rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix var_spool template read_spool_files

Browse Source 
Fix sepolgen to handle filename transitions
This commit is contained in:
Dan Walsh 2011-05-25 16:20:29 -04:00
parent ed0051b493
commit 93a347a42a
3 changed files with 75 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
policycoreutils-gui.patch
View File

@ -13999,7 +13999,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0
+""" +"""
diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py
--- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-04-12 10:52:07.573645242 -0400 --- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-04-12 10:52:07.573645242 -0400
+++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-23 17:00:58.813198478 -0400 +++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-25 16:09:23.350352658 -0400
@@ -0,0 +1,131 @@ @@ -0,0 +1,131 @@
+# Copyright (C) 2007-2011 Red Hat +# Copyright (C) 2007-2011 Red Hat
+# see file 'COPYING' for use and warranty information +# see file 'COPYING' for use and warranty information
@ -14073,7 +14073,7 @@ diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2
+ ') + ')
+ +
+ files_search_spool($1) + files_search_spool($1)
+ read_files_pattern($1, TEMPLATETYPE_spool_t TEMPLATETYPE_spool_t) + read_files_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
+') +')
+ +
+######################################## +########################################

119
policycoreutils-sepolgen.patch
View File

@ -1,7 +1,7 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py 2010-06-16 08:22:43.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/access.py 2011-05-25 16:11:58.150628048 -0400
@@ -32,6 +32,7 @@ @@ -32,6 +32,7 @@ in a variety of ways, but they are the f
""" """
import refpolicy import refpolicy
@ -9,7 +9,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
def is_idparam(id): def is_idparam(id):
"""Determine if an id is a paramater in the form $N, where N is """Determine if an id is a paramater in the form $N, where N is
@@ -85,6 +86,8 @@ @@ -85,6 +86,8 @@ class AccessVector:
self.obj_class = None self.obj_class = None
self.perms = refpolicy.IdSet() self.perms = refpolicy.IdSet()
self.audit_msgs = [] self.audit_msgs = []
@ -18,7 +18,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
# The direction of the information flow represented by this # The direction of the information flow represented by this
# access vector - used for matching # access vector - used for matching
@@ -253,20 +256,22 @@ @@ -253,20 +256,22 @@ class AccessVectorSet:
for av in l: for av in l:
self.add_av(AccessVector(av)) self.add_av(AccessVector(av))
@ -45,10 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
access.perms.update(perms) access.perms.update(perms)
if audit_msg: if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py 2010-06-16 08:22:43.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/audit.py 2011-05-25 16:11:58.150628048 -0400
@@ -68,6 +68,17 @@ @@ -68,6 +68,17 @@ def get_dmesg_msgs():
stdout=subprocess.PIPE).communicate()[0] stdout=subprocess.PIPE).communicate()[0]
return output return output
@ -66,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
# Classes representing audit messages # Classes representing audit messages
class AuditMessage: class AuditMessage:
@@ -127,6 +138,9 @@ @@ -127,6 +138,9 @@ class PathMessage(AuditMessage):
if fields[0] == "path": if fields[0] == "path":
self.path = fields[1][1:-1] self.path = fields[1][1:-1]
return return
@ -76,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
class AVCMessage(AuditMessage): class AVCMessage(AuditMessage):
"""AVC message representing an access denial or granted message. """AVC message representing an access denial or granted message.
@@ -167,6 +181,8 @@ @@ -167,6 +181,8 @@ class AVCMessage(AuditMessage):
self.path = "" self.path = ""
self.accesses = [] self.accesses = []
self.denial = True self.denial = True
@ -85,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
def __parse_access(self, recs, start): def __parse_access(self, recs, start):
# This is kind of sucky - the access that is in a space separated # This is kind of sucky - the access that is in a space separated
@@ -226,7 +242,31 @@ @@ -226,7 +242,31 @@ class AVCMessage(AuditMessage):
if not found_src or not found_tgt or not found_class or not found_access: if not found_src or not found_tgt or not found_class or not found_access:
raise ValueError("AVC message in invalid format [%s]\n" % self.message) raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@ -118,7 +118,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
class PolicyLoadMessage(AuditMessage): class PolicyLoadMessage(AuditMessage):
"""Audit message indicating that the policy was reloaded.""" """Audit message indicating that the policy was reloaded."""
