rpms
/
policycoreutils
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

* Wed Sep 4 2007 Dan Walsh <dwalsh@redhat.com> 2.0.25-9 

- Bump libsemanage version for disable dontaudit
- New gui features for creating admin users
This commit is contained in:
Daniel J Walsh 2007-09-06 12:25:31 +00:00
parent 7683888461
commit 35a05d0eef
2 changed files with 159 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

206
policycoreutils-gui.patch
View File

@ -914,8 +914,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.25/gui/polgen.glade
--- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/polgen.glade 2007-08-31 15:06:49.000000000 -0400
@@ -0,0 +1,2313 @@
+++ policycoreutils-2.0.25/gui/polgen.glade 2007-09-05 22:33:12.000000000 -0400
@@ -0,0 +1,2312 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
+
@ -1028,8 +1028,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+ <child>
+ <widget class="GtkNotebook" id="notebook1">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="show_tabs">True</property>
+ <property name="show_tabs">False</property>
+ <property name="show_border">True</property>
+ <property name="tab_pos">GTK_POS_TOP</property>
+ <property name="scrollable">False</property>
@ -3231,8 +3230,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+</glade-interface>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.25/gui/polgengui.py
--- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/polgengui.py 2007-08-31 15:06:45.000000000 -0400
@@ -0,0 +1,444 @@
+++ policycoreutils-2.0.25/gui/polgengui.py 2007-09-05 22:33:06.000000000 -0400
@@ -0,0 +1,432 @@
+#!/usr/bin/python
+#
+# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
@ -3265,8 +3264,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+import gnome
+import sys
+import polgen
+import sepolgen.interfaces as interfaces
+import sepolgen.defaults as defaults
+import re
+
+##
@ -3305,13 +3302,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+else:
+ xml = gtk.glade.XML ("/usr/share/system-config-selinux/polgen.glade", domain=PROGNAME)
+
+fn = defaults.interface_info()
+try:
+ fd = open(fn)
+except:
+ sys.stderr.write("could not open interface info [%s]\n" % fn)
+ sys.exit(1)
+
+FILE = 1
+DIR = 2
+
@ -3400,11 +3390,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+ col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0)
+ self.admin_treeview.append_column(col)
+
+ # List of per_role_template interfaces
+ ifs = interfaces.InterfaceSet()
+ ifs.from_file(fd)
+ fd.close()
+ for i in ifs.interfaces.keys():
+ for i in polgen.methods:
+ print i
+ m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i)
+ if len(m) > 0:
+ iter = self.transition_store.append()
@ -3442,7 +3429,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+ self.forward_button.set_label(gtk.STOCK_APPLY)
+
+ def back(self,arg):
+ type = self.confine_application()
+ type = self.get_type()
+ if self.pages[type][self.current_page] == self.FINISH_PAGE:
+ self.forward_button.set_label(gtk.STOCK_GO_FORWARD)
+
@ -3679,8 +3666,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.25/gui/polgen.py
--- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/polgen.py 2007-08-31 15:06:41.000000000 -0400
@@ -0,0 +1,656 @@
+++ policycoreutils-2.0.25/gui/polgen.py 2007-09-05 22:26:53.000000000 -0400
@@ -0,0 +1,715 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -3715,6 +3702,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+from templates import script
+from templates import user
+import seobject
+import sepolgen.interfaces as interfaces
+import sepolgen.defaults as defaults
+
+##
+## I18N
@ -3733,6 +3722,20 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+methods = []
+fn = defaults.interface_info()
+try:
+ fd = open(fn)
+ # List of per_role_template interfaces
+ ifs = interfaces.InterfaceSet()
+ ifs.from_file(fd)
+ fd.close()
+ methods = ifs.interfaces.keys()
