diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index e34b245..772c6c1 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -2463,8 +2463,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic + self.error(e.args[0]) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.85/gui/polgen.glade --- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.85/gui/polgen.glade 2011-01-06 16:45:14.000000000 -0500 -@@ -0,0 +1,3305 @@ ++++ policycoreutils-2.0.85/gui/polgen.glade 2011-01-14 14:38:17.000000000 -0500 +@@ -0,0 +1,3326 @@ + + + @@ -2822,6 +2822,27 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + False + + ++ ++ ++ ++ True ++ User Application are any application that you would like to confine that is started by a user ++ True ++ Sandbox ++ True ++ GTK_RELIEF_NORMAL ++ True ++ False ++ False ++ True ++ init_radiobutton ++ ++ ++ 0 ++ False ++ False ++ ++ + + + 0 @@ -5783,8 +5804,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policy + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.85/gui/polgengui.py --- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.85/gui/polgengui.py 2011-01-10 14:24:00.000000000 -0500 -@@ -0,0 +1,662 @@ ++++ policycoreutils-2.0.85/gui/polgengui.py 2011-01-14 14:38:34.000000000 -0500 +@@ -0,0 +1,665 @@ +#!/usr/bin/python -Es +# +# polgengui.py - GUI for SELinux Config tool in system-config-selinux @@ -5916,7 +5937,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.pages[i] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] + self.pages[polgen.RUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.ADMIN_PAGE, self.USER_TRANSITION_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] + self.pages[polgen.LUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] -+ ++ self.pages[polgen.SANDBOX] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_POLICY_PAGE] + self.pages[polgen.EUSER] = [ self.START_PAGE, self.SELECT_TYPE_PAGE, self.EXISTING_USER_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE, self.GEN_USER_POLICY_PAGE] + + for i in polgen.APPLICATIONS: @@ -6125,6 +6146,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + return self.name_entry.get_text() + + def get_type(self): ++ if self.sandbox_radiobutton.get_active(): ++ return polgen.SANDBOX + if self.cgi_radiobutton.get_active(): + return polgen.CGI + if self.user_radiobutton.get_active(): @@ -6317,6 +6340,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + self.inetd_radiobutton = self.xml.get_widget("inetd_radiobutton") + self.dbus_radiobutton = self.xml.get_widget("dbus_radiobutton") + self.cgi_radiobutton = self.xml.get_widget("cgi_radiobutton") ++ self.sandbox_radiobutton = self.xml.get_widget("sandbox_radiobutton") + self.tmp_checkbutton = self.xml.get_widget("tmp_checkbutton") + self.uid_checkbutton = self.xml.get_widget("uid_checkbutton") + self.pam_checkbutton = self.xml.get_widget("pam_checkbutton") @@ -6449,8 +6473,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.85/gui/polgen.py --- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.85/gui/polgen.py 2011-01-06 16:45:14.000000000 -0500 -@@ -0,0 +1,1311 @@ ++++ policycoreutils-2.0.85/gui/polgen.py 2011-01-14 14:05:54.000000000 -0500 +@@ -0,0 +1,1346 @@ +#!/usr/bin/python -Es +# +# Copyright (C) 2007-2010 Red Hat @@ -6597,6 +6621,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore +AUSER = 8 +EUSER = 9 +RUSER = 10 ++SANDBOX = 11 + +poltype={} +poltype[DAEMON] = _("Standard Init Daemon") @@ -6609,7 +6634,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore +poltype[LUSER] = _("User Role") +poltype[AUSER] = _("Admin User Role") +poltype[RUSER] = _("Root Admin User Role") -+ ++poltype[SANDBOX] = _("Sandbox") + +APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ] +USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER] @@ -6756,6 +6781,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore +( self.generate_inetd_types, self.generate_inetd_rules), \ +( self.generate_userapp_types, self.generate_userapp_rules), \ +( self.generate_cgi_types, self.generate_cgi_rules), \ ++( self.generate_sandbox_types, self.generate_sandbox_rules), \ +( self.generate_x_login_user_types, self.generate_x_login_user_rules), \ +( self.generate_min_login_user_types, self.generate_login_user_rules), \ +( self.generate_login_user_types, self.generate_login_user_rules), \ @@ -6768,7 +6794,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.name = "httpd_%s_script" % name + else: + self.name = name -+ self.file_name = name ++ ++ self.file_name = name + + self.capabilities = [] + self.processes = [] @@ -6920,7 +6947,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.use_mail = val == True + + def set_use_tmp(self, val): -+ if self.type not in APPLICATIONS: ++ if self.type in USERS: + raise ValueError(_("USER Types automatically get a tmp type")) + + if val: @@ -7192,11 +7219,19 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + return newte + + def generate_dbus_if(self): -+ newif ="" ++ newif = "" + if self.use_dbus: + newif = re.sub("TEMPLATETYPE", self.name, executable.if_dbus_rules) + return newif + ++ def generate_sandbox_if(self): ++ newif = "" ++ if self.type != SANDBOX: ++ return newif ++ newif = re.sub("TEMPLATETYPE", self.name, executable.if_sandbox_rules) ++ return newif ++ ++ + def generate_admin_if(self): + newif = "" + newtypes = "" @@ -7222,6 +7257,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + def generate_cgi_types(self): + return re.sub("TEMPLATETYPE", self.file_name, executable.te_cgi_types) + ++ def generate_sandbox_types(self): ++ return re.sub("TEMPLATETYPE", self.file_name, executable.te_sandbox_types) ++ + def generate_userapp_types(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_types) + @@ -7274,6 +7312,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + newte += re.sub("BOOLEAN", b, boolean.te_rules) + return newte + ++ def generate_sandbox_te(self): ++ return re.sub("TEMPLATETYPE", self.name, executable.te_sandbox_types) ++ + def generate_cgi_te(self): + return re.sub("TEMPLATETYPE", self.name, executable.te_cgi_types) + @@ -7315,6 +7356,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + newte += re.sub("TEMPLATETYPE", self.name, executable.te_cgi_rules) + return newte + ++ def generate_sandbox_rules(self): ++ newte = "" ++ newte += re.sub("TEMPLATETYPE", self.name, executable.te_sandbox_rules) ++ return newte ++ + def generate_user_if(self): + newif ="" + if self.use_terminal or self.type == USER: @@ -7342,6 +7388,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + newif += self.generate_user_if() + newif += self.generate_dbus_if() + newif += self.generate_admin_if() ++ newif += self.generate_sandbox_if() + + return newif + @@ -7416,7 +7463,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + def generate_fc(self): + newfc = "" + fclist = [] -+ if self.type in USERS: ++ if self.type in USERS + [ SANDBOX ]: + return re.sub("EXECUTABLE", self.program, executable.fc_user) + if self.program == "": + raise ValueError(_("You must enter the executable path for your confined process")) @@ -7632,6 +7679,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_out_tcp(0,"8000") + print mypolicy.generate(tmpdir) + ++ mypolicy = policy("mycgi", SANDBOX) ++ mypolicy.set_in_tcp(1, 0, 0, "512, 55000-55000") ++ mypolicy.set_in_udp(1, 0, 0, "1513") ++ mypolicy.set_use_uid(True) ++ mypolicy.set_use_tmp(False) ++ mypolicy.set_use_syslog(True) ++ mypolicy.set_use_pam(True) ++ mypolicy.set_out_tcp(0,"8000") ++ print mypolicy.generate(tmpdir) ++ + mypolicy = policy("myinetd", INETD) + mypolicy.set_program("/usr/bin/mytest") + mypolicy.set_in_tcp(1, 0, 0, "513") @@ -7702,7 +7759,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + print _(""" +%s + -+polgen [ -m ] [ -t type ] [ executable | Name ] ++sepolgen [ -m ] [ -t type ] [ executable | Name ] +valid Types: +""") % msg + keys=poltype.keys() @@ -7754,7 +7811,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + name = os.path.basename(cmds[0]).replace("-","_") + cmd = cmds[0] + mypolicy = policy(name, setype) -+ mypolicy.set_program(cmd) ++ if setype not in USERS + [ SANDBOX ]: ++ mypolicy.set_program(cmd) ++ + if setype in APPLICATIONS: + mypolicy.gen_writeable() + mypolicy.gen_symbols() @@ -12022,8 +12081,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.85/gui/templates/executable.py --- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.85/gui/templates/executable.py 2011-01-06 16:45:14.000000000 -0500 -@@ -0,0 +1,393 @@ ++++ policycoreutils-2.0.85/gui/templates/executable.py 2011-01-14 14:20:52.000000000 -0500 +@@ -0,0 +1,447 @@ +# Copyright (C) 2007-2009 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -12112,6 +12171,21 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +permissive TEMPLATETYPE_t; +""" + ++te_sandbox_types="""\ ++policy_module(TEMPLATETYPE,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++sandbox_x_domain_template(TEMPLATETYPE) ++ ++permissive TEMPLATETYPE_t; ++permissive TEMPLATETYPE_client_t; ++ ++""" ++ +te_cgi_types="""\ +policy_module(TEMPLATETYPE,1.0.0) + @@ -12144,6 +12218,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +te_cgi_rules=""" +""" + ++te_sandbox_rules=""" ++""" ++ +te_uid_rules=""" +auth_use_nsswitch(TEMPLATETYPE_t) +""" @@ -12295,6 +12372,42 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable + +""" + ++if_sandbox_rules=""" ++######################################## ++## ++## Execute sandbox in the TEMPLATETYPE_t domain, and ++## allow the specified role the TEMPLATETYPE_t domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the TEMPLATETYPE_t domain. ++## ++## ++# ++interface(`TEMPLATETYPE_transition',` ++ gen_require(` ++ type TEMPLATETYPE_t; ++ type TEMPLATETYPE_client_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_t:process { signal_perms transition }; ++ dontaudit $1 TEMPLATETYPE_t:process { noatsecure siginh rlimitinh }; ++ role $2 types TEMPLATETYPE_t; ++ role $2 types TEMPLATETYPE_client_t; ++ ++ allow TEMPLATETYPE_t $1:process { sigchld signull }; ++ allow TEMPLATETYPE_t $1:fifo_file rw_inherited_fifo_file_perms; ++ allow TEMPLATETYPE_client_t $1:process { sigchld signull }; ++ allow TEMPLATETYPE_client_t $1:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++""" ++ +if_role_change_rules=""" +######################################## +## @@ -12523,1313 +12636,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py +corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t) +""" + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/polgen.py policycoreutils-2.0.85/gui/templates/polgen.py ---- nsapolicycoreutils/gui/templates/polgen.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.85/gui/templates/polgen.py 2011-01-06 16:45:14.000000000 -0500 -@@ -0,0 +1,1303 @@ -+#!/usr/bin/python -Es -+# -+# Copyright (C) 2007-2010 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# policygentool is a tool for the initial generation of SELinux policy -+# -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License as -+# published by the Free Software Foundation; either version 2 of -+# the License, or (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA -+# 02111-1307 USA -+# -+# -+import os, sys, stat -+import re -+import commands -+import setools -+ -+from templates import executable -+from templates import boolean -+from templates import etc_rw -+from templates import var_cache -+from templates import var_spool -+from templates import var_lib -+from templates import var_log -+from templates import var_run -+from templates import tmp -+from templates import rw -+from templates import network -+from templates import script -+from templates import user -+import sepolgen.interfaces as interfaces -+import sepolgen.defaults as defaults -+ -+## -+## I18N -+## -+PROGNAME="policycoreutils" -+ -+import gettext -+gettext.bindtextdomain(PROGNAME, "/usr/share/locale") -+gettext.textdomain(PROGNAME) -+try: -+ gettext.install(PROGNAME, -+ localedir="/usr/share/locale", -+ unicode=False, -+ codeset = 'utf-8') -+except IOError: -+ import __builtin__ -+ __builtin__.__dict__['_'] = unicode -+ -+methods = [] -+fn = defaults.interface_info() -+try: -+ fd = open(fn) -+ # List of per_role_template interfaces -+ ifs = interfaces.InterfaceSet() -+ ifs.from_file(fd) -+ methods = ifs.interfaces.keys() -+ fd.close() -+except: -+ sys.stderr.write("could not open interface info [%s]\n" % fn) -+ sys.exit(1) -+ -+def get_all_types(): -+ return map(lambda x: x['name'], setools.seinfo(setools.TYPE)) -+ -+def get_all_ports(): -+ dict = {} -+ for p in setools.seinfo(setools.PORT): -+ dict[(p['low'], p['high'], p['protocol'])]=(p['type'], p['range']) -+ return dict -+ -+def get_all_roles(): -+ roles = map(lambda x: x['name'], setools.seinfo(setools.ROLE)) -+ roles.remove("object_r") -+ roles.sort() -+ return roles -+ -+def get_all_domains(): -+ all_domains = [] -+ types=get_all_types() -+ types.sort() -+ for i in types: -+ m = re.findall("(.*)%s" % "_exec_t$", i) -+ if len(m) > 0: -+ if len(re.findall("(.