policycoreutils-2.6-3

- Fix several issues in gui and 'sepolicy manpage' (#1416372)
Petr Lautrbach 2017-02-28 21:57:37 +01:00
parent fbd38097f4
commit c12014f9e3
2 changed files with 129 additions and 30 deletions


@ -393,10 +393,18 @@ index 3e502a7..5bf9b52 100755
+ print("Out")
sys.exit(0)
diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py
index 8fbd5b4..43144c1 100644
index 8fbd5b4..254fc67 100644
--- policycoreutils-2.6/sepolicy/sepolicy/__init__.py
+++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py
@@ -383,7 +383,12 @@ def get_conditionals(src, dest, tclass, perm):
@@ -171,6 +171,7 @@ def info(setype, name=None):
'aliases': map(str, x.aliases()),
'name': str(x),
'permissive': bool(x.ispermissive),
+ 'attributes': map(str, x.attributes())
} for x in q.results())
elif setype == ROLE:
@@ -383,7 +384,12 @@ def get_conditionals(src, dest, tclass, perm):
def get_conditionals_format_text(cond):
@ -410,7 +418,7 @@ index 8fbd5b4..43144c1 100644
return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
@@ -465,7 +470,7 @@ def find_file(reg):
@@ -465,7 +471,7 @@ def find_file(reg):
try:
pat = re.compile(r"%s$" % reg)
@ -419,7 +427,7 @@ index 8fbd5b4..43144c1 100644
except:
return []
@@ -589,7 +594,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
@@ -589,7 +595,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
def get_transitions_into(setype):
try:
@ -428,7 +436,7 @@ index 8fbd5b4..43144c1 100644
except (TypeError, AttributeError):
pass
return None
@@ -605,7 +610,7 @@ def get_transitions(setype):
@@ -605,7 +611,7 @@ def get_transitions(setype):
def get_file_transitions(setype):
try:
@ -437,7 +445,7 @@ index 8fbd5b4..43144c1 100644
except (TypeError, AttributeError):
pass
return None
@@ -663,6 +668,23 @@ def get_init_entrypoint(transtype):
@@ -663,6 +669,23 @@ def get_init_entrypoint(transtype):
return entrypoints
@ -461,7 +469,7 @@ index 8fbd5b4..43144c1 100644
def get_init_entrypoint_target(entrypoint):
try:
@@ -695,7 +717,7 @@ def get_methods():
@@ -695,7 +718,7 @@ def get_methods():
# List of per_role_template interfaces
ifs = interfaces.InterfaceSet()
ifs.from_file(fd)
@ -470,7 +478,16 @@ index 8fbd5b4..43144c1 100644
fd.close()
except:
sys.stderr.write("could not open interface info [%s]\n" % fn)
@@ -752,7 +774,10 @@ def get_all_entrypoint_domains():
@@ -725,7 +748,7 @@ def get_all_role_allows():
return role_allows
role_allows = {}
- q = setools.RBACRuleQuery(_pol, ruletype='allow')
+ q = setools.RBACRuleQuery(_pol, ruletype=[ALLOW])
for r in q.results():
src = str(r.source)
tgt = str(r.target)
@@ -752,7 +775,10 @@ def get_all_entrypoint_domains():
def gen_interfaces():
@ -482,7 +499,7 @@ index 8fbd5b4..43144c1 100644
ifile = defaults.interface_info()
headers = defaults.headers()
try:
@@ -763,7 +788,7 @@ def gen_interfaces():
@@ -763,7 +789,7 @@ def gen_interfaces():
if os.getuid() != 0:
raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
@ -491,7 +508,7 @@ index 8fbd5b4..43144c1 100644
def gen_port_dict():
@@ -1082,24 +1107,14 @@ def boolean_desc(boolean):
@@ -1082,24 +1108,14 @@ def boolean_desc(boolean):
def get_os_version():
@ -1031,7 +1048,7 @@ index c2cb971..8956f39 100644
sys.stderr.write(output)
sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py
index 7365f93..9d54ab0 100755
index 7365f93..5103272 100755
--- policycoreutils-2.6/sepolicy/sepolicy/manpage.py
+++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py
@@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d
@ -1054,7 +1071,55 @@ index 7365f93..9d54ab0 100755
equiv_dirs = ["/var"]
modules_dict = None
@@ -144,10 +150,6 @@ def prettyprint(f, trim):
@@ -88,11 +94,10 @@ def get_all_users_info():
all_entrypoints = None
-
def get_entrypoints():
global all_entrypoints
if not all_entrypoints:
- all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")[0]["types"]
+ all_entrypoints = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return all_entrypoints
domains = None
@@ -120,8 +125,33 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
+types = None
def _gen_types():
global types
@@ -144,10 +174,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
@ -1065,7 +1130,7 @@ index 7365f93..9d54ab0 100755
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -162,7 +164,11 @@ def get_alphabet_manpages(manpage_list):
@@ -162,7 +188,11 @@ def get_alphabet_manpages(manpage_list):
def convert_manpage_to_html(html_manpage, manpage):
@ -1078,7 +1143,7 @@ index 7365f93..9d54ab0 100755
if rc == 0:
print(html_manpage, "has been created")
fd = open(html_manpage, 'w')
@@ -173,7 +179,7 @@ def convert_manpage_to_html(html_manpage, manpage):
@@ -173,7 +203,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
@ -1087,7 +1152,7 @@ index 7365f93..9d54ab0 100755
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -181,9 +187,9 @@ class HTMLManPages:
@@ -181,9 +211,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
@ -1099,7 +1164,7 @@ index 7365f93..9d54ab0 100755
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -192,7 +198,6 @@ class HTMLManPages:
@@ -192,7 +222,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
@ -1107,7 +1172,7 @@ index 7365f93..9d54ab0 100755
self._gen_css()
def _write_html_manpage(self):
@@ -210,67 +215,21 @@ class HTMLManPages:
@@ -210,67 +239,21 @@ class HTMLManPages:
convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r)
def _gen_index(self):
@ -1179,7 +1244,26 @@ index 7365f93..9d54ab0 100755
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
@@ -501,6 +460,7 @@ class ManPage:
@@ -414,6 +397,9 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -485,7 +471,7 @@ class ManPage:
self.desc = "%s user role" % self.domainname
if self.domainname in self.all_users:
- self.attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+ self.attributes = next(sepolicy.info(sepolicy.TYPE, (self.type)))["attributes"]
self._user_header()
self._user_attribute()
self._can_sudo()
@@ -501,6 +487,7 @@ class ManPage:
self._booleans()
self._port_types()
@ -1187,10 +1271,11 @@ index 7365f93..9d54ab0 100755
self._writes()
self._footer()
@@ -519,11 +479,22 @@ class ManPage:
@@ -519,11 +506,22 @@ class ManPage:
self._get_ptypes()
for domain_type in self.ptypes:
- self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
+ try:
+ if typealias_types[domain_type]:
+ fd = self.fd
@ -1201,7 +1286,7 @@ index 7365f93..9d54ab0 100755
+ self.man_page_path = man_page_path
+ except KeyError:
+ continue;
self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
+ self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE, ("%s") % domain_type))["attributes"]
self._header()
self._entrypoints()
@ -1210,7 +1295,7 @@ index 7365f93..9d54ab0 100755
self._booleans()
self._nsswitch_domain()
self._port_types()
@@ -537,6 +508,34 @@ class ManPage:
@@ -537,6 +535,34 @@ class ManPage:
if f.startswith(self.short_name) or f.startswith(self.domainname):
self.ptypes.append(f)
@ -1245,7 +1330,7 @@ index 7365f93..9d54ab0 100755
def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
% {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
@@ -686,10 +685,13 @@ Default Defined Ports:""")
@@ -686,10 +712,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
@ -1254,12 +1339,12 @@ index 7365f93..9d54ab0 100755
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ if not f in self.exec_types or not f in self.entry_types:
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -741,19 +743,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -741,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
@ -1283,13 +1368,24 @@ index 7365f93..9d54ab0 100755
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
@@ -920,6 +923,17 @@ All executeables with the default executable label, usually stored in /usr/bin a
@@ -889,9 +919,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
return True
def _entrypoints(self):
- try:
- entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'}))
- except:
+ entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})]
+ if len(entrypoints) == 0:
return
self.fd.write("""
@@ -920,6 +949,16 @@ All executeables with the default executable label, usually stored in /usr/bin a
self.fd.write("""
%s""" % ", ".join(paths))
+ def _mcs_types(self):
+ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+ if "mcs_constrained_type" not in attributes:
+ if self.type not in self.mcs_constrained_types['types']:
+ return
+ self.fd.write ("""
+.SH "MCS Constrained"
@ -1301,7 +1397,7 @@ index 7365f93..9d54ab0 100755
def _writes(self):
permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
if permlist is None or len(permlist) == 0:
@@ -1156,7 +1170,7 @@ Three things can happen when %(type)s attempts to execute a program.
@@ -1156,7 +1195,7 @@ Three things can happen when %(type)s attempts to execute a program.
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
@ -1310,7 +1406,7 @@ index 7365f93..9d54ab0 100755
.TP
@@ -1164,7 +1178,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
@@ -1164,7 +1203,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
Execute the following to see the types that the SELinux user %(type)s can execute and transition:
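Review bot: The new cached lookups in manpage.py (`_gen_exec_types`, `_gen_entry_types`, `_gen_mcs_constrained_types`) and the rewritten `get_entrypoints` call `next(sepolicy.info(...))` with no default, so a policy that lacks the queried attribute would presumably escape `ManPage.__init__` as a bare `StopIteration`; the `ATTRIBUTE` branch of `info()` is not visible here, so confirm what it yields for an unknown name. Passing a default makes the choice deliberate, e.g. `exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"), {"types": []})["types"]`, or catch `StopIteration` and raise a `ValueError` that names the missing attribute. `_gen_mcs_constrained_types` also caches the whole info dict while its two siblings cache `["types"]`, which is why `_mcs_types` has to index `['types']`; storing the list in all three would keep them consistent. In `__init__.py`, the added `'attributes': map(str, x.attributes())` is a one-shot iterator under Python 3, so `list(map(str, x.attributes()))` is safer if any caller reads `self.attributes` more than once.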


@ -9,7 +9,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.6
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2
Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases
@ -445,6 +445,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Tue Feb 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-3
- Fix several issues in gui and 'sepolicy manpage' (#1416372)
* Thu Feb 23 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-2
- Use %{__python3} instead of python3