Make fcdict return a dictionary of dictionaries
- Fix for sepolicy manpage
parent
4f89c533b5
commit
544468684c
@ -250464,14 +250464,14 @@ index 4c5243a..036c418 100644
|
|||||||
|
|
||||||
diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8
|
diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..08e3bad
|
index 0000000..2a3315b
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/policycoreutils/semodule/genhomedircon.8
|
+++ b/policycoreutils/semodule/genhomedircon.8
|
||||||
@@ -0,0 +1,24 @@
|
@@ -0,0 +1,24 @@
|
||||||
+.TH GENHOMEDIRCON "8" "Sep 2011" "Security Enhanced Linux" "SELinux"
|
+.TH GENHOMEDIRCON "8" "Sep 2011" "Security Enhanced Linux" "SELinux"
|
||||||
+.SH NAME
|
+.SH NAME
|
||||||
+genhomedircon \- generate SELinux file context configuration entries for user home directories
|
+genhomedircon \- generate SELinux file context configuration entries for user home directories
|
||||||
+.SH SYNOPSIS
|
+.SH DESCRIPTION
|
||||||
+.B genhomedircon
|
+.B genhomedircon
|
||||||
+is a script that executes
|
+is a script that executes
|
||||||
+.B semodule
|
+.B semodule
|
||||||
@ -251020,7 +251020,7 @@ index b6abdf5..c05c943 100644
|
|||||||
Generate an additional HTML man pages for the specified domain(s).
|
Generate an additional HTML man pages for the specified domain(s).
|
||||||
|
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
|
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
|
||||||
index b25d3b2..9b29b39 100755
|
index b25d3b2..43a8101 100755
|
||||||
--- a/policycoreutils/sepolicy/sepolicy.py
|
--- a/policycoreutils/sepolicy/sepolicy.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy.py
|
+++ b/policycoreutils/sepolicy/sepolicy.py
|
||||||
@@ -22,6 +22,8 @@
|
@@ -22,6 +22,8 @@
|
||||||
@ -251037,7 +251037,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
__builtin__.__dict__['_'] = unicode
|
__builtin__.__dict__['_'] = unicode
|
||||||
|
|
||||||
+usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
|
+usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
|
||||||
+usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
|
+usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('[-r ROLE ]',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
|
||||||
+
|
+
|
||||||
class CheckPath(argparse.Action):
|
class CheckPath(argparse.Action):
|
||||||
def __call__(self, parser, namespace, values, option_string=None):
|
def __call__(self, parser, namespace, values, option_string=None):
|
||||||
@ -251100,7 +251100,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
newval = getattr(namespace, self.dest)
|
newval = getattr(namespace, self.dest)
|
||||||
if not newval:
|
if not newval:
|
||||||
newval = []
|
newval = []
|
||||||
@@ -140,27 +165,65 @@ class CheckPolicyType(argparse.Action):
|
@@ -140,27 +165,76 @@ class CheckPolicyType(argparse.Action):
|
||||||
|
|
||||||
class CheckUser(argparse.Action):
|
class CheckUser(argparse.Action):
|
||||||
def __call__(self, parser, namespace, value, option_string=None):
|
def __call__(self, parser, namespace, value, option_string=None):
|
||||||
@ -251115,6 +251115,17 @@ index b25d3b2..9b29b39 100755
|
|||||||
newval.append(value)
|
newval.append(value)
|
||||||
setattr(namespace, self.dest, newval)
|
setattr(namespace, self.dest, newval)
|
||||||
|
|
||||||
|
+class CheckRole(argparse.Action):
|
||||||
|
+ def __call__(self, parser, namespace, value, option_string=None):
|
||||||
|
+ newval = getattr(namespace, self.dest)
|
||||||
|
+ if not newval:
|
||||||
|
+ newval = []
|
||||||
|
+ roles = sepolicy.get_all_roles()
|
||||||
|
+ if value not in roles:
|
||||||
|
+ raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (value, ", ".join(roles)))
|
||||||
|
+ newval.append(value[:-2])
|
||||||
|
+ setattr(namespace, self.dest, newval)
|
||||||
|
+
|
||||||
+class InterfaceInfo(argparse.Action):
|
+class InterfaceInfo(argparse.Action):
|
||||||
+ def __call__(self, parser, namespace, values, option_string=None):
|
+ def __call__(self, parser, namespace, values, option_string=None):
|
||||||
+ from sepolicy.interface import get_interface_dict
|
+ from sepolicy.interface import get_interface_dict
|
||||||
@ -251173,7 +251184,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
if args.list_ports:
|
if args.list_ports:
|
||||||
all_ports = []
|
all_ports = []
|
||||||
for i in portrecs:
|
for i in portrecs:
|
||||||
@@ -201,41 +264,41 @@ def manpage(args):
|
@@ -201,41 +275,41 @@ def manpage(args):
|
||||||
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
|
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
|
||||||
|
|
||||||
path = args.path
|
path = args.path
|
||||||
@ -251238,7 +251249,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
|
|
||||||
def gen_network_args(parser):
|
def gen_network_args(parser):
|
||||||
net = parser.add_parser("network",
|
net = parser.add_parser("network",
|
||||||
@@ -283,7 +346,6 @@ def gen_communicate_args(parser):
|
@@ -283,7 +357,6 @@ def gen_communicate_args(parser):
|
||||||
comm.set_defaults(func=communicate)
|
comm.set_defaults(func=communicate)
|
||||||
|
|
||||||
def booleans(args):
|
def booleans(args):
|
||||||
@ -251246,7 +251257,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
from sepolicy import boolean_desc
|
from sepolicy import boolean_desc
|
||||||
if args.all:
|
if args.all:
|
||||||
rc, args.booleans = selinux.security_get_boolean_names()
|
rc, args.booleans = selinux.security_get_boolean_names()
|
||||||
@@ -300,6 +362,7 @@ def gen_booleans_args(parser):
|
@@ -300,6 +373,7 @@ def gen_booleans_args(parser):
|
||||||
action="store_true",
|
action="store_true",
|
||||||
help=_("get all booleans descriptions"))
|
help=_("get all booleans descriptions"))
|
||||||
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
|
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
|
||||||
@ -251254,7 +251265,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
help=_("boolean to get description"))
|
help=_("boolean to get description"))
|
||||||
bools.set_defaults(func=booleans)
|
bools.set_defaults(func=booleans)
|
||||||
|
|
||||||
@@ -319,22 +382,49 @@ def gen_transition_args(parser):
|
@@ -319,22 +393,49 @@ def gen_transition_args(parser):
|
||||||
help=_("target process domain"))
|
help=_("target process domain"))
|
||||||
trans.set_defaults(func=transition)
|
trans.set_defaults(func=transition)
|
||||||
|
|
||||||
@ -251313,7 +251324,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
if not args.command:
|
if not args.command:
|
||||||
raise ValueError(_("Command required for this type of policy"))
|
raise ValueError(_("Command required for this type of policy"))
|
||||||
cmd = os.path.realpath(args.command)
|
cmd = os.path.realpath(args.command)
|
||||||
@@ -346,8 +436,18 @@ def generate(args):
|
@@ -346,8 +447,18 @@ def generate(args):
|
||||||
mypolicy.set_program(cmd)
|
mypolicy.set_program(cmd)
|
||||||
|
|
||||||
if args.types:
|
if args.types:
|
||||||
@ -251332,7 +251343,15 @@ index b25d3b2..9b29b39 100755
|
|||||||
for p in args.writepaths:
|
for p in args.writepaths:
|
||||||
if os.path.isdir(p):
|
if os.path.isdir(p):
|
||||||
mypolicy.add_dir(p)
|
mypolicy.add_dir(p)
|
||||||
@@ -366,20 +466,34 @@ def generate(args):
|
@@ -355,6 +466,7 @@ def generate(args):
|
||||||
|
mypolicy.add_file(p)
|
||||||
|
|
||||||
|
mypolicy.set_transition_users(args.user)
|
||||||
|
+ mypolicy.set_admin_roles(args.role)
|
||||||
|
mypolicy.set_admin_domains(args.admin_domain)
|
||||||
|
mypolicy.set_existing_domains(args.domain)
|
||||||
|
|
||||||
|
@@ -366,20 +478,34 @@ def generate(args):
|
||||||
def gen_interface_args(parser):
|
def gen_interface_args(parser):
|
||||||
itf = parser.add_parser("interface",
|
itf = parser.add_parser("interface",
|
||||||
help=_('List SELinux Policy interfaces'))
|
help=_('List SELinux Policy interfaces'))
|
||||||
@ -251370,7 +251389,17 @@ index b25d3b2..9b29b39 100755
|
|||||||
help=_('Generate SELinux Policy module template'))
|
help=_('Generate SELinux Policy module template'))
|
||||||
pol.add_argument("-d", "--domain", dest="domain", default=[],
|
pol.add_argument("-d", "--domain", dest="domain", default=[],
|
||||||
action=CheckDomain, nargs="*",
|
action=CheckDomain, nargs="*",
|
||||||
@@ -397,53 +511,57 @@ def gen_generate_args(parser):
|
@@ -387,6 +513,9 @@ def gen_generate_args(parser):
|
||||||
|
pol.add_argument("-u", "--user", dest="user", default=[],
|
||||||
|
action=CheckUser,
|
||||||
|
help=_("Enter SELinux user(s) which will transition to this domain"))
|
||||||
|
+ pol.add_argument("-r", "--role", dest="role", default=[],
|
||||||
|
+ action=CheckRole,
|
||||||
|
+ help=_("Enter SELinux role(s) to which this domain will transition"))
|
||||||
|
pol.add_argument("-a", "--admin", dest="admin_domain",default=[],
|
||||||
|
action=CheckAdmin,
|
||||||
|
help=_("Enter domain(s) that this confined admin will administrate"))
|
||||||
|
@@ -397,53 +526,57 @@ def gen_generate_args(parser):
|
||||||
help=argparse.SUPPRESS)
|
help=argparse.SUPPRESS)
|
||||||
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
|
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
|
||||||
action=CheckType,
|
action=CheckType,
|
||||||
@ -251454,7 +251483,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
pol.set_defaults(func=generate)
|
pol.set_defaults(func=generate)
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
@@ -461,11 +579,17 @@ if __name__ == '__main__':
|
@@ -461,11 +594,17 @@ if __name__ == '__main__':
|
||||||
gen_transition_args(subparsers)
|
gen_transition_args(subparsers)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
@ -251474,7 +251503,7 @@ index b25d3b2..9b29b39 100755
|
|||||||
except KeyboardInterrupt:
|
except KeyboardInterrupt:
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
index 5e7415c..b367e9c 100644
|
index 5e7415c..8862ebb 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
|
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
|
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
@@ -7,6 +7,9 @@ import _policy
|
@@ -7,6 +7,9 @@ import _policy
|
||||||
@ -251487,7 +251516,7 @@ index 5e7415c..b367e9c 100644
|
|||||||
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
||||||
gettext.textdomain(PROGNAME)
|
gettext.textdomain(PROGNAME)
|
||||||
try:
|
try:
|
||||||
@@ -37,9 +40,119 @@ CLASS = 'class'
|
@@ -37,9 +40,134 @@ CLASS = 'class'
|
||||||
TRANSITION = 'transition'
|
TRANSITION = 'transition'
|
||||||
ROLE_ALLOW = 'role_allow'
|
ROLE_ALLOW = 'role_allow'
|
||||||
|
|
||||||
@ -251541,11 +251570,20 @@ index 5e7415c..b367e9c 100644
|
|||||||
+
|
+
|
||||||
+ for f in all_writes:
|
+ for f in all_writes:
|
||||||
+ try:
|
+ try:
|
||||||
+ mpaths[f] = fcdict[f]
|
+ mpaths[f] = fcdict[f]["regex"]
|
||||||
+ except KeyError:
|
+ except KeyError:
|
||||||
+ mpaths[f] = []
|
+ mpaths[f] = []
|
||||||
+ return mpaths
|
+ return mpaths
|
||||||
+
|
+
|
||||||
|
+import os, pprint, re, sys
|
||||||
|
+def find_file(reg, path):
|
||||||
|
+ try:
|
||||||
|
+ pat = re.compile(r"%s$" % reg)
|
||||||
|
+ return filter(pat.match, map(lambda x: path + "/" + x, os.listdir(path)))
|
||||||
|
+ except:
|
||||||
|
+ return []
|
||||||
|
+
|
||||||
|
+import os
|
||||||
+fcdict=None
|
+fcdict=None
|
||||||
+def get_fcdict(fc_path = selinux.selinux_file_context_path()):
|
+def get_fcdict(fc_path = selinux.selinux_file_context_path()):
|
||||||
+ global fcdict
|
+ global fcdict
|
||||||
@ -251561,22 +251599,28 @@ index 5e7415c..b367e9c 100644
|
|||||||
+ for i in fc:
|
+ for i in fc:
|
||||||
+ rec = i.split()
|
+ rec = i.split()
|
||||||
+ try:
|
+ try:
|
||||||
|
+ if len(rec) > 2:
|
||||||
|
+ ftype = rec[1]
|
||||||
|
+ else:
|
||||||
|
+ ftype = ""
|
||||||
|
+
|
||||||
+ t = rec[-1].split(":")[2]
|
+ t = rec[-1].split(":")[2]
|
||||||
+ if t in fcdict:
|
+ if t in fcdict:
|
||||||
+ fcdict[t].append(rec[0])
|
+ fcdict[t]["regex"].append(rec[0])
|
||||||
|
+ fcdict[t]["paths"].append(find_file(rec[0], os.path.dirname(rec[0])))
|
||||||
+ else:
|
+ else:
|
||||||
+ fcdict[t] = [ rec[0] ]
|
+ fcdict[t] = { "regex": [ rec[0] ], "paths" : find_file(rec[0], os.path.dirname(rec[0])), "ftype": ftype}
|
||||||
+ except:
|
+ except:
|
||||||
+ pass
|
+ pass
|
||||||
+ fcdict["logfile"] = [ "all log files" ]
|
+ fcdict["logfile"] = { "regex" : [ "all log files" ]}
|
||||||
+ fcdict["user_tmp_type"] = [ "all user tmp files" ]
|
+ fcdict["user_tmp_type"] = { "regex" : [ "all user tmp files" ]}
|
||||||
+ fcdict["user_home_type"] = [ "all user home files" ]
|
+ fcdict["user_home_type"] = { "regex" : [ "all user home files" ]}
|
||||||
+ fcdict["virt_image_type"] = [ "all virtual image files" ]
|
+ fcdict["virt_image_type"] = { "regex" : [ "all virtual image files" ]}
|
||||||
+ fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ]
|
+ fcdict["noxattrfs"] = { "regex" : [ "all files on file systems which do not support extended attributes" ]}
|
||||||
+ fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ]
|
+ fcdict["sandbox_tmpfs_type"] = { "regex" : [ "all sandbox content in tmpfs file systems" ]}
|
||||||
+ fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ]
|
+ fcdict["user_tmpfs_type"] = { "regex" : [ "all user content in tmpfs file systems" ]}
|
||||||
+ fcdict["file_type"] = [ "all files on the system" ]
|
+ fcdict["file_type"] = { "regex" : [ "all files on the system" ] }
|
||||||
+ fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
|
+ fcdict["samba_share_t"] = { "regex" : [ "use this label for random content that will be shared using samba" ] }
|
||||||
+ return fcdict
|
+ return fcdict
|
||||||
+
|
+
|
||||||
+def get_entrypoint_types(setype):
|
+def get_entrypoint_types(setype):
|
||||||
@ -251585,7 +251629,8 @@ index 5e7415c..b367e9c 100644
|
|||||||
+ return entrypoints
|
+ return entrypoints
|
||||||
+
|
+
|
||||||
+def get_init_entrypoint_target(entrypoint):
|
+def get_init_entrypoint_target(entrypoint):
|
||||||
+ try:
|
try:
|
||||||
|
- path = selinux.selinux_binary_policy_path()
|
||||||
+ entrypoints = map(lambda x: x['transtype'], search([TRANSITION],{'source':"init_t", 'target':entrypoint, 'class':'process'}))
|
+ entrypoints = map(lambda x: x['transtype'], search([TRANSITION],{'source':"init_t", 'target':entrypoint, 'class':'process'}))
|
||||||
+ return entrypoints[0]
|
+ return entrypoints[0]
|
||||||
+ except TypeError:
|
+ except TypeError:
|
||||||
@ -251597,19 +251642,18 @@ index 5e7415c..b367e9c 100644
|
|||||||
+ mpaths = {}
|
+ mpaths = {}
|
||||||
+ for f in get_entrypoint_types(setype):
|
+ for f in get_entrypoint_types(setype):
|
||||||
+ try:
|
+ try:
|
||||||
+ mpaths[f] = fcdict[f]
|
+ mpaths[f] = fcdict[f]["regex"]
|
||||||
+ except:
|
+ except:
|
||||||
+ mpaths[f] = []
|
+ mpaths[f] = []
|
||||||
+ return mpaths
|
+ return mpaths
|
||||||
+
|
+
|
||||||
+def get_installed_policy(root = "/"):
|
+def get_installed_policy(root = "/"):
|
||||||
try:
|
+ try:
|
||||||
- path = selinux.selinux_binary_policy_path()
|
|
||||||
+ path = root + selinux.selinux_binary_policy_path()
|
+ path = root + selinux.selinux_binary_policy_path()
|
||||||
policies = glob.glob ("%s.*" % path )
|
policies = glob.glob ("%s.*" % path )
|
||||||
policies.sort()
|
policies.sort()
|
||||||
return policies[-1]
|
return policies[-1]
|
||||||
@@ -47,6 +160,27 @@ def __get_installed_policy():
|
@@ -47,6 +175,27 @@ def __get_installed_policy():
|
||||||
pass
|
pass
|
||||||
raise ValueError(_("No SELinux Policy installed"))
|
raise ValueError(_("No SELinux Policy installed"))
|
||||||
|
|
||||||
@ -251637,7 +251681,7 @@ index 5e7415c..b367e9c 100644
|
|||||||
all_types = None
|
all_types = None
|
||||||
def get_all_types():
|
def get_all_types():
|
||||||
global all_types
|
global all_types
|
||||||
@@ -54,6 +188,13 @@ def get_all_types():
|
@@ -54,6 +203,13 @@ def get_all_types():
|
||||||
all_types = map(lambda x: x['name'], info(TYPE))
|
all_types = map(lambda x: x['name'], info(TYPE))
|
||||||
return all_types
|
return all_types
|
||||||
|
|
||||||
@ -251651,7 +251695,7 @@ index 5e7415c..b367e9c 100644
|
|||||||
role_allows = None
|
role_allows = None
|
||||||
def get_all_role_allows():
|
def get_all_role_allows():
|
||||||
global role_allows
|
global role_allows
|
||||||
@@ -71,6 +212,7 @@ def get_all_role_allows():
|
@@ -71,6 +227,7 @@ def get_all_role_allows():
|
||||||
return role_allows
|
return role_allows
|
||||||
|
|
||||||
def get_all_entrypoint_domains():
|
def get_all_entrypoint_domains():
|
||||||
@ -251659,7 +251703,7 @@ index 5e7415c..b367e9c 100644
|
|||||||
all_domains = []
|
all_domains = []
|
||||||
types=get_all_types()
|
types=get_all_types()
|
||||||
types.sort()
|
types.sort()
|
||||||
@@ -81,11 +223,54 @@ def get_all_entrypoint_domains():
|
@@ -81,11 +238,54 @@ def get_all_entrypoint_domains():
|
||||||
all_domains.append(m[0])
|
all_domains.append(m[0])
|
||||||
return all_domains
|
return all_domains
|
||||||
|
|
||||||
@ -251715,7 +251759,7 @@ index 5e7415c..b367e9c 100644
|
|||||||
return all_domains
|
return all_domains
|
||||||
|
|
||||||
roles = None
|
roles = None
|
||||||
@@ -139,50 +324,92 @@ def get_all_attributes():
|
@@ -139,50 +339,92 @@ def get_all_attributes():
|
||||||
return all_attributes
|
return all_attributes
|
||||||
|
|
||||||
def policy(policy_file):
|
def policy(policy_file):
|
||||||
@ -251833,7 +251877,7 @@ index 5e7415c..b367e9c 100644
|
|||||||
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||||
global booleans_dict
|
global booleans_dict
|
||||||
if booleans_dict:
|
if booleans_dict:
|
||||||
@@ -191,7 +418,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
@@ -191,7 +433,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||||
import re
|
import re
|
||||||
booleans_dict = {}
|
booleans_dict = {}
|
||||||
try:
|
try:
|
||||||
@ -251856,7 +251900,7 @@ index a179d95..9b9a09a 100755
|
|||||||
tlist = []
|
tlist = []
|
||||||
for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
|
for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
index 26f8390..ce328e6 100644
|
index 26f8390..a5e4b9b 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/generate.py
|
--- a/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
|
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
@@ -63,20 +63,6 @@ except IOError:
|
@@ -63,20 +63,6 @@ except IOError:
|
||||||
@ -251898,15 +251942,6 @@ index 26f8390..ce328e6 100644
|
|||||||
line = "%s(%s_t)\n" % (method, self.name)
|
line = "%s(%s_t)\n" % (method, self.name)
|
||||||
else:
|
else:
|
||||||
line = """
|
line = """
|
||||||
@@ -765,7 +751,7 @@ allow %s_t %s_t:%s_socket name_%s;
|
|
||||||
|
|
||||||
return newte
|
|
||||||
|
|
||||||
- if self.type == RUSER:
|
|
||||||
+ if self.type == RUSER or self.type == AUSER:
|
|
||||||
newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
|
|
||||||
|
|
||||||
for app in self.admin_domains:
|
|
||||||
@@ -875,6 +861,13 @@ allow %s_t %s_t:%s_socket name_%s;
|
@@ -875,6 +861,13 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||||
if t.endswith(i):
|
if t.endswith(i):
|
||||||
newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
|
newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
|
||||||
@ -252266,7 +252301,7 @@ index 8b063ca..c7dac62 100644
|
|||||||
+ else:
|
+ else:
|
||||||
+ sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface))
|
+ sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface))
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
|
||||||
index 25062da..086f2a7 100755
|
index 25062da..c4d8161 100755
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
|
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
|
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
|
||||||
@@ -28,12 +28,12 @@ import string
|
@@ -28,12 +28,12 @@ import string
|
||||||
@ -252304,7 +252339,47 @@ index 25062da..086f2a7 100755
|
|||||||
if domain in domains:
|
if domain in domains:
|
||||||
continue
|
continue
|
||||||
domains.append(domain)
|
domains.append(domain)
|
||||||
@@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list):
|
@@ -114,39 +114,6 @@ def gen_domains():
|
||||||
|
domains.sort()
|
||||||
|
return domains
|
||||||
|
|
||||||
|
-fcdict=None
|
||||||
|
-def _gen_fcdict(fc_path = selinux.selinux_file_context_path()):
|
||||||
|
- global fcdict
|
||||||
|
- if fcdict:
|
||||||
|
- return fcdict
|
||||||
|
- fd = open(fc_path, "r")
|
||||||
|
- fc = fd.readlines()
|
||||||
|
- fd.close()
|
||||||
|
- fd = open(fc_path+".homedirs", "r")
|
||||||
|
- fc += fd.readlines()
|
||||||
|
- fd.close()
|
||||||
|
- fcdict = {}
|
||||||
|
- for i in fc:
|
||||||
|
- rec = i.split()
|
||||||
|
- try:
|
||||||
|
- t = rec[-1].split(":")[2]
|
||||||
|
- if t in fcdict:
|
||||||
|
- fcdict[t].append(rec[0])
|
||||||
|
- else:
|
||||||
|
- fcdict[t] = [ rec[0] ]
|
||||||
|
- except:
|
||||||
|
- pass
|
||||||
|
- fcdict["logfile"] = [ "all log files" ]
|
||||||
|
- fcdict["user_tmp_type"] = [ "all user tmp files" ]
|
||||||
|
- fcdict["user_home_type"] = [ "all user home files" ]
|
||||||
|
- fcdict["virt_image_type"] = [ "all virtual image files" ]
|
||||||
|
- fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ]
|
||||||
|
- fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ]
|
||||||
|
- fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ]
|
||||||
|
- fcdict["file_type"] = [ "all files on the system" ]
|
||||||
|
- fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
|
||||||
|
- return fcdict
|
||||||
|
-
|
||||||
|
types = None
|
||||||
|
def _gen_types():
|
||||||
|
global types
|
||||||
|
@@ -184,14 +151,12 @@ def get_alphabet_manpages(manpage_list):
|
||||||
return alphabet_manpages
|
return alphabet_manpages
|
||||||
|
|
||||||
def convert_manpage_to_html(html_manpage,manpage):
|
def convert_manpage_to_html(html_manpage,manpage):
|
||||||
@ -252323,7 +252398,7 @@ index 25062da..086f2a7 100755
|
|||||||
|
|
||||||
class HTMLManPages:
|
class HTMLManPages:
|
||||||
"""
|
"""
|
||||||
@@ -416,56 +414,42 @@ class ManPage:
|
@@ -416,56 +381,42 @@ class ManPage:
|
||||||
"""
|
"""
|
||||||
Generate a Manpage on an SELinux domain in the specified path
|
Generate a Manpage on an SELinux domain in the specified path
|
||||||
"""
|
"""
|
||||||
@ -252351,6 +252426,7 @@ index 25062da..086f2a7 100755
|
|||||||
- self.fcpath = fcpath
|
- self.fcpath = fcpath
|
||||||
- else:
|
- else:
|
||||||
- self.fcpath = selinux.selinux_file_context_path()
|
- self.fcpath = selinux.selinux_file_context_path()
|
||||||
|
- self.fcdict = _gen_fcdict(self.fcpath)
|
||||||
+ self.root = root
|
+ self.root = root
|
||||||
+ self.portrecs = gen_port_dict()[0]
|
+ self.portrecs = gen_port_dict()[0]
|
||||||
+ self.domains = gen_domains()
|
+ self.domains = gen_domains()
|
||||||
@ -252366,7 +252442,7 @@ index 25062da..086f2a7 100755
|
|||||||
+ self.types = _gen_types()
|
+ self.types = _gen_types()
|
||||||
+
|
+
|
||||||
+ self.fcpath = self.root + selinux.selinux_file_context_path()
|
+ self.fcpath = self.root + selinux.selinux_file_context_path()
|
||||||
self.fcdict = _gen_fcdict(self.fcpath)
|
+ self.fcdict = get_fcdict(self.fcpath)
|
||||||
|
|
||||||
if not os.path.exists(path):
|
if not os.path.exists(path):
|
||||||
os.makedirs(path)
|
os.makedirs(path)
|
||||||
@ -252400,7 +252476,7 @@ index 25062da..086f2a7 100755
|
|||||||
self.__gen_user_man_page()
|
self.__gen_user_man_page()
|
||||||
if self.html:
|
if self.html:
|
||||||
manpage_roles.append(self.man_page_path)
|
manpage_roles.append(self.man_page_path)
|
||||||
@@ -483,16 +467,16 @@ class ManPage:
|
@@ -483,16 +434,16 @@ class ManPage:
|
||||||
def _gen_bools(self):
|
def _gen_bools(self):
|
||||||
self.bools=[]
|
self.bools=[]
|
||||||
self.domainbools=[]
|
self.domainbools=[]
|
||||||
@ -252427,7 +252503,7 @@ index 25062da..086f2a7 100755
|
|||||||
|
|
||||||
self.bools.sort()
|
self.bools.sort()
|
||||||
self.domainbools.sort()
|
self.domainbools.sort()
|
||||||
@@ -538,9 +522,6 @@ class ManPage:
|
@@ -538,9 +489,6 @@ class ManPage:
|
||||||
print path
|
print path
|
||||||
|
|
||||||
def __gen_man_page(self):
|
def __gen_man_page(self):
|
||||||
@ -252437,7 +252513,7 @@ index 25062da..086f2a7 100755
|
|||||||
self.anon_list = []
|
self.anon_list = []
|
||||||
|
|
||||||
self.attributes = {}
|
self.attributes = {}
|
||||||
@@ -563,22 +544,11 @@ class ManPage:
|
@@ -563,22 +511,11 @@ class ManPage:
|
||||||
|
|
||||||
def _get_ptypes(self):
|
def _get_ptypes(self):
|
||||||
for f in self.all_domains:
|
for f in self.all_domains:
|
||||||
@ -252463,7 +252539,7 @@ index 25062da..086f2a7 100755
|
|||||||
% {'domainname':self.domainname, 'date': time.strftime("%y-%m-%d")})
|
% {'domainname':self.domainname, 'date': time.strftime("%y-%m-%d")})
|
||||||
self.fd.write(r"""
|
self.fd.write(r"""
|
||||||
.SH "NAME"
|
.SH "NAME"
|
||||||
@@ -774,7 +744,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
|
@@ -774,7 +711,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
|
||||||
def _port_types(self):
|
def _port_types(self):
|
||||||
self.ports = []
|
self.ports = []
|
||||||
for f in self.all_port_types:
|
for f in self.all_port_types:
|
||||||
@ -252472,7 +252548,34 @@ index 25062da..086f2a7 100755
|
|||||||
self.ports.append(f)
|
self.ports.append(f)
|
||||||
|
|
||||||
if len(self.ports) == 0:
|
if len(self.ports) == 0:
|
||||||
@@ -923,13 +893,12 @@ to apply the labels.
|
@@ -821,7 +758,7 @@ Default Defined Ports:""")
|
||||||
|
if f.startswith(self.domainname):
|
||||||
|
flist.append(f)
|
||||||
|
if f in self.fcdict:
|
||||||
|
- mpaths = mpaths + self.fcdict[f]
|
||||||
|
+ mpaths = mpaths + self.fcdict[f]["regex"]
|
||||||
|
if len(mpaths) == 0:
|
||||||
|
return
|
||||||
|
mpaths.sort()
|
||||||
|
@@ -901,14 +838,14 @@ Note: SELinux often uses regular expressions to specify labels that match multip
|
||||||
|
|
||||||
|
if f in self.fcdict:
|
||||||
|
plural = ""
|
||||||
|
- if len(self.fcdict[f]) > 1:
|
||||||
|
+ if len(self.fcdict[f]["regex"]) > 1:
|
||||||
|
plural = "s"
|
||||||
|
self.fd.write("""
|
||||||
|
.br
|
||||||
|
.TP 5
|
||||||
|
Path%s:
|
||||||
|
-%s""" % (plural, self.fcdict[f][0]))
|
||||||
|
- for x in self.fcdict[f][1:]:
|
||||||
|
+%s""" % (plural, self.fcdict[f]["regex"][0]))
|
||||||
|
+ for x in self.fcdict[f]["regex"][1:]:
|
||||||
|
self.fd.write(", %s" % x)
|
||||||
|
|
||||||
|
self.fd.write("""
|
||||||
|
@@ -923,13 +860,12 @@ to apply the labels.
|
||||||
|
|
||||||
def _see_also(self):
|
def _see_also(self):
|
||||||
ret = ""
|
ret = ""
|
||||||
@ -252488,7 +252591,7 @@ index 25062da..086f2a7 100755
|
|||||||
ret += ", %s_selinux(8)" % d
|
ret += ", %s_selinux(8)" % d
|
||||||
self.fd.write(ret)
|
self.fd.write(ret)
|
||||||
|
|
||||||
@@ -947,13 +916,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
|
@@ -947,13 +883,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
|
||||||
.B restorecon -F -R -v /var/%(domainname)s
|
.B restorecon -F -R -v /var/%(domainname)s
|
||||||
.pp
|
.pp
|
||||||
.TP
|
.TP
|
||||||
@ -252505,7 +252608,7 @@ index 25062da..086f2a7 100755
|
|||||||
""" % {'domainname':self.domainname})
|
""" % {'domainname':self.domainname})
|
||||||
for b in self.anon_list:
|
for b in self.anon_list:
|
||||||
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
|
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
|
||||||
@@ -998,12 +968,11 @@ is a GUI tool available to customize SELinux policy settings.
|
@@ -998,12 +935,11 @@ is a GUI tool available to customize SELinux policy settings.
|
||||||
|
|
||||||
.SH AUTHOR
|
.SH AUTHOR
|
||||||
This manual page was auto-generated using
|
This manual page was auto-generated using
|
||||||
@ -252520,7 +252623,25 @@ index 25062da..086f2a7 100755
|
|||||||
|
|
||||||
if self.booltext != "":
|
if self.booltext != "":
|
||||||
self.fd.write(", setsebool(8)")
|
self.fd.write(", setsebool(8)")
|
||||||
@@ -1230,6 +1199,7 @@ The SELinux user %s_u is not able to terminal login.
|
@@ -1046,7 +982,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
|
||||||
|
paths=[]
|
||||||
|
for entrypoint in entrypoints:
|
||||||
|
if entrypoint in self.fcdict:
|
||||||
|
- paths += self.fcdict[entrypoint]
|
||||||
|
+ paths += self.fcdict[entrypoint]["regex"]
|
||||||
|
|
||||||
|
self.fd.write("""
|
||||||
|
%s""" % ", ".join(paths))
|
||||||
|
@@ -1086,7 +1022,7 @@ The SELinux process type %s_t can manage files labeled with the following file t
|
||||||
|
|
||||||
|
""" % f)
|
||||||
|
if f in self.fcdict:
|
||||||
|
- for path in self.fcdict[f]:
|
||||||
|
+ for path in self.fcdict[f]["regex"]:
|
||||||
|
self.fd.write("""\t%s
|
||||||
|
.br
|
||||||
|
""" % path)
|
||||||
|
@@ -1230,6 +1166,7 @@ The SELinux user %s_u is not able to terminal login.
|
||||||
""" % self.domainname)
|
""" % self.domainname)
|
||||||
|
|
||||||
def _network(self):
|
def _network(self):
|
||||||
@ -252528,6 +252649,32 @@ index 25062da..086f2a7 100755
|
|||||||
self.fd.write("""
|
self.fd.write("""
|
||||||
.SH NETWORK
|
.SH NETWORK
|
||||||
""")
|
""")
|
||||||
|
@@ -1241,10 +1178,10 @@ The SELinux user %s_u is not able to terminal login.
|
||||||
|
The SELinux user %s_u is able to listen on the following %s ports.
|
||||||
|
""" % (self.domainname, net))
|
||||||
|
for p in portdict:
|
||||||
|
- for recs in portdict[p]:
|
||||||
|
+ for t, ports in portdict[p]:
|
||||||
|
self.fd.write("""
|
||||||
|
.B %s
|
||||||
|
-""" % recs)
|
||||||
|
+""" % ",".join(ports))
|
||||||
|
portdict = network.get_network_connect(self.type, "tcp", "name_connect")
|
||||||
|
if len(portdict) > 0:
|
||||||
|
self.fd.write("""
|
||||||
|
@@ -1252,10 +1189,10 @@ The SELinux user %s_u is able to listen on the following %s ports.
|
||||||
|
The SELinux user %s_u is able to connect to the following tcp ports.
|
||||||
|
""" % (self.domainname))
|
||||||
|
for p in portdict:
|
||||||
|
- for recs in portdict[p]:
|
||||||
|
+ for t, ports in portdict[p]:
|
||||||
|
self.fd.write("""
|
||||||
|
.B %s
|
||||||
|
-""" % recs)
|
||||||
|
+""" % ",".join(ports))
|
||||||
|
|
||||||
|
def _home_exec(self):
|
||||||
|
permlist = sepolicy.search([sepolicy.ALLOW],{'source':self.type,'target':'user_home_type', 'class':'file', 'permlist':['ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open']})
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py
|
||||||
index 66efe26..970f4c8 100755
|
index 66efe26..970f4c8 100755
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/network.py
|
--- a/policycoreutils/sepolicy/sepolicy/network.py
|
||||||
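Review bot: In `get_fcdict` in sepolicy/__init__.py the new `"paths"` field is a flat list when a type is first seen (`"paths" : find_file(...)`) but every later match is added with `fcdict[t]["paths"].append(find_file(...))`, which nests a whole list per file_contexts line; that line should be `fcdict[t]["paths"].extend(find_file(rec[0], os.path.dirname(rec[0])))`. `find_file` also runs `os.listdir` against the running host even though manpage.py now reads the fc file from `self.root + selinux.selinux_file_context_path()`, so with an alternate root the recorded paths come from the wrong tree, and its bare `except:` hides both `OSError` and `re.error` (most entries carry regex metacharacters in their directory part, so `os.path.dirname` names a directory that does not exist and the empty result is silent). I would thread the root through and narrow the handler as below, and note that the synthetic entries such as `fcdict["logfile"]` carry only `"regex"`, so any consumer of `"paths"` or `"ftype"` must use `.get`. Separately, `CheckRole` in sepolicy.py strips two characters unconditionally with `value[:-2]`; the value was just validated against `get_all_roles()`, so this only holds while every role ends in `_r`, and `value[:-2] if value.endswith("_r") else value` would make that explicit. The `def get_fcdict` line sits in the preceding hunk and its loop body in the next, so the function is split across hunks here.
```python
def find_file(reg, path, root="/"):
    """Return the entries of *path* (looked up under *root*) that match file_contexts regex *reg*."""
    try:
        pat = re.compile(r"%s$" % reg)
        scan = os.path.join(root, path.lstrip("/"))
        return filter(pat.match, map(lambda x: path + "/" + x, os.listdir(scan)))
    except (OSError, re.error):
        return []

def get_fcdict(fc_path = selinux.selinux_file_context_path(), root="/"):
    # … unchanged: read fc_path and fc_path+".homedirs", split rec, derive ftype and t …
            if t in fcdict:
                fcdict[t]["regex"].append(rec[0])
                fcdict[t]["paths"].extend(find_file(rec[0], os.path.dirname(rec[0]), root))
            else:
                fcdict[t] = { "regex": [ rec[0] ], "paths" : find_file(rec[0], os.path.dirname(rec[0]), root), "ftype": ftype}
    # … unchanged: synthetic logfile/user_tmp_type/... entries and return fcdict …
```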
|
@ -7,7 +7,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.1.14
|
Version: 2.1.14
|
||||||
Release: 53%{?dist}
|
Release: 54%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -54,7 +54,7 @@ to switch roles.
|
|||||||
%setup -q -a 1
|
%setup -q -a 1
|
||||||
%patch -p2 -b .rhat
|
%patch -p2 -b .rhat
|
||||||
%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
|
%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
|
||||||
%patch2 -p1 -b .semanage
|
%patch2 -p1 -b .semanage
|
||||||
|
|
||||||
%build
|
%build
|
||||||
cp %{SOURCE3} gui/
|
cp %{SOURCE3} gui/
|
||||||
@ -311,6 +311,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 18 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-54
|
||||||
|
- Make fcdict return a dictionary of dictionaries
|
||||||
|
- Fix for sepolicy manpage
|
||||||
|
|
||||||
* Mon Jun 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-53
|
* Mon Jun 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-53
|
||||||
- Add new man pages for each semanage subsection
|
- Add new man pages for each semanage subsection
|
||||||
|
|
||||||
|