Current upstreamable patch set from Fedora

Current upstreamable patch set from Fedora

[Dan Walsh]

[PATCH 01/08] Call proper dbus function
[PATCH 02/08] Only return writeable files that are enabled
[PATCH 03/08] Add domain to short list of domains, when -t and -d
[PATCH 04/08] Fix up desktop files to match current standards
[PATCH 05/08] Add support to return sesitivities and cats for python
[PATCH 06/08] Update po
[PATCH 07/08] Cleanup whitespace
[PATCH 08/08] Add message to tell user to install sandbox policy

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 01/08] Call proper dbus function

[Dan Walsh]

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/sepolicy/sepolicy/gui.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
index 0123e6c..94ddb72 100644
--- a/policycoreutils/sepolicy/sepolicy/gui.py
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
@@ -2727,7 +2727,7 @@ class SELinuxGui():
         if not active and not exists:
             return
         try:
-            self.dbus.relabel_on_boots(active)
+            self.dbus.relabel_on_boot(active)
         except dbus.exceptions.DBusException, e:
             self.error(e)
 
-- 
1.8.4.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 02/08] Only return writeable files that are enabled

[Dan Walsh]

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/sepolicy/sepolicy/__init__.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index fd95c16..679725d 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -141,6 +141,9 @@ def get_writable_files(setype):
     for i in permlist:
         if i['target'] in attributes:
             continue
+        if "enabled" in i:
+            if not i["enabled"]:
+                continue
         if i['target'].endswith("_t"):
             if i['target'] not in file_types:
                 continue
-- 
1.8.4.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 03/08] Add domain to short list of domains, when -t and -d used together

[Dan Walsh]

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/sepolicy/sepolicy/gui.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
index 94ddb72..5ca87b9 100644
--- a/policycoreutils/sepolicy/sepolicy/gui.py
+++ b/policycoreutils/sepolicy/sepolicy/gui.py
@@ -484,6 +484,8 @@ class SELinuxGui():
         path = None
         if test:
             domains = [ "httpd_t", "abrt_t" ]
+            if app and app not in domains:
+                domains.append(app)
         else:
             domains = sepolicy_domains
             loading_gui.show()
-- 
1.8.4.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 04/08] Fix up desktop files to match current standards

[Dan Walsh]

Encoding is depracated
Keywords is depracated

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/gui/selinux-polgengui.desktop     | 1 -
 policycoreutils/gui/system-config-selinux.desktop | 1 -
 policycoreutils/restorecond/restorecond.desktop   | 1 -
 3 files changed, 3 deletions(-)

diff --git a/policycoreutils/gui/selinux-polgengui.desktop b/policycoreutils/gui/selinux-polgengui.desktop
index 0c2f399..bbcb18f 100644
--- a/policycoreutils/gui/selinux-polgengui.desktop
+++ b/policycoreutils/gui/selinux-polgengui.desktop
@@ -64,4 +64,3 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
-Keywords=policy;security;selinux;avc;permission;mac;
diff --git a/policycoreutils/gui/system-config-selinux.desktop b/policycoreutils/gui/system-config-selinux.desktop
index 8822ce2..befdb23 100644
--- a/policycoreutils/gui/system-config-selinux.desktop
+++ b/policycoreutils/gui/system-config-selinux.desktop
@@ -64,4 +64,3 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
-Keywords=policy;security;selinux;avc;permission;mac;
diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop
index 89201e1..af72868 100644
--- a/policycoreutils/restorecond/restorecond.desktop
+++ b/policycoreutils/restorecond/restorecond.desktop
@@ -2,7 +2,6 @@
 Name=File Context maintainer
 Exec=/usr/sbin/restorecond -u
 Comment=Fix file context in owned by the user
-Encoding=UTF-8
 Type=Application
 StartupNotify=false
 X-GNOME-Autostart-enabled=false
-- 
1.8.4.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 05/08] Add support to return sesitivities and cats for python bindings.

