rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3

Browse Source 
- Fix audit2allow to report constraints, dontaudits, types, booleans
This commit is contained in:
Daniel J Walsh 2009-12-09 21:33:50 +00:00
parent 3fbc112632
commit 79944fd474
3 changed files with 480 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

339
policycoreutils-rhat.patch
View File

@ -1,7 +1,15 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.77/audit2allow/audit2allow
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.77/audit2allow/audit2allow 2009-11-24 10:27:27.000000000 -0500
@@ -42,6 +42,8 @@
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500
@@ -28,6 +28,7 @@
import sepolgen.defaults as defaults
import sepolgen.module as module
from sepolgen.sepolgeni18n import _
+import selinux.audit2why as audit2why
class AuditToPolicy:
VERSION = "%prog .1"
@@ -42,6 +43,8 @@
from optparse import OptionParser
parser = OptionParser(version=self.VERSION)
@ -10,7 +18,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
@@ -80,11 +82,11 @@
@@ -80,11 +83,11 @@
options, args = parser.parse_args()
# Make -d, -a, and -i conflict
@ -25,7 +33,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
if options.input is not None and options.dmesg is True:
sys.stderr.write("error: --input conflicts with --dmesg\n")
@@ -129,6 +131,12 @@
@@ -129,6 +132,12 @@
except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1)
@ -38,18 +46,101 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
else:
# This is the default if no input is specified
f = sys.stdin
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.77/Makefile
@@ -220,63 +229,44 @@
def __output_audit2why(self):
import selinux
- import selinux.audit2why as audit2why
import seobject
- audit2why.init()
for i in self.__parser.avc_msgs:
- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
- if rc >= 0:
+ if i.type >= 0:
print "%s\n\tWas caused by:" % i.message
- if rc == audit2why.NOPOLICY:
- raise RuntimeError("Must call policy_init first")
- if rc == audit2why.BADTCON:
- print "Invalid Target Context %s\n" % i.tcontext
- continue
- if rc == audit2why.BADSCON:
- print "Invalid Source Context %s\n" % i.scontext
- continue
- if rc == audit2why.BADSCON:
- print "Invalid Type Class %s\n" % i.tclass
- continue
- if rc == audit2why.BADPERM:
- print "Invalid permission %s\n" % i.accesses
- continue
- if rc == audit2why. BADCOMPUTE:
- raise RuntimeError("Error during access vector computation")
- if rc == audit2why.ALLOW:
+ if i.type == audit2why.ALLOW:
print "\t\tUnknown - would be allowed by active policy\n",
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
continue
- if rc == audit2why.DONTAUDIT:
+ if i.type == audit2why.DONTAUDIT:
print "\t\tUnknown - should be dontaudit'd by active policy\n",
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
continue
- if rc == audit2why.BOOLEAN:
- if len(bools) > 1:
+ if i.type == audit2why.BOOLEAN:
+ if len(i.bools) > 1:
print "\tOne of the following booleans was set incorrectly."
