Allow sepolicy to specify the policy to generate content from

rhatdan 2012-10-26 14:44:32 -04:00
parent 4a63d32419
commit 91f5677207
2 changed files with 95 additions and 39 deletions


@ -335731,6 +335731,19 @@ index f4602a9..61d455c 100644
codeset = 'utf-8')
except IOError:
import __builtin__
diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
index 63b11dd..28a9022 100644
--- a/policycoreutils/semanage/semanage.8
+++ b/policycoreutils/semanage/semanage.8
@@ -154,7 +154,7 @@ MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping defaults to the SELinux user record range.
SELinux Range for SELinux user defaults to s0.
.TP
-.I \-R, \-\-role
+.I \-R, \-\-roles
SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
.TP
.I \-P, \-\-prefix
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index ad7dc8c..0a1485e 100644
--- a/policycoreutils/semanage/seobject.py
@ -336069,10 +336082,10 @@ index 0000000..dc3ce6a
+
diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
new file mode 100644
index 0000000..d0deafc
index 0000000..e0a5466
--- /dev/null
+++ b/policycoreutils/sepolicy/info.c
@@ -0,0 +1,938 @@
@@ -0,0 +1,949 @@
+/**
+ * @file
+ * Command line tool to search TE rules.
@ -336925,7 +336938,7 @@ index 0000000..d0deafc
+ return list;
+}
+
+PyObject* info(int type, const char *name)
+PyObject* info(int type, const char *name, const char *alt_policy_file)
+{
+ PyObject* output = NULL;
+ int rt = -1;
@ -336934,10 +336947,20 @@ index 0000000..d0deafc
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+
+ rt = qpol_default_policy_find(&policy_file);
+ if (rt != 0) {
+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
+ return NULL;
+ if (alt_policy_file) {
+ policy_file = strdup(alt_policy_file);
+ if (!policy_file) {
+ apol_vector_destroy(&mod_paths);
+ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
+ return NULL;
+ }
+ }
+ else {
+ rt = qpol_default_policy_find(&policy_file);
+ if (rt != 0) {
+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
+ return NULL;
+ }
+ }
+
+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
@ -336987,11 +337010,12 @@ index 0000000..d0deafc
+PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
+ unsigned int type;
+ char *name;
+ char *policy_file;
+
+ if (!PyArg_ParseTuple(args, "iz", &type, &name))
+ if (!PyArg_ParseTuple(args, "izz", &type, &name, &policy_file))
+ return NULL;
+
+ return Py_BuildValue("N",info(type, name));
+ return Py_BuildValue("N",info(type, name, policy_file));
+
+}
+
@ -337013,10 +337037,10 @@ index 0000000..d0deafc
+}
diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
new file mode 100644
index 0000000..fb4bfd6
index 0000000..80421fc
--- /dev/null
+++ b/policycoreutils/sepolicy/search.c
@@ -0,0 +1,1015 @@
@@ -0,0 +1,1022 @@
+// Author: Thomas Liu <tliu@redhat.com>
+
+/**
@ -337804,16 +337828,17 @@ index 0000000..fb4bfd6
+}
+
+PyObject* search(bool allow,
+ bool neverallow,
+ bool auditallow,
+ bool dontaudit,
+ bool transition,
+ bool role_allow,
+ const char *src_name,
+ const char *tgt_name,
+ const char *class_name,
+ const char *permlist
+ )
+ bool neverallow,
+ bool auditallow,
+ bool dontaudit,
+ bool transition,
+ bool role_allow,
+ const char *src_name,
+ const char *tgt_name,
+ const char *class_name,
+ const char *permlist,
+ const char *alt_policy_file
+ )
+{
+ options_t cmd_opts;
+ int rt = -1;
@ -337824,6 +337849,9 @@ index 0000000..fb4bfd6
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+
+ if (alt_policy_file)
+ policy_file = strdup(alt_policy_file);
+
+ memset(&cmd_opts, 0, sizeof(cmd_opts));
+ cmd_opts.indirect = true;
+ cmd_opts.allow = allow;
@ -337846,10 +337874,12 @@ index 0000000..fb4bfd6
+ if (!(cmd_opts.nallow || cmd_opts.all))
+ pol_opt |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
+
+ rt = qpol_default_policy_find(&policy_file);
+ if (rt) {
+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
+ return NULL;
+ if (! policy_file) {
+ rt = qpol_default_policy_find(&policy_file);
+ if (rt) {
+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
+ return NULL;
+ }
+ }
+ pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+
@ -338019,8 +338049,9 @@ index 0000000..fb4bfd6
+ const char *tgt_name = Dict_ContainsString(dict, "target");
+ const char *class_name = Dict_ContainsString(dict, "class");
+ const char *permlist = Dict_ContainsString(dict, "permlist");
+ const char *policy_path = Dict_ContainsString(dict, "policy");
+
+ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
+ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist, policy_path));
+}
+
+static PyMethodDef methods[] = {
@ -338034,10 +338065,10 @@ index 0000000..fb4bfd6
+}
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
new file mode 100644
index 0000000..0de9f32
index 0000000..86b5af1
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
@@ -0,0 +1,134 @@
@@ -0,0 +1,135 @@
+# This file is part of systemd.
+#
+# Copyright 2011 Dan Walsh
@ -338101,6 +338132,7 @@ index 0000000..0de9f32
+ [GENERATE]='generate'
+ )
+
+ COMMONOPTS='-P --policy -h --help'
+ local -A OPTS=(
+ [manpage]='-h --help -p --path -a -all -d --domain -w --web'
+ [network]='-h --help -d --domain -l --list -p --port -t --type '
@ -338118,7 +338150,7 @@ index 0000000..0de9f32
+ done
+
+ if [[ -z $verb ]]; then
+ comps="${VERBS[*]}"
+ comps="${VERBS[*]} ${COMMONOPTS}"
+ elif [ "$verb" = "manpage" ]; then
+ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
+ COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
@ -338439,16 +338471,16 @@ index 0000000..2e26cea
+sepolicy(8), selinux(8)
diff --git a/policycoreutils/sepolicy/sepolicy.8 b/policycoreutils/sepolicy/sepolicy.8
new file mode 100644
index 0000000..88bb2fc
index 0000000..2e0163b
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy.8
@@ -0,0 +1,50 @@
@@ -0,0 +1,58 @@
+.TH "sepolicy" "8" "20121005" "" ""
+.SH "NAME"
+sepolicy \- SELinux Policy Inspection tool
+
+.SH "SYNOPSIS"
+.B semanage {manpage,network,communicate,transition,generate} OPTIONS
+.B semanage [-h] [-P policy_path ] {manpage,network,communicate,transition,generate} OPTIONS
+
+.br
+Arguments:
@ -338488,6 +338520,14 @@ index 0000000..88bb2fc
+sepolicy is a tools set that will query the installed SELinux policy and generate useful reports, man pages, or even new policy modules.
+See the argument specific man pages for options and descriptions.
+
+.SH "OPTIONS"
+.TP
+.I \-P, \-\-policy
+Alternate policy to analyze. (Defaults to currently installed policy /sys/fs/selinux/policy)
+.TP
+.I \-h, \-\-help
+Display help message
+
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh@redhat.com>
+
@ -338495,10 +338535,10 @@ index 0000000..88bb2fc
+selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-network(8), sepolicy-transition(8)
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
new file mode 100755
index 0000000..a86d93b
index 0000000..5469729
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -0,0 +1,294 @@
@@ -0,0 +1,299 @@
+#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat
+# AUTHOR: Dan Walsh <dwalsh@redhat.com>
@ -338746,6 +338786,7 @@ index 0000000..a86d93b
+
+def generate(args):
+ from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS
+ print args.policy
+ cmd = os.path.realpath(args.command)
+ if not args.name:
+ args.name = os.path.basename(cmd).replace("-","_")
@ -338779,6 +338820,8 @@ index 0000000..a86d93b
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='SELinux Policy Inspection Tool')
+ subparsers = parser.add_subparsers(help=_("commands"))
+ parser.add_argument("-P", "--policy", dest="policy",
+ default=None, help=_("Alternate SELinux policy, defaults to /sys/fs/selinux/policy"))
+ gen_manpage_args(subparsers)
+ gen_network_args(subparsers)
+ gen_communicate_args(subparsers)
@ -338788,6 +338831,8 @@ index 0000000..a86d93b
+
+ try:
+ args = parser.parse_args()
+ if args.policy:
+ sepolicy.policy(args.policy)
+ args.func(args)
+ sys.exit(0)
+ except ValueError,e:
@ -338795,10 +338840,10 @@ index 0000000..a86d93b
+ sys.exit(1)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
new file mode 100644
index 0000000..f8a8af9
index 0000000..a55162f
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -0,0 +1,82 @@
@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+
+# Author: Thomas Liu <tliu@redhat.com>
@ -338825,6 +338870,8 @@ index 0000000..f8a8af9
+TRANSITION = 'transition'
+ROLE_ALLOW = 'role_allow'
+
+policy_file = None
+
+def search(types, info = {} ):
+ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
+ for type in types:
@ -338836,7 +338883,8 @@ index 0000000..f8a8af9
+ if PERMS in info:
+ perms = info[PERMS]
+ info[PERMS] = ",".join(info[PERMS])
+
+
+ info["policy"] = policy_file
+ dict_list = _search.search(info)
+ if dict_list and len(perms) != 0:
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
@ -338849,9 +338897,14 @@ index 0000000..f8a8af9
+ return True
+
+def info(setype, name=None):
+ dict_list = _info.info(setype, name)
+ global policy_file
+ dict_list = _info.info(setype, name, policy_file)
+ return dict_list
+
+def policy(alt_policy_file):
+ global policy_file
+ policy_file = alt_policy_file
+
+def _gen_boolens_dict():
+ import xml.etree.ElementTree
+ import re
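Review bot: In search.c the `strdup(alt_policy_file)` added just before the `memset(&cmd_opts, ...)` line has no NULL check, so if the copy fails policy_file stays NULL and the new `if (! policy_file)` branch silently falls back to the default system policy instead of the policy the caller explicitly requested; info.c in the same commit checks the same strdup and raises RuntimeError. Mirror that handling so a failed copy is reported rather than masked: `if (alt_policy_file && !(policy_file = strdup(alt_policy_file))) {` / `PyErr_SetString(PyExc_RuntimeError, strerror(ENOMEM)); return NULL; }`. search() continues outside the hunk, and whether search.c already includes the headers strerror/ENOMEM need is not visible here. Separately, the `print args.policy` added to generate() in sepolicy.py looks like a leftover debug statement.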


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.13
Release: 17%{?dist}
Release: 18%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Fri Oct 25 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-18
- Allow sepolicy to specify the policy to generate content from
* Thu Oct 25 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-17
- Fix semanage boolean -F to handle boolean subs