* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2

- Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis
2007-12-20 19:24:11 +00:00 · 2007-12-20 19:24:11 +00:00 · 96efbf90c9
commit 96efbf90c9
parent 44981fdef3
3 changed files with 277 additions and 19 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -28,19 +28,233 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 .TP
 .B "\-t "  | "\-\-tefile"
 Indicates input file is a te (type enforcement) file.  This can be used to translate old te format to new policy format.
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.34/audit2allow/sepolgen-ifgen
+--- nsapolicycoreutils/audit2allow/sepolgen-ifgen	2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.34/audit2allow/sepolgen-ifgen	2007-12-20 14:19:50.000000000 -0500
+@@ -80,7 +80,10 @@
+     if_set.to_file(f)
+     f.close()
+ 
+-    return 0
+    if refparser.success:
+        return 0
+    else:
+        return 1
+     
+ if __name__ == "__main__":
+     sys.exit(main())
+Binary files nsapolicycoreutils/audit2why/audit2why and policycoreutils-2.0.34/audit2why/audit2why differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.34/audit2why/audit2why.c
 --- nsapolicycoreutils/audit2why/audit2why.c	2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.34/audit2why/audit2why.c	2007-12-19 06:05:50.000000000 -0500
-@@ -137,6 +137,8 @@
+++ policycoreutils-2.0.34/audit2why/audit2why.c	2007-12-20 11:04:10.000000000 -0500
+@@ -22,27 +22,151 @@
+ 	exit(rc);
+ }
+ 
+struct bool_t {
+	const sepol_bool_t * boolean;
+	char *name;
+	int active;
+};
+
+static struct bool_t **boollist = NULL;
+static int boolcnt = 0;
+
+struct access_t {
+	sepol_handle_t *handle;
+	sepol_policydb_t *policydb;
+	sepol_security_id_t ssid;
+	sepol_security_id_t  tsid;
+	sepol_security_class_t tclass;
+	sepol_access_vector_t av;
+};
+
+static int load_booleans (const sepol_bool_t * boolean,
+			  void *arg __attribute__ ((__unused__)) ) {
+	boollist[boolcnt] = (struct bool_t *) malloc(sizeof (struct bool_t));
+	boollist[boolcnt]->boolean = boolean;
+	boollist[boolcnt]->name = strdup(sepol_bool_get_name(boolean));
+	boollist[boolcnt]->active = sepol_bool_get_value(boolean);
+	boolcnt++;
+	return 0;
+}
+
+static int check_booleans (struct access_t *access) {
+	struct sepol_av_decision avd;
+	unsigned int reason;
+	int rc;
+	int i;
+	sepol_bool_key_t *key=NULL;
+	int fcnt = 0;
+	int *foundlist = calloc(boolcnt, sizeof(int));
+	if (!foundlist) {
+		fprintf(stderr,
+			"Out of memory.\n");
+		return -1;
+	}
+	for (i=0; i < boolcnt; i++) {
+		char *name = boollist[i]->name;
+		int active = boollist[i]->active;
+		sepol_bool_t * boolean = (sepol_bool_t *) boollist[i]->boolean;
+		rc = sepol_bool_key_create(access->handle,
+					   name, 
+					   &key);
+		if (rc < 0) {
+			fprintf(stderr,
+				"Could not create boolean key.\n");
+			rc = -1;
+			break;
+		}
+		sepol_bool_set_value(boolean, !active);
+
+		rc = sepol_bool_set(access->handle,
+				    access->policydb,
+				    key,
+				    boolean);
+		if (rc < 0) {
+			fprintf(stderr,
+				"Could not set boolean data %s.\n", name);
+			rc = -1;
+			break;
+		}
+
+		/* Reproduce the computation. */
+		rc = sepol_compute_av_reason(access->ssid, access->tsid, access->tclass, access->av, &avd, &reason);
+		if (rc < 0) {
