Fix audit2allow output to better align analysys with the allow rules

- Apply Miroslav Grepl patch to clean up sepolicy generate usage
- Apply Miroslav Grepl patch to fix up handling of admin_user generation
- Update Translations
Dan Walsh 2013-03-27 14:00:16 -04:00
parent 8e3bfe0949
commit e9b167e78d
3 changed files with 437 additions and 23 deletions


@ -983,6 +983,189 @@ index e84995e..a60b20e 100644
#: booleans.py:233
msgid "Allow xguest users to mount removable media"
diff --git a/policycoreutils/po/gu.po b/policycoreutils/po/gu.po
index 165b892..074abad 100644
--- a/policycoreutils/po/gu.po
+++ b/policycoreutils/po/gu.po
@@ -5,13 +5,14 @@
# Translators:
# Ankit Patel <ankit@redhat.com>, 2006-2008.
# Sweta Kothari <swkothar@redhat.com>, 2008-2010,2012.
+# <swkothar@redhat.com>, 2013.
msgid ""
msgstr ""
"Project-Id-Version: Policycoreutils\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2013-01-04 12:01-0500\n"
-"PO-Revision-Date: 2013-01-04 17:02+0000\n"
-"Last-Translator: dwalsh <dwalsh@redhat.com>\n"
+"PO-Revision-Date: 2013-03-26 08:31+0000\n"
+"Last-Translator: sweta <swkothar@redhat.com>\n"
"Language-Team: Gujarati <trans-gu@lists.fedoraproject.org>\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
@@ -287,7 +288,7 @@ msgstr "MLS/MCS વિસ્તાર"
#: ../semanage/seobject.py:672
msgid "Service"
-msgstr ""
+msgstr "સેવા"
#: ../semanage/seobject.py:698 ../semanage/seobject.py:729
#: ../semanage/seobject.py:796 ../semanage/seobject.py:853
@@ -424,7 +425,7 @@ msgstr "પ્રકાર જરૂરી છે"
#: ../semanage/seobject.py:1814
#, python-format
msgid "Type %s is invalid, must be a port type"
-msgstr ""
+msgstr "પ્રકાર %s અયોગ્ય છે, પોર્ટ પ્રકાર હોવુ જ જોઇએ"
#: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062
#: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123
@@ -546,12 +547,12 @@ msgstr "અજ્ઞાત અથવા ગેરહાજર પ્રોટો
#: ../semanage/seobject.py:1256
msgid "SELinux node type is required"
-msgstr ""
+msgstr "SELinux નોડ પ્રકારની જરૂરિયાત છે"
#: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327
#, python-format
msgid "Type %s is invalid, must be a node type"
-msgstr ""
+msgstr "પ્રકાર %s અયોગ્ય છે, નોડ પ્રકાર હોવુ જ જોઇએ"
#: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331
#: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465
@@ -785,7 +786,7 @@ msgstr "ફાઇલ સ્પષ્ટીકરણ %s સરખા નિયમ
#: ../semanage/seobject.py:1755
#, python-format
msgid "Type %s is invalid, must be a file or device type"
-msgstr ""
+msgstr "પ્રકાર %s અયોગ્ય છે, ફાઇલ અથવા ઉપકરણ પ્રકાર હોવુ જ જોઇએ"
#: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768
#: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906
@@ -2173,7 +2174,7 @@ msgstr "પેચ કે જેમાં ઉત્પન્ન થયેલ SELi
#: ../sepolicy/sepolicy.py:207
msgid "name of the OS for man pages"
-msgstr ""
+msgstr "મુખ્ય પાનાં માટે OS નું નામ"
#: ../sepolicy/sepolicy.py:209
msgid "Generate HTML man pages structure for selected SELinux man page"
@@ -2225,7 +2226,7 @@ msgstr "બુલિયનની જાણકારીને જોવા મા
#: ../sepolicy/sepolicy.py:280
msgid "get all booleans descriptions"
-msgstr ""
+msgstr "બધા બુલિયન વર્ણનોને મેળવો"
#: ../sepolicy/sepolicy.py:282
msgid "boolean to get description"
@@ -2247,11 +2248,11 @@ msgstr "લક્ષ્ય પ્રક્રિયા ડોમેઇન"
#: ../sepolicy/sepolicy.py:327
msgid "Command required for this type of policy"
-msgstr ""
+msgstr "પોલિસીનાં આ પ્રકાર માટે આદેશ જરૂરી"
#: ../sepolicy/sepolicy.py:347
msgid "List SELinux Policy interfaces"
-msgstr ""
+msgstr "SELinux પોલિસી ઇન્ટરફેસની યાદી કરો"
#: ../sepolicy/sepolicy.py:362
msgid "Generate SELinux Policy module template"
@@ -2289,7 +2290,7 @@ msgstr "પુરાવા માટેના એક્ઝેક્યુટે
#: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417
#, python-format
msgid "Generate Policy for %s"
-msgstr ""
+msgstr "%s માટે પોલિસી ઉત્પન્ન કરો"
#: ../sepolicy/sepolicy.py:422
msgid "commands"
@@ -2301,12 +2302,12 @@ msgstr ""
#: ../sepolicy/sepolicy/__init__.py:48
msgid "No SELinux Policy installed"
-msgstr ""
+msgstr "SELinux પોલિસી સ્થાપિત થયેલ નથી"
#: ../sepolicy/sepolicy/__init__.py:54
#, python-format
msgid "Failed to read %s policy file"
-msgstr ""
+msgstr "%s પોલિસી ફાઇલને વાંચવામાં નિષ્ફળતા"
#: ../sepolicy/sepolicy/__init__.py:127
msgid "unknown"
@@ -2318,7 +2319,7 @@ msgstr "ઇન્ટરનેટ સેવા ડિમન"
#: ../sepolicy/sepolicy/generate.py:177
msgid "Existing Domain Type"
-msgstr ""
+msgstr "હાલનો ડોમેઇન પ્રકાર"
#: ../sepolicy/sepolicy/generate.py:178
msgid "Minimal Terminal Login User Role"
@@ -2330,11 +2331,11 @@ msgstr ""
#: ../sepolicy/sepolicy/generate.py:180
msgid "Desktop Login User Role"
-msgstr ""
+msgstr "ડેસ્કટોપ લૉગિન વપરાશકર્તા ભૂમિકા"
#: ../sepolicy/sepolicy/generate.py:181
msgid "Administrator Login User Role"
-msgstr ""
+msgstr "સંચાલક લૉગિન વપરાશકર્તા ભૂમિકા"
#: ../sepolicy/sepolicy/generate.py:182
msgid "Confined Root Administrator Role"
@@ -2351,7 +2352,7 @@ msgstr "પોર્ટો નંબરો કે 1 થી %d સુધીના
#: ../sepolicy/sepolicy/generate.py:231
msgid "You must enter a valid policy type"
-msgstr ""
+msgstr "તમારે યોગ્ય પોલિસી પ્રકારને દાખલ કરવુ જ જોઇએ"
#: ../sepolicy/sepolicy/generate.py:234
#, python-format
@@ -2415,7 +2416,7 @@ msgstr "ફાઈલ સંદર્ભો ફાઈલ"
#: ../sepolicy/sepolicy/generate.py:1324
msgid "Spec file"
-msgstr ""
+msgstr "Spec ફાઇલ"
#: ../sepolicy/sepolicy/generate.py:1325
msgid "Setup Script"
@@ -2455,7 +2456,7 @@ msgstr "radius સર્વરની મદદથી પ્રવેશવા
#: booleans.py:8
msgid "Allow users to login using a yubikey server"
-msgstr ""
+msgstr "yubikey સર્વરની મદદથી પ્રવેશવા વપરાશકર્તાઓને પરવાનગી આપો"
#: booleans.py:9
msgid "Allow awstats to purge Apache logs"
@@ -2527,11 +2528,11 @@ msgstr "ટર્મિનલોને વાંચવા/લખવાની ક
#: booleans.py:25
msgid "Allow dan to manage user files"
-msgstr ""
+msgstr "વપરાશકર્તા ફાઇલોને સંચાલિત કરવા માટે dan ને પરવાનગી આપો"
#: booleans.py:26
msgid "Allow dan to read user files"
-msgstr ""
+msgstr "વપરાશકર્તા ફાઇલોને વાંચવા માટે dan ને પરવાનગી આપો"
#: booleans.py:27
msgid "Allow dbadm to manage files in users home directories"
diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po
index 72ae12d..649d288 100644
--- a/policycoreutils/po/ja.po
@ -2302,7 +2485,7 @@ index 0000000..3ecf3eb
@@ -0,0 +1 @@
+.so man8/sepolicy-generate.8
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
index 82fea52..29f9428 100644
index 82fea52..c969e0d 100644
--- a/policycoreutils/sepolicy/sepolicy-bash-completion.sh
+++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
@@ -81,7 +81,7 @@ _sepolicy () {
@ -2314,7 +2497,26 @@ index 82fea52..29f9428 100644
[network]='-h --help -d --domain -l --list -p --port -t --type '
[transition]='-h --help -s --source -t --target'
)
@@ -156,6 +156,10 @@ _sepolicy () {
@@ -130,9 +130,6 @@ _sepolicy () {
COMPREPLY=( $( compgen -d -- "$cur") )
compopt -o filenames
return 0
- elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then
- COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") )
- return 0
elif [ "$prev" = "--domain" -o "$prev" = "-d" ]; then
COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") )
return 0
@@ -140,7 +137,7 @@ _sepolicy () {
COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") )
return 0
elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then
- COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") )
+ COMPREPLY=( $(compgen -W "$( __get_all_users )" -- "$cur") )
return 0
elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then
COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
@@ -156,6 +153,10 @@ _sepolicy () {
if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
return 0
@ -2325,6 +2527,20 @@ index 82fea52..29f9428 100644
elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
return 0
elif test "$prev" = "-p" || test "$prev" = "--path" ; then
@@ -167,11 +168,11 @@ _sepolicy () {
return 0
elif [ "$verb" = "network" ]; then
if [ "$prev" = "-t" -o "$prev" = "--type" ]; then
- COMPREPLY=( $(compgen -W "$( __get_all_port_types ) " -- "$cur") )
+ COMPREPLY=( $(compgen -W "$( __get_all_port_types )" -- "$cur") )
return 0
fi
if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
- COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") )
+ COMPREPLY=( $(compgen -W "$( __get_all_domain_types )" -- "$cur") )
return 0
fi
COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index fb84af6..c2fa601 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8
@ -2382,7 +2598,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..1146bb3 100755
index b25d3b2..c353021 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
@ -2452,7 +2668,7 @@ index b25d3b2..1146bb3 100755
newval = getattr(namespace, self.dest)
if not newval:
newval = []
@@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action):
@@ -140,19 +162,30 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None):
@ -2467,6 +2683,18 @@ index b25d3b2..1146bb3 100755
newval.append(value)
setattr(namespace, self.dest, newval)
+def generate_custom_usage(usage_text,usage_dict):
+ sorted_keys = []
+ for i in usage_dict.keys():
+ sorted_keys.append(i)
+ sorted_keys.sort()
+ for k in sorted_keys:
+ usage_text += "%s %s |" % (k,(" ".join(usage_dict[k])))
+ usage_text = usage_text[:-1] + "]"
+ usage_text = _(usage_text)
+
+ return usage_text
+
def _print_net(src, protocol, perm):
- from sepolicy.network import get_network_connect
- portdict = get_network_connect(src, protocol, perm)
@ -2475,7 +2703,7 @@ index b25d3b2..1146bb3 100755
if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm)
for p in portdict:
@@ -160,7 +181,7 @@ def _print_net(src, protocol, perm):
@@ -160,7 +193,7 @@ def _print_net(src, protocol, perm):
print "\t" + recs
def network(args):
@ -2484,7 +2712,7 @@ index b25d3b2..1146bb3 100755
if args.list_ports:
all_ports = []
for i in portrecs:
@@ -201,41 +222,41 @@ def manpage(args):
@@ -201,41 +234,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path
@ -2549,7 +2777,7 @@ index b25d3b2..1146bb3 100755
def gen_network_args(parser):
net = parser.add_parser("network",
@@ -283,7 +304,6 @@ def gen_communicate_args(parser):
@@ -283,7 +316,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate)
def booleans(args):
@ -2557,7 +2785,7 @@ index b25d3b2..1146bb3 100755
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
@@ -300,6 +320,7 @@ def gen_booleans_args(parser):
@@ -300,6 +332,7 @@ def gen_booleans_args(parser):
action="store_true",
help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
@ -2565,7 +2793,7 @@ index b25d3b2..1146bb3 100755
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
@@ -320,7 +341,7 @@ def gen_transition_args(parser):
@@ -320,7 +353,7 @@ def gen_transition_args(parser):
trans.set_defaults(func=transition)
def interface(args):
@ -2574,7 +2802,7 @@ index b25d3b2..1146bb3 100755
if args.list_admin:
for a in get_admin():
print a
@@ -328,13 +349,13 @@ def interface(args):
@@ -328,13 +361,16 @@ def interface(args):
for a in get_user():
print a
if args.list:
@ -2583,14 +2811,37 @@ index b25d3b2..1146bb3 100755
print m
def generate(args):
from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
- from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
+ from sepolicy.generate import policy, AUSER, RUSER, EUSER, USERS, SANDBOX, APPLICATIONS, NEWTYPE
cmd = None
- if args.policytype not in USERS + [ SANDBOX, NEWTYPE]:
+# numbers present POLTYPE defined in sepolicy.generate
+ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER,)}
+
+ if args.policytype in APPLICATIONS:
if not args.command:
raise ValueError(_("Command required for this type of policy"))
cmd = os.path.realpath(args.command)
@@ -368,10 +389,10 @@ def gen_interface_args(parser):
@@ -346,8 +382,18 @@ def generate(args):
mypolicy.set_program(cmd)
if args.types:
+ if args.policytype not in conflict_args['TYPES']:
+ raise ValueError(_("-t option can not be used with this option. Read usage for more details."))
mypolicy.set_types(args.types)
+ if args.domain:
+ if args.policytype not in conflict_args['DOMAIN']:
+ raise ValueError(_("-d option can not be used with this option. Read usage for more details."))
+
+ if args.admin_domain:
+ if args.policytype not in conflict_args['ADMIN_DOMAIN']:
+ raise ValueError(_("-a option can not be used with this option. Read usage for more details."))
+
for p in args.writepaths:
if os.path.isdir(p):
mypolicy.add_dir(p)
@@ -368,10 +414,10 @@ def gen_interface_args(parser):
help=_('List SELinux Policy interfaces'))
group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
@ -2603,7 +2854,105 @@ index b25d3b2..1146bb3 100755
group.add_argument("-l", "--list", dest="list",action="store_true",
default=False,
help="List all interfaces")
@@ -461,7 +482,10 @@ if __name__ == '__main__':
@@ -379,7 +425,12 @@ def gen_interface_args(parser):
def gen_generate_args(parser):
from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
- pol = parser.add_parser("generate",
+
+ generate_usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
+ generate_usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
+ generate_usage = generate_custom_usage(generate_usage, generate_usage_dict)
+
+ pol = parser.add_parser("generate", usage = generate_usage,
help=_('Generate SELinux Policy module template'))
pol.add_argument("-d", "--domain", dest="domain", default=[],
action=CheckDomain, nargs="*",
@@ -397,53 +448,57 @@ def gen_generate_args(parser):
help=argparse.SUPPRESS)
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
action=CheckType,
- help=argparse.SUPPRESS)
+ help="Enter type(s) for which you will generate new definition and rule(s)")
pol.add_argument("-p", "--path", dest="path", default=os.getcwd(),
help=_("path in which the generated policy files will be stored"))
pol.add_argument("-w", "--writepath", dest="writepaths", nargs="*", default = [],
help=_("path to which the confined processes will need to write"))
- pol.add_argument("command",nargs="?", default=None,
- help=_("executable to confine"))
- group = pol.add_mutually_exclusive_group(required=False)
- group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
+ cmdtype = pol.add_argument_group(_("Policy types which require a command"))
+ cmdgroup = cmdtype.add_mutually_exclusive_group(required=True)
+ cmdgroup.add_argument("--application", dest="policytype", const=USER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[NEWTYPE])
- group.add_argument("--admin_user", dest="policytype", const=AUSER,
+ help=_("Generate '%s' policy") % poltype[USER])
+ cmdgroup.add_argument("--cgi", dest="policytype", const=CGI,
action="store_const",
- help=_("Generate Policy for %s") % poltype[AUSER])
- group.add_argument("--application", dest="policytype", const=USER,
+ help=_("Generate '%s' policy") % poltype[CGI])
+ cmdgroup.add_argument("--dbus", dest="policytype", const=DBUS,
action="store_const",
- help=_("Generate Policy for %s") % poltype[USER])
- group.add_argument("--cgi", dest="policytype", const=CGI,
+ help=_("Generate '%s' policy") % poltype[DBUS])
+ cmdgroup.add_argument("--inetd", dest="policytype", const=INETD,
action="store_const",
- help=_("Generate Policy for %s") % poltype[CGI])
+ help=_("Generate '%s' policy") % poltype[INETD])
+ cmdgroup.add_argument("--init", dest="policytype", const=DAEMON,
+ action="store_const", default=DAEMON,
+ help=_("Generate '%s' policy") % poltype[DAEMON])
+
+ type = pol.add_argument_group("Policy types which do not require a command")
+ group = type.add_mutually_exclusive_group(required=True)
+ group.add_argument("--admin_user", dest="policytype", const=AUSER,
+ action="store_const",
+ help=_("Generate '%s' policy") % poltype[AUSER])
group.add_argument("--confined_admin", dest="policytype", const=RUSER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[RUSER])
+ help=_("Generate '%s' policy") % poltype[RUSER])
group.add_argument("--customize", dest="policytype", const=EUSER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[EUSER])
- group.add_argument("--dbus", dest="policytype", const=DBUS,
- action="store_const",
- help=_("Generate Policy for %s") % poltype[DBUS])
+ help=_("Generate '%s' policy") % poltype[EUSER])
group.add_argument("--desktop_user", dest="policytype", const=LUSER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[LUSER])
- group.add_argument("--inetd", dest="policytype", const=INETD,
+ help=_("Generate '%s' policy ") % poltype[LUSER])
+ group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
action="store_const",
- help=_("Generate Policy for %s") % poltype[INETD])
- group.add_argument("--init", dest="policytype", const=DAEMON,
- action="store_const", default=DAEMON,
- help=_("Generate Policy for %s") % poltype[DAEMON])
+ help=_("Generate '%s' policy") % poltype[NEWTYPE])
group.add_argument("--sandbox", dest="policytype", const=SANDBOX,
action="store_const",
- help=_("Generate Policy for %s") % poltype[SANDBOX])
+ help=_("Generate '%s' policy") % poltype[SANDBOX])
group.add_argument("--term_user", dest="policytype", const=TUSER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[TUSER])
+ help=_("Generate '%s' policy") % poltype[TUSER])
group.add_argument("--x_user", dest="policytype", const=XUSER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[XUSER])
+ help=_("Generate '%s' policy") % poltype[XUSER])
+ pol.add_argument("command",nargs="?", default=None,
+ help=_("executable to confine"))
pol.set_defaults(func=generate)
if __name__ == '__main__':
@@ -461,7 +516,10 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
try:
@ -2823,7 +3172,7 @@ index 5e7415c..5267ed9 100644
booleans_dict = None
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..95b3ac0 100644
index 26f8390..c83883f 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError:
@ -2865,7 +3214,30 @@ index 26f8390..95b3ac0 100644
line = "%s(%s_t)\n" % (method, self.name)
else:
line = """
@@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -765,7 +751,7 @@ allow %s_t %s_t:%s_socket name_%s;
return newte
- if self.type == RUSER:
+ if self.type == RUSER or self.type == AUSER:
newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
for app in self.admin_domains:
@@ -875,6 +861,13 @@ allow %s_t %s_t:%s_socket name_%s;
if t.endswith(i):
newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
break
+
+ if NEWTYPE and newte == "":
+ default_ext = []
+ for i in self.DEFAULT_EXT:
+ default_ext.append(i)
+ raise ValueError(_("You need to define a new type which ends with: \n %s") % "\n ".join(default_ext))
+
return newte
def generate_new_rules(self):
@@ -1030,14 +1023,15 @@ allow %s_t %s_t:%s_socket name_%s;
if len(self.DEFAULT_DIRS[d][1]) > 0:
# CGI scripts already have a rw_t
if self.type != CGI or d != "rw":
@ -2883,7 +3255,7 @@ index 26f8390..95b3ac0 100644
newte += self.generate_capabilities()
newte += self.generate_process()
newte += self.generate_network_types()
@@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1048,11 +1042,20 @@ allow %s_t %s_t:%s_socket name_%s;
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
@ -2909,7 +3281,7 @@ index 26f8390..95b3ac0 100644
newte += self.generate_tmp_rules()
newte += self.generate_network_rules()
@@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1079,7 +1082,7 @@ allow %s_t %s_t:%s_socket name_%s;
fclist = []
if self.type in USERS + [ SANDBOX ]:
return executable.fc_user
@ -2918,6 +3290,15 @@ index 26f8390..95b3ac0 100644
raise ValueError(_("You must enter the executable path for your confined process"))
if self.program:
@@ -1123,7 +1126,7 @@ allow %s_t %s_t:%s_socket name_%s;
tmp = re.sub("TEMPLATETYPE", self.name, script.users)
newsh += re.sub("ROLES", roles, tmp)
- if self.type == RUSER:
+ if self.type == RUSER or self.type == AUSER:
for u in self.transition_users:
tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
newsh += re.sub("USER", u, tmp)
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
index 8b063ca..c9036c3 100644
--- a/policycoreutils/sepolicy/sepolicy/interface.py
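Review bot: In the generate.py hunk that adds the empty-result check before `return newte`, the condition `if NEWTYPE and newte == "":` tests the policy-type constant exported by sepolicy.generate rather than the policy being generated, so its first half evaluates the same way on every call. If the intent is to reject a new-type request whose type names match none of the `DEFAULT_EXT` suffixes, the guard should read `if self.type == NEWTYPE and newte == "":`. The enclosing method starts outside the hunk, so whether it can be reached for other policy types cannot be confirmed from this page. The value of `NEWTYPE` is not shown either; if it were 0, the check as written would never fire and the "You need to define a new type" error would be dead code.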


@ -21,24 +21,51 @@ index d636091..56919be 100644
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index cc9f8ea..24062a1 100644
index cc9f8ea..ce643e5 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -172,10 +172,10 @@ class PolicyGenerator:
rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
@@ -161,21 +161,21 @@ class PolicyGenerator:
if self.explain:
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
if av.type == audit2why.ALLOW:
- rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ rule.comment += "\n#!!!! This avc is allowed in the current policy"
if av.type == audit2why.DONTAUDIT:
- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
+ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
+ rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data))
else:
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
if av.type == audit2why.CONSTRAINT:
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
- rule.comment += "#Constraint rule: "
- for reason in av.data:
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
+ rule.comment += "#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
+ for reason in av.data[1:]:
+ rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
+ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
try:
if ( av.type == audit2why.TERULE and
@@ -189,9 +189,9 @@ class PolicyGenerator:
if i not in self.domains:
types.append(i)
if len(types) == 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
elif len(types) >= 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
except:
pass
self.module.children.append(rule)
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index 7b76261..a05d9d1 100644
--- a/sepolgen/src/sepolgen/refparser.py
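Review bot: In the CONSTRAINT branch of the policygen.py hunk, `rule.comment += "#Constraint rule: \n\t" + av.data[0]` puts the constraint text on a fresh line with no leading `#`, and the per-reason strings that follow no longer begin with a newline, so they are appended to that same line. If `rule.comment` is written verbatim into the generated module (the rendering code is outside this page), the constraint expression appears in audit2allow output as policy text rather than as a comment, and the output may no longer compile. Keeping every fragment comment-prefixed avoids this: `rule.comment += "#Constraint rule:\n#\t" + av.data[0]` and, in the loop, `rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason`. The page prints old and new patch lines without markers, so this assumes the second line of each duplicated pair is the new side.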


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
Release: 27%{?dist}
Release: 28%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -309,6 +309,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Wed Mar 27 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-28
- Fix audit2allow output to better align analysys with the allow rules
- Apply Miroslav Grepl patch to clean up sepolicy generate usage
- Apply Miroslav Grepl patch to fixupt handing of admin_user generation
- Update Tranlslations
* Wed Mar 27 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-27
- Allow semanage fcontext -a -t "<<none>>" ... to work