* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9

- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules
This commit is contained in:
Daniel J Walsh 2010-01-08 14:38:30 +00:00
parent 72c9357690
commit aec9d8794c
3 changed files with 224 additions and 68 deletions


@ -1,6 +1,6 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/audit2allow/audit2allow 2010-01-08 09:32:57.000000000 -0500
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
import sepolgen.defaults as defaults import sepolgen.defaults as defaults
import sepolgen.module as module import sepolgen.module as module
@ -18,7 +18,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
help="read input from audit log - conflicts with -i") help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
@@ -80,11 +83,11 @@ @@ -58,6 +61,9 @@
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
@@ -80,11 +86,11 @@
options, args = parser.parse_args() options, args = parser.parse_args()
# Make -d, -a, and -i conflict # Make -d, -a, and -i conflict
@ -33,7 +43,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
if options.input is not None and options.dmesg is True: if options.input is not None and options.dmesg is True:
sys.stderr.write("error: --input conflicts with --dmesg\n") sys.stderr.write("error: --input conflicts with --dmesg\n")
@@ -129,6 +132,12 @@ @@ -129,6 +135,12 @@
except OSError, e: except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1) sys.exit(1)
@ -46,7 +56,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
else: else:
# This is the default if no input is specified # This is the default if no input is specified
f = sys.stdin f = sys.stdin
@@ -220,63 +229,44 @@ @@ -220,63 +232,44 @@
def __output_audit2why(self): def __output_audit2why(self):
import selinux import selinux
@ -122,7 +132,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
print "\t\tMissing role allow rule.\n" print "\t\tMissing role allow rule.\n"
print "\t\tAdd an allow rule for the role pair.\n" print "\t\tAdd an allow rule for the role pair.\n"
continue continue
@@ -344,5 +334,6 @@ @@ -314,7 +307,7 @@
g.set_gen_requires(True)
# Generate the policy
- g.add_access(self.__avs)
+ g.add_access(self.__avs, self.__options.dontaudit)
g.add_role_types(self.__role_types)
# Output
@@ -344,5 +337,6 @@
sys.exit(0) sys.exit(0)
if __name__ == "__main__": if __name__ == "__main__":
@ -1681,12 +1700,33 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+relabel: +relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-14 09:35:48.000000000 -0500 +++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-17 13:50:15.000000000 -0500
@@ -0,0 +1,272 @@ @@ -0,0 +1,318 @@
+#!/usr/bin/python -E +#! /usr/bin/python -E
+# Authors: Dan Walsh <dwalsh@redhat.com>
+# Authors: Josh Cogliati
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import os, sys, getopt, socket, random, fcntl, shutil, re +import os, sys, getopt, socket, random, fcntl, shutil, re
+import selinux +import selinux
+import signal +import signal
+from tempfile import mkdtemp
+ +
+PROGNAME = "policycoreutils" +PROGNAME = "policycoreutils"
+ +
@ -1819,7 +1859,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ +
+ def usage(message = ""): + def usage(message = ""):
+ text = _(""" + text = _("""
+sandbox [-h] [-X] [-M][-I includefile ] [[-i file ] ...] [ -t type ] command +sandbox [-h] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [[-i file ] ...] [ -t type ] command
+""") +""")
+ error_exit("%s\n%s" % (message, text)) + error_exit("%s\n%s" % (message, text))
+ +
@ -1827,13 +1867,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ X_ind = False + X_ind = False
+ home_and_temp = False + home_and_temp = False
+ level=None + level=None
+ newhomedir = None
+ newtmpdir = None
+ existing_home = False
+ existing_temp = False
+ try: + try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:M", + gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:MH:T:",
+ ["help", + ["help",
+ "include=", + "include=",
+ "includefile=", + "includefile=",
+ "type=", + "type=",
+ "mount", + "mount",
+ "homedir=",
+ "tmpdir=",
+ "level=" + "level="
+ ]) + ])
+ for o, a in gopts: + for o, a in gopts:
@ -1866,12 +1912,20 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ if o == "-M" or o == "--mount": + if o == "-M" or o == "--mount":
+ home_and_temp = True + home_and_temp = True
+ +
+ if o == "-H" or o == "--homedir":
+ existing_home = True
+ newhomedir = a
+ if o == "-T" or o == "--tmpdir":
+ existing_temp = True
+ newtempdir = a
+ if o == "-h" or o == "--help": + if o == "-h" or o == "--help":
+ usage(_("Usage")); + usage(_("Usage"));
+ +
+ if len(cmds) == 0: + if len(cmds) == 0:
+ usage(_("Command required")) + usage(_("Command required"))
+ +
+ if (existing_home or existing_temp) and not home_and_temp:
+ usage(_("-M required when specifying home directory or temp directory"))
+ execcon, filecon = gen_context(setype, level) + execcon, filecon = gen_context(setype, level)
+ rc = -1 + rc = -1
+ +
@ -1883,20 +1937,34 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ break + break
+ +
+ try: + try:
+ newhomedir = None
+ newtmpdir = None
+ if home_and_temp: + if home_and_temp:
+ if not os.path.exists("/usr/sbin/seunshare"): + if not os.path.exists("/usr/sbin/seunshare"):
+ raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute + raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute
+#yum install /usr/sbin/seunshare""") +#yum install /usr/sbin/seunshare""")
+ import warnings + import warnings
+ warnings.simplefilter("ignore") + warnings.simplefilter("ignore")
+ newhomedir = os.tempnam(".", ".sandbox%s") + if existing_home:
+ os.mkdir(newhomedir) + if not os.path.isdir(newhomedir):
+ newtmpdir = os.tempnam("/tmp", ".sandbox") + raise IOError("Home directory "+newhomedir+" not found")
+ os.mkdir(newtmpdir) + if not level:
+ chcon = ("/usr/bin/chcon %s %s %s" % (filecon, newhomedir, newtmpdir)).split() + chcon = ("/usr/bin/chcon -R %s %s" % (filecon, newhomedir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon) + rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+ else:
+ newhomedir = mkdtemp(dir=".", prefix=".sandbox")
+ chcon = ("/usr/bin/chcon %s %s" % (filecon, newhomedir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+
+ if existing_temp:
+ if not os.path.isdir(newtempdir):
+ raise IOError("Temp directory "+newtempdir+" not found")
+ if not level:
+ chcon = ("/usr/bin/chcon -R %s %s" % (filecon, newtmpdir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+ else:
+ newtmpdir = mkdtemp(dir="/tmp", prefix=".sandbox")
+ chcon = ("/usr/bin/chcon %s %s" % (filecon, newtmpdir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+
+ warnings.resetwarnings() + warnings.resetwarnings()
+ paths = [] + paths = []
+ for i in cmds: + for i in cmds:
@ -1907,22 +1975,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ paths.append(i) + paths.append(i)
+ +
+ copyfiles(newhomedir, newtmpdir, init_files + paths) + copyfiles(newhomedir, newtmpdir, init_files + paths)
+ execfile = newhomedir + "/.sandboxrc" + if X_ind:
+ fd = open(execfile, "w+") + execfile = newhomedir + "/.sandboxrc"
+ fd.write("""#! /bin/sh + fd = open(execfile, "w+")
+ fd.write("""#! /bin/sh
+%s +%s
+""" % " ".join(paths)) +""" % " ".join(paths))
+ fd.close() + fd.close()
+ os.chmod(execfile, 0700) + os.chmod(execfile, 0700)
+ if X_ind:
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split() + cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) + rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ else: + else:
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s " % (newtmpdir, newhomedir, execcon)).split()+cmds + cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s " % (newtmpdir, newhomedir, execcon)).split()+cmds
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) + rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+ for i in paths: + for i in paths:
+ if i not in X_FILES: + if i not in X_FILES:
+ continue + continue
@ -1935,9 +2000,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ selinux.setexeccon(None) + selinux.setexeccon(None)
+ finally: + finally:
+ if home_and_temp: + if home_and_temp:
+ if newhomedir: + if newhomedir and not existing_home:
+ shutil.rmtree(newhomedir) + shutil.rmtree(newhomedir)
+ if newtmpdir: + if newtmpdir and not existing_temp:
+ shutil.rmtree(newtmpdir) + shutil.rmtree(newtmpdir)
+ +
+ except getopt.GetoptError, error: + except getopt.GetoptError, error:
@ -1957,26 +2022,28 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ +
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-14 09:37:40.000000000 -0500 +++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-18 07:37:35.000000000 -0500
@@ -0,0 +1,39 @@ @@ -0,0 +1,50 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME +.SH NAME
+sandbox \- Run cmd under an SELinux sandbox +sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS +.SH SYNOPSIS
+.B sandbox +.B sandbox
+[-M] [-X] [-I includefile ] [[-i file ]...] [ -t type ] cmd +[-l level ] [[-M | -X] -H homedir -T tmpdir ] [-I includefile ] [[-i file ]...] [ -t type ] cmd
+.br +.br
+.SH DESCRIPTION +.SH DESCRIPTION
+.PP +.PP
+Run the +Run the
+.I cmd +.I cmd
+application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. +application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox.
+ +
+If you have the +If you have the
+.I policycoreutils-sandbox +.I policycoreutils-sandbox
+package installed, you can use the -X option. +package installed, you can use the -X option and the -M option.
+.B sandbox -X +.B sandbox -X
+allows you to run sandboxed X applications. These applications will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox. +allows you to run sandboxed X applications. These applications will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
+
+If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the directories need to have a matching label.
+.PP +.PP
+.TP +.TP
+\fB\-t type\fR +\fB\-t type\fR
@ -1988,12 +2055,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+\fB\-I inputfile\fR +\fB\-I inputfile\fR
+Copy all files listed in inputfile into the appropriate temporary sandbox direcories. +Copy all files listed in inputfile into the appropriate temporary sandbox direcories.
+.TP +.TP
+\fB\-l\fR
+Specify the MLS/MCS Security Level to run the sandbox in. Defaults to random.
+.TP
+\fB\-X\fR +\fB\-X\fR
+Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t +Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
+.TP +.TP
+\fB\-M\fR +\fB\-M\fR
+Create a Sandbox with temporary files for $HOME and /tmp, defaults to sandbox_t +Create a Sandbox with temporary files for $HOME and /tmp, defaults to sandbox_t
+.TP +.TP
+\fB\-H\ homedir
+Use alternate homedir to mount. Defaults to temporary. Requires -X or -M.
+.TP
+\fB\-T\ tmpdir
+Use alternate tempdir to mount. Defaults to temporary. Requires -X or -M.
+.PP
+.SH "SEE ALSO" +.SH "SEE ALSO"
+.TP +.TP
+runcon(1) +runcon(1)
@ -2289,8 +2365,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+} +}
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500 --- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/semanage/semanage 2010-01-08 09:24:07.000000000 -0500
@@ -32,23 +32,32 @@ @@ -32,25 +32,34 @@
try: try:
gettext.install(PROGNAME, gettext.install(PROGNAME,
localedir="/usr/share/locale", localedir="/usr/share/locale",
@ -2324,8 +2400,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
semanage interface -{a|d|m} [-tr] interface_spec semanage interface -{a|d|m} [-tr] interface_spec
+semanage module -{a|d|m} [--enable|--disable] module +semanage module -{a|d|m} [--enable|--disable] module
semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m} [-frst] file_spec -semanage fcontext -{a|d|m} [-frst] file_spec
+semanage fcontext -{a|d|m} [-efrst] file_spec
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
semanage permissive -{d|a} type
semanage dontaudit [ on | off ]
@@ -61,7 +70,9 @@ @@ -61,7 +70,9 @@
-d, --delete Delete a OBJECT record NAME -d, --delete Delete a OBJECT record NAME
-m, --modify Modify a OBJECT record NAME -m, --modify Modify a OBJECT record NAME
@ -2340,7 +2419,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
-F, --file Treat target as an input file for command, change multiple settings -F, --file Treat target as an input file for command, change multiple settings
-p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
-M, --mask Netmask -M, --mask Netmask
+ -e, --equal Make target equal to this paths labeling + -e, --equal Substitue source path for dest path when labeling
-P, --prefix Prefix for home directory labeling -P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only) -L, --level Default SELinux Level (MLS/MCS Systems only)
-R, --roles SELinux Roles (ex: "sysadm_r staff_r") -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
@ -2618,6 +2697,40 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
process_args(mkargv(l)) process_args(mkargv(l))
trans.finish() trans.finish()
else: else:
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.78/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage.8 2010-01-08 09:32:28.000000000 -0500
@@ -19,6 +19,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage fcontext \-{a|d|m} \-e src_path tgt_path
+.br
.B semanage permissive \-{a|d} type
.br
.B semanage dontaudit [ on | off ]
@@ -52,6 +54,12 @@
.I \-D, \-\-deleteall
Remove all OBJECTS local customizations
.TP
+.I \-e, \-\-equal
+Substitute src path for targetpath when labeling. This is used with
+fcontext. Requires source and destination path arguments. The context
+labeling for the destination subtree is made equivalent to that
+defined for the source.
+.TP
.I \-f, \-\-ftype
File Type. This is used with fcontext.
Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
@@ -110,6 +118,8 @@
$ semanage login -a -s user_u %clerks
# Add file-context for everything under /web (used by restorecon)
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
+# Make /home1 labeling equivalent to /home (used by restorecon)
+$ semanage fcontext -a -e /home1 /home
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
# Change apache to a permissive domain
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500 --- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500
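Review bot: In the sandbox hunk `@ -1883,20 +1937,34 @@` (new column) the `-T` path never populates `newtmpdir`: the option handler stores the argument in `newtempdir` and the existence check reads `newtempdir`, but the `chcon -R` call, `copyfiles(newhomedir, newtmpdir, ...)` and the `seunshare -t %s` command line all format `newtmpdir`, which is still `None` there, so an explicitly supplied temp directory is relabeled as the literal path `None` and never mounted. Rename the three uses to the one variable: `newtmpdir = a` in the `-T`/`--tmpdir` branch, `if not os.path.isdir(newtmpdir):` and `raise IOError("Temp directory "+newtmpdir+" not found")`. Separately, `rc` from each `chcon` spawn is overwritten without being checked, so a failed relabel of the home or tmp directory still proceeds to `seunshare`, and when the caller passes an existing directory it is relabeled recursively (`-R`) unless `-l` is given, a destructive side effect that deserves an `if rc != 0: raise ...` guard (or at least a `# NOTE: relabels the whole tree passed via -H/-T` comment beside the call). The enclosing function starts and ends outside this hunk, and because the page has dropped the outer diff markers the old/new assignment above is read from the second column.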


@ -56,7 +56,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
if audit_msg: if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500 --- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2010-01-06 09:52:35.000000000 -0500
@@ -23,6 +23,27 @@ @@ -23,6 +23,27 @@
# Convenience functions # Convenience functions
@ -103,15 +103,17 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
# Classes representing audit messages # Classes representing audit messages
class AuditMessage: class AuditMessage:
@@ -106,6 +138,7 @@ @@ -106,6 +138,9 @@
if fields[0] == "path": if fields[0] == "path":
self.path = fields[1][1:-1] self.path = fields[1][1:-1]
return return
+import selinux.audit2why as audit2why +import selinux.audit2why as audit2why
+
+avcdict = {}
class AVCMessage(AuditMessage): class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message. """AVC message representing an access denial or granted message.
@@ -146,6 +179,8 @@ @@ -146,6 +181,8 @@
self.path = "" self.path = ""
self.accesses = [] self.accesses = []
self.denial = True self.denial = True
@ -120,7 +122,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
def __parse_access(self, recs, start): def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated # This is kind of sucky - the access that is in a space separated
@@ -205,7 +240,25 @@ @@ -205,7 +242,31 @@
if not found_src or not found_tgt or not found_class or not found_access: if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message) raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -130,24 +132,30 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
+ def analyze(self): + def analyze(self):
+ tcontext = self.tcontext.to_string() + tcontext = self.tcontext.to_string()
+ scontext = self.scontext.to_string() + scontext = self.scontext.to_string()
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); + access_tuple = tuple( self.accesses)
+ if self.type == audit2why.NOPOLICY: + if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
+ raise ValueError("Must call policy_init first") + self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
+ if self.type == audit2why.BADTCON: + else:
+ raise ValueError("Invalid Target Context %s\n" % tcontext) + self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ if self.type == audit2why.BADSCON: + if self.type == audit2why.NOPOLICY:
+ raise ValueError("Invalid Source Context %s\n" % scontext) + raise ValueError("Must call policy_init first")
+ if self.type == audit2why.BADSCON: + if self.type == audit2why.BADTCON:
+ raise ValueError("Invalid Type Class %s\n" % self.tclass) + raise ValueError("Invalid Target Context %s\n" % tcontext)
+ if self.type == audit2why.BADPERM: + if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses)) + raise ValueError("Invalid Source Context %s\n" % scontext)
+ if self.type == audit2why.BADCOMPUTE: + if self.type == audit2why.BADSCON:
+ raise ValueError("Error during access vector computation") + raise ValueError("Invalid Type Class %s\n" % self.tclass)
+ if self.type == audit2why.BADPERM:
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation")
+
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+ +
class PolicyLoadMessage(AuditMessage): class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded.""" """Audit message indicating that the policy was reloaded."""
def __init__(self, message): def __init__(self, message):
@@ -285,6 +338,9 @@ @@ -285,6 +346,9 @@
def __initialize(self): def __initialize(self):
self.avc_msgs = [] self.avc_msgs = []
@ -157,7 +165,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
self.compute_sid_msgs = [] self.compute_sid_msgs = []
self.invalid_msgs = [] self.invalid_msgs = []
self.policy_load_msgs = [] self.policy_load_msgs = []
@@ -314,7 +370,7 @@ @@ -314,7 +378,7 @@
elif i == "security_compute_sid:": elif i == "security_compute_sid:":
msg = ComputeSidMessage(line) msg = ComputeSidMessage(line)
found = True found = True
@ -166,7 +174,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
msg = PolicyLoadMessage(line) msg = PolicyLoadMessage(line)
found = True found = True
elif i == "type=AVC_PATH": elif i == "type=AVC_PATH":
@@ -442,16 +498,17 @@ @@ -442,16 +506,17 @@
audit logs parsed by this object. audit logs parsed by this object.
""" """
av_set = access.AccessVectorSet() av_set = access.AccessVectorSet()
@ -186,7 +194,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
return av_set return av_set
class AVCTypeFilter: class AVCTypeFilter:
@@ -477,5 +534,3 @@ @@ -477,5 +542,3 @@
if self.regex.match(avc.tcontext.type): if self.regex.match(avc.tcontext.type):
return True return True
return False return False
@ -194,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
- -
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400 --- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-16 08:20:45.000000000 -0500 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500
@@ -29,6 +29,8 @@ @@ -29,6 +29,8 @@
import access import access
import interfaces import interfaces
@ -213,10 +221,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
def set_gen_refpol(self, if_set=None, perm_maps=None): def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated. """Set whether reference policy interfaces are generated.
@@ -144,8 +146,35 @@ @@ -141,15 +143,42 @@
def __add_allow_rules(self, avs): """Return the generated module"""
return self.module
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, dontaudit):
for av in avs: for av in avs:
rule = refpolicy.AVRule(av) - rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
+ rule.comment = "" + rule.comment = ""
if self.explain: if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
@ -249,6 +262,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
self.module.children.append(rule) self.module.children.append(rule)
- def add_access(self, av_set):
+ def add_access(self, av_set, dontaudit=False):
"""Add the access from the access vector set to this
module.
"""
@@ -165,7 +194,7 @@
raw_allow = av_set
# Generate the raw allow rules from the filtered list
- self.__add_allow_rules(raw_allow)
+ self.__add_allow_rules(raw_allow, dontaudit)
def add_role_types(self, role_type_set):
for role_type in role_type_set:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400 --- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
@ -263,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
for name in filenames: for name in filenames:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400 --- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500
@@ -398,6 +398,7 @@ @@ -398,6 +398,7 @@
return "attribute %s;" % self.name return "attribute %s;" % self.name
@ -272,12 +299,22 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py polic
class AVRule(Leaf): class AVRule(Leaf):
"""SELinux access vector (AV) rule. """SELinux access vector (AV) rule.
@@ -426,15 +427,17 @@ @@ -420,21 +421,26 @@
AUDITALLOW = 2
NEVERALLOW = 3
- def __init__(self, av=None, parent=None):
+ def __init__(self, av=None, parent=None, dontaudit=False):
Leaf.__init__(self, parent)
self.src_types = IdSet()
self.tgt_types = IdSet() self.tgt_types = IdSet()
self.obj_classes = IdSet() self.obj_classes = IdSet()
self.perms = IdSet() self.perms = IdSet()
- self.rule_type = self.ALLOW - self.rule_type = self.ALLOW
+ self.rule_type = audit2why.TERULE + if dontaudit:
+ self.rule_type = audit2why.DONTAUDIT
+ else:
+ self.rule_type = audit2why.TERULE
if av: if av:
self.from_av(av) self.from_av(av)
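Review bot: The cache lookup added in `analyze` (audit.py hunk `@@ -205,7 +242,31 @@`) tests `in avcdict.keys()`, which on the Python 2 this code targets (`except OSError, e:` and `print "..."` elsewhere on the page) builds a list of every key and scans it linearly, so the memoization added here for speed degrades to O(n) per AVC while the dict itself answers membership in O(1). Build the key once and test the dict directly: `key = (scontext, tcontext, self.tclass, tuple(self.accesses))`, `if key in avcdict:`, `self.type, self.bools = avcdict[key]`, and store under the same `key` at the end. `avcdict` is also a module-level global that is never cleared, so if `audit2why` can be re-initialized against a different policy within one process the cached `(type, bools)` would be stale — presumably one policy per run, but a one-line comment above `avcdict = {}` stating that assumption would help the next reader. The `analyze` method is shown in full here; the `AVCMessage.__init__` that populates the fields it reads is outside the hunk.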


@ -3,11 +3,10 @@
%define libsemanagever 2.0.39-1 %define libsemanagever 2.0.39-1
%define libselinuxver 2.0.87-1 %define libselinuxver 2.0.87-1
%define sepolgenver 1.0.19 %define sepolgenver 1.0.19
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.78 Version: 2.0.78
Release: 7%{?dist} Release: 9%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -298,6 +297,13 @@ fi
exit 0 exit 0
%changelog %changelog
* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9
- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-8
- Speed up audit2allow processing of audit2why comments
* Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-7 * Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-7
- Fixes to sandbox man page - Fixes to sandbox man page