diff --git a/.cvsignore b/.cvsignore index fe4380d..1e0aa57 100644 --- a/.cvsignore +++ b/.cvsignore @@ -65,3 +65,4 @@ policycoreutils-1.27.22.tgz policycoreutils-1.27.23.tgz policycoreutils-1.27.26.tgz policycoreutils-1.27.27.tgz +policycoreutils-1.27.28.tgz diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index a361525..c80d69f 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,354 +1,593 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.27/scripts/genhomedircon ---- nsapolicycoreutils/scripts/genhomedircon 2005-09-12 16:33:30.000000000 -0400 -+++ policycoreutils-1.27.27/scripts/genhomedircon 2005-11-14 15:25:45.000000000 -0500 -@@ -15,32 +15,19 @@ - # The file CONTEXTDIR/files/homedir_template exists. This file is used to - # set up the home directory context for each real user. - # --# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses --# the first role in the list. -+# If a user has more than one role, genhomedircon uses the first role in the list. +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.28/audit2allow/audit2allow +--- nsapolicycoreutils/audit2allow/audit2allow 2005-09-12 16:33:30.000000000 -0400 ++++ policycoreutils-1.27.28/audit2allow/audit2allow 2005-11-16 21:48:07.000000000 -0500 +@@ -1,7 +1,12 @@ +-#!/usr/bin/perl +- +-# Adapted from: ++#! /usr/bin/env python ++# Copyright (C) 2005 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# Audit2allow is a rewrite of prior perl script. ++# ++# Based off original audit2allow perl script: which credits + # newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu) ++# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) # --# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user -+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user - # - # "Real" users (as opposed to system users) are those whose UID is greater than - # or equal STARTING_UID (usually 500) and whose login is not a member of --# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users -+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers - # are always "real" (including root, in the default configuration). - # - # --# Old ASSUMPTIONS: --# --# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses --# the first role in the list. --# --# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that --# the user's home dir will be found in one of the HOME_ROOTs. --# --# "Real" users (as opposed to system users) are those whose UID is greater than --# or equal STARTING_UID (usually 500) and whose login is not a member of --# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users --# are always "real" (including root, in the default configuration). --# - - import commands, sys, os, pwd, string, getopt, re -+from semanage import *; - - EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] - -@@ -67,169 +54,6 @@ - starting_uid = 500 - return starting_uid - --############################################################################# --# --# This section is just for backwards compatability --# --############################################################################# --def getPrefixes(): -- ulist = pwd.getpwall() -- STARTING_UID=getStartingUID() -- prefixes = {} -- for u in ulist: -- if u[2] >= STARTING_UID and \ -- not u[6] in EXCLUDE_LOGINS and \ -- u[5] != "/" and \ -- string.count(u[5], "/") > 1: -- prefix = u[5][:string.rfind(u[5], "/")] -- if not prefixes.has_key(prefix): -- prefixes[prefix] = "" -- return prefixes -- --def getUsers(filecontextdir): -- rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir) -- udict = {} -- if rc[0] == 0: -- ulist = rc[1].strip().split("\n") -- for