rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

policycoreutils-2.6-1.1

Browse Source 
- Update to upstream release 2016-10-14
This commit is contained in:
Petr Lautrbach 2017-02-15 13:41:54 +01:00
parent d6bd0d5a9b
commit 6d99bda7c6
5 changed files with 507 additions and 634276 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -239,3 +239,5 @@ policycoreutils-2.0.83.tgz
/policycoreutils-2.5-rc1.tar.gz
/policycoreutils-2.5.tar.gz
/sepolgen-1.2.3.tar.gz
/policycoreutils-2.6.tar.gz
/sepolgen-2.6.tar.gz

634228
policycoreutils-fedora.patch
View File

File diff suppressed because it is too large Load Diff

153
policycoreutils.spec
View File

@ -1,20 +1,20 @@
%global libauditver 2.1.3-4
%global libsepolver 2.5-10
%global libsemanagever 2.5-8
%global libselinuxver 2.5-13
%global sepolgenver 1.2.3
%global libsepolver 2.6-0
%global libsemanagever 2.6-0
%global libselinuxver 2.6-0
%global sepolgenver 2.6
%global generatorsdir %{_prefix}/lib/systemd/system-generators
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.5
Release: 22%{?dist}
Version: 2.6
Release: 1.1%{?dist}
License: GPLv2
Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/policycoreutils-2.5.tar.gz
Source1:https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/sepolgen-1.2.3.tar.gz
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/policycoreutils-2.6.tar.gz
Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014/sepolgen-2.6.tar.gz
URL: http://www.selinuxproject.org
Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png
@ -26,11 +26,11 @@ Source8: selinux-autorelabel.target
Source9: selinux-autorelabel-generator.sh
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
# HEAD https://github.com/fedora-selinux/selinux/commit/223fc83c6e68cead9b3d8d4e5ca7e95a580952e7
# $ VERSION=2.6 ./make-fedora-selinux-patch.sh policycoreutils
# FIXME: HEAD https://github.com/fedora-selinux/selinux/commit/223fc83c6e68cead9b3d8d4e5ca7e95a580952e7
Patch: policycoreutils-fedora.patch
# $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
Patch1: sepolgen-fedora.patch
# $ VERSION=2.6 ./make-fedora-selinux-patch.sh sepolgen
# Patch1: sepolgen-fedora.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
# initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel
@ -40,7 +40,7 @@ Provides: /sbin/restorecon
BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python python-devel python3 python3-devel setools-devel >= 3.3.8-10
BuildRequires: python python-devel python3 python3-devel
BuildRequires: systemd
Requires: util-linux grep gawk diffutils rpm sed
Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >= %{libselinuxver}
@ -65,19 +65,19 @@ to switch roles.
# create selinux/ directory and extract %{SOURCE0} there
%setup -q -c -n selinux
%patch -p0 -b .policycoreutils-fedora
pushd policycoreutils-2.5
pushd policycoreutils-%{version}
popd
cp %{SOURCE3} policycoreutils-2.5/gui/
tar -xvf %{SOURCE4} -C policycoreutils-2.5/
cp %{SOURCE3} policycoreutils-%{version}/gui/
tar -xvf %{SOURCE4} -C policycoreutils-%{version}/
# extract {%SOURCE1} in selinux/ directory
%setup -T -D -a 1 -n selinux
%patch1 -p0 -b .sepolgen-fedora
# %patch1 -p0 -b .sepolgen-fedora
%build
make -C policycoreutils-2.5 LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
make -C sepolgen-1.2.3 SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
make -C policycoreutils-%{version} LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
make -C sepolgen-%{version} SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
%install
mkdir -p %{buildroot}%{_bindir}
@ -87,14 +87,14 @@ mkdir -p %{buildroot}%{_mandir}/man5
mkdir -p %{buildroot}%{_mandir}/man8
%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
make -C policycoreutils-2.5 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
make -C policycoreutils-2.5 PYTHON=python3 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
make -C policycoreutils-%{version} LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
make -C policycoreutils-%{version} PYTHON=python3 LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" SEMODULE_PATH="/usr/sbin" install
# Systemd
rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond
make -C sepolgen-1.2.3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" install
make -C sepolgen-1.2.3 PYTHON=python3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" install
make -C sepolgen-%{version} DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" install
make -C sepolgen-%{version} PYTHON=python3 DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LIBDIR="%{buildroot}%{_libdir}" install
tar -jxf %{SOURCE2} -C %{buildroot}/
rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
@ -135,7 +135,22 @@ ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.
