Speed up startup time of sepolicy gui

- Clean up ports screen to only show enabled ports.
- Update to upstream
	* Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
	* Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
	* Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
Dan Walsh 2013-11-19 09:07:08 -05:00
parent 667e3a73a2
commit 8ba90df46e
3 changed files with 662 additions and 189 deletions


@ -9,7 +9,7 @@ index 83ebd45..bea9814 100644
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen
index 3967ba5..83c7ecf 100644 index 3967ba5..7f8caaf 100644
--- a/policycoreutils/audit2allow/sepolgen-ifgen --- a/policycoreutils/audit2allow/sepolgen-ifgen
+++ b/policycoreutils/audit2allow/sepolgen-ifgen +++ b/policycoreutils/audit2allow/sepolgen-ifgen
@@ -63,7 +63,7 @@ def parse_options(): @@ -63,7 +63,7 @@ def parse_options():
@ -21,6 +21,46 @@ index 3967ba5..83c7ecf 100644
return p return p
i = selinux.security_policyvers() i = selinux.security_policyvers()
p = selinux.selinux_binary_policy_path() + "." + str(i) p = selinux.selinux_binary_policy_path() + "." + str(i)
@@ -82,7 +82,7 @@ def get_attrs(policy_path):
sys.stderr.write("No installed policy to check\n")
return None
outfile = tempfile.NamedTemporaryFile()
- except IOError, e:
+ except IOError as e:
sys.stderr.write("could not open attribute output file\n")
return None
except OSError:
@@ -100,7 +100,7 @@ def get_attrs(policy_path):
try:
attrs.from_file(outfile)
except:
- print "error parsing attribute info"
+ print("error parsing attribute info")
return None
return attrs
@@ -111,7 +111,7 @@ def main():
# Open the output first to generate errors before parsing
try:
f = open(options.output, "w")
- except IOError, e:
+ except IOError as e:
sys.stderr.write("could not open output file [%s]\n" % options.output)
return 1
@@ -130,9 +130,9 @@ def main():
# Parse the headers
try:
headers = refparser.parse_headers(options.headers, output=log, debug=options.debug)
- except ValueError, e:
- print "error parsing headers"
- print str(e)
+ except ValueError as e:
+ print("error parsing headers")
+ print(str(e))
return 1
if_set = interfaces.InterfaceSet(output=log)
diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile diff --git a/policycoreutils/gui/Makefile b/policycoreutils/gui/Makefile
index 9d9f820..0c2b390 100644 index 9d9f820..0c2b390 100644
--- a/policycoreutils/gui/Makefile --- a/policycoreutils/gui/Makefile
@ -253158,6 +253198,24 @@ index 89201e1..af72868 100644
Type=Application Type=Application
StartupNotify=false StartupNotify=false
X-GNOME-Autostart-enabled=false X-GNOME-Autostart-enabled=false
diff --git a/policycoreutils/restorecond/restorecond.service b/policycoreutils/restorecond/restorecond.service
index 7d64cc5..f560b05 100644
--- a/policycoreutils/restorecond/restorecond.service
+++ b/policycoreutils/restorecond/restorecond.service
@@ -4,9 +4,10 @@ After=syslog.target
ConditionPathExists=/etc/selinux/restorecond.conf
[Service]
-Type=oneshot
-ExecStart=/usr/sbin/restorecond
-RemainAfterExit=yes
+Environment=LANG=C
+
+ExecStart=/usr/sbin/restorecond -d
+ExecStop=/bin/kill -WINCH ${MAINPID}
[Install]
WantedBy=multi-user.target
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index fb5a24c..3668abe 100644 index fb5a24c..3668abe 100644
--- a/policycoreutils/sandbox/sandbox --- a/policycoreutils/sandbox/sandbox
@ -258832,6 +258890,100 @@ index cd1026a..ac44dfe 100644
+ PyModule_AddIntConstant(m, "SENS", SENS); + PyModule_AddIntConstant(m, "SENS", SENS);
+ PyModule_AddIntConstant(m, "CATS", CATS); + PyModule_AddIntConstant(m, "CATS", CATS);
} }
diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
index c0a730c..44ae625 100644
--- a/policycoreutils/sepolicy/org.selinux.policy
+++ b/policycoreutils/sepolicy/org.selinux.policy
@@ -11,8 +11,8 @@
<description>SELinux write access</description>
<message>System policy prevents restorecon access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
@@ -20,8 +20,8 @@
<description>SELinux write access</description>
<message>System policy prevents setenforce access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
@@ -29,8 +29,8 @@
<description>SELinux write access</description>
<message>System policy prevents semanage access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
@@ -38,8 +38,8 @@
<description>SELinux Read access</description>
<message>System policy prevents read access to SELinux</message>
<defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
@@ -47,8 +47,8 @@
<description>SELinux list modules access</description>
<message>System policy prevents read access to SELinux modules</message>
<defaults>
- <allow_any>yes</allow_any>
- <allow_inactive>yes</allow_inactive>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
@@ -56,25 +56,27 @@
<description>SELinux write access</description>
<message>System policy prevents relabel_on_boot access to SELinux</message>
<defaults>
- <allow_any>yes</allow_any>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.change_default_policy">
<description>SELinux write access</description>
<message>System policy prevents change_default_policy access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
<action id="org.selinux.change_policy_type">
<description>SELinux write access</description>
<message>System policy prevents change_policy_type access to SELinux</message>
<defaults>
- <allow_any>auth_admin_keep</allow_any>
- <allow_inactive>auth_admin_keep</allow_inactive>
- <allow_active>auth_admin_keep</allow_active>
+ <allow_any>no</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
</policyconfig>
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 2a9e1c7..365e622 100644 index 2a9e1c7..365e622 100644
--- a/policycoreutils/sepolicy/policy.c --- a/policycoreutils/sepolicy/policy.c
@ -259067,7 +259219,7 @@ index 458a4d2..b6088af 100644
+ except dbus.DBusException as e: + except dbus.DBusException as e:
+ print(e) + print(e)
diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py diff --git a/policycoreutils/sepolicy/selinux_server.py b/policycoreutils/sepolicy/selinux_server.py
index 98dbff4..e5d3103 100644 index 98dbff4..3cfdc94 100644
--- a/policycoreutils/sepolicy/selinux_server.py --- a/policycoreutils/sepolicy/selinux_server.py
+++ b/policycoreutils/sepolicy/selinux_server.py +++ b/policycoreutils/sepolicy/selinux_server.py
@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object): @@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object):
@ -259092,7 +259244,7 @@ index 98dbff4..e5d3103 100644
# another server to make the two systems have duplicate policy. # another server to make the two systems have duplicate policy.
# #
@slip.dbus.polkit.require_auth("org.selinux.customized") @slip.dbus.polkit.require_auth("org.selinux.customized")
@@ -42,7 +42,7 @@ class selinux_server(slip.dbus.service.Object): @@ -42,12 +42,12 @@ class selinux_server(slip.dbus.service.Object):
if p.returncode and p.returncode != 0: if p.returncode and p.returncode != 0:
raise OSError("Failed to read SELinux configuration: %s", output) raise OSError("Failed to read SELinux configuration: %s", output)
return buf return buf
@ -259101,7 +259253,13 @@ index 98dbff4..e5d3103 100644
# #
# The semodule_list method will return the output of semodule -l, using the customized polkit, # The semodule_list method will return the output of semodule -l, using the customized polkit,
# since this is a readonly behaviour # since this is a readonly behaviour
@@ -56,7 +56,7 @@ class selinux_server(slip.dbus.service.Object): #
- @slip.dbus.polkit.require_auth("org.selinux.customized")
+ @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
def semodule_list(self):
p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE)
@@ -56,10 +56,11 @@ class selinux_server(slip.dbus.service.Object):
if p.returncode and p.returncode != 0: if p.returncode and p.returncode != 0:
raise OSError("Failed to list SELinux modules: %s", output) raise OSError("Failed to list SELinux modules: %s", output)
return buf return buf
@ -259110,7 +259268,27 @@ index 98dbff4..e5d3103 100644
# #
# The restorecon method modifies any file path to the default system label # The restorecon method modifies any file path to the default system label
# #
@@ -83,7 +83,7 @@ class selinux_server(slip.dbus.service.Object): + @slip.dbus.polkit.require_auth("org.selinux.restorecon")
@dbus.service.method("org.selinux", in_signature='s')
def restorecon(self, path):
selinux.restorecon(str(path), recursive=1)
@@ -67,6 +68,7 @@ class selinux_server(slip.dbus.service.Object):
#
# The setenforce method turns off the current enforcement of SELinux
#
+ @slip.dbus.polkit.require_auth("org.selinux.setenforce")
@dbus.service.method("org.selinux", in_signature='i')
def setenforce(self, value):
selinux.security_setenforce(value)
@@ -74,6 +76,7 @@ class selinux_server(slip.dbus.service.Object):
#
# The setenforce method turns off the current enforcement of SELinux
#
+ @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
@dbus.service.method("org.selinux", in_signature='i')
def relabel_on_boot(self, value):
if value == 1:
@@ -83,7 +86,7 @@ class selinux_server(slip.dbus.service.Object):
os.unlink("/.autorelabel") os.unlink("/.autorelabel")
def write_selinux_config(self, enforcing=None, policy=None): def write_selinux_config(self, enforcing=None, policy=None):
@ -259119,16 +259297,17 @@ index 98dbff4..e5d3103 100644
backup_path = path + ".bck" backup_path = path + ".bck"
fd = open(path) fd = open(path)
lines = fd.readlines() lines = fd.readlines()
@@ -101,7 +101,7 @@ class selinux_server(slip.dbus.service.Object): @@ -101,26 +104,28 @@ class selinux_server(slip.dbus.service.Object):
os.rename(backup_path, path) os.rename(backup_path, path)
# #
- # The change_default_enforcement modifies the current enforcement mode - # The change_default_enforcement modifies the current enforcement mode
+ # The change_default_enforcement modifies the current enforcement mode + # The change_default_enforcement modifies the current enforcement mode
# #
+ @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
@dbus.service.method("org.selinux", in_signature='s') @dbus.service.method("org.selinux", in_signature='s')
def change_default_mode(self, value): def change_default_mode(self, value):
@@ -109,7 +109,7 @@ class selinux_server(slip.dbus.service.Object): values = [ "enforcing", "permissive", "disabled" ]
if value not in values: if value not in values:
raise ValueError("Enforcement mode must be %s" % ", ".join(values)) raise ValueError("Enforcement mode must be %s" % ", ".join(values))
self.write_selinux_config(enforcing=value) self.write_selinux_config(enforcing=value)
@ -259137,7 +259316,11 @@ index 98dbff4..e5d3103 100644
# #
# The change_default_policy method modifies the policy type # The change_default_policy method modifies the policy type
@@ -120,7 +120,7 @@ class selinux_server(slip.dbus.service.Object): #
+ @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
@dbus.service.method("org.selinux", in_signature='s')
def change_default_policy(self, value):
path = selinux.selinux_path() + value
if os.path.isdir(path): if os.path.isdir(path):
return self.write_selinux_config(policy=value) return self.write_selinux_config(policy=value)
raise ValueError("%s does not exist" % path) raise ValueError("%s does not exist" % path)
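Review bot: The action id on the new decorator added in the preceding hunk, `@slip.dbus.polkit.require_auth("org.selinux.change_default_mode")`, does not match any action id visible in the org.selinux.policy hunks of this same change, which declare `org.selinux.change_default_policy` and `org.selinux.change_policy_type` but nothing named change_default_mode; unless that action is declared somewhere outside the shown hunks, the polkit lookup should fail closed and change_default_mode becomes uncallable rather than gated, so either add the action to org.selinux.policy or use the id the policy already carries. It is worth confirming the other decorators introduced here (`org.selinux.restorecon`, `org.selinux.setenforce`, `org.selinux.relabel_on_boot`, `org.selinux.change_default_policy`) each resolve to a declared action as well, since these D-Bus methods previously ran with no polkit check and the new policy defaults deny allow_any/allow_inactive, leaving the active-session auth_admin_keep path as the only way in. The comment above relabel_on_boot still reads `# The setenforce method turns off the current enforcement of SELinux` and should describe relabel_on_boot (creating or removing /.autorelabel). The enclosing class selinux_server starts and ends outside the hunk.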
@ -259215,6 +259398,19 @@ index 779fd75..29ccbdf 100644
} }
_sepolicy () { _sepolicy () {
local command=${COMP_WORDS[1]} local command=${COMP_WORDS[1]}
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index 96c20fc..3a76976 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
@@ -13,7 +13,7 @@ Common options
Confined Applications
.br
-.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ]
+.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ]
.br
.B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
.br
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index 74fb347..adb6ca5 100755 index 74fb347..adb6ca5 100755
--- a/policycoreutils/sepolicy/sepolicy.py --- a/policycoreutils/sepolicy/sepolicy.py
@ -261047,7 +261243,7 @@ index 6b53035..32ea970 100644
out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file")) out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file"))
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file")) out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py diff --git a/policycoreutils/sepolicy/sepolicy/gui.py b/policycoreutils/sepolicy/sepolicy/gui.py
index 0123e6c..108d9e4 100644 index 0123e6c..ac3e513 100644
--- a/policycoreutils/sepolicy/sepolicy/gui.py --- a/policycoreutils/sepolicy/sepolicy/gui.py
+++ b/policycoreutils/sepolicy/sepolicy/gui.py +++ b/policycoreutils/sepolicy/sepolicy/gui.py
@@ -47,12 +47,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale") @@ -47,12 +47,15 @@ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
@ -261079,23 +261275,51 @@ index 0123e6c..108d9e4 100644
import distutils.sysconfig import distutils.sysconfig
ADVANCED_LABEL = ( _("Advanced >>"), _("Advanced <<") ) ADVANCED_LABEL = ( _("Advanced >>"), _("Advanced <<") )
@@ -106,12 +107,12 @@ class SELinuxGui(): @@ -102,18 +103,13 @@ class SELinuxGui():
def __init__( self , app = None, test = False):
self.finish_init = False
+ self.advanced_init = True
self.opage = START_PAGE
self.dbus = SELinuxDBus() self.dbus = SELinuxDBus()
try: try:
customized = self.dbus.customized() customized = self.dbus.customized()
- except dbus.exceptions.DBusException, e: - except dbus.exceptions.DBusException, e:
- print e - print e
- self.quit()
-
- sepolicy_domains = sepolicy.get_all_domains()
- sepolicy_domains.sort(compare)
- if app and app not in sepolicy_domains:
- self.error(_("%s is not a valid domain" % app))
+ except dbus.exceptions.DBusException as e: + except dbus.exceptions.DBusException as e:
+ print(e) + print(e)
self.quit() self.quit()
sepolicy_domains = sepolicy.get_all_domains() self.init_cur()
- sepolicy_domains.sort(compare) @@ -139,7 +135,7 @@ class SELinuxGui():
+ sepolicy_domains.sort(key=str.lower) self.files_add = False
if app and app not in sepolicy_domains: self.network_add = False
self.error(_("%s is not a valid domain" % app))
self.quit() - self.all_list = []
@@ -234,7 +235,7 @@ class SELinuxGui(): + self.all_domains = []
self.installed_list = []
self.previously_modified = {}
@@ -151,10 +147,10 @@ class SELinuxGui():
self.invalid_entry = False
# Advanced search window ****************************
self.advanced_search_window = builder.get_object("advanced_search_window")
- self.advanced_search_liststore = builder.get_object("Advanced_search_liststore")
- self.advanced_search_liststore.set_sort_column_id(0, Gtk.SortType.ASCENDING)
self.advanced_search_filter = builder.get_object("advanced_filter")
self.advanced_search_filter.set_visible_func(self.filter_the_data)
+ self.advanced_search_sort = builder.get_object("advanced_filter")
+
self.advanced_filter_entry = builder.get_object("advanced_filter_entry")
self.advanced_search_treeview = builder.get_object("advanced_search_treeview")
self.advanced_search = False
@@ -234,7 +230,7 @@ class SELinuxGui():
self.advanced_system.set_visible(False) self.advanced_system.set_visible(False)
self.system_policy_label.set_visible(False) self.system_policy_label.set_visible(False)
self.system_policy_type_combobox.set_visible(False) self.system_policy_type_combobox.set_visible(False)
@ -261104,16 +261328,99 @@ index 0123e6c..108d9e4 100644
self.enforcing_button_default = builder.get_object("Enforcing_button_default") self.enforcing_button_default = builder.get_object("Enforcing_button_default")
self.permissive_button_default = builder.get_object("Permissive_button_default") self.permissive_button_default = builder.get_object("Permissive_button_default")
self.disabled_button_default = builder.get_object("Disabled_button_default") self.disabled_button_default = builder.get_object("Disabled_button_default")
@@ -484,6 +485,8 @@ class SELinuxGui(): @@ -423,12 +419,10 @@ class SELinuxGui():
# Combobox and Entry items **************************
self.combobox_menu = builder.get_object("combobox_org") # This is the combobox box object, aka the arrow next to the entry text bar
- self.combobox_menu_model = builder.get_object("application_liststore")
+ self.application_liststore = builder.get_object("application_liststore")
self.completion_entry = builder.get_object("completion_entry") #self.combobox_menu.get_child()
- self.completion_entry_model = builder.get_object("application_liststore")
self.entrycompletion_obj = builder.get_object("entrycompletion_obj")
#self.entrycompletion_obj = Gtk.EntryCompletion()
- self.entrycompletion_obj.set_model(self.completion_entry_model)
self.entrycompletion_obj.set_minimum_key_length(0)
self.entrycompletion_obj.set_text_column(0)
self.entrycompletion_obj.set_match_func(self.match_func, None)
@@ -483,18 +477,24 @@ class SELinuxGui():
self.loading = 1
path = None path = None
if test: if test:
domains = [ "httpd_t", "abrt_t" ] - domains = [ "httpd_t", "abrt_t" ]
+ if app and app not in domains: + self.all_domains = [ "httpd_t", "abrt_t" ]
+ domains.append(app) + if app and app not in self.all_domains:
+ self.all_domains.append(app)
else: else:
domains = sepolicy_domains - domains = sepolicy_domains
loading_gui.show() - loading_gui.show()
@@ -812,7 +815,7 @@ class SELinuxGui(): - length = len(domains)
- for domain in domains:
+ self.all_domains = sepolicy.get_all_domains()
+ self.all_domains.sort(key=str.lower)
+
+ if app and app not in self.all_domains:
+ self.error(_("%s is not a valid domain" % app))
+ self.quit()
+
+ loading_gui.show()
+ length = len(self.all_domains)
+ for domain in self.all_domains:
# After the user selects a path in the drop down menu call
# get_init_entrypoint_target(entrypoint) to get the transtype
# which will give you the application
- self.combo_box_initialize(domain, None)
- self.advanced_search_initialize(domain)
- self.all_list.append(domain)
+ self.combo_box_add(domain, domain)
self.percentage = float(float(self.loading)/float(length))
self.progress_bar.set_fraction(self.percentage)
self.progress_bar.set_pulse_step(self.percentage)
@@ -504,14 +504,13 @@ class SELinuxGui():
if entrypoint:
path = sepolicy.find_entrypoint_path(entrypoint)
if path:
- self.combo_box_initialize(path, None)
- # Adds all files entrypoint paths that exists on disc
- # into the combobox
- self.advanced_search_initialize(path)
+ self.combo_box_add(path, domain)
self.installed_list.append(path)
self.loading += 1
loading_gui.hide()
+ self.entrycompletion_obj.set_model(self.application_liststore)
+ self.advanced_search_treeview.set_model(self.advanced_search_sort)
dic = {
"on_combo_button_clicked" : self.open_combo_menu,
@@ -543,7 +542,7 @@ class SELinuxGui():
"on_file_equiv_button_clicked" : self.show_file_equiv_page,
"on_app/system_button_clicked" : self.system_interface,
"on_app/users_button_clicked" : self.users_interface,
- "on_main_advanced_label_button_press_event": self.advanced_label_main,
+ "on_show_advanced_search_window": self.on_show_advanced_search_window,
"on_Show_mislabeled_files_toggled" : self.show_mislabeled_files,
"on_Browse_button_files_clicked" : self.browse_for_files,
@@ -559,8 +558,6 @@ class SELinuxGui():
"on_advanced_filter_entry_changed" : self.get_advanced_filter_data,
"on_advanced_search_treeview_row_activated" : self.advanced_item_selected,
"on_Select_advanced_search_clicked" : self.advanced_item_button_push,
- "on_All_advanced_button_toggled" : self.advanced_radio_select,
- "on_Installed_advanced_button_toggled" : self.advanced_radio_select,
"on_info_button_button_press_event" : self.on_help_button,
"on_back_button_clicked" : self.on_help_back_clicked,
"on_forward_button_clicked" : self.on_help_forward_clicked,
@@ -701,7 +698,7 @@ class SELinuxGui():
def match_func(self, completion, key_string, iter, func_data):
try:
- if self.combobox_menu_model.get_value(iter, 0).find(key_string) != -1:
+ if self.application_liststore.get_value(iter, 0).find(key_string) != -1:
return True
return False
except AttributeError:
@@ -812,7 +809,7 @@ class SELinuxGui():
self.set_application_label = True self.set_application_label = True
def resize_wrap(self, *args): def resize_wrap(self, *args):
@ -261122,7 +261429,7 @@ index 0123e6c..108d9e4 100644
def initialize_system_default_mode(self): def initialize_system_default_mode(self):
self.enforce_mode = selinux.selinux_getenforcemode()[1] self.enforce_mode = selinux.selinux_getenforcemode()[1]
@@ -825,7 +828,7 @@ class SELinuxGui(): @@ -825,7 +822,7 @@ class SELinuxGui():
def populate_system_policy(self): def populate_system_policy(self):
selinux_path = selinux.selinux_path() selinux_path = selinux.selinux_path()
@ -261131,7 +261438,7 @@ index 0123e6c..108d9e4 100644
types.sort() types.sort()
ctr = 0 ctr = 0
for item in types: for item in types:
@@ -850,14 +853,14 @@ class SELinuxGui(): @@ -850,14 +847,14 @@ class SELinuxGui():
# Returns true if filter_txt exists within the val # Returns true if filter_txt exists within the val
if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1) : if(val.find(self.filter_txt) != -1 or val.lower().find(self.filter_txt) != -1) :
return True return True
@ -261148,7 +261455,66 @@ index 0123e6c..108d9e4 100644
for t,ports in netd[k]: for t,ports in netd[k]:
pkey = (",".join(ports), protocol) pkey = (",".join(ports), protocol)
if pkey in self.cur_dict["port"]: if pkey in self.cur_dict["port"]:
@@ -1114,7 +1117,7 @@ class SELinuxGui(): @@ -912,11 +909,11 @@ class SELinuxGui():
self.ready_mouse()
def network_initialize(self, app):
- netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect")
+ netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect", check_bools=True)
self.net_update(app, netd, "tcp", OUTBOUND_PAGE, self.network_out_liststore)
- netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind")
+ netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind",check_bools=True)
self.net_update(app, netd, "tcp", INBOUND_PAGE, self.network_in_liststore)
- netd = sepolicy.network.get_network_connect(app, "udp", "name_bind")
+ netd = sepolicy.network.get_network_connect(app, "udp", "name_bind",check_bools=True)
self.net_update(app, netd, "udp", INBOUND_PAGE, self.network_in_liststore)
def network_initial_data_insert(self, model, ports, portType, protocol):
@@ -952,12 +949,12 @@ class SELinuxGui():
iter = liststore.get_iter(index)
return liststore.get_value(iter, 0)
- def combo_box_initialize(self, val, desc):
+ def combo_box_add(self, val, val1):
if val == None:
return
- iter = self.combobox_menu_model.append()
- for f in val:
- self.combobox_menu_model.set_value(iter, 0, val)
+ iter = self.application_liststore.append()
+ self.application_liststore.set_value(iter, 0, val)
+ self.application_liststore.set_value(iter, 1, val1)
def select_type_more(self, *args):
app = self.moreTypes_treeview.get_selection()
@@ -973,7 +970,7 @@ class SELinuxGui():
model, iter = row.get_selected()
iter = model.convert_iter_to_child_iter(iter)
iter = self.advanced_search_filter.convert_iter_to_child_iter(iter)
- app = self.advanced_search_liststore.get_value(iter, 1)
+ app = self.application_liststore.get_value(iter, 1)
if app == None:
return
self.advanced_filter_entry.set_text('')
@@ -985,7 +982,7 @@ class SELinuxGui():
def advanced_item_selected(self, treeview, path, *args):
iter = self.advanced_search_filter.get_iter(path)
iter = self.advanced_search_filter.convert_iter_to_child_iter(iter)
- app = self.advanced_search_liststore.get_value(iter, 1)
+ app = self.application_liststore.get_value(iter, 1)
self.advanced_filter_entry.set_text('')
self.advanced_search_window.hide()
self.reveal_advanced(self.main_advanced_label)
@@ -994,7 +991,7 @@ class SELinuxGui():
def find_application(self, app):
if app and len(app) > 0:
- for items in self.combobox_menu_model:
+ for items in self.application_liststore:
if app == items[0]:
return True
return False
@@ -1114,7 +1111,7 @@ class SELinuxGui():
def executable_files_initialize(self, application): def executable_files_initialize(self, application):
self.entrypoints = sepolicy.get_entrypoints(application) self.entrypoints = sepolicy.get_entrypoints(application)
@ -261157,7 +261523,7 @@ index 0123e6c..108d9e4 100644
if len(self.entrypoints[exe]) == 0: if len(self.entrypoints[exe]) == 0:
continue continue
file_class = self.entrypoints[exe][1] file_class = self.entrypoints[exe][1]
@@ -1151,7 +1154,7 @@ class SELinuxGui(): @@ -1151,7 +1148,7 @@ class SELinuxGui():
def writable_files_initialize(self, application): def writable_files_initialize(self, application):
# Traversing the dictionary data struct # Traversing the dictionary data struct
self.writable_files = sepolicy.get_writable_files(application) self.writable_files = sepolicy.get_writable_files(application)
@ -261166,7 +261532,7 @@ index 0123e6c..108d9e4 100644
if len(self.writable_files[write]) < 2: if len(self.writable_files[write]) < 2:
self.files_initial_data_insert(self.writable_files_liststore, None, write, _("all files")) self.files_initial_data_insert(self.writable_files_liststore, None, write, _("all files"))
continue continue
@@ -1194,7 +1197,7 @@ class SELinuxGui(): @@ -1194,7 +1191,7 @@ class SELinuxGui():
def application_files_initialize(self, application): def application_files_initialize(self, application):
self.file_types = sepolicy.get_file_types(application) self.file_types = sepolicy.get_file_types(application)
@ -261175,7 +261541,7 @@ index 0123e6c..108d9e4 100644
if len(self.file_types[app]) == 0: if len(self.file_types[app]) == 0:
continue continue
file_class = self.file_types[app][1] file_class = self.file_types[app][1]
@@ -1367,8 +1370,8 @@ class SELinuxGui(): @@ -1367,8 +1364,8 @@ class SELinuxGui():
self.treeview = self.network_in_treeview self.treeview = self.network_in_treeview
category = _("listen for inbound connections") category = _("listen for inbound connections")
@ -261186,7 +261552,7 @@ index 0123e6c..108d9e4 100644
self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
if self.transitions_radio_button.get_active(): if self.transitions_radio_button.get_active():
@@ -1439,7 +1442,7 @@ class SELinuxGui(): @@ -1439,7 +1436,7 @@ class SELinuxGui():
sort_column, _ = model.get_sort_column_id() sort_column, _ = model.get_sort_column_id()
val1 = self.unmarkup(model.get_value(row1, sort_column)) val1 = self.unmarkup(model.get_value(row1, sort_column))
val2 = self.unmarkup(model.get_value(row2, sort_column)) val2 = self.unmarkup(model.get_value(row2, sort_column))
@ -261195,7 +261561,16 @@ index 0123e6c..108d9e4 100644
def display_more_detail(self, windows, path): def display_more_detail(self, windows, path):
it = self.boolean_filter.get_iter(path) it = self.boolean_filter.get_iter(path)
@@ -1636,7 +1639,7 @@ class SELinuxGui(): @@ -1625,7 +1622,7 @@ class SELinuxGui():
self.files_type_combolist.clear()
self.files_class_combolist.clear()
compare = self.strip_domain(self.application)
- for d in self.completion_entry_model:
+ for d in self.application_liststore:
if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"):
exclude_list.append(self.strip_domain(d[0]))
@@ -1636,7 +1633,7 @@ class SELinuxGui():
self.files_class_combolist.set_value(iter, 0, sepolicy.file_type_str[files]) self.files_class_combolist.set_value(iter, 0, sepolicy.file_type_str[files])
if ipage == EXE_PAGE and self.entrypoints != None: if ipage == EXE_PAGE and self.entrypoints != None:
@ -261204,7 +261579,7 @@ index 0123e6c..108d9e4 100644
if exe.startswith(compare): if exe.startswith(compare):
iter = self.files_type_combolist.append() iter = self.files_type_combolist.append()
self.files_type_combolist.set_value(iter, 0, exe) self.files_type_combolist.set_value(iter, 0, exe)
@@ -1646,7 +1649,7 @@ class SELinuxGui(): @@ -1646,7 +1643,7 @@ class SELinuxGui():
self.files_class_combobox.set_sensitive(False) self.files_class_combobox.set_sensitive(False)
elif ipage == WRITABLE_PAGE and self.writable_files != None: elif ipage == WRITABLE_PAGE and self.writable_files != None:
@ -261213,7 +261588,7 @@ index 0123e6c..108d9e4 100644
if write.startswith(compare) and not self.exclude_type(write, exclude_list) and write in self.file_types: if write.startswith(compare) and not self.exclude_type(write, exclude_list) and write in self.file_types:
iter = self.files_type_combolist.append() iter = self.files_type_combolist.append()
self.files_type_combolist.set_value(iter, 0, write) self.files_type_combolist.set_value(iter, 0, write)
@@ -1663,7 +1666,7 @@ class SELinuxGui(): @@ -1663,7 +1660,7 @@ class SELinuxGui():
self.more_types_files_liststore.set_value(iter, 0, app) self.more_types_files_liststore.set_value(iter, 0, app)
self.files_class_combobox.set_active(0) self.files_class_combobox.set_active(0)
except AttributeError: except AttributeError:
@ -261222,8 +261597,17 @@ index 0123e6c..108d9e4 100644
pass pass
self.files_type_combobox.set_active(0) self.files_type_combobox.set_active(0)
self.files_mls_entry.set_text("s0") self.files_mls_entry.set_text("s0")
@@ -1710,7 +1713,7 @@ class SELinuxGui(): @@ -1704,13 +1701,13 @@ class SELinuxGui():
netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind")
try:
if ipage == OUTBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect", check_bools = True)
elif ipage == INBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind")
- netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind", check_bools = True)
+ netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools = True)
port_types = [] port_types = []
- for k in netd.keys(): - for k in netd.keys():
@ -261231,7 +261615,7 @@ index 0123e6c..108d9e4 100644
for t,ports in netd[k]: for t,ports in netd[k]:
if t not in port_types + ["port_t", "unreserved_port_t"]: if t not in port_types + ["port_t", "unreserved_port_t"]:
if t.endswith("_type"): if t.endswith("_type"):
@@ -1805,7 +1808,7 @@ class SELinuxGui(): @@ -1805,7 +1802,7 @@ class SELinuxGui():
self.wait_mouse() self.wait_mouse()
try: try:
self.dbus.semanage(update_buffer) self.dbus.semanage(update_buffer)
@ -261240,7 +261624,7 @@ index 0123e6c..108d9e4 100644
self.error(e) self.error(e)
self.ready_mouse() self.ready_mouse()
@@ -1883,7 +1886,7 @@ class SELinuxGui(): @@ -1883,7 +1880,7 @@ class SELinuxGui():
tree.set_value(iter, 2, fclass) tree.set_value(iter, 2, fclass)
def restore_to_default(self, *args): def restore_to_default(self, *args):
@ -261249,7 +261633,7 @@ index 0123e6c..108d9e4 100644
def invalid_entry_retry(self, *args): def invalid_entry_retry(self, *args):
self.closewindow(self.error_check_window) self.closewindow(self.error_check_window)
@@ -2136,7 +2139,7 @@ class SELinuxGui(): @@ -2136,7 +2133,7 @@ class SELinuxGui():
def on_save_delete_file_equiv_clicked(self, *args): def on_save_delete_file_equiv_clicked(self, *args):
for delete in self.files_delete_liststore: for delete in self.files_delete_liststore:
@ -261258,7 +261642,7 @@ index 0123e6c..108d9e4 100644
def on_toggle_update(self, cell, path, model): def on_toggle_update(self, cell, path, model):
model[path][0] = not model[path][0] model[path][0] = not model[path][0]
@@ -2444,8 +2447,8 @@ class SELinuxGui(): @@ -2444,8 +2441,8 @@ class SELinuxGui():
self.wait_mouse() self.wait_mouse()
try: try:
self.dbus.semanage(update_buffer) self.dbus.semanage(update_buffer)
@ -261269,7 +261653,79 @@ index 0123e6c..108d9e4 100644
self.ready_mouse() self.ready_mouse()
self.init_cur() self.init_cur()
@@ -2727,8 +2730,8 @@ class SELinuxGui(): @@ -2539,34 +2536,7 @@ class SELinuxGui():
self.network_mls_label.set_visible(advanced)
self.network_mls_entry.set_visible(advanced)
- def advanced_search_initialize(self, path):
- try:
- if path[0] == '/':
- domain = sepolicy.get_init_transtype(path)
- else:
- domain = path
- except IndexError:
- return
- except OSError:
- return
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 0, path)
- self.advanced_search_liststore.set_value(iter, 1, domain)
- user_types = sepolicy.get_user_types()
- if domain in user_types + ['initrc_t']:
- return
-
- entrypoints = sepolicy.get_entrypoints(domain)
- # From entry_point = 0 to the number of keys in the dic
- for exe in entrypoints:
- if len(entrypoints[exe]):
- file_class = entrypoints[exe][1]
- for path in entrypoints[exe][0]:
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 1, domain)
- self.advanced_search_liststore.set_value(iter, 0, path)
-
- def advanced_label_main(self, label, *args):
+ def on_show_advanced_search_window(self, label, *args):
if label.get_text() == ADVANCED_SEARCH_LABEL[1]:
label.set_text(ADVANCED_SEARCH_LABEL[0])
self.close_popup()
@@ -2574,25 +2544,6 @@ class SELinuxGui():
label.set_text(ADVANCED_SEARCH_LABEL[1])
self.show_popup(self.advanced_search_window)
- def advanced_radio_select(self, button):
- label = ""
- if button.get_active():
- label = button.get_label()
- if label == '':
- return
- self.advanced_search_liststore.clear()
- if label == "All":
- for items in self.all_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
- elif label == "Installed":
- if self.installed_list == []:
- return
- for items in self.installed_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
def set_enforce_text(self, value):
if value:
self.status_bar.push(self.context_id, _("System Status: Enforcing"))
@@ -2601,6 +2552,9 @@ class SELinuxGui():
self.current_status_permissive.set_active(True)
def set_enforce(self, button):
+ if not self.finish_init:
+ return
+
self.dbus.setenforce(button.get_active())
self.set_enforce_text(button.get_active())
@@ -2727,8 +2681,8 @@ class SELinuxGui():
if not active and not exists: if not active and not exists:
return return
try: try:
@ -262984,22 +263440,36 @@ index ba15b2c..1765b1c 100755
SELinux policy also controls which roles can transition to a different role. SELinux policy also controls which roles can transition to a different role.
You can list these rules using the following command. You can list these rules using the following command.
diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py
index 3a75d7c..d1bcd65 100755 index 3a75d7c..dca1b79 100755
--- a/policycoreutils/sepolicy/sepolicy/network.py --- a/policycoreutils/sepolicy/sepolicy/network.py
+++ b/policycoreutils/sepolicy/sepolicy/network.py +++ b/policycoreutils/sepolicy/sepolicy/network.py
@@ -28,9 +28,9 @@ def get_types(src, tclass, perm): @@ -24,20 +24,22 @@ import sepolicy
search=sepolicy.search
info=sepolicy.info
-def get_types(src, tclass, perm):
+def get_types(src, tclass, perm, check_bools=False):
allows=search([sepolicy.ALLOW],{sepolicy.SOURCE:src,sepolicy.CLASS:tclass, sepolicy.PERMS:perm}) allows=search([sepolicy.ALLOW],{sepolicy.SOURCE:src,sepolicy.CLASS:tclass, sepolicy.PERMS:perm})
nlist=[] nlist=[]
if allows: if allows:
- for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): - for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
- if i not in nlist: + for i in [y[sepolicy.TARGET] for y in
- nlist.append(i) + [x for x in allows
+ for i in [y[sepolicy.TARGET] for y in [x for x in allows if set(perm).issubset(x[sepolicy.PERMS])]]: + if set(perm).issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"])]]:
+ if i not in nlist: if i not in nlist:
+ nlist.append(i) nlist.append(i)
return nlist return nlist
-def get_network_connect(src, protocol, perm):
+def get_network_connect(src, protocol, perm, check_bools=False):
portrecs, portrecsbynum = sepolicy.gen_port_dict()
d={}
- tlist = get_types(src, "%s_socket" % protocol, [perm])
+ tlist = get_types(src, "%s_socket" % protocol, [perm], check_bools)
if len(tlist) > 0:
d[(src,protocol,perm)] = []
for i in tlist:
diff --git a/policycoreutils/sepolicy/sepolicy/sedbus.py b/policycoreutils/sepolicy/sepolicy/sedbus.py diff --git a/policycoreutils/sepolicy/sepolicy/sedbus.py b/policycoreutils/sepolicy/sepolicy/sedbus.py
index c6645ef..8965795 100644 index c6645ef..8965795 100644
--- a/policycoreutils/sepolicy/sepolicy/sedbus.py --- a/policycoreutils/sepolicy/sepolicy/sedbus.py
@ -263012,6 +263482,129 @@ index c6645ef..8965795 100644
- print e - print e
+ except dbus.DBusException as e: + except dbus.DBusException as e:
+ print (e) + print (e)
diff --git a/policycoreutils/sepolicy/sepolicy/sepolicy.glade b/policycoreutils/sepolicy/sepolicy/sepolicy.glade
index 1275c7f..e3137db 100644
--- a/policycoreutils/sepolicy/sepolicy/sepolicy.glade
+++ b/policycoreutils/sepolicy/sepolicy/sepolicy.glade
@@ -2,7 +2,7 @@
<!-- Generated with glade 3.16.0 on Fri Oct 11 08:24:19 2013 -->
<interface>
<!-- interface-requires gtk+ 3.8 -->
- <object class="GtkListStore" id="Advanced_search_liststore">
+ <object class="GtkListStore" id="application_liststore">
<columns>
<!-- column-name Application -->
<column type="gchararray"/>
@@ -82,7 +82,7 @@
<attributes>
<attribute name="foreground" value="#00004e4e9999"/>
</attributes>
- <signal name="button-press-event" handler="on_main_advanced_label_button_press_event" swapped="no"/>
+ <signal name="button-press-event" handler="on_show_advanced_search_window" swapped="no"/>
</object>
<packing>
<property name="expand">True</property>
@@ -225,7 +225,7 @@
</child>
</object>
<object class="GtkTreeModelFilter" id="advanced_filter">
- <property name="child_model">Advanced_search_liststore</property>
+ <property name="child_model">application_liststore</property>
</object>
<object class="GtkTreeModelSort" id="advanced_sort">
<property name="model">advanced_filter</property>
@@ -256,24 +256,6 @@
<object class="GtkTreeModelSort" id="application_files_sort">
<property name="model">application_files_filter</property>
</object>
- <object class="GtkListStore" id="application_liststore">
- <columns>
- <!-- column-name Application -->
- <column type="gchararray"/>
- </columns>
- </object>
- <object class="GtkTreeModelFilter" id="application_filter">
- <property name="child_model">application_liststore</property>
- </object>
- <object class="GtkTreeModelSort" id="application_sort">
- <property name="model">application_filter</property>
- </object>
- <object class="GtkListStore" id="application_tree_list">
- <columns>
- <!-- column-name Process -->
- <column type="gchararray"/>
- </columns>
- </object>
<object class="GtkListStore" id="boolean_liststore">
<columns>
<!-- column-name Active -->
@@ -4328,46 +4310,7 @@ allow alternative access control.</property>
<property name="position">0</property>
</packing>
</child>
- <child>
- <object class="GtkRadioButton" id="All_advanced_button">
- <property name="label" translatable="yes">All</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="xalign">0.5</property>
- <property name="active">True</property>
- <property name="draw_indicator">True</property>
- <signal name="toggled" handler="on_All_advanced_button_toggled" swapped="no"/>
- </object>
- <packing>
- <property name="expand">True</property>
- <property name="fill">True</property>
- <property name="position">1</property>
- </packing>
- </child>
- <child>
- <object class="GtkRadioButton" id="Installed_advanced_button">
- <property name="label" translatable="yes">Installed</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="xalign">0.5</property>
- <property name="draw_indicator">True</property>
- <property name="group">All_advanced_button</property>
- <signal name="toggled" handler="on_Installed_advanced_button_toggled" swapped="no"/>
- </object>
- <packing>
- <property name="expand">True</property>
- <property name="fill">True</property>
- <property name="position">2</property>
- </packing>
- </child>
</object>
- <packing>
- <property name="expand">False</property>
- <property name="fill">True</property>
- <property name="position">0</property>
- </packing>
</child>
<child>
<object class="GtkScrolledWindow" id="scrolledwindow11">
@@ -4377,7 +4320,6 @@ allow alternative access control.</property>
<object class="GtkTreeView" id="advanced_search_treeview">
<property name="visible">True</property>
<property name="can_focus">True</property>
- <property name="model">advanced_sort</property>
<property name="enable_search">False</property>
<signal name="row-activated" handler="on_advanced_search_treeview_row_activated" swapped="no"/>
<child internal-child="selection">
diff --git a/policycoreutils/sepolicy/sepolicy/templates/executable.py b/policycoreutils/sepolicy/sepolicy/templates/executable.py
index 4b9534d..0db6b9c 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/executable.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/executable.py
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+role TEMPLATETYPE_roles types TEMPLATETYPE_t;
permissive TEMPLATETYPE_t;
"""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
index 16a2208..d8ee42f 100644 index 16a2208..d8ee42f 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py --- a/policycoreutils/sepolicy/sepolicy/templates/spec.py


@ -1,131 +1,13 @@
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py
index d636091..56919be 100644 index 3258684..88a6dc3 100644
--- a/sepolgen/src/sepolgen/audit.py --- a/sepolgen/src/sepolgen/interfaces.py
+++ b/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/interfaces.py
@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage): @@ -276,7 +276,7 @@ class InterfaceVector:
raise ValueError("Error during access vector computation") if attributes:
for typeattribute in interface.typeattributes():
if self.type == audit2why.CONSTRAINT: for attr in typeattribute.attributes:
- self.data = [] - if not attributes.has_key(attr):
+ self.data = [ self.data ] + if not attributes.attributes.has_key(attr):
if self.scontext.user != self.tcontext.user: # print "missing attribute " + attr
- self.data.append("user") continue
+ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user)) attr_vec = attributes.attributes[attr]
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
- self.data.append("role")
+ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
if self.scontext.level != self.tcontext.level:
- self.data.append("level")
+ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index cc9f8ea..ce643e5 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -161,21 +161,21 @@ class PolicyGenerator:
if self.explain:
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
if av.type == audit2why.ALLOW:
- rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ rule.comment += "\n#!!!! This avc is allowed in the current policy"
if av.type == audit2why.DONTAUDIT:
- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
+ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
+ rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data))
else:
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
if av.type == audit2why.CONSTRAINT:
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
- rule.comment += "#Constraint rule: "
- for reason in av.data:
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
+ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
+ for reason in av.data[1:]:
+ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
try:
if ( av.type == audit2why.TERULE and
@@ -189,9 +189,9 @@ class PolicyGenerator:
if i not in self.domains:
types.append(i)
if len(types) == 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
elif len(types) >= 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
except:
pass
self.module.children.append(rule)
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index 7b76261..a05d9d1 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -65,6 +65,7 @@ tokens = (
'BAR',
'EXPL',
'EQUAL',
+ 'FILENAME',
'IDENTIFIER',
'NUMBER',
'PATH',
@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
t.lexer.lineno += 1
def t_IDENTIFIER(t):
- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
+ r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
# Handle any keywords
t.type = reserved.get(t.value,'IDENTIFIER')
return t
+def t_FILENAME(t):
+ r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
+ # Handle any keywords
+ t.type = reserved.get(t.value,'FILENAME')
+ return t
+
def t_comment(t):
r'\#.*\n'
# Ignore all comments
@@ -450,6 +457,7 @@ def p_interface_call_param(p):
| nested_id_set
| TRUE
| FALSE
+ | FILENAME
'''
# Intentionally let single identifiers pass through
# List means set, non-list identifier
@@ -461,6 +469,7 @@ def p_interface_call_param(p):
def p_interface_call_param_list(p):
'''interface_call_param_list : interface_call_param
| interface_call_param_list COMMA interface_call_param
+ | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
'''
if len(p) == 2:
p[0] = [p[1]]
@@ -787,6 +796,7 @@ def p_avrule_def(p):
def p_typerule_def(p):
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
+ | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
| TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
@@ -800,6 +810,7 @@ def p_typerule_def(p):
t.tgt_types = p[3]
t.obj_classes = p[5]
t.dest_type = p[6]
+ t.file_name = p[7]
p[0] = t
def p_bool(p):
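Review bot: The only line the new sepolgen patch adds, `if not attributes.attributes.has_key(attr):`, keeps the Python-2-only `has_key` while the policycoreutils patch in this same commit converts `except ..., e` and `print` statements to forms that run on both Python 2 and 3. The equivalent membership test `if attr not in attributes.attributes:` behaves the same on both interpreters and reads more clearly, so I would take it now rather than in a later port. The enclosing `for attr in typeattribute.attributes:` loop and the InterfaceVector method it belongs to continue outside the hunk. The removed old patch content (the audit.py constraint data, policygen.py comment formatting and refparser.py FILENAME token changes) is presumably dropped because it has been merged upstream; worth confirming the refparser FILENAME grammar is indeed present in the upstream version this rebases onto, since the remaining patch no longer carries it.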


@ -107,7 +107,6 @@ Requires:libsemanage-python >= %{libsemanagever} libselinux-python libcgroup
Requires:audit-libs-python >= %{libauditver} Requires:audit-libs-python >= %{libauditver}
Requires(pre): python >= 2.6 Requires(pre): python >= 2.6
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
Requires: checkpolicy
Requires: python-IPy yum Requires: python-IPy yum
%description python %description python
@ -153,10 +152,6 @@ an SELinux environment.
%{_mandir}/man8/sandbox.8* %{_mandir}/man8/sandbox.8*
%{_mandir}/man8/semanage*.8* %{_mandir}/man8/semanage*.8*
%{_mandir}/ru/man8/semanage.8* %{_mandir}/ru/man8/semanage.8*
%{_datadir}/system-config-selinux/selinux_server.py
%{_datadir}/dbus-1/system-services/org.selinux.service
%{_datadir}/polkit-1/actions/org.selinux.policy
%{_datadir}/polkit-1/actions/org.selinux.config.policy
%{_datadir}/bash-completion/completions/semanage %{_datadir}/bash-completion/completions/semanage
%{_datadir}/bash-completion/completions/setsebool %{_datadir}/bash-completion/completions/setsebool
@ -165,6 +160,7 @@ Summary: SELinux policy core policy devel utilities
Group: System Environment/Base Group: System Environment/Base
Requires: policycoreutils-python = %{version}-%{release} Requires: policycoreutils-python = %{version}-%{release}
Requires: /usr/bin/make Requires: /usr/bin/make
Requires: checkpolicy
Requires: selinux-policy-devel Requires: selinux-policy-devel
%description devel %description devel
@ -270,6 +266,10 @@ system-config-selinux is a utility for managing the SELinux environment
%{_mandir}/man8/system-config-selinux.8* %{_mandir}/man8/system-config-selinux.8*
%{_mandir}/man8/selinux-polgengui.8* %{_mandir}/man8/selinux-polgengui.8*
%{_mandir}/man8/sepolicy-gui.8* %{_mandir}/man8/sepolicy-gui.8*
%{_datadir}/system-config-selinux/selinux_server.py
%{_datadir}/dbus-1/system-services/org.selinux.service
%{_datadir}/polkit-1/actions/org.selinux.policy
%{_datadir}/polkit-1/actions/org.selinux.config.policy
%post gui %post gui
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -305,10 +305,6 @@ fi
%{_mandir}/ru/man8/restorecon.8* %{_mandir}/ru/man8/restorecon.8*
%{_mandir}/man8/semodule.8* %{_mandir}/man8/semodule.8*
%{_mandir}/ru/man8/semodule.8* %{_mandir}/ru/man8/semodule.8*
%{_mandir}/man8/semodule_deps.8*
%{_mandir}/ru/man8/semodule_deps.8*
%{_mandir}/man8/semodule_expand.8*
%{_mandir}/ru/man8/semodule_expand.8*
%{_mandir}/man8/sestatus.8* %{_mandir}/man8/sestatus.8*
%{_mandir}/ru/man8/sestatus.8* %{_mandir}/ru/man8/sestatus.8*
%{_mandir}/man8/setfiles.8* %{_mandir}/man8/setfiles.8*
@ -351,7 +347,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Mon Nov 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-1 * Fri Nov 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-1
- Speed up startup time of sepolicy gui
- Clean up ports screen to only show enabled ports.
- Update to upstream - Update to upstream
* Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh. * Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
* Make yum/extract_rpms optional for sepolicy generate from Dan Walsh. * Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.