From 3bce4420a0014f803c5885e410d0ff7d7891169c Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 14 Apr 2006 11:51:02 +0000 Subject: [PATCH] * Fri Apr 14 2006 Dan Walsh 1.30.5-1 - Update from upstream * Added a test to setfiles to check that the spec file is a regular file. --- .cvsignore | 1 + policycoreutils-rhat.patch | 1236 +++++++++++++++++++++++++++++++++++- policycoreutils.spec | 15 +- sources | 2 +- 4 files changed, 1236 insertions(+), 18 deletions(-) diff --git a/.cvsignore b/.cvsignore index ad03a42..1e42024 100644 --- a/.cvsignore +++ b/.cvsignore @@ -96,3 +96,4 @@ policycoreutils-1.29.27.tgz policycoreutils-1.30.tgz policycoreutils-1.30.1.tgz policycoreutils-1.30.4.tgz +policycoreutils-1.30.5.tgz diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index f8d8ef5..20658d9 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,18 +1,546 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.30.4/audit2allow/audit2allow +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.30.5/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2006-03-29 15:35:22.000000000 -0500 -+++ policycoreutils-1.30.4/audit2allow/audit2allow 2006-04-05 08:59:26.000000000 -0400 -@@ -577,7 +577,7 @@ ++++ policycoreutils-1.30.5/audit2allow/audit2allow 2006-04-14 07:44:00.000000000 -0400 +@@ -24,431 +24,8 @@ + # 02111-1307 USA + # + # +-import commands, sys, os, pwd, string, getopt, re, selinux +- +-obj="(\{[^\}]*\}|[^ \t:]*)" +-allow_regexp="(allow|dontaudit)[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj) +-awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\ +- IFACEFILE=FILENAME\n\ +- IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\ +- IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\ +-}\n\ +-\n\ +-/^[[:blank:]]*(allow|dontaudit)[[:blank:]]+.*;[[:blank:]]*$/ {\n\ +-\n\ +- if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\ +- ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\ +- ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\ +- print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\ +- }\n\ +-}\ +-' +- +-class accessTrans: +- def __init__(self): +- self.dict={} +- try: +- fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt") +- except IOError, error: +- raise IOError("Reference policy generation requires the policy development package.\n%s" % error) +- records=fd.read().split("\n") +- regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'" +- for r in records: +- m=re.match(regexp,r) +- if m!=None: +- self.dict[m.groups()[0]] = m.groups()[1].split() +- fd.close() +- def get(self, var): +- l=[] +- for v in var: +- if v in self.dict.keys(): +- l += self.dict[v] +- else: +- if v not in ("{", "}"): +- l.append(v) +- return l +- +-class interfaces: +- def __init__(self): +- self.dict={} +- trans=accessTrans() +- (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null") +- input.write(awk_script) +- input.close() +- records=output.read().split("\n") +- input.close() +- if len(records) > 0: +- regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp +- for r in records: +- m=re.match(regexp,r) +- if m==None: +- continue +- val=m.groups() +- file=os.path.basename(val[0]).split(".")[0] +- iface=val[1] +- Scon=val[3].split() +- Tcon=val[4].split() +- Class=val[5].split() +- Access=trans.get(val[6].split()) +- for s in Scon: +- for t in Tcon: +- for c in Class: +- if (s, t, c) not in self.dict.keys(): +- self.dict[(s, t, c)]=[] +- self.dict[(s, t, c)].append((Access, file, iface)) +- def out(self): +- keys=self.dict.keys() +- keys.sort() +- for k in keys: +- print k +- for i in self.dict[k]: +- print "\t", i +- +- def match(self, Scon, Tcon, Class, Access): +- keys=self.dict.keys() +- ret=[] +- if (Scon, Tcon, Class) in keys: +- for i in