* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-2

- Add descriptions of booleans to audit2allow

policycoreutils-rhat.patch

@@ -1,7 +1,15 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.35/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow	2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.35/audit2allow/audit2allow	2008-01-11 11:17:46.000000000 -0500
-@@ -60,7 +60,10 @@
++++ policycoreutils-2.0.35/audit2allow/audit2allow	2008-01-15 11:32:58.000000000 -0500
+@@ -19,7 +19,6 @@
+ #
+ 
+ import sys
+-import tempfile
+ 
+ import sepolgen.audit as audit
+ import sepolgen.policygen as policygen
+@@ -60,7 +59,10 @@
          parser.add_option("-o", "--output", dest="output",
                            help="append output to <filename>, conflicts with -M")
          parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
@@ -13,7 +21,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
          parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
                            default=False, help="explain generated output")
          parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
-@@ -72,6 +75,9 @@
+@@ -72,6 +74,9 @@
          parser.add_option("--debug", dest="debug", action="store_true", default=False,
                            help="leave generated modules for -M")
  
@@ -23,31 +31,36 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
          options, args = parser.parse_args()
  
          # Make -d, -a, and -i conflict
-@@ -149,8 +155,10 @@
+@@ -147,10 +152,12 @@
+ 
+     def __process_input(self):
          if self.__options.type:
-             filter = audit.TypeFilter(self.__options.type)
-             self.__avs = self.__parser.to_access(filter)
-+            self.__selinux_errs = self.__parser.to_role(filter)
+-            filter = audit.TypeFilter(self.__options.type)
+-            self.__avs = self.__parser.to_access(filter)
++            avcfilter = audit.TypeFilter(self.__options.type)
++            self.__avs = self.__parser.to_access(avcfilter)
++            self.__selinux_errs = self.__parser.to_role(avcfilter)
          else:
              self.__avs = self.__parser.to_access()
 +            self.__selinux_errs = self.__parser.to_role()
  
      def __load_interface_info(self):
          # Load interface info file
-@@ -210,7 +218,71 @@
+@@ -210,7 +217,74 @@
          sys.stdout.write((_("To make this policy package active, execute:" +\
                                  "\n\nsemodule -i %s\n\n") % packagename))
  
 +    def __output_audit2why(self):
 +            import selinux
 +            import selinux.audit2why as audit2why
++            import seobject
 +            audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers()))
 +            for i in self.__parser.avc_msgs:
 +                rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
 +                if rc >= 0:
 +                    print "%s\n\tWas caused by:" % i.message
 +                if rc == audit2why.NOPOLICY:
-+                    raise "Must call policy_init first"
++                    raise RuntimeError("Must call policy_init first")
 +                if rc == audit2why.BADTCON:
 +                    print "Invalid Target Context %s\n" % i.tcontext
 +                    continue
@@ -61,7 +74,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 +                    print "Invalid permission %s\n" % i.accesses
 +                    continue
 +                if rc == audit2why. BADCOMPUTE:
-+                    raise "Error during access vector computation"
++                    raise RuntimeError("Error during access vector computation")
 +                if rc == audit2why.ALLOW:
 +                    print "\t\tUnknown - would be allowed by active policy\n",
 +                    print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
@@ -71,12 +84,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
 +                    if len(bools) > 1:
 +                        print "\tOne of the following booleans being set incorrectly."
 +                        for b in bools:
-+                            print "\n\tBoolean %s is %d. Allow access by executing:" % (b[0], not b[1])
-+                            print "\t# setsebool -P %s %d"  % (b[0], b[1])
++                            print "\n\tBoolean %s is %d." % (b[0], not b[1])
++                            print "\tDescription:\n\t%s\n"  % seobject.boolean_desc(b[0])
++                            print "\tAllow access by executing:\n\t# setsebool -P %s %d"  % (b[0], b[1])
 +                    else:
-+                        print "\tThe boolean %s set incorrectly.  Allow access by executing:" % bools[0][0]
-+                        print "\t# setsebool -P %s %d\n"  % (bools[0][0], bools[0][1])
-+
++                        print "\tThe boolean %s set incorrectly. " % (bools[0][0])
++                        print "\n\tBoolean %s is %d." % (bools[0][0], bools[0][1])
++                        print "\tDescription:\n\t%s\n"  % seobject.boolean_desc(bools[0][0])
++                        print "\tAllow access by executing:\n\t# setsebool -P %s %d"  % (bools[0][0], bools[0][1])
 +                    continue
 +
 +                if rc == audit2why.TERULE:
@@ -106,7 +121,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
          g = policygen.PolicyGenerator()
  
          if self.__options.module:
-@@ -251,6 +323,12 @@
+@@ -251,6 +325,12 @@
                  fd = sys.stdout
              writer.write(g.get_module(), fd)
  
@@ -831,3 +846,31 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
  		if object == "login":
  			OBJECT = seobject.loginRecords(store)
  
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.35/semanage/seobject.py
+--- nsapolicycoreutils/semanage/seobject.py	2007-12-10 21:42:27.000000000 -0500
++++ policycoreutils-2.0.35/semanage/seobject.py	2008-01-15 11:31:49.000000000 -0500
+@@ -117,6 +117,12 @@
+        #print _("Failed to translate booleans.\n%s") % e
+        pass
+ 
++def boolean_desc(boolean):
++       if boolean in booleans_dict:
++              return _(booleans_dict[boolean][2])
++       else:
++              return boolean
++
+ def validate_level(raw):
+ 	sensitivity = "s[0-9]*"
+ 	category = "c[0-9]*"
+@@ -1456,10 +1462,7 @@
+ 		return ddict
+ 			
+         def get_desc(self, boolean):
+-               if boolean in booleans_dict:
+-                      return _(booleans_dict[boolean][2])
+-               else:
+-                      return boolean
++               return boolean_desc(boolean)
+ 
+         def get_category(self, boolean):
+                if boolean in booleans_dict:

policycoreutils.spec

@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.35
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -193,6 +193,9 @@ if [ "$1" -ge "1" ]; then
 fi
 
 %changelog
+* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-2
+- Add descriptions of booleans to audit2allow
+
 * Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-1
 - Update to upstream
 	* Merged support for non-interactive newrole command invocation from Tim Reed.