rpms/policycoreutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix handling of sepolicy network sorting.

Browse Source 
- Additional interfaces needed for sepolicy gui
This commit is contained in:
Dan Walsh 2013-06-17 13:35:55 -04:00
parent 39c0a6ec6a
commit 305ae476dd
2 changed files with 159 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

204
policycoreutils-rhat.patch
View File

@ -250089,7 +250089,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..a0b262b 100755
index b25d3b2..9b29b39 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
@ -250169,7 +250169,7 @@ index b25d3b2..a0b262b 100755
newval = getattr(namespace, self.dest)
if not newval:
newval = []
@@ -140,19 +165,40 @@ class CheckPolicyType(argparse.Action):
@@ -140,27 +165,65 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None):
@ -250205,6 +250205,19 @@ index b25d3b2..a0b262b 100755
+ usage_text = _(usage_text)
+
+ return usage_text
+
+def numcmp(val1,val2):
+ try:
+ v1 = int(val1.split(",")[0].split("-")[0])
+ v2 = int(val2.split(",")[0].split("-")[0])
+ if v1 > v2:
+ return 1
+ if v1 == v2:
+ return 0
+ if v1 < v2:
+ return -1
+ except:
+ return cmp(val1,val2)
+
def _print_net(src, protocol, perm):
- from sepolicy.network import get_network_connect
@ -250213,9 +250226,15 @@ index b25d3b2..a0b262b 100755
+ portdict = sepolicy.network.get_network_connect(src, protocol, perm)
if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm)
+ port_strings=[]
for p in portdict:
@@ -160,7 +206,7 @@ def _print_net(src, protocol, perm):
print "\t" + recs
- for recs in portdict[p]:
- print "\t" + recs
+ for t, recs in portdict[p]:
+ port_strings.append(", ".join(recs))
+ port_strings.sort(numcmp)
+ for p in port_strings:
+ print "\t" + p
def network(args):
- from sepolicy.network import portrecsbynum, portrecs, get_network_connect
@ -250223,7 +250242,7 @@ index b25d3b2..a0b262b 100755
if args.list_ports:
all_ports = []
for i in portrecs:
@@ -201,41 +247,41 @@ def manpage(args):
@@ -201,41 +264,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path
@ -250288,7 +250307,7 @@ index b25d3b2..a0b262b 100755
def gen_network_args(parser):
net = parser.add_parser("network",
@@ -283,7 +329,6 @@ def gen_communicate_args(parser):
@@ -283,7 +346,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate)
def booleans(args):
@ -250296,7 +250315,7 @@ index b25d3b2..a0b262b 100755
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
@@ -300,6 +345,7 @@ def gen_booleans_args(parser):
@@ -300,6 +362,7 @@ def gen_booleans_args(parser):
action="store_true",
help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
@ -250304,7 +250323,7 @@ index b25d3b2..a0b262b 100755
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
@@ -319,22 +365,49 @@ def gen_transition_args(parser):
@@ -319,22 +382,49 @@ def gen_transition_args(parser):
help=_("target process domain"))
trans.set_defaults(func=transition)
@ -250363,7 +250382,7 @@ index b25d3b2..a0b262b 100755
if not args.command:
raise ValueError(_("Command required for this type of policy"))
cmd = os.path.realpath(args.command)
@@ -346,8 +419,18 @@ def generate(args):
@@ -346,8 +436,18 @@ def generate(args):
mypolicy.set_program(cmd)
if args.types:
@ -250382,7 +250401,7 @@ index b25d3b2..a0b262b 100755
for p in args.writepaths:
if os.path.isdir(p):
mypolicy.add_dir(p)
@@ -366,20 +449,34 @@ def generate(args):
@@ -366,20 +466,34 @@ def generate(args):
def gen_interface_args(parser):
itf = parser.add_parser("interface",
help=_('List SELinux Policy interfaces'))
@ -250420,7 +250439,7 @@ index b25d3b2..a0b262b 100755
help=_('Generate SELinux Policy module template'))
pol.add_argument("-d", "--domain", dest="domain", default=[],
action=CheckDomain, nargs="*",
@@ -397,53 +494,57 @@ def gen_generate_args(parser):
@@ -397,53 +511,57 @@ def gen_generate_args(parser):
help=argparse.SUPPRESS)
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
action=CheckType,
@ -250504,7 +250523,7 @@ index b25d3b2..a0b262b 100755
pol.set_defaults(func=generate)
