* Mon Jun 23 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-8

- Fix sepolgen/audit2allow handling of roles
2008-06-23 11:09:58 +00:00 · 2008-06-23 11:09:58 +00:00 · 9236954d7c
commit 9236954d7c
parent 66f5edd31b
3 changed files with 277 additions and 36 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1,15 +1,56 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile
--- nsapolicycoreutils/Makefile	2008-05-22 14:01:49.000000000 -0400
-+++ policycoreutils-2.0.49/Makefile	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/Makefile	2008-06-12 23:25:24.000000000 -0400
+++ policycoreutils-2.0.49/Makefile	2008-06-23 07:03:37.000000000 -0400
@@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
 
 INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
 
+diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.49/audit2allow/audit2allow
+--- nsapolicycoreutils/audit2allow/audit2allow	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/audit2allow/audit2allow	2008-06-23 07:03:50.000000000 -0400
+@@ -152,12 +152,13 @@
+ 
+     def __process_input(self):
+         if self.__options.type:
+-            avcfilter = audit.TypeFilter(self.__options.type)
+            avcfilter = audit.AVCTypeFilter(self.__options.type)
+             self.__avs = self.__parser.to_access(avcfilter)
+-            self.__selinux_errs = self.__parser.to_role(avcfilter)
+            csfilter = audit.ComputeSidTypeFilter(self.__options.type)
+            self.__role_types = self.__parser.to_role(csfilter)
+         else:
+             self.__avs = self.__parser.to_access()
+-            self.__selinux_errs = self.__parser.to_role()
+            self.__role_types = self.__parser.to_role()
+ 
+     def __load_interface_info(self):
+         # Load interface info file
+@@ -310,6 +311,7 @@
+ 
+         # Generate the policy
+         g.add_access(self.__avs)
+        g.add_role_types(self.__role_types)
+ 
+         # Output
+         writer = output.ModuleWriter()
+@@ -328,12 +330,6 @@
+                 fd = sys.stdout
+             writer.write(g.get_module(), fd)
+ 
+-            if len(self.__selinux_errs) > 0:
+-                fd.write("\n=========== ROLES ===============\n")
+-
+-            for role in self.__selinux_errs:
+-                fd.write(role.output())
+-
+     def main(self):
+         try:
+             self.__parse_options()
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c	2008-05-22 14:01:42.000000000 -0400
-+++ policycoreutils-2.0.49/restorecond/restorecond.c	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.c	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/restorecond/restorecond.c	2008-06-23 07:03:37.000000000 -0400
@@ -210,9 +210,10 @@
 			}
 
@ -37,8 +78,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
 	free(scontext);
 	close(fd);
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
--- nsapolicycoreutils/restorecond/restorecond.init	2008-05-22 14:01:42.000000000 -0400
-+++ policycoreutils-2.0.49/restorecond/restorecond.init	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.init	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/restorecond/restorecond.init	2008-06-23 07:03:37.000000000 -0400
@@ -2,7 +2,7 @@
 #
 # restorecond:		Daemon used to maintain path file context
@ -49,8 +90,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
 # listed in the /etc/selinux/restorecond.conf file, and restores the \
 # correct security context.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/scripts/fixfiles	2008-05-22 13:56:53.000000000 -0400
+--- nsapolicycoreutils/scripts/fixfiles	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/scripts/fixfiles	2008-06-23 07:03:37.000000000 -0400
@@ -138,6 +138,9 @@
 fi
 LogReadOnly
@ -81,8 +122,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
 
 if [ $# = 0 ]; then
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8
--- nsapolicycoreutils/scripts/fixfiles.8	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/scripts/fixfiles.8	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/scripts/fixfiles.8	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/scripts/fixfiles.8	2008-06-23 07:03:37.000000000 -0400
@@ -7,6 +7,8 @@
 
 .B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] 
@ -103,8 +144,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
 .SH "OPTIONS"
 .TP 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage
--- nsapolicycoreutils/semanage/semanage	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/semanage/semanage	2008-06-12 14:34:26.499263000 -0400
+--- nsapolicycoreutils/semanage/semanage	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/semanage/semanage	2008-06-23 07:03:37.000000000 -0400
@@ -43,49 +43,52 @@
 if __name__ == '__main__':
 
