policycoreutils/0028-python-semanage-Improve-handling-of-permissive-state.patch

103 lines
4.1 KiB
Diff
Raw Normal View History

From 0803fcb2c014b2cedf8f4d92b80fc382916477ee Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Fri, 27 Sep 2019 16:13:47 +0200
Subject: [PATCH] python/semanage: Improve handling of "permissive" statements
- Add "customized" method to permissiveRecords which is than used for
"semanage permissive --extract" and "semanage export"
- Enable "semanage permissive --deleteall" (already implemented)
- Add "permissive" to the list of modules exported using
"semanage export"
- Update "semanage permissive" man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/semanage/semanage | 11 ++++++++---
python/semanage/semanage-permissive.8 | 8 +++++++-
python/semanage/seobject.py | 3 +++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/python/semanage/semanage b/python/semanage/semanage
index fa78afce..b2bd9df9 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -722,6 +722,11 @@ def handlePermissive(args):
if args.action == "list":
OBJECT.list(args.noheading)
+ elif args.action == "deleteall":
+ OBJECT.deleteall()
+ elif args.action == "extract":
+ for i in OBJECT.customized():
+ print("permissive %s" % str(i))
elif args.type is not None:
if args.action == "add":
OBJECT.add(args.type)
@@ -737,9 +742,9 @@ def setupPermissiveParser(subparsers):
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
parser_add_add(pgroup, "permissive")
parser_add_delete(pgroup, "permissive")
+ parser_add_deleteall(pgroup, "permissive")
+ parser_add_extract(pgroup, "permissive")
parser_add_list(pgroup, "permissive")
- #TODO: probably should be also added => need to implement own option handling
- #parser_add_deleteall(pgroup)
parser_add_noheading(permissiveParser, "permissive")
parser_add_noreload(permissiveParser, "permissive")
@@ -763,7 +768,7 @@ def setupDontauditParser(subparsers):
def handleExport(args):
- manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey"]
+ manageditems = ["boolean", "login", "interface", "user", "port", "node", "fcontext", "module", "ibendport", "ibpkey", "permissive"]
for i in manageditems:
print("%s -D" % i)
for i in manageditems:
diff --git a/python/semanage/semanage-permissive.8 b/python/semanage/semanage-permissive.8
index 1999a451..5c3364fa 100644
--- a/python/semanage/semanage-permissive.8
+++ b/python/semanage/semanage-permissive.8
@@ -2,7 +2,7 @@
.SH "NAME"
.B semanage\-permissive \- SELinux Policy Management permissive mapping tool
.SH "SYNOPSIS"
-.B semanage permissive [\-h] (\-a | \-d | \-l) [\-n] [\-N] [\-S STORE] [type]
+.B semanage permissive [\-h] [\-n] [\-N] [\-S STORE] (\-\-add TYPE | \-\-delete TYPE | \-\-deleteall | \-\-extract | \-\-list)
.SH "DESCRIPTION"
semanage is used to configure certain elements of SELinux policy without requiring modification to or recompilation from policy sources. semanage permissive adds or removes a SELinux Policy permissive module.
@@ -18,9 +18,15 @@ Add a record of the specified object type
.I \-d, \-\-delete
Delete a record of the specified object type
.TP
+.I \-D, \-\-deleteall
+Remove all local customizations of permissive domains
+.TP
.I \-l, \-\-list
List records of the specified object type
.TP
+.I \-E, \-\-extract
+Extract customizable commands, for use within a transaction
+.TP
.I \-n, \-\-noheading
Do not print heading when listing the specified object type
.TP
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 58497e3b..3959abc8 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -478,6 +478,9 @@ class permissiveRecords(semanageRecords):
l.append(name.split("permissive_")[1])
return l
+ def customized(self):
+ return ["-a %s" % x for x in sorted(self.get_all())]
+
def list(self, heading=1, locallist=0):
all = [y["name"] for y in [x for x in sepolicy.info(sepolicy.TYPE) if x["permissive"]]]
if len(all) == 0:
--
2.21.0