Fix sandbox to always use sandbox_file_t, so generated policy will work.

- Update Translations
Dan Walsh 2013-05-21 10:24:55 -04:00
parent 72cc2c98e2
commit 55520d61bb
2 changed files with 298 additions and 15 deletions


@ -248304,7 +248304,7 @@ index d1b435c..1c323d2 100644
account include system-auth
password include system-auth
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index b629006..6631c2d 100644
index b629006..49f735a 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -243,7 +243,7 @@ class Sandbox:
@ -248325,6 +248325,17 @@ index b629006..6631c2d 100644
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
@@ -403,9 +403,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
con = selinux.getcon()[1].split(":")
self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
- "%s_file_t" % self.setype[:-2],
- level)
+ self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
def __setup_dir(self):
if self.__options.level or self.__options.session:
return
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
index 521afcd..0c8cd1e 100644
--- a/policycoreutils/sandbox/sandbox.8
@ -249866,18 +249877,70 @@ index 82fea52..6efd463 100644
fi
COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index fb84af6..c2fa601 100644
index fb84af6..84a96f1 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
@@ -4,16 +4,69 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
.SH "SYNOPSIS"
+Common options
+
+.B sepolicy generate [\-h ] [\-p PATH]
+
+.br
+
+Confined Applications
+
+.br
+.B sepolicy generate \-\-application [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-init [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-cgi [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-dbus [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command
+.br
+
+Confined Users
+
+.br
+.B sepolicy generate \-\-admin_user \-n NAME
+.br
+.B sepolicy generate \-\-confined_admin \-n NAME [\-a ADMIN_DOMAIN] [\-u USER] [\-n NAME] [\-p PATH]
+.br
+.B sepolicy generate \-\-desktop_user \-n NAME [\-p PATH]
+.br
+.B sepolicy generate \-\-term_user \-n NAME [\-p PATH]
+.br
+.B sepolicy generate \-\-x_user \-n NAME [\-p PATH]
.br
-.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
+
+Miscellaneous Policy
+
+.br
+.B sepolicy generate \-\-customize \-d DOMAIN \-n NAME [\-a ADMIN_DOMAIN]
+.br
+.B sepolicy generate \-\-newtype \-t type \-n NAME
+.br
+.B sepolicy generate \-\-sandbox \-n NAME
.SH "DESCRIPTION"
-Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
+Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files.
+Use \fBsepolicy generate\fP to generate an SELinux policy Module.
+
+If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files.
+.br
+\fBsepolicy generate\fP will create 5 files.
+
+When specifying a \fBconfined application\fP you must specify a
+path. \fBsepolicy generate\fP will use the rpm payload of the
+application along with \fBnm -D APPLICATION\fP to help it generate
+types and policy rules for your policy files.
.B Type Enforcing File NAME.te
.br
@ -249889,7 +249952,7 @@ index fb84af6..c2fa601 100644
.B Interface File NAME.if
.br
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
@@ -25,7 +78,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
.B RPM Spec File NAME_selinux.spec
.br
@ -249898,6 +249961,27 @@ index fb84af6..c2fa601 100644
.B Shell File NAME.sh
.br
@@ -39,13 +92,19 @@ If a generate is possible, this tool will print out all generate paths from the
.I \-h, \-\-help
Display help message
.TP
+.I \-d, \-\-domain
+Enter domain type(s) which you will be extending
+.TP
.I \-n, \-\-name
-Specify alternate name of policy. The policy will default to the executable or name specified.
+Specify alternate name of policy. The policy will default to the executable or name specified
.TP
.I \-p, \-\-path
Specify the directory to store the created policy files. (Default to current working directory )
optional arguments:
.TP
+.I \-t, \-\-type
+Enter type(s) for which you will generate new definition and rule(s)
+.TP
.I \-u, \-\-user
SELinux user(s) which will transition to this domain
.TP
diff --git a/policycoreutils/sepolicy/sepolicy-interface.8 b/policycoreutils/sepolicy/sepolicy-interface.8
index 4fc9792..02c4c1a 100644
--- a/policycoreutils/sepolicy/sepolicy-interface.8
@ -250657,7 +250741,7 @@ index a179d95..9b9a09a 100755
tlist = []
for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..4739025 100644
index 26f8390..837d3e3 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError:
@ -250811,6 +250895,38 @@ index 26f8390..4739025 100644
for u in self.transition_users:
tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
newsh += re.sub("USER", u, tmp)
@@ -1143,6 +1145,8 @@ allow %s_t %s_t:%s_socket name_%s;
newsh = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp)
else:
newsh = re.sub("TEMPLATEFILE", self.file_name, temp)
+ newsh += re.sub("DOMAINTYPE", self.name, script.manpage)
+
if self.program:
newsh += re.sub("FILENAME", self.program, script.restorecon)
if self.initscript != "":
@@ -1165,6 +1169,7 @@ allow %s_t %s_t:%s_socket name_%s;
newsh += re.sub("TEMPLATETYPE", self.name, t1)
newsh += self.generate_user_sh()
+ newsh += re.sub("TEMPLATETYPE", self.name, script.rpm)
return newsh
@@ -1198,7 +1203,13 @@ allow %s_t %s_t:%s_socket name_%s;
if self.type not in APPLICATIONS:
newspec = re.sub("%relabel_files", "", newspec)
- return newspec
+ # Remove man pages from EUSER spec file
+ if self.type == EUSER:
+ newspec = re.sub(".*%s_selinux.8.*" % self.name,"", newspec)
+ # Remove user context file from non users spec file
+ if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER):
+ newspec = re.sub(".*%s_u.*" % self.name,"", newspec)
+ return newspec
def write_spec(self, out_dir):
specfile = "%s/%s_selinux.spec" % (out_dir, self.file_name)
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
index 8b063ca..c7dac62 100644
--- a/policycoreutils/sepolicy/sepolicy/interface.py
@ -251345,6 +251461,111 @@ index 66efe26..a446d68 100755
d={}
tlist = get_types(src, "%s_socket" % protocol, [perm])
if len(tlist) > 0:
diff --git a/policycoreutils/sepolicy/sepolicy/templates/script.py b/policycoreutils/sepolicy/sepolicy/templates/script.py
index c139070..54fd40a 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/script.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/script.py
@@ -66,14 +66,17 @@ set -x
make -f /usr/share/selinux/devel/Makefile TEMPLATEFILE.pp || exit
/usr/sbin/semodule -i TEMPLATEFILE.pp
-# Generate a man page off the installed module
-sepolicy manpage -p . -d DOMAINTYPE_t
-
+"""
+rpm="""\
# Generate a rpm package for the newly generated policy
pwd=$(pwd)
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba TEMPLATETYPE_selinux.spec
+"""
+manpage="""\
+# Generate a man page off the installed module
+sepolicy manpage -p . -d DOMAINTYPE_t
"""
restorecon="""\
@@ -107,8 +110,7 @@ admin_trans="""\
"""
min_login_user_default_context="""\
-if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF
+cat > TEMPLATETYPE_u << _EOF
TEMPLATETYPE_r:TEMPLATETYPE_t:s0 TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t
@@ -116,12 +118,13 @@ system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t
_EOF
+if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
+ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/
fi
"""
x_login_user_default_context="""\
-if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF
+cat > TEMPLATETYPE_u << _EOF
TEMPLATETYPE_r:TEMPLATETYPE_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t
@@ -130,5 +133,7 @@ system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:xdm_t TEMPLATETYPE_r:TEMPLATETYPE_t
_EOF
+if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
+ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/
fi
"""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
index dbddf39..d8ee42f 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/spec.py
@@ -18,6 +18,7 @@ URL: http://HOSTNAME
Source0: MODULENAME.pp
Source1: MODULENAME.if
Source2: DOMAINNAME_selinux.8
+Source3: DOMAINNAME_u
Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
@@ -36,13 +37,16 @@ install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}%{_mandir}/man8/
-install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/DOMAINNAME_selinux.8
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u
%post
semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%relabel_files
+ /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
fi;
exit 0
@@ -52,6 +56,7 @@ if [ $1 -eq 0 ]; then
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%relabel_files
+ /usr/sbin/semanage user -d DOMAINNAME_u
fi;
fi;
exit 0
@@ -60,6 +65,7 @@ exit 0
%attr(0600,root,root) %{_datadir}/selinux/packages/MODULENAME.pp
%{_datadir}/selinux/devel/include/contrib/MODULENAME.if
%{_mandir}/man8/DOMAINNAME_selinux.8.*
+/etc/selinux/targeted/contexts/users/DOMAINNAME_u
%changelog
* TODAYSDATE YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
diff --git a/policycoreutils/sepolicy/sepolicy/templates/test_module.py b/policycoreutils/sepolicy/sepolicy/templates/test_module.py
new file mode 100644
index 0000000..3a3faa6
@ -251470,6 +251691,63 @@ index 0000000..3a3faa6
+#
+
+"""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
index 79f3997..9c9439c 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/user.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE)
te_admin_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)
+## <desc>
+## <p>
+## Allow TEMPLATETYPE to read files in the user home directory
+## </p>
+## </desc>
+gen_tunable(TEMPLATETYPE_read_user_files, false)
+
+## <desc>
+## <p>
+## Allow TEMPLATETYPE to manage files in the user home directory
+## </p>
+## </desc>
+gen_tunable(TEMPLATETYPE_manage_user_files, false)
+
########################################
#
# Declarations
@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
# Declarations
#
-## <desc>
-## <p>
-## Allow TEMPLATETYPE to read files in the user home directory
-## </p>
-## </desc>
-gen_tunable(TEMPLATETYPE_read_user_files, false)
-
-## <desc>
-## <p>
-## Allow TEMPLATETYPE to manage files in the user home directory
-## </p>
-## </desc>
-gen_tunable(TEMPLATETYPE_manage_user_files, false)
-
userdom_base_user_template(TEMPLATETYPE)
"""
@@ -151,7 +151,9 @@ tunable_policy(`TEMPLATETYPE_read_user_files',`
')
tunable_policy(`TEMPLATETYPE_manage_user_files',`
- userdom_manage_user_home_content(TEMPLATETYPE_t)
+ userdom_manage_user_home_content_dirs(TEMPLATETYPE_t)
+ userdom_manage_user_home_content_files(TEMPLATETYPE_t)
+ userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t)
userdom_manage_user_tmp_files(TEMPLATETYPE_t)
')
"""
diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py
index 5850622..5e308e3 100755
--- a/policycoreutils/sepolicy/sepolicy/transition.py
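Review bot: The new `__filecon` assignment in policycoreutils/sandbox/sandbox hard-codes `sandbox_file_t` without a comment recording what that changes for isolation: the removed lines built the file type from `self.setype`, so each sandbox type labelled its files with its own type, and now every type shares one. If the policy lets each sandbox domain manage `sandbox_file_t` (the policy is not visible here), type enforcement no longer separates files of different sandbox types and the separation rests on `level` alone, which appears to be caller-controlled through the `-l` option. I would add above the assignment `# All sandbox types share sandbox_file_t; files of different sandboxes are kept apart only by the MCS level.` and have the sandbox man page state the same for users who pass `-l`. The enclosing method starts outside the hunk.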


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
Release: 43%{?dist}
Release: 45%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -308,13 +308,18 @@ The policycoreutils-restorecond package contains the restorecond service.
%postun restorecond
%systemd_postun_with_restart restorecond.service
%triggerun -- restorecond < 2.0.86-13
%{_bindir}/systemd-sysv-convert --save restorecond >/dev/null 2>&1 ||:
%{_bindir}/systemctl enable restorecond.service >/dev/null 2>&1
%{_sbindir}/chkconfig --del restorecond >/dev/null 2>&1 || :
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Tue May 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-45
- Fix sandbox to always use sandbox_file_t, so generated policy will work.
- Update Translations
* Thu May 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-44
- Fix sepolicy-generate man page to clear up options/policy type
- Add Miroslav Grepl to not generate man page when doing
sepolicy generate --customize
- Add support for executing semanage user within spec file
- Fix generation of confined admin domains, to handle booleans properly.
* Tue May 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-43
- Need to handle gziped policy.xml as well as not compressed.