rpms/policycoreutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

*** empty log message ***

Browse Source
This commit is contained in:
Daniel J Walsh 2005-11-17 02:49:32 +00:00
parent a95038d775
commit 15d8551a97
4 changed files with 593 additions and 347 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.cvsignore
View File

@ -65,3 +65,4 @@ policycoreutils-1.27.22.tgz
policycoreutils-1.27.23.tgz policycoreutils-1.27.23.tgz
policycoreutils-1.27.26.tgz policycoreutils-1.27.26.tgz
policycoreutils-1.27.27.tgz policycoreutils-1.27.27.tgz
policycoreutils-1.27.28.tgz

923
policycoreutils-rhat.patch
View File

@ -1,354 +1,593 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.27/scripts/genhomedircon diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.28/audit2allow/audit2allow
--- nsapolicycoreutils/scripts/genhomedircon 2005-09-12 16:33:30.000000000 -0400 --- nsapolicycoreutils/audit2allow/audit2allow 2005-09-12 16:33:30.000000000 -0400
+++ policycoreutils-1.27.27/scripts/genhomedircon 2005-11-14 15:25:45.000000000 -0500 +++ policycoreutils-1.27.28/audit2allow/audit2allow 2005-11-16 21:48:07.000000000 -0500
@@ -15,32 +15,19 @@ @@ -1,7 +1,12 @@
# The file CONTEXTDIR/files/homedir_template exists. This file is used to -#!/usr/bin/perl
# set up the home directory context for each real user. -
# -# Adapted from:
-# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses +#! /usr/bin/env python
-# the first role in the list. +# Copyright (C) 2005 Red Hat
+# If a user has more than one role, genhomedircon uses the first role in the list. +# see file 'COPYING' for use and warranty information
+#
+# Audit2allow is a rewrite of prior perl script.
+#
+# Based off original audit2allow perl script: which credits
# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu)
+# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp)
# #
-# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user # This program is free software; you can redistribute it and/or
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user # modify it under the terms of the GNU General Public License as
# @@ -17,148 +22,227 @@
# "Real" users (as opposed to system users) are those whose UID is greater than # along with this program; if not, write to the Free Software
# or equal STARTING_UID (usually 500) and whose login is not a member of # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
-# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users # 02111-1307 USA
+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers -# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp)
# are always "real" (including root, in the default configuration).
#
#
-# Old ASSUMPTIONS:
-#
-# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
-# the first role in the list.
-#
-# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
-# the user's home dir will be found in one of the HOME_ROOTs.
-#
-# "Real" users (as opposed to system users) are those whose UID is greater than
-# or equal STARTING_UID (usually 500) and whose login is not a member of
-# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users
-# are always "real" (including root, in the default configuration).
-#
import commands, sys, os, pwd, string, getopt, re
+from semanage import *;
EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
@@ -67,169 +54,6 @@
starting_uid = 500
return starting_uid
-#############################################################################
-#
-# This section is just for backwards compatability
-#
-#############################################################################
-def getPrefixes():
- ulist = pwd.getpwall()
- STARTING_UID=getStartingUID()
- prefixes = {}
- for u in ulist:
- if u[2] >= STARTING_UID and \
- not u[6] in EXCLUDE_LOGINS and \
- u[5] != "/" and \
- string.count(u[5], "/") > 1:
- prefix = u[5][:string.rfind(u[5], "/")]
- if not prefixes.has_key(prefix):
- prefixes[prefix] = ""
- return prefixes
-
-def getUsers(filecontextdir):
- rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
- udict = {}
- if rc[0] == 0:
- ulist = rc[1].strip().split("\n")
- for u in ulist:
- user = u.split()
- try:
- if user[1] == "user_u" or user[1] == "system_u":
- continue
- # !!! chooses first role in the list to use in the file context !!!