def __init__(self, message): def __init__(self, message):
@@ -469,10 +509,10 @@ @@ -469,10 +509,10 @@ class AuditParser:
if avc_filter: if avc_filter:
if avc_filter.filter(avc): if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@ -131,10 +131,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
return av_set return av_set
class AVCTypeFilter: class AVCTypeFilter:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py
--- nsasepolgen/src/sepolgen/defaults.py 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py 2010-06-16 08:22:43.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/defaults.py 2011-05-25 16:11:58.150628048 -0400
@@ -30,6 +30,9 @@ @@ -30,6 +30,9 @@ def perm_map():
def interface_info(): def interface_info():
return data_dir() + "/interface_info" return data_dir() + "/interface_info"
@ -144,10 +144,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policy
def refpolicy_devel(): def refpolicy_devel():
return "/usr/share/selinux/devel" return "/usr/share/selinux/devel"
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py
--- nsasepolgen/src/sepolgen/interfaces.py 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py 2010-06-16 08:22:43.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/interfaces.py 2011-05-25 16:11:58.151628058 -0400
@@ -29,6 +29,8 @@ @@ -29,6 +29,8 @@ import matching
from sepolgeni18n import _ from sepolgeni18n import _
@ -156,7 +156,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
class Param: class Param:
""" """
Object representing a paramater for an interface. Object representing a paramater for an interface.
@@ -197,10 +199,48 @@ @@ -197,10 +199,48 @@ def ifcall_extract_params(ifcall, params
ret = 1 ret = 1
return ret return ret
@ -207,7 +207,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
# Enabled is a loose concept currently - we are essentially # Enabled is a loose concept currently - we are essentially
# not enabling interfaces that we can't handle currently. # not enabling interfaces that we can't handle currently.
# See InterfaceVector.add_ifv for more information. # See InterfaceVector.add_ifv for more information.
@@ -214,10 +254,10 @@ @@ -214,10 +254,10 @@ class InterfaceVector:
# value: Param object). # value: Param object).
self.params = { } self.params = { }
if interface: if interface:
@ -220,7 +220,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
self.name = interface.name self.name = interface.name
# Add allow rules # Add allow rules
@@ -232,6 +272,23 @@ @@ -232,6 +272,23 @@ class InterfaceVector:
for av in avs: for av in avs:
self.add_av(av) self.add_av(av)
@ -244,7 +244,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
# Extract paramaters from roles # Extract paramaters from roles
for role in interface.roles(): for role in interface.roles():
if role_extract_params(role, self.params): if role_extract_params(role, self.params):
@@ -346,13 +403,13 @@ @@ -346,13 +403,13 @@ class InterfaceSet:
l = self.tgt_type_map.setdefault(type, []) l = self.tgt_type_map.setdefault(type, [])
l.append(ifv) l.append(ifv)
@ -262,10 +262,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py poli
self.expand_ifcalls(headers) self.expand_ifcalls(headers)
self.index() self.index()
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py
--- nsasepolgen/src/sepolgen/matching.py 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py 2010-06-16 08:22:43.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/matching.py 2011-05-25 16:11:58.151628058 -0400
@@ -50,7 +50,7 @@ @@ -50,7 +50,7 @@ class Match:
return 1 return 1
class MatchList: class MatchList:
@ -274,7 +274,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policy
def __init__(self): def __init__(self):
# Match objects that pass the threshold # Match objects that pass the threshold
self.children = [] self.children = []
@@ -63,14 +63,15 @@ @@ -63,14 +63,15 @@ class MatchList:
def best(self): def best(self):
if len(self.children): if len(self.children):
return self.children[0] return self.children[0]
@ -293,10 +293,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policy
def __iter__(self): def __iter__(self):
return iter(self.children) return iter(self.children)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py 2010-06-21 10:10:01.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/policygen.py 2011-05-25 16:11:58.151628058 -0400
@@ -29,6 +29,8 @@ @@ -29,6 +29,8 @@ import objectmodel
import access import access
import interfaces import interfaces
import matching import matching
@ -305,7 +305,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
# Constants for the level of explanation from the generation # Constants for the level of explanation from the generation
# routines # routines
@@ -77,6 +79,7 @@ @@ -77,6 +79,7 @@ class PolicyGenerator:
