Make packaging more transparent
- add make-rhat-patches.sh script which creates policycoreutils-rhat.patch and sepolgen-rhat.patch patches - use source files from https://github.com/SELinuxProject/selinux/wiki/Releases - extract sources to selinux/ directory and build them there Create -rhat patches from399c6647b1
(cherry picked from commit9d99a57696
)
This commit is contained in:
parent
3c95ebbb37
commit
6a4d32af88
2
.gitignore
vendored
2
.gitignore
vendored
@ -231,3 +231,5 @@ policycoreutils-2.0.83.tgz
|
|||||||
/sepolgen-1.1.1.tgz
|
/sepolgen-1.1.1.tgz
|
||||||
/sepolgen-1.1.2.tgz
|
/sepolgen-1.1.2.tgz
|
||||||
/policycoreutils-2.1.6.tgz
|
/policycoreutils-2.1.6.tgz
|
||||||
|
/policycoreutils-2.3.tar.gz
|
||||||
|
/sepolgen-1.2.1.tar.gz
|
||||||
|
40
make-rhat-patches.sh
Executable file
40
make-rhat-patches.sh
Executable file
@ -0,0 +1,40 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
POLICYCOREUTILS_VERSION=2.3
|
||||||
|
SEPOLGEN_VERSION=1.2.1
|
||||||
|
BRANCH=f21
|
||||||
|
|
||||||
|
REBASEDIR=`mktemp -d rebase.XXXXXX`
|
||||||
|
pushd $REBASEDIR
|
||||||
|
|
||||||
|
git clone git@github.com:fedora-selinux/selinux.git
|
||||||
|
pushd selinux; git checkout $BRANCH; COMMIT=`git rev-parse --verify HEAD`; popd
|
||||||
|
|
||||||
|
# prepare policycoreutils-rhat.patch
|
||||||
|
tar xfz ../policycoreutils-$POLICYCOREUTILS_VERSION.tar.gz
|
||||||
|
pushd policycoreutils-$POLICYCOREUTILS_VERSION
|
||||||
|
|
||||||
|
git init; git add .; git commit -m "init"
|
||||||
|
cp -r ../selinux/policycoreutils/* .
|
||||||
|
git add -A .
|
||||||
|
|
||||||
|
git diff --cached --src-prefix=a/policycoreutils-$POLICYCOREUTILS_VERSION/ --dst-prefix=b/policycoreutils-$POLICYCOREUTILS_VERSION/ > ../../policycoreutils-rhat.patch
|
||||||
|
|
||||||
|
popd
|
||||||
|
|
||||||
|
#prepare sepolgen-rhat.patch
|
||||||
|
tar xfz ../sepolgen-$SEPOLGEN_VERSION.tar.gz
|
||||||
|
pushd sepolgen-$SEPOLGEN_VERSION
|
||||||
|
|
||||||
|
git init; git add .; git commit -m "init"
|
||||||
|
cp -r ../selinux/sepolgen/* .
|
||||||
|
git add -A .
|
||||||
|
|
||||||
|
git diff --cached --src-prefix=a/sepolgen-$SEPOLGEN_VERSION/ --dst-prefix=b/sepolgen-$SEPOLGEN_VERSION/ > ../../sepolgen-rhat.patch
|
||||||
|
|
||||||
|
popd
|
||||||
|
|
||||||
|
popd
|
||||||
|
# echo rm -rf $REBASEDIR
|
||||||
|
|
||||||
|
echo policycoreutils-rhat.patch and sepolgen-rhat.patch created against https://github.com/fedora-selinux/selinux/commit/$COMMIT
|
File diff suppressed because it is too large
Load Diff
@ -10,15 +10,16 @@ Version: 2.3
|
|||||||
Release: 7.1%{?dist}
|
Release: 7.1%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
Source: git://oss.tresys.com/git/selinux/policycoreutils-%{version}.tgz
|
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20140506/policycoreutils-%{version}.tar.gz
|
||||||
Source1:git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
|
Source1:https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20140506/sepolgen-%{sepolgenver}.tar.gz
|
||||||
URL: http://www.selinuxproject.org
|
URL: http://www.selinuxproject.org
|
||||||
Source2: policycoreutils_man_ru2.tar.bz2
|
Source2: policycoreutils_man_ru2.tar.bz2
|
||||||
Source3: system-config-selinux.png
|
Source3: system-config-selinux.png
|
||||||
Source4: sepolicy-icons.tgz
|
Source4: sepolicy-icons.tgz
|
||||||
|
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
|
||||||
Patch: policycoreutils-rhat.patch
|
Patch: policycoreutils-rhat.patch
|
||||||
Patch1: 0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
|
Patch1: sepolgen-rhat.patch
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Obsoletes: policycoreutils < 2.0.61-2
|
||||||
Conflicts: filesystem < 3
|
Conflicts: filesystem < 3
|
||||||
Provides: /sbin/fixfiles
|
Provides: /sbin/fixfiles
|
||||||
@ -47,15 +48,19 @@ load_policy to load policies, setfiles to label filesystems, newrole
|
|||||||
to switch roles.
|
to switch roles.
