* Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
- Fix audit2allow to report constraints, dontaudits, types, booleans
parent
3fbc112632
commit
79944fd474
@ -1,7 +1,15 @@
|
|||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.77/audit2allow/audit2allow
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
|
||||||
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
|
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/audit2allow/audit2allow 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -42,6 +42,8 @@
|
@@ -28,6 +28,7 @@
|
||||||
|
import sepolgen.defaults as defaults
|
||||||
|
import sepolgen.module as module
|
||||||
|
from sepolgen.sepolgeni18n import _
|
||||||
|
+import selinux.audit2why as audit2why
|
||||||
|
|
||||||
|
class AuditToPolicy:
|
||||||
|
VERSION = "%prog .1"
|
||||||
|
@@ -42,6 +43,8 @@
|
||||||
from optparse import OptionParser
|
from optparse import OptionParser
|
||||||
|
|
||||||
parser = OptionParser(version=self.VERSION)
|
parser = OptionParser(version=self.VERSION)
|
||||||
@ -10,7 +18,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
|
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
|
||||||
help="read input from audit log - conflicts with -i")
|
help="read input from audit log - conflicts with -i")
|
||||||
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
|
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
|
||||||
@@ -80,11 +82,11 @@
|
@@ -80,11 +83,11 @@
|
||||||
options, args = parser.parse_args()
|
options, args = parser.parse_args()
|
||||||
|
|
||||||
# Make -d, -a, and -i conflict
|
# Make -d, -a, and -i conflict
|
||||||
@ -25,7 +33,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
if options.input is not None and options.dmesg is True:
|
if options.input is not None and options.dmesg is True:
|
||||||
sys.stderr.write("error: --input conflicts with --dmesg\n")
|
sys.stderr.write("error: --input conflicts with --dmesg\n")
|
||||||
|
|
||||||
@@ -129,6 +131,12 @@
|
@@ -129,6 +132,12 @@
|
||||||
except OSError, e:
|
except OSError, e:
|
||||||
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
|
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
@ -38,18 +46,101 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
else:
|
else:
|
||||||
# This is the default if no input is specified
|
# This is the default if no input is specified
|
||||||
f = sys.stdin
|
f = sys.stdin
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.77/Makefile
|
@@ -220,63 +229,44 @@
|
||||||
|
|
||||||
|
def __output_audit2why(self):
|
||||||
|
import selinux
|
||||||
|
- import selinux.audit2why as audit2why
|
||||||
|
import seobject
|
||||||
|
- audit2why.init()
|
||||||
|
for i in self.__parser.avc_msgs:
|
||||||
|
- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
|
||||||
|
- if rc >= 0:
|
||||||
|
+ if i.type >= 0:
|
||||||
|
print "%s\n\tWas caused by:" % i.message
|
||||||
|
- if rc == audit2why.NOPOLICY:
|
||||||
|
- raise RuntimeError("Must call policy_init first")
|
||||||
|
- if rc == audit2why.BADTCON:
|
||||||
|
- print "Invalid Target Context %s\n" % i.tcontext
|
||||||
|
- continue
|
||||||
|
- if rc == audit2why.BADSCON:
|
||||||
|
- print "Invalid Source Context %s\n" % i.scontext
|
||||||
|
- continue
|
||||||
|
- if rc == audit2why.BADSCON:
|
||||||
|
- print "Invalid Type Class %s\n" % i.tclass
|
||||||
|
- continue
|
||||||
|
- if rc == audit2why.BADPERM:
|
||||||
|
- print "Invalid permission %s\n" % i.accesses
|
||||||
|
- continue
|
||||||
|
- if rc == audit2why. BADCOMPUTE:
|
||||||
|
- raise RuntimeError("Error during access vector computation")
|
||||||
|
- if rc == audit2why.ALLOW:
|
||||||
|
+ if i.type == audit2why.ALLOW:
|
||||||
|
print "\t\tUnknown - would be allowed by active policy\n",
|
||||||
|
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||||
|
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
|
||||||
|
continue
|
||||||
|
- if rc == audit2why.DONTAUDIT:
|
||||||
|
+ if i.type == audit2why.DONTAUDIT:
|
||||||
|
print "\t\tUnknown - should be dontaudit'd by active policy\n",
|
||||||
|
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||||
|
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
|
||||||
|
continue
|
||||||
|
- if rc == audit2why.BOOLEAN:
|
||||||
|
- if len(bools) > 1:
|
||||||
|
+ if i.type == audit2why.BOOLEAN:
|
||||||
|
+ if len(i.bools) > 1:
|
||||||
|
print "\tOne of the following booleans was set incorrectly."
|
||||||
|
- for b in bools:
|
||||||
|
+ for b in i.bools:
|
||||||
|
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
|
||||||
|
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
|
||||||
|
else:
|
||||||
|
- print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
|
||||||
|
- print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
|
||||||
|
- print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
|
||||||
|
+ print "\tThe boolean %s was set incorrectly. " % (i.bools[0][0])
|
||||||
|
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(i.bools[0][0])
|
||||||
|
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (i.bools[0][0], i.bools[0][1])
|
||||||
|
continue
|
||||||
|
|
||||||
|
- if rc == audit2why.TERULE:
|
||||||
|
+ if i.type == audit2why.TERULE:
|
||||||
|
print "\t\tMissing type enforcement (TE) allow rule.\n"
|
||||||
|
print "\t\tYou can use audit2allow to generate a loadable module to allow this access.\n"
|
||||||
|
continue
|
||||||
|
|
||||||
|
- if rc == audit2why.CONSTRAINT:
|
||||||
|
+ if i.type == audit2why.CONSTRAINT:
|
||||||
|
print "\t\tPolicy constraint violation.\n"
|
||||||
|
print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
|
||||||
|
print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
|
||||||
|
continue
|
||||||
|
|
||||||
|
- if rc == audit2why.RBAC:
|
||||||
|
+ if i.type == audit2why.RBAC:
|
||||||
|
print "\t\tMissing role allow rule.\n"
|
||||||
|
print "\t\tAdd an allow rule for the role pair.\n"
|
||||||
|
continue
|
||||||
|
@@ -344,5 +334,6 @@
|
||||||
|
sys.exit(0)
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
+ audit2why.init()
|
||||||
|
app = AuditToPolicy()
|
||||||
|
app.main()
|
||||||
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.78/Makefile
|
||||||
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
|
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/Makefile 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/Makefile 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -1,4 +1,4 @@
|
@@ -1,4 +1,4 @@
|
||||||
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
||||||
+SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
+SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
||||||
|
|
||||||
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
||||||
|
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.77/restorecond/Makefile
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.78/restorecond/Makefile
|
||||||
--- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400
|
--- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/restorecond/Makefile 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/Makefile 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -1,17 +1,28 @@
|
@@ -1,17 +1,28 @@
|
||||||
# Installation directories.
|
# Installation directories.
|
||||||
PREFIX ?= ${DESTDIR}/usr
|
PREFIX ?= ${DESTDIR}/usr
|
||||||
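Review bot: `audit2why.init()` is now called unconditionally under `if __name__ == "__main__":` on the new side near the end of this hunk, and the first hunk of the file moves `import selinux.audit2why as audit2why` to module scope; before this change both happened only inside `__output_audit2why`, i.e. only when that output was actually requested. Every audit2allow run now pays for whatever `init()` does (presumably loading the active policy — confirm) and fails outright where the `selinux.audit2why` extension cannot be imported, even for plain module generation that never needed it. Consider keeping the call lazy by moving it to the point where the audit2why output is selected, or at least guarding it so that an `init()` failure only disables that output rather than the whole tool. Separately, with the dispatch now keyed on `i.type >= 0`, the former per-message diagnostics for an invalid source/target context, class or permission are gone; if the parser reports those cases as negative `i.type` values they are now skipped silently, so a comment such as `# negative i.type: audit2why could not analyze this AVC; nothing to report` would make that intent explicit. The body of `__output_audit2why` starts outside this hunk.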
@ -96,16 +187,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
|
|
||||||
relabel: install
|
relabel: install
|
||||||
/sbin/restorecon $(SBINDIR)/restorecond
|
/sbin/restorecon $(SBINDIR)/restorecond
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service
|
||||||
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,3 @@
|
@@ -0,0 +1,3 @@
|
||||||
+[D-BUS Service]
|
+[D-BUS Service]
|
||||||
+Name=org.selinux.Restorecond
|
+Name=org.selinux.Restorecond
|
||||||
+Exec=/usr/sbin/restorecond -u
|
+Exec=/usr/sbin/restorecond -u
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.77/restorecond/restorecond.8
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.78/restorecond/restorecond.8
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400
|
--- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/restorecond/restorecond.8 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/restorecond.8 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -3,7 +3,7 @@
|
@@ -3,7 +3,7 @@
|
||||||
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
|
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
|
||||||
|
|
||||||
@ -140,9 +231,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
|
|
||||||
.SH "SEE ALSO"
|
.SH "SEE ALSO"
|
||||||
.BR restorecon (8),
|
.BR restorecon (8),
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.77/restorecond/restorecond.c
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.78/restorecond/restorecond.c
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
|
--- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/restorecond/restorecond.c 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/restorecond.c 2009-12-09 16:29:18.000000000 -0500
|
||||||
@@ -30,9 +30,11 @@
|
@@ -30,9 +30,11 @@
|
||||||
* and makes sure that there security context matches the systems defaults
|
* and makes sure that there security context matches the systems defaults
|
||||||
*
|
*
|
||||||
@ -480,7 +571,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
exit(0);
|
exit(0);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -390,74 +136,34 @@
|
@@ -390,74 +136,35 @@
|
||||||
to see if it is one that we are watching.
|
to see if it is one that we are watching.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
@ -571,6 +662,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ r_opts.fts_flags = FTS_PHYSICAL;
|
+ r_opts.fts_flags = FTS_PHYSICAL;
|
||||||
+ r_opts.selabel_opt_validate = NULL;
|
+ r_opts.selabel_opt_validate = NULL;
|
||||||
+ r_opts.selabel_opt_path = NULL;
|
+ r_opts.selabel_opt_path = NULL;
|
||||||
|
+ r_opts.ignore_enoent = 1;
|
||||||
+
|
+
|
||||||
+ restore_init(&r_opts);
|
+ restore_init(&r_opts);
|
||||||
+ /* If we are not running SELinux then just exit */
|
+ /* If we are not running SELinux then just exit */
|
||||||
@ -578,7 +670,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
|
|
||||||
/* Register sighandlers */
|
/* Register sighandlers */
|
||||||
sa.sa_flags = 0;
|
sa.sa_flags = 0;
|
||||||
@@ -467,38 +173,59 @@
|
@@ -467,38 +174,59 @@
|
||||||
|
|
||||||
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
|
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
|
||||||
|
|
||||||
@ -647,9 +739,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
}
|
}
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.77/restorecond/restorecond.conf
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.78/restorecond/restorecond.conf
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400
|
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/restorecond/restorecond.conf 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/restorecond.conf 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -4,8 +4,5 @@
|
@@ -4,8 +4,5 @@
|
||||||
/etc/mtab
|
/etc/mtab
|
||||||
/var/run/utmp
|
/var/run/utmp
|
||||||
@ -660,9 +752,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
/root/.ssh/*
|
/root/.ssh/*
|
||||||
-
|
-
|
||||||
-
|
-
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.77/restorecond/restorecond.desktop
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.78/restorecond/restorecond.desktop
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/restorecond/restorecond.desktop 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/restorecond.desktop 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,7 @@
|
@@ -0,0 +1,7 @@
|
||||||
+[Desktop Entry]
|
+[Desktop Entry]
|
||||||
+Name=File Context maintainer
|
+Name=File Context maintainer
|
||||||
@ -671,9 +763,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+Encoding=UTF-8
|
+Encoding=UTF-8
|
||||||
+Type=Application
|
+Type=Application
|
||||||
+StartupNotify=false
|
+StartupNotify=false
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.77/restorecond/restorecond.h
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.78/restorecond/restorecond.h
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400
|
--- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/restorecond/restorecond.h 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/restorecond.h 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -24,7 +24,21 @@
|
@@ -24,7 +24,21 @@
|
||||||
#ifndef RESTORED_CONFIG_H
|
#ifndef RESTORED_CONFIG_H
|
||||||
#define RESTORED_CONFIG_H
|
#define RESTORED_CONFIG_H
|
||||||
@ -698,9 +790,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+extern void watch_list_free(int fd);
|
+extern void watch_list_free(int fd);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.77/restorecond/restorecond.init
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.78/restorecond/restorecond.init
|
||||||
--- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400
|
--- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/restorecond/restorecond.init 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/restorecond.init 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -75,16 +75,15 @@
|
@@ -75,16 +75,15 @@
|
||||||
status restorecond
|
status restorecond
|
||||||
RETVAL=$?
|
RETVAL=$?
|
||||||
@ -720,15 +812,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
|
|
||||||
exit $RETVAL
|
exit $RETVAL
|
||||||
-
|
-
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.77/restorecond/restorecond_user.conf
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.78/restorecond/restorecond_user.conf
|
||||||
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/restorecond/restorecond_user.conf 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/restorecond_user.conf 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,2 @@
|
@@ -0,0 +1,2 @@
|
||||||
+~/*
|
+~/*
|
||||||
+~/public_html/*
|
+~/public_html/*
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.77/restorecond/user.c
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.78/restorecond/user.c
|
||||||
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/restorecond/user.c 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/user.c 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,237 @@
|
@@ -0,0 +1,237 @@
|
||||||
+/*
|
+/*
|
||||||
+ * restorecond
|
+ * restorecond
|
||||||
@ -967,10 +1059,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.77/restorecond/watch.c
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.78/restorecond/watch.c
|
||||||
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/restorecond/watch.c 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/restorecond/watch.c 2009-12-09 16:31:48.000000000 -0500
|
||||||
@@ -0,0 +1,253 @@
|
@@ -0,0 +1,254 @@
|
||||||
+#define _GNU_SOURCE
|
+#define _GNU_SOURCE
|
||||||
+#include <sys/inotify.h>
|
+#include <sys/inotify.h>
|
||||||
+#include <errno.h>
|
+#include <errno.h>
|
||||||
@ -1052,8 +1144,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ if (ptr->wd == -1) {
|
+ if (ptr->wd == -1) {
|
||||||
+ free(ptr);
|
+ free(ptr);
|
||||||
+ free(x);
|
+ free(x);
|
||||||
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
|
+ if (! run_as_user)
|
||||||
+ path, strerror(errno));
|
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
|
||||||
|
+ path, strerror(errno));
|
||||||
+ return;
|
+ return;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -1224,17 +1317,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ exitApp("Error watching config file.");
|
+ exitApp("Error watching config file.");
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.77/sandbox/deliverables/basicwrapper
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.78/sandbox/deliverables/basicwrapper
|
||||||
--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/deliverables/basicwrapper 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/deliverables/basicwrapper 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,4 @@
|
@@ -0,0 +1,4 @@
|
||||||
+import os, sys
|
+import os, sys
|
||||||
+SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
|
+SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
|
||||||
+SANDBOX_ARGS.extend(sys.argv[1::])
|
+SANDBOX_ARGS.extend(sys.argv[1::])
|
||||||
+os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
|
+os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.77/sandbox/deliverables/README
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.78/sandbox/deliverables/README
|
||||||
--- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/deliverables/README 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/deliverables/README 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,32 @@
|
@@ -0,0 +1,32 @@
|
||||||
+Files:
|
+Files:
|
||||||
+run-in-sandbox.py:
|
+run-in-sandbox.py:
|
||||||
@ -1268,9 +1361,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+
|
+
|
||||||
+Thanks for a great summer.
|
+Thanks for a great summer.
|
||||||
+Chris Pardy
|
+Chris Pardy
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py
|
||||||
--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,49 @@
|
@@ -0,0 +1,49 @@
|
||||||
+import os
|
+import os
|
||||||
+import os.path
|
+import os.path
|
||||||
@ -1321,9 +1414,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ def get_background_items(self, window, file):
|
+ def get_background_items(self, window, file):
|
||||||
+ return
|
+ return
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.77/sandbox/deliverables/sandbox
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.78/sandbox/deliverables/sandbox
|
||||||
--- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/deliverables/sandbox 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/deliverables/sandbox 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,216 @@
|
@@ -0,0 +1,216 @@
|
||||||
+#!/usr/bin/python -E
|
+#!/usr/bin/python -E
|
||||||
+import os, sys, getopt, socket, random, fcntl, shutil
|
+import os, sys, getopt, socket, random, fcntl, shutil
|
||||||
@ -1541,9 +1634,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+
|
+
|
||||||
+ sys.exit(rc)
|
+ sys.exit(rc)
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.77/sandbox/Makefile
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.78/sandbox/Makefile
|
||||||
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/Makefile 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/Makefile 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,31 @@
|
@@ -0,0 +1,31 @@
|
||||||
+# Installation directories.
|
+# Installation directories.
|
||||||
+PREFIX ?= ${DESTDIR}/usr
|
+PREFIX ?= ${DESTDIR}/usr
|
||||||
@ -1576,10 +1669,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ ../../scripts/Lindent $(wildcard *.[ch])
|
+ ../../scripts/Lindent $(wildcard *.[ch])
|
||||||
+
|
+
|
||||||
+relabel:
|
+relabel:
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.77/sandbox/sandbox
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
|
||||||
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/sandbox 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,242 @@
|
@@ -0,0 +1,253 @@
|
||||||
+#!/usr/bin/python -E
|
+#!/usr/bin/python -E
|
||||||
+import os, sys, getopt, socket, random, fcntl, shutil
|
+import os, sys, getopt, socket, random, fcntl, shutil
|
||||||
+import selinux
|
+import selinux
|
||||||
@ -1623,36 +1716,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ sys.stderr.flush()
|
+ sys.stderr.flush()
|
||||||
+ sys.exit(1)
|
+ sys.exit(1)
|
||||||
+
|
+
|
||||||
+def reserve(mcs):
|
+def reserve(level):
|
||||||
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||||
+ sock.bind("\0%s" % mcs)
|
+ sock.bind("\0%s" % level)
|
||||||
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
||||||
+
|
+
|
||||||
+def gen_context(setype):
|
+def gen_mcs():
|
||||||
+ while True:
|
+ while True:
|
||||||
+ i1 = random.randrange(0, 1024)
|
+ i1 = random.randrange(0, 1024)
|
||||||
+ i2 = random.randrange(0, 1024)
|
+ i2 = random.randrange(0, 1024)
|
||||||
+ if i1 == i2:
|
+ if i1 == i2:
|
||||||
+ continue
|
+ continue
|
||||||
+ if i1 > i2:
|
+ if i1 > i2:
|
||||||
+ tmp = i1
|
+ tmp = i1
|
||||||
+ i1 = i2
|
+ i1 = i2
|
||||||
+ i2 = tmp
|
+ i2 = tmp
|
||||||
+ mcs = "s0:c%d,c%d" % (i1, i2)
|
+ level = "s0:c%d,c%d" % (i1, i2)
|
||||||
+ reserve(mcs)
|
+ level = "s0:c%d,c%d" % (i1, i2)
|
||||||
+ try:
|
+ try:
|
||||||
+ reserve(mcs)
|
+ reserve(level)
|
||||||
+ except:
|
+ except socket.error:
|
||||||
+ continue
|
+ continue
|
||||||
+ break
|
+ break
|
||||||
|
+ return level
|
||||||
|
+
|
||||||
|
+def gen_context(setype, level=None):
|
||||||
|
+ if not level:
|
||||||
|
+ level = gen_mcs()
|
||||||
|
+
|
||||||
+ con = selinux.getcon()[1].split(":")
|
+ con = selinux.getcon()[1].split(":")
|
||||||
+
|
+
|
||||||
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
|
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, level)
|
||||||
+
|
+
|
||||||
+ filecon = "%s:%s:%s:%s" % (con[0],
|
+ filecon = "%s:%s:%s:%s" % (con[0],
|
||||||
+ "object_r",
|
+ "object_r",
|
||||||
+ "%s_file_t" % setype[:-2],
|
+ "%s_file_t" % setype[:-2],
|
||||||
+ mcs)
|
+ level)
|
||||||
+ return execcon, filecon
|
+ return execcon, filecon
|
||||||
+
|
+
|
||||||
+def copyfile(file, dir, dest):
|
+def copyfile(file, dir, dest):
|
||||||
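Review bot: `reserve()` creates the abstract-socket reservation as a local and neither returns nor stores it, so under CPython's reference counting the socket is closed and the `\0s0:cX,cY` name released the moment `reserve()` returns; the `except socket.error: continue` check in `gen_mcs()` therefore only detects another sandbox that is inside `reserve()` at the same instant, and two concurrently started sandboxes can end up with the same category pair, which is precisely the separation the MCS level is meant to provide. Keeping the socket alive for the process lifetime fixes this in two lines: a module-level `_reserved_sockets = []` and `_reserved_sockets.append(sock)` at the end of `reserve()` (or return the socket and hold it in the caller). The new `level=None` path in `gen_context()` has the related gap: a caller-supplied level (from the `-l/--level` option parsed in the next hunk) is neither passed through `reserve()` nor checked for the `s0:c..` shape before being interpolated into both the exec and file contexts, so it should at least go through the same reservation. The `level = "s0:c%d,c%d" % (i1, i2)` assignment also appears twice in a row on the new side of `gen_mcs()`; the second one looks redundant.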
@ -1708,17 +1807,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+
|
+
|
||||||
+ setype = DEFAULT_TYPE
|
+ setype = DEFAULT_TYPE
|
||||||
+ X_ind = False
|
+ X_ind = False
|
||||||
|
+ level=None
|
||||||
+ try:
|
+ try:
|
||||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:",
|
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:",
|
||||||
+ ["help",
|
+ ["help",
|
||||||
+ "include=",
|
+ "include=",
|
||||||
+ "includefile=",
|
+ "includefile=",
|
||||||
+ "type="
|
+ "type=",
|
||||||
|
+ "level="
|
||||||
+ ])
|
+ ])
|
||||||
+ for o, a in gopts:
|
+ for o, a in gopts:
|
||||||
+ if o == "-t" or o == "--type":
|
+ if o == "-t" or o == "--type":
|
||||||
+ setype = a
|
+ setype = a
|
||||||
+
|
+
|
||||||
|
+ if o == "-l" or o == "--level":
|
||||||
|
+ level = a
|
||||||
|
+
|
||||||
+ if o == "-i" or o == "--include":
|
+ if o == "-i" or o == "--include":
|
||||||
+ rp = os.path.realpath(a)
|
+ rp = os.path.realpath(a)
|
||||||
+ if rp not in init_files:
|
+ if rp not in init_files:
|
||||||
@ -1745,7 +1849,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ if len(cmds) == 0:
|
+ if len(cmds) == 0:
|
||||||
+ usage(_("Command required"))
|
+ usage(_("Command required"))
|
||||||
+
|
+
|
||||||
+ execcon, filecon = gen_context(setype)
|
+ execcon, filecon = gen_context(setype, level)
|
||||||
+ rc = -1
|
+ rc = -1
|
||||||
+
|
+
|
||||||
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
|
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
|
||||||
@ -1822,9 +1926,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+
|
+
|
||||||
+ sys.exit(rc)
|
+ sys.exit(rc)
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.77/sandbox/sandbox.8
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
|
||||||
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/sandbox.8 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,26 @@
|
@@ -0,0 +1,26 @@
|
||||||
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
|
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
|
||||||
+.SH NAME
|
+.SH NAME
|
||||||
@ -1852,9 +1956,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+.TP
|
+.TP
|
||||||
+runcon(1)
|
+runcon(1)
|
||||||
+.PP
|
+.PP
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.77/sandbox/sandboxX.sh
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.78/sandbox/sandboxX.sh
|
||||||
--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/sandboxX.sh 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/sandboxX.sh 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,16 @@
|
@@ -0,0 +1,16 @@
|
||||||
+#!/bin/bash
|
+#!/bin/bash
|
||||||
+export TITLE="Sandbox: `/usr/bin/tail -1 ~/.sandboxrc | /usr/bin/cut -b1-70`"
|
+export TITLE="Sandbox: `/usr/bin/tail -1 ~/.sandboxrc | /usr/bin/cut -b1-70`"
|
||||||
@ -1872,9 +1976,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+ kill -HUP 0
|
+ kill -HUP 0
|
||||||
+ break
|
+ break
|
||||||
+done
|
+done
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.77/sandbox/seunshare.c
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.78/sandbox/seunshare.c
|
||||||
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sandbox/seunshare.c 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/sandbox/seunshare.c 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -0,0 +1,265 @@
|
@@ -0,0 +1,265 @@
|
||||||
+#include <signal.h>
|
+#include <signal.h>
|
||||||
+#include <sys/types.h>
|
+#include <sys/types.h>
|
||||||
@ -2141,9 +2245,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
+
|
+
|
||||||
+ return status;
|
+ return status;
|
||||||
+}
|
+}
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.77/semanage/semanage
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
|
||||||
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
|
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/semanage/semanage 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -32,23 +32,32 @@
|
@@ -32,23 +32,32 @@
|
||||||
try:
|
try:
|
||||||
gettext.install(PROGNAME,
|
gettext.install(PROGNAME,
|
||||||
@ -2472,9 +2576,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
process_args(mkargv(l))
|
process_args(mkargv(l))
|
||||||
trans.finish()
|
trans.finish()
|
||||||
else:
|
else:
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.77/semanage/seobject.py
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
|
||||||
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
|
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/semanage/seobject.py 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -37,40 +37,6 @@
|
@@ -37,40 +37,6 @@
|
||||||
|
|
||||||
import syslog
|
import syslog
|
||||||
@ -3118,9 +3222,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
def list(self, heading = True, locallist = False, use_file = False):
|
def list(self, heading = True, locallist = False, use_file = False):
|
||||||
on_off = (_("off"), _("on"))
|
on_off = (_("off"), _("on"))
|
||||||
if use_file:
|
if use_file:
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.77/semodule/semodule.8
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.78/semodule/semodule.8
|
||||||
--- nsapolicycoreutils/semodule/semodule.8 2009-09-17 08:59:43.000000000 -0400
|
--- nsapolicycoreutils/semodule/semodule.8 2009-09-17 08:59:43.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/semodule/semodule.8 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/semodule/semodule.8 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -35,6 +35,12 @@
|
@@ -35,6 +35,12 @@
|
||||||
.B \-b,\-\-base=MODULE_PKG
|
.B \-b,\-\-base=MODULE_PKG
|
||||||
install/replace base module package
|
install/replace base module package
|
||||||
@ -3134,9 +3238,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
.B \-r,\-\-remove=MODULE_NAME
|
.B \-r,\-\-remove=MODULE_NAME
|
||||||
remove existing module
|
remove existing module
|
||||||
.TP
|
.TP
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.77/semodule/semodule.c
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.78/semodule/semodule.c
|
||||||
--- nsapolicycoreutils/semodule/semodule.c 2009-09-17 08:59:43.000000000 -0400
|
--- nsapolicycoreutils/semodule/semodule.c 2009-09-17 08:59:43.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/semodule/semodule.c 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/semodule/semodule.c 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -22,12 +22,12 @@
|
@@ -22,12 +22,12 @@
|
||||||
|
|
||||||
#include <semanage/modules.h>
|
#include <semanage/modules.h>
|
||||||
@ -3254,9 +3358,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
semanage_module_info_datum_destroy
|
semanage_module_info_datum_destroy
|
||||||
(m);
|
(m);
|
||||||
}
|
}
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.77/setfiles/restore.c
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.78/setfiles/restore.c
|
||||||
--- nsapolicycoreutils/setfiles/restore.c 2009-11-03 09:21:40.000000000 -0500
|
--- nsapolicycoreutils/setfiles/restore.c 2009-11-03 09:21:40.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/setfiles/restore.c 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/setfiles/restore.c 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -303,6 +303,12 @@
|
@@ -303,6 +303,12 @@
|
||||||
FTS *fts_handle;
|
FTS *fts_handle;
|
||||||
FTSENT *ftsent;
|
FTSENT *ftsent;
|
||||||
@ -3270,9 +3374,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
|
fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
|
||||||
if (fts_handle == NULL) {
|
if (fts_handle == NULL) {
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.77/setfiles/restorecon.8
|
@@ -374,6 +380,7 @@
|
||||||
|
} else {
|
||||||
|
rc = lstat(name, &sb);
|
||||||
|
if (rc < 0) {
|
||||||
|
+ if (r_opts->ignore_enoent && errno == ENOENT) return 0;
|
||||||
|
fprintf(stderr, "%s: lstat(%s) failed: %s\n",
|
||||||
|
r_opts->progname, name, strerror(errno));
|
||||||
|
return -1;
|
||||||
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.78/setfiles/restorecon.8
|
||||||
--- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400
|
--- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/setfiles/restorecon.8 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/setfiles/restorecon.8 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -4,10 +4,10 @@
|
@@ -4,10 +4,10 @@
|
||||||
|
|
||||||
.SH "SYNOPSIS"
|
.SH "SYNOPSIS"
|
||||||
@ -3296,9 +3408,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
.TP
|
.TP
|
||||||
.B \-v
|
.B \-v
|
||||||
show changes in file labels.
|
show changes in file labels.
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.77/setfiles/setfiles.8
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.78/setfiles/restore.h
|
||||||
|
--- nsapolicycoreutils/setfiles/restore.h 2009-11-03 09:21:40.000000000 -0500
|
||||||
|
+++ policycoreutils-2.0.78/setfiles/restore.h 2009-12-08 17:05:49.000000000 -0500
|
||||||
|
@@ -27,6 +27,7 @@
|
||||||
|
int hard_links;
|
||||||
|
int verbose;
|
||||||
|
int logging;
|
||||||
|
+ int ignore_enoent;
|
||||||
|
char *rootpath;
|
||||||
|
int rootpathlen;
|
||||||
|
char *progname;
|
||||||
|
Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.78/setfiles/restore.o differ
|
||||||
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.78/setfiles/setfiles.8
|
||||||
--- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400
|
--- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/setfiles/setfiles.8 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/setfiles/setfiles.8 2009-12-08 17:05:49.000000000 -0500
|
||||||
@@ -31,6 +31,9 @@
|
@@ -31,6 +31,9 @@
|
||||||
.TP
|
.TP
|
||||||
.B \-n
|
.B \-n
|
||||||
@ -3309,10 +3433,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
.TP
|
.TP
|
||||||
.B \-q
|
.B \-q
|
||||||
suppress non-error output.
|
suppress non-error output.
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.77/setfiles/setfiles.c
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.78/setfiles/setfiles.c
|
||||||
--- nsapolicycoreutils/setfiles/setfiles.c 2009-11-03 09:21:40.000000000 -0500
|
--- nsapolicycoreutils/setfiles/setfiles.c 2009-11-03 09:21:40.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/setfiles/setfiles.c 2009-11-24 10:27:27.000000000 -0500
|
+++ policycoreutils-2.0.78/setfiles/setfiles.c 2009-12-09 16:28:55.000000000 -0500
|
||||||
@@ -44,13 +44,13 @@
|
@@ -25,7 +25,6 @@
|
||||||
|
static int warn_no_match = 0;
|
||||||
|
static int null_terminated = 0;
|
||||||
|
static int errors;
|
||||||
|
-static int ignore_enoent;
|
||||||
|
static struct restore_opts r_opts;
|
||||||
|
|
||||||
|
#define STAT_BLOCK_SIZE 1
|
||||||
|
@@ -44,13 +43,13 @@
|
||||||
{
|
{
|
||||||
if (iamrestorecon) {
|
if (iamrestorecon) {
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
@ -3328,7 +3460,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
name);
|
name);
|
||||||
}
|
}
|
||||||
exit(1);
|
exit(1);
|
||||||
@@ -371,7 +371,7 @@
|
@@ -335,7 +334,7 @@
|
||||||
|
r_opts.debug = 1;
|
||||||
|
break;
|
||||||
|
case 'i':
|
||||||
|
- ignore_enoent = 1;
|
||||||
|
+ r_opts.ignore_enoent = 1;
|
||||||
|
break;
|
||||||
|
case 'l':
|
||||||
|
r_opts.logging = 1;
|
||||||
|
@@ -371,7 +370,7 @@
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (optind + 1 >= argc) {
|
if (optind + 1 >= argc) {
|
||||||
@ -3337,9 +3478,3 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
|||||||
argv[0]);
|
argv[0]);
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/VERSION policycoreutils-2.0.77/VERSION
|
|
||||||
--- nsapolicycoreutils/VERSION 2009-12-01 15:46:50.000000000 -0500
|
|
||||||
+++ policycoreutils-2.0.77/VERSION 2009-11-20 10:51:25.000000000 -0500
|
|
||||||
@@ -1 +1 @@
|
|
||||||
-2.0.78
|
|
||||||
+2.0.77
|
|
||||||
|
@ -1,6 +1,62 @@
|
|||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
|
||||||
|
--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:02:52.000000000 -0500
|
||||||
|
@@ -32,6 +32,7 @@
|
||||||
|
"""
|
||||||
|
|
||||||
|
import refpolicy
|
||||||
|
+from selinux import audit2why
|
||||||
|
|
||||||
|
def is_idparam(id):
|
||||||
|
"""Determine if an id is a paramater in the form $N, where N is
|
||||||
|
@@ -85,6 +86,8 @@
|
||||||
|
self.obj_class = None
|
||||||
|
self.perms = refpolicy.IdSet()
|
||||||
|
self.audit_msgs = []
|
||||||
|
+ self.type = audit2why.TERULE
|
||||||
|
+ self.bools = []
|
||||||
|
|
||||||
|
# The direction of the information flow represented by this
|
||||||
|
# access vector - used for matching
|
||||||
|
@@ -127,7 +130,7 @@
|
||||||
|
return self.to_string()
|
||||||
|
|
||||||
|
def to_string(self):
|
||||||
|
- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
|
||||||
|
+ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
|
||||||
|
self.obj_class, self.perms.to_space_str())
|
||||||
|
|
||||||
|
def __cmp__(self, other):
|
||||||
|
@@ -253,20 +256,22 @@
|
||||||
|
for av in l:
|
||||||
|
self.add_av(AccessVector(av))
|
||||||
|
|
||||||
|
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
|
||||||
|
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
|
||||||
|
"""Add an access vector to the set.
|
||||||
|
"""
|
||||||
|
tgt = self.src.setdefault(src_type, { })
|
||||||
|
cls = tgt.setdefault(tgt_type, { })
|
||||||
|
|
||||||
|
- if cls.has_key(obj_class):
|
||||||
|
- access = cls[obj_class]
|
||||||
|
+ if cls.has_key((obj_class, avc_type)):
|
||||||
|
+ access = cls[obj_class, avc_type]
|
||||||
|
else:
|
||||||
|
access = AccessVector()
|
||||||
|
access.src_type = src_type
|
||||||
|
access.tgt_type = tgt_type
|
||||||
|
access.obj_class = obj_class
|
||||||
|
- cls[obj_class] = access
|
||||||
|
+ access.bools = bools
|
||||||
|
+ access.type = avc_type
|
||||||
|
+ cls[obj_class, avc_type] = access
|
||||||
|
|
||||||
|
access.perms.update(perms)
|
||||||
|
if audit_msg:
|
||||||
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
|
||||||
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
|
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
|
||||||
+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py 2009-11-24 10:27:28.000000000 -0500
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:02:17.000000000 -0500
|
||||||
@@ -23,6 +23,27 @@
|
@@ -23,6 +23,27 @@
|
||||||
|
|
||||||
# Convenience functions
|
# Convenience functions
|
||||||
@ -47,10 +103,153 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
|||||||
# Classes representing audit messages
|
# Classes representing audit messages
|
||||||
|
|
||||||
class AuditMessage:
|
class AuditMessage:
|
||||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py
|
@@ -106,6 +138,7 @@
|
||||||
|
if fields[0] == "path":
|
||||||
|
self.path = fields[1][1:-1]
|
||||||
|
return
|
||||||
|
+import selinux.audit2why as audit2why
|
||||||
|
|
||||||
|
class AVCMessage(AuditMessage):
|
||||||
|
"""AVC message representing an access denial or granted message.
|
||||||
|
@@ -146,6 +179,8 @@
|
||||||
|
self.path = ""
|
||||||
|
self.accesses = []
|
||||||
|
self.denial = True
|
||||||
|
+ self.type = audit2why.TERULE
|
||||||
|
+ self.bools = []
|
||||||
|
|
||||||
|
def __parse_access(self, recs, start):
|
||||||
|
# This is kind of sucky - the access that is in a space separated
|
||||||
|
@@ -205,7 +240,25 @@
|
||||||
|
|
||||||
|
if not found_src or not found_tgt or not found_class or not found_access:
|
||||||
|
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
|
||||||
|
-
|
||||||
|
+ self.analyze()
|
||||||
|
+
|
||||||
|
+ def analyze(self):
|
||||||
|
+ tcontext = self.tcontext.to_string()
|
||||||
|
+ scontext = self.scontext.to_string()
|
||||||
|
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
||||||
|
+ if self.type == audit2why.NOPOLICY:
|
||||||
|
+ raise ValueError("Must call policy_init first")
|
||||||
|
+ if self.type == audit2why.BADTCON:
|
||||||
|
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
|
||||||
|
+ if self.type == audit2why.BADSCON:
|
||||||
|
+ raise ValueError("Invalid Source Context %s\n" % scontext)
|
||||||
|
+ if self.type == audit2why.BADSCON:
|
||||||
|
+ raise ValueError("Invalid Type Class %s\n" % self.tclass)
|
||||||
|
+ if self.type == audit2why.BADPERM:
|
||||||
|
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
|
||||||
|
+ if self.type == audit2why.BADCOMPUTE:
|
||||||
|
+ raise ValueError("Error during access vector computation")
|
||||||
|
+
|
||||||
|
class PolicyLoadMessage(AuditMessage):
|
||||||
|
"""Audit message indicating that the policy was reloaded."""
|
||||||
|
def __init__(self, message):
|
||||||
|
@@ -285,6 +338,9 @@
|
||||||
|
|
||||||
|
def __initialize(self):
|
||||||
|
self.avc_msgs = []
|
||||||
|
+ self.constraint_msgs = []
|
||||||
|
+ self.dontaudit_msgs = []
|
||||||
|
+ self.rbac_msgs = []
|
||||||
|
self.compute_sid_msgs = []
|
||||||
|
self.invalid_msgs = []
|
||||||
|
self.policy_load_msgs = []
|
||||||
|
@@ -314,7 +370,7 @@
|
||||||
|
elif i == "security_compute_sid:":
|
||||||
|
msg = ComputeSidMessage(line)
|
||||||
|
found = True
|
||||||
|
- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
|
||||||
|
+ elif i == "type=MAC_POLICY_LOAD":
|
||||||
|
msg = PolicyLoadMessage(line)
|
||||||
|
found = True
|
||||||
|
elif i == "type=AVC_PATH":
|
||||||
|
@@ -442,16 +498,17 @@
|
||||||
|
audit logs parsed by this object.
|
||||||
|
"""
|
||||||
|
av_set = access.AccessVectorSet()
|
||||||
|
+
|
||||||
|
for avc in self.avc_msgs:
|
||||||
|
if avc.denial != True and only_denials:
|
||||||
|
continue
|
||||||
|
if avc_filter:
|
||||||
|
if avc_filter.filter(avc):
|
||||||
|
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||||
|
- avc.accesses, avc)
|
||||||
|
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||||
|
else:
|
||||||
|
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||||
|
- avc.accesses, avc)
|
||||||
|
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||||
|
return av_set
|
||||||
|
|
||||||
|
class AVCTypeFilter:
|
||||||
|
@@ -477,5 +534,3 @@
|
||||||
|
if self.regex.match(avc.tcontext.type):
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
-
|
||||||
|
-
|
||||||
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
|
||||||
|
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-08 17:03:16.000000000 -0500
|
||||||
|
@@ -29,6 +29,8 @@
|
||||||
|
import access
|
||||||
|
import interfaces
|
||||||
|
import matching
|
||||||
|
+import selinux.audit2why as audit2why
|
||||||
|
+from setools import *
|
||||||
|
|
||||||
|
# Constants for the level of explanation from the generation
|
||||||
|
# routines
|
||||||
|
@@ -74,7 +76,7 @@
|
||||||
|
self.moduel = module
|
||||||
|
else:
|
||||||
|
self.module = refpolicy.Module()
|
||||||
|
-
|
||||||
|
+ self.domains = None
|
||||||
|
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
||||||
|
"""Set whether reference policy interfaces are generated.
|
||||||
|
|
||||||
|
@@ -144,8 +146,32 @@
|
||||||
|
def __add_allow_rules(self, avs):
|
||||||
|
for av in avs:
|
||||||
|
rule = refpolicy.AVRule(av)
|
||||||
|
+ rule.comment = ""
|
||||||
|
if self.explain:
|
||||||
|
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
|
||||||
|
+ if av.type == audit2why.DONTAUDIT:
|
||||||
|
+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
|
||||||
|
+ if av.type == audit2why.BOOLEAN:
|
||||||
|
+ if len(av.bools) > 1:
|
||||||
|
+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
|
||||||
|
+ else:
|
||||||
|
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
|
||||||
|
+
|
||||||
|
+ if av.type == audit2why.CONSTRAINT:
|
||||||
|
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||||
|
+ if av.type == audit2why.TERULE:
|
||||||
|
+ if "open" in av.perms and "write" in av.perms:
|
||||||
|
+ if not self.domains:
|
||||||
|
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
|
||||||
|
+ types=[]
|
||||||
|
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
|
||||||
|
+ if i not in self.domains:
|
||||||
|
+ types.append(i)
|
||||||
|
+ if len(types) == 1:
|
||||||
|
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||||
|
+ elif len(types) >= 1:
|
||||||
|
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||||
|
+
|
||||||
|
self.module.children.append(rule)
|
||||||
|
|
||||||
|
|
||||||
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
|
||||||
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
|
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
|
||||||
+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-11-24 10:27:28.000000000 -0500
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:01:22.000000000 -0500
|
||||||
@@ -973,7 +919,7 @@
|
@@ -973,7 +973,7 @@
|
||||||
def list_headers(root):
|
def list_headers(root):
|
||||||
modules = []
|
modules = []
|
||||||
support_macros = None
|
support_macros = None
|
||||||
@ -59,3 +258,35 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
|||||||
|
|
||||||
for dirpath, dirnames, filenames in os.walk(root):
|
for dirpath, dirnames, filenames in os.walk(root):
|
||||||
for name in filenames:
|
for name in filenames:
|
||||||
|
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
|
||||||
|
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:02:00.000000000 -0500
|
||||||
|
@@ -398,6 +398,7 @@
|
||||||
|
return "attribute %s;" % self.name
|
||||||
|
|
||||||
|
# Classes representing rules
|
||||||
|
+import selinux.audit2why as audit2why
|
||||||
|
|
||||||
|
class AVRule(Leaf):
|
||||||
|
"""SELinux access vector (AV) rule.
|
||||||
|
@@ -426,15 +427,17 @@
|
||||||
|
self.tgt_types = IdSet()
|
||||||
|
self.obj_classes = IdSet()
|
||||||
|
self.perms = IdSet()
|
||||||
|
- self.rule_type = self.ALLOW
|
||||||
|
+ self.rule_type = audit2why.TERULE
|
||||||
|
if av:
|
||||||
|
self.from_av(av)
|
||||||
|
|
||||||
|
def __rule_type_str(self):
|
||||||
|
- if self.rule_type == self.ALLOW:
|
||||||
|
+ if self.rule_type == audit2why.TERULE:
|
||||||
|
return "allow"
|
||||||
|
- elif self.rule_type == self.DONTAUDIT:
|
||||||
|
+ elif self.rule_type == audit2why.DONTAUDIT:
|
||||||
|
return "dontaudit"
|
||||||
|
+ elif self.rule_type == audit2why.CONSTRAINT:
|
||||||
|
+ return "#constraint allow"
|
||||||
|
else:
|
||||||
|
return "auditallow"
|
||||||
|
|
||||||
|
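Review bot: In `AVCMessage.analyze` (audit.py hunk `@@ -205,7 +240,25 @@`, whose class starts outside the visible hunks) the check that raises `Invalid Type Class` compares against `audit2why.BADSCON` a second time, so an invalid target class is never reported and that branch is dead code; it should test the class-specific code libselinux exports, `if self.type == audit2why.BADTCLASS:`. In policygen.py `__add_allow_rules`, `map(lambda x: av.bools[0][0], av.bools)` ignores its argument and repeats the first boolean's name in the "one of these booleans" comment; `map(lambda x: x[0], av.bools)` lists each boolean. In access.py `AccessVectorSet.add`, the new `bools=[]` default is one shared mutable list that is stored directly on every vector via `access.bools = bools`; use `bools=None` and `access.bools = list(bools or [])` so vectors do not alias the same list. The `from setools import *` in policygen.py also makes setools a hard import-time dependency of all of sepolgen and pulls `ATTRIBUTE`, `ALLOW`, `SCONTEXT` and the rest into the module namespace unnamed; an explicit `from setools import seinfo, sesearch, ATTRIBUTE, ALLOW, SCONTEXT, TCONTEXT, CLASS, PERMS` would document what is actually used.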
@ -6,7 +6,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.0.78
|
Version: 2.0.78
|
||||||
Release: 1%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
@ -296,6 +296,12 @@ fi
|
|||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
|
||||||
|
- Fix audit2allow to report constraints, dontaudits, types, booleans
|
||||||
|
|
||||||
|
* Fri Dec 4 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-2
|
||||||
|
- Fix restorecon -i to ignore enoent
|
||||||
|
|
||||||
* Tue Dec 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-1
|
* Tue Dec 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
* Remove non-working OUTFILE from fixfiles from Dan Walsh.
|
* Remove non-working OUTFILE from fixfiles from Dan Walsh.
|
||||||
|