rpms
/
policycoreutils
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Apply patches from Sven Vermeulen for sepolgen to fix typos.

This commit is contained in:
Dan Walsh 2013-05-13 16:47:23 -04:00
parent 4adc19aea3
commit 5918716f29
2 changed files with 171 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

239
policycoreutils-rhat.patch
View File

@ -34,18 +34,9 @@ index 88635d4..fc290ea 100644
clean:
rm -f *~
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 8e0c396..4fa07a1 100644
index 8e0c396..1059bea 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -1,7 +1,7 @@
#! /usr/bin/python -Es
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
-# Copyright (C) 2006-2007 Red Hat
+# Copyright (C) 2006-2013 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
@@ -18,7 +18,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
@ -74,16 +65,7 @@ index 8e0c396..4fa07a1 100644
help="Translates SELinux audit messages into a description of why the access was denied")
options, args = parser.parse_args()
@@ -178,6 +179,8 @@ class AuditToPolicy:
if self.__options.interface_info:
fn = self.__options.interface_info
else:
+ import sepolicy
+ sepolicy.gen_interfaces()
fn = defaults.interface_info()
try:
fd = open(fn)
@@ -267,12 +270,10 @@ class AuditToPolicy:
@@ -267,12 +268,10 @@ class AuditToPolicy:
continue
if rc == audit2why.CONSTRAINT:
@ -100,7 +82,7 @@ index 8e0c396..4fa07a1 100644
if rc == audit2why.RBAC:
print "\t\tMissing role allow rule.\n"
@@ -350,6 +351,9 @@ class AuditToPolicy:
@@ -350,6 +349,9 @@ class AuditToPolicy:
except ValueError, e:
print e
sys.exit(1)
@ -250886,7 +250868,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..7ca5554 100755
index b25d3b2..a0b262b 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
@ -251101,7 +251083,7 @@ index b25d3b2..7ca5554 100755
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
@@ -319,22 +365,50 @@ def gen_transition_args(parser):
@@ -319,22 +365,49 @@ def gen_transition_args(parser):
help=_("target process domain"))
trans.set_defaults(func=transition)
@ -251123,22 +251105,21 @@ index b25d3b2..7ca5554 100755
+
def interface(args):
- from sepolicy.interface import get_admin, get, get_user
+ from sepolicy.interface import get_admin, get_user
+ from sepolicy import get_methods
+ from sepolicy.interface import get_admin, get_user, get_interface_dict, get_all_interfaces
if args.list_admin:
- for a in get_admin():
- print a
+ print_interfaces(get_admin(), args, "_admin")
+ print_interfaces(get_admin(args.file), args, "_admin")
if args.list_user:
- for a in get_user():
- print a
+ print_interfaces(get_user(), args, "_role")
+ print_interfaces(get_user(args.file), args, "_role")
if args.list:
- for m in get():
- print m
+ print_interfaces(get_methods(), args)
+ print_interfaces(get_all_interfaces(args.file), args)
+ if args.interfaces:
+ print_interfaces(args.interfaces, args)
+ print_interfaces(args.interfaces, args)
def generate(args):
- from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
@ -251161,7 +251142,7 @@ index b25d3b2..7ca5554 100755
if not args.command:
raise ValueError(_("Command required for this type of policy"))
cmd = os.path.realpath(args.command)
@@ -346,8 +420,18 @@ def generate(args):
@@ -346,8 +419,18 @@ def generate(args):
mypolicy.set_program(cmd)
if args.types:
@ -251180,7 +251161,7 @@ index b25d3b2..7ca5554 100755
for p in args.writepaths:
if os.path.isdir(p):
mypolicy.add_dir(p)
@@ -366,20 +450,32 @@ def generate(args):
@@ -366,20 +449,34 @@ def generate(args):
def gen_interface_args(parser):
itf = parser.add_parser("interface",
help=_('List SELinux Policy interfaces'))
@ -251190,6 +251171,8 @@ index b25d3b2..7ca5554 100755
+ itf.add_argument("-v", "--verbose", dest="verbose",
+ action="store_true", default=False,
+ help="Show verbose information")
