* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2
- Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis
This commit is contained in:
parent
bac931cd73
commit
7f6f58266d
@ -28,19 +28,233 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
.TP
|
||||
.B "\-t " | "\-\-tefile"
|
||||
Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.34/audit2allow/sepolgen-ifgen
|
||||
--- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2007-07-16 14:20:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.34/audit2allow/sepolgen-ifgen 2007-12-20 14:19:50.000000000 -0500
|
||||
@@ -80,7 +80,10 @@
|
||||
if_set.to_file(f)
|
||||
f.close()
|
||||
|
||||
- return 0
|
||||
+ if refparser.success:
|
||||
+ return 0
|
||||
+ else:
|
||||
+ return 1
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
||||
Binary files nsapolicycoreutils/audit2why/audit2why and policycoreutils-2.0.34/audit2why/audit2why differ
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.34/audit2why/audit2why.c
|
||||
--- nsapolicycoreutils/audit2why/audit2why.c 2007-07-16 14:20:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-19 06:05:50.000000000 -0500
|
||||
@@ -137,6 +137,8 @@
|
||||
+++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-20 11:04:10.000000000 -0500
|
||||
@@ -22,27 +22,151 @@
|
||||
exit(rc);
|
||||
}
|
||||
|
||||
+struct bool_t {
|
||||
+ const sepol_bool_t * boolean;
|
||||
+ char *name;
|
||||
+ int active;
|
||||
+};
|
||||
+
|
||||
+static struct bool_t **boollist = NULL;
|
||||
+static int boolcnt = 0;
|
||||
+
|
||||
+struct access_t {
|
||||
+ sepol_handle_t *handle;
|
||||
+ sepol_policydb_t *policydb;
|
||||
+ sepol_security_id_t ssid;
|
||||
+ sepol_security_id_t tsid;
|
||||
+ sepol_security_class_t tclass;
|
||||
+ sepol_access_vector_t av;
|
||||
+};
|
||||
+
|
||||
+static int load_booleans (const sepol_bool_t * boolean,
|
||||
+ void *arg __attribute__ ((__unused__)) ) {
|
||||
+ boollist[boolcnt] = (struct bool_t *) malloc(sizeof (struct bool_t));
|
||||
+ boollist[boolcnt]->boolean = boolean;
|
||||
+ boollist[boolcnt]->name = strdup(sepol_bool_get_name(boolean));
|
||||
+ boollist[boolcnt]->active = sepol_bool_get_value(boolean);
|
||||
+ boolcnt++;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static int check_booleans (struct access_t *access) {
|
||||
+ struct sepol_av_decision avd;
|
||||
+ unsigned int reason;
|
||||
+ int rc;
|
||||
+ int i;
|
||||
+ sepol_bool_key_t *key=NULL;
|
||||
+ int fcnt = 0;
|
||||
+ int *foundlist = calloc(boolcnt, sizeof(int));
|
||||
+ if (!foundlist) {
|
||||
+ fprintf(stderr,
|
||||
+ "Out of memory.\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+ for (i=0; i < boolcnt; i++) {
|
||||
+ char *name = boollist[i]->name;
|
||||
+ int active = boollist[i]->active;
|
||||
+ sepol_bool_t * boolean = (sepol_bool_t *) boollist[i]->boolean;
|
||||
+ rc = sepol_bool_key_create(access->handle,
|
||||
+ name,
|
||||
+ &key);
|
||||
+ if (rc < 0) {
|
||||
+ fprintf(stderr,
|
||||
+ "Could not create boolean key.\n");
|
||||
+ rc = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ sepol_bool_set_value(boolean, !active);
|
||||
+
|
||||
+ rc = sepol_bool_set(access->handle,
|
||||
+ access->policydb,
|
||||
+ key,
|
||||
+ boolean);
|
||||
+ if (rc < 0) {
|
||||
+ fprintf(stderr,
|
||||
+ "Could not set boolean data %s.\n", name);
|
||||
+ rc = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ /* Reproduce the computation. */