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -a 1
|
# create selinux/ directory and extract %{SOURCE0} there
|
||||||
%patch -p2 -b .rhat
|
%setup -q -c -n selinux
|
||||||
%patch1 -p2 -b .setfiles
|
%patch -p1 -b .policycoreutils-rhat
|
||||||
|
pushd policycoreutils-%{version}/
|
||||||
cp %{SOURCE3} gui/
|
popd
|
||||||
tar xvf %{SOURCE4}
|
cp %{SOURCE3} policycoreutils-%{version}/gui/
|
||||||
|
tar -xvf %{SOURCE4} -C policycoreutils-%{version}/
|
||||||
|
# extract {%SOURCE1} in selinux/ directory
|
||||||
|
%setup -T -D -a 1 -n selinux
|
||||||
|
%patch1 -p1 -b .sepolgen-rhat
|
||||||
|
|
||||||
%build
|
%build
|
||||||
make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
|
make -C policycoreutils-%{version} LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
|
||||||
make -C sepolgen-%{sepolgenver} SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
|
make -C sepolgen-%{sepolgenver} SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -67,8 +72,8 @@ mkdir -p %{buildroot}%{_mandir}/man5
|
|||||||
mkdir -p %{buildroot}%{_mandir}/man8
|
mkdir -p %{buildroot}%{_mandir}/man8
|
||||||
%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
|
%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
|
||||||
|
|
||||||
make LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
|
make -C policycoreutils-%{version} LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
|
||||||
make PYTHON=python3 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
|
make -C policycoreutils-%{version} PYTHON=python3 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
|
||||||
|
|
||||||
# Systemd
|
# Systemd
|
||||||
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
|
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
|
||||||
@ -351,7 +356,8 @@ fi
|
|||||||
%{_mandir}/man8/genhomedircon.8*
|
%{_mandir}/man8/genhomedircon.8*
|
||||||
%doc %{_usr}/share/doc/%{name}
|
%doc %{_usr}/share/doc/%{name}
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
%license COPYING
|
%license policycoreutils-%{version}/COPYING
|
||||||
|
%doc %{_usr}/share/doc/%{name}
|
||||||
|
|
||||||
%package restorecond
|
%package restorecond
|
||||||
Summary: SELinux restorecond utilities
|
Summary: SELinux restorecond utilities
|
||||||
@ -371,7 +377,7 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%{_mandir}/man8/restorecond.8*
|
%{_mandir}/man8/restorecond.8*
|
||||||
%{_mandir}/ru/man8/restorecond.8*
|
%{_mandir}/ru/man8/restorecond.8*
|
||||||
%{!?_licensedir:%global license %%doc}
|
%{!?_licensedir:%global license %%doc}
|
||||||
%license COPYING
|
%license policycoreutils-%{version}/COPYING
|
||||||
|
|
||||||
%post restorecond
|
%post restorecond
|
||||||
%systemd_post restorecond.service
|
%systemd_post restorecond.service
|
||||||
|
244
sepolgen-rhat.patch
Normal file
244
sepolgen-rhat.patch
Normal file
@ -0,0 +1,244 @@
|
|||||||
|
diff --git a/sepolgen-1.2.1/src/sepolgen/access.py b/sepolgen-1.2.1/src/sepolgen/access.py
|
||||||
|
index cf13210..9154887 100644
|
||||||
|
--- a/sepolgen-1.2.1/src/sepolgen/access.py
|
||||||
|
+++ b/sepolgen-1.2.1/src/sepolgen/access.py
|
||||||
|
@@ -88,6 +88,8 @@ class AccessVector:
|
||||||
|
self.audit_msgs = []
|
||||||
|
self.type = audit2why.TERULE
|
||||||
|
self.data = []
|
||||||
|
+ self.obj_path = None
|
||||||
|
+ self.base_type = None
|
||||||
|
|
||||||
|
# The direction of the information flow represented by this
|
||||||
|
# access vector - used for matching
|
||||||
|
@@ -133,6 +135,11 @@ class AccessVector:
|
||||||
|
return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
|
||||||
|
self.obj_class, self.perms.to_space_str())
|
||||||
|
|
||||||
|
+ def base_file_type(self):
|
||||||
|
+ base_type_array = []
|
||||||
|
+ base_type_array = [self.base_type, self.tgt_type, self.src_type]
|
||||||
|
+ return base_type_array
|
||||||
|
+
|
||||||
|
def __cmp__(self, other):
|
||||||
|
if self.src_type != other.src_type:
|
||||||
|
return cmp(self.src_type, other.src_type)
|
||||||
|
@@ -256,7 +263,8 @@ class AccessVectorSet:
|
||||||
|
for av in l:
|
||||||
|
self.add_av(AccessVector(av))
|
||||||
|
|
||||||
|
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
|
||||||
|
+ def add(self, src_type, tgt_type, obj_class, perms, obj_path=None,
|
||||||
|
+ base_type=None, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
|
||||||
|
"""Add an access vector to the set.