# change /usr/bin/python3 to /usr/bin/python in policycoreutils-python
find %{buildroot}%{python_sitelib} %{buildroot}%{python_sitearch} -type f | xargs \
sed -i '1s/\(#! *\/usr\/bin\/python\)3/\1/'
sed -i '1s%\(#! */usr/bin/python\)3%\1%'
# change /usr/bin/python to /usr/bin/python3 in policycoreutils-python3
find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} -type f | xargs \
sed -i '1s%\(#! */usr/bin/python\)\([^3].*\|\)$%\13\2%'
# change /usr/bin/python to /usr/bin/python3 in python-utils
sed -i '1s%\(#! */usr/bin/python\)\([^3].*\|\)$%\13\2%' \
%{buildroot}%{_sbindir}/semanage \
%{buildroot}%{_bindir}/chcat \
%{buildroot}%{_bindir}/sandbox \
%{buildroot}%{_bindir}/audit2allow \
%{buildroot}%{_bindir}/audit2why \
%{buildroot}%{_bindir}/sepolicy \
%{buildroot}%{_bindir}/sepolgen{,-ifgen} \
%nil
%find_lang %{name}
@ -177,32 +192,30 @@ Requires:libsemanage-python3 >= %{libsemanagever} libselinux-python3 libcgroup
Requires:audit-libs-python3 >= %{libauditver}
Requires: python-IPy-python3
Requires: checkpolicy
Requires: setools-python3
%description python3
The policycoreutils-python3 package contains the interfaces that can be used
by python 3 in an SELinux environment.
%files python3
%dir %{python3_sitelib}/seobject
%{python3_sitelib}/seobject/__init__.py*
%{python3_sitelib}/seobject/__pycache__
%{python3_sitelib}/seobject*.egg-info
%{python3_sitearch}/seobject.py*
%{python3_sitearch}/__pycache__
%{python3_sitearch}/sepolgen
%dir %{python3_sitearch}/sepolicy
%{python3_sitearch}/sepolicy/*so
%{python3_sitearch}/sepolicy/templates
%dir %{python3_sitearch}/sepolicy/help
%{python3_sitearch}/sepolicy/help/*
%{python3_sitearch}/sepolicy/__init__.py*
%{python3_sitearch}/sepolicy/booleans.py*
%{python3_sitearch}/sepolicy/communicate.py*
%{python3_sitearch}/sepolicy/interface.py*
%{python3_sitearch}/sepolicy/manpage.py*
%{python3_sitearch}/sepolicy/network.py*
%{python3_sitearch}/sepolicy/transition.py*
%{python3_sitearch}/sepolicy/sedbus.py*
%{python3_sitearch}/sepolicy*.egg-info
%{python3_sitearch}/sepolicy/__pycache__
%{python3_sitelib}/sepolicy/templates
%dir %{python3_sitelib}/sepolicy/help
%{python3_sitelib}/sepolicy/help/*
%{python3_sitelib}/sepolicy/__init__.py*
%{python3_sitelib}/sepolicy/booleans.py*
%{python3_sitelib}/sepolicy/communicate.py*
%{python3_sitelib}/sepolicy/generate.py*
%{python3_sitelib}/sepolicy/interface.py*
%{python3_sitelib}/sepolicy/manpage.py*
%{python3_sitelib}/sepolicy/network.py*
%{python3_sitelib}/sepolicy/transition.py*
%{python3_sitelib}/sepolicy/sedbus.py*
%{python3_sitelib}/sepolicy*.egg-info
%{python3_sitelib}/sepolicy/__pycache__
%package python
Summary: SELinux policy core python utilities
@ -213,30 +226,26 @@ Requires:audit-libs-python >= %{libauditver}
Obsoletes: policycoreutils < 2.0.61-2
Requires: python-IPy
Requires: checkpolicy
Requires: setools-python
%description python
The policycoreutils-python package contains the management tools use to manage
an SELinux environment.