|
||||
+ rc = sepol_compute_av_reason(access->ssid, access->tsid, access->tclass, access->av, &avd, &reason);
|
||||
+ if (rc < 0) {
|
||||
+ fprintf(stderr,
|
||||
+ "Error during access vector computation, skipping...\n");
|
||||
+ rc = -1;
|
||||
+ break;
|
||||
+ } else {
|
||||
+ if (!reason) {
|
||||
+ foundlist[fcnt] = i;
|
||||
+ fcnt++;
|
||||
+ rc = 0;
|
||||
+ }
|
||||
+ sepol_bool_set_value((sepol_bool_t*)boolean, active);
|
||||
+ rc = sepol_bool_set(access->handle,
|
||||
+ access->policydb,
|
||||
+ key,
|
||||
+ (sepol_bool_t*) boolean);
|
||||
+ if (rc < 0) {
|
||||
+ fprintf(stderr,
|
||||
+ "Could not set boolean data %s.\n", name);
|
||||
+ rc = -1;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ sepol_bool_key_free(key);
|
||||
+ key=NULL;
|
||||
+ }
|
||||
+ if (key)
|
||||
+ sepol_bool_key_free(key);
|
||||
+
|
||||
+ if (fcnt > 0) {
|
||||
+ printf("\tA boolean being set incorrectly.\n");
|
||||
+ for (i = 0; i < fcnt; i++) {
|
||||
+ int ctr = foundlist[i];
|
||||
+ char *name = boollist[ctr]->name;
|
||||
+ int active = boollist[ctr]->active;
|
||||
+ printf("\n\tBoolean %s is %d.\n\tExecute the following to allow access:\n", name, active);
|
||||
+ printf("\t# setsebool -P %s %d\n", name, !active);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ free(foundlist);
|
||||
+ return rc;
|
||||
+}
|
||||
+
|
||||
+
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
char path[PATH_MAX];
|
||||
char *buffer = NULL, *bufcopy = NULL;
|
||||
- unsigned int lineno = 0;
|
||||
+ unsigned int lineno = 0, cnt;
|
||||
size_t len = 0, bufcopy_len = 0;
|
||||
- FILE *fp;
|
||||
+ FILE *fp, *avcp=stdin;
|
||||
int opt, rc, set_path = 0;
|
||||
char *p, *scon, *tcon, *tclassstr, *permstr;
|
||||
sepol_security_id_t ssid, tsid;
|
||||
sepol_security_class_t tclass;
|
||||
sepol_access_vector_t perm, av;
|
||||
+ struct access_t access;
|
||||
struct sepol_av_decision avd;
|
||||
unsigned int reason;
|
||||
int vers = 0;
|
||||
sidtab_t sidtab;
|
||||
policydb_t policydb;
|
||||
struct policy_file pf;
|
||||
-
|
||||
- while ((opt = getopt(argc, argv, "p:?h")) > 0) {
|
||||
+
|
||||
+ while ((opt = getopt(argc, argv, "i:p:?h")) > 0) {
|
||||
switch (opt) {
|
||||
+ case 'i':
|
||||
+ avcp = fopen(optarg, "r");
|
||||
+ if (!avcp) {
|
||||
+ fprintf(stderr, "%s: unable to open %s: %s\n",
|
||||
+ argv[0], path, strerror(errno));
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
case 'p':
|
||||
set_path = 1;
|
||||
strncpy(path, optarg, PATH_MAX);
|
||||
@@ -110,7 +234,6 @@
|
||||
}
|
||||
fclose(fp);
|
||||
sepol_set_policydb(&policydb);
|
||||
-
|
||||
if (!set_path) {
|
||||
/* If they didn't specify a full path of a binary policy file,
|
||||
then also try loading any boolean settings and user
|
||||
@@ -125,6 +248,30 @@
|
||||
(void)sepol_genusers_policydb(&policydb, selinux_users_path());
|
||||
}
|
||||
|
||||
+ access.handle = sepol_handle_create();
|
||||
+ access.policydb = (sepol_policydb_t *) &policydb,
|
||||
+
|
||||
+ rc = sepol_bool_count(access.handle,
|
||||
+ access.policydb,
|
||||
+ &cnt);
|
||||
+ if (rc < 0) {
|
||||
+ fprintf(stderr, "%s: unable to get bool count\n", argv[0]);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+ boollist = calloc(cnt, sizeof(struct bool_t));
|
||||
+ if (!boollist) {
|
||||
+ fprintf(stderr, "%s: Out of memory\n", argv[0]);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
+
|
||||
