* Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
- Fix audit2allow to report constraints, dontaudits, types, booleans
This commit is contained in:
parent
3fbc112632
commit
79944fd474
@ -1,7 +1,15 @@
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.77/audit2allow/audit2allow
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
|
||||
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/audit2allow/audit2allow 2009-11-24 10:27:27.000000000 -0500
|
||||
@@ -42,6 +42,8 @@
|
||||
+++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -28,6 +28,7 @@
|
||||
import sepolgen.defaults as defaults
|
||||
import sepolgen.module as module
|
||||
from sepolgen.sepolgeni18n import _
|
||||
+import selinux.audit2why as audit2why
|
||||
|
||||
class AuditToPolicy:
|
||||
VERSION = "%prog .1"
|
||||
@@ -42,6 +43,8 @@
|
||||
from optparse import OptionParser
|
||||
|
||||
parser = OptionParser(version=self.VERSION)
|
||||
@ -10,7 +18,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
|
||||
help="read input from audit log - conflicts with -i")
|
||||
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
|
||||
@@ -80,11 +82,11 @@
|
||||
@@ -80,11 +83,11 @@
|
||||
options, args = parser.parse_args()
|
||||
|
||||
# Make -d, -a, and -i conflict
|
||||
@ -25,7 +33,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
if options.input is not None and options.dmesg is True:
|
||||
sys.stderr.write("error: --input conflicts with --dmesg\n")
|
||||
|
||||
@@ -129,6 +131,12 @@
|
||||
@@ -129,6 +132,12 @@
|
||||
except OSError, e:
|
||||
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
|
||||
sys.exit(1)
|
||||
@ -38,18 +46,101 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
else:
|
||||
# This is the default if no input is specified
|
||||
f = sys.stdin
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.77/Makefile
|
||||
@@ -220,63 +229,44 @@
|
||||
|
||||
def __output_audit2why(self):
|
||||
import selinux
|
||||
- import selinux.audit2why as audit2why
|
||||
import seobject
|
||||
- audit2why.init()
|
||||
for i in self.__parser.avc_msgs:
|
||||
- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
|
||||
- if rc >= 0:
|
||||
+ if i.type >= 0:
|
||||
print "%s\n\tWas caused by:" % i.message
|
||||
- if rc == audit2why.NOPOLICY:
|
||||
- raise RuntimeError("Must call policy_init first")
|
||||
- if rc == audit2why.BADTCON:
|
||||
- print "Invalid Target Context %s\n" % i.tcontext
|
||||
- continue
|
||||
- if rc == audit2why.BADSCON:
|
||||
- print "Invalid Source Context %s\n" % i.scontext
|
||||
- continue
|
||||
- if rc == audit2why.BADSCON:
|
||||
- print "Invalid Type Class %s\n" % i.tclass
|
||||
- continue
|
||||
- if rc == audit2why.BADPERM:
|
||||
- print "Invalid permission %s\n" % i.accesses
|
||||
- continue
|
||||
- if rc == audit2why. BADCOMPUTE:
|
||||
- raise RuntimeError("Error during access vector computation")
|
||||
- if rc == audit2why.ALLOW:
|
||||
+ if i.type == audit2why.ALLOW:
|
||||
print "\t\tUnknown - would be allowed by active policy\n",
|
||||
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
|
||||
continue
|
||||
- if rc == audit2why.DONTAUDIT:
|
||||
+ if i.type == audit2why.DONTAUDIT:
|
||||
print "\t\tUnknown - should be dontaudit'd by active policy\n",
|
||||
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
|
||||
continue
|
||||
- if rc == audit2why.BOOLEAN:
|
||||
- if len(bools) > 1:
|
||||
+ if i.type == audit2why.BOOLEAN:
|
||||
+ if len(i.bools) > 1:
|
||||
print "\tOne of the following booleans was set incorrectly."
