sepolicy manpage:

-   use nroff instead of man2html
-   Remove checking for name of person who created the man page
- audit2allow
-   Fix output to show the level that is different.
Dan Walsh 2013-03-19 16:58:35 -04:00
parent 3aca74a161
commit 8be0816a98
3 changed files with 427 additions and 43 deletions


@ -34,7 +34,7 @@ index 88635d4..fc290ea 100644
clean: clean:
rm -f *~ rm -f *~
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 8e0c396..9bd66f5 100644 index 8e0c396..d282eee 100644
--- a/policycoreutils/audit2allow/audit2allow --- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow
@@ -18,7 +18,7 @@ @@ -18,7 +18,7 @@
@ -65,6 +65,23 @@ index 8e0c396..9bd66f5 100644
help="Translates SELinux audit messages into a description of why the access was denied") help="Translates SELinux audit messages into a description of why the access was denied")
options, args = parser.parse_args() options, args = parser.parse_args()
@@ -267,12 +268,10 @@ class AuditToPolicy:
continue
if rc == audit2why.CONSTRAINT:
- print "\t\tPolicy constraint violation.\n"
- print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
- print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
- for reason in data:
- print "\t\tNote: Possible cause is the source and target %s differ\n" % reason
- continue
+ print #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ print "#Constraint rule: \n\t" + data[0]
+ for reason in data[1:]:
+ print "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
if rc == audit2why.RBAC:
print "\t\tMissing role allow rule.\n"
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index a854a45..bc70938 100644 index a854a45..bc70938 100644
--- a/policycoreutils/audit2allow/audit2allow.1 --- a/policycoreutils/audit2allow/audit2allow.1
@ -396,10 +413,30 @@ index 4963cdc..a55dbed 100644
.sp .sp
.B REQUIRESEUSERS .B REQUIRESEUSERS
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 8fbf2d0..3510f12 100644 index 8fbf2d0..4e59a06 100644
--- a/policycoreutils/newrole/newrole.c --- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c +++ b/policycoreutils/newrole/newrole.c
@@ -576,19 +576,22 @@ static int drop_capabilities(int full) @@ -547,9 +547,7 @@ static int drop_capabilities(int full)
if (!uid) return 0;
capng_setpid(getpid());
- capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() < 0)
- return -1;
+ capng_clear(CAPNG_SELECT_CAPS);
/* Change uid */
if (setresuid(uid, uid, uid)) {
@@ -558,7 +556,7 @@ static int drop_capabilities(int full)
}
if (! full)
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
- return capng_apply(CAPNG_SELECT_BOTH);
+ return capng_apply(CAPNG_SELECT_CAPS);
}
#elif defined(NAMESPACE_PRIV)
/**
@@ -576,20 +574,21 @@ static int drop_capabilities(int full)
*/ */
static int drop_capabilities(int full) static int drop_capabilities(int full)
{ {
@ -407,9 +444,10 @@ index 8fbf2d0..3510f12 100644
+ if (!uid) return 0; + if (!uid) return 0;
+ +
capng_setpid(getpid()); capng_setpid(getpid());
capng_clear(CAPNG_SELECT_BOTH); - capng_clear(CAPNG_SELECT_BOTH);
if (capng_lock() < 0) - if (capng_lock() < 0)
return -1; - return -1;
+ capng_clear(CAPNG_SELECT_CAPS);
- uid_t uid = getuid(); - uid_t uid = getuid();
/* Change uid */ /* Change uid */
@ -419,12 +457,14 @@ index 8fbf2d0..3510f12 100644
} }
if (! full) if (! full)
- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1); - capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE, -1); - return capng_apply(CAPNG_SELECT_BOTH);
+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE, -1);
+ +
return capng_apply(CAPNG_SELECT_BOTH); + return capng_apply(CAPNG_SELECT_CAPS);
} }
@@ -680,7 +683,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, #else
@@ -680,7 +679,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
security_context_t * tty_context, security_context_t * tty_context,
security_context_t * new_tty_context) security_context_t * new_tty_context)
{ {
@ -433,7 +473,7 @@ index 8fbf2d0..3510f12 100644
int enforcing = security_getenforce(); int enforcing = security_getenforce();
security_context_t tty_con = NULL; security_context_t tty_con = NULL;
security_context_t new_tty_con = NULL; security_context_t new_tty_con = NULL;
@@ -699,7 +702,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, @@ -699,7 +698,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
return fd; return fd;
} }
@ -448,7 +488,7 @@ index 8fbf2d0..3510f12 100644
if (fgetfilecon(fd, &tty_con) < 0) { if (fgetfilecon(fd, &tty_con) < 0) {
fprintf(stderr, _("%s! Could not get current context " fprintf(stderr, _("%s! Could not get current context "
@@ -1010,9 +1019,9 @@ int main(int argc, char *argv[]) @@ -1010,9 +1015,9 @@ int main(int argc, char *argv[])
int fd; int fd;
pid_t childPid = 0; pid_t childPid = 0;
char *shell_argv0 = NULL; char *shell_argv0 = NULL;
@ -459,7 +499,7 @@ index 8fbf2d0..3510f12 100644
int pam_status; /* pam return code */ int pam_status; /* pam return code */
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
@@ -1226,15 +1235,23 @@ int main(int argc, char *argv[]) @@ -1226,15 +1231,23 @@ int main(int argc, char *argv[])
fd = open(ttyn, O_RDONLY | O_NONBLOCK); fd = open(ttyn, O_RDONLY | O_NONBLOCK);
if (fd != 0) if (fd != 0)
goto err_close_pam; goto err_close_pam;
@ -486,6 +526,35 @@ index 8fbf2d0..3510f12 100644
} }
/* /*
@@ -1268,19 +1281,24 @@ int main(int argc, char *argv[])
}
#endif
- if (send_audit_message(1, old_context, new_context, ttyn))
+ if (send_audit_message(1, old_context, new_context, ttyn)) {
+ fprintf(stderr, _("Failed to send audit message"));
goto err_close_pam_session;
+ }
freecon(old_context); old_context=NULL;
freecon(new_context); new_context=NULL;
#ifdef NAMESPACE_PRIV
- if (transition_to_caller_uid())
+ if (transition_to_caller_uid()) {
+ fprintf(stderr, _("Failed to transition to namespace\n"));
goto err_close_pam_session;
+ }
#endif
- if (drop_capabilities(TRUE))
+ if (drop_capabilities(TRUE)) {
+ fprintf(stderr, _("Failed to drop capabilities %m\n"));
goto err_close_pam_session;
-
+ }
/* Handle environment changes */
if (restore_environment(preserve_environment, old_environ, &pw)) {
fprintf(stderr, _("Unable to restore the environment, "
diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
index d1b435c..de3582f 100644 index d1b435c..de3582f 100644
--- a/policycoreutils/newrole/newrole.pamd --- a/policycoreutils/newrole/newrole.pamd
@ -1776,6 +1845,28 @@ index 6c30734..5e7f885 100644
.B secon .B secon
will try reading a context from stdin, if that is not a tty, otherwise will try reading a context from stdin, if that is not a tty, otherwise
.B secon .B secon
diff --git a/policycoreutils/semanage/Makefile b/policycoreutils/semanage/Makefile
index 24d6a21..b797d83 100644
--- a/policycoreutils/semanage/Makefile
+++ b/policycoreutils/semanage/Makefile
@@ -5,7 +5,7 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
PYLIBVER ?= $(shell python -c 'import sys;print "python%d.%d" % sys.version_info[0:2]')
PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
TARGETS=semanage
@@ -21,7 +21,7 @@ install: all
test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
install -m 755 seobject.py $(PYTHONLIBDIR)/site-packages
-mkdir -p $(BASHCOMPLETIONDIR)
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/semanage
clean:
diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
new file mode 100644 new file mode 100644
index 0000000..e15a877 index 0000000..e15a877
@ -2139,10 +2230,19 @@ index 62dd53e..d6e1be0 100644
.SH SYNOPSIS .SH SYNOPSIS
.B semodule_unpackage <module> [<file contexts>] .B semodule_unpackage <module> [<file contexts>]
diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
index 11b534f..eb86eae 100644 index 11b534f..ae064c4 100644
--- a/policycoreutils/sepolicy/Makefile --- a/policycoreutils/sepolicy/Makefile
+++ b/policycoreutils/sepolicy/Makefile +++ b/policycoreutils/sepolicy/Makefile
@@ -22,10 +22,14 @@ clean: @@ -7,7 +7,7 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
PYTHON ?= /usr/bin/python
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
SHAREDIR ?= $(PREFIX)/share/sandbox
override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W -DSHARED -shared
@@ -22,11 +22,15 @@ clean:
$(PYTHON) setup.py clean $(PYTHON) setup.py clean
-rm -rf build *~ \#* *pyc .#* -rm -rf build *~ \#* *pyc .#*
@ -2157,6 +2257,8 @@ index 11b534f..eb86eae 100644
-mkdir -p $(MANDIR)/man8 -mkdir -p $(MANDIR)/man8
install -m 644 *.8 $(MANDIR)/man8 install -m 644 *.8 $(MANDIR)/man8
-mkdir -p $(BASHCOMPLETIONDIR) -mkdir -p $(BASHCOMPLETIONDIR)
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/sepolicy
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
index 4eca22d..eeee0ab 100644 index 4eca22d..eeee0ab 100644
--- a/policycoreutils/sepolicy/policy.c --- a/policycoreutils/sepolicy/policy.c
@ -2200,6 +2302,39 @@ index 82fea52..29f9428 100644
elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
return 0 return 0
elif test "$prev" = "-p" || test "$prev" = "--path" ; then elif test "$prev" = "-p" || test "$prev" = "--path" ; then
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index fb84af6..c2fa601 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8
+++ b/policycoreutils/sepolicy/sepolicy-generate.8
@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
.SH "DESCRIPTION"
-Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
+Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files.
+
+If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files.
+
.B Type Enforcing File NAME.te
.br
This file can be used to define all the types rules for a particular domain.
+.I Note:
+Policy generated by \fBsepolicy generate\fP will automatically add a permissive DOMAIN to your te file. When you are satisfied that your policy works, you need to remove the permissive line from the te file to run your domain in enforcing mode.
+
.B Interface File NAME.if
.br
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
.B RPM Spec File NAME_selinux.spec
.br
-This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use sepolicy manpage -d NAME to generate the man page.
+This file is an RPM SPEC file that can be used to install the SELinux policy on to machines and setup the labeling. The spec file also installs the interface file and a man page describing the policy. You can use \fBsepolicy manpage -d NAME\fP to generate the man page.
.B Shell File NAME.sh
.br
diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8 diff --git a/policycoreutils/sepolicy/sepolicy-manpage.8 b/policycoreutils/sepolicy/sepolicy-manpage.8
index b6abdf5..c05c943 100644 index b6abdf5..c05c943 100644
--- a/policycoreutils/sepolicy/sepolicy-manpage.8 --- a/policycoreutils/sepolicy/sepolicy-manpage.8
@ -2224,7 +2359,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s). Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..2bbea35 100755 index b25d3b2..6e71f00 100755
--- a/policycoreutils/sepolicy/sepolicy.py --- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@ @@ -22,6 +22,8 @@
@ -2245,8 +2380,31 @@ index b25d3b2..2bbea35 100755
if isinstance(values,str): if isinstance(values,str):
setattr(namespace, self.dest, values) setattr(namespace, self.dest, values)
@@ -60,7 +62,7 @@ class CheckType(argparse.Action): @@ -58,9 +60,30 @@ class CheckType(argparse.Action):
newval.append(v)
setattr(namespace, self.dest, newval)
+class CheckBoolean(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ booleans = sepolicy.get_all_booleans()
+ newval = getattr(namespace, self.dest)
+ if not newval:
+ newval = []
+
+ if isinstance(values,str):
+ v = selinux.selinux_boolean_sub(values)
+ if v not in booleans:
+ raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(booleans)))
+ newval.append(v)
+ setattr(namespace, self.dest, newval)
+ else:
+ for value in values:
+ v = selinux.selinux_boolean_sub(value)
+ if v not in booleans:
+ raise ValueError("%s must be an SELinux boolean:\nValid boolean: %s" % (v, ", ".join(booleans)))
+ newval.append(v)
+ setattr(namespace, self.dest, newval)
+
class CheckDomain(argparse.Action): class CheckDomain(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None): def __call__(self, parser, namespace, values, option_string=None):
- from sepolicy.network import domains - from sepolicy.network import domains
@ -2254,7 +2412,7 @@ index b25d3b2..2bbea35 100755
if isinstance(values,str): if isinstance(values,str):
if values not in domains: if values not in domains:
@@ -80,7 +82,6 @@ class CheckDomain(argparse.Action): @@ -80,7 +103,6 @@ class CheckDomain(argparse.Action):
all_classes = None all_classes = None
class CheckClass(argparse.Action): class CheckClass(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None): def __call__(self, parser, namespace, values, option_string=None):
@ -2262,7 +2420,7 @@ index b25d3b2..2bbea35 100755
global all_classes global all_classes
if not all_classes: if not all_classes:
all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS)) all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
@@ -114,7 +115,7 @@ class CheckPort(argparse.Action): @@ -114,7 +136,7 @@ class CheckPort(argparse.Action):
class CheckPortType(argparse.Action): class CheckPortType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None): def __call__(self, parser, namespace, values, option_string=None):
@ -2271,7 +2429,7 @@ index b25d3b2..2bbea35 100755
newval = getattr(namespace, self.dest) newval = getattr(namespace, self.dest)
if not newval: if not newval:
newval = [] newval = []
@@ -140,19 +141,18 @@ class CheckPolicyType(argparse.Action): @@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action): class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None): def __call__(self, parser, namespace, value, option_string=None):
@ -2294,7 +2452,7 @@ index b25d3b2..2bbea35 100755
if len(portdict) > 0: if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm) print "%s: %s %s" % (src, protocol, perm)
for p in portdict: for p in portdict:
@@ -160,7 +160,7 @@ def _print_net(src, protocol, perm): @@ -160,7 +181,7 @@ def _print_net(src, protocol, perm):
print "\t" + recs print "\t" + recs
def network(args): def network(args):
@ -2303,7 +2461,7 @@ index b25d3b2..2bbea35 100755
if args.list_ports: if args.list_ports:
all_ports = [] all_ports = []
for i in portrecs: for i in portrecs:
@@ -201,41 +201,41 @@ def manpage(args): @@ -201,41 +222,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path path = args.path
@ -2368,7 +2526,7 @@ index b25d3b2..2bbea35 100755
def gen_network_args(parser): def gen_network_args(parser):
net = parser.add_parser("network", net = parser.add_parser("network",
@@ -283,7 +283,6 @@ def gen_communicate_args(parser): @@ -283,7 +304,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate) comm.set_defaults(func=communicate)
def booleans(args): def booleans(args):
@ -2376,7 +2534,15 @@ index b25d3b2..2bbea35 100755
from sepolicy import boolean_desc from sepolicy import boolean_desc
if args.all: if args.all:
rc, args.booleans = selinux.security_get_boolean_names() rc, args.booleans = selinux.security_get_boolean_names()
@@ -320,7 +319,7 @@ def gen_transition_args(parser): @@ -300,6 +320,7 @@ def gen_booleans_args(parser):
action="store_true",
help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
+ action=CheckBoolean, required=False,
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
@@ -320,7 +341,7 @@ def gen_transition_args(parser):
trans.set_defaults(func=transition) trans.set_defaults(func=transition)
def interface(args): def interface(args):
@ -2385,7 +2551,7 @@ index b25d3b2..2bbea35 100755
if args.list_admin: if args.list_admin:
for a in get_admin(): for a in get_admin():
print a print a
@@ -328,7 +327,7 @@ def interface(args): @@ -328,7 +349,7 @@ def interface(args):
for a in get_user(): for a in get_user():
print a print a
if args.list: if args.list:
@ -2394,7 +2560,7 @@ index b25d3b2..2bbea35 100755
print m print m
def generate(args): def generate(args):
@@ -368,10 +367,10 @@ def gen_interface_args(parser): @@ -368,10 +389,10 @@ def gen_interface_args(parser):
help=_('List SELinux Policy interfaces')) help=_('List SELinux Policy interfaces'))
group = itf.add_mutually_exclusive_group(required=True) group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False, group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
@ -2407,7 +2573,7 @@ index b25d3b2..2bbea35 100755
group.add_argument("-l", "--list", dest="list",action="store_true", group.add_argument("-l", "--list", dest="list",action="store_true",
default=False, default=False,
help="List all interfaces") help="List all interfaces")
@@ -461,7 +460,10 @@ if __name__ == '__main__': @@ -461,7 +482,10 @@ if __name__ == '__main__':
gen_transition_args(subparsers) gen_transition_args(subparsers)
try: try:
@ -2420,7 +2586,7 @@ index b25d3b2..2bbea35 100755
sys.exit(0) sys.exit(0)
except ValueError,e: except ValueError,e:
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..35c3758 100644 index 5e7415c..5267ed9 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py --- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -7,6 +7,9 @@ import _policy @@ -7,6 +7,9 @@ import _policy
@ -2552,7 +2718,7 @@ index 5e7415c..35c3758 100644
return all_domains return all_domains
roles = None roles = None
@@ -139,49 +215,42 @@ def get_all_attributes(): @@ -139,48 +215,48 @@ def get_all_attributes():
return all_attributes return all_attributes
def policy(policy_file): def policy(policy_file):
@ -2617,10 +2783,15 @@ index 5e7415c..35c3758 100644
-def info(setype, name=None): -def info(setype, name=None):
- dict_list = _policy.info(setype, name) - dict_list = _policy.info(setype, name)
- return dict_list - return dict_list
- +booleans = None
+def get_all_booleans():
+ global booleans
+ if not booleans:
+ booleans = selinux.security_get_boolean_names()[1]
+ return booleans
booleans_dict = None booleans_dict = None
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
global booleans_dict
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..898ec43 100644 index 26f8390..898ec43 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py --- a/policycoreutils/sepolicy/sepolicy/generate.py
@ -2726,10 +2897,10 @@ index 8b063ca..c9036c3 100644
trans_list.append(m[0]) trans_list.append(m[0])
return trans_list return trans_list
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..b3c24e6 100755 index 25062da..f184b0c 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py --- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -28,7 +28,7 @@ import string @@ -28,12 +28,12 @@ import string
import argparse import argparse
import selinux import selinux
import sepolicy import sepolicy
@ -2738,7 +2909,32 @@ index 25062da..b3c24e6 100755
import commands import commands
import sys, os, re, time import sys, os, re, time
@@ -416,40 +416,33 @@ class ManPage:
-equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
+equiv_dict={ "smbd" : [ "samba" ], "httpd" : [ "apache" ], "virtd" : [ "virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t" ], "named" : [ "bind" ], "fsdaemon" : [ "smartmon" ], "mdadm" : [ "raid" ] }
equiv_dirs=[ "/var" ]
modules_dict = None
@@ -184,14 +184,12 @@ def get_alphabet_manpages(manpage_list):
return alphabet_manpages
def convert_manpage_to_html(html_manpage,manpage):
- fd = open(html_manpage,'w')
- rc, output = commands.getstatusoutput("man2html -r %s" % manpage)
+ rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
if rc == 0:
+ print html_manpage, " has been created"
+ fd = open(html_manpage,'w')
fd.write(output)
- else:
- fd.write("Man page does not exist")
-
- fd.close()
+ fd.close()
class HTMLManPages:
"""
@@ -416,40 +414,33 @@ class ManPage:
""" """
Generate a Manpage on an SELinux domain in the specified path Generate a Manpage on an SELinux domain in the specified path
""" """
@ -2797,7 +2993,110 @@ index 25062da..b3c24e6 100755
self.booleans_dict = gen_bool_dict(self.xmlpath) self.booleans_dict = gen_bool_dict(self.xmlpath)
if domainname.endswith("_t"): if domainname.endswith("_t"):
@@ -947,13 +940,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?" @@ -459,7 +450,10 @@ class ManPage:
if self.domainname + "_t" not in self.all_domains:
raise ValueError("domain %s_t does not exist" % self.domainname)
- self.short_name = self.domainname
+ if self.domainname[-1]=='d':
+ self.short_name = self.domainname[:-1] + "_"
+ else:
+ self.short_name = self.domainname + "_"
self.type = self.domainname + "_t"
self._gen_bools()
@@ -483,16 +477,23 @@ class ManPage:
def _gen_bools(self):
self.bools=[]
self.domainbools=[]
- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : self.type }))):
- for b in i:
- if not isinstance(b,tuple):
- continue
- if b[0].startswith(self.short_name):
- if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
- self.domainbools.append(b)
- else:
- if b not in self.bools and (b[0], not b[1]) not in self.bools:
- self.bools.append(b)
+ types = [self.type]
+ if self.domainname in equiv_dict:
+ for t in equiv_dict[self.domainname]:
+ if t + "_t" in self.all_domains:
+ types.append(t+"_t")
+
+ for t in types:
+ for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : t }))):
+ for b in i:
+ if not isinstance(b,tuple):
+ continue
+ if b[0].startswith(self.short_name) or b[0].startswith(self.domainname):
+ if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools:
+ self.domainbools.append(b)
+ else:
+ if b not in self.bools and (b[0], not b[1]) not in self.bools:
+ self.bools.append(b)
self.bools.sort()
self.domainbools.sort()
@@ -538,9 +539,6 @@ class ManPage:
print path
def __gen_man_page(self):
- if self.domainname[-1]=='d':
- self.short_name = self.domainname[:-1]
-
self.anon_list = []
self.attributes = {}
@@ -563,19 +561,8 @@ class ManPage:
def _get_ptypes(self):
for f in self.all_domains:
- if f.startswith(self.short_name):
- self.ptypes.append(f)
-
- def __whoami(self):
- import pwd
- fd = open("/proc/self/loginuid", "r")
- uid = int(fd.read())
- fd.close()
- pw = pwd.getpwuid(uid)
- if len(pw.pw_gecos) > 0:
- return pw.pw_gecos
- else:
- return pw.pw_name
+ if f.startswith(self.short_name) or f.startswith(self.domainname):
+ self.ptypes.append(f)
def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy documentation for %(domainname)s"'
@@ -774,7 +761,7 @@ can be used to make the process type %(domainname)s_t permissive. SELinux does n
def _port_types(self):
self.ports = []
for f in self.all_port_types:
- if f.startswith(self.short_name):
+ if f.startswith(self.short_name) or f.startswith(self.domainname):
self.ports.append(f)
if len(self.ports) == 0:
@@ -923,13 +910,12 @@ to apply the labels.
def _see_also(self):
ret = ""
- prefix = self.short_name.split("_")[0]
for d in self.domains:
if d == self.domainname:
continue
- if d.startswith(prefix):
+ if d.startswith(self.short_name):
ret += ", %s_selinux(8)" % d
- if self.domainname.startswith(d):
+ if d.startswith(self.domainname + "_"):
ret += ", %s_selinux(8)" % d
self.fd.write(ret)
@@ -947,13 +933,14 @@ semanage fcontext -a -t public_content_t "/var/%(domainname)s(/.*)?"
.B restorecon -F -R -v /var/%(domainname)s .B restorecon -F -R -v /var/%(domainname)s
.pp .pp
.TP .TP
@ -2814,7 +3113,22 @@ index 25062da..b3c24e6 100755
""" % {'domainname':self.domainname}) """ % {'domainname':self.domainname})
for b in self.anon_list: for b in self.anon_list:
desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:] desc = self.booleans_dict[b][2][0].lower() + self.booleans_dict[b][2][1:]
@@ -1230,6 +1224,7 @@ The SELinux user %s_u is not able to terminal login. @@ -998,12 +985,11 @@ is a GUI tool available to customize SELinux policy settings.
.SH AUTHOR
This manual page was auto-generated using
-.B "sepolicy manpage"
-by %s.
+.B "sepolicy manpage".
.SH "SEE ALSO"
selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
-""" % (self.__whoami(), self.domainname))
+""" % (self.domainname))
if self.booltext != "":
self.fd.write(", setsebool(8)")
@@ -1230,6 +1216,7 @@ The SELinux user %s_u is not able to terminal login.
""" % self.domainname) """ % self.domainname)
def _network(self): def _network(self):
@ -3058,3 +3372,25 @@ index b11e49f..ac1c39a 100644
- exit(errors); - exit(errors);
+ exit(errors ? -1: 0); + exit(errors ? -1: 0);
} }
diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
index a6addc5..45d6538 100644
--- a/policycoreutils/setsebool/Makefile
+++ b/policycoreutils/setsebool/Makefile
@@ -4,7 +4,7 @@ INCLUDEDIR ?= $(PREFIX)/include
SBINDIR ?= $(PREFIX)/sbin
MANDIR = $(PREFIX)/share/man
LIBDIR ?= $(PREFIX)/lib
-BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
CFLAGS ?= -Werror -Wall -W
override CFLAGS += -I$(INCLUDEDIR)
@@ -23,7 +23,7 @@ install: all
-mkdir -p $(MANDIR)/man8
install -m 644 setsebool.8 $(MANDIR)/man8/
-mkdir -p $(BASHCOMPLETIONDIR)
- install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)
+ install -m 644 $(BASHCOMPLETIONS) $(BASHCOMPLETIONDIR)/setsebool
relabel:
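Review bot: Removing `capng_lock()` in the first drop_capabilities hunk (the `- if (capng_lock() < 0)` lines after `@@ -547,9 +547,7 @@`) changes more than the bounding set: if I recall libcap-ng correctly, that call is what set the securebits (NOROOT/NO_SETUID_FIXUP and their locks), and without SECBIT_NO_SETUID_FIXUP the following `setresuid(uid, uid, uid)` clears the permitted set, so the `capng_update(CAPNG_ADD, ..., CAP_AUDIT_WRITE)` + `capng_apply(CAPNG_SELECT_CAPS)` on the `!full` path would be trying to re-add a capability that is no longer permitted and may fail with EPERM — worth verifying with a caller that passes full == 0 (none is visible in these hunks; main() passes TRUE), since main() now aborts on that return with `Failed to drop capabilities %m`. The NAMESPACE_PRIV variant under `@@ -576,20 +574,21 @@` makes the same change and has the same question. If leaving the bounding set and securebits untouched is the intent (the changelog says children should keep their capabilities), a comment above `capng_clear(CAPNG_SELECT_CAPS);` should say so, e.g. `/* Only the process capability sets are cleared; bounding set and securebits are left alone so children can regain capabilities via setuid executables. */`. Separately, in the main() hunk the new `_("Failed to send audit message")` is the only one of the three added error strings without a trailing `\n`. drop_capabilities begins before the hunk.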


@ -1,13 +1,41 @@
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index d636091..9ca35a7 100644 index d636091..56919be 100644
--- a/sepolgen/src/sepolgen/audit.py --- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/audit.py
@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage): @@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
raise ValueError("Error during access vector computation") raise ValueError("Error during access vector computation")
if self.type == audit2why.CONSTRAINT: if self.type == audit2why.CONSTRAINT:
- self.data = [] - self.data = []
+ self.data = [ self.data ] + self.data = [ self.data ]
if self.scontext.user != self.tcontext.user: if self.scontext.user != self.tcontext.user:
self.data.append("user") - self.data.append("user")
+ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r": if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
- self.data.append("role")
+ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
if self.scontext.level != self.tcontext.level:
- self.data.append("level")
+ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index cc9f8ea..24062a1 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -172,10 +172,10 @@ class PolicyGenerator:
rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
if av.type == audit2why.CONSTRAINT:
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
- rule.comment += "#Constraint rule: "
- for reason in av.data:
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
+ rule.comment += "#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
+ for reason in av.data[1:]:
+ rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
try:
if ( av.type == audit2why.TERULE and
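Review bot: The new constraint message in policygen.py ends in `\n\b` (`"#\tPossible cause is the source %s and target %s are different.\n\b"`), which writes a literal backspace (0x08) into the generated policy comment; the old line carried the same stray `\b`, but since the string is rewritten anyway it should end in `"\n"` only. The identical string is used in the audit2allow hunk of the other patch file (`print "#\tPossible cause ... \n\b" % reason`), where the preceding line also appears, as rendered here, to have lost its opening quote — `print #!!!! This avc is a constraint violation...` makes Python treat the rest of the line as a comment and print an empty line, so that line should be checked against the actual patch text. The `for reason in av.data[1:]` loop depends on audit.py now storing `self.data = [ self.data ]` with the rule text first and `(source, target)` tuples after it; a one-line comment such as `# av.data[0] is the constraint rule text, av.data[1:] are (source, target) pairs` above the loop would document that coupling. The enclosing PolicyGenerator method continues outside the hunk.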


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.14 Version: 2.1.14
Release: 19%{?dist} Release: 23%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -129,10 +129,9 @@ an SELinux environment.
%{_mandir}/man8/sepolicy*.8* %{_mandir}/man8/sepolicy*.8*
%{_mandir}/man8/sepolgen.8* %{_mandir}/man8/sepolgen.8*
%{_mandir}/ru/man8/semanage.8* %{_mandir}/ru/man8/semanage.8*
%dir %{_sysconfdir}/bash_completion.d %{_usr}/share/bash-completion/completions/semanage
%{_sysconfdir}/bash_completion.d/semanage-bash-completion.sh %{_usr}/share/bash-completion/completions/setsebool
%{_sysconfdir}/bash_completion.d/sepolicy-bash-completion.sh %{_usr}/share/bash-completion/completions/sepolicy
%{_sysconfdir}/bash_completion.d/setsebool-bash-completion.sh
%package devel %package devel
Summary: SELinux policy core policy devel utilities Summary: SELinux policy core policy devel utilities
@ -310,6 +309,27 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-23
- sepolicy manpage:
- use nroff instead of man2html
- Remove checking for name of person who created the man page
- audit2allow
- Fix output to show the level that is different.
* Thu Mar 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-22
- Fix newrole to not drop capabilities from the bounding set.
- Stop dropping capabilities from its children.
- Add better error messages.
- Change location of bash_completion files to /usr/share/bash-completion/compl
* Mon Mar 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-21
- sepolicy generate should look for booleans that effect equivalence names, and add them to the man page
* Thu Mar 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-20
- Mention creation of permissive domains in sepolicy generate man page
- Change sepolicy manpage to use shortname with an "_" to stop accidently grabbing unrelated types for a domain.
- Fix audit2allow to show better information on constraint violations.
* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-19 * Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-19
- Have restorecon exit -1 on errors for consistancy. - Have restorecon exit -1 on errors for consistancy.