|
||||||
|
"""
|
||||||
|
tgt = self.src.setdefault(src_type, { })
|
||||||
|
@@ -269,7 +277,9 @@ class AccessVectorSet:
|
||||||
|
access.src_type = src_type
|
||||||
|
access.tgt_type = tgt_type
|
||||||
|
access.obj_class = obj_class
|
||||||
|
+ access.obj_path = obj_path
|
||||||
|
access.data = data
|
||||||
|
+ access.base_type = base_type
|
||||||
|
access.type = avc_type
|
||||||
|
cls[obj_class, avc_type] = access
|
||||||
|
|
||||||
|
diff --git a/sepolgen-1.2.1/src/sepolgen/audit.py b/sepolgen-1.2.1/src/sepolgen/audit.py
|
||||||
|
index 56919be..57263d0 100644
|
||||||
|
--- a/sepolgen-1.2.1/src/sepolgen/audit.py
|
||||||
|
+++ b/sepolgen-1.2.1/src/sepolgen/audit.py
|
||||||
|
@@ -169,6 +169,7 @@ class AVCMessage(AuditMessage):
|
||||||
|
self.exe = ""
|
||||||
|
self.path = ""
|
||||||
|
self.name = ""
|
||||||
|
+ self.ino = ""
|
||||||
|
self.accesses = []
|
||||||
|
self.denial = True
|
||||||
|
self.type = audit2why.TERULE
|
||||||
|
@@ -230,6 +231,10 @@ class AVCMessage(AuditMessage):
|
||||||
|
self.exe = fields[1][1:-1]
|
||||||
|
elif fields[0] == "name":
|
||||||
|
self.name = fields[1][1:-1]
|
||||||
|
+ elif fields[0] == "path":
|
||||||
|
+ self.path = fields[1][1:-1]
|
||||||
|
+ elif fields[0] == "ino":
|
||||||
|
+ self.ino = fields[1]
|
||||||
|
|
||||||
|
if not found_src or not found_tgt or not found_class or not found_access:
|
||||||
|
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
|
||||||
|
@@ -354,7 +359,9 @@ class AuditParser:
|
||||||
|
self.path_msgs = []
|
||||||
|
self.by_header = { }
|
||||||
|
self.check_input_file = False
|
||||||
|
-
|
||||||
|
+ self.inode_dict = { }
|
||||||
|
+ self.__store_base_types()
|
||||||
|
+
|
||||||
|
# Low-level parsing function - tries to determine if this audit
|
||||||
|
# message is an SELinux related message and then parses it into
|
||||||
|
# the appropriate AuditMessage subclass. This function deliberately
|
||||||
|
@@ -492,6 +499,60 @@ class AuditParser:
|
||||||
|
|
||||||
|
return role_types
|
||||||
|
|
||||||
|
+ def __restore_path(self, name, inode):
|
||||||
|
+ import subprocess
|
||||||
|
+ import os
|
||||||
|
+ path = ""
|
||||||
|
+ # Optimizing
|
||||||
|
+ if name == "" or inode == "":
|
||||||
|
+ return path
|
||||||
|
+ for d in self.inode_dict:
|
||||||
|
+ if d == inode and self.inode_dict[d] == name:
|
||||||
|
+ return path
|
||||||
|
+ if d == inode and self.inode_dict[d] != name:
|
||||||
|
+ return self.inode_dict[d]
|
||||||
|
+ if inode not in self.inode_dict.keys():
|
||||||
|
+ self.inode_dict[inode] = name
|
||||||
|
+
|
||||||
|
+ command = "locate -b '\%s'" % name
|
||||||
|
+ try:
|
||||||
|
+ output = subprocess.check_output(command,
|
||||||
|
+ stderr=subprocess.STDOUT,
|
||||||
|
+ shell=True)
|
||||||
|
+ try:
|
||||||
|
+ ino = int(inode)
|
||||||
|
+ except ValueError:
|
||||||
|
+ pass
|
||||||
|
+ for file in output.split("\n"):
|
||||||
|
+ try:
|
||||||
|
