* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-2
- Add descriptions of booleans to audit2allow
parent
34a3b99b21
commit
b16ae3b80f
@ -1,7 +1,15 @@
|
|||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.35/audit2allow/audit2allow
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.35/audit2allow/audit2allow
|
||||||
--- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400
|
--- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400
|
||||||
+++ policycoreutils-2.0.35/audit2allow/audit2allow 2008-01-11 11:17:46.000000000 -0500
|
+++ policycoreutils-2.0.35/audit2allow/audit2allow 2008-01-15 11:32:58.000000000 -0500
|
||||||
@@ -60,7 +60,10 @@
|
@@ -19,7 +19,6 @@
|
||||||
|
#
|
||||||
|
|
||||||
|
import sys
|
||||||
|
-import tempfile
|
||||||
|
|
||||||
|
import sepolgen.audit as audit
|
||||||
|
import sepolgen.policygen as policygen
|
||||||
|
@@ -60,7 +59,10 @@
|
||||||
parser.add_option("-o", "--output", dest="output",
|
parser.add_option("-o", "--output", dest="output",
|
||||||
help="append output to <filename>, conflicts with -M")
|
help="append output to <filename>, conflicts with -M")
|
||||||
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
|
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
|
||||||
@ -13,7 +21,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
|||||||
parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
|
parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
|
||||||
default=False, help="explain generated output")
|
default=False, help="explain generated output")
|
||||||
parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
|
parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
|
||||||
@@ -72,6 +75,9 @@
|
@@ -72,6 +74,9 @@
|
||||||
parser.add_option("--debug", dest="debug", action="store_true", default=False,
|
parser.add_option("--debug", dest="debug", action="store_true", default=False,
|
||||||
help="leave generated modules for -M")
|
help="leave generated modules for -M")
|
||||||
|
|
||||||
@ -23,31 +31,36 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
|||||||
options, args = parser.parse_args()
|
options, args = parser.parse_args()
|
||||||
|
|
||||||
# Make -d, -a, and -i conflict
|
# Make -d, -a, and -i conflict
|
||||||
@@ -149,8 +155,10 @@
|
@@ -147,10 +152,12 @@
|
||||||
|
|
||||||
|
def __process_input(self):
|
||||||
if self.__options.type:
|
if self.__options.type:
|
||||||
filter = audit.TypeFilter(self.__options.type)
|
- filter = audit.TypeFilter(self.__options.type)
|
||||||
self.__avs = self.__parser.to_access(filter)
|
- self.__avs = self.__parser.to_access(filter)
|
||||||
+ self.__selinux_errs = self.__parser.to_role(filter)
|
+ avcfilter = audit.TypeFilter(self.__options.type)
|
||||||
|
+ self.__avs = self.__parser.to_access(avcfilter)
|
||||||
|
+ self.__selinux_errs = self.__parser.to_role(avcfilter)
|
||||||
else:
|
else:
|
||||||
self.__avs = self.__parser.to_access()
|
self.__avs = self.__parser.to_access()
|
||||||
+ self.__selinux_errs = self.__parser.to_role()
|
+ self.__selinux_errs = self.__parser.to_role()
|
||||||
|
|
||||||
def __load_interface_info(self):
|
def __load_interface_info(self):
|
||||||
# Load interface info file
|
# Load interface info file
|
||||||
@@ -210,7 +218,71 @@
|
@@ -210,7 +217,74 @@
|
||||||
sys.stdout.write((_("To make this policy package active, execute:" +\
|
sys.stdout.write((_("To make this policy package active, execute:" +\
|
||||||
"\n\nsemodule -i %s\n\n") % packagename))
|
"\n\nsemodule -i %s\n\n") % packagename))
|
||||||
|
|
||||||
+ def __output_audit2why(self):
|
+ def __output_audit2why(self):
|
||||||
+ import selinux
|
+ import selinux
|
||||||
+ import selinux.audit2why as audit2why
|
+ import selinux.audit2why as audit2why
|
||||||
|
+ import seobject
|
||||||
+ audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers()))
|
+ audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers()))
|
||||||
+ for i in self.__parser.avc_msgs:
|
+ for i in self.__parser.avc_msgs:
|
||||||
+ rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
|
+ rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
|
||||||
+ if rc >= 0:
|
+ if rc >= 0:
|
||||||
+ print "%s\n\tWas caused by:" % i.message
|
+ print "%s\n\tWas caused by:" % i.message
|
||||||
+ if rc == audit2why.NOPOLICY:
|
+ if rc == audit2why.NOPOLICY:
|
||||||
+ raise "Must call policy_init first"
|
+ raise RuntimeError("Must call policy_init first")
|
||||||
+ if rc == audit2why.BADTCON:
|
+ if rc == audit2why.BADTCON:
|
||||||
+ print "Invalid Target Context %s\n" % i.tcontext
|
+ print "Invalid Target Context %s\n" % i.tcontext
|
||||||
+ continue
|
+ continue
|
||||||
@ -61,7 +74,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
|||||||
+ print "Invalid permission %s\n" % i.accesses
|
+ print "Invalid permission %s\n" % i.accesses
|
||||||
+ continue
|
+ continue
|
||||||
+ if rc == audit2why. BADCOMPUTE:
|
+ if rc == audit2why. BADCOMPUTE:
|
||||||
+ raise "Error during access vector computation"
|
+ raise RuntimeError("Error during access vector computation")
|
||||||
+ if rc == audit2why.ALLOW:
|
+ if rc == audit2why.ALLOW:
|
||||||
+ print "\t\tUnknown - would be allowed by active policy\n",
|
+ print "\t\tUnknown - would be allowed by active policy\n",
|
||||||
+ print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
+ print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||||
@ -71,12 +84,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
|||||||
+ if len(bools) > 1:
|
+ if len(bools) > 1:
|
||||||
+ print "\tOne of the following booleans being set incorrectly."
|
+ print "\tOne of the following booleans being set incorrectly."
|
||||||
+ for b in bools:
|
+ for b in bools:
|
||||||
+ print "\n\tBoolean %s is %d. Allow access by executing:" % (b[0], not b[1])
|
+ print "\n\tBoolean %s is %d." % (b[0], not b[1])
|
||||||
+ print "\t# setsebool -P %s %d" % (b[0], b[1])
|
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
|
||||||
|
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
|
||||||
+ else:
|
+ else:
|
||||||
+ print "\tThe boolean %s set incorrectly. Allow access by executing:" % bools[0][0]
|
+ print "\tThe boolean %s set incorrectly. " % (bools[0][0])
|
||||||
+ print "\t# setsebool -P %s %d\n" % (bools[0][0], bools[0][1])
|
+ print "\n\tBoolean %s is %d." % (bools[0][0], bools[0][1])
|
||||||
+
|
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
|
||||||
|
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
|
||||||
+ continue
|
+ continue
|
||||||
+
|
+
|
||||||
+ if rc == audit2why.TERULE:
|
+ if rc == audit2why.TERULE:
|
||||||
@ -106,7 +121,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
|||||||
g = policygen.PolicyGenerator()
|
g = policygen.PolicyGenerator()
|
||||||
|
|
||||||
if self.__options.module:
|
if self.__options.module:
|
||||||
@@ -251,6 +323,12 @@
|
@@ -251,6 +325,12 @@
|
||||||
fd = sys.stdout
|
fd = sys.stdout
|
||||||
writer.write(g.get_module(), fd)
|
writer.write(g.get_module(), fd)
|
||||||
|
|
||||||
@ -831,3 +846,31 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
|||||||
if object == "login":
|
if object == "login":
|
||||||
OBJECT = seobject.loginRecords(store)
|
OBJECT = seobject.loginRecords(store)
|
||||||
|
|
||||||
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.35/semanage/seobject.py
|
||||||
|
--- nsapolicycoreutils/semanage/seobject.py 2007-12-10 21:42:27.000000000 -0500
|
||||||
|
+++ policycoreutils-2.0.35/semanage/seobject.py 2008-01-15 11:31:49.000000000 -0500
|
||||||
|
@@ -117,6 +117,12 @@
|
||||||
|
#print _("Failed to translate booleans.\n%s") % e
|
||||||
|
pass
|
||||||
|
|
||||||
|
+def boolean_desc(boolean):
|
||||||
|
+ if boolean in booleans_dict:
|
||||||
|
+ return _(booleans_dict[boolean][2])
|
||||||
|
+ else:
|
||||||
|
+ return boolean
|
||||||
|
+
|
||||||
|
def validate_level(raw):
|
||||||
|
sensitivity = "s[0-9]*"
|
||||||
|
category = "c[0-9]*"
|
||||||
|
@@ -1456,10 +1462,7 @@
|
||||||
|
return ddict
|
||||||
|
|
||||||
|
def get_desc(self, boolean):
|
||||||
|
- if boolean in booleans_dict:
|
||||||
|
- return _(booleans_dict[boolean][2])
|
||||||
|
- else:
|
||||||
|
- return boolean
|
||||||
|
+ return boolean_desc(boolean)
|
||||||
|
|
||||||
|
def get_category(self, boolean):
|
||||||
|
if boolean in booleans_dict:
|
||||||
|
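Review bot: The two branches of the boolean report in `__output_audit2why` disagree about which value they print as the boolean's current state: the multi-boolean loop prints `not b[1]` in "Boolean %s is %d.", while the single-boolean branch prints `bools[0][1]` unnegated, even though both then tell the user to run `setsebool -P %s %d` with the same un-negated value. If `b[1]` is the value setsebool should apply, as the setsebool line implies, the single-boolean line should read `print "\n\tBoolean %s is %d." % (bools[0][0], not bools[0][1])`; if instead it is the current value, the loop is the one that is wrong — either way the two branches should agree. Separately, `if rc == audit2why. BADCOMPUTE:` carries a stray space after the dot; it parses, but `audit2why.BADCOMPUTE` matches the sibling checks. `__output_audit2why` continues past the end of this section (the TERULE branch and what follows it are not shown).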
@ -6,7 +6,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.0.35
|
Version: 2.0.35
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
@ -193,6 +193,9 @@ if [ "$1" -ge "1" ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-2
|
||||||
|
- Add descriptions of booleans to audit2allow
|
||||||
|
|
||||||
* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-1
|
* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-1
|
||||||
- Update to upstream
|
- Update to upstream
|
||||||
* Merged support for non-interactive newrole command invocation from Tim Reed.
|
* Merged support for non-interactive newrole command invocation from Tim Reed.
|
||||||
|