self.dontaudit = False self.dontaudit = False
@ -313,7 +313,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
def set_gen_refpol(self, if_set=None, perm_maps=None): def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated. """Set whether reference policy interfaces are generated.
@@ -151,8 +154,41 @@ @@ -151,8 +154,41 @@ class PolicyGenerator:
rule = refpolicy.AVRule(av) rule = refpolicy.AVRule(av)
if self.dontaudit: if self.dontaudit:
rule.rule_type = rule.DONTAUDIT rule.rule_type = rule.DONTAUDIT
@ -356,10 +356,27 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
self.module.children.append(rule) self.module.children.append(rule)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py 2010-06-16 08:22:43.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/sepolgen/refparser.py 2011-05-25 16:18:20.911964611 -0400
@@ -1044,7 +1044,7 @@ @@ -243,7 +243,7 @@ def t_refpolicywarn(t):
t.lexer.lineno += 1
def t_IDENTIFIER(t):
- r'[a-zA-Z_\$][a-zA-Z0-9_\-\.\$\*]*'
+ r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\.\$\*\"]*'
# Handle any keywords
t.type = reserved.get(t.value,'IDENTIFIER')
return t
@@ -768,6 +768,7 @@ def p_avrule_def(p):
def p_typerule_def(p):
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
+ | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
'''
@@ -1044,7 +1045,7 @@ def parse_headers(root, output=None, exp
# of misc_macros. We are just going to pretend that this is an interface # of misc_macros. We are just going to pretend that this is an interface
# to make the expansion work correctly. # to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec") can_exec = refpolicy.Interface("can_exec")
@ -368,10 +385,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
"getattr","lock","execute","ioctl"]) "getattr","lock","execute","ioctl"])
can_exec.children.append(refpolicy.AVRule(av)) can_exec.children.append(refpolicy.AVRule(av))
diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map diff -up policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map
--- nsasepolgen/src/share/perm_map 2010-05-19 14:45:51.000000000 -0400 --- policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map.sepolgen 2010-03-24 15:57:20.000000000 -0400
+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map 2010-06-16 08:22:43.000000000 -0400 +++ policycoreutils-2.0.86/sepolgen-1.0.23/src/share/perm_map 2011-05-25 16:11:58.152628068 -0400
@@ -124,7 +124,7 @@ @@ -124,7 +124,7 @@ class filesystem 10
quotamod w 1 quotamod w 1
quotaget r 1 quotaget r 1
@ -380,7 +397,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
execute_no_trans r 1 execute_no_trans r 1
entrypoint r 1 entrypoint r 1
execmod n 1 execmod n 1
@@ -141,48 +141,50 @@ @@ -141,48 +141,50 @@ class file 20
unlink w 1 unlink w 1
link w 1 link w 1
rename w 5 rename w 5
@ -448,7 +465,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
append w 1 append w 1
unlink w 1 unlink w 1
link w 1 link w 1
@@ -191,8 +193,9 @@ @@ -191,8 +193,9 @@ class lnk_file 17
swapon b 1 swapon b 1
quotaon b 1 quotaon b 1
mounton b 1 mounton b 1
@ -459,7 +476,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
execute_no_trans r 1 execute_no_trans r 1
entrypoint r 1 entrypoint r 1
execmod n 1 execmod n 1
@@ -213,8 +216,9 @@ @@ -213,8 +216,9 @@ class chr_file 20
swapon b 1 swapon b 1
quotaon b 1 quotaon b 1
mounton b 1 mounton b 1
@ -470,7 +487,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
ioctl n 1 ioctl n 1
read r 10 read r 10
write w 10 write w 10
@@ -232,8 +236,9 @@ @@ -232,8 +236,9 @@ class blk_file 17
swapon b 1 swapon b 1
quotaon b 1 quotaon b 1
mounton b 1 mounton b 1
@ -481,7 +498,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
ioctl n 1 ioctl n 1
read r 10 read r 10
write w 10 write w 10
@@ -251,8 +256,9 @@ @@ -251,8 +256,9 @@ class sock_file 17
swapon b 1 swapon b 1
quotaon b 1 quotaon b 1
mounton b 1 mounton b 1
@ -492,7 +509,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreut
ioctl n 1 ioctl n 1
read r 10 read r 10
write w 10 write w 10
@@ -270,6 +276,7 @@ @@ -270,6 +276,7 @@ class fifo_file 17
swapon b 1 swapon b 1
quotaon b 1 quotaon b 1
mounton b 1 mounton b 1

6
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.86 Version: 2.0.86
Release: 8%{?dist} Release: 9%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -331,6 +331,10 @@ fi
exit 0 exit 0
%changelog %changelog
* Wed May 25 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-9
- Fix var_spool template read_spool_files
- Fix sepolgen to handle filename transitions
* Mon May 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-8 * Mon May 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-8
- Templates cleanedup by Dominic Grift - Templates cleanedup by Dominic Grift