self.dict[(Scon, Tcon, Class)]: +- if Access in i[0]: +- if i[2].find(Access) >= 0: +- ret.insert(0, i) +- else: +- ret.append(i) +- return ret +- if ("$1", Tcon, Class) in keys: +- for i in self.dict[("$1", Tcon, Class)]: +- if Access in i[0]: +- if i[2].find(Access) >= 0: +- ret.insert(0, i) +- else: +- ret.append(i) +- return ret +- if (Scon, "$1", Class) in keys: +- for i in self.dict[(Scon, "$1", Class)]: +- if Access in i[0]: +- if i[2].find(Access) >= 0: +- ret.insert(0, i) +- else: +- ret.append(i) +- return ret +- else: +- return ret +- +- +-class serule: +- def __init__(self, type, source, target, seclass): +- self.type=type +- self.source=source +- self.target=target +- self.seclass=seclass +- self.avcinfo={} +- self.iface=None +- +- def add(self, avc): +- for a in avc[0]: +- if a not in self.avcinfo.keys(): +- self.avcinfo[a]=[] +- +- self.avcinfo[a].append(avc[1:]) +- +- def getAccess(self): +- if len(self.avcinfo.keys()) == 1: +- for i in self.avcinfo.keys(): +- return i +- else: +- keys=self.avcinfo.keys() +- keys.sort() +- ret="{" +- for i in keys: +- ret=ret + " " + i +- ret=ret+" }" +- return ret +- def out(self, verbose=0): +- ret="" +- ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess()) +- if verbose: +- keys=self.avcinfo.keys() +- keys.sort() +- for i in keys: +- for x in self.avcinfo[i]: +- ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0] +- if len(x[1]): +- ret=ret+"COMM=%s " % x[1] +- if len(x[2]): +- ret=ret+"NAME=%s " % x[2] +- ret=ret + " : " + i +- return ret +- +- def gen_reference_policy(self, iface): +- ret="" +- Scon=self.source +- Tcon=self.gettarget() +- Class=self.seclass +- Access=self.getAccess() +- m=iface.match(Scon,Tcon,Class,Access) +- if len(m)==0: +- return self.out() +- else: +- file=m[0][1] +- ret="\n#%s\n"% self.out() +- ret += "optional_policy(`%s', `\n" % m[0][1] +- first=True +- for i in m: +- if file != i[1]: +- ret += "')\ngen_require(`%s', `\n" % i[1] +- file = i[1] +- first=True +- if first: +- ret += "\t%s(%s)\n" % (i[2], Scon) +- first=False +- else: +- ret += "#\t%s(%s)\n" % (i[2], Scon) +- ret += "');" +- return ret +- +- def gettarget(self): +- if self.source == self.target: +- return "self" +- else: +- return self.target +- +-class seruleRecords: +- def __init__(self, input, last_reload=0, verbose=0, te_ind=0): +- self.last_reload=last_reload +- self.initialize() +- self.load(input, te_ind) +- self.gen_ref_policy = False +- +- def initialize(self): +- self.seRules={} +- self.seclasses={} +- self.types=[] +- self.roles=[] +- +- def gen_reference_policy(self): +- self.gen_ref_policy = True +- self.iface=interfaces() +- +- def warning(self, error): +- sys.stderr.write("%s: " % sys.argv[0]) +- sys.stderr.write("%s\n" % error) +- sys.stderr.flush() +- +- def load(self, input, te_ind=0): +- VALID_CMDS=("allow", "dontaudit", "auditallow", "role") +- +- avc=[] +- found=0 +- line = input.readline() +- if te_ind: +- while line: +- rec=line.split() +- if len(rec) and rec[0] in VALID_CMDS: +- self.add_terule(line) +- line = input.readline() +- +- else: +- while line: +- rec=line.split() +- for i in rec: +- if i=="avc:" or i=="message=avc:" or i=="msg='avc:": +- +- found=1 +- else: +- avc.append(i) +- if found: +- self.add(avc) +- found=0 +- avc=[] +- line = input.readline() +- +- +- def get_target(self, i, rule): +- target=[] +- if rule[i][0] == "{": +- for t in rule[i].split("{"): +- if len(t): +- target.append(t) +- i=i+1 +- for s in rule[i:]: +- if s.find("}") >= 0: +- for s1 in s.split("}"): +- if len(s1): +- target.append(s1) +- i=i+1 +- return (i, target) +- +- target.append(s) +- i=i+1 +- else: +- if rule[i].find(";") >= 0: +- for s1 in rule[i].split(";"): +- if len(s1): +- target.append(s1) +- else: +- target.append(rule[i]) +- +- i=i+1 +- return (i, target) +- +- def rules_split(self, rules): +- (idx, target ) = self.get_target(0, rules) +- (idx, subject) = self.get_target(idx, rules) +- return (target, subject) +- +- def add_terule(self, rule): +- rc = rule.split(":") +- rules=rc[0].split() +- type=rules[0] +- if type == "role": +- print type +- (sources, targets) = self.rules_split(rules[1:]) +- rules=rc[1].split() +- (seclasses, access) = self.rules_split(rules) +- for scon in sources: +- for tcon in targets: +- for seclass in seclasses: +- self.add_rule(type, scon, tcon, seclass,access) +- +- def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""): +- self.add_seclass(seclass, access) +- self.add_type(tcon) +- self.add_type(scon) +- if (rule_type, scon, tcon, seclass) not in self.seRules.keys(): +- self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass) +- +- self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name )) +- +- def add(self,avc): +- scon="" +- tcon="" +- seclass="" +- comm="" +- name="" +- msg="" +- access=[] +- if "security_compute_sid" in avc: +- return +- +- if "load_policy" in avc and self.last_reload: +- self.initialize() +- +- if "granted" in avc: +- return +- try: +- for i in range (0, len(avc)): +- if avc[i]=="{": +- i=i+1 +- while i 0: +-# for i in self.roles: +-# rec += "\trole %s; \n" % i +-# rec += "\n" +-# +- for i in keys: +- access=self.seclasses[i] +- if len(access) > 1: +- access.sort() +- rec += "\tclass %s {" % i +- for a in access: +- rec += " %s" % a +- rec += " }; \n" +- else: +- rec += "\tclass %s %s;\n" % (i, access[0]) +- +- rec += "\n" +- +- for i in self.types: +- rec += "\ttype %s; \n" % i +- rec += "};\n\n" +- return rec +- +- def out(self, require=0, module=""): +- rec="" +- if len(self.seRules.keys())==0: +- raise(ValueError("No AVC messages found.")) +- if module != "": +- rec += self.gen_module(module) +- rec += self.gen_requires() +- else: +- if requires: +- rec+=self.gen_requires() +- +- keys=self.seRules.keys() +- keys.sort() +- for i in keys: +- if self.gen_ref_policy: +- rec += self.seRules[i].gen_reference_policy(self.iface)+"\n" +- else: +- rec += self.seRules[i].out(verbose)+"\n" +- return rec ++import commands, sys, os, getopt, selinux ++from avc import * + + if __name__ == '__main__': + +@@ -469,10 +46,11 @@ + -M generate loadable module package, conflicts with -o\n\ + -o, --output append output to , conflicts with -M\n\ + -r, --requires generate require output \n\ +- -t, --tefile Indicates input is Existing Type Enforcement file\n\ ++ -t, --tefile Add input from Existing Type Enforcement file\n\ + -f, --fcfile Existing Type Enforcement file, requires -M\n\ + -v, --verbose verbose output\n\ +- ' ++ -A, --analyze Analyze output\n\ ++ ' + if msg != "": + print msg + sys.exit(1) +@@ -498,13 +76,15 @@ + input_ind=0 + output_ind=0 + ref_ind=False +- te_ind=0 ++ analyze=False ++ te_inputs=[] + + fc_file="" + gopts, cmds = getopt.getopt(sys.argv[1:], +- 'adf:hi:lm:M:o:rtvR', ++ 'Aadf:hi:lm:M:o:rt:vR', + ['all', +- 'dmesg', ++ 'analyze', ++ 'dmesg', + 'fcfile=', + 'help', + 'input=', +@@ -513,12 +93,12 @@ + 'output=', + 'requires', + 'reference', +- 'tefile', ++ 'tefile=', + 'verbose' + ]) + for o,a in gopts: + if o == "-a" or o == "--all": +- if input_ind or te_ind: ++ if input_ind: + usage() + input=open("/var/log/messages", "r") + auditlogs=1 +@@ -551,9 +131,8 @@ + if o == "-r" or o == "--requires": + requires=1 + if o == "-t" or o == "--tefile": +- if auditlogs: +- usage() +- te_ind=1 ++ te_inputs.append(open(a, "r")) ++ + if o == "-R" or o == "--reference": + ref_ind=True + +@@ -565,25 +144,37 @@ + if o == "-v" or o == "--verbose": + verbose=1 + ++ if o == "-A" or o == "--analyze": ++ analyze=True ++ + if len(cmds) != 0: + usage() + + if fc_file != "" and not buildPP: + usage("Error %s: Option -fc requires -M" % sys.argv[0]) + +- out=seruleRecords(input, last_reload, verbose, te_ind) ++ serules=SERules(last_reload, verbose) ++ ++ for i in te_inputs: ++ te=TERules(serules) ++ te.load(i) ++ ++ serules.load(input) + + if ref_ind: - out.gen_reference_policy() +- out.gen_reference_policy() ++ serules.gen_reference_policy() ++ ++ if analyze: ++ serules.analyze() - if auditlogs: + if auditlogs and os.path.exists("/var/log/audit/audit.log"): input=os.popen("ausearch -m avc") - out.load(input) +- out.load(input) ++ serules.load(input) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.30.4/audit2allow/audit2allow.1 + if buildPP: + print ("Generating type enforcment file: %s.te" % module) +- output.write(out.out(requires, module)) ++ output.write(serules.out(requires, module)) + output.flush() + if buildPP: + cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.30.5/audit2allow/audit2allow.1 --- nsapolicycoreutils/audit2allow/audit2allow.1 2006-03-10 09:48:04.000000000 -0500 -+++ policycoreutils-1.30.4/audit2allow/audit2allow.1 2006-04-05 09:09:05.000000000 -0400 ++++ policycoreutils-1.30.5/audit2allow/audit2allow.1 2006-04-14 07:44:00.000000000 -0400 @@ -98,6 +98,11 @@ .PP .SH EXAMPLE @@ -25,18 +553,612 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow. .B Using audit2allow to generate monolithic (non-module) policy $ cd /etc/selinux/$SELINUXTYPE/src/policy $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.30.4/restorecond/restorecond.conf +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/avc.py policycoreutils-1.30.5/audit2allow/avc.py +--- nsapolicycoreutils/audit2allow/avc.py 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.30.5/audit2allow/avc.py 2006-04-14 07:44:00.000000000 -0400 +@@ -0,0 +1,518 @@ ++#! /usr/bin/env python ++# Copyright (C) 2006 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# avc.py is a plugin modules used by audit2allow and other objects to process ++# avc messages from the log files ++# ++# Based off original audit2allow perl script: which credits ++# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu) ++# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License as ++# published by the Free Software Foundation; either version 2 of ++# the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++# 02111-1307 USA ++# ++# ++import sys, os, pwd, string, re, selinux ++ ++obj="(\{[^\}]*\}|[^ \t:]*)" ++allow_regexp="(allow|dontaudit)[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj) ++awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\ ++ IFACEFILE=FILENAME\n\ ++ IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\ ++ IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\ ++}\n\ ++\n\ ++/^[[:blank:]]*(allow|dontaudit)[[:blank:]]+.*;[[:blank:]]*$/ {\n\ ++\n\ ++ if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\ ++ ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\ ++ ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\ ++ print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\ ++ }\n\ ++}\ ++' ++ ++class context: ++ def __init__(self, scontext): ++ self.scontext=scontext ++ con=scontext.split(":") ++ self.user=con[0] ++ self.role=con[1] ++ self.type=con[2] ++ if len(con) > 3: ++ self.mls=con[3] ++ else: ++ self.mls="s0" ++ ++ def __str__(self): ++ return self.scontext ++ ++class accessTrans: ++ def __init__(self): ++ self.dict={} ++ try: ++ fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt") ++ except IOError, error: ++ raise IOError("Reference policy generation requires the policy development package.\n%s" % error) ++ records=fd.read().split("\n") ++ regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'" ++ for r in records: ++ m=re.match(regexp,r) ++ if m!