policycoreutils/policycoreutils-sepolgen.patch

73 lines
2.6 KiB
Diff
Raw Normal View History

diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
index 1a9a3e5..d56dd92 100644
--- a/sepolgen/src/sepolgen/matching.py
+++ b/sepolgen/src/sepolgen/matching.py
@@ -50,7 +50,7 @@ class Match:
return 1
class MatchList:
- DEFAULT_THRESHOLD = 120
+ DEFAULT_THRESHOLD = 150
def __init__(self):
# Match objects that pass the threshold
self.children = []
@@ -63,14 +63,15 @@ class MatchList:
def best(self):
if len(self.children):
return self.children[0]
- else:
- return None
+ if len(self.bastards):
+ return self.bastards[0]
+ return None
def __len__(self):
# Only return the length of the matches so
# that this can be used to test if there is
# a match.
- return len(self.children)
+ return len(self.children) + len(self.bastards)
def __iter__(self):
return iter(self.children)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 4882999..9dc2d32 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -30,7 +30,11 @@ import access
import interfaces
import matching
import selinux.audit2why as audit2why
-from setools import *
+try:
+ from setools import *
+ alldomains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+except:
+ pass
# Constants for the level of explanation from the generation
# routines
@@ -79,7 +83,6 @@ class PolicyGenerator:
self.dontaudit = False
2012-02-01 13:44:52 +00:00
- self.domains = None
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
2012-02-01 13:44:52 +00:00
@@ -175,13 +178,11 @@ class PolicyGenerator:
if av.type == audit2why.TERULE:
if "write" in av.perms:
if "dir" in av.obj_class or "open" in av.perms:
- if not self.domains:
- self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
types=[]
2012-02-01 13:44:52 +00:00
try:
for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
- if i not in self.domains:
+ if i not in alldomains:
types.append(i)
if len(types) == 1:
rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))