%files python
%dir %{python_sitelib}/seobject
%{python_sitelib}/seobject/__init__.py*
%{python_sitelib}/seobject*.egg-info
%{python_sitearch}/seobject.py*
%{python_sitearch}/sepolgen
%dir %{python_sitearch}/sepolicy
%{python_sitearch}/sepolicy/*so
%{python_sitearch}/sepolicy/templates
%{python_sitearch}/sepolicy/__init__.py*
%{python_sitearch}/sepolicy/booleans.py*
%{python_sitearch}/sepolicy/communicate.py*
%{python_sitearch}/sepolicy/interface.py*
%{python_sitearch}/sepolicy/manpage.py*
%{python_sitearch}/sepolicy/network.py*
%{python_sitearch}/sepolicy/transition.py*
%{python_sitearch}/sepolicy/sedbus.py*
%{python_sitearch}/%{name}*.egg-info
%{python_sitearch}/sepolicy*.egg-info
%{python_sitearch}/%{name}
%{python_sitelib}/sepolicy/templates
%{python_sitelib}/sepolicy/__init__.py*
%{python_sitelib}/sepolicy/booleans.py*
%{python_sitelib}/sepolicy/communicate.py*
%{python_sitelib}/sepolicy/generate.py*
%{python_sitelib}/sepolicy/interface.py*
%{python_sitelib}/sepolicy/manpage.py*
%{python_sitelib}/sepolicy/network.py*
%{python_sitelib}/sepolicy/transition.py*
%{python_sitelib}/sepolicy/sedbus.py*
%{python_sitelib}/sepolicy*.egg-info
%package devel
Summary: SELinux policy core policy devel utilities
@ -255,8 +264,6 @@ The policycoreutils-devel package contains the management tools use to develop p
%dir /var/lib/sepolgen
/var/lib/sepolgen/perm_map
%{_bindir}/sepolicy
%{python_sitearch}/sepolicy/generate.py*
%{python3_sitearch}/sepolicy/generate.py*
%{_mandir}/man8/sepolgen.8*
%{_mandir}/man8/sepolicy-booleans.8*
%{_mandir}/man8/sepolicy-generate.8*
@ -337,12 +344,12 @@ system-config-selinux is a utility for managing the SELinux environment
%{_datadir}/system-config-selinux/system-config-selinux.png
%{_datadir}/system-config-selinux/*.py*
%{_datadir}/system-config-selinux/*.glade
%{python_sitearch}/sepolicy/gui.py*
%{python_sitearch}/sepolicy/sepolicy.glade
%dir %{python_sitearch}/sepolicy/help
%{python_sitearch}/sepolicy/help/*
%{python3_sitearch}/sepolicy/gui.py*
%{python3_sitearch}/sepolicy/sepolicy.glade
%{python_sitelib}/sepolicy/gui.py*
%{python_sitelib}/sepolicy/sepolicy.glade
%dir %{python_sitelib}/sepolicy/help
%{python_sitelib}/sepolicy/help/*
%{python3_sitelib}/sepolicy/gui.py*
%{python3_sitelib}/sepolicy/sepolicy.glade
%{_datadir}/icons/hicolor/*/apps/sepolicy.png
%{_datadir}/pixmaps/sepolicy.png
%{_mandir}/man8/system-config-selinux.8*
@ -366,6 +373,7 @@ fi
%files -f %{name}.lang
%{_sbindir}/restorecon
%{_sbindir}/restorecon_xattr
%{_sbindir}/fixfiles
%{_sbindir}/setfiles
%{_sbindir}/load_policy
@ -391,6 +399,7 @@ fi
%{_mandir}/ru/man8/load_policy.8*
%{_mandir}/man8/restorecon.8*
%{_mandir}/ru/man8/restorecon.8*
%{_mandir}/man8/restorecon_xattr.8*
%{_mandir}/man8/semodule.8*
%{_mandir}/ru/man8/semodule.8*
%{_mandir}/man8/sestatus.8*
@ -403,7 +412,7 @@ fi
%{_mandir}/ru/man1/secon.1*
%{_mandir}/man8/genhomedircon.8*
%{!?_licensedir:%global license %%doc}
%license policycoreutils-2.5/COPYING
%license policycoreutils-%{version}/COPYING
%doc %{_usr}/share/doc/%{name}
%package restorecond
