2011-08-30 20:32:33 +00:00
|
|
|
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
|
|
|
|
|
index 1a9a3e5..d56dd92 100644
|
|
|
|
|
--- a/sepolgen/src/sepolgen/matching.py
|
|
|
|
|
+++ b/sepolgen/src/sepolgen/matching.py
|
2011-05-25 20:20:29 +00:00
|
|
|
@@ -50,7 +50,7 @@ class Match:
|
2010-05-27 21:23:08 +00:00
|
|
|
return 1
|
|
|
|
|
|
|
|
|
|
class MatchList:
|
|
|
|
|
- DEFAULT_THRESHOLD = 120
|
|
|
|
|
+ DEFAULT_THRESHOLD = 150
|
|
|
|
|
def __init__(self):
|
|
|
|
|
# Match objects that pass the threshold
|
|
|
|
|
self.children = []
|
2011-05-25 20:20:29 +00:00
|
|
|
@@ -63,14 +63,15 @@ class MatchList:
|
2010-05-27 21:23:08 +00:00
|
|
|
def best(self):
|
|
|
|
|
if len(self.children):
|
|
|
|
|
return self.children[0]
|
|
|
|
|
- else:
|
|
|
|
|
- return None
|
|
|
|
|
+ if len(self.bastards):
|
|
|
|
|
+ return self.bastards[0]
|
|
|
|
|
+ return None
|
|
|
|
|
|
|
|
|
|
def __len__(self):
|
|
|
|
|
# Only return the length of the matches so
|
|
|
|
|
# that this can be used to test if there is
|
|
|
|
|
# a match.
|
|
|
|
|
- return len(self.children)
|
|
|
|
|
+ return len(self.children) + len(self.bastards)
|
|
|
|
|
|
|
|
|
|
def __iter__(self):
|
|
|
|
|
return iter(self.children)
|
2012-03-30 19:18:42 +00:00
|
|
|
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
|
|
|
|
|
index 4882999..9dc2d32 100644
|
|
|
|
|
--- a/sepolgen/src/sepolgen/policygen.py
|
|
|
|
|
+++ b/sepolgen/src/sepolgen/policygen.py
|
|
|
|
|
@@ -30,7 +30,11 @@ import access
|
|
|
|
|
import interfaces
|
|
|
|
|
import matching
|
|
|
|
|
import selinux.audit2why as audit2why
|
|
|
|
|
-from setools import *
|
|
|
|
|
+try:
|
|
|
|
|
+ from setools import *
|
|
|
|
|
+ alldomains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
|
|
|
|
|
+except:
|
|
|
|
|
+ pass
|
|
|
|
|
|
|
|
|
|
# Constants for the level of explanation from the generation
|
|
|
|
|
# routines
|
|
|
|
|
@@ -79,7 +83,6 @@ class PolicyGenerator:
|
|
|
|
|
|
|
|
|
|
self.dontaudit = False
|
2012-02-01 13:44:52 +00:00
|
|
|
|
2012-03-30 19:18:42 +00:00
|
|
|
- self.domains = None
|
|
|
|
|
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
|
|
|
|
"""Set whether reference policy interfaces are generated.
|
2012-02-01 13:44:52 +00:00
|
|
|
|
2012-03-30 19:18:42 +00:00
|
|
|
@@ -175,13 +178,11 @@ class PolicyGenerator:
|
|
|
|
|
if av.type == audit2why.TERULE:
|
|
|
|
|
if "write" in av.perms:
|
|
|
|
|
if "dir" in av.obj_class or "open" in av.perms:
|
|
|
|
|
- if not self.domains:
|
|
|
|
|
- self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
|
|
|
|
|
types=[]
|
2012-02-01 13:44:52 +00:00
|
|
|
|
2012-03-30 19:18:42 +00:00
|
|
|
try:
|
|
|
|
|
for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
|
|
|
|
|
- if i not in self.domains:
|
|
|
|
|
+ if i not in alldomains:
|
|
|
|
|
types.append(i)
|
|
|
|
|
if len(types) == 1:
|
|
|
|
|
rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
2012-04-03 22:58:26 +00:00
|
|
|
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
|
|
|
|
|
index 9a79340..a4adbd8 100644
|
|
|
|
|
--- a/sepolgen/src/sepolgen/refparser.py
|
|
|
|
|
+++ b/sepolgen/src/sepolgen/refparser.py
|
|
|
|
|
@@ -245,7 +245,7 @@ def t_refpolicywarn(t):
|
|
|
|
|
t.lexer.lineno += 1
|
|
|
|
|
|
|
|
|
|
def t_IDENTIFIER(t):
|
|
|
|
|
- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"~]*'
|
|
|
|
|
+ r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
|
|
|
|
|
# Handle any keywords
|
|
|
|
|
t.type = reserved.get(t.value,'IDENTIFIER')
|
|
|
|
|
return t
|
