From 7d197203b0ca6064ea11801ac46e9dd73e594f6a Mon Sep 17 00:00:00 2001 From: rhatdan Date: Mon, 29 Oct 2012 12:38:36 -0400 Subject: [PATCH] Redesign sepolicy to only read the policy file once, not for every call --- policycoreutils-rhat.patch | 185 ++++++++++------------------------ policycoreutils.spec | 5 +- selinux-polgengui.desktop | 1 + system-config-selinux.desktop | 1 + 4 files changed, 61 insertions(+), 131 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index b414792..91644b3 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -335989,7 +335989,7 @@ index 0000000..378eac2 +build diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile new file mode 100644 -index 0000000..6767e53 +index 0000000..af8cb8a --- /dev/null +++ b/policycoreutils/sepolicy/Makefile @@ -0,0 +1,31 @@ @@ -336010,7 +336010,7 @@ index 0000000..6767e53 + +all: python-build + -+python-build: info.c search.c common.h ++python-build: info.c search.c common.h policy.h policy.c + $(PYTHON) setup.py build + +clean: @@ -336082,10 +336082,10 @@ index 0000000..dc3ce6a + diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c new file mode 100644 -index 0000000..f4cc0b0 +index 0000000..18aa555 --- /dev/null +++ b/policycoreutils/sepolicy/info.c -@@ -0,0 +1,928 @@ +@@ -0,0 +1,895 @@ +/** + * @file + * Command line tool to search TE rules. @@ -336119,9 +336119,9 @@ index 0000000..f4cc0b0 + */ + +#include "common.h" ++#include "policy.h" + +/* libapol */ -+#include +#include +#include +#include 
@@ -336937,76 +336937,43 @@ index 0000000..f4cc0b0 + return list; +} + -+PyObject* info( const char *policy_file, int type, const char *name) ++PyObject* info( int type, const char *name) +{ + PyObject* output = NULL; -+ apol_policy_t *policydb = NULL; -+ apol_policy_path_t *pol_path = NULL; -+ apol_vector_t *mod_paths = NULL; -+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC; -+ -+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths); -+ if (!pol_path) { -+ apol_vector_destroy(&mod_paths); -+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM)); -+ return NULL; -+ } -+ apol_vector_destroy(&mod_paths); -+ -+ int policy_load_options = 0; -+ policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM; -+ policydb = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL); -+ if (!policydb) { -+ apol_policy_path_destroy(&pol_path); -+ PyErr_SetString(PyExc_RuntimeError,strerror(errno)); -+ return NULL; -+ } + + /* display requested info */ + if (type == TYPE) -+ output = get_types(name, policydb); ++ output = get_types(name, policy); + + if (type == ATTRIBUTE) -+ output = get_attribs(name, policydb); ++ output = get_attribs(name, policy); + + if (type == ROLE) -+ output = get_roles(name, policydb); ++ output = get_roles(name, policy); + + if (type == USER) -+ output = get_users(name, policydb); ++ output = get_users(name, policy); + + if (type == BOOLEAN) -+ output = get_booleans(name, policydb); ++ output = get_booleans(name, policy); + + if (type == PORT) -+ output = get_ports(name, policydb); ++ output = get_ports(name, policy); + -+ apol_policy_destroy(&policydb); -+ apol_policy_path_destroy(&pol_path); + return output; +} + +PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){ + unsigned int type; + char *name; -+ const char *policy_file; + -+ if (!PyArg_ParseTuple(args, "ziz", &policy_file, &type, &name)) ++ if (!PyArg_ParseTuple(args, "iz", &type, &name)) + return NULL; + -+ return 
Py_BuildValue("N",info(policy_file, type, name)); -+ ++ return Py_BuildValue("N",info(type, name)); +} + -+static PyMethodDef methods[] = { -+ {"info", (PyCFunction) wrap_info, METH_VARARGS, -+ "Return SELinux polcy info about types, attributes, roles, users"}, -+ {NULL, NULL, 0, NULL} -+}; -+ -+void init_info(){ -+ PyObject *m; -+ m = Py_InitModule("_info", methods); ++void init_info (PyObject *m) { + PyModule_AddIntConstant(m, "ATTRIBUTE", ATTRIBUTE); + PyModule_AddIntConstant(m, "PORT", PORT); + PyModule_AddIntConstant(m, "ROLE", ROLE); @@ -337016,10 +336983,10 @@ index 0000000..f4cc0b0 +} diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c new file mode 100644 -index 0000000..c98e4cf +index 0000000..c1d9411 --- /dev/null +++ b/policycoreutils/sepolicy/search.c -@@ -0,0 +1,1007 @@ +@@ -0,0 +1,967 @@ +// Author: Thomas Liu + +/** @@ -337057,9 +337024,9 @@ index 0000000..c98e4cf + */ + +#include "common.h" ++#include "policy.h" + +/* libapol */ -+#include +#include +#include +#include @@ -337805,8 +337772,7 @@ index 0000000..c98e4cf + return output; +} + -+PyObject* search(const char *policy_file, -+ bool allow, ++PyObject* search(bool allow, + bool neverallow, + bool auditallow, + bool dontaudit, @@ -337820,11 +337786,7 @@ index 0000000..c98e4cf +{ + options_t cmd_opts; + PyObject *output = NULL; -+ apol_policy_t *policy = NULL; + apol_vector_t *v = NULL; -+ apol_policy_path_t *pol_path = NULL; -+ apol_vector_t *mod_paths = NULL; -+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC; + + memset(&cmd_opts, 0, sizeof(cmd_opts)); + cmd_opts.indirect = true; 
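Review bot: `info()` now hands the shared `policy` handle to `get_types(name, policy)` and the other `get_*` helpers without checking that a policy has actually been loaded; the handle's declaration and whatever `_policy.policy()` does on a failed load are outside this hunk, so if it can be NULL (never loaded, or reset after a failure) every `info()` call dereferences NULL and takes the interpreter down instead of raising. A guard at the top of `info()`, `if (!policy) { PyErr_SetString(PyExc_RuntimeError, "policy not loaded"); return NULL; }`, keeps the failure in Python where `wrap_info` already propagates it. The module init that calls `init_info(m)` and the definition of `policy` are not part of this hunk.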
@@ -337850,28 +337812,6 @@ index 0000000..c98e4cf + + pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM; + -+ if (apol_file_is_policy_path_list(policy_file) > 0) { -+ pol_path = apol_policy_path_create_from_file(policy_file); -+ if (!pol_path) { -+ PyErr_SetString(PyExc_RuntimeError,"invalid policy list"); -+ return NULL; -+ } -+ } -+ -+ if (!pol_path) -+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths); -+ if (!pol_path) { -+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM)); -+ return NULL; -+ } -+ apol_vector_destroy(&mod_paths); -+ -+ policy = apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL); -+ if (!policy) { -+ apol_policy_path_destroy(&pol_path); -+ PyErr_SetString(PyExc_RuntimeError,strerror(errno)); -+ return NULL; -+ } + /* handle regex for class name */ + if (cmd_opts.useregex && cmd_opts.class_name != NULL) { + cmd_opts.class_vector = apol_vector_create(NULL); @@ -337965,8 +337905,6 @@ index 0000000..c98e4cf + apol_vector_destroy(&v); + + cleanup: -+ apol_policy_destroy(&policy); -+ apol_policy_path_destroy(&pol_path); + free(cmd_opts.src_name); + free(cmd_opts.tgt_name); + free(cmd_opts.class_name); 
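Review bot: `pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;` at the top of the hunk is still assigned but, as far as this hunk shows, never read: the `apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL)` call that consumed it is among the removed lines, and `search()` no longer opens the policy itself. Unless policy.c picks it up (not visible here), that line and the `pol_opt` declaration earlier in `search()` are dead and should go, so the load options live in one place; if it is kept on purpose, a comment such as `/* pol_opt is unused here: the policy is opened once by _policy.policy() */` stops the next reader from re-adding a per-call load. The later uses of the shared `policy` handle in `search()` are outside this hunk, and nothing visible here verifies the handle is non-NULL before they run.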
@@ -338013,19 +337951,8 @@ index 0000000..c98e4cf + const char *tgt_name = Dict_ContainsString(dict, "target"); + const char *class_name = Dict_ContainsString(dict, "class"); + const char *permlist = Dict_ContainsString(dict, "permlist"); -+ const char *policy_path = Dict_ContainsString(dict, "policy"); + -+ return Py_BuildValue("N",search(policy_path, allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist)); -+} -+ -+static PyMethodDef methods[] = { -+ {"search", (PyCFunction) wrap_search, METH_VARARGS, -+ "Search SELinux Policy for allow, neverallow, auditallow, dontaudit and transition records"}, -+ {NULL, NULL, 0, NULL} /* sentinel */ -+}; -+ -+void init_search(void){ -+ (void) Py_InitModule("_search", methods); ++ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist)); +} diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh new file mode 100644 @@ -338818,25 +338745,24 @@ index 0000000..9f96fd5 + sys.exit(1) diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py new file mode 100644 -index 0000000..fbd011c +index 0000000..22c0724 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/__init__.py -@@ -0,0 +1,91 @@ +@@ -0,0 +1,87 @@ +#!/usr/bin/env python + +# Author: Thomas Liu +# Author: Dan Walsh + -+import _search -+import _info ++import _policy +import selinux + -+TYPE = _info.TYPE -+ROLE = _info.ROLE -+ATTRIBUTE = _info.ATTRIBUTE -+PORT = _info.PORT -+USER = _info.USER -+BOOLEAN = _info.BOOLEAN ++TYPE = _policy.TYPE ++ROLE = _policy.ROLE ++ATTRIBUTE = _policy.ATTRIBUTE ++PORT = _policy.PORT ++USER = _policy.USER ++BOOLEAN = _policy.BOOLEAN + +ALLOW = 'allow' +AUDITALLOW = 'auditallow' 
@@ -338849,7 +338775,11 @@ index 0000000..fbd011c +TRANSITION = 'transition' +ROLE_ALLOW = 'role_allow' + ++def policy(policy_file): ++ _policy.policy(policy_file) ++ +policy_file = selinux.selinux_current_policy_path() ++policy(policy_file) + +def search(types, info = {} ): + valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] @@ -338863,8 +338793,7 @@ index 0000000..fbd011c + perms = info[PERMS] + info[PERMS] = ",".join(info[PERMS]) + -+ info["policy"] = policy_file -+ dict_list = _search.search(info) ++ dict_list = _policy.search(info) + if dict_list and len(perms) != 0: + dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) + return dict_list @@ -338876,14 +338805,9 @@ index 0000000..fbd011c + return True + +def info(setype, name=None): -+ global policy_file -+ dict_list = _info.info(policy_file, setype, name) ++ dict_list = _policy.info(setype, name) + return dict_list + -+def policy(alt_policy_file): -+ global policy_file -+ policy_file = alt_policy_file -+ +def _gen_boolens_dict(): + import xml.etree.ElementTree + import re @@ -338912,7 +338836,6 @@ index 0000000..fbd011c + pass + return booleans_dict +booleans_dict = _gen_boolens_dict() -+ diff --git a/policycoreutils/sepolicy/sepolicy/booleans.py b/policycoreutils/sepolicy/sepolicy/booleans.py new file mode 100644 index 0000000..c23cb11 @@ -340308,10 +340231,10 @@ index 0000000..93b0762 + return out diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py new file mode 100755 -index 0000000..2446be1 +index 0000000..7a07b5a --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/manpage.py -@@ -0,0 +1,1273 @@ +@@ -0,0 +1,1279 @@ +#! /usr/bin/python -Es +# Copyright (C) 2012 Red Hat +# AUTHOR: Dan Walsh @@ -340347,7 +340270,6 @@ index 0000000..2446be1 +import sys, os, re, time + +equiv_dict={ "smbd" : "samba", "httpd" : "apache" } -+ +def _gen_modules_dict(): + import xml.etree.ElementTree + modules_dict = {} 
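Review bot: The new `policy()` wrapper leaves the module-level `policy_file` stale: the old `policy()` removed later in this file kept it current through `global policy_file`, whereas this one only forwards to `_policy.policy()`, so after a caller switches policies `sepolicy.policy_file` still names the file loaded at import. Because the parameter shadows the global, the wrapper cannot simply declare `global policy_file`; either rename the parameter, e.g. `def policy(path):` / `global policy_file; policy_file = path` / `_policy.policy(path)`, or stop exporting `policy_file` altogether. Separately, the `policy(policy_file)` call at import time runs the native loader with whatever `selinux.selinux_current_policy_path()` returns, which may be `None` on a host without an active policy; how `_policy.policy(None)` behaves is outside this patch, so either skip the load when the path is `None` or add a comment stating that importing `sepolicy` is expected to fail in that case.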
@@ -340367,7 +340289,7 @@ index 0000000..2446be1 + except IOError, e: + pass + return modules_dict -+modules_dict = _gen_modules_dict() ++modules_dict = None + +all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE)) +entrypoints = sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"] @@ -340767,10 +340689,16 @@ index 0000000..2446be1 + """ + def __init__(self, domainname, path = "/tmp", html = False): + self.html = html -+ self.domainname = domainname -+ self.short_name = domainname ++ if domainname.endswith("_t"): ++ self.domainname = domainname[:-2] ++ else: ++ self.domainname = domainname ++ ++ if self.domainname + "_t" not in alldomains: ++ raise ValueError("domain %s_t does not exist" % self.domainname) ++ self.short_name = self.domainname + self.type = self.domainname + "_t" -+ self.man_page_path = "%s/%s_selinux.8" % (path, domainname) ++ self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname) + self.fd = open(self.man_page_path, 'w') + if domainname in roles: + self.__gen_user_man_page() @@ -340787,7 +340715,8 @@ index 0000000..2446be1 + + def __gen_user_man_page(self): + self.role = self.domainname + "_r" -+ ++ if not modules_dict: ++ modules_dict = _gen_modules_dict() + try: + self.desc = modules_dict[self.domainname] + except: @@ -344111,26 +344040,22 @@ index 0000000..72f5f65 + return slist diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py new file mode 100644 -index 0000000..46a8415 +index 0000000..ec9c071 --- /dev/null 
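Review bot: In `ManPage.__init__` the user-domain dispatch on the line after the new validation still tests the raw `domainname` against `roles`, while the rest of the constructor now uses the `_t`-stripped `self.domainname`; if `roles` holds bare names (not visible in this hunk), a caller passing `staff_t` passes the `alldomains` check but silently gets the non-user man page. Changing it to `if self.domainname in roles:` keeps the two paths consistent. Since the `alldomains` membership check now runs before `man_page_path` is built, a `domainname` that is not a real policy type can no longer reach the `open()`; a one-line comment on the check, `# rejects anything that is not a known domain before it is used in a file path`, would record that this validation is load-bearing. The remainder of `__init__` and the contents of `alldomains` and `roles` are outside this hunk.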
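Review bot: The lazy initialisation added at the top of `__gen_user_man_page` raises `UnboundLocalError` on every call: because the method assigns `modules_dict = _gen_modules_dict()`, Python treats `modules_dict` as a local of the method, so the preceding `if not modules_dict:` reads a local that has not been bound yet and never sees the module-level `modules_dict = None` introduced earlier in this patch. Add `global modules_dict` as the first statement of the method, before the `if`. The rest of the method and `_gen_modules_dict` itself lie outside this hunk.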
+++ b/policycoreutils/sepolicy/setup.py -@@ -0,0 +1,16 @@ +@@ -0,0 +1,12 @@ +#!/usr/bin/env python + +# Author: Thomas Liu +# Author: Dan Walsh +import os +from distutils.core import setup, Extension -+info = Extension("sepolicy._info", -+ libraries=["apol", "qpol"], -+ sources=[ "info.c"] -+) -+search = Extension("sepolicy._search", -+ libraries=["apol", "qpol"], -+ sources=[ "search.c"] ++policy = Extension("sepolicy._policy", ++ libraries=["apol", "qpol"], ++ sources=[ "policy.c", "info.c", "search.c"] +) + -+setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[info, search], packages=["sepolicy", "sepolicy.templates"]) ++setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[policy], packages=["sepolicy", "sepolicy.templates"]) diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c index 4c62b41..01fc818 100644 --- a/policycoreutils/setfiles/restore.c diff --git a/policycoreutils.spec b/policycoreutils.spec index 46b4605..c6cfad7 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.13 -Release: 20%{?dist} +Release: 21%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Mon Oct 29 2012 Dan Walsh - 2.1.12-21 +- Redesign sepolicy to only read the policy file once, not for every call + * Mon Oct 29 2012 Dan Walsh - 2.1.12-20 - Fixes to sepolicy transition, allow it to list all transitions from a domain diff --git a/selinux-polgengui.desktop b/selinux-polgengui.desktop index bbcb18f..9ca9bb6 100644 
--- a/selinux-polgengui.desktop
+++ b/selinux-polgengui.desktop
@@ -64,3 +64,4 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
+_Keywords=policy,security,selinux,avc,permission,mac
diff --git a/system-config-selinux.desktop b/system-config-selinux.desktop
index befdb23..55aae1e 100644
--- a/system-config-selinux.desktop
+++ b/system-config-selinux.desktop
@@ -64,3 +64,4 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
+_Keywords=policy,security,selinux,avc,permission,mac