- for b in bools:
+ for b in i.bools:
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
else:
- print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
- print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
- print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
+ print "\tThe boolean %s was set incorrectly. " % (i.bools[0][0])
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(i.bools[0][0])
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (i.bools[0][0], i.bools[0][1])
continue
- if rc == audit2why.TERULE:
+ if i.type == audit2why.TERULE:
print "\t\tMissing type enforcement (TE) allow rule.\n"
print "\t\tYou can use audit2allow to generate a loadable module to allow this access.\n"
continue
- if rc == audit2why.CONSTRAINT:
+ if i.type == audit2why.CONSTRAINT:
print "\t\tPolicy constraint violation.\n"
print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
continue
- if rc == audit2why.RBAC:
+ if i.type == audit2why.RBAC:
print "\t\tMissing role allow rule.\n"
print "\t\tAdd an allow rule for the role pair.\n"
continue
@@ -344,5 +334,6 @@
sys.exit(0)
if __name__ == "__main__":
+ audit2why.init()
app = AuditToPolicy()
app.main()
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.78/Makefile
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.77/Makefile 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/Makefile 2009-12-08 17:05:49.000000000 -0500
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.77/restorecond/Makefile
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.78/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.77/restorecond/Makefile 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/Makefile 2009-12-08 17:05:49.000000000 -0500
@@ -1,17 +1,28 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
@ -96,16 +187,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.77/restorecond/restorecond.8
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.78/restorecond/restorecond.8
--- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.77/restorecond/restorecond.8 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.8 2009-12-08 17:05:49.000000000 -0500
@@ -3,7 +3,7 @@
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
@ -140,9 +231,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
.SH "SEE ALSO"
.BR restorecon (8),
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.77/restorecond/restorecond.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.78/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.77/restorecond/restorecond.c 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.c 2009-12-09 16:29:18.000000000 -0500
@@ -30,9 +30,11 @@
* and makes sure that there security context matches the systems defaults
*
@ -480,7 +571,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
exit(0);
}
@@ -390,74 +136,34 @@
@@ -390,74 +136,35 @@
to see if it is one that we are watching.
*/
@ -571,14 +662,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ r_opts.fts_flags = FTS_PHYSICAL;
+ r_opts.selabel_opt_validate = NULL;
+ r_opts.selabel_opt_path = NULL;
+
+ r_opts.ignore_enoent = 1;
+
+ restore_init(&r_opts);
+ /* If we are not running SELinux then just exit */
+ if (is_selinux_enabled() != 1) return 0;
/* Register sighandlers */
sa.sa_flags = 0;
@@ -467,38 +173,59 @@
@@ -467,38 +174,59 @@
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
@ -647,9 +739,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
}
+
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.77/restorecond/restorecond.conf
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.78/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.77/restorecond/restorecond.conf 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.conf 2009-12-08 17:05:49.000000000 -0500
@@ -4,8 +4,5 @@
/etc/mtab
/var/run/utmp
@ -660,9 +752,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
/root/.ssh/*
-
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.77/restorecond/restorecond.desktop
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.78/restorecond/restorecond.desktop
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/restorecond/restorecond.desktop 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.desktop 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,7 @@
+[Desktop Entry]
+Name=File Context maintainer
@ -671,9 +763,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+Encoding=UTF-8
+Type=Application
+StartupNotify=false
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.77/restorecond/restorecond.h
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.78/restorecond/restorecond.h
--- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.77/restorecond/restorecond.h 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.h 2009-12-08 17:05:49.000000000 -0500
@@ -24,7 +24,21 @@
#ifndef RESTORED_CONFIG_H
#define RESTORED_CONFIG_H
@ -698,9 +790,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+extern void watch_list_free(int fd);
#endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.77/restorecond/restorecond.init
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.78/restorecond/restorecond.init
--- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.77/restorecond/restorecond.init 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.init 2009-12-08 17:05:49.000000000 -0500
@@ -75,16 +75,15 @@
status restorecond
RETVAL=$?
@ -720,15 +812,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
exit $RETVAL
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.77/restorecond/restorecond_user.conf
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.78/restorecond/restorecond_user.conf
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/restorecond/restorecond_user.conf 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond_user.conf 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,2 @@
+~/*
+~/public_html/*
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.77/restorecond/user.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.78/restorecond/user.c
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/restorecond/user.c 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/user.c 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,237 @@
+/*
+ * restorecond
@ -967,10 +1059,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ return 0;
+}
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.77/restorecond/watch.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.78/restorecond/watch.c
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/restorecond/watch.c 2009-11-24 10:27:27.000000000 -0500
@@ -0,0 +1,253 @@
+++ policycoreutils-2.0.78/restorecond/watch.c 2009-12-09 16:31:48.000000000 -0500
@@ -0,0 +1,254 @@
+#define _GNU_SOURCE
+#include <sys/inotify.h>
+#include <errno.h>
@ -1052,8 +1144,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ if (ptr->wd == -1) {
+ free(ptr);
+ free(x);
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
+ path, strerror(errno));
+ if (! run_as_user)
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
+ path, strerror(errno));
+ return;
+ }
+
@ -1224,17 +1317,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ exitApp("Error watching config file.");
+}
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.77/sandbox/deliverables/basicwrapper
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.78/sandbox/deliverables/basicwrapper
--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/deliverables/basicwrapper 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/deliverables/basicwrapper 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,4 @@
+import os, sys
+SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
+SANDBOX_ARGS.extend(sys.argv[1::])
+os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.77/sandbox/deliverables/README
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.78/sandbox/deliverables/README
--- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/deliverables/README 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/deliverables/README 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,32 @@
+Files:
+run-in-sandbox.py:
@ -1268,9 +1361,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+Thanks for a great summer.
