rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix sepoicy interface to work properly

Browse Source
This commit is contained in:
Dan Walsh 2013-03-01 14:18:15 -05:00
parent 5324d20ca0
commit fefce8f581
2 changed files with 302 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

317
policycoreutils-rhat.patch
View File

@ -1464,10 +1464,164 @@ index 201a988..f5d6e9d 100644
clean:
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 6901e4d..337d652 100755
index 6901e4d..5acb111 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -241,8 +241,8 @@ then
@@ -3,7 +3,7 @@
#
# Script to restore labels on a SELinux box
#
-# Copyright (C) 2004-2011 Red Hat, Inc.
+# Copyright (C) 2004-2013 Red Hat, Inc.
# Authors: Dan Walsh <dwalsh@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
@@ -26,11 +26,11 @@
# number if the current is less than 2.6.30 and 0 if they are the same.
#
function useseclabel {
- VER=`uname -r`
- SUP=2.6.30
- expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
- '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
- '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
+ VER=`uname -r`
+ SUP=2.6.30
+ expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
+ '(' "$VER.0" : '[^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0" : '[^.]*[.]\([^.]*\)' ')' '|' \
+ '(' "$VER.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')' '-' '(' "$SUP.0.0" : '[^.]*[.][^.]*[.]\([^.]*\)' ')'
}
#
@@ -65,7 +65,7 @@ done
}
#
-# Get the default label returned from the kernel for a file with a lable the
+# Get the default label returned from the kernel for a file with a lable the
# kernel does not understand
#
get_undefined_type() {
@@ -78,25 +78,25 @@ get_undefined_type() {
#
get_unlabeled_type() {
SELINUXMNT=`grep selinuxfs /proc/self/mountinfo | head -1 | awk '{ print $5 }'`
- cat $SELINUXMNT/initial_contexts/file | secon -t
+ cat $SELINUXMNT/initial_contexts/file | secon -t
}
exclude_dirs_from_relabelling() {
exclude_from_relabelling=
if [ -e /etc/selinux/fixfiles_exclude_dirs ]
then
- while read i
- do
- # skip blank line and comment
- # skip not absolute path
- # skip not directory
- [ -z "${i}" ] && continue
- [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
- [[ ! "${i}" =~ ^/.* ]] && continue
- [[ ! -d "${i}" ]] && continue
- exclude_from_relabelling="$exclude_from_relabelling -e $i"
- logit "skipping the directory $i from relabelling"
- done < /etc/selinux/fixfiles_exclude_dirs
+ while read i
+ do
+ # skip blank line and comment
+ # skip not absolute path
+ # skip not directory
+ [ -z "${i}" ] && continue
+ [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+ [[ ! "${i}" =~ ^/.* ]] && continue
+ [[ ! -d "${i}" ]] && continue
+ exclude_from_relabelling="$exclude_from_relabelling -e $i"
+ logit "skipping the directory $i from relabelling"
+ done < /etc/selinux/fixfiles_exclude_dirs
fi
echo "$exclude_from_relabelling"
}
@@ -104,7 +104,7 @@ exclude_dirs_from_relabelling() {
exclude_dirs() {
exclude=
for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
- [ -e $i ] && exclude="$exclude -e $i";
+ [ -e $i ] && exclude="$exclude -e $i";
done
exclude="$exclude `exclude_dirs_from_relabelling`"
echo "$exclude"
@@ -133,7 +133,7 @@ FILESYSTEMS="$FILESYSTEMSRW $FILESYSTEMSRO"
SELINUXTYPE="targeted"
if [ -e /etc/selinux/config ]; then
. /etc/selinux/config
- FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+ FC=/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts
else
FC=/etc/security/selinux/file_contexts
fi
@@ -158,7 +158,7 @@ newer() {
}
#
-# Compare PREVious File Context to currently installed File Context and
+# Compare PREVious File Context to currently installed File Context and
# run restorecon on all files affected by the differences.
#
diff_filecontext() {
@@ -172,30 +172,31 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
grep '^[<>]'|cut -c3-| grep ^/ | \
egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
sed -r -e 's,[[:blank:]].*,,g' \
- -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
+ -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
-e 's|([/[:alnum:]])\?|{\1,}|g' \
- -e 's|\?.*|*|g' \
+ -e 's|\?.*|*|g' \
+ -e 's|\{.*|*|g' \
-e 's|\(.*|*|g' \
-e 's|\[.*|*|g' \
- -e 's|\.\*.*|*|g' \
- -e 's|\.\+.*|*|g' | \
+ -e 's|\.\*.*|*|g' \
+ -e 's|\.\+.*|*|g' | \
# These two sorts need to be separate commands \
sort -u | \
sort -d | \
- while read pattern ; \
+ while read pattern ; \
do if ! echo "$pattern" | grep -q -f ${TEMPFILE} 2>/dev/null; then \
- echo "$pattern"; \
- case "$pattern" in *"*") \
- echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
- esac; \
- fi; \
- done | \
+ echo "$pattern"; \
+ case "$pattern" in *"*") \
+ echo "$pattern" | sed -e 's,^,^,' -e 's,\*$,,g' >> ${TEMPFILE};;
+ esac; \
+ fi; \
+ done | \
${RESTORECON} ${VERBOSE} -i -f - -R `exclude_dirs`; \
rm -f ${TEMPFILE} ${PREFCTEMPFILE}
fi
}
#
-# Log all Read Only file systems
+# Log all Read Only file systems
#
LogReadOnly() {
if [ ! -z "$FILESYSTEMSRO" ]; then
@@ -209,7 +210,7 @@ rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
}
-#
+#
# restore
# if called with -n will only check file context
#
@@ -241,8 +242,8 @@ then
TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
test -z "$TEMPFCFILE" && exit
/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
@ -1478,7 +1632,7 @@ index 6901e4d..337d652 100755
do
p="${p%/}"
p1="${p}(/.*)? -- <<none>>"
@@ -253,7 +253,7 @@ FC=$TEMPFCFILE
@@ -253,7 +254,7 @@ FC=$TEMPFCFILE
fi
if [ -n "${FILESYSTEMSRW}" ]; then
echo "Relabeling `echo ${FILESYSTEMSRW}`"
@ -1487,6 +1641,76 @@ index 6901e4d..337d652 100755
else
echo >&2 "fixfiles: No suitable file systems found"
fi
@@ -278,7 +279,7 @@ fullrelabel() {
relabel() {
if [ ! -z "$RPMFILES" ]; then
- restore
+ restore
fi
if [ $fullFlag == 1 ]; then
@@ -286,13 +287,13 @@ relabel() {
fi
echo -n "
- Files in the /tmp directory may be labeled incorrectly, this command
- can remove all files in /tmp. If you choose to remove files from /tmp,
+ Files in the /tmp directory may be labeled incorrectly, this command
+ can remove all files in /tmp. If you choose to remove files from /tmp,
a reboot will be required after completion.
-
+
Do you wish to clean out the /tmp directory [N]? "
read answer
- if [ "$answer" = y -o "$answer" = Y ]; then
+ if [ "$answer" = y -o "$answer" = Y ]; then
fullrelabel
else
restore
@@ -322,8 +323,8 @@ case "$1" in
esac
}
usage() {
- echo $"""
-Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
+ echo $"""
+Usage: $0 [-F] [-l logfile ] { check | restore| [-f] relabel | verify } [[dir/file] ... ]
or
Usage: $0 [-F] -R rpmpackage[,rpmpackage...] [-l logfile ] { check | restore | verify }
or
@@ -351,13 +352,13 @@ while getopts "N:BC:FfR:l:v" i; do
v)
VERBOSE="-v"
;;
- R)
+ R)
RPMFILES=$OPTARG
;;
- l)
+ l)
LOGFILE=$OPTARG
;;
- C)
+ C)
PREFC=$OPTARG
;;
F)
@@ -397,11 +398,11 @@ else
if [ -z "$1" ]; then
process $command
else
- while [ -n "$1" ]; do
+ while [ -n "$1" ]; do
FILEPATH=$1
- process $command
+ process $command
shift
- done
+ done
fi
fi
exit $?
diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
index 9ab7334..f263805 100644
--- a/policycoreutils/scripts/fixfiles.8
@ -1972,7 +2196,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..600eee2 100755
index b25d3b2..0ca3fc3 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
@ -2123,6 +2347,37 @@ index b25d3b2..600eee2 100755
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
@@ -320,7 +318,7 @@ def gen_transition_args(parser):
trans.set_defaults(func=transition)
def interface(args):
- from sepolicy.interface import get_admin, get, get_user
+ from sepolicy.interface import get_admin, get_user
if args.list_admin:
for a in get_admin():
print a
@@ -328,7 +326,7 @@ def interface(args):
for a in get_user():
print a
if args.list:
- for m in get():
+ for m in sepolicy.get_methods():
print m
def generate(args):
@@ -368,10 +366,10 @@ def gen_interface_args(parser):
help=_('List SELinux Policy interfaces'))
group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
- help="List all domains with admin interface")
+ help="List all domains with admin interface - DOMAIN_admin()")
group.add_argument("-u", "--list_user", dest="list_user",action="store_true",
default=False,
- help="List all domains with SELinux user role interface")
+ help="List all domains with SELinux user role interface - DOMAIN_role()")
group.add_argument("-l", "--list", dest="list",action="store_true",
default=False,
help="List all interfaces")
@@ -461,7 +459,10 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
@ -2136,10 +2391,20 @@ index b25d3b2..600eee2 100755
sys.exit(0)
except ValueError,e:
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index 5e7415c..9f4a774 100644
index 5e7415c..35c3758 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -37,9 +37,30 @@ CLASS = 'class'
@@ -7,6 +7,9 @@ import _policy
import selinux, glob
PROGNAME="policycoreutils"
import gettext
+import sepolgen.defaults as defaults
+import sepolgen.interfaces as interfaces
+import sys
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
@@ -37,9 +40,30 @@ CLASS = 'class'
TRANSITION = 'transition'
ROLE_ALLOW = 'role_allow'
@ -2172,7 +2437,7 @@ index 5e7415c..9f4a774 100644
policies = glob.glob ("%s.*" % path )
policies.sort()
return policies[-1]
@@ -47,6 +68,25 @@ def __get_installed_policy():
@@ -47,6 +71,26 @@ def __get_installed_policy():
pass
raise ValueError(_("No SELinux Policy installed"))
@ -2192,13 +2457,14 @@ index 5e7415c..9f4a774 100644
+ except:
+ sys.stderr.write("could not open interface info [%s]\n" % fn)
+ sys.exit(1)
+
+
+ methods.sort()
+ return methods
+
all_types = None
def get_all_types():
global all_types
@@ -54,6 +94,13 @@ def get_all_types():
@@ -54,6 +98,13 @@ def get_all_types():
all_types = map(lambda x: x['name'], info(TYPE))
return all_types
@ -2212,7 +2478,7 @@ index 5e7415c..9f4a774 100644
role_allows = None
def get_all_role_allows():
global role_allows
@@ -71,6 +118,7 @@ def get_all_role_allows():
@@ -71,6 +122,7 @@ def get_all_role_allows():
return role_allows
def get_all_entrypoint_domains():
@ -2220,7 +2486,7 @@ index 5e7415c..9f4a774 100644
all_domains = []
types=get_all_types()
types.sort()
@@ -81,11 +129,35 @@ def get_all_entrypoint_domains():
@@ -81,11 +133,35 @@ def get_all_entrypoint_domains():
all_domains.append(m[0])
return all_domains
@ -2257,7 +2523,7 @@ index 5e7415c..9f4a774 100644
return all_domains
roles = None
@@ -139,49 +211,42 @@ def get_all_attributes():
@@ -139,49 +215,42 @@ def get_all_attributes():
return all_attributes
def policy(policy_file):
@ -2371,19 +2637,28 @@ index 26f8390..898ec43 100644
newte += self.generate_process()
newte += self.generate_network_types()
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
index 8b063ca..5e92c7c 100644
index 8b063ca..c9036c3 100644
--- a/policycoreutils/sepolicy/sepolicy/interface.py
+++ b/policycoreutils/sepolicy/sepolicy/interface.py
@@ -27,7 +27,7 @@ import sepolgen.interfaces as interfaces
import sepolgen.defaults as defaults
@@ -22,14 +22,12 @@
#
#
import re
-
-import sepolgen.interfaces as interfaces
-import sepolgen.defaults as defaults
+import sepolicy
ADMIN_TRANSITION_INTERFACE = "_admin$"
USER_TRANSITION_INTERFACE = "_role$"
-from sepolicy.generate import get_all_types
+import selinux
__all__ = [ 'get', 'get_admin', 'get_user' ]
-__all__ = [ 'get', 'get_admin', 'get_user' ]
+__all__ = [ 'get_admin', 'get_user' ]
@@ -48,24 +48,10 @@ except IOError:
##
## I18N
@@ -48,24 +46,10 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
@ -2409,8 +2684,12 @@ index 8b063ca..5e92c7c 100644
if i.endswith("_admin"):
admin_list.append(i.split("_admin")[0])
return admin_list
@@ -76,6 +62,6 @@ def get_user():
for i in get():
@@ -73,9 +57,9 @@ def get_admin():
def get_user():
""" Get all domains with SELinux user role interface"""
trans_list = []
- for i in get():
+ for i in sepolicy.get_methods():
m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i)
if len(m) > 0:
- if "%s_exec_t" % m[0] in get_all_types():

5
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
Release: 15%{?dist}
Release: 16%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -310,6 +310,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
* Fri Mar 1 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-16
- Fix sepoicy interface to work properly
* Thu Feb 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-15
- Fix fixfiles to use exclude_dirs on fixfiles restore