From 414b6a904d4ef6e44c1c9482bdebec37ab5c1af1 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Wed, 21 Dec 2011 18:18:01 +0000
Subject: [PATCH] Update to upstream sepolgen * better analysis of why things broke policycoreutils * Remove excess whitespace * sandbox: Add back in . functions to sandbox.init script * Fix Makefile to match other policycoreutils Makefiles * semanage: drop unused translation getopt
---
policycoreutils-rhat.patch | 172 +--------------------------------
policycoreutils-sepolgen.patch | 133 -------------------------
policycoreutils.spec | 20 +++-
sources | 4 +-
4 files changed, 22 insertions(+), 307 deletions(-)
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 73e48c2..a544da3 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -84,40 +84,6 @@ index 9db766c..068e24c 100644 return 0; } /* main() */ -diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile -index 7789d23..b817364 100644 ---- a/policycoreutils/sandbox/Makefile -+++ b/policycoreutils/sandbox/Makefile -@@ -8,13 +8,13 @@ SBINDIR ?= $(PREFIX)/sbin - MANDIR ?= $(PREFIX)/share/man - LOCALEDIR ?= /usr/share/locale - SHAREDIR ?= $(PREFIX)/share/sandbox --override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra --LDLIBS += -lcgroup -lselinux -lcap-ng -+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W -+LDLIBS += -lcgroup -lselinux -lcap-ng -L$(LIBDIR) -+SEUNSHARE_OBJS = seunshare.o - - all: sandbox seunshare sandboxX.sh start - --seunshare: seunshare.o $(EXTRA_OBJS) -- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) -L$(LIBDIR) -+seunshare: $(SEUNSHARE_OBJS) - - install: all - -mkdir -p $(BINDIR) -diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init -index 8aed876..b3979bf 100644 ---- a/policycoreutils/sandbox/sandbox.init -+++ b/policycoreutils/sandbox/sandbox.init -@@ -19,6 +19,7 @@ - # - - # Source function library. -+. /etc/init.d/functions - - LOCKFILE=/var/lock/subsys/sandbox - diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon index ab696a7..58b19cd 100644 --- a/policycoreutils/scripts/genhomedircon @@ -271,7 +237,7 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index 48d7baa..2c0cfdd 100644 +index 0c7c186..aaba8b1 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -20,6 +20,7 @@ 
@@ -291,96 +257,8 @@ index 48d7baa..2c0cfdd 100644 codeset = 'utf-8') except IOError: import __builtin__ -@@ -283,11 +284,14 @@ Object-specific Options (see above): - equal = a - - if o == "--enable": -- set_action(o) -+ if disable: -+ raise ValueError(_("You can't disable and enable at the same time")) -+ - enable = True - - if o == "--disable": -- set_action(o) -+ if enable: -+ raise ValueError(_("You can't disable and enable at the same time")) - disable = True - - if o == "-F" or o == "--file": -@@ -504,31 +508,36 @@ Object-specific Options (see above): - if len(sys.argv) < 3: - usage(_("Requires 2 or more arguments")) - -- gopts, cmds = getopt.getopt(sys.argv[1:], -- '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', -- ['add', -- 'delete', -- 'deleteall', -- 'ftype=', -- 'file', -- 'help', -- 'input=', -- 'list', -- 'modify', -- 'noheading', -- 'localist', -- 'off', -- 'on', -- 'output=', -- 'proto=', -- 'seuser=', -- 'store=', -- 'range=', -- 'level=', -- 'roles=', -- 'type=', -- 'prefix=' -- ]) -+ try: -+ gopts, cmds = getopt.getopt(sys.argv[1:], -+ '01adf:i:lhmno:p:s:FCDR:L:r:t:T:P:S:', -+ ['add', -+ 'delete', -+ 'deleteall', -+ 'ftype=', -+ 'file', -+ 'help', -+ 'input=', -+ 'list', -+ 'modify', -+ 'noheading', -+ 'localist', -+ 'off', -+ 'on', -+ 'output=', -+ 'proto=', -+ 'seuser=', -+ 'store=', -+ 'range=', -+ 'level=', -+ 'roles=', -+ 'type=', -+ 'trans=', -+ 'prefix=' -+ ]) -+ except getopt.error, error: -+ usage(_("Options Error %s ") % error.msg) -+ - for o, a in gopts: - if o == "-S" or o == '--store': - store = a -@@ -558,8 +567,6 @@ Object-specific Options (see above): - else: - process_args(sys.argv[1:]) - -- except getopt.error, error: -- usage(_("Options Error %s ") % error.msg) - except ValueError, error: - errorExit(error.args[0]) - except KeyError, error: diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index 2628645..e5b6303 100644 +index 17afe23..e5b6303 100644 --- a/policycoreutils/semanage/seobject.py 
+++ b/policycoreutils/semanage/seobject.py @@ -30,11 +30,10 @@ from IPy import IP @@ -420,15 +298,7 @@ index 2628645..e5b6303 100644 (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -1136,7 +1138,6 @@ class nodeRecords(semanageRecords): - return newaddr, newmask, newprotocol - - def __add(self, addr, mask, proto, serange, ctype): -- - addr, mask, proto = self.validate(addr, mask, proto) - - if is_mls_enabled == 1: -@@ -1156,7 +1157,8 @@ class nodeRecords(semanageRecords): +@@ -1155,7 +1157,8 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -438,31 +308,7 @@ index 2628645..e5b6303 100644 (rc, node) = semanage_node_create(self.sh) if rc < 0: -@@ -1172,7 +1174,6 @@ class nodeRecords(semanageRecords): - if rc < 0: - raise ValueError(_("Could not set mask for %s") % addr) - -- - rc = semanage_context_set_user(self.sh, con, "system_u") - if rc < 0: - raise ValueError(_("Could not set user in addr context for %s") % addr) -@@ -1208,7 +1209,6 @@ class nodeRecords(semanageRecords): - self.commit() - - def __modify(self, addr, mask, proto, serange, setype): -- - addr, mask, proto = self.validate(addr, mask, proto) - - if serange == "" and setype == "": -@@ -1229,7 +1229,6 @@ class nodeRecords(semanageRecords): - raise ValueError(_("Could not query addr %s") % addr) - - con = semanage_node_get_con(node) -- - if serange != "": - semanage_context_set_mls(self.sh, con, untranslate(serange)) - if setype != "": -@@ -1357,7 +1356,8 @@ class interfaceRecords(semanageRecords): +@@ -1353,7 +1356,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: 
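Review bot: The semanage `--enable`/`--disable` mutual-exclusion check (`raise ValueError(_("You can't disable and enable at the same time"))`) and the `except getopt.error` handler moved next to the `getopt.getopt` call are removed from policycoreutils-rhat.patch here, but nothing on the new side — only the rebased `index 0c7c186..aaba8b1` and `index 17afe23..e5b6303` headers — or in the commit message shows that upstream 2.1.10 now carries them. The message only says upstream dropped the unused `'trans='` option, which is part of the same removed hunk, so it is unclear whether the argument-validation and error-path changes were merged or simply lost. If they are upstream, a changelog line such as `* semanage: enable/disable conflict check and getopt error handling now upstream` would document it; if not, the check should stay in the patch. The same question applies to the seobject.py whitespace hunks dropped in the following hunks of this file, though those are cosmetic.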
@@ -472,7 +318,7 @@ index 2628645..e5b6303 100644 (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1640,7 +1640,8 @@ class fcontextRecords(semanageRecords): +@@ -1636,7 +1640,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: @@ -482,14 +328,6 @@ index 2628645..e5b6303 100644 (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1734,7 +1735,6 @@ class fcontextRecords(semanageRecords): - self.begin() - self.__modify(target, setype, ftype, serange, seuser) - self.commit() -- - - def deleteall(self): - (rc, flist) = semanage_fcontext_list_local(self.sh) diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c index 9a7d315..e57d34f 100644 --- a/policycoreutils/setfiles/restore.c diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index d71fa33..5c7af1d 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch 
@@ -1,72 +1,3 @@ -diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py -index 898fbc3..9fdfafa 100644 ---- a/sepolgen/src/sepolgen/audit.py -+++ b/sepolgen/src/sepolgen/audit.py -@@ -127,6 +127,9 @@ class PathMessage(AuditMessage): - if fields[0] == "path": - self.path = fields[1][1:-1] - return -+import selinux.audit2why as audit2why -+ -+avcdict = {} - - class AVCMessage(AuditMessage): - """AVC message representing an access denial or granted message. -@@ -168,6 +171,8 @@ class AVCMessage(AuditMessage): - self.name = "" - self.accesses = [] - self.denial = True -+ self.type = audit2why.TERULE -+ self.bools = [] - - def __parse_access(self, recs, start): - # This is kind of sucky - the access that is in a space separated -@@ -229,7 +234,31 @@ class AVCMessage(AuditMessage): - - if not found_src or not found_tgt or not found_class or not found_access: - raise ValueError("AVC message in invalid format [%s]\n" % self.message) -- -+ self.analyze() -+ -+ def analyze(self): -+ tcontext = self.tcontext.to_string() -+ scontext = self.scontext.to_string() -+ access_tuple = tuple( self.accesses) -+ if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys(): -+ self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)] -+ else: -+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); -+ if self.type == audit2why.NOPOLICY: -+ self.type = audit2why.TERULE -+ if self.type == audit2why.BADTCON: -+ raise ValueError("Invalid Target Context %s\n" % tcontext) -+ if self.type == audit2why.BADSCON: -+ raise ValueError("Invalid Source Context %s\n" % scontext) -+ if self.type == audit2why.BADSCON: -+ raise ValueError("Invalid Type Class %s\n" % self.tclass) -+ if self.type == audit2why.BADPERM: -+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses)) -+ if self.type == audit2why.BADCOMPUTE: -+ raise ValueError("Error during access vector computation") -+ -+ avcdict[(scontext, 
tcontext, self.tclass, access_tuple)] = (self.type, self.bools) -+ - class PolicyLoadMessage(AuditMessage): - """Audit message indicating that the policy was reloaded.""" - def __init__(self, message): -@@ -472,10 +501,10 @@ class AuditParser: - if avc_filter: - if avc_filter.filter(avc): - av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, -- avc.accesses, avc) -+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools) - else: - av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, -- avc.accesses, avc) -+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools) - return av_set - - class AVCTypeFilter: diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py index 1a9a3e5..d56dd92 100644 --- a/sepolgen/src/sepolgen/matching.py 
@@ -99,67 +30,3 @@ index 1a9a3e5..d56dd92 100644 def __iter__(self): return iter(self.children) -diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py -index 0e6b502..4882999 100644 ---- a/sepolgen/src/sepolgen/policygen.py -+++ b/sepolgen/src/sepolgen/policygen.py -@@ -29,6 +29,8 @@ import objectmodel - import access - import interfaces - import matching -+import selinux.audit2why as audit2why -+from setools import * - - # Constants for the level of explanation from the generation - # routines -@@ -77,6 +79,7 @@ class PolicyGenerator: - - self.dontaudit = False - -+ self.domains = None - def set_gen_refpol(self, if_set=None, perm_maps=None): - """Set whether reference policy interfaces are generated. - -@@ -151,8 +154,41 @@ class PolicyGenerator: - rule = refpolicy.AVRule(av) - if self.dontaudit: - rule.rule_type = rule.DONTAUDIT -+ rule.comment = "" - if self.explain: -- rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) -+ rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain))) -+ if av.type == audit2why.ALLOW: -+ rule.comment += "#!!!! This avc is allowed in the current policy\n" -+ if av.type == audit2why.DONTAUDIT: -+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" -+ -+ if av.type == audit2why.BOOLEAN: -+ if len(av.bools) > 1: -+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools)) -+ else: -+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0] -+ -+ if av.type == audit2why.CONSTRAINT: -+ rule.comment += "#!!!! This avc is a constraint violation. 
You will need to add an attribute to either the source or target type to make it work.\n" -+ rule.comment += "#Constraint rule: " -+ -+ if av.type == audit2why.TERULE: -+ if "write" in av.perms: -+ if "dir" in av.obj_class or "open" in av.perms: -+ if not self.domains: -+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"] -+ types=[] -+ -+ try: -+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})): -+ if i not in self.domains: -+ types.append(i) -+ if len(types) == 1: -+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) -+ elif len(types) >= 1: -+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types)) -+ except: -+ pass - self.module.children.append(rule) - - diff --git a/policycoreutils.spec b/policycoreutils.spec index a2a1254..85ba308 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,13 +1,13 @@ %define libauditver 2.1.3-4 -%define libsepolver 2.1.4-4 +%define libsepolver 2.1.4-5 %define libsemanagever 2.1.5-1 -%define libselinuxver 2.1.7-2 -%define sepolgenver 1.1.4 +%define libselinuxver 2.1.8-5 +%define sepolgenver 1.1.5 Summary: SELinux policy core utilities Name: policycoreutils -Version: 2.1.9 -Release: 4%{?dist} +Version: 2.1.10 +Release: 1%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
@@ -355,6 +355,16 @@ fi /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Wed Dec 21 2011 Dan Walsh - 2.1.10-1 +-Update to upstream +- sepolgen + * better analysis of why things broke +- policycoreutils + * Remove excess whitespace + * sandbox: Add back in . functions to sandbox.init script + * Fix Makefile to match other policycoreutils Makefiles + * semanage: drop unused translation getopt + * Thu Dec 15 2011 Dan Walsh - 2.1.9-3 - Bump libsepol version requires rebuild diff --git a/sources b/sources index 91b04fe..902efac 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 -c7d17d1cb82dcb6f0dc15d3ce2203f27 policycoreutils-2.1.9.tgz -fb184a69c16fd775527e0ca3176a422d sepolgen-1.1.4.tgz +86d10b576c95d220bd2e27cc387e67da policycoreutils-2.1.10.tgz +34b1f6599517f80c9b7cfa2dc22826db sepolgen-1.1.5.tgz