+Chris Pardy
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py
--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,49 @@
+import os
+import os.path
@ -1321,9 +1414,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ def get_background_items(self, window, file):
+ return
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.77/sandbox/deliverables/sandbox
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.78/sandbox/deliverables/sandbox
--- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/deliverables/sandbox 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/deliverables/sandbox 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,216 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl, shutil
@ -1541,9 +1634,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+ sys.exit(rc)
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.77/sandbox/Makefile
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.78/sandbox/Makefile
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/Makefile 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/Makefile 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,31 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
@ -1576,10 +1669,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ ../../scripts/Lindent $(wildcard *.[ch])
+
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.77/sandbox/sandbox
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/sandbox 2009-11-24 10:27:27.000000000 -0500
@@ -0,0 +1,242 @@
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,253 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl, shutil
+import selinux
@ -1623,36 +1716,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ sys.stderr.flush()
+ sys.exit(1)
+
+def reserve(mcs):
+def reserve(level):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
+ sock.bind("\0%s" % level)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
+def gen_context(setype):
+ while True:
+ i1 = random.randrange(0, 1024)
+ i2 = random.randrange(0, 1024)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+ tmp = i1
+ i1 = i2
+ i2 = tmp
+ mcs = "s0:c%d,c%d" % (i1, i2)
+ reserve(mcs)
+ try:
+ reserve(mcs)
+ except:
+ continue
+ break
+def gen_mcs():
+ while True:
+ i1 = random.randrange(0, 1024)
+ i2 = random.randrange(0, 1024)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+ tmp = i1
+ i1 = i2
+ i2 = tmp
+ level = "s0:c%d,c%d" % (i1, i2)
+ level = "s0:c%d,c%d" % (i1, i2)
+ try:
+ reserve(level)
+ except socket.error:
+ continue
+ break
+ return level
+
+def gen_context(setype, level=None):
+ if not level:
+ level = gen_mcs()
+
+ con = selinux.getcon()[1].split(":")
+
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, level)
+
+ filecon = "%s:%s:%s:%s" % (con[0],
+ "object_r",
+ "%s_file_t" % setype[:-2],
+ mcs)
+ level)
+ return execcon, filecon
+
+def copyfile(file, dir, dest):
@ -1708,16 +1807,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+ setype = DEFAULT_TYPE
+ X_ind = False
+ level=None
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:",
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:",
+ ["help",
+ "include=",
+ "includefile=",
+ "type="
+ "type=",
+ "level="
+ ])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
+ if o == "-l" or o == "--level":
+ level = a
+
+ if o == "-i" or o == "--include":
+ rp = os.path.realpath(a)
@ -1745,7 +1849,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ if len(cmds) == 0:
+ usage(_("Command required"))
+
+ execcon, filecon = gen_context(setype)
+ execcon, filecon = gen_context(setype, level)
+ rc = -1
+
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
@ -1822,9 +1926,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+ sys.exit(rc)
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.77/sandbox/sandbox.8
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/sandbox.8 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,26 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
@ -1852,9 +1956,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+.TP
+runcon(1)
+.PP
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.77/sandbox/sandboxX.sh
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.78/sandbox/sandboxX.sh
--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/sandboxX.sh 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandboxX.sh 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,16 @@
+#!/bin/bash
+export TITLE="Sandbox: `/usr/bin/tail -1 ~/.sandboxrc | /usr/bin/cut -b1-70`"
@ -1872,9 +1976,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ kill -HUP 0
+ break
+done