+ sepol_bool_iterate(access.handle,
|
||||
+ (const sepol_policydb_t *) &policydb,
|
||||
+ load_booleans,
|
||||
+ (void *)NULL);
|
||||
+
|
||||
+
|
||||
/* Initialize the sidtab for subsequent use by sepol_context_to_sid
|
||||
and sepol_compute_av_reason. */
|
||||
rc = sepol_sidtab_init(&sidtab);
|
||||
@@ -135,8 +282,10 @@
|
||||
sepol_set_sidtab(&sidtab);
|
||||
|
||||
/* Process the audit messages. */
|
||||
while (getline(&buffer, &len, stdin) > 0) {
|
||||
- while (getline(&buffer, &len, stdin) > 0) {
|
||||
+ while (getline(&buffer, &len, avcp) > 0) {
|
||||
size_t len2 = strlen(buffer);
|
||||
+ char *begin, *end, *search_buf;
|
||||
+ int slen = 0;
|
||||
|
||||
if (buffer[len2 - 1] == '\n')
|
||||
buffer[len2 - 1] = 0;
|
||||
@@ -179,6 +181,7 @@
|
||||
@@ -179,6 +328,7 @@
|
||||
}
|
||||
*p++ = 0;
|
||||
|
||||
@ -48,7 +262,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
/* Get scontext and convert to SID. */
|
||||
while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1))
|
||||
p++;
|
||||
@@ -188,11 +191,14 @@
|
||||
@@ -188,11 +338,14 @@
|
||||
continue;
|
||||
}
|
||||
p += sizeof(SCONTEXT) - 1;
|
||||
@ -66,7 +280,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
|
||||
if (rc < 0) {
|
||||
fprintf(stderr,
|
||||
@@ -201,6 +207,10 @@
|
||||
@@ -201,6 +354,10 @@
|
||||
continue;
|
||||
}
|
||||
|
||||
@ -77,7 +291,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
/* Get tcontext and convert to SID. */
|
||||
while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1))
|
||||
p++;
|
||||
@@ -210,11 +220,15 @@
|
||||
@@ -210,11 +367,15 @@
|
||||
continue;
|
||||
}
|
||||
p += sizeof(TCONTEXT) - 1;
|
||||
@ -96,7 +310,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
|
||||
if (rc < 0) {
|
||||
fprintf(stderr,
|
||||
@@ -222,6 +236,9 @@
|
||||
@@ -222,6 +383,9 @@
|
||||
TCONTEXT, tcon, lineno);
|
||||
continue;
|
||||
}
|
||||
@ -106,7 +320,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
|
||||
/* Get tclass= and convert to value. */
|
||||
while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1))
|
||||
@@ -232,12 +249,17 @@
|
||||
@@ -232,12 +396,17 @@
|
||||
continue;
|
||||
}
|
||||
p += sizeof(TCLASS) - 1;
|
||||
@ -127,6 +341,37 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
if (!tclass) {
|
||||
fprintf(stderr,
|
||||
"Invalid %s%s on line %u, skipping...\n",
|
||||
@@ -286,11 +455,16 @@
|
||||
}
|
||||
|
||||
if (reason & SEPOL_COMPUTEAV_TE) {
|
||||
- printf("\t\tMissing or disabled TE allow rule.\n");
|
||||
- printf
|
||||
- ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n");
|
||||
- printf
|
||||
- ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
|
||||
+ access.ssid = ssid;
|
||||
+ access.tsid = tsid;
|
||||
+ access.tclass = tclass;
|
||||
+ access.av = av;
|
||||
+
|
||||
+ if (check_booleans(&access) < 0) {
|
||||
+ printf("\t\tMissing or disabled TE allow rule.\n");
|
||||
+ printf
|
||||
+ ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
|
||||
+ }
|
||||
}
|
||||
|
||||
if (reason & SEPOL_COMPUTEAV_CONS) {
|
||||
@@ -309,5 +483,8 @@
|
||||
}
|
||||
free(buffer);
|
||||
free(bufcopy);
|
||||
+ if (avcp != stdin)
|
||||
+ fclose(avcp);
|
||||
+
|
||||
exit(0);
|
||||
}
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.34/Makefile
|
||||
--- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500
|
||||
+++ policycoreutils-2.0.34/Makefile 2007-12-19 06:06:04.000000000 -0500
