Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel

- Apply Miroslav Grepl Patches for sepolicy
Dan Walsh 2013-04-03 11:18:44 -04:00
parent 3cc0cfcac3
commit d4ae6ccd66
2 changed files with 96 additions and 35 deletions


@ -3646,7 +3646,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..c353021 100755
index b25d3b2..7443ae0 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
@ -3658,7 +3658,17 @@ index b25d3b2..c353021 100755
from sepolicy import get_os_version
import argparse
import gettext
@@ -45,7 +47,7 @@ class CheckPath(argparse.Action):
@@ -37,6 +39,9 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
+usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
+usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN','-a ADMIN_DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
+
class CheckPath(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
if not os.path.exists(values):
@@ -45,7 +50,7 @@ class CheckPath(argparse.Action):
class CheckType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
@ -3667,7 +3677,7 @@ index b25d3b2..c353021 100755
if isinstance(values,str):
setattr(namespace, self.dest, values)
@@ -58,9 +60,30 @@ class CheckType(argparse.Action):
@@ -58,9 +63,30 @@ class CheckType(argparse.Action):
newval.append(v)
setattr(namespace, self.dest, newval)
@ -3699,7 +3709,7 @@ index b25d3b2..c353021 100755
if isinstance(values,str):
if values not in domains:
@@ -80,7 +103,6 @@ class CheckDomain(argparse.Action):
@@ -80,7 +106,6 @@ class CheckDomain(argparse.Action):
all_classes = None
class CheckClass(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
@ -3707,7 +3717,7 @@ index b25d3b2..c353021 100755
global all_classes
if not all_classes:
all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
@@ -114,7 +136,7 @@ class CheckPort(argparse.Action):
@@ -114,7 +139,7 @@ class CheckPort(argparse.Action):
class CheckPortType(argparse.Action):
def __call__(self, parser, namespace, values, option_string=None):
@ -3716,7 +3726,7 @@ index b25d3b2..c353021 100755
newval = getattr(namespace, self.dest)
if not newval:
newval = []
@@ -140,19 +162,30 @@ class CheckPolicyType(argparse.Action):
@@ -140,19 +165,30 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None):
@ -3751,7 +3761,7 @@ index b25d3b2..c353021 100755
if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm)
for p in portdict:
@@ -160,7 +193,7 @@ def _print_net(src, protocol, perm):
@@ -160,7 +196,7 @@ def _print_net(src, protocol, perm):
print "\t" + recs
def network(args):
@ -3760,7 +3770,7 @@ index b25d3b2..c353021 100755
if args.list_ports:
all_ports = []
for i in portrecs:
@@ -201,41 +234,41 @@ def manpage(args):
@@ -201,41 +237,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path
@ -3825,7 +3835,7 @@ index b25d3b2..c353021 100755
def gen_network_args(parser):
net = parser.add_parser("network",
@@ -283,7 +316,6 @@ def gen_communicate_args(parser):
@@ -283,7 +319,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate)
def booleans(args):
@ -3833,7 +3843,7 @@ index b25d3b2..c353021 100755
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
@@ -300,6 +332,7 @@ def gen_booleans_args(parser):
@@ -300,6 +335,7 @@ def gen_booleans_args(parser):
action="store_true",
help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
@ -3841,7 +3851,7 @@ index b25d3b2..c353021 100755
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
@@ -320,7 +353,7 @@ def gen_transition_args(parser):
@@ -320,7 +356,7 @@ def gen_transition_args(parser):
trans.set_defaults(func=transition)
def interface(args):
@ -3850,7 +3860,7 @@ index b25d3b2..c353021 100755
if args.list_admin:
for a in get_admin():
print a
@@ -328,13 +361,16 @@ def interface(args):
@@ -328,13 +364,25 @@ def interface(args):
for a in get_user():
print a
if args.list:
@ -3864,13 +3874,22 @@ index b25d3b2..c353021 100755
cmd = None
- if args.policytype not in USERS + [ SANDBOX, NEWTYPE]:
+# numbers present POLTYPE defined in sepolicy.generate
+ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER,)}
+ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER, EUSER,)}
+ error_text = ""
+
+ if args.policytype is None:
+ generate_usage = generate_custom_usage(usage, usage_dict)
+ for k in usage_dict:
+ error_text += "%s" % (k)
+ print(generate_usage)
+ print(_("sepolicy generate: error: one of the arguments %s is required") % error_text)
+ sys.exit(1)
+
+ if args.policytype in APPLICATIONS:
if not args.command:
raise ValueError(_("Command required for this type of policy"))
cmd = os.path.realpath(args.command)
@@ -346,8 +382,18 @@ def generate(args):
@@ -346,8 +394,18 @@ def generate(args):
mypolicy.set_program(cmd)
if args.types:
@ -3889,7 +3908,7 @@ index b25d3b2..c353021 100755
for p in args.writepaths:
if os.path.isdir(p):
mypolicy.add_dir(p)
@@ -368,10 +414,10 @@ def gen_interface_args(parser):
@@ -368,10 +426,10 @@ def gen_interface_args(parser):
help=_('List SELinux Policy interfaces'))
group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
@ -3902,21 +3921,19 @@ index b25d3b2..c353021 100755
group.add_argument("-l", "--list", dest="list",action="store_true",
default=False,
help="List all interfaces")
@@ -379,7 +425,12 @@ def gen_interface_args(parser):
@@ -379,7 +437,10 @@ def gen_interface_args(parser):
def gen_generate_args(parser):
from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
- pol = parser.add_parser("generate",
+
+ generate_usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
+ generate_usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
+ generate_usage = generate_custom_usage(generate_usage, generate_usage_dict)
+ generate_usage = generate_custom_usage(usage, usage_dict)
+
+ pol = parser.add_parser("generate", usage = generate_usage,
help=_('Generate SELinux Policy module template'))
pol.add_argument("-d", "--domain", dest="domain", default=[],
action=CheckDomain, nargs="*",
@@ -397,53 +448,57 @@ def gen_generate_args(parser):
@@ -397,53 +458,57 @@ def gen_generate_args(parser):
help=argparse.SUPPRESS)
pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
action=CheckType,
@ -3931,7 +3948,7 @@ index b25d3b2..c353021 100755
- group = pol.add_mutually_exclusive_group(required=False)
- group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
+ cmdtype = pol.add_argument_group(_("Policy types which require a command"))
+ cmdgroup = cmdtype.add_mutually_exclusive_group(required=True)
+ cmdgroup = cmdtype.add_mutually_exclusive_group(required=False)
+ cmdgroup.add_argument("--application", dest="policytype", const=USER,
action="store_const",
- help=_("Generate Policy for %s") % poltype[NEWTYPE])
@ -3956,7 +3973,7 @@ index b25d3b2..c353021 100755
+ help=_("Generate '%s' policy") % poltype[DAEMON])
+
+ type = pol.add_argument_group("Policy types which do not require a command")
+ group = type.add_mutually_exclusive_group(required=True)
+ group = type.add_mutually_exclusive_group(required=False)
+ group.add_argument("--admin_user", dest="policytype", const=AUSER,
+ action="store_const",
+ help=_("Generate '%s' policy") % poltype[AUSER])
@ -4000,7 +4017,7 @@ index b25d3b2..c353021 100755
pol.set_defaults(func=generate)
if __name__ == '__main__':
@@ -461,7 +516,10 @@ if __name__ == '__main__':
@@ -461,7 +526,10 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
try:
@ -4220,7 +4237,7 @@ index 5e7415c..5267ed9 100644
booleans_dict = None
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..c83883f 100644
index 26f8390..4739025 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError:
@ -4285,6 +4302,15 @@ index 26f8390..c83883f 100644
return newte
def generate_new_rules(self):
@@ -1014,7 +1007,7 @@ allow %s_t %s_t:%s_socket name_%s;
def generate_roles_rules(self):
newte = ""
- if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER):
+ if self.type in ( TUSER, XUSER, AUSER, LUSER ):
roles = ""
if len(self.roles) > 0:
newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules)
@@ -1030,14 +1023,15 @@ allow %s_t %s_t:%s_socket name_%s;
if len(self.DEFAULT_DIRS[d][1]) > 0:
# CGI scripts already have a rw_t
@ -4303,7 +4329,7 @@ index 26f8390..c83883f 100644
newte += self.generate_capabilities()
newte += self.generate_process()
newte += self.generate_network_types()
@@ -1048,11 +1042,20 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1048,11 +1042,22 @@ allow %s_t %s_t:%s_socket name_%s;
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
@ -4313,8 +4339,10 @@ index 26f8390..c83883f 100644
- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
- break
+ if self.type == EUSER:
+ newte_tmp = ""
+ for domain in self.existing_domains:
+ newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules)
+ newte_tmp += re.sub("TEMPLATETYPE_t", domain[:-2]+"_t", self.DEFAULT_DIRS[d][2].te_rules)
+ newte += re.sub("TEMPLATETYPE_rw_t", self.name+"_rw_t", newte_tmp)
+ else:
+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
+ for i in self.DEFAULT_DIRS[d][1]:
@ -4329,7 +4357,7 @@ index 26f8390..c83883f 100644
newte += self.generate_tmp_rules()
newte += self.generate_network_rules()
@@ -1079,7 +1082,7 @@ allow %s_t %s_t:%s_socket name_%s;
@@ -1079,7 +1084,7 @@ allow %s_t %s_t:%s_socket name_%s;
fclist = []
if self.type in USERS + [ SANDBOX ]:
return executable.fc_user
@ -4338,8 +4366,24 @@ index 26f8390..c83883f 100644
raise ValueError(_("You must enter the executable path for your confined process"))
if self.program:
@@ -1123,7 +1126,7 @@ allow %s_t %s_t:%s_socket name_%s;
tmp = re.sub("TEMPLATETYPE", self.name, script.users)
@@ -1109,7 +1114,7 @@ allow %s_t %s_t:%s_socket name_%s;
def generate_user_sh(self):
newsh = ""
- if self.type not in ( TUSER, XUSER, AUSER, LUSER, EUSER):
+ if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER):
return newsh
roles = ""
@@ -1117,13 +1122,10 @@ allow %s_t %s_t:%s_socket name_%s;
roles += " %s_r" % role
if roles != "":
roles += " system_r"
- if self.type == EUSER:
- tmp = re.sub("TEMPLATETYPE", self.name, script.eusers)
- else:
- tmp = re.sub("TEMPLATETYPE", self.name, script.users)
+ tmp = re.sub("TEMPLATETYPE", self.name, script.users)
newsh += re.sub("ROLES", roles, tmp)
- if self.type == RUSER:
@ -4408,7 +4452,7 @@ index 8b063ca..c9036c3 100644
trans_list.append(m[0])
return trans_list
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 25062da..f184b0c 100755
index 25062da..2747e4f 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -28,12 +28,12 @@ import string
@ -4504,7 +4548,7 @@ index 25062da..f184b0c 100755
self.booleans_dict = gen_bool_dict(self.xmlpath)
if domainname.endswith("_t"):
@@ -459,7 +450,10 @@ class ManPage:
@@ -459,13 +450,16 @@ class ManPage:
if self.domainname + "_t" not in self.all_domains:
raise ValueError("domain %s_t does not exist" % self.domainname)
@ -4516,6 +4560,13 @@ index 25062da..f184b0c 100755
self.type = self.domainname + "_t"
self._gen_bools()
self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
self.fd = open(self.man_page_path, 'w')
- if domainname + "_r" in self.all_roles:
+ if self.domainname + "_r" in self.all_roles:
self.__gen_user_man_page()
if self.html:
manpage_roles.append(self.man_page_path)
@@ -483,16 +477,23 @@ class ManPage:
def _gen_bools(self):
self.bools=[]
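Review bot: In the gen_generate_args hunk, the two argument groups built from `cmdtype` and `type` each get their own mutually exclusive group, but every option in both stores into `dest="policytype"`, so exclusivity is only enforced inside a group: `--application CMD --admin_user ...` is accepted and the option parsed last silently overwrites the other. The `args.policytype is None` guard added in generate() only catches the case where no policy type was given at all (old and new sides are not distinguishable on this page, so I assume `required=False` is the new value, matching the changelog's "Fix generate mutually groups option handling"). A small `argparse.Action` subclass used in place of `action="store_const"` that calls `parser.error(...)` when `getattr(namespace, self.dest, None) is not None` would restore the cross-group check without giving up the separate help sections. Naming the second argument group `type` shadows the builtin; a name such as `nocmdtype` would read better next to `cmdtype`. Both gen_generate_args and generate() continue outside the visible hunks.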


@ -114,7 +114,6 @@ an SELinux environment.
%{_sbindir}/semanage
%{_bindir}/chcat
%{_bindir}/sandbox
%{_bindir}/sepolicy
%{python_sitearch}/seobject.py*
%{python_sitearch}/sepolgen
%{python_sitearch}/sepolicy
@ -126,12 +125,9 @@ an SELinux environment.
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/man8/semanage.8*
%{_mandir}/man8/sepolicy*.8*
%{_mandir}/man8/sepolgen.8*
%{_mandir}/ru/man8/semanage.8*
%{_usr}/share/bash-completion/completions/semanage
%{_usr}/share/bash-completion/completions/setsebool
%{_usr}/share/bash-completion/completions/sepolicy
%package devel
Summary: SELinux policy core policy devel utilities
@ -155,6 +151,10 @@ The policycoreutils-devel package contains the management tools use to develop p
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
%{_bindir}/sepolicy
%{_mandir}/man8/sepolicy*.8*
%{_mandir}/man8/sepolgen.8*
%{_usr}/share/bash-completion/completions/sepolicy
%post devel
selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
@ -321,6 +321,16 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Wed Apr 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-32
- Move sepolicy to policycoreutils-devel pacage, since most of it is used for devel
- Apply Miroslav Grepl Patches for sepolicy
* Fix generate mutually groups option handling
* EUSER is used for existing policy
* customize options can be used together with admin_domain option
* Fix manpage.py to generate correct man pages for SELinux users
* Fix policy *.te file generated by customize+writepaths options
* Fix install script for confined_admin option
* Mon Apr 1 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-31
- Add post install scripts for gui to make sure Icon Cache is refreshed.
- Fix grammar issue in secon man page
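Review bot: The devel `%files` list now owns `%{_bindir}/sepolicy`, its man pages and the bash completion, while `%{python_sitearch}/sepolicy` stays in the base package list, so the moved command only works when policycoreutils-devel pulls in the base package at the same version; the `Requires:` line of the devel subpackage is outside the visible hunks, so it is worth confirming it pins `policycoreutils = %{version}-%{release}`. Users who had only the base package installed lose the `sepolicy` command on upgrade, which the changelog entry presents as intended but could state explicitly. The `%changelog` section may continue past the end of the page.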