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.77/sandbox/seunshare.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.78/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.77/sandbox/seunshare.c 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/seunshare.c 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,265 @@
+#include <signal.h>
+#include <sys/types.h>
@ -2141,9 +2245,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+ return status;
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.77/semanage/semanage
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
+++ policycoreutils-2.0.77/semanage/semanage 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500
@@ -32,23 +32,32 @@
try:
gettext.install(PROGNAME,
@ -2472,9 +2576,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
process_args(mkargv(l))
trans.finish()
else:
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.77/semanage/seobject.py
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
+++ policycoreutils-2.0.77/semanage/seobject.py 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500
@@ -37,40 +37,6 @@
import syslog
@ -3118,9 +3222,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
def list(self, heading = True, locallist = False, use_file = False):
on_off = (_("off"), _("on"))
if use_file:
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.77/semodule/semodule.8
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.78/semodule/semodule.8
--- nsapolicycoreutils/semodule/semodule.8 2009-09-17 08:59:43.000000000 -0400
+++ policycoreutils-2.0.77/semodule/semodule.8 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/semodule/semodule.8 2009-12-08 17:05:49.000000000 -0500
@@ -35,6 +35,12 @@
.B \-b,\-\-base=MODULE_PKG
install/replace base module package
@ -3134,9 +3238,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
.B \-r,\-\-remove=MODULE_NAME
remove existing module
.TP
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.77/semodule/semodule.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.78/semodule/semodule.c
--- nsapolicycoreutils/semodule/semodule.c 2009-09-17 08:59:43.000000000 -0400
+++ policycoreutils-2.0.77/semodule/semodule.c 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/semodule/semodule.c 2009-12-08 17:05:49.000000000 -0500
@@ -22,12 +22,12 @@
#include <semanage/modules.h>
@ -3254,9 +3358,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
semanage_module_info_datum_destroy
(m);
}
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.77/setfiles/restore.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.78/setfiles/restore.c
--- nsapolicycoreutils/setfiles/restore.c 2009-11-03 09:21:40.000000000 -0500
+++ policycoreutils-2.0.77/setfiles/restore.c 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/restore.c 2009-12-08 17:05:49.000000000 -0500
@@ -303,6 +303,12 @@
FTS *fts_handle;
FTSENT *ftsent;
@ -3270,9 +3374,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
if (fts_handle == NULL) {
fprintf(stderr,
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.77/setfiles/restorecon.8
@@ -374,6 +380,7 @@
} else {
rc = lstat(name, &sb);
if (rc < 0) {
+ if (r_opts->ignore_enoent && errno == ENOENT) return 0;
fprintf(stderr, "%s: lstat(%s) failed: %s\n",
r_opts->progname, name, strerror(errno));
return -1;
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.78/setfiles/restorecon.8
--- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.77/setfiles/restorecon.8 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/restorecon.8 2009-12-08 17:05:49.000000000 -0500
@@ -4,10 +4,10 @@
.SH "SYNOPSIS"
@ -3296,9 +3408,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
.TP
.B \-v
show changes in file labels.
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.77/setfiles/setfiles.8
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.78/setfiles/restore.h
--- nsapolicycoreutils/setfiles/restore.h 2009-11-03 09:21:40.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/restore.h 2009-12-08 17:05:49.000000000 -0500
@@ -27,6 +27,7 @@
int hard_links;
int verbose;
int logging;
+ int ignore_enoent;
char *rootpath;
int rootpathlen;
char *progname;
Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.78/setfiles/restore.o differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.78/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.77/setfiles/setfiles.8 2009-11-24 10:27:27.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/setfiles.8 2009-12-08 17:05:49.000000000 -0500
@@ -31,6 +31,9 @@
.TP
.B \-n
@ -3309,10 +3433,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
.TP
.B \-q
suppress non-error output.