|
||||
- for b in bools:
|
||||
+ for b in i.bools:
|
||||
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
|
||||
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
|
||||
else:
|
||||
- print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
|
||||
- print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
|
||||
- print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
|
||||
+ print "\tThe boolean %s was set incorrectly. " % (i.bools[0][0])
|
||||
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(i.bools[0][0])
|
||||
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (i.bools[0][0], i.bools[0][1])
|
||||
continue
|
||||
|
||||
- if rc == audit2why.TERULE:
|
||||
+ if i.type == audit2why.TERULE:
|
||||
print "\t\tMissing type enforcement (TE) allow rule.\n"
|
||||
print "\t\tYou can use audit2allow to generate a loadable module to allow this access.\n"
|
||||
continue
|
||||
|
||||
- if rc == audit2why.CONSTRAINT:
|
||||
+ if i.type == audit2why.CONSTRAINT:
|
||||
print "\t\tPolicy constraint violation.\n"
|
||||
print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
|
||||
print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
|
||||
continue
|
||||
|
||||
- if rc == audit2why.RBAC:
|
||||
+ if i.type == audit2why.RBAC:
|
||||
print "\t\tMissing role allow rule.\n"
|
||||
print "\t\tAdd an allow rule for the role pair.\n"
|
||||
continue
|
||||
@@ -344,5 +334,6 @@
|
||||
sys.exit(0)
|
||||
|
||||
if __name__ == "__main__":
|
||||
+ audit2why.init()
|
||||
app = AuditToPolicy()
|
||||
app.main()
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.78/Makefile
|
||||
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/Makefile 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/Makefile 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -1,4 +1,4 @@
|
||||
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
||||
+SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
||||
|
||||
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
||||
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.77/restorecond/Makefile
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.78/restorecond/Makefile
|
||||
--- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/restorecond/Makefile 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/Makefile 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -1,17 +1,28 @@
|
||||
# Installation directories.
|
||||
PREFIX ?= ${DESTDIR}/usr
|
||||
@ -96,16 +187,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
relabel: install
|
||||
/sbin/restorecon $(SBINDIR)/restorecond
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service
|
||||
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,3 @@
|
||||
+[D-BUS Service]
|
||||
+Name=org.selinux.Restorecond
|
||||
+Exec=/usr/sbin/restorecond -u
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.77/restorecond/restorecond.8
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.78/restorecond/restorecond.8
|
||||
--- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/restorecond/restorecond.8 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/restorecond.8 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -3,7 +3,7 @@
|
||||
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
|
||||
|
||||
@ -140,9 +231,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
.SH "SEE ALSO"
|
||||
.BR restorecon (8),
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.77/restorecond/restorecond.c
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.78/restorecond/restorecond.c
|
||||
--- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/restorecond/restorecond.c 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/restorecond.c 2009-12-09 16:29:18.000000000 -0500
|
||||
@@ -30,9 +30,11 @@
|
||||
* and makes sure that there security context matches the systems defaults
|
||||
*
|
||||
@ -480,7 +571,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
exit(0);
|
||||
}
|
||||
|
||||
@@ -390,74 +136,34 @@
|
||||
@@ -390,74 +136,35 @@
|
||||
to see if it is one that we are watching.
|
||||
*/
|
||||
|
||||
@ -571,6 +662,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ r_opts.fts_flags = FTS_PHYSICAL;
|
||||
+ r_opts.selabel_opt_validate = NULL;
|
||||
+ r_opts.selabel_opt_path = NULL;
|
||||
+ r_opts.ignore_enoent = 1;
|
||||
+
|
||||
+ restore_init(&r_opts);
|
||||
+ /* If we are not running SELinux then just exit */
|
||||
@ -578,7 +670,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
/* Register sighandlers */
|
||||
sa.sa_flags = 0;
|
||||
@@ -467,38 +173,59 @@
|
||||
@@ -467,38 +174,59 @@
|
||||
|
||||
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
|
||||
|
||||
@ -647,9 +739,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
}
|
||||
+
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.77/restorecond/restorecond.conf
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.78/restorecond/restorecond.conf
|
||||
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/restorecond/restorecond.conf 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/restorecond.conf 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -4,8 +4,5 @@
|
||||
/etc/mtab
|
||||
/var/run/utmp
|
||||
@ -660,9 +752,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
/root/.ssh/*
|
||||
-
|
||||
-
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.77/restorecond/restorecond.desktop
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.78/restorecond/restorecond.desktop
|
||||
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/restorecond/restorecond.desktop 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/restorecond.desktop 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,7 @@
|
||||
+[Desktop Entry]
|
||||
+Name=File Context maintainer
|
||||
@ -671,9 +763,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+Encoding=UTF-8
|
||||
+Type=Application
|
||||
+StartupNotify=false
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.77/restorecond/restorecond.h
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.78/restorecond/restorecond.h
|
||||
--- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/restorecond/restorecond.h 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/restorecond.h 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -24,7 +24,21 @@
|
||||
#ifndef RESTORED_CONFIG_H
|
||||
#define RESTORED_CONFIG_H
|
||||
@ -698,9 +790,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+extern void watch_list_free(int fd);
|
||||
|
||||
#endif
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.77/restorecond/restorecond.init
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.78/restorecond/restorecond.init
|
||||
--- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/restorecond/restorecond.init 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/restorecond.init 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -75,16 +75,15 @@
|
||||
status restorecond
|
||||
RETVAL=$?