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py
|
||||
--- nsasepolgen/src/sepolgen/refparser.py 2007-09-13 08:21:11.000000000 -0400
|
||||
+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-19 06:05:51.000000000 -0500
|
||||
+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-20 14:20:49.000000000 -0500
|
||||
@@ -118,6 +118,7 @@
|
||||
'TEMPLATE',
|
||||
'GEN_CONTEXT',
|
||||
@ -30,7 +30,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
||||
def t_refpolicywarn(t):
|
||||
r'refpolicywarn\(.*\n'
|
||||
# Ignore refpolicywarn statements - they sometimes
|
||||
@@ -258,6 +266,7 @@
|
||||
@@ -258,10 +266,12 @@
|
||||
m = None
|
||||
# error is either None (indicating no error) or a string error message.
|
||||
error = None
|
||||
@ -38,7 +38,12 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
||||
# spt is the support macros (e.g., obj/perm sets) - it is an instance of
|
||||
# refpolicy.SupportMacros and should always be present during parsing
|
||||
# though it may not contain any macros.
|
||||
@@ -382,6 +391,19 @@
|
||||
spt = None
|
||||
+success=True
|
||||
|
||||
# utilities
|
||||
def collect(stmts, parent, val=None):
|
||||
@@ -382,6 +392,19 @@
|
||||
collect(p[12], x, val=False)
|
||||
p[0] = [x]
|
||||
|
||||
@ -58,7 +63,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
||||
def p_ifdef(p):
|
||||
'''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
||||
| IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
|
||||
@@ -446,6 +468,7 @@
|
||||
@@ -446,6 +469,7 @@
|
||||
| optional_policy
|
||||
| tunable_policy
|
||||
| ifdef
|
||||
@ -66,17 +71,20 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
||||
| conditional
|
||||
'''
|
||||
p[0] = p[1]
|
||||
@@ -844,7 +867,8 @@
|
||||
@@ -844,8 +868,11 @@
|
||||
|
||||
def p_error(tok):
|
||||
global error
|
||||
- error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
|
||||
+ global parse_file
|
||||
+ global success
|
||||
+ error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
|
||||
print error
|
||||
+ success = False
|
||||
|
||||
def prep_spt(spt):
|
||||
@@ -892,7 +916,7 @@
|
||||
if not spt:
|
||||
@@ -892,7 +919,7 @@
|
||||
def list_headers(root):
|
||||
modules = []
|
||||
support_macros = None
|
||||
@ -85,7 +93,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
|
||||
|
||||
for dirpath, dirnames, filenames in os.walk(root):
|
||||
for name in filenames:
|
||||
@@ -941,12 +965,14 @@
|
||||
@@ -941,12 +968,14 @@
|
||||
output.write(msg)
|
||||
|
||||
def parse_file(f, module, spt=None):
|
||||
|
@ -6,7 +6,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.34
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
@ -193,9 +193,14 @@ if [ "$1" -ge "1" ]; then
|
||||
fi
|
||||
|
||||
%changelog
|
||||
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-1
|
||||
* Thu Dec 20 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-2
|
||||
- Make sepolgen set error exit code when partial failure
|
||||
- audit2why now checks booleans for avc diagnosis
|
||||
|
||||
* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.34-1
|
||||
- Update to upstream
|
||||
* Tue Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4
|
||||
|
||||
* Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 2.0.33-4
|
||||
- Fix sepolgen to be able to parse Fedora 9 policy
|
||||
Handle ifelse statements
|
||||
Handle refpolicywarn inside of define
|
||||
|
Loading…
Reference in New Issue
Block a user