sepolgen-ifgen needs to handle filename transition rules containing ":"
This commit is contained in:
parent
71f3efb73d
commit
c1e35cdc89
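--- a/[patch-file path not shown on page]
+++ b/[patch-file path not shown on page]
@@ -1,13 +1,104 @@
 diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index d636091..9ca35a7 100644
+index d636091..56919be 100644
 --- a/sepolgen/src/sepolgen/audit.py
 +++ b/sepolgen/src/sepolgen/audit.py
-@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage):
+@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
 raise ValueError("Error during access vector computation")
 
 if self.type == audit2why.CONSTRAINT:
 - self.data = []
 + self.data = [ self.data ]
 if self.scontext.user != self.tcontext.user:
-self.data.append("user")
+- self.data.append("user")
++ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
 if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
+- self.data.append("role")
++ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
+if self.scontext.level != self.tcontext.level:
+- self.data.append("level")
++ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
+
+avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
+
+diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
+index cc9f8ea..24062a1 100644
+--- a/sepolgen/src/sepolgen/policygen.py
++++ b/sepolgen/src/sepolgen/policygen.py
+@@ -172,10 +172,10 @@ class PolicyGenerator:
+rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+
+if av.type == audit2why.CONSTRAINT:
+- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+- rule.comment += "#Constraint rule: "
+- for reason in av.data:
+- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
++ rule.comment += "#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
++ rule.comment += "#Constraint rule: \n\t" + av.data[0]
++ for reason in av.data[1:]:
++ rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
+
+try:
+if ( av.type == audit2why.TERULE and
+diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
+index 7b76261..a05d9d1 100644
+--- a/sepolgen/src/sepolgen/refparser.py
++++ b/sepolgen/src/sepolgen/refparser.py
+@@ -65,6 +65,7 @@ tokens = (
+'BAR',
+'EXPL',
+'EQUAL',
++ 'FILENAME',
+'IDENTIFIER',
+'NUMBER',
+'PATH',
+@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
+t.lexer.lineno += 1
+
+def t_IDENTIFIER(t):
+- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
++ r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
+# Handle any keywords
+t.type = reserved.get(t.value,'IDENTIFIER')
+return t
+
++def t_FILENAME(t):
++ r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
++ # Handle any keywords
++ t.type = reserved.get(t.value,'FILENAME')
++ return t
++
+def t_comment(t):
+r'\#.*\n'
+# Ignore all comments
+@@ -450,6 +457,7 @@ def p_interface_call_param(p):
+| nested_id_set
+| TRUE
+| FALSE
++ | FILENAME
+'''
+# Intentionally let single identifiers pass through
+# List means set, non-list identifier
+@@ -461,6 +469,7 @@ def p_interface_call_param(p):
+def p_interface_call_param_list(p):
+'''interface_call_param_list : interface_call_param
+| interface_call_param_list COMMA interface_call_param
++ | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
+'''
+if len(p) == 2:
+p[0] = [p[1]]
+@@ -787,6 +796,7 @@ def p_avrule_def(p):
+
+def p_typerule_def(p):
+'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
++ | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
+| TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
+| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
+| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
+@@ -800,6 +810,7 @@ def p_typerule_def(p):
+t.tgt_types = p[3]
+t.obj_classes = p[5]
+t.dest_type = p[6]
++ t.file_name = p[7]
+p[0] = t
+
+def p_bool(p):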
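--- a/[spec-file path not shown on page]
+++ b/[spec-file path not shown on page]
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.1.14
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
@@ -309,6 +309,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Thu Mar 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-24
+- sepolgen-ifgen needs to handle filename transition rules containing ":"
+
 * Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-23
 - sepolicy manpage:
 - use nroff instead of man2html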