public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2012-04-30 18:29 Sven Vermeulen
From: Sven Vermeulen @ 2012-04-30 18:29 UTC
  To: gentoo-commits

commit:     7ca373dc8b60c87af8ca3a0ee238f529f893e8eb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Apr 30 18:27:08 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Apr 30 18:27:08 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7ca373dc

Some more whitespace fixes

Found a few more 8xspaces mixed with tabs here and there. Updated as Python3 doesn't accept that.

---
 support/genclassperms.py |    8 ++++----
 support/sedoctool.py     |   18 +++++++++---------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/support/genclassperms.py b/support/genclassperms.py
index 732d645..6d6ce8b 100644
--- a/support/genclassperms.py
+++ b/support/genclassperms.py
@@ -287,10 +287,10 @@ def error(error):
 	Print an error message and exit.
 	"""
 
-        sys.stderr.write("%s exiting for: " % sys.argv[0])
-        sys.stderr.write("%s\n" % error)
-        sys.stderr.flush()
-        sys.exit(1)
+	sys.stderr.write("%s exiting for: " % sys.argv[0])
+	sys.stderr.write("%s\n" % error)
+	sys.stderr.flush()
+	sys.exit(1)
 
 # MAIN PROGRAM
 app_name = sys.argv[0]

diff --git a/support/sedoctool.py b/support/sedoctool.py
index 5bbaf76..aad7f99 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python
 
 #  Author: Joshua Brindle <jbrindle@tresys.com>
-#          Caleb Case <ccase@tresys.com>
+#	  Caleb Case <ccase@tresys.com>
 #
 # Copyright (C) 2005 - 2006 Tresys Technology, LLC
 #      This program is free software; you can redistribute it and/or modify
@@ -80,7 +80,7 @@ def gen_booleans_conf(doc, file_name, namevalue_list):
 				bool_val = BOOL_DISABLED
 
 			if bool_name and bool_val:
-	            		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+		    		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
 				bool_name = bool_val = None
 
 	# tunables are currently implemented as booleans
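Review bot: The added `file_name.write(...)` line under `if bool_name and bool_val:` is still indented with tabs, then four spaces, then more tabs, while the `bool_name = bool_val = None` line right after it uses tabs only. Given that the commit message cites Python 3 rejecting mixed indentation, indent this line with the same four tabs as its neighbour; the hunk at -105 adds the identical line and needs the same fix.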
@@ -105,7 +105,7 @@ def gen_booleans_conf(doc, file_name, namevalue_list):
 				bool_val = BOOL_DISABLED
 
 			if bool_name and bool_val:
-	            		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+		    		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
 				bool_name = bool_val = None
 
 def gen_module_conf(doc, file_name, namevalue_list):
@@ -364,7 +364,7 @@ def gen_docs(doc, working_dir, templatedir):
 #arg, i have to go through this dom tree ahead of time to build up the menus
 	module_list = {}
 	for node in doc.getElementsByTagName("module"):
-                mod_name = mod_layer = interface_buf = ''
+		mod_name = mod_layer = interface_buf = ''
 
 		mod_name = node.getAttribute("name")
 		mod_layer = node.parentNode.getAttribute("name")
@@ -428,7 +428,7 @@ def gen_docs(doc, working_dir, templatedir):
 	all_tunables = []
 	all_booleans = []
 	for node in doc.getElementsByTagName("module"):
-                mod_name = mod_layer = mod_desc = interface_buf = ''
+		mod_name = mod_layer = mod_desc = interface_buf = ''
 
 		mod_name = node.getAttribute("name")
 		mod_layer = node.parentNode.getAttribute("name")
@@ -753,10 +753,10 @@ def error(error):
 	Print an error message and exit.
 	"""
 
-        sys.stderr.write("%s exiting for: " % sys.argv[0])
-        sys.stderr.write("%s\n" % error)
-        sys.stderr.flush()
-        sys.exit(1)
+	sys.stderr.write("%s exiting for: " % sys.argv[0])
+	sys.stderr.write("%s\n" % error)
+	sys.stderr.flush()
+	sys.exit(1)
 
 def warning(warn):
 	"""




* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2012-05-01 10:18 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-01 10:18 UTC
  To: gentoo-commits

commit:     d533815085211db7c782e8d235f9b1c149b9a81f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  1 10:17:46 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  1 10:17:46 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d5338150

Still some whitespace left to fix

---
 support/sedoctool.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/support/sedoctool.py b/support/sedoctool.py
index aad7f99..9050719 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -80,7 +80,7 @@ def gen_booleans_conf(doc, file_name, namevalue_list):
 				bool_val = BOOL_DISABLED
 
 			if bool_name and bool_val:
-		    		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+				file_name.write("%s = %s\n\n" % (bool_name, bool_val))
 				bool_name = bool_val = None
 
 	# tunables are currently implemented as booleans
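Review bot: Only the `file_name.write(...)` line at -80 is re-indented here, but the earlier whitespace commit added the same tab/space/tab line at -105 in `gen_booleans_conf`, and the diffstat shows a single changed line. Fix both occurrences in one commit so the tunables branch does not keep the mixed indentation.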




* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2012-05-01 11:07 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-01 11:07 UTC
  To: gentoo-commits

commit:     9b390581239ff7a6e5002c49fb5d44e074c6d96b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  1 11:07:04 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  1 11:07:04 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b390581

More fixes on python3, including String.split and cStringIO changes

---
 support/pyplate.py   |    6 +++---
 support/sedoctool.py |    8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/support/pyplate.py b/support/pyplate.py
index c7532cc..22385e9 100644
--- a/support/pyplate.py
+++ b/support/pyplate.py
@@ -51,7 +51,7 @@ PyPlate defines the following directives:
 #
 
 from __future__ import nested_scopes
-import sys, string, re, cStringIO
+import sys, string, re, io
 
 re_directive = re.compile("\[\[(.*)\]\]")
 re_for_loop = re.compile("for (.*) in (.*)")
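Review bot: Swapping `cStringIO` for `io` in the import is not a drop-in change while Python 2 is still a target, which the retained `from __future__ import nested_scopes` suggests: under Python 2 `io.StringIO` accepts only `unicode`, so `io.StringIO(template)` in `parse_string` raises TypeError for a byte `str`, and writing `str` data into the `io.StringIO()` created in `execute_string` fails the same way. Either decode at these two boundaries or fall back to `cStringIO` when running on Python 2.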
@@ -82,7 +82,7 @@ class Template:
     file.close()
 
   def parse_string(self, template):
-    file = cStringIO.StringIO(template)
+    file = io.StringIO(template)
     self.parse(file)
     file.close()
 
@@ -111,7 +111,7 @@ class Template:
     file.close()
 
   def execute_string(self, data):
-    s = cStringIO.StringIO()
+    s = io.StringIO()
     self.execute(s, data)
     return s.getvalue()
 

diff --git a/support/sedoctool.py b/support/sedoctool.py
index 9050719..cd3f1ce 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -62,7 +62,7 @@ def gen_booleans_conf(doc, file_name, namevalue_list):
 	for node in doc.getElementsByTagName("bool"):
 		for desc in node.getElementsByTagName("desc"):
 			bool_desc = format_txt_desc(desc)
-		s = string.split(bool_desc, "\n")
+		s = bool_desc.split("\n")
 		file_name.write("#\n")
 		for line in s:
 			file_name.write("# %s\n" % line)
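Review bot: `s = bool_desc.split("\n")` sits at the indentation of the `for node` body, outside the `for desc` loop that assigns `bool_desc`, so a `bool` node without a `desc` child reuses whatever `bool_desc` held from the previous node. Since the line is being touched anyway, reset `bool_desc = ''` at the top of each `for node` iteration; the tunable loop at -87 has the same shape.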
@@ -87,7 +87,7 @@ def gen_booleans_conf(doc, file_name, namevalue_list):
 	for node in doc.getElementsByTagName("tunable"):
 		for desc in node.getElementsByTagName("desc"):
 			bool_desc = format_txt_desc(desc)
-		s = string.split(bool_desc, "\n")
+		s = bool_desc.split("\n")
 		file_name.write("#\n")
 		for line in s:
 			file_name.write("# %s\n" % line)
@@ -105,7 +105,7 @@ def gen_booleans_conf(doc, file_name, namevalue_list):
 				bool_val = BOOL_DISABLED
 
 			if bool_name and bool_val:
-		    		file_name.write("%s = %s\n\n" % (bool_name, bool_val))
+				file_name.write("%s = %s\n\n" % (bool_name, bool_val))
 				bool_name = bool_val = None
 
 def gen_module_conf(doc, file_name, namevalue_list):
@@ -153,7 +153,7 @@ def gen_module_conf(doc, file_name, namevalue_list):
 			for desc in node.getElementsByTagName("summary"):
 				if not desc.parentNode == node:
 					continue
-				s = string.split(format_txt_desc(desc), "\n")
+				s = format_txt_desc(desc).split("\n")
 				for line in s:
 					file_name.write("# %s\n" % line)
 




* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2012-05-01 11:43 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-01 11:43 UTC
  To: gentoo-commits

commit:     0be07d7860725a3101381048715edc1b4373a01e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May  1 11:43:10 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May  1 11:43:10 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0be07d78

For USE=doc, we need to transform a.has_key(b) into b in a too (python3)

---
 support/sedoctool.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/support/sedoctool.py b/support/sedoctool.py
index cd3f1ce..a363e72 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -372,7 +372,7 @@ def gen_docs(doc, working_dir, templatedir):
 		for desc in node.getElementsByTagName("summary"):
 			if desc.parentNode == node and desc:
 				mod_summary = format_html_desc(desc)
-		if not module_list.has_key(mod_layer):
+		if not mod_layer in module_list:
 			module_list[mod_layer] = {}
 
 		module_list[mod_layer][mod_name] = mod_summary
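Review bot: `if not mod_layer in module_list:` evaluates as intended but reads like `(not mod_layer) in module_list`; the idiomatic spelling is `if mod_layer not in module_list:`. `module_list.setdefault(mod_layer, {})[mod_name] = mod_summary` would also replace the check together with the two assignments below it.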




* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2012-06-27 19:12 Sven Vermeulen
From: Sven Vermeulen @ 2012-06-27 19:12 UTC
  To: gentoo-commits

commit:     a1d3ade6fa42151f6a840c4754d87511eb75fa02
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 24 09:38:21 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jun 24 09:38:21 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a1d3ade6

Improve unicode support, needed for python3

---
 support/pyplate.py |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/support/pyplate.py b/support/pyplate.py
index c13cd88..2e5a938 100644
--- a/support/pyplate.py
+++ b/support/pyplate.py
@@ -82,7 +82,10 @@ class Template:
     file.close()
 
   def parse_string(self, template):
-    file = io.StringIO(template)
+    if sys.version_info >= (3,0):
+      file = io.StringIO(template)
+    else:
+      file = io.StringIO(template.decode('utf-8'))
     self.parse(file)
     file.close()
 
@@ -288,7 +291,11 @@ class CommentTemplateNode(LeafTemplateNode):
 
 class ExpressionTemplateNode(LeafTemplateNode):
   def execute(self, stream, data):
-    stream.write(str(eval(self.s, globals(), data)))
+    if sys.version_info >= (3,0):
+      stream.write(str(eval(self.s, globals(), data)))
+    else:
+      stream.write(str(eval(self.s, globals(), data)).decode('utf-8'))
+
 
 class ExecTemplateNode(LeafTemplateNode):
   def __init__(self, parent, s):
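Review bot: In the Python 2 branch of `ExpressionTemplateNode.execute`, `str(eval(...))` runs before `.decode('utf-8')`, so an expression that evaluates to a `unicode` value with non-ASCII characters raises UnicodeEncodeError inside `str()` and never reaches the decode. Evaluate once into a local, call `.decode('utf-8')` only when the result is a byte string, and write that, which also removes the duplicated `eval(self.s, globals(), data)` call. Because the expression text is handed to `eval` with the module's `globals()`, a comment stating that templates must be trusted input would be worth adding here as well.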




* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2012-07-04 16:57 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-04 16:57 UTC
  To: gentoo-commits

commit:     84d93951fa8e2833ff4dcb8a3ff40ac9548e7b0c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul  4 16:56:31 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul  4 16:56:31 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=84d93951

Some more backports

---
 support/comment_move_decl.sed  |    1 +
 support/get_type_attr_decl.sed |    7 ++++++-
 support/pyplate.py             |    1 -
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/support/comment_move_decl.sed b/support/comment_move_decl.sed
index 601c4f7..00b94b6 100644
--- a/support/comment_move_decl.sed
+++ b/support/comment_move_decl.sed
@@ -10,5 +10,6 @@
 /^[[:blank:]]*fs_use_(xattr|task|trans) /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*sid /s/^/# this line was moved by the build process: &/
 /^[[:blank:]]*bool /s/^/# this line was moved by the build process: &/
+/^[[:blank:]]*role[[:blank:]]+[a-zA-Z_]+[[:blank:]]*;/s/^/# this line was moved by the build process: &/
 
 :nextline
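Review bot: The new address `/^[[:blank:]]*role[[:blank:]]+[a-zA-Z_]+[[:blank:]]*;/` uses a character class without digits, so a declaration whose role name contains a digit would be neither commented out here nor printed by the matching rule added to get_type_attr_decl.sed. If role identifiers may contain digits, use `[a-zA-Z0-9_]+`, and keep the pattern byte-for-byte identical in both files so a declaration is never moved without being commented, or the reverse.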

diff --git a/support/get_type_attr_decl.sed b/support/get_type_attr_decl.sed
index 69c6ccd..5c7a6a8 100644
--- a/support/get_type_attr_decl.sed
+++ b/support/get_type_attr_decl.sed
@@ -1,5 +1,5 @@
 #n
-# print out type and attribute declarations that
+# print out type, role and attribute declarations that
 # are not inside require and optional blocks.
 
 /require \{/,/} # end require/b nextline
@@ -10,4 +10,9 @@
 	p
 }
 
+/^[[:blank:]]*role[[:blank:]]+[a-zA-Z_]+[[:blank:]]*;/{
+	s/^[[:blank:]]+//
+	p
+}
+
 :nextline

diff --git a/support/pyplate.py b/support/pyplate.py
index 2e5a938..44b662a 100644
--- a/support/pyplate.py
+++ b/support/pyplate.py
@@ -296,7 +296,6 @@ class ExpressionTemplateNode(LeafTemplateNode):
     else:
       stream.write(str(eval(self.s, globals(), data)).decode('utf-8'))
 
-
 class ExecTemplateNode(LeafTemplateNode):
   def __init__(self, parent, s):
     LeafTemplateNode.__init__(self, parent, s)




* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2013-03-04 20:15 Sven Vermeulen
From: Sven Vermeulen @ 2013-03-04 20:15 UTC
  To: gentoo-commits

commit:     ecfec7d07362a34a0cc6c0785bb649c58211ea47
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Feb 26 14:16:49 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Mar  4 20:13:14 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ecfec7d0

Fix fc_sort.c warning uncovered by recent gcc

output_name in main was set to argv[2] but then argv[2] rather than
output_name was used later in the function.

---
 support/fc_sort.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index 6c43035..e03ef3b 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -1,4 +1,4 @@
-/* Copyright 2005, Tresys Technology 
+/* Copyright 2005,2013 Tresys Technology
  * 
  * Some parts of this came from matchpathcon.c in libselinux
  */
@@ -523,7 +523,7 @@ int main(int argc, char *argv[])
 	fc_merge_sort(master);
 
 	/* Open the output file. */
-	if (!(out_file = fopen(argv[2], "w"))) {
+	if (!(out_file = fopen(output_name, "w"))) {
 		printf("Error: failure opening output file for write.\n");
 		return -1;
 	}



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2013-09-24 17:10 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-24 17:10 UTC
  To: gentoo-commits

commit:     3ac5fcd1c6ef5b5fbdd91db151300deb8cd3b408
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Sep 23 18:26:32 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Sep 24 13:39:09 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3ac5fcd1

Fix support/policyvers.py not to error if building policy on a SELinux-disabled system.

---
 support/policyvers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/support/policyvers.py b/support/policyvers.py
index 74b8de0..0d969a4 100644
--- a/support/policyvers.py
+++ b/support/policyvers.py
@@ -1,3 +1,4 @@
 #!/usr/bin/python
 import selinux
-print selinux.security_policyvers()
+if selinux.is_selinux_enabled():
+	print selinux.security_policyvers()
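Review bot: With the new `if selinux.is_selinux_enabled():` guard and no `else`, the script prints nothing and still exits 0 on a SELinux-disabled host, so whatever consumes its output receives an empty policy version with no indication why. Either print an explicit fallback or write a message to stderr in the disabled case, and document which of the two the caller should expect.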



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2014-04-08 16:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-08 16:01 UTC
  To: gentoo-commits

commit:     2b3ad3e102a5932ca54db3276cabc35a744b33ea
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Mar 23 21:01:38 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr  8 15:20:48 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2b3ad3e1

fc_sort: initialize allocated memory to fix execution on an empty file

When running fc_sort on an empty context file, this program uses uninitialized
pointers when accessing the elements of a list.  On my system, it goes in a
very long loop (maybe infinite) because uninitialized fields in malloc'ed
structures happen to contain valid pointers in the heap.

This patch fixes this bug by initializing ->next and ->data fields before they
may be read.

---
 support/fc_sort.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index 29e2ce9..5aed783 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -346,6 +346,7 @@ int main(int argc, char *argv[])
 
 	/* Initialize the head of the linked list. */
 	head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
+	head->next = NULL;
 
 	/* Parse the file into a file_context linked list. */
 	line_buf = NULL;
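Review bot: `head->next = NULL;` dereferences the result of `malloc()` with no NULL check, so an allocation failure becomes a NULL pointer write at the first statement after the allocation. Test `head` and return an error before touching it.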
@@ -489,6 +490,8 @@ int main(int argc, char *argv[])
 	bcurrent = master =
 	    (file_context_bucket_t *)
 	    malloc(sizeof(file_context_bucket_t));
+	bcurrent->next = NULL;
+	bcurrent->data = NULL;
 
 	/* Go until all the nodes have been put in individual buckets. */
 	while (current) {
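Review bot: Initialising `next` and `data` one field at a time after `malloc()` covers the struct as it is today but not any field added later; `calloc(1, sizeof(file_context_bucket_t))` zeroes the whole bucket and makes both added assignments unnecessary. The allocation result is also not checked before `bcurrent->next` is written.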



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2014-04-08 16:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-08 16:01 UTC
  To: gentoo-commits

commit:     0ec7241b0d77111ca2d105bc2c38a85ba6cef4f2
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Mar 23 21:01:37 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr  8 15:20:45 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0ec7241b

fc_sort: fix typos in comments

---
 support/fc_sort.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index e03ef3b..29e2ce9 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -81,7 +81,7 @@ typedef struct file_context_bucket {
  *      -> a is less specific than b.
  *     If a's string length is shorter than b's string length,
  *      -> a is less specific than b.
- *     If a does not have a specified type and b does not,
+ *     If a does not have a specified type and b does,
  *      -> a is less specific than b.
  */
 int fc_compare(file_context_node_t *a, file_context_node_t *b)
@@ -496,7 +496,7 @@ int main(int argc, char *argv[])
 		bcurrent->data = current;
 		current = current->next;
 
-		/* Detatch the node in the bucket from the old list. */
+		/* Detach the node in the bucket from the old list. */
 		bcurrent->data->next = NULL;
 
 		/* If there should be another bucket, put one at the end. */



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2014-04-08 16:02 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-08 16:02 UTC
  To: gentoo-commits

commit:     304ec5224b39f6d7ac2c731bd9b4c0fd4f5c0af8
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Mar 23 21:01:39 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr  8 15:20:50 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=304ec522

fc_sort: make outfile argument optional

When working on fc_sort to try to understand why using /usr/s?bin/... file
contexts has been reported not to work properly [1], I found it frustrating not
to be able to do "tmp/fc_sort my_filecontexts.fc" and see the result printed on
the screen.  This patch implements this behavior by making optional the second
argument of fc_sort.

[1] commit 36e2216f8 of contrib repository,
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36e2216f82192660d063012e69281f27ba20864b

---
 support/fc_sort.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index 5aed783..6dc59af 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -328,13 +328,13 @@ int main(int argc, char *argv[])
 
 
 	/* Check for the correct number of command line arguments. */
-	if (argc != 3) {
-		fprintf(stderr, "Usage: %s <infile> <outfile>\n",argv[0]);
+	if (argc < 2 || argc > 3) {
+		fprintf(stderr, "Usage: %s <infile> [<outfile>]\n",argv[0]);
 		return 1;
 	}
 	
 	input_name = argv[1];
-	output_name = argv[2];
+	output_name = (argc >= 3) ? argv[2] : NULL;
 
 	i = j = lines = 0;
 
@@ -526,9 +526,13 @@ int main(int argc, char *argv[])
 	fc_merge_sort(master);
 
 	/* Open the output file. */
-	if (!(out_file = fopen(output_name, "w"))) {
-		printf("Error: failure opening output file for write.\n");
-		return -1;
+	if (output_name) {
+		if (!(out_file = fopen(output_name, "w"))) {
+			printf("Error: failure opening output file for write.\n");
+			return -1;
+		}
+	} else {
+		out_file = stdout;
 	}
 
 	/* Output the sorted file_context linked list to the output file. */
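Review bot: The error path inside the new `if (output_name)` block still reports through `printf` to stdout and returns -1, while the usage error earlier in `main` goes to stderr and returns 1, and the message drops the reason for the failure. Now that stdout can carry the sorted contexts, send diagnostics to stderr consistently: `fprintf(stderr, ...)` with `strerror(errno)`, and return 1.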
@@ -555,7 +559,9 @@ int main(int argc, char *argv[])
 	}
 	free(master);
 
-	fclose(out_file);
+	if (output_name) {
+		fclose(out_file);
+	}
 
 	return 0;
 }
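Review bot: Write failures go unnoticed on both paths at the end of `main`: the return value of `fclose(out_file)` is ignored, and the stdout case is never flushed or checked, so a full disk or a closed pipe still ends in `return 0`. Check `fclose()` in the file case and `fflush(stdout)` plus `ferror(stdout)` in the other, and return non-zero on failure so a truncated file-context list is not taken as a successful sort.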



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2014-05-16 18:43 Sven Vermeulen
From: Sven Vermeulen @ 2014-05-16 18:43 UTC
  To: gentoo-commits

commit:     198bd85a025f7b81e1d1afc9b594b33f64080e06
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue May 13 13:39:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 16 18:42:58 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=198bd85a

Need the __future__ import for python2 if using print().

---
 support/policyvers.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/support/policyvers.py b/support/policyvers.py
index a367ef1..834ff3d 100644
--- a/support/policyvers.py
+++ b/support/policyvers.py
@@ -1,4 +1,5 @@
 #!/usr/bin/python
+from __future__ import print_function
 import selinux
 if selinux.is_selinux_enabled():
 	print(selinux.security_policyvers())



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2014-05-16 18:43 Sven Vermeulen
From: Sven Vermeulen @ 2014-05-16 18:43 UTC
  To: gentoo-commits

commit:     73d7fb2e565bba1c32e7c4a9bb2e7eb18e3022e1
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat May 10 14:44:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 16 18:42:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73d7fb2e

Make support/policyvers.py compatible with Python 3

Add parentheses around print statement, like in other Python scripts.

---
 support/policyvers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/policyvers.py b/support/policyvers.py
index 0d969a4..a367ef1 100644
--- a/support/policyvers.py
+++ b/support/policyvers.py
@@ -1,4 +1,4 @@
 #!/usr/bin/python
 import selinux
 if selinux.is_selinux_enabled():
-	print selinux.security_policyvers()
+	print(selinux.security_policyvers())



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2014-12-03 12:54 Jason Zaman
From: Jason Zaman @ 2014-12-03 12:54 UTC
  To: gentoo-commits

commit:     393b946b07d418fccf66759420c2210fe9475cc1
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Nov 23 15:34:33 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Dec  2 21:09:09 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=393b946b

Create tmp directory when compiling a .mod.fc file in a modular way

When compiling modules using support/Makefile.devel (which is installed
in /usr/share/selinux/*/include/Makefile) with "make -j9", the build
fails because tmp/ does not exist.

Add the missing command to create tmp/ when running tmp/%.mod.fc target.

Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=530178

---
 support/Makefile.devel | 1 +
 1 file changed, 1 insertion(+)

diff --git a/support/Makefile.devel b/support/Makefile.devel
index b96e9b3..ae52932 100644
--- a/support/Makefile.devel
+++ b/support/Makefile.devel
@@ -158,6 +158,7 @@ tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
 
 tmp/%.mod.fc: $(m4support) %.fc
+	@test -d $(@D) || mkdir -p $(@D)
 	$(verbose) $(M4) $(M4PARAM) $^ > $@
 
 %.pp: tmp/%.mod tmp/%.mod.fc
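Review bot: `@test -d $(@D) || mkdir -p $(@D)` in the `tmp/%.mod.fc` recipe is redundant, since `mkdir -p` already succeeds when the directory exists, and it is repeated for every target built under `make -j9`. Prefer a single `tmp:` rule used as an order-only prerequisite (`tmp/%.mod.fc: $(m4support) %.fc | tmp`), and check whether the `tmp/%.mod` rule above it needs the same treatment.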



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2016-01-30 17:21 Jason Zaman
From: Jason Zaman @ 2016-01-30 17:21 UTC
  To: gentoo-commits

commit:     cde11120caf4ffea75639428abdf91ab5568d653
Author:     William Roberts <william.c.roberts <AT> intel <DOT> com>
AuthorDate: Thu Jan  7 16:41:32 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cde11120

fc_sort: strip whitespace errors

Signed-off-by: William Roberts <william.c.roberts <AT> intel.com>

 support/fc_sort.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index 6dc59af..f4d2cd0 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -1,13 +1,13 @@
 /* Copyright 2005,2013 Tresys Technology
- * 
+ *
  * Some parts of this came from matchpathcon.c in libselinux
  */
 
 /* PURPOSE OF THIS PROGRAM
- * The original setfiles sorting algorithm did not take into 
- * account regular expression specificity. With the current 
- * strict and targeted policies this is not an issue because 
- * the file contexts are partially hand sorted and concatenated 
+ * The original setfiles sorting algorithm did not take into
+ * account regular expression specificity. With the current
+ * strict and targeted policies this is not an issue because
+ * the file contexts are partially hand sorted and concatenated
  * in the right order so that the matches are generally correct.
  * The way reference policy and loadable policy modules handle
  * file contexts makes them come out in an unpredictable order
@@ -27,7 +27,7 @@ typedef unsigned char bool_t;
 
 /* file_context_node
  * A node used in a linked list of file contexts.c
- * Each node contains the regular expression, the type and 
+ * Each node contains the regular expression, the type and
  *  the context, as well as information about the regular
  *  expression. The regular expression data (meta, stem_len
  *  and str_len) can be filled in by using the fc_fill_data
@@ -114,7 +114,7 @@ int fc_compare(file_context_node_t *a, file_context_node_t *b)
 	if (!b->file_type && a->file_type)
 		return 1;
 
-	/* If none of the above conditions were satisfied, 
+	/* If none of the above conditions were satisfied,
 	 * then a and b are equally specific. */
 	return 0;
 }
@@ -251,7 +251,7 @@ void fc_merge_sort(file_context_bucket_t *master)
 /* fc_fill_data
  * This processes a regular expression in a file context
  *  and sets the data held in file_context_node, namely
- *  meta, str_len and stem_len. 
+ *  meta, str_len and stem_len.
  * The following changes are made to fc_node after the
  *  the completion of the function:
  *     fc_node->meta =		1 if path has a meta character, 0 if not.
@@ -332,7 +332,7 @@ int main(int argc, char *argv[])
 		fprintf(stderr, "Usage: %s <infile> [<outfile>]\n",argv[0]);
 		return 1;
 	}
-	
+
 	input_name = argv[1];
 	output_name = (argc >= 3) ? argv[2] : NULL;
 
@@ -395,7 +395,7 @@ int main(int argc, char *argv[])
 
 			continue;
 		}
-		
+
 		temp->path = (char*)strndup(&line_buf[start], regex_len);
 		if (!temp->path) {
 			file_context_node_destroy(temp);
@@ -409,7 +409,7 @@ int main(int argc, char *argv[])
 
 			if (!isspace(line_buf[i]))
 				break;
-		}	
+		}
 
 		if (i == line_len) {
 			file_context_node_destroy(temp);
@@ -417,7 +417,7 @@ int main(int argc, char *argv[])
 			continue;
 		}
 
-		/* Parse out the type from the line (if it 
+		/* Parse out the type from the line (if it
 			*  is there). */
 		if (line_buf[i] == '-') {
 			temp->file_type = (char *)malloc(sizeof(char) * 3);



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2016-10-24 16:02 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:02 UTC
  To: gentoo-commits

commit:     0c0b0517f41f139a2a14ddcb3d305e0999a0bcaa
Author:     Sean Placchetti <Sean.P.Placchetti <AT> gmail <DOT> com>
AuthorDate: Tue Oct 11 19:35:07 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:00:32 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0c0b0517

Update to refpolicy spec file

Missing forward slash

 support/selinux-policy-refpolicy.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec
index 7a8df03..a9557b7 100644
--- a/support/selinux-policy-refpolicy.spec
+++ b/support/selinux-policy-refpolicy.spec
@@ -310,7 +310,7 @@ SELinux Reference policy mysql module.
 %config %{_usr}/share/selinux/*/*/mysql.pp
 
 %post mysql
-semodule -i %{_usr}/share/selinux/targeted/targeted-mcsmysql.pp
+semodule -i %{_usr}/share/selinux/targeted/targeted-mcs/mysql.pp
 
 %preun mysql
 semodule -r mysql
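Review bot: The corrected `%post mysql` line hardcodes `targeted/targeted-mcs/` while the `%config` entry above it globs `%{_usr}/share/selinux/*/*/mysql.pp`, so the scriptlet installs from one fixed policy directory regardless of which policy the package actually shipped. Building the path from a macro shared with the file list would keep the two in step and would have prevented the missing-slash typo this patch fixes.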



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
  2016-10-24 16:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:02 UTC
  To: gentoo-commits

commit:     fdf49cd4990b345a34e022dccd818a550754e8f9
Author:     Rahul Chaudhry <rahulchaudhry <AT> google <DOT> com>
AuthorDate: Wed Oct 12 19:19:48 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:00:46 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fdf49cd4

fc_sort: cleanup warnings caught by clang tidy / static analyzer.

Value stored to 'i' is never read.
Variable 'j' is never used.

 support/fc_sort.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index f4d2cd0..5561288 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -315,7 +315,7 @@ int main(int argc, char *argv[])
 {
 	int lines;
 	size_t start, finish, regex_len, context_len;
-	size_t line_len, buf_len, i, j;
+	size_t line_len, buf_len, i;
 	char *input_name, *output_name, *line_buf;
 
 	file_context_node_t *temp;
@@ -336,7 +336,7 @@ int main(int argc, char *argv[])
 	input_name = argv[1];
 	output_name = (argc >= 3) ? argv[2] : NULL;
 
-	i = j = lines = 0;
+	lines = 0;
 
 	/* Open the input file. */
 	if (!(in_file = fopen(input_name, "r"))) {
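
Review bot: with "i = j = lines = 0;" reduced to "lines = 0;", i is left declared at the top of main() without an initial value, so correctness now depends on every later use assigning it before reading it, which this hunk does not show. Declaring i in the block that actually uses it, or keeping "i = 0" here, would keep a later edit from reading it uninitialized and would not bring the analyzer warning back if the first real use is a read.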


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
  2016-10-24 16:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
@ 2016-10-24 16:02 ` Sven Vermeulen
  0 siblings, 0 replies; 34+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     b80312183a76562c5363fee273011a8a2f64eb48
Author:     Sean Placchetti <Sean.P.Placchetti <AT> gmail <DOT> com>
AuthorDate: Mon Oct 17 11:37:51 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:00:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8031218

Update specfile

Minor tweaks to specfile

 support/selinux-policy-refpolicy.spec | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/support/selinux-policy-refpolicy.spec b/support/selinux-policy-refpolicy.spec
index a9557b7..55b422f 100644
--- a/support/selinux-policy-refpolicy.spec
+++ b/support/selinux-policy-refpolicy.spec
@@ -7,17 +7,21 @@
 %define type2 strict-mcs
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 20051019
+Version: 2.20151208
 Release: 1
-License: GPL
+License: GPLv2
 Group: System Environment/Base
 Source: refpolicy-%{version}.tar.bz2
 Url: http://serefpolicy.sourceforge.net
 BuildRoot: %{_tmppath}/refpolicy-buildroot
 BuildArch: noarch
 # FIXME Need to ensure these have correct versions
-BuildRequires: checkpolicy m4 policycoreutils python make gcc
-PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER}
+BuildRequires: checkpolicy >= 2.1.8
+BuildRequires: policycoreutils >= 2.1.10
+BuildRequires: python >= 2.6
+BuildRequires: libsepol >= 2.1.4
+BuildRequires: libsemanage >= 2.0.29
+BuildRequires: m4 make gcc
 Obsoletes: policy 
 
 %description
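
Review bot: the "PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER}" line is removed with no Requires: or Requires(post): line taking its place, so after this hunk the package declares policycoreutils only as a build requirement and no longer as an install-time one. If dropping the runtime dependency is intended, the commit message should say so; otherwise add it back in the current tag syntax. The "# FIXME Need to ensure these have correct versions" comment can also go now that each BuildRequires carries a version.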


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2017-02-21  7:11 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2017-02-21  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     d95bd051d23600ea746b71790ef5184e71d34ddd
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 18:59:33 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:03:24 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d95bd051

Only display the WERROR notice if there actually are errors.

 support/fatal_error.m4 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/support/fatal_error.m4 b/support/fatal_error.m4
index 8b01dc26..edf39ee7 100644
--- a/support/fatal_error.m4
+++ b/support/fatal_error.m4
@@ -1,2 +1,4 @@
-ifdef(`m4_werror',`errprint(__file__: Notice: Treating warnings as errors.__endline__)')
-ifdef(`m4_fatal_error',`m4exit(`1')')
+ifdef(`m4_fatal_error',`
+    ifdef(`m4_werror',`errprint(__file__: Notice: Treating warnings as errors.__endline__)')
+    m4exit(`1')
+')
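
Review bot: the notice is now printed whenever m4_fatal_error and m4_werror are both defined, and nothing in these lines distinguishes a fatal error that came from a promoted warning from one that was an error in its own right, so in the second case "Treating warnings as errors" points the reader at the wrong cause. A one-line comment stating what sets m4_fatal_error would settle this; if genuine errors can set it too, the wording of the notice should be made neutral. Note also that the indentation and newlines added inside the quoted argument are part of the expansion, which a dnl at the line ends would avoid.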


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2017-04-10 16:59 Sven Vermeulen
  0 siblings, 0 replies; 34+ messages in thread
From: Sven Vermeulen @ 2017-04-10 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     b64d2694b612f6962fb43f87557a9562253c68fd
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr  8 09:41:05 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:58:49 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b64d2694

Use raw strings in regular expressions

Python 3.6 complains about the strings which are used as regular
expressions in the support scripts:

    File "support/segenxml.py", line 37
        INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
                              ^
    SyntaxError: invalid escape sequence \s

 support/pyplate.py  | 16 ++++++++--------
 support/segenxml.py |  6 +++---
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/support/pyplate.py b/support/pyplate.py
index 28c61088..d0e7fe26 100644
--- a/support/pyplate.py
+++ b/support/pyplate.py
@@ -54,14 +54,14 @@ PyPlate defines the following directives:
 
 import sys, re, io
 
-re_directive = re.compile("\[\[(.*)\]\]")
-re_for_loop = re.compile("for (.*) in (.*)")
-re_if = re.compile("if (.*)")
-re_elif = re.compile("elif (.*)")
-re_def = re.compile("def (.*?)\((.*)\)")
-re_call = re.compile("call (.*?)\((.*)\)")
-re_exec = re.compile("exec (.*)")
-re_comment = re.compile("#(.*)#")
+re_directive = re.compile(r"\[\[(.*)\]\]")
+re_for_loop = re.compile(r"for (.*) in (.*)")
+re_if = re.compile(r"if (.*)")
+re_elif = re.compile(r"elif (.*)")
+re_def = re.compile(r"def (.*?)\((.*)\)")
+re_call = re.compile(r"call (.*?)\((.*)\)")
+re_exec = re.compile(r"exec (.*)")
+re_comment = re.compile(r"#(.*)#")
 
 ############################################################
 # Template parser
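
Review bot: re_directive keeps the greedy group in `\[\[(.*)\]\]`, so a template line carrying two directives is captured as a single one running from the first "[[" to the last "]]"; since this line is being touched anyway, `(.*?)` or a note that one directive per line is assumed would be worth adding. The r prefix on re_for_loop, re_if, re_elif, re_exec and re_comment changes nothing (those patterns contain no backslash), which is fine for consistency but could be said in the commit message so nobody looks for a behaviour change there.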

diff --git a/support/segenxml.py b/support/segenxml.py
index 383428df..e37ea041 100644
--- a/support/segenxml.py
+++ b/support/segenxml.py
@@ -34,7 +34,7 @@ output_dir = ""
 #	 -> ("interface", "kernel_read_system_state")
 #	"template(`base_user_template',`"
 #	 -> ("template", "base_user_template")
-INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
+INTERFACE = re.compile(r"^\s*(interface|template)\(`(\w*)'")
 
 # Matches either a gen_bool or a gen_tunable statement. Will give the tuple:
 #	("tunable" or "bool", name, "true" or "false")
@@ -43,7 +43,7 @@ INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
 #	 -> ("bool", "secure_mode", "false")
 #	"gen_tunable(allow_kerberos, false)"
 #	 -> ("tunable", "allow_kerberos", "false")
-BOOLEAN = re.compile("^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
+BOOLEAN = re.compile(r"^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
 
 # Matches a XML comment in the policy, which is defined as any line starting
 #  with two # and at least one character of white space. Will give the single
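
Review bot: BOOLEAN captures the name with `(\w*)`, which also accepts an empty name, so a malformed statement such as "gen_bool(, true)" matches and yields ("bool", "", "true") instead of being rejected; INTERFACE in the previous hunk has the same `(\w*)`. Using `(\w+)` in both would make the patterns agree with the examples in the comments above them, and those examples would make good doctests to confirm the raw-string conversion left matching unchanged.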
@@ -54,7 +54,7 @@ BOOLEAN = re.compile("^\s*gen_(tunable|bool)\(\s*(\w*)\s*,\s*(true|false)\s*\)")
 #	 -> ("<summary>")
 #	"##		The domain allowed access.	"
 #	 -> ("The domain allowed access.")
-XML_COMMENT = re.compile("^##\s+(.*?)\s*$")
+XML_COMMENT = re.compile(r"^##\s+(.*?)\s*$")
 
 
 # FUNCTIONS


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2017-06-13  8:25 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2017-06-13  8:25 UTC (permalink / raw
  To: gentoo-commits

commit:     47a129496e11fe3fb46818410ae53615531c1ff1
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Jun  5 22:08:13 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 07:59:58 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=47a12949

fc_sort: avoid compiler warning/error

Fix a "-Werror=implicit-fallthrough" compiler warning/error on
the switch statement.

This third version (v3) fixes a bug introduced in the first
version and improves the style over the second version.

Signed-off-by: Guido Trentalancia <guido at trentalancia.com>

 support/fc_sort.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index 5561288a..66cdf39f 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -292,14 +292,16 @@ void fc_fill_data(file_context_node_t *fc_node)
 			/* If a escape character is found,
 			 *  skip the next character. */
 			c++;
+			break;
 		default:
-			/* If no meta character has been found yet,
-			 *  add one to the stem length. */
-			if (!fc_node->meta)
-				fc_node->stem_len++;
 			break;
 		}
 
+		/* If no meta character has been found yet,
+		 * add one to the stem length. */
+		if (!fc_node->meta)
+			fc_node->stem_len++;
+
 		fc_node->str_len++;
 		c++;
 	}
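
Review bot: the escape case advances c past the next character without checking that it is not the string terminator, and the loop body then does a second c++ after the switch; if the enclosing loop stops on the terminator, a path that ends in a backslash steps over it and keeps reading. A check before the skip (only advance when the following character is not the terminator) would close that. The moved stem_len block now runs after every case, so it is equivalent to the old fall-through only if each meta-character case sets fc_node->meta before its break, which is outside this hunk and deserves a comment; the now-empty "default: break;" can stay for -Wswitch-default or be dropped.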


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2017-10-29 20:42 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     7d6bc428460407eec6715b9aa2d303cc3a8f36a1
Author:     Adam Duskett <Adamduskett <AT> outlook <DOT> com>
AuthorDate: Tue Oct 10 22:00:30 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d6bc428

fix regex escape sequence error.

python3.6 will error out with the message "invalid escape sequence"
in genhomedircon.py.  This patch fixes these errors by turning the string
into a raw string.

 support/genhomedircon.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 036f5cc9..6662f412 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -189,13 +189,13 @@ def oldgenhomedircon(filecontextdir, filecontext):
                 addme = 1
                 for regex in prefix_regex:
                         #match a trailing (/*)? which is actually a bug in rpc_pipefs
-                        regex = re.sub("\(/\*\)\?$", "", regex)
+                        regex = re.sub(r"\(/\*\)\?$", "", regex)
                         #match a trailing .+
-                        regex = re.sub("\.+$", "", regex)
+                        regex = re.sub(r"\.+$", "", regex)
                         #match a trailing .*
-                        regex = re.sub("\.\*$", "", regex)
+                        regex = re.sub(r"\.\*$", "", regex)
                         #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-                        regex = re.sub("\(\/\.\*\)\?", "", regex)
+                        regex = re.sub(r"\(\/\.\*\)\?", "", regex)
                         regex = regex + "/*$"
                         if re.search(regex, potential, 0):
                                 addme = 0
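
Review bot: `\.+$` does not do what the comment "match a trailing .+" says: it matches one or more literal dots at the end of the string, so a regex that ends in the two characters ".+" is left untouched (its last character is "+"), while one ending in plain dots is stripped. The raw-string conversion preserves that behaviour faithfully, but if the comment states the intent the pattern should be `\.\+$`. The `\/` in the last substitution is an unnecessary escape and can be written "/".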
@@ -391,13 +391,13 @@ class selinuxConfig:
 		exists=1
 		for regex in prefix_regex:
 			#match a trailing (/*)? which is actually a bug in rpc_pipefs
-			regex = re.sub("\(/\*\)\?$", "", regex)
+			regex = re.sub(r"\(/\*\)\?$", "", regex)
 			#match a trailing .+
-			regex = re.sub("\.+$", "", regex)
+			regex = re.sub(r"\.+$", "", regex)
 			#match a trailing .*
-			regex = re.sub("\.\*$", "", regex)
+			regex = re.sub(r"\.\*$", "", regex)
 			#strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-			regex = re.sub("\(\/\.\*\)\?", "", regex)
+			regex = re.sub(r"\(\/\.\*\)\?", "", regex)
 			regex = regex + "/*$"
 			if re.search(regex, home, 0):
 				exists = 0
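
Review bot: these four substitutions are a verbatim copy of the block in oldgenhomedircon in the previous hunk, including the `\.+$` pattern that does not match a trailing ".+", so any fix has to be made twice. Moving the normalisation into one helper that takes the prefix regex and returns the trimmed form would remove the duplication and give a single place to test.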


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2017-10-29 20:42 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     9303a33ab384c0af2ad5e90e6491dc330e3e5a01
Author:     William Roberts <william.c.roberts <AT> intel <DOT> com>
AuthorDate: Tue Oct 17 18:16:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:50 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9303a33a

fc_sort: use calloc instead of malloc

Rather than using malloc to allocate nodes and setting all the fields,
just use calloc.

Signed-off-by: William Roberts <william.c.roberts <AT> intel.com>

 support/fc_sort.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/support/fc_sort.c b/support/fc_sort.c
index 956c37b8..bfe28ca8 100644
--- a/support/fc_sort.c
+++ b/support/fc_sort.c
@@ -357,15 +357,11 @@ int main(int argc, char *argv[])
 	}
 
 	/* Initialize the head of the linked list. */
-	head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
+	head = current = (file_context_node_t*)calloc(1, sizeof(file_context_node_t));
 	if (!head) {
 		fprintf(stderr, "Error: failure allocating memory.\n");
 		return 1;
 	}
-	head->next = NULL;
-	head->path = NULL;
-	head->file_type = NULL;
-	head->context = NULL;
 
 	/* Parse the file into a file_context linked list. */
 	line_buf = NULL;
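
Review bot: the four removed assignments initialised only next, path, file_type and context, whereas calloc zeroes every field of file_context_node_t for the head node, so this hunk is a small behaviour change rather than a pure simplification and the commit message should say so. Writing the call as calloc(1, sizeof(*head)) without the cast is the usual C form and cannot drift from the variable's type.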
@@ -390,15 +386,13 @@ int main(int argc, char *argv[])
 			continue;
 
 		/* We have a valid line - allocate a new node. */
-		temp = (file_context_node_t *)malloc(sizeof(file_context_node_t));
+		temp = (file_context_node_t *)calloc(1, sizeof(file_context_node_t));
 		if (!temp) {
 			free(line_buf);
 			fprintf(stderr, "Error: failure allocating memory.\n");
 			fc_free_file_context_node_list(head);
 			return 1;
 		}
-		temp->next = NULL;
-		memset(temp, 0, sizeof(file_context_node_t));
 
 		/* Parse out the regular expression from the line. */
 		start = i;


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2019-03-26 10:17 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2019-03-26 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     6b260827b085206d6796b69a48f931ddb2c0c328
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Fri Mar 15 13:25:00 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b260827

genhomedircon.py: Fix top-level exception handling.

Fixes errors like this:

Traceback (most recent call last):
  File "support/genhomedircon.py", line 490, in <module>
    errorExit("Options Error " + error)
TypeError: Can't convert 'GetoptError' object to str implicitly

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 support/genhomedircon.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 6662f412..3503fb4a 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -486,9 +486,5 @@ try:
 	selconf=selinuxConfig(directory, setype, usepwd)
 	selconf.write()
 
-except getopt.error as error:
-	errorExit("Options Error " + error)
-except ValueError as error:
-	errorExit("ValueError " + error)
-except IndexError:
-	errorExit("IndexError")
+except Exception as error:
+	errorExit(error)
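
Review bot: "except Exception" replaces three specific handlers, so every failure inside the try block, programming errors included, now leaves through errorExit with no traceback and no indication of the exception type, and the "Options Error" / "ValueError" prefixes that told the user what went wrong are gone. errorExit(error) also hands over an exception object rather than a string, which only works if errorExit formats its argument instead of concatenating it, the same mistake the quoted TypeError came from. Keeping the getopt handler and passing something like "%s: %s" % (type(error).__name__, error) in the catch-all would retain the fix without losing the diagnostics.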


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2019-12-16 17:48 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2019-12-16 17:48 UTC (permalink / raw
  To: gentoo-commits

commit:     f88425ee9c7b0d1586d770c00bba35327fbb55da
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Oct  8 19:45:27 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f88425ee

fc_sort.py: Use "==" for comparing integers.

"is" is for testing two references are the same object.  The fact that this
worked is specific to the Python implementation.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/fc_sort.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/fc_sort.py b/support/fc_sort.py
index 9e38a9eb..3a35553b 100644
--- a/support/fc_sort.py
+++ b/support/fc_sort.py
@@ -108,7 +108,7 @@ class FileContext():
         return 0
 
     def __lt__(self, other):
-        return self._compare(self, other) is -1
+        return self._compare(self, other) == -1
 
     def __str__(self):
         if self.file_type:
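
Review bot: "== -1" in __lt__ is correct only while _compare returns exactly -1 for "less than"; "< 0" states the usual comparator contract and keeps working if _compare ever returns another negative value. The call self._compare(self, other) passes self explicitly, which is right only if _compare is a staticmethod or a plain function attribute, so a short comment or the decorator being visible next to it would help the next reader.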


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2019-12-16 17:48 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2019-12-16 17:48 UTC (permalink / raw
  To: gentoo-commits

commit:     ae2697a78299ab76d5efa932eb4e13ce6874965d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 23 15:12:53 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ae2697a7

Remove incorrect usages of "is" operator from Python scripts.

Closes #128

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 4 ++--
 support/sedoctool.py     | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 3503fb4a..a565af2a 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -46,10 +46,10 @@ EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
 
 # Python 2/3 wrapper
 def getstatusoutput_wrapper(cmd):
-    if sys.version_info.major is 2:
+    if sys.version_info.major == 2:
         import commands
         return commands.getstatusoutput(cmd)
-    elif sys.version_info.major is 3:
+    elif sys.version_info.major == 3:
         import subprocess
         return subprocess.getstatusoutput(cmd)
     else:

diff --git a/support/sedoctool.py b/support/sedoctool.py
index de848631..3fddc39a 100644
--- a/support/sedoctool.py
+++ b/support/sedoctool.py
@@ -266,7 +266,7 @@ def format_html_desc(node):
 	desc_buf = ''
 	for desc in node.childNodes:
 		if desc.nodeName == "#text":
-			if desc.data is not '':
+			if desc.data:
 				if desc.parentNode.nodeName != "p":
 					desc_buf += "<p>" + desc.data + "</p>"
 				else:
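
Review bot: "if desc.data:" fixes the identity comparison but still lets whitespace-only text nodes through, so indentation or a newline between elements is wrapped and emitted as a paragraph containing only whitespace. If the aim is to skip empty descriptions, "if desc.data.strip():" is the stricter test; if whitespace nodes are meant to be kept, a comment saying so would prevent someone tightening it later.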


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     607c61b089898d26c00af42a887cd1f24372be4d
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:25 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=607c61b0

genhomedircon: misc pylint cleanup

support/genhomedircon.py:297:5: R1714: Consider merging these comparisons with "in" to "o in ('--type', '-t')" (consider-using-in)
support/genhomedircon.py:299:5: R1714: Consider merging these comparisons with "in" to "o in ('--nopasswd', '-n')" (consider-using-in)
support/genhomedircon.py:301:5: R1714: Consider merging these comparisons with "in" to "o in ('--dir', '-d')" (consider-using-in)
support/genhomedircon.py:238:2: R1705: Unnecessary "else" after "return" (no-else-return)
support/genhomedircon.py:207:11: C0201: Consider iterating the dictionary directly instead of calling .keys() (consider-iterating-dictionary)
support/genhomedircon.py:146:2: R1705: Unnecessary "else" after "return" (no-else-return)
support/genhomedircon.py:144:1: R1710: Either all return statements in a function should return an expression, or none of them should. (inconsistent-return-statements)

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 0490f724..e4475f5c 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -143,10 +143,9 @@ class selinuxConfig:
 
 	def getHomeRootContext(self, homedir):
 		rc=getstatusoutput("grep HOME_ROOT  %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
-		if rc[0] == 0:
-			return rc[1]+"\n"
-		else:
-			errorExit("sed error " + rc[1])
+		if rc[0] != 0:
+			errorExit("sed error (" + str(rc[0]) + "): " + rc[1])
+		return rc[1]+"\n"
 
 	def getUsersFile(self):
 		return self.selinuxdir+self.setype+"/users/local.users"
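
Review bot: rc[0] in getHomeRootContext is the exit status of the last command in the pipeline, which is sed, so the new "!= 0" check does not notice grep failing: a template with no HOME_ROOT line, or one that cannot be read, still returns status 0 and the function returns an empty line. Because getstatusoutput merges stderr into the captured text, a grep error message would also be returned in rc[1] and end up in the generated file contexts. Reading the template in Python and doing the replacement with str.replace would remove both problems and the shell call.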
@@ -211,7 +210,7 @@ class selinuxConfig:
 		users = self.getUsers()
 		ret=""
 		# Fill in HOME and ROLE for users that are defined
-		for u in users.keys():
+		for u in users:
 			ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"], users[u]["name"], users[u]["uid"])
 		return ret+"\n"
 
@@ -244,8 +243,7 @@ class selinuxConfig:
 				break
 		if exists == 1:
 			return 1
-		else:
-			return 0
+		return 0
 
 
 	def getHomeDirs(self):
@@ -301,11 +299,11 @@ try:
 						'nopasswd',
 						'dir='])
 	for o,a in gopts:
-		if o == '--type' or o == "-t":
+		if o in ('--type', '-t'):
 			setype=a
-		if o == '--nopasswd'  or o == "-n":
+		if o in ('--nopasswd', '-n'):
 			usepwd=0
-		if o == '--dir'  or o == "-d":
+		if o in ('--dir', '-d'):
 			directory=a
 		if o == '--help':
 			usage()


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     d9f222e97e52817baf1340926455efed93113feb
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:21 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9f222e9

genhomedircon: drop unused functions

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 54745730..13e9c9e8 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -138,9 +138,6 @@ class selinuxConfig:
 	def getFileContextFile(self):
 		return self.getFileContextDir()+"/file_contexts"
 
-	def getContextDir(self):
-		return self.selinuxdir+self.setype+self.contextdir
-
 	def getHomeDirTemplate(self):
 		return self.getFileContextDir()+"/homedir_template"
 
@@ -271,9 +268,6 @@ class selinuxConfig:
 		ret += self.genHomeDirContext()
 		return ret
 
-	def printout(self):
-		print(self.genoutput())
-
 	def write(self):
 		try:
 			fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     b4d183812aec480eae859f4c32d20829a8ff53bf
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:23 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b4d18381

genhomedircon: generate file contexts for %{USERNAME} and %{USERID}

Generate substituted file contexts for templated paths containing
%{USERNAME} or %{USERID}, like semodules' genhomedircon.

Example:
  /run/user/%{USERID}  -d  gen_context(system_u:object_r:user_runtime_t,s0)
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 13e9c9e8..0490f724 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -168,7 +168,6 @@ class selinuxConfig:
 		if rc[0] == 0:
 			users+=rc[1]
 		udict = {}
-		prefs = {}
 		if users != "":
 			ulist = users.split("\n")
 			for u in ulist:
@@ -181,20 +180,31 @@ class selinuxConfig:
 					if role == "{":
 						role = user[4]
 					role = role.split("_r")[0]
-					home = pwd.getpwnam(user[1])[5]
+					pwdentry = pwd.getpwnam(user[1])
+					home = pwdentry[5]
 					if home == "/":
 						continue
 					prefs = {}
 					prefs["role"] = role
 					prefs["home"] = home
+					prefs["name"] = pwdentry[0]
+					prefs["uid"] = pwdentry[2]
 					udict[user[1]] = prefs
 				except KeyError:
 					sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
 		return udict
 
-	def getHomeDirContext(self, user, home, role):
-		ret="\n\n#\n# Context for user %s\n#\n\n" % user
-		rc=getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
+	def getHomeDirContext(self, seuser, home, role, username, userid):
+		ret = "\n\n#\n# Context for user %s\n#\n\n" % seuser
+		rc = getstatusoutput("grep -E '^HOME_DIR|%%{USERID}|%%{USERNAME}' %s | sed"
+			" -e 's|HOME_DIR|%s|'"
+			" -e 's|ROLE|%s|'"
+			" -e 's|system_u|%s|'"
+			" -e 's|%%{USERID}|%s|'"
+			" -e 's|%%{USERNAME}|%s|'"
+			% (self.getHomeDirTemplate(), home, role, seuser, userid, username))
+		if rc[0] != 0:
+			errorExit("sed error (" + str(rc[0]) + "): " + rc[1])
 		return ret + rc[1] + "\n"
 
 	def genHomeDirContext(self):
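
Review bot: getHomeDirContext interpolates home, role, seuser, userid and username straight into a shell command line and into single-quoted sed programs that use "|" as delimiter, with no escaping, so a passwd entry whose name or home directory contains a quote, "|", "&" or a backslash alters the sed program or the shell command instead of being substituted literally. Since pwdentry is already available in Python, the safer change is to read homedir_template once, select the lines starting with HOME_DIR or containing %{USERID} / %{USERNAME}, and apply the five replacements with str.replace, which also removes the dependence on how grep -E treats the unescaped "{" in the pattern. The new rc[0] check only reflects sed's exit status, not grep's.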
@@ -202,7 +212,7 @@ class selinuxConfig:
 		ret=""
 		# Fill in HOME and ROLE for users that are defined
 		for u in users.keys():
-			ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"])
+			ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"], users[u]["name"], users[u]["uid"])
 		return ret+"\n"
 
 	def checkExists(self, home):
@@ -263,7 +273,7 @@ class selinuxConfig:
 	def genoutput(self):
 		ret= self.heading()
 		for h in self.getHomeDirs():
-			ret += self.getHomeDirContext ("user_u" , h+'/[^/]+', "user")
+			ret += self.getHomeDirContext ("user_u" , h+'/[^/]+', "user", "[^/]+", "[0-9]+")
 			ret += self.getHomeRootContext(h)
 		ret += self.genHomeDirContext()
 		return ret


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     8f9a8d44ce4ec0d2229d5bd9363a56621416676c
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:18 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f9a8d44

genhomedircon: require match for home directory name

Use regular expression '/[^/]+' instead of '/[^/]*', like semodule's
genhomedircon.
Generates file contexts like '/home/[^/]+/dead\.letter'

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index e9d72067..54745730 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -266,7 +266,7 @@ class selinuxConfig:
 	def genoutput(self):
 		ret= self.heading()
 		for h in self.getHomeDirs():
-			ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
+			ret += self.getHomeDirContext ("user_u" , h+'/[^/]+', "user")
 			ret += self.getHomeRootContext(h)
 		ret += self.genHomeDirContext()
 		return ret


^ permalink raw reply related	[flat|nested] 34+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     16fa2fe4be80df6b61c0ecfa755ce7ad0ea9d358
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:27 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=16fa2fe4

genhomedircon: improve error messages for min uid search

Only grep if the files exist.
grep returns 1 on no match, check against 1 instead of 256.

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 56 +++++++++++++++++++++++++-----------------------
 1 file changed, 29 insertions(+), 27 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index e4475f5c..2721bd7d 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -40,7 +40,7 @@
 #  are always "real" (including root, in the default configuration).
 #
 
-import sys, pwd, getopt, re
+import sys, pwd, getopt, re, os
 from subprocess import getstatusoutput
 
 EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
@@ -71,32 +71,34 @@ def getStartingUID():
 
 def getDefaultHomeDir():
 	ret = []
-	rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-	if rc[0] == 0:
-		homedir = rc[1].split("=")[1]
-		homedir = homedir.split("#")[0]
-		homedir = homedir.strip()
-		if not homedir in ret:
-			ret.append(homedir)
-	else:
-		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
-		if rc[0] != 256:
-			sys.stderr.write("%s\n" % rc[1])
-			sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-			sys.stderr.flush()
-	rc=getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-	if rc[0] == 0:
-		homedir = rc[1].split("=")[1]
-		homedir = homedir.split("#")[0]
-		homedir = homedir.strip()
-		if not homedir in ret:
-			ret.append(homedir)
-	else:
-		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
-		if rc[0] != 256:
-			sys.stderr.write("%s\n" % rc[1])
-			sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
-			sys.stderr.flush()
+	if os.path.isfile('/etc/default/useradd'):
+		rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
+		if rc[0] == 0:
+			homedir = rc[1].split("=")[1]
+			homedir = homedir.split("#")[0]
+			homedir = homedir.strip()
+			if not homedir in ret:
+				ret.append(homedir)
+		else:
+			#rc[0] == 1 means the file was there, we read it, but the grep didn't match
+			if rc[0] != 1:
+				sys.stderr.write("(%d): %s\n" % (rc[0], rc[1]))
+				sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
+				sys.stderr.flush()
+	if os.path.isfile('/etc/libuser.conf'):
+		rc=getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
+		if rc[0] == 0:
+			homedir = rc[1].split("=")[1]
+			homedir = homedir.split("#")[0]
+			homedir = homedir.strip()
+			if not homedir in ret:
+				ret.append(homedir)
+		else:
+			#rc[0] == 1 means the file was there, we read it, but the grep didn't match
+			if rc[0] != 1:
+				sys.stderr.write("(%d): %s\n" % (rc[0], rc[1]))
+				sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
+				sys.stderr.flush()
 	if ret == []:
 		ret.append("/home")
 	return ret
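
Review bot: both new os.path.isfile() blocks still run grep -h '^HOME' (and '^LU_HOMEDIRECTORY') and then take rc[1].split("=")[1], which misparses as soon as grep returns more than one line (any other key that starts with HOME) and raises IndexError when the matched line has no "=". Anchoring the pattern as '^HOME=' would narrow the match. Since the file is now known to exist, opening it in Python and taking the first line that starts with the key would remove the shell call and the exit-status handling altogether. The "You do not have access to ..." text is printed for every status other than 0 and 1, so it would be more accurate as a generic grep failure message. The two blocks differ only in file name and key and could share one helper.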



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 34+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     c7d0c5c923977ecd27f6e3464d12b296151c17ad
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:11 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7d0c5c9

genhomedircon: drop backwards compatibility section

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 162 +----------------------------------------------
 1 file changed, 1 insertion(+), 161 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index bb4e5061..e9d72067 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -40,7 +40,7 @@
 #  are always "real" (including root, in the default configuration).
 #
 
-import sys, os, pwd, getopt, re
+import sys, pwd, getopt, re
 from subprocess import getstatusoutput
 
 EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
@@ -69,162 +69,6 @@ def getStartingUID():
 		starting_uid = 500
 	return starting_uid
 
-#############################################################################
-#
-# This section is just for backwards compatibility
-#
-#############################################################################
-def getPrefixes():
-	ulist = pwd.getpwall()
-	STARTING_UID=getStartingUID()
-	prefixes = {}
-	for u in ulist:
-		if u[2] >= STARTING_UID and \
-				not u[6] in EXCLUDE_LOGINS and \
-				u[5] != "/" and \
-				u[5].count("/") > 1:
-			prefix = u[5][:u[5].rfind("/")]
-			if not prefix in prefixes:
-				prefixes[prefix] = ""
-	return prefixes
-
-def getUsers(filecontextdir):
-	rc = getstatusoutput("grep ^user %s/users" % filecontextdir)
-	udict = {}
-	if rc[0] == 0:
-		ulist = rc[1].strip().split("\n")
-		for u in ulist:
-			user = u.split()
-			try:
-				if user[1] == "user_u" or user[1] == "system_u":
-					continue
-				# !!! chooses first role in the list to use in the file context !!!
-				role = user[3]
-				if role == "{":
-					role = user[4]
-				role = role.split("_r")[0]
-				home = pwd.getpwnam(user[1])[5]
-				if home == "/":
-					continue
-				prefs = {}
-				prefs["role"] = role
-				prefs["home"] = home
-				udict[user[1]] = prefs
-			except KeyError:
-				sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
-	return udict
-
-def update(filecontext, user, prefs):
-	rc=getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
-	if rc[0] == 0:
-		print(rc[1])
-	else:
-		errorExit("grep/sed error " + rc[1])
-	return rc
-
-def oldgenhomedircon(filecontextdir, filecontext):
-        sys.stderr.flush()
-
-        if os.path.isdir(filecontextdir) == 0:
-                sys.stderr.write("New usage is the following\n")
-                usage()
-        #We are going to define home directory used by libuser and show-utils as a home directory root
-        prefixes = {}
-        rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                if not homedir in prefixes:
-                        prefixes[homedir] = ""
-        else:
-                #rc[0] == 256 means the file was there, we read it, but the grep didn't match
-                if rc[0] != 256:
-                        sys.stderr.write("%s\n" % rc[1])
-                        sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-                        sys.stderr.flush()
-
-
-        rc=getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
-                if not homedir in prefixes:
-                        prefixes[homedir] = ""
-
-        #the idea is that we need to find all of the home_root_t directories we do this by just accepting
-        #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
-        #we then get the potential home directory roots from /etc/passwd or nis or wherever and look at
-        #the defined homedir for all users with UID > STARTING_UID.  This list of possible root homedirs
-        #is then checked to see if it has an explicit context defined in the file_contexts.  Explicit
-        #is any regex that would match it which does not end with .*$ or .+$ since those are general
-        #recursive matches.  We then take any regex which ends with [pattern](/.*)?$ and just check against
-        #[pattern]
-        potential_prefixes = getPrefixes()
-        prefix_regex = {}
-        #this works by grepping the file_contexts for
-        # 1. ^/ makes sure this is not a comment
-        # 2. prints only the regex in the first column first cut on \t then on space
-        rc=getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " %  (sys.argv[2]) )
-        if rc[0] == 0:
-                prefix_regex = rc[1].split("\n")
-        else:
-                sys.stderr.write("%s\n" % rc[1])
-                sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
-                sys.stderr.flush()
-        for potential in potential_prefixes.keys():
-                addme = 1
-                for regex in prefix_regex:
-                        #match a trailing (/*)? which is actually a bug in rpc_pipefs
-                        regex = re.sub(r"\(/\*\)\?$", "", regex)
-                        #match a trailing .+
-                        regex = re.sub(r"\.+$", "", regex)
-                        #match a trailing .*
-                        regex = re.sub(r"\.\*$", "", regex)
-                        #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-                        regex = re.sub(r"\(\/\.\*\)\?", "", regex)
-                        regex = regex + "/*$"
-                        if re.search(regex, potential, 0):
-                                addme = 0
-                if addme == 1:
-                        if not potential in prefixes:
-                                prefixes[potential] = ""
-
-
-        if prefixes.__eq__({}):
-                sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
-                sys.stderr.write("HOME= not set in /etc/default/useradd\n")
-                sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
-                sys.stderr.write("Assuming /home is the root of home directories\n")
-                sys.stderr.flush()
-                prefixes["/home"] = ""
-
-        # There may be a more elegant sed script to expand a macro to multiple lines, but this works
-        sed_root = "h; s|^HOME_ROOT|%s|" % (prefixes.keys() + "|; p; g; s|^HOME_ROOT|")
-        sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (prefixes.keys() + "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|")
-
-        # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
-        rc=getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
-        if rc[0] == 0:
-                print(rc[1])
-        else:
-                errorExit("sed error " + rc[1])
-
-        users = getUsers(filecontextdir)
-        print("\n#\n# User-specific file contexts\n#\n")
-
-        # Fill in HOME and ROLE for users that are defined
-        for u in users.keys():
-                update(filecontext, u, users[u])
-
-#############################################################################
-#
-# End of backwards compatibility section
-#
-#############################################################################
-
 def getDefaultHomeDir():
 	ret = []
 	rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
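
Review bot: the commit message gives no reason for dropping this section, and the removed lines supply two worth recording. The sed_root and sed_dir assignments concatenate prefixes.keys() with a string, which raises TypeError before sed is ever run, so oldgenhomedircon() could not have completed. getUsers() and update() also interpolate the file-context path, passwd home directory, role and user name into shell pipelines passed to getstatusoutput() without quoting. Suggest saying in the commit message that the legacy path was already non-functional and that its removal retires those shell calls.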
@@ -466,10 +310,6 @@ try:
 	if setype is None:
 		setype=getSELinuxType(directory)
 
-	if len(cmds) == 2:
-		oldgenhomedircon(cmds[0], cmds[1])
-		sys.exit(0)
-
 	if len(cmds) != 0:
 		usage()
 	selconf=selinuxConfig(directory, setype, usepwd)
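
Review bot: the removed len(cmds) == 2 branch was the only entry into the legacy mode, so any caller that still passes two positional arguments now falls through to the len(cmds) != 0 check and gets usage(). The commit message should state that the two-argument invocation is no longer accepted, and the build rules that call this script should be checked for that form before merging.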



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2023-02-13 15:35 Kenton Groombridge
  0 siblings, 0 replies; 34+ messages in thread
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
  To: gentoo-commits

commit:     5f5e11b22bbcecf05ef2f4b6d1aac6c624f6584e
Author:     Oleksii Miroshko <oleksii.miroshko <AT> bmw <DOT> de>
AuthorDate: Thu Dec 15 08:05:28 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:26 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f5e11b2

Fix templates parsing in gentemplates.sh

Template definitions might have a whitespace after
the comma, e.g. su_restricted_domain_template
in /policy/modules/admin/su.if

template(`su_restricted_domain_template', `
  ...
')

gentemplates.sh silently fails to parse it. This works
unless 'set -e' is set, in which case the script fails
non-silently.

This commit adds support of whitespace after comma, which
is a valid syntax.

Signed-off-by: Oleksii Miroshko <oleksii.miroshko <AT> bmw.de>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 support/gentemplates.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/gentemplates.sh b/support/gentemplates.sh
index 7f20505ee..f28debd3d 100755
--- a/support/gentemplates.sh
+++ b/support/gentemplates.sh
@@ -57,6 +57,6 @@ fi
 for ifile in $(find ${SOURCEDIR} -type f -name '*.if'); do
   for interface in $(grep -E '^template\(' ${ifile} | sed -e 's:^template(`\([^'\'']*\)'\''\s*,\s*`:\1:g'); do
     # Generate the interface
-    sed -n "/^template(\`${interface}',\`/,/^')/p" ${ifile} | grep -v "^template" | grep -v "^')" > ${TARGETDIR}/${interface}.iftemplate;
+    sed -n "/^template(\`${interface}',\s*\`/,/^')/p" ${ifile} | grep -v "^template" | grep -v "^')" > ${TARGETDIR}/${interface}.iftemplate;
   done
 done
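
Review bot: the new range address accepts whitespace only after the comma (',\s*), while the name-extraction sed on the context line above accepts it on both sides ('\s*,\s*), so a template written with a space before the comma is still listed by the outer loop and then silently produces an empty .iftemplate file. Suggest using the same \s*,\s* in the range address so the two patterns agree. \s is a GNU sed extension; [[:space:]]* would keep the script portable. ${interface} is also inserted into the regex unescaped and ${ifile} is unquoted, which is worth tightening while this line is being touched.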



* [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 34+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     83d40084db8ceeaa3225e915ea8d8e9ebfbe878e
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 16:12:56 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:33 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83d40084

support/genhomedircon: support usr prefixed paths

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 support/genhomedircon.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index 2721bd7df..d5177ee4a 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -43,7 +43,7 @@
 import sys, pwd, getopt, re, os
 from subprocess import getstatusoutput
 
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+EXCLUDE_LOGINS=["/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"]
 
 
 def getStartingUID():
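
Review bot: EXCLUDE_LOGINS remains a list of exact paths, so the change covers the /usr-prefixed locations named here but any further location of the same binaries will need another edit. Since os is already imported on the context line above, consider matching on the shell's basename (nologin, false) where the list is consulted, or add a comment next to the list stating that every install location has to be enumerated. The commit message would also benefit from one sentence saying which systems report the /usr paths in passwd.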