[Dan Walsh]

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/sepolicy/info.c | 300 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 290 insertions(+), 10 deletions(-)

diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
index cd1026a..b353f2c 100644
--- a/policycoreutils/sepolicy/info.c
+++ b/policycoreutils/sepolicy/info.c
@@ -54,13 +54,13 @@
 
 enum input
 {
-	TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS
+	TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS, SENS, CATS
 };
 
 static int py_insert_long(PyObject *dict, const char *name, int value)
 {
 	int rt;
-	PyObject *obj = PyInt_FromLong(value);
+	PyObject *obj = PyLong_FromLong(value);
 	if (!obj) return -1;
 	rt = PyDict_SetItemString(dict, name, obj);
 	Py_DECREF(obj);
@@ -78,9 +78,287 @@ static int py_insert_bool(PyObject *dict, const char *name, int value)
 }
 
 /**
+ * Get a policy's MLS sensitivities.
+ * If this function is given a name, it will attempt to
+ * get statistics about a particular sensitivity; otherwise
+ * the function gets statistics about all of the policy's
+ * sensitivities.
+ *
+ * @param name Reference to a sensitivity's name; if NULL,
+ * all sensitivities will be considered
+ * @param policydb Reference to a policy
+ *
+ * @return 0 on success, < 0 on error.
+ */
+static PyObject* get_sens(const char *name, const apol_policy_t * policydb)
+{
+	PyObject *dict = NULL;
+	int error = 0;
+	int rt = 0;
+	size_t i;
+	char *tmp = NULL;
+	const char *lvl_name = NULL;
+	apol_level_query_t *query = NULL;
+	apol_vector_t *v = NULL;
+	const qpol_level_t *level = NULL;
+	apol_mls_level_t *ap_mls_lvl = NULL;
+	qpol_policy_t *q = apol_policy_get_qpol(policydb);
+
+	query = apol_level_query_create();
+	if (!query)
+		goto cleanup;
+	if (apol_level_query_set_sens(policydb, query, name))
+		goto cleanup;
+	if (apol_level_get_by_query(policydb, query, &v))
+		goto cleanup;
+
+	dict = PyDict_New(); 
+	if (!dict) goto err;
+	for (i = 0; i < apol_vector_get_size(v); i++) {
+		level = apol_vector_get_element(v, i);
+		if (qpol_level_get_name(q, level, &lvl_name))
+			goto err;
+		ap_mls_lvl = (apol_mls_level_t *) apol_mls_level_create_from_qpol_level_datum(policydb, level);
+		tmp = apol_mls_level_render(policydb, ap_mls_lvl);
+		apol_mls_level_destroy(&ap_mls_lvl);
+		if (!tmp)
+			goto cleanup;
+		if (py_insert_string(dict, lvl_name, tmp))
+			goto err;
+		free(tmp); tmp = NULL;
+		if (rt) goto err;
+	}
+
+	if (name && !apol_vector_get_size(v)) {
+		goto cleanup;
+	}
+
+	goto cleanup;
+err:
+	error = errno;
+	PyErr_SetString(PyExc_RuntimeError,strerror(error));
+	py_decref(dict); dict = NULL;
+cleanup:
+	free(tmp);
+	apol_level_query_destroy(&query);
+	apol_vector_destroy(&v);
+	errno = error; 
+	return dict;
+}
+
+/**
+ * Compare two qpol_cat_datum_t objects.
+ * This function is meant to be passed to apol_vector_compare
+ * as the callback for performing comparisons.
+ *
+ * @param datum1 Reference to a qpol_type_datum_t object
+ * @param datum2 Reference to a qpol_type_datum_t object
+ * @param data Reference to a policy
+ * @return Greater than 0 if the first argument is less than the second argument,
+ * less than 0 if the first argument is greater than the second argument,
+ * 0 if the arguments are equal
+ */
+static int qpol_cat_datum_compare(const void *datum1, const void *datum2, void *data)
+{
+	const qpol_cat_t *cat_datum1 = NULL, *cat_datum2 = NULL;
+	apol_policy_t *policydb = NULL;
+	qpol_policy_t *q;
+	uint32_t val1, val2;
+
+	policydb = (apol_policy_t *) data;
+	q = apol_policy_get_qpol(policydb);
+	assert(policydb);
+
+	if (!datum1 || !datum2)
+		goto exit_err;
+	cat_datum1 = datum1;
+	cat_datum2 = datum2;
+
+	if (qpol_cat_get_value(q, cat_datum1, &val1))
+		goto exit_err;
+	if (qpol_cat_get_value(q, cat_datum2, &val2))
+		goto exit_err;
+
+	return (val1 > val2) ? 1 : ((val1 == val2) ? 0 : -1);
+
+      exit_err:
+	assert(0);
+	return 0;
+}
+
+/**
+ * Compare two qpol_level_datum_t objects.
+ * This function is meant to be passed to apol_vector_compare
+ * as the callback for performing comparisons.
+ *
+ * @param datum1 Reference to a qpol_level_datum_t object
+ * @param datum2 Reference to a qpol_level_datum_t object
+ * @param data Reference to a policy
+ * @return Greater than 0 if the first argument is less than the second argument,
+ * less than 0 if the first argument is greater than the second argument,
