* Fri Dec 21 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-3

- Catch SELINUX_ERR with audit2allow and generate policy
2007-12-21 07:14:11 +00:00 · 2007-12-21 07:14:11 +00:00 · cdbdbe7a2a
parent 96efbf90c9
commit cdbdbe7a2a
3 changed files with 81 additions and 2 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1,6 +1,6 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.34/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow	2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.34/audit2allow/audit2allow	2007-12-19 06:05:50.000000000 -0500
+++ policycoreutils-2.0.34/audit2allow/audit2allow	2007-12-21 01:59:57.000000000 -0500
@@ -60,7 +60,9 @@
         parser.add_option("-o", "--output", dest="output",
                           help="append output to <filename>, conflicts with -M")
@ -12,6 +12,32 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
         parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
                           default=False, help="explain generated output")
         parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
+@@ -149,9 +151,11 @@
+         if self.__options.type:
+             filter = audit.TypeFilter(self.__options.type)
+             self.__avs = self.__parser.to_access(filter)
+            self.__selinux_errs = self.__parser.to_role(filter)
+         else:
+             self.__avs = self.__parser.to_access()
+-
+            self.__selinux_errs = self.__parser.to_role()
+        
+     def __load_interface_info(self):
+         # Load interface info file
+         if self.__options.interface_info:
+@@ -251,6 +255,12 @@
+                 fd = sys.stdout
+             writer.write(g.get_module(), fd)
+ 
+        if len(self.__selinux_errs) > 0:
+            fd.write("\n=========== ROLES ===============\n")
+
+        for role in self.__selinux_errs:
+            fd.write(role.output())
+
+     def main(self):
+         try:
+             self.__parse_options()
 diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.34/audit2allow/audit2allow.1
 --- nsapolicycoreutils/audit2allow/audit2allow.1	2007-07-16 14:20:41.000000000 -0400
 +++ policycoreutils-2.0.34/audit2allow/audit2allow.1	2007-12-19 06:05:50.000000000 -0500
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@ -1,3 +1,53 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py	2007-09-13 08:21:11.000000000 -0400
+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py	2007-12-21 02:10:43.000000000 -0500
+@@ -32,7 +32,7 @@
+        string contain all of the audit messages returned by ausearch.
+     """
+     import subprocess
+-    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START"],
+    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
+                               stdout=subprocess.PIPE).communicate()[0]
+     return output
+ 
+@@ -251,7 +251,9 @@
+             self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+         except:
+             raise ValueError("Split string does not represent a valid compute sid message")
+-
+    def output(self):
+        return "role %s types %s;\n" % (self.role, self.type)
+        
+ # Parser for audit messages
+ 
+ class AuditParser:
+@@ -402,6 +404,26 @@
+             self.__parse(l)
+         self.__post_process()
+ 
+    def to_role(self, role_filter=None):
+        """Return list of SELINUX_ERR messages matching the specified filter
+
+        Filter out types that match the filer, or all roles
+
+        Params:
+           role_filter - [optional] Filter object used to filter the
+              output.
+        Returns:
+           Access vector set representing the denied access in the
+           audit logs parsed by this object.
+        """
+        roles = []
+        if role_filter:
+            for selinux_err in self.compute_sid_msgs:
+                if role_filter.filter(selinux_err):
+                    roles.append(selinux_err)
+            return roles
+        return self.compute_sid_msgs
+
+     def to_access(self, avc_filter=None, only_denials=True):
+         """Convert the audit logs access into a an access vector set.
+ 
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py
 --- nsasepolgen/src/sepolgen/refparser.py	2007-09-13 08:21:11.000000000 -0400
 +++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py	2007-12-20 14:20:49.000000000 -0500
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.34
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -193,6 +193,9 @@ if [ "$1" -ge "1" ]; then
 fi

 %changelog
+* Fri Dec 21 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-3
+- Catch SELINUX_ERR with audit2allow and generate policy
+
 * Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2
 - Make sepolgen set error exit code when partial failure
 - audit2why now checks booleans for avc diagnosis