Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> --- ...cycoreutils-fix-TypeError-for-seobject.py.patch | 27 ++++----- .../policycoreutils-pp-builtin-roles.patch | 70 ---------------------- ...-process-ValueError-for-sepolicy-seobject.patch | 23 ++++--- .../policycoreutils-semanage-edit-user.patch | 21 ------- recipes-security/selinux/policycoreutils_2.4.bb | 20 ------- recipes-security/selinux/policycoreutils_2.5.bb | 18 ++++++ 6 files changed, 41 insertions(+), 138 deletions(-) delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch delete mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch delete mode 100644 recipes-security/selinux/policycoreutils_2.4.bb create mode 100644 recipes-security/selinux/policycoreutils_2.5.bb
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch
index dd6ca6d..993ff7e 100644
--- a/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-fix-TypeError-for-seobject.py.patch
@@ -14,19 +14,16 @@ Signed-off-by: Wenzong Fan <wenzong....@windriver.com>
 semanage/seobject.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/semanage/seobject.py b/semanage/seobject.py
-index f8d2243..66653e6 100644
---- a/semanage/seobject.py
-+++ b/semanage/seobject.py
-@@ -105,7 +105,7 @@ except:
+Index: policycoreutils-2.5/semanage/seobject.py
+===================================================================
+--- policycoreutils-2.5.orig/semanage/seobject.py 2016-02-25 13:41:38.035974459 -0500
++++ policycoreutils-2.5/semanage/seobject.py 2016-02-25 13:43:42.075974072 -0500
+@@ -121,7 +121,7 @@
- def log(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):
- message = " %s name=%s" % (msg, name)
-- if sename != "":
-+ if sename != "" and sename != None:
- message += " sename=" + sename
- if oldsename != "":
- message += " oldsename=" + oldsename
--- 
-1.7.9.5
-
+ def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
+ message = " %s name=%s" % (msg, name)
+- if sename != "":
++ if sename != "" and sename != None:
+ message += " sename=" + sename
+ if oldsename != "":
+ message += " oldsename=" + oldsename
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
deleted file mode 100644
index f01cc3a..0000000
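Review bot: The rebased fix in this hunk guards only `sename` against None, while the `oldsename` value is concatenated the same way two lines below (`message += " oldsename=" + oldsename`) behind a bare `!= ""` test; whether `oldsename` can also arrive as None is not visible here, but if it can, the identical TypeError remains. If the guard is extended, the idiomatic form for both checks is `if sename != "" and sename is not None:` and `if oldsename != "" and oldsename is not None:` rather than `!= None`. The `log` method being patched continues beyond the nested hunk, so any further concatenations in it are outside this view.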
--- a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-libsepol: with pp to CIL, always write auditadm_r and secadm_r roles to the base module
-
-In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
-either the base module or a non-base module, or they could be in both.
-This means that it is possible for duplicate role declarations to exist.
-CIL does not allow duplicate declarations of anything, but there is no
-way for the pp compiler to know if the roles are declared in which
-module, or if they are in both when compiling a single module. This
-means we cannot use the same hack that we use for user_r, staff_r, etc.,
-to generate CIL role declarations (i.e. only create role declarations
-for these when defined in base).
-
-So only for these two roles, always declare them as part of base,
-regardless of where or if they are defined. This means that turning off
-the auditadm module will never remove the auditamd_r role (likewise for
-secadm), whereas right now, in some cases it would. This also means that
-role allow rules will still exist for these roles even with the modules
-removed. However, this is okay because the roles would not have any
-types associated with them so no access would be allowed.
-
-Signed-off-by: Steve Lawrence <slawre...@tresys.com>
-Reported-by: Miroslav Grepl <mgr...@redhat.com>
-
-Index: policycoreutils-2.4/hll/pp/pp.c
-===================================================================
---- policycoreutils-2.4.orig/hll/pp/pp.c
-+++ policycoreutils-2.4/hll/pp/pp.c
-@@ -2000,7 +2000,10 @@ static int role_to_cil(int indent, struc
- !strcmp(key, "sysadm_r") ||
- !strcmp(key, "system_r") ||
- !strcmp(key, "unconfined_r"));
-- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
-+ int is_builtin_role = (!strcmp(key, "auditadm_r") ||
-+ !strcmp(key, "secadm_r"));
-+ if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
-+ (!is_base_role && !is_builtin_role)) {
- cil_println(indent, "(role %s)", key);
- }
- }
-@@ -3594,6 +3597,17 @@ static int generate_default_object(void)
- return 0;
- }
-
-+static int generate_builtin_roles(void)
-+{
-+ // due to inconsistentencies between policies and CIL not allowing
-+ // duplicate roles, some roles are always created, regardless of if they
-+ // are declared in modules or not
-+ cil_println(0, "(role auditadm_r)");
-+ cil_println(0, "(role secadm_r)");
-+
-+ return 0;
-+}
-+
- static int generate_gen_require_attribute(void)
- {
- cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
-@@ -3678,6 +3692,12 @@ static int module_package_to_cil(struct
- if (rc != 0) {
- goto exit;
- }
-+
-+ // roles that can exist in base, non-base module or both
-+ rc = generate_builtin_roles();
-+ if (rc != 0) {
-+ goto exit;
-+ }
-
- // default attribute to be used to mimic gen_require in CIL
- rc = generate_gen_require_attribute();
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch b/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch
index 933f2b2..e52e1d3 100644
--- a/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-process-ValueError-for-sepolicy-seobject.patch
@@ -14,10 +14,10 @@ Signed-off-by: Wenzong Fan <wenzong....@windriver.com>
 semanage/semanage | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
-diff --git a/semanage/semanage b/semanage/semanage
-index 36b41cd..a36a3f9 100644
---- a/semanage/semanage
-+++ b/semanage/semanage
+Index: policycoreutils-2.5/semanage/semanage
+===================================================================
+--- policycoreutils-2.5.orig/semanage/semanage 2016-02-25 13:38:39.947975015 -0500
++++ policycoreutils-2.5/semanage/semanage 2016-02-25 13:40:50.627974607 -0500
 @@ -24,9 +24,15 @@
 #
@@ -32,17 +32,16 @@ index 36b41cd..a36a3f9 100644
 + print "Error: %s\n" % e
 + sys.exit(1)
 +
- PROGNAME="policycoreutils"
+ PROGNAME = "policycoreutils"
 try:
- gettext.install(PROGNAME,
-@@ -59,7 +65,6 @@ usage_interface_dict = {' --add':('-t TYPE','-r RANGE','interface'),' --modify':
+ kwargs = {}
+@@ -66,9 +72,6 @@ usage_boolean = "semanage boolean [-h] [-n] [-N] [-s STORE] ["
- usage_boolean_dict = {' --modify':('(','--on','|','--off',')','boolean'), ' --list':('-C',), ' --extract':('',), ' --deleteall':('',)}
+ usage_boolean_dict = {' --modify': ('(', '--on', '|', '--off', ')', 'boolean'), ' --list': ('-C',), ' --extract': ('',), ' --deleteall': ('',)}
 -import sepolicy
+-
+-
 class CheckRole(argparse.Action):
 def __call__(self, parser, namespace, value, option_string=None):
- newval = getattr(namespace, self.dest)
--- 
-1.7.9.5
-
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch b/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch
deleted file mode 100644
index f5aaa74..0000000
--- a/recipes-security/selinux/policycoreutils/policycoreutils-semanage-edit-user.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-policycoreutils: semanage
-
-When modifying selinux login records, self.sename might not be
-needed, but it IS passed to a log function, so it must be set
-to something or the log attempt will fail.
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe Slater <jsla...@windriver.com>
-
-
---- a/semanage/seobject.py
-+++ b/semanage/seobject.py
-@@ -576,6 +576,7 @@ class loginRecords(semanageRecords):
-
- if sename != "":
- semanage_seuser_set_sename(self.sh, u, sename)
-+ self.sename = sename
- else:
- self.sename = self.oldsename
-
diff --git a/recipes-security/selinux/policycoreutils_2.4.bb b/recipes-security/selinux/policycoreutils_2.4.bb
deleted file mode 100644
index 2937c62..0000000
--- a/recipes-security/selinux/policycoreutils_2.4.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-include selinux_20150202.inc
-include ${BPN}.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
-
-SRC_URI[md5sum] = "795b05c3ad58253cba61249ec65b28ef"
-SRC_URI[sha256sum] = "b819f876f12473783ccce9f63b9a79cd77177477cd6d46818441f808cc4c3479"
-
-SRC_URI += "\
- file://policycoreutils-fix-sepolicy-install-path.patch \
- file://policycoreutils-make-O_CLOEXEC-optional.patch \
- file://policycoreutils-loadpolicy-symlink.patch \
- file://policycoreutils-semanage-edit-user.patch \
- file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
- file://policycoreutils-fix-TypeError-for-seobject.py.patch \
- file://0001-mcstrans-fix-the-init-script.patch \
- file://enable-mcstrans.patch \
- file://policycoreutils-fts_flags-FTS_NOCHDIR.patch \
- file://policycoreutils-pp-builtin-roles.patch \
- "
diff --git a/recipes-security/selinux/policycoreutils_2.5.bb b/recipes-security/selinux/policycoreutils_2.5.bb
new file mode 100644
index 0000000..37d3870
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils_2.5.bb
@@ -0,0 +1,18 @@
+include selinux_20160223.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "9ad9331b2133262fb3f774359a7f4761"
+SRC_URI[sha256sum] = "329382cfe9fa977678abf541dcd8fe3847cf0c83b24654c8f7322343907078a1"
+
+SRC_URI += "\
+ file://policycoreutils-fix-sepolicy-install-path.patch \
+ file://policycoreutils-make-O_CLOEXEC-optional.patch \
+ file://policycoreutils-loadpolicy-symlink.patch \
+ file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
+ file://policycoreutils-fix-TypeError-for-seobject.py.patch \
+ file://0001-mcstrans-fix-the-init-script.patch \
+ file://enable-mcstrans.patch \
+ file://policycoreutils-fts_flags-FTS_NOCHDIR.patch \
+ "
-- 
2.4.3
-- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
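Review bot: The new recipe's SRC_URI drops `policycoreutils-semanage-edit-user.patch` and `policycoreutils-pp-builtin-roles.patch` relative to the deleted 2.4 recipe, but nothing in the recipe or the visible commit record says why; presumably both were merged upstream in 2.5, though that cannot be confirmed from here. A one-line comment above `SRC_URI += "\` would save the next maintainer from re-checking, e.g. `# semanage-edit-user and pp-builtin-roles patches dropped: see upstream 2.5 (verify)`. The remaining patches were converted to quilt-style `Index:` headers with absolute 2016-02-25 timestamps in the other hunks of this commit, so a note here that they were regenerated against the 2.5 tarball would also be useful.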