rpms
/
policycoreutils
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9 

- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules
This commit is contained in:
Daniel J Walsh 2010-01-08 14:38:30 +00:00
parent 72c9357690
commit aec9d8794c
3 changed files with 224 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

189
policycoreutils-rhat.patch
View File

@ -1,6 +1,6 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2010-01-08 09:32:57.000000000 -0500
@@ -28,6 +28,7 @@
import sepolgen.defaults as defaults
import sepolgen.module as module
@ -18,7 +18,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
@@ -80,11 +83,11 @@
@@ -58,6 +61,9 @@
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
@@ -80,11 +86,11 @@
options, args = parser.parse_args()
# Make -d, -a, and -i conflict
@ -33,7 +43,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
if options.input is not None and options.dmesg is True:
sys.stderr.write("error: --input conflicts with --dmesg\n")
@@ -129,6 +132,12 @@
@@ -129,6 +135,12 @@
except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1)
@ -46,7 +56,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
else:
# This is the default if no input is specified
f = sys.stdin
@@ -220,63 +229,44 @@
@@ -220,63 +232,44 @@
def __output_audit2why(self):
import selinux
@ -122,7 +132,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
print "\t\tMissing role allow rule.\n"
print "\t\tAdd an allow rule for the role pair.\n"
continue
@@ -344,5 +334,6 @@
@@ -314,7 +307,7 @@
g.set_gen_requires(True)
# Generate the policy
- g.add_access(self.__avs)
+ g.add_access(self.__avs, self.__options.dontaudit)
g.add_role_types(self.__role_types)
# Output
@@ -344,5 +337,6 @@
sys.exit(0)
if __name__ == "__main__":
@ -1681,12 +1700,33 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-14 09:35:48.000000000 -0500
@@ -0,0 +1,272 @@
+#!/usr/bin/python -E
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-17 13:50:15.000000000 -0500
@@ -0,0 +1,318 @@
+#! /usr/bin/python -E
+# Authors: Dan Walsh <dwalsh@redhat.com>
+# Authors: Josh Cogliati
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import os, sys, getopt, socket, random, fcntl, shutil, re
+import selinux
+import signal
+from tempfile import mkdtemp
+
+PROGNAME = "policycoreutils"
+
@ -1819,7 +1859,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+
+ def usage(message = ""):
+ text = _("""
+sandbox [-h] [-X] [-M][-I includefile ] [[-i file ] ...] [ -t type ] command
+sandbox [-h] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [[-i file ] ...] [ -t type ] command
+""")
+ error_exit("%s\n%s" % (message, text))
+
@ -1827,13 +1867,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ X_ind = False
+ home_and_temp = False
+ level=None
+ newhomedir = None
+ newtmpdir = None
+ existing_home = False
+ existing_temp = False
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:M",
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:MH:T:",
+ ["help",
+ "include=",
+ "includefile=",
+ "type=",
+ "mount",
+ "homedir=",
+ "tmpdir=",
+ "level="
+ ])
+ for o, a in gopts:
@ -1866,12 +1912,20 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ if o == "-M" or o == "--mount":
+ home_and_temp = True
+
+ if o == "-H" or o == "--homedir":
+ existing_home = True
+ newhomedir = a
+ if o == "-T" or o == "--tmpdir":
+ existing_temp = True
+ newtempdir = a
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
+
+ if len(cmds) == 0:
+ usage(_("Command required"))
+
+ if (existing_home or existing_temp) and not home_and_temp:
+ usage(_("-M required when specifying home directory or temp directory"))
+ execcon, filecon = gen_context(setype, level)
+ rc = -1
+
@ -1883,20 +1937,34 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ break
+
+ try:
+ newhomedir = None
+ newtmpdir = None
+ if home_and_temp:
+ if not os.path.exists("/usr/sbin/seunshare"):
+ raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute
+#yum install /usr/sbin/seunshare""")
+ import warnings
+ warnings.simplefilter("ignore")
+ newhomedir = os.tempnam(".", ".sandbox%s")
+ os.mkdir(newhomedir)
+ newtmpdir = os.tempnam("/tmp", ".sandbox")
+ os.mkdir(newtmpdir)
+ chcon = ("/usr/bin/chcon %s %s %s" % (filecon, newhomedir, newtmpdir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+ if existing_home:
+ if not os.path.isdir(newhomedir):
+ raise IOError("Home directory "+newhomedir+" not found")
+ if not level:
+ chcon = ("/usr/bin/chcon -R %s %s" % (filecon, newhomedir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+ else:
+ newhomedir = mkdtemp(dir=".", prefix=".sandbox")
+ chcon = ("/usr/bin/chcon %s %s" % (filecon, newhomedir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+
+ if existing_temp:
+ if not os.path.isdir(newtempdir):
+ raise IOError("Temp directory "+newtempdir+" not found")
+ if not level:
+ chcon = ("/usr/bin/chcon -R %s %s" % (filecon, newtmpdir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+ else:
+ newtmpdir = mkdtemp(dir="/tmp", prefix=".sandbox")
+ chcon = ("/usr/bin/chcon %s %s" % (filecon, newtmpdir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+
+ warnings.resetwarnings()
+ paths = []
+ for i in cmds:
@ -1907,22 +1975,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ paths.append(i)
+
+ copyfiles(newhomedir, newtmpdir, init_files + paths)