+except:
+ sys.stderr.write("could not open interface info [%s]\n" % fn)
+ sys.exit(1)
+
+
+ALL = 0
+RESERVED = 1
+UNRESERVED = 2
@ -3792,6 +3795,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ self.need_udp_type=False
+ self.admin_domains = []
+ self.transition_domains = []
+ self.roles = []
+
+ def __isnetset(self, l):
+ return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0
@ -3799,6 +3803,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ def set_admin_domains(self, admin_domains):
+ self.admin_domains = admin_domains
+
+ def set_admin_roles(self, roles):
+ self.roles = roles
+
+ def set_transition_domains(self, transition_domains):
+ self.transition_domains = transition_domains
+
@ -3906,7 +3913,21 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ if self.use_pam:
+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules)
+ return newte
+
+
+ def generate_network_action(self, protocol, action, port_name):
+ line = ""
+ method = "corenet_%s_%s_%s" % (protocol, action, port_name)
+ if method in methods:
+ line = "%s(%s_t)\n" % (method, self.name)
+ else:
+ line = """
+gen_require(`
+ type %s_t;
+')
+allow %s_t %s_t:%s_socket name_%s;
+""" % (port_name, self.name, port_name, protocol, action)
+ return line
+
+ def generate_network_types(self):
+ for i in self.in_tcp[PORTS]:
+ rec = self.find_port(int(i))
@ -3914,7 +3935,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ self.need_tcp_type = True;
+ else:
+ port_name = rec[0][:-2]
+ line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name)
+ line = self.generate_network_action("tcp", "bind", port_name)
+# line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name)
+ if line not in self.found_tcp_ports:
+ self.found_tcp_ports.append(line)
+
@ -3924,7 +3946,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ self.need_tcp_type = True;
+ else:
+ port_name = rec[0][:-2]
+ line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name)
+ line = self.generate_network_action("tcp", "connect", port_name)
+# line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name)
+ if line not in self.found_tcp_ports:
+ self.found_tcp_ports.append(line)
+
@ -3934,7 +3957,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ self.need_udp_type = True;
+ else:
+ port_name = rec[0][:-2]
+ line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name)
+ line = self.generate_network_action("udp", "bind", port_name)
+# line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name)
+ if line not in self.found_udp_ports:
+ self.found_udp_ports.append(line)
+
@ -4022,8 +4046,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+
+ def generate_admin_rules(self):
+ newte = ""
+ newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
+
+ for app in self.admin_domains:
+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_domain_rules)
+ newte += re.sub("APPLICATION", app, tmp)
+ return newte
+
@ -4132,6 +4158,17 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ def generate_default_rules(self):
+ return self.DEFAULT_TYPES[self.type][1]()
+
+ def generate_roles_rules(self):
+ newte = ""
+ if self.type in ( TUSER, XUSER):
+ roles = ""
+ if len(self.roles) > 0:
+ newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules)
+ for role in self.roles:
+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules)
+ newte += re.sub("ROLE", role, tmp)
+ return newte
+
+ def generate_te(self):
+ newte = self.generate_default_types()
+ for d in self.DEFAULT_DIRS:
@ -4157,6 +4194,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ newte += self.generate_uid_rules()
+ newte += self.generate_syslog_rules()
+ newte += self.generate_pam_rules()
+ newte += self.generate_roles_rules()
+ newte += self.generate_transition_rules()
+ newte += self.generate_admin_rules()
+ return newte
@ -4188,6 +4226,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+
