Fix sepolicy generate --confined_admin to generate tunables
- Add new interface to generate entrypoints for use with new gui
This commit is contained in:
Dan Walsh
parent
ad349ef1ad
commit
b8c1b26e16
|
|
@ -250524,7 +250524,7 @@ index b25d3b2..a0b262b 100755
|
|||
except KeyboardInterrupt:
|
||||
sys.exit(0)
|
||||
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||
index 5e7415c..c288a11 100644
|
||||
index 5e7415c..92a6b88 100644
|
||||
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||
@@ -7,6 +7,9 @@ import _policy
|
||||
|
|
@ -250537,7 +250537,7 @@ index 5e7415c..c288a11 100644
|
|||
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
||||
gettext.textdomain(PROGNAME)
|
||||
try:
|
||||
@@ -37,9 +40,30 @@ CLASS = 'class'
|
||||
@@ -37,9 +40,75 @@ CLASS = 'class'
|
||||
TRANSITION = 'transition'
|
||||
ROLE_ALLOW = 'role_allow'
|
||||
|
||||
|
|
@ -250563,6 +250563,51 @@ index 5e7415c..c288a11 100644
|
|||
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
|
||||
+ return dict_list
|
||||
+
|
||||
+fcdict=None
|
||||
+def get_fcdict(fc_path = selinux.selinux_file_context_path()):
|
||||
+ global fcdict
|
||||
+ if fcdict:
|
||||
+ return fcdict
|
||||
+ fd = open(fc_path, "r")
|
||||
+ fc = fd.readlines()
|
||||
+ fd.close()
|
||||
+ fd = open(fc_path+".homedirs", "r")
|
||||
+ fc += fd.readlines()
|
||||
+ fd.close()
|
||||
+ fcdict = {}
|
||||
+ for i in fc:
|
||||
+ rec = i.split()
|
||||
+ try:
|
||||
+ t = rec[-1].split(":")[2]
|
||||
+ if t in fcdict:
|
||||
+ fcdict[t].append(rec[0])
|
||||
+ else:
|
||||
+ fcdict[t] = [ rec[0] ]
|
||||
+ except:
|
||||
+ pass
|
||||
+ fcdict["logfile"] = [ "all log files" ]
|
||||
+ fcdict["user_tmp_type"] = [ "all user tmp files" ]
|
||||
+ fcdict["user_home_type"] = [ "all user home files" ]
|
||||
+ fcdict["virt_image_type"] = [ "all virtual image files" ]
|
||||
+ fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ]
|
||||
+ fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ]
|
||||
+ fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ]
|
||||
+ fcdict["file_type"] = [ "all files on the system" ]
|
||||
+ fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
|
||||
+ return fcdict
|
||||
+
|
||||
+def get_entrypoint_types(setype):
|
||||
+ entrypoints = None
|
||||
+ entrypoints = map(lambda x: x['target'], search([ALLOW],{'source':setype, 'permlist':['entrypoint'], 'class':'file'}))
|
||||
+ return entrypoints
|
||||
+
|
||||
+def get_all_entrypoints(setype):
|
||||
+ fcdict = get_fcdict()
|
||||
+ mpaths = {}
|
||||
+ for f in get_entrypoint_types(setype):
|
||||
+ mpaths[f] = fcdict[f]
|
||||
+ return mpaths
|
||||
+
|
||||
+def get_installed_policy(root = "/"):
|
||||
try:
|
||||
- path = selinux.selinux_binary_policy_path()
|
||||
|
|
@ -250570,7 +250615,7 @@ index 5e7415c..c288a11 100644
|
|||
policies = glob.glob ("%s.*" % path )
|
||||
policies.sort()
|
||||
return policies[-1]
|
||||
@@ -47,6 +71,27 @@ def __get_installed_policy():
|
||||
@@ -47,6 +116,27 @@ def __get_installed_policy():
|
||||
pass
|
||||
raise ValueError(_("No SELinux Policy installed"))
|
||||
|
||||
|
|
@ -250598,7 +250643,7 @@ index 5e7415c..c288a11 100644
|
|||
all_types = None
|
||||
def get_all_types():
|
||||
global all_types
|
||||
@@ -54,6 +99,13 @@ def get_all_types():
|
||||
@@ -54,6 +144,13 @@ def get_all_types():
|
||||
all_types = map(lambda x: x['name'], info(TYPE))
|
||||
return all_types
|
||||
|
||||
|
|
@ -250612,7 +250657,7 @@ index 5e7415c..c288a11 100644
|
|||
role_allows = None
|
||||
def get_all_role_allows():
|
||||
global role_allows
|
||||
@@ -71,6 +123,7 @@ def get_all_role_allows():
|
||||
@@ -71,6 +168,7 @@ def get_all_role_allows():