+ execfile = newhomedir + "/.sandboxrc"
+ fd = open(execfile, "w+")
+ fd.write("""#! /bin/sh
+ if X_ind:
+ execfile = newhomedir + "/.sandboxrc"
+ fd = open(execfile, "w+")
+ fd.write("""#! /bin/sh
+%s
+""" % " ".join(paths))
+ fd.close()
+ os.chmod(execfile, 0700)
+ if X_ind:
+ fd.close()
+ os.chmod(execfile, 0700)
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ else:
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s " % (newtmpdir, newhomedir, execcon)).split()+cmds
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+ for i in paths:
+ if i not in X_FILES:
+ continue
@ -1935,9 +2000,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ selinux.setexeccon(None)
+ finally:
+ if home_and_temp:
+ if newhomedir:
+ if newhomedir and not existing_home:
+ shutil.rmtree(newhomedir)
+ if newtmpdir:
+ if newtmpdir and not existing_temp:
+ shutil.rmtree(newtmpdir)
+
+ except getopt.GetoptError, error:
@ -1957,26 +2022,28 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-14 09:37:40.000000000 -0500
@@ -0,0 +1,39 @@
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-18 07:37:35.000000000 -0500
@@ -0,0 +1,50 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS
+.B sandbox
+[-M] [-X] [-I includefile ] [[-i file ]...] [ -t type ] cmd
+[-l level ] [[-M | -X] -H homedir -T tmpdir ] [-I includefile ] [[-i file ]...] [ -t type ] cmd
+.br
+.SH DESCRIPTION
+.PP
+Run the
+.I cmd
+application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files.
+application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox.
+
+If you have the
+.I policycoreutils-sandbox
+package installed, you can use the -X option.
+package installed, you can use the -X option and the -M option.
+.B sandbox -X
+allows you to run sandboxed X applications. These applications will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
+
+If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the directories need to have a matching label.
+.PP
+.TP
+\fB\-t type\fR
@ -1988,12 +2055,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+\fB\-I inputfile\fR
+Copy all files listed in inputfile into the appropriate temporary sandbox direcories.
+.TP
+\fB\-l\fR
+Specify the MLS/MCS Security Level to run the sandbox in. Defaults to random.
+.TP
+\fB\-X\fR
+Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
+.TP
+\fB\-M\fR
+Create a Sandbox with temporary files for $HOME and /tmp, defaults to sandbox_t
+.TP
+\fB\-H\ homedir
+Use alternate homedir to mount. Defaults to temporary. Requires -X or -M.
+.TP
+\fB\-T\ tmpdir
+Use alternate tempdir to mount. Defaults to temporary. Requires -X or -M.
+.PP
+.SH "SEE ALSO"
+.TP
+runcon(1)
@ -2289,8 +2365,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500
@@ -32,23 +32,32 @@
+++ policycoreutils-2.0.78/semanage/semanage 2010-01-08 09:24:07.000000000 -0500
@@ -32,25 +32,34 @@
try:
gettext.install(PROGNAME,
localedir="/usr/share/locale",
@ -2324,8 +2400,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
semanage interface -{a|d|m} [-tr] interface_spec
+semanage module -{a|d|m} [--enable|--disable] module
semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m} [-frst] file_spec
-semanage fcontext -{a|d|m} [-frst] file_spec
+semanage fcontext -{a|d|m} [-efrst] file_spec
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
semanage permissive -{d|a} type
semanage dontaudit [ on | off ]
@@ -61,7 +70,9 @@
-d, --delete Delete a OBJECT record NAME
-m, --modify Modify a OBJECT record NAME
@ -2340,7 +2419,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
-F, --file Treat target as an input file for command, change multiple settings
-p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
-M, --mask Netmask
+ -e, --equal Make target equal to this paths labeling
+ -e, --equal Substitue source path for dest path when labeling
-P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only)
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")
@ -2618,6 +2697,40 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
process_args(mkargv(l))
trans.finish()
else:
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.78/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage.8 2010-01-08 09:32:28.000000000 -0500
@@ -19,6 +19,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage fcontext \-{a|d|m} \-e src_path tgt_path
+.br
.B semanage permissive \-{a|d} type
.br
.B semanage dontaudit [ on | off ]
@@ -52,6 +54,12 @@
.I \-D, \-\-deleteall
Remove all OBJECTS local customizations
.TP
+.I \-e, \-\-equal
+Substitute src path for targetpath when labeling. This is used with
+fcontext. Requires source and destination path arguments. The context
+labeling for the destination subtree is made equivalent to that
+defined for the source.
+.TP
.I \-f, \-\-ftype
File Type. This is used with fcontext.
Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
@@ -110,6 +118,8 @@
$ semanage login -a -s user_u %clerks
# Add file-context for everything under /web (used by restorecon)
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
+# Make /home1 labeling equivalent to /home (used by restorecon)
+$ semanage fcontext -a -e /home1 /home
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
# Change apache to a permissive domain
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500