+			fprintf(stderr,
+				"Error during access vector computation, skipping...\n");
+			rc = -1;
+			break;
+		} else {
+			if (!reason) {
+				foundlist[fcnt] = i;
+				fcnt++;
+				rc = 0;
+			}
+			sepol_bool_set_value((sepol_bool_t*)boolean, active);
+			rc = sepol_bool_set(access->handle,
+					    access->policydb,
+					    key,
+					    (sepol_bool_t*) boolean);
+			if (rc < 0) {
+				fprintf(stderr,
+					"Could not set boolean data %s.\n", name);
+				rc = -1;
+				break;
+			}
+		}
+		sepol_bool_key_free(key);
+		key=NULL;		
+	}
+	if (key)
+		sepol_bool_key_free(key);
+
+	if (fcnt > 0)  {
+		printf("\tA boolean being set incorrectly.\n");
+		for (i = 0; i < fcnt; i++) {
+			int ctr = foundlist[i];
+			char *name = boollist[ctr]->name;
+			int active = boollist[ctr]->active;
+			printf("\n\tBoolean %s is %d.\n\tExecute the following to allow access:\n", name, active);
+			printf("\t# setsebool -P %s %d\n", name, !active);
+		}
+	}
+
+	free(foundlist);
+	return rc;
+}
+
+
+ int main(int argc, char **argv)
+ {
+ 	char path[PATH_MAX];
+ 	char *buffer = NULL, *bufcopy = NULL;
+-	unsigned int lineno = 0;
+	unsigned int lineno = 0, cnt;
+ 	size_t len = 0, bufcopy_len = 0;
+-	FILE *fp;
+	FILE *fp, *avcp=stdin;
+ 	int opt, rc, set_path = 0;
+ 	char *p, *scon, *tcon, *tclassstr, *permstr;
+ 	sepol_security_id_t ssid, tsid;
+ 	sepol_security_class_t tclass;
+ 	sepol_access_vector_t perm, av;
+	struct access_t access;
+ 	struct sepol_av_decision avd;
+ 	unsigned int reason;
+ 	int vers = 0;
+ 	sidtab_t sidtab;
+ 	policydb_t policydb;
+ 	struct policy_file pf;
+-
+-	while ((opt = getopt(argc, argv, "p:?h")) > 0) {
+	
+	while ((opt = getopt(argc, argv, "i:p:?h")) > 0) {
+ 		switch (opt) {
+		case 'i':
+			avcp = fopen(optarg, "r");
+			if (!avcp) {
+				fprintf(stderr, "%s:  unable to open %s:  %s\n",
+					argv[0], path, strerror(errno));
+				exit(1);
+			}
+			break;
+			
+ 		case 'p':
+ 			set_path = 1;
+ 			strncpy(path, optarg, PATH_MAX);
+@@ -110,7 +234,6 @@
+ 	}
+ 	fclose(fp);
+ 	sepol_set_policydb(&policydb);
+-
+ 	if (!set_path) {
+ 		/* If they didn't specify a full path of a binary policy file,
+ 		   then also try loading any boolean settings and user
+@@ -125,6 +248,30 @@
+ 		(void)sepol_genusers_policydb(&policydb, selinux_users_path());
+ 	}
+ 
+	access.handle = sepol_handle_create();
+	access.policydb = (sepol_policydb_t *) &policydb, 
+
+	rc = sepol_bool_count(access.handle,
+			      access.policydb, 
+			      &cnt); 
+	if (rc < 0) {
+		fprintf(stderr, "%s:  unable to get bool count\n", argv[0]);
+		exit(1);
+	}
+
+	boollist = calloc(cnt, sizeof(struct bool_t));
+	if (!boollist) {
+		fprintf(stderr, "%s:  Out of memory\n", argv[0]);
+		exit(1);
+	}
+
+
+	sepol_bool_iterate(access.handle,
+			   (const sepol_policydb_t *) &policydb, 
+			   load_booleans, 
+			   (void *)NULL);
+
+
+ 	/* Initialize the sidtab for subsequent use by sepol_context_to_sid
+ 	   and sepol_compute_av_reason. */
+ 	rc = sepol_sidtab_init(&sidtab);
+@@ -135,8 +282,10 @@
+ 	sepol_set_sidtab(&sidtab);
+ 
 	/* Process the audit messages. */
- 	while (getline(&buffer, &len, stdin) > 0) {
+-	while (getline(&buffer, &len, stdin) > 0) {
+	while (getline(&buffer, &len, avcp) > 0) {
 		size_t len2 = strlen(buffer);
 +		char *begin, *end, *search_buf;
 +		int slen = 0;
 
