From 7f6f58266d1d1b755f7eb9554311d0794cd30c22 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 20 Dec 2007 19:24:11 +0000
Subject: [PATCH] * Thu Dec 20 2007 Dan Walsh 2.0.34-2

- Make sepolgen set error exit code when partial failure
- audit2why now checks booleans for avc diagnosis
---
 policycoreutils-rhat.patch | 263 +++++++++++++++++++++++++++++++--
 policycoreutils-sepolgen.patch | 22 ++-
 policycoreutils.spec | 11 +-
 3 files changed, 277 insertions(+), 19 deletions(-)

diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index b7e5701..2431a2f 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -28,19 +28,233 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po .TP .B "\-t " | "\-\-tefile" Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. +diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.34/audit2allow/sepolgen-ifgen +--- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2007-07-16 14:20:41.000000000 -0400 ++++ policycoreutils-2.0.34/audit2allow/sepolgen-ifgen 2007-12-20 14:19:50.000000000 -0500 +@@ -80,7 +80,10 @@ + if_set.to_file(f) + f.close() + +- return 0 ++ if refparser.success: ++ return 0 ++ else: ++ return 1 + + if __name__ == "__main__": + sys.exit(main()) +Binary files nsapolicycoreutils/audit2why/audit2why and policycoreutils-2.0.34/audit2why/audit2why differ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.34/audit2why/audit2why.c --- nsapolicycoreutils/audit2why/audit2why.c 2007-07-16 14:20:41.000000000 -0400 -+++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-19 06:05:50.000000000 -0500 -@@ -137,6 +137,8 @@ ++++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-20 11:04:10.000000000 -0500 +@@ -22,27 +22,151 @@ + exit(rc); + } + ++struct bool_t { ++ const sepol_bool_t * boolean; ++ char *name; ++ int active; ++}; ++ ++static struct bool_t **boollist = NULL; ++static int boolcnt = 0; ++ ++struct access_t { ++ sepol_handle_t *handle; ++ sepol_policydb_t *policydb; ++ sepol_security_id_t ssid; ++ sepol_security_id_t tsid; ++ sepol_security_class_t tclass; ++ sepol_access_vector_t av; ++}; ++ ++static int load_booleans (const sepol_bool_t * boolean, ++ void *arg __attribute__ ((__unused__)) ) { ++ boollist[boolcnt] = (struct bool_t *) malloc(sizeof (struct bool_t)); ++ boollist[boolcnt]->boolean = boolean; ++ boollist[boolcnt]->name 
= strdup(sepol_bool_get_name(boolean)); ++ boollist[boolcnt]->active = sepol_bool_get_value(boolean); ++ boolcnt++; ++ return 0; ++} ++ ++static int check_booleans (struct access_t *access) { ++ struct sepol_av_decision avd; ++ unsigned int reason; ++ int rc; ++ int i; ++ sepol_bool_key_t *key=NULL; ++ int fcnt = 0; ++ int *foundlist = calloc(boolcnt, sizeof(int)); ++ if (!foundlist) { ++ fprintf(stderr, ++ "Out of memory.\n"); ++ return -1; ++ } ++ for (i=0; i < boolcnt; i++) { ++ char *name = boollist[i]->name; ++ int active = boollist[i]->active; ++ sepol_bool_t * boolean = (sepol_bool_t *) boollist[i]->boolean; ++ rc = sepol_bool_key_create(access->handle, ++ name, ++ &key); ++ if (rc < 0) { ++ fprintf(stderr, ++ "Could not create boolean key.\n"); ++ rc = -1; ++ break; ++ } ++ sepol_bool_set_value(boolean, !active); ++ ++ rc = sepol_bool_set(access->handle, ++ access->policydb, ++ key, ++ boolean); ++ if (rc < 0) { ++ fprintf(stderr, ++ "Could not set boolean data %s.\n", name); ++ rc = -1; ++ break; ++ } ++ ++ /* Reproduce the computation. 
*/ ++ rc = sepol_compute_av_reason(access->ssid, access->tsid, access->tclass, access->av, &avd, &reason); ++ if (rc < 0) { ++ fprintf(stderr, ++ "Error during access vector computation, skipping...\n"); ++ rc = -1; ++ break; ++ } else { ++ if (!reason) { ++ foundlist[fcnt] = i; ++ fcnt++; ++ rc = 0; ++ } ++ sepol_bool_set_value((sepol_bool_t*)boolean, active); ++ rc = sepol_bool_set(access->handle, ++ access->policydb, ++ key, ++ (sepol_bool_t*) boolean); ++ if (rc < 0) { ++ fprintf(stderr, ++ "Could not set boolean data %s.\n", name); ++ rc = -1; ++ break; ++ } ++ } ++ sepol_bool_key_free(key); ++ key=NULL; ++ } ++ if (key) ++ sepol_bool_key_free(key); ++ ++ if (fcnt > 0) { ++ printf("\tA boolean being set incorrectly.\n"); ++ for (i = 0; i < fcnt; i++) { ++ int ctr = foundlist[i]; ++ char *name = boollist[ctr]->name; ++ int active = boollist[ctr]->active; ++ printf("\n\tBoolean %s is %d.\n\tExecute the following to allow access:\n", name, active); ++ printf("\t# setsebool -P %s %d\n", name, !active); ++ } ++ } ++ ++ free(foundlist); ++ return rc; ++} ++ ++ + int main(int argc, char **argv) + { + char path[PATH_MAX]; + char *buffer = NULL, *bufcopy = NULL; +- unsigned int lineno = 0; ++ unsigned int lineno = 0, cnt; + size_t len = 0, bufcopy_len = 0; +- FILE *fp; ++ FILE *fp, *avcp=stdin; + int opt, rc, set_path = 0; + char *p, *scon, *tcon, *tclassstr, *permstr; + sepol_security_id_t ssid, tsid; + sepol_security_class_t tclass; + sepol_access_vector_t perm, av; ++ struct access_t access; + struct sepol_av_decision avd; + unsigned int reason; + int vers = 0; + sidtab_t sidtab; + policydb_t policydb; + struct policy_file pf; +- +- while ((opt = getopt(argc, argv, "p:?h")) > 0) { ++ ++ while ((opt = getopt(argc, argv, "i:p:?h")) > 0) { + switch (opt) { ++ case 'i': ++ avcp = fopen(optarg, "r"); ++ if (!avcp) { ++ fprintf(stderr, "%s: unable to open %s: %s\n", ++ argv[0], path, strerror(errno)); ++ exit(1); ++ } ++ break; ++ + case 'p': + set_path = 1; + 
strncpy(path, optarg, PATH_MAX); +@@ -110,7 +234,6 @@ + } + fclose(fp); + sepol_set_policydb(&policydb); +- + if (!set_path) { + /* If they didn't specify a full path of a binary policy file, + then also try loading any boolean settings and user +@@ -125,6 +248,30 @@ + (void)sepol_genusers_policydb(&policydb, selinux_users_path()); + } + ++ access.handle = sepol_handle_create(); ++ access.policydb = (sepol_policydb_t *) &policydb, ++ ++ rc = sepol_bool_count(access.handle, ++ access.policydb, ++ &cnt); ++ if (rc < 0) { ++ fprintf(stderr, "%s: unable to get bool count\n", argv[0]); ++ exit(1); ++ } ++ ++ boollist = calloc(cnt, sizeof(struct bool_t)); ++ if (!boollist) { ++ fprintf(stderr, "%s: Out of memory\n", argv[0]); ++ exit(1); ++ } ++ ++ ++ sepol_bool_iterate(access.handle, ++ (const sepol_policydb_t *) &policydb, ++ load_booleans, ++ (void *)NULL); ++ ++ + /* Initialize the sidtab for subsequent use by sepol_context_to_sid + and sepol_compute_av_reason. */ + rc = sepol_sidtab_init(&sidtab); +@@ -135,8 +282,10 @@ + sepol_set_sidtab(&sidtab); + /* Process the audit messages. */ - while (getline(&buffer, &len, stdin) > 0) { +- while (getline(&buffer, &len, stdin) > 0) { ++ while (getline(&buffer, &len, avcp) > 0) { size_t len2 = strlen(buffer); + char *begin, *end, *search_buf; + int slen = 0; if (buffer[len2 - 1] == '\n') buffer[len2 - 1] = 0; -@@ -179,6 +181,7 @@ +@@ -179,6 +328,7 @@ } *p++ = 0; @@ -48,7 +262,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po /* Get scontext and convert to SID. */ while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1)) p++; -@@ -188,11 +191,14 @@ +@@ -188,11 +338,14 @@ continue; } p += sizeof(SCONTEXT) - 1; @@ -66,7 +280,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid); if (rc < 0) { fprintf(stderr, -@@ -201,6 +207,10 @@ +@@ -201,6 +354,10 @@ continue; } 
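Review bot: `load_booleans` keeps the `sepol_bool_t *` it is handed and `check_booleans` later writes to it through a `const`-discarding cast; if libsepol frees that record once the callback returns (the usual contract of its `*_iterate` functions — confirm against `sepol_bool_iterate`), every later `sepol_bool_set_value`/`sepol_bool_set` in `check_booleans` is a use-after-free, and the callback should keep its own copy with `sepol_bool_clone(handle, boolean, &copy)` instead (it then needs the handle, which can be passed as `arg` rather than `(void *)NULL`). The new `case 'i':` error message prints `path` where it means `optarg` — `path` is an uninitialized `char[PATH_MAX]` at that point (only the `-p` case fills it), so the text is garbage; use `argv[0], optarg, strerror(errno)`. In `load_booleans` the `malloc` and `strdup` results are used unchecked and `boollist[boolcnt]` is stored without comparing `boolcnt` against the count passed to `calloc`, so an allocation failure or a count/iterate mismatch dereferences NULL or writes past the array; check both and return non-zero to stop the iteration, and size the array as `calloc(cnt, sizeof *boollist)` since `boollist` holds pointers, not structs (the current `sizeof(struct bool_t)` merely over-allocates). `access.policydb = (sepol_policydb_t *) &policydb,` ends in a comma, so the following `rc = sepol_bool_count(...)` is swallowed into the same expression; it compiles by accident and should be a semicolon. `main` continues past the end of this hunk.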
@@ -77,7 +291,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po /* Get tcontext and convert to SID. */ while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1)) p++; -@@ -210,11 +220,15 @@ +@@ -210,11 +367,15 @@ continue; } p += sizeof(TCONTEXT) - 1; @@ -96,7 +310,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid); if (rc < 0) { fprintf(stderr, -@@ -222,6 +236,9 @@ +@@ -222,6 +383,9 @@ TCONTEXT, tcon, lineno); continue; } @@ -106,7 +320,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po /* Get tclass= and convert to value. */ while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1)) -@@ -232,12 +249,17 @@ +@@ -232,12 +396,17 @@ continue; } p += sizeof(TCLASS) - 1; 
@@ -127,6 +341,37 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po if (!tclass) { fprintf(stderr, "Invalid %s%s on line %u, skipping...\n", +@@ -286,11 +455,16 @@ + } + + if (reason & SEPOL_COMPUTEAV_TE) { +- printf("\t\tMissing or disabled TE allow rule.\n"); +- printf +- ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n"); +- printf +- ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n"); ++ access.ssid = ssid; ++ access.tsid = tsid; ++ access.tclass = tclass; ++ access.av = av; ++ ++ if (check_booleans(&access) < 0) { ++ printf("\t\tMissing or disabled TE allow rule.\n"); ++ printf ++ ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n"); ++ } + } + + if (reason & SEPOL_COMPUTEAV_CONS) { +@@ -309,5 +483,8 @@ + } + free(buffer); + free(bufcopy); ++ if (avcp != stdin) ++ fclose(avcp); ++ + exit(0); + } diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.34/Makefile --- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500 +++ policycoreutils-2.0.34/Makefile 2007-12-19 06:06:04.000000000 -0500 diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index cfca5ef..c1611cb 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py --- nsasepolgen/src/sepolgen/refparser.py 2007-09-13 08:21:11.000000000 -0400 -+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-19 06:05:51.000000000 -0500 ++++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-20 14:20:49.000000000 -0500 @@ -118,6 +118,7 @@ 'TEMPLATE', 'GEN_CONTEXT', 
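Review bot: `if (check_booleans(&access) < 0)` prints the fallback explanation only when the boolean scan fails, but `check_booleans` returns 0 both when it found a boolean and when it found none (`fcnt == 0`), so in the latter, common case the `printf("\t\tMissing or disabled TE allow rule.\n")` text is never shown and the user gets no diagnosis at all. Have `check_booleans` report what it found — `return rc < 0 ? rc : fcnt;` in place of `return rc;` in the earlier hunk — and test `if (check_booleans(&access) <= 0)` here, so the fallback appears whenever no single boolean explains the denial. The `sepol_handle_create()` result stored in `access.handle` (set up in the earlier hunk) is never checked for NULL, and is not released with `sepol_handle_destroy` before `exit(0)`; the leak is harmless for a one-shot command, but the NULL check belongs next to the `sepol_bool_count` error check. The enclosing `main` starts outside this hunk.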
@@ -30,7 +30,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic def t_refpolicywarn(t): r'refpolicywarn\(.*\n' # Ignore refpolicywarn statements - they sometimes -@@ -258,6 +266,7 @@ +@@ -258,10 +266,12 @@ m = None # error is either None (indicating no error) or a string error message. error = None @@ -38,7 +38,12 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic # spt is the support macros (e.g., obj/perm sets) - it is an instance of # refpolicy.SupportMacros and should always be present during parsing # though it may not contain any macros. -@@ -382,6 +391,19 @@ + spt = None ++success=True + + # utilities + def collect(stmts, parent, val=None): +@@ -382,6 +392,19 @@ collect(p[12], x, val=False) p[0] = [x] @@ -58,7 +63,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic def p_ifdef(p): '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi -@@ -446,6 +468,7 @@ +@@ -446,6 +469,7 @@ | optional_policy | tunable_policy | ifdef @@ -66,17 +71,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic | conditional ''' p[0] = p[1] -@@ -844,7 +867,8 @@ +@@ -844,8 +868,11 @@ def p_error(tok): global error - error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type) + global parse_file ++ global success + error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type) print error ++ success = False def prep_spt(spt): -@@ -892,7 +916,7 @@ + if not spt: +@@ -892,7 +919,7 @@ def list_headers(root): modules = [] support_macros = None 
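Review bot: `success=True` is the one module-level assignment in this hunk written without spaces around `=`; its neighbour reads `spt = None`, so `success = True` matches the file. Because the flag is read from outside the module (`sepolgen-ifgen` checks `refparser.success`), a one-line comment above it would help: `# Cleared by p_error on the first syntax error; callers such as sepolgen-ifgen read it after parsing`.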
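Review bot: `success = False` in `p_error` is never set back to `True` anywhere in the patch, so the flag is sticky for the life of the process: once any file fails, `refparser.success` stays False for every later `parse_file` call, even a clean one. For the one-shot `sepolgen-ifgen` run that is the intended "partial failure" semantics, but a long-lived caller would have to reset `refparser.success = True` itself; either reset it at the start of the top-level parse entry point or state the accumulating behaviour in a comment next to `success = False`. `p_error` is fully visible here, but `parse_file` and the other entry points are not, so I cannot tell whether one of them already resets it.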
@@ -85,7 +93,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic for dirpath, dirnames, filenames in os.walk(root): for name in filenames: -@@ -941,12 +965,14 @@ +@@ -941,12 +968,14 @@ output.write(msg) def parse_file(f, module, spt=None): diff --git a/policycoreutils.spec b/policycoreutils.spec index d603447..c451a07 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.34 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -193,9 +193,14 @@ if [ "$1" -ge "1" ]; then fi %changelog -* Tue Dec 19 2007 Dan Walsh 2.0.34-1 +* Thu Dec 20 2007 Dan Walsh 2.0.34-2 +- Make sepolgen set error exit code when partial failure +- audit2why now checks booleans for avc diagnosis + +* Wed Dec 19 2007 Dan Walsh 2.0.34-1 - Update to upstream -* Tue Dec 19 2007 Dan Walsh 2.0.33-4 + +* Wed Dec 19 2007 Dan Walsh 2.0.33-4 - Fix sepolgen to be able to parse Fedora 9 policy Handle ifelse statements Handle refpolicywarn inside of define