rpms/policycoreutils
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
b91e98e2c2
policycoreutils/policycoreutils-sepolgen.patch
Dan Walsh b91e98e2c2 Update to upstream 
policycoreutils-2.1.6
	* sepolgen-ifgen: new attr-helper does something
	* audit2allow: use alternate policy file
	* audit2allow: sepolgen-ifgen use the attr helper
	* setfiles: switch from stat to stat64
	* setfiles: Fix potential crash using dereferenced ftsent
	* setfiles: do not wrap * output at 80 characters
	* sandbox: add -Wall and -Werror to makefile
	* sandbox: add sandbox cgroup support
	* sandbox: rewrite /tmp handling
	* sandbox: do not bind mount so much
	* sandbox: add level based kill option
	* sandbox: cntrl-c should kill entire process control group
	* Create a new preserve_tunables flag in sepol_handle_t.
	* semanage: show running and disk setting for booleans
	* semanage: Dont print heading if no items selected
	* sepolgen: audit2allow is mistakakenly not allowing valid module names
	* semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
	* More files to ignore
	* tree: default make target to all not install
	* sandbox: do not load unused generic init functions
sepolgen-1.1.2
	* src: sepolgen: add attribute storing infrastructure
	* Change perm-map and add open to try to get better results on
	* look for booleans that might solve problems
	* sepolgen: audit2allow is mistakakenly not allowing valid module names
	* tree: default make target to all not install
2011-09-19 07:40:39 -04:00

184 lines
7.7 KiB
Diff
Raw Blame History

diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index 24e308e..e23725f 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -68,6 +68,17 @@ def get_dmesg_msgs():
stdout=subprocess.PIPE).communicate()[0]
return output
+def get_log_msgs():
+ """Obtain all of the avc and policy load messages from /var/log/messages.
+
+ Returns:
+ string contain all of the audit messages returned by /var/log/messages.
+ """
+ import subprocess
+ output = subprocess.Popen(["/bin/grep", "avc", "/var/log/messages"],
+ stdout=subprocess.PIPE).communicate()[0]
+ return output
+
# Classes representing audit messages
class AuditMessage:
@@ -127,6 +138,9 @@ class PathMessage(AuditMessage):
if fields[0] == "path":
self.path = fields[1][1:-1]
return
+import selinux.audit2why as audit2why
+
+avcdict = {}
class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message.
@@ -167,6 +181,8 @@ class AVCMessage(AuditMessage):
self.path = ""
self.accesses = []
self.denial = True
+ self.type = audit2why.TERULE
+ self.bools = []
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
@@ -226,7 +242,31 @@ class AVCMessage(AuditMessage):
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
-
+ self.analyze()
+
+ def analyze(self):
+ tcontext = self.tcontext.to_string()
+ scontext = self.scontext.to_string()
+ access_tuple = tuple( self.accesses)
+ if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
+ self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
+ else:
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ if self.type == audit2why.NOPOLICY:
+ self.type = audit2why.TERULE
+ if self.type == audit2why.BADTCON:
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Source Context %s\n" % scontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Type Class %s\n" % self.tclass)
+ if self.type == audit2why.BADPERM:
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation")
+
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
+
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
def __init__(self, message):
@@ -469,10 +509,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
else:
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
return av_set
class AVCTypeFilter:
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
index 1a9a3e5..d56dd92 100644
--- a/sepolgen/src/sepolgen/matching.py
+++ b/sepolgen/src/sepolgen/matching.py
@@ -50,7 +50,7 @@ class Match:
return 1
class MatchList:
- DEFAULT_THRESHOLD = 120
+ DEFAULT_THRESHOLD = 150
def __init__(self):
# Match objects that pass the threshold
self.children = []
@@ -63,14 +63,15 @@ class MatchList:
def best(self):
if len(self.children):
return self.children[0]
- else:
- return None
+ if len(self.bastards):
+ return self.bastards[0]
+ return None
def __len__(self):
# Only return the length of the matches so
# that this can be used to test if there is
# a match.
- return len(self.children)
+ return len(self.children) + len(self.bastards)
def __iter__(self):
return iter(self.children)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 0e6b502..6ce892c 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -29,6 +29,8 @@ import objectmodel
import access
import interfaces
import matching
+import selinux.audit2why as audit2why
+from setools import *
# Constants for the level of explanation from the generation
# routines
@@ -77,6 +79,7 @@ class PolicyGenerator:
self.dontaudit = False
+ self.domains = None
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -151,8 +154,41 @@ class PolicyGenerator:
rule = refpolicy.AVRule(av)
if self.dontaudit:
rule.rule_type = rule.DONTAUDIT
+ rule.comment = ""
if self.explain:
- rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
+ rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
+ if av.type == audit2why.ALLOW:
+ rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ if av.type == audit2why.DONTAUDIT:
+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
+
+ if av.type == audit2why.BOOLEAN:
+ if len(av.bools) > 1:
+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools))
+ else:
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
+
+ if av.type == audit2why.CONSTRAINT:
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+ rule.comment += "#Constraint rule: "
+
+ if av.type == audit2why.TERULE:
+ if "write" in av.perms:
+ if "dir" in av.obj_class or "open" in av.perms:
+ if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[]
+
+ try:
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ except:
+ pass
self.module.children.append(rule)
Reference in New Issue View Git Blame Copy Permalink