+ * 0 if the arguments are equal
+ */
+static int qpol_level_datum_compare(const void *datum1, const void *datum2, void *data)
+{
+	const qpol_level_t *lvl_datum1 = NULL, *lvl_datum2 = NULL;
+	apol_policy_t *policydb = NULL;
+	qpol_policy_t *q;
+	uint32_t val1, val2;
+
+	policydb = (apol_policy_t *) data;
+	assert(policydb);
+	q = apol_policy_get_qpol(policydb);
+
+	if (!datum1 || !datum2)
+		goto exit_err;
+	lvl_datum1 = datum1;
+	lvl_datum2 = datum2;
+
+	if (qpol_level_get_value(q, lvl_datum1, &val1))
+		goto exit_err;
+	if (qpol_level_get_value(q, lvl_datum2, &val2))
+		goto exit_err;
+
+	return (val1 > val2) ? 1 : ((val1 == val2) ? 0 : -1);
+
+      exit_err:
+	assert(0);
+	return 0;
+}
+
+/**
+ * Gets a textual representation of a MLS category and 
+ * all of that category's sensitivies.
+ *
+ * @param type_datum Reference to sepol type_datum
+ * @param policydb Reference to a policy
+ */
+static PyObject* get_cat_sens(const qpol_cat_t * cat_datum, const apol_policy_t * policydb)
+{
+	const char *cat_name, *lvl_name;
+	apol_level_query_t *query = NULL;
+	apol_vector_t *v = NULL;
+	const qpol_level_t *lvl_datum = NULL;
+	qpol_policy_t *q = apol_policy_get_qpol(policydb);
+	size_t i, n_sens = 0;
+	int error = 0;
+	PyObject *list = NULL;
+	PyObject *dict = PyDict_New(); 
+	if (!dict) goto err;
+	if (!cat_datum || !policydb)
+		goto err;
+
+	/* get category name for apol query */
+	if (qpol_cat_get_name(q, cat_datum, &cat_name))
+		goto cleanup;
+
+	query = apol_level_query_create();
+	if (!query)
+		goto err;
+	if (apol_level_query_set_cat(policydb, query, cat_name))
+		goto err;
+	if (apol_level_get_by_query(policydb, query, &v))
+		goto err;
+	apol_vector_sort(v, &qpol_level_datum_compare, (void *)policydb);
+	dict = PyDict_New(); 
+	if (!dict) goto err;
+	if (py_insert_string(dict, "name", cat_name))
+		goto err;
+	n_sens = apol_vector_get_size(v);
+	list = PyList_New(0);
+	if (!list) goto err;
+	for (i = 0; i < n_sens; i++) {
+		lvl_datum = (qpol_level_t *) apol_vector_get_element(v, i);
+		if (!lvl_datum)
+			goto err;
+		if (qpol_level_get_name(q, lvl_datum, &lvl_name))
+			goto err;
+		if (py_append_string(list, lvl_name))
+			goto err;
+	}
+	if (py_insert_obj(dict, "level", list))
+		goto err;
+	Py_DECREF(list);
+
+	goto cleanup;
+err:
+	error = errno;
+	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+	py_decref(list); list = NULL;
+	py_decref(dict); dict = NULL;
+cleanup:
+	apol_level_query_destroy(&query);
+	apol_vector_destroy(&v);
+	errno = error;
+	return dict;
+}
+
+/**
+ * Prints statistics regarding a policy's MLS categories.
+ * If this function is given a name, it will attempt to
+ * get statistics about a particular category; otherwise
+ * the function gets statistics about all of the policy's
+ * categories.
+ *
+ * @param name Reference to a MLS category's name; if NULL,
+ * all categories will be considered
+ * @param policydb Reference to a policy
+ *
+ * @return 0 on success, < 0 on error.
+ */
+static PyObject* get_cats(const char *name, const apol_policy_t * policydb)
+{
+	PyObject *obj = NULL;
+	apol_cat_query_t *query = NULL;
+	apol_vector_t *v = NULL;
+	const qpol_cat_t *cat_datum = NULL;
+	size_t i, n_cats;
+	int error = 0;
+	int rt;
+	PyObject *list = PyList_New(0);
+	if (!list) goto err;
+
+	query = apol_cat_query_create();
+	if (!query)
+		goto err;
+	if (apol_cat_query_set_cat(policydb, query, name))
+		goto err;
+	if (apol_cat_get_by_query(policydb, query, &v))
+		goto err;
+	n_cats = apol_vector_get_size(v);
+	apol_vector_sort(v, &qpol_cat_datum_compare, (void *)policydb);
+
+	for (i = 0; i < n_cats; i++) {
+		cat_datum = apol_vector_get_element(v, i);
+		if (!cat_datum)
+			goto err;
+		obj = get_cat_sens(cat_datum, policydb);
+		if (!obj) 
+			goto err;
+		rt = py_append_obj(list, obj);
+		Py_DECREF(obj);
+		if (rt) goto err;
+	}
+
+	if (name && !n_cats) {
+		goto err;
+	}
+
+	goto cleanup;
+err:
+	error = errno;
+	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+	py_decref(list); list = NULL;
+cleanup:
+	apol_cat_query_destroy(&query);
+	apol_vector_destroy(&v);
+	errno = error;
+	return list;
+}
+
+/**
  * Get the alias of a type.
  *
- * @param fp Reference to a file to which to get type information
  * @param type_datum Reference to sepol type_datum
  * @param policydb Reference to a policy
  * attributes
@@ -315,7 +593,7 @@ cleanup:
 	return list;
 }
 
