From e9b167e78d5f7beaeb3c798ac246dadc85611480 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Wed, 27 Mar 2013 14:00:16 -0400 Subject: [PATCH] Fix audit2allow output to better align analysis with the allow rules - Apply Miroslav Grepl patch to clean up sepolicy generate usage - Apply Miroslav Grepl patch to fix up handling of admin_user generation - Update Translations --- policycoreutils-rhat.patch | 415 +++++++++++++++++++++++++++++++-- policycoreutils-sepolgen.patch | 37 ++- policycoreutils.spec | 8 +- 3 files changed, 437 insertions(+), 23 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 06b2ab6..04837d6 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -983,6 +983,189 @@ index e84995e..a60b20e 100644 #: booleans.py:233 msgid "Allow xguest users to mount removable media" +diff --git a/policycoreutils/po/gu.po b/policycoreutils/po/gu.po +index 165b892..074abad 100644 +--- a/policycoreutils/po/gu.po ++++ b/policycoreutils/po/gu.po +@@ -5,13 +5,14 @@ + # Translators: + # Ankit Patel , 2006-2008. + # Sweta Kothari , 2008-2010,2012. ++# , 2013. + msgid "" + msgstr "" + "Project-Id-Version: Policycoreutils\n" + "Report-Msgid-Bugs-To: \n" + "POT-Creation-Date: 2013-01-04 12:01-0500\n" +-"PO-Revision-Date: 2013-01-04 17:02+0000\n" +-"Last-Translator: dwalsh \n" ++"PO-Revision-Date: 2013-03-26 08:31+0000\n" ++"Last-Translator: sweta \n" + "Language-Team: Gujarati \n" + "MIME-Version: 1.0\n" + "Content-Type: text/plain; charset=UTF-8\n" +@@ -287,7 +288,7 @@ msgstr "MLS/MCS વિસ્તાર" + + #: ../semanage/seobject.py:672 + msgid "Service" +-msgstr "" ++msgstr "સેવા" + + #: ../semanage/seobject.py:698 ../semanage/seobject.py:729 + #: ../semanage/seobject.py:796 ../semanage/seobject.py:853 +@@ -424,7 +425,7 @@ msgstr "પ્રકાર જરૂરી છે" + #: ../semanage/seobject.py:1814 + #, python-format + msgid "Type %s is invalid, must be a port type" +-msgstr "" ++msgstr "પ્રકાર %s અયોગ્ય છે, પોર્ટ પ્રકાર હોવુ જ જોઇએ" + + #: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062 + #: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123 +@@ -546,12 +547,12 @@ msgstr "અજ્ઞાત અથવા ગેરહાજર પ્રોટો + + #: ../semanage/seobject.py:1256 + msgid "SELinux node type is required" +-msgstr "" ++msgstr "SELinux નોડ પ્રકારની જરૂરિયાત છે" + + #: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327 + #, python-format + msgid "Type %s is invalid, must be a node type" +-msgstr "" ++msgstr "પ્રકાર %s અયોગ્ય છે, નોડ પ્રકાર હોવુ જ જોઇએ" + + #: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331 + #: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465 +@@ -785,7 +786,7 @@ msgstr "ફાઇલ સ્પષ્ટીકરણ %s સરખા નિયમ + #: ../semanage/seobject.py:1755 
+ #, python-format + msgid "Type %s is invalid, must be a file or device type" +-msgstr "" ++msgstr "પ્રકાર %s અયોગ્ય છે, ફાઇલ અથવા ઉપકરણ પ્રકાર હોવુ જ જોઇએ" + + #: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768 + #: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906 +@@ -2173,7 +2174,7 @@ msgstr "પેચ કે જેમાં ઉત્પન્ન થયેલ SELi + + #: ../sepolicy/sepolicy.py:207 + msgid "name of the OS for man pages" +-msgstr "" ++msgstr "મુખ્ય પાનાં માટે OS નું નામ" + + #: ../sepolicy/sepolicy.py:209 + msgid "Generate HTML man pages structure for selected SELinux man page" +@@ -2225,7 +2226,7 @@ msgstr "બુલિયનની જાણકારીને જોવા મા + + #: ../sepolicy/sepolicy.py:280 + msgid "get all booleans descriptions" +-msgstr "" ++msgstr "બધા બુલિયન વર્ણનોને મેળવો" + + #: ../sepolicy/sepolicy.py:282 + msgid "boolean to get description" +@@ -2247,11 +2248,11 @@ msgstr "લક્ષ્ય પ્રક્રિયા ડોમેઇન" + + #: ../sepolicy/sepolicy.py:327 + msgid "Command required for this type of policy" +-msgstr "" ++msgstr "પોલિસીનાં આ પ્રકાર માટે આદેશ જરૂરી" + + #: ../sepolicy/sepolicy.py:347 + msgid "List SELinux Policy interfaces" +-msgstr "" ++msgstr "SELinux પોલિસી ઇન્ટરફેસની યાદી કરો" + + #: ../sepolicy/sepolicy.py:362 + msgid "Generate SELinux Policy module template" +@@ -2289,7 +2290,7 @@ msgstr "પુરાવા માટેના એક્ઝેક્યુટે + #: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417 + #, python-format + msgid "Generate Policy for %s" +-msgstr "" ++msgstr "%s માટે પોલિસી ઉત્પન્ન કરો" + + #: ../sepolicy/sepolicy.py:422 + msgid "commands" +@@ -2301,12 +2302,12 @@ msgstr "" + + #: ../sepolicy/sepolicy/__init__.py:48 + msgid "No SELinux Policy installed" +-msgstr "" ++msgstr "SELinux પોલિસી સ્થાપિત થયેલ નથી" + + #: ../sepolicy/sepolicy/__init__.py:54 + #, python-format + msgid "Failed to read %s policy file" +-msgstr "" ++msgstr "%s પોલિસી ફાઇલને વાંચવામાં નિષ્ફળતા" + + #: ../sepolicy/sepolicy/__init__.py:127 + msgid "unknown" +@@ -2318,7 +2319,7 @@ msgstr "ઇન્ટરનેટ સેવા ડિમન" + + #: 
../sepolicy/sepolicy/generate.py:177 + msgid "Existing Domain Type" +-msgstr "" ++msgstr "હાલનો ડોમેઇન પ્રકાર" + + #: ../sepolicy/sepolicy/generate.py:178 + msgid "Minimal Terminal Login User Role" +@@ -2330,11 +2331,11 @@ msgstr "" + + #: ../sepolicy/sepolicy/generate.py:180 + msgid "Desktop Login User Role" +-msgstr "" ++msgstr "ડેસ્કટોપ લૉગિન વપરાશકર્તા ભૂમિકા" + + #: ../sepolicy/sepolicy/generate.py:181 + msgid "Administrator Login User Role" +-msgstr "" ++msgstr "સંચાલક લૉગિન વપરાશકર્તા ભૂમિકા" + + #: ../sepolicy/sepolicy/generate.py:182 + msgid "Confined Root Administrator Role" +@@ -2351,7 +2352,7 @@ msgstr "પોર્ટો નંબરો કે 1 થી %d સુધીના + + #: ../sepolicy/sepolicy/generate.py:231 + msgid "You must enter a valid policy type" +-msgstr "" ++msgstr "તમારે યોગ્ય પોલિસી પ્રકારને દાખલ કરવુ જ જોઇએ" + + #: ../sepolicy/sepolicy/generate.py:234 + #, python-format +@@ -2415,7 +2416,7 @@ msgstr "ફાઈલ સંદર્ભો ફાઈલ" + + #: ../sepolicy/sepolicy/generate.py:1324 + msgid "Spec file" +-msgstr "" ++msgstr "Spec ફાઇલ" + + #: ../sepolicy/sepolicy/generate.py:1325 + msgid "Setup Script" +@@ -2455,7 +2456,7 @@ msgstr "radius સર્વરની મદદથી પ્રવેશવા + + #: booleans.py:8 + msgid "Allow users to login using a yubikey server" +-msgstr "" ++msgstr "yubikey સર્વરની મદદથી પ્રવેશવા વપરાશકર્તાઓને પરવાનગી આપો" + + #: booleans.py:9 + msgid "Allow awstats to purge Apache logs" +@@ -2527,11 +2528,11 @@ msgstr "ટર્મિનલોને વાંચવા/લખવાની ક + + #: booleans.py:25 + msgid "Allow dan to manage user files" +-msgstr "" ++msgstr "વપરાશકર્તા ફાઇલોને સંચાલિત કરવા માટે dan ને પરવાનગી આપો" + + #: booleans.py:26 + msgid "Allow dan to read user files" +-msgstr "" ++msgstr "વપરાશકર્તા ફાઇલોને વાંચવા માટે dan ને પરવાનગી આપો" + + #: booleans.py:27 + msgid "Allow dbadm to manage files in users home directories" diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po index 72ae12d..649d288 100644 --- a/policycoreutils/po/ja.po @@ -2302,7 +2485,7 @@ index 0000000..3ecf3eb 
 @@ -0,0 +1 @@
 +.so man8/sepolicy-generate.8
 diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
-index 82fea52..29f9428 100644
+index 82fea52..c969e0d 100644
 --- a/policycoreutils/sepolicy/sepolicy-bash-completion.sh
 +++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
 @@ -81,7 +81,7 @@ _sepolicy () {
@@ -2314,7 +2497,26 @@ index 82fea52..29f9428 100644
 [network]='-h --help -d --domain -l --list -p --port -t --type '
 [transition]='-h --help -s --source -t --target'
 )
-@@ -156,6 +156,10 @@ _sepolicy () {
+@@ -130,9 +130,6 @@ _sepolicy () {
+ COMPREPLY=( $( compgen -d -- "$cur") )
+ compopt -o filenames
+ return 0
+- elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then
+- COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") )
+- return 0
+ elif [ "$prev" = "--domain" -o "$prev" = "-d" ]; then
+ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") )
+ return 0
+@@ -140,7 +137,7 @@ _sepolicy () {
+ COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") )
+ return 0
+ elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then
+- COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") )
++ COMPREPLY=( $(compgen -W "$( __get_all_users )" -- "$cur") )
+ return 0
+ elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then
+ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
+@@ -156,6 +153,10 @@ _sepolicy () {
 if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
 COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
 return 0
@@ -2325,6 +2527,20 @@ index 82fea52..29f9428 100644
 elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
 return 0
 elif test "$prev" = "-p" || test "$prev" = "--path" ; then
+@@ -167,11 +168,11 @@ _sepolicy () {
+ return 0
+ elif [ "$verb" = "network" ]; then
+ if [ "$prev" = "-t" -o "$prev" = "--type" ]; then
+- COMPREPLY=( $(compgen -W "$( __get_all_port_types ) " -- "$cur") )
++ COMPREPLY=( $(compgen -W "$( __get_all_port_types )" -- "$cur") )
+ return 0
+ fi
+ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
+- COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") )
++ COMPREPLY=( $(compgen -W "$( __get_all_domain_types )" -- "$cur") )
+ return 0
+ fi
+ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
 diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
 index fb84af6..c2fa601 100644
 --- a/policycoreutils/sepolicy/sepolicy-generate.8
@@ -2382,7 +2598,7 @@ index b6abdf5..c05c943 100644
 Generate an additional HTML man pages for the specified domain(s).
 diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
-index b25d3b2..1146bb3 100755
+index b25d3b2..c353021 100755
 --- a/policycoreutils/sepolicy/sepolicy.py
 +++ b/policycoreutils/sepolicy/sepolicy.py
 @@ -22,6 +22,8 @@
@@ -2452,7 +2668,7 @@ index b25d3b2..1146bb3 100755
 newval = getattr(namespace, self.dest)
 if not newval:
 newval = []
-@@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action):
+@@ -140,19 +162,30 @@ class CheckPolicyType(argparse.Action):
 class CheckUser(argparse.Action):
 def __call__(self, parser, namespace, value, option_string=None):
@@ -2467,6 +2683,18 @@ index b25d3b2..1146bb3 100755
 newval.append(value)
 setattr(namespace, self.dest, newval)
++def generate_custom_usage(usage_text,usage_dict):
++ sorted_keys = []
++ for i in usage_dict.keys():
++ sorted_keys.append(i)
++ sorted_keys.sort()
++ for k in sorted_keys:
++ usage_text += "%s %s |" % (k,(" ".join(usage_dict[k])))
++ usage_text = usage_text[:-1] + "]"
++ usage_text = _(usage_text)
++
++ return usage_text
++
 def _print_net(src, protocol, perm):
 - from sepolicy.network import get_network_connect
 - portdict = get_network_connect(src, protocol, perm)
@@ -2475,7 +2703,7 @@ index b25d3b2..1146bb3 100755
 if len(portdict) > 0:
 print "%s: %s %s" % (src, protocol, perm)
 for p in portdict:
-@@ -160,7 +181,7 @@ def _print_net(src, protocol, perm):
+@@ -160,7 +193,7 @@ def _print_net(src, protocol, perm):
 print "\t" + recs
 def network(args):
@@ -2484,7 +2712,7 @@ index b25d3b2..1146bb3 100755
 if args.list_ports:
 all_ports = []
 for i in portrecs:
-@@ -201,41 +222,41 @@ def manpage(args):
+@@ -201,41 +234,41 @@ def manpage(args):
 from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
 path = args.path
@@ -2549,7 +2777,7 @@ index b25d3b2..1146bb3 100755
 def gen_network_args(parser):
 net = parser.add_parser("network",
-@@ -283,7 +304,6 @@ def gen_communicate_args(parser):
+@@ -283,7 +316,6 @@ def gen_communicate_args(parser):
 comm.set_defaults(func=communicate)
 def booleans(args):
@@ -2557,7 +2785,7 @@ index b25d3b2..1146bb3 100755
 from sepolicy import boolean_desc
 if args.all:
 rc, args.booleans = selinux.security_get_boolean_names()
-@@ -300,6 +320,7 @@ def gen_booleans_args(parser):
+@@ -300,6 +332,7 @@ def gen_booleans_args(parser):
 action="store_true", help=_("get all booleans descriptions"))
 group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
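Review bot: `usage_text = _(usage_text)` in the new generate_custom_usage applies the translation lookup used for the other strings in this file to a string assembled at run time, so no message catalog can contain a matching msgid and the call only ever returns the text unchanged; either translate the fixed prefix and the per-option fragments before they are joined, or drop the call so the usage line is not presented as localised. The key collection `sorted_keys = []` / `for i in usage_dict.keys(): sorted_keys.append(i)` / `sorted_keys.sort()` is simply `sorted_keys = sorted(usage_dict)`. `usage_text = usage_text[:-1] + "]"` relies on the loop having appended at least one trailing `|`; with an empty dict it strips the last character of the prefix instead, which a `" | ".join(...)` of the fragments would avoid. As the function is new and undocumented, a one-line docstring such as `"""Append the sorted policy-type options of usage_dict to usage_text as a bracketed alternative list."""` would help the next reader.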
@@ -2565,7 +2793,7 @@ index b25d3b2..1146bb3 100755
 help=_("boolean to get description"))
 bools.set_defaults(func=booleans)
-@@ -320,7 +341,7 @@ def gen_transition_args(parser):
+@@ -320,7 +353,7 @@ def gen_transition_args(parser):
 trans.set_defaults(func=transition)
 def interface(args):
@@ -2574,7 +2802,7 @@ index b25d3b2..1146bb3 100755
 if args.list_admin:
 for a in get_admin():
 print a
-@@ -328,13 +349,13 @@ def interface(args):
+@@ -328,13 +361,16 @@ def interface(args):
 for a in get_user():
 print a
 if args.list:
@@ -2583,14 +2811,37 @@ index b25d3b2..1146bb3 100755
 print m
 def generate(args):
- from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
+- from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
++ from sepolicy.generate import policy, AUSER, RUSER, EUSER, USERS, SANDBOX, APPLICATIONS, NEWTYPE
 cmd = None
- if args.policytype not in USERS + [ SANDBOX, NEWTYPE]:
++# numbers present POLTYPE defined in sepolicy.generate
++ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER,)}
++
+ if args.policytype in APPLICATIONS:
 if not args.command:
 raise ValueError(_("Command required for this type of policy"))
 cmd = os.path.realpath(args.command)
-@@ -368,10 +389,10 @@ def gen_interface_args(parser):
+@@ -346,8 +382,18 @@ def generate(args):
+ mypolicy.set_program(cmd)
+
+ if args.types:
++ if args.policytype not in conflict_args['TYPES']:
++ raise ValueError(_("-t option can not be used with this option. Read usage for more details."))
+ mypolicy.set_types(args.types)
+
++ if args.domain:
++ if args.policytype not in conflict_args['DOMAIN']:
++ raise ValueError(_("-d option can not be used with this option. Read usage for more details."))
++
++ if args.admin_domain:
++ if args.policytype not in conflict_args['ADMIN_DOMAIN']:
++ raise ValueError(_("-a option can not be used with this option. Read usage for more details."))
++
+ for p in args.writepaths:
+ if os.path.isdir(p):
+ mypolicy.add_dir(p)
+@@ -368,10 +414,10 @@ def gen_interface_args(parser):
 help=_('List SELinux Policy interfaces'))
 group = itf.add_mutually_exclusive_group(required=True)
 group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
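Review bot: The three new checks in generate() report `-t option can not be used with this option` (and the `-d` / `-a` variants), but what they reject is the selected policy type, not another option, so the message should say so: `raise ValueError(_("-t option can not be used with this policy type. Read usage for more details."))`, and likewise for `-d` and `-a`. The dict driving them is named `conflict_args` although it holds the policy types each option is allowed with, and the column-zero comment `# numbers present POLTYPE defined in sepolicy.generate` above it neither sits at the function's indentation nor describes that; `allowed_with = {...}` preceded by `# policy types (sepolicy.generate POLTYPE constants) each of -t/-d/-a may be combined with` would read better. The checks also run only after `mypolicy.set_program(cmd)` has already been called; validating the option/type combination before any policy object work is done would fail fast. generate() starts before this hunk and continues after it.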
@@ -2603,7 +2854,105 @@ index b25d3b2..1146bb3 100755
 group.add_argument("-l", "--list", dest="list",action="store_true", default=False,
 help="List all interfaces")
-@@ -461,7 +482,10 @@ if __name__ == '__main__':
+@@ -379,7 +425,12 @@ def gen_interface_args(parser):
+
+ def gen_generate_args(parser):
+ from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
+- pol = parser.add_parser("generate",
++
++ generate_usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
++ generate_usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
++ generate_usage = generate_custom_usage(generate_usage, generate_usage_dict)
++
++ pol = parser.add_parser("generate", usage = generate_usage,
+ help=_('Generate SELinux Policy module template'))
+ pol.add_argument("-d", "--domain", dest="domain", default=[],
+ action=CheckDomain, nargs="*",
+@@ -397,53 +448,57 @@ def gen_generate_args(parser):
+ help=argparse.SUPPRESS)
+ pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
+ action=CheckType,
+- help=argparse.SUPPRESS)
++ help="Enter type(s) for which you will generate new definition and rule(s)")
+ pol.add_argument("-p", "--path", dest="path", default=os.getcwd(),
+ help=_("path in which the generated policy files will be stored"))
+ pol.add_argument("-w", "--writepath", dest="writepaths", nargs="*", default = [],
+ help=_("path to which the confined processes will need to write"))
+- pol.add_argument("command",nargs="?", default=None,
+- help=_("executable to confine"))
+- group = pol.add_mutually_exclusive_group(required=False)
+- group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
++ cmdtype = pol.add_argument_group(_("Policy types which require a command"))
++ cmdgroup = cmdtype.add_mutually_exclusive_group(required=True)
++ cmdgroup.add_argument("--application", dest="policytype", const=USER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[NEWTYPE])
+- group.add_argument("--admin_user", dest="policytype", const=AUSER,
++ help=_("Generate '%s' policy") % poltype[USER])
++ cmdgroup.add_argument("--cgi", dest="policytype", const=CGI,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[AUSER])
+- group.add_argument("--application", dest="policytype", const=USER,
++ help=_("Generate '%s' policy") % poltype[CGI])
++ cmdgroup.add_argument("--dbus", dest="policytype", const=DBUS,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[USER])
+- group.add_argument("--cgi", dest="policytype", const=CGI,
++ help=_("Generate '%s' policy") % poltype[DBUS])
++ cmdgroup.add_argument("--inetd", dest="policytype", const=INETD,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[CGI])
++ help=_("Generate '%s' policy") % poltype[INETD])
++ cmdgroup.add_argument("--init", dest="policytype", const=DAEMON,
++ action="store_const", default=DAEMON,
++ help=_("Generate '%s' policy") % poltype[DAEMON])
++
++ type = pol.add_argument_group("Policy types which do not require a command")
++ group = type.add_mutually_exclusive_group(required=True)
++ group.add_argument("--admin_user", dest="policytype", const=AUSER,
++ action="store_const",
++ help=_("Generate '%s' policy") % poltype[AUSER])
+ group.add_argument("--confined_admin", dest="policytype", const=RUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[RUSER])
++ help=_("Generate '%s' policy") % poltype[RUSER])
+ group.add_argument("--customize", dest="policytype", const=EUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[EUSER])
+- group.add_argument("--dbus", dest="policytype", const=DBUS,
+- action="store_const",
+- help=_("Generate Policy for %s") % poltype[DBUS])
++ help=_("Generate '%s' policy") % poltype[EUSER])
+ group.add_argument("--desktop_user", dest="policytype", const=LUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[LUSER])
+- group.add_argument("--inetd", dest="policytype", const=INETD,
++ help=_("Generate '%s' policy ") % poltype[LUSER])
++ group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[INETD])
+- group.add_argument("--init", dest="policytype", const=DAEMON,
+- action="store_const", default=DAEMON,
+- help=_("Generate Policy for %s") % poltype[DAEMON])
++ help=_("Generate '%s' policy") % poltype[NEWTYPE])
+ group.add_argument("--sandbox", dest="policytype", const=SANDBOX,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[SANDBOX])
++ help=_("Generate '%s' policy") % poltype[SANDBOX])
+ group.add_argument("--term_user", dest="policytype", const=TUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[TUSER])
++ help=_("Generate '%s' policy") % poltype[TUSER])
+ group.add_argument("--x_user", dest="policytype", const=XUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[XUSER])
++ help=_("Generate '%s' policy") % poltype[XUSER])
++ pol.add_argument("command",nargs="?", default=None,
++ help=_("executable to confine"))
+ pol.set_defaults(func=generate)
+
+ if __name__ == '__main__':
+@@ -461,7 +516,10 @@ if __name__ == '__main__':
 gen_transition_args(subparsers)
 try:
@@ -2823,7 +3172,7 @@ index 5e7415c..5267ed9 100644
 booleans_dict = None
 def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
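Review bot: `cmdgroup = cmdtype.add_mutually_exclusive_group(required=True)` and `group = type.add_mutually_exclusive_group(required=True)` are two independent required groups that both store into `dest="policytype"`; argparse enforces each required mutually exclusive group on its own, so as far as I can tell a plain `sepolicy generate --init COMMAND` is rejected for lacking one of `--admin_user`/`--confined_admin`/..., while `--init --admin_user` is accepted and the later option silently overwrites `policytype`. Making both groups `required=False` (which also lets the `default=DAEMON` on `--init` take effect) and rejecting more than one policy-type option in generate() would give the intended behaviour while keeping the two-section help layout. `type = pol.add_argument_group(...)` shadows the builtin `type`; `nocmdtype = pol.add_argument_group(...)` avoids that. For consistency with the neighbouring strings, the second group title and the new `-t` help text `"Enter type(s) for which you will generate new definition and rule(s)"` should be wrapped in `_()`, and the trailing space in `_("Generate '%s' policy ")` for `--desktop_user` creates a second, near-duplicate msgid for translators.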
 diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
-index 26f8390..95b3ac0 100644
+index 26f8390..c83883f 100644
 --- a/policycoreutils/sepolicy/sepolicy/generate.py
 +++ b/policycoreutils/sepolicy/sepolicy/generate.py
 @@ -63,20 +63,6 @@ except IOError:
@@ -2865,7 +3214,30 @@ index 26f8390..95b3ac0 100644
 line = "%s(%s_t)\n" % (method, self.name)
 else:
 line = """
-@@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -765,7 +751,7 @@ allow %s_t %s_t:%s_socket name_%s;
+
+ return newte
+
+- if self.type == RUSER:
++ if self.type == RUSER or self.type == AUSER:
+ newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
+
+ for app in self.admin_domains:
+@@ -875,6 +861,13 @@ allow %s_t %s_t:%s_socket name_%s;
+ if t.endswith(i):
+ newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
+ break
++
++ if NEWTYPE and newte == "":
++ default_ext = []
++ for i in self.DEFAULT_EXT:
++ default_ext.append(i)
++ raise ValueError(_("You need to define a new type which ends with: \n %s") % "\n ".join(default_ext))
++
+ return newte
+
+ def generate_new_rules(self):
+@@ -1030,14 +1023,15 @@ allow %s_t %s_t:%s_socket name_%s;
 if len(self.DEFAULT_DIRS[d][1]) > 0:
 # CGI scripts already have a rw_t
 if self.type != CGI or d != "rw":
@@ -2883,7 +3255,7 @@ index 26f8390..95b3ac0 100644
 newte += self.generate_capabilities()
 newte += self.generate_process()
 newte += self.generate_network_types()
-@@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1048,11 +1042,20 @@ allow %s_t %s_t:%s_socket name_%s;
 for d in self.DEFAULT_KEYS:
 if len(self.DEFAULT_DIRS[d][1]) > 0:
@@ -2909,7 +3281,7 @@ index 26f8390..95b3ac0 100644
 newte += self.generate_tmp_rules()
 newte += self.generate_network_rules()
-@@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1079,7 +1082,7 @@ allow %s_t %s_t:%s_socket name_%s;
 fclist = []
 if self.type in USERS + [ SANDBOX ]:
 return executable.fc_user
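Review bot: `if NEWTYPE and newte == "":` in the inner hunk at `@@ -875,6 +861,13 @@` tests the module constant `NEWTYPE` rather than the instance's policy type, so unless that constant is falsy the guard reduces to `newte == ""` and raises "You need to define a new type which ends with" for any policy type that reaches this method without a matching type; if the caller already limits the method to NEWTYPE the prefix is dead, otherwise `if self.type == NEWTYPE and newte == "":` is what was meant, and either way the explicit form states the intent (the enclosing method's header is outside the hunk). The copy `default_ext = []` / `for i in self.DEFAULT_EXT: default_ext.append(i)` is `list(self.DEFAULT_EXT)`, and since `DEFAULT_EXT` is indexed by the iterated value it is presumably a dict, so `sorted(self.DEFAULT_EXT)` would keep the suffix list in the error message stable across runs. The `self.type == RUSER or self.type == AUSER` change here is repeated at `@@ -1123,7 +1126,7 @@` in the next outer hunk; `self.type in (RUSER, AUSER)` reads more naturally in both places.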
@@ -2918,6 +3290,15 @@ index 26f8390..95b3ac0 100644
 raise ValueError(_("You must enter the executable path for your confined process"))
 if self.program:
+@@ -1123,7 +1126,7 @@ allow %s_t %s_t:%s_socket name_%s;
+ tmp = re.sub("TEMPLATETYPE", self.name, script.users)
+ newsh += re.sub("ROLES", roles, tmp)
+
+- if self.type == RUSER:
++ if self.type == RUSER or self.type == AUSER:
+ for u in self.transition_users:
+ tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
+ newsh += re.sub("USER", u, tmp)
 diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
 index 8b063ca..c9036c3 100644
 --- a/policycoreutils/sepolicy/sepolicy/interface.py
diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch
index 644a5b5..263cdf4 100644
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@@ -21,24 +21,51 @@ index d636091..56919be 100644
 avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
 diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
-index cc9f8ea..24062a1 100644
+index cc9f8ea..ce643e5 100644
 --- a/sepolgen/src/sepolgen/policygen.py
 +++ b/sepolgen/src/sepolgen/policygen.py
-@@ -172,10 +172,10 @@ class PolicyGenerator:
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+@@ -161,21 +161,21 @@ class PolicyGenerator:
+ if self.explain:
+ rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
+ if av.type == audit2why.ALLOW:
+- rule.comment += "#!!!! This avc is allowed in the current policy\n"
++ rule.comment += "\n#!!!! This avc is allowed in the current policy"
+ if av.type == audit2why.DONTAUDIT:
+- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
++ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
+
+ if av.type == audit2why.BOOLEAN:
+ if len(av.data) > 1:
+- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
++ rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data))
+ else:
+- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
++ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
 if av.type == audit2why.CONSTRAINT:
 - rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
 - rule.comment += "#Constraint rule: "
 - for reason in av.data:
 - rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
-+ rule.comment += "#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
++ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
 + rule.comment += "#Constraint rule: \n\t" + av.data[0]
 + for reason in av.data[1:]:
-+ rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
++ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
 try:
 if ( av.type == audit2why.TERULE and
+@@ -189,9 +189,9 @@ class PolicyGenerator:
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ except:
+ pass
+ self.module.children.append(rule)
 diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
 index 7b76261..a05d9d1 100644
 --- a/sepolgen/src/sepolgen/refparser.py
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 7cf9e88..1b8fdb8 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.1.14
-Release: 27%{?dist}
+Release: 28%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
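Review bot: The ALLOW, DONTAUDIT and BOOLEAN comments now start with `\n` and drop their trailing newline, but the rewritten CONSTRAINT line `"\n#!!!! This avc is a constraint violation. ... to allow this access.\n"` and the two TERULE lines in `@@ -189,9 +189,9 @@` keep the trailing `\n`, so `rule.comment` ends with a newline for some AV types and not for others; whichever convention is intended should be applied to all five strings. Dropping the newline from `"#\tPossible cause is the source %s and target %s are different."` means that when `av.data[1:]` holds several reasons they are appended onto one line; keeping a `\n` per reason, or joining them once after the loop, keeps each on its own comment line. While the BOOLEAN line is being touched, `one of the these booleans` should become `one of these booleans`. The enclosing PolicyGenerator method starts before this hunk.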
@@ -309,6 +309,12 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 %changelog
+* Wed Mar 27 2013 Dan Walsh - 2.1.14-28
+- Fix audit2allow output to better align analysys with the allow rules
+- Apply Miroslav Grepl patch to clean up sepolicy generate usage
+- Apply Miroslav Grepl patch to fixupt handing of admin_user generation
+- Update Tranlslations
+
 * Wed Mar 27 2013 Dan Walsh - 2.1.14-27
 - Allow semanage fcontext -a -t "<>" ... to work