Fix sepolicy communicate to handle invalid input

policycoreutils-rhat.patch

@@ -331654,10 +331654,10 @@ index 0000000..dc3ce6a
 +
 diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
 new file mode 100644
-index 0000000..18aa555
+index 0000000..ae5424e
 --- /dev/null
 +++ b/policycoreutils/sepolicy/info.c
-@@ -0,0 +1,895 @@
+@@ -0,0 +1,1034 @@
 +/**
 + *  @file
 + *  Command line tool to search TE rules.
@@ -331714,7 +331714,7 @@ index 0000000..18aa555
 +
 +enum input
 +{
-+	TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN,
++	TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS
 +};
 +
 +static int py_insert_long(PyObject *dict, const char *name, int value)
@@ -332136,6 +332136,141 @@ index 0000000..18aa555
 +}
 +
 +/**
++ * Prints a textual representation of an object class and possibly
++ * all of that object class' permissions.
++ *
++ * @param fp Reference to a file to which to print object class information
++ * @param type_datum Reference to sepol type_datum
++ * @param policydb Reference to a policy
++ * @param expand Flag indicating whether to print each object class'
++ * permissions
++ */
++static PyObject* get_class(const qpol_class_t * class_datum, const apol_policy_t * policydb)
++{
++	const char *class_name = NULL, *perm_name = NULL;
++	qpol_iterator_t *iter = NULL;
++	const qpol_common_t *common_datum = NULL;
++	qpol_policy_t *q = apol_policy_get_qpol(policydb);
++	int error = 0;
++	int rt;
++	PyObject *list = NULL;
++	PyObject *dict = PyDict_New();
++	if (!dict) goto err;
++
++	if (!class_datum)
++		goto err;
++
++	if (qpol_class_get_name(q, class_datum, &class_name))
++		goto err;
++
++	if (py_insert_string(dict, "name", class_name))
++		goto err;
++	/* get commons for this class */
++	if (qpol_class_get_common(q, class_datum, &common_datum))
++		goto err;
++
++	list = PyList_New(0);
++	if (!list) goto err;
++
++	if (common_datum) {
++		if (qpol_common_get_perm_iter(q, common_datum, &iter))
++			goto err;
++		/* print perms for the common */
++		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
++			if (qpol_iterator_get_item(iter, (void **)&perm_name))
++				goto err;
++			if (py_append_string(list, perm_name))
++				goto err;
++		}
++	}
++	/* print unique perms for this class */
++	if (qpol_class_get_perm_iter(q, class_datum, &iter))
++		goto err;
++	for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
++		if (qpol_iterator_get_item(iter, (void **)&perm_name))
++			goto err;
++		if (py_append_string(list, perm_name))
++			goto err;
++	}
++	rt = py_insert_obj(dict, "permlist", list);
++	Py_DECREF(list); list = NULL;
++	if (rt) goto err;
++	qpol_iterator_destroy(&iter);
++	goto cleanup;
++
++err:
++	error = errno;
++	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
++	py_decref(list); list=NULL;
++	py_decref(dict); dict=NULL;
++
++cleanup:
++	errno = error;
++	qpol_iterator_destroy(&iter);
++	return dict;
++}
++
++/**
++ * Get statistics regarding a policy's object classes.
++ * If this function is given a name, it will attempt to
++ * print statistics about a particular object class; otherwise
++ * the function prints statistics about all of the policy's object
++ * classes.
++ *
++ * @param name Reference to an object class' name; if NULL,
++ * all object classes will be considered
++ * @param policydb Reference to a policy
++ *
++ * @return 0 on success, < 0 on error.
++ */
++static PyObject*  get_classes(const char *name, const apol_policy_t * policydb)
++{
++	qpol_iterator_t *iter = NULL;
++	size_t n_classes = 0;
++	const qpol_class_t *class_datum = NULL;
++	qpol_policy_t *q = apol_policy_get_qpol(policydb);
++	int error = 0;
++	int rt;
++	PyObject *obj;
++	PyObject *list = PyList_New(0);
++	if (!list) goto err;
++
++	if (name != NULL) {
++		if (qpol_policy_get_class_by_name(q, name, &class_datum))
++			goto err;
++		obj = get_class(class_datum, policydb);
++		rt = py_append_obj(list, obj);
++		Py_DECREF(obj);
++		if (rt) goto err;
++	} else {
++		if (qpol_policy_get_class_iter(q, &iter))
++			goto err;
++		if (qpol_iterator_get_size(iter, &n_classes))
++			goto err;
++
++		for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
++			if (qpol_iterator_get_item(iter, (void **)&class_datum))
++				goto err;
++			obj = get_class(class_datum, policydb);
++			rt = py_append_obj(list, obj);
++			Py_DECREF(obj);
++			if (rt) goto err;
++		}
++		qpol_iterator_destroy(&iter);
++	}
++	goto cleanup;
++err:
++	error = errno;
++	PyErr_SetString(PyExc_RuntimeError,strerror(errno));
++	py_decref(list); list = NULL;
++
++cleanup:
++	qpol_iterator_destroy(&iter);
++	errno = error;
++	return list;
++}
++
++/**
 + * Gets statistics regarding a policy's users.
 + * If this function is given a name, it will attempt to
