From ec80e1ce63cb1a78824dd6cd5aeeaa0ff884a30d Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Fri, 21 Dec 2007 07:14:11 +0000 Subject: [PATCH] * Fri Dec 21 2007 Dan Walsh 2.0.34-3 - Catch SELINUX_ERR with audit2allow and generate policy --- policycoreutils-rhat.patch | 28 ++++++++++++++++++- policycoreutils-sepolgen.patch | 50 ++++++++++++++++++++++++++++++++++ policycoreutils.spec | 5 +++- 3 files changed, 81 insertions(+), 2 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 2431a2f..9470d88 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.34/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400 -+++ policycoreutils-2.0.34/audit2allow/audit2allow 2007-12-19 06:05:50.000000000 -0500 ++++ policycoreutils-2.0.34/audit2allow/audit2allow 2007-12-21 01:59:57.000000000 -0500 @@ -60,7 +60,9 @@ parser.add_option("-o", "--output", dest="output", help="append output to , conflicts with -M") 
@@ -12,6 +12,32 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po parser.add_option("-v", "--verbose", action="store_true", dest="verbose", default=False, help="explain generated output") parser.add_option("-e", "--explain", action="store_true", dest="explain_long", +@@ -149,9 +151,11 @@ + if self.__options.type: + filter = audit.TypeFilter(self.__options.type) + self.__avs = self.__parser.to_access(filter) ++ self.__selinux_errs = self.__parser.to_role(filter) + else: + self.__avs = self.__parser.to_access() +- ++ self.__selinux_errs = self.__parser.to_role() ++ + def __load_interface_info(self): + # Load interface info file + if self.__options.interface_info: +@@ -251,6 +255,12 @@ + fd = sys.stdout + writer.write(g.get_module(), fd) + ++ if len(self.__selinux_errs) > 0: ++ fd.write("\n=========== ROLES ===============\n") ++ ++ for role in self.__selinux_errs: ++ fd.write(role.output()) ++ + def main(self): + try: + self.__parse_options() diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.34/audit2allow/audit2allow.1 --- nsapolicycoreutils/audit2allow/audit2allow.1 2007-07-16 14:20:41.000000000 -0400 +++ policycoreutils-2.0.34/audit2allow/audit2allow.1 2007-12-19 06:05:50.000000000 -0500 diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index c1611cb..5c5b410 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch 
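Review bot: The banner `fd.write("\n=========== ROLES ===============\n")` in the hunk at 255 goes to the same `fd` that `writer.write(g.get_module(), fd)` just wrote the module to, so whenever `fd` is the `-o` output file rather than `sys.stdout` (where `fd` is chosen is above the hunk) the file gains a line that is not policy syntax in front of the `role ... types ...;` statements; `fd.write("\n# =========== ROLES ===============\n")` keeps the appended output loadable as policy. `if len(self.__selinux_errs) > 0:` is the long form of `if self.__selinux_errs:`. In the hunk at 149, `to_role(filter)` receives the `audit.TypeFilter` built for AVC records; whether its `filter()` accepts the compute-sid messages that `to_role` iterates is not visible here and should be confirmed against `TypeFilter`. Both enclosing methods start and end outside the hunk.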
@@ -1,3 +1,53 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py 2007-09-13 08:21:11.000000000 -0400
++++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py 2007-12-21 02:10:43.000000000 -0500
+@@ -32,7 +32,7 @@
+ string contain all of the audit messages returned by ausearch.
+ """
+ import subprocess
+- output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START"],
++ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
+ stdout=subprocess.PIPE).communicate()[0]
+ return output
+
+@@ -251,7 +251,9 @@
+ self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+ except:
+ raise ValueError("Split string does not represent a valid compute sid message")
+-
++ def output(self):
++ return "role %s types %s;\n" % (self.role, self.type)
++
+ # Parser for audit messages
+
+ class AuditParser:
+@@ -402,6 +404,26 @@
+ self.__parse(l)
+ self.__post_process()
+
++ def to_role(self, role_filter=None):
++ """Return list of SELINUX_ERR messages matching the specified filter
++
++ Filter out types that match the filer, or all roles
++
++ Params:
++ role_filter - [optional] Filter object used to filter the
++ output.
++ Returns:
++ Access vector set representing the denied access in the
++ audit logs parsed by this object.
++ """
++ roles = []
++ if role_filter:
++ for selinux_err in self.compute_sid_msgs:
++ if role_filter.filter(selinux_err):
++ roles.append(selinux_err)
++ return roles
++ return self.compute_sid_msgs
++
+ def to_access(self, avc_filter=None, only_denials=True):
+ """Convert the audit logs access into a an access vector set.
+ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py --- nsasepolgen/src/sepolgen/refparser.py 2007-09-13 08:21:11.000000000 -0400 +++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-20 14:20:49.000000000 -0500 diff --git a/policycoreutils.spec b/policycoreutils.spec index c451a07..e168af1 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.34 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -193,6 +193,9 @@ if [ "$1" -ge "1" ]; then fi %changelog +* Fri Dec 21 2007 Dan Walsh 2.0.34-3 +- Catch SELINUX_ERR with audit2allow and generate policy + * Thu Dec 20 2007 Dan Walsh 2.0.34-2 - Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis
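Review bot: The docstring added for `to_role` in the hunk at 404 documents the wrong contract: its Returns section, copied from `to_access`, says `Access vector set representing the denied access`, while the method returns a list of the parsed compute-sid messages (either `roles` or `self.compute_sid_msgs`), and `filer` is a typo for `filter`; the Returns text should read `List of the parsed compute-sid messages, restricted to those accepted by role_filter when one is given.` The two return paths are also inconsistent: the unfiltered path hands back the parser's internal `self.compute_sid_msgs` list, so a caller that mutates the result alters the parser's state, whereas the filtered path returns a fresh list; `return list(self.compute_sid_msgs)` and `return [m for m in self.compute_sid_msgs if role_filter.filter(m)]` make both paths return a new list. The `output()` added in the hunk at 251 has no docstring; `"""Return this message as a policy statement: role <role> types <type>;"""` states what the format line produces. The class containing `output()` and the `to_access` method both extend beyond the hunk.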