diff --git a/.gitignore b/.gitignore index 0d989de..bf1fee5 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,6 @@ SOURCES/gui-po.tgz SOURCES/policycoreutils-po.tgz SOURCES/python-po.tgz SOURCES/sandbox-po.tgz -SOURCES/selinux-3.4.tar.gz +SOURCES/selinux-3.5.tar.gz SOURCES/sepolicy-icons.tgz SOURCES/system-config-selinux.png diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata index 779bfae..298caa7 100644 --- a/.policycoreutils.metadata +++ b/.policycoreutils.metadata @@ -2,6 +2,6 @@ f9342645227d02f617924de0bb0dbfa9c67ebb43 SOURCES/gui-po.tgz 04e31eca7c25edb3a896637aba5b81b61d572995 SOURCES/policycoreutils-po.tgz 2395f9e7d3a01715f103a04fed37468ba0d3da5a SOURCES/python-po.tgz 65f89d944d50c59dd5a35453e9a94916db076b3d SOURCES/sandbox-po.tgz -3c789c6783738e17f74221efa475cbb878183379 SOURCES/selinux-3.4.tar.gz +28e8c0a58e01436b1c931559da3844d5774f8186 SOURCES/selinux-3.5.tar.gz d849fa76cc3ef4a26047d8a69fef3a55d2f3097f SOURCES/sepolicy-icons.tgz 611a5d497efaddd45ec0dcc3e9b2e5b0f81ebc41 SOURCES/system-config-selinux.png diff --git a/SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch b/SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch index 1b5b9c9..f14e1a2 100644 --- a/SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch +++ b/SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch @@ -1,4 +1,4 @@ -From f361ee407490bc74b43ec408b1edc70cd647d4e0 Mon Sep 17 00:00:00 2001 +From 31ccf6f0fc5e77870f496fac4bea94a6ba2e5c30 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 20 Aug 2015 12:58:41 +0200 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in @@ -23,5 +23,5 @@ index eaa500d08143..4774528027ef 100644 cat > ~/seremote << __EOF #!/bin/sh -- -2.35.1 +2.39.1 diff --git a/SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch index 998345e..35b81ac 100644 
--- a/SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch +++ b/SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch @@ -1,4 +1,4 @@ -From 71a2f14767c0ec70c23ecce43d7cbc5404c95552 Mon Sep 17 00:00:00 2001 +From 837c347bbee5db90d11144363525113edc8baed3 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 21 Apr 2014 13:54:40 -0400 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages @@ -10,10 +10,10 @@ Signed-off-by: Miroslav Grepl 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 3e61e333193f..82338aeeef32 100755 +index a488dcbf54f2..7d90ffb5a22f 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py -@@ -737,10 +737,13 @@ Default Defined Ports:""") +@@ -679,10 +679,13 @@ Default Defined Ports:""") def _file_context(self): flist = [] @@ -27,9 +27,9 @@ index 3e61e333193f..82338aeeef32 100755 if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] if len(mpaths) == 0: -@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -741,12 +744,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d SELinux defines the file context types for the %(domainname)s, if you wanted to - store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. + store files with these types in a different paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. -.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?' +.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?' @@ -43,5 +43,5 @@ index 3e61e333193f..82338aeeef32 100755 self.fd.write(r""" .I The following file types are defined for %(domainname)s: -- -2.35.1 +2.39.1 
diff --git a/SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch index aca9199..c31d159 100644 --- a/SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch +++ b/SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch @@ -1,4 +1,4 @@ -From d55a06c002641dce1301b9b5639bd8e206460724 Mon Sep 17 00:00:00 2001 +From f21d5f9316094015c81339d25d69d3dc7150bd8a Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mon, 12 May 2014 14:11:22 +0200 Subject: [PATCH] If there is no executable we don't want to print a part of @@ -10,10 +10,10 @@ Content-type: text/plain 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 82338aeeef32..ec8aa1cb94a2 100755 +index 7d90ffb5a22f..11809dcede43 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py -@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d +@@ -737,7 +737,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) @@ -24,5 +24,5 @@ index 82338aeeef32..ec8aa1cb94a2 100755 .B STANDARD FILE CONTEXT -- -2.35.1 +2.39.1 diff --git a/SOURCES/0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/SOURCES/0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch new file mode 100644 index 0000000..5caf30f --- /dev/null +++ b/SOURCES/0004-Don-t-be-verbose-if-you-are-not-on-a-tty.patch 
@@ -0,0 +1,25 @@
+From 9e22ab3619d68277c89926f3f31e37a9101ca082 Mon Sep 17 00:00:00 2001
+From: Dan Walsh
+Date: Fri, 14 Feb 2014 12:32:12 -0500
+Subject: [PATCH] Don't be verbose if you are not on a tty
+Content-type: text/plain
+
+---
+ policycoreutils/scripts/fixfiles | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 166af6f360a2..ebe64563c7d7 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
+ fullFlag=0
+ BOOTTIME=""
+ VERBOSE="-p"
++[ -t 1 ] || VERBOSE=""
+ FORCEFLAG=""
+ THREADS=""
+ RPMFILES=""
+--
+2.39.1
+
diff --git a/SOURCES/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch b/SOURCES/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
deleted file mode 100644
index 045c033..0000000
--- a/SOURCES/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
+++ /dev/null
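Review bot: The added `[ -t 1 ] || VERBOSE=""` is the one line in this hunk a reader will stop on, and it carries no comment saying why; I would precede it with `# -p progress output is only useful on an interactive terminal; drop it when stdout is redirected (cron, systemd, pipes)`. Note that `-t 1` tests stdout only, so a run whose stdout is a tty but whose stderr is captured still shows progress, which is fine provided setfiles writes its progress indicator to stdout — worth confirming. These are top-level variable initialisations; `exclude_dirs_from_relabelling()` in the hunk header is merely the nearest preceding function, and any later option parsing that resets VERBOSE lies outside the hunk.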
@@ -1,170 +0,0 @@ -From b180f7679c5e09535416f47d48afd0c0738f5fa9 Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Thu, 19 Feb 2015 17:45:15 +0100 -Subject: [PATCH] Simplication of sepolicy-manpage web functionality. - system_release is no longer hardcoded and it creates only index.html and html - man pages in the directory for the system release. -Content-type: text/plain - ---- - python/sepolicy/sepolicy/__init__.py | 25 +++-------- - python/sepolicy/sepolicy/manpage.py | 65 +++------------------------- - 2 files changed, 13 insertions(+), 77 deletions(-) - -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 203ca25f4210..9447812b7450 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -1225,27 +1225,14 @@ def boolean_desc(boolean): - - - def get_os_version(): -- os_version = "" -- pkg_name = "selinux-policy" -+ system_release = "" - try: -- try: -- from commands import getstatusoutput -- except ImportError: -- from subprocess import getstatusoutput -- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name) -- if rc == 0: -- os_version = output.split(".")[-2] -- except: -- os_version = "" -- -- if os_version[0:2] == "fc": -- os_version = "Fedora" + os_version[2:] -- elif os_version[0:2] == "el": -- os_version = "RHEL" + os_version[2:] -- else: -- os_version = "" -+ with open('/etc/system-release') as f: -+ system_release = f.readline() -+ except IOError: -+ system_release = "Misc" - -- return os_version -+ return system_release - - - def reinit(): -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index ec8aa1cb94a2..c632d05dbb1b 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -151,10 +151,6 @@ def prettyprint(f, trim): - manpage_domains = [] - manpage_roles = [] - --fedora_releases = ["Fedora17", "Fedora18"] --rhel_releases = ["RHEL6", "RHEL7"] -- -- - def 
get_alphabet_manpages(manpage_list): - alphabet_manpages = dict.fromkeys(string.ascii_letters, []) - for i in string.ascii_letters: -@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage): - class HTMLManPages: - - """ -- Generate a HHTML Manpages on an given SELinux domains -+ Generate a HTML Manpages on an given SELinux domains - """ - - def __init__(self, manpage_roles, manpage_domains, path, os_version): -@@ -192,9 +188,9 @@ class HTMLManPages: - self.manpage_domains = get_alphabet_manpages(manpage_domains) - self.os_version = os_version - self.old_path = path + "/" -- self.new_path = self.old_path + self.os_version + "/" -+ self.new_path = self.old_path - -- if self.os_version in fedora_releases or self.os_version in rhel_releases: -+ if self.os_version: - self.__gen_html_manpages() - else: - print("SELinux HTML man pages can not be generated for this %s" % os_version) -@@ -203,7 +199,6 @@ class HTMLManPages: - def __gen_html_manpages(self): - self._write_html_manpage() - self._gen_index() -- self._gen_body() - self._gen_css() - - def _write_html_manpage(self): -@@ -221,67 +216,21 @@ class HTMLManPages: - convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) - - def _gen_index(self): -- index = self.old_path + "index.html" -- fd = open(index, 'w') -- fd.write(""" -- -- -- -- SELinux man pages online -- -- --

SELinux man pages

--

--Fedora or Red Hat Enterprise Linux Man Pages. --

--
--

Fedora

-- -- --
--
--
--""")
--        for f in fedora_releases:
--            fd.write("""
--%s - SELinux man pages for %s """ % (f, f, f, f))
--
--        fd.write("""
--
--
--

RHEL

-- -- --
--
--
--""")
--        for r in rhel_releases:
--            fd.write("""
--%s - SELinux man pages for %s """ % (r, r, r, r))
--
--        fd.write("""
--
-- """) -- fd.close() -- print("%s has been created" % index) -- -- def _gen_body(self): - html = self.new_path + self.os_version + ".html" - fd = open(html, 'w') - fd.write(""" - - -- -- Linux man-pages online for Fedora18 -+ -+ SELinux man pages online - - --

SELinux man pages for Fedora18

-+

SELinux man pages for %s

-
- -
-

SELinux roles

--""") -+""" % self.os_version) - for letter in self.manpage_roles: - if len(self.manpage_roles[letter]): - fd.write(""" --- -2.35.1 - diff --git a/SOURCES/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch b/SOURCES/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch deleted file mode 100644 index 948881f..0000000 --- a/SOURCES/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 1747f59fece8183772e5591ce5b5feb5f421f602 Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Fri, 20 Feb 2015 16:42:01 +0100 -Subject: [PATCH] We want to remove the trailing newline for - /etc/system_release. -Content-type: text/plain - ---- - python/sepolicy/sepolicy/__init__.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 9447812b7450..aa8beda313c8 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -1228,7 +1228,7 @@ def get_os_version(): - system_release = "" - try: - with open('/etc/system-release') as f: -- system_release = f.readline() -+ system_release = f.readline().rstrip() - except IOError: - system_release = "Misc" - --- -2.35.1 - diff --git a/SOURCES/0005-sepolicy-generate-Handle-more-reserved-port-types.patch b/SOURCES/0005-sepolicy-generate-Handle-more-reserved-port-types.patch new file mode 100644 index 0000000..361e47b --- /dev/null +++ b/SOURCES/0005-sepolicy-generate-Handle-more-reserved-port-types.patch 
@@ -0,0 +1,72 @@ +From be8bd714f37e6114661f02df4ddb7cb7b25cd0a1 Mon Sep 17 00:00:00 2001 +From: Masatake YAMATO +Date: Thu, 14 Dec 2017 15:57:58 +0900 +Subject: [PATCH] sepolicy-generate: Handle more reserved port types +Content-type: text/plain + +Currently only reserved_port_t, port_t and hi_reserved_port_t are +handled as special when making a ports-dictionary. However, as fas as +corenetwork.te.in of serefpolicy, unreserved_port_t and +ephemeral_port_t should be handled in the same way, too. + +(Details) I found the need of this change when I was using +selinux-polgengui. Though tcp port 12345, which my application may +use, was given to the gui, selinux-polgengui generates expected te +file and sh file which didn't utilize the tcp port. + +selinux-polgengui checks whether a port given via gui is already typed +or not. + +If it is already typed, selinux-polgengui generates a te file having +rules to allow the application to use the port. (A) + +If not, it seems for me that selinux-polgengui is designed to generate +a te file having rules to allow the application to own(?) the port; +and a sh file having a command line to assign the application own type +to the port. (B) + +As we can see the output of `semanage port -l' some of ports for +specified purpose have types already. The important point is that the +rest of ports also have types already: + + hi_reserved_port_t tcp 512-1023 + hi_reserved_port_t udp 512-1023 + unreserved_port_t tcp 1024-32767, 61001-65535 + unreserved_port_t udp 1024-32767, 61001-65535 + ephemeral_port_t tcp 32768-61000 + ephemeral_port_t udp 32768-61000 + +As my patch shows, the original selinux-polgengui ignored +hi_reserved_port_t; though hi_reserved_port_t is assigned, +selinux-polgengui considered ports 512-1023 are not used. As the +result selinux-polgengui generates file sets of (B). + +For the purpose of selinux-polgengui, I think unreserved_port_t and +ephemeral_port_t are treated as the same as hi_reserved_port_t. 
+ +Signed-off-by: Masatake YAMATO + +Fedora only patch: +https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/ +--- + python/sepolicy/sepolicy/generate.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py +index b6df3e91160b..36a3ea1196b1 100644 +--- a/python/sepolicy/sepolicy/generate.py ++++ b/python/sepolicy/sepolicy/generate.py +@@ -100,7 +100,9 @@ def get_all_ports(): + for p in sepolicy.info(sepolicy.PORT): + if p['type'] == "reserved_port_t" or \ + p['type'] == "port_t" or \ +- p['type'] == "hi_reserved_port_t": ++ p['type'] == "hi_reserved_port_t" or \ ++ p['type'] == "ephemeral_port_t" or \ ++ p['type'] == "unreserved_port_t": + continue + dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) + return dict +-- +2.39.1 + diff --git a/SOURCES/0006-Fix-title-in-manpage.py-to-not-contain-online.patch b/SOURCES/0006-Fix-title-in-manpage.py-to-not-contain-online.patch deleted file mode 100644 index 9b31464..0000000 --- a/SOURCES/0006-Fix-title-in-manpage.py-to-not-contain-online.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 0bd28bc715034c644405d3c03f160d69ae710500 Mon Sep 17 00:00:00 2001 -From: Miroslav Grepl -Date: Fri, 20 Feb 2015 16:42:53 +0100 -Subject: [PATCH] Fix title in manpage.py to not contain 'online'. -Content-type: text/plain - ---- - python/sepolicy/sepolicy/manpage.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index c632d05dbb1b..3ae2f42b2fdf 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -222,7 +222,7 @@ class HTMLManPages: - - - -- SELinux man pages online -+ SELinux man pages - - -
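Review bot: The skip test in `get_all_ports()` has grown into a five-way `or` chain of string comparisons; a module-level constant with a membership test reads better and makes the next addition a one-word change: `GENERIC_PORT_TYPES = frozenset({"reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t"})` and `if p['type'] in GENERIC_PORT_TYPES: continue`. The constant deserves a comment stating why these are excluded: they are the policy's catch-all ranges, so a port carrying only one of them is treated as untyped and, per the commit message, the generator then proposes an application-owned port type plus a `semanage port` assignment — after this change that covers the 1024-32767 and 32768-61000 ranges too, which is the intent but is worth saying at the point of use. The local named `dict` shadows the builtin (pre-existing, not introduced here). The `def` of `get_all_ports` is only in the hunk header; the loop body shown is all the change touches.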

SELinux man pages for %s

--- -2.35.1 - diff --git a/SOURCES/0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/SOURCES/0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch new file mode 100644 index 0000000..f1c27fa --- /dev/null +++ b/SOURCES/0006-sandbox-Use-matchbox-window-manager-instead-of-openb.patch 
@@ -0,0 +1,75 @@ +From f4b78eeb59ae1ef4b5926c004debce04ee28dfe7 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 18 Jul 2018 09:09:35 +0200 +Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox +Content-type: text/plain + +--- + sandbox/sandbox | 4 ++-- + sandbox/sandbox.8 | 2 +- + sandbox/sandboxX.sh | 14 -------------- + 3 files changed, 3 insertions(+), 17 deletions(-) + +diff --git a/sandbox/sandbox b/sandbox/sandbox +index a2762a7d215a..a32a33ea3cf6 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -270,7 +270,7 @@ class Sandbox: + copyfile(f, "/tmp", self.__tmpdir) + copyfile(f, "/var/tmp", self.__tmpdir) + +- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): ++ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): + execfile = self.__homedir + "/.sandboxrc" + fd = open(execfile, "w+") + if self.__options.session: +@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + + parser.add_option("-W", "--windowmanager", dest="wm", + type="string", +- default="/usr/bin/openbox", ++ default="/usr/bin/matchbox-window-manager", + help=_("alternate window manager")) + + parser.add_option("-l", "--level", dest="level", +diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 +index 1ee0ecea96d1..775e4b231204 100644 +--- a/sandbox/sandbox.8 ++++ b/sandbox/sandbox.8 +@@ -80,7 +80,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz + \fB\-W\fR \fB\-\-windowmanager\fR + Select alternative window manager to run within + .B sandbox \-X. +-Default to /usr/bin/openbox. ++Default to /usr/bin/matchbox-window-manager. 
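Review bot: `__setup_sandboxrc` now writes `/usr/bin/matchbox-window-manager` into `.sandboxrc` by default, but nothing in the hunk checks that the binary exists, so a host that still has only openbox installed gets a sandbox whose rc file invokes a missing executable. Because `wm` is also user-selectable through `-W`, an early guard such as `if not os.access(wm, os.X_OK): raise ValueError(_("window manager %s is not executable") % wm)` (assuming `os` is imported in this file) would fail with a clear message instead — hedged, since validation may already live in the option handling outside this hunk. The same path is now spelled out three times (method default, `parser.add_option` default, `sandbox.8`); a single module constant used by both code defaults would stop them drifting. The body of `__setup_sandboxrc` continues beyond the hunk.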
+ .TP + \fB\-X\fR + Create an X based Sandbox for gui apps, temporary files for +diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh +index 4774528027ef..c211ebc14549 100644 +--- a/sandbox/sandboxX.sh ++++ b/sandbox/sandboxX.sh +@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 + [ -z $2 ] && export DPI="96" || export DPI="$2" + trap "exit 0" HUP + +-mkdir -p ~/.config/openbox +-cat > ~/.config/openbox/rc.xml << EOF +- +- +- +- no +- all +- yes +- +- +- +-EOF +- + (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do + export DISPLAY=:$D + cat > ~/seremote << __EOF +-- +2.39.1 + diff --git a/SOURCES/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/SOURCES/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch deleted file mode 100644 index ba39b4d..0000000 --- a/SOURCES/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch +++ /dev/null @@ -1,25 +0,0 @@ -From f204dd292340689c2d7ab75612b9fd81337fcbc3 Mon Sep 17 00:00:00 2001 -From: Dan Walsh -Date: Fri, 14 Feb 2014 12:32:12 -0500 -Subject: [PATCH] Don't be verbose if you are not on a tty -Content-type: text/plain - ---- - policycoreutils/scripts/fixfiles | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles -index c72ca0eb9d61..163ebcd1f232 100755 ---- a/policycoreutils/scripts/fixfiles -+++ b/policycoreutils/scripts/fixfiles -@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() { - fullFlag=0 - BOOTTIME="" - VERBOSE="-p" -+[ -t 1 ] || VERBOSE="" - FORCEFLAG="" - THREADS="" - RPMFILES="" --- -2.35.1 - diff --git a/SOURCES/0007-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0007-Use-SHA-2-instead-of-SHA-1.patch new file mode 100644 index 0000000..8c2398e --- /dev/null +++ b/SOURCES/0007-Use-SHA-2-instead-of-SHA-1.patch 
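Review bot: The removed block in `sandboxX.sh` generated an openbox `rc.xml` that forced every sandboxed window undecorated, on all desktops and maximized (the `no`/`all`/`yes` values still visible in the removed lines), and the hunk replaces it with nothing; a one-line comment at that spot would save the next reader from looking for the matchbox equivalent, e.g. `# matchbox-window-manager maximizes and undecorates windows on its own, so no per-WM config file is written here` — if that is indeed the reason. The Xephyr invocation that follows keeps `-nolisten tcp`, which is the right default for a sandbox display. The `[ -z $2 ]` test above the removed block is unquoted (pre-existing, not part of this change).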
@@ -0,0 +1,298 @@ +From 604a275f53750e4c1e1101bd53c4fd448cc0b5e3 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Fri, 30 Jul 2021 14:14:37 +0200 +Subject: [PATCH] Use SHA-2 instead of SHA-1 +Content-type: text/plain + +The use of SHA-1 in RHEL9 is deprecated +--- + policycoreutils/setfiles/restorecon.8 | 10 +++++----- + policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++---- + policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------ + policycoreutils/setfiles/ru/restorecon.8 | 8 ++++---- + policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++----- + policycoreutils/setfiles/ru/setfiles.8 | 8 ++++---- + policycoreutils/setfiles/setfiles.8 | 10 +++++----- + 7 files changed, 33 insertions(+), 33 deletions(-) + +diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 +index e07db2c87dc4..dbd55ce7c512 100644 +--- a/policycoreutils/setfiles/restorecon.8 ++++ b/policycoreutils/setfiles/restorecon.8 +@@ -95,14 +95,14 @@ display usage information and exit. + ignore files that do not exist. + .TP + .B \-I +-ignore digest to force checking of labels even if the stored SHA1 digest +-matches the specfiles SHA1 digest. The digest will then be updated provided ++ignore digest to force checking of labels even if the stored SHA256 digest ++matches the specfiles SHA256 digest. The digest will then be updated provided + there are no errors. See the + .B NOTES + section for further details. + .TP + .B \-D +-Set or update any directory SHA1 digests. Use this option to ++Set or update any directory SHA256 digests. Use this option to + enable usage of the + .IR security.sehash + extended attribute. +@@ -200,7 +200,7 @@ the + .B \-D + option to + .B restorecon +-will cause it to store a SHA1 digest of the default specfiles set in an extended ++will cause it to store a SHA256 digest of the default specfiles set in an extended + attribute named + .IR security.sehash + on each directory specified in +@@ -217,7 +217,7 @@ for further details. 
+ .sp + The + .B \-I +-option will ignore the SHA1 digest from each directory specified in ++option will ignore the SHA256 digest from each directory specified in + .IR pathname \ ... + and provided the + .B \-n +diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8 +index e04528e60824..4b1ce304d995 100644 +--- a/policycoreutils/setfiles/restorecon_xattr.8 ++++ b/policycoreutils/setfiles/restorecon_xattr.8 +@@ -23,7 +23,7 @@ or + + .SH "DESCRIPTION" + .B restorecon_xattr +-will display the SHA1 digests added to extended attributes ++will display the SHA256 digests added to extended attributes + .I security.sehash + or delete the attribute completely. These attributes are set by + .BR restorecon (8) +@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches. + .sp + By default + .B restorecon_xattr +-will display the SHA1 digests with "Match" appended if they match the default ++will display the SHA256 digests with "Match" appended if they match the default + specfile set or the + .I specfile + set used with the + .B \-f +-option. Non-matching SHA1 digests will be displayed with "No Match" appended. ++option. Non-matching SHA256 digests will be displayed with "No Match" appended. + This feature can be disabled by the + .B \-n + option. +@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests. + recursively descend directories. + .TP + .B \-v +-display SHA1 digest generated by specfile set (Note that this digest is not ++display SHA256 digest generated by specfile set (Note that this digest is not + used to match the + .I security.sehash + directory digest entries, and is shown for reference only). 
+diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c +index 31fb82fd2099..bc22d3fd4560 100644 +--- a/policycoreutils/setfiles/restorecon_xattr.c ++++ b/policycoreutils/setfiles/restorecon_xattr.c +@@ -38,7 +38,7 @@ int main(int argc, char **argv) + unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0; + unsigned int delete_all_digests = 0, ignore_mounts = 0; + bool display_digest = false; +- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL; ++ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL; + unsigned char *fc_digest = NULL; + size_t i, fc_digest_len = 0, num_specfiles; + +@@ -133,8 +133,8 @@ int main(int argc, char **argv) + exit(-1); + } + +- sha1_buf = malloc(fc_digest_len * 2 + 1); +- if (!sha1_buf) { ++ sha256_buf = malloc(fc_digest_len * 2 + 1); ++ if (!sha256_buf) { + fprintf(stderr, + "Error allocating digest buffer: %s\n", + strerror(errno)); +@@ -143,16 +143,16 @@ int main(int argc, char **argv) + } + + for (i = 0; i < fc_digest_len; i++) +- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]); ++ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]); + +- printf("specfiles SHA1 digest: %s\n", sha1_buf); ++ printf("specfiles SHA256 digest: %s\n", sha256_buf); + + printf("calculated using the following specfile(s):\n"); + if (specfiles) { + for (i = 0; i < num_specfiles; i++) + printf("%s\n", specfiles[i]); + } +- free(sha1_buf); ++ free(sha256_buf); + printf("\n"); + } + +diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8 +index 9be3a63db356..745135020f4b 100644 +--- a/policycoreutils/setfiles/ru/restorecon.8 ++++ b/policycoreutils/setfiles/ru/restorecon.8 +@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас + игнорировать файлы, которые не существуют. 
+ .TP + .B \-I +-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе ++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе + .B ПРИМЕЧАНИЯ. + .TP + .B \-D +-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута ++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута + .IR security.restorecon_last. + .TP + .B \-m +@@ -159,7 +159,7 @@ GNU + .B \-D + команды + .B restorecon +-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем ++обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем + .IR security.restorecon_last + для каталогов, указанных в соответствующих путях + .IR pathname \ ... +@@ -173,7 +173,7 @@ GNU + .sp + Параметр + .B \-I +-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в ++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в + .IR pathname \ ... 
+ , и, при условии, что НЕ установлен параметр + .B \-n +diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8 +index 41c441b8c5c2..25c4c3033334 100644 +--- a/policycoreutils/setfiles/ru/restorecon_xattr.8 ++++ b/policycoreutils/setfiles/ru/restorecon_xattr.8 +@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных + + .SH "ОПИСАНИЕ" + .B restorecon_xattr +-покажет дайджесты SHA1, добавленные в расширенные атрибуты ++покажет дайджесты SHA256, добавленные в расширенные атрибуты + .I security.restorecon_last, + или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой + .BR restorecon (8) +@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных + .sp + По умолчанию + .B restorecon_xattr +-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации ++показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации + .I specfile, + который установлен с помощью параметра + .B \-f. +-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце. ++Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце. + Эту возможность можно отключить с помощью параметра + .B \-n. + +@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных + рекурсивно спускаться по каталогам. + .TP + .B \-v +-показать дайджест SHA1, созданный установленным файлом спецификации. ++показать дайджест SHA256, созданный установленным файлом спецификации. + .TP + .B \-e + .I directory +@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных + .BR file_contexts (5). 
+ Он будет использоваться + .BR selabel_open (3) +-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью ++для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью + .BR selabel_digest (3). + Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию. + +diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8 +index 910101452625..7f2daa09191b 100644 +--- a/policycoreutils/setfiles/ru/setfiles.8 ++++ b/policycoreutils/setfiles/ru/setfiles.8 +@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос + игнорировать файлы, которые не существуют. + .TP + .B \-I +-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе ++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе + .B ПРИМЕЧАНИЯ. + .TP + .B \-D +-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута ++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута + .IR security.restorecon_last. + .TP + .B \-l +@@ -186,7 +186,7 @@ GNU + .B \-D + команды + .B setfiles . 
+-Он обеспечивает сохранение дайджеста SHA1 файла спецификации ++Он обеспечивает сохранение дайджеста SHA256 файла спецификации + .B spec_file + в расширенном атрибуте с именем + .IR security.restorecon_last +@@ -204,7 +204,7 @@ GNU + .sp + Параметр + .B \-I +-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в ++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в + .IR pathname \ ... + , и, при условии, что НЕ установлен параметр + .B \-n +diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 +index bf26e161a71d..36fe6b369548 100644 +--- a/policycoreutils/setfiles/setfiles.8 ++++ b/policycoreutils/setfiles/setfiles.8 +@@ -95,14 +95,14 @@ display usage information and exit. + ignore files that do not exist. + .TP + .B \-I +-ignore digest to force checking of labels even if the stored SHA1 digest +-matches the specfiles SHA1 digest. The digest will then be updated provided ++ignore digest to force checking of labels even if the stored SHA256 digest ++matches the specfiles SHA256 digest. The digest will then be updated provided + there are no errors. See the + .B NOTES + section for further details. + .TP + .B \-D +-Set or update any directory SHA1 digests. Use this option to ++Set or update any directory SHA256 digests. Use this option to + enable usage of the + .IR security.sehash + extended attribute. +@@ -261,7 +261,7 @@ the + .B \-D + option to + .B setfiles +-will cause it to store a SHA1 digest of the ++will cause it to store a SHA256 digest of the + .B spec_file + set in an extended attribute named + .IR security.sehash +@@ -282,7 +282,7 @@ for further details. + .sp + The + .B \-I +-option will ignore the SHA1 digest from each directory specified in ++option will ignore the SHA256 digest from each directory specified in + .IR pathname \ ... + and provided the + .B \-n +-- +2.39.1 + 
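Review bot: In `restorecon_xattr.c` the hunk renames `sha1_buf` to `sha256_buf` and changes the printed label to `specfiles SHA256 digest`, but nothing in this file chooses the hash — `fc_digest`/`fc_digest_len` are whatever libselinux's `selabel_digest(3)` returned (the call itself is outside the hunk), so the label now asserts an algorithm the tool cannot verify and will be wrong on a build linked against a libselinux that still emits a 20-byte SHA-1. Derive the label from what was actually returned, e.g. `printf("specfiles %s digest: %s\n", fc_digest_len == 32 ? "SHA256" : "SHA1", sha256_buf);` (or print the byte length instead of a name), and give the buffer an algorithm-neutral name such as `digest_buf`. The `main()` this sits in starts and ends outside the hunk. Separately, the Russian man pages in the same patch still name the attribute `security.restorecon_last` while the English ones say `security.sehash`; not this commit's doing, but worth a follow-up.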
diff --git a/SOURCES/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/SOURCES/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
new file mode 100644
index 0000000..cf694e9
--- /dev/null
+++ b/SOURCES/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
@@ -0,0 +1,64 @@ +From b9b94a3254905518f00c4746c0bd712921af31cb Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 27 Feb 2017 17:12:39 +0100 +Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and + file_type_is_entrypoint(f) +Content-type: text/plain + +- use direct queries +- load exec_types and entry_types only once +--- + python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py +index 11809dcede43..543fef6c8d13 100755 +--- a/python/sepolicy/sepolicy/manpage.py ++++ b/python/sepolicy/sepolicy/manpage.py +@@ -127,8 +127,24 @@ def gen_domains(): + domains.sort() + return domains + +-types = None + ++exec_types = None ++ ++def _gen_exec_types(): ++ global exec_types ++ if exec_types is None: ++ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"] ++ return exec_types ++ ++entry_types = None ++ ++def _gen_entry_types(): ++ global entry_types ++ if entry_types is None: ++ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] ++ return entry_types ++ ++types = None + + def _gen_types(): + global types +@@ -368,6 +384,8 @@ class ManPage: + self.all_file_types = sepolicy.get_all_file_types() + self.role_allows = sepolicy.get_all_role_allows() + self.types = _gen_types() ++ self.exec_types = _gen_exec_types() ++ self.entry_types = _gen_entry_types() + + if self.source_files: + self.fcpath = self.root + "file_contexts" +@@ -684,7 +702,7 @@ Default Defined Ports:""") + for f in self.all_file_types: + if f.startswith(self.domainname): + flist.append(f) +- if not file_type_is_executable(f) or not file_type_is_entrypoint(f): ++ if f not in self.exec_types or f not in self.entry_types: + flist_non_exec.append(f) + if f in self.fcdict: + mpaths = mpaths + self.fcdict[f]["regex"] +-- +2.39.1 + 
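Review bot: `_gen_exec_types()` and `_gen_entry_types()` call `next()` directly on the generator returned by `sepolicy.info(...)`, so a loaded policy in which the `exec_type` or `entry_type` attribute is absent would presumably surface as a bare `StopIteration` out of `ManPage.__init__` rather than a clear error; a guard such as `info = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"), None)` followed by `exec_types = info["types"] if info else []` would keep the `_file_context` check meaningful on such policies (whether `sepolicy.info` yields nothing for an unknown attribute cannot be confirmed from this hunk). The `["types"]` value also looks like a list, so `f not in self.exec_types` at the bottom of the hunk is a linear scan for every entry of `all_file_types`; wrapping the result in `set(...)` inside the two helpers would keep that loop linear. The same code is carried in the 0011 copy of this patch that the commit removes, so the rebase changes nothing here beyond the hash and offsets. The enclosing `_file_context` method continues outside the hunk.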
diff --git a/SOURCES/0008-sepolicy-generate-Handle-more-reserved-port-types.patch b/SOURCES/0008-sepolicy-generate-Handle-more-reserved-port-types.patch
deleted file mode 100644
index 0e45be3..0000000
--- a/SOURCES/0008-sepolicy-generate-Handle-more-reserved-port-types.patch
+++ /dev/null
@@ -1,72 +0,0 @@ -From d8f51aa7d299383247213b69ec7cbb68c1fa3bc4 Mon Sep 17 00:00:00 2001 -From: Masatake YAMATO -Date: Thu, 14 Dec 2017 15:57:58 +0900 -Subject: [PATCH] sepolicy-generate: Handle more reserved port types -Content-type: text/plain - -Currently only reserved_port_t, port_t and hi_reserved_port_t are -handled as special when making a ports-dictionary. However, as fas as -corenetwork.te.in of serefpolicy, unreserved_port_t and -ephemeral_port_t should be handled in the same way, too. - -(Details) I found the need of this change when I was using -selinux-polgengui. Though tcp port 12345, which my application may -use, was given to the gui, selinux-polgengui generates expected te -file and sh file which didn't utilize the tcp port. - -selinux-polgengui checks whether a port given via gui is already typed -or not. - -If it is already typed, selinux-polgengui generates a te file having -rules to allow the application to use the port. (A) - -If not, it seems for me that selinux-polgengui is designed to generate -a te file having rules to allow the application to own(?) the port; -and a sh file having a command line to assign the application own type -to the port. (B) - -As we can see the output of `semanage port -l' some of ports for -specified purpose have types already. The important point is that the -rest of ports also have types already: - - hi_reserved_port_t tcp 512-1023 - hi_reserved_port_t udp 512-1023 - unreserved_port_t tcp 1024-32767, 61001-65535 - unreserved_port_t udp 1024-32767, 61001-65535 - ephemeral_port_t tcp 32768-61000 - ephemeral_port_t udp 32768-61000 - -As my patch shows, the original selinux-polgengui ignored -hi_reserved_port_t; though hi_reserved_port_t is assigned, -selinux-polgengui considered ports 512-1023 are not used. As the -result selinux-polgengui generates file sets of (B). - -For the purpose of selinux-polgengui, I think unreserved_port_t and -ephemeral_port_t are treated as the same as hi_reserved_port_t. 
- -Signed-off-by: Masatake YAMATO - -Fedora only patch: -https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/ ---- - python/sepolicy/sepolicy/generate.py | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index 43180ca6fda4..d60a08e1d72c 100644 ---- a/python/sepolicy/sepolicy/generate.py -+++ b/python/sepolicy/sepolicy/generate.py -@@ -99,7 +99,9 @@ def get_all_ports(): - for p in sepolicy.info(sepolicy.PORT): - if p['type'] == "reserved_port_t" or \ - p['type'] == "port_t" or \ -- p['type'] == "hi_reserved_port_t": -+ p['type'] == "hi_reserved_port_t" or \ -+ p['type'] == "ephemeral_port_t" or \ -+ p['type'] == "unreserved_port_t": - continue - dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) - return dict --- -2.35.1 - diff --git a/SOURCES/0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/SOURCES/0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch deleted file mode 100644 index e8a52b2..0000000 --- a/SOURCES/0009-sandbox-Use-matchbox-window-manager-instead-of-openb.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 8054dc44cf105b959864a1424fe857fac3ba3d73 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 18 Jul 2018 09:09:35 +0200 -Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox -Content-type: text/plain - ---- - sandbox/sandbox | 4 ++-- - sandbox/sandbox.8 | 2 +- - sandbox/sandboxX.sh | 14 -------------- - 3 files changed, 3 insertions(+), 17 deletions(-) - -diff --git a/sandbox/sandbox b/sandbox/sandbox -index 16c43b51eaaa..7709a6585665 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -268,7 +268,7 @@ class Sandbox: - copyfile(f, "/tmp", self.__tmpdir) - copyfile(f, "/var/tmp", self.__tmpdir) - -- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): -+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): - execfile = self.__homedir + "/.sandboxrc" - fd = open(execfile, "w+") - if self.__options.session: -@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- - - parser.add_option("-W", "--windowmanager", dest="wm", - type="string", -- default="/usr/bin/openbox", -+ default="/usr/bin/matchbox-window-manager", - help=_("alternate window manager")) - - parser.add_option("-l", "--level", dest="level", -diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 -index d83fee76f335..90ef4951c8c2 100644 ---- a/sandbox/sandbox.8 -+++ b/sandbox/sandbox.8 -@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz - \fB\-W\fR \fB\-\-windowmanager\fR - Select alternative window manager to run within - .B sandbox \-X. --Default to /usr/bin/openbox. -+Default to /usr/bin/matchbox-window-manager. 
- .TP - \fB\-X\fR - Create an X based Sandbox for gui apps, temporary files for -diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh -index 4774528027ef..c211ebc14549 100644 ---- a/sandbox/sandboxX.sh -+++ b/sandbox/sandboxX.sh -@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 - [ -z $2 ] && export DPI="96" || export DPI="$2" - trap "exit 0" HUP - --mkdir -p ~/.config/openbox --cat > ~/.config/openbox/rc.xml << EOF -- -- -- -- no -- all -- yes -- -- -- --EOF -- - (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do - export DISPLAY=:$D - cat > ~/seremote << __EOF --- -2.35.1 - diff --git a/SOURCES/0010-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0010-Use-SHA-2-instead-of-SHA-1.patch deleted file mode 100644 index 812028f..0000000 --- a/SOURCES/0010-Use-SHA-2-instead-of-SHA-1.patch +++ /dev/null 
@@ -1,298 +0,0 @@ -From 53d085d8d6edc05886d473e412a8025b7f8d9ce4 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 30 Jul 2021 14:14:37 +0200 -Subject: [PATCH] Use SHA-2 instead of SHA-1 -Content-type: text/plain - -The use of SHA-1 in RHEL9 is deprecated ---- - policycoreutils/setfiles/restorecon.8 | 10 +++++----- - policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++---- - policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------ - policycoreutils/setfiles/ru/restorecon.8 | 8 ++++---- - policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++----- - policycoreutils/setfiles/ru/setfiles.8 | 8 ++++---- - policycoreutils/setfiles/setfiles.8 | 10 +++++----- - 7 files changed, 33 insertions(+), 33 deletions(-) - -diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 -index e07db2c87dc4..dbd55ce7c512 100644 ---- a/policycoreutils/setfiles/restorecon.8 -+++ b/policycoreutils/setfiles/restorecon.8 -@@ -95,14 +95,14 @@ display usage information and exit. - ignore files that do not exist. - .TP - .B \-I --ignore digest to force checking of labels even if the stored SHA1 digest --matches the specfiles SHA1 digest. The digest will then be updated provided -+ignore digest to force checking of labels even if the stored SHA256 digest -+matches the specfiles SHA256 digest. The digest will then be updated provided - there are no errors. See the - .B NOTES - section for further details. - .TP - .B \-D --Set or update any directory SHA1 digests. Use this option to -+Set or update any directory SHA256 digests. Use this option to - enable usage of the - .IR security.sehash - extended attribute. -@@ -200,7 +200,7 @@ the - .B \-D - option to - .B restorecon --will cause it to store a SHA1 digest of the default specfiles set in an extended -+will cause it to store a SHA256 digest of the default specfiles set in an extended - attribute named - .IR security.sehash - on each directory specified in -@@ -217,7 +217,7 @@ for further details. 
- .sp - The - .B \-I --option will ignore the SHA1 digest from each directory specified in -+option will ignore the SHA256 digest from each directory specified in - .IR pathname \ ... - and provided the - .B \-n -diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8 -index e04528e60824..4b1ce304d995 100644 ---- a/policycoreutils/setfiles/restorecon_xattr.8 -+++ b/policycoreutils/setfiles/restorecon_xattr.8 -@@ -23,7 +23,7 @@ or - - .SH "DESCRIPTION" - .B restorecon_xattr --will display the SHA1 digests added to extended attributes -+will display the SHA256 digests added to extended attributes - .I security.sehash - or delete the attribute completely. These attributes are set by - .BR restorecon (8) -@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches. - .sp - By default - .B restorecon_xattr --will display the SHA1 digests with "Match" appended if they match the default -+will display the SHA256 digests with "Match" appended if they match the default - specfile set or the - .I specfile - set used with the - .B \-f --option. Non-matching SHA1 digests will be displayed with "No Match" appended. -+option. Non-matching SHA256 digests will be displayed with "No Match" appended. - This feature can be disabled by the - .B \-n - option. -@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests. - recursively descend directories. - .TP - .B \-v --display SHA1 digest generated by specfile set (Note that this digest is not -+display SHA256 digest generated by specfile set (Note that this digest is not - used to match the - .I security.sehash - directory digest entries, and is shown for reference only). 
-diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c -index 31fb82fd2099..bc22d3fd4560 100644 ---- a/policycoreutils/setfiles/restorecon_xattr.c -+++ b/policycoreutils/setfiles/restorecon_xattr.c -@@ -38,7 +38,7 @@ int main(int argc, char **argv) - unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0; - unsigned int delete_all_digests = 0, ignore_mounts = 0; - bool display_digest = false; -- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL; -+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL; - unsigned char *fc_digest = NULL; - size_t i, fc_digest_len = 0, num_specfiles; - -@@ -133,8 +133,8 @@ int main(int argc, char **argv) - exit(-1); - } - -- sha1_buf = malloc(fc_digest_len * 2 + 1); -- if (!sha1_buf) { -+ sha256_buf = malloc(fc_digest_len * 2 + 1); -+ if (!sha256_buf) { - fprintf(stderr, - "Error allocating digest buffer: %s\n", - strerror(errno)); -@@ -143,16 +143,16 @@ int main(int argc, char **argv) - } - - for (i = 0; i < fc_digest_len; i++) -- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]); -+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]); - -- printf("specfiles SHA1 digest: %s\n", sha1_buf); -+ printf("specfiles SHA256 digest: %s\n", sha256_buf); - - printf("calculated using the following specfile(s):\n"); - if (specfiles) { - for (i = 0; i < num_specfiles; i++) - printf("%s\n", specfiles[i]); - } -- free(sha1_buf); -+ free(sha256_buf); - printf("\n"); - } - -diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8 -index 9be3a63db356..745135020f4b 100644 ---- a/policycoreutils/setfiles/ru/restorecon.8 -+++ b/policycoreutils/setfiles/ru/restorecon.8 -@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас - игнорировать файлы, которые не существуют. 
- .TP - .B \-I --игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе -+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе - .B ПРИМЕЧАНИЯ. - .TP - .B \-D --установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута -+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута - .IR security.restorecon_last. - .TP - .B \-m -@@ -159,7 +159,7 @@ GNU - .B \-D - команды - .B restorecon --обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем -+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем - .IR security.restorecon_last - для каталогов, указанных в соответствующих путях - .IR pathname \ ... -@@ -173,7 +173,7 @@ GNU - .sp - Параметр - .B \-I --позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в -+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в - .IR pathname \ ... 
- , и, при условии, что НЕ установлен параметр - .B \-n -diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8 -index 41c441b8c5c2..25c4c3033334 100644 ---- a/policycoreutils/setfiles/ru/restorecon_xattr.8 -+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8 -@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных - - .SH "ОПИСАНИЕ" - .B restorecon_xattr --покажет дайджесты SHA1, добавленные в расширенные атрибуты -+покажет дайджесты SHA256, добавленные в расширенные атрибуты - .I security.restorecon_last, - или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой - .BR restorecon (8) -@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных - .sp - По умолчанию - .B restorecon_xattr --показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации -+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации - .I specfile, - который установлен с помощью параметра - .B \-f. --Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце. -+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце. - Эту возможность можно отключить с помощью параметра - .B \-n. - -@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных - рекурсивно спускаться по каталогам. - .TP - .B \-v --показать дайджест SHA1, созданный установленным файлом спецификации. -+показать дайджест SHA256, созданный установленным файлом спецификации. - .TP - .B \-e - .I directory -@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных - .BR file_contexts (5). 
- Он будет использоваться - .BR selabel_open (3) --для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью -+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью - .BR selabel_digest (3). - Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию. - -diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8 -index 910101452625..7f2daa09191b 100644 ---- a/policycoreutils/setfiles/ru/setfiles.8 -+++ b/policycoreutils/setfiles/ru/setfiles.8 -@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос - игнорировать файлы, которые не существуют. - .TP - .B \-I --игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе -+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе - .B ПРИМЕЧАНИЯ. - .TP - .B \-D --установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута -+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута - .IR security.restorecon_last. - .TP - .B \-l -@@ -186,7 +186,7 @@ GNU - .B \-D - команды - .B setfiles . 
--Он обеспечивает сохранение дайджеста SHA1 файла спецификации -+Он обеспечивает сохранение дайджеста SHA256 файла спецификации - .B spec_file - в расширенном атрибуте с именем - .IR security.restorecon_last -@@ -204,7 +204,7 @@ GNU - .sp - Параметр - .B \-I --позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в -+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в - .IR pathname \ ... - , и, при условии, что НЕ установлен параметр - .B \-n -diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 -index 19b59a2cc90d..bad9f37a9ac4 100644 ---- a/policycoreutils/setfiles/setfiles.8 -+++ b/policycoreutils/setfiles/setfiles.8 -@@ -87,14 +87,14 @@ display usage information and exit. - ignore files that do not exist. - .TP - .B \-I --ignore digest to force checking of labels even if the stored SHA1 digest --matches the specfiles SHA1 digest. The digest will then be updated provided -+ignore digest to force checking of labels even if the stored SHA256 digest -+matches the specfiles SHA256 digest. The digest will then be updated provided - there are no errors. See the - .B NOTES - section for further details. - .TP - .B \-D --Set or update any directory SHA1 digests. Use this option to -+Set or update any directory SHA256 digests. Use this option to - enable usage of the - .IR security.sehash - extended attribute. -@@ -239,7 +239,7 @@ the - .B \-D - option to - .B setfiles --will cause it to store a SHA1 digest of the -+will cause it to store a SHA256 digest of the - .B spec_file - set in an extended attribute named - .IR security.sehash -@@ -260,7 +260,7 @@ for further details. - .sp - The - .B \-I --option will ignore the SHA1 digest from each directory specified in -+option will ignore the SHA256 digest from each directory specified in - .IR pathname \ ... - and provided the - .B \-n --- -2.35.1 - 
diff --git a/SOURCES/0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch b/SOURCES/0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch
deleted file mode 100644
index c4e1fe1..0000000
--- a/SOURCES/0011-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From 3748b7eab7434698998edfcf613fe738cf19d5c9 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 27 Feb 2017 17:12:39 +0100 -Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and - file_type_is_entrypoint(f) -Content-type: text/plain - -- use direct queries -- load exec_types and entry_types only once ---- - python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++-- - 1 file changed, 20 insertions(+), 2 deletions(-) - -diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py -index 3ae2f42b2fdf..5a434bd360ae 100755 ---- a/python/sepolicy/sepolicy/manpage.py -+++ b/python/sepolicy/sepolicy/manpage.py -@@ -127,8 +127,24 @@ def gen_domains(): - domains.sort() - return domains - --types = None - -+exec_types = None -+ -+def _gen_exec_types(): -+ global exec_types -+ if exec_types is None: -+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"] -+ return exec_types -+ -+entry_types = None -+ -+def _gen_entry_types(): -+ global entry_types -+ if entry_types is None: -+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] -+ return entry_types -+ -+types = None - - def _gen_types(): - global types -@@ -374,6 +390,8 @@ class ManPage: - self.all_file_types = sepolicy.get_all_file_types() - self.role_allows = sepolicy.get_all_role_allows() - self.types = _gen_types() -+ self.exec_types = _gen_exec_types() -+ self.entry_types = _gen_entry_types() - - if self.source_files: - self.fcpath = self.root + "file_contexts" -@@ -691,7 +709,7 @@ Default Defined Ports:""") - for f in self.all_file_types: - if f.startswith(self.domainname): - flist.append(f) -- if not file_type_is_executable(f) or not file_type_is_entrypoint(f): -+ if f not in self.exec_types or f not in self.entry_types: - flist_non_exec.append(f) - if f in self.fcdict: - mpaths = mpaths + self.fcdict[f]["regex"] --- -2.35.1 - 
diff --git a/SOURCES/0012-gettext-handle-unsupported-languages-properly.patch b/SOURCES/0012-gettext-handle-unsupported-languages-properly.patch
deleted file mode 100644
index 9f194b8..0000000
--- a/SOURCES/0012-gettext-handle-unsupported-languages-properly.patch
+++ /dev/null
@@ -1,349 +0,0 @@ -From f62227788b28e3afd2016b47af248f8ecefa8155 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Fri, 24 Jun 2022 16:24:25 +0200 -Subject: [PATCH] gettext: handle unsupported languages properly -Content-type: text/plain - -With "fallback=True" gettext.translation behaves the same as -gettext.install and uses NullTranslations in case the -translation file for given language was not found (as opposed to -throwing an exception). - -Fixes: - # LANG is set to any "unsupported" language, e.g. en_US.UTF-8 - $ chcat --help - Traceback (most recent call last): - File "/usr/bin/chcat", line 39, in - t = gettext.translation(PROGNAME, - File "/usr/lib64/python3.9/gettext.py", line 592, in translation - raise FileNotFoundError(ENOENT, - FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python' - -Signed-off-by: Vit Mojzis -Reviewed-by: Daniel Burgener -Acked-by: Petr Lautrbach ---- - gui/booleansPage.py | 3 ++- - gui/domainsPage.py | 3 ++- - gui/fcontextPage.py | 3 ++- - gui/loginsPage.py | 3 ++- - gui/modulesPage.py | 3 ++- - gui/polgengui.py | 3 ++- - gui/portsPage.py | 3 ++- - gui/semanagePage.py | 3 ++- - gui/statusPage.py | 3 ++- - gui/system-config-selinux.py | 3 ++- - gui/usersPage.py | 3 ++- - python/chcat/chcat | 5 +++-- - python/semanage/semanage | 3 ++- - python/semanage/seobject.py | 3 ++- - python/sepolgen/src/sepolgen/sepolgeni18n.py | 4 +++- - python/sepolicy/sepolicy.py | 3 ++- - python/sepolicy/sepolicy/__init__.py | 3 ++- - python/sepolicy/sepolicy/generate.py | 3 ++- - python/sepolicy/sepolicy/gui.py | 3 ++- - python/sepolicy/sepolicy/interface.py | 3 ++- - sandbox/sandbox | 3 ++- - 21 files changed, 44 insertions(+), 22 deletions(-) - -diff --git a/gui/booleansPage.py b/gui/booleansPage.py -index 5beec58bc360..ad11a9b24c79 100644 ---- a/gui/booleansPage.py -+++ b/gui/booleansPage.py -@@ -46,7 +46,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) 
-+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/domainsPage.py b/gui/domainsPage.py -index e08f34b4d3a9..e6eadd61c1bc 100644 ---- a/gui/domainsPage.py -+++ b/gui/domainsPage.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py -index bac2bec3ebbd..767664f26ec8 100644 ---- a/gui/fcontextPage.py -+++ b/gui/fcontextPage.py -@@ -55,7 +55,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/loginsPage.py b/gui/loginsPage.py -index 18b93d8c9756..7e08232a90b5 100644 ---- a/gui/loginsPage.py -+++ b/gui/loginsPage.py -@@ -37,7 +37,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/modulesPage.py b/gui/modulesPage.py -index c546d455d4cd..02b79f150a13 100644 ---- a/gui/modulesPage.py -+++ b/gui/modulesPage.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/polgengui.py b/gui/polgengui.py -index a18f1cba17b9..7a3ecd50c91c 100644 ---- a/gui/polgengui.py -+++ b/gui/polgengui.py -@@ -71,7 +71,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/portsPage.py b/gui/portsPage.py -index 54aa80ded327..bee2bdf17b99 100644 ---- a/gui/portsPage.py -+++ b/gui/portsPage.py -@@ -43,7 +43,8 @@ try: - kwargs['unicode'] = True - t = 
gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/semanagePage.py b/gui/semanagePage.py -index 1371d4e7dabe..efad14d9b375 100644 ---- a/gui/semanagePage.py -+++ b/gui/semanagePage.py -@@ -30,7 +30,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/statusPage.py b/gui/statusPage.py -index c241ef83dfa0..832849e60d60 100644 ---- a/gui/statusPage.py -+++ b/gui/statusPage.py -@@ -43,7 +43,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py -index 1b460c99363b..9f53b7fe9020 100644 ---- a/gui/system-config-selinux.py -+++ b/gui/system-config-selinux.py -@@ -53,7 +53,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/gui/usersPage.py b/gui/usersPage.py -index d51bd968b77e..9acd3b844056 100644 ---- a/gui/usersPage.py -+++ b/gui/usersPage.py -@@ -37,7 +37,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/chcat/chcat b/python/chcat/chcat -index e779fcc6ebd7..952cb8187599 100755 ---- a/python/chcat/chcat -+++ b/python/chcat/chcat -@@ -38,9 +38,10 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext --except ImportError: -+except: - try: - import builtins - builtins.__dict__['_'] = str -diff --git 
a/python/semanage/semanage b/python/semanage/semanage -index 8f4e44a7a9cd..f45061a601f9 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py -index ff8f4e9c3008..0782c082dc0c 100644 ---- a/python/semanage/seobject.py -+++ b/python/semanage/seobject.py -@@ -42,7 +42,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py -index 56ebd807c69c..1ff307d9b27d 100644 ---- a/python/sepolgen/src/sepolgen/sepolgeni18n.py -+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py -@@ -19,7 +19,9 @@ - - try: - import gettext -- t = gettext.translation( 'selinux-python' ) -+ t = gettext.translation("selinux-python", -+ localedir="/usr/share/locale", -+ fallback=True) - _ = t.gettext - except: - def _(str): -diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py -index 7ebe0efa88a1..c7a70e094b0c 100755 ---- a/python/sepolicy/sepolicy.py -+++ b/python/sepolicy/sepolicy.py -@@ -36,7 +36,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py -index 95520f9bc35d..6bde1971fd7c 100644 ---- a/python/sepolicy/sepolicy/__init__.py -+++ b/python/sepolicy/sepolicy/__init__.py -@@ -31,7 +31,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - 
except: - try: -diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py -index 3e8b9f9c291d..eff3a8973917 100644 ---- a/python/sepolicy/sepolicy/generate.py -+++ b/python/sepolicy/sepolicy/generate.py -@@ -56,7 +56,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py -index b0263740a79f..5bdbfebade1d 100644 ---- a/python/sepolicy/sepolicy/gui.py -+++ b/python/sepolicy/sepolicy/gui.py -@@ -49,7 +49,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py -index 599f97fdc6e7..43f86443f2c8 100644 ---- a/python/sepolicy/sepolicy/interface.py -+++ b/python/sepolicy/sepolicy/interface.py -@@ -38,7 +38,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: -diff --git a/sandbox/sandbox b/sandbox/sandbox -index 3ef444a12561..53cc504149c9 100644 ---- a/sandbox/sandbox -+++ b/sandbox/sandbox -@@ -45,7 +45,8 @@ try: - kwargs['unicode'] = True - t = gettext.translation(PROGNAME, - localedir="/usr/share/locale", -- **kwargs) -+ **kwargs, -+ fallback=True) - _ = t.gettext - except: - try: --- -2.36.1 - diff --git a/SOURCES/0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch b/SOURCES/0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch deleted file mode 100644 index 0db14f7..0000000 --- a/SOURCES/0013-semodule-rename-rebuild-if-modules-changed-to-refres.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From dc99f08e121ee21650a4179e3deaea8c04ae40c9 Mon Sep 17 00:00:00 2001 -From: Ondrej Mosnacek -Date: Wed, 8 Jun 2022 19:09:54 +0200 -Subject: [PATCH] semodule: rename --rebuild-if-modules-changed to --refresh -Content-type: text/plain - -After the last commit this option's name and description no longer -matches the semantic, so give it a new one and update the descriptions. -The old name is still recognized and aliased to the new one for -backwards compatibility. - -Signed-off-by: Ondrej Mosnacek -Acked-by: Nicolas Iooss ---- - policycoreutils/semodule/semodule.8 | 12 ++++++------ - policycoreutils/semodule/semodule.c | 13 ++++++++++--- - 2 files changed, 16 insertions(+), 9 deletions(-) - -diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 -index d1735d216276..c56e580f27b8 100644 ---- a/policycoreutils/semodule/semodule.8 -+++ b/policycoreutils/semodule/semodule.8 -@@ -23,12 +23,12 @@ force a reload of policy - .B \-B, \-\-build - force a rebuild of policy (also reloads unless \-n is used) - .TP --.B \-\-rebuild-if-modules-changed --Force a rebuild of the policy if any changes to module content are detected --(by comparing with checksum from the last transaction). One can use this --instead of \-B to ensure that any changes to the module store done by an --external tool (e.g. a package manager) are applied, while automatically --skipping the rebuild if there are no new changes. -+.B \-\-refresh -+Like \-\-build, but reuses existing linked policy if no changes to module -+files are detected (by comparing with checksum from the last transaction). -+One can use this instead of \-B to ensure that any changes to the module -+store done by an external tool (e.g. a package manager) are applied, while -+automatically skipping the module re-linking if there are no module changes. - .TP - .B \-D, \-\-disable_dontaudit - Temporarily remove dontaudits from policy. 
Reverts whenever policy is rebuilt -diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c -index 1ed8e69054e0..ec0794866daa 100644 ---- a/policycoreutils/semodule/semodule.c -+++ b/policycoreutils/semodule/semodule.c -@@ -150,9 +150,12 @@ static void usage(char *progname) - printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); - printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); - printf(" -m, --checksum print module checksum (SHA256).\n"); -- printf(" --rebuild-if-modules-changed\n" -- " force policy rebuild if module content changed since\n" -- " last rebuild (based on checksum)\n"); -+ printf(" --refresh like --build, but reuses existing linked policy if no\n" -+ " changes to module files are detected (via checksum)\n"); -+ printf("Deprecated options:\n"); -+ printf(" -b,--base same as --install\n"); -+ printf(" --rebuild-if-modules-changed\n" -+ " same as --refresh\n"); - } - - /* Sets the global mode variable to new_mode, but only if no other -@@ -185,6 +188,7 @@ static void parse_command_line(int argc, char **argv) - { - static struct option opts[] = { - {"rebuild-if-modules-changed", 0, NULL, '\0'}, -+ {"refresh", 0, NULL, '\0'}, - {"store", required_argument, NULL, 's'}, - {"base", required_argument, NULL, 'b'}, - {"help", 0, NULL, 'h'}, -@@ -225,6 +229,9 @@ static void parse_command_line(int argc, char **argv) - case '\0': - switch(longind) { - case 0: /* --rebuild-if-modules-changed */ -+ fprintf(stderr, "The --rebuild-if-modules-changed option is deprecated. Use --refresh instead.\n"); -+ /* fallthrough */ -+ case 1: /* --refresh */ - check_ext_changes = 1; - break; - default: --- -2.36.1 - diff --git a/SOURCES/0014-python-Split-semanage-import-into-two-transactions.patch b/SOURCES/0014-python-Split-semanage-import-into-two-transactions.patch deleted file mode 100644 index 6ef58aa..0000000 
--- a/SOURCES/0014-python-Split-semanage-import-into-two-transactions.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 8abaf61849ce9688dddc3b27ef4df3cc23af0109 Mon Sep 17 00:00:00 2001 -From: Vit Mojzis -Date: Mon, 30 May 2022 14:20:21 +0200 -Subject: [PATCH] python: Split "semanage import" into two transactions -Content-type: text/plain - -First transaction applies all deletion operations, so that there are no -collisions when applying the rest of the changes. - -Fixes: - # semanage port -a -t http_cache_port_t -r s0 -p tcp 3024 - # semanage export | semanage import - ValueError: Port tcp/3024 already defined - -Signed-off-by: Vit Mojzis ---- - python/semanage/semanage | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/python/semanage/semanage b/python/semanage/semanage -index f45061a601f9..4e8d64d6863a 100644 ---- a/python/semanage/semanage -+++ b/python/semanage/semanage -@@ -853,10 +853,29 @@ def handleImport(args): - trans = seobject.semanageRecords(args) - trans.start() - -+ deleteCommands = [] -+ commands = [] -+ # separate commands for deletion from the rest so they can be -+ # applied in a separate transaction - for l in sys.stdin.readlines(): - if len(l.strip()) == 0: - continue -+ if "-d" in l or "-D" in l: -+ deleteCommands.append(l) -+ else: -+ commands.append(l) -+ -+ if deleteCommands: -+ importHelper(deleteCommands) -+ trans.finish() -+ trans.start() -+ -+ importHelper(commands) -+ trans.finish() - -+ -+def importHelper(commands): -+ for l in commands: - try: - commandParser = createCommandParser() - args = commandParser.parse_args(mkargv(l)) -@@ -870,8 +889,6 @@ def handleImport(args): - except KeyboardInterrupt: - sys.exit(0) - -- trans.finish() -- - - def setupImportParser(subparsers): - importParser = subparsers.add_parser('import', help=_('Import local customizations')) --- -2.36.1 - diff --git a/SOURCES/selinux-autorelabel-generator.sh b/SOURCES/selinux-autorelabel-generator.sh index be60487..d9380b8 100644 
--- a/SOURCES/selinux-autorelabel-generator.sh +++ b/SOURCES/selinux-autorelabel-generator.sh @@ -18,6 +18,15 @@ fi set_target () { ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target" + AUTORELABEL="1" + source /etc/selinux/config + if [ "$AUTORELABEL" = "0" ]; then + mkdir -p "$earlydir/selinux-autorelabel.service.d" + cat > "$earlydir/selinux-autorelabel.service.d/tty.conf" <= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel -BuildRequires: python3-devel +BuildRequires: python3-devel python3-pip BuildRequires: systemd BuildRequires: git-core Requires: util-linux grep gawk diffutils rpm sed @@ -79,7 +73,7 @@ load_policy to load policies, setfiles to label filesystems, newrole to switch roles. %prep -p /usr/bin/bash -%autosetup -n selinux-%{version} -p 1 +%autosetup -p 1 -n selinux-%{version} cp %{SOURCE13} gui/ tar -xvf %{SOURCE14} -C python/sepolicy/ 
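Review bot: `source /etc/selinux/config` in set_target executes the whole config file as shell code, as root at early boot, when only the AUTORELABEL value is needed; besides running any non-assignment content, an assignment such as `earlydir=` or `unitdir=` in that file would silently redirect where the drop-in below is written. Reading just the key keeps the generator data-only, e.g. `AUTORELABEL=$(sed -n 's/^AUTORELABEL=//p' /etc/selinux/config 2>/dev/null | tail -n1 | tr -d '"')`, which also tolerates a missing or unreadable file instead of `source` printing an error. The `[ "$AUTORELABEL" = "0" ]` test then works unchanged, and the `AUTORELABEL="1"` default line can stay. The heredoc that writes tty.conf is garbled in this view and the hunk's tail is not visible, so the drop-in content itself is not reviewed here.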
@@ -150,27 +144,6 @@ install -m 644 -p %{SOURCE18} %{buildroot}/%{_unitdir}/ install -m 755 -p %{SOURCE19} %{buildroot}/%{generatorsdir}/ install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/ -# change /usr/bin/python to %%{__python3} in policycoreutils-python3 -pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib} - -# change /usr/bin/python to %%{__python3} in policycoreutils-python-utils -pathfix.py -i "%{__python3} -Es" -p \ - %{buildroot}%{_sbindir}/semanage \ - %{buildroot}%{_bindir}/chcat \ - %{buildroot}%{_bindir}/sandbox \ - %{buildroot}%{_datadir}/sandbox/start \ - %{buildroot}%{_bindir}/audit2allow \ - %{buildroot}%{_bindir}/sepolicy \ - %{buildroot}%{_bindir}/sepolgen-ifgen \ - %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \ - %{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \ - %nil - -# clean up ~ files from pathfix - https://bugzilla.redhat.com/show_bug.cgi?id=1546990 -find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} \ - %{buildroot}%{_sbindir} %{buildroot}%{_bindir} %{buildroot}%{_datadir} \ - -type f -name '*~' | xargs rm -f - # Manually invoke the python byte compile macro for each path that needs byte # compilation. %py_byte_compile %{__python3} %{buildroot}%{_datadir}/system-config-selinux @@ -239,6 +212,7 @@ Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux Requires:audit-libs-python3 >= %{libauditver} Requires: checkpolicy Requires: python3-setools >= 4.4.0 +Requires: python3-distro BuildArch: noarch %description -n python3-policycoreutils @@ -430,7 +404,7 @@ system-config-selinux is a utility for managing the SELinux environment %dir %{_datadir}/bash-completion %{_datadir}/bash-completion/completions/setsebool %{!?_licensedir:%global license %%doc} -%license policycoreutils/COPYING +%license policycoreutils/LICENSE %doc %{_usr}/share/doc/%{name} %package restorecond 
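Review bot: Dropping the pathfix.py calls removes the step that rewrote the interpreter line of semanage, sepolicy, audit2allow, sandbox and the other listed scripts to `%{__python3} -Es`, and nothing in this hunk replaces it; unless the 3.5 build now installs those scripts with that interpreter line itself, they keep whatever shebang the sources carry and lose `-E`/`-s` (ignore PYTHON* environment variables and the user site directory), which matters for tools routinely run as root. If upstream handles it, a one-line comment such as `# interpreter lines are set by the upstream install; pathfix.py is no longer needed` would save the next reader the check; otherwise `%py3_shebang_fix` over the same path list, with `py3_shebang_flags` set to `Es`, restores the previous behaviour. The new `python3-pip` BuildRequires in the preceding hunk hints at a build change that may cover this, but that hunk's `@@` header is lost in this view so it cannot be confirmed here.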
@@ -452,7 +426,7 @@ The policycoreutils-restorecond package contains the restorecond service. %{_mandir}/ru/man8/restorecond.8* %{!?_licensedir:%global license %%doc} -%license policycoreutils/COPYING +%license policycoreutils/LICENSE %post %systemd_post selinux-autorelabel-mark.service @@ -470,6 +444,24 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Thu Feb 23 2023 Petr Lautrbach - 3.5-1 +- SELinux userspace 3.5 release + +* Tue Feb 14 2023 Petr Lautrbach - 3.5-0.rc3.1.1 +- SELinux userspace 3.5-rc3 release + +* Wed Feb 8 2023 Petr Lautrbach - 3.5-0.rc2.3 +- Attach tty to selinux-autorelabel.service when AUTORELABEL=0 + +* Thu Jan 26 2023 Vit Mojzis - 3.5-0.rc2.2 +- python/sepolicy: Cache conditional rule queries + +* Tue Jan 17 2023 Petr Lautrbach - 3.5-0.rc2.1 +- SELinux userspace 3.5-rc2 release + +* Mon Jan 2 2023 Petr Lautrbach - 3.5-0.rc1.2 +- SELinux userspace 3.5-rc1 release + * Tue Sep 06 2022 Vit Mojzis - 3.4-4 - Update translations (#2062630) @@ -489,7 +481,7 @@ The policycoreutils-restorecond package contains the restorecond service. * Tue Feb 15 2022 Petr Lautrbach - 3.3-4.2 - semodule: add command-line option to detect module changes -* Tue Feb 22 2022 Petr Lautrbach - 3.3-5 +* Tue Feb 15 2022 Petr Lautrbach - 3.3-5 - Improve error message when selabel_open fails * Mon Feb 14 2022 Petr Lautrbach - 3.3-3