Fix sepolicy generate --confined_admin to generate tunables
- Add new interface to generate entrypoints for use with new gui
This commit is contained in:
parent
a4276d4030
commit
7c656bbb66
@ -250524,7 +250524,7 @@ index b25d3b2..a0b262b 100755
|
|||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
index 5e7415c..c288a11 100644
|
index 5e7415c..92a6b88 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
|
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
|
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
@@ -7,6 +7,9 @@ import _policy
|
@@ -7,6 +7,9 @@ import _policy
|
||||||
@ -250537,7 +250537,7 @@ index 5e7415c..c288a11 100644
|
|||||||
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
||||||
gettext.textdomain(PROGNAME)
|
gettext.textdomain(PROGNAME)
|
||||||
try:
|
try:
|
||||||
@@ -37,9 +40,30 @@ CLASS = 'class'
|
@@ -37,9 +40,75 @@ CLASS = 'class'
|
||||||
TRANSITION = 'transition'
|
TRANSITION = 'transition'
|
||||||
ROLE_ALLOW = 'role_allow'
|
ROLE_ALLOW = 'role_allow'
|
||||||
|
|
||||||
@ -250563,6 +250563,51 @@ index 5e7415c..c288a11 100644
|
|||||||
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
|
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
|
||||||
+ return dict_list
|
+ return dict_list
|
||||||
+
|
+
|
||||||
|
+fcdict=None
|
||||||
|
+def get_fcdict(fc_path = selinux.selinux_file_context_path()):
|
||||||
|
+ global fcdict
|
||||||
|
+ if fcdict:
|
||||||
|
+ return fcdict
|
||||||
|
+ fd = open(fc_path, "r")
|
||||||
|
+ fc = fd.readlines()
|
||||||
|
+ fd.close()
|
||||||
|
+ fd = open(fc_path+".homedirs", "r")
|
||||||
|
+ fc += fd.readlines()
|
||||||
|
+ fd.close()
|
||||||
|
+ fcdict = {}
|
||||||
|
+ for i in fc:
|
||||||
|
+ rec = i.split()
|
||||||
|
+ try:
|
||||||
|
+ t = rec[-1].split(":")[2]
|
||||||
|
+ if t in fcdict:
|
||||||
|
+ fcdict[t].append(rec[0])
|
||||||
|
+ else:
|
||||||
|
+ fcdict[t] = [ rec[0] ]
|
||||||
|
+ except:
|
||||||
|
+ pass
|
||||||
|
+ fcdict["logfile"] = [ "all log files" ]
|
||||||
|
+ fcdict["user_tmp_type"] = [ "all user tmp files" ]
|
||||||
|
+ fcdict["user_home_type"] = [ "all user home files" ]
|
||||||
|
+ fcdict["virt_image_type"] = [ "all virtual image files" ]
|
||||||
|
+ fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ]
|
||||||
|
+ fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ]
|
||||||
|
+ fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ]
|
||||||
|
+ fcdict["file_type"] = [ "all files on the system" ]
|
||||||
|
+ fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
|
||||||
|
+ return fcdict
|
||||||
|
+
|
||||||
|
+def get_entrypoint_types(setype):
|
||||||
|
+ entrypoints = None
|
||||||
|
+ entrypoints = map(lambda x: x['target'], search([ALLOW],{'source':setype, 'permlist':['entrypoint'], 'class':'file'}))
|
||||||
|
+ return entrypoints
|
||||||
|
+
|
||||||
|
+def get_all_entrypoints(setype):
|
||||||
|
+ fcdict = get_fcdict()
|
||||||
|
+ mpaths = {}
|
||||||
|
+ for f in get_entrypoint_types(setype):
|
||||||
|
+ mpaths[f] = fcdict[f]
|
||||||
|
+ return mpaths
|
||||||
|
+
|
||||||
+def get_installed_policy(root = "/"):
|
+def get_installed_policy(root = "/"):
|
||||||
try:
|
try:
|
||||||
- path = selinux.selinux_binary_policy_path()
|
- path = selinux.selinux_binary_policy_path()
|
||||||
@ -250570,7 +250615,7 @@ index 5e7415c..c288a11 100644
|
|||||||
policies = glob.glob ("%s.*" % path )
|
policies = glob.glob ("%s.*" % path )
|
||||||
policies.sort()
|
policies.sort()
|
||||||
return policies[-1]
|
return policies[-1]
|
||||||
@@ -47,6 +71,27 @@ def __get_installed_policy():
|
@@ -47,6 +116,27 @@ def __get_installed_policy():
|
||||||
pass
|
pass
|
||||||
raise ValueError(_("No SELinux Policy installed"))
|
raise ValueError(_("No SELinux Policy installed"))
|
||||||
|
|
||||||
@ -250598,7 +250643,7 @@ index 5e7415c..c288a11 100644
|
|||||||
all_types = None
|
all_types = None
|
||||||
def get_all_types():
|
def get_all_types():
|
||||||
global all_types
|
global all_types
|
||||||
@@ -54,6 +99,13 @@ def get_all_types():
|
@@ -54,6 +144,13 @@ def get_all_types():
|
||||||
all_types = map(lambda x: x['name'], info(TYPE))
|
all_types = map(lambda x: x['name'], info(TYPE))
|
||||||
return all_types
|
return all_types
|
||||||
|
|
||||||
@ -250612,7 +250657,7 @@ index 5e7415c..c288a11 100644
|
|||||||
role_allows = None
|
role_allows = None
|
||||||
def get_all_role_allows():
|
def get_all_role_allows():
|
||||||
global role_allows
|
global role_allows
|
||||||
@@ -71,6 +123,7 @@ def get_all_role_allows():
|
@@ -71,6 +168,7 @@ def get_all_role_allows():
|
||||||
return role_allows
|
return role_allows
|
||||||
|
|
||||||
def get_all_entrypoint_domains():
|
def get_all_entrypoint_domains():
|
||||||
@ -250620,7 +250665,7 @@ index 5e7415c..c288a11 100644
|
|||||||
all_domains = []
|
all_domains = []
|
||||||
types=get_all_types()
|
types=get_all_types()
|
||||||
types.sort()
|
types.sort()
|
||||||
@@ -81,11 +134,54 @@ def get_all_entrypoint_domains():
|
@@ -81,11 +179,54 @@ def get_all_entrypoint_domains():
|
||||||
all_domains.append(m[0])
|
all_domains.append(m[0])
|
||||||
return all_domains
|
return all_domains
|
||||||
|
|
||||||
@ -250676,7 +250721,7 @@ index 5e7415c..c288a11 100644
|
|||||||
return all_domains
|
return all_domains
|
||||||
|
|
||||||
roles = None
|
roles = None
|
||||||
@@ -139,50 +235,62 @@ def get_all_attributes():
|
@@ -139,50 +280,62 @@ def get_all_attributes():
|
||||||
return all_attributes
|
return all_attributes
|
||||||
|
|
||||||
def policy(policy_file):
|
def policy(policy_file):
|
||||||
@ -250764,7 +250809,7 @@ index 5e7415c..c288a11 100644
|
|||||||
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||||
global booleans_dict
|
global booleans_dict
|
||||||
if booleans_dict:
|
if booleans_dict:
|
||||||
@@ -191,7 +299,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
@@ -191,7 +344,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||||
import re
|
import re
|
||||||
booleans_dict = {}
|
booleans_dict = {}
|
||||||
try:
|
try:
|
||||||
@ -251739,48 +251784,30 @@ index 0000000..3a3faa6
|
|||||||
+
|
+
|
||||||
+"""
|
+"""
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||||
index 79f3997..9c9439c 100644
|
index 79f3997..1ff9d2c 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/templates/user.py
|
--- a/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
+++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||||
@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE)
|
@@ -71,11 +71,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
te_admin_user_types="""\
|
te_root_user_types="""\
|
||||||
policy_module(TEMPLATETYPE, 1.0.0)
|
policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
|
|
||||||
+## <desc>
|
-########################################
|
||||||
+## <p>
|
-#
|
||||||
+## Allow TEMPLATETYPE to read files in the user home directory
|
-# Declarations
|
||||||
+## </p>
|
-#
|
||||||
+## </desc>
|
-
|
||||||
+gen_tunable(TEMPLATETYPE_read_user_files, false)
|
## <desc>
|
||||||
+
|
## <p>
|
||||||
+## <desc>
|
## Allow TEMPLATETYPE to read files in the user home directory
|
||||||
+## <p>
|
@@ -90,6 +85,11 @@ gen_tunable(TEMPLATETYPE_read_user_files, false)
|
||||||
+## Allow TEMPLATETYPE to manage files in the user home directory
|
## </desc>
|
||||||
+## </p>
|
gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
||||||
+## </desc>
|
|
||||||
+gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
|
||||||
+
|
|
||||||
########################################
|
|
||||||
#
|
|
||||||
# Declarations
|
|
||||||
@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
|
|
||||||
# Declarations
|
|
||||||
#
|
|
||||||
|
|
||||||
-## <desc>
|
+########################################
|
||||||
-## <p>
|
+#
|
||||||
-## Allow TEMPLATETYPE to read files in the user home directory
|
+# Declarations
|
||||||
-## </p>
|
+#
|
||||||
-## </desc>
|
+
|
||||||
-gen_tunable(TEMPLATETYPE_read_user_files, false)
|
|
||||||
-
|
|
||||||
-## <desc>
|
|
||||||
-## <p>
|
|
||||||
-## Allow TEMPLATETYPE to manage files in the user home directory
|
|
||||||
-## </p>
|
|
||||||
-## </desc>
|
|
||||||
-gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
|
||||||
-
|
|
||||||
userdom_base_user_template(TEMPLATETYPE)
|
userdom_base_user_template(TEMPLATETYPE)
|
||||||
"""
|
"""
|
||||||
|
|
||||||
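Review bot: In the new `get_all_entrypoints`, `mpaths[f] = fcdict[f]` raises KeyError for any entrypoint target that has no line in file_contexts and is not one of the descriptions hard-coded into `get_fcdict` — `search([ALLOW], ...)` can return attributes as targets, and a type declared in policy but never labeled in file_contexts would also be missing from the dict. Since a missing entry just means "no known path", the loop should use `mpaths[f] = fcdict.get(f, [])` rather than crashing the caller (the new GUI, per the commit message). In `get_fcdict`, the bare `except: pass` around `rec[-1].split(":")[2]` silently hides everything including KeyboardInterrupt; the only expected failure there is a malformed or comment line, so `except IndexError: pass` is the honest form, and the two `open()`/`readlines()`/`close()` sequences would be safer as `with open(...) as fd:` so the descriptor is not leaked if a read fails. Note also that the module-level cache ignores `fc_path` on every call after the first, and the default `selinux.selinux_file_context_path()` is evaluated at import time; if the policy's file-context path can change between calls, the cache key should include `fc_path`.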
|
@ -7,7 +7,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.1.14
|
Version: 2.1.14
|
||||||
Release: 46.1%{?dist}
|
Release: 46.2%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -309,6 +309,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-46.2
|
||||||
|
- Fix sepolicy generate --confined_admin to generate tunables
|
||||||
|
- Add new interface to generate entrypoints for use with new gui
|
||||||
|
|
||||||
* Tue Jun 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-46.1
|
* Tue Jun 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-46.1
|
||||||
- Fix audit2allow -o to open file for append
|
- Fix audit2allow -o to open file for append
|
||||||
- Fix the name of the spec file generated in the build script
|
- Fix the name of the spec file generated in the build script
|
||||||
|