* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9

- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules
This commit is contained in:
Daniel J Walsh 2010-01-08 14:37:32 +00:00
parent 0779b0302c
commit 6c22c6b1f6
3 changed files with 106 additions and 17 deletions

View File

@ -1,6 +1,6 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/audit2allow/audit2allow 2010-01-08 09:32:57.000000000 -0500
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
import sepolgen.defaults as defaults import sepolgen.defaults as defaults
import sepolgen.module as module import sepolgen.module as module
@ -18,7 +18,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
help="read input from audit log - conflicts with -i") help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
@@ -80,11 +83,11 @@ @@ -58,6 +61,9 @@
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
@@ -80,11 +86,11 @@
options, args = parser.parse_args() options, args = parser.parse_args()
# Make -d, -a, and -i conflict # Make -d, -a, and -i conflict
@ -33,7 +43,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
if options.input is not None and options.dmesg is True: if options.input is not None and options.dmesg is True:
sys.stderr.write("error: --input conflicts with --dmesg\n") sys.stderr.write("error: --input conflicts with --dmesg\n")
@@ -129,6 +132,12 @@ @@ -129,6 +135,12 @@
except OSError, e: except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1) sys.exit(1)
@ -46,7 +56,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
else: else:
# This is the default if no input is specified # This is the default if no input is specified
f = sys.stdin f = sys.stdin
@@ -220,63 +229,44 @@ @@ -220,63 +232,44 @@
def __output_audit2why(self): def __output_audit2why(self):
import selinux import selinux
@ -122,7 +132,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
print "\t\tMissing role allow rule.\n" print "\t\tMissing role allow rule.\n"
print "\t\tAdd an allow rule for the role pair.\n" print "\t\tAdd an allow rule for the role pair.\n"
continue continue
@@ -344,5 +334,6 @@ @@ -314,7 +307,7 @@
g.set_gen_requires(True)
# Generate the policy
- g.add_access(self.__avs)
+ g.add_access(self.__avs, self.__options.dontaudit)
g.add_role_types(self.__role_types)
# Output
@@ -344,5 +337,6 @@
sys.exit(0) sys.exit(0)
if __name__ == "__main__": if __name__ == "__main__":
@ -2346,8 +2365,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+} +}
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500 --- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/semanage/semanage 2010-01-08 09:24:07.000000000 -0500
@@ -32,23 +32,32 @@ @@ -32,25 +32,34 @@
try: try:
gettext.install(PROGNAME, gettext.install(PROGNAME,
localedir="/usr/share/locale", localedir="/usr/share/locale",
@ -2381,8 +2400,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
semanage interface -{a|d|m} [-tr] interface_spec semanage interface -{a|d|m} [-tr] interface_spec
+semanage module -{a|d|m} [--enable|--disable] module +semanage module -{a|d|m} [--enable|--disable] module
semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr semanage node -{a|d|m} [-tr] [ -p protocol ] [-M netmask] addr
semanage fcontext -{a|d|m} [-frst] file_spec -semanage fcontext -{a|d|m} [-frst] file_spec
+semanage fcontext -{a|d|m} [-efrst] file_spec
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
semanage permissive -{d|a} type
semanage dontaudit [ on | off ]
@@ -61,7 +70,9 @@ @@ -61,7 +70,9 @@
-d, --delete Delete a OBJECT record NAME -d, --delete Delete a OBJECT record NAME
-m, --modify Modify a OBJECT record NAME -m, --modify Modify a OBJECT record NAME
@ -2397,7 +2419,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
-F, --file Treat target as an input file for command, change multiple settings -F, --file Treat target as an input file for command, change multiple settings
-p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6) -p, --proto Port protocol (tcp or udp) or internet protocol version of node (ipv4 or ipv6)
-M, --mask Netmask -M, --mask Netmask
+ -e, --equal Make target equal to this paths labeling + -e, --equal Substitue source path for dest path when labeling
-P, --prefix Prefix for home directory labeling -P, --prefix Prefix for home directory labeling
-L, --level Default SELinux Level (MLS/MCS Systems only) -L, --level Default SELinux Level (MLS/MCS Systems only)
-R, --roles SELinux Roles (ex: "sysadm_r staff_r") -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
@ -2675,6 +2697,40 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
process_args(mkargv(l)) process_args(mkargv(l))
trans.finish() trans.finish()
else: else:
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.78/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage.8 2010-01-08 09:32:28.000000000 -0500
@@ -19,6 +19,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage fcontext \-{a|d|m} \-e src_path tgt_path
+.br
.B semanage permissive \-{a|d} type
.br
.B semanage dontaudit [ on | off ]
@@ -52,6 +54,12 @@
.I \-D, \-\-deleteall
Remove all OBJECTS local customizations
.TP
+.I \-e, \-\-equal
+Substitute src path for targetpath when labeling. This is used with
+fcontext. Requires source and destination path arguments. The context
+labeling for the destination subtree is made equivalent to that
+defined for the source.
+.TP
.I \-f, \-\-ftype
File Type. This is used with fcontext.
Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
@@ -110,6 +118,8 @@
$ semanage login -a -s user_u %clerks
# Add file-context for everything under /web (used by restorecon)
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
+# Make /home1 labeling equivalent to /home (used by restorecon)
+$ semanage fcontext -a -e /home1 /home
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
# Change apache to a permissive domain
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500 --- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500

