From e96c403a63ed29ac9ae34192d53de2d1989b1063 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Tue, 18 Aug 2009 19:25:04 +0000
Subject: [PATCH] * Tue Aug 18 2009 Dan Walsh 2.0.71-4 - Add --boot flag to audit2allow to get all AVC messages since last boot
---
 .cvsignore | 1 +
 policycoreutils-rhat.patch | 40 ++++++++++++++++++++++++++
 policycoreutils-sepolgen.patch | 52 ++++++++++++++++++++++------------
 policycoreutils.spec | 7 +++--
 sources | 2 +-
 5 files changed, 81 insertions(+), 21 deletions(-)
diff --git a/.cvsignore b/.cvsignore
index 1d1b406..1cc7d3c 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -205,3 +205,4 @@ policycoreutils-2.0.68.tgz
 policycoreutils-2.0.70.tgz
 policycoreutils_man_ru2.tar.bz2
 policycoreutils-2.0.71.tgz
+sepolgen-1.0.17.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index dd67bec..7fc804a 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,3 +1,43 @@ +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.71/audit2allow/audit2allow +--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500 ++++ policycoreutils-2.0.71/audit2allow/audit2allow 2009-08-18 15:19:58.000000000 -0400 +@@ -42,6 +42,8 @@ + from optparse import OptionParser + + parser = OptionParser(version=self.VERSION) ++ parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False, ++ help="audit messages since last boot conflicts with -i") + parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, + help="read input from audit log - conflicts with -i") + parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, +@@ -80,11 +82,11 @@ + options, args = parser.parse_args() + + # Make -d, -a, and -i conflict +- if options.audit is True: ++ if options.audit is True or options.boot: + if options.input is not None: +- sys.stderr.write("error: --all conflicts with --input\n") ++ sys.stderr.write("error: --all/--boot conflicts with --input\n") + if options.dmesg is True: +- sys.stderr.write("error: --all conflicts with --dmesg\n") ++ sys.stderr.write("error: --all/--boot conflicts with --dmesg\n") + if options.input is not None and options.dmesg is True: + sys.stderr.write("error: --input conflicts with --dmesg\n") + +@@ -129,6 +131,12 @@ + except OSError, e: + sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) + sys.exit(1) ++ elif self.__options.boot: ++ try: ++ messages = audit.get_audit_boot_msgs() ++ except OSError, e: ++ sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) ++ sys.exit(1) + else: + # This is the default if no input is specified + f = sys.stdin diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile --- 
nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 +++ policycoreutils-2.0.71/Makefile 2009-08-13 17:57:54.000000000 -0400 diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index 9826801..67707da 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch 
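Review bot: The new `elif self.__options.boot:` branch catches only `OSError`, but get_audit_boot_msgs (added to sepolgen's audit.py elsewhere in this commit) opens /proc/uptime before it runs ausearch, and on Python 2 a failed open() raises IOError, which this handler does not catch; `except (OSError, IOError), e:` covers both, and the message should stop blaming ausearch alone. The conflict block also never tests `--boot` against `--all`, so passing both is accepted silently, and the lines visible here only write the error text without exiting. In the option definition the help string runs two clauses together; `help="audit messages since last boot - conflicts with -i"` would match the `-a` entry below it. Both changes sit in functions whose start and end are outside the hunk.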
@@ -1,19 +1,35 @@ -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/access.py ---- nsasepolgen/src/sepolgen/access.py 2009-01-13 08:45:35.000000000 -0500 -+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/access.py 2009-04-21 14:54:12.000000000 -0400 -@@ -313,7 +313,7 @@ - - def __len__(self): - """Return the unique number of role allow statements.""" -- return len(self.role_type.keys()) -+ return len(self.role_types.keys()) - - def add(self, role, type): - if self.role_types.has_key(role): -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/audit.py +diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.71/sepolgen-1.0.16/src/sepolgen/audit.py --- nsasepolgen/src/sepolgen/audit.py 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/audit.py 2009-04-24 13:19:39.000000000 -0400 -@@ -47,6 +47,17 @@ ++++ policycoreutils-2.0.71/sepolgen-1.0.16/src/sepolgen/audit.py 2009-08-18 15:21:13.000000000 -0400 +@@ -23,6 +23,27 @@ + + # Convenience functions + ++def get_audit_boot_msgs(): ++ """Obtain all of the avc and policy load messages from the audit ++ log. This function uses ausearch and requires that the current ++ process have sufficient rights to run ausearch. ++ ++ Returns: ++ string contain all of the audit messages returned by ausearch. 
++ """ ++ import subprocess ++ import time ++ fd=open("/proc/uptime", "r") ++ off=float(fd.read().split()[0]) ++ fd.close ++ s = time.localtime(time.time() - off) ++ date = time.strftime("%D/%Y", s).split("/") ++ bootdate="%s/%s/%s" % (date[0], date[1], date[3]) ++ boottime = time.strftime("%X", s) ++ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime], ++ stdout=subprocess.PIPE).communicate()[0] ++ return output ++ + def get_audit_msgs(): + """Obtain all of the avc and policy load messages from the audit + log. This function uses ausearch and requires that the current +@@ -47,6 +68,17 @@ stdout=subprocess.PIPE).communicate()[0] return output @@ -31,15 +47,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor # Classes representing audit messages class AuditMessage: -diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/refparser.py +diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.71/sepolgen-1.0.16/src/sepolgen/refparser.py --- nsasepolgen/src/sepolgen/refparser.py 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.62/sepolgen-1.0.16/src/sepolgen/refparser.py 2009-04-21 14:54:12.000000000 -0400 ++++ policycoreutils-2.0.71/sepolgen-1.0.16/src/sepolgen/refparser.py 2009-08-13 17:57:55.000000000 -0400 @@ -919,7 +919,7 @@ def list_headers(root): modules = [] support_macros = None - blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"] -+ blacklist = ["uml.if", "thunderbird.if", "unconfined.if"] ++ blacklist = ["uml.if", "thunderbird.if, unconfined.if"] for dirpath, dirnames, filenames in os.walk(root): for name in filenames: diff --git a/policycoreutils.spec b/policycoreutils.spec index c61a285..acdab89 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
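Review bot: In the added get_audit_boot_msgs, `fd.close` is missing its call parentheses, so the /proc/uptime handle is never explicitly closed; it should read `fd.close()`. The boot date is hand-assembled as mm/dd/YYYY from `%D/%Y` while the time half uses the locale-dependent `%X`; if ausearch parses `-ts` according to the current locale, as its man page describes, the date can be misread or rejected outside US-style locales, and `bootdate = time.strftime("%x", s)` would keep both halves consistent. The exit status and stderr of ausearch are discarded, so a permission failure comes back as an empty string and the caller reports no denials rather than an error. The docstring was copied from get_audit_msgs and still describes the whole audit log; it should say the messages are limited to those since the last boot.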
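Review bot: The rewritten blacklist line in list_headers has lost a pair of quotes: `["uml.if", "thunderbird.if, unconfined.if"]` is a two-element list whose second entry is the single string `thunderbird.if, unconfined.if`, which matches neither file name. The line it replaces listed three separate entries, so this looks like a regression; restore `blacklist = ["uml.if", "thunderbird.if", "unconfined.if"]`. Presumably the list keeps those interface files out of the headers used for policy generation, in which case interfaces from unconfined.if would become candidates for suggested rules again; that is worth confirming against the rest of list_headers, whose loop body continues outside the hunk.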
@@ -2,11 +2,11 @@ %define libsepolver 2.0.19-1 %define libsemanagever 2.0.28-2 %define libselinuxver 2.0.46-5 -%define sepolgenver 1.0.16 +%define sepolgenver 1.0.17 Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.71 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -265,6 +265,9 @@ else fi %changelog +* Tue Aug 18 2009 Dan Walsh 2.0.71-4 +- Add --boot flag to audit2allow to get all AVC messages since last boot + * Tue Aug 18 2009 Dan Walsh 2.0.71-3 - Fix semanage command diff --git a/sources b/sources index d7e9862..f27091e 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -e1b5416c3e0d76e5d702b3f54f4def45 sepolgen-1.0.16.tgz 00fd9d86bd6a8066da710d6fda910b01 policycoreutils-2.0.71.tgz 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 +480cc64a050735fa1163a87dc89c4f49 sepolgen-1.0.17.tgz