@ -424,7 +433,7 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_mandir}/man8/restorecond.8*
%{_mandir}/ru/man8/restorecond.8*
%{!?_licensedir:%global license %%doc}
%license policycoreutils-2.5/COPYING
%license policycoreutils-%{version}/COPYING
%post restorecond
%systemd_post restorecond.service
@ -436,6 +445,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Feb 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1.1
- Fix pp crash when processing base module (#1417200)
- Update to upstream release 2016-10-14
* Wed Feb 15 2017 Igor Gnatenko <ignatenko@redhat.com> - 2.5-22
- Rebuild for brp-python-bytecompile

394
sepolgen-fedora.patch
View File

@ -1,394 +0,0 @@
diff --git sepolgen-1.2.3/ChangeLog sepolgen-1.2.3/ChangeLog
index 7cc0a18..bda7a2e 100644
--- sepolgen-1.2.3/ChangeLog
+++ sepolgen-1.2.3/ChangeLog
@@ -1,3 +1,6 @@
+ * Remove additional files when cleaning, from Nicolas Iooss.
+ * Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
+
1.2.3 2016-02-23
* Support latest refpolicy interfaces, from Nicolas Iooss.
* Make sepolgen-ifgen output deterministic with Python>=3.3, from Nicolas Iooss.
diff --git sepolgen-1.2.3/src/sepolgen/Makefile sepolgen-1.2.3/src/sepolgen/Makefile
index 9ac7651..d3aa771 100644
--- sepolgen-1.2.3/src/sepolgen/Makefile
+++ sepolgen-1.2.3/src/sepolgen/Makefile
@@ -11,5 +11,4 @@ install: all
clean:
rm -f parser.out parsetab.py
rm -f *~ *.pyc
-
-
+ rm -rf __pycache__
diff --git sepolgen-1.2.3/src/sepolgen/access.py sepolgen-1.2.3/src/sepolgen/access.py
index a5d8698..7606561 100644
--- sepolgen-1.2.3/src/sepolgen/access.py
+++ sepolgen-1.2.3/src/sepolgen/access.py
@@ -90,6 +90,8 @@ class AccessVector(util.Comparison):
self.audit_msgs = []
self.type = audit2why.TERULE
self.data = []
+ self.obj_path = None
+ self.base_type = None
# when implementing __eq__ also __hash__ is needed on py2
# if object is muttable __hash__ should be None
self.__hash__ = None
@@ -138,6 +140,29 @@ class AccessVector(util.Comparison):
return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
self.obj_class, self.perms.to_space_str())
+ def base_file_type(self):
+ base_type_array = []
+ base_type_array = [self.base_type, self.tgt_type, self.src_type]
+ return base_type_array
+
+ def __cmp__(self, other):
+ if self.src_type != other.src_type:
+ return cmp(self.src_type, other.src_type)
+ if self.tgt_type != other.tgt_type:
+ return cmp(self.tgt_type, other.tgt_type)
+ if self.obj_class != self.obj_class:
+ return cmp(self.obj_class, other.obj_class)
+ if len(self.perms) != len(other.perms):
+ return cmp(len(self.perms), len(other.perms))
+ x = list(self.perms)
+ x.sort()
+ y = list(other.perms)
+ y.sort()
+ for pa, pb in zip(x, y):
+ if pa != pb:
+ return cmp(pa, pb)
+ return 0
+
def _compare(self, other, method):
try:
x = list(self.perms)
@@ -257,7 +282,8 @@ class AccessVectorSet:
for av in l:
self.add_av(AccessVector(av))
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
+ def add(self, src_type, tgt_type, obj_class, perms, obj_path=None,
+ base_type=None, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
"""Add an access vector to the set.
