policycoreutils-2.5-4

- Add documentation for MCS separated domains
- Move svirt man page out of libvirt into its own
This commit is contained in:
Petr Lautrbach 2016-03-18 20:36:47 +01:00
parent 86e29572df
commit e41aa2fbd5
2 changed files with 56 additions and 18 deletions

View File

@ -659502,7 +659502,7 @@ index 69078b0..42e79d9 100644
os.remove(v) os.remove(v)
diff --git policycoreutils-2.5/sepolicy/sepolicy/manpage.py policycoreutils-2.5/sepolicy/sepolicy/manpage.py diff --git policycoreutils-2.5/sepolicy/sepolicy/manpage.py policycoreutils-2.5/sepolicy/sepolicy/manpage.py
index 7de2f80..7fb9dd3 100755 index 7de2f80..49df6fa 100755
--- policycoreutils-2.5/sepolicy/sepolicy/manpage.py --- policycoreutils-2.5/sepolicy/sepolicy/manpage.py
+++ policycoreutils-2.5/sepolicy/sepolicy/manpage.py +++ policycoreutils-2.5/sepolicy/sepolicy/manpage.py
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -659511,7 +659511,7 @@ index 7de2f80..7fb9dd3 100755
# Copyright (C) 2012-2013 Red Hat # Copyright (C) 2012-2013 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com> # AUTHOR: Dan Walsh <dwalsh@redhat.com>
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com> # AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
@@ -29,13 +29,22 @@ import argparse @@ -29,14 +29,23 @@ import argparse
import selinux import selinux
import sepolicy import sepolicy
from sepolicy import * from sepolicy import *
@ -659524,6 +659524,7 @@ index 7de2f80..7fb9dd3 100755
import re import re
import time import time
-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
+ +
+typealias_types = { +typealias_types = {
+ "antivirus_t": ("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"), + "antivirus_t": ("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
@ -659532,9 +659533,10 @@ index 7de2f80..7fb9dd3 100755
+ "httpd_t": ("phpfpm_t"), + "httpd_t": ("phpfpm_t"),
+} +}
+ +
equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]} +equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
equiv_dirs = ["/var"] equiv_dirs = ["/var"]
modules_dict = None
@@ -62,7 +71,7 @@ def gen_modules_dict(path="/usr/share/selinux/devel/policy.xml"): @@ -62,7 +71,7 @@ def gen_modules_dict(path="/usr/share/selinux/devel/policy.xml"):
name = "unconfined" name = "unconfined"
for b in m.findall("summary"): for b in m.findall("summary"):
@ -659754,7 +659756,15 @@ index 7de2f80..7fb9dd3 100755
if k == self.domainname: if k == self.domainname:
for alias in equiv_dict[k]: for alias in equiv_dict[k]:
self.__gen_man_page_link(alias) self.__gen_man_page_link(alias)
@@ -514,9 +477,10 @@ class ManPage: @@ -506,6 +469,7 @@ class ManPage:
self._booleans()
self._port_types()
+ self._mcs_types()
self._writes()
self._footer()
@@ -514,9 +478,10 @@ class ManPage:
self.fd = open("%s/%s_selinux.8" % (self.path, alias), 'w') self.fd = open("%s/%s_selinux.8" % (self.path, alias), 'w')
self.fd.write(".so man8/%s_selinux.8" % self.domainname) self.fd.write(".so man8/%s_selinux.8" % self.domainname)
self.fd.close() self.fd.close()
@ -659766,7 +659776,7 @@ index 7de2f80..7fb9dd3 100755
self.anon_list = [] self.anon_list = []
self.attributes = {} self.attributes = {}
@@ -524,6 +488,16 @@ class ManPage: @@ -524,11 +489,22 @@ class ManPage:
self._get_ptypes() self._get_ptypes()
for domain_type in self.ptypes: for domain_type in self.ptypes:
@ -659783,7 +659793,13 @@ index 7de2f80..7fb9dd3 100755
self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
self._header() self._header()
@@ -542,6 +516,34 @@ class ManPage: self._entrypoints()
self._process_types()
+ self._mcs_types()
self._booleans()
self._nsswitch_domain()
self._port_types()
@@ -542,6 +518,34 @@ class ManPage:
if f.startswith(self.short_name) or f.startswith(self.domainname): if f.startswith(self.short_name) or f.startswith(self.domainname):
self.ptypes.append(f) self.ptypes.append(f)
@ -659818,7 +659834,7 @@ index 7de2f80..7fb9dd3 100755
def _header(self): def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
% {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
@@ -601,7 +603,7 @@ SELinux policy is customizable based on least access required. %s policy is ext @@ -601,7 +605,7 @@ SELinux policy is customizable based on least access required. %s policy is ext
nsswitch_types = [] nsswitch_types = []
nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'kerberos_enabled'] nsswitch_booleans = ['authlogin_nsswitch_use_ldap', 'kerberos_enabled']
nsswitchbooltext = "" nsswitchbooltext = ""
@ -659827,7 +659843,7 @@ index 7de2f80..7fb9dd3 100755
if "nsswitch_domain" in self.attributes[k]: if "nsswitch_domain" in self.attributes[k]:
nsswitch_types.append(k) nsswitch_types.append(k)
@@ -691,10 +693,13 @@ Default Defined Ports:""") @@ -691,10 +695,13 @@ Default Defined Ports:""")
def _file_context(self): def _file_context(self):
flist = [] flist = []
@ -659841,7 +659857,7 @@ index 7de2f80..7fb9dd3 100755
if f in self.fcdict: if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"] mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0: if len(mpaths) == 0:
@@ -746,19 +751,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d @@ -746,19 +753,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP .PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1] }) """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