u in ulist: -- user = u.split() -- try: -- if user[1] == "user_u" or user[1] == "system_u": -- continue -- # !!! chooses first role in the list to use in the file context !!! -- role = user[3] -- if role == "{": -- role = user[4] -- role = role.split("_r")[0] -- home = pwd.getpwnam(user[1])[5] -- if home == "/": -- continue -- prefs = {} -- prefs["role"] = role -- prefs["home"] = home -- udict[user[1]] = prefs -- except KeyError: -- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1]) -- return udict -- --def update(filecontext, user, prefs): -- rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) -- if rc[0] == 0: -- print rc[1] -- else: -- errorExit(string.join("grep/sed error ", rc[1])) -- return rc -- --def oldgenhomedircon(filecontextdir, filecontext): -- sys.stderr.write("Using genhomedircon in this fashion is supported for backwards compatability\n") -- sys.stderr.write("Please update to the latest policy\n") -- sys.stderr.flush() -- -- if os.path.isdir(filecontextdir) == 0: -- sys.stderr.write("New usage is the following\n") -- usage() -- #We are going to define home directory used by libuser and show-utils as a home directory root -- prefixes = {} -- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") -- if rc[0] == 0: -- homedir = rc[1].split("=")[1] -- homedir = homedir.split("#")[0] -- homedir = homedir.strip() -- if not prefixes.has_key(homedir): -- prefixes[homedir] = "" -- else: -- #rc[0] == 256 means the file was there, we read it, but the grep didn't match -- if rc[0] != 256: -- sys.stderr.write("%s\n" % rc[1]) -- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") -- sys.stderr.flush() + # This program is free software; you can redistribute it and/or + # modify it under the terms of the GNU General Public License as +@@ -17,148 +22,227 @@ + # along with this program; if not, write to the Free Software + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + # 02111-1307 USA +-# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) - - -- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") -- if rc[0] == 0: -- homedir = rc[1].split("=")[1] -- homedir = homedir.split("#")[0] -- homedir = homedir.strip() -- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir) -- if not prefixes.has_key(homedir): -- prefixes[homedir] = "" -- else: -- if rc[0] != 256: -- sys.stderr.write("%s\n" % rc[1]) -- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n") -- sys.stderr.flush() +-$load_policy_pattern="avc:.*granted.*{.*load_policy.*}"; - -- #the idea is that we need to find all of the home_root_t directories we do this by just accepting -- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd -- #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at -- #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs -- #is then checked to see if it has an explicite context defined in the file_contexts. Explicit -- #is any regex that would match it which does not end with .*$ or .+$ since those are general -- #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against -- #[pattern] -- potential_prefixes = getPrefixes() -- prefix_regex = {} -- #this works by grepping the file_contexts for -- # 1. ^/ makes sure this is not a comment -- # 2. prints only the regex in the first column first cut on \t then on space -- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) ) -- if rc[0] == 0: -- prefix_regex = rc[1].split("\n") -- else: -- sys.stderr.write("%s\n" % rc[1]) -- sys.stderr.write("You do not have access to grep/cut/the file contexts\n") -- sys.stderr.flush() -- for potential in potential_prefixes.keys(): -- addme = 1 -- for regex in prefix_regex: -- #match a trailing (/*)? which is actually a bug in rpc_pipefs -- regex = re.sub("\(/\*\)\?