- role = user[3]
- if role == "{":
- role = user[4]
- role = role.split("_r")[0]
- home = pwd.getpwnam(user[1])[5]
- if home == "/":
- continue
- prefs = {}
- prefs["role"] = role
- prefs["home"] = home
- udict[user[1]] = prefs
- except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
- return udict
-
-def update(filecontext, user, prefs):
- rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
- if rc[0] == 0:
- print rc[1]
- else:
- errorExit(string.join("grep/sed error ", rc[1]))
- return rc
-
-def oldgenhomedircon(filecontextdir, filecontext):
- sys.stderr.write("Using genhomedircon in this fashion is supported for backwards compatability\n")
- sys.stderr.write("Please update to the latest policy\n")
- sys.stderr.flush()
-
- if os.path.isdir(filecontextdir) == 0:
- sys.stderr.write("New usage is the following\n")
- usage()
- #We are going to define home directory used by libuser and show-utils as a home directory root
- prefixes = {}
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
- -
- -
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") -$load_policy_pattern="avc:.*granted.*{.*load_policy.*}";
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
- else:
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
- sys.stderr.flush()
- -
- #the idea is that we need to find all of the home_root_t directories we do this by just accepting -while ($opt = shift @ARGV) {
- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd - if ($opt eq "-d") { $read_dmesg++; }
- #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at - elsif ($opt eq "-v") { $verbose++; }
- #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs - elsif ($opt eq "-i") { $input = shift @ARGV; }
- #is then checked to see if it has an explicite context defined in the file_contexts. Explicit - elsif ($opt eq "-o") { $output= shift @ARGV; }
- #is any regex that would match it which does not end with .*$ or .+$ since those are general - elsif ($opt eq "-l") { $load_policy++; }
- #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against - elsif ($opt eq "--help") { &printUsage; }
- #[pattern] - else { print "unknown option, '$opt'\n\n"; &printUsage; }
- potential_prefixes = getPrefixes() -}
- prefix_regex = {}
- #this works by grepping the file_contexts for
- # 1. ^/ makes sure this is not a comment
- # 2. prints only the regex in the first column first cut on \t then on space
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
- if rc[0] == 0:
- prefix_regex = rc[1].split("\n")
- else:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
- sys.stderr.flush()
- for potential in potential_prefixes.keys():
- addme = 1
- for regex in prefix_regex:
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
- regex = re.sub("\(/\*\)\?$", "", regex)
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- #match a trailing .*
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex, potential, 0):
- addme = 0
- if addme == 1:
- if not prefixes.has_key(potential):
- prefixes[potential] = ""
- -
-if ($read_dmesg && $input) {
- print "Error, can't read from both dmesg and $input\n\n";
- &printUsage;
-}
- -
- if prefixes.__eq__({}): -if ($read_dmesg) { open (IN, "/bin/dmesg|"); }
- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n") -elsif ($input) { open (IN, "$input"); }
- sys.stderr.write("HOME= not set in /etc/default/useradd\n") -else { open (IN, "-"); } # STDIN
- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
- sys.stderr.write("Assuming /home is the root of home directories\n")
- sys.stderr.flush()
- prefixes["/home"] = ""
- -