+ return newfc
+
+ def generate_user_sh(self):
+ newsh = ""
+ if self.type in ( TUSER, XUSER):
+ roles = ""
+ for role in self.roles:
+ roles += " %s_r" % role
+ if roles != "":
+ roles += " system_r"
+ tmp = re.sub("TEMPLATETYPE", self.name, script.users)
+ newsh += re.sub("ROLES", roles, tmp)
+ return newsh
+
+ def generate_sh(self):
+ newsh = re.sub("TEMPLATETYPE", self.name, script.compile)
+ newsh = re.sub("PACKAGEFILENAME", self.file_name, newsh)
@ -4208,6 +4258,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ if self.find_port(i) == None:
+ t1 = re.sub("PORTNUM", "%d" % i, script.udp_ports)
+ newsh += re.sub("TEMPLATETYPE", self.name, t1)
+
+ newsh += self.generate_user_sh()
+
+ return newsh
+
@ -4265,7 +4317,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ mypolicy.set_use_syslog(True)
+ mypolicy.set_use_pam(True)
+ mypolicy.set_out_tcp(0,"8000")
+ print mypolicy.generate("/tmp")
+ print mypolicy.generate("/var/tmp")
+
+ mypolicy = policy("myuser", USER)
+ mypolicy.set_program("/usr/bin/myuser")
@ -4277,7 +4329,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ mypolicy.set_use_pam(True)
+ mypolicy.add_file("/var/lib/myuser/myuser.sock")
+ mypolicy.set_out_tcp(0,"8000")
+ print mypolicy.generate("/tmp")
+ print mypolicy.generate("/var/tmp")
+
+
+ mypolicy = policy("myrwho", DAEMON)
@ -4290,7 +4342,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ mypolicy.set_use_pam(True)
+ mypolicy.add_dir("/var/run/myrwho")
+ mypolicy.add_dir("/var/lib/myrwho")
+ print mypolicy.generate("/tmp")
+ print mypolicy.generate("/var/tmp")
+
+ mypolicy = policy("myinetd", INETD)
+ mypolicy.set_program("/usr/bin/mytest")
@ -4308,16 +4360,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ mypolicy.add_dir("/etc/daemon")
+ mypolicy.add_dir("/etc/daemon/special")
+ mypolicy.set_out_tcp(0,"8000")
+ print mypolicy.generate("/tmp")
+ print mypolicy.generate("/var/tmp")
+
+ mypolicy = policy("mytuser", TUSER)
+ mypolicy.set_in_tcp(1, 0, 0, "513")
+ mypolicy.set_in_udp(1, 0, 0, "1513")
+ mypolicy.set_use_uid(True)
+ mypolicy.set_use_syslog(True)
+ mypolicy.set_use_pam(True)
+ mypolicy.set_transition_domains(["mozilla", "ssh"])
+ print mypolicy.generate("/tmp")
+ mypolicy.set_transition_domains(["sudo"])
+ mypolicy.set_admin_roles(["mydbadm"])
+ print mypolicy.generate("/var/tmp")
+
+ mypolicy = policy("myxuser", XUSER)
+ mypolicy.set_in_tcp(1, 1, 1, "")
@ -4326,13 +4374,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ mypolicy.set_use_syslog(True)
+ mypolicy.set_use_pam(True)
+ mypolicy.set_transition_domains(["mozilla"])
+ print mypolicy.generate("/tmp")
+ print mypolicy.generate("/var/tmp")
+
+ mypolicy = policy("myruser", RUSER)
+ mypolicy.set_in_tcp(1, 0, 0, "513")
+ mypolicy.set_in_udp(1, 0, 0, "1513")
+ mypolicy.set_admin_domains(["postgresql", "mysql", "apache"])
+ print mypolicy.generate("/tmp")
+ mypolicy = policy("mydbadm", RUSER)
+ mypolicy.set_admin_domains(["postgresql", "mysql"])
+ print mypolicy.generate("/var/tmp")
+
+ sys.exit(0)
+
@ -8762,8 +8808,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.25/gui/templates/executable.py
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/executable.py 2007-08-31 15:41:21.000000000 -0400
@@ -0,0 +1,222 @@
+++ policycoreutils-2.0.25/gui/templates/executable.py 2007-09-05 22:25:10.000000000 -0400
@@ -0,0 +1,229 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -8906,7 +8952,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+#
+interface(`TEMPLATETYPE_domtrans',`
+ gen_require(`
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
+ type TEMPLATETYPE_t;
+ type TEMPLATETYPE_exec_t;
+ ')
+
+ domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
@ -8961,13 +9008,19 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+## <rolecap/>
+#
+interface(`TEMPLATETYPE_admin',`
+ gen_require(`
+ type TEMPLATETYPE_t;
+ ')
+