"""
tgt = self.src.setdefault(src_type, { })
@@ -270,7 +296,9 @@ class AccessVectorSet:
access.src_type = src_type
access.tgt_type = tgt_type
access.obj_class = obj_class
+ access.obj_path = obj_path
access.data = data
+ access.base_type = base_type
access.type = avc_type
cls[obj_class, avc_type] = access
diff --git sepolgen-1.2.3/src/sepolgen/audit.py sepolgen-1.2.3/src/sepolgen/audit.py
index 724d3ea..dad0724 100644
--- sepolgen-1.2.3/src/sepolgen/audit.py
+++ sepolgen-1.2.3/src/sepolgen/audit.py
@@ -176,6 +176,7 @@ class AVCMessage(AuditMessage):
self.exe = ""
self.path = ""
self.name = ""
+ self.ino = ""
self.accesses = []
self.denial = True
self.type = audit2why.TERULE
@@ -237,6 +238,10 @@ class AVCMessage(AuditMessage):
self.exe = fields[1][1:-1]
elif fields[0] == "name":
self.name = fields[1][1:-1]
+ elif fields[0] == "path":
+ self.path = fields[1][1:-1]
+ elif fields[0] == "ino":
+ self.ino = fields[1]
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@@ -361,7 +366,9 @@ class AuditParser:
self.path_msgs = []
self.by_header = { }
self.check_input_file = False
-
+ self.inode_dict = { }
+ self.__store_base_types()
+
# Low-level parsing function - tries to determine if this audit
# message is an SELinux related message and then parses it into
# the appropriate AuditMessage subclass. This function deliberately
@@ -499,6 +506,61 @@ class AuditParser:
return role_types
+ def __restore_path(self, name, inode):
+ import subprocess
+ import os
+ path = ""
+ # Optimizing
+ if name == "" or inode == "":
+ return path
+ for d in self.inode_dict:
+ if d == inode and self.inode_dict[d] == name:
+ return path
+ if d == inode and self.inode_dict[d] != name:
+ return self.inode_dict[d]
+ if inode not in self.inode_dict.keys():
+ self.inode_dict[inode] = name
+
+ command = "locate -b '\%s'" % name
+ try:
+ output = subprocess.check_output(command,
+ stderr=subprocess.STDOUT,
+ shell=True,
+ universal_newlines=True)
+ try:
+ ino = int(inode)
+ except ValueError:
+ pass
+ for file in output.split("\n"):
+ try:
+ if int(os.lstat(file).st_ino) == ino:
+ self.inode_dict[inode] = path = file
+ return path
+ except:
+ pass
+ except subprocess.CalledProcessError as e:
+ pass
+ return path
+
+ def __store_base_types(self):
+ import sepolicy
+ self.base_types = sepolicy.get_types_from_attribute("base_file_type")
+
+ def __get_base_type(self, tcontext, scontext):
+ import sepolicy
+ # Prevent unnecessary searching
+ if (self.old_scontext == scontext and
+ self.old_tcontext == tcontext):
+ return
+ self.old_scontext = scontext
+ self.old_tcontext = tcontext
+ for btype in self.base_types:
+ if btype == tcontext:
+ for writable in sepolicy.get_writable_files(scontext):
+ if writable.endswith(tcontext) and writable.startswith(scontext.rstrip("_t")):
+ return writable
+ return 0
+
def to_access(self, avc_filter=None, only_denials=True):
"""Convert the audit logs access into a an access vector set.
@@ -517,16 +579,23 @@ class AuditParser:
audit logs parsed by this object.
