2008-06-23 11:09:58 +00:00
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py 2008-06-23 07:04:21.000000000 -0400
@@ -295,3 +295,32 @@
perms[av.obj_class] = s
s.update(av.perms)
return perms
+
+class RoleTypeSet:
+ """A non-overlapping set of role type statements.
+
+ This clas allows the incremental addition of role type statements and
+ maintains a non-overlapping list of statements.
+ """
+ def __init__(self):
+ """Initialize an access vector set."""
+ self.role_types = {}
+
+ def __iter__(self):
+ """Iterate over all of the unique role allows statements in the set."""
+ for role_type in self.role_types.values():
+ yield role_type
+
+ def __len__(self):
+ """Return the unique number of role allow statements."""
+ return len(self.roles)
+
+ def add(self, role, type):
+ if self.role_types.has_key(role):
+ role_type = self.role_types[role]
+ else:
+ role_type = refpolicy.RoleType()
+ role_type.role = role
+ self.role_types[role] = role_type
+
+ role_type.types.add(type)
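Review bot: `__len__` returns `len(self.roles)`, but the only attribute `__init__` creates is `self.role_types`, so calling `len()` on a RoleTypeSet raises AttributeError; it should read `return len(self.role_types)`. The `add` parameter `type` shadows the builtin; renaming it (e.g. `type_name`) is safe for positional callers such as `to_role` in audit.py. The docstrings also drifted: "clas" in the class docstring, `__init__` says "access vector set", and `__iter__`/`__len__` speak of "role allow(s) statements" although the set holds role type statements.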
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-06-23 07:05:23.000000000 -0400
@@ -235,20 +235,21 @@
"""
def __init__(self, message):
AuditMessage.__init__(self, message)
- self.type = ""
- self.role = ""
+ self.invalid_context = refpolicy.SecurityContext()
+ self.scontext = refpolicy.SecurityContext()
+ self.tcontext = refpolicy.SecurityContext()
+ self.tclass = ""
def from_split_string(self, recs):
AuditMessage.from_split_string(self, recs)
- dict={}
- for i in recs:
- t = i.split('=')
- if len(t) < 2:
- continue
- dict[t[0]]=t[1]
+ if len(recs) < 10:
+ raise ValueError("Split string does not represent a valid compute sid message")
+
try:
- self.role = refpolicy.SecurityContext(dict["scontext"]).role
- self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+ self.invalid_context = refpolicy.SecurityContext(recs[5])
+ self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1])
+ self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1])
+ self.tclass = recs[9].split("=")[1]
except:
raise ValueError("Split string does not represent a valid compute sid message")
def output(self):
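Review bot: The new `from_split_string` trusts field positions (`recs[5]`, `recs[7]`, `recs[8]`, `recs[9]`) without checking the field names, where the removed code keyed on `scontext=`/`tcontext=`; a record with the fields in another order or with an extra one is silently loaded with the wrong contexts instead of failing, and audit records are input the tool does not control. Verifying the keys before taking the values keeps the failure explicit, e.g. `if not (recs[7].startswith("scontext=") and recs[8].startswith("tcontext=") and recs[9].startswith("tclass=")):` followed by the same `raise ValueError(...)`. The bare `except:` below is pre-existing, but narrowing it to `except (IndexError, ValueError):` preserves the contract without masking unrelated errors. `output` continues past this hunk.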
@@ -405,7 +406,7 @@
self.__post_process()
def to_role(self, role_filter=None):
- """Return list of SELINUX_ERR messages matching the specified filter
+ """Return RoleAllowSet statements matching the specified filter
Filter out types that match the filer, or all roles
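Review bot: The new summary line says `to_role` returns RoleAllowSet statements, but the body in the next hunk builds and returns an `access.RoleTypeSet`, and the Returns paragraph of the same docstring still describes an access vector set of denied accesses. Suggest `"""Return a RoleTypeSet of role/type pairs taken from the compute_sid messages matching the filter` for the summary and a Returns line naming RoleTypeSet. The docstring and the function continue past this hunk.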
@@ -416,13 +417,12 @@
Access vector set representing the denied access in the
audit logs parsed by this object.
"""
- roles = []
- if role_filter:
- for selinux_err in self.compute_sid_msgs:
- if role_filter.filter(selinux_err):
- roles.append(selinux_err)
- return roles
- return self.compute_sid_msgs
+ role_types = access.RoleTypeSet()
+ for cs in self.compute_sid_msgs:
+ if not role_filter or role_filter.filter(cs):
+ role_types.add(cs.invalid_context.role, cs.invalid_context.type)
+
+ return role_types
def to_access(self, avc_filter=None, only_denials=True):
"""Convert the audit logs access into a an access vector set.
@@ -454,7 +454,7 @@
avc.accesses, avc)
return av_set
-class TypeFilter:
+class AVCTypeFilter:
def __init__(self, regex):
self.regex = re.compile(regex)
@@ -465,4 +465,17 @@
return True
return False
+class ComputeSidTypeFilter:
+ def __init__(self, regex):
+ self.regex = re.compile(regex)
+
+ def filter(self, avc):
+ if self.regex.match(avc.invalid_context.type):
+ return True
+ if self.regex.match(avc.scontext.type):
+ return True
+ if self.regex.match(avc.tcontext.type):
+ return True
+ return False
+
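Review bot: `ComputeSidTypeFilter.filter` names its parameter `avc` although it is handed a compute_sid message (it reads `invalid_context`, `scontext` and `tcontext`), and the three identical `if … return True` branches repeat the shape of AVCTypeFilter; with the parameter renamed to `msg` — safe while callers pass it positionally, as `to_role` does — the body can be `return any(self.regex.match(ctx.type) for ctx in (msg.invalid_context, msg.scontext, msg.tcontext))` (Python 2.5+). Like AVCTypeFilter above it the class has no docstring; `"""Filter compute_sid messages whose invalid, source or target context type matches the regex."""` covers it. `regex.match` anchors at the start of the type only, which matches the existing AVCTypeFilter behaviour and is worth stating in that docstring.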
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/output.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py
--- nsasepolgen/src/sepolgen/output.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py 2008-06-23 07:04:31.000000000 -0400
@@ -101,6 +101,8 @@
else:
return id_set_cmp(a.src_types, [b.args[0]])
+def role_type_cmp(a, b):
+ return cmp(a.role, b.role)
def sort_filter(module):
"""Sort and group the output for readability.
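Review bot: `role_type_cmp` has no docstring and its purpose is only visible from the `ras.sort(role_type_cmp)` in the next hunk; add `"""Order RoleType statements by role name for sorted output."""`. If the code base can rely on `list.sort(key=...)`, `ras.sort(key=lambda rt: rt.role)` at the call site would make the helper unnecessary; the sibling `id_set_cmp` visible above follows the same cmp-function convention, so keeping `role_type_cmp` is at least consistent with the file as it stands.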
@@ -146,6 +148,18 @@
c.extend(sep_rules)
+
+ ras = []
+ ras.extend(node.role_types())
+ ras.sort(role_type_cmp)
+ if len(ras):
+ comment = refpolicy.Comment()
+ comment.lines.append("============= ROLES ==============")
+ c.append(comment)
+
+
+ c.extend(ras)
+
# Everything else
for child in node.children:
if child not in c:
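Review bot: `ras = []` / `ras.extend(node.role_types())` / `if len(ras):` spell out what `ras = list(node.role_types())` followed by the existing `ras.sort(role_type_cmp)` and `if ras:` say directly, and the truthiness form matches `if not role_filter` used elsewhere in this patch. The two consecutive added blank lines before `c.extend(ras)` (and the one after it) look accidental. `sort_filter` starts before this hunk.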
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py 2008-06-23 07:04:36.000000000 -0400
@@ -167,6 +167,13 @@
if self.gen_requires:
gen_requires(self.module)
+ def add_role_types(self, role_type_set):
+ for role_type in role_type_set:
+ self.module.children.append(role_type)
+
+ # Generate the requires
+ if self.gen_requires:
+ gen_requires(self.module)
def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
"""Explain why a policy statement was generated.
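Review bot: `add_role_types` appends the RoleType leaves to `self.module.children` without setting their `parent`; RoleTypeSet.add in access.py creates them as `refpolicy.RoleType()`, i.e. with `parent=None`. I cannot see from here whether anything relies on `Leaf.parent`, so confirm; if it does, `role_type.parent = self.module` before the append fixes it. The method also lacks a docstring; `"""Add every RoleType in role_type_set to the module and regenerate the requires block."""` matches the comment already inside it. The `# Generate the requires` block repeats the tail of the method above it; a shared private helper would remove the duplication.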
@@ -334,8 +341,12 @@
# can actually figure those out.
r.types.add(arg)
- r.types.discard("self")
+ for role_type in node.role_types():
+ r.roles.add(role_type.role)
+ r.types.update(role_type.types)
+ r.types.discard("self")
+
node.children.insert(0, r)
# FUTURE - this is untested on modules with any sort of
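Review bot: `r.roles.add(role_type.role)` adds the role unconditionally, and RoleType.__init__ in refpolicy.py initialises `role` to the empty string, so a RoleType whose role was never assigned would put an empty name into the requires block; `if role_type.role:` before the add keeps it out. I cannot see from here whether any producer other than RoleTypeSet leaves `role` unset, so treat the guard as cheap insurance; `r.types.update(role_type.types)` correctly lands before the retained `discard("self")`. The enclosing function starts before this hunk.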
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-06-23 07:05:23.000000000 -0400
@@ -919,7 +919,7 @@
def list_headers(root):
modules = []
support_macros = None
- blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
+ blacklist = ["uml.if", "thunderbird.if"]
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
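Review bot: Neither the old nor the new `blacklist` line says why these interface files are skipped, so the reason init.if and inetd.if may now be read while uml.if and thunderbird.if still may not (presumably the parser fails on them — I cannot confirm from here) is not recorded anywhere; a comment such as `# interface files skipped because refparser cannot handle them yet; re-check as the parser improves` would preserve it. `list_headers` continues past this hunk.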
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py 2008-06-23 07:04:47.000000000 -0400
@@ -122,6 +122,12 @@
def roles(self):
return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self))
+ def role_allows(self):
+ return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self))
+
+ def role_types(self):
+ return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self))
+
def __str__(self):
if self.comment:
return str(self.comment) + "\n" + self.to_string()
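Review bot: `role_allows` and `role_types` carry no docstrings, and like `roles` above they rely on `walktree(self)`, so a reader has to find walktree to learn their scope; `"""Iterate over the RoleAllow statements under this node."""` and `"""Iterate over the RoleType statements under this node."""` would do, assuming walktree yields the subtree rooted at self (confirm against its definition). `itertools.ifilter` is Python 2 only, consistent with the rest of the file.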
@@ -494,6 +500,15 @@
return "allow %s %s;" % (self.src_roles.to_comma_str(),
self.tgt_roles.to_comma_str())
+class RoleType(Leaf):
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
+ self.role = ""
+ self.types = IdSet()
+
+ def to_string(self):
+ return "role %s types %s;" % (self.role, self.types.to_comma_str())
+
class ModuleDeclaration(Leaf):
def __init__(self, parent=None):
Leaf.__init__(self, parent)
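Review bot: `RoleType` has no docstring, and `to_string` emits `role  types ;` when `role` is still the empty string set in `__init__` or `types` is empty, which is a statement with no role name and so nothing downstream can accept. A docstring such as `"""A ``role <role> types <type, ...>;`` statement; role is a role name, types an IdSet of type names, both expected to be set before output."""` records that contract for producers like RoleTypeSet.add. `ModuleDeclaration` begins in this hunk and continues past it.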