|
||||
@ -720,15 +812,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
|
||||
exit $RETVAL
|
||||
-
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.77/restorecond/restorecond_user.conf
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.78/restorecond/restorecond_user.conf
|
||||
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/restorecond/restorecond_user.conf 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/restorecond_user.conf 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,2 @@
|
||||
+~/*
|
||||
+~/public_html/*
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.77/restorecond/user.c
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.78/restorecond/user.c
|
||||
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/restorecond/user.c 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/restorecond/user.c 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,237 @@
|
||||
+/*
|
||||
+ * restorecond
|
||||
@ -967,10 +1059,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.77/restorecond/watch.c
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.78/restorecond/watch.c
|
||||
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/restorecond/watch.c 2009-11-24 10:27:27.000000000 -0500
|
||||
@@ -0,0 +1,253 @@
|
||||
+++ policycoreutils-2.0.78/restorecond/watch.c 2009-12-09 16:31:48.000000000 -0500
|
||||
@@ -0,0 +1,254 @@
|
||||
+#define _GNU_SOURCE
|
||||
+#include <sys/inotify.h>
|
||||
+#include <errno.h>
|
||||
@ -1052,8 +1144,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ if (ptr->wd == -1) {
|
||||
+ free(ptr);
|
||||
+ free(x);
|
||||
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
|
||||
+ path, strerror(errno));
|
||||
+ if (! run_as_user)
|
||||
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
|
||||
+ path, strerror(errno));
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
@ -1224,17 +1317,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ exitApp("Error watching config file.");
|
||||
+}
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.77/sandbox/deliverables/basicwrapper
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.78/sandbox/deliverables/basicwrapper
|
||||
--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/deliverables/basicwrapper 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/deliverables/basicwrapper 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,4 @@
|
||||
+import os, sys
|
||||
+SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
|
||||
+SANDBOX_ARGS.extend(sys.argv[1::])
|
||||
+os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.77/sandbox/deliverables/README
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.78/sandbox/deliverables/README
|
||||
--- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/deliverables/README 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/deliverables/README 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,32 @@
|
||||
+Files:
|
||||
+run-in-sandbox.py:
|
||||
@ -1268,9 +1361,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+
|
||||
+Thanks for a great summer.
|
||||
+Chris Pardy
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py
|
||||
--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,49 @@
|
||||
+import os
|
||||
+import os.path
|
||||
@ -1321,9 +1414,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ def get_background_items(self, window, file):
|
||||
+ return
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.77/sandbox/deliverables/sandbox
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.78/sandbox/deliverables/sandbox
|
||||
--- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/deliverables/sandbox 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/deliverables/sandbox 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,216 @@
|
||||
+#!/usr/bin/python -E
|
||||
+import os, sys, getopt, socket, random, fcntl, shutil
|
||||
@ -1541,9 +1634,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+
|
||||
+ sys.exit(rc)
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.77/sandbox/Makefile
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.78/sandbox/Makefile
|
||||
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/Makefile 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/Makefile 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,31 @@
|
||||
+# Installation directories.
