rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix var_spool template read_spool_files

Browse Source 
Fix sepolgen to handle filename transitions
This commit is contained in:
Dan Walsh 2011-05-25 16:20:29 -04:00
parent ed0051b493
commit 93a347a42a
3 changed files with 75 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
policycoreutils-gui.patch
View File

@ -13999,7 +13999,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0
+"""
diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py
--- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-04-12 10:52:07.573645242 -0400
+++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-23 17:00:58.813198478 -0400
+++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-25 16:09:23.350352658 -0400
@@ -0,0 +1,131 @@
+# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information
@ -14073,7 +14073,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2
+ ')
+
+ files_search_spool($1)
+ read_files_pattern($1, TEMPLATETYPE_spool_t TEMPLATETYPE_spool_t)
+ read_files_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
+')
+
+########################################

119
policycoreutils-sepolgen.patch
View File

@ -1,7 +1,7 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py 2010-06-16 08:22:43.000000000 -0400
@@ -32,6 +32,7 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py 2011-05-25 16:11:58.150628048 -0400
@@ -32,6 +32,7 @@ in a variety of ways, but they are the f
"""
import refpolicy
@ -9,7 +9,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
def is_idparam(id):
"""Determine if an id is a paramater in the form $N, where N is
@@ -85,6 +86,8 @@
@@ -85,6 +86,8 @@ class AccessVector:
self.obj_class = None
self.perms = refpolicy.IdSet()
self.audit_msgs = []
@ -18,7 +18,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
# The direction of the information flow represented by this
# access vector - used for matching
@@ -253,20 +256,22 @@
@@ -253,20 +256,22 @@ class AccessVectorSet:
for av in l:
self.add_av(AccessVector(av))
@ -45,10 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
access.perms.update(perms)
if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py 2010-06-16 08:22:43.000000000 -0400
@@ -68,6 +68,17 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py 2011-05-25 16:11:58.150628048 -0400
@@ -68,6 +68,17 @@ def get_dmesg_msgs():
stdout=subprocess.PIPE).communicate()[0]
return output
@ -66,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
# Classes representing audit messages
class AuditMessage:
@@ -127,6 +138,9 @@
@@ -127,6 +138,9 @@ class PathMessage(AuditMessage):
if fields[0] == "path":
self.path = fields[1][1:-1]
return
@ -76,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message.
@@ -167,6 +181,8 @@
@@ -167,6 +181,8 @@ class AVCMessage(AuditMessage):
self.path = ""
self.accesses = []
self.denial = True
@ -85,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated
@@ -226,7 +242,31 @@
@@ -226,7 +242,31 @@ class AVCMessage(AuditMessage):
if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -118,7 +118,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded."""
def __init__(self, message):
@@ -469,10 +509,10 @@
@@ -469,10 +509,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@ -131,10 +131,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
return av_set
class AVCTypeFilter:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py
--- nsasepolgen/src/sepolgen/defaults.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py 2010-06-16 08:22:43.000000000 -0400
@@ -30,6 +30,9 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py 2011-05-25 16:11:58.150628048 -0400
@@ -30,6 +30,9 @@ def perm_map():
def interface_info():
return data_dir() + "/interface_info"
@ -144,10 +144,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policy
def refpolicy_devel():
return "/usr/share/selinux/devel"
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py
--- nsasepolgen/src/sepolgen/interfaces.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py 2010-06-16 08:22:43.000000000 -0400
@@ -29,6 +29,8 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py 2011-05-25 16:11:58.151628058 -0400
@@ -29,6 +29,8 @@ import matching
from sepolgeni18n import _
@ -156,7 +156,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
class Param:
"""
Object representing a paramater for an interface.
@@ -197,10 +199,48 @@
@@ -197,10 +199,48 @@ def ifcall_extract_params(ifcall, params
ret = 1
return ret
@ -207,7 +207,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
# Enabled is a loose concept currently - we are essentially
# not enabling interfaces that we can't handle currently.
# See InterfaceVector.add_ifv for more information.
@@ -214,10 +254,10 @@
@@ -214,10 +254,10 @@ class InterfaceVector:
# value: Param object).
self.params = { }
if interface:
@ -220,7 +220,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
self.name = interface.name
# Add allow rules
@@ -232,6 +272,23 @@
@@ -232,6 +272,23 @@ class InterfaceVector:
for av in avs:
self.add_av(av)