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.77/setfiles/setfiles.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.78/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2009-11-03 09:21:40.000000000 -0500
+++ policycoreutils-2.0.77/setfiles/setfiles.c 2009-11-24 10:27:27.000000000 -0500
@@ -44,13 +44,13 @@
+++ policycoreutils-2.0.78/setfiles/setfiles.c 2009-12-09 16:28:55.000000000 -0500
@@ -25,7 +25,6 @@
static int warn_no_match = 0;
static int null_terminated = 0;
static int errors;
-static int ignore_enoent;
static struct restore_opts r_opts;
#define STAT_BLOCK_SIZE 1
@@ -44,13 +43,13 @@
{
if (iamrestorecon) {
fprintf(stderr,
@ -3328,7 +3460,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
name);
}
exit(1);
@@ -371,7 +371,7 @@
@@ -335,7 +334,7 @@
r_opts.debug = 1;
break;
case 'i':
- ignore_enoent = 1;
+ r_opts.ignore_enoent = 1;
break;
case 'l':
r_opts.logging = 1;
@@ -371,7 +370,7 @@
break;
}
if (optind + 1 >= argc) {
@ -3337,9 +3478,3 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
argv[0]);
exit(1);
}
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/VERSION policycoreutils-2.0.77/VERSION
--- nsapolicycoreutils/VERSION 2009-12-01 15:46:50.000000000 -0500
+++ policycoreutils-2.0.77/VERSION 2009-11-20 10:51:25.000000000 -0500
@@ -1 +1 @@
-2.0.78
+2.0.77

241
policycoreutils-sepolgen.patch
View File

@ -1,6 +1,62 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:02:52.000000000 -0500
@@ -32,6 +32,7 @@
"""
import refpolicy
+from selinux import audit2why
def is_idparam(id):
"""Determine if an id is a paramater in the form $N, where N is
@@ -85,6 +86,8 @@
self.obj_class = None
self.perms = refpolicy.IdSet()
self.audit_msgs = []
+ self.type = audit2why.TERULE
+ self.bools = []
# The direction of the information flow represented by this
# access vector - used for matching
@@ -127,7 +130,7 @@
return self.to_string()
def to_string(self):
- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
+ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
self.obj_class, self.perms.to_space_str())
def __cmp__(self, other):
@@ -253,20 +256,22 @@
for av in l:
self.add_av(AccessVector(av))
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
"""Add an access vector to the set.
"""
tgt = self.src.setdefault(src_type, { })
cls = tgt.setdefault(tgt_type, { })
- if cls.has_key(obj_class):
- access = cls[obj_class]
+ if cls.has_key((obj_class, avc_type)):
+ access = cls[obj_class, avc_type]
else:
access = AccessVector()
access.src_type = src_type
access.tgt_type = tgt_type
access.obj_class = obj_class
- cls[obj_class] = access
+ access.bools = bools
+ access.type = avc_type
+ cls[obj_class, avc_type] = access
access.perms.update(perms)
if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py 2009-11-24 10:27:28.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:02:17.000000000 -0500
@@ -23,6 +23,27 @@
# Convenience functions
@ -47,10 +103,153 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
# Classes representing audit messages
class AuditMessage:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py
@@ -106,6 +138,7 @@
if fields[0] == "path":
self.path = fields[1][1:-1]
return
+import selinux.audit2why as audit2why
class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message.