- # There may be a more elegant sed script to expand a macro to multiple lines, but this works -if ($output) { open (OUT, ">>$output"); }
- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) -else { open (OUT, ">-"); } # STDOUT
- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
- -
- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users -if($load_policy){ #store logs after last "load_policy" in @log_buf
- rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext)) - while ($line = <IN>) {
- if rc[0] == 0: - if($line=~/$load_policy_pattern/) {
- print rc[1] - #stored logs are unnecessary
- else: - undef @log_buf;
- errorExit(string.join("sed error ", rc[1])) - }
- else
- {
- push @log_buf,$line;
- }
- }
-}
- -
- users = getUsers(filecontextdir) -while ($line=&readNewline) {
- print "\n#\n# User-specific file contexts\n#\n" - next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/);
- - @types=split /\ /,$line;
- # Fill in HOME and ROLE for users that are defined - $info="";
- for u in users.keys(): - $group="";
- update(filecontext, u, users[u]) - $command="";
- - foreach $i(0..$#types){
-############################################################################# - next if($types[$i]!~/[=\{]/);
-# - if($types[$i]=~/^\{/){
-# End of backwards compatability section - $j=$i+1;
-# - while($types[$j]!~/\}/){
-############################################################################# - $command.=" $types[$j]";
- - $j++;
def getDefaultHomeDir(): - }
ret = [] - next;
rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") - }
@@ -287,6 +111,11 @@ - my($a,$b) = split /=/,$types[$i];
-
class selinuxConfig: - next if($a eq "pid");
def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1): - next if($a eq "dev");
+ self.semanageHandle=semanage_handle_create() - next if($a eq "ino");
+ self.semanaged=semanage_is_managed(self.semanageHandle) +#
+ if self.semanaged: +#
+ semanage_connect(self.semanageHandle) +import commands, sys, os, pwd, string, getopt, re
+ (status, self.ulist, self.usize) = semanage_user_list(self.semanageHandle) +class allow:
self.type=type + def __init__(self, source, target, seclass):
self.selinuxdir=selinuxdir +"/" + self.source=source
self.contextdir="/contexts" + self.target=target
@@ -312,48 +141,75 @@ + self.seclass=seclass
else: + self.avcinfo={}
errorExit(string.join("sed error ", rc[1])) + def add(self, avc):
+ for a in avc[0]:
- def getUsersFile(self): + if a not in self.avcinfo.keys():
- return self.selinuxdir+self.type+"/users/local.users" + self.avcinfo[a]=[]
-
- def getSystemUsersFile(self):
- return self.selinuxdir+self.type+"/users/system.users"
-
def heading(self):
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
- ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
+ if self.semanaged:
+ ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n"
+ else:
+ ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
return ret
- def getUsers(self):
- users=""
- rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
- if rc[0] == 0:
- users+=rc[1]+"\n"
- rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
+ def defaultrole(self, name):
+ for idx in range(self.usize):
+ user = semanage_user_by_idx(self.ulist, idx)
+ if semanage_user_get_name(user) == name:
+ role=semanage_user_get_defrole(user)
+ if role=="system_r":
+ # targeted policy
+ return "user_r"
+ else:
+ return role
+ return name
+ def getOldRole(self, role):
+ rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users"))
+ if rc[0] != 0:
+ rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users"))
if rc[0] == 0:
- users+=rc[1]
+ user=rc[1].split()
+ role = user[3]
+ if role == "{":
+ role = user[4]
+ return role
+