+ if int(os.lstat(file).st_ino) == ino:
|
||||||
|
+ self.inode_dict[inode] = path = file
|
||||||
|
+ return path
|
||||||
|
+ except:
|
||||||
|
+ pass
|
||||||
|
+ except subprocess.CalledProcessError as e:
|
||||||
|
+ pass
|
||||||
|
+ return path
|
||||||
|
+
|
||||||
|
+ def __store_base_types(self):
|
||||||
|
+ import sepolicy
|
||||||
|
+ self.base_types = sepolicy.get_types_from_attribute("base_file_type")
|
||||||
|
+
|
||||||
|
+ def __get_base_type(self, tcontext, scontext):
|
||||||
|
+ import sepolicy
|
||||||
|
+ # Prevent unnecessary searching
|
||||||
|
+ if (self.old_scontext == scontext and
|
||||||
|
+ self.old_tcontext == tcontext):
|
||||||
|
+ return
|
||||||
|
+ self.old_scontext = scontext
|
||||||
|
+ self.old_tcontext = tcontext
|
||||||
|
+ for btype in self.base_types:
|
||||||
|
+ if btype == tcontext:
|
||||||
|
+ for writable in sepolicy.get_writable_files(scontext):
|
||||||
|
+ if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
|
||||||
|
+ return writable
|
||||||
|
+ return 0
|
||||||
|
+
|
||||||
|
def to_access(self, avc_filter=None, only_denials=True):
|
||||||
|
"""Convert the audit logs access into a an access vector set.
|
||||||
|
|
||||||
|
@@ -510,16 +571,23 @@ class AuditParser:
|
||||||
|
audit logs parsed by this object.
|
||||||
|
"""
|
||||||
|
av_set = access.AccessVectorSet()
|
||||||
|
+ self.old_scontext = ""
|
||||||
|
+ self.old_tcontext = ""
|
||||||
|
for avc in self.avc_msgs:
|
||||||
|
if avc.denial != True and only_denials:
|
||||||
|
continue
|
||||||
|
+ base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type)
|
||||||
|
+ if avc.path == "":
|
||||||
|
+ avc.path = self.__restore_path(avc.name, avc.ino)
|
||||||
|
if avc_filter:
|
||||||
|
if avc_filter.filter(avc):
|
||||||
|
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||||
|
- avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
||||||
|
+ avc.accesses, avc.path, base_type, avc,
|
||||||
|
+ avc_type=avc.type, data=avc.data)
|
||||||
|
else:
|
||||||
|
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||||
|
- avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
||||||
|
+ avc.accesses, avc.path, base_type, avc,
|
||||||
|
+ avc_type=avc.type, data=avc.data)
|
||||||
|
return av_set
|
||||||
|
|
||||||
|
class AVCTypeFilter:
|
||||||
|
diff --git a/sepolgen-1.2.1/src/sepolgen/policygen.py b/sepolgen-1.2.1/src/sepolgen/policygen.py
|
||||||
|
index 5f38577..3b9e9f4 100644
|
||||||
|
--- a/sepolgen-1.2.1/src/sepolgen/policygen.py
|
||||||
|
+++ b/sepolgen-1.2.1/src/sepolgen/policygen.py
|
||||||
|
@@ -81,8 +81,9 @@ class PolicyGenerator:
|
||||||
|
self.module = refpolicy.Module()
|
||||||
|
|
||||||
|
self.dontaudit = False
|
||||||
|
-
|
||||||
|
+ self.mislabled = None
|
||||||
|
self.domains = None
|
||||||
|
+
|
||||||
|
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
||||||
|
"""Set whether reference policy interfaces are generated.