+ allow $1 TEMPLATETYPE_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, TEMPLATETYPE_t, TEMPLATETYPE_t)
+
+"""
+
+if_initscript_admin="""
+ # Allow $1 to restart the apache service
+ TEMPLATETYPE_script_domtrans($1)
+ domain_role_change_exemption($1)
+ domain_obj_id_change_exemption($1)
+ domain_system_change_exemption($1)
+ role_transition $2 TEMPLATETYPE_script_exec_t system_r;
+ allow $2 system_r;
+"""
@ -9226,8 +9279,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.25/gui/templates/script.py
--- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/script.py 2007-08-31 15:07:36.000000000 -0400
@@ -0,0 +1,42 @@
+++ policycoreutils-2.0.25/gui/templates/script.py 2007-09-05 22:25:46.000000000 -0400
@@ -0,0 +1,45 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -9270,6 +9323,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py
+/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p udp PORTNUM
+"""
+
+users="""\
+/usr/sbin/semanage user -a -P TEMPLATETYPE -R "TEMPLATETYPE_rROLES" TEMPLATETYPE_u
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.25/gui/templates/semodule.py
--- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/semodule.py 2007-08-31 15:07:36.000000000 -0400
@ -9418,8 +9474,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.25/gui/templates/user.py
--- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.25/gui/templates/user.py 2007-08-31 15:07:36.000000000 -0400
@@ -0,0 +1,97 @@
+++ policycoreutils-2.0.25/gui/templates/user.py 2007-09-05 22:25:03.000000000 -0400
@@ -0,0 +1,139 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -9511,11 +9567,53 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
+"""
+
+te_admin_rules="""
+allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+files_dontaudit_search_all_dirs(TEMPLATETYPE_t)
+
+selinux_get_enforce_mode(TEMPLATETYPE_t)
+seutil_domtrans_restorecon(TEMPLATETYPE_t)
+seutil_search_default_contexts(mydbadm_t)
+
+logging_send_syslog_msg(TEMPLATETYPE_t)
+
+kernel_read_system_state(TEMPLATETYPE_t)
+
+domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
+domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)
+
+userdom_dontaudit_search_sysadm_home_dirs(TEMPLATETYPE_t)
+userdom_dontaudit_search_generic_user_home_dirs(TEMPLATETYPE_t)
+
+bool TEMPLATETYPE_read_user_files false;
+bool TEMPLATETYPE_manage_user_files false;
+
+if (TEMPLATETYPE_read_user_files) {
+ userdom_read_unpriv_users_home_content_files(TEMPLATETYPE_t)
+ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
+}
+
+if (TEMPLATETYPE_manage_user_files) {
+ userdom_manage_unpriv_users_home_content_dirs(TEMPLATETYPE_t)
+ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
+ userdom_write_unpriv_users_tmp_files(TEMPLATETYPE_t)
+}
+
+"""
+
+te_admin_domain_rules="""
+optional_policy(`
+ APPLICATION_admin(TEMPLATETYPE_t,TEMPLATETYPE_r, { TEMPLATETYPE_tty_device_t TEMPLATETYPE_devpts_t })
+')
+"""
+
+te_roles_rules="""
+userdom_role_change_template(TEMPLATETYPE, ROLE)
+"""
+
+te_newrole_rules="""
+seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
+"""
+
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.25/gui/templates/var_lib.py
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500

10
policycoreutils.spec
View File

@ -1,12 +1,12 @@
%define libauditver 1.4.2-1
%define libsepolver 2.0.6-1
%define libsemanagever 2.0.4-1
%define libsepolver 2.0.9-1
%define libsemanagever 2.0.5-1
%define libselinuxver 2.0.23-3
%define sepolgenver 1.0.9
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.25
Release: 8%{?dist}
Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -200,6 +200,10 @@ if [ "$1" -ge "1" ]; then
fi
%changelog
* Wed Sep 4 2007 Dan Walsh <dwalsh@redhat.com> 2.0.25-9
- Bump libsemanage version for disable dontaudit
- New gui features for creating admin users
* Fri Aug 31 2007 Dan Walsh <dwalsh@redhat.com> 2.0.25-8
- Fix generated code for admin policy