*)%s" % "_initrc$", m[0])) == 0 and m[0] not in all_domains: -+ all_domains.append(m[0]) -+ return all_domains -+ -+def get_all_modules(): -+ try: -+ all_modules = [] -+ rc, output=commands.getstatusoutput("semodule -l 2>/dev/null") -+ if rc == 0: -+ l = output.split("\n") -+ for i in l: -+ all_modules.append(i.split()[0]) -+ except: -+ pass -+ -+ return all_modules -+ -+def get_all_users(): -+ users = map(lambda x: x['name'], setools.seinfo(setools.USER)) -+ users.remove("system_u") -+ users.remove("root") -+ users.sort() -+ return users -+ -+ALL = 0 -+RESERVED = 1 -+UNRESERVED = 2 -+PORTS = 3 -+ADMIN_TRANSITION_INTERFACE = "_admin$" -+USER_TRANSITION_INTERFACE = "_role$" -+ -+DAEMON = 0 -+DBUS = 1 -+INETD = 2 -+USER = 3 -+CGI = 4 -+XUSER = 5 -+TUSER = 6 -+LUSER = 7 -+AUSER = 8 -+EUSER = 9 -+RUSER = 10 -+ -+poltype={} -+poltype[DAEMON] = _("Standard Init Daemon") -+poltype[DBUS] = _("DBUS System Daemon") -+poltype[INETD] = _("Internet Services Daemon") -+poltype[CGI] = _("Web Application/Script (CGI)") -+poltype[USER] = _("User Application") -+poltype[TUSER] = _("Minimal Terminal User Role") -+poltype[XUSER] = _("Minimal X Windows User Role") -+poltype[LUSER] = _("User Role") -+poltype[AUSER] = _("Admin User Role") -+poltype[RUSER] = _("Root Admin User Role") -+ -+ -+APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ] -+USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER] -+ -+def verify_ports(ports): -+ if ports == "": -+ return [] -+ max_port=2**16 -+ try: -+ temp = [] -+ for a in ports.split(","): -+ r = a.split("-") -+ if len(r) > 2: -+ raise ValueError -+ if len(r) == 1: -+ begin = int (r[0]) -+ end = int (r[0]) -+ else: -+ begin = int (r[0]) -+ end = int (r[1]) -+ -+ if begin > end: -+ raise ValueError -+ -+ for p in range(begin, end + 1): -+ if p < 1 or p > max_port: -+ raise ValueError -+ temp.append(p) -+ return temp -+ except ValueError: -+ raise ValueError(_("Ports must be numbers or ranges of numbers from 1 to %d " % max_port )) -+ -+class policy: -+ -+ def __init__(self, name, type): -+ self.ports = [] -+ try: -+ self.ports = get_all_ports() -+ except ValueError, e: -+ print "Can not get port types, must be root for this information" -+ -+ self.symbols = {} -+ self.symbols["openlog"] = "set_use_kerberos(True)" -+ self.symbols["openlog"] = "set_use_kerb_rcache(True)" -+ self.symbols["openlog"] = "set_use_syslog(True)" -+ self.symbols["gethostby"] = "set_use_resolve(True)" -+ self.symbols["getaddrinfo"] = "set_use_resolve(True)" -+ self.symbols["getnameinfo"] = "set_use_resolve(True)" -+ self.symbols["krb"] = "set_use_kerberos(True)" -+ self.symbols["gss_accept_sec_context"] = "set_manage_krb5_rcache(True)" -+ self.symbols["krb5_verify_init_creds"] = "set_manage_krb5_rcache(True)" -+ self.symbols["krb5_rd_req"] = "set_manage_krb5_rcache(True)" -+ self.symbols["__syslog_chk"] = "set_use_syslog(True)" -+ self.symbols["getpwnam"] = "set_use_uid(True)" -+ self.symbols["getpwuid"] = "set_use_uid(True)" -+ self.symbols["dbus_"] = "set_use_dbus(True)" -+ self.symbols["pam_"] = "set_use_pam(True)" -+ self.symbols["pam_"] = "set_use_audit(True)" -+ self.symbols["fork"] = "add_process('fork')" -+ self.symbols["transition"] = "add_process('transition')" -+ self.symbols["sigchld"] = "add_process('sigchld')" -+ self.symbols["sigkill"] = "add_process('sigkill')" -+ self.symbols["sigstop"] = "add_process('sigstop')" -+ self.symbols["signull"] = "add_process('signull')" -+ self.symbols["signal"] = "add_process('signal')" -+ self.symbols["ptrace"] = "add_process('ptrace')" -+ self.symbols["getsched"] = "add_process('getsched')" -+ self.symbols["setsched"] = "add_process('setsched')" -+ self.symbols["getsession"] = "add_process('getsession')" -+ self.symbols["getpgid"] = "add_process('getpgid')" -+ self.symbols["setpgid"] = "add_process('setpgid')" -+ self.symbols["getcap"] = "add_process('getcap')" -+ self.symbols["setcap"] = "add_process('setcap')" -+ self.symbols["share"] = "add_process('share')" -+ self.symbols["getattr"] = "add_process('getattr')" -+ self.symbols["setexec"] = "add_process('setexec')" -+ self.symbols["setfscreate"] = "add_process('setfscreate')" -+ self.symbols["noatsecure"] = "add_process('noatsecure')" -+ self.symbols["siginh"] = "add_process('siginh')" -+ self.symbols["setrlimit"] = "add_process('setrlimit')" -+ self.symbols["rlimitinh"] = "add_process('rlimitinh')" -+ self.symbols["dyntransition"] = "add_process('dyntransition')" -+ self.symbols["setcurrent"] = "add_process('setcurrent')" -+ self.symbols["execmem"] = "add_process('execmem')" -+ self.symbols["execstack"] = "add_process('execstack')" -+ self.symbols["execheap"] = "add_process('execheap')" -+ self.symbols["setkeycreate"] = "add_process('setkeycreate')" -+ self.symbols["setsockcreate"] = "add_process('setsockcreate')" -+ -+ self.symbols["chown"] = "add_capability('chown')" -+ self.symbols["dac_override"] = "add_capability('dac_override')" -+ self.symbols["dac_read_search"] = "add_capability('dac_read_search')" -+ self.symbols["fowner"] = "add_capability('fowner')" -+ self.symbols["fsetid"] = "add_capability('fsetid')" -+ self.symbols["kill"] = "add_capability('kill')" -+ self.symbols["setgid"] = "add_capability('setgid')" -+ self.symbols["setuid"] = "add_capability('setuid')" -+ self.symbols["setpcap"] = "add_capability('setpcap')" -+ self.symbols["linux_immutable"] = "add_capability('linux_immutable')" -+ self.symbols["net_bind_service"] = "add_capability('net_bind_service')" -+ self.symbols["net_broadcast"] = "add_capability('net_broadcast')" -+ self.symbols["net_admin"] = "add_capability('net_admin')" -+ self.symbols["net_raw"] = "add_capability('net_raw')" -+ self.symbols["ipc_lock"] = "add_capability('ipc_lock')" -+ self.symbols["ipc_owner"] = "add_capability('ipc_owner')" -+ self.symbols["sys_module"] = "add_capability('sys_module')" -+ self.symbols["sys_rawio"] = "add_capability('sys_rawio')" -+ self.symbols["sys_chroot"] = "add_capability('sys_chroot')" -+ self.symbols["sys_ptrace"] = "add_capability('sys_ptrace')" -+ self.symbols["sys_pacct"] = "add_capability('sys_pacct')" -+ self.symbols["sys_admin"] = "add_capability('sys_admin')" -+ self.symbols["sys_boot"] = "add_capability('sys_boot')" -+ self.symbols["sys_nice"] = "add_capability('sys_nice')" -+ self.symbols["sys_resource"] = "add_capability('sys_resource')" -+ self.symbols["sys_time"] = "add_capability('sys_time')" -+ self.symbols["sys_tty_config"] = "add_capability('sys_tty_config')" -+ self.symbols["mknod"] = "add_capability('mknod')" -+ self.symbols["lease"] = "add_capability('lease')" -+ self.symbols["audit_write"] = "add_capability('audit_write')" -+ self.symbols["audit_control"] = "add_capability('audit_control')" -+ self.symbols["setfcap"] = "add_capability('setfcap')" -+ -+ self.DEFAULT_DIRS = {} -+ self.DEFAULT_DIRS["/etc"] = ["etc_rw", [], etc_rw]; -+ self.DEFAULT_DIRS["/tmp"] = ["tmp", [], tmp]; -+ self.DEFAULT_DIRS["rw"] = ["rw", [], rw]; -+ self.DEFAULT_DIRS["/var/cache"] = ["var_cache", [], var_cache]; -+ self.DEFAULT_DIRS["/var/lib"] = ["var_lib", [], var_lib]; -+ self.DEFAULT_DIRS["/var/log"] = ["var_log", [], var_log]; -+ self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run]; -+ self.DEFAULT_DIRS["/var/spool"] = ["var_spool", [], var_spool]; -+ -+ self.DEFAULT_KEYS=["/etc", "/var/cache", "/var/log", "/tmp", "rw", "/var/lib", "/var/run", "/var/spool"] -+ -+ self.DEFAULT_TYPES = (\ -+( self.generate_daemon_types, self.generate_daemon_rules), \ -+( self.generate_dbusd_types, self.generate_dbusd_rules), \ -+( self.generate_inetd_types, self.generate_inetd_rules), \ -+( self.generate_userapp_types, self.generate_userapp_rules), \ -+( self.generate_cgi_types, self.generate_cgi_rules), \ -+( self.generate_x_login_user_types, self.generate_x_login_user_rules), \ -+( self.generate_min_login_user_types, self.generate_login_user_rules), \ -+( self.generate_login_user_types, self.generate_login_user_rules), \ -+( self.generate_admin_user_types, self.generate_login_user_rules), \ -+( self.generate_existing_user_types, self.generate_existing_user_rules), \ -+( self.generate_root_user_types, self.generate_root_user_rules)) -+ if name == "": -+ raise ValueError(_("You must enter a name for your confined process/user")) -+ if type == CGI: -+ self.name = "httpd_%s_script" % name -+ else: -+ self.name = name -+ self.file_name = name -+ -+ self.capabilities = [] -+ self.processes = [] -+ self.type = type -+ self.initscript = "" -+ self.program = "" -+ self.in_tcp = [False, False, False, []] -+ self.in_udp = [False, False, False, []] -+ self.out_tcp = [False, False, False, []] -+ self.out_udp = [False, False, False, []] -+ self.use_resolve = False -+ self.use_tmp = False -+ self.use_uid = False -+ self.use_syslog = False -+ self.use_kerberos = False -+ self.manage_krb5_rcache = False -+ self.use_pam = False -+ self.use_dbus = False -+ self.use_audit = False -+ self.use_etc = True -+ self.use_localization = True -+ self.use_fd = True -+ self.use_terminal = False -+ self.use_mail = False -+ self.booleans = {} -+ self.files = {} -+ self.dirs = {} -+ self.found_tcp_ports=[] -+ self.found_udp_ports=[] -+ self.need_tcp_type=False -+ self.need_udp_type=False -+ self.admin_domains = [] -+ self.transition_domains = [] -+ self.transition_users = [] -+ self.roles = [] -+ self.all_roles = get_all_roles() -+ -+ def __isnetset(self, l): -+ return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0 -+ -+ def set_admin_domains(self, admin_domains): -+ self.admin_domains = admin_domains -+ -+ def set_admin_roles(self, roles): -+ self.roles = roles -+ -+ def set_transition_domains(self, transition_domains): -+ self.transition_domains = transition_domains -+ -+ def set_transition_users(self, transition_users): -+ self.transition_users = transition_users -+ -+ def use_in_udp(self): -+ return self.__isnetset(self.in_udp) -+ -+ def use_out_udp(self): -+ return self.__isnetset(self.out_udp) -+ -+ def use_udp(self): -+ return self.use_in_udp() or self.use_out_udp() -+ -+ def use_in_tcp(self): -+ return self.__isnetset(self.in_tcp) -+ -+ def use_out_tcp(self): -+ return self.__isnetset(self.out_tcp) -+ -+ def use_tcp(self): -+ return self.use_in_tcp() or self.use_out_tcp() -+ -+ def use_network(self): -+ return self.use_tcp() or self.use_udp() -+ -+ def find_port(self, port, protocol="tcp"): -+ for begin,end,p in self.ports.keys(): -+ if port >= begin and port <= end and protocol == p: -+ return self.ports[begin, end, protocol] -+ return None -+ -+ def set_program(self, program): -+ if self.type not in APPLICATIONS: -+ raise ValueError(_("USER Types are not allowed executables")) -+ -+ self.program = program -+ -+ def set_init_script(self, initscript): -+ if self.type != DAEMON: -+ raise ValueError(_("Only DAEMON apps can use an init script")) -+ -+ self.initscript = initscript -+ -+ def set_in_tcp(self, all, reserved, unreserved, ports): -+ self.in_tcp = [ all, reserved, unreserved, verify_ports(ports)] -+ -+ def set_in_udp(self, all, reserved, unreserved, ports): -+ self.in_udp = [ all, reserved, unreserved, verify_ports(ports)] -+ -+ def set_out_tcp(self, all, ports): -+ self.out_tcp = [ all , False, False, verify_ports(ports) ] -+ -+ def set_out_udp(self, all, ports): -+ self.out_udp = [ all , False, False, verify_ports(ports) ] -+ -+ def set_use_resolve(self, val): -+ if val != True and val != False: -+ raise ValueError(_("use_resolve must be a boolean value ")) -+ -+ self.use_resolve = val -+ -+ def set_use_syslog(self, val): -+ if val != True and val != False: -+ raise ValueError(_("use_syslog must be a boolean value ")) -+ -+ self.use_syslog = val -+ -+ def set_use_kerberos(self, val): -+ if val != True and val != False: -+ raise ValueError(_("use_kerberos must be a boolean value ")) -+ -+ self.use_kerberos = val -+ -+ def set_manage_krb5_rcache(self, val): -+ if val != True and val != False: -+ raise ValueError(_("manage_krb5_rcache must be a boolean value ")) -+ -+ self.manage_krb5_rcache = val -+ -+ def set_use_pam(self, val): -+ self.use_pam = val == True -+ -+ def set_use_dbus(self, val): -+ self.use_dbus = val == True -+ -+ def set_use_audit(self, val): -+ self.use_audit = val == True -+ -+ def set_use_etc(self, val): -+ self.use_etc = val == True -+ -+ def set_use_localization(self, val): -+ self.use_localization = val == True -+ -+ def set_use_fd(self, val): -+ self.use_fd = val == True -+ -+ def set_use_terminal(self, val): -+ self.use_terminal = val == True -+ -+ def set_use_mail(self, val): -+ self.use_mail = val == True -+ -+ def set_use_tmp(self, val): -+ if self.type not in APPLICATIONS: -+ raise ValueError(_("USER Types automatically get a tmp type")) -+ -+ if val: -+ self.DEFAULT_DIRS["/tmp"][1].append("/tmp"); -+ else: -+ self.DEFAULT_DIRS["/tmp"][1]=[] -+ -+ def set_use_uid(self, val): -+ self.use_uid = val == True -+ -+ def generate_uid_rules(self): -+ if self.use_uid: -+ return