@ -659865,7 +659881,7 @@ index 7de2f80..7fb9dd3 100755
self.fd.write(r""" self.fd.write(r"""
.I The following file types are defined for %(domainname)s: .I The following file types are defined for %(domainname)s:
@@ -895,7 +901,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) @@ -895,7 +903,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
def _entrypoints(self): def _entrypoints(self):
try: try:
@ -659874,7 +659890,7 @@ index 7de2f80..7fb9dd3 100755
except: except:
return return
@@ -911,7 +917,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8) @@ -911,7 +919,7 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
The %s_t SELinux type can be entered via the %s. The %s_t SELinux type can be entered via the %s.
The default entrypoint paths for the %s_t domain are the following: The default entrypoint paths for the %s_t domain are the following:
@ -659883,7 +659899,25 @@ index 7de2f80..7fb9dd3 100755
if "bin_t" in entrypoints: if "bin_t" in entrypoints:
entrypoints.remove("bin_t") entrypoints.remove("bin_t")
self.fd.write (""" self.fd.write ("""
@@ -948,7 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a @@ -925,6 +933,17 @@ All executeables with the default executable label, usually stored in /usr/bin a
self.fd.write("""
%s""" % ", ".join(paths))
+ def _mcs_types(self):
+ attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+ if "mcs_constrained_type" not in attributes:
+ return
+ self.fd.write ("""
+.SH "MCS Constrained"
+The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group.
+
+For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4
+""" % {'type': self.domainname})
+
def _writes(self):
permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
if permlist == None or len(permlist) == 0:
@@ -948,7 +967,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
""") """)
self.fd.write (""" self.fd.write ("""
The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
@ -659892,7 +659926,7 @@ index 7de2f80..7fb9dd3 100755
all_writes.sort() all_writes.sort()
if "file_type" in all_writes: if "file_type" in all_writes:
@@ -1013,7 +1019,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo @@ -1013,7 +1032,7 @@ If you want to map the one Linux user (joe) to the SELinux user %(user)s, you wo
.B $ semanage login -a -s %(user)s_u joe .B $ semanage login -a -s %(user)s_u joe
@ -659901,7 +659935,7 @@ index 7de2f80..7fb9dd3 100755
def _can_sudo(self): def _can_sudo(self):
sudotype = "%s_sudo_t" % self.domainname sudotype = "%s_sudo_t" % self.domainname
@@ -1161,7 +1167,7 @@ Three things can happen when %(type)s attempts to execute a program. @@ -1161,7 +1180,7 @@ Three things can happen when %(type)s attempts to execute a program.
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
@ -659910,7 +659944,7 @@ index 7de2f80..7fb9dd3 100755
.TP .TP
@@ -1169,9 +1175,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut @@ -1169,9 +1188,9 @@ Execute the following to see the types that the SELinux user %(type)s can execut
Execute the following to see the types that the SELinux user %(type)s can execute and transition: Execute the following to see the types that the SELinux user %(type)s can execute and transition:
@ -659922,7 +659956,7 @@ index 7de2f80..7fb9dd3 100755
def _role_header(self): def _role_header(self):
self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"' self.fd.write('.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"'
@@ -1233,7 +1239,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use @@ -1233,7 +1252,7 @@ You need to add %(user)s_r to the staff_u user. You could setup the staff_u use
SELinux policy also controls which roles can transition to a different role. SELinux policy also controls which roles can transition to a different role.
You can list these rules using the following command. You can list these rules using the following command.

View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.5 Version: 2.5
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -20,7 +20,7 @@ Source4: sepolicy-icons.tgz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run: # run:
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils
# HEAD https://github.com/fedora-selinux/selinux/commit/dd55f35aa786ad0c5635391e8a9bde47beb8de1b # HEAD https://github.com/fedora-selinux/selinux/commit/c3819c97e4231166cfb2ae64e623546bd26a5627
Patch: policycoreutils-fedora.patch Patch: policycoreutils-fedora.patch
# $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen # $ VERSION=1.2.3 ./make-fedora-selinux-patch.sh sepolgen
Patch1: sepolgen-fedora.patch Patch1: sepolgen-fedora.patch
@ -408,6 +408,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Fri Mar 18 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
- Add documentation for MCS separated domains
- Move svirt man page out of libvirt into its own
* Thu Mar 17 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3 * Thu Mar 17 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
- policycoreutils: use python3 in chcat(#1318408) - policycoreutils: use python3 in chcat(#1318408)