Browse Source

initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 2 years ago
commit
0db3db9a36
  1. 26
      SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
  2. 46
      SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
  3. 27
      SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
  4. 169
      SOURCES/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
  5. 26
      SOURCES/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
  6. 25
      SOURCES/0006-Fix-title-in-manpage.py-to-not-contain-online.patch
  7. 24
      SOURCES/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
  8. 63
      SOURCES/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
  9. 53
      SOURCES/0009-sepolicy-Another-small-optimization-for-mcs-types.patch
  10. 515
      SOURCES/0010-Move-po-translation-files-into-the-right-sub-directo.patch
  11. 306
      SOURCES/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
  12. 4532
      SOURCES/0012-Initial-.pot-files-for-gui-python-sandbox.patch
  13. 30
      SOURCES/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
  14. 71
      SOURCES/0014-sepolicy-generate-Handle-more-reserved-port-types.patch
  15. 24
      SOURCES/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
  16. 74
      SOURCES/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
  17. 46
      SOURCES/0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
  18. 297
      SOURCES/0018-Use-SHA-2-instead-of-SHA-1.patch
  19. 253
      SOURCES/0019-setfiles-restorecon-support-parallel-relabeling.patch
  20. 674
      SOURCES/0020-semodule-add-m-checksum-option.patch
  21. 29
      SOURCES/0021-semodule-Fix-lang_ext-column-index.patch
  22. 32
      SOURCES/0022-semodule-Don-t-forget-to-munmap-data.patch
  23. 539
      SOURCES/0023-semodule-libsemanage-move-module-hashing-into-libsem.patch
  24. 144
      SOURCES/0024-semodule-add-command-line-option-to-detect-module-ch.patch
  25. 180
      SOURCES/0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch
  26. 41
      SOURCES/0026-policycoreutils-Improve-error-message-when-selabel_o.patch
  27. BIN
      SOURCES/gui-po.tgz
  28. BIN
      SOURCES/policycoreutils-po.tgz
  29. BIN
      SOURCES/python-po.tgz
  30. BIN
      SOURCES/sandbox-po.tgz
  31. 73
      SOURCES/selinux-autorelabel
  32. 29
      SOURCES/selinux-autorelabel-generator.sh
  33. 18
      SOURCES/selinux-autorelabel-mark.service
  34. 14
      SOURCES/selinux-autorelabel.service
  35. 7
      SOURCES/selinux-autorelabel.target
  36. BIN
      SOURCES/sepolicy-icons.tgz
  37. BIN
      SOURCES/system-config-selinux.png
  38. 5564
      SPECS/policycoreutils.spec

26
SOURCES/0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@ -0,0 +1,26 @@
From ec3bf6f3e5468ba7b5164cc588ef5746454808a5 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
recent Fedoras

---
sandbox/sandboxX.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d08143..4774528027ef 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
--
2.32.0

46
SOURCES/0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@ -0,0 +1,46 @@
From 7a548cae4303f8429040ba6be67be182b7f9a943 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Mon, 21 Apr 2014 13:54:40 -0400
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages

Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 2f847abb87e2..dccd778ed4be 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -737,10 +737,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
--
2.32.0

27
SOURCES/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@ -0,0 +1,27 @@
From b3cb362afe86278c600d6e97cc7abf9c0b102071 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT

---
python/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index dccd778ed4be..81333928d552 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.32.0

169
SOURCES/0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@ -0,0 +1,169 @@
From b954ff8379e03714f707daa85111f6bf2f265772 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu, 19 Feb 2015 17:45:15 +0100
Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
system_release is no longer hardcoded and it creates only index.html and html
man pages in the directory for the system release.

---
python/sepolicy/sepolicy/__init__.py | 25 +++--------
python/sepolicy/sepolicy/manpage.py | 65 +++-------------------------
2 files changed, 13 insertions(+), 77 deletions(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index e8654abbceb3..a2475d22547a 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1225,27 +1225,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- try:
- from commands import getstatusoutput
- except ImportError:
- from subprocess import getstatusoutput
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 81333928d552..dc3e5207c57c 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -151,10 +151,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
- Generate a HHTML Manpages on an given SELinux domains
+ Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -192,9 +188,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path
- if self.os_version in fedora_releases or self.os_version in rhel_releases:
+ if self.os_version:
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -203,7 +199,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@@ -221,67 +216,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created" % index)
-
- def _gen_body(self):
html = self.new_path + self.os_version + ".html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages online</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
--
2.32.0

26
SOURCES/0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@ -0,0 +1,26 @@
From 7572bbec8b6a422e722864348a53d5e0f855e7f6 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:01 +0100
Subject: [PATCH] We want to remove the trailing newline for
/etc/system_release.

---
python/sepolicy/sepolicy/__init__.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index a2475d22547a..8055a12f6020 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -1228,7 +1228,7 @@ def get_os_version():
system_release = ""
try:
with open('/etc/system-release') as f:
- system_release = f.readline()
+ system_release = f.readline().rstrip()
except IOError:
system_release = "Misc"
--
2.32.0

25
SOURCES/0006-Fix-title-in-manpage.py-to-not-contain-online.patch

@ -0,0 +1,25 @@
From a4d59dcce863a02895fe40e487176149f3a4ad5b Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Fri, 20 Feb 2015 16:42:53 +0100
Subject: [PATCH] Fix title in manpage.py to not contain 'online'.

---
python/sepolicy/sepolicy/manpage.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index dc3e5207c57c..6420ebe2e08e 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -222,7 +222,7 @@ class HTMLManPages:
<html>
<head>
<link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
+ <title>SELinux man pages</title>
</head>
<body>
<h1>SELinux man pages for %s</h1>
--
2.32.0

24
SOURCES/0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@ -0,0 +1,24 @@
From f183dd36c66069c95726e1dab47639e76077d86a Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty

---
policycoreutils/scripts/fixfiles | 1 +
1 file changed, 1 insertion(+)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6fb12e0451a9..cb20002ab613 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
fullFlag=0
BOOTTIME=""
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
RPMFILES=""
PREFC=""
--
2.32.0

63
SOURCES/0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@ -0,0 +1,63 @@
From fae31a306e7b6084710c02b658ace668766fc004 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 27 Feb 2017 17:12:39 +0100
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
file_type_is_entrypoint(f)

- use direct queries
- load exec_types and entry_types only once
---
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 6420ebe2e08e..d15522135288 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -127,8 +127,24 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+types = None
def _gen_types():
global types
@@ -374,6 +390,8 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -691,7 +709,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if not f in self.exec_types or not f in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
--
2.32.0

53
SOURCES/0009-sepolicy-Another-small-optimization-for-mcs-types.patch

@ -0,0 +1,53 @@
From afe686ec783ccf442c8e2bbcb9dbdb7650328253 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 28 Feb 2017 21:29:46 +0100
Subject: [PATCH] sepolicy: Another small optimization for mcs types

---
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index d15522135288..ffcedb547993 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -144,6 +144,15 @@ def _gen_entry_types():
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return entry_types
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
types = None
def _gen_types():
@@ -392,6 +401,7 @@ class ManPage:
self.types = _gen_types()
self.exec_types = _gen_exec_types()
self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an
%s""" % ", ".join(paths))
def _mcs_types(self):
- try:
- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
- except StopIteration:
- return
- if self.type not in mcs_constrained_type['types']:
+ if self.type not in self.mcs_constrained_types['types']:
return
self.fd.write ("""
.SH "MCS Constrained"
--
2.32.0

515
SOURCES/0010-Move-po-translation-files-into-the-right-sub-directo.patch

@ -0,0 +1,515 @@
From 28879b771a804242d00a8a978bdbc4b85210814d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:23:00 +0200
Subject: [PATCH] Move po/ translation files into the right sub-directories

When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
sub-directories, po/ translation files stayed in policycoreutils/.

This commit split original policycoreutils/po directory into
policycoreutils/po
python/po
gui/po
sandbox/po

See https://github.com/fedora-selinux/selinux/issues/43
---
gui/Makefile | 3 ++
gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
gui/po/POTFILES | 17 ++++++++
policycoreutils/po/Makefile | 70 ++-----------------------------
policycoreutils/po/POTFILES | 9 ++++
python/Makefile | 2 +-
python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++
python/po/POTFILES | 10 +++++
sandbox/Makefile | 2 +
sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++
sandbox/po/POTFILES | 1 +
11 files changed, 293 insertions(+), 68 deletions(-)
create mode 100644 gui/po/Makefile
create mode 100644 gui/po/POTFILES
create mode 100644 policycoreutils/po/POTFILES
create mode 100644 python/po/Makefile
create mode 100644 python/po/POTFILES
create mode 100644 sandbox/po/Makefile
create mode 100644 sandbox/po/POTFILES