re.sub("TEMPLATETYPE", self.name, executable.te_uid_rules) -+ else: -+ return "" -+ -+ def generate_syslog_rules(self): -+ if self.use_syslog: -+ return re.sub("TEMPLATETYPE", self.name, executable.te_syslog_rules) -+ else: -+ return "" -+ -+ def generate_resolve_rules(self): -+ if self.use_resolve: -+ return re.sub("TEMPLATETYPE", self.name, executable.te_resolve_rules) -+ else: -+ return "" -+ -+ def generate_kerberos_rules(self): -+ if self.use_kerberos: -+ return re.sub("TEMPLATETYPE", self.name, executable.te_kerberos_rules) -+ else: -+ return "" -+ -+ def generate_manage_krb5_rcache_rules(self): -+ if self.manage_krb5_rcache: -+ return re.sub("TEMPLATETYPE", self.name, executable.te_manage_krb5_rcache_rules) -+ else: -+ return "" -+ -+ def generate_pam_rules(self): -+ newte ="" -+ if self.use_pam: -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules) -+ return newte -+ -+ def generate_audit_rules(self): -+ newte ="" -+ if self.use_audit: -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_audit_rules) -+ return newte -+ -+ def generate_etc_rules(self): -+ newte ="" -+ if self.use_etc: -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_etc_rules) -+ return newte -+ -+ def generate_fd_rules(self): -+ newte ="" -+ if self.use_fd: -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_fd_rules) -+ return newte -+ -+ def generate_localization_rules(self): -+ newte ="" -+ if self.use_localization: -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_localization_rules) -+ return newte -+ -+ def generate_dbus_rules(self): -+ newte ="" -+ if self.type != DBUS and self.use_dbus: -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_dbus_rules) -+ return newte -+ -+ def generate_mail_rules(self): -+ newte ="" -+ if self.use_mail: -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_mail_rules) -+ return newte -+ -+ def generate_network_action(self, protocol, action, port_name): -+ line = "" -+ method = "corenet_%s_%s_%s" % (protocol, action, port_name) -+ if method in methods: -+ line = "%s(%s_t)\n" % (method, self.name) -+ else: -+ line = """ -+gen_require(` -+ type %s_t; -+') -+allow %s_t %s_t:%s_socket name_%s; -+""" % (port_name, self.name, port_name, protocol, action) -+ return line -+ -+ def generate_network_types(self): -+ for i in self.in_tcp[PORTS]: -+ rec = self.find_port(int(i), "tcp") -+ if rec == None: -+ self.need_tcp_type = True; -+ else: -+ port_name = rec[0][:-2] -+ line = self.generate_network_action("tcp", "bind", port_name) -+# line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name) -+ if line not in self.found_tcp_ports: -+ self.found_tcp_ports.append(line) -+ -+ for i in self.out_tcp[PORTS]: -+ rec = self.find_port(int(i), "tcp") -+ if rec == None: -+ self.need_tcp_type = True; -+ else: -+ port_name = rec[0][:-2] -+ line = self.generate_network_action("tcp", "connect", port_name) -+# line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name) -+ if line not in self.found_tcp_ports: -+ self.found_tcp_ports.append(line) -+ -+ for i in self.in_udp[PORTS]: -+ rec = self.find_port(int(i),"udp") -+ if rec == None: -+ self.need_udp_type = True; -+ else: -+ port_name = rec[0][:-2] -+ line = self.generate_network_action("udp", "bind", port_name) -+# line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name) -+ if line not in self.found_udp_ports: -+ self.found_udp_ports.append(line) -+ -+ if self.need_udp_type == True or self.need_tcp_type == True: -+ return re.sub("TEMPLATETYPE", self.name, network.te_port_types) -+ return "" -+ -+ def __find_path(self, file): -+ for d in self.DEFAULT_DIRS: -+ if file.find(d) == 0: -+ self.DEFAULT_DIRS[d][1].append(file) -+ return self.DEFAULT_DIRS[d] -+ self.DEFAULT_DIRS["rw"][1].append(file) -+ return self.DEFAULT_DIRS["rw"] -+ -+ def add_capability(self, capability): -+ if capability not in self.capabilities: -+ self.capabilities.append(capability) -+ -+ def add_process(self, process): -+ if process not in self.processes: -+ self.processes.append(process) -+ -+ def add_boolean(self, name, description): -+ self.booleans[name] = description -+ -+ def add_file(self, file): -+ self.files[file] = self.__find_path(file) -+ -+ def add_dir(self, file): -+ self.dirs[file] = self.__find_path(file) -+ -+ def generate_capabilities(self): -+ newte = "" -+ self.capabilities.sort() -+ if len(self.capabilities) > 0: -+ newte = "allow %s_t self:capability { %s };\n" % (self.name, " ".join(self.capabilities)) -+ return newte -+ -+ def generate_process(self): -+ newte = "" -+ self.processes.sort() -+ if len(self.processes) > 0: -+ newte = "allow %s_t self:process { %s };\n" % (self.name, " ".join(self.processes)) -+ return newte -+ -+ -+ def generate_network_rules(self): -+ newte = "" -+ if self.use_network(): -+ newte = "\n" -+ -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_network) -+ -+ if self.use_tcp(): -+ newte += "\n" -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_tcp) -+ -+ if self.use_in_tcp(): -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_tcp) -+ -+ if self.need_tcp_type and len(self.in_tcp[PORTS]) > 0: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_tcp) -+ -+ if self.need_tcp_type and len(self.out_tcp[PORTS]) > 0: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_out_need_port_tcp) -+ -+ -+ if self.in_tcp[ALL]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_tcp) -+ if self.in_tcp[RESERVED]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_tcp) -+ if self.in_tcp[UNRESERVED]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_tcp) -+ -+ if self.out_tcp[ALL]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_out_all_ports_tcp) -+ if self.out_tcp[RESERVED]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_out_reserved_ports_tcp) -+ if self.out_tcp[UNRESERVED]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_out_unreserved_ports_tcp) -+ -+ for i in self.found_tcp_ports: -+ newte += i -+ -+ if self.use_udp(): -+ newte += "\n" -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_udp) -+ -+ if self.need_udp_type: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_udp) -+ if self.use_in_udp(): -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_udp) -+ if self.in_udp[ALL]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_udp) -+ if self.in_udp[RESERVED]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_udp) -+ if self.in_udp[UNRESERVED]: -+ newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_udp) -+ -+ for i in self.found_udp_ports: -+ newte += i -+ return newte -+ -+ def generate_transition_rules(self): -+ newte = "" -+ for app in self.transition_domains: -+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_transition_rules) -+ newte += re.sub("APPLICATION", app, tmp) -+ -+ if self.type == USER: -+ for u in self.transition_users: -+ temp = re.sub("TEMPLATETYPE", self.name, executable.te_run_rules) -+ newte += re.sub("USER", u.split("_u")[0], temp) -+ -+ return newte -+ -+ def generate_admin_rules(self): -+ newte = "" -+ if self.type == RUSER: -+ newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules) -+ -+ for app in self.admin_domains: -+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_domain_rules) -+ newte += re.sub("APPLICATION", app, tmp) -+ -+ for u in self.transition_users: -+ role = u.split("_u")[0] -+ -+ if (role + "_r") in self.all_roles: -+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_trans_rules) -+ newte += re.sub("USER", role, tmp) -+ -+ return newte -+ -+ def generate_dbus_if(self): -+ newif ="" -+ if self.use_dbus: -+ newif = re.sub("TEMPLATETYPE", self.name, executable.if_dbus_rules) -+ return newif -+ -+ def generate_admin_if(self): -+ newif = "" -+ newtypes = "" -+ if self.initscript != "": -+ newtypes += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_admin_types) -+ newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_admin) -+ for d in self.DEFAULT_KEYS: -+ if len(self.DEFAULT_DIRS[d][1]) > 0: -+ newtypes += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_admin_types) -+ newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_admin_rules) -+ -+ if newif != "": -+ ret = re.sub("TEMPLATETYPE", self.name, executable.if_begin_admin) -+ ret += newtypes -+ -+ ret += re.sub("TEMPLATETYPE", self.name, executable.if_middle_admin) -+ ret += newif -+ ret += re.sub("TEMPLATETYPE", self.name, executable.if_end_admin) -+ return ret -+ -+ return "" -+ -+ def generate_cgi_types(self): -+ return re.sub("TEMPLATETYPE", self.file_name, executable.te_cgi_types) -+ -+ def generate_userapp_types(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_types) -+ -+ def generate_inetd_types(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_types) -+ -+ def generate_dbusd_types(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_dbusd_types) -+ -+ def generate_min_login_user_types(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_min_login_user_types) -+ -+ def generate_login_user_types(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_login_user_types) -+ -+ def generate_admin_user_types(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_admin_user_types) -+ -+ def generate_existing_user_types(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types) -+ -+ def generate_x_login_user_types(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_types) -+ -+ def generate_root_user_types(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types) -+ -+ def generate_daemon_types(self): -+ newte = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types) -+ if self.initscript != "": -+ newte += re.sub("TEMPLATETYPE", self.name, executable.te_initscript_types) -+ return newte -+ -+ def generate_tmp_types(self): -+ if self.use_tmp: -+ return re.sub("TEMPLATETYPE", self.name, tmp.te_types) -+ else: -+ return "" -+ -+ def generate_booleans(self): -+ newte = "" -+ for b in self.booleans: -+ tmp = re.sub("BOOLEAN", b, boolean.te_boolean) -+ newte += re.sub("DESCRIPTION", self.booleans[b], tmp) -+ return newte -+ -+ def generate_boolean_rules(self): -+ newte = "" -+ for b in self.booleans: -+ newte += re.sub("BOOLEAN", b, boolean.te_rules) -+ return newte -+ -+ def generate_cgi_te(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_cgi_types) -+ -+ def generate_daemon_rules(self): -+ newif = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_rules) -+ -+ return newif -+ -+ def generate_login_user_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules) -+ -+ def generate_existing_user_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_existing_user_rules) -+ -+ def generate_x_login_user_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_rules) -+ -+ def generate_root_user_rules(self): -+ newte =re.sub("TEMPLATETYPE", self.name, user.te_root_user_rules) -+ return newte -+ -+ def generate_userapp_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_rules) -+ -+ def generate_inetd_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_rules) -+ -+ def generate_dbusd_rules(self): -+ return re.sub("TEMPLATETYPE", self.name, executable.te_dbusd_rules) -+ -+ def generate_tmp_rules(self): -+ if self.use_tmp: -+ return re.sub("TEMPLATETYPE", self.name, tmp.te_rules) -+ else: -+ return "" -+ -+ def generate_cgi_rules(self): -+ newte = "" -+ newte += re.sub("TEMPLATETYPE", self.name, executable.te_cgi_rules) -+ return newte -+ -+ def generate_user_if(self): -+ newif ="" -+ if self.use_terminal or self.type == USER: -+ newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules) -+ newif += re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules) -+ return newif -+ -+ def generate_if(self): -+ newif = "" -+ newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules) -+ if self.program != "": -+ newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules) -+ if self.initscript != "": -+ newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules) -+ -+ for d in self.DEFAULT_KEYS: -+ if len(self.DEFAULT_DIRS[d][1]) > 0: -+ newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_rules) -+ for i in self.DEFAULT_DIRS[d][1]: -+ if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): -+ newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_stream_rules) -+ break -+ newif += self.generate_user_if() -+ newif += self.generate_dbus_if() -+ newif += self.generate_admin_if() -+ -+ return newif -+ -+ def generate_default_types(self): -+ return self.DEFAULT_TYPES[self.type][0]() -+ -+ def generate_default_rules(self): -+ return self.DEFAULT_TYPES[self.type][1]() -+ -+ def generate_roles_rules(self): -+ newte = "" -+ if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER): -+ roles = "" -+ if len(self.roles) > 0: -+ newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules) -+ newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules) -+ for role in self.roles: -+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules) -+ newte += re.sub("ROLE", role, tmp) -+ return newte -+ -+ def generate_te(self): -+ newte = self.generate_default_types() -+ for d in self.DEFAULT_KEYS: -+ if len(self.DEFAULT_DIRS[d][1]) > 0: -+ # CGI scripts already have a rw_t -+ if self.type != CGI or d != "rw": -+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) -+ -+ newte +=""" -+######################################## -+# -+# %s local policy -+# -+""" % self.name -+ newte += self.generate_capabilities() -+ newte += self.generate_process() -+ newte += self.generate_network_types() -+ newte += self.generate_tmp_types() -+ newte += self.generate_booleans() -+ newte += self.generate_default_rules() -+ newte += self.generate_boolean_rules() -+ -+ for d in self.DEFAULT_KEYS: -+ if len(self.DEFAULT_DIRS[d][1]) > 0: -+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) -+ for i in self.DEFAULT_DIRS[d][1]: -+ if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): -+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) -+ break -+ -+ newte += self.generate_tmp_rules() -+ newte += self.generate_network_rules() -+ newte += self.generate_fd_rules() -+ newte += self.generate_etc_rules() -+ newte += self.generate_pam_rules() -+ newte += self.generate_uid_rules() -+ newte += self.generate_audit_rules() -+ newte += self.generate_syslog_rules() -+ newte += self.generate_localization_rules() -+ newte += self.generate_resolve_rules() -+ newte += self.generate_roles_rules() -+ newte += self.generate_mail_rules() -+ newte += self.generate_transition_rules() -+ newte += self.generate_admin_rules() -+ newte += self.generate_dbus_rules() -+ newte += self.generate_kerberos_rules() -+ newte += self.generate_manage_krb5_rcache_rules() -+ -+ return newte -+ -+ def generate_fc(self): -+ newfc = "" -+ fclist = [] -+ if self.type in USERS: -+ return re.sub("EXECUTABLE", self.program, executable.fc_user) -+ if self.program == "": -+ raise ValueError(_("You must enter the executable path for your confined process")) -+ -+ t1 = re.sub("EXECUTABLE", self.program, executable.fc_program) -+ fclist.append(re.sub("TEMPLATETYPE", self.name, t1)) -+ -+ if self.initscript != "": -+ t1 = re.sub("EXECUTABLE", self.initscript, executable.fc_initscript) -+ fclist.append(re.sub("TEMPLATETYPE", self.name, t1)) -+ -+ for i in self.files.keys(): -+ if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): -+ t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_sock_file) -+ else: -+ t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_file) -+ t2 = re.sub("FILENAME", i, t1) -+ fclist.append(re.sub("FILETYPE", self.files[i][0], t2)) -+ -+ for i in self.dirs.keys(): -+ t1 = re.sub("TEMPLATETYPE", self.name, self.dirs[i][2].fc_dir) -+ t2 = re.sub("FILENAME", i, t1) -+ fclist.append(re.sub("FILETYPE", self.dirs[i][0], t2)) -+ -+ fclist.sort() -+ newfc="\n".join(fclist) -+ return newfc -+ -+ def generate_user_sh(self): -+ newsh = "" -+ if self.type not in ( TUSER, XUSER, AUSER, LUSER, EUSER): -+ return newsh -+ -+ roles = "" -+ for role in self.roles: -+ roles += " %s_r" % role -+ if roles != "": -+ roles += " system_r" -+ if self.type == EUSER: -+ tmp = re.sub("TEMPLATETYPE", self.name, script.eusers) -+ else: -+ tmp = re.sub("TEMPLATETYPE", self.name, script.users) -+ newsh += re.sub("ROLES", roles, tmp) -+ -+ if self.type == RUSER: -+ for u in self.transition_users: -+ tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans) -+ newsh += re.sub("USER", u, tmp) -+ -+ if self.type == LUSER: -+ newsh += re.sub("TEMPLATETYPE", self.name, script.min_login_user_default_context) -+ else: -+ newsh += re.sub("TEMPLATETYPE", self.name, script.x_login_user_default_context) -+ -+ -+ return newsh -+ -+ def generate_sh(self): -+ temp = re.sub("TEMPLATETYPE", self.file_name, script.compile) -+ if self.type == EUSER: -+ newsh = re.sub("TEMPLATEFILE", "my%s" % self.file_name, temp) -+ else: -+ newsh = re.sub("TEMPLATEFILE", self.file_name, temp) -+ if self.program != "": -+ newsh += re.sub("FILENAME", self.program, script.restorecon) -+ if self.initscript != "": -+ newsh += re.sub("FILENAME", self.initscript, script.restorecon) -+ -+ for i in self.files.keys(): -+ newsh += re.sub("FILENAME", i, script.restorecon) -+ -+ for i in self.dirs.keys(): -+ newsh += re.sub("FILENAME", i, script.restorecon) -+ -+ for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]: -+ if self.find_port(i,"tcp") == None: -+ t1 = re.sub("PORTNUM", "%d" % i, script.tcp_ports) -+ newsh += re.sub("TEMPLATETYPE", self.name, t1) -+ -+ for i in self.in_udp[PORTS] + self.out_udp[PORTS]: -+ if self.find_port(i,"udp") == None: -+ t1 = re.sub("PORTNUM", "%d" % i, script.udp_ports) -+ newsh += re.sub("TEMPLATETYPE", self.name, t1) -+ -+ newsh += self.generate_user_sh() -+ -+ return newsh -+ -+ def write_te(self, out_dir): -+ if self.type == EUSER: -+ tefile = "%s/my%s.te" % (out_dir, self.file_name) -+ else: -+ tefile = "%s/%s.te" % (out_dir, self.file_name) -+ fd = open(tefile, "w") -+ fd.write(self.generate_te()) -+ fd.close() -+ return tefile -+ -+ def write_sh(self, out_dir): -+ if self.type == EUSER: -+ shfile = "%s/my%s.sh" % (out_dir, self.file_name) -+ else: -+ shfile = "%s/%s.sh" % (out_dir, self.file_name) -+ fd = open(shfile, "w") -+ fd.write(self.generate_sh()) -+ fd.close() -+ os.chmod(shfile, 0750) -+ return shfile -+ -+ def write_if(self, out_dir): -+ if self.type == EUSER: -+ iffile = "%s/my%s.if" % (out_dir, self.file_name) -+ else: -+ iffile = "%s/%s.if" % (out_dir, self.file_name) -+ fd = open(iffile, "w") -+ fd.write(self.generate_if()) -+ fd.close() -+ return iffile -+ -+ def write_fc(self,out_dir): -+ if self.type == EUSER: -+ fcfile = "%s/my%s.fc" % (out_dir, self.file_name) -+ else: -+ fcfile = "%s/%s.fc" % (out_dir, self.file_name) -+ fd = open(fcfile, "w") -+ fd.write(self.generate_fc()) -+ fd.close() -+ return fcfile -+ -+ def gen_writeable(self): -+ fd = os.popen("rpm -qlf %s" % self.program) -+ for f in fd.read().split(): -+ for b in self.DEFAULT_DIRS: -+ if b == "/etc": -+ continue -+ if f.startswith(b): -+ if os.path.isfile(f): -+ self.add_file(f) -+ else: -+ self.add_dir(f) -+ fd.close() -+ if os.path.isfile("/var/run/%s.pid" % self.name): -+ self.add_file("/var/run/%s.pid" % self.name) -+ -+ if os.path.isfile("/etc/rc.d/init.d/%s" % self.name): -+ self.set_init_script("/etc/rc\.d/init\.d/%s" % self.name) -+ -+ -+ def gen_symbols(self): -+ if self.type not in APPLICATIONS: -+ return -+ -+ fd = os.popen("nm -D %s | grep U" % self.program) -+ for s in fd.read().split(): -+ for b in self.symbols: -+ if s.startswith(b): -+ exec "self.