policycoreutils-2.5-5

- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy
  files (#1319338)
Petr Lautrbach 2016-04-08 20:52:33 +02:00
parent e41aa2fbd5
commit 6c6496a616
2 changed files with 91 additions and 2 deletions


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.5 Version: 2.5
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,7 +20,7 @@ Source4: sepolicy-icons.tgz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
# HEAD https://github.com/fedora-selinux/selinux/commit/c3819c97e4231166cfb2ae64e623546bd26a5627 # HEAD https://github.com/fedora-selinux/selinux/commit/4bfb84c7ff7b33cf06b9a6b2317d24054b9db562
Patch: policycoreutils-fedora.patch Patch: policycoreutils-fedora.patch
# $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen # $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
Patch1: sepolgen-fedora.patch Patch1: sepolgen-fedora.patch
@ -408,6 +408,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
- sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files (#1319338)
* Fri Mar 18 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4 * Fri Mar 18 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
- Add documentation for MCS separated domains - Add documentation for MCS separated domains
- Move svirt man page out of libvirt into its own - Move svirt man page out of libvirt into its own


@ -1,3 +1,13 @@
diff --git sepolgen-1.2.3/ChangeLog sepolgen-1.2.3/ChangeLog
index 7cc0a18..c1ee815 100644
--- sepolgen-1.2.3/ChangeLog
+++ sepolgen-1.2.3/ChangeLog
@@ -1,3 +1,5 @@
+ * Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
+
1.2.3 2016-02-23
* Support latest refpolicy interfaces, from Nicolas Iooss.
* Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss.
diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py
index a5d8698..7606561 100644 index a5d8698..7606561 100644
--- sepolgen-1.2.3/src/sepolgen/access.py --- sepolgen-1.2.3/src/sepolgen/access.py
@ -252,3 +262,79 @@ index 34c8401..f374132 100644
if av.type == audit2why.ALLOW: if av.type == audit2why.ALLOW:
rule.comment += "\n#!!!! This avc is allowed in the current policy" rule.comment += "\n#!!!! This avc is allowed in the current policy"
if av.type == audit2why.DONTAUDIT: if av.type == audit2why.DONTAUDIT:
diff --git sepolgen-1.2.3/src/sepolgen/refparser.py sepolgen-1.2.3/src/sepolgen/refparser.py
index 9b1d0c8..2cef8e8 100644
--- sepolgen-1.2.3/src/sepolgen/refparser.py
+++ sepolgen-1.2.3/src/sepolgen/refparser.py
@@ -113,6 +113,7 @@ tokens = (
'AUDITALLOW',
'NEVERALLOW',
'PERMISSIVE',
+ 'TYPEBOUNDS',
'TYPE_TRANSITION',
'TYPE_CHANGE',
'TYPE_MEMBER',
@@ -178,6 +179,7 @@ reserved = {
'auditallow' : 'AUDITALLOW',
'neverallow' : 'NEVERALLOW',
'permissive' : 'PERMISSIVE',
+ 'typebounds' : 'TYPEBOUNDS',
'type_transition' : 'TYPE_TRANSITION',
'type_change' : 'TYPE_CHANGE',
'type_member' : 'TYPE_MEMBER',
@@ -502,6 +504,7 @@ def p_policy_stmt(p):
'''policy_stmt : gen_require
| avrule_def
| typerule_def
+ | typebound_def
| typeattribute_def
| roleattribute_def
| interface_call
@@ -823,6 +826,13 @@ def p_typerule_def(p):
t.file_name = p[7]
p[0] = t
+def p_typebound_def(p):
+ '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
+ t = refpolicy.TypeBound()
+ t.type = p[2]
+ t.tgt_types.update(p[3])
+ p[0] = t
+
def p_bool(p):
'''bool : BOOL IDENTIFIER TRUE SEMI
| BOOL IDENTIFIER FALSE SEMI'''
diff --git sepolgen-1.2.3/src/sepolgen/refpolicy.py sepolgen-1.2.3/src/sepolgen/refpolicy.py
index 31b40d8..2ee029c 100644
--- sepolgen-1.2.3/src/sepolgen/refpolicy.py
+++ sepolgen-1.2.3/src/sepolgen/refpolicy.py
@@ -112,6 +112,9 @@ class Node(PolicyBase):
def typerules(self):
return filter(lambda x: isinstance(x, TypeRule), walktree(self))
+ def typebounds(self):
+ return filter(lambda x: isinstance(x, TypeBound), walktree(self))
+
def typeattributes(self):
"""Iterate over all of the TypeAttribute children of this Interface."""
return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
@@ -522,6 +525,19 @@ class TypeRule(Leaf):
self.tgt_types.to_space_str(),
self.obj_classes.to_space_str(),
self.dest_type)
+class TypeBound(Leaf):
+ """SElinux typebound statement.
+
+ This class represents a typebound statement.
+ """
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
+ self.type = ""
+ self.tgt_types = IdSet()
+
+ def to_string(self):
+ return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
+
class RoleAllow(Leaf):
def __init__(self, parent=None):
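Review bot: `Node.typebounds` in the refpolicy.py hunk at line 112 is added without a docstring although its neighbour `typeattributes` documents itself; add `"""Iterate over all of the TypeBound children of this Interface."""` so the two read alike (the enclosing `Node` class header is outside the hunk). The `TypeBound` class docstring describes a "typebound statement", while the keyword the parser matches via `TYPEBOUNDS` and the text `to_string` emits is `typebounds`; `"""SELinux typebounds statement: a bounding type and the comma-separated types it bounds."""` keeps the docstring consistent with the emitted syntax. Nothing in these hunks shows a consumer of the new node beyond parsing and re-serialising it, so whether interface expansion acts on it cannot be told from here; if the intent is only that interface files containing `typebounds` no longer fail to parse, a one-line comment on `p_typebound_def` stating that would spare the next reader a search.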