From 93a347a42a5264847cce4b8d47aab8763c87f5db Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 25 May 2011 16:20:29 -0400 Subject: [PATCH] Fix var_spool template read_spool_files Fix sepolgen to handle filename transitions --- policycoreutils-gui.patch | 4 +- policycoreutils-sepolgen.patch | 119 +++++++++++++++++++-------------- policycoreutils.spec | 6 +- 3 files changed, 75 insertions(+), 54 deletions(-) diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index 1379bdf..06085d7 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -13999,7 +13999,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0 +""" diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py --- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-04-12 10:52:07.573645242 -0400 -+++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-23 17:00:58.813198478 -0400 ++++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-25 16:09:23.350352658 -0400 @@ -0,0 +1,131 @@ +# Copyright (C) 2007-2011 Red Hat +# see file 'COPYING' for use and warranty information @@ -14073,7 +14073,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2 + ') + + files_search_spool($1) -+ read_files_pattern($1, TEMPLATETYPE_spool_t TEMPLATETYPE_spool_t) ++ read_files_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t) +') + +######################################## diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index ad2ae56..a504f05 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch 
@@ -1,7 +1,7 @@ -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py ---- nsasepolgen/src/sepolgen/access.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py 2010-06-16 08:22:43.000000000 -0400 -@@ -32,6 +32,7 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py 2011-05-25 16:11:58.150628048 -0400 +@@ -32,6 +32,7 @@ in a variety of ways, but they are the f """ import refpolicy @@ -9,7 +9,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco def is_idparam(id): """Determine if an id is a paramater in the form $N, where N is -@@ -85,6 +86,8 @@ +@@ -85,6 +86,8 @@ class AccessVector: self.obj_class = None self.perms = refpolicy.IdSet() self.audit_msgs = [] @@ -18,7 +18,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco # The direction of the information flow represented by this # access vector - used for matching -@@ -253,20 +256,22 @@ +@@ -253,20 +256,22 @@ class AccessVectorSet: for av in l: self.add_av(AccessVector(av)) 
@@ -45,10 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco access.perms.update(perms) if audit_msg: -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py ---- nsasepolgen/src/sepolgen/audit.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py 2010-06-16 08:22:43.000000000 -0400 -@@ -68,6 +68,17 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py 2011-05-25 16:11:58.150628048 -0400 +@@ -68,6 +68,17 @@ def get_dmesg_msgs(): stdout=subprocess.PIPE).communicate()[0] return output @@ -66,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor # Classes representing audit messages class AuditMessage: -@@ -127,6 +138,9 @@ +@@ -127,6 +138,9 @@ class PathMessage(AuditMessage): if fields[0] == "path": self.path = fields[1][1:-1] return @@ -76,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor class AVCMessage(AuditMessage): """AVC message representing an access denial or granted message. -@@ -167,6 +181,8 @@ +@@ -167,6 +181,8 @@ class AVCMessage(AuditMessage): self.path = "" self.accesses = [] self.denial = True @@ -85,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor def __parse_access(self, recs, start): # This is kind of sucky - the access that is in a space separated -@@ -226,7 +242,31 @@ +@@ -226,7 +242,31 @@ class AVCMessage(AuditMessage): if not found_src or not found_tgt or not found_class or not found_access: raise ValueError("AVC message in invalid format [%s]\n" % self.message) 
@@ -118,7 +118,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor class PolicyLoadMessage(AuditMessage): """Audit message indicating that the policy was reloaded.""" def __init__(self, message): -@@ -469,10 +509,10 @@ +@@ -469,10 +509,10 @@ class AuditParser: if avc_filter: if avc_filter.filter(avc): av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, @@ -131,10 +131,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor return av_set class AVCTypeFilter: -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py ---- nsasepolgen/src/sepolgen/defaults.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py 2010-06-16 08:22:43.000000000 -0400 -@@ -30,6 +30,9 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py 2011-05-25 16:11:58.150628048 -0400 +@@ -30,6 +30,9 @@ def perm_map(): def interface_info(): return data_dir() + "/interface_info" 
@@ -144,10 +144,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policy def refpolicy_devel(): return "/usr/share/selinux/devel" -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py ---- nsasepolgen/src/sepolgen/interfaces.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py 2010-06-16 08:22:43.000000000 -0400 -@@ -29,6 +29,8 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py 2011-05-25 16:11:58.151628058 -0400 +@@ -29,6 +29,8 @@ import matching from sepolgeni18n import _ @@ -156,7 +156,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli class Param: """ Object representing a paramater for an interface. -@@ -197,10 +199,48 @@ +@@ -197,10 +199,48 @@ def ifcall_extract_params(ifcall, params ret = 1 return ret @@ -207,7 +207,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli # Enabled is a loose concept currently - we are essentially # not enabling interfaces that we can't handle currently. # See InterfaceVector.add_ifv for more information. -@@ -214,10 +254,10 @@ +@@ -214,10 +254,10 @@ class InterfaceVector: # value: Param object). self.params = { } if interface: @@ -220,7 +220,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli self.name = interface.name # Add allow rules -@@ -232,6 +272,23 @@ +@@ -232,6 +272,23 @@ class InterfaceVector: for av in avs: self.add_av(av) 
@@ -244,7 +244,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli # Extract paramaters from roles for role in interface.roles(): if role_extract_params(role, self.params): -@@ -346,13 +403,13 @@ +@@ -346,13 +403,13 @@ class InterfaceSet: l = self.tgt_type_map.setdefault(type, []) l.append(ifv) @@ -262,10 +262,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli self.expand_ifcalls(headers) self.index() -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py ---- nsasepolgen/src/sepolgen/matching.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py 2010-06-16 08:22:43.000000000 -0400 -@@ -50,7 +50,7 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py 2011-05-25 16:11:58.151628058 -0400 +@@ -50,7 +50,7 @@ class Match: return 1 class MatchList: @@ -274,7 +274,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policy def __init__(self): # Match objects that pass the threshold self.children = [] -@@ -63,14 +63,15 @@ +@@ -63,14 +63,15 @@ class MatchList: def best(self): if len(self.children): return self.children[0] 
@@ -293,10 +293,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policy def __iter__(self): return iter(self.children) -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py ---- nsasepolgen/src/sepolgen/policygen.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-06-21 10:10:01.000000000 -0400 -@@ -29,6 +29,8 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py 2011-05-25 16:11:58.151628058 -0400 +@@ -29,6 +29,8 @@ import objectmodel import access import interfaces import matching @@ -305,7 +305,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic # Constants for the level of explanation from the generation # routines -@@ -77,6 +79,7 @@ +@@ -77,6 +79,7 @@ class PolicyGenerator: self.dontaudit = False @@ -313,7 +313,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic def set_gen_refpol(self, if_set=None, perm_maps=None): """Set whether reference policy interfaces are generated. -@@ -151,8 +154,41 @@ +@@ -151,8 +154,41 @@ class PolicyGenerator: rule = refpolicy.AVRule(av) if self.dontaudit: rule.rule_type = rule.DONTAUDIT 
@@ -356,10 +356,27 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic self.module.children.append(rule) -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py ---- nsasepolgen/src/sepolgen/refparser.py 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py 2010-06-16 08:22:43.000000000 -0400 -@@ -1044,7 +1044,7 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py 2011-05-25 16:18:20.911964611 -0400 +@@ -243,7 +243,7 @@ def t_refpolicywarn(t): + t.lexer.lineno += 1 + + def t_IDENTIFIER(t): +- r'[a-zA-Z_\$][a-zA-Z0-9_\-\.\$\*]*' ++ r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"]*' + # Handle any keywords + t.type = reserved.get(t.value,'IDENTIFIER') + return t +@@ -768,6 +768,7 @@ def p_avrule_def(p): + + def p_typerule_def(p): + '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI ++ | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI + | TYPE_CHANGE names names COLON names IDENTIFIER SEMI + | TYPE_MEMBER names names COLON names IDENTIFIER SEMI + ''' +@@ -1044,7 +1045,7 @@ def parse_headers(root, output=None, exp # of misc_macros. We are just going to pretend that this is an interface # to make the expansion work correctly. can_exec = refpolicy.Interface("can_exec") 
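Review bot: The `t_IDENTIFIER` change in the refparser.py hunk folds `"` into the identifier character class instead of lexing a quoted string, so the filename in the new `TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI` alternative only matches when the quoted name contains no character outside `[a-zA-Z0-9_\-\.\$\*\"]` — a name with a space, `+`, `,` or `/` splits into several tokens and the rule fails to parse, while a name that does match keeps its surrounding quotes and is still looked up through `reserved.get(t.value,'IDENTIFIER')`. The same class now also accepts a stray `"` in the middle of an ordinary identifier. A narrower fix is a dedicated token, `t_FILENAME = r'"[^"]*"'` (listed in `tokens`), with `| TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI` in the production and `t_IDENTIFIER` left unchanged. The action body of `p_typerule_def`, which decides whether the eighth symbol is stored or ignored, lies outside the hunk, so confirm it still reads `p[6]` as the default type for both alternatives; `parse_headers` likewise continues past the end of the hunk.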
@@ -368,10 +385,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic "getattr","lock","execute","ioctl"]) can_exec.children.append(refpolicy.AVRule(av)) -diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map ---- nsasepolgen/src/share/perm_map 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map 2010-06-16 08:22:43.000000000 -0400 -@@ -124,7 +124,7 @@ +diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map +--- policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen 2010-03-24 15:57:20.000000000 -0400 ++++ policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map 2011-05-25 16:11:58.152628068 -0400 +@@ -124,7 +124,7 @@ class filesystem 10 quotamod w 1 quotaget r 1 @@ -380,7 +397,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut execute_no_trans r 1 entrypoint r 1 execmod n 1 -@@ -141,48 +141,50 @@ +@@ -141,48 +141,50 @@ class file 20 unlink w 1 link w 1 rename w 5 @@ -448,7 +465,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut append w 1 unlink w 1 link w 1 -@@ -191,8 +193,9 @@ +@@ -191,8 +193,9 @@ class lnk_file 17 swapon b 1 quotaon b 1 mounton b 1 @@ -459,7 +476,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut execute_no_trans r 1 entrypoint r 1 execmod n 1 -@@ -213,8 +216,9 @@ +@@ -213,8 +216,9 @@ class chr_file 20 swapon b 1 quotaon b 1 mounton b 1 @@ -470,7 +487,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut ioctl n 1 read r 10 write w 10 -@@ -232,8 +236,9 @@ +@@ -232,8 +236,9 @@ class blk_file 17 swapon b 1 quotaon b 1 mounton b 1 
@@ -481,7 +498,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut ioctl n 1 read r 10 write w 10 -@@ -251,8 +256,9 @@ +@@ -251,8 +256,9 @@ class sock_file 17 swapon b 1 quotaon b 1 mounton b 1 @@ -492,7 +509,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut ioctl n 1 read r 10 write w 10 -@@ -270,6 +276,7 @@ +@@ -270,6 +276,7 @@ class fifo_file 17 swapon b 1 quotaon b 1 mounton b 1 diff --git a/policycoreutils.spec b/policycoreutils.spec index 5ce8811..152628a 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.86 -Release: 8%{?dist} +Release: 9%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -331,6 +331,10 @@ fi exit 0 %changelog +* Wed May 25 2011 Dan Walsh 2.0.86-9 +- Fix var_spool template read_spool_files +- Fix sepolgen to handle filename transitions + * Mon May 23 2011 Dan Walsh 2.0.86-8 - Templates cleanedup by Dominic Grift