+ itf.add_argument("-f", "--file", dest="file",
+ help="Interface file")
group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
- help="List all domains with admin interface")
@ -251216,7 +251199,7 @@ index b25d3b2..7ca5554 100755
help=_('Generate SELinux Policy module template'))
pol.add_argument("-d", "--domain", dest="domain", default=[],
action=CheckDomain, nargs="*",
@@ -397,53 +493,57 @@ def gen_generate_args(parser):
@@ -397,53 +494,57 @@ def gen_generate_args(parser):
help=argparse.SUPPRESS)
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
action=CheckType,
@ -251300,7 +251283,7 @@ index b25d3b2..7ca5554 100755
pol.set_defaults(func=generate)
if __name__ == '__main__':
@@ -461,11 +561,17 @@ if __name__ == '__main__':
@@ -461,11 +562,17 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
try:
@ -251320,7 +251303,7 @@ index b25d3b2..7ca5554 100755
except KeyboardInterrupt:
sys.exit(0)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..3f0372c 100644
index 5e7415c..a24063a 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -7,6 +7,9 @@ import _policy
@ -251472,7 +251455,7 @@ index 5e7415c..3f0372c 100644
return all_domains
roles = None
@@ -139,48 +235,48 @@ def get_all_attributes():
@@ -139,50 +235,51 @@ def get_all_attributes():
return all_attributes
def policy(policy_file):
@ -251545,7 +251528,21 @@ index 5e7415c..3f0372c 100644
+ return booleans
booleans_dict = None
+import gzip
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
global booleans_dict
if booleans_dict:
@@ -191,7 +288,9 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
import re
booleans_dict = {}
try:
- tree = xml.etree.ElementTree.parse(path)
+ fd = gzip.open(path)
+ tree = xml.etree.ElementTree.fromstring(fd.read())
+ fd.close()
for l in tree.findall("layer"):
for m in l.findall("module"):
for b in m.findall("tunable"):
diff --git a/policycoreutils/sepolicy/sepolicy/communicate.py b/policycoreutils/sepolicy/sepolicy/communicate.py
index a179d95..9b9a09a 100755
--- a/policycoreutils/sepolicy/sepolicy/communicate.py
@ -251715,7 +251712,7 @@ index 26f8390..4739025 100644
tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
newsh += re.sub("USER", u, tmp)
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
index 8b063ca..407ce20 100644
index 8b063ca..c7dac62 100644
--- a/policycoreutils/sepolicy/sepolicy/interface.py
+++ b/policycoreutils/sepolicy/sepolicy/interface.py
@@ -21,15 +21,13 @@
@ -251734,11 +251731,11 @@ index 8b063ca..407ce20 100644
+import selinux
-__all__ = [ 'get', 'get_admin', 'get_user' ]
+__all__ = [ 'get_admin', 'get_user' ,'get_interface_dict', 'get_interface_format_text', 'get_interface_compile_format_text', 'interface_compile_test' ]
+__all__ = [ 'get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_user' ,'get_interface_dict', 'get_interface_format_text', 'get_interface_compile_format_text', 'get_xml_file', 'interface_compile_test' ]
##
## I18N
@@ -48,24 +46,10 @@ except IOError:
@@ -48,34 +46,173 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
@ -251756,38 +251753,108 @@ index 8b063ca..407ce20 100644
-
- return methods
-
def get_admin():
""" Get all domains with an admin interface"""
-def get_admin():
- """ Get all domains with an admin interface"""
+def get_interfaces_from_xml(path):
+ """ Get all interfaces from given xml file"""
+ interfaces_list = []
+ interface_dict = get_interface_dict(path)
+ for k in interface_dict.keys():
+ interfaces_list.append(k)
+ return interfaces_list
+
+
+def get_all_interfaces(path=""):
+ from sepolicy import get_methods
+ all_interfaces = []
+ if not path:
+ all_interfaces = get_methods()
+ else:
+ xml_path = get_xml_file(path)
+ all_interfaces = get_interfaces_from_xml(xml_path)
+
+ return all_interfaces
+
+def get_admin(path=""):
+ """ Get all domains with an admin interface from installed policy."""