|
||||
+PREFIX ?= ${DESTDIR}/usr
|
||||
@ -1576,10 +1669,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ ../../scripts/Lindent $(wildcard *.[ch])
|
||||
+
|
||||
+relabel:
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.77/sandbox/sandbox
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
|
||||
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/sandbox 2009-11-24 10:27:27.000000000 -0500
|
||||
@@ -0,0 +1,242 @@
|
||||
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,253 @@
|
||||
+#!/usr/bin/python -E
|
||||
+import os, sys, getopt, socket, random, fcntl, shutil
|
||||
+import selinux
|
||||
@ -1623,36 +1716,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ sys.stderr.flush()
|
||||
+ sys.exit(1)
|
||||
+
|
||||
+def reserve(mcs):
|
||||
+def reserve(level):
|
||||
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
+ sock.bind("\0%s" % mcs)
|
||||
+ sock.bind("\0%s" % level)
|
||||
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
||||
+
|
||||
+def gen_context(setype):
|
||||
+ while True:
|
||||
+ i1 = random.randrange(0, 1024)
|
||||
+ i2 = random.randrange(0, 1024)
|
||||
+ if i1 == i2:
|
||||
+ continue
|
||||
+ if i1 > i2:
|
||||
+ tmp = i1
|
||||
+ i1 = i2
|
||||
+ i2 = tmp
|
||||
+ mcs = "s0:c%d,c%d" % (i1, i2)
|
||||
+ reserve(mcs)
|
||||
+ try:
|
||||
+ reserve(mcs)
|
||||
+ except:
|
||||
+ continue
|
||||
+ break
|
||||
+def gen_mcs():
|
||||
+ while True:
|
||||
+ i1 = random.randrange(0, 1024)
|
||||
+ i2 = random.randrange(0, 1024)
|
||||
+ if i1 == i2:
|
||||
+ continue
|
||||
+ if i1 > i2:
|
||||
+ tmp = i1
|
||||
+ i1 = i2
|
||||
+ i2 = tmp
|
||||
+ level = "s0:c%d,c%d" % (i1, i2)
|
||||
+ level = "s0:c%d,c%d" % (i1, i2)
|
||||
+ try:
|
||||
+ reserve(level)
|
||||
+ except socket.error:
|
||||
+ continue
|
||||
+ break
|
||||
+ return level
|
||||
+
|
||||
+def gen_context(setype, level=None):
|
||||
+ if not level:
|
||||
+ level = gen_mcs()
|
||||
+
|
||||
+ con = selinux.getcon()[1].split(":")
|
||||
+
|
||||
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
|
||||
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, level)
|
||||
+
|
||||
+ filecon = "%s:%s:%s:%s" % (con[0],
|
||||
+ "object_r",
|
||||
+ "%s_file_t" % setype[:-2],
|
||||
+ mcs)
|
||||
+ level)
|
||||
+ return execcon, filecon
|
||||
+
|
||||
+def copyfile(file, dir, dest):
|
||||
@ -1708,17 +1807,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+
|
||||
+ setype = DEFAULT_TYPE
|
||||
+ X_ind = False
|
||||
+ level=None
|
||||
+ try:
|
||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:",
|
||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:",
|
||||
+ ["help",
|
||||
+ "include=",
|
||||
+ "includefile=",
|
||||
+ "type="
|
||||
+ "type=",
|
||||
+ "level="
|
||||
+ ])
|
||||
+ for o, a in gopts:
|
||||
+ if o == "-t" or o == "--type":
|
||||
+ setype = a
|
||||
+
|
||||
+ if o == "-l" or o == "--level":
|
||||
+ level = a
|
||||
+
|
||||
+ if o == "-i" or o == "--include":
|
||||
+ rp = os.path.realpath(a)
|
||||
+ if rp not in init_files:
|
||||
@ -1745,7 +1849,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ if len(cmds) == 0:
|
||||
+ usage(_("Command required"))
|
||||
+
|
||||
+ execcon, filecon = gen_context(setype)
|
||||
+ execcon, filecon = gen_context(setype, level)
|
||||
+ rc = -1
|
||||
+
|
||||
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
|
||||
@ -1822,9 +1926,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+
|
||||
+ sys.exit(rc)
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.77/sandbox/sandbox.8
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
|
||||
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/sandbox.8 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,26 @@
|
||||
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
|
||||
+.SH NAME
|
||||
@ -1852,9 +1956,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+.TP
|
||||
+runcon(1)
|
||||
+.PP
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.77/sandbox/sandboxX.sh
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.78/sandbox/sandboxX.sh
|
||||
--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/sandboxX.sh 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/sandboxX.sh 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,16 @@
|
||||
+#!/bin/bash
|
||||
+export TITLE="Sandbox: `/usr/bin/tail -1 ~/.sandboxrc | /usr/bin/cut -b1-70`"
|
||||
@ -1872,9 +1976,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ kill -HUP 0
|
||||
+ break
|
||||
+done
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.77/sandbox/seunshare.c
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.78/sandbox/seunshare.c
|
||||
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sandbox/seunshare.c 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sandbox/seunshare.c 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -0,0 +1,265 @@
|
||||
+#include <signal.h>
|
||||
+#include <sys/types.h>
|
||||
@ -2141,9 +2245,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+
|
||||
+ return status;
|
||||
+}