+ def adduser(self, udict, user, seuser, role):
+ try:
+ if seuser == "user_u" or user == "__default__":
+ return
+ # !!! chooses first role in the list to use in the file context !!!
+ if role[-2:] == "_r" or role[-2:] == "_u":
+ role = role[:-2]
+ home = pwd.getpwnam(user)[5]
+ if home == "/":
+ return
+ prefs = {}
+ prefs["role"] = role
+ prefs["home"] = home
+ udict[seuser] = prefs
+ except KeyError:
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
+ +
+ def getUsers(self): + self.avcinfo[a].append(avc[1:])
udict = {} +
- prefs = {} + def getAccess(self):
- if users != "": + if len(self.avcinfo.keys()) == 1:
- ulist = users.split("\n") + for i in self.avcinfo.keys():
- for u in ulist: + return i
- user = u.split()
- try:
- if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
+ if self.semanaged:
+ (status, list, lsize) = semanage_seuser_list(self.semanageHandle)
+ for idx in range(lsize):
+ user=[]
+ seuser = semanage_seuser_by_idx(list, idx)
+ seusername=semanage_seuser_get_sename(seuser)
+ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
+
+ else: + else:
+ rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers") + keys=self.avcinfo.keys()
+ if rc[0] == 0 and rc[1] != "": + keys.sort()
+ ulist = rc[1].split("\n") + ret="{"
+ for u in ulist: + for i in keys:
+ if len(u)==0: + ret=ret + " " + i
continue + ret=ret+" }"
- # !!! chooses first role in the list to use in the file context !!! + return ret
- role = user[3] + def out(self, verbose=0):
- if role == "{": + ret=""
- role = user[4] + ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess())
- role = role.split("_r")[0] + if verbose:
- home = pwd.getpwnam(user[1])[5] + keys=self.avcinfo.keys()
- if home == "/": + keys.sort()
+ user = u.split(":") + for i in keys:
+ if len(user) < 3: + for x in self.avcinfo[i]:
continue + ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0]
- prefs = {} + if len(x[1]):
- prefs["role"] = role + ret=ret+"COMM=%s " % x[1]
- prefs["home"] = home + if len(x[2]):
- udict[user[1]] = prefs + ret=ret+"NAME=%s " % x[2]
- except KeyError: + ret=ret + " : " + i
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1]) + return ret
+ role=self.getOldRole(user[1]) + def gettarget(self):
+ self.adduser(udict, user[0], user[1], role) + if self.source == self.target:
return udict + return "self"
+ else:
def getHomeDirContext(self, user, home, role): + return self.target
@@ -362,9 +218,8 @@
return ret + rc[1] + "\n" - if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){
- if($a ne "tclass"){
def getUserContext(self, user, sel_user, role): - my($c,$c,$c) = split /:/, $b;
- ret="\n\n#\n# Other Context for user %s\n#\n\n" % user - $b=$c;
rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user)) - }
- return ret + rc[1] + "\n" - $b=~s/\n//;
+ return rc[1] + "\n" - $group.="|$b";
- next;
def genHomeDirContext(self): - }
users = self.getUsers() - $b=~s/:\[\d+\]//;
@@ -478,10 +333,6 @@ - $a=uc $a;
if type==None: - $info.="$a=$b ";
type=getSELinuxType(directory) - }
-
- if len(cmds) == 2: - my($c,$c,$c,$c) = split /\|/, $group;
- oldgenhomedircon(cmds[0], cmds[1]) - $info=~s/\ $c=\S+\ //gi;
- sys.exit(0) - # escape regexp patterns --<g>
- $info=~s/([^\w])/\\$1/g;
-
- @atypes=split /\ /,$command;
- foreach $i(0..$#atypes){
- $rules{$group}{$atypes[$i]}++;
- }
-
- $info.=" ";
- if($occur{$group}!~$info){
- $occur{$group}.="\t#$info: $command\n";
- }
- else{
- my ($a,$b) = split /$info:\ /, $occur{$group};
- my ($temp) = split /\n/, $b;
+class allowRecords:
+ def __init__(self, input, last_reload=0, verbose=0):
+ self.last_reload=last_reload
+ self.allowRules={}
+ line = input.readline()
