diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index e68b20f..9166633 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -337422,7 +337422,7 @@ index 0000000..e2befdb + packages=["policycoreutils"], +) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage -index f4602a9..a2e27f0 100644 +index f4602a9..49e4709 100644 --- a/policycoreutils/semanage/semanage +++ b/policycoreutils/semanage/semanage @@ -20,6 +20,7 @@ @@ -337442,18 +337442,17 @@ index f4602a9..a2e27f0 100644 codeset = 'utf-8') except IOError: import __builtin__ -@@ -375,7 +376,10 @@ Object-specific Options (see above): +@@ -375,8 +376,8 @@ Object-specific Options (see above): OBJECT = seobject.moduleRecords(store) if object == "permissive": - OBJECT = seobject.permissiveRecords(store) -+ try: -+ OBJECT = seobject.permissiveRecords(store) -+ except ImportError: -+ raise ValueError(_("Additional packages are required to setup permissive domains.\nYou must execute the following:\n# yum install policycoreutils-devel")) - +- ++ OBJECT = seobject.permissiveRecords(store) ++ if object == "dontaudit": OBJECT = seobject.dontauditClass(store) + diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8 index 63b11dd..28a9022 100644 --- a/policycoreutils/semanage/semanage.8 @@ -337468,7 +337467,7 @@ index 63b11dd..28a9022 100644 .TP .I \-P, \-\-prefix diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py -index ad7dc8c..81e0613 100644 +index ad7dc8c..64ab96d 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -24,17 +24,18 @@ @@ -337560,15 +337559,19 @@ index ad7dc8c..81e0613 100644 if len(all) == 0: return -@@ -411,6 +373,7 @@ class permissiveRecords(semanageRecords): +@@ -411,6 +373,11 @@ class permissiveRecords(semanageRecords): def add(self, type): import glob -+ import sepolgen.module as module ++ try: ++ import sepolgen.module as module ++ except ImportError: ++ raise ValueError(_("Additional packages are required to setup permissive domains.\nYou must execute the following:\n# yum install policycoreutils-devel")) ++ name = "permissive_%s" % type dirname = "/var/lib/selinux" os.chdir(dirname) -@@ -493,7 +456,9 @@ class loginRecords(semanageRecords): +@@ -493,7 +460,9 @@ class loginRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: @@ -337579,7 +337582,7 @@ index ad7dc8c..81e0613 100644 if name[0] == '%': try: grp.getgrnam(name[1:]) -@@ -654,6 +619,21 @@ class loginRecords(semanageRecords): +@@ -654,6 +623,21 @@ class loginRecords(semanageRecords): self.mylog.commit(0) raise error @@ -337601,7 +337604,7 @@ index ad7dc8c..81e0613 100644 def get_all(self, locallist = 0): ddict = {} if locallist: -@@ -665,7 +645,7 @@ class loginRecords(semanageRecords): +@@ -665,7 +649,7 @@ class loginRecords(semanageRecords): for u in self.ulist: name = semanage_seuser_get_name(u) @@ -337610,7 +337613,7 @@ index ad7dc8c..81e0613 100644 return ddict def customized(self): -@@ -679,16 +659,26 @@ class loginRecords(semanageRecords): +@@ -679,16 +663,26 @@ class loginRecords(semanageRecords): def list(self,heading = 1, locallist = 0): ddict = self.get_all(locallist) @@ -337640,7 +337643,7 @@ index ad7dc8c..81e0613 100644 else: if heading: print "\n%-25s %-25s\n" % (_("Login Name"), _("SELinux User")) -@@ -738,7 +728,8 @@ class seluserRecords(semanageRecords): +@@ -738,7 +732,8 @@ class seluserRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if exists: @@ -337650,7 +337653,7 @@ index ad7dc8c..81e0613 100644 (rc, u) = semanage_user_create(self.sh) if rc < 0: -@@ -958,6 +949,8 @@ class seluserRecords(semanageRecords): +@@ -958,6 +953,8 @@ class seluserRecords(semanageRecords): print "%-15s %s" % (k, ddict[k][3]) class portRecords(semanageRecords): @@ -337659,7 +337662,7 @@ index ad7dc8c..81e0613 100644 def __init__(self, store = ""): semanageRecords.__init__(self, store) -@@ -997,6 +990,9 @@ class portRecords(semanageRecords): +@@ -997,6 +994,9 @@ class portRecords(semanageRecords): if type == "": raise ValueError(_("Type is required")) @@ -337669,7 +337672,7 @@ index ad7dc8c..81e0613 100644 ( k, proto_d, low, high ) = self.__genkey(port, proto) (rc, exists) = semanage_port_exists(self.sh, k) -@@ -1056,6 +1052,9 @@ class portRecords(semanageRecords): +@@ -1056,6 +1056,9 @@ class portRecords(semanageRecords): else: raise ValueError(_("Requires setype")) @@ -337679,7 +337682,7 @@ index ad7dc8c..81e0613 100644 ( k, proto_d, low, high ) = self.