Toshaan Bharvani
2 years ago
commit
0db3db9a36
38 changed files with 13951 additions and 0 deletions
@ -0,0 +1,26 @@ |
|||||||
|
From ec3bf6f3e5468ba7b5164cc588ef5746454808a5 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Thu, 20 Aug 2015 12:58:41 +0200 |
||||||
|
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in |
||||||
|
recent Fedoras |
||||||
|
|
||||||
|
--- |
||||||
|
sandbox/sandboxX.sh | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh |
||||||
|
index eaa500d08143..4774528027ef 100644 |
||||||
|
--- a/sandbox/sandboxX.sh |
||||||
|
+++ b/sandbox/sandboxX.sh |
||||||
|
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF |
||||||
|
</openbox_config> |
||||||
|
EOF |
||||||
|
|
||||||
|
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do |
||||||
|
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do |
||||||
|
export DISPLAY=:$D |
||||||
|
cat > ~/seremote << __EOF |
||||||
|
#!/bin/sh |
||||||
|
-- |
||||||
|
2.32.0 |
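Review bot: The retyped Xephyr line still expands `$SCREENSIZE` and `$DPI` unquoted while `"$TITLE"` is quoted, and the pipeline's `while read D` has no `-r`; since the patch already rewrites the whole line this is the place to make it `-screen "$SCREENSIZE" -dpi "$DPI"` and `while read -r D; do`. The values are the script's own variables (set outside the hunk) rather than external input, so this is hygiene against word splitting and backslash processing rather than a security gap. The pipeline and the loop body continue outside the hunk.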
||||||
|
|
@ -0,0 +1,46 @@ |
|||||||
|
From 7a548cae4303f8429040ba6be67be182b7f9a943 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Dan Walsh <dwalsh@redhat.com> |
||||||
|
Date: Mon, 21 Apr 2014 13:54:40 -0400 |
||||||
|
Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages |
||||||
|
|
||||||
|
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com> |
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/manpage.py | 7 +++++-- |
||||||
|
1 file changed, 5 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py |
||||||
|
index 2f847abb87e2..dccd778ed4be 100755 |
||||||
|
--- a/python/sepolicy/sepolicy/manpage.py |
||||||
|
+++ b/python/sepolicy/sepolicy/manpage.py |
||||||
|
@@ -737,10 +737,13 @@ Default Defined Ports:""") |
||||||
|
|
||||||
|
def _file_context(self): |
||||||
|
flist = [] |
||||||
|
+ flist_non_exec = [] |
||||||
|
mpaths = [] |
||||||
|
for f in self.all_file_types: |
||||||
|
if f.startswith(self.domainname): |
||||||
|
flist.append(f) |
||||||
|
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f): |
||||||
|
+ flist_non_exec.append(f) |
||||||
|
if f in self.fcdict: |
||||||
|
mpaths = mpaths + self.fcdict[f]["regex"] |
||||||
|
if len(mpaths) == 0: |
||||||
|
@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d |
||||||
|
SELinux defines the file context types for the %(domainname)s, if you wanted to |
||||||
|
store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. |
||||||
|
|
||||||
|
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?' |
||||||
|
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?' |
||||||
|
.br |
||||||
|
.B restorecon -R -v /srv/my%(domainname)s_content |
||||||
|
|
||||||
|
Note: SELinux often uses regular expressions to specify labels that match multiple files. |
||||||
|
-""" % {'domainname': self.domainname, "type": flist[0]}) |
||||||
|
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]}) |
||||||
|
|
||||||
|
self.fd.write(r""" |
||||||
|
.I The following file types are defined for %(domainname)s: |
||||||
|
-- |
||||||
|
2.32.0 |
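Review bot: The added condition `if not file_type_is_executable(f) or not file_type_is_entrypoint(f):` is `not (executable and entrypoint)`, so a type that is executable but not an entrypoint still lands in `flist_non_exec`; if the list is meant to hold types that are not executable at all, the operator should be `and`, and if the `or` is deliberate a comment such as `# everything except the domain's entrypoint executables` would stop the next reader from "fixing" it. The same expression is carried over unchanged by the later patch in this commit that rewrites it as `not f in self.exec_types or not f in self.entry_types`. `_file_context` starts inside this hunk but continues well past it, and the second hunk's `flist_non_exec[-1]` on an empty list is handled by the next patch in this commit, so it is not re-raised here.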
||||||
|
|
@ -0,0 +1,27 @@ |
|||||||
|
From b3cb362afe86278c600d6e97cc7abf9c0b102071 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Miroslav Grepl <mgrepl@redhat.com> |
||||||
|
Date: Mon, 12 May 2014 14:11:22 +0200 |
||||||
|
Subject: [PATCH] If there is no executable we don't want to print a part of |
||||||
|
STANDARD FILE CONTEXT |
||||||
|
|
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/manpage.py | 3 ++- |
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py |
||||||
|
index dccd778ed4be..81333928d552 100755 |
||||||
|
--- a/python/sepolicy/sepolicy/manpage.py |
||||||
|
+++ b/python/sepolicy/sepolicy/manpage.py |
||||||
|
@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d |
||||||
|
.PP |
||||||
|
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) |
||||||
|
|
||||||
|
- self.fd.write(r""" |
||||||
|
+ if flist_non_exec: |
||||||
|
+ self.fd.write(r""" |
||||||
|
.PP |
||||||
|
.B STANDARD FILE CONTEXT |
||||||
|
|
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,169 @@ |
|||||||
|
From b954ff8379e03714f707daa85111f6bf2f265772 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Miroslav Grepl <mgrepl@redhat.com> |
||||||
|
Date: Thu, 19 Feb 2015 17:45:15 +0100 |
||||||
|
Subject: [PATCH] Simplication of sepolicy-manpage web functionality. |
||||||
|
system_release is no longer hardcoded and it creates only index.html and html |
||||||
|
man pages in the directory for the system release. |
||||||
|
|
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/__init__.py | 25 +++-------- |
||||||
|
python/sepolicy/sepolicy/manpage.py | 65 +++------------------------- |
||||||
|
2 files changed, 13 insertions(+), 77 deletions(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py |
||||||
|
index e8654abbceb3..a2475d22547a 100644 |
||||||
|
--- a/python/sepolicy/sepolicy/__init__.py |
||||||
|
+++ b/python/sepolicy/sepolicy/__init__.py |
||||||
|
@@ -1225,27 +1225,14 @@ def boolean_desc(boolean): |
||||||
|
|
||||||
|
|
||||||
|
def get_os_version(): |
||||||
|
- os_version = "" |
||||||
|
- pkg_name = "selinux-policy" |
||||||
|
+ system_release = "" |
||||||
|
try: |
||||||
|
- try: |
||||||
|
- from commands import getstatusoutput |
||||||
|
- except ImportError: |
||||||
|
- from subprocess import getstatusoutput |
||||||
|
- rc, output = getstatusoutput("rpm -q '%s'" % pkg_name) |
||||||
|
- if rc == 0: |
||||||
|
- os_version = output.split(".")[-2] |
||||||
|
- except: |
||||||
|
- os_version = "" |
||||||
|
- |
||||||
|
- if os_version[0:2] == "fc": |
||||||
|
- os_version = "Fedora" + os_version[2:] |
||||||
|
- elif os_version[0:2] == "el": |
||||||
|
- os_version = "RHEL" + os_version[2:] |
||||||
|
- else: |
||||||
|
- os_version = "" |
||||||
|
+ with open('/etc/system-release') as f: |
||||||
|
+ system_release = f.readline() |
||||||
|
+ except IOError: |
||||||
|
+ system_release = "Misc" |
||||||
|
|
||||||
|
- return os_version |
||||||
|
+ return system_release |
||||||
|
|
||||||
|
|
||||||
|
def reinit(): |
||||||
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py |
||||||
|
index 81333928d552..dc3e5207c57c 100755 |
||||||
|
--- a/python/sepolicy/sepolicy/manpage.py |
||||||
|
+++ b/python/sepolicy/sepolicy/manpage.py |
||||||
|
@@ -151,10 +151,6 @@ def prettyprint(f, trim): |
||||||
|
manpage_domains = [] |
||||||
|
manpage_roles = [] |
||||||
|
|
||||||
|
-fedora_releases = ["Fedora17", "Fedora18"] |
||||||
|
-rhel_releases = ["RHEL6", "RHEL7"] |
||||||
|
- |
||||||
|
- |
||||||
|
def get_alphabet_manpages(manpage_list): |
||||||
|
alphabet_manpages = dict.fromkeys(string.ascii_letters, []) |
||||||
|
for i in string.ascii_letters: |
||||||
|
@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage): |
||||||
|
class HTMLManPages: |
||||||
|
|
||||||
|
""" |
||||||
|
- Generate a HHTML Manpages on an given SELinux domains |
||||||
|
+ Generate a HTML Manpages on an given SELinux domains |
||||||
|
""" |
||||||
|
|
||||||
|
def __init__(self, manpage_roles, manpage_domains, path, os_version): |
||||||
|
@@ -192,9 +188,9 @@ class HTMLManPages: |
||||||
|
self.manpage_domains = get_alphabet_manpages(manpage_domains) |
||||||
|
self.os_version = os_version |
||||||
|
self.old_path = path + "/" |
||||||
|
- self.new_path = self.old_path + self.os_version + "/" |
||||||
|
+ self.new_path = self.old_path |
||||||
|
|
||||||
|
- if self.os_version in fedora_releases or self.os_version in rhel_releases: |
||||||
|
+ if self.os_version: |
||||||
|
self.__gen_html_manpages() |
||||||
|
else: |
||||||
|
print("SELinux HTML man pages can not be generated for this %s" % os_version) |
||||||
|
@@ -203,7 +199,6 @@ class HTMLManPages: |
||||||
|
def __gen_html_manpages(self): |
||||||
|
self._write_html_manpage() |
||||||
|
self._gen_index() |
||||||
|
- self._gen_body() |
||||||
|
self._gen_css() |
||||||
|
|
||||||
|
def _write_html_manpage(self): |
||||||
|
@@ -221,67 +216,21 @@ class HTMLManPages: |
||||||
|
convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r) |
||||||
|
|
||||||
|
def _gen_index(self): |
||||||
|
- index = self.old_path + "index.html" |
||||||
|
- fd = open(index, 'w') |
||||||
|
- fd.write(""" |
||||||
|
-<html> |
||||||
|
-<head> |
||||||
|
- <link rel=stylesheet type="text/css" href="style.css" title="style"> |
||||||
|
- <title>SELinux man pages online</title> |
||||||
|
-</head> |
||||||
|
-<body> |
||||||
|
-<h1>SELinux man pages</h1> |
||||||
|
-<br></br> |
||||||
|
-Fedora or Red Hat Enterprise Linux Man Pages.</h2> |
||||||
|
-<br></br> |
||||||
|
-<hr> |
||||||
|
-<h3>Fedora</h3> |
||||||
|
-<table><tr> |
||||||
|
-<td valign="middle"> |
||||||
|
-</td> |
||||||
|
-</tr></table> |
||||||
|
-<pre> |
||||||
|
-""") |
||||||
|
- for f in fedora_releases: |
||||||
|
- fd.write(""" |
||||||
|
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f)) |
||||||
|
- |
||||||
|
- fd.write(""" |
||||||
|
-</pre> |
||||||
|
-<hr> |
||||||
|
-<h3>RHEL</h3> |
||||||
|
-<table><tr> |
||||||
|
-<td valign="middle"> |
||||||
|
-</td> |
||||||
|
-</tr></table> |
||||||
|
-<pre> |
||||||
|
-""") |
||||||
|
- for r in rhel_releases: |
||||||
|
- fd.write(""" |
||||||
|
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r)) |
||||||
|
- |
||||||
|
- fd.write(""" |
||||||
|
-</pre> |
||||||
|
- """) |
||||||
|
- fd.close() |
||||||
|
- print("%s has been created" % index) |
||||||
|
- |
||||||
|
- def _gen_body(self): |
||||||
|
html = self.new_path + self.os_version + ".html" |
||||||
|
fd = open(html, 'w') |
||||||
|
fd.write(""" |
||||||
|
<html> |
||||||
|
<head> |
||||||
|
- <link rel=stylesheet type="text/css" href="../style.css" title="style"> |
||||||
|
- <title>Linux man-pages online for Fedora18</title> |
||||||
|
+ <link rel=stylesheet type="text/css" href="style.css" title="style"> |
||||||
|
+ <title>SELinux man pages online</title> |
||||||
|
</head> |
||||||
|
<body> |
||||||
|
-<h1>SELinux man pages for Fedora18</h1> |
||||||
|
+<h1>SELinux man pages for %s</h1> |
||||||
|
<hr> |
||||||
|
<table><tr> |
||||||
|
<td valign="middle"> |
||||||
|
<h3>SELinux roles</h3> |
||||||
|
-""") |
||||||
|
+""" % self.os_version) |
||||||
|
for letter in self.manpage_roles: |
||||||
|
if len(self.manpage_roles[letter]): |
||||||
|
fd.write(""" |
||||||
|
-- |
||||||
|
2.32.0 |
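Review bot: With `get_os_version()` now returning either the first line of `/etc/system-release` or `"Misc"`, `self.os_version` in `HTMLManPages.__init__` is practically never empty, so the new `if self.os_version:` test and the `print("SELinux HTML man pages can not be generated for this %s" % os_version)` branch are effectively dead; either drop the branch or test something that can actually fail (the `path` argument, for instance). The page written by the rewritten `_gen_index` is `self.new_path + self.os_version + ".html"`, i.e. a file named after the full release string including spaces and parentheses, whereas the commit message says only `index.html` is created, so one of the two should be corrected. That same string is interpolated into the `<h1>` via `%s` without escaping; it comes from a distro-owned file, so the risk is low, but `html.escape(self.os_version)` (stdlib; `cgi.escape` on Python 2 if that is what the file targets) would make the generated page robust to an unusual release string. `get_os_version`, `__init__` and `_gen_index` all continue outside the hunks shown.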
||||||
|
|
@ -0,0 +1,26 @@ |
|||||||
|
From 7572bbec8b6a422e722864348a53d5e0f855e7f6 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Miroslav Grepl <mgrepl@redhat.com> |
||||||
|
Date: Fri, 20 Feb 2015 16:42:01 +0100 |
||||||
|
Subject: [PATCH] We want to remove the trailing newline for |
||||||
|
/etc/system_release. |
||||||
|
|
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/__init__.py | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py |
||||||
|
index a2475d22547a..8055a12f6020 100644 |
||||||
|
--- a/python/sepolicy/sepolicy/__init__.py |
||||||
|
+++ b/python/sepolicy/sepolicy/__init__.py |
||||||
|
@@ -1228,7 +1228,7 @@ def get_os_version(): |
||||||
|
system_release = "" |
||||||
|
try: |
||||||
|
with open('/etc/system-release') as f: |
||||||
|
- system_release = f.readline() |
||||||
|
+ system_release = f.readline().rstrip() |
||||||
|
except IOError: |
||||||
|
system_release = "Misc" |
||||||
|
|
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,25 @@ |
|||||||
|
From a4d59dcce863a02895fe40e487176149f3a4ad5b Mon Sep 17 00:00:00 2001 |
||||||
|
From: Miroslav Grepl <mgrepl@redhat.com> |
||||||
|
Date: Fri, 20 Feb 2015 16:42:53 +0100 |
||||||
|
Subject: [PATCH] Fix title in manpage.py to not contain 'online'. |
||||||
|
|
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/manpage.py | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py |
||||||
|
index dc3e5207c57c..6420ebe2e08e 100755 |
||||||
|
--- a/python/sepolicy/sepolicy/manpage.py |
||||||
|
+++ b/python/sepolicy/sepolicy/manpage.py |
||||||
|
@@ -222,7 +222,7 @@ class HTMLManPages: |
||||||
|
<html> |
||||||
|
<head> |
||||||
|
<link rel=stylesheet type="text/css" href="style.css" title="style"> |
||||||
|
- <title>SELinux man pages online</title> |
||||||
|
+ <title>SELinux man pages</title> |
||||||
|
</head> |
||||||
|
<body> |
||||||
|
<h1>SELinux man pages for %s</h1> |
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,24 @@ |
|||||||
|
From f183dd36c66069c95726e1dab47639e76077d86a Mon Sep 17 00:00:00 2001 |
||||||
|
From: Dan Walsh <dwalsh@redhat.com> |
||||||
|
Date: Fri, 14 Feb 2014 12:32:12 -0500 |
||||||
|
Subject: [PATCH] Don't be verbose if you are not on a tty |
||||||
|
|
||||||
|
--- |
||||||
|
policycoreutils/scripts/fixfiles | 1 + |
||||||
|
1 file changed, 1 insertion(+) |
||||||
|
|
||||||
|
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles |
||||||
|
index 6fb12e0451a9..cb20002ab613 100755 |
||||||
|
--- a/policycoreutils/scripts/fixfiles |
||||||
|
+++ b/policycoreutils/scripts/fixfiles |
||||||
|
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() { |
||||||
|
fullFlag=0 |
||||||
|
BOOTTIME="" |
||||||
|
VERBOSE="-p" |
||||||
|
+[ -t 1 ] || VERBOSE="" |
||||||
|
FORCEFLAG="" |
||||||
|
RPMFILES="" |
||||||
|
PREFC="" |
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,63 @@ |
|||||||
|
From fae31a306e7b6084710c02b658ace668766fc004 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Mon, 27 Feb 2017 17:12:39 +0100 |
||||||
|
Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and |
||||||
|
file_type_is_entrypoint(f) |
||||||
|
|
||||||
|
- use direct queries |
||||||
|
- load exec_types and entry_types only once |
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++-- |
||||||
|
1 file changed, 20 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py |
||||||
|
index 6420ebe2e08e..d15522135288 100755 |
||||||
|
--- a/python/sepolicy/sepolicy/manpage.py |
||||||
|
+++ b/python/sepolicy/sepolicy/manpage.py |
||||||
|
@@ -127,8 +127,24 @@ def gen_domains(): |
||||||
|
domains.sort() |
||||||
|
return domains |
||||||
|
|
||||||
|
-types = None |
||||||
|
|
||||||
|
+exec_types = None |
||||||
|
+ |
||||||
|
+def _gen_exec_types(): |
||||||
|
+ global exec_types |
||||||
|
+ if exec_types is None: |
||||||
|
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"] |
||||||
|
+ return exec_types |
||||||
|
+ |
||||||
|
+entry_types = None |
||||||
|
+ |
||||||
|
+def _gen_entry_types(): |
||||||
|
+ global entry_types |
||||||
|
+ if entry_types is None: |
||||||
|
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] |
||||||
|
+ return entry_types |
||||||
|
+ |
||||||
|
+types = None |
||||||
|
|
||||||
|
def _gen_types(): |
||||||
|
global types |
||||||
|
@@ -374,6 +390,8 @@ class ManPage: |
||||||
|
self.all_file_types = sepolicy.get_all_file_types() |
||||||
|
self.role_allows = sepolicy.get_all_role_allows() |
||||||
|
self.types = _gen_types() |
||||||
|
+ self.exec_types = _gen_exec_types() |
||||||
|
+ self.entry_types = _gen_entry_types() |
||||||
|
|
||||||
|
if self.source_files: |
||||||
|
self.fcpath = self.root + "file_contexts" |
||||||
|
@@ -691,7 +709,7 @@ Default Defined Ports:""") |
||||||
|
for f in self.all_file_types: |
||||||
|
if f.startswith(self.domainname): |
||||||
|
flist.append(f) |
||||||
|
- if not file_type_is_executable(f) or not file_type_is_entrypoint(f): |
||||||
|
+ if not f in self.exec_types or not f in self.entry_types: |
||||||
|
flist_non_exec.append(f) |
||||||
|
if f in self.fcdict: |
||||||
|
mpaths = mpaths + self.fcdict[f]["regex"] |
||||||
|
-- |
||||||
|
2.32.0 |
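Review bot: `_gen_exec_types` and `_gen_entry_types` call `next(sepolicy.info(sepolicy.ATTRIBUTE, ...))` with no handling for an exhausted iterator, so a policy that does not define the `exec_type` or `entry_type` attribute makes `ManPage.__init__` raise a bare `StopIteration` from the two new `self.exec_types = ...` / `self.entry_types = ...` lines; wrapping the `next()` in `try: ... except StopIteration: exec_types = []` (and likewise for `entry_types`) keeps manpage generation going on such policies. The following patch in this commit (`_gen_mcs_constrained_types`) has the same gap and additionally removes the `except StopIteration: return` that `_mcs_types` had, so the fix should be applied to all three helpers. As a style point, the new condition `if not f in self.exec_types or not f in self.entry_types:` reads better as `if f not in self.exec_types or f not in self.entry_types:`. `_gen_types`, `ManPage.__init__` and `_file_context` all continue outside the hunks.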
||||||
|
|
@ -0,0 +1,53 @@ |
|||||||
|
From afe686ec783ccf442c8e2bbcb9dbdb7650328253 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Tue, 28 Feb 2017 21:29:46 +0100 |
||||||
|
Subject: [PATCH] sepolicy: Another small optimization for mcs types |
||||||
|
|
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/manpage.py | 16 +++++++++++----- |
||||||
|
1 file changed, 11 insertions(+), 5 deletions(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py |
||||||
|
index d15522135288..ffcedb547993 100755 |
||||||
|
--- a/python/sepolicy/sepolicy/manpage.py |
||||||
|
+++ b/python/sepolicy/sepolicy/manpage.py |
||||||
|
@@ -144,6 +144,15 @@ def _gen_entry_types(): |
||||||
|
entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"] |
||||||
|
return entry_types |
||||||
|
|
||||||
|
+mcs_constrained_types = None |
||||||
|
+ |
||||||
|
+def _gen_mcs_constrained_types(): |
||||||
|
+ global mcs_constrained_types |
||||||
|
+ if mcs_constrained_types is None: |
||||||
|
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type")) |
||||||
|
+ return mcs_constrained_types |
||||||
|
+ |
||||||
|
+ |
||||||
|
types = None |
||||||
|
|
||||||
|
def _gen_types(): |
||||||
|
@@ -392,6 +401,7 @@ class ManPage: |
||||||
|
self.types = _gen_types() |
||||||
|
self.exec_types = _gen_exec_types() |
||||||
|
self.entry_types = _gen_entry_types() |
||||||
|
+ self.mcs_constrained_types = _gen_mcs_constrained_types() |
||||||
|
|
||||||
|
if self.source_files: |
||||||
|
self.fcpath = self.root + "file_contexts" |
||||||
|
@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an |
||||||
|
%s""" % ", ".join(paths)) |
||||||
|
|
||||||
|
def _mcs_types(self): |
||||||
|
- try: |
||||||
|
- mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type")) |
||||||
|
- except StopIteration: |
||||||
|
- return |
||||||
|
- if self.type not in mcs_constrained_type['types']: |
||||||
|
+ if self.type not in self.mcs_constrained_types['types']: |
||||||
|
return |
||||||
|
self.fd.write (""" |
||||||
|
.SH "MCS Constrained" |
||||||
|
-- |
||||||
|
2.32.0 |
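Review bot: `_gen_mcs_constrained_types` caches the whole attribute record and `_mcs_types` then indexes `self.mcs_constrained_types['types']`, whereas the sibling helpers `_gen_exec_types` and `_gen_entry_types` in the same file already take `["types"]` at cache time; storing `mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))["types"]` and testing `if self.type not in self.mcs_constrained_types:` would make the three caches shaped alike and keeps the dict-key lookup in one place. The two consecutive blank lines after the new helper also differ from the single blank line used between the other module-level helpers. `_mcs_types` continues outside the hunk.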
||||||
|
|
@ -0,0 +1,515 @@ |
|||||||
|
From 28879b771a804242d00a8a978bdbc4b85210814d Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Mon, 6 Aug 2018 13:23:00 +0200 |
||||||
|
Subject: [PATCH] Move po/ translation files into the right sub-directories |
||||||
|
|
||||||
|
When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/ |
||||||
|
sub-directories, po/ translation files stayed in policycoreutils/. |
||||||
|
|
||||||
|
This commit split original policycoreutils/po directory into |
||||||
|
policycoreutils/po |
||||||
|
python/po |
||||||
|
gui/po |
||||||
|
sandbox/po |
||||||
|
|
||||||
|
See https://github.com/fedora-selinux/selinux/issues/43 |
||||||
|
--- |
||||||
|
gui/Makefile | 3 ++ |
||||||
|
gui/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++ |
||||||
|
gui/po/POTFILES | 17 ++++++++ |
||||||
|
policycoreutils/po/Makefile | 70 ++----------------------------- |
||||||
|
policycoreutils/po/POTFILES | 9 ++++ |
||||||
|
python/Makefile | 2 +- |
||||||
|
python/po/Makefile | 83 +++++++++++++++++++++++++++++++++++++ |
||||||
|
python/po/POTFILES | 10 +++++ |
||||||
|
sandbox/Makefile | 2 + |
||||||
|
sandbox/po/Makefile | 82 ++++++++++++++++++++++++++++++++++++ |
||||||
|
sandbox/po/POTFILES | 1 + |
||||||
|
11 files changed, 293 insertions(+), 68 deletions(-) |
||||||
|
create mode 100644 gui/po/Makefile |
||||||
|
create mode 100644 gui/po/POTFILES |
||||||
|
create mode 100644 policycoreutils/po/POTFILES |
||||||
|
create mode 100644 python/po/Makefile |
||||||
|
create mode 100644 python/po/POTFILES |
||||||
|
create mode 100644 sandbox/po/Makefile |
||||||
|
create mode 100644 sandbox/po/POTFILES |
||||||
|
|
||||||
|
diff --git a/gui/Makefile b/gui/Makefile |
||||||
|
index ca965c942912..5a5bf6dcae19 100644 |
||||||
|
--- a/gui/Makefile |
||||||
|
+++ b/gui/Makefile |
||||||
|
@@ -22,6 +22,7 @@ system-config-selinux.ui \ |
||||||
|
usersPage.py |
||||||
|
|
||||||
|
all: $(TARGETS) system-config-selinux.py polgengui.py |
||||||
|
+ (cd po && $(MAKE) $@) |
||||||
|
|
||||||
|
install: all |
||||||
|
-mkdir -p $(DESTDIR)$(MANDIR)/man8 |
||||||
|
@@ -54,6 +55,8 @@ install: all |
||||||
|
install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \ |
||||||
|
done |
||||||
|
install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/ |
||||||
|
+ (cd po && $(MAKE) $@) |
||||||
|
+ |
||||||
|
clean: |
||||||
|
|
||||||
|
indent: |
||||||
|
diff --git a/gui/po/Makefile b/gui/po/Makefile |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..a0f5439f2d1c |
||||||
|
--- /dev/null |
||||||
|
+++ b/gui/po/Makefile |
||||||
|
@@ -0,0 +1,82 @@ |
||||||
|
+# |
||||||
|
+# Makefile for the PO files (translation) catalog |
||||||
|
+# |
||||||
|
+ |
||||||
|
+PREFIX ?= /usr |
||||||
|
+ |
||||||
|
+# What is this package? |
||||||
|
+NLSPACKAGE = gui |
||||||
|
+POTFILE = $(NLSPACKAGE).pot |
||||||
|
+INSTALL = /usr/bin/install -c -p |
||||||
|
+INSTALL_DATA = $(INSTALL) -m 644 |
||||||
|
+INSTALL_DIR = /usr/bin/install -d |
||||||
|
+ |
||||||
|
+# destination directory |
||||||
|
+INSTALL_NLS_DIR = $(PREFIX)/share/locale |
||||||
|
+ |
||||||
|
+# PO catalog handling |
||||||
|
+MSGMERGE = msgmerge |
||||||
|
+MSGMERGE_FLAGS = -q |
||||||
|
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE) |
||||||
|
+MSGFMT = msgfmt |
||||||
|
+ |
||||||
|
+# All possible linguas |
||||||
|
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po))) |
||||||
|
+ |
||||||
|
+# Only the files matching what the user has set in LINGUAS |
||||||
|
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS)) |
||||||
|
+ |
||||||
|
+# if no valid LINGUAS, build all languages |
||||||
|
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS)) |
||||||
|
+ |
||||||
|
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS)) |
||||||
|
+MOFILES = $(patsubst %.po,%.mo,$(POFILES)) |
||||||
|
+POTFILES = $(shell cat POTFILES) |
||||||
|
+ |
||||||
|
+#default:: clean |
||||||
|
+ |
||||||
|
+all:: $(MOFILES) |
||||||
|
+ |
||||||
|
+$(POTFILE): $(POTFILES) |
||||||
|
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES) |
||||||
|
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ |
||||||
|
+ rm -f $(NLSPACKAGE).po; \ |
||||||
|
+ else \ |
||||||
|
+ mv -f $(NLSPACKAGE).po $(POTFILE); \ |
||||||
|
+ fi; \ |
||||||
|
+ |
||||||
|
+ |
||||||
|
+refresh-po: Makefile |
||||||
|
+ for cat in $(POFILES); do \ |
||||||
|
+ lang=`basename $$cat .po`; \ |
||||||
|
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \ |
||||||
|
+ mv -f $$lang.pot $$lang.po ; \ |
||||||
|
+ echo "$(MSGMERGE) of $$lang succeeded" ; \ |
||||||
|
+ else \ |
||||||
|
+ echo "$(MSGMERGE) of $$lang failed" ; \ |
||||||
|
+ rm -f $$lang.pot ; \ |
||||||
|
+ fi \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+clean: |
||||||
|
+ @rm -fv *mo *~ .depend |
||||||
|
+ @rm -rf tmp |
||||||
|
+ |
||||||
|
+install: $(MOFILES) |
||||||
|
+ @for n in $(MOFILES); do \ |
||||||
|
+ l=`basename $$n .mo`; \ |
||||||
|
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \ |
||||||
|
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+%.mo: %.po |
||||||
|
+ $(MSGFMT) -o $@ $< |
||||||
|
+report: |
||||||
|
+ @for cat in $(wildcard *.po); do \ |
||||||
|
+ echo -n "$$cat: "; \ |
||||||
|
+ msgfmt -v --statistics -o /dev/null $$cat; \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+.PHONY: missing depend |
||||||
|
+ |
||||||
|
+relabel: |
||||||
|
diff --git a/gui/po/POTFILES b/gui/po/POTFILES |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..1795c5c1951b |
||||||
|
--- /dev/null |
||||||
|
+++ b/gui/po/POTFILES |
||||||
|
@@ -0,0 +1,17 @@ |
||||||
|
+../booleansPage.py |
||||||
|
+../domainsPage.py |
||||||
|
+../fcontextPage.py |
||||||
|
+../loginsPage.py |
||||||
|
+../modulesPage.py |
||||||
|
+../org.selinux.config.policy |
||||||
|
+../polgengui.py |
||||||
|
+../polgen.ui |
||||||
|
+../portsPage.py |
||||||
|
+../selinux-polgengui.desktop |
||||||
|
+../semanagePage.py |
||||||
|
+../sepolicy.desktop |
||||||
|
+../statusPage.py |
||||||
|
+../system-config-selinux.desktop |
||||||
|
+../system-config-selinux.py |
||||||
|
+../system-config-selinux.ui |
||||||
|
+../usersPage.py |
||||||
|
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile |
||||||
|
index 575e143122e6..18bc1dff8d1f 100644 |
||||||
|
--- a/policycoreutils/po/Makefile |
||||||
|
+++ b/policycoreutils/po/Makefile |
||||||
|
@@ -3,7 +3,6 @@ |
||||||
|
# |
||||||
|
|
||||||
|
PREFIX ?= /usr |
||||||
|
-TOP = ../.. |
||||||
|
|
||||||
|
# What is this package? |
||||||
|
NLSPACKAGE = policycoreutils |
||||||
|
@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS)) |
||||||
|
|
||||||
|
POFILES = $(patsubst %,%.po,$(USE_LINGUAS)) |
||||||
|
MOFILES = $(patsubst %.po,%.mo,$(POFILES)) |
||||||
|
-POTFILES = \ |
||||||
|
- ../run_init/open_init_pty.c \ |
||||||
|
- ../run_init/run_init.c \ |
||||||
|
- ../semodule_link/semodule_link.c \ |
||||||
|
- ../audit2allow/audit2allow \ |
||||||
|
- ../semanage/seobject.py \ |
||||||
|
- ../setsebool/setsebool.c \ |
||||||
|
- ../newrole/newrole.c \ |
||||||
|
- ../load_policy/load_policy.c \ |
||||||
|
- ../sestatus/sestatus.c \ |
||||||
|
- ../semodule/semodule.c \ |
||||||
|
- ../setfiles/setfiles.c \ |
||||||
|
- ../semodule_package/semodule_package.c \ |
||||||
|
- ../semodule_deps/semodule_deps.c \ |
||||||
|
- ../semodule_expand/semodule_expand.c \ |
||||||
|
- ../scripts/chcat \ |
||||||
|
- ../scripts/fixfiles \ |
||||||
|
- ../restorecond/stringslist.c \ |
||||||
|
- ../restorecond/restorecond.h \ |
||||||
|
- ../restorecond/utmpwatcher.h \ |
||||||
|
- ../restorecond/stringslist.h \ |
||||||
|
- ../restorecond/restorecond.c \ |
||||||
|
- ../restorecond/utmpwatcher.c \ |
||||||
|
- ../gui/booleansPage.py \ |
||||||
|
- ../gui/fcontextPage.py \ |
||||||
|
- ../gui/loginsPage.py \ |
||||||
|
- ../gui/mappingsPage.py \ |
||||||
|
- ../gui/modulesPage.py \ |
||||||
|
- ../gui/polgen.glade \ |
||||||
|
- ../gui/polgengui.py \ |
||||||
|
- ../gui/portsPage.py \ |
||||||
|
- ../gui/semanagePage.py \ |
||||||
|
- ../gui/statusPage.py \ |
||||||
|
- ../gui/system-config-selinux.glade \ |
||||||
|
- ../gui/system-config-selinux.py \ |
||||||
|
- ../gui/usersPage.py \ |
||||||
|
- ../secon/secon.c \ |
||||||
|
- booleans.py \ |
||||||
|
- ../sepolicy/sepolicy.py \ |
||||||
|
- ../sepolicy/sepolicy/communicate.py \ |
||||||
|
- ../sepolicy/sepolicy/__init__.py \ |
||||||
|
- ../sepolicy/sepolicy/network.py \ |
||||||
|
- ../sepolicy/sepolicy/generate.py \ |
||||||
|
- ../sepolicy/sepolicy/sepolicy.glade \ |
||||||
|
- ../sepolicy/sepolicy/gui.py \ |
||||||
|
- ../sepolicy/sepolicy/manpage.py \ |
||||||
|
- ../sepolicy/sepolicy/transition.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/executable.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/__init__.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/network.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/rw.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/script.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/semodule.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/tmp.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/user.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/var_lib.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/var_log.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/var_run.py \ |
||||||
|
- ../sepolicy/sepolicy/templates/var_spool.py |
||||||
|
+POTFILES = $(shell cat POTFILES) |
||||||
|
|
||||||
|
#default:: clean |
||||||
|
|
||||||
|
-all:: $(MOFILES) |
||||||
|
+all:: $(POTFILE) $(MOFILES) |
||||||
|
|
||||||
|
-booleans.py: |
||||||
|
- sepolicy booleans -a > booleans.py |
||||||
|
- |
||||||
|
-$(POTFILE): $(POTFILES) booleans.py |
||||||
|
+$(POTFILE): $(POTFILES) |
||||||
|
$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES) |
||||||
|
@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ |
||||||
|
rm -f $(NLSPACKAGE).po; \ |
||||||
|
@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py |
||||||
|
mv -f $(NLSPACKAGE).po $(POTFILE); \ |
||||||
|
fi; \ |
||||||
|
|
||||||
|
-update-po: Makefile $(POTFILE) refresh-po |
||||||
|
- @rm -f booleans.py |
||||||
|
|
||||||
|
refresh-po: Makefile |
||||||
|
for cat in $(POFILES); do \ |
||||||
|
diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..12237dc61ee4 |
||||||
|
--- /dev/null |
||||||
|
+++ b/policycoreutils/po/POTFILES |
||||||
|
@@ -0,0 +1,9 @@ |
||||||
|
+../run_init/open_init_pty.c |
||||||
|
+../run_init/run_init.c |
||||||
|
+../setsebool/setsebool.c |
||||||
|
+../newrole/newrole.c |
||||||
|
+../load_policy/load_policy.c |
||||||
|
+../sestatus/sestatus.c |
||||||
|
+../semodule/semodule.c |
||||||
|
+../setfiles/setfiles.c |
||||||
|
+../secon/secon.c |
||||||
|
diff --git a/python/Makefile b/python/Makefile |
||||||
|
index 9b66d52fbd4d..00312dbdb5c6 100644 |
||||||
|
--- a/python/Makefile |
||||||
|
+++ b/python/Makefile |
||||||
|
@@ -1,4 +1,4 @@ |
||||||
|
-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat |
||||||
|
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po |
||||||
|
|
||||||
|
all install relabel clean indent test: |
||||||
|
@for subdir in $(SUBDIRS); do \ |
||||||
|
diff --git a/python/po/Makefile b/python/po/Makefile |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..4e052d5a2bd7 |
||||||
|
--- /dev/null |
||||||
|
+++ b/python/po/Makefile |
||||||
|
@@ -0,0 +1,83 @@ |
||||||
|
+# |
||||||
|
+# Makefile for the PO files (translation) catalog |
||||||
|
+# |
||||||
|
+ |
||||||
|
+PREFIX ?= /usr |
||||||
|
+ |
||||||
|
+# What is this package? |
||||||
|
+NLSPACKAGE = python |
||||||
|
+POTFILE = $(NLSPACKAGE).pot |
||||||
|
+INSTALL = /usr/bin/install -c -p |
||||||
|
+INSTALL_DATA = $(INSTALL) -m 644 |
||||||
|
+INSTALL_DIR = /usr/bin/install -d |
||||||
|
+ |
||||||
|
+# destination directory |
||||||
|
+INSTALL_NLS_DIR = $(PREFIX)/share/locale |
||||||
|
+ |
||||||
|
+# PO catalog handling |
||||||
|
+MSGMERGE = msgmerge |
||||||
|
+MSGMERGE_FLAGS = -q |
||||||
|
+XGETTEXT = xgettext --default-domain=$(NLSPACKAGE) |
||||||
|
+MSGFMT = msgfmt |
||||||
|
+ |
||||||
|
+# All possible linguas |
||||||
|
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po))) |
||||||
|
+ |
||||||
|
+# Only the files matching what the user has set in LINGUAS |
||||||
|
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS)) |
||||||
|
+ |
||||||
|
+# if no valid LINGUAS, build all languages |
||||||
|
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS)) |
||||||
|
+ |
||||||
|
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS)) |
||||||
|
+MOFILES = $(patsubst %.po,%.mo,$(POFILES)) |
||||||
|
+POTFILES = $(shell cat POTFILES) |
||||||
|
+ |
||||||
|
+#default:: clean |
||||||
|
+ |
||||||
|
+all:: $(MOFILES) |
||||||
|
+ |
||||||
|
+$(POTFILE): $(POTFILES) |
||||||
|
+ $(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES) |
||||||
|
+ $(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade |
||||||
|
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ |
||||||
|
+ rm -f $(NLSPACKAGE).po; \ |
||||||
|
+ else \ |
||||||
|
+ mv -f $(NLSPACKAGE).po $(POTFILE); \ |
||||||
|
+ fi; \ |
||||||
|
+ |
||||||
|
+ |
||||||
|
+refresh-po: Makefile |
||||||
|
+ for cat in $(POFILES); do \ |
||||||
|
+ lang=`basename $$cat .po`; \ |
||||||
|
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \ |
||||||
|
+ mv -f $$lang.pot $$lang.po ; \ |
||||||
|
+ echo "$(MSGMERGE) of $$lang succeeded" ; \ |
||||||
|
+ else \ |
||||||
|
+ echo "$(MSGMERGE) of $$lang failed" ; \ |
||||||
|
+ rm -f $$lang.pot ; \ |
||||||
|
+ fi \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+clean: |
||||||
|
+ @rm -fv *mo *~ .depend |
||||||
|
+ @rm -rf tmp |
||||||
|
+ |
||||||
|
+install: $(MOFILES) |
||||||
|
+ @for n in $(MOFILES); do \ |
||||||
|
+ l=`basename $$n .mo`; \ |
||||||
|
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \ |
||||||
|
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+%.mo: %.po |
||||||
|
+ $(MSGFMT) -o $@ $< |
||||||
|
+report: |
||||||
|
+ @for cat in $(wildcard *.po); do \ |
||||||
|
+ echo -n "$$cat: "; \ |
||||||
|
+ msgfmt -v --statistics -o /dev/null $$cat; \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+.PHONY: missing depend |
||||||
|
+ |
||||||
|
+relabel: |
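Review bot: The rule `$(POTFILE): $(POTFILES)` depends only on the files listed in POTFILES, yet the second xgettext invocation also extracts strings from `../sepolicy/sepolicy/sepolicy.glade`, so edits to the glade file never trigger regeneration of the .pot; declare it, e.g. `$(POTFILE): $(POTFILES) ../sepolicy/sepolicy/sepolicy.glade`. This file's `all:: $(MOFILES)` also differs from the sibling sandbox/po/Makefile added in the same patch, whose `all::` builds `$(POTFILE)` too; the two should agree. Separately, `clean`'s `rm -fv *mo` glob matches any file whose name merely ends in `mo`, not only `*.mo`, and `.PHONY: missing depend` names targets that do not exist while `all`, `clean`, `install` and `relabel` are left non-phony.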
||||||
|
diff --git a/python/po/POTFILES b/python/po/POTFILES |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..128eb870a69e |
||||||
|
--- /dev/null |
||||||
|
+++ b/python/po/POTFILES |
||||||
|
@@ -0,0 +1,10 @@ |
||||||
|
+../audit2allow/audit2allow |
||||||
|
+../chcat/chcat |
||||||
|
+../semanage/semanage |
||||||
|
+../semanage/seobject.py |
||||||
|
+../sepolgen/src/sepolgen/interfaces.py |
||||||
|
+../sepolicy/sepolicy/generate.py |
||||||
|
+../sepolicy/sepolicy/gui.py |
||||||
|
+../sepolicy/sepolicy/__init__.py |
||||||
|
+../sepolicy/sepolicy/interface.py |
||||||
|
+../sepolicy/sepolicy.py |
||||||
|
diff --git a/sandbox/Makefile b/sandbox/Makefile |
||||||
|
index 9da5e58db9e6..b817824e2102 100644 |
||||||
|
--- a/sandbox/Makefile |
||||||
|
+++ b/sandbox/Makefile |
||||||
|
@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng |
||||||
|
SEUNSHARE_OBJS = seunshare.o |
||||||
|
|
||||||
|
all: sandbox seunshare sandboxX.sh start |
||||||
|
+ (cd po && $(MAKE) $@) |
||||||
|
|
||||||
|
seunshare: $(SEUNSHARE_OBJS) |
||||||
|
|
||||||
|
@@ -39,6 +40,7 @@ install: all |
||||||
|
install -m 755 start $(DESTDIR)$(SHAREDIR) |
||||||
|
-mkdir -p $(DESTDIR)$(SYSCONFDIR) |
||||||
|
install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox |
||||||
|
+ (cd po && $(MAKE) $@) |
||||||
|
|
||||||
|
test: |
||||||
|
@$(PYTHON) test_sandbox.py -v |
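Review bot: Only `all` and `install` now descend into po/; if sandbox/Makefile has `clean` or `relabel` targets (they are outside these hunks) they should recurse the same way, otherwise `make clean` leaves the generated .mo and .pot files behind and `relabel` skips the new directory. `$(MAKE) -C po $@` does the same as `(cd po && $(MAKE) $@)` without the subshell and keeps make's own flags and jobserver handling intact.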
||||||
|
diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..0556bbe953f0 |
||||||
|
--- /dev/null |
||||||
|
+++ b/sandbox/po/Makefile |
||||||
|
@@ -0,0 +1,82 @@ |
||||||
|
+# |
||||||
|
+# Makefile for the PO files (translation) catalog |
||||||
|
+# |
||||||
|
+ |
||||||
|
+PREFIX ?= /usr |
||||||
|
+ |
||||||
|
+# What is this package? |
||||||
|
+NLSPACKAGE = sandbox |
||||||
|
+POTFILE = $(NLSPACKAGE).pot |
||||||
|
+INSTALL = /usr/bin/install -c -p |
||||||
|
+INSTALL_DATA = $(INSTALL) -m 644 |
||||||
|
+INSTALL_DIR = /usr/bin/install -d |
||||||
|
+ |
||||||
|
+# destination directory |
||||||
|
+INSTALL_NLS_DIR = $(PREFIX)/share/locale |
||||||
|
+ |
||||||
|
+# PO catalog handling |
||||||
|
+MSGMERGE = msgmerge |
||||||
|
+MSGMERGE_FLAGS = -q |
||||||
|
+XGETTEXT = xgettext -L Python --default-domain=$(NLSPACKAGE) |
||||||
|
+MSGFMT = msgfmt |
||||||
|
+ |
||||||
|
+# All possible linguas |
||||||
|
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po))) |
||||||
|
+ |
||||||
|
+# Only the files matching what the user has set in LINGUAS |
||||||
|
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS)) |
||||||
|
+ |
||||||
|
+# if no valid LINGUAS, build all languages |
||||||
|
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS)) |
||||||
|
+ |
||||||
|
+POFILES = $(patsubst %,%.po,$(USE_LINGUAS)) |
||||||
|
+MOFILES = $(patsubst %.po,%.mo,$(POFILES)) |
||||||
|
+POTFILES = $(shell cat POTFILES) |
||||||
|
+ |
||||||
|
+#default:: clean |
||||||
|
+ |
||||||
|
+all:: $(POTFILE) $(MOFILES) |
||||||
|
+ |
||||||
|
+$(POTFILE): $(POTFILES) |
||||||
|
+ $(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES) |
||||||
|
+ @if cmp -s $(NLSPACKAGE).po $(POTFILE); then \ |
||||||
|
+ rm -f $(NLSPACKAGE).po; \ |
||||||
|
+ else \ |
||||||
|
+ mv -f $(NLSPACKAGE).po $(POTFILE); \ |
||||||
|
+ fi; \ |
||||||
|
+ |
||||||
|
+ |
||||||
|
+refresh-po: Makefile |
||||||
|
+ for cat in $(POFILES); do \ |
||||||
|
+ lang=`basename $$cat .po`; \ |
||||||
|
+ if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \ |
||||||
|
+ mv -f $$lang.pot $$lang.po ; \ |
||||||
|
+ echo "$(MSGMERGE) of $$lang succeeded" ; \ |
||||||
|
+ else \ |
||||||
|
+ echo "$(MSGMERGE) of $$lang failed" ; \ |
||||||
|
+ rm -f $$lang.pot ; \ |
||||||
|
+ fi \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+clean: |
||||||
|
+ @rm -fv *mo *~ .depend |
||||||
|
+ @rm -rf tmp |
||||||
|
+ |
||||||
|
+install: $(MOFILES) |
||||||
|
+ @for n in $(MOFILES); do \ |
||||||
|
+ l=`basename $$n .mo`; \ |
||||||
|
+ $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \ |
||||||
|
+ $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+%.mo: %.po |
||||||
|
+ $(MSGFMT) -o $@ $< |
||||||
|
+report: |
||||||
|
+ @for cat in $(wildcard *.po); do \ |
||||||
|
+ echo -n "$$cat: "; \ |
||||||
|
+ msgfmt -v --statistics -o /dev/null $$cat; \ |
||||||
|
+ done |
||||||
|
+ |
||||||
|
+.PHONY: missing depend |
||||||
|
+ |
||||||
|
+relabel: |
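Review bot: The `%.mo: %.po` rule runs `$(MSGFMT) -o $@ $<` without `--check`, so a translation whose `%s`/`%d` placeholders do not match the source string is compiled and installed, and the mismatch only surfaces at runtime as a formatting error in the sandbox tool; `$(MSGFMT) --check -o $@ $<` rejects such catalogs at build time. As in the python/po Makefile, `clean`'s `rm -fv *mo` should be `*.mo`, and `.PHONY: missing depend` lists targets that do not exist while the real targets are not declared phony.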
||||||
|
diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..deff3f2f4656 |
||||||
|
--- /dev/null |
||||||
|
+++ b/sandbox/po/POTFILES |
||||||
|
@@ -0,0 +1 @@ |
||||||
|
+../sandbox |
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,306 @@ |
|||||||
|
From a8cacf2944ddd803909d2111bdf2d43ab90e1111 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Mon, 6 Aug 2018 13:37:07 +0200 |
||||||
|
Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/ |
||||||
|
|
||||||
|
https://github.com/fedora-selinux/selinux/issues/43 |
||||||
|
--- |
||||||
|
gui/booleansPage.py | 2 +- |
||||||
|
gui/domainsPage.py | 2 +- |
||||||
|
gui/fcontextPage.py | 2 +- |
||||||
|
gui/loginsPage.py | 2 +- |
||||||
|
gui/modulesPage.py | 2 +- |
||||||
|
gui/polgengui.py | 2 +- |
||||||
|
gui/portsPage.py | 2 +- |
||||||
|
gui/semanagePage.py | 2 +- |
||||||
|
gui/statusPage.py | 2 +- |
||||||
|
gui/system-config-selinux.py | 2 +- |
||||||
|
gui/usersPage.py | 2 +- |
||||||
|
python/chcat/chcat | 2 +- |
||||||
|
python/semanage/semanage | 2 +- |
||||||
|
python/semanage/seobject.py | 2 +- |
||||||
|
python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +- |
||||||
|
python/sepolicy/sepolicy.py | 2 +- |
||||||
|
python/sepolicy/sepolicy/__init__.py | 2 +- |
||||||
|
python/sepolicy/sepolicy/generate.py | 2 +- |
||||||
|
python/sepolicy/sepolicy/gui.py | 2 +- |
||||||
|
python/sepolicy/sepolicy/interface.py | 2 +- |
||||||
|
sandbox/sandbox | 2 +- |
||||||
|
21 files changed, 21 insertions(+), 21 deletions(-) |
||||||
|
|
||||||
|
diff --git a/gui/booleansPage.py b/gui/booleansPage.py |
||||||
|
index 7849bea26a06..dd12b6d6ab86 100644 |
||||||
|
--- a/gui/booleansPage.py |
||||||
|
+++ b/gui/booleansPage.py |
||||||
|
@@ -38,7 +38,7 @@ DISABLED = 2 |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/domainsPage.py b/gui/domainsPage.py |
||||||
|
index bad5140d8c59..6bbe4de5884f 100644 |
||||||
|
--- a/gui/domainsPage.py |
||||||
|
+++ b/gui/domainsPage.py |
||||||
|
@@ -30,7 +30,7 @@ from semanagePage import * |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py |
||||||
|
index d26aa1b405a9..52292cae01d2 100644 |
||||||
|
--- a/gui/fcontextPage.py |
||||||
|
+++ b/gui/fcontextPage.py |
||||||
|
@@ -47,7 +47,7 @@ class context: |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/loginsPage.py b/gui/loginsPage.py |
||||||
|
index b67eb8bc42af..cbfb0cc23f65 100644 |
||||||
|
--- a/gui/loginsPage.py |
||||||
|
+++ b/gui/loginsPage.py |
||||||
|
@@ -29,7 +29,7 @@ from semanagePage import * |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/modulesPage.py b/gui/modulesPage.py |
||||||
|
index 0584acf9b3a4..35a0129bab9c 100644 |
||||||
|
--- a/gui/modulesPage.py |
||||||
|
+++ b/gui/modulesPage.py |
||||||
|
@@ -30,7 +30,7 @@ from semanagePage import * |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/polgengui.py b/gui/polgengui.py |
||||||
|
index d284ded65279..01f541bafae8 100644 |
||||||
|
--- a/gui/polgengui.py |
||||||
|
+++ b/gui/polgengui.py |
||||||
|
@@ -63,7 +63,7 @@ def get_all_modules(): |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/portsPage.py b/gui/portsPage.py |
||||||
|
index 30f58383bc1d..a537ecc8c0a1 100644 |
||||||
|
--- a/gui/portsPage.py |
||||||
|
+++ b/gui/portsPage.py |
||||||
|
@@ -35,7 +35,7 @@ from semanagePage import * |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/semanagePage.py b/gui/semanagePage.py |
||||||
|
index 4127804fbbee..5361d69c1313 100644 |
||||||
|
--- a/gui/semanagePage.py |
||||||
|
+++ b/gui/semanagePage.py |
||||||
|
@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/statusPage.py b/gui/statusPage.py |
||||||
|
index 766854b19cba..a8f079b9b163 100644 |
||||||
|
--- a/gui/statusPage.py |
||||||
|
+++ b/gui/statusPage.py |
||||||
|
@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel" |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py |
||||||
|
index 3f70122b87e8..8c46c987b974 100644 |
||||||
|
--- a/gui/system-config-selinux.py |
||||||
|
+++ b/gui/system-config-selinux.py |
||||||
|
@@ -45,7 +45,7 @@ import selinux |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/gui/usersPage.py b/gui/usersPage.py |
||||||
|
index 26794ed5c3f3..d15d4c5a71dd 100644 |
||||||
|
--- a/gui/usersPage.py |
||||||
|
+++ b/gui/usersPage.py |
||||||
|
@@ -29,7 +29,7 @@ from semanagePage import * |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-gui" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/python/chcat/chcat b/python/chcat/chcat |
||||||
|
index fdd2e46ee3f9..839ddd3b54b6 100755 |
||||||
|
--- a/python/chcat/chcat |
||||||
|
+++ b/python/chcat/chcat |
||||||
|
@@ -30,7 +30,7 @@ import getopt |
||||||
|
import selinux |
||||||
|
import seobject |
||||||
|
|
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/python/semanage/semanage b/python/semanage/semanage |
||||||
|
index 18a2710531ca..0980aecb6311 100644 |
||||||
|
--- a/python/semanage/semanage |
||||||
|
+++ b/python/semanage/semanage |
||||||
|
@@ -30,7 +30,7 @@ import seobject |
||||||
|
import sys |
||||||
|
import traceback |
||||||
|
|
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py |
||||||
|
index 21adbf6eb74f..69e60db80060 100644 |
||||||
|
--- a/python/semanage/seobject.py |
||||||
|
+++ b/python/semanage/seobject.py |
||||||
|
@@ -29,7 +29,7 @@ import sys |
||||||
|
import stat |
||||||
|
import socket |
||||||
|
from semanage import * |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
import sepolicy |
||||||
|
from setools.policyrep import SELinuxPolicy |
||||||
|
from setools.typequery import TypeQuery |
||||||
|
diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py |
||||||
|
index 998c4356415c..56ebd807c69c 100644 |
||||||
|
--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py |
||||||
|
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py |
||||||
|
@@ -19,7 +19,7 @@ |
||||||
|
|
||||||
|
try: |
||||||
|
import gettext |
||||||
|
- t = gettext.translation( 'yumex' ) |
||||||
|
+ t = gettext.translation( 'selinux-python' ) |
||||||
|
_ = t.gettext |
||||||
|
except: |
||||||
|
def _(str): |
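Review bot: `gettext.translation('selinux-python')` raises an OSError whenever the selinux-python catalog is not installed, and the only thing keeping sepolgen importable in that case is the bare `except:` on the context line below, which also swallows KeyboardInterrupt and masks genuine errors; passing `t = gettext.translation('selinux-python', fallback=True)` returns a NullTranslations so `t.gettext` always exists, and the except clause can then be narrowed or dropped. The try/except block continues past the hunk.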
||||||
|
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py |
||||||
|
index 7b2230651099..32956e58f52e 100755 |
||||||
|
--- a/python/sepolicy/sepolicy.py |
||||||
|
+++ b/python/sepolicy/sepolicy.py |
||||||
|
@@ -28,7 +28,7 @@ import sepolicy |
||||||
|
from multiprocessing import Pool |
||||||
|
from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text |
||||||
|
import argparse |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py |
||||||
|
index 8055a12f6020..aa8beda313c8 100644 |
||||||
|
--- a/python/sepolicy/sepolicy/__init__.py |
||||||
|
+++ b/python/sepolicy/sepolicy/__init__.py |
||||||
|
@@ -23,7 +23,7 @@ from setools.typeattrquery import TypeAttributeQuery |
||||||
|
from setools.typequery import TypeQuery |
||||||
|
from setools.userquery import UserQuery |
||||||
|
|
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py |
||||||
|
index 4e1ed4e9dc31..43180ca6fda4 100644 |
||||||
|
--- a/python/sepolicy/sepolicy/generate.py |
||||||
|
+++ b/python/sepolicy/sepolicy/generate.py |
||||||
|
@@ -48,7 +48,7 @@ import sepolgen.defaults as defaults |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py |
||||||
|
index 1e86422b864a..c9ca158ddd09 100644 |
||||||
|
--- a/python/sepolicy/sepolicy/gui.py |
||||||
|
+++ b/python/sepolicy/sepolicy/gui.py |
||||||
|
@@ -41,7 +41,7 @@ import os |
||||||
|
import re |
||||||
|
import unicodedata |
||||||
|
|
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py |
||||||
|
index bdffb770f364..9d40aea1498d 100644 |
||||||
|
--- a/python/sepolicy/sepolicy/interface.py |
||||||
|
+++ b/python/sepolicy/sepolicy/interface.py |
||||||
|
@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us |
||||||
|
## |
||||||
|
## I18N |
||||||
|
## |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-python" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
diff --git a/sandbox/sandbox b/sandbox/sandbox |
||||||
|
index ca5f1e030a51..16c43b51eaaa 100644 |
||||||
|
--- a/sandbox/sandbox |
||||||
|
+++ b/sandbox/sandbox |
||||||
|
@@ -37,7 +37,7 @@ import sepolicy |
||||||
|
|
||||||
|
SEUNSHARE = "/usr/sbin/seunshare" |
||||||
|
SANDBOXSH = "/usr/share/sandbox/sandboxX.sh" |
||||||
|
-PROGNAME = "policycoreutils" |
||||||
|
+PROGNAME = "selinux-sandbox" |
||||||
|
try: |
||||||
|
import gettext |
||||||
|
kwargs = {} |
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,30 @@ |
|||||||
|
From f5045f645cfa10fed01b4225d26d98ea9f81f085 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Vit Mojzis <vmojzis@redhat.com> |
||||||
|
Date: Wed, 21 Mar 2018 08:51:31 +0100 |
||||||
|
Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch |
||||||
|
|
||||||
|
The "-q" switch is becoming obsolete (completely unused in fedora) and |
||||||
|
debug output ("-d" switch) makes sense in any scenario. Therefore both |
||||||
|
options can be specified at once. |
||||||
|
|
||||||
|
Resolves: rhbz#1271327 |
||||||
|
--- |
||||||
|
policycoreutils/setfiles/setfiles.8 | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 |
||||||
|
index 4d28bc9a95c1..8e6c4ab94841 100644 |
||||||
|
--- a/policycoreutils/setfiles/setfiles.8 |
||||||
|
+++ b/policycoreutils/setfiles/setfiles.8 |
||||||
|
@@ -57,7 +57,7 @@ option will force a replacement of the entire context. |
||||||
|
check the validity of the contexts against the specified binary policy. |
||||||
|
.TP |
||||||
|
.B \-d |
||||||
|
-show what specification matched each file. |
||||||
|
+show what specification matched each file. Not affected by "\-q". |
||||||
|
.TP |
||||||
|
.BI \-e \ directory |
||||||
|
directory to exclude (repeat option for more than one directory). |
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,71 @@ |
|||||||
|
From 53c27e891b9053a9bbbbca5a854deb4fc526a8a2 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Masatake YAMATO <yamato@redhat.com> |
||||||
|
Date: Thu, 14 Dec 2017 15:57:58 +0900 |
||||||
|
Subject: [PATCH] sepolicy-generate: Handle more reserved port types |
||||||
|
|
||||||
|
Currently only reserved_port_t, port_t and hi_reserved_port_t are |
||||||
|
handled as special when making a ports-dictionary. However, as fas as |
||||||
|
corenetwork.te.in of serefpolicy, unreserved_port_t and |
||||||
|
ephemeral_port_t should be handled in the same way, too. |
||||||
|
|
||||||
|
(Details) I found the need of this change when I was using |
||||||
|
selinux-polgengui. Though tcp port 12345, which my application may |
||||||
|
use, was given to the gui, selinux-polgengui generates expected te |
||||||
|
file and sh file which didn't utilize the tcp port. |
||||||
|
|
||||||
|
selinux-polgengui checks whether a port given via gui is already typed |
||||||
|
or not. |
||||||
|
|
||||||
|
If it is already typed, selinux-polgengui generates a te file having |
||||||
|
rules to allow the application to use the port. (A) |
||||||
|
|
||||||
|
If not, it seems for me that selinux-polgengui is designed to generate |
||||||
|
a te file having rules to allow the application to own(?) the port; |
||||||
|
and a sh file having a command line to assign the application own type |
||||||
|
to the port. (B) |
||||||
|
|
||||||
|
As we can see the output of `semanage port -l' some of ports for |
||||||
|
specified purpose have types already. The important point is that the |
||||||
|
rest of ports also have types already: |
||||||
|
|
||||||
|
hi_reserved_port_t tcp 512-1023 |
||||||
|
hi_reserved_port_t udp 512-1023 |
||||||
|
unreserved_port_t tcp 1024-32767, 61001-65535 |
||||||
|
unreserved_port_t udp 1024-32767, 61001-65535 |
||||||
|
ephemeral_port_t tcp 32768-61000 |
||||||
|
ephemeral_port_t udp 32768-61000 |
||||||
|
|
||||||
|
As my patch shows, the original selinux-polgengui ignored |
||||||
|
hi_reserved_port_t; though hi_reserved_port_t is assigned, |
||||||
|
selinux-polgengui considered ports 512-1023 are not used. As the |
||||||
|
result selinux-polgengui generates file sets of (B). |
||||||
|
|
||||||
|
For the purpose of selinux-polgengui, I think unreserved_port_t and |
||||||
|
ephemeral_port_t are treated as the same as hi_reserved_port_t. |
||||||
|
|
||||||
|
Signed-off-by: Masatake YAMATO <yamato@redhat.com> |
||||||
|
|
||||||
|
Fedora only patch: |
||||||
|
https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/ |
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/generate.py | 4 +++- |
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py |
||||||
|
index 43180ca6fda4..d60a08e1d72c 100644 |
||||||
|
--- a/python/sepolicy/sepolicy/generate.py |
||||||
|
+++ b/python/sepolicy/sepolicy/generate.py |
||||||
|
@@ -99,7 +99,9 @@ def get_all_ports(): |
||||||
|
for p in sepolicy.info(sepolicy.PORT): |
||||||
|
if p['type'] == "reserved_port_t" or \ |
||||||
|
p['type'] == "port_t" or \ |
||||||
|
- p['type'] == "hi_reserved_port_t": |
||||||
|
+ p['type'] == "hi_reserved_port_t" or \ |
||||||
|
+ p['type'] == "ephemeral_port_t" or \ |
||||||
|
+ p['type'] == "unreserved_port_t": |
||||||
|
continue |
||||||
|
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) |
||||||
|
return dict |
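Review bot: The growing chain of `p['type'] == ...` comparisons is better expressed as a membership test, `if p['type'] in ("reserved_port_t", "port_t", "hi_reserved_port_t", "ephemeral_port_t", "unreserved_port_t"): continue`, which makes the next addition a one-token change. Because ports carrying ephemeral_port_t or unreserved_port_t are now reported as unassigned, the generator will presumably (per the commit message) emit a setup script that labels such a port with the application's own type, replacing the generic type for that port number system-wide; a short comment at this skip list stating that consequence would help users of the generator. `get_all_ports` starts before this hunk.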
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,24 @@ |
|||||||
|
From f1acc9a3057e199d62c6b8ec6e77fc33ca3db1d1 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Thu, 8 Nov 2018 09:20:58 +0100 |
||||||
|
Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects |
||||||
|
|
||||||
|
--- |
||||||
|
semodule-utils/semodule_package/semodule_package.c | 1 + |
||||||
|
1 file changed, 1 insertion(+) |
||||||
|
|
||||||
|
diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c |
||||||
|
index 3515234e36de..7b75b3fd9bb4 100644 |
||||||
|
--- a/semodule-utils/semodule_package/semodule_package.c |
||||||
|
+++ b/semodule-utils/semodule_package/semodule_package.c |
||||||
|
@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len) |
||||||
|
} |
||||||
|
if (!sb.st_size) { |
||||||
|
*len = 0; |
||||||
|
+ close(fd); |
||||||
|
return 0; |
||||||
|
} |
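Review bot: On the zero-length path the function now closes `fd` but still returns with `*data` unassigned while `*len` is set to 0, so a caller that frees or inspects `*data` without first checking `*len` would act on an indeterminate pointer; unless every caller gates on `*len` (not visible here), add `*data = NULL;` next to `*len = 0;` so the early return is self-describing. `file_to_data` starts and ends outside this hunk.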
||||||
|
|
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,74 @@ |
|||||||
|
From be804ecd456a52803067e1aa11e20ef69788221c Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Wed, 18 Jul 2018 09:09:35 +0200 |
||||||
|
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox |
||||||
|
|
||||||
|
--- |
||||||
|
sandbox/sandbox | 4 ++-- |
||||||
|
sandbox/sandbox.8 | 2 +- |
||||||
|
sandbox/sandboxX.sh | 14 -------------- |
||||||
|
3 files changed, 3 insertions(+), 17 deletions(-) |
||||||
|
|
||||||
|
diff --git a/sandbox/sandbox b/sandbox/sandbox |
||||||
|
index 16c43b51eaaa..7709a6585665 100644 |
||||||
|
--- a/sandbox/sandbox |
||||||
|
+++ b/sandbox/sandbox |
||||||
|
@@ -268,7 +268,7 @@ class Sandbox: |
||||||
|
copyfile(f, "/tmp", self.__tmpdir) |
||||||
|
copyfile(f, "/var/tmp", self.__tmpdir) |
||||||
|
|
||||||
|
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): |
||||||
|
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): |
||||||
|
execfile = self.__homedir + "/.sandboxrc" |
||||||
|
fd = open(execfile, "w+") |
||||||
|
if self.__options.session: |
||||||
|
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- |
||||||
|
|
||||||
|
parser.add_option("-W", "--windowmanager", dest="wm", |
||||||
|
type="string", |
||||||
|
- default="/usr/bin/openbox", |
||||||
|
+ default="/usr/bin/matchbox-window-manager", |
||||||
|
help=_("alternate window manager")) |
||||||
|
|
||||||
|
parser.add_option("-l", "--level", dest="level", |
||||||
|
diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8 |
||||||
|
index d83fee76f335..90ef4951c8c2 100644 |
||||||
|
--- a/sandbox/sandbox.8 |
||||||
|
+++ b/sandbox/sandbox.8 |
||||||
|
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz |
||||||
|
\fB\-W\fR \fB\-\-windowmanager\fR |
||||||
|
Select alternative window manager to run within |
||||||
|
.B sandbox \-X. |
||||||
|
-Default to /usr/bin/openbox. |
||||||
|
+Default to /usr/bin/matchbox-window-manager. |
||||||
|
.TP |
||||||
|
\fB\-X\fR |
||||||
|
Create an X based Sandbox for gui apps, temporary files for |
||||||
|
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh |
||||||
|
index 4774528027ef..c211ebc14549 100644 |
||||||
|
--- a/sandbox/sandboxX.sh |
||||||
|
+++ b/sandbox/sandboxX.sh |
||||||
|
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 |
||||||
|
[ -z $2 ] && export DPI="96" || export DPI="$2" |
||||||
|
trap "exit 0" HUP |
||||||
|
|
||||||
|
-mkdir -p ~/.config/openbox |
||||||
|
-cat > ~/.config/openbox/rc.xml << EOF |
||||||
|
-<openbox_config xmlns="http://openbox.org/3.4/rc" |
||||||
|
- xmlns:xi="http://www.w3.org/2001/XInclude"> |
||||||
|
-<applications> |
||||||
|
- <application class="*"> |
||||||
|
- <decor>no</decor> |
||||||
|
- <desktop>all</desktop> |
||||||
|
- <maximized>yes</maximized> |
||||||
|
- </application> |
||||||
|
-</applications> |
||||||
|
-</openbox_config> |
||||||
|
-EOF |
||||||
|
- |
||||||
|
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do |
||||||
|
export DISPLAY=:$D |
||||||
|
cat > ~/seremote << __EOF |
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,46 @@ |
|||||||
|
From 0e40b5541773c6daf58bba7048fae6918d74de74 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Ondrej Mosnacek <omosnace@redhat.com> |
||||||
|
Date: Tue, 28 Jul 2020 14:37:13 +0200 |
||||||
|
Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code |
||||||
|
|
||||||
|
Fixes: |
||||||
|
$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8 |
||||||
|
Analyzing 187 Python scripts |
||||||
|
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in' |
||||||
|
./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:774:17: E117 over-indented |
||||||
|
./python/sepolicy/build/lib/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in' |
||||||
|
./python/sepolicy/build/lib/sepolicy/manpage.py:774:17: E117 over-indented |
||||||
|
./python/sepolicy/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in' |
||||||
|
./python/sepolicy/sepolicy/manpage.py:774:17: E117 over-indented |
||||||
|
The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1. |
||||||
|
|
||||||
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> |
||||||
|
--- |
||||||
|
python/sepolicy/sepolicy/manpage.py | 4 ++-- |
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-) |
||||||
|
|
||||||
|
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py |
||||||
|
index ffcedb547993..c013c0d48502 100755 |
||||||
|
--- a/python/sepolicy/sepolicy/manpage.py |
||||||
|
+++ b/python/sepolicy/sepolicy/manpage.py |
||||||
|
@@ -719,7 +719,7 @@ Default Defined Ports:""") |
||||||
|
for f in self.all_file_types: |
||||||
|
if f.startswith(self.domainname): |
||||||
|
flist.append(f) |
||||||
|
- if not f in self.exec_types or not f in self.entry_types: |
||||||
|
+ if f not in self.exec_types or f not in self.entry_types: |
||||||
|
flist_non_exec.append(f) |
||||||
|
if f in self.fcdict: |
||||||
|
mpaths = mpaths + self.fcdict[f]["regex"] |
||||||
|
@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d |
||||||
|
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) |
||||||
|
|
||||||
|
if flist_non_exec: |
||||||
|
- self.fd.write(r""" |
||||||
|
+ self.fd.write(r""" |
||||||
|
.PP |
||||||
|
.B STANDARD FILE CONTEXT |
||||||
|
|
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
@ -0,0 +1,297 @@ |
|||||||
|
From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Fri, 30 Jul 2021 14:14:37 +0200 |
||||||
|
Subject: [PATCH] Use SHA-2 instead of SHA-1 |
||||||
|
|
||||||
|
The use of SHA-1 in RHEL9 is deprecated |
||||||
|
--- |
||||||
|
policycoreutils/setfiles/restorecon.8 | 10 +++++----- |
||||||
|
policycoreutils/setfiles/restorecon_xattr.8 | 8 ++++---- |
||||||
|
policycoreutils/setfiles/restorecon_xattr.c | 12 ++++++------ |
||||||
|
policycoreutils/setfiles/ru/restorecon.8 | 8 ++++---- |
||||||
|
policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++----- |
||||||
|
policycoreutils/setfiles/ru/setfiles.8 | 8 ++++---- |
||||||
|
policycoreutils/setfiles/setfiles.8 | 10 +++++----- |
||||||
|
7 files changed, 33 insertions(+), 33 deletions(-) |
||||||
|
|
||||||
|
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 |
||||||
|
index 668486f66113..a8900f02b3f3 100644 |
||||||
|
--- a/policycoreutils/setfiles/restorecon.8 |
||||||
|
+++ b/policycoreutils/setfiles/restorecon.8 |
||||||
|
@@ -93,14 +93,14 @@ display usage information and exit. |
||||||
|
ignore files that do not exist. |
||||||
|
.TP |
||||||
|
.B \-I |
||||||
|
-ignore digest to force checking of labels even if the stored SHA1 digest |
||||||
|
-matches the specfiles SHA1 digest. The digest will then be updated provided |
||||||
|
+ignore digest to force checking of labels even if the stored SHA256 digest |
||||||
|
+matches the specfiles SHA256 digest. The digest will then be updated provided |
||||||
|
there are no errors. See the |
||||||
|
.B NOTES |
||||||
|
section for further details. |
||||||
|
.TP |
||||||
|
.B \-D |
||||||
|
-Set or update any directory SHA1 digests. Use this option to |
||||||
|
+Set or update any directory SHA256 digests. Use this option to |
||||||
|
enable usage of the |
||||||
|
.IR security.sehash |
||||||
|
extended attribute. |
||||||
|
@@ -191,7 +191,7 @@ the |
||||||
|
.B \-D |
||||||
|
option to |
||||||
|
.B restorecon |
||||||
|
-will cause it to store a SHA1 digest of the default specfiles set in an extended |
||||||
|
+will cause it to store a SHA256 digest of the default specfiles set in an extended |
||||||
|
attribute named |
||||||
|
.IR security.sehash |
||||||
|
on each directory specified in |
||||||
|
@@ -208,7 +208,7 @@ for further details. |
||||||
|
.sp |
||||||
|
The |
||||||
|
.B \-I |
||||||
|
-option will ignore the SHA1 digest from each directory specified in |
||||||
|
+option will ignore the SHA256 digest from each directory specified in |
||||||
|
.IR pathname \ ... |
||||||
|
and provided the |
||||||
|
.B \-n |
||||||
|
diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8 |
||||||
|
index e04528e60824..4b1ce304d995 100644 |
||||||
|
--- a/policycoreutils/setfiles/restorecon_xattr.8 |
||||||
|
+++ b/policycoreutils/setfiles/restorecon_xattr.8 |
||||||
|
@@ -23,7 +23,7 @@ or |
||||||
|
|
||||||
|
.SH "DESCRIPTION" |
||||||
|
.B restorecon_xattr |
||||||
|
-will display the SHA1 digests added to extended attributes |
||||||
|
+will display the SHA256 digests added to extended attributes |
||||||
|
.I security.sehash |
||||||
|
or delete the attribute completely. These attributes are set by |
||||||
|
.BR restorecon (8) |
||||||
|
@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches. |
||||||
|
.sp |
||||||
|
By default |
||||||
|
.B restorecon_xattr |
||||||
|
-will display the SHA1 digests with "Match" appended if they match the default |
||||||
|
+will display the SHA256 digests with "Match" appended if they match the default |
||||||
|
specfile set or the |
||||||
|
.I specfile |
||||||
|
set used with the |
||||||
|
.B \-f |
||||||
|
-option. Non-matching SHA1 digests will be displayed with "No Match" appended. |
||||||
|
+option. Non-matching SHA256 digests will be displayed with "No Match" appended. |
||||||
|
This feature can be disabled by the |
||||||
|
.B \-n |
||||||
|
option. |
||||||
|
@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests. |
||||||
|
recursively descend directories. |
||||||
|
.TP |
||||||
|
.B \-v |
||||||
|
-display SHA1 digest generated by specfile set (Note that this digest is not |
||||||
|
+display SHA256 digest generated by specfile set (Note that this digest is not |
||||||
|
used to match the |
||||||
|
.I security.sehash |
||||||
|
directory digest entries, and is shown for reference only). |
||||||
|
diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c |
||||||
|
index 31fb82fd2099..bc22d3fd4560 100644 |
||||||
|
--- a/policycoreutils/setfiles/restorecon_xattr.c |
||||||
|
+++ b/policycoreutils/setfiles/restorecon_xattr.c |
||||||
|
@@ -38,7 +38,7 @@ int main(int argc, char **argv) |
||||||
|
unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0; |
||||||
|
unsigned int delete_all_digests = 0, ignore_mounts = 0; |
||||||
|
bool display_digest = false; |
||||||
|
- char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL; |
||||||
|
+ char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL; |
||||||
|
unsigned char *fc_digest = NULL; |
||||||
|
size_t i, fc_digest_len = 0, num_specfiles; |
||||||
|
|
||||||
|
@@ -133,8 +133,8 @@ int main(int argc, char **argv) |
||||||
|
exit(-1); |
||||||
|
} |
||||||
|
|
||||||
|
- sha1_buf = malloc(fc_digest_len * 2 + 1); |
||||||
|
- if (!sha1_buf) { |
||||||
|
+ sha256_buf = malloc(fc_digest_len * 2 + 1); |
||||||
|
+ if (!sha256_buf) { |
||||||
|
fprintf(stderr, |
||||||
|
"Error allocating digest buffer: %s\n", |
||||||
|
strerror(errno)); |
||||||
|
@@ -143,16 +143,16 @@ int main(int argc, char **argv) |
||||||
|
} |
||||||
|
|
||||||
|
for (i = 0; i < fc_digest_len; i++) |
||||||
|
- sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]); |
||||||
|
+ sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]); |
||||||
|
|
||||||
|
- printf("specfiles SHA1 digest: %s\n", sha1_buf); |
||||||
|
+ printf("specfiles SHA256 digest: %s\n", sha256_buf); |
||||||
|
|
||||||
|
printf("calculated using the following specfile(s):\n"); |
||||||
|
if (specfiles) { |
||||||
|
for (i = 0; i < num_specfiles; i++) |
||||||
|
printf("%s\n", specfiles[i]); |
||||||
|
} |
||||||
|
- free(sha1_buf); |
||||||
|
+ free(sha256_buf); |
||||||
|
printf("\n"); |
||||||
|
} |
||||||
|
|
||||||
|
diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8 |
||||||
|
index 9be3a63db356..745135020f4b 100644 |
||||||
|
--- a/policycoreutils/setfiles/ru/restorecon.8 |
||||||
|
+++ b/policycoreutils/setfiles/ru/restorecon.8 |
||||||
|
@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас |
||||||
|
игнорировать файлы, которые не существуют. |
||||||
|
.TP |
||||||
|
.B \-I |
||||||
|
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе |
||||||
|
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе |
||||||
|
.B ПРИМЕЧАНИЯ. |
||||||
|
.TP |
||||||
|
.B \-D |
||||||
|
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута |
||||||
|
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута |
||||||
|
.IR security.restorecon_last. |
||||||
|
.TP |
||||||
|
.B \-m |
||||||
|
@@ -159,7 +159,7 @@ GNU |
||||||
|
.B \-D |
||||||
|
команды |
||||||
|
.B restorecon |
||||||
|
-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем |
||||||
|
+обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем |
||||||
|
.IR security.restorecon_last |
||||||
|
для каталогов, указанных в соответствующих путях |
||||||
|
.IR pathname \ ... |
||||||
|
@@ -173,7 +173,7 @@ GNU |
||||||
|
.sp |
||||||
|
Параметр |
||||||
|
.B \-I |
||||||
|
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в |
||||||
|
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в |
||||||
|
.IR pathname \ ... |
||||||
|
, и, при условии, что НЕ установлен параметр |
||||||
|
.B \-n |
||||||
|
diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8 |
||||||
|
index 41c441b8c5c2..25c4c3033334 100644 |
||||||
|
--- a/policycoreutils/setfiles/ru/restorecon_xattr.8 |
||||||
|
+++ b/policycoreutils/setfiles/ru/restorecon_xattr.8 |
||||||
|
@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных |
||||||
|
|
||||||
|
.SH "ОПИСАНИЕ" |
||||||
|
.B restorecon_xattr |
||||||
|
-покажет дайджесты SHA1, добавленные в расширенные атрибуты |
||||||
|
+покажет дайджесты SHA256, добавленные в расширенные атрибуты |
||||||
|
.I security.restorecon_last, |
||||||
|
или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой |
||||||
|
.BR restorecon (8) |
||||||
|
@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных |
||||||
|
.sp |
||||||
|
По умолчанию |
||||||
|
.B restorecon_xattr |
||||||
|
-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации |
||||||
|
+показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации |
||||||
|
.I specfile, |
||||||
|
который установлен с помощью параметра |
||||||
|
.B \-f. |
||||||
|
-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце. |
||||||
|
+Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце. |
||||||
|
Эту возможность можно отключить с помощью параметра |
||||||
|
.B \-n. |
||||||
|
|
||||||
|
@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных |
||||||
|
рекурсивно спускаться по каталогам. |
||||||
|
.TP |
||||||
|
.B \-v |
||||||
|
-показать дайджест SHA1, созданный установленным файлом спецификации. |
||||||
|
+показать дайджест SHA256, созданный установленным файлом спецификации. |
||||||
|
.TP |
||||||
|
.B \-e |
||||||
|
.I directory |
||||||
|
@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных |
||||||
|
.BR file_contexts (5). |
||||||
|
Он будет использоваться |
||||||
|
.BR selabel_open (3) |
||||||
|
-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью |
||||||
|
+для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью |
||||||
|
.BR selabel_digest (3). |
||||||
|
Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию. |
||||||
|
|
||||||
|
diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8 |
||||||
|
index 910101452625..7f2daa09191b 100644 |
||||||
|
--- a/policycoreutils/setfiles/ru/setfiles.8 |
||||||
|
+++ b/policycoreutils/setfiles/ru/setfiles.8 |
||||||
|
@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос |
||||||
|
игнорировать файлы, которые не существуют. |
||||||
|
.TP |
||||||
|
.B \-I |
||||||
|
-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе |
||||||
|
+игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе |
||||||
|
.B ПРИМЕЧАНИЯ. |
||||||
|
.TP |
||||||
|
.B \-D |
||||||
|
-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута |
||||||
|
+установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута |
||||||
|
.IR security.restorecon_last. |
||||||
|
.TP |
||||||
|
.B \-l |
||||||
|
@@ -186,7 +186,7 @@ GNU |
||||||
|
.B \-D |
||||||
|
команды |
||||||
|
.B setfiles . |
||||||
|
-Он обеспечивает сохранение дайджеста SHA1 файла спецификации |
||||||
|
+Он обеспечивает сохранение дайджеста SHA256 файла спецификации |
||||||
|
.B spec_file |
||||||
|
в расширенном атрибуте с именем |
||||||
|
.IR security.restorecon_last |
||||||
|
@@ -204,7 +204,7 @@ GNU |
||||||
|
.sp |
||||||
|
Параметр |
||||||
|
.B \-I |
||||||
|
-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в |
||||||
|
+позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в |
||||||
|
.IR pathname \ ... |
||||||
|
, и, при условии, что НЕ установлен параметр |
||||||
|
.B \-n |
||||||
|
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 |
||||||
|
index 8e6c4ab94841..0692121f2f4d 100644 |
||||||
|
--- a/policycoreutils/setfiles/setfiles.8 |
||||||
|
+++ b/policycoreutils/setfiles/setfiles.8 |
||||||
|
@@ -85,14 +85,14 @@ display usage information and exit. |
||||||
|
ignore files that do not exist. |
||||||
|
.TP |
||||||
|
.B \-I |
||||||
|
-ignore digest to force checking of labels even if the stored SHA1 digest |
||||||
|
-matches the specfiles SHA1 digest. The digest will then be updated provided |
||||||
|
+ignore digest to force checking of labels even if the stored SHA256 digest |
||||||
|
+matches the specfiles SHA256 digest. The digest will then be updated provided |
||||||
|
there are no errors. See the |
||||||
|
.B NOTES |
||||||
|
section for further details. |
||||||
|
.TP |
||||||
|
.B \-D |
||||||
|
-Set or update any directory SHA1 digests. Use this option to |
||||||
|
+Set or update any directory SHA256 digests. Use this option to |
||||||
|
enable usage of the |
||||||
|
.IR security.sehash |
||||||
|
extended attribute. |
||||||
|
@@ -230,7 +230,7 @@ the |
||||||
|
.B \-D |
||||||
|
option to |
||||||
|
.B setfiles |
||||||
|
-will cause it to store a SHA1 digest of the |
||||||
|
+will cause it to store a SHA256 digest of the |
||||||
|
.B spec_file |
||||||
|
set in an extended attribute named |
||||||
|
.IR security.sehash |
||||||
|
@@ -251,7 +251,7 @@ for further details. |
||||||
|
.sp |
||||||
|
The |
||||||
|
.B \-I |
||||||
|
-option will ignore the SHA1 digest from each directory specified in |
||||||
|
+option will ignore the SHA256 digest from each directory specified in |
||||||
|
.IR pathname \ ... |
||||||
|
and provided the |
||||||
|
.B \-n |
||||||
|
-- |
||||||
|
2.32.0 |
||||||
|
|
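Review bot: The label printed in the restorecon_xattr.c hunk is hard-coded (`printf("specfiles SHA256 digest: %s\n", sha256_buf);`) while nothing in this patch changes how the digest is produced — the bytes and `fc_digest_len` still come from selabel_digest(3) in whichever libselinux is linked, so the label is only right when libselinux was updated in step (presumably the matching libselinux change, which is not part of this patch). Deriving the name from the length keeps the output truthful either way, e.g. `printf("specfiles %s digest: %s\n", fc_digest_len == 32 ? "SHA256" : "SHA1", sha256_buf);`, or drop the algorithm name and print `fc_digest_len` alongside the hex. The man-page hunks read fine; the ru/ pages still name the attribute `security.restorecon_last` where the English pages say `security.sehash`, but that predates this change. main() in restorecon_xattr.c starts and ends outside the hunks.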
@ -0,0 +1,253 @@ |
|||||||
|
From fba88f42bf8490a23fa6dcd33de2ccd59170009b Mon Sep 17 00:00:00 2001 |
||||||
|
From: Ondrej Mosnacek <omosnace@redhat.com> |
||||||
|
Date: Tue, 26 Oct 2021 13:52:39 +0200 |
||||||
|
Subject: [PATCH] setfiles/restorecon: support parallel relabeling |
||||||
|
|
||||||
|
Use the newly introduced selinux_restorecon_parallel(3) in |
||||||
|
setfiles/restorecon and a -T option to both to allow enabling parallel |
||||||
|
relabeling. The default behavior without specifying the -T option is to |
||||||
|
use 1 thread; parallel relabeling must be requested explicitly by |
||||||
|
passing -T 0 (which will use as many threads as there are available CPU |
||||||
|
cores) or -T <N>, which will use <N> threads. |
||||||
|
|
||||||
|
=== Benchmarks === |
||||||
|
As measured on a 32-core cloud VM with Fedora 34. Not a fully |
||||||
|
representative environment, but still the scaling is quite good. |
||||||
|
|
||||||
|
WITHOUT PATCHES: |
||||||
|
$ time restorecon -rn /usr |
||||||
|
|
||||||
|
real 0m21.689s |
||||||
|
user 0m21.070s |
||||||
|
sys 0m0.494s |
||||||
|
|
||||||
|
WITH PATCHES: |
||||||
|
$ time restorecon -rn /usr |
||||||
|
|
||||||
|
real 0m23.940s |
||||||
|
user 0m23.127s |
||||||
|
sys 0m0.653s |
||||||
|
$ time restorecon -rn -T 2 /usr |
||||||
|
|
||||||
|
real 0m13.145s |
||||||
|
user 0m25.306s |
||||||
|
sys 0m0.695s |
||||||
|
$ time restorecon -rn -T 4 /usr |
||||||
|
|
||||||
|
real 0m7.559s |
||||||
|
user 0m28.470s |
||||||
|
sys 0m1.099s |
||||||
|
$ time restorecon -rn -T 8 /usr |
||||||
|
|
||||||
|
real 0m5.186s |
||||||
|
user 0m37.450s |
||||||
|
sys 0m2.094s |
||||||
|
$ time restorecon -rn -T 16 /usr |
||||||
|
|
||||||
|
real 0m3.831s |
||||||
|
user 0m51.220s |
||||||
|
sys 0m4.895s |
||||||
|
$ time restorecon -rn -T 32 /usr |
||||||
|
|
||||||
|
real 0m2.650s |
||||||
|
user 1m5.136s |
||||||
|
sys 0m6.614s |
||||||
|
|
||||||
|
Note that the benchmarks were performed in read-only mode (-n), so the |
||||||
|
labels were only read and looked up in the database, not written. When |
||||||
|
fixing labels on a heavily mislabeled system, the scaling would likely |
||||||
|
be event better, since a larger % of work could be done in parallel. |
||||||
|
|
||||||
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> |
||||||
|
--- |
||||||
|
policycoreutils/setfiles/Makefile | 2 +- |
||||||
|
policycoreutils/setfiles/restore.c | 7 ++++--- |
||||||
|
policycoreutils/setfiles/restore.h | 2 +- |
||||||
|
policycoreutils/setfiles/restorecon.8 | 9 +++++++++ |
||||||
|
policycoreutils/setfiles/setfiles.8 | 9 +++++++++ |
||||||
|
policycoreutils/setfiles/setfiles.c | 28 ++++++++++++++++----------- |
||||||
|
6 files changed, 41 insertions(+), 16 deletions(-) |
||||||
|
|
||||||
|
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile |
||||||
|
index 63d818509791..d7670a8ff54b 100644 |
||||||
|
--- a/policycoreutils/setfiles/Makefile |
||||||
|
+++ b/policycoreutils/setfiles/Makefile |
||||||
|
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man |
||||||
|
AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) |
||||||
|
|
||||||
|
CFLAGS ?= -g -Werror -Wall -W |
||||||
|
-override LDLIBS += -lselinux -lsepol |
||||||
|
+override LDLIBS += -lselinux -lsepol -lpthread |
||||||
|
|
||||||
|
ifeq ($(AUDITH), y) |
||||||
|
override CFLAGS += -DUSE_AUDIT |
||||||
|
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c |
||||||
|
index 9d688c609f79..74d48bb3752d 100644 |
||||||
|
--- a/policycoreutils/setfiles/restore.c |
||||||
|
+++ b/policycoreutils/setfiles/restore.c |
||||||
|
@@ -72,7 +72,7 @@ void restore_finish(void) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
-int process_glob(char *name, struct restore_opts *opts) |
||||||
|
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads) |
||||||
|
{ |
||||||
|
glob_t globbuf; |
||||||
|
size_t i = 0; |
||||||
|
@@ -91,8 +91,9 @@ int process_glob(char *name, struct restore_opts *opts) |
||||||
|
continue; |
||||||
|
if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) |
||||||
|
continue; |
||||||
|
- rc = selinux_restorecon(globbuf.gl_pathv[i], |
||||||
|
- opts->restorecon_flags); |
||||||
|
+ rc = selinux_restorecon_parallel(globbuf.gl_pathv[i], |
||||||
|
+ opts->restorecon_flags, |
||||||
|
+ nthreads); |
||||||
|
if (rc < 0) |
||||||
|
errors = rc; |
||||||
|
} |
||||||
|
diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h |
||||||
|
index ac6ad6809f4f..bb35a1db9e34 100644 |
||||||
|
--- a/policycoreutils/setfiles/restore.h |
||||||
|
+++ b/policycoreutils/setfiles/restore.h |
||||||
|
@@ -49,7 +49,7 @@ struct restore_opts { |
||||||
|
void restore_init(struct restore_opts *opts); |
||||||
|
void restore_finish(void); |
||||||
|
void add_exclude(const char *directory); |
||||||
|
-int process_glob(char *name, struct restore_opts *opts); |
||||||
|
+int process_glob(char *name, struct restore_opts *opts, size_t nthreads); |
||||||
|
extern char **exclude_list; |
||||||
|
|
||||||
|
#endif |
||||||
|
diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8 |
||||||
|
index a8900f02b3f3..dbd55ce7c512 100644 |
||||||
|
--- a/policycoreutils/setfiles/restorecon.8 |
||||||
|
+++ b/policycoreutils/setfiles/restorecon.8 |
||||||
|
@@ -33,6 +33,8 @@ restorecon \- restore file(s) default SELinux security contexts. |
||||||
|
.RB [ \-W ] |
||||||
|
.RB [ \-I | \-D ] |
||||||
|
.RB [ \-x ] |
||||||
|
+.RB [ \-T |
||||||
|
+.IR nthreads ] |
||||||
|
|
||||||
|
.SH "DESCRIPTION" |
||||||
|
This manual page describes the |
||||||
|
@@ -160,6 +162,13 @@ prevent |
||||||
|
.B restorecon |
||||||
|
from crossing file system boundaries. |
||||||
|
.TP |
||||||
|
+.BI \-T \ nthreads |
||||||
|
+use up to |
||||||
|
+.I nthreads |
||||||
|
+threads. Specify 0 to create as many threads as there are available |
||||||
|
+CPU cores; 1 to use only a single thread (default); or any positive |
||||||
|
+number to use the given number of threads (if possible). |
||||||
|
+.TP |
||||||
|
.SH "ARGUMENTS" |
||||||
|
.IR pathname \ ... |
||||||
|
The pathname for the file(s) to be relabeled. |
||||||
|
diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8 |
||||||
|
index 0692121f2f4d..8ef9f602e843 100644 |
||||||
|
--- a/policycoreutils/setfiles/setfiles.8 |
||||||
|
+++ b/policycoreutils/setfiles/setfiles.8 |
||||||
|
@@ -19,6 +19,8 @@ setfiles \- set SELinux file security contexts. |
||||||
|
.RB [ \-W ] |
||||||
|
.RB [ \-F ] |
||||||
|
.RB [ \-I | \-D ] |
||||||
|
+.RB [ \-T |
||||||
|
+.IR nthreads ] |
||||||
|
.I spec_file |
||||||
|
.IR pathname \ ... |
||||||
|
|
||||||
|
@@ -161,6 +163,13 @@ quote marks or backslashes. The |
||||||
|
option of GNU |
||||||
|
.B find |
||||||
|
produces input suitable for this mode. |
||||||
|
+.TP |
||||||
|
+.BI \-T \ nthreads |
||||||
|
+use up to |
||||||
|
+.I nthreads |
||||||
|
+threads. Specify 0 to create as many threads as there are available |
||||||
|
+CPU cores; 1 to use only a single thread (default); or any positive |
||||||
|
+number to use the given number of threads (if possible). |
||||||
|
|
||||||
|
.SH "ARGUMENTS" |
||||||
|
.TP |
||||||
|
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c |
||||||
|
index f018d161aa9e..2313a21fa0f3 100644 |
||||||
|
--- a/policycoreutils/setfiles/setfiles.c |
||||||
|
+++ b/policycoreutils/setfiles/setfiles.c |
||||||
|
@@ -1,4 +1,5 @@ |
||||||
|
#include "restore.h" |
||||||
|
+#include <stdlib.h> |
||||||
|
#include <unistd.h> |
||||||
|
#include <fcntl.h> |
||||||
|
#include <stdio_ext.h> |
||||||
|
@@ -34,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name) |
||||||
|
{ |
||||||
|
if (iamrestorecon) { |
||||||
|
fprintf(stderr, |
||||||
|
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n" |
||||||
|
- "usage: %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n", |
||||||
|
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n" |
||||||
|
+ "usage: %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n", |
||||||
|
name, name); |
||||||
|
} else { |
||||||
|
fprintf(stderr, |
||||||
|
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" |
||||||
|
- "usage: %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" |
||||||
|
- "usage: %s -s [-diIDlmnpqvFW] spec_file\n", |
||||||
|
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n" |
||||||
|
+ "usage: %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n" |
||||||
|
+ "usage: %s -s [-diIDlmnpqvFWT] spec_file\n", |
||||||
|
name, name, name); |
||||||
|
} |
||||||
|
exit(-1); |
||||||
|
@@ -144,12 +145,12 @@ int main(int argc, char **argv) |
||||||
|
int opt, i = 0; |
||||||
|
const char *input_filename = NULL; |
||||||
|
int use_input_file = 0; |
||||||
|
- char *buf = NULL; |
||||||
|
- size_t buf_len; |
||||||
|
+ char *buf = NULL, *endptr; |
||||||
|
+ size_t buf_len, nthreads = 1; |
||||||
|
const char *base; |
||||||
|
int errors = 0; |
||||||
|
- const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x"; |
||||||
|
- const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0"; |
||||||
|
+ const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:"; |
||||||
|
+ const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0T:"; |
||||||
|
const char *opts; |
||||||
|
union selinux_callback cb; |
||||||
|
|
||||||
|
@@ -370,6 +371,11 @@ int main(int argc, char **argv) |
||||||
|
usage(argv[0]); |
||||||
|
} |
||||||
|
break; |
||||||
|
+ case 'T': |
||||||
|
+ nthreads = strtoull(optarg, &endptr, 10); |
||||||
|
+ if (*optarg == '\0' || *endptr != '\0') |
||||||
|
+ usage(argv[0]); |
||||||
|
+ break; |
||||||
|
case 'h': |
||||||
|
case '?': |
||||||
|
usage(argv[0]); |
||||||
|
@@ -448,13 +454,13 @@ int main(int argc, char **argv) |
||||||
|
buf[len - 1] = 0; |
||||||
|
if (!strcmp(buf, "/")) |
||||||
|
r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL; |
||||||
|
- errors |= process_glob(buf, &r_opts) < 0; |
||||||
|
+ errors |= process_glob(buf, &r_opts, nthreads) < 0; |
||||||
|
} |
||||||
|
if (strcmp(input_filename, "-") != 0) |
||||||
|
fclose(f); |
||||||
|
} else { |
||||||
|
for (i = optind; i < argc; i++) |
||||||
|
- errors |= process_glob(argv[i], &r_opts) < 0; |
||||||
|
+ errors |= process_glob(argv[i], &r_opts, nthreads) < 0; |
||||||
|
} |
||||||
|
|
||||||
|
maybe_audit_mass_relabel(r_opts.mass_relabel, errors); |
||||||
|
-- |
||||||
|
2.33.1 |
||||||
|
|
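Review bot: The new `-T` parsing in setfiles.c accepts input that strtoull() does not reject: a leading minus sign (`-T -1` silently becomes a huge unsigned nthreads), leading whitespace, and out-of-range values, which are only reported through errno and errno is never examined. Set `errno = 0;` before the call and widen the check to `if (*optarg == '\0' || *optarg == '-' || *endptr != '\0' || errno == ERANGE)`, adding `#include <errno.h>` if setfiles.c does not already have it. The usage strings list `T` among the bare flags (`[-iIDFmnprRv0xT]`) although it takes an argument; `[-T nthreads]` would match the man page wording. In restorecon.8 the inserted block ends with a dangling `+.TP` directly before `.SH "ARGUMENTS"`, which the otherwise identical setfiles.8 hunk does not have. The enclosing main() starts and ends outside the hunks.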
@ -0,0 +1,674 @@ |
|||||||
|
From 4e6165719d3315b6502f3d290a549f9fa14c3238 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Tue, 16 Nov 2021 14:27:11 +0100 |
||||||
|
Subject: [PATCH] semodule: add -m | --checksum option |
||||||
|
|
||||||
|
Since cil doesn't store module name and module version in module itself, |
||||||
|
there's no simple way how to compare that installed module is the same |
||||||
|
version as the module which is supposed to be installed. Even though the |
||||||
|
version was not used by semodule itself, it was apparently used by some |
||||||
|
team. |
||||||
|
|
||||||
|
With `semodule -l --checksum` users get SHA256 hashes of modules and |
||||||
|
could compare them with their files which is faster than installing |
||||||
|
modules again and again. |
||||||
|
|
||||||
|
E.g. |
||||||
|
|
||||||
|
# time ( |
||||||
|
semodule -l --checksum | grep localmodule |
||||||
|
/usr/libexec/selinux/hll/pp localmodule.pp | sha256sum |
||||||
|
) |
||||||
|
localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd |
||||||
|
db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd - |
||||||
|
|
||||||
|
real 0m0.876s |
||||||
|
user 0m0.849s |
||||||
|
sys 0m0.028s |
||||||
|
|
||||||
|
vs |
||||||
|
|
||||||
|
# time semodule -i localmodule.pp |
||||||
|
|
||||||
|
real 0m6.147s |
||||||
|
user 0m5.800s |
||||||
|
sys 0m0.231s |
||||||
|
|
||||||
|
Signed-off-by: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Acked-by: James Carter <jwcart2@gmail.com> |
||||||
|
--- |
||||||
|
policycoreutils/semodule/Makefile | 2 +- |
||||||
|
policycoreutils/semodule/semodule.8 | 6 + |
||||||
|
policycoreutils/semodule/semodule.c | 95 ++++++++- |
||||||
|
policycoreutils/semodule/sha256.c | 294 ++++++++++++++++++++++++++++ |
||||||
|
policycoreutils/semodule/sha256.h | 89 +++++++++ |
||||||
|
5 files changed, 480 insertions(+), 6 deletions(-) |
||||||
|
create mode 100644 policycoreutils/semodule/sha256.c |
||||||
|
create mode 100644 policycoreutils/semodule/sha256.h |
||||||
|
|
||||||
|
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile |
||||||
|
index 73801e487a76..9875ac383280 100644 |
||||||
|
--- a/policycoreutils/semodule/Makefile |
||||||
|
+++ b/policycoreutils/semodule/Makefile |
||||||
|
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man |
||||||
|
|
||||||
|
CFLAGS ?= -Werror -Wall -W |
||||||
|
override LDLIBS += -lsepol -lselinux -lsemanage |
||||||
|
-SEMODULE_OBJS = semodule.o |
||||||
|
+SEMODULE_OBJS = semodule.o sha256.o |
||||||
|
|
||||||
|
all: semodule genhomedircon |
||||||
|
|
||||||
|
diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8 |
||||||
|
index 18d4f708661c..3a2fb21c2481 100644 |
||||||
|
--- a/policycoreutils/semodule/semodule.8 |
||||||
|
+++ b/policycoreutils/semodule/semodule.8 |
||||||
|
@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option. |
||||||
|
.B \-H,\-\-hll |
||||||
|
Extract module as an HLL file. This only affects the \-\-extract option and |
||||||
|
only modules listed in \-\-extract after this option. |
||||||
|
+.TP |
||||||
|
+.B \-m,\-\-checksum |
||||||
|
+Add SHA256 checksum of modules to the list output. |
||||||
|
|
||||||
|
.SH EXAMPLE |
||||||
|
.nf |
||||||
|
@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux" |
||||||
|
# Write the HLL version of puppet and the CIL version of wireshark |
||||||
|
# modules at priority 400 to the current working directory |
||||||
|
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark |
||||||
|
+# Check whether a module in "localmodule.pp" file is same as installed module "localmodule" |
||||||
|
+$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum |
||||||
|
+$ semodule -l -m | grep localmodule |
||||||
|
.fi |
||||||
|
|
||||||
|
.SH SEE ALSO |
||||||
|
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c |
||||||
|
index c815f01546b4..ddbf10455abf 100644 |
||||||
|
--- a/policycoreutils/semodule/semodule.c |
||||||
|
+++ b/policycoreutils/semodule/semodule.c |
||||||
|
@@ -25,6 +25,8 @@ |
||||||
|
#include <sepol/cil/cil.h> |
||||||
|
#include <semanage/modules.h> |
||||||
|
|
||||||
|
+#include "sha256.h" |
||||||
|
+ |
||||||
|
enum client_modes { |
||||||
|
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M, |
||||||
|
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M |
||||||
|
@@ -57,6 +59,7 @@ static semanage_handle_t *sh = NULL; |
||||||
|
static char *store; |
||||||
|
static char *store_root; |
||||||
|
int extract_cil = 0; |
||||||
|
+static int checksum = 0; |
||||||
|
|
||||||
|
extern char *optarg; |
||||||
|
extern int optind; |
||||||
|
@@ -147,6 +150,7 @@ static void usage(char *progname) |
||||||
|
printf(" -S,--store-path use an alternate path for the policy store root\n"); |
||||||
|
printf(" -c, --cil extract module as cil. This only affects module extraction.\n"); |
||||||
|
printf(" -H, --hll extract module as hll. This only affects module extraction.\n"); |
||||||
|
+ printf(" -m, --checksum print module checksum (SHA256).\n"); |
||||||
|
} |
||||||
|
|
||||||
|
/* Sets the global mode variable to new_mode, but only if no other |
||||||
|
@@ -200,6 +204,7 @@ static void parse_command_line(int argc, char **argv) |
||||||
|
{"disable", required_argument, NULL, 'd'}, |
||||||
|
{"path", required_argument, NULL, 'p'}, |
||||||
|
{"store-path", required_argument, NULL, 'S'}, |
||||||
|
+ {"checksum", 0, NULL, 'm'}, |
||||||
|
{NULL, 0, NULL, 0} |
||||||
|
}; |
||||||
|
int extract_selected = 0; |
||||||
|
@@ -210,7 +215,7 @@ static void parse_command_line(int argc, char **argv) |
||||||
|
no_reload = 0; |
||||||
|
priority = 400; |
||||||
|
while ((i = |
||||||
|
- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts, |
||||||
|
+ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts, |
||||||
|
NULL)) != -1) { |
||||||
|
switch (i) { |
||||||
|
case 'b': |
||||||
|
@@ -287,6 +292,9 @@ static void parse_command_line(int argc, char **argv) |
||||||
|
case 'd': |
||||||
|
set_mode(DISABLE_M, optarg); |
||||||
|
break; |
||||||
|
+ case 'm': |
||||||
|
+ checksum = 1; |
||||||
|
+ break; |
||||||
|
case '?': |
||||||
|
default:{ |
||||||
|
usage(argv[0]); |
||||||
|
@@ -338,6 +346,61 @@ static void parse_command_line(int argc, char **argv) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
+/* Get module checksum */ |
||||||
|
+static char *hash_module_data(const char *module_name, const int prio) { |
||||||
|
+ semanage_module_info_t *extract_info = NULL; |
||||||
|
+ semanage_module_key_t *modkey = NULL; |
||||||
|
+ Sha256Context context; |
||||||
|
+ uint8_t sha256_hash[SHA256_HASH_SIZE]; |
||||||
|
+ char *sha256_buf = NULL; |
||||||
|
+ void *data; |
||||||
|
+ size_t data_len = 0, i; |
||||||
|
+ int result; |
||||||
|
+ |
||||||
|
+ result = semanage_module_key_create(sh, &modkey); |
||||||
|
+ if (result != 0) { |
||||||
|
+ goto cleanup_extract; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ result = semanage_module_key_set_name(sh, modkey, module_name); |
||||||
|
+ if (result != 0) { |
||||||
|
+ goto cleanup_extract; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ result = semanage_module_key_set_priority(sh, modkey, prio); |
||||||
|
+ if (result != 0) { |
||||||
|
+ goto cleanup_extract; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ result = semanage_module_extract(sh, modkey, 1, &data, &data_len, |
||||||
|
+ &extract_info); |
||||||
|
+ if (result != 0) { |
||||||
|
+ goto cleanup_extract; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ Sha256Initialise(&context); |
||||||
|
+ Sha256Update(&context, data, data_len); |
||||||
|
+ |
||||||
|
+ Sha256Finalise(&context, (SHA256_HASH *)sha256_hash); |
||||||
|
+ |
||||||
|
+ sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1); |
||||||
|
+ |
||||||
|
+ if (sha256_buf == NULL) |
||||||
|
+ goto cleanup_extract; |
||||||
|
+ |
||||||
|
+ for (i = 0; i < SHA256_HASH_SIZE; i++) { |
||||||
|
+ sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]); |
||||||
|
+ } |
||||||
|
+ sha256_buf[i * 2] = 0; |
||||||
|
+ |
||||||
|
+cleanup_extract: |
||||||
|
+ semanage_module_info_destroy(sh, extract_info); |
||||||
|
+ free(extract_info); |
||||||
|
+ semanage_module_key_destroy(sh, modkey); |
||||||
|
+ free(modkey); |
||||||
|
+ return sha256_buf; |
||||||
|
+} |
||||||
|
+ |
||||||
|
int main(int argc, char *argv[]) |
||||||
|
{ |
||||||
|
int i, commit = 0; |
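Review bot: `Sha256Update(&context, data, data_len)` passes a `size_t` into a `uint32_t BufferSize` parameter (see the new sha256.h in this patch), so a module larger than 4 GiB would be silently hashed only in part and still produce a plausible-looking checksum; a checksum that can quietly cover a prefix of its input is the wrong failure mode for a verification feature. The cheapest fix is to refuse oversized data before hashing, `if (data_len > UINT32_MAX) goto cleanup_extract;`, or to feed the data to Sha256Update() in bounded chunks. Separately, `void *data;` has no initializer, the mapping returned by semanage_module_extract() is never unmapped here (a later patch in this series adds the munmap), and `sha256_buf[i * 2] = 0;` is redundant after calloc(). A NULL return carries no indication of which step failed, so the caller cannot report anything useful; consider an `fprintf(stderr, ...)` at the failure sites.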
||||||
|
@@ -546,6 +609,8 @@ cleanup_extract: |
||||||
|
int modinfos_len = 0; |
||||||
|
semanage_module_info_t *m = NULL; |
||||||
|
int j = 0; |
||||||
|
+ char *module_checksum = NULL; |
||||||
|
+ uint16_t pri = 0; |
||||||
|
|
||||||
|
if (verbose) { |
||||||
|
printf |
||||||
|
@@ -570,7 +635,18 @@ cleanup_extract: |
||||||
|
result = semanage_module_info_get_name(sh, m, &name); |
||||||
|
if (result != 0) goto cleanup_list; |
||||||
|
|
||||||
|
- printf("%s\n", name); |
||||||
|
+ result = semanage_module_info_get_priority(sh, m, &pri); |
||||||
|
+ if (result != 0) goto cleanup_list; |
||||||
|
+ |
||||||
|
+ printf("%s", name); |
||||||
|
+ if (checksum) { |
||||||
|
+ module_checksum = hash_module_data(name, pri); |
||||||
|
+ if (module_checksum) { |
||||||
|
+ printf(" %s", module_checksum); |
||||||
|
+ free(module_checksum); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ printf("\n"); |
||||||
|
} |
||||||
|
} |
||||||
|
else if (strcmp(mode_arg, "full") == 0) { |
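Review bot: When `hash_module_data()` returns NULL the module name is printed without a checksum and no diagnostic is emitted, so `semodule -lm` output that merely lacks a hash is indistinguishable from a formatting difference and the exit status presumably stays 0. Report the failure, e.g. `fprintf(stderr, "%s: could not compute checksum for module %s\n", argv[0], name);` and record an error so main() exits non-zero, or at least print a fixed placeholder in the checksum column. The same silent-skip pattern is repeated in the `full` listing branch later in this patch. The enclosing listing block begins before this hunk.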
||||||
|
@@ -585,11 +661,12 @@ cleanup_extract: |
||||||
|
} |
||||||
|
|
||||||
|
/* calculate column widths */ |
||||||
|
- size_t column[4] = { 0, 0, 0, 0 }; |
||||||
|
+ size_t column[5] = { 0, 0, 0, 0, 0 }; |
||||||
|
|
||||||
|
/* fixed width columns */ |
||||||
|
column[0] = sizeof("000") - 1; |
||||||
|
column[3] = sizeof("disabled") - 1; |
||||||
|
+ column[4] = 64; /* SHA256_HASH_SIZE * 2 */ |
||||||
|
|
||||||
|
/* variable width columns */ |
||||||
|
const char *tmp = NULL; |
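Review bot: `column[4] = 64; /* SHA256_HASH_SIZE * 2 */` hard-codes a width that the comment itself derives from a macro already in scope through sha256.h, so the two can drift apart silently if the digest is ever changed. Prefer `column[4] = SHA256_HASH_SIZE * 2;`, which also matches the `calloc(1, SHA256_HASH_SIZE * 2 + 1)` sizing in hash_module_data(). The surrounding listing code begins before this hunk.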
||||||
|
@@ -612,7 +689,6 @@ cleanup_extract: |
||||||
|
|
||||||
|
/* print out each module */ |
||||||
|
for (j = 0; j < modinfos_len; j++) { |
||||||
|
- uint16_t pri = 0; |
||||||
|
const char *name = NULL; |
||||||
|
int enabled = 0; |
||||||
|
const char *lang_ext = NULL; |
||||||
|
@@ -631,11 +707,20 @@ cleanup_extract: |
||||||
|
result = semanage_module_info_get_lang_ext(sh, m, &lang_ext); |
||||||
|
if (result != 0) goto cleanup_list; |
||||||
|
|
||||||
|
- printf("%0*u %-*s %-*s %-*s\n", |
||||||
|
+ printf("%0*u %-*s %-*s %-*s", |
||||||
|
(int)column[0], pri, |
||||||
|
(int)column[1], name, |
||||||
|
(int)column[2], lang_ext, |
||||||
|
(int)column[3], enabled ? "" : "disabled"); |
||||||
|
+ if (checksum) { |
||||||
|
+ module_checksum = hash_module_data(name, pri); |
||||||
|
+ if (module_checksum) { |
||||||
|
+ printf(" %-*s", (int)column[4], module_checksum); |
||||||
|
+ free(module_checksum); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ printf("\n"); |
||||||
|
+ |
||||||
|
} |
||||||
|
} |
||||||
|
else { |
||||||
|
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..fe2aeef07f53 |
||||||
|
--- /dev/null |
||||||
|
+++ b/policycoreutils/semodule/sha256.c |
||||||
|
@@ -0,0 +1,294 @@ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// WjCryptLib_Sha256 |
||||||
|
+// |
||||||
|
+// Implementation of SHA256 hash function. |
||||||
|
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org |
||||||
|
+// Modified by WaterJuice retaining Public Domain license. |
||||||
|
+// |
||||||
|
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// IMPORTS |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+#include "sha256.h" |
||||||
|
+#include <memory.h> |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// MACROS |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) |
||||||
|
+ |
||||||
|
+#define MIN(x, y) ( ((x)<(y))?(x):(y) ) |
||||||
|
+ |
||||||
|
+#define STORE32H(x, y) \ |
||||||
|
+ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ |
||||||
|
+ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } |
||||||
|
+ |
||||||
|
+#define LOAD32H(x, y) \ |
||||||
|
+ { x = ((uint32_t)((y)[0] & 255)<<24) | \ |
||||||
|
+ ((uint32_t)((y)[1] & 255)<<16) | \ |
||||||
|
+ ((uint32_t)((y)[2] & 255)<<8) | \ |
||||||
|
+ ((uint32_t)((y)[3] & 255)); } |
||||||
|
+ |
||||||
|
+#define STORE64H(x, y) \ |
||||||
|
+ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ |
||||||
|
+ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ |
||||||
|
+ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ |
||||||
|
+ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// CONSTANTS |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+// The K array |
||||||
|
+static const uint32_t K[64] = { |
||||||
|
+ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, |
||||||
|
+ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, |
||||||
|
+ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, |
||||||
|
+ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
||||||
|
+ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, |
||||||
|
+ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, |
||||||
|
+ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, |
||||||
|
+ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
||||||
|
+ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, |
||||||
|
+ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, |
||||||
|
+ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, |
||||||
|
+ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
||||||
|
+ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
||||||
|
+}; |
||||||
|
+ |
||||||
|
+#define BLOCK_SIZE 64 |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// INTERNAL FUNCTIONS |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+// Various logical functions |
||||||
|
+#define Ch( x, y, z ) (z ^ (x & (y ^ z))) |
||||||
|
+#define Maj( x, y, z ) (((x | y) & z) | (x & y)) |
||||||
|
+#define S( x, n ) ror((x),(n)) |
||||||
|
+#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) |
||||||
|
+#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) |
||||||
|
+#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) |
||||||
|
+#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) |
||||||
|
+#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) |
||||||
|
+ |
||||||
|
+#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ |
||||||
|
+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ |
||||||
|
+ t1 = Sigma0(a) + Maj(a, b, c); \ |
||||||
|
+ d += t0; \ |
||||||
|
+ h = t0 + t1; |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// TransformFunction |
||||||
|
+// |
||||||
|
+// Compress 512-bits |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+static |
||||||
|
+void |
||||||
|
+ TransformFunction |
||||||
|
+ ( |
||||||
|
+ Sha256Context* Context, |
||||||
|
+ uint8_t const* Buffer |
||||||
|
+ ) |
||||||
|
+{ |
||||||
|
+ uint32_t S[8]; |
||||||
|
+ uint32_t W[64]; |
||||||
|
+ uint32_t t0; |
||||||
|
+ uint32_t t1; |
||||||
|
+ uint32_t t; |
||||||
|
+ int i; |
||||||
|
+ |
||||||
|
+ // Copy state into S |
||||||
|
+ for( i=0; i<8; i++ ) |
||||||
|
+ { |
||||||
|
+ S[i] = Context->state[i]; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ // Copy the state into 512-bits into W[0..15] |
||||||
|
+ for( i=0; i<16; i++ ) |
||||||
|
+ { |
||||||
|
+ LOAD32H( W[i], Buffer + (4*i) ); |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ // Fill W[16..63] |
||||||
|
+ for( i=16; i<64; i++ ) |
||||||
|
+ { |
||||||
|
+ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ // Compress |
||||||
|
+ for( i=0; i<64; i++ ) |
||||||
|
+ { |
||||||
|
+ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); |
||||||
|
+ t = S[7]; |
||||||
|
+ S[7] = S[6]; |
||||||
|
+ S[6] = S[5]; |
||||||
|
+ S[5] = S[4]; |
||||||
|
+ S[4] = S[3]; |
||||||
|
+ S[3] = S[2]; |
||||||
|
+ S[2] = S[1]; |
||||||
|
+ S[1] = S[0]; |
||||||
|
+ S[0] = t; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ // Feedback |
||||||
|
+ for( i=0; i<8; i++ ) |
||||||
|
+ { |
||||||
|
+ Context->state[i] = Context->state[i] + S[i]; |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// PUBLIC FUNCTIONS |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Initialise |
||||||
|
+// |
||||||
|
+// Initialises a SHA256 Context. Use this to initialise/reset a context. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Initialise |
||||||
|
+ ( |
||||||
|
+ Sha256Context* Context // [out] |
||||||
|
+ ) |
||||||
|
+{ |
||||||
|
+ Context->curlen = 0; |
||||||
|
+ Context->length = 0; |
||||||
|
+ Context->state[0] = 0x6A09E667UL; |
||||||
|
+ Context->state[1] = 0xBB67AE85UL; |
||||||
|
+ Context->state[2] = 0x3C6EF372UL; |
||||||
|
+ Context->state[3] = 0xA54FF53AUL; |
||||||
|
+ Context->state[4] = 0x510E527FUL; |
||||||
|
+ Context->state[5] = 0x9B05688CUL; |
||||||
|
+ Context->state[6] = 0x1F83D9ABUL; |
||||||
|
+ Context->state[7] = 0x5BE0CD19UL; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Update |
||||||
|
+// |
||||||
|
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on |
||||||
|
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Update |
||||||
|
+ ( |
||||||
|
+ Sha256Context* Context, // [in out] |
||||||
|
+ void const* Buffer, // [in] |
||||||
|
+ uint32_t BufferSize // [in] |
||||||
|
+ ) |
||||||
|
+{ |
||||||
|
+ uint32_t n; |
||||||
|
+ |
||||||
|
+ if( Context->curlen > sizeof(Context->buf) ) |
||||||
|
+ { |
||||||
|
+ return; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ while( BufferSize > 0 ) |
||||||
|
+ { |
||||||
|
+ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) |
||||||
|
+ { |
||||||
|
+ TransformFunction( Context, (uint8_t*)Buffer ); |
||||||
|
+ Context->length += BLOCK_SIZE * 8; |
||||||
|
+ Buffer = (uint8_t*)Buffer + BLOCK_SIZE; |
||||||
|
+ BufferSize -= BLOCK_SIZE; |
||||||
|
+ } |
||||||
|
+ else |
||||||
|
+ { |
||||||
|
+ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); |
||||||
|
+ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); |
||||||
|
+ Context->curlen += n; |
||||||
|
+ Buffer = (uint8_t*)Buffer + n; |
||||||
|
+ BufferSize -= n; |
||||||
|
+ if( Context->curlen == BLOCK_SIZE ) |
||||||
|
+ { |
||||||
|
+ TransformFunction( Context, Context->buf ); |
||||||
|
+ Context->length += 8*BLOCK_SIZE; |
||||||
|
+ Context->curlen = 0; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Finalise |
||||||
|
+// |
||||||
|
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After |
||||||
|
+// calling this, Sha256Initialised must be used to reuse the context. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Finalise |
||||||
|
+ ( |
||||||
|
+ Sha256Context* Context, // [in out] |
||||||
|
+ SHA256_HASH* Digest // [out] |
||||||
|
+ ) |
||||||
|
+{ |
||||||
|
+ int i; |
||||||
|
+ |
||||||
|
+ if( Context->curlen >= sizeof(Context->buf) ) |
||||||
|
+ { |
||||||
|
+ return; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ // Increase the length of the message |
||||||
|
+ Context->length += Context->curlen * 8; |
||||||
|
+ |
||||||
|
+ // Append the '1' bit |
||||||
|
+ Context->buf[Context->curlen++] = (uint8_t)0x80; |
||||||
|
+ |
||||||
|
+ // if the length is currently above 56 bytes we append zeros |
||||||
|
+ // then compress. Then we can fall back to padding zeros and length |
||||||
|
+ // encoding like normal. |
||||||
|
+ if( Context->curlen > 56 ) |
||||||
|
+ { |
||||||
|
+ while( Context->curlen < 64 ) |
||||||
|
+ { |
||||||
|
+ Context->buf[Context->curlen++] = (uint8_t)0; |
||||||
|
+ } |
||||||
|
+ TransformFunction(Context, Context->buf); |
||||||
|
+ Context->curlen = 0; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ // Pad up to 56 bytes of zeroes |
||||||
|
+ while( Context->curlen < 56 ) |
||||||
|
+ { |
||||||
|
+ Context->buf[Context->curlen++] = (uint8_t)0; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ // Store length |
||||||
|
+ STORE64H( Context->length, Context->buf+56 ); |
||||||
|
+ TransformFunction( Context, Context->buf ); |
||||||
|
+ |
||||||
|
+ // Copy output |
||||||
|
+ for( i=0; i<8; i++ ) |
||||||
|
+ { |
||||||
|
+ STORE32H( Context->state[i], Digest->bytes+(4*i) ); |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Calculate |
||||||
|
+// |
||||||
|
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the |
||||||
|
+// buffer. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Calculate |
||||||
|
+ ( |
||||||
|
+ void const* Buffer, // [in] |
||||||
|
+ uint32_t BufferSize, // [in] |
||||||
|
+ SHA256_HASH* Digest // [in] |
||||||
|
+ ) |
||||||
|
+{ |
||||||
|
+ Sha256Context context; |
||||||
|
+ |
||||||
|
+ Sha256Initialise( &context ); |
||||||
|
+ Sha256Update( &context, Buffer, BufferSize ); |
||||||
|
+ Sha256Finalise( &context, Digest ); |
||||||
|
+} |
||||||
|
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h |
||||||
|
new file mode 100644 |
||||||
|
index 000000000000..406ed869cd82 |
||||||
|
--- /dev/null |
||||||
|
+++ b/policycoreutils/semodule/sha256.h |
||||||
|
@@ -0,0 +1,89 @@ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// WjCryptLib_Sha256 |
||||||
|
+// |
||||||
|
+// Implementation of SHA256 hash function. |
||||||
|
+// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org |
||||||
|
+// Modified by WaterJuice retaining Public Domain license. |
||||||
|
+// |
||||||
|
+// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+#pragma once |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// IMPORTS |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+#include <stdint.h> |
||||||
|
+#include <stdio.h> |
||||||
|
+ |
||||||
|
+typedef struct |
||||||
|
+{ |
||||||
|
+ uint64_t length; |
||||||
|
+ uint32_t state[8]; |
||||||
|
+ uint32_t curlen; |
||||||
|
+ uint8_t buf[64]; |
||||||
|
+} Sha256Context; |
||||||
|
+ |
||||||
|
+#define SHA256_HASH_SIZE ( 256 / 8 ) |
||||||
|
+ |
||||||
|
+typedef struct |
||||||
|
+{ |
||||||
|
+ uint8_t bytes [SHA256_HASH_SIZE]; |
||||||
|
+} SHA256_HASH; |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// PUBLIC FUNCTIONS |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Initialise |
||||||
|
+// |
||||||
|
+// Initialises a SHA256 Context. Use this to initialise/reset a context. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Initialise |
||||||
|
+ ( |
||||||
|
+ Sha256Context* Context // [out] |
||||||
|
+ ); |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Update |
||||||
|
+// |
||||||
|
+// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on |
||||||
|
+// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Update |
||||||
|
+ ( |
||||||
|
+ Sha256Context* Context, // [in out] |
||||||
|
+ void const* Buffer, // [in] |
||||||
|
+ uint32_t BufferSize // [in] |
||||||
|
+ ); |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Finalise |
||||||
|
+// |
||||||
|
+// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After |
||||||
|
+// calling this, Sha256Initialised must be used to reuse the context. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Finalise |
||||||
|
+ ( |
||||||
|
+ Sha256Context* Context, // [in out] |
||||||
|
+ SHA256_HASH* Digest // [out] |
||||||
|
+ ); |
||||||
|
+ |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+// Sha256Calculate |
||||||
|
+// |
||||||
|
+// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the |
||||||
|
+// buffer. |
||||||
|
+//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
+void |
||||||
|
+ Sha256Calculate |
||||||
|
+ ( |
||||||
|
+ void const* Buffer, // [in] |
||||||
|
+ uint32_t BufferSize, // [in] |
||||||
|
+ SHA256_HASH* Digest // [in] |
||||||
|
+ ); |
||||||
|
-- |
||||||
|
2.33.1 |
||||||
|
|
@ -0,0 +1,29 @@ |
|||||||
|
From 7537374e7f5802852c0c64b4cb2a9646402e3cba Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Tue, 16 Nov 2021 16:11:22 +0100 |
||||||
|
Subject: [PATCH] semodule: Fix lang_ext column index |
||||||
|
|
||||||
|
lang_ext is 3. column - index number 2. |
||||||
|
|
||||||
|
Signed-off-by: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Acked-by: James Carter <jwcart2@gmail.com> |
||||||
|
--- |
||||||
|
policycoreutils/semodule/semodule.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c |
||||||
|
index ddbf10455abf..57f005ce2c62 100644 |
||||||
|
--- a/policycoreutils/semodule/semodule.c |
||||||
|
+++ b/policycoreutils/semodule/semodule.c |
||||||
|
@@ -684,7 +684,7 @@ cleanup_extract: |
||||||
|
if (result != 0) goto cleanup_list; |
||||||
|
|
||||||
|
size = strlen(tmp); |
||||||
|
- if (size > column[3]) column[3] = size; |
||||||
|
+ if (size > column[2]) column[2] = size; |
||||||
|
} |
||||||
|
|
||||||
|
/* print out each module */ |
||||||
|
-- |
||||||
|
2.33.1 |
||||||
|
|
@ -0,0 +1,32 @@ |
|||||||
|
From 0c4e5d70fde006977e798d6cc7d80db2e8af7bb9 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Date: Tue, 23 Nov 2021 17:38:51 +0100 |
||||||
|
Subject: [PATCH] semodule: Don't forget to munmap() data |
||||||
|
|
||||||
|
semanage_module_extract() mmap()'s the module raw data but it leaves it to
||||||
|
the caller to munmap() it.
||||||
|
|
||||||
|
Reported-by: Ondrej Mosnacek <omosnace@redhat.com> |
||||||
|
Signed-off-by: Petr Lautrbach <plautrba@redhat.com> |
||||||
|
Acked-by: James Carter <jwcart2@gmail.com> |
||||||
|
--- |
||||||
|
policycoreutils/semodule/semodule.c | 3 +++ |
||||||
|
1 file changed, 3 insertions(+) |
||||||
|
|
||||||
|
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c |
||||||
|
index 57f005ce2c62..94a9d131bb79 100644 |
||||||
|
--- a/policycoreutils/semodule/semodule.c |
||||||
|
+++ b/policycoreutils/semodule/semodule.c |
||||||
|
@@ -394,6 +394,9 @@ static char *hash_module_data(const char *module_name, const int prio) { |
||||||
|
sha256_buf[i * 2] = 0; |
||||||
|
|
||||||
|
cleanup_extract: |
||||||
|
+ if (data_len > 0) { |
||||||
|
+ munmap(data, data_len); |
||||||
|
+ } |
||||||
|
semanage_module_info_destroy(sh, extract_info); |
||||||
|
free(extract_info); |
||||||
|
semanage_module_key_destroy(sh, modkey); |
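Review bot: The new `if (data_len > 0) munmap(data, data_len);` keys the unmap on the length rather than on the pointer, which only works because `data_len` is zero-initialised at the top of hash_module_data() (outside this hunk) while `data` itself is declared there without an initializer; should semanage_module_extract() ever store a length before failing, this would munmap() an indeterminate pointer. Initialising `void *data = NULL;` and testing `if (data != NULL) munmap(data, data_len);` ties the cleanup to the resource actually being released. Ignoring munmap()'s return value is acceptable for a read-only mapping.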
||||||
|
-- |
||||||
|
2.33.1 |
||||||
|
|
@ -0,0 +1,539 @@ |
|||||||
|
From 7809f29b68e17a455478990ae9b22728381a126b Mon Sep 17 00:00:00 2001 |
||||||
|
From: Ondrej Mosnacek <omosnace@redhat.com> |
||||||
|
Date: Thu, 3 Feb 2022 17:53:23 +0100 |
||||||
|
Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage |
||||||
|
|
||||||
|
The main goal of this move is to have the SHA-256 implementation under |
||||||
|
libsemanage, since upcoming patches will make use of SHA-256 for a |
||||||
|
different (but similar) purpose in libsemanage. Having the hashing code |
||||||
|
in libsemanage will reduce code duplication and allow for easier hash |
||||||
|
algorithm upgrade in the future. |
||||||
|
|
||||||
|
Note that libselinux currently also contains a hash function |
||||||
|
implementation (for yet another different purpose). This patch doesn't |
||||||
|
make any effort to address that duplicity yet. |
||||||
|
|
||||||
|
This patch also changes the format of the hash string printed by |
||||||
|
semodule to include the name of the hash. The intent is to avoid |
||||||
|
ambiguity and potential collisions when the algorithm is potentially |
||||||
|
changed in the future. |
||||||
|
|
||||||
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> |
||||||
|
--- |
||||||
|
policycoreutils/semodule/Makefile | 2 +- |
||||||
|
policycoreutils/semodule/semodule.c | 53 ++--- |
||||||
|
policycoreutils/semodule/sha256.c | 294 ---------------------------- |
||||||
|
policycoreutils/semodule/sha256.h | 89 --------- |
||||||
|
4 files changed, 17 insertions(+), 421 deletions(-) |
||||||
|
delete mode 100644 policycoreutils/semodule/sha256.c |
||||||
|
delete mode 100644 policycoreutils/semodule/sha256.h |
||||||
|
|
||||||
|
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile |
||||||
|
index 9875ac383280..73801e487a76 100644 |
||||||
|
--- a/policycoreutils/semodule/Makefile |
||||||
|
+++ b/policycoreutils/semodule/Makefile |
||||||
|
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man |
||||||
|
|
||||||
|
CFLAGS ?= -Werror -Wall -W |
||||||
|
override LDLIBS += -lsepol -lselinux -lsemanage |
||||||
|
-SEMODULE_OBJS = semodule.o sha256.o |
||||||
|
+SEMODULE_OBJS = semodule.o |
||||||
|
|
||||||
|
all: semodule genhomedircon |
||||||
|
|
||||||
|
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c |
||||||
|
index 94a9d131bb79..f4a76289efa3 100644 |
||||||
|
--- a/policycoreutils/semodule/semodule.c |
||||||
|
+++ b/policycoreutils/semodule/semodule.c |
||||||
|
@@ -25,8 +25,6 @@ |
||||||
|
#include <sepol/cil/cil.h> |
||||||
|
#include <semanage/modules.h> |
||||||
|
|
||||||
|
-#include "sha256.h" |
||||||
|
- |
||||||
|
enum client_modes { |
||||||
|
NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M, |
||||||
|
LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M |
||||||
|
@@ -348,60 +346,38 @@ static void parse_command_line(int argc, char **argv) |
||||||
|
|
||||||
|
/* Get module checksum */ |
||||||
|
static char *hash_module_data(const char *module_name, const int prio) { |
||||||
|
- semanage_module_info_t *extract_info = NULL; |
||||||
|
semanage_module_key_t *modkey = NULL; |
||||||
|
- Sha256Context context; |
||||||
|
- uint8_t sha256_hash[SHA256_HASH_SIZE]; |
||||||
|
- char *sha256_buf = NULL; |
||||||
|
- void *data; |
||||||
|
- size_t data_len = 0, i; |
||||||
|
+ char *hash_str = NULL; |
||||||
|
+ void *hash = NULL; |
||||||
|
+ size_t hash_len = 0; |
||||||
|
int result; |
||||||
|
|
||||||
|
result = semanage_module_key_create(sh, &modkey); |
||||||
|
if (result != 0) { |
||||||
|
- goto cleanup_extract; |
||||||
|
+ goto cleanup; |
||||||
|
} |
||||||
|
|
||||||
|
result = semanage_module_key_set_name(sh, modkey, module_name); |
||||||
|
if (result != 0) { |
||||||
|
- goto cleanup_extract; |
||||||
|
+ goto cleanup; |
||||||
|
} |
||||||
|
|
||||||
|
result = semanage_module_key_set_priority(sh, modkey, prio); |
||||||
|
if (result != 0) { |
||||||
|
- goto cleanup_extract; |
||||||
|
+ goto cleanup; |
||||||
|
} |
||||||
|
|
||||||
|
- result = semanage_module_extract(sh, modkey, 1, &data, &data_len, |
||||||
|
- &extract_info); |
||||||
|
+ result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str, |
||||||
|
+ &hash_len); |
||||||
|
if (result != 0) { |
||||||
|
- goto cleanup_extract; |
||||||
|
- } |
||||||
|
- |
||||||
|
- Sha256Initialise(&context); |
||||||
|
- Sha256Update(&context, data, data_len); |
||||||
|
- |
||||||
|
- Sha256Finalise(&context, (SHA256_HASH *)sha256_hash); |
||||||
|
- |
||||||
|
- sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1); |
||||||
|
- |
||||||
|
- if (sha256_buf == NULL) |
||||||
|
- goto cleanup_extract; |
||||||
|
- |
||||||
|
- for (i = 0; i < SHA256_HASH_SIZE; i++) { |
||||||
|
- sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]); |
||||||
|
+ goto cleanup; |
||||||
|
} |
||||||
|
- sha256_buf[i * 2] = 0; |
||||||
|
|
||||||
|
-cleanup_extract: |
||||||
|
- if (data_len > 0) { |
||||||
|
- munmap(data, data_len); |
||||||
|
- } |
||||||
|
- semanage_module_info_destroy(sh, extract_info); |
||||||
|
- free(extract_info); |
||||||
|
+cleanup: |
||||||
|
+ free(hash); |
||||||
|
semanage_module_key_destroy(sh, modkey); |
||||||
|
free(modkey); |
||||||
|
- return sha256_buf; |
||||||
|
+ return hash_str; |
||||||
|
} |
||||||
|
|
||||||
|
int main(int argc, char *argv[]) |
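Review bot: `void *hash = NULL;` is never assigned — `semanage_module_compute_checksum()` fills `hash_str` and `hash_len` — so the `free(hash);` under `cleanup:` is a dead no-op and `hash_len` is computed but never read. Drop `hash` and `free(hash)`, and either drop `hash_len` or pass NULL if the library accepts it; as written a reader may assume a separate hash buffer exists and is being released. It would also help to state in the comment above the function that the returned string is heap-allocated and owned by the caller, since the listing code frees it. hash_module_data() lies wholly inside this hunk; main() begins on its last line.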
||||||
|
@@ -669,7 +645,10 @@ cleanup_extract: |
||||||
|
/* fixed width columns */ |
||||||
|
column[0] = sizeof("000") - 1; |
||||||
|
column[3] = sizeof("disabled") - 1; |
||||||
|
- column[4] = 64; /* SHA256_HASH_SIZE * 2 */ |
||||||
|
+ |
||||||
|
+ result = semanage_module_compute_checksum(sh, NULL, 0, NULL, |
||||||
|
+ &column[4]); |
||||||
|
+ if (result != 0) goto cleanup_list; |
||||||
|
|
||||||
|
/* variable width columns */ |
||||||
|
const char *tmp = NULL; |
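Review bot: The width query `semanage_module_compute_checksum(sh, NULL, 0, NULL, &column[4])` now runs unconditionally, so a plain `--full` listing without `-m` makes a libsemanage call it does not need and aborts via `goto cleanup_list` if that call fails, whereas before this change column[4] was a constant. Guard it with the flag, `if (checksum) { result = semanage_module_compute_checksum(sh, NULL, 0, NULL, &column[4]); if (result != 0) goto cleanup_list; }`, since column[4] is only consumed inside the `if (checksum)` print path. The listing block begins before this hunk.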
||||||
|
diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c |
||||||
|
deleted file mode 100644 |
||||||
|
index fe2aeef07f53..000000000000 |
||||||
|
--- a/policycoreutils/semodule/sha256.c |
||||||
|
+++ /dev/null |
||||||
|
@@ -1,294 +0,0 @@ |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// WjCryptLib_Sha256 |
||||||
|
-// |
||||||
|
-// Implementation of SHA256 hash function. |
||||||
|
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org |
||||||
|
-// Modified by WaterJuice retaining Public Domain license. |
||||||
|
-// |
||||||
|
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// IMPORTS |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-#include "sha256.h" |
||||||
|
-#include <memory.h> |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// MACROS |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits)))) |
||||||
|
- |
||||||
|
-#define MIN(x, y) ( ((x)<(y))?(x):(y) ) |
||||||
|
- |
||||||
|
-#define STORE32H(x, y) \ |
||||||
|
- { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \ |
||||||
|
- (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); } |
||||||
|
- |
||||||
|
-#define LOAD32H(x, y) \ |
||||||
|
- { x = ((uint32_t)((y)[0] & 255)<<24) | \ |
||||||
|
- ((uint32_t)((y)[1] & 255)<<16) | \ |
||||||
|
- ((uint32_t)((y)[2] & 255)<<8) | \ |
||||||
|
- ((uint32_t)((y)[3] & 255)); } |
||||||
|
- |
||||||
|
-#define STORE64H(x, y) \ |
||||||
|
- { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \ |
||||||
|
- (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \ |
||||||
|
- (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \ |
||||||
|
- (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); } |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// CONSTANTS |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-// The K array |
||||||
|
-static const uint32_t K[64] = { |
||||||
|
- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, |
||||||
|
- 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, |
||||||
|
- 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, |
||||||
|
- 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, |
||||||
|
- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, |
||||||
|
- 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, |
||||||
|
- 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, |
||||||
|
- 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, |
||||||
|
- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, |
||||||
|
- 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, |
||||||
|
- 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, |
||||||
|
- 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, |
||||||
|
- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL |
||||||
|
-}; |
||||||
|
- |
||||||
|
-#define BLOCK_SIZE 64 |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// INTERNAL FUNCTIONS |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-// Various logical functions |
||||||
|
-#define Ch( x, y, z ) (z ^ (x & (y ^ z))) |
||||||
|
-#define Maj( x, y, z ) (((x | y) & z) | (x & y)) |
||||||
|
-#define S( x, n ) ror((x),(n)) |
||||||
|
-#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n)) |
||||||
|
-#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22)) |
||||||
|
-#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25)) |
||||||
|
-#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3)) |
||||||
|
-#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10)) |
||||||
|
- |
||||||
|
-#define Sha256Round( a, b, c, d, e, f, g, h, i ) \ |
||||||
|
- t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ |
||||||
|
- t1 = Sigma0(a) + Maj(a, b, c); \ |
||||||
|
- d += t0; \ |
||||||
|
- h = t0 + t1; |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// TransformFunction |
||||||
|
-// |
||||||
|
-// Compress 512-bits |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-static |
||||||
|
-void |
||||||
|
- TransformFunction |
||||||
|
- ( |
||||||
|
- Sha256Context* Context, |
||||||
|
- uint8_t const* Buffer |
||||||
|
- ) |
||||||
|
-{ |
||||||
|
- uint32_t S[8]; |
||||||
|
- uint32_t W[64]; |
||||||
|
- uint32_t t0; |
||||||
|
- uint32_t t1; |
||||||
|
- uint32_t t; |
||||||
|
- int i; |
||||||
|
- |
||||||
|
- // Copy state into S |
||||||
|
- for( i=0; i<8; i++ ) |
||||||
|
- { |
||||||
|
- S[i] = Context->state[i]; |
||||||
|
- } |
||||||
|
- |
||||||
|
- // Copy the state into 512-bits into W[0..15] |
||||||
|
- for( i=0; i<16; i++ ) |
||||||
|
- { |
||||||
|
- LOAD32H( W[i], Buffer + (4*i) ); |
||||||
|
- } |
||||||
|
- |
||||||
|
- // Fill W[16..63] |
||||||
|
- for( i=16; i<64; i++ ) |
||||||
|
- { |
||||||
|
- W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16]; |
||||||
|
- } |
||||||
|
- |
||||||
|
- // Compress |
||||||
|
- for( i=0; i<64; i++ ) |
||||||
|
- { |
||||||
|
- Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i ); |
||||||
|
- t = S[7]; |
||||||
|
- S[7] = S[6]; |
||||||
|
- S[6] = S[5]; |
||||||
|
- S[5] = S[4]; |
||||||
|
- S[4] = S[3]; |
||||||
|
- S[3] = S[2]; |
||||||
|
- S[2] = S[1]; |
||||||
|
- S[1] = S[0]; |
||||||
|
- S[0] = t; |
||||||
|
- } |
||||||
|
- |
||||||
|
- // Feedback |
||||||
|
- for( i=0; i<8; i++ ) |
||||||
|
- { |
||||||
|
- Context->state[i] = Context->state[i] + S[i]; |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// PUBLIC FUNCTIONS |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Initialise |
||||||
|
-// |
||||||
|
-// Initialises a SHA256 Context. Use this to initialise/reset a context. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Initialise |
||||||
|
- ( |
||||||
|
- Sha256Context* Context // [out] |
||||||
|
- ) |
||||||
|
-{ |
||||||
|
- Context->curlen = 0; |
||||||
|
- Context->length = 0; |
||||||
|
- Context->state[0] = 0x6A09E667UL; |
||||||
|
- Context->state[1] = 0xBB67AE85UL; |
||||||
|
- Context->state[2] = 0x3C6EF372UL; |
||||||
|
- Context->state[3] = 0xA54FF53AUL; |
||||||
|
- Context->state[4] = 0x510E527FUL; |
||||||
|
- Context->state[5] = 0x9B05688CUL; |
||||||
|
- Context->state[6] = 0x1F83D9ABUL; |
||||||
|
- Context->state[7] = 0x5BE0CD19UL; |
||||||
|
-} |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Update |
||||||
|
-// |
||||||
|
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on |
||||||
|
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Update |
||||||
|
- ( |
||||||
|
- Sha256Context* Context, // [in out] |
||||||
|
- void const* Buffer, // [in] |
||||||
|
- uint32_t BufferSize // [in] |
||||||
|
- ) |
||||||
|
-{ |
||||||
|
- uint32_t n; |
||||||
|
- |
||||||
|
- if( Context->curlen > sizeof(Context->buf) ) |
||||||
|
- { |
||||||
|
- return; |
||||||
|
- } |
||||||
|
- |
||||||
|
- while( BufferSize > 0 ) |
||||||
|
- { |
||||||
|
- if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE ) |
||||||
|
- { |
||||||
|
- TransformFunction( Context, (uint8_t*)Buffer ); |
||||||
|
- Context->length += BLOCK_SIZE * 8; |
||||||
|
- Buffer = (uint8_t*)Buffer + BLOCK_SIZE; |
||||||
|
- BufferSize -= BLOCK_SIZE; |
||||||
|
- } |
||||||
|
- else |
||||||
|
- { |
||||||
|
- n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) ); |
||||||
|
- memcpy( Context->buf + Context->curlen, Buffer, (size_t)n ); |
||||||
|
- Context->curlen += n; |
||||||
|
- Buffer = (uint8_t*)Buffer + n; |
||||||
|
- BufferSize -= n; |
||||||
|
- if( Context->curlen == BLOCK_SIZE ) |
||||||
|
- { |
||||||
|
- TransformFunction( Context, Context->buf ); |
||||||
|
- Context->length += 8*BLOCK_SIZE; |
||||||
|
- Context->curlen = 0; |
||||||
|
- } |
||||||
|
- } |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Finalise |
||||||
|
-// |
||||||
|
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After |
||||||
|
-// calling this, Sha256Initialised must be used to reuse the context. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Finalise |
||||||
|
- ( |
||||||
|
- Sha256Context* Context, // [in out] |
||||||
|
- SHA256_HASH* Digest // [out] |
||||||
|
- ) |
||||||
|
-{ |
||||||
|
- int i; |
||||||
|
- |
||||||
|
- if( Context->curlen >= sizeof(Context->buf) ) |
||||||
|
- { |
||||||
|
- return; |
||||||
|
- } |
||||||
|
- |
||||||
|
- // Increase the length of the message |
||||||
|
- Context->length += Context->curlen * 8; |
||||||
|
- |
||||||
|
- // Append the '1' bit |
||||||
|
- Context->buf[Context->curlen++] = (uint8_t)0x80; |
||||||
|
- |
||||||
|
- // if the length is currently above 56 bytes we append zeros |
||||||
|
- // then compress. Then we can fall back to padding zeros and length |
||||||
|
- // encoding like normal. |
||||||
|
- if( Context->curlen > 56 ) |
||||||
|
- { |
||||||
|
- while( Context->curlen < 64 ) |
||||||
|
- { |
||||||
|
- Context->buf[Context->curlen++] = (uint8_t)0; |
||||||
|
- } |
||||||
|
- TransformFunction(Context, Context->buf); |
||||||
|
- Context->curlen = 0; |
||||||
|
- } |
||||||
|
- |
||||||
|
- // Pad up to 56 bytes of zeroes |
||||||
|
- while( Context->curlen < 56 ) |
||||||
|
- { |
||||||
|
- Context->buf[Context->curlen++] = (uint8_t)0; |
||||||
|
- } |
||||||
|
- |
||||||
|
- // Store length |
||||||
|
- STORE64H( Context->length, Context->buf+56 ); |
||||||
|
- TransformFunction( Context, Context->buf ); |
||||||
|
- |
||||||
|
- // Copy output |
||||||
|
- for( i=0; i<8; i++ ) |
||||||
|
- { |
||||||
|
- STORE32H( Context->state[i], Digest->bytes+(4*i) ); |
||||||
|
- } |
||||||
|
-} |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Calculate |
||||||
|
-// |
||||||
|
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the |
||||||
|
-// buffer. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Calculate |
||||||
|
- ( |
||||||
|
- void const* Buffer, // [in] |
||||||
|
- uint32_t BufferSize, // [in] |
||||||
|
- SHA256_HASH* Digest // [in] |
||||||
|
- ) |
||||||
|
-{ |
||||||
|
- Sha256Context context; |
||||||
|
- |
||||||
|
- Sha256Initialise( &context ); |
||||||
|
- Sha256Update( &context, Buffer, BufferSize ); |
||||||
|
- Sha256Finalise( &context, Digest ); |
||||||
|
-} |
||||||
|
diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h |
||||||
|
deleted file mode 100644 |
||||||
|
index 406ed869cd82..000000000000 |
||||||
|
--- a/policycoreutils/semodule/sha256.h |
||||||
|
+++ /dev/null |
||||||
|
@@ -1,89 +0,0 @@ |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// WjCryptLib_Sha256 |
||||||
|
-// |
||||||
|
-// Implementation of SHA256 hash function. |
||||||
|
-// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org |
||||||
|
-// Modified by WaterJuice retaining Public Domain license. |
||||||
|
-// |
||||||
|
-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-#pragma once |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// IMPORTS |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-#include <stdint.h> |
||||||
|
-#include <stdio.h> |
||||||
|
- |
||||||
|
-typedef struct |
||||||
|
-{ |
||||||
|
- uint64_t length; |
||||||
|
- uint32_t state[8]; |
||||||
|
- uint32_t curlen; |
||||||
|
- uint8_t buf[64]; |
||||||
|
-} Sha256Context; |
||||||
|
- |
||||||
|
-#define SHA256_HASH_SIZE ( 256 / 8 ) |
||||||
|
- |
||||||
|
-typedef struct |
||||||
|
-{ |
||||||
|
- uint8_t bytes [SHA256_HASH_SIZE]; |
||||||
|
-} SHA256_HASH; |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// PUBLIC FUNCTIONS |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Initialise |
||||||
|
-// |
||||||
|
-// Initialises a SHA256 Context. Use this to initialise/reset a context. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Initialise |
||||||
|
- ( |
||||||
|
- Sha256Context* Context // [out] |
||||||
|
- ); |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Update |
||||||
|
-// |
||||||
|
-// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on |
||||||
|
-// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Update |
||||||
|
- ( |
||||||
|
- Sha256Context* Context, // [in out] |
||||||
|
- void const* Buffer, // [in] |
||||||
|
- uint32_t BufferSize // [in] |
||||||
|
- ); |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Finalise |
||||||
|
-// |
||||||
|
-// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After |
||||||
|
-// calling this, Sha256Initialised must be used to reuse the context. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Finalise |
||||||
|
- ( |
||||||
|
- Sha256Context* Context, // [in out] |
||||||
|
- SHA256_HASH* Digest // [out] |
||||||
|
- ); |
||||||
|
- |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-// Sha256Calculate |
||||||
|
-// |
||||||
|
-// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the |
||||||
|
-// buffer. |
||||||
|
-//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// |
||||||
|
-void |
||||||
|
- Sha256Calculate |
||||||
|
- ( |
||||||
|
- void const* Buffer, // [in] |
||||||
|
- uint32_t BufferSize, // [in] |
||||||
|
- SHA256_HASH* Digest // [in] |
||||||
|
- ); |
||||||
|
-- |
||||||
|
2.34.1 |
||||||
|
|
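--- /dev/null
+++ b/PLACEHOLDER_PATCH_FILE_PATH
@@ -0,0 +1,144 @@
+From 9341da3478625bb2ba2e7d4f3e227735cc9c8198 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 3 Feb 2022 17:53:27 +0100
+Subject: [PATCH] semodule: add command-line option to detect module changes
+
+Add a new command-line option "--rebuild-if-modules-changed" to control
+the newly introduced check_ext_changes libsemanage flag.
+
+For example, running `semodule --rebuild-if-modules-changed` will ensure
+that any externally added/removed modules (e.g. by an RPM transaction)
+are reflected in the compiled policy, while skipping the most expensive
+part of the rebuild if no module change was deteceted since the last
+libsemanage transaction.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+policycoreutils/semodule/semodule.8 | 7 +++++++
+policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++-------
+2 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
+index 3a2fb21c2481..d1735d216276 100644
+--- a/policycoreutils/semodule/semodule.8
++++ b/policycoreutils/semodule/semodule.8
+@@ -23,6 +23,13 @@ force a reload of policy
+.B \-B, \-\-build
+force a rebuild of policy (also reloads unless \-n is used)
+.TP
++.B \-\-rebuild-if-modules-changed
++Force a rebuild of the policy if any changes to module content are detected
++(by comparing with checksum from the last transaction). One can use this
++instead of \-B to ensure that any changes to the module store done by an
++external tool (e.g. a package manager) are applied, while automatically
++skipping the rebuild if there are no new changes.
++.TP
+.B \-D, \-\-disable_dontaudit
+Temporarily remove dontaudits from policy. Reverts whenever policy is rebuilt
+.TP
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index f4a76289efa3..1ed8e69054e0 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -47,6 +47,7 @@ static int verbose;
+static int reload;
+static int no_reload;
+static int build;
++static int check_ext_changes;
+static int disable_dontaudit;
+static int preserve_tunables;
+static int ignore_module_cache;
+@@ -149,6 +150,9 @@ static void usage(char *progname)
+printf(" -c, --cil extract module as cil. This only affects module extraction.\n");
+printf(" -H, --hll extract module as hll. This only affects module extraction.\n");
+printf(" -m, --checksum print module checksum (SHA256).\n");
++ printf(" --rebuild-if-modules-changed\n"
++ " force policy rebuild if module content changed since\n"
++ " last rebuild (based on checksum)\n");
+}
+
+/* Sets the global mode variable to new_mode, but only if no other
+@@ -180,6 +184,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
+static void parse_command_line(int argc, char **argv)
+{
+static struct option opts[] = {
++ {"rebuild-if-modules-changed", 0, NULL, '\0'},
+{"store", required_argument, NULL, 's'},
+{"base", required_argument, NULL, 'b'},
+{"help", 0, NULL, 'h'},
+@@ -207,15 +212,26 @@ static void parse_command_line(int argc, char **argv)
+};
+int extract_selected = 0;
+int cil_hll_set = 0;
+- int i;
++ int i, longind;
+verbose = 0;
+reload = 0;
+no_reload = 0;
++ check_ext_changes = 0;
+priority = 400;
+while ((i =
+- getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
+- NULL)) != -1) {
++ getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
++ opts, &longind)) != -1) {
+switch (i) {
++ case '\0':
++ switch(longind) {
++ case 0: /* --rebuild-if-modules-changed */
++ check_ext_changes = 1;
++ break;
++ default:
++ usage(argv[0]);
++ exit(1);
++ }
++ break;
+case 'b':
+fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
+set_mode(INSTALL_M, optarg);
+@@ -300,13 +316,13 @@ static void parse_command_line(int argc, char **argv)
+}
+}
+}
+- if ((build || reload) && num_commands) {
++ if ((build || reload || check_ext_changes) && num_commands) {
+fprintf(stderr,
+"build or reload should not be used with other commands\n");
+usage(argv[0]);
+exit(1);
+}
+- if (num_commands == 0 && reload == 0 && build == 0) {
++ if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) {
+fprintf(stderr, "At least one mode must be specified.\n");
+usage(argv[0]);
+exit(1);
+@@ -395,7 +411,7 @@ int main(int argc, char *argv[])
+
+cil_set_log_level(CIL_ERR + verbose);
+
+- if (build)
++ if (build || check_ext_changes)
+commit = 1;
+
+sh = semanage_handle_create();
+@@ -434,7 +450,7 @@ int main(int argc, char *argv[])
+}
+}
+
+- if (build) {
++ if (build || check_ext_changes) {
+if ((result = semanage_begin_transaction(sh)) < 0) {
+fprintf(stderr, "%s: Could not begin transaction: %s\n",
+argv[0], errno ? strerror(errno) : "");
+@@ -807,6 +823,8 @@ cleanup_disable:
+semanage_set_reload(sh, 0);
+if (build)
+semanage_set_rebuild(sh, 1);
++ if (check_ext_changes)
++ semanage_set_check_ext_changes(sh, 1);
+if (disable_dontaudit)
+semanage_set_disable_dontaudit(sh, 1);
+else if (build)
+--
+2.34.1
+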
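Review bot: The guard `if ((build || reload || check_ext_changes) && num_commands)` now also rejects `--rebuild-if-modules-changed` combined with another command, but the diagnostic on the next line still reads `build or reload should not be used with other commands`, so a user who passed only the new option gets an error that never names it; change it to `"build, reload or rebuild-if-modules-changed should not be used with other commands\n"`. The `case '\0': switch(longind) { case 0:` dispatch also ties the handler to the position of the entry in `opts[]`, so inserting or reordering a long option later silently changes which flag gets set; comparing the name instead, `if (strcmp(opts[longind].name, "rebuild-if-modules-changed") == 0)`, removes that coupling. The remaining hunks in main() only gate existing build paths on the new flag and look consistent with the `-B` handling.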
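--- /dev/null
+++ b/PLACEHOLDER_PATCH_FILE_PATH
@@ -0,0 +1,180 @@
+From 09f700e9f953769d1697c46179faba32e4b80c0f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 4 Feb 2022 13:41:12 +0100
+Subject: [PATCH] policycoreutils/fixfiles: Use parallel relabeling
+
+Commit 93902fc8340f ("setfiles/restorecon: support parallel relabeling")
+implemented support for parallel relabeling in setfiles. This is
+available for fixfiles now.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+policycoreutils/scripts/fixfiles | 35 +++++++++++++++++-------------
+policycoreutils/scripts/fixfiles.8 | 17 ++++++++++-----
+2 files changed, 31 insertions(+), 21 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index cb20002ab613..a4a419ab62de 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -110,6 +110,7 @@ BOOTTIME=""
+VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
+FORCEFLAG=""
++THREADS=""
+RPMFILES=""
+PREFC=""
+RESTORE_MODE=""
+@@ -153,7 +154,7 @@ newer() {
+shift
+LogReadOnly
+for m in `echo $FILESYSTEMSRW`; do
+- find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
++ find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
+done;
+}
+
+@@ -197,7 +198,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+esac; \
+fi; \
+done | \
+- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -; \
++ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -; \
+rm -f ${TEMPFILE} ${PREFCTEMPFILE}
+fi
+}
+@@ -235,11 +236,11 @@ LogExcluded
+case "$RESTORE_MODE" in
+RPMFILES)
+for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
+- rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -
++ rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -
+done
+;;
+FILEPATH)
+- ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
++ ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -R -- "$FILEPATH"
+;;
+*)
+if [ -n "${FILESYSTEMSRW}" ]; then
+@@ -247,7 +248,7 @@ case "$RESTORE_MODE" in
+echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+
+if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${THREADS} ${FC} ${FILESYSTEMSRW}
+else
+# we bind mount so we can fix the labels of files that have already been
+# mounted over
+@@ -257,7 +258,7 @@ case "$RESTORE_MODE" in
+
+mkdir -p "${TMP_MOUNT}${m}" || exit 1
+mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+- ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
++ ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+umount "${TMP_MOUNT}${m}" || exit 1
+rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+done;
+@@ -330,8 +331,9 @@ case "$1" in
+fi
+> /.autorelabel || exit $?
+[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+- [ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+- [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
++ [ -z "$BOOTTIME" ] || echo -n "-N $BOOTTIME " >> /.autorelabel
++ [ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo -n "-M " >> /.autorelabel
++ [ -z "$THREADS" ] || echo -n "$THREADS " >> /.autorelabel
+# Force full relabel if SELinux is not enabled
+selinuxenabled || echo -F > /.autorelabel
+echo "System will relabel on next boot"
+@@ -343,17 +345,17 @@ esac
+}
+usage() {
+echo $"""
+-Usage: $0 [-v] [-F] [-M] [-f] relabel
++Usage: $0 [-v] [-F] [-M] [-f] [-T nthreads] relabel
+or
+-Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
++Usage: $0 [-v] [-F] [-B | -N time ] [-T nthreads] { check | restore | verify }
+or
+-Usage: $0 [-v] [-F] { check | restore | verify } dir/file ...
++Usage: $0 [-v] [-F] [-T nthreads] { check | restore | verify } dir/file ...
+or
+-Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
++Usage: $0 [-v] [-F] [-T nthreads] -R rpmpackage[,rpmpackage...] { check | restore | verify }
+or
+-Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
++Usage: $0 [-v] [-F] [-T nthreads] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+or
+-Usage: $0 [-F] [-M] [-B] onboot
++Usage: $0 [-F] [-M] [-B] [-T nthreads] onboot
+"""
+}
+
+@@ -372,7 +374,7 @@ set_restore_mode() {
+}
+
+# See how we were called.
+-while getopts "N:BC:FfR:l:vM" i; do
++while getopts "N:BC:FfR:l:vMT:" i; do
+case "$i" in
+B)
+BOOTTIME=`/bin/who -b | awk '{print $3}'`
+@@ -407,6 +409,9 @@ while getopts "N:BC:FfR:l:vM" i; do
+f)
+fullFlag=1
+;;
++ T)
++ THREADS="-T $OPTARG"
++ ;;
+*)
+usage
+exit 1
+diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
+index c4e894e56e8f..9a317d9181e2 100644
+--- a/policycoreutils/scripts/fixfiles.8
++++ b/policycoreutils/scripts/fixfiles.8
+@@ -6,22 +6,22 @@ fixfiles \- fix file SELinux security contexts.
+.na
+
+.B fixfiles
+-.I [\-v] [\-F] [-M] [\-f] relabel
++.I [\-v] [\-F] [-M] [\-f] [\-T nthreads] relabel
+
+.B fixfiles
+-.I [\-v] [\-F] { check | restore | verify } dir/file ...
++.I [\-v] [\-F] [\-T nthreads] { check | restore | verify } dir/file ...
+
+.B fixfiles
+-.I [\-v] [\-F] [\-B | \-N time ] { check | restore | verify }
++.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
+
+.B fixfiles
+-.I [\-v] [\-F] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
++.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
+
+.B fixfiles
+-.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
++.I [\-v] [\-F] [\-T nthreads] \-C PREVIOUS_FILECONTEXT { check | restore | verify }
+
+.B fixfiles
+-.I [-F] [-M] [-B] onboot
++.I [-F] [-M] [-B] [\-T nthreads] onboot
+
+.ad
+
+@@ -76,6 +76,11 @@ Bind mount filesystems before relabeling them, this allows fixing the context of
+.B -v
+Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
+
++.TP
++.B \-T nthreads
++Use parallel relabeling, see
++.B setfiles(8)
++
+.SH "ARGUMENTS"
+One of:
+.TP
+--
+2.34.1
+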
@ -0,0 +1,41 @@ |
|||||||
|
From d83caa39d7ff497bddabb54619a8985227ad1264 Mon Sep 17 00:00:00 2001 |
||||||
|
From: Vit Mojzis <vmojzis@redhat.com> |
||||||
|
Date: Mon, 10 Jan 2022 18:35:27 +0100 |
||||||
|
Subject: [PATCH] policycoreutils: Improve error message when selabel_open |
||||||
|
fails |
||||||
|
|
||||||
|
When selabel_open fails to locate file_context files and |
||||||
|
selabel_opt_path is not specified (e.g. when the policy type is |
||||||
|
missconfigured in /etc/selinux/config), perror only prints |
||||||
|
"No such file or directory". |
||||||
|
This can be confusing in case of "restorecon" since it's |
||||||
|
not apparent that the issue is in policy store. |
||||||
|
|
||||||
|
Before: |
||||||
|
\# restorecon -v /tmp/foo.txt |
||||||
|
No such file or directory |
||||||
|
After: |
||||||
|
\# restorecon -v /tmp/foo.txt |
||||||
|
/etc/selinux/yolo/contexts/files/file_contexts: No such file or directory |
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com> |
||||||
|
--- |
||||||
|
policycoreutils/setfiles/restore.c | 2 +- |
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-) |
||||||
|
|
||||||
|
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c |
||||||
|
index 74d48bb3752d..e9ae33ad039a 100644 |
||||||
|
--- a/policycoreutils/setfiles/restore.c |
||||||
|
+++ b/policycoreutils/setfiles/restore.c |
||||||
|
@@ -29,7 +29,7 @@ void restore_init(struct restore_opts *opts) |
||||||
|
|
||||||
|
opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3); |
||||||
|
if (!opts->hnd) { |
||||||
|
- perror(opts->selabel_opt_path); |
||||||
|
+ perror(opts->selabel_opt_path ? opts->selabel_opt_path : selinux_file_context_path()); |
||||||
|
exit(1); |
||||||
|
} |
||||||
|
|
||||||
|
-- |
||||||
|
2.35.1 |
||||||
|
|
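Review bot: The fallback path is computed inline inside the perror() argument, so the changed line in restore.c reads as one long conditional and the reason for the fallback (no explicit selabel_opt_path was given, so the file_contexts path of the active policy type is reported instead) is not visible at the call site. A named local keeps that intent readable: `const char *ctx_path = opts->selabel_opt_path ? opts->selabel_opt_path : selinux_file_context_path();` followed by `perror(ctx_path);`. perror() only reports errno, so a failure other than a missing file (a malformed file_contexts, for example) would presumably still be attributed to this path with whatever errno selabel_open() left behind; a one-line comment saying that the path is the default store path when no override was supplied would help whoever reads the message next. restore_init() starts before this hunk.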
@ -0,0 +1,73 @@ |
|||||||
|
#!/bin/bash |
||||||
|
# |
||||||
|
# Do automatic relabelling |
||||||
|
# |
||||||
|
|
||||||
|
# . /etc/init.d/functions |
||||||
|
|
||||||
|
# If the user has this (or similar) UEFI boot order: |
||||||
|
# |
||||||
|
# Windows | grub | Linux |
||||||
|
# |
||||||
|
# And decides to boot into grub/Linux, then the reboot at the end of autorelabel |
||||||
|
# would cause the system to boot into Windows again, if the autorelabel was run. |
||||||
|
# |
||||||
|
# This function restores the UEFI boot order, so the user will boot into the |
||||||
|
# previously set (and expected) partition. |
||||||
|
efi_set_boot_next() { |
||||||
|
# NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could |
||||||
|
# succeed even on system which is not EFI-enabled... |
||||||
|
if ! efibootmgr > /dev/null 2>&1; then |
||||||
|
return |
||||||
|
fi |
||||||
|
|
||||||
|
# NOTE: It it possible that some other services might be setting the |
||||||
|
# 'BootNext' item for any reasons, and we shouldn't override it if so. |
||||||
|
if ! efibootmgr | grep --quiet -e 'BootNext'; then |
||||||
|
CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')" |
||||||
|
efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1 |
||||||
|
fi |
||||||
|
} |
||||||
|
|
||||||
|
relabel_selinux() { |
||||||
|
# if /sbin/init is not labeled correctly this process is running in the |
||||||
|
# wrong context, so a reboot will be required after relabel |
||||||
|
AUTORELABEL= |
||||||
|
. /etc/selinux/config |
||||||
|
echo "0" > /sys/fs/selinux/enforce |
||||||
|
[ -x /bin/plymouth ] && plymouth --quit |
||||||
|
|
||||||
|
if [ "$AUTORELABEL" = "0" ]; then |
||||||
|
echo |
||||||
|
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. " |
||||||
|
echo $"*** /etc/selinux/config indicates you want to manually fix labeling" |
||||||
|
echo $"*** problems. Dropping you to a shell; the system will reboot" |
||||||
|
echo $"*** when you leave the shell." |
||||||
|
sulogin |
||||||
|
|
||||||
|
else |
||||||
|
echo |
||||||
|
echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required." |
||||||
|
echo $"*** Relabeling could take a very long time, depending on file" |
||||||
|
echo $"*** system size and speed of hard drives." |
||||||
|
|
||||||
|
FORCE=`cat /.autorelabel` |
||||||
|
[ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug |
||||||
|
/sbin/fixfiles $FORCE restore |
||||||
|
fi |
||||||
|
|
||||||
|
rm -f /.autorelabel |
||||||
|
/usr/lib/dracut/dracut-initramfs-restore |
||||||
|
efi_set_boot_next |
||||||
|
if [ -x /usr/bin/grub2-editenv ]; then |
||||||
|
grub2-editenv - incr boot_indeterminate >/dev/null 2>&1 |
||||||
|
fi |
||||||
|
sync |
||||||
|
systemctl --force reboot |
||||||
|
} |
||||||
|
|
||||||
|
# Check to see if a full relabel is needed |
||||||
|
if [ "$READONLY" != "yes" ]; then |
||||||
|
restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1 |
||||||
|
relabel_selinux |
||||||
|
fi |
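Review bot: The exit status of `/sbin/fixfiles $FORCE restore` is never checked, yet `rm -f /.autorelabel` and the reboot that follow run unconditionally, so a relabel that aborts part-way (disk full, setfiles killed) silently clears the marker and the system comes back in its configured mode with partially labeled files. The marker should only be removed when the relabel succeeded: initialise `RELABEL_STATUS=0` before the `if`, record `RELABEL_STATUS=$?` right after the fixfiles call, and change the removal to `[ "$RELABEL_STATUS" -eq 0 ] && rm -f /.autorelabel`. A persistently failing relabel would then loop through reboots, so pairing this with a visible warning, or dropping to sulogin as the manual branch already does, is worth considering. The same pattern applies to `echo "0" > /sys/fs/selinux/enforce`, whose failure is also ignored; a short comment noting that permissive mode is needed only for the duration of the relabel and is presumably restored from /etc/selinux/config by the reboot would document why that write is acceptable.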
@ -0,0 +1,29 @@ |
|||||||
|
#!/bin/sh |
||||||
|
|
||||||
|
# This systemd.generator(7) detects if SELinux is running and if the |
||||||
|
# user requested an autorelabel, and if so sets the default target to |
||||||
|
# selinux-autorelabel.target, which will cause the filesystem to be |
||||||
|
# relabelled and then the system will reboot again and boot into the |
||||||
|
# real default target. |
||||||
|
|
||||||
|
PATH=/usr/sbin:$PATH |
||||||
|
unitdir=/usr/lib/systemd/system |
||||||
|
|
||||||
|
# If invoked with no arguments (for testing) write to /tmp. |
||||||
|
earlydir="/tmp" |
||||||
|
if [ -n "$2" ]; then |
||||||
|
earlydir="$2" |
||||||
|
fi |
||||||
|
|
||||||
|
set_target () |
||||||
|
{ |
||||||
|
ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target" |
||||||
|
} |
||||||
|
|
||||||
|
if selinuxenabled; then |
||||||
|
if test -f /.autorelabel; then |
||||||
|
set_target |
||||||
|
elif grep -sqE "\bautorelabel\b" /proc/cmdline; then |
||||||
|
set_target |
||||||
|
fi |
||||||
|
fi |
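Review bot: The cmdline test `grep -sqE "\bautorelabel\b" /proc/cmdline` uses `\b` as the delimiter, so the word also matches inside another parameter's name or value (a token such as `foo=autorelabel` or `x-autorelabel-y`), which would schedule a full relabel and reboot from an unrelated option. Anchoring on whitespace limits the match to a stand-alone token: `elif grep -sqE "(^|[[:space:]])autorelabel([[:space:]]|$)" /proc/cmdline; then`; if `autorelabel=...` forms are meant to be accepted, that should be spelled out in the pattern rather than left to `\b`. Separately, the `earlydir="/tmp"` default means an accidental invocation without arguments creates `default.target` as a symlink at a predictable path in a world-writable directory; printing a usage message and exiting when `$2` is empty would be safer than the silent fallback, or at least the comment should state that the fallback is for interactive testing only and is never taken when systemd runs the generator.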
@ -0,0 +1,18 @@ |
|||||||
|
[Unit] |
||||||
|
Description=Mark the need to relabel after reboot |
||||||
|
DefaultDependencies=no |
||||||
|
Requires=local-fs.target |
||||||
|
Conflicts=shutdown.target |
||||||
|
After=local-fs.target |
||||||
|
Before=sysinit.target shutdown.target |
||||||
|
ConditionSecurity=!selinux |
||||||
|
ConditionPathIsDirectory=/etc/selinux |
||||||
|
ConditionPathExists=!/.autorelabel |
||||||
|
|
||||||
|
[Service] |
||||||
|
ExecStart=-/bin/touch /.autorelabel |
||||||
|
Type=oneshot |
||||||
|
RemainAfterExit=yes |
||||||
|
|
||||||
|
[Install] |
||||||
|
WantedBy=sysinit.target |
@ -0,0 +1,14 @@ |
|||||||
|
[Unit] |
||||||
|
Description=Relabel all filesystems |
||||||
|
DefaultDependencies=no |
||||||
|
Conflicts=shutdown.target |
||||||
|
After=sysinit.target |
||||||
|
Before=shutdown.target |
||||||
|
ConditionSecurity=selinux |
||||||
|
|
||||||
|
[Service] |
||||||
|
ExecStart=/usr/libexec/selinux/selinux-autorelabel |
||||||
|
Type=oneshot |
||||||
|
TimeoutSec=0 |
||||||
|
RemainAfterExit=yes |
||||||
|
StandardOutput=journal+console |
@ -0,0 +1,7 @@ |
|||||||
|
[Unit] |
||||||
|
Description=Relabel all filesystems and reboot |
||||||
|
DefaultDependencies=no |
||||||
|
Requires=sysinit.target selinux-autorelabel.service |
||||||
|
Conflicts=shutdown.target |
||||||
|
After=sysinit.target selinux-autorelabel.service |
||||||
|
ConditionSecurity=selinux |