rpms/policycoreutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Redesign sepolicy to only read the policy file once, not for every call

Browse Source
This commit is contained in:
rhatdan 2012-10-29 12:38:36 -04:00
parent 7e71323398
commit 7d197203b0
4 changed files with 61 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

185
policycoreutils-rhat.patch
View File

@ -335989,7 +335989,7 @@ index 0000000..378eac2
+build +build
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
new file mode 100644 new file mode 100644
index 0000000..6767e53 index 0000000..af8cb8a
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/Makefile +++ b/policycoreutils/sepolicy/Makefile
@@ -0,0 +1,31 @@ @@ -0,0 +1,31 @@
@ -336010,7 +336010,7 @@ index 0000000..6767e53
+ +
+all: python-build +all: python-build
+ +
+python-build: info.c search.c common.h +python-build: info.c search.c common.h policy.h policy.c
+ $(PYTHON) setup.py build + $(PYTHON) setup.py build
+ +
+clean: +clean:
@ -336082,10 +336082,10 @@ index 0000000..dc3ce6a
+ +
diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
new file mode 100644 new file mode 100644
index 0000000..f4cc0b0 index 0000000..18aa555
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/info.c +++ b/policycoreutils/sepolicy/info.c
@@ -0,0 +1,928 @@ @@ -0,0 +1,895 @@
+/** +/**
+ * @file + * @file
+ * Command line tool to search TE rules. + * Command line tool to search TE rules.
@ -336119,9 +336119,9 @@ index 0000000..f4cc0b0
+ */ + */
+ +
+#include "common.h" +#include "common.h"
+#include "policy.h"
+ +
+/* libapol */ +/* libapol */
+#include <apol/policy.h>
+#include <apol/policy-query.h> +#include <apol/policy-query.h>
+#include <apol/render.h> +#include <apol/render.h>
+#include <apol/util.h> +#include <apol/util.h>
@ -336937,76 +336937,43 @@ index 0000000..f4cc0b0
+ return list; + return list;
+} +}
+ +
+PyObject* info( const char *policy_file, int type, const char *name) +PyObject* info( int type, const char *name)
+{ +{
+ PyObject* output = NULL; + PyObject* output = NULL;
+ apol_policy_t *policydb = NULL;
+ apol_policy_path_t *pol_path = NULL;
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+
+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
+ if (!pol_path) {
+ apol_vector_destroy(&mod_paths);
+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
+ return NULL;
+ }
+ apol_vector_destroy(&mod_paths);
+
+ int policy_load_options = 0;
+ policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+ policydb = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
+ if (!policydb) {
+ apol_policy_path_destroy(&pol_path);
+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+ return NULL;
+ }
+ +
+ /* display requested info */ + /* display requested info */
+ if (type == TYPE) + if (type == TYPE)
+ output = get_types(name, policydb); + output = get_types(name, policy);
+ +
+ if (type == ATTRIBUTE) + if (type == ATTRIBUTE)
+ output = get_attribs(name, policydb); + output = get_attribs(name, policy);
+ +
+ if (type == ROLE) + if (type == ROLE)
+ output = get_roles(name, policydb); + output = get_roles(name, policy);
+ +
+ if (type == USER) + if (type == USER)
+ output = get_users(name, policydb); + output = get_users(name, policy);
+ +
+ if (type == BOOLEAN) + if (type == BOOLEAN)
+ output = get_booleans(name, policydb); + output = get_booleans(name, policy);
+ +
+ if (type == PORT) + if (type == PORT)
+ output = get_ports(name, policydb); + output = get_ports(name, policy);
+ +
+ apol_policy_destroy(&policydb);
+ apol_policy_path_destroy(&pol_path);
+ return output; + return output;
+} +}
+ +
+PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){ +PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
+ unsigned int type; + unsigned int type;
+ char *name; + char *name;
+ const char *policy_file;
+ +
+ if (!PyArg_ParseTuple(args, "ziz", &policy_file, &type, &name)) + if (!PyArg_ParseTuple(args, "iz", &type, &name))
+ return NULL; + return NULL;
+ +
+ return Py_BuildValue("N",info(policy_file, type, name)); + return Py_BuildValue("N",info(type, name));
+
+} +}
+ +
+static PyMethodDef methods[] = { +void init_info (PyObject *m) {
+ {"info", (PyCFunction) wrap_info, METH_VARARGS,