if __name__ == '__main__':
@@ -461,11 +562,17 @@ if __name__ == '__main__':
@@ -461,11 +579,17 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
try:
@ -250524,7 +250543,7 @@ index b25d3b2..a0b262b 100755
except KeyboardInterrupt:
sys.exit(0)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..92a6b88 100644
index 5e7415c..3a5391e 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -7,6 +7,9 @@ import _policy
@ -250537,7 +250556,7 @@ index 5e7415c..92a6b88 100644
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
@@ -37,9 +40,75 @@ CLASS = 'class'
@@ -37,9 +40,116 @@ CLASS = 'class'
TRANSITION = 'transition'
ROLE_ALLOW = 'role_allow'
@ -250563,6 +250582,39 @@ index 5e7415c..92a6b88 100644
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
+ return dict_list
+
+def get_types_from_attribute(attribute):
+ return info(ATTRIBUTE,attribute)[0]["types"]
+
+def get_writable_files(setype):
+ all_attributes = get_all_attributes()
+ all_writes = []
+ mpaths = {}
+ permlist = search([ALLOW],{'source':setype, 'permlist':['open', 'write'], 'class':'file'})
+ if permlist == None or len(permlist) == 0:
+ return mpaths
+
+ fcdict = get_fcdict()
+
+ attributes = ["proc_type", "sysctl_type"]
+ for i in permlist:
+ if i['target'] in attributes:
+ continue
+ if i['target'].endswith("_t"):
+ if i['target'] not in all_writes:
+ if i['target'] != setype:
+ all_writes.append(i['target'])
+ else:
+ for t in get_types_from_attribute(i['target']):
+ if t not in all_writes:
+ all_writes.append(t)
+
+ for f in all_writes:
+ try:
+ mpaths[f] = fcdict[f]
+ except KeyError:
+ mpaths[f] = []
+ return mpaths
+
+fcdict=None
+def get_fcdict(fc_path = selinux.selinux_file_context_path()):
+ global fcdict
@ -250601,6 +250653,14 @@ index 5e7415c..92a6b88 100644
+ entrypoints = map(lambda x: x['target'], search([ALLOW],{'source':setype, 'permlist':['entrypoint'], 'class':'file'}))
+ return entrypoints
+
+def get_init_entrypoint_target(entrypoint):
+ try:
+ entrypoints = map(lambda x: x['transtype'], search([TRANSITION],{'source':"init_t", 'target':entrypoint, 'class':'process'}))
+ return entrypoints[0]
+ except TypeError:
+ pass
+ return None
+
+def get_all_entrypoints(setype):
+ fcdict = get_fcdict()
+ mpaths = {}
@ -250615,7 +250675,7 @@ index 5e7415c..92a6b88 100644
policies = glob.glob ("%s.*" % path )
policies.sort()
return policies[-1]
@@ -47,6 +116,27 @@ def __get_installed_policy():
@@ -47,6 +157,27 @@ def __get_installed_policy():
pass
raise ValueError(_("No SELinux Policy installed"))
@ -250643,7 +250703,7 @@ index 5e7415c..92a6b88 100644
all_types = None
def get_all_types():
global all_types
@@ -54,6 +144,13 @@ def get_all_types():
@@ -54,6 +185,13 @@ def get_all_types():
all_types = map(lambda x: x['name'], info(TYPE))
return all_types
@ -250657,7 +250717,7 @@ index 5e7415c..92a6b88 100644
role_allows = None
def get_all_role_allows():
global role_allows
@@ -71,6 +168,7 @@ def get_all_role_allows():
@@ -71,6 +209,7 @@ def get_all_role_allows():
return role_allows
def get_all_entrypoint_domains():
@ -250665,7 +250725,7 @@ index 5e7415c..92a6b88 100644
all_domains = []
types=get_all_types()
types.sort()
@@ -81,11 +179,54 @@ def get_all_entrypoint_domains():
@@ -81,11 +220,54 @@ def get_all_entrypoint_domains():
all_domains.append(m[0])
return all_domains
@ -250721,7 +250781,7 @@ index 5e7415c..92a6b88 100644
return all_domains
roles = None
@@ -139,50 +280,62 @@ def get_all_attributes():
@@ -139,50 +321,92 @@ def get_all_attributes():
return all_attributes
def policy(policy_file):
@ -250786,6 +250846,36 @@ index 5e7415c..92a6b88 100644
-def info(setype, name=None):
- dict_list = _policy.info(setype, name)
- return dict_list
+def gen_short_name(setype):
+ all_domains = get_all_domains()
+ if setype.endswith("_t"):
+ domainname = setype[:-2]
+ else:
+ domainname = setype
+ if domainname + "_t" not in all_domains:
+ raise ValueError("domain %s_t does not exist" % domainname)
+ if domainname[-1]=='d':
+ short_name = domainname[:-1] + "_"
+ else:
+ short_name = domainname + "_"