@ -231,8 +272,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
 			
 		if modify:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/semanage/semanage.8	2008-06-11 16:18:48.000000000 -0400
+--- nsapolicycoreutils/semanage/semanage.8	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/semanage/semanage.8	2008-06-23 07:03:37.000000000 -0400
@@ -17,6 +17,8 @@
 .br
 .B semanage fcontext \-{a|d|m} [\-frst] file_spec
@ -256,8 +297,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
 Examples by Thomas Bleher <ThomasBleher@gmx.de>.
 -
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/semanage/seobject.py	2008-06-12 14:34:36.038161000 -0400
+--- nsapolicycoreutils/semanage/seobject.py	2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/semanage/seobject.py	2008-06-23 07:03:37.000000000 -0400
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
 -# Copyright (C) 2005, 2006, 2007 Red Hat 
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@ -1,28 +1,195 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py	2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py	2008-06-23 07:04:21.000000000 -0400
+@@ -295,3 +295,32 @@
+             perms[av.obj_class] = s
+         s.update(av.perms)
+     return perms
+
+class RoleTypeSet:
+    """A non-overlapping set of role type statements.
+
+    This clas allows the incremental addition of role type statements and
+    maintains a non-overlapping list of statements.
+    """
+    def __init__(self):
+        """Initialize an access vector set."""
+        self.role_types = {}
+
+    def __iter__(self):
+        """Iterate over all of the unique role allows statements in the set."""
+        for role_type in self.role_types.values():
+            yield role_type
+
+    def __len__(self):
+        """Return the unique number of role allow statements."""
+        return len(self.roles)
+
+    def add(self, role, type):
+        if self.role_types.has_key(role):
+            role_type = self.role_types[role]
+        else:
+            role_type = refpolicy.RoleType()
+            role_type.role = role
+            self.role_types[role] = role_type
+
+        role_type.types.add(type)
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py	2008-01-23 14:36:29.000000000 -0500
-+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py	2008-05-28 10:11:36.373597000 -0400
-@@ -241,14 +241,17 @@
+--- nsasepolgen/src/sepolgen/audit.py	2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py	2008-06-23 07:05:23.000000000 -0400
+@@ -235,20 +235,21 @@
+     """
+     def __init__(self, message):
+         AuditMessage.__init__(self, message)
+-        self.type = ""
+-        self.role = ""
+        self.invalid_context = refpolicy.SecurityContext()
+        self.scontext = refpolicy.SecurityContext()
+        self.tcontext = refpolicy.SecurityContext()
+        self.tclass = ""
+ 
     def from_split_string(self, recs):
         AuditMessage.from_split_string(self, recs)
-         dict={}
-+        ctr = 0
-         for i in recs:
-+            ctr = ctr + 1
-             t = i.split('=')
-             if len(t) < 2:
-+                if t[0] == "context":
-+                    self.type = refpolicy.SecurityContext(recs[ctr]).type
-                 continue
-             dict[t[0]]=t[1]
+-        dict={}
+-        for i in recs:
+-            t = i.split('=')
+-            if len(t) < 2:
+-                continue
+-            dict[t[0]]=t[1]
+        if len(recs) < 10:
+            raise ValueError("Split string does not represent a valid compute sid message")
+
         try:
-             self.role = refpolicy.SecurityContext(dict["scontext"]).role
+-            self.role = refpolicy.SecurityContext(dict["scontext"]).role
 -            self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+            self.invalid_context = refpolicy.SecurityContext(recs[5])
+            self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1])
+            self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1])
+            self.tclass = recs[9].split("=")[1]
         except:
             raise ValueError("Split string does not represent a valid compute sid message")
     def output(self):
+@@ -405,7 +406,7 @@
+         self.__post_process()
+ 
+     def to_role(self, role_filter=None):
+-        """Return list of SELINUX_ERR messages matching the specified filter
+        """Return RoleAllowSet statements matching the specified filter
+ 
+         Filter out types that match the filer, or all roles
+ 
+@@ -416,13 +417,12 @@
+            Access vector set representing the denied access in the
+            audit logs parsed by this object.
+         """
+-        roles = []
+-        if role_filter:
+-            for selinux_err in self.compute_sid_msgs:
+-                if role_filter.filter(selinux_err):
+-                    roles.append(selinux_err)
+-            return roles
+-        return self.compute_sid_msgs
+        role_types = access.RoleTypeSet()
+        for cs in self.compute_sid_msgs:
+            if not role_filter or role_filter.filter(cs):
+                role_types.add(cs.invalid_context.role, cs.invalid_context.type)
+        
+        return role_types
+ 
+     def to_access(self, avc_filter=None, only_denials=True):
+         """Convert the audit logs access into a an access vector set.
+@@ -454,7 +454,7 @@
+                            avc.accesses, avc)
+         return av_set
+ 
+-class TypeFilter:
+class AVCTypeFilter:
+     def __init__(self, regex):
+         self.regex = re.compile(regex)
+ 
+@@ -465,4 +465,17 @@
+             return True
+         return False
+ 
+class ComputeSidTypeFilter:
+    def __init__(self, regex):
+        self.regex = re.compile(regex)
+
+    def filter(self, avc):
+        if self.regex.match(avc.invalid_context.type):
+            return True
+        if self.regex.match(avc.scontext.type):
+            return True
+        if self.regex.match(avc.tcontext.type):
+            return True
+        return False
+
+ 
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/output.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py
+--- nsasepolgen/src/sepolgen/output.py	2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py	2008-06-23 07:04:31.000000000 -0400
+@@ -101,6 +101,8 @@
+         else:
+             return id_set_cmp(a.src_types, [b.args[0]])
+                 
+def role_type_cmp(a, b):
+    return cmp(a.role, b.role)
+ 
+ def sort_filter(module):
+     """Sort and group the output for readability.
+@@ -146,6 +148,18 @@
+ 
+         c.extend(sep_rules)
+ 
+
+        ras = []
+        ras.extend(node.role_types())
+        ras.sort(role_type_cmp)
+        if len(ras):
+            comment = refpolicy.Comment()
+            comment.lines.append("============= ROLES ==============")
+            c.append(comment)
+        
+
+        c.extend(ras)
+
+         # Everything else
+         for child in node.children:
+             if child not in c:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py	2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py	2008-06-23 07:04:36.000000000 -0400
+@@ -167,6 +167,13 @@
+         if self.gen_requires:
+             gen_requires(self.module)
+ 
+    def add_role_types(self, role_type_set):
+        for role_type in role_type_set:
+            self.module.children.append(role_type)
+
+        # Generate the requires
+        if self.gen_requires:
+            gen_requires(self.module)
+ 
+ def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
+     """Explain why a policy statement was generated.
+@@ -334,8 +341,12 @@
+                 # can actually figure those out.
+                 r.types.add(arg)
+ 
+-        r.types.discard("self")
+        for role_type in node.role_types():
+            r.roles.add(role_type.role)
+            r.types.update(role_type.types)
+                 
+        r.types.discard("self")
+
+         node.children.insert(0, r)
+ 
+     # FUTURE - this is untested on modules with any sort of
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py	2008-01-23 14:36:29.000000000 -0500
-+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py	2008-05-16 11:27:03.000000000 -0400
+--- nsasepolgen/src/sepolgen/refparser.py	2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py	2008-06-23 07:05:23.000000000 -0400
@@ -919,7 +919,7 @@
 def list_headers(root):
     modules = []
@ -32,3 +199,35 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
 