 + * get statistics about a particular user; otherwise
@@ -332526,6 +332661,9 @@ index 0000000..18aa555
 +	if (type == USER)
 +		output = get_users(name, policy);
 +
++	if (type == CLASS)
++		output = get_classes(name, policy);
++
 +	if (type == BOOLEAN)
 +		output = get_booleans(name, policy);
 +
@@ -332551,6 +332689,7 @@ index 0000000..18aa555
 +    PyModule_AddIntConstant(m, "ROLE", ROLE);
 +    PyModule_AddIntConstant(m, "TYPE", TYPE);
 +    PyModule_AddIntConstant(m, "USER", USER);
++    PyModule_AddIntConstant(m, "CLASS", CLASS);
 +    PyModule_AddIntConstant(m, "BOOLEAN", BOOLEAN);
 +}
 diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
@@ -334177,10 +334316,10 @@ index 0000000..a40f37d
 +selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8),  sepolicy-network(8), sepolicy-transition(8)
 diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
 new file mode 100755
-index 0000000..8dfce7c
+index 0000000..dd4adef
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy.py
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,331 @@
 +#! /usr/bin/python -Es
 +# Copyright (C) 2012 Red Hat
 +# AUTHOR: Dan Walsh <dwalsh@redhat.com>
@@ -334291,21 +334430,31 @@ index 0000000..8dfce7c
 +class CheckDomain(argparse.Action):
 +    def __call__(self, parser, namespace, values, option_string=None):
 +        from sepolicy.network import domains
-+        newval = getattr(namespace, self.dest)
-+        if not newval:
-+            newval = []
 +
 +        if isinstance(values,str):
 +            if values not in domains:
 +                raise ValueError("%s must be an SELinux process domain" % values)
-+            newval.append(values)
++            setattr(namespace, self.dest, values)
 +        else:
++            newval = getattr(namespace, self.dest)
++            if not newval:
++                newval = []
++
 +            for v in values:
 +                if v not in domains:
 +                    raise ValueError("%s must be an SELinux process domain" % values)
 +                newval.append(v)
++            setattr(namespace, self.dest, newval)
 +
-+        setattr(namespace, self.dest, newval)
++all_classes = None
++class CheckClass(argparse.Action):
++    def __call__(self, parser, namespace, values, option_string=None):
++        global all_classes
++	if not all_classes:
++		all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
++        if values not in all_classes:
++            raise ValueError("%s must be an SELinux process domain" % values)
++        setattr(namespace, self.dest, values)
 +
 +class CheckPort(argparse.Action):
 +    def __call__(self, parser, namespace, values, option_string=None):
@@ -334399,7 +334548,9 @@ index 0000000..8dfce7c
 +    comm.add_argument("-t", "--target", dest="target",
 +                      action=CheckDomain, required=True,
 +                      help=_("Target Domain"))
-+    comm.add_argument("-c", "--class", required=False, dest="tclass",  default="file", help="class to use for communications, Default 'file'")
++    comm.add_argument("-c", "--class", required=False, dest="tclass",  
++                      action=CheckClass, 
++                      default="file", help="class to use for communications, Default 'file'")
 +    comm.add_argument("-S", "--sourceaccess", required=False, dest="sourceaccess",  default="open,write", help="comma separate list of permissions for the source type to use, Default 'open,write'")
 +    comm.add_argument("-T", "--targetaccess", required=False, dest="targetaccess",  default="open,read", help="comma separated list of permissions for the target type to use, Default 'open,read'")
 +    comm.set_defaults(func=communicate)
@@ -334502,11 +334653,11 @@ index 0000000..8dfce7c
 +        sys.exit(0)        
 diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
 new file mode 100644
-index 0000000..e43a2fb
+index 0000000..ece5b4b
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
-@@ -0,0 +1,136 @@
+@@ -0,0 +1,137 @@
-+#!/usr/bin/env python
++#!/usr/bin/python
 +
 +# Author: Thomas Liu <tliu@redhat.com>
 +# Author: Dan Walsh <dwalsh@redhat.com>
@@ -334532,6 +334683,7 @@ index 0000000..e43a2fb
 +PORT = _policy.PORT
 +USER = _policy.USER
 +BOOLEAN = _policy.BOOLEAN
++TCLASS =  _policy.CLASS
 +
 +ALLOW = 'allow'
 +AUDITALLOW = 'auditallow'

policycoreutils.spec

@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 39%{?dist}
+Release: 40%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -338,6 +338,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Fri Nov 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-40
+- Fix sepolicy communicate to handle invalid input
+
 * Thu Nov 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-39
 - Fix sepolicy network -p to handle high ports