+ return (domainname, short_name)
+
+def get_bools(setype):
+ bools = []
+ domainbools = []
+ domainname, short_name = gen_short_name(setype)
+ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, search([ALLOW],{'source' : setype}))):
+ for b in i:
+ if not isinstance(b,tuple):
+ continue
+ if b[0].startswith(short_name) or b[0].startswith(domainname):
+ if b not in domainbools and (b[0], not b[1]) not in domainbools:
+ domainbools.append(b)
+ else:
+ if b not in bools and (b[0], not b[1]) not in bools:
+ bools.append(b)
+ return (domainbools, bools)
+
+booleans = None
+def get_all_booleans():
+ global booleans
@ -250809,7 +250899,7 @@ index 5e7415c..92a6b88 100644
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
global booleans_dict
if booleans_dict:
@@ -191,7 +344,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
@@ -191,7 +415,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
import re
booleans_dict = {}
try:
@ -251242,7 +251332,7 @@ index 8b063ca..c7dac62 100644
+ else:
+ sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface))
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..cc5467f 100755
index 25062da..086f2a7 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -28,12 +28,12 @@ import string
@ -251299,7 +251389,7 @@ index 25062da..cc5467f 100755
class HTMLManPages:
"""
@@ -416,40 +414,33 @@ class ManPage:
@@ -416,56 +414,42 @@ class ManPage:
"""
Generate a Manpage on an SELinux domain in the specified path
"""
@ -251357,16 +251447,15 @@ index 25062da..cc5467f 100755
+ self.xmlpath = self.root + "/usr/share/selinux/devel/policy.xml"
self.booleans_dict = gen_bool_dict(self.xmlpath)
if domainname.endswith("_t"):
@@ -459,13 +450,16 @@ class ManPage:
if self.domainname + "_t" not in self.all_domains:
raise ValueError("domain %s_t does not exist" % self.domainname)
- if domainname.endswith("_t"):
- self.domainname = domainname[:-2]
- else:
- self.domainname = domainname
-
- if self.domainname + "_t" not in self.all_domains:
- raise ValueError("domain %s_t does not exist" % self.domainname)
- self.short_name = self.domainname
+ if self.domainname[-1]=='d':
+ self.short_name = self.domainname[:-1] + "_"
+ else:
+ self.short_name = self.domainname + "_"
+ self.domainname, self.short_name = gen_short_name(domainname)
self.type = self.domainname + "_t"
self._gen_bools()
@ -251377,7 +251466,7 @@ index 25062da..cc5467f 100755
self.__gen_user_man_page()
if self.html:
manpage_roles.append(self.man_page_path)
@@ -483,16 +477,23 @@ class ManPage:
@@ -483,16 +467,16 @@ class ManPage:
def _gen_bools(self):
self.bools=[]
self.domainbools=[]
@ -251398,20 +251487,13 @@ index 25062da..cc5467f 100755
+ types.append(t+"_t")
+
+ for t in types:
+ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : t }))):
+ for b in i:
+ if not isinstance(b,tuple):
+ continue
+ if b[0].startswith(self.short_name) or b[0].startswith(self.domainname):
+ if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
+ self.domainbools.append(b)
+ else:
+ if b not in self.bools and (b[0], not b[1]) not in self.bools:
+ self.bools.append(b)
+ domainbools, bools = get_bools(t)
+ self.bools += bools
+ self.domainbools += bools
self.bools.sort()
self.domainbools.sort()
@@ -538,9 +539,6 @@ class ManPage:
@@ -538,9 +522,6 @@ class ManPage:
print path
def __gen_man_page(self):
@ -251421,7 +251503,7 @@ index 25062da..cc5467f 100755
self.anon_list = []
self.attributes = {}
@@ -563,22 +561,11 @@ class ManPage:
@@ -563,22 +544,11 @@ class ManPage:
def _get_ptypes(self):
for f in self.all_domains:
@ -251447,7 +251529,7 @@ index 25062da..cc5467f 100755
% {'domainname':self.domainname, 'date': time.strftime("%y-%m-%d")})
self.fd.write(r"""
.SH "NAME"
@@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
@@ -774,7 +744,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
def _port_types(self):
self.ports = []
for f in self.all_port_types:
@ -251456,7 +251538,7 @@ index 25062da..cc5467f 100755
self.ports.append(f)
if len(self.ports) == 0:
@@ -923,13 +910,12 @@ to apply the labels.
@@ -923,13 +893,12 @@ to apply the labels.
def _see_also(self):
ret = ""
@ -251472,7 +251554,7 @@ index 25062da..cc5467f 100755
ret += ", %s_selinux(8)" % d
self.fd.write(ret)
@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
@@ -947,13 +916,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
.B restorecon -F -R -v /var/%(domainname)s
.pp
.TP
@ -251489,7 +251571,7 @@ index 25062da..cc5467f 100755
""" % {'domainname':self.domainname})
for b in self.anon_list:
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
@@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings.
@@ -998,12 +968,11 @@ is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was auto-generated using
@ -251504,7 +251586,7 @@ index 25062da..cc5467f 100755
if self.booltext != "":
self.fd.write(", setsebool(8)")
@@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login.
@@ -1230,6 +1199,7 @@ The SELinux user %s_u is not able to terminal login.
""" % self.domainname)
def _network(self):
@ -251513,7 +251595,7 @@ index 25062da..cc5467f 100755
.SH NETWORK
""")
diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py
index 66efe26..a446d68 100755
index 66efe26..739afa9 100755
--- a/policycoreutils/sepolicy/sepolicy/network.py
+++ b/policycoreutils/sepolicy/sepolicy/network.py
@@ -25,27 +25,6 @@ import sepolicy
@ -251552,6 +251634,28 @@ index 66efe26..a446d68 100755
d={}
tlist = get_types(src, "%s_socket" % protocol, [perm])
if len(tlist) > 0:
@@ -77,16 +57,16 @@ def get_network_connect(src, protocol, perm):
if "port_t" in tlist:
continue
if i == "port_t":
- d[(src,protocol,perm)].append("all ports with out defined types")
+ d[(src,protocol,perm)].append((i, ["all ports with out defined types"]))
elif i == "unreserved_port_type":
- d[(src,protocol,perm)].append("%s: all ports > 1024" % i)
+ d[(src,protocol,perm)].append((i, ["all ports > 1024"]))
elif i == "reserved_port_type":
- d[(src,protocol,perm)].append("%s: all ports < 1024" % i)
+ d[(src,protocol,perm)].append((i, ["all ports < 1024"]))
elif i == "rpc_port_type":
- d[(src,protocol,perm)].append("%s: all ports > 500 and < 1024" % i)
+ d[(src,protocol,perm)].append((i, ["all ports > 500 and < 1024"]))
else:
try:
- d[(src,protocol,perm)].append("%s: %s" % (i, ",".join(portrecs[(i, protocol)])))
+ d[(src,protocol,perm)].append((i, portrecs[(i, protocol)]))
except KeyError:
pass
return d
diff --git a/policycoreutils/sepolicy/sepolicy/templates/script.py b/policycoreutils/sepolicy/sepolicy/templates/script.py
index c139070..c79738b 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/script.py

6
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
Release: 51%{?dist}
Release: 52%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -311,6 +311,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Jun 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-52
- Fix handling of sepolicy network sorting.
- Additional interfaces needed for sepolicy gui
* Thu Jun 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-51
- Fix handling of semanage args