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.77/semanage/semanage
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
|
||||
--- nsapolicycoreutils/semanage/semanage 2009-11-18 17:06:03.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/semanage/semanage 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/semanage/semanage 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -32,23 +32,32 @@
|
||||
try:
|
||||
gettext.install(PROGNAME,
|
||||
@ -2472,9 +2576,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
process_args(mkargv(l))
|
||||
trans.finish()
|
||||
else:
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.77/semanage/seobject.py
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
|
||||
--- nsapolicycoreutils/semanage/seobject.py 2009-11-20 10:51:25.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/semanage/seobject.py 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/semanage/seobject.py 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -37,40 +37,6 @@
|
||||
|
||||
import syslog
|
||||
@ -3118,9 +3222,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
def list(self, heading = True, locallist = False, use_file = False):
|
||||
on_off = (_("off"), _("on"))
|
||||
if use_file:
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.77/semodule/semodule.8
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.78/semodule/semodule.8
|
||||
--- nsapolicycoreutils/semodule/semodule.8 2009-09-17 08:59:43.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/semodule/semodule.8 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/semodule/semodule.8 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -35,6 +35,12 @@
|
||||
.B \-b,\-\-base=MODULE_PKG
|
||||
install/replace base module package
|
||||
@ -3134,9 +3238,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
.B \-r,\-\-remove=MODULE_NAME
|
||||
remove existing module
|
||||
.TP
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.77/semodule/semodule.c
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.78/semodule/semodule.c
|
||||
--- nsapolicycoreutils/semodule/semodule.c 2009-09-17 08:59:43.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/semodule/semodule.c 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/semodule/semodule.c 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -22,12 +22,12 @@
|
||||
|
||||
#include <semanage/modules.h>
|
||||
@ -3254,9 +3358,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
semanage_module_info_datum_destroy
|
||||
(m);
|
||||
}
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.77/setfiles/restore.c
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.78/setfiles/restore.c
|
||||
--- nsapolicycoreutils/setfiles/restore.c 2009-11-03 09:21:40.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/setfiles/restore.c 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/setfiles/restore.c 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -303,6 +303,12 @@
|
||||
FTS *fts_handle;
|
||||
FTSENT *ftsent;
|
||||
@ -3270,9 +3374,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
|
||||
if (fts_handle == NULL) {
|
||||
fprintf(stderr,
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.77/setfiles/restorecon.8
|
||||
@@ -374,6 +380,7 @@
|
||||
} else {
|
||||
rc = lstat(name, &sb);
|
||||
if (rc < 0) {
|
||||
+ if (r_opts->ignore_enoent && errno == ENOENT) return 0;
|
||||
fprintf(stderr, "%s: lstat(%s) failed: %s\n",
|
||||
r_opts->progname, name, strerror(errno));
|
||||
return -1;
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.78/setfiles/restorecon.8
|
||||
--- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/setfiles/restorecon.8 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/setfiles/restorecon.8 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -4,10 +4,10 @@
|
||||
|
||||
.SH "SYNOPSIS"
|
||||
@ -3296,9 +3408,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
.TP
|
||||
.B \-v
|
||||
show changes in file labels.
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.77/setfiles/setfiles.8
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.78/setfiles/restore.h
|
||||
--- nsapolicycoreutils/setfiles/restore.h 2009-11-03 09:21:40.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/setfiles/restore.h 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -27,6 +27,7 @@
|
||||
int hard_links;
|
||||
int verbose;
|
||||
int logging;
|
||||
+ int ignore_enoent;
|
||||
char *rootpath;
|
||||
int rootpathlen;
|
||||
char *progname;
|
||||
Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.78/setfiles/restore.o differ
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.78/setfiles/setfiles.8
|
||||
--- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/setfiles/setfiles.8 2009-11-24 10:27:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/setfiles/setfiles.8 2009-12-08 17:05:49.000000000 -0500
|
||||
@@ -31,6 +31,9 @@
|
||||
.TP
|
||||
.B \-n
|
||||
@ -3309,10 +3433,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
.TP
|
||||
.B \-q
|
||||
suppress non-error output.