-static PyObject* get_type( const qpol_type_t * type_datum, const apol_policy_t * policydb) {
+static PyObject* get_type(const qpol_type_t * type_datum, const apol_policy_t * policydb) {
 
 	PyObject *obj;
 	qpol_policy_t *q = apol_policy_get_qpol(policydb);
@@ -370,11 +648,8 @@ cleanup:
  * get statistics about a particular boolean; otherwise
  * the function gets statistics about all of the policy's booleans.
  *
- * @param fp Reference to a file to which to print statistics
  * @param name Reference to a boolean's name; if NULL,
  * all booleans will be considered
- * @param expand Flag indicating whether to print each
- * boolean's default state
  * @param policydb Reference to a policy
  *
  * @return new reference, or NULL (setting an exception)
@@ -536,11 +811,8 @@ cleanup:
  * Prints a textual representation of an object class and possibly
  * all of that object class' permissions.
  *
- * @param fp Reference to a file to which to print object class information
  * @param type_datum Reference to sepol type_datum
  * @param policydb Reference to a policy
- * @param expand Flag indicating whether to print each object class'
- * permissions
  */
 static PyObject* get_class(const qpol_class_t * class_datum, const apol_policy_t * policydb)
 {
@@ -1066,6 +1338,12 @@ PyObject* info( int type, const char *name)
 	case PORT:
 		output = get_ports(name, policy);
 		break;
+	case SENS:
+		output = get_sens(name, policy);
+		break;
+	case CATS:
+		output = get_cats(name, policy);
+		break;
 	default:
 		errno = EINVAL;
 		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
@@ -1098,4 +1376,6 @@ void init_info (PyObject *m) {
     PyModule_AddIntConstant(m, "USER", USER);
     PyModule_AddIntConstant(m, "CLASS", CLASS);
     PyModule_AddIntConstant(m, "BOOLEAN", BOOLEAN);
+    PyModule_AddIntConstant(m, "SENS", SENS);
+    PyModule_AddIntConstant(m, "CATS", CATS);
 }
-- 
1.8.4.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 07/08] Cleanup whitespace