     for dirpath, dirnames, filenames in os.walk(root):
         for name in filenames:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py
+--- nsasepolgen/src/sepolgen/refpolicy.py	2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py	2008-06-23 07:04:47.000000000 -0400
+@@ -122,6 +122,12 @@
+     def roles(self):
+         return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self))
+ 
+    def role_allows(self):
+        return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self))
+
+    def role_types(self):
+        return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self))
+
+     def __str__(self):
+         if self.comment:
+             return str(self.comment) + "\n" + self.to_string()
+@@ -494,6 +500,15 @@
+         return "allow %s %s;" % (self.src_roles.to_comma_str(),
+                                  self.tgt_roles.to_comma_str())
+ 
+class RoleType(Leaf):
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.role = ""
+        self.types = IdSet()
+
+    def to_string(self):
+        return "role %s types %s;" % (self.role, self.types.to_comma_str())
+
+ class ModuleDeclaration(Leaf):
+     def __init__(self, parent=None):
+         Leaf.__init__(self, parent)
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.49
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -21,7 +21,6 @@ Source7: selinux-polgengui.console
 Source8: policycoreutils_man_ru2.tar.bz2
 Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-po.patch
-#Patch2: policycoreutils-sepolgen.patch
 Patch3:	 policycoreutils-gui.patch
 Patch4:	 policycoreutils-sepolgen.patch

@ -52,9 +51,8 @@ context.
 %setup -q -a 1 
 %patch -p1 -b .rhat
 %patch1 -p1 -b .rhatpo
-#%patch2 -p1 -b .sepolgen
 %patch3 -p1 -b .gui
-%patch4 -p1 -b .sepolgen
+#%patch4 -p1 -b .sepolgen

 %build
 make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
@ -193,6 +191,9 @@ if [ "$1" -ge "1" ]; then
 fi

 %changelog
+* Mon Jun 23 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-8
+- Fix sepolgen/audit2allow handling of roles
+
 * Mon Jun 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-7
 - Fix sepolgen-ifgen processing