diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9e78a0d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/setools-3.3.8-f1e5b20.tar.bz2
diff --git a/.setools.metadata b/.setools.metadata
new file mode 100644
index 0000000..4ed9316
--- /dev/null
+++ b/.setools.metadata
@@ -0,0 +1 @@
+4b9c3d82dc45170a05d5ebbdb171d81c2f2a87f5 SOURCES/setools-3.3.8-f1e5b20.tar.bz2
diff --git a/SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch b/SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch
new file mode 100644
index 0000000..0725857
--- /dev/null
+++ b/SOURCES/0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch
@@ -0,0 +1,35 @@
+From b00d11c941b689fbf3441e80b318c6a05c6657e4 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Thu, 19 Oct 2017 15:17:21 +0200
+Subject: [PATCH] libqpol: Do not fail on neverallow rule query
+
+Drawing upon the conclusion from:
+
+77bd0f2103e8f02f02ba75dd5fd5ceb263d4f878
+No need to take into account the policy capabilities in sesearch code,
+the lower levels in the library handle it correctly. (fixes Fedora
+bug #526460)
+---
+ libqpol/src/avrule_query.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/libqpol/src/avrule_query.c b/libqpol/src/avrule_query.c
+index 749565b..c2dd010 100644
+--- a/libqpol/src/avrule_query.c
++++ b/libqpol/src/avrule_query.c
+@@ -55,12 +55,6 @@ int qpol_policy_get_avrule_iter(const qpol_policy_t * policy, uint32_t rule_type
+ }
+ #endif
+
+- if ((rule_type_mask & QPOL_RULE_NEVERALLOW) && !qpol_policy_has_capability(policy, QPOL_CAP_NEVERALLOW)) {
+- ERR(policy, "%s", "Cannot get avrules: Neverallow rules requested but not available");
+- errno = ENOTSUP;
+- return STATUS_ERR;
+- }
+-
+ db = &policy->p->p;
+
+ state = calloc(1, sizeof(avtab_state_t));
+--
+2.9.4
+
diff --git a/SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch b/SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch
new file mode 100644
index 0000000..882a127
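Review bot: A neverallow query on a policy that lacks the neverallow capability can no longer be told apart from a query that simply matched nothing, because the `QPOL_CAP_NEVERALLOW` guard in `qpol_policy_get_avrule_iter` was the only place that reported `ENOTSUP`. For an audit tool that distinction matters: an empty result is easily read as "no neverallow rules were written". If the lower layers do handle the capability, as the commit message says, a comment at the removed check would record that, e.g. `/* neverallow rules may be absent from this policy; an empty iterator does not mean none were written */`, and the command-line front end could warn when the capability is missing. The function continues outside the hunk, so what the iterator yields in that case is inferred rather than visible here.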
--- /dev/null
+++ b/SOURCES/0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch
@@ -0,0 +1,34 @@
+From 0332c009bd0581ab9a75a4ea80af92bb2d6b8b1f Mon Sep 17 00:00:00 2001
+From: Dan Walsh
+Date: Tue, 20 Sep 2011 15:46:38 -0400
+Subject: [PATCH 02/11] Fix sepol calls to work with latest libsepol
+
+---
+ configure.ac | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 577ce48..2a5b55b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -521,7 +521,7 @@ else
+ [AC_LANG_SOURCE([
+ #include
+ int main () {
+- return role_set_expand(NULL, NULL, NULL, NULL);
++ return role_set_expand(NULL, NULL, NULL, NULL, NULL);
+ }])],
+ sepol_new_user_role_mapping="yes",
+ sepol_new_user_role_mapping="no")
+@@ -578,7 +578,7 @@ if test ${sepol_check_boolmap} = "yes"; then
+ [AC_LANG_SOURCE([
+ #include
+ int main () {
+- return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
++ return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
+ }])],
+ AC_MSG_RESULT([yes]),
+ AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
+--
+1.8.5.3
+
diff --git a/SOURCES/0004-Apply-selinux_current_policy_path-patch.patch b/SOURCES/0004-Apply-selinux_current_policy_path-patch.patch
new file mode 100644
index 0000000..14cdbb6
--- /dev/null
+++ b/SOURCES/0004-Apply-selinux_current_policy_path-patch.patch
@@ -0,0 +1,97 @@
+From 85a12d481d664120865b46cd1c4c325307179471 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Fri, 11 Apr 2014 10:53:54 +0200
+Subject: [PATCH 04/11] Apply selinux_current_policy_path patch
+
+---
+ libqpol/src/util.c | 73 ++++------------------------------------------------------
+ 1 file changed, 5 insertions(+), 68 deletions(-)
+
+diff --git a/libqpol/src/util.c b/libqpol/src/util.c
+index 7c49876..8f74b2b 100644
+--- a/libqpol/src/util.c
++++ b/libqpol/src/util.c
+@@ -84,75 +84,12 @@ static int get_binpol_version(const char *policy_fname)
+
+ static int search_policy_binary_file(char **path)
+ {
+- const char *binary_path;
+- if ((binary_path = selinux_binary_policy_path()) == NULL) {
+- return -1;
+- }
+-
+- int expected_version = -1, latest_version = -1;
+-#ifdef LIBSELINUX
+- /* if the system has SELinux enabled, prefer the policy whose
+- name matches the current policy version */
+- if ((expected_version = security_policyvers()) < 0) {
+- return -1;
+- }
+-#endif
+-
+- glob_t glob_buf;
+- struct stat fs;
+- int rt, error = 0, retval = -1;
+- size_t i;
+- char *pattern = NULL;
+- if (asprintf(&pattern, "%s.*", binary_path) < 0) {
+- return -1;
+- }
+- glob_buf.gl_offs = 1;
+- glob_buf.gl_pathc = 0;
+- rt = glob(pattern, GLOB_DOOFFS, NULL, &glob_buf);
+- if (rt != 0 && rt != GLOB_NOMATCH) {
+- errno = EIO;
+- return -1;
+- }
+-
+- for (i = 0; i < glob_buf.gl_pathc; i++) {
+- char *p = glob_buf.gl_pathv[i + glob_buf.gl_offs];
+- if (stat(p, &fs) != 0) {
+- error = errno;
+- goto cleanup;
+- }
+- if (S_ISDIR(fs.st_mode))
+- continue;
+-
+- if ((rt = get_binpol_version(p)) < 0) {
+- error = errno;
+- goto cleanup;
+- }
+-
+- if (rt > latest_version || rt == expected_version) {
+- free(*path);
+- if ((*path = strdup(p)) == NULL) {
+- error = errno;
+- goto cleanup;
+- }
+- if (rt == expected_version) {
+- break;
+- }
+- latest_version = rt;
+- }
+- }
+-
+- if (*path == NULL) {
+- retval = 1;
+- } else {
+- retval = 0;
+- }
+- cleanup:
+- free(pattern);
+- globfree(&glob_buf);
+- if (retval == -1) {
+- errno = error;
++ const char *binary_path = selinux_current_policy_path();
++ if (binary_path) {
++ *path = strdup(binary_path);
++ if (*path) return 0;
+ }
+- return retval;
++ return -1;
+ }
+
+ int qpol_default_policy_find(char **path)
+--
+1.8.5.3
+
diff --git a/SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch b/SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch
new file mode 100644
index 0000000..29e5a0c
--- /dev/null
+++ b/SOURCES/0005-Apply-seaudit-patch-for-progress.c.patch
@@ -0,0 +1,24 @@
+From ba8e76cd514e8ce92a48931963e97fe79589a71a Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Fri, 11 Apr 2014 11:12:37 +0200
+Subject: [PATCH 05/11] Apply seaudit patch for progress.c
+
+---
+ libqpol/swig/java/Makefile.am | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/libqpol/swig/java/Makefile.am b/libqpol/swig/java/Makefile.am
+index a25eacb..533b55a 100644
+--- a/libqpol/swig/java/Makefile.am
++++ b/libqpol/swig/java/Makefile.am
+@@ -48,7 +48,6 @@ BUILT_SOURCES = qpol_wrap.c \
+ qpol_type_t.java \
+ qpol_user_t.java \
+ qpol_validatetrans_t.java \
+- SWIGTYPE_p_int.java \
+ SWIGTYPE_p_unsigned_int.java \
+ SWIGTYPE_p_void.java
+
+--
+1.8.5.3
+
diff --git a/SOURCES/0006-Add-support-for-boolean-subs.patch b/SOURCES/0006-Add-support-for-boolean-subs.patch
new file mode 100644
index 0000000..a495755
--- /dev/null
+++ b/SOURCES/0006-Add-support-for-boolean-subs.patch
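Review bot: The rewritten `search_policy_binary_file` changes its return contract: the removed code returned 1 when no policy file was found and -1 with `errno` set on error, while the new body returns -1 for every failure and sets no `errno` of its own when `selinux_current_policy_path()` returns NULL. It also assigns `*path` without the `free(*path)` the old loop performed, so a non-NULL `*path` on entry would leak. Unless `qpol_default_policy_find`, whose body is outside the hunk, is known to depend on neither, keep the old contract with `if (!binary_path) return 1;` for the not-found case and `free(*path);` before the `strdup`. `get_binpol_version` may also be left without a caller after this change.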
@@ -0,0 +1,39 @@
+From 61d3d40e791a4ac392930f11785e4057f67a5b09 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Fri, 11 Apr 2014 11:14:50 +0200
+Subject: [PATCH 06/11] Add support for boolean subs
+
+---
+ secmds/seinfo.c | 2 +-
+ secmds/sesearch.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/secmds/seinfo.c b/secmds/seinfo.c
+index a970890..54b2a6a 100644
+--- a/secmds/seinfo.c
++++ b/secmds/seinfo.c
+@@ -1720,7 +1720,7 @@ int main(int argc, char **argv)
+ case 'b': /* conditional booleans */
+ bools = 1;
+ if (optarg != 0)
+- bool_name = optarg;
++ bool_name = selinux_boolean_sub(optarg);
+ break;
+ case OPT_INITIALSID:
+ isids = 1;
+diff --git a/secmds/sesearch.c b/secmds/sesearch.c
+index 387d526..e1436a7 100644
+--- a/secmds/sesearch.c
++++ b/secmds/sesearch.c
+@@ -1067,7 +1067,7 @@ int main(int argc, char **argv)
+ printf("Missing boolean for -b (--bool)\n");
+ exit(1);
+ }
+- cmd_opts.bool_name = strdup(optarg);
++ cmd_opts.bool_name = strdup(selinux_boolean_sub(optarg));
+ if (!cmd_opts.bool_name) {
+ fprintf(stderr, "%s\n", strerror(errno));
+ exit(1);
+--
+1.8.5.3
+
diff --git a/SOURCES/0007-Setools-noship.patch b/SOURCES/0007-Setools-noship.patch
new file mode 100644
index 0000000..eacd508
--- /dev/null
+++ b/SOURCES/0007-Setools-noship.patch
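Review bot: In `sesearch.c` the new line `cmd_opts.bool_name = strdup(selinux_boolean_sub(optarg));` copies a string that libselinux already returns in allocated memory, so the intermediate buffer is leaked, and a NULL return from `selinux_boolean_sub` is passed straight to `strdup`. The result can be stored directly, `cmd_opts.bool_name = selinux_boolean_sub(optarg);`, and the existing `if (!cmd_opts.bool_name)` check then covers the failure. In `seinfo.c` the same call has no NULL check at all; whether a NULL `bool_name` then silently widens the query to every boolean depends on code outside the hunk, so a check belongs there too. Both `main` functions start and end outside the hunk.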
@@ -0,0 +1,207 @@ +From a39d0831d654292fb2a1f7b9ee18ecc9239f610f Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 18:38:34 +0200 +Subject: [PATCH 07/11] Setools noship + +--- + Makefile.am | 26 +++----------------------- + configure.ac | 2 +- + man/Makefile.am | 15 +++------------ + seaudit/Makefile.am | 31 +++---------------------------- + secmds/Makefile.am | 14 +------------- + sediff/Makefile.am | 32 ++------------------------------ + 6 files changed, 13 insertions(+), 107 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 176c8ea..4cac386 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -78,9 +70,9 @@ install-logwatch: + $(MAKE) -C $(top_srcdir)/seaudit install-logwatch + + .PHONY: libqpol libapol libpoldiff libsefs libseaudit \ +- apol secmds seaudit sediff sediffx sechecker \ ++ apol secmds seaudit sediff sechecker\ + install-logwatch help \ +- seinfo sesearch indexcon findcon replcon searchcon \ ++ seinfo sesearch findcon \ + packages + + seinfo: libqpol libapol +diff --git a/configure.ac b/configure.ac +index 2a5b55b..5b1da5e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -63,7 +63,7 @@ if test ${ac_cv_prog_cc_c99} = "no"; then + fi + AC_PROG_CXX + AC_LANG([C]) +-AC_PROG_LIBTOOL ++AC_PROG_RANLIB + AC_PROG_LN_S + AC_PROG_LEX + AC_PROG_YACC +diff --git a/man/Makefile.am b/man/Makefile.am +index 0fafccb..f88e00a 100644 +--- a/man/Makefile.am ++++ b/man/Makefile.am +@@ -1,19 +1,10 @@ + if BUILD_GUI + MAYBEMANS = apol.1 \ +- seaudit.8 seaudit-report.8 \ +- sediffx.1 ++ seaudit.8 + endif + + EXTRA_DIST=$(man_MANS) apol.1 \ +- seaudit.8 seaudit-report.8.in \ +- sediffx.1 ++ seaudit.8 + +-man_MANS = findcon.1 indexcon.1 replcon.1 \ +- sechecker.1 \ +- sediff.1 \ ++man_MANS = findcon.1 sediff.1 sechecker.1 \ + seinfo.1 sesearch.1 $(MAYBEMANS) +- +-seaudit-report.8: seaudit-report.8.in Makefile +- sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@ +- +-CLEANFILES = seaudit-report.8 +diff --git a/seaudit/Makefile.am 
b/seaudit/Makefile.am +index 1987c99..3fa4413 100644 +--- a/seaudit/Makefile.am ++++ b/seaudit/Makefile.am +@@ -1,5 +1,4 @@ + setoolsdir = @setoolsdir@ +-bin_PROGRAMS = seaudit-report + sbin_PROGRAMS = seaudit + + AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \ +@@ -20,13 +19,10 @@ LDADD = @SELINUX_LIB_FLAG@ @SEAUDIT_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@ + dist_setools_DATA = \ + seaudit.glade \ + seaudit_help.txt \ +- seaudit-report.conf \ +- seaudit-report.css \ + seaudit.png seaudit-small.png + + nodist_setools_DATA = \ +- dot_seaudit \ +- seaudit-report-service ++ dot_seaudit + + seaudit_SOURCES = \ + filter_view.c filter_view.h \ +@@ -50,31 +46,12 @@ seaudit_DEPENDENCIES = $(top_builddir)/libseaudit/src/libseaudit.so \ + dot_seaudit: dot_seaudit.in Makefile + sed -e 's|\@setoolsdir\@|$(setoolsdir)|g' $< > $@ + +-seaudit_report_SOURCES = seaudit-report.c +-seaudit_report_DEPENDENCIES = $(top_builddir)/libseaudit/src/libseaudit.so \ +- $(top_builddir)/libapol/src/libapol.so \ +- $(top_builddir)/libqpol/src/libqpol.so +- + logwatch = $(DESTDIR)/etc/logwatch + LOGWATCH_GROUP = $(logwatch)/conf/logfiles + LOGWATCH_SERVICE = $(logwatch)/conf/services + LOGWATCH_FILTER = $(logwatch)/scripts/services + +-dist_noinst_DATA = dot_seaudit.in \ +- seaudit-report-group.conf \ +- seaudit-report-service.conf \ +- seaudit-report-service.in +- +-seaudit-report-service: seaudit-report-service.in Makefile +- sed -e 's|\@bindir\@|$(bindir)|g' $< > $@ +- +-install-logwatch: $(dist_noinst_DATA) seaudit-report-service +- mkdir -p -- $(LOGWATCH_GROUP) +- install -m 644 seaudit-report-group.conf $(LOGWATCH_GROUP) +- mkdir -p -- $(LOGWATCH_SERVICE) +- install -m 644 seaudit-report-service.conf $(LOGWATCH_SERVICE) +- mkdir -p -- $(LOGWATCH_FILTER) +- install -m 755 seaudit-report-service $(LOGWATCH_FILTER) ++dist_noinst_DATA = dot_seaudit.in + + $(top_builddir)/libapol/src/libapol.so: + $(MAKE) -C $(top_builddir)/libapol/src $(notdir $@) +@@ -85,6 +62,4 @@ 
$(top_builddir)/libqpol/src/libqpol.so: + $(top_builddir)/libsefs/src/libsefs.so: + $(MAKE) -C $(top_builddir)/libsefs/src $(notdir $@) + +-.PHONY: install-logwatch +- +-CLEANFILES = dot_seaudit seaudit-report-service ++CLEANFILES = dot_seaudit +diff --git a/secmds/Makefile.am b/secmds/Makefile.am +index ddc88b1..7fa4364 100644 +--- a/secmds/Makefile.am ++++ b/secmds/Makefile.am +@@ -1,6 +1,6 @@ + # various setools command line tools + +-bin_PROGRAMS = seinfo sesearch findcon replcon indexcon ++bin_PROGRAMS = seinfo sesearch findcon + + # These are for indexcon so that it is usable on machines without setools + STATICLIBS = ../libsefs/src/libsefs.a ../libapol/src/libapol.a ../libqpol/src/libqpol.a -lsqlite3 +diff --git a/sediff/Makefile.am b/sediff/Makefile.am +index 3f53cd3..2d9ce84 100644 +--- a/sediff/Makefile.am ++++ b/sediff/Makefile.am +@@ -1,13 +1,6 @@ + setoolsdir = @setoolsdir@ + +-dist_setools_DATA = sediff_help.txt sediffx.glade \ +- sediffx.png sediffx-small.png +- +-if BUILD_GUI +- MAYBE_SEDIFFX = sediffx +-endif +- +-bin_PROGRAMS = sediff $(MAYBE_SEDIFFX) ++bin_PROGRAMS = sediff + + AM_CFLAGS = @DEBUGCFLAGS@ @WARNCFLAGS@ @PROFILECFLAGS@ @SELINUX_CFLAGS@ \ + @QPOL_CFLAGS@ @APOL_CFLAGS@ @POLDIFF_CFLAGS@ +@@ -15,14 +8,7 @@ AM_LDFLAGS = @DEBUGLDFLAGS@ @WARNLDFLAGS@ @PROFILELDFLAGS@ + + LDADD = @SELINUX_LIB_FLAG@ @POLDIFF_LIB_FLAG@ @APOL_LIB_FLAG@ @QPOL_LIB_FLAG@ + +-sediff_CFLAGS = $(AM_CFLAGS) +-sediffx_CFLAGS = $(AM_CFLAGS) \ +- @GTK_CFLAGS@ @PIXBUF_CFLAGS@ @GLADE_CFLAGS@ @GTHREAD_CFLAGS@ +- +-# need the -rdynamic flag below - glade uses dlopen() upon sediffx callbacks +-sediffx_LDFLAGS = $(AM_LDFLAGS) \ +- @GTK_LIBS@ @PIXBUF_LIBS@ @GLADE_LIBS@ @GTHREAD_LIBS@ @XML_LIBS@ \ +- -rdynamic ++sediff_CFLAGS = $(AM_CFLAGS) + + DEPENDENCIES = $(top_builddir)/libpoldiff/src/libpoldiff.so \ + $(top_builddir)/libapol/src/libapol.so \ +@@ -30,20 +16,6 @@ DEPENDENCIES = $(top_builddir)/libpoldiff/src/libpoldiff.so \ + + sediff_SOURCES = sediff.c + +-sediffx_SOURCES = 
\ +- find_dialog.c find_dialog.h \ +- open_policies_dialog.c open_policies_dialog.h \ +- policy_view.c policy_view.h \ +- progress.c progress.h \ +- remap_types_dialog.c remap_types_dialog.h \ +- result_item.c result_item.h \ +- result_item_render.c result_item_render.h \ +- results.c results.h \ +- select_diff_dialog.c select_diff_dialog.h \ +- toplevel.c toplevel.h \ +- utilgui.c utilgui.h \ +- sediffx.c sediffx.h +- + $(top_builddir)/libpoldiff/src/libpoldiff.so: + $(MAKE) -C $(top_builddir)/libpoldiff/src $(notdir $@) + +-- +1.8.5.3 + diff --git a/SOURCES/0008-Add-alias-support-to-seinfo-t.patch b/SOURCES/0008-Add-alias-support-to-seinfo-t.patch new file mode 100644 index 0000000..32d901a --- /dev/null +++ b/SOURCES/0008-Add-alias-support-to-seinfo-t.patch 
@@ -0,0 +1,92 @@
+From 1136e61a9839ad3b60eb2da4d624413c02545c7d Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Fri, 11 Apr 2014 18:42:27 +0200
+Subject: [PATCH 08/11] Add alias support to seinfo -t
+
+---
+ secmds/seinfo.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/secmds/seinfo.c b/secmds/seinfo.c
+index 54b2a6a..1878c49 100644
+--- a/secmds/seinfo.c
++++ b/secmds/seinfo.c
+@@ -46,6 +46,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC"
+
+@@ -54,6 +55,7 @@
+
+ static char *policy_file = NULL;
+
++static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb);
+ static int print_type_attrs(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand);
+ static int print_attr_types(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb, const int expand);
+ static int print_user_roles(FILE * fp, const qpol_user_t * user_datum, const apol_policy_t * policydb, const int expand);
+@@ -514,6 +516,7 @@ static int print_types(FILE * fp, const char *name, int expand, const apol_polic
+ goto cleanup;
+ if (print_type_attrs(fp, type_datum, policydb, expand))
+ goto cleanup;
++ print_type_aliases(fp, type_datum, policydb);
+ } else {
+ if (qpol_policy_get_type_iter(q, &iter))
+ goto cleanup;
+@@ -1912,6 +1915,51 @@ int main(int argc, char **argv)
+ }
+
+ /**
++ * Prints the alias of a type.
++ *
++ * @param fp Reference to a file to which to print type information
++ * @param type_datum Reference to sepol type_datum
++ * @param policydb Reference to a policy
++ * attributes
++ */
++static void print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb)
++{
++ qpol_iterator_t *iter = NULL;
++ size_t alias_size;
++ unsigned char isattr, isalias;
++ const char *type_name = NULL;
++ const char *alias_name;
++ qpol_policy_t *q = apol_policy_get_qpol(policydb);
++
++ if (qpol_type_get_name(q, type_datum, &type_name))
++ goto cleanup;
++ if (qpol_type_get_isattr(q, type_datum, &isattr))
++ goto cleanup;
++ if (qpol_type_get_isalias(q, type_datum, &isalias))
++ goto cleanup;
++
++ if (isalias) {
++ fprintf(fp, " TypeName %s\n", type_name);
++ }
++ if (qpol_type_get_alias_iter(q, type_datum, &iter))
++ goto cleanup;
++ if (qpol_iterator_get_size(iter, &alias_size))
++ goto cleanup;
++ if (alias_size > 0) {
++ fprintf(fp, " Aliases\n");
++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
++ if (qpol_iterator_get_item(iter, (void **)&alias_name))
++ goto cleanup;
++ fprintf(fp, " %s\n", alias_name);
++ }
++ }
++
++ cleanup:
++ qpol_iterator_destroy(&iter);
++ return;
++}
++
++/**
+ * Prints a textual representation of a type, and possibly
+ * all of that type's attributes.
+ *
+--
+1.8.5.3
+
diff --git a/SOURCES/0009-Fix-help-message-on-sesearch-D.patch b/SOURCES/0009-Fix-help-message-on-sesearch-D.patch
new file mode 100644
index 0000000..e90eba4
--- /dev/null
+++ b/SOURCES/0009-Fix-help-message-on-sesearch-D.patch
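Review bot: `print_type_aliases` swallows every libqpol failure: each failed call jumps to `cleanup` and the function returns `void`, so `print_types` cannot stop on an error the way it does for the `print_type_attrs` call just above the new line. Returning `int` like the sibling printers and calling it as `if (print_type_aliases(fp, type_datum, policydb)) goto cleanup;` keeps the error handling consistent; the prototype near the top of the file changes with it. Two smaller points in the same function: `isattr` is fetched but never used, and the doc comment carries a stray ` * attributes` line.

```c
static int print_type_aliases(FILE * fp, const qpol_type_t * type_datum, const apol_policy_t * policydb)
{
    int retval = -1;
    /* … unchanged: declarations and the qpol_* lookups, each still `goto cleanup` on failure … */

    retval = 0;
  cleanup:
    qpol_iterator_destroy(&iter);
    return retval;
}
```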
@@ -0,0 +1,258 @@ +From bbe9f57845101d07eef31a772946437b3245c7d5 Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 18:46:24 +0200 +Subject: [PATCH 09/11] Fix help message on sesearch -D + +--- + man/sesearch.1 | 2 +- + secmds/sesearch.c | 77 +++++++++++++++++-------------------------------------- + 2 files changed, 25 insertions(+), 54 deletions(-) + +diff --git a/man/sesearch.1 b/man/sesearch.1 +index 573aedd..dc119eb 100644 +--- a/man/sesearch.1 ++++ b/man/sesearch.1 +@@ -43,7 +43,7 @@ Search for allow rules. + Search for neverallow rules. + .IP "--auditallow" + Search for auditallow rules. +-.IP "--dontaudit" ++.IP "-D, --dontaudit" + Search for dontaudit rules. + .IP "-T, --type" + Search for type_transition, type_member, and type_change rules. +diff --git a/secmds/sesearch.c b/secmds/sesearch.c +index e1436a7..f53d670 100644 +--- a/secmds/sesearch.c ++++ b/secmds/sesearch.c +@@ -24,6 +24,7 @@ + */ + + #include ++#include + + /* libapol */ + #include +@@ -61,9 +62,8 @@ enum opt_values + static struct option const longopts[] = { + {"allow", no_argument, NULL, 'A'}, + {"neverallow", no_argument, NULL, RULE_NEVERALLOW}, +- {"audit", no_argument, NULL, RULE_AUDIT}, + {"auditallow", no_argument, NULL, RULE_AUDITALLOW}, +- {"dontaudit", no_argument, NULL, RULE_DONTAUDIT}, ++ {"dontaudit", no_argument, NULL, 'D'}, + {"type", no_argument, NULL, 'T'}, + {"role_allow", no_argument, NULL, RULE_ROLE_ALLOW}, + {"role_trans", no_argument, NULL, RULE_ROLE_TRANS}, +@@ -72,7 +72,6 @@ static struct option const longopts[] = { + + {"source", required_argument, NULL, 's'}, + {"target", required_argument, NULL, 't'}, +- {"default", required_argument, NULL, 'D'}, + {"role_source", required_argument, NULL, EXPR_ROLE_SOURCE}, + {"role_target", required_argument, NULL, EXPR_ROLE_TARGET}, + {"class", required_argument, NULL, 'c'}, +@@ -129,7 +128,7 @@ void usage(const char *program_name, int brief) + printf(" -A, --allow allow rules\n"); + printf(" --neverallow 
neverallow rules\n"); + printf(" --auditallow auditallow rules\n"); +- printf(" --dontaudit dontaudit rules\n"); ++ printf(" -D, --dontaudit dontaudit rules\n"); + printf(" -T, --type type_trans, type_member, and type_change\n"); + printf(" --role_allow role allow rules\n"); + printf(" --role_trans role_transition rules\n"); +@@ -138,7 +137,6 @@ void usage(const char *program_name, int brief) + printf("EXPRESSIONS:\n"); + printf(" -s NAME, --source=NAME rules with type/attribute NAME as source\n"); + printf(" -t NAME, --target=NAME rules with type/attribute NAME as target\n"); +- printf(" -D NAME, --default=NAME rules with type NAME as default\n"); + printf(" --role_source=NAME rules with role NAME as source\n"); + printf(" --role_target=NAME rules with role NAME as target\n"); + printf(" -c NAME, --class=NAME rules with class NAME as the object class\n"); +@@ -296,10 +294,8 @@ static void print_syn_av_results(const apol_policy_t * policy, const options_t * + tmp = apol_cond_expr_render(policy, cond); + enable_char = (enabled ? 'E' : 'D'); + branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +@@ -362,10 +358,8 @@ static void print_av_results(const apol_policy_t * policy, const options_t * opt + qpol_iterator_destroy(&iter); + enable_char = (enabled ? 'E' : 'D'); + branch_char = (list ? 
'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +@@ -421,8 +415,6 @@ static int perform_te_query(const apol_policy_t * policy, const options_t * opt, + apol_terule_query_set_target(policy, teq, opt->tgt_name, opt->indirect); + if (opt->bool_name) + apol_terule_query_set_bool(policy, teq, opt->bool_name); +- if (opt->default_name) +- apol_terule_query_set_default(policy, teq, opt->default_name); + if (opt->class_name) { + if (opt->class_vector == NULL) { + if (apol_terule_query_append_class(policy, teq, opt->class_name)) { +@@ -499,14 +491,12 @@ static void print_syn_te_results(const apol_policy_t * policy, const options_t * + tmp = apol_cond_expr_render(policy, cond); + enable_char = (enabled ? 'E' : 'D'); + branch_char = ((is_true && enabled) || (!is_true && !enabled) ? 'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +- goto cleanup; ++ break; + } + } + if (!(rule_str = apol_syn_terule_render(policy, rule))) +@@ -567,10 +557,8 @@ static void print_te_results(const apol_policy_t * policy, const options_t * opt + qpol_iterator_destroy(&iter); + enable_char = (enabled ? 'E' : 'D'); + branch_char = (list ? 
'T' : 'F'); +- if (asprintf(&expr, "[ %s ]", tmp) < 0) { +- expr = NULL; ++ if (asprintf(&expr, "[ %s ]", tmp) < 0) + goto cleanup; +- } + free(tmp); + tmp = NULL; + if (!expr) +@@ -629,7 +617,6 @@ static int perform_ft_query(const apol_policy_t * policy, const options_t * opt, + goto err; + } + } +- + if (opt->default_name) { + if (apol_filename_trans_query_set_default(policy, ftq, opt->default_name)) { + error = errno; +@@ -677,13 +664,12 @@ static void print_ft_results(const apol_policy_t * policy, const options_t * opt + { + size_t i, num_filename_trans = 0; + const qpol_filename_trans_t *filename_trans = NULL; +- char *filename_trans_str = NULL; +- qpol_iterator_t *iter = NULL; ++ char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL; + + if (!(num_filename_trans = apol_vector_get_size(v))) + goto cleanup; + +- fprintf(stdout, "Found %zd named file transition rules:\n", num_filename_trans); ++ fprintf(stdout, "Found %zd named file transition filename_trans:\n", num_filename_trans); + + for (i = 0; i < num_filename_trans; i++) { + if (!(filename_trans = apol_vector_get_element(v, i))) +@@ -691,13 +677,17 @@ static void print_ft_results(const apol_policy_t * policy, const options_t * opt + + if (!(filename_trans_str = apol_filename_trans_render(policy, filename_trans))) + goto cleanup; +- fprintf(stdout, "%s\n", filename_trans_str); ++ fprintf(stdout, "%s %s\n", filename_trans_str, expr ? 
expr : ""); + free(filename_trans_str); + filename_trans_str = NULL; ++ free(expr); ++ expr = NULL; + } + + cleanup: ++ free(tmp); + free(filename_trans_str); ++ free(expr); + } + + static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v) +@@ -814,13 +804,6 @@ static int perform_rt_query(const apol_policy_t * policy, const options_t * opt, + } + } + +- if (opt->default_name) { +- if (apol_role_trans_query_set_default(policy, rtq, opt->default_name)) { +- error = errno; +- goto err; +- } +- } +- + if (apol_role_trans_get_by_query(policy, rtq, v)) { + error = errno; + goto err; +@@ -973,7 +956,7 @@ int main(int argc, char **argv) + + memset(&cmd_opts, 0, sizeof(cmd_opts)); + cmd_opts.indirect = true; +- while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dD:RnSChV", longopts, NULL)) != -1) { ++ while ((optc = getopt_long(argc, argv, "ATs:t:c:p:b:dDRnSChV", longopts, NULL)) != -1) { + switch (optc) { + case 0: + break; +@@ -1001,18 +984,6 @@ int main(int argc, char **argv) + exit(1); + } + break; +- case 'D': /* default */ +- if (optarg == 0) { +- usage(argv[0], 1); +- printf("Missing default type for -D (--default)\n"); +- exit(1); +- } +- cmd_opts.default_name = strdup(optarg); +- if (!cmd_opts.default_name) { +- +- exit(1); +- } +- break; + case EXPR_ROLE_SOURCE: + if (optarg == 0) { + usage(argv[0], 1); +@@ -1093,7 +1064,7 @@ int main(int argc, char **argv) + case RULE_AUDITALLOW: + cmd_opts.auditallow = true; + break; +- case RULE_DONTAUDIT: ++ case 'D': + cmd_opts.dontaudit = true; + break; + case 'T': /* type */ +@@ -1273,12 +1244,13 @@ int main(int argc, char **argv) + fprintf(stdout, "\n"); + } + +- apol_vector_destroy(&v); +- if (perform_ft_query(policy, &cmd_opts, &v)) { +- rt = 1; +- goto cleanup; +- } +- if (v) { ++ if (cmd_opts.all || cmd_opts.type) { ++ apol_vector_destroy(&v); ++ if (perform_ft_query(policy, &cmd_opts, &v)) { ++ rt = 1; ++ goto cleanup; ++ } ++ + print_ft_results(policy, &cmd_opts, v); + 
fprintf(stdout, "\n"); + } +@@ -1317,7 +1289,6 @@ int main(int argc, char **argv) + apol_policy_path_destroy(&pol_path); + free(cmd_opts.src_name); + free(cmd_opts.tgt_name); +- free(cmd_opts.default_name); + free(cmd_opts.class_name); + free(cmd_opts.permlist); + free(cmd_opts.bool_name); +-- +1.8.5.3 + diff --git a/SOURCES/0011-Fix-Wformat-security-issues.patch b/SOURCES/0011-Fix-Wformat-security-issues.patch new file mode 100644 index 0000000..5288ed7 --- /dev/null +++ b/SOURCES/0011-Fix-Wformat-security-issues.patch @@ -0,0 +1,154 @@ +From 32ede3cc817ee4f6806877a34a6c84ed50c31df7 Mon Sep 17 00:00:00 2001 +From: Miroslav Grepl +Date: Fri, 11 Apr 2014 18:49:33 +0200 +Subject: [PATCH 11/11] Fix -Wformat-security issues + +--- + libseaudit/src/bool_message.c | 4 ++-- + libseaudit/src/filter.c | 2 +- + libseaudit/src/model.c | 2 +- + seaudit/progress.c | 4 ++-- + seaudit/toplevel.c | 2 +- + seaudit/utilgui.c | 2 +- + sediff/progress.c | 4 ++-- + sediff/toplevel.c | 2 +- + sediff/utilgui.c | 2 +- + 9 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/libseaudit/src/bool_message.c b/libseaudit/src/bool_message.c +index f105cf0..d5b1e33 100644 +--- a/libseaudit/src/bool_message.c ++++ b/libseaudit/src/bool_message.c +@@ -101,7 +101,7 @@ char *bool_message_to_string(const seaudit_message_t * msg, const char *date) + return NULL; + } + if ((misc_string = bool_message_to_misc_string(boolm)) == NULL || +- apol_str_appendf(&s, &len, misc_string) < 0 || apol_str_append(&s, &len, close_brace) < 0) { ++ apol_str_appendf(&s, &len, "%s", misc_string) < 0 || apol_str_append(&s, &len, close_brace) < 0) { + free(misc_string); + return NULL; + } +@@ -128,7 +128,7 @@ char *bool_message_to_string_html(const seaudit_message_t * msg, const char *dat + return NULL; + } + if ((misc_string = bool_message_to_misc_string(boolm)) == NULL || +- apol_str_appendf(&s, &len, misc_string) < 0 || apol_str_appendf(&s, &len, "%s%s
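Review bot: Dropping `expr = NULL;` after a failed `asprintf` in `print_syn_av_results`, `print_av_results`, `print_syn_te_results` and `print_te_results` leaves `expr` holding whatever `asprintf` left in it, which the C library does not define on failure; if the `cleanup` labels of those functions free `expr` (they are outside the hunks), that becomes a `free()` of an indeterminate pointer. Keep the reset: `if (asprintf(&expr, "[ %s ]", tmp) < 0) { expr = NULL; goto cleanup; }`. Separately, `print_ft_results` is now called without the former `if (v)` guard, so it relies on `apol_vector_get_size` tolerating NULL. Its new `tmp` and `expr` locals are never assigned, which makes the `expr ? expr : ""` argument always empty.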
", s, close_brace) < 0) { ++ apol_str_appendf(&s, &len, "%s", misc_string) < 0 || apol_str_appendf(&s, &len, "%s%s
", s, close_brace) < 0) { + free(misc_string); + return NULL; + } +diff --git a/libseaudit/src/filter.c b/libseaudit/src/filter.c +index 298a309..c710ce4 100644 +--- a/libseaudit/src/filter.c ++++ b/libseaudit/src/filter.c +@@ -1108,7 +1108,7 @@ int seaudit_filter_save_to_file(const seaudit_filter_t * filter, const char *fil + if ((file = fopen(filename, "w")) == NULL) { + return -1; + } +- fprintf(file, XML_VER); ++ fprintf(file, "%s", XML_VER); + fprintf(file, "\n", FILTER_FILE_FORMAT_VERSION); + filter_append_to_file(filter, file, 1); + fprintf(file, "\n"); +diff --git a/libseaudit/src/model.c b/libseaudit/src/model.c +index 1bc4a23..4a130cb 100644 +--- a/libseaudit/src/model.c ++++ b/libseaudit/src/model.c +@@ -514,7 +514,7 @@ int seaudit_model_save_to_file(const seaudit_model_t * model, const char *filena + if ((file = fopen(filename, "w")) == NULL) { + return -1; + } +- fprintf(file, XML_VER); ++ fprintf(file, "%s", XML_VER); + fprintf(file, "\n", + FILTER_FILE_FORMAT_VERSION, model->name, + model->match == SEAUDIT_FILTER_MATCH_ALL ? 
"all" : "any", +diff --git a/seaudit/progress.c b/seaudit/progress.c +index 2e0abeb..f092858 100644 +--- a/seaudit/progress.c ++++ b/seaudit/progress.c +@@ -114,10 +114,10 @@ int progress_wait(progress_t * progress) + } + g_mutex_unlock(progress->mutex); + if (progress->done < 0) { +- toplevel_ERR(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_ERR(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done; + } else if (progress->done > 1) { +- toplevel_WARN(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_WARN(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done - 1; + } else { + progress->done = 0; +diff --git a/seaudit/toplevel.c b/seaudit/toplevel.c +index d901a99..27938d5 100644 +--- a/seaudit/toplevel.c ++++ b/seaudit/toplevel.c +@@ -902,7 +902,7 @@ static void toplevel_message(toplevel_t * top, GtkMessageType msg_type, const ch + ERR(NULL, "%s", strerror(errno)); + return; + } +- dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + free(msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); +diff --git a/seaudit/utilgui.c b/seaudit/utilgui.c +index 22028e1..78a1a08 100644 +--- a/seaudit/utilgui.c ++++ b/seaudit/utilgui.c +@@ -30,7 +30,7 @@ + void util_message(GtkWindow * parent, GtkMessageType msg_type, const char *msg) + { + GtkWidget *dialog; +- dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); + } +diff --git a/sediff/progress.c b/sediff/progress.c +index efaa120..312789e 100644 +--- a/sediff/progress.c ++++ b/sediff/progress.c +@@ -115,10 +115,10 @@ 
int progress_wait(progress_t * progress) + } + g_mutex_unlock(progress->mutex); + if (progress->done < 0) { +- toplevel_ERR(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_ERR(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done; + } else if (progress->done > 1) { +- toplevel_WARN(progress->top, GTK_LABEL(progress->label2)->label); ++ toplevel_WARN(progress->top, "%s", GTK_LABEL(progress->label2)->label); + return progress->done - 1; + } else { + progress->done = 0; +diff --git a/sediff/toplevel.c b/sediff/toplevel.c +index db6d1f5..aabd039 100644 +--- a/sediff/toplevel.c ++++ b/sediff/toplevel.c +@@ -453,7 +453,7 @@ static void toplevel_message(toplevel_t * top, GtkMessageType msg_type, const ch + ERR(NULL, "%s", strerror(errno)); + return; + } +- dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(top->w, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + free(msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); +diff --git a/sediff/utilgui.c b/sediff/utilgui.c +index 04e1e05..9e183ba 100644 +--- a/sediff/utilgui.c ++++ b/sediff/utilgui.c +@@ -31,7 +31,7 @@ + void util_message(GtkWindow * parent, GtkMessageType msg_type, const char *msg) + { + GtkWidget *dialog; +- dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, msg); ++ dialog = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT, msg_type, GTK_BUTTONS_CLOSE, "%s", msg); + gtk_dialog_run(GTK_DIALOG(dialog)); + gtk_widget_destroy(dialog); + } +-- +1.8.5.3 + diff --git a/SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch b/SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch new file mode 100644 index 0000000..efdd8a9 --- /dev/null +++ b/SOURCES/0013-libqpol-Skip-types-when-building-type-attribute-map.patch 
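Review bot: In `bool_message_to_string_html` the second `apol_str_appendf` on the changed line still passes `s` as a `%s` argument while `&s` is the buffer being appended to. Depending on how `apol_str_appendf` grows the buffer (its body is not shown), that either appends a second copy of everything built so far or reads a pointer that may be reallocated during the call; the plain-text variant above uses `apol_str_append(&s, &len, close_brace)` and has neither problem. Dropping the leading `%s` and the `s` argument from that call would fix it. To keep format-string bugs of this kind from returning, the declarations of `apol_str_appendf`, `toplevel_ERR` and `toplevel_WARN` could carry `__attribute__((format(printf, N, N+1)))` if they do not already, so that `-Wformat-security` checks every caller.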
@@ -0,0 +1,29 @@ +From f7b31b7e28a4f89bcfcd0d139cfca78777a4333e Mon Sep 17 00:00:00 2001 +From: Chris PeBenito +Date: Thu, 4 Feb 2016 14:06:49 -0500 +Subject: [PATCH] libqpol: Skip types when building type attribute map. + +Fix originally from Richard Haines. + +Closes #94. +--- + libqpol/src/policy_extend.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c +index 1417271..416bddb 100644 +--- a/libqpol/src/policy_extend.c ++++ b/libqpol/src/policy_extend.c +@@ -201,6 +201,9 @@ static int qpol_policy_build_attrs_from_map(qpol_policy_t * policy) + memset(&buff, 0, 10 * sizeof(char)); + + for (i = 0; i < db->p_types.nprim; i++) { ++ /* skip types */ ++ if (db->type_val_to_struct[i]->flavor == TYPE_TYPE) ++ continue; + count = 0; + ebitmap_for_each_bit(&db->attr_type_map[i], node, bit) { + if (ebitmap_node_get_bit(node, bit)) +-- +2.5.0 + diff --git a/SOURCES/0014-Add-support-for-DCCP-and-SCTP-protocols.patch b/SOURCES/0014-Add-support-for-DCCP-and-SCTP-protocols.patch new file mode 100644 index 0000000..94679d1 --- /dev/null +++ b/SOURCES/0014-Add-support-for-DCCP-and-SCTP-protocols.patch 
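Review bot: In the libqpol/src/policy_extend.c change carried by 0013, the added test `db->type_val_to_struct[i]->flavor == TYPE_TYPE` dereferences the table slot without checking that it is populated. The visible lines do not show that every index below `db->p_types.nprim` has an entry, and this loop runs on policy data read from a file, so a policy with a gap in its type values would presumably crash here instead of being skipped. A guard on the same line is enough: `if (!db->type_val_to_struct[i] || db->type_val_to_struct[i]->flavor == TYPE_TYPE)`. The body of qpol_policy_build_attrs_from_map starts and ends outside the hunk, so an earlier validity check may already exist there.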
@@ -0,0 +1,235 @@
+From 78260f2d8fdeb05a9d53727ea64bf5b2d08d3349 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 20 Jul 2018 17:33:22 +0200
+Subject: [PATCH] Add support for DCCP and SCTP protocols
+
+Resolves: rhbz#1607273
+---
+ libapol/include/apol/util.h | 12 ++++++------
+ libapol/src/util.c | 17 +++++++++++++++++
+ libapol/swig/apol.i | 3 +++
+ libqpol/include/qpol/portcon_query.h | 13 +++++++++++--
+ libqpol/src/policy_define.c | 10 ++++++++++
+ libqpol/src/policy_parse.y | 7 +++++++
+ libqpol/swig/qpol.i | 3 +++
+ python/setools/seinfo.c | 4 +++-
+ secmds/seinfo.c | 4 ++++
+ 9 files changed, 64 insertions(+), 9 deletions(-)
+
+diff --git a/libapol/include/apol/util.h b/libapol/include/apol/util.h
+index 99db1685..3e370332 100644
+--- a/libapol/include/apol/util.h
++++ b/libapol/include/apol/util.h
+@@ -48,8 +48,8 @@ extern "C"
+ * Given a portcon protocol, return a read-only string that describes
+ * that protocol.
+ *
+- * @param protocol Portcon protocol, one of IPPROTO_TCP or IPPROTO_UDP
+- * from netinet/in.h.
++ * @param protocol Portcon protocol, one of IPPROTO_TCP, IPPROTO_UDP,
++ * IPPROTO_DCCP or IPPROTO_SCTP from netinet/in.h.
+ *
+ * @return A string that describes the protocol, or NULL if the
+ * protocol is invalid. Do not free() this string.
+@@ -59,10 +59,10 @@ extern "C"
+ /**
+ * Given the name of a portcon protocol, return its numeric value.
+ *
+- * @param protocol_str Portcon protocol, one of "tcp", "TCP", "udp", or "UDP".
+- *
+- * @return Numeric value for the protocol, one of IPPROTO_TCP or IPPROTO_UDP
+- * from netinet/in.h. Upon error return 0.
++ * @param protocol_str Portcon protocol, one of "tcp", "TCP", "udp", "UDP",
++ * "dccp", "DCCP", "sctp" or "SCTP".
++ * @return Numeric value for the protocol, one of IPPROTO_TCP, IPPROTO_UDP,
++ * IPPROTO_DCCP or IPPROTO_SCTP from netinet/in.h. Upon error return 0.
+ */
+ extern uint8_t apol_str_to_protocol(const char *protocol_str);
+
+diff --git a/libapol/src/util.c b/libapol/src/util.c
+index dd6d300d..fc38d9d5 100644
+--- a/libapol/src/util.c
++++ b/libapol/src/util.c
+@@ -42,6 +42,13 @@
+ #include
+ #include /* needed for portcon's protocol */
+
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
++
+ /* use 8k line size */
+ #define APOL_LINE_SZ 8192
+ #define APOL_ENVIRON_VAR_NAME "APOL_INSTALL_DIR"
+@@ -173,6 +180,10 @@ const char *apol_protocol_to_str(uint8_t protocol)
+ return "tcp";
+ case IPPROTO_UDP:
+ return "udp";
++ case IPPROTO_DCCP:
++ return "dccp";
++ case IPPROTO_SCTP:
++ return "sctp";
+ default:
+ errno = EPROTONOSUPPORT;
+ return NULL;
+@@ -191,6 +202,12 @@ uint8_t apol_str_to_protocol(const char *protocol_str)
+ if (strcmp(protocol_str, "udp") == 0 || strcmp(protocol_str, "UDP") == 0) {
+ return IPPROTO_UDP;
+ }
++ if (strcmp(protocol_str, "dccp") == 0 || strcmp(protocol_str, "DCCP") == 0) {
++ return IPPROTO_DCCP;
++ }
++ if (strcmp(protocol_str, "sctp") == 0 || strcmp(protocol_str, "SCTP") == 0) {
++ return IPPROTO_SCTP;
++ }
+ errno = EPROTONOSUPPORT;
+ return 0;
+ }
+diff --git a/libapol/swig/apol.i b/libapol/swig/apol.i
+index 8a4a195f..6a650315 100644
+--- a/libapol/swig/apol.i
++++ b/libapol/swig/apol.i
+@@ -227,6 +227,9 @@ const char *libapol_get_version(void);
+ /* defines from netinet/in.h for ip protocols */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
++#define IPPROTO_DCCP 33
++#define IPPROTO_SCTP 132
++
+ const char *apol_protocol_to_str(uint8_t protocol);
+ uint8_t apol_str_to_protocol(const char *protocol_str);
+ %newobject wrap_apol_str_to_internal_ip(char*);
+diff --git a/libqpol/include/qpol/portcon_query.h b/libqpol/include/qpol/portcon_query.h
+index 63210feb..72e8ce9e 100644
+--- a/libqpol/include/qpol/portcon_query.h
++++ b/libqpol/include/qpol/portcon_query.h
+@@ -37,6 +37,13 @@ extern "C"
+ #include
+ #include
+
+#ifndef IPPROTO_DCCP
+#define IPPROTO_DCCP 33
+#endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
++
+ typedef struct qpol_portcon qpol_portcon_t;
+
+ /**
+@@ -46,7 +53,8 @@ extern "C"
+ * @param high The high port of the range of ports; if searching for a
+ * single port, set high equal to low.
+ * @param protocol The protocol used in the portcon statement.
+- * Value should be one of IPPROTO_TCP or IPPROTO_UDP from netinet/in.h
++ * Value should be one of IPPROTO_TCP, IPPROTO_UDP, IPPROTO_DCCP or
++ * IPPROTO_SCTP from netinet/in.h
+ * @param ocon Pointer in which to store the statement returned.
+ * The caller should not free this pointer.
+ * @return 0 on success and < 0 on failure; if the call fails,
+@@ -73,7 +81,8 @@ extern "C"
+ * @param policy The policy associated with the portcon statement.
+ * @param ocon The portcon statement from which to get the protocol.
+ * @param protocol Pointer to set to the value of protocol.
+- * Value will be one of IPPROTO_TCP or IPPROTO_UDP from netinet/in.h
++ * Value will be one of IPPROTO_TCP, IPPROTO_UDP, IPPROTO_DCCP or
++ * IPPROTO_SCTP from netinet/in.h
+ * @return 0 on success and < 0 on failure; if the call fails,
+ * errno will be set and *protocol will be 0;
+ */
+diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
+index 15f70ba3..2c5d488b 100644
+--- a/libqpol/src/policy_define.c
++++ b/libqpol/src/policy_define.c
+@@ -63,6 +63,12 @@
+ #ifdef HAVE_SEPOL_ERRCODES
+ #include
+ #endif
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
+
+ #include "queue.h"
+ /* Required for SETools libqpol - Removed #include "checkpolicy.h"*/
+@@ -4350,6 +4356,10 @@ int define_port_context(unsigned int low, unsigned int high)
+ protocol = IPPROTO_TCP;
+ } else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
+ protocol = IPPROTO_UDP;
++ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
++ protocol = IPPROTO_DCCP;
++ } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) {
++ protocol = IPPROTO_SCTP;
+ } else {
+ yyerror2("unrecognized protocol %s", id);
+ free(newc);
+diff --git a/libqpol/src/policy_parse.y b/libqpol/src/policy_parse.y
+index 357f3d8f..e07ff52c 100644
+--- a/libqpol/src/policy_parse.y
++++ b/libqpol/src/policy_parse.y
+@@ -52,6 +52,13 @@
+ #include
+ #include
+
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
++#ifndef IPPROTO_SCTP
++#define IPPROTO_SCTP 132
++#endif
++
+ #include
+ #include
+ #include
+diff --git a/libqpol/swig/qpol.i b/libqpol/swig/qpol.i
+index b604488a..9fbb8286 100644
+--- a/libqpol/swig/qpol.i
++++ b/libqpol/swig/qpol.i
+@@ -2005,6 +2005,9 @@ typedef struct qpol_nodecon {} qpol_nodecon_t;
+ /* from netinet/in.h */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
++#define IPPROTO_DCCP 33
++#define IPPROTO_SCTP 132
++
+ typedef struct qpol_portcon {} qpol_portcon_t;
+ %extend qpol_portcon_t {
+ qpol_portcon(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
+diff --git a/python/setools/seinfo.c b/python/setools/seinfo.c
+index 211930a3..7c22f9e7 100644
+--- a/python/setools/seinfo.c
++++ b/python/setools/seinfo.c
+@@ -512,7 +512,9 @@ static PyObject* get_ports(const char *num, const apol_policy_t * policydb)
+ }
+
+ if ((ocon_proto != IPPROTO_TCP) &&
+- (ocon_proto != IPPROTO_UDP))
++ (ocon_proto != IPPROTO_UDP) &&
++ (ocon_proto != IPPROTO_DCCP) &&
++ (ocon_proto != IPPROTO_SCTP))
+ goto cleanup;
+
+ if (qpol_portcon_get_context(q, portcon, &ctxt)) {
+diff --git a/secmds/seinfo.c b/secmds/seinfo.c
+index a9708907..3c71af57 100644
+--- a/secmds/seinfo.c
++++ b/secmds/seinfo.c
+@@ -1155,6 +1155,10 @@ static int print_portcon(FILE * fp, const char *num, const char *protocol, const
+ proto = IPPROTO_TCP;
+ else if (!strcmp(protocol, "udp"))
+ proto = IPPROTO_UDP;
++ else if (!strcmp(protocol, "dccp"))
++ proto = IPPROTO_DCCP;
++ else if (!strcmp(protocol, "sctp"))
++ proto = IPPROTO_SCTP;
+ else {
+ ERR(policydb, "Unable to get portcon by protocol: bad protocol %s.", protocol);
+ goto cleanup;
+-- 
+2.14.3
+
diff --git a/SOURCES/apol.desktop b/SOURCES/apol.desktop
new file mode 100644
index 0000000..727733a
--- /dev/null
+++ b/SOURCES/apol.desktop
@@ -0,0 +1,11 @@
+[Desktop Entry]
+Name=SELinux Policy Analysis
+GenericName=SELinux Policy Analysis Tool
+Comment=This tool can examine, search, and relate policy components and policy rules
+Icon=apol
+Exec=/usr/bin/apol
+Type=Application
+Terminal=false
+Categories=System;
+X-Desktop-File-Install-Version=0.2
+StartupNotify=true
diff --git a/SOURCES/seaudit.desktop b/SOURCES/seaudit.desktop
new file mode 100644
index 0000000..d3a277e
--- /dev/null
+++ b/SOURCES/seaudit.desktop
@@ -0,0 +1,11 @@
+[Desktop Entry]
+Name=SELinux Audit Log Analysis
+GenericName=SELinux Audit Log Analysis Tool
+Comment=The tool parses syslog files and extracts all policy , AVC and change of boolean messages.
+Icon=seaudit.png
+Exec=/usr/bin/seaudit
+Type=Application
+Terminal=false
+Categories=System;
+X-Desktop-File-Install-Version=0.2
+StartupNotify=true
diff --git a/SOURCES/setools.pam b/SOURCES/setools.pam
new file mode 100644
index 0000000..c7d67e3
--- /dev/null
+++ b/SOURCES/setools.pam
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth include config-util
+account include config-util
+session include config-util
diff --git a/SPECS/setools.spec b/SPECS/setools.spec
new file mode 100644
index 0000000..615abc6
--- /dev/null
+++ b/SPECS/setools.spec
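Review bot: In the secmds/seinfo.c change carried by 0014, print_portcon extends its own lowercase-only `strcmp` chain, while `apol_str_to_protocol` in libapol/src/util.c, extended by the same patch, already maps the same names in both cases. Together with define_port_context the patch now maintains three name tables that have to be edited in step for every new protocol. If seinfo.c can call libapol at this point (its includes are not in the hunk), the chain could shrink to `proto = apol_str_to_protocol(protocol);` followed by `if (!proto) { ERR(...); goto cleanup; }` with the existing error message kept; note that this would also start accepting the upper-case spellings. print_portcon starts and ends outside the hunk.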
@@ -0,0 +1,757 @@ +%global setools_maj_ver 3.3 +%global setools_min_ver 8 +%global gitver f1e5b20 + +Name: setools +Version: %{setools_maj_ver}.%{setools_min_ver} +Release: 4%{?dist} +License: GPLv2 +URL: http://oss.tresys.com/projects/setools +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +# Source: http://oss.tresys.com/projects/setools/chrome/site/dists/setools-%{version}/setools-%{version}.tar.bz2 +# git clone https://github.com/TresysTechnology/setools3.git +# cd setools3 +# gitrev=`git rev-parse --verify --short HEAD` +# git archive --format=tar --prefix=setools-3.3.8/ HEAD | bzip2 > setools-3.3.8-$gitrev.tar.bz2 +Source: setools-%{version}-%{gitver}.tar.bz2 +Source1: setools.pam +Source2: apol.desktop +Source3: seaudit.desktop +Patch1: 0001-libqpol-Do-not-fail-on-neverallow-rule-query.patch +Patch2: 0002-Fix-sepol-calls-to-work-with-latest-libsepol.patch +Patch4: 0004-Apply-selinux_current_policy_path-patch.patch +Patch5: 0005-Apply-seaudit-patch-for-progress.c.patch +Patch6: 0006-Add-support-for-boolean-subs.patch +Patch7: 0007-Setools-noship.patch +Patch8: 0008-Add-alias-support-to-seinfo-t.patch +Patch9: 0009-Fix-help-message-on-sesearch-D.patch +Patch11: 0011-Fix-Wformat-security-issues.patch +# Patch12: 0012-Fix-configure.ac-to-use-SWIG-3.0.0.patch +Patch13: 0013-libqpol-Skip-types-when-building-type-attribute-map.patch +Patch14: 0014-Add-support-for-DCCP-and-SCTP-protocols.patch + +Summary: Policy analysis tools for SELinux +Group: System Environment/Base +Requires: setools-libs = %{version}-%{release} setools-libs-tcl = %{version}-%{release} setools-gui = %{version}-%{release} setools-console = %{version}-%{release} + +# external requirements +%define autoconf_ver 2.59 +%define bwidget_ver 1.8 +%define gtk_ver 2.8 +%define sepol_ver 2.5-10 +%define selinux_ver 2.5-14.1 +%define sqlite_ver 3.2.0 +%define swig_ver 2.0.7-3 +%define tcltk_ver 8.4.9 + +%description +SETools is a collection of graphical tools, command-line tools, and +libraries 
designed to facilitate SELinux policy analysis. + +This meta-package depends upon the main packages necessary to run +SETools. + +%package libs +License: LGPLv2 +Summary: Policy analysis support libraries for SELinux +Group: System Environment/Libraries +Requires: libselinux >= %{selinux_ver} libsepol >= %{sepol_ver} sqlite >= %{sqlite_ver} +Obsoletes: setools-libs-java +Obsoletes: setools-libs-python < 3.3.7-36 +BuildRequires: flex bison pkgconfig bzip2-devel +BuildRequires: glibc-devel libstdc++-devel gcc gcc-c++ +BuildRequires: libselinux-devel >= %{selinux_ver} libsepol-devel >= %{sepol_ver} +BuildRequires: libsepol-static >= %{sepol_ver} +BuildRequires: sqlite-devel >= %{sqlite_ver} libxml2-devel +BuildRequires: tcl-devel >= %{tcltk_ver} +BuildRequires: autoconf >= %{autoconf_ver} automake + +%description libs +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes the following run-time libraries: + + libapol policy analysis library + libpoldiff semantic policy difference library + libqpol library that abstracts policy internals + libseaudit parse and filter SELinux audit messages in log files + libsefs SELinux file contexts library + +%package libs-tcl +License: LGPLv2 +Summary: Tcl bindings for SELinux policy analysis +Group: Development/Languages +Requires: setools-libs = %{version}-%{release} tcl >= %{tcltk_ver} +BuildRequires: tcl-devel >= %{tcltk_ver} swig >= %{swig_ver} + +%description libs-tcl +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. 
+ +This package includes Tcl bindings for the following libraries: + + libapol policy analysis library + libpoldiff semantic policy difference library + libqpol library that abstracts policy internals + libseaudit parse and filter SELinux audit messages in log files + libsefs SELinux file contexts library + +%package devel +License: LGPLv2 +Summary: Policy analysis development files for SELinux +Group: Development/Libraries +Requires: libselinux-devel >= %{selinux_ver} libsepol-devel >= %{sepol_ver} setools-libs = %{version}-%{release} +BuildRequires: sqlite-devel >= %{sqlite_ver} libxml2-devel + +%description devel +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes header files and archives for the following +libraries: + + libapol policy analysis library + libpoldiff semantic policy difference library + libqpol library that abstracts policy internals + libseaudit parse and filter SELinux audit messages in log files + libsefs SELinux file contexts library + +%package console +Summary: Policy analysis command-line tools for SELinux +Group: System Environment/Base +License: GPLv2 +Requires: setools-libs = %{version}-%{release} +Requires: libselinux >= %{selinux_ver} + +%description console +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. 
+ +This package includes the following console tools: + + secmds command line tools: seinfo, sesearch + sediff semantic policy difference tool + +%package gui +Summary: Policy analysis graphical tools for SELinux +Group: System Environment/Base +Requires: tcl >= %{tcltk_ver} tk >= %{tcltk_ver} bwidget >= %{bwidget_ver} +Requires: setools-libs = %{version}-%{release} setools-libs-tcl = %{version}-%{release} +Requires: glib2 gtk2 >= %{gtk_ver} usermode +BuildRequires: gtk2-devel >= %{gtk_ver} libglade2-devel libxml2-devel tk-devel >= %{tcltk_ver} +BuildRequires: desktop-file-utils + +%description gui +SETools is a collection of graphical tools, command-line tools, and +libraries designed to facilitate SELinux policy analysis. + +This package includes the following graphical tools: + + apol policy analysis tool + seaudit audit log analysis tool + +%define setoolsdir %{_datadir}/setools-%{setools_maj_ver} +%define tcllibdir %{_libdir}/setools + +%prep +%setup -q +%patch1 -p 1 -b .neverallow +%patch2 -p 1 -b .libsepol +%patch4 -p 1 -b .current_policy +%patch5 -p 1 -b .seaudit +%patch6 -p 1 -b .boolean-subs +%patch7 -p 1 -b .noship +%patch8 -p 1 -b .seinfo-t +%patch9 -p 1 -b .sesearch-D +%patch11 -p 1 -b .Wformat-security +# %patch12 -p 1 -b .version +%patch13 -p 1 -b .libqpol +%patch14 -p 1 -b .dccpsctp + +%ifarch sparc sparcv9 sparc64 s390 s390x + for file in `find . 
-name Makefile.am`; do + sed -i -e 's:-fpic:-fPIC:' $file; + done +%endif +# Fixup expected version of SWIG: +sed -i -e "s|AC_PROG_SWIG(1.3.28)|AC_PROG_SWIG(2.0.0)|g" configure.ac +# and rebuild the autotooled files: +aclocal +autoreconf -if + +%build +automake +%configure --libdir=%{_libdir} --disable-bwidget-check --disable-selinux-check \ + --enable-swig-tcl +# work around issue with gcc 4.3 + gnu99 + swig-generated code: +make %{?_smp_mflags} + +%install +rm -rf ${RPM_BUILD_ROOT} +make DESTDIR=${RPM_BUILD_ROOT} INSTALL="install -p" install +mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/applications +mkdir -p ${RPM_BUILD_ROOT}%{_datadir}/pixmaps +install -d -m 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/pam.d +install -p -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/pam.d/seaudit +install -d -m 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/security/console.apps +install -p -m 644 packages/rpm/seaudit.console ${RPM_BUILD_ROOT}%{_sysconfdir}/security/console.apps/seaudit +install -d -m 755 ${RPM_BUILD_ROOT}%{_datadir}/applications +install -p -m 644 apol/apol.png ${RPM_BUILD_ROOT}%{_datadir}/pixmaps/apol.png +install -p -m 644 seaudit/seaudit.png ${RPM_BUILD_ROOT}%{_datadir}/pixmaps/seaudit.png +desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications %{SOURCE2} +ln -sf consolehelper ${RPM_BUILD_ROOT}/%{_bindir}/seaudit +# remove static libs +rm -f ${RPM_BUILD_ROOT}/%{_libdir}/*.a +# ensure permissions are correct +chmod 0755 ${RPM_BUILD_ROOT}/%{_libdir}/*.so.* +chmod 0755 ${RPM_BUILD_ROOT}/%{_libdir}/%{name}/*/*.so.* +chmod 0644 ${RPM_BUILD_ROOT}/%{tcllibdir}/*/pkgIndex.tcl + +%clean +rm -rf ${RPM_BUILD_ROOT} + +%files +%defattr(-,root,root,-) + +%files libs +%defattr(-,root,root,-) +%{!?_licensedir:%global license %%doc} +%license COPYING COPYING.GPL COPYING.LGPL +%doc AUTHORS ChangeLog KNOWN-BUGS NEWS README +%{_libdir}/libqpol.so.* +%{_libdir}/libapol.so.* +%{_libdir}/libpoldiff.so.* +%{_libdir}/libsefs.so.* +%{_libdir}/libseaudit.so.* +%{tcllibdir}/apol_tcl/ +%dir 
%{setoolsdir} + +%files libs-tcl +%defattr(-,root,root,-) +%dir %{tcllibdir} +%{tcllibdir}/qpol/ +%{tcllibdir}/apol/ +%{tcllibdir}/poldiff/ +%{tcllibdir}/seaudit/ +%{tcllibdir}/sefs/ + +%files devel +%defattr(-,root,root,-) +%{_libdir}/*.so +%{_libdir}/pkgconfig/* +%{_includedir}/qpol/ +%{_includedir}/apol/ +%{_includedir}/poldiff/ +%{_includedir}/seaudit/ +%{_includedir}/sefs/ + +%files console +%defattr(-,root,root,-) +%{_bindir}/seinfo +%{_bindir}/sesearch +%{_bindir}/sediff +%{_bindir}/findcon +%{_bindir}/sechecker +%{setoolsdir}/sechecker-profiles/ +%{setoolsdir}/sechecker_help.txt +%{_mandir}/man1/findcon.1.gz +%{_mandir}/man1/sechecker.1.gz +%{_mandir}/man1/sediff.1.gz +%{_mandir}/man1/seinfo.1.gz +%{_mandir}/man1/sesearch.1.gz + +%files gui +%defattr(-,root,root,-) +%{_bindir}/seaudit +%{_bindir}/apol +%{setoolsdir}/apol_help.txt +%{setoolsdir}/domaintrans_help.txt +%{setoolsdir}/file_relabel_help.txt +%{setoolsdir}/infoflow_help.txt +%{setoolsdir}/types_relation_help.txt +%{setoolsdir}/apol_perm_mapping_* +%{setoolsdir}/seaudit_help.txt +%{setoolsdir}/*.glade +%{setoolsdir}/*.png +%{setoolsdir}/apol.gif +%{setoolsdir}/dot_seaudit +%{_mandir}/man1/apol.1.gz +%{_mandir}/man8/seaudit.8.gz +%{_sbindir}/seaudit +%config(noreplace) %{_sysconfdir}/pam.d/seaudit +%config(noreplace) %{_sysconfdir}/security/console.apps/seaudit +%{_datadir}/applications/* +%attr(0644,root,root) %{_datadir}/pixmaps/*.png + +%post libs -p /sbin/ldconfig + +%postun libs -p /sbin/ldconfig + +%post libs-tcl -p /sbin/ldconfig + +%postun libs-tcl -p /sbin/ldconfig + +%changelog +* Wed Jul 25 2018 Vit Mojzis - 3.3.8-4 +- Add support for DCCP and SCTP protocols (#1607273, #1601958) + +* Fri May 04 2018 Vit Mojzis - 3.3.8-3 +- Rebuild to incorporate support for extended_socket_class from libsepol (#1573925) + +* Thu Oct 19 2017 Vit Mojzis - 3.3.8-2 +- libqpol: Do not fail on neverallow rule query + +* Mon May 23 2016 Petr Lautrbach - 3.3.8-1.1 +- Rebase to the latest setools3 sources + +* Tue 
Mar 18 2014 Dan Walsh - 3.3.7-46 +- Move apol_tcl to setools-lib package +Resolves: #1076429 + +* Thu Feb 13 2014 Dan Walsh - 3.3.7-45 +- Fix sesearch --all + +* Fri Jan 24 2014 Daniel Mach - 3.3.7-44 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 3.3.7-43 +- Mass rebuild 2013-12-27 + +* Wed Nov 27 2013 Dan Walsh - 3.3.7-42 +- Add back in findcon and sechecker for RHEL customer request +Resolves: 927522 + +* Mon Sep 16 2013 Dan Walsh - 3.3.7-41 +- Cleanup Destop files. +Resolves: 884174 + +* Fri Jul 19 2013 Dan Walsh - 3.3.7-40 +- Fix help message on sesearch -D + +* Thu May 16 2013 Dan Walsh - 3.3.7-39 +- Remove --default and --audit from sesearch +- Make -D == --dontaudit in sesearch + +* Thu Mar 28 2013 Dan Walsh - 3.3.7-38 +- Add alias support to seinfo -t + +* Wed Mar 27 2013 Kalev Lember - 3.3.7-37 +- Obsolete the removed setools-libs-python subpackage + +* Fri Mar 15 2013 Dan Walsh - 3.3.7-36 +- Drop support for python bindings + +* Thu Mar 14 2013 Dan Walsh - 3.3.7-35 +- Add support for substituting bools to sesearch and seinfo + +* Wed Jan 30 2013 Dan Walsh - 3.3.7-34 +- Rebuild using pristine source from Tresys + +* Tue Jan 29 2013 Dan Walsh - 3.3.7-33 +- Apply swig patch to make apol work again. 
+ +* Mon Jan 7 2013 Dan Walsh - 3.3.7-32 +- Rebuild with new tool chain + +* Fri Sep 28 2012 Dan Walsh - 3.3.7-31 +- Add filename_trans to python/setools/sesearch bindings + +* Fri Sep 28 2012 Dan Walsh - 3.3.7-30 +- Apply Lars Jensen patch to fix seaudit +- Remove java bindings, not supported + +* Sun Sep 16 2012 Dan Walsh - 3.3.7-29 +- Remove tools that we do not want to support + +* Mon Aug 20 2012 Dan Horák - 3.3.7-28 +- use autoreconf to rebuild all autotooled files (FTBFS) + +* Sat Jul 21 2012 Fedora Release Engineering - 3.3.7-27 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 11 2012 Dan Walsh - 3.3.7-26 +- mgrepl patch to Fix swig coding style for structures related to SWIG changes + +* Wed Jul 4 2012 Dan Walsh - 3.3.7-25 +- Fix swig coding style for structures related to SWIG changes + +* Wed May 2 2012 Dan Walsh - 3.3.7-24 +- Revert setools current patch + +- Rebuild to get latest libsepol which fixes the file_name transition problems +- Use selinux_current_policy_path to read by default policy + +* Tue Feb 28 2012 Fedora Release Engineering - 3.3.7-22 +- Rebuilt for c++ ABI breakage + +* Sat Jan 14 2012 Fedora Release Engineering - 3.3.7-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Dec 20 2011 Dan Walsh - 3.3.7-20 +- Rebuild to use latest libsepol + +* Wed Oct 26 2011 Dan Walsh - 3.3.7-19 +- Add ftrule*h in apol and qpol + +* Wed Sep 21 2011 Dan Walsh - 3.3.7-18 +- Fix output to match input in policy + +* Tue Sep 20 2011 Dan Walsh - 3.3.7-17 +- Fix to build with latest libsepol +- Show filename transition files + +* Thu Apr 21 2011 Dan Walsh - 3.3.7-16 +- Rebuild for new sepol + +* Fri Apr 15 2011 Dan Walsh - 3.3.7-15 +- Rebuild for new sepol + +* Sat Apr 9 2011 Dan Walsh - 3.3.7-14 +- Rebuild for new sepol + +* Sun Feb 27 2011 Dennis Gilmore - 3.3.7-13 +- switch in -fPIC in Makefile.am in prep stage + +* Wed Feb 09 2011 Fedora Release Engineering - 3.3.7-12 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Nov 5 2010 Dan Walsh 3.3.6-10 +- Exit seinfo and sesearch with proper status + +* Fri Nov 5 2010 Dan Walsh 3.3.6-9 +- Rebuild for new libxml2 + +* Thu Oct 14 2010 Dan Walsh 3.3.6-8 +- Return None when no records match python setools.sesearch + +* Thu Aug 19 2010 Dan Walsh 3.3.6-7 +- Add range to ports in seinfo python + +* Tue Aug 3 2010 Dan Walsh 3.3.6-6 +- Return range with ports + +* Tue Aug 3 2010 Dan Walsh 3.3.6-5 +- Add port support to setools python + +* Mon Jul 26 2010 David Malcolm - 3.3.7-4 +- fixup configure.ac to expect SWIG 2.0.0; bump the python version to 2.7 in +patch 1 + +* Thu Jul 22 2010 David Malcolm - 3.3.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild + +* Wed May 12 2010 Chris PeBenito 3.3.7-2 +- Add missing bzip2 dependencies. + +* Wed May 12 2010 Chris PeBenito 3.3.7-1 +- New upstream release. + +* Tue Aug 11 2009 Dan Walsh 3.3.6-4 +- Add python bindings for sesearch and seinfo + +* Tue Jul 28 2009 Dan Walsh 3.3.6-3 +- Fix qpol install of include files + +* Sun Jul 26 2009 Fedora Release Engineering - 3.3.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 22 2009 Chris PeBenito 3.3.6-1 +- New upstream release. + +* Sun Apr 5 2009 Dan Horák - 3.3.5-8 +- don't expect that java-devel resolves as gcj + +* Sun Apr 5 2009 Dan Horák - 3.3.5-7 +- add support for s390x + +* Wed Feb 25 2009 Fedora Release Engineering - 3.3.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Dec 04 2008 Ignacio Vazquez-Abrams - 3.3.5-5 +- Rebuild for Python 2.6 + +* Mon Dec 1 2008 Michael Schwendt - 3.3.5-4 +- Include %%tcllibdir directory in -libs-tcl package. + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 3.3.5-3 +- Rebuild for Python 2.6 + +* Wed Sep 17 2008 Dennis Gilmore 3.3.5-2 +- fix building in sparc and s390 arches + +* Tue Aug 26 2008 Chris PeBenito 3.3.5-1 +- Update to upstream version 3.3.5. 
+ +* Wed Feb 27 2008 Chris PeBenito 3.3.4-1 +- Fixes gcc 4.3, glibc 2.7, tcl 8.5, and libsepol 2.0.20 issues. +- Fix policy loading when policy on disk is higher version than the kernel. + +* Tue Feb 19 2008 Fedora Release Engineering - 3.3.2-3 +- Autorebuild for GCC 4.3 + +* Tue Jan 29 2008 Chris Pebenito 3.3.2-2.fc9 +- Bump to pick up new libsepol and policy 22. + +* Wed Nov 28 2007 Chris Pebenito 3.3.2-1.fc9 +- Update for 3.3.2. + +* Thu Oct 18 2007 Chris PeBenito 3.3.1-7.fc8 +- Rebuild to fix ppc64 issue. + +* Wed Oct 17 2007 Chris PeBenito 3.3.1-6.fc8 +- Update for 3.3.1. + +* Tue Aug 28 2007 Fedora Release Engineering - 3.2-4 +- Rebuild for selinux ppc32 issue. + +* Fri Jul 20 2007 Dan Walsh 3.2-3 +- Move to Tresys spec file + +* Wed Jun 13 2007 Dan Walsh 3.2-2 +- Bump for rebuild + +* Mon Apr 30 2007 Dan Walsh 3.2-1 +- Start shipping the rest of the setools command line apps + +* Wed Apr 25 2007 Jason Tang 3.2-0 +- update to SETools 3.2 release + +* Fri Feb 02 2007 Jason Tang 3.1-1 +- update to SETools 3.1 release + +* Mon Oct 30 2006 Dan Walsh 3.0-2.fc6 +- bump for fc6 + +* Thu Oct 26 2006 Dan Walsh 3.0-2 +- Build on rawhide + +* Sun Oct 15 2006 Dan Walsh 3.0-1 +- Update to upstream + +* Wed Jul 12 2006 Jesse Keating - sh: line 0: fg: no job control +- rebuild + +* Tue May 23 2006 Dan Walsh 2.4-2 +- Remove sqlite include directory + +* Wed May 3 2006 Dan Walsh 2.4-1 +- Update from upstream + +* Mon Apr 10 2006 Dan Walsh 2.3-3 +- Fix help +- Add icons + +* Tue Mar 21 2006 Dan Walsh 2.3-2 +- Remove console apps for sediff, sediffx and apol + +* Fri Feb 10 2006 Jesse Keating - 2.3-1.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 2.3-1.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 31 2006 Dan Walsh 2.3-1 +- Update from upstream + * apol: + added new MLS components tab for sensitivities, + levels, and categories. + Changed users tab to support ranges and default + levels. 
+ added range transition tab for searching range + Transition rules. + added new tab for network context components. + added new tab for file system context components. + * libapol: + added binpol support for MLS, network contexts, + and file system contexts. + * seinfo: + added command line options for MLS components. + added command line options for network contexts + and file system contexts. + * sesearch: + added command line option for searching for rules + by conditional boolean name. + * seaudit: + added new column in the log view for the 'comm' + field found in auditd log files. + added filters for the 'comm' field and 'message' + field. + * manpages: + added manpages for all tools. + + + +* Fri Dec 16 2005 Jesse Keating +- rebuilt for new gcj + +* Wed Dec 14 2005 Dan Walsh 2.2-4 +- Fix dessktop files +- Apply fixes from bkyoung + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Thu Nov 3 2005 Dan Walsh 2.2-3 +- Move more gui files out of base into gui + +* Thu Nov 3 2005 Dan Walsh 2.2-2 +- Move sediff from gui to main package + +* Thu Nov 3 2005 Dan Walsh 2.2-1 +- Upgrade to upstream version + +* Thu Oct 13 2005 Dan Walsh 2.1.3-1 +- Upgrade to upstream version + +* Mon Oct 10 2005 Tomas Mraz 2.1.2-3 +- use include instead of pam_stack in pam config + +* Thu Sep 1 2005 Dan Walsh 2.1.2-2 +- Fix spec file + +* Thu Sep 1 2005 Dan Walsh 2.1.2-1 +- Upgrade to upstream version + +* Thu Aug 18 2005 Florian La Roche +- do not package debug files into the -devel package + +* Wed Aug 17 2005 Jeremy Katz - 2.1.1-3 +- rebuild against new cairo + +* Wed May 25 2005 Dan Walsh 2.1.1-0 +- Upgrade to upstream version + +* Mon May 23 2005 Bill Nottingham 2.1.0-5 +- put libraries in the right place (also puts debuginfo in the right + package) +- add %%defattr for -devel too + +* Thu May 12 2005 Dan Walsh 2.1.0-4 +- Move sepcut to gui apps. + +* Fri May 6 2005 Dan Walsh 2.1.0-3 +- Fix Missing return code. 
+ +* Wed Apr 20 2005 Dan Walsh 2.1.0-2 +- Fix requires line + +* Tue Apr 19 2005 Dan Walsh 2.1.0-1 +- Update to latest from tresys + +* Tue Apr 5 2005 Dan Walsh 2.0.0-2 +- Fix buildrequires lines in spec file + +* Wed Mar 2 2005 Dan Walsh 2.0.0-1 +- Update to latest from tresys + +* Mon Nov 29 2004 Dan Walsh 1.5.1-6 +- add FALLBACK=true to /etc/security/console.apps/apol + +* Wed Nov 10 2004 Dan Walsh 1.5.1-3 +- Add badtcl patch from Tresys. + +* Mon Nov 8 2004 Dan Walsh 1.5.1-2 +- Apply malloc problem patch provided by Sami Farin + +* Mon Nov 1 2004 Dan Walsh 1.5.1-1 +- Update to latest from Upstream + +* Wed Oct 6 2004 Dan Walsh 1.4.1-5 +- Update tresys patch + +* Mon Oct 4 2004 Dan Walsh 1.4.1-4 +- Fix directory ownership + +* Thu Jul 8 2004 Dan Walsh 1.4.1-1 +- Latest from Tresys + +* Wed Jun 23 2004 Dan Walsh 1.4-5 +- Add build requires libselinux + +* Tue Jun 22 2004 Dan Walsh 1.4-4 +- Add support for policy.18 + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Thu Jun 10 2004 Dan Walsh 1.4-2 +- Fix install locations of policy_src_dir + +* Wed Jun 2 2004 Dan Walsh 1.4-1 +- Update to latest from TRESYS. 
+ +* Tue Jun 1 2004 Dan Walsh 1.3-3 +- Make changes to work with targeted/strict policy +* Fri Apr 16 2004 Dan Walsh 1.3-2 +- Take out requirement for policy file + +* Fri Apr 16 2004 Dan Walsh 1.3-1 +- Fix doc location + +* Fri Apr 16 2004 Dan Walsh 1.3-1 +- Latest from TRESYS + +* Tue Apr 13 2004 Dan Walsh 1.2.1-8 +- fix location of policy.conf file + +* Tue Apr 6 2004 Dan Walsh 1.2.1-7 +- Obsolete setools-devel +* Tue Apr 6 2004 Dan Walsh 1.2.1-6 +- Fix location of +* Tue Apr 6 2004 Dan Walsh 1.2.1-5 +- Remove devel libraries +- Fix installdir for lib64 + +* Sat Apr 3 2004 Dan Walsh 1.2.1-4 +- Add usr_t file read to policy + +* Thu Mar 25 2004 Dan Walsh 1.2.1-3 +- Use tcl8.4 + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Fri Feb 6 2004 Dan Walsh 1.2.1-1 +- New patch + +* Fri Feb 6 2004 Dan Walsh 1.2-1 +- Latest upstream version + +* Tue Dec 30 2003 Dan Walsh 1.1.1-1 +- New version from upstream +- Remove seuser.te. Now in policy file. + +* Tue Dec 30 2003 Dan Walsh 1.1-2 +- Add Defattr to devel +- move libs to base kit + +* Fri Dec 19 2003 Dan Walsh 1.1-1 +- Update to latest code from tresys +- Break into three separate packages for cmdline, devel and gui +- Incorporate the tcl patch + +* Mon Dec 15 2003 Jens Petersen - 1.0.1-3 +- apply setools-1.0.1-tcltk.patch to build against tcl/tk 8.4 +- buildrequire tk-devel + +* Thu Nov 20 2003 Dan Walsh 1.0.1-2 +- Add Bwidgets to this RPM + +* Tue Nov 4 2003 Dan Walsh 1.0.1-1 +- Upgrade to 1.0.1 + +* Wed Oct 15 2003 Dan Walsh 1.0-6 +- Clean up build + +* Tue Oct 14 2003 Dan Walsh 1.0-5 +- Update with correct seuser.te + +* Wed Oct 1 2003 Dan Walsh 1.0-4 +- Update with final release from Tresys + +* Mon Jun 2 2003 Dan Walsh 1.0-1 +- Initial version