|
||||||
|
|
||||||
|
@@ -152,6 +153,18 @@ class PolicyGenerator:
|
||||||
|
"""Return the generated module"""
|
||||||
|
return self.module
|
||||||
|
|
||||||
|
+ def __restore_label(self, av):
|
||||||
|
+ import selinux
|
||||||
|
+ try:
|
||||||
|
+ context = selinux.matchpathcon(av.obj_path, 0)
|
||||||
|
+ split = context[1].split(":")[2]
|
||||||
|
+ if split != av.tgt_type:
|
||||||
|
+ self.mislabled = split
|
||||||
|
+ return
|
||||||
|
+ except OSError:
|
||||||
|
+ pass
|
||||||
|
+ self.mislabled = None
|
||||||
|
+
|
||||||
|
def __add_allow_rules(self, avs):
|
||||||
|
for av in avs:
|
||||||
|
rule = refpolicy.AVRule(av)
|
||||||
|
@@ -160,6 +173,34 @@ class PolicyGenerator:
|
||||||
|
rule.comment = ""
|
||||||
|
if self.explain:
|
||||||
|
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
|
||||||
|
+ # base_type[0] == 0 means there exists a base type but not the path
|
||||||
|
+ # base_type[0] == None means user isn't using base type
|
||||||
|
+ # base_type[1] contains the target context
|
||||||
|
+ # base_type[2] contains the source type
|
||||||
|
+ base_type = av.base_file_type()
|
||||||
|
+ if base_type[0] == 0 and av.type != audit2why.ALLOW:
|
||||||
|
+ rule.comment += "\n#!!!! WARNING: '%s' is a base type." % "".join(base_type[1])
|
||||||
|
+ for perm in av.perms:
|
||||||
|
+ if perm == "write" or perm == "create":
|
||||||
|
+ permission = True
|
||||||
|
+ break
|
||||||
|
+ else:
|
||||||
|
+ permission = False
|
||||||
|
+
|
||||||
|
+ # Catch perms 'write' and 'create' for base types
|
||||||
|
+ if (base_type[0] is not None and base_type[0] != 0
|
||||||
|
+ and permission and av.type != audit2why.ALLOW):
|
||||||
|
+ if av.obj_class == dir:
|
||||||
|
+ comp = "(/.*?)"
|
||||||
|
+ else:
|
||||||
|
+ comp = ""
|
||||||
|
+ rule.comment += "\n#!!!! WARNING '%s' is not allowed to write or create to %s. Change the label to %s." % ("".join(base_type[2]), "".join(base_type[1]), "".join(base_type[0]))
|
||||||
|
+ if av.obj_path != "":
|
||||||
|
+ rule.comment += "\n#!!!! $ semange fcontext -a -t %s %s%s \n#!!!! $ restorecon -R -v %s" % ("".join(base_type[0]), "".join(av.obj_path), "".join(comp) ,"".join(av.obj_path))
|
||||||
|
+
|
||||||
|
+ self.__restore_label(av)
|
||||||
|
+ if self.mislabled is not None and av.type != audit2why.ALLOW:
|
||||||
|
+ rule.comment += "\n#!!!! The file '%s' is mislabeled on your system. \n#!!!! Fix with $ restorecon -R -v %s" % ("".join(av.obj_path), "".join(av.obj_path))
|
||||||
|
if av.type == audit2why.ALLOW:
|
||||||
|
rule.comment += "\n#!!!! This avc is allowed in the current policy"
|
||||||
|
if av.type == audit2why.DONTAUDIT:
|
||||||
|
@@ -174,7 +215,7 @@ class PolicyGenerator:
|
||||||
|
if av.type == audit2why.CONSTRAINT:
|
||||||
|
rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access."
|
||||||
|
rule.comment += "\n#Constraint rule: "
|
||||||
|
- rule.comment += "\n\t" + av.data[0]
|
||||||
|
+ rule.comment += "\n#\t" + av.data[0]
|
||||||
|
for reason in av.data[1:]:
|
||||||
|
rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
|
||||||
|
|
4
sources
4
sources
@ -1,3 +1,3 @@
|
|||||||
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
||||||
e9134b52e6620c14cbce9234a6b67b20 sepolgen-1.2.1.tgz
|
9a5db20adfe2250f53833b277ac796ae policycoreutils-2.3.tar.gz
|
||||||
99b6d7ceb2b58d4cd88a8ec0e7c8631a policycoreutils-2.3.tgz
|
ce662a83188bc3a9b40c15792fcaf2c8 sepolgen-1.2.1.tar.gz
|
||||||
|
Loading…
Reference in New Issue
Block a user