.get_selection().select_path ((0,)) ++ except subprocess.CalledProcessError as e: ++ self.error(e.output) ++ self.ready() + return False +- store.remove(iter) +- self.view.get_selection().select_path((0,)) +- except ValueError, e: ++ except ValueError as e: + self.error(e.args[0]) +diff --git policycoreutils-2.5/hll/pp/pp.c policycoreutils-2.5/hll/pp/pp.c +index 866734f..49ca05e 100644 +--- policycoreutils-2.5/hll/pp/pp.c ++++ policycoreutils-2.5/hll/pp/pp.c +@@ -28,6 +28,7 @@ + + #include + #include ++#include + + char *progname; + +@@ -68,6 +69,8 @@ int main(int argc, char **argv) + { NULL, 0, NULL, 0 } + }; + struct sepol_module_package *mod_pkg = NULL; ++ char *ifile = NULL; ++ char *ofile = NULL; + FILE *in = NULL; + FILE *out = NULL; + int outfd = -1; +@@ -89,20 +92,23 @@ int main(int argc, char **argv) + } + + if (argc >= optind + 1 && strcmp(argv[1], "-") != 0) { +- in = fopen(argv[1], "rb"); ++ ifile = argv[1]; ++ in = fopen(ifile, "rb"); + if (in == NULL) { +- log_err("Failed to open %s: %s", argv[1], strerror(errno)); ++ log_err("Failed to open %s: %s", ifile, strerror(errno)); + rc = -1; + goto exit; + } + } else { ++ ifile = "stdin"; + in = stdin; + } + + if (argc >= optind + 2 && strcmp(argv[2], "-") != 0) { +- out = fopen(argv[2], "w"); ++ ofile = 
argv[2]; ++ out = fopen(ofile, "w"); + if (out == NULL) { +- log_err("Failed to open %s: %s", argv[2], strerror(errno)); ++ log_err("Failed to open %s: %s", ofile, strerror(errno)); + rc = -1; + goto exit; + } +@@ -122,6 +128,25 @@ int main(int argc, char **argv) + fclose(in); + in = NULL; + ++ if (ofile) { ++ char *mod_name = mod_pkg->policy->p.name; ++ char *cil_path = strdup(ofile); ++ if (cil_path == NULL) { ++ log_err("No memory available for strdup\n"); ++ rc = -1; ++ goto exit; ++ } ++ char *cil_name = basename(cil_path); ++ char *separator = strrchr(cil_name, '.'); ++ if (separator) { ++ *separator = '\0'; ++ } ++ if (mod_name && strcmp(mod_name, cil_name) != 0) { ++ fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, cil_name, mod_name); ++ } ++ free(cil_path); ++ } ++ + rc = sepol_module_package_to_cil(out, mod_pkg); + if (rc != 0) { + goto exit; +diff --git policycoreutils-2.5/po/Makefile policycoreutils-2.5/po/Makefile +index a693823..555f381 100644 +--- policycoreutils-2.5/po/Makefile ++++ policycoreutils-2.5/po/Makefile +@@ -28,7 +28,7 @@ POTFILES = \ + ../run_init/run_init.c \ + ../semodule_link/semodule_link.c \ + ../audit2allow/audit2allow \ +- ../semanage/seobject.py \ ++ ../semanage/seobject/__init__.py \ + ../setsebool/setsebool.c \ + ../newrole/newrole.c \ + ../load_policy/load_policy.c \ +@@ -49,7 +49,6 @@ POTFILES = \ + ../gui/booleansPage.py \ + ../gui/fcontextPage.py \ + ../gui/loginsPage.py \ +- ../gui/mappingsPage.py \ + ../gui/modulesPage.py \ + ../gui/polgen.glade \ + ../gui/polgengui.py \ +@@ -61,6 +60,36 @@ POTFILES = \ + ../gui/usersPage.py \ + ../secon/secon.c \ + booleans.py \ ++ ../sepolicy/sepolicy/help/booleans_more_show.txt \ ++ ../sepolicy/sepolicy/help/booleans_more.txt \ ++ ../sepolicy/sepolicy/help/booleans_toggled.txt \ ++ ../sepolicy/sepolicy/help/booleans.txt \ ++ ../sepolicy/sepolicy/help/file_equiv.txt \ ++ ../sepolicy/sepolicy/help/files_apps.txt \ ++ 
../sepolicy/sepolicy/help/files_exec.txt \ ++ ../sepolicy/sepolicy/help/files_write.txt \ ++ ../sepolicy/sepolicy/help/lockdown_permissive.txt \ ++ ../sepolicy/sepolicy/help/lockdown_ptrace.txt \ ++ ../sepolicy/sepolicy/help/lockdown.txt \ ++ ../sepolicy/sepolicy/help/lockdown_unconfined.txt \ ++ ../sepolicy/sepolicy/help/login_default.txt \ ++ ../sepolicy/sepolicy/help/login.txt \ ++ ../sepolicy/sepolicy/help/ports_inbound.txt \ ++ ../sepolicy/sepolicy/help/ports_outbound.txt \ ++ ../sepolicy/sepolicy/help/start.txt \ ++ ../sepolicy/sepolicy/help/system_boot_mode.txt \ ++ ../sepolicy/sepolicy/help/system_current_mode.txt \ ++ ../sepolicy/sepolicy/help/system_export.txt \ ++ ../sepolicy/sepolicy/help/system_policy_type.txt \ ++ ../sepolicy/sepolicy/help/system_relabel.txt \ ++ ../sepolicy/sepolicy/help/system.txt \ ++ ../sepolicy/sepolicy/help/transition_file.txt \ ++ ../sepolicy/sepolicy/help/transition_from_boolean_1.txt \ ++ ../sepolicy/sepolicy/help/transition_from_boolean_2.txt \ ++ ../sepolicy/sepolicy/help/transition_from_boolean.txt \ ++ ../sepolicy/sepolicy/help/transition_from.txt \ ++ ../sepolicy/sepolicy/help/transition_to.txt \ ++ ../sepolicy/sepolicy/help/users.txt \ + ../sepolicy/info.c \ + ../sepolicy/search.c \ + ../sepolicy/sepolicy.py \ +diff --git policycoreutils-2.5/restorecond/watch.c policycoreutils-2.5/restorecond/watch.c +index 10978cb..80b0ee7 100644 +--- policycoreutils-2.5/restorecond/watch.c ++++ policycoreutils-2.5/restorecond/watch.c +@@ -174,7 +174,7 @@ int watch(int fd, const char *watch_file) + syslog(LOG_ERR, "Read error (%s)", strerror(errno)); + return 0; + } +- syslog(LOG_ERR, "terminated"); ++ syslog(LOG_INFO, "terminated"); + return -1; + } else if (!len) + /* BUF_LEN too small? 
*/ +diff --git policycoreutils-2.5/run_init/open_init_pty.c policycoreutils-2.5/run_init/open_init_pty.c +index 37805bf..6e25ea3 100644 +--- policycoreutils-2.5/run_init/open_init_pty.c ++++ policycoreutils-2.5/run_init/open_init_pty.c +@@ -327,8 +327,9 @@ int main(int argc, char *argv[]) + break; + } + ++ errno = 0; + int select_rc = select(pty_master + 1, &readfds, &writefds, NULL, NULL); +- if (select_rc < 0) { ++ if (select_rc < 0 && errno != EINTR) { + perror("select()"); + exit(EX_IOERR); + } +diff --git policycoreutils-2.5/sandbox/sandbox policycoreutils-2.5/sandbox/sandbox +index 9e0024f..5b73629 100644 +--- policycoreutils-2.5/sandbox/sandbox ++++ policycoreutils-2.5/sandbox/sandbox +@@ -108,30 +108,29 @@ def copyfile(file, srcdir, dest): + + + def savefile(new, orig, X_ind): +- copy = False +- if(X_ind): +- import gtk +- dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, +- gtk.BUTTONS_YES_NO, +- _("Do you want to save changes to '%s' (Y/N): ") % orig) +- dlg.set_title(_("Sandbox Message")) +- dlg.set_position(gtk.WIN_POS_MOUSE) +- dlg.show_all() +- rc = dlg.run() +- dlg.destroy() +- if rc == gtk.RESPONSE_YES: +- copy = True +- else: +- try: +- input = raw_input +- except NameError: +- pass +- ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig) +- if(re.match(_("[yY]"), ans)): +- copy = True +- if(copy): +- shutil.copy2(new, orig) +- ++ copy = False ++ if(X_ind): ++ from gi.repository import Gtk ++ dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, ++ Gtk.ButtonsType.YES_NO, ++ _("Do you want to save changes to '%s' (Y/N): ") % orig) ++ dlg.set_title(_("Sandbox Message")) ++ dlg.set_position(Gtk.WindowPosition.MOUSE) ++ dlg.show_all() ++ rc = dlg.run() ++ dlg.destroy() ++ if rc == Gtk.ResponseType.YES: ++ copy = True ++ else: ++ try: ++ input = raw_input ++ except NameError: ++ pass ++ ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig) ++ if(re.match(_("[yY]"),ans)): ++ copy = True ++ if(copy): ++ 
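Review bot: When select() is interrupted by a signal the new condition no longer exits, but select_rc stays negative and execution falls through to whatever follows the hunk, where the fd sets are in an unspecified state after a failed select(). If the enclosing loop rebuilds readfds and writefds at its top, handling the case explicitly with `if (select_rc < 0 && errno == EINTR) continue;` before the error check keeps the retry intent without inspecting stale sets; main() continues outside the hunk, so this is inferred from the `break;` above. Setting `errno = 0` before the call is harmless but unnecessary, since errno is only meaningful once select_rc is negative.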
shutil.copy2(new,orig) + + def reserve(level): + sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +@@ -265,7 +264,7 @@ class Sandbox: + copyfile(f, "/tmp", self.__tmpdir) + copyfile(f, "/var/tmp", self.__tmpdir) + +- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): ++ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): + execfile = self.__homedir + "/.sandboxrc" + fd = open(execfile, "w+") + if self.__options.session: +@@ -355,7 +354,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + + parser.add_option("-W", "--windowmanager", dest="wm", + type="string", +- default="/usr/bin/openbox", ++ default="/usr/bin/matchbox-window-manager", + help=_("alternate window manager")) + + parser.add_option("-l", "--level", dest="level", +@@ -467,10 +466,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + cmds += ["--"] + self.__paths + return subprocess.Popen(cmds).wait() + +- selinux.setexeccon(self.__execcon) +- rc = subprocess.Popen(self.__cmds).wait() +- selinux.setexeccon(None) +- return rc ++ pid = os.fork() ++ if pid == 0: ++ rc = os.setsid() ++ if rc: ++ return rc ++ selinux.setexeccon(self.__execcon) ++ os.execv(self.__cmds[0], self.__cmds) ++ rc = os.waitpid(pid, 0) ++ return os.WEXITSTATUS(rc[1]) + + finally: + for i in self.__paths: +@@ -499,7 +503,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + try: + self.__parse_options() + self.__gen_context() +- self.__setup_dir() ++ if self.__mount: ++ self.__setup_dir() + return self.__execute() + except KeyboardInterrupt: + sys.exit(0) +diff --git policycoreutils-2.5/sandbox/sandbox.8 policycoreutils-2.5/sandbox/sandbox.8 +index 0c8cd1e..90ef495 100644 +--- policycoreutils-2.5/sandbox/sandbox.8 ++++ policycoreutils-2.5/sandbox/sandbox.8 +@@ -3,11 +3,11 @@ + sandbox \- Run cmd under an SELinux sandbox + .SH SYNOPSIS + .B sandbox +-[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H 
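Review bot: The child branch of the new os.fork() can return into the parent's control flow: `os.setsid()` raises OSError on failure rather than returning a nonzero value, so `if rc: return rc` never fires, and if `os.execv` fails (missing or non-executable command) the exception propagates out of the child, which then runs the `finally:` cleanup shown below the hunk alongside the parent. The child should end in `os._exit()` on any failure so that exactly one process continues. `os.WEXITSTATUS(rc[1])` is only meaningful when the child exited normally; for a signal-killed child it reports garbage, so check `os.WIFEXITED` first. The rest of __execute() is outside the hunk, so the base indentation below is inferred.
```python
        pid = os.fork()
        if pid == 0:
            # child: never return into the parent's code path
            try:
                os.setsid()
                selinux.setexeccon(self.__execcon)
                os.execv(self.__cmds[0], self.__cmds)
            except Exception as e:
                sys.stderr.write("%s\n" % e)
            finally:
                os._exit(127)
        _, status = os.waitpid(pid, 0)
        if os.WIFEXITED(status):
            return os.WEXITSTATUS(status)
        return 128 + os.WTERMSIG(status)
```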
homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd ++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd + + .br + .B sandbox +-[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S ++[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S + .br + .SH DESCRIPTION + .PP +@@ -24,10 +24,10 @@ allows you to run X applications within a sandbox. These applications will star + If directories are specified with \-H or \-T the directory will have its context modified with chcon(1) unless a level is specified with \-l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels. + .PP + .TP +-\fB\-h\ \fB\\-\-help\fR ++\fB\-h\ \fB\-\-help\fR + display usage message + .TP +-\fB\-H\ \fB\\-\-homedir\fR ++\fB\-H\ \fB\-\-homedir\fR + Use alternate homedir to mount over your home directory. Defaults to temporary. Requires \-X or \-M. + .TP + \fB\-i\fR \fB\-\-include\fR +@@ -55,11 +55,13 @@ sandbox_t \- No X, No Network Access, No Open, read/write on passed in file desc + .br + sandbox_min_t \- No Network Access + .br +-sandbox_x_t \- Printer Ports ++sandbox_x_t \- Ports for X applications to run locally + .br + sandbox_web_t \- Ports required for web browsing + .br +-sandbox_net_t \- All network ports ++sandbox_net_t \- Network ports (for server software) ++.br ++sandbox_net_client_t \- All network ports + + .TP + \fB\-T\fR \fB\-\-tmpdir\fR +@@ -75,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. 
The default windowsiz + \fB\-W\fR \fB\-\-windowmanager\fR + Select alternative window manager to run within + .B sandbox \-X. +-Default to /usr/bin/openbox. ++Default to /usr/bin/matchbox-window-manager. + .TP + \fB\-X\fR + Create an X based Sandbox for gui apps, temporary files for +@@ -84,9 +86,6 @@ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t + \fB\-d\fR \fB\-\-dpi\fR + Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI. + .TP +-\fB\-c\fR \fB\-\-cgroups\fR +-Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +-.TP + \fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the + sandbox. By default applications executed within the sandbox will not + be allowed to use capabilities (setuid apps), with the \-C flag, you +diff --git policycoreutils-2.5/sandbox/sandboxX.sh policycoreutils-2.5/sandbox/sandboxX.sh +index eaa500d..4774528 100644 +--- policycoreutils-2.5/sandbox/sandboxX.sh ++++ policycoreutils-2.5/sandbox/sandboxX.sh +@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF + + EOF + +-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do ++(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do + export DISPLAY=:$D + cat > ~/seremote << __EOF + #!/bin/sh +diff --git policycoreutils-2.5/sandbox/seunshare.8 policycoreutils-2.5/sandbox/seunshare.8 +index 76b75c8..9e105a1 100644 +--- policycoreutils-2.5/sandbox/seunshare.8 ++++ policycoreutils-2.5/sandbox/seunshare.8 +@@ -25,7 +25,7 @@ Allow apps executed within the namespace to use capabilities. Default is no cap + Kill all processes with matching MCS level. 
+ .TP + \fB\-Z\ context +-Use alternate SELinux context while runing the executable. ++Use alternate SELinux context while running the executable. + .TP + \fB\-v\fR + Verbose output +diff --git policycoreutils-2.5/sandbox/start policycoreutils-2.5/sandbox/start +index fc406e1..18d5859 100644 +--- policycoreutils-2.5/sandbox/start ++++ policycoreutils-2.5/sandbox/start +@@ -1,10 +1,12 @@ + #! /usr/bin/python -Es +-import gtk +-import subprocess ++try: ++ from subprocess import getstatusoutput ++except ImportError: ++ from commands import getstatusoutput + import sys +-rc = [-1, ''] ++rc = [-1,''] + try: +- rc = subprocess.getstatusoutput(sys.argv[1]) ++ rc = getstatusoutput(sys.argv[1]) + except: + pass + if rc[0] == 0: +diff --git policycoreutils-2.5/scripts/chcat policycoreutils-2.5/scripts/chcat +index 472785c..f33a0ea 100755 +--- policycoreutils-2.5/scripts/chcat ++++ policycoreutils-2.5/scripts/chcat +@@ -22,7 +22,10 @@ + # 02111-1307 USA + # + # +-import subprocess ++try: ++ from subprocess import getstatusoutput ++except ImportError: ++ from commands import getstatusoutput + import sys + import os + import pwd +@@ -92,7 +95,7 @@ def chcat_user_add(newcat, users): + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) + else: + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -131,7 +134,7 @@ def chcat_add(orig, newcat, objects, login_ind): + else: + cat_string = cat + cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -172,7 +175,7 @@ def chcat_user_remove(newcat, users): + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) + else: + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = subprocess.getstatusoutput(cmd) ++ rc = 
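Review bot: `rc = getstatusoutput(cmd)` in chcat_user_add() still runs `cmd` through a shell, and `cmd` is assembled by %-formatting of `new_serange`, `user[0]` and `u`, so a value containing whitespace or shell metacharacters is split or interpreted rather than passed as one argument. The import shim only changes where the function comes from; quoting each interpolated value with `shlex.quote()` (`pipes.quote` on Python 2), or building an argv list for `subprocess`, would close that gap. The same call appears in the `@@ -131`, `@@ -172`, `@@ -217`, `@@ -245` and `@@ -268` hunks of this file, where `f` is a caller-supplied file path.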
getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -217,7 +220,7 @@ def chcat_remove(orig, newcat, objects, login_ind): + cmd = 'chcon -l %s %s' % (sensitivity, f) + else: + cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -245,7 +248,7 @@ def chcat_user_replace(newcat, users): + cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) + else: + cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -268,7 +271,7 @@ def chcat_replace(newcat, objects, login_ind): + for f in objects: + cmd = "%s %s" % (cmd, f) + +- rc = subprocess.getstatusoutput(cmd) ++ rc = getstatusoutput(cmd) + if rc[0] != 0: + print(rc[1]) + errors += 1 +@@ -346,8 +349,8 @@ def translate(cats): + def usage(): + print(_("Usage %s CATEGORY File ...") % sys.argv[0]) + print(_("Usage %s -l CATEGORY user ...") % sys.argv[0]) +- print(_("Usage %s [[+|-]CATEGORY],...]q File ...") % sys.argv[0]) +- print(_("Usage %s -l [[+|-]CATEGORY],...]q user ...") % sys.argv[0]) ++ print(_("Usage %s [[+|-]CATEGORY],...] File ...") % sys.argv[0]) ++ print(_("Usage %s -l [[+|-]CATEGORY],...] 
user ...") % sys.argv[0]) + print(_("Usage %s -d File ...") % sys.argv[0]) + print(_("Usage %s -l -d user ...") % sys.argv[0]) + print(_("Usage %s -L") % sys.argv[0]) +diff --git policycoreutils-2.5/scripts/fixfiles policycoreutils-2.5/scripts/fixfiles +index 5c29eb9..3aeda48 100755 +--- policycoreutils-2.5/scripts/fixfiles ++++ policycoreutils-2.5/scripts/fixfiles +@@ -116,6 +116,7 @@ exclude_dirs() { + fullFlag=0 + BOOTTIME="" + VERBOSE="-p" ++[ -t 1 ] || VERBOSE="" + FORCEFLAG="" + DIRS="" + RPMILES="" +@@ -137,6 +138,10 @@ else + FC=/etc/security/selinux/file_contexts + fi + ++FC_SUB_DIST=${FC}.subs_dist ++FC_SUB=${FC}.subs ++FC_HOMEDIRS=${FC}.homedirs ++FC_LOCAL=${FC}.local + # + # Log to either syslog or a LOGFILE + # +@@ -150,8 +155,9 @@ fi + # + newer() { + DATE=$1 ++ shift + for m in `echo $FILESYSTEMSRW`; do +- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} -i -0 -f - ++ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f - + done; + + } +@@ -190,7 +196,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + esac; \ + fi; \ + done | \ +- ${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \ ++ ${RESTORECON} ${VERBOSE} -i -f - -R $* `exclude_dirs`; \ + rm -f ${TEMPFILE} ${PREFCTEMPFILE} + fi + } +@@ -222,7 +228,7 @@ if [ ! -z "$PREFC" ]; then + exit $? + fi + if [ ! -z "$BOOTTIME" ]; then +- newer $BOOTTIME ++ newer $BOOTTIME $* + exit $? + fi + [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon +@@ -242,7 +248,13 @@ then + echo "${p1}" >> $TEMPFCFILE + logit "skipping the directory ${p}" + done +-FC=$TEMPFCFILE ++ FC=$TEMPFCFILE ++ /bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit ++ /bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit ++ /bin/cp -p ${FC_HOMEDIRS} ${TEMPFCFILE}.homedirs &>/dev/null || exit ++ # file_contexts.local does not always exist ++ /bin/cp -p ${FC_LOCAL} ${TEMPFCFILE}.local &>/dev/null ++ + fi + if [ ! 
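Review bot: `$*` in the new `${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -` line of newer() expands unquoted and word-split, so any forwarded argument containing whitespace is broken apart; `"$@"` preserves each argument as one word. The same applies to `-R $* \`exclude_dirs\`` in the `@@ -190,7 +196,7 @@` hunk and `newer $BOOTTIME $*` in `@@ -222,7 +228,7 @@`. In `@@ -242,7 +248,13 @@`, `&>/dev/null` is a bash extension; if the script is run under a plain /bin/sh the redirection is parsed differently, so `>/dev/null 2>&1` is the portable spelling — the shebang is outside the visible hunks, so this is inferred.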
-z "$RPMFILES" ]; then + for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do +@@ -251,7 +263,7 @@ if [ ! -z "$RPMFILES" ]; then + exit $? + fi + if [ ! -z "$FILEPATH" ]; then +- ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* $FILEPATH 2>&1 | cat >> $LOGFILE ++ ${RESTORECON} $exclude_dirs ${FORCEFLAG} ${VERBOSE} -R $* "$FILEPATH" 2>&1 | cat >> $LOGFILE + return + fi + if [ -n "${FILESYSTEMSRW}" ]; then +@@ -264,15 +276,15 @@ if [ ${OPTION} != "Relabel" ]; then + return + fi + echo "Cleaning up labels on /tmp" +-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ++rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs ${TEMPFCFILE}.homedirs ${TEMPFCFILE}.local + + UNDEFINED=`get_undefined_type` || exit $? + UNLABELED=`get_unlabeled_type` || exit $? + find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) \( -type s -o -type p \) -delete +-find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /tmp {} \; +-find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/tmp {} \; +-find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /var/run {} \; +-[ ! -e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --reference /lib {} \; ++find /tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /tmp {} \; ++find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \; ++find /var/run \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/run {} \; ++[ ! 
-e /var/lib/debug ] || find /var/lib/debug \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /lib {} \; + exit 0 + } + +diff --git policycoreutils-2.5/semanage/Makefile policycoreutils-2.5/semanage/Makefile +index 60c36a3..c5e4808 100644 +--- policycoreutils-2.5/semanage/Makefile ++++ policycoreutils-2.5/semanage/Makefile +@@ -20,8 +20,7 @@ install: all + -mkdir -p $(SBINDIR) + install -m 755 semanage $(SBINDIR) + install -m 644 *.8 $(MANDIR)/man8 +- test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages +- install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages ++ LDFLAGS="" ${PYTHON} setup.py install --install-lib=$(PYTHONLIBDIR)/site-packages + -mkdir -p $(BASHCOMPLETIONDIR) + install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage + +diff --git policycoreutils-2.5/semanage/default_encoding/Makefile policycoreutils-2.5/semanage/default_encoding/Makefile +new file mode 100644 +index 0000000..e15a877 +--- /dev/null ++++ policycoreutils-2.5/semanage/default_encoding/Makefile +@@ -0,0 +1,8 @@ ++all: ++ LDFLAGS="" python setup.py build ++ ++install: all ++ LDFLAGS="" python setup.py install --root=$(DESTDIR)/ ++ ++clean: ++ rm -rf build *~ +diff --git policycoreutils-2.5/semanage/default_encoding/default_encoding.c policycoreutils-2.5/semanage/default_encoding/default_encoding.c +new file mode 100644 +index 0000000..023b8f4 +--- /dev/null ++++ policycoreutils-2.5/semanage/default_encoding/default_encoding.c +@@ -0,0 +1,57 @@ ++/* ++ * Authors: ++ * John Dennis ++ * ++ * Copyright (C) 2009 Red Hat ++ * see file 'COPYING' for use and warranty information ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation. 
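Review bot: The new `default_encoding/Makefile` hard-codes `python` in both the `all:` and `install:` rules, while the `semanage/Makefile` hunk just above invokes `${PYTHON}`; the extension it builds uses Python 2-only C API (`Py_InitModule3`, `PyUnicode_SetDefaultEncoding` in the accompanying `default_encoding.c`), so wherever `python` resolves to Python 3 the build fails, or the module lands under the wrong interpreter. Use `LDFLAGS="" $(PYTHON) setup.py build` and `LDFLAGS="" $(PYTHON) setup.py install --root=$(DESTDIR)/`, with `PYTHON ?= python` at the top so the sibling Makefiles agree on the interpreter.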
++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ */ ++ ++#include ++ ++PyDoc_STRVAR(setdefaultencoding_doc, ++"setdefaultencoding(encoding='utf-8')\n\ ++\n\ ++Set the current default string encoding used by the Unicode implementation.\n\ ++Defaults to utf-8." ++); ++ ++static PyObject * ++setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds) ++{ ++ static char *kwlist[] = {"utf-8", NULL}; ++ char *encoding; ++ ++ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding)) ++ return NULL; ++ ++ if (PyUnicode_SetDefaultEncoding(encoding)) ++ return NULL; ++ ++ Py_RETURN_NONE; ++} ++ ++static PyMethodDef methods[] = { ++ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc}, ++ {NULL, NULL} /* sentinel */ ++}; ++ ++ ++PyMODINIT_FUNC ++initdefault_encoding_utf8(void) ++{ ++ PyUnicode_SetDefaultEncoding("utf-8"); ++ Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8"); ++} +diff --git policycoreutils-2.5/semanage/default_encoding/policycoreutils/__init__.py policycoreutils-2.5/semanage/default_encoding/policycoreutils/__init__.py +new file mode 100644 +index 0000000..ccb6b8b +--- /dev/null ++++ policycoreutils-2.5/semanage/default_encoding/policycoreutils/__init__.py +@@ -0,0 +1,17 @@ ++# ++# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc. 
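Review bot: The keyword table in `setdefaultencoding` is wrong: `static char *kwlist[] = {"utf-8", NULL};` names the parameter `utf-8`, which contradicts the docstring `setdefaultencoding(encoding='utf-8')` and makes the keyword form `setdefaultencoding(encoding=...)` raise TypeError (only the positional call works, and `utf-8` cannot be spelled as a keyword at all). Change it to `static char *kwlist[] = {"encoding", NULL};`. Separately, `initdefault_encoding_utf8` calls `PyUnicode_SetDefaultEncoding("utf-8")` unconditionally, so merely importing the module changes the interpreter-wide str/unicode codec for every module in the process; that deserves a comment on the init function stating that the import is intentionally a process-wide side effect and is Python 2 only. The `#include` line appears to have lost its header name in this listing (presumably `<Python.h>`); worth checking the file as committed.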
++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++# +diff --git policycoreutils-2.5/semanage/default_encoding/setup.py policycoreutils-2.5/semanage/default_encoding/setup.py +new file mode 100644 +index 0000000..e2befdb +--- /dev/null ++++ policycoreutils-2.5/semanage/default_encoding/setup.py +@@ -0,0 +1,38 @@ ++# Authors: ++# John Dennis ++# ++# Copyright (C) 2009 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License as ++# published by the Free Software Foundation. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. 
++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ ++from distutils.core import setup, Extension ++ ++default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c']) ++ ++setup(name = 'policycoreutils-default-encoding', ++ version = '0.1', ++ description = 'Forces the default encoding in Python to be utf-8', ++ long_description = 'Forces the default encoding in Python to be utf-8', ++ author = 'John Dennis', ++ author_email = 'jdennis@redhat.com', ++ maintainer = 'John Dennis', ++ maintainer_email = 'jdennis@redhat.com', ++ license = 'GPLv3+', ++ platforms = 'posix', ++ url = '', ++ download_url = '', ++ ext_modules = [default_encoding_utf8], ++ packages=["policycoreutils"], ++) +diff --git policycoreutils-2.5/semanage/semanage policycoreutils-2.5/semanage/semanage +index 7489955..72dbd9d 100644 +--- policycoreutils-2.5/semanage/semanage ++++ policycoreutils-2.5/semanage/semanage +@@ -23,8 +23,12 @@ + # + # + ++try: ++ import policycoreutils.default_encoding_utf8 ++except ImportError: ++ pass ++ + import argparse +-import seobject + import sys + import gettext + PROGNAME = "policycoreutils" +@@ -45,28 +49,34 @@ except IOError: + __builtin__.__dict__['_'] = unicode + + # define custom usages for selected main actions +-usage_login = "semanage login [-h] [-n] [-N] [-s STORE] [" ++usage_login = "semanage login [-h] [-n] [-N] [-S STORE] [" + usage_login_dict = {' --add': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --modify': ('-s SEUSER', '-r RANGE', 'LOGIN',), ' --delete': ('LOGIN',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + +-usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-s STORE] [" ++usage_fcontext = "semanage fcontext [-h] [-n] [-N] [-S STORE] [" + usage_fcontext_dict = {' --add': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', 
'-e EQUAL', ')', 'FILE_SPEC', ')',), ' --delete': ('(', '-t TYPE', '-f FTYPE', '|', '-e EQUAL', ')', 'FILE_SPEC', ')',), ' --modify': ('(', '-t TYPE', '-f FTYPE', '-r RANGE', '-s SEUSER', '|', '-e EQUAL', ')', 'FILE_SPEC )',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + +-usage_user = "semanage user [-h] [-n] [-N] [-s STORE] [" ++usage_user = "semanage user [-h] [-n] [-N] [-S STORE] [" + usage_user_dict = {' --add': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name'')'), ' --delete': ('selinux_name',), ' --modify': ('(', '-L LEVEL', '-R ROLES', '-r RANGE', '-s SEUSER', 'selinux_name', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + +-usage_port = "semanage port [-h] [-n] [-N] [-s STORE] [" ++usage_port = "semanage port [-h] [-n] [-N] [-S STORE] [" + usage_port_dict = {' --add': ('-t TYPE', '-p PROTOCOL', '-r RANGE', '(', 'port_name', '|', 'port_range', ')'), ' --modify': ('-t TYPE', '-p PROTOCOL', '-r RANGE', '(', 'port_name', '|', 'port_range', ')'), ' --delete': ('-p PROTOCOL', '(', 'port_name', '|', 'port_range', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + +-usage_node = "semanage node [-h] [-n] [-N] [-s STORE] [" ++usage_ibpkey = "semanage ibpkey [-h] [-n] [-N] [-s STORE] [" ++usage_ibpkey_dict = {' --add': ('-t TYPE', '-x SUBNET_PREFIX', '-r RANGE', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --modify': ('-t TYPE', '-x SUBNET_PREFIX', '-r RANGE', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --delete': ('-x SUBNET_PREFIX', '(', 'ibpkey_name', '|', 'pkey_range', ')'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} ++ ++usage_ibendport = "semanage ibendport [-h] [-n] [-N] [-s STORE] [" ++usage_ibendport_dict = {' --add': ('-t TYPE', '-z IBDEV_NAME', '-r RANGE', '(', 'port', ')'), ' --modify': ('-t TYPE', '-z IBDEV_NAME', '-r RANGE', '(', 'port', ')'), ' --delete': ('-z IBDEV_NAME', '-r RANGE''(', 'port', ')'), ' --list': ('-C',), ' --extract': ('',), 
' --deleteall': ('',)} ++ ++usage_node = "semanage node [-h] [-n] [-N] [-S STORE] [" + usage_node_dict = {' --add': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r RANGE', 'node'), ' --modify': ('-M NETMASK', '-p PROTOCOL', '-t TYPE', '-r RANGE', 'node'), ' --delete': ('-M NETMASK', '-p PROTOCOL', 'node'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + +-usage_interface = "semanage interface [-h] [-n] [-N] [-s STORE] [" ++usage_interface = "semanage interface [-h] [-n] [-N] [-S STORE] [" + usage_interface_dict = {' --add': ('-t TYPE', '-r RANGE', 'interface'), ' --modify': ('-t TYPE', '-r RANGE', 'interface'), ' --delete': ('interface',), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + +-usage_boolean = "semanage boolean [-h] [-n] [-N] [-s STORE] [" ++usage_boolean = "semanage boolean [-h] [-n] [-N] [-S STORE] [" + usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)} + +-import sepolicy ++ + + + class CheckRole(argparse.Action): +@@ -75,7 +85,11 @@ class CheckRole(argparse.Action): + newval = getattr(namespace, self.dest) + if not newval: + newval = [] +- roles = sepolicy.get_all_roles() ++ try: ++ import sepolicy ++ roles = sepolicy.get_all_roles() ++ except ValueError: ++ roles = [] + for v in value.split(): + if v not in roles: + raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (v, ", ".join(roles))) +@@ -90,6 +104,13 @@ class SetStore(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + global store + store = values ++ ++ # set store value as soon as possible so that seobject (sepolicy) can be imported successfully ++ import selinux ++ rc, localstore = selinux.selinux_getpolicytype() ++ if store not in ["", localstore]: ++ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), store)) ++ + setattr(namespace, self.dest, values) + + +@@ -131,62 +152,80 @@ class 
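Review bot: The two new usage strings still advertise `[-s STORE]` while this same hunk corrects every other subcommand to `[-S STORE]` (`-s` is SEUSER and `-S` the store, as the per-object dicts on these lines show), so the ibpkey and ibendport help will direct users to the wrong flag; change them to `usage_ibpkey = "semanage ibpkey [-h] [-n] [-N] [-S STORE] ["` and `usage_ibendport = "semanage ibendport [-h] [-n] [-N] [-S STORE] ["`. In `usage_ibendport_dict` the `--delete` entry reads `'-r RANGE''(', 'port', ')'`: the missing comma concatenates the two literals into `-r RANGE(` and the generated usage renders a stray paren, so it should be `'-r RANGE', '(', 'port', ')'`.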
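Review bot: In `CheckRole.__call__`, catching `ValueError` from the sepolicy import and falling back to `roles = []` makes every role fail the check that follows, with the message `... must be an SELinux role:\nValid roles: ` listing nothing and giving no hint that the policy could not be loaded. If the intent is to tolerate an unloadable policy, skip validation when no roles are known, `if roles and v not in roles:`; if the intent is to fail, re-raise with the underlying cause instead of an empty list. An `ImportError` from `import sepolicy` is not caught here, so a missing module and an unloadable policy behave differently; that looks unintentional. The class header is outside the hunk.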
SetImportFile(argparse.Action): + + + def login_ini(): +- OBJECT = seobject.loginRecords(store) ++ from seobject import loginRecords ++ OBJECT = loginRecords(store) + return OBJECT + + + def user_ini(): +- OBJECT = seobject.seluserRecords(store) ++ from seobject import seluserRecords ++ OBJECT = seluserRecords(store) + return OBJECT + + + def port_ini(): +- OBJECT = seobject.portRecords(store) ++ from seobject import portRecords ++ OBJECT = portRecords(store) + return OBJECT + ++def ibpkey_ini(): ++ from seobject import ibpkeyRecords ++ OBJECT = ibpkeyRecords(store) ++ return OBJECT ++ ++def ibendport_ini(): ++ from seobject import ibendportRecords ++ OBJECT = ibendportRecords(store) ++ return OBJECT + + def module_ini(): +- OBJECT = seobject.moduleRecords(store) ++ from seobject import moduleRecords ++ OBJECT = moduleRecords(store) + return OBJECT + + + def interface_ini(): +- OBJECT = seobject.interfaceRecords(store) ++ from seobject import interfaceRecords ++ OBJECT = interfaceRecords(store) + return OBJECT + + + def node_ini(): +- OBJECT = seobject.nodeRecords(store) ++ from seobject import nodeRecords ++ OBJECT = nodeRecords(store) + return OBJECT + + + def fcontext_ini(): +- OBJECT = seobject.fcontextRecords(store) ++ from seobject import fcontextRecords ++ OBJECT = fcontextRecords(store) + return OBJECT + + + def boolean_ini(): +- OBJECT = seobject.booleanRecords(store) ++ from seobject import booleanRecords ++ OBJECT = booleanRecords(store) + return OBJECT + + + def permissive_ini(): +- OBJECT = seobject.permissiveRecords(store) ++ from seobject import permissiveRecords ++ OBJECT = permissiveRecords(store) + return OBJECT + + + def dontaudit_ini(): +- OBJECT = seobject.dontauditClass(store) ++ from seobject import dontauditClass ++ OBJECT = dontauditClass(store) + return OBJECT + + # define dictonary for seobject OBEJCTS +-object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': 
node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini} +- ++object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini, 'ibpkey': ibpkey_ini, 'ibendport': ibendport_ini} + + def generate_custom_usage(usage_text, usage_dict): + # generate custom usage from given text and dictonary + sorted_keys = [] +- for i in usage_dict.keys(): ++ for i in list(usage_dict.keys()): + sorted_keys.append(i) + sorted_keys.sort() + for k in sorted_keys: +@@ -202,7 +241,7 @@ def handle_opts(args, dict, target_key): + # {action:[conflict_opts,require_opts]} + + # first we need to catch conflicts +- for k in args.__dict__.keys(): ++ for k in list(args.__dict__.keys()): + try: + if k in dict[target_key][0] and args.__dict__[k]: + print("%s option can not be used with --%s" % (target_key, k)) +@@ -210,7 +249,7 @@ def handle_opts(args, dict, target_key): + except KeyError: + continue + +- for k in args.__dict__.keys(): ++ for k in list(args.__dict__.keys()): + try: + if k in dict[target_key][1] and not args.__dict__[k]: + print("%s option is needed for %s" % (k, target_key)) +@@ -272,16 +311,15 @@ def parser_add_type(parser, name): + + + def parser_add_level(parser, name): +- parser.add_argument('-L', '--level', default='s0', help=_('Default SELinux Level for SELinux user, s0 Default. (MLS/MCS Systems only)')) ++ parser.add_argument('-L', '--level', default='', help=_('Default SELinux Level for SELinux user. (MLS/MCS Systems only)')) + + + def parser_add_range(parser, name): +- parser.add_argument('-r', '--range', default="s0", ++ parser.add_argument('-r', '--range', default="", + help=_(''' + MLS/MCS Security Range (MLS/MCS Systems only) + SELinux Range for SELinux login mapping + defaults to the SELinux user record range. 
+-SELinux Range for SELinux user defaults to s0. + ''')) + + +@@ -291,6 +329,15 @@ def parser_add_proto(parser, name): + version for the specified node (ipv4|ipv6). + ''')) + ++def parser_add_subnet_prefix(parser, name): ++ parser.add_argument('-x', '--subnet_prefix', help=_(''' ++ Subnet prefix for the specified infiniband ibpkey. ++''')) ++ ++def parser_add_ibdev_name(parser, name): ++ parser.add_argument('-z', '--ibdev_name', help=_(''' ++ Name for the specified infiniband end port. ++''')) + + def parser_add_modify(parser, name): + parser.add_argument('-m', '--modify', dest='action', action='store_const', const='modify', help=_("Modify a record of the %s object type") % name) +@@ -382,13 +429,14 @@ def handleFcontext(args): + + def setupFcontextParser(subparsers): + ftype_help = ''' +-File Type. This is used with fcontext. Requires a file type +-as shown in the mode field by ls, e.g. use -d to match only +-directories or -- to match only regular files. The following +-file type options can be passed: +--- (regular file),-d (directory),-c (character device), +--b (block device),-s (socket),-l (symbolic link),-p (named pipe) +-If you do not specify a file type, the file type will default to "all files". ++File Type. This is used with fcontext. Requires a file ++type as shown in the mode field by ls, e.g. use 'd' to ++match only directories or 'f' to match only regular ++files. The following file type options can be passed: ++f (regular file),d (directory),c (character device), ++b (block device),s (socket),l (symbolic link), ++p (named pipe). If you do not specify a file type, ++the file type will default to "all files". 
+ ''' + generate_usage = generate_custom_usage(usage_fcontext, usage_fcontext_dict) + fcontextParser = subparsers.add_parser('fcontext', usage=generate_usage, help=_("Manage file context mapping definitions")) +@@ -513,6 +561,95 @@ def setupPortParser(subparsers): + portParser.set_defaults(func=handlePort) + + ++ ++def handlePkey(args): ++ ibpkey_args = {'list': [('ibpkey', 'type', 'subnet_prefix'), ('')], 'add': [('locallist'), ('type', 'ibpkey', 'subnet_prefix')], 'modify': [('localist'), ('ibpkey', 'subnet_prefix')], 'delete': [('locallist'), ('ibpkey', 'subnet_prefix')], 'extract': [('locallist', 'ibpkey', 'type', 'subnet prefix'), ('')], 'deleteall': [('locallist'), ('')]} ++ ++ handle_opts(args, ibpkey_args, args.action) ++ ++ OBJECT = object_dict['ibpkey']() ++ OBJECT.set_reload(args.noreload) ++ ++ if args.action is "add": ++ OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type) ++ if args.action is "modify": ++ OBJECT.modify(args.ibpkey, args.subnet_prefix, args.range, args.type) ++ if args.action is "delete": ++ OBJECT.delete(args.ibpkey, args.subnet_prefix) ++ if args.action is "list": ++ OBJECT.list(args.noheading, args.locallist) ++ if args.action is "deleteall": ++ OBJECT.deleteall() ++ if args.action is "extract": ++ for i in OBJECT.customized(): ++ print("ibpkey %s" % str(i)) ++ ++ ++def setupPkeyParser(subparsers): ++ generated_usage = generate_custom_usage(usage_ibpkey, usage_ibpkey_dict) ++ ibpkeyParser = subparsers.add_parser('ibpkey', usage=generated_usage, help=_('Manage infiniband ibpkey type definitions')) ++ parser_add_locallist(ibpkeyParser, "ibpkey") ++ parser_add_noheading(ibpkeyParser, "ibpkey") ++ parser_add_noreload(ibpkeyParser, "ibpkey") ++ parser_add_store(ibpkeyParser, "ibpkey") ++ ++ ibpkey_action = ibpkeyParser.add_mutually_exclusive_group(required=True) ++ parser_add_add(ibpkey_action, "ibpkey") ++ parser_add_delete(ibpkey_action, "ibpkey") ++ parser_add_modify(ibpkey_action, "ibpkey") ++ 
parser_add_list(ibpkey_action, "ibpkey") ++ parser_add_extract(ibpkey_action, "ibpkey") ++ parser_add_deleteall(ibpkey_action, "ibpkey") ++ parser_add_type(ibpkeyParser, "ibpkey") ++ parser_add_range(ibpkeyParser, "ibpkey") ++ parser_add_subnet_prefix(ibpkeyParser, "ibpkey") ++ ibpkeyParser.add_argument('ibpkey', nargs='?', default=None, help=_('pkey | pkey_range')) ++ ibpkeyParser.set_defaults(func=handlePkey) ++ ++def handleIbendport(args): ++ ibendport_args = {'list': [('ibendport', 'type', 'ibdev_name'), ('')], 'add': [('locallist'), ('type', 'ibendport', 'ibdev_name'), ('')], 'modify': [('localist'), ('ibendport', 'ibdev_name')], 'delete': [('locallist'), ('ibendport', 'ibdev_name')], 'extract': [('locallist', 'ibendport', 'type', 'ibdev_name'), ('')], 'deleteall': [('locallist'), ('')]} ++ ++ handle_opts(args, ibendport_args, args.action) ++ ++ OBJECT = object_dict['ibendport']() ++ OBJECT.set_reload(args.noreload) ++ ++ if args.action is "add": ++ OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type) ++ if args.action is "modify": ++ OBJECT.modify(args.ibendport, args.ibdev_name, args.range, args.type) ++ if args.action is "delete": ++ OBJECT.delete(args.ibendport, args.ibdev_name) ++ if args.action is "list": ++ OBJECT.list(args.noheading, args.locallist) ++ if args.action is "deleteall": ++ OBJECT.deleteall() ++ if args.action is "extract": ++ for i in OBJECT.customized(): ++ print("ibendport %s" % str(i)) ++ ++ ++def setupIbendportParser(subparsers): ++ generated_usage = generate_custom_usage(usage_ibendport, usage_ibendport_dict) ++ ibendportParser = subparsers.add_parser('ibendport', usage=generated_usage, help=_('Manage infiniband end port type definitions')) ++ parser_add_locallist(ibendportParser, "ibendport") ++ parser_add_noheading(ibendportParser, "ibendport") ++ parser_add_noreload(ibendportParser, "ibendport") ++ parser_add_store(ibendportParser, "ibendport") ++ ++ ibendport_action = 
ibendportParser.add_mutually_exclusive_group(required=True) ++ parser_add_add(ibendport_action, "ibendport") ++ parser_add_delete(ibendport_action, "ibendport") ++ parser_add_modify(ibendport_action, "ibendport") ++ parser_add_list(ibendport_action, "ibendport") ++ parser_add_extract(ibendport_action, "ibendport") ++ parser_add_deleteall(ibendport_action, "ibendport") ++ parser_add_type(ibendportParser, "ibendport") ++ parser_add_range(ibendportParser, "ibendport") ++ parser_add_ibdev_name(ibendportParser, "ibendport") ++ ibendportParser.add_argument('ibendport', nargs='?', default=None, help=_('ibendport')) ++ ibendportParser.set_defaults(func=handleIbendport) ++ + def handleInterface(args): + interface_args = {'list': [('interface'), ('')], 'add': [('locallist'), ('type', 'interface')], 'modify': [('locallist'), ('type', 'interface')], 'delete': [('locallist'), ('interface')], 'extract': [('locallist', 'interface', 'type'), ('')], 'deleteall': [('locallist'), ('')]} + +@@ -524,7 +661,7 @@ def handleInterface(args): + if args.action is "add": + OBJECT.add(args.interface, args.range, args.type) + if args.action is "modify": +- OBJECT.add(args.interface, args.range, args.type) ++ OBJECT.modify(args.interface, args.range, args.type) + if args.action is "delete": + OBJECT.delete(args.interface) + if args.action is "list": +@@ -558,7 +695,8 @@ def setupInterfaceParser(subparsers): + + + def handleModule(args): +- OBJECT = seobject.moduleRecords(store) ++ from seobject import moduleRecords ++ OBJECT = moduleRecords(store) + OBJECT.set_reload(args.noreload) + if args.action == "add": + OBJECT.add(args.module_name, args.priority) +@@ -607,7 +745,7 @@ def handleNode(args): + if args.action is "add": + OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type) + if args.action is "modify": +- OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type) ++ OBJECT.modify(args.node, args.netmask, args.proto, args.range, args.type) + if args.action is 
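Review bot: The option-conflict tables in `handlePkey` and `handleIbendport` contain typos that silently disable checks: `'modify': [('localist'), ...]` (should be `'locallist'`) in both handlers, `'subnet prefix'` instead of `'subnet_prefix'` in the ibpkey `extract` entry, and a stray third element `('')` in the ibendport `add` entry; since `handle_opts` matches these names against `args.__dict__`, a misspelled name never matches and e.g. `--modify -C` or `--extract -x` pass through unreported. The dispatch uses identity comparison on string literals (`if args.action is "add":`), which only works because CPython interns these constants and is a SyntaxWarning from 3.8 on; use `==` as `handleModule` already does in this file. Each fix is a one-token substitution on the affected line.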
"delete": + OBJECT.delete(args.node, args.netmask, args.proto) + if args.action is "list": +@@ -746,7 +884,7 @@ def setupDontauditParser(subparsers): + + + def handleExport(args): +- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module"] ++ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"] + for i in manageditems: + print("%s -D" % i) + for i in manageditems: +@@ -814,7 +952,8 @@ def mkargv(line): + + + def handleImport(args): +- trans = seobject.semanageRecords(store) ++ from seobject import semanageRecords ++ trans = semanageRecords(store) + trans.start() + + for l in sys.stdin.readlines(): +@@ -839,7 +978,7 @@ def handleImport(args): + + + def setupImportParser(subparsers): +- importParser = subparsers.add_parser('import', help=_('Output local customizations')) ++ importParser = subparsers.add_parser('import', help=_('Import local customizations')) + parser_add_noreload(importParser, "import") + parser_add_store(importParser, "import") + importParser.add_argument('-f', '--input_file', dest='input_file', action=SetImportFile, help=_('Input file')) +@@ -860,6 +999,8 @@ def createCommandParser(): + setupLoginParser(subparsers) + setupUserParser(subparsers) + setupPortParser(subparsers) ++ setupPkeyParser(subparsers) ++ setupIbendportParser(subparsers) + setupInterfaceParser(subparsers) + setupModuleParser(subparsers) + setupNodeParser(subparsers) +@@ -894,6 +1035,8 @@ def make_io_args(args): + + + def make_args(sys_args): ++ if len(sys_args) == 1: ++ return [ "-h" ] + args = [] + if "-o" in sys_args[1:] or "-i" in sys_args[1:]: + args = make_io_args(sys_args[1:]) +diff --git policycoreutils-2.5/semanage/semanage-boolean.8 policycoreutils-2.5/semanage/semanage-boolean.8 +index 6eb6b69..0c48587 100644 +--- policycoreutils-2.5/semanage/semanage-boolean.8 ++++ policycoreutils-2.5/semanage/semanage-boolean.8 +@@ -2,7 +2,7 @@ + .SH "NAME" + semanage\-boolean \- 
SELinux Policy Management boolean tool + .SH "SYNOPSIS" +-.B semanage boolean [\-h] [\-n] [\-N] [\-s STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ] ++.B semanage boolean [\-h] [\-n] [\-N] [\-S STORE] [ \-\-extract | \-\-deleteall | \-\-list [\-C] | \-\-modify ( \-\-on | \-\-off ) boolean ] + + .SH "DESCRIPTION" + semanage is used to configure certain elements of +diff --git policycoreutils-2.5/semanage/semanage-dontaudit.8 policycoreutils-2.5/semanage/semanage-dontaudit.8 +index 122780d..3d29911 100644 +--- policycoreutils-2.5/semanage/semanage-dontaudit.8 ++++ policycoreutils-2.5/semanage/semanage-dontaudit.8 +@@ -8,7 +8,7 @@ + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation + from policy sources. semanage dontaudit toggles whether or not dontaudit rules will be in the policy. Policy writers use dontaudit rules to cause +-confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not relize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access. ++confined applications to use alternative paths. Dontaudit rules are denied but not reported in the logs. Some times dontaudit rules can cause bugs in applications but policy writers will not realize it since the AVC is not audited. Turning off dontaudit rules with this command to see if the kernel is blocking an access. 
+ + .SH "OPTIONS" + .TP +diff --git policycoreutils-2.5/semanage/semanage-export.8 policycoreutils-2.5/semanage/semanage-export.8 +index 469b1bb..d688224 100644 +--- policycoreutils-2.5/semanage/semanage-export.8 ++++ policycoreutils-2.5/semanage/semanage-export.8 +@@ -7,7 +7,7 @@ + .SH "DESCRIPTION" + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation +-from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction. ++from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. + + .SH "OPTIONS" + .TP +diff --git policycoreutils-2.5/semanage/semanage-fcontext.8 policycoreutils-2.5/semanage/semanage-fcontext.8 +index 7bbb0af..07c2831 100644 +--- policycoreutils-2.5/semanage/semanage-fcontext.8 ++++ policycoreutils-2.5/semanage/semanage-fcontext.8 +@@ -3,7 +3,7 @@ + semanage\-fcontext \- SELinux Policy Management file context tool + + .SH "SYNOPSIS" +-.B semanage fcontext [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ] ++.B semanage fcontext [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) | \-\-delete ( \-t TYPE \-f FTYPE | \-e EQUAL ) FILE_SPEC ) | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-t TYPE \-f FTYPE \-r RANGE \-s SEUSER | \-e EQUAL ) FILE_SPEC ) ] + + .SH "DESCRIPTION" + semanage is used to 
configure certain elements of +diff --git policycoreutils-2.5/semanage/semanage-ibendport.8 policycoreutils-2.5/semanage/semanage-ibendport.8 +new file mode 100644 +index 0000000..0a29eae +--- /dev/null ++++ policycoreutils-2.5/semanage/semanage-ibendport.8 +@@ -0,0 +1,66 @@ ++.TH "semanage-ibendport" "8" "20170508" "" "" ++.SH "NAME" ++.B semanage\-ibendport \- SELinux Policy Management ibendport mapping tool ++.SH "SYNOPSIS" ++.B semanage ibendport [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-z IBDEV_NAME \-r RANGE port | \-\-delete \-z IBDEV_NAME port | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-z IBDEV_NAME \-r RANGE port ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibendport controls the ibendport number to ibendport type definitions. ++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-C, \-\-locallist ++List local customizations ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all local customizations ++.TP ++.I \-t TYPE, \-\-type TYPE ++SELinux type for the object ++.TP ++.I \-r RANGE, \-\-range RANGE ++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. 
SELinux Range for SELinux user defaults to s0. ++.TP ++.I \-z IBDEV_NAME, \-\-ibdev_name IBDEV_NAME ++The name of the infiniband device for the port to be labeled. (ex. mlx5_0) ++ ++.SH EXAMPLE ++.nf ++List all ibendport definitions ++# semanage ibendport \-l ++Label mlx4_0 port 2. ++# semanage ibendport \-a \-t allowed_ibendport_t \-z mlx4_0 2 ++ ++.SH "SEE ALSO" ++.BR selinux (8), ++.BR semanage (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Jurgens +diff --git policycoreutils-2.5/semanage/semanage-ibpkey.8 policycoreutils-2.5/semanage/semanage-ibpkey.8 +new file mode 100644 +index 0000000..51f455a +--- /dev/null ++++ policycoreutils-2.5/semanage/semanage-ibpkey.8 +@@ -0,0 +1,66 @@ ++.TH "semanage-ibpkey" "8" "20170508" "" "" ++.SH "NAME" ++.B semanage\-ibpkey \- SELinux Policy Management ibpkey mapping tool ++.SH "SYNOPSIS" ++.B semanage ibpkey [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range | \-\-delete \-x SUBNET_PREFIX ibpkey_name | ibpkey_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-x SUBNET_PREFIX \-r RANGE ibpkey_name | ibpkey_range ] ++ ++.SH "DESCRIPTION" ++semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage ibpkey controls the ibpkey number to ibpkey type definitions. 
++ ++.SH "OPTIONS" ++.TP ++.I \-h, \-\-help ++show this help message and exit ++.TP ++.I \-n, \-\-noheading ++Do not print heading when listing the specified object type ++.TP ++.I \-N, \-\-noreload ++Do not reload policy after commit ++.TP ++.I \-S STORE, \-\-store STORE ++Select an alternate SELinux Policy Store to manage ++.TP ++.I \-C, \-\-locallist ++List local customizations ++.TP ++.I \-a, \-\-add ++Add a record of the specified object type ++.TP ++.I \-d, \-\-delete ++Delete a record of the specified object type ++.TP ++.I \-m, \-\-modify ++Modify a record of the specified object type ++.TP ++.I \-l, \-\-list ++List records of the specified object type ++.TP ++.I \-E, \-\-extract ++Extract customizable commands, for use within a transaction ++.TP ++.I \-D, \-\-deleteall ++Remove all local customizations ++.TP ++.I \-t TYPE, \-\-type TYPE ++SELinux type for the object ++.TP ++.I \-r RANGE, \-\-range RANGE ++MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login mapping defaults to the SELinux user record range. SELinux Range for SELinux user defaults to s0. ++.TP ++.I \-x SUBNET_PREFIX, \-\-subnet_prefix SUBNET_PREFIX ++Subnet prefix for the specified pkey or range of pkeys. ++ ++.SH EXAMPLE ++.nf ++List all ibpkey definitions ++# semanage ibpkey \-l ++Label pkey 0x8FFF (limited membership default pkey) as a default pkey type ++# semanage ibpkey \-a \-t default_ibpkey_t \-x fe80:: 0x8FFF ++ ++.SH "SEE ALSO" ++.BR selinux (8), ++.BR semanage (8) ++ ++.SH "AUTHOR" ++This man page was written by Daniel Jurgens +diff --git policycoreutils-2.5/semanage/semanage-import.8 policycoreutils-2.5/semanage/semanage-import.8 +index 5437de3..4a9b3e7 100644 +--- policycoreutils-2.5/semanage/semanage-import.8 ++++ policycoreutils-2.5/semanage/semanage-import.8 +@@ -7,7 +7,7 @@ + .SH "DESCRIPTION" + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation +-from policy sources. 
semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a hole group of semanage commands within a file and apply them to a machine in a single transaction. ++from policy sources. semanage import and export can be used to extract the SELinux modifications from one machine and apply them to another. You can put a whole group of semanage commands within a file and apply them to a machine in a single transaction. + + .SH "OPTIONS" + .TP +diff --git policycoreutils-2.5/semanage/semanage-interface.8 policycoreutils-2.5/semanage/semanage-interface.8 +index d318bb8..fbab4b9 100644 +--- policycoreutils-2.5/semanage/semanage-interface.8 ++++ policycoreutils-2.5/semanage/semanage-interface.8 +@@ -2,7 +2,7 @@ + .SH "NAME" + .B semanage\-interface \- SELinux Policy Management network interface tool + .SH "SYNOPSIS" +-.B semanage interface [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ] ++.B semanage interface [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-r RANGE interface | \-\-delete interface | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-r RANGE interface ] + + .SH "DESCRIPTION" + semanage is used to configure certain elements of +@@ -52,7 +52,7 @@ MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for SELinux login ma + + .SH EXAMPLE + .nf +-list all interface defitions ++list all interface definitions + # semanage interface \-l + + .SH "SEE ALSO" +diff --git policycoreutils-2.5/semanage/semanage-login.8 policycoreutils-2.5/semanage/semanage-login.8 +index 7cc5fde..a2397a0 100644 +--- policycoreutils-2.5/semanage/semanage-login.8 ++++ policycoreutils-2.5/semanage/semanage-login.8 +@@ -2,7 +2,7 @@ + .SH "NAME" + .B semanage\-login \- SELinux Policy Management linux user to SELinux User mapping tool + .SH "SYNOPSIS" +-.B semanage 
login [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ] ++.B semanage login [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-s SEUSER \-r RANGE LOGIN | \-\-delete LOGIN | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-s SEUSER \-r RANGE LOGIN ] + + .SH "DESCRIPTION" + semanage is used to configure certain elements of +diff --git policycoreutils-2.5/semanage/semanage-node.8 policycoreutils-2.5/semanage/semanage-node.8 +index 0a2160d..e0b0e56 100644 +--- policycoreutils-2.5/semanage/semanage-node.8 ++++ policycoreutils-2.5/semanage/semanage-node.8 +@@ -2,7 +2,7 @@ + .SH "NAME" + .B semanage\-node \- SELinux Policy Management node mapping tool + .SH "SYNOPSIS" +-.B semanage node [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ] ++.B semanage node [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node | \-\-delete \-M NETMASK \-p PROTOCOL node | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-M NETMASK \-p PROTOCOL \-t TYPE \-r RANGE node ] + + .SH "DESCRIPTION" + semanage is used to configure certain elements of +diff --git policycoreutils-2.5/semanage/semanage-port.8 policycoreutils-2.5/semanage/semanage-port.8 +index 3f067c5..397cb00 100644 +--- policycoreutils-2.5/semanage/semanage-port.8 ++++ policycoreutils-2.5/semanage/semanage-port.8 +@@ -2,11 +2,14 @@ + .SH "NAME" + .B semanage\-port \- SELinux Policy Management port mapping tool + .SH "SYNOPSIS" +-.B semanage port [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE 
port_name | port_range ] ++.B semanage port [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range | \-\-delete \-p PROTOCOL port_name | port_range | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify \-t TYPE \-p PROTOCOL \-r RANGE port_name | port_range ] + + .SH "DESCRIPTION" +-semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage port controls the port number to port type definitions. +- ++semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. \fBsemanage port\fP controls the port number to port type definitions. ++.TP ++Default port definitions are contained in policy modules and can't be removed without removing corresponding module. Therefore \fBsemanage port\fP uses so called local definitions, which are assigned higher priority and override default definitions for the same port. ++.TP ++\fBsemanage port -l\fP lists all port definitions (both default and local) which can result in seemingly conflicting or duplicate entries. Use \fBsemanage port -l -C\fP to only list local definitions. 
+ .SH "OPTIONS" + .TP + .I \-h, \-\-help +@@ -53,7 +56,7 @@ Protocol for the specified port (tcp|udp) or internet protocol version for the s + + .SH EXAMPLE + .nf +-List all port defitions ++List all port definitions + # semanage port \-l + Allow Apache to listen on tcp port 81 + # semanage port \-a \-t http_port_t \-p tcp 81 +diff --git policycoreutils-2.5/semanage/semanage-user.8 policycoreutils-2.5/semanage/semanage-user.8 +index 0e29334..288ae0c 100644 +--- policycoreutils-2.5/semanage/semanage-user.8 ++++ policycoreutils-2.5/semanage/semanage-user.8 +@@ -2,7 +2,7 @@ + .SH "NAME" + .B semanage\-user \- SELinux Policy Management SELinux User mapping tool + .SH "SYNOPSIS" +-.B semanage user [\-h] [\-n] [\-N] [\-s STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ] ++.B semanage user [\-h] [\-n] [\-N] [\-S STORE] [ \-\-add ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name) | \-\-delete selinux_name | \-\-deleteall | \-\-extract | \-\-list [\-C] | \-\-modify ( \-L LEVEL \-R ROLES \-r RANGE \-s SEUSER selinux_name ) ] + + .SH "DESCRIPTION" + semanage is used to configure certain elements of +@@ -62,6 +62,23 @@ Modify groups for staff_u user + Add level for TopSecret Users + # semanage user \-a \-R "staff_r" \-rs0\-TopSecret topsecret_u + ++.SH "NOTES" ++SELinux users defined in the policy cannot be removed or directly altered. When the ++.I -m ++switch is used on such a user, semanage creates a local SELinux user of the same name, which overrides the original SELinux user. ++.P ++As long as a login entry exists that links local SELinux user to a Linux user, given local SELinux user cannot be removed (even if it represents local modification of a SELinux user defined in policy). ++In case you want to remove local modification of a SELinux user, you need to remove any related login mapping first. 
Follow these steps: ++.IP ++.nf ++1) Remove all login entries concerning the SELinux user. ++ To list local customizations of login entries execute: ++ # semanage login -l -C ++ or for semanage command form: ++ # semanage login --extract ++2) Remove the SELinux user ++3) Optionally reintroduce removed login entries ++ + .SH "SEE ALSO" + .B selinux (8), + .B semanage (8) +diff --git policycoreutils-2.5/semanage/semanage.8 policycoreutils-2.5/semanage/semanage.8 +index 0fad36c..6032b41 100644 +--- policycoreutils-2.5/semanage/semanage.8 ++++ policycoreutils-2.5/semanage/semanage.8 +@@ -3,12 +3,12 @@ + semanage \- SELinux Policy Management tool + + .SH "SYNOPSIS" +-.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit} ++.B semanage {import,export,login,user,port,interface,module,node,fcontext,boolean,permissive,dontaudit,ibpkey,ibendport} + ... + .B positional arguments: + + .B import +-Output local customizations ++Import local customizations + + .B export + Output local customizations +@@ -43,6 +43,12 @@ Manage process type enforcement mode + .B dontaudit + Disable/Enable dontaudit rules in policy + ++.B ibpkey ++Manage infiniband pkey type definitions ++ ++.B ibendport ++Manage infiniband end port type definitions ++ + .SH "DESCRIPTION" + semanage is used to configure certain elements of + SELinux policy without requiring modification to or recompilation +@@ -50,9 +56,9 @@ from policy sources. This includes the mapping from Linux usernames + to SELinux user identities (which controls the initial security context + assigned to Linux users when they login and bounds their authorized role set) + as well as security context mappings for various kinds of objects, such +-as network ports, interfaces, and nodes (hosts) as well as the file +-context mapping. See the EXAMPLES section below for some examples +-of common usage. 
Note that the semanage login command deals with the ++as network ports, interfaces, infiniband pkeys and endports, and nodes (hosts) ++as well as the file context mapping. See the EXAMPLES section below for some ++examples of common usage. Note that the semanage login command deals with the + mapping from Linux usernames (logins) to SELinux user identities, + while the semanage user command deals with the mapping from SELinux + user identities to authorized role sets. In most cases, only the +@@ -79,6 +85,8 @@ List help information + .B semanage-permissive (8), + .B semanage-port (8), + .B semanage-user (8) ++.B semanage-ibkey (8), ++.B semanage-ibendport (8), + + .SH "AUTHOR" + This man page was written by Daniel Walsh +diff --git policycoreutils-2.5/semanage/seobject.py policycoreutils-2.5/semanage/seobject.py +index 3b0b108..04cf03b 100644 +--- policycoreutils-2.5/semanage/seobject.py ++++ policycoreutils-2.5/semanage/seobject.py +@@ -30,12 +30,13 @@ import os + import re + import sys + import stat +-import shutil ++import socket + from semanage import * + PROGNAME = "policycoreutils" + import sepolicy + from sepolicy import boolean_desc, boolean_category, gen_bool_dict + gen_bool_dict() ++import setools + from IPy import IP + + import gettext +@@ -79,17 +80,31 @@ file_type_str_to_option = {"all files": "a", + "directory": "d", + "character device": "c", + "block device": "b", +- "socket file": "s", ++ "socket": "s", + "symbolic link": "l", + "named pipe": "p"} ++ ++ftype_to_audit = {"": "any", ++ "a" : "any", ++ "b": "block", ++ "c": "char", ++ "d": "dir", ++ "f": "file", ++ "l": "symlink", ++ "p": "pipe", ++ "s": "socket"} ++ + try: + import audit ++ #test if audit module is enabled ++ audit.audit_close(audit.audit_open()) + + class logger: + + def __init__(self): + self.audit_fd = audit.audit_open() + self.log_list = [] ++ self.log_change_list = [] + + def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + 
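Review bot: `import setools` is added unconditionally, so a host without the setools Python bindings loses every semanage subcommand, even though setools is only consumed inside the ibpkeyRecords and ibendportRecords constructors added later in this patch, where each use is already wrapped in try/except. Guarding the import (`try: import setools` / `except ImportError: setools = None`) keeps the rest of seobject importable and routes the failure into the existing empty-`valid_types` path. Dropping `import shutil` is only safe if nothing else in seobject.py still references it; that cannot be confirmed from this hunk.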
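Review bot: The key `"socket file"` in file_type_str_to_option is renamed to `"socket"`; if any other module in this package still looks the old key up it will now get a KeyError, so the lookup sites should be checked in the same change. `ftype_to_audit` is introduced without a comment and is not used in any hunk visible here; a one-liner such as `# ftype letter (as passed with -f) -> object-type word used in audit records` would record its purpose. The probe `audit.audit_close(audit.audit_open())` only works because the audit bindings raise OSError when audit_open fails, which is what the narrowed `except (OSError, ImportError)` in the next hunk relies on; extending the existing comment to `# audit_open raises OSError if the audit subsystem is unavailable` makes that dependency explicit.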
+@@ -109,11 +124,18 @@ try: + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""]) + ++ def log_change(self, msg): ++ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""]) ++ + def commit(self, success): + for l in self.log_list: + audit.audit_log_semanage_message(*(l + [success])) ++ for l in self.log_change_list: ++ audit.audit_log_user_comm_message(*(l + [success])) ++ + self.log_list = [] +-except: ++ self.log_change_list = [] ++except (OSError, ImportError): + class logger: + + def __init__(self): +@@ -138,6 +160,9 @@ except: + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange) + ++ def log_change(self, msg): ++ self.log_list.append(" %s" % msg) ++ + def commit(self, success): + if success == 1: + message = "Successful: " +@@ -155,6 +180,9 @@ class nulllogger: + def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): + pass + ++ def log_change(self, msg): ++ pass ++ + def commit(self, success): + pass + +@@ -217,6 +245,8 @@ class semanageRecords: + if store == "" or store == localstore: + self.mylog = logger() + else: ++ sepolicy.load_store_policy(self.store) ++ selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store)) + self.mylog = nulllogger() + + def set_reload(self, load): +@@ -384,8 +414,13 @@ class moduleRecords(semanageRecords): + raise ValueError(_("Could not disable module %s") % m) + self.commit() + ++ # Obsolete - "add()" does the same while allowing the user to set priority + def modify(self, file): +- rc = semanage_module_update_file(self.sh, 
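Review bot: The return value of `selinux.selinux_set_policy_root(...)` is discarded; by libselinux convention the call returns a negative value on failure, after which later lookups silently continue against the default policy root while the user believes the alternate store is in effect. A check such as `if selinux.selinux_set_policy_root("%s%s" % (selinux.selinux_path(), self.store)) < 0: raise ValueError(_("Could not set policy root for store %s") % self.store)` keeps the alternate-store path fail-closed. The enclosing `__init__` starts and ends outside this hunk, so whether a failure in `sepolicy.load_store_policy` is caught by the caller cannot be judged here.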
file) ++ if not os.path.exists(file): ++ raise ValueError(_("Module does not exists %s ") % file) ++ ++ # Priority was left unchanged, default is 400 ++ rc = semanage_module_install_file(self.sh, file) + if rc >= 0: + self.commit() + +@@ -557,7 +592,6 @@ class loginRecords(semanageRecords): + + semanage_seuser_key_free(k) + semanage_seuser_free(u) +- self.mylog.log("login", name, sename=sename, serange=serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange) + + def add(self, name, sename, serange): + try: +@@ -565,7 +599,6 @@ class loginRecords(semanageRecords): + self.__add(name, sename, serange) + self.commit() + except ValueError, error: +- self.mylog.commit(0) + raise error + + def __modify(self, name, sename="", serange=""): +@@ -617,7 +650,6 @@ class loginRecords(semanageRecords): + + semanage_seuser_key_free(k) + semanage_seuser_free(u) +- self.mylog.log("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange) + + def modify(self, name, sename="", serange=""): + try: +@@ -625,7 +657,6 @@ class loginRecords(semanageRecords): + self.__modify(name, sename, serange) + self.commit() + except ValueError, error: +- self.mylog.commit(0) + raise error + + def __delete(self, name): +@@ -658,8 +689,6 @@ class loginRecords(semanageRecords): + rec, self.sename, self.serange = selinux.getseuserbyname("__default__") + range, (rc, serole) = userrec.get(self.sename) + +- self.mylog.log_remove("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange) +- + def delete(self, name): + try: + self.begin() +@@ -667,7 +696,6 @@ class loginRecords(semanageRecords): + self.commit() + + except ValueError, error: +- self.mylog.commit(0) + raise error + + def deleteall(self): +@@ -681,7 +709,6 @@ class 
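Review bot: The new message `_("Module does not exists %s ")` is ungrammatical and carries a trailing space; since it is a new translatable string, fixing it now to `_("Module does not exist: %s")` avoids carrying the typo into the catalogs. The `# Obsolete` comment would serve callers better as a docstring (one sentence stating that modify() installs the file at the default priority 400 and that add() should be used to choose a priority), so it shows up in `help(moduleRecords.modify)`. The `os.path.exists` pre-check only improves the error text; `semanage_module_install_file` can still fail if the file is unreadable, and that `rc < 0` path is handled outside this hunk.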
loginRecords(semanageRecords): + self.__delete(semanage_seuser_get_name(u)) + self.commit() + except ValueError, error: +- self.mylog.commit(0) + raise error + + def get_all_logins(self): +@@ -719,7 +746,10 @@ class loginRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ if ddict[k][1]: ++ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ else: ++ l.append("-a -s %s %s" % (ddict[k][0], k)) + return l + + def list(self, heading=1, locallist=0): +@@ -991,7 +1021,10 @@ class seluserRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k)) ++ if ddict[k][1] or ddict[k][2]: ++ l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k)) ++ else: ++ l.append("-a -R '%s' %s" % (ddict[k][3], k)) + return l + + def list(self, heading=1, locallist=0): +@@ -1015,13 +1048,14 @@ class seluserRecords(semanageRecords): + + + class portRecords(semanageRecords): +- try: +- valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"] +- except RuntimeError: +- valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"] ++ except RuntimeError: ++ pass + + def __genkey(self, port, proto): + if proto == "tcp": +@@ -1109,6 +1143,8 @@ class portRecords(semanageRecords): + semanage_port_key_free(k) + semanage_port_free(p) + ++ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange)) ++ + def add(self, port, proto, serange, type): + self.begin() + self.__add(port, proto, serange, type) +@@ -1138,8 +1174,11 @@ class portRecords(semanageRecords): + + con = semanage_port_get_con(p) + +- if 
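Review bot: The audit text built here, `tcontext=%s:%s:%s:%s` with `serange` as the last field, produces a trailing colon (`system_u:object_r:TYPE:`) whenever serange is empty, which is presumably the case on a non-MLS system since only the MLS branch substitutes "s0"; the `op=modify` message in the hunk at +1189 has the same shape. Build the context once and append the range only when present, e.g. `ctx = "system_u:object_r:%s" % type` followed by `if serange: ctx += ":%s" % serange`, and pass `ctx` into the message. `socket.getprotobyname(proto)` raises if the name is missing from the protocols database, and that would surface after `semanage_port_modify_local` has already staged the record; `__genkey` at the top of this class restricts proto to known names, but that method is outside this hunk.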
(is_mls_enabled == 1) and (serange != ""): +- semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) + if setype != "": + semanage_context_set_type(self.sh, con, setype) + +@@ -1150,6 +1189,8 @@ class portRecords(semanageRecords): + semanage_port_key_free(k) + semanage_port_free(p) + ++ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange)) ++ + def modify(self, port, proto, serange, setype): + self.begin() + self.__modify(port, proto, serange, setype) +@@ -1168,6 +1209,7 @@ class portRecords(semanageRecords): + low = semanage_port_get_low(port) + high = semanage_port_get_high(port) + port_str = "%s-%s" % (low, high) ++ + (k, proto_d, low, high) = self.__genkey(port_str, proto_str) + if rc < 0: + raise ValueError(_("Could not create a key for %s") % port_str) +@@ -1177,6 +1219,11 @@ class portRecords(semanageRecords): + raise ValueError(_("Could not delete the port %s") % port_str) + semanage_port_key_free(k) + ++ if low == high: ++ port_str = low ++ ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str))) ++ + self.commit() + + def __delete(self, port, proto): +@@ -1199,6 +1246,8 @@ class portRecords(semanageRecords): + + semanage_port_key_free(k) + ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto))) ++ + def delete(self, port, proto): + self.begin() + self.__delete(port, proto) +@@ -1254,10 +1303,11 @@ class portRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- if k[0] == k[1]: +- l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], k[0])) ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -p %s %s" % (ddict[k][0], 
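Review bot: When MLS is enabled and no range is given, `serange = "s0"` is assigned but the stored context is left untouched, so the value only feeds the `op=modify` audit message in the next hunk, which then reports `s0` although the record keeps whatever range it had; likewise `setype` is empty in that message when only the range was changed, and `serange` is logged in translated form while the context stores `untranslate(serange)`. Log what was actually written instead: capture `semanage_context_get_type(con)` and `semanage_context_get_mls(con)` (both already used in this file) into locals before `semanage_port_free(p)`, since `con` presumably belongs to `p`, and format the message from those. With that change the `serange = "s0"` branch becomes unnecessary and the original two-line condition can stay.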
ddict[k][1], k[2], port)) + else: +- l.append("-a -t %s -p %s %s-%s" % (ddict[k][0], k[2], k[0], k[1])) ++ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], port)) + return l + + def list(self, heading=1, locallist=0): +@@ -1276,16 +1326,516 @@ class portRecords(semanageRecords): + rec += ", %s" % p + print rec + ++class ibpkeyRecords(semanageRecords): ++ valid_types = [] ++ ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ try: ++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibpkey_type"]) ++ self.valid_types = sorted(str(t) for t in q.results()) ++ except: ++ pass ++ ++ def __genkey(self, pkey, subnet_prefix): ++ if subnet_prefix == "": ++ raise ValueError(_("Subnet Prefix is required")) ++ ++ pkeys = pkey.split("-") ++ if len(pkeys) == 1: ++ high = low = int(pkeys[0], 0) ++ else: ++ low = int(pkeys[0], 0) ++ high = int(pkeys[1], 0) ++ ++ if high > 65535: ++ raise ValueError(_("Invalid Pkey")) ++ ++ (rc, k) = semanage_ibpkey_key_create(self.sh, subnet_prefix, low, high) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s/%s") % (subnet_prefix, pkey)) ++ return (k, subnet_prefix, low, high) ++ ++ def __add(self, pkey, subnet_prefix, serange, type): ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ serange = untranslate(serange) ++ ++ if type == "": ++ raise ValueError(_("Type is required")) ++ ++ if type not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type) ++ ++ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) ++ ++ (rc, exists) = semanage_ibpkey_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if exists: ++ raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey)) ++ ++ (rc, p) = semanage_ibpkey_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create ibpkey for %s/%s") % 
(subnet_prefix, pkey)) ++ ++ semanage_ibpkey_set_subnet_prefix(self.sh, p, subnet_prefix) ++ semanage_ibpkey_set_range(p, low, high) ++ (rc, con) = semanage_context_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_context_set_user(self.sh, con, "system_u") ++ if rc < 0: ++ raise ValueError(_("Could not set user in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_context_set_role(self.sh, con, "object_r") ++ if rc < 0: ++ raise ValueError(_("Could not set role in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_context_set_type(self.sh, con, type) ++ if rc < 0: ++ raise ValueError(_("Could not set type in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ rc = semanage_context_set_mls(self.sh, con, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_ibpkey_set_con(self.sh, p, con) ++ if rc < 0: ++ raise ValueError(_("Could not set ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_ibpkey_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not add ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ semanage_context_free(con) ++ semanage_ibpkey_key_free(k) ++ semanage_ibpkey_free(p) ++ ++ def add(self, pkey, subnet_prefix, serange, type): ++ self.begin() ++ self.__add(pkey, subnet_prefix, serange, type) ++ self.commit() ++ ++ def __modify(self, pkey, subnet_prefix, serange, setype): ++ if serange == "" and setype == "": ++ if is_mls_enabled == 1: ++ raise ValueError(_("Requires setype or serange")) ++ else: ++ raise ValueError(_("Requires setype")) ++ ++ if setype and setype not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) ++ ++ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) ++ ++ (rc, 
exists) = semanage_ibpkey_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if not exists: ++ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey)) ++ ++ (rc, p) = semanage_ibpkey_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ con = semanage_ibpkey_get_con(p) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) ++ ++ rc = semanage_ibpkey_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not modify ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ semanage_ibpkey_key_free(k) ++ semanage_ibpkey_free(p) ++ ++ def modify(self, pkey, subnet_prefix, serange, setype): ++ self.begin() ++ self.__modify(pkey, subnet_prefix, serange, setype) ++ self.commit() ++ ++ def deleteall(self): ++ (rc, plist) = semanage_ibpkey_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list the ibpkeys")) ++ ++ self.begin() ++ ++ for ibpkey in plist: ++ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey) ++ low = semanage_ibpkey_get_low(ibpkey) ++ high = semanage_ibpkey_get_high(ibpkey) ++ pkey_str = "%s-%s" % (low, high) ++ (k, subnet_prefix, low, high) = self.__genkey(pkey_str, subnet_prefix) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % pkey_str) ++ ++ rc = semanage_ibpkey_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete the ibpkey %s") % pkey_str) ++ semanage_ibpkey_key_free(k) ++ ++ self.commit() ++ ++ def __delete(self, pkey, subnet_prefix): ++ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) ++ (rc, exists) = semanage_ibpkey_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if not exists: 
++ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey)) ++ ++ (rc, exists) = semanage_ibpkey_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if not exists: ++ raise ValueError(_("ibpkey %s/%s is defined in policy, cannot be deleted") % (subnet_prefix, pkey)) ++ ++ rc = semanage_ibpkey_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ semanage_ibpkey_key_free(k) ++ ++ def delete(self, pkey, subnet_prefix): ++ self.begin() ++ self.__delete(pkey, subnet_prefix) ++ self.commit() ++ ++ def get_all(self, locallist=0): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = semanage_ibpkey_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_ibpkey_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ibpkeys")) ++ ++ for ibpkey in self.plist: ++ con = semanage_ibpkey_get_con(ibpkey) ++ ctype = semanage_context_get_type(con) ++ if ctype == "reserved_ibpkey_t": ++ continue ++ level = semanage_context_get_mls(con) ++ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey) ++ low = semanage_ibpkey_get_low(ibpkey) ++ high = semanage_ibpkey_get_high(ibpkey) ++ ddict[(low, high, subnet_prefix)] = (ctype, level) ++ return ddict ++ ++ def get_all_by_type(self, locallist=0): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = semanage_ibpkey_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_ibpkey_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ibpkeys")) ++ ++ for ibpkey in self.plist: ++ con = semanage_ibpkey_get_con(ibpkey) ++ ctype = semanage_context_get_type(con) ++ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey) ++ low = semanage_ibpkey_get_low(ibpkey) ++ high = semanage_ibpkey_get_high(ibpkey) ++ if (ctype, subnet_prefix) not in ddict.keys(): ++ ddict[(ctype, subnet_prefix)] = [] ++ if low == high: ++ 
ddict[(ctype, subnet_prefix)].append("0x%x" % low) ++ else: ++ ddict[(ctype, subnet_prefix)].append("0x%x-0x%x" % (low, high)) ++ return ddict ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -x %s %s" % (ddict[k][0], ddict[k][1], k[2], port)) ++ else: ++ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], port)) ++ return l ++ ++ def list(self, heading=1, locallist=0): ++ ddict = self.get_all_by_type(locallist) ++ keys = ddict.keys() ++ if len(keys) == 0: ++ return ++ keys.sort() ++ ++ if heading: ++ print "%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), _("Subnet_Prefix"), _("Pkey Number")) ++ for i in keys: ++ rec = "%-30s %-18s " % i ++ rec += "%s" % ddict[i][0] ++ for p in ddict[i][1:]: ++ rec += ", %s" % p ++ print rec ++ ++class ibendportRecords(semanageRecords): ++ valid_types = [] ++ ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ try: ++ q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_store_policy(self.store)), attrs=["ibendport_type"]) ++ self.valid_types = set(str(t) for t in q.results()) ++ except: ++ pass ++ ++ def __genkey(self, ibendport, ibdev_name): ++ if ibdev_name == "": ++ raise ValueError(_("IB device name is required")) ++ ++ port = int(ibendport) ++ ++ if port > 255 or port < 1: ++ raise ValueError(_("Invalid Port Number")) ++ ++ (rc, k) = semanage_ibendport_key_create(self.sh, ibdev_name, port) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for ibendport %s/%s") % (ibdev_name, ibendport)) ++ return (k, ibdev_name, port) ++ ++ def __add(self, ibendport, ibdev_name, serange, type): ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ serange = untranslate(serange) ++ ++ if type == "": ++ raise ValueError(_("Type is required")) ++ ++ if type not in self.valid_types: ++ raise 
ValueError(_("Type %s is invalid, must be an ibendport type") % type) ++ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name) ++ ++ (rc, exists) = semanage_ibendport_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port)) ++ if exists: ++ raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port)) ++ ++ (rc, p) = semanage_ibendport_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port)) ++ ++ semanage_ibendport_set_ibdev_name(self.sh, p, ibdev_name) ++ semanage_ibendport_set_port(p, port) ++ (rc, con) = semanage_context_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_context_set_user(self.sh, con, "system_u") ++ if rc < 0: ++ raise ValueError(_("Could not set user in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_context_set_role(self.sh, con, "object_r") ++ if rc < 0: ++ raise ValueError(_("Could not set role in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_context_set_type(self.sh, con, type) ++ if rc < 0: ++ raise ValueError(_("Could not set type in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ rc = semanage_context_set_mls(self.sh, con, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_ibendport_set_con(self.sh, p, con) ++ if rc < 0: ++ raise ValueError(_("Could not set ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_ibendport_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not add ibendport %s/%s") % (ibdev_name, port)) ++ ++ semanage_context_free(con) ++ semanage_ibendport_key_free(k) ++ semanage_ibendport_free(p) ++ ++ def add(self, ibendport, ibdev_name, serange, type): ++ 
self.begin() ++ self.__add(ibendport, ibdev_name, serange, type) ++ self.commit() ++ ++ def __modify(self, ibendport, ibdev_name, serange, setype): ++ if serange == "" and setype == "": ++ if is_mls_enabled == 1: ++ raise ValueError(_("Requires setype or serange")) ++ else: ++ raise ValueError(_("Requires setype")) ++ ++ if setype and setype not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) ++ ++ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name) ++ ++ (rc, exists) = semanage_ibendport_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport)) ++ if not exists: ++ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport)) ++ ++ (rc, p) = semanage_ibendport_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query ibendport %s/%s") % (ibdev_name, ibendport)) ++ ++ con = semanage_ibendport_get_con(p) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) ++ ++ rc = semanage_ibendport_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not modify ibendport %s/%s") % (ibdev_name, ibendport)) ++ ++ semanage_ibendport_key_free(k) ++ semanage_ibendport_free(p) ++ ++ def modify(self, ibendport, ibdev_name, serange, setype): ++ self.begin() ++ self.__modify(ibendport, ibdev_name, serange, setype) ++ self.commit() ++ ++ def deleteall(self): ++ (rc, plist) = semanage_ibendport_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list the ibendports")) ++ ++ self.begin() ++ ++ for ibendport in plist: ++ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport) ++ port = semanage_ibendport_get_port(ibendport) ++ (k, ibdev_name, port) = self.__genkey(str(port), ibdev_name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key 
for %s/%d") % (ibdevname, port)) ++ ++ rc = semanage_ibendport_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete the ibendport %s/%d") % (ibdev_name, port)) ++ semanage_ibendport_key_free(k) ++ ++ self.commit() ++ ++ def __delete(self, ibendport, ibdev_name): ++ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name) ++ (rc, exists) = semanage_ibendport_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport)) ++ if not exists: ++ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport)) ++ ++ (rc, exists) = semanage_ibendport_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport)) ++ if not exists: ++ raise ValueError(_("ibendport %s/%s is defined in policy, cannot be deleted") % (ibdev_name, ibendport)) ++ ++ rc = semanage_ibendport_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete ibendport %s/%s") % (ibdev_name, ibendport)) ++ ++ semanage_ibendport_key_free(k) ++ ++ def delete(self, ibendport, ibdev_name): ++ self.begin() ++ self.__delete(ibendport, ibdev_name) ++ self.commit() ++ ++ def get_all(self, locallist=0): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = semanage_ibendport_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_ibendport_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ibendports")) ++ ++ for ibendport in self.plist: ++ con = semanage_ibendport_get_con(ibendport) ++ ctype = semanage_context_get_type(con) ++ if ctype == "reserved_ibendport_t": ++ continue ++ level = semanage_context_get_mls(con) ++ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport) ++ port = semanage_ibendport_get_port(ibendport) ++ ddict[(port, ibdev_name)] = (ctype, level) ++ return ddict ++ ++ def get_all_by_type(self, locallist=0): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = 
semanage_ibendport_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_ibendport_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ibendports")) ++ ++ for ibendport in self.plist: ++ con = semanage_ibendport_get_con(ibendport) ++ ctype = semanage_context_get_type(con) ++ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport) ++ port = semanage_ibendport_get_port(ibendport) ++ if (ctype, ibdev_name) not in ddict.keys(): ++ ddict[(ctype, ibdev_name)] = [] ++ ddict[(ctype, ibdev_name)].append("0x%x" % port) ++ return ddict ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0])) ++ else: ++ l.append("-a -t %s -z %s %s" % (ddict[k][0], k[1], k[0])) ++ return l ++ ++ def list(self, heading=1, locallist=0): ++ ddict = self.get_all_by_type(locallist) ++ keys = ddict.keys() ++ if len(keys) == 0: ++ return ++ keys.sort() ++ ++ if heading: ++ print "%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB Device Name"), _("Port Number")) ++ for i in keys: ++ rec = "%-30s %-18s " % i ++ rec += "%s" % ddict[i][0] ++ for p in ddict[i][1:]: ++ rec += ", %s" % p ++ print rec + + class nodeRecords(semanageRecords): +- try: +- valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"] +- except RuntimeError: +- valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) + self.protocol = ["ipv4", "ipv6"] ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"] ++ except RuntimeError: ++ pass + + def validate(self, addr, mask, protocol): + newaddr = addr +@@ -1380,6 +1930,8 @@ class nodeRecords(semanageRecords): + semanage_node_key_free(k) + semanage_node_free(node) + ++ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, 
socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange)) ++ + def add(self, addr, mask, proto, serange, ctype): + self.begin() + self.__add(addr, mask, proto, serange, ctype) +@@ -1421,6 +1973,8 @@ class nodeRecords(semanageRecords): + semanage_node_key_free(k) + semanage_node_free(node) + ++ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange)) ++ + def modify(self, addr, mask, proto, serange, setype): + self.begin() + self.__modify(addr, mask, proto, serange, setype) +@@ -1452,6 +2006,8 @@ class nodeRecords(semanageRecords): + + semanage_node_key_free(k) + ++ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]))) ++ + def delete(self, addr, mask, proto): + self.begin() + self.__delete(addr, mask, proto) +@@ -1491,7 +2047,10 @@ class nodeRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0])) ++ if ddict[k][3]: ++ l.append("-a -M %s -p %s -t %s -r '%s' %s" % (k[1], k[2], ddict[k][2], ddict[k][3], k[0])) ++ else: ++ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0])) + return l + + def list(self, heading=1, locallist=0): +@@ -1581,6 +2140,8 @@ class interfaceRecords(semanageRecords): + semanage_iface_key_free(k) + semanage_iface_free(iface) + ++ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange)) ++ + def add(self, interface, serange, ctype): + self.begin() + self.__add(interface, serange, ctype) +@@ -1618,6 +2179,8 @@ class interfaceRecords(semanageRecords): + semanage_iface_key_free(k) + semanage_iface_free(iface) + ++ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", 
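Review bot: `socket.getprotobyname(self.protocol[proto])` in the new log_change call raises socket.error when the name is not present in /etc/protocols, and "ipv4" is not a standard entry on every distribution, so on such systems `semanage node -a` dies with a socket error raised from inside `__add` — after the local record has been staged but before `add()` reaches `self.commit()`. Since `__add` otherwise reports failures as ValueError, the lookup should be guarded, e.g. `try: audit_proto = socket.getprotobyname(self.protocol[proto])` / `except socket.error: raise ValueError(_("Unknown or missing protocol"))`, or better resolved once in `validate()` (with a fixed fallback number for "ipv4") and returned alongside the protocol index. That `proto` is already the index into `self.protocol` at this point is inferred from the subscript; `__add`'s body starts outside the hunk. The same lookup is repeated in the `op=modify` and `op=delete` hunks of nodeRecords below, so one fix in `validate()` would cover all three.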
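Review bot: The `op=modify` record is built from the raw `setype` and `serange` arguments, so when a caller changes only one of them the other is logged as an empty field (`tcontext=system_u:object_r::s0` or `...:node_t:`) instead of the value the node actually ends up with. The fcontext `__modify` hunk further down shows this family of methods accepts any single attribute (`if serange == "" and setype == "" and seuser == ""`), and nodeRecords presumably does the same, though its guard is outside this hunk. Capture the effective type and range from the node's context before `semanage_node_free(node)` (two lines above the log call) and log those, or fall back to the previous value when an argument is empty. The same applies to the interfaceRecords `op=modify` hunk and the fcontextRecords `op=modify` hunk below.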
"object_r", setype, serange)) ++ + def modify(self, interface, serange, setype): + self.begin() + self.__modify(interface, serange, setype) +@@ -1646,6 +2209,8 @@ class interfaceRecords(semanageRecords): + + semanage_iface_key_free(k) + ++ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface) ++ + def delete(self, interface): + self.begin() + self.__delete(interface) +@@ -1682,7 +2247,10 @@ class interfaceRecords(semanageRecords): + keys = ddict.keys() + keys.sort() + for k in keys: +- l.append("-a -t %s %s" % (ddict[k][2], k)) ++ if ddict[k][3]: ++ l.append("-a -t %s -r '%s' %s" % (ddict[k][2], ddict[k][3], k)) ++ else: ++ l.append("-a -t %s %s" % (ddict[k][2], k)) + return l + + def list(self, heading=1, locallist=0): +@@ -1703,15 +2271,17 @@ class interfaceRecords(semanageRecords): + + + class fcontextRecords(semanageRecords): +- try: +- valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"] +- valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"] +- valid_types.append("<>") +- except RuntimeError: +- valid_types = [] ++ valid_types = [] + + def __init__(self, store=""): + semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"] ++ self.valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"] ++ self.valid_types.append("<>") ++ except RuntimeError: ++ pass ++ + self.equiv = {} + self.equiv_dist = {} + self.equal_ind = False +@@ -1775,6 +2345,8 @@ class fcontextRecords(semanageRecords): + if i.startswith(target + "/"): + raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i])) + ++ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) ++ + self.equiv[target] = substitute + self.equal_ind = True + self.commit() +@@ -1785,6 +2357,9 @@ class 
fcontextRecords(semanageRecords): + raise ValueError(_("Equivalence class for %s does not exists") % target) + self.equiv[target] = substitute + self.equal_ind = True ++ ++ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0))) ++ + self.commit() + + def createcon(self, target, seuser="system_u"): +@@ -1879,6 +2454,11 @@ class fcontextRecords(semanageRecords): + semanage_fcontext_key_free(k) + semanage_fcontext_free(fcontext) + ++ if not seuser: ++ seuser = "system_u" ++ ++ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange)) ++ + def add(self, target, type, ftype="", serange="", seuser="system_u"): + self.begin() + self.__add(target, type, ftype, serange, seuser) +@@ -1888,7 +2468,7 @@ class fcontextRecords(semanageRecords): + if serange == "" and setype == "" and seuser == "": + raise ValueError(_("Requires setype, serange or seuser")) + if setype and setype not in self.valid_types: +- raise ValueError(_("Type %s is invalid, must be a port type") % setype) ++ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) + + self.validate(target) + +@@ -1904,10 +2484,12 @@ class fcontextRecords(semanageRecords): + if not exists: + raise ValueError(_("File context for %s is not defined") % target) + +- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) +- if rc < 0: +- (rc, fcontext) = semanage_fcontext_query(self.sh, k) +- if rc < 0: ++ try: ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) ++ except OSError: ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: + raise ValueError(_("Could not query file context for %s") % target) + + if setype != "<>": +@@ -1939,6 +2521,11 @@ class fcontextRecords(semanageRecords): + semanage_fcontext_key_free(k) + 
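Review bot: Replacing the two `rc < 0` checks around `semanage_fcontext_query_local` / `semanage_fcontext_query` with `except OSError` drops the return-code check entirely: if the binding signals failure through a negative `rc` without raising — the convention every other call in this file checks, including `semanage_fcontext_exists` a few lines above — `__modify` continues with an invalid `fcontext` handle. Whether the SWIG wrapper raises OSError here is not visible from this hunk; the robust form keeps both, e.g. `if rc < 0: raise ValueError(_("Could not query file context for %s") % target)` immediately after the try/except. `__modify`'s body continues outside the hunk.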
semanage_fcontext_free(fcontext) + ++ if not seuser: ++ seuser = "system_u" ++ ++ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange)) ++ + def modify(self, target, setype, ftype, serange, seuser): + self.begin() + self.__modify(target, setype, ftype, serange, seuser) +@@ -1964,6 +2551,8 @@ class fcontextRecords(semanageRecords): + raise ValueError(_("Could not delete the file context %s") % target) + semanage_fcontext_key_free(k) + ++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]])) ++ + self.equiv = {} + self.equal_ind = True + self.commit() +@@ -1972,6 +2561,9 @@ class fcontextRecords(semanageRecords): + if target in self.equiv.keys(): + self.equiv.pop(target) + self.equal_ind = True ++ ++ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0))) ++ + return + + (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) +@@ -1996,6 +2588,8 @@ class fcontextRecords(semanageRecords): + + semanage_fcontext_key_free(k) + ++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) ++ + def delete(self, target, ftype): + self.begin() + self.__delete(target, ftype) +@@ -2009,10 +2603,15 @@ class fcontextRecords(semanageRecords): + if rc < 0: + raise ValueError(_("Could not list file contexts")) + ++ (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list file contexts for home directories")) ++ + (rc, fclocal) = semanage_fcontext_list_local(self.sh) + if rc < 0: + raise ValueError(_("Could not list local file contexts")) + ++ self.flist += fchomedirs + self.flist += fclocal + + ddict = {} +@@ -2035,7 +2634,10 
@@ class fcontextRecords(semanageRecords): + keys.sort() + for k in keys: + if fcon_dict[k]: +- l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0])) ++ if fcon_dict[k][3]: ++ l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0])) ++ else: ++ l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0])) + + if len(self.equiv): + for target in self.equiv.keys(): +@@ -2202,7 +2804,7 @@ class booleanRecords(semanageRecords): + value = [] + name = semanage_bool_get_name(boolean) + value.append(semanage_bool_get_value(boolean)) +- if self.modify_local and boolean in self.current_booleans: ++ if self.modify_local and name in self.current_booleans: + value.append(selinux.security_get_boolean_pending(name)) + value.append(selinux.security_get_boolean_active(name)) + else: +@@ -2248,4 +2850,4 @@ class booleanRecords(semanageRecords): + print "%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description")) + for k in keys: + if ddict[k]: +- print "%-30s (%-5s,%5s) %s" % (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k)) ++ print "%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k)) +diff --git policycoreutils-2.5/semanage/seobject/__init__.py policycoreutils-2.5/semanage/seobject/__init__.py +new file mode 100644 +index 0000000..d8880cd +--- /dev/null ++++ policycoreutils-2.5/semanage/seobject/__init__.py +@@ -0,0 +1,2863 @@ ++#! /usr/bin/python -Es ++# Copyright (C) 2005-2013 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# semanage is a tool for managing SELinux configuration files ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License as ++# published by the Free Software Foundation; either version 2 of ++# the License, or (at your option) any later version. 
++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++# 02111-1307 USA ++# ++# ++import pwd ++import grp ++import string ++import selinux ++import tempfile ++import os ++import re ++import sys ++import stat ++import shutil ++import socket ++from semanage import * ++PROGNAME = "policycoreutils" ++import sepolicy ++from sepolicy import boolean_desc, boolean_category, gen_bool_dict ++gen_bool_dict() ++from IPy import IP ++ ++import gettext ++gettext.bindtextdomain(PROGNAME, "/usr/share/locale") ++gettext.textdomain(PROGNAME) ++try: ++ gettext.install(PROGNAME, ++ unicode=True, ++ codeset = 'utf-8') ++except TypeError: ++ # Failover to python3 install ++ gettext.install(PROGNAME, ++ codeset = 'utf-8') ++except IOError: ++ import builtins ++ builtins.__dict__['_'] = str ++ ++is_mls_enabled = True ++ ++import syslog ++ ++file_types = {} ++file_types[""] = SEMANAGE_FCONTEXT_ALL ++file_types["all files"] = SEMANAGE_FCONTEXT_ALL ++file_types["a"] = SEMANAGE_FCONTEXT_ALL ++file_types["regular file"] = SEMANAGE_FCONTEXT_REG ++file_types["--"] = SEMANAGE_FCONTEXT_REG ++file_types["f"] = SEMANAGE_FCONTEXT_REG ++file_types["-d"] = SEMANAGE_FCONTEXT_DIR ++file_types["directory"] = SEMANAGE_FCONTEXT_DIR ++file_types["d"] = SEMANAGE_FCONTEXT_DIR ++file_types["-c"] = SEMANAGE_FCONTEXT_CHAR ++file_types["character device"] = SEMANAGE_FCONTEXT_CHAR ++file_types["c"] = SEMANAGE_FCONTEXT_CHAR ++file_types["-b"] = SEMANAGE_FCONTEXT_BLOCK ++file_types["block device"] = SEMANAGE_FCONTEXT_BLOCK ++file_types["b"] = SEMANAGE_FCONTEXT_BLOCK ++file_types["-s"] = SEMANAGE_FCONTEXT_SOCK 
++file_types["socket"] = SEMANAGE_FCONTEXT_SOCK ++file_types["s"] = SEMANAGE_FCONTEXT_SOCK ++file_types["-l"] = SEMANAGE_FCONTEXT_LINK ++file_types["l"] = SEMANAGE_FCONTEXT_LINK ++file_types["symbolic link"] = SEMANAGE_FCONTEXT_LINK ++file_types["p"] = SEMANAGE_FCONTEXT_PIPE ++file_types["-p"] = SEMANAGE_FCONTEXT_PIPE ++file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE ++ ++file_type_str_to_option = {"all files": "a", ++ "regular file":"f", ++ "directory":"d", ++ "character device":"c", ++ "block device":"b", ++ "socket":"s", ++ "symbolic link":"l", ++ "named pipe":"p"} ++ ++ftype_to_audit = {"": "any", ++ "a": "any", ++ "b": "block", ++ "c": "char", ++ "d": "dir", ++ "f": "file", ++ "l": "symlink", ++ "p": "pipe", ++ "s": "socket"} ++ ++try: ++ import audit ++ #test if audit module is enabled ++ audit.audit_close(audit.audit_open()) ++ ++ class logger: ++ def __init__(self): ++ self.audit_fd = audit.audit_open() ++ self.log_list = [] ++ self.log_change_list = [] ++ ++ def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): ++ ++ sep = "-" ++ if sename != oldsename: ++ msg += sep + "sename" ++ sep = "," ++ if serole != oldserole: ++ msg += sep + "role" ++ sep = "," ++ if serange != oldserange: ++ msg += sep + "range" ++ sep = "," ++ ++ self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_ASSIGN, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""]) ++ ++ def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): ++ self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""]) ++ ++ def log_change(self, msg): ++ self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", "", "", ""]) ++ ++ def commit(self, success): ++ for l in self.log_list: ++ 
audit.audit_log_semanage_message(*(l + [success])) ++ for l in self.log_change_list: ++ audit.audit_log_user_comm_message(*(l + [success])) ++ self.log_list = [] ++ self.log_change_list = [] ++except OSError, ImportError: ++ class logger: ++ def __init__(self): ++ self.log_list = [] ++ ++ def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): ++ message = " %s name=%s" % (msg, name) ++ if sename != "": ++ message += " sename=" + sename ++ if oldsename != "": ++ message += " oldsename=" + oldsename ++ if serole != "": ++ message += " role=" + serole ++ if oldserole != "": ++ message += " old_role=" + oldserole ++ if serange != "" and serange != None: ++ message += " MLSRange=" + serange ++ if oldserange != "" and oldserange != None: ++ message += " old_MLSRange=" + oldserange ++ self.log_list.append(message) ++ ++ def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): ++ self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange) ++ ++ def log_change(self, msg): ++ self.log_list.append(" %s" % msg) ++ ++ def commit(self, success): ++ if success == 1: ++ message = "Successful: " ++ else: ++ message = "Failed: " ++ for l in self.log_list: ++ syslog.syslog(syslog.LOG_INFO, message + l) ++ ++class nulllogger: ++ def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): ++ pass ++ ++ def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""): ++ pass ++ ++ def log_change(self, msg): ++ pass ++ ++ def commit(self, success): ++ pass ++ ++def validate_level(raw): ++ sensitivity = "s[0-9]*" ++ category = "c[0-9]*" ++ cat_range = category + "(\." + category +")?" ++ categories = cat_range + "(\," + cat_range + ")*" ++ reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?" 
++ return re.search("^" + reg +"$", raw) ++ ++def translate(raw, prepend=1): ++ filler = "a:b:c:" ++ if prepend == 1: ++ context = "%s%s" % (filler, raw) ++ else: ++ context = raw ++ (rc, trans) = selinux.selinux_raw_to_trans_context(context) ++ if rc != 0: ++ return raw ++ if prepend: ++ trans = trans[len(filler):] ++ if trans == "": ++ return raw ++ else: ++ return trans ++ ++def untranslate(trans, prepend=1): ++ filler = "a:b:c:" ++ if prepend == 1: ++ context = "%s%s" % (filler, trans) ++ else: ++ context = trans ++ ++ (rc, raw) = selinux.selinux_trans_to_raw_context(context) ++ if rc != 0: ++ return trans ++ if prepend: ++ raw = raw[len(filler):] ++ if raw == "": ++ return trans ++ else: ++ return raw ++ ++ ++class semanageRecords: ++ transaction = False ++ handle = None ++ store = None ++ ++ def __init__(self, store): ++ global handle ++ self.noreload = False ++ self.sh = self.get_handle(store) ++ ++ rc, localstore = selinux.selinux_getpolicytype() ++ if store == "" or store == localstore: ++ self.mylog = logger() ++ else: ++ self.mylog = nulllogger() ++ ++ def set_reload(self, load): ++ if not load: ++ self.noreload = True ++ ++ def get_handle(self, store): ++ global is_mls_enabled ++ ++ if semanageRecords.handle: ++ return semanageRecords.handle ++ ++ handle = semanage_handle_create() ++ if not handle: ++ raise ValueError(_("Could not create semanage handle")) ++ ++ if not semanageRecords.transaction and store != "": ++ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT) ++ semanageRecords.store = store ++ ++ if not semanage_is_managed(handle): ++ semanage_handle_destroy(handle) ++ raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) ++ ++ rc = semanage_access_check(handle) ++ if rc < SEMANAGE_CAN_READ: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Cannot read policy store.")) ++ ++ rc = semanage_connect(handle) ++ if rc < 0: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Could not establish semanage 
connection")) ++ ++ is_mls_enabled = semanage_mls_enabled(handle) ++ if is_mls_enabled < 0: ++ semanage_handle_destroy(handle) ++ raise ValueError(_("Could not test MLS enabled status")) ++ ++ semanageRecords.handle = handle ++ return semanageRecords.handle ++ ++ def deleteall(self): ++ raise ValueError(_("Not yet implemented")) ++ ++ def start(self): ++ if semanageRecords.transaction: ++ raise ValueError(_("Semanage transaction already in progress")) ++ self.begin() ++ semanageRecords.transaction = True ++ ++ def begin(self): ++ if semanageRecords.transaction: ++ return ++ rc = semanage_begin_transaction(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not start semanage transaction")) ++ ++ def customized(self): ++ raise ValueError(_("Not yet implemented")) ++ ++ def commit(self): ++ if semanageRecords.transaction: ++ return ++ ++ if self.noreload: ++ semanage_set_reload(self.sh, 0) ++ rc = semanage_commit(self.sh) ++ if rc < 0: ++ self.mylog.commit(0) ++ raise ValueError(_("Could not commit semanage transaction")) ++ self.mylog.commit(1) ++ ++ def finish(self): ++ if not semanageRecords.transaction: ++ raise ValueError(_("Semanage transaction not in progress")) ++ semanageRecords.transaction = False ++ self.commit() ++ ++ ++class moduleRecords(semanageRecords): ++ ++ def __init__(self, store): ++ semanageRecords.__init__(self, store) ++ ++ def get_all(self): ++ l = [] ++ (rc, mlist, number) = semanage_module_list_all(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list SELinux modules")) ++ ++ for i in range(number): ++ mod = semanage_module_list_nth(mlist, i) ++ ++ rc, name = semanage_module_info_get_name(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module name")) ++ ++ rc, enabled = semanage_module_info_get_enabled(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module enabled")) ++ ++ rc, priority = semanage_module_info_get_priority(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module 
priority")) ++ ++ rc, lang_ext = semanage_module_info_get_lang_ext(self.sh, mod) ++ if rc < 0: ++ raise ValueError(_("Could not get module lang_ext")) ++ ++ l.append((name, enabled, priority, lang_ext)) ++ ++ # sort the list so they are in name order, but with higher priorities coming first ++ l.sort(key=lambda t: t[3], reverse=True) ++ l.sort(key=lambda t: t[0]) ++ return l ++ ++ def customized(self): ++ ALL = self.get_all() ++ if len(ALL) == 0: ++ return ++ return ["-d %s" % x[0] for x in [t for t in ALL if t[1] == 0]] ++ ++ def list(self, heading=True, locallist=False): ++ ALL = self.get_all() ++ if len(ALL) == 0: ++ return ++ ++ if heading: ++ print("\n%-25s %-9s %s\n" % (_("Module Name"), _("Priority"), _("Language"))) ++ for t in ALL: ++ if t[1] == 0: ++ disabled = _("Disabled") ++ else: ++ if locallist: ++ continue ++ disabled = "" ++ print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)) ++ ++ def add(self, module, priority): ++ if not module: ++ raise ValueError(_("You did not define module name.")) ++ if not os.path.exists(module): ++ raise ValueError(_("Module does not exists %s ") % module) ++ ++ rc = semanage_set_default_priority(self.sh, priority) ++ if rc < 0: ++ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) ++ ++ rc = semanage_module_install_file(self.sh, module) ++ if rc >= 0: ++ self.commit() ++ ++ def set_enabled(self, module, enable): ++ if not module: ++ raise ValueError(_("You did not define module name.")) ++ for m in module.split(): ++ rc, key = semanage_module_key_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create module key")) ++ ++ rc = semanage_module_key_set_name(self.sh, key, m) ++ if rc < 0: ++ raise ValueError(_("Could not set module key name")) ++ ++ rc = semanage_module_set_enabled(self.sh, key, enable) ++ if rc < 0: ++ if enable: ++ raise ValueError(_("Could not enable module %s") % m) ++ else: ++ raise ValueError(_("Could not disable module %s") % m) ++ self.commit() 
++ ++ # Obsolete - "add()" does the same while allowing the user to set priority ++ def modify(self, file): ++ if not os.path.exists(file): ++ raise ValueError(_("Module does not exists %s ") % file) ++ ++ # Priority was left unchanged, default is 400 ++ rc = semanage_module_install_file(self.sh, file) ++ if rc >= 0: ++ self.commit() ++ ++ def delete(self, module, priority): ++ if not module: ++ raise ValueError(_("You did not define module name.")) ++ rc = semanage_set_default_priority(self.sh, priority) ++ if rc < 0: ++ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) ++ ++ for m in module.split(): ++ rc = semanage_module_remove(self.sh, m) ++ if rc < 0 and rc != -2: ++ raise ValueError(_("Could not remove module %s (remove failed)") % m) ++ ++ self.commit() ++ ++ def deleteall(self): ++ l = [x[0] for x in [t for t in self.get_all() if t[1] == 0]] ++ for m in l: ++ self.set_enabled(m, True) ++ ++ ++class dontauditClass(semanageRecords): ++ ++ def __init__(self, store): ++ semanageRecords.__init__(self, store) ++ ++ def toggle(self, dontaudit): ++ if dontaudit not in ["on", "off"]: ++ raise ValueError(_("dontaudit requires either 'on' or 'off'")) ++ self.begin() ++ rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off") ++ self.commit() ++ ++ ++class permissiveRecords(semanageRecords): ++ ++ def __init__(self, store): ++ semanageRecords.__init__(self, store) ++ ++ def get_all(self): ++ l = [] ++ (rc, mlist, number) = semanage_module_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list SELinux modules")) ++ ++ for i in range(number): ++ mod = semanage_module_list_nth(mlist, i) ++ name = semanage_module_get_name(mod) ++ if name and name.startswith("permissive_"): ++ l.append(name.split("permissive_")[1]) ++ return l ++ ++ def list(self, heading=True, locallist=False): ++ ALL = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]] ++ if len(ALL) == 0: ++ return ++ ++ customized = 
self.get_all() ++ if heading: ++ print("\n%-25s\n" % (_("Customized Permissive Types"))) ++ for t in customized: ++ print(t) ++ ++ if locallist: ++ return ++ ++ if heading: ++ print("\n%-25s\n" % (_("Builtin Permissive Types"))) ++ ++ for t in ALL: ++ if t not in customized: ++ print(t) ++ ++ def add(self, setype): ++ import glob ++ if setype not in sepolicy.get_all_domains(): ++ raise ValueError(_("%s is not a domain type") % setype ) ++ ++ try: ++ import sepolgen.module as module ++ except ImportError: ++ raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro.")) ++ ++ name = "permissive_%s" % setype ++ modtxt = "(typepermissive %s)" % setype ++ ++ rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil") ++ if rc >= 0: ++ self.commit() ++ ++ if rc < 0: ++ raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) ++ ++ def delete(self, name): ++ for n in name.split(): ++ rc = semanage_module_remove(self.sh, "permissive_%s" % n) ++ if rc < 0: ++ raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name) ++ ++ self.commit() ++ ++ def deleteall(self): ++ l = self.get_all() ++ if len(l) > 0: ++ self.delete(" ".join(l)) ++ ++class loginRecords(semanageRecords): ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ self.oldsename = None ++ self.oldserange = None ++ self.sename = None ++ self.serange = None ++ ++ def __add(self, name, sename, serange): ++ rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name) ++ if sename == "": ++ sename = "user_u" ++ ++ userrec = seluserRecords() ++ (rc, oldserole) = userrec.get(self.oldsename)[1] ++ RANGE, (rc, serole) = userrec.get(sename) ++ ++ if is_mls_enabled == 1: ++ if serange: ++ serange = untranslate(serange) ++ else: ++ serange = RANGE ++ ++ 
(rc, k) = semanage_seuser_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ ++ (rc, exists) = semanage_seuser_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if login mapping for %s is defined") % name) ++ if exists: ++ semanage_seuser_key_free(k) ++ return self.__modify(name, sename, serange) ++ ++ if name[0] == '%': ++ try: ++ grp.getgrnam(name[1:]) ++ except: ++ raise ValueError(_("Linux Group %s does not exist") % name[1:]) ++ else: ++ try: ++ pwd.getpwnam(name) ++ except: ++ raise ValueError(_("Linux User %s does not exist") % name) ++ ++ (rc, u) = semanage_seuser_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create login mapping for %s") % name) ++ ++ rc = semanage_seuser_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ if serange: ++ rc = semanage_seuser_set_mlsrange(self.sh, u, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set MLS range for %s") % name) ++ ++ rc = semanage_seuser_set_sename(self.sh, u, sename) ++ if rc < 0: ++ raise ValueError(_("Could not set SELinux user for %s") % name) ++ ++ rc = semanage_seuser_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError(_("Could not add login mapping for %s") % name) ++ ++ semanage_seuser_key_free(k) ++ semanage_seuser_free(u) ++ ++ def add(self, name, sename, serange): ++ try: ++ self.begin() ++ self.__add(name, sename, serange) ++ self.commit() ++ except ValueError as error: ++ raise error ++ ++ def __modify(self, name, sename="", serange=None): ++ rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name) ++ if sename == "" and not serange: ++ raise ValueError(_("Requires seuser or serange")) ++ ++ userrec = seluserRecords() ++ RANGE, (rc, oldserole) = userrec.get(self.oldsename) ++ ++ if sename != "": ++ RANGE, (rc, serole) = userrec.get(sename) ++ else: ++ serole = oldserole ++ ++ if serange: ++ self.serange = serange ++ 
else: ++ self.serange = RANGE ++ ++ (rc, k) = semanage_seuser_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ ++ (rc, exists) = semanage_seuser_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if login mapping for %s is defined") % name) ++ if not exists: ++ raise ValueError(_("Login mapping for %s is not defined") % name) ++ ++ (rc, u) = semanage_seuser_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query seuser for %s") % name) ++ ++ self.oldserange = semanage_seuser_get_mlsrange(u) ++ self.oldsename = semanage_seuser_get_sename(u) ++ if serange: ++ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) ++ ++ if sename != "": ++ semanage_seuser_set_sename(self.sh, u, sename) ++ self.sename = sename ++ else: ++ self.sename = self.oldsename ++ ++ rc = semanage_seuser_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError(_("Could not modify login mapping for %s") % name) ++ ++ semanage_seuser_key_free(k) ++ semanage_seuser_free(u) ++ ++ def modify(self, name, sename="", serange=None): ++ try: ++ self.begin() ++ self.__modify(name, sename, serange) ++ self.commit() ++ except ValueError as error: ++ raise error ++ ++ def __delete(self, name): ++ rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name) ++ userrec = seluserRecords() ++ RANGE, (rc, oldserole) = userrec.get(self.oldsename) ++ ++ (rc, k) = semanage_seuser_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ ++ (rc, exists) = semanage_seuser_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if login mapping for %s is defined") % name) ++ if not exists: ++ raise ValueError(_("Login mapping for %s is not defined") % name) ++ ++ (rc, exists) = semanage_seuser_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if login mapping for %s is defined") % name) ++ if not exists: ++ raise 
ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name) ++ ++ rc = semanage_seuser_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete login mapping for %s") % name) ++ ++ semanage_seuser_key_free(k) ++ ++ rec, self.sename, self.serange = selinux.getseuserbyname("__default__") ++ RANGE, (rc, serole) = userrec.get(self.sename) ++ ++ def delete(self, name): ++ try: ++ self.begin() ++ self.__delete(name) ++ self.commit() ++ ++ except ValueError as error: ++ raise error ++ ++ def deleteall(self): ++ (rc, ulist) = semanage_seuser_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list login mappings")) ++ ++ try: ++ self.begin() ++ for u in ulist: ++ self.__delete(semanage_seuser_get_name(u)) ++ self.commit() ++ except ValueError as error: ++ raise error ++ ++ def get_all_logins(self): ++ ddict = {} ++ self.logins_path = selinux.selinux_policy_root() + "/logins" ++ for path, dirs, files in os.walk(self.logins_path): ++ if path == self.logins_path: ++ for name in files: ++ try: ++ fd = open(path + "/" + name) ++ rec = fd.read().rstrip().split(":") ++ fd.close() ++ ddict[name] = (rec[1], rec[2], rec[0]) ++ except IndexError: ++ pass ++ return ddict ++ ++ def get_all(self, locallist=False): ++ ddict = {} ++ if locallist: ++ (rc, self.ulist) = semanage_seuser_list_local(self.sh) ++ else: ++ (rc, self.ulist) = semanage_seuser_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list login mappings")) ++ ++ for u in self.ulist: ++ name = semanage_seuser_get_name(u) ++ ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u), "*") ++ return ddict ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = list(ddict.keys()) ++ keys.sort() ++ for k in keys: ++ if ddict[k][1]: ++ l.append("-a -s %s -r '%s' %s" % (ddict[k][0], ddict[k][1], k)) ++ else: ++ l.append("-a -s %s %s" % (ddict[k][0], k)) ++ return l ++ ++ def list(self,heading=True, locallist=False): ++ 
ddict = self.get_all(locallist) ++ ldict = self.get_all_logins() ++ lkeys = list(ldict.keys()) ++ keys = list(ddict.keys()) ++ if len(keys) == 0 and len(lkeys) == 0: ++ return ++ keys.sort() ++ lkeys.sort() ++ ++ if is_mls_enabled == 1: ++ if heading: ++ print("\n%-20s %-20s %-20s %s\n" % (_("Login Name"), _("SELinux User"), _("MLS/MCS Range"), _("Service"))) ++ for k in keys: ++ u = ddict[k] ++ print("%-20s %-20s %-20s %s" % (k, u[0], translate(u[1]), u[2])) ++ if len(lkeys): ++ print("\nLocal customization in %s" % self.logins_path) ++ ++ for k in lkeys: ++ u = ldict[k] ++ print("%-20s %-20s %-20s %s" % (k, u[0], translate(u[1]), u[2])) ++ else: ++ if heading: ++ print("\n%-25s %-25s\n" % (_("Login Name"), _("SELinux User"))) ++ for k in keys: ++ print("%-25s %-25s" % (k, ddict[k][0])) ++ ++class seluserRecords(semanageRecords): ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ ++ def get(self, name): ++ (rc, k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ (rc, exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ (rc, u) = semanage_user_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query user for %s") % name) ++ serange = semanage_user_get_mlsrange(u) ++ serole = semanage_user_get_roles(self.sh, u) ++ semanage_user_key_free(k) ++ semanage_user_free(u) ++ return serange, serole ++ ++ def __add(self, name, roles, selevel, serange, prefix): ++ if is_mls_enabled == 1: ++ if serange: ++ serange = untranslate(serange) ++ else: ++ serange = "s0" ++ ++ if selevel == "": ++ selevel = "s0" ++ else: ++ selevel = untranslate(selevel) ++ ++ if len(roles) < 1: ++ raise ValueError(_("You must add at least one role for %s") % name) ++ ++ (rc, k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ ++ (rc, 
exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ if exists: ++ semanage_user_key_free(k) ++ return self.__modify(name, roles, selevel, serange, prefix) ++ ++ (rc, u) = semanage_user_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create SELinux user for %s") % name) ++ ++ rc = semanage_user_set_name(self.sh, u, name) ++ if rc < 0: ++ raise ValueError(_("Could not set name for %s") % name) ++ ++ for r in roles: ++ rc = semanage_user_add_role(self.sh, u, r) ++ if rc < 0: ++ raise ValueError(_("Could not add role %(ROLE)s for %(NAME)s") % {"ROLE":r, "NAME":name}) ++ ++ if is_mls_enabled == 1: ++ rc = semanage_user_set_mlsrange(self.sh, u, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set MLS range for %s") % name) ++ ++ rc = semanage_user_set_mlslevel(self.sh, u, selevel) ++ if rc < 0: ++ raise ValueError(_("Could not set MLS level for %s") % name) ++ rc = semanage_user_set_prefix(self.sh, u, prefix) ++ if rc < 0: ++ raise ValueError(_("Could not add prefix %(PREFIX)s for %(ROLE)s") % {"ROLE":r, "PREFIX": prefix}) ++ (rc, key) = semanage_user_key_extract(self.sh, u) ++ if rc < 0: ++ raise ValueError(_("Could not extract key for %s") % name) ++ ++ rc = semanage_user_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError(_("Could not add SELinux user %s") % name) ++ ++ semanage_user_key_free(k) ++ semanage_user_free(u) ++ self.mylog.log("seuser", sename=name, serole=",".join(roles), serange=serange) ++ ++ def add(self, name, roles, selevel, serange, prefix): ++ try: ++ self.begin() ++ self.__add(name, roles, selevel, serange, prefix) ++ self.commit() ++ except ValueError as error: ++ self.mylog.commit(0) ++ raise error ++ ++ def __modify(self, name, roles=[], selevel="", serange=None, prefix=""): ++ oldserole = "" ++ oldserange = "" ++ newroles = ' '.join(roles) ++ if prefix == "" and len(roles) == 0 and not serange and selevel == "": ++ if 
is_mls_enabled == 1: ++ raise ValueError(_("Requires prefix, roles, level or range")) ++ else: ++ raise ValueError(_("Requires prefix or roles")) ++ ++ (rc, k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ ++ (rc, exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ if not exists: ++ raise ValueError(_("SELinux user %s is not defined") % name) ++ ++ (rc, u) = semanage_user_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query user for %s") % name) ++ ++ oldserange = semanage_user_get_mlsrange(u) ++ (rc, rlist) = semanage_user_get_roles(self.sh, u) ++ if rc >= 0: ++ oldserole = ' '.join(rlist) ++ ++ if serange: ++ semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) ++ if selevel != "": ++ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) ++ ++ if prefix != "": ++ semanage_user_set_prefix(self.sh, u, prefix) ++ ++ if len(roles) != 0: ++ for r in rlist: ++ if r not in roles: ++ semanage_user_del_role(u, r) ++ for r in roles: ++ if r not in rlist: ++ semanage_user_add_role(self.sh, u, r) ++ ++ rc = semanage_user_modify_local(self.sh, k, u) ++ if rc < 0: ++ raise ValueError(_("Could not modify SELinux user %s") % name) ++ ++ semanage_user_key_free(k) ++ semanage_user_free(u) ++ ++ role = ",".join(newroles.split()) ++ oldserole = ",".join(oldserole.split()) ++ self.mylog.log("seuser", sename=name, oldsename=name, serole=role, serange=serange, oldserole=oldserole, oldserange=oldserange) ++ ++ ++ def modify(self, name, roles=[], selevel="", serange=None, prefix=""): ++ try: ++ self.begin() ++ self.__modify(name, roles, selevel, serange, prefix) ++ self.commit() ++ except ValueError as error: ++ self.mylog.commit(0) ++ raise error ++ ++ def __delete(self, name): ++ (rc, k) = semanage_user_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for 
%s") % name) ++ ++ (rc, exists) = semanage_user_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ if not exists: ++ raise ValueError(_("SELinux user %s is not defined") % name) ++ ++ (rc, exists) = semanage_user_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if SELinux user %s is defined") % name) ++ if not exists: ++ raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name) ++ ++ (rc, u) = semanage_user_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query user for %s") % name) ++ oldserange = semanage_user_get_mlsrange(u) ++ (rc, rlist) = semanage_user_get_roles(self.sh, u) ++ oldserole = ",".join(rlist) ++ ++ rc = semanage_user_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete SELinux user %s") % name) ++ ++ semanage_user_key_free(k) ++ semanage_user_free(u) ++ ++ self.mylog.log_remove("seuser", oldsename=name, oldserange=oldserange, oldserole=oldserole) ++ ++ def delete(self, name): ++ try: ++ self.begin() ++ self.__delete(name) ++ self.commit() ++ ++ except ValueError as error: ++ self.mylog.commit(0) ++ raise error ++ ++ def deleteall(self): ++ (rc, ulist) = semanage_user_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list login mappings")) ++ ++ try: ++ self.begin() ++ for u in ulist: ++ try: ++ self.__delete(semanage_user_get_name(u)) ++ except OSError: ++ continue ++ self.commit() ++ except ValueError as error: ++ self.mylog.commit(0) ++ raise error ++ ++ def get_all(self, locallist=False): ++ ddict = {} ++ if locallist: ++ (rc, self.ulist) = semanage_user_list_local(self.sh) ++ else: ++ (rc, self.ulist) = semanage_user_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list SELinux users")) ++ ++ for u in self.ulist: ++ name = semanage_user_get_name(u) ++ (rc, rlist) = semanage_user_get_roles(self.sh, u) ++ if rc < 0: ++ raise ValueError(_("Could not list roles 
for user %s") % name) ++ ++ roles = ' '.join(rlist) ++ ddict[semanage_user_get_name(u)] = (semanage_user_get_prefix(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) ++ ++ return ddict ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = list(ddict.keys()) ++ keys.sort() ++ for k in keys: ++ if ddict[k][1] or ddict[k][2]: ++ l.append("-a -L %s -r %s -R '%s' %s" % (ddict[k][1], ddict[k][2], ddict[k][3], k)) ++ else: ++ l.append("-a -R '%s' %s" % (ddict[k][3], k)) ++ return l ++ ++ def list(self, heading=True, locallist=False): ++ ddict = self.get_all(locallist) ++ keys = list(ddict.keys()) ++ if len(keys) == 0: ++ return ++ keys.sort() ++ ++ if is_mls_enabled == 1: ++ if heading: ++ print("\n%-15s %-10s %-10s %-30s" % ("", _("Labeling"), _("MLS/"), _("MLS/"))) ++ print("%-15s %-10s %-10s %-30s %s\n" % (_("SELinux User"), _("Prefix"), _("MCS Level"), _("MCS Range"), _("SELinux Roles"))) ++ for k in keys: ++ print("%-15s %-10s %-10s %-30s %s" % (k, ddict[k][0], translate(ddict[k][1]), translate(ddict[k][2]), ddict[k][3])) ++ else: ++ if heading: ++ print("%-15s %s\n" % (_("SELinux User"), _("SELinux Roles"))) ++ for k in keys: ++ print("%-15s %s" % (k, ddict[k][3])) ++ ++class portRecords(semanageRecords): ++ valid_types = [] ++ ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "port_type")[0]["types"] ++ except RuntimeError: ++ pass ++ ++ def __genkey(self, port, proto): ++ if proto == "tcp": ++ proto_d = SEMANAGE_PROTO_TCP ++ else: ++ if proto == "udp": ++ proto_d = SEMANAGE_PROTO_UDP ++ else: ++ raise ValueError(_("Protocol udp or tcp is required")) ++ if port == "": ++ raise ValueError(_("Port is required")) ++ ++ ports = port.split("-") ++ if len(ports) == 1: ++ high = low = int(ports[0]) ++ else: ++ low = int(ports[0]) ++ high = int(ports[1]) ++ ++ if high > 65535: ++ raise ValueError(_("Invalid Port")) ++ ++ (rc, k) = 
semanage_port_key_create(self.sh, low, high, proto_d) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %(PROTOTYPE)s/%(PORT)s") % {"PROTOTYPE": proto, "PORT":port}) ++ return (k, proto_d, low, high) ++ ++ def __add(self, port, proto, serange, type): ++ if is_mls_enabled == 1: ++ if serange: ++ serange = untranslate(serange) ++ else: ++ serange = "s0" ++ ++ if type == "": ++ raise ValueError(_("Type is required")) ++ ++ if sepolicy.get_real_type_name(type) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a port type") % type) ++ ++ (k, proto_d, low, high) = self.__genkey(port, proto) ++ if semanageRecords.transaction: ++ (rc, exists) = semanage_port_exists_local(self.sh, k) ++ else: ++ (rc, exists) = semanage_port_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if port %(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port}) ++ if exists: ++ raise ValueError(_("Port %(PROTOCOL)s/%(PORT)s already defined") % {"PROTOCOL": proto, "PORT": port}) ++ ++ (rc, p) = semanage_port_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create port for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ semanage_port_set_proto(p, proto_d) ++ semanage_port_set_range(p, low, high) ++ (rc, con) = semanage_context_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ rc = semanage_context_set_user(self.sh, con, "system_u") ++ if rc < 0: ++ raise ValueError(_("Could not set user in port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ rc = semanage_context_set_role(self.sh, con, "object_r") ++ if rc < 0: ++ raise ValueError(_("Could not set role in port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ rc = semanage_context_set_type(self.sh, con, type) ++ if rc < 0: ++ raise ValueError(_("Could not set type in port context for 
%(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ if serange: ++ rc = semanage_context_set_mls(self.sh, con, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ rc = semanage_port_set_con(self.sh, p, con) ++ if rc < 0: ++ raise ValueError(_("Could not set port context for %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ rc = semanage_port_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not add port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ semanage_context_free(con) ++ semanage_port_key_free(k) ++ semanage_port_free(p) ++ ++ self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange)) ++ ++ def add(self, port, proto, serange, type): ++ self.begin() ++ self.__add(port, proto, serange, type) ++ self.commit() ++ ++ def __modify(self, port, proto, serange, setype): ++ if not serange and setype == "": ++ if is_mls_enabled == 1: ++ raise ValueError(_("Requires setype or serange")) ++ else: ++ raise ValueError(_("Requires setype")) ++ ++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype) ++ ++ (k, proto_d, low, high) = self.__genkey(port, proto) ++ ++ (rc, exists) = semanage_port_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if port @%(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port}) ++ if not exists: ++ raise ValueError(_("Port @%(PROTOCOL)s/%(PORT)s is not defined") % {"PROTOCOL": proto, "PORT": port}) ++ ++ (rc, p) = semanage_port_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ con = semanage_port_get_con(p) ++ ++ if serange: ++ 
semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ else: ++ serange = "s0" ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) ++ ++ rc = semanage_port_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not modify port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ semanage_port_key_free(k) ++ semanage_port_free(p) ++ ++ self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange)) ++ ++ def modify(self, port, proto, serange, setype): ++ self.begin() ++ self.__modify(port, proto, serange, setype) ++ self.commit() ++ ++ def deleteall(self): ++ (rc, plist) = semanage_port_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list the ports")) ++ ++ self.begin() ++ ++ for port in plist: ++ proto = semanage_port_get_proto(port) ++ proto_str = semanage_port_get_proto_str(proto) ++ low = semanage_port_get_low(port) ++ high = semanage_port_get_high(port) ++ port_str = "%s-%s" % (low, high) ++ (k, proto_d, low, high) = self.__genkey(port_str , proto_str) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % port_str) ++ ++ rc = semanage_port_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete the port %s") % port_str) ++ semanage_port_key_free(k) ++ ++ if low == high: ++ port_str = low ++ ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str))) ++ ++ self.commit() ++ ++ def __delete(self, port, proto): ++ (k, proto_d, low, high) = self.__genkey(port, proto) ++ (rc, exists) = semanage_port_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if port %(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port}) ++ if not exists: ++ raise ValueError(_("Port %(PROTOCOL)s/%(PORT)s is not defined") % {"PROTOCOL": proto, "PORT": port}) ++ ++ (rc, exists) = 
semanage_port_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if port %(PROTOCOL)s/%(PORT)s is defined") % {"PROTOCOL": proto, "PORT": port}) ++ if not exists: ++ raise ValueError(_("Port %(PROTOCOL)s/%(PORT)s is defined in policy, cannot be deleted") % {"PROTOCOL": proto, "PORT": port}) ++ ++ rc = semanage_port_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete port %(PROTOCOL)s/%(PORT)s") % {"PROTOCOL": proto, "PORT": port}) ++ ++ semanage_port_key_free(k) ++ ++ self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto))) ++ ++ def delete(self, port, proto): ++ self.begin() ++ self.__delete(port, proto) ++ self.commit() ++ ++ def get_all(self, locallist=False): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = semanage_port_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_port_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ports")) ++ ++ for port in self.plist: ++ con = semanage_port_get_con(port) ++ ctype = semanage_context_get_type(con) ++ level = semanage_context_get_mls(con) ++ proto = semanage_port_get_proto(port) ++ proto_str = semanage_port_get_proto_str(proto) ++ low = semanage_port_get_low(port) ++ high = semanage_port_get_high(port) ++ ddict[(low, high, proto_str)] = (ctype, level) ++ return ddict ++ ++ def get_all_by_type(self, locallist=False): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = semanage_port_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_port_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ports")) ++ ++ for port in self.plist: ++ con = semanage_port_get_con(port) ++ ctype = semanage_context_get_type(con) ++ proto = semanage_port_get_proto(port) ++ proto_str = semanage_port_get_proto_str(proto) ++ low = semanage_port_get_low(port) ++ high = semanage_port_get_high(port) ++ if (ctype, proto_str) not in list(ddict.keys()): ++ ddict[(ctype, proto_str)] = [] ++ if low == high: ++ 
ddict[(ctype, proto_str)].append("%d" % low) ++ else: ++ ddict[(ctype, proto_str)].append("%d-%d" % (low, high)) ++ return ddict ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = list(ddict.keys()) ++ keys.sort() ++ for k in keys: ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -p %s %s" % (ddict[k][0], ddict[k][1], k[2], port)) ++ else: ++ l.append("-a -t %s -p %s %s" % (ddict[k][0], k[2], port)) ++ ++ return l ++ ++ def list(self, heading=True, locallist=False): ++ ddict = self.get_all_by_type(locallist) ++ keys = list(ddict.keys()) ++ if len(keys) == 0: ++ return ++ keys.sort() ++ ++ if heading: ++ print("%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number"))) ++ for i in keys: ++ rec = "%-30s %-8s " % i ++ rec += "%s" % ddict[i][0] ++ for p in ddict[i][1:]: ++ rec += ", %s" % p ++ print(rec) ++ ++class ibpkeyRecords(semanageRecords): ++ valid_types = [] ++ ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibpkey_type")[0]["types"]) ++ except: ++ pass ++ ++ def __genkey(self, pkey, subnet_prefix): ++ if subnet_prefix == "": ++ raise ValueError(_("Subnet Prefix is required")) ++ ++ pkeys = pkey.split("-") ++ if len(pkeys) == 1: ++ high = low = int(pkeys[0], 0) ++ else: ++ low = int(pkeys[0], 0) ++ high = int(pkeys[1], 0) ++ ++ if high > 65535: ++ raise ValueError(_("Invalid Pkey")) ++ ++ (rc, k) = semanage_ibpkey_key_create(self.sh, subnet_prefix, low, high) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s/%s") % (subnet_prefix, pkey)) ++ return (k, subnet_prefix, low, high) ++ ++ def __add(self, pkey, subnet_prefix, serange, type): ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ serange = untranslate(serange) ++ ++ if type == "": ++ raise ValueError(_("Type is required")) ++ ++ if 
sepolicy.get_real_type_name(type) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type) ++ ++ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) ++ ++ (rc, exists) = semanage_ibpkey_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if exists: ++ raise ValueError(_("ibpkey %s/%s already defined") % (subnet_prefix, pkey)) ++ ++ (rc, p) = semanage_ibpkey_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create ibpkey for %s/%s") % (subnet_prefix, pkey)) ++ ++ semanage_ibpkey_set_subnet_prefix(self.sh, p, subnet_prefix) ++ semanage_ibpkey_set_range(p, low, high) ++ (rc, con) = semanage_context_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_context_set_user(self.sh, con, "system_u") ++ if rc < 0: ++ raise ValueError(_("Could not set user in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_context_set_role(self.sh, con, "object_r") ++ if rc < 0: ++ raise ValueError(_("Could not set role in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_context_set_type(self.sh, con, type) ++ if rc < 0: ++ raise ValueError(_("Could not set type in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ rc = semanage_context_set_mls(self.sh, con, serange) ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_ibpkey_set_con(self.sh, p, con) ++ if rc < 0: ++ raise ValueError(_("Could not set ibpkey context for %s/%s") % (subnet_prefix, pkey)) ++ ++ rc = semanage_ibpkey_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not add ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ semanage_context_free(con) ++ semanage_ibpkey_key_free(k) ++ semanage_ibpkey_free(p) 
++ ++ def add(self, pkey, subnet_prefix, serange, type): ++ self.begin() ++ self.__add(pkey, subnet_prefix, serange, type) ++ self.commit() ++ ++ def __modify(self, pkey, subnet_prefix, serange, setype): ++ if serange == "" and setype == "": ++ if is_mls_enabled == 1: ++ raise ValueError(_("Requires setype or serange")) ++ else: ++ raise ValueError(_("Requires setype")) ++ ++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) ++ ++ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) ++ ++ (rc, exists) = semanage_ibpkey_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if not exists: ++ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey)) ++ ++ (rc, p) = semanage_ibpkey_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ con = semanage_ibpkey_get_con(p) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) ++ ++ rc = semanage_ibpkey_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not modify ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ semanage_ibpkey_key_free(k) ++ semanage_ibpkey_free(p) ++ ++ def modify(self, pkey, subnet_prefix, serange, setype): ++ self.begin() ++ self.__modify(pkey, subnet_prefix, serange, setype) ++ self.commit() ++ ++ def deleteall(self): ++ (rc, plist) = semanage_ibpkey_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list the ibpkeys")) ++ ++ self.begin() ++ ++ for ibpkey in plist: ++ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey) ++ low = semanage_ibpkey_get_low(ibpkey) ++ high = semanage_ibpkey_get_high(ibpkey) ++ pkey_str = "%s-%s" % (low, high) ++ (k, 
subnet_prefix, low, high) = self.__genkey(pkey_str, subnet_prefix) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % pkey_str) ++ ++ rc = semanage_ibpkey_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete the ibpkey %s") % pkey_str) ++ semanage_ibpkey_key_free(k) ++ ++ self.commit() ++ ++ def __delete(self, pkey, subnet_prefix): ++ (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix) ++ (rc, exists) = semanage_ibpkey_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if not exists: ++ raise ValueError(_("ibpkey %s/%s is not defined") % (subnet_prefix, pkey)) ++ ++ (rc, exists) = semanage_ibpkey_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibpkey %s/%s is defined") % (subnet_prefix, pkey)) ++ if not exists: ++ raise ValueError(_("ibpkey %s/%s is defined in policy, cannot be deleted") % (subnet_prefix, pkey)) ++ ++ rc = semanage_ibpkey_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete ibpkey %s/%s") % (subnet_prefix, pkey)) ++ ++ semanage_ibpkey_key_free(k) ++ ++ def delete(self, pkey, subnet_prefix): ++ self.begin() ++ self.__delete(pkey, subnet_prefix) ++ self.commit() ++ ++ def get_all(self, locallist=0): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = semanage_ibpkey_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_ibpkey_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ibpkeys")) ++ ++ for ibpkey in self.plist: ++ con = semanage_ibpkey_get_con(ibpkey) ++ ctype = semanage_context_get_type(con) ++ if ctype == "reserved_ibpkey_t": ++ continue ++ level = semanage_context_get_mls(con) ++ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey) ++ low = semanage_ibpkey_get_low(ibpkey) ++ high = semanage_ibpkey_get_high(ibpkey) ++ ddict[(low, high, subnet_prefix)] = (ctype, level) ++ return ddict ++ ++ def 
get_all_by_type(self, locallist=0): ++ ddict = {} ++ if locallist: ++ (rc, self.plist) = semanage_ibpkey_list_local(self.sh) ++ else: ++ (rc, self.plist) = semanage_ibpkey_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list ibpkeys")) ++ ++ for ibpkey in self.plist: ++ con = semanage_ibpkey_get_con(ibpkey) ++ ctype = semanage_context_get_type(con) ++ (rc, subnet_prefix) = semanage_ibpkey_get_subnet_prefix(self.sh, ibpkey) ++ low = semanage_ibpkey_get_low(ibpkey) ++ high = semanage_ibpkey_get_high(ibpkey) ++ if (ctype, subnet_prefix) not in ddict.keys(): ++ ddict[(ctype, subnet_prefix)] = [] ++ if low == high: ++ ddict[(ctype, subnet_prefix)].append("0x%x" % low) ++ else: ++ ddict[(ctype, subnet_prefix)].append("0x%x-0x%x" % (low, high)) ++ return ddict ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = ddict.keys() ++ keys.sort() ++ for k in keys: ++ port = k[0] if k[0] == k[1] else "%s-%s" % (k[0], k[1]) ++ if ddict[k][1]: ++ l.append("-a -t %s -r '%s' -x %s %s" % (ddict[k][0], ddict[k][1], k[2], port)) ++ else: ++ l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], port)) ++ return l ++ ++ def list(self, heading=1, locallist=0): ++ ddict = self.get_all_by_type(locallist) ++ keys = ddict.keys() ++ if len(keys) == 0: ++ return ++ keys.sort() ++ ++ if heading: ++ print "%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), _("Subnet_Prefix"), _("Pkey Number")) ++ for i in keys: ++ rec = "%-30s %-18s " % i ++ rec += "%s" % ddict[i][0] ++ for p in ddict[i][1:]: ++ rec += ", %s" % p ++ print rec ++ ++class ibendportRecords(semanageRecords): ++ valid_types = [] ++ ++ def __init__(self, store=""): ++ semanageRecords.__init__(self, store) ++ try: ++ self.valid_types = set(str(t) for t in sepolicy.info(sepolicy.ATTRIBUTE, "ibendport_type")[0]["types"]) ++ except: ++ pass ++ ++ def __genkey(self, ibendport, ibdev_name): ++ if ibdev_name == "": ++ raise ValueError(_("IB device name is required")) ++ ++ port = int(ibendport) ++ ++ if port > 
255 or port < 1: ++ raise ValueError(_("Invalid Port Number")) ++ ++ (rc, k) = semanage_ibendport_key_create(self.sh, ibdev_name, port) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for ibendport %s/%s") % (ibdev_name, ibendport)) ++ return (k, ibdev_name, port) ++ ++ def __add(self, ibendport, ibdev_name, serange, type): ++ if is_mls_enabled == 1: ++ if serange == "": ++ serange = "s0" ++ else: ++ serange = untranslate(serange) ++ ++ if type == "": ++ raise ValueError(_("Type is required")) ++ ++ if sepolicy.get_real_type_name(type) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) ++ (k, ibendport, port) = self.__genkey(ibendport, ibdev_name) ++ ++ (rc, exists) = semanage_ibendport_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, port)) ++ if exists: ++ raise ValueError(_("ibendport %s/%s already defined") % (ibdev_name, port)) ++ ++ (rc, p) = semanage_ibendport_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create ibendport for %s/%s") % (ibdev_name, port)) ++ ++ semanage_ibendport_set_ibdev_name(self.sh, p, ibdev_name) ++ semanage_ibendport_set_port(p, port) ++ (rc, con) = semanage_context_create(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not create context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_context_set_user(self.sh, con, "system_u") ++ if rc < 0: ++ raise ValueError(_("Could not set user in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_context_set_role(self.sh, con, "object_r") ++ if rc < 0: ++ raise ValueError(_("Could not set role in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_context_set_type(self.sh, con, type) ++ if rc < 0: ++ raise ValueError(_("Could not set type in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ rc = semanage_context_set_mls(self.sh, con, 
serange) ++ if rc < 0: ++ raise ValueError(_("Could not set mls fields in ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_ibendport_set_con(self.sh, p, con) ++ if rc < 0: ++ raise ValueError(_("Could not set ibendport context for %s/%s") % (ibdev_name, port)) ++ ++ rc = semanage_ibendport_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not add ibendport %s/%s") % (ibdev_name, port)) ++ ++ semanage_context_free(con) ++ semanage_ibendport_key_free(k) ++ semanage_ibendport_free(p) ++ ++ def add(self, ibendport, ibdev_name, serange, type): ++ self.begin() ++ self.__add(ibendport, ibdev_name, serange, type) ++ self.commit() ++ ++ def __modify(self, ibendport, ibdev_name, serange, setype): ++ if serange == "" and setype == "": ++ if is_mls_enabled == 1: ++ raise ValueError(_("Requires setype or serange")) ++ else: ++ raise ValueError(_("Requires setype")) ++ ++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types: ++ raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) ++ ++ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name) ++ ++ (rc, exists) = semanage_ibendport_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport)) ++ if not exists: ++ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport)) ++ ++ (rc, p) = semanage_ibendport_query(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not query ibendport %s/%s") % (ibdev_name, ibendport)) ++ ++ con = semanage_ibendport_get_con(p) ++ ++ if (is_mls_enabled == 1) and (serange != ""): ++ semanage_context_set_mls(self.sh, con, untranslate(serange)) ++ if setype != "": ++ semanage_context_set_type(self.sh, con, setype) ++ ++ rc = semanage_ibendport_modify_local(self.sh, k, p) ++ if rc < 0: ++ raise ValueError(_("Could not modify ibendport %s/%s") % (ibdev_name, ibendport)) ++ ++ semanage_ibendport_key_free(k) ++ 
semanage_ibendport_free(p)
++
++ def modify(self, ibendport, ibdev_name, serange, setype):
++ self.begin()
++ self.__modify(ibendport, ibdev_name, serange, setype)
++ self.commit()
++
++ def deleteall(self):
++ (rc, plist) = semanage_ibendport_list_local(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list the ibendports"))
++
++ self.begin()
++
++ for ibendport in plist:
++ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
++ port = semanage_ibendport_get_port(ibendport)
++ (k, ibdev_name, port) = self.__genkey(str(port), ibdev_name)
++ if rc < 0:
++ raise ValueError(_("Could not create a key for %s/%d") % (ibdevname, port))
++
++ rc = semanage_ibendport_del_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not delete the ibendport %s/%d") % (ibdev_name, port))
++ semanage_ibendport_key_free(k)
++
++ self.commit()
++
++ def __delete(self, ibendport, ibdev_name):
++ (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
++ (rc, exists) = semanage_ibendport_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
++ if not exists:
++ raise ValueError(_("ibendport %s/%s is not defined") % (ibdev_name, ibendport))
++
++ (rc, exists) = semanage_ibendport_exists_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if ibendport %s/%s is defined") % (ibdev_name, ibendport))
++ if not exists:
++ raise ValueError(_("ibendport %s/%s is defined in policy, cannot be deleted") % (ibdev_name, ibendport))
++
++ rc = semanage_ibendport_del_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not delete ibendport %s/%s") % (ibdev_name, ibendport))
++
++ semanage_ibendport_key_free(k)
++
++ def delete(self, ibendport, ibdev_name):
++ self.begin()
++ self.__delete(ibendport, ibdev_name)
++ self.commit()
++
++ def get_all(self, locallist=0):
++ ddict = {}
++ if locallist:
++ (rc, self.plist) = semanage_ibendport_list_local(self.sh)
++ 
else:
++ (rc, self.plist) = semanage_ibendport_list(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list ibendports"))
++
++ for ibendport in self.plist:
++ con = semanage_ibendport_get_con(ibendport)
++ ctype = semanage_context_get_type(con)
++ if ctype == "reserved_ibendport_t":
++ continue
++ level = semanage_context_get_mls(con)
++ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
++ port = semanage_ibendport_get_port(ibendport)
++ ddict[(port, ibdev_name)] = (ctype, level)
++ return ddict
++
++ def get_all_by_type(self, locallist=0):
++ ddict = {}
++ if locallist:
++ (rc, self.plist) = semanage_ibendport_list_local(self.sh)
++ else:
++ (rc, self.plist) = semanage_ibendport_list(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list ibendports"))
++
++ for ibendport in self.plist:
++ con = semanage_ibendport_get_con(ibendport)
++ ctype = semanage_context_get_type(con)
++ (rc, ibdev_name) = semanage_ibendport_get_ibdev_name(self.sh, ibendport)
++ port = semanage_ibendport_get_port(ibendport)
++ if (ctype, ibdev_name) not in ddict.keys():
++ ddict[(ctype, ibdev_name)] = []
++ ddict[(ctype, ibdev_name)].append("0x%x" % port)
++ return ddict
++
++ def customized(self):
++ l = []
++ ddict = self.get_all(True)
++ keys = ddict.keys()
++ keys.sort()
++ for k in keys:
++ if ddict[k][1]:
++ l.append("-a -t %s -r '%s' -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
++ else:
++ l.append("-a -t %s -z %s %s" % (ddict[k][0], k[1], k[0]))
++ return l
++
++ def list(self, heading=1, locallist=0):
++ ddict = self.get_all_by_type(locallist)
++ keys = ddict.keys()
++ if len(keys) == 0:
++ return
++ keys.sort()
++
++ if heading:
++ print "%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB Device Name"), _("Port Number"))
++ for i in keys:
++ rec = "%-30s %-18s " % i
++ rec += "%s" % ddict[i][0]
++ for p in ddict[i][1:]:
++ rec += ", %s" % p
++ print rec
++
++class nodeRecords(semanageRecords):
++ valid_types = []
++
++ def 
__init__(self, store=""):
++ semanageRecords.__init__(self, store)
++ self.protocol = ["ipv4", "ipv6"]
++ try:
++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "node_type")[0]["types"]
++ except RuntimeError:
++ pass
++
++ def validate(self, addr, mask, protocol):
++ newaddr = addr
++ newmask = mask
++ newprotocol = ""
++
++ if addr == "":
++ raise ValueError(_("Node Address is required"))
++
++ # verify valid comination
++ if len(mask) == 0 or mask[0] == "/":
++ i = IP(addr + mask)
++ newaddr = i.strNormal(0)
++ newmask = str(i.netmask())
++ if newmask == "0.0.0.0" and i.version() == 6:
++ newmask = "::"
++
++ protocol = "ipv%d" % i.version()
++
++ try:
++ newprotocol = self.protocol.index(protocol)
++ except:
++ raise ValueError(_("Unknown or missing protocol"))
++
++ return newaddr, newmask, newprotocol
++
++ def __add(self, addr, mask, proto, serange, ctype):
++ addr, mask, proto = self.validate(addr, mask, proto)
++
++ if is_mls_enabled == 1:
++ if serange:
++ serange = untranslate(serange)
++ else:
++ serange = "s0"
++
++ if ctype == "":
++ raise ValueError(_("SELinux node type is required"))
++
++ if sepolicy.get_real_type_name(ctype) not in self.valid_types:
++ raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
++
++ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
++ if rc < 0:
++ raise ValueError(_("Could not create key for %s") % addr)
++ if rc < 0:
++ raise ValueError(_("Could not check if addr %s is defined") % addr)
++
++ (rc, exists) = semanage_node_exists(self.sh, k)
++ if exists:
++ semanage_node_key_free(k)
++ return self.__modify(addr, mask, self.protocol[proto], serange, ctype)
++
++ (rc, node) = semanage_node_create(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not create addr for %s") % addr)
++ semanage_node_set_proto(node, proto)
++
++ rc = semanage_node_set_addr(self.sh, node, proto, addr)
++ (rc, con) = semanage_context_create(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not create 
context for %s") % addr)
++
++ rc = semanage_node_set_mask(self.sh, node, proto, mask)
++ if rc < 0:
++ raise ValueError(_("Could not set mask for %s") % addr)
++
++ rc = semanage_context_set_user(self.sh, con, "system_u")
++ if rc < 0:
++ raise ValueError(_("Could not set user in addr context for %s") % addr)
++
++ rc = semanage_context_set_role(self.sh, con, "object_r")
++ if rc < 0:
++ raise ValueError(_("Could not set role in addr context for %s") % addr)
++
++ rc = semanage_context_set_type(self.sh, con, ctype)
++ if rc < 0:
++ raise ValueError(_("Could not set type in addr context for %s") % addr)
++
++ if serange:
++ rc = semanage_context_set_mls(self.sh, con, serange)
++ if rc < 0:
++ raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
++
++ rc = semanage_node_set_con(self.sh, node, con)
++ if rc < 0:
++ raise ValueError(_("Could not set addr context for %s") % addr)
++
++ rc = semanage_node_modify_local(self.sh, k, node)
++ if rc < 0:
++ raise ValueError(_("Could not add addr %s") % addr)
++
++ semanage_context_free(con)
++ semanage_node_key_free(k)
++ semanage_node_free(node)
++
++ self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
++
++ def add(self, addr, mask, proto, serange, ctype):
++ self.begin()
++ self.__add(addr, mask, proto, serange, ctype)
++ self.commit()
++
++ def __modify(self, addr, mask, proto, serange, setype):
++ addr, mask, proto = self.validate(addr, mask, proto)
++
++ if not serange and setype == "":
++ raise ValueError(_("Requires setype or serange"))
++
++ if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
++ raise ValueError(_("Type %s is invalid, must be a node type") % setype)
++
++ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
++ if rc < 0:
++ raise ValueError(_("Could not create key for %s") % addr)
++
++ (rc, exists) = 
semanage_node_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if addr %s is defined") % addr)
++ if not exists:
++ raise ValueError(_("Addr %s is not defined") % addr)
++
++ (rc, node) = semanage_node_query(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not query addr %s") % addr)
++
++ con = semanage_node_get_con(node)
++ if serange:
++ semanage_context_set_mls(self.sh, con, untranslate(serange))
++ if setype != "":
++ semanage_context_set_type(self.sh, con, setype)
++
++ rc = semanage_node_modify_local(self.sh, k, node)
++ if rc < 0:
++ raise ValueError(_("Could not modify addr %s") % addr)
++
++ semanage_node_key_free(k)
++ semanage_node_free(node)
++
++ self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
++
++ def modify(self, addr, mask, proto, serange, setype):
++ self.begin()
++ self.__modify(addr, mask, proto, serange, setype)
++ self.commit()
++
++ def __delete(self, addr, mask, proto):
++
++ addr, mask, proto = self.validate(addr, mask, proto)
++
++ (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
++ if rc < 0:
++ raise ValueError(_("Could not create key for %s") % addr)
++
++ (rc, exists) = semanage_node_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if addr %s is defined") % addr)
++ if not exists:
++ raise ValueError(_("Addr %s is not defined") % addr)
++
++ (rc, exists) = semanage_node_exists_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if addr %s is defined") % addr)
++ if not exists:
++ raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
++
++ rc = semanage_node_del_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not delete addr %s") % addr)
++
++ semanage_node_key_free(k)
++
++ self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, 
socket.getprotobyname(self.protocol[proto])))
++
++ def delete(self, addr, mask, proto):
++ self.begin()
++ self.__delete(addr, mask, proto)
++ self.commit()
++
++ def deleteall(self):
++ (rc, nlist) = semanage_node_list_local(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not deleteall node mappings"))
++
++ self.begin()
++ for node in nlist:
++ self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)])
++ self.commit()
++
++ def get_all(self, locallist=False):
++ ddict = {}
++ if locallist:
++ (rc, self.ilist) = semanage_node_list_local(self.sh)
++ else:
++ (rc, self.ilist) = semanage_node_list(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list addrs"))
++
++ for node in self.ilist:
++ con = semanage_node_get_con(node)
++ addr = semanage_node_get_addr(self.sh, node)
++ mask = semanage_node_get_mask(self.sh, node)
++ proto = self.protocol[semanage_node_get_proto(node)]
++ ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
++
++ return ddict
++
++ def customized(self):
++ l = []
++ ddict = self.get_all(True)
++ keys = list(ddict.keys())
++ keys.sort()
++ for k in keys:
++ if ddict[k][3]:
++ l.append("-a -M %s -p %s -t %s -r '%s' %s" % (k[1], k[2], ddict[k][2], ddict[k][3], k[0]))
++ else:
++ l.append("-a -M %s -p %s -t %s %s" % (k[1], k[2], ddict[k][2], k[0]))
++ return l
++
++ def list(self, heading=True, locallist=False):
++ ddict = self.get_all(locallist)
++ keys = list(ddict.keys())
++ if len(keys) == 0:
++ return
++ keys.sort()
++
++ if heading:
++ print("%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context"))
++ if is_mls_enabled:
++ for k in keys:
++ val = ''
++ for fields in k:
++ val = val + '\t' + str(fields)
++ print("%-18s %-18s %-5s %s:%s:%s:%s " % (k[0], k[1], k[2], ddict[k][0], ddict[k][1], ddict[k][2], 
translate(ddict[k][3], False)))
++ else:
++ for k in keys:
++ print("%-18s %-18s %-5s %s:%s:%s " % (k[0], k[1], k[2], ddict[k][0], ddict[k][1], ddict[k][2]))
++
++
++class interfaceRecords(semanageRecords):
++ def __init__(self, store=""):
++ semanageRecords.__init__(self, store)
++
++ def __add(self, interface, serange, ctype):
++ if is_mls_enabled == 1:
++ if serange:
++ serange = untranslate(serange)
++ else:
++ serange = "s0"
++
++ if ctype == "":
++ raise ValueError(_("SELinux Type is required"))
++
++ (rc, k) = semanage_iface_key_create(self.sh, interface)
++ if rc < 0:
++ raise ValueError(_("Could not create key for %s") % interface)
++
++ (rc, exists) = semanage_iface_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if interface %s is defined") % interface)
++ if exists:
++ semanage_iface_key_free(k)
++ return self.__modify(interface, serange, ctype)
++
++ (rc, iface) = semanage_iface_create(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not create interface for %s") % interface)
++
++ rc = semanage_iface_set_name(self.sh, iface, interface)
++ (rc, con) = semanage_context_create(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not create context for %s") % interface)
++
++ rc = semanage_context_set_user(self.sh, con, "system_u")
++ if rc < 0:
++ raise ValueError(_("Could not set user in interface context for %s") % interface)
++
++ rc = semanage_context_set_role(self.sh, con, "object_r")
++ if rc < 0:
++ raise ValueError(_("Could not set role in interface context for %s") % interface)
++
++ rc = semanage_context_set_type(self.sh, con, ctype)
++ if rc < 0:
++ raise ValueError(_("Could not set type in interface context for %s") % interface)
++
++ if serange:
++ rc = semanage_context_set_mls(self.sh, con, serange)
++ if rc < 0:
++ raise ValueError(_("Could not set mls fields in interface context for %s") % interface)
++
++ rc = semanage_iface_set_ifcon(self.sh, iface, con)
++ if rc < 0:
++ raise ValueError(_("Could not set 
interface context for %s") % interface)
++
++ rc = semanage_iface_set_msgcon(self.sh, iface, con)
++ if rc < 0:
++ raise ValueError(_("Could not set message context for %s") % interface)
++
++ rc = semanage_iface_modify_local(self.sh, k, iface)
++ if rc < 0:
++ raise ValueError(_("Could not add interface %s") % interface)
++
++ semanage_context_free(con)
++ semanage_iface_key_free(k)
++ semanage_iface_free(iface)
++
++ self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
++
++ def add(self, interface, serange, ctype):
++ self.begin()
++ self.__add(interface, serange, ctype)
++ self.commit()
++
++ def __modify(self, interface, serange, setype):
++ if not serange and setype == "":
++ raise ValueError(_("Requires setype or serange"))
++
++ (rc, k) = semanage_iface_key_create(self.sh, interface)
++ if rc < 0:
++ raise ValueError(_("Could not create key for %s") % interface)
++
++ (rc, exists) = semanage_iface_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if interface %s is defined") % interface)
++ if not exists:
++ raise ValueError(_("Interface %s is not defined") % interface)
++
++ (rc, iface) = semanage_iface_query(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not query interface %s") % interface)
++
++ con = semanage_iface_get_ifcon(iface)
++
++ if serange:
++ semanage_context_set_mls(self.sh, con, untranslate(serange))
++ if setype != "":
++ semanage_context_set_type(self.sh, con, setype)
++
++ rc = semanage_iface_modify_local(self.sh, k, iface)
++ if rc < 0:
++ raise ValueError(_("Could not modify interface %s") % interface)
++
++ semanage_iface_key_free(k)
++ semanage_iface_free(iface)
++
++ self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
++
++ def modify(self, interface, serange, setype):
++ self.begin()
++ self.__modify(interface, serange, setype)
++ 
self.commit()
++
++ def __delete(self, interface):
++ (rc, k) = semanage_iface_key_create(self.sh, interface)
++ if rc < 0:
++ raise ValueError(_("Could not create key for %s") % interface)
++
++ (rc, exists) = semanage_iface_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if interface %s is defined") % interface)
++ if not exists:
++ raise ValueError(_("Interface %s is not defined") % interface)
++
++ (rc, exists) = semanage_iface_exists_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if interface %s is defined") % interface)
++ if not exists:
++ raise ValueError(_("Interface %s is defined in policy, cannot be deleted") % interface)
++
++ rc = semanage_iface_del_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not delete interface %s") % interface)
++
++ semanage_iface_key_free(k)
++
++ self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
++
++ def delete(self, interface):
++ self.begin()
++ self.__delete(interface)
++ self.commit()
++
++ def deleteall(self):
++ (rc, ulist) = semanage_iface_list_local(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not delete all interface mappings"))
++
++ self.begin()
++ for i in ulist:
++ self.__delete(semanage_iface_get_name(i))
++ self.commit()
++
++ def get_all(self, locallist=False):
++ ddict = {}
++ if locallist:
++ (rc, self.ilist) = semanage_iface_list_local(self.sh)
++ else:
++ (rc, self.ilist) = semanage_iface_list(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list interfaces"))
++
++ for interface in self.ilist:
++ con = semanage_iface_get_ifcon(interface)
++ ddict[semanage_iface_get_name(interface)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
++
++ return ddict
++
++ def customized(self):
++ l = []
++ ddict = self.get_all(True)
++ keys = list(ddict.keys())
++ keys.sort()
++ for k in keys:
++ if ddict[k][3]:
++ l.append("-a -t %s -r '%s' %s" % 
(ddict[k][2], ddict[k][3], k))
++ else:
++ l.append("-a -t %s %s" % (ddict[k][2], k))
++ return l
++
++ def list(self, heading=True, locallist=False):
++ ddict = self.get_all(locallist)
++ keys = list(ddict.keys())
++ if len(keys) == 0:
++ return
++ keys.sort()
++
++ if heading:
++ print("%-30s %s\n" % (_("SELinux Interface"), _("Context")))
++ if is_mls_enabled:
++ for k in keys:
++ print("%-30s %s:%s:%s:%s " % (k, ddict[k][0], ddict[k][1], ddict[k][2], translate(ddict[k][3], False)))
++ else:
++ for k in keys:
++ print("%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1], ddict[k][2]))
++
++class fcontextRecords(semanageRecords):
++ valid_types = []
++
++ def __init__(self, store=""):
++ semanageRecords.__init__(self, store)
++ try:
++ self.valid_types = sepolicy.info(sepolicy.ATTRIBUTE, "file_type")[0]["types"]
++ self.valid_types += sepolicy.info(sepolicy.ATTRIBUTE, "device_node")[0]["types"]
++ except RuntimeError:
++ pass
++
++ self.equiv = {}
++ self.equiv_dist = {}
++ self.equal_ind = False
++ try:
++ fd = open(selinux.selinux_file_context_subs_path(), "r")
++ for i in fd.readlines():
++ i = i.strip()
++ if len(i) == 0:
++ continue
++ if i.startswith("#"):
++ continue
++ target, substitute = i.split()
++ self.equiv[target] = substitute
++ fd.close()
++ except IOError:
++ pass
++ try:
++ fd = open(selinux.selinux_file_context_subs_dist_path(), "r")
++ for i in fd.readlines():
++ i = i.strip()
++ if len(i) == 0:
++ continue
++ if i.startswith("#"):
++ continue
++ target, substitute = i.split()
++ self.equiv_dist[target] = substitute
++ fd.close()
++ except IOError:
++ pass
++
++ def commit(self):
++ if self.equal_ind:
++ subs_file = selinux.selinux_file_context_subs_path()
++ tmpfile = "%s.tmp" % subs_file
++ fd = open(tmpfile, "w")
++ for target in list(self.equiv.keys()):
++ fd.write("%s %s\n" % (target, self.equiv[target]))
++ fd.close()
++ try:
++ os.chmod(tmpfile, os.stat(subs_file)[stat.ST_MODE])
++ except:
++ pass
++ os.rename(tmpfile, subs_file)
++ 
self.equal_ind = False
++ semanageRecords.commit(self)
++
++ def add_equal(self, target, substitute):
++ self.begin()
++ if target != "/" and target[-1] == "/":
++ raise ValueError(_("Target %s is not valid. Target is not allowed to end with '/'") % target)
++
++ if substitute != "/" and substitute[-1] == "/":
++ raise ValueError(_("Substitute %s is not valid. Substitute is not allowed to end with '/'") % substitute)
++
++ if target in list(self.equiv.keys()):
++ raise ValueError(_("Equivalence class for %s already exists") % target)
++ self.validate(target)
++
++ for fdict in (self.equiv, self.equiv_dist):
++ for i in fdict:
++ if i.startswith(target + "/"):
++ raise ValueError(_("File spec %(TARGET)s conflicts with equivalency rule '%(SOURCE)s %(DEST)s'") % {"TARGET": target, "SOURCE": i, "DEST": fdict[i]})
++
++ self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
++
++ self.equiv[target] = substitute
++ self.equal_ind = True
++ self.commit()
++
++ def modify_equal(self, target, substitute):
++ self.begin()
++ if target not in list(self.equiv.keys()):
++ raise ValueError(_("Equivalence class for %s does not exists") % target)
++ self.equiv[target] = substitute
++ self.equal_ind = True
++ self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
++ self.commit()
++
++ def createcon(self, target, seuser="system_u"):
++ (rc, con) = semanage_context_create(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not create context for %s") % target)
++ if seuser == "":
++ seuser = "system_u"
++
++ rc = semanage_context_set_user(self.sh, con, seuser)
++ if rc < 0:
++ raise ValueError(_("Could not set user in file context for %s") % target)
++
++ rc = semanage_context_set_role(self.sh, con, "object_r")
++ if rc < 0:
++ raise ValueError(_("Could not set 
role in file context for %s") % target)
++
++ if is_mls_enabled == 1:
++ rc = semanage_context_set_mls(self.sh, con, "s0")
++ if rc < 0:
++ raise ValueError(_("Could not set mls fields in file context for %s") % target)
++
++ return con
++
++ def validate(self, target):
++ if target == "" or target.find("\n") >= 0:
++ raise ValueError(_("Invalid file specification"))
++ if target.find(" ") != -1:
++ raise ValueError(_("File specification can not include spaces"))
++ for fdict in (self.equiv, self.equiv_dist):
++ for i in fdict:
++ if target.startswith(i + "/"):
++ t = re.sub(i, fdict[i], target)
++ raise ValueError(_("File spec %(TARGET)s conflicts with equivalency rule '%(SOURCE)s %(DEST)s'; Try adding '%(DEST1)s' instead") % {"TARGET":target, "SOURCE": i, "DEST":fdict[i], "DEST1": t})
++
++
++ def __add(self, target, type, ftype="", serange=None, seuser="system_u"):
++ self.validate(target)
++
++ if seuser == "":
++ seuser = "system_u"
++
++ if is_mls_enabled == 1:
++ serange = untranslate(serange)
++
++ if not serange:
++ serange = "s0"
++
++ if type == "":
++ raise ValueError(_("SELinux Type is required"))
++
++ if type != "<>" and sepolicy.get_real_type_name(type) not in self.valid_types:
++ raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
++
++ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
++ if rc < 0:
++ raise ValueError(_("Could not create key for %s") % target)
++
++ (rc, exists) = semanage_fcontext_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if file context for %s is defined") % target)
++
++ if not exists:
++ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if file context for %s is defined") % target)
++
++ if exists:
++ semanage_fcontext_key_free(k)
++ return self.__modify(target, type, ftype, serange, seuser)
++
++ (rc, fcontext) = semanage_fcontext_create(self.sh)
++ if rc < 0:
++ raise 
ValueError(_("Could not create file context for %s") % target)
++
++ rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
++ if type != "<>":
++ con = self.createcon(target, seuser)
++
++ rc = semanage_context_set_type(self.sh, con, type)
++ if rc < 0:
++ raise ValueError(_("Could not set type in file context for %s") % target)
++
++ if serange:
++ rc = semanage_context_set_mls(self.sh, con, serange)
++ if rc < 0:
++ raise ValueError(_("Could not set mls fields in file context for %s") % target)
++ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
++ if rc < 0:
++ raise ValueError(_("Could not set file context for %s") % target)
++
++ semanage_fcontext_set_type(fcontext, file_types[ftype])
++
++ rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
++ if rc < 0:
++ raise ValueError(_("Could not add file context for %s") % target)
++
++ if type != "<>":
++ semanage_context_free(con)
++ semanage_fcontext_key_free(k)
++ semanage_fcontext_free(fcontext)
++
++ if not seuser:
++ seuser = "system_u"
++
++ self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
++
++ def add(self, target, type, ftype="", serange=None, seuser="system_u"):
++ self.begin()
++ self.__add(target, type, ftype, serange, seuser)
++ self.commit()
++
++ def __modify(self, target, setype, ftype, serange, seuser):
++ if serange and setype == "" and seuser == "":
++ raise ValueError(_("Requires setype, serange or seuser"))
++ if setype not in ["", "<>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
++ raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
++
++ self.validate(target)
++
++ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
++ if rc < 0:
++ raise ValueError(_("Could not create a key for %s") % target)
++
++ (rc, exists) = semanage_fcontext_exists(self.sh, k)
++ if rc < 0: 
++ raise ValueError(_("Could not check if file context for %s is defined") % target)
++ if not exists:
++ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
++ if not exists:
++ raise ValueError(_("File context for %s is not defined") % target)
++
++ try:
++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
++ except OSError:
++ try:
++ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
++ except OSError:
++ raise ValueError(_("Could not query file context for %s") % target)
++
++ if setype != "<>":
++ con = semanage_fcontext_get_con(fcontext)
++
++ if con == None:
++ con = self.createcon(target)
++
++ if serange:
++ semanage_context_set_mls(self.sh, con, untranslate(serange))
++ if seuser != "":
++ semanage_context_set_user(self.sh, con, seuser)
++
++ if setype != "":
++ semanage_context_set_type(self.sh, con, setype)
++
++ rc = semanage_fcontext_set_con(self.sh, fcontext, con)
++ if rc < 0:
++ raise ValueError(_("Could not set file context for %s") % target)
++ else:
++ rc = semanage_fcontext_set_con(self.sh, fcontext, None)
++ if rc < 0:
++ raise ValueError(_("Could not set file context for %s") % target)
++
++ rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
++ if rc < 0:
++ raise ValueError(_("Could not modify file context for %s") % target)
++
++ semanage_fcontext_key_free(k)
++ semanage_fcontext_free(fcontext)
++
++ if not seuser:
++ seuser = "system_u"
++
++ self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange))
++
++ def modify(self, target, setype, ftype, serange, seuser):
++ self.begin()
++ self.__modify(target, setype, ftype, serange, seuser)
++ self.commit()
++
++ def deleteall(self):
++ (rc, flist) = semanage_fcontext_list_local(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list the file contexts"))
++
++ self.begin()
++
++ for fcontext in flist:
++ target = 
semanage_fcontext_get_expr(fcontext)
++ ftype = semanage_fcontext_get_type(fcontext)
++ ftype_str = semanage_fcontext_get_type_str(ftype)
++ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str])
++ if rc < 0:
++ raise ValueError(_("Could not create a key for %s") % target)
++
++ rc = semanage_fcontext_del_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not delete the file context %s") % target)
++ semanage_fcontext_key_free(k)
++
++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[file_type_str_to_option[ftype_str]]))
++
++ self.equiv = {}
++ self.equal_ind = True
++ self.commit()
++
++ def __delete(self, target, ftype):
++ if target in list(self.equiv.keys()):
++ self.equiv.pop(target)
++ self.equal_ind = True
++
++ self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0)))
++
++ return
++
++ (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
++ if rc < 0:
++ raise ValueError(_("Could not create a key for %s") % target)
++
++ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if file context for %s is defined") % target)
++ if not exists:
++ (rc, exists) = semanage_fcontext_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if file context for %s is defined") % target)
++ if exists:
++ raise ValueError(_("File context for %s is defined in policy, cannot be deleted") % target)
++ else:
++ raise ValueError(_("File context for %s is not defined") % target)
++
++ rc = semanage_fcontext_del_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not delete file context for %s") % target)
++
++ semanage_fcontext_key_free(k)
++
++ self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
++
++ def delete(self, 
target, ftype):
++ self.begin()
++ self.__delete(target, ftype)
++ self.commit()
++
++ def get_all(self, locallist=False):
++ if locallist:
++ (rc, self.flist) = semanage_fcontext_list_local(self.sh)
++ else:
++ (rc, self.flist) = semanage_fcontext_list(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list file contexts"))
++ (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list file contexts for home directories"))
++ (rc, fclocal) = semanage_fcontext_list_local(self.sh)
++ if rc < 0:
++ raise ValueError(_("Could not list local file contexts"))
++
++ self.flist += fchomedirs
++ self.flist += fclocal
++
++ from collections import OrderedDict
++ ddict = OrderedDict()
++
++ for fcontext in self.flist:
++ expr = semanage_fcontext_get_expr(fcontext)
++ ftype = semanage_fcontext_get_type(fcontext)
++ ftype_str = semanage_fcontext_get_type_str(ftype)
++ con = semanage_fcontext_get_con(fcontext)
++ if con:
++ ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
++ else:
++ ddict[(expr, ftype_str)] = con
++
++ return ddict
++
++ def customized(self):
++ l = []
++ fcon_dict = self.get_all(True)
++ keys = list(fcon_dict.keys())
++ for k in keys:
++ if fcon_dict[k]:
++ if fcon_dict[k][3]:
++ l.append("-a -f %s -t %s -r '%s' '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], fcon_dict[k][3], k[0]))
++ else:
++ l.append("-a -f %s -t %s '%s'" % (file_type_str_to_option[k[1]], fcon_dict[k][2], k[0]))
++
++ if len(self.equiv):
++ for target in list(self.equiv.keys()):
++ l.append("-a -e %s %s" % (self.equiv[target], target))
++ return l
++
++ def list(self, heading=True, locallist=False):
++ fcon_dict = self.get_all(locallist)
++ keys = list(fcon_dict.keys())
++ if len(keys) != 0:
++ if heading:
++ print("%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")))
++ for k in keys:
++ if fcon_dict[k]: 
++ if is_mls_enabled:
++ print("%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3], False)))
++ else:
++ print("%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2]))
++ else:
++ print("%-50s %-18s <>" % (k[0], k[1]))
++
++ if len(self.equiv_dist):
++ if not locallist:
++ if heading:
++ print(_("\nSELinux Distribution fcontext Equivalence \n"))
++ for target in list(self.equiv_dist.keys()):
++ print("%s = %s" % (target, self.equiv_dist[target]))
++ if len(self.equiv):
++ if heading:
++ print(_("\nSELinux Local fcontext Equivalence \n"))
++
++ for target in list(self.equiv.keys()):
++ print("%s = %s" % (target, self.equiv[target]))
++
++class booleanRecords(semanageRecords):
++ def __init__(self, store=""):
++ semanageRecords.__init__(self, store)
++ self.dict = {}
++ self.dict["TRUE"] = 1
++ self.dict["FALSE"] = 0
++ self.dict["ON"] = 1
++ self.dict["OFF"] = 0
++ self.dict["1"] = 1
++ self.dict["0"] = 0
++
++ try:
++ rc, self.current_booleans = selinux.security_get_boolean_names()
++ rc, ptype = selinux.selinux_getpolicytype()
++ except:
++ self.current_booleans = []
++ ptype = None
++
++ if self.store == None or self.store == ptype:
++ self.modify_local = True
++ else:
++ self.modify_local = False
++
++ def __mod(self, name, value):
++ name = selinux.selinux_boolean_sub(name)
++
++ (rc, k) = semanage_bool_key_create(self.sh, name)
++ if rc < 0:
++ raise ValueError(_("Could not create a key for %s") % name)
++ (rc, exists) = semanage_bool_exists(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if boolean %s is defined") % name)
++ if not exists:
++ raise ValueError(_("Boolean %s is not defined") % name)
++
++ (rc, b) = semanage_bool_query(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not query file context %s") % name)
++
++ if value.upper() in self.dict:
++ semanage_bool_set_value(b, self.dict[value.upper()])
++ else:
++ raise 
ValueError(_("You must specify one of the following values: %s") % ", ".join(list(self.dict.keys()))) ++ ++ if self.modify_local and name in self.current_booleans: ++ rc = semanage_bool_set_active(self.sh, k, b) ++ if rc < 0: ++ raise ValueError(_("Could not set active value of boolean %s") % name) ++ rc = semanage_bool_modify_local(self.sh, k, b) ++ if rc < 0: ++ raise ValueError(_("Could not modify boolean %s") % name) ++ semanage_bool_key_free(k) ++ semanage_bool_free(b) ++ ++ def modify(self, name, value=None, use_file=False): ++ self.begin() ++ if use_file: ++ fd = open(name) ++ for b in fd.read().split("\n"): ++ b = b.strip() ++ if len(b) == 0: ++ continue ++ ++ try: ++ boolname, val = b.split("=") ++ except ValueError: ++ raise ValueError(_("Bad format %(BOOLNAME)s: Record %(VALUE)s" % { "BOOLNAME": name, "VALUE": b })) ++ self.__mod(boolname.strip(), val.strip()) ++ fd.close() ++ else: ++ self.__mod(name, value) ++ ++ self.commit() ++ ++ def __delete(self, name): ++ name = selinux.selinux_boolean_sub(name) ++ ++ (rc, k) = semanage_bool_key_create(self.sh, name) ++ if rc < 0: ++ raise ValueError(_("Could not create a key for %s") % name) ++ (rc, exists) = semanage_bool_exists(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if boolean %s is defined") % name) ++ if not exists: ++ raise ValueError(_("Boolean %s is not defined") % name) ++ ++ (rc, exists) = semanage_bool_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if boolean %s is defined") % name) ++ if not exists: ++ raise ValueError(_("Boolean %s is defined in policy, cannot be deleted") % name) ++ ++ rc = semanage_bool_del_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not delete boolean %s") % name) ++ ++ semanage_bool_key_free(k) ++ ++ def delete(self, name): ++ self.begin() ++ self.__delete(name) ++ self.commit() ++ ++ def deleteall(self): ++ (rc, self.blist) = semanage_bool_list_local(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not 
list booleans")) ++ ++ self.begin() ++ ++ for boolean in self.blist: ++ name = semanage_bool_get_name(boolean) ++ self.__delete(name) ++ ++ self.commit() ++ ++ def get_all(self, locallist=False): ++ ddict = {} ++ if locallist: ++ (rc, self.blist) = semanage_bool_list_local(self.sh) ++ else: ++ (rc, self.blist) = semanage_bool_list(self.sh) ++ if rc < 0: ++ raise ValueError(_("Could not list booleans")) ++ ++ for boolean in self.blist: ++ value = [] ++ name = semanage_bool_get_name(boolean) ++ value.append(semanage_bool_get_value(boolean)) ++ if self.modify_local and name in self.current_booleans: ++ value.append(selinux.security_get_boolean_pending(name)) ++ value.append(selinux.security_get_boolean_active(name)) ++ else: ++ value.append(value[0]) ++ value.append(value[0]) ++ ddict[name] = value ++ ++ return ddict ++ ++ def get_desc(self, name): ++ name = selinux.selinux_boolean_sub(name) ++ return boolean_desc(name) ++ ++ def get_category(self, name): ++ name = selinux.selinux_boolean_sub(name) ++ return boolean_category(name) ++ ++ def customized(self): ++ l = [] ++ ddict = self.get_all(True) ++ keys = list(ddict.keys()) ++ keys.sort() ++ for k in keys: ++ if ddict[k]: ++ l.append("-m -%s %s" % (ddict[k][2], k)) ++ return l ++ ++ def list(self, heading=True, locallist=False, use_file=False): ++ on_off = (_("off"), _("on")) ++ if use_file: ++ ddict = self.get_all(locallist) ++ keys = list(ddict.keys()) ++ for k in keys: ++ if ddict[k]: ++ print("%s=%s" % (k, ddict[k][2])) ++ return ++ ddict = self.get_all(locallist) ++ keys = list(ddict.keys()) ++ if len(keys) == 0: ++ return ++ ++ if heading: ++ print("%-30s %s %s %s\n" % (_("SELinux boolean"), _("State"), _("Default"), _("Description"))) ++ for k in keys: ++ if ddict[k]: ++ print("%-30s (%-5s,%5s) %s" % (k, on_off[ddict[k][2]], on_off[ddict[k][0]], self.get_desc(k))) +diff --git policycoreutils-2.5/semanage/setup.py policycoreutils-2.5/semanage/setup.py +new file mode 100644 +index 0000000..7735c59 +--- 
/dev/null
++++ policycoreutils-2.5/semanage/setup.py
+@@ -0,0 +1,35 @@
++# Authors:
++# Dan Walsh
++#
++# Copyright (C) 2013 Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License as
++# published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++
++from distutils.core import setup, Extension
++
++setup(name = 'seobject',
++ version = '0.1',
++ description = 'python bindings used by semanage and system-config-selinux',
++ long_description = 'python bindings used by semanage and system-config-selinux',
++ author = 'Dan Walsh',
++ author_email = 'dwalsh@redhat.com',
++ maintainer = 'Dan Walsh',
++ maintainer_email = 'dwalsh@redhat.com',
++ license = 'GPLv2+',
++ platforms = 'posix',
++ url = '',
++ download_url = '',
++ packages=["seobject"],
++)
+diff --git policycoreutils-2.5/semodule/semodule.8 policycoreutils-2.5/semodule/semodule.8
+index 6db390c..34d34eb 100644
+--- policycoreutils-2.5/semodule/semodule.8
++++ policycoreutils-2.5/semodule/semodule.8
+@@ -3,7 +3,7 @@
+ semodule \- Manage SELinux policy modules.
+ 
+ .SH SYNOPSIS
+-.B semodule [options]... MODE [MODES]...
++.B semodule [option]... MODE...
+ .br
+ .SH DESCRIPTION
+ .PP
+@@ -15,7 +15,7 @@ any other transaction. semodule acts on module packages created
+ by semodule_package. Conventionally, these files have a .pp suffix
+ (policy package), although this is not mandated in any way. 
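Review bot: `Extension` is imported from `distutils.core` in the new setup.py but never used; the import should read `from distutils.core import setup`. distutils itself is deprecated and removed in Python 3.12, so this file will need a different build backend if it is meant to outlive the 2.x/3.x bridge. The metadata also ships `url` and `download_url` as empty strings; omitting the keys is cleaner than publishing empty fields.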
+ +-.SH "OPTIONS" ++.SH "MODES" + .TP + .B \-R, \-\-reload + force a reload of policy +@@ -36,16 +36,11 @@ deprecated, alias for --install + deprecated, alias for --install + .TP + .B \-r,\-\-remove=MODULE_NAME +-remove existing module ++remove existing module at desired priority (defaults to -X 400) + .TP +-.B \-l,\-\-list-modules=[KIND] ++.B \-l[KIND],\-\-list-modules[=KIND] + display list of installed modules (other than base) + .TP +-.B \-E,\-\-extract=MODULE_PKG +-Extract a module from the store as an HLL or CIL file to the current directory. +-A module is extracted as HLL by default. The name of the module written is +-. +-.TP + .B KIND: + .TP + standard +@@ -57,12 +52,18 @@ list all modules + .B \-X,\-\-priority=PRIORITY + set priority for following operations (1-999) + .TP +-.B \-e,\-\-enabled=MODULE_NAME ++.B \-e,\-\-enable=MODULE_NAME + enable module + .TP + .B \-d,\-\-disable=MODULE_NAME + disable module + .TP ++.B \-E,\-\-extract=MODULE_PKG ++Extract a module from the store as an HLL or CIL file to the current directory. ++A module is extracted as HLL by default. The name of the module written is ++. ++.SH "OPTIONS" ++.TP + .B \-s,\-\-store + name of the store to operate on + .TP +@@ -88,10 +89,12 @@ Use an alternate path for the policy store root + be verbose + .TP + .B \-c,\-\-cil +-Extract module as a CIL file. This only affects the \-\-extract option. ++Extract module as a CIL file. This only affects the \-\-extract option and ++only modules listed in \-\-extract after this option. + .TP + .B \-H,\-\-hll +-Extract module as an HLL file. This only affects the \-\-extract option. ++Extract module as an HLL file. This only affects the \-\-extract option and ++only modules listed in \-\-extract after this option. + + .SH EXAMPLE + .nf +@@ -99,29 +102,34 @@ Extract module as an HLL file. This only affects the \-\-extract option. + $ semodule \-b base.pp + # Install or replace a non-base policy package. 
+ $ semodule \-i httpd.pp ++# Install or replace all non-base modules in the current directory. ++# This syntax can be used with -i/u/r/E, but no other option can be entered after the module names ++$ semodule \-i *.pp ++# Install or replace all modules in the current directory. ++$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i + # List non-base modules. + $ semodule \-l ++# List all modules including priorities ++$ semodule \-lfull ++# Remove a module at priority 100 ++$ semodule \-X 100 \-r wireshark + # Turn on all AVC Messages for which SELinux currently is "dontaudit"ing. + $ semodule \-DB + # Turn "dontaudit" rules back on. + $ semodule \-B +-# Install or replace all non-base modules in the current directory. +-$ semodule \-i *.pp +-# Install or replace all modules in the current directory. +-$ ls *.pp | grep \-Ev "base.pp|enableaudit.pp" | xargs /usr/sbin/semodule \-b base.pp \-i +-# Disable a module. ++# Disable a module (all instances of given module across priorities will be disabled). + $ semodule \-d alsa + # Install a module at a specific priority. + $ semodule \-X 100 \-i alsa.pp + # List all modules. 
+-$ semodule \-l full
++$ semodule \-\-list=full
+ # Set an alternate path for the policy root
+ $ semodule \-B \-p "/tmp"
+ # Set an alternate path for the policy store root
+ $ semodule \-B \-S "/tmp/var/lib/selinux"
+ # Write the HLL version of puppet and the CIL version of wireshark
+ # modules at priority 400 to the current working directory
+-$ semodule \-X 400 \-g wireshark \-\-cil \-g puppet \-\-hll
++$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
+ .fi
+ 
+ .SH SEE ALSO
+diff --git policycoreutils-2.5/semodule/semodule.c policycoreutils-2.5/semodule/semodule.c
+index bcfaa2b..d053493 100644
+--- policycoreutils-2.5/semodule/semodule.c
++++ policycoreutils-2.5/semodule/semodule.c
+@@ -120,26 +120,26 @@ static void create_signal_handlers(void)
+ 
+ static void usage(char *progname)
+ {
+- printf("usage: %s [options]... MODE [MODES]...\n", progname);
++ printf("usage: %s [option]... MODE...\n", progname);
+ printf("Manage SELinux policy modules.\n");
+ printf("MODES:\n");
+ printf(" -R, --reload reload policy\n");
+ printf(" -B, --build build and reload policy\n");
++ printf(" -D,--disable_dontaudit Remove dontaudits from policy\n");
+ printf(" -i,--install=MODULE_PKG install a new module\n");
+- printf(" -r,--remove=MODULE_NAME remove existing module\n");
+- printf(" -l,--list-modules=[KIND] display list of installed modules\n");
++ printf(" -r,--remove=MODULE_NAME remove existing module at desired priority\n");
++ printf(" -l[KIND],--list-modules[=KIND] display list of installed modules\n");
+ printf(" KIND: standard list highest priority, enabled modules\n");
+ printf(" full list all modules\n");
+ printf(" -X,--priority=PRIORITY set priority for following operations (1-999)\n");
+ printf(" -e,--enable=MODULE_NAME enable module\n");
+ printf(" -d,--disable=MODULE_NAME disable module\n");
+ printf(" -E,--extract=MODULE_NAME extract module\n");
+- printf("Other options:\n");
++ printf("Options:\n");
+ printf(" -s,--store name of the store to 
operate on\n"); + printf(" -N,-n,--noreload do not reload policy after commit\n"); + printf(" -h,--help print this message and quit\n"); + printf(" -v,--verbose be verbose\n"); +- printf(" -D,--disable_dontaudit Remove dontaudits from policy\n"); + printf(" -P,--preserve_tunables Preserve tunables in policy\n"); + printf(" -C,--ignore-module-cache Rebuild CIL modules compiled from HLL files\n"); + printf(" -p,--path use an alternate path for the policy root\n"); +@@ -209,7 +209,7 @@ static void parse_command_line(int argc, char **argv) + no_reload = 0; + priority = 400; + while ((i = +- getopt_long(argc, argv, "s:b:hi:l::vqr:u:RnNBDCPX:e:d:p:S:E:cH", opts, ++ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts, + NULL)) != -1) { + switch (i) { + case 'b': +@@ -560,6 +560,7 @@ cleanup_extract: + } + + const char *name = NULL; ++ const char *version = NULL; + + for (j = 0; j < modinfos_len; j++) { + m = semanage_module_list_nth(modinfos, j); +@@ -567,10 +568,12 @@ cleanup_extract: + result = semanage_module_info_get_name(sh, m, &name); + if (result != 0) goto cleanup_list; + +- printf("%s\n", name); ++ result = semanage_module_info_get_version(sh, m, &version); ++ if (result != 0) goto cleanup_list; ++ ++ printf("%s\t%s\n", name, version); + } +- } +- else if (strcmp(mode_arg, "full") == 0) { ++ } else if (strcmp(mode_arg, "full") == 0) { + /* get the modules */ + result = semanage_module_list_all(sh, + &modinfos, +diff --git policycoreutils-2.5/semodule_package/semodule_package.c policycoreutils-2.5/semodule_package/semodule_package.c +index d2a5fd0..e472054 100644 +--- policycoreutils-2.5/semodule_package/semodule_package.c ++++ policycoreutils-2.5/semodule_package/semodule_package.c +@@ -72,6 +72,10 @@ static int file_to_data(const char *path, char **data, size_t * len) + path, strerror(errno)); + goto err; + } ++ if (!sb.st_size) { ++ *len = 0; ++ return 0; ++ } + + *data = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + if (*data == 
MAP_FAILED) { +diff --git policycoreutils-2.5/sepolicy/common.h policycoreutils-2.5/sepolicy/common.h +index dc3ce6a..3b93845 100644 +--- policycoreutils-2.5/sepolicy/common.h ++++ policycoreutils-2.5/sepolicy/common.h +@@ -9,12 +9,18 @@ + # define UNUSED(x) x + #endif + +-#define py_decref(x) { if (x) Py_DECREF(x); } ++#if PY_MAJOR_VERSION < 3 ++#define PyLong_AsLong PyInt_AsLong ++#undef PyUnicode_FromString ++#define PyUnicode_FromString PyString_FromString ++#endif ++ ++#define py_decref(x) { if (x) Py_DECREF(x); } + + static int py_append_string(PyObject *list, const char* value) + { + int rt; +- PyObject *obj = PyString_FromString(value); ++ PyObject *obj = PyUnicode_FromString(value); + if (!obj) return -1; + rt = PyList_Append(list, obj); + Py_DECREF(obj); +@@ -40,11 +46,9 @@ static int py_insert_obj(PyObject *dict, const char *name, PyObject *obj) + static int py_insert_string(PyObject *dict, const char *name, const char* value) + { + int rt; +- PyObject *obj = PyString_FromString(value); ++ PyObject *obj = PyUnicode_FromString(value); + if (!obj) return -1; + rt = PyDict_SetItemString(dict, name, obj); + Py_DECREF(obj); + return rt; + } +- +- +diff --git policycoreutils-2.5/sepolicy/info.c policycoreutils-2.5/sepolicy/info.c +index bbb6844..ceb5c9b 100644 +--- policycoreutils-2.5/sepolicy/info.c ++++ policycoreutils-2.5/sepolicy/info.c +@@ -1,12 +1,14 @@ + /** + * @file +- * Command line tool to search TE rules. ++ * Python bindings to search TE rules. + * ++ * @author Thomas Liu ++ * @author Dan Walsh ++ * ++ * Sections copied from sesearch.c in setools package + * @author Frank Mayer mayerf@tresys.com + * @author Jeremy A. 
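Review bot: The new zero-size early return in `file_to_data` leaks the open descriptor: `fd` is opened earlier in the function (it is the descriptor handed to `mmap` two lines below) and `return 0` skips whatever close happens on the normal path; it also leaves `*data` untouched, so a caller that reads `*data` without first checking `*len` sees whatever value it passed in. Set both outputs and release the descriptor before returning: `*data = NULL; *len = 0; close(fd); return 0;` — if the normal path intentionally keeps `fd` open for the caller, drop the `close`, but then that contract should be stated in a comment above the function. The rest of file_to_data, including where fd is opened and closed, lies outside this hunk.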
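Review bot: The Python 2 compatibility block redefines a real C-API symbol: `#undef PyUnicode_FromString` followed by `#define PyUnicode_FromString PyString_FromString` makes every `PyUnicode_FromString` call in any translation unit that includes common.h return a Python 2 `str` (bytes) instead of the `unicode` object the real function builds, a silent type change for any caller that relied on the original. A project-local name that expands to `PyString_FromString` or `PyUnicode_FromString` by version (e.g. `py_string_from`) would give the same portability without shadowing the public API, and `PyLong_AsLong` already accepts int objects on 2.7, so that alias is likely unnecessary. The re-added `py_decref(x)` macro still expands to a bare brace block; `do { if (x) Py_DECREF(x); } while (0)` would make it safe in an unbraced `if`/`else`.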
Mowery jmowery@tresys.com + * @author Paul Rosenfeld prosenfeld@tresys.com +- * @author Thomas Liu +- * @author Dan Walsh + * + * Copyright (C) 2003-2008 Tresys Technology, LLC + * +@@ -52,6 +54,13 @@ + + #define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC" + ++#ifndef IPPROTO_DCCP ++#define IPPROTO_DCCP 33 ++#endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 ++#endif ++ + enum input + { + TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS, SENS, CATS +@@ -94,7 +103,6 @@ static PyObject* get_sens(const char *name, const apol_policy_t * policydb) + { + PyObject *dict = NULL; + int error = 0; +- int rt = 0; + size_t i; + char *tmp = NULL; + const char *lvl_name = NULL; +@@ -126,7 +134,6 @@ static PyObject* get_sens(const char *name, const apol_policy_t * policydb) + if (py_insert_string(dict, lvl_name, tmp)) + goto err; + free(tmp); tmp = NULL; +- if (rt) goto err; + } + + if (name && !apol_vector_get_size(v)) { +@@ -408,7 +415,7 @@ cleanup: + } + + /** +- * Gets a textual representation of an attribute, and ++ * Gets a textual representation of an attribute, and + * all of that attribute's types. 
+ * + * @param type_datum Reference to sepol type_datum +@@ -424,7 +431,7 @@ static PyObject* get_attr(const qpol_type_t * type_datum, const apol_policy_t * + unsigned char isattr; + int error = 0; + int rt = 0; +- PyObject *dict = PyDict_New(); ++ PyObject *dict = PyDict_New(); + if (!dict) goto err; + + if (qpol_type_get_name(q, type_datum, &attr_name)) +@@ -442,7 +449,7 @@ static PyObject* get_attr(const qpol_type_t * type_datum, const apol_policy_t * + goto err; + list = PyList_New(0); + if (!list) goto err; +- ++ + for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { + if (qpol_iterator_get_item(iter, (void **)&attr_datum)) + goto err; +@@ -601,7 +608,7 @@ static PyObject* get_type(const qpol_type_t * type_datum, const apol_policy_t * + int error = 0; + int rt; + unsigned char isalias, ispermissive, isattr; +- PyObject *dict = PyDict_New(); ++ PyObject *dict = PyDict_New(); + if (!dict) goto err; + + if (qpol_type_get_name(q, type_datum, &type_name)) +@@ -638,7 +645,7 @@ err: + py_decref(dict); dict = NULL; + + cleanup: +- errno = error; ++ errno = error; + return dict; + } + +@@ -674,7 +681,7 @@ static PyObject* get_booleans(const char *name, const apol_policy_t * policydb) + if (qpol_bool_get_state(q, bool_datum, &state)) + goto err; + +- dict = PyDict_New(); ++ dict = PyDict_New(); + if (!dict) goto err; + if (py_insert_string(dict, "name", name)) + goto err; +@@ -696,7 +703,7 @@ static PyObject* get_booleans(const char *name, const apol_policy_t * policydb) + if (qpol_bool_get_state(q, bool_datum, &state)) + goto err; + +- dict = PyDict_New(); ++ dict = PyDict_New(); + if (!dict) goto err; + if (py_insert_string(dict, "name", bool_name)) + goto err; +@@ -718,7 +725,7 @@ err: + + cleanup: + qpol_iterator_destroy(&iter); +- errno = error; ++ errno = error; + return list; + } + +@@ -750,7 +757,7 @@ static PyObject* get_user(const qpol_user_t * user_datum, const apol_policy_t * + if (qpol_user_get_name(q, user_datum, &user_name)) + goto err; + +- dict 
= PyDict_New(); ++ dict = PyDict_New(); + if (!dict) goto err; + + if (py_insert_string(dict, "name", user_name)) +@@ -775,7 +782,7 @@ static PyObject* get_user(const qpol_user_t * user_datum, const apol_policy_t * + goto err; + free(tmp); tmp=NULL; + } +- ++ + if (qpol_user_get_role_iter(q, user_datum, &iter)) + goto err; + for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) { +@@ -1000,7 +1007,7 @@ cleanup: + } + + /** +- * get a textual representation of a role, and ++ * get a textual representation of a role, and + * all of that role's types. + * + * @param type_datum Reference to sepol type_datum +@@ -1046,7 +1053,7 @@ static PyObject* get_role(const qpol_role_t * role_datum, const apol_policy_t * + if (rt) goto err; + } + qpol_iterator_destroy(&iter); +- ++ + if (qpol_role_get_type_iter(q, role_datum, &iter)) + goto err; + if (qpol_iterator_get_size(iter, &n_types)) +@@ -1129,7 +1136,9 @@ static PyObject* get_ports(const char *num, const apol_policy_t * policydb) + } + + if ((ocon_proto != IPPROTO_TCP) && +- (ocon_proto != IPPROTO_UDP)) ++ (ocon_proto != IPPROTO_UDP) && ++ (ocon_proto != IPPROTO_DCCP) && ++ (ocon_proto != IPPROTO_SCTP)) + goto err; + + if (qpol_portcon_get_context(q, portcon, &ctxt)) { +@@ -1145,13 +1154,13 @@ static PyObject* get_ports(const char *num, const apol_policy_t * policydb) + if ((c = apol_context_create_from_qpol_context(policydb, ctxt)) == NULL) { + goto err; + } +- ++ + if((type = apol_context_get_type(c)) == NULL) { + apol_context_destroy(&c); + goto err; + } +- +- dict = PyDict_New(); ++ ++ dict = PyDict_New(); + if (!dict) goto err; + if (py_insert_string(dict, "type", type)) + goto err; +@@ -1224,7 +1233,7 @@ static PyObject* get_roles(const char *name, const apol_policy_t * policydb) + } + obj = get_role(role_datum, policydb); + rt = py_append_obj(list, obj); +- Py_DECREF(obj); ++ Py_DECREF(obj); + if (rt) goto err; + } else { + if (qpol_policy_get_role_iter(q, &iter)) +@@ -1235,7 +1244,7 @@ static PyObject* 
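Review bot: `get_ports` now lets `IPPROTO_DCCP` and `IPPROTO_SCTP` portcon entries past the protocol filter, but the hunk does not show the code that turns `ocon_proto` into the protocol string placed in the result dict; if that mapping still only knows TCP and UDP, the newly admitted entries will be reported with a missing or wrong protocol name, so it needs the two new cases as well. The fallback `#define IPPROTO_DCCP 33` / `#define IPPROTO_SCTP 132` in the earlier hunk match the IANA protocol numbers, which is fine, but a comment such as `/* fallbacks for libc headers that predate DCCP/SCTP */` would explain why they exist. get_ports begins and ends outside this hunk.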
get_roles(const char *name, const apol_policy_t * policydb) + goto err; + obj = get_role(role_datum, policydb); + rt = py_append_obj(list, obj); +- Py_DECREF(obj); ++ Py_DECREF(obj); + if (rt) goto err; + } + qpol_iterator_destroy(&iter); +@@ -1283,7 +1292,7 @@ static PyObject* get_types(const char *name, const apol_policy_t * policydb) + } + obj = get_type(type_datum, policydb); + rt = py_append_obj(list, obj); +- Py_DECREF(obj); ++ Py_DECREF(obj); + if (rt) goto err; + } else { + if (qpol_policy_get_type_iter(q, &iter)) +@@ -1294,7 +1303,7 @@ static PyObject* get_types(const char *name, const apol_policy_t * policydb) + goto err; + obj = get_type(type_datum, policydb); + rt = py_append_obj(list, obj); +- Py_DECREF(obj); ++ Py_DECREF(obj); + if (rt) goto err; + } + } +@@ -1363,7 +1372,7 @@ PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){ + } + + if (!PyArg_ParseTuple(args, "iz", &type, &name)) +- return NULL; ++ return NULL; + + return info(type, name); + } +diff --git policycoreutils-2.5/sepolicy/org.selinux.conf policycoreutils-2.5/sepolicy/org.selinux.conf +index a350978..1ae079d 100644 +--- policycoreutils-2.5/sepolicy/org.selinux.conf ++++ policycoreutils-2.5/sepolicy/org.selinux.conf +@@ -12,12 +12,8 @@ + + +- +- +- + +- ++ + + + +diff --git policycoreutils-2.5/sepolicy/org.selinux.policy policycoreutils-2.5/sepolicy/org.selinux.policy +index 0126610..9772127 100644 +--- policycoreutils-2.5/sepolicy/org.selinux.policy ++++ policycoreutils-2.5/sepolicy/org.selinux.policy +@@ -70,9 +70,9 @@ + auth_admin_keep + + +- +- SELinux write access +- System policy prevents change_policy_type access to SELinux ++ ++ Change SELinux default enforcing mode ++ System policy prevents change_default_policy access to SELinux + + no + no +diff --git policycoreutils-2.5/sepolicy/policy.c policycoreutils-2.5/sepolicy/policy.c +index b7e3536..aac3357 100644 +--- policycoreutils-2.5/sepolicy/policy.c ++++ policycoreutils-2.5/sepolicy/policy.c +@@ -3,8 +3,13 @@ + * 
Python bindings to search SELinux Policy rules. + * + * @author Dan Walsh ++ * Copyright (C) 2012-2013 Red Hat, INC + * +- * Copyright (C) 2012 Red Hat, INC ++ * Sections copied from setools package ++ * @author Frank Mayer mayerf@tresys.com ++ * @author Jeremy A. Mowery jmowery@tresys.com ++ * @author Paul Rosenfeld prosenfeld@tresys.com ++ * Copyright (C) 2003-2008 Tresys Technology, LLC + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by +@@ -23,6 +28,17 @@ + + #include "Python.h" + ++struct module_state { ++ PyObject *error; ++}; ++ ++#if PY_MAJOR_VERSION >= 3 ++#define GETSTATE(m) ((struct module_state*)PyModule_GetState(m)) ++#else ++#define GETSTATE(m) (&_state) ++static struct module_state _state; ++#endif ++ + #ifdef UNUSED + #elif defined(__GNUC__) + # define UNUSED(x) UNUSED_ ## x __attribute__((unused)) +@@ -35,21 +51,12 @@ + #include "policy.h" + apol_policy_t *global_policy = NULL; + +-/* other */ +-#include +-#include +-#include +-#include +-#include +- +-#define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC" +- + PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){ + const char *policy_file; + apol_vector_t *mod_paths = NULL; + apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC; + apol_policy_path_t *pol_path = NULL; +- ++ + if (!PyArg_ParseTuple(args, "z", &policy_file)) + return NULL; + +@@ -57,7 +64,7 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){ + apol_policy_destroy(&global_policy); + + int policy_load_options = 0; +- ++ + pol_path = apol_policy_path_create(path_type, policy_file, mod_paths); + if (!pol_path) { + apol_vector_destroy(&mod_paths); +@@ -76,7 +83,7 @@ PyObject *wrap_policy(PyObject *UNUSED(self), PyObject *args){ + return Py_None; + } + +-static PyMethodDef methods[] = { ++static PyMethodDef policy_methods[] = { + {"policy", (PyCFunction) wrap_policy, METH_VARARGS, + 
"Initialize SELinux policy for use with search and info"}, + {"info", (PyCFunction) wrap_info, METH_VARARGS, +@@ -86,8 +93,62 @@ static PyMethodDef methods[] = { + {NULL, NULL, 0, NULL} /* sentinel */ + }; + +-void init_policy(void) { +-PyObject *m; +-m = Py_InitModule("_policy", methods); +-init_info(m); ++#if PY_MAJOR_VERSION >= 3 ++ ++static int policy_traverse(PyObject *m, visitproc visit, void *arg) { ++ Py_VISIT(GETSTATE(m)->error); ++ return 0; ++} ++ ++static int policy_clear(PyObject *m) { ++ Py_CLEAR(GETSTATE(m)->error); ++ return 0; ++} ++ ++ ++static struct PyModuleDef moduledef = { ++ PyModuleDef_HEAD_INIT, ++ "policy", ++ NULL, ++ sizeof(struct module_state), ++ policy_methods, ++ NULL, ++ policy_traverse, ++ policy_clear, ++ NULL ++}; ++ ++#define INITERROR return NULL ++ ++PyObject * ++PyInit_policy(void) ++ ++#else ++#define INITERROR return ++ ++void ++initpolicy(void) ++#endif ++{ ++#if PY_MAJOR_VERSION >= 3 ++ PyObject *module = PyModule_Create(&moduledef); ++#else ++ PyObject *module = Py_InitModule("policy", policy_methods); ++#endif ++ ++ if (module == NULL) ++ INITERROR; ++ struct module_state *st = GETSTATE(module); ++ ++ init_info(module); ++ ++ st->error = PyErr_NewException("policy.Error", NULL, NULL); ++ if (st->error == NULL) { ++ Py_DECREF(module); ++ INITERROR; ++ } ++ ++#if PY_MAJOR_VERSION >= 3 ++ return module; ++#endif + } +diff --git policycoreutils-2.5/sepolicy/search.c policycoreutils-2.5/sepolicy/search.c +index d608006..6c23955 100644 +--- policycoreutils-2.5/sepolicy/search.c ++++ policycoreutils-2.5/sepolicy/search.c +@@ -189,7 +189,7 @@ static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_ + if (qpol_role_get_name(q, role, &tmp)) { + goto err; + } +- obj = PyString_FromString(tmp); ++ obj = PyUnicode_FromString(tmp); + if (py_insert_obj(dict, "source", obj)) + goto err; + +@@ -199,7 +199,7 @@ static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_ + if 
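Review bot: `st->error` is created with `PyErr_NewException("policy.Error", NULL, NULL)` and parked in the module state but never exposed in this hunk, so Python code cannot catch `policy.Error` and the object only serves to keep a reference alive; either publish it with `Py_INCREF(st->error); if (PyModule_AddObject(module, "Error", st->error) < 0) { Py_DECREF(module); INITERROR; }` or drop the state machinery. The module is also renamed from `_policy` (old `init_policy` and `Py_InitModule("_policy", ...)`) to `policy` (`PyInit_policy`/`initpolicy`), so the Extension name in the build and any `import _policy` in the package must follow; neither is visible in this patch. The `#if PY_MAJOR_VERSION` split between the two init signatures and the shared body is hard to read; a one-line comment such as `/* one body shared by PyInit_policy (3.x) and initpolicy (2.x) */` above it would help.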
(qpol_role_get_name(q, role, &tmp)) { + goto err; + } +- obj = PyString_FromString(tmp); ++ obj = PyUnicode_FromString(tmp); + if (py_insert_obj(dict, "target", obj)) + goto err; + +@@ -327,7 +327,7 @@ static PyObject* get_bool(const qpol_policy_t *q, const qpol_cond_t * cond, int + goto err; + } + if (expr_type != QPOL_COND_EXPR_BOOL) { +- obj = PyString_FromString(apol_cond_expr_type_to_str(expr_type)); ++ obj = PyUnicode_FromString(apol_cond_expr_type_to_str(expr_type)); + if (!obj) goto err; + if (py_append_obj(boollist, obj)) + goto err; +@@ -341,7 +341,7 @@ static PyObject* get_bool(const qpol_policy_t *q, const qpol_cond_t * cond, int + if (qpol_bool_get_name(q, cond_bool, &bool_name)) { + goto err; + } +- obj = PyString_FromString(bool_name); ++ obj = PyUnicode_FromString(bool_name); + if (py_tuple_insert_obj(tuple, 0, obj)) + goto err; + obj = PyBool_FromLong(enabled); +@@ -994,14 +994,25 @@ PyObject* search(bool allow, + static int Dict_ContainsInt(PyObject *dict, const char *key){ + PyObject *item = PyDict_GetItemString(dict, key); + if (item) +- return PyInt_AsLong(item); ++ return PyLong_AsLong(item); + return false; + } + + static const char *Dict_ContainsString(PyObject *dict, const char *key){ + PyObject *item = PyDict_GetItemString(dict, key); +- if (item) +- return PyString_AsString(item); ++ if (item) { ++ if (PyUnicode_Check(item)) { ++ char *str = NULL; ++ PyObject *item_utf8 = PyUnicode_AsUTF8String(item); ++ if (item_utf8) { ++ str = strdup(PyBytes_AsString(item_utf8)); ++ } ++ Py_XDECREF(item_utf8); ++ return str; ++ } else { ++ return PyBytes_AsString(item); ++ } ++ } + return NULL; + } + +diff --git policycoreutils-2.5/sepolicy/selinux_client.py policycoreutils-2.5/sepolicy/selinux_client.py +index 7f4a91c..238048b 100644 +--- policycoreutils-2.5/sepolicy/selinux_client.py ++++ policycoreutils-2.5/sepolicy/selinux_client.py +@@ -35,10 +35,10 @@ def convert_customization(buf): + cust_dict["module"][rec[-1]] = {"enabled": rec[2] != "-d"} + + 
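Review bot: The two branches of `Dict_ContainsString` now return pointers with different ownership: the `PyUnicode_Check` path returns a `strdup`'d copy the caller must free, while the `else` path returns the buffer owned by the bytes object, which the caller must not free. Whichever convention the callers in this file follow (they are outside the hunk), one of the two branches is then a leak or a double free; make both return an owned copy, e.g. `const char *s = PyBytes_AsString(item); return s ? strdup(s) : NULL;` in the else branch, and state in a comment above the function that the result is malloc'd. `PyBytes_AsString` on a non-bytes item also leaves a TypeError set that nothing here clears, and `Dict_ContainsInt` returns the -1 error value of `PyLong_AsLong` as a truthy result; both predate this patch but are worth a check while the function is being touched.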
return cust_dict +-if __name__ == "__main__": ++if __name__ == "__main__": + try: + dbus_proxy = SELinuxDBus() + resp = dbus_proxy.customized() +- print convert_customization(resp) +- except dbus.DBusException, e: +- print e ++ print(convert_customization(resp)) ++ except dbus.DBusException as e: ++ print(e) +diff --git policycoreutils-2.5/sepolicy/selinux_server.py policycoreutils-2.5/sepolicy/selinux_server.py +index cdf4d16..e8cdff3 100644 +--- policycoreutils-2.5/sepolicy/selinux_server.py ++++ policycoreutils-2.5/sepolicy/selinux_server.py +@@ -20,45 +20,45 @@ class selinux_server(slip.dbus.service.Object): + # + # The semanage method runs a transaction on a series of semanage commands, + # these commnds can take the output of customized +- # ++ # + @slip.dbus.polkit.require_auth("org.selinux.semanage") + @dbus.service.method("org.selinux", in_signature='s') + def semanage(self, buf): +- p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE) ++ p = Popen(["/usr/sbin/semanage", "import"],stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) + p.stdin.write(buf) + output = p.communicate() + if p.returncode and p.returncode != 0: + raise dbus.exceptions.DBusException(output[1]) +- ++ + # + # The customized method will return all of the custommizations for policy +- # on the server. This output can be used with the semanage method on ++ # on the server. This output can be used with the semanage method on + # another server to make the two systems have duplicate policy. 
+ # + @slip.dbus.polkit.require_auth("org.selinux.customized") + @dbus.service.method("org.selinux", in_signature='', out_signature='s') + def customized(self): +- p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE) ++ p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() + if p.returncode and p.returncode != 0: + raise OSError("Failed to read SELinux configuration: %s", output) + return buf +- ++ + # +- # The semodule_list method will return the output of semodule -l, using the customized polkit, ++ # The semodule_list method will return the output of semodule --list=full, using the customized polkit, + # since this is a readonly behaviour + # + @slip.dbus.polkit.require_auth("org.selinux.semodule_list") + @dbus.service.method("org.selinux", in_signature='', out_signature='s') + def semodule_list(self): +- p = Popen(["/usr/sbin/semodule", "-l"], stdout=PIPE, stderr=PIPE) ++ p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() + if p.returncode and p.returncode != 0: + raise OSError("Failed to list SELinux modules: %s", output) + return buf +- ++ + # + # The restorecon method modifies any file path to the default system label + # +@@ -88,7 +88,7 @@ class selinux_server(slip.dbus.service.Object): + os.unlink("/.autorelabel") + + def write_selinux_config(self, enforcing=None, policy=None): +- path = selinux.selinux_path() + "config" ++ path = selinux.selinux_path() + "config" + backup_path = path + ".bck" + fd = open(path) + lines = fd.readlines() +@@ -106,7 +106,7 @@ class selinux_server(slip.dbus.service.Object): + os.rename(backup_path, path) + + # +- # The change_default_enforcement modifies the current enforcement mode ++ # The change_default_enforcement modifies the current enforcement mode + # + 
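Review bot: `semanage` writes the whole caller-supplied buffer with `p.stdin.write(buf)` before calling `p.communicate()`, which can deadlock when the child blocks on a full stdout/stderr pipe while the parent is still blocked writing stdin; `customized` and `semodule_list` have the mirror problem, draining `p.stdout.read()` before `communicate()` while stderr is never read. `Popen.communicate(input=buf)` services all three pipes at once and is the documented way to do this. The `raise OSError("Failed to read SELinux configuration: %s", output)` lines are context, but they pass `output` as a second argument instead of formatting it, so the message never contains the output. These methods run `semanage`/`semodule` on behalf of polkit-authorized bus callers, so the added `universal_newlines=True` is the right choice for text I/O; the rewrite below keeps it.
```python
    def semanage(self, buf):
        p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
        _, err = p.communicate(input=buf)
        if p.returncode and p.returncode != 0:
            raise dbus.exceptions.DBusException(err)

    # … unchanged: comment block and polkit/dbus decorators for customized …
    def customized(self):
        p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
        buf, err = p.communicate()
        if p.returncode and p.returncode != 0:
            raise OSError("Failed to read SELinux configuration: %s" % err)
        return buf

    # … unchanged: comment block and polkit/dbus decorators for semodule_list …
    def semodule_list(self):
        p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
        buf, err = p.communicate()
        if p.returncode and p.returncode != 0:
            raise OSError("Failed to list SELinux modules: %s" % err)
        return buf
```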
@slip.dbus.polkit.require_auth("org.selinux.change_default_mode") + @dbus.service.method("org.selinux", in_signature='s') +@@ -126,7 +126,7 @@ class selinux_server(slip.dbus.service.Object): + if os.path.isdir(path): + return self.write_selinux_config(policy=value) + raise ValueError("%s does not exist" % path) +- ++ + if __name__ == "__main__": + mainloop = gobject.MainLoop() + dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) +diff --git policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh +index 779fd75..29ccbdf 100644 +--- policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh ++++ policycoreutils-2.5/sepolicy/sepolicy-bash-completion.sh +@@ -16,9 +16,9 @@ + # along with systemd; If not, see . + + __contains_word () { +- local word=$1; shift +- for w in $*; do [[ $w = $word ]] && return 0; done +- return 1 ++ local word=$1; shift ++ for w in $*; do [[ $w = $word ]] && return 0; done ++ return 1 + } + + __get_all_paths () { +@@ -28,37 +28,40 @@ __get_all_ftypes () { + echo '-- -d -c -b -s -l -p' + } + __get_all_networks () { +- seinfo -u 2> /dev/null | tail -n +3 ++ /usr/bin/seinfo -u 2> /dev/null | tail -n +3 + } + __get_all_booleans () { +- getsebool -a 2> /dev/null ++ /usr/bin/getsebool -a 2> /dev/null + } + __get_all_types () { +- seinfo -t 2> /dev/null | tail -n +3 ++ /usr/bin/seinfo -t 2> /dev/null | tail -n +3 ++} ++__get_all_roles () { ++ /usr/bin/seinfo -r 2> /dev/null | tail -n +3 + } + __get_all_admin_interaces () { +- awk '/InterfaceVector.*_admin /{ print $2 }' /var/lib/sepolgen/interface_info | awk -F '_admin' '{ print $1 }' ++ /usr/bin/awk '/InterfaceVector.*_admin /{ print $2 }' /var/lib/sepolgen/interface_info | /usr/bin/awk -F '_admin' '{ print $1 }' + } + __get_all_user_role_interaces () { +- awk '/InterfaceVector.*_role /{ print $2 }' /var/lib/sepolgen/interface_info | awk -F '_role' '{ print $1 }' ++ /usr/bin/awk '/InterfaceVector.*_role /{ print $2 }' 
/var/lib/sepolgen/interface_info | /usr/bin/awk -F '_role' '{ print $1 }' + } + __get_all_user_domains () { +- seinfo -auserdomain -x 2> /dev/null | tail -n +2 ++ /usr/bin/seinfo -auserdomain -x 2> /dev/null | tail -n +2 + } + __get_all_users () { +- seinfo -u 2> /dev/null | tail -n +2 ++ /usr/bin/seinfo -u 2> /dev/null | tail -n +2 + } + __get_all_classes () { +- seinfo -c 2> /dev/null | tail -n +2 ++ /usr/bin/seinfo -c 2> /dev/null | tail -n +2 + } + __get_all_port_types () { +- seinfo -aport_type -x 2> /dev/null | tail -n +2 ++ /usr/bin/seinfo -aport_type -x 2> /dev/null | tail -n +2 + } + __get_all_domain_types () { +- seinfo -adomain -x 2> /dev/null | tail -n +2 ++ /usr/bin/seinfo -adomain -x 2> /dev/null | tail -n +2 + } + __get_all_domains () { +- seinfo -adomain -x 2>/dev/null | sed 's/_t$//g' ++ /usr/bin/seinfo -adomain -x 2>/dev/null | sed 's/_t$//g' + } + _sepolicy () { + local command=${COMP_WORDS[1]} +diff --git policycoreutils-2.5/sepolicy/sepolicy-generate.8 policycoreutils-2.5/sepolicy/sepolicy-generate.8 +index 2e67456..0c5f998 100644 +--- policycoreutils-2.5/sepolicy/sepolicy-generate.8 ++++ policycoreutils-2.5/sepolicy/sepolicy-generate.8 +@@ -13,7 +13,7 @@ Common options + Confined Applications + + .br +-.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ] ++.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ] + .br + .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ] + .br +diff --git policycoreutils-2.5/sepolicy/sepolicy.8 policycoreutils-2.5/sepolicy/sepolicy.8 +index 7900586..09d2b24 100644 +--- policycoreutils-2.5/sepolicy/sepolicy.8 ++++ policycoreutils-2.5/sepolicy/sepolicy.8 +@@ -22,14 +22,15 @@ Query SELinux policy to see if domains can communicate with each other + .br + + .B generate +-.br + .br + Generate SELinux Policy module template +-.B gui ++.B sepolicy-generate(8) + .br ++ ++.B gui + .br + Launch Graphical User Interface for SELinux Policy, requires 
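Review bot: `__get_all_domains` still invokes a bare `sed` while every other helper in this hunk was rewritten to call its tool by absolute path (`/usr/bin/seinfo`, `/usr/bin/awk`), so the hardening is incomplete for that one function; `/usr/bin/seinfo -adomain -x 2>/dev/null | /usr/bin/sed 's/_t$//g'` would match the rest. Absolute paths only defend against PATH manipulation if the whole file follows them. The new `__get_all_roles` helper is defined here, but the `_sepolicy` dispatch that would consume it lies outside the hunk, so whether it is actually wired up cannot be seen from this view.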
policycoreutils-gui package. +-.B sepolicy-generate(8) ++.B sepolicy-gui(8) + .br + + .B interface +diff --git policycoreutils-2.5/sepolicy/sepolicy.py policycoreutils-2.5/sepolicy/sepolicy.py +index 7d57f6e..4a162c3 100755 +--- policycoreutils-2.5/sepolicy/sepolicy.py ++++ policycoreutils-2.5/sepolicy/sepolicy.py +@@ -26,6 +26,7 @@ import sys + import selinux + import sepolicy + from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text ++from sepolgen import util + import argparse + import gettext + PROGNAME = "policycoreutils" +@@ -33,12 +34,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + gettext.textdomain(PROGNAME) + try: + gettext.install(PROGNAME, +- localedir="/usr/share/locale", +- unicode=False, +- codeset='utf-8') ++ unicode=True, ++ codeset = 'utf-8') ++except TypeError: ++ # Failover to python3 install ++ gettext.install(PROGNAME, ++ codeset = 'utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [" + usage_dict = {' --newtype': ('-t [TYPES [TYPES ...]]',), ' --customize': ('-d DOMAIN', '-a ADMIN_DOMAIN', "[ -w WRITEPATHS ]",), ' --admin_user': ('[-r TRANSITION_ROLE ]', "[ -w WRITEPATHS ]",), ' --application': ('COMMAND', "[ -w WRITEPATHS ]",), ' --cgi': ('COMMAND', "[ -w WRITEPATHS ]",), ' --confined_admin': ('-a ADMIN_DOMAIN', "[ -w WRITEPATHS ]",), ' --dbus': ('COMMAND', "[ -w WRITEPATHS ]",), ' --desktop_user': ('', "[ -w WRITEPATHS ]",), ' --inetd': ('COMMAND', "[ -w WRITEPATHS ]",), ' --init': ('COMMAND', "[ -w WRITEPATHS ]",), ' --sandbox': ("[ -w WRITEPATHS ]",), ' --term_user': ("[ -w WRITEPATHS ]",), ' --x_user': ("[ -w WRITEPATHS ]",)} +@@ -55,8 +59,6 @@ class CheckPath(argparse.Action): + class CheckType(argparse.Action): + + def __call__(self, parser, namespace, values, option_string=None): +- domains = sepolicy.get_all_domains() +- + if isinstance(values, str): 
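Review bot: the `except IOError:` branch of the `gettext.install` fallback now does `import builtins`, a module that only exists on Python 3; under Python 2 — which the `unicode=True` first attempt is there to serve — that handler would itself fail with ImportError unless the `future` backport happens to be installed. Since `gettext.install` uses a fallback translation by default the branch is rarely reached, but it is still a dead-on-arrival handler; `try: import builtins` / `except ImportError: import __builtin__ as builtins` keeps both interpreters working. Note also that `_ = str` changes the Python 2 return type from `unicode` to byte `str`, which affects the `%`-formatted translated messages used below.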
+ setattr(namespace, self.dest, values) + else: +@@ -98,7 +100,7 @@ class CheckDomain(argparse.Action): + domains = sepolicy.get_all_domains() + + if isinstance(values, str): +- if values not in domains: ++ if sepolicy.get_real_type_name(values) not in domains: + raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains))) + setattr(namespace, self.dest, values) + else: +@@ -107,7 +109,7 @@ class CheckDomain(argparse.Action): + newval = [] + + for v in values: +- if v not in domains: ++ if sepolicy.get_real_type_name(v) not in domains: + raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains))) + newval.append(v) + setattr(namespace, self.dest, newval) +@@ -120,7 +122,7 @@ class CheckClass(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + global all_classes + if not all_classes: +- all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) ++ all_classes = [x['name'] for x in sepolicy.info(sepolicy.TCLASS)] + if values not in all_classes: + raise ValueError("%s must be an SELinux class:\nValid classes: %s" % (values, ", ".join(all_classes))) + +@@ -162,7 +164,7 @@ class CheckPortType(argparse.Action): + if not newval: + newval = [] + for v in values: +- if v not in port_types: ++ if sepolicy.get_real_type_name(v) not in port_types: + raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types))) + newval.append(v) + setattr(namespace, self.dest, values) +@@ -171,7 +173,6 @@ class CheckPortType(argparse.Action): + class LoadPolicy(argparse.Action): + + def __call__(self, parser, namespace, values, option_string=None): +- import sepolicy + sepolicy.policy(values) + setattr(namespace, self.dest, values) + +@@ -180,9 +181,8 @@ class CheckPolicyType(argparse.Action): + + def __call__(self, parser, namespace, values, option_string=None): + from sepolicy.generate import get_poltype_desc, 
poltype +- if values not in poltype.keys(): ++ if values not in list(poltype.keys()): + raise ValueError("%s invalid SELinux policy type\n%s" % (values, get_poltype_desc())) +- newval.append(v) + setattr(namespace, self.dest, values) + + +@@ -218,7 +218,7 @@ class InterfaceInfo(argparse.Action): + from sepolicy.interface import get_interface_dict + interface_dict = get_interface_dict() + for v in values: +- if v not in interface_dict.keys(): ++ if v not in list(interface_dict.keys()): + raise ValueError(_("Interface %s does not exist.") % v) + + setattr(namespace, self.dest, values) +@@ -226,7 +226,7 @@ class InterfaceInfo(argparse.Action): + + def generate_custom_usage(usage_text, usage_dict): + sorted_keys = [] +- for i in usage_dict.keys(): ++ for i in list(usage_dict.keys()): + sorted_keys.append(i) + sorted_keys.sort() + for k in sorted_keys: +@@ -248,18 +248,18 @@ def numcmp(val1, val2): + if v1 < v2: + return -1 + except: +- return cmp(val1, val2) ++ return (val1 > val2) - (val1 < val2) + + + def _print_net(src, protocol, perm): + import sepolicy.network + portdict = sepolicy.network.get_network_connect(src, protocol, perm) + if len(portdict) > 0: +- bold_start = "\033[1m" +- bold_end = "\033[0;0m" +- print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end +- port_strings = [] +- boolean_text = "" ++ bold_start="\033[1m" ++ bold_end="\033[0;0m" ++ print("\n"+bold_start+"%s: %s %s" % (src, protocol, perm) + bold_end) ++ port_strings=[] ++ boolean_text="" + for p in portdict: + for t, recs in portdict[p]: + cond = get_conditionals(src, t, "%s_socket" % protocol, [perm]) +@@ -268,9 +268,9 @@ def _print_net(src, protocol, perm): + port_strings.append("%s (%s) %s" % (", ".join(recs), t, boolean_text)) + else: + port_strings.append("%s (%s)" % (", ".join(recs), t)) +- port_strings.sort(numcmp) ++ port_strings.sort(key=util.cmp_to_key(numcmp)) + for p in port_strings: +- print "\t" + p ++ print("\t" + p) + + + def network(args): +@@ -281,29 +281,29 
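Review bot: the `_print_net` hunk strips the spaces around `=` in `bold_start="\033[1m"`, `bold_end="\033[0;0m"`, `port_strings=[]` and `boolean_text=""`, reverting PEP 8 formatting that the removed lines already had, while the rest of the hunk is a mechanical `print()` / `cmp_to_key` conversion. Keep the assignment spacing as it was (`bold_start = "\033[1m"` etc.) so the diff carries only the Python 3 change and does not reintroduce lint noise.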
@@ def network(args): + if i[0] not in all_ports: + all_ports.append(i[0]) + all_ports.sort() +- print "\n".join(all_ports) ++ print("\n".join(all_ports)) + + for port in args.port: + found = False + for i in portrecsbynum: + if i[0] <= port and port <= i[1]: + if i[0] == i[1]: +- range = i[0] ++ RANGE = i[0] + else: +- range = "%s-%s" % (i[0], i[1]) ++ RANGE = "%s-%s" % (i[0], i[1]) + found = True +- print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range) ++ print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], RANGE)) + if not found: + if port < 500: +- print "Undefined reserved port type" ++ print("Undefined reserved port type") + else: +- print "Undefined port type" ++ print("Undefined port type") + + for t in args.type: +- if (t, 'tcp') in portrecs.keys(): +- print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])) +- if (t, 'udp') in portrecs.keys(): +- print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])) ++ if (t,'tcp') in list(portrecs.keys()): ++ print("%s: tcp: %s" % (t, ",".join(portrecs[t,'tcp']))) ++ if (t,'udp') in list(portrecs.keys()): ++ print("%s: udp: %s" % (t, ",".join(portrecs[t,'udp']))) + + for a in args.applications: + d = sepolicy.get_init_transtype(a) +@@ -351,8 +351,8 @@ def manpage(args): + test_domains = args.domain + + for domain in test_domains: +- m = ManPage(domain, path, args.root, args.source_files, args.web) +- print m.get_man_page_path() ++ m = ManPage(domain, path, args.root,args.source_files, args.web) ++ print(m.get_man_page_path()) + + if args.web: + HTMLManPages(manpage_roles, manpage_domains, path, args.os) +@@ -413,7 +413,7 @@ def communicate(args): + out = list(set(writable) & set(readable)) + + for t in out: +- print t ++ print(t) + + + def gen_communicate_args(parser): +@@ -437,10 +437,12 @@ def booleans(args): + from sepolicy import boolean_desc + if args.all: + rc, args.booleans = selinux.security_get_boolean_names() ++ if util.PY3: ++ args.booleans = [util.decode_input(x) for x in args.booleans] + 
args.booleans.sort() + + for b in args.booleans: +- print "%s=_(\"%s\")" % (b, boolean_desc(b)) ++ print("%s=_(\"%s\")" % (b, boolean_desc(b))) + + + def gen_booleans_args(parser): +@@ -479,20 +481,20 @@ def print_interfaces(interfaces, args, append=""): + for i in interfaces: + if args.verbose: + try: +- print get_interface_format_text(i + append) ++ print(get_interface_format_text(i + append)) + except KeyError: +- print i ++ print(i) + if args.compile: + try: + interface_compile_test(i) + except KeyError: +- print i ++ print(i) + else: +- print i ++ print(i) + + + def interface(args): +- from sepolicy.interface import get_admin, get_user, get_interface_dict, get_all_interfaces ++ from sepolicy.interface import get_admin, get_user, get_all_interfaces + if args.list_admin: + print_interfaces(get_admin(args.file), args, "_admin") + if args.list_user: +@@ -504,7 +506,7 @@ def interface(args): + + + def generate(args): +- from sepolicy.generate import policy, AUSER, RUSER, EUSER, USERS, SANDBOX, APPLICATIONS, NEWTYPE ++ from sepolicy.generate import policy, AUSER, RUSER, EUSER, APPLICATIONS, NEWTYPE + cmd = None + # numbers present POLTYPE defined in sepolicy.generate + conflict_args = {'TYPES': (NEWTYPE,), 'DOMAIN': (EUSER,), 'ADMIN_DOMAIN': (AUSER, RUSER, EUSER,)} +@@ -515,7 +517,7 @@ def generate(args): + for k in usage_dict: + error_text += "%s" % (k) + print(generate_usage) +- print(_("sepolicy generate: error: one of the arguments %s is required") % error_text) ++ print((_("sepolicy generate: error: one of the arguments %s is required") % error_text)) + sys.exit(1) + + if args.policytype in APPLICATIONS: +@@ -560,7 +562,7 @@ def generate(args): + if args.policytype in APPLICATIONS: + mypolicy.gen_writeable() + mypolicy.gen_symbols() +- print mypolicy.generate(args.path) ++ print(mypolicy.generate(args.path)) + + + def gen_interface_args(parser): +@@ -590,7 +592,7 @@ def gen_interface_args(parser): + + + def gen_generate_args(parser): +- from sepolicy.generate 
import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE ++ from sepolicy.generate import DAEMON, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE + + generate_usage = generate_custom_usage(usage, usage_dict) + +@@ -638,8 +640,8 @@ def gen_generate_args(parser): + action="store_const", default=DAEMON, + help=_("Generate '%s' policy") % poltype[DAEMON]) + +- type = pol.add_argument_group("Policy types which do not require a command") +- group = type.add_mutually_exclusive_group(required=False) ++ TYPE = pol.add_argument_group("Policy types which do not require a command") ++ group = TYPE.add_mutually_exclusive_group(required=False) + group.add_argument("--admin_user", dest="policytype", const=AUSER, + action="store_const", + help=_("Generate '%s' policy") % poltype[AUSER]) +@@ -693,12 +695,12 @@ if __name__ == '__main__': + args = parser.parse_args(args=parser_args) + args.func(args) + sys.exit(0) +- except ValueError, e: ++ except ValueError as e: + sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) + sys.exit(1) +- except IOError, e: ++ except IOError as e: + sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) + sys.exit(1) + except KeyboardInterrupt: +- print "Out" ++ print("Out") + sys.exit(0) +diff --git policycoreutils-2.5/sepolicy/sepolicy/__init__.py policycoreutils-2.5/sepolicy/sepolicy/__init__.py +index 693c6fe..2841d33 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/__init__.py ++++ policycoreutils-2.5/sepolicy/sepolicy/__init__.py +@@ -3,24 +3,30 @@ + # Author: Dan Walsh + # Author: Ryan Hallisey + +-import _policy ++from . 
import policy as _policy ++import errno + import selinux + import glob + PROGNAME = "policycoreutils" + import gettext + import sepolgen.defaults as defaults + import sepolgen.interfaces as interfaces ++from sepolgen import util + import sys ++import subprocess + gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + gettext.textdomain(PROGNAME) + try: + gettext.install(PROGNAME, +- localedir="/usr/share/locale", +- unicode=False, ++ unicode=True, ++ codeset='utf-8') ++except TypeError: ++ # Failover to python3 install ++ gettext.install(PROGNAME, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + TYPE = _policy.TYPE + ROLE = _policy.ROLE +@@ -29,6 +35,8 @@ PORT = _policy.PORT + USER = _policy.USER + BOOLEAN = _policy.BOOLEAN + TCLASS = _policy.CLASS ++SENS = _policy.SENS ++CATS = _policy.CATS + + ALLOW = 'allow' + AUDITALLOW = 'auditallow' +@@ -47,8 +55,12 @@ def info(setype, name=None): + return dict_list + + +-def search(types, info={}): +- seinfo = info ++def search(types, info=None): ++ if info: ++ seinfo = info ++ else: ++ seinfo = {} ++ + valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] + for setype in types: + if setype not in valid_types: +@@ -62,7 +74,7 @@ def search(types, info={}): + + dict_list = _policy.search(seinfo) + if dict_list and len(perms) != 0: +- dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) ++ dict_list = [x for x in dict_list if _dict_has_perms(x, perms)] + return dict_list + + +@@ -79,7 +91,7 @@ def get_conditionals(src, dest, tclass, perm): + allows = [] + allows.append(i) + try: +- for i in map(lambda y: (y), filter(lambda x: set(perm).issubset(x[PERMS]) and x['boolean'], allows)): ++ for i in [(y) for y in [x for x in allows if set(perm).issubset(x[PERMS]) and x['boolean']]]: + tdict.update({'source': i['source'], 'boolean': i['boolean']}) + if tdict not in tlist: + 
tlist.append(tdict) +@@ -91,13 +103,58 @@ def get_conditionals(src, dest, tclass, perm): + + + def get_conditionals_format_text(cond): +- enabled = len(filter(lambda x: x['boolean'][0][1], cond)) > 0 +- return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond)))) ++ enabled = len([x for x in cond if x['boolean'][0][1]]) > 0 ++ return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(["%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]) for x in cond]))) + + + def get_types_from_attribute(attribute): + return info(ATTRIBUTE, attribute)[0]["types"] + ++ ++def get_attributes_from_type(setype): ++ return info(TYPE, setype)[0]["attributes"] ++ ++ ++# determine if entered type is an alias ++# and return corresponding type name ++def get_real_type_name(setype): ++ try: ++ return info(TYPE, setype)[0]["name"] ++ except RuntimeError: ++ return None ++ ++ ++def file_type_is_executable(setype): ++ if "exec_type" in get_attributes_from_type(setype): ++ return True ++ else: ++ return False ++ ++ ++def file_type_is_entrypoint(setype): ++ if "entry_type" in get_attributes_from_type(setype): ++ return True ++ else: ++ return False ++ ++ ++def get_attributes_from_type(setype): ++ return info(TYPE, setype)[0]["attributes"] ++ ++ ++def file_type_is_executable(setype): ++ if "exec_type" in get_attributes_from_type(setype): ++ return True ++ else: ++ return False ++ ++ ++def file_type_is_entrypoint(setype): ++ if "entry_type" in get_attributes_from_type(setype): ++ return True ++ else: ++ return False ++ + file_type_str = {} + file_type_str["a"] = _("all files") + file_type_str["f"] = _("regular file") +@@ -119,6 +176,46 @@ trans_file_type_str["-l"] = "l" + trans_file_type_str["-p"] = "p" + + ++def get_all_modules(): ++ all_modules = [] ++ cmd = "semodule --list=full 2>/dev/null" ++ try: ++ output = subprocess.check_output(cmd, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ l = output.split("\n") ++ ++ except 
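Review bot: `get_attributes_from_type`, `file_type_is_executable` and `file_type_is_entrypoint` are each defined twice in this hunk, back to back; the second definition silently replaces the first, so one copy of each is dead code and any later edit to the first copy would have no effect. Delete the second set of three functions. While here, `file_type_is_executable` reduces to `return "exec_type" in get_attributes_from_type(setype)` (likewise for `entry_type`), and `get_real_type_name` swallows only `RuntimeError` — if an unknown type makes `info(TYPE, setype)` return an empty list, the `[0]` raises IndexError and still propagates, so it is worth confirming what `_policy.info` does for a missing name.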
subprocess.CalledProcessError as e: ++ from .sedbus import SELinuxDBus ++ l = SELinuxDBus().semodule_list().split("\n") ++ ++ for i in l: ++ if len(i): ++ all_modules.append(i.split()[1]) ++ ++ return all_modules ++ ++ ++def get_all_modules_from_mod_lst(): ++ mod_lst_path = ["/usr/share/selinux/targeted/base.lst", "/usr/share/selinux/targeted/modules-base.lst", "/usr/share/selinux/targeted/modules-contrib.lst"] ++ all_modules = [] ++ mod_temp = [] ++ for i in mod_lst_path: ++ try: ++ fd = open(i, "r") ++ modules = fd.readlines() ++ fd.close() ++ modules = modules[0].split(" ")[:-1] ++ for m in modules: ++ mod_temp.append(m) ++ all_modules.extend(mod_temp) ++ mod_temp = [] ++ except: ++ all_modules = [] ++ ++ return all_modules ++ ++ + def get_file_types(setype): + flist = [] + mpaths = {} +@@ -181,7 +278,7 @@ def find_file(reg): + try: + pat = re.compile(r"%s$" % reg) + except: +- print "bad reg:", reg ++ print("bad reg:", reg) + return [] + p = reg + if p.endswith("(/.*)?"): +@@ -193,12 +290,12 @@ def find_file(reg): + if path[-1] != "/": # is pass in it breaks without try block + path += "/" + except IndexError: +- print "try failed got an IndexError" ++ print("try failed got an IndexError") + pass + + try: + pat = re.compile(r"%s$" % reg) +- return filter(pat.match, map(lambda x: path + x, os.listdir(path))) ++ return list(filter(pat.match, [path + x for x in os.listdir(path)])) + except: + return [] + +@@ -206,7 +303,7 @@ def find_file(reg): + def find_all_files(domain, exclude_list=[]): + all_entrypoints = [] + executable_files = get_entrypoints(domain) +- for exe in executable_files.keys(): ++ for exe in list(executable_files.keys()): + if exe.endswith("_exec_t") and exe not in exclude_list: + for path in executable_files[exe]: + for f in find_file(path): +@@ -230,12 +327,15 @@ def find_entrypoint_path(exe, exclude_list=[]): + + + def read_file_equiv(edict, fc_path, modify): +- fd = open(fc_path, "r") +- fc = fd.readlines() +- fd.close() +- for e in fc: +- f 
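Review bot: under Python 3 `subprocess.check_output` returns bytes, so `output.split("\n")` in `get_all_modules` raises TypeError, and that is not caught by the `except subprocess.CalledProcessError` that guards the D-Bus fallback; the same series passes `universal_newlines=True` in selinux_server.py for exactly this reason and should do so here. `shell=True` is unnecessary for a constant command and `stderr=subprocess.STDOUT` is contradicted by the `2>/dev/null` in the string: `output = subprocess.check_output(["/usr/sbin/semodule", "--list=full"], universal_newlines=True)` (routing stderr to devnull if the old silence is wanted) is the plain form, and the unused `as e` can go. `get_all_modules_from_mod_lst` has a bare `except:` that resets `all_modules = []` but keeps looping, so one missing `.lst` file drops what earlier files contributed while later ones are still appended — narrow it to `IOError` and decide whether a missing list should clear the result or merely be skipped.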
= e.split() +- edict[f[0]] = {"equiv": f[1], "modify": modify} ++ try: ++ with open(fc_path, "r") as fd: ++ fc = fd.readlines() ++ for e in fc: ++ f = e.split() ++ edict[f[0]] = {"equiv": f[1], "modify": modify} ++ except IOError as e: ++ if e.errno != errno.ENOENT: ++ raise + return edict + + file_equiv_modified = None +@@ -268,9 +368,13 @@ def get_local_file_paths(fc_path=selinux.selinux_file_context_path()): + if local_files: + return local_files + local_files = [] +- fd = open(fc_path + ".local", "r") +- fc = fd.readlines() +- fd.close() ++ try: ++ with open(fc_path + ".local", "r") as fd: ++ fc = fd.readlines() ++ except IOError as e: ++ if e.errno != errno.ENOENT: ++ raise ++ return [] + for i in fc: + rec = i.split() + if len(rec) == 0: +@@ -296,13 +400,19 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): + fd = open(fc_path, "r") + fc = fd.readlines() + fd.close() +- fd = open(fc_path + ".homedirs", "r") +- fc += fd.readlines() +- fd.close() ++ try: ++ with open(fc_path + ".homedirs", "r") as fd: ++ fc += fd.readlines() ++ except IOError as e: ++ if e.errno != errno.ENOENT: ++ raise + fcdict = {} +- fd = open(fc_path + ".local", "r") +- fc += fd.readlines() +- fd.close() ++ try: ++ with open(fc_path + ".local", "r") as fd: ++ fc += fd.readlines() ++ except IOError as e: ++ if e.errno != errno.ENOENT: ++ raise + + for i in fc: + rec = i.split() +@@ -334,7 +444,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): + + def get_transitions_into(setype): + try: +- return filter(lambda x: x["transtype"] == setype, search([TRANSITION], {'class': 'process'})) ++ return [x for x in search([TRANSITION], {'class': 'process'}) if x["transtype"] == setype] + except TypeError: + pass + return None +@@ -350,7 +460,7 @@ def get_transitions(setype): + + def get_file_transitions(setype): + try: +- return filter(lambda x: x['class'] != "process", search([TRANSITION], {'source': setype})) ++ return [x for x in search([TRANSITION], {'source': setype}) 
if x['class'] != "process"] + except TypeError: + pass + return None +@@ -377,7 +487,7 @@ def get_all_entrypoints(): + def get_entrypoint_types(setype): + entrypoints = [] + try: +- entrypoints = map(lambda x: x['target'], filter(lambda x: x['source'] == setype, search([ALLOW], {'source': setype, 'permlist': ['entrypoint'], 'class': 'file'}))) ++ entrypoints = [x['target'] for x in [x for x in search([ALLOW], {'source': setype, 'permlist': ['entrypoint'], 'class':'file'}) if x['source'] == setype]] + except TypeError: + pass + return entrypoints +@@ -386,7 +496,7 @@ def get_entrypoint_types(setype): + def get_init_transtype(path): + entrypoint = selinux.getfilecon(path)[1].split(":")[2] + try: +- entrypoints = filter(lambda x: x['target'] == entrypoint, search([TRANSITION], {'source': "init_t", 'class': 'process'})) ++ entrypoints = [x for x in search([TRANSITION], {'source': "init_t", 'class': 'process'}) if x['target'] == entrypoint] + if len(entrypoints) == 0: + return None + return entrypoints[0]["transtype"] +@@ -397,7 +507,7 @@ def get_init_transtype(path): + + def get_init_entrypoint(transtype): + try: +- entrypoints = filter(lambda x: x['transtype'] == transtype, search([TRANSITION], {'source': "init_t", 'class': 'process'})) ++ entrypoints = [x for x in search([TRANSITION], {'source': "init_t", 'class': 'process'}) if x['transtype'] == transtype] + if len(entrypoints) == 0: + return None + return entrypoints[0]["target"] +@@ -408,7 +518,7 @@ def get_init_entrypoint(transtype): + + def get_init_entrypoint_target(entrypoint): + try: +- entrypoints = map(lambda x: x['transtype'], search([TRANSITION], {'source': "init_t", 'target': entrypoint, 'class': 'process'})) ++ entrypoints = [x['transtype'] for x in search([TRANSITION], {'source': "init_t", 'target': entrypoint, 'class': 'process'})] + return entrypoints[0] + except TypeError: + pass +@@ -426,16 +536,38 @@ def get_entrypoints(setype): + return mpaths + + ++def policy_sortkey(policy_path): ++ # Parse the 
extension of a policy path which looks like .../policy/policy.31 ++ extension = policy_path.rsplit('/policy.', 1)[1] ++ try: ++ return int(extension), policy_path ++ except ValueError: ++ # Fallback with sorting on the full path ++ return 0, policy_path ++ ++ + def get_installed_policy(root="/"): + try: + path = root + selinux.selinux_binary_policy_path() + policies = glob.glob("%s.*" % path) +- policies.sort() ++ policies.sort(key=policy_sortkey) + return policies[-1] + except: + pass + raise ValueError(_("No SELinux Policy installed")) + ++ ++def get_store_policy(store): ++ """Get the path to the policy file located in the given store name""" ++ policies = glob.glob("%s%s/policy/policy.*" % ++ (selinux.selinux_path(), store)) ++ if not policies: ++ return None ++ # Return the policy with the higher version number ++ policies.sort(key=policy_sortkey) ++ return policies[-1] ++ ++ + methods = [] + + +@@ -450,7 +582,7 @@ def get_methods(): + # List of per_role_template interfaces + ifs = interfaces.InterfaceSet() + ifs.from_file(fd) +- methods = ifs.interfaces.keys() ++ methods = list(ifs.interfaces.keys()) + fd.close() + except: + sys.stderr.write("could not open interface info [%s]\n" % fn) +@@ -465,7 +597,7 @@ all_types = None + def get_all_types(): + global all_types + if all_types == None: +- all_types = map(lambda x: x['name'], info(TYPE)) ++ all_types = [x['name'] for x in info(TYPE)] + return all_types + + user_types = None +@@ -513,7 +645,6 @@ portrecsbynum = None + + + def gen_interfaces(): +- import commands + ifile = defaults.interface_info() + headers = defaults.headers() + rebuild = False +@@ -525,7 +656,9 @@ def gen_interfaces(): + + if os.getuid() != 0: + raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen")) +- print commands.getstatusoutput("/usr/bin/sepolgen-ifgen")[1] ++ print(subprocess.check_output("/usr/bin/sepolgen-ifgen", ++ stderr=subprocess.STDOUT, ++ shell=True)) + + + def gen_port_dict(): +@@ -562,6 
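Review bot: `get_store_policy` interpolates `store` directly into the glob pattern `"%s%s/policy/policy.*"`, so a store name containing `/`, `..` or glob metacharacters (`*`, `?`, `[`) would resolve outside `selinux_path()` or match unrelated files; where `store` originates is not visible here, but if it can arrive from a CLI argument or a D-Bus caller it should be rejected unless it is a single path component, e.g. `if not store or os.sep in store or store in (".", ".."): return None`, with the caller validating against the known store names. `policy_sortkey` catches `ValueError`, but `rsplit('/policy.', 1)[1]` raises `IndexError` when the path has no `/policy.` segment; that cannot happen for the two callers shown, so either say so in the comment or make it `except (ValueError, IndexError):`.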
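Review bot: replacing `commands.getstatusoutput` with `subprocess.check_output(..., shell=True)` in `gen_interfaces` changes failure behaviour: the old call returned status and output, the new one raises `CalledProcessError` when `/usr/bin/sepolgen-ifgen` exits non-zero, and nothing in the hunk catches it, so a regeneration failure now surfaces as an unhandled traceback instead of the printed output. `shell=True` buys nothing for a constant argv, and on Python 3 `print(...)` of the returned bytes shows `b'...'`; use `subprocess.check_output(["/usr/bin/sepolgen-ifgen"], stderr=subprocess.STDOUT, universal_newlines=True)` and wrap it in `except subprocess.CalledProcessError as e: print(e.output)` if the old tolerance is wanted. The function's start and the preceding root check are outside the hunk.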
+695,23 @@ def get_all_domains(): + all_domains = info(ATTRIBUTE, "domain")[0]["types"] + return all_domains + ++ ++def mls_cmp(x, y): ++ return (int(x[1:]) > int(y[1:])) - (int(x[1:]) < int(y[1:])) ++ ++mls_range = None ++ ++ ++def get_mls_range(): ++ global mls_range ++ if mls_range: ++ return mls_rangeroles ++ range_dict = info(SENS) ++ keys = range_dict.keys() ++ keys.sort(key=util.cmp_to_key(mls_cmp)) ++ mls_range = "%s-%s" % (keys[0], range_dict[keys[-1]]) ++ return mls_range ++ + roles = None + + +@@ -569,7 +719,7 @@ def get_all_roles(): + global roles + if roles: + return roles +- roles = map(lambda x: x['name'], info(ROLE)) ++ roles = [x['name'] for x in info(ROLE)] + roles.remove("object_r") + roles.sort() + return roles +@@ -607,7 +757,7 @@ def get_login_mappings(): + + + def get_all_users(): +- users = map(lambda x: x['name'], get_selinux_users()) ++ users = [x['name'] for x in get_selinux_users()] + users.sort() + return users + +@@ -766,7 +916,7 @@ all_attributes = None + def get_all_attributes(): + global all_attributes + if not all_attributes: +- all_attributes = map(lambda x: x['name'], info(ATTRIBUTE)) ++ all_attributes = [x['name'] for x in info(ATTRIBUTE)] + return all_attributes + + +@@ -794,10 +944,17 @@ def policy(policy_file): + except: + raise ValueError(_("Failed to read %s policy file") % policy_file) + ++ ++def load_store_policy(store): ++ policy_file = get_store_policy(store) ++ if not policy_file: ++ return None ++ policy(policy_file) ++ + try: + policy_file = get_installed_policy() + policy(policy_file) +-except ValueError, e: ++except ValueError as e: + if selinux.is_selinux_enabled() == 1: + raise e + +@@ -815,7 +972,7 @@ def gen_short_name(setype): + domainname = setype[:-2] + else: + domainname = setype +- if domainname + "_t" not in all_domains: ++ if get_real_type_name(domainname + "_t") not in all_domains: + raise ValueError("domain %s_t does not exist" % domainname) + if domainname[-1] == 'd': + short_name = domainname[:-1] + 
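Review bot: `get_mls_range` returns `mls_rangeroles` on the cached path, a name defined nowhere, so the second call in a process raises NameError; it should be `return mls_range`. The uncached path does `keys = range_dict.keys()` then `keys.sort(...)`, which fails on Python 3 because `dict_keys` has no `sort` — this series adopts `util.cmp_to_key` precisely for Python 3, so use `keys = sorted(range_dict, key=util.cmp_to_key(mls_cmp))`. `mls_cmp` assumes every sensitivity name is one letter followed by digits (`int(x[1:])`), which holds for the standard `s0`..`sN` but raises ValueError on anything else, and since `info(...)` elsewhere in this file returns a list of dicts, whether `range_dict` really supports `.keys()` and `range_dict[keys[-1]]` should be confirmed against `_policy.info` for `SENS`.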
"_" +@@ -828,7 +985,7 @@ def get_bools(setype): + bools = [] + domainbools = [] + domainname, short_name = gen_short_name(setype) +- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, search([ALLOW], {'source': setype}))): ++ for i in [x['boolean'] for x in [x for x in search([ALLOW], {'source': setype}) if 'boolean' in x]]: + for b in i: + if not isinstance(b, tuple): + continue +@@ -851,6 +1008,8 @@ def get_all_booleans(): + global booleans + if not booleans: + booleans = selinux.security_get_boolean_names()[1] ++ if util.PY3: ++ booleans = [util.decode_input(x) for x in booleans] + return booleans + + booleans_dict = None +@@ -896,7 +1055,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): + desc = i.find("desc").find("p").text.strip("\n") + desc = re.sub("\n", " ", desc) + booleans_dict[i.get('name')] = ("global", i.get('dftval'), desc) +- except IOError, e: ++ except IOError as e: + pass + return booleans_dict + +@@ -919,24 +1078,14 @@ def boolean_desc(boolean): + + + def get_os_version(): +- os_version = "" +- pkg_name = "selinux-policy" ++ system_release = "" + try: +- import commands +- rc, output = commands.getstatusoutput("rpm -q '%s'" % pkg_name) +- if rc == 0: +- os_version = output.split(".")[-2] +- except: +- os_version = "" +- +- if os_version[0:2] == "fc": +- os_version = "Fedora" + os_version[2:] +- elif os_version[0:2] == "el": +- os_version = "RHEL" + os_version[2:] +- else: +- os_version = "" ++ with open('/etc/system-release') as f: ++ system_release = f.readline().rstrip() ++ except IOError: ++ system_release = "Misc" + +- return os_version ++ return system_release + + + def reinit(): +diff --git policycoreutils-2.5/sepolicy/sepolicy/booleans.py policycoreutils-2.5/sepolicy/sepolicy/booleans.py +index 56bef26..97236b6 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/booleans.py ++++ policycoreutils-2.5/sepolicy/sepolicy/booleans.py +@@ -39,6 +39,6 @@ def get_types(src, tclass, perm): + raise TypeError("The 
%s type is not allowed to %s any types" % (src, ",".join(perm))) + + tlist = [] +- for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): ++ for l in [y[sepolicy.TARGET] for y in [x for x in allows if set(perm).issubset(x[sepolicy.PERMS])]]: + tlist = tlist + expand_attribute(l) + return tlist +diff --git policycoreutils-2.5/sepolicy/sepolicy/communicate.py policycoreutils-2.5/sepolicy/sepolicy/communicate.py +index 9939c23..27be126 100755 +--- policycoreutils-2.5/sepolicy/sepolicy/communicate.py ++++ policycoreutils-2.5/sepolicy/sepolicy/communicate.py +@@ -47,6 +47,6 @@ def get_types(src, tclass, perm): + raise ValueError("The %s type is not allowed to %s any types" % (src, ",".join(perm))) + + tlist = [] +- for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): ++ for l in [y[sepolicy.TARGET] for y in [x for x in allows if set(perm).issubset(x[sepolicy.PERMS])]]: + tlist = tlist + expand_attribute(l) + return tlist +diff --git policycoreutils-2.5/sepolicy/sepolicy/generate.py policycoreutils-2.5/sepolicy/sepolicy/generate.py +index a92783a..809637b 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/generate.py ++++ policycoreutils-2.5/sepolicy/sepolicy/generate.py +@@ -28,25 +28,25 @@ import re + import sepolicy + from sepolicy import get_all_types, get_all_attributes, get_all_roles + import time +-import platform +- +-from templates import executable +-from templates import boolean +-from templates import etc_rw +-from templates import unit_file +-from templates import var_cache +-from templates import var_spool +-from templates import var_lib +-from templates import var_log +-from templates import var_run +-from templates import tmp +-from templates import rw +-from templates import network +-from templates import script +-from templates import spec +-from templates import user ++ ++from .templates import executable ++from .templates import boolean ++from 
.templates import etc_rw ++from .templates import unit_file ++from .templates import var_cache ++from .templates import var_spool ++from .templates import var_lib ++from .templates import var_log ++from .templates import var_run ++from .templates import tmp ++from .templates import rw ++from .templates import network ++from .templates import script ++from .templates import spec ++from .templates import user + import sepolgen.interfaces as interfaces + import sepolgen.defaults as defaults ++from sepolgen import util + + ## + ## I18N +@@ -58,12 +58,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + gettext.textdomain(PROGNAME) + try: + gettext.install(PROGNAME, +- localedir="/usr/share/locale", +- unicode=False, ++ unicode=True, ++ codeset='utf-8') ++except TypeError: ++ # Failover to python3 install ++ gettext.install(PROGNAME, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = str + + + def get_rpm_nvr_from_header(hdr): +@@ -71,6 +74,11 @@ def get_rpm_nvr_from_header(hdr): + name = hdr['name'] + version = hdr['version'] + release = hdr['release'] ++ if util.PY3: ++ name = util.decode_input(name) ++ version = util.decode_input(version) ++ release = util.decode_input(release) ++ + release_version = version + "-" + release.split(".")[0] + os_version = release.split(".")[1] + +@@ -87,7 +95,7 @@ def get_rpm_nvr_list(package): + nvr = get_rpm_nvr_from_header(h) + break + except: +- print("Failed to retrieve rpm info for %s") % package ++ print(("Failed to retrieve rpm info for %s") % package) + nvr = None + + return nvr +@@ -105,7 +113,7 @@ def get_all_ports(): + + + def get_all_users(): +- users = map(lambda x: x['name'], sepolicy.info(sepolicy.USER)) ++ users = [x['name'] for x in sepolicy.info(sepolicy.USER)] + users.remove("system_u") + users.remove("root") + users.sort() +@@ -149,7 +157,7 @@ poltype[NEWTYPE] = _("Module information for a new type") + + + def 
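Review bot: The IOError branch now does `import builtins`, which only exists on Python 3, while the new `except TypeError` failover deliberately keeps the `unicode=True` call path alive for Python 2; if Python 2 is still a supported interpreter for this module, the fallback itself raises ImportError there instead of installing `_`. A version-tolerant form imports `builtins` inside a `try` and falls back to `import __builtin__ as builtins` on ImportError. The same pattern appears in the gui.py hunk `@@ -48,12 +48,15 @@` and the interface.py hunk `@@ -38,20 +38,24 @@`.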
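Review bot: `print(("Failed to retrieve rpm info for %s") % package)` keeps a redundant inner pair of parentheses around the format string; `print("Failed to retrieve rpm info for %s" % package)` is the plain form. The bare `except:` above it is unchanged context, but since it also swallows KeyboardInterrupt and SystemExit it is worth narrowing to `except Exception:` while the line is being touched. get_rpm_nvr_list starts outside the hunk.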
get_poltype_desc(): +- keys = poltype.keys() ++ keys = list(poltype.keys()) + keys.sort() + msg = _("Valid Types:\n") + for k in keys: +@@ -163,7 +171,7 @@ USERS = [XUSER, TUSER, LUSER, AUSER, RUSER] + def verify_ports(ports): + if ports == "": + return [] +- max_port = 2 ** 16 ++ max_port = 2**16 + try: + temp = [] + for a in ports.split(","): +@@ -204,10 +212,10 @@ class policy: + raise ValueError(_("You must enter a name for your policy module for your '%s'.") % poltype[type]) + try: + self.ports = get_all_ports() +- except ValueError, e: +- print "Can not get port types, must be root for this information" +- except RuntimeError, e: +- print "Can not get port types", e ++ except ValueError as e: ++ print("Can not get port types, must be root for this information") ++ except RuntimeError as e: ++ print("Can not get port types", e) + + self.symbols = {} + self.symbols["openlog"] = "set_use_kerberos(True)" +@@ -424,7 +432,7 @@ class policy: + return self.use_tcp() or self.use_udp() + + def find_port(self, port, protocol="tcp"): +- for begin, end, p in self.ports.keys(): ++ for begin, end, p in list(self.ports.keys()): + if port >= begin and port <= end and protocol == p: + return self.ports[begin, end, protocol] + return None +@@ -850,7 +858,7 @@ allow %s_t %s_t:%s_socket name_%s; + role = d.split("_t")[0] + "_r" + if role in self.all_roles: + newte += """ +- role %s;""" % role ++ role %s;""" % role + newte += """ + ') + """ +@@ -870,7 +878,7 @@ allow %s_t %s_t:%s_socket name_%s; + for t in self.types: + for i in self.DEFAULT_EXT: + if t.endswith(i): +- print t, t[:-len(i)] ++ print(t, t[:-len(i)]) + newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types) + break + +@@ -1088,7 +1096,7 @@ allow %s_t %s_t:%s_socket name_%s; + def generate_fc(self): + newfc = "" + fclist = [] +- for i in self.files.keys(): ++ for i in list(self.files.keys()): + if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): + t1 = re.sub("TEMPLATETYPE", self.name, 
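Review bot: `for begin, end, p in list(self.ports.keys()):` copies the key list for no reason — the loop does not mutate `self.ports`, and a dict iterates its keys directly on both Python 2 and 3, so `for begin, end, p in self.ports:` is enough. The same 2to3 artifact appears in the generate.py hunks `@@ -1088`, `@@ -1096`, `@@ -1159`, `@@ -1176`, `@@ -1325` and `@@ -1340`, the gui.py hunks `@@ -856`, `@@ -1108`, `@@ -1157`, `@@ -1200`, `@@ -1642`, `@@ -1652` and `@@ -1710`, and the interface.py hunks `@@ -38`, `@@ -76` and `@@ -98`. Where the copy feeds a membership test, as in `if i in list(self.dirs.keys()):`, it also turns an O(1) lookup into an O(n) scan and should simply be `if i in self.dirs:`. find_port starts inside the hunk; the class body continues outside it.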
self.files[i][2].fc_sock_file) + else: +@@ -1096,7 +1104,7 @@ allow %s_t %s_t:%s_socket name_%s; + t2 = re.sub("FILENAME", i, t1) + fclist.append(re.sub("FILETYPE", self.files[i][0], t2)) + +- for i in self.dirs.keys(): ++ for i in list(self.dirs.keys()): + t1 = re.sub("TEMPLATETYPE", self.name, self.dirs[i][2].fc_dir) + t2 = re.sub("FILENAME", i, t1) + fclist.append(re.sub("FILETYPE", self.dirs[i][0], t2)) +@@ -1159,10 +1167,10 @@ allow %s_t %s_t:%s_socket name_%s; + if self.initscript != "": + newsh += re.sub("FILENAME", self.initscript, script.restorecon) + +- for i in self.files.keys(): ++ for i in list(self.files.keys()): + newsh += re.sub("FILENAME", i, script.restorecon) + +- for i in self.dirs.keys(): ++ for i in list(self.dirs.keys()): + newsh += re.sub("FILENAME", i, script.restorecon) + + for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]: +@@ -1176,28 +1184,31 @@ allow %s_t %s_t:%s_socket name_%s; + newsh += re.sub("TEMPLATETYPE", self.name, t1) + + newsh += self.generate_user_sh() +- if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")): +- newsh += re.sub("TEMPLATEFILE", self.file_name, script.rpm) ++ newsh += re.sub("TEMPLATEFILE", self.file_name, script.rpm) + + return newsh + + def generate_spec(self): + newspec = "" + +- selinux_policyver = get_rpm_nvr_list("selinux-policy")[1] +- POLICYCOREUTILSVER = get_rpm_nvr_list("checkpolicy")[1] ++ selinux_policynvr = get_rpm_nvr_list("selinux-policy") ++ ++ if selinux_policynvr is None: ++ selinux_policyver = "0.0.0" ++ else: ++ selinux_policyver = selinux_policynvr[1] + + newspec += spec.header_comment_section + if self.type in APPLICATIONS: + newspec += spec.define_relabel_files_begin + if self.program: + newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end) +- if self.initscript != "": +- newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end) +- for i in self.files.keys(): +- newspec += 
re.sub("FILENAME", i, spec.define_relabel_files_end) +- for i in self.dirs.keys(): +- newspec += re.sub("FILENAME", i, spec.define_relabel_files_end) ++ if self.initscript != "": ++ newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end) ++ for i in list(self.files.keys()): ++ newspec += re.sub("FILENAME", i, spec.define_relabel_files_end) ++ for i in list(self.dirs.keys()): ++ newspec += re.sub("FILENAME", i, spec.define_relabel_files_end) + + newspec += re.sub("VERSION", selinux_policyver, spec.base_section) + newspec = re.sub("MODULENAME", self.file_name, newspec) +@@ -1239,7 +1250,7 @@ allow %s_t %s_t:%s_socket name_%s; + fd = open(shfile, "w") + fd.write(self.generate_sh()) + fd.close() +- os.chmod(shfile, 0750) ++ os.chmod(shfile, 0o750) + return shfile + + def write_if(self, out_dir): +@@ -1287,7 +1298,7 @@ allow %s_t %s_t:%s_socket name_%s; + # some packages have own systemd subpackage + # tor-systemd for example + binary_name = self.program.split("/")[-1] +- for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]): ++ for bpkg in yb.rpmdb.searchNames([ "%s-systemd" % binary_name ]): + for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist: + for b in self.DEFAULT_DIRS: + if b == "/etc": +@@ -1325,7 +1336,7 @@ allow %s_t %s_t:%s_socket name_%s; + # we don't want to have subdir in the .fc policy file + # if we already specify labeling for parent dir + temp_basepath = [] +- for p in self.DEFAULT_DIRS.keys(): ++ for p in list(self.DEFAULT_DIRS.keys()): + temp_dirs = [] + try: + temp_basepath = self.DEFAULT_DIRS[p][1][0] + "/" +@@ -1340,9 +1351,9 @@ allow %s_t %s_t:%s_socket name_%s; + + if len(temp_dirs) is not 0: + for i in temp_dirs: +- if i in self.dirs.keys(): ++ if i in list(self.dirs.keys()): + del(self.dirs[i]) +- elif i in self.files.keys(): ++ elif i in list(self.files.keys()): + del(self.files[i]) + else: + continue +@@ -1364,7 +1375,7 @@ Warning %s does not exist + for s in fd.read().split(): + for b in self.symbols: 
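Review bot: `os.chmod(shfile, 0o750)` is applied only after `open(shfile, "w")` has created and filled the setup script under the process umask, so the file briefly exists with whatever mode the umask allows before it is tightened. Creating it with the intended mode in one step removes that window: `fd = os.fdopen(os.open(shfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o750), "w")`. write_sh's signature is outside the hunk.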
+ if s.startswith(b):
+- exec "self.%s" % self.symbols[b]
++ exec("self.%s" % self.symbols[b])
+ fd.close()
+
+ def generate(self, out_dir=os.getcwd()):
+@@ -1373,7 +1384,6 @@ Warning %s does not exist
+ out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
+ out += "%s # %s\n" % (self.write_fc(out_dir), _("File Contexts file"))
+ if self.type != NEWTYPE:
+- if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
+- out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
++ out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
+ out += "%s # %s\n" % (self.write_sh(out_dir), _("Setup Script"))
+ return out
+diff --git policycoreutils-2.5/sepolicy/sepolicy/gui.py policycoreutils-2.5/sepolicy/sepolicy/gui.py
+index 313b77f..2ab2dce 100644
+--- policycoreutils-2.5/sepolicy/sepolicy/gui.py
++++ policycoreutils-2.5/sepolicy/sepolicy/gui.py
+@@ -48,12 +48,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+ gettext.textdomain(PROGNAME)
+ try:
+ gettext.install(PROGNAME,
+- localedir="/usr/share/locale",
+- unicode=False,
++ unicode=True,
++ codeset='utf-8')
++except TypeError:
++ # Failover to python3 install
++ gettext.install(PROGNAME,
+ codeset='utf-8')
+ except IOError:
+- import __builtin__
+- __builtin__.__dict__['_'] = unicode
++ import builtins
++ builtins.__dict__['_'] = str
+
+ reverse_file_type_str = {}
+ for f in sepolicy.file_type_str:
+@@ -62,10 +65,6 @@ for f in sepolicy.file_type_str:
+ enabled = [_("No"), _("Yes")]
+ action = [_("Disable"), _("Enable")]
+
+-
+-def compare(a, b):
+- return cmp(a.lower(), b.lower())
+-
+ import distutils.sysconfig
+ ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<"))
+ ADVANCED_SEARCH_LABEL = (_("Advanced Search >>"), _("Advanced Search <<"))
+@@ -106,18 +105,13 @@ class SELinuxGui():
+
+ def __init__(self, app=None, test=False):
+ self.finish_init = False
++ self.advanced_init = True
+ self.opage = START_PAGE
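Review bot: `exec("self.%s" % self.symbols[b])` still builds source text and evaluates it at run time just to call a method on `self`; the values in `self.symbols` are fixed call strings such as `"set_use_kerberos(True)"` (seen earlier in this patch), so a table of bound callables (`self.symbols["openlog"] = lambda: self.set_use_kerberos(True)`) invoked as `self.symbols[b]()` expresses the same dispatch without `exec`, is easier to grep and type-check, and removes any temptation to derive the evaluated string from the scanned input later. The enclosing method starts outside the hunk.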
+ self.dbus = SELinuxDBus() + try: + customized = self.dbus.customized() +- except dbus.exceptions.DBusException, e: +- print e +- self.quit() +- +- sepolicy_domains = sepolicy.get_all_domains() +- sepolicy_domains.sort(compare) +- if app and app not in sepolicy_domains: +- self.error(_("%s is not a valid domain" % app)) ++ except dbus.exceptions.DBusException as e: ++ print(e) + self.quit() + + self.init_cur() +@@ -143,7 +137,7 @@ class SELinuxGui(): + self.files_add = False + self.network_add = False + +- self.all_list = [] ++ self.all_domains = [] + self.installed_list = [] + self.previously_modified = {} + +@@ -155,10 +149,10 @@ class SELinuxGui(): + self.invalid_entry = False + # Advanced search window **************************** + self.advanced_search_window = builder.get_object("advanced_search_window") +- self.advanced_search_liststore = builder.get_object("Advanced_search_liststore") +- self.advanced_search_liststore.set_sort_column_id(0, Gtk.SortType.ASCENDING) + self.advanced_search_filter = builder.get_object("advanced_filter") + self.advanced_search_filter.set_visible_func(self.filter_the_data) ++ self.advanced_search_sort = builder.get_object("advanced_sort") ++ + self.advanced_filter_entry = builder.get_object("advanced_filter_entry") + self.advanced_search_treeview = builder.get_object("advanced_search_treeview") + self.advanced_search = False +@@ -427,12 +421,10 @@ class SELinuxGui(): + + # Combobox and Entry items ************************** + self.combobox_menu = builder.get_object("combobox_org") # This is the combobox box object, aka the arrow next to the entry text bar +- self.combobox_menu_model = builder.get_object("application_liststore") ++ self.application_liststore = builder.get_object("application_liststore") + self.completion_entry = builder.get_object("completion_entry") # self.combobox_menu.get_child() +- self.completion_entry_model = builder.get_object("application_liststore") + self.entrycompletion_obj = 
builder.get_object("entrycompletion_obj")
+ #self.entrycompletion_obj = Gtk.EntryCompletion()
+- self.entrycompletion_obj.set_model(self.completion_entry_model)
+ self.entrycompletion_obj.set_minimum_key_length(0)
+ self.entrycompletion_obj.set_text_column(0)
+ self.entrycompletion_obj.set_match_func(self.match_func, None)
+@@ -487,20 +479,24 @@ class SELinuxGui():
+ self.loading = 1
+ path = None
+ if test:
+- domains = ["httpd_t", "abrt_t"]
+- if app and app not in domains:
+- domains.append(app)
++ self.all_domains = ["httpd_t", "abrt_t"]
++ if app and app not in self.all_domains:
++ self.all_domains.append(app)
+ else:
+- domains = sepolicy_domains
+- loading_gui.show()
+- length = len(domains)
+- for domain in domains:
++ self.all_domains = sepolicy.get_all_domains()
++ self.all_domains.sort(key=str.lower)
++
++ if app and app not in self.all_domains:
++ self.error(_("%s is not a valid domain" % app))
++ self.quit()
++
++ loading_gui.show()
++ length = len(self.all_domains)
++ for domain in self.all_domains:
+ # After the user selects a path in the drop down menu call
+ # get_init_entrypoint_target(entrypoint) to get the transtype
+ # which will give you the application
+- self.combo_box_initialize(domain, None)
+- self.advanced_search_initialize(domain)
+- self.all_list.append(domain)
++ self.combo_box_add(domain, domain)
+ self.percentage = float(float(self.loading) / float(length))
+ self.progress_bar.set_fraction(self.percentage)
+ self.progress_bar.set_pulse_step(self.percentage)
+@@ -510,14 +506,13 @@ class SELinuxGui():
+ if entrypoint:
+ path = sepolicy.find_entrypoint_path(entrypoint)
+ if path:
+- self.combo_box_initialize(path, None)
+- # Adds all files entrypoint paths that exists on disc
+- # into the combobox
+- self.advanced_search_initialize(path)
++ self.combo_box_add(path, domain)
+ self.installed_list.append(path)
+
+ self.loading += 1
+ loading_gui.hide()
++ self.entrycompletion_obj.set_model(self.application_liststore)
++
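Review bot: `self.error(_("%s is not a valid domain" % app))` interpolates before translating, so gettext looks up the already-formatted string and never finds a catalog entry; it should read `self.error(_("%s is not a valid domain") % app)`. The line was moved here from the block removed in `@@ -106,18 +105,13 @@` with the bug intact, so this is the place to fix it. The surrounding `__init__` starts outside the hunk.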
self.advanced_search_treeview.set_model(self.advanced_search_sort) + + dic = { + "on_combo_button_clicked": self.open_combo_menu, +@@ -549,7 +544,7 @@ class SELinuxGui(): + "on_file_equiv_button_clicked": self.show_file_equiv_page, + "on_app/system_button_clicked": self.system_interface, + "on_app/users_button_clicked": self.users_interface, +- "on_main_advanced_label_button_press_event": self.advanced_label_main, ++ "on_show_advanced_search_window": self.on_show_advanced_search_window, + + "on_Show_mislabeled_files_toggled": self.show_mislabeled_files, + "on_Browse_button_files_clicked": self.browse_for_files, +@@ -565,8 +560,6 @@ class SELinuxGui(): + "on_advanced_filter_entry_changed": self.get_advanced_filter_data, + "on_advanced_search_treeview_row_activated": self.advanced_item_selected, + "on_Select_advanced_search_clicked": self.advanced_item_button_push, +- "on_All_advanced_button_toggled": self.advanced_radio_select, +- "on_Installed_advanced_button_toggled": self.advanced_radio_select, + "on_info_button_button_press_event": self.on_help_button, + "on_back_button_clicked": self.on_help_back_clicked, + "on_forward_button_clicked": self.on_help_forward_clicked, +@@ -672,9 +665,10 @@ class SELinuxGui(): + self.module_dict = {} + for m in self.dbus.semodule_list().split("\n"): + mod = m.split() +- if len(mod) < 2: ++ if len(mod) < 3: + continue + self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)} ++ self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) } + + self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"]) + self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"]) +@@ -707,7 +701,7 @@ class SELinuxGui(): + + def match_func(self, completion, key_string, iter, func_data): + try: +- if self.combobox_menu_model.get_value(iter, 0).find(key_string) != -1: ++ if self.application_liststore.get_value(iter, 0).find(key_string) != -1: + return 
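Review bot: With the guard changed to `len(mod) < 3`, the surviving line `self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)}` now keys an entry by the priority column and always records `Disabled` as True, so it describes nothing real and sits next to the new `self.module_dict[mod[1]] = {...}` entry that does. Either drop the old line or, if two-column `semodule -l` output is still expected, branch on `len(mod)` and build only the entry that matches the format; as written, two-column output is skipped entirely and the `self.module_dict["unconfined"]` lookups just below would then raise KeyError. The enclosing method starts outside the hunk.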
True + return False + except AttributeError: +@@ -818,7 +812,7 @@ class SELinuxGui(): + self.set_application_label = True + + def resize_wrap(self, *args): +- print args ++ print(args) + + def initialize_system_default_mode(self): + self.enforce_mode = selinux.selinux_getenforcemode()[1] +@@ -831,7 +825,7 @@ class SELinuxGui(): + + def populate_system_policy(self): + selinux_path = selinux.selinux_path() +- types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0] ++ types = [x[1] for x in os.walk(selinux_path) if x[0] == selinux_path][0] + types.sort() + ctr = 0 + for item in types: +@@ -856,14 +850,14 @@ class SELinuxGui(): + # Returns true if filter_txt exists within the val + if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1): + return True +- except AttributeError, TypeError: ++ except AttributeError as TypeError: + pass + except: # ValueError: + pass + return False + + def net_update(self, app, netd, protocol, direction, model): +- for k in netd.keys(): ++ for k in list(netd.keys()): + for t, ports in netd[k]: + pkey = (",".join(ports), protocol) + if pkey in self.cur_dict["port"]: +@@ -918,11 +912,11 @@ class SELinuxGui(): + self.ready_mouse() + + def network_initialize(self, app): +- netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect") ++ netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect", check_bools=True) + self.net_update(app, netd, "tcp", OUTBOUND_PAGE, self.network_out_liststore) +- netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind") ++ netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind", check_bools=True) + self.net_update(app, netd, "tcp", INBOUND_PAGE, self.network_in_liststore) +- netd = sepolicy.network.get_network_connect(app, "udp", "name_bind") ++ netd = sepolicy.network.get_network_connect(app, "udp", "name_bind", check_bools=True) + self.net_update(app, netd, "udp", INBOUND_PAGE, self.network_in_liststore) + 
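Review bot: `[x[1] for x in os.walk(selinux_path) if x[0] == selinux_path][0]` walks the entire policy tree only to keep the directory list of its first entry; `next(os.walk(selinux_path))[1]` yields the same list after a single directory read when the path exists (a missing path raises StopIteration there rather than IndexError, so adjust the caller if that case matters). populate_system_policy continues outside the hunk.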
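Review bot: `except AttributeError as TypeError:` binds the caught AttributeError to a local named `TypeError`, shadowing the builtin, and does not catch TypeError at all — presumably the intent behind the Python 2 spelling `except AttributeError, TypeError:`, which had the same flaw; only the bare `except:` that follows absorbs it now. Use a tuple: `except (AttributeError, TypeError):`. filter_the_data starts outside the hunk.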
+ def network_initial_data_insert(self, model, ports, portType, protocol): +@@ -958,12 +952,12 @@ class SELinuxGui(): + iter = liststore.get_iter(index) + return liststore.get_value(iter, 0) + +- def combo_box_initialize(self, val, desc): ++ def combo_box_add(self, val, val1): + if val == None: + return +- iter = self.combobox_menu_model.append() +- for f in val: +- self.combobox_menu_model.set_value(iter, 0, val) ++ iter = self.application_liststore.append() ++ self.application_liststore.set_value(iter, 0, val) ++ self.application_liststore.set_value(iter, 1, val1) + + def select_type_more(self, *args): + app = self.moreTypes_treeview.get_selection() +@@ -979,19 +973,18 @@ class SELinuxGui(): + model, iter = row.get_selected() + iter = model.convert_iter_to_child_iter(iter) + iter = self.advanced_search_filter.convert_iter_to_child_iter(iter) +- app = self.advanced_search_liststore.get_value(iter, 1) ++ app = self.application_liststore.get_value(iter, 1) + if app == None: + return + self.advanced_filter_entry.set_text('') + self.advanced_search_window.hide() + self.reveal_advanced(self.main_advanced_label) + self.completion_entry.set_text(app) +- self.application_selected() + + def advanced_item_selected(self, treeview, path, *args): + iter = self.advanced_search_filter.get_iter(path) + iter = self.advanced_search_filter.convert_iter_to_child_iter(iter) +- app = self.advanced_search_liststore.get_value(iter, 1) ++ app = self.application_liststore.get_value(iter, 1) + self.advanced_filter_entry.set_text('') + self.advanced_search_window.hide() + self.reveal_advanced(self.main_advanced_label) +@@ -1000,7 +993,7 @@ class SELinuxGui(): + + def find_application(self, app): + if app and len(app) > 0: +- for items in self.combobox_menu_model: ++ for items in self.application_liststore: + if app == items[0]: + return True + return False +@@ -1108,19 +1101,19 @@ class SELinuxGui(): + if rec[0] == "module": + self.cust_dict["module"][rec[-1]] = {"enabled": rec[2] != "-d"} + 
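Review bot: The new parameter name `val1` in `def combo_box_add(self, val, val1):` says nothing about what column 1 of the model holds; both callers in this patch pass a domain (`combo_box_add(domain, domain)` and `combo_box_add(path, domain)`), so `def combo_box_add(self, val, domain):` with `self.application_liststore.set_value(iter, 1, domain)` documents the model layout at the definition. The `if val == None:` guard above it is unchanged context, but `is None` is the idiomatic test if the line is revisited.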
+- if "module" not in self.cust_dict: ++ for i in keys: ++ if i not in self.cust_dict: ++ self.cust_dict.update({i: {}}) ++ ++ if not self.cust_dict["module"]: + return + for semodule, button in [("unconfined", self.disable_unconfined_button), ("permissivedomains", self.disable_permissive_button)]: + if semodule in self.cust_dict["module"]: + button.set_active(self.cust_dict["module"][semodule]["enabled"]) + +- for i in keys: +- if i not in self.cust_dict: +- self.cust_dict.update({i: {}}) +- + def executable_files_initialize(self, application): + self.entrypoints = sepolicy.get_entrypoints(application) +- for exe in self.entrypoints.keys(): ++ for exe in list(self.entrypoints.keys()): + if len(self.entrypoints[exe]) == 0: + continue + file_class = self.entrypoints[exe][1] +@@ -1157,7 +1150,7 @@ class SELinuxGui(): + def writable_files_initialize(self, application): + # Traversing the dictionary data struct + self.writable_files = sepolicy.get_writable_files(application) +- for write in self.writable_files.keys(): ++ for write in list(self.writable_files.keys()): + if len(self.writable_files[write]) < 2: + self.files_initial_data_insert(self.writable_files_liststore, None, write, _("all files")) + continue +@@ -1200,7 +1193,7 @@ class SELinuxGui(): + + def application_files_initialize(self, application): + self.file_types = sepolicy.get_file_types(application) +- for app in self.file_types.keys(): ++ for app in list(self.file_types.keys()): + if len(self.file_types[app]) == 0: + continue + file_class = self.file_types[app][1] +@@ -1373,8 +1366,8 @@ class SELinuxGui(): + self.treeview = self.network_in_treeview + category = _("listen for inbound connections") + +- self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category}) +- self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %s.") % {"APP": 
self.application, "PERM": category}) ++ self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) ++ self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) + self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) + + if self.transitions_radio_button.get_active(): +@@ -1444,8 +1437,12 @@ class SELinuxGui(): + def stripsort(self, model, row1, row2, user_data): + sort_column, _ = model.get_sort_column_id() + val1 = self.unmarkup(model.get_value(row1, sort_column)) ++ if val1 is None: ++ val1 = "" + val2 = self.unmarkup(model.get_value(row2, sort_column)) +- return cmp(val1, val2) ++ if val2 is None: ++ val2 = "" ++ return (val1 > val2) - (val1 < val2) + + def display_more_detail(self, windows, path): + it = self.boolean_filter.get_iter(path) +@@ -1631,7 +1628,7 @@ class SELinuxGui(): + self.files_type_combolist.clear() + self.files_class_combolist.clear() + compare = self.strip_domain(self.application) +- for d in self.completion_entry_model: ++ for d in self.application_liststore: + if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"): + exclude_list.append(self.strip_domain(d[0])) + +@@ -1642,7 +1639,7 @@ class SELinuxGui(): + self.files_class_combolist.set_value(iter, 0, sepolicy.file_type_str[files]) + + if ipage == EXE_PAGE and self.entrypoints != None: +- for exe in self.entrypoints.keys(): ++ for exe in list(self.entrypoints.keys()): + if exe.startswith(compare): + iter = self.files_type_combolist.append() + self.files_type_combolist.set_value(iter, 0, exe) +@@ -1652,7 +1649,7 @@ class SELinuxGui(): + self.files_class_combobox.set_sensitive(False) + + elif ipage == WRITABLE_PAGE and 
self.writable_files != None: +- for write in self.writable_files.keys(): ++ for write in list(self.writable_files.keys()): + if write.startswith(compare) and not self.exclude_type(write, exclude_list) and write in self.file_types: + iter = self.files_type_combolist.append() + self.files_type_combolist.set_value(iter, 0, write) +@@ -1669,7 +1666,7 @@ class SELinuxGui(): + self.more_types_files_liststore.set_value(iter, 0, app) + self.files_class_combobox.set_active(0) + except AttributeError: +- print "error" ++ print("error") + pass + self.files_type_combobox.set_active(0) + self.files_mls_entry.set_text("s0") +@@ -1710,13 +1707,13 @@ class SELinuxGui(): + + try: + if ipage == OUTBOUND_PAGE: +- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect") ++ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect", check_bools=True) + elif ipage == INBOUND_PAGE: +- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind") +- netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind") ++ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind", check_bools=True) ++ netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools=True) + + port_types = [] +- for k in netd.keys(): ++ for k in list(netd.keys()): + for t, ports in netd[k]: + if t not in port_types + ["port_t", "unreserved_port_t"]: + if t.endswith("_type"): +@@ -1811,7 +1808,7 @@ class SELinuxGui(): + self.wait_mouse() + try: + self.dbus.semanage(update_buffer) +- except dbus.exceptions.DBusException, e: ++ except dbus.exceptions.DBusException as e: + self.error(e) + self.ready_mouse() + +@@ -1890,7 +1887,7 @@ class SELinuxGui(): + tree.set_value(iter, 2, fclass) + + def restore_to_default(self, *args): +- print "restore to defualt clicked..." 
++ print("restore to defualt clicked...") + + def invalid_entry_retry(self, *args): + self.closewindow(self.error_check_window) +@@ -2143,7 +2140,7 @@ class SELinuxGui(): + + def on_save_delete_file_equiv_clicked(self, *args): + for delete in self.files_delete_liststore: +- print delete[0], delete[1], delete[2], ++ print(delete[0], delete[1], delete[2]) + + def on_toggle_update(self, cell, path, model): + model[path][0] = not model[path][0] +@@ -2185,7 +2182,6 @@ class SELinuxGui(): + self.update = True + self.update_treestore.clear() + for bools in self.cur_dict["boolean"]: +- operation = self.cur_dict["boolean"][bools]["action"] + iter = self.update_treestore.append(None) + self.update_treestore.set_value(iter, 0, True) + self.update_treestore.set_value(iter, 1, sepolicy.boolean_desc(bools)) +@@ -2416,8 +2412,11 @@ class SELinuxGui(): + cur = selinux.getfilecon(path)[1].split(":")[2] + con = selinux.matchpathcon(path, 0)[1].split(":")[2] + if self.verify(_("Run restorecon on %(PATH)s to change its type from %(CUR_CONTEXT)s to the default %(DEF_CONTEXT)s?") % {"PATH": path, "CUR_CONTEXT": cur, "DEF_CONTEXT": con}, title="restorecon dialog") == Gtk.ResponseType.YES: +- self.dbus.restorecon(path) +- self.application_selected() ++ try: ++ self.dbus.restorecon(path) ++ self.application_selected() ++ except dbus.exceptions.DBusException as e: ++ self.error(e) + + def new_updates(self, *args): + self.update_button.set_sensitive(self.modified()) +@@ -2451,8 +2450,8 @@ class SELinuxGui(): + self.wait_mouse() + try: + self.dbus.semanage(update_buffer) +- except dbus.exceptions.DBusException, e: +- print e ++ except dbus.exceptions.DBusException as e: ++ self.error(e) + self.ready_mouse() + self.init_cur() + +@@ -2546,34 +2545,7 @@ class SELinuxGui(): + self.network_mls_label.set_visible(advanced) + self.network_mls_entry.set_visible(advanced) + +- def advanced_search_initialize(self, path): +- try: +- if path[0] == '/': +- domain = sepolicy.get_init_transtype(path) +- 
else: +- domain = path +- except IndexError: +- return +- except OSError: +- return +- iter = self.advanced_search_liststore.append() +- self.advanced_search_liststore.set_value(iter, 0, path) +- self.advanced_search_liststore.set_value(iter, 1, domain) +- user_types = sepolicy.get_user_types() +- if domain in user_types + ['initrc_t']: +- return +- +- entrypoints = sepolicy.get_entrypoints(domain) +- # From entry_point = 0 to the number of keys in the dic +- for exe in entrypoints: +- if len(entrypoints[exe]): +- file_class = entrypoints[exe][1] +- for path in entrypoints[exe][0]: +- iter = self.advanced_search_liststore.append() +- self.advanced_search_liststore.set_value(iter, 1, domain) +- self.advanced_search_liststore.set_value(iter, 0, path) +- +- def advanced_label_main(self, label, *args): ++ def on_show_advanced_search_window(self, label, *args): + if label.get_text() == ADVANCED_SEARCH_LABEL[1]: + label.set_text(ADVANCED_SEARCH_LABEL[0]) + self.close_popup() +@@ -2581,25 +2553,6 @@ class SELinuxGui(): + label.set_text(ADVANCED_SEARCH_LABEL[1]) + self.show_popup(self.advanced_search_window) + +- def advanced_radio_select(self, button): +- label = "" +- if button.get_active(): +- label = button.get_label() +- if label == '': +- return +- self.advanced_search_liststore.clear() +- if label == "All": +- for items in self.all_list: +- self.advanced_search_initialize(items) +- self.idle_func() +- +- elif label == "Installed": +- if self.installed_list == []: +- return +- for items in self.installed_list: +- self.advanced_search_initialize(items) +- self.idle_func() +- + def set_enforce_text(self, value): + if value: + self.status_bar.push(self.context_id, _("System Status: Enforcing")) +@@ -2608,8 +2561,14 @@ class SELinuxGui(): + self.current_status_permissive.set_active(True) + + def set_enforce(self, button): +- self.dbus.setenforce(button.get_active()) +- self.set_enforce_text(button.get_active()) ++ if not self.finish_init: ++ return ++ ++ try: ++ 
self.dbus.setenforce(button.get_active()) ++ self.set_enforce_text(button.get_active()) ++ except dbus.exceptions.DBusException as e: ++ self.error(e) + + def on_browse_select(self, *args): + filename = self.file_dialog.get_filename() +@@ -2669,16 +2628,22 @@ class SELinuxGui(): + self.system_policy_type_combobox.set_active(self.typeHistory) + return None + +- self.dbus.change_default_policy(self.combo_get_active_text(self.system_policy_type_combobox)) +- self.dbus.relabel_on_boot(True) +- self.typeHistory = self.system_policy_type_combobox.get_active() ++ try: ++ self.dbus.change_default_policy(self.combo_get_active_text(self.system_policy_type_combobox)) ++ self.dbus.relabel_on_boot(True) ++ self.typeHistory = self.system_policy_type_combobox.get_active() ++ except dbus.exceptions.DBusException as e: ++ self.error(e) + + def change_default_mode(self, button): + if not self.finish_init: + return + self.enabled_changed(button) + if button.get_active(): +- self.dbus.change_default_mode(button.get_label().lower()) ++ try: ++ self.dbus.change_default_mode(button.get_label().lower()) ++ except dbus.exceptions.DBusException as e: ++ self.error(e) + + def import_config_show(self, *args): + self.file_dialog.set_action(Gtk.FileChooserAction.OPEN) +@@ -2735,7 +2700,7 @@ class SELinuxGui(): + return + try: + self.dbus.relabel_on_boot(active) +- except dbus.exceptions.DBusException, e: ++ except dbus.exceptions.DBusException as e: + self.error(e) + + def closewindow(self, window, *args): +@@ -2821,10 +2786,13 @@ class SELinuxGui(): + if not self.finish_init: + return + self.wait_mouse() +- if self.enable_permissive_button.get_active(): +- self.dbus.semanage("module -e permissivedomains") +- else: +- self.dbus.semanage("module -d permissivedomains") ++ try: ++ if self.enable_permissive_button.get_active(): ++ self.dbus.semanage("module -e permissivedomains") ++ else: ++ self.dbus.semanage("module -d permissivedomains") ++ except dbus.exceptions.DBusException as e: ++ 
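Review bot: The new try block wraps `change_default_policy`, `relabel_on_boot` and the `self.typeHistory` update together, so if `relabel_on_boot` raises after the policy change has already been applied, `self.typeHistory` keeps the previous index and the guard path above (`set_active(self.typeHistory)`) will later revert the combobox to a type that is no longer the configured default. Record `self.typeHistory = self.system_policy_type_combobox.get_active()` immediately after `change_default_policy` succeeds, or make the error text say which of the two calls failed. The enclosing method starts outside the hunk.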
self.error(e) + self.ready_mouse() + + def confirmation_close(self, button, *args): +diff --git policycoreutils-2.5/sepolicy/sepolicy/interface.py policycoreutils-2.5/sepolicy/sepolicy/interface.py +index 69078b0..6c351ee 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/interface.py ++++ policycoreutils-2.5/sepolicy/sepolicy/interface.py +@@ -38,20 +38,24 @@ import gettext + gettext.bindtextdomain(PROGNAME, "/usr/share/locale") + gettext.textdomain(PROGNAME) + try: ++ gettext.install(PROGNAME, ++ unicode=True, ++ codeset='utf-8') ++except TypeError: ++ # Failover to python3 install + gettext.install(PROGNAME, + localedir="/usr/share/locale", +- unicode=False, + codeset='utf-8') + except IOError: +- import __builtin__ +- __builtin__.__dict__['_'] = unicode ++ import builtins ++ builtins.__dict__['_'] = unicode + + + def get_interfaces_from_xml(path): + """ Get all interfaces from given xml file""" + interfaces_list = [] + idict = get_interface_dict(path) +- for k in idict.keys(): ++ for k in list(idict.keys()): + interfaces_list.append(k) + return interfaces_list + +@@ -76,10 +80,10 @@ def get_admin(path=""): + try: + xml_path = get_xml_file(path) + idict = get_interface_dict(xml_path) +- for k in idict.keys(): ++ for k in list(idict.keys()): + if k.endswith("_admin"): + admin_list.append(k) +- except IOError, e: ++ except IOError as e: + sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) + sys.exit(1) + else: +@@ -98,11 +102,11 @@ def get_user(path=""): + try: + xml_path = get_xml_file(path) + idict = get_interface_dict(xml_path) +- for k in idict.keys(): ++ for k in list(idict.keys()): + if k.endswith("_role"): + if (("%s_exec_t" % k[:-5]) in sepolicy.get_all_types()): + trans_list.append(k) +- except IOError, e: ++ except IOError as e: + sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) + sys.exit(1) + else: +@@ -121,12 +125,19 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"): + global interface_dict + import os + 
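Review bot: `builtins.__dict__['_'] = unicode` pairs the Python 3 `builtins` module with the Python 2-only name `unicode`, so the IOError fallback raises NameError on Python 3; the generate.py and gui.py hunks of this same patch use `builtins.__dict__['_'] = str`, and this file should match them. The Python 3 failover here also keeps `localedir="/usr/share/locale"` while the other two files drop it — harmless given the `bindtextdomain` call above, but worth making consistent.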
import xml.etree.ElementTree ++ from sepolicy import get_all_modules, get_all_modules_from_mod_lst + if interface_dict: + return interface_dict + ++ active_modules = [] + interface_dict = {} + param_list = [] + ++ active_modules = get_all_modules_from_mod_lst() ++ if active_modules is None: ++ print((_("Using only non-base modules."))) ++ active_modules = get_all_modules() ++ + xml_path = """ + + +@@ -144,17 +155,18 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"): + tree = xml.etree.ElementTree.fromstring(xml_path) + for l in tree.findall("layer"): + for m in l.findall("module"): +- for i in m.getiterator('interface'): +- for e in i.findall("param"): +- param_list.append(e.get('name')) +- interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "interface"] +- param_list = [] +- for i in m.getiterator('template'): +- for e in i.findall("param"): +- param_list.append(e.get('name')) +- interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "template"] +- param_list = [] +- except IOError, e: ++ if m.get("name") in active_modules: ++ for i in m.getiterator('interface'): ++ for e in i.findall("param"): ++ param_list.append(e.get('name')) ++ interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "interface"] ++ param_list = [] ++ for i in m.getiterator('template'): ++ for e in i.findall("param"): ++ param_list.append(e.get('name')) ++ interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "template"] ++ param_list = [] ++ except IOError as e: + pass + return interface_dict + +@@ -167,7 +179,7 @@ def get_interface_format_text(interface, path="/usr/share/selinux/devel/policy.x + + + def get_interface_compile_format_text(interfaces_dict, interface): +- from templates import test_module ++ from .templates import test_module + param_tmp = [] + for i in interfaces_dict[interface][0]: + param_tmp.append(test_module.dict_values[i]) +@@ -177,7 +189,7 @@ def 
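Review bot: `if m.get("name") in active_modules:` tests membership in a list for every module of every layer, and in the `@@ -121` hunk just above `active_modules = []` is assigned and then immediately overwritten by `get_all_modules_from_mod_lst()`. Drop the dead initialiser and, after the `None` check, convert once with `active_modules = set(active_modules)` so the lookup in the loop is O(1). The header of `get_interface_dict` is outside the hunk.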
get_interface_compile_format_text(interfaces_dict, interface): + + + def generate_compile_te(interface, idict, name="compiletest"): +- from templates import test_module ++ from .templates import test_module + te = "" + te += re.sub("TEMPLATETYPE", name, test_module.te_test_module) + te += get_interface_compile_format_text(idict, interface) +@@ -188,41 +200,47 @@ def generate_compile_te(interface, idict, name="compiletest"): + def get_xml_file(if_file): + """ Returns xml format of interfaces for given .if policy file""" + import os +- import commands ++ import subprocess + basedir = os.path.dirname(if_file) + "/" + filename = os.path.basename(if_file).split(".")[0] +- rc, output = commands.getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename) +- if rc != 0: ++ try: ++ output = subprocess.check_output("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ return output ++ except subprocess.CalledProcessError as e: + sys.stderr.write("\n Could not proceed selected interface file.\n") +- sys.stderr.write("\n%s" % output) ++ sys.stderr.write(e.output) + sys.exit(1) +- else: +- return output + + + def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"): + exclude_interfaces = ["userdom", "kernel", "corenet", "files", "dev"] ++ exclude_interface_name = ["selinux_genbool"] + exclude_interface_type = ["template"] + +- import commands ++ import subprocess + import os + policy_files = {'pp': "compiletest.pp", 'te': "compiletest.te", 'fc': "compiletest.fc", 'if': "compiletest.if"} + idict = get_interface_dict(path) + +- if not (interface.split("_")[0] in exclude_interfaces or idict[interface][2] in exclude_interface_type): +- print(_("Compiling %s interface" % interface)) ++ if not (interface in exclude_interface_name or interface.split("_")[0] in exclude_interfaces or idict[interface][2] in 
exclude_interface_type): ++ print((_("Compiling %s interface" % interface))) + try: + fd = open(policy_files['te'], "w") + fd.write(generate_compile_te(interface, idict)) + fd.close() +- rc, output = commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp']) +- if rc != 0: +- sys.stderr.write(output) ++ try: ++ subprocess.check_output("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'], ++ stderr=subprocess.STDOUT, ++ shell=True) ++ except subprocess.CalledProcessError as e: + sys.stderr.write(_("\nCompile test for %s failed.\n") % interface) ++ sys.stderr.write(e.output) + +- except EnvironmentError, e: ++ except EnvironmentError as e: + sys.stderr.write(_("\nCompile test for %s has not run. %s\n") % (interface, e)) +- for v in policy_files.values(): ++ for v in list(policy_files.values()): + if os.path.exists(v): + os.remove(v) + +diff --git policycoreutils-2.5/sepolicy/sepolicy/manpage.py policycoreutils-2.5/sepolicy/sepolicy/manpage.py +index 7de2f80..5649b06 100755 +--- policycoreutils-2.5/sepolicy/sepolicy/manpage.py ++++ policycoreutils-2.5/sepolicy/sepolicy/manpage.py +@@ -29,14 +29,23 @@ import argparse + import selinux + import sepolicy + from sepolicy import * ++from sepolgen import util + +-import commands ++import subprocess + import sys + import os + import re + import time + +-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} ++ ++typealias_types = { ++ "antivirus_t": ("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"), ++ "cluster_t": ("rgmanager_t", "corosync_t", "aisexec_t", "pacemaker_t"), ++ "svirt_t": ("qemu_t"), ++ "httpd_t": ("phpfpm_t"), ++} ++ ++equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} + + equiv_dirs = ["/var"] + modules_dict = None 
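Review bot: `get_xml_file` still runs segenxml through `shell=True` with `basedir + filename` interpolated unquoted into the command string, so a `.if` path containing spaces or shell metacharacters is split or interpreted by the shell; the arguments are fixed, so an argv list needs no shell: `output = subprocess.check_output(["python", "/usr/share/selinux/devel/include/support/segenxml.py", "-w", "-m", basedir + filename], stderr=subprocess.STDOUT)`. In both new `except subprocess.CalledProcessError as e:` handlers — here and in `interface_compile_test` — `e.output` is bytes under Python 3, so `sys.stderr.write(e.output)` raises TypeError on the text stream; decode it first, e.g. `sys.stderr.write(e.output.decode("utf-8", "replace"))`, as the manpage.py hunk in this patch does with `util.decode_input`. The `make` call in `interface_compile_test` has constant arguments and could likewise be an argv list without `shell=True`.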
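Review bot: In `typealias_types`, `("qemu_t")` and `("phpfpm_t")` are parenthesized strings, not one-element tuples, so `for t in typealias_types[domain_type]` in the `@@ -524` hunk iterates over single characters and `t[:-2]` yields empty alias names. Write them as `"svirt_t": ("qemu_t",),` and `"httpd_t": ("phpfpm_t",),` to match the other two entries.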
+@@ -62,7 +71,7 @@ def gen_modules_dict(path="/usr/share/selinux/devel/policy.xml"): + name = "unconfined" + for b in m.findall("summary"): + modules_dict[name] = b.text +- except IOError, e: ++ except IOError as e: + pass + return modules_dict + +@@ -111,8 +120,8 @@ def gen_domains(): + for d in get_all_domains(): + found = False + domain = d[:-2] +-# if domain + "_exec_t" not in get_entrypoints(): +-# continue ++# if domain + "_exec_t" not in get_entrypoints(): ++# continue + if domain in domains: + continue + domains.append(domain) +@@ -149,9 +158,6 @@ def prettyprint(f, trim): + manpage_domains = [] + manpage_roles = [] + +-fedora_releases = ["Fedora17", "Fedora18"] +-rhel_releases = ["RHEL6", "RHEL7"] +- + + def get_alphabet_manpages(manpage_list): + alphabet_manpages = dict.fromkeys(string.ascii_letters, []) +@@ -167,16 +173,20 @@ def get_alphabet_manpages(manpage_list): + + + def convert_manpage_to_html(html_manpage, manpage): +- rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage) +- if rc == 0: +- print html_manpage, " has been created" +- fd = open(html_manpage, 'w') +- fd.write(output) +- fd.close() ++ try: ++ man_page = subprocess.check_output("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage, ++ stderr=subprocess.STDOUT, ++ shell=True) ++ except subprocess.CalledProcessError as e: ++ sys.stderr.write(util.decode_input(e.output)) ++ return ++ fd = open(html_manpage, 'wb') ++ fd.write(man_page) ++ fd.close() ++ print(html_manpage) + + + class HTMLManPages: +- + """ + Generate a HHTML Manpages on an given SELinux domains + """ +@@ -186,96 +196,50 @@ class HTMLManPages: + self.manpage_domains = get_alphabet_manpages(manpage_domains) + self.os_version = os_version + self.old_path = path + "/" +- self.new_path = self.old_path + self.os_version + "/" ++ self.new_path = self.old_path ++ ++ if self.os_version: + +- if self.os_version in fedora_releases or rhel_releases: + self.__gen_html_manpages() + else: +- 
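Review bot: `convert_manpage_to_html` builds a shell command with the man page path interpolated unquoted under `shell=True`, and the `2>/dev/null` inside the string discards groff's stderr before `stderr=subprocess.STDOUT` can capture it, so the `e.output` written on failure never carries the diagnostic. An argv list removes both problems: `man_page = subprocess.check_output(["/usr/bin/groff", "-man", "-Thtml", manpage], stderr=subprocess.STDOUT)`. If stderr is meant to stay quiet on success, pass `stderr=subprocess.DEVNULL` instead and drop the `e.output` write, since it would then be empty.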
print("SELinux HTML man pages can not be generated for this %s" % os_version) ++ print(("SELinux HTML man pages can not be generated for this %s" % os_version)) + exit(1) + + def __gen_html_manpages(self): + self._write_html_manpage() + self._gen_index() +- self._gen_body() + self._gen_css() + + def _write_html_manpage(self): + if not os.path.isdir(self.new_path): + os.mkdir(self.new_path) + +- for domain in self.manpage_domains.values(): ++ for domain in list(self.manpage_domains.values()): + if len(domain): + for d in domain: +- convert_manpage_to_html((self.new_path + d.split("_selinux")[0] + ".html"), self.old_path + d) ++ convert_manpage_to_html((self.new_path + d.rsplit("_selinux", 1)[0] + ".html"), self.old_path + d) + +- for role in self.manpage_roles.values(): ++ for role in list(self.manpage_roles.values()): + if len(role): + for r in role: +- convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r) ++ convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) + + def _gen_index(self): +- index = self.old_path + "index.html" +- fd = open(index, 'w') +- fd.write(""" +- +- +- +- SELinux man pages online +- +- +-

SELinux man pages

+-

+-Fedora or Red Hat Enterprise Linux Man Pages. +-

+-
+-

Fedora

+- +- +-
+-
+-
+-""")
+-        for f in fedora_releases:
+-            fd.write("""
+-%s - SELinux man pages for %s """  % (f, f, f, f))
+-
+-        fd.write("""
+-
+-
+-

RHEL

+- +- +-
+-
+-
+-""")
+-        for r in rhel_releases:
+-            fd.write("""
+-%s - SELinux man pages for %s """ % (r, r, r, r))
+-
+-        fd.write("""
+-
+- """) +- fd.close() +- print("%s has been created") % index +- +- def _gen_body(self): +- html = self.new_path + self.os_version + ".html" ++ html = self.new_path + "index.html" + fd = open(html, 'w') + fd.write(""" + + +- +- Linux man-pages online for Fedora18 ++ ++ SELinux man pages + + +-

SELinux man pages for Fedora18

++

SELinux man pages for %s

+
+ + +@@ -319,7 +283,7 @@ Fedora or Red Hat Enterprise Linux Man Pages. + if len(self.manpage_domains[letter]): + domainname_body += "

" + for r in self.manpage_domains[letter]: +- domainname = r.split("_selinux")[0] ++ domainname = r.rsplit("_selinux", 1)[0] + domainname_body += "%s_selinux(8) - Security Enhanced Linux Policy for the %s SELinux processes\n" % (letter, domainname, domainname, domainname) + + fd.write("""%s +@@ -329,7 +293,7 @@ Fedora or Red Hat Enterprise Linux Man Pages. + """ % domainname_body) + + fd.close() +- print("%s has been created") % html ++ print(("%s has been created") % html) + + def _gen_css(self): + style_css = self.old_path + "style.css" +@@ -343,9 +307,9 @@ html, body { + } + + h1, h2, h3, h4, h5, h5 { +- color: #2d7c0b; +- font-family: arial, sans-serif; +- margin-top: 25px; ++ color: #2d7c0b; ++ font-family: arial, sans-serif; ++ margin-top: 25px; + } + + a { +@@ -392,11 +356,10 @@ pre.code { + """) + + fd.close() +- print("%s has been created") % style_css ++ print(("%s has been created") % style_css) + + + class ManPage: +- + """ + Generate a Manpage on an SELinux domain in the specified path + """ +@@ -454,7 +417,7 @@ class ManPage: + self.__gen_man_page() + self.fd.close() + +- for k in equiv_dict.keys(): ++ for k in list(equiv_dict.keys()): + if k == self.domainname: + for alias in equiv_dict[k]: + self.__gen_man_page_link(alias) +@@ -506,6 +469,7 @@ class ManPage: + self._booleans() + + self._port_types() ++ self._mcs_types() + self._writes() + self._footer() + +@@ -514,9 +478,10 @@ class ManPage: + self.fd = open("%s/%s_selinux.8" % (self.path, alias), 'w') + self.fd.write(".so man8/%s_selinux.8" % self.domainname) + self.fd.close() +- print path ++ print(path) + + def __gen_man_page(self): ++ + self.anon_list = [] + + self.attributes = {} +@@ -524,11 +489,22 @@ class ManPage: + self._get_ptypes() + + for domain_type in self.ptypes: ++ try: ++ if typealias_types[domain_type]: ++ fd = self.fd ++ man_page_path = self.man_page_path ++ for t in typealias_types[domain_type]: ++ self._typealias_gen_man(t) ++ self.fd = fd ++ self.man_page_path = man_page_path 
++ except KeyError: ++ continue + self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] + + self._header() + self._entrypoints() + self._process_types() ++ self._mcs_types() + self._booleans() + self._nsswitch_domain() + self._port_types() +@@ -542,6 +518,34 @@ class ManPage: + if f.startswith(self.short_name) or f.startswith(self.domainname): + self.ptypes.append(f) + ++ def _typealias_gen_man(self, t): ++ self.man_page_path = "%s/%s_selinux.8" % (self.path, t[:-2]) ++ self.ports = [] ++ self.booltext = "" ++ self.fd = open(self.man_page_path, 'w') ++ self._typealias(t[:-2]) ++ self._footer() ++ self.fd.close() ++ ++ def _typealias(self, typealias): ++ self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"' ++ % {'typealias': typealias, 'date': time.strftime("%y-%m-%d")}) ++ self.fd.write(r""" ++.SH "NAME" ++%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes ++.SH "DESCRIPTION" ++ ++%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type (%(domainname)s_t). ++""" % {'typealias': typealias, 'domainname': self.domainname}) ++ ++ self.fd.write(r""" ++Please see ++ ++.B %(domainname)s_selinux ++ ++man page for more details. ++""" % {'domainname': self.domainname}) ++ + def _header(self): + self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' + % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) +@@ -601,7 +605,7 @@ SELinux policy is customizable based on least access required. 
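Review bot: The `except KeyError: continue` wrapped around the `typealias_types` lookup also skips the following `self.attributes[domain_type] = ...` line, so every domain type without an alias entry — the common case — is left out of `self.attributes`, which `_nsswitch_domain` in the `@@ -601` hunk later iterates. Replace `continue` with `pass`, or avoid the exception altogether with `for t in typealias_types.get(domain_type, ()):`, so the attributes assignment runs for all types. The enclosing `__gen_man_page` starts outside this hunk.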
%s policy is ext + nsswitch_types = [] + nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'kerberos_enabled'] + nsswitchbooltext = "" +- for k in self.attributes.keys(): ++ for k in list(self.attributes.keys()): + if "nsswitch_domain" in self.attributes[k]: + nsswitch_types.append(k) + +@@ -691,10 +695,13 @@ Default Defined Ports:""") + + def _file_context(self): + flist = [] ++ flist_non_exec = [] + mpaths = [] + for f in self.all_file_types: + if f.startswith(self.domainname): + flist.append(f) ++ if not file_type_is_executable(f) or not file_type_is_entrypoint(f): ++ flist_non_exec.append(f) + if f in self.fcdict: + mpaths = mpaths + self.fcdict[f]["regex"] + if len(mpaths) == 0: +@@ -746,19 +753,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d + .PP + """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1] }) + +- self.fd.write(r""" ++ if flist_non_exec: ++ self.fd.write(r""" + .PP + .B STANDARD FILE CONTEXT + + SELinux defines the file context types for the %(domainname)s, if you wanted to + store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. + +-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?' ++.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?' + .br + .B restorecon -R -v /srv/my%(domainname)s_content + + Note: SELinux often uses regular expressions to specify labels that match multiple files. 
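Review bot: `if not file_type_is_executable(f) or not file_type_is_entrypoint(f):` is true for any type that is not both executable and an entrypoint, so executable types that merely lack an entrypoint rule land in `flist_non_exec`, contradicting the name and the STANDARD FILE CONTEXT example in the `@@ -746` hunk that takes `flist_non_exec[-1]`. If the intent is "neither executable nor entrypoint", it should read `if not (file_type_is_executable(f) or file_type_is_entrypoint(f)):`. The rest of `_file_context` is outside the hunk.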
+-""" % {'domainname': self.domainname, "type": flist[0] }) ++""" % {'domainname': self.domainname, "type": flist_non_exec[-1] }) + + self.fd.write(r""" + .I The following file types are defined for %(domainname)s: +@@ -895,7 +903,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) + + def _entrypoints(self): + try: +- entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})) ++ entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class':'file'})] + except: + return + +@@ -911,7 +919,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) + The %s_t SELinux type can be entered via the %s. + + The default entrypoint paths for the %s_t domain are the following: +-""" % (self.domainname, entrypoints_str, self.domainname)) ++""" % (self.domainname, entrypoints_str, self.domainname)) + if "bin_t" in entrypoints: + entrypoints.remove("bin_t") + self.fd.write (""" +@@ -925,6 +933,17 @@ All executeables with the default executable label, usually stored in /usr/bin a + self.fd.write(""" + %s""" % ", ".join(paths)) + ++ def _mcs_types(self): ++ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] ++ if "mcs_constrained_type" not in attributes: ++ return ++ self.fd.write (""" ++.SH "MCS Constrained" ++The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group. ++ ++For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. 
The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4 ++""" % {'type': self.domainname}) ++ + def _writes(self): + permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) + if permlist == None or len(permlist) == 0: +@@ -948,7 +967,7 @@ All executeables with the default executable label, usually stored in /usr/bin a + """) + self.fd.write (""" + The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. +-""" % self.domainname) ++""" % self.domainname) + + all_writes.sort() + if "file_type" in all_writes: +@@ -1013,7 +1032,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo + + .B $ semanage login -a -s %(user)s_u joe + +-""" % {'user': self.domainname}) ++""" % {'user': self.domainname}) + + def _can_sudo(self): + sudotype = "%s_sudo_t" % self.domainname +@@ -1161,7 +1180,7 @@ Three things can happen when %(type)s attempts to execute a program. 
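Review bot: The paragraph emitted by `_mcs_types` reads "The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0", a doubled "only … can only" that ends up in every generated man page. Suggest "The SELinux kernel only allows these processes to write to content with a matching MCS label, or an MCS label of s0." and a closing period on the last sentence of the block. The method is complete within the hunk.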
+ + Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: + +-.B search -A -s %(type)s -c file -p execute_no_trans ++.B sesearch -A -s %(type)s -c file -p execute_no_trans + + .TP + +@@ -1169,9 +1188,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut + + Execute the following to see the types that the SELinux user %(type)s can execute and transition: + +-.B $ search -A -s %(type)s -c process -p transition ++.B $ sesearch -A -s %(type)s -c process -p transition + +-""" % {'user': self.domainname, 'type': self.type}) ++""" % {'user': self.domainname, 'type': self.type}) + + def _role_header(self): + self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"' +@@ -1233,7 +1252,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use + SELinux policy also controls which roles can transition to a different role. + You can list these rules using the following command. + +-.B search --role_allow ++.B sesearch --role_allow + + SELinux policy allows the %s role%s can transition to the %s_r role. 
+ +diff --git policycoreutils-2.5/sepolicy/sepolicy/network.py policycoreutils-2.5/sepolicy/sepolicy/network.py +index 1ca3158..ccaeff3 100755 +--- policycoreutils-2.5/sepolicy/sepolicy/network.py ++++ policycoreutils-2.5/sepolicy/sepolicy/network.py +@@ -25,20 +25,22 @@ search = sepolicy.search + info = sepolicy.info + + +-def get_types(src, tclass, perm): ++def get_types(src, tclass, perm, check_bools=False): + allows = search([sepolicy.ALLOW], {sepolicy.SOURCE: src, sepolicy.CLASS: tclass, sepolicy.PERMS: perm}) + nlist = [] + if allows: +- for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): ++ for i in [y[sepolicy.TARGET] for y in ++ [x for x in allows ++ if set(perm).issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"])]]: + if i not in nlist: + nlist.append(i) + return nlist + + +-def get_network_connect(src, protocol, perm): ++def get_network_connect(src, protocol, perm, check_bools=False): + portrecs, portrecsbynum = sepolicy.gen_port_dict() + d = {} +- tlist = get_types(src, "%s_socket" % protocol, [perm]) ++ tlist = get_types(src, "%s_socket" % protocol, [perm], check_bools) + if len(tlist) > 0: + d[(src, protocol, perm)] = [] + for i in tlist: +diff --git policycoreutils-2.5/sepolicy/sepolicy/sedbus.py policycoreutils-2.5/sepolicy/sepolicy/sedbus.py +index 6055294..831d775 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/sedbus.py ++++ policycoreutils-2.5/sepolicy/sepolicy/sedbus.py +@@ -56,5 +56,5 @@ if __name__ == "__main__": + dbus_proxy = SELinuxDBus() + resp = dbus_proxy.setenforce(int(sys.argv[1])) + print (resp) +- except dbus.DBusException, e: +- print e ++ except dbus.DBusException as e: ++ print (e) +diff --git policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade +index 1275c7f..83822dd 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade ++++ policycoreutils-2.5/sepolicy/sepolicy/sepolicy.glade +@@ -2,7 +2,7 @@ 
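Review bot: The nested comprehension in `get_types` — a list comprehension iterating another list comprehension — materializes an intermediate list and reads harder than the `map`/`filter` chain it replaces; one generator says the same thing: `for i in (x[sepolicy.TARGET] for x in allows if wanted.issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"])):` with `wanted = set(perm)` hoisted above the loop. The `if i not in nlist` de-duplication is quadratic in the number of matching rules; a seen-set keeps the order and drops that cost. `x["enabled"]` is presumably present on every rule `search` returns — worth confirming, since it is only read when `check_bools` is set.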
+ + + +- ++ + + + +@@ -82,7 +82,7 @@ + + + +- ++ + + + True +@@ -225,7 +225,7 @@ + + + +- Advanced_search_liststore ++ application_liststore + + + advanced_filter +@@ -256,24 +256,6 @@ + + application_files_filter + +- +- +- +- +- +- +- +- application_liststore +- +- +- application_filter +- +- +- +- +- +- +- + + + +@@ -473,7 +455,7 @@ + False + 0 + 10 +- Add file Equivilence Mapping. Mapping will be created when Update is applied. ++ Add file Equivalence Mapping. Mapping will be created when Update is applied. + fill + True + +@@ -823,7 +805,7 @@ + True + True + False +- Select Make Path Recursive iff you want to apply this label to all children of the specified directory path. objects under the directory to have this label. ++ Select Make Path Recursive if you want to apply this label to all children of the specified directory path. objects under the directory to have this label. + 0.5 + True + +@@ -1061,7 +1043,7 @@ + + True + False +- images/booleans.png ++ help/booleans.png + + + False +@@ -2948,7 +2930,7 @@ Enabled + Executables which will transition to a different domain, when the 'selected domain' executes them. + 1 + 1 +- Applicaton Transitions From 'select domain' ++ Application Transitions From 'select domain' + + + 1 +@@ -4328,46 +4310,7 @@ allow alternative access control. + 0 + + +- +- +- All +- True +- True +- False +- 0.5 +- True +- True +- +- +- +- True +- True +- 1 +- +- +- +- +- Installed +- True +- True +- False +- 0.5 +- True +- All_advanced_button +- +- +- +- True +- True +- 2 +- +- + +- +- False +- True +- 0 +- + + + +@@ -4377,7 +4320,6 @@ allow alternative access control. + + True + True +- advanced_sort + False + + +@@ -4788,7 +4730,7 @@ allow alternative access control. + False + 0 + 10 +- Select file equivalence labeling to delete.File equivalence labeling will be deleted when update is applied. ++ Select file equivalence labeling to delete. File equivalence labeling will be deleted when update is applied. 
+ fill + True + +diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py +index dcf445e..b0ee119 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py ++++ policycoreutils-2.5/sepolicy/sepolicy/templates/etc_rw.py +@@ -137,3 +137,7 @@ FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0) + fc_dir="""\ + FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0) + """ ++ ++fc_sock_file="""\ ++FILENAME -s gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0) ++""" +diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py +index 4b9534d..f267993 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py ++++ policycoreutils-2.5/sepolicy/sepolicy/templates/executable.py +@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles; + type TEMPLATETYPE_t; + type TEMPLATETYPE_exec_t; + application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) ++role TEMPLATETYPE_roles types TEMPLATETYPE_t; + + permissive TEMPLATETYPE_t; + """ +@@ -219,7 +220,7 @@ if_program_rules=""" + + ######################################## + ## +-## Execute TEMPLATE in the TEMPLATETYPE domin. ++## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain. + ## + ## + ## +@@ -235,6 +236,25 @@ interface(`TEMPLATETYPE_domtrans',` + corecmd_search_bin($1) + domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t) + ') ++ ++###################################### ++## ++## Execute TEMPLATETYPE in the caller domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`TEMPLATETYPE_exec',` ++ gen_require(` ++ type TEMPLATETYPE_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, TEMPLATETYPE_exec_t) ++') + """ + + if_user_program_rules=""" +@@ -418,8 +438,12 @@ interface(`TEMPLATETYPE_admin',` + if_middle_admin=""" + ') + +- allow $1 TEMPLATETYPE_t:process { ptrace signal_perms }; ++ allow $1 TEMPLATETYPE_t:process { signal_perms }; + ps_process_pattern($1, TEMPLATETYPE_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 TEMPLATETYPE_t:process ptrace; ++ ') + """ + + if_initscript_admin_types=""" +diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py +index 16a2208..d8ee42f 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py ++++ policycoreutils-2.5/sepolicy/sepolicy/templates/spec.py +@@ -39,7 +39,7 @@ install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ + install -d %{buildroot}%{_mandir}/man8/ + install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/DOMAINNAME_selinux.8 + install -d %{buildroot}/etc/selinux/targeted/contexts/users/ +-install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u ++install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u + + %post + semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp +@@ -65,7 +65,7 @@ exit 0 + %attr(0600,root,root) %{_datadir}/selinux/packages/MODULENAME.pp + %{_datadir}/selinux/devel/include/contrib/MODULENAME.if + %{_mandir}/man8/DOMAINNAME_selinux.8.* +-/etc/selinux/targeted/contexts/users/DOMAINNAME_u ++/etc/selinux/targeted/contexts/users/DOMAINNAME_u + + %changelog + * TODAYSDATE YOUR NAME 1.0-1 +diff --git policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py +index 893a204..3a3faa6 100644 +--- policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py ++++ 
policycoreutils-2.5/sepolicy/sepolicy/templates/test_module.py +@@ -111,7 +111,7 @@ role sepolicy_r; + role sepolicy_source_r; + role sepolicy_target_r; + +-################################# ++################################# + # + # Local policy + # +diff --git policycoreutils-2.5/sepolicy/sepolicy/transition.py policycoreutils-2.5/sepolicy/sepolicy/transition.py +index 15b0eb1..a8edb69 100755 +--- policycoreutils-2.5/sepolicy/sepolicy/transition.py ++++ policycoreutils-2.5/sepolicy/sepolicy/transition.py +@@ -81,4 +81,4 @@ class setrans: + + def output(self): + self.seen = [] +- print self.out(self.source) ++ print(self.out(self.source)) +diff --git policycoreutils-2.5/sepolicy/setup.py policycoreutils-2.5/sepolicy/setup.py +index e74e68d..096ce1f 100644 +--- policycoreutils-2.5/sepolicy/setup.py ++++ policycoreutils-2.5/sepolicy/setup.py +@@ -4,7 +4,7 @@ + # Author: Dan Walsh + import os + from distutils.core import setup, Extension +-policy = Extension("sepolicy._policy", ++policy = Extension("sepolicy.policy", + libraries=["apol", "qpol"], + sources=["policy.c", "info.c", "search.c"] + ) +diff --git policycoreutils-2.5/sepolicy/test_sepolicy.py policycoreutils-2.5/sepolicy/test_sepolicy.py +index e7bad44..9c8f21c 100644 +--- policycoreutils-2.5/sepolicy/test_sepolicy.py ++++ policycoreutils-2.5/sepolicy/test_sepolicy.py +@@ -8,26 +8,26 @@ from subprocess import Popen, PIPE + class SepolicyTests(unittest.TestCase): + + def assertDenied(self, err): +- self.assert_('Permission denied' in err, +- '"Permission denied" not found in %r' % err) ++ self.assertTrue('Permission denied' in err, ++ '"Permission denied" not found in %r' % err) + + def assertNotFound(self, err): +- self.assert_('not found' in err, +- '"not found" not found in %r' % err) ++ self.assertTrue('not found' in err, ++ '"not found" not found in %r' % err) + + def assertFailure(self, status): +- self.assert_(status != 0, +- '"Succeeded when it should have failed') ++ self.assertTrue(status != 0, ++ 
'"Succeeded when it should have failed') + + def assertSuccess(self, status, err): +- self.assert_(status == 0, +- '"sepolicy should have succeeded for this test %r' % err) ++ self.assertTrue(status == 0, ++ '"sepolicy should have succeeded for this test %r' % err) + + def test_man_domain(self): + "Verify sepolicy manpage -d works" + p = Popen(['sepolicy', 'manpage', '-d', 'httpd_t'], stdout=PIPE) + out, err = p.communicate() +- print out, err ++ print(out, err) + self.assertSuccess(p.returncode, err) + + def test_man_all(self): +@@ -119,4 +119,4 @@ if __name__ == "__main__": + if selinux.security_getenforce() == 1: + unittest.main() + else: +- print "SELinux must be in enforcing mode for this test" ++ print("SELinux must be in enforcing mode for this test") +diff --git policycoreutils-2.5/setfiles/restore.c policycoreutils-2.5/setfiles/restore.c +index 2a7cfa3..1cc6a64 100644 +--- policycoreutils-2.5/setfiles/restore.c ++++ policycoreutils-2.5/setfiles/restore.c +@@ -118,7 +118,7 @@ static int restore(FTSENT *ftsent, int recurse) + r_opts->count++; + if (r_opts->count % STAR_COUNT == 0) { + if (r_opts->progress == 1) { +- fprintf(stdout, "\r%luk", (size_t) r_opts->count / STAR_COUNT ); ++ fprintf(stdout, "\r%zuk", (size_t) r_opts->count / STAR_COUNT ); + } else { + if (r_opts->nfile > 0) { + progress = (r_opts->count < r_opts->nfile) ? (100.0 * r_opts->count / r_opts->nfile) : 100; +@@ -160,6 +160,9 @@ static int restore(FTSENT *ftsent, int recurse) + /* Get the current context of the file. 
*/ + ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon); + if (ret < 0) { ++ if (errno == ENOENT) { ++ goto out; ++ } + if (errno == ENODATA) { + curcon = NULL; + } else { +@@ -404,19 +407,18 @@ int process_one_realpath(char *name, int recurse) + "Must call initialize first!"); + return -1; + } ++ rc = lstat64(name, &sb); ++ if (rc < 0) { ++ if (r_opts->ignore_enoent && errno == ENOENT) ++ return 0; ++ fprintf(stderr, "%s: lstat(%s) failed: %s\n", ++ r_opts->progname, name, strerror(errno)); ++ return -1; ++ } + + if (!r_opts->expand_realpath) { + return process_one(name, recurse); + } else { +- rc = lstat64(name, &sb); +- if (rc < 0) { +- if (r_opts->ignore_enoent && errno == ENOENT) +- return 0; +- fprintf(stderr, "%s: lstat(%s) failed: %s\n", +- r_opts->progname, name, strerror(errno)); +- return -1; +- } +- + if (S_ISLNK(sb.st_mode)) { + char path[PATH_MAX + 1]; + +diff --git policycoreutils-2.5/setfiles/restorecon.8 policycoreutils-2.5/setfiles/restorecon.8 +index 900def5..54dd1db 100644 +--- policycoreutils-2.5/setfiles/restorecon.8 ++++ policycoreutils-2.5/setfiles/restorecon.8 +@@ -27,6 +27,12 @@ context to the file object's extended attributes. If a file object has a + context, restorecon will only modify the type portion of the security context. + The \-F option will force a replacement of the entire context. + .P ++If a file is labeled with ++.BR customizable ++SELinux type (for list of customizable ++types see /etc/selinux/{SELINUXTYPE}/contexts/customizable_types), restorecon ++won't reset the label unless the \-F option is used. ++.P + It is the same executable as + .BR setfiles + but operates in a slightly different manner depending on its argv[0]. +@@ -64,7 +70,11 @@ change files and directories file labels recursively (descend directories). + .B Note: restorecon reports warnings on paths without default labels only if called non-recursively or in verbose mode. + .TP + .B \-v +-show changes in file labels, if type or role are going to be changed. 
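Review bot: The new `if (errno == ENOENT) { goto out; }` after `lgetfilecon_raw` skips a vanished file unconditionally and silently, whereas `process_one_realpath` in the `@@ -404` hunk tolerates ENOENT only when `r_opts->ignore_enoent` is set and otherwise reports `lstat(%s) failed`. Consider the same gate here, or at least a message under `r_opts->verbose`, so a file that disappears mid-walk is distinguishable from one that was never there. The `out` label and the start of `restore()` are outside the hunk, so whether any per-entry bookkeeping is bypassed by the jump cannot be checked from here.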
++show changes in file labels, if type or role are going to be changed. Multiple -v options increase the verbosity. Note that the ++.B \-v ++and ++.B \-p ++options are mutually exclusive. + .TP + .B \-0 + the separator for the input items is assumed to be the null character +@@ -94,4 +104,5 @@ The program was written by Dan Walsh . + .SH "SEE ALSO" + .BR setfiles (8), + .BR load_policy (8), +-.BR checkpolicy (8) ++.BR checkpolicy (8), ++.BR customizable_types (5) +diff --git policycoreutils-2.5/setfiles/setfiles.8 policycoreutils-2.5/setfiles/setfiles.8 +index 57067d2..2ec9618 100644 +--- policycoreutils-2.5/setfiles/setfiles.8 ++++ policycoreutils-2.5/setfiles/setfiles.8 +@@ -31,7 +31,7 @@ check the validity of the contexts against the specified binary policy. + .TP + .B \-d + show what specification matched each file (do not abort validation +-after ABORT_ON_ERRORS errors). ++after ABORT_ON_ERRORS errors). Not affected by "\-q" + .TP + .B \-e directory + directory to exclude (repeat option for more than one directory). +diff --git policycoreutils-2.5/setfiles/setfiles.c policycoreutils-2.5/setfiles/setfiles.c +index 9ac3ebd..e39b500 100644 +--- policycoreutils-2.5/setfiles/setfiles.c ++++ policycoreutils-2.5/setfiles/setfiles.c +@@ -230,6 +230,11 @@ int main(int argc, char **argv) + /* This must happen before getopt. */ + r_opts.nfile = exclude_non_seclabel_mounts(); + ++ if (iamrestorecon) ++ opts = ropts; ++ else ++ opts = sopts; ++ + /* Process any options. */ + while ((opt = getopt(argc, argv, opts)) > 0) { + switch (opt) { +@@ -337,7 +342,7 @@ int main(int argc, char **argv) + if (r_opts.progress) { + fprintf(stderr, + "Progress and Verbose mutually exclusive\n"); +- exit(-1); ++ usage(argv[0]); + } + r_opts.verbose++; + break; diff --git a/SOURCES/sepolgen-rhel.patch b/SOURCES/sepolgen-rhel.patch new file mode 100644 index 0000000..59676b4 --- /dev/null +++ b/SOURCES/sepolgen-rhel.patch 
@@ -0,0 +1,417 @@
+diff --git sepolgen-1.2.3/ChangeLog sepolgen-1.2.3/ChangeLog
+index 7cc0a18..bda7a2e 100644
+--- sepolgen-1.2.3/ChangeLog
++++ sepolgen-1.2.3/ChangeLog
+@@ -1,3 +1,6 @@
++ * Remove additional files when cleaning, from Nicolas Iooss.
++ * Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
++
+ 1.2.3 2016-02-23
+ * Support latest refpolicy interfaces, from Nicolas Iooss.
+ * Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss.
+diff --git sepolgen-1.2.3/src/sepolgen/Makefile sepolgen-1.2.3/src/sepolgen/Makefile
+index 9ac7651..d3aa771 100644
+--- sepolgen-1.2.3/src/sepolgen/Makefile
++++ sepolgen-1.2.3/src/sepolgen/Makefile
+@@ -11,5 +11,4 @@ install: all
+ clean:
+ rm -f parser.out parsetab.py
+ rm -f *~ *.pyc
+-
+-
++ rm -rf __pycache__
+diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py
+index a5d8698..7606561 100644
+--- sepolgen-1.2.3/src/sepolgen/access.py
++++ sepolgen-1.2.3/src/sepolgen/access.py
+@@ -90,6 +90,8 @@ class AccessVector(util.Comparison):
+ self.audit_msgs = []
+ self.type = audit2why.TERULE
+ self.data = []
++ self.obj_path = None
++ self.base_type = None
+ # when implementing __eq__ also __hash__ is needed on py2
+ # if object is muttable __hash__ should be None
+ self.__hash__ = None
+@@ -138,6 +140,29 @@ class AccessVector(util.Comparison):
+ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
+ self.obj_class, self.perms.to_space_str())
+ 
++ def base_file_type(self):
++ base_type_array = []
++ base_type_array = [self.base_type, self.tgt_type, self.src_type]
++ return base_type_array
++
++ def __cmp__(self, other):
++ if self.src_type != other.src_type:
++ return cmp(self.src_type, other.src_type)
++ if self.tgt_type != other.tgt_type:
++ return cmp(self.tgt_type, other.tgt_type)
++ if self.obj_class != self.obj_class:
++ return cmp(self.obj_class, other.obj_class)
++ if len(self.perms) != len(other.perms):
++ return cmp(len(self.perms), len(other.perms))
++ x = list(self.perms)
++ x.sort()
++ y = list(other.perms)
++ y.sort()
++ for pa, pb in zip(x, y):
++ if pa != pb:
++ return cmp(pa, pb)
++ return 0
++
+ def _compare(self, other, method):
+ try:
+ x = list(self.perms)
+@@ -257,7 +282,8 @@ class AccessVectorSet:
+ for av in l:
+ self.add_av(AccessVector(av))
+ 
+- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
++ def add(self, src_type, tgt_type, obj_class, perms, obj_path=None,
++ base_type=None, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
+ """Add an access vector to the set.
+ """
+ tgt = self.src.setdefault(src_type, { })
+@@ -270,7 +296,9 @@ class AccessVectorSet:
+ access.src_type = src_type
+ access.tgt_type = tgt_type
+ access.obj_class = obj_class
++ access.obj_path = obj_path
+ access.data = data
++ access.base_type = base_type
+ access.type = avc_type
+ cls[obj_class, avc_type] = access
+ 
+diff --git sepolgen-1.2.3/src/sepolgen/audit.py sepolgen-1.2.3/src/sepolgen/audit.py
+index 724d3ea..ef1f6cc 100644
+--- sepolgen-1.2.3/src/sepolgen/audit.py
++++ sepolgen-1.2.3/src/sepolgen/audit.py
+@@ -176,6 +176,7 @@ class AVCMessage(AuditMessage):
+ self.exe = ""
+ self.path = ""
+ self.name = ""
++ self.ino = ""
+ self.accesses = []
+ self.denial = True
+ self.type = audit2why.TERULE
+@@ -237,6 +238,10 @@ class AVCMessage(AuditMessage):
+ self.exe = fields[1][1:-1]
+ elif fields[0] == "name":
+ self.name = fields[1][1:-1]
++ elif fields[0] == "path":
++ self.path = fields[1][1:-1]
++ elif fields[0] == "ino":
++ self.ino = fields[1]
+ 
+ if not found_src or not found_tgt or not found_class or not found_access:
+ raise ValueError("AVC message in invalid format [%s]\n" % self.message)
+@@ -361,7 +366,9 @@ class AuditParser:
+ self.path_msgs = []
+ self.by_header = { }
+ self.check_input_file = False
+-
++ self.inode_dict = { }
++ self.__store_base_types()
++
+ # Low-level parsing function - tries to determine if this audit
+ # message is an SELinux related message and then parses it into
+ # the appropriate AuditMessage subclass. This function deliberately
+@@ -376,7 +383,9 @@ class AuditParser:
+ # AuditMessage (or subclass) - object representing a parsed
+ # and valid audit message.
+ def __parse_line(self, line):
+- rec = line.split()
++ # strip("\x1c\x1d\x1e\x85") is only needed for python2
++ # since str.split() in python3 already does this
++ rec = [x.strip("\x1c\x1d\x1e\x85") for x in line.split()]
+ for i in rec:
+ found = False
+ if i == "avc:" or i == "message=avc:" or i == "msg='avc:":
+@@ -499,6 +508,61 @@ class AuditParser:
+ 
+ return role_types
+ 
++ def __restore_path(self, name, inode):
++ import subprocess
++ import os
++ path = ""
++ # Optimizing
++ if name == "" or inode == "":
++ return path
++ for d in self.inode_dict:
++ if d == inode and self.inode_dict[d] == name:
++ return path
++ if d == inode and self.inode_dict[d] != name:
++ return self.inode_dict[d]
++ if inode not in self.inode_dict.keys():
++ self.inode_dict[inode] = name
++
++ command = "locate -b '\%s'" % name
++ try:
++ output = subprocess.check_output(command,
++ stderr=subprocess.STDOUT,
++ shell=True,
++ universal_newlines=True)
++ try:
++ ino = int(inode)
++ except ValueError:
++ pass
++ for file in output.split("\n"):
++ try:
++ if int(os.lstat(file).st_ino) == ino:
++ self.inode_dict[inode] = path = file
++ return path
++ except:
++ pass
++ except subprocess.CalledProcessError as e:
++ pass
++ return path
++
++ def __store_base_types(self):
++ import sepolicy
++ self.base_types = sepolicy.get_types_from_attribute("base_file_type")
++
++ def __get_base_type(self, tcontext, scontext):
++ import sepolicy
++ # Prevent unnecessary searching
++ if (self.old_scontext == scontext and
++ self.old_tcontext == tcontext):
++ return
++ self.old_scontext = scontext
++ self.old_tcontext = tcontext
++ for btype in self.base_types:
++ if btype == tcontext:
++ for writable in sepolicy.get_writable_files(scontext):
++ if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
++ return writable
++ return 0
++
+ def to_access(self, avc_filter=None, only_denials=True):
+ """Convert the audit logs access into a an access vector set.
+ 
+@@ -517,16 +581,23 @@ class AuditParser:
+ audit logs parsed by this object.
+ """
+ av_set = access.AccessVectorSet()
++ self.old_scontext = ""
++ self.old_tcontext = ""
+ for avc in self.avc_msgs:
+ if avc.denial != True and only_denials:
+ continue
++ base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type)
++ if avc.path == "":
++ avc.path = self.__restore_path(avc.name, avc.ino)
+ if avc_filter:
+ if avc_filter.filter(avc):
+ av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+- avc.accesses, avc, avc_type=avc.type, data=avc.data)
++ avc.accesses, avc.path, base_type, avc,
++ avc_type=avc.type, data=avc.data)
+ else:
+ av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+- avc.accesses, avc, avc_type=avc.type, data=avc.data)
++ avc.accesses, avc.path, base_type, avc,
++ avc_type=avc.type, data=avc.data)
+ return av_set
+ 
+ class AVCTypeFilter:
+diff --git sepolgen-1.2.3/src/sepolgen/policygen.py sepolgen-1.2.3/src/sepolgen/policygen.py
+index 34c8401..f374132 100644
+--- sepolgen-1.2.3/src/sepolgen/policygen.py
++++ sepolgen-1.2.3/src/sepolgen/policygen.py
+@@ -82,8 +82,9 @@ class PolicyGenerator:
+ self.module = refpolicy.Module()
+ 
+ self.dontaudit = False
+-
++ self.mislabled = None
+ self.domains = None
++
+ def set_gen_refpol(self, if_set=None, perm_maps=None):
+ """Set whether reference policy interfaces are generated.
+ 
+@@ -153,6 +154,18 @@ class PolicyGenerator:
+ """Return the generated module"""
+ return self.module
+ 
++ def __restore_label(self, av):
++ import selinux
++ try:
++ context = selinux.matchpathcon(av.obj_path, 0)
++ split = context[1].split(":")[2]
++ if split != av.tgt_type:
++ self.mislabled = split
++ return
++ except OSError:
++ pass
++ self.mislabled = None
++
+ def __add_allow_rules(self, avs):
+ for av in avs:
+ rule = refpolicy.AVRule(av)
+@@ -161,6 +174,34 @@ class PolicyGenerator:
+ rule.comment = ""
+ if self.explain:
+ rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
++ # base_type[0] == 0 means there exists a base type but not the path
++ # base_type[0] == None means user isn't using base type
++ # base_type[1] contains the target context
++ # base_type[2] contains the source type
++ base_type = av.base_file_type()
++ if base_type[0] == 0 and av.type != audit2why.ALLOW:
++ rule.comment += "\n#!!!! WARNING: '%s' is a base type." % "".join(base_type[1])
++ for perm in av.perms:
++ if perm == "write" or perm == "create":
++ permission = True
++ break
++ else:
++ permission = False
++
++ # Catch perms 'write' and 'create' for base types
++ if (base_type[0] is not None and base_type[0] != 0
++ and permission and av.type != audit2why.ALLOW):
++ if av.obj_class == dir:
++ comp = "(/.*?)"
++ else:
++ comp = ""
++ rule.comment += "\n#!!!! WARNING '%s' is not allowed to write or create to %s. Change the label to %s." % ("".join(base_type[2]), "".join(base_type[1]), "".join(base_type[0]))
++ if av.obj_path != "":
++ rule.comment += "\n#!!!! $ semanage fcontext -a -t %s %s%s \n#!!!! $ restorecon -R -v %s" % ("".join(base_type[0]), "".join(av.obj_path), "".join(comp) ,"".join(av.obj_path))
++
++ self.__restore_label(av)
++ if self.mislabled is not None and av.type != audit2why.ALLOW:
++ rule.comment += "\n#!!!! The file '%s' is mislabeled on your system. \n#!!!! Fix with $ restorecon -R -v %s" % ("".join(av.obj_path), "".join(av.obj_path))
+ if av.type == audit2why.ALLOW:
+ rule.comment += "\n#!!!! This avc is allowed in the current policy"
+ if av.type == audit2why.DONTAUDIT:
+diff --git sepolgen-1.2.3/src/sepolgen/refparser.py sepolgen-1.2.3/src/sepolgen/refparser.py
+index 9b1d0c8..2cef8e8 100644
+--- sepolgen-1.2.3/src/sepolgen/refparser.py
++++ sepolgen-1.2.3/src/sepolgen/refparser.py
+@@ -113,6 +113,7 @@ tokens = (
+ 'AUDITALLOW',
+ 'NEVERALLOW',
+ 'PERMISSIVE',
++ 'TYPEBOUNDS',
+ 'TYPE_TRANSITION',
+ 'TYPE_CHANGE',
+ 'TYPE_MEMBER',
+@@ -178,6 +179,7 @@ reserved = {
+ 'auditallow' : 'AUDITALLOW',
+ 'neverallow' : 'NEVERALLOW',
+ 'permissive' : 'PERMISSIVE',
++ 'typebounds' : 'TYPEBOUNDS',
+ 'type_transition' : 'TYPE_TRANSITION',
+ 'type_change' : 'TYPE_CHANGE',
+ 'type_member' : 'TYPE_MEMBER',
+@@ -502,6 +504,7 @@ def p_policy_stmt(p):
+ '''policy_stmt : gen_require
+ | avrule_def
+ | typerule_def
++ | typebound_def
+ | typeattribute_def
+ | roleattribute_def
+ | interface_call
+@@ -823,6 +826,13 @@ def p_typerule_def(p):
+ t.file_name = p[7]
+ p[0] = t
+ 
++def p_typebound_def(p):
++ '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
++ t = refpolicy.TypeBound()
++ t.type = p[2]
++ t.tgt_types.update(p[3])
++ p[0] = t
++
+ def p_bool(p):
+ '''bool : BOOL IDENTIFIER TRUE SEMI
+ | BOOL IDENTIFIER FALSE SEMI'''
+diff --git sepolgen-1.2.3/src/sepolgen/refpolicy.py sepolgen-1.2.3/src/sepolgen/refpolicy.py
+index 31b40d8..352b187 100644
+--- sepolgen-1.2.3/src/sepolgen/refpolicy.py
++++ sepolgen-1.2.3/src/sepolgen/refpolicy.py
+@@ -112,6 +112,9 @@ class Node(PolicyBase):
+ def typerules(self):
+ return filter(lambda x: isinstance(x, TypeRule), walktree(self))
+ 
++ def typebounds(self):
++ return filter(lambda x: isinstance(x, TypeBound), walktree(self))
++
+ def typeattributes(self):
+ """Iterate over all of the TypeAttribute children of this Interface."""
+ return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
+@@ -281,6 +284,11 @@ class SecurityContext(Leaf):
+ 
+ Raises ValueError if the string is not parsable as a security context.
+ """
++ # try to translate the context string to raw form
++ raw = selinux.selinux_trans_to_raw_context(context)
++ if raw[0] == 0:
++ context = raw[1]
++
+ fields = context.split(":")
+ if len(fields) < 3:
+ raise ValueError("context string [%s] not in a valid format" % context)
+@@ -522,6 +530,19 @@ class TypeRule(Leaf):
+ self.tgt_types.to_space_str(),
+ self.obj_classes.to_space_str(),
+ self.dest_type)
++class TypeBound(Leaf):
++ """SElinux typebound statement.
++
++ This class represents a typebound statement.
++ """
++ def __init__(self, parent=None):
++ Leaf.__init__(self, parent)
++ self.type = ""
++ self.tgt_types = IdSet()
++
++ def to_string(self):
++ return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
++
+ 
+ class RoleAllow(Leaf):
+ def __init__(self, parent=None):
+diff --git sepolgen-1.2.3/tests/.gitignore sepolgen-1.2.3/tests/.gitignore
+new file mode 100644
+index 0000000..c120af8
+--- /dev/null
++++ sepolgen-1.2.3/tests/.gitignore
+@@ -0,0 +1,4 @@
++module_compile_test.fc
++module_compile_test.if
++output
++tmp/
+diff --git sepolgen-1.2.3/tests/Makefile sepolgen-1.2.3/tests/Makefile
+index 924a9be..e17eef2 100644
+--- sepolgen-1.2.3/tests/Makefile
++++ sepolgen-1.2.3/tests/Makefile
+@@ -4,8 +4,11 @@ clean:
+ rm -f *~ *.pyc
+ rm -f parser.out parsetab.py
+ rm -f out.txt
++ rm -f module_compile_test.fc
++ rm -f module_compile_test.if
+ rm -f module_compile_test.pp
+ rm -f output
++ rm -rf __pycache__ tmp
+ 
+ test:
+ $(PYTHON) run-tests.py
+diff --git sepolgen-1.2.3/tests/module_compile_test.te sepolgen-1.2.3/tests/module_compile_test.te
+index 446c8dc..b365448 100644
+--- sepolgen-1.2.3/tests/module_compile_test.te
++++ sepolgen-1.2.3/tests/module_compile_test.te
+@@ -1,8 +1,8 @@
+-module foo 1.0;
++module module_compile_test 1.0;
+ 
+ require {
+ type foo, bar;
+ class file { read write };
+ }
+ 
+-allow foo bar : file { read write };
+\ No newline at end of file
++allow foo bar : file { read write };
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
new file mode 100644
index 0000000..2dd56e0
--- /dev/null
+++ b/SPECS/policycoreutils.spec
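Review bot: `__restore_path` in the audit.py hunk interpolates `name` into `command = "locate -b '\%s'" % name` and runs it with `shell=True`, and `name` is copied verbatim from the AVC record's `name=` field, which the process that triggered the denial controls rather than the administrator running audit2allow, so a filename containing a quote or other shell metacharacters changes what the shell executes with the caller's privileges. Pass the pattern as an argument list instead, `output = subprocess.check_output(["locate", "-b", "\\" + name], stderr=subprocess.STDOUT, universal_newlines=True)`, which keeps the leading backslash the original hands to locate without involving a shell. In the same function `ino` is only bound when `int(inode)` succeeds; on ValueError the comparison below raises NameError, which the bare `except: pass` silently absorbs, so the `except ValueError:` branch should `return path` rather than `pass`. Two further defects in this patch: `AccessVector.__cmp__` in access.py tests `self.obj_class != self.obj_class` (always false; should be `other.obj_class`), and `__add_allow_rules` in policygen.py tests `av.obj_class == dir` against the builtin `dir` rather than the string `"dir"`, so `comp` is never set to `"(/.*?)"`.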
@@ -0,0 +1,5036 @@ +%global libauditver 2.1.3-4 +%global libsepolver 2.5-10 +%global libsemanagever 2.5-14 +%global libselinuxver 2.5-14 +%global sepolgenver 1.2.3 +%global setoolsver 3.3.8-4 + +%global _hardened_build 1 + +Summary: SELinux policy core utilities +Name: policycoreutils +Version: 2.5 +Release: 34%{?dist} +License: GPLv2 +Group: System Environment/Base +# https://github.com/SELinuxProject/selinux/wiki/Releases +Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/policycoreutils-2.5.tar.gz +Source1:https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/sepolgen-1.2.3.tar.gz +URL: http://www.selinuxproject.org +Source2: policycoreutils_man_ru2.tar.bz2 +Source3: system-config-selinux.png +Source4: sepolicy-icons.tgz +Source5: policycoreutils-po.tgz +# HEAD ba371a0d4f3a0a70ba78fcad5c8de40a283762ae +Patch0: policycoreutils-rhel.patch +Patch1: sepolgen-rhel.patch +Patch10: policycoreutils-preserve-timestamps-for-.py-files.patch + +Obsoletes: policycoreutils < 2.0.61-2 +Conflicts: filesystem < 3 +Provides: /sbin/fixfiles +Provides: /sbin/restorecon + +BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext +BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel +BuildRequires: python python-devel setools-devel >= %{setoolsver} +BuildRequires: redhat-rpm-config +BuildRequires: diffstat +Requires: util-linux +Requires: grep +Requires: gawk +Requires: diffutils +Requires: rpm +Requires: sed +Requires: libsepol >= %{libsepolver} +Requires: libselinux-utils >= %{libselinuxver} +Requires: libsemanage >= %{libsemanagever} +Requires: coreutils + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. 
The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +policycoreutils contains the policy core utilities that are required +for basic operation of a SELinux system. These utilities include +load_policy to load policies, setfiles to label filesystems, newrole +to switch roles. + +%prep +# Update timestamps on the files touched by a patch, to avoid non-equal +# .pyc/.pyo files across the multilib peers within a build, where "Level" +# is the patch prefix option (e.g. -p1) +UpdateTimestamps() { + Level=$1 + PatchFile=$2 + # Locate the affected files: + for f in $(diffstat $Level -l $PatchFile); do + # Set the files to have the same timestamp as that of the patch: + touch -r $PatchFile $f + done +} + +# create selinux/ directory and extract %{SOURCE0} there +%setup -q -c -n selinux +# extract translations +%setup -T -D -a 5 -n selinux + +%patch0 -p0 -b .policycoreutils-rhel +UpdateTimestamps -p0 %{PATCH0} +cd policycoreutils-2.5/ +%patch10 -p2 -b .preserve-timestamps +cd .. 
+ +cp %{SOURCE3} policycoreutils-2.5/gui/ +tar -xvf %{SOURCE4} -C policycoreutils-2.5/ +# extract {%SOURCE1} in selinux/ directory +%setup -T -D -a 1 -n selinux +%patch1 -p0 -b .sepolgen-rhel +UpdateTimestamps -p0 %{PATCH1} + + +%build +make -C policycoreutils-2.5 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" SEMODULE_PATH="/usr/sbin" all +make -C sepolgen-1.2.3 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" all + +%install +mkdir -p %{buildroot}%{_bindir} +mkdir -p %{buildroot}%{_sbindir} +mkdir -p %{buildroot}%{_mandir}/man1 +mkdir -p %{buildroot}%{_mandir}/man5 +mkdir -p %{buildroot}%{_mandir}/man8 +%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/ +mkdir -p %{buildroot}/var/lib/selinux + +make -C policycoreutils-2.5 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" SEMODULE_PATH="/usr/sbin" install + +# Systemd +rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond + +make -C sepolgen-1.2.3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" CFLAGS="%{optflags}" LDFLAGS="%{__global_ldflags}" install + +tar -jxf %{SOURCE2} -C %{buildroot}/ +rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz +rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8.gz +rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8 +rm -f %{buildroot}/usr/sbin/open_init_pty +rm -f %{buildroot}/usr/sbin/run_init +rm -f %{buildroot}/usr/share/man/ru/man8/run_init.8* +rm -f %{buildroot}/usr/share/man/man8/run_init.8* +rm -f %{buildroot}/etc/pam.d/run_init* + +ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui + +desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications \ + --add-category Settings \ 
+%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop + +desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications \ + --add-category Settings \ + %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop + +desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications \ +%{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop + +rm -f %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop +rm -f %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop +rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop + +%find_lang %{name} + +%package python +Summary: SELinux policy core python utilities +Group: System Environment/Base +Requires:policycoreutils = %{version}-%{release} +Requires:libsemanage-python >= %{libsemanagever} libselinux-python libcgroup +Requires:audit-libs-python >= %{libauditver} +Obsoletes: policycoreutils < 2.0.61-2 +Requires: python-IPy +Requires: checkpolicy +Requires: setools-libs >= %{setoolsver} + +%description python +The policycoreutils-python package contains the management tools use to manage +an SELinux environment. 
+ +%files python +%{_sbindir}/semanage +%{_bindir}/chcat +%{_bindir}/sandbox +%{_bindir}/audit2allow +%{_bindir}/audit2why +%{_mandir}/man1/audit2allow.1* +%{_mandir}/ru/man1/audit2allow.1* +%{_bindir}/semodule_package +%{_mandir}/man8/semodule_package.8* +%{_mandir}/ru/man8/semodule_package.8* +%{_mandir}/man1/audit2why.1* +%dir %{python_sitearch}/seobject +%{python_sitearch}/seobject/__init__.py* +%{python_sitearch}/seobject*.egg-info +%{python_sitearch}/sepolgen +%dir %{python_sitearch}/sepolicy +%{python_sitearch}/sepolicy/*so +%{python_sitearch}/sepolicy/templates +%{python_sitearch}/sepolicy/__init__.py* +%{python_sitearch}/sepolicy/booleans.py* +%{python_sitearch}/sepolicy/communicate.py* +%{python_sitearch}/sepolicy/interface.py* +%{python_sitearch}/sepolicy/manpage.py* +%{python_sitearch}/sepolicy/network.py* +%{python_sitearch}/sepolicy/transition.py* +%{python_sitearch}/sepolicy/sedbus.py* +%{_sysconfdir}/dbus-1/system.d/org.selinux.conf +%{python_sitearch}/%{name}*.egg-info +%{python_sitearch}/sepolicy*.egg-info +%{python_sitearch}/%{name} +%dir /var/lib/selinux +%{_mandir}/man8/chcat.8* +%{_mandir}/ru/man8/chcat.8* +%{_mandir}/man8/sandbox.8* +%{_mandir}/man8/semanage*.8* +%{_mandir}/ru/man8/semanage.8* +%{_datadir}/bash-completion/completions/semanage +%{_datadir}/bash-completion/completions/setsebool + +%package devel +Summary: SELinux policy core policy devel utilities +Group: System Environment/Base +Requires: policycoreutils-python = %{version}-%{release} +Requires: make yum +Requires: selinux-policy-devel + +%description devel +The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment. 
+ +%files devel +%{_bindir}/sepolgen +%{_bindir}/sepolgen-ifgen +%{_bindir}/sepolgen-ifgen-attr-helper +%dir /var/lib/sepolgen +/var/lib/sepolgen/perm_map +%{_bindir}/sepolicy +%{python_sitearch}/sepolicy/generate.py* +%{_mandir}/man8/sepolgen.8* +%{_mandir}/man8/sepolicy-booleans.8* +%{_mandir}/man8/sepolicy-generate.8* +%{_mandir}/man8/sepolicy-interface.8* +%{_mandir}/man8/sepolicy-network.8* +%{_mandir}/man8/sepolicy.8* +%{_mandir}/man8/sepolicy-communicate.8* +%{_mandir}/man8/sepolicy-manpage.8* +%{_mandir}/man8/sepolicy-transition.8* +%{_usr}/share/bash-completion/completions/sepolicy +%{_bindir}/semodule_deps +%{_bindir}/semodule_expand +%{_bindir}/semodule_link +%{_bindir}/semodule_unpackage +%{_mandir}/man8/semodule_deps.8* +%{_mandir}/ru/man8/semodule_deps.8* +%{_mandir}/man8/semodule_expand.8* +%{_mandir}/ru/man8/semodule_expand.8* +%{_mandir}/man8/semodule_link.8* +%{_mandir}/ru/man8/semodule_link.8* +%{_mandir}/man8/semodule_unpackage.8* + +%package sandbox +Summary: SELinux sandbox utilities +Group: System Environment/Base +Requires: policycoreutils-python = %{version}-%{release} +Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap +Requires: matchbox-window-manager +BuildRequires: libcap-ng-devel + +%description sandbox +The policycoreutils-sandbox package contains the scripts to create graphical +sandboxes + +%files sandbox +%config(noreplace) %{_sysconfdir}/sysconfig/sandbox +%{_datadir}/sandbox/sandboxX.sh +%{_datadir}/sandbox/start +%caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare +%{_mandir}/man8/seunshare.8* +%{_mandir}/man5/sandbox.5* + +%package newrole +Summary: The newrole application for RBAC/MLS +Group: System Environment/Base +Requires: policycoreutils = %{version}-%{release} + +%description newrole +RBAC/MLS policy machines require newrole as a way of changing the role +or level of a logged in user. 
+ +%files newrole +%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole +%{_mandir}/man1/newrole.1.gz +%config(noreplace) %{_sysconfdir}/pam.d/newrole + +%package gui +Summary: SELinux configuration GUI +Group: System Environment/Base +Requires: policycoreutils-devel = %{version}-%{release} +Requires: gnome-python2-gnome, pygtk2, pygtk2-libglade, gnome-python2-canvas +Requires: usermode-gtk +Requires: python >= 2.6 +BuildRequires: desktop-file-utils + +%description gui +system-config-selinux is a utility for managing the SELinux environment + +%files gui +%{_bindir}/system-config-selinux +%{_bindir}/selinux-polgengui +%{_datadir}/applications/sepolicy.desktop +%{_datadir}/applications/system-config-selinux.desktop +%{_datadir}/applications/selinux-polgengui.desktop +%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png +%{_datadir}/pixmaps/system-config-selinux.png +%dir %{_datadir}/system-config-selinux +%{_datadir}/system-config-selinux/system-config-selinux.png +%{_datadir}/system-config-selinux/*.py* +%{_datadir}/system-config-selinux/*.glade +%dir %{python_sitearch}/sepolicy/help +%{python_sitearch}/sepolicy/help/* +%{python_sitearch}/sepolicy/gui.py* +%{python_sitearch}/sepolicy/sepolicy.glade +%{_datadir}/icons/hicolor/*/apps/sepolicy.png +%{_datadir}/pixmaps/sepolicy.png +%{_mandir}/man8/system-config-selinux.8* +%{_mandir}/man8/selinux-polgengui.8* +%{_mandir}/man8/sepolicy-gui.8* +%{_datadir}/system-config-selinux/selinux_server.py +%{_datadir}/dbus-1/system-services/org.selinux.service +%{_datadir}/polkit-1/actions/org.selinux.policy +%{_datadir}/polkit-1/actions/org.selinux.config.policy + +%post gui +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +%postun gui +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +fi + 
+%posttrans gui +/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + +%files -f %{name}.lang +%{_sbindir}/restorecon +%{_sbindir}/fixfiles +%{_sbindir}/setfiles +%{_sbindir}/load_policy +%{_sbindir}/genhomedircon +%{_sbindir}/setsebool +%{_sbindir}/semodule +%{_sbindir}/sestatus +%{_bindir}/secon +%{_libexecdir}/selinux/hll +%config(noreplace) %{_sysconfdir}/sestatus.conf +# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them +%{_mandir}/man5/selinux_config.5.gz +%{_mandir}/man5/sestatus.conf.5.gz +%{_mandir}/man8/fixfiles.8* +%{_mandir}/ru/man8/fixfiles.8* +%{_mandir}/man8/load_policy.8* +%{_mandir}/ru/man8/load_policy.8* +%{_mandir}/man8/restorecon.8* +%{_mandir}/ru/man8/restorecon.8* +%{_mandir}/man8/semodule.8* +%{_mandir}/ru/man8/semodule.8* +%{_mandir}/man8/sestatus.8* +%{_mandir}/ru/man8/sestatus.8* +%{_mandir}/man8/setfiles.8* +%{_mandir}/ru/man8/setfiles.8* +%{_mandir}/man8/setsebool.8* +%{_mandir}/ru/man8/setsebool.8* +%{_mandir}/man1/secon.1* +%{_mandir}/ru/man1/secon.1* +%{_mandir}/man8/genhomedircon.8* +%{!?_licensedir:%global license %%doc} +%license policycoreutils-2.5/COPYING +%doc %{_usr}/share/doc/%{name} + +%package restorecond +Summary: SELinux restorecond utilities +Group: System Environment/Base +BuildRequires: systemd-units +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units + +%description restorecond +The policycoreutils-restorecond package contains the restorecond service. 
+ +%files restorecond +%{_sbindir}/restorecond +%{_unitdir}/restorecond.service +%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf +%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf +%{_sysconfdir}/xdg/autostart/restorecond.desktop +%{_datadir}/dbus-1/services/org.selinux.Restorecond.service +%{_mandir}/man8/restorecond.8* +%{_mandir}/ru/man8/restorecond.8* +%{!?_licensedir:%global license %%doc} +%license policycoreutils-2.5/COPYING + +%post restorecond +%systemd_post restorecond.service + +%preun restorecond +%systemd_preun restorecond.service + +%postun restorecond +%systemd_postun_with_restart restorecond.service + +%changelog +* Mon Sep 09 2019 Vit Mojzis - 2.5-34 +- Update translations (#1734011) + +* Tue Jun 18 2019 Vit Mojzis - 2.5-33 +- Use flags definitions from redhat-rpm-config +- Use CFLAGS and LDFLAGS in "make install" + +* Wed Jun 12 2019 Vit Mojzis - 2.5-32 +- Update translations (#1689943) + +* Mon Mar 04 2019 Vit Mojzis - 2.5-31 +- semanage: Start exporting "ibendport" and "ibpkey" entries (#1657196) +- semanage: Do not show "None" levels when using a non-MLS policy (#1400482) +- semanage: Include MCS/MLS range when exporting local customizations (#1400482) + +* Mon Feb 25 2019 Vit Mojzis - 2.5-30 +- semanage/seobject: Fix listing boolean values (#1391605) +- sepolicy: Make policy files sorting more robust +- semanage: Fix setting alternative policy store (#1558033) +- semanage: Load a store policy and set the store SELinux policy root +- sepolicy: Add sepolicy.load_store_policy(store) +- semanage: import sepolicy only when it's needed +- semanage: move valid_types initialisations to class constructors +- semanage/seobject: Fix indentation issues +- scripts/fixfiles: Do not fail on file_contexts.local (#1647714) + +* Tue Sep 18 2018 Vit Mojzis - 2.5-29 +- gui: Make all polgen button labels translatable (#1569451) +- Update translations (#1569451) + +* Wed Aug 29 2018 Vit Mojzis - 2.5-28 +- Require setools containing SCTP 
patch (#1621004) + +* Fri Aug 24 2018 Vit Mojzis - 2.5-27 +- semanage: fix Python syntax of catching several exceptions (#1598444) + +* Tue Aug 07 2018 Vit Mojzis - 2.5-26 +- Add dependency on latest libsemanage package (#1612818) + +* Fri Jul 27 2018 Vit Mojzis - 2.5-25 +- Update translations (#1569451) + +* Thu Jul 26 2018 Vit Mojzis - 2.5-24 +- Stop rejecting SCTP and DCCP in sepolicy.info +- semanage: Replace bare except with specific one (#1598444) +- semanage: Fix logger class definition (#1598444) +- semanage: Stop rejecting aliases in semanage commands (#1544793) +- sepolicy: Stop rejecting aliases in sepolicy commands (#1600009) +- semanage: Stop logging loginRecords changes (#1294663) +- Use file_contexts.local in fixfiles restore (#1559808) + +* Fri May 11 2018 Vit Mojzis - 2.5-23 +- Update translation files and remove empty ones (#1375915) +- sepolicy: Fix sepolicy manpage (#1509383) +- semanage/seobject: Fix moduleRecords.modify() (#1408331) +- semodule: Improve man page and unify it with --help (#1320565) +- setfiles: Improve description of -d switch (#1271327) +- sepolgen: Try to translate SELinux contexts to raw (#1356149) + +* Mon Dec 11 2017 Petr Lautrbach - 2.5-22 +- semanage: Fix fcontext help message (#1499259) +- semanage: Improve semanage-user.8 man page (#1079946) +- semodule: Improve man page (#1337192) + +* Thu Dec 07 2017 Petr Lautrbach - 2.5-21 +- Update translations + +* Thu Nov 30 2017 Vit Mojzis - 2.5-20 +- setfiles: Mention customizable types in restorecon man page (#1260238) +- sepolicy: do not fail when file_contexts.local or .subs do not exist (#1512590) +- semanage: Fix export of ibendport entries (#1471809) + +* Tue Nov 07 2017 Petr Lautrbach - 2.5-19 +- semanage: Call semanage_set_reload only if -N is used (#1421160) + +* Thu Oct 19 2017 Vit Mojzis - 2.5-18 +- semanage: Enable listing file_contexts.homedirs +- semanage: Fix manpage author for ibpkey and ibendport pages. 
+- semanage: Update man pages for infiniband +- semanage: Update semanage to allow runtime labeling of ibendports +- semanage: Update semanage to allow runtime labeling of Infiniband Pkeys +- semanage: Improve semanage-port man page +- fixfiles: do not dereference link files in tmp + +* Fri May 26 2017 Petr Lautrbach - 2.5-17.1 +- Update translations + +* Thu Mar 30 2017 Petr Lautrbach - 2.5-16 +- Strip non-printable characters when parsing audit messages (#1406328) +- Install seobject python module into arch specific path (#1061049) +- restorecond: Decrease loglevel of termination message (#1422121) +- semodule_package: do not fail with an empty fc file (#1390535) + +* Tue Mar 28 2017 Petr Lautrbach - 2.5-15 +- sepolicy: Do not fail when file_contexts.{homedirs,local} are not present (#1395778) +- fixfiles - use quotes around "$FILEPATH" (#1241946) + +* Thu Mar 23 2017 Petr Lautrbach - 2.5-14 +- Fix export of fcontext socket entries (#1435100) +- Fix checks whether a module name is passed to semanage-module (#1420527) + +* Fri Mar 03 2017 Petr Lautrbach - 2.5-13 +- hll/pp: Fix pp crash when processing base module (#1350806) +- sepolicy: fix obtaining domain name in HTMLManPages (#1174744) + +* Mon Jan 23 2017 Vit Mojzis - 2.5-12 +- semanage: don't skip reserved_port_t (#1225810) + +* Thu Dec 01 2016 Petr Lautrbach - 2.5-11 +- seobject: Handle python error returns correctly (#1398427) + +* Wed Nov 16 2016 Petr Lautrbach - 2.5-10 +- Re-add module versions to 'semodule -l' output (#1392573) + +* Wed Oct 05 2016 Petr Lautrbach 2.5-9 +- sandbox: create a new session for sandboxed processes - CVE-2016-7545 +- sandbox: do not try to setup directories without -X or -M + +* Fri Aug 26 2016 Petr Lautrbach 2.5-8 +- audit2allow: tests should use local copy not system +- audit2allow: remove audit2why so that it gets symlinked +- semanage: fix man page and help message for import option +- semanage: fix error message for fcontext -m +- semanage: Fix semanage fcontext -D +- 
semanage: Correct fcontext auditing
+- semanage: Default serange to "s0" for port modify
+- semanage: Use socket.getprotobyname for protocol
+- semanage: fix modify action in node and interface
+
+* Wed Aug 10 2016 Petr Lautrbach 2.5-7
+- fixfiles: Pass -n to restorecon for fixfiles check
+- sepolicy: Check get_rpm_nvr_list() return value
+- Don't use subprocess.getstatusoutput() in Python 2 code
+- semanage: Add auditing of changes in records
+- Remove unused 'q' from semodule getopt string
+
+* Wed Aug 03 2016 Petr Lautrbach 2.5-6.2
+- open_init_pty: Do not error on EINTR
+- Fix [-s STORE] typos in semanage
+- Don't use subprocess.getstatusoutput() in Python 2 code
+
+* Thu Jul 14 2016 Petr Lautrbach - 2.5-5.1
+- Update translations
+
+* Thu Jul 07 2016 Petr Lautrbach - 2.5-4
+- Use patches from RHEL-7.2 to avoid some regressions
+
+* Mon Jun 27 2016 Petr Lautrbach - 2.5-3
+- Update sandbox types in sandbox manual
+- Fix typos in semanage manpages
+- Fix the documentation of -l,--list for semodule
+- Minor fix in a French translation
+- Fix the extract example in semodule.8
+- Update sandbox.8 man page
+- Remove typos from chcat --help
+- Fix multiple spelling errors
+- hll/pp: Warn if module name different than output filename
+
+* Mon Apr 11 2016 Petr Lautrbach - 2.5-2
+- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy
+ files (#1319338)
+- Add documentation for MCS separated domains
+- Move svirt man page out of libvirt into its own
+
+* Tue Feb 23 2016 Petr Lautrbach 2.5-1
+- Update to upstream release 2016-02-23
+
+* Tue Oct 06 2015 Petr Lautrbach 2.2.5-20
+- seunshare: Try to use setcurrent before setexec
+Resolves: rhbz#1268813
+
+* Wed Aug 19 2015 Petr Lautrbach 2.2.5-19
+- Revert previous changes
+
+* Fri Jul 10 2015 Petr Lautrbach 2.2.5-18
+- fixfiles: Fix several spellcheck warnings
+
+* Thu Jul 09 2015 Petr Lautrbach 2.2.5-17
+- Fix handling of Forking daemon, to allow systemd to handle it better
+Resolves: rhbz#1186648
+- Fix typo 
in semanage args for minimum policy store
+Resolves: rhbz#1208797
+- Allow to define sock file in /etc directory
+Resolves: rhbz#1188360
+
+* Tue Jul 07 2015 Petr Lautrbach 2.2.5-16
+- semanage: Use OrderedDict for list of fcontexts
+Resolves: rhbz#1206769
+- fixfiles: Cover file_context.XXX.homedir
+Resolves: rhbz#1186640
+
+
+* Mon Nov 10 2014 Miroslav Grepl 2.2.5-15
+- Fix sepolicy.search() to get good results everytime.
+Resolves:#1092356
+
+* Mon Oct 20 2014 Petr Lautrbach 2.2.5-14
+- Fix semanage's man pages and help output
+Resolves: #1085246
+
+* Mon Sep 29 2014 Miroslav Grepl - 2.2.5-13
+- If the user attempts to restorecon the label of a file that does not exist, do not report this as an error
+Resolves:#1082956
+- Make fixfiles_exclude_dirs working if there is a substituion for the given directory
+Resolves:#1082676
+- Add ability to list the actual active modules
+Resolves:#1075023
+- Update XDG_RUNTIME_DIR directory
+Resolves:#1112811
+- Fix semanage man page to talk about semanage-* (8) man pages.
+Resolves:#1084390
+
+* Fri Jun 13 2014 Miroslav Grepl - 2.2.5-12
+- Make selinux-policy build working also on another architectures related to sepolicy-manpage generate
+Resolves:#1103292
+
+* Fri Apr 4 2014 Dan Walsh - 2.2.5-11
+- One more time
+- Update Translations
+Resolves: #1030373
+
+* Mon Mar 31 2014 Dan Walsh - 2.2.5-10
+- Update Translations
+Resolves: #1030373
+
+* Mon Mar 31 2014 Dan Walsh - 2.2.5-9
+- Update Translations
+Resolves: #1030373
+
+* Mon Mar 24 2014 Dan Walsh - 2.2.5-8
+- Update Translations
+Resolves: #1030373
+
+* Sun Mar 16 2014 Dan Walsh - 2.2.5-7
+- yum should not be required for -python package
+
+* Wed Feb 26 2014 Miroslav Grepl - 2.2.5-6
+Fix spec file to remove run_init which is no longer used because of systemd
+Resolves:#825725
+
+* Thu Jan 30 2014 Miroslav Grepl - 2.2.5-5
+- Remove default s0 range from semanage-login command. It is handled in seobject.py.
+Resolves:#1028106
+
+* Fri Jan 24 2014 Daniel Mach - 2.2.5-4
+- Mass rebuild 2014-01-24
+
+* Thu Jan 16 2014 Dan Walsh - 2.2.5-3
+- Add Miroslav patch to
+- Fix previously_modified_initialize() to show modified changes properly for all selections
+Resolves: #1049977
+
+* Wed Jan 8 2014 Dan Walsh - 2.2.5-2
+- Do not require /usr/share/selinux/devel/Makefile to build permissive domains
+
+* Mon Jan 6 2014 Dan Walsh - 2.2.5-1
+- Fix Mass Rebuild problems
+- Update to upstream
+ * Ignore selevel/serange if MLS is disabled from Sven Vermeulen.
+Resolves: #1043489
+
+* Fri Jan 3 2014 Dan Walsh - 2.2.4-8
+- Update Tranlations
+- Patch from Yuri Chornoivan to fix typos
+
+* Fri Dec 27 2013 Daniel Mach - 2.2.4-7
+- Mass rebuild 2013-12-27
+
+* Fri Dec 20 2013 Dan Walsh - 2.2.4-6
+- Fix sepolicy gui selection for advanced screen
+- Update Translations
+- Move requires checkpolicy requirement into policycoreutils-python
+Resolves: #1043489
+
+* Mon Dec 16 2013 Dan Walsh - 2.2.4-5
+- Fix semanage man page description of import command
+- Fix policy kit file to allow changing to permissive mode
+
+* Mon Dec 16 2013 Dan Walsh - 2.2.4-4
+- Fix broken dependencies.
+
+* Fri Dec 13 2013 Dan Walsh - 2.2.4-3
+- Break out python3 code into separate package
+
+* Fri Dec 6 2013 Dan Walsh - 2.2.4-2
+- Add mgrepl patch
+- ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
+
+* Tue Dec 3 2013 Dan Walsh - 2.2.4-1
+- Update to upstream
+ * Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
+- Add patches for sepolicy gui from mgrepl to
+ Fix advanced_item_button_push() to allow to select an application in advanced search menu
+ Fix previously_modified_initialize() to show modified changes properly for all selections
+
+
+* Fri Nov 22 2013 Dan Walsh - 2.2.3-1
+- Update to upstream
+ * Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
+ * Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
+- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
+
+* Wed Nov 20 2013 Dan Walsh - 2.2.2-2
+- Fix selinux-polgengui, get_all_modules call
+
+* Fri Nov 15 2013 Dan Walsh - 2.2.2-1
+Resolves: #1002529
+Resolves: #924105
+Resolves: #918140
+Resolves: #1028096
+
+- Speed up startup time of sepolicy gui
+- Clean up ports screen to only show enabled ports.
+- Update to upstream
+ * Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
+ * Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
+ * Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
+
+* Wed Nov 13 2013 Dan Walsh - 2.2-2
+- Shift around some of the files to more appropriate packages.
+ * semodule_* packages are required for devel.
+
+* Wed Nov 13 2013 Dan Walsh - 2.2-1
+- Update to upstream
+ * Properly build the swig exception file from Laurent Bigonville.
+ * Fix man pages from Laurent Bigonville.
+ * Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
+ * Fix LDFLAGS usage from Laurent Bigonville.
+ * Fix init_policy warning from Laurent Bigonville.
+ * Fix semanage logging from Laurent Bigonville.
+ * Open newrole stdin as read/write from Sven Vermeulen.
+ * Fix sepolicy transition from Sven Vermeulen.
+ * Support overriding CFLAGS from Simon Ruderich.
+ * Create correct man directory for run_init from Russell Coker.
+ * restorecon GLOB_BRACE change from Michal Trunecka.
+ * Extend audit2why to report additional constraint information.
+ * Catch IOError errors within audit2allow from Dan Walsh.
+ * semanage export/import fixes from Dan Walsh.
+ * Improve setfiles progress reporting from Dan Walsh.
+ * Document setfiles -o option in usage from Dan Walsh.
+ * Change setfiles to always return -1 on failure from Dan Walsh.
+ * Improve setsebool error r eporting from Dan Walsh.
+ * Major overhaul of gui from Dan Walsh.
+ * Fix sepolicy handling of non-MLS policy from Dan Walsh.
+ * Support returning type aliases from Dan Walsh.
+ * Add sepolicy tests from Dan Walsh.
+ * Add org.selinux.config.policy from Dan Walsh.
+ * Improve range and user input checking by semanage from Dan Walsh.
+ * Prevent source or target arguments that end with / for substitutions from Dan Walsh.
+ * Allow use of <> for semanage fcontext from Dan Walsh.
+ * Report customized user levels from Dan Walsh.
+ * Support deleteall for restoring disabled modules from Dan Walsh.
+ * Improve semanage error reporting from Dan Walsh.
+ * Only list disabled modules for module locallist from Dan Walsh.
+ * Fix logging from Dan Walsh.
+ * Define new constants for file type character codes from Dan Walsh.
+ * Improve bash completions from Dan Walsh.
+ * Convert semanage to argparse from Dan Walsh (originally by Dave Quigley).
+ * Add semanage tests from Dan Walsh.
+ * Split semanage man pages from Dan Walsh.
+ * Move bash completion scripts from Dan Walsh.
+ * Replace genhomedircon script with a link to semodule from Dan Walsh.
+ * Fix fixfiles from Dan Walsh.
+ * Add support for systemd service for restorecon from Dan Walsh.
+ * Spelling corrections from Dan Walsh.
+ * Improve sandbox support for home dir symlinks and file caps from Dan Walsh.
+ * Switch sandbox to openbox window manager from Dan Walsh.
+ * Coalesce audit2why and audit2allow from Dan Walsh.
+ * Change audit2allow to append to output file from Dan Walsh.
+ * Update translations from Dan Walsh.
+ * Change audit2why to use selinux_current_policy_path from Dan Walsh.
+
+* Tue Nov 12 2013 Dan Walsh - 2.1.14-89
+- Update to latest sepolicy tool chain.
+- Document semodule -P
+- Verify input to semanage permissive -a is a valid domain.
+- Assigning login user with semanage login, range should default to user record
+
+* Wed Oct 16 2013 Dan Walsh - 2.1.14-88
+- Cleanup errors found by pychecker
+- Apply patch from Michal Trunecka to allow restorecon to handle {} in globs
+Resolves: #1018913
+
+* Fri Oct 11 2013 Dan Walsh - 2.1.14-87
+- sepolicy gui
+ - mgrepl fixes for users and login
+- Update Translations.
+
+* Fri Oct 11 2013 Dan Walsh - 2.1.14-86
+- sepolicy gui
+ - mgrepl added delete screens for users and login
+ - Fix lots of bugs.
+- Update Translations.
+
+
+* Fri Oct 4 2013 Dan Walsh - 2.1.14-85
+- Fixes for fixfiles
+ * exclude_from_dirs should apply to all types of restorecon calls
+ * fixfiles check now works
+ * exit with the correct status
+
+- semanage no longer import selinux
+
+* Wed Oct 2 2013 Dan Walsh - 2.1.14-84
+- Fixes for sepolicy gui
+- Fix setsebool to return 0 on success
+- Update Po
+
+* Mon Sep 30 2013 Dan Walsh - 2.1.14-83
+- Fix sizes of help screens in sepolicy gui
+
+* Sat Sep 28 2013 Dan Walsh - 2.1.14-82
+- Improvements to sepolicy gui
+ - Add more help information
+ - Cleanup code
+ - Add deny_ptrace on lockdown screen
+ - Make unconfined/permissivedomains lockdown work
+ - Add more support for file equivalency
+
+* Wed Sep 18 2013 Dan Walsh - 2.1.14-81
+- Add back in the help png files
+- Begin Adding support for file equivalency.
+
+* Wed Sep 4 2013 Dan Walsh - 2.1.14-80
+- Random fixes for sepolicy gui
+ * Do not prompt for password until you make a change
+ * Add user mappings and selinux users page
+ * lots of code cleanup
+
+- Verify homedir is owned by user before mounting over it with seunshare
+- Fix fixfiles to handle Relabel properly
+- Fix semanage fcontext -e / command to allow "/"
+
+* Wed Sep 4 2013 Dan Walsh - 2.1.14-79
+- Add Miroslav Grepl setsebool patch to give better error message on bad boolean names
+- Additional help screens for sepolicy gui
+
+* Tue Sep 3 2013 Dan Walsh - 2.1.14-78
+- Random fixes for sepolicy gui
+- Update Translations
+
+* Fri Aug 30 2013 Dan Walsh - 2.1.14-77
+- Add help screens for each page
+- Fixes for system page
+
+* Mon Aug 26 2013 Dan Walsh - 2.1.14-76
+- Add Miroslav Grepl Patch to handle semanage -i and semanage -o better
+- Update Translations
+
+* Thu Aug 15 2013 Dan Walsh - 2.1.14-75
+- Update sepolicy gui code, cleanups and add file transition tab
+- Fix semanage fcontext -a --ftype code to work.
+
+* Wed Aug 7 2013 Dan Walsh - 2.1.14-74
+- If policy is not installed get_bools should not crash
+
+* Tue Aug 6 2013 Dan Walsh - 2.1.14-72
+- Update sepolicy gui code, cleanups and add file transition tab
+- Fix semanage argparse problems
+
+* Fri Aug 2 2013 Dan Walsh - 2.1.14-71
+- Update sepolicy gui code, adding dbus calls
+- Update Translations
+
+* Fri Jul 26 2013 Dan Walsh - 2.1.14-70
+- Fix semanage argparse bugs
+- Update Translations
+- Add test suite for semanage command lines
+
+* Wed Jul 24 2013 Dan Walsh - 2.1.14-69
+- Fix semanage argparse bugs
+
+* Tue Jul 23 2013 Dan Walsh - 2.1.14-68
+- Fix bugs introduced by previous patch. semanage port
+- Update Translations
+- Add test suite for sepolicy command lines
+
+* Fri Jul 19 2013 Dan Walsh - 2.1.14-67
+- Fix bugs introduced by previous patch. 
semanage port
+- Update Translations
+
+* Wed Jul 17 2013 Dan Walsh - 2.1.14-66
+- Rewrite argparse code in semanage and fix reload problem.
+
+* Tue Jul 16 2013 Dan Walsh - 2.1.14-65
+- Do not generate shell script or spec file for sepolicy generate --newtype
+- Update translations
+- Fix sepolicy generate --admin_user man page again
+- Fix setsebool to print less verbose error messages by default, add -V for ve
+
+* Mon Jul 15 2013 Dan Walsh - 2.1.14-64
+- Move audit2allow and audit2why back into -python package
+
+* Wed Jul 10 2013 Dan Walsh - 2.1.14-63
+- Update sepolicy gui.
+- Error out of you call sepolicy gui without policycoreutils-gui package installed
+- Fix semanage login -d command
+- Update Translations
+
+* Wed Jul 10 2013 Dan Walsh - 2.1.14-62
+- Update sepolicy gui.
+
+* Fri Jul 5 2013 Dan Walsh - 2.1.14-61
+- Add Ryan Hallisey sepolicy gui.
+- Update Translations
+
+* Mon Jun 24 2013 Dan Walsh - 2.1.14-60
+- Fix semanage module error handling
+
+* Sun Jun 23 2013 Dan Walsh - 2.1.14-59
+- Add back default exception handling for errors, which argparse rewrite removed.
+
+* Fri Jun 21 2013 Dan Walsh - 2.1.14-58
+- Fix generation of booleans in man pages
+
+* Fri Jun 21 2013 Dan Walsh - 2.1.14-57
+- Remove requires for systemd-sysv
+- Move systemd-units require to restorecond section
+- Update Tranlasions
+- More sepolicy interfaces for gui
+- Cleanup man pages for sepolicy generate
+
+* Wed Jun 19 2013 Dan Walsh - 2.1.14-56
+- Fix semanage export/import commands
+- Fix semange module command
+- Remove --version option from sandbox
+
+* Tue Jun 18 2013 Dan Walsh - 2.1.14-55
+- Add man page doc for --role and bash complestion support for sepolicy --role
+
+* Tue Jun 18 2013 Dan Walsh - 2.1.14-54
+- Make fcdict return a dictionary of dictionaries
+- Fix for sepolicy manpage
+
+* Mon Jun 17 2013 Dan Walsh - 2.1.14-53
+- Add new man pages for each semanage subsection
+
+* Mon Jun 17 2013 Dan Walsh - 2.1.14-52
+- Fix handling of sepolicy network sorting.
+- Additional interfaces needed for sepolicy gui
+
+* Thu Jun 6 2013 Dan Walsh - 2.1.14-51
+- Fix handling of semanage args
+
+* Thu Jun 6 2013 Dan Walsh - 2.1.14-50
+- Fix sepolicy generate --confined_admin to generate tunables
+- Add new interface to generate entrypoints for use with new gui
+
+* Wed Jun 5 2013 Dan Walsh - 2.1.14-49
+- Fix handing of semanage with no args
+
+* Tue Jun 4 2013 Dan Walsh - 2.1.14-48
+- Fix audit2allow -o to open file for append
+- Fix the name of the spec file generated in the build script
+
+* Fri May 31 2013 Dan Walsh - 2.1.14-47
+- Fix mgrepl patch to support all semanage command parsing
+
+* Sun May 26 2013 Dan Walsh - 2.1.14-46
+- Fix the name of the spec file generated in the build script
+- Add mgrepl patch to support argparse for semanage command parsing
+
+* Tue May 21 2013 Dan Walsh - 2.1.14-45
+- Fix sandbox to always use sandbox_file_t, so generated policy will work.
+- Update Translations
+
+* Thu May 16 2013 Dan Walsh - 2.1.14-44
+- Fix sepolicy-generate man page to clear up options/policy type
+- Add Miroslav Grepl to not generate man page when doing
+ sepolicy generate --customize
+- Add support for executing semanage user within spec file
+- Fix generation of confined admin domains, to handle booleans properly.
+
+* Tue May 14 2013 Dan Walsh - 2.1.14-43
+- Need to handle gziped policy.xml as well as not compressed.
+
+* Tue May 14 2013 Dan Walsh - 2.1.14-42
+- Add support for Xephyr -resizable, so sandbox can now resize window
+- Add support for compressed policy.xml
+- Miroslav Grepl patch to allow sepolicy interface on individual interface fil
+- Also add capability to test interfaces for correctness.
+
+* Mon May 13 2013 Dan Walsh - 2.1.14-41
+- Apply patches from Sven Vermeulen for sepolgen to fix typos.
+
+* Mon May 13 2013 Dan Walsh - 2.1.14-40
+- Only require selinux-policy-devel for policycoreutils-devel, this will shrink the size of the livecd.
+
+* Sun May 12 2013 Dan Walsh - 2.1.14-39
+- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed, first time
+- Add Sven Vermeulen patches to cleanup man pages
+
+* Fri May 10 2013 Dan Walsh - 2.1.14-38
+- No longer run sepolgen-ifgen at install time.
+- Run sepolgen-ifgen in audit2allow and sepolicy generate, if needed.
+- Update Translations
+
+* Mon Apr 22 2013 Dan Walsh - 2.1.14-37
+- Fix exceptionion hanling in audit2allow -o
+- Generate Man pages for everydomain, not just ones with exec_t entrypoints
+- sepolicy comunicate should return ValueError not TypeError
+- Trim header line in sepolicy manpage to use less space
+- Add missing options to restorecon man page
+
+* Thu Apr 11 2013 Dan Walsh - 2.1.14-36
+- Raise proper Exception on sepolicy communicate with invalid value
+
+* Wed Apr 10 2013 Dan Walsh - 2.1.14-35
+- Update translations
+- Add patch by Miroslav Grepl to add compile test for sepolicy interface command.
+
+* Tue Apr 9 2013 Dan Walsh - 2.1.14-34
+- Update translations
+- Add patch inspired by Miroslav Grepl to add extended information for sepolicy interface command.
+
+* Mon Apr 8 2013 Dan Walsh - 2.1.14-33
+- Update translations
+- Add missing man pages and fixup existing man pages
+
+* Wed Apr 3 2013 Dan Walsh - 2.1.14-32
+- Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
+- Apply Miroslav Grepl Patches for sepolicy
+-- Fix generate mutually groups option handling
+-- EUSER is used for existing policy
+-- customize options can be used together with admin_domain option
+-- Fix manpage.py to generate correct man pages for SELinux users
+-- Fix policy *.te file generated by customize+writepaths options
+-- Fix install script for confined_admin option
+
+* Mon Apr 1 2013 Dan Walsh - 2.1.14-31
+- Add post install scripts for gui to make sure Icon Cache is refreshed.
+- Fix grammar issue in secon man page
+- Update Translations
+
+* Thu Mar 28 2013 Dan Walsh - 2.1.14-30
+- Add buildrequires for OpenBox to prevent me from accidently building into RHEL7
+- Add support for returning alias data to sepolicy.info python bindings
+
+* Wed Mar 27 2013 Dan Walsh - 2.1.14-28
+- Fix audit2allow output to better align analysys with the allow rules
+- Apply Miroslav Grepl patch to clean up sepolicy generate usage
+- Apply Miroslav Grepl patch to fixupt handing of admin_user generation
+- Update Tranlslations
+
+* Wed Mar 27 2013 Dan Walsh - 2.1.14-27
+- Allow semanage fcontext -a -t "<>" ... to work
+
+* Mon Mar 25 2013 Dan Walsh - 2.1.14-26
+- Can not unshare IPC in sandbox, since it blows up Xephyr
+- Remove bogus error message sandbox about reseting setfsuid
+
+* Thu Mar 21 2013 Dan Walsh - 2.1.14-25
+- Fix sepolicy generate --customize to generate policy with -w commands
+
+* Thu Mar 21 2013 Dan Walsh - 2.1.14-24
+- sepolgen-ifgen needs to handle filename transition rules containing ":"
+
+* Tue Mar 19 2013 Dan Walsh - 2.1.14-23
+- sepolicy manpage:
+- use nroff instead of man2html
+- Remove checking for name of person who created the man page
+- audit2allow
+- Fix output to show the level that is different.
+
+* Thu Mar 14 2013 Dan Walsh - 2.1.14-22
+- Fix newrole to not drop capabilities from the bounding set.
+- Stop dropping capabilities from its children.
+- Add better error messages.
+- Change location of bash_completion files to /usr/share/bash-completion/compl
+
+* Mon Mar 11 2013 Dan Walsh - 2.1.14-21
+- sepolicy generate should look for booleans that effect equivalence names, and add them to the man page
+
+* Thu Mar 7 2013 Dan Walsh - 2.1.14-20
+- Mention creation of permissive domains in sepolicy generate man page
+- Change sepolicy manpage to use shortname with an "_" to stop accidently grabbing unrelated types for a domain.
+- Fix audit2allow to show better information on constraint violations.
+
+* Wed Mar 6 2013 Dan Walsh - 2.1.14-19
+- Have restorecon exit -1 on errors for consistancy.
+
+* Tue Mar 5 2013 Dan Walsh - 2.1.14-18
+- Need to provide a value to semanage boolean -m
+
+* Mon Mar 4 2013 Dan Walsh - 2.1.14-17
+- Fix cut and paste errors for sepolicy network command
+
+* Fri Mar 1 2013 Dan Walsh - 2.1.14-16
+- Fix sepoicy interface to work properly
+
+* Thu Feb 28 2013 Dan Walsh - 2.1.14-15
+- Fix fixfiles to use exclude_dirs on fixfiles restore
+
+* Thu Feb 28 2013 Dan Walsh - 2.1.14-14
+- Allow users with symlinked homedirs to work. call realpath on homedir
+- Fix sepolicy reorganization of helper functions.
+
+* Sun Feb 24 2013 Dan Walsh - 2.1.14-13
+- Update trans
+- Fix sepolicy reorganization of helper functions.
+
+* Sun Feb 24 2013 Rahul Sundaram - 2.1.14-13
+- remove vendor tag from desktop file. https://fedorahosted.org/fpc/ticket/247
+- clean up spec to follow current guidelines
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-12
+- Do not load interface file by default when sepolicy is called, mov get_all_methods to the sepolicy package
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-11
+- sepolgen-ifgen should use the current policy path if selinux is enabled
+
+* Fri Feb 22 2013 Dan Walsh - 2.1.14-10
+- Fix sepolicy to be able to work on an SELinux disabled system.
+- Needed to be able to build man pages in selinux-policy package
+
+* Thu Feb 21 2013 Dan Walsh - 2.1.14-9
+- Add yum to requires of policycoreutils-python since sepolicy requires it.
+
+* Thu Feb 21 2013 Dan Walsh - 2.1.14-8
+- Sepolixy should not throw an exception on an SELinux disabled machine
+- Switch from using console app to using pkexec, so we will work better
+with policykit.
+- Add missing import to fix system-config-selinux startup
+- Add comment to pamd files about pam_rootok.so
+- Fix sepolicy generate to not comment out the first line
+
+* Wed Feb 20 2013 Dan Walsh - 2.1.14-7
+- Add --root/-r flag to sepolicy manpage,
+- This allows us to generate man pages on the fly in the selinux-policy build
+
+* Mon Feb 18 2013 Dan Walsh - 2.1.14-6
+- Fix newrole to retain cap_audit_write when compiled with namespace, also
+do not drop capabilities when run as root.
+
+* Thu Feb 14 2013 Dan Walsh - 2.1.14-5
+- Fix man page generation and public_content description
+
+* Thu Feb 14 2013 Dan Walsh - 2.1.14-4
+- Revert some changes which are causing the wrong policy version file to be created
+- Switch sandbox to start using openbox rather then matchbox
+- Make sepolgen a symlink to sepolicy
+- update translations
+
+* Wed Feb 13 2013 Dan Walsh - 2.1.14-3
+- Fix empty system-config-selinux.png, again
+
+* Tue Feb 12 2013 Dan Walsh - 2.1.14-2
+- Fix empty system-config-selinux.png
+
+* Thu Feb 7 2013 Dan Walsh - 2.1.14-1
+- Update to upstream
+ * setfiles: estimate percent progress
+ * load_policy: make link at the destination directory
+ * Rebuild polgen.glade with glade-3
+ * sepolicy: new command to unite small utilities
+ * sepolicy: Update Makefiles and po files
+ * sandbox: use sepolicy to look for sandbox_t
+ * gui: switch to use sepolicy
+ * gui: sepolgen: use sepolicy to generate
+ * semanage: use sepolicy for boolean dictionary
+ * add po file configuration information
+ * po: stop running update-po on all
+ * semanage: seobject verify policy types before allowing you to assign them.
+ * gui: Start using Popen, instead of os.spawnl
+ * sandbox: Copy /var/tmp to /tmp as they are the same inside
+ * qualifier to shred content
+ * semanage: Fix handling of boolean_sub names when using the -F flag
+ * semanage: man: roles instead of role
+ * gui: system-config-selinux: Catch no DISPLAY= error
+ * setfiles: print error if no default label found
+ * semanage: list logins file entries in semanage login -l
+ * semanage: good error message is sepolgen python module missing
+ * gui: system-config-selinux: do not use lokkit
+ * secon: add support for setrans color information in prompt output
+ * restorecond: remove /etc/mtab from default list
+ * gui: If you are not able to read enforcemode set it to False
+ * genhomedircon: regenerate genhomedircon more often
+ * restorecond: Add /etc/udpatedb.conf to restorecond.conf
+ * genhomedircon generation to allow spec file to pass in SEMODULE_PATH
+ * fixfiles: relabel only after specific date
+ * po: update translations
+ * sandbox: seunshare: do not reassign realloc value
+ * seunshare: do checking on setfsuid
+ * sestatus: rewrite to shut up coverity
+
+* Thu Jan 31 2013 Dan Walsh - 2.1.12-58
+- Reorginize sepolicy so all get_all functions are in main module
+- Add -B capability to fixfiles onboot and fixfiles restore, basically searches for all files created since the last boot.
+
+* Fri Jan 25 2013 Dan Walsh - 2.1.12-57
+- Update to latest patches from eparis/Upstream
+- fixfiles onboot will write any flags handed to it to /.autorelabel.
+- * Patch sent to initscripts to have fedora-autorelabel pass flags back to fixfiles restore
+- * This should allow fixfiles -F onboot, to force a hard relabel.
+- Add -p to show progress on full relabel.
+
+* Tue Jan 15 2013 Dan Walsh - 2.1.12-56
+- Additional changes for bash completsion and generate man page to match the w
+- Add newtype as a new qualifier to sepolicy generate. 
This new mechanism wil
+- a policy write to generate types after the initial policy has been written a
+- will autogenerate all of the interfaces.
+- I also added a -w options to allow policy writers from the command line to s
+- the writable directories of files.
+-
+- Modify network.py to include interface definitions for newly created port type
+- Standardize of te_types just like all of the other templates.
+
+- Change permissive domains creation to raise exception if sepolgen is not ins
+- get_te_results no longer needs or uses the opts parameter.
+- The compliler was complaining so I just removed the option.
+- Start returning analysis data for audit2allow
+
+* Tue Jan 15 2013 Dan Walsh - 2.1.12-55
+- Update Translations
+- Fix handling of semanage generate --cgi -n MODULE PATHTO/CGI
+- This fixes the spec file and script file getting wrong names for modules and types.
+
+* Wed Jan 9 2013 Dan Walsh - 2.1.12-54
+- Additional patch from Miroslav to handle role attributes
+
+* Wed Jan 9 2013 Dan Walsh - 2.1.12-53
+- Update with Miroslav patch to handle role attributes
+- Update Translations
+- import sepolicy will only throw exception on missing policy iff selinux is enabled
+
+* Sat Jan 5 2013 Dan Walsh - 2.1.12-52
+- Update to latest patches from eparis/Upstream
+- secon: add support for setrans color information in prompt output
+- Update translations
+
+* Fri Jan 4 2013 Dan Walsh - 2.1.12-51
+- Update translations
+- Fix sepolicy booleans to handle autogenerated booleans descriptions
+- Cleanups of sepolicy manpage
+- Fix crash on git_shell man page generation
+
+* Thu Jan 3 2013 Dan Walsh - 2.1.12-50
+- Update translations
+- update sepolicy manpage to generate fcontext equivalence data and to list
+default file context paths.
+- Add ability to generate policy for confined admins and domains like puppet.
+
+* Thu Dec 20 2012 Dan Walsh - 2.1.12-49
+- Fix semanage permissive , this time with the patch.
+- Update translations
+
+* Wed Dec 19 2012 Dan Walsh - 2.1.12-48
+- Fix semanage permissive
+- Change to use correct gtk forward button
+- Update po
+
+* Mon Dec 17 2012 Dan Walsh - 2.1.12-47
+- Move audit2why to -devel package
+
+* Mon Dec 17 2012 Dan Walsh - 2.1.12-46
+- sepolicy transition was blowing up. Also cleanup output when only source is specified.
+- sepolicy generate should allow policy modules names that include - or _
+
+* Mon Dec 10 2012 Dan Walsh - 2.1.12-45
+- Apply patch from Miroslav to display proper range description in man pages g
+- Should print warning on missing default label when run in recusive mode iff
+- Remove extra -R description, and fix recursive description
+
+* Thu Dec 6 2012 Dan Walsh - 2.1.12-44
+- Additional fixes for disabled SELinux Box
+- system-config-selinux no longer relies on lokkit for /etc/selinux/config
+
+* Thu Dec 6 2012 Dan Walsh - 2.1.12-43
+- sepolicy should failover to installed policy file on a disabled SELinux box, if it exists.
+
+* Wed Dec 5 2012 Dan Walsh - 2.1.12-42
+- Update Translations
+- sepolicy network -d needs to accept multiple domains
+
+* Fri Nov 30 2012 Dan Walsh - 2.1.12-41
+- Add --path as a parameter to sepolicy generate
+- Print warning message if program does not exists when generating policy, and do not attempt to run nm command
+- Fix sepolicy generate -T to not take an argument, and supress the help message
+- Since this is really just a testing tool
+
+* Fri Nov 30 2012 Dan Walsh - 2.1.12-40
+- Fix sepolicy communicate to handle invalid input
+
+* Thu Nov 29 2012 Dan Walsh - 2.1.12-39
+- Fix sepolicy network -p to handle high ports
+
+* Thu Nov 29 2012 Dan Walsh - 2.1.12-38
+- Fix handling of manpages without entrypoints, nsswitch domains
+- Update Translations
+
+* Wed Nov 28 2012 Dan Walsh - 2.1.12-37
+- Move sepogen python bindings back into policycoreutils-python out of -devel, since sepolicy is using the
+
+* Tue Nov 27 2012 Dan Walsh - 2.1.12-36
+- Fix sepolicy/__init__.py to 
handle _()
+
+* Wed Nov 21 2012 Dan Walsh - 2.1.12-35
+- Add Miroslav Grepl patch to create etc_rw_t sock files policy
+
+* Fri Nov 16 2012 Dan Walsh - 2.1.12-34
+- Fix semanage to work without policycoreutils-devel installed
+- Update translations
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-33
+- Fix semanage login -l to list contents of /etc/selinux/POLICY/logins directory
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-32
+- Fix booleansPage not showing booleans
+- Fix audit2allow -b
+
+* Tue Nov 13 2012 Dan Walsh - 2.1.12-31
+- Fix sepolicy booleans again
+- Fix man page
+
+* Mon Nov 12 2012 Dan Walsh - 2.1.12-30
+- Move policy generation tools into policycoreutils-devel
+
+* Mon Nov 12 2012 Dan Walsh - 2.1.12-29
+- Document and fix sepolicy booleans
+- Update Translations
+- Fix several spelling mistakes
+
+* Wed Nov 7 2012 Dan Walsh - 2.1.12-27
+- Only report restorecon warning for missing default label, if not running
+recusively
+- Update translations
+
+* Mon Nov 5 2012 Dan Walsh - 2.1.12-26
+- Fix semanage booleans -l, move more boolean_dict handling into sepolicy
+- Update translations
+- Fixup sepolicy generate to discover /var/log, /var/run and /var/lib directories if they match the name
+- Fix kill function call should indicate signal_perms not kill capability
+- Error out cleanly in system-config-selinux, if it can not contact XServer
+
+* Mon Nov 5 2012 Dan Walsh - 2.1.12-25
+- Remove run_init, no longer needed with systemd.
+- Fix sepolicy generate to not include subdirs in generated fcontext file. 
(mgrepl patch)
+
+* Sat Nov 3 2012 Dan Walsh - 2.1.12-24
+- Fix manpage to generate proper man pages for alternate policy,
+basically allow me to build RHEL6 man pages on a Fedora 18 box, as long as
+I pull the policy, policy.xml and file_contexts and file_contexts.homedir
+
+* Thu Nov 1 2012 Dan Walsh - 2.1.12-23
+- Fix some build problems in sepolicy manpage and sepolicy transition
+
+* Tue Oct 30 2012 Dan Walsh - 2.1.12-22
+- Add alias man pages to sepolicy manpage
+
+* Mon Oct 29 2012 Dan Walsh - 2.1.12-21
+- Redesign sepolicy to only read the policy file once, not for every call
+
+* Mon Oct 29 2012 Dan Walsh - 2.1.12-20
+- Fixes to sepolicy transition, allow it to list all transitions from a domain
+
+* Sat Oct 27 2012 Dan Walsh - 2.1.12-19
+- Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network
+
+* Fri Oct 26 2012 Dan Walsh - 2.1.12-18
+- Allow sepolicy to specify the policy to generate content from
+
+* Thu Oct 25 2012 Dan Walsh - 2.1.12-17
+- Fix semanage boolean -F to handle boolean subs
+
+* Thu Oct 25 2012 Dan Walsh - 2.1.12-16
+- Add Miroslav Grepl patch to generate html man pages
+- Update Translations
+- Add option to sandbox to shred files before deleting
+
+* Mon Oct 22 2012 Dan Walsh - 2.1.12-15
+- Add Requires(post) PKGNAME to sepolicy generate /usr/bin/pkg
+
+* Fri Oct 19 2012 Dan Walsh - 2.1.12-14
+- Add role_allow to sepolicy.search python bindings, this allows us to remove last requirement for setools-cmdline in gui tools.
+- Fix man page generator.
+
+* Wed Oct 17 2012 Dan Walsh - 2.1.12-13
+- Remove dwalsh@redhat.com from man pages
+- Fix spec file for sepolicy generate
+
+* Wed Oct 17 2012 Dan Walsh - 2.1.12-12
+- Add missing spec.py from templates directory needed for sepolicy generate
+- Add /var/tmp as collection point for sandbox apps.
+
+* Tue Oct 16 2012 Dan Walsh - 2.1.12-11
+- Handle audit2allow -b in foreign locales
+
+* Tue Oct 16 2012 Dan Walsh - 2.1.12-10
+- Update sepolicy generate with patch to create spec file and man page.
+- Patch initiated by Miroslav Grepl
+
+* Wed Oct 10 2012 Dan Walsh - 2.1.12-9
+- Fix semanage to verify that types are appropriate for commands.
+ * Patch initiated by mgrepl
+ * Fixes problem of specifying non file_types for fcontext, or not port_types for semanage port
+
+* Tue Oct 9 2012 Dan Walsh - 2.1.12-8
+- Fix typo in preunstall line for restorecond
+- Add mgrepl patch to consolidate file context generated by sepolicy generate
+
+* Mon Oct 8 2012 Dan Walsh - 2.1.12-7
+- Fix manpage generation, missing import
+- Add equiv_dict to get samba booleans into smbd_selinux
+- Add proper translations for booleans and remove selinux.tbl
+
+* Sat Oct 6 2012 Dan Walsh - 2.1.12-6
+- Fix system-config-selinux to use sepolicy.generate instead of sepolgen
+
+* Thu Oct 4 2012 Dan Walsh - 2.1.12-5
+- Add sepolicy commands, and change tools to use them.
+
+* Tue Sep 25 2012 Dan Walsh - 2.1.12-4
+- Rebuild without bogus prebuild 64 bit seunshare app
+
+* Sun Sep 16 2012 Dan Walsh - 2.1.12-3
+- Allow fixfiles to specify -v, so they can get verbosity rather then progress.
+- Fix load_file Makefile to use SBINDIR rather then real OS.
+- Fix man pages in setfiles and restorecon to reflect what happens when you relabel the entire OS.
+
+* Sun Sep 16 2012 Dan Walsh - 2.1.12-2
+- Use systemd post install scriptlets
+
+* Thu Sep 13 2012 Dan Walsh - 2.1.12-1
+- Update to upstream
+ * genhomedircon: manual page improvements
+ * setfiles/restorecon minor improvements
+ * run_init: If open_init_pty is not available then just use exec
+ * newrole: do not drop capabilities when newrole is run as
+ * restorecon: only update type by default
+ * scripts: Don't syslog setfiles changes on a fixfiles restore
+ * setfiles: do not syslog if no changes
+ * Disable user restorecond by default
+ * Make restorecon return 0 when a file has changed context
+ * setfiles: Fix process_glob error handling
+ * semanage: allow enable/disable under -m
+ * add .tx to gitignore
+ * translations: commit translations from Fedora community
+ * po: silence build process
+ * gui: Checking in policy to support polgengui and sepolgen.
+ * gui: polgen: search for systemd subpackage when generating policy
+ * gui: for exploring booleans
+ * gui: system-config-selinux gui
+ * Add Makefiles to support new gui code
+ * gui: remove lockdown wizard
+ * return equivalency records in fcontext customized
+ * semanage: option to not load new policy into kernel after
+ * sandbox: manpage update to describe standard types
+ * setsebool: -N should not reload policy on changes
+ * semodule: Add -N qualifier to no reload kernel policy
+ * gui: polgen: sort selinux types of user controls
+ * gui: polgen: follow symlinks and get the real path to
+ * gui: Fix missing error function
+ * setfiles: return errors when bad paths are given
+ * fixfiles: tell restorecon to ignore missing paths
+ * setsebool: error when setting multiple options
+ * semanage: use boolean subs.
+ * sandbox: Make sure Xephyr never listens on tcp ports
+ * sepolgen: return and output constraint violation information
+ * semanage: skip comments while reading external configuration files
+ * restorecond: relabel all mount runtime files in the restorecond example
+ * genhomedircon: dynamically create genhomedircon
+ * Allow returning of bastard matches
+ * sepolgen: return and output constraint violation information
+ * audit2allow: one role/type pair per line
+
+* Wed Aug 8 2012 Dan Walsh - 2.1.11-6
+- Change polgen to generate dbus apps as optional so they can compile on minimal policy system, patch from Miroslav Grepl
+
+* Fri Jul 27 2012 Dan Walsh - 2.1.11-5
+- Fix sepolgen/audit2allow to handle multiple role/types in avc messages properly
+
+* Thu Jul 19 2012 Dan Walsh - 2.1.11-4
+- Fix restorecon to generate a better percentage of completion on restorecon -R /.
+- Have audit2allow look at the constaint violation and tell the user whether it
+- is because of user,role or level
+
+
+* Wed Jul 11 2012 Dan Walsh - 2.1.11-3
+- userapps is generating sandbox code in polgengui
+
+* Thu Jul 5 2012 Dan Walsh - 2.1.11-2
+- Remove load_policy symbolic link on usrmove systems this breaks the system
+
+* Wed Jul 4 2012 Dan Walsh - 2.1.11-1
+- Update to upstream
+ - policycoreutils
+ * restorecond: wrong options should exit with non-zero error code
+ * restorecond: Add -h option to get usage command
+ * resorecond: user: fix fd leak
+ * mcstrans: add -f to run in foreground
+ * semanage: fix man page range and level defaults
+ * semanage: bash completion for modules should include -a,-m, -d
+ * semanage: manpage update for -e
+ * semanage: dontaudit off should work
+ * semanage: locallist option does not take an argument
+ * sepolgen: Make use of setools optional within sepolgen
+ - sepolgen
+ * Make use of setools optional within sepolgen
+ * We need to support files that have a + in them
+
+* Thu May 24 2012 Dan Walsh - 2.1.11-18
+- Make restorecon exit with an
error on a bad path
+
+* Thu May 24 2012 Dan Walsh - 2.1.11-17
+- Fix setsebool command, handling of = broken.
+- Add missing error option in booleansPage
+
+* Sun May 20 2012 Dan Walsh - 2.1.11-16
+- Fix sepolgen to use realpath on executables handed to it. - Brian Bickford
+
+* Fri May 18 2012 Dan Walsh - 2.1.11-15
+- Allow stream sock_files to be stored in /tmp and etc_rw_t directories by sepolgen
+- Trigger on selinux-policy needs to change to selinux-policy-devel
+- Update translations
+- Fix semanage dontaudit off/on exception
+
+* Tue May 8 2012 Dan Walsh - 2.1.11-12
+- Add -N qualifier to semanage, setsebool and semodule to allow you to update
+- policy without reloading it into the kernel.
+
+* Thu May 3 2012 Dan Walsh - 2.1.11-11
+- add some definition to the standard types available for sandboxes
+
+* Tue May 1 2012 Dan Walsh - 2.1.11-10
+- Remove lockdown wizard
+
+* Mon Apr 30 2012 Dan Walsh - 2.1.11-9
+- Fix semanage fcontext -E to extract the equivalance customizations.
+
+* Thu Apr 26 2012 Dan Walsh - 2.1.11-8
+- Add mgrepl patch to have sepolgen search for -systemd rpm packages
+
+* Tue Apr 24 2012 Dan Walsh - 2.1.11-7
+- Apply Stef Walter patch for semanage man page
+
+* Mon Apr 23 2012 Dan Walsh - 2.1.11-6
+- Rebuild to get latest libsepol which fixes the file_name transition problems
+- Update translations
+- Fix calls to close fd for restorecond
+
+* Fri Apr 13 2012 Dan Walsh - 2.1.11-5
+- Update translations
+- Fix sepolgen to discover unit files in /lib/systemd/
+
+* Tue Apr 3 2012 Dan Walsh - 2.1.11-4
+- Update translations
+- Fix segfault on restorecon
+
+* Tue Apr 3 2012 Dan Walsh - 2.1.11-3
+- Allow filename transitions to use + in a file name
+
+* Fri Mar 30 2012 Dan Walsh - 2.1.11-2
+- Change policycoreutils-python to require selinux-policy-devel package
+
+* Thu Mar 29 2012 Dan Walsh - 2.1.11-1
+- Update to upstream
+ - policycoreutils
+ * sandbox: do not propogate inside mounts outside
+ * sandbox: Removing sandbox init script, should
no longer be necessary
+ * restorecond: Stop using deprecated interfaces for g_io
+ * semanage: proper auditting of user changes for LSPP
+ * semanage: audit message to show what record(s) and item(s) have chaged
+ * scripts: Update Makefiles to handle /usrmove
+ * mcstrans: Version should have been bumped on last check in
+ * seunshare: Only drop caps not the Bounding Set from seunshare
+ * Add bash-completion scripts for setsebool and semanage
+ * newrole: Use correct capng calls in newrole
+ * Fix infinite loop with inotify on 2.6.31 kernels
+ * fix ftbfs with hardening flags
+ * Only run setfiles if we found read-write filesystems to run it on
+ * update .po files
+ * remove empty po files
+ * do not fail to install if unable to make load_policy lnk file
+
+ - sepolgen
+ * Fix dead links to www.nsa.gov/selinux
+ * audit.py Dont crash if empty data is passed to sepolgen
+ * do not use md5 when calculating hash signatures
+ * fix detection of policy loads
+
+* Wed Mar 28 2012 Dan Walsh - 2.1.10-30
+- Have sepolgen script specify the pp file with the make command. From mgrepl.
+
+* Wed Mar 21 2012 Dan Walsh - 2.1.10-29
+- Fix sepolgen handling of unit files.
+
+* Thu Mar 8 2012 Dan Walsh - 2.1.10-28
+- Require selinux-policy-doc
+
+* Thu Mar 8 2012 Dan Walsh - 2.1.10-27
+- Fix unit file handling in sepolgen
+
+* Wed Feb 29 2012 Dan Walsh - 2.1.10-26
+- Add bash_command completion for setsebool/getsebool
+
+* Mon Feb 27 2012 Dan Walsh - 2.1.10-25
+- Disable restorecond on desktop by default
+- Change seunshare to not modify the bounding set
+
+* Mon Feb 20 2012 Dan Walsh - 2.1.10-24
+- Stop using sandbox init in post install since it no longer exists.
+
+* Thu Feb 16 2012 Dan Walsh - 2.1.10-23
+- Change to use new selinux_current_policy_path()
+
+* Wed Feb 15 2012 Dan Walsh - 2.1.10-22
+- Change to use new selinux_binary_policy_path()
+- Add systemd_passwd_agent_exec($1), and systemd_read_fifo_file_passwd_run($1) to templates for _admin interface
+
+* Fri Feb 3 2012 Dan Walsh - 2.1.10-21
+- On full relabels we will now show a estimated percent complete rather then
+just *s.
+
+* Wed Feb 1 2012 Dan Walsh - 2.1.10-20
+- Add unit_file.py for sepolgen
+
+* Tue Jan 31 2012 Dan Walsh - 2.1.10-19
+- Change sepolgen to use sha256 instead of md5
+
+* Mon Jan 30 2012 Dan Walsh - 2.1.10-18
+- Stop syslogging on full restore
+- Stop syslogging when restorecon is not changing values
+
+* Fri Jan 27 2012 Dan Walsh - 2.1.10-17
+- Change semanage to produce proper audit records for Common Criteria
+- Cleanup packaging for usrmove
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-16
+- fixed load_policy location
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-15
+- fixed load_policy location
+
+* Thu Jan 26 2012 Harald Hoyer 2.1.10-14
+- fixed load_policy location
+
+* Wed Jan 25 2012 Harald Hoyer 2.1.10-13
+- add filesystem guard
+
+* Wed Jan 25 2012 Harald Hoyer 2.1.10-12
+- install everything in /usr
+ https://fedoraproject.org/wiki/Features/UsrMove
+
+* Tue Jan 24 2012 Dan Walsh - 2.1.10-11
+- restorecond fixes:
+ Stop using depracated g_io interfaces
+ Exit with non zero exit code if wrong options given
+ Add -h option
+
+* Thu Jan 19 2012 Dan Walsh - 2.1.10-10
+- Eliminate not needed Requires
+
+* Wed Jan 18 2012 Dan Walsh - 2.1.10-9
+- fix sepolgen to not crash on echo "" | audit2allow
+
+* Mon Jan 16 2012 Dan Walsh - 2.1.10-8
+- Remove sandbox init script, should no longer be necessary
+
+* Sun Jan 15 2012 Dan Walsh - 2.1.10-7
+- Add unit file support to sepolgen, and cleanup some of the output.
+
+* Mon Jan 9 2012 Dan Walsh - 2.1.10-5
+- Fix English in templates for sepolgen
+
+* Fri Dec 23 2011 Dan Walsh - 2.1.10-4
+- Fix the handling of namespaces in seunshare/sandbox.
+- Currently mounting of directories within sandbox is propogating to the
+- parent namesspace.
+
+* Thu Dec 22 2011 Dan Walsh - 2.1.10-3
+- Add umount code to seunshare to cleanup left over mounts of /var/tmp
+
+* Wed Dec 21 2011 Dan Walsh - 2.1.10-2
+- Remove open_init_pty
+
+* Wed Dec 21 2011 Dan Walsh - 2.1.10-1
+-Update to upstream
+- sepolgen
+ * better analysis of why things broke
+- policycoreutils
+ * Remove excess whitespace
+ * sandbox: Add back in . functions to sandbox.init script
+ * Fix Makefile to match other policycoreutils Makefiles
+ * semanage: drop unused translation getopt
+
+* Thu Dec 15 2011 Dan Walsh - 2.1.9-3
+- Bump libsepol version requires rebuild
+
+* Wed Dec 7 2011 Dan Walsh - 2.1.9-2
+- Add back accidently dropped patches for semanage
+
+* Tue Dec 6 2011 Dan Walsh - 2.1.9-1
+- Upgrade to upstream
+ * sandbox: move sandbox.conf.5 to just sandbox.5
+ * po: Makefile use -p to preserve times to allow multilib simultatious installs
+ * of po files
+ * sandbox: Allow user to specify the DPI value for X in a sandbox
+ * sandbox: make sure the domain launching sandbox has at least 100 categories
+ * sandbox: do not try forever to find available category set
+ * sandbox: only complain if sandbox unable to launch
+ * sandbox: init script run twice is still successful
+ * semanage: print local and dristo equiv rules
+ * semanage: check file equivalence rules for conflict
+ * semanage: Make sure semanage fcontext -l -C prints even if local keys
+ * are not defined
+ * semanage: change src,dst to target,substitute for equivalency
+ * sestatus: Updated sestatus and man pages.
+ * Added SELinux config file man page.
+ * add clean target to man Makefile
+
+* Wed Nov 30 2011 Dan Walsh - 2.1.8-8
+- Fix semange fcontext -a to check for more conflicts on equivalency
+
+* Tue Nov 29 2011 Dan Walsh - 2.1.8-7
+- Fix dpi handling in sandbox
+- Make sure semanage fcontext -l -C prints if only local equiv have changed
+
+* Wed Nov 16 2011 Dan Walsh - 2.1.8-6
+- Add listing of distribution equivalence class from semanage fcontext -l
+- Add checking to semanage fcontext -a to guarantee a file specification will not be masked by an equivalence
+
+* Wed Nov 16 2011 Dan Walsh - 2.1.8-5
+- Allow ~ as a valid part of a filename in sepolgen
+
+* Fri Nov 11 2011 Dan Walsh - 2.1.8-4
+- sandbox init script should always return 0
+- sandbox command needs to check range of categories and report error if not big enough
+
+* Mon Nov 7 2011 Dan Walsh - 2.1.8-3
+- Allow user to specify DPI when running sandbox
+
+* Mon Nov 7 2011 Dan Walsh - 2.1.8-2
+- Add Miroslav patch to return all attributes
+
+* Fri Nov 4 2011 Dan Walsh - 2.1.8-1
+- Upgrade to policycoreutils upstream
+ * sandbox: Maintain the LANG environment into the sandbox
+ * audit2allow: use audit2why internally
+ * fixfiles: label /root but not /var/lib/BackupPC
+ * semanage: update local boolean settings is dealing with localstore
+ * semanage: missing modify=True
+ * semanage: set modified correctly
+ * restorecond: make restorecond dbuss-able
+ * restorecon: Always check return code on asprintf
+ * restorecond: make restorecond -u exit when terminal closes
+ * sandbox: introduce package name and language stuff
+ * semodule_package: remove semodule_unpackage on clean
+ * fix sandbox Makefile to support DESTDIR
+ * semanage: Add -o description to the semanage man page
+ * make use of the new realpath_not_final function
+ * setfiles: close /proc/mounts file when finished
+ * semodule: Document semodule -p in man page
+ * setfiles: fix use before initialized
+ * restorecond: Add .local/share as a directory to watch
+- Upgrade to sepolgen
upstream
+ * Ignore permissive qualifier if found in an interface
+ * Return name field in avc data
+
+* Mon Oct 31 2011 Dan Walsh - 2.1.7-6
+- Rebuild versus newer libsepol
+
+* Fri Oct 28 2011 Dan Walsh - 2.1.7-5
+- A couple of minor coverity fixes for a potential leaked file descriptor
+- An an unchecked return code.
+- Add ~/.local/share/* to restorecond_user watches
+
+* Thu Oct 13 2011 Dan Walsh - 2.1.7-4
+- Have sepolgen return name field in AVC
+
+* Thu Oct 6 2011 Dan Walsh - 2.1.7-3
+- restorecond -u needs to watch terminal for exit if run outside of dbus.
+
+* Tue Oct 4 2011 Dan Walsh - 2.1.7-2
+- Do not drop capabilities if running newrole as root
+
+* Fri Sep 30 2011 Dan Walsh - 2.1.7-1
+-Update to upstream
+ * semanage: fix indentation error in seobject
+
+* Thu Sep 29 2011 Dan Walsh - 2.1.6-3
+- Ignore permissive commands in interfaces
+
+* Thu Sep 29 2011 Dan Walsh - 2.1.6-2
+- Remove gnome requirement from polgengui
+
+* Mon Sep 19 2011 Dan Walsh - 2.1.6-1
+-Update to upstream
+ policycoreutils-2.1.6
+ * sepolgen-ifgen: new attr-helper does something
+ * audit2allow: use alternate policy file
+ * audit2allow: sepolgen-ifgen use the attr helper
+ * setfiles: switch from stat to stat64
+ * setfiles: Fix potential crash using dereferenced ftsent
+ * setfiles: do not wrap * output at 80 characters
+ * sandbox: add -Wall and -Werror to makefile
+ * sandbox: add sandbox cgroup support
+ * sandbox: rewrite /tmp handling
+ * sandbox: do not bind mount so much
+ * sandbox: add level based kill option
+ * sandbox: cntrl-c should kill entire process control group
+ * Create a new preserve_tunables flag in sepol_handle_t.
+ * semanage: show running and disk setting for booleans
+ * semanage: Dont print heading if no items selected
+ * sepolgen: audit2allow is mistakakenly not allowing valid module names
+ * semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
+ * More files to ignore
+ * tree: default make target to all not install
+ * sandbox: do not load unused generic init functions
+ sepolgen-1.1.2
+ * src: sepolgen: add attribute storing infrastructure
+ * Change perm-map and add open to try to get better results on
+ * look for booleans that might solve problems
+ * sepolgen: audit2allow is mistakakenly not allowing valid module names
+ * tree: default make target to all not install
+
+* Wed Sep 14 2011 Dan Walsh - 2.1.5-6
+- Change separator on -L from ; to :
+
+* Thu Sep 8 2011 Dan Walsh - 2.1.5-5
+- Add back lockdown wizard for booleans using pywebkitgtk
+
+* Wed Sep 7 2011 Dan Walsh - 2.1.5-4
+- Maintain the LANG environment Variable into the sandbox
+- Change restorecon/setfiles to only change type part of the context unless
+ -f qualifier is given
+
+* Tue Sep 6 2011 Dan Walsh - 2.1.5-3
+- Remove lockdown wizard, since gtkhtml2 is no longer supported.
+
+* Fri Sep 2 2011 Dan Walsh - 2.1.5-2
+- Allow setfiles and restorecon to use labeledprefix to speed up processing
+and limit memory.
+
+* Tue Aug 30 2011 Dan Walsh - 2.1.5-1
+-Update to upstream
+ * policycoreutils
+ * setfiles: Fix process_glob to handle error situations
+ * sandbox: Allow seunshare to run as root
+ * sandbox: trap sigterm to make sure sandbox
+ * sandbox: pass DPI from the desktop
+ * sandbox: seunshare: introduce helper spawn_command
+ * sandbox: seunshare: introduce new filesystem helpers
+ * sandbox: add -C option to not drop
+ * sandbox: split seunshare caps dropping
+ * sandbox: use dbus-launch
+ * sandbox: numerous simple updates to sandbox
+ * sandbox: do not require selinux context
+ * sandbox: Makefile: new man pages
+ * sandbox: rename dir to srcdir
+ * sandbox: allow users specify sandbox window size
+ * sandbox: check for paths up front
+ * sandbox: use defined values for paths rather
+ * sandbox: move seunshare globals to the top
+ * sandbox: whitespace fix
+ * semodule_package: Add semodule_unpackage executable
+ * setfiles: get rid of some stupid globals
+ * setfiles: move exclude_non_seclabel_mounts to a generic location
+ * sepolgen
+ * refparser: include open among valid permissions
+ * refparser: add support for filename_trans rules
+
+* Thu Aug 18 2011 Dan Walsh - 2.1.4-2
+- Fix bug in glob handling for restorecon
+
+* Thu Aug 18 2011 Dan Walsh - 2.1.4-1
+-Update to upstream
+2.1.4 2011-08-17
+ * run_init: clarification of the usage in the
+ * semanage: fix usage header around booleans
+ * semanage: remove useless empty lines
+ * semanage: update man page with new examples
+ * semanage: update usage text
+ * semanage: introduce file context equivalencies
+ * semanage: enable and disable modules
+ * semanage: output all local modifications
+ * semanage: introduce extraction of local configuration
+ * semanage: cleanup error on invalid operation
+ * semanage: handle being called with no arguments
+ * semanage: return sooner to save CPU time
+ * semanage: surround getopt with try/except
+ * semanage: use define/raise instead of lots of
+ * semanage: some
options are only valid for
+ * semanage: introduce better deleteall support
+ * semanage: do not allow spaces in file
+ * semanage: distinguish between builtin and local permissive
+ * semanage: centralized ip node handling
+ * setfiles: make the restore function exclude() non-static
+ * setfiles: use glob to handle ~ and
+ * fixfiles: do not hard code types
+ * fixfiles: stop trying to be smart about
+ * fixfiles: use new kernel seclabel option
+ * fixfiles: pipe everything to cat before sending
+ * fixfiles: introduce /etc/selinux/fixfiles_exclude_dirs
+ * semodule: support for alternative root paths
+
+2.1.3 2011-08-03
+ * semanage: fix indention
+ * semodule_package: fix man page typo
+ * semodule_expand: update man page with -a
+ * semanage: handle os errors
+ * semanage: fix traceback with bad options
+ * semanage: show usage on -h or --help
+ * semanage: introduce more deleteall options
+ * semanage: verify ports < 65536
+ * transaction into semanageRecords
+ * make get_handle a method of semanageRecords
+ * remove a needless blank line
+ * make process_one error if not initialized correctly
+ * fixfiles: correct usage for r_opts.rootpath
+ * put -p in help for restorecon and
+ * fixfiles: do not try to only label
+ * fixfiles clean up /var/run and /var/lib/debug
+ * fixfiles delete tmp sockets and pipes rather
+ * fixfile use find -delete instead of pipe
+ * chcat man page typo
+ * add man page for genhomedircon
+ * setfiles fix typo
+ * setsebool should inform users they need to
+ * setsebool typos
+ * open_init_tty man page typos
+ * Don't add user site directory to sys.path
+ * newrole retain CAP_SETPCAP
+
+2.1.2 2011-08-02
+ * seunshare: define _GNU_SOURCE earlier
+ * make ignore_enoent do something
+ * restorecond: first user logged in is not noticed
+ * Repo: update .gitignore
+
+2.1.1 2011-08-01
+ * Man page updates
+ * restorecon fix for bad inotify assumptions
+
+2.1.0 2011-07-27
+ * Release, minor version bump
+
+* Tue Jul 26 2011 Dan Walsh
2.0.86-20
+- Fix sepolgen usage statement
+- Stop using -k insandbox
+- Fix seunshare usage statement
+
+* Thu Jul 7 2011 Dan Walsh 2.0.86-18
+- Change seunshare to send kill signals to the childs session.
+- Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
+
+* Wed Jul 6 2011 Dan Walsh 2.0.86-17
+- Add -k qualifier to seunshare to have it attempt to kill all processes with
+the matching MCS label.
+
+* Tue Jul 5 2011 Dan Walsh 2.0.86-16
+- Add -C option to sandbox and seunshare to maintain capabilities, otherwise
+the bounding set will be dropped.
+- Change --cgroups short name -c rather then -C for consistancy
+- Fix memory and fd leaks in seunshare
+
+* Wed Jun 29 2011 Jóhann B. Guðmundsson - 2.0.86-15
+- Introduce systemd unit file for restorecond drop SysV support
+
+* Mon Jun 13 2011 Dan Walsh 2.0.86-14
+- Do not drop capability bounding set in seunshare, this allows sandbox to
+- run setuid apps.
+
+* Fri Jun 10 2011 Dan Walsh 2.0.86-13
+- Add semanage-bash-completion.sh script
+
+* Tue Jun 7 2011 Dan Walsh 2.0.86-12
+- Remove mount -o bind calls from sandbox init script
+- pam_namespace now has this built in.
+
+* Tue Jun 7 2011 Dan Walsh 2.0.86-11
+- Pass desktop dpi to sandbox Xephyr window
+
+* Mon Jun 6 2011 Dan Walsh 2.0.86-10
+- Allow semodule to pick alternate root for selinux files
+- Add ~/.config/* to restorcond_user.conf, so restorecond will watch for mislabeled files in this directory.
+
+* Wed May 25 2011 Dan Walsh 2.0.86-9
+- Fix var_spool template read_spool_files
+- Fix sepolgen to handle filename transitions
+
+* Mon May 23 2011 Dan Walsh 2.0.86-8
+- Templates cleanedup by Dominic Grift
+
+* Fri Apr 29 2011 Dan Walsh 2.0.86-7
+- Clean up some of the templates for sepolgen
+
+* Fri Apr 22 2011 Dan Walsh 2.0.86-6
+- Apply patches from Christoph A.
+ * fix sandbox title
+ * stop xephyr from li
+- Also ignore errors on sandbox include of directory missing files
+
+* Thu Apr 21 2011 Dan Walsh 2.0.86-5
+- rebuild versus latest libsepol
+
+* Mon Apr 18 2011 Dan Walsh 2.0.86-4
+- Change fixfiles restore to delete unlabeled sockets in /tmp
+
+* Mon Apr 18 2011 Dan Walsh 2.0.86-2
+- rebuild versus latest libsepol
+
+* Tue Apr 12 2011 Dan Walsh 2.0.86-1
+- Update to upstream
+ * Use correct color range in mcstrand by Richard Haines.
+
+* Mon Apr 11 2011 Dan Walsh 2.0.85-30
+- Add Elia Pinto patches to allow user to specify directories to ignore
+
+* Tue Apr 5 2011 Dan Walsh 2.0.85-29
+- Fix policycoreutils-sandbox description
+
+* Tue Mar 29 2011 Dan Walsh 2.0.85-28
+- rsynccmd should run outside of execcon
+
+* Thu Mar 24 2011 Dan Walsh 2.0.85-27
+- Fix semange node handling of ipv6 addresses
+
+* Wed Mar 23 2011 Dan Walsh 2.0.85-26
+- Fix sepolgen-ifgen call, add -p option
+
+* Wed Mar 23 2011 Dan Walsh 2.0.85-25
+- Fix sepolgen-ifgen call
+
+* Fri Mar 18 2011 Dan Walsh 2.0.85-24
+- Fix rsync command to work if the directory is old.
+- Fix all tests
+
+* Wed Mar 16 2011 Dan Walsh 2.0.85-23
+- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
+
+* Wed Mar 16 2011 Dan Walsh 2.0.85-22
+- Return to original seunshare man page
+
+* Fri Mar 11 2011 Dan Walsh 2.0.85-21
+- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
+- This will allow default sandboxes to work on NFS homedirs without allowing
+ access to homedir data
+
+* Fri Mar 11 2011 Dan Walsh 2.0.85-20
+- Change sepolgen-ifgen to search all available policy files
+- Exit in restorecond if it can not find a UID in the passwd database
+
+* Wed Mar 9 2011 Dan Walsh 2.0.85-19
+- Fix portspage in system-config-selinux to not crash
+- More fixes for seunshare from Tomas Hoger
+
+* Tue Mar 8 2011 Dan Walsh 2.0.85-18
+- put back in old handling of -T in sandbox command
+- Put back setsid in seunshare
+- Fix rsync to maintain times
+
+* Tue Mar 8 2011 Dan Walsh 2.0.85-17
+- Use rewritten seunshare from thoger
+
+* Mon Mar 7 2011 Dan Walsh 2.0.85-16
+- Require python-IPy for policycoreutils-python package
+- Fixes for sepologen
+ - Usage statement needs -n name
+ - Names with _ are being prevented
+ - dbus apps should get _chat interface
+
+* Thu Mar 3 2011 Dan Walsh 2.0.85-15
+- Fix error message in seunshare, check for tmpdir existance before unlink.
+
+* Fri Feb 25 2011 Dan Walsh 2.0.85-13
+- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
+- Only allow names in polgengui that contain letters and numbers
+- Fix up node handling in semanage command
+- Update translations
+
+* Wed Feb 09 2011 Fedora Release Engineering - 2.0.85-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Feb 3 2011 Dan Walsh 2.0.85-11
+- Fix sandbox policy creation with udp connect ports
+
+* Thu Feb 3 2011 Dan Walsh 2.0.85-10
+- Cleaup selinux-polgengui to be a little more modern, fix comments and use selected name
+- Cleanup chcat man page
+
+* Wed Feb 2 2011 Dan Walsh 2.0.85-9
+- Report full errors on OSError on Sandbox
+
+* Fri Jan 21 2011 Dan Walsh 2.0.85-8
+- Fix newrole hanlding of pcap
+
+* Wed Jan 19 2011 Dan Walsh 2.0.85-7
+- Have restorecond watch more directories in homedir
+
+* Fri Jan 14 2011 Dan Walsh 2.0.85-6
+- Add sandbox to sepolgen
+
+* Thu Jan 6 2011 Dan Walsh 2.0.85-4
+- Fix proper handling of getopt errors
+- Do not allow modules names to contain spaces
+
+* Wed Jan 5 2011 Dan Walsh 2.0.85-3
+- Polgengui raises the wrong type of exception.
#471078 +- Change semanage to not allow it to semanage module -D +- Change setsebool to suggest run as root on failure + +* Wed Dec 22 2010 Dan Walsh 2.0.85-2 +- Fix restorecond watching utmp file for people logging in our out + +* Tue Dec 21 2010 Dan Walsh 2.0.85-1 +- Update to upstream + +* Thu Dec 16 2010 Dan Walsh 2.0.84-5 +- Change to allow sandbox to run on nfs homedirs, add start python script + +* Wed Dec 15 2010 Dan Walsh 2.0.84-4 +- Move seunshare to sandbox package + +* Mon Nov 29 2010 Dan Walsh 2.0.84-3 +- Fix sandbox to show correct types in usage statement + +* Mon Nov 29 2010 Dan Walsh 2.0.84-2 +- Stop fixfiles from complaining about missing dirs + +* Mon Nov 22 2010 Dan Walsh 2.0.84-1 +- Update to upstream +- List types available for sandbox in usage statement + +* Mon Nov 22 2010 Dan Walsh 2.0.83-37 +- Don't report error on load_policy when system is disabled. + +* Mon Nov 8 2010 Dan Walsh 2.0.83-36 +- Fix up problems pointed out by solar designer on dropping capabilities + +* Mon Nov 1 2010 Dan Walsh 2.0.83-35 +- Check if you have full privs and reset otherwise dont drop caps + +* Mon Nov 1 2010 Dan Walsh 2.0.83-34 +- Fix setools require line + +* Fri Oct 29 2010 Dan Walsh 2.0.83-33 +- Move /etc/pam.d/newrole in to polcicycoreutils-newrole +- Additional capability checking in sepolgen + +* Mon Oct 25 2010 Dan Walsh 2.0.83-32 +- Remove setuid flag and replace with file capabilities +- Fix sandbox handling of files with spaces in them + +* Wed Sep 29 2010 jkeating - 2.0.83-31 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Dan Walsh 2.0.83-30 +- Move restorecond into its own subpackage + +* Thu Sep 23 2010 Dan Walsh 2.0.83-29 +- Fix semanage man page + +* Mon Sep 13 2010 Dan Walsh 2.0.83-28 +- Add seremote, to allow the execution of command inside the sandbox from outside the sandbox. 
+
+* Mon Sep 13 2010 Dan Walsh 2.0.83-27
+- Fix sandbox copyfile when copying a dir with a socket, print error
+
+* Fri Sep 10 2010 Dan Walsh 2.0.83-26
+- Stop polgengui from crashing if selinux policy is not installed
+
+* Thu Sep 9 2010 Dan Walsh 2.0.83-25
+- Fix bug preventing sandbox from using -l
+
+* Tue Sep 7 2010 Dan Walsh 2.0.83-24
+- Eliminate quotes fro desktop files
+
+* Mon Aug 30 2010 Dan Walsh 2.0.83-23
+- Add -w windowsize patch from Christoph A.
+
+* Mon Aug 30 2010 Dan Walsh 2.0.83-22
+- Update po
+
+* Wed Aug 25 2010 Dan Walsh 2.0.83-21
+- Update po
+
+* Tue Aug 24 2010 Dan Walsh 2.0.83-20
+- Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC;
+- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
+- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
+- Clean up error handling so error will get sent back to sandbox tool
+
+* Mon Aug 23 2010 Dan Walsh 2.0.83-19
+- Fix translation handling in file context page of system-config-selinux
+
+* Fri Aug 13 2010 Dan Walsh 2.0.83-18
+- Fix sandbox error handling
+
+* Fri Aug 13 2010 Dan Walsh 2.0.83-17
+- Apply patch to restorecond from Chris Adams, which will cause restorecond
+- to watch first user that logs in.
+
+* Thu Aug 12 2010 Dan Walsh 2.0.83-16
+- Add COPYING file to doc dir
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-15
+- Update po and translations
+Resolves: #610473
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-14
+- More fixes for polgen tools
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-13
+- Remove requirement to run selinux-polgen as root
+
+* Thu Aug 5 2010 Dan Walsh 2.0.83-12
+- Update po and translations
+- Fix gui policy generation tools
+
+* Wed Aug 4 2010 Dan Walsh 2.0.83-11
+- Update po and translations
+
+* Sat Jul 31 2010 David Malcolm - 2.0.83-10
+- rebuild against python 2.7
+
+* Wed Jul 28 2010 Dan Walsh 2.0.83-9
+- Update selinux-polgengui to sepolgen policy generation
+
+* Wed Jul 28 2010 Dan Walsh 2.0.83-8
+- Fix invalid free in seunshare and fix man page
+
+* Tue Jul 27 2010 Dan Walsh 2.0.83-7
+- Update translations
+
+* Mon Jul 26 2010 Dan Walsh 2.0.83-6
+- Fix sandbox man page
+
+* Wed Jul 21 2010 David Malcolm - 2.0.83-5
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Jul 20 2010 Dan Walsh 2.0.83-4
+- Add translations for menus
+- Fixup man page from Russell Coker
+
+* Tue Jun 15 2010 Dan Walsh 2.0.83-3
+- Change python scripts to use -s flag
+- Update po
+
+* Tue Jun 15 2010 Dan Walsh 2.0.83-1
+- Update to upstream
+ * Add sandbox support from Dan Walsh with modifications from Steve Lawrence.
+
+* Tue Jun 15 2010 Dan Walsh 2.0.82-31
+- Fix sepolgen code generation
+Resolve: #603001
+
+* Tue Jun 8 2010 Dan Walsh 2.0.82-30
+- Add cgroup support for sandbox
+
+* Mon Jun 7 2010 Dan Walsh 2.0.82-29
+- Allow creation of /var/cache/DOMAIN from sepolgen
+
+* Thu Jun 3 2010 Dan Walsh 2.0.82-28
+- Fix sandbox init script
+- Add dbus-launch to sandbox -X
+Resolve: #599599
+
+* Thu Jun 3 2010 Dan Walsh 2.0.82-27
+- Move genhomedircon.8 to same package as genhomedircon
+- Fix sandbox to pass unit test
+Resolves: #595796
+
+* Wed Jun 2 2010 Dan Walsh 2.0.82-26
+- Fix listing of booleans from audit2allow
+
+* Wed Jun 2 2010 Dan Walsh 2.0.82-25
+- Fix audit2allow to output if the current policy has avc
+- Update translations
+- Fix icon
+
+* Thu May 27 2010 Dan Walsh 2.0.82-24
+- Man page fixes
+- sandbox fixes
+- Move seunshare to base package
+
+* Fri May 21 2010 Dan Walsh 2.0.82-23
+- Fix seunshare translations
+- Fix seunshare to work on all arches
+- Fix icon for system-config-selinux
+Resolves: #595276
+
+* Fri May 21 2010 Dan Walsh 2.0.82-22
+- Fix can_exec definition in sepolgen
+
+* Fri May 21 2010 Dan Walsh 2.0.82-21
+- Add man page for seunshare and genhomedircon
+Resolves: #594303
+- Fix node management via semanage
+
+* Wed May 19 2010 Dan Walsh 2.0.82-20
+- Fixes from upstream for sandbox command
+Resolves: #580938
+
+* Thu May 13 2010 Dan Walsh 2.0.82-18
+- Fix sandbox error handling on copyfile
+- Fix desktop files
+
+* Tue May 11 2010 Dan Walsh 2.0.82-17
+- Fix policy tool to have correct name in menus
+- Fix seunshare to handle /tmp being in ~/home
+- Fix saving of altered files
+- Update translations
+
+* Tue May 4 2010 Dan Walsh 2.0.82-15
+- Allow audit2allow to specify alternative policy file for analysis
+
+* Mon May 3 2010 Dan Walsh 2.0.82-14
+- Update po
+- Fix sepolgen --no_attrs
+Resolves: #588280
+
+* Thu Apr 29 2010 Dan Walsh 2.0.82-13
+- Make semanage boolean work on disabled machines and during livecd xguest
+- Fix homedir and tmpdir handling in sandbox
+Resolves: #587263
+
+* Wed Apr 28 2010 Dan Walsh 2.0.82-11
+- Make semanage boolean work on disabled machines
+
+* Tue Apr 27 2010 Dan Walsh 2.0.82-10
+- Make sepolgen-ifgen be quiet
+
+* Wed Apr 21 2010 Dan Walsh 2.0.82-8
+- Make sepolgen report on more interfaces
+- Fix system-config-selinux display of modules
+
+* Thu Apr 15 2010 Dan Walsh 2.0.82-7
+- Fix crash when args are empty
+Resolves: #582542
+- Fix semange to exit on bad options
+- Fix semanage dontaudit man page section
+Resolves: #582533
+
+* Wed Apr 14 2010 Dan Walsh 2.0.82-6
+- Remove debug line from semanage
+- Update po
+
+* Tue Apr 13 2010 Dan Walsh 2.0.82-5
+- Fix sandbox comment on HOMEDIRS
+- Fix sandbox to throw error on bad executable
+
+* Tue Apr 6 2010 Dan Walsh 2.0.82-4
+- Fix spacing in templates
+
+* Wed Mar 31 2010 Dan Walsh 2.0.82-3
+- Fix semanage return codes
+
+* Tue Mar 30 2010 Dan Walsh 2.0.82-2
+- Fix sepolgen to confirm to the "Reference Policy Style Guide"
+
+* Tue Mar 23 2010 Dan Walsh 2.0.82-1
+- Update to upstream
+ * Add avc's since boot from Dan Walsh.
+ * Fix unit tests from Dan Walsh.
+
+* Tue Mar 23 2010 Dan Walsh 2.0.81-4
+- Update to upstream - sepolgen
+ * Add since-last-boot option to audit2allow from Dan Walsh.
+ * Fix sepolgen output to match what Chris expects for upstream
+ refpolicy from Dan Walsh.
+
+* Mon Mar 22 2010 Dan Walsh 2.0.81-3
+- Allow restorecon on > 2 Gig files
+
+* Tue Mar 16 2010 Dan Walsh 2.0.81-2
+- Fix semanage handling of boolean options
+- Update translations
+
+* Fri Mar 12 2010 Dan Walsh 2.0.81-1
+- Update to upstream
+ * Add dontaudit flag to audit2allow from Dan Walsh.
+
+* Thu Mar 11 2010 Dan Walsh 2.0.80-2
+- Use --rbind in sandbox init scripts
+
+* Mon Mar 8 2010 Dan Walsh 2.0.80-1
+- Update to upstream
+ * Module enable/disable support from Dan Walsh.
+
+* Mon Mar 1 2010 Dan Walsh 2.0.79-5
+- Rewrite of sandbox script, add unit test for sandbox
+- Update translations
+
+* Mon Mar 1 2010 Dan Walsh 2.0.79-4
+- Fix patch for dontaudit rules from audit2allow for upstream acceptance
+
+* Fri Feb 26 2010 Dan Walsh 2.0.79-3
+- Fixes for fixfiles
+
+* Wed Feb 17 2010 Dan Walsh 2.0.79-2
+- Fix sandbox to complain if mount-shared has not been run
+- Fix to use /etc/sysconfig/sandbox
+
+* Tue Feb 16 2010 Dan Walsh 2.0.79-1
+- Update to upstream
+ * Fix double-free in newrole
+- Fix python language handling
+
+* Thu Feb 11 2010 Dan Walsh 2.0.78-21
+- Fix display of command in sandbox
+
+* Fri Feb 5 2010 Dan Walsh 2.0.78-20
+- Catch OSError in semanage
+
+* Wed Feb 3 2010 Dan Walsh 2.0.78-19
+- Fix seobject and fixfiles
+
+* Fri Jan 29 2010 Dan Walsh 2.0.78-17
+- Change seobject to use translations properly
+
+* Thu Jan 28 2010 Dan Walsh 2.0.78-16
+- Cleanup spec file
+Resolves: 555835
+
+* Thu Jan 28 2010 Dan Walsh 2.0.78-15
+- Add use_resolve to sepolgen
+
+* Wed Jan 27 2010 Dan Walsh 2.0.78-14
+- Add session capability to sandbox
+- sandbox -SX -H ~/.homedir -t unconfined_t -l s0:c15 /etc/gdm/Xsession
+
+* Thu Jan 21 2010 Dan Walsh 2.0.78-13
+- Fix executable template for fifo files
+
+* Tue Jan 19 2010 Dan Walsh 2.0.78-12
+- Fix patch xod xmodmap
+- Exit 0 from script
+
+* Thu Jan 14 2010 Dan Walsh 2.0.78-11
+- Run with the same xdmodmap in sandbox as outside
+- Patch from Josh Cogliati
+
+* Fri Jan 8 2010 Dan Walsh 2.0.78-10
+- Fix sepolgen to not generate user sh section on non user policy
+
+* Fri Jan 8 2010 Dan Walsh 2.0.78-9
+- Add -e to semanage man page
+- Add -D qualifier to audit2allow to generate dontaudit rules
+
+* Wed Jan 6 2010 Dan Walsh 2.0.78-8
+- Speed up audit2allow processing of audit2why comments
+
+* Fri Dec 18 2009 Dan Walsh 2.0.78-7
+- Fixes to sandbox man page
+
+* Thu Dec 17 2009 Dan Walsh 2.0.78-6
+- Add setools-libs-python to requires for gui
+
+* Wed Dec 16 2009 Dan Walsh 2.0.78-5
+- If restorecond running as a user has no files to watch then it should exit. (NFS Homedirs)
+
+* Thu Dec 10 2009 Dan Walsh 2.0.78-4
+- Move sandbox man page to base package
+
+* Tue Dec 8 2009 Dan Walsh 2.0.78-3
+- Fix audit2allow to report constraints, dontaudits, types, booleans
+
+* Fri Dec 4 2009 Dan Walsh 2.0.78-2
+- Fix restorecon -i to ignore enoent
+
+* Tue Dec 1 2009 Dan Walsh 2.0.78-1
+- Update to upstream
+ * Remove non-working OUTFILE from fixfiles from Dan Walsh.
+ * Additional exception handling in chcat from Dan Walsh.
+
+ * fix sepolgen to read a "type 1403" msg as a policy load by Stephen
+ Smalley
+ * Add support for Xen ocontexts from Paul Nuzzi.
+
+* Tue Nov 24 2009 Dan Walsh 2.0.77-1
+- Update to upstream
+ * Fixed bug preventing semanage node -a from working
+ from Chad Sellers
+ * Fixed bug preventing semanage fcontext -l from working
+ from Chad Sellers
+- Change semanage to use unicode
+
+* Wed Nov 18 2009 Dan Walsh 2.0.76-1
+- Update to upstream
+ * Remove setrans management from semanage, as it does not work
+ from Dan Walsh.
+ * Move load_policy from /usr/sbin to /sbin from Dan Walsh.
+
+* Mon Nov 16 2009 Dan Walsh 2.0.75-3
+- Raise exception if user tries to add file context with an embedded space
+
+* Wed Nov 11 2009 Dan Walsh 2.0.75-2
+- Fix sandbox to setsid so it can run under mozilla without crashing the session
+
+* Mon Nov 2 2009 Dan Walsh 2.0.75-1
+- Update to upstream
+ * Factor out restoring logic from setfiles.c into restore.c
+
+* Fri Oct 30 2009 Dan Walsh 2.0.74-15
+- Fix typo in seobject.py
+
+* Fri Oct 30 2009 Dan Walsh 2.0.74-14
+- Allow semanage -i and semanage -o to generate customization files.
+- semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration
+
+* Tue Oct 20 2009 Dan Walsh 2.0.74-13
+- Fix restorecond man page
+
+* Mon Oct 19 2009 Dan Walsh 2.0.74-12
+- Add generation of the users context file to polgengui
+
+* Fri Oct 16 2009 Dan Walsh 2.0.74-11
+- Remove tabs from system-config-selinux glade file
+
+* Thu Oct 15 2009 Dan Walsh 2.0.74-10
+- Remove translations screen from system-config-selinux
+
+* Wed Oct 14 2009 Dan Walsh 2.0.74-9
+- Move fixfiles man pages into the correct package
+- Add genhomedircon to fixfiles restore
+
+* Tue Oct 6 2009 Dan Walsh 2.0.74-8
+- Add check to sandbox to verify save changes - Chris Pardy
+- Fix memory leak in restorecond - Steve Grubb
+
+* Thu Oct 1 2009 Dan Walsh 2.0.74-7
+- Fixes Templates
+
+* Thu Oct 1 2009 Dan Walsh 2.0.74-6
+- Fixes for polgengui to handle tcp ports correctly
+- Fix semanage node -a
+
+* Wed Sep 30 2009 Dan Walsh 2.0.74-5
+- Fixes for semanage -equiv, readded modules, --enable, --disable
+
+* Sun Sep 20 2009 Dan Walsh 2.0.74-4
+- Close sandbox when eclipse exits
+
+* Fri Sep 18 2009 Dan Walsh 2.0.74-3
+- Security fixes for seunshare
+- Fix Sandbox to handle non file input to command.
+
+* Thu Sep 17 2009 Dan Walsh 2.0.74-2
+- Security fixes for seunshare
+
+* Thu Sep 17 2009 Dan Walsh 2.0.74-1
+- Update to upstream
+ * Change semodule upgrade behavior to install even if the module
+ is not present from Dan Walsh.
+ * Make setfiles label if selinux is disabled and a seclabel aware
+ kernel is running from Caleb Case.
+ * Clarify forkpty() error message in run_init from Manoj Srivastava.
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-5
+- Fix sandbox to handle relative paths
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-4
+- Add symbolic link to load_policy
+
+* Mon Sep 14 2009 Dan Walsh 2.0.73-3
+- Fix restorecond script to use force-reload
+
+* Tue Sep 8 2009 Dan Walsh 2.0.73-2
+- Fix init script to show status in usage message
+
+* Tue Sep 8 2009 Dan Walsh 2.0.73-1
+- Update to upstream
+ * Add semanage dontaudit to turn off dontaudits from Dan Walsh.
+ * Fix semanage to set correct mode for setrans file from Dan Walsh.
+ * Fix malformed dictionary in portRecord from Dan Walsh.
+ * Restore symlink handling support to restorecon based on a patch by
+ Martin Orr. This fixes the restorecon /dev/stdin performed by Debian
+ udev scripts that was broken by policycoreutils 2.0.70.
+
+* Thu Sep 3 2009 Dan Walsh 2.0.71-15
+- Add DAC_OVERRIED to seunshare
+
+* Wed Sep 2 2009 Bill Nottingham 2.0.71-15
+- Fix typo
+
+* Fri Aug 28 2009 Dan Walsh 2.0.71-14
+- Add enable/disable patch
+
+* Thu Aug 27 2009 Tomas Mraz - 2.0.71-13
+- rebuilt with new audit
+
+* Wed Aug 26 2009 Dan Walsh 2.0.71-12
+- Tighten up controls on seunshare.c
+
+* Wed Aug 26 2009 Dan Walsh 2.0.71-11
+- Add sandboxX
+
+* Sat Aug 22 2009 Dan Walsh 2.0.71-10
+- Fix realpath usage to only happen on argv input from user
+
+* Fri Aug 21 2009 Ville Skyttä - 2.0.71-9
+- Don't try to remove restorecond after last erase (done already in %%preun).
+- Ensure scriptlets exit with status 0.
+- Fix %%post and %%pr
+
+* Thu Aug 20 2009 Dan Walsh 2.0.71-7
+- Fix glob handling of /..
+
+* Wed Aug 19 2009 Dan Walsh 2.0.71-6
+- Redesign restorecond to use setfiles/restore functionality
+
+* Wed Aug 19 2009 Dan Walsh 2.0.71-5
+- Fix sepolgen again
+
+* Tue Aug 18 2009 Dan Walsh 2.0.71-4
+- Add --boot flag to audit2allow to get all AVC messages since last boot
+
+* Tue Aug 18 2009 Dan Walsh 2.0.71-3
+- Fix semanage command
+
+* Thu Aug 13 2009 Dan Walsh 2.0.71-2
+- exclude unconfined.if from sepolgen
+
+* Thu Aug 13 2009 Dan Walsh 2.0.71-1
+- Fix chcat to report error on non existing file
+- Update to upstream
+ * Modify setfiles/restorecon checking of exclude paths. Only check
+ user-supplied exclude paths (not automatically generated ones based on
+ lack of seclabel support), don't require them to be directories, and
+ ignore permission denied errors on them (it is ok to exclude a path to
+ which the caller lacks permission).
+
+* Mon Aug 10 2009 Dan Walsh 2.0.70-2
+- Don't warn if the user did not specify the exclude if root can not stat file system
+
+* Wed Aug 5 2009 Dan Walsh 2.0.70-1
+- Update to upstream
+ * Modify restorecon to only call realpath() on user-supplied pathnames
+ from Stephen Smalley.
+ * Fix typo in fixfiles that prevented it from relabeling btrfs
+ filesystems from Dan Walsh.
+
+* Wed Jul 29 2009 Dan Walsh 2.0.68-1
+- Fix location of man pages
+- Update to upstream
+ * Modify setfiles to exclude mounts without seclabel option in
+ /proc/mounts on kernels >= 2.6.30 from Thomas Liu.
+ * Re-enable disable_dontaudit rules upon semodule -B from Christopher
+ Pardy and Dan Walsh.
+ * setfiles converted to fts from Thomas Liu.
+
+* Sun Jul 26 2009 Fedora Release Engineering - 2.0.64-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Jul 7 2009 Tom "spot" Callaway 2.0.64-2
+- fix multiple directory ownership of mandirs
+
+* Fri Jun 26 2009 Dan Walsh 2.0.64-1
+- Update to upstream
+ * Keep setfiles from spamming console from Dan Walsh.
+ * Fix chcat's category expansion for users from Dan Walsh.
+- Update po files
+- Fix sepolgen
+
+* Thu Jun 4 2009 Dan Walsh 2.0.63-5
+- Add sepolgen executable
+
+* Mon Jun 1 2009 Dan Walsh 2.0.63-4
+- Fix Sandbox option handling
+- Fix fixfiles handling of btrfs
+
+* Tue May 26 2009 Dan Walsh 2.0.63-3
+- Fix sandbox to be able to execute files in homedir
+
+* Fri May 22 2009 Dan Walsh 2.0.63-2
+- Change polgen.py to be able to generate policy
+
+* Wed May 20 2009 Dan Walsh 2.0.63-1
+- Update to upstream
+ * Fix transaction checking from Dan Walsh.
+ * Make fixfiles -R (for rpm) recursive.
+ * Make semanage permissive clean up after itself from Dan Walsh.
+ * add /root/.ssh/* to restorecond.conf
+
+* Wed Apr 22 2009 Dan Walsh 2.0.62-14
+- Fix audit2allow -a to retun /var/log/messages
+
+* Wed Apr 22 2009 Dan Walsh 2.0.62-13
+- Run restorecond as a user service
+
+* Thu Apr 16 2009 Dan Walsh 2.0.62-12
+- Add semanage module support
+
+* Tue Apr 14 2009 Dan Walsh 2.0.62-10
+- Do not print \n, if count < 1000;
+
+* Sat Apr 11 2009 Dan Walsh 2.0.62-9
+- Handle case where subs file does not exist
+
+* Wed Apr 8 2009 Dan Walsh 2.0.62-8
+- Update po files
+- Add --equiv command for semanage
+
+* Tue Mar 31 2009 Dan Walsh 2.0.62-7
+- Cleanup creation of permissive domains
+- Update po files
+
+* Mon Mar 23 2009 Dan Walsh 2.0.62-6
+- Update po files
+
+* Thu Mar 12 2009 Dan Walsh 2.0.62-5
+- Fix semanage transations
+
+* Sat Mar 7 2009 Dan Walsh 2.0.62-4
+- Update polgengui templates to match current upstream policy
+
+* Thu Feb 26 2009 Fedora Release Engineering - 2.0.62-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Mon Feb 23 2009 Dan Walsh 2.0.62-2
+- Add /root/.ssh to restorecond.conf
+- fixfiles -R package should recursively fix files
+
+* Wed Feb 18 2009 Dan Walsh 2.0.62-1
+- Update to upstream
+ * Add btrfs to fixfiles from Dan Walsh.
+ * Remove restorecond error for matching globs with multiple hard links
+ and fix some error messages from Dan Walsh.
+ * Make removing a non-existant module a warning rather than an error
+ from Dan Walsh.
+ * Man page fixes from Dan Walsh.
+
+* Mon Feb 16 2009 Dan Walsh 2.0.61-10
+- Fix script created by polgengui to not refer to selinux-policy-devel
+
+* Mon Feb 9 2009 Dan Walsh 2.0.61-9
+- Change initc scripts to use proper labeling on gui
+
+* Mon Feb 9 2009 Dan Walsh 2.0.61-8
+- Add obsoletes to cause policycoreuils to update both python and non python version
+
+* Fri Jan 30 2009 Dan Walsh 2.0.61-7
+- Dont report errors on glob match and multiple links
+
+* Thu Jan 22 2009 Dan Walsh 2.0.61-6
+- Move sepolgen-ifgen to post python
+
+* Wed Jan 21 2009 Dan Walsh 2.0.61-4
+- Fix Translations
+
+* Tue Jan 20 2009 Dan Walsh 2.0.61-3
+- Add Domains Page to system-config-selinux
+- Add ability to create dbus confined applications to polgen
+
+* Wed Jan 14 2009 Dan Walsh 2.0.61-2
+- Split python into a separate package
+
+* Tue Jan 13 2009 Dan Walsh 2.0.61-1
+- Update to upstream
+ * chcat: cut categories at arbitrary point (25) from Dan Walsh
+ * semodule: use new interfaces in libsemanage for compressed files
+ from Dan Walsh
+ * audit2allow: string changes for usage
+
+* Tue Jan 6 2009 Dan Walsh 2.0.60-7
+- Don't error out when removing a non existing module
+
+* Mon Dec 15 2008 Dan Walsh 2.0.60-6
+- fix audit2allow man page
+
+* Wed Dec 10 2008 Dan Walsh 2.0.60-5
+- Fix Japanese translations
+
+* Sat Dec 6 2008 Dan Walsh 2.0.60-4
+- Change md5 to hashlib.md5 in sepolgen
+
+* Thu Dec 04 2008 Ignacio Vazquez-Abrams - 2.0.60-3
+- Rebuild for Python 2.6
+
+* Tue Dec 2 2008 Dan Walsh 2.0.60-2
+- Fix error checking in restorecond, for inotify_add_watch
+
+* Mon Dec 1 2008 Dan Walsh 2.0.60-1
+- Update to upstream
+ * semanage: use semanage_mls_enabled() from Stephen Smalley.
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 2.0.59-2
+- Rebuild for Python 2.6
+
+* Tue Nov 11 2008 Dan Walsh 2.0.59-1
+- Update to upstream
+ * fcontext add checked local records twice, fix from Dan Walsh.
+
+* Mon Nov 10 2008 Dan Walsh 2.0.58-1
+- Update to upstream
+ * Allow local file context entries to override policy entries in
+ semanage from Dan Walsh.
+ * Newrole error message corrections from Dan Walsh.
+ * Add exception to audit2why call in audit2allow from Dan Walsh.
+
+* Fri Nov 7 2008 Dan Walsh 2.0.57-12
+- add compression
+
+* Tue Nov 04 2008 Jesse Keating - 2.0.57-11
+- Move the usermode-gtk requires to the -gui subpackage.
+
+* Thu Oct 30 2008 Dan Walsh 2.0.57-10
+- Fix traceback in audit2why
+
+* Wed Oct 29 2008 Dan Walsh 2.0.57-9
+- Make GUI use translations
+
+* Wed Oct 29 2008 Dan Walsh 2.0.57-8
+- Fix typo in man page
+
+* Tue Oct 28 2008 Dan Walsh 2.0.57-7
+- Handle selinux disabled correctly
+- Handle manipulation of fcontext file correctly
+
+* Mon Oct 27 2008 Dan Walsh 2.0.57-6
+- Add usermode-gtk requires
+
+* Thu Oct 23 2008 Dan Walsh 2.0.57-5
+- Allow addition of local modifications of fcontext policy.
+
+* Mon Oct 20 2008 Dan Walsh 2.0.57-4
+- Fix system-config-selinux booleanspage throwing and exception
+- Update po files
+
+* Fri Oct 17 2008 Dan Walsh 2.0.57-3
+- Fix text in newrole
+- Fix revertbutton on booleans page in system-config-selinux
+
+* Wed Oct 1 2008 Dan Walsh 2.0.57-2
+- Change semodule calls for libsemanage
+
+* Wed Oct 1 2008 Dan Walsh 2.0.57-1
+- Update to upstream
+ * Update po files from Dan Walsh.
+
+* Fri Sep 12 2008 Dan Walsh 2.0.56-1
+- Fix semanage help display
+- Update to upstream
+ * fixfiles will now remove all files in /tmp and will check for
+ unlabeled_t in /tmp and /var/tmp from Dan Walsh.
+ * add glob support to restorecond from Dan Walsh.
+ * allow semanage to handle multi-line commands in a single transaction
+ from Dan Walsh.
+
+* Thu Sep 11 2008 Dan Walsh 2.0.55-8
+- Only call gen_requires once in sepolgen
+
+* Tue Sep 9 2008 Dan Walsh 2.0.55-7
+- Change Requires line to gnome-python2-gnome
+- Fix spelling mistakes
+- Require libselinux-utils
+
+* Mon Sep 8 2008 Dan Walsh 2.0.55-5
+- Add node support to semanage
+
+* Mon Sep 8 2008 Dan Walsh 2.0.55-4
+- Fix fixfiles to correct unlabeled_t files and remove .? files
+
+* Wed Sep 3 2008 Dan Walsh 2.0.55-2
+- Add glob support to restorecond so it can check every file in the homedir
+
+* Thu Aug 28 2008 Dan Walsh 2.0.55-1
+- Update to upstream
+ * Merged semanage node support from Christian Kuester.
+
+* Fri Aug 15 2008 Dan Walsh 2.0.54-7
+- Add require libsemanage-python
+
+* Mon Aug 11 2008 Dan Walsh 2.0.54-6
+- Add missing html_util.py file
+
+* Thu Aug 7 2008 Dan Walsh 2.0.54-5
+- Fixes for multiple transactions
+
+* Wed Aug 6 2008 Dan Walsh 2.0.54-2
+- Allow multiple transactions in one semanage command
+
+* Tue Aug 5 2008 Dan Walsh 2.0.54-1
+- Update to upstream
+ * Add support for boolean files and group support for seusers from Dan Walsh.
+ * Ensure that setfiles -p output is newline terminated from Russell Coker.
+
+* Fri Aug 1 2008 Dan Walsh 2.0.53-3
+- Allow semanage user to add group lists % groupname
+
+* Tue Jul 29 2008 Dan Walsh 2.0.53-2
+- Fix help
+
+* Tue Jul 29 2008 Dan Walsh 2.0.53-1
+- Update to upstream
+ * Change setfiles to validate all file_contexts files when using -c from Stephen Smalley.
+
+* Tue Jul 29 2008 Dan Walsh 2.0.52-6
+- Fix boolean handling
+- Upgrade to latest sepolgen
+- Update po patch
+
+* Wed Jul 9 2008 Dan Walsh 2.0.52-5
+- Additial cleanup of boolean handling for semanage
+
+* Tue Jul 8 2008 Dan Walsh 2.0.52-4
+- Handle ranges of ports in gui
+
+* Tue Jul 8 2008 Dan Walsh 2.0.52-3
+- Fix indent problems in seobject
+
+* Wed Jul 2 2008 Dan Walsh 2.0.52-2
+- Add lockdown wizard
+- Allow semanage booleans to take an input file an process lots of booleans at once.
+
+* Wed Jul 2 2008 Dan Walsh 2.0.52-1
+- Default prefix to "user"
+
+* Tue Jul 1 2008 Dan Walsh 2.0.50-2
+- Remove semodule use within semanage
+- Fix launching of polgengui from toolbar
+
+* Mon Jun 30 2008 Dan Walsh 2.0.50-1
+- Update to upstream
+ * Fix audit2allow generation of role-type rules from Karl MacMillan.
+
+* Tue Jun 24 2008 Dan Walsh 2.0.49-10
+- Fix spelling of enforcement
+
+* Mon Jun 23 2008 Dan Walsh 2.0.49-8
+- Fix sepolgen/audit2allow handling of roles
+
+* Mon Jun 16 2008 Dan Walsh 2.0.49-7
+- Fix sepolgen-ifgen processing
+
+* Thu Jun 12 2008 Dan Walsh 2.0.49-6
+- Add deleteall to semanage permissive, cleanup error handling
+
+* Thu Jun 12 2008 Dan Walsh 2.0.49-5
+- Complete removal of rhpl requirement
+
+* Wed Jun 11 2008 Dan Walsh 2.0.49-4
+- Add semanage permissive *
+
+* Fri May 16 2008 Dan Walsh 2.0.49-3
+- Fix fixfiles to cleanup /tmp and /var/tmp
+
+* Fri May 16 2008 Dan Walsh 2.0.49-2
+- Fix listing of types in gui
+
+* Mon May 12 2008 Dan Walsh 2.0.49-1
+- Update to upstream
+ * Remove security_check_context calls for prefix validation from semanage.
+ * Change setfiles and restorecon to not relabel if the file already has the correct context value even if -F/force is specified.
+
+* Mon May 12 2008 Dan Walsh 2.0.47-3
+- Remove /usr/share/locale/sr@Latn/LC_MESSAGES/policycoreutils.mo
+
+* Wed May 7 2008 Dan Walsh 2.0.47-2
+- Add rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* to fixfiles restore
+- So that mislabeled files will get removed on full relabel
+
+* Wed May 7 2008 Dan Walsh 2.0.47-1
+- Make restorecond not start by default
+- Fix polgengui to allow defining of confined roles.
+- Add patches from Lubomir Rintel
+ * Add necessary runtime dependencies on setools-console for -gui
+ * separate stderr when run seinfo commands
+- Update to upstream
+ * Update semanage man page for booleans from Dan Walsh.
+ * Add further error checking to seobject.py for setting booleans.
+
+* Fri Apr 18 2008 Matthias Clasen - 2.0.46-5
+- Uninvasive (ie no string or widget changes) HIG approximations
+ in selinux-polgenui
+
+* Fri Apr 18 2008 Matthias Clasen - 2.0.46-4
+- Move s-c-selinux to the right menu
+
+* Sun Apr 6 2008 Dan Walsh 2.0.46-3
+- Fix boolean descriptions
+- Fix semanage man page
+
+* Wed Mar 19 2008 Dan Walsh 2.0.46-2
+- Don't use prefix in gui
+
+* Tue Mar 18 2008 Dan Walsh 2.0.46-1
+- Update to upstream
+ * Update audit2allow to report dontaudit cases from Dan Walsh.
+ * Fix semanage port to use --proto from Caleb Case.
+
+* Fri Feb 22 2008 Dan Walsh 2.0.44-1
+- Update to upstream
+ * Fix for segfault when conf file parse error occurs.
+
+* Wed Feb 13 2008 Dan Walsh 2.0.43-2
+- Don't show tabs on polgengui
+
+* Wed Feb 13 2008 Dan Walsh 2.0.43-1
+- Update to upstream
+ * Merged fix fixfiles option processing from Vaclav Ovsik.
+- Added existing users, staff and user_t users to polgengui
+
+* Fri Feb 8 2008 Dan Walsh 2.0.42-3
+- Add messages for audit2allow DONTAUDIT
+
+* Tue Feb 5 2008 Dan Walsh 2.0.42-2
+- Add ability to transition to roles via polgengui
+
+* Sat Feb 2 2008 Dan Walsh 2.0.42-1
+- Update to upstream
+ * Make semodule_expand use sepol_set_expand_consume_base to reduce
+ peak memory usage.
+
+* Tue Jan 29 2008 Dan Walsh 2.0.41-1
+- Update to upstream
+ * Merged audit2why fix and semanage boolean --on/--off/-1/-0 support from Dan Walsh.
+ * Merged a second fixfiles -C fix from Marshall Miller.
+
+
+* Thu Jan 24 2008 Dan Walsh 2.0.39-1
+- Don't initialize audit2allow for audit2why call. Use default
+- Update to upstream
+ * Merged fixfiles -C fix from Marshall Miller.
+
+* Thu Jan 24 2008 Dan Walsh 2.0.38-1
+- Update to upstream
+ * Merged audit2allow cleanups and boolean descriptions from Dan Walsh.
+ * Merged setfiles -0 support by Benny Amorsen via Dan Walsh.
+ * Merged fixfiles fixes and support for ext4 and gfs2 from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh 2.0.37-1
+- Update to upstream
+ * Merged replacement for audit2why from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh 2.0.36-2
+- Cleanup fixfiles -f message in man page
+
+* Wed Jan 23 2008 Dan Walsh 2.0.36-1
+- Update to upstream
+ * Merged update to chcat, fixfiles, and semanage scripts from Dan Walsh.
+ * Merged sepolgen fixes from Dan Walsh.
+
+* Tue Jan 22 2008 Dan Walsh 2.0.35-5
+- handle files with spaces on upgrades
+
+* Tue Jan 22 2008 Dan Walsh 2.0.35-4
+- Add support in fixfiles for ext4 ext4dev and gfs2
+
+* Mon Jan 21 2008 Dan Walsh 2.0.35-3
+- Allow files with spaces to be used by setfiles
+
+* Tue Jan 15 2008 Dan Walsh 2.0.35-2
+- Add descriptions of booleans to audit2allow
+
+* Fri Jan 11 2008 Dan Walsh 2.0.35-1
+- Update to upstream
+ * Merged support for non-interactive newrole command invocation from Tim Reed.
+
+* Thu Jan 10 2008 Dan Walsh 2.0.34-8
+- Change to use selinux bindings to audit2why
+
+* Tue Jan 8 2008 Dan Walsh 2.0.34-7
+- Fix fixfiles to handle no args
+
+* Mon Dec 31 2007 Dan Walsh 2.0.34-5
+- Fix roles output when creating a module
+
+* Mon Dec 31 2007 Dan Walsh 2.0.34-4
+- Handle files with spaces in fixfiles
+
+* Fri Dec 21 2007 Dan Walsh 2.0.34-3
+- Catch SELINUX_ERR with audit2allow and generate policy
+
+* Thu Dec 20 2007 Dan Walsh 2.0.34-2
+- Make sepolgen set error exit code when partial failure
+- audit2why now checks booleans for avc diagnosis
+
+* Wed Dec 19 2007 Dan Walsh 2.0.34-1
+- Update to upstream
+ * Update Makefile to not build restorecond if
+ /usr/include/sys/inotify.h is not present
+
+* Wed Dec 19 2007 Dan Walsh 2.0.33-4
+- Fix sepolgen to be able to parse Fedora 9 policy
+ Handle ifelse statements
+ Handle refpolicywarn inside of define
+ Add init.if and inetd.if into parse
+ Add parse_file to syntax error message
+
+* Fri Dec 14 2007 Dan Walsh 2.0.33-3
+- Add scroll bar to fcontext gui page
+
+* Tue Dec 11 2007 Dan Walsh 2.0.33-2
+- Add Russion Man pages
+
+* Mon Dec 10 2007 Dan Walsh 2.0.33-1
+- Upgrade from NSA
+ * Drop verbose output on fixfiles -C from Dan Walsh.
+ * Fix argument handling in fixfiles from Dan Walsh.
+ * Enhance boolean support in semanage, including using the .xml description when available, from Dan Walsh.
+- Fix handling of final screen in polgengui
+
+* Sun Dec 2 2007 Dan Walsh 2.0.32-2
+- Fix handling of disable selinux button in gui
+
+* Mon Nov 19 2007 Dan Walsh 2.0.32-1
+- Upgrade from NSA
+ * load_policy initial load option from Chad Sellers.
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-20
+- Don't show error on missing policy.xml
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-19
+- GUI Enhancements
+ - Fix cgi generation
+ - Use more patterns
+
+* Mon Nov 19 2007 Dan Walsh 2.0.31-18
+- Remove codec hacking, which seems to be fixed in python
+
+* Fri Nov 16 2007 Dan Walsh 2.0.31-17
+- Fix typo
+- Change to upstream minimal privledge interfaces
+
+* Fri Nov 16 2007 Dan Walsh 2.0.31-16
+- Fix fixfiles argument parsing
+
+* Thu Nov 15 2007 Dan Walsh 2.0.31-15
+- Fix File Labeling add
+
+* Thu Nov 8 2007 Dan Walsh 2.0.31-14
+- Fix semanage to handle state where policy.xml is not installed
+
+* Mon Nov 5 2007 Dan Walsh 2.0.31-13
+- Remove -v from restorecon in fixfiles
+
+* Mon Nov 5 2007 Dan Walsh 2.0.31-12
+- Fix filter and search capabilities, add wait cursor
+
+* Fri Nov 2 2007 Dan Walsh 2.0.31-11
+- Translate booleans via policy.xml
+- Allow booleans to be set via semanage
+
+* Thu Nov 1 2007 Dan Walsh 2.0.31-10
+- Require use of selinux-policy-devel
+
+* Wed Oct 31 2007 Dan Walsh 2.0.31-9
+- Validate semanage fcontext input
+- Fix template names for log files in gui
+
+* Fri Oct 19 2007 Dan Walsh 2.0.31-8
+- Fix template to generate correct content
+
+* Fri Oct 19 2007 Dan Walsh 2.0.31-7
+- Fix consolekit link to selinux-polgengui
+
+* Thu Oct 18 2007 Dan Walsh 2.0.31-6
+- Fix the generation templates
+
+* Tue Oct 16 2007 Dan Walsh 2.0.31-5
+- Fix enable/disable audit messages
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-4
+- Add booleans page
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-3
+- Lots of updates to gui
+
+* Mon Oct 15 2007 Dan Walsh 2.0.31-1
+- Remove no.po
+- Update to upstream
+ * Fix semodule option handling from Dan Walsh.
+ * Add deleteall support for ports and fcontexts in semanage from Dan Walsh.
+
+* Thu Oct 11 2007 Dan Walsh 2.0.29-2
+- Fix semodule parameter checking
+
+* Sun Oct 7 2007 Dan Walsh 2.0.29-1
+- Update to upstream
+ * Add genhomedircon script to invoke semodule -Bn from Dan Walsh.
+- Add deleteall for ports and fcontext
+
+* Fri Oct 5 2007 Dan Walsh 2.0.28-1
+- Update to upstream
+ * Update semodule man page for -D from Dan Walsh.
+ * Add boolean, locallist, deleteall, and store support to semanage from Dan Walsh.
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-7
+- Add genhomedircon script to rebuild file_context for shadow-utils
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-6
+- Update translations
+
+* Tue Oct 2 2007 Dan Walsh 2.0.27-5
+- Additional checkboxes for application policy
+
+* Fri Sep 28 2007 Dan Walsh 2.0.27-4
+- Allow policy writer to select user types to transition to there users
+
+* Thu Sep 27 2007 Dan Walsh 2.0.27-3
+- Fix bug in building policy with polgengui
+- Creating ports correctly
+
+* Wed Sep 26 2007 Dan Walsh 2.0.27-1
+- Update to upstream
+ * Improve semodule reporting of system errors from Stephen Smalley.
+
+* Mon Sep 24 2007 Dan Walsh 2.0.26-3
+- Show local changes with semanage
+
+* Mon Sep 24 2007 Dan Walsh 2.0.26-2
+- Fixed spelling mistakes in booleans defs
+- Update po
+
+* Tue Sep 18 2007 Dan Walsh 2.0.26-1
+- Update to upstream
+ * Fix setfiles selabel option flag setting for 64-bit from Stephen Smalley.
+
+* Tue Sep 18 2007 Dan Walsh 2.0.25-15
+- Fix wording in policy generation tool
+
+* Fri Sep 14 2007 Dan Walsh 2.0.25-14
+- Fix calls to _admin interfaces
+
+* Thu Sep 13 2007 Dan Walsh 2.0.25-13
+- Upgrade version of sepolgen from NSA
+ * Expand the sepolgen parser to parse all current refpolicy modules from Karl MacMillan.
+ * Suppress generation of rules for non-denials from Karl MacMillan (take 3). + +* Tue Sep 11 2007 Dan Walsh 2.0.25-12 +- Remove bogus import libxml2 + +* Mon Sep 10 2007 Dan Walsh 2.0.25-11 +- Lots of fixes for polgengui + +* Thu Sep 6 2007 Dan Walsh 2.0.25-10 +- Change Requires /bin/rpm to rpm + +* Wed Sep 5 2007 Dan Walsh 2.0.25-9 +- Bump libsemanage version for disable dontaudit +- New gui features for creating admin users + +* Fri Aug 31 2007 Dan Walsh 2.0.25-8 +- Fix generated code for admin policy + +* Fri Aug 31 2007 Dan Walsh 2.0.25-7 +- Lots of fixes for role templates + +* Tue Aug 28 2007 Dan Walsh 2.0.25-6 +- Add more role_templates + +* Tue Aug 28 2007 Dan Walsh 2.0.25-5 +- Update genpolgui to add creation of user domains + +* Mon Aug 27 2007 Dan Walsh 2.0.25-4 +- Fix location of sepolgen-ifgen + +* Sat Aug 25 2007 Dan Walsh 2.0.25-3 +- Add selinux-polgengui to desktop + +* Fri Aug 24 2007 Dan Walsh 2.0.25-2 +- Cleanup spec + +* Thu Aug 23 2007 Dan Walsh 2.0.25-1 +- Update semodule man page + * Fix genhomedircon searching for USER from Todd Miller + * Install run_init with mode 0755 from Dan Walsh. + * Fix chcat from Dan Walsh. + * Fix fixfiles pattern expansion and error reporting from Dan Walsh. + * Optimize genhomedircon to compile regexes once from Dan Walsh. + * Fix semanage gettext call from Dan Walsh. 
+ +* Thu Aug 23 2007 Dan Walsh 2.0.23-2 +- Update semodule man page + +* Mon Aug 20 2007 Dan Walsh 2.0.23-1 +- Update to match NSA + * Disable dontaudits via semodule -D + +* Wed Aug 1 2007 Dan Walsh 2.0.22-13 +- Speed up genhomedircon by an order of magnitude by compiling regex +- Allow semanage fcontext -a -t <> /path to work + +* Fri Jul 27 2007 Dan Walsh 2.0.22-11 +- Fixfiles update required to match new regex + +* Fri Jul 27 2007 Dan Walsh 2.0.22-10 +- Update booleans translations + +* Wed Jul 25 2007 Jeremy Katz - 2.0.22-9 +- rebuild for toolchain bug + +* Tue Jul 24 2007 Dan Walsh 2.0.22-8 +- Add requires libselinux-python + +* Mon Jul 23 2007 Dan Walsh 2.0.22-7 +- Fix fixfiles to report incorrect rpm +- Patch provided by Tony Nelson + +* Fri Jul 20 2007 Dan Walsh 2.0.22-6 +- Clean up spec file + +* Fri Jul 13 2007 Dan Walsh 2.0.22-5 +- Require newer libselinux version + +* Sat Jul 7 2007 Dan Walsh 2.0.22-4 +- Fix checking for conflicting directory specification in genhomedircon + +* Mon Jun 25 2007 Dan Walsh 2.0.22-3 +- Fix spelling mistakes in GUI + +* Fri Jun 22 2007 Dan Walsh 2.0.22-2 +- Fix else path in chcat + +* Thu Jun 21 2007 Dan Walsh 2.0.22-1 +- Update to match NSA + * Rebase setfiles to use new labeling interface. + +* Wed Jun 13 2007 Dan Walsh 2.0.21-2 +- Add filter to all system-config-selinux lists + +* Wed Jun 13 2007 Dan Walsh 2.0.21-1 +- Update to match NSA + * Fixed setsebool (falling through to error path on success). + +* Mon Jun 11 2007 Dan Walsh 2.0.20-1 +- Update to match NSA + * Merged genhomedircon fixes from Dan Walsh. + * Merged setfiles -c usage fix from Dan Walsh. + * Merged restorecon fix from Yuichi Nakamura. + * Dropped -lsepol where no longer needed. 
+ +* Mon Jun 11 2007 Dan Walsh 2.0.19-5 +- Fix translations code, Add more filters to gui + +* Mon Jun 4 2007 Dan Walsh 2.0.19-4 +- Fix setfiles -c to make it work + +* Mon Jun 4 2007 Dan Walsh 2.0.19-3 +- Fix french translation to not crash system-config-selinux + +* Fri Jun 1 2007 Dan Walsh 2.0.19-2 +- Fix genhomedircon to work in stage2 builds of anaconda + +* Sat May 19 2007 Dan Walsh 2.0.19-1 +- Update to match NSA + +* Thu May 17 2007 Dan Walsh 2.0.16-2 +- Fixes for polgentool templates file + +* Fri May 4 2007 Dan Walsh 2.0.16-1 +- Updated version of policycoreutils + * Merged support for modifying the prefix via semanage from Dan Walsh. +- Fixed genhomedircon to find homedirs correctly. + +* Tue May 1 2007 Dan Walsh 2.0.15-1 +- Updated version of policycoreutils + * Merged po file updates from Dan Walsh. +- Fix semanage to be able to modify prefix in user record + +* Mon Apr 30 2007 Dan Walsh 2.0.14-2 +- Fix title on system-config-selinux + +* Wed Apr 25 2007 Dan Walsh 2.0.14-1 +- Updated version of policycoreutils + * Build fix for setsebool. + +* Wed Apr 25 2007 Dan Walsh 2.0.13-1 +- Updated version of policycoreutils + * Merged setsebool patch to only use libsemanage for persistent boolean changes from Stephen Smalley. + * Merged genhomedircon patch to use the __default__ setting from Dan Walsh. + * Dropped -b option from load_policy in preparation for always preserving booleans across reloads in the kernel. + +* Tue Apr 24 2007 Dan Walsh 2.0.10-2 +- Fixes for polgengui + +* Tue Apr 24 2007 Dan Walsh 2.0.10-1 +- Updated version of policycoreutils + * Merged chcat, fixfiles, genhomedircon, restorecond, and restorecon patches from Dan Walsh. 
+ +* Fri Apr 20 2007 Dan Walsh 2.0.9-10 +- Fix genhomedircon to handle non user_u for the default user + +* Wed Apr 18 2007 Dan Walsh 2.0.9-9 +- More cleanups for gui + +* Wed Apr 18 2007 Dan Walsh 2.0.9-8 +- Fix size and use_tmp problem on gui + +* Wed Apr 18 2007 Dan Walsh 2.0.9-7 +- Fix restorecon crash + +* Wed Apr 18 2007 Dan Walsh 2.0.9-6 +- Change polgengui to a druid + +* Tue Apr 17 2007 Dan Walsh 2.0.9-5 +- Fully path script.py + +* Mon Apr 16 2007 Dan Walsh 2.0.9-4 +- Add -l flag to restorecon to not traverse file systems + +* Sat Apr 14 2007 Dan Walsh 2.0.9-3 +- Fixes for policygengui + +* Fri Apr 13 2007 Dan Walsh 2.0.9-2 +- Add polgengui + +* Thu Apr 12 2007 Dan Walsh 2.0.9-1 +- Updated version of sepolgen + * Merged seobject setransRecords patch to return the first alias from Xavier Toth. + +* Wed Apr 11 2007 Dan Walsh 2.0.8-1 +- Updated version of sepolgen + * Merged updates to sepolgen-ifgen from Karl MacMillan. + * Merged updates to sepolgen parser and tools from Karl MacMillan. + This includes improved debugging support, handling of interface + calls with list parameters, support for role transition rules, + updated range transition rule support, and looser matching. + +* Mon Apr 9 2007 Dan Walsh 2.0.7-11 +- Don't generate invalid context with genhomedircon + +* Mon Apr 9 2007 Dan Walsh 2.0.7-10 +- Add filter to booleans page + +* Tue Apr 3 2007 Dan Walsh 2.0.7-9 +- Fix polgen.py to not generate udp rules on tcp input + +* Fri Mar 30 2007 Dan Walsh 2.0.7-8 +- system-config-selinux should be able to run on a disabled system, +- at least enough to get it enabled. + +* Thu Mar 29 2007 Dan Walsh 2.0.7-7 +- Many fixes to polgengui + +* Fri Mar 23 2007 Dan Walsh 2.0.7-6 +- Updated version of sepolgen + * Merged patch to discard self from types when generating requires from Karl MacMillan. 
+ +* Fri Mar 23 2007 Dan Walsh 2.0.7-5 +- Change location of audit2allow and sepol-ifgen to sbin +- Updated version of sepolgen + * Merged patch to move the sepolgen runtime data from /usr/share to /var/lib to facilitate a read-only /usr from Karl MacMillan. + +* Mon Mar 19 2007 Dan Walsh 2.0.7-4 +- Add polgen gui +- Many fixes to system-config-selinux + +* Mon Mar 12 2007 Dan Walsh 2.0.7-3 +- service restorecond status needs to set exit value correctly + +* Mon Mar 12 2007 Dan Walsh 2.0.7-2 +- Fix gui + +* Thu Mar 1 2007 Dan Walsh 2.0.7-1 +- Update to upstream + * Merged restorecond init script LSB compliance patch from Steve Grubb. + -sepolgen + * Merged better matching for refpolicy style from Karl MacMillan + * Merged support for extracting interface paramaters from interface calls from Karl MacMillan + * Merged support for parsing USER_AVC audit messages from Karl MacMillan. + +* Tue Feb 27 2007 Dan Walsh 2.0.6-3 +- Update to upstream + -sepolgen + * Merged support for enabling parser debugging from Karl MacMillan. +- Add sgrupp cleanup of restorcon init script + +* Mon Feb 26 2007 Dan Walsh 2.0.6-2 +- Add Bill Nottinham patch to run restorcond condrestart in postun + +* Fri Feb 23 2007 Dan Walsh 2.0.6-1 +- Update to upstream + - policycoreutils + * Merged newrole O_NONBLOCK fix from Linda Knippers. + * Merged sepolgen and audit2allow patches to leave generated files + in the current directory from Karl MacMillan. + * Merged restorecond memory leak fix from Steve Grubb. + -sepolgen + * Merged patch to leave generated files (e.g. local.te) in current directory from Karl MacMillan. + * Merged patch to make run-tests.py use unittest.main from Karl MacMillan. + * Merged patch to update PLY from Karl MacMillan. + * Merged patch to update the sepolgen parser to handle the latest reference policy from Karl MacMillan. 
+ +* Thu Feb 22 2007 Dan Walsh 2.0.3-2 +- Do not fail on sepolgen-ifgen + +* Thu Feb 22 2007 Dan Walsh 2.0.3-1 +- Update to upstream + * Merged translations update from Dan Walsh. + * Merged chcat fixes from Dan Walsh. + * Merged man page fixes from Dan Walsh. + * Merged seobject prefix validity checking from Dan Walsh. + * Merged Makefile and refparser.py patch from Dan Walsh. + Fixes PYTHONLIBDIR definition and error handling on interface files. + +* Tue Feb 20 2007 Dan Walsh 2.0.2-3 +- Updated newrole NONBlOCK patch + +* Tue Feb 20 2007 Dan Walsh 2.0.2-2 +- Remove Requires: %%{name}-plugins + +* Tue Feb 20 2007 Dan Walsh 2.0.2-1 +- Update to upstream + * Merged seobject exception handler fix from Caleb Case. + * Merged setfiles memory leak patch from Todd Miller. + +* Thu Feb 15 2007 Dan Walsh 2.0.1-2 +- Cleanup man pages syntax +- Add sepolgen + +* Mon Feb 12 2007 Dan Walsh 2.0.1-1 +- Update to upstream + * Merged small fix to correct include of errcodes.h in semodule_deps from Dan Walsh. + +* Wed Feb 7 2007 Dan Walsh 2.0.0-1 +- Update to upstream + * Merged new audit2allow from Karl MacMillan. + This audit2allow depends on the new sepolgen python module. + Note that you must run the sepolgen-ifgen tool to generate + the data needed by audit2allow to generate refpolicy. + * Fixed newrole non-pam build. +- Fix Changelog and spelling error in man page + +* Thu Feb 1 2007 Dan Walsh 1.34.1-4 +- Fix audit2allow on missing translations + +* Wed Jan 24 2007 Dan Walsh 1.34.1-3 +- More chcat fixes + +* Wed Jan 24 2007 Dan Walsh 1.34.1-2 +- Change chcat to exec semodule so file context is maintained + +* Wed Jan 24 2007 Dan Walsh 1.34.1-1 +- Fix system-config-selinux ports view +- Update to upstream + * Fixed newrole non-pam build. + * Updated version for stable branch. + +* Wed Jan 17 2007 Dan Walsh 1.33.15-1 +- Update to upstream + * Merged unicode-to-string fix for seobject audit from Dan Walsh. 
+ * Merged man page updates to make "apropos selinux" work from Dan Walsh. +* Tue Jan 16 2007 Dan Walsh 1.33.14-1 + * Merged newrole man page patch from Michael Thompson. + * Merged patch to fix python unicode problem from Dan Walsh. + +* Tue Jan 16 2007 Dan Walsh 1.33.12-3 +- Fix handling of audit messages for useradd change +Resolves: #222159 + +* Fri Jan 12 2007 Dan Walsh 1.33.12-2 +- Update man pages by adding SELinux to header to fix apropos database +Resolves: #217881 + +* Tue Jan 9 2007 Dan Walsh 1.33.12-1 +- Want to update to match api +- Update to upstream + * Merged newrole securetty check from Dan Walsh. + * Merged semodule patch to generalize list support from Karl MacMillan. +Resolves: #200110 + +* Tue Jan 9 2007 Dan Walsh 1.33.11-1 +- Update to upstream + * Merged fixfiles and seobject fixes from Dan Walsh. + * Merged semodule support for list of modules after -i from Karl MacMillan. + +* Tue Jan 9 2007 Dan Walsh 1.33.10-1 +- Update to upstream + * Merged patch to correctly handle a failure during semanage handle + creation from Karl MacMillan. + * Merged patch to fix seobject role modification from Dan Walsh. + +* Fri Jan 5 2007 Dan Walsh 1.33.8-2 +- Stop newrole -l from working on non secure ttys +Resolves: #200110 + +* Thu Jan 4 2007 Dan Walsh 1.33.8-1 +- Update to upstream + * Merged patches from Dan Walsh to: + - omit the optional name from audit2allow + - use the installed python version in the Makefiles + - re-open the tty with O_RDWR in newrole + +* Wed Jan 3 2007 Dan Walsh 1.33.7-1 +- Update to upstream + * Patch from Dan Walsh to correctly suppress warnings in load_policy. + +* Tue Jan 2 2007 Dan Walsh 1.33.6-9 +- Fix fixfiles script to use tty command correctly. 
If this command fails, it +should set the LOGFILE to /dev/null +Resolves: #220879 + +* Wed Dec 20 2006 Dan Walsh 1.33.6-8 +- Remove hard coding of python2.4 from Makefiles + +* Tue Dec 19 2006 Dan Walsh 1.33.6-7 +- add exists switch to semanage to tell it not to check for existance of Linux user +Resolves: #219421 + +* Mon Dec 18 2006 Dan Walsh 1.33.6-6 +- Fix audit2allow generating reference policy +- Fix semanage to manage user roles properly +Resolves: #220071 + +* Fri Dec 8 2006 Dan Walsh 1.33.6-5 +- Update po files +- Fix newrole to open stdout and stderr rdrw so more will work on MLS machines +Resolves: #216920 + +* Thu Dec 7 2006 Jeremy Katz - 1.33.6-4 +- rebuild for python 2.5 + +* Wed Dec 6 2006 Dan Walsh 1.33.6-3 +- Update po files +Resolves: #216920 + +* Fri Dec 1 2006 Dan Walsh 1.33.6-2 +- Update po files +Resolves: #216920 + +* Wed Nov 29 2006 Dan Walsh 1.33.6-1 +- Update to upstream + * Patch from Dan Walsh to add an pam_acct_msg call to run_init + * Patch from Dan Walsh to fix error code returns in newrole + * Patch from Dan Walsh to remove verbose flag from semanage man page + * Patch from Dan Walsh to make audit2allow use refpolicy Makefile + in /usr/share/selinux/ + +* Wed Nov 29 2006 Dan Walsh 1.33.5-4 +- Fixing the Makefile line again to build with LSPP support +Resolves: #208838 + +* Wed Nov 29 2006 Dan Walsh 1.33.5-3 +- Don't report errors on restorecond when file system does not support XATTRS +Resolves: #217694 + +* Tue Nov 28 2006 Dan Walsh 1.33.5-2 +- Fix -q qualifier on load_policy +Resolves: #214827 + +* Tue Nov 28 2006 Dan Walsh 1.33.5-1 +- Merge to upstream +- Fix makefile line +Resolves: #208838 + +* Fri Nov 24 2006 Dan Walsh 1.33.4-2 +- Additional po changes +- Added all booleans definitions + +* Wed Nov 22 2006 Dan Walsh 1.33.4-1 +- Upstream accepted my patches + * Merged setsebool patch from Karl MacMillan. + This fixes a bug reported by Yuichi Nakamura with + always setting booleans persistently on an unmanaged system. 
+ +* Mon Nov 20 2006 Dan Walsh 1.33.2-2 +- Fixes for the gui + +* Mon Nov 20 2006 Dan Walsh 1.33.2-1 +- Upstream accepted my patches + +* Fri Nov 17 2006 Dan Walsh 1.33.1-9 +- Add Amy Grifis Patch to preserve newrole exit status + +* Thu Nov 16 2006 Dan Walsh 1.33.1-8 +- Fix display of gui + +* Thu Nov 16 2006 Dan Walsh 1.33.1-7 +- Add patch by Jose Plans to make run_init use pam_acct_mgmt + +* Wed Nov 15 2006 Dan Walsh 1.33.1-6 +- More fixes to gui + +* Wed Nov 15 2006 Dan Walsh 1.33.1-5 +- Fix audit2allow to generate referene policy + +* Wed Nov 15 2006 Dan Walsh 1.33.1-4 +- Add group sort for portsPage.py +- Add enable/disableaudit to modules page + +* Wed Nov 15 2006 Dan Walsh 1.33.1-3 +- Add glade file + +* Tue Nov 14 2006 Dan Walsh 1.33.1-2 +- Fix Module handling in system-config-selinux + +* Tue Nov 14 2006 Dan Walsh 1.33.1-1 +- Update to upstream + * Merged newrole patch set from Michael Thompson. +- Add policycoreutils-gui + +* Thu Nov 9 2006 Dan Walsh 1.32-3 +- No longer requires rhpl + +* Mon Nov 6 2006 Dan Walsh 1.32-2 +- Fix genhomedircon man page + +* Mon Oct 9 2006 Dan Walsh 1.32-1 +- Add newrole audit patch from sgrubb +- Update to upstream + * Merged audit2allow -l fix from Yuichi Nakamura. + * Merged restorecon -i and -o - support from Karl MacMillan. + * Merged semanage/seobject fix from Dan Walsh. + * Merged fixfiles -R and verify changes from Dan Walsh. + +* Fri Oct 6 2006 Dan Walsh 1.30.30-2 +- Separate out newrole into its own package + +* Fri Sep 29 2006 Dan Walsh 1.30.30-1 +- Update to upstream + * Merged newrole auditing of failures due to user actions from + Michael Thompson. 
+ +* Thu Sep 21 2006 Dan Walsh 1.30.29-6 +- Pass -i qualifier to restorecon for fixfiles -R +- Update translations + +* Thu Sep 21 2006 Dan Walsh 1.30.29-5 +- Remove recursion from fixfiles -R calls +- Fix semanage to verify prefix + +* Thu Sep 21 2006 Dan Walsh 1.30.29-4 +- More translations +- Compile with -pie + +* Mon Sep 18 2006 Dan Walsh 1.30.29-3 +- Add translations +- Fix audit2allow -l + +* Thu Sep 14 2006 Dan Walsh 1.30.29-2 +- Rebuild + +* Thu Sep 14 2006 Dan Walsh 1.30.29-1 +- Update to upstream +- Change -o to take "-" for stdout + +* Wed Sep 13 2006 Dan Walsh 1.30.28-9 +- Add -h support for genhomedircon + +* Wed Sep 13 2006 Dan Walsh 1.30.28-8 +- Fix fixfiles handling of -o + +* Mon Sep 11 2006 Dan Walsh 1.30.28-7 +- Make restorecon return the number of changes files if you use the -n flag + +* Fri Sep 8 2006 Dan Walsh 1.30.28-6 +- Change setfiles and restorecon to use stderr except for -o flag +- Also -o flag will now output files + +* Thu Sep 7 2006 Dan Walsh 1.30.28-5 +- Put back Erich's change + +* Wed Sep 6 2006 Dan Walsh 1.30.28-4 +- Remove recursive switch when using rpm + +* Wed Sep 6 2006 Dan Walsh 1.30.28-3 +- Fix fixfiles to handle multiple rpm and make -o work + +* Fri Sep 1 2006 Dan Walsh 1.30.28-2 +- Apply patch + +* Fri Sep 1 2006 Dan Walsh 1.30.28-1 +- Security fixes to run python in a more locked down manner +- More Translations +- Update to upstream + * Merged fix for restorecon // handling from Erich Schubert. + * Merged translations update and fixfiles fix from Dan Walsh. 
+ +* Thu Aug 31 2006 Dan Walsh 1.30.27-5 +- Change scripts to use /usr/sbin/python + +* Thu Aug 31 2006 Dan Walsh 1.30.27-4 +- Add -i qualified to restorecon to tell it to ignore files that do not exist +- Fixfiles also modified for this change + +* Thu Aug 31 2006 Dan Walsh 1.30.27-3 +- Ignore sigpipe + +* Thu Aug 31 2006 Dan Walsh 1.30.27-2 +- Fix init script and add translations + +* Thu Aug 24 2006 Dan Walsh 1.30.27-1 +- Update to upstream + * Merged fix for restorecon symlink handling from Erich Schubert. + +* Sat Aug 12 2006 Dan Walsh 1.30.26-1 +- Update to upstream + * Merged semanage local file contexts patch from Chris PeBenito. +- Fix fixfiles log creation +- More translations + +* Thu Aug 3 2006 Dan Walsh 1.30.25-1 +- Update to upstream + * Merged patch from Dan Walsh with: + * audit2allow: process MAC_POLICY_LOAD events + * newrole: run shell with - prefix to start a login shell + * po: po file updates + * restorecond: bail if SELinux not enabled + * fixfiles: omit -q + * genhomedircon: fix exit code if non-root + * semodule_deps: install man page + * Merged secon Makefile fix from Joshua Brindle. + * Merged netfilter contexts support patch from Chris PeBenito. + +* Wed Aug 2 2006 Dan Walsh 1.30.22-3 +- Fix audit2allow to handle reload of policy + +* Wed Aug 2 2006 Dan Walsh 1.30.22-2 +- Stop restorecond init script when selinux is not enabled + +* Tue Aug 1 2006 Dan Walsh 1.30.22-1 +- Update to upstream + * Merged restorecond size_t fix from Joshua Brindle. + * Merged secon keycreate patch from Michael LeMay. + * Merged restorecond fixes from Dan Walsh. + Merged updated po files from Dan Walsh. + * Merged python gettext patch from Stephen Bennett. + * Merged semodule_deps from Karl MacMillan. + +* Thu Jul 27 2006 Dan Walsh 1.30.17-7 +- Change newrole to exec a login shell to prevent suspend. 
+ +* Fri Jul 21 2006 Dan Walsh 1.30.17-6 +- Report error when selinux not enabled in restorecond + +* Tue Jul 18 2006 Dan Walsh 1.30.17-5 +- Fix handling of restorecond + +* Mon Jul 17 2006 Dan Walsh 1.30.17-4 +- Fix creation of restorecond pidfile + +* Mon Jul 17 2006 Dan Walsh 1.30.17-3 +- Update translations +- Update to new GCC + +* Mon Jul 10 2006 Dan Walsh 1.30.17-2 +- Add verbose flag to restorecond and update translations + +* Tue Jul 4 2006 Dan Walsh 1.30.17-1 +- Update to upstream + * Lindent. + * Merged patch from Dan Walsh with: + * -p option (progress) for setfiles and restorecon. + * disable context translation for setfiles and restorecon. + * on/off values for setsebool. + * Merged setfiles and semodule_link fixes from Joshua Brindle. + +* Thu Jun 22 2006 Dan Walsh 1.30.14-5 +- Add progress indicator on fixfiles/setfiles/restorecon + +* Wed Jun 21 2006 Dan Walsh 1.30.14-4 +- Don't use translations with matchpathcon + +* Tue Jun 20 2006 Dan Walsh 1.30.14-3 +- Prompt for selinux-policy-devel package in audit2allow + +* Mon Jun 19 2006 Dan Walsh 1.30.14-2 +- Allow setsebool to use on/off +- Update translations + +* Fri Jun 16 2006 Dan Walsh 1.30.14-1 +- Update to upstream + * Merged fix for setsebool error path from Serge Hallyn. + * Merged patch from Dan Walsh with: + * Updated po files. + * Fixes for genhomedircon and seobject. + * Audit message for mass relabel by setfiles. + +* Tue Jun 13 2006 James Antill 1.30.12-5 +- Update audit mass relabel to only compile in when audit is installed. + +* Mon Jun 12 2006 Dan Walsh 1.30.12-4 +- Update to required versions +- Update translation + +* Wed Jun 7 2006 Dan Walsh 1.30.12-3 +- Fix shell selection + +* Mon Jun 5 2006 Dan Walsh 1.30.12-2 +- Add BuildRequires for gettext + +* Mon Jun 5 2006 Dan Walsh 1.30.12-1 + * Updated fixfiles script for new setfiles location in /sbin. + +* Tue May 30 2006 Dan Walsh 1.30.11-1 +- Update to upstream + * Merged more translations from Dan Walsh. 
+ * Merged patch to relocate setfiles to /sbin for early relabel + when /usr might not be mounted from Dan Walsh. + * Merged semanage/seobject patch to preserve fcontext ordering in list. + * Merged secon patch from James Antill. + +* Fri May 26 2006 Dan Walsh 1.30.10-4 +- Fix seobject.py to not sort the file_context file. +- move setfiles to /sbin + +* Wed May 24 2006 James Antill 1.30.10-3 +- secon man page and getopt fixes. +- Enable mass relabel audit, even though it doesn't work. + +* Wed May 24 2006 James Antill 1.30.10-2 +- secon fixes for --self-exec etc. +- secon change from level => sensitivity, add clearance. +- Add mass relabel AUDIT patch, but disable it until kernel problem solved. + +* Tue May 23 2006 Dan Walsh 1.30.10-1 +- Update to upstream + * Merged patch with updates to audit2allow, secon, genhomedircon, + and semanage from Dan Walsh. + +* Sat May 20 2006 Dan Walsh 1.30.9-4 +- Fix exception in genhomedircon + +* Mon May 15 2006 James Antill 1.30.9-3 +- Add rhpl dependancy + +* Mon May 15 2006 James Antill 1.30.9-2 +- Add secon man page and prompt options. + +* Mon May 15 2006 Dan Walsh 1.30.9-1 +- Update to upstream + * Fixed audit2allow and po Makefiles for DESTDIR= builds. + * Merged .po file patch from Dan Walsh. + * Merged bug fix for genhomedircon. + +* Wed May 10 2006 Dan Walsh 1.30.8-2 +- Fix exception on bad file_context + +* Mon May 8 2006 Dan Walsh 1.30.8-1 +- Update to upstream + * Merged fix warnings patch from Karl MacMillan. + * Merged patch from Dan Walsh. + This includes audit2allow changes for analysis plugins, + internationalization support for several additional programs + and added po files, some fixes for semanage, and several cleanups. + It also adds a new secon utility. 
+ +* Sun May 7 2006 Dan Walsh 1.30.6-5 +- Fix genhomedircon to catch duplicate homedir problem + +* Thu May 4 2006 Dan Walsh 1.30.6-4 +- Add secon program +- Add translations + +* Thu Apr 20 2006 Dan Walsh 1.30.6-3 +- Fix check for "msg" + +* Mon Apr 17 2006 Dan Walsh 1.30.6-2 +- Ship avc.py + +* Fri Apr 14 2006 Dan Walsh 1.30.6-1 +- Add /etc/samba/secrets.tdb to restorecond.conf +- Update from upstream + * Merged semanage prefix support from Russell Coker. + * Added a test to setfiles to check that the spec file is + a regular file. + +* Thu Apr 06 2006 Karsten Hopp 1.30.4-4 +- added some missing buildrequires +- added Requires: initscripts for /sbin/service + +* Thu Apr 06 2006 Karsten Hopp 1.30.4-3 +- use absolute path /sbin/service + +* Wed Apr 5 2006 Dan Walsh 1.30.4-2 +- Fix audit2allow to not require ausearch. +- Fix man page +- Add libflashplayer to restorecond.conf + +* Wed Mar 29 2006 Dan Walsh 1.30.4-1 +- Update from upstream + * Merged audit2allow fixes for refpolicy from Dan Walsh. + * Merged fixfiles patch from Dan Walsh. + * Merged restorecond daemon from Dan Walsh. + * Merged semanage non-MLS fixes from Chris PeBenito. + * Merged semanage and semodule man page examples from Thomas Bleher. + +* Tue Mar 28 2006 Dan Walsh 1.30.1-4 +- Clean up reference policy generation in audit2allow + +* Tue Mar 21 2006 Dan Walsh 1.30.1-3 +- Add IN_MOVED_TO to catch renames + +* Tue Mar 21 2006 Dan Walsh 1.30.1-2 +- make restorecond only ignore non directories with lnk > 1 + +* Tue Mar 21 2006 Dan Walsh 1.30.1-1 +- Make audit2allow translate dontaudit as well as allow rules +- Update from upstream + * Merged semanage labeling prefix patch from Ivan Gyurdiev. + +* Tue Mar 21 2006 Dan Walsh 1.30-5 +- Fix audit2allow to retrieve dontaudit rules + +* Mon Mar 20 2006 Dan Walsh 1.30-4 +- Open file descriptor to make sure file does not change from underneath. 
+ +* Fri Mar 17 2006 Dan Walsh 1.30-3 +- Fixes for restorecond attack via symlinks +- Fixes for fixfiles + +* Fri Mar 17 2006 Dan Walsh 1.30-2 +- Restorecon has to handle suspend/resume + +* Fri Mar 17 2006 Dan Walsh 1.30-1 +- Update to upstream + +* Fri Mar 10 2006 Dan Walsh 1.29.27-1 +- Add restorecond + +* Fri Mar 10 2006 Dan Walsh 1.29.26-6 +- Remove prereq + +* Mon Mar 6 2006 Dan Walsh 1.29.26-5 +- Fix audit2allow to generate all rules + +* Fri Mar 3 2006 Dan Walsh 1.29.26-4 +- Minor fixes to chcat and semanage + +* Fri Feb 24 2006 Dan Walsh 1.29.26-3 +- Add missing setsebool man page + +* Thu Feb 23 2006 Dan Walsh 1.29.26-2 +- Change audit2allow to use devel instead of refpolicy + +* Mon Feb 20 2006 Dan Walsh 1.29.26-1 +- Update from upstream + * Merged semanage bug fix patch from Ivan Gyurdiev. + * Merged improve bindings patch from Ivan Gyurdiev. + * Merged semanage usage patch from Ivan Gyurdiev. + * Merged use PyList patch from Ivan Gyurdiev. + +* Mon Feb 13 2006 Dan Walsh 1.29.23-1 +- Update from upstream + * Merged newrole -V/--version support from Glauber de Oliveira Costa. + * Merged genhomedircon prefix patch from Dan Walsh. + * Merged optionals in base patch from Joshua Brindle. + +* Fri Feb 10 2006 Jesse Keating - 1.29.20-2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Dan Walsh 1.29.20-2 +- Fix auditing to semanage +- Change genhomedircon to use new prefix interface in libselinux + +* Tue Feb 07 2006 Dan Walsh 1.29.20-1 +- Update from upstream + * Merged seuser/user_extra support patch to semodule_package + from Joshua Brindle. + * Merged getopt type fix for semodule_link/expand and sestatus + from Chris PeBenito. 
+- Fix genhomedircon output + +* Tue Feb 07 2006 Jesse Keating - 1.29.18-2.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Feb 3 2006 Dan Walsh 1.29.18-2 +- Add auditing to semanage + +* Thu Feb 2 2006 Dan Walsh 1.29.18-1 +- Update from upstream + * Merged clone record on set_con patch from Ivan Gyurdiev. + +* Mon Jan 30 2006 Dan Walsh 1.29.17-1 +- Update from upstream + * Merged genhomedircon fix from Dan Walsh. + * Merged seusers.system patch from Ivan Gyurdiev. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged genhomedircon patch from Dan Walsh. + +* Fri Jan 27 2006 Dan Walsh 1.29.15-1 +- Update from upstream + * Merged newrole audit patch from Steve Grubb. + * Merged seuser -> seuser local rename patch from Ivan Gyurdiev. + * Merged semanage and semodule access check patches from Joshua Brindle. +* Wed Jan 25 2006 Dan Walsh 1.29.12-1 +- Add a default of /export/home + +* Wed Jan 25 2006 Dan Walsh 1.29.11-3 +- Cleanup of the patch + +* Wed Jan 25 2006 Dan Walsh 1.29.11-2 +- Correct handling of symbolic links in restorecon + +* Wed Jan 25 2006 Dan Walsh 1.29.11-1 +- Added translation support to semanage +- Update from upstream + * Modified newrole and run_init to use the loginuid when + supported to obtain the Linux user identity to re-authenticate, + and to fall back to real uid. Dropped the use of the SELinux + user identity, as Linux users are now mapped to SELinux users + via seusers and the SELinux user identity space is separate. + * Merged semanage bug fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat.8 and genhomedircon patches from Dan Walsh. + +* Thu Jan 19 2006 Dan Walsh 1.29.9-2 +- Fix genhomedircon to work on MLS policy + +* Thu Jan 19 2006 Dan Walsh 1.29.9-1 +- Update to match NSA + * Merged chcat, semanage, and setsebool patches from Dan Walsh. 
+ +* Thu Jan 19 2006 Dan Walsh 1.29.8-4 +- Fixes for "add"-"modify" error messages +- Fixes for chcat + +* Wed Jan 18 2006 Dan Walsh 1.29.8-3 +- Add management of translation file to semaange and seobject + +* Wed Jan 18 2006 Dan Walsh 1.29.8-2 +- Fix chcat -l -L to work while not root + +* Wed Jan 18 2006 Dan Walsh 1.29.8-1 +- Update to match NSA + * Merged semanage fixes from Ivan Gyurdiev. + * Merged semanage fixes from Russell Coker. + * Merged chcat, genhomedircon, and semanage diffs from Dan Walsh. + +* Tue Jan 17 2006 Dan Walsh 1.29.7-4 +- Update chcat to manage user categories also + +* Sat Jan 14 2006 Dan Walsh 1.29.7-3 +- Add check for root for semanage, genhomedircon + +* Sat Jan 14 2006 Dan Walsh 1.29.7-2 +- Add ivans patch + +* Fri Jan 13 2006 Dan Walsh 1.29.7-1 +- Update to match NSA + * Merged newrole cleanup patch from Steve Grubb. + * Merged setfiles/restorecon performance patch from Russell Coker. + * Merged genhomedircon and semanage patches from Dan Walsh. + * Merged remove add_local/set_local patch from Ivan Gyurdiev. + +* Tue Jan 10 2006 Dan Walsh 1.29.5-3 +- Fixes for mls policy + +* Tue Jan 10 2006 Dan Walsh 1.29.5-2 +- Update semanage and split out seobject +- Fix labeleing of home_root + +* Thu Jan 5 2006 Dan Walsh 1.29.5-1 +- Update to match NSA + * Added filename to semodule error reporting. + +* Thu Jan 5 2006 Dan Walsh 1.29.4-1 +- Update to match NSA + * Merged genhomedircon and semanage patch from Dan Walsh. + * Changed semodule error reporting to include argv[0]. + +* Wed Jan 4 2006 Dan Walsh 1.29.3-1 +- Update to match NSA + * Merged semanage getpwnam bug fix from Serge Hallyn (IBM). + * Merged patch series from Ivan Gyurdiev. + This includes patches to: + - cleanup setsebool + - update setsebool to apply active booleans through libsemanage + - update semodule to use the new semanage_set_rebuild() interface + - fix various bugs in semanage + * Merged patch from Dan Walsh (Red Hat). 
+ This includes fixes for restorecon, chcat, fixfiles, genhomedircon,
+ and semanage.
+
+* Mon Jan 2 2006 Dan Walsh 1.29.2-10
+- Fix restorecon to not say it is changing user section when -vv is specified
+
+* Tue Dec 27 2005 Dan Walsh 1.29.2-9
+- Fixes for semanage, patch from Ivan and added a test script
+
+* Sat Dec 24 2005 Dan Walsh 1.29.2-8
+- Fix getpwnam call
+
+* Fri Dec 23 2005 Dan Walsh 1.29.2-7
+- Anaconda fixes
+
+* Thu Dec 22 2005 Dan Walsh 1.29.2-6
+- Turn off try catch block to debug anaconda failure
+
+* Tue Dec 20 2005 Dan Walsh 1.29.2-5
+- More fixes for chcat
+
+* Tue Dec 20 2005 Dan Walsh 1.29.2-4
+- Add try catch for files that may not exists
+
+* Mon Dec 19 2005 Dan Walsh 1.29.2-3
+- Remove commands from genhomedircon for installer
+
+* Wed Dec 14 2005 Dan Walsh 1.29.2-1
+- Fix genhomedircon to work in installer
+- Update to match NSA
+ * Merged patch for chcat script from Dan Walsh.
+
+* Fri Dec 9 2005 Dan Walsh 1.29.1-2
+- More fixes to chcat
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Thu Dec 8 2005 Dan Walsh 1.29.1-1
+- Update to match NSA
+ * Merged fix for audit2allow long option list from Dan Walsh.
+ * Merged -r option for restorecon (alias for -R) from Dan Walsh.
+ * Merged chcat script and man page from Dan Walsh.
+
+* Wed Dec 7 2005 Dan Walsh 1.28-1
+- Update to match NSA
+- Add gfs support
+
+* Wed Dec 7 2005 Dan Walsh 1.27.37-1
+- Update to match NSA
+- Add chcat to policycoreutils, adding +/- syntax
+`
+* Tue Dec 6 2005 Dan Walsh 1.27.36-2
+- Require new version of libsemanage
+
+* Mon Dec 5 2005 Dan Walsh 1.27.36-1
+- Update to match NSA
+ * Changed genhomedircon to warn on use of ROLE in homedir_template
+ if using managed policy, as libsemanage does not yet support it.
+
+* Sun Dec 4 2005 Dan Walsh 1.27.35-1
+- Update to match NSA
+ * Merged genhomedircon bug fix from Dan Walsh.
+ * Revised semodule* man pages to refer to checkmodule and
+ to include example sections.
+
+* Thu Dec 1 2005 Dan Walsh 1.27.33-1
+- Update to match NSA
+ * Merged audit2allow --tefile and --fcfile support from Dan Walsh.
+ * Merged genhomedircon fix from Dan Walsh.
+ * Merged semodule* man pages from Dan Walsh, and edited them.
+ * Changed setfiles to set the MATCHPATHCON_VALIDATE flag to
+ retain validation/canonicalization of contexts during init.
+
+* Wed Nov 30 2005 Dan Walsh 1.27.31-1
+- Update to match NSA
+ * Changed genhomedircon to always use user_r for the role in the
+ managed case since user_get_defrole is broken.
+- Add te file capabilities to audit2allow
+- Add man pages for semodule
+
+* Tue Nov 29 2005 Dan Walsh 1.27.30-1
+- Update to match NSA
+ * Merged sestatus, audit2allow, and semanage patch from Dan Walsh.
+ * Fixed semodule -v option.
+
+* Mon Nov 28 2005 Dan Walsh 1.27.29-1
+- Update to match NSA
+ * Merged audit2allow python script from Dan Walsh.
+ (old script moved to audit2allow.perl, will be removed later).
+ * Merged genhomedircon fixes from Dan Walsh.
+ * Merged semodule quieting patch from Dan Walsh
+ (inverts default, use -v to restore original behavior).
+
+* Thu Nov 17 2005 Dan Walsh 1.27.28-3
+- Audit2allow
+ * Add more error checking
+ * Add gen policy package
+ * Add gen requires
+
+* Wed Nov 16 2005 Dan Walsh 1.27.28-2
+- Update to match NSA
+ * Merged genhomedircon rewrite from Dan Walsh.
+- Rewrite audit2allow to python
+
+* Mon Nov 14 2005 Dan Walsh 1.27.27-5
+- Fix genhomedircon to work with non libsemanage systems
+
+* Fri Nov 11 2005 Dan Walsh 1.27.27-3
+- Patch genhomedircon to use libsemanage.py stuff
+
+* Wed Nov 9 2005 Dan Walsh 1.27.27-1
+- Update to match NSA
+ * Merged setsebool cleanup patch from Ivan Gyurdiev.
+
+* Wed Nov 9 2005 Dan Walsh 1.27.26-4
+- Fix genhomedircon to use seusers file, temporary fix until swigified semanage
+
+* Tue Nov 8 2005 Dan Walsh 1.27.26-1
+ * Added -B (--build) option to semodule to force a rebuild.
+ * Reverted setsebool patch to call semanage_set_reload_bools().
+ * Changed setsebool to disable policy reload and to call
+ security_set_boolean_list to update the runtime booleans.
+ * Changed setfiles -c to use new flag to set_matchpathcon_flags()
+ to disable context translation by matchpathcon_init().
+
+* Tue Nov 8 2005 Dan Walsh 1.27.23-1
+- Update to match NSA
+ * Changed setfiles for the context canonicalization support.
+ * Changed setsebool to call semanage_is_managed() interface
+ and fall back to security_set_boolean_list() if policy is
+ not managed.
+ * Merged setsebool memory leak fix from Ivan Gyurdiev.
+ * Merged setsebool patch to call semanage_set_reload_bools()
+ interface from Ivan Gyurdiev.
+
+* Mon Nov 7 2005 Dan Walsh 1.27.20-1
+- Update to match NSA
+ * Merged setsebool patch from Ivan Gyurdiev.
+ This moves setsebool from libselinux/utils to policycoreutils,
+ and rewrites it to use libsemanage for permanent boolean changes.
+
+* Tue Oct 25 2005 Dan Walsh 1.27.19-2
+- Rebuild to use latest libselinux, libsemanage, and libsepol
+
+* Tue Oct 25 2005 Dan Walsh 1.27.19-1
+- Update to match NSA
+ * Merged semodule support for reload, noreload, and store options
+ from Joshua Brindle.
+ * Merged semodule_package rewrite from Joshua Brindle.
+
+* Thu Oct 20 2005 Dan Walsh 1.27.18-1
+- Update to match NSA
+ * Cleaned up usage and error messages and releasing of memory by
+ semodule utilities.
+ * Corrected error reporting by semodule.
+ * Updated semodule_expand for change to sepol interface.
+ * Merged fixes for make DESTDIR= builds from Joshua Brindle.
+
+* Tue Oct 18 2005 Dan Walsh 1.27.14-1
+- Update to match NSA
+ * Updated semodule_package for sepol interface changes.
+
+* Tue Oct 18 2005 Dan Walsh 1.27.13-1
+- Update to match NSA
+ * Updated semodule_expand/link for sepol interface changes.
+
+* Sat Oct 15 2005 Dan Walsh 1.27.12-1
+- Update to match NSA
+ * Merged non-PAM Makefile support for newrole and run_init from Timothy Wood.
+
+* Fri Oct 14 2005 Dan Walsh 1.27.11-1
+- Update to match NSA
+ * Updated semodule_expand to use get interfaces for hidden sepol_module_package type.
+ * Merged newrole and run_init pam config patches from Dan Walsh (Red Hat).
+ * Merged fixfiles patch from Dan Walsh (Red Hat).
+ * Updated semodule for removal of semanage_strerror.
+
+
+* Thu Oct 13 2005 Dan Walsh 1.27.7-2
+- Fix run_init.pamd and spec file
+
+* Wed Oct 12 2005 Dan Walsh 1.27.7-1
+- Update to match NSA
+ * Updated semodule_link and semodule_expand to use shared libsepol.
+ Fixed audit2why to call policydb_init prior to policydb_read (still
+ uses the static libsepol).
+
+* Mon Oct 10 2005 Dan Walsh 1.27.6-1
+- Update to match NSA
+ * Updated for changes to libsepol.
+ Changed semodule and semodule_package to use the shared libsepol.
+ Disabled build of semodule_link and semodule_expand for now.
+ Updated audit2why for relocated policydb internal headers,
+ still needs to be converted to a shared lib interface.
+
+* Fri Oct 7 2005 Dan Walsh 1.27.5-3
+- Update newrole pam file to remove pam-stack
+- Update run_init pam file to remove pam-stack
+
+* Thu Oct 6 2005 Dan Walsh 1.27.5-1
+- Update to match NSA
+ * Fixed warnings in load_policy.
+ * Rewrote load_policy to use the new selinux_mkload_policy()
+ interface provided by libselinux.
+
+* Wed Oct 5 2005 Dan Walsh 1.27.3-2
+- Rebuild with newer libararies
+
+* Wed Sep 28 2005 Dan Walsh 1.27.3-1
+- Update to match NSA
+ * Merged patch to update semodule to the new libsemanage API
+ and improve the user interface from Karl MacMillan (Tresys).
+ * Modified semodule for the create/connect API split.
+
+* Wed Sep 28 2005 Dan Walsh 1.27.2-2
+- More fixes to stop find from following nfs paths
+
+* Wed Sep 21 2005 Dan Walsh 1.27.2-1
+- Update to match NSA
+ * Merged run_init open_init_pty bug fix from Manoj Srivastava
+ (unblock SIGCHLD). Bug reported by Erich Schubert.
+
+* Tue Sep 20 2005 Dan Walsh 1.27.1-1
+- Update to match NSA
+ * Merged error shadowing bug fix for restorecon from Dan Walsh.
+ * Merged setfiles usage/man page update for -r option from Dan Walsh.
+ * Merged fixfiles -C patch to ignore :s0 addition on update
+ to a MCS/MLS policy from Dan Walsh.
+
+* Thu Sep 15 2005 Dan Walsh 1.26-3
+- Add chcat script for use with chcon.
+
+* Tue Sep 13 2005 Dan Walsh 1.26-2
+- Fix restorecon to exit with error code
+
+* Mon Sep 12 2005 Dan Walsh 1.26-1
+ * Updated version for release.
+
+* Tue Sep 6 2005 Dan Walsh 1.25.9-2
+- Add prereq for mount command
+
+* Thu Sep 1 2005 Dan Walsh 1.25.9-1
+- Update to match NSA
+ * Changed setfiles -c to translate the context to raw format
+ prior to calling libsepol.
+
+* Fri Aug 26 2005 Dan Walsh 1.25.7-3
+- Use new version of libsemange and require it for install
+
+* Fri Aug 26 2005 Dan Walsh 1.25.7-2
+- Ignore s0 in file context
+
+* Thu Aug 25 2005 Dan Walsh 1.25.7-1
+- Update to match NSA
+ * Merged patch for fixfiles -C from Dan Walsh.
+
+* Tue Aug 23 2005 Dan Walsh 1.25.6-1
+- Update to match NSA
+ * Merged fixes for semodule_link and sestatus from Serge Hallyn (IBM).
+ Bugs found by Coverity.
+
+* Mon Aug 22 2005 Dan Walsh 1.25.5-3
+- Fix fixfiles to call sort -u followed by sort -d.
+
+* Wed Aug 17 2005 Dan Walsh 1.25.5-2
+- Change fixfiles to ignore /home directory on updates
+
+* Fri Aug 5 2005 Dan Walsh 1.25.5-1
+- Update to match NSA
+ * Merged patch to move module read/write code from libsemanage
+ to libsepol from Jason Tang (Tresys).
+
+* Thu Jul 28 2005 Dan Walsh 1.25.4-1
+- Update to match NSA
+ * Changed semodule* to link with libsemanage.
+
+* Wed Jul 27 2005 Dan Walsh 1.25.3-1
+- Update to match NSA
+ * Merged restorecon patch from Ivan Gyurdiev.
+
+* Mon Jul 18 2005 Dan Walsh 1.25.2-1
+- Update to match NSA
+ * Merged load_policy, newrole, and genhomedircon patches from Red Hat.
+
+* Thu Jul 7 2005 Dan Walsh 1.25.1-1
+- Update to match NSA
+ * Merged loadable module support from Tresys Technology.
+
+* Wed Jun 29 2005 Dan Walsh 1.24-1
+- Update to match NSA
+ * Updated version for release.
+
+* Tue Jun 14 2005 Dan Walsh 1.23.11-4
+- Fix Ivan's patch for user role changes
+
+* Sat May 28 2005 Dan Walsh 1.23.11-3
+- Add Ivan's patch for user role changes in genhomedircon
+
+* Thu May 26 2005 Dan Walsh 1.23.11-2
+- Fix warning message on reload of booleans
+
+
+* Fri May 20 2005 Dan Walsh 1.23.11-1
+- Update to match NSA
+ * Merged fixfiles and newrole patch from Dan Walsh.
+ * Merged audit2why man page from Dan Walsh.
+
+* Thu May 19 2005 Dan Walsh 1.23.10-2
+- Add call to pam_acct_mgmt in newrole.
+
+* Tue May 17 2005 Dan Walsh 1.23.10-1
+- Update to match NSA
+ * Extended audit2why to incorporate booleans and local user
+ settings when analyzing audit messages.
+
+* Mon May 16 2005 Dan Walsh 1.23.9-1
+- Update to match NSA
+ * Updated audit2why for sepol_ prefixes on Flask types to
+ avoid namespace collision with libselinux, and to
+ include now.
+
+* Fri May 13 2005 Dan Walsh 1.23.8-1
+- Fix fixfiles to accept -f
+- Update to match NSA
+ * Added audit2why utility.
+
+* Fri Apr 29 2005 Dan Walsh 1.23.7-1
+- Change -f flag in fixfiles to remove stuff from /tmp
+- Change -F flag to pass -F flag to restorecon/fixfiles. (IE Force relabel).
+
+* Thu Apr 14 2005 Dan Walsh 1.23.6-1
+- Update to match NSA
+ * Fixed signed/unsigned pointer bug in load_policy.
+ * Reverted context validation patch for genhomedircon.
+
+* Wed Apr 13 2005 Dan Walsh 1.23.5-1
+- Update to match NSA
+ * Reverted load_policy is_selinux_enabled patch from Dan Walsh.
+ Otherwise, an initial policy load cannot be performed using
+ load_policy, e.g. for anaconda.
+
+
+* Mon Apr 11 2005 Dan Walsh 1.23.4-3
+- remove is_selinux_enabled check from load_policy (Bad idea)
+
+* Mon Apr 11 2005 Dan Walsh 1.23.4-1
+- Update to version from NSA
+ * Merged load_policy is_selinux_enabled patch from Dan Walsh.
+ * Merged restorecon verbose output patch from Dan Walsh.
+ * Merged setfiles altroot patch from Chris PeBenito.
+
+* Thu Apr 7 2005 Dan Walsh 1.23.3-2
+- Don't run load_policy on a non SELinux kernel.
+
+* Wed Apr 6 2005 Dan Walsh 1.23.3-1
+- Update to version from NSA
+ * Merged context validation patch for genhomedircon from Eric Paris.
+- Fix verbose output of restorecon
+
+* Thu Mar 17 2005 Dan Walsh 1.23.2-1
+- Update to version from NSA
+ * Changed setfiles -c to call set_matchpathcon_flags(3) to
+ turn off processing of .homedirs and .local.
+
+* Tue Mar 15 2005 Dan Walsh 1.23.1-1
+- Update to released version from NSA
+ * Merged rewrite of genhomedircon by Eric Paris.
+ * Changed fixfiles to relabel jfs since it now supports security xattrs
+ (as of 2.6.11). Removed reiserfs until 2.6.12 is released with
+ fixed support for reiserfs and selinux.
+
+* Thu Mar 10 2005 Dan Walsh 1.22-2
+- Update to released version from NSA
+- Patch genhomedircon to handle passwd in different places.
+
+* Wed Mar 9 2005 Dan Walsh 1.21.22-2
+- Fix genhomedircon to not put bad userad error in file_contexts.homedir
+
+* Tue Mar 8 2005 Dan Walsh 1.21.22-1
+- Cleanup error reporting
+
+* Tue Mar 1 2005 Dan Walsh 1.21.21-1
+ * Merged load_policy and genhomedircon patch from Dan Walsh.
+
+* Mon Feb 28 2005 Dan Walsh 1.21.20-3
+- Fix genhomedircon to add extr "\n"
+
+* Fri Feb 25 2005 Dan Walsh 1.21.20-2
+- Fix genhomedircon to handle blank users
+
+* Fri Feb 25 2005 Dan Walsh 1.21.20-1
+- Update to latest from NSA
+- Add call to libsepol
+
+* Thu Feb 24 2005 Dan Walsh 1.21.19-4
+- Fix genhomedircon to handle root
+- Fix fixfiles to better handle file system types
+
+* Wed Feb 23 2005 Dan Walsh 1.21.19-2
+- Fix genhomedircon to handle spaces in SELINUXPOLICYTYPE
+
+* Tue Feb 22 2005 Dan Walsh 1.21.19-1
+- Update to latest from NSA
+ * Merged several fixes from Ulrich Drepper.
+
+* Mon Feb 21 2005 Dan Walsh 1.21.18-2
+- Apply Uli patch
+ * The Makefiles should use the -Wall option even if compiled in beehive
+ * Add -W, too
+ * use -Werror when used outside of beehive. This could also be used unconditionally
+ * setfiles/setfiles.c: fix resulting warning
+ * restorecon/restorecon.c: Likewise
+ * run_init/open_init_pty.c: argc hasn't been checked, the program would crash if
+called without parameters. ignore the return value of nice properly.
+ * run_init: don't link with -ldl lutil
+ * load_policy: that's the bad bug. pointer to unsigned int is passed, size_t is
+written to. fails on 64-bit archs
+ * sestatus: signed vs unsigned problem
+ * newrole: don't link with -ldl
+
+* Sat Feb 19 2005 Dan Walsh 1.21.18-1
+- Update to latest from NSA
+ * Changed load_policy to fall back to the original policy upon
+ an error from sepol_genusers().
+
+* Thu Feb 17 2005 Dan Walsh 1.21.17-2
+- Only restorecon on ext[23], reiser and xfs
+
+* Thu Feb 17 2005 Dan Walsh 1.21.17-1
+- Update to latest from NSA
+ * Merged new genhomedircon script from Dan Walsh.
+ * Changed load_policy to call sepol_genusers().
+
+* Thu Feb 17 2005 Dan Walsh 1.21.15-9
+- Remove Red Hat rhpl usage
+- Add back in original syntax
+- Update man page to match new syntax
+
+* Fri Feb 11 2005 Dan Walsh 1.21.15-8
+- Fix genhomedircon regular expression
+- Fix exclude in restorecon
+
+* Thu Feb 10 2005 Dan Walsh 1.21.15-5
+- Trap failure on write
+- Rewrite genhomedircon to generate file_context.homedirs
+- several passes
+
+* Thu Feb 10 2005 Dan Walsh 1.21.15-1
+- Update from NSA
+ * Changed relabel Makefile target to use restorecon.
+
+* Wed Feb 9 2005 Dan Walsh 1.21.14-1
+- Update from NSA
+ * Merged restorecon patch from Dan Walsh.
+
+* Tue Feb 8 2005 Dan Walsh 1.21.13-1
+- Update from NSA
+ * Merged further change to fixfiles -C from Dan Walsh.
+ * Merged updated fixfiles script from Dan Walsh.
+- Fix error handling of restorecon
+
+
+* Mon Feb 7 2005 Dan Walsh 1.21.12-2
+- Fix sestatus for longer booleans
+
+* Wed Feb 2 2005 Dan Walsh 1.21.12-1
+- More cleanup of fixfiles sed patch
+ * Merged further patches for restorecon/setfiles -e and fixfiles -C.
+
+* Wed Feb 2 2005 Dan Walsh 1.21.10-2
+- More cleanup of fixfiles sed patch
+
+* Mon Jan 31 2005 Dan Walsh 1.21.10-1
+- More cleanup of fixfiles sed patch
+- Upgrade to latest from NSA
+ * Merged patch for open_init_pty from Manoj Srivastava.
+
+* Fri Jan 28 2005 Dan Walsh 1.21.9-1
+- More cleanup of sed patch
+- Upgrade to latest from NSA
+ * Merged updated fixfiles script from Dan Walsh.
+ * Merged updated man page for fixfiles from Dan Walsh and re-added unzipped.
+ * Reverted fixfiles patch for file_contexts.local;
+ obsoleted by setfiles rewrite.
+ * Merged error handling patch for restorecon from Dan Walsh.
+ * Merged semi raw mode for open_init_pty helper from Manoj Srivastava.
+ * Rewrote setfiles to use matchpathcon and the new interfaces
+ exported by libselinux (>= 1.21.5).
+
+
+* Fri Jan 28 2005 Dan Walsh 1.21.7-3
+- Fix fixfiles patch
+- Upgrade to latest from NSA
+ * Prevent overflow of spec array in setfiles.
+- Add diff comparason between file_contexts to fixfiles
+- Allow restorecon to give an warning on file not found instead of exiting
+
+* Thu Jan 27 2005 Dan Walsh 1.21.5-1
+- Upgrade to latest from NSA
+ * Merged newrole -l support from Darrel Goeddel (TCS).
+- Fix genhomedircon STARTING_UID
+
+* Wed Jan 26 2005 Dan Walsh 1.21.4-1
+- Upgrade to latest from NSA
+ * Merged fixfiles patch for file_contexts.local from Dan Walsh.
+
+* Fri Jan 21 2005 Dan Walsh 1.21.3-2
+- Temp file needs to be created in /etc/selinux/POLICYTYPE/contexts/files/ directory.
+
+* Fri Jan 21 2005 Dan Walsh 1.21.3-1
+- Upgrade to latest from NSA
+ * Fixed restorecon to not treat errors from is_context_customizable()
+ as a customizable context.
+ * Merged setfiles/restorecon patch to not reset user field unless
+ -F option is specified from Dan Walsh.
+ * Merged open_init_pty helper for run_init from Manoj Srivastava.
+ * Merged audit2allow and genhomedircon man pages from Manoj Srivastava.
+
+* Fri Jan 21 2005 Dan Walsh 1.21.1-3
+- Don't change user componant if it is all that changed unless forced.
+- Change fixfiles to concatinate file_context.local for setfiles
+
+* Thu Jan 20 2005 Dan Walsh 1.21.1-1
+- Update to latest from NSA
+
+* Mon Jan 10 2005 Dan Walsh 1.20.1-2
+- Fix restorecon segfault
+
+* Mon Jan 3 2005 Dan Walsh 1.20.1-1
+- Update to latest from NSA
+ * Merged fixfiles rewrite from Dan Walsh.
+ * Merged restorecon patch from Dan Walsh.
+
+* Mon Jan 3 2005 Dan Walsh 1.19.3-1
+- Update to latest from NSA
+ * Merged fixfiles and restorecon patches from Dan Walsh.
+ * Don't display change if only user part changed.
+
+* Mon Jan 3 2005 Dan Walsh 1.19.2-4
+- Fix fixfiles handling of rpm
+- Fix restorecon to not warn on symlinks unless -v -v
+- Fix output of verbose to show old context as well as new context
+
+* Wed Dec 29 2004 Dan Walsh 1.19.2-1
+- Update to latest from NSA
+ * Changed restorecon to ignore ENOENT errors from matchpathcon.
+ * Merged nonls patch from Chris PeBenito.
+
+* Mon Dec 20 2004 Dan Walsh 1.19.1-1
+- Update to latest from NSA
+ * Removed fixfiles.cron.
+ * Merged run_init.8 patch from Dan Walsh.
+
+* Thu Nov 18 2004 Dan Walsh 1.18.1-3
+- Fix run_init.8 to refer to correct location of initrc_context
+
+* Wed Nov 3 2004 Dan Walsh 1.18.1-1
+- Upgrade to latest from NSA
+
+* Wed Oct 27 2004 Steve Grubb 1.17.7-3
+- Add code to sestatus to output the current policy from config file
+
+* Fri Oct 22 2004 Dan Walsh 1.17.7-2
+- Patch audit2allow to return self and no brackets if only one rule
+
+* Fri Oct 22 2004 Dan Walsh 1.17.7-1
+- Update to latest from NSA
+- Eliminate fixfiles.cron
+
+* Tue Oct 12 2004 Dan Walsh 1.17.6-2
+- Only run fixfiles.cron once a week, and eliminate null message
+
+* Fri Oct 1 2004 Dan Walsh 1.17.6-1
+- Update with NSA
+ * Added -l option to setfiles to log changes via syslog.
+ * Merged -e option to setfiles to exclude directories.
+ * Merged -R option to restorecon for recursive descent.
+* Fri Oct 1 2004 Dan Walsh 1.17.5-6
+- Add -e (exclude directory) switch to setfiles
+- Add syslog to setfiles
+
+* Fri Sep 24 2004 Dan Walsh 1.17.5-5
+- Add -R (recursive) switch to restorecon.
+
+* Thu Sep 23 2004 Dan Walsh 1.17.5-4
+- Change to only display to terminal if tty is specified
+
+* Tue Sep 21 2004 Dan Walsh 1.17.5-3
+- Only display to stdout if logfile not specified
+
+* Thu Sep 9 2004 Dan Walsh 1.17.5-2
+- Add Steve Grubb patch to cleanup log files.
+
+* Mon Aug 30 2004 Dan Walsh 1.17.5-1
+- Add optargs
+- Update to match NSA
+
+* Wed Aug 25 2004 Dan Walsh 1.17.4-1
+- Add fix to get cdrom info from /proc/media in fixfiles.
+
+* Wed Aug 25 2004 Dan Walsh 1.17.3-4
+- Add Steve Grub patches for
+ * Fix fixfiles.cron MAILTO
+ * Several problems in sestatus
+
+* Wed Aug 25 2004 Dan Walsh 1.17.3-3
+- Add -q (quiet) qualifier to load_policy to not report warnings
+
+* Tue Aug 24 2004 Dan Walsh 1.17.3-2
+- Add requires for libsepol >= 1.1.1
+
+* Tue Aug 24 2004 Dan Walsh 1.17.3-1
+- Update to latest from upstream
+
+* Mon Aug 23 2004 Dan Walsh 1.17.2-1
+- Update to latest from upstream
+- Includes Colin patch for verifying file_contexts
+
+* Sun Aug 22 2004 Dan Walsh 1.17.1-1
+- Update to latest from upstream
+
+* Mon Aug 16 2004 Dan Walsh 1.15.7-1
+- Update to latest from upstream
+
+* Thu Aug 12 2004 Dan Walsh 1.15.6-1
+- Add Man page for load_policy
+
+* Tue Aug 10 2004 Dan Walsh 1.15.5-1
+- new version from NSA uses libsepol
+
+* Mon Aug 2 2004 Dan Walsh 1.15.3-2
+- Fix genhomedircon join command
+
+* Thu Jul 29 2004 Dan Walsh 1.15.3-1
+- Latest from NSA
+
+* Mon Jul 26 2004 Dan Walsh 1.15.2-4
+- Change fixfiles to not change when running a check
+
+* Tue Jul 20 2004 Dan Walsh 1.15.2-3
+- Fix restorecon getopt call to stop hang on IBM Arches
+
+* Mon Jul 19 2004 Dan Walsh 1.15.2-2
+- Only mail files less than 100 lines from fixfiles.cron
+- Add Russell's fix for genhomedircon
+
+* Fri Jul 16 2004 Dan Walsh 1.15.2-1
+- Latest from NSA
+
+* Thu Jul 8 2004 Dan Walsh 1.15.1-2
+- Add ro warnings
+
+* Thu Jul 8 2004 Dan Walsh 1.15.1-1
+- Latest from NSA
+- Fix fixfiles.cron to delete outfile
+
+* Tue Jul 6 2004 Dan Walsh 1.14.1-2
+- Fix fixfiles.cron to not run on non SELinux boxes
+- Fix several problems in fixfiles and fixfiles.cron
+
+* Wed Jun 30 2004 Dan Walsh 1.14.1-1
+- Update from NSA
+- Add cron capability to fixfiles
+
+* Fri Jun 25 2004 Dan Walsh 1.13.4-1
+- Update from NSA
+
+* Thu Jun 24 2004 Dan Walsh 1.13.3-2
+- Fix fixfiles to handle no rpm file on relabel
+
+* Wed Jun 23 2004 Dan Walsh 1.13.3-1
+- Update latest from NSA
+- Add -o option to setfiles to save output of any files with incorrect context.
+
+* Tue Jun 22 2004 Dan Walsh 1.13.2-2
+- Add rpm support to fixfiles
+- Update restorecon to add file input support
+
+* Fri Jun 18 2004 Dan Walsh 1.13.2-1
+- Update with NSA Latest
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Sat Jun 12 2004 Dan Walsh 1.13.1-2
+- Fix run_init to use policy formats
+
+* Wed Jun 2 2004 Dan Walsh 1.13.1-1
+- Update from NSA
+
+* Tue May 25 2004 Dan Walsh 1.13-3
+- Change location of file_context file
+
+* Tue May 25 2004 Dan Walsh 1.13-2
+- Change to use /etc/sysconfig/selinux to determine location of policy files
+
+* Fri May 21 2004 Dan Walsh 1.13-1
+- Update to latest from NSA
+- Change fixfiles to prompt before deleteing /tmp files
+
+* Tue May 18 2004 Dan Walsh 1.12-2
+- have restorecon ingnore <>
+- Hand matchpathcon the file status
+
+* Thu May 13 2004 Dan Walsh 1.12-1
+- Update to match NSA
+
+* Mon May 10 2004 Dan Walsh 1.11-4
+- Move location of log file to /var/tmp
+
+* Mon May 10 2004 Dan Walsh 1.11-3
+- Better grep command for bind
+
+* Fri May 7 2004 Dan Walsh 1.11-2
+- Eliminate bind and context mounts
+
+* Wed May 5 2004 Dan Walsh 1.11-1
+- update to match NSA
+
+* Wed Apr 28 2004 Dan Walsh 1.10-4
+- Log fixfiles to the /tmp directory
+
+* Wed Apr 21 2004 Colin Walters 1.10-3
+- Add patch to fall back to authenticating via uid if
+ the current user's SELinux user identity is the default
+ identity
+- Add BuildRequires pam-devel
+
+* Mon Apr 12 2004 Dan Walsh 1.10-2
+- Add man page, thanks to Richard Halley
+
+* Thu Apr 8 2004 Dan Walsh 1.10-1
+- Upgrade to latest from NSA
+
+* Fri Apr 2 2004 Dan Walsh 1.9.2-1
+- Update with latest from gentoo and NSA
+
+* Thu Apr 1 2004 Dan Walsh 1.9.1-1
+- Check return codes in sestatus.c
+
+* Mon Mar 29 2004 Dan Walsh 1.9-19
+- Fix sestatus to not double free
+- Fix sestatus.conf to be unix format
+
+* Mon Mar 29 2004 Dan Walsh 1.9-18
+- Warn on setfiles failure to relabel.
+
+* Mon Mar 29 2004 Dan Walsh 1.9-17
+- Updated version of sestatus
+
+* Mon Mar 29 2004 Dan Walsh 1.9-16
+- Fix fixfiles to checklabel properly
+
+* Fri Mar 26 2004 Dan Walsh 1.9-15
+- add sestatus
+
+* Thu Mar 25 2004 Dan Walsh 1.9-14
+- Change free call to freecon
+- Cleanup
+
+* Tue Mar 23 2004 Dan Walsh 1.9-12
+- Remove setfiles-assoc patch
+- Fix restorecon to not crash on missing dir
+
+* Thu Mar 18 2004 Dan Walsh 1.9-11
+- Eliminate trailing / in restorecon
+
+* Thu Mar 18 2004 Dan Walsh 1.9-10
+- Add Verbosity check
+
+* Thu Mar 18 2004 Dan Walsh 1.9-9
+- Change restorecon to not follow symlinks. It is too difficult and confusing
+- to figure out the file context for the file pointed to by a symlink.
+
+* Wed Mar 17 2004 Dan Walsh 1.9-8
+- Fix restorecon
+* Wed Mar 17 2004 Dan Walsh 1.9-7
+- Read restorecon patch
+
+* Wed Mar 17 2004 Dan Walsh 1.9-6
+- Change genhomedircon to take POLICYSOURCEDIR from command line
+
+* Wed Mar 17 2004 Dan Walsh 1.9-5
+- Add checkselinux
+- move fixfiles and restorecon to /sbin
+
+* Wed Mar 17 2004 Dan Walsh 1.9-4
+- Restore patch of genhomedircon
+
+* Mon Mar 15 2004 Dan Walsh 1.9-3
+- Add setfiles-assoc patch to try to freeup memory use
+
+* Mon Mar 15 2004 Dan Walsh 1.9-2
+- Add fixlabels
+
+* Mon Mar 15 2004 Dan Walsh 1.9-1
+- Update to latest from NSA
+
+* Wed Mar 10 2004 Dan Walsh 1.6-8
+- Increase the size of buffer accepted by setfiles to BUFSIZ.
+
+* Tue Mar 9 2004 Dan Walsh 1.6-7
+- genhomedircon should complete even if it can't read /etc/default/useradd
+
+* Tue Mar 9 2004 Dan Walsh 1.6-6
+- fix restorecon to relabel unlabled files.
+
+* Fri Mar 5 2004 Dan Walsh 1.6-5
+- Add genhomedircon from tresys
+- Fixed patch for restorecon
+
+* Thu Feb 26 2004 Dan Walsh 1.6-4
+- exit out when selinux is not enabled
+
+* Thu Feb 26 2004 Dan Walsh 1.6-3
+- Fix minor bugs in restorecon
+
+* Thu Feb 26 2004 Dan Walsh 1.6-2
+- Add restorecon c program
+
+* Tue Feb 24 2004 Dan Walsh 1.6-1
+- Update to latest tarball from NSA
+
+* Thu Feb 19 2004 Dan Walsh 1.4-9
+- Add sort patch
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Thu Jan 29 2004 Dan Walsh 1.4-7
+- remove mods to run_init since init scripts don't require it anymore
+
+* Wed Jan 28 2004 Dan Walsh 1.4-6
+- fix genhomedircon not to return and error
+
+* Wed Jan 28 2004 Dan Walsh 1.4-5
+- add setfiles quiet patch
+
+* Tue Jan 27 2004 Dan Walsh 1.4-4
+- add checkcon to verify context match file_context
+
+* Wed Jan 7 2004 Dan Walsh 1.4-3
+- fix command parsing restorecon
+
+* Tue Jan 6 2004 Dan Walsh 1.4-2
+- Add restorecon
+
+* Sat Dec 6 2003 Dan Walsh 1.4-1
+- Update to latest NSA 1.4
+
+* Tue Nov 25 2003 Dan Walsh 1.2-9
+- Change run_init.console to run as run_init_t
+
+* Tue Oct 14 2003 Dan Walsh 1.2-8
+- Remove dietcc since load_policy is not in mkinitrd
+- Change to use CONSOLEHELPER flag
+
+* Tue Oct 14 2003 Dan Walsh 1.2-7
+- Don't authenticate run_init when used with consolehelper
+
+* Wed Oct 01 2003 Dan Walsh 1.2-6
+- Add run_init consolehelper link
+
+* Wed Sep 24 2003 Dan Walsh 1.2-5
+- Add russell spead up patch to deal with file path stems
+
+* Fri Sep 12 2003 Dan Walsh 1.2-4
+- Build load_policy with diet gcc in order to save space on initrd
+
+* Fri Sep 12 2003 Dan Walsh 1.2-3
+- Update with NSA latest
+
+* Thu Aug 7 2003 Dan Walsh 1.2-1
+- remove i18n
+- Temp remove gtk support
+
+* Thu Aug 7 2003 Dan Walsh 1.1-4
+- Remove wnck requirement
+
+* Thu Aug 7 2003 Dan Walsh 1.1-3
+- Add gtk support to run_init
+
+* Tue Aug 5 2003 Dan Walsh 1.1-2
+- Add internationalization
+
+* Mon Jun 2 2003 Dan Walsh 1.0-1
+- Initial version

+

SELinux roles

+-""") ++""" % self.os_version) + for letter in self.manpage_roles: + if len(self.manpage_roles[letter]): + fd.write(""" +@@ -292,7 +256,7 @@ Fedora or Red Hat Enterprise Linux Man Pages. + if len(self.manpage_roles[letter]): + rolename_body += "

" + for r in self.manpage_roles[letter]: +- rolename = r.split("_selinux")[0] ++ rolename = r.rsplit("_selinux", 1)[0] + rolename_body += "%s_selinux(8) - Security Enhanced Linux Policy for the %s SELinux user\n" % (letter, rolename, rolename, rolename) + + fd.write("""%s +@@ -307,7 +271,7 @@ Fedora or Red Hat Enterprise Linux Man Pages. + if len(self.manpage_domains[letter]): + fd.write(""" + %s +- """ % (letter, letter)) ++ """ % (letter, letter)) + + fd.write(""" +