+ """ If xml_path is specified, func returns an admin interface from specified xml file"""
admin_list = []
- for i in get():
+ for i in sepolicy.get_methods():
if i.endswith("_admin"):
admin_list.append(i.split("_admin")[0])
- if i.endswith("_admin"):
- admin_list.append(i.split("_admin")[0])
+ if path:
+ try:
+ xml_path = get_xml_file(path)
+ interface_dict = get_interface_dict(xml_path)
+ for k in interface_dict.keys():
+ if k.endswith("_admin"):
+ admin_list.append(k)
+ except IOError, e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ sys.exit(1)
+ else:
+ for i in sepolicy.get_methods():
+ if i.endswith("_admin"):
+ admin_list.append(i.split("_admin")[0])
+
return admin_list
@@ -73,9 +57,87 @@ def get_admin():
def get_user():
-def get_user():
+def get_user(path=""):
""" Get all domains with SELinux user role interface"""
+ """ If xml_path is specified, func returns an user role interface from specified xml file"""
trans_list = []
- for i in get():
+ for i in sepolicy.get_methods():
m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i)
if len(m) > 0:
- m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i)
- if len(m) > 0:
- if "%s_exec_t" % m[0] in get_all_types():
+ if "%s_exec_t" % m[0] in sepolicy.get_all_types():
trans_list.append(m[0])
- trans_list.append(m[0])
+ if path:
+ try:
+ xml_path = get_xml_file(path)
+ interface_dict = get_interface_dict(xml_path)
+ for k in interface_dict.keys():
+ if k.endswith("_role"):
+ if (("%s_exec_t" % k[:-5]) in sepolicy.get_all_types()):
+ trans_list.append(k)
+ except IOError, e:
+ sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
+ sys.exit(1)
+ else:
+ for i in sepolicy.get_methods():
+ m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i)
+ if len(m) > 0:
+ if "%s_exec_t" % m[0] in sepolicy.get_all_types():
+ trans_list.append(m[0])
+
return trans_list
+
+interface_dict = None
+def get_interface_dict(path = "/usr/share/selinux/devel/policy.xml"):
+def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
+ global interface_dict
+ import os
+ import xml.etree.ElementTree
+ if interface_dict:
+ return interface_dict
+
+ interface_dict = {}
+ param_list = []
+
+ xml_path = """<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
+<policy>
+<layer name="admin">
+"""
+ xml_path += path
+ xml_path +="""
+</layer>
+</policy>
+"""
+
+ try:
+ tree = xml.etree.ElementTree.parse(path)
+ if os.path.isfile(path):
+ tree = xml.etree.ElementTree.parse(path)
+ else:
+ tree = xml.etree.ElementTree.fromstring(xml_path)
+ for l in tree.findall("layer"):
+ for m in l.findall("module"):
+ for i in m.getiterator('interface'):
@ -251827,38 +251894,51 @@ index 8b063ca..407ce20 100644
+
+ return te
+
+def get_xml_file(if_file):
+ """ Returns xml format of interfaces for given .if policy file"""
+ import os, commands
+ basedir = os.path.dirname(if_file)+"/"
+ filename = os.path.basename(if_file).split(".")[0]
+ rc, output=commands.getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir+filename)
+ if rc != 0:
+ sys.stderr.write("\n Could not proceed selected interface file.\n")
+ sys.stderr.write("\n%s" % output)
+ sys.exit(1)
+ else:
+ return output
+
+def interface_compile_test(interface, path = "/usr/share/selinux/devel/policy.xml"):
+ exclude_interfaces = ["userdom","kernel","corenet","files", "dev"]
+ exclude_interface_type = ["template"]
+
+ import commands, os
+ te = "compiletest.te"
+ pp = "compiletest.pp"
+ policy_files = {'pp':"compiletest.pp", 'te':"compiletest.te", 'fc':"compiletest.fc", 'if':"compiletest.if"}
+ interface_dict = get_interface_dict(path)
+
+ if not (interface.split("_")[0] in exclude_interfaces or interface_dict[interface][2] in exclude_interface_type):
+ print(_("Compiling %s interface" % interface))
+ try:
+ fd = open(te, "w")
+ fd = open(policy_files['te'], "w")
+ fd.write(generate_compile_te(interface, interface_dict))
+ fd.close()
+ rc, output=commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % pp )
+ rc, output=commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'] )
+ if rc != 0:
+ sys.stderr.write(output)
+ sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
+
+ except EnvironmentError, e:
+ sys.stderr.write(_("\nCompile test for %s has not run.\n") % interface)
+ if os.path.exists(te):
+ os.remove(te)
+ for v in policy_files.values():
+ if os.path.exists(v):
+ os.remove(v)
+
+ else:
+ sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface))
