diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py index 649735f..cf13210 100644 --- a/sepolgen/src/sepolgen/access.py +++ b/sepolgen/src/sepolgen/access.py @@ -87,7 +87,7 @@ class AccessVector: self.perms = refpolicy.IdSet() self.audit_msgs = [] self.type = audit2why.TERULE - self.bools = [] + self.data = [] # The direction of the information flow represented by this # access vector - used for matching @@ -256,7 +256,7 @@ class AccessVectorSet: for av in l: self.add_av(AccessVector(av)) - def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]): + def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]): """Add an access vector to the set. """ tgt = self.src.setdefault(src_type, { }) @@ -269,7 +269,7 @@ class AccessVectorSet: access.src_type = src_type access.tgt_type = tgt_type access.obj_class = obj_class - access.bools = bools + access.data = data access.type = avc_type cls[obj_class, avc_type] = access diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py index 9e2ccee..73c60f6 100644 --- a/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/audit.py @@ -173,7 +173,6 @@ class AVCMessage(AuditMessage): self.accesses = [] self.denial = True self.type = audit2why.TERULE - self.bools = [] def __parse_access(self, recs, start): # This is kind of sucky - the access that is in a space separated @@ -241,10 +240,12 @@ class AVCMessage(AuditMessage): tcontext = self.tcontext.to_string() scontext = self.scontext.to_string() access_tuple = tuple( self.accesses) + self.data = [] + if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys(): - self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)] + self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)] else: - self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); + self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); if self.type == audit2why.NOPOLICY: self.type = audit2why.TERULE if self.type == audit2why.BADTCON: @@ -258,7 +259,16 @@ class AVCMessage(AuditMessage): if self.type == audit2why.BADCOMPUTE: raise ValueError("Error during access vector computation") - avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools) + if self.type == audit2why.CONSTRAINT: + self.data = [] + if self.scontext.user != self.tcontext.user: + self.data.append("user") + if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r": + self.data.append("role") + if self.scontext.level != self.tcontext.level: + self.data.append("level") + + avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data) class PolicyLoadMessage(AuditMessage): """Audit message indicating that the policy was reloaded.""" @@ -507,10 +517,10 @@ class AuditParser: if avc_filter: if avc_filter.filter(avc): av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc, avc_type=avc.type, bools=avc.bools) + avc.accesses, avc, avc_type=avc.type, data=avc.data) else: av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc, avc_type=avc.type, bools=avc.bools) + avc.accesses, avc, avc_type=avc.type, data=avc.data) return av_set class AVCTypeFilter: diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py index 1a9a3e5..d56dd92 100644 --- a/sepolgen/src/sepolgen/matching.py +++ b/sepolgen/src/sepolgen/matching.py @@ -50,7 +50,7 @@ class Match: return 1 class MatchList: - DEFAULT_THRESHOLD = 120 + DEFAULT_THRESHOLD = 150 def __init__(self): # Match objects that pass the threshold self.children = [] @@ -63,14 +63,15 @@ class MatchList: def best(self): if len(self.children): return self.children[0] - else: - return None + if len(self.bastards): + return self.bastards[0] + return None def __len__(self): # Only return the length of the matches so # that this can be used to test if there is # a match. - return len(self.children) + return len(self.children) + len(self.bastards) def __iter__(self): return iter(self.children) diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py index c3d665c..cc9f8ea 100644 --- a/sepolgen/src/sepolgen/policygen.py +++ b/sepolgen/src/sepolgen/policygen.py @@ -166,14 +166,16 @@ class PolicyGenerator: rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" if av.type == audit2why.BOOLEAN: - if len(av.bools) > 1: - rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools)) + if len(av.data) > 1: + rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data)) else: - rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0] + rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0] if av.type == audit2why.CONSTRAINT: rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n" rule.comment += "#Constraint rule: " + for reason in av.data: + rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason try: if ( av.type == audit2why.TERULE and diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py index b138e3d..7ce8f9d 100644 --- a/sepolgen/src/sepolgen/refpolicy.py +++ b/sepolgen/src/sepolgen/refpolicy.py @@ -799,7 +799,7 @@ class Require(Leaf): self.types = IdSet() self.obj_classes = { } self.roles = IdSet() - self.bools = IdSet() + self.data = IdSet() self.users = IdSet() def add_obj_class(self, obj_class, perms): @@ -816,7 +816,7 @@ class Require(Leaf): s.append("\tclass %s %s;" % (obj_class, perms.to_space_str())) for role in self.roles: s.append("\trole %s;" % role) - for bool in self.bools: + for bool in self.data: s.append("\tbool %s;" % bool) for user in self.users: s.append("\tuser %s;" % user)