diff --git a/gui/Makefile b/gui/Makefile
index ca965c942912..5a5bf6dcae19 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -22,6 +22,7 @@ system-config-selinux.ui \
usersPage.py
all: $(TARGETS) system-config-selinux.py polgengui.py
+ (cd po && $(MAKE) $@)
install: all
-mkdir -p $(DESTDIR)$(MANDIR)/man8
@@ -54,6 +55,8 @@ install: all
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
done
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ (cd po && $(MAKE) $@)
+
clean:
indent:
diff --git a/gui/po/Makefile b/gui/po/Makefile
new file mode 100644
index 000000000000..a0f5439f2d1c
--- /dev/null
+++ b/gui/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = gui
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/gui/po/POTFILES b/gui/po/POTFILES
new file mode 100644
index 000000000000..1795c5c1951b
--- /dev/null
+++ b/gui/po/POTFILES
@@ -0,0 +1,17 @@
+../booleansPage.py
+../domainsPage.py
+../fcontextPage.py
+../loginsPage.py
+../modulesPage.py
+../org.selinux.config.policy
+../polgengui.py
+../polgen.ui
+../portsPage.py
+../selinux-polgengui.desktop
+../semanagePage.py
+../sepolicy.desktop
+../statusPage.py
+../system-config-selinux.desktop
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index 575e143122e6..18bc1dff8d1f 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -3,7 +3,6 @@
#
PREFIX ?= /usr
-TOP = ../..
# What is this package?
NLSPACKAGE = policycoreutils
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
MOFILES = $(patsubst %.po,%.mo,$(POFILES))
-POTFILES = \
- ../run_init/open_init_pty.c \
- ../run_init/run_init.c \
- ../semodule_link/semodule_link.c \
- ../audit2allow/audit2allow \
- ../semanage/seobject.py \
- ../setsebool/setsebool.c \
- ../newrole/newrole.c \
- ../load_policy/load_policy.c \
- ../sestatus/sestatus.c \
- ../semodule/semodule.c \
- ../setfiles/setfiles.c \
- ../semodule_package/semodule_package.c \
- ../semodule_deps/semodule_deps.c \
- ../semodule_expand/semodule_expand.c \
- ../scripts/chcat \
- ../scripts/fixfiles \
- ../restorecond/stringslist.c \
- ../restorecond/restorecond.h \
- ../restorecond/utmpwatcher.h \
- ../restorecond/stringslist.h \
- ../restorecond/restorecond.c \
- ../restorecond/utmpwatcher.c \
- ../gui/booleansPage.py \
- ../gui/fcontextPage.py \
- ../gui/loginsPage.py \
- ../gui/mappingsPage.py \
- ../gui/modulesPage.py \
- ../gui/polgen.glade \
- ../gui/polgengui.py \
- ../gui/portsPage.py \
- ../gui/semanagePage.py \
- ../gui/statusPage.py \
- ../gui/system-config-selinux.glade \
- ../gui/system-config-selinux.py \
- ../gui/usersPage.py \
- ../secon/secon.c \
- booleans.py \
- ../sepolicy/sepolicy.py \
- ../sepolicy/sepolicy/communicate.py \
- ../sepolicy/sepolicy/__init__.py \
- ../sepolicy/sepolicy/network.py \
- ../sepolicy/sepolicy/generate.py \
- ../sepolicy/sepolicy/sepolicy.glade \
- ../sepolicy/sepolicy/gui.py \
- ../sepolicy/sepolicy/manpage.py \
- ../sepolicy/sepolicy/transition.py \
- ../sepolicy/sepolicy/templates/executable.py \
- ../sepolicy/sepolicy/templates/__init__.py \
- ../sepolicy/sepolicy/templates/network.py \
- ../sepolicy/sepolicy/templates/rw.py \
- ../sepolicy/sepolicy/templates/script.py \
- ../sepolicy/sepolicy/templates/semodule.py \
- ../sepolicy/sepolicy/templates/tmp.py \
- ../sepolicy/sepolicy/templates/user.py \
- ../sepolicy/sepolicy/templates/var_lib.py \
- ../sepolicy/sepolicy/templates/var_log.py \
- ../sepolicy/sepolicy/templates/var_run.py \
- ../sepolicy/sepolicy/templates/var_spool.py
+POTFILES = $(shell cat POTFILES)
#default:: clean
-all:: $(MOFILES)
+all:: $(POTFILE) $(MOFILES)
-booleans.py:
- sepolicy booleans -a > booleans.py
-
-$(POTFILE): $(POTFILES) booleans.py
+$(POTFILE): $(POTFILES)
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
rm -f $(NLSPACKAGE).po; \
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
mv -f $(NLSPACKAGE).po $(POTFILE); \
fi; \
-update-po: Makefile $(POTFILE) refresh-po
- @rm -f booleans.py
refresh-po: Makefile
for cat in $(POFILES); do \
diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
new file mode 100644
index 000000000000..12237dc61ee4
--- /dev/null
+++ b/policycoreutils/po/POTFILES
@@ -0,0 +1,9 @@
+../run_init/open_init_pty.c
+../run_init/run_init.c
+../setsebool/setsebool.c
+../newrole/newrole.c
+../load_policy/load_policy.c
+../sestatus/sestatus.c
+../semodule/semodule.c
+../setfiles/setfiles.c
+../secon/secon.c
diff --git a/python/Makefile b/python/Makefile
index 9b66d52fbd4d..00312dbdb5c6 100644
--- a/python/Makefile
+++ b/python/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
all install relabel clean indent test:
@for subdir in $(SUBDIRS); do \
diff --git a/python/po/Makefile b/python/po/Makefile
new file mode 100644
index 000000000000..4e052d5a2bd7
--- /dev/null
+++ b/python/po/Makefile
@@ -0,0 +1,83 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = python
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
+ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/python/po/POTFILES b/python/po/POTFILES
new file mode 100644
index 000000000000..128eb870a69e
--- /dev/null
+++ b/python/po/POTFILES
@@ -0,0 +1,10 @@
+../audit2allow/audit2allow
+../chcat/chcat
+../semanage/semanage
+../semanage/seobject.py
+../sepolgen/src/sepolgen/interfaces.py
+../sepolicy/sepolicy/generate.py
+../sepolicy/sepolicy/gui.py
+../sepolicy/sepolicy/__init__.py
+../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py
diff --git a/sandbox/Makefile b/sandbox/Makefile
index 9da5e58db9e6..b817824e2102 100644
--- a/sandbox/Makefile
+++ b/sandbox/Makefile
@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
SEUNSHARE_OBJS = seunshare.o
all: sandbox seunshare sandboxX.sh start
+ (cd po && $(MAKE) $@)
seunshare: $(SEUNSHARE_OBJS)
@@ -39,6 +40,7 @@ install: all
install -m 755 start $(DESTDIR)$(SHAREDIR)
-mkdir -p $(DESTDIR)$(SYSCONFDIR)
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
+ (cd po && $(MAKE) $@)
test:
@$(PYTHON) test_sandbox.py -v
diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
new file mode 100644
index 000000000000..0556bbe953f0
--- /dev/null
+++ b/sandbox/po/Makefile
@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE = sandbox
+POTFILE = $(NLSPACKAGE).pot
+INSTALL = /usr/bin/install -c -p
+INSTALL_DATA = $(INSTALL) -m 644
+INSTALL_DIR = /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE = msgmerge
+MSGMERGE_FLAGS = -q
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE)
+MSGFMT = msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES = $(patsubst %.po,%.mo,$(POFILES))
+POTFILES = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(POTFILE) $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ rm -f $(NLSPACKAGE).po; \
+ else \
+ mv -f $(NLSPACKAGE).po $(POTFILE); \
+ fi; \
+
+
+refresh-po: Makefile
+ for cat in $(POFILES); do \
+ lang=`basename $$cat .po`; \
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+ mv -f $$lang.pot $$lang.po ; \
+ echo "$(MSGMERGE) of $$lang succeeded" ; \
+ else \
+ echo "$(MSGMERGE) of $$lang failed" ; \
+ rm -f $$lang.pot ; \
+ fi \
+ done
+
+clean:
+ @rm -fv *mo *~ .depend
+ @rm -rf tmp
+
+install: $(MOFILES)
+ @for n in $(MOFILES); do \
+ l=`basename $$n .mo`; \
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+ done
+
+%.mo: %.po
+ $(MSGFMT) -o $@ $<
+report:
+ @for cat in $(wildcard *.po); do \
+ echo -n "$$cat: "; \
+ msgfmt -v --statistics -o /dev/null $$cat; \
+ done
+
+.PHONY: missing depend
+
+relabel:
diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
new file mode 100644
index 000000000000..deff3f2f4656
--- /dev/null
+++ b/sandbox/po/POTFILES
@@ -0,0 +1 @@
+../sandbox
--
2.32.0

306
SOURCES/0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@ -0,0 +1,306 @@
From a8cacf2944ddd803909d2111bdf2d43ab90e1111 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Mon, 6 Aug 2018 13:37:07 +0200
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/

https://github.com/fedora-selinux/selinux/issues/43
---
gui/booleansPage.py | 2 +-
gui/domainsPage.py | 2 +-
gui/fcontextPage.py | 2 +-
gui/loginsPage.py | 2 +-
gui/modulesPage.py | 2 +-
gui/polgengui.py | 2 +-
gui/portsPage.py | 2 +-
gui/semanagePage.py | 2 +-
gui/statusPage.py | 2 +-
gui/system-config-selinux.py | 2 +-
gui/usersPage.py | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/semanage/seobject.py | 2 +-
python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
python/sepolicy/sepolicy.py | 2 +-
python/sepolicy/sepolicy/__init__.py | 2 +-
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/gui.py | 2 +-
python/sepolicy/sepolicy/interface.py | 2 +-
sandbox/sandbox | 2 +-
21 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/gui/booleansPage.py b/gui/booleansPage.py
index 7849bea26a06..dd12b6d6ab86 100644
--- a/gui/booleansPage.py
+++ b/gui/booleansPage.py
@@ -38,7 +38,7 @@ DISABLED = 2
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/domainsPage.py b/gui/domainsPage.py
index bad5140d8c59..6bbe4de5884f 100644
--- a/gui/domainsPage.py
+++ b/gui/domainsPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
index d26aa1b405a9..52292cae01d2 100644
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@@ -47,7 +47,7 @@ class context:
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/loginsPage.py b/gui/loginsPage.py
index b67eb8bc42af..cbfb0cc23f65 100644
--- a/gui/loginsPage.py
+++ b/gui/loginsPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/modulesPage.py b/gui/modulesPage.py
index 0584acf9b3a4..35a0129bab9c 100644
--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
@@ -30,7 +30,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/polgengui.py b/gui/polgengui.py
index d284ded65279..01f541bafae8 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -63,7 +63,7 @@ def get_all_modules():
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/portsPage.py b/gui/portsPage.py
index 30f58383bc1d..a537ecc8c0a1 100644
--- a/gui/portsPage.py
+++ b/gui/portsPage.py
@@ -35,7 +35,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/semanagePage.py b/gui/semanagePage.py
index 4127804fbbee..5361d69c1313 100644
--- a/gui/semanagePage.py
+++ b/gui/semanagePage.py
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/statusPage.py b/gui/statusPage.py
index 766854b19cba..a8f079b9b163 100644
--- a/gui/statusPage.py
+++ b/gui/statusPage.py
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index 3f70122b87e8..8c46c987b974 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -45,7 +45,7 @@ import selinux
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/gui/usersPage.py b/gui/usersPage.py
index 26794ed5c3f3..d15d4c5a71dd 100644
--- a/gui/usersPage.py
+++ b/gui/usersPage.py
@@ -29,7 +29,7 @@ from semanagePage import *
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
try:
import gettext
kwargs = {}
diff --git a/python/chcat/chcat b/python/chcat/chcat
index fdd2e46ee3f9..839ddd3b54b6 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -30,7 +30,7 @@ import getopt
import selinux
import seobject
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 18a2710531ca..0980aecb6311 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -30,7 +30,7 @@ import seobject
import sys
import traceback
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 21adbf6eb74f..69e60db80060 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -29,7 +29,7 @@ import sys
import stat
import socket
from semanage import *
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
import sepolicy
from setools.policyrep import SELinuxPolicy
from setools.typequery import TypeQuery
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
index 998c4356415c..56ebd807c69c 100644
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -19,7 +19,7 @@
try:
import gettext
- t = gettext.translation( 'yumex' )
+ t = gettext.translation( 'selinux-python' )
_ = t.gettext
except:
def _(str):
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 7b2230651099..32956e58f52e 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -28,7 +28,7 @@ import sepolicy
from multiprocessing import Pool
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
import argparse
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 8055a12f6020..aa8beda313c8 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -23,7 +23,7 @@ from setools.typeattrquery import TypeAttributeQuery
from setools.typequery import TypeQuery
from setools.userquery import UserQuery
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 4e1ed4e9dc31..43180ca6fda4 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -48,7 +48,7 @@ import sepolgen.defaults as defaults
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 1e86422b864a..c9ca158ddd09 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -41,7 +41,7 @@ import os
import re
import unicodedata
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
index bdffb770f364..9d40aea1498d 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
##
## I18N
##
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
try:
import gettext
kwargs = {}
diff --git a/sandbox/sandbox b/sandbox/sandbox
index ca5f1e030a51..16c43b51eaaa 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -37,7 +37,7 @@ import sepolicy
SEUNSHARE = "/usr/sbin/seunshare"
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-sandbox"
try:
import gettext
kwargs = {}
--
2.32.0

