* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9

- Add -e to semanage man page - Add -D qualifier to audit2allow to generate dontaudit rules
2010-01-08 14:37:32 +00:00 · 2010-01-08 14:37:32 +00:00 · 6c22c6b1f6
commit 6c22c6b1f6
parent 0779b0302c
3 changed files with 106 additions and 17 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1,6 +1,6 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow	2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.78/audit2allow/audit2allow	2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/audit2allow/audit2allow	2010-01-08 09:32:57.000000000 -0500
@@ -28,6 +28,7 @@
 import sepolgen.defaults as defaults
 import sepolgen.module as module
@ -18,7 +18,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
         parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
                           help="read input from audit log - conflicts with -i")
         parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
-@@ -80,11 +83,11 @@
+@@ -58,6 +61,9 @@
+                           help="generate a module package - conflicts with -o and -m")
+         parser.add_option("-o", "--output", dest="output",
+                           help="append output to <filename>, conflicts with -M")
+        parser.add_option("-D", "--dontaudit", action="store_true", 
+                          dest="dontaudit", default=False, 
+                          help="generate policy with dontaudit rules")
+         parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
+                           default=True, help="generate refpolicy style output")
+ 
+@@ -80,11 +86,11 @@
         options, args = parser.parse_args()
 
         # Make -d, -a, and -i conflict
@ -33,7 +43,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
         if options.input is not None and options.dmesg is True:
             sys.stderr.write("error: --input conflicts with --dmesg\n")
 
-@@ -129,6 +132,12 @@
+@@ -129,6 +135,12 @@
             except OSError, e:
                 sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
                 sys.exit(1)
@ -46,7 +56,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
         else:
             # This is the default if no input is specified
             f = sys.stdin
-@@ -220,63 +229,44 @@
+@@ -220,63 +232,44 @@
 
     def __output_audit2why(self):
             import selinux
@ -122,7 +132,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
                     print "\t\tMissing role allow rule.\n"
                     print "\t\tAdd an allow rule for the role pair.\n"
                     continue
-@@ -344,5 +334,6 @@
+@@ -314,7 +307,7 @@
+             g.set_gen_requires(True)
+ 
+         # Generate the policy
+-        g.add_access(self.__avs)
+        g.add_access(self.__avs, self.__options.dontaudit)
+         g.add_role_types(self.__role_types)
+ 
+         # Output
+@@ -344,5 +337,6 @@
             sys.exit(0)
 
 if __name__ == "__main__":
@ -2346,8 +2365,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 +}
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
 --- nsapolicycoreutils/semanage/semanage	2009-11-18 17:06:03.000000000 -0500
-+++ policycoreutils-2.0.78/semanage/semanage	2009-12-08 17:05:49.000000000 -0500
-@@ -32,23 +32,32 @@
+++ policycoreutils-2.0.78/semanage/semanage	2010-01-08 09:24:07.000000000 -0500
+@@ -32,25 +32,34 @@
 try:
        gettext.install(PROGNAME,
                        localedir="/usr/share/locale",
@ -2381,8 +2400,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
 semanage interface -{a|d|m} [-tr] interface_spec
 +semanage module -{a|d|m} [--enable|--disable] module
 semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
- semanage fcontext -{a|d|m} [-frst] file_spec
+-semanage fcontext -{a|d|m} [-frst] file_spec
+semanage fcontext -{a|d|m} [-efrst] file_spec
 semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
+ semanage permissive -{d|a} type
+ semanage dontaudit [ on | off ]
@@ -61,7 +70,9 @@
 	-d, --delete     Delete a OBJECT record NAME
 	-m, --modify     Modify a OBJECT record NAME
@ -2397,7 +2419,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
         -F, --file       Treat target as an input file for command, change multiple settings
 	-p, --proto      Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
 	-M, --mask       Netmask
-+        -e, --equal      Make target equal to this paths labeling
+        -e, --equal      Substitue source path for dest path when labeling
 	-P, --prefix     Prefix for home directory labeling
 	-L, --level      Default SELinux Level (MLS/MCS Systems only)
 	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
@ -2675,6 +2697,40 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
                              process_args(mkargv(l))
                       trans.finish()
                else:
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.78/semanage/semanage.8
+--- nsapolicycoreutils/semanage/semanage.8	2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage.8	2010-01-08 09:32:28.000000000 -0500
+@@ -19,6 +19,8 @@
+ .br
+ .B semanage fcontext \-{a|d|m} [\-frst] file_spec
+ .br
+.B semanage fcontext \-{a|d|m} \-e src_path tgt_path
+.br
+ .B semanage permissive \-{a|d} type
+ .br
+ .B semanage dontaudit [ on | off ]
+@@ -52,6 +54,12 @@
+ .I                \-D, \-\-deleteall
+ Remove all OBJECTS local customizations
+ .TP
+.I                \-e, \-\-equal
+Substitute src path for targetpath when labeling.  This is used with
+fcontext. Requires source and destination path arguments.  The context
+labeling for the destination subtree is made equivalent to that
+defined for the source.
+.TP
+ .I                \-f, \-\-ftype
+ File Type.   This is used with fcontext.
+ Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
+@@ -110,6 +118,8 @@
+ $ semanage login -a -s user_u %clerks
+ # Add file-context for everything under /web (used by restorecon)
+ $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
+# Make /home1 labeling equivalent to /home (used by restorecon)
+$ semanage fcontext -a -e /home1 /home
+ # Allow Apache to listen on port 81
+ $ semanage port -a -t http_port_t -p tcp 81
+ # Change apache to a permissive domain
 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2009-11-20 10:51:25.000000000 -0500
 +++ policycoreutils-2.0.78/semanage/seobject.py	2009-12-08 17:05:49.000000000 -0500
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@ -202,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
 -
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
 --- nsasepolgen/src/sepolgen/policygen.py	2008-09-12 11:48:15.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2009-12-16 08:20:45.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2010-01-08 09:33:54.000000000 -0500
@@ -29,6 +29,8 @@
 import access
 import interfaces
@ -221,10 +221,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
     def set_gen_refpol(self, if_set=None, perm_maps=None):
         """Set whether reference policy interfaces are generated.
 