+ "Return SELinux polcy info about types, attributes, roles, users"},
+ {NULL, NULL, 0, NULL}
+};
+
+void init_info(){
+ PyObject *m;
+ m = Py_InitModule("_info", methods);
+ PyModule_AddIntConstant(m, "ATTRIBUTE", ATTRIBUTE); + PyModule_AddIntConstant(m, "ATTRIBUTE", ATTRIBUTE);
+ PyModule_AddIntConstant(m, "PORT", PORT); + PyModule_AddIntConstant(m, "PORT", PORT);
+ PyModule_AddIntConstant(m, "ROLE", ROLE); + PyModule_AddIntConstant(m, "ROLE", ROLE);
@ -337016,10 +336983,10 @@ index 0000000..f4cc0b0
+} +}
diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
new file mode 100644 new file mode 100644
index 0000000..c98e4cf index 0000000..c1d9411
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/search.c +++ b/policycoreutils/sepolicy/search.c
@@ -0,0 +1,1007 @@ @@ -0,0 +1,967 @@
+// Author: Thomas Liu <tliu@redhat.com> +// Author: Thomas Liu <tliu@redhat.com>
+ +
+/** +/**
@ -337057,9 +337024,9 @@ index 0000000..c98e4cf
+ */ + */
+ +
+#include "common.h" +#include "common.h"
+#include "policy.h"
+ +
+/* libapol */ +/* libapol */
+#include <apol/policy.h>
+#include <apol/policy-query.h> +#include <apol/policy-query.h>
+#include <apol/render.h> +#include <apol/render.h>
+#include <apol/util.h> +#include <apol/util.h>
@ -337805,8 +337772,7 @@ index 0000000..c98e4cf
+ return output; + return output;
+} +}
+ +
+PyObject* search(const char *policy_file, +PyObject* search(bool allow,
+ bool allow,
+ bool neverallow, + bool neverallow,
+ bool auditallow, + bool auditallow,
+ bool dontaudit, + bool dontaudit,
@ -337820,11 +337786,7 @@ index 0000000..c98e4cf
+{ +{
+ options_t cmd_opts; + options_t cmd_opts;
+ PyObject *output = NULL; + PyObject *output = NULL;
+ apol_policy_t *policy = NULL;
+ apol_vector_t *v = NULL; + apol_vector_t *v = NULL;
+ apol_policy_path_t *pol_path = NULL;
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+ +
+ memset(&cmd_opts, 0, sizeof(cmd_opts)); + memset(&cmd_opts, 0, sizeof(cmd_opts));
+ cmd_opts.indirect = true; + cmd_opts.indirect = true;
@ -337850,28 +337812,6 @@ index 0000000..c98e4cf
+ +
+ pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM; + pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+ +
+ if (apol_file_is_policy_path_list(policy_file) > 0) {
+ pol_path = apol_policy_path_create_from_file(policy_file);
+ if (!pol_path) {
+ PyErr_SetString(PyExc_RuntimeError,"invalid policy list");
+ return NULL;
+ }
+ }
+
+ if (!pol_path)
+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
+ if (!pol_path) {
+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
+ return NULL;
+ }
+ apol_vector_destroy(&mod_paths);
+
+ policy = apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL);
+ if (!policy) {
+ apol_policy_path_destroy(&pol_path);
+ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
+ return NULL;
+ }
+ /* handle regex for class name */ + /* handle regex for class name */
+ if (cmd_opts.useregex && cmd_opts.class_name != NULL) { + if (cmd_opts.useregex && cmd_opts.class_name != NULL) {
+ cmd_opts.class_vector = apol_vector_create(NULL); + cmd_opts.class_vector = apol_vector_create(NULL);
@ -337965,8 +337905,6 @@ index 0000000..c98e4cf
+ apol_vector_destroy(&v); + apol_vector_destroy(&v);
+ +
+ cleanup: + cleanup:
+ apol_policy_destroy(&policy);
+ apol_policy_path_destroy(&pol_path);
+ free(cmd_opts.src_name); + free(cmd_opts.src_name);
+ free(cmd_opts.tgt_name); + free(cmd_opts.tgt_name);
+ free(cmd_opts.class_name); + free(cmd_opts.class_name);
@ -338013,19 +337951,8 @@ index 0000000..c98e4cf
+ const char *tgt_name = Dict_ContainsString(dict, "target"); + const char *tgt_name = Dict_ContainsString(dict, "target");
+ const char *class_name = Dict_ContainsString(dict, "class"); + const char *class_name = Dict_ContainsString(dict, "class");
+ const char *permlist = Dict_ContainsString(dict, "permlist"); + const char *permlist = Dict_ContainsString(dict, "permlist");
+ const char *policy_path = Dict_ContainsString(dict, "policy");
+ +
+ return Py_BuildValue("N",search(policy_path, allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist)); + return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
+}
+
+static PyMethodDef methods[] = {
+ {"search", (PyCFunction) wrap_search, METH_VARARGS,