4532
SOURCES/0012-Initial-.pot-files-for-gui-python-sandbox.patch

File diff suppressed because it is too large Load Diff

30
SOURCES/0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@ -0,0 +1,30 @@
From f5045f645cfa10fed01b4225d26d98ea9f81f085 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 21 Mar 2018 08:51:31 +0100
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch

The "-q" switch is becoming obsolete (completely unused in fedora) and
debug output ("-d" switch) makes sense in any scenario. Therefore both
options can be specified at once.

Resolves: rhbz#1271327
---
policycoreutils/setfiles/setfiles.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 4d28bc9a95c1..8e6c4ab94841 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -57,7 +57,7 @@ option will force a replacement of the entire context.
check the validity of the contexts against the specified binary policy.
.TP
.B \-d
-show what specification matched each file.
+show what specification matched each file. Not affected by "\-q".
.TP
.BI \-e \ directory
directory to exclude (repeat option for more than one directory).
--
2.32.0

71
SOURCES/0014-sepolicy-generate-Handle-more-reserved-port-types.patch

@ -0,0 +1,71 @@
From 53c27e891b9053a9bbbbca5a854deb4fc526a8a2 Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types

Currently only reserved_port_t, port_t and hi_reserved_port_t are
handled as special when making a ports-dictionary. However, as fas as
corenetwork.te.in of serefpolicy, unreserved_port_t and
ephemeral_port_t should be handled in the same way, too.

(Details) I found the need of this change when I was using
selinux-polgengui. Though tcp port 12345, which my application may
use, was given to the gui, selinux-polgengui generates expected te
file and sh file which didn't utilize the tcp port.

selinux-polgengui checks whether a port given via gui is already typed
or not.

If it is already typed, selinux-polgengui generates a te file having
rules to allow the application to use the port. (A)

If not, it seems for me that selinux-polgengui is designed to generate
a te file having rules to allow the application to own(?) the port;
and a sh file having a command line to assign the application own type
to the port. (B)

As we can see the output of `semanage port -l' some of ports for
specified purpose have types already. The important point is that the
rest of ports also have types already:

hi_reserved_port_t tcp 512-1023
hi_reserved_port_t udp 512-1023
unreserved_port_t tcp 1024-32767, 61001-65535
unreserved_port_t udp 1024-32767, 61001-65535
ephemeral_port_t tcp 32768-61000
ephemeral_port_t udp 32768-61000

As my patch shows, the original selinux-polgengui ignored
hi_reserved_port_t; though hi_reserved_port_t is assigned,
selinux-polgengui considered ports 512-1023 are not used. As the
result selinux-polgengui generates file sets of (B).

For the purpose of selinux-polgengui, I think unreserved_port_t and
ephemeral_port_t are treated as the same as hi_reserved_port_t.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>

Fedora only patch:
https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/
---
python/sepolicy/sepolicy/generate.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 43180ca6fda4..d60a08e1d72c 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -99,7 +99,9 @@ def get_all_ports():
for p in sepolicy.info(sepolicy.PORT):
if p['type'] == "reserved_port_t" or \
p['type'] == "port_t" or \
- p['type'] == "hi_reserved_port_t":
+ p['type'] == "hi_reserved_port_t" or \
+ p['type'] == "ephemeral_port_t" or \
+ p['type'] == "unreserved_port_t":
continue
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict
--
2.32.0

24
SOURCES/0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@ -0,0 +1,24 @@
From f1acc9a3057e199d62c6b8ec6e77fc33ca3db1d1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 8 Nov 2018 09:20:58 +0100
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects

---
semodule-utils/semodule_package/semodule_package.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
index 3515234e36de..7b75b3fd9bb4 100644
--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
}
if (!sb.st_size) {
*len = 0;
+ close(fd);
return 0;
}
--
2.32.0

74
SOURCES/0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@ -0,0 +1,74 @@
From be804ecd456a52803067e1aa11e20ef69788221c Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox

---
sandbox/sandbox | 4 ++--
sandbox/sandbox.8 | 2 +-
sandbox/sandboxX.sh | 14 --------------
3 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/sandbox/sandbox b/sandbox/sandbox
index 16c43b51eaaa..7709a6585665 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -268,7 +268,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
- default="/usr/bin/openbox",
+ default="/usr/bin/matchbox-window-manager",
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
index d83fee76f335..90ef4951c8c2 100644
--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox \-X.
-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
.TP
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index 4774528027ef..c211ebc14549 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-mkdir -p ~/.config/openbox
-cat > ~/.config/openbox/rc.xml << EOF
-<openbox_config xmlns="http://openbox.org/3.4/rc"
- xmlns:xi="http://www.w3.org/2001/XInclude">
-<applications>
- <application class="*">
- <decor>no</decor>
- <desktop>all</desktop>
- <maximized>yes</maximized>
- </application>
-</applications>
-</openbox_config>
-EOF
-
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
--
2.32.0

46
SOURCES/0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch

@ -0,0 +1,46 @@
From 0e40b5541773c6daf58bba7048fae6918d74de74 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 28 Jul 2020 14:37:13 +0200
Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code

Fixes:
$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
Analyzing 187 Python scripts
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:774:17: E117 over-indented
./python/sepolicy/build/lib/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
./python/sepolicy/build/lib/sepolicy/manpage.py:774:17: E117 over-indented
./python/sepolicy/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
./python/sepolicy/sepolicy/manpage.py:774:17: E117 over-indented
The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolicy/sepolicy/manpage.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index ffcedb547993..c013c0d48502 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -719,7 +719,7 @@ Default Defined Ports:""")
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
- if not f in self.exec_types or not f in self.entry_types:
+ if f not in self.exec_types or f not in self.entry_types:
flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
if flist_non_exec:
- self.fd.write(r"""
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
2.32.0

297
SOURCES/0018-Use-SHA-2-instead-of-SHA-1.patch

@ -0,0 +1,297 @@
From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1

The use of SHA-1 in RHEL9 is deprecated
---
policycoreutils/setfiles/restorecon.8 | 10 +++++-----
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++----
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------
policycoreutils/setfiles/ru/restorecon.8 | 8 ++++----
policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++-----
policycoreutils/setfiles/ru/setfiles.8 | 8 ++++----
policycoreutils/setfiles/setfiles.8 | 10 +++++-----
7 files changed, 33 insertions(+), 33 deletions(-)

diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index 668486f66113..a8900f02b3f3 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -93,14 +93,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -191,7 +191,7 @@ the
.B \-D
option to
.B restorecon
-will cause it to store a SHA1 digest of the default specfiles set in an extended
+will cause it to store a SHA256 digest of the default specfiles set in an extended
attribute named
.IR security.sehash
on each directory specified in
@@ -208,7 +208,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
index e04528e60824..4b1ce304d995 100644
--- a/policycoreutils/setfiles/restorecon_xattr.8
+++ b/policycoreutils/setfiles/restorecon_xattr.8
@@ -23,7 +23,7 @@ or
.SH "DESCRIPTION"
.B restorecon_xattr
-will display the SHA1 digests added to extended attributes
+will display the SHA256 digests added to extended attributes
.I security.sehash
or delete the attribute completely. These attributes are set by
.BR restorecon (8)
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
.sp
By default
.B restorecon_xattr
-will display the SHA1 digests with "Match" appended if they match the default
+will display the SHA256 digests with "Match" appended if they match the default
specfile set or the
.I specfile
set used with the
.B \-f
-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
+option. Non-matching SHA256 digests will be displayed with "No Match" appended.
This feature can be disabled by the
.B \-n
option.
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
recursively descend directories.
.TP
.B \-v
-display SHA1 digest generated by specfile set (Note that this digest is not
+display SHA256 digest generated by specfile set (Note that this digest is not
used to match the
.I security.sehash
directory digest entries, and is shown for reference only).
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
index 31fb82fd2099..bc22d3fd4560 100644
--- a/policycoreutils/setfiles/restorecon_xattr.c
+++ b/policycoreutils/setfiles/restorecon_xattr.c
@@ -38,7 +38,7 @@ int main(int argc, char **argv)
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
unsigned int delete_all_digests = 0, ignore_mounts = 0;
bool display_digest = false;
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
unsigned char *fc_digest = NULL;
size_t i, fc_digest_len = 0, num_specfiles;
@@ -133,8 +133,8 @@ int main(int argc, char **argv)
exit(-1);
}
- sha1_buf = malloc(fc_digest_len * 2 + 1);
- if (!sha1_buf) {
+ sha256_buf = malloc(fc_digest_len * 2 + 1);
+ if (!sha256_buf) {
fprintf(stderr,
"Error allocating digest buffer: %s\n",
strerror(errno));
@@ -143,16 +143,16 @@ int main(int argc, char **argv)
}
for (i = 0; i < fc_digest_len; i++)
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
- printf("specfiles SHA1 digest: %s\n", sha1_buf);
+ printf("specfiles SHA256 digest: %s\n", sha256_buf);
printf("calculated using the following specfile(s):\n");
if (specfiles) {
for (i = 0; i < num_specfiles; i++)
printf("%s\n", specfiles[i]);
}
- free(sha1_buf);
+ free(sha256_buf);
printf("\n");
}
diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8
index 9be3a63db356..745135020f4b 100644
--- a/policycoreutils/setfiles/ru/restorecon.8
+++ b/policycoreutils/setfiles/ru/restorecon.8
@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-m
@@ -159,7 +159,7 @@ GNU
.B \-D
команды
.B restorecon
-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем
+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем
.IR security.restorecon_last
для каталогов, указанных в соответствующих путях
.IR pathname \ ...
@@ -173,7 +173,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8
index 41c441b8c5c2..25c4c3033334 100644
--- a/policycoreutils/setfiles/ru/restorecon_xattr.8
+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8
@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных
.SH "ОПИСАНИЕ"
.B restorecon_xattr
-покажет дайджесты SHA1, добавленные в расширенные атрибуты
+покажет дайджесты SHA256, добавленные в расширенные атрибуты
.I security.restorecon_last,
или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой
.BR restorecon (8)
@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных
.sp
По умолчанию
.B restorecon_xattr
-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
.I specfile,
который установлен с помощью параметра
.B \-f.
-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце.
+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце.
Эту возможность можно отключить с помощью параметра
.B \-n.
@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных
рекурсивно спускаться по каталогам.
.TP
.B \-v
-показать дайджест SHA1, созданный установленным файлом спецификации.
+показать дайджест SHA256, созданный установленным файлом спецификации.
.TP
.B \-e
.I directory
@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных
.BR file_contexts (5).
Он будет использоваться
.BR selabel_open (3)
-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью
+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью
.BR selabel_digest (3).
Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию.
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
index 910101452625..7f2daa09191b 100644
--- a/policycoreutils/setfiles/ru/setfiles.8
+++ b/policycoreutils/setfiles/ru/setfiles.8
@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос
игнорировать файлы, которые не существуют.
.TP
.B \-I
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
.B ПРИМЕЧАНИЯ.
.TP
.B \-D
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
.IR security.restorecon_last.
.TP
.B \-l
@@ -186,7 +186,7 @@ GNU
.B \-D
команды
.B setfiles .
-Он обеспечивает сохранение дайджеста SHA1 файла спецификации
+Он обеспечивает сохранение дайджеста SHA256 файла спецификации
.B spec_file
в расширенном атрибуте с именем
.IR security.restorecon_last
@@ -204,7 +204,7 @@ GNU
.sp
Параметр
.B \-I
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
.IR pathname \ ...
, и, при условии, что НЕ установлен параметр
.B \-n
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 8e6c4ab94841..0692121f2f4d 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -85,14 +85,14 @@ display usage information and exit.
ignore files that do not exist.
.TP
.B \-I
-ignore digest to force checking of labels even if the stored SHA1 digest
-matches the specfiles SHA1 digest. The digest will then be updated provided
+ignore digest to force checking of labels even if the stored SHA256 digest
+matches the specfiles SHA256 digest. The digest will then be updated provided
there are no errors. See the
.B NOTES
section for further details.
.TP
.B \-D
-Set or update any directory SHA1 digests. Use this option to
+Set or update any directory SHA256 digests. Use this option to
enable usage of the
.IR security.sehash
extended attribute.
@@ -230,7 +230,7 @@ the
.B \-D
option to
.B setfiles
-will cause it to store a SHA1 digest of the
+will cause it to store a SHA256 digest of the
.B spec_file
set in an extended attribute named
.IR security.sehash
@@ -251,7 +251,7 @@ for further details.
.sp
The
.B \-I
-option will ignore the SHA1 digest from each directory specified in
+option will ignore the SHA256 digest from each directory specified in
.IR pathname \ ...
and provided the
.B \-n
--
2.32.0

253
SOURCES/0019-setfiles-restorecon-support-parallel-relabeling.patch

@ -0,0 +1,253 @@
From fba88f42bf8490a23fa6dcd33de2ccd59170009b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 26 Oct 2021 13:52:39 +0200
Subject: [PATCH] setfiles/restorecon: support parallel relabeling

Use the newly introduced selinux_restorecon_parallel(3) in
setfiles/restorecon and a -T option to both to allow enabling parallel
relabeling. The default behavior without specifying the -T option is to
use 1 thread; parallel relabeling must be requested explicitly by
passing -T 0 (which will use as many threads as there are available CPU
cores) or -T <N>, which will use <N> threads.

=== Benchmarks ===
As measured on a 32-core cloud VM with Fedora 34. Not a fully
representative environment, but still the scaling is quite good.

WITHOUT PATCHES:
$ time restorecon -rn /usr

real 0m21.689s
user 0m21.070s
sys 0m0.494s

WITH PATCHES:
$ time restorecon -rn /usr

real 0m23.940s
user 0m23.127s
sys 0m0.653s
$ time restorecon -rn -T 2 /usr

real 0m13.145s
user 0m25.306s
sys 0m0.695s
$ time restorecon -rn -T 4 /usr

real 0m7.559s
user 0m28.470s
sys 0m1.099s
$ time restorecon -rn -T 8 /usr

real 0m5.186s
user 0m37.450s
sys 0m2.094s
$ time restorecon -rn -T 16 /usr

real 0m3.831s
user 0m51.220s
sys 0m4.895s
$ time restorecon -rn -T 32 /usr

real 0m2.650s
user 1m5.136s
sys 0m6.614s

Note that the benchmarks were performed in read-only mode (-n), so the
labels were only read and looked up in the database, not written. When
fixing labels on a heavily mislabeled system, the scaling would likely
be event better, since a larger % of work could be done in parallel.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/setfiles/Makefile | 2 +-
policycoreutils/setfiles/restore.c | 7 ++++---
policycoreutils/setfiles/restore.h | 2 +-
policycoreutils/setfiles/restorecon.8 | 9 +++++++++
policycoreutils/setfiles/setfiles.8 | 9 +++++++++
policycoreutils/setfiles/setfiles.c | 28 ++++++++++++++++-----------
6 files changed, 41 insertions(+), 16 deletions(-)

diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index 63d818509791..d7670a8ff54b 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
CFLAGS ?= -g -Werror -Wall -W
-override LDLIBS += -lselinux -lsepol
+override LDLIBS += -lselinux -lsepol -lpthread
ifeq ($(AUDITH), y)
override CFLAGS += -DUSE_AUDIT
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 9d688c609f79..74d48bb3752d 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -72,7 +72,7 @@ void restore_finish(void)
}
}
-int process_glob(char *name, struct restore_opts *opts)
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads)
{
glob_t globbuf;
size_t i = 0;
@@ -91,8 +91,9 @@ int process_glob(char *name, struct restore_opts *opts)
continue;
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
continue;
- rc = selinux_restorecon(globbuf.gl_pathv[i],
- opts->restorecon_flags);
+ rc = selinux_restorecon_parallel(globbuf.gl_pathv[i],
+ opts->restorecon_flags,
+ nthreads);
if (rc < 0)
errors = rc;
}
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
index ac6ad6809f4f..bb35a1db9e34 100644
--- a/policycoreutils/setfiles/restore.h
+++ b/policycoreutils/setfiles/restore.h
@@ -49,7 +49,7 @@ struct restore_opts {
void restore_init(struct restore_opts *opts);
void restore_finish(void);
void add_exclude(const char *directory);
-int process_glob(char *name, struct restore_opts *opts);
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads);
extern char **exclude_list;
#endif
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
index a8900f02b3f3..dbd55ce7c512 100644
--- a/policycoreutils/setfiles/restorecon.8
+++ b/policycoreutils/setfiles/restorecon.8
@@ -33,6 +33,8 @@ restorecon \- restore file(s) default SELinux security contexts.
.RB [ \-W ]
.RB [ \-I | \-D ]
.RB [ \-x ]
+.RB [ \-T
+.IR nthreads ]
.SH "DESCRIPTION"
This manual page describes the
@@ -160,6 +162,13 @@ prevent
.B restorecon
from crossing file system boundaries.
.TP
+.BI \-T \ nthreads
+use up to
+.I nthreads
+threads. Specify 0 to create as many threads as there are available
+CPU cores; 1 to use only a single thread (default); or any positive
+number to use the given number of threads (if possible).
+.TP
.SH "ARGUMENTS"
.IR pathname \ ...
The pathname for the file(s) to be relabeled.
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
index 0692121f2f4d..8ef9f602e843 100644
--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
@@ -19,6 +19,8 @@ setfiles \- set SELinux file security contexts.
.RB [ \-W ]
.RB [ \-F ]
.RB [ \-I | \-D ]
+.RB [ \-T
+.IR nthreads ]
.I spec_file
.IR pathname \ ...
@@ -161,6 +163,13 @@ quote marks or backslashes. The
option of GNU
.B find
produces input suitable for this mode.
+.TP
+.BI \-T \ nthreads
+use up to
+.I nthreads
+threads. Specify 0 to create as many threads as there are available
+CPU cores; 1 to use only a single thread (default); or any positive
+number to use the given number of threads (if possible).
.SH "ARGUMENTS"
.TP
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index f018d161aa9e..2313a21fa0f3 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -1,4 +1,5 @@
#include "restore.h"
+#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio_ext.h>
@@ -34,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
{
if (iamrestorecon) {
fprintf(stderr,
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n"
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n",
name, name);
} else {
fprintf(stderr,
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n",
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+ "usage: %s -s [-diIDlmnpqvFWT] spec_file\n",
name, name, name);
}
exit(-1);
@@ -144,12 +145,12 @@ int main(int argc, char **argv)
int opt, i = 0;
const char *input_filename = NULL;
int use_input_file = 0;
- char *buf = NULL;
- size_t buf_len;
+ char *buf = NULL, *endptr;
+ size_t buf_len, nthreads = 1;
const char *base;
int errors = 0;
- const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x";
- const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0";
+ const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:";
+ const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0T:";
const char *opts;
union selinux_callback cb;
@@ -370,6 +371,11 @@ int main(int argc, char **argv)
usage(argv[0]);
}
break;
+ case 'T':
+ nthreads = strtoull(optarg, &endptr, 10);
+ if (*optarg == '\0' || *endptr != '\0')
+ usage(argv[0]);
+ break;
case 'h':
case '?':
usage(argv[0]);
@@ -448,13 +454,13 @@ int main(int argc, char **argv)
buf[len - 1] = 0;
if (!strcmp(buf, "/"))
r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL;
- errors |= process_glob(buf, &r_opts) < 0;
+ errors |= process_glob(buf, &r_opts, nthreads) < 0;
}
if (strcmp(input_filename, "-") != 0)
fclose(f);
} else {
for (i = optind; i < argc; i++)
- errors |= process_glob(argv[i], &r_opts) < 0;
+ errors |= process_glob(argv[i], &r_opts, nthreads) < 0;
}
maybe_audit_mass_relabel(r_opts.mass_relabel, errors);
--
2.33.1

674
SOURCES/0020-semodule-add-m-checksum-option.patch

@ -0,0 +1,674 @@
From 4e6165719d3315b6502f3d290a549f9fa14c3238 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 16 Nov 2021 14:27:11 +0100
Subject: [PATCH] semodule: add -m | --checksum option

Since cil doesn't store module name and module version in module itself,
there's no simple way how to compare that installed module is the same
version as the module which is supposed to be installed. Even though the
version was not used by semodule itself, it was apparently used by some
team.