-@@ -144,8 +146,35 @@
-     def __add_allow_rules(self, avs):
+@@ -141,15 +143,42 @@
+         """Return the generated module"""
+         return self.module
+ 
+-    def __add_allow_rules(self, avs):
+    def __add_allow_rules(self, avs, dontaudit):
         for av in avs:
-             rule = refpolicy.AVRule(av)
+-            rule = refpolicy.AVRule(av)
+            rule = refpolicy.AVRule(av, dontaudit=dontaudit)
 +            rule.comment = ""
             if self.explain:
                 rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
@ -257,6 +262,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
             self.module.children.append(rule)
 
 
+-    def add_access(self, av_set):
+    def add_access(self, av_set, dontaudit=False):
+         """Add the access from the access vector set to this
+         module.
+         """
+@@ -165,7 +194,7 @@
+             raw_allow = av_set
+ 
+         # Generate the raw allow rules from the filtered list
+-        self.__add_allow_rules(raw_allow)
+        self.__add_allow_rules(raw_allow, dontaudit)
+ 
+     def add_role_types(self, role_type_set):
+         for role_type in role_type_set:
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
 --- nsasepolgen/src/sepolgen/refparser.py	2009-10-29 15:21:39.000000000 -0400
 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-12-08 17:05:49.000000000 -0500
@ -271,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
         for name in filenames:
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
 --- nsasepolgen/src/sepolgen/refpolicy.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2010-01-08 09:33:37.000000000 -0500
@@ -398,6 +398,7 @@
         return "attribute %s;" % self.name
 
@ -280,12 +299,22 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py polic
 
 class AVRule(Leaf):
     """SELinux access vector (AV) rule.
-@@ -426,15 +427,17 @@
+@@ -420,21 +421,26 @@
+     AUDITALLOW = 2
+     NEVERALLOW = 3
+ 
+-    def __init__(self, av=None, parent=None):
+    def __init__(self, av=None, parent=None, dontaudit=False):
+         Leaf.__init__(self, parent)
+         self.src_types = IdSet()
         self.tgt_types = IdSet()
         self.obj_classes = IdSet()
         self.perms = IdSet()
 -        self.rule_type = self.ALLOW
-+        self.rule_type = audit2why.TERULE
+        if dontaudit:
+            self.rule_type = audit2why.DONTAUDIT
+        else:
+            self.rule_type = audit2why.TERULE
         if av:
             self.from_av(av)
 
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.78
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -297,6 +297,10 @@ fi
 exit 0

 %changelog
+* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9
+- Add -e to semanage man page
+- Add -D qualifier to audit2allow to generate dontaudit rules
+
 * Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-8
 - Speed up audit2allow processing of audit2why comments