sepolicy manpage:
- use nroff instead of man2html - Remove checking for name of person who created the man page - audit2allow - Fix output to show the level that is different.
This commit is contained in:
parent
3aca74a161
commit
8be0816a98
@ -34,7 +34,7 @@ index 88635d4..fc290ea 100644
|
|||||||
clean:
|
clean:
|
||||||
rm -f *~
|
rm -f *~
|
||||||
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
|
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
|
||||||
index 8e0c396..9bd66f5 100644
|
index 8e0c396..d282eee 100644
|
||||||
--- a/policycoreutils/audit2allow/audit2allow
|
--- a/policycoreutils/audit2allow/audit2allow
|
||||||
+++ b/policycoreutils/audit2allow/audit2allow
|
+++ b/policycoreutils/audit2allow/audit2allow
|
||||||
@@ -18,7 +18,7 @@
|
@@ -18,7 +18,7 @@
|
||||||
@ -65,6 +65,23 @@ index 8e0c396..9bd66f5 100644
|
|||||||
help="Translates SELinux audit messages into a description of why the access was denied")
|
help="Translates SELinux audit messages into a description of why the access was denied")
|
||||||
|
|
||||||
options, args = parser.parse_args()
|
options, args = parser.parse_args()
|
||||||
|
@@ -267,12 +268,10 @@ class AuditToPolicy:
|
||||||
|
continue
|
||||||
|
|
||||||
|
if rc == audit2why.CONSTRAINT:
|
||||||
|
- print "\t\tPolicy constraint violation.\n"
|
||||||
|
- print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
|
||||||
|
- print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
|
||||||
|
- for reason in data:
|
||||||
|
- print "\t\tNote: Possible cause is the source and target %s differ\n" % reason
|
||||||
|
- continue
|
||||||
|
+ print #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
|
||||||
|
+ print "#Constraint rule: \n\t" + data[0]
|
||||||
|
+ for reason in data[1:]:
|
||||||
|
+ print "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
|
||||||
|
|
||||||
|
if rc == audit2why.RBAC:
|
||||||
|
print "\t\tMissing role allow rule.\n"
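Review bot: The constraint-violation explanation on the first added `print` line is never emitted: the string literal has no opening quote, so Python parses `print` followed by a `#` comment and prints only an empty line (the trailing `\n"` is swallowed by the comment). Add the missing quote so the line reads `print "#!!!! This avc is a constraint violation. ... to allow this access.\n"`. The last added `print` ends its format string with `\n\b` — `\b` is a backspace, presumably `\n` was intended — and its two `%s` fields require each `reason` to be a pair, which the hunk does not show. `data[0]` is also indexed with no emptiness check, where the replaced `for reason in data` loop tolerated an empty list; if `data` can be empty here, guard it before indexing. The enclosing method continues outside the hunk.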
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
|
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
|
||||||
index a854a45..bc70938 100644
|
index a854a45..bc70938 100644
|
||||||
--- a/policycoreutils/audit2allow/audit2allow.1
|
--- a/policycoreutils/audit2allow/audit2allow.1
|
||||||
@ -396,10 +413,30 @@ index 4963cdc..a55dbed 100644
|
|||||||
.sp
|
.sp
|
||||||
.B REQUIRESEUSERS
|
.B REQUIRESEUSERS
|
||||||
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
|
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
|
||||||
index 8fbf2d0..3510f12 100644
|
index 8fbf2d0..4e59a06 100644
|
||||||
--- a/policycoreutils/newrole/newrole.c
|
--- a/policycoreutils/newrole/newrole.c
|
||||||
+++ b/policycoreutils/newrole/newrole.c
|
+++ b/policycoreutils/newrole/newrole.c
|
||||||
@@ -576,19 +576,22 @@ static int drop_capabilities(int full)
|
@@ -547,9 +547,7 @@ static int drop_capabilities(int full)
|
||||||
|
if (!uid) return 0;
|
||||||
|
|
||||||
|
capng_setpid(getpid());
|
||||||
|
- capng_clear(CAPNG_SELECT_BOTH);
|
||||||
|
- if (capng_lock() < 0)
|
||||||
|
- return -1;
|
||||||
|
+ capng_clear(CAPNG_SELECT_CAPS);
|
||||||
|
|
||||||
|
/* Change uid */
|
||||||
|
if (setresuid(uid, uid, uid)) {
|
||||||
|
@@ -558,7 +556,7 @@ static int drop_capabilities(int full)
|
||||||
|
}
|
||||||
|
if (! full)
|
||||||
|
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
|
||||||
|
- return capng_apply(CAPNG_SELECT_BOTH);
|
||||||
|
+ return capng_apply(CAPNG_SELECT_CAPS);
|
||||||
|
}
|
||||||
|
#elif defined(NAMESPACE_PRIV)
|
||||||
|
/**
|
||||||
|
@@ -576,20 +574,21 @@ static int drop_capabilities(int full)
|
||||||
*/
|
*/
|
||||||
static int drop_capabilities(int full)
|
static int drop_capabilities(int full)
|
||||||
{
|
{
|
||||||
@ -407,9 +444,10 @@ index 8fbf2d0..3510f12 100644
|
|||||||
+ if (!uid) return 0;
|
+ if (!uid) return 0;
|
||||||
+
|
+
|
||||||
capng_setpid(getpid());
|
capng_setpid(getpid());
|
||||||
capng_clear(CAPNG_SELECT_BOTH);
|
- capng_clear(CAPNG_SELECT_BOTH);
|
||||||
if (capng_lock() < 0)
|
- if (capng_lock() < 0)
|
||||||
return -1;
|
- return -1;
|
||||||
|
+ capng_clear(CAPNG_SELECT_CAPS);
|
||||||
|
|
||||||
- uid_t uid = getuid();
|
- uid_t uid = getuid();
|
||||||
/* Change uid */
|
/* Change uid */
|
||||||
@ -419,12 +457,14 @@ index 8fbf2d0..3510f12 100644
|
|||||||
}
|
}
|
||||||
if (! full)
|
if (! full)
|
||||||
- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
|
- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
|
||||||
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE, -1);
|
- return capng_apply(CAPNG_SELECT_BOTH);
|
||||||
|
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE, -1);
|
||||||
+
|
+
|
||||||
return capng_apply(CAPNG_SELECT_BOTH);
|
+ return capng_apply(CAPNG_SELECT_CAPS);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -680,7 +683,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
#else
|
||||||
|
@@ -680,7 +679,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
||||||
security_context_t * tty_context,
|
security_context_t * tty_context,
|
||||||
security_context_t * new_tty_context)
|
security_context_t * new_tty_context)
|
||||||
{
|
{
|
||||||
@ -433,7 +473,7 @@ index 8fbf2d0..3510f12 100644
|
|||||||
int enforcing = security_getenforce();
|
int enforcing = security_getenforce();
|
||||||
security_context_t tty_con = NULL;
|
security_context_t tty_con = NULL;
|
||||||
security_context_t new_tty_con = NULL;
|
security_context_t new_tty_con = NULL;
|
||||||
@@ -699,7 +702,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
@@ -699,7 +698,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
||||||
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
|
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
|
||||||
return fd;
|
return fd;
|
||||||
}
|
}
|
||||||
@ -448,7 +488,7 @@ index 8fbf2d0..3510f12 100644
|
|||||||
|
|
||||||
if (fgetfilecon(fd, &tty_con) < 0) {
|
if (fgetfilecon(fd, &tty_con) < 0) {
|
||||||
fprintf(stderr, _("%s! Could not get current context "
|
fprintf(stderr, _("%s! Could not get current context "
|
||||||
@@ -1010,9 +1019,9 @@ int main(int argc, char *argv[])
|
@@ -1010,9 +1015,9 @@ int main(int argc, char *argv[])
|
||||||
int fd;
|
int fd;
|
||||||
pid_t childPid = 0;
|
pid_t childPid = 0;
|
||||||
char *shell_argv0 = NULL;
|
char *shell_argv0 = NULL;
|
||||||
@ -459,7 +499,7 @@ index 8fbf2d0..3510f12 100644
|
|||||||
int pam_status; /* pam return code */
|
int pam_status; /* pam return code */
|
||||||
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
|
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
|
||||||
|
|
||||||
@@ -1226,15 +1235,23 @@ int main(int argc, char *argv[])
|
@@ -1226,15 +1231,23 @@ int main(int argc, char *argv[])
|
||||||
fd = open(ttyn, O_RDONLY | O_NONBLOCK);
|
fd = open(ttyn, O_RDONLY | O_NONBLOCK);
|
||||||
if (fd != 0)
|
if (fd != 0)
|
||||||
goto err_close_pam;
|
goto err_close_pam;
|
||||||
@ -486,6 +526,35 @@ index 8fbf2d0..3510f12 100644
|
|||||||
|
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
|
@@ -1268,19 +1281,24 @@ int main(int argc, char *argv[])
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if (send_audit_message(1, old_context, new_context, ttyn))
|
||||||
|
+ if (send_audit_message(1, old_context, new_context, ttyn)) {
|
||||||
|
+ fprintf(stderr, _("Failed to send audit message"));
|
||||||
|
goto err_close_pam_session;
|
||||||
|
+ }
|
||||||
|
freecon(old_context); old_context=NULL;
|
||||||
|
freecon(new_context); new_context=NULL;
|
||||||
|
|
||||||
|
#ifdef NAMESPACE_PRIV
|
||||||
|
- if (transition_to_caller_uid())
|
||||||
|
+ if (transition_to_caller_uid()) {
|
||||||
|
+ fprintf(stderr, _("Failed to transition to namespace\n"));
|
||||||
|
goto err_close_pam_session;
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
|
||||||
|
- if (drop_capabilities(TRUE))
|
||||||
|
+ if (drop_capabilities(TRUE)) {
|
||||||
|
+ fprintf(stderr, _("Failed to drop capabilities %m\n"));
|
||||||
|
goto err_close_pam_session;
|
||||||
|
-
|
||||||
|
+ }
|
||||||
|
/* Handle environment changes */
|
||||||
|
if (restore_environment(preserve_environment, old_environ, &pw)) {
|
||||||
|
fprintf(stderr, _("Unable to restore the environment, "
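Review bot: The first hunk of drop_capabilities() removes the `capng_lock()` call (which locks the securebits) and narrows both `capng_clear` and `capng_apply` from `CAPNG_SELECT_BOTH` to `CAPNG_SELECT_CAPS`, so the capability bounding set is left as inherited and the securebits are no longer locked before `setresuid()`; the hardening the old code applied is weakened with no explanation in the code or the commit message. If this is deliberate, record the reason in a comment above `capng_clear(CAPNG_SELECT_CAPS);`, e.g. `/* caps only: the bounding set and securebits are intentionally left untouched — <reason> */`; the same substitution is made in the NAMESPACE_PRIV variant later in the section. In main(), the added `fprintf(stderr, _("Failed to send audit message"));` lacks the trailing `\n` that the two sibling messages have. The added drop_capabilities failure message uses `%m`, but the visible `capng_apply` return path is not shown to set errno, so the reported error may be stale. drop_capabilities() begins outside the hunk.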
diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
|
diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
|
||||||
index d1b435c..de3582f 100644
|
index d1b435c..de3582f 100644
|
||||||
--- a/policycoreutils/newrole/newrole.pamd
|
--- a/policycoreutils/newrole/newrole.pamd
|
||||||
@ -1776,6 +1845,28 @@ index 6c30734..5e7f885 100644
|
|||||||
.B secon
|
.B secon
|
||||||
will try reading a context from stdin, if that is not a tty, otherwise
|
will try reading a context from stdin, if that is not a tty, otherwise
|
||||||
.B secon
|
.B secon
|
||||||
|
diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile
|
||||||
|
index 24d6a21..b797d83 100644
|
||||||
|
--- a/policycoreutils/semanage/Makefile
|
||||||
|
+++ b/policycoreutils/semanage/Makefile
|
||||||
|
@@ -5,7 +5,7 @@ SBINDIR ?= $(PREFIX)/sbin
|
||||||
|
MANDIR = $(PREFIX)/share/man
|
||||||
|
PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
|
||||||
|
PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
|
||||||
|
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
|
||||||
|
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
|
||||||
|
|
||||||
|
TARGETS=semanage
|
||||||
|
|
||||||
|
@@ -21,7 +21,7 @@ install: all
|
||||||
|
test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
|
||||||
|
install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
|
||||||
|
-mkdir -p $(BASHCOMPLETIONDIR)
|
||||||
|
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
|
||||||
|
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
|
||||||
|
|
||||||
|
clean:
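Review bot: The new `install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage` only works while `$(BASHCOMPLETIONS)` expands to a single file: with a non-directory destination `install` copies exactly one source and fails on more. The same pattern is introduced in policycoreutils/sepolicy/Makefile (`$(BASHCOMPLETIONDIR)/sepolicy`). Either keep the destination a directory and rename inside it, or pin the expectation with a comment above the line: `# BASHCOMPLETIONS must be a single file; it is installed under the command's name`. The `-mkdir -p $(BASHCOMPLETIONDIR)` line kept above it uses Make's ignore-error prefix, so a failed mkdir is only surfaced by the install that follows.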
diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
|
diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000..e15a877
|
index 0000000..e15a877
|
||||||
@ -2139,10 +2230,19 @@ index 62dd53e..d6e1be0 100644
|
|||||||
.SH SYNOPSIS
|
.SH SYNOPSIS
|
||||||
.B semodule_unpackage <module> [<file contexts>]
|
.B semodule_unpackage <module> [<file contexts>]
|
||||||
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
|
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
|
||||||
index 11b534f..eb86eae 100644
|
index 11b534f..ae064c4 100644
|
||||||
--- a/policycoreutils/sepolicy/Makefile
|
--- a/policycoreutils/sepolicy/Makefile
|
||||||
+++ b/policycoreutils/sepolicy/Makefile
|
+++ b/policycoreutils/sepolicy/Makefile
|
||||||
@@ -22,10 +22,14 @@ clean:
|
@@ -7,7 +7,7 @@ SBINDIR ?= $(PREFIX)/sbin
|
||||||
|
MANDIR ?= $(PREFIX)/share/man
|
||||||
|
LOCALEDIR ?= /usr/share/locale
|
||||||
|
PYTHON ?= /usr/bin/python
|
||||||
|
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
|
||||||
|
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
|
||||||
|
SHAREDIR ?= $(PREFIX)/share/sandbox
|
||||||
|
override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
|
||||||
|
|
||||||
|
@@ -22,11 +22,15 @@ clean:
|
||||||
$(PYTHON) setup.py clean
|
$(PYTHON) setup.py clean
|
||||||
-rm -rf build *~ \#* *pyc .#*
|
-rm -rf build *~ \#* *pyc .#*
|
||||||
|
|
||||||
@ -2157,6 +2257,8 @@ index 11b534f..eb86eae 100644
|
|||||||
-mkdir -p $(MANDIR)/man8
|
-mkdir -p $(MANDIR)/man8
|
||||||
install -m 644 *.8 $(MANDIR)/man8
|
install -m 644 *.8 $(MANDIR)/man8
|
||||||
-mkdir -p $(BASHCOMPLETIONDIR)
|
-mkdir -p $(BASHCOMPLETIONDIR)
|
||||||
|
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
|
||||||
|
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/sepolicy
|
||||||
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
|
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
|
||||||
index 4eca22d..eeee0ab 100644
|
index 4eca22d..eeee0ab 100644
|
||||||
--- a/policycoreutils/sepolicy/policy.c
|
--- a/policycoreutils/sepolicy/policy.c
|
||||||
@ -2200,6 +2302,39 @@ index 82fea52..29f9428 100644
|
|||||||
elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
|
elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
|
||||||
return 0
|
return 0
|
||||||
elif test "$prev" = "-p" || test "$prev" = "--path" ; then
|
elif test "$prev" = "-p" || test "$prev" = "--path" ; then
|
||||||
|
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
|
||||||
|
index fb84af6..c2fa601 100644
|
||||||
|
--- a/policycoreutils/sepolicy/sepolicy-generate.8
|
||||||
|
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
|
||||||
|
@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
|
||||||
|
.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
|
||||||
|
|
||||||
|
.SH "DESCRIPTION"
|
||||||
|
-Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
|
||||||
|
+Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files.
|
||||||
|
+
|
||||||
|
+If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files.
|
||||||
|
+
|
||||||
|
|
||||||
|
.B Type Enforcing File NAME.te
|
||||||
|
.br
|
||||||
|
This file can be used to define all the types rules for a particular domain.
|
||||||
|
|
||||||
|
+.I Note:
|
||||||
|
+Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
|
||||||
|
+
|
||||||
|
.B Interface File NAME.if
|
||||||
|
.br
|
||||||
|
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
|
||||||
|
@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
|
||||||
|
|
||||||
|
.B RPM Spec File NAME_selinux.spec
|
||||||
|
.br
|
||||||
|
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use sepolicy manpage -d NAME to generate the man page.
|
||||||
|
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage -d NAME\fP to generate the man page.
|
||||||
|
|
||||||
|
.B Shell File NAME.sh
|
||||||
|
.br
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8
|
diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8
|
||||||
index b6abdf5..c05c943 100644
|
index b6abdf5..c05c943 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy-manpage.8
|
--- a/policycoreutils/sepolicy/sepolicy-manpage.8
|
||||||
@ -2224,7 +2359,7 @@ index b6abdf5..c05c943 100644
|
|||||||
Generate an additional HTML man pages for the specified domain(s).
|
Generate an additional HTML man pages for the specified domain(s).
|
||||||
|
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
|
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
|
||||||
index b25d3b2..2bbea35 100755
|
index b25d3b2..6e71f00 100755
|
||||||
--- a/policycoreutils/sepolicy/sepolicy.py
|
--- a/policycoreutils/sepolicy/sepolicy.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy.py
|
+++ b/policycoreutils/sepolicy/sepolicy.py
|
||||||
@@ -22,6 +22,8 @@
|
@@ -22,6 +22,8 @@
|
||||||
@ -2245,8 +2380,31 @@ index b25d3b2..2bbea35 100755
|
|||||||
|
|
||||||
if isinstance(values,str):
|
if isinstance(values,str):
|
||||||
setattr(namespace, self.dest, values)
|
setattr(namespace, self.dest, values)
|
||||||
@@ -60,7 +62,7 @@ class CheckType(argparse.Action):
|
@@ -58,9 +60,30 @@ class CheckType(argparse.Action):
|
||||||
|
newval.append(v)
|
||||||
|
setattr(namespace, self.dest, newval)
|
||||||
|
|
||||||
|
+class CheckBoolean(argparse.Action):
|
||||||
|
+ def __call__(self, parser, namespace, values, option_string=None):
|
||||||
|
+ booleans = sepolicy.get_all_booleans()
|
||||||
|
+ newval = getattr(namespace, self.dest)
|
||||||
|
+ if not newval:
|
||||||
|
+ newval = []
|
||||||
|
+
|
||||||
|
+ if isinstance(values,str):
|
||||||
|
+ v = selinux.selinux_boolean_sub(values)
|
||||||
|
+ if v not in booleans:
|
||||||
|
+ raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(booleans)))
|
||||||
|
+ newval.append(v)
|
||||||
|
+ setattr(namespace, self.dest, newval)
|
||||||
|
+ else:
|
||||||
|
+ for value in values:
|
||||||
|
+ v = selinux.selinux_boolean_sub(value)
|
||||||
|
+ if v not in booleans:
|
||||||
|
+ raise ValueError("%s must be an SELinux boolean:\nValid boolean: %s" % (v, ", ".join(booleans)))
|
||||||
|
+ newval.append(v)
|
||||||
|
+ setattr(namespace, self.dest, newval)
|
||||||
|
+
|
||||||
class CheckDomain(argparse.Action):
|
class CheckDomain(argparse.Action):
|
||||||
def __call__(self, parser, namespace, values, option_string=None):
|
def __call__(self, parser, namespace, values, option_string=None):
|
||||||
- from sepolicy.network import domains
|
- from sepolicy.network import domains
|
||||||
@ -2254,7 +2412,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
|
|
||||||
if isinstance(values,str):
|
if isinstance(values,str):
|
||||||
if values not in domains:
|
if values not in domains:
|
||||||
@@ -80,7 +82,6 @@ class CheckDomain(argparse.Action):
|
@@ -80,7 +103,6 @@ class CheckDomain(argparse.Action):
|
||||||
all_classes = None
|
all_classes = None
|
||||||
class CheckClass(argparse.Action):
|
class CheckClass(argparse.Action):
|
||||||
def __call__(self, parser, namespace, values, option_string=None):
|
def __call__(self, parser, namespace, values, option_string=None):
|
||||||
@ -2262,7 +2420,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
global all_classes
|
global all_classes
|
||||||
if not all_classes:
|
if not all_classes:
|
||||||
all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
|
all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
|
||||||
@@ -114,7 +115,7 @@ class CheckPort(argparse.Action):
|
@@ -114,7 +136,7 @@ class CheckPort(argparse.Action):
|
||||||
|
|
||||||
class CheckPortType(argparse.Action):
|
class CheckPortType(argparse.Action):
|
||||||
def __call__(self, parser, namespace, values, option_string=None):
|
def __call__(self, parser, namespace, values, option_string=None):
|
||||||
@ -2271,7 +2429,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
newval = getattr(namespace, self.dest)
|
newval = getattr(namespace, self.dest)
|
||||||
if not newval:
|
if not newval:
|
||||||
newval = []
|
newval = []
|
||||||
@@ -140,19 +141,18 @@ class CheckPolicyType(argparse.Action):
|
@@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action):
|
||||||
|
|
||||||
class CheckUser(argparse.Action):
|
class CheckUser(argparse.Action):
|
||||||
def __call__(self, parser, namespace, value, option_string=None):
|
def __call__(self, parser, namespace, value, option_string=None):
|
||||||
@ -2294,7 +2452,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
if len(portdict) > 0:
|
if len(portdict) > 0:
|
||||||
print "%s: %s %s" % (src, protocol, perm)
|
print "%s: %s %s" % (src, protocol, perm)
|
||||||
for p in portdict:
|
for p in portdict:
|
||||||
@@ -160,7 +160,7 @@ def _print_net(src, protocol, perm):
|
@@ -160,7 +181,7 @@ def _print_net(src, protocol, perm):
|
||||||
print "\t" + recs
|
print "\t" + recs
|
||||||
|
|
||||||
def network(args):
|
def network(args):
|
||||||
@ -2303,7 +2461,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
if args.list_ports:
|
if args.list_ports:
|
||||||
all_ports = []
|
all_ports = []
|
||||||
for i in portrecs:
|
for i in portrecs:
|
||||||
@@ -201,41 +201,41 @@ def manpage(args):
|
@@ -201,41 +222,41 @@ def manpage(args):
|
||||||
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
|
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
|
||||||
|
|
||||||
path = args.path
|
path = args.path
|
||||||
@ -2368,7 +2526,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
|
|
||||||
def gen_network_args(parser):
|
def gen_network_args(parser):
|
||||||
net = parser.add_parser("network",
|
net = parser.add_parser("network",
|
||||||
@@ -283,7 +283,6 @@ def gen_communicate_args(parser):
|
@@ -283,7 +304,6 @@ def gen_communicate_args(parser):
|
||||||
comm.set_defaults(func=communicate)
|
comm.set_defaults(func=communicate)
|
||||||
|
|
||||||
def booleans(args):
|
def booleans(args):
|
||||||
@ -2376,7 +2534,15 @@ index b25d3b2..2bbea35 100755
|
|||||||
from sepolicy import boolean_desc
|
from sepolicy import boolean_desc
|
||||||
if args.all:
|
if args.all:
|
||||||
rc, args.booleans = selinux.security_get_boolean_names()
|
rc, args.booleans = selinux.security_get_boolean_names()
|
||||||
@@ -320,7 +319,7 @@ def gen_transition_args(parser):
|
@@ -300,6 +320,7 @@ def gen_booleans_args(parser):
|
||||||
|
action="store_true",
|
||||||
|
help=_("get all booleans descriptions"))
|
||||||
|
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
|
||||||
|
+ action=CheckBoolean, required=False,
|
||||||
|
help=_("boolean to get description"))
|
||||||
|
bools.set_defaults(func=booleans)
|
||||||
|
|
||||||
|
@@ -320,7 +341,7 @@ def gen_transition_args(parser):
|
||||||
trans.set_defaults(func=transition)
|
trans.set_defaults(func=transition)
|
||||||
|
|
||||||
def interface(args):
|
def interface(args):
|
||||||
@ -2385,7 +2551,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
if args.list_admin:
|
if args.list_admin:
|
||||||
for a in get_admin():
|
for a in get_admin():
|
||||||
print a
|
print a
|
||||||
@@ -328,7 +327,7 @@ def interface(args):
|
@@ -328,7 +349,7 @@ def interface(args):
|
||||||
for a in get_user():
|
for a in get_user():
|
||||||
print a
|
print a
|
||||||
if args.list:
|
if args.list:
|
||||||
@ -2394,7 +2560,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
print m
|
print m
|
||||||
|
|
||||||
def generate(args):
|
def generate(args):
|
||||||
@@ -368,10 +367,10 @@ def gen_interface_args(parser):
|
@@ -368,10 +389,10 @@ def gen_interface_args(parser):
|
||||||
help=_('List SELinux Policy interfaces'))
|
help=_('List SELinux Policy interfaces'))
|
||||||
group = itf.add_mutually_exclusive_group(required=True)
|
group = itf.add_mutually_exclusive_group(required=True)
|
||||||
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
|
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
|
||||||
@ -2407,7 +2573,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
group.add_argument("-l", "--list", dest="list",action="store_true",
|
group.add_argument("-l", "--list", dest="list",action="store_true",
|
||||||
default=False,
|
default=False,
|
||||||
help="List all interfaces")
|
help="List all interfaces")
|
||||||
@@ -461,7 +460,10 @@ if __name__ == '__main__':
|
@@ -461,7 +482,10 @@ if __name__ == '__main__':
|
||||||
gen_transition_args(subparsers)
|
gen_transition_args(subparsers)
|
||||||
|
|
||||||
try:
|
try:
|
||||||
@ -2420,7 +2586,7 @@ index b25d3b2..2bbea35 100755
|
|||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
except ValueError,e:
|
except ValueError,e:
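Review bot: In the new `CheckBoolean` action the single-value branch raises `ValueError("%s must be an SELinux process domain:\nValid domains: %s" ...)`, a leftover from CheckDomain, while the list branch correctly says "must be an SELinux boolean"; a user passing one bad `-b` value is told about domains. Change it to `raise ValueError("%s must be an SELinux boolean:\nValid boolean: %s" % (v, ", ".join(booleans)))`. The two branches are otherwise identical apart from the loop, so normalising a string `values` to `[values]` and keeping a single loop would remove the duplication that let the messages diverge. A one-line docstring on the class, e.g. "argparse action: resolve boolean aliases via selinux_boolean_sub and reject names not present in the policy", would also document why the substitution call is there.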
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
index 5e7415c..35c3758 100644
|
index 5e7415c..5267ed9 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
|
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
|
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
|
||||||
@@ -7,6 +7,9 @@ import _policy
|
@@ -7,6 +7,9 @@ import _policy
|
||||||
@ -2552,7 +2718,7 @@ index 5e7415c..35c3758 100644
|
|||||||
return all_domains
|
return all_domains
|
||||||
|
|
||||||
roles = None
|
roles = None
|
||||||
@@ -139,49 +215,42 @@ def get_all_attributes():
|
@@ -139,48 +215,48 @@ def get_all_attributes():
|
||||||
return all_attributes
|
return all_attributes
|
||||||
|
|
||||||
def policy(policy_file):
|
def policy(policy_file):
|
||||||
@ -2617,10 +2783,15 @@ index 5e7415c..35c3758 100644
|
|||||||
-def info(setype, name=None):
|
-def info(setype, name=None):
|
||||||
- dict_list = _policy.info(setype, name)
|
- dict_list = _policy.info(setype, name)
|
||||||
- return dict_list
|
- return dict_list
|
||||||
-
|
+booleans = None
|
||||||
|
+def get_all_booleans():
|
||||||
|
+ global booleans
|
||||||
|
+ if not booleans:
|
||||||
|
+ booleans = selinux.security_get_boolean_names()[1]
|
||||||
|
+ return booleans
|
||||||
|
|
||||||
booleans_dict = None
|
booleans_dict = None
|
||||||
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||||
global booleans_dict
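Review bot: The new `get_all_booleans()` takes `selinux.security_get_boolean_names()[1]` and discards element 0, which `booleans()` in sepolicy.py unpacks as `rc`; a failed call is never reported, and whatever element 1 holds on failure is either cached for the rest of the process (if truthy) or re-queried on every call (if not). Check the status before caching, e.g. `rc, names = selinux.security_get_boolean_names()` followed by `if rc != 0: raise ValueError("could not read boolean names")` and `booleans = names`, assuming non-zero signals failure as in the C API. A short docstring saying the list is cached for the life of the process would tell callers such as CheckBoolean that booleans added at runtime will not appear. The hunk does not show where `selinux` is imported in this file; confirm it is in scope.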
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
index 26f8390..898ec43 100644
|
index 26f8390..898ec43 100644
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/generate.py
|
--- a/policycoreutils/sepolicy/sepolicy/generate.py
|
||||||
@ -2726,10 +2897,10 @@ index 8b063ca..c9036c3 100644
|
|||||||
trans_list.append(m[0])
|
trans_list.append(m[0])
|
||||||
return trans_list
|
return trans_list
|
||||||
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
|
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
|
||||||
index 25062da..b3c24e6 100755
|
index 25062da..f184b0c 100755
|
||||||
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
|
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
|
||||||
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
|
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
|
||||||
@@ -28,7 +28,7 @@ import string
|
@@ -28,12 +28,12 @@ import string
|
||||||
import argparse
|
import argparse
|
||||||
import selinux
|
import selinux
|
||||||
import sepolicy
|
import sepolicy
|
||||||
@ -2738,7 +2909,32 @@ index 25062da..b3c24e6 100755
|
|||||||
|
|
||||||
import commands
|
import commands
|
||||||
import sys, os, re, time
|
import sys, os, re, time
|
||||||
@@ -416,40 +416,33 @@ class ManPage:
|
|
||||||
|
-equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
|
||||||
|
+equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
|
||||||
|
|
||||||
|
equiv_dirs=[ "/var" ]
|
||||||
|
modules_dict = None
|
||||||
|
@@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list):
|
||||||
|
return alphabet_manpages
|
||||||
|
|
||||||
|
def convert_manpage_to_html(html_manpage,manpage):
|
||||||
|
- fd = open(html_manpage,'w')
|
||||||
|
- rc, output = commands.getstatusoutput("man2html -r %s" % manpage)
|
||||||
|
+ rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
|
||||||
|
if rc == 0:
|
||||||
|
+ print html_manpage, " has been created"
|
||||||
|
+ fd = open(html_manpage,'w')
|
||||||
|
fd.write(output)
|
||||||
|
- else:
|
||||||
|
- fd.write("Man page does not exist")
|
||||||
|
-
|
||||||
|
- fd.close()
|
||||||
|
+ fd.close()
|
||||||
|
|
||||||
|
class HTMLManPages:
|
||||||
|
"""
|
||||||
|
@@ -416,40 +414,33 @@ class ManPage:
|
||||||
"""
|
"""
|
||||||
Generate a Manpage on an SELinux domain in the specified path
|
Generate a Manpage on an SELinux domain in the specified path
|
||||||
"""
|
"""
|
||||||
@ -2797,7 +2993,110 @@ index 25062da..b3c24e6 100755
|
|||||||
self.booleans_dict = gen_bool_dict(self.xmlpath)
|
self.booleans_dict = gen_bool_dict(self.xmlpath)
|
||||||
|
|
||||||
if domainname.endswith("_t"):
|
if domainname.endswith("_t"):
|
||||||
@@ -947,13 +940,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
|
@@ -459,7 +450,10 @@ class ManPage:
|
||||||
|
|
||||||
|
if self.domainname + "_t" not in self.all_domains:
|
||||||
|
raise ValueError("domain %s_t does not exist" % self.domainname)
|
||||||
|
- self.short_name = self.domainname
|
||||||
|
+ if self.domainname[-1]=='d':
|
||||||
|
+ self.short_name = self.domainname[:-1] + "_"
|
||||||
|
+ else:
|
||||||
|
+ self.short_name = self.domainname + "_"
|
||||||
|
|
||||||
|
self.type = self.domainname + "_t"
|
||||||
|
self._gen_bools()
|
||||||
|
@@ -483,16 +477,23 @@ class ManPage:
|
||||||
|
def _gen_bools(self):
|
||||||
|
self.bools=[]
|
||||||
|
self.domainbools=[]
|
||||||
|
- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : self.type }))):
|
||||||
|
- for b in i:
|
||||||
|
- if not isinstance(b,tuple):
|
||||||
|
- continue
|
||||||
|
- if b[0].startswith(self.short_name):
|
||||||
|
- if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
|
||||||
|
- self.domainbools.append(b)
|
||||||
|
- else:
|
||||||
|
- if b not in self.bools and (b[0], not b[1]) not in self.bools:
|
||||||
|
- self.bools.append(b)
|
||||||
|
+ types = [self.type]
|
||||||
|
+ if self.domainname in equiv_dict:
|
||||||
|
+ for t in equiv_dict[self.domainname]:
|
||||||
|
+ if t + "_t" in self.all_domains:
|
||||||
|
+ types.append(t+"_t")
|
||||||
|
+
|
||||||
|
+ for t in types:
|
||||||
|
+ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : t }))):
|
||||||
|
+ for b in i:
|
||||||
|
+ if not isinstance(b,tuple):
|
||||||
|
+ continue
|
||||||
|
+ if b[0].startswith(self.short_name) or b[0].startswith(self.domainname):
|
||||||
|
+ if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
|
||||||
|
+ self.domainbools.append(b)
|
||||||
|
+ else:
|
||||||
|
+ if b not in self.bools and (b[0], not b[1]) not in self.bools:
|
||||||
|
+ self.bools.append(b)
|
||||||
|
|
||||||
|
self.bools.sort()
|
||||||
|
self.domainbools.sort()
|
||||||
|
@@ -538,9 +539,6 @@ class ManPage:
|
||||||
|
print path
|
||||||
|
|
||||||
|
def __gen_man_page(self):
|
||||||
|
- if self.domainname[-1]=='d':
|
||||||
|
- self.short_name = self.domainname[:-1]
|
||||||
|
-
|
||||||
|
self.anon_list = []
|
||||||
|
|
||||||
|
self.attributes = {}
|
||||||
|
@@ -563,19 +561,8 @@ class ManPage:
|
||||||
|
|
||||||
|
def _get_ptypes(self):
|
||||||
|
for f in self.all_domains:
|
||||||
|
- if f.startswith(self.short_name):
|
||||||
|
- self.ptypes.append(f)
|
||||||
|
-
|
||||||
|
- def __whoami(self):
|
||||||
|
- import pwd
|
||||||
|
- fd = open("/proc/self/loginuid", "r")
|
||||||
|
- uid = int(fd.read())
|
||||||
|
- fd.close()
|
||||||
|
- pw = pwd.getpwuid(uid)
|
||||||
|
- if len(pw.pw_gecos) > 0:
|
||||||
|
- return pw.pw_gecos
|
||||||
|
- else:
|
||||||
|
- return pw.pw_name
|
||||||
|
+ if f.startswith(self.short_name) or f.startswith(self.domainname):
|
||||||
|
+ self.ptypes.append(f)
|
||||||
|
|
||||||
|
def _header(self):
|
||||||
|
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy documentation for %(domainname)s"'
|
||||||
|
@@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
|
||||||
|
def _port_types(self):
|
||||||
|
self.ports = []
|
||||||
|
for f in self.all_port_types:
|
||||||
|
- if f.startswith(self.short_name):
|
||||||
|
+ if f.startswith(self.short_name) or f.startswith(self.domainname):
|
||||||
|
self.ports.append(f)
|
||||||
|
|
||||||
|
if len(self.ports) == 0:
|
||||||
|
@@ -923,13 +910,12 @@ to apply the labels.
|
||||||
|
|
||||||
|
def _see_also(self):
|
||||||
|
ret = ""
|
||||||
|
- prefix = self.short_name.split("_")[0]
|
||||||
|
for d in self.domains:
|
||||||
|
if d == self.domainname:
|
||||||
|
continue
|
||||||
|
- if d.startswith(prefix):
|
||||||
|
+ if d.startswith(self.short_name):
|
||||||
|
ret += ", %s_selinux(8)" % d
|
||||||
|
- if self.domainname.startswith(d):
|
||||||
|
+ if d.startswith(self.domainname + "_"):
|
||||||
|
ret += ", %s_selinux(8)" % d
|
||||||
|
self.fd.write(ret)
|
||||||
|
|
||||||
|
@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
|
||||||
.B restorecon -F -R -v /var/%(domainname)s
|
.B restorecon -F -R -v /var/%(domainname)s
|
||||||
.pp
|
.pp
|
||||||
.TP
|
.TP
|
||||||
@ -2814,7 +3113,22 @@ index 25062da..b3c24e6 100755
|
|||||||
""" % {'domainname':self.domainname})
|
""" % {'domainname':self.domainname})
|
||||||
for b in self.anon_list:
|
for b in self.anon_list:
|
||||||
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
|
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
|
||||||
@@ -1230,6 +1224,7 @@ The SELinux user %s_u is not able to terminal login.
|
@@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings.
|
||||||
|
|
||||||
|
.SH AUTHOR
|
||||||
|
This manual page was auto-generated using
|
||||||
|
-.B "sepolicy manpage"
|
||||||
|
-by %s.
|
||||||
|
+.B "sepolicy manpage".
|
||||||
|
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
|
||||||
|
-""" % (self.__whoami(), self.domainname))
|
||||||
|
+""" % (self.domainname))
|
||||||
|
|
||||||
|
if self.booltext != "":
|
||||||
|
self.fd.write(", setsebool(8)")
|
||||||
|
@@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login.
|
||||||
""" % self.domainname)
|
""" % self.domainname)
|
||||||
|
|
||||||
def _network(self):
|
def _network(self):
|
||||||
@ -3058,3 +3372,25 @@ index b11e49f..ac1c39a 100644
|
|||||||
- exit(errors);
|
- exit(errors);
|
||||||
+ exit(errors ? -1: 0);
|
+ exit(errors ? -1: 0);
|
||||||
}
|
}
|
||||||
|
diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
|
||||||
|
index a6addc5..45d6538 100644
|
||||||
|
--- a/policycoreutils/setsebool/Makefile
|
||||||
|
+++ b/policycoreutils/setsebool/Makefile
|
||||||
|
@@ -4,7 +4,7 @@ INCLUDEDIR ?= $(PREFIX)/include
|
||||||
|
SBINDIR ?= $(PREFIX)/sbin
|
||||||
|
MANDIR = $(PREFIX)/share/man
|
||||||
|
LIBDIR ?= $(PREFIX)/lib
|
||||||
|
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
|
||||||
|
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
|
||||||
|
|
||||||
|
CFLAGS ?= -Werror -Wall -W
|
||||||
|
override CFLAGS += -I$(INCLUDEDIR)
|
||||||
|
@@ -23,7 +23,7 @@ install: all
|
||||||
|
-mkdir -p $(MANDIR)/man8
|
||||||
|
install -m 644 setsebool.8 $(MANDIR)/man8/
|
||||||
|
-mkdir -p $(BASHCOMPLETIONDIR)
|
||||||
|
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
|
||||||
|
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/setsebool
|
||||||
|
|
||||||
|
relabel:
|
||||||
|
|
||||||
|
@ -1,13 +1,41 @@
|
|||||||
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
|
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
|
||||||
index d636091..9ca35a7 100644
|
index d636091..56919be 100644
|
||||||
--- a/sepolgen/src/sepolgen/audit.py
|
--- a/sepolgen/src/sepolgen/audit.py
|
||||||
+++ b/sepolgen/src/sepolgen/audit.py
|
+++ b/sepolgen/src/sepolgen/audit.py
|
||||||
@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage):
|
@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
|
||||||
raise ValueError("Error during access vector computation")
|
raise ValueError("Error during access vector computation")
|
||||||
|
|
||||||
if self.type == audit2why.CONSTRAINT:
|
if self.type == audit2why.CONSTRAINT:
|
||||||
- self.data = []
|
- self.data = []
|
||||||
+ self.data = [ self.data ]
|
+ self.data = [ self.data ]
|
||||||
if self.scontext.user != self.tcontext.user:
|
if self.scontext.user != self.tcontext.user:
|
||||||
self.data.append("user")
|
- self.data.append("user")
|
||||||
|
+ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
|
||||||
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
|
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
|
||||||
|
- self.data.append("role")
|
||||||
|
+ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
|
||||||
|
if self.scontext.level != self.tcontext.level:
|
||||||
|
- self.data.append("level")
|
||||||
|
+ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
|
||||||
|
|
||||||
|
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
|
||||||
|
|
||||||
|
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
|
||||||
|
index cc9f8ea..24062a1 100644
|
||||||
|
--- a/sepolgen/src/sepolgen/policygen.py
|
||||||
|
+++ b/sepolgen/src/sepolgen/policygen.py
|
||||||
|
@@ -172,10 +172,10 @@ class PolicyGenerator:
|
||||||
|
rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
|
||||||
|
|
||||||
|
if av.type == audit2why.CONSTRAINT:
|
||||||
|
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||||
|
- rule.comment += "#Constraint rule: "
|
||||||
|
- for reason in av.data:
|
||||||
|
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
|
||||||
|
+ rule.comment += "#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
|
||||||
|
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
|
||||||
|
+ for reason in av.data[1:]:
|
||||||
|
+ rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
|
||||||
|
|
||||||
|
try:
|
||||||
|
if ( av.type == audit2why.TERULE and
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.1.14
|
Version: 2.1.14
|
||||||
Release: 19%{?dist}
|
Release: 23%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -129,10 +129,9 @@ an SELinux environment.
|
|||||||
%{_mandir}/man8/sepolicy*.8*
|
%{_mandir}/man8/sepolicy*.8*
|
||||||
%{_mandir}/man8/sepolgen.8*
|
%{_mandir}/man8/sepolgen.8*
|
||||||
%{_mandir}/ru/man8/semanage.8*
|
%{_mandir}/ru/man8/semanage.8*
|
||||||
%dir %{_sysconfdir}/bash_completion.d
|
%{_usr}/share/bash-completion/completions/semanage
|
||||||
%{_sysconfdir}/bash_completion.d/semanage-bash-completion.sh
|
%{_usr}/share/bash-completion/completions/setsebool
|
||||||
%{_sysconfdir}/bash_completion.d/sepolicy-bash-completion.sh
|
%{_usr}/share/bash-completion/completions/sepolicy
|
||||||
%{_sysconfdir}/bash_completion.d/setsebool-bash-completion.sh
|
|
||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: SELinux policy core policy devel utilities
|
Summary: SELinux policy core policy devel utilities
|
||||||
@ -310,6 +309,27 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-23
|
||||||
|
- sepolicy manpage:
|
||||||
|
- use nroff instead of man2html
|
||||||
|
- Remove checking for name of person who created the man page
|
||||||
|
- audit2allow
|
||||||
|
- Fix output to show the level that is different.
|
||||||
|
|
||||||
|
* Thu Mar 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-22
|
||||||
|
- Fix newrole to not drop capabilities from the bounding set.
|
||||||
|
- Stop dropping capabilities from its children.
|
||||||
|
- Add better error messages.
|
||||||
|
- Change location of bash_completion files to /usr/share/bash-completion/compl
|
||||||
|
|
||||||
|
* Mon Mar 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-21
|
||||||
|
- sepolicy generate should look for booleans that effect equivalence names, and add them to the man page
|
||||||
|
|
||||||
|
* Thu Mar 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-20
|
||||||
|
- Mention creation of permissive domains in sepolicy generate man page
|
||||||
|
- Change sepolicy manpage to use shortname with an "_" to stop accidently grabbing unrelated types for a domain.
|
||||||
|
- Fix audit2allow to show better information on constraint violations.
|
||||||
|
|
||||||
* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-19
|
* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-19
|
||||||
- Have restorecon exit -1 on errors for consistancy.
|
- Have restorecon exit -1 on errors for consistancy.
|
||||||
|
|
||||||
|
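Review bot: No `%dir` entry for `%{_usr}/share/bash-completion/completions` accompanies the three new file entries in the `%files` hunk, while the `%dir %{_sysconfdir}/bash_completion.d` line they replace is dropped, so the new directory is left unowned by this package unless it is presumed to come from the bash-completion package, which the visible lines do not declare as a dependency. If that dependency is not declared elsewhere in the spec, add `%dir %{_usr}/share/bash-completion/completions` beside the new entries or a `Requires: bash-completion`. The changelog entry for 2.1.14-23 otherwise matches the commit description.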