__genkey(port, proto) (rc, exists) = semanage_port_exists(self.sh, k) -@@ -1213,6 +1212,8 @@ class portRecords(semanageRecords): +@@ -1213,6 +1216,8 @@ class portRecords(semanageRecords): print rec class nodeRecords(semanageRecords): @@ -337688,7 +337691,7 @@ index ad7dc8c..81e0613 100644 def __init__(self, store = ""): semanageRecords.__init__(self,store) self.protocol = ["ipv4", "ipv6"] -@@ -1252,7 +1253,10 @@ class nodeRecords(semanageRecords): +@@ -1252,7 +1257,10 @@ class nodeRecords(semanageRecords): serange = untranslate(serange) if ctype == "": @@ -337700,7 +337703,7 @@ index ad7dc8c..81e0613 100644 (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) if rc < 0: -@@ -1262,7 +1266,8 @@ class nodeRecords(semanageRecords): +@@ -1262,7 +1270,8 @@ class nodeRecords(semanageRecords): (rc, exists) = semanage_node_exists(self.sh, k) if exists: @@ -337710,7 +337713,7 @@ index ad7dc8c..81e0613 100644 (rc, node) = semanage_node_create(self.sh) if rc < 0: -@@ -1318,6 +1323,9 @@ class nodeRecords(semanageRecords): +@@ -1318,6 +1327,9 @@ class nodeRecords(semanageRecords): if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) @@ -337720,7 +337723,7 @@ index ad7dc8c..81e0613 100644 (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) if rc < 0: raise ValueError(_("Could not create key for %s") % addr) -@@ -1460,7 +1468,8 @@ class interfaceRecords(semanageRecords): +@@ -1460,7 +1472,8 @@ class interfaceRecords(semanageRecords): if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if exists: @@ -337730,7 +337733,7 @@ index ad7dc8c..81e0613 100644 (rc, iface) = semanage_iface_create(self.sh) if rc < 0: -@@ -1625,6 +1634,9 @@ class interfaceRecords(semanageRecords): +@@ -1625,6 +1638,9 @@ class interfaceRecords(semanageRecords): print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2]) class fcontextRecords(semanageRecords): @@ -337740,7 +337743,7 @@ index ad7dc8c..81e0613 100644 def __init__(self, store = ""): semanageRecords.__init__(self, store) self.equiv = {} -@@ -1739,6 +1751,9 @@ class fcontextRecords(semanageRecords): +@@ -1739,6 +1755,9 @@ class fcontextRecords(semanageRecords): if type == "": raise ValueError(_("SELinux Type is required")) @@ -337750,7 +337753,7 @@ index ad7dc8c..81e0613 100644 (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: raise ValueError(_("Could not create key for %s") % target) -@@ -1753,7 +1768,8 @@ class fcontextRecords(semanageRecords): +@@ -1753,7 +1772,8 @@ class fcontextRecords(semanageRecords): raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: @@ -337760,7 +337763,7 @@ index ad7dc8c..81e0613 100644 (rc, fcontext) = semanage_fcontext_create(self.sh) if rc < 0: -@@ -1794,6 +1810,9 @@ class fcontextRecords(semanageRecords): +@@ -1794,6 +1814,9 @@ class fcontextRecords(semanageRecords): def __modify(self, target, setype, ftype, serange, seuser): if serange == "" and setype == "" and seuser == "": raise ValueError(_("Requires setype, serange or seuser")) @@ -337770,7 +337773,7 @@ index ad7dc8c..81e0613 100644 self.validate(target) (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) -@@ -1999,6 +2018,8 @@ class booleanRecords(semanageRecords): +@@ -1999,6 +2022,8 @@ class booleanRecords(semanageRecords): self.modify_local = False def __mod(self, name, value): @@ -337779,7 +337782,7 @@ index ad7dc8c..81e0613 100644 (rc, k) = semanage_bool_key_create(self.sh, name) if rc < 0: raise ValueError(_("Could not create a key for %s") % name) -@@ -2028,8 +2049,6 @@ class booleanRecords(semanageRecords): +@@ -2028,8 +2053,6 @@ class booleanRecords(semanageRecords): semanage_bool_free(b) def modify(self, name, value = None, use_file = False): @@ -337788,7 +337791,7 @@ index ad7dc8c..81e0613 100644 self.begin() if use_file: fd = open(name) -@@ -2120,10 +2139,7 @@ class booleanRecords(semanageRecords): +@@ -2120,10 +2143,7 @@ class booleanRecords(semanageRecords): def get_category(self, name): name = selinux.selinux_boolean_sub(name) @@ -340092,10 +340095,10 @@ index 0000000..4693bb4 +} diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh new file mode 100644 -index 0000000..01ac68a +index 0000000..28b6767 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh -@@ -0,0 +1,186 @@ +@@ -0,0 +1,190 @@ +# This file is part of systemd. +# +# Copyright 2012 Dan Walsh @@ -340177,7 +340180,7 @@ index 0000000..01ac68a + local -A OPTS=( + [booleans]='-h --help -p --path -a -all -b --boolean' + [communicate]='-h --help -s --source -t --target -c --class -S --sourceaccess -T --targetaccess' -+ [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name -p --path --sandbox -T --test --term_user -u --user --x_user' ++ [generate]='-a --admin --admin_user --application --cgi --confined_admin --customize -d --domain --dbus --desktop_user -h --help --inetd --init -n --name --newuser -p --path --sandbox -T --test --term_user -u --user -w --writepath --x_user' + [interface]='-h --help -a --list_admin" -u --list_user -l --list' + [manpage]='-h --help -p --path -a -all -o --os -d --domain -w --web' + [network]='-h --help -d --domain -l --list -p --port -t --type ' @@ -340224,6 +340227,10 @@ index 0000000..01ac68a + COMPREPLY=( $( compgen -d -- "$cur") ) + compopt -o filenames + return 0 ++ elif test "$prev" = "-w" || test "$prev" = "--writepath" ; then ++ COMPREPLY=( $( compgen -d -- "$cur") ) ++ compopt -o filenames ++ return 0 + elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then + COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") ) + return 0 @@ -340364,10 +340371,10 @@ index 0000000..764fd35 + diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8 new file mode 100644 -index 0000000..7d9c86b +index 0000000..fb84af6 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy-generate.8 -@@ -0,0 +1,108 @@ +@@ -0,0 +1,120 @@ +.TH "sepolicy-generate" "8" "20121005" "" "" +.SH "NAME" +sepolicy-generate \- Generate an initial SELinux policy module template. @@ -340375,7 +340382,7 @@ index 0000000..7d9c86b +.SH "SYNOPSIS" + +.br -+.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user] ++.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user] + +.SH "DESCRIPTION" +Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files. @@ -340416,6 +340423,15 @@ index 0000000..7d9c86b +Specify the directory to store the created policy files. (Default to current working directory ) +optional arguments: +.TP ++.I \-u, \-\-user ++SELinux user(s) which will transition to this domain ++.TP ++.I \-w, \-\-writepath ++Path(s) which the confined processes need to write ++.TP ++.I \-a, \-\-admin ++Domain(s) that this confined admin will administrate ++.TP +.I \-\-admin_user +Generate Policy for Administrator Login User Role +.TP @@ -340443,6 +340459,9 @@ index 0000000..7d9c86b +.I \-\-init +Generate Policy for Standard Init Daemon (Default) +.TP ++.I \-\-newtype ++Generate new policy for new types to add to an existing policy. ++.TP +.I \-\-sandbox +Generate Policy for Sandbox +.TP @@ -340713,10 +340732,10 @@ index 0000000..0748ca9 +selinux(8), sepolicy-booleans(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-interface(8), sepolicy-network(8), sepolicy-manpage(8), sepolicy-transition(8) diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py new file mode 100755 -index 0000000..ca86f5f +index 0000000..154369d --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy.py -@@ -0,0 +1,438 @@ +@@ -0,0 +1,470 @@ +#! /usr/bin/python -Es +# Copyright (C) 2012 Red Hat +# AUTHOR: Dan Walsh @@ -340762,6 +340781,21 @@ index 0000000..ca86f5f + raise ValueError("%s does not exist" % values) + setattr(namespace, self.dest, values) + ++class CheckType(argparse.Action): ++ def __call__(self, parser, namespace, values, option_string=None): ++ from sepolicy.network import domains ++ ++ if isinstance(values,str): ++ setattr(namespace, self.dest, values) ++ else: ++ newval = getattr(namespace, self.dest) ++ if not newval: ++ newval = [] ++ ++ for v in values: ++ newval.append(v) ++ setattr(namespace, self.dest, newval) ++ +class CheckDomain(argparse.Action): + def __call__(self, parser, namespace, values, option_string=None): + from sepolicy.network import domains @@ -341035,24 +341069,33 @@ index 0000000..ca86f5f + print m + +def generate(args): -+ from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS ++ from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE + cmd = None -+ if args.type not in USERS + [ SANDBOX ]: ++ if args.policytype not in USERS + [ SANDBOX, NEWTYPE]: + if not args.command: + raise ValueError(_("Command required for this type of policy")) + cmd = os.path.realpath(args.command) + if not args.name: + args.name = os.path.basename(cmd).replace("-","_") + -+ mypolicy = policy(args.name, args.type) ++ mypolicy = policy(args.name, args.policytype) + if cmd: + mypolicy.set_program(cmd) + ++ if args.types: ++ mypolicy.set_types(args.types) ++ ++ for p in args.writepaths: ++ if os.path.isdir(p): ++ mypolicy.add_dir(p) ++ else: ++ mypolicy.add_file(p) ++ + mypolicy.set_transition_users(args.user) + mypolicy.set_admin_domains(args.admin_domain) + mypolicy.set_existing_domains(args.domain) + -+ if args.type in APPLICATIONS: ++ if args.policytype in APPLICATIONS: + mypolicy.gen_writeable() + mypolicy.gen_symbols() + print mypolicy.generate(args.path) @@ -341072,7 +341115,7 @@ index 0000000..ca86f5f + itf.set_defaults(func=interface) + +def gen_generate_args(parser): -+ from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER ++ from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE + pol = parser.add_parser("generate", + help=_('Generate SELinux Policy module template')) + pol.add_argument("-d", "--domain", dest="domain", @@ -341089,45 +341132,53 @@ index 0000000..ca86f5f + help=_("name of policy to generate")) + pol.add_argument("-T", "--test", dest="test", default=False, action="store_true", + help=argparse.SUPPRESS) ++ pol.add_argument("-t", "--type", dest="types", default=[], nargs="*", ++ action=CheckType, ++ help=argparse.SUPPRESS) + pol.add_argument("-p", "--path", dest="path", default=os.getcwd(), + help=_("path in which the generated policy files will be stored")) ++ pol.add_argument("-w", "--writepath", dest="writepaths", nargs="*", default = [], ++ help=_("path to which the confined processes will need to write")) + pol.add_argument("command",nargs="?", default=None, + help=_("executable to confine")) + group = pol.add_mutually_exclusive_group(required=False) -+ group.add_argument("--admin_user", dest="type", const=AUSER, ++ group.add_argument("--newtype", dest="policytype", const=NEWTYPE, ++ action="store_const", ++ help=_("Generate Policy for %s") % poltype[NEWTYPE]) ++ group.add_argument("--admin_user", dest="policytype", const=AUSER, + action="store_const", + help=_("Generate Policy for %s") % poltype[AUSER]) -+ group.add_argument("--application", dest="type", const=USER, ++ group.add_argument("--application", dest="policytype", const=USER, + action="store_const", + help=_("Generate Policy for %s") % poltype[USER]) -+ group.add_argument("--cgi", dest="type", const=CGI, ++ group.add_argument("--cgi", dest="policytype", const=CGI, + action="store_const", + help=_("Generate Policy for %s") % poltype[CGI]) -+ group.add_argument("--confined_admin", dest="type", const=RUSER, ++ group.add_argument("--confined_admin", dest="policytype", const=RUSER, + action="store_const", + help=_("Generate Policy for %s") % poltype[RUSER]) -+ group.add_argument("--customize", dest="type", const=EUSER, ++ group.add_argument("--customize", dest="policytype", const=EUSER, + action="store_const", + help=_("Generate Policy for %s") % poltype[EUSER]) -+ group.add_argument("--dbus", dest="type", const=DBUS, ++ group.add_argument("--dbus", dest="policytype", const=DBUS, + action="store_const", + help=_("Generate Policy for %s") % poltype[DBUS]) -+ group.add_argument("--desktop_user", dest="type", const=LUSER, ++ group.add_argument("--desktop_user", dest="policytype", const=LUSER, + action="store_const", + help=_("Generate Policy for %s") % poltype[LUSER]) -+ group.add_argument("--inetd", dest="type", const=INETD, ++ group.add_argument("--inetd", dest="policytype", const=INETD, + action="store_const", + help=_("Generate Policy for %s") % poltype[INETD]) -+ group.add_argument("--init", dest="type", const=DAEMON, ++ group.add_argument("--init", dest="policytype", const=DAEMON, + action="store_const", default=DAEMON, + help=_("Generate Policy for %s") % poltype[DAEMON]) -+ group.add_argument("--sandbox", dest="type", const=SANDBOX, ++ group.add_argument("--sandbox", dest="policytype", const=SANDBOX, + action="store_const", + help=_("Generate Policy for %s") % poltype[SANDBOX]) -+ group.add_argument("--term_user", dest="type", const=TUSER, ++ group.add_argument("--term_user", dest="policytype", const=TUSER, + action="store_const", + help=_("Generate Policy for %s") % poltype[TUSER]) -+ group.add_argument("--x_user", dest="type", const=XUSER, ++ group.add_argument("--x_user", dest="policytype", const=XUSER, + action="store_const", + help=_("Generate Policy for %s") % poltype[XUSER]) + pol.set_defaults(func=generate) @@ -341424,10 +341475,10 @@ index 0000000..a179d95 + diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py new file mode 100644 -index 0000000..e0b1893 +index 0000000..6c5e482 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/generate.py -@@ -0,0 +1,1329 @@ +@@ -0,0 +1,1378 @@ +#!