rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream

Browse Source 
policycoreutils-2.1.6
	* sepolgen-ifgen: new attr-helper does something
	* audit2allow: use alternate policy file
	* audit2allow: sepolgen-ifgen use the attr helper
	* setfiles: switch from stat to stat64
	* setfiles: Fix potential crash using dereferenced ftsent
	* setfiles: do not wrap * output at 80 characters
	* sandbox: add -Wall and -Werror to makefile
	* sandbox: add sandbox cgroup support
	* sandbox: rewrite /tmp handling
	* sandbox: do not bind mount so much
	* sandbox: add level based kill option
	* sandbox: cntrl-c should kill entire process control group
	* Create a new preserve_tunables flag in sepol_handle_t.
	* semanage: show running and disk setting for booleans
	* semanage: Dont print heading if no items selected
	* sepolgen: audit2allow is mistakakenly not allowing valid module names
	* semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
	* More files to ignore
	* tree: default make target to all not install
	* sandbox: do not load unused generic init functions
sepolgen-1.1.2
	* src: sepolgen: add attribute storing infrastructure
	* Change perm-map and add open to try to get better results on
	* look for booleans that might solve problems
	* sepolgen: audit2allow is mistakakenly not allowing valid module names
	* tree: default make target to all not install
This commit is contained in:
Dan Walsh 2011-09-19 07:40:39 -04:00
parent 64a1a56e71
commit b91e98e2c2
5 changed files with 105 additions and 2259 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,4 +1,6 @@
*.rpm
.svn .svn
*.tgz
policycoreutils-1.17.5.tgz policycoreutils-1.17.5.tgz
policycoreutils-1.17.6.tgz policycoreutils-1.17.6.tgz
policycoreutils-1.17.7.tgz policycoreutils-1.17.7.tgz
@ -227,3 +229,5 @@ policycoreutils-2.0.83.tgz
/policycoreutils-2.1.4.tgz /policycoreutils-2.1.4.tgz
/policycoreutils-2.1.5.tgz /policycoreutils-2.1.5.tgz
/sepolgen-1.1.1.tgz /sepolgen-1.1.1.tgz
/sepolgen-1.1.2.tgz
/policycoreutils-2.1.6.tgz