=None: ++ self.dict[m.groups()[0]] = m.groups()[1].split() ++ fd.close() ++ def get(self, var): ++ l=[] ++ for v in var: ++ if v in self.dict.keys(): ++ l += self.dict[v] ++ else: ++ if v not in ("{", "}"): ++ l.append(v) ++ return l ++ ++class interfaces: ++ def __init__(self): ++ self.dict={} ++ trans=accessTrans() ++ (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null") ++ input.write(awk_script) ++ input.close() ++ records=output.read().split("\n") ++ input.close() ++ if len(records) > 0: ++ regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp ++ for r in records: ++ m=re.match(regexp,r) ++ if m==None: ++ continue ++ val=m.groups() ++ file=os.path.basename(val[0]).split(".")[0] ++ iface=val[1] ++ Scon=val[3].split() ++ Tcon=val[4].split() ++ Class=val[5].split() ++ Access=trans.get(val[6].split()) ++ for s in Scon: ++ for t in Tcon: ++ for c in Class: ++ if (s, t, c) not in self.dict.keys(): ++ self.dict[(s, t, c)]=[] ++ self.dict[(s, t, c)].append((Access, file, iface)) ++ def out(self): ++ keys=self.dict.keys() ++ keys.sort() ++ for k in keys: ++ print k ++ for i in self.dict[k]: ++ print "\t", i ++ ++ def match(self, Scon, Tcon, Class, Access): ++ keys=self.dict.keys() ++ ret=[] ++ if (Scon, Tcon, Class) in keys: ++ for i in self.dict[(Scon, Tcon, Class)]: ++ if Access in i[0]: ++ if i[2].find(Access) >= 0: ++ ret.insert(0, i) ++ else: ++ ret.append(i) ++ return ret ++ if ("$1", Tcon, Class) in keys: ++ for i in self.dict[("$1", Tcon, Class)]: ++ if Access in i[0]: ++ if i[2].find(Access) >= 0: ++ ret.insert(0, i) ++ else: ++ ret.append(i) ++ return ret ++ if (Scon, "$1", Class) in keys: ++ for i in self.dict[(Scon, "$1", Class)]: ++ if Access in i[0]: ++ if i[2].find(Access) >= 0: ++ ret.insert(0, i) ++ else: ++ ret.append(i) ++ return ret ++ else: ++ return ret ++ ++import glob, imp ++pluginPath="/usr/share/selinux/plugins" ++if not pluginPath in sys.path: ++ sys.path.append(pluginPath) ++ ++class Analyze: ++ def __init__(self): ++ self.plugins=[] ++ for p in glob.glob("/usr/share/selinux/plugins/*.py"): ++ plugin=os.path.basename(p)[:-3] ++ self.plugins.append(imp.load_module(plugin, *imp.find_module(plugin))) ++ ++ def process(self, AVCS): ++ ret=[] ++ avcs=AVCS ++ for p in self.plugins: ++ if avcs == None: ++ break; ++ r = p.analyze(avcs) ++ if len(r)==0: ++ continue ++ avcs=r[1] ++ if len(r[0]) > 0: ++ ret.append(r[0]) ++ return ret ++ ++class serule: ++ def __init__(self, key): ++ self.type=key[0] ++ self.source=key[1] ++ self.target=key[2] ++ self.seclass=key[3] ++ self.access=[] ++ self.avcinfo={} ++ self.iface=None ++ ++ def add(self, avc): ++ for a in avc[0]: ++ if a not in self.avcinfo.keys(): ++ self.avcinfo[a]=[] ++ self.access.append(a) ++ self.avcinfo[a].append(avc[1:]) ++ ++ def getAccess(self): ++ if len(self.access) == 1: ++ return self.access[0] ++ else: ++ self.access.sort() ++ return "{ " + string.join(self.access) +" }" ++ ++ def getName(self): ++ print self.avcinfo ++ ++ def out(self, verbose=0): ++ ret="" ++ ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess()) ++ if verbose: ++ keys=self.avcinfo.keys() ++ keys.sort() ++ for i in keys: ++ for x in self.avcinfo[i]: ++ ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0] ++ if len(x[1]): ++ ret=ret+"COMM=%s " % x[1] ++ if len(x[2]): ++ ret=ret+"NAME=%s " % x[2] ++ ret=ret + " : " + i ++ return ret ++ ++ def gen_reference_policy(self, iface): ++ ret="" ++ Scon=self.source ++ Tcon=self.gettarget() ++ Class=self.seclass ++ Access=self.getAccess() ++ m=iface.match(Scon,Tcon,Class,Access) ++ if len(m)==0: ++ return self.out() ++ else: ++ file=m[0][1] ++ ret="\n#%s\n"% self.out() ++ ret += "optional_policy(`%s', `\n" % m[0][1] ++ first=True ++ for i