93
policycoreutils-sepolgen.patch
View File

@ -56,7 +56,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2010-01-06 09:52:35.000000000 -0500
@@ -23,6 +23,27 @@
# Convenience functions
@ -103,15 +103,17 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
# Classes representing audit messages
class AuditMessage:
@@ -106,6 +138,7 @@
@@ -106,6 +138,9 @@
if fields[0] == "path":
self.path = fields[1][1:-1]
return
+import selinux.audit2why as audit2why
+
+avcdict = {}
class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message.
@@ -146,6 +179,8 @@
@@ -146,6 +181,8 @@
self.path = ""
self.accesses = []
self.denial = True
@ -120,7 +122,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
@@ -205,7 +240,25 @@
@@ -205,7 +242,31 @@
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -130,24 +132,30 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
+ def analyze(self):
+ tcontext = self.tcontext.to_string()
+ scontext = self.scontext.to_string()
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ if self.type == audit2why.NOPOLICY:
+ raise ValueError("Must call policy_init first")
+ if self.type == audit2why.BADTCON:
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Source Context %s\n" % scontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Type Class %s\n" % self.tclass)
+ if self.type == audit2why.BADPERM:
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation")
+ access_tuple = tuple( self.accesses)
+ if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
+ self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
+ else:
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ if self.type == audit2why.NOPOLICY:
+ raise ValueError("Must call policy_init first")
+ if self.type == audit2why.BADTCON:
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Source Context %s\n" % scontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Type Class %s\n" % self.tclass)
+ if self.type == audit2why.BADPERM:
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation")
+
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
def __init__(self, message):
@@ -285,6 +338,9 @@
@@ -285,6 +346,9 @@
def __initialize(self):
self.avc_msgs = []
@ -157,7 +165,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
self.compute_sid_msgs = []
self.invalid_msgs = []
self.policy_load_msgs = []
@@ -314,7 +370,7 @@
@@ -314,7 +378,7 @@
elif i == "security_compute_sid:":
msg = ComputeSidMessage(line)
found = True
@ -166,7 +174,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
msg = PolicyLoadMessage(line)
found = True
elif i == "type=AVC_PATH":
@@ -442,16 +498,17 @@
@@ -442,16 +506,17 @@
audit logs parsed by this object.
"""
av_set = access.AccessVectorSet()
@ -186,7 +194,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
return av_set
class AVCTypeFilter:
@@ -477,5 +534,3 @@
@@ -477,5 +542,3 @@
if self.regex.match(avc.tcontext.type):
return True
return False
@ -194,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
-
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-16 08:20:45.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500
@@ -29,6 +29,8 @@
import access
import interfaces
@ -213,10 +221,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -144,8 +146,35 @@
def __add_allow_rules(self, avs):
@@ -141,15 +143,42 @@
"""Return the generated module"""
return self.module
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, dontaudit):
for av in avs:
rule = refpolicy.AVRule(av)
- rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
+ rule.comment = ""
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
@ -249,6 +262,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
self.module.children.append(rule)
- def add_access(self, av_set):
+ def add_access(self, av_set, dontaudit=False):
"""Add the access from the access vector set to this
module.
"""
@@ -165,7 +194,7 @@
raw_allow = av_set
# Generate the raw allow rules from the filtered list
- self.__add_allow_rules(raw_allow)
+ self.__add_allow_rules(raw_allow, dontaudit)
def add_role_types(self, role_type_set):
for role_type in role_type_set:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
@ -263,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
for name in filenames:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500
@@ -398,6 +398,7 @@
return "attribute %s;" % self.name
@ -272,12 +299,22 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py polic
class AVRule(Leaf):
"""SELinux access vector (AV) rule.
@@ -426,15 +427,17 @@
@@ -420,21 +421,26 @@
AUDITALLOW = 2
NEVERALLOW = 3
- def __init__(self, av=None, parent=None):
+ def __init__(self, av=None, parent=None, dontaudit=False):
Leaf.__init__(self, parent)
self.src_types = IdSet()
self.tgt_types = IdSet()
self.obj_classes = IdSet()
self.perms = IdSet()
- self.rule_type = self.ALLOW
+ self.rule_type = audit2why.TERULE
+ if dontaudit:
+ self.rule_type = audit2why.DONTAUDIT
+ else:
+ self.rule_type = audit2why.TERULE
if av:
self.from_av(av)

10
policycoreutils.spec
View File

@ -3,11 +3,10 @@
%define libsemanagever 2.0.39-1
%define libselinuxver 2.0.87-1
%define sepolgenver 1.0.19
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.78
Release: 7%{?dist}
Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -298,6 +297,13 @@ fi
exit 0
%changelog
* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9
- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-8
- Speed up audit2allow processing of audit2why comments
* Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-7
- Fixes to sandbox man page