* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-2
- Add descriptions of booleans to audit2allow
This commit is contained in:
parent
34a3b99b21
commit
b16ae3b80f
@ -1,7 +1,15 @@
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.35/audit2allow/audit2allow
|
||||
--- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400
|
||||
+++ policycoreutils-2.0.35/audit2allow/audit2allow 2008-01-11 11:17:46.000000000 -0500
|
||||
@@ -60,7 +60,10 @@
|
||||
+++ policycoreutils-2.0.35/audit2allow/audit2allow 2008-01-15 11:32:58.000000000 -0500
|
||||
@@ -19,7 +19,6 @@
|
||||
#
|
||||
|
||||
import sys
|
||||
-import tempfile
|
||||
|
||||
import sepolgen.audit as audit
|
||||
import sepolgen.policygen as policygen
|
||||
@@ -60,7 +59,10 @@
|
||||
parser.add_option("-o", "--output", dest="output",
|
||||
help="append output to <filename>, conflicts with -M")
|
||||
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
|
||||
@ -13,7 +21,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
|
||||
default=False, help="explain generated output")
|
||||
parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
|
||||
@@ -72,6 +75,9 @@
|
||||
@@ -72,6 +74,9 @@
|
||||
parser.add_option("--debug", dest="debug", action="store_true", default=False,
|
||||
help="leave generated modules for -M")
|
||||
|
||||
@ -23,31 +31,36 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
options, args = parser.parse_args()
|
||||
|
||||
# Make -d, -a, and -i conflict
|
||||
@@ -149,8 +155,10 @@
|
||||
@@ -147,10 +152,12 @@
|
||||
|
||||
def __process_input(self):
|
||||
if self.__options.type:
|
||||
filter = audit.TypeFilter(self.__options.type)
|
||||
self.__avs = self.__parser.to_access(filter)
|
||||
+ self.__selinux_errs = self.__parser.to_role(filter)
|
||||
- filter = audit.TypeFilter(self.__options.type)
|
||||
- self.__avs = self.__parser.to_access(filter)
|
||||
+ avcfilter = audit.TypeFilter(self.__options.type)
|
||||
+ self.__avs = self.__parser.to_access(avcfilter)
|
||||
+ self.__selinux_errs = self.__parser.to_role(avcfilter)
|
||||
else:
|
||||
self.__avs = self.__parser.to_access()
|
||||
+ self.__selinux_errs = self.__parser.to_role()
|
||||
|
||||
def __load_interface_info(self):
|
||||
# Load interface info file
|
||||
@@ -210,7 +218,71 @@
|
||||
@@ -210,7 +217,74 @@
|
||||
sys.stdout.write((_("To make this policy package active, execute:" +\
|
||||
"\n\nsemodule -i %s\n\n") % packagename))
|
||||
|
||||
+ def __output_audit2why(self):
|
||||
+ import selinux
|
||||
+ import selinux.audit2why as audit2why
|
||||
+ import seobject
|
||||
+ audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers()))
|
||||
+ for i in self.__parser.avc_msgs:
|
||||
+ rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
|
||||
+ if rc >= 0:
|
||||
+ print "%s\n\tWas caused by:" % i.message
|
||||
+ if rc == audit2why.NOPOLICY:
|
||||
+ raise "Must call policy_init first"
|
||||
+ raise RuntimeError("Must call policy_init first")
|
||||
+ if rc == audit2why.BADTCON:
|
||||
+ print "Invalid Target Context %s\n" % i.tcontext
|
||||
+ continue
|
||||
@ -61,7 +74,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
+ print "Invalid permission %s\n" % i.accesses
|
||||
+ continue
|
||||
+ if rc == audit2why. BADCOMPUTE:
|
||||
+ raise "Error during access vector computation"
|
||||
+ raise RuntimeError("Error during access vector computation")
|
||||
+ if rc == audit2why.ALLOW:
|
||||
+ print "\t\tUnknown - would be allowed by active policy\n",
|
||||
+ print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||
@ -71,12 +84,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
+ if len(bools) > 1:
|
||||
+ print "\tOne of the following booleans being set incorrectly."
|
||||
+ for b in bools:
|
||||
+ print "\n\tBoolean %s is %d. Allow access by executing:" % (b[0], not b[1])
|
||||
+ print "\t# setsebool -P %s %d" % (b[0], b[1])
|
||||
+ print "\n\tBoolean %s is %d." % (b[0], not b[1])
|
||||
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
|
||||
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
|
||||
+ else:
|
||||
+ print "\tThe boolean %s set incorrectly. Allow access by executing:" % bools[0][0]
|
||||
+ print "\t# setsebool -P %s %d\n" % (bools[0][0], bools[0][1])
|
||||
+
|
||||
+ print "\tThe boolean %s set incorrectly. " % (bools[0][0])
|
||||
+ print "\n\tBoolean %s is %d." % (bools[0][0], bools[0][1])
|
||||
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
|
||||
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
|
||||
+ continue
|
||||
+
|
||||
+ if rc == audit2why.TERULE:
|
||||
@ -106,7 +121,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
g = policygen.PolicyGenerator()
|
||||
|
||||
if self.__options.module:
|
||||
@@ -251,6 +323,12 @@
|
||||
@@ -251,6 +325,12 @@
|
||||
fd = sys.stdout
|
||||
writer.write(g.get_module(), fd)
|
||||
|
||||
@ -831,3 +846,31 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
|
||||
if object == "login":
|
||||
OBJECT = seobject.loginRecords(store)
|
||||
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.35/semanage/seobject.py
|
||||
--- nsapolicycoreutils/semanage/seobject.py 2007-12-10 21:42:27.000000000 -0500
|
||||
+++ policycoreutils-2.0.35/semanage/seobject.py 2008-01-15 11:31:49.000000000 -0500
|
||||
@@ -117,6 +117,12 @@
|
||||
#print _("Failed to translate booleans.\n%s") % e
|
||||
pass
|
||||
|
||||
+def boolean_desc(boolean):
|
||||
+ if boolean in booleans_dict:
|
||||
+ return _(booleans_dict[boolean][2])
|
||||
+ else:
|
||||
+ return boolean
|
||||
+
|
||||
def validate_level(raw):
|
||||
sensitivity = "s[0-9]*"
|
||||
category = "c[0-9]*"
|
||||
@@ -1456,10 +1462,7 @@
|
||||
return ddict
|
||||
|
||||
def get_desc(self, boolean):
|
||||
- if boolean in booleans_dict:
|
||||
- return _(booleans_dict[boolean][2])
|
||||
- else:
|
||||
- return boolean
|
||||
+ return boolean_desc(boolean)
|
||||
|
||||
def get_category(self, boolean):
|
||||
if boolean in booleans_dict:
|
||||
|
@ -6,7 +6,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.35
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
@ -193,6 +193,9 @@ if [ "$1" -ge "1" ]; then
|
||||
fi
|
||||
|
||||
%changelog
|
||||
* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-2
|
||||
- Add descriptions of booleans to audit2allow
|
||||
|
||||
* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.35-1
|
||||
- Update to upstream
|
||||
* Merged support for non-interactive newrole command invocation from Tim Reed.
|
||||
|
Loading…
Reference in New Issue
Block a user