From c1e35cdc8997492490eec6d8528eca8a571961d5 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Thu, 21 Mar 2013 10:52:00 -0400
Subject: [PATCH] sepolgen-ifgen needs to handle filename transition rules containing ":"
---
 policycoreutils-sepolgen.patch | 97 ++++++++++++++++++++++++++++++++--
 policycoreutils.spec | 5 +-
 2 files changed, 98 insertions(+), 4 deletions(-)
diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch
index 2ac2cb0..644a5b5 100644
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@@ -1,13 +1,104 @@
 diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index d636091..9ca35a7 100644
+index d636091..56919be 100644
 --- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
-@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage):
+@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
 raise ValueError("Error during access vector computation")
 if self.type == audit2why.CONSTRAINT:
 - self.data = []
 + self.data = [ self.data ]
 if self.scontext.user != self.tcontext.user:
- self.data.append("user")
+- self.data.append("user")
++ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
 if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
+- self.data.append("role")
++ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
+ if self.scontext.level != self.tcontext.level:
+- self.data.append("level")
++ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
+
+ avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
+
+diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
+index cc9f8ea..24062a1 100644
+--- a/sepolgen/src/sepolgen/policygen.py
++++ b/sepolgen/src/sepolgen/policygen.py
+@@ -172,10 +172,10 @@ class PolicyGenerator:
+ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+
+ if av.type == audit2why.CONSTRAINT:
+- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+- rule.comment += "#Constraint rule: "
+- for reason in av.data:
+- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
++ rule.comment += "#!!!! This avc is a constraint violation. 
You would need to modify the attributes of either the source or target types to allow this access.\n"
++ rule.comment += "#Constraint rule: \n\t" + av.data[0]
++ for reason in av.data[1:]:
++ rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
+
+ try:
+ if ( av.type == audit2why.TERULE and
+diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
+index 7b76261..a05d9d1 100644
+--- a/sepolgen/src/sepolgen/refparser.py
++++ b/sepolgen/src/sepolgen/refparser.py
+@@ -65,6 +65,7 @@ tokens = (
+ 'BAR',
+ 'EXPL',
+ 'EQUAL',
++ 'FILENAME',
+ 'IDENTIFIER',
+ 'NUMBER',
+ 'PATH',
+@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
+ t.lexer.lineno += 1
+
+ def t_IDENTIFIER(t):
+- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
++ r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
+ # Handle any keywords
+ t.type = reserved.get(t.value,'IDENTIFIER')
+ return t
+
++def t_FILENAME(t):
++ r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
++ # Handle any keywords
++ t.type = reserved.get(t.value,'FILENAME')
++ return t
++
+ def t_comment(t):
+ r'\#.*\n'
+ # Ignore all comments
+@@ -450,6 +457,7 @@ def p_interface_call_param(p):
+ | nested_id_set
+ | TRUE
+ | FALSE
++ | FILENAME
+ '''
+ # Intentionally let single identifiers pass through
+ # List means set, non-list identifier
+@@ -461,6 +469,7 @@ def p_interface_call_param(p):
+ def p_interface_call_param_list(p):
+ '''interface_call_param_list : interface_call_param
+ | interface_call_param_list COMMA interface_call_param
++ | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
+ '''
+ if len(p) == 2:
+ p[0] = [p[1]]
+@@ -787,6 +796,7 @@ def p_avrule_def(p):
+
+ def p_typerule_def(p):
+ '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
++ | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
+ | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
+ | TYPE_CHANGE names names COLON names IDENTIFIER SEMI
+ | 
TYPE_MEMBER names names COLON names IDENTIFIER SEMI
+@@ -800,6 +810,7 @@ def p_typerule_def(p):
+ t.tgt_types = p[3]
+ t.obj_classes = p[5]
+ t.dest_type = p[6]
++ t.file_name = p[7]
+ p[0] = t
+
+ def p_bool(p):
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 2252080..dc2c772 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.1.14
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
@@ -309,6 +309,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 %changelog
+* Thu Mar 21 2013 Dan Walsh - 2.1.14-24
+- sepolgen-ifgen needs to handle filename transition rules containing ":"
+
 * Tue Mar 19 2013 Dan Walsh - 2.1.14-23
 - sepolicy manpage:
 - use nroff instead of man2html
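Review bot: The new `t.file_name = p[7]` in the p_typerule_def hunk runs for every alternative of the rule, but only the two eight-symbol productions (FILENAME or IDENTIFIER in position 7) actually carry a filename; for the seven-symbol type_transition, type_change and type_member forms p[7] is the SEMI token, so file_name is presumably set to the semicolon's text instead of being left empty. Guarding on the production length avoids that: `t.file_name = p[7] if len(p) == 9 else ""`. The start of p_typerule_def's action body, and whatever later reads file_name, lies outside the hunk, so an existing length check there would change this assessment. Separately, in the added t_FILENAME the copied `# Handle any keywords` comment and the `reserved.get(t.value,'FILENAME')` lookup appear dead, because a value that starts and ends with a double quote can never equal a bare keyword. The new `interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list` alternative overlaps the existing left-recursive one and so is likely to produce parser conflicts; it is worth confirming what the generated parser reports before relying on it.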