policycoreutils-2.4-8

- Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564)

FIXME: some functionality of audit2allow was temporarily disabled until sepolicy is
ported to python 3
Petr Lautrbach 2015-08-06 17:59:17 +02:00
parent 9ef0d2c14c
commit d0392a9475
3 changed files with 275 additions and 161 deletions


@ -655722,10 +655722,10 @@ index 568ebfd..306d9b7 100644
def __init__(self, store):
diff --git a/policycoreutils-2.4/semanage/seobject/__init__.py b/policycoreutils-2.4/semanage/seobject/__init__.py
new file mode 100644
index 0000000..1cf9681
index 0000000..c23ebef
--- /dev/null
+++ b/policycoreutils-2.4/semanage/seobject/__init__.py
@@ -0,0 +1,2251 @@
@@ -0,0 +1,2271 @@
+#! /usr/bin/python3 -Es
+# Copyright (C) 2005-2013 Red Hat
+# see file 'COPYING' for use and warranty information
@ -655748,9 +655748,17 @@ index 0000000..1cf9681
+# 02111-1307 USA
+#
+#
+
+import pwd, grp, string, selinux, tempfile, os, re, sys, stat, shutil
+from semanage import *;
+import pwd
+import grp
+import string
+import selinux
+import tempfile
+import os
+import re
+import sys
+import stat
+import shutil
+from semanage import *
+PROGNAME = "policycoreutils"
+import sepolicy
+from sepolicy import boolean_desc, boolean_category, gen_bool_dict
@ -655758,7 +655766,6 @@ index 0000000..1cf9681
+from IPy import IP
+
+import gettext
+PROGNAME="policycoreutils"
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+try:
@ -655778,30 +655785,30 @@ index 0000000..1cf9681
+import syslog
+
+file_types = {}
+file_types[""] = SEMANAGE_FCONTEXT_ALL;
+file_types["all files"] = SEMANAGE_FCONTEXT_ALL;
+file_types["a"] = SEMANAGE_FCONTEXT_ALL;
+file_types["regular file"] = SEMANAGE_FCONTEXT_REG;
+file_types["--"] = SEMANAGE_FCONTEXT_REG;
+file_types["f"] = SEMANAGE_FCONTEXT_REG;
+file_types["-d"] = SEMANAGE_FCONTEXT_DIR;
+file_types["directory"] = SEMANAGE_FCONTEXT_DIR;
+file_types["d"] = SEMANAGE_FCONTEXT_DIR;
+file_types["-c"] = SEMANAGE_FCONTEXT_CHAR;
+file_types["character device"] = SEMANAGE_FCONTEXT_CHAR;
+file_types["c"] = SEMANAGE_FCONTEXT_CHAR;
+file_types["-b"] = SEMANAGE_FCONTEXT_BLOCK;
+file_types["block device"] = SEMANAGE_FCONTEXT_BLOCK;
+file_types["b"] = SEMANAGE_FCONTEXT_BLOCK;
+file_types["-s"] = SEMANAGE_FCONTEXT_SOCK;
+file_types["socket"] = SEMANAGE_FCONTEXT_SOCK;
+file_types["s"] = SEMANAGE_FCONTEXT_SOCK;
+file_types["-l"] = SEMANAGE_FCONTEXT_LINK;
+file_types["l"] = SEMANAGE_FCONTEXT_LINK;
+file_types["symbolic link"] = SEMANAGE_FCONTEXT_LINK;
+file_types["p"] = SEMANAGE_FCONTEXT_PIPE;
+file_types["-p"] = SEMANAGE_FCONTEXT_PIPE;
+file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE;
+file_types[""] = SEMANAGE_FCONTEXT_ALL
+file_types["all files"] = SEMANAGE_FCONTEXT_ALL
+file_types["a"] = SEMANAGE_FCONTEXT_ALL
+file_types["regular file"] = SEMANAGE_FCONTEXT_REG
+file_types["--"] = SEMANAGE_FCONTEXT_REG
+file_types["f"] = SEMANAGE_FCONTEXT_REG
+file_types["-d"] = SEMANAGE_FCONTEXT_DIR
+file_types["directory"] = SEMANAGE_FCONTEXT_DIR
+file_types["d"] = SEMANAGE_FCONTEXT_DIR
+file_types["-c"] = SEMANAGE_FCONTEXT_CHAR
+file_types["character device"] = SEMANAGE_FCONTEXT_CHAR
+file_types["c"] = SEMANAGE_FCONTEXT_CHAR
+file_types["-b"] = SEMANAGE_FCONTEXT_BLOCK
+file_types["block device"] = SEMANAGE_FCONTEXT_BLOCK
+file_types["b"] = SEMANAGE_FCONTEXT_BLOCK
+file_types["-s"] = SEMANAGE_FCONTEXT_SOCK
+file_types["socket"] = SEMANAGE_FCONTEXT_SOCK
+file_types["s"] = SEMANAGE_FCONTEXT_SOCK
+file_types["-l"] = SEMANAGE_FCONTEXT_LINK
+file_types["l"] = SEMANAGE_FCONTEXT_LINK
+file_types["symbolic link"] = SEMANAGE_FCONTEXT_LINK
+file_types["p"] = SEMANAGE_FCONTEXT_PIPE
+file_types["-p"] = SEMANAGE_FCONTEXT_PIPE
+file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE
+
+file_type_str_to_option = {"all files": "a",
+ "regular file":"f",
@ -655821,11 +655828,14 @@ index 0000000..1cf9681
+
+ sep = "-"
+ if sename != oldsename:
+ msg += sep + "sename"; sep = ","
+ msg += sep + "sename"
+ sep = ","
+ if serole != oldserole:
+ msg += sep + "role"; sep = ","
+ msg += sep + "role"
+ sep = ","
+ if serange != oldserange:
+ msg += sep + "range"; sep = ","
+ msg += sep + "range"
+ sep = ","
+
+ self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_ASSIGN, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
+
@ -655919,10 +655929,12 @@ index 0000000..1cf9681
+ else:
+ return raw
+
+
+class semanageRecords:
+ transaction = False
+ handle = None
+ store = None
+
+ def __init__(self, store):
+ global handle
+ self.load = True
@ -655948,7 +655960,7 @@ index 0000000..1cf9681
+ raise ValueError(_("Could not create semanage handle"))
+
+ if not semanageRecords.transaction and store != "":
+ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
+ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT)
+ semanageRecords.store = store
+
+ if not semanage_is_managed(handle):
@ -655988,6 +656000,7 @@ index 0000000..1cf9681
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not start semanage transaction"))
+
+ def customized(self):
+ raise ValueError(_("Not yet implemented"))
+
@ -656008,7 +656021,9 @@ index 0000000..1cf9681
+ semanageRecords.transaction = False
+ self.commit()
+
+
+class moduleRecords(semanageRecords):
+
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
+
@ -656076,7 +656091,7 @@ index 0000000..1cf9681
+ if rc < 0:
+ raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
+
+ rc = semanage_module_install_file(self.sh, module);
+ rc = semanage_module_install_file(self.sh, module)
+ if rc >= 0:
+ self.commit()
+
@ -656101,7 +656116,7 @@ index 0000000..1cf9681
+ def modify(self, file):
+ if not module:
+ raise ValueError(_("You did not define module name."))
+ rc = semanage_module_upgrade_file(self.sh, file);
+ rc = semanage_module_upgrade_file(self.sh, file)
+ if rc >= 0:
+ self.commit()
+
@ -656124,7 +656139,9 @@ index 0000000..1cf9681
+ for m in l:
+ self.set_enabled(m, True)
+
+
+class dontauditClass(semanageRecords):
+
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
+
@ -656132,10 +656149,12 @@ index 0000000..1cf9681
+ if dontaudit not in ["on", "off"]:
+ raise ValueError(_("dontaudit requires either 'on' or 'off'"))
+ self.begin()
+ semanage_set_disable_dontaudit(self.sh, dontaudit == "off")
+ rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off")
+ self.commit()
+
+
+class permissiveRecords(semanageRecords):
+
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
+
@ -656186,7 +656205,7 @@ index 0000000..1cf9681
+ name = "permissive_%s" % setype
+ modtxt = "(typepermissive %s)" % type
+
+ rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil");
+ rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil")
+ if rc >= 0:
+ self.commit()
+
@ -656274,7 +656293,7 @@ index 0000000..1cf9681
+
+ semanage_seuser_key_free(k)
+ semanage_seuser_free(u)
+ self.mylog.log("login", name, sename=sename, serange=serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
+ self.mylog.log("login", name, sename=sename, serange=serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange)
+
+ def add(self, name, sename, serange):
+ try:
@ -656324,6 +656343,7 @@ index 0000000..1cf9681
+
+ if sename != "":
+ semanage_seuser_set_sename(self.sh, u, sename)
+ self.sename = sename
+ else:
+ self.sename = self.oldsename
+
@ -656333,7 +656353,7 @@ index 0000000..1cf9681
+
+ semanage_seuser_key_free(k)
+ semanage_seuser_free(u)
+ self.mylog.log("login", name,sename=self.sename,serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
+ self.mylog.log("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange)
+
+ def modify(self, name, sename="", serange=None):
+ try:
@ -656374,7 +656394,7 @@ index 0000000..1cf9681
+ rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
+ RANGE, (rc, serole) = userrec.get(self.sename)
+
+ self.mylog.log_remove("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
+ self.mylog.log_remove("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange)
+
+ def delete(self, name):
+ try:
@ -656560,7 +656580,7 @@ index 0000000..1cf9681
+ def __modify(self, name, roles=[], selevel="", serange=None, prefix=""):
+ oldserole = ""
+ oldserange = ""
+ newroles = ' '.join(roles);
+ newroles = ' '.join(roles)
+ if prefix == "" and len(roles) == 0 and not serange and selevel == "":
+ if is_mls_enabled == 1:
+ raise ValueError(_("Requires prefix, roles, level or range"))
@ -656584,7 +656604,7 @@ index 0000000..1cf9681
+ oldserange = semanage_user_get_mlsrange(u)
+ (rc, rlist) = semanage_user_get_roles(self.sh, u)
+ if rc >= 0:
+ oldserole = ' '.join(rlist);
+ oldserole = ' '.join(rlist)
+
+ if serange:
+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
@ -656698,7 +656718,7 @@ index 0000000..1cf9681
+ if rc < 0:
+ raise ValueError(_("Could not list roles for user %s") % name)
+
+ roles = ' '.join(rlist);
+ roles = ' '.join(rlist)
+ ddict[semanage_user_get_name(u)] = (semanage_user_get_prefix(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
+
+ return ddict
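Review bot: In the dontaudit hunk the new line `rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off")` captures the return code but never checks it, so `self.commit()` on the next line commits the transaction even when libsemanage rejected the change. Every other libsemanage call in this file guards with `if rc < 0: raise ValueError(...)` (see the `semanage_begin_transaction` and `semanage_module_install_file` hunks), and the value is otherwise unused, so the assignment is dead. Add `if rc < 0: raise ValueError(_("Could not set dontaudit"))` between the call and `self.commit()`, keeping the same error-handling style as the rest of the class. The enclosing `def` of this method starts outside the hunk.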


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.4
Release: 7%{?dist}
Release: 8%{?dist}
License: GPLv2
Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases
@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png
Source4: sepolicy-icons.tgz
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
# HEAD https://github.com/fedora-selinux/selinux/commit/b7b250d47a5ae70efc95492cda499ee6a8ae12d8
# HEAD https://github.com/fedora-selinux/selinux/commit/38d05b08329cb56bba1e64a37b9b166f2fa9f85c
Patch: policycoreutils-rhat.patch
Patch1: sepolgen-rhat.patch
Obsoletes: policycoreutils < 2.0.61-2
@ -399,6 +399,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Thu Aug 06 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-8
- Fix multiple python3 issues in sepolgen (#1249388,#1247575,#1247564)
* Mon Jul 27 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-7
- policycoreutils-python3 depends on python-IPy-python3


@ -122,10 +122,10 @@ index cf13210..60ff4e9 100644
else:
role_type = refpolicy.RoleType()
diff --git a/sepolgen-1.2.2/src/sepolgen/audit.py b/sepolgen-1.2.2/src/sepolgen/audit.py
index 56919be..ddad682 100644
index 56919be..1c94daa 100644
--- a/sepolgen-1.2.2/src/sepolgen/audit.py
+++ b/sepolgen-1.2.2/src/sepolgen/audit.py
@@ -17,11 +17,11 @@
@@ -17,11 +17,12 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
@ -136,10 +136,38 @@ index 56919be..ddad682 100644
+from . import refpolicy
+from . import access
+from . import util
# Convenience functions
def get_audit_boot_msgs():
@@ -169,6 +169,7 @@ class AVCMessage(AuditMessage):
@@ -42,6 +43,8 @@ def get_audit_boot_msgs():
boottime = time.strftime("%X", s)
output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
stdout=subprocess.PIPE).communicate()[0]
+ if util.PY3:
+ output = util.decode_input(output)
return output
def get_audit_msgs():
@@ -55,6 +58,8 @@ def get_audit_msgs():
import subprocess
output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
stdout=subprocess.PIPE).communicate()[0]
+ if util.PY3:
+ output = util.decode_input(output)
return output
def get_dmesg_msgs():
@@ -66,6 +71,8 @@ def get_dmesg_msgs():
import subprocess
output = subprocess.Popen(["/bin/dmesg"],
stdout=subprocess.PIPE).communicate()[0]
+ if util.PY3:
+ output = util.decode_input(output)
return output
# Classes representing audit messages
@@ -169,6 +176,7 @@ class AVCMessage(AuditMessage):
self.exe = ""
self.path = ""
self.name = ""
@ -147,7 +175,7 @@ index 56919be..ddad682 100644
self.accesses = []
self.denial = True
self.type = audit2why.TERULE
@@ -230,6 +231,10 @@ class AVCMessage(AuditMessage):
@@ -230,6 +238,10 @@ class AVCMessage(AuditMessage):
self.exe = fields[1][1:-1]
elif fields[0] == "name":
self.name = fields[1][1:-1]
@ -158,7 +186,7 @@ index 56919be..ddad682 100644
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@@ -354,7 +359,9 @@ class AuditParser:
@@ -354,7 +366,9 @@ class AuditParser:
self.path_msgs = []
self.by_header = { }
self.check_input_file = False
@ -169,7 +197,7 @@ index 56919be..ddad682 100644
# Low-level parsing function - tries to determine if this audit
# message is an SELinux related message and then parses it into
# the appropriate AuditMessage subclass. This function deliberately
@@ -430,7 +437,7 @@ class AuditParser:
@@ -430,7 +444,7 @@ class AuditParser:
# Group by audit header
if msg.header != "":
@ -178,7 +206,7 @@ index 56919be..ddad682 100644
self.by_header[msg.header].append(msg)
else:
self.by_header[msg.header] = [msg]
@@ -492,6 +499,60 @@ class AuditParser:
@@ -492,6 +506,68 @@ class AuditParser:
return role_types
@ -201,7 +229,11 @@ index 56919be..ddad682 100644
+ try:
+ output = subprocess.check_output(command,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ shell=True,
+ universal_newlines=True)
+ if util.PY3:
+ output = util.decode_input(output)
+
+ try:
+ ino = int(inode)
+ except ValueError:
@ -218,11 +250,14 @@ index 56919be..ddad682 100644
+ return path
+
+ def __store_base_types(self):
+ import sepolicy
+ self.base_types = sepolicy.get_types_from_attribute("base_file_type")
+ # FIXME: this is a temporary workaround until sepolicy is ported to python 3
+ # import sepolicy
+ # self.base_types = sepolicy.get_types_from_attribute("base_file_type")
+ self.base_types = []
+
+ def __get_base_type(self, tcontext, scontext):
+ import sepolicy
+ # FIXME: uncomment the following code when sepolicy is ported to python 3
+ # import sepolicy
+ # Prevent unnecessary searching
+ if (self.old_scontext == scontext and
+ self.old_tcontext == tcontext):
@ -231,15 +266,16 @@ index 56919be..ddad682 100644
+ self.old_tcontext = tcontext
+ for btype in self.base_types:
+ if btype == tcontext:
+ for writable in sepolicy.get_writable_files(scontext):
+ if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
+ return writable
+ # FIXME: uncomment the following code when sepolicy is ported to python 3
+ # for writable in sepolicy.get_writable_files(scontext):
+ # if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
+ # return writable
+ return 0
+
def to_access(self, avc_filter=None, only_denials=True):
"""Convert the audit logs access into a an access vector set.
@@ -510,16 +571,23 @@ class AuditParser:
@@ -510,16 +586,23 @@ class AuditParser:
audit logs parsed by this object.
"""
av_set = access.AccessVectorSet()
@ -911,7 +947,7 @@ index 88c8a1f..d05d721 100644
self.classes[c] = { }
cur = self.classes[c]
diff --git a/sepolgen-1.2.2/src/sepolgen/output.py b/sepolgen-1.2.2/src/sepolgen/output.py
index 739452d..d8daedb 100644
index 739452d..7a83aee 100644
--- a/sepolgen-1.2.2/src/sepolgen/output.py
+++ b/sepolgen-1.2.2/src/sepolgen/output.py
@@ -27,8 +27,12 @@ generating policy. This keeps the semantic / syntactic issues
@ -929,6 +965,24 @@ index 739452d..d8daedb 100644
class ModuleWriter:
def __init__(self):
@@ -127,7 +131,7 @@ def sort_filter(module):
rules = []
rules.extend(node.avrules())
rules.extend(node.interface_calls())
- rules.sort(rule_cmp)
+ rules.sort(key=util.cmp_to_key(rule_cmp))
cur = None
sep_rules = []
@@ -151,7 +155,7 @@ def sort_filter(module):
ras = []
ras.extend(node.role_types())
- ras.sort(role_type_cmp)
+ ras.sort(key=util.cmp_to_key(role_type_cmp))
if len(ras):
comment = refpolicy.Comment()
comment.lines.append("============= ROLES ==============")
diff --git a/sepolgen-1.2.2/src/sepolgen/policygen.py b/sepolgen-1.2.2/src/sepolgen/policygen.py
index 5f38577..89366df 100644
--- a/sepolgen-1.2.2/src/sepolgen/policygen.py
@ -1256,7 +1310,7 @@ index 8ad64a9..a9bb92d 100644
class Require(Leaf):
def __init__(self, parent=None):
diff --git a/sepolgen-1.2.2/src/sepolgen/util.py b/sepolgen-1.2.2/src/sepolgen/util.py
index 74a11f5..4934bec 100644
index 74a11f5..1fca971 100644
--- a/sepolgen-1.2.2/src/sepolgen/util.py
+++ b/sepolgen-1.2.2/src/sepolgen/util.py
@@ -16,6 +16,19 @@
@ -1279,7 +1333,7 @@ index 74a11f5..4934bec 100644
class ConsoleProgressBar:
def __init__(self, out, steps=100, indicator='#'):
@@ -76,6 +89,51 @@ def first(s, sorted=False):
@@ -76,6 +89,88 @@ def first(s, sorted=False):
for x in s:
return x
@ -1297,6 +1351,20 @@ index 74a11f5..4934bec 100644
+ encoded_text = text.encode('utf-8')
+ return encoded_text
+
+def decode_input(text):
+ import locale
+ """Decode given text via preferred system encoding"""
+ # locale will often find out the correct encoding
+ encoding = locale.getpreferredencoding()
+ try:
+ decoded_text = text.decode(encoding)
+ except UnicodeError:
+ # if it fails to find correct encoding then ascii is used
+ # which may lead to UnicodeError if `text` contains non ascii signs
+ # utf-8 is our guess to fix the situation
+ decoded_text = text.decode('utf-8')
+ return decoded_text
+
+class Comparison():
+ """Class used when implementing rich comparison.
+
@ -1325,6 +1393,29 @@ index 74a11f5..4934bec 100644
+ def __ne__(self, other):
+ return self._compare(other, lambda a, b: a != b)
+
+if sys.version_info < (2,7):
+ # cmp_to_key function is missing in python2.6
+ def cmp_to_key(mycmp):
+ 'Convert a cmp= function into a key= function'
+ class K:
+ def __init__(self, obj, *args):
+ self.obj = obj
+ def __lt__(self, other):
+ return mycmp(self.obj, other.obj) < 0
+ def __gt__(self, other):
+ return mycmp(self.obj, other.obj) > 0
+ def __eq__(self, other):
+ return mycmp(self.obj, other.obj) == 0
+ def __le__(self, other):
+ return mycmp(self.obj, other.obj) <= 0
+ def __ge__(self, other):
+ return mycmp(self.obj, other.obj) >= 0
+ def __ne__(self, other):
+ return mycmp(self.obj, other.obj) != 0
+ return K
+else:
+ from functools import cmp_to_key
+
+def cmp(first, second):
+ return (first > second) - (second > first)
+
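Review bot: The path-lookup hunk passes `universal_newlines=True` to `subprocess.check_output` and then runs `if util.PY3: output = util.decode_input(output)`, which will raise AttributeError on Python 3: with universal_newlines the output is already `str`, and `decode_input` (defined in the util.py hunk) unconditionally calls `text.decode(encoding)`. Either drop `universal_newlines=True` so `decode_input` receives bytes as the ausearch/dmesg callers do, or make `decode_input` tolerant by adding `if isinstance(text, str): return text` as its first statement, which protects all callers. In `decode_input` the `import locale` line sits before the triple-quoted string, turning the intended docstring into a bare expression; move the import below it. The command is also run with `shell=True`; if `command` (built outside the hunk) interpolates fields taken from audit records, it should be passed as an argument list or quoted with `shlex.quote`. The enclosing function starts outside the hunk.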