"""
av_set = access.AccessVectorSet()
+ self.old_scontext = ""
+ self.old_tcontext = ""
for avc in self.avc_msgs:
if avc.denial != True and only_denials:
continue
+ base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type)
+ if avc.path == "":
+ avc.path = self.__restore_path(avc.name, avc.ino)
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc, avc_type=avc.type, data=avc.data)
+ avc.accesses, avc.path, base_type, avc,
+ avc_type=avc.type, data=avc.data)
else:
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc, avc_type=avc.type, data=avc.data)
+ avc.accesses, avc.path, base_type, avc,
+ avc_type=avc.type, data=avc.data)
return av_set
class AVCTypeFilter:
diff --git sepolgen-1.2.3/src/sepolgen/policygen.py sepolgen-1.2.3/src/sepolgen/policygen.py
index 34c8401..f374132 100644
--- sepolgen-1.2.3/src/sepolgen/policygen.py
+++ sepolgen-1.2.3/src/sepolgen/policygen.py
@@ -82,8 +82,9 @@ class PolicyGenerator:
self.module = refpolicy.Module()
self.dontaudit = False
-
+ self.mislabled = None
self.domains = None
+
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -153,6 +154,18 @@ class PolicyGenerator:
"""Return the generated module"""
return self.module
+ def __restore_label(self, av):
+ import selinux
+ try:
+ context = selinux.matchpathcon(av.obj_path, 0)
+ split = context[1].split(":")[2]
+ if split != av.tgt_type:
+ self.mislabled = split
+ return
+ except OSError:
+ pass
+ self.mislabled = None
+
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
@@ -161,6 +174,34 @@ class PolicyGenerator:
rule.comment = ""
if self.explain:
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
+ # base_type[0] == 0 means there exists a base type but not the path
+ # base_type[0] == None means user isn't using base type
+ # base_type[1] contains the target context
+ # base_type[2] contains the source type
+ base_type = av.base_file_type()
+ if base_type[0] == 0 and av.type != audit2why.ALLOW:
+ rule.comment += "\n#!!!! WARNING: '%s' is a base type." % "".join(base_type[1])
+ for perm in av.perms:
+ if perm == "write" or perm == "create":
+ permission = True
+ break
+ else:
+ permission = False
+
+ # Catch perms 'write' and 'create' for base types
+ if (base_type[0] is not None and base_type[0] != 0
+ and permission and av.type != audit2why.ALLOW):
+ if av.obj_class == dir:
+ comp = "(/.*?)"
+ else:
+ comp = ""
+ rule.comment += "\n#!!!! WARNING '%s' is not allowed to write or create to %s. Change the label to %s." % ("".join(base_type[2]), "".join(base_type[1]), "".join(base_type[0]))
+ if av.obj_path != "":
+ rule.comment += "\n#!!!! $ semanage fcontext -a -t %s %s%s \n#!!!! $ restorecon -R -v %s" % ("".join(base_type[0]), "".join(av.obj_path), "".join(comp) ,"".join(av.obj_path))
+
+ self.__restore_label(av)
+ if self.mislabled is not None and av.type != audit2why.ALLOW:
+ rule.comment += "\n#!!!! The file '%s' is mislabeled on your system. \n#!!!! Fix with $ restorecon -R -v %s" % ("".join(av.obj_path), "".join(av.obj_path))
if av.type == audit2why.ALLOW:
rule.comment += "\n#!!!! This avc is allowed in the current policy"
if av.type == audit2why.DONTAUDIT:
diff --git sepolgen-1.2.3/src/sepolgen/refparser.py sepolgen-1.2.3/src/sepolgen/refparser.py
index 9b1d0c8..2cef8e8 100644
--- sepolgen-1.2.3/src/sepolgen/refparser.py
+++ sepolgen-1.2.3/src/sepolgen/refparser.py
@@ -113,6 +113,7 @@ tokens = (
'AUDITALLOW',
'NEVERALLOW',
'PERMISSIVE',
+ 'TYPEBOUNDS',
'TYPE_TRANSITION',
'TYPE_CHANGE',
'TYPE_MEMBER',
@@ -178,6 +179,7 @@ reserved = {
'auditallow' : 'AUDITALLOW',
'neverallow' : 'NEVERALLOW',
'permissive' : 'PERMISSIVE',
+ 'typebounds' : 'TYPEBOUNDS',
'type_transition' : 'TYPE_TRANSITION',
'type_change' : 'TYPE_CHANGE',
'type_member' : 'TYPE_MEMBER',
@@ -502,6 +504,7 @@ def p_policy_stmt(p):
'''policy_stmt : gen_require
| avrule_def
| typerule_def
+ | typebound_def
| typeattribute_def
| roleattribute_def
| interface_call
@@ -823,6 +826,13 @@ def p_typerule_def(p):
t.file_name = p[7]
p[0] = t
+def p_typebound_def(p):
+ '''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
+ t = refpolicy.TypeBound()
+ t.type = p[2]
+ t.tgt_types.update(p[3])
+ p[0] = t
+
def p_bool(p):
'''bool : BOOL IDENTIFIER TRUE SEMI
| BOOL IDENTIFIER FALSE SEMI'''
diff --git sepolgen-1.2.3/src/sepolgen/refpolicy.py sepolgen-1.2.3/src/sepolgen/refpolicy.py
index 31b40d8..2ee029c 100644
--- sepolgen-1.2.3/src/sepolgen/refpolicy.py
+++ sepolgen-1.2.3/src/sepolgen/refpolicy.py
@@ -112,6 +112,9 @@ class Node(PolicyBase):
def typerules(self):
return filter(lambda x: isinstance(x, TypeRule), walktree(self))
+ def typebounds(self):
+ return filter(lambda x: isinstance(x, TypeBound), walktree(self))
+
def typeattributes(self):
"""Iterate over all of the TypeAttribute children of this Interface."""
