policycoreutils/policycoreutils-sepolgen.patch

diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 649735f..cf13210 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -87,7 +87,7 @@ class AccessVector:
             self.perms = refpolicy.IdSet()
             self.audit_msgs = []
             self.type = audit2why.TERULE
-            self.bools = []
+            self.data = []
 
         # The direction of the information flow represented by this
         # access vector - used for matching
@@ -256,7 +256,7 @@ class AccessVectorSet:
         for av in l:
             self.add_av(AccessVector(av))
 
-    def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
+    def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
         """Add an access vector to the set.
         """
         tgt = self.src.setdefault(src_type, { })
@@ -269,7 +269,7 @@ class AccessVectorSet:
             access.src_type = src_type
             access.tgt_type = tgt_type
             access.obj_class = obj_class
-            access.bools = bools
+            access.data = data
             access.type = avc_type
             cls[obj_class, avc_type] = access
 
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index 9e2ccee..73c60f6 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -173,7 +173,6 @@ class AVCMessage(AuditMessage):
         self.accesses = []
         self.denial = True
         self.type = audit2why.TERULE
-        self.bools = []
 
     def __parse_access(self, recs, start):
         # This is kind of sucky - the access that is in a space separated
@@ -241,10 +240,12 @@ class AVCMessage(AuditMessage):
         tcontext = self.tcontext.to_string()
         scontext = self.scontext.to_string()
         access_tuple = tuple( self.accesses)
+        self.data = []
+
         if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
-            self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
+            self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
         else:
-            self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+            self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
             if self.type == audit2why.NOPOLICY:
                 self.type = audit2why.TERULE
             if self.type == audit2why.BADTCON:
@@ -258,7 +259,16 @@ class AVCMessage(AuditMessage):
             if self.type == audit2why.BADCOMPUTE:
                 raise ValueError("Error during access vector computation")
 
-            avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+            if self.type == audit2why.CONSTRAINT:
+                self.data = []
+                if self.scontext.user != self.tcontext.user:
+                    self.data.append("user")
+                if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
+                    self.data.append("role")
+                if self.scontext.level != self.tcontext.level:
+                    self.data.append("level")
+
+            avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
 
 class PolicyLoadMessage(AuditMessage):
     """Audit message indicating that the policy was reloaded."""
@@ -507,10 +517,10 @@ class AuditParser:
             if avc_filter:
                 if avc_filter.filter(avc):
                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
-                               avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+                               avc.accesses, avc, avc_type=avc.type, data=avc.data)
             else:
                 av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
-                           avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+                           avc.accesses, avc, avc_type=avc.type, data=avc.data)
         return av_set
 
 class AVCTypeFilter:
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
index 1a9a3e5..d56dd92 100644
--- a/sepolgen/src/sepolgen/matching.py
+++ b/sepolgen/src/sepolgen/matching.py
@@ -50,7 +50,7 @@ class Match:
                 return 1
 
 class MatchList:
-    DEFAULT_THRESHOLD = 120
+    DEFAULT_THRESHOLD = 150
     def __init__(self):
         # Match objects that pass the threshold
         self.children = []
@@ -63,14 +63,15 @@ class MatchList:
     def best(self):
         if len(self.children):
             return self.children[0]
-        else:
-            return None
+        if len(self.bastards):
+            return self.bastards[0]
+        return None
 
     def __len__(self):
         # Only return the length of the matches so
         # that this can be used to test if there is
         # a match.
-        return len(self.children)
+        return len(self.children) + len(self.bastards)
 
     def __iter__(self):
         return iter(self.children)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index c3d665c..cc9f8ea 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -166,14 +166,16 @@ class PolicyGenerator:
                 rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
 
             if av.type == audit2why.BOOLEAN:
-                if len(av.bools) > 1:
-                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.bools))
+                if len(av.data) > 1:
+                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.data))
                 else:
-                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
+                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
 
             if av.type == audit2why.CONSTRAINT:
                 rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
                 rule.comment += "#Constraint rule: "
+                for reason in av.data:
+                    rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
 
             try:
                 if ( av.type == audit2why.TERULE and
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..1399225 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -363,7 +363,10 @@ class Role(Leaf):
         self.types = IdSet()
 
     def to_string(self):
-        return "role %s types %s;" % (self.role, self.types.to_comma_str())
+        s = ""
+        for t in self.types:
+            s += "role %s types %s;\n" % (self.role, t)
+        return s
 
 class Type(Leaf):
     def __init__(self, name="", parent=None):
@@ -511,7 +514,10 @@ class RoleType(Leaf):
         self.types = IdSet()
 
     def to_string(self):
-        return "role %s types %s;" % (self.role, self.types.to_comma_str())
+        s = ""
+        for t in self.types:
+            s += "role %s types %s;\n" % (self.role, t)
+        return s
 
 class ModuleDeclaration(Leaf):
     def __init__(self, parent=None):
@@ -799,7 +805,7 @@ class Require(Leaf):
         self.types = IdSet()
         self.obj_classes = { }
         self.roles = IdSet()
-        self.bools = IdSet()
+        self.data = IdSet()
         self.users = IdSet()
 
