*** empty log message ***

This commit is contained in:
Daniel J Walsh 2005-11-30 19:32:20 +00:00
parent ecae8883a5
commit f9db9c1e29
4 changed files with 462 additions and 10 deletions


@ -68,3 +68,4 @@ policycoreutils-1.27.27.tgz
policycoreutils-1.27.28.tgz
policycoreutils-1.27.29.tgz
policycoreutils-1.27.30.tgz
policycoreutils-1.27.31.tgz


@ -1,6 +1,450 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.30/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2005-11-29 13:43:42.000000000 -0500
+++ policycoreutils-1.27.30/audit2allow/audit2allow 2005-11-30 13:40:16.000000000 -0500
@@ -25,8 +25,9 @@
#
#
import commands, sys, os, pwd, string, getopt, re, selinux
-class allow:
- def __init__(self, source, target, seclass):
+class serule:
+ def __init__(self, type, source, target, seclass):
+ self.type=type
self.source=source
self.target=target
self.seclass=seclass
@@ -52,7 +53,7 @@
return ret
def out(self, verbose=0):
ret=""
- ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess())
+ ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess())
if verbose:
keys=self.avcinfo.keys()
keys.sort()
@@ -72,38 +73,104 @@
else:
return self.target
-class allowRecords:
- def __init__(self, input, last_reload=0, verbose=0):
+class seruleRecords:
+ def __init__(self, input, last_reload=0, verbose=0, te_ind=0):
self.last_reload=last_reload
- self.allowRules={}
+ self.seRules={}
self.seclasses={}
self.types=[]
self.roles=[]
- self.load(input)
+ self.load(input, te_ind)
def warning(self, error):
sys.stderr.write("%s: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
sys.stderr.flush()
- def load(self, input):
+ def load(self, input, te_ind=0):
+ VALID_CMDS=("allow", "dontaudit", "auditallow", "role")
+
avc=[]
found=0
line = input.readline()
- while line:
- rec=line.split()
- for i in rec:
- if i=="avc:" or i=="message=avc:":
- found=1
- else:
- avc.append(i)
- if found:
- self.add(avc)
- found=0
- avc=[]
- line = input.readline()
+ if te_ind:
+ while line:
+ rec=line.split()
+ if len(rec) and rec[0] in VALID_CMDS:
+ self.add_terule(line)
+ line = input.readline()
+
+ else:
+ while line:
+ rec=line.split()
+ for i in rec:
+ if i=="avc:" or i=="message=avc:":
+ found=1
+ else:
+ avc.append(i)
+ if found:
+ self.add(avc)
+ found=0
+ avc=[]
+ line = input.readline()
+ def get_target(self, i, rule):
+ target=[]
+ if rule[i][0] == "{":
+ for t in rule[i].split("{"):
+ if len(t):
+ target.append(t)
+ i=i+1
+ for s in rule[i:]:
+ if s.find("}") >= 0:
+ for s1 in s.split("}"):
+ if len(s1):
+ target.append(s1)
+ i=i+1
+ return (i, target)
+
+ target.append(s)
+ i=i+1
+ else:
+ if rule[i].find(";") >= 0:
+ for s1 in rule[i].split(";"):
+ if len(s1):
+ target.append(s1)
+ else:
+ target.append(rule[i])
+
+ i=i+1
+ return (i, target)
+
+ def rules_split(self, rules):
+ (idx, target ) = self.get_target(0, rules)
+ (idx, subject) = self.get_target(idx, rules)
+ return (target, subject)
+
+ def add_terule(self, rule):
+ rc = rule.split(":")
+ rules=rc[0].split()
+ type=rules[0]
+ if type == "role":
+ print type
+ (sources, targets) = self.rules_split(rules[1:])
+ rules=rc[1].split()
+ (seclasses, access) = self.rules_split(rules)
+ for scon in sources:
+ for tcon in targets:
+ for seclass in seclasses:
+ self.add_rule(type, scon, tcon, seclass,access)
+
+ def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""):
+ self.add_seclass(seclass, access)
+ self.add_type(tcon)
+ self.add_type(scon)
+ if (type, scon, tcon, seclass) not in self.seRules.keys():
+ self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass)
+
+ self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name ))
+
def add(self,avc):
scon=""
tcon=""
@@ -117,7 +184,7 @@
if "granted" in avc:
if "load_policy" in avc and self.last_reload:
- self.allowRules={}
+ self.seRules={}
return
try:
for i in range (0, len(avc)):
@@ -160,16 +227,9 @@
self.warning("Bad AVC Line: %s" % avc)
return
- self.add_seclass(seclass, access)
- self.add_type(tcon)
- self.add_type(scon)
self.add_role(srole)
self.add_role(trole)
-
- if (scon, tcon, seclass) not in self.allowRules.keys():
- self.allowRules[(scon, tcon, seclass)]=allow(scon, tcon, seclass)
-
- self.allowRules[(scon, tcon, seclass)].add((access, msg, comm, name ))
+ self.add_rule("allow", scon, tcon, seclass, access, msg, comm, name)
def add_seclass(self,seclass, access):
if seclass not in self.seclasses.keys():
@@ -195,17 +255,23 @@
keys=self.seclasses.keys()
keys.sort()
rec="\n\nrequire {\n"
- for i in self.roles:
- rec += "\trole %s; \n" % i
- rec += "\n\n"
+ if len(self.roles) > 0:
+ for i in self.roles:
+ rec += "\trole %s; \n" % i
+ rec += "\n"
+
for i in keys:
access=self.seclasses[i]
- access.sort()
- rec += "\tclass %s { " % i
- for a in access:
- rec += " %s" % a
- rec += " }; \n"
- rec += "\n\n"
+ if len(access) > 1:
+ access.sort()
+ rec += "\tclass %s {" % i
+ for a in access:
+ rec += " %s" % a
+ rec += " }; \n"
+ else:
+ rec += "\tclass %s %s;\n" % (i, access[0])
+
+ rec += "\n"
for i in self.types:
rec += "\ttype %s; \n" % i
@@ -214,17 +280,19 @@
def out(self, require=0, module=""):
rec=""
- if len(self.allowRules.keys())==0:
+ if len(self.seRules.keys())==0:
raise(ValueError("No AVC messages found."))
- if module!="":
+ if module != "":
rec += self.gen_module(module)
rec += self.gen_requires()
else:
if requires:
rec+=self.gen_requires()
-
- for i in self.allowRules.keys():
- rec += self.allowRules[i].out(verbose)+"\n"
+
+ keys=self.seRules.keys()
+ keys.sort()
+ for i in keys:
+ rec += self.seRules[i].out(verbose)+"\n"
return rec
if __name__ == '__main__':
@@ -235,8 +303,8 @@
else:
return ""
- def usage():
- print 'audit2allow [-adhilrv] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\
+ def usage(msg=""):
+ print 'audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\
-a, --all read input from audit and message log, conflicts with -i\n\
-d, --dmesg read input from output of /bin/dmesg\n\
-h, --help display this message\n\
@@ -246,8 +314,12 @@
-M generate loadable module package, conflicts with -o\n\
-o, --output append output to <outputfile>, conflicts with -M\n\
-r, --requires generate require output \n\
+ -t, --tefile Indicates input is Existing Type Enforcement file\n\
+ -f, --fcfile Existing Type Enforcement file, requires -M\n\
-v, --verbose verbose output\n\
'
+ if msg != "":
+ print msg
sys.exit(1)
def errorExit(error):
@@ -270,41 +342,50 @@
buildPP=0
input_ind=0
output_ind=0
+ te_ind=0
+
+ fc_file=""
gopts, cmds = getopt.getopt(sys.argv[1:],
- 'adhi:lm:M:o:rv',
+ 'adf:hi:lm:M:o:rtv',
['all',
'dmesg',
+ 'fcfile=',
'help',
'input=',
'lastreload',
'module=',
'output=',
'requires'
+ 'tefile',
'verbose'
])
for o,a in gopts:
if o == "-a" or o == "--all":
- if input_ind:
+ if input_ind or te_ind:
usage()
input=open("/var/log/messages", "r")
auditlogs=1
if o == "-d" or o == "--dmesg":
input=os.popen("/bin/dmesg", "r")
+ if o == "-f" or o == "--fcfile":
+ if a[0]=="-":
+ usage()
+ fc_file=a
if o == "-h" or o == "--help":
usage()
if o == "-i"or o == "--input":
- if auditlogs:
+ if auditlogs or a[0]=="-":
usage()
input_ind=1
input=open(a, "r")
if o == '--lastreload' or o == "-l":
last_reload=1
if o == "-m" or o == "--module":
- if module != "":
+ if module != "" or a[0]=="-":
usage()
module=a
if o == "-M":
- if module != "" or output_ind:
+ if module != "" or output_ind or a[0]=="-":
usage()
module=a
outfile=a+".te"
@@ -312,19 +393,30 @@
output=open(outfile, "w")
if o == "-r" or o == "--requires":
requires=1
+ if o == "-t" or o == "--tefile":
+ if auditlogs:
+ usage()
+ te_ind=1
if o == "-o" or o == "--output":
- if module != "":
+ if module != "" or a[0]=="-":
usage()
output=open(a, "a")
output_ind=1
if o == "-v" or o == "--verbose":
verbose=1
- if len(cmds) != 0:
- usage()
- out=allowRecords(input, last_reload, verbose)
+
+ if len(cmds) != 0:
+ usage()
+
+ if fc_file != "" and not buildPP:
+ usage("Error %s: Option -fc requires -M" % sys.argv[0])
+
+ out=seruleRecords(input, last_reload, verbose, te_ind)
+
if auditlogs:
input=open("/var/log/audit/audit.log", "r")
- out.load(input)
+ out.load(input)
+
if buildPP:
print ("Generating type enforcment file: %s.te" % module)
output.write(out.out(requires, module))
@@ -334,8 +426,13 @@
print "Compiling policy: %s" % cmd
rc=commands.getstatusoutput(cmd)
if rc[0]==0:
- print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module))
- rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module))
+ cmd="semodule_package -o %s.pp -m %s.mod" % (module, module)
+ print cmd
+ if fc_file != "":
+ cmd = "%s -f %s" % (cmd, fc_file)
+
+ print "Building package: %s" % cmd
+ rc=commands.getstatusoutput(cmd)
if rc[0]==0:
print ("\n******************** IMPORTANT ***********************\n")
print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.27.30/audit2allow/audit2allow.1
--- nsapolicycoreutils/audit2allow/audit2allow.1 2005-11-29 13:43:42.000000000 -0500
+++ policycoreutils-1.27.30/audit2allow/audit2allow.1 2005-11-30 13:45:15.000000000 -0500
@@ -33,37 +33,44 @@
.B "\-a" | "\-\-all"
Read input from audit and message log, conflicts with -i
.TP
-.B "\-h" | "\-\-help"
-Print a short usage message
-.TP
.B "\-d" | "\-\-dmesg"
Read input from output of
.I /bin/dmesg.
Note that audit messages are not available via dmesg when
auditd is running; use -i /var/log/audit/audit.log instead.
.TP
-.B "\-v" | "\-\-verbose"
-Turn on verbose output
+.B "\-f" | "\-\-fcfile" <File Context File>
+Add File Context File to generated Module Package. Requires -M option.
+.TP
+.B "\-h" | "\-\-help"
+Print a short usage message
+.TP
+.B "\-i <inputfile>" | "\-\-input <inputfile>"
+read input from
+.I <inputfile>
.TP
.B "\-l" | "\-\-lastreload"
read input only after last policy reload
.TP
-.B "\-r" | "\-\-requires"
-Generate require output syntax for loadable modules.
-.TP
.B "\-m <modulename>" | "\-\-module <modulename>"
Generate module/require output <modulename>
.TP
.B "\-M <modulename>"
Generate loadable module package, conflicts with -o
.TP
-.B "\-i <inputfile>" | "\-\-input <inputfile>"
-read input from
-.I <inputfile>
-.TP
.B "\-o <outputfile>" | "\-\-output <outputfile>"
append output to
.I <outputfile>
+.TP
+.B "\-r" | "\-\-requires"
+Generate require output syntax for loadable modules.
+.TP
+.B "\-t " | "\-\-tefile"
+Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
+.TP
+.B "\-v" | "\-\-verbose"
+Turn on verbose output
+
.SH DESCRIPTION
.PP
This utility scans the logs for messages logged when the system denied
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.30/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2005-11-30 13:59:30.000000000 -0500
+++ policycoreutils-1.27.30/scripts/genhomedircon 2005-11-30 10:35:24.000000000 -0500
@@ -32,6 +32,8 @@
fd=open("/etc/shells", 'r')
VALID_SHELLS=fd.read().split('\n')
fd.close()
+if "/sbin/nologin" in VALID_SHELLS:
+ VALID_SHELLS.remove("/sbin/nologin")
def getStartingUID():
starting_uid = sys.maxint
@@ -266,7 +271,7 @@
homedir = u[5][:string.rfind(u[5], "/")]
if not homedir in homedirs:
if self.checkExists(homedir)==0:
- warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0]))
+ warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
else:
homedirs.append(homedir)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/Makefile policycoreutils-1.27.30/semodule/Makefile
--- nsapolicycoreutils/semodule/Makefile 2005-10-10 09:02:48.000000000 -0400
+++ policycoreutils-1.27.30/semodule/Makefile 2005-11-29 16:11:32.000000000 -0500
+++ policycoreutils-1.27.30/semodule/Makefile 2005-11-30 10:35:13.000000000 -0500
@@ -17,6 +17,8 @@
install: all
-mkdir -p $(SBINDIR)
@ -12,7 +456,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/Makefile policy
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-1.27.30/semodule/semodule.8
--- nsapolicycoreutils/semodule/semodule.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.27.30/semodule/semodule.8 2005-11-29 15:47:33.000000000 -0500
+++ policycoreutils-1.27.30/semodule/semodule.8 2005-11-30 10:35:13.000000000 -0500
@@ -0,0 +1,53 @@
+.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA
+.SH NAME
@ -69,7 +513,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/semodule.8 poli
+The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>, Jason Tang <jtang@tresys.com>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/Makefile policycoreutils-1.27.30/semodule_expand/Makefile
--- nsapolicycoreutils/semodule_expand/Makefile 2005-10-12 15:25:33.000000000 -0400
+++ policycoreutils-1.27.30/semodule_expand/Makefile 2005-11-29 16:06:55.000000000 -0500
+++ policycoreutils-1.27.30/semodule_expand/Makefile 2005-11-30 10:35:13.000000000 -0500
@@ -3,6 +3,7 @@
INCLUDEDIR ?= $(PREFIX)/include
BINDIR ?= $(PREFIX)/bin
@ -89,7 +533,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/Makefile
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/semodule_expand.8 policycoreutils-1.27.30/semodule_expand/semodule_expand.8
--- nsapolicycoreutils/semodule_expand/semodule_expand.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.27.30/semodule_expand/semodule_expand.8 2005-11-29 15:58:23.000000000 -0500
+++ policycoreutils-1.27.30/semodule_expand/semodule_expand.8 2005-11-30 10:35:13.000000000 -0500
@@ -0,0 +1,26 @@
+.TH SEMODULE_EXPAND "8" "Nov 2005" "Security Enhanced Linux" NSA
+.SH NAME
@ -119,7 +563,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/semodule
+The program was written by Karl MacMillan <kmacmillan@tresys.com>, Joshua Brindle <jbrindle@tresys.com>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/Makefile policycoreutils-1.27.30/semodule_link/Makefile
--- nsapolicycoreutils/semodule_link/Makefile 2005-10-12 15:25:33.000000000 -0400
+++ policycoreutils-1.27.30/semodule_link/Makefile 2005-11-29 16:06:48.000000000 -0500
+++ policycoreutils-1.27.30/semodule_link/Makefile 2005-11-30 10:35:13.000000000 -0500
@@ -2,6 +2,7 @@
PREFIX ?= ${DESTDIR}/usr
INCLUDEDIR ?= $(PREFIX)/include
@ -139,7 +583,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/Makefile p
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/semodule_link.8 policycoreutils-1.27.30/semodule_link/semodule_link.8
--- nsapolicycoreutils/semodule_link/semodule_link.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.27.30/semodule_link/semodule_link.8 2005-11-29 16:04:14.000000000 -0500
+++ policycoreutils-1.27.30/semodule_link/semodule_link.8 2005-11-30 10:35:13.000000000 -0500
@@ -0,0 +1,27 @@
+.TH SEMODULE_LINK "8" "Nov 2005" "Security Enhanced Linux" NSA
+.SH NAME
@ -170,7 +614,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/semodule_l
+The program was written by Karl MacMillan <kmacmillan@tresys.com>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/Makefile policycoreutils-1.27.30/semodule_package/Makefile
--- nsapolicycoreutils/semodule_package/Makefile 2005-10-12 15:25:33.000000000 -0400
+++ policycoreutils-1.27.30/semodule_package/Makefile 2005-11-29 16:06:08.000000000 -0500
+++ policycoreutils-1.27.30/semodule_package/Makefile 2005-11-30 10:35:13.000000000 -0500
@@ -3,6 +3,7 @@
INCLUDEDIR ?= $(PREFIX)/include
BINDIR ?= $(PREFIX)/bin
@ -190,7 +634,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/Makefil
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/semodule_package.8 policycoreutils-1.27.30/semodule_package/semodule_package.8
--- nsapolicycoreutils/semodule_package/semodule_package.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.27.30/semodule_package/semodule_package.8 2005-11-29 16:02:13.000000000 -0500
+++ policycoreutils-1.27.30/semodule_package/semodule_package.8 2005-11-30 10:35:13.000000000 -0500
@@ -0,0 +1,29 @@
+.TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA
+.SH NAME
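Review bot: In add_rule the membership test `if (type, scon, tcon, seclass) not in self.seRules.keys():` uses the builtin `type` instead of the `rule_type` parameter, so the key never matches, a fresh serule is created on every call and any access already accumulated for that (type, source, target, class) tuple is discarded from the generated output; it should read `if (rule_type, scon, tcon, seclass) not in self.seRules.keys():`. In the getopt long-option list a comma is missing after `'requires'`, so the two adjacent literals concatenate into `'requirestefile'` and neither `--requires` nor `--tefile` is recognised; change the line to `'requires',`. `print type` in add_terule looks like a leftover debug statement, and the message in `usage("Error %s: Option -fc requires -M" % sys.argv[0])` names the option `-fc` although the flag registered with getopt is `-f`. The new `a[0]=="-"` guards raise IndexError when an option is given an empty argument; `a.startswith("-")` rejects the same values without that failure mode. The seruleRecords class and the `__main__` block both extend beyond the visible hunks.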


@ -2,7 +2,7 @@
%define libsemanagever 1.3.61-1
Summary: SELinux policy core utilities.
Name: policycoreutils
Version: 1.27.30
Version: 1.27.31
Release: 1
License: GPL
Group: System Environment/Base
@ -95,6 +95,13 @@ rm -rf ${RPM_BUILD_ROOT}
%changelog
* Wed Nov 30 2005 Dan Walsh <dwalsh@redhat.com> 1.27.31-1
- Update to match NSA
* Changed genhomedircon to always use user_r for the role in the
managed case since user_get_defrole is broken.
- Add te file capabilities to audit2allow
- Add man pages for semodule
* Tue Nov 29 2005 Dan Walsh <dwalsh@redhat.com> 1.27.30-1
- Update to match NSA
* Merged sestatus, audit2allow, and semanage patch from Dan Walsh.


@ -1 +1 @@
38cdc65c904b41a6ec941b8ef9be25a6 policycoreutils-1.27.30.tgz
baf3d49d7f7b8805aa8bb7b465f54f76 policycoreutils-1.27.31.tgz