* Several sepolicy fixes from Fedora
@ 2017-05-03 10:30 Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains Petr Lautrbach
                   ` (18 more replies)
  0 siblings, 19 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

Hi,

this is a set of sepolicy fixes we use in Fedora.

There are basically 2 groups of patches:

1. fixes which were pushed to Fedora a few years ago and probably have not been
sent upstream

[PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS
[PATCH 02/19] sepolicy: Fix spelling mistakes in commands in
[PATCH 03/19] sepolicy: Add manpages for typealiased types
[PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its
[PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/
[PATCH 06/19] Fix up generation of application policy
[PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace
[PATCH 08/19] sepolicy: We should be creating _exec interfaces when
[PATCH 09/19] Fix typo in  executable.py template.

2. fixes related to Python 3 and the change to SETools 4

[PATCH 10/19] sepolicy: Adapt to new the semodule list output
[PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation
[PATCH 12/19] sepolicy: Simplify policy types detection
[PATCH 13/19] sepolicy/generate.py: Fix string formatting
[PATCH 14/19] policycoreutils/sepolicy: Define our own cmp()
[PATCH 15/19] dbus: Use text streams in selinux_server.py
[PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype
[PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a'
[PATCH 18/19] sepolicy: info() should provide attributes for a TYPE
[PATCH 19/19] sepolicy/gui: Update text strings to use better gettext

^ permalink raw reply	[flat|nested] 21+ messages in thread

* [PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 02/19] sepolicy: Fix spelling mistakes in commands in generated manpages Petr Lautrbach
                   ` (17 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

From: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/manpage.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 1af4295c..3ebdfeb7 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -504,6 +504,7 @@ class ManPage:
             self._booleans()
 
         self._port_types()
+        self._mcs_types()
         self._writes()
         self._footer()
 
@@ -527,6 +528,7 @@ class ManPage:
         self._header()
         self._entrypoints()
         self._process_types()
+        self._mcs_types()
         self._booleans()
         self._nsswitch_domain()
         self._port_types()
@@ -923,6 +925,17 @@ All executeables with the default executable label, usually stored in /usr/bin a
         self.fd.write("""
 %s""" % ", ".join(paths))
 
+    def _mcs_types(self):
+        attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+        if "mcs_constrained_type" not in attributes:
+            return
+        self.fd.write ("""
+.SH "MCS Constrained"
+The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type.  Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users.  The tools used to launch MCS types, pick out a different MCS label for each process group.
+
+For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4
+""" % {'type': self.domainname})
+
     def _writes(self):
         permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
         if permlist is None or len(permlist) == 0:
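Review bot: The second paragraph of the text written by _mcs_types() contains a broken sentence, "The SELinux kernel only allows these processes can only write to content with a matching MCS label", and the paragraph ends without a full stop. This text lands in the man page of every MCS-constrained domain, so it should read cleanly, for example "The SELinux kernel only allows these processes to write to content with a matching MCS label, or an MCS label of s0." In the same method, (self.type) is a parenthesised value rather than a tuple, and the [0]["attributes"] lookup has no guard for the case where sepolicy.info() returns an empty list.
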
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 02/19] sepolicy: Fix spelling mistakes in commands in generated manpages
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 03/19] sepolicy: Add manpages for typealiased types Petr Lautrbach
                   ` (16 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/manpage.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 3ebdfeb7..bd5a64ac 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -1172,7 +1172,7 @@ Three things can happen when %(type)s attempts to execute a program.
 
 Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
 
-.B search -A -s %(type)s -c file -p execute_no_trans
+.B sesearch -A -s %(type)s -c file -p execute_no_trans
 
 .TP
 
@@ -1180,7 +1180,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
 
 Execute the following to see the types that the SELinux user %(type)s can execute and transition:
 
-.B $ search -A -s %(type)s -c process -p transition
+.B $ sesearch -A -s %(type)s -c process -p transition
 
 """ % {'user': self.domainname, 'type': self.type})
 
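Review bot: The corrected line in this hunk is written as ".B $ sesearch ..." with a shell prompt inside the bold text, while the line fixed in the previous hunk is ".B sesearch ..." without one; pick one form so both examples render the same way and can be copied as they stand. The option dashes in both lines are also unescaped, whereas sepolicy-generate.8 in this series writes them as \-.
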
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 03/19] sepolicy: Add manpages for typealiased types
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 02/19] sepolicy: Fix spelling mistakes in commands in generated manpages Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its own Petr Lautrbach
                   ` (15 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

From: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/manpage.py | 45 +++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index bd5a64ac..b268680a 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -30,6 +30,13 @@ import sepolicy
 import os
 import time
 
+typealias_types = {
+"antivirus_t":("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
+"cluster_t":("rgmanager_t", "corosync_t", "aisexec_t", "pacemaker_t"),
+"svirt_t":("qemu_t"),
+"httpd_t":("phpfpm_t"),
+}
+
 equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
 
 equiv_dirs = ["/var"]
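Review bot: In typealias_types the values ("qemu_t") and ("phpfpm_t") are plain strings, not one-element tuples, because the trailing comma is missing. The loop added in the next hunk, "for t in typealias_types[domain_type]", will therefore iterate over the characters of "qemu_t" and call _typealias_gen_man() once per character; t[:-2] is then an empty string and the page is written to "%s/_selinux.8" under self.path. Write these as ("qemu_t",) and ("phpfpm_t",), or use lists as equiv_dict does.
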
@@ -523,6 +530,16 @@ class ManPage:
         self._get_ptypes()
 
         for domain_type in self.ptypes:
+            try:
+                if typealias_types[domain_type]:
+                    fd = self.fd
+                    man_page_path =  self.man_page_path
+                    for t in typealias_types[domain_type]:
+                        self._typealias_gen_man(t)
+                    self.fd = fd
+                    self.man_page_path = man_page_path
+            except KeyError:
+                continue;
             self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
 
         self._header()
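Review bot: The "except KeyError: continue" at the end of the new block skips the existing self.attributes[domain_type] assignment for every domain_type that is not a key of typealias_types, so attributes are now recorded only for the few aliased types. Use pass instead, or drop the try block and iterate over typealias_types.get(domain_type, ()), which also avoids swallowing a KeyError raised inside _typealias_gen_man(). The semicolon after continue and the double space in "man_page_path =  self.man_page_path" can go as well.
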
@@ -542,6 +559,34 @@ class ManPage:
             if f.startswith(self.short_name) or f.startswith(self.domainname):
                 self.ptypes.append(f)
 
+    def _typealias_gen_man(self, t):
+        self.man_page_path = "%s/%s_selinux.8" % (self.path, t[:-2])
+        self.ports = []
+        self.booltext = ""
+        self.fd = open(self.man_page_path, 'w')
+        self._typealias(t[:-2])
+        self._footer()
+        self.fd.close()
+
+    def _typealias(self,typealias):
+        self.fd.write('.TH  "%(typealias)s_selinux"  "8"  "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
+                 % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
+        self.fd.write(r"""
+.SH "NAME"
+%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
+.SH "DESCRIPTION"
+
+%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type (%(domainname)s_t). 
+""" % {'typealias':typealias, 'domainname':self.domainname})
+
+        self.fd.write(r"""
+Please see 
+
+.B %(domainname)s_selinux 
+
+man page for more details.
+"""  % {'domainname':self.domainname})
+
     def _header(self):
         self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
                       % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
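Review bot: _typealias_gen_man() overwrites self.ports and self.booltext on the shared ManPage instance, but the caller in the previous hunk saves and restores only self.fd and self.man_page_path; either restore those two attributes as well or write the alias page through local variables. The file is opened without a with block, so an exception in _typealias() or _footer() leaves it open, and t[:-2] assumes every alias ends in "_t" without checking.
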
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its own
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (2 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 03/19] sepolicy: Add manpages for typealiased types Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/ Petr Lautrbach
                   ` (14 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

From: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/manpage.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index b268680a..4cebb299 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -37,7 +37,7 @@ typealias_types = {
 "httpd_t":("phpfpm_t"),
 }
 
-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
+equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
 
 equiv_dirs = ["/var"]
 modules_dict = None
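Review bot: The commit message has no body and the subject mentions only svirt, yet the changed equiv_dict line also drops "svirt_tcg", "svirt_lxc_t" and "svirt_lxc_net_t" from the virtd entry. Please state in the message where the man pages for those three names are generated after this change, so a reader of the history can tell their removal is intended.
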
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (3 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its own Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 06/19] Fix up generation of application policy Petr Lautrbach
                   ` (13 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

Fixes:
(sepolicy:2183): Gtk-WARNING **: Could not load image 'images/booleans.png': Failed to open file '/usr/lib64/python3.4/site-packages/sepolicy/images/booleans.png': No such file or directory

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/sepolicy.glade | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/sepolicy.glade b/python/sepolicy/sepolicy/sepolicy.glade
index e7d96f98..8f6ad650 100644
--- a/python/sepolicy/sepolicy/sepolicy.glade
+++ b/python/sepolicy/sepolicy/sepolicy.glade
@@ -1043,7 +1043,7 @@
               <object class="GtkImage" id="help_image">
                 <property name="visible">True</property>
                 <property name="can_focus">False</property>
-                <property name="pixbuf">images/booleans.png</property>
+                <property name="pixbuf">help/booleans.png</property>
               </object>
               <packing>
                 <property name="expand">False</property>
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 06/19] Fix up generation of application policy
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (4 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/ Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin Petr Lautrbach
                   ` (12 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

From: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 python/sepolicy/sepolicy-generate.8              | 2 +-
 python/sepolicy/sepolicy/templates/executable.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy-generate.8 b/python/sepolicy/sepolicy-generate.8
index 2e674568..0c5f998f 100644
--- a/python/sepolicy/sepolicy-generate.8
+++ b/python/sepolicy/sepolicy-generate.8
@@ -13,7 +13,7 @@ Common options
 Confined Applications
 
 .br
-.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ]
+.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ]
 .br
 .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
 .br
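Review bot: A space is missing between the new option and the positional argument in the changed synopsis line: "[\-u USER ]command" renders as "]command". Write "[\-u USER] command", and consider dropping the space before the closing bracket in "[\-w WRITE_PATH ]" for consistency with "[\-n NAME]".
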
diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index 4b9534d3..0db6b9cc 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
 type TEMPLATETYPE_t;
 type TEMPLATETYPE_exec_t;
 application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+role TEMPLATETYPE_roles types TEMPLATETYPE_t;
 
 permissive TEMPLATETYPE_t;
 """
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (5 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 06/19] Fix up generation of application policy Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 08/19] sepolicy: We should be creating _exec interfaces when we create the domtrans interface Petr Lautrbach
                   ` (11 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

From: Miroslav Grepl <mgrepl@redhat.com>

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
---
 python/sepolicy/sepolicy/templates/executable.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index 0db6b9cc..4cc5bfa4 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -419,8 +419,12 @@ interface(`TEMPLATETYPE_admin',`
 if_middle_admin="""
 	')
 
-	allow $1 TEMPLATETYPE_t:process { ptrace signal_perms };
+	allow $1 TEMPLATETYPE_t:process { signal_perms };
 	ps_process_pattern($1, TEMPLATETYPE_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 TEMPLATETYPE_t:process ptrace;
+    ')
 """
 
 if_initscript_admin_types="""
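Review bot: The generated TEMPLATETYPE_admin interface now references the deny_ptrace tunable, but nothing in this hunk adds it to the gen_require block that closes just above; please confirm where that requirement is declared and whether the generated module can still be built against a policy that does not define this boolean. The four added lines are indented with spaces while the surrounding template lines use tabs, and the braces in "{ signal_perms }" are no longer needed for a single entry.
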
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 08/19] sepolicy: We should be creating _exec interfaces when we create the domtrans interface
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (6 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 09/19] Fix typo in executable.py template Petr Lautrbach
                   ` (10 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

From: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/templates/executable.py | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index 4cc5bfa4..456a7ca8 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -220,7 +220,7 @@ if_program_rules="""
 
 ########################################
 ## <summary>
-##	Execute TEMPLATE in the TEMPLATETYPE domin.
+##	Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domin.
 ## </summary>
 ## <param name=\"domain\">
 ## <summary>
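Review bot: The rewritten summary line still ends in "domin", so the typo is carried into the new text and then needs the separate one-word fix in 09/19. Correct it to "domain" here and drop that follow-up patch.
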
@@ -236,6 +236,25 @@ interface(`TEMPLATETYPE_domtrans',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
 ')
+
+######################################
+## <summary>
+##	Execute TEMPLATETYPE in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`TEMPLATETYPE_exec',`
+	gen_require(`
+		type TEMPLATETYPE_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, TEMPLATETYPE_exec_t)
+')
 """
 
 if_user_program_rules="""
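Review bot: The doc comment of the new TEMPLATETYPE_exec interface is inconsistent with the TEMPLATETYPE_domtrans comment directly above it: it writes <param name="domain"> with unescaped quotes where the existing block has <param name=\"domain\">, indents the inner <summary> with a tab where the existing one uses a space, and says "Execute TEMPLATETYPE" although the previous hunk just changed the sibling to "Execute TEMPLATETYPE_exec_t". Align the three so the generated .if file reads uniformly.
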
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 09/19] Fix typo in  executable.py template.
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (7 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 08/19] sepolicy: We should be creating _exec interfaces when we create the domtrans interface Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 10/19] sepolicy: Adapt to new the semodule list output Petr Lautrbach
                   ` (9 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

From: Miroslav Grepl <mgrepl@redhat.com>

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/templates/executable.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index 456a7ca8..f2679938 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -220,7 +220,7 @@ if_program_rules="""
 
 ########################################
 ## <summary>
-##	Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domin.
+##	Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain.
 ## </summary>
 ## <param name=\"domain\">
 ## <summary>
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 10/19] sepolicy: Adapt to new the semodule list output
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (8 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 09/19] Fix typo in executable.py template Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation instead Petr Lautrbach
                   ` (8 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

semodule in policycoreutils-2.4 changed the list format. With this
patch, org.selinux.semodule_list uses 'semodule --list=full' and the
code using this was adapted to the new format.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1281309

Fixes:
File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 670, in lockdown_init
  self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
KeyError: 'unconfined'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 dbus/selinux_server.py          | 4 ++--
 gui/polgengui.py                | 2 +-
 python/sepolicy/sepolicy/gui.py | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index 8bd1fe5b..aae8b5fa 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -46,13 +46,13 @@ class selinux_server(slip.dbus.service.Object):
         return buf
 
     #
-    # The semodule_list method will return the output of semodule -l, using the customized polkit,
+    # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
     # since this is a readonly behaviour
     #
     @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
     @dbus.service.method("org.selinux", in_signature='', out_signature='s')
     def semodule_list(self):
-        p = Popen(["/usr/sbin/semodule", "-l"], stdout=PIPE, stderr=PIPE)
+        p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE)
         buf = p.stdout.read()
         output = p.communicate()
         if p.returncode and p.returncode != 0:
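Review bot: Switching semodule_list to "--list=full" changes the string returned by a published D-Bus method, so every consumer of org.selinux.semodule_list receives the new column layout; the commit message should say explicitly that policycoreutils 2.4 or later is now required and that there is no fallback to "-l". The context also shows p.stdout.read() being called before p.communicate(), which is worth tidying while this function is being touched, since communicate() already returns the captured output.
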
diff --git a/gui/polgengui.py b/gui/polgengui.py
index 1d262a95..7460cce2 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -679,7 +679,7 @@ class childWindow:
                     entry.set_text("")
                     return False
             if name in self.all_modules:
-                if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
+                if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
                     entry.set_text("")
                     return False
 
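Review bot: Only the message text changes in polgengui.py, and the diffstat shows no other edit to this file, so whatever fills self.all_modules is untouched; if it parses semodule output, it needs the same column shift as gui.py or the "name in self.all_modules" test will stop matching. Editing the msgid also drops the existing translations of this string.
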
diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index c9dd4c1c..e361aa1c 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -673,9 +673,9 @@ class SELinuxGui():
         self.module_dict = {}
         for m in self.dbus.semodule_list().split("\n"):
             mod = m.split()
-            if len(mod) < 2:
+            if len(mod) < 3:
                 continue
-            self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)}
+            self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) }
 
         self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
         self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"])
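Review bot: self.module_dict is now keyed on mod[1] alone, so when the full listing contains the same module name at more than one priority, later lines silently overwrite earlier ones and the "Disabled" flag reflects whichever line came last. Decide which priority should win, or key on (priority, name). The unchanged lookups self.module_dict["unconfined"] and self.module_dict["permissivedomains"] below still raise KeyError when a module is absent, which is the failure quoted in the commit message; .get() with a default would make that robust.
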
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation instead
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (9 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 10/19] sepolicy: Adapt to new the semodule list output Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 12/19] sepolicy: Simplify policy types detection Petr Lautrbach
                   ` (7 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

filter() changed its behavior between Python 2 and Python 3

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/__init__.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 22c72b2f..074d20ef 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -383,7 +383,12 @@ def get_conditionals(src, dest, tclass, perm):
 
 
 def get_conditionals_format_text(cond):
-    enabled = len(filter(lambda x: x['boolean'][0][1], cond)) > 0
+
+    enabled = False
+    for x in cond:
+        if x['boolean'][0][1]:
+            enabled = True
+            break
     return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
 
 
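Review bot: The six added lines in get_conditionals_format_text() can be written as enabled = any(x['boolean'][0][1] for x in cond), which behaves the same on Python 2 and 3 and short-circuits in the same way. The blank line inserted directly after the def line is not needed.
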
@@ -465,7 +470,7 @@ def find_file(reg):
 
     try:
         pat = re.compile(r"%s$" % reg)
-        return filter(pat.match, map(lambda x: path + x, os.listdir(path)))
+        return [x for x in map(lambda x: path + x, os.listdir(path)) if pat.match(x)]
     except:
         return []
 
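Review bot: The replacement in find_file() still wraps map() and a lambda inside the list comprehension; [path + x for x in os.listdir(path) if pat.match(path + x)] says the same thing directly. The bare except in the context hides any error from re.compile() or os.listdir() behind an empty list, which is worth narrowing in a follow-up.
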
@@ -589,7 +594,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
 
 def get_transitions_into(setype):
     try:
-        return filter(lambda x: x["transtype"] == setype, search([TRANSITION], {'class': 'process'}))
+        return [x for x in search([TRANSITION], {'class': 'process'}) if x["transtype"] == setype]
     except (TypeError, AttributeError):
         pass
     return None
@@ -605,7 +610,7 @@ def get_transitions(setype):
 
 def get_file_transitions(setype):
     try:
-        return filter(lambda x: x['class'] != "process", search([TRANSITION], {'source': setype}))
+        return [x for x in search([TRANSITION], {'source': setype}) if x['class'] != "process"]
     except (TypeError, AttributeError):
         pass
     return None
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 12/19] sepolicy: Simplify policy types detection
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (10 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation instead Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 13/19] sepolicy/generate.py: Fix string formatting Petr Lautrbach
                   ` (6 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

map() and filter() changed their return values from list to iterators in
Python 3. This change drops filter() and map() from gui.py to make it
work on Python 2 and 3

Fixes:
Traceback (most recent call last):
  File "/bin/sepolicy", line 700, in <module>
    args.func(args)
  File "/bin/sepolicy", line 326, in gui_run
    sepolicy.gui.SELinuxGui(args.domain, args.test)
  File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 238, in __init__
    if self.populate_system_policy() < 2:
  File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 835, in populate_system_policy
    types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0]
TypeError: 'map' object is not subscriptable

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/gui.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index e361aa1c..8e86a369 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -831,8 +831,7 @@ class SELinuxGui():
             self.enforce_button = self.disabled_button_default
 
     def populate_system_policy(self):
-        selinux_path = selinux.selinux_path()
-        types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0]
+        types = next(os.walk(selinux.selinux_path(), topdown=True))[1]
         types.sort()
         ctr = 0
         for item in types:
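Review bot: next(os.walk(...)) raises StopIteration when the generator yields nothing, which is what os.walk() does by default if selinux.selinux_path() does not exist or cannot be listed, so populate_system_policy() would fail with an unhelpful exception on such a system. Pass a default, for example next(os.walk(path), (None, [], []))[1], or handle the exception explicitly; topdown=True is the default and can be omitted.
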
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 13/19] sepolicy/generate.py: Fix string formatting
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (11 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 12/19] sepolicy: Simplify policy types detection Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 14/19] policycoreutils/sepolicy: Define our own cmp() Petr Lautrbach
                   ` (5 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

Fixes python3 problem:

>>> print("Failed to retrieve rpm info for %s") % package
Failed to retrieve rpm info for %s
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: unsupported operand type(s) for %: 'NoneType' and 'str'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/generate.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 596891a4..d68f96ef 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -92,7 +92,7 @@ def get_rpm_nvr_list(package):
             nvr = get_rpm_nvr_from_header(h)
             break
     except:
-        print("Failed to retrieve rpm info for %s") % package
+        print(("Failed to retrieve rpm info for %s") % package)
         nvr = None
 
     return nvr
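Review bot: The inner parentheses around the format string in the changed print() call are redundant; print("Failed to retrieve rpm info for %s" % package) is enough. The bare except above it also hides which error occurred, so consider catching a specific exception while touching this block.
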
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 14/19] policycoreutils/sepolicy: Define our own cmp()
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (12 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 13/19] sepolicy/generate.py: Fix string formatting Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 15/19] dbus: Use text streams in selinux_server.py Petr Lautrbach
                   ` (4 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

Fixes:
Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 1447, in stripsort
    return cmp(val1, val2)
NameError: name 'cmp' is not defined

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/gui.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 8e86a369..7f84b6f9 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -69,8 +69,14 @@ enabled = [_("No"), _("Yes")]
 action = [_("Disable"), _("Enable")]
 
 
-def compare(a, b):
-    return cmp(a.lower(), b.lower())
+def cmp(a, b):
+    if a is None and b is None:
+        return 0
+    if a is None:
+        return -1
+    if b is None:
+        return 1
+    return (a > b) - (a < b)
 
 import distutils.sysconfig
 ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<"))
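Review bot: Replacing compare() with cmp() changes behaviour in two ways the commit message does not mention: the .lower() calls are gone, so ordering becomes case-sensitive, and the name compare no longer exists while the diffstat shows no other change in gui.py, so any remaining caller of compare() will now raise NameError. Either keep compare() as a thin wrapper around the new cmp() or update its callers in this patch.
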
-- 
2.12.2

^ permalink raw reply related	[flat|nested] 21+ messages in thread

* [PATCH 15/19] dbus: Use text streams in selinux_server.py
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (13 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 14/19] policycoreutils/sepolicy: Define our own cmp() Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype Petr Lautrbach
                   ` (3 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

subprocess.Popen called without universal_newlines=True opens stdin,
stdout and stderr as binary streams, which causes problems with Python 3.

Fixes:
Traceback (most recent call last):
  File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 2773, in unconfined_toggle
    self.dbus.semanage("module -e unconfined")
  File "<string>", line 2, in semanage
  File "/usr/lib/python3.4/site-packages/slip/dbus/polkit.py", line 121, in _enable_proxy
    return func(*p, **k)
  File "/usr/lib64/python3.4/site-packages/sepolicy/sedbus.py", line 14, in semanage
    ret = self.dbus_object.semanage(buf, dbus_interface = "org.selinux")
  File "/usr/lib64/python3.4/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python3.4/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.TypeError: TypeError: 'dbus.String' does not support the buffer interface

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 dbus/selinux_server.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index aae8b5fa..6e380e58 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -24,7 +24,7 @@ class selinux_server(slip.dbus.service.Object):
     @slip.dbus.polkit.require_auth("org.selinux.semanage")
     @dbus.service.method("org.selinux", in_signature='s')
     def semanage(self, buf):
-        p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE)
+        p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
         p.stdin.write(buf)
         output = p.communicate()
         if p.returncode and p.returncode != 0:
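Review bot: In semanage(), p.stdin.write(buf) followed by a separate p.communicate() can block when buf is larger than the pipe buffer while the child is already writing to stdout or stderr. Pass the data as p.communicate(buf) so that all three pipes are serviced together and stdin is closed for you. The test "p.returncode and p.returncode != 0" can also be reduced to "p.returncode".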
@@ -38,7 +38,7 @@ class selinux_server(slip.dbus.service.Object):
     @slip.dbus.polkit.require_auth("org.selinux.customized")
     @dbus.service.method("org.selinux", in_signature='', out_signature='s')
     def customized(self):
-        p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE)
+        p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
         buf = p.stdout.read()
         output = p.communicate()
         if p.returncode and p.returncode != 0:
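Review bot: customized() reads p.stdout.read() to EOF before calling communicate(), so stderr is not drained while stdout is being read and a child that writes enough to stderr can stall the method. Using buf, err = p.communicate() returns both streams without that ordering problem, and with universal_newlines=True both are already str.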
@@ -52,7 +52,7 @@ class selinux_server(slip.dbus.service.Object):
     @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
     @dbus.service.method("org.selinux", in_signature='', out_signature='s')
     def semodule_list(self):
-        p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE)
+        p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
         buf = p.stdout.read()
         output = p.communicate()
         if p.returncode and p.returncode != 0:
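Review bot: universal_newlines=True in semodule_list() decodes the child's output with the locale's preferred encoding, and a service started by D-Bus may run in the C locale, where non-ASCII bytes in the output raise UnicodeDecodeError on Python 3. Setting the locale explicitly in the service, or reading bytes and decoding them with a fixed encoding, makes the result independent of the environment. The same applies to the two Popen calls changed earlier in this patch.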
-- 
2.12.2

* [PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (14 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 15/19] dbus: Use text streams in selinux_server.py Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a' Petr Lautrbach
                   ` (2 subsequent siblings)
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

This fixes a problem introduced in 18410c86 where ruletype is specified
as a string not a list.

Fixes:
>>> sepolicy.get_all_role_allows()
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/setools/policyrep/util.py", line 60, in lookup
    return cls(value)
  File "/usr/lib64/python3.6/enum.py", line 291, in __call__
    return cls.__new__(cls, value)
  File "/usr/lib64/python3.6/enum.py", line 533, in __new__
    return cls._missing_(value)
  File "/usr/lib64/python3.6/enum.py", line 546, in _missing_
    raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 'a' is not a valid RBACRuletype

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 074d20ef..d2e3fc46 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -747,7 +747,7 @@ def get_all_role_allows():
         return role_allows
     role_allows = {}
 
-    q = setools.RBACRuleQuery(_pol, ruletype='allow')
+    q = setools.RBACRuleQuery(_pol, ruletype=[ALLOW])
     for r in q.results():
         src = str(r.source)
         tgt = str(r.target)
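Review bot: The subject speaks of setools.*Query in general, but only the RBACRuleQuery call in get_all_role_allows() is changed; please confirm that no other query in __init__.py still passes ruletype as a plain string. The traceback ('a' is not a valid RBACRuletype) shows that a string is accepted and then iterated character by character, so a short comment next to ruletype=[ALLOW] saying that the argument must be a list would help prevent a regression.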
-- 
2.12.2

* [PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a'
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (15 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 18/19] sepolicy: info() should provide attributes for a TYPE Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates Petr Lautrbach
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

Fixes:
$ sepolicy manpage -a
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 699, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 359, in manpage
    m = ManPage(domain, path, args.root, args.source_files, args.web)
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
    self.__gen_man_page()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 495, in __gen_man_page
    self._entrypoints()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 903, in _entrypoints
    if len(entrypoints) > 1:
TypeError: object of type 'map' has no len()

$ sepolicy manpage -a
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 699, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 359, in manpage
    m = ManPage(domain, path, args.root, args.source_files, args.web)
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
    self.__gen_man_page()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 497, in __gen_man_page
    self._mcs_types()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 927, in _mcs_types
    attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
TypeError: 'generator' object is not subscriptable

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/manpage.py | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index 4cebb299..a4dc717a 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -94,11 +94,10 @@ def get_all_users_info():
 
 all_entrypoints = None
 
-
 def get_entrypoints():
     global all_entrypoints
     if not all_entrypoints:
-        all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")[0]["types"]
+        all_entrypoints = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
     return all_entrypoints
 
 domains = None
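Review bot: In get_entrypoints(), next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")) has no default, so a policy without that attribute now fails with a bare StopIteration, which is harder to diagnose than the old IndexError. Use next(..., None) and handle the missing case explicitly. The hunk also drops one of the two blank lines before the def, which looks unintended.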
@@ -939,9 +938,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
         return True
 
     def _entrypoints(self):
-        try:
-            entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'}))
-        except:
+        entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})]
+        if len(entrypoints) == 0:
             return
 
         self.fd.write("""
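Review bot: Dropping the try/except around sepolicy.search() in _entrypoints() changes behaviour beyond the map() fix: an exception raised by the search used to make the method return silently and now propagates out of man page generation. That is probably the better behaviour, but it should be mentioned in the commit message. "if len(entrypoints) == 0:" is more idiomatic as "if not entrypoints:".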
@@ -971,8 +969,8 @@ All executeables with the default executable label, usually stored in /usr/bin a
 %s""" % ", ".join(paths))
 
     def _mcs_types(self):
-        attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
-        if "mcs_constrained_type" not in attributes:
+        mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+        if self.type not in mcs_constrained_type['types']:
             return
         self.fd.write ("""
 .SH "MCS Constrained"
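Review bot: _mcs_types() now queries the mcs_constrained_type attribute on every call, that is once per man page with 'sepolicy manpage -a', whereas get_entrypoints() in the same file caches its attribute lookup in a module-level variable; a similar cache would avoid the repeated policy query. As with get_entrypoints(), next() without a default raises StopIteration when the policy does not define the attribute, where the previous code simply returned.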
-- 
2.12.2

* [PATCH 18/19] sepolicy: info() should provide attributes for a TYPE
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (16 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a' Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-03 10:30 ` [PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates Petr Lautrbach
  18 siblings, 0 replies; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

"attributes" used to be there when sepolicy.info() used setools3

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/__init__.py | 1 +
 python/sepolicy/sepolicy/manpage.py  | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index d2e3fc46..8fa2c2ae 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -171,6 +171,7 @@ def info(setype, name=None):
             'aliases': map(str, x.aliases()),
             'name': str(x),
             'permissive': bool(x.ispermissive),
+            'attributes': map(str, x.attributes())
         } for x in q.results())
 
     elif setype == ROLE:
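Review bot: The added 'attributes': map(str, x.attributes()) is a one-shot iterator on Python 3, so a caller that tests membership or iterates a second time sees it empty, and len() fails in the same way as the 'map' traceback fixed in patch 17. Materialise it with list(map(str, x.attributes())) or a list comprehension. A trailing comma after the new entry would also keep future additions to the dict to a one-line diff.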
diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
index a4dc717a..4159bafb 100755
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@@ -494,7 +494,7 @@ class ManPage:
             self.desc = "%s user role" % self.domainname
 
         if self.domainname in self.all_users:
-            self.attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+            self.attributes = next(sepolicy.info(sepolicy.TYPE, (self.type)))["attributes"]
             self._user_header()
             self._user_attribute()
             self._can_sudo()
@@ -539,7 +539,7 @@ class ManPage:
                     self.man_page_path = man_page_path
             except KeyError:
                 continue;
-            self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
+            self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE, ("%s") % domain_type))["attributes"]
 
         self._header()
         self._entrypoints()
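Review bot: In the changed line, ("%s") % domain_type is a no-op wrapper around a value that is already used as a string key on the same line; pass domain_type to sepolicy.info() directly. The value stored in self.attributes[domain_type] is whatever info() returns under "attributes", which with the __init__.py hunk of this patch is a map object, so any later code that reads it more than once depends on that being turned into a list.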
-- 
2.12.2

* [PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates
  2017-05-03 10:30 Several sepolicy fixes from Fedora Petr Lautrbach
                   ` (17 preceding siblings ...)
  2017-05-03 10:30 ` [PATCH 18/19] sepolicy: info() should provide attributes for a TYPE Petr Lautrbach
@ 2017-05-03 10:30 ` Petr Lautrbach
  2017-05-05 17:06   ` Stephen Smalley
  18 siblings, 1 reply; 21+ messages in thread
From: Petr Lautrbach @ 2017-05-03 10:30 UTC (permalink / raw)
  To: selinux

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 python/sepolicy/sepolicy/gui.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
index 7f84b6f9..007c94a7 100644
--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
@@ -1378,8 +1378,8 @@ class SELinuxGui():
                 self.treeview = self.network_in_treeview
                 category = _("listen for inbound connections")
 
-            self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category})
-            self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category})
+            self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
+            self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
             self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
 
         if self.transitions_radio_button.get_active():
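Review bot: The commit message has no body, yet the two changed tooltips replace a bare %s with %(PERM)s in strings that are formatted with a mapping, which is a functional fix to the rendered text and not only a template cleanup; please say so in the message. Changing these two msgids also invalidates their existing translations, so the .po files need a refresh along with this patch.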
@@ -1599,8 +1599,8 @@ class SELinuxGui():
             self.show_popup(self.login_popup_window)
 
         if self.opage == FILE_EQUIV_PAGE:
-            self.file_equiv_source_entry.set_text(self.file_equiv_liststore.get_value(iter, 0))
-            self.file_equiv_dest_entry.set_text(self.file_equiv_liststore.get_value(iter, 1))
+            self.file_equiv_source_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 0)))
+            self.file_equiv_dest_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 1)))
             self.file_equiv_label.set_text((_("Modify File Equivalency Mapping. Mapping will be created when update is applied.")))
             self.file_equiv_popup_window.set_title(_("Modify SELinux File Equivalency"))
             self.clear_entry = True
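Review bot: Wrapping the liststore values in self.unmarkup() for FILE_EQUIV_PAGE is unrelated to the gettext templates named in the subject. Split it into its own patch, or describe in the commit message what markup the liststore values carry and why it has to be stripped before set_text().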
-- 
2.12.2

* Re: [PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates
  2017-05-03 10:30 ` [PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates Petr Lautrbach
@ 2017-05-05 17:06   ` Stephen Smalley
  0 siblings, 0 replies; 21+ messages in thread
From: Stephen Smalley @ 2017-05-05 17:06 UTC (permalink / raw)
  To: Petr Lautrbach, selinux

On Wed, 2017-05-03 at 12:30 +0200, Petr Lautrbach wrote:
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Thanks, applied all 19 patches.

> ---
>  python/sepolicy/sepolicy/gui.py | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/python/sepolicy/sepolicy/gui.py
> b/python/sepolicy/sepolicy/gui.py
> index 7f84b6f9..007c94a7 100644
> --- a/python/sepolicy/sepolicy/gui.py
> +++ b/python/sepolicy/sepolicy/gui.py
> @@ -1378,8 +1378,8 @@ class SELinuxGui():
>                  self.treeview = self.network_in_treeview
>                  category = _("listen for inbound connections")
>  
> -            self.add_button.set_tooltip_text(_("Add new port
> definition to which the '%(APP)s' domain is allowed to %s.") %
> {"APP": self.application, "PERM": category})
> -            self.delete_button.set_tooltip_text(_("Delete modified
> port definitions to which the '%(APP)s' domain is allowed to %s.") %
> {"APP": self.application, "PERM": category})
> +            self.add_button.set_tooltip_text(_("Add new port
> definition to which the '%(APP)s' domain is allowed to %(PERM)s.") %
> {"APP": self.application, "PERM": category})
> +            self.delete_button.set_tooltip_text(_("Delete modified
> port definitions to which the '%(APP)s' domain is allowed to
> %(PERM)s.") % {"APP": self.application, "PERM": category})
>              self.modify_button.set_tooltip_text(_("Modify port
> definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") %
> {"APP": self.application, "PERM": category})
>  
>          if self.transitions_radio_button.get_active():
> @@ -1599,8 +1599,8 @@ class SELinuxGui():
>              self.show_popup(self.login_popup_window)
>  
>          if self.opage == FILE_EQUIV_PAGE:
> -            self.file_equiv_source_entry.set_text(self.file_equiv_li
> ststore.get_value(iter, 0))
> -            self.file_equiv_dest_entry.set_text(self.file_equiv_list
> store.get_value(iter, 1))
> +            self.file_equiv_source_entry.set_text(self.unmarkup(self
> .file_equiv_liststore.get_value(iter, 0)))
> +            self.file_equiv_dest_entry.set_text(self.unmarkup(self.f
> ile_equiv_liststore.get_value(iter, 1)))
>              self.file_equiv_label.set_text((_("Modify File
> Equivalency Mapping. Mapping will be created when update is
> applied.")))
>              self.file_equiv_popup_window.set_title(_("Modify SELinux
> File Equivalency"))
>              self.clear_entry = True
