From 8ba90df46e8829d0266449b29fdc6eea53662b0f Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Tue, 19 Nov 2013 09:07:08 -0500 Subject: [PATCH] Speed up startup time of sepolicy gui - Clean up ports screen to only show enabled ports. - Update to upstream * Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh. * Make yum/extract_rpms optional for sepolicy generate from Dan Walsh. * Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh. --- policycoreutils-rhat.patch | 689 ++++++++++++++++++++++++++++++--- policycoreutils-sepolgen.patch | 144 +------ policycoreutils.spec | 18 +- 3 files changed, 662 insertions(+), 189 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index f5e64ab..affaded 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -9,7 +9,7 @@ index 83ebd45..bea9814 100644 INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen -index 3967ba5..83c7ecf 100644 +index 3967ba5..7f8caaf 100644 --- a/policycoreutils/audit2allow/sepolgen-ifgen +++ b/policycoreutils/audit2allow/sepolgen-ifgen @@ -63,7 +63,7 @@ def parse_options(): 
@@ -21,6 +21,46 @@ index 3967ba5..83c7ecf 100644 return p i = selinux.security_policyvers() p = selinux.selinux_binary_policy_path() + "." + str(i) +@@ -82,7 +82,7 @@ def get_attrs(policy_path): + sys.stderr.write("No installed policy to check\n") + return None + outfile = tempfile.NamedTemporaryFile() +- except IOError, e: ++ except IOError as e: + sys.stderr.write("could not open attribute output file\n") + return None + except OSError: +@@ -100,7 +100,7 @@ def get_attrs(policy_path): + try: + attrs.from_file(outfile) + except: +- print "error parsing attribute info" ++ print("error parsing attribute info") + return None + + return attrs +@@ -111,7 +111,7 @@ def main(): + # Open the output first to generate errors before parsing + try: + f = open(options.output, "w") +- except IOError, e: ++ except IOError as e: + sys.stderr.write("could not open output file [%s]\n" % options.output) + return 1 + +@@ -130,9 +130,9 @@ def main(): + # Parse the headers + try: + headers = refparser.parse_headers(options.headers, output=log, debug=options.debug) +- except ValueError, e: +- print "error parsing headers" +- print str(e) ++ except ValueError as e: ++ print("error parsing headers") ++ print(str(e)) + return 1 + + if_set = interfaces.InterfaceSet(output=log) diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile index 9d9f820..0c2b390 100644 --- a/policycoreutils/gui/Makefile 
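Review bot: The bare `except:` around `attrs.from_file(outfile)` in get_attrs is left in place while the handlers next to it are being modernised; it also catches KeyboardInterrupt/SystemExit and the printed message drops the actual parse error. Narrow it and surface the cause: `except Exception as e:` followed by `print("error parsing attribute info: %s" % e)`. The `e` bound by the two new `except IOError as e:` lines is unused in both handlers, so either use it in the stderr message or drop the `as e`. get_attrs and main both start outside the visible hunk.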
@@ -253158,6 +253198,24 @@ index 89201e1..af72868 100644 Type=Application StartupNotify=false X-GNOME-Autostart-enabled=false +diff --git a/policycoreutils/restorecond/restorecond.service b/policycoreutils/restorecond/restorecond.service +index 7d64cc5..f560b05 100644 +--- a/policycoreutils/restorecond/restorecond.service ++++ b/policycoreutils/restorecond/restorecond.service +@@ -4,9 +4,10 @@ After=syslog.target + ConditionPathExists=/etc/selinux/restorecond.conf + + [Service] +-Type=oneshot +-ExecStart=/usr/sbin/restorecond +-RemainAfterExit=yes ++Environment=LANG=C ++ ++ExecStart=/usr/sbin/restorecond -d ++ExecStop=/bin/kill -WINCH ${MAINPID} + + [Install] + WantedBy=multi-user.target diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index fb5a24c..3668abe 100644 --- a/policycoreutils/sandbox/sandbox 
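Review bot: Removing `Type=oneshot` without a replacement makes the unit default to `Type=simple`, so the new `ExecStop=/bin/kill -WINCH ${MAINPID}` only reaches the right process if `restorecond -d` keeps running in the foreground; if `-d` ever forks, `${MAINPID}` would point at a parent that has exited. Stating the intent explicitly with `Type=simple` makes that dependency visible and protects the stop path from a later change to the daemon's flags. `Environment=LANG=C` is also undocumented; if the purpose is stable, unlocalised log output, a one-line `# Force the C locale so restorecond's messages are not localised` would say so.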
@@ -258832,6 +258890,100 @@ index cd1026a..ac44dfe 100644 + PyModule_AddIntConstant(m, "SENS", SENS); + PyModule_AddIntConstant(m, "CATS", CATS); } +diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy +index c0a730c..44ae625 100644 +--- a/policycoreutils/sepolicy/org.selinux.policy ++++ b/policycoreutils/sepolicy/org.selinux.policy +@@ -11,8 +11,8 @@ + SELinux write access + System policy prevents restorecon access to SELinux + +- auth_admin_keep +- auth_admin_keep ++ no ++ no + auth_admin_keep + + +@@ -20,8 +20,8 @@ + SELinux write access + System policy prevents setenforce access to SELinux + +- auth_admin_keep +- auth_admin_keep ++ no ++ no + auth_admin_keep + + +@@ -29,8 +29,8 @@ + SELinux write access + System policy prevents semanage access to SELinux + +- auth_admin_keep +- auth_admin_keep ++ no ++ no + auth_admin_keep + + +@@ -38,8 +38,8 @@ + SELinux Read access + System policy prevents read access to SELinux + +- yes +- yes ++ no ++ no + yes + + +@@ -47,8 +47,8 @@ + SELinux list modules access + System policy prevents read access to SELinux modules + +- yes +- yes ++ no ++ no + yes + + +@@ -56,25 +56,27 @@ + SELinux write access + System policy prevents relabel_on_boot access to SELinux + +- yes ++ no ++ no ++ auth_admin_keep + + + + SELinux write access + System policy prevents change_default_policy access to SELinux + +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep ++ no ++ no ++ auth_admin_keep + + + + SELinux write access + System policy prevents change_policy_type access to SELinux + +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep ++ no ++ no ++ auth_admin_keep + + + diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c index 2a9e1c7..365e622 100644 --- a/policycoreutils/sepolicy/policy.c @@ -259067,7 +259219,7 @@ index 458a4d2..b6088af 100644 + except dbus.DBusException as e: + print(e) 
diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py -index 98dbff4..e5d3103 100644 +index 98dbff4..3cfdc94 100644 --- a/policycoreutils/sepolicy/selinux_server.py +++ b/policycoreutils/sepolicy/selinux_server.py @@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object): @@ -259092,7 +259244,7 @@ index 98dbff4..e5d3103 100644 # another server to make the two systems have duplicate policy. # @slip.dbus.polkit.require_auth("org.selinux.customized") -@@ -42,7 +42,7 @@ class selinux_server(slip.dbus.service.Object): +@@ -42,12 +42,12 @@ class selinux_server(slip.dbus.service.Object): if p.returncode and p.returncode != 0: raise OSError("Failed to read SELinux configuration: %s", output) return buf @@ -259101,7 +259253,13 @@ index 98dbff4..e5d3103 100644 # # The semodule_list method will return the output of semodule -l, using the customized polkit, # since this is a readonly behaviour -@@ -56,7 +56,7 @@ class selinux_server(slip.dbus.service.Object): + # +- @slip.dbus.polkit.require_auth("org.selinux.customized") ++ @slip.dbus.polkit.require_auth("org.selinux.semodule_list") + @dbus.service.method("org.selinux", in_signature='', out_signature='s') + def semodule_list(self): + p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE) +@@ -56,10 +56,11 @@ class selinux_server(slip.dbus.service.Object): if p.returncode and p.returncode != 0: raise OSError("Failed to list SELinux modules: %s", output) return buf 
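Review bot: The comment block above the new `@slip.dbus.polkit.require_auth("org.selinux.semodule_list")` still says the method runs `using the customized polkit`, which is exactly what this line changes; update it to `# The semodule_list method returns the output of semodule -l; it is gated by the org.selinux.semodule_list polkit action since it is read-only`. While here, the context line `raise OSError("Failed to list SELinux modules: %s", output)` passes `output` as a second exception argument instead of formatting it, so the `%s` is never interpolated; `raise OSError("Failed to list SELinux modules: %s" % output)` fixes that, and the configuration-read hunk just above has the same pattern.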
@@ -259110,7 +259268,27 @@ index 98dbff4..e5d3103 100644 # # The restorecon method modifies any file path to the default system label # -@@ -83,7 +83,7 @@ class selinux_server(slip.dbus.service.Object): ++ @slip.dbus.polkit.require_auth("org.selinux.restorecon") + @dbus.service.method("org.selinux", in_signature='s') + def restorecon(self, path): + selinux.restorecon(str(path), recursive=1) +@@ -67,6 +68,7 @@ class selinux_server(slip.dbus.service.Object): + # + # The setenforce method turns off the current enforcement of SELinux + # ++ @slip.dbus.polkit.require_auth("org.selinux.setenforce") + @dbus.service.method("org.selinux", in_signature='i') + def setenforce(self, value): + selinux.security_setenforce(value) +@@ -74,6 +76,7 @@ class selinux_server(slip.dbus.service.Object): + # + # The setenforce method turns off the current enforcement of SELinux + # ++ @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") + @dbus.service.method("org.selinux", in_signature='i') + def relabel_on_boot(self, value): + if value == 1: +@@ -83,7 +86,7 @@ class selinux_server(slip.dbus.service.Object): os.unlink("/.autorelabel") def write_selinux_config(self, enforcing=None, policy=None): 
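Review bot: The comment directly above the new `@slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")` still reads `# The setenforce method turns off the current enforcement of SELinux`, copied from the method above, so the polkit gate is attached to a misdescribed method. Replace it with `# The relabel_on_boot method removes /.autorelabel, or creates it when value == 1, to request a full relabel at next boot` (the removal is visible in `os.unlink("/.autorelabel")`; the creation branch is cut off by the hunk, so confirm). The setenforce comment itself is also inaccurate since the method takes a value rather than only turning enforcement off; `# The setenforce method sets the current enforcement mode (0 permissive, 1 enforcing)` would match `selinux.security_setenforce(value)`. relabel_on_boot's body continues outside the hunk.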
@@ -259119,16 +259297,17 @@ index 98dbff4..e5d3103 100644 backup_path = path + ".bck" fd = open(path) lines = fd.readlines() -@@ -101,7 +101,7 @@ class selinux_server(slip.dbus.service.Object): +@@ -101,26 +104,28 @@ class selinux_server(slip.dbus.service.Object): os.rename(backup_path, path) # - # The change_default_enforcement modifies the current enforcement mode + # The change_default_enforcement modifies the current enforcement mode # ++ @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") @dbus.service.method("org.selinux", in_signature='s') def change_default_mode(self, value): -@@ -109,7 +109,7 @@ class selinux_server(slip.dbus.service.Object): + values = [ "enforcing", "permissive", "disabled" ] if value not in values: raise ValueError("Enforcement mode must be %s" % ", ".join(values)) self.write_selinux_config(enforcing=value) @@ -259137,7 +259316,11 @@ index 98dbff4..e5d3103 100644 # # The change_default_policy method modifies the policy type -@@ -120,7 +120,7 @@ class selinux_server(slip.dbus.service.Object): + # ++ @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") + @dbus.service.method("org.selinux", in_signature='s') + def change_default_policy(self, value): + path = selinux.selinux_path() + value if os.path.isdir(path): return self.write_selinux_config(policy=value) raise ValueError("%s does not exist" % path) 
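Review bot: The new `@slip.dbus.polkit.require_auth("org.selinux.change_default_mode")` references a polkit action id that does not appear in the visible part of the org.selinux.policy hunk earlier in this commit (restorecon, setenforce, semanage, the two read actions, relabel_on_boot, change_default_policy and change_policy_type are the ones shown); confirm the action is declared, since an undeclared id will be refused at runtime rather than failing at startup. A short comment next to the decorator naming the policy file that must carry the action, e.g. `# Action must exist in org.selinux.policy`, would help keep the two files in sync. The `values = [ "enforcing", "permissive", "disabled" ]` validation below is correct for this method; write_selinux_config starts outside the hunk.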
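Review bot: `change_default_policy` accepts any string and only checks `os.path.isdir(selinux.selinux_path() + value)`, so a value containing a path separator or `..` still satisfies the check and is then written into the configuration by write_selinux_config; the new polkit gate restricts who may call it but not what is written. Reject anything that is not a plain directory name before the isdir test: `if not value or "/" in value or value in (".", ".."): raise ValueError("Invalid policy type: %s" % value)`. write_selinux_config is defined outside this hunk.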
@@ -259215,6 +259398,19 @@ index 779fd75..29ccbdf 100644 } _sepolicy () { local command=${COMP_WORDS[1]} +diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8 +index 96c20fc..3a76976 100644 +--- a/policycoreutils/sepolicy/sepolicy-generate.8 ++++ b/policycoreutils/sepolicy/sepolicy-generate.8 +@@ -13,7 +13,7 @@ Common options + Confined Applications + + .br +-.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ] ++.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ] + .br + .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ] + .br diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py index 74fb347..adb6ca5 100755 --- a/policycoreutils/sepolicy/sepolicy.py @@ -261047,7 +261243,7 @@ index 6b53035..32ea970 100644 out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file")) out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file")) diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py -index 0123e6c..108d9e4 100644 +index 0123e6c..ac3e513 100644 --- a/policycoreutils/sepolicy/sepolicy/gui.py +++ b/policycoreutils/sepolicy/sepolicy/gui.py @@ -47,12 +47,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") 
@@ -261079,23 +261275,51 @@ index 0123e6c..108d9e4 100644 import distutils.sysconfig ADVANCED_LABEL = ( _("Advanced >>"), _("Advanced <<") ) -@@ -106,12 +107,12 @@ class SELinuxGui(): +@@ -102,18 +103,13 @@ class SELinuxGui(): + + def __init__( self , app = None, test = False): + self.finish_init = False ++ self.advanced_init = True + self.opage = START_PAGE self.dbus = SELinuxDBus() try: customized = self.dbus.customized() - except dbus.exceptions.DBusException, e: - print e +- self.quit() +- +- sepolicy_domains = sepolicy.get_all_domains() +- sepolicy_domains.sort(compare) +- if app and app not in sepolicy_domains: +- self.error(_("%s is not a valid domain" % app)) + except dbus.exceptions.DBusException as e: + print(e) self.quit() - sepolicy_domains = sepolicy.get_all_domains() -- sepolicy_domains.sort(compare) -+ sepolicy_domains.sort(key=str.lower) - if app and app not in sepolicy_domains: - self.error(_("%s is not a valid domain" % app)) - self.quit() -@@ -234,7 +235,7 @@ class SELinuxGui(): + self.init_cur() +@@ -139,7 +135,7 @@ class SELinuxGui(): + self.files_add = False + self.network_add = False + +- self.all_list = [] ++ self.all_domains = [] + self.installed_list = [] + self.previously_modified = {} + +@@ -151,10 +147,10 @@ class SELinuxGui(): + self.invalid_entry = False + # Advanced search window **************************** + self.advanced_search_window = builder.get_object("advanced_search_window") +- self.advanced_search_liststore = builder.get_object("Advanced_search_liststore") +- self.advanced_search_liststore.set_sort_column_id(0, Gtk.SortType.ASCENDING) + self.advanced_search_filter = builder.get_object("advanced_filter") + self.advanced_search_filter.set_visible_func(self.filter_the_data) ++ self.advanced_search_sort = builder.get_object("advanced_filter") ++ + self.advanced_filter_entry = builder.get_object("advanced_filter_entry") + self.advanced_search_treeview = builder.get_object("advanced_search_treeview") + self.advanced_search = 
False +@@ -234,7 +230,7 @@ class SELinuxGui(): self.advanced_system.set_visible(False) self.system_policy_label.set_visible(False) self.system_policy_type_combobox.set_visible(False) 
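Review bot: `self.advanced_search_sort = builder.get_object("advanced_filter")` assigns the very object already held in `self.advanced_search_filter` two lines above, so the attribute name promises a sort model that no longer exists (the `set_sort_column_id` call is removed in this hunk and the glade hunk later in the commit appears to drop `advanced_sort`). The loading hunk later passes this alias to `advanced_search_treeview.set_model`, so the treeview sits directly on the filter; either drop the alias and call `self.advanced_search_treeview.set_model(self.advanced_search_filter)` there, or add `# No sort model any more: the treeview is backed directly by the filter` so nobody layers a second iter conversion on top. The extra blank `++` line the hunk adds after the assignment is noise.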
@@ -261104,16 +261328,99 @@ index 0123e6c..108d9e4 100644 self.enforcing_button_default = builder.get_object("Enforcing_button_default") self.permissive_button_default = builder.get_object("Permissive_button_default") self.disabled_button_default = builder.get_object("Disabled_button_default") -@@ -484,6 +485,8 @@ class SELinuxGui(): +@@ -423,12 +419,10 @@ class SELinuxGui(): + + # Combobox and Entry items ************************** + self.combobox_menu = builder.get_object("combobox_org") # This is the combobox box object, aka the arrow next to the entry text bar +- self.combobox_menu_model = builder.get_object("application_liststore") ++ self.application_liststore = builder.get_object("application_liststore") + self.completion_entry = builder.get_object("completion_entry") #self.combobox_menu.get_child() +- self.completion_entry_model = builder.get_object("application_liststore") + self.entrycompletion_obj = builder.get_object("entrycompletion_obj") + #self.entrycompletion_obj = Gtk.EntryCompletion() +- self.entrycompletion_obj.set_model(self.completion_entry_model) + self.entrycompletion_obj.set_minimum_key_length(0) + self.entrycompletion_obj.set_text_column(0) + self.entrycompletion_obj.set_match_func(self.match_func, None) +@@ -483,18 +477,24 @@ class SELinuxGui(): + self.loading = 1 path = None if test: - domains = [ "httpd_t", "abrt_t" ] -+ if app and app not in domains: -+ domains.append(app) +- domains = [ "httpd_t", "abrt_t" ] ++ self.all_domains = [ "httpd_t", "abrt_t" ] ++ if app and app not in self.all_domains: ++ self.all_domains.append(app) else: - domains = sepolicy_domains - loading_gui.show() -@@ -812,7 +815,7 @@ class SELinuxGui(): +- domains = sepolicy_domains +- loading_gui.show() +- length = len(domains) +- for domain in domains: ++ self.all_domains = sepolicy.get_all_domains() ++ self.all_domains.sort(key=str.lower) ++ ++ if app and app not in self.all_domains: ++ self.error(_("%s is not a valid domain" % app)) ++ self.quit() ++ ++ 
loading_gui.show() ++ length = len(self.all_domains) ++ for domain in self.all_domains: + # After the user selects a path in the drop down menu call + # get_init_entrypoint_target(entrypoint) to get the transtype + # which will give you the application +- self.combo_box_initialize(domain, None) +- self.advanced_search_initialize(domain) +- self.all_list.append(domain) ++ self.combo_box_add(domain, domain) + self.percentage = float(float(self.loading)/float(length)) + self.progress_bar.set_fraction(self.percentage) + self.progress_bar.set_pulse_step(self.percentage) +@@ -504,14 +504,13 @@ class SELinuxGui(): + if entrypoint: + path = sepolicy.find_entrypoint_path(entrypoint) + if path: +- self.combo_box_initialize(path, None) +- # Adds all files entrypoint paths that exists on disc +- # into the combobox +- self.advanced_search_initialize(path) ++ self.combo_box_add(path, domain) + self.installed_list.append(path) + + self.loading += 1 + loading_gui.hide() ++ self.entrycompletion_obj.set_model(self.application_liststore) ++ self.advanced_search_treeview.set_model(self.advanced_search_sort) + + dic = { + "on_combo_button_clicked" : self.open_combo_menu, +@@ -543,7 +542,7 @@ class SELinuxGui(): + "on_file_equiv_button_clicked" : self.show_file_equiv_page, + "on_app/system_button_clicked" : self.system_interface, + "on_app/users_button_clicked" : self.users_interface, +- "on_main_advanced_label_button_press_event": self.advanced_label_main, ++ "on_show_advanced_search_window": self.on_show_advanced_search_window, + + "on_Show_mislabeled_files_toggled" : self.show_mislabeled_files, + "on_Browse_button_files_clicked" : self.browse_for_files, +@@ -559,8 +558,6 @@ class SELinuxGui(): + "on_advanced_filter_entry_changed" : self.get_advanced_filter_data, + "on_advanced_search_treeview_row_activated" : self.advanced_item_selected, + "on_Select_advanced_search_clicked" : self.advanced_item_button_push, +- "on_All_advanced_button_toggled" : self.advanced_radio_select, +- 
"on_Installed_advanced_button_toggled" : self.advanced_radio_select, + "on_info_button_button_press_event" : self.on_help_button, + "on_back_button_clicked" : self.on_help_back_clicked, + "on_forward_button_clicked" : self.on_help_forward_clicked, +@@ -701,7 +698,7 @@ class SELinuxGui(): + + def match_func(self, completion, key_string, iter, func_data): + try: +- if self.combobox_menu_model.get_value(iter, 0).find(key_string) != -1: ++ if self.application_liststore.get_value(iter, 0).find(key_string) != -1: + return True + return False + except AttributeError: +@@ -812,7 +809,7 @@ class SELinuxGui(): self.set_application_label = True def resize_wrap(self, *args): @@ -261122,7 +261429,7 @@ index 0123e6c..108d9e4 100644 def initialize_system_default_mode(self): self.enforce_mode = selinux.selinux_getenforcemode()[1] -@@ -825,7 +828,7 @@ class SELinuxGui(): +@@ -825,7 +822,7 @@ class SELinuxGui(): def populate_system_policy(self): selinux_path = selinux.selinux_path() @@ -261131,7 +261438,7 @@ index 0123e6c..108d9e4 100644 types.sort() ctr = 0 for item in types: -@@ -850,14 +853,14 @@ class SELinuxGui(): +@@ -850,14 +847,14 @@ class SELinuxGui(): # Returns true if filter_txt exists within the val if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1) : return True 
@@ -261148,7 +261455,66 @@ index 0123e6c..108d9e4 100644 for t,ports in netd[k]: pkey = (",".join(ports), protocol) if pkey in self.cur_dict["port"]: -@@ -1114,7 +1117,7 @@ class SELinuxGui(): +@@ -912,11 +909,11 @@ class SELinuxGui(): + self.ready_mouse() + + def network_initialize(self, app): +- netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect") ++ netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect", check_bools=True) + self.net_update(app, netd, "tcp", OUTBOUND_PAGE, self.network_out_liststore) +- netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind") ++ netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind",check_bools=True) + self.net_update(app, netd, "tcp", INBOUND_PAGE, self.network_in_liststore) +- netd = sepolicy.network.get_network_connect(app, "udp", "name_bind") ++ netd = sepolicy.network.get_network_connect(app, "udp", "name_bind",check_bools=True) + self.net_update(app, netd, "udp", INBOUND_PAGE, self.network_in_liststore) + + def network_initial_data_insert(self, model, ports, portType, protocol): +@@ -952,12 +949,12 @@ class SELinuxGui(): + iter = liststore.get_iter(index) + return liststore.get_value(iter, 0) + +- def combo_box_initialize(self, val, desc): ++ def combo_box_add(self, val, val1): + if val == None: + return +- iter = self.combobox_menu_model.append() +- for f in val: +- self.combobox_menu_model.set_value(iter, 0, val) ++ iter = self.application_liststore.append() ++ self.application_liststore.set_value(iter, 0, val) ++ self.application_liststore.set_value(iter, 1, val1) + + def select_type_more(self, *args): + app = self.moreTypes_treeview.get_selection() +@@ -973,7 +970,7 @@ class SELinuxGui(): + model, iter = row.get_selected() + iter = model.convert_iter_to_child_iter(iter) + iter = self.advanced_search_filter.convert_iter_to_child_iter(iter) +- app = self.advanced_search_liststore.get_value(iter, 1) ++ app = self.application_liststore.get_value(iter, 1) + if app 
== None: + return + self.advanced_filter_entry.set_text('') +@@ -985,7 +982,7 @@ class SELinuxGui(): + def advanced_item_selected(self, treeview, path, *args): + iter = self.advanced_search_filter.get_iter(path) + iter = self.advanced_search_filter.convert_iter_to_child_iter(iter) +- app = self.advanced_search_liststore.get_value(iter, 1) ++ app = self.application_liststore.get_value(iter, 1) + self.advanced_filter_entry.set_text('') + self.advanced_search_window.hide() + self.reveal_advanced(self.main_advanced_label) +@@ -994,7 +991,7 @@ class SELinuxGui(): + + def find_application(self, app): + if app and len(app) > 0: +- for items in self.combobox_menu_model: ++ for items in self.application_liststore: + if app == items[0]: + return True + return False +@@ -1114,7 +1111,7 @@ class SELinuxGui(): def executable_files_initialize(self, application): self.entrypoints = sepolicy.get_entrypoints(application) @@ -261157,7 +261523,7 @@ index 0123e6c..108d9e4 100644 if len(self.entrypoints[exe]) == 0: continue file_class = self.entrypoints[exe][1] -@@ -1151,7 +1154,7 @@ class SELinuxGui(): +@@ -1151,7 +1148,7 @@ class SELinuxGui(): def writable_files_initialize(self, application): # Traversing the dictionary data struct self.writable_files = sepolicy.get_writable_files(application) @@ -261166,7 +261532,7 @@ index 0123e6c..108d9e4 100644 if len(self.writable_files[write]) < 2: self.files_initial_data_insert(self.writable_files_liststore, None, write, _("all files")) continue -@@ -1194,7 +1197,7 @@ class SELinuxGui(): +@@ -1194,7 +1191,7 @@ class SELinuxGui(): def application_files_initialize(self, application): self.file_types = sepolicy.get_file_types(application) @@ -261175,7 +261541,7 @@ index 0123e6c..108d9e4 100644 if len(self.file_types[app]) == 0: continue file_class = self.file_types[app][1] -@@ -1367,8 +1370,8 @@ class SELinuxGui(): +@@ -1367,8 +1364,8 @@ class SELinuxGui(): self.treeview = self.network_in_treeview category = _("listen for inbound connections") 
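Review bot: In `advanced_item_button_push` the selected iter is converted twice — `model.convert_iter_to_child_iter(iter)` and then `self.advanced_search_filter.convert_iter_to_child_iter(iter)` — but with the treeview now backed by `advanced_search_sort`, which this commit's `__init__` hunk assigns from the same `"advanced_filter"` object as `advanced_search_filter`, the first call already yields a liststore iter and the second is applied to an iter the filter does not own; if that reading is right, delete the second conversion (`advanced_item_selected` just below converts only once). In `combo_box_add`, `if val == None:` should be `if val is None:`, and `val1` deserves a real name — both call sites pass the domain as the second column, so `def combo_box_add(self, val, domain):`. The `network_initialize` lines also mix `, check_bools=True` and `,check_bools=True`; pick one spacing.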
@@ -261186,7 +261552,7 @@ index 0123e6c..108d9e4 100644 self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) if self.transitions_radio_button.get_active(): -@@ -1439,7 +1442,7 @@ class SELinuxGui(): +@@ -1439,7 +1436,7 @@ class SELinuxGui(): sort_column, _ = model.get_sort_column_id() val1 = self.unmarkup(model.get_value(row1, sort_column)) val2 = self.unmarkup(model.get_value(row2, sort_column)) @@ -261195,7 +261561,16 @@ index 0123e6c..108d9e4 100644 def display_more_detail(self, windows, path): it = self.boolean_filter.get_iter(path) -@@ -1636,7 +1639,7 @@ class SELinuxGui(): +@@ -1625,7 +1622,7 @@ class SELinuxGui(): + self.files_type_combolist.clear() + self.files_class_combolist.clear() + compare = self.strip_domain(self.application) +- for d in self.completion_entry_model: ++ for d in self.application_liststore: + if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"): + exclude_list.append(self.strip_domain(d[0])) + +@@ -1636,7 +1633,7 @@ class SELinuxGui(): self.files_class_combolist.set_value(iter, 0, sepolicy.file_type_str[files]) if ipage == EXE_PAGE and self.entrypoints != None: @@ -261204,7 +261579,7 @@ index 0123e6c..108d9e4 100644 if exe.startswith(compare): iter = self.files_type_combolist.append() self.files_type_combolist.set_value(iter, 0, exe) -@@ -1646,7 +1649,7 @@ class SELinuxGui(): +@@ -1646,7 +1643,7 @@ class SELinuxGui(): self.files_class_combobox.set_sensitive(False) elif ipage == WRITABLE_PAGE and self.writable_files != None: 
@@ -261213,7 +261588,7 @@ index 0123e6c..108d9e4 100644 if write.startswith(compare) and not self.exclude_type(write, exclude_list) and write in self.file_types: iter = self.files_type_combolist.append() self.files_type_combolist.set_value(iter, 0, write) -@@ -1663,7 +1666,7 @@ class SELinuxGui(): +@@ -1663,7 +1660,7 @@ class SELinuxGui(): self.more_types_files_liststore.set_value(iter, 0, app) self.files_class_combobox.set_active(0) except AttributeError: @@ -261222,8 +261597,17 @@ index 0123e6c..108d9e4 100644 pass self.files_type_combobox.set_active(0) self.files_mls_entry.set_text("s0") -@@ -1710,7 +1713,7 @@ class SELinuxGui(): - netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind") +@@ -1704,13 +1701,13 @@ class SELinuxGui(): + + try: + if ipage == OUTBOUND_PAGE: +- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect") ++ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect", check_bools = True) + elif ipage == INBOUND_PAGE: +- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind") +- netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind") ++ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind", check_bools = True) ++ netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools = True) port_types = [] - for k in netd.keys(): @@ -261231,7 +261615,7 @@ index 0123e6c..108d9e4 100644 for t,ports in netd[k]: if t not in port_types + ["port_t", "unreserved_port_t"]: if t.endswith("_type"): -@@ -1805,7 +1808,7 @@ class SELinuxGui(): +@@ -1805,7 +1802,7 @@ class SELinuxGui(): self.wait_mouse() try: self.dbus.semanage(update_buffer) 
@@ -261240,7 +261624,7 @@ index 0123e6c..108d9e4 100644 self.error(e) self.ready_mouse() -@@ -1883,7 +1886,7 @@ class SELinuxGui(): +@@ -1883,7 +1880,7 @@ class SELinuxGui(): tree.set_value(iter, 2, fclass) def restore_to_default(self, *args): @@ -261249,7 +261633,7 @@ index 0123e6c..108d9e4 100644 def invalid_entry_retry(self, *args): self.closewindow(self.error_check_window) -@@ -2136,7 +2139,7 @@ class SELinuxGui(): +@@ -2136,7 +2133,7 @@ class SELinuxGui(): def on_save_delete_file_equiv_clicked(self, *args): for delete in self.files_delete_liststore: @@ -261258,7 +261642,7 @@ index 0123e6c..108d9e4 100644 def on_toggle_update(self, cell, path, model): model[path][0] = not model[path][0] -@@ -2444,8 +2447,8 @@ class SELinuxGui(): +@@ -2444,8 +2441,8 @@ class SELinuxGui(): self.wait_mouse() try: self.dbus.semanage(update_buffer) 
@@ -261269,7 +261653,79 @@ index 0123e6c..108d9e4 100644 self.ready_mouse() self.init_cur() -@@ -2727,8 +2730,8 @@ class SELinuxGui(): +@@ -2539,34 +2536,7 @@ class SELinuxGui(): + self.network_mls_label.set_visible(advanced) + self.network_mls_entry.set_visible(advanced) + +- def advanced_search_initialize(self, path): +- try: +- if path[0] == '/': +- domain = sepolicy.get_init_transtype(path) +- else: +- domain = path +- except IndexError: +- return +- except OSError: +- return +- iter = self.advanced_search_liststore.append() +- self.advanced_search_liststore.set_value(iter, 0, path) +- self.advanced_search_liststore.set_value(iter, 1, domain) +- user_types = sepolicy.get_user_types() +- if domain in user_types + ['initrc_t']: +- return +- +- entrypoints = sepolicy.get_entrypoints(domain) +- # From entry_point = 0 to the number of keys in the dic +- for exe in entrypoints: +- if len(entrypoints[exe]): +- file_class = entrypoints[exe][1] +- for path in entrypoints[exe][0]: +- iter = self.advanced_search_liststore.append() +- self.advanced_search_liststore.set_value(iter, 1, domain) +- self.advanced_search_liststore.set_value(iter, 0, path) +- +- def advanced_label_main(self, label, *args): ++ def on_show_advanced_search_window(self, label, *args): + if label.get_text() == ADVANCED_SEARCH_LABEL[1]: + label.set_text(ADVANCED_SEARCH_LABEL[0]) + self.close_popup() +@@ -2574,25 +2544,6 @@ class SELinuxGui(): + label.set_text(ADVANCED_SEARCH_LABEL[1]) + self.show_popup(self.advanced_search_window) + +- def advanced_radio_select(self, button): +- label = "" +- if button.get_active(): +- label = button.get_label() +- if label == '': +- return +- self.advanced_search_liststore.clear() +- if label == "All": +- for items in self.all_list: +- self.advanced_search_initialize(items) +- self.idle_func() +- +- elif label == "Installed": +- if self.installed_list == []: +- return +- for items in self.installed_list: +- self.advanced_search_initialize(items) +- self.idle_func() +- 
+ def set_enforce_text(self, value): + if value: + self.status_bar.push(self.context_id, _("System Status: Enforcing")) +@@ -2601,6 +2552,9 @@ class SELinuxGui(): + self.current_status_permissive.set_active(True) + + def set_enforce(self, button): ++ if not self.finish_init: ++ return ++ + self.dbus.setenforce(button.get_active()) + self.set_enforce_text(button.get_active()) + +@@ -2727,8 +2681,8 @@ class SELinuxGui(): if not active and not exists: return try: @@ -262984,22 +263440,36 @@ index ba15b2c..1765b1c 100755 SELinux policy also controls which roles can transition to a different role. You can list these rules using the following command. diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py -index 3a75d7c..d1bcd65 100755 +index 3a75d7c..dca1b79 100755 --- a/policycoreutils/sepolicy/sepolicy/network.py 
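Review bot: The new early return in `set_enforce` (`if not self.finish_init: return`) carries no explanation of why a toggle is dropped; presumably the radio buttons emit `toggled` while their initial state is being set during construction, and this prevents a spurious `self.dbus.setenforce(...)` call — a privileged D-Bus operation — before the user has touched anything, but a reader cannot tell that from the code. Suggest `# Ignore toggles fired while the window is still being built; only user-driven changes may call setenforce over D-Bus.` Since `finish_init` is set elsewhere (outside this hunk), a comment at its assignment naming set_enforce as a consumer would also help.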
+++ b/policycoreutils/sepolicy/sepolicy/network.py -@@ -28,9 +28,9 @@ def get_types(src, tclass, perm): +@@ -24,20 +24,22 @@ import sepolicy + search=sepolicy.search + info=sepolicy.info + +-def get_types(src, tclass, perm): ++def get_types(src, tclass, perm, check_bools=False): allows=search([sepolicy.ALLOW],{sepolicy.SOURCE:src,sepolicy.CLASS:tclass, sepolicy.PERMS:perm}) nlist=[] if allows: - for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): -- if i not in nlist: -- nlist.append(i) -+ for i in [y[sepolicy.TARGET] for y in [x for x in allows if set(perm).issubset(x[sepolicy.PERMS])]]: -+ if i not in nlist: -+ nlist.append(i) ++ for i in [y[sepolicy.TARGET] for y in ++ [x for x in allows ++ if set(perm).issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"])]]: + if i not in nlist: + nlist.append(i) return nlist +-def get_network_connect(src, protocol, perm): ++def get_network_connect(src, protocol, perm, check_bools=False): + portrecs, portrecsbynum = sepolicy.gen_port_dict() + d={} +- tlist = get_types(src, "%s_socket" % protocol, [perm]) ++ tlist = get_types(src, "%s_socket" % protocol, [perm], check_bools) + if len(tlist) > 0: + d[(src,protocol,perm)] = [] + for i in tlist: diff --git a/policycoreutils/sepolicy/sepolicy/sedbus.py b/policycoreutils/sepolicy/sepolicy/sedbus.py index c6645ef..8965795 100644 --- a/policycoreutils/sepolicy/sepolicy/sedbus.py 
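Review bot: The new `check_bools` parameter on get_types and get_network_connect is undocumented, and the nested comprehension that applies it (`[y[sepolicy.TARGET] for y in [x for x in allows if ...]]`) is hard to read for what is a filter-and-dedupe loop. The default of False keeps the old behaviour in which allow rules gated by a currently-off boolean are still reported, so callers that present ports as "allowed" need to opt in; that is worth a docstring, together with the assumption that each search result carries an `"enabled"` field reflecting the boolean state (a bare string key here, unlike the `sepolicy.SOURCE`/`TARGET`/`PERMS` constants used beside it). A flat loop expresses the same filter more plainly:
```python
def get_types(src, tclass, perm, check_bools=False):
    """Return the target types *src* may access with *perm* on class *tclass*.

    With check_bools=True, rules whose "enabled" field is false are skipped;
    the default reports every matching allow rule, as before.
    """
    # … unchanged: search() call and nlist = [] …
    if allows:
        for rule in allows:
            if not set(perm).issubset(rule[sepolicy.PERMS]):
                continue
            if check_bools and not rule["enabled"]:
                continue
            target = rule[sepolicy.TARGET]
            if target not in nlist:
                nlist.append(target)
    return nlist
```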
@@ -263012,6 +263482,129 @@ index c6645ef..8965795 100644 - print e + except dbus.DBusException as e: + print (e) +diff --git a/policycoreutils/sepolicy/sepolicy/sepolicy.glade b/policycoreutils/sepolicy/sepolicy/sepolicy.glade +index 1275c7f..e3137db 100644 +--- a/policycoreutils/sepolicy/sepolicy/sepolicy.glade ++++ b/policycoreutils/sepolicy/sepolicy/sepolicy.glade +@@ -2,7 +2,7 @@ + + + +- ++ + + + +@@ -82,7 +82,7 @@ + + + +- ++ + + + True +@@ -225,7 +225,7 @@ + + + +- Advanced_search_liststore ++ application_liststore + + + advanced_filter +@@ -256,24 +256,6 @@ + + application_files_filter + +- +- +- +- +- +- +- +- application_liststore +- +- +- application_filter +- +- +- +- +- +- +- + + + +@@ -4328,46 +4310,7 @@ allow alternative access control. + 0 + + +- +- +- All +- True +- True +- False +- 0.5 +- True +- True +- +- +- +- True +- True +- 1 +- +- +- +- +- Installed +- True +- True +- False +- 0.5 +- True +- All_advanced_button +- +- +- +- True +- True +- 2 +- +- + +- +- False +- True +- 0 +- + + + +@@ -4377,7 +4320,6 @@ allow alternative access control. + + True + True +- advanced_sort + False + + +diff --git a/policycoreutils/sepolicy/sepolicy/templates/executable.py b/policycoreutils/sepolicy/sepolicy/templates/executable.py +index 4b9534d..0db6b9c 100644 +--- a/policycoreutils/sepolicy/sepolicy/templates/executable.py ++++ b/policycoreutils/sepolicy/sepolicy/templates/executable.py +@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles; + type TEMPLATETYPE_t; + type TEMPLATETYPE_exec_t; + application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) ++role TEMPLATETYPE_roles types TEMPLATETYPE_t; + + permissive TEMPLATETYPE_t; + """ diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py index 16a2208..d8ee42f 100644 --- a/policycoreutils/sepolicy/sepolicy/templates/spec.py diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index 263cdf4..6a3144b 100644 
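Review bot: The line `role TEMPLATETYPE_roles types TEMPLATETYPE_t;` added to the executable.py template has no comment saying why the generated policy needs it, and a reader has to connect it to the `roleattribute system_r TEMPLATETYPE_roles;` line a few lines up. A `.te` comment placed above it, `# authorize the roles collected in TEMPLATETYPE_roles (system_r, see roleattribute above) to run in the TEMPLATETYPE_t domain`, would make the intent explicit in every generated module. The glade changes earlier in this hunk are collapsed XML and cannot be reviewed in this form.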
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch 
@@ -1,131 +1,13 @@ -diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py -index d636091..56919be 100644 ---- a/sepolgen/src/sepolgen/audit.py -+++ b/sepolgen/src/sepolgen/audit.py -@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage): - raise ValueError("Error during access vector computation") - - if self.type == audit2why.CONSTRAINT: -- self.data = [] -+ self.data = [ self.data ] - if self.scontext.user != self.tcontext.user: -- self.data.append("user") -+ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user)) - if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r": -- self.data.append("role") -+ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role)) - if self.scontext.level != self.tcontext.level: -- self.data.append("level") -+ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level)) - - avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data) - -diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py -index cc9f8ea..ce643e5 100644 ---- a/sepolgen/src/sepolgen/policygen.py -+++ b/sepolgen/src/sepolgen/policygen.py -@@ -161,21 +161,21 @@ class PolicyGenerator: - if self.explain: - rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain))) - if av.type == audit2why.ALLOW: -- rule.comment += "#!!!! This avc is allowed in the current policy\n" -+ rule.comment += "\n#!!!! This avc is allowed in the current policy" - if av.type == audit2why.DONTAUDIT: -- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" -+ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy" - - if av.type == audit2why.BOOLEAN: - if len(av.data) > 1: -- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data)) -+ rule.comment += "\n#!!!! 
This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data)) - else: -- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0] -+ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0] - - if av.type == audit2why.CONSTRAINT: -- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n" -- rule.comment += "#Constraint rule: " -- for reason in av.data: -- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason -+ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n" -+ rule.comment += "#Constraint rule: \n\t" + av.data[0] -+ for reason in av.data[1:]: -+ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason - - try: - if ( av.type == audit2why.TERULE and -@@ -189,9 +189,9 @@ class PolicyGenerator: - if i not in self.domains: - types.append(i) - if len(types) == 1: -- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) -+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) - elif len(types) >= 1: -- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) -+ rule.comment += "\n#!!!! 
The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) - except: - pass - self.module.children.append(rule) -diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py -index 7b76261..a05d9d1 100644 ---- a/sepolgen/src/sepolgen/refparser.py -+++ b/sepolgen/src/sepolgen/refparser.py -@@ -65,6 +65,7 @@ tokens = ( - 'BAR', - 'EXPL', - 'EQUAL', -+ 'FILENAME', - 'IDENTIFIER', - 'NUMBER', - 'PATH', -@@ -249,11 +250,17 @@ def t_refpolicywarn(t): - t.lexer.lineno += 1 - - def t_IDENTIFIER(t): -- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*' -+ r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*' - # Handle any keywords - t.type = reserved.get(t.value,'IDENTIFIER') - return t - -+def t_FILENAME(t): -+ r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"' -+ # Handle any keywords -+ t.type = reserved.get(t.value,'FILENAME') -+ return t -+ - def t_comment(t): - r'\#.*\n' - # Ignore all comments -@@ -450,6 +457,7 @@ def p_interface_call_param(p): - | nested_id_set - | TRUE - | FALSE -+ | FILENAME - ''' - # Intentionally let single identifiers pass through - # List means set, non-list identifier -@@ -461,6 +469,7 @@ def p_interface_call_param(p): - def p_interface_call_param_list(p): - '''interface_call_param_list : interface_call_param - | interface_call_param_list COMMA interface_call_param -+ | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list - ''' - if len(p) == 2: - p[0] = [p[1]] -@@ -787,6 +796,7 @@ def p_avrule_def(p): - - def p_typerule_def(p): - '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI -+ | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI - | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI - | TYPE_CHANGE names names COLON names IDENTIFIER SEMI - | TYPE_MEMBER names names COLON names IDENTIFIER SEMI -@@ -800,6 +810,7 @@ def p_typerule_def(p): - t.tgt_types = p[3] - t.obj_classes = p[5] - t.dest_type = p[6] -+ 
t.file_name = p[7] - p[0] = t - - def p_bool(p): +diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py +index 3258684..88a6dc3 100644 +--- a/sepolgen/src/sepolgen/interfaces.py ++++ b/sepolgen/src/sepolgen/interfaces.py +@@ -276,7 +276,7 @@ class InterfaceVector: + if attributes: + for typeattribute in interface.typeattributes(): + for attr in typeattribute.attributes: +- if not attributes.has_key(attr): ++ if not attributes.attributes.has_key(attr): + # print "missing attribute " + attr + continue + attr_vec = attributes.attributes[attr] diff --git a/policycoreutils.spec b/policycoreutils.spec index a44776b..bf86d36 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -107,7 +107,6 @@ Requires:libsemanage-python >= %{libsemanagever} libselinux-python libcgroup Requires:audit-libs-python >= %{libauditver} Requires(pre): python >= 2.6 Obsoletes: policycoreutils < 2.0.61-2 -Requires: checkpolicy Requires: python-IPy yum %description python @@ -153,10 +152,6 @@ an SELinux environment. %{_mandir}/man8/sandbox.8* %{_mandir}/man8/semanage*.8* %{_mandir}/ru/man8/semanage.8* -%{_datadir}/system-config-selinux/selinux_server.py -%{_datadir}/dbus-1/system-services/org.selinux.service -%{_datadir}/polkit-1/actions/org.selinux.policy -%{_datadir}/polkit-1/actions/org.selinux.config.policy %{_datadir}/bash-completion/completions/semanage %{_datadir}/bash-completion/completions/setsebool @@ -165,6 +160,7 @@ Summary: SELinux policy core policy devel utilities Group: System Environment/Base Requires: policycoreutils-python = %{version}-%{release} Requires: /usr/bin/make +Requires: checkpolicy Requires: selinux-policy-devel %description devel 
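Review bot: `attributes.attributes.has_key(attr)` in the new interfaces.py hunk keeps the Python 2-only `dict.has_key`, while the same commit converts neighbouring code to forms that also run on Python 3 (`except ... as e`, `print(...)`); `if attr not in attributes.attributes:` is equivalent and portable. The fix itself — looking the attribute up in `attributes.attributes` rather than on the `attributes` object, matching the `attr_vec = attributes.attributes[attr]` line below it — is consistent as far as the visible lines show. The enclosing InterfaceVector method begins and ends outside the hunk. The remainder of this hunk drops the previous sepolgen patch content and is not re-reviewed here.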
@@ -270,6 +266,10 @@ system-config-selinux is a utility for managing the SELinux environment %{_mandir}/man8/system-config-selinux.8* %{_mandir}/man8/selinux-polgengui.8* %{_mandir}/man8/sepolicy-gui.8* +%{_datadir}/system-config-selinux/selinux_server.py +%{_datadir}/dbus-1/system-services/org.selinux.service +%{_datadir}/polkit-1/actions/org.selinux.policy +%{_datadir}/polkit-1/actions/org.selinux.config.policy %post gui /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -305,10 +305,6 @@ fi %{_mandir}/ru/man8/restorecon.8* %{_mandir}/man8/semodule.8* %{_mandir}/ru/man8/semodule.8* -%{_mandir}/man8/semodule_deps.8* -%{_mandir}/ru/man8/semodule_deps.8* -%{_mandir}/man8/semodule_expand.8* -%{_mandir}/ru/man8/semodule_expand.8* %{_mandir}/man8/sestatus.8* %{_mandir}/ru/man8/sestatus.8* %{_mandir}/man8/setfiles.8* @@ -351,7 +347,9 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog -* Mon Nov 11 2013 Dan Walsh - 2.2.2-1 +* Fri Nov 15 2013 Dan Walsh - 2.2.2-1 +- Speed up startup time of sepolicy gui +- Clean up ports screen to only show enabled ports. - Update to upstream * Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh. * Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
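Review bot: The `selinux_server.py` D-Bus system service and its two polkit action files move from the python subpackage to gui as a set (removed in the hunk at -153 above, added here), which keeps the privileged service and the policy that gates calls to it in the same package; a spec comment above the four entries, `# org.selinux D-Bus service and its polkit actions ship together with the GUI`, would record that they must stay paired. If anything outside the GUI, such as the sepolicy sedbus.py client touched by the rhat patch in this same commit, expects the service on a python-only install, that path now lacks it; I cannot confirm that from the spec alone. The `%files gui` list begins before this hunk.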