From 8c0761612141092a43f6a07d267600b3466063f3 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 22 Feb 2013 17:38:59 +0100 Subject: [PATCH] Do not load interface file by default when sepolicy is called, mov get_all_methods to the sepolicy package --- policycoreutils-rhat.patch | 125 +++++++++++++++++++++++++++++++------ policycoreutils.spec | 7 ++- 2 files changed, 111 insertions(+), 21 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index c071d9e..1431b4c 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -270,14 +270,6 @@ index 0000000..0c2f399 +Categories=System;Security; +X-Desktop-File-Install-Version=0.2 +Keywords=policy;security;selinux;avc;permission;mac; -diff --git a/policycoreutils/gui/sepolgen b/policycoreutils/gui/sepolgen -deleted file mode 100644 -index 2f0c1cc..0000000 ---- a/policycoreutils/gui/sepolgen -+++ /dev/null -@@ -1,2 +0,0 @@ --#!/bin/sh --sepolicy generate $* diff --git a/policycoreutils/gui/system-config-selinux b/policycoreutils/gui/system-config-selinux new file mode 100755 index 0000000..5be5ccd @@ -1546,7 +1538,7 @@ index b25d3b2..7a15d88 100755 sys.exit(0) except ValueError,e: diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py -index 5e7415c..e0f5f86 100644 +index 5e7415c..9f4a774 100644 --- a/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py @@ -37,9 +37,30 @@ CLASS = 'class' 
@@ -1582,7 +1574,33 @@ index 5e7415c..e0f5f86 100644 policies = glob.glob ("%s.*" % path ) policies.sort() return policies[-1] -@@ -54,6 +75,13 @@ def get_all_types(): +@@ -47,6 +68,25 @@ def __get_installed_policy(): + pass + raise ValueError(_("No SELinux Policy installed")) + ++methods = [] ++def get_methods(): ++ global methods ++ if len(methods) > 0: ++ return methods ++ fn = defaults.interface_info() ++ try: ++ fd = open(fn) ++ # List of per_role_template interfaces ++ ifs = interfaces.InterfaceSet() ++ ifs.from_file(fd) ++ methods = ifs.interfaces.keys() ++ fd.close() ++ except: ++ sys.stderr.write("could not open interface info [%s]\n" % fn) ++ sys.exit(1) ++ ++ return methods ++ + all_types = None + def get_all_types(): + global all_types +@@ -54,6 +94,13 @@ def get_all_types(): all_types = map(lambda x: x['name'], info(TYPE)) return all_types @@ -1596,7 +1614,7 @@ index 5e7415c..e0f5f86 100644 role_allows = None def get_all_role_allows(): global role_allows -@@ -71,6 +99,7 @@ def get_all_role_allows(): +@@ -71,6 +118,7 @@ def get_all_role_allows(): return role_allows def get_all_entrypoint_domains(): @@ -1604,7 +1622,7 @@ index 5e7415c..e0f5f86 100644 all_domains = [] types=get_all_types() types.sort() -@@ -81,11 +110,35 @@ def get_all_entrypoint_domains(): +@@ -81,11 +129,35 @@ def get_all_entrypoint_domains(): all_domains.append(m[0]) return all_domains @@ -1641,7 +1659,7 @@ index 5e7415c..e0f5f86 100644 return all_domains roles = None -@@ -139,49 +192,42 @@ def get_all_attributes(): +@@ -139,49 +211,42 @@ def get_all_attributes(): return all_attributes def policy(policy_file): @@ -1711,18 +1729,40 @@ index 5e7415c..e0f5f86 100644 def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): global booleans_dict diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py -index 26f8390..a23ce9b 100644 +index 26f8390..898ec43 100644 --- a/policycoreutils/sepolicy/sepolicy/generate.py 
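Review bot: The new `get_methods()` added to `sepolicy/__init__.py` turns a failed open or parse of the interface file into `sys.exit(1)` from inside a library module, and its bare `except:` also swallows `KeyboardInterrupt` and `SystemExit`, so callers such as `sepolicy.interface` or the GUI cannot recover from or report the condition themselves. The `interface.get()` it replaces raised `ValueError(_("could not open interface info [%s]\n") % fn)` for the same failure, so raising is also the more consistent contract: replace the `except:`/`sys.exit(1)` pair with `except Exception as e:` and `raise ValueError("could not open interface info [%s]: %s" % (fn, e))`. The descriptor is also left open when `ifs.from_file(fd)` raises, which `with open(fn) as fd:` avoids. The cache test `if len(methods) > 0:` re-reads and re-parses the file on every call when it legitimately yields no interfaces; initialising `methods = None` and testing `if methods is not None:` caches the empty result too. `defaults`, `interfaces` and `sys` must already be imported in `__init__.py` for this function to run — none of those imports is visible in the hunk.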
+++ b/policycoreutils/sepolicy/sepolicy/generate.py -@@ -63,7 +63,6 @@ except IOError: +@@ -63,20 +63,6 @@ except IOError: import __builtin__ __builtin__.__dict__['_'] = unicode -user_types = sepolicy.info(sepolicy.ATTRIBUTE,"userdomain")[0]["types"] - methods = [] - fn = defaults.interface_info() - try: -@@ -1037,7 +1036,8 @@ allow %s_t %s_t:%s_socket name_%s; +-methods = [] +-fn = defaults.interface_info() +-try: +- fd = open(fn) +- # List of per_role_template interfaces +- ifs = interfaces.InterfaceSet() +- ifs.from_file(fd) +- methods = ifs.interfaces.keys() +- fd.close() +-except: +- sys.stderr.write("could not open interface info [%s]\n" % fn) +- sys.exit(1) +- + def get_rpm_nvr_from_header(hdr): + 'Given an RPM header return the package NVR as a string' + name = hdr['name'] +@@ -587,7 +573,7 @@ class policy: + def generate_network_action(self, protocol, action, port_name): + line = "" + method = "corenet_%s_%s_%s" % (protocol, action, port_name) +- if method in methods: ++ if method in sepolicy.get_methods(): + line = "%s(%s_t)\n" % (method, self.name) + else: + line = """ +@@ -1037,7 +1023,8 @@ allow %s_t %s_t:%s_socket name_%s; ######################################## # # %s local policy 
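Review bot: `generate_network_action` now evaluates `if method in sepolicy.get_methods():` on every call, and `get_methods()` returns `ifs.interfaces.keys()`, which under the Python 2 this code targets (`except ValueError,e:` elsewhere in the patch) is a plain list, so each protocol/action/port lookup is a linear scan over every interface name in the policy where the old module-level `methods` list had the same cost but was at least built once. Binding the lookup table once, e.g. `methods = frozenset(sepolicy.get_methods())` in the caller that loops over ports, or returning a set from `get_methods()`, makes the membership test O(1). The hunk also deletes the module-level `methods` global and the import-time interface load from generate.py; the one visible use is updated, but any other reference to `methods` in this file — the rest of generate.py is outside the hunk — would now raise `NameError`, so it is worth a grep. The `else:` branch of `generate_network_action` continues past the end of the hunk.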
@@ -1732,6 +1772,53 @@ index 26f8390..a23ce9b 100644 newte += self.generate_capabilities() newte += self.generate_process() newte += self.generate_network_types() +diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py +index 8b063ca..5e92c7c 100644 +--- a/policycoreutils/sepolicy/sepolicy/interface.py ++++ b/policycoreutils/sepolicy/sepolicy/interface.py +@@ -27,7 +27,7 @@ import sepolgen.interfaces as interfaces + import sepolgen.defaults as defaults + ADMIN_TRANSITION_INTERFACE = "_admin$" + USER_TRANSITION_INTERFACE = "_role$" +-from sepolicy.generate import get_all_types ++import selinux + + __all__ = [ 'get', 'get_admin', 'get_user' ] + +@@ -48,24 +48,10 @@ except IOError: + import __builtin__ + __builtin__.__dict__['_'] = unicode + +-def get(): +- """ Get all Methods """ +- fn = defaults.interface_info() +- try: +- fd = open(fn) +- ifs = interfaces.InterfaceSet() +- ifs.from_file(fd) +- methods = ifs.interfaces.keys() +- fd.close() +- except: +- raise ValueError(_("could not open interface info [%s]\n") % fn) +- +- return methods +- + def get_admin(): + """ Get all domains with an admin interface""" + admin_list = [] +- for i in get(): ++ for i in sepolicy.get_methods(): + if i.endswith("_admin"): + admin_list.append(i.split("_admin")[0]) + return admin_list +@@ -76,6 +62,6 @@ def get_user(): + for i in get(): + m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i) + if len(m) > 0: +- if "%s_exec_t" % m[0] in get_all_types(): ++ if "%s_exec_t" % m[0] in sepolicy.get_all_types(): + trans_list.append(m[0]) + return trans_list diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py index 25062da..b3c24e6 100755 --- a/policycoreutils/sepolicy/sepolicy/manpage.py diff --git a/policycoreutils.spec b/policycoreutils.spec index 06eac76..5dddc1c 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
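Review bot: `get_user()` still iterates `for i in get():` (a context line under the inner `@@ -76,6 +62,6 @@ def get_user():` hunk), but this same change deletes `def get():` from interface.py, so `get_user()` raises `NameError` on its first call; the loop should read `for i in sepolicy.get_methods():`, matching the edit made to `get_admin()`. `__all__ = [ 'get', 'get_admin', 'get_user' ]` likewise still exports the removed name, which makes `from sepolicy.interface import *` fail with `AttributeError`, so `'get'` should be dropped from it. Both `get_admin()` and `get_user()` now reference `sepolicy.get_methods()` and `sepolicy.get_all_types()`, yet the only import the hunk rewrites is `from sepolicy.generate import get_all_types` into `import selinux`; unless an `import sepolicy` already exists above line 27 of interface.py (outside the hunk) that is a second `NameError`, and `selinux` is not used on any visible line. The module's import block and the tail of the file lie outside this hunk.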
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 11%{?dist} +Release: 12%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -324,6 +324,9 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Fri Feb 22 2013 Dan Walsh - 2.1.14-12 +- Do not load interface file by default when sepolicy is called, mov get_all_methods to the sepolicy package + * Fri Feb 22 2013 Dan Walsh - 2.1.14-11 - sepolgen-ifgen should use the current policy path if selinux is enabled @@ -355,7 +358,7 @@ do not drop capabilities when run as root. * Thu Feb 14 2013 Dan Walsh - 2.1.14-4 - Revert some changes which are causing the wrong policy version file to be created -- Switch sandbox to start using openbox rather then matchpbox +- Switch sandbox to start using openbox rather then matchbox - Make sepolgen a symlink to sepolicy - update translations