With `semodule -l --checksum` users get SHA256 hashes of modules and
could compare them with their files which is faster than installing
modules again and again.

E.g.

# time (
semodule -l --checksum | grep localmodule
/usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
)
localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd
db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd -

real 0m0.876s
user 0m0.849s
sys 0m0.028s

vs

# time semodule -i localmodule.pp

real 0m6.147s
user 0m5.800s
sys 0m0.231s

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/Makefile | 2 +-
policycoreutils/semodule/semodule.8 | 6 +
policycoreutils/semodule/semodule.c | 95 ++++++++-
policycoreutils/semodule/sha256.c | 294 ++++++++++++++++++++++++++++
policycoreutils/semodule/sha256.h | 89 +++++++++
5 files changed, 480 insertions(+), 6 deletions(-)
create mode 100644 policycoreutils/semodule/sha256.c
create mode 100644 policycoreutils/semodule/sha256.h

diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 73801e487a76..9875ac383280 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
CFLAGS ?= -Werror -Wall -W
override LDLIBS += -lsepol -lselinux -lsemanage
-SEMODULE_OBJS = semodule.o
+SEMODULE_OBJS = semodule.o sha256.o
all: semodule genhomedircon
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 18d4f708661c..3a2fb21c2481 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option.
.B \-H,\-\-hll
Extract module as an HLL file. This only affects the \-\-extract option and
only modules listed in \-\-extract after this option.
+.TP
+.B \-m,\-\-checksum
+Add SHA256 checksum of modules to the list output.
.SH EXAMPLE
.nf
@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux"
# Write the HLL version of puppet and the CIL version of wireshark
# modules at priority 400 to the current working directory
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
+# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
+$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
+$ semodule -l -m | grep localmodule
.fi
.SH SEE ALSO
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index c815f01546b4..ddbf10455abf 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -25,6 +25,8 @@
#include <sepol/cil/cil.h>
#include <semanage/modules.h>
+#include "sha256.h"
+
enum client_modes {
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
@@ -57,6 +59,7 @@ static semanage_handle_t *sh = NULL;
static char *store;
static char *store_root;
int extract_cil = 0;
+static int checksum = 0;
extern char *optarg;
extern int optind;
@@ -147,6 +150,7 @@ static void usage(char *progname)
printf(" -S,--store-path use an alternate path for the policy store root\n");
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
+ printf(" -m, --checksum print module checksum (SHA256).\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -200,6 +204,7 @@ static void parse_command_line(int argc, char **argv)
{"disable", required_argument, NULL, 'd'},
{"path", required_argument, NULL, 'p'},
{"store-path", required_argument, NULL, 'S'},
+ {"checksum", 0, NULL, 'm'},
{NULL, 0, NULL, 0}
};
int extract_selected = 0;
@@ -210,7 +215,7 @@ static void parse_command_line(int argc, char **argv)
no_reload = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
NULL)) != -1) {
switch (i) {
case 'b':
@@ -287,6 +292,9 @@ static void parse_command_line(int argc, char **argv)
case 'd':
set_mode(DISABLE_M, optarg);
break;
+ case 'm':
+ checksum = 1;
+ break;
case '?':
default:{
usage(argv[0]);
@@ -338,6 +346,61 @@ static void parse_command_line(int argc, char **argv)
}
}
+/* Get module checksum */
+static char *hash_module_data(const char *module_name, const int prio) {
+ semanage_module_info_t *extract_info = NULL;
+ semanage_module_key_t *modkey = NULL;
+ Sha256Context context;
+ uint8_t sha256_hash[SHA256_HASH_SIZE];
+ char *sha256_buf = NULL;
+ void *data;
+ size_t data_len = 0, i;
+ int result;
+
+ result = semanage_module_key_create(sh, &modkey);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_key_set_name(sh, modkey, module_name);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_key_set_priority(sh, modkey, prio);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
+ &extract_info);
+ if (result != 0) {
+ goto cleanup_extract;
+ }
+
+ Sha256Initialise(&context);
+ Sha256Update(&context, data, data_len);
+
+ Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
+
+ sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
+
+ if (sha256_buf == NULL)
+ goto cleanup_extract;
+
+ for (i = 0; i < SHA256_HASH_SIZE; i++) {
+ sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
+ }
+ sha256_buf[i * 2] = 0;
+
+cleanup_extract:
+ semanage_module_info_destroy(sh, extract_info);
+ free(extract_info);
+ semanage_module_key_destroy(sh, modkey);
+ free(modkey);
+ return sha256_buf;
+}
+
int main(int argc, char *argv[])
{
int i, commit = 0;
@@ -546,6 +609,8 @@ cleanup_extract:
int modinfos_len = 0;
semanage_module_info_t *m = NULL;
int j = 0;
+ char *module_checksum = NULL;
+ uint16_t pri = 0;
if (verbose) {
printf
@@ -570,7 +635,18 @@ cleanup_extract:
result = semanage_module_info_get_name(sh, m, &name);
if (result != 0) goto cleanup_list;
- printf("%s\n", name);
+ result = semanage_module_info_get_priority(sh, m, &pri);
+ if (result != 0) goto cleanup_list;
+
+ printf("%s", name);
+ if (checksum) {
+ module_checksum = hash_module_data(name, pri);
+ if (module_checksum) {
+ printf(" %s", module_checksum);
+ free(module_checksum);
+ }
+ }
+ printf("\n");
}
}
else if (strcmp(mode_arg, "full") == 0) {
@@ -585,11 +661,12 @@ cleanup_extract:
}
/* calculate column widths */
- size_t column[4] = { 0, 0, 0, 0 };
+ size_t column[5] = { 0, 0, 0, 0, 0 };
/* fixed width columns */
column[0] = sizeof("000") - 1;
column[3] = sizeof("disabled") - 1;
+ column[4] = 64; /* SHA256_HASH_SIZE * 2 */
/* variable width columns */
const char *tmp = NULL;
@@ -612,7 +689,6 @@ cleanup_extract:
/* print out each module */
for (j = 0; j < modinfos_len; j++) {
- uint16_t pri = 0;
const char *name = NULL;
int enabled = 0;
const char *lang_ext = NULL;
@@ -631,11 +707,20 @@ cleanup_extract:
result = semanage_module_info_get_lang_ext(sh, m, &lang_ext);
if (result != 0) goto cleanup_list;
- printf("%0*u %-*s %-*s %-*s\n",
+ printf("%0*u %-*s %-*s %-*s",
(int)column[0], pri,
(int)column[1], name,
(int)column[2], lang_ext,
(int)column[3], enabled ? "" : "disabled");
+ if (checksum) {
+ module_checksum = hash_module_data(name, pri);
+ if (module_checksum) {
+ printf(" %-*s", (int)column[4], module_checksum);
+ free(module_checksum);
+ }
+ }
+ printf("\n");
+
}
}
else {
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
new file mode 100644
index 000000000000..fe2aeef07f53
--- /dev/null
+++ b/policycoreutils/semodule/sha256.c
@@ -0,0 +1,294 @@
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// WjCryptLib_Sha256
+//
+// Implementation of SHA256 hash function.
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+// Modified by WaterJuice retaining Public Domain license.
+//
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// IMPORTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#include "sha256.h"
+#include <memory.h>
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// MACROS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
+
+#define MIN(x, y) ( ((x)<(y))?(x):(y) )
+
+#define STORE32H(x, y) \
+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
+
+#define LOAD32H(x, y) \
+ { x = ((uint32_t)((y)[0] & 255)<<24) | \
+ ((uint32_t)((y)[1] & 255)<<16) | \
+ ((uint32_t)((y)[2] & 255)<<8) | \
+ ((uint32_t)((y)[3] & 255)); }
+
+#define STORE64H(x, y) \
+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// CONSTANTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+// The K array
+static const uint32_t K[64] = {
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+};
+
+#define BLOCK_SIZE 64
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// INTERNAL FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+// Various logical functions
+#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
+#define Maj( x, y, z ) (((x | y) & z) | (x & y))
+#define S( x, n ) ror((x),(n))
+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
+
+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
+ t1 = Sigma0(a) + Maj(a, b, c); \
+ d += t0; \
+ h = t0 + t1;
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// TransformFunction
+//
+// Compress 512-bits
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+static
+void
+ TransformFunction
+ (
+ Sha256Context* Context,
+ uint8_t const* Buffer
+ )
+{
+ uint32_t S[8];
+ uint32_t W[64];
+ uint32_t t0;
+ uint32_t t1;
+ uint32_t t;
+ int i;
+
+ // Copy state into S
+ for( i=0; i<8; i++ )
+ {
+ S[i] = Context->state[i];
+ }
+
+ // Copy the state into 512-bits into W[0..15]
+ for( i=0; i<16; i++ )
+ {
+ LOAD32H( W[i], Buffer + (4*i) );
+ }
+
+ // Fill W[16..63]
+ for( i=16; i<64; i++ )
+ {
+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
+ }
+
+ // Compress
+ for( i=0; i<64; i++ )
+ {
+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
+ t = S[7];
+ S[7] = S[6];
+ S[6] = S[5];
+ S[5] = S[4];
+ S[4] = S[3];
+ S[3] = S[2];
+ S[2] = S[1];
+ S[1] = S[0];
+ S[0] = t;
+ }
+
+ // Feedback
+ for( i=0; i<8; i++ )
+ {
+ Context->state[i] = Context->state[i] + S[i];
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// PUBLIC FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Initialise
+//
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Initialise
+ (
+ Sha256Context* Context // [out]
+ )
+{
+ Context->curlen = 0;
+ Context->length = 0;
+ Context->state[0] = 0x6A09E667UL;
+ Context->state[1] = 0xBB67AE85UL;
+ Context->state[2] = 0x3C6EF372UL;
+ Context->state[3] = 0xA54FF53AUL;
+ Context->state[4] = 0x510E527FUL;
+ Context->state[5] = 0x9B05688CUL;
+ Context->state[6] = 0x1F83D9ABUL;
+ Context->state[7] = 0x5BE0CD19UL;
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Update
+//
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Update
+ (
+ Sha256Context* Context, // [in out]
+ void const* Buffer, // [in]
+ uint32_t BufferSize // [in]
+ )
+{
+ uint32_t n;
+
+ if( Context->curlen > sizeof(Context->buf) )
+ {
+ return;
+ }
+
+ while( BufferSize > 0 )
+ {
+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
+ {
+ TransformFunction( Context, (uint8_t*)Buffer );
+ Context->length += BLOCK_SIZE * 8;
+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
+ BufferSize -= BLOCK_SIZE;
+ }
+ else
+ {
+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
+ Context->curlen += n;
+ Buffer = (uint8_t*)Buffer + n;
+ BufferSize -= n;
+ if( Context->curlen == BLOCK_SIZE )
+ {
+ TransformFunction( Context, Context->buf );
+ Context->length += 8*BLOCK_SIZE;
+ Context->curlen = 0;
+ }
+ }
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Finalise
+//
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+// calling this, Sha256Initialised must be used to reuse the context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Finalise
+ (
+ Sha256Context* Context, // [in out]
+ SHA256_HASH* Digest // [out]
+ )
+{
+ int i;
+
+ if( Context->curlen >= sizeof(Context->buf) )
+ {
+ return;
+ }
+
+ // Increase the length of the message
+ Context->length += Context->curlen * 8;
+
+ // Append the '1' bit
+ Context->buf[Context->curlen++] = (uint8_t)0x80;
+
+ // if the length is currently above 56 bytes we append zeros
+ // then compress. Then we can fall back to padding zeros and length
+ // encoding like normal.
+ if( Context->curlen > 56 )
+ {
+ while( Context->curlen < 64 )
+ {
+ Context->buf[Context->curlen++] = (uint8_t)0;
+ }
+ TransformFunction(Context, Context->buf);
+ Context->curlen = 0;
+ }
+
+ // Pad up to 56 bytes of zeroes
+ while( Context->curlen < 56 )
+ {
+ Context->buf[Context->curlen++] = (uint8_t)0;
+ }
+
+ // Store length
+ STORE64H( Context->length, Context->buf+56 );
+ TransformFunction( Context, Context->buf );
+
+ // Copy output
+ for( i=0; i<8; i++ )
+ {
+ STORE32H( Context->state[i], Digest->bytes+(4*i) );
+ }
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Calculate
+//
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+// buffer.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Calculate
+ (
+ void const* Buffer, // [in]
+ uint32_t BufferSize, // [in]
+ SHA256_HASH* Digest // [in]
+ )
+{
+ Sha256Context context;
+
+ Sha256Initialise( &context );
+ Sha256Update( &context, Buffer, BufferSize );
+ Sha256Finalise( &context, Digest );
+}
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
new file mode 100644
index 000000000000..406ed869cd82
--- /dev/null
+++ b/policycoreutils/semodule/sha256.h
@@ -0,0 +1,89 @@
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// WjCryptLib_Sha256
+//
+// Implementation of SHA256 hash function.
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+// Modified by WaterJuice retaining Public Domain license.
+//
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#pragma once
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// IMPORTS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+#include <stdint.h>
+#include <stdio.h>
+
+typedef struct
+{
+ uint64_t length;
+ uint32_t state[8];
+ uint32_t curlen;
+ uint8_t buf[64];
+} Sha256Context;
+
+#define SHA256_HASH_SIZE ( 256 / 8 )
+
+typedef struct
+{
+ uint8_t bytes [SHA256_HASH_SIZE];
+} SHA256_HASH;
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// PUBLIC FUNCTIONS
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Initialise
+//
+// Initialises a SHA256 Context. Use this to initialise/reset a context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Initialise
+ (
+ Sha256Context* Context // [out]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Update
+//
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Update
+ (
+ Sha256Context* Context, // [in out]
+ void const* Buffer, // [in]
+ uint32_t BufferSize // [in]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Finalise
+//
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+// calling this, Sha256Initialised must be used to reuse the context.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Finalise
+ (
+ Sha256Context* Context, // [in out]
+ SHA256_HASH* Digest // [out]
+ );
+
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+// Sha256Calculate
+//
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+// buffer.
+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+void
+ Sha256Calculate
+ (
+ void const* Buffer, // [in]
+ uint32_t BufferSize, // [in]
+ SHA256_HASH* Digest // [in]
+ );
--
2.33.1

