policycoreutils/policycoreutils-sepolgen.patch

192 lines
8.1 KiB
Diff
Raw Normal View History

diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 649735f..cf13210 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -87,7 +87,7 @@ class AccessVector:
self.perms = refpolicy.IdSet()
self.audit_msgs = []
self.type = audit2why.TERULE
- self.bools = []
+ self.data = []
# The direction of the information flow represented by this
# access vector - used for matching
@@ -256,7 +256,7 @@ class AccessVectorSet:
for av in l:
self.add_av(AccessVector(av))
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
"""Add an access vector to the set.
"""
tgt = self.src.setdefault(src_type, { })
@@ -269,7 +269,7 @@ class AccessVectorSet:
access.src_type = src_type
access.tgt_type = tgt_type
access.obj_class = obj_class
- access.bools = bools
+ access.data = data
access.type = avc_type
cls[obj_class, avc_type] = access
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index 9e2ccee..73c60f6 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -173,7 +173,6 @@ class AVCMessage(AuditMessage):
self.accesses = []
self.denial = True
self.type = audit2why.TERULE
- self.bools = []
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
@@ -241,10 +240,12 @@ class AVCMessage(AuditMessage):
tcontext = self.tcontext.to_string()
scontext = self.scontext.to_string()
access_tuple = tuple( self.accesses)
+ self.data = []
+
if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
- self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
+ self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
else:
- self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
if self.type == audit2why.NOPOLICY:
self.type = audit2why.TERULE
if self.type == audit2why.BADTCON:
@@ -258,7 +259,16 @@ class AVCMessage(AuditMessage):
if self.type == audit2why.BADCOMPUTE:
raise ValueError("Error during access vector computation")
- avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+ if self.type == audit2why.CONSTRAINT:
+ self.data = []
+ if self.scontext.user != self.tcontext.user:
+ self.data.append("user")
+ if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
+ self.data.append("role")
+ if self.scontext.level != self.tcontext.level:
+ self.data.append("level")
+
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
@@ -507,10 +517,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+ avc.accesses, avc, avc_type=avc.type, data=avc.data)
else:
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+ avc.accesses, avc, avc_type=avc.type, data=avc.data)
return av_set
class AVCTypeFilter:
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
index 1a9a3e5..d56dd92 100644
--- a/sepolgen/src/sepolgen/matching.py
+++ b/sepolgen/src/sepolgen/matching.py
@@ -50,7 +50,7 @@ class Match:
return 1
class MatchList:
- DEFAULT_THRESHOLD = 120
+ DEFAULT_THRESHOLD = 150
def __init__(self):
# Match objects that pass the threshold
self.children = []
@@ -63,14 +63,15 @@ class MatchList:
def best(self):
if len(self.children):
return self.children[0]
- else:
- return None
+ if len(self.bastards):
+ return self.bastards[0]
+ return None
def __len__(self):
# Only return the length of the matches so
# that this can be used to test if there is
# a match.
- return len(self.children)
+ return len(self.children) + len(self.bastards)
def __iter__(self):
return iter(self.children)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index c3d665c..cc9f8ea 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -166,14 +166,16 @@ class PolicyGenerator:
rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
if av.type == audit2why.BOOLEAN:
- if len(av.bools) > 1:
- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools))
+ if len(av.data) > 1:
+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
else:
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
if av.type == audit2why.CONSTRAINT:
rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
rule.comment += "#Constraint rule: "
+ for reason in av.data:
+ rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
try:
if ( av.type == audit2why.TERULE and
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..1399225 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -363,7 +363,10 @@ class Role(Leaf):
self.types = IdSet()
def to_string(self):
- return "role %s types %s;" % (self.role, self.types.to_comma_str())
+ s = ""
+ for t in self.types:
+ s += "role %s types %s;\n" % (self.role, t)
+ return s
class Type(Leaf):
def __init__(self, name="", parent=None):
@@ -511,7 +514,10 @@ class RoleType(Leaf):
self.types = IdSet()
def to_string(self):
- return "role %s types %s;" % (self.role, self.types.to_comma_str())
+ s = ""
+ for t in self.types:
+ s += "role %s types %s;\n" % (self.role, t)
+ return s
class ModuleDeclaration(Leaf):
def __init__(self, parent=None):
@@ -799,7 +805,7 @@ class Require(Leaf):
self.types = IdSet()
self.obj_classes = { }
self.roles = IdSet()
- self.bools = IdSet()
+ self.data = IdSet()
self.users = IdSet()
def add_obj_class(self, obj_class, perms):
@@ -816,7 +822,7 @@ class Require(Leaf):
s.append("\tclass %s %s;" % (obj_class, perms.to_space_str()))
for role in self.roles:
s.append("\trole %s;" % role)
- for bool in self.bools:
+ for bool in self.data:
s.append("\tbool %s;" % bool)
for user in self.users:
s.append("\tuser %s;" % user)