Make fcdict return a dictionary of dictionaries

- Fix for sepolicy manpage
This commit is contained in:
Dan Walsh 2013-06-18 14:38:47 -04:00
parent 4f89c533b5
commit 544468684c
2 changed files with 212 additions and 61 deletions

View File

@ -250464,14 +250464,14 @@ index 4c5243a..036c418 100644
diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8 diff --git a/policycoreutils/semodule/genhomedircon.8 b/policycoreutils/semodule/genhomedircon.8
new file mode 100644 new file mode 100644
index 0000000..08e3bad index 0000000..2a3315b
--- /dev/null --- /dev/null
+++ b/policycoreutils/semodule/genhomedircon.8 +++ b/policycoreutils/semodule/genhomedircon.8
@@ -0,0 +1,24 @@ @@ -0,0 +1,24 @@
+.TH GENHOMEDIRCON "8" "Sep 2011" "Security Enhanced Linux" "SELinux" +.TH GENHOMEDIRCON "8" "Sep 2011" "Security Enhanced Linux" "SELinux"
+.SH NAME +.SH NAME
+genhomedircon \- generate SELinux file context configuration entries for user home directories +genhomedircon \- generate SELinux file context configuration entries for user home directories
+.SH SYNOPSIS +.SH DESCRIPTION
+.B genhomedircon +.B genhomedircon
+is a script that executes +is a script that executes
+.B semodule +.B semodule
@ -251020,7 +251020,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s). Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..9b29b39 100755 index b25d3b2..43a8101 100755
--- a/policycoreutils/sepolicy/sepolicy.py --- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@ @@ -22,6 +22,8 @@
@ -251037,7 +251037,7 @@ index b25d3b2..9b29b39 100755
__builtin__.__dict__['_'] = unicode __builtin__.__dict__['_'] = unicode
+usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] [" +usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
+usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)} +usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('[-r ROLE ]',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
+ +
class CheckPath(argparse.Action): class CheckPath(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None): def __call__(self, parser, namespace, values, option_string=None):
@ -251100,7 +251100,7 @@ index b25d3b2..9b29b39 100755
newval = getattr(namespace, self.dest) newval = getattr(namespace, self.dest)
if not newval: if not newval:
newval = [] newval = []
@@ -140,27 +165,65 @@ class CheckPolicyType(argparse.Action): @@ -140,27 +165,76 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action): class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None): def __call__(self, parser, namespace, value, option_string=None):
@ -251115,6 +251115,17 @@ index b25d3b2..9b29b39 100755
newval.append(value) newval.append(value)
setattr(namespace, self.dest, newval) setattr(namespace, self.dest, newval)
+class CheckRole(argparse.Action):
+ def __call__(self, parser, namespace, value, option_string=None):
+ newval = getattr(namespace, self.dest)
+ if not newval:
+ newval = []
+ roles = sepolicy.get_all_roles()
+ if value not in roles:
+ raise ValueError("%s must be an SELinux role:\nValid roles: %s" % (value, ", ".join(roles)))
+ newval.append(value[:-2])
+ setattr(namespace, self.dest, newval)
+
+class InterfaceInfo(argparse.Action): +class InterfaceInfo(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None): + def __call__(self, parser, namespace, values, option_string=None):
+ from sepolicy.interface import get_interface_dict + from sepolicy.interface import get_interface_dict
@ -251173,7 +251184,7 @@ index b25d3b2..9b29b39 100755
if args.list_ports: if args.list_ports:
all_ports = [] all_ports = []
for i in portrecs: for i in portrecs:
@@ -201,41 +264,41 @@ def manpage(args): @@ -201,41 +275,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path path = args.path
@ -251238,7 +251249,7 @@ index b25d3b2..9b29b39 100755
def gen_network_args(parser): def gen_network_args(parser):
net = parser.add_parser("network", net = parser.add_parser("network",
@@ -283,7 +346,6 @@ def gen_communicate_args(parser): @@ -283,7 +357,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate) comm.set_defaults(func=communicate)
def booleans(args): def booleans(args):
@ -251246,7 +251257,7 @@ index b25d3b2..9b29b39 100755
from sepolicy import boolean_desc from sepolicy import boolean_desc
if args.all: if args.all:
rc, args.booleans = selinux.security_get_boolean_names() rc, args.booleans = selinux.security_get_boolean_names()
@@ -300,6 +362,7 @@ def gen_booleans_args(parser): @@ -300,6 +373,7 @@ def gen_booleans_args(parser):
action="store_true", action="store_true",
help=_("get all booleans descriptions")) help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+", group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
@ -251254,7 +251265,7 @@ index b25d3b2..9b29b39 100755
help=_("boolean to get description")) help=_("boolean to get description"))
bools.set_defaults(func=booleans) bools.set_defaults(func=booleans)
@@ -319,22 +382,49 @@ def gen_transition_args(parser): @@ -319,22 +393,49 @@ def gen_transition_args(parser):
help=_("target process domain")) help=_("target process domain"))
trans.set_defaults(func=transition) trans.set_defaults(func=transition)
@ -251313,7 +251324,7 @@ index b25d3b2..9b29b39 100755
if not args.command: if not args.command:
raise ValueError(_("Command required for this type of policy")) raise ValueError(_("Command required for this type of policy"))
cmd = os.path.realpath(args.command) cmd = os.path.realpath(args.command)
@@ -346,8 +436,18 @@ def generate(args): @@ -346,8 +447,18 @@ def generate(args):
mypolicy.set_program(cmd) mypolicy.set_program(cmd)
if args.types: if args.types:
@ -251332,7 +251343,15 @@ index b25d3b2..9b29b39 100755
for p in args.writepaths: for p in args.writepaths:
if os.path.isdir(p): if os.path.isdir(p):
mypolicy.add_dir(p) mypolicy.add_dir(p)
@@ -366,20 +466,34 @@ def generate(args): @@ -355,6 +466,7 @@ def generate(args):
mypolicy.add_file(p)
mypolicy.set_transition_users(args.user)
+ mypolicy.set_admin_roles(args.role)
mypolicy.set_admin_domains(args.admin_domain)
mypolicy.set_existing_domains(args.domain)
@@ -366,20 +478,34 @@ def generate(args):
def gen_interface_args(parser): def gen_interface_args(parser):
itf = parser.add_parser("interface", itf = parser.add_parser("interface",
help=_('List SELinux Policy interfaces')) help=_('List SELinux Policy interfaces'))
@ -251370,7 +251389,17 @@ index b25d3b2..9b29b39 100755
help=_('Generate SELinux Policy module template')) help=_('Generate SELinux Policy module template'))
pol.add_argument("-d", "--domain", dest="domain", default=[], pol.add_argument("-d", "--domain", dest="domain", default=[],
action=CheckDomain, nargs="*", action=CheckDomain, nargs="*",
@@ -397,53 +511,57 @@ def gen_generate_args(parser): @@ -387,6 +513,9 @@ def gen_generate_args(parser):
pol.add_argument("-u", "--user", dest="user", default=[],
action=CheckUser,
help=_("Enter SELinux user(s) which will transition to this domain"))
+ pol.add_argument("-r", "--role", dest="role", default=[],
+ action=CheckRole,
+ help=_("Enter SELinux role(s) to which this domain will transition"))