@ -244,7 +244,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
# Extract paramaters from roles
for role in interface.roles():
if role_extract_params(role, self.params):
@@ -346,13 +403,13 @@
@@ -346,13 +403,13 @@ class InterfaceSet:
l = self.tgt_type_map.setdefault(type, [])
l.append(ifv)
@ -262,10 +262,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
self.expand_ifcalls(headers)
self.index()
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py
--- nsasepolgen/src/sepolgen/matching.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py 2010-06-16 08:22:43.000000000 -0400
@@ -50,7 +50,7 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py 2011-05-25 16:11:58.151628058 -0400
@@ -50,7 +50,7 @@ class Match:
return 1
class MatchList:
@ -274,7 +274,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policy
def __init__(self):
# Match objects that pass the threshold
self.children = []
@@ -63,14 +63,15 @@
@@ -63,14 +63,15 @@ class MatchList:
def best(self):
if len(self.children):
return self.children[0]
@ -293,10 +293,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policy
def __iter__(self):
return iter(self.children)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-06-21 10:10:01.000000000 -0400
@@ -29,6 +29,8 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py 2011-05-25 16:11:58.151628058 -0400
@@ -29,6 +29,8 @@ import objectmodel
import access
import interfaces
import matching
@ -305,7 +305,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
# Constants for the level of explanation from the generation
# routines
@@ -77,6 +79,7 @@
@@ -77,6 +79,7 @@ class PolicyGenerator:
self.dontaudit = False
@ -313,7 +313,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -151,8 +154,41 @@
@@ -151,8 +154,41 @@ class PolicyGenerator:
rule = refpolicy.AVRule(av)
if self.dontaudit:
rule.rule_type = rule.DONTAUDIT
@ -356,10 +356,27 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
self.module.children.append(rule)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py 2010-06-16 08:22:43.000000000 -0400
@@ -1044,7 +1044,7 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py 2011-05-25 16:18:20.911964611 -0400
@@ -243,7 +243,7 @@ def t_refpolicywarn(t):
t.lexer.lineno += 1
def t_IDENTIFIER(t):
- r'[a-zA-Z_\$][a-zA-Z0-9_\-\.\$\*]*'
+ r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"]*'
# Handle any keywords
t.type = reserved.get(t.value,'IDENTIFIER')
return t
@@ -768,6 +768,7 @@ def p_avrule_def(p):
def p_typerule_def(p):
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
+ | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
'''
@@ -1044,7 +1045,7 @@ def parse_headers(root, output=None, exp
# of misc_macros. We are just going to pretend that this is an interface
# to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec")
@ -368,10 +385,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
"getattr","lock","execute","ioctl"])
can_exec.children.append(refpolicy.AVRule(av))
diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map
--- nsasepolgen/src/share/perm_map 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map 2010-06-16 08:22:43.000000000 -0400
@@ -124,7 +124,7 @@
diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map
--- policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map 2011-05-25 16:11:58.152628068 -0400
@@ -124,7 +124,7 @@ class filesystem 10
quotamod w 1
quotaget r 1
@ -380,7 +397,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
execute_no_trans r 1
entrypoint r 1
execmod n 1
@@ -141,48 +141,50 @@
@@ -141,48 +141,50 @@ class file 20
unlink w 1
link w 1
rename w 5
@ -448,7 +465,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
append w 1
unlink w 1
link w 1
@@ -191,8 +193,9 @@
@@ -191,8 +193,9 @@ class lnk_file 17
swapon b 1
quotaon b 1
mounton b 1
@ -459,7 +476,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
execute_no_trans r 1
entrypoint r 1
execmod n 1
@@ -213,8 +216,9 @@
@@ -213,8 +216,9 @@ class chr_file 20
swapon b 1
quotaon b 1
mounton b 1
@ -470,7 +487,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
ioctl n 1
read r 10
write w 10
@@ -232,8 +236,9 @@
@@ -232,8 +236,9 @@ class blk_file 17
swapon b 1
quotaon b 1
mounton b 1
@ -481,7 +498,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
ioctl n 1
read r 10
write w 10
@@ -251,8 +256,9 @@
@@ -251,8 +256,9 @@ class sock_file 17
swapon b 1
quotaon b 1
mounton b 1
@ -492,7 +509,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
ioctl n 1
read r 10
write w 10
@@ -270,6 +276,7 @@
@@ -270,6 +276,7 @@ class fifo_file 17
swapon b 1
quotaon b 1
mounton b 1

6
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.86
Release: 8%{?dist}
Release: 9%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -331,6 +331,10 @@ fi
exit 0
%changelog
* Wed May 25 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-9
- Fix var_spool template read_spool_files
- Fix sepolgen to handle filename transitions
* Mon May 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-8
- Templates cleanedup by Dominic Grift