$", "", regex) -- #match a trailing .+ -- regex = re.sub("\.+$", "", regex) -- #match a trailing .* -- regex = re.sub("\.\*$", "", regex) -- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s -- regex = re.sub("\(\/\.\*\)\?", "", regex) -- regex = regex + "/*$" -- if re.search(regex, potential, 0): -- addme = 0 -- if addme == 1: -- if not prefixes.has_key(potential): -- prefixes[potential] = "" +-while ($opt = shift @ARGV) { +- if ($opt eq "-d") { $read_dmesg++; } +- elsif ($opt eq "-v") { $verbose++; } +- elsif ($opt eq "-i") { $input = shift @ARGV; } +- elsif ($opt eq "-o") { $output= shift @ARGV; } +- elsif ($opt eq "-l") { $load_policy++; } +- elsif ($opt eq "--help") { &printUsage; } +- else { print "unknown option, '$opt'\n\n"; &printUsage; } +-} - +-if ($read_dmesg && $input) { +- print "Error, can't read from both dmesg and $input\n\n"; +- &printUsage; +-} - -- if prefixes.__eq__({}): -- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n") -- sys.stderr.write("HOME= not set in /etc/default/useradd\n") -- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n") -- sys.stderr.write("Assuming /home is the root of home directories\n") -- sys.stderr.flush() -- prefixes["/home"] = "" +-if ($read_dmesg) { open (IN, "/bin/dmesg|"); } +-elsif ($input) { open (IN, "$input"); } +-else { open (IN, "-"); } # STDIN - -- # There may be a more elegant sed script to expand a macro to multiple lines, but this works -- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) -- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),) +-if ($output) { open (OUT, ">>$output"); } +-else { open (OUT, ">-"); } # STDOUT - -- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users -- rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext)) -- if rc[0] == 0: -- print rc[1] -- else: -- errorExit(string.join("sed error ", rc[1])) +-if($load_policy){ #store logs after last "load_policy" in @log_buf +- while ($line = ) { +- if($line=~/$load_policy_pattern/) { +- #stored logs are unnecessary +- undef @log_buf; +- } +- else +- { +- push @log_buf,$line; +- } +- } +-} - -- users = getUsers(filecontextdir) -- print "\n#\n# User-specific file contexts\n#\n" -- -- # Fill in HOME and ROLE for users that are defined -- for u in users.keys(): -- update(filecontext, u, users[u]) -- --############################################################################# --# --# End of backwards compatability section --# --############################################################################# -- - def getDefaultHomeDir(): - ret = [] - rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") -@@ -287,6 +111,11 @@ - - class selinuxConfig: - def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1): -+ self.semanageHandle=semanage_handle_create() -+ self.semanaged=semanage_is_managed(self.semanageHandle) -+ if self.semanaged: -+ semanage_connect(self.semanageHandle) -+ (status, self.ulist, self.usize) = semanage_user_list(self.semanageHandle) - self.type=type - self.selinuxdir=selinuxdir +"/" - self.contextdir="/contexts" -@@ -312,48 +141,75 @@ - else: - errorExit(string.join("sed error ", rc[1])) - -- def getUsersFile(self): -- return self.selinuxdir+self.type+"/users/local.users" -- -- def getSystemUsersFile(self): -- return self.selinuxdir+self.type+"/users/system.users" -- - def heading(self): - ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] -- ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile() -+ if self.semanaged: -+ ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n" -+ else: -+ ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers") - return ret - -- def getUsers(self): -- users="" -- rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile()) -- if rc[0] == 0: -- users+=rc[1]+"\n" -- rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile()) -+ def defaultrole(self, name): -+ for idx in range(self.usize): -+ user = semanage_user_by_idx(self.ulist, idx) -+ if semanage_user_get_name(user) == name: -+ role=semanage_user_get_defrole(user) -+ if role=="system_r": -+ # targeted policy -+ return "user_r" -+ else: -+ return role -+ return name -+ def getOldRole(self, role): -+ rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users")) -+ if rc[0] != 0: -+ rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users")) - if rc[0] == 0: -- users+=rc[1] -+ user=rc[1].split() -+ role = user[3] -+ if role == "{": -+ role = user[4] -+ return role -+ -+ def adduser(self, udict, user, seuser, role): -+ try: -+ if seuser == "user_u" or user == "__default__": -+ return -+ # !!! chooses first role in the list to use in the file context !!! -+ if role[-2:] == "_r" or role[-2:] == "_u": -+ role = role[:-2] -+ home = pwd.getpwnam(user)[5] -+ if home == "/": -+ return -+ prefs = {} -+ prefs["role"] = role -+ prefs["home"] = home -+ udict[seuser] = prefs -+ except KeyError: -+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) +-while ($line=&readNewline) { +- next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/); +- @types=split /\ /,$line; +- $info=""; +- $group=""; +- $command=""; +- foreach $i(0..$#types){ +- next if($types[$i]!~/[=\{]/); +- if($types[$i]=~/^\{/){ +- $j=$i+1; +- while($types[$j]!~/\}/){ +- $command.=" $types[$j]"; +- $j++; +- } +- next; +- } +- my($a,$b) = split /=/,$types[$i]; +- +- next if($a eq "pid"); +- next if($a eq "dev"); +- next if($a eq "ino"); ++# ++# ++import commands, sys, os, pwd, string, getopt, re ++class allow: ++ def __init__(self, source, target, seclass): ++ self.source=source ++ self.target=target ++ self.seclass=seclass ++ self.avcinfo={} ++ def add(self, avc): ++ for a in avc[0]: ++ if a not in self.avcinfo.keys(): ++ self.avcinfo[a]=[] + -+ def getUsers(self): - udict = {} -- prefs = {} -- if users != "": -- ulist = users.split("\n") -- for u in ulist: -- user = u.split() -- try: -- if len(user)==0 or user[1] == "user_u" or user[1] == "system_u": -+ if self.semanaged: -+ (status, list, lsize) = semanage_seuser_list(self.semanageHandle) -+ for idx in range(lsize): -+ user=[] -+ seuser = semanage_seuser_by_idx(list, idx) -+ seusername=semanage_seuser_get_sename(seuser) -+ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername)) -+ ++ self.avcinfo[a].append(avc[1:]) ++ ++ def getAccess(self): ++ if len(self.avcinfo.keys()) == 1: ++ for i in self.avcinfo.keys(): ++ return i + else: -+ rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers") -+ if rc[0] == 0 and rc[1] != "": -+ ulist = rc[1].split("\n") -+ for u in ulist: -+ if len(u)==0: - continue -- # !!! chooses first role in the list to use in the file context !!! -- role = user[3] -- if role == "{": -- role = user[4] -- role = role.split("_r")[0] -- home = pwd.getpwnam(user[1])[5] -- if home == "/": -+ user = u.split(":") -+ if len(user) < 3: - continue -- prefs = {} -- prefs["role"] = role -- prefs["home"] = home -- udict[user[1]] = prefs -- except KeyError: -- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1]) -+ role=self.getOldRole(user[1]) -+ self.adduser(udict, user[0], user[1], role) - return udict - - def getHomeDirContext(self, user, home, role): -@@ -362,9 +218,8 @@ - return ret + rc[1] + "\n" - - def getUserContext(self, user, sel_user, role): -- ret="\n\n#\n# Other Context for user %s\n#\n\n" % user - rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user)) -- return ret + rc[1] + "\n" -+ return rc[1] + "\n" - - def genHomeDirContext(self): - users = self.getUsers() -@@ -478,10 +333,6 @@ - if type==None: - type=getSELinuxType(directory) - -- if len(cmds) == 2: -- oldgenhomedircon(cmds[0], cmds[1]) -- sys.exit(0) ++ keys=self.avcinfo.keys() ++ keys.sort() ++ ret="{" ++ for i in keys: ++ ret=ret + " " + i ++ ret=ret+" }" ++ return ret ++ def out(self, verbose=0): ++ ret="" ++ ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess()) ++ if verbose: ++ keys=self.avcinfo.keys() ++ keys.sort() ++ for i in keys: ++ for x in self.avcinfo[i]: ++ ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0] ++ if len(x[1]): ++ ret=ret+"COMM=%s " % x[1] ++ if len(x[2]): ++ ret=ret+"NAME=%s " % x[2] ++ ret=ret + " : " + i ++ return ret ++ def gettarget(self): ++ if self.source == self.target: ++ return "self" ++ else: ++ return self.target + +- if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){ +- if($a ne "tclass"){ +- my($c,$c,$c) = split /:/, $b; +- $b=$c; +- } +- $b=~s/\n//; +- $group.="|$b"; +- next; +- } +- $b=~s/:\[\d+\]//; +- $a=uc $a; +- $info.="$a=$b "; +- } +- +- my($c,$c,$c,$c) = split /\|/, $group; +- $info=~s/\ $c=\S+\ //gi; +- # escape regexp patterns -- +- $info=~s/([^\w])/\\$1/g; +- +- @atypes=split /\ /,$command; +- foreach $i(0..$#atypes){ +- $rules{$group}{$atypes[$i]}++; +- } +- +- $info.=" "; +- if($occur{$group}!~$info){ +- $occur{$group}.="\t#$info: $command\n"; +- } +- else{ +- my ($a,$b) = split /$info:\ /, $occur{$group}; +- my ($temp) = split /\n/, $b; ++class allowRecords: ++ def __init__(self, input, last_reload=0, verbose=0): ++ self.last_reload=last_reload ++ self.allowRules={} ++ line = input.readline() ++ avc=[] ++ found=0 ++ self.seclasses={} ++ self.types=[] ++ self.roles=[] ++ while line: ++ rec=line.split() ++ for i in rec: ++ if i=="avc:" or i=="message=avc:": ++ found=1 ++ else: ++ avc.append(i) ++ if found: ++ self.add(avc) ++ found=0 ++ avc=[] ++ line = input.readline() ++ ++ def add(self,avc): ++ scon="" ++ tcon="" ++ seclass="" ++ comm="" ++ name="" ++ msg="" ++ access=[] ++ if "security_compute_sid" in avc: ++ return ++ ++ if "granted" in avc: ++ if "load_policy" in avc and self.last_reload: ++ self.allowRules={} ++ return ++ for i in range (0, len(avc)): ++ t=avc[i].split('=') ++ if t[0]=="scontext": ++ context=t[1].split(":") ++ scon=context[2] ++ srole=context[1] ++ continue ++ if t[0]=="tcontext": ++ context=t[1].split(":") ++ tcon=context[2] ++ trole=context[1] ++ continue ++ if t[0]=="tclass": ++ seclass=t[1] ++ continue ++ if t[0]=="comm": ++ comm=t[1] ++ continue ++ if t[0]=="name": ++ name=t[1] ++ continue ++ if t[0]=="msg": ++ msg=t[1] ++ continue ++ if avc[i]=="{": ++ i=i+1 ++ while i; +- } +- return $newline; +-} +- +-sub printUsage { +- print "audit2allow [-d] [-v] [-l] [-i ] [-o ] +- -d read input from output of /bin/dmesg +- -v verbose output +- -l read input only after last \"load_policy\" +- -i read input from +- -o append output to \n"; +- exit; +-} +- ++ def out(self, module): ++ rec="" ++ if module!