rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Redesign sepolicy to only read the policy file once, not for every call

Browse Source
This commit is contained in:
rhatdan 2012-10-29 12:38:36 -04:00
parent 7e71323398
commit 7d197203b0
4 changed files with 61 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
policycoreutils-rhat.patch
View File

@ -335989,7 +335989,7 @@ index 0000000..378eac2
+build
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
new file mode 100644
index 0000000..6767e53
index 0000000..af8cb8a
--- /dev/null
+++ b/policycoreutils/sepolicy/Makefile
@@ -0,0 +1,31 @@
@ -336010,7 +336010,7 @@ index 0000000..6767e53
+
+all: python-build
+
+python-build: info.c search.c common.h
+python-build: info.c search.c common.h policy.h policy.c
+ $(PYTHON) setup.py build
+
+clean:
@ -336082,10 +336082,10 @@ index 0000000..dc3ce6a
+
diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
new file mode 100644
index 0000000..f4cc0b0
index 0000000..18aa555
--- /dev/null
+++ b/policycoreutils/sepolicy/info.c
@@ -0,0 +1,928 @@
@@ -0,0 +1,895 @@
+/**
+ * @file
+ * Command line tool to search TE rules.
@ -336119,9 +336119,9 @@ index 0000000..f4cc0b0
+ */
+
+#include "common.h"
+#include "policy.h"
+
+/* libapol */
+#include <apol/policy.h>
+#include <apol/policy-query.h>
+#include <apol/render.h>
+#include <apol/util.h>
@ -336937,76 +336937,43 @@ index 0000000..f4cc0b0
+ return list;
+}
+
+PyObject* info( const char *policy_file, int type, const char *name)
+PyObject* info( int type, const char *name)
+{
+ PyObject* output = NULL;
+ apol_policy_t *policydb = NULL;
+ apol_policy_path_t *pol_path = NULL;
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+
+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
+ if (!pol_path) {
+ apol_vector_destroy(&mod_paths);
+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
+ return NULL;
+ }
+ apol_vector_destroy(&mod_paths);
+
+ int policy_load_options = 0;
+ policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+ policydb = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
+ if (!policydb) {
+ apol_policy_path_destroy(&pol_path);
+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+ return NULL;
+ }
+
+ /* display requested info */
+ if (type == TYPE)
+ output = get_types(name, policydb);
+ output = get_types(name, policy);
+
+ if (type == ATTRIBUTE)
+ output = get_attribs(name, policydb);
+ output = get_attribs(name, policy);
+
+ if (type == ROLE)
+ output = get_roles(name, policydb);
+ output = get_roles(name, policy);
+
+ if (type == USER)
+ output = get_users(name, policydb);
+ output = get_users(name, policy);
+
+ if (type == BOOLEAN)
+ output = get_booleans(name, policydb);
+ output = get_booleans(name, policy);
+
+ if (type == PORT)
+ output = get_ports(name, policydb);
+ output = get_ports(name, policy);
+
+ apol_policy_destroy(&policydb);
+ apol_policy_path_destroy(&pol_path);
+ return output;
+}
+
+PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
+ unsigned int type;
+ char *name;
+ const char *policy_file;
+
+ if (!PyArg_ParseTuple(args, "ziz", &policy_file, &type, &name))
+ if (!PyArg_ParseTuple(args, "iz", &type, &name))
+ return NULL;
+
+ return Py_BuildValue("N",info(policy_file, type, name));
+
+ return Py_BuildValue("N",info(type, name));
+}
+
+static PyMethodDef methods[] = {
+ {"info", (PyCFunction) wrap_info, METH_VARARGS,
+ "Return SELinux polcy info about types, attributes, roles, users"},
+ {NULL, NULL, 0, NULL}
+};
+
+void init_info(){
+ PyObject *m;
+ m = Py_InitModule("_info", methods);
+void init_info (PyObject *m) {
+ PyModule_AddIntConstant(m, "ATTRIBUTE", ATTRIBUTE);
+ PyModule_AddIntConstant(m, "PORT", PORT);
+ PyModule_AddIntConstant(m, "ROLE", ROLE);
@ -337016,10 +336983,10 @@ index 0000000..f4cc0b0
+}
diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
new file mode 100644
index 0000000..c98e4cf
index 0000000..c1d9411
--- /dev/null
+++ b/policycoreutils/sepolicy/search.c
@@ -0,0 +1,1007 @@
@@ -0,0 +1,967 @@
+// Author: Thomas Liu <tliu@redhat.com>
+
+/**
@ -337057,9 +337024,9 @@ index 0000000..c98e4cf
+ */
+
+#include "common.h"
+#include "policy.h"
+
+/* libapol */
+#include <apol/policy.h>