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.77/setfiles/setfiles.c
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.78/setfiles/setfiles.c
|
||||
--- nsapolicycoreutils/setfiles/setfiles.c 2009-11-03 09:21:40.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/setfiles/setfiles.c 2009-11-24 10:27:27.000000000 -0500
|
||||
@@ -44,13 +44,13 @@
|
||||
+++ policycoreutils-2.0.78/setfiles/setfiles.c 2009-12-09 16:28:55.000000000 -0500
|
||||
@@ -25,7 +25,6 @@
|
||||
static int warn_no_match = 0;
|
||||
static int null_terminated = 0;
|
||||
static int errors;
|
||||
-static int ignore_enoent;
|
||||
static struct restore_opts r_opts;
|
||||
|
||||
#define STAT_BLOCK_SIZE 1
|
||||
@@ -44,13 +43,13 @@
|
||||
{
|
||||
if (iamrestorecon) {
|
||||
fprintf(stderr,
|
||||
@ -3328,7 +3460,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
name);
|
||||
}
|
||||
exit(1);
|
||||
@@ -371,7 +371,7 @@
|
||||
@@ -335,7 +334,7 @@
|
||||
r_opts.debug = 1;
|
||||
break;
|
||||
case 'i':
|
||||
- ignore_enoent = 1;
|
||||
+ r_opts.ignore_enoent = 1;
|
||||
break;
|
||||
case 'l':
|
||||
r_opts.logging = 1;
|
||||
@@ -371,7 +370,7 @@
|
||||
break;
|
||||
}
|
||||
if (optind + 1 >= argc) {
|
||||
@ -3337,9 +3478,3 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
argv[0]);
|
||||
exit(1);
|
||||
}
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/VERSION policycoreutils-2.0.77/VERSION
|
||||
--- nsapolicycoreutils/VERSION 2009-12-01 15:46:50.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/VERSION 2009-11-20 10:51:25.000000000 -0500
|
||||
@@ -1 +1 @@
|
||||
-2.0.78
|
||||
+2.0.77
|
||||
|
@ -1,6 +1,62 @@
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
|
||||
--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:02:52.000000000 -0500
|
||||
@@ -32,6 +32,7 @@
|
||||
"""
|
||||
|
||||
import refpolicy
|
||||
+from selinux import audit2why
|
||||
|
||||
def is_idparam(id):
|
||||
"""Determine if an id is a paramater in the form $N, where N is
|
||||
@@ -85,6 +86,8 @@
|
||||
self.obj_class = None
|
||||
self.perms = refpolicy.IdSet()
|
||||
self.audit_msgs = []
|
||||
+ self.type = audit2why.TERULE
|
||||
+ self.bools = []
|
||||
|
||||
# The direction of the information flow represented by this
|
||||
# access vector - used for matching
|
||||
@@ -127,7 +130,7 @@
|
||||
return self.to_string()
|
||||
|
||||
def to_string(self):
|
||||
- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
|
||||
+ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
|
||||
self.obj_class, self.perms.to_space_str())
|
||||
|
||||
def __cmp__(self, other):
|
||||
@@ -253,20 +256,22 @@
|
||||
for av in l:
|
||||
self.add_av(AccessVector(av))
|
||||
|
||||
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
|
||||
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
|
||||
"""Add an access vector to the set.