29
SOURCES/0021-semodule-Fix-lang_ext-column-index.patch

@ -0,0 +1,29 @@
From 7537374e7f5802852c0c64b4cb2a9646402e3cba Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 16 Nov 2021 16:11:22 +0100
Subject: [PATCH] semodule: Fix lang_ext column index

lang_ext is 3. column - index number 2.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/semodule.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index ddbf10455abf..57f005ce2c62 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -684,7 +684,7 @@ cleanup_extract:
if (result != 0) goto cleanup_list;
size = strlen(tmp);
- if (size > column[3]) column[3] = size;
+ if (size > column[2]) column[2] = size;
}
/* print out each module */
--
2.33.1

32
SOURCES/0022-semodule-Don-t-forget-to-munmap-data.patch

@ -0,0 +1,32 @@
From 0c4e5d70fde006977e798d6cc7d80db2e8af7bb9 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Tue, 23 Nov 2021 17:38:51 +0100
Subject: [PATCH] semodule: Don't forget to munmap() data

semanage_module_extract() mmap()'s the module raw data but it leaves on
the caller to munmap() them.

Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
policycoreutils/semodule/semodule.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 57f005ce2c62..94a9d131bb79 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -394,6 +394,9 @@ static char *hash_module_data(const char *module_name, const int prio) {
sha256_buf[i * 2] = 0;
cleanup_extract:
+ if (data_len > 0) {
+ munmap(data, data_len);
+ }
semanage_module_info_destroy(sh, extract_info);
free(extract_info);
semanage_module_key_destroy(sh, modkey);
--
2.33.1

539
SOURCES/0023-semodule-libsemanage-move-module-hashing-into-libsem.patch

@ -0,0 +1,539 @@
From 7809f29b68e17a455478990ae9b22728381a126b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 3 Feb 2022 17:53:23 +0100
Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage

The main goal of this move is to have the SHA-256 implementation under
libsemanage, since upcoming patches will make use of SHA-256 for a
different (but similar) purpose in libsemanage. Having the hashing code
in libsemanage will reduce code duplication and allow for easier hash
algorithm upgrade in the future.

Note that libselinux currently also contains a hash function
implementation (for yet another different purpose). This patch doesn't
make any effort to address that duplicity yet.

This patch also changes the format of the hash string printed by
semodule to include the name of the hash. The intent is to avoid
ambiguity and potential collisions when the algorithm is potentially
changed in the future.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/semodule/Makefile | 2 +-
policycoreutils/semodule/semodule.c | 53 ++---
policycoreutils/semodule/sha256.c | 294 ----------------------------
policycoreutils/semodule/sha256.h | 89 ---------
4 files changed, 17 insertions(+), 421 deletions(-)
delete mode 100644 policycoreutils/semodule/sha256.c
delete mode 100644 policycoreutils/semodule/sha256.h

diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 9875ac383280..73801e487a76 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
CFLAGS ?= -Werror -Wall -W
override LDLIBS += -lsepol -lselinux -lsemanage
-SEMODULE_OBJS = semodule.o sha256.o
+SEMODULE_OBJS = semodule.o
all: semodule genhomedircon
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 94a9d131bb79..f4a76289efa3 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -25,8 +25,6 @@
#include <sepol/cil/cil.h>
#include <semanage/modules.h>
-#include "sha256.h"
-
enum client_modes {
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
@@ -348,60 +346,38 @@ static void parse_command_line(int argc, char **argv)
/* Get module checksum */
static char *hash_module_data(const char *module_name, const int prio) {
- semanage_module_info_t *extract_info = NULL;
semanage_module_key_t *modkey = NULL;
- Sha256Context context;
- uint8_t sha256_hash[SHA256_HASH_SIZE];
- char *sha256_buf = NULL;
- void *data;
- size_t data_len = 0, i;
+ char *hash_str = NULL;
+ void *hash = NULL;
+ size_t hash_len = 0;
int result;
result = semanage_module_key_create(sh, &modkey);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
result = semanage_module_key_set_name(sh, modkey, module_name);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
result = semanage_module_key_set_priority(sh, modkey, prio);
if (result != 0) {
- goto cleanup_extract;
+ goto cleanup;
}
- result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
- &extract_info);
+ result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str,
+ &hash_len);
if (result != 0) {
- goto cleanup_extract;
- }
-
- Sha256Initialise(&context);
- Sha256Update(&context, data, data_len);
-
- Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
-
- sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
-
- if (sha256_buf == NULL)
- goto cleanup_extract;
-
- for (i = 0; i < SHA256_HASH_SIZE; i++) {
- sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
+ goto cleanup;
}
- sha256_buf[i * 2] = 0;
-cleanup_extract:
- if (data_len > 0) {
- munmap(data, data_len);
- }
- semanage_module_info_destroy(sh, extract_info);
- free(extract_info);
+cleanup:
+ free(hash);
semanage_module_key_destroy(sh, modkey);
free(modkey);
- return sha256_buf;
+ return hash_str;
}
int main(int argc, char *argv[])
@@ -669,7 +645,10 @@ cleanup_extract:
/* fixed width columns */
column[0] = sizeof("000") - 1;
column[3] = sizeof("disabled") - 1;
- column[4] = 64; /* SHA256_HASH_SIZE * 2 */
+
+ result = semanage_module_compute_checksum(sh, NULL, 0, NULL,
+ &column[4]);
+ if (result != 0) goto cleanup_list;
/* variable width columns */
const char *tmp = NULL;
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
deleted file mode 100644
index fe2aeef07f53..000000000000
--- a/policycoreutils/semodule/sha256.c
+++ /dev/null
@@ -1,294 +0,0 @@
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// WjCryptLib_Sha256
-//
-// Implementation of SHA256 hash function.
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-// Modified by WaterJuice retaining Public Domain license.
-//
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// IMPORTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#include "sha256.h"
-#include <memory.h>
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// MACROS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
-
-#define MIN(x, y) ( ((x)<(y))?(x):(y) )
-
-#define STORE32H(x, y) \
- { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
- (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
-
-#define LOAD32H(x, y) \
- { x = ((uint32_t)((y)[0] & 255)<<24) | \
- ((uint32_t)((y)[1] & 255)<<16) | \
- ((uint32_t)((y)[2] & 255)<<8) | \
- ((uint32_t)((y)[3] & 255)); }
-
-#define STORE64H(x, y) \
- { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
- (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
- (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
- (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// CONSTANTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-// The K array
-static const uint32_t K[64] = {
- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
- 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
- 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
- 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
- 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
- 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
- 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
- 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
- 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
- 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-};
-
-#define BLOCK_SIZE 64
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// INTERNAL FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-// Various logical functions
-#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
-#define Maj( x, y, z ) (((x | y) & z) | (x & y))
-#define S( x, n ) ror((x),(n))
-#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
-#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
-#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
-#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
-#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
-
-#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
- t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
- t1 = Sigma0(a) + Maj(a, b, c); \
- d += t0; \
- h = t0 + t1;
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// TransformFunction
-//
-// Compress 512-bits
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-static
-void
- TransformFunction
- (
- Sha256Context* Context,
- uint8_t const* Buffer
- )
-{
- uint32_t S[8];
- uint32_t W[64];
- uint32_t t0;
- uint32_t t1;
- uint32_t t;
- int i;
-
- // Copy state into S
- for( i=0; i<8; i++ )
- {
- S[i] = Context->state[i];
- }
-
- // Copy the state into 512-bits into W[0..15]
- for( i=0; i<16; i++ )
- {
- LOAD32H( W[i], Buffer + (4*i) );
- }
-
- // Fill W[16..63]
- for( i=16; i<64; i++ )
- {
- W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
- }
-
- // Compress
- for( i=0; i<64; i++ )
- {
- Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
- t = S[7];
- S[7] = S[6];
- S[6] = S[5];
- S[5] = S[4];
- S[4] = S[3];
- S[3] = S[2];
- S[2] = S[1];
- S[1] = S[0];
- S[0] = t;
- }
-
- // Feedback
- for( i=0; i<8; i++ )
- {
- Context->state[i] = Context->state[i] + S[i];
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// PUBLIC FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Initialise
-//
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Initialise
- (
- Sha256Context* Context // [out]
- )
-{
- Context->curlen = 0;
- Context->length = 0;
- Context->state[0] = 0x6A09E667UL;
- Context->state[1] = 0xBB67AE85UL;
- Context->state[2] = 0x3C6EF372UL;
- Context->state[3] = 0xA54FF53AUL;
- Context->state[4] = 0x510E527FUL;
- Context->state[5] = 0x9B05688CUL;
- Context->state[6] = 0x1F83D9ABUL;
- Context->state[7] = 0x5BE0CD19UL;
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Update
-//
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Update
- (
- Sha256Context* Context, // [in out]
- void const* Buffer, // [in]
- uint32_t BufferSize // [in]
- )
-{
- uint32_t n;
-
- if( Context->curlen > sizeof(Context->buf) )
- {
- return;
- }
-
- while( BufferSize > 0 )
- {
- if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
- {
- TransformFunction( Context, (uint8_t*)Buffer );
- Context->length += BLOCK_SIZE * 8;
- Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
- BufferSize -= BLOCK_SIZE;
- }
- else
- {
- n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
- memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
- Context->curlen += n;
- Buffer = (uint8_t*)Buffer + n;
- BufferSize -= n;
- if( Context->curlen == BLOCK_SIZE )
- {
- TransformFunction( Context, Context->buf );
- Context->length += 8*BLOCK_SIZE;
- Context->curlen = 0;
- }
- }
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Finalise
-//
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-// calling this, Sha256Initialised must be used to reuse the context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Finalise
- (
- Sha256Context* Context, // [in out]
- SHA256_HASH* Digest // [out]
- )
-{
- int i;
-
- if( Context->curlen >= sizeof(Context->buf) )
- {
- return;
- }
-
- // Increase the length of the message
- Context->length += Context->curlen * 8;
-
- // Append the '1' bit
- Context->buf[Context->curlen++] = (uint8_t)0x80;
-
- // if the length is currently above 56 bytes we append zeros
- // then compress. Then we can fall back to padding zeros and length
- // encoding like normal.
- if( Context->curlen > 56 )
- {
- while( Context->curlen < 64 )
- {
- Context->buf[Context->curlen++] = (uint8_t)0;
- }
- TransformFunction(Context, Context->buf);
- Context->curlen = 0;
- }
-
- // Pad up to 56 bytes of zeroes
- while( Context->curlen < 56 )
- {
- Context->buf[Context->curlen++] = (uint8_t)0;
- }
-
- // Store length
- STORE64H( Context->length, Context->buf+56 );
- TransformFunction( Context, Context->buf );
-
- // Copy output
- for( i=0; i<8; i++ )
- {
- STORE32H( Context->state[i], Digest->bytes+(4*i) );
- }
-}
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Calculate
-//
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-// buffer.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Calculate
- (
- void const* Buffer, // [in]
- uint32_t BufferSize, // [in]
- SHA256_HASH* Digest // [in]
- )
-{
- Sha256Context context;
-
- Sha256Initialise( &context );
- Sha256Update( &context, Buffer, BufferSize );
- Sha256Finalise( &context, Digest );
-}
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
deleted file mode 100644
index 406ed869cd82..000000000000
--- a/policycoreutils/semodule/sha256.h
+++ /dev/null
@@ -1,89 +0,0 @@
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// WjCryptLib_Sha256
-//
-// Implementation of SHA256 hash function.
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-// Modified by WaterJuice retaining Public Domain license.
-//
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#pragma once
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// IMPORTS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-#include <stdint.h>
-#include <stdio.h>
-
-typedef struct
-{
- uint64_t length;
- uint32_t state[8];
- uint32_t curlen;
- uint8_t buf[64];
-} Sha256Context;
-
-#define SHA256_HASH_SIZE ( 256 / 8 )
-
-typedef struct
-{
- uint8_t bytes [SHA256_HASH_SIZE];
-} SHA256_HASH;
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// PUBLIC FUNCTIONS
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Initialise
-//
-// Initialises a SHA256 Context. Use this to initialise/reset a context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Initialise
- (
- Sha256Context* Context // [out]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Update
-//
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Update
- (
- Sha256Context* Context, // [in out]
- void const* Buffer, // [in]
- uint32_t BufferSize // [in]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Finalise
-//
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-// calling this, Sha256Initialised must be used to reuse the context.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Finalise
- (
- Sha256Context* Context, // [in out]
- SHA256_HASH* Digest // [out]
- );
-
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-// Sha256Calculate
-//
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-// buffer.
-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-void
- Sha256Calculate
- (
- void const* Buffer, // [in]
- uint32_t BufferSize, // [in]
- SHA256_HASH* Digest // [in]
- );
--
2.34.1

144
SOURCES/0024-semodule-add-command-line-option-to-detect-module-ch.patch

@ -0,0 +1,144 @@
From 9341da3478625bb2ba2e7d4f3e227735cc9c8198 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Thu, 3 Feb 2022 17:53:27 +0100
Subject: [PATCH] semodule: add command-line option to detect module changes

Add a new command-line option "--rebuild-if-modules-changed" to control
the newly introduced check_ext_changes libsemanage flag.

For example, running `semodule --rebuild-if-modules-changed` will ensure
that any externally added/removed modules (e.g. by an RPM transaction)
are reflected in the compiled policy, while skipping the most expensive
part of the rebuild if no module change was deteceted since the last
libsemanage transaction.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/semodule/semodule.8 | 7 +++++++
policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++-------
2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index 3a2fb21c2481..d1735d216276 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -23,6 +23,13 @@ force a reload of policy
.B \-B, \-\-build
force a rebuild of policy (also reloads unless \-n is used)
.TP
+.B \-\-rebuild-if-modules-changed
+Force a rebuild of the policy if any changes to module content are detected
+(by comparing with checksum from the last transaction). One can use this
+instead of \-B to ensure that any changes to the module store done by an
+external tool (e.g. a package manager) are applied, while automatically
+skipping the rebuild if there are no new changes.
+.TP
.B \-D, \-\-disable_dontaudit
Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
.TP
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index f4a76289efa3..1ed8e69054e0 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -47,6 +47,7 @@ static int verbose;
static int reload;
static int no_reload;
static int build;
+static int check_ext_changes;
static int disable_dontaudit;
static int preserve_tunables;
static int ignore_module_cache;
@@ -149,6 +150,9 @@ static void usage(char *progname)
printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
printf(" -m, --checksum print module checksum (SHA256).\n");
+ printf(" --rebuild-if-modules-changed\n"
+ " force policy rebuild if module content changed since\n"
+ " last rebuild (based on checksum)\n");
}
/* Sets the global mode variable to new_mode, but only if no other
@@ -180,6 +184,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
static void parse_command_line(int argc, char **argv)
{
static struct option opts[] = {
+ {"rebuild-if-modules-changed", 0, NULL, '\0'},
{"store", required_argument, NULL, 's'},
{"base", required_argument, NULL, 'b'},
{"help", 0, NULL, 'h'},
@@ -207,15 +212,26 @@ static void parse_command_line(int argc, char **argv)
};
int extract_selected = 0;
int cil_hll_set = 0;
- int i;
+ int i, longind;
verbose = 0;
reload = 0;
no_reload = 0;
+ check_ext_changes = 0;
priority = 400;
while ((i =
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
- NULL)) != -1) {
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
+ opts, &longind)) != -1) {
switch (i) {
+ case '\0':
+ switch(longind) {
+ case 0: /* --rebuild-if-modules-changed */
+ check_ext_changes = 1;
+ break;
+ default:
+ usage(argv[0]);
+ exit(1);
+ }
+ break;
case 'b':
fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
set_mode(INSTALL_M, optarg);
@@ -300,13 +316,13 @@ static void parse_command_line(int argc, char **argv)
}
}
}
- if ((build || reload) && num_commands) {
+ if ((build || reload || check_ext_changes) && num_commands) {
fprintf(stderr,
"build or reload should not be used with other commands\n");
usage(argv[0]);
exit(1);
}
- if (num_commands == 0 && reload == 0 && build == 0) {
+ if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) {
fprintf(stderr, "At least one mode must be specified.\n");
usage(argv[0]);
exit(1);
@@ -395,7 +411,7 @@ int main(int argc, char *argv[])
cil_set_log_level(CIL_ERR + verbose);
- if (build)
+ if (build || check_ext_changes)
commit = 1;
sh = semanage_handle_create();
@@ -434,7 +450,7 @@ int main(int argc, char *argv[])
}
}
- if (build) {
+ if (build || check_ext_changes) {
if ((result = semanage_begin_transaction(sh)) < 0) {
fprintf(stderr, "%s: Could not begin transaction: %s\n",
argv[0], errno ? strerror(errno) : "");
@@ -807,6 +823,8 @@ cleanup_disable:
semanage_set_reload(sh, 0);
if (build)
semanage_set_rebuild(sh, 1);
+ if (check_ext_changes)
+ semanage_set_check_ext_changes(sh, 1);
if (disable_dontaudit)
semanage_set_disable_dontaudit(sh, 1);
else if (build)
--
2.34.1

