* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9
- Add -e to semanage man page - Add -D qualifier to audit2allow to generate dontaudit rules
parent
0779b0302c
commit
6c22c6b1f6
@ -1,6 +1,6 @@
|
|||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
|
||||||
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
|
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
|
||||||
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500
|
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2010-01-08 09:32:57.000000000 -0500
|
||||||
@@ -28,6 +28,7 @@
|
@@ -28,6 +28,7 @@
|
||||||
import sepolgen.defaults as defaults
|
import sepolgen.defaults as defaults
|
||||||
import sepolgen.module as module
|
import sepolgen.module as module
|
||||||
@ -18,7 +18,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
|
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
|
||||||
help="read input from audit log - conflicts with -i")
|
help="read input from audit log - conflicts with -i")
|
||||||
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
|
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
|
||||||
@@ -80,11 +83,11 @@
|
@@ -58,6 +61,9 @@
|
||||||
|
help="generate a module package - conflicts with -o and -m")
|
||||||
|
parser.add_option("-o", "--output", dest="output",
|
||||||
|
help="append output to <filename>, conflicts with -M")
|
||||||
|
+ parser.add_option("-D", "--dontaudit", action="store_true",
|
||||||
|
+ dest="dontaudit", default=False,
|
||||||
|
+ help="generate policy with dontaudit rules")
|
||||||
|
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
|
||||||
|
default=True, help="generate refpolicy style output")
|
||||||
|
|
||||||
|
@@ -80,11 +86,11 @@
|
||||||
options, args = parser.parse_args()
|
options, args = parser.parse_args()
|
||||||
|
|
||||||
# Make -d, -a, and -i conflict
|
# Make -d, -a, and -i conflict
|
||||||
@ -33,7 +43,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
if options.input is not None and options.dmesg is True:
|
if options.input is not None and options.dmesg is True:
|
||||||
sys.stderr.write("error: --input conflicts with --dmesg\n")
|
sys.stderr.write("error: --input conflicts with --dmesg\n")
|
||||||
|
|
||||||
@@ -129,6 +132,12 @@
|
@@ -129,6 +135,12 @@
|
||||||
except OSError, e:
|
except OSError, e:
|
||||||
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
|
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
@ -46,7 +56,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
else:
|
else:
|
||||||
# This is the default if no input is specified
|
# This is the default if no input is specified
|
||||||
f = sys.stdin
|
f = sys.stdin
|
||||||
@@ -220,63 +229,44 @@
|
@@ -220,63 +232,44 @@
|
||||||
|
|
||||||
def __output_audit2why(self):
|
def __output_audit2why(self):
|
||||||
import selinux
|
import selinux
|
||||||
@ -122,7 +132,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
print "\t\tMissing role allow rule.\n"
|
print "\t\tMissing role allow rule.\n"
|
||||||
print "\t\tAdd an allow rule for the role pair.\n"
|
print "\t\tAdd an allow rule for the role pair.\n"
|
||||||
continue
|
continue
|
||||||
@@ -344,5 +334,6 @@
|
@@ -314,7 +307,7 @@
|
||||||
|
g.set_gen_requires(True)
|
||||||
|
|
||||||
|
# Generate the policy
|
||||||
|
- g.add_access(self.__avs)
|
||||||
|
+ g.add_access(self.__avs, self.__options.dontaudit)
|
||||||
|
g.add_role_types(self.__role_types)
|
||||||
|
|
||||||
|
# Output
|
||||||
|
@@ -344,5 +337,6 @@
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
@ -2346,8 +2365,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
+}
|
+}
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
|
||||||
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
|
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
|
||||||
+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500
|
+++ policycoreutils-2.0.78/semanage/semanage 2010-01-08 09:24:07.000000000 -0500
|
||||||
@@ -32,23 +32,32 @@
|
@@ -32,25 +32,34 @@
|
||||||
try:
|
try:
|
||||||
gettext.install(PROGNAME,
|
gettext.install(PROGNAME,
|
||||||
localedir="/usr/share/locale",
|
localedir="/usr/share/locale",
|
||||||
@ -2381,8 +2400,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
semanage interface -{a|d|m} [-tr] interface_spec
|
semanage interface -{a|d|m} [-tr] interface_spec
|
||||||
+semanage module -{a|d|m} [--enable|--disable] module
|
+semanage module -{a|d|m} [--enable|--disable] module
|
||||||
semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
|
semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
|
||||||
semanage fcontext -{a|d|m} [-frst] file_spec
|
-semanage fcontext -{a|d|m} [-frst] file_spec
|
||||||
|
+semanage fcontext -{a|d|m} [-efrst] file_spec
|
||||||
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
|
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
|
||||||
|
semanage permissive -{d|a} type
|
||||||
|
semanage dontaudit [ on | off ]
|
||||||
@@ -61,7 +70,9 @@
|
@@ -61,7 +70,9 @@
|
||||||
-d, --delete Delete a OBJECT record NAME
|
-d, --delete Delete a OBJECT record NAME
|
||||||
-m, --modify Modify a OBJECT record NAME
|
-m, --modify Modify a OBJECT record NAME
|
||||||
@ -2397,7 +2419,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
-F, --file Treat target as an input file for command, change multiple settings
|
-F, --file Treat target as an input file for command, change multiple settings
|
||||||
-p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
|
-p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
|
||||||
-M, --mask Netmask
|
-M, --mask Netmask
|
||||||
+ -e, --equal Make target equal to this paths labeling
|
+ -e, --equal Substitue source path for dest path when labeling
|
||||||
-P, --prefix Prefix for home directory labeling
|
-P, --prefix Prefix for home directory labeling
|
||||||
-L, --level Default SELinux Level (MLS/MCS Systems only)
|
-L, --level Default SELinux Level (MLS/MCS Systems only)
|
||||||
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")
|
-R, --roles SELinux Roles (ex: "sysadm_r staff_r")
|
||||||
@ -2675,6 +2697,40 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||||||
process_args(mkargv(l))
|
process_args(mkargv(l))
|
||||||
trans.finish()
|
trans.finish()
|
||||||
else:
|
else:
|
||||||
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.78/semanage/semanage.8
|
||||||
|
--- nsapolicycoreutils/semanage/semanage.8 2009-11-18 17:06:03.000000000 -0500
|
||||||
|
+++ policycoreutils-2.0.78/semanage/semanage.8 2010-01-08 09:32:28.000000000 -0500
|
||||||
|
@@ -19,6 +19,8 @@
|
||||||
|
.br
|
||||||
|
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
|
||||||
|
.br
|
||||||
|
+.B semanage fcontext \-{a|d|m} \-e src_path tgt_path
|
||||||
|
+.br
|
||||||
|
.B semanage permissive \-{a|d} type
|
||||||
|
.br
|
||||||
|
.B semanage dontaudit [ on | off ]
|
||||||
|
@@ -52,6 +54,12 @@
|
||||||
|
.I \-D, \-\-deleteall
|
||||||
|
Remove all OBJECTS local customizations
|
||||||
|
.TP
|
||||||
|
+.I \-e, \-\-equal
|
||||||
|
+Substitute src path for targetpath when labeling. This is used with
|
||||||
|
+fcontext. Requires source and destination path arguments. The context
|
||||||
|
+labeling for the destination subtree is made equivalent to that
|
||||||
|
+defined for the source.
|
||||||
|
+.TP
|
||||||
|
.I \-f, \-\-ftype
|
||||||
|
File Type. This is used with fcontext.
|
||||||
|
Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
|
||||||
|
@@ -110,6 +118,8 @@
|
||||||
|
$ semanage login -a -s user_u %clerks
|
||||||
|
# Add file-context for everything under /web (used by restorecon)
|
||||||
|
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
|
||||||
|
+# Make /home1 labeling equivalent to /home (used by restorecon)
|
||||||
|
+$ semanage fcontext -a -e /home1 /home
|
||||||
|
# Allow Apache to listen on port 81
|
||||||
|
$ semanage port -a -t http_port_t -p tcp 81
|
||||||
|
# Change apache to a permissive domain
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
|
||||||
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
|
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
|
||||||
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500
|
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500
|
||||||
|
@ -202,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
|||||||
-
|
-
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
|
||||||
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
|
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
|
||||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-16 08:20:45.000000000 -0500
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500
|
||||||
@@ -29,6 +29,8 @@
|
@@ -29,6 +29,8 @@
|
||||||
import access
|
import access
|
||||||
import interfaces
|
import interfaces
|
||||||
@ -221,10 +221,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
|
|||||||
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
||||||
"""Set whether reference policy interfaces are generated.
|
"""Set whether reference policy interfaces are generated.
|
||||||
|
|
||||||
@@ -144,8 +146,35 @@
|
@@ -141,15 +143,42 @@
|
||||||
def __add_allow_rules(self, avs):
|
"""Return the generated module"""
|
||||||
|
return self.module
|
||||||
|
|
||||||
|
- def __add_allow_rules(self, avs):
|
||||||
|
+ def __add_allow_rules(self, avs, dontaudit):
|
||||||
for av in avs:
|
for av in avs:
|
||||||
rule = refpolicy.AVRule(av)
|
- rule = refpolicy.AVRule(av)
|
||||||
|
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
|
||||||
+ rule.comment = ""
|
+ rule.comment = ""
|
||||||
if self.explain:
|
if self.explain:
|
||||||
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
|
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
|
||||||
@ -257,6 +262,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
|
|||||||
self.module.children.append(rule)
|
self.module.children.append(rule)
|
||||||
|
|
||||||
|
|
||||||
|
- def add_access(self, av_set):
|
||||||
|
+ def add_access(self, av_set, dontaudit=False):
|
||||||
|
"""Add the access from the access vector set to this
|
||||||
|
module.
|
||||||
|
"""
|
||||||
|
@@ -165,7 +194,7 @@
|
||||||
|
raw_allow = av_set
|
||||||
|
|
||||||
|
# Generate the raw allow rules from the filtered list
|
||||||
|
- self.__add_allow_rules(raw_allow)
|
||||||
|
+ self.__add_allow_rules(raw_allow, dontaudit)
|
||||||
|
|
||||||
|
def add_role_types(self, role_type_set):
|
||||||
|
for role_type in role_type_set:
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
|
||||||
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
|
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
|
||||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
|
||||||
@ -271,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
|||||||
for name in filenames:
|
for name in filenames:
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
|
||||||
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
|
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
|
||||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:05:49.000000000 -0500
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500
|
||||||
@@ -398,6 +398,7 @@
|
@@ -398,6 +398,7 @@
|
||||||
return "attribute %s;" % self.name
|
return "attribute %s;" % self.name
|
||||||
|
|
||||||
@ -280,11 +299,21 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py polic
|
|||||||
|
|
||||||
class AVRule(Leaf):
|
class AVRule(Leaf):
|
||||||
"""SELinux access vector (AV) rule.
|
"""SELinux access vector (AV) rule.
|
||||||
@@ -426,15 +427,17 @@
|
@@ -420,21 +421,26 @@
|
||||||
|
AUDITALLOW = 2
|
||||||
|
NEVERALLOW = 3
|
||||||
|
|
||||||
|
- def __init__(self, av=None, parent=None):
|
||||||
|
+ def __init__(self, av=None, parent=None, dontaudit=False):
|
||||||
|
Leaf.__init__(self, parent)
|
||||||
|
self.src_types = IdSet()
|
||||||
self.tgt_types = IdSet()
|
self.tgt_types = IdSet()
|
||||||
self.obj_classes = IdSet()
|
self.obj_classes = IdSet()
|
||||||
self.perms = IdSet()
|
self.perms = IdSet()
|
||||||
- self.rule_type = self.ALLOW
|
- self.rule_type = self.ALLOW
|
||||||
|
+ if dontaudit:
|
||||||
|
+ self.rule_type = audit2why.DONTAUDIT
|
||||||
|
+ else:
|
||||||
+ self.rule_type = audit2why.TERULE
|
+ self.rule_type = audit2why.TERULE
|
||||||
if av:
|
if av:
|
||||||
self.from_av(av)
|
self.from_av(av)
|
||||||
|
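Review bot: `AVRule.__init__` now stores `audit2why.DONTAUDIT` or `audit2why.TERULE` in `self.rule_type`, while the class still carries its own rule-type constants (`AUDITALLOW = 2` and `NEVERALLOW = 3` are visible as context, and the replaced line assigned `self.ALLOW`), so any code that compares `rule_type` against the class constants — the rendering of the rule as `allow` versus `dontaudit` lies outside this hunk — only works if the two value sets happen to coincide, and it is not visible here whether refpolicy.py imports `audit2why` at all. The safer assignment is `self.rule_type = self.DONTAUDIT if dontaudit else self.ALLOW`, assuming the class defines `DONTAUDIT` alongside `ALLOW`. Because `dontaudit` rules suppress logging of the matched denials and therefore hide them from later audit2allow/audit2why runs, the new `-D` option in audit2allow should say so in its help string, e.g. `help="generate dontaudit rules (suppresses logging of the matched denials)"`, and the `add_access` docstring should document the new `dontaudit` parameter. The new semanage usage line also carries a typo in user-facing text: `-e, --equal Substitute source path for dest path when labeling`.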
@ -6,7 +6,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.0.78
|
Version: 2.0.78
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
@ -297,6 +297,10 @@ fi
|
|||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9
|
||||||
|
- Add -e to semanage man page
|
||||||
|
- Add -D qualifier to audit2allow to generate dontaudit rules
|
||||||
|
|
||||||
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-8
|
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-8
|
||||||
- Speed up audit2allow processing of audit2why comments
|
- Speed up audit2allow processing of audit2why comments
|
||||||
|
|
||||||
|