* Tue Jul 1 2008 Dan Walsh <dwalsh@redhat.com> 2.0.50-2
- Remove semodule use within semanage - Fix launching of polgengui from toolbar
parent
f40ec8f4b7
commit
7e46ae00c4
|
@ -179,3 +179,6 @@ policycoreutils-2.0.44.tgz
|
||||||
policycoreutils-2.0.46.tgz
|
policycoreutils-2.0.46.tgz
|
||||||
policycoreutils-2.0.47.tgz
|
policycoreutils-2.0.47.tgz
|
||||||
policycoreutils-2.0.49.tgz
|
policycoreutils-2.0.49.tgz
|
||||||
|
policycoreutils-2.0.50.tgz
|
||||||
|
sepolgen-1.0.12.tgz
|
||||||
|
policycoreutils-2.0.51.tgz
|
||||||
|
|
|
@ -1,56 +1,15 @@
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.50/Makefile
|
||||||
--- nsapolicycoreutils/Makefile 2008-06-12 23:25:24.000000000 -0400
|
--- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500
|
||||||
+++ policycoreutils-2.0.49/Makefile 2008-06-23 07:03:37.000000000 -0400
|
+++ policycoreutils-2.0.50/Makefile 2008-07-01 14:59:58.000000000 -0400
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
||||||
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
||||||
|
|
||||||
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
||||||
|
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.49/audit2allow/audit2allow
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.50/restorecond/restorecond.c
|
||||||
--- nsapolicycoreutils/audit2allow/audit2allow 2008-06-12 23:25:21.000000000 -0400
|
--- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400
|
||||||
+++ policycoreutils-2.0.49/audit2allow/audit2allow 2008-06-23 07:03:50.000000000 -0400
|
+++ policycoreutils-2.0.50/restorecond/restorecond.c 2008-07-01 14:59:58.000000000 -0400
|
||||||
@@ -152,12 +152,13 @@
|
|
||||||
|
|
||||||
def __process_input(self):
|
|
||||||
if self.__options.type:
|
|
||||||
- avcfilter = audit.TypeFilter(self.__options.type)
|
|
||||||
+ avcfilter = audit.AVCTypeFilter(self.__options.type)
|
|
||||||
self.__avs = self.__parser.to_access(avcfilter)
|
|
||||||
- self.__selinux_errs = self.__parser.to_role(avcfilter)
|
|
||||||
+ csfilter = audit.ComputeSidTypeFilter(self.__options.type)
|
|
||||||
+ self.__role_types = self.__parser.to_role(csfilter)
|
|
||||||
else:
|
|
||||||
self.__avs = self.__parser.to_access()
|
|
||||||
- self.__selinux_errs = self.__parser.to_role()
|
|
||||||
+ self.__role_types = self.__parser.to_role()
|
|
||||||
|
|
||||||
def __load_interface_info(self):
|
|
||||||
# Load interface info file
|
|
||||||
@@ -310,6 +311,7 @@
|
|
||||||
|
|
||||||
# Generate the policy
|
|
||||||
g.add_access(self.__avs)
|
|
||||||
+ g.add_role_types(self.__role_types)
|
|
||||||
|
|
||||||
# Output
|
|
||||||
writer = output.ModuleWriter()
|
|
||||||
@@ -328,12 +330,6 @@
|
|
||||||
fd = sys.stdout
|
|
||||||
writer.write(g.get_module(), fd)
|
|
||||||
|
|
||||||
- if len(self.__selinux_errs) > 0:
|
|
||||||
- fd.write("\n=========== ROLES ===============\n")
|
|
||||||
-
|
|
||||||
- for role in self.__selinux_errs:
|
|
||||||
- fd.write(role.output())
|
|
||||||
-
|
|
||||||
def main(self):
|
|
||||||
try:
|
|
||||||
self.__parse_options()
|
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
|
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.c 2008-06-12 23:25:21.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-06-23 07:03:37.000000000 -0400
|
|
||||||
@@ -210,9 +210,10 @@
|
@@ -210,9 +210,10 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -77,75 +36,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
}
|
}
|
||||||
free(scontext);
|
free(scontext);
|
||||||
close(fd);
|
close(fd);
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.50/semanage/semanage
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.init 2008-06-12 23:25:21.000000000 -0400
|
--- nsapolicycoreutils/semanage/semanage 2008-05-06 14:33:04.000000000 -0400
|
||||||
+++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-06-23 07:03:37.000000000 -0400
|
+++ policycoreutils-2.0.50/semanage/semanage 2008-07-01 20:31:40.000000000 -0400
|
||||||
@@ -2,7 +2,7 @@
|
|
||||||
#
|
|
||||||
# restorecond: Daemon used to maintain path file context
|
|
||||||
#
|
|
||||||
-# chkconfig: 2345 12 87
|
|
||||||
+# chkconfig: - 12 87
|
|
||||||
# description: restorecond uses inotify to look for creation of new files \
|
|
||||||
# listed in the /etc/selinux/restorecond.conf file, and restores the \
|
|
||||||
# correct security context.
|
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
|
|
||||||
--- nsapolicycoreutils/scripts/fixfiles 2008-06-12 23:25:21.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/scripts/fixfiles 2008-06-23 07:03:37.000000000 -0400
|
|
||||||
@@ -138,6 +138,9 @@
|
|
||||||
fi
|
|
||||||
LogReadOnly
|
|
||||||
${SETFILES} -q ${OUTFILES} ${SYSLOGFLAG} ${FORCEFLAG} $* ${FC} ${FILESYSTEMSRW} 2>&1 >> $LOGFILE
|
|
||||||
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-*
|
|
||||||
+find /tmp -context "*:file_t*" -exec chcon -t tmp_t {} \;
|
|
||||||
+find /var/tmp -context "*:file_t*" -exec chcon -t tmp_t {} \;
|
|
||||||
exit $?
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -180,6 +183,10 @@
|
|
||||||
check) restore -n -v;;
|
|
||||||
verify) restore -n -o -;;
|
|
||||||
relabel) relabel;;
|
|
||||||
+ onboot)
|
|
||||||
+ touch /.autorelabel
|
|
||||||
+ echo "System will relabel on next boot"
|
|
||||||
+ ;;
|
|
||||||
*)
|
|
||||||
usage
|
|
||||||
exit 1
|
|
||||||
@@ -189,6 +196,7 @@
|
|
||||||
echo $"Usage: $0 [-l logfile ] [-o outputfile ] { check | restore|[-F] relabel } [[dir] ... ] "
|
|
||||||
echo or
|
|
||||||
echo $"Usage: $0 -R rpmpackage[,rpmpackage...] -C PREVIOUS_FILECONTEXT [-l logfile ] [-o outputfile ] { check | restore }"
|
|
||||||
+ echo $"Usage: $0 onboot"
|
|
||||||
}
|
|
||||||
|
|
||||||
if [ $# = 0 ]; then
|
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8
|
|
||||||
--- nsapolicycoreutils/scripts/fixfiles.8 2008-06-12 23:25:21.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-06-23 07:03:37.000000000 -0400
|
|
||||||
@@ -7,6 +7,8 @@
|
|
||||||
|
|
||||||
.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ]
|
|
||||||
|
|
||||||
+.B fixfiles onboot
|
|
||||||
+
|
|
||||||
.SH "DESCRIPTION"
|
|
||||||
This manual page describes the
|
|
||||||
.BR fixfiles
|
|
||||||
@@ -20,6 +22,9 @@
|
|
||||||
as you expect. By default it will relabel all mounted ext2, ext3, xfs and
|
|
||||||
jfs file systems as long as they do not have a security context mount
|
|
||||||
option. You can use the -R flag to use rpmpackages as an alternative.
|
|
||||||
+.P
|
|
||||||
+.B fixfiles onboot
|
|
||||||
+will setup the machine to relabel on the next reboot.
|
|
||||||
|
|
||||||
.SH "OPTIONS"
|
|
||||||
.TP
|
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage
|
|
||||||
--- nsapolicycoreutils/semanage/semanage 2008-06-12 23:25:21.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/semanage/semanage 2008-06-23 07:03:37.000000000 -0400
|
|
||||||
@@ -43,49 +43,52 @@
|
@@ -43,49 +43,52 @@
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|
||||||
|
@ -271,9 +164,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
sys.exit(0);
|
sys.exit(0);
|
||||||
|
|
||||||
if modify:
|
if modify:
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.50/semanage/semanage.8
|
||||||
--- nsapolicycoreutils/semanage/semanage.8 2008-06-12 23:25:21.000000000 -0400
|
--- nsapolicycoreutils/semanage/semanage.8 2008-05-06 14:33:04.000000000 -0400
|
||||||
+++ policycoreutils-2.0.49/semanage/semanage.8 2008-06-23 07:03:37.000000000 -0400
|
+++ policycoreutils-2.0.50/semanage/semanage.8 2008-07-01 20:33:48.000000000 -0400
|
||||||
|
@@ -3,7 +3,7 @@
|
||||||
|
semanage \- SELinux Policy Management tool
|
||||||
|
|
||||||
|
.SH "SYNOPSIS"
|
||||||
|
-.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|lC|D} [\-n]
|
||||||
|
+.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|D} [\-n] [\-S store]
|
||||||
|
.br
|
||||||
|
.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] boolean
|
||||||
|
.br
|
||||||
@@ -17,6 +17,8 @@
|
@@ -17,6 +17,8 @@
|
||||||
.br
|
.br
|
||||||
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
|
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
|
||||||
|
@ -283,7 +185,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
.B semanage translation \-{a|d|m} [\-T] level
|
.B semanage translation \-{a|d|m} [\-T] level
|
||||||
.P
|
.P
|
||||||
|
|
||||||
@@ -101,10 +103,11 @@
|
@@ -85,6 +87,9 @@
|
||||||
|
.I \-s, \-\-seuser
|
||||||
|
SELinux user name
|
||||||
|
.TP
|
||||||
|
+.I \-S, \-\-store
|
||||||
|
+Select and alternate SELinux store to manage
|
||||||
|
+.TP
|
||||||
|
.I \-t, \-\-type
|
||||||
|
SELinux Type for the object
|
||||||
|
.TP
|
||||||
|
@@ -101,10 +106,11 @@
|
||||||
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
|
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
|
||||||
# Allow Apache to listen on port 81
|
# Allow Apache to listen on port 81
|
||||||
$ semanage port -a -t http_port_t -p tcp 81
|
$ semanage port -a -t http_port_t -p tcp 81
|
||||||
|
@ -296,9 +208,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
Russell Coker <rcoker@redhat.com>.
|
Russell Coker <rcoker@redhat.com>.
|
||||||
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
|
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
|
||||||
-
|
-
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.50/semanage/seobject.py
|
||||||
--- nsapolicycoreutils/semanage/seobject.py 2008-06-12 23:25:21.000000000 -0400
|
--- nsapolicycoreutils/semanage/seobject.py 2008-05-16 10:55:38.000000000 -0400
|
||||||
+++ policycoreutils-2.0.49/semanage/seobject.py 2008-06-23 07:03:37.000000000 -0400
|
+++ policycoreutils-2.0.50/semanage/seobject.py 2008-07-01 20:30:55.000000000 -0400
|
||||||
@@ -1,5 +1,5 @@
|
@@ -1,5 +1,5 @@
|
||||||
#! /usr/bin/python -E
|
#! /usr/bin/python -E
|
||||||
-# Copyright (C) 2005, 2006, 2007 Red Hat
|
-# Copyright (C) 2005, 2006, 2007 Red Hat
|
||||||
|
@ -316,7 +228,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
import gettext
|
import gettext
|
||||||
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
||||||
gettext.textdomain(PROGNAME)
|
gettext.textdomain(PROGNAME)
|
||||||
@@ -246,7 +248,67 @@
|
@@ -246,7 +248,103 @@
|
||||||
os.close(fd)
|
os.close(fd)
|
||||||
os.rename(newfilename, self.filename)
|
os.rename(newfilename, self.filename)
|
||||||
os.system("/sbin/service mcstrans reload > /dev/null")
|
os.system("/sbin/service mcstrans reload > /dev/null")
|
||||||
|
@ -325,13 +237,40 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
+class permissiveRecords:
|
+class permissiveRecords:
|
||||||
+ def __init__(self, store):
|
+ def __init__(self, store):
|
||||||
+ self.store = store
|
+ self.store = store
|
||||||
|
+ self.sh = semanage_handle_create()
|
||||||
|
+ if not self.sh:
|
||||||
|
+ raise ValueError(_("Could not create semanage handle"))
|
||||||
|
+
|
||||||
|
+ if store != "":
|
||||||
|
+ semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT);
|
||||||
|
+
|
||||||
|
+ self.semanaged = semanage_is_managed(self.sh)
|
||||||
|
+
|
||||||
|
+ if not self.semanaged:
|
||||||
|
+ semanage_handle_destroy(self.sh)
|
||||||
|
+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
|
||||||
|
+
|
||||||
|
+ rc = semanage_access_check(self.sh)
|
||||||
|
+ if rc < SEMANAGE_CAN_READ:
|
||||||
|
+ semanage_handle_destroy(self.sh)
|
||||||
|
+ raise ValueError(_("Cannot read policy store."))
|
||||||
|
+
|
||||||
|
+ rc = semanage_connect(self.sh)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ semanage_handle_destroy(self.sh)
|
||||||
|
+ raise ValueError(_("Could not establish semanage connection"))
|
||||||
+
|
+
|
||||||
+ def get_all(self):
|
+ def get_all(self):
|
||||||
+ rc, out = commands.getstatusoutput("semodule -l | grep ^permissive");
|
|
||||||
+ l = []
|
+ l = []
|
||||||
+ for i in out.split():
|
+ (rc, mlist, number) = semanage_module_list(self.sh)
|
||||||
+ if i.startswith("permissive_"):
|
+ if rc < 0:
|
||||||
+ l.append(i.split("permissive_")[1])
|
+ raise ValueError(_("Could not list SELinux modules"))
|
||||||
|
+
|
||||||
|
+ for i in range(number):
|
||||||
|
+ mod = semanage_module_list_nth(mlist, i)
|
||||||
|
+ name = semanage_module_get_name(mod)
|
||||||
|
+ if name and name.startswith("permissive_"):
|
||||||
|
+ l.append(name.split("permissive_")[1])
|
||||||
+ return l
|
+ return l
|
||||||
+
|
+
|
||||||
+ def list(self,heading = 1, locallist = 0):
|
+ def list(self,heading = 1, locallist = 0):
|
||||||
|
@ -360,8 +299,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
+ fd.close()
|
+ fd.close()
|
||||||
+ mc = module.ModuleCompiler()
|
+ mc = module.ModuleCompiler()
|
||||||
+ mc.create_module_package(filename, 1)
|
+ mc.create_module_package(filename, 1)
|
||||||
+ rc, out = commands.getstatusoutput("semodule -i permissive_%s.pp" % type);
|
+ fd = open("permissive_%s.pp" % type)
|
||||||
+ for root, dirs, files in os.walk("top", topdown=False):
|
+ data = fd.read()
|
||||||
|
+ fd.close()
|
||||||
|
+
|
||||||
|
+ rc = semanage_module_install(self.sh, data, len(data));
|
||||||
|
+ rc = semanage_commit(self.sh)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not set permissive domain %s") % name)
|
||||||
|
+ for root, dirs, files in os.walk("tmp", topdown=False):
|
||||||
+ for name in files:
|
+ for name in files:
|
||||||
+ os.remove(os.path.join(root, name))
|
+ os.remove(os.path.join(root, name))
|
||||||
+ for name in dirs:
|
+ for name in dirs:
|
||||||
|
@ -372,20 +318,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
+ def delete(self, name):
|
+ def delete(self, name):
|
||||||
+ rc, out = commands.getstatusoutput("semodule -r permissive_%s" % name );
|
+ for n in name.split():
|
||||||
+ if rc != 0:
|
+ rc = semanage_module_remove(self.sh, "permissive_%s" % n)
|
||||||
+ raise ValueError(out)
|
+ rc = semanage_commit(self.sh)
|
||||||
|
+ if rc < 0:
|
||||||
|
+ raise ValueError(_("Could not remove permissive domain %s") % name)
|
||||||
+
|
+
|
||||||
+ def deleteall(self):
|
+ def deleteall(self):
|
||||||
+ l = self.get_all()
|
+ l = self.get_all()
|
||||||
+ if len(l) > 0:
|
+ if len(l) > 0:
|
||||||
+ all = " permissive_".join(l)
|
+ all = " ".join(l)
|
||||||
+ self.delete(all)
|
+ self.delete(all)
|
||||||
+
|
+
|
||||||
class semanageRecords:
|
class semanageRecords:
|
||||||
def __init__(self, store):
|
def __init__(self, store):
|
||||||
self.sh = semanage_handle_create()
|
self.sh = semanage_handle_create()
|
||||||
@@ -464,7 +526,7 @@
|
@@ -464,7 +562,7 @@
|
||||||
def __init__(self, store = ""):
|
def __init__(self, store = ""):
|
||||||
semanageRecords.__init__(self, store)
|
semanageRecords.__init__(self, store)
|
||||||
|
|
||||||
|
|
|
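Review bot: In the new `permissiveRecords.add` in seobject.py the status of the module install is discarded: `rc = semanage_module_install(self.sh, data, len(data));` is immediately followed by `rc = semanage_commit(self.sh)`, so the `if rc < 0:` below it only ever sees the commit result and an install that fails but commits cleanly raises nothing; `delete` has the same shape with `semanage_module_remove` followed by `semanage_commit`, and the `semanage_select_store(...)` call added to `__init__` is not checked at all. Test each call before moving on, e.g. `rc = semanage_module_install(self.sh, data, len(data))` / `if rc < 0: raise ValueError(_("Could not install permissive module %s") % type)` ahead of the commit, and the equivalent after the remove. The existing failure path formats `name` into its message while the surrounding lines build the filename from `type`; the method signature lies outside the hunk, so whether `name` is bound at that point cannot be confirmed here, and if it is not the error path itself ends in NameError. `delete` also commits once per name inside its loop; a single commit after the loop would keep a multi-name removal atomic, though that is a design choice.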
@ -1,195 +1,6 @@
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.12/src/sepolgen/refparser.py
|
||||||
--- nsasepolgen/src/sepolgen/access.py 2008-06-12 23:25:26.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py 2008-06-23 07:04:21.000000000 -0400
|
|
||||||
@@ -295,3 +295,32 @@
|
|
||||||
perms[av.obj_class] = s
|
|
||||||
s.update(av.perms)
|
|
||||||
return perms
|
|
||||||
+
|
|
||||||
+class RoleTypeSet:
|
|
||||||
+ """A non-overlapping set of role type statements.
|
|
||||||
+
|
|
||||||
+ This clas allows the incremental addition of role type statements and
|
|
||||||
+ maintains a non-overlapping list of statements.
|
|
||||||
+ """
|
|
||||||
+ def __init__(self):
|
|
||||||
+ """Initialize an access vector set."""
|
|
||||||
+ self.role_types = {}
|
|
||||||
+
|
|
||||||
+ def __iter__(self):
|
|
||||||
+ """Iterate over all of the unique role allows statements in the set."""
|
|
||||||
+ for role_type in self.role_types.values():
|
|
||||||
+ yield role_type
|
|
||||||
+
|
|
||||||
+ def __len__(self):
|
|
||||||
+ """Return the unique number of role allow statements."""
|
|
||||||
+ return len(self.roles)
|
|
||||||
+
|
|
||||||
+ def add(self, role, type):
|
|
||||||
+ if self.role_types.has_key(role):
|
|
||||||
+ role_type = self.role_types[role]
|
|
||||||
+ else:
|
|
||||||
+ role_type = refpolicy.RoleType()
|
|
||||||
+ role_type.role = role
|
|
||||||
+ self.role_types[role] = role_type
|
|
||||||
+
|
|
||||||
+ role_type.types.add(type)
|
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
|
|
||||||
--- nsasepolgen/src/sepolgen/audit.py 2008-06-12 23:25:26.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-06-23 07:05:23.000000000 -0400
|
|
||||||
@@ -235,20 +235,21 @@
|
|
||||||
"""
|
|
||||||
def __init__(self, message):
|
|
||||||
AuditMessage.__init__(self, message)
|
|
||||||
- self.type = ""
|
|
||||||
- self.role = ""
|
|
||||||
+ self.invalid_context = refpolicy.SecurityContext()
|
|
||||||
+ self.scontext = refpolicy.SecurityContext()
|
|
||||||
+ self.tcontext = refpolicy.SecurityContext()
|
|
||||||
+ self.tclass = ""
|
|
||||||
|
|
||||||
def from_split_string(self, recs):
|
|
||||||
AuditMessage.from_split_string(self, recs)
|
|
||||||
- dict={}
|
|
||||||
- for i in recs:
|
|
||||||
- t = i.split('=')
|
|
||||||
- if len(t) < 2:
|
|
||||||
- continue
|
|
||||||
- dict[t[0]]=t[1]
|
|
||||||
+ if len(recs) < 10:
|
|
||||||
+ raise ValueError("Split string does not represent a valid compute sid message")
|
|
||||||
+
|
|
||||||
try:
|
|
||||||
- self.role = refpolicy.SecurityContext(dict["scontext"]).role
|
|
||||||
- self.type = refpolicy.SecurityContext(dict["tcontext"]).type
|
|
||||||
+ self.invalid_context = refpolicy.SecurityContext(recs[5])
|
|
||||||
+ self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1])
|
|
||||||
+ self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1])
|
|
||||||
+ self.tclass = recs[9].split("=")[1]
|
|
||||||
except:
|
|
||||||
raise ValueError("Split string does not represent a valid compute sid message")
|
|
||||||
def output(self):
|
|
||||||
@@ -405,7 +406,7 @@
|
|
||||||
self.__post_process()
|
|
||||||
|
|
||||||
def to_role(self, role_filter=None):
|
|
||||||
- """Return list of SELINUX_ERR messages matching the specified filter
|
|
||||||
+ """Return RoleAllowSet statements matching the specified filter
|
|
||||||
|
|
||||||
Filter out types that match the filer, or all roles
|
|
||||||
|
|
||||||
@@ -416,13 +417,12 @@
|
|
||||||
Access vector set representing the denied access in the
|
|
||||||
audit logs parsed by this object.
|
|
||||||
"""
|
|
||||||
- roles = []
|
|
||||||
- if role_filter:
|
|
||||||
- for selinux_err in self.compute_sid_msgs:
|
|
||||||
- if role_filter.filter(selinux_err):
|
|
||||||
- roles.append(selinux_err)
|
|
||||||
- return roles
|
|
||||||
- return self.compute_sid_msgs
|
|
||||||
+ role_types = access.RoleTypeSet()
|
|
||||||
+ for cs in self.compute_sid_msgs:
|
|
||||||
+ if not role_filter or role_filter.filter(cs):
|
|
||||||
+ role_types.add(cs.invalid_context.role, cs.invalid_context.type)
|
|
||||||
+
|
|
||||||
+ return role_types
|
|
||||||
|
|
||||||
def to_access(self, avc_filter=None, only_denials=True):
|
|
||||||
"""Convert the audit logs access into a an access vector set.
|
|
||||||
@@ -454,7 +454,7 @@
|
|
||||||
avc.accesses, avc)
|
|
||||||
return av_set
|
|
||||||
|
|
||||||
-class TypeFilter:
|
|
||||||
+class AVCTypeFilter:
|
|
||||||
def __init__(self, regex):
|
|
||||||
self.regex = re.compile(regex)
|
|
||||||
|
|
||||||
@@ -465,4 +465,17 @@
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
+class ComputeSidTypeFilter:
|
|
||||||
+ def __init__(self, regex):
|
|
||||||
+ self.regex = re.compile(regex)
|
|
||||||
+
|
|
||||||
+ def filter(self, avc):
|
|
||||||
+ if self.regex.match(avc.invalid_context.type):
|
|
||||||
+ return True
|
|
||||||
+ if self.regex.match(avc.scontext.type):
|
|
||||||
+ return True
|
|
||||||
+ if self.regex.match(avc.tcontext.type):
|
|
||||||
+ return True
|
|
||||||
+ return False
|
|
||||||
+
|
|
||||||
|
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/output.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py
|
|
||||||
--- nsasepolgen/src/sepolgen/output.py 2008-06-12 23:25:26.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py 2008-06-23 07:04:31.000000000 -0400
|
|
||||||
@@ -101,6 +101,8 @@
|
|
||||||
else:
|
|
||||||
return id_set_cmp(a.src_types, [b.args[0]])
|
|
||||||
|
|
||||||
+def role_type_cmp(a, b):
|
|
||||||
+ return cmp(a.role, b.role)
|
|
||||||
|
|
||||||
def sort_filter(module):
|
|
||||||
"""Sort and group the output for readability.
|
|
||||||
@@ -146,6 +148,18 @@
|
|
||||||
|
|
||||||
c.extend(sep_rules)
|
|
||||||
|
|
||||||
+
|
|
||||||
+ ras = []
|
|
||||||
+ ras.extend(node.role_types())
|
|
||||||
+ ras.sort(role_type_cmp)
|
|
||||||
+ if len(ras):
|
|
||||||
+ comment = refpolicy.Comment()
|
|
||||||
+ comment.lines.append("============= ROLES ==============")
|
|
||||||
+ c.append(comment)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ c.extend(ras)
|
|
||||||
+
|
|
||||||
# Everything else
|
|
||||||
for child in node.children:
|
|
||||||
if child not in c:
|
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py
|
|
||||||
--- nsasepolgen/src/sepolgen/policygen.py 2008-06-12 23:25:26.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py 2008-06-23 07:04:36.000000000 -0400
|
|
||||||
@@ -167,6 +167,13 @@
|
|
||||||
if self.gen_requires:
|
|
||||||
gen_requires(self.module)
|
|
||||||
|
|
||||||
+ def add_role_types(self, role_type_set):
|
|
||||||
+ for role_type in role_type_set:
|
|
||||||
+ self.module.children.append(role_type)
|
|
||||||
+
|
|
||||||
+ # Generate the requires
|
|
||||||
+ if self.gen_requires:
|
|
||||||
+ gen_requires(self.module)
|
|
||||||
|
|
||||||
def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
|
|
||||||
"""Explain why a policy statement was generated.
|
|
||||||
@@ -334,8 +341,12 @@
|
|
||||||
# can actually figure those out.
|
|
||||||
r.types.add(arg)
|
|
||||||
|
|
||||||
- r.types.discard("self")
|
|
||||||
+ for role_type in node.role_types():
|
|
||||||
+ r.roles.add(role_type.role)
|
|
||||||
+ r.types.update(role_type.types)
|
|
||||||
|
|
||||||
+ r.types.discard("self")
|
|
||||||
+
|
|
||||||
node.children.insert(0, r)
|
|
||||||
|
|
||||||
# FUTURE - this is untested on modules with any sort of
|
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
|
|
||||||
--- nsasepolgen/src/sepolgen/refparser.py 2008-06-12 23:25:26.000000000 -0400
|
--- nsasepolgen/src/sepolgen/refparser.py 2008-06-12 23:25:26.000000000 -0400
|
||||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-06-23 07:05:23.000000000 -0400
|
+++ policycoreutils-2.0.49/sepolgen-1.0.12/src/sepolgen/refparser.py 2008-06-27 07:21:06.000000000 -0400
|
||||||
@@ -919,7 +919,7 @@
|
@@ -919,7 +919,7 @@
|
||||||
def list_headers(root):
|
def list_headers(root):
|
||||||
modules = []
|
modules = []
|
||||||
|
@ -199,35 +10,3 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
||||||
|
|
||||||
for dirpath, dirnames, filenames in os.walk(root):
|
for dirpath, dirnames, filenames in os.walk(root):
|
||||||
for name in filenames:
|
for name in filenames:
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py
|
|
||||||
--- nsasepolgen/src/sepolgen/refpolicy.py 2008-06-12 23:25:26.000000000 -0400
|
|
||||||
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py 2008-06-23 07:04:47.000000000 -0400
|
|
||||||
@@ -122,6 +122,12 @@
|
|
||||||
def roles(self):
|
|
||||||
return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self))
|
|
||||||
|
|
||||||
+ def role_allows(self):
|
|
||||||
+ return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self))
|
|
||||||
+
|
|
||||||
+ def role_types(self):
|
|
||||||
+ return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self))
|
|
||||||
+
|
|
||||||
def __str__(self):
|
|
||||||
if self.comment:
|
|
||||||
return str(self.comment) + "\n" + self.to_string()
|
|
||||||
@@ -494,6 +500,15 @@
|
|
||||||
return "allow %s %s;" % (self.src_roles.to_comma_str(),
|
|
||||||
self.tgt_roles.to_comma_str())
|
|
||||||
|
|
||||||
+class RoleType(Leaf):
|
|
||||||
+ def __init__(self, parent=None):
|
|
||||||
+ Leaf.__init__(self, parent)
|
|
||||||
+ self.role = ""
|
|
||||||
+ self.types = IdSet()
|
|
||||||
+
|
|
||||||
+ def to_string(self):
|
|
||||||
+ return "role %s types %s;" % (self.role, self.types.to_comma_str())
|
|
||||||
+
|
|
||||||
class ModuleDeclaration(Leaf):
|
|
||||||
def __init__(self, parent=None):
|
|
||||||
Leaf.__init__(self, parent)
|
|
||||||
|
|
|
@ -2,11 +2,11 @@
|
||||||
%define libsepolver 2.0.19-1
|
%define libsepolver 2.0.19-1
|
||||||
%define libsemanagever 2.0.5-1
|
%define libsemanagever 2.0.5-1
|
||||||
%define libselinuxver 2.0.46-5
|
%define libselinuxver 2.0.46-5
|
||||||
%define sepolgenver 1.0.11
|
%define sepolgenver 1.0.12
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.0.49
|
Version: 2.0.51
|
||||||
Release: 10%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
|
@ -112,6 +112,7 @@ Requires: policycoreutils = %{version}-%{release}
|
||||||
Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas
|
Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas
|
||||||
Requires: usermode
|
Requires: usermode
|
||||||
Requires: setools-console
|
Requires: setools-console
|
||||||
|
Requires: selinux-policy-devel
|
||||||
Requires: python >= 2.4
|
Requires: python >= 2.4
|
||||||
BuildRequires: desktop-file-utils
|
BuildRequires: desktop-file-utils
|
||||||
|
|
||||||
|
@ -191,6 +192,14 @@ if [ "$1" -ge "1" ]; then
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jul 1 2008 Dan Walsh <dwalsh@redhat.com> 2.0.50-2
|
||||||
|
- Remove semodule use within semanage
|
||||||
|
- Fix launching of polgengui from toolbar
|
||||||
|
|
||||||
|
* Mon Jun 30 2008 Dan Walsh <dwalsh@redhat.com> 2.0.50-1
|
||||||
|
- Update to upstream
|
||||||
|
* Fix audit2allow generation of role-type rules from Karl MacMillan.
|
||||||
|
|
||||||
* Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-10
|
* Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-10
|
||||||
- Fix spelling of enforcement
|
- Fix spelling of enforcement
|
||||||
|
|
||||||
|
|
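Review bot: The changelog stanza added at the top of `%changelog` is headed `2.0.50-2`, but the same diff sets `Version: 2.0.51` and `Release: 2%{?dist}`, so the newest changelog entry no longer matches the package's Version-Release (rpmlint reports this as incoherent-version-in-changelog, and the `sources` section on this page already lists policycoreutils-2.0.51.tgz). The preceding `2.0.50-1` stanza is new here as well, so two entries land at once without any 2.0.51 one. Retitle the top stanza to `* Tue Jul 1 2008 Dan Walsh <dwalsh@redhat.com> 2.0.51-2`, or add a 2.0.51 entry above it, so the header the build reads agrees with the tarball being packaged.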