+ avc=[]
+ found=0
+ self.seclasses={}
+ self.types=[]
+ self.roles=[]
+ while line:
+ rec=line.split()
+ for i in rec:
+ if i=="avc:" or i=="message=avc:":
+ found=1
+ else:
+ avc.append(i)
+ if found:
+ self.add(avc)
+ found=0
+ avc=[]
+ line = input.readline()
+
+ def add(self,avc):
+ scon=""
+ tcon=""
+ seclass=""
+ comm=""
+ name=""
+ msg=""
+ access=[]
+ if "security_compute_sid" in avc:
+ return
+
+ if "granted" in avc:
+ if "load_policy" in avc and self.last_reload:
+ self.allowRules={}
+ return
+ for i in range (0, len(avc)):
+ t=avc[i].split('=')
+ if t[0]=="scontext":
+ context=t[1].split(":")
+ scon=context[2]
+ srole=context[1]
+ continue
+ if t[0]=="tcontext":
+ context=t[1].split(":")
+ tcon=context[2]
+ trole=context[1]
+ continue
+ if t[0]=="tclass":
+ seclass=t[1]
+ continue
+ if t[0]=="comm":
+ comm=t[1]
+ continue
+ if t[0]=="name":
+ name=t[1]
+ continue
+ if t[0]=="msg":
+ msg=t[1]
+ continue
+ if avc[i]=="{":
+ i=i+1
+ while i<len(avc) and avc[i] != "}":
+ access.append(avc[i])
+ i=i+1
+ if scon=="" or tcon =="" or seclass=="":
+ return
+
+ self.add_seclass(seclass, access)
+ self.add_type(tcon)
+ self.add_type(scon)
+ self.add_role(srole)
+ self.add_role(trole)
+
+ if (scon, tcon, seclass) not in self.allowRules.keys():
+ self.allowRules[(scon, tcon, seclass)]=allow(scon, tcon, seclass)
+
+ self.allowRules[(scon, tcon, seclass)].add((access, msg, comm, name ))
+
+ def add_seclass(self,seclass, access):
+ if seclass not in self.seclasses.keys():
+ self.seclasses[seclass]=[]
+ for a in access:
+ if a not in self.seclasses[seclass]:
+ self.seclasses[seclass].append(a)
+
+ def add_role(self,role):
+ if role not in self.roles:
+ self.roles.append(role)
+
+ def add_type(self,type):
+ if type not in self.types:
+ self.types.append(type)
+
+ def module_out(self, module):
+ self.roles.sort()
+ self.types.sort()
+ keys=self.seclasses.keys()
+ keys.sort()
+ rec="module %s 1.0;" % module
+ rec+="\n\nrequire {\n"
+ for i in self.roles:
+ rec += "\trole %s; \n" % i
+ rec += "\n\n"
+ for i in keys:
+ access=self.seclasses[i]
+ access.sort()
+ rec+="\tclass %s { " % i
+ for a in access:
+ rec+=" %s" % a
+ rec+=" }; \n"
+ rec += "\n\n"
+
+ for i in self.types:
+ rec += "\ttype %s; \n" % i
+ rec += " };\n\n\n"
+ return rec
- @com=split /\ /, $command;
- foreach $i(1..$#com){
- $b=" $com[$i]$b" if($temp!~$com[$i]);
- }
- $occur{$group}="$a$info: $b";
- }
-}
- -
if len(cmds) != 0: -# done with the input file
usage() -# now generate the rules
selconf=selinuxConfig(directory, type, usepwd) -foreach $k (sort keys %rules)
-{
- my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k;
- if ($scontext eq $tcontext) {
- $tcontext = 'self';
- }
- print OUT "allow $scontext $tcontext:$tclass";
-
- my $access_types = $rules{$k};
- $len=(keys %$access_types);
- if ($len gt 2 ) { print OUT " {"; }
- foreach $t (sort keys %$access_types) {
- if ($t ne "") {print OUT " $t";}
- }
- if ($len gt 2 ) { print OUT " }"; }
- print OUT ";\n";
- $occur{$k} =~ s/\\(.)/$1/g; # de-escape string
- print OUT "$occur{$k}\n" if ($verbose);
-}
-
-exit;
-
-sub readNewline {
- if($load_policy){
- $newline=shift @log_buf;
- }else{
- $newline=<IN>;
- }
- return $newline;
-}
-
-sub printUsage {
- print "audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]
- -d read input from output of /bin/dmesg
- -v verbose output
- -l read input only after last \"load_policy\"
- -i read input from <inputfile>
- -o append output to <outputfile>\n";
- exit;
-}
-
+ def out(self, module):
+ rec=""
+ if module!="":
+ rec+=self.module_out(module)
+ for i in self.allowRules.keys():