@@ -146,6 +179,8 @@
self.path = ""
self.accesses = []
self.denial = True
+ self.type = audit2why.TERULE
+ self.bools = []
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
@@ -205,7 +240,25 @@
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
-
+ self.analyze()
+
+ def analyze(self):
+ tcontext = self.tcontext.to_string()
+ scontext = self.scontext.to_string()
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
+ if self.type == audit2why.NOPOLICY:
+ raise ValueError("Must call policy_init first")
+ if self.type == audit2why.BADTCON:
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Source Context %s\n" % scontext)
+ if self.type == audit2why.BADSCON:
+ raise ValueError("Invalid Type Class %s\n" % self.tclass)
+ if self.type == audit2why.BADPERM:
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
+ if self.type == audit2why.BADCOMPUTE:
+ raise ValueError("Error during access vector computation")
+
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
def __init__(self, message):
@@ -285,6 +338,9 @@
def __initialize(self):
self.avc_msgs = []
+ self.constraint_msgs = []
+ self.dontaudit_msgs = []
+ self.rbac_msgs = []
self.compute_sid_msgs = []
self.invalid_msgs = []
self.policy_load_msgs = []
@@ -314,7 +370,7 @@
elif i == "security_compute_sid:":
msg = ComputeSidMessage(line)
found = True
- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
+ elif i == "type=MAC_POLICY_LOAD":
msg = PolicyLoadMessage(line)
found = True
elif i == "type=AVC_PATH":
@@ -442,16 +498,17 @@
audit logs parsed by this object.
"""
av_set = access.AccessVectorSet()
+
for avc in self.avc_msgs:
if avc.denial != True and only_denials:
continue
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
else:
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
return av_set
class AVCTypeFilter:
@@ -477,5 +534,3 @@
if self.regex.match(avc.tcontext.type):
return True
return False
-
-
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-08 17:03:16.000000000 -0500
@@ -29,6 +29,8 @@
import access
import interfaces
import matching
+import selinux.audit2why as audit2why
+from setools import *
# Constants for the level of explanation from the generation
# routines
@@ -74,7 +76,7 @@
self.moduel = module
else:
self.module = refpolicy.Module()
-
+ self.domains = None
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -144,8 +146,32 @@
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
+ rule.comment = ""
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
+ if av.type == audit2why.DONTAUDIT:
+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
+ if av.type == audit2why.BOOLEAN:
+ if len(av.bools) > 1:
+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
+ else:
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
+
+ if av.type == audit2why.CONSTRAINT:
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+ if av.type == audit2why.TERULE:
+ if "open" in av.perms and "write" in av.perms:
+ if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[]
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+
self.module.children.append(rule)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-11-24 10:27:28.000000000 -0500
@@ -973,7 +919,7 @@
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:01:22.000000000 -0500
@@ -973,7 +973,7 @@
def list_headers(root):
modules = []
support_macros = None
@ -59,3 +258,35 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:02:00.000000000 -0500
@@ -398,6 +398,7 @@
return "attribute %s;" % self.name
# Classes representing rules
+import selinux.audit2why as audit2why
class AVRule(Leaf):
"""SELinux access vector (AV) rule.
@@ -426,15 +427,17 @@
self.tgt_types = IdSet()
self.obj_classes = IdSet()
self.perms = IdSet()
- self.rule_type = self.ALLOW
+ self.rule_type = audit2why.TERULE
if av:
self.from_av(av)
def __rule_type_str(self):
- if self.rule_type == self.ALLOW:
+ if self.rule_type == audit2why.TERULE:
return "allow"
- elif self.rule_type == self.DONTAUDIT:
+ elif self.rule_type == audit2why.DONTAUDIT:
return "dontaudit"
+ elif self.rule_type == audit2why.CONSTRAINT:
+ return "#constraint allow"
else:
return "auditallow"

8
policycoreutils.spec
View File

@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.78
Release: 1%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -296,6 +296,12 @@ fi
exit 0
%changelog
* Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
- Fix audit2allow to report constraints, dontaudits, types, booleans
* Fri Dec 4 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-2
- Fix restorecon -i to ignore enoent
* Tue Dec 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-1
- Update to upstream
* Remove non-working OUTFILE from fixfiles from Dan Walsh.