180
SOURCES/0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch

@ -0,0 +1,180 @@
From 09f700e9f953769d1697c46179faba32e4b80c0f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 4 Feb 2022 13:41:12 +0100
Subject: [PATCH] policycoreutils/fixfiles: Use parallel relabeling

Commit 93902fc8340f ("setfiles/restorecon: support parallel relabeling")
implemented support for parallel relabeling in setfiles. This is
available for fixfiles now.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 35 +++++++++++++++++-------------
policycoreutils/scripts/fixfiles.8 | 17 ++++++++++-----
2 files changed, 31 insertions(+), 21 deletions(-)

diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index cb20002ab613..a4a419ab62de 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -110,6 +110,7 @@ BOOTTIME=""
VERBOSE="-p"
[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
+THREADS=""
RPMFILES=""
PREFC=""
RESTORE_MODE=""
@@ -153,7 +154,7 @@ newer() {
shift
LogReadOnly
for m in `echo $FILESYSTEMSRW`; do
- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
+ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
done;
}
@@ -197,7 +198,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
esac; \
fi; \
done | \
- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -; \
+ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -; \
rm -f ${TEMPFILE} ${PREFCTEMPFILE}
fi
}
@@ -235,11 +236,11 @@ LogExcluded
case "$RESTORE_MODE" in
RPMFILES)
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
- rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -
+ rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -
done
;;
FILEPATH)
- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
+ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -R -- "$FILEPATH"
;;
*)
if [ -n "${FILESYSTEMSRW}" ]; then
@@ -247,7 +248,7 @@ case "$RESTORE_MODE" in
echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${THREADS} ${FC} ${FILESYSTEMSRW}
else
# we bind mount so we can fix the labels of files that have already been
# mounted over
@@ -257,7 +258,7 @@ case "$RESTORE_MODE" in
mkdir -p "${TMP_MOUNT}${m}" || exit 1
mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
umount "${TMP_MOUNT}${m}" || exit 1
rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
done;
@@ -330,8 +331,9 @@ case "$1" in
fi
> /.autorelabel || exit $?
[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
- [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
- [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
+ [ -z "$BOOTTIME" ] || echo -n "-N $BOOTTIME " >> /.autorelabel
+ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo -n "-M " >> /.autorelabel
+ [ -z "$THREADS" ] || echo -n "$THREADS " >> /.autorelabel
# Force full relabel if SELinux is not enabled
selinuxenabled || echo -F > /.autorelabel
echo "System will relabel on next boot"
@@ -343,17 +345,17 @@ esac
}
usage() {
echo $"""
-Usage: $0 [-v] [-F] [-M] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] [-T nthreads] relabel
or
-Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
+Usage: $0 [-v] [-F] [-B | -N time ] [-T nthreads] { check | restore | verify }
or
-Usage: $0 [-v] [-F] { check | restore | verify } dir/file ...
+Usage: $0 [-v] [-F] [-T nthreads] { check | restore | verify } dir/file ...
or
-Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
+Usage: $0 [-v] [-F] [-T nthreads] -R rpmpackage[,rpmpackage...] { check | restore | verify }
or
-Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+Usage: $0 [-v] [-F] [-T nthreads] -C PREVIOUS_FILECONTEXT { check | restore | verify }
or
-Usage: $0 [-F] [-M] [-B] onboot
+Usage: $0 [-F] [-M] [-B] [-T nthreads] onboot
"""
}
@@ -372,7 +374,7 @@ set_restore_mode() {
}
# See how we were called.
-while getopts "N:BC:FfR:l:vM" i; do
+while getopts "N:BC:FfR:l:vMT:" i; do
case "$i" in
B)
BOOTTIME=`/bin/who -b | awk '{print $3}'`
@@ -407,6 +409,9 @@ while getopts "N:BC:FfR:l:vM" i; do
f)
fullFlag=1
;;
+ T)
+ THREADS="-T $OPTARG"
+ ;;
*)
usage
exit 1
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index c4e894e56e8f..9a317d9181e2 100644
--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
@@ -6,22 +6,22 @@ fixfiles \- fix file SELinux security contexts.
.na
.B fixfiles
-.I [\-v] [\-F] [-M] [\-f] relabel
+.I [\-v] [\-F] [-M] [\-f] [\-T nthreads] relabel
.B fixfiles
-.I [\-v] [\-F] { check | restore | verify } dir/file ...
+.I [\-v] [\-F] [\-T nthreads] { check | restore | verify } dir/file ...
.B fixfiles
-.I [\-v] [\-F] [\-B | \-N time ] { check | restore | verify }
+.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
.B fixfiles
-.I [\-v] [\-F] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
+.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
.B fixfiles
-.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
+.I [\-v] [\-F] [\-T nthreads] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
.B fixfiles
-.I [-F] [-M] [-B] onboot
+.I [-F] [-M] [-B] [\-T nthreads] onboot
.ad
@@ -76,6 +76,11 @@ Bind mount filesystems before relabeling them, this allows fixing the context of
.B -v
Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
+.TP
+.B \-T nthreads
+Use parallel relabeling, see
+.B setfiles(8)
+
.SH "ARGUMENTS"
One of:
.TP
--
2.34.1

41
SOURCES/0026-policycoreutils-Improve-error-message-when-selabel_o.patch

@ -0,0 +1,41 @@
From d83caa39d7ff497bddabb54619a8985227ad1264 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 10 Jan 2022 18:35:27 +0100
Subject: [PATCH] policycoreutils: Improve error message when selabel_open
fails

When selabel_open fails to locate file_context files and
selabel_opt_path is not specified (e.g. when the policy type is
missconfigured in /etc/selinux/config), perror only prints
"No such file or directory".
This can be confusing in case of "restorecon" since it's
not apparent that the issue is in policy store.

Before:
\# restorecon -v /tmp/foo.txt
No such file or directory
After:
\# restorecon -v /tmp/foo.txt
/etc/selinux/yolo/contexts/files/file_contexts: No such file or directory

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
policycoreutils/setfiles/restore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 74d48bb3752d..e9ae33ad039a 100644
--- a/policycoreutils/setfiles/restore.c
+++ b/policycoreutils/setfiles/restore.c
@@ -29,7 +29,7 @@ void restore_init(struct restore_opts *opts)
opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
if (!opts->hnd) {
- perror(opts->selabel_opt_path);
+ perror(opts->selabel_opt_path ? opts->selabel_opt_path : selinux_file_context_path());
exit(1);
}
--
2.35.1

BIN
SOURCES/gui-po.tgz

Binary file not shown.

BIN
SOURCES/policycoreutils-po.tgz

Binary file not shown.

BIN
SOURCES/python-po.tgz

Binary file not shown.

BIN
SOURCES/sandbox-po.tgz

Binary file not shown.

73
SOURCES/selinux-autorelabel

@ -0,0 +1,73 @@
#!/bin/bash
#
# Do automatic relabelling
#

# . /etc/init.d/functions

# If the user has this (or similar) UEFI boot order:
#
# Windows | grub | Linux
#
# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
# would cause the system to boot into Windows again, if the autorelabel was run.
#
# This function restores the UEFI boot order, so the user will boot into the
# previously set (and expected) partition.
efi_set_boot_next() {
# NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
# succeed even on system which is not EFI-enabled...
if ! efibootmgr > /dev/null 2>&1; then
return
fi

# NOTE: It it possible that some other services might be setting the
# 'BootNext' item for any reasons, and we shouldn't override it if so.
if ! efibootmgr | grep --quiet -e 'BootNext'; then
CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
fi
}

relabel_selinux() {
# if /sbin/init is not labeled correctly this process is running in the
# wrong context, so a reboot will be required after relabel
AUTORELABEL=
. /etc/selinux/config
echo "0" > /sys/fs/selinux/enforce
[ -x /bin/plymouth ] && plymouth --quit

if [ "$AUTORELABEL" = "0" ]; then
echo
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
echo $"*** problems. Dropping you to a shell; the system will reboot"
echo $"*** when you leave the shell."
sulogin

else
echo
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
echo $"*** Relabeling could take a very long time, depending on file"
echo $"*** system size and speed of hard drives."

FORCE=`cat /.autorelabel`
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
/sbin/fixfiles $FORCE restore
fi

rm -f /.autorelabel
/usr/lib/dracut/dracut-initramfs-restore
efi_set_boot_next
if [ -x /usr/bin/grub2-editenv ]; then
grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
fi
sync
systemctl --force reboot
}

# Check to see if a full relabel is needed
if [ "$READONLY" != "yes" ]; then
restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
relabel_selinux
fi

29
SOURCES/selinux-autorelabel-generator.sh

@ -0,0 +1,29 @@
#!/bin/sh

# This systemd.generator(7) detects if SELinux is running and if the
# user requested an autorelabel, and if so sets the default target to
# selinux-autorelabel.target, which will cause the filesystem to be
# relabelled and then the system will reboot again and boot into the
# real default target.

PATH=/usr/sbin:$PATH
unitdir=/usr/lib/systemd/system

# If invoked with no arguments (for testing) write to /tmp.
earlydir="/tmp"
if [ -n "$2" ]; then
earlydir="$2"
fi

set_target ()
{
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
}

if selinuxenabled; then
if test -f /.autorelabel; then
set_target
elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
set_target
fi
fi

18
SOURCES/selinux-autorelabel-mark.service

@ -0,0 +1,18 @@
[Unit]
Description=Mark the need to relabel after reboot
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=!selinux
ConditionPathIsDirectory=/etc/selinux
ConditionPathExists=!/.autorelabel

[Service]
ExecStart=-/bin/touch /.autorelabel
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target

14
SOURCES/selinux-autorelabel.service

@ -0,0 +1,14 @@
[Unit]
Description=Relabel all filesystems
DefaultDependencies=no
Conflicts=shutdown.target
After=sysinit.target
Before=shutdown.target
ConditionSecurity=selinux

[Service]
ExecStart=/usr/libexec/selinux/selinux-autorelabel
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardOutput=journal+console

7
SOURCES/selinux-autorelabel.target

@ -0,0 +1,7 @@
[Unit]
Description=Relabel all filesystems and reboot
DefaultDependencies=no
Requires=sysinit.target selinux-autorelabel.service
Conflicts=shutdown.target
After=sysinit.target selinux-autorelabel.service
ConditionSecurity=selinux

BIN
SOURCES/sepolicy-icons.tgz

Binary file not shown.

BIN
SOURCES/system-config-selinux.png

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.4 KiB

5564
SPECS/policycoreutils.spec

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save