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..63efc6d 100755
index 25062da..c4e1970 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -28,12 +28,12 @@ import string
@@ -28,15 +28,16 @@ import string
import argparse
import selinux
import sepolicy
@ -251873,7 +251953,22 @@ index 25062da..63efc6d 100755
equiv_dirs=[ "/var" ]
modules_dict = None
@@ -100,8 +100,8 @@ def gen_domains():
+import gzip
def gen_modules_dict(path = "/usr/share/selinux/devel/policy.xml"):
global modules_dict
if modules_dict:
@@ -45,7 +46,9 @@ def gen_modules_dict(path = "/usr/share/selinux/devel/policy.xml"):
import xml.etree.ElementTree
modules_dict = {}
try:
- tree = xml.etree.ElementTree.parse(path)
+ fd = gzip.open(path)
+ tree = xml.etree.ElementTree.fromstring(fd.read())
+ fd.close()
for l in tree.findall("layer"):
for m in l.findall("module"):
name = m.get("name")
@@ -100,8 +103,8 @@ def gen_domains():
for d in get_all_domains():
found = False
domain = d[:-2]
@ -251884,7 +251979,7 @@ index 25062da..63efc6d 100755
if domain in domains:
continue
domains.append(domain)
@@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list):
@@ -184,14 +187,12 @@ def get_alphabet_manpages(manpage_list):
return alphabet_manpages
def convert_manpage_to_html(html_manpage,manpage):
@ -251903,7 +251998,7 @@ index 25062da..63efc6d 100755
class HTMLManPages:
"""
@@ -416,40 +414,33 @@ class ManPage:
@@ -416,40 +417,33 @@ class ManPage:
"""
Generate a Manpage on an SELinux domain in the specified path
"""
@ -251962,7 +252057,7 @@ index 25062da..63efc6d 100755
self.booleans_dict = gen_bool_dict(self.xmlpath)
if domainname.endswith("_t"):
@@ -459,13 +450,16 @@ class ManPage:
@@ -459,13 +453,16 @@ class ManPage:
if self.domainname + "_t" not in self.all_domains:
raise ValueError("domain %s_t does not exist" % self.domainname)
@ -251981,7 +252076,7 @@ index 25062da..63efc6d 100755
self.__gen_user_man_page()
if self.html:
manpage_roles.append(self.man_page_path)
@@ -483,16 +477,23 @@ class ManPage:
@@ -483,16 +480,23 @@ class ManPage:
def _gen_bools(self):
self.bools=[]
self.domainbools=[]
@ -252015,7 +252110,7 @@ index 25062da..63efc6d 100755
self.bools.sort()
self.domainbools.sort()
@@ -538,9 +539,6 @@ class ManPage:
@@ -538,9 +542,6 @@ class ManPage:
print path
def __gen_man_page(self):
@ -252025,7 +252120,7 @@ index 25062da..63efc6d 100755
self.anon_list = []
self.attributes = {}
@@ -563,22 +561,11 @@ class ManPage:
@@ -563,22 +564,11 @@ class ManPage:
def _get_ptypes(self):
for f in self.all_domains:
@ -252051,7 +252146,7 @@ index 25062da..63efc6d 100755
% {'domainname':self.domainname, 'date': time.strftime("%y-%m-%d")})
self.fd.write(r"""
.SH "NAME"
@@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
@@ -774,7 +764,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
def _port_types(self):
self.ports = []
for f in self.all_port_types:
@ -252060,7 +252155,7 @@ index 25062da..63efc6d 100755
self.ports.append(f)
if len(self.ports) == 0:
@@ -923,13 +910,12 @@ to apply the labels.
@@ -923,13 +913,12 @@ to apply the labels.
def _see_also(self):
ret = ""
@ -252076,7 +252171,7 @@ index 25062da..63efc6d 100755
ret += ", %s_selinux(8)" % d
self.fd.write(ret)
@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
@@ -947,13 +936,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
.B restorecon -F -R -v /var/%(domainname)s
.pp
.TP
@ -252093,7 +252188,7 @@ index 25062da..63efc6d 100755
""" % {'domainname':self.domainname})
for b in self.anon_list:
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
@@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings.
@@ -998,12 +988,11 @@ is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was auto-generated using
@ -252108,7 +252203,7 @@ index 25062da..63efc6d 100755
if self.booltext != "":
self.fd.write(", setsebool(8)")
@@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login.
@@ -1230,6 +1219,7 @@ The SELinux user %s_u is not able to terminal login.
""" % self.domainname)
def _network(self):

5
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
Release: 40%{?dist}
Release: 41%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -315,6 +315,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Mon May 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-41
- Apply patches from Sven Vermeulen for sepolgen to fix typos.
* Mon May 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-40
- Only require selinux-policy-devel for policycoreutils-devel, this will shrink the size of the livecd.