Update to upstream
sepolgen
  * better analysis of why things broke
policycoreutils
  * Remove excess whitespace
  * sandbox: Add back in . functions to sandbox.init script
  * Fix Makefile to match other policycoreutils Makefiles
  * semanage: drop unused translation getopt
parent
1bf48c8679
commit
414b6a904d
@ -84,40 +84,6 @@ index 9db766c..068e24c 100644
|
||||
return 0;
|
||||
|
||||
} /* main() */
|
||||
diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
|
||||
index 7789d23..b817364 100644
|
||||
--- a/policycoreutils/sandbox/Makefile
|
||||
+++ b/policycoreutils/sandbox/Makefile
|
||||
@@ -8,13 +8,13 @@ SBINDIR ?= $(PREFIX)/sbin
|
||||
MANDIR ?= $(PREFIX)/share/man
|
||||
LOCALEDIR ?= /usr/share/locale
|
||||
SHAREDIR ?= $(PREFIX)/share/sandbox
|
||||
-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
|
||||
-LDLIBS += -lcgroup -lselinux -lcap-ng
|
||||
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W
|
||||
+LDLIBS += -lcgroup -lselinux -lcap-ng -L$(LIBDIR)
|
||||
+SEUNSHARE_OBJS = seunshare.o
|
||||
|
||||
all: sandbox seunshare sandboxX.sh start
|
||||
|
||||
-seunshare: seunshare.o $(EXTRA_OBJS)
|
||||
- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) -L$(LIBDIR)
|
||||
+seunshare: $(SEUNSHARE_OBJS)
|
||||
|
||||
install: all
|
||||
-mkdir -p $(BINDIR)
|
||||
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
|
||||
index 8aed876..b3979bf 100644
|
||||
--- a/policycoreutils/sandbox/sandbox.init
|
||||
+++ b/policycoreutils/sandbox/sandbox.init
|
||||
@@ -19,6 +19,7 @@
|
||||
#
|
||||
|
||||
# Source function library.
|
||||
+. /etc/init.d/functions
|
||||
|
||||
LOCKFILE=/var/lock/subsys/sandbox
|
||||
|
||||
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
|
||||
index ab696a7..58b19cd 100644
|
||||
--- a/policycoreutils/scripts/genhomedircon
|
||||
@ -271,7 +237,7 @@ index 0000000..e2befdb
|
||||
+ packages=["policycoreutils"],
|
||||
+)
|
||||
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
|
||||
index 48d7baa..2c0cfdd 100644
|
||||
index 0c7c186..aaba8b1 100644
|
||||
--- a/policycoreutils/semanage/semanage
|
||||
+++ b/policycoreutils/semanage/semanage
|
||||
@@ -20,6 +20,7 @@
|
||||
@ -291,96 +257,8 @@ index 48d7baa..2c0cfdd 100644
|
||||
codeset = 'utf-8')
|
||||
except IOError:
|
||||
import __builtin__
|
||||
@@ -283,11 +284,14 @@ Object-specific Options (see above):
|
||||
equal = a
|
||||
|
||||
if o == "--enable":
|
||||
- set_action(o)
|
||||
+ if disable:
|
||||
+ raise ValueError(_("You can't disable and enable at the same time"))
|
||||
+
|
||||
enable = True
|
||||
|
||||
if o == "--disable":
|
||||
- set_action(o)
|
||||
+ if enable:
|
||||
+ raise ValueError(_("You can't disable and enable at the same time"))
|
||||
disable = True
|
||||
|
||||
if o == "-F" or o == "--file":
|
||||
@@ -504,31 +508,36 @@ Object-specific Options (see above):
|
||||
if len(sys.argv) < 3:
|
||||
usage(_("Requires 2 or more arguments"))
|
||||
|
||||
- gopts, cmds = getopt.getopt(sys.argv[1:],
|
||||
- '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
|
||||
- ['add',
|
||||
- 'delete',
|
||||
- 'deleteall',
|
||||
- 'ftype=',
|
||||
- 'file',
|
||||
- 'help',
|
||||
- 'input=',
|
||||
- 'list',
|
||||
- 'modify',
|
||||
- 'noheading',
|
||||
- 'localist',
|
||||
- 'off',
|
||||
- 'on',
|
||||
- 'output=',
|
||||
- 'proto=',
|
||||
- 'seuser=',
|
||||
- 'store=',
|
||||
- 'range=',
|
||||
- 'level=',
|
||||
- 'roles=',
|
||||
- 'type=',
|
||||
- 'prefix='
|
||||
- ])
|
||||
+ try:
|
||||
+ gopts, cmds = getopt.getopt(sys.argv[1:],
|
||||
+ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:',
|
||||
+ ['add',
|
||||
+ 'delete',
|
||||
+ 'deleteall',
|
||||
+ 'ftype=',
|
||||
+ 'file',
|
||||
+ 'help',
|
||||
+ 'input=',
|
||||
+ 'list',
|
||||
+ 'modify',
|
||||
+ 'noheading',
|
||||
+ 'localist',
|
||||
+ 'off',
|
||||
+ 'on',
|
||||
+ 'output=',
|
||||
+ 'proto=',
|
||||
+ 'seuser=',
|
||||
+ 'store=',
|
||||
+ 'range=',
|
||||
+ 'level=',
|
||||
+ 'roles=',
|
||||
+ 'type=',
|
||||
+ 'trans=',
|
||||
+ 'prefix='
|
||||
+ ])
|
||||
+ except getopt.error, error:
|
||||
+ usage(_("Options Error %s ") % error.msg)
|
||||
+
|
||||
for o, a in gopts:
|
||||
if o == "-S" or o == '--store':
|
||||
store = a
|
||||
@@ -558,8 +567,6 @@ Object-specific Options (see above):
|
||||
else:
|
||||
process_args(sys.argv[1:])
|
||||
|
||||
- except getopt.error, error:
|
||||
- usage(_("Options Error %s ") % error.msg)
|
||||
except ValueError, error:
|
||||
errorExit(error.args[0])
|
||||
except KeyError, error:
|
||||
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
|
||||
index 2628645..e5b6303 100644
|
||||
index 17afe23..e5b6303 100644
|
||||
--- a/policycoreutils/semanage/seobject.py
|
||||
+++ b/policycoreutils/semanage/seobject.py
|
||||
@@ -30,11 +30,10 @@ from IPy import IP
|
||||
@ -420,15 +298,7 @@ index 2628645..e5b6303 100644
|
||||
|
||||
(rc, u) = semanage_user_create(self.sh)
|
||||
if rc < 0:
|
||||
@@ -1136,7 +1138,6 @@ class nodeRecords(semanageRecords):
|
||||
return newaddr, newmask, newprotocol
|
||||
|
||||
def __add(self, addr, mask, proto, serange, ctype):
|
||||
-
|
||||
addr, mask, proto = self.validate(addr, mask, proto)
|
||||
|
||||
if is_mls_enabled == 1:
|
||||
@@ -1156,7 +1157,8 @@ class nodeRecords(semanageRecords):
|
||||
@@ -1155,7 +1157,8 @@ class nodeRecords(semanageRecords):
|
||||
|
||||
(rc, exists) = semanage_node_exists(self.sh, k)
|
||||
if exists:
|
||||
@ -438,31 +308,7 @@ index 2628645..e5b6303 100644
|
||||
|
||||
(rc, node) = semanage_node_create(self.sh)
|
||||
if rc < 0:
|
||||
@@ -1172,7 +1174,6 @@ class nodeRecords(semanageRecords):
|
||||
if rc < 0:
|
||||
raise ValueError(_("Could not set mask for %s") % addr)
|
||||
|
||||
-
|
||||
rc = semanage_context_set_user(self.sh, con, "system_u")
|
||||
if rc < 0:
|
||||
raise ValueError(_("Could not set user in addr context for %s") % addr)
|
||||
@@ -1208,7 +1209,6 @@ class nodeRecords(semanageRecords):
|
||||
self.commit()
|
||||
|
||||
def __modify(self, addr, mask, proto, serange, setype):
|
||||
-
|
||||
addr, mask, proto = self.validate(addr, mask, proto)
|
||||
|
||||
if serange == "" and setype == "":
|
||||
@@ -1229,7 +1229,6 @@ class nodeRecords(semanageRecords):
|
||||
raise ValueError(_("Could not query addr %s") % addr)
|
||||
|
||||
con = semanage_node_get_con(node)
|
||||
-
|
||||
if serange != "":
|
||||
semanage_context_set_mls(self.sh, con, untranslate(serange))
|
||||
if setype != "":
|
||||
@@ -1357,7 +1356,8 @@ class interfaceRecords(semanageRecords):
|
||||
@@ -1353,7 +1356,8 @@ class interfaceRecords(semanageRecords):
|
||||
if rc < 0:
|
||||
raise ValueError(_("Could not check if interface %s is defined") % interface)
|
||||
if exists:
|
||||
@ -472,7 +318,7 @@ index 2628645..e5b6303 100644
|
||||
|
||||
(rc, iface) = semanage_iface_create(self.sh)
|
||||
if rc < 0:
|
||||
@@ -1640,7 +1640,8 @@ class fcontextRecords(semanageRecords):
|
||||
@@ -1636,7 +1640,8 @@ class fcontextRecords(semanageRecords):
|
||||
raise ValueError(_("Could not check if file context for %s is defined") % target)
|
||||
|
||||
if exists:
|
||||
@ -482,14 +328,6 @@ index 2628645..e5b6303 100644
|
||||
|
||||
(rc, fcontext) = semanage_fcontext_create(self.sh)
|
||||
if rc < 0:
|
||||
@@ -1734,7 +1735,6 @@ class fcontextRecords(semanageRecords):
|
||||
self.begin()
|
||||
self.__modify(target, setype, ftype, serange, seuser)
|
||||
self.commit()
|
||||
-
|
||||
|
||||
def deleteall(self):
|
||||
(rc, flist) = semanage_fcontext_list_local(self.sh)
|
||||
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
|
||||
index 9a7d315..e57d34f 100644
|
||||
--- a/policycoreutils/setfiles/restore.c
|
||||
|
@ -1,72 +1,3 @@
|
||||
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
|
||||
index 898fbc3..9fdfafa 100644
|
||||
--- a/sepolgen/src/sepolgen/audit.py
|
||||
+++ b/sepolgen/src/sepolgen/audit.py
|
||||
@@ -127,6 +127,9 @@ class PathMessage(AuditMessage):
|
||||
if fields[0] == "path":
|
||||
self.path = fields[1][1:-1]
|
||||
return
|
||||
+import selinux.audit2why as audit2why
|
||||
+
|
||||
+avcdict = {}
|
||||
|
||||
class AVCMessage(AuditMessage):
|
||||
"""AVC message representing an access denial or granted message.
|
||||
@@ -168,6 +171,8 @@ class AVCMessage(AuditMessage):
|
||||
self.name = ""
|
||||
self.accesses = []
|
||||
self.denial = True
|
||||
+ self.type = audit2why.TERULE
|
||||
+ self.bools = []
|
||||
|
||||
def __parse_access(self, recs, start):
|
||||
# This is kind of sucky - the access that is in a space separated
|
||||
@@ -229,7 +234,31 @@ class AVCMessage(AuditMessage):
|
||||
|
||||
if not found_src or not found_tgt or not found_class or not found_access:
|
||||
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
|
||||
-
|
||||
+ self.analyze()
|
||||
+
|
||||
+ def analyze(self):
|
||||
+ tcontext = self.tcontext.to_string()
|
||||
+ scontext = self.scontext.to_string()
|
||||
+ access_tuple = tuple( self.accesses)
|
||||
+ if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
|
||||
+ self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
|
||||
+ else:
|
||||
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
||||
+ if self.type == audit2why.NOPOLICY:
|
||||
+ self.type = audit2why.TERULE
|
||||
+ if self.type == audit2why.BADTCON:
|
||||
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
|
||||
+ if self.type == audit2why.BADSCON:
|
||||
+ raise ValueError("Invalid Source Context %s\n" % scontext)
|
||||
+ if self.type == audit2why.BADSCON:
|
||||
+ raise ValueError("Invalid Type Class %s\n" % self.tclass)
|
||||
+ if self.type == audit2why.BADPERM:
|
||||
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
|
||||
+ if self.type == audit2why.BADCOMPUTE:
|
||||
+ raise ValueError("Error during access vector computation")
|
||||
+
|
||||
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
|
||||
+
|
||||
class PolicyLoadMessage(AuditMessage):
|
||||
"""Audit message indicating that the policy was reloaded."""
|
||||
def __init__(self, message):
|
||||
@@ -472,10 +501,10 @@ class AuditParser:
|
||||
if avc_filter:
|
||||
if avc_filter.filter(avc):
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
- avc.accesses, avc)
|
||||
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||
else:
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
- avc.accesses, avc)
|
||||
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||
return av_set
|
||||
|
||||
class AVCTypeFilter:
|
||||
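Review bot: In the new `analyze()` method the check that is meant to report an invalid object class tests `audit2why.BADSCON` a second time, right after the branch that already raises "Invalid Source Context" for that same code; the "Invalid Type Class" error is therefore unreachable and a bad class falls through silently to the cache store. The second test should compare against the module's class code, presumably `if self.type == audit2why.BADTCLASS:` — confirm the constant name against the `selinux.audit2why` build in use. Two smaller points in the same hunk: `in avcdict.keys()` materialises the key list on every call under Python 2 while `if (scontext, tcontext, self.tclass, access_tuple) in avcdict:` is O(1), and the `import selinux.audit2why as audit2why` plus the module-level `avcdict = {}` are introduced between two class definitions rather than with the other imports at the top of the file, which makes the dependency on libselinux's Python bindings easy to miss.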
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
|
||||
index 1a9a3e5..d56dd92 100644
|
||||
--- a/sepolgen/src/sepolgen/matching.py
|
||||
@ -99,67 +30,3 @@ index 1a9a3e5..d56dd92 100644
|
||||
|
||||
def __iter__(self):
|
||||
return iter(self.children)
|
||||
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
|
||||
index 0e6b502..4882999 100644
|
||||
--- a/sepolgen/src/sepolgen/policygen.py
|
||||
+++ b/sepolgen/src/sepolgen/policygen.py
|
||||
@@ -29,6 +29,8 @@ import objectmodel
|
||||
import access
|
||||
import interfaces
|
||||
import matching
|
||||
+import selinux.audit2why as audit2why
|
||||
+from setools import *
|
||||
|
||||
# Constants for the level of explanation from the generation
|
||||
# routines
|
||||
@@ -77,6 +79,7 @@ class PolicyGenerator:
|
||||
|
||||
self.dontaudit = False
|
||||
|
||||
+ self.domains = None
|
||||
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
||||
"""Set whether reference policy interfaces are generated.
|
||||
|
||||
@@ -151,8 +154,41 @@ class PolicyGenerator:
|
||||
rule = refpolicy.AVRule(av)
|
||||
if self.dontaudit:
|
||||
rule.rule_type = rule.DONTAUDIT
|
||||
+ rule.comment = ""
|
||||
if self.explain:
|
||||
- rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
|
||||
+ rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
|
||||
+ if av.type == audit2why.ALLOW:
|
||||
+ rule.comment += "#!!!! This avc is allowed in the current policy\n"
|
||||
+ if av.type == audit2why.DONTAUDIT:
|
||||
+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
|
||||
+
|
||||
+ if av.type == audit2why.BOOLEAN:
|
||||
+ if len(av.bools) > 1:
|
||||
+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools))
|
||||
+ else:
|
||||
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
|
||||
+
|
||||
+ if av.type == audit2why.CONSTRAINT:
|
||||
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||
+ rule.comment += "#Constraint rule: "
|
||||
+
|
||||
+ if av.type == audit2why.TERULE:
|
||||
+ if "write" in av.perms:
|
||||
+ if "dir" in av.obj_class or "open" in av.perms:
|
||||
+ if not self.domains:
|
||||
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
|
||||
+ types=[]
|
||||
+
|
||||
+ try:
|
||||
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
|
||||
+ if i not in self.domains:
|
||||
+ types.append(i)
|
||||
+ if len(types) == 1:
|
||||
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ elif len(types) >= 1:
|
||||
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ except:
|
||||
+ pass
|
||||
self.module.children.append(rule)
|
||||
|
||||
|
||||
|
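Review bot: The bare `except: pass` at the end of the new TERULE branch swallows every exception raised while walking `sesearch(...)`, including `KeyboardInterrupt` and `SystemExit` under Python 2, and silently drops the write-target explanation with no trace; narrow it to the error sesearch actually raises or at least to `except Exception:` with a comment saying the explanation is best-effort. The `seinfo(ATTRIBUTE, name="domain")[0]["types"]` lookup sits outside that `try`, so a policy without a `domain` attribute raises `IndexError` out of the generator instead of degrading like the sesearch failure does; moving the lookup inside the `try` (or guarding the empty result) keeps the two failure modes consistent. The CONSTRAINT branch appends `"#Constraint rule: "` with nothing after it and no trailing newline, which looks like an unfinished comment line — whatever is emitted next for the rule will land on the same line, so either complete it or drop the prefix until the constraint text is available. Finally, `from setools import *` pulls `ALLOW`, `SCONTEXT`, `TCONTEXT`, `CLASS` and `PERMS` into module scope by wildcard; an explicit `from setools import seinfo, sesearch, ATTRIBUTE, ALLOW, SCONTEXT, TCONTEXT, CLASS, PERMS` documents what this file depends on and avoids shadowing surprises as the module grows.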
@ -1,13 +1,13 @@
|
||||
%define libauditver 2.1.3-4
|
||||
%define libsepolver 2.1.4-4
|
||||
%define libsepolver 2.1.4-5
|
||||
%define libsemanagever 2.1.5-1
|
||||
%define libselinuxver 2.1.7-2
|
||||
%define sepolgenver 1.1.4
|
||||
%define libselinuxver 2.1.8-5
|
||||
%define sepolgenver 1.1.5
|
||||
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.1.9
|
||||
Release: 4%{?dist}
|
||||
Version: 2.1.10
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# Based on git repository with tag 20101221
|
||||
@ -355,6 +355,16 @@ fi
|
||||
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
||||
|
||||
%changelog
|
||||
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
|
||||
-Update to upstream
|
||||
- sepolgen
|
||||
* better analysis of why things broke
|
||||
- policycoreutils
|
||||
* Remove excess whitespace
|
||||
* sandbox: Add back in . functions to sandbox.init script
|
||||
* Fix Makefile to match other policycoreutils Makefiles
|
||||
* semanage: drop unused translation getopt
|
||||
|
||||
* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.9-3
|
||||
- Bump libsepol version requires rebuild
|
||||
|
||||
|
4
sources
4
sources
@ -1,3 +1,3 @@
|
||||
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
||||
c7d17d1cb82dcb6f0dc15d3ce2203f27 policycoreutils-2.1.9.tgz
|
||||
fb184a69c16fd775527e0ca3176a422d sepolgen-1.1.4.tgz
|
||||
86d10b576c95d220bd2e27cc387e67da policycoreutils-2.1.10.tgz
|
||||
34b1f6599517f80c9b7cfa2dc22826db sepolgen-1.1.5.tgz
|
||||
|