|
||||
return role_allows
|
||||
|
||||
def get_all_entrypoint_domains():
|
||||
|
|
@ -250620,7 +250665,7 @@ index 5e7415c..c288a11 100644
|
|||
all_domains = []
|
||||
types=get_all_types()
|
||||
types.sort()
|
||||
@@ -81,11 +134,54 @@ def get_all_entrypoint_domains():
|
||||
@@ -81,11 +179,54 @@ def get_all_entrypoint_domains():
|
||||
all_domains.append(m[0])
|
||||
return all_domains
|
||||
|
||||
|
|
@ -250676,7 +250721,7 @@ index 5e7415c..c288a11 100644
|
|||
return all_domains
|
||||
|
||||
roles = None
|
||||
@@ -139,50 +235,62 @@ def get_all_attributes():
|
||||
@@ -139,50 +280,62 @@ def get_all_attributes():
|
||||
return all_attributes
|
||||
|
||||
def policy(policy_file):
|
||||
|
|
@ -250764,7 +250809,7 @@ index 5e7415c..c288a11 100644
|
|||
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||
global booleans_dict
|
||||
if booleans_dict:
|
||||
@@ -191,7 +299,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||
@@ -191,7 +344,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||
import re
|
||||
booleans_dict = {}
|
||||
try:
|
||||
|
|
@ -251739,48 +251784,30 @@ index 0000000..3a3faa6
|
|||
+
|
||||
+"""
|
||||
diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||
index 79f3997..9c9439c 100644
|
||||
index 79f3997..1ff9d2c 100644
|
||||
--- a/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||
+++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
|
||||
@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE)
|
||||
te_admin_user_types="""\
|
||||
@@ -71,11 +71,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
|
||||
te_root_user_types="""\
|
||||
policy_module(TEMPLATETYPE, 1.0.0)
|
||||
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow TEMPLATETYPE to read files in the user home directory
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(TEMPLATETYPE_read_user_files, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow TEMPLATETYPE to manage files in the user home directory
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
|
||||
# Declarations
|
||||
#
|
||||
-########################################
|
||||
-#
|
||||
-# Declarations
|
||||
-#
|
||||
-
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow TEMPLATETYPE to read files in the user home directory
|
||||
@@ -90,6 +85,11 @@ gen_tunable(TEMPLATETYPE_read_user_files, false)
|
||||
## </desc>
|
||||
gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
||||
|
||||
-## <desc>
|
||||
-## <p>
|
||||
-## Allow TEMPLATETYPE to read files in the user home directory
|
||||
-## </p>
|
||||
-## </desc>
|
||||
-gen_tunable(TEMPLATETYPE_read_user_files, false)
|
||||
-
|
||||
-## <desc>
|
||||
-## <p>
|
||||
-## Allow TEMPLATETYPE to manage files in the user home directory
|
||||
-## </p>
|
||||
-## </desc>
|
||||
-gen_tunable(TEMPLATETYPE_manage_user_files, false)
|
||||
-
|
||||
+########################################
|
||||
+#
|
||||
+# Declarations
|
||||
+#
|
||||
+
|
||||
userdom_base_user_template(TEMPLATETYPE)
|
||||
"""
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.1.14
|
||||
Release: 49%{?dist}
|
||||
Release: 50%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# Based on git repository with tag 20101221
|
||||
|
|
@ -311,6 +311,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Thu Jun 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-50
|
||||
- Fix sepolicy generate --confined_admin to generate tunables
|
||||
- Add new interface to generate entrypoints for use with new gui
|
||||
|
||||
* Wed Jun 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-49
|
||||
- Fix handing of semanage with no args
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue