policycoreutils: uprev to 2.5 (20160223)

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Philip Tricca <flihp@twobit.us>
author: Stephen Smalley <sds@tycho.nsa.gov> 2016-03-07 15:52:45 -0500
committer: Philip Tricca <flihp@twobit.us> 2016-03-17 02:30:11 +0000
commit: 05c431d6ce16f81befb039194b873cc07c7ad630 (patch)
tree: 27dcd7606fa867a3c7fe65f11bf4c8b138b3d7ec
parent: 25aaf831096dce1e4c924255558ba8664d7db187 (diff)
download: meta-selinux-05c431d6ce16f81befb039194b873cc07c7ad630.tar.gz
5 files changed, 26 insertions, 123 deletions
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch
index dd6ca6d..993ff7e 100644
--- a/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch
@@ -14,19 +14,16 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 semanage/seobject.py |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/semanage/seobject.py b/semanage/seobject.py
+Index: policycoreutils-2.5/semanage/seobject.py
-index f8d2243..66653e6 100644
+===================================================================
--- a/semanage/seobject.py
+--- policycoreutils-2.5.orig/semanage/seobject.py       2016-02-25 13:41:38.035974459 -0500
-+++ b/semanage/seobject.py
+++ policycoreutils-2.5/semanage/seobject.py    2016-02-25 13:43:42.075974072 -0500
-@@ -105,7 +105,7 @@ except:
+@@ -121,7 +121,7 @@
 
-                def log(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):
+         def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
-                        message = " %s name=%s" % (msg, name)
+             message = " %s name=%s" % (msg, name)
-                       if sename != "":
+-            if sename != "":
-+                       if sename != "" and sename != None:
+            if sename != "" and sename != None:
-                                message += " sename=" + sename
+                 message += " sename=" + sename
-                        if oldsename != "":
+             if oldsename != "":
-                                message += " oldsename=" + oldsename
+                 message += " oldsename=" + oldsename
-- 
-1.7.9.5
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
deleted file mode 100644
index f01cc3a..0000000
--- a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-libsepol: with pp to CIL, always write auditadm_r and secadm_r roles to the base module
-In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
-either the base module or a non-base module, or they could be in both.
-This means that it is possible for duplicate role declarations to exist.
-CIL does not allow duplicate declarations of anything, but there is no
-way for the pp compiler to know if the roles are declared in which
-module, or if they are in both when compiling a single module. This
-means we cannot use the same hack that we use for user_r, staff_r, etc.,
-to generate CIL role declarations (i.e. only create role declarations
-for these when defined in base).
-So only for these two roles, always declare them as part of base,
-regardless of where or if they are defined. This means that turning off
-the auditadm module will never remove the auditamd_r role (likewise for
-secadm), whereas right now, in some cases it would. This also means that
-role allow rules will still exist for these roles even with the modules
-removed. However, this is okay because the roles would not have any
-types associated with them so no access would be allowed.
-Signed-off-by: Steve Lawrence <slawrence@tresys.com>
-Reported-by: Miroslav Grepl <mgrepl@redhat.com>
-Index: policycoreutils-2.4/hll/pp/pp.c
-===================================================================
--- policycoreutils-2.4.orig/hll/pp/pp.c
-+++ policycoreutils-2.4/hll/pp/pp.c
-@@ -2000,7 +2000,10 @@ static int role_to_cil(int indent, struc
-                                            !strcmp(key, "sysadm_r") ||
-                                            !strcmp(key, "system_r") ||
-                                            !strcmp(key, "unconfined_r"));
-                       if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
-+                       int is_builtin_role = (!strcmp(key, "auditadm_r") ||
-+                                               !strcmp(key, "secadm_r"));
-+                       if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
-+                               (!is_base_role && !is_builtin_role)) {
-                                cil_println(indent, "(role %s)", key);
-                        }
-                }
-@@ -3594,6 +3597,17 @@ static int generate_default_object(void)
-        return 0;
- }
- 
-+static int generate_builtin_roles(void)
-+{
-+       // due to inconsistentencies between policies and CIL not allowing
-+       // duplicate roles, some roles are always created, regardless of if they
-+       // are declared in modules or not
-+       cil_println(0, "(role auditadm_r)");
-+       cil_println(0, "(role secadm_r)");
-+
-+       return 0;
-+}
-+
- static int generate_gen_require_attribute(void)
- {
-        cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
-@@ -3678,6 +3692,12 @@ static int module_package_to_cil(struct
-                if (rc != 0) {
-                        goto exit;
-                }
-+
-+               // roles that can exist in base, non-base module or both
-+               rc = generate_builtin_roles();
-+               if (rc != 0) {
-+                       goto exit;
-+               }
- 
-                // default attribute to be used to mimic gen_require in CIL
-                rc = generate_gen_require_attribute();
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch b/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch
index 933f2b2..e52e1d3 100644
--- a/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 semanage/semanage |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
-diff --git a/semanage/semanage b/semanage/semanage
+Index: policycoreutils-2.5/semanage/semanage
-index 36b41cd..a36a3f9 100644
+===================================================================
--- a/semanage/semanage
+--- policycoreutils-2.5.orig/semanage/semanage  2016-02-25 13:38:39.947975015 -0500
-+++ b/semanage/semanage
+++ policycoreutils-2.5/semanage/semanage       2016-02-25 13:40:50.627974607 -0500
 @@ -24,9 +24,15 @@
 #
 