+ rec += self.allowRules[i].out(verbose)+"\n"
+ return rec
+
+def usage():
+ print 'audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]\n\
+ -d read input from output of /bin/dmesg\n\
+ -v verbose output\n\
+ -l read input only after last \"load_policy\"\n\
+ -i read input from <inputfile>\n\
+ -m module output <modulename>\n\
+ -o append output to <outputfile>\n'
+ sys.exit(1)
+#
+# This script will generate home dir file context
+# based off the homedir_template file, entries in the password file, and
+#
+try:
+ last_reload=0
+ input=sys.stdin
+ output=sys.stdout
+ module=""
+ verbose=0
+ gopts, cmds = getopt.getopt(sys.argv[1:], 'vdo:hli:m:', ['help',
+ 'last_reload='])
+ for o,a in gopts:
+ if o == '--last_reload' or o == "-l":
+ last_reload=1
+ if o == "-v":
+ verbose=1
+ if o == "-i":
+ input=open(a, "r")
+ if o == "-m":
+ module=a
+ if o == '--help':
+ usage()
+ if o == "-d":
+ input=os.popen("/bin/dmesg", "r")
+ if o == "-o":
+ output=open(a, "a")
+ if len(cmds) != 0:
+ usage()
+ out=allowRecords(input, last_reload, verbose)
+ output.write(out.out(module))
+
+except getopt.error, error:
+ errorExit(string.join("Options Error ", error))
+except ValueError, error:
+ errorExit(string.join("ValueError ", error))
+except IndexError, error:
+ errorExit("IndexError")
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.perl policycoreutils-1.27.28/audit2allow/audit2allow.perl
--- nsapolicycoreutils/audit2allow/audit2allow.perl 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.27.28/audit2allow/audit2allow.perl 2005-11-16 21:45:38.000000000 -0500
@@ -0,0 +1,164 @@
+#!/usr/bin/perl
+
+# Adapted from:
+# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu)
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp)
+
+
+$load_policy_pattern="avc:.*granted.*{.*load_policy.*}";
+
+while ($opt = shift @ARGV) {
+ if ($opt eq "-d") { $read_dmesg++; }
+ elsif ($opt eq "-v") { $verbose++; }
+ elsif ($opt eq "-i") { $input = shift @ARGV; }
+ elsif ($opt eq "-o") { $output= shift @ARGV; }
+ elsif ($opt eq "-l") { $load_policy++; }
+ elsif ($opt eq "--help") { &printUsage; }
+ else { print "unknown option, '$opt'\n\n"; &printUsage; }
+}
+
+if ($read_dmesg && $input) {
+ print "Error, can't read from both dmesg and $input\n\n";
+ &printUsage;
+}
+
+if ($read_dmesg) { open (IN, "/bin/dmesg|"); }
+elsif ($input) { open (IN, "$input"); }
+else { open (IN, "-"); } # STDIN
+
+if ($output) { open (OUT, ">>$output"); }
+else { open (OUT, ">-"); } # STDOUT
+
+if($load_policy){ #store logs after last "load_policy" in @log_buf
+ while ($line = <IN>) {
+ if($line=~/$load_policy_pattern/) {
+ #stored logs are unnecessary
+ undef @log_buf;
+ }
+ else
+ {
+ push @log_buf,$line;
+ }
+ }
+}
+
+while ($line=&readNewline) {
+ next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/);
+ @types=split /\ /,$line;
+ $info="";
+ $group="";
+ $command="";
+ foreach $i(0..$#types){
+ next if($types[$i]!~/[=\{]/);
+ if($types[$i]=~/^\{/){
+ $j=$i+1;
+ while($types[$j]!~/\}/){
+ $command.=" $types[$j]";
+ $j++;
+ }
+ next;
+ }
+ my($a,$b) = split /=/,$types[$i];
+
+ next if($a eq "pid");
+ next if($a eq "dev");
+ next if($a eq "ino");
+
+ if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){
+ if($a ne "tclass"){
+ my($c,$c,$c) = split /:/, $b;
+ $b=$c;
+ }
+ $b=~s/\n//;
+ $group.="|$b";
+ next;
+ }
+ $b=~s/:\[\d+\]//;
+ $a=uc $a;
+ $info.="$a=$b ";
+ }
+
+ my($c,$c,$c,$c) = split /\|/, $group;
+ $info=~s/\ $c=\S+\ //gi;
+ # escape regexp patterns --<g>
+ $info=~s/([^\w])/\\$1/g;
+
+ @atypes=split /\ /,$command;
+ foreach $i(0..$#atypes){
+ $rules{$group}{$atypes[$i]}++;
+ }
+
+ $info.=" ";
+ if($occur{$group}!~$info){