+#include <apol/policy-query.h>
+#include <apol/render.h>
+#include <apol/util.h>
@ -337805,8 +337772,7 @@ index 0000000..c98e4cf
+ return output;
+}
+
+PyObject* search(const char *policy_file,
+ bool allow,
+PyObject* search(bool allow,
+ bool neverallow,
+ bool auditallow,
+ bool dontaudit,
@ -337820,11 +337786,7 @@ index 0000000..c98e4cf
+{
+ options_t cmd_opts;
+ PyObject *output = NULL;
+ apol_policy_t *policy = NULL;
+ apol_vector_t *v = NULL;
+ apol_policy_path_t *pol_path = NULL;
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+
+ memset(&cmd_opts, 0, sizeof(cmd_opts));
+ cmd_opts.indirect = true;
@ -337850,28 +337812,6 @@ index 0000000..c98e4cf
+
+ pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+
+ if (apol_file_is_policy_path_list(policy_file) > 0) {
+ pol_path = apol_policy_path_create_from_file(policy_file);
+ if (!pol_path) {
+ PyErr_SetString(PyExc_RuntimeError,"invalid policy list");
+ return NULL;
+ }
+ }
+
+ if (!pol_path)
+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
+ if (!pol_path) {
+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
+ return NULL;
+ }
+ apol_vector_destroy(&mod_paths);
+
+ policy = apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL);
+ if (!policy) {
+ apol_policy_path_destroy(&pol_path);
+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+ return NULL;
+ }
+ /* handle regex for class name */
+ if (cmd_opts.useregex && cmd_opts.class_name != NULL) {
+ cmd_opts.class_vector = apol_vector_create(NULL);
@ -337965,8 +337905,6 @@ index 0000000..c98e4cf
+ apol_vector_destroy(&v);
+
+ cleanup:
+ apol_policy_destroy(&policy);
+ apol_policy_path_destroy(&pol_path);
+ free(cmd_opts.src_name);
+ free(cmd_opts.tgt_name);
+ free(cmd_opts.class_name);
@ -338013,19 +337951,8 @@ index 0000000..c98e4cf
+ const char *tgt_name = Dict_ContainsString(dict, "target");
+ const char *class_name = Dict_ContainsString(dict, "class");
+ const char *permlist = Dict_ContainsString(dict, "permlist");
+ const char *policy_path = Dict_ContainsString(dict, "policy");
+
+ return Py_BuildValue("N",search(policy_path, allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
+}
+
+static PyMethodDef methods[] = {
+ {"search", (PyCFunction) wrap_search, METH_VARARGS,
+ "Search SELinux Policy for allow, neverallow, auditallow, dontaudit and transition records"},
+ {NULL, NULL, 0, NULL} /* sentinel */
+};
+
+void init_search(void){
+ (void) Py_InitModule("_search", methods);
+ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
+}
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
new file mode 100644
@ -338818,25 +338745,24 @@ index 0000000..9f96fd5
+ sys.exit(1)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
new file mode 100644
index 0000000..fbd011c
index 0000000..22c0724
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -0,0 +1,91 @@
@@ -0,0 +1,87 @@
+#!/usr/bin/env python
+
+# Author: Thomas Liu <tliu@redhat.com>
+# Author: Dan Walsh <dwalsh@redhat.com>
+
+import _search
+import _info
+import _policy
+import selinux
+
+TYPE = _info.TYPE
+ROLE = _info.ROLE
+ATTRIBUTE = _info.ATTRIBUTE
+PORT = _info.PORT
+USER = _info.USER
+BOOLEAN = _info.BOOLEAN
+TYPE = _policy.TYPE
+ROLE = _policy.ROLE
+ATTRIBUTE = _policy.ATTRIBUTE
+PORT = _policy.PORT
+USER = _policy.USER
+BOOLEAN = _policy.BOOLEAN
+
+ALLOW = 'allow'
+AUDITALLOW = 'auditallow'
@ -338849,7 +338775,11 @@ index 0000000..fbd011c
+TRANSITION = 'transition'
+ROLE_ALLOW = 'role_allow'
+
+def policy(policy_file):
+ _policy.policy(policy_file)
+
+policy_file = selinux.selinux_current_policy_path()
+policy(policy_file)
+
+def search(types, info = {} ):
+ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
@ -338863,8 +338793,7 @@ index 0000000..fbd011c
+ perms = info[PERMS]
+ info[PERMS] = ",".join(info[PERMS])
+
+ info["policy"] = policy_file
+ dict_list = _search.search(info)
+ dict_list = _policy.search(info)
+ if dict_list and len(perms) != 0:
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
+ return dict_list
@ -338876,14 +338805,9 @@ index 0000000..fbd011c
+ return True
+
+def info(setype, name=None):
+ global policy_file
+ dict_list = _info.info(policy_file, setype, name)