in m: ++ if file != i[1]: ++ ret += "')\ngen_require(`%s', `\n" % i[1] ++ file = i[1] ++ first=True ++ if first: ++ ret += "\t%s(%s)\n" % (i[2], Scon) ++ first=False ++ else: ++ ret += "#\t%s(%s)\n" % (i[2], Scon) ++ ret += "');" ++ return ret ++ ++ def gettarget(self): ++ if self.source == self.target: ++ return "self" ++ else: ++ return self.target ++ ++def warning(error): ++ sys.stderr.write("%s: " % sys.argv[0]) ++ sys.stderr.write("%s\n" % error) ++ sys.stderr.flush() ++ ++ ++class TERules: ++ def __init__(self, serules): ++ self.VALID_CMDS=("allow", "dontaudit", "auditallow") ++ self.serules=serules ++ ++ def load(self, input): ++ line = input.readline() ++ while line: ++ rec=line.split() ++ if len(rec) and rec[0] in self.VALID_CMDS: ++ self.add_terule(line) ++ line = input.readline() ++ ++ def add_terule(self, rule): ++ rc = rule.split(":") ++ rules=rc[0].split() ++ type=rules[0] ++ (sources, targets) = self.rules_split(rules[1:]) ++ rules=rc[1].split() ++ (classes, access) = self.rules_split(rules) ++ for scon in sources: ++ for tcon in targets: ++ for seclass in classes: ++ self.serules.add_rule(type, scon, tcon, seclass,access) ++ ++ def rules_split(self, rules): ++ (idx, target ) = self.get_target(0, rules) ++ (idx, subject) = self.get_target(idx, rules) ++ return (target, subject) ++ ++ def get_target(self, i, rule): ++ target=[] ++ if rule[i][0] == "{": ++ for t in rule[i].split("{"): ++ if len(t): ++ target.append(t) ++ i=i+1 ++ for s in rule[i:]: ++ if s.find("}") >= 0: ++ for s1 in s.split("}"): ++ if len(s1): ++ target.append(s1) ++ i=i+1 ++ return (i, target) ++ ++ target.append(s) ++ i=i+1 ++ else: ++ if rule[i].find(";") >= 0: ++ for s1 in rule[i].split(";"): ++ if len(s1): ++ target.append(s1) ++ else: ++ target.append(rule[i]) ++ ++ i=i+1 ++ return (i, target) ++ ++ ++ALLOW=0 ++STYPE=1 ++TTYPE=2 ++CLASS=3 ++COMM=1 ++NAME=3 ++ ++class SERules: ++ def __init__(self, last_reload=0, verbose=0): ++ self.last_reload=last_reload ++ self.initialize() ++ self.gen_ref_policy = False ++ self.verbose = verbose ++ self.AVCS=[] ++ ++ def initialize(self): ++ self.seRules={} ++ self.classes={} ++ self.types=[] ++ self.roles=[] ++ ++ def load(self, input): ++ dict=[] ++ found=0 ++ line = input.readline() ++ while line: ++ rec=line.split() ++ for i in rec: ++ if i=="avc:" or i=="message=avc:" or i=="msg='avc:": ++ found=1 ++ else: ++ dict.append(i) ++ if found: ++ self.translate(dict) ++ found=0 ++ dict=[] ++ line = input.readline() ++ ++ ++ def translate(self,dict): ++ AVC={} ++ AVC["access"]=[] ++ if "security_compute_sid" in dict: ++ return ++ ++ if "load_policy" in dict and self.last_reload: ++ self.initialize() ++ ++ if "granted" in dict: ++ return ++ try: ++ for i in range (0, len(dict)): ++ if dict[i]=="{": ++ i=i+1 ++ while i 0: ++# for i in self.roles: ++# rec += "\trole %s; \n" % i ++# rec += "\n" ++# ++ for i in keys: ++ access=self.classes[i] ++ if len(access) > 1: ++ access.sort() ++ rec += "\tclass %s {" % i ++ for a in access: ++ rec += " %s" % a ++ rec += " }; \n" ++ else: ++ rec += "\tclass %s %s;\n" % (i, access[0]) ++ ++ rec += "\n" ++ ++ for i in self.types: ++ rec += "\ttype %s; \n" % i ++ rec += "};\n\n" ++ return rec ++ ++ def analyze(self): ++ a=Analyze() ++ analysys=a.process(self.AVCS) ++ for i in analysys: ++ print i[0][0] ++ print "" ++ sys.exit(0) ++ ++ def out(self, require=0, module=""): ++ rec="" ++ if len(self.seRules.keys())==0: ++ raise(ValueError("No AVC messages found.")) ++ if module != "": ++ rec += self.gen_module(module) ++ rec += self.gen_requires() ++ else: ++ if require: ++ rec+=self.gen_requires() ++ ++ keys=self.seRules.keys() ++ keys.sort() ++ for i in keys: ++ if self.gen_ref_policy: ++ rec += self.seRules[i].gen_reference_policy(self.iface)+"\n" ++ else: ++ rec += self.seRules[i].out(self.verbose)+"\n" ++ return rec ++ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.30.5/restorecond/restorecond.conf --- nsapolicycoreutils/restorecond/restorecond.conf 2006-03-29 11:08:21.000000000 -0500 -+++ policycoreutils-1.30.4/restorecond/restorecond.conf 2006-04-03 11:57:26.000000000 -0400 ++++ policycoreutils-1.30.5/restorecond/restorecond.conf 2006-04-14 07:44:00.000000000 -0400 @@ -2,3 +2,4 @@ /etc/mtab /var/run/utmp ~/public_html +~/.mozilla/plugins/libflashplayer.so -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.30.4/semanage/semanage +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.30.5/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2006-03-29 15:35:22.000000000 -0500 -+++ policycoreutils-1.30.4/semanage/semanage 2006-04-01 04:54:36.000000000 -0500 -@@ -286,6 +286,8 @@ ++++ policycoreutils-1.30.5/semanage/semanage 2006-04-14 07:45:07.000000000 -0400 +@@ -32,7 +32,7 @@ + print '\ + semanage {login|user|port|interface|fcontext|translation} -l [-n] \n\ + semanage login -{a|d|m} [-sr] login_name\n\ +-semanage user -{a|d|m} [-LrR] selinux_name\n\ ++semanage user -{a|d|m} [-LrRP] selinux_name\n\ + semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\ + semanage interface -{a|d|m} [-tr] interface_spec\n\ + semanage fcontext -{a|d|m} [-frst] file_spec\n\ +@@ -60,6 +60,7 @@ + -p (named pipe) \n\n\ + \ + -p, --proto Port protocol (tcp or udp)\n\ ++ -P, --prefix Prefix for home directory labeling\n\ + -L, --level Default SELinux Level (MLS/MCS Systems only)\n\ + -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\ + -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\ +@@ -83,7 +84,7 @@ + valid_option["login"] = [] + valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range'] + valid_option["user"] = [] +- valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ] ++ valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ] + valid_option["port"] = [] + valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ] + valid_option["interface"] = [] +@@ -109,6 +110,7 @@ + setrans = "" + roles = "" + seuser = "" ++ prefix = "" + heading=1 + + add = 0 +@@ -126,7 +128,7 @@ + args = sys.argv[2:] + + gopts, cmds = getopt.getopt(args, +- 'adf:lhmnp:s:R:L:r:t:T:', ++ 'adf:lhmnp:s:R:L:r:t:T:P:', + ['add', + 'delete', + 'ftype=', +@@ -140,7 +142,8 @@ + 'level=', + 'roles=', + 'type=', +- 'trans=' ++ 'trans=', ++ 'prefix=' + ]) + for o, a in gopts: + if o not in option_dict[object]: +@@ -185,6 +188,9 @@ + if o == "-p" or o == '--proto': + proto = a + ++ if o == "-P" or o == '--prefix': ++ prefix = a ++ + if o == "-R" or o == '--roles': + roles = roles + " " + a + +@@ -235,7 +241,7 @@ + rlist = roles.split() + if len(rlist) == 0: + raise ValueError("You must specify a role") +- OBJECT.add(target, rlist, selevel, serange) ++ OBJECT.add(target, rlist, selevel, serange, prefix) + + if object == "port": + OBJECT.add(target, proto, serange, setype) +@@ -286,6 +292,8 @@ errorExit("Options Error " + error.msg) except ValueError, error: errorExit(error.args[0]) @@ -45,3 +1167,93 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policy except IOError, error: errorExit(error.args[1]) except KeyboardInterrupt, error: +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.30.5/semanage/seobject.py +--- nsapolicycoreutils/semanage/seobject.py 2006-03-29 15:35:22.000000000 -0500 ++++ policycoreutils-1.30.5/semanage/seobject.py 2006-04-14 07:47:13.000000000 -0400 +@@ -381,7 +381,7 @@ + def __init__(self): + semanageRecords.