From 70bff091facd2d969204958256a3b918045c0110 Mon Sep 17 00:00:00 2001 From: rhatdan Date: Sat, 27 Oct 2012 07:48:31 -0400 Subject: [PATCH] Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network --- policycoreutils-rhat.patch | 76 ++++++++++++-------------------------- policycoreutils.spec | 7 +++- 2 files changed, 28 insertions(+), 55 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 590f334..88b2ab0 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -336082,10 +336082,10 @@ index 0000000..dc3ce6a + diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c new file mode 100644 -index 0000000..e0a5466 +index 0000000..f4cc0b0 --- /dev/null +++ b/policycoreutils/sepolicy/info.c -@@ -0,0 +1,949 @@ +@@ -0,0 +1,928 @@ +/** + * @file + * Command line tool to search TE rules. @@ -336139,7 +336139,6 @@ index 0000000..e0a5466 +#include + +#define COPYRIGHT_INFO "Copyright (C) 2003-2007 Tresys Technology, LLC" -+static char *policy_file = NULL; + +enum input +{ 
@@ -336938,34 +336937,16 @@ index 0000000..e0a5466 + return list; +} + -+PyObject* info(int type, const char *name, const char *alt_policy_file) ++PyObject* info( const char *policy_file, int type, const char *name) +{ + PyObject* output = NULL; -+ int rt = -1; + apol_policy_t *policydb = NULL; + apol_policy_path_t *pol_path = NULL; + apol_vector_t *mod_paths = NULL; + apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC; + -+ if (alt_policy_file) { -+ policy_file = strdup(alt_policy_file); -+ if (!policy_file) { -+ apol_vector_destroy(&mod_paths); -+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM)); -+ return NULL; -+ } -+ } -+ else { -+ rt = qpol_default_policy_find(&policy_file); -+ if (rt != 0) { -+ PyErr_SetString(PyExc_RuntimeError,"No default policy found."); -+ return NULL; -+ } -+ } -+ + pol_path = apol_policy_path_create(path_type, policy_file, mod_paths); + if (!pol_path) { -+ free(policy_file); + apol_vector_destroy(&mod_paths); + PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM)); + return NULL; @@ -336976,12 +336957,10 @@ index 0000000..e0a5466 + policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM; + policydb = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL); + if (!policydb) { -+ free(policy_file); + apol_policy_path_destroy(&pol_path); + PyErr_SetString(PyExc_RuntimeError,strerror(errno)); + return NULL; + } -+ free(policy_file); + + /* display requested info */ + if (type == TYPE) @@ -337010,12 +336989,12 @@ index 0000000..e0a5466 +PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){ + unsigned int type; + char *name; -+ char *policy_file; ++ const char *policy_file; + -+ if (!PyArg_ParseTuple(args, "izz", &type, &name, &policy_file)) ++ if (!PyArg_ParseTuple(args, "ziz", &policy_file, &type, &name)) + return NULL; + -+ return Py_BuildValue("N",info(type, name, policy_file)); ++ return Py_BuildValue("N",info(policy_file, type, name)); + +} + 
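Review bot: The new `info()` signature drops the NULL fallback without replacing it: `wrap_info` parses the first argument with `z`, so a Python `None` arrives as `policy_file == NULL` and goes straight into `apol_policy_path_create(path_type, policy_file, mod_paths)`, where a failure is then reported as `strerror(ENOMEM)` rather than as a missing policy. A guard at the top of `info()` would make the failure explicit: `if (!policy_file) { PyErr_SetString(PyExc_ValueError, "policy_file must not be None"); return NULL; }`. The same concern applies to the later hunks in this file that remove the `free(policy_file)` calls and rework `wrap_info`; while the format string is being rewritten, `I` rather than `i` would match the `unsigned int type` it is parsed into. `info()` starts and ends outside this hunk.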
@@ -337037,10 +337016,10 @@ index 0000000..e0a5466 +} diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c new file mode 100644 -index 0000000..80421fc +index 0000000..a1aaa22 --- /dev/null +++ b/policycoreutils/sepolicy/search.c -@@ -0,0 +1,1022 @@ +@@ -0,0 +1,1008 @@ +// Author: Thomas Liu + +/** @@ -337102,7 +337081,6 @@ index 0000000..80421fc +#include + +#define COPYRIGHT_INFO "Copyright (C) 2012 Red Hat, Inc, Tresys Technology, LLC" -+static char *policy_file = NULL; + +enum opt_values +{ @@ -337827,7 +337805,8 @@ index 0000000..80421fc + return output; +} + -+PyObject* search(bool allow, ++PyObject* search(const char *policy_file, ++ bool allow, + bool neverallow, + bool auditallow, + bool dontaudit, @@ -337836,8 +337815,7 @@ index 0000000..80421fc + const char *src_name, + const char *tgt_name, + const char *class_name, -+ const char *permlist, -+ const char *alt_policy_file ++ const char *permlist + ) +{ + options_t cmd_opts; @@ -337849,9 +337827,6 @@ index 0000000..80421fc + apol_vector_t *mod_paths = NULL; + apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC; + -+ if (alt_policy_file) -+ policy_file = strdup(alt_policy_file); -+ + memset(&cmd_opts, 0, sizeof(cmd_opts)); + cmd_opts.indirect = true; + cmd_opts.allow = allow; @@ -337874,19 +337849,11 @@ index 0000000..80421fc + if (!(cmd_opts.nallow || cmd_opts.all)) + pol_opt |= QPOL_POLICY_OPTION_NO_NEVERALLOWS; + -+ if (! policy_file) { -+ rt = qpol_default_policy_find(&policy_file); -+ if (rt) { -+ PyErr_SetString(PyExc_RuntimeError,"No default policy found."); -+ return NULL; -+ } -+ } + pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM; + + if (apol_file_is_policy_path_list(policy_file) > 0) { + pol_path = apol_policy_path_create_from_file(policy_file); + if (!pol_path) { -+ free(policy_file); + PyErr_SetString(PyExc_RuntimeError,"invalid policy list"); + return NULL; + } 
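Review bot: `search()` now takes `policy_file` as a caller-supplied pointer but the hunk that removed the `qpol_default_policy_find` fallback leaves no NULL check before `apol_file_is_policy_path_list(policy_file)`, and the following hunk passes the same pointer to `apol_policy_path_create`. In `wrap_search`, `policy_path` comes from `Dict_ContainsString(dict, "policy")`, which by its name presumably yields NULL when the key is absent, so a missing key would reach those calls unchecked. A guard right after the option setup, `if (!policy_file) { PyErr_SetString(PyExc_ValueError, "no policy file given"); return NULL; }`, would turn that into a clear Python exception. With the `rt = qpol_default_policy_find(...)` assignment gone, the `rt` local may now be unused; its declaration is outside the hunk, so confirm and drop it if so. `search()` continues beyond every hunk shown here.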
@@ -337895,11 +337862,9 @@ index 0000000..80421fc + if (!pol_path) + pol_path = apol_policy_path_create(path_type, policy_file, mod_paths); + if (!pol_path) { -+ free(policy_file); + PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM)); + return NULL; + } -+ free(policy_file); + apol_vector_destroy(&mod_paths); + + policy = apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL); @@ -338051,7 +338016,7 @@ index 0000000..80421fc + const char *permlist = Dict_ContainsString(dict, "permlist"); + const char *policy_path = Dict_ContainsString(dict, "policy"); + -+ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist, policy_path)); ++ return Py_BuildValue("N",search(policy_path, allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist)); +} + +static PyMethodDef methods[] = { @@ -338065,10 +338030,10 @@ index 0000000..80421fc +} diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh new file mode 100644 -index 0000000..86b5af1 +index 0000000..c574a46 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh -@@ -0,0 +1,135 @@ +@@ -0,0 +1,139 @@ +# This file is part of systemd. +# +# Copyright 2011 Dan Walsh @@ -338167,6 +338132,10 @@ index 0000000..86b5af1 + COMPREPLY=( $(compgen -W "$( __get_all_port_types ) " -- "$cur") ) + return 0 + fi ++ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then ++ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") ) ++ return 0 ++ fi + COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) + return 0 + elif [ "$verb" = "communicate" ]; then @@ -338840,10 +338809,10 @@ index 0000000..5469729 + sys.exit(1) diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py new file mode 100644 -index 0000000..a55162f +index 0000000..fbd011c --- /dev/null 
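Review bot: The added `--domain` branch calls `__get_all_domain_types`, which this commit does not define: the file grows by exactly the four lines shown (135 to 139 in the hunk header), so the helper must already exist elsewhere in the completion script, otherwise completion after `-d` fails with a command-not-found error. Please confirm it is defined before merging. The `[ a -o b ]` form is obsolescent in POSIX test; if the surrounding file is bash-only, `if [[ "$prev" == "-d" || "$prev" == "--domain" ]]; then` is the more robust spelling. The enclosing `elif` chain starts and ends outside the hunk.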
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py -@@ -0,0 +1,90 @@ +@@ -0,0 +1,91 @@ +#!/usr/bin/env python + +# Author: Thomas Liu @@ -338851,6 +338820,7 @@ index 0000000..a55162f + +import _search +import _info ++import selinux + +TYPE = _info.TYPE +ROLE = _info.ROLE @@ -338870,7 +338840,7 @@ index 0000000..a55162f +TRANSITION = 'transition' +ROLE_ALLOW = 'role_allow' + -+policy_file = None ++policy_file = selinux.selinux_current_policy_path() + +def search(types, info = {} ): + valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] @@ -338898,7 +338868,7 @@ index 0000000..a55162f + +def info(setype, name=None): + global policy_file -+ dict_list = _info.info(setype, name, policy_file) ++ dict_list = _info.info(policy_file, setype, name) + return dict_list + +def policy(alt_policy_file): diff --git a/policycoreutils.spec b/policycoreutils.spec index a4e4af4..e37db34 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.13 -Release: 18%{?dist} +Release: 19%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -329,7 +329,10 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog -* Fri Oct 25 2012 Dan Walsh - 2.1.12-18 +* Sat Oct 27 2012 Dan Walsh - 2.1.12-19 +- Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network + +* Fri Oct 26 2012 Dan Walsh - 2.1.12-18 - Allow sepolicy to specify the policy to generate content from * Thu Oct 25 2012 Dan Walsh - 2.1.12-17
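Review bot: `policy_file = selinux.selinux_current_policy_path()` runs once at import time and can yield `None` when no policy is loaded (for instance with SELinux disabled); `info()` then forwards that `None` to `_info.info(policy_file, setype, name)` unchecked, and with the C-side default lookup removed in this same commit there is no longer any fallback. Raising early in `info()` keeps the error on the Python side: `if policy_file is None: raise ValueError("no SELinux policy file available; call policy() first")`. The same applies to whatever path passes `policy_file` into `_search`, which is outside this hunk, as is the rest of the `search()` wrapper.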