pol.add_argument("-a", "--admin", dest="admin_domain",default=[],
action=CheckAdmin,
help=_("Enter domain(s) that this confined admin will administrate"))
@@ -397,53 +526,57 @@ def gen_generate_args(parser):
help=argparse.SUPPRESS) help=argparse.SUPPRESS)
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*", pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
action=CheckType, action=CheckType,
@ -251454,7 +251483,7 @@ index b25d3b2..9b29b39 100755
pol.set_defaults(func=generate) pol.set_defaults(func=generate)
if __name__ == '__main__': if __name__ == '__main__':
@@ -461,11 +579,17 @@ if __name__ == '__main__': @@ -461,11 +594,17 @@ if __name__ == '__main__':
gen_transition_args(subparsers) gen_transition_args(subparsers)
try: try:
@ -251474,7 +251503,7 @@ index b25d3b2..9b29b39 100755
except KeyboardInterrupt: except KeyboardInterrupt:
sys.exit(0) sys.exit(0)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..b367e9c 100644 index 5e7415c..8862ebb 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py --- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -7,6 +7,9 @@ import _policy @@ -7,6 +7,9 @@ import _policy
@ -251487,7 +251516,7 @@ index 5e7415c..b367e9c 100644
gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME) gettext.textdomain(PROGNAME)
try: try:
@@ -37,9 +40,119 @@ CLASS = 'class' @@ -37,9 +40,134 @@ CLASS = 'class'
TRANSITION = 'transition' TRANSITION = 'transition'
ROLE_ALLOW = 'role_allow' ROLE_ALLOW = 'role_allow'
@ -251541,11 +251570,20 @@ index 5e7415c..b367e9c 100644
+ +
+ for f in all_writes: + for f in all_writes:
+ try: + try:
+ mpaths[f] = fcdict[f] + mpaths[f] = fcdict[f]["regex"]
+ except KeyError: + except KeyError:
+ mpaths[f] = [] + mpaths[f] = []
+ return mpaths + return mpaths
+ +
+import os, pprint, re, sys
+def find_file(reg, path):
+ try:
+ pat = re.compile(r"%s$" % reg)
+ return filter(pat.match, map(lambda x: path + "/" + x, os.listdir(path)))
+ except:
+ return []
+
+import os
+fcdict=None +fcdict=None
+def get_fcdict(fc_path = selinux.selinux_file_context_path()): +def get_fcdict(fc_path = selinux.selinux_file_context_path()):
+ global fcdict + global fcdict
@ -251561,22 +251599,28 @@ index 5e7415c..b367e9c 100644
+ for i in fc: + for i in fc:
+ rec = i.split() + rec = i.split()
+ try: + try:
+ if len(rec) > 2:
+ ftype = rec[1]
+ else:
+ ftype = ""
+
+ t = rec[-1].split(":")[2] + t = rec[-1].split(":")[2]
+ if t in fcdict: + if t in fcdict:
+ fcdict[t].append(rec[0]) + fcdict[t]["regex"].append(rec[0])
+ fcdict[t]["paths"].append(find_file(rec[0], os.path.dirname(rec[0])))
+ else: + else:
+ fcdict[t] = [ rec[0] ] + fcdict[t] = { "regex": [ rec[0] ], "paths" : find_file(rec[0], os.path.dirname(rec[0])), "ftype": ftype}
+ except: + except:
+ pass + pass
+ fcdict["logfile"] = [ "all log files" ] + fcdict["logfile"] = { "regex" : [ "all log files" ]}
+ fcdict["user_tmp_type"] = [ "all user tmp files" ] + fcdict["user_tmp_type"] = { "regex" : [ "all user tmp files" ]}
+ fcdict["user_home_type"] = [ "all user home files" ] + fcdict["user_home_type"] = { "regex" : [ "all user home files" ]}
+ fcdict["virt_image_type"] = [ "all virtual image files" ] + fcdict["virt_image_type"] = { "regex" : [ "all virtual image files" ]}
+ fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ] + fcdict["noxattrfs"] = { "regex" : [ "all files on file systems which do not support extended attributes" ]}
+ fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ] + fcdict["sandbox_tmpfs_type"] = { "regex" : [ "all sandbox content in tmpfs file systems" ]}
+ fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ] + fcdict["user_tmpfs_type"] = { "regex" : [ "all user content in tmpfs file systems" ]}
+ fcdict["file_type"] = [ "all files on the system" ] + fcdict["file_type"] = { "regex" : [ "all files on the system" ] }
+ fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ] + fcdict["samba_share_t"] = { "regex" : [ "use this label for random content that will be shared using samba" ] }
+ return fcdict + return fcdict
+ +
+def get_entrypoint_types(setype): +def get_entrypoint_types(setype):
@ -251585,7 +251629,8 @@ index 5e7415c..b367e9c 100644
+ return entrypoints + return entrypoints
+ +
+def get_init_entrypoint_target(entrypoint): +def get_init_entrypoint_target(entrypoint):
+ try: try:
- path = selinux.selinux_binary_policy_path()
+ entrypoints = map(lambda x: x['transtype'], search([TRANSITION],{'source':"init_t", 'target':entrypoint, 'class':'process'})) + entrypoints = map(lambda x: x['transtype'], search([TRANSITION],{'source':"init_t", 'target':entrypoint, 'class':'process'}))
+ return entrypoints[0] + return entrypoints[0]
+ except TypeError: + except TypeError:
@ -251597,19 +251642,18 @@ index 5e7415c..b367e9c 100644
+ mpaths = {} + mpaths = {}
+ for f in get_entrypoint_types(setype): + for f in get_entrypoint_types(setype):
+ try: + try:
+ mpaths[f] = fcdict[f] + mpaths[f] = fcdict[f]["regex"]
+ except: + except:
+ mpaths[f] = [] + mpaths[f] = []
+ return mpaths + return mpaths
+ +
+def get_installed_policy(root = "/"): +def get_installed_policy(root = "/"):
try: + try:
- path = selinux.selinux_binary_policy_path()
+ path = root + selinux.selinux_binary_policy_path() + path = root + selinux.selinux_binary_policy_path()
policies = glob.glob ("%s.*" % path ) policies = glob.glob ("%s.*" % path )
policies.sort() policies.sort()
return policies[-1] return policies[-1]
@@ -47,6 +160,27 @@ def __get_installed_policy(): @@ -47,6 +175,27 @@ def __get_installed_policy():
pass pass
raise ValueError(_("No SELinux Policy installed")) raise ValueError(_("No SELinux Policy installed"))
@ -251637,7 +251681,7 @@ index 5e7415c..b367e9c 100644
all_types = None all_types = None
def get_all_types(): def get_all_types():
global all_types global all_types
@@ -54,6 +188,13 @@ def get_all_types(): @@ -54,6 +203,13 @@ def get_all_types():
all_types = map(lambda x: x['name'], info(TYPE)) all_types = map(lambda x: x['name'], info(TYPE))
return all_types return all_types
@ -251651,7 +251695,7 @@ index 5e7415c..b367e9c 100644
role_allows = None role_allows = None
def get_all_role_allows(): def get_all_role_allows():
global role_allows global role_allows
@@ -71,6 +212,7 @@ def get_all_role_allows(): @@ -71,6 +227,7 @@ def get_all_role_allows():
return role_allows return role_allows
def get_all_entrypoint_domains(): def get_all_entrypoint_domains():
@ -251659,7 +251703,7 @@ index 5e7415c..b367e9c 100644
all_domains = [] all_domains = []
types=get_all_types() types=get_all_types()
types.sort() types.sort()
@@ -81,11 +223,54 @@ def get_all_entrypoint_domains(): @@ -81,11 +238,54 @@ def get_all_entrypoint_domains():
all_domains.append(m[0]) all_domains.append(m[0])
return all_domains return all_domains
@ -251715,7 +251759,7 @@ index 5e7415c..b367e9c 100644
return all_domains return all_domains
roles = None roles = None
@@ -139,50 +324,92 @@ def get_all_attributes(): @@ -139,50 +339,92 @@ def get_all_attributes():
return all_attributes return all_attributes
def policy(policy_file): def policy(policy_file):