     def add_obj_class(self, obj_class, perms):
@@ -816,7 +822,7 @@ class Require(Leaf):
             s.append("\tclass %s %s;" % (obj_class, perms.to_space_str()))
         for role in self.roles:
             s.append("\trole %s;" % role)
-        for bool in self.bools:
+        for bool in self.data:
             s.append("\tbool %s;" % bool)
         for user in self.users:
             s.append("\tuser %s;" % user)
userapps is generating sandbox code in polgengui 2012-07-19 17:21:49 +00:00			`diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py`
			`index 649735f..cf13210 100644`
			`--- a/sepolgen/src/sepolgen/access.py`
			`+++ b/sepolgen/src/sepolgen/access.py`
			`@@ -87,7 +87,7 @@ class AccessVector:`
			`self.perms = refpolicy.IdSet()`
			`self.audit_msgs = []`
			`self.type = audit2why.TERULE`
			`- self.bools = []`
			`+ self.data = []`

			`# The direction of the information flow represented by this`
			`# access vector - used for matching`
			`@@ -256,7 +256,7 @@ class AccessVectorSet:`
			`for av in l:`
			`self.add_av(AccessVector(av))`

			`- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):`
			`+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):`
			`"""Add an access vector to the set.`
			`"""`
			`tgt = self.src.setdefault(src_type, { })`
			`@@ -269,7 +269,7 @@ class AccessVectorSet:`
			`access.src_type = src_type`
			`access.tgt_type = tgt_type`
			`access.obj_class = obj_class`
			`- access.bools = bools`
			`+ access.data = data`
			`access.type = avc_type`
			`cls[obj_class, avc_type] = access`

			`diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py`
			`index 9e2ccee..73c60f6 100644`
			`--- a/sepolgen/src/sepolgen/audit.py`
			`+++ b/sepolgen/src/sepolgen/audit.py`
			`@@ -173,7 +173,6 @@ class AVCMessage(AuditMessage):`
			`self.accesses = []`
			`self.denial = True`
			`self.type = audit2why.TERULE`
			`- self.bools = []`

			`def __parse_access(self, recs, start):`
			`# This is kind of sucky - the access that is in a space separated`
			`@@ -241,10 +240,12 @@ class AVCMessage(AuditMessage):`
			`tcontext = self.tcontext.to_string()`
			`scontext = self.scontext.to_string()`
			`access_tuple = tuple( self.accesses)`
			`+ self.data = []`
			`+`
			`if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():`
			`- self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]`
			`+ self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)]`
			`else:`
			`- self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);`
			`+ self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);`
			`if self.type == audit2why.NOPOLICY:`
			`self.type = audit2why.TERULE`
			`if self.type == audit2why.BADTCON:`
			`@@ -258,7 +259,16 @@ class AVCMessage(AuditMessage):`
			`if self.type == audit2why.BADCOMPUTE:`
			`raise ValueError("Error during access vector computation")`

			`- avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)`
			`+ if self.type == audit2why.CONSTRAINT:`
			`+ self.data = []`
			`+ if self.scontext.user != self.tcontext.user:`
			`+ self.data.append("user")`
			`+ if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":`
			`+ self.data.append("role")`
			`+ if self.scontext.level != self.tcontext.level:`
			`+ self.data.append("level")`
			`+`
			`+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)`

			`class PolicyLoadMessage(AuditMessage):`
			`"""Audit message indicating that the policy was reloaded."""`
			`@@ -507,10 +517,10 @@ class AuditParser:`
			`if avc_filter:`
			`if avc_filter.filter(avc):`
			`av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,`
			`- avc.accesses, avc, avc_type=avc.type, bools=avc.bools)`
			`+ avc.accesses, avc, avc_type=avc.type, data=avc.data)`
			`else:`
			`av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,`
			`- avc.accesses, avc, avc_type=avc.type, bools=avc.bools)`
			`+ avc.accesses, avc, avc_type=avc.type, data=avc.data)`
			`return av_set`

			`class AVCTypeFilter:`
Update to upstream * policycoreutils * setfiles: Fix process_glob to handle error situations * sandbox: Allow seunshare to run as root * sandbox: trap sigterm to make sure sandbox * sandbox: pass DPI from the desktop * sandbox: seunshare: introduce helper spawn_command * sandbox: seunshare: introduce new filesystem helpers * sandbox: add -C option to not drop * sandbox: split seunshare caps dropping * sandbox: use dbus-launch * sandbox: numerous simple updates to sandbox * sandbox: do not require selinux context * sandbox: Makefile: new man pages * sandbox: rename dir to srcdir * sandbox: allow users specify sandbox window size * sandbox: check for paths up front * sandbox: use defined values for paths rather * sandbox: move seunshare globals to the top * sandbox: whitespace fix * semodule_package: Add semodule_unpackage executable * setfiles: get rid of some stupid globals * setfiles: move exclude_non_seclabel_mounts to a generic location * sepolgen * refparser: include open among valid permissions * refparser: add support for filename_trans rules 2011-08-30 20:32:33 +00:00			`diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py`
			`index 1a9a3e5..d56dd92 100644`
			`--- a/sepolgen/src/sepolgen/matching.py`
			`+++ b/sepolgen/src/sepolgen/matching.py`
Fix var_spool template read_spool_files Fix sepolgen to handle filename transitions 2011-05-25 20:20:29 +00:00			`@@ -50,7 +50,7 @@ class Match:`
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24 - Man page fixes - sandbox fixes Resolves: #595796 - Move seunshare to base package 2010-05-27 21:23:08 +00:00			`return 1`