/usr/bin/python -Es +# +# Copyright (C) 2007-2012 Red Hat @@ -341596,6 +341647,7 @@ index 0000000..e0b1893 +LUSER = 9 +AUSER = 10 +RUSER = 11 ++NEWTYPE = 12 + +poltype={} +poltype[DAEMON] = _("Standard Init Daemon") @@ -341610,6 +341662,7 @@ index 0000000..e0b1893 +poltype[LUSER] = _("Desktop Login User Role") +poltype[AUSER] = _("Administrator Login User Role") +poltype[RUSER] = _("Confined Root Administrator Role") ++poltype[NEWTYPE] = _("Module information for a new type") + +def get_poltype_desc(): + keys = poltype.keys() @@ -341766,6 +341819,16 @@ index 0000000..e0b1893 + self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run]; + self.DEFAULT_DIRS["/var/spool"] = ["var_spool", [], var_spool]; + ++ self.DEFAULT_EXT = {} ++ self.DEFAULT_EXT["_tmp_t"] = tmp; ++ self.DEFAULT_EXT["_unit_file_t"] = unit_file; ++ self.DEFAULT_EXT["_var_cache_t"] = var_cache; ++ self.DEFAULT_EXT["_var_lib_t"] = var_lib; ++ self.DEFAULT_EXT["_var_log_t"] = var_log; ++ self.DEFAULT_EXT["_var_run_t"] = var_run; ++ self.DEFAULT_EXT["_var_spool_t"] = var_spool; ++ self.DEFAULT_EXT["port_t"] = network; ++ + self.DEFAULT_KEYS=["/etc", "/var/cache", "/var/log", "/tmp", "rw", "/var/lib", "/var/run", "/var/spool", "/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system" ] + + self.DEFAULT_TYPES = (\ @@ -341780,7 +341843,8 @@ index 0000000..e0b1893 +( self.generate_x_login_user_types, self.generate_x_login_user_rules), \ +( self.generate_login_user_types, self.generate_login_user_rules), \ +( self.generate_admin_user_types, self.generate_login_user_rules), \ -+( self.generate_root_user_types, self.generate_root_user_rules)) ++( self.generate_root_user_types, self.generate_root_user_rules), \ ++( self.generate_new_types, self.generate_new_rules)) + if not re.match(r"^[a-zA-Z0-9-_]+$", name): + raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\"")) + @@ -341795,7 +341859,7 @@ index 0000000..e0b1893 + self.processes = [] + self.type = type + self.initscript = "" -+ self.program = "" ++ self.program = None + self.in_tcp = [False, False, False, []] + self.in_udp = [False, False, False, []] + self.out_tcp = [False, False, False, []] @@ -341809,9 +341873,9 @@ index 0000000..e0b1893 + self.use_pam = False + self.use_dbus = False + self.use_audit = False -+ self.use_etc = self.type != EUSER -+ self.use_localization = self.type != EUSER -+ self.use_fd = self.type != EUSER ++ self.use_etc = self.type not in [ EUSER, NEWTYPE ] ++ self.use_localization = self.type not in [ EUSER, NEWTYPE ] ++ self.use_fd = self.type not in [ EUSER, NEWTYPE ] + self.use_terminal = False + self.use_mail = False + self.booleans = {} @@ -342077,7 +342141,7 @@ index 0000000..e0b1893 + self.found_udp_ports.append(line) + + if self.need_udp_type == True or self.need_tcp_type == True: -+ return re.sub("TEMPLATETYPE", self.name, network.te_port_types) ++ return re.sub("TEMPLATETYPE", self.name, network.te_types) + return "" + + def __find_path(self, file): @@ -342092,6 +342156,9 @@ index 0000000..e0b1893 + if capability not in self.capabilities: + self.capabilities.append(capability) + ++ def set_types(self, types): ++ self.types = types ++ + def add_process(self, process): + if process not in self.processes: + self.processes.append(process) @@ -342306,6 +342373,24 @@ index 0000000..e0b1893 + def generate_root_user_types(self): + return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types) + ++ def generate_new_types(self): ++ newte = "" ++ for t in self.types: ++ for i in self.DEFAULT_EXT: ++ if t.endswith(i): ++ newte += re.sub("TEMPLATETYPE", t[:len(i)], self.DEFAULT_EXT[i].te_types) ++ break ++ return newte ++ ++ def generate_new_rules(self): ++ newte = "" ++ for t in self.types: ++ for i in self.DEFAULT_EXT: ++ if t.endswith(i): ++ newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_rules) ++ break ++ return newte ++ + def generate_daemon_types(self): + newte = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types) + if self.initscript != "": @@ -342342,6 +342427,16 @@ index 0000000..e0b1893 + + return newif + ++ def generate_new_type_if(self): ++ newif = "" ++ for t in self.types: ++ for i in self.DEFAULT_EXT: ++ if t.endswith(i): ++ reqtype = t[:-len(i)] + "_t" ++ newif += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].if_rules) ++ break ++ return newif ++ + def generate_login_user_rules(self): + return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules) + @@ -342393,7 +342488,7 @@ index 0000000..e0b1893 + def generate_if(self): + newif = "" + newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules) -+ if self.program != "": ++ if self.program: + newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules) + if self.initscript != "": + newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules) @@ -342409,6 +342504,8 @@ index 0000000..e0b1893 + newif += self.generate_dbus_if() + newif += self.generate_admin_if() + newif += self.generate_sandbox_if() ++ newif += self.generate_new_type_if() ++ newif += self.generate_new_rules() + + return newif + @@ -342416,7 +342513,9 @@ index 0000000..e0b1893 + return self.DEFAULT_TYPES[self.type][0]() + + def generate_default_rules(self): -+ return self.DEFAULT_TYPES[self.type][1]() ++ if self.DEFAULT_TYPES[self.type][1]: ++ return self.DEFAULT_TYPES[self.type][1]() ++ return "" + + def generate_roles_rules(self): + newte = "" @@ -342485,11 +342584,12 @@ index 0000000..e0b1893 + fclist = [] + if self.type in USERS + [ SANDBOX ]: + return re.sub("EXECUTABLE", self.program, executable.fc_user) -+ if self.program == "": ++ if self.type != NEWTYPE and self.program: + raise ValueError(_("You must enter the executable path for your confined process")) + -+ t1 = re.sub("EXECUTABLE", self.program, executable.fc_program) -+ fclist.append(re.sub("TEMPLATETYPE", self.name, t1)) ++ if self.program: ++ t1 = re.sub("EXECUTABLE", self.program, executable.fc_program) ++ fclist.append(re.sub("TEMPLATETYPE", self.name, t1)) + + if self.initscript != "": + t1 = re.sub("EXECUTABLE", self.initscript, executable.fc_initscript) @@ -342548,7 +342648,7 @@ index 0000000..e0b1893 + newsh = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp) + else: + newsh = re.sub("TEMPLATEFILE", self.file_name, temp) -+ if self.program != "": ++ if self.program: + newsh += re.sub("FILENAME", self.program, script.restorecon) + if self.initscript != "": + newsh += re.sub("FILENAME", self.initscript, script.restorecon) @@ -342582,7 +342682,7 @@ index 0000000..e0b1893 + newspec += spec.header_comment_section + if self.type in APPLICATIONS: + newspec += spec.define_relabel_files_begin -+ if self.program != "": ++ if self.program: + newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end) + if self.initscript != "": + newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end) @@ -345055,10 +345155,10 @@ index 0000000..092a53e +""" diff --git a/policycoreutils/sepolicy/sepolicy/templates/network.py b/policycoreutils/sepolicy/sepolicy/templates/network.py new file mode 100644 -index 0000000..679d0a5 +index 0000000..4499440 --- /dev/null +++ b/policycoreutils/sepolicy/sepolicy/templates/network.py -@@ -0,0 +1,101 @@ +@@ -0,0 +1,580 @@ +# Copyright (C) 2007-2012 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -345081,7 +345181,7 @@ index 0000000..679d0a5 +# +# +########################### Type Enforcement File ############################# -+te_port_types=""" ++te_types=""" +type TEMPLATETYPE_port_t; +corenet_port(TEMPLATETYPE_port_t) +""" @@ -345160,6 +345260,485 @@ index 0000000..679d0a5 +te_in_unreserved_ports_udp="""\ +corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t) +""" ++ ++if_rules="""\ ++######################################## ++## ++## Send and receive TCP traffic on the TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_tcp_sendrecv_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_port_t:tcp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## ++## Send UDP traffic on the TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_udp_send_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_port_t:udp_socket send_msg; ++') ++ ++######################################## ++## ++## Do not audit attempts to send UDP traffic on the TEMPLATETYPE port. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_udp_send_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_port_t:udp_socket send_msg; ++') ++ ++######################################## ++## ++## Receive UDP traffic on the TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_udp_receive_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_port_t:udp_socket recv_msg; ++') ++ ++######################################## ++## ++## Do not audit attempts to receive UDP traffic on the TEMPLATETYPE port. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_udp_receive_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_port_t:udp_socket recv_msg; ++') ++ ++######################################## ++## ++## Send and receive UDP traffic on the TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_udp_sendrecv_TEMPLATETYPE_port',` ++ corenet_udp_send_TEMPLATETYPE_port($1) ++ corenet_udp_receive_TEMPLATETYPE_port($1) ++') ++ ++######################################## ++## ++## Do not audit attempts to send and receive ++## UDP traffic on the TEMPLATETYPE port. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_udp_sendrecv_TEMPLATETYPE_port',` ++ corenet_dontaudit_udp_send_TEMPLATETYPE_port($1) ++ corenet_dontaudit_udp_receive_TEMPLATETYPE_port($1) ++') ++ ++######################################## ++## ++## Bind TCP sockets to the TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_tcp_bind_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_port_t:tcp_socket name_bind; ++ ++') ++ ++######################################## ++## ++## Bind UDP sockets to the TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_udp_bind_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_port_t:udp_socket name_bind; ++ ++') ++ ++######################################## ++## ++## Do not audit attempts to sbind to TEMPLATETYPE port. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_udp_bind_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_port_t:udp_socket name_bind; ++ ++') ++ ++######################################## ++## ++## Make a TCP connection to the TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_tcp_connect_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_port_t:tcp_socket name_connect; ++') ++######################################## ++## ++## Do not audit attempts to make a TCP connection to TEMPLATETYPE port. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dontaudit_tcp_connect_TEMPLATETYPE_port',` ++ gen_require(` ++ type TEMPLATETYPE_port_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_port_t:tcp_socket name_connect; ++') ++ ++ ++######################################## ++## ++## Send TEMPLATETYPE_client packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_send_TEMPLATETYPE_client_packets',` ++ gen_require(` ++ type TEMPLATETYPE_client_packet_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_client_packet_t:packet send; ++') ++ ++######################################## ++## ++## Do not audit attempts to send TEMPLATETYPE_client packets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_send_TEMPLATETYPE_client_packets',` ++ gen_require(` ++ type TEMPLATETYPE_client_packet_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_client_packet_t:packet send; ++') ++ ++######################################## ++## ++## Receive TEMPLATETYPE_client packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_receive_TEMPLATETYPE_client_packets',` ++ gen_require(` ++ type TEMPLATETYPE_client_packet_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_client_packet_t:packet recv; ++') ++ ++######################################## ++## ++## Do not audit attempts to receive TEMPLATETYPE_client packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_dontaudit_receive_TEMPLATETYPE_client_packets',` ++ gen_require(` ++ type TEMPLATETYPE_client_packet_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_client_packet_t:packet recv; ++') ++ ++######################################## ++## ++## Send and receive TEMPLATETYPE_client packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_sendrecv_TEMPLATETYPE_client_packets',` ++ corenet_send_TEMPLATETYPE_client_packets($1) ++ corenet_receive_TEMPLATETYPE_client_packets($1) ++') ++ ++######################################## ++## ++## Do not audit attempts to send and receive TEMPLATETYPE_client packets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_client_packets',` ++ corenet_dontaudit_send_TEMPLATETYPE_client_packets($1) ++ corenet_dontaudit_receive_TEMPLATETYPE_client_packets($1) ++') ++ ++######################################## ++## ++## Relabel packets to TEMPLATETYPE_client the packet type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_relabelto_TEMPLATETYPE_client_packets',` ++ gen_require(` ++ type TEMPLATETYPE_client_packet_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_client_packet_t:packet relabelto; ++') ++ ++ ++######################################## ++## ++## Send TEMPLATETYPE_server packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_send_TEMPLATETYPE_server_packets',` ++ gen_require(` ++ type TEMPLATETYPE_server_packet_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_server_packet_t:packet send; ++') ++ ++######################################## ++## ++## Do