policycoreutils/policycoreutils-sepolgen.patch

diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py	2007-09-13 08:21:11.000000000 -0400
+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py	2007-12-21 02:10:43.000000000 -0500
@@ -32,7 +32,7 @@
        string contain all of the audit messages returned by ausearch.
     """
     import subprocess
-    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START"],
+    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
                               stdout=subprocess.PIPE).communicate()[0]
     return output
 
@@ -251,7 +251,9 @@
             self.type = refpolicy.SecurityContext(dict["tcontext"]).type
         except:
             raise ValueError("Split string does not represent a valid compute sid message")
-
+    def output(self):
+        return "role %s types %s;\n" % (self.role, self.type)
+        
 # Parser for audit messages
 
 class AuditParser:
@@ -402,6 +404,26 @@
             self.__parse(l)
         self.__post_process()
 
+    def to_role(self, role_filter=None):
+        """Return list of SELINUX_ERR messages matching the specified filter
+
+        Filter out types that match the filer, or all roles
+
+        Params:
+           role_filter - [optional] Filter object used to filter the
+              output.
+        Returns:
+           Access vector set representing the denied access in the
+           audit logs parsed by this object.
+        """
+        roles = []
+        if role_filter:
+            for selinux_err in self.compute_sid_msgs:
+                if role_filter.filter(selinux_err):
+                    roles.append(selinux_err)
+            return roles
+        return self.compute_sid_msgs
+
     def to_access(self, avc_filter=None, only_denials=True):
         """Convert the audit logs access into a an access vector set.
 
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py	2007-09-13 08:21:11.000000000 -0400
+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py	2007-12-20 14:20:49.000000000 -0500
@@ -118,6 +118,7 @@
     'TEMPLATE',
     'GEN_CONTEXT',
     #   m4
+    'IFELSE',
     'IFDEF',
     'IFNDEF',
     'DEFINE'
@@ -174,6 +175,7 @@
     'template' : 'TEMPLATE',
     'gen_context' : 'GEN_CONTEXT',
     # M4
+    'ifelse' : 'IFELSE',
     'ifndef' : 'IFNDEF',
     'ifdef' : 'IFDEF',
     'define' : 'DEFINE'
@@ -220,6 +222,12 @@
     # Ignore all comments
     t.lexer.lineno += 1
 
+def t_refpolicywarn1(t):
+    r'define.*refpolicywarn\(.*\n'
+    # Ignore refpolicywarn statements - they sometimes
+    # contain text that we can't parse.
+    t.skip(1)
+
 def t_refpolicywarn(t):
     r'refpolicywarn\(.*\n'
     # Ignore refpolicywarn statements - they sometimes
@@ -258,10 +266,12 @@
 m = None
 #   error is either None (indicating no error) or a string error message.
 error = None
+parse_file = ""
 #   spt is the support macros (e.g., obj/perm sets) - it is an instance of
 #     refpolicy.SupportMacros and should always be present during parsing
 #     though it may not contain any macros.
 spt = None
+success=True
 
 # utilities
 def collect(stmts, parent, val=None):
@@ -382,6 +392,19 @@
         collect(p[12], x, val=False)
     p[0] = [x]
 
+def p_ifelse(p):
+    '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+              | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+    '''
+#    x = refpolicy.IfDef(p[4])
+#    v = True
+#    collect(p[8], x, val=v)
+#    if len(p) > 12:
+#        collect(p[12], x, val=False)
+#    p[0] = [x]
+    pass
+
+
 def p_ifdef(p):
     '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
              | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
@@ -446,6 +469,7 @@
               | optional_policy
               | tunable_policy
               | ifdef
+              | ifelse
               | conditional
     '''
     p[0] = p[1]
@@ -844,8 +868,11 @@
 
 def p_error(tok):
     global error
-    error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
+    global parse_file
+    global success
+    error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
     print error
+    success = False
 
 def prep_spt(spt):
     if not spt:
@@ -892,7 +919,7 @@
 def list_headers(root):
     modules = []
     support_macros = None
-    blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
+    blacklist = ["uml.if", "thunderbird.if"]
 
     for dirpath, dirnames, filenames in os.walk(root):
         for name in filenames:
@@ -941,12 +968,14 @@
             output.write(msg)
 
     def parse_file(f, module, spt=None):
+        global parse_file
         if debug:
             o("parsing file %s\n" % f)
         try:
             fd = open(f)
             txt = fd.read()
             fd.close()
+            parse_file = f
             parse(txt, module, spt, debug)
         except IOError, e:
             return
* Fri Dec 21 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-3 - Catch SELINUX_ERR with audit2allow and generate policy 2007-12-21 07:14:11 +00:00			`diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py`
			`--- nsasepolgen/src/sepolgen/audit.py 2007-09-13 08:21:11.000000000 -0400`
			`+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py 2007-12-21 02:10:43.000000000 -0500`
			`@@ -32,7 +32,7 @@`
			`string contain all of the audit messages returned by ausearch.`
			`"""`
			`import subprocess`
			`- output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START"],`
			`+ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],`
			`stdout=subprocess.PIPE).communicate()[0]`
			`return output`