			`class MatchList:`
			`- DEFAULT_THRESHOLD = 120`
			`+ DEFAULT_THRESHOLD = 150`
			`def __init__(self):`
			`# Match objects that pass the threshold`
			`self.children = []`
Fix var_spool template read_spool_files Fix sepolgen to handle filename transitions 2011-05-25 20:20:29 +00:00			`@@ -63,14 +63,15 @@ class MatchList:`
* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24 - Man page fixes - sandbox fixes Resolves: #595796 - Move seunshare to base package 2010-05-27 21:23:08 +00:00			`def best(self):`
			`if len(self.children):`
			`return self.children[0]`
			`- else:`
			`- return None`
			`+ if len(self.bastards):`
			`+ return self.bastards[0]`
			`+ return None`

			`def __len__(self):`
			`# Only return the length of the matches so`
			`# that this can be used to test if there is`
			`# a match.`
			`- return len(self.children)`
			`+ return len(self.children) + len(self.bastards)`

			`def __iter__(self):`
			`return iter(self.children)`
userapps is generating sandbox code in polgengui 2012-07-19 17:21:49 +00:00			`diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py`
			`index c3d665c..cc9f8ea 100644`
			`--- a/sepolgen/src/sepolgen/policygen.py`
			`+++ b/sepolgen/src/sepolgen/policygen.py`
			`@@ -166,14 +166,16 @@ class PolicyGenerator:`
			`rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"`

			`if av.type == audit2why.BOOLEAN:`
			`- if len(av.bools) > 1:`
			`- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools))`
			`+ if len(av.data) > 1:`
			`+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))`
			`else:`
			`- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]`
			`+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]`

			`if av.type == audit2why.CONSTRAINT:`
			`rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"`
			`rule.comment += "#Constraint rule: "`
			`+ for reason in av.data:`
			`+ rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason`

			`try:`
			`if ( av.type == audit2why.TERULE and`
			`diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py`
Fix sepolgen/audit2allow to handle multiple role/types in avc messages properly 2012-07-27 13:42:59 +00:00			`index b138e3d..1399225 100644`
userapps is generating sandbox code in polgengui 2012-07-19 17:21:49 +00:00			`--- a/sepolgen/src/sepolgen/refpolicy.py`
			`+++ b/sepolgen/src/sepolgen/refpolicy.py`
Fix sepolgen/audit2allow to handle multiple role/types in avc messages properly 2012-07-27 13:42:59 +00:00			`@@ -363,7 +363,10 @@ class Role(Leaf):`
			`self.types = IdSet()`

			`def to_string(self):`
			`- return "role %s types %s;" % (self.role, self.types.to_comma_str())`
			`+ s = ""`
			`+ for t in self.types:`
			`+ s += "role %s types %s;\n" % (self.role, t)`
			`+ return s`

			`class Type(Leaf):`
			`def __init__(self, name="", parent=None):`
			`@@ -511,7 +514,10 @@ class RoleType(Leaf):`
			`self.types = IdSet()`

			`def to_string(self):`
			`- return "role %s types %s;" % (self.role, self.types.to_comma_str())`
			`+ s = ""`
			`+ for t in self.types:`
			`+ s += "role %s types %s;\n" % (self.role, t)`
			`+ return s`

			`class ModuleDeclaration(Leaf):`
			`def __init__(self, parent=None):`
			`@@ -799,7 +805,7 @@ class Require(Leaf):`
userapps is generating sandbox code in polgengui 2012-07-19 17:21:49 +00:00			`self.types = IdSet()`
			`self.obj_classes = { }`
			`self.roles = IdSet()`
			`- self.bools = IdSet()`
			`+ self.data = IdSet()`
			`self.users = IdSet()`

			`def add_obj_class(self, obj_class, perms):`
Fix sepolgen/audit2allow to handle multiple role/types in avc messages properly 2012-07-27 13:42:59 +00:00			`@@ -816,7 +822,7 @@ class Require(Leaf):`
userapps is generating sandbox code in polgengui 2012-07-19 17:21:49 +00:00			`s.append("\tclass %s %s;" % (obj_class, perms.to_space_str()))`
			`for role in self.roles:`
			`s.append("\trole %s;" % role)`
			`- for bool in self.bools:`
			`+ for bool in self.data:`
			`s.append("\tbool %s;" % bool)`
			`for user in self.users:`
			`s.append("\tuser %s;" % user)`