From 6c22c6b1f6d8f456f61058a9c9760b947294e8d0 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 8 Jan 2010 14:37:32 +0000 Subject: [PATCH] * Fri Jan 8 2010 Dan Walsh 2.0.78-9 - Add -e to semanage man page - Add -D qualifier to audit2allow to generate dontaudit rules --- policycoreutils-rhat.patch | 74 +++++++++++++++++++++++++++++----- policycoreutils-sepolgen.patch | 43 ++++++++++++++++---- policycoreutils.spec | 6 ++- 3 files changed, 106 insertions(+), 17 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 3d43dc3..6938906 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 -+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500 ++++ policycoreutils-2.0.78/audit2allow/audit2allow 2010-01-08 09:32:57.000000000 -0500 @@ -28,6 +28,7 @@ import sepolgen.defaults as defaults import sepolgen.module as module 
@@ -18,7 +18,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, help="read input from audit log - conflicts with -i") parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, -@@ -80,11 +83,11 @@ +@@ -58,6 +61,9 @@ + help="generate a module package - conflicts with -o and -m") + parser.add_option("-o", "--output", dest="output", + help="append output to , conflicts with -M") ++ parser.add_option("-D", "--dontaudit", action="store_true", ++ dest="dontaudit", default=False, ++ help="generate policy with dontaudit rules") + parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", + default=True, help="generate refpolicy style output") + +@@ -80,11 +86,11 @@ options, args = parser.parse_args() # Make -d, -a, and -i conflict @@ -33,7 +43,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po if options.input is not None and options.dmesg is True: sys.stderr.write("error: --input conflicts with --dmesg\n") -@@ -129,6 +132,12 @@ +@@ -129,6 +135,12 @@ except OSError, e: sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) sys.exit(1) @@ -46,7 +56,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po else: # This is the default if no input is specified f = sys.stdin -@@ -220,63 +229,44 @@ +@@ -220,63 +232,44 @@ def __output_audit2why(self): import selinux @@ -122,7 +132,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po print "\t\tMissing role allow rule.\n" print "\t\tAdd an allow rule for the role pair.\n" continue -@@ -344,5 +334,6 @@ +@@ -314,7 +307,7 @@ + g.set_gen_requires(True) + + # Generate the policy +- g.add_access(self.__avs) ++ g.add_access(self.__avs, self.__options.dontaudit) + g.add_role_types(self.__role_types) + + # Output +@@ -344,5 +337,6 @@ sys.exit(0) if __name__ == "__main__": 
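Review bot: The help string of the new option, `help="generate policy with dontaudit rules"`, does not tell the user that the resulting module silences the logged denials instead of granting the access, which is the operationally important difference from the default output; `help="generate dontaudit rules instead of allow rules (the denials are silenced, not permitted)"` would make that explicit. The diffstat at the top of this commit touches only the two patch files and the spec, so `-D` is documented nowhere but this help text, while the same commit does add the `-e` entry to semanage.8. The option-parsing block continues outside the hunk.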
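Review bot: The call `g.add_access(self.__avs, self.__options.dontaudit)` passes the new flag positionally although `add_access` declares it as a keyword with a default (`dontaudit=False` in the sepolgen patch of this commit); `g.add_access(self.__avs, dontaudit=self.__options.dontaudit)` reads unambiguously at the call site and survives further parameters being inserted before it. Whether `self.__options` always carries the attribute depends on the parsed options object being stored unchanged, which this hunk does not show. The enclosing method starts and ends outside the hunk.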
@@ -2346,8 +2365,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po +} diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500 -+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500 -@@ -32,23 +32,32 @@ ++++ policycoreutils-2.0.78/semanage/semanage 2010-01-08 09:24:07.000000000 -0500 +@@ -32,25 +32,34 @@ try: gettext.install(PROGNAME, localedir="/usr/share/locale", @@ -2381,8 +2400,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po semanage interface -{a|d|m} [-tr] interface_spec +semanage module -{a|d|m} [--enable|--disable] module semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr - semanage fcontext -{a|d|m} [-frst] file_spec +-semanage fcontext -{a|d|m} [-frst] file_spec ++semanage fcontext -{a|d|m} [-efrst] file_spec semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file + semanage permissive -{d|a} type + semanage dontaudit [ on | off ] @@ -61,7 +70,9 @@ -d, --delete Delete a OBJECT record NAME -m, --modify Modify a OBJECT record NAME @@ -2397,7 +2419,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -F, --file Treat target as an input file for command, change multiple settings -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -M, --mask Netmask -+ -e, --equal Make target equal to this paths labeling ++ -e, --equal Substitue source path for dest path when labeling -P, --prefix Prefix for home directory labeling -L, --level Default SELinux Level (MLS/MCS Systems only) -R, --roles SELinux Roles (ex: "sysadm_r staff_r") 
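Review bot: The usage line `semanage fcontext -{a|d|m} [-efrst] file_spec` groups `-e` with the single-argument flags, but the semanage.8 synopsis added later in this commit gives it its own form, `semanage fcontext -{a|d|m} -e src_path tgt_path`, because it takes two path arguments rather than a file_spec. The usage text should carry the same second line, `semanage fcontext -{a|d|m} -e src_path tgt_path`, so that `semanage` and `semanage(8)` agree on the argument shape. The usage string continues outside the hunk.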
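Review bot: The new option line `-e, --equal Substitue source path for dest path when labeling` misspells "Substitute" in a user-facing string; it should read `-e, --equal Substitute source path for dest path when labeling`. The corresponding semanage.8 entry in this commit spells the word correctly, so the two texts currently differ. The usage string continues outside the hunk.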
@@ -2675,6 +2697,40 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po process_args(mkargv(l)) trans.finish() else: +diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.78/semanage/semanage.8 +--- nsapolicycoreutils/semanage/semanage.8 2009-11-18 17:06:03.000000000 -0500 ++++ policycoreutils-2.0.78/semanage/semanage.8 2010-01-08 09:32:28.000000000 -0500 +@@ -19,6 +19,8 @@ + .br + .B semanage fcontext \-{a|d|m} [\-frst] file_spec + .br ++.B semanage fcontext \-{a|d|m} \-e src_path tgt_path ++.br + .B semanage permissive \-{a|d} type + .br + .B semanage dontaudit [ on | off ] +@@ -52,6 +54,12 @@ + .I \-D, \-\-deleteall + Remove all OBJECTS local customizations + .TP ++.I \-e, \-\-equal ++Substitute src path for targetpath when labeling. This is used with ++fcontext. Requires source and destination path arguments. The context ++labeling for the destination subtree is made equivalent to that ++defined for the source. ++.TP + .I \-f, \-\-ftype + File Type. This is used with fcontext. + Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files. +@@ -110,6 +118,8 @@ + $ semanage login -a -s user_u %clerks + # Add file-context for everything under /web (used by restorecon) + $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?" 
++# Make /home1 labeling equivalent to /home (used by restorecon) ++$ semanage fcontext -a -e /home1 /home + # Allow Apache to listen on port 81 + $ semanage port -a -t http_port_t -p tcp 81 + # Change apache to a permissive domain diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500 +++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500 diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index f6bb331..43c6e11 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch @@ -202,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor - diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py --- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400 -+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-16 08:20:45.000000000 -0500 ++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500 @@ -29,6 +29,8 @@ import access import interfaces 
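Review bot: The new `-e, --equal` entry in semanage.8 contradicts its own example: the description says the labeling for the destination subtree is made equivalent to that defined for the source, whereas the EXAMPLES addition `$ semanage fcontext -a -e /home1 /home` is commented `# Make /home1 labeling equivalent to /home`, where the first (source) path takes the second path's labeling. One of the two is reversed, and the seobject.py header at the end of this hunk is unchanged context, so the implementation that decides which reading is right is not part of this commit and should be checked before the wording is settled. If the example is the intended behaviour, the sentence could read `The context labeling for the source subtree is made equivalent to that defined for the target.`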
@@ -221,10 +221,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic def set_gen_refpol(self, if_set=None, perm_maps=None): """Set whether reference policy interfaces are generated. -@@ -144,8 +146,35 @@ - def __add_allow_rules(self, avs): +@@ -141,15 +143,42 @@ + """Return the generated module""" + return self.module + +- def __add_allow_rules(self, avs): ++ def __add_allow_rules(self, avs, dontaudit): for av in avs: - rule = refpolicy.AVRule(av) +- rule = refpolicy.AVRule(av) ++ rule = refpolicy.AVRule(av, dontaudit=dontaudit) + rule.comment = "" if self.explain: rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) @@ -257,6 +262,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic self.module.children.append(rule) +- def add_access(self, av_set): ++ def add_access(self, av_set, dontaudit=False): + """Add the access from the access vector set to this + module. + """ +@@ -165,7 +194,7 @@ + raw_allow = av_set + + # Generate the raw allow rules from the filtered list +- self.__add_allow_rules(raw_allow) ++ self.__add_allow_rules(raw_allow, dontaudit) + + def add_role_types(self, role_type_set): + for role_type in role_type_set: diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py --- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500 
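Review bot: `add_access(self, av_set, dontaudit=False)` gains a parameter but its docstring (`Add the access from the access vector set to this module.`) still describes only the allow case; add a line such as `dontaudit: when True, emit dontaudit rules (the denials are silenced rather than granted) instead of allow rules.` In the previous hunk `__add_allow_rules(self, avs, dontaudit)` now also produces dontaudit rules despite its name, which deserves a one-line comment at its definition, e.g. `# Despite the name, emits dontaudit rules when dontaudit is set.` Whether the `explain_access` comment attached to each rule still reads correctly above a dontaudit rule cannot be seen from the hunk. Both methods continue outside their hunks.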
@@ -271,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic for name in filenames: diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py --- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400 -+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:05:49.000000000 -0500 ++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500 @@ -398,6 +398,7 @@ return "attribute %s;" % self.name @@ -280,12 +299,22 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py polic class AVRule(Leaf): """SELinux access vector (AV) rule. -@@ -426,15 +427,17 @@ +@@ -420,21 +421,26 @@ + AUDITALLOW = 2 + NEVERALLOW = 3 + +- def __init__(self, av=None, parent=None): ++ def __init__(self, av=None, parent=None, dontaudit=False): + Leaf.__init__(self, parent) + self.src_types = IdSet() self.tgt_types = IdSet() self.obj_classes = IdSet() self.perms = IdSet() - self.rule_type = self.ALLOW -+ self.rule_type = audit2why.TERULE ++ if dontaudit: ++ self.rule_type = audit2why.DONTAUDIT ++ else: ++ self.rule_type = audit2why.TERULE if av: self.from_av(av) diff --git a/policycoreutils.spec b/policycoreutils.spec index c4f9796..2741595 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.78 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -297,6 +297,10 @@ fi exit 0 %changelog +* Fri Jan 8 2010 Dan Walsh 2.0.78-9 +- Add -e to semanage man page +- Add -D qualifier to audit2allow to generate dontaudit rules + * Wed Jan 6 2010 Dan Walsh 2.0.78-8 - Speed up audit2allow processing of audit2why comments
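Review bot: `AVRule.__init__` now selects `self.rule_type` from the `audit2why` module constants (`audit2why.DONTAUDIT` / `audit2why.TERULE`) while the class keeps its own numbering for the same field (`AUDITALLOW = 2`, `NEVERALLOW = 3` in context, and `self.ALLOW` in the removed line); unless the two numberings coincide, whatever renders the rule keyword from `rule_type` may print a different rule than the one intended. The hunk shows neither set of values, so this needs checking; if the class defines a matching DONTAUDIT constant, `self.rule_type = self.DONTAUDIT if dontaudit else self.ALLOW` would keep the field within one namespace, but only if those are the values the renderer expects. `self.from_av(av)` runs after the assignment and its body is outside the hunk, so whether it overrides `rule_type` also cannot be seen here.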