%s" % self.symbols[b] -+ fd.close() -+ -+ def generate(self, out_dir = "."): -+ out = "Created the following files:\n" -+ out += "%-25s %s\n" % (_("Type Enforcement file"), self.write_te(out_dir)) -+ out += "%-25s %s\n" % (_("Interface file"), self.write_if(out_dir)) -+ out += "%-25s %s\n" % (_("File Contexts file"), self.write_fc(out_dir)) -+ out += "%-25s %s\n" % (_("Setup Script"),self.write_sh(out_dir)) -+ return out -+ -+def errorExit(error): -+ sys.stderr.write("%s: " % sys.argv[0]) -+ sys.stderr.write("%s\n" % error) -+ sys.stderr.flush() -+ sys.exit(1) -+ -+def test(): -+ import tempfile -+ -+ tmpdir = tempfile.mkdtemp() -+ -+ mypolicy = policy("mytuser", TUSER) -+ mypolicy.set_admin_roles(["mydbadm"]) -+ mypolicy.add_boolean("allow_mytuser_setuid", "Allow mytuser users to run setuid applications") -+ print mypolicy.generate(tmpdir) -+ -+ mypolicy = policy("mywhois", USER) -+ mypolicy.set_program("/usr/bin/jwhois") -+ mypolicy.set_out_tcp(0, "43") -+ mypolicy.set_out_udp(0, "43") -+ mypolicy.set_out_tcp(0, "63") -+ mypolicy.set_out_udp(0, "63") -+ mypolicy.set_out_tcp(0, "4321") -+ mypolicy.set_out_udp(0, "4321") -+ mypolicy.add_dir("/var/cache/jwhois") -+ mypolicy.set_transition_users(["staff_u"]) -+ print mypolicy.generate(tmpdir) -+ -+ mypolicy = policy("mycgi", CGI) -+ mypolicy.set_program("/var/www/cgi-bin/cgi") -+ mypolicy.set_in_tcp(1, 0, 0, "512, 55000-55000") -+ mypolicy.set_in_udp(1, 0, 0, "1513") -+ mypolicy.set_use_uid(True) -+ mypolicy.set_use_tmp(False) -+ mypolicy.set_use_syslog(True) -+ mypolicy.set_use_pam(True) -+ mypolicy.set_out_tcp(0,"8000") -+ print mypolicy.generate(tmpdir) -+ -+ mypolicy = policy("myrwho", DAEMON) -+ mypolicy.set_program("/usr/sbin/myrwhod") -+ mypolicy.set_init_script("/etc/init.d/myrwhod") -+ mypolicy.add_dir("/etc/nasd") -+ mypolicy.set_in_tcp(1, 0, 0, "513") -+ mypolicy.set_use_uid(True) -+ mypolicy.set_use_tmp(True) -+ mypolicy.set_use_syslog(True) -+ mypolicy.set_use_pam(True) -+ mypolicy.add_dir("/var/run/myrwho") -+ mypolicy.add_dir("/var/lib/myrwho") -+ print mypolicy.generate(tmpdir) -+ -+ mypolicy = policy("myinetd", INETD) -+ mypolicy.set_program("/usr/bin/mytest") -+ mypolicy.set_in_tcp(1, 0, 0, "513") -+ mypolicy.set_in_udp(1, 0, 0, "1513") -+ mypolicy.set_use_uid(True) -+ mypolicy.set_use_tmp(True) -+ mypolicy.set_use_syslog(True) -+ mypolicy.set_use_pam(True) -+ mypolicy.add_file("/var/lib/mysql/mysql.sock") -+ mypolicy.add_file("/var/run/rpcbind.sock") -+ mypolicy.add_file("/var/run/daemon.pub") -+ mypolicy.add_file("/var/log/daemon.log") -+ mypolicy.add_dir("/var/lib/daemon") -+ mypolicy.add_dir("/etc/daemon") -+ mypolicy.add_dir("/etc/daemon/special") -+ mypolicy.set_use_uid(True) -+ mypolicy.set_use_syslog(True) -+ mypolicy.set_use_pam(True) -+ mypolicy.set_use_audit(True) -+ mypolicy.set_use_dbus(True) -+ mypolicy.set_use_terminal(True) -+ mypolicy.set_use_mail(True) -+ mypolicy.set_out_tcp(0,"8000") -+ print mypolicy.generate(tmpdir) -+ -+ -+ mypolicy = policy("mydbus", DBUS) -+ mypolicy.set_program("/usr/libexec/mydbus") -+ mypolicy.set_in_tcp(1, 0, 0, "513") -+ mypolicy.set_in_udp(1, 0, 0, "1513") -+ mypolicy.set_use_uid(True) -+ mypolicy.set_use_tmp(True) -+ mypolicy.set_use_syslog(True) -+ mypolicy.set_use_pam(True) -+ print mypolicy.generate(tmpdir) -+ -+ mypolicy = policy("myxuser", XUSER) -+ mypolicy.set_in_tcp(1, 1, 1, "28920") -+ mypolicy.set_in_udp(0, 0, 1, "1513") -+ mypolicy.set_transition_domains(["mozilla"]) -+ print mypolicy.generate(tmpdir) -+ -+ mypolicy = policy("myuser", USER) -+ mypolicy.set_program("/usr/bin/myuser") -+ mypolicy.set_in_tcp(1, 0, 0, "513") -+ mypolicy.set_in_udp(1, 0, 0, "1513") -+ mypolicy.set_use_uid(True) -+ mypolicy.set_use_tmp(True) -+ mypolicy.set_use_syslog(True) -+ mypolicy.set_use_pam(True) -+ mypolicy.add_file("/var/lib/myuser/myuser.sock") -+ mypolicy.set_out_tcp(0,"8000") -+ mypolicy.set_transition_users(["unconfined_u", "staff_u"]) -+ print mypolicy.generate(tmpdir) -+ -+ mypolicy = policy("mydbadm", RUSER) -+ mypolicy.set_admin_domains(["postgresql", "mysql"]) -+ print mypolicy.generate(tmpdir) -+ os.chdir(tmpdir) -+ rc, output=commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile") -+ print output -+ print type(rc), os.WEXITSTATUS(rc) -+ sys.exit(os.WEXITSTATUS(rc)) -+ -+import os, sys, getopt, socket, random, fcntl -+ -+def usage(msg): -+ print _(""" -+%s -+ -+polgen [ -m ] [ -t type ] [ executable | Name ] -+valid Types: -+""") % msg -+ keys=poltype.keys() -+ for i in keys: -+ print "\t%s\t%s" % (i, poltype[i]) -+ sys.exit(-1) -+ -+if __name__ == '__main__': -+ setype = DAEMON -+ name = None -+ try: -+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:mn:", -+ ["type=", -+ "mount", -+ "test", -+ "name", -+ "help"]) -+ for o, a in gopts: -+ if o == "-t" or o == "--type": -+ try: -+ if int(a) not in poltype: -+ usage ("invalid type %s" % a ) -+ except: -+ usage ("invalid type %s" % a ) -+ -+ setype = int(a) -+ -+ if o == "-m" or o == "--mount": -+ mount_ind = True -+ -+ if o == "-n" or o == "--name": -+ name = a -+ -+ if o == "-h" or o == "--help": -+ usage("") -+ -+ if o == "--test": -+ test() -+ sys.exit(0) -+ -+ except getopt.error, error: -+ usage(_("Options Error %s ") % error.msg) -+ -+ if len(cmds) == 0: -+ usage(_("Executable or Name required")) -+ -+ if not name: -+ name = os.path.basename(cmds[0]).replace("-","_") -+ cmd = cmds[0] -+ mypolicy = policy(name, setype) -+ mypolicy.set_program(cmd) -+ if setype in APPLICATIONS: -+ mypolicy.gen_writeable() -+ mypolicy.gen_symbols() -+ print mypolicy.generate() -+ sys.exit(0) -+ -+ try: -+ if not name: -+ name = os.path.basename(cmds[0]).replace("-","_") -+ cmd = cmds[0] -+ mypolicy = policy(name, setype) -+ mypolicy.set_program(cmd) -+ if setype in APPLICATIONS: -+ mypolicy.gen_writeable() -+ mypolicy.gen_symbols() -+ print mypolicy.generate() -+ sys.exit(0) -+ except ValueError, e: -+ usage(e) diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.85/gui/templates/rw.py --- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.85/gui/templates/rw.py 2011-01-06 16:45:14.000000000 -0500 diff --git a/policycoreutils.spec b/policycoreutils.spec index 08d3751..4869dc9 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.85 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -329,6 +329,9 @@ fi exit 0 %changelog +* Fri Jan 14 2011 Dan Walsh 2.0.85-5 +- Add sandbox to sepolgen + * Thu Jan 6 2011 Dan Walsh 2.0.85-4 - Fix proper handling of getopt errors - Do not allow modules names to contain spaces