View File

@ -202,7 +202,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
- -
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400 --- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-16 08:20:45.000000000 -0500 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2010-01-08 09:33:54.000000000 -0500
@@ -29,6 +29,8 @@ @@ -29,6 +29,8 @@
import access import access
import interfaces import interfaces
@ -221,10 +221,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
def set_gen_refpol(self, if_set=None, perm_maps=None): def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated. """Set whether reference policy interfaces are generated.
@@ -144,8 +146,35 @@ @@ -141,15 +143,42 @@
def __add_allow_rules(self, avs): """Return the generated module"""
return self.module
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, dontaudit):
for av in avs: for av in avs:
rule = refpolicy.AVRule(av) - rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
+ rule.comment = "" + rule.comment = ""
if self.explain: if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
@ -257,6 +262,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
self.module.children.append(rule) self.module.children.append(rule)
- def add_access(self, av_set):
+ def add_access(self, av_set, dontaudit=False):
"""Add the access from the access vector set to this
module.
"""
@@ -165,7 +194,7 @@
raw_allow = av_set
# Generate the raw allow rules from the filtered list
- self.__add_allow_rules(raw_allow)
+ self.__add_allow_rules(raw_allow, dontaudit)
def add_role_types(self, role_type_set):
for role_type in role_type_set:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400 --- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
@ -271,7 +290,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
for name in filenames: for name in filenames:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400 --- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:05:49.000000000 -0500 +++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2010-01-08 09:33:37.000000000 -0500
@@ -398,6 +398,7 @@ @@ -398,6 +398,7 @@
return "attribute %s;" % self.name return "attribute %s;" % self.name
@ -280,11 +299,21 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py polic
class AVRule(Leaf): class AVRule(Leaf):
"""SELinux access vector (AV) rule. """SELinux access vector (AV) rule.
@@ -426,15 +427,17 @@ @@ -420,21 +421,26 @@
AUDITALLOW = 2
NEVERALLOW = 3
- def __init__(self, av=None, parent=None):
+ def __init__(self, av=None, parent=None, dontaudit=False):
Leaf.__init__(self, parent)
self.src_types = IdSet()
self.tgt_types = IdSet() self.tgt_types = IdSet()
self.obj_classes = IdSet() self.obj_classes = IdSet()
self.perms = IdSet() self.perms = IdSet()
- self.rule_type = self.ALLOW - self.rule_type = self.ALLOW
+ if dontaudit:
+ self.rule_type = audit2why.DONTAUDIT
+ else:
+ self.rule_type = audit2why.TERULE + self.rule_type = audit2why.TERULE
if av: if av:
self.from_av(av) self.from_av(av)

View File

@ -6,7 +6,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.78 Version: 2.0.78
Release: 8%{?dist} Release: 9%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -297,6 +297,10 @@ fi
exit 0 exit 0
%changelog %changelog
* Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9
- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules
* Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-8 * Wed Jan 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-8
- Speed up audit2allow processing of audit2why comments - Speed up audit2allow processing of audit2why comments