+ "Search SELinux Policy for allow, neverallow, auditallow, dontaudit and transition records"},
+ {NULL, NULL, 0, NULL} /* sentinel */
+};
+
+void init_search(void){
+ (void) Py_InitModule("_search", methods);
+} +}
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
new file mode 100644 new file mode 100644
@ -338818,25 +338745,24 @@ index 0000000..9f96fd5
+ sys.exit(1) + sys.exit(1)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
new file mode 100644 new file mode 100644
index 0000000..fbd011c index 0000000..22c0724
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -0,0 +1,91 @@ @@ -0,0 +1,87 @@
+#!/usr/bin/env python +#!/usr/bin/env python
+ +
+# Author: Thomas Liu <tliu@redhat.com> +# Author: Thomas Liu <tliu@redhat.com>
+# Author: Dan Walsh <dwalsh@redhat.com> +# Author: Dan Walsh <dwalsh@redhat.com>
+ +
+import _search +import _policy
+import _info
+import selinux +import selinux
+ +
+TYPE = _info.TYPE +TYPE = _policy.TYPE
+ROLE = _info.ROLE +ROLE = _policy.ROLE
+ATTRIBUTE = _info.ATTRIBUTE +ATTRIBUTE = _policy.ATTRIBUTE
+PORT = _info.PORT +PORT = _policy.PORT
+USER = _info.USER +USER = _policy.USER
+BOOLEAN = _info.BOOLEAN +BOOLEAN = _policy.BOOLEAN
+ +
+ALLOW = 'allow' +ALLOW = 'allow'
+AUDITALLOW = 'auditallow' +AUDITALLOW = 'auditallow'
@ -338849,7 +338775,11 @@ index 0000000..fbd011c
+TRANSITION = 'transition' +TRANSITION = 'transition'
+ROLE_ALLOW = 'role_allow' +ROLE_ALLOW = 'role_allow'
+ +
+def policy(policy_file):
+ _policy.policy(policy_file)
+
+policy_file = selinux.selinux_current_policy_path() +policy_file = selinux.selinux_current_policy_path()
+policy(policy_file)
+ +
+def search(types, info = {} ): +def search(types, info = {} ):
+ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] + valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
@ -338863,8 +338793,7 @@ index 0000000..fbd011c
+ perms = info[PERMS] + perms = info[PERMS]
+ info[PERMS] = ",".join(info[PERMS]) + info[PERMS] = ",".join(info[PERMS])
+ +
+ info["policy"] = policy_file + dict_list = _policy.search(info)
+ dict_list = _search.search(info)
+ if dict_list and len(perms) != 0: + if dict_list and len(perms) != 0:
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) + dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
+ return dict_list + return dict_list
@ -338876,14 +338805,9 @@ index 0000000..fbd011c
+ return True + return True
+ +
+def info(setype, name=None): +def info(setype, name=None):
+ global policy_file + dict_list = _policy.info(setype, name)
+ dict_list = _info.info(policy_file, setype, name)
+ return dict_list + return dict_list
+ +
+def policy(alt_policy_file):
+ global policy_file
+ policy_file = alt_policy_file
+
+def _gen_boolens_dict(): +def _gen_boolens_dict():
+ import xml.etree.ElementTree + import xml.etree.ElementTree
+ import re + import re
@ -338912,7 +338836,6 @@ index 0000000..fbd011c
+ pass + pass
+ return booleans_dict + return booleans_dict
+booleans_dict = _gen_boolens_dict() +booleans_dict = _gen_boolens_dict()
+
diff --git a/policycoreutils/sepolicy/sepolicy/booleans.py b/policycoreutils/sepolicy/sepolicy/booleans.py diff --git a/policycoreutils/sepolicy/sepolicy/booleans.py b/policycoreutils/sepolicy/sepolicy/booleans.py
new file mode 100644 new file mode 100644
index 0000000..c23cb11 index 0000000..c23cb11
@ -340308,10 +340231,10 @@ index 0000000..93b0762
+ return out + return out
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
new file mode 100755 new file mode 100755
index 0000000..2446be1 index 0000000..7a07b5a
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -0,0 +1,1273 @@ @@ -0,0 +1,1279 @@
+#! /usr/bin/python -Es +#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat +# Copyright (C) 2012 Red Hat
+# AUTHOR: Dan Walsh <dwalsh@redhat.com> +# AUTHOR: Dan Walsh <dwalsh@redhat.com>
@ -340347,7 +340270,6 @@ index 0000000..2446be1
+import sys, os, re, time +import sys, os, re, time
+ +
+equiv_dict={ "smbd" : "samba", "httpd" : "apache" } +equiv_dict={ "smbd" : "samba", "httpd" : "apache" }
+
+def _gen_modules_dict(): +def _gen_modules_dict():
+ import xml.etree.ElementTree + import xml.etree.ElementTree
+ modules_dict = {} + modules_dict = {}
@ -340367,7 +340289,7 @@ index 0000000..2446be1
+ except IOError, e: + except IOError, e:
+ pass + pass
+ return modules_dict + return modules_dict
+modules_dict = _gen_modules_dict() +modules_dict = None
+ +
+all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE)) +all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE))
+entrypoints = sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"] +entrypoints = sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"]
@ -340767,10 +340689,16 @@ index 0000000..2446be1
+ """ + """
+ def __init__(self, domainname, path = "/tmp", html = False): + def __init__(self, domainname, path = "/tmp", html = False):
+ self.html = html + self.html = html
+ self.domainname = domainname + if domainname.endswith("_t"):
+ self.short_name = domainname + self.domainname = domainname[:-2]
+ else:
+ self.domainname = domainname
+
+ if self.domainname + "_t" not in alldomains:
+ raise ValueError("domain %s_t does not exist" % self.domainname)
+ self.short_name = self.domainname
+ self.type = self.domainname + "_t" + self.type = self.domainname + "_t"
+ self.man_page_path = "%s/%s_selinux.8" % (path, domainname) + self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
+ self.fd = open(self.man_page_path, 'w') + self.fd = open(self.man_page_path, 'w')
+ if domainname in roles: + if domainname in roles:
+ self.__gen_user_man_page() + self.__gen_user_man_page()
@ -340787,7 +340715,8 @@ index 0000000..2446be1
+ +
+ def __gen_user_man_page(self): + def __gen_user_man_page(self):
+ self.role = self.domainname + "_r" + self.role = self.domainname + "_r"
+ + if not modules_dict:
+ modules_dict = _gen_modules_dict()
+ try: + try:
+ self.desc = modules_dict[self.domainname] + self.desc = modules_dict[self.domainname]
+ except: + except:
@ -344111,26 +344040,22 @@ index 0000000..72f5f65
+ return slist + return slist
diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py
new file mode 100644 new file mode 100644
index 0000000..46a8415 index 0000000..ec9c071
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/setup.py +++ b/policycoreutils/sepolicy/setup.py
@@ -0,0 +1,16 @@ @@ -0,0 +1,12 @@
+#!/usr/bin/env python +#!/usr/bin/env python
+ +
+# Author: Thomas Liu <tliu@redhat.com> +# Author: Thomas Liu <tliu@redhat.com>
+# Author: Dan Walsh <dwalsh@redhat.com> +# Author: Dan Walsh <dwalsh@redhat.com>
+import os +import os
+from distutils.core import setup, Extension +from distutils.core import setup, Extension
+info = Extension("sepolicy._info", +policy = Extension("sepolicy._policy",
+ libraries=["apol", "qpol"], + libraries=["apol", "qpol"],
+ sources=[ "info.c"] + sources=[ "policy.c", "info.c", "search.c"]
+)
+search = Extension("sepolicy._search",
+ libraries=["apol", "qpol"],
+ sources=[ "search.c"]
+) +)
+ +
+setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[info, search], packages=["sepolicy", "sepolicy.templates"]) +setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[policy], packages=["sepolicy", "sepolicy.templates"])
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index 4c62b41..01fc818 100644 index 4c62b41..01fc818 100644
--- a/policycoreutils/setfiles/restore.c --- a/policycoreutils/setfiles/restore.c

5
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.13 Version: 2.1.13
Release: 20%{?dist} Release: 21%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-21
- Redesign sepolicy to only read the policy file once, not for every call
* Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-20 * Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-20
- Fixes to sepolicy transition, allow it to list all transitions from a domain - Fixes to sepolicy transition, allow it to list all transitions from a domain

1
selinux-polgengui.desktop
View File

@ -64,3 +64,4 @@ Type=Application
Terminal=false Terminal=false
Categories=System;Security; Categories=System;Security;
X-Desktop-File-Install-Version=0.2 X-Desktop-File-Install-Version=0.2
_Keywords=policy,security,selinux,avc,permission,mac

1
system-config-selinux.desktop
View File

@ -64,3 +64,4 @@ Type=Application
Terminal=false Terminal=false
Categories=System;Security; Categories=System;Security;
X-Desktop-File-Install-Version=0.2 X-Desktop-File-Install-Version=0.2
_Keywords=policy,security,selinux,avc,permission,mac