From f9db9c1e299b5237288d93d1ad61a1a132d4b614 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Wed, 30 Nov 2005 19:32:20 +0000
Subject: [PATCH] *** empty log message ***

---
 .cvsignore | 1 +
 policycoreutils-rhat.patch | 460 ++++++++++++++++++++++++++++++++++++-
 policycoreutils.spec | 9 +-
 sources | 2 +-
 4 files changed, 462 insertions(+), 10 deletions(-)

diff --git a/.cvsignore b/.cvsignore
index 3871ad6..2d12eb6 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -68,3 +68,4 @@ policycoreutils-1.27.27.tgz
 policycoreutils-1.27.28.tgz
 policycoreutils-1.27.29.tgz
 policycoreutils-1.27.30.tgz
+policycoreutils-1.27.31.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 0cfdea0..91effa9 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,6 +1,450 @@ +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.30/audit2allow/audit2allow +--- nsapolicycoreutils/audit2allow/audit2allow 2005-11-29 13:43:42.000000000 -0500 ++++ policycoreutils-1.27.30/audit2allow/audit2allow 2005-11-30 13:40:16.000000000 -0500 +@@ -25,8 +25,9 @@ + # + # + import commands, sys, os, pwd, string, getopt, re, selinux +-class allow: +- def __init__(self, source, target, seclass): ++class serule: ++ def __init__(self, type, source, target, seclass): ++ self.type=type + self.source=source + self.target=target + self.seclass=seclass +@@ -52,7 +53,7 @@ + return ret + def out(self, verbose=0): + ret="" +- ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess()) ++ ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess()) + if verbose: + keys=self.avcinfo.keys() + keys.sort() +@@ -72,38 +73,104 @@ + else: + return self.target + +-class allowRecords: +- def __init__(self, input, last_reload=0, verbose=0): ++class seruleRecords: ++ def __init__(self, input, last_reload=0, verbose=0, te_ind=0): + self.last_reload=last_reload +- self.allowRules={} ++ self.seRules={} + self.seclasses={} + self.types=[] + self.roles=[] +- self.load(input) ++ self.load(input, te_ind) + + def warning(self, error): + sys.stderr.write("%s: " % sys.argv[0]) + sys.stderr.write("%s\n" % error) + sys.stderr.flush() + +- def load(self, input): ++ def load(self, input, te_ind=0): ++ VALID_CMDS=("allow", "dontaudit", "auditallow", "role") ++ + avc=[] + found=0 + line = input.readline() +- while line: +- rec=line.split() +- for i in rec: +- if i=="avc:" or i=="message=avc:": +- found=1 +- else: +- avc.append(i) +- if found: +- self.add(avc) +- found=0 +- avc=[] +- line = input.readline() ++ if te_ind: ++ while line: ++ rec=line.split() ++ if len(rec) and rec[0] in VALID_CMDS: ++ self.add_terule(line) ++ line = input.readline() ++ ++ 
else: ++ while line: ++ rec=line.split() ++ for i in rec: ++ if i=="avc:" or i=="message=avc:": ++ found=1 ++ else: ++ avc.append(i) ++ if found: ++ self.add(avc) ++ found=0 ++ avc=[] ++ line = input.readline() + + ++ def get_target(self, i, rule): ++ target=[] ++ if rule[i][0] == "{": ++ for t in rule[i].split("{"): ++ if len(t): ++ target.append(t) ++ i=i+1 ++ for s in rule[i:]: ++ if s.find("}") >= 0: ++ for s1 in s.split("}"): ++ if len(s1): ++ target.append(s1) ++ i=i+1 ++ return (i, target) ++ ++ target.append(s) ++ i=i+1 ++ else: ++ if rule[i].find(";") >= 0: ++ for s1 in rule[i].split(";"): ++ if len(s1): ++ target.append(s1) ++ else: ++ target.append(rule[i]) ++ ++ i=i+1 ++ return (i, target) ++ ++ def rules_split(self, rules): ++ (idx, target ) = self.get_target(0, rules) ++ (idx, subject) = self.get_target(idx, rules) ++ return (target, subject) ++ ++ def add_terule(self, rule): ++ rc = rule.split(":") ++ rules=rc[0].split() ++ type=rules[0] ++ if type == "role": ++ print type ++ (sources, targets) = self.rules_split(rules[1:]) ++ rules=rc[1].split() ++ (seclasses, access) = self.rules_split(rules) ++ for scon in sources: ++ for tcon in targets: ++ for seclass in seclasses: ++ self.add_rule(type, scon, tcon, seclass,access) ++ ++ def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""): ++ self.add_seclass(seclass, access) ++ self.add_type(tcon) ++ self.add_type(scon) ++ if (type, scon, tcon, seclass) not in self.seRules.keys(): ++ self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass) ++ ++ self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name )) ++ + def add(self,avc): + scon="" + tcon="" +@@ -117,7 +184,7 @@ + + if "granted" in avc: + if "load_policy" in avc and self.last_reload: +- self.allowRules={} ++ self.seRules={} + return + try: + for i in range (0, len(avc)): +@@ -160,16 +227,9 @@ + self.warning("Bad AVC Line: %s" % avc) + return + +- self.add_seclass(seclass, 
access) +- self.add_type(tcon) +- self.add_type(scon) + self.add_role(srole) + self.add_role(trole) +- +- if (scon, tcon, seclass) not in self.allowRules.keys(): +- self.allowRules[(scon, tcon, seclass)]=allow(scon, tcon, seclass) +- +- self.allowRules[(scon, tcon, seclass)].add((access, msg, comm, name )) ++ self.add_rule("allow", scon, tcon, seclass, access, msg, comm, name) + + def add_seclass(self,seclass, access): + if seclass not in self.seclasses.keys(): +@@ -195,17 +255,23 @@ + keys=self.seclasses.keys() + keys.sort() + rec="\n\nrequire {\n" +- for i in self.roles: +- rec += "\trole %s; \n" % i +- rec += "\n\n" ++ if len(self.roles) > 0: ++ for i in self.roles: ++ rec += "\trole %s; \n" % i ++ rec += "\n" ++ + for i in keys: + access=self.seclasses[i] +- access.sort() +- rec += "\tclass %s { " % i +- for a in access: +- rec += " %s" % a +- rec += " }; \n" +- rec += "\n\n" ++ if len(access) > 1: ++ access.sort() ++ rec += "\tclass %s {" % i ++ for a in access: ++ rec += " %s" % a ++ rec += " }; \n" ++ else: ++ rec += "\tclass %s %s;\n" % (i, access[0]) ++ ++ rec += "\n" + + for i in self.types: + rec += "\ttype %s; \n" % i +@@ -214,17 +280,19 @@ + + def out(self, require=0, module=""): + rec="" +- if len(self.allowRules.keys())==0: ++ if len(self.seRules.keys())==0: + raise(ValueError("No AVC messages found.")) +- if module!="": ++ if module != "": + rec += self.gen_module(module) + rec += self.gen_requires() + else: + if requires: + rec+=self.gen_requires() +- +- for i in self.allowRules.keys(): +- rec += self.allowRules[i].out(verbose)+"\n" ++ ++ keys=self.seRules.keys() ++ keys.sort() ++ for i in keys: ++ rec += self.seRules[i].out(verbose)+"\n" + return rec + + if __name__ == '__main__': +@@ -235,8 +303,8 @@ + else: + return "" + +- def usage(): +- print 'audit2allow [-adhilrv] [-i ] [[-m|-M] ] [-o ]\n\ ++ def usage(msg=""): ++ print 'audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i ] [[-m|-M] ] [-o ]\n\ + -a, --all read input from audit and message 
log, conflicts with -i\n\ + -d, --dmesg read input from output of /bin/dmesg\n\ + -h, --help display this message\n\ +@@ -246,8 +314,12 @@ + -M generate loadable module package, conflicts with -o\n\ + -o, --output append output to , conflicts with -M\n\ + -r, --requires generate require output \n\ ++ -t, --tefile Indicates input is Existing Type Enforcement file\n\ ++ -f, --fcfile Existing Type Enforcement file, requires -M\n\ + -v, --verbose verbose output\n\ + ' ++ if msg != "": ++ print msg + sys.exit(1) + + def errorExit(error): +@@ -270,41 +342,50 @@ + buildPP=0 + input_ind=0 + output_ind=0 ++ te_ind=0 ++ ++ fc_file="" + gopts, cmds = getopt.getopt(sys.argv[1:], +- 'adhi:lm:M:o:rv', ++ 'adf:hi:lm:M:o:rtv', + ['all', + 'dmesg', ++ 'fcfile=', + 'help', + 'input=', + 'lastreload', + 'module=', + 'output=', + 'requires' ++ 'tefile', + 'verbose' + ]) + for o,a in gopts: + if o == "-a" or o == "--all": +- if input_ind: ++ if input_ind or te_ind: + usage() + input=open("/var/log/messages", "r") + auditlogs=1 + if o == "-d" or o == "--dmesg": + input=os.popen("/bin/dmesg", "r") ++ if o == "-f" or o == "--fcfile": ++ if a[0]=="-": ++ usage() ++ fc_file=a + if o == "-h" or o == "--help": + usage() + if o == "-i"or o == "--input": +- if auditlogs: ++ if auditlogs or a[0]=="-": + usage() + input_ind=1 + input=open(a, "r") + if o == '--lastreload' or o == "-l": + last_reload=1 + if o == "-m" or o == "--module": +- if module != "": ++ if module != "" or a[0]=="-": + usage() + module=a + if o == "-M": +- if module != "" or output_ind: ++ if module != "" or output_ind or a[0]=="-": + usage() + module=a + outfile=a+".te" +@@ -312,19 +393,30 @@ + output=open(outfile, "w") + if o == "-r" or o == "--requires": + requires=1 ++ if o == "-t" or o == "--tefile": ++ if auditlogs: ++ usage() ++ te_ind=1 + if o == "-o" or o == "--output": +- if module != "": ++ if module != "" or a[0]=="-": + usage() + output=open(a, "a") + output_ind=1 + if o == "-v" or o == "--verbose": + verbose=1 +- 
if len(cmds) != 0: +- usage() +- out=allowRecords(input, last_reload, verbose) ++ ++ if len(cmds) != 0: ++ usage() ++ ++ if fc_file != "" and not buildPP: ++ usage("Error %s: Option -fc requires -M" % sys.argv[0]) ++ ++ out=seruleRecords(input, last_reload, verbose, te_ind) ++ + if auditlogs: + input=open("/var/log/audit/audit.log", "r") +- out.load(input) ++ out.load(input) ++ + if buildPP: + print ("Generating type enforcment file: %s.te" % module) + output.write(out.out(requires, module)) +@@ -334,8 +426,13 @@ + print "Compiling policy: %s" % cmd + rc=commands.getstatusoutput(cmd) + if rc[0]==0: +- print ("Building package: semodule_package -o %s.pp -m %s.mod" % (module, module)) +- rc=commands.getstatusoutput("semodule_package -o %s.pp -m %s.mod" % (module, module)) ++ cmd="semodule_package -o %s.pp -m %s.mod" % (module, module) ++ print cmd ++ if fc_file != "": ++ cmd = "%s -f %s" % (cmd, fc_file) ++ ++ print "Building package: %s" % cmd ++ rc=commands.getstatusoutput(cmd) + if rc[0]==0: + print ("\n******************** IMPORTANT ***********************\n") + print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module) +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.27.30/audit2allow/audit2allow.1 +--- nsapolicycoreutils/audit2allow/audit2allow.1 2005-11-29 13:43:42.000000000 -0500 ++++ policycoreutils-1.27.30/audit2allow/audit2allow.1 2005-11-30 13:45:15.000000000 -0500 +@@ -33,37 +33,44 @@ + .B "\-a" | "\-\-all" + Read input from audit and message log, conflicts with -i + .TP +-.B "\-h" | "\-\-help" +-Print a short usage message +-.TP + .B "\-d" | "\-\-dmesg" + Read input from output of + .I /bin/dmesg. + Note that audit messages are not available via dmesg when + auditd is running; use -i /var/log/audit/audit.log instead. 
+ .TP +-.B "\-v" | "\-\-verbose" +-Turn on verbose output ++.B "\-f" | "\-\-fcfile" ++Add File Context File to generated Module Package. Requires -M option. ++.TP ++.B "\-h" | "\-\-help" ++Print a short usage message ++.TP ++.B "\-i " | "\-\-input " ++read input from ++.I + .TP + .B "\-l" | "\-\-lastreload" + read input only after last policy reload + .TP +-.B "\-r" | "\-\-requires" +-Generate require output syntax for loadable modules. +-.TP + .B "\-m " | "\-\-module " + Generate module/require output + .TP + .B "\-M " + Generate loadable module package, conflicts with -o + .TP +-.B "\-i " | "\-\-input " +-read input from +-.I +-.TP + .B "\-o " | "\-\-output " + append output to + .I ++.TP ++.B "\-r" | "\-\-requires" ++Generate require output syntax for loadable modules. ++.TP ++.B "\-t " | "\-\-tefile" ++Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. ++.TP ++.B "\-v" | "\-\-verbose" ++Turn on verbose output ++ + .SH DESCRIPTION + .PP + This utility scans the logs for messages logged when the system denied +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.30/scripts/genhomedircon +--- nsapolicycoreutils/scripts/genhomedircon 2005-11-30 13:59:30.000000000 -0500 ++++ policycoreutils-1.27.30/scripts/genhomedircon 2005-11-30 10:35:24.000000000 -0500 +@@ -32,6 +32,8 @@ + fd=open("/etc/shells", 'r') + VALID_SHELLS=fd.read().split('\n') + fd.close() ++if "/sbin/nologin" in VALID_SHELLS: ++ VALID_SHELLS.remove("/sbin/nologin") + + def getStartingUID(): + starting_uid = sys.maxint +@@ -266,7 +271,7 @@ + homedir = u[5][:string.rfind(u[5], "/")] + if not homedir in homedirs: + if self.checkExists(homedir)==0: +- warning("%s is already defined in %s,\n%s will not create a new context." 
% (homedir, self.getFileContextFile(), sys.argv[0])) ++ warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0])) + else: + homedirs.append(homedir) + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/Makefile policycoreutils-1.27.30/semodule/Makefile --- nsapolicycoreutils/semodule/Makefile 2005-10-10 09:02:48.000000000 -0400 -+++ policycoreutils-1.27.30/semodule/Makefile 2005-11-29 16:11:32.000000000 -0500 ++++ policycoreutils-1.27.30/semodule/Makefile 2005-11-30 10:35:13.000000000 -0500 @@ -17,6 +17,8 @@ install: all -mkdir -p $(SBINDIR) @@ -12,7 +456,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/Makefile policy diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-1.27.30/semodule/semodule.8 --- nsapolicycoreutils/semodule/semodule.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.30/semodule/semodule.8 2005-11-29 15:47:33.000000000 -0500 ++++ policycoreutils-1.27.30/semodule/semodule.8 2005-11-30 10:35:13.000000000 -0500 @@ -0,0 +1,53 @@ +.TH SEMODULE "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME @@ -69,7 +513,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule/semodule.8 poli +The program was written by Karl MacMillan , Joshua Brindle , Jason Tang diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/Makefile policycoreutils-1.27.30/semodule_expand/Makefile --- nsapolicycoreutils/semodule_expand/Makefile 2005-10-12 15:25:33.000000000 -0400 -+++ policycoreutils-1.27.30/semodule_expand/Makefile 2005-11-29 16:06:55.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_expand/Makefile 2005-11-30 10:35:13.000000000 -0500 @@ -3,6 +3,7 @@ INCLUDEDIR ?= $(PREFIX)/include BINDIR ?= $(PREFIX)/bin 
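Review bot: `add_rule` in the new audit2allow code tests `(type, scon, tcon, seclass) not in self.seRules.keys()` using the builtin `type` rather than the `rule_type` parameter, so the lookup never matches and every call replaces the existing `serule`, silently discarding the access vectors accumulated from earlier AVCs for the same source/target/class; it should read `if (rule_type, scon, tcon, seclass) not in self.seRules:`. In the getopt long-option list the entry `'requires'` has no trailing comma, so Python concatenates it with `'tefile'` into `'requirestefile'` and neither `--requires` nor `--tefile` is accepted; add the comma. `add_terule` lists `role` in VALID_CMDS but then indexes `rc[1]` after splitting on `:`, which a `role ... types ...;` line does not contain, so `-t` on a te file with role rules will raise IndexError, and the stray `print type` debug line should be removed. The `-f` path is interpolated unquoted into the `semodule_package` shell command run via `commands.getstatusoutput`, which is acceptable for a trusted local argument but breaks on paths containing spaces or shell metacharacters.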
@@ -89,7 +533,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/Makefile diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/semodule_expand.8 policycoreutils-1.27.30/semodule_expand/semodule_expand.8 --- nsapolicycoreutils/semodule_expand/semodule_expand.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.30/semodule_expand/semodule_expand.8 2005-11-29 15:58:23.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_expand/semodule_expand.8 2005-11-30 10:35:13.000000000 -0500 @@ -0,0 +1,26 @@ +.TH SEMODULE_EXPAND "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME @@ -119,7 +563,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_expand/semodule +The program was written by Karl MacMillan , Joshua Brindle diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/Makefile policycoreutils-1.27.30/semodule_link/Makefile --- nsapolicycoreutils/semodule_link/Makefile 2005-10-12 15:25:33.000000000 -0400 -+++ policycoreutils-1.27.30/semodule_link/Makefile 2005-11-29 16:06:48.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_link/Makefile 2005-11-30 10:35:13.000000000 -0500 @@ -2,6 +2,7 @@ PREFIX ?= ${DESTDIR}/usr INCLUDEDIR ?= $(PREFIX)/include @@ -139,7 +583,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/Makefile p diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/semodule_link.8 policycoreutils-1.27.30/semodule_link/semodule_link.8 --- nsapolicycoreutils/semodule_link/semodule_link.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.30/semodule_link/semodule_link.8 2005-11-29 16:04:14.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_link/semodule_link.8 2005-11-30 10:35:13.000000000 -0500 @@ -0,0 +1,27 @@ +.TH SEMODULE_LINK "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME 
@@ -170,7 +614,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_link/semodule_l +The program was written by Karl MacMillan diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/Makefile policycoreutils-1.27.30/semodule_package/Makefile --- nsapolicycoreutils/semodule_package/Makefile 2005-10-12 15:25:33.000000000 -0400 -+++ policycoreutils-1.27.30/semodule_package/Makefile 2005-11-29 16:06:08.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_package/Makefile 2005-11-30 10:35:13.000000000 -0500 @@ -3,6 +3,7 @@ INCLUDEDIR ?= $(PREFIX)/include BINDIR ?= $(PREFIX)/bin @@ -190,7 +634,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/Makefil diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semodule_package/semodule_package.8 policycoreutils-1.27.30/semodule_package/semodule_package.8 --- nsapolicycoreutils/semodule_package/semodule_package.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-1.27.30/semodule_package/semodule_package.8 2005-11-29 16:02:13.000000000 -0500 ++++ policycoreutils-1.27.30/semodule_package/semodule_package.8 2005-11-30 10:35:13.000000000 -0500 @@ -0,0 +1,29 @@ +.TH SEMODULE_PACKAGE "8" "Nov 2005" "Security Enhanced Linux" NSA +.SH NAME diff --git a/policycoreutils.spec b/policycoreutils.spec index d3e142a..2e4a2ef 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -2,7 +2,7 @@ %define libsemanagever 1.3.61-1 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.27.30 +Version: 1.27.31 Release: 1 License: GPL Group: System Environment/Base 
@@ -95,6 +95,13 @@ rm -rf ${RPM_BUILD_ROOT} %changelog +* Wed Nov 30 2005 Dan Walsh 1.27.31-1 +- Update to match NSA + * Changed genhomedircon to always use user_r for the role in the + managed case since user_get_defrole is broken. +- Add te file capabilities to audit2allow +- Add man pages for semodule + * Tue Nov 29 2005 Dan Walsh 1.27.30-1 - Update to match NSA * Merged sestatus, audit2allow, and semanage patch from Dan Walsh. diff --git a/sources b/sources index 56dc8f7..7b4ee92 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -38cdc65c904b41a6ec941b8ef9be25a6 policycoreutils-1.27.30.tgz +baf3d49d7f7b8805aa8bb7b465f54f76 policycoreutils-1.27.31.tgz