Fixes to sepolicy transition, allow it to list all transitions from a domain

This commit is contained in:
rhatdan 2012-10-29 09:09:07 -04:00
parent 43cb5fa238
commit 7e71323398
2 changed files with 41 additions and 28 deletions


@ -338405,10 +338405,10 @@ index 0000000..4ba92cc
+ +
diff --git a/policycoreutils/sepolicy/sepolicy-transition.8 b/policycoreutils/sepolicy/sepolicy-transition.8 diff --git a/policycoreutils/sepolicy/sepolicy-transition.8 b/policycoreutils/sepolicy/sepolicy-transition.8
new file mode 100644 new file mode 100644
index 0000000..2e26cea index 0000000..897f0c4
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy-transition.8 +++ b/policycoreutils/sepolicy/sepolicy-transition.8
@@ -0,0 +1,28 @@ @@ -0,0 +1,34 @@
+.TH "sepolicy-transition" "8" "20121005" "" "" +.TH "sepolicy-transition" "8" "20121005" "" ""
+.SH "NAME" +.SH "NAME"
+sepolicy-transition \- Examine the SELinux Policy and generate a process transition report +sepolicy-transition \- Examine the SELinux Policy and generate a process transition report
@ -338416,11 +338416,16 @@ index 0000000..2e26cea
+.SH "SYNOPSIS" +.SH "SYNOPSIS"
+ +
+.br +.br
+.B sepolicy transition [\-h] \-s SOURCE
+
+.br
+.B sepolicy transition [\-h] \-s SOURCE \-t TARGET +.B sepolicy transition [\-h] \-s SOURCE \-t TARGET
+ +
+.SH "DESCRIPTION" +.SH "DESCRIPTION"
+Use sepolicy transition to examine SELinux Policy to if a source SELinux Domain can transition to a target SELinux Domain. +sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
+If a transition is possible, this tool will print out all transition paths from the source domain to the target domain +
+If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
+paths. If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
+ +
+.SH "OPTIONS" +.SH "OPTIONS"
+.TP +.TP
@ -338429,6 +338434,7 @@ index 0000000..2e26cea
+.TP +.TP
+.I \-s, \-\-source +.I \-s, \-\-source
+Specify the source SELinux domain type. +Specify the source SELinux domain type.
+.TP
+.I \-t, \-\-target +.I \-t, \-\-target
+Specify the target SELinux domain type. +Specify the target SELinux domain type.
+ +
@ -338503,10 +338509,10 @@ index 0000000..2e0163b
+selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-network(8), sepolicy-transition(8) +selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-network(8), sepolicy-transition(8)
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
new file mode 100755 new file mode 100755
index 0000000..5469729 index 0000000..9f96fd5
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py
@@ -0,0 +1,299 @@ @@ -0,0 +1,303 @@
+#! /usr/bin/python -Es +#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat +# Copyright (C) 2012 Red Hat
+# AUTHOR: Dan Walsh <dwalsh@redhat.com> +# AUTHOR: Dan Walsh <dwalsh@redhat.com>
@ -338648,10 +338654,9 @@ index 0000000..5469729
+ newval = getattr(namespace, self.dest) + newval = getattr(namespace, self.dest)
+ if not newval: + if not newval:
+ newval = [] + newval = []
+ for v in values: + if values not in domains:
+ if v not in domains: + raise ValueError("%s must be an SELinux process domain" % values)
+ raise ValueError("%s must be an SELinux process domain" % values) + newval.append(values)
+ newval.append(v)
+ setattr(namespace, self.dest, newval) + setattr(namespace, self.dest, newval)
+ +
+class CheckPortType(argparse.Action): +class CheckPortType(argparse.Action):
@ -338689,7 +338694,7 @@ index 0000000..5469729
+ action=CheckPortType,nargs="+", + action=CheckPortType,nargs="+",
+ help=_("Show ports defined for this SELinux type")) + help=_("Show ports defined for this SELinux type"))
+ group.add_argument("-d", "--domain", dest="domain", default=None, + group.add_argument("-d", "--domain", dest="domain", default=None,
+ action=CheckDomain,nargs="+", + action=CheckDomain,
+ help=_("show ports to which this domain can bind and/or connect")) + help=_("show ports to which this domain can bind and/or connect"))
+ net.set_defaults(func=network) + net.set_defaults(func=network)
+ +
@ -338738,7 +338743,12 @@ index 0000000..5469729
+ +
+def transition(args): +def transition(args):
+ from sepolicy.transition import setrans + from sepolicy.transition import setrans
+ for l in setrans(args.source, args.target): + source = args.source[0]
+ if args.target:
+ target = args.target[0]
+ else:
+ target = None
+ for l in setrans(source, target):
+ print " --> ".join(l) + print " --> ".join(l)
+ +
+def gen_transition_args(parser): +def gen_transition_args(parser):
@ -338748,7 +338758,7 @@ index 0000000..5469729
+ action=CheckDomain, required=True, + action=CheckDomain, required=True,
+ help=_("source process domain")) + help=_("source process domain"))
+ trans.add_argument("-t", "--target", dest="target", + trans.add_argument("-t", "--target", dest="target",
+ action=CheckDomain, required=True, + action=CheckDomain,
+ help=_("target process domain")) + help=_("target process domain"))
+ trans.set_defaults(func=transition) + trans.set_defaults(func=transition)
+ +
@ -344024,7 +344034,7 @@ index 0000000..dccb5f1
+""" +"""
diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py
new file mode 100755 new file mode 100755
index 0000000..5f16d70 index 0000000..72f5f65
--- /dev/null --- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/transition.py +++ b/policycoreutils/sepolicy/sepolicy/transition.py
@@ -0,0 +1,71 @@ @@ -0,0 +1,71 @@
@ -344056,6 +344066,11 @@ index 0000000..5f16d70
+_failedlist = [] +_failedlist = []
+__all__ = [ 'setrans', ] +__all__ = [ 'setrans', ]
+ +
+def _entrypoint(src):
+ trans=search([sepolicy.ALLOW],{sepolicy.SOURCE:src})
+ return map(lambda y: y[sepolicy.TARGET], filter(lambda x: "entrypoint" in x[sepolicy.PERMS], trans))
+
+
+def _get_trans(src, dest, slist, tlist = []): +def _get_trans(src, dest, slist, tlist = []):
+ foundstr = "" + foundstr = ""
+ trans=search([sepolicy.ALLOW],{sepolicy.SOURCE:src}) + trans=search([sepolicy.ALLOW],{sepolicy.SOURCE:src})
@ -344074,6 +344089,11 @@ index 0000000..5f16d70
+ +
+ tlist.append(src) + tlist.append(src)
+ +
+ if not dest:
+ for t in targets:
+ slist.append((src, _entrypoint(t)[0], t))
+ return True
+
+ if dest in targets: + if dest in targets:
+ slist.append(tlist + [ dest ]) + slist.append(tlist + [ dest ])
+ return True + return True
@ -344085,19 +344105,9 @@ index 0000000..5f16d70
+ +
+ return True + return True
+ +
+def _verify_domain(domain): +def setrans(source, dest = None):
+ try:
+ d = info(sepolicy.TYPE, domain)[0]
+ if "domain" not in d["attributes"]:
+ raise RuntimeError
+ except RuntimeError:
+ raise TypeError("Types must be process/domain types")
+
+def setrans(source, dest):
+ slist=[] + slist=[]
+ verify_domain(source) + _get_trans(source, dest, slist)
+ verify_domain(dest)
+ get_trans(source,dest, slist)
+ return slist + return slist
diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py
new file mode 100644 new file mode 100644
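Review bot: `slist.append((src, _entrypoint(t)[0], t))` in the new no-target branch of `_get_trans` raises IndexError as soon as a reachable target domain has no `entrypoint` allow rule in the loaded policy, and for a domain with several entrypoint types it silently reports only the first, so the transition report under-states what the policy grants. Iterate the whole list and make the empty case visible rather than indexing blindly, e.g. `for ep in _entrypoint(t) or ["(no entrypoint)"]:` followed by `slist.append((src, ep, t))`, or drop such targets with a comment saying why if a domain without an entrypoint should not count as reachable. Note also that `_entrypoint` only collects `entrypoint` rules on `t`; it does not check that `src` may `execute` that file type, so the listed paths are possible entry points rather than confirmed transitions (a one-line docstring on `_entrypoint` stating this would help callers of `setrans`). The body of `_get_trans` continues past this hunk, and the `dest` branches shown at the end of it return outside the hunk as well.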


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.13 Version: 2.1.13
Release: 19%{?dist} Release: 20%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-20
- Fixes to sepolicy transition, allow it to list all transitions from a domain
* Sat Oct 27 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-19 * Sat Oct 27 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-19
- Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network - Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network