[Dan Walsh]

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/setsebool/setsebool.8 | 1 -
 policycoreutils/setsebool/setsebool.c | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/policycoreutils/setsebool/setsebool.8 b/policycoreutils/setsebool/setsebool.8
index 7338f15..916a58c 100644
--- a/policycoreutils/setsebool/setsebool.8
+++ b/policycoreutils/setsebool/setsebool.8
@@ -20,7 +20,6 @@ the policy file on disk. So they will be persistent across reboots.
 
 If the \-N option is given, the policy on disk is not reloaded into the kernel.
 
-
 If the \-V option is given, verbose error messages will be printed from semanage libraries.
 
 
diff --git a/policycoreutils/setsebool/setsebool.c b/policycoreutils/setsebool/setsebool.c
index 89412d0..b101f08 100644
--- a/policycoreutils/setsebool/setsebool.c
+++ b/policycoreutils/setsebool/setsebool.c
@@ -53,10 +53,10 @@ int main(int argc, char **argv)
 			permanent = 1;
 			break;
 		case 'N':
-		        reload = 0;
+			reload = 0;
 			break;
 		case 'V':
-		        verbose = 1;
+			verbose = 1;
 			break;
 		default:
 			usage();
-- 
1.8.4.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 08/08] Add message to tell user to install sandbox policy package.

[Dan Walsh]

Sandbox policy is huge do to macro expansion.  We do not install this by default
but sandbox command can fail without it installed.  This patch prints a message to the
user to install the package.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 policycoreutils/sandbox/sandbox | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index fb5a24c..3668abe 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -356,7 +356,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
                try:
                       sepolicy.info(sepolicy.TYPE, "sandbox_t")
                except RuntimeError:
-                      raise ValueError(_("Sandbox Policy is currently disabled.\nYou need to enable the policy by executing the following as root\n# semodule -e sandbox"))
+                      raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command"))
                
         if self.__options.setype:
                self.setype = self.__options.setype
-- 
1.8.4.2


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 08/08] Add message to tell user to install sandbox policy package.

[Stephen Smalley]

On 11/08/2013 08:17 AM, Dan Walsh wrote:
> Sandbox policy is huge do to macro expansion.  We do not install this by default
> but sandbox command can fail without it installed.  This patch prints a message to the
> user to install the package.
> 
> Signed-off-by: Dan Walsh <dwalsh@redhat.com>

Thanks, applied to #next.  Did not receive patch 06/08.
patch 01/08 looked like a bug fix that should get pushed as an update, yes?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 08/08] Add message to tell user to install sandbox policy package.

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/08/2013 04:10 PM, Stephen Smalley wrote:
> On 11/08/2013 08:17 AM, Dan Walsh wrote:
>> Sandbox policy is huge do to macro expansion.  We do not install this by
>> default but sandbox command can fail without it installed.  This patch
>> prints a message to the user to install the package.
>> 
>> Signed-off-by: Dan Walsh <dwalsh@redhat.com>
> 
> Thanks, applied to #next.  Did not receive patch 06/08. patch 01/08 looked
> like a bug fix that should get pushed as an update, yes?
> 
> 
Yes.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJ9Z3sACgkQrlYvE4MpobNUlQCgrCVMPpmgZbd53nIogRXYgf9D
i/wAnjVV9AK2RRtJ+XF4ECw6RjH8ukVe
=R2Le
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.