1985
policycoreutils-rhat.patch
View File

File diff suppressed because it is too large Load Diff

329
policycoreutils-sepolgen.patch
View File

@ -1,51 +1,3 @@
diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 3eda2fd..649735f 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -32,6 +32,7 @@ in a variety of ways, but they are the fundamental representation of access.
"""
import refpolicy
+from selinux import audit2why
def is_idparam(id):
"""Determine if an id is a paramater in the form $N, where N is
@@ -85,6 +86,8 @@ class AccessVector:
self.obj_class = None
self.perms = refpolicy.IdSet()
self.audit_msgs = []
+ self.type = audit2why.TERULE
+ self.bools = []
# The direction of the information flow represented by this
# access vector - used for matching
@@ -253,20 +256,22 @@ class AccessVectorSet:
for av in l:
self.add_av(AccessVector(av))
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
"""Add an access vector to the set.
"""
tgt = self.src.setdefault(src_type, { })
cls = tgt.setdefault(tgt_type, { })
- if cls.has_key(obj_class):
- access = cls[obj_class]
+ if cls.has_key((obj_class, avc_type)):
+ access = cls[obj_class, avc_type]
else:
access = AccessVector()
access.src_type = src_type
access.tgt_type = tgt_type
access.obj_class = obj_class
- cls[obj_class] = access
+ access.bools = bools
+ access.type = avc_type
+ cls[obj_class, avc_type] = access
access.perms.update(perms)
if audit_msg:
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index 24e308e..e23725f 100644 index 24e308e..e23725f 100644
--- a/sepolgen/src/sepolgen/audit.py --- a/sepolgen/src/sepolgen/audit.py
@ -133,139 +85,6 @@ index 24e308e..e23725f 100644
return av_set return av_set
class AVCTypeFilter: class AVCTypeFilter:
diff --git a/sepolgen/src/sepolgen/defaults.py b/sepolgen/src/sepolgen/defaults.py
index 45ce61a..6d511c3 100644
--- a/sepolgen/src/sepolgen/defaults.py
+++ b/sepolgen/src/sepolgen/defaults.py
@@ -30,6 +30,9 @@ def perm_map():
def interface_info():
return data_dir() + "/interface_info"
+def attribute_info():
+ return data_dir() + "/attribute_info"
+
def refpolicy_devel():
return "/usr/share/selinux/devel"
diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py
index d8b3e34..ae1c9c5 100644
--- a/sepolgen/src/sepolgen/interfaces.py
+++ b/sepolgen/src/sepolgen/interfaces.py
@@ -29,6 +29,8 @@ import matching
from sepolgeni18n import _
+import copy
+
class Param:
"""
Object representing a paramater for an interface.
@@ -197,10 +199,48 @@ def ifcall_extract_params(ifcall, params):
ret = 1
return ret
-
+
+class AttributeVector:
+ def __init__(self):
+ self.name = ""
+ self.access = access.AccessVectorSet()
+
+ def add_av(self, av):
+ self.access.add_av(av)
+
+class AttributeSet:
+ def __init__(self):
+ self.attributes = { }
+
+ def add_attr(self, attr):
+ self.attributes[attr.name] = attr
+
+ def from_file(self, fd):
+ def parse_attr(line):
+ fields = line[1:-1].split()
+ if len(fields) != 2 or fields[0] != "Attribute":
+ raise SyntaxError("Syntax error Attribute statement %s" % line)
+ a = AttributeVector()
+ a.name = fields[1]
+
+ return a
+
+ a = None
+ for line in fd:
+ line = line[:-1]
+ if line[0] == "[":
+ if a:
+ self.add_attr(a)
+ a = parse_attr(line)
+ elif a:
+ l = line.split(",")
+ av = access.AccessVector(l)
+ a.add_av(av)
+ if a:
+ self.add_attr(a)
class InterfaceVector:
- def __init__(self, interface=None):
+ def __init__(self, interface=None, attributes={}):
# Enabled is a loose concept currently - we are essentially
# not enabling interfaces that we can't handle currently.
# See InterfaceVector.add_ifv for more information.
@@ -214,10 +254,10 @@ class InterfaceVector:
# value: Param object).
self.params = { }
if interface:
- self.from_interface(interface)
+ self.from_interface(interface, attributes)
self.expanded = False
- def from_interface(self, interface):
+ def from_interface(self, interface, attributes={}):
self.name = interface.name
# Add allow rules
@@ -232,6 +272,23 @@ class InterfaceVector:
for av in avs:
self.add_av(av)
+ # Add typeattribute access
+ if attributes != None:
+ for typeattribute in interface.typeattributes():
+ for attr in typeattribute.attributes:
+ if not attributes.attributes.has_key(attr):
+ # print "missing attribute " + attr
+ continue
+ attr_vec = attributes.attributes[attr]
+ for a in attr_vec.access:
+ av = copy.copy(a)
+ if av.src_type == attr_vec.name:
+ av.src_type = typeattribute.type
+ if av.tgt_type == attr_vec.name:
+ av.tgt_type = typeattribute.type
+ self.add_av(av)
+
+
# Extract paramaters from roles
for role in interface.roles():
if role_extract_params(role, self.params):
@@ -346,13 +403,13 @@ class InterfaceSet:
l = self.tgt_type_map.setdefault(type, [])
l.append(ifv)
- def add(self, interface):
- ifv = InterfaceVector(interface)
+ def add(self, interface, attributes={}):
+ ifv = InterfaceVector(interface, attributes)
self.add_ifv(ifv)
- def add_headers(self, headers, output=None):
+ def add_headers(self, headers, output=None, attributes={}):
for i in itertools.chain(headers.interfaces(), headers.templates()):
- self.add(i)
+ self.add(i, attributes)
self.expand_ifcalls(headers)
self.index()
diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py diff --git a/sepolgen/src/sepolgen/matching.py b/sepolgen/src/sepolgen/matching.py
index 1a9a3e5..d56dd92 100644 index 1a9a3e5..d56dd92 100644
--- a/sepolgen/src/sepolgen/matching.py --- a/sepolgen/src/sepolgen/matching.py
@ -298,21 +117,6 @@ index 1a9a3e5..d56dd92 100644
def __iter__(self): def __iter__(self):
return iter(self.children) return iter(self.children)
diff --git a/sepolgen/src/sepolgen/module.py b/sepolgen/src/sepolgen/module.py
index edd24c6..5818cec 100644
--- a/sepolgen/src/sepolgen/module.py
+++ b/sepolgen/src/sepolgen/module.py
@@ -37,8 +37,8 @@ import shutil
def is_valid_name(modname):
"""Check that a module name is valid.
"""
- m = re.findall("[^a-zA-Z0-9]", modname)
- if len(m) == 0:
+ m = re.findall("[^a-zA-Z0-9_\-\.]", modname)
+ if len(m) == 0 and modname[0].isalpha():
return True
else:
return False
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 0e6b502..6ce892c 100644 index 0e6b502..6ce892c 100644
--- a/sepolgen/src/sepolgen/policygen.py --- a/sepolgen/src/sepolgen/policygen.py
@ -377,136 +181,3 @@ index 0e6b502..6ce892c 100644
self.module.children.append(rule) self.module.children.append(rule)
diff --git a/sepolgen/src/share/perm_map b/sepolgen/src/share/perm_map
index eb2e23b..ca4fa4d 100644
--- a/sepolgen/src/share/perm_map
+++ b/sepolgen/src/share/perm_map
@@ -124,7 +124,7 @@ class filesystem 10
quotamod w 1
quotaget r 1
-class file 20
+class file 21
execute_no_trans r 1
entrypoint r 1
execmod n 1
@@ -141,48 +141,50 @@ class file 20
unlink w 1
link w 1
rename w 5
- execute r 100
+ execute r 10
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class dir 22
- add_name w 5
+class dir 23
+ add_name w 1
remove_name w 1
reparent w 1
search r 1
rmdir b 1
ioctl n 1
- read r 10
- write w 10
+ read r 1
+ write w 1
create w 1
- getattr r 7
- setattr w 7
+ getattr r 1
+ setattr w 1
lock n 1
- relabelfrom r 10
- relabelto w 10
+ relabelfrom r 1
+ relabelto w 1
append w 1
unlink w 1
link w 1
- rename w 5
+ rename w 1
execute r 1
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
class fd 1
use b 1
-class lnk_file 17
+class lnk_file 18
ioctl n 1
- read r 10
- write w 10
+ read r 1
+ write w 1
create w 1
- getattr r 7
- setattr w 7
+ getattr r 1
+ setattr w 1
lock n 1
- relabelfrom r 10
- relabelto w 10
+ relabelfrom r 1
+ relabelto w 1
append w 1
unlink w 1
link w 1
@@ -191,8 +193,9 @@ class lnk_file 17
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class chr_file 20
+class chr_file 21
execute_no_trans r 1
entrypoint r 1
execmod n 1
@@ -213,8 +216,9 @@ class chr_file 20
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class blk_file 17
+class blk_file 18
ioctl n 1
read r 10
write w 10
@@ -232,8 +236,9 @@ class blk_file 17
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class sock_file 17
+class sock_file 18
ioctl n 1
read r 10
write w 10
@@ -251,8 +256,9 @@ class sock_file 17
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
-class fifo_file 17
+class fifo_file 18
ioctl n 1
read r 10
write w 10
@@ -270,6 +276,7 @@ class fifo_file 17
swapon b 1
quotaon b 1
mounton b 1
+ open r 1
class socket 22
ioctl n 1