+ dict_list = _policy.info(setype, name)
+ return dict_list
+
+def policy(alt_policy_file):
+ global policy_file
+ policy_file = alt_policy_file
+
+def _gen_boolens_dict():
+ import xml.etree.ElementTree
+ import re
@ -338912,7 +338836,6 @@ index 0000000..fbd011c
+ pass
+ return booleans_dict
+booleans_dict = _gen_boolens_dict()
+
diff --git a/policycoreutils/sepolicy/sepolicy/booleans.py b/policycoreutils/sepolicy/sepolicy/booleans.py
new file mode 100644
index 0000000..c23cb11
@ -340308,10 +340231,10 @@ index 0000000..93b0762
+ return out
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
new file mode 100755
index 0000000..2446be1
index 0000000..7a07b5a
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -0,0 +1,1273 @@
@@ -0,0 +1,1279 @@
+#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat
+# AUTHOR: Dan Walsh <dwalsh@redhat.com>
@ -340347,7 +340270,6 @@ index 0000000..2446be1
+import sys, os, re, time
+
+equiv_dict={ "smbd" : "samba", "httpd" : "apache" }
+
+def _gen_modules_dict():
+ import xml.etree.ElementTree
+ modules_dict = {}
@ -340367,7 +340289,7 @@ index 0000000..2446be1
+ except IOError, e:
+ pass
+ return modules_dict
+modules_dict = _gen_modules_dict()
+modules_dict = None
+
+all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE))
+entrypoints = sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"]
@ -340767,10 +340689,16 @@ index 0000000..2446be1
+ """
+ def __init__(self, domainname, path = "/tmp", html = False):
+ self.html = html
+ self.domainname = domainname
+ self.short_name = domainname
+ if domainname.endswith("_t"):
+ self.domainname = domainname[:-2]
+ else:
+ self.domainname = domainname
+
+ if self.domainname + "_t" not in alldomains:
+ raise ValueError("domain %s_t does not exist" % self.domainname)
+ self.short_name = self.domainname
+ self.type = self.domainname + "_t"
+ self.man_page_path = "%s/%s_selinux.8" % (path, domainname)
+ self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
+ self.fd = open(self.man_page_path, 'w')
+ if domainname in roles:
+ self.__gen_user_man_page()
@ -340787,7 +340715,8 @@ index 0000000..2446be1
+
+ def __gen_user_man_page(self):
+ self.role = self.domainname + "_r"
+
+ if not modules_dict:
+ modules_dict = _gen_modules_dict()
+ try:
+ self.desc = modules_dict[self.domainname]
+ except:
@ -344111,26 +344040,22 @@ index 0000000..72f5f65
+ return slist
diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py
new file mode 100644
index 0000000..46a8415
index 0000000..ec9c071
--- /dev/null
+++ b/policycoreutils/sepolicy/setup.py
@@ -0,0 +1,16 @@
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+
+# Author: Thomas Liu <tliu@redhat.com>
+# Author: Dan Walsh <dwalsh@redhat.com>
+import os
+from distutils.core import setup, Extension
+info = Extension("sepolicy._info",
+ libraries=["apol", "qpol"],
+ sources=[ "info.c"]
+)
+search = Extension("sepolicy._search",
+ libraries=["apol", "qpol"],
+ sources=[ "search.c"]
+policy = Extension("sepolicy._policy",
+ libraries=["apol", "qpol"],
+ sources=[ "policy.c", "info.c", "search.c"]
+)
+
+setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[info, search], packages=["sepolicy", "sepolicy.templates"])
+setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[policy], packages=["sepolicy", "sepolicy.templates"])
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 4c62b41..01fc818 100644
--- a/policycoreutils/setfiles/restore.c

5
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.13
Release: 20%{?dist}
Release: 21%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-21
- Redesign sepolicy to only read the policy file once, not for every call
* Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-20
- Fixes to sepolicy transition, allow it to list all transitions from a domain

1
selinux-polgengui.desktop
View File

@ -64,3 +64,4 @@ Type=Application
Terminal=false
Categories=System;Security;
X-Desktop-File-Install-Version=0.2
_Keywords=policy,security,selinux,avc,permission,mac

1
system-config-selinux.desktop
View File

@ -64,3 +64,4 @@ Type=Application
Terminal=false
Categories=System;Security;
X-Desktop-File-Install-Version=0.2
_Keywords=policy,security,selinux,avc,permission,mac