not audit attempts to send TEMPLATETYPE_server packets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_send_TEMPLATETYPE_server_packets',` ++ gen_require(` ++ type TEMPLATETYPE_server_packet_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_server_packet_t:packet send; ++') ++ ++######################################## ++## ++## Receive TEMPLATETYPE_server packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_receive_TEMPLATETYPE_server_packets',` ++ gen_require(` ++ type TEMPLATETYPE_server_packet_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_server_packet_t:packet recv; ++') ++ ++######################################## ++## ++## Do not audit attempts to receive TEMPLATETYPE_server packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_dontaudit_receive_TEMPLATETYPE_server_packets',` ++ gen_require(` ++ type TEMPLATETYPE_server_packet_t; ++ ') ++ ++ dontaudit $1 TEMPLATETYPE_server_packet_t:packet recv; ++') ++ ++######################################## ++## ++## Send and receive TEMPLATETYPE_server packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`corenet_sendrecv_TEMPLATETYPE_server_packets',` ++ corenet_send_TEMPLATETYPE_server_packets($1) ++ corenet_receive_TEMPLATETYPE_server_packets($1) ++') ++ ++######################################## ++## ++## Do not audit attempts to send and receive TEMPLATETYPE_server packets. ++## ++## ++## ++## Domain to not audit. ++## ++## ++## ++# ++interface(`corenet_dontaudit_sendrecv_TEMPLATETYPE_server_packets',` ++ corenet_dontaudit_send_TEMPLATETYPE_server_packets($1) ++ corenet_dontaudit_receive_TEMPLATETYPE_server_packets($1) ++') ++ ++######################################## ++## ++## Relabel packets to TEMPLATETYPE_server the packet type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_relabelto_TEMPLATETYPE_server_packets',` ++ gen_require(` ++ type TEMPLATETYPE_server_packet_t; ++ ') ++ ++ allow $1 TEMPLATETYPE_server_packet_t:packet relabelto; ++') ++""" diff --git a/policycoreutils/sepolicy/sepolicy/templates/rw.py b/policycoreutils/sepolicy/sepolicy/templates/rw.py new file mode 100644 index 0000000..46dd367 diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index 0204d5d..c3be167 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch @@ -1,5 +1,5 @@ diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py -index 73c60f6..d636091 100644 +index 73c60f6..9ca35a7 100644 --- a/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/audit.py @@ -38,8 +38,7 @@ def get_audit_boot_msgs(): @@ -12,6 +12,15 @@ index 73c60f6..d636091 100644 boottime = time.strftime("%X", s) output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime], stdout=subprocess.PIPE).communicate()[0] +@@ -260,7 +259,7 @@ class AVCMessage(AuditMessage): + raise ValueError("Error during access vector computation") + + if self.type == audit2why.CONSTRAINT: +- self.data = [] ++ self.data = [ self.data ] + if self.scontext.user != self.tcontext.user: + self.data.append("user") + if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r": diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py index a4adbd8..7b76261 100644 --- a/sepolgen/src/sepolgen/refparser.py diff --git a/policycoreutils.spec b/policycoreutils.spec index 3e020c5..ab7c76d 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.13 -Release: 55%{?dist} +Release: 56%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -338,6 +338,22 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Mon Jan 15 2013 Dan Walsh - 2.1.12-56 +- Additional changes for bash completsion and generate man page to match the w +- Add newtype as a new qualifier to sepolicy generate. This new mechanism wil +- a policy write to generate types after the initial policy has been written a +- will autogenerate all of the interfaces. +- I also added a -w options to allow policy writers from the command line to s +- the writable directories of files. +- +- Modify network.py to include interface definitions for newly created port type +- Standardize of te_types just like all of the other templates. + +- Change permissive domains creation to raise exception if sepolgen is not ins +- get_te_results no longer needs or uses the opts parameter. +- The compliler was complaining so I just removed the option. +- Start returning analysis data for audit2allow + * Tue Jan 15 2013 Dan Walsh - 2.1.12-55 - Update Translations - Fix handling of semanage generate --cgi -n MODULE PATHTO/CGI