			`@@ -251,7 +251,9 @@`
			`self.type = refpolicy.SecurityContext(dict["tcontext"]).type`
			`except:`
			`raise ValueError("Split string does not represent a valid compute sid message")`
			`-`
			`+ def output(self):`
			`+ return "role %s types %s;\n" % (self.role, self.type)`
			`+`
			`# Parser for audit messages`

			`class AuditParser:`
			`@@ -402,6 +404,26 @@`
			`self.__parse(l)`
			`self.__post_process()`

			`+ def to_role(self, role_filter=None):`
			`+ """Return list of SELINUX_ERR messages matching the specified filter`
			`+`
			`+ Filter out types that match the filer, or all roles`
			`+`
			`+ Params:`
			`+ role_filter - [optional] Filter object used to filter the`
			`+ output.`
			`+ Returns:`
			`+ Access vector set representing the denied access in the`
			`+ audit logs parsed by this object.`
			`+ """`
			`+ roles = []`
			`+ if role_filter:`
			`+ for selinux_err in self.compute_sid_msgs:`
			`+ if role_filter.filter(selinux_err):`
			`+ roles.append(selinux_err)`
			`+ return roles`
			`+ return self.compute_sid_msgs`
			`+`
			`def to_access(self, avc_filter=None, only_denials=True):`
			`"""Convert the audit logs access into a an access vector set.`

* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-1 - Update to upstream * Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 17:55:58 +00:00			`diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`--- nsasepolgen/src/sepolgen/refparser.py 2007-09-13 08:21:11.000000000 -0400`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-20 14:20:49.000000000 -0500`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`@@ -118,6 +118,7 @@`
			`'TEMPLATE',`
			`'GEN_CONTEXT',`
			`# m4`
			`+ 'IFELSE',`
			`'IFDEF',`
			`'IFNDEF',`
			`'DEFINE'`
			`@@ -174,6 +175,7 @@`
			`'template' : 'TEMPLATE',`
			`'gen_context' : 'GEN_CONTEXT',`
			`# M4`
			`+ 'ifelse' : 'IFELSE',`
			`'ifndef' : 'IFNDEF',`
			`'ifdef' : 'IFDEF',`
			`'define' : 'DEFINE'`
			`@@ -220,6 +222,12 @@`
			`# Ignore all comments`
			`t.lexer.lineno += 1`

			`+def t_refpolicywarn1(t):`
			`+ r'define.refpolicywarn\(.\n'`
			`+ # Ignore refpolicywarn statements - they sometimes`
			`+ # contain text that we can't parse.`
			`+ t.skip(1)`
			`+`
			`def t_refpolicywarn(t):`
			`r'refpolicywarn\(.*\n'`
			`# Ignore refpolicywarn statements - they sometimes`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`@@ -258,10 +266,12 @@`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`m = None`
			`# error is either None (indicating no error) or a string error message.`
			`error = None`
			`+parse_file = ""`
			`# spt is the support macros (e.g., obj/perm sets) - it is an instance of`
			`# refpolicy.SupportMacros and should always be present during parsing`
			`# though it may not contain any macros.`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`spt = None`
			`+success=True`

			`# utilities`
			`def collect(stmts, parent, val=None):`
			`@@ -382,6 +392,19 @@`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`collect(p[12], x, val=False)`
			`p[0] = [x]`

			`+def p_ifelse(p):`
			`+ '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi`
			`+ \| IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi`
			`+ '''`
			`+# x = refpolicy.IfDef(p[4])`
			`+# v = True`
			`+# collect(p[8], x, val=v)`
			`+# if len(p) > 12:`
			`+# collect(p[12], x, val=False)`
			`+# p[0] = [x]`
			`+ pass`
			`+`
			`+`
			`def p_ifdef(p):`
			`'''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi`
			`\| IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`@@ -446,6 +469,7 @@`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`\| optional_policy`
			`\| tunable_policy`
			`\| ifdef`
			`+ \| ifelse`
			`\| conditional`
			`'''`
			`p[0] = p[1]`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`@@ -844,8 +868,11 @@`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00
			`def p_error(tok):`
			`global error`
			`- error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)`
			`+ global parse_file`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`+ global success`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`+ error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)`
			`print error`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`+ success = False`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00
			`def prep_spt(spt):`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`if not spt:`
			`@@ -892,7 +919,7 @@`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`def list_headers(root):`
			`modules = []`
			`support_macros = None`
			`- blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]`
			`+ blacklist = ["uml.if", "thunderbird.if"]`

			`for dirpath, dirnames, filenames in os.walk(root):`
			`for name in filenames:`
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis 2007-12-20 19:24:11 +00:00			`@@ -941,12 +968,14 @@`
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define Add init.if and inetd.if into parse Add parse_file to syntax error message 2007-12-19 10:40:23 +00:00			`output.write(msg)`

			`def parse_file(f, module, spt=None):`
			`+ global parse_file`
			`if debug:`
			`o("parsing file %s\n" % f)`
			`try:`
			`fd = open(f)`
			`txt = fd.read()`
			`fd.close()`
			`+ parse_file = f`
			`parse(txt, module, spt, debug)`
			`except IOError, e:`
			`return`