diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.31/audit2allow/audit2allow --- nsapolicycoreutils/audit2allow/audit2allow 2005-11-29 13:43:42.000000000 -0500 +++ policycoreutils-1.27.31/audit2allow/audit2allow 2005-11-30 14:51:35.000000000 -0500 @@ -25,8 +25,9 @@ # # import commands, sys, os, pwd, string, getopt, re, selinux -class allow: - def __init__(self, source, target, seclass): +class serule: + def __init__(self, type, source, target, seclass): + self.type=type self.source=source self.target=target self.seclass=seclass @@ -52,7 +53,7 @@ return ret def out(self, verbose=0): ret="" - ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess()) + ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess()) if verbose: keys=self.avcinfo.keys() keys.sort() 
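Review bot: The new parameter `type` in `serule.__init__` shadows the builtin, and the same bare name is what the new `add_rule` later uses by mistake where it means its `rule_type` argument; naming it consistently here, `def __init__(self, rule_type, source, target, seclass):` with `self.type=rule_type`, keeps the two signatures aligned and avoids the shadowing. The attribute itself can stay `type`, since `out` reads `self.type`. The class body continues outside the hunk.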
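Review bot: `out` now writes `self.type` in front of the rule but keeps the `source target:class perms;` shape for every rule kind, so a rule whose type is `role` — a value the rewritten `load` accepts through VALID_CMDS — would be rendered in allow syntax, which is not the shape of a role statement. Until role output is implemented, a comment above the format string, `# allow/dontaudit/auditallow share this layout; role rules need their own formatting`, would record the limitation for the next reader. The rest of `out` lies outside the hunk.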
@@ -72,38 +73,104 @@ else: return self.target -class allowRecords: - def __init__(self, input, last_reload=0, verbose=0): +class seruleRecords: + def __init__(self, input, last_reload=0, verbose=0, te_ind=0): self.last_reload=last_reload - self.allowRules={} + self.seRules={} self.seclasses={} self.types=[] self.roles=[] - self.load(input) + self.load(input, te_ind) def warning(self, error): sys.stderr.write("%s: " % sys.argv[0]) sys.stderr.write("%s\n" % error) sys.stderr.flush() - def load(self, input): + def load(self, input, te_ind=0): + VALID_CMDS=("allow", "dontaudit", "auditallow", "role") + avc=[] found=0 line = input.readline() - while line: - rec=line.split() - for i in rec: - if i=="avc:" or i=="message=avc:": - found=1 - else: - avc.append(i) - if found: - self.add(avc) - found=0 - avc=[] - line = input.readline() + if te_ind: + while line: + rec=line.split() + if len(rec) and rec[0] in VALID_CMDS: + self.add_terule(line) + line = input.readline() + + else: + while line: + rec=line.split() + for i in rec: + if i=="avc:" or i=="message=avc:": + found=1 + else: + avc.append(i) + if found: + self.add(avc) + found=0 + avc=[] + line = input.readline() + def get_target(self, i, rule): + target=[] + if rule[i][0] == "{": + for t in rule[i].split("{"): + if len(t): + target.append(t) + i=i+1 + for s in rule[i:]: + if s.find("}") >= 0: + for s1 in s.split("}"): + if len(s1): + target.append(s1) + i=i+1 + return (i, target) + + target.append(s) + i=i+1 + else: + if rule[i].find(";") >= 0: + for s1 in rule[i].split(";"): + if len(s1): + target.append(s1) + else: + target.append(rule[i]) + + i=i+1 + return (i, target) + + def rules_split(self, rules): + (idx, target ) = self.get_target(0, rules) + (idx, subject) = self.get_target(idx, rules) + return (target, subject) + + def add_terule(self, rule): + rc = rule.split(":") + rules=rc[0].split() + type=rules[0] + if type == "role": + print type + (sources, targets) = self.rules_split(rules[1:]) + rules=rc[1].split() 
+ (seclasses, access) = self.rules_split(rules) + for scon in sources: + for tcon in targets: + for seclass in seclasses: + self.add_rule(type, scon, tcon, seclass,access) + + def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""): + self.add_seclass(seclass, access) + self.add_type(tcon) + self.add_type(scon) + if (type, scon, tcon, seclass) not in self.seRules.keys(): + self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass) + + self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name )) + def add(self,avc): scon="" tcon="" @@ -117,7 +184,7 @@ if "granted" in avc: if "load_policy" in avc and self.last_reload: - self.allowRules={} + self.seRules={} return try: for i in range (0, len(avc)): @@ -160,16 +227,9 @@ self.warning("Bad AVC Line: %s" % avc) return - self.add_seclass(seclass, access) - self.add_type(tcon) - self.add_type(scon) self.add_role(srole) self.add_role(trole) - - if (scon, tcon, seclass) not in self.allowRules.keys(): - self.allowRules[(scon, tcon, seclass)]=allow(scon, tcon, seclass) - - self.allowRules[(scon, tcon, seclass)].add((access, msg, comm, name )) + self.add_rule("allow", scon, tcon, seclass, access, msg, comm, name) def add_seclass(self,seclass, access): if seclass not in self.seclasses.keys(): @@ -195,17 +255,23 @@ keys=self.seclasses.keys() keys.sort() rec="\n\nrequire {\n" - for i in self.roles: - rec += "\trole %s; \n" % i - rec += "\n\n" + if len(self.roles) > 0: + for i in self.roles: + rec += "\trole %s; \n" % i + rec += "\n" + for i in keys: access=self.seclasses[i] - access.sort() - rec += "\tclass %s { " % i - for a in access: - rec += " %s" % a - rec += " }; \n" - rec += "\n\n" + if len(access) > 1: + access.sort() + rec += "\tclass %s {" % i + for a in access: + rec += " %s" % a + rec += " }; \n" + else: + rec += "\tclass %s %s;\n" % (i, access[0]) + + rec += "\n" for i in self.types: rec += "\ttype %s; \n" % i 
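Review bot: In `add_rule`, the membership test `if (type, scon, tcon, seclass) not in self.seRules.keys():` uses the builtin `type` rather than the `rule_type` parameter, so the tuple is never found, every call replaces the existing `serule` with a fresh one before `add` runs, and the access vectors already collected for that (source, target, class) triple are discarded; the line should be `if (rule_type, scon, tcon, seclass) not in self.seRules:`. The rewritten `add` in the `@@ -160,16 +227,9` hunk routes AVC denials through the same helper, so they collapse to the last denial seen as well. Separately, `add_terule` indexes `rc[1]` after `rule.split(":")`, but a `role` line, which VALID_CMDS admits in `load`, carries no colon and would raise IndexError there, and the `print type` just above looks like leftover debugging output. Whether `add_seclass` expects a single permission string or the list that `rules_split` produces cannot be told from here, because its body is outside the hunk.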
@@ -214,17 +280,19 @@ def out(self, require=0, module=""): rec="" - if len(self.allowRules.keys())==0: + if len(self.seRules.keys())==0: raise(ValueError("No AVC messages found.")) - if module!="": + if module != "": rec += self.gen_module(module) rec += self.gen_requires() else: if requires: rec+=self.gen_requires() - - for i in self.allowRules.keys(): - rec += self.allowRules[i].out(verbose)+"\n" + + keys=self.seRules.keys() + keys.sort() + for i in keys: + rec += self.seRules[i].out(verbose)+"\n" return rec if __name__ == '__main__': @@ -235,8 +303,8 @@ else: return "" - def usage(): - print 'audit2allow [-adhilrv] [-i ] [[-m|-M] ] [-o ]\n\ + def usage(msg=""): + print 'audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i ] [[-m|-M] ] [-o ]\n\ -a, --all read input from audit and message log, conflicts with -i\n\ -d, --dmesg read input from output of /bin/dmesg\n\ -h, --help display this message\n\ @@ -246,8 +314,12 @@ -M generate loadable module package, conflicts with -o\n\ -o, --output append output to , conflicts with -M\n\ -r, --requires generate require output \n\ + -t, --tefile Indicates input is Existing Type Enforcement file\n\ + -f, --fcfile Existing Type Enforcement file, requires -M\n\ -v, --verbose verbose output\n\ ' + if msg != "": + print msg sys.exit(1) def errorExit(error): 
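Review bot: The `raise(ValueError("No AVC messages found."))` kept as context at the top of `out` is now also reached when `-t` feeds a te file that yields no rules, where the wording misleads; `"No AVC messages or rules found."` would cover both inputs. The `if requires:` and `self.seRules[i].out(verbose)` lines in the same hunk refer to names that are not parameters of `out` — its signature declares `require`, not `requires`, and no `verbose` — so they appear to resolve only to the script-level globals assigned under `if __name__ == '__main__'`; `if require:` would at least match the signature, and whether the global lookup is intended cannot be told from the hunk. `out` ends at the `return rec` shown, but the `__main__` block that follows continues past it.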
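Review bot: The new usage line `-f, --fcfile Existing Type Enforcement file, requires -M` describes the wrong kind of file: the value is later forwarded as `semodule_package -f`, and the man-page hunk in this same diff calls it a file context file, so `-f, --fcfile File contexts file to add to the module package, requires -M` would be accurate. The added `if msg != "": print msg` writes the error to stdout together with the help text; `sys.stderr.write("%s\n" % msg)` would keep it apart from normal output and match the `warning` method earlier in the file.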
@@ -270,41 +342,50 @@ buildPP=0 input_ind=0 output_ind=0 + te_ind=0 + + fc_file="" gopts, cmds = getopt.getopt(sys.argv[1:], - 'adhi:lm:M:o:rv', + 'adf:hi:lm:M:o:rtv', ['all', 'dmesg', + 'fcfile=', 'help', 'input=', 'lastreload', 'module=', 'output=', 'requires' + 'tefile', 'verbose' ]) for o,a in gopts: if o == "-a" or o == "--all": - if input_ind: + if input_ind or te_ind: usage() input=open("/var/log/messages", "r") auditlogs=1 if o == "-d" or o == "--dmesg": input=os.popen("/bin/dmesg", "r") + if o == "-f" or o == "--fcfile": + if a[0]=="-": + usage() + fc_file=a if o == "-h" or o == "--help": usage() if o == "-i"or o == "--input": - if auditlogs: + if auditlogs or a[0]=="-": usage() input_ind=1 input=open(a, "r") if o == '--lastreload' or o == "-l": last_reload=1 if o == "-m" or o == "--module": - if module != "": + if module != "" or a[0]=="-": usage() module=a if o == "-M": - if module != "" or output_ind: + if module != "" or output_ind or a[0]=="-": usage() module=a outfile=a+".te" @@ -312,19 +393,30 @@ output=open(outfile, "w") if o == "-r" or o == "--requires": requires=1 + if o == "-t" or o == "--tefile": + if auditlogs: + usage() + te_ind=1 if o == "-o" or o == "--output": - if module != "": + if module != "" or a[0]=="-": usage() output=open(a, "a") output_ind=1 if o == "-v" or o == "--verbose": verbose=1 - if len(cmds) != 0: - usage() - out=allowRecords(input, last_reload, verbose) + + if len(cmds) != 0: + usage() + + if fc_file != "" and not buildPP: + usage("Error %s: Option -fc requires -M" % sys.argv[0]) + + out=seruleRecords(input, last_reload, verbose, te_ind) + if auditlogs: - input=open("/var/log/audit/audit.log", "r") - out.load(input) + input=os.popen("ausearch -m avc") + out.load(input) + if buildPP: print ("Generating type enforcment file: %s.te" % module) output.write(out.out(requires, module)) 
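Review bot: In the long-option list handed to `getopt.getopt`, `'requires'` is followed directly by the new `'tefile',` with no comma between them, so Python concatenates the two literals into one option `requirestefile` and neither `--requires` nor `--tefile` is recognised; the fix is `'requires',` on its own line before `'tefile',`. The new `a[0]=="-"` guards raise IndexError on an empty argument such as `-f ""` instead of printing usage; `a.startswith("-")` (or `a == "" or a[0] == "-"`) handles that case. The `te_ind` conflict check is applied only to `-a`, not to `-d`, so `-t -d` is accepted; that may be deliberate but is worth a comment either way. The option loop continues past the hunk.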
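Review bot: The new error text `usage("Error %s: Option -fc requires -M" % sys.argv[0])` names an option that does not exist; the flag parsed above is `-f`/`--fcfile`, so `"Error %s: Option -f requires -M"` is the correct message. The `-a` path now reads `os.popen("ausearch -m avc")` instead of the audit log; the command string is fixed, so no user argument reaches the shell, but the exit status of `ausearch` is never checked, and a missing or failing `ausearch` yields an empty stream that only surfaces later as the generic "No AVC messages found." error. A comment on that line, `# -a depends on ausearch being installed; its exit status is not checked`, would make the dependency visible. The `__main__` block continues outside the hunk.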
@@ -334,8 +426,13 @@ print "Compiling policy: %s" % cmd rc=commands.getstatusoutput(cmd) if rc[0]==0: - print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module)) - rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module)) + cmd="semodule_package -o %s.pp -m %s.mod" % (module, module) + print cmd + if fc_file != "": + cmd = "%s -f %s" % (cmd, fc_file) + + print "Building package: %s" % cmd + rc=commands.getstatusoutput(cmd) if rc[0]==0: print ("\n******************** IMPORTANT ***********************\n") print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.27.31/audit2allow/audit2allow.1 --- nsapolicycoreutils/audit2allow/audit2allow.1 2005-11-29 13:43:42.000000000 -0500 +++ policycoreutils-1.27.31/audit2allow/audit2allow.1 2005-11-30 14:53:31.000000000 -0500 
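Review bot: The `print cmd` placed right after `cmd="semodule_package -o %s.pp -m %s.mod" % (module, module)` duplicates the later `print "Building package: %s" % cmd` and prints the command before `-f` is appended, so it should be dropped. Both `module` and `fc_file` come straight from command-line arguments into a string executed by `commands.getstatusoutput`, so a path containing spaces or shell metacharacters breaks the packaging step; wrapping each value with `pipes.quote` (which would need `import pipes` in the header) or switching to a list-based `subprocess` call would make the step robust. The `cmd` compiled at the top of the hunk is built outside it and presumably has the same property.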
@@ -33,37 +33,44 @@ .B "\-a" | "\-\-all" Read input from audit and message log, conflicts with -i .TP -.B "\-h" | "\-\-help" -Print a short usage message -.TP .B "\-d" | "\-\-dmesg" Read input from output of .I /bin/dmesg. -Note that audit messages are not available via dmesg when -auditd is running; use -i /var/log/audit/audit.log instead. +Note that all audit messages are not available via dmesg when +auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead. .TP -.B "\-v" | "\-\-verbose" -Turn on verbose output +.B "\-f" | "\-\-fcfile" +Add File Context File to generated Module Package. Requires -M option. +.TP +.B "\-h" | "\-\-help" +Print a short usage message +.TP +.B "\-i " | "\-\-input " +read input from +.I .TP .B "\-l" | "\-\-lastreload" read input only after last policy reload .TP -.B "\-r" | "\-\-requires" -Generate require output syntax for loadable modules. -.TP .B "\-m " | "\-\-module " Generate module/require output .TP .B "\-M " Generate loadable module package, conflicts with -o .TP -.B "\-i " | "\-\-input " -read input from -.I -.TP .B "\-o " | "\-\-output " append output to .I +.TP +.B "\-r" | "\-\-requires" +Generate require output syntax for loadable modules. +.TP +.B "\-t " | "\-\-tefile" +Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. +.TP +.B "\-v" | "\-\-verbose" +Turn on verbose output + .SH DESCRIPTION .PP This utility scans the logs for messages logged when the system denied diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.31/scripts/genhomedircon --- nsapolicycoreutils/scripts/genhomedircon 2005-11-30 13:59:30.000000000 -0500 +++ policycoreutils-1.27.31/scripts/genhomedircon 2005-11-30 14:31:26.000000000 -0500 
@@ -32,6 +32,8 @@ fd=open("/etc/shells", 'r') VALID_SHELLS=fd.read().split('\n') fd.close() +if "/sbin/nologin" in VALID_SHELLS: + VALID_SHELLS.remove("/sbin/nologin") def getStartingUID(): starting_uid = sys.maxint @@ -266,7 +268,7 @@ homedir = u[5][:string.rfind(u[5], "/")] if not homedir in homedirs: if self.checkExists(homedir)==0: - warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0])) + warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0])) else: homedirs.append(homedir) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/Makefile policycoreutils-1.27.31/semodule/Makefile --- nsapolicycoreutils/semodule/Makefile 2005-10-10 09:02:48.000000000 -0400 +++ policycoreutils-1.27.31/semodule/Makefile 2005-11-30 14:31:26.000000000 -0500 @@ -17,6 +17,8 @@ install: all -mkdir -p $(SBINDIR) install -m 755 semodule $(SBINDIR) + test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 + install -m 644 semodule.8 $(MANDIR)/man8/ relabel: diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-1.27.31/semodule/semodule.8 --- nsapolicycoreutils/semodule/semodule.8 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-1.27.31/semodule/semodule.8 2005-11-30 14:31:26.000000000 -0500 
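Review bot: The added `VALID_SHELLS.remove("/sbin/nologin")` strips one exact entry only, so a nologin shell listed under another path in /etc/shells, or listed twice, would still mark its users as login users; filtering by name, `VALID_SHELLS=[s for s in VALID_SHELLS if s and not s.endswith("/nologin")]`, covers those cases and also drops the empty string that `fd.read().split('\n')` leaves from the trailing newline. Whether other nologin paths occur on the systems this targets cannot be told from the hunk.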
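Review bot: The rewritten warning text contains a typo, `directoy`; the line should read `warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))`. The message prints the full `u[5]` path, while the conflict check on the previous line is made on its parent `homedir`, so a reader still has to infer which directory matched; including `homedir` in the message would state it directly. The enclosing method continues outside the hunk.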
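Review bot: The added install lines expand `$(MANDIR)`, but unlike the semodule_expand, semodule_link and semodule_package Makefiles in this same diff, this hunk adds no `MANDIR ?= $(PREFIX)/share/man` default; unless one already exists above the hunk, the variable is empty and the page is installed to `/man8/`. Adding the same default next to `SBINDIR` at the top of the file keeps the four Makefiles consistent. Only the install target is visible here.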
@@ -0,0 +1,53 @@ +.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME +semodule \- Manage SELinux policy modules. + +.SH SYNOPSIS +.B semodule +.br +.SH DESCRIPTION +.PP +semodule is the tool used to manage policy, it can call functions to load/replace the policy in the kernel, as well as setup load_able modules. + +.SH "OPTIONS" +.TP +.B \-R, \-\-reload +reload policy +.TP +.B \-B, \-\-build +build and reload policy +.TP +.B \-i,\-\-install=MODULE_PKG +install a new module +.TP +.B \-u,\-\-upgrade=MODULE_PKG +upgrade existing module +.TP +.B \-b,\-\-base=MODULE_PKG +install new base module +.TP +.B \-r,\-\-remove=MODULE_NAME +remove existing module +.TP +.B \-l,\-\-list-modules +display list of installed modules +.TP +.B \-s,\-\-store +name of the store to operate on +.TP +.B \-n,\-\-noreload +do not reload policy after commit +.TP +.B \-h,\-\-help +prints help message and quit +.TP +.B \-v,\-\-verbose +be verbose reset the policy boolean values to the saved policy settings. + +.SH SEE ALSO +.B load_policy(8), semodule_package(8), semodule_expand(8), semodule_link(8) +(8), +.SH AUTHORS +.nf +This manual page was written by Dan Walsh . +The program was written by Karl MacMillan , Joshua Brindle , Jason Tang diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/Makefile policycoreutils-1.27.31/semodule_expand/Makefile --- nsapolicycoreutils/semodule_expand/Makefile 2005-10-12 15:25:33.000000000 -0400 +++ policycoreutils-1.27.31/semodule_expand/Makefile 2005-11-30 14:31:26.000000000 -0500 @@ -3,6 +3,7 @@ INCLUDEDIR ?= $(PREFIX)/include BINDIR ?= $(PREFIX)/bin LIBDIR ?= ${PREFIX}/lib +MANDIR ?= $(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override CFLAGS += -I$(INCLUDEDIR) 
@@ -15,6 +16,8 @@ install: all -mkdir -p $(BINDIR) install -m 755 semodule_expand $(BINDIR) + test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 + install -m 644 semodule_expand.8 $(MANDIR)/man8/ relabel: diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/semodule_expand.8 policycoreutils-1.27.31/semodule_expand/semodule_expand.8 --- nsapolicycoreutils/semodule_expand/semodule_expand.8 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-1.27.31/semodule_expand/semodule_expand.8 2005-11-30 14:31:26.000000000 -0500 @@ -0,0 +1,26 @@ +.TH SEMODULE_EXPAND "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME +semodule_expand \- Manage SELinux policy modules. + +.SH SYNOPSIS +.B semodule_expand [-V -c [version]] basemodpkg outputfile +.br +.SH DESCRIPTION +.PP +semodule_expand is the tool used to create a policy file from a base policy module. Tool takes to arguments: The name of the base policy package (usually base.pp) and the name of the policy output file (policy.20). + +.SH "OPTIONS" +.TP +.B \-V +verbose mode +.TP +.B \-c [version] +policy version to create + +.SH SEE ALSO +.B load_policy(8), semodule_package(8), semodule(8), semodule_link(8) +(8), +.SH AUTHORS +.nf +This manual page was written by Dan Walsh . +The program was written by Karl MacMillan , Joshua Brindle diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/Makefile policycoreutils-1.27.31/semodule_link/Makefile --- nsapolicycoreutils/semodule_link/Makefile 2005-10-12 15:25:33.000000000 -0400 +++ policycoreutils-1.27.31/semodule_link/Makefile 2005-11-30 14:31:26.000000000 -0500 @@ -2,6 +2,7 @@ PREFIX ?= ${DESTDIR}/usr INCLUDEDIR ?= $(PREFIX)/include BINDIR ?= $(PREFIX)/bin +MANDIR ?= $(PREFIX)/share/man LIBDIR ?= ${PREFIX}/lib CFLAGS ?= -Werror -Wall -W 
@@ -15,6 +16,8 @@ install: all -mkdir -p $(BINDIR) install -m 755 semodule_link $(BINDIR) + test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 + install -m 644 semodule_link.8 $(MANDIR)/man8/ relabel: diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/semodule_link.8 policycoreutils-1.27.31/semodule_link/semodule_link.8 --- nsapolicycoreutils/semodule_link/semodule_link.8 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-1.27.31/semodule_link/semodule_link.8 2005-11-30 14:31:26.000000000 -0500 @@ -0,0 +1,27 @@ +.TH SEMODULE_LINK "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME +semodule_link \- Link a group of modules together with a base module + +.SH SYNOPSIS +.B semodule_link [-V] [-o outfile] basemodpkg modpkg1 [modpkg2]... +.br +.SH DESCRIPTION +.PP +semodule_link is the tool used to create a policy file from a base policy module. and one of more loadable policy modules: The name of the base policy package (usually base.pp) and the name of the policy output file (policy.20). + +.SH "OPTIONS" +.TP +.B \-V +verbose mode +.TP +.B \-o \-\-outfile +Loadable package Output file + + +.SH SEE ALSO +.B load_policy(8), semodule_package(8), semodule(8), semodule_expand(8) +(8), +.SH AUTHORS +.nf +This manual page was written by Dan Walsh . +The program was written by Karl MacMillan diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/Makefile policycoreutils-1.27.31/semodule_package/Makefile --- nsapolicycoreutils/semodule_package/Makefile 2005-10-12 15:25:33.000000000 -0400 +++ policycoreutils-1.27.31/semodule_package/Makefile 2005-11-30 14:31:26.000000000 -0500 @@ -3,6 +3,7 @@ INCLUDEDIR ?= $(PREFIX)/include BINDIR ?= $(PREFIX)/bin LIBDIR ?= ${PREFIX}/lib +MANDIR ?= $(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override CFLAGS += -I$(INCLUDEDIR) 
@@ -15,6 +16,8 @@ install: all -mkdir -p $(BINDIR) install -m 755 semodule_package $(BINDIR) + test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8 + install -m 644 semodule_package.8 $(MANDIR)/man8/ relabel: diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/semodule_package.8 policycoreutils-1.27.31/semodule_package/semodule_package.8 --- nsapolicycoreutils/semodule_package/semodule_package.8 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-1.27.31/semodule_package/semodule_package.8 2005-11-30 14:31:26.000000000 -0500 @@ -0,0 +1,29 @@ +.TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME +semodule_package \- Create loadable policy modules. + +.SH SYNOPSIS +.B semodule_package -o -m [-f ] +.br +.SH DESCRIPTION +.PP +semodule_package is the tool used to create a policy file from a base policy module. Tool takes to arguments: The name of the base policy package (usually base.pp) and the name of the policy output file (policy.20). + +.SH "OPTIONS" +.TP +.B \-o \-\-outfile +Loadable package Output file +.TP +.B \-m \-\-module +Module file (te file) +.TP +.B \-f \-\-fc +Policy File contexts file + +.SH SEE ALSO +.B load_policy(8), semodule(8), semodule_expand(8), semodule_link(8) +(8), +.SH AUTHORS +.nf +This manual page was written by Dan Walsh . +The program was written by Karl MacMillan