@ -251833,7 +251877,7 @@ index 5e7415c..b367e9c 100644
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
global booleans_dict global booleans_dict
if booleans_dict: if booleans_dict:
@@ -191,7 +418,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): @@ -191,7 +433,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
import re import re
booleans_dict = {} booleans_dict = {}
try: try:
@ -251856,7 +251900,7 @@ index a179d95..9b9a09a 100755
tlist = [] tlist = []
for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..ce328e6 100644 index 26f8390..a5e4b9b 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py --- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py +++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError: @@ -63,20 +63,6 @@ except IOError:
@ -251898,15 +251942,6 @@ index 26f8390..ce328e6 100644
line = "%s(%s_t)\n" % (method, self.name) line = "%s(%s_t)\n" % (method, self.name)
else: else:
line = """ line = """
@@ -765,7 +751,7 @@ allow %s_t %s_t:%s_socket name_%s;
return newte
- if self.type == RUSER:
+ if self.type == RUSER or self.type == AUSER:
newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
for app in self.admin_domains:
@@ -875,6 +861,13 @@ allow %s_t %s_t:%s_socket name_%s; @@ -875,6 +861,13 @@ allow %s_t %s_t:%s_socket name_%s;
if t.endswith(i): if t.endswith(i):
newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types) newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
@ -252266,7 +252301,7 @@ index 8b063ca..c7dac62 100644
+ else: + else:
+ sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface)) + sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface))
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..086f2a7 100755 index 25062da..c4d8161 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py --- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -28,12 +28,12 @@ import string @@ -28,12 +28,12 @@ import string
@ -252304,7 +252339,47 @@ index 25062da..086f2a7 100755
if domain in domains: if domain in domains:
continue continue
domains.append(domain) domains.append(domain)
@@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list): @@ -114,39 +114,6 @@ def gen_domains():
domains.sort()
return domains
-fcdict=None
-def _gen_fcdict(fc_path = selinux.selinux_file_context_path()):
- global fcdict
- if fcdict:
- return fcdict
- fd = open(fc_path, "r")
- fc = fd.readlines()
- fd.close()
- fd = open(fc_path+".homedirs", "r")
- fc += fd.readlines()
- fd.close()
- fcdict = {}
- for i in fc:
- rec = i.split()
- try:
- t = rec[-1].split(":")[2]
- if t in fcdict:
- fcdict[t].append(rec[0])
- else:
- fcdict[t] = [ rec[0] ]
- except:
- pass
- fcdict["logfile"] = [ "all log files" ]
- fcdict["user_tmp_type"] = [ "all user tmp files" ]
- fcdict["user_home_type"] = [ "all user home files" ]
- fcdict["virt_image_type"] = [ "all virtual image files" ]
- fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ]
- fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ]
- fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ]
- fcdict["file_type"] = [ "all files on the system" ]
- fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
- return fcdict
-
types = None
def _gen_types():
global types
@@ -184,14 +151,12 @@ def get_alphabet_manpages(manpage_list):
return alphabet_manpages return alphabet_manpages
def convert_manpage_to_html(html_manpage,manpage): def convert_manpage_to_html(html_manpage,manpage):
@ -252323,7 +252398,7 @@ index 25062da..086f2a7 100755
class HTMLManPages: class HTMLManPages:
""" """
@@ -416,56 +414,42 @@ class ManPage: @@ -416,56 +381,42 @@ class ManPage:
""" """
Generate a Manpage on an SELinux domain in the specified path Generate a Manpage on an SELinux domain in the specified path
""" """
@ -252351,6 +252426,7 @@ index 25062da..086f2a7 100755
- self.fcpath = fcpath - self.fcpath = fcpath
- else: - else:
- self.fcpath = selinux.selinux_file_context_path() - self.fcpath = selinux.selinux_file_context_path()
- self.fcdict = _gen_fcdict(self.fcpath)
+ self.root = root + self.root = root
+ self.portrecs = gen_port_dict()[0] + self.portrecs = gen_port_dict()[0]
+ self.domains = gen_domains() + self.domains = gen_domains()
@ -252366,7 +252442,7 @@ index 25062da..086f2a7 100755
+ self.types = _gen_types() + self.types = _gen_types()
+ +
+ self.fcpath = self.root + selinux.selinux_file_context_path() + self.fcpath = self.root + selinux.selinux_file_context_path()
self.fcdict = _gen_fcdict(self.fcpath) + self.fcdict = get_fcdict(self.fcpath)
if not os.path.exists(path): if not os.path.exists(path):
os.makedirs(path) os.makedirs(path)
@ -252400,7 +252476,7 @@ index 25062da..086f2a7 100755
self.__gen_user_man_page() self.__gen_user_man_page()
if self.html: if self.html:
manpage_roles.append(self.man_page_path) manpage_roles.append(self.man_page_path)
@@ -483,16 +467,16 @@ class ManPage: @@ -483,16 +434,16 @@ class ManPage:
def _gen_bools(self): def _gen_bools(self):
self.bools=[] self.bools=[]
self.domainbools=[] self.domainbools=[]
@ -252427,7 +252503,7 @@ index 25062da..086f2a7 100755
self.bools.sort() self.bools.sort()
self.domainbools.sort() self.domainbools.sort()
@@ -538,9 +522,6 @@ class ManPage: @@ -538,9 +489,6 @@ class ManPage:
print path print path
def __gen_man_page(self): def __gen_man_page(self):
@ -252437,7 +252513,7 @@ index 25062da..086f2a7 100755
self.anon_list = [] self.anon_list = []
self.attributes = {} self.attributes = {}
@@ -563,22 +544,11 @@ class ManPage: @@ -563,22 +511,11 @@ class ManPage:
def _get_ptypes(self): def _get_ptypes(self):
for f in self.all_domains: for f in self.all_domains:
@ -252463,7 +252539,7 @@ index 25062da..086f2a7 100755
% {'domainname':self.domainname, 'date': time.strftime("%y-%m-%d")}) % {'domainname':self.domainname, 'date': time.strftime("%y-%m-%d")})
self.fd.write(r""" self.fd.write(r"""
.SH "NAME" .SH "NAME"
@@ -774,7 +744,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n @@ -774,7 +711,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
def _port_types(self): def _port_types(self):
self.ports = [] self.ports = []
for f in self.all_port_types: for f in self.all_port_types:
@ -252472,7 +252548,34 @@ index 25062da..086f2a7 100755
self.ports.append(f) self.ports.append(f)
if len(self.ports) == 0: if len(self.ports) == 0:
@@ -923,13 +893,12 @@ to apply the labels. @@ -821,7 +758,7 @@ Default Defined Ports:""")
if f.startswith(self.domainname):
flist.append(f)
if f in self.fcdict:
- mpaths = mpaths + self.fcdict[f]
+ mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
return
mpaths.sort()
@@ -901,14 +838,14 @@ Note: SELinux often uses regular expressions to specify labels that match multip
if f in self.fcdict:
plural = ""
- if len(self.fcdict[f]) > 1:
+ if len(self.fcdict[f]["regex"]) > 1:
plural = "s"
self.fd.write("""
.br
.TP 5
Path%s:
-%s""" % (plural, self.fcdict[f][0]))
- for x in self.fcdict[f][1:]:
+%s""" % (plural, self.fcdict[f]["regex"][0]))
+ for x in self.fcdict[f]["regex"][1:]:
self.fd.write(", %s" % x)
self.fd.write("""
@@ -923,13 +860,12 @@ to apply the labels.
