* Mon Jun 30 2008 Dan Walsh <dwalsh@redhat.com> 2.0.50-1

- Update to upstream
	* Fix audit2allow generation of role-type rules from Karl MacMillan.
This commit is contained in:
Daniel J Walsh 2008-06-30 15:52:24 +00:00
parent d0f20a4df5
commit d21474fea3
6 changed files with 385 additions and 304963 deletions


@ -179,3 +179,5 @@ policycoreutils-2.0.44.tgz
policycoreutils-2.0.46.tgz policycoreutils-2.0.46.tgz
policycoreutils-2.0.47.tgz policycoreutils-2.0.47.tgz
policycoreutils-2.0.49.tgz policycoreutils-2.0.49.tgz
policycoreutils-2.0.50.tgz
sepolgen-1.0.12.tgz



@ -1,56 +1,21 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile
--- nsapolicycoreutils/Makefile 2008-06-12 23:25:24.000000000 -0400 --- nsapolicycoreutils/Makefile 2008-06-12 23:25:24.000000000 -0400
+++ policycoreutils-2.0.49/Makefile 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/Makefile 2008-06-27 07:21:06.000000000 -0400
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.49/audit2allow/audit2allow diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/VERSION policycoreutils-2.0.49/VERSION
--- nsapolicycoreutils/audit2allow/audit2allow 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/VERSION 2008-06-30 11:12:04.000000000 -0400
+++ policycoreutils-2.0.49/audit2allow/audit2allow 2008-06-23 07:03:50.000000000 -0400 +++ policycoreutils-2.0.49/VERSION 2008-05-16 10:55:40.000000000 -0400
@@ -152,12 +152,13 @@ @@ -1 +1 @@
-2.0.50
def __process_input(self): +2.0.49
if self.__options.type:
- avcfilter = audit.TypeFilter(self.__options.type)
+ avcfilter = audit.AVCTypeFilter(self.__options.type)
self.__avs = self.__parser.to_access(avcfilter)
- self.__selinux_errs = self.__parser.to_role(avcfilter)
+ csfilter = audit.ComputeSidTypeFilter(self.__options.type)
+ self.__role_types = self.__parser.to_role(csfilter)
else:
self.__avs = self.__parser.to_access()
- self.__selinux_errs = self.__parser.to_role()
+ self.__role_types = self.__parser.to_role()
def __load_interface_info(self):
# Load interface info file
@@ -310,6 +311,7 @@
# Generate the policy
g.add_access(self.__avs)
+ g.add_role_types(self.__role_types)
# Output
writer = output.ModuleWriter()
@@ -328,12 +330,6 @@
fd = sys.stdout
writer.write(g.get_module(), fd)
- if len(self.__selinux_errs) > 0:
- fd.write("\n=========== ROLES ===============\n")
-
- for role in self.__selinux_errs:
- fd.write(role.output())
-
def main(self):
try:
self.__parse_options()
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/restorecond/restorecond.c 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-06-27 07:21:06.000000000 -0400
@@ -210,9 +210,10 @@ @@ -210,9 +210,10 @@
} }
@ -79,7 +44,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
close(fd); close(fd);
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
--- nsapolicycoreutils/restorecond/restorecond.init 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/restorecond/restorecond.init 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-06-27 07:21:06.000000000 -0400
@@ -2,7 +2,7 @@ @@ -2,7 +2,7 @@
# #
# restorecond: Daemon used to maintain path file context # restorecond: Daemon used to maintain path file context
@ -91,7 +56,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
# correct security context. # correct security context.
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/scripts/fixfiles 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/scripts/fixfiles 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/scripts/fixfiles 2008-06-27 07:21:06.000000000 -0400
@@ -138,6 +138,9 @@ @@ -138,6 +138,9 @@
fi fi
LogReadOnly LogReadOnly
@ -123,7 +88,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
if [ $# = 0 ]; then if [ $# = 0 ]; then
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8
--- nsapolicycoreutils/scripts/fixfiles.8 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/scripts/fixfiles.8 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-06-27 07:21:06.000000000 -0400
@@ -7,6 +7,8 @@ @@ -7,6 +7,8 @@
.B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] .B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ]
@ -145,7 +110,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
.TP .TP
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/semanage/semanage 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/semanage/semanage 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/semanage/semanage 2008-06-27 07:21:06.000000000 -0400
@@ -43,49 +43,52 @@ @@ -43,49 +43,52 @@
if __name__ == '__main__': if __name__ == '__main__':
@ -273,7 +238,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
if modify: if modify:
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/semanage/semanage.8 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/semanage/semanage.8 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/semanage/semanage.8 2008-06-27 07:21:06.000000000 -0400
@@ -17,6 +17,8 @@ @@ -17,6 +17,8 @@
.br .br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec .B semanage fcontext \-{a|d|m} [\-frst] file_spec
@ -298,7 +263,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
- -
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2008-06-12 23:25:21.000000000 -0400 --- nsapolicycoreutils/semanage/seobject.py 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.49/semanage/seobject.py 2008-06-23 07:03:37.000000000 -0400 +++ policycoreutils-2.0.49/semanage/seobject.py 2008-06-27 07:21:06.000000000 -0400
@@ -1,5 +1,5 @@ @@ -1,5 +1,5 @@
#! /usr/bin/python -E #! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007 Red Hat -# Copyright (C) 2005, 2006, 2007 Red Hat
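Review bot: The regenerated policycoreutils-rhat.patch now carries a VERSION hunk (`--- nsapolicycoreutils/VERSION 2008-06-30`, `+++ policycoreutils-2.0.49/VERSION 2008-05-16`, `-2.0.50` / `+2.0.49`) that would rewrite the 2.0.50 tarball's VERSION file back to 2.0.49 when the patch is applied at %prep. The `policycoreutils-2.0.49/` path prefix and the older timestamp on the `+++` side suggest the patch was diffed against a stale working tree rather than being an intended change, so that hunk should be removed from the patch before the build; otherwise anything that reads VERSION (presumably the Makefile, confirm) will misreport the package as 2.0.49 while the spec says 2.0.50. The other hunks in this section (restorecond, fixfiles, semanage, seobject.py) appear to differ only in header timestamps, and their bodies are largely outside what this page shows.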


@ -1,195 +1,6 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.12/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/access.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py 2008-06-23 07:04:21.000000000 -0400
@@ -295,3 +295,32 @@
perms[av.obj_class] = s
s.update(av.perms)
return perms
+
+class RoleTypeSet:
+ """A non-overlapping set of role type statements.
+
+ This clas allows the incremental addition of role type statements and
+ maintains a non-overlapping list of statements.
+ """
+ def __init__(self):
+ """Initialize an access vector set."""
+ self.role_types = {}
+
+ def __iter__(self):
+ """Iterate over all of the unique role allows statements in the set."""
+ for role_type in self.role_types.values():
+ yield role_type
+
+ def __len__(self):
+ """Return the unique number of role allow statements."""
+ return len(self.roles)
+
+ def add(self, role, type):
+ if self.role_types.has_key(role):
+ role_type = self.role_types[role]
+ else:
+ role_type = refpolicy.RoleType()
+ role_type.role = role
+ self.role_types[role] = role_type
+
+ role_type.types.add(type)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-06-23 07:05:23.000000000 -0400
@@ -235,20 +235,21 @@
"""
def __init__(self, message):
AuditMessage.__init__(self, message)
- self.type = ""
- self.role = ""
+ self.invalid_context = refpolicy.SecurityContext()
+ self.scontext = refpolicy.SecurityContext()
+ self.tcontext = refpolicy.SecurityContext()
+ self.tclass = ""
def from_split_string(self, recs):
AuditMessage.from_split_string(self, recs)
- dict={}
- for i in recs:
- t = i.split('=')
- if len(t) < 2:
- continue
- dict[t[0]]=t[1]
+ if len(recs) < 10:
+ raise ValueError("Split string does not represent a valid compute sid message")
+
try:
- self.role = refpolicy.SecurityContext(dict["scontext"]).role
- self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+ self.invalid_context = refpolicy.SecurityContext(recs[5])
+ self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1])
+ self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1])
+ self.tclass = recs[9].split("=")[1]
except:
raise ValueError("Split string does not represent a valid compute sid message")
def output(self):
@@ -405,7 +406,7 @@
self.__post_process()
def to_role(self, role_filter=None):
- """Return list of SELINUX_ERR messages matching the specified filter
+ """Return RoleAllowSet statements matching the specified filter
Filter out types that match the filer, or all roles
@@ -416,13 +417,12 @@
Access vector set representing the denied access in the
audit logs parsed by this object.
"""
- roles = []
- if role_filter:
- for selinux_err in self.compute_sid_msgs:
- if role_filter.filter(selinux_err):
- roles.append(selinux_err)
- return roles
- return self.compute_sid_msgs
+ role_types = access.RoleTypeSet()
+ for cs in self.compute_sid_msgs:
+ if not role_filter or role_filter.filter(cs):
+ role_types.add(cs.invalid_context.role, cs.invalid_context.type)
+
+ return role_types
def to_access(self, avc_filter=None, only_denials=True):
"""Convert the audit logs access into a an access vector set.
@@ -454,7 +454,7 @@
avc.accesses, avc)
return av_set
-class TypeFilter:
+class AVCTypeFilter:
def __init__(self, regex):
self.regex = re.compile(regex)
@@ -465,4 +465,17 @@
return True
return False
+class ComputeSidTypeFilter:
+ def __init__(self, regex):
+ self.regex = re.compile(regex)
+
+ def filter(self, avc):
+ if self.regex.match(avc.invalid_context.type):
+ return True
+ if self.regex.match(avc.scontext.type):
+ return True
+ if self.regex.match(avc.tcontext.type):
+ return True
+ return False
+
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/output.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py
--- nsasepolgen/src/sepolgen/output.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py 2008-06-23 07:04:31.000000000 -0400
@@ -101,6 +101,8 @@
else:
return id_set_cmp(a.src_types, [b.args[0]])
+def role_type_cmp(a, b):
+ return cmp(a.role, b.role)
def sort_filter(module):
"""Sort and group the output for readability.
@@ -146,6 +148,18 @@
c.extend(sep_rules)
+
+ ras = []
+ ras.extend(node.role_types())
+ ras.sort(role_type_cmp)
+ if len(ras):
+ comment = refpolicy.Comment()
+ comment.lines.append("============= ROLES ==============")
+ c.append(comment)
+
+
+ c.extend(ras)
+
# Everything else
for child in node.children:
if child not in c:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py 2008-06-23 07:04:36.000000000 -0400
@@ -167,6 +167,13 @@
if self.gen_requires:
gen_requires(self.module)
+ def add_role_types(self, role_type_set):
+ for role_type in role_type_set:
+ self.module.children.append(role_type)
+
+ # Generate the requires
+ if self.gen_requires:
+ gen_requires(self.module)
def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
"""Explain why a policy statement was generated.
@@ -334,8 +341,12 @@
# can actually figure those out.
r.types.add(arg)
- r.types.discard("self")
+ for role_type in node.role_types():
+ r.roles.add(role_type.role)
+ r.types.update(role_type.types)
+ r.types.discard("self")
+
node.children.insert(0, r)
# FUTURE - this is untested on modules with any sort of
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2008-06-12 23:25:26.000000000 -0400 --- nsasepolgen/src/sepolgen/refparser.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-06-23 07:05:23.000000000 -0400 +++ policycoreutils-2.0.49/sepolgen-1.0.12/src/sepolgen/refparser.py 2008-06-27 07:21:06.000000000 -0400
@@ -919,7 +919,7 @@ @@ -919,7 +919,7 @@
def list_headers(root): def list_headers(root):
modules = [] modules = []
@ -199,35 +10,3 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
for dirpath, dirnames, filenames in os.walk(root): for dirpath, dirnames, filenames in os.walk(root):
for name in filenames: for name in filenames:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2008-06-12 23:25:26.000000000 -0400
+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py 2008-06-23 07:04:47.000000000 -0400
@@ -122,6 +122,12 @@
def roles(self):
return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self))
+ def role_allows(self):
+ return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self))
+
+ def role_types(self):
+ return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self))
+
def __str__(self):
if self.comment:
return str(self.comment) + "\n" + self.to_string()
@@ -494,6 +500,15 @@
return "allow %s %s;" % (self.src_roles.to_comma_str(),
self.tgt_roles.to_comma_str())
+class RoleType(Leaf):
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
+ self.role = ""
+ self.types = IdSet()
+
+ def to_string(self):
+ return "role %s types %s;" % (self.role, self.types.to_comma_str())
+
class ModuleDeclaration(Leaf):
def __init__(self, parent=None):
Leaf.__init__(self, parent)
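Review bot: This section drops the local sepolgen patch in favour of the upstream sepolgen-1.0.12 tarball, but the dropped hunk contains a definite defect that should be confirmed fixed upstream before the package relies on it: `RoleTypeSet.__len__` returns `len(self.roles)` while the only attribute the class ever defines is `self.role_types`, so any `len()` on a RoleTypeSet raises AttributeError. The dropped `from_split_string` also parses audit fields by fixed position (`recs[5]`, `recs[7].split("=")[1]`, `recs[9].split("=")[1]`) inside a bare `except:`, which turns any field reordering or a truncated record into a generic ValueError with the real cause discarded. I cannot see the 1.0.12 contents from this page, so this is a request to verify the tarball rather than a known regression; if upstream absorbed the patch verbatim, these issues now live there instead of in this repo. The surviving refparser.py hunk around `list_headers` is context-only here and raises nothing on its own.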


@ -2,11 +2,11 @@
%define libsepolver 2.0.19-1 %define libsepolver 2.0.19-1
%define libsemanagever 2.0.5-1 %define libsemanagever 2.0.5-1
%define libselinuxver 2.0.46-5 %define libselinuxver 2.0.46-5
%define sepolgenver 1.0.11 %define sepolgenver 1.0.12
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.49 Version: 2.0.50
Release: 10%{?dist} Release: 11%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -191,6 +191,10 @@ if [ "$1" -ge "1" ]; then
fi fi
%changelog %changelog
* Mon Jun 30 2008 Dan Walsh <dwalsh@redhat.com> 2.0.50-1
- Update to upstream
* Fix audit2allow generation of role-type rules from Karl MacMillan.
* Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-10 * Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-10
- Fix spelling of enforcement - Fix spelling of enforcement


@ -1,2 +1,2 @@
3fed5cd04ee67c0f86e3cc6825261819 sepolgen-1.0.11.tgz bf55b96652d47bb2838141130f851477 policycoreutils-2.0.50.tgz
2a4121369b3d63dddd4cdf8d3fb9ef84 policycoreutils-2.0.49.tgz 4813a1ed80f19068ed9897165f073e8b sepolgen-1.0.12.tgz