|
||||
"""
|
||||
tgt = self.src.setdefault(src_type, { })
|
||||
cls = tgt.setdefault(tgt_type, { })
|
||||
|
||||
- if cls.has_key(obj_class):
|
||||
- access = cls[obj_class]
|
||||
+ if cls.has_key((obj_class, avc_type)):
|
||||
+ access = cls[obj_class, avc_type]
|
||||
else:
|
||||
access = AccessVector()
|
||||
access.src_type = src_type
|
||||
access.tgt_type = tgt_type
|
||||
access.obj_class = obj_class
|
||||
- cls[obj_class] = access
|
||||
+ access.bools = bools
|
||||
+ access.type = avc_type
|
||||
+ cls[obj_class, avc_type] = access
|
||||
|
||||
access.perms.update(perms)
|
||||
if audit_msg:
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
|
||||
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
|
||||
+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py 2009-11-24 10:27:28.000000000 -0500
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:02:17.000000000 -0500
|
||||
@@ -23,6 +23,27 @@
|
||||
|
||||
# Convenience functions
|
||||
@ -47,10 +103,153 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
|
||||
# Classes representing audit messages
|
||||
|
||||
class AuditMessage:
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py
|
||||
@@ -106,6 +138,7 @@
|
||||
if fields[0] == "path":
|
||||
self.path = fields[1][1:-1]
|
||||
return
|
||||
+import selinux.audit2why as audit2why
|
||||
|
||||
class AVCMessage(AuditMessage):
|
||||
"""AVC message representing an access denial or granted message.
|
||||
@@ -146,6 +179,8 @@
|
||||
self.path = ""
|
||||
self.accesses = []
|
||||
self.denial = True
|
||||
+ self.type = audit2why.TERULE
|
||||
+ self.bools = []
|
||||
|
||||
def __parse_access(self, recs, start):
|
||||
# This is kind of sucky - the access that is in a space separated
|
||||
@@ -205,7 +240,25 @@
|
||||
|
||||
if not found_src or not found_tgt or not found_class or not found_access:
|
||||
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
|
||||
-
|
||||
+ self.analyze()
|
||||
+
|
||||
+ def analyze(self):
|
||||
+ tcontext = self.tcontext.to_string()
|
||||
+ scontext = self.scontext.to_string()
|
||||
+ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
||||
+ if self.type == audit2why.NOPOLICY:
|
||||
+ raise ValueError("Must call policy_init first")
|
||||
+ if self.type == audit2why.BADTCON:
|
||||
+ raise ValueError("Invalid Target Context %s\n" % tcontext)
|
||||
+ if self.type == audit2why.BADSCON:
|
||||
+ raise ValueError("Invalid Source Context %s\n" % scontext)
|
||||
+ if self.type == audit2why.BADSCON:
|
||||
+ raise ValueError("Invalid Type Class %s\n" % self.tclass)
|
||||
+ if self.type == audit2why.BADPERM:
|
||||
+ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
|
||||
+ if self.type == audit2why.BADCOMPUTE:
|
||||
+ raise ValueError("Error during access vector computation")
|
||||
+
|
||||
class PolicyLoadMessage(AuditMessage):
|
||||
"""Audit message indicating that the policy was reloaded."""
|
||||
def __init__(self, message):
|
||||
@@ -285,6 +338,9 @@
|
||||
|
||||
def __initialize(self):
|
||||
self.avc_msgs = []
|
||||
+ self.constraint_msgs = []
|
||||
+ self.dontaudit_msgs = []
|
||||
+ self.rbac_msgs = []
|
||||
self.compute_sid_msgs = []
|
||||
self.invalid_msgs = []
|
||||
self.policy_load_msgs = []
|
||||
@@ -314,7 +370,7 @@
|
||||
elif i == "security_compute_sid:":
|
||||
msg = ComputeSidMessage(line)
|
||||
found = True
|
||||
- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
|
||||
+ elif i == "type=MAC_POLICY_LOAD":
|
||||
msg = PolicyLoadMessage(line)
|
||||
found = True
|
||||
elif i == "type=AVC_PATH":
|
||||
@@ -442,16 +498,17 @@
|
||||
audit logs parsed by this object.