return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
@@ -522,6 +525,19 @@ class TypeRule(Leaf):
self.tgt_types.to_space_str(),
self.obj_classes.to_space_str(),
self.dest_type)
+class TypeBound(Leaf):
+ """SElinux typebound statement.
+
+ This class represents a typebound statement.
+ """
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
+ self.type = ""
+ self.tgt_types = IdSet()
+
+ def to_string(self):
+ return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
+
class RoleAllow(Leaf):
def __init__(self, parent=None):
diff --git sepolgen-1.2.3/tests/.gitignore sepolgen-1.2.3/tests/.gitignore
new file mode 100644
index 0000000..c120af8
--- /dev/null
+++ sepolgen-1.2.3/tests/.gitignore
@@ -0,0 +1,4 @@
+module_compile_test.fc
+module_compile_test.if
+output
+tmp/
diff --git sepolgen-1.2.3/tests/Makefile sepolgen-1.2.3/tests/Makefile
index 924a9be..e17eef2 100644
--- sepolgen-1.2.3/tests/Makefile
+++ sepolgen-1.2.3/tests/Makefile
@@ -4,8 +4,11 @@ clean:
rm -f *~ *.pyc
rm -f parser.out parsetab.py
rm -f out.txt
+ rm -f module_compile_test.fc
+ rm -f module_compile_test.if
rm -f module_compile_test.pp
rm -f output
+ rm -rf __pycache__ tmp
test:
$(PYTHON) run-tests.py
diff --git sepolgen-1.2.3/tests/module_compile_test.te sepolgen-1.2.3/tests/module_compile_test.te
index 446c8dc..b365448 100644
--- sepolgen-1.2.3/tests/module_compile_test.te
+++ sepolgen-1.2.3/tests/module_compile_test.te
@@ -1,8 +1,8 @@
-module foo 1.0;
+module module_compile_test 1.0;
require {
type foo, bar;
class file { read write };
}
-allow foo bar : file { read write };
\ No newline at end of file
+allow foo bar : file { read write };

6
sources
View File

@ -1,3 +1,3 @@
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
9ad9331b2133262fb3f774359a7f4761 policycoreutils-2.5.tar.gz
d17b4072ed14d1f8d94ffd667ddc2864 sepolgen-1.2.3.tar.gz
SHA512 (policycoreutils_man_ru2.tar.bz2) = 7272801da169b8d7dd3f8b7e368a63a4fbb7ae94599f9384bc450d142e6b2a3805ab542d650cbe9c8978c2d8e5c56ef4c11f361abfefeaf184ec3a4b0d2afb4c
SHA512 (policycoreutils-2.6.tar.gz) = ba289060bc348f9315bce84a5e5daf145600274289fdd2206edc10bb0ee03f9b02a9e40e9c118809961ddfe7844dee7d8952d8c9a239af7282f4fc1614c21e9d
SHA512 (sepolgen-2.6.tar.gz) = b04d0b78416dde4857888f94bad1f6f83909cb4f9fb50519778ec8a50662be38ccac19f5fc6db269754cb63668c5324258ba4a4cb79440789b759ad5eb6148c0