def _see_also(self): def _see_also(self):
ret = "" ret = ""
@ -252488,7 +252591,7 @@ index 25062da..086f2a7 100755
ret += ", %s_selinux(8)" % d ret += ", %s_selinux(8)" % d
self.fd.write(ret) self.fd.write(ret)
@@ -947,13 +916,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" @@ -947,13 +883,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
.B restorecon -F -R -v /var/%(domainname)s .B restorecon -F -R -v /var/%(domainname)s
.pp .pp
.TP .TP
@ -252505,7 +252608,7 @@ index 25062da..086f2a7 100755
""" % {'domainname':self.domainname}) """ % {'domainname':self.domainname})
for b in self.anon_list: for b in self.anon_list:
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:] desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
@@ -998,12 +968,11 @@ is a GUI tool available to customize SELinux policy settings. @@ -998,12 +935,11 @@ is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR .SH AUTHOR
This manual page was auto-generated using This manual page was auto-generated using
@ -252520,7 +252623,25 @@ index 25062da..086f2a7 100755
if self.booltext != "": if self.booltext != "":
self.fd.write(", setsebool(8)") self.fd.write(", setsebool(8)")
@@ -1230,6 +1199,7 @@ The SELinux user %s_u is not able to terminal login. @@ -1046,7 +982,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
paths=[]
for entrypoint in entrypoints:
if entrypoint in self.fcdict:
- paths += self.fcdict[entrypoint]
+ paths += self.fcdict[entrypoint]["regex"]
self.fd.write("""
%s""" % ", ".join(paths))
@@ -1086,7 +1022,7 @@ The SELinux process type %s_t can manage files labeled with the following file t
""" % f)
if f in self.fcdict:
- for path in self.fcdict[f]:
+ for path in self.fcdict[f]["regex"]:
self.fd.write("""\t%s
.br
""" % path)
@@ -1230,6 +1166,7 @@ The SELinux user %s_u is not able to terminal login.
""" % self.domainname) """ % self.domainname)
def _network(self): def _network(self):
@ -252528,6 +252649,32 @@ index 25062da..086f2a7 100755
self.fd.write(""" self.fd.write("""
.SH NETWORK .SH NETWORK
""") """)
@@ -1241,10 +1178,10 @@ The SELinux user %s_u is not able to terminal login.
The SELinux user %s_u is able to listen on the following %s ports.
""" % (self.domainname, net))
for p in portdict:
- for recs in portdict[p]:
+ for t, ports in portdict[p]:
self.fd.write("""
.B %s
-""" % recs)
+""" % ",".join(ports))
portdict = network.get_network_connect(self.type, "tcp", "name_connect")
if len(portdict) > 0:
self.fd.write("""
@@ -1252,10 +1189,10 @@ The SELinux user %s_u is able to listen on the following %s ports.
The SELinux user %s_u is able to connect to the following tcp ports.
""" % (self.domainname))
for p in portdict:
- for recs in portdict[p]:
+ for t, ports in portdict[p]:
self.fd.write("""
.B %s
-""" % recs)
+""" % ",".join(ports))
def _home_exec(self):
permlist = sepolicy.search([sepolicy.ALLOW],{'source':self.type,'target':'user_home_type', 'class':'file', 'permlist':['ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open']})
diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py diff --git a/policycoreutils/sepolicy/sepolicy/network.py b/policycoreutils/sepolicy/sepolicy/network.py
index 66efe26..970f4c8 100755 index 66efe26..970f4c8 100755
--- a/policycoreutils/sepolicy/sepolicy/network.py --- a/policycoreutils/sepolicy/sepolicy/network.py

View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.14 Version: 2.1.14
Release: 53%{?dist} Release: 54%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -54,7 +54,7 @@ to switch roles.
%setup -q -a 1 %setup -q -a 1
%patch -p2 -b .rhat %patch -p2 -b .rhat
%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver} %patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
%patch2 -p1 -b .semanage %patch2 -p1 -b .semanage
%build %build
cp %{SOURCE3} gui/ cp %{SOURCE3} gui/
@ -311,6 +311,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Tue Jun 18 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-54
- Make fcdict return a dictionary of dictionaries
- Fix for sepolicy manpage
* Mon Jun 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-53 * Mon Jun 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-53
- Add new man pages for each semanage subsection - Add new man pages for each semanage subsection