="": ++ rec+=self.module_out(module) ++ for i in self.allowRules.keys(): ++ rec += self.allowRules[i].out(verbose)+"\n" ++ return rec ++ ++def usage(): ++ print 'audit2allow [-d] [-v] [-l] [-i ] [-o ]\n\ ++ -d read input from output of /bin/dmesg\n\ ++ -v verbose output\n\ ++ -l read input only after last \"load_policy\"\n\ ++ -i read input from \n\ ++ -m module output \n\ ++ -o append output to \n' ++ sys.exit(1) ++# ++# This script will generate home dir file context ++# based off the homedir_template file, entries in the password file, and ++# ++try: ++ last_reload=0 ++ input=sys.stdin ++ output=sys.stdout ++ module="" ++ verbose=0 ++ gopts, cmds = getopt.getopt(sys.argv[1:], 'vdo:hli:m:', ['help', ++ 'last_reload=']) ++ for o,a in gopts: ++ if o == '--last_reload' or o == "-l": ++ last_reload=1 ++ if o == "-v": ++ verbose=1 ++ if o == "-i": ++ input=open(a, "r") ++ if o == "-m": ++ module=a ++ if o == '--help': ++ usage() ++ if o == "-d": ++ input=os.popen("/bin/dmesg", "r") ++ if o == "-o": ++ output=open(a, "a") ++ if len(cmds) != 0: ++ usage() ++ out=allowRecords(input, last_reload, verbose) ++ output.write(out.out(module)) ++ ++except getopt.error, error: ++ errorExit(string.join("Options Error ", error)) ++except ValueError, error: ++ errorExit(string.join("ValueError ", error)) ++except IndexError, error: ++ errorExit("IndexError") +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.perl policycoreutils-1.27.28/audit2allow/audit2allow.perl +--- nsapolicycoreutils/audit2allow/audit2allow.perl 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.27.28/audit2allow/audit2allow.perl 2005-11-16 21:45:38.000000000 -0500 +@@ -0,0 +1,164 @@ ++#!/usr/bin/perl ++ ++# Adapted from: ++# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu) ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License as ++# published by the Free Software Foundation; either version 2 of ++# the License, or (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++# 02111-1307 USA ++# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp) ++ ++ ++$load_policy_pattern="avc:.*granted.*{.*load_policy.*}"; ++ ++while ($opt = shift @ARGV) { ++ if ($opt eq "-d") { $read_dmesg++; } ++ elsif ($opt eq "-v") { $verbose++; } ++ elsif ($opt eq "-i") { $input = shift @ARGV; } ++ elsif ($opt eq "-o") { $output= shift @ARGV; } ++ elsif ($opt eq "-l") { $load_policy++; } ++ elsif ($opt eq "--help") { &printUsage; } ++ else { print "unknown option, '$opt'\n\n"; &printUsage; } ++} ++ ++if ($read_dmesg && $input) { ++ print "Error, can't read from both dmesg and $input\n\n"; ++ &printUsage; ++} ++ ++if ($read_dmesg) { open (IN, "/bin/dmesg|"); } ++elsif ($input) { open (IN, "$input"); } ++else { open (IN, "-"); } # STDIN ++ ++if ($output) { open (OUT, ">>$output"); } ++else { open (OUT, ">-"); } # STDOUT ++ ++if($load_policy){ #store logs after last "load_policy" in @log_buf ++ while ($line = ) { ++ if($line=~/$load_policy_pattern/) { ++ #stored logs are unnecessary ++ undef @log_buf; ++ } ++ else ++ { ++ push @log_buf,$line; ++ } ++ } ++} ++ ++while ($line=&readNewline) { ++ next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/); ++ @types=split /\ /,$line; ++ $info=""; ++ $group=""; ++ $command=""; ++ foreach $i(0..$#types){ ++ next if($types[$i]!~/[=\{]/); ++ if($types[$i]=~/^\{/){ ++ $j=$i+1; ++ while($types[$j]!~/\}/){ ++ $command.=" $types[$j]"; ++ $j++; ++ } ++ next; ++ } ++ my($a,$b) = split /=/,$types[$i]; ++ ++ next if($a eq "pid"); ++ next if($a eq "dev"); ++ next if($a eq "ino"); ++ ++ if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){ ++ if($a ne "tclass"){ ++ my($c,$c,$c) = split /:/, $b; ++ $b=$c; ++ } ++ $b=~s/\n//; ++ $group.="|$b"; ++ next; ++ } ++ $b=~s/:\[\d+\]//; ++ $a=uc $a; ++ $info.="$a=$b "; ++ } ++ ++ my($c,$c,$c,$c) = split /\|/, $group; ++ $info=~s/\ $c=\S+\ //gi; ++ # escape regexp patterns -- ++ $info=~s/([^\w])/\\$1/g; ++ ++ @atypes=split /\ /,$command; ++ foreach $i(0..$#atypes){ ++ $rules{$group}{$atypes[$i]}++; ++ } ++ ++ $info.