|
||||
"""
|
||||
av_set = access.AccessVectorSet()
|
||||
+
|
||||
for avc in self.avc_msgs:
|
||||
if avc.denial != True and only_denials:
|
||||
continue
|
||||
if avc_filter:
|
||||
if avc_filter.filter(avc):
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
- avc.accesses, avc)
|
||||
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||
else:
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
- avc.accesses, avc)
|
||||
+ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||
return av_set
|
||||
|
||||
class AVCTypeFilter:
|
||||
@@ -477,5 +534,3 @@
|
||||
if self.regex.match(avc.tcontext.type):
|
||||
return True
|
||||
return False
|
||||
-
|
||||
-
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
|
||||
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-08 17:03:16.000000000 -0500
|
||||
@@ -29,6 +29,8 @@
|
||||
import access
|
||||
import interfaces
|
||||
import matching
|
||||
+import selinux.audit2why as audit2why
|
||||
+from setools import *
|
||||
|
||||
# Constants for the level of explanation from the generation
|
||||
# routines
|
||||
@@ -74,7 +76,7 @@
|
||||
self.moduel = module
|
||||
else:
|
||||
self.module = refpolicy.Module()
|
||||
-
|
||||
+ self.domains = None
|
||||
def set_gen_refpol(self, if_set=None, perm_maps=None):
|
||||
"""Set whether reference policy interfaces are generated.
|
||||
|
||||
@@ -144,8 +146,32 @@
|
||||
def __add_allow_rules(self, avs):
|
||||
for av in avs:
|
||||
rule = refpolicy.AVRule(av)
|
||||
+ rule.comment = ""
|
||||
if self.explain:
|
||||
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
|
||||
+ if av.type == audit2why.DONTAUDIT:
|
||||
+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
|
||||
+ if av.type == audit2why.BOOLEAN:
|
||||
+ if len(av.bools) > 1:
|
||||
+ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
|
||||
+ else:
|
||||
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
|
||||
+
|
||||
+ if av.type == audit2why.CONSTRAINT:
|
||||
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||
+ if av.type == audit2why.TERULE:
|
||||
+ if "open" in av.perms and "write" in av.perms:
|
||||
+ if not self.domains:
|
||||
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
|
||||
+ types=[]
|
||||
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
|
||||
+ if i not in self.domains:
|
||||
+ types.append(i)
|
||||
+ if len(types) == 1:
|
||||
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ elif len(types) >= 1:
|
||||
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+
|
||||
self.module.children.append(rule)
|
||||
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
|
||||
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
|
||||
+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-11-24 10:27:28.000000000 -0500
|
||||
@@ -973,7 +919,7 @@
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:01:22.000000000 -0500
|
||||
@@ -973,7 +973,7 @@
|
||||
def list_headers(root):
|
||||
modules = []
|
||||
support_macros = None
|
||||
@ -59,3 +258,35 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
||||
|
||||
for dirpath, dirnames, filenames in os.walk(root):
|
||||
for name in filenames:
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
|
||||
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
|
||||
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:02:00.000000000 -0500
|
||||
@@ -398,6 +398,7 @@
|
||||
return "attribute %s;" % self.name
|
||||
|
||||
# Classes representing rules
|
||||
+import selinux.audit2why as audit2why
|
||||
|
||||
class AVRule(Leaf):
|
||||
"""SELinux access vector (AV) rule.
|
||||
@@ -426,15 +427,17 @@
|
||||
self.tgt_types = IdSet()
|
||||
self.obj_classes = IdSet()
|
||||
self.perms = IdSet()
|
||||
- self.rule_type = self.ALLOW
|
||||
+ self.rule_type = audit2why.TERULE
|
||||
if av:
|
||||
self.from_av(av)
|
||||
|
||||
def __rule_type_str(self):
|
||||
- if self.rule_type == self.ALLOW:
|
||||
+ if self.rule_type == audit2why.TERULE:
|
||||
return "allow"
|
||||
- elif self.rule_type == self.DONTAUDIT:
|
||||
+ elif self.rule_type == audit2why.DONTAUDIT:
|
||||
return "dontaudit"
|
||||
+ elif self.rule_type == audit2why.CONSTRAINT:
|
||||
+ return "#constraint allow"
|
||||
else:
|
||||
return "auditallow"
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.78
|
||||
Release: 1%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
@ -296,6 +296,12 @@ fi
|
||||
exit 0
|
||||
|
||||
%changelog
|
||||
* Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
|
||||
- Fix audit2allow to report constraints, dontaudits, types, booleans
|
||||
|
||||
* Fri Dec 4 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-2
|
||||
- Fix restorecon -i to ignore enoent
|
||||
|
||||
* Tue Dec 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-1
|
||||
- Update to upstream
|
||||
* Remove non-working OUTFILE from fixfiles from Dan Walsh.
|
||||
|
Loading…
Reference in New Issue
Block a user