+ $occur{$group}.="\t#$info: $command\n";
+ }
+ else{
+ my ($a,$b) = split /$info:\ /, $occur{$group};
+ my ($temp) = split /\n/, $b;
+
+ @com=split /\ /, $command;
+ foreach $i(1..$#com){
+ $b=" $com[$i]$b" if($temp!~$com[$i]);
+ }
+ $occur{$group}="$a$info: $b";
+ }
+}
+
+# done with the input file
+# now generate the rules
+foreach $k (sort keys %rules)
+{
+ my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k;
+ if ($scontext eq $tcontext) {
+ $tcontext = 'self';
+ }
+ print OUT "allow $scontext $tcontext:$tclass";
+
+ my $access_types = $rules{$k};
+ $len=(keys %$access_types);
+ if ($len gt 2 ) { print OUT " {"; }
+ foreach $t (sort keys %$access_types) {
+ if ($t ne "") {print OUT " $t";}
+ }
+ if ($len gt 2 ) { print OUT " }"; }
+ print OUT ";\n";
+ $occur{$k} =~ s/\\(.)/$1/g; # de-escape string
+ print OUT "$occur{$k}\n" if ($verbose);
+}
+
+exit;
+
+sub readNewline {
+ if($load_policy){
+ $newline=shift @log_buf;
+ }else{
+ $newline=<IN>;
+ }
+ return $newline;
+}
+
+sub printUsage {
+ print "audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]
+ -d read input from output of /bin/dmesg
+ -v verbose output
+ -l read input only after last \"load_policy\"
+ -i read input from <inputfile>
+ -o append output to <outputfile>\n";
+ exit;
+}
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/Makefile policycoreutils-1.27.28/audit2allow/Makefile
--- nsapolicycoreutils/audit2allow/Makefile 2005-09-12 16:33:30.000000000 -0400
+++ policycoreutils-1.27.28/audit2allow/Makefile 2005-11-16 21:45:38.000000000 -0500
@@ -10,7 +10,7 @@
install: all
-mkdir -p $(BINDIR)
- install -m 755 $(TARGETS) $(BINDIR)
+ install -m 755 $(TARGETS).py $(BINDIR)
-mkdir -p $(MANDIR)/man1
install -m 644 audit2allow.1 $(MANDIR)/man1/
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.28/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2005-11-16 15:27:46.000000000 -0500
+++ policycoreutils-1.27.28/scripts/genhomedircon 2005-11-16 21:45:38.000000000 -0500
@@ -29,7 +29,9 @@
import commands, sys, os, pwd, string, getopt, re
from semanage import *;
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+fd=open("/etc/shells", 'r')
+VALID_SHELLS=fd.read().split('\n')
+fd.close()
def getStartingUID():
starting_uid = sys.maxint
@@ -272,7 +274,7 @@
ulist = pwd.getpwall()
for u in ulist:
if u[2] >= starting_uid and \
- not u[6] in EXCLUDE_LOGINS and \
+ u[6] in VALID_SHELLS and \
u[5] != "/" and \
string.count(u[5], "/") > 1:
homedir = u[5][:string.rfind(u[5], "/")]

14
policycoreutils.spec
View File

@ -1,9 +1,9 @@
%define libsepolver 1.9.39-1 %define libsepolver 1.9.40-1
%define libsemanagever 1.3.53-2 %define libsemanagever 1.3.56-1
Summary: SELinux policy core utilities. Summary: SELinux policy core utilities.
Name: policycoreutils Name: policycoreutils
Version: 1.27.27 Version: 1.27.28
Release: 5 Release: 1
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -88,6 +88,12 @@ rm -rf ${RPM_BUILD_ROOT}
%config(noreplace) %{_sysconfdir}/sestatus.conf %config(noreplace) %{_sysconfdir}/sestatus.conf
%changelog %changelog
* Wed Nov 16 2005 Dan Walsh <dwalsh@redhat.com> 1.27.28-1
- Update to match NSA
* Merged genhomedircon rewrite from Dan Walsh.
- Rewrite audit2allow to python
* Mon Nov 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.27-5 * Mon Nov 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.27-5
- Fix genhomedircon to work with non libsemanage systems - Fix genhomedircon to work with non libsemanage systems

2
sources
View File

@ -1 +1 @@
1434688ebb8140e900747448b099e873 policycoreutils-1.27.27.tgz b07eb927454989b6d4f458a70a38d357 policycoreutils-1.27.28.tgz