@@ -32,17 +32,16 @@ index 36b41cd..a36a3f9 100644
 +        print "Error: %s\n" % e
 +        sys.exit(1)
 +
- PROGNAME="policycoreutils"
+ PROGNAME = "policycoreutils"
 try:
-        gettext.install(PROGNAME,
+     kwargs = {}
-@@ -59,7 +65,6 @@ usage_interface_dict = {' --add':('-t TYPE','-r RANGE','interface'),' --modify':
+@@ -66,9 +72,6 @@
 usage_boolean = "semanage boolean [-h] [-n] [-N] [-s STORE] ["
- usage_boolean_dict = {' --modify':('(','--on','|','--off',')','boolean'), ' --list':('-C',), '  --extract':('',), ' --deleteall':('',)}
+ usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), '  --extract': ('',), ' --deleteall': ('',)}
 
 -import sepolicy
+-
+-
 class CheckRole(argparse.Action):
+ 
     def __call__(self, parser, namespace, value, option_string=None):
-         newval = getattr(namespace, self.dest)
-- 
-1.7.9.5
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch b/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch
deleted file mode 100644
index f5aaa74..0000000
--- a/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-policycoreutils: semanage
-When modifying selinux login records, self.sename might not be
-needed, but it IS passed to a log function, so it must be set
-to something or the log attempt will fail.
-Upstream-Status: Pending
-Signed-off-by: Joe Slater <jslater@windriver.com>
--- a/semanage/seobject.py
-+++ b/semanage/seobject.py
-@@ -576,6 +576,7 @@ class loginRecords(semanageRecords):
- 
-                if sename != "":
-                        semanage_seuser_set_sename(self.sh, u, sename)
-+                       self.sename = sename
-                else:
-                        self.sename = self.oldsename
-                        
diff --git a/recipes-security/selinux/policycoreutils_2.4.bb b/recipes-security/selinux/policycoreutils_2.5.bb
index 2937c62..37d3870 100644
--- a/recipes-security/selinux/policycoreutils_2.4.bb
+++ b/recipes-security/selinux/policycoreutils_2.5.bb
@@ -1,20 +1,18 @@
-include selinux_20150202.inc
+include selinux_20160223.inc
 include ${BPN}.inc
 LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-SRC_URI[md5sum] = "795b05c3ad58253cba61249ec65b28ef"
+SRC_URI[md5sum] = "9ad9331b2133262fb3f774359a7f4761"
-SRC_URI[sha256sum] = "b819f876f12473783ccce9f63b9a79cd77177477cd6d46818441f808cc4c3479"
+SRC_URI[sha256sum] = "329382cfe9fa977678abf541dcd8fe3847cf0c83b24654c8f7322343907078a1"
 SRC_URI += "\
        file://policycoreutils-fix-sepolicy-install-path.patch \
        file://policycoreutils-make-O_CLOEXEC-optional.patch \
        file://policycoreutils-loadpolicy-symlink.patch \
-        file://policycoreutils-semanage-edit-user.patch \
        file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
        file://policycoreutils-fix-TypeError-for-seobject.py.patch \
        file://0001-mcstrans-fix-the-init-script.patch \
        file://enable-mcstrans.patch \
        file://policycoreutils-fts_flags-FTS_NOCHDIR.patch \
-        file://policycoreutils-pp-builtin-roles.patch \
        "
author	Stephen Smalley <sds@tycho.nsa.gov>	2016-03-07 15:52:45 -0500
committer	Philip Tricca <flihp@twobit.us>	2016-03-17 02:30:11 +0000
commit	05c431d6ce16f81befb039194b873cc07c7ad630 (patch)
tree	27dcd7606fa867a3c7fe65f11bf4c8b138b3d7ec
parent	25aaf831096dce1e4c924255558ba8664d7db187 (diff)
download	meta-selinux-05c431d6ce16f81befb039194b873cc07c7ad630.tar.gz

diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch index dd6ca6d..993ff7e 100644 --- a/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch +++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch
@@ -14,19 +14,16 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
14	semanage/seobject.py \| 2 +-	14	semanage/seobject.py \| 2 +-
15	1 file changed, 1 insertion(+), 1 deletion(-)	15	1 file changed, 1 insertion(+), 1 deletion(-)
16		16
17	diff --git a/semanage/seobject.py b/semanage/seobject.py	17	Index: policycoreutils-2.5/semanage/seobject.py
18	index f8d2243..66653e6 100644	18	===================================================================
19	--- a/semanage/seobject.py	19	--- policycoreutils-2.5.orig/semanage/seobject.py 2016-02-25 13:41:38.035974459 -0500
20	+++ b/semanage/seobject.py	20	+++ policycoreutils-2.5/semanage/seobject.py 2016-02-25 13:43:42.075974072 -0500
21	@@ -105,7 +105,7 @@ except:	21	@@ -121,7 +121,7 @@
22		22
23	def log(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):	23	def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
24	message = " %s name=%s" % (msg, name)	24	message = " %s name=%s" % (msg, name)
25	- if sename != "":	25	- if sename != "":
26	+ if sename != "" and sename != None:	26	+ if sename != "" and sename != None:
27	message += " sename=" + sename	27	message += " sename=" + sename
28	if oldsename != "":	28	if oldsename != "":
29	message += " oldsename=" + oldsename	29	message += " oldsename=" + oldsename
30	--
31	1.7.9.5
32


diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch deleted file mode 100644 index f01cc3a..0000000 --- a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch +++ /dev/null
@@ -1,70 +0,0 @@
1	libsepol: with pp to CIL, always write auditadm_r and secadm_r roles to the base module
2
3	In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
4	either the base module or a non-base module, or they could be in both.
5	This means that it is possible for duplicate role declarations to exist.
6	CIL does not allow duplicate declarations of anything, but there is no
7	way for the pp compiler to know if the roles are declared in which
8	module, or if they are in both when compiling a single module. This
9	means we cannot use the same hack that we use for user_r, staff_r, etc.,
10	to generate CIL role declarations (i.e. only create role declarations
11	for these when defined in base).
12
13	So only for these two roles, always declare them as part of base,
14	regardless of where or if they are defined. This means that turning off
15	the auditadm module will never remove the auditamd_r role (likewise for
16	secadm), whereas right now, in some cases it would. This also means that
17	role allow rules will still exist for these roles even with the modules
18	removed. However, this is okay because the roles would not have any
19	types associated with them so no access would be allowed.
20
21	Signed-off-by: Steve Lawrence <slawrence@tresys.com>
22	Reported-by: Miroslav Grepl <mgrepl@redhat.com>
23
24	Index: policycoreutils-2.4/hll/pp/pp.c
25	===================================================================
26	--- policycoreutils-2.4.orig/hll/pp/pp.c
27	+++ policycoreutils-2.4/hll/pp/pp.c
28	@@ -2000,7 +2000,10 @@ static int role_to_cil(int indent, struc
29	!strcmp(key, "sysadm_r") \|\|
30	!strcmp(key, "system_r") \|\|
31	!strcmp(key, "unconfined_r"));
32	- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) \|\| !is_base_role) {
33	+ int is_builtin_role = (!strcmp(key, "auditadm_r") \|\|
34	+ !strcmp(key, "secadm_r"));
35	+ if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) \|\|
36	+ (!is_base_role && !is_builtin_role)) {
37	cil_println(indent, "(role %s)", key);
38	}
39	}
40	@@ -3594,6 +3597,17 @@ static int generate_default_object(void)
41	return 0;
42	}
43
44	+static int generate_builtin_roles(void)
45	+{
46	+ // due to inconsistentencies between policies and CIL not allowing
47	+ // duplicate roles, some roles are always created, regardless of if they
48	+ // are declared in modules or not
49	+ cil_println(0, "(role auditadm_r)");
