From 305ae476ddddfb65e5a4cafde501a9ded863be0a Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 17 Jun 2013 13:35:55 -0400 Subject: [PATCH] Fix handling of sepolicy network sorting. - Additional interfaces needed for sepolicy gui --- policycoreutils-rhat.patch | 204 ++++++++++++++++++++++++++++--------- policycoreutils.spec | 6 +- 2 files changed, 159 insertions(+), 51 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index e2fdd76..f762874 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -250089,7 +250089,7 @@ index b6abdf5..c05c943 100644 Generate an additional HTML man pages for the specified domain(s). diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py -index b25d3b2..a0b262b 100755 +index b25d3b2..9b29b39 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -22,6 +22,8 @@ @@ -250169,7 +250169,7 @@ index b25d3b2..a0b262b 100755 newval = getattr(namespace, self.dest) if not newval: newval = [] -@@ -140,19 +165,40 @@ class CheckPolicyType(argparse.Action): +@@ -140,27 +165,65 @@ class CheckPolicyType(argparse.Action): class CheckUser(argparse.Action): def __call__(self, parser, namespace, value, option_string=None): @@ -250205,6 +250205,19 @@ index b25d3b2..a0b262b 100755 + usage_text = _(usage_text) + + return usage_text ++ ++def numcmp(val1,val2): ++ try: ++ v1 = int(val1.split(",")[0].split("-")[0]) ++ v2 = int(val2.split(",")[0].split("-")[0]) ++ if v1 > v2: ++ return 1 ++ if v1 == v2: ++ return 0 ++ if v1 < v2: ++ return -1 ++ except: ++ return cmp(val1,val2) + def _print_net(src, protocol, perm): - from sepolicy.network import get_network_connect @@ -250213,9 +250226,15 @@ index b25d3b2..a0b262b 100755 + portdict = sepolicy.network.get_network_connect(src, protocol, perm) if len(portdict) > 0: print "%s: %s %s" % (src, protocol, perm) ++ port_strings=[] for p in portdict: -@@ -160,7 +206,7 @@ def _print_net(src, protocol, perm): - print "\t" + recs +- for recs in portdict[p]: +- print "\t" + recs ++ for t, recs in portdict[p]: ++ port_strings.append(", ".join(recs)) ++ port_strings.sort(numcmp) ++ for p in port_strings: ++ print "\t" + p def network(args): - from sepolicy.network import portrecsbynum, portrecs, get_network_connect @@ -250223,7 +250242,7 @@ index b25d3b2..a0b262b 100755 if args.list_ports: all_ports = [] for i in portrecs: -@@ -201,41 +247,41 @@ def manpage(args): +@@ -201,41 +264,41 @@ def manpage(args): from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains path = args.path @@ -250288,7 +250307,7 @@ index b25d3b2..a0b262b 100755 def gen_network_args(parser): net = parser.add_parser("network", -@@ -283,7 +329,6 @@ def gen_communicate_args(parser): +@@ -283,7 +346,6 @@ def gen_communicate_args(parser): comm.set_defaults(func=communicate) def booleans(args): @@ -250296,7 +250315,7 @@ index b25d3b2..a0b262b 100755 from sepolicy import boolean_desc if args.all: rc, args.booleans = selinux.security_get_boolean_names() -@@ -300,6 +345,7 @@ def gen_booleans_args(parser): +@@ -300,6 +362,7 @@ def gen_booleans_args(parser): action="store_true", help=_("get all booleans descriptions")) group.add_argument("-b", "--boolean", dest="booleans", nargs="+", @@ -250304,7 +250323,7 @@ index b25d3b2..a0b262b 100755 help=_("boolean to get description")) bools.set_defaults(func=booleans) -@@ -319,22 +365,49 @@ def gen_transition_args(parser): +@@ -319,22 +382,49 @@ def gen_transition_args(parser): help=_("target process domain")) trans.set_defaults(func=transition) @@ -250363,7 +250382,7 @@ index b25d3b2..a0b262b 100755 if not args.command: raise ValueError(_("Command required for this type of policy")) cmd = os.path.realpath(args.command) -@@ -346,8 +419,18 @@ def generate(args): +@@ -346,8 +436,18 @@ def generate(args): mypolicy.set_program(cmd) if args.types: @@ -250382,7 +250401,7 @@ index b25d3b2..a0b262b 100755 for p in args.writepaths: if os.path.isdir(p): mypolicy.add_dir(p) -@@ -366,20 +449,34 @@ def generate(args): +@@ -366,20 +466,34 @@ def generate(args): def gen_interface_args(parser): itf = parser.add_parser("interface", help=_('List SELinux Policy interfaces')) @@ -250420,7 +250439,7 @@ index b25d3b2..a0b262b 100755 help=_('Generate SELinux Policy module template')) pol.add_argument("-d", "--domain", dest="domain", default=[], action=CheckDomain, nargs="*", -@@ -397,53 +494,57 @@ def gen_generate_args(parser): +@@ -397,53 +511,57 @@ def gen_generate_args(parser): help=argparse.SUPPRESS) pol.add_argument("-t", "--type", dest="types", default=[], nargs="*", action=CheckType, @@ -250504,7 +250523,7 @@ index b25d3b2..a0b262b 100755 pol.set_defaults(func=generate) if __name__ == '__main__': -@@ -461,11 +562,17 @@ if __name__ == '__main__': +@@ -461,11 +579,17 @@ if __name__ == '__main__': gen_transition_args(subparsers) try: @@ -250524,7 +250543,7 @@ index b25d3b2..a0b262b 100755 except KeyboardInterrupt: sys.exit(0) diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py -index 5e7415c..92a6b88 100644 +index 5e7415c..3a5391e 100644 --- a/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py @@ -7,6 +7,9 @@ import _policy @@ -250537,7 +250556,7 @@ index 5e7415c..92a6b88 100644 gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.textdomain(PROGNAME) try: -@@ -37,9 +40,75 @@ CLASS = 'class' +@@ -37,9 +40,116 @@ CLASS = 'class' TRANSITION = 'transition' ROLE_ALLOW = 'role_allow' @@ -250563,6 +250582,39 @@ index 5e7415c..92a6b88 100644 + dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) + return dict_list + ++def get_types_from_attribute(attribute): ++ return info(ATTRIBUTE,attribute)[0]["types"] ++ ++def get_writable_files(setype): ++ all_attributes = get_all_attributes() ++ all_writes = [] ++ mpaths = {} ++ permlist = search([ALLOW],{'source':setype, 'permlist':['open', 'write'], 'class':'file'}) ++ if permlist == None or len(permlist) == 0: ++ return mpaths ++ ++ fcdict = get_fcdict() ++ ++ attributes = ["proc_type", "sysctl_type"] ++ for i in permlist: ++ if i['target'] in attributes: ++ continue ++ if i['target'].endswith("_t"): ++ if i['target'] not in all_writes: ++ if i['target'] != setype: ++ all_writes.append(i['target']) ++ else: ++ for t in get_types_from_attribute(i['target']): ++ if t not in all_writes: ++ all_writes.append(t) ++ ++ for f in all_writes: ++ try: ++ mpaths[f] = fcdict[f] ++ except KeyError: ++ mpaths[f] = [] ++ return mpaths ++ +fcdict=None +def get_fcdict(fc_path = selinux.selinux_file_context_path()): + global fcdict @@ -250601,6 +250653,14 @@ index 5e7415c..92a6b88 100644 + entrypoints = map(lambda x: x['target'], search([ALLOW],{'source':setype, 'permlist':['entrypoint'], 'class':'file'})) + return entrypoints + ++def get_init_entrypoint_target(entrypoint): ++ try: ++ entrypoints = map(lambda x: x['transtype'], search([TRANSITION],{'source':"init_t", 'target':entrypoint, 'class':'process'})) ++ return entrypoints[0] ++ except TypeError: ++ pass ++ return None ++ +def get_all_entrypoints(setype): + fcdict = get_fcdict() + mpaths = {} @@ -250615,7 +250675,7 @@ index 5e7415c..92a6b88 100644 policies = glob.glob ("%s.*" % path ) policies.sort() return policies[-1] -@@ -47,6 +116,27 @@ def __get_installed_policy(): +@@ -47,6 +157,27 @@ def __get_installed_policy(): pass raise ValueError(_("No SELinux Policy installed")) @@ -250643,7 +250703,7 @@ index 5e7415c..92a6b88 100644 all_types = None def get_all_types(): global all_types -@@ -54,6 +144,13 @@ def get_all_types(): +@@ -54,6 +185,13 @@ def get_all_types(): all_types = map(lambda x: x['name'], info(TYPE)) return all_types @@ -250657,7 +250717,7 @@ index 5e7415c..92a6b88 100644 role_allows = None def get_all_role_allows(): global role_allows -@@ -71,6 +168,7 @@ def get_all_role_allows(): +@@ -71,6 +209,7 @@ def get_all_role_allows(): return role_allows def get_all_entrypoint_domains(): @@ -250665,7 +250725,7 @@ index 5e7415c..92a6b88 100644 all_domains = [] types=get_all_types() types.sort() -@@ -81,11 +179,54 @@ def get_all_entrypoint_domains(): +@@ -81,11 +220,54 @@ def get_all_entrypoint_domains(): all_domains.append(m[0]) return all_domains @@ -250721,7 +250781,7 @@ index 5e7415c..92a6b88 100644 return all_domains roles = None -@@ -139,50 +280,62 @@ def get_all_attributes(): +@@ -139,50 +321,92 @@ def get_all_attributes(): return all_attributes def policy(policy_file): @@ -250786,6 +250846,36 @@ index 5e7415c..92a6b88 100644 -def info(setype, name=None): - dict_list = _policy.info(setype, name) - return dict_list ++def gen_short_name(setype): ++ all_domains = get_all_domains() ++ if setype.endswith("_t"): ++ domainname = setype[:-2] ++ else: ++ domainname = setype ++ if domainname + "_t" not in all_domains: ++ raise ValueError("domain %s_t does not exist" % domainname) ++ if domainname[-1]=='d': ++ short_name = domainname[:-1] + "_" ++ else: ++ short_name = domainname + "_" ++ return (domainname, short_name) ++ ++def get_bools(setype): ++ bools = [] ++ domainbools = [] ++ domainname, short_name = gen_short_name(setype) ++ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, search([ALLOW],{'source' : setype}))): ++ for b in i: ++ if not isinstance(b,tuple): ++ continue ++ if b[0].startswith(short_name) or b[0].startswith(domainname): ++ if b not in domainbools and (b[0], not b[1]) not in domainbools: ++ domainbools.append(b) ++ else: ++ if b not in bools and (b[0], not b[1]) not in bools: ++ bools.append(b) ++ return (domainbools, bools) ++ +booleans = None +def get_all_booleans(): + global booleans @@ -250809,7 +250899,7 @@ index 5e7415c..92a6b88 100644 def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): global booleans_dict if booleans_dict: -@@ -191,7 +344,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): +@@ -191,7 +415,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): import re booleans_dict = {} try: @@ -251242,7 +251332,7 @@ index 8b063ca..c7dac62 100644 + else: + sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface)) diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py -index 25062da..cc5467f 100755 +index 25062da..086f2a7 100755 --- a/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py @@ -28,12 +28,12 @@ import string @@ -251299,7 +251389,7 @@ index 25062da..cc5467f 100755 class HTMLManPages: """ -@@ -416,40 +414,33 @@ class ManPage: +@@ -416,56 +414,42 @@ class ManPage: """ Generate a Manpage on an SELinux domain in the specified path """ @@ -251357,16 +251447,15 @@ index 25062da..cc5467f 100755 + self.xmlpath = self.root + "/usr/share/selinux/devel/policy.xml" self.booleans_dict = gen_bool_dict(self.xmlpath) - if domainname.endswith("_t"): -@@ -459,13 +450,16 @@ class ManPage: - - if self.domainname + "_t" not in self.all_domains: - raise ValueError("domain %s_t does not exist" % self.domainname) +- if domainname.endswith("_t"): +- self.domainname = domainname[:-2] +- else: +- self.domainname = domainname +- +- if self.domainname + "_t" not in self.all_domains: +- raise ValueError("domain %s_t does not exist" % self.domainname) - self.short_name = self.domainname -+ if self.domainname[-1]=='d': -+ self.short_name = self.domainname[:-1] + "_" -+ else: -+ self.short_name = self.domainname + "_" ++ self.domainname, self.short_name = gen_short_name(domainname) self.type = self.domainname + "_t" self._gen_bools() @@ -251377,7 +251466,7 @@ index 25062da..cc5467f 100755 self.__gen_user_man_page() if self.html: manpage_roles.append(self.man_page_path) -@@ -483,16 +477,23 @@ class ManPage: +@@ -483,16 +467,16 @@ class ManPage: def _gen_bools(self): self.bools=[] self.domainbools=[] @@ -251398,20 +251487,13 @@ index 25062da..cc5467f 100755 + types.append(t+"_t") + + for t in types: -+ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : t }))): -+ for b in i: -+ if not isinstance(b,tuple): -+ continue -+ if b[0].startswith(self.short_name) or b[0].startswith(self.domainname): -+ if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools: -+ self.domainbools.append(b) -+ else: -+ if b not in self.bools and (b[0], not b[1]) not in self.bools: -+ self.bools.append(b) ++ domainbools, bools = get_bools(t) ++ self.bools += bools ++ self.domainbools += bools