From 5031b9bd5ab6b9755bc6c07714a6cd8d65b3f0c5 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 23 Jan 2008 22:11:23 +0000 Subject: [PATCH] * Wed Jan 23 2008 Dan Walsh 2.0.37-1 - Update to upstream * Merged replacement for audit2why from Dan Walsh. --- .cvsignore | 2 + policycoreutils-rhat.patch | 675 ++++--------------------------------- policycoreutils.spec | 11 +- sources | 4 +- 4 files changed, 85 insertions(+), 607 deletions(-) diff --git a/.cvsignore b/.cvsignore index e180741..97e2aef 100644 --- a/.cvsignore +++ b/.cvsignore @@ -168,3 +168,5 @@ policycoreutils-2.0.33.tgz policycoreutils-2.0.34.tgz policycoreutils-2.0.35.tgz policycoreutils-2.0.36.tgz +policycoreutils-2.0.37.tgz +sepolgen-1.0.11.tgz diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index c1b717d..618f705 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.35/audit2allow/audit2allow ---- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400 -+++ policycoreutils-2.0.35/audit2allow/audit2allow 2008-01-15 11:32:58.000000000 -0500 +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.36/audit2allow/audit2allow +--- nsapolicycoreutils/audit2allow/audit2allow 2008-01-23 16:47:07.000000000 -0500 ++++ policycoreutils-2.0.36/audit2allow/audit2allow 2008-01-23 15:47:45.000000000 -0500 @@ -19,7 +19,6 @@ # 
@@ -9,627 +9,84 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po import sepolgen.audit as audit import sepolgen.policygen as policygen -@@ -60,7 +59,10 @@ - parser.add_option("-o", "--output", dest="output", - help="append output to , conflicts with -M") - parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", -- default=False, help="generate refpolicy style output") -+ default=True, help="generate refpolicy style output") -+ -+ parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy", -+ default=False, help="do not generate refpolicy style output") - parser.add_option("-v", "--verbose", action="store_true", dest="verbose", - default=False, help="explain generated output") - parser.add_option("-e", "--explain", action="store_true", dest="explain_long", -@@ -72,6 +74,9 @@ - parser.add_option("--debug", dest="debug", action="store_true", default=False, - help="leave generated modules for -M") - -+ parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False, -+ help="Translates SELinux audit messages into a description of why the access was denied") -+ - options, args = parser.parse_args() - - # Make -d, -a, and -i conflict -@@ -147,10 +152,12 @@ +@@ -153,9 +152,9 @@ def __process_input(self): if self.__options.type: - filter = audit.TypeFilter(self.__options.type) - self.__avs = self.__parser.to_access(filter) +- self.__selinux_errs = self.__parser.to_role(filter) + avcfilter = audit.TypeFilter(self.__options.type) + self.__avs = self.__parser.to_access(avcfilter) + self.__selinux_errs = self.__parser.to_role(avcfilter) else: self.__avs = self.__parser.to_access() -+ self.__selinux_errs = self.__parser.to_role() - - def __load_interface_info(self): - # Load interface info file -@@ -210,7 +217,74 @@ - sys.stdout.write((_("To make this policy package active, execute:" +\ - "\n\nsemodule -i %s\n\n") % packagename)) - -+ def __output_audit2why(self): -+ import 
selinux -+ import selinux.audit2why as audit2why + self.__selinux_errs = self.__parser.to_role() +@@ -221,13 +220,14 @@ + def __output_audit2why(self): + import selinux + import selinux.audit2why as audit2why + import seobject -+ audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers())) -+ for i in self.__parser.avc_msgs: -+ rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses) -+ if rc >= 0: -+ print "%s\n\tWas caused by:" % i.message -+ if rc == audit2why.NOPOLICY: + audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers())) + for i in self.__parser.avc_msgs: + rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses) + if rc >= 0: + print "%s\n\tWas caused by:" % i.message + if rc == audit2why.NOPOLICY: +- raise "Must call policy_init first" + raise RuntimeError("Must call policy_init first") -+ if rc == audit2why.BADTCON: -+ print "Invalid Target Context %s\n" % i.tcontext -+ continue -+ if rc == audit2why.BADSCON: -+ print "Invalid Source Context %s\n" % i.scontext -+ continue -+ if rc == audit2why.BADSCON: -+ print "Invalid Type Class %s\n" % i.tclass -+ continue -+ if rc == audit2why.BADPERM: -+ print "Invalid permission %s\n" % i.accesses -+ continue -+ if rc == audit2why. BADCOMPUTE: + if rc == audit2why.BADTCON: + print "Invalid Target Context %s\n" % i.tcontext + continue +@@ -241,7 +241,7 @@ + print "Invalid permission %s\n" % i.accesses + continue + if rc == audit2why. BADCOMPUTE: +- raise "Error during access vector computation" + raise RuntimeError("Error during access vector computation") -+ if rc == audit2why.ALLOW: -+ print "\t\tUnknown - would be allowed by active policy\n", -+ print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n" -+ print "\t\tPossible mismatch between current in-memory boolean settings vs. 
permanent ones.\n" -+ continue -+ if rc == audit2why.BOOLEAN: -+ if len(bools) > 1: + if rc == audit2why.ALLOW: + print "\t\tUnknown - would be allowed by active policy\n", + print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n" +@@ -249,18 +249,20 @@ + continue + if rc == audit2why.BOOLEAN: + if len(bools) > 1: +- print "\tOne of the following booleans was set incorrectly." + print "\tOne of the following booleans being set incorrectly." -+ for b in bools: + for b in bools: +- print "\n\tBoolean %s is %d. Allow access by executing:" % (b[0], not b[1]) +- print "\t# setsebool -P %s %d" % (b[0], b[1]) + print "\n\tBoolean %s is %d." % (b[0], not b[1]) + print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]) + print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]) -+ else: + else: +- print "\tThe boolean %s was set incorrectly. Allow access by executing:" % bools[0][0] +- print "\t# setsebool -P %s %d\n" % (bools[0][0], bools[0][1]) +- + print "\tThe boolean %s set incorrectly. " % (bools[0][0]) + print "\n\tBoolean %s is %d." 
% (bools[0][0], bools[0][1]) + print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0]) + print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1]) -+ continue -+ -+ if rc == audit2why.TERULE: + continue + + if rc == audit2why.TERULE: +- print "\t\tMissing or disabled type enforcing (TE) allow rule.\n" + print "\t\tMissing or disabled type enforcingment (TE) allow rule.\n" -+ print "\t\tYou can use audit2allow to generate the missing allow rules and/or load policy to allow this access.\n" -+ continue -+ -+ if rc == audit2why.CONSTRAINT: -+ print "\t\tConstraint violation.\n" -+ print "\t\tCheck policy/constraints.\n" -+ print "\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n" -+ continue -+ -+ if rc == audit2why.RBAC: -+ print "\t\tMissing role allow rule.\n" -+ print "\t\tAdd allow rule for the role pair.\n" -+ continue -+ -+ audit2why.finish() -+ return -+ - def __output(self): -+ -+ if self.__options.audit2why: -+ return self.__output_audit2why() -+ - g = policygen.PolicyGenerator() + print "\t\tYou can use audit2allow to generate the missing allow rules and/or load policy to allow this access.\n" + continue - if self.__options.module: -@@ -251,6 +325,12 @@ - fd = sys.stdout - writer.write(g.get_module(), fd) - -+ if len(self.__selinux_errs) > 0: -+ fd.write("\n=========== ROLES ===============\n") -+ -+ for role in self.__selinux_errs: -+ fd.write(role.output()) -+ - def main(self): - try: - self.__parse_options() -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.35/audit2allow/audit2allow.1 ---- nsapolicycoreutils/audit2allow/audit2allow.1 2007-07-16 14:20:41.000000000 -0400 -+++ policycoreutils-2.0.35/audit2allow/audit2allow.1 2008-01-11 11:25:54.000000000 -0500 -@@ -24,7 +24,12 @@ - .\" - .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA - .SH NAME 
--audit2allow \- generate SELinux policy allow rules from logs of denied operations -+.BR audit2allow -+ \- generate SELinux policy allow rules from logs of denied operations -+ -+.BR audit2why -+ \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) -+ - .SH SYNOPSIS - .B audit2allow - .RI [ options "] " -@@ -65,12 +70,19 @@ - .B "\-r" | "\-\-requires" - Generate require output syntax for loadable modules. - .TP -+.B "\-N" | "\-\-noreference" -+Do not generate reference policy, traditional style allow rules. -+.TP - .B "\-R" | "\-\-reference" --Generate reference policy using installed macros. Requires the selinux-policy-devel package. -+Generate reference policy using installed macros.Default - .TP - .B "\-t " | "\-\-tefile" - Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. - .TP -+.B "\-w" | "\-\-why" -+Translates SELinux audit messages into a description of why the access wasn denied -+ -+.TP - .B "\-v" | "\-\-verbose" - Turn on verbose output - -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why policycoreutils-2.0.35/audit2why/audit2why ---- nsapolicycoreutils/audit2why/audit2why 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.35/audit2why/audit2why 2008-01-11 11:26:34.000000000 -0500 -@@ -0,0 +1,2 @@ -+#!/bin/sh -+/usr/bin/audit2allow -w $* -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.1 policycoreutils-2.0.35/audit2why/audit2why.1 ---- nsapolicycoreutils/audit2why/audit2why.1 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.35/audit2why/audit2why.1 2008-01-11 11:30:41.000000000 -0500 -@@ -0,0 +1 @@ -+.so man1/audit2allow.1 -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.8 
policycoreutils-2.0.35/audit2why/audit2why.8 ---- nsapolicycoreutils/audit2why/audit2why.8 2007-07-16 14:20:41.000000000 -0400 -+++ policycoreutils-2.0.35/audit2why/audit2why.8 1969-12-31 19:00:00.000000000 -0500 -@@ -1,79 +0,0 @@ --.\" Hey, Emacs! This is an -*- nroff -*- source file. --.\" Copyright (c) 2005 Dan Walsh --.\" --.\" This is free documentation; you can redistribute it and/or --.\" modify it under the terms of the GNU General Public License as --.\" published by the Free Software Foundation; either version 2 of --.\" the License, or (at your option) any later version. --.\" --.\" The GNU General Public License's references to "object code" --.\" and "executables" are to be interpreted as the output of any --.\" document formatting or typesetting system, including --.\" intermediate and printed output. --.\" --.\" This manual is distributed in the hope that it will be useful, --.\" but WITHOUT ANY WARRANTY; without even the implied warranty of --.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the --.\" GNU General Public License for more details. --.\" --.\" You should have received a copy of the GNU General Public --.\" License along with this manual; if not, write to the Free --.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, --.\" USA. --.\" --.\" --.TH AUDIT2WHY "8" "May 2005" "Security Enhanced Linux" NSA --.SH NAME --audit2why \- Translates SELinux audit messages into a description of why the access was denied --.SH SYNOPSIS --.B audit2why --.RI [ options "] " --.SH OPTIONS --.TP -- --.B "\-\-help" --Print a short usage message --.TP --.B "\-p " --Specify an alternate policy file. --.SH DESCRIPTION --.PP --This utility processes SELinux audit messages from standard --input and and reports which component of the policy caused each --permission denial based on the specified policy file if the -p option --was used or the active policy otherwise. 
There are three possible --causes: 1) a missing or disabled TE allow rule, 2) a constraint violation, --or 3) a missing role allow rule. In the first case, the TE allow --rule may exist in the policy but may be disabled due to boolean settings. --See --.BR booleans (8). --If the allow rule is not present at all, it can be generated via --.BR audit2allow (1). --In the second case, a constraint is being violated; see policy/constraints --or policy/mls to identify the particular constraint. Typically, this can --be resolved by adding a type attribute to the domain. In the third case, --a role transition was attempted but no allow rule existed for the role pair. --This can be resolved by adding an allow rule for the role pair to the policy. --.PP --.SH EXAMPLE --.nf --$ /usr/sbin/audit2why < /var/log/audit/audit.log -- --type=KERNEL msg=audit(1115316408.926:336418): avc: denied { getattr } for path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir -- Was caused by: -- Missing or disabled TE allow rule. -- Allow rules may exist but be disabled by boolean settings; check boolean settings. -- You can see the necessary allow rules by running audit2allow with this audit message as input. -- --type=KERNEL msg=audit(1115320071.648:606858): avc: denied { append } for name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file -- Was caused by: -- Constraint violation. -- Check policy/constraints. -- Typically, you just need to add a type attribute to the domain to satisfy the constraint. --.fi --.PP --.SH AUTHOR --This manual page was written by --.I Dan Walsh , --.B audit2why --utility was written by Stephen Smalley . 
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.35/audit2why/audit2why.c ---- nsapolicycoreutils/audit2why/audit2why.c 2008-01-11 10:52:37.000000000 -0500 -+++ policycoreutils-2.0.35/audit2why/audit2why.c 1969-12-31 19:00:00.000000000 -0500 -@@ -1,313 +0,0 @@ --#define _GNU_SOURCE --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#define AVCPREFIX "avc: denied { " --#define SCONTEXT "scontext=" --#define TCONTEXT "tcontext=" --#define TCLASS "tclass=" -- --void usage(char *progname, int rc) --{ -- fprintf(stderr, "usage: %s [-p policy] < /var/log/audit/audit.log\n", -- progname); -- exit(rc); --} -- --int main(int argc, char **argv) --{ -- char path[PATH_MAX]; -- char *buffer = NULL, *bufcopy = NULL; -- unsigned int lineno = 0; -- size_t len = 0, bufcopy_len = 0; -- FILE *fp = NULL; -- int opt, rc, set_path = 0; -- char *p, *scon, *tcon, *tclassstr, *permstr; -- sepol_security_id_t ssid, tsid; -- sepol_security_class_t tclass; -- sepol_access_vector_t perm, av; -- struct sepol_av_decision avd; -- unsigned int reason; -- int vers = 0; -- sidtab_t sidtab; -- policydb_t policydb; -- struct policy_file pf; -- -- while ((opt = getopt(argc, argv, "p:?h")) > 0) { -- switch (opt) { -- case 'p': -- set_path = 1; -- strncpy(path, optarg, PATH_MAX); -- fp = fopen(path, "r"); -- if (!fp) { -- fprintf(stderr, "%s: unable to open %s: %s\n", -- argv[0], path, strerror(errno)); -- exit(1); -- } -- break; -- default: -- usage(argv[0], 0); -- } -- } -- -- if (argc - optind) -- usage(argv[0], 1); -- -- if (!set_path) { -- if (!is_selinux_enabled()) { -- fprintf(stderr, -- "%s: Must specify -p policy on non-SELinux systems\n", -- argv[0]); -- exit(1); -- } -- vers = security_policyvers(); -- if (vers < 0) { -- fprintf(stderr, -- "%s: Could not get policy version: %s\n", -- argv[0], strerror(errno)); -- exit(1); -- } -- 
snprintf(path, PATH_MAX, "%s.%d", -- selinux_binary_policy_path(), vers); -- fp = fopen(path, "r"); -- while (!fp && errno == ENOENT && --vers) { -- snprintf(path, PATH_MAX, "%s.%d", -- selinux_binary_policy_path(), vers); -- fp = fopen(path, "r"); -- } -- if (!fp) { -- snprintf(path, PATH_MAX, "%s.%d", -- selinux_binary_policy_path(), -- security_policyvers()); -- fprintf(stderr, "%s: unable to open %s: %s\n", -- argv[0], path, strerror(errno)); -- exit(1); -- } -- } -- -- /* Set up a policydb directly so that we can mutate it later -- for booleans and user settings. Otherwise we would just use -- sepol_set_policydb_from_file() here. */ -- pf.fp = fp; -- pf.type = PF_USE_STDIO; -- if (policydb_init(&policydb)) { -- fprintf(stderr, "%s: policydb_init failed: %s\n", -- argv[0], strerror(errno)); -- exit(1); -- } -- if (policydb_read(&policydb, &pf, 0)) { -- fprintf(stderr, "%s: invalid binary policy %s\n", -- argv[0], path); -- exit(1); -- } -- fclose(fp); -- sepol_set_policydb(&policydb); -- -- if (!set_path) { -- /* If they didn't specify a full path of a binary policy file, -- then also try loading any boolean settings and user -- definitions from the active locations. Otherwise, -- they can use genpolbools and genpolusers to build a -- binary policy file that includes any desired settings -- and then apply audit2why -p to the resulting file. -- Errors are non-fatal as such settings are optional. */ -- sepol_debug(0); -- (void)sepol_genbools_policydb(&policydb, -- selinux_booleans_path()); -- (void)sepol_genusers_policydb(&policydb, selinux_users_path()); -- } -- -- /* Initialize the sidtab for subsequent use by sepol_context_to_sid -- and sepol_compute_av_reason. */ -- rc = sepol_sidtab_init(&sidtab); -- if (rc < 0) { -- fprintf(stderr, "%s: unable to init sidtab\n", argv[0]); -- exit(1); -- } -- sepol_set_sidtab(&sidtab); -- -- /* Process the audit messages. 
*/ -- while (getline(&buffer, &len, stdin) > 0) { -- size_t len2 = strlen(buffer); -- -- if (buffer[len2 - 1] == '\n') -- buffer[len2 - 1] = 0; -- lineno++; -- -- p = buffer; -- while (*p && strncmp(p, AVCPREFIX, sizeof(AVCPREFIX) - 1)) -- p++; -- if (!(*p)) -- continue; /* not an avc denial */ -- -- p += sizeof(AVCPREFIX) - 1; -- -- /* Save a copy of the original unmodified buffer. */ -- if (!bufcopy) { -- /* Initial allocation */ -- bufcopy_len = len; -- bufcopy = malloc(len); -- } else if (bufcopy_len < len) { -- /* Grow */ -- bufcopy_len = len; -- bufcopy = realloc(bufcopy, len); -- } -- if (!bufcopy) { -- fprintf(stderr, "%s: OOM on buffer copy\n", argv[0]); -- exit(2); -- } -- memcpy(bufcopy, buffer, len); -- -- /* Remember where the permission list begins, -- and terminate the list. */ -- permstr = p; -- while (*p && *p != '}') -- p++; -- if (!(*p)) { -- fprintf(stderr, -- "Missing closing bracket on line %u, skipping...\n", -- lineno); -- continue; -- } -- *p++ = 0; -- -- /* Get scontext and convert to SID. */ -- while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1)) -- p++; -- if (!(*p)) { -- fprintf(stderr, "Missing %s on line %u, skipping...\n", -- SCONTEXT, lineno); -- continue; -- } -- p += sizeof(SCONTEXT) - 1; -- scon = p; -- while (*p && !isspace(*p)) -- p++; -- if (*p) -- *p++ = 0; -- rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid); -- if (rc < 0) { -- fprintf(stderr, -- "Invalid %s%s on line %u, skipping...\n", -- SCONTEXT, scon, lineno); -- continue; -- } -- -- /* Get tcontext and convert to SID. 
*/ -- while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1)) -- p++; -- if (!(*p)) { -- fprintf(stderr, "Missing %s on line %u, skipping...\n", -- TCONTEXT, lineno); -- continue; -- } -- p += sizeof(TCONTEXT) - 1; -- tcon = p; -- while (*p && !isspace(*p)) -- p++; -- if (*p) -- *p++ = 0; -- rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid); -- if (rc < 0) { -- fprintf(stderr, -- "Invalid %s%s on line %u, skipping...\n", -- TCONTEXT, tcon, lineno); -- continue; -- } -- -- /* Get tclass= and convert to value. */ -- while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1)) -- p++; -- if (!(*p)) { -- fprintf(stderr, "Missing %s on line %u, skipping...\n", -- TCLASS, lineno); -- continue; -- } -- p += sizeof(TCLASS) - 1; -- tclassstr = p; -- while (*p && !isspace(*p)) -- p++; -- if (*p) -- *p = 0; -- tclass = string_to_security_class(tclassstr); -- if (!tclass) { -- fprintf(stderr, -- "Invalid %s%s on line %u, skipping...\n", -- TCLASS, tclassstr, lineno); -- continue; -- } -- -- /* Convert the permission list to an AV. */ -- p = permstr; -- av = 0; -- while (*p) { -- while (*p && !isspace(*p)) -- p++; -- if (*p) -- *p++ = 0; -- perm = string_to_av_perm(tclass, permstr); -- if (!perm) { -- fprintf(stderr, -- "Invalid permission %s on line %u, skipping...\n", -- permstr, lineno); -- continue; -- } -- av |= perm; -- permstr = p; -- } -- -- /* Reproduce the computation. */ -- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, -- &reason); -- if (rc < 0) { -- fprintf(stderr, -- "Error during access vector computation on line %u, skipping...\n", -- lineno); -- continue; -- } -- -- printf("%s\n\tWas caused by:\n", bufcopy); -- -- if (!reason) { -- printf("\t\tUnknown - would be allowed by %s policy\n", -- set_path ? "specified" : "active"); -- printf -- ("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"); -- printf -- ("\t\tPossible mismatch between current in-memory boolean settings vs. 
permanent ones.\n"); -- } -- -- if (reason & SEPOL_COMPUTEAV_TE) { -- printf("\t\tMissing or disabled TE allow rule.\n"); -- printf -- ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n"); -- printf -- ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n"); -- } -- -- if (reason & SEPOL_COMPUTEAV_CONS) { -- printf("\t\tConstraint violation.\n"); -- printf("\t\tCheck policy/constraints.\n"); -- printf -- ("\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n"); -- } -- -- if (reason & SEPOL_COMPUTEAV_RBAC) { -- printf("\t\tMissing role allow rule.\n"); -- printf("\t\tAdd allow rule for the role pair.\n"); -- } -- -- printf("\n"); -- } -- free(buffer); -- free(bufcopy); -- exit(0); --} -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/Makefile policycoreutils-2.0.35/audit2why/Makefile ---- nsapolicycoreutils/audit2why/Makefile 2007-07-16 14:20:41.000000000 -0400 -+++ policycoreutils-2.0.35/audit2why/Makefile 2008-01-11 11:39:04.000000000 -0500 -@@ -1,15 +1,7 @@ - # Installation directories. 
- PREFIX ?= ${DESTDIR}/usr - BINDIR ?= $(PREFIX)/bin --LIBDIR ?= ${PREFIX}/lib - MANDIR ?= $(PREFIX)/share/man --LOCALEDIR ?= /usr/share/locale --INCLUDEDIR ?= ${PREFIX}/include -- -- --CFLAGS ?= -Werror -Wall -W --override CFLAGS += -I$(INCLUDEDIR) --LDLIBS = ${LIBDIR}/libsepol.a -lselinux -L$(LIBDIR) - - TARGETS=audit2why - -@@ -18,13 +10,5 @@ - install: all - -mkdir -p $(BINDIR) - install -m 755 $(TARGETS) $(BINDIR) -- -mkdir -p $(MANDIR)/man8 -- install -m 644 audit2why.8 $(MANDIR)/man8/ -- --clean: -- -rm -f $(TARGETS) *.o -- --indent: -- ../../scripts/Lindent $(wildcard *.[ch]) -- --relabel: -+ -mkdir -p $(MANDIR)/man1 -+ install -m 644 audit2why.1 $(MANDIR)/man1/ -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.35/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.36/Makefile --- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500 -+++ policycoreutils-2.0.35/Makefile 2008-01-11 11:17:46.000000000 -0500 ++++ policycoreutils-2.0.36/Makefile 2008-01-23 15:47:45.000000000 -0500 
@@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.35/restorecond/restorecond.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.36/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400 -+++ policycoreutils-2.0.35/restorecond/restorecond.c 2008-01-11 11:17:46.000000000 -0500 ++++ policycoreutils-2.0.36/restorecond/restorecond.c 2008-01-23 15:47:45.000000000 -0500 @@ -210,9 +210,10 @@ } @@ -656,9 +113,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po } free(scontext); close(fd); -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.35/scripts/fixfiles +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.36/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2008-01-23 14:36:28.000000000 -0500 -+++ policycoreutils-2.0.35/scripts/fixfiles 2008-01-23 13:32:53.000000000 -0500 ++++ policycoreutils-2.0.36/scripts/fixfiles 2008-01-23 15:47:45.000000000 -0500 @@ -36,8 +36,8 @@ LOGGER=/usr/sbin/logger SETFILES=/sbin/setfiles 
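Review bot: In the single-boolean branch of `__output_audit2why` the new line `print "\n\tBoolean %s is %d." % (bools[0][0], bools[0][1])` prints the value the boolean must be set to (the same value the `setsebool -P` line below it uses) as if it were the current value, whereas the multi-boolean branch just above prints `not b[1]` for the current setting; it should read `print "\n\tBoolean %s is %d." % (bools[0][0], not bools[0][1])` so both branches report the same thing. The rewritten user-facing strings also introduce wording errors the upstream text did not have: `type enforcingment (TE)` should be `type enforcement (TE)`, and `One of the following booleans being set incorrectly.` / `The boolean %s set incorrectly. ` drop the verb that the replaced lines had (`was set incorrectly`). The removed copy of this function shows the `Invalid Type Class` message guarded by a second `if rc == audit2why.BADSCON:`, which can never fire after the first BADSCON branch; if that line survives in the 2.0.36 upstream file this patch is applied to, it presumably should test the type-class result code instead, but that is not visible on the new side here. Only the `__output_audit2why` header and its boolean/TERULE branches are inside this hunk; the CONSTRAINT and RBAC branches and `audit2why.finish()` are visible only in the removed copy.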
@@ -697,9 +154,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po else ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE fi -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.35/semanage/semanage +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.36/scripts/fixfiles.8 +--- nsapolicycoreutils/scripts/fixfiles.8 2007-07-16 14:20:41.000000000 -0400 ++++ policycoreutils-2.0.36/scripts/fixfiles.8 2008-01-23 15:48:52.000000000 -0500 +@@ -35,7 +35,7 @@ + + .TP + .B -f +-Don't prompt for removal of /tmp directory. ++Clear /tmp directory with out prompt for removal. + + .TP + .B -R rpmpackagename[,rpmpackagename...] +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.36/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2008-01-23 14:36:28.000000000 -0500 -+++ policycoreutils-2.0.35/semanage/semanage 2008-01-11 11:17:46.000000000 -0500 ++++ policycoreutils-2.0.36/semanage/semanage 2008-01-23 15:47:45.000000000 -0500 @@ -111,7 +111,7 @@ valid_option["translation"] = [] valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] 
@@ -748,9 +217,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po if object == "login": OBJECT = seobject.loginRecords(store) -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.35/semanage/seobject.py +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.36/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2007-12-10 21:42:27.000000000 -0500 -+++ policycoreutils-2.0.35/semanage/seobject.py 2008-01-15 11:31:49.000000000 -0500 ++++ policycoreutils-2.0.36/semanage/seobject.py 2008-01-23 15:47:45.000000000 -0500 @@ -117,6 +117,12 @@ #print _("Failed to translate booleans.\n%s") % e pass @@ -776,9 +245,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po def get_category(self, boolean): if boolean in booleans_dict: -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.35/setfiles/setfiles.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.36/setfiles/setfiles.8 --- nsapolicycoreutils/setfiles/setfiles.8 2007-07-16 14:20:43.000000000 -0400 -+++ policycoreutils-2.0.35/setfiles/setfiles.8 2008-01-21 14:08:06.000000000 -0500 ++++ policycoreutils-2.0.36/setfiles/setfiles.8 2008-01-23 15:47:45.000000000 -0500 @@ -59,6 +59,9 @@ .TP .B \-W 
@@ -789,9 +258,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po .SH "ARGUMENTS" .B spec_file -diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.35/setfiles/setfiles.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.36/setfiles/setfiles.c --- nsapolicycoreutils/setfiles/setfiles.c 2008-01-11 10:52:37.000000000 -0500 -+++ policycoreutils-2.0.35/setfiles/setfiles.c 2008-01-21 14:04:32.000000000 -0500 ++++ policycoreutils-2.0.36/setfiles/setfiles.c 2008-01-23 15:47:45.000000000 -0500 @@ -55,6 +55,7 @@ static int verbose = 0; static int logging = 0; diff --git a/policycoreutils.spec b/policycoreutils.spec index bb3fb27..be827b9 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -2,10 +2,10 @@ %define libsepolver 2.0.10-1 %define libsemanagever 2.0.5-1 %define libselinuxver 2.0.46-5 -%define sepolgenver 1.0.10 +%define sepolgenver 1.0.11 Summary: SELinux policy core utilities Name: policycoreutils -Version: 2.0.36 +Version: 2.0.37 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -193,6 +193,13 @@ if [ "$1" -ge "1" ]; then fi %changelog +* Wed Jan 23 2008 Dan Walsh 2.0.37-1 +- Update to upstream + * Merged replacement for audit2why from Dan Walsh. + +* Wed Jan 23 2008 Dan Walsh 2.0.36-2 +- Cleanup fixfiles -f message in man page + * Wed Jan 23 2008 Dan Walsh 2.0.36-1 - Update to upstream * Merged update to chcat, fixfiles, and semanage scripts from Dan Walsh. diff --git a/sources b/sources index bb82e64..602399b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -eddb3e34fb982d752aa8cbed7b98f3d2 sepolgen-1.0.10.tgz -58d63c40aab742f45be11e30e32c31c4 policycoreutils-2.0.36.tgz +f450ab5a14db31051869cc22a4e532a3 policycoreutils-2.0.37.tgz +3fed5cd04ee67c0f86e3cc6825261819 sepolgen-1.0.11.tgz