__init__(self) + +- def add(self, name, roles, selevel, serange): ++ def add(self, name, roles, selevel, serange, prefix): + if is_mls_enabled == 1: + if serange == "": + serange = "s0" +@@ -427,6 +427,9 @@ + if rc < 0: + raise ValueError("Could not set MLS level for %s" % name) + ++ rc = semanage_user_set_prefix(self.sh, u, prefix) ++ if rc < 0: ++ raise ValueError("Could not add prefix %s for %s" % (r, prefix)) + (rc,key) = semanage_user_key_extract(self.sh,u) + if rc < 0: + raise ValueError("Could not extract key for %s" % name) +@@ -451,13 +454,15 @@ + semanage_user_key_free(k) + semanage_user_free(u) + +- def modify(self, name, roles = [], selevel = "", serange = ""): ++ def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): ++ oldroles="" ++ newroles = string.join(roles, ' '); + try: +- if len(roles) == 0 and serange == "" and selevel == "": ++ if prefix == "" and len(roles) == 0 and serange == "" and selevel == "": + if is_mls_enabled == 1: +- raise ValueError("Requires roles, level or range") ++ raise ValueError("Requires prefix, roles, level or range") + else: +- raise ValueError("Requires roles") ++ raise ValueError("Requires prefix or roles") + + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: +@@ -473,11 +478,21 @@ + if rc < 0: + raise ValueError("Could not query user for %s" % name) + ++ oldserange=semanage_user_get_mlsrange(u) ++ (rc, rlist)=semanage_user_get_roles(self.sh, u) ++ if rc >= 0: ++ oldroles = string.join(rlist, ' '); ++ newroles = newroles + ' ' + oldroles; ++ ++ + if serange != "": + semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) + if selevel != "": + semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) + ++ if prefix != "": ++ semanage_user_set_prefix(self.sh, u, prefix) ++ + if len(roles) != 0: + for r in roles: + semanage_user_add_role(self.sh, u, r) +@@ -495,10 +510,11 @@ + raise ValueError("Could not modify SELinux user %s" % name) + + except ValueError, error: +- mylog.log(0,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange) ++ mylog.log(0,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) + raise error + +- mylog.log(1,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange) ++ mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) ++ + semanage_user_key_free(k) + semanage_user_free(u) + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setsebool/setsebool.8 policycoreutils-1.30.5/setsebool/setsebool.8 +--- nsapolicycoreutils/setsebool/setsebool.8 2005-11-04 15:37:49.000000000 -0500 ++++ policycoreutils-1.30.5/setsebool/setsebool.8 2006-04-14 07:44:00.000000000 -0400 +@@ -17,7 +17,7 @@ + are not changed. + + If the -P option is given, all pending values are written to +-the boolean file on disk. ++the policy file on disk. So they will be persistant across reboots. + + .SH AUTHOR + This manual page was written by Dan Walsh . diff --git a/policycoreutils.spec b/policycoreutils.spec index 5b8152c..6990321 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,11 +1,11 @@ %define libauditver 1.1.4-3 -%define libsepolver 1.12-1 -%define libsemanagever 1.6-1 -%define libselinuxver 1.30-1 +%define libsepolver 1.12.5-1 +%define libsemanagever 1.6.5-1 +%define libselinuxver 1.30.3-1 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.30.4 -Release: 4 +Version: 1.30.5 +Release: 1 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -108,6 +108,11 @@ rm -rf ${RPM_BUILD_ROOT} /sbin/service restorecond condrestart %changelog +* Fri Apr 14 2006 Dan Walsh 1.30.5-1 +- Update from upstream + * Added a test to setfiles to check that the spec file is + a regular file. + * Thu Apr 06 2006 Karsten Hopp 1.30.4-4 - added some missing buildrequires - added Requires: initscripts for /sbin/service diff --git a/sources b/sources index 56aa4d0..40ede2f 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -4af18b5ace84c5cb075f5160ab51f86b policycoreutils-1.30.4.tgz +b3eba7a93507ee2e576c184854d01610 policycoreutils-1.30.5.tgz