self.bools.sort() self.domainbools.sort() -@@ -538,9 +539,6 @@ class ManPage: +@@ -538,9 +522,6 @@ class ManPage: print path def __gen_man_page(self): @@ -251421,7 +251503,7 @@ index 25062da..cc5467f 100755 self.anon_list = [] self.attributes = {} -@@ -563,22 +561,11 @@ class ManPage: +@@ -563,22 +544,11 @@ class ManPage: def _get_ptypes(self): for f in self.all_domains: @@ -251447,7 +251529,7 @@ index 25062da..cc5467f 100755 % {'domainname':self.domainname, 'date': time.strftime("%y-%m-%d")}) self.fd.write(r""" .SH "NAME" -@@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n +@@ -774,7 +744,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n def _port_types(self): self.ports = [] for f in self.all_port_types: @@ -251456,7 +251538,7 @@ index 25062da..cc5467f 100755 self.ports.append(f) if len(self.ports) == 0: -@@ -923,13 +910,12 @@ to apply the labels. +@@ -923,13 +893,12 @@ to apply the labels. def _see_also(self): ret = "" @@ -251472,7 +251554,7 @@ index 25062da..cc5467f 100755 ret += ", %s_selinux(8)" % d self.fd.write(ret) -@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" +@@ -947,13 +916,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" .B restorecon -F -R -v /var/%(domainname)s .pp .TP @@ -251489,7 +251571,7 @@ index 25062da..cc5467f 100755 """ % {'domainname':self.domainname}) for b in self.anon_list: desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:] -@@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings. +@@ -998,12 +968,11 @@ is a GUI tool available to customize SELinux policy settings. .SH AUTHOR This manual page was auto-generated using @@ -251504,7 +251586,7 @@ index 25062da..cc5467f 100755 if self.booltext != "": self.fd.write(", setsebool(8)") -@@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login. +@@ -1230,6 +1199,7 @@ The SELinux user %s_u is not able to terminal login. """ % self.domainname) def _network(self): @@ -251513,7 +251595,7 @@ index 25062da..cc5467f 100755 .SH NETWORK """) diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py -index 66efe26..a446d68 100755 +index 66efe26..739afa9 100755 --- a/policycoreutils/sepolicy/sepolicy/network.py +++ b/policycoreutils/sepolicy/sepolicy/network.py @@ -25,27 +25,6 @@ import sepolicy @@ -251552,6 +251634,28 @@ index 66efe26..a446d68 100755 d={} tlist = get_types(src, "%s_socket" % protocol, [perm]) if len(tlist) > 0: +@@ -77,16 +57,16 @@ def get_network_connect(src, protocol, perm): + if "port_t" in tlist: + continue + if i == "port_t": +- d[(src,protocol,perm)].append("all ports with out defined types") ++ d[(src,protocol,perm)].append((i, ["all ports with out defined types"])) + elif i == "unreserved_port_type": +- d[(src,protocol,perm)].append("%s: all ports > 1024" % i) ++ d[(src,protocol,perm)].append((i, ["all ports > 1024"])) + elif i == "reserved_port_type": +- d[(src,protocol,perm)].append("%s: all ports < 1024" % i) ++ d[(src,protocol,perm)].append((i, ["all ports < 1024"])) + elif i == "rpc_port_type": +- d[(src,protocol,perm)].append("%s: all ports > 500 and < 1024" % i) ++ d[(src,protocol,perm)].append((i, ["all ports > 500 and < 1024"])) + else: + try: +- d[(src,protocol,perm)].append("%s: %s" % (i, ",".join(portrecs[(i, protocol)]))) ++ d[(src,protocol,perm)].append((i, portrecs[(i, protocol)])) + except KeyError: + pass + return d diff --git a/policycoreutils/sepolicy/sepolicy/templates/script.py b/policycoreutils/sepolicy/sepolicy/templates/script.py index c139070..c79738b 100644 --- a/policycoreutils/sepolicy/sepolicy/templates/script.py diff --git a/policycoreutils.spec b/policycoreutils.spec index 870c2a6..1e1b7ce 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 51%{?dist} +Release: 52%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -311,6 +311,10 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon Jun 17 2013 Dan Walsh - 2.1.14-52 +- Fix handling of sepolicy network sorting. +- Additional interfaces needed for sepolicy gui + * Thu Jun 6 2013 Dan Walsh - 2.1.14-51 - Fix handling of semanage args