=" "; ++ if($occur{$group}!~$info){ ++ $occur{$group}.="\t#$info: $command\n"; ++ } ++ else{ ++ my ($a,$b) = split /$info:\ /, $occur{$group}; ++ my ($temp) = split /\n/, $b; ++ ++ @com=split /\ /, $command; ++ foreach $i(1..$#com){ ++ $b=" $com[$i]$b" if($temp!~$com[$i]); ++ } ++ $occur{$group}="$a$info: $b"; ++ } ++} ++ ++# done with the input file ++# now generate the rules ++foreach $k (sort keys %rules) ++{ ++ my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k; ++ if ($scontext eq $tcontext) { ++ $tcontext = 'self'; ++ } ++ print OUT "allow $scontext $tcontext:$tclass"; ++ ++ my $access_types = $rules{$k}; ++ $len=(keys %$access_types); ++ if ($len gt 2 ) { print OUT " {"; } ++ foreach $t (sort keys %$access_types) { ++ if ($t ne "") {print OUT " $t";} ++ } ++ if ($len gt 2 ) { print OUT " }"; } ++ print OUT ";\n"; ++ $occur{$k} =~ s/\\(.)/$1/g; # de-escape string ++ print OUT "$occur{$k}\n" if ($verbose); ++} ++ ++exit; ++ ++sub readNewline { ++ if($load_policy){ ++ $newline=shift @log_buf; ++ }else{ ++ $newline=; ++ } ++ return $newline; ++} ++ ++sub printUsage { ++ print "audit2allow [-d] [-v] [-l] [-i ] [-o ] ++ -d read input from output of /bin/dmesg ++ -v verbose output ++ -l read input only after last \"load_policy\" ++ -i read input from ++ -o append output to \n"; ++ exit; ++} ++ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/Makefile policycoreutils-1.27.28/audit2allow/Makefile +--- nsapolicycoreutils/audit2allow/Makefile 2005-09-12 16:33:30.000000000 -0400 ++++ policycoreutils-1.27.28/audit2allow/Makefile 2005-11-16 21:45:38.000000000 -0500 +@@ -10,7 +10,7 @@ + + install: all + -mkdir -p $(BINDIR) +- install -m 755 $(TARGETS) $(BINDIR) ++ install -m 755 $(TARGETS).py $(BINDIR) + -mkdir -p $(MANDIR)/man1 + install -m 644 audit2allow.1 $(MANDIR)/man1/ + +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.28/scripts/genhomedircon +--- nsapolicycoreutils/scripts/genhomedircon 2005-11-16 15:27:46.000000000 -0500 ++++ policycoreutils-1.27.28/scripts/genhomedircon 2005-11-16 21:45:38.000000000 -0500 +@@ -29,7 +29,9 @@ + import commands, sys, os, pwd, string, getopt, re + from semanage import *; + +-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] ++fd=open("/etc/shells", 'r') ++VALID_SHELLS=fd.read().split('\n') ++fd.close() + + def getStartingUID(): + starting_uid = sys.maxint +@@ -272,7 +274,7 @@ + ulist = pwd.getpwall() + for u in ulist: + if u[2] >= starting_uid and \ +- not u[6] in EXCLUDE_LOGINS and \ ++ u[6] in VALID_SHELLS and \ + u[5] != "/" and \ + string.count(u[5], "/") > 1: + homedir = u[5][:string.rfind(u[5], "/")] diff --git a/policycoreutils.spec b/policycoreutils.spec index 10247c0..5c191e0 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,9 +1,9 @@ -%define libsepolver 1.9.39-1 -%define libsemanagever 1.3.53-2 +%define libsepolver 1.9.40-1 +%define libsemanagever 1.3.56-1 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.27.27 -Release: 5 +Version: 1.27.28 +Release: 1 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -88,6 +88,12 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %{_sysconfdir}/sestatus.conf %changelog + +* Wed Nov 16 2005 Dan Walsh 1.27.28-1 +- Update to match NSA + * Merged genhomedircon rewrite from Dan Walsh. +- Rewrite audit2allow to python + * Mon Nov 14 2005 Dan Walsh 1.27.27-5 - Fix genhomedircon to work with non libsemanage systems diff --git a/sources b/sources index f290288..d40219c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -1434688ebb8140e900747448b099e873 policycoreutils-1.27.27.tgz +b07eb927454989b6d4f458a70a38d357 policycoreutils-1.27.28.tgz