 		if (buffer[len2 - 1] == '\n')
 			buffer[len2 - 1] = 0;
-@@ -179,6 +181,7 @@
+@@ -179,6 +328,7 @@
 		}
 		*p++ = 0;
 
@ -48,7 +262,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 		/* Get scontext and convert to SID. */
 		while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1))
 			p++;
-@@ -188,11 +191,14 @@
+@@ -188,11 +338,14 @@
 			continue;
 		}
 		p += sizeof(SCONTEXT) - 1;
@ -66,7 +280,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 		rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
 		if (rc < 0) {
 			fprintf(stderr,
-@@ -201,6 +207,10 @@
+@@ -201,6 +354,10 @@
 			continue;
 		}
 
@ -77,7 +291,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 		/* Get tcontext and convert to SID. */
 		while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1))
 			p++;
-@@ -210,11 +220,15 @@
+@@ -210,11 +367,15 @@
 			continue;
 		}
 		p += sizeof(TCONTEXT) - 1;
@ -96,7 +310,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 		rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
 		if (rc < 0) {
 			fprintf(stderr,
-@@ -222,6 +236,9 @@
+@@ -222,6 +383,9 @@
 				TCONTEXT, tcon, lineno);
 			continue;
 		}
@ -106,7 +320,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 
 		/* Get tclass= and convert to value. */
 		while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1))
-@@ -232,12 +249,17 @@
+@@ -232,12 +396,17 @@
 			continue;
 		}
 		p += sizeof(TCLASS) - 1;
@ -127,6 +341,37 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 		if (!tclass) {
 			fprintf(stderr,
 				"Invalid %s%s on line %u, skipping...\n",
+@@ -286,11 +455,16 @@
+ 		}
+ 
+ 		if (reason & SEPOL_COMPUTEAV_TE) {
+-			printf("\t\tMissing or disabled TE allow rule.\n");
+-			printf
+-			    ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n");
+-			printf
+-			    ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
+			access.ssid = ssid;
+			access.tsid = tsid;
+			access.tclass = tclass;
+			access.av = av;
+			
+			if (check_booleans(&access) < 0) {
+				printf("\t\tMissing or disabled TE allow rule.\n");
+				printf
+					("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
+			}
+ 		}
+ 
+ 		if (reason & SEPOL_COMPUTEAV_CONS) {
+@@ -309,5 +483,8 @@
+ 	}
+ 	free(buffer);
+ 	free(bufcopy);
+	if (avcp != stdin)
+		fclose(avcp);
+
+ 	exit(0);
+ }
 diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.34/Makefile
 --- nsapolicycoreutils/Makefile	2007-12-19 06:02:52.000000000 -0500
 +++ policycoreutils-2.0.34/Makefile	2007-12-19 06:06:04.000000000 -0500
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py
 --- nsasepolgen/src/sepolgen/refparser.py	2007-09-13 08:21:11.000000000 -0400
-+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py	2007-12-19 06:05:51.000000000 -0500
+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py	2007-12-20 14:20:49.000000000 -0500
@@ -118,6 +118,7 @@
     'TEMPLATE',
     'GEN_CONTEXT',
@ -30,7 +30,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
 def t_refpolicywarn(t):
     r'refpolicywarn\(.*\n'
     # Ignore refpolicywarn statements - they sometimes
-@@ -258,6 +266,7 @@
+@@ -258,10 +266,12 @@
 m = None
 #   error is either None (indicating no error) or a string error message.
 error = None
@ -38,7 +38,12 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
 #   spt is the support macros (e.g., obj/perm sets) - it is an instance of
 #     refpolicy.SupportMacros and should always be present during parsing
 #     though it may not contain any macros.
-@@ -382,6 +391,19 @@
+ spt = None
+success=True
+ 
+ # utilities
+ def collect(stmts, parent, val=None):
+@@ -382,6 +392,19 @@
         collect(p[12], x, val=False)
     p[0] = [x]
 
@ -58,7 +63,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
 def p_ifdef(p):
     '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
              | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
-@@ -446,6 +468,7 @@
+@@ -446,6 +469,7 @@
               | optional_policy
               | tunable_policy
               | ifdef
@ -66,17 +71,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
               | conditional
     '''
     p[0] = p[1]
-@@ -844,7 +867,8 @@
+@@ -844,8 +868,11 @@
 
 def p_error(tok):
     global error
 -    error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
 +    global parse_file
+    global success
 +    error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
     print error
+    success = False
 
 def prep_spt(spt):
-@@ -892,7 +916,7 @@
+     if not spt:
+@@ -892,7 +919,7 @@
 def list_headers(root):
     modules = []
     support_macros = None
@ -85,7 +93,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
 
     for dirpath, dirnames, filenames in os.walk(root):
         for name in filenames:
-@@ -941,12 +965,14 @@
+@@ -941,12 +968,14 @@
             output.write(msg)
 
     def parse_file(f, module, spt=None):
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.34
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -193,9 +193,14 @@ if [ "$1" -ge "1" ]; then
 fi

 %changelog
-* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-1
+* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2
+- Make sepolgen set error exit code when partial failure
+- audit2why now checks booleans for avc diagnosis
+
+* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-1
 - Update to upstream
-* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4
+
+* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4
 - Fix sepolgen to be able to parse Fedora 9 policy
      Handle ifelse statements
      Handle refpolicywarn inside of define