50	+ cil_println(0, "(role secadm_r)");
51	+
52	+ return 0;
53	+}
54	+
55	static int generate_gen_require_attribute(void)
56	{
57	cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
58	@@ -3678,6 +3692,12 @@ static int module_package_to_cil(struct
59	if (rc != 0) {
60	goto exit;
61	}
62	+
63	+ // roles that can exist in base, non-base module or both
64	+ rc = generate_builtin_roles();
65	+ if (rc != 0) {
66	+ goto exit;
67	+ }
68
69	// default attribute to be used to mimic gen_require in CIL
70	rc = generate_gen_require_attribute();


diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch b/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch index 933f2b2..e52e1d3 100644 --- a/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch +++ b/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
14	semanage/semanage \| 9 +++++++--	14	semanage/semanage \| 9 +++++++--
15	1 file changed, 7 insertions(+), 2 deletions(-)	15	1 file changed, 7 insertions(+), 2 deletions(-)
16		16
17	diff --git a/semanage/semanage b/semanage/semanage	17	Index: policycoreutils-2.5/semanage/semanage
18	index 36b41cd..a36a3f9 100644	18	===================================================================
19	--- a/semanage/semanage	19	--- policycoreutils-2.5.orig/semanage/semanage 2016-02-25 13:38:39.947975015 -0500
20	+++ b/semanage/semanage	20	+++ policycoreutils-2.5/semanage/semanage 2016-02-25 13:40:50.627974607 -0500
21	@@ -24,9 +24,15 @@	21	@@ -24,9 +24,15 @@
22	#	22	#
23		23
@@ -32,17 +32,16 @@ index 36b41cd..a36a3f9 100644
32	+ print "Error: %s\n" % e	32	+ print "Error: %s\n" % e
33	+ sys.exit(1)	33	+ sys.exit(1)
34	+	34	+
35	PROGNAME="policycoreutils"	35	PROGNAME = "policycoreutils"
36	try:	36	try:
37	gettext.install(PROGNAME,	37	kwargs = {}
38	@@ -59,7 +65,6 @@ usage_interface_dict = {' --add':('-t TYPE','-r RANGE','interface'),' --modify':	38	@@ -66,9 +72,6 @@
39	usage_boolean = "semanage boolean [-h] [-n] [-N] [-s STORE] ["	39	usage_boolean = "semanage boolean [-h] [-n] [-N] [-s STORE] ["
40	usage_boolean_dict = {' --modify':('(','--on','\|','--off',')','boolean'), ' --list':('-C',), ' --extract':('',), ' --deleteall':('',)}	40	usage_boolean_dict = {' --modify': ('(', '--on', '\|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
41		41
42	-import sepolicy	42	-import sepolicy
		43	-
		44	-
43	class CheckRole(argparse.Action):	45	class CheckRole(argparse.Action):
		46
44	def __call__(self, parser, namespace, value, option_string=None):	47	def __call__(self, parser, namespace, value, option_string=None):
45	newval = getattr(namespace, self.dest)
46	--
47	1.7.9.5
48


diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch b/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch deleted file mode 100644 index f5aaa74..0000000 --- a/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch +++ /dev/null
@@ -1,21 +0,0 @@
1	policycoreutils: semanage
2
3	When modifying selinux login records, self.sename might not be
4	needed, but it IS passed to a log function, so it must be set
5	to something or the log attempt will fail.
6
7	Upstream-Status: Pending
8
9	Signed-off-by: Joe Slater <jslater@windriver.com>
10
11
12	--- a/semanage/seobject.py
13	+++ b/semanage/seobject.py
14	@@ -576,6 +576,7 @@ class loginRecords(semanageRecords):
15
16	if sename != "":
17	semanage_seuser_set_sename(self.sh, u, sename)
18	+ self.sename = sename
19	else:
20	self.sename = self.oldsename
21


diff --git a/recipes-security/selinux/policycoreutils_2.4.bb b/recipes-security/selinux/policycoreutils_2.5.bb index 2937c62..37d3870 100644 --- a/recipes-security/selinux/policycoreutils_2.4.bb +++ b/recipes-security/selinux/policycoreutils_2.5.bb
@@ -1,20 +1,18 @@
1	include selinux_20150202.inc	1	include selinux_20160223.inc
2	include ${BPN}.inc	2	include ${BPN}.inc
3		3
4	LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"	4	LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
5		5
6	SRC_URI[md5sum] = "795b05c3ad58253cba61249ec65b28ef"	6	SRC_URI[md5sum] = "9ad9331b2133262fb3f774359a7f4761"
7	SRC_URI[sha256sum] = "b819f876f12473783ccce9f63b9a79cd77177477cd6d46818441f808cc4c3479"	7	SRC_URI[sha256sum] = "329382cfe9fa977678abf541dcd8fe3847cf0c83b24654c8f7322343907078a1"
8		8
9	SRC_URI += "\	9	SRC_URI += "\
10	file://policycoreutils-fix-sepolicy-install-path.patch \	10	file://policycoreutils-fix-sepolicy-install-path.patch \
11	file://policycoreutils-make-O_CLOEXEC-optional.patch \	11	file://policycoreutils-make-O_CLOEXEC-optional.patch \
12	file://policycoreutils-loadpolicy-symlink.patch \	12	file://policycoreutils-loadpolicy-symlink.patch \
13	file://policycoreutils-semanage-edit-user.patch \
14	file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \	13	file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
15	file://policycoreutils-fix-TypeError-for-seobject.py.patch \	14	file://policycoreutils-fix-TypeError-for-seobject.py.patch \
16	file://0001-mcstrans-fix-the-init-script.patch \	15	file://0001-mcstrans-fix-the-init-script.patch \
17	file://enable-mcstrans.patch \	16	file://enable-mcstrans.patch \
18	file://policycoreutils-fts_flags-FTS_NOCHDIR.patch \	17	file://policycoreutils-fts_flags-FTS_NOCHDIR.patch \
19	file://policycoreutils-pp-builtin-roles.patch \
20	"	18	"