42
policycoreutils.spec
View File

@ -1,13 +1,13 @@
%define libauditver 1.4.2-1 %define libauditver 1.4.2-1
%define libsepolver 2.1.2-1 %define libsepolver 2.1.2-3
%define libsemanagever 2.1.2-1 %define libsemanagever 2.1.4-1
%define libselinuxver 2.1.5-2 %define libselinuxver 2.1.5-5
%define sepolgenver 1.1.1 %define sepolgenver 1.1.2
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.5 Version: 2.1.6
Release: 6%{?dist} Release: 1%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -352,6 +352,36 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || : /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
-Update to upstream
policycoreutils-2.1.6
* sepolgen-ifgen: new attr-helper does something
* audit2allow: use alternate policy file
* audit2allow: sepolgen-ifgen use the attr helper
* setfiles: switch from stat to stat64
* setfiles: Fix potential crash using dereferenced ftsent
* setfiles: do not wrap * output at 80 characters
* sandbox: add -Wall and -Werror to makefile
* sandbox: add sandbox cgroup support
* sandbox: rewrite /tmp handling
* sandbox: do not bind mount so much
* sandbox: add level based kill option
* sandbox: cntrl-c should kill entire process control group
* Create a new preserve_tunables flag in sepol_handle_t.
* semanage: show running and disk setting for booleans
* semanage: Dont print heading if no items selected
* sepolgen: audit2allow is mistakakenly not allowing valid module names
* semanage: Catch RuntimeErrors, that can be generated when SELinux is disabled
* More files to ignore
* tree: default make target to all not install
* sandbox: do not load unused generic init functions
sepolgen-1.1.2
* src: sepolgen: add attribute storing infrastructure
* Change perm-map and add open to try to get better results on
* look for booleans that might solve problems
* sepolgen: audit2allow is mistakakenly not allowing valid module names
* tree: default make target to all not install
* Wed Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-6 * Wed Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-6
- Change separator on -L from ; to : - Change separator on -L from ; to :

4
sources
View File

@ -1,3 +1,3 @@
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
fcff0d994c5106e04190432304b1e8c6 sepolgen-1.1.1.tgz c372e90a754ee87e1cc40b09134b8f31 sepolgen-1.1.2.tgz
a84ec479bf09e8d2a912fd32532853e9 policycoreutils-2.1.5.tgz e62d247400005126df7d36d2ce24b48b policycoreutils-2.1.6.tgz