diff --git policycoreutils-2.6/gui/polgengui.py policycoreutils-2.6/gui/polgengui.py index 1d262a9..7460cce 100644 --- policycoreutils-2.6/gui/polgengui.py +++ policycoreutils-2.6/gui/polgengui.py @@ -679,7 +679,7 @@ class childWindow: entry.set_text("") return False if name in self.all_modules: - if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: + if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO: entry.set_text("") return False diff --git policycoreutils-2.6/hll/pp/pp.c policycoreutils-2.6/hll/pp/pp.c index 2c9f53f..7f9afb0 100644 --- policycoreutils-2.6/hll/pp/pp.c +++ policycoreutils-2.6/hll/pp/pp.c @@ -141,7 +141,7 @@ int main(int argc, char **argv) if (separator) { *separator = '\0'; } - if (strcmp(mod_name, cil_name) != 0) { + if (mod_name && strcmp(mod_name, cil_name) != 0) { fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, mod_name, cil_name); } free(cil_path); diff --git policycoreutils-2.6/sandbox/sandboxX.sh policycoreutils-2.6/sandbox/sandboxX.sh index eaa500d..4774528 100644 --- policycoreutils-2.6/sandbox/sandboxX.sh +++ policycoreutils-2.6/sandbox/sandboxX.sh @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF EOF -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do +(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do export DISPLAY=:$D cat > ~/seremote << __EOF #!/bin/sh diff --git policycoreutils-2.6/scripts/fixfiles policycoreutils-2.6/scripts/fixfiles index fa43a53..301fc34 100755 --- policycoreutils-2.6/scripts/fixfiles +++ policycoreutils-2.6/scripts/fixfiles 
@@ -116,14 +116,11 @@ exclude_dirs() { fullFlag=0 BOOTTIME="" VERBOSE="-p" +[ -t 1 ] || VERBOSE="" FORCEFLAG="" DIRS="" RPMILES="" -LOGFILE=`tty` -if [ $? != 0 ]; then - LOGFILE="/dev/null" -fi -LOGGER=/usr/sbin/logger +LOGFILE=/proc/self/fd/1 SETFILES=/sbin/setfiles RESTORECON=/sbin/restorecon FILESYSTEMSRW=`get_rw_labeled_mounts` @@ -137,12 +134,15 @@ else FC=/etc/security/selinux/file_contexts fi +FC_SUB_DIST=${FC}.subs_dist +FC_SUB=${FC}.subs +FC_HOMEDIRS=${FC}.homedirs # -# Log to either syslog or a LOGFILE +# Write to LOGFILE # logit () { if [ -n $LOGFILE ]; then - echo $1 >> $LOGFILE + echo $1 >> "$LOGFILE" fi } # @@ -244,6 +244,10 @@ then logit "skipping the directory ${p}" done FC=$TEMPFCFILE +/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit +/bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit +/bin/cp -p ${FC_HOMEDIRS} ${TEMPFCFILE}.homedirs &>/dev/null || exit + fi if [ ! -z "$RPMFILES" ]; then for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do @@ -265,7 +269,7 @@ if [ ${OPTION} != "Relabel" ]; then return fi echo "Cleaning up labels on /tmp" -rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE +rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs ${TEMPFCFILE}.homedirs UNDEFINED=`get_undefined_type` || exit $? UNLABELED=`get_unlabeled_type` || exit $? @@ -314,7 +318,7 @@ process() { case "$1" in restore) restore Relabel;; check) VERBOSE="-v"; restore Check -n;; - verify) restore Verify -n -o -;; + verify) restore Verify -n;; relabel) relabel;; onboot) > /.autorelabel diff --git policycoreutils-2.6/semanage/semanage.8 policycoreutils-2.6/semanage/semanage.8 index ac39862..75b782f 100644 --- policycoreutils-2.6/semanage/semanage.8 +++ policycoreutils-2.6/semanage/semanage.8 
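Review bot: `if [ -n $LOGFILE ]` in logit still leaves the variable unquoted, so when it is empty the test collapses to `[ -n ]`, which is true, and the following `echo` then fails with an ambiguous redirect; quote it as `if [ -n "$LOGFILE" ]; then`. The message argument on the next line wants the same treatment, `echo "$1" >> "$LOGFILE"`, otherwise a message containing `*` or runs of whitespace is glob-expanded or re-split before it is written. logit is complete within the hunk.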
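Review bot: The three `cp -p ... &>/dev/null || exit` lines copy into names derived from `$TEMPFCFILE` (`${TEMPFCFILE}.subs_dist`, `.subs`, `.homedirs`) that the temp-file creation, which is outside this hunk, never reserved; if `$TEMPFCFILE` lives in a shared directory such as /tmp those sibling names are predictable and `cp` writes through a pre-existing symlink at that path, so creating one private directory with `mktemp -d` and placing the file-context copy and its three companions inside it is the safer layout. `&>` is a bash extension; under a POSIX /bin/sh it parses as `&` followed by `>`, backgrounding the copy so `|| exit` never sees its status (the interpreter line is not in the hunk). Separately, an absent `file_contexts.subs` is a legitimate configuration, yet here it makes fixfiles exit silently with the error output discarded; guard each copy with `[ -f "$FC_SUB" ] &&` or report the failure before exiting. The trailing added blank line can be dropped.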
@@ -51,8 +51,7 @@ to SELinux user identities (which controls the initial security context assigned to Linux users when they login and bounds their authorized role set) as well as security context mappings for various kinds of objects, such as network ports, interfaces, and nodes (hosts) as well as the file -context mapping. See the EXAMPLES section below for some examples -of common usage. Note that the semanage login command deals with the +context mapping. Note that the semanage login command deals with the mapping from Linux usernames (logins) to SELinux user identities, while the semanage user command deals with the mapping from SELinux user identities to authorized role sets. In most cases, only the diff --git policycoreutils-2.6/semanage/seobject.py policycoreutils-2.6/semanage/seobject.py index bb049c0..c836cc5 100644 --- policycoreutils-2.6/semanage/seobject.py +++ policycoreutils-2.6/semanage/seobject.py @@ -386,7 +386,7 @@ class moduleRecords(semanageRecords): def add(self, file, priority): if not os.path.exists(file): - raise ValueError(_("Module does not exists %s ") % file) + raise ValueError(_("Module does not exist: %s ") % file) rc = semanage_set_default_priority(self.sh, priority) if rc < 0: @@ -492,7 +492,7 @@ class permissiveRecords(semanageRecords): try: import sepolgen.module as module except ImportError: - raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro.")) + raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel package.\n# yum install policycoreutils-devel\nOr similar for your distro.")) name = "permissive_%s" % type modtxt = "(typepermissive %s)" % type 
@@ -1823,7 +1823,7 @@ class fcontextRecords(semanageRecords): def modify_equal(self, target, substitute): self.begin() if target not in self.equiv.keys(): - raise ValueError(_("Equivalence class for %s does not exists") % target) + raise ValueError(_("Equivalence class for %s does not exist") % target) self.equiv[target] = substitute self.equal_ind = True @@ -1953,10 +1953,12 @@ class fcontextRecords(semanageRecords): if not exists: raise ValueError(_("File context for %s is not defined") % target) - (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) - if rc < 0: - (rc, fcontext) = semanage_fcontext_query(self.sh, k) - if rc < 0: + try: + (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) + except OSError: + try: + (rc, fcontext) = semanage_fcontext_query(self.sh, k) + except OSError: raise ValueError(_("Could not query file context for %s") % target) if setype != "<>": diff --git policycoreutils-2.6/semodule_package/semodule_package.c policycoreutils-2.6/semodule_package/semodule_package.c index d2a5fd0..e472054 100644 --- policycoreutils-2.6/semodule_package/semodule_package.c +++ policycoreutils-2.6/semodule_package/semodule_package.c @@ -72,6 +72,10 @@ static int file_to_data(const char *path, char **data, size_t * len) path, strerror(errno)); goto err; } + if (!sb.st_size) { + *len = 0; + return 0; + } *data = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (*data == MAP_FAILED) { diff --git policycoreutils-2.6/sepolicy/org.selinux.conf policycoreutils-2.6/sepolicy/org.selinux.conf index a350978..1ae079d 100644 --- policycoreutils-2.6/sepolicy/org.selinux.conf +++ policycoreutils-2.6/sepolicy/org.selinux.conf @@ -12,12 +12,8 @@ - - - - + diff --git policycoreutils-2.6/sepolicy/org.selinux.policy policycoreutils-2.6/sepolicy/org.selinux.policy index 0126610..9772127 100644 --- policycoreutils-2.6/sepolicy/org.selinux.policy +++ policycoreutils-2.6/sepolicy/org.selinux.policy 
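Review bot: After the switch to `except OSError`, the `rc` unpacked from `semanage_fcontext_query_local` and `semanage_fcontext_query` is never examined, so if either binding can still signal failure through a negative `rc` without raising (the binding is not in the hunk), that failure is now accepted silently and `fcontext` is used as if valid. Either keep an `if rc < 0:` check after each call or drop `rc` from the unpacking once it is certain the bindings raise on every error. The enclosing method starts and ends outside the hunk.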
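Review bot: The new zero-size early return in file_to_data leaves `*data` untouched and bypasses whatever cleanup follows the mmap, so a caller that inspects or unmaps `*data` reads an indeterminate pointer, and the `fd` the mmap uses is leaked on this path if the success path below closes it (the open and the end of the function are outside the hunk). Set both outputs explicitly and release the descriptor: `*data = NULL; *len = 0; close(fd); return 0;`, or route through the existing cleanup label with a success status instead of returning directly.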
@@ -70,9 +70,9 @@ auth_admin_keep - - SELinux write access - System policy prevents change_policy_type access to SELinux + + Change SELinux default enforcing mode + System policy prevents change_default_policy access to SELinux no no diff --git policycoreutils-2.6/sepolicy/selinux_client.py policycoreutils-2.6/sepolicy/selinux_client.py index 7f4a91c..dc29f28 100644 --- policycoreutils-2.6/sepolicy/selinux_client.py +++ policycoreutils-2.6/sepolicy/selinux_client.py @@ -39,6 +39,6 @@ if __name__ == "__main__": try: dbus_proxy = SELinuxDBus() resp = dbus_proxy.customized() - print convert_customization(resp) - except dbus.DBusException, e: - print e + print(convert_customization(resp)) + except dbus.DBusException as e: + print(e) diff --git policycoreutils-2.6/sepolicy/selinux_server.py policycoreutils-2.6/sepolicy/selinux_server.py index cdf4d16..84720f9 100644 --- policycoreutils-2.6/sepolicy/selinux_server.py +++ policycoreutils-2.6/sepolicy/selinux_server.py @@ -46,13 +46,13 @@ class selinux_server(slip.dbus.service.Object): return buf # - # The semodule_list method will return the output of semodule -l, using the customized polkit, + # The semodule_list method will return the output of semodule --list=full, using the customized polkit, # since this is a readonly behaviour # @slip.dbus.polkit.require_auth("org.selinux.semodule_list") @dbus.service.method("org.selinux", in_signature='', out_signature='s') def semodule_list(self): - p = Popen(["/usr/sbin/semodule", "-l"], stdout=PIPE, stderr=PIPE) + p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE) buf = p.stdout.read() output = p.communicate() if p.returncode and p.returncode != 0: diff --git policycoreutils-2.6/sepolicy/sepolicy-generate.8 policycoreutils-2.6/sepolicy/sepolicy-generate.8 index 2e67456..0c5f998 100644 --- policycoreutils-2.6/sepolicy/sepolicy-generate.8 +++ policycoreutils-2.6/sepolicy/sepolicy-generate.8 
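Review bot: Switching semodule_list to `semodule --list=full` changes the text returned over D-Bus from `name version` lines to `priority name language [disabled]` lines, and because the method's `out_signature` is an opaque 's' nothing tells a client which layout it receives; any caller other than the gui.py updated in this commit that parses the old layout breaks. State the layout where the method is documented, e.g. `# Each returned line is: priority module_name language [disabled]`, and record the format change for D-Bus clients. The method continues outside the hunk.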
@@ -13,7 +13,7 @@ Common options Confined Applications .br -.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ] +.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ] .br .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ] .br diff --git policycoreutils-2.6/sepolicy/sepolicy.py policycoreutils-2.6/sepolicy/sepolicy.py index 3e502a7..5bf9b52 100755 --- policycoreutils-2.6/sepolicy/sepolicy.py +++ policycoreutils-2.6/sepolicy/sepolicy.py @@ -262,7 +262,7 @@ def _print_net(src, protocol, perm): if len(portdict) > 0: bold_start = "\033[1m" bold_end = "\033[0;0m" - print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end + print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end) port_strings = [] boolean_text = "" for p in portdict: @@ -275,7 +275,7 @@ def _print_net(src, protocol, perm): port_strings.append("%s (%s)" % (", ".join(recs), t)) port_strings.sort(numcmp) for p in port_strings: - print "\t" + p + print("\t" + p) def network(args): @@ -286,7 +286,7 @@ def network(args): if i[0] not in all_ports: all_ports.append(i[0]) all_ports.sort() - print "\n".join(all_ports) + print("\n".join(all_ports)) for port in args.port: found = False 
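Review bot: `port_strings.sort(numcmp)` on the context line directly above the converted `print("\t" + p)` still passes a comparison function positionally, which Python 3's `list.sort` rejects with a TypeError, so converting the print alone does not get this function running on 3; change it to `port_strings.sort(key=functools.cmp_to_key(numcmp))` with `functools` imported at the top of the file (outside this hunk). _print_net starts outside the hunk.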
@@ -297,18 +297,18 @@ def network(args): else: range = "%s-%s" % (i[0], i[1]) found = True - print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range) + print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)) if not found: if port < 500: - print "Undefined reserved port type" + print("Undefined reserved port type") else: - print "Undefined port type" + print("Undefined port type") for t in args.type: if (t, 'tcp') in portrecs.keys(): - print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])) + print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))) if (t, 'udp') in portrecs.keys(): - print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])) + print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))) for a in args.applications: d = sepolicy.get_init_transtype(a) @@ -357,7 +357,7 @@ def manpage(args): for domain in test_domains: m = ManPage(domain, path, args.root, args.source_files, args.web) - print m.get_man_page_path() + print(m.get_man_page_path()) if args.web: HTMLManPages(manpage_roles, manpage_domains, path, args.os) @@ -418,7 +418,7 @@ def communicate(args): out = list(set(writable) & set(readable)) for t in out: - print t + print(t) def gen_communicate_args(parser): @@ -445,7 +445,7 @@ def booleans(args): args.booleans.sort() for b in args.booleans: - print "%s=_(\"%s\")" % (b, boolean_desc(b)) + print("%s=_(\"%s\")" % (b, boolean_desc(b))) def gen_booleans_args(parser): @@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""): for i in interfaces: if args.verbose: try: - print get_interface_format_text(i + append) + print(get_interface_format_text(i + append)) except KeyError: - print i + print(i) if args.compile: try: interface_compile_test(i) except KeyError: - print i + print(i) else: - print i + print(i) def interface(args): 
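Review bot: `print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))` carries a stray space after the opening parenthesis that none of the neighbouring converted prints have; write it as `print("%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))`. The `(t, 'tcp') in portrecs.keys()` tests on the context lines work on both versions, but plain `(t, 'tcp') in portrecs` avoids building the view. network() starts and ends outside the hunk.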
@@ -565,7 +565,7 @@ def generate(args): if args.policytype in APPLICATIONS: mypolicy.gen_writeable() mypolicy.gen_symbols() - print mypolicy.generate(args.path) + print(mypolicy.generate(args.path)) def gen_interface_args(parser): @@ -698,12 +698,12 @@ if __name__ == '__main__': args = parser.parse_args(args=parser_args) args.func(args) sys.exit(0) - except ValueError, e: + except ValueError as e: sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) sys.exit(1) - except IOError, e: + except IOError as e: sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e))) sys.exit(1) except KeyboardInterrupt: - print "Out" + print("Out") sys.exit(0) diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py index 8fbd5b4..43144c1 100644 --- policycoreutils-2.6/sepolicy/sepolicy/__init__.py +++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py @@ -383,7 +383,12 @@ def get_conditionals(src, dest, tclass, perm): def get_conditionals_format_text(cond): - enabled = len(filter(lambda x: x['boolean'][0][1], cond)) > 0 + + enabled = False + for x in cond: + if x['boolean'][0][1]: + enabled = True + break return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond)))) @@ -465,7 +470,7 @@ def find_file(reg): try: pat = re.compile(r"%s$" % reg) - return filter(pat.match, map(lambda x: path + x, os.listdir(path))) + return [x for x in map(lambda x: path + x, os.listdir(path)) if pat.match(x)] except: return [] @@ -589,7 +594,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()): def get_transitions_into(setype): try: - return filter(lambda x: x["transtype"] == setype, search([TRANSITION], {'class': 'process'})) + return [x for x in search([TRANSITION], {'class': 'process'}) if x["transtype"] == setype] except (TypeError, AttributeError): pass return None 
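Review bot: The five-line loop that computes `enabled` is the idiom `any()` exists for, and the blank line inserted directly after the `def` line is against PEP 8; `enabled = any(x['boolean'][0][1] for x in cond)` keeps the short-circuit the `break` provides and reads as the intent. A one-line docstring would also help, since the returned string encodes both whether any listed boolean is currently on and the `name=value` pairs that gate the rule. get_conditionals_format_text is complete within the hunk.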
@@ -605,7 +610,7 @@ def get_transitions(setype): def get_file_transitions(setype): try: - return filter(lambda x: x['class'] != "process", search([TRANSITION], {'source': setype})) + return [x for x in search([TRANSITION], {'source': setype}) if x['class'] != "process"] except (TypeError, AttributeError): pass return None @@ -663,6 +668,23 @@ def get_init_entrypoint(transtype): return entrypoints +def get_init_entrypoints_str(): + q = setools.TERuleQuery(_pol, + ruletype=["type_transition"], + source="init_t", + tclass=["process"]) + entrypoints = {} + for i in q.results(): + try: + transtype = str(i.default) + if transtype in entrypoints: + entrypoints[transtype].append(str(i.target)) + else: + entrypoints[transtype] = [str(i.target)] + except AttributeError: + continue + + return entrypoints def get_init_entrypoint_target(entrypoint): try: @@ -695,7 +717,7 @@ def get_methods(): # List of per_role_template interfaces ifs = interfaces.InterfaceSet() ifs.from_file(fd) - methods = ifs.interfaces.keys() + methods = list(ifs.interfaces.keys()) fd.close() except: sys.stderr.write("could not open interface info [%s]\n" % fn) @@ -752,7 +774,10 @@ def get_all_entrypoint_domains(): def gen_interfaces(): - import commands + try: + from commands import getstatusoutput + except ImportError: + from subprocess import getstatusoutput ifile = defaults.interface_info() headers = defaults.headers() try: @@ -763,7 +788,7 @@ def gen_interfaces(): if os.getuid() != 0: raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen")) - print(commands.getstatusoutput("/usr/bin/sepolgen-ifgen")[1]) + print(getstatusoutput("/usr/bin/sepolgen-ifgen")[1]) def gen_port_dict(): 
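Review bot: get_init_entrypoints_str has no docstring and its name suggests a string result while it returns a dict mapping each init-transition default type to a list of target type names; add `"""Return {transtype: [entrypoint type, ...]} for every init_t process type_transition in the loaded policy."""` and consider a name that says so. The `if transtype in entrypoints ... else` pair is `entrypoints.setdefault(transtype, []).append(str(i.target))`, and the `except AttributeError: continue` silently drops any rule whose `default` or `target` attribute is missing, which deserves a comment saying why that is expected. Only one blank line separates the new function from `def get_init_entrypoint_target`; PEP 8 wants two.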
@@ -1082,24 +1107,14 @@ def boolean_desc(boolean): def get_os_version(): - os_version = "" - pkg_name = "selinux-policy" + system_release = "" try: - import commands - rc, output = commands.getstatusoutput("rpm -q '%s'" % pkg_name) - if rc == 0: - os_version = output.split(".")[-2] - except: - os_version = "" - - if os_version[0:2] == "fc": - os_version = "Fedora" + os_version[2:] - elif os_version[0:2] == "el": - os_version = "RHEL" + os_version[2:] - else: - os_version = "" + with open('/etc/system-release') as f: + system_release = f.readline().rstrip() + except IOError: + system_release = "Misc" - return os_version + return system_release def reinit(): diff --git policycoreutils-2.6/sepolicy/sepolicy/communicate.py policycoreutils-2.6/sepolicy/sepolicy/communicate.py index b96c4b9..299316e 100755 --- policycoreutils-2.6/sepolicy/sepolicy/communicate.py +++ policycoreutils-2.6/sepolicy/sepolicy/communicate.py @@ -34,8 +34,8 @@ def usage(parser, msg): def expand_attribute(attribute): try: - return sepolicy.info(sepolicy.ATTRIBUTE, attribute)[0]["types"] - except RuntimeError: + return list(next(sepolicy.info(sepolicy.ATTRIBUTE, attribute))["types"]) + except StopIteration: return [attribute] diff --git policycoreutils-2.6/sepolicy/sepolicy/generate.py policycoreutils-2.6/sepolicy/sepolicy/generate.py index 65b33b6..ad59350 100644 --- policycoreutils-2.6/sepolicy/sepolicy/generate.py +++ policycoreutils-2.6/sepolicy/sepolicy/generate.py 
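Review bot: get_os_version now returns the raw first line of /etc/system-release or the literal `Misc`, whereas the removed code returned a normalised `Fedora<N>`/`RHEL<N>` token or an empty string; any caller comparing against those tokens (not visible here) needs the same update, and the function name no longer describes the value. A docstring stating the new contract, including the fallback, makes that explicit: `"""Return the first line of /etc/system-release, or "Misc" if it cannot be read."""`. The initial `system_release = ""` is dead since both branches of the try assign it, and opening the file with an explicit `encoding` avoids locale-dependent decoding on Python 3.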
@@ -31,21 +31,21 @@ import time import types import platform -from templates import executable -from templates import boolean -from templates import etc_rw -from templates import unit_file -from templates import var_cache -from templates import var_spool -from templates import var_lib -from templates import var_log -from templates import var_run -from templates import tmp -from templates import rw -from templates import network -from templates import script -from templates import spec -from templates import user +from .templates import executable +from .templates import boolean +from .templates import etc_rw +from .templates import unit_file +from .templates import var_cache +from .templates import var_spool +from .templates import var_lib +from .templates import var_log +from .templates import var_run +from .templates import tmp +from .templates import rw +from .templates import network +from .templates import script +from .templates import spec +from .templates import user import sepolgen.interfaces as interfaces import sepolgen.defaults as defaults @@ -92,7 +92,7 @@ def get_rpm_nvr_list(package): nvr = get_rpm_nvr_from_header(h) break except: - print("Failed to retrieve rpm info for %s") % package + print(("Failed to retrieve rpm info for %s") % package) nvr = None return nvr diff --git policycoreutils-2.6/sepolicy/sepolicy/gui.py policycoreutils-2.6/sepolicy/sepolicy/gui.py index 7f1888c..bc6c2b1 100644 --- policycoreutils-2.6/sepolicy/sepolicy/gui.py +++ policycoreutils-2.6/sepolicy/sepolicy/gui.py @@ -67,8 +67,14 @@ enabled = [_("No"), _("Yes")] action = [_("Disable"), _("Enable")] -def compare(a, b): - return cmp(a.lower(), b.lower()) +def cmp(a, b): + if a is None and b is None: + return 0 + if a is None: + return -1 + if b is None: + return 1 + return (a > b) - (a < b) import distutils.sysconfig ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<")) 
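Review bot: `print(("Failed to retrieve rpm info for %s") % package)` keeps a redundant inner pair of parentheses around the format string; the intent reads directly as `print("Failed to retrieve rpm info for %s" % package)`. get_rpm_nvr_list starts outside the hunk.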
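Review bot: The new module-level `cmp` re-creates the Python 2 builtin of the same name, so on Python 2 it shadows the builtin for the whole module and on Python 3 it presumably serves remaining `cmp(...)` call sites this commit does not show; a docstring should make the intent and the None ordering explicit: `"""Three-way compare that orders None before any value; stands in for Python 2's builtin cmp."""`. If the remaining callers are only sort comparisons, `functools.cmp_to_key` or a `key=` function would let the helper go away entirely.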
@@ -110,6 +116,7 @@ class SELinuxGui(): def __init__(self, app=None, test=False): self.finish_init = False + self.advanced_init = True self.opage = START_PAGE self.dbus = SELinuxDBus() try: @@ -118,17 +125,11 @@ class SELinuxGui(): print(e) self.quit() - sepolicy_domains = sepolicy.get_all_domains() - sepolicy_domains.sort(compare) - if app and app not in sepolicy_domains: - self.error(_("%s is not a valid domain" % app)) - self.quit() - self.init_cur() self.application = app self.filter_txt = "" builder = Gtk.Builder() # BUILDER OBJ - self.code_path = distutils.sysconfig.get_python_lib(plat_specific=True) + "/sepolicy/" + self.code_path = distutils.sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/" glade_file = self.code_path + "sepolicy.glade" builder.add_from_file(glade_file) self.outer_notebook = builder.get_object("outer_notebook") @@ -147,7 +148,7 @@ class SELinuxGui(): self.files_add = False self.network_add = False - self.all_list = [] + self.all_domains = [] self.installed_list = [] self.previously_modified = {} @@ -159,10 +160,10 @@ class SELinuxGui(): self.invalid_entry = False # Advanced search window **************************** self.advanced_search_window = builder.get_object("advanced_search_window") - self.advanced_search_liststore = builder.get_object("Advanced_search_liststore") - self.advanced_search_liststore.set_sort_column_id(0, Gtk.SortType.ASCENDING) self.advanced_search_filter = builder.get_object("advanced_filter") self.advanced_search_filter.set_visible_func(self.filter_the_data) + self.advanced_search_sort = builder.get_object("advanced_sort") + self.advanced_filter_entry = builder.get_object("advanced_filter_entry") self.advanced_search_treeview = builder.get_object("advanced_search_treeview") self.advanced_search = False 
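Review bot: `distutils.sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"` ties the glade lookup to where distutils believes pure-Python packages live, which is wrong whenever this package is installed anywhere else (a lib64 site-packages, a virtualenv, a non-default prefix) and is exactly what the flip from `plat_specific=True` is papering over. Since gui.py itself lives in the `sepolicy` package directory (per this diff's path), the data file can be located relative to the module: `self.code_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "")` and `glade_file = os.path.join(self.code_path, "sepolicy.glade")`. `__init__` starts and ends outside the hunk.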
@@ -431,12 +432,10 @@ class SELinuxGui(): # Combobox and Entry items ************************** self.combobox_menu = builder.get_object("combobox_org") # This is the combobox box object, aka the arrow next to the entry text bar - self.combobox_menu_model = builder.get_object("application_liststore") + self.application_liststore = builder.get_object("application_liststore") self.completion_entry = builder.get_object("completion_entry") # self.combobox_menu.get_child() - self.completion_entry_model = builder.get_object("application_liststore") self.entrycompletion_obj = builder.get_object("entrycompletion_obj") #self.entrycompletion_obj = Gtk.EntryCompletion() - self.entrycompletion_obj.set_model(self.completion_entry_model) self.entrycompletion_obj.set_minimum_key_length(0) self.entrycompletion_obj.set_text_column(0) self.entrycompletion_obj.set_match_func(self.match_func, None) 
@@ -491,37 +490,41 @@ class SELinuxGui(): self.loading = 1 path = None if test: - domains = ["httpd_t", "abrt_t"] - if app and app not in domains: - domains.append(app) + self.all_domains = ["httpd_t", "abrt_t"] + if app and app not in self.all_domains: + self.all_domains.append(app) else: - domains = sepolicy_domains - loading_gui.show() - length = len(domains) - for domain in domains: + self.all_domains = sepolicy.get_all_domains() + self.all_domains.sort(key=str.lower) + + if app and app not in self.all_domains: + self.error(_("%s is not a valid domain" % app)) + self.quit() + + loading_gui.show() + length = len(self.all_domains) + + entrypoint_dict = sepolicy.get_init_entrypoints_str() + for domain in self.all_domains: # After the user selects a path in the drop down menu call # get_init_entrypoint_target(entrypoint) to get the transtype # which will give you the application - self.combo_box_initialize(domain, None) - self.advanced_search_initialize(domain) - self.all_list.append(domain) + self.combo_box_add(domain, domain) self.percentage = float(float(self.loading) / float(length)) self.progress_bar.set_fraction(self.percentage) self.progress_bar.set_pulse_step(self.percentage) self.idle_func() - entrypoint = sepolicy.get_init_entrypoint(domain) - if entrypoint: + for entrypoint in entrypoint_dict.get(domain, []): path = sepolicy.find_entrypoint_path(entrypoint) if path: - self.combo_box_initialize(path, None) - # Adds all files entrypoint paths that exists on disc - # into the combobox - self.advanced_search_initialize(path) + self.combo_box_add(path, domain) self.installed_list.append(path) self.loading += 1 loading_gui.hide() + self.entrycompletion_obj.set_model(self.application_liststore) + self.advanced_search_treeview.set_model(self.advanced_search_sort) dic = { "on_combo_button_clicked": self.open_combo_menu, 
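Review bot: `self.error(_("%s is not a valid domain" % app))` formats the string before handing it to gettext, so the looked-up msgid is the already-substituted text rather than the template and the message can never be translated; the moved line should read `self.error(_("%s is not a valid domain") % app)`. The same inside-out formatting appears in the new tooltip line `_("Files by '%s' with transitions to a different label." % app)` in the hunk at `@@ -1066,9 +1065,9 @@`. Whether `self.quit()` terminates the process before the loading loop below runs is not visible here. `__init__` starts and ends outside the hunk.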
@@ -553,7 +556,7 @@ class SELinuxGui(): "on_file_equiv_button_clicked": self.show_file_equiv_page, "on_app/system_button_clicked": self.system_interface, "on_app/users_button_clicked": self.users_interface, - "on_main_advanced_label_button_press_event": self.advanced_label_main, + "on_show_advanced_search_window": self.on_show_advanced_search_window, "on_Show_mislabeled_files_toggled": self.show_mislabeled_files, "on_Browse_button_files_clicked": self.browse_for_files, @@ -569,8 +572,6 @@ class SELinuxGui(): "on_advanced_filter_entry_changed": self.get_advanced_filter_data, "on_advanced_search_treeview_row_activated": self.advanced_item_selected, "on_Select_advanced_search_clicked": self.advanced_item_button_push, - "on_All_advanced_button_toggled": self.advanced_radio_select, - "on_Installed_advanced_button_toggled": self.advanced_radio_select, "on_info_button_button_press_event": self.on_help_button, "on_back_button_clicked": self.on_help_back_clicked, "on_forward_button_clicked": self.on_help_forward_clicked, @@ -676,9 +677,9 @@ class SELinuxGui(): self.module_dict = {} for m in self.dbus.semodule_list().split("\n"): mod = m.split() - if len(mod) < 2: + if len(mod) < 3: continue - self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)} + self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) } self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"]) self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"]) @@ -711,7 +712,7 @@ class SELinuxGui(): def match_func(self, completion, key_string, iter, func_data): try: - if self.combobox_menu_model.get_value(iter, 0).find(key_string) != -1: + if self.application_liststore.get_value(iter, 0).find(key_string) != -1: return True return False except AttributeError: 
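Review bot: `self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) }` keys the dict by module name, so when the same module is present at more than one priority, which `--list=full` lists once per priority, whichever line comes last wins and its `Disabled` flag may belong to a shadowed instance rather than the active one; keeping the entry with the numerically highest `mod[0]` avoids that regardless of output order. The dict literal's spacing is also off PEP 8: `{"priority": mod[0], "Disabled": len(mod) > 3}`. The enclosing method starts and ends outside the hunk.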
@@ -834,8 +835,7 @@ class SELinuxGui(): self.enforce_button = self.disabled_button_default def populate_system_policy(self): - selinux_path = selinux.selinux_path() - types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0] + types = next(os.walk(selinux.selinux_path(), topdown=True))[1] types.sort() ctr = 0 for item in types: @@ -922,11 +922,11 @@ class SELinuxGui(): self.ready_mouse() def network_initialize(self, app): - netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect") + netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect", check_bools=True) self.net_update(app, netd, "tcp", OUTBOUND_PAGE, self.network_out_liststore) - netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind") + netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind", check_bools=True) self.net_update(app, netd, "tcp", INBOUND_PAGE, self.network_in_liststore) - netd = sepolicy.network.get_network_connect(app, "udp", "name_bind") + netd = sepolicy.network.get_network_connect(app, "udp", "name_bind", check_bools=True) self.net_update(app, netd, "udp", INBOUND_PAGE, self.network_in_liststore) def network_initial_data_insert(self, model, ports, portType, protocol): @@ -962,12 +962,12 @@ class SELinuxGui(): iter = liststore.get_iter(index) return liststore.get_value(iter, 0) - def combo_box_initialize(self, val, desc): + def combo_box_add(self, val, val1): if val is None: return - iter = self.combobox_menu_model.append() - for f in val: - self.combobox_menu_model.set_value(iter, 0, val) + iter = self.application_liststore.append() + self.application_liststore.set_value(iter, 0, val) + self.application_liststore.set_value(iter, 1, val1) def select_type_more(self, *args): app = self.moreTypes_treeview.get_selection() 
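Review bot: `next(os.walk(selinux.selinux_path(), topdown=True))[1]` raises StopIteration when the policy directory is missing or unreadable, because os.walk yields nothing for a path it cannot list; the removed `[0]` indexing raised IndexError in the same case, so the failure is not new, but the one-liner now has no visible handling. `next(os.walk(selinux.selinux_path()), (None, [], []))[1]` yields an empty list and lets the rest of the method produce an empty table instead, and `topdown=True` is the default and can be dropped. populate_system_policy continues outside the hunk.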
@@ -983,19 +983,18 @@ class SELinuxGui(): model, iter = row.get_selected() iter = model.convert_iter_to_child_iter(iter) iter = self.advanced_search_filter.convert_iter_to_child_iter(iter) - app = self.advanced_search_liststore.get_value(iter, 1) + app = self.application_liststore.get_value(iter, 1) if app is None: return self.advanced_filter_entry.set_text('') self.advanced_search_window.hide() self.reveal_advanced(self.main_advanced_label) self.completion_entry.set_text(app) - self.application_selected() def advanced_item_selected(self, treeview, path, *args): iter = self.advanced_search_filter.get_iter(path) iter = self.advanced_search_filter.convert_iter_to_child_iter(iter) - app = self.advanced_search_liststore.get_value(iter, 1) + app = self.application_liststore.get_value(iter, 1) self.advanced_filter_entry.set_text('') self.advanced_search_window.hide() self.reveal_advanced(self.main_advanced_label) @@ -1004,7 +1003,7 @@ class SELinuxGui(): def find_application(self, app): if app and len(app) > 0: - for items in self.combobox_menu_model: + for items in self.application_liststore: if app == items[0]: return True return False 
@@ -1066,9 +1065,9 @@ class SELinuxGui(): self.transitions_into_tab.set_label(_("Application Transitions Into '%s'" % app)) self.transitions_from_tab.set_label(_("Application Transitions From '%s'" % app)) self.transitions_file_tab.set_label(_("File Transitions From '%s'" % app)) - self.transitions_into_tab.set_tooltip_text(_("Executables which will transition to the '%s', when executing a selected domains entrypoint.") % app) - self.transitions_from_tab.set_tooltip_text(_("Executables which will transition to a different domain, when the '%s' executes them.") % app) - self.transitions_file_tab.set_tooltip_text(_("Files by '%s' will transitions to a different label." % app)) + self.transitions_into_tab.set_tooltip_text(_("Executables which will transition to '%s', when executing selected domains entrypoint.") % app) + self.transitions_from_tab.set_tooltip_text(_("Executables which will transition to a different domain, when '%s' executes them.") % app) + self.transitions_file_tab.set_tooltip_text(_("Files by '%s' with transitions to a different label." % app)) self.transitions_radio_button.set_tooltip_text(_("Display applications that can transition into or out of the '%s'." % app)) self.application = app 
@@ -1290,11 +1289,11 @@ class SELinuxGui(): niter = self.transitions_from_treestore.append(iter) # active[0][1] is either T or F (enabled is all the way at the top) self.transitions_from_treestore.set_value(iter, 0, enabled[active[0][1]]) - markup = '%s' + markup = ('','') if active[0][1]: - self.transitions_from_treestore.set_value(niter, 2, (_("To disable this transition, go to the " + markup % _("Boolean section.")))) + self.transitions_from_treestore.set_value(niter, 2, (_("To disable this transition, go to the %sBoolean section%s.") % markup)) else: - self.transitions_from_treestore.set_value(niter, 2, (_("To enable this transition, go to the " + markup % _("Boolean section.")))) + self.transitions_from_treestore.set_value(niter, 2, (_("To enable this transition, go to the %sBoolean section%s.") % markup)) # active[0][0] is the Bool Name self.transitions_from_treestore.set_value(niter, 1, active[0][0]) @@ -1377,8 +1376,8 @@ class SELinuxGui(): self.treeview = self.network_in_treeview category = _("listen for inbound connections") - self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category}) - self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category}) + self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) + self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category}) if self.transitions_radio_button.get_active(): 
@@ -1598,8 +1597,8 @@ class SELinuxGui():
 self.show_popup(self.login_popup_window)
 if self.opage == FILE_EQUIV_PAGE:
- self.file_equiv_source_entry.set_text(self.file_equiv_liststore.get_value(iter, 0))
- self.file_equiv_dest_entry.set_text(self.file_equiv_liststore.get_value(iter, 1))
+ self.file_equiv_source_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 0)))
+ self.file_equiv_dest_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 1)))
 self.file_equiv_label.set_text((_("Modify File Equivalency Mapping. Mapping will be created when update is applied.")))
 self.file_equiv_popup_window.set_title(_("Modify SELinux File Equivalency"))
 self.clear_entry = True
@@ -1635,7 +1634,7 @@ class SELinuxGui():
 self.files_type_combolist.clear()
 self.files_class_combolist.clear()
 compare = self.strip_domain(self.application)
- for d in self.completion_entry_model:
+ for d in self.application_liststore:
 if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"):
 exclude_list.append(self.strip_domain(d[0]))
@@ -1714,10 +1713,10 @@ class SELinuxGui():
 try:
 if ipage == OUTBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect", check_bools=True)
 elif ipage == INBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind")
- netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind", check_bools=True)
+ netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools=True)
 port_types = []
 for k in netd.keys():
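Review bot: In the INBOUND_PAGE branch of the `@@ -1714` hunk, `netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools=True)` adds two dicts together: the network.py hunk in this same diff builds and fills a plain `d = {}`, and the loop right below iterates `netd.keys()`, so `+=` raises TypeError unless that function returns something other than the dict it builds. Merging with `netd.update(sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools=True))` keeps the TCP entries and adds the UDP ones. The surrounding `try:` and its method begin outside the hunk, so whether a handler out of view swallows the error cannot be told from here.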
@@ -2550,34 +2549,7 @@ class SELinuxGui():
 self.network_mls_label.set_visible(advanced)
 self.network_mls_entry.set_visible(advanced)
- def advanced_search_initialize(self, path):
- try:
- if path[0] == '/':
- domain = sepolicy.get_init_transtype(path)
- else:
- domain = path
- except IndexError:
- return
- except OSError:
- return
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 0, path)
- self.advanced_search_liststore.set_value(iter, 1, domain)
- user_types = sepolicy.get_user_types()
- if domain in user_types + ['initrc_t']:
- return
-
- entrypoints = sepolicy.get_entrypoints(domain)
- # From entry_point = 0 to the number of keys in the dic
- for exe in entrypoints:
- if len(entrypoints[exe]):
- file_class = entrypoints[exe][1]
- for path in entrypoints[exe][0]:
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 1, domain)
- self.advanced_search_liststore.set_value(iter, 0, path)
-
- def advanced_label_main(self, label, *args):
+ def on_show_advanced_search_window(self, label, *args):
 if label.get_text() == ADVANCED_SEARCH_LABEL[1]:
 label.set_text(ADVANCED_SEARCH_LABEL[0])
 self.close_popup()
@@ -2585,33 +2557,18 @@ class SELinuxGui():
 label.set_text(ADVANCED_SEARCH_LABEL[1])
 self.show_popup(self.advanced_search_window)
- def advanced_radio_select(self, button):
- label = ""
- if button.get_active():
- label = button.get_label()
- if label == '':
- return
- self.advanced_search_liststore.clear()
- if label == "All":
- for items in self.all_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
- elif label == "Installed":
- if self.installed_list == []:
- return
- for items in self.installed_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
 def set_enforce_text(self, value):
 if value:
 self.status_bar.push(self.context_id, _("System Status: Enforcing"))
+ self.current_status_enforcing.set_active(True)
 else:
 self.status_bar.push(self.context_id, _("System Status: Permissive"))
- self.current_status_permissive.set_active(True)
+ self.current_status_permissive.set_active(True)
 def set_enforce(self, button):
+ if not self.finish_init:
+ return
+
 self.dbus.setenforce(button.get_active())
 self.set_enforce_text(button.get_active())
diff --git policycoreutils-2.6/sepolicy/sepolicy/interface.py policycoreutils-2.6/sepolicy/sepolicy/interface.py
index c2cb971..8956f39 100644
--- policycoreutils-2.6/sepolicy/sepolicy/interface.py
+++ policycoreutils-2.6/sepolicy/sepolicy/interface.py
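Review bot: `set_enforce` forwards `button.get_active()` straight to `self.dbus.setenforce`, and `set_enforce_text` now calls `set_active(True)` on whichever status radio button matches; if `set_enforce` is the toggled handler of both radio buttons (the signal wiring lives in the .glade file, not in view), the button being deactivated fires first with `get_active()` False, the mode is switched once for it and once for the activated button, and the `set_active(True)` call can re-enter the handler. Adding `if not button.get_active(): return` beside the new `finish_init` check makes the handler act only on the button the user selected and breaks the re-entry. The early return also deserves a why-comment, since it guards a privileged operation: `# ignore toggles emitted while the window is still being populated; they must not change the system's enforcing mode`.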
@@ -192,10 +192,13 @@ def generate_compile_te(interface, idict, name="compiletest"):
 def get_xml_file(if_file):
 """ Returns xml format of interfaces for given .if policy file"""
 import os
- import commands
+ try:
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
 basedir = os.path.dirname(if_file) + "/"
 filename = os.path.basename(if_file).split(".")[0]
- rc, output = commands.getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
+ rc, output = getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
 if rc != 0:
 sys.stderr.write("\n Could not proceed selected interface file.\n")
 sys.stderr.write("\n%s" % output)
@@ -208,7 +211,10 @@ def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"
 exclude_interfaces = ["userdom", "kernel", "corenet", "files", "dev"]
 exclude_interface_type = ["template"]
- import commands
+ try:
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
 import os
 policy_files = {'pp': "compiletest.pp", 'te': "compiletest.te", 'fc': "compiletest.fc", 'if': "compiletest.if"}
 idict = get_interface_dict(path)
@@ -219,7 +225,7 @@ def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"
 fd = open(policy_files['te'], "w")
 fd.write(generate_compile_te(interface, idict))
 fd.close()
- rc, output = commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
+ rc, output = getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
 if rc != 0:
 sys.stderr.write(output)
 sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
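Review bot: `getstatusoutput("python … segenxml.py -w -m %s" % basedir + filename)` in `get_xml_file` still hands a path derived from `if_file` to a shell, so a .if path containing spaces, quotes or `$(…)` is split or interpreted by the shell; the commit only swaps where `getstatusoutput` comes from. The expression also works by precedence accident: `%` binds before `+`, so `basedir` is substituted and `filename` appended afterwards. Running the tool with an argument list and no shell removes both problems, as shown below; the `make` call in the third hunk uses a fixed literal and is harmless, but `convert_manpage_to_html` in manpage.py's hunk (`"… %s 2>/dev/null" % manpage`) has the same shell-string shape. Both functions' bodies extend beyond their hunks.
```python
    import subprocess
    proc = subprocess.Popen(
        ["python", "/usr/share/selinux/devel/include/support/segenxml.py",
         "-w", "-m", basedir + filename],
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    output = proc.communicate()[0].decode("utf-8", "replace")
    rc = proc.returncode
    # … unchanged: rc != 0 error reporting …
```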
diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py
index 7365f93..9d54ab0 100755
--- policycoreutils-2.6/sepolicy/sepolicy/manpage.py
+++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py
@@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d
 import string
 import selinux
 import sepolicy
-import commands
 import os
 import time
-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
+typealias_types = {
+"antivirus_t":("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
+"cluster_t":("rgmanager_t", "corosync_t", "aisexec_t", "pacemaker_t"),
+"svirt_t":("qemu_t"),
+"httpd_t":("phpfpm_t"),
+}
+
+equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
 equiv_dirs = ["/var"]
 modules_dict = None
@@ -144,10 +150,6 @@ def prettyprint(f, trim):
 manpage_domains = []
 manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
-
 def get_alphabet_manpages(manpage_list):
 alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
 for i in string.ascii_letters:
@@ -162,7 +164,11 @@ def get_alphabet_manpages(manpage_list):
 def convert_manpage_to_html(html_manpage, manpage):
- rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
+ try:
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
+ rc, output = getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
 if rc == 0:
 print(html_manpage, "has been created")
 fd = open(html_manpage, 'w')
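Review bot: `"svirt_t":("qemu_t")` and `"httpd_t":("phpfpm_t")` in the new `typealias_types` dict are parenthesised strings, not one-element tuples; they need a trailing comma, `"svirt_t": ("qemu_t",),` and `"httpd_t": ("phpfpm_t",),`. As written, the `for t in typealias_types[domain_type]` loop added in the `@@ -519` hunk iterates over the characters of `"qemu_t"`, and `_typealias_gen_man` then strips two characters from each one-letter `t` and opens `<path>/_selinux.8` for writing. A one-line comment on the dict would also help the next reader: `# domain type -> process types that are now aliases of it; each alias gets a stub man page pointing at the domain's page`.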
@@ -173,7 +179,7 @@ def convert_manpage_to_html(html_manpage, manpage): class HTMLManPages: """ - Generate a HHTML Manpages on an given SELinux domains + Generate a HTML Manpages on an given SELinux domains """ def __init__(self, manpage_roles, manpage_domains, path, os_version): @@ -181,9 +187,9 @@ class HTMLManPages: self.manpage_domains = get_alphabet_manpages(manpage_domains) self.os_version = os_version self.old_path = path + "/" - self.new_path = self.old_path + self.os_version + "/" + self.new_path = self.old_path - if self.os_version in fedora_releases or rhel_releases: + if self.os_version: self.__gen_html_manpages() else: print("SELinux HTML man pages can not be generated for this %s" % os_version) @@ -192,7 +198,6 @@ class HTMLManPages: def __gen_html_manpages(self): self._write_html_manpage() self._gen_index() - self._gen_body() self._gen_css() def _write_html_manpage(self): @@ -210,67 +215,21 @@ class HTMLManPages: convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r) def _gen_index(self): - index = self.old_path + "index.html" - fd = open(index, 'w') - fd.write(""" - - - - SELinux man pages online - - -

SELinux man pages

-

-Fedora or Red Hat Enterprise Linux Man Pages. -

-
-

Fedora

- - -
-
-
-""")
-        for f in fedora_releases:
-            fd.write("""
-%s - SELinux man pages for %s """ % (f, f, f, f))
-
-        fd.write("""
-
-
-

RHEL

- - -
-
-
-""")
-        for r in rhel_releases:
-            fd.write("""
-%s - SELinux man pages for %s """ % (r, r, r, r))
-
-        fd.write("""
-
- """) - fd.close() - print("%s has been created") % index - - def _gen_body(self): html = self.new_path + self.os_version + ".html" fd = open(html, 'w') fd.write(""" - - Linux man-pages online for Fedora18 + + SELinux man pages -

SELinux man pages for Fedora18

+

SELinux man pages for %s


SELinux roles

-""") +""" % self.os_version) for letter in self.manpage_roles: if len(self.manpage_roles[letter]): fd.write(""" @@ -501,6 +460,7 @@ class ManPage: self._booleans() self._port_types() + self._mcs_types() self._writes() self._footer() @@ -519,11 +479,22 @@ class ManPage: self._get_ptypes() for domain_type in self.ptypes: + try: + if typealias_types[domain_type]: + fd = self.fd + man_page_path = self.man_page_path + for t in typealias_types[domain_type]: + self._typealias_gen_man(t) + self.fd = fd + self.man_page_path = man_page_path + except KeyError: + continue; self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"] self._header() self._entrypoints() self._process_types() + self._mcs_types() self._booleans() self._nsswitch_domain() self._port_types() 
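Review bot: `_gen_index` now writes `self.new_path + self.os_version + ".html"` (the file the removed `_gen_body` used to produce) and no longer creates an `index.html`, so the method name no longer describes its output. Renaming it to `_gen_body`, or giving it a docstring such as `"""Write <os_version>.html, the page that lists the generated role and domain man pages."""`, keeps the name from misleading anyone who looks for the index writer. The hunk spans the whole `_gen_index` rewrite, but the method's remaining body continues past it.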
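Review bot: `except KeyError: continue;` in the `@@ -519` hunk skips the rest of the loop body — including the unchanged `self.attributes[domain_type] = …` line that follows — for every `domain_type` without an entry in `typealias_types`, which is every type except the four keys defined above; `self.attributes` is then left unset for those types, and anything that later indexes it by process type would fail. The alias handling should be a no-op for unaliased types, which a `dict.get` achieves without any `try`/`except` (and without the stray `;`), as shown below. `_typealias_gen_man` also resets `self.ports` and `self.booltext` while only `fd` and `man_page_path` are restored afterwards; worth confirming that the later sections of the main page do not depend on those two attributes.
```python
        for domain_type in self.ptypes:
            aliases = typealias_types.get(domain_type, ())
            if aliases:
                fd = self.fd
                man_page_path = self.man_page_path
                for t in aliases:
                    self._typealias_gen_man(t)
                self.fd = fd
                self.man_page_path = man_page_path
            # … unchanged: attribute lookup and the section-writing calls …
```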
@@ -537,6 +508,34 @@ class ManPage: if f.startswith(self.short_name) or f.startswith(self.domainname): self.ptypes.append(f) + def _typealias_gen_man(self, t): + self.man_page_path = "%s/%s_selinux.8" % (self.path, t[:-2]) + self.ports = [] + self.booltext = "" + self.fd = open(self.man_page_path, 'w') + self._typealias(t[:-2]) + self._footer() + self.fd.close() + + def _typealias(self,typealias): + self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"' + % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")}) + self.fd.write(r""" +.SH "NAME" +%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes +.SH "DESCRIPTION" + +%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type (%(domainname)s_t). +""" % {'typealias':typealias, 'domainname':self.domainname}) + + self.fd.write(r""" +Please see + +.B %(domainname)s_selinux + +man page for more details. +""" % {'domainname':self.domainname}) + def _header(self): self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"' % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")}) @@ -686,10 +685,13 @@ Default Defined Ports:""") def _file_context(self): flist = [] + flist_non_exec = [] mpaths = [] for f in self.all_file_types: if f.startswith(self.domainname): flist.append(f) + if not file_type_is_executable(f) or not file_type_is_entrypoint(f): + flist_non_exec.append(f) if f in self.fcdict: mpaths = mpaths + self.fcdict[f]["regex"] if len(mpaths) == 0: 
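Review bot: `_typealias_gen_man` derives the alias man page name with `t[:-2]`, silently assuming every alias ends in `_t`; an entry without that suffix would yield a truncated name rather than an error. Either `t[:-2] if t.endswith("_t") else t` or a comment, `# aliases are process types, so drop the "_t" suffix for the man page name`, makes the assumption explicit. The file is opened into `self.fd` without a context manager, so an exception in `_typealias` or `_footer` leaves it open; `with open(self.man_page_path, 'w') as self.fd:` around the two write calls closes it on every path.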
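Review bot: `if not file_type_is_executable(f) or not file_type_is_entrypoint(f):` in the `@@ -686` hunk admits any type that fails either test, so an executable type that is not an entrypoint lands in `flist_non_exec`; given the list's name and its use as the example content label in the `@@ -741` hunk (`flist_non_exec[-1]` in the `semanage fcontext -a -t …` line), the intent looks like "neither executable nor entrypoint", i.e. `if not (file_type_is_executable(f) or file_type_is_entrypoint(f)):`. Worth confirming against the two helpers, which are defined outside the hunk. `_file_context` continues beyond the hunk.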
@@ -741,19 +743,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .PP """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]}) - self.fd.write(r""" + if flist_non_exec: + self.fd.write(r""" .PP .B STANDARD FILE CONTEXT SELinux defines the file context types for the %(domainname)s, if you wanted to store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. -.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?' +.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?' .br .B restorecon -R -v /srv/my%(domainname)s_content Note: SELinux often uses regular expressions to specify labels that match multiple files. -""" % {'domainname': self.domainname, "type": flist[0]}) +""" % {'domainname': self.domainname, "type": flist_non_exec[-1]}) self.fd.write(r""" .I The following file types are defined for %(domainname)s: 
@@ -920,6 +923,17 @@ All executeables with the default executable label, usually stored in /usr/bin a self.fd.write(""" %s""" % ", ".join(paths)) + def _mcs_types(self): + attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"] + if "mcs_constrained_type" not in attributes: + return + self.fd.write (""" +.SH "MCS Constrained" +The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group. + +For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4 +""" % {'type': self.domainname}) + def _writes(self): permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'}) if permlist is None or len(permlist) == 0: @@ -1156,7 +1170,7 @@ Three things can happen when %(type)s attempts to execute a program. Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: -.B search -A -s %(type)s -c file -p execute_no_trans +.B sesearch -A -s %(type)s -c file -p execute_no_trans .TP @@ -1164,7 +1178,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut Execute the following to see the types that the SELinux user %(type)s can execute and transition: -.B $ search -A -s %(type)s -c process -p transition +.B $ sesearch -A -s %(type)s -c process -p transition """ % {'user': self.domainname, 'type': self.type}) 
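Review bot: The man-page text emitted by `_mcs_types` contains `The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0.`, which is ungrammatical in every generated page; `The SELinux kernel only allows these processes to write to content with a matching MCS label, or with the MCS label s0.` says the same thing. The lookup `sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]` wraps `self.type` in parentheses that form no tuple and can be dropped. The method would also benefit from a leading comment: `# emit the MCS Constrained section only for types carrying the mcs_constrained_type attribute`.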
diff --git policycoreutils-2.6/sepolicy/sepolicy/network.py policycoreutils-2.6/sepolicy/sepolicy/network.py
index c4d95da..115f6b8 100755
--- policycoreutils-2.6/sepolicy/sepolicy/network.py
+++ policycoreutils-2.6/sepolicy/sepolicy/network.py
@@ -23,20 +23,20 @@ import sepolicy
-def get_types(src, tclass, perm):
+def get_types(src, tclass, perm, check_bools=False):
 allows = sepolicy.search([sepolicy.ALLOW], {sepolicy.SOURCE: src, sepolicy.CLASS: tclass, sepolicy.PERMS: perm})
 nlist = []
 if allows:
- for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
+ for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"]), allows)):
 if i not in nlist:
 nlist.append(i)
 return nlist
-def get_network_connect(src, protocol, perm):
+def get_network_connect(src, protocol, perm, check_bools=False):
 portrecs, portrecsbynum = sepolicy.gen_port_dict()
 d = {}
- tlist = get_types(src, "%s_socket" % protocol, [perm])
+ tlist = get_types(src, "%s_socket" % protocol, [perm], check_bools)
 if len(tlist) > 0:
 d[(src, protocol, perm)] = []
 for i in tlist:
diff --git policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade
index 1275c7f..8f6ad65 100644
--- policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade
+++ policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade
@@ -2,7 +2,7 @@ - +
@@ -82,7 +82,7 @@ - + True
@@ -225,7 +225,7 @@ - Advanced_search_liststore + application_liststore advanced_filter
@@ -256,24 +256,6 @@ application_files_filter - - - - - - - - application_liststore - - - application_filter - - - - - - -
@@ -473,7 +455,7 @@ False 0 10 - Add file Equivilence Mapping. Mapping will be created when Update is applied. + Add file Equivalence Mapping. Mapping will be created when Update is applied. fill True
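Review bot: `x["enabled"]` is the only literal key in a filter that otherwise uses the `sepolicy.SOURCE`/`sepolicy.TARGET`/`sepolicy.PERMS` constants, and it raises KeyError for any rule dict that lacks the key; if unconditional rules come back without it, every `check_bools=True` caller (the GUI hunks earlier in this diff) fails. `x.get("enabled", True)` treats a rule with no boolean as enabled, which is what the flag means. With the default `check_bools=False` the function keeps listing rules that a boolean has currently switched off as if they were allowed, so a docstring on `get_types` should say so: `"""Return the target types src may access with perm on tclass; with check_bools, drop rules a boolean currently disables."""`. `get_network_connect`'s body continues past the hunk.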
@@ -823,7 +805,7 @@ True True False - Select Make Path Recursive iff you want to apply this label to all children of the specified directory path. objects under the directory to have this label. + Select Make Path Recursive if you want to apply this label to all children of the specified directory path. objects under the directory to have this label. 0.5 True @@ -1061,7 +1043,7 @@ True False - images/booleans.png + help/booleans.png False @@ -2948,7 +2930,7 @@ Enabled Executables which will transition to a different domain, when the 'selected domain' executes them. 1 1 - Applicaton Transitions From 'select domain' + Application Transitions From 'select domain' 1 @@ -3909,7 +3891,7 @@ allow alternative access control. True True False - An permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed. + A permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed. 0 True enable_permissive 
@@ -3926,7 +3908,7 @@ allow alternative access control. True True False - An permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed. + A permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed. 0 True True @@ -3989,7 +3971,7 @@ allow alternative access control. True True False - An permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed. + A permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed. 0 True True @@ -4328,46 +4310,7 @@ allow alternative access control. 0 - - - All - True - True - False - 0.5 - True - True - - - - True - True - 1 - - - - - Installed - True - True - False - 0.5 - True - All_advanced_button - - - - True - True - 2 - - - - False - True - 0 - @@ -4377,7 +4320,6 @@ allow alternative access control. True True - advanced_sort False 
@@ -4788,7 +4730,7 @@ allow alternative access control. False 0 10 - Select file equivalence labeling to delete.File equivalence labeling will be deleted when update is applied. + Select file equivalence labeling to delete. File equivalence labeling will be deleted when update is applied. fill True diff --git policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py index 4b9534d..f267993 100644 --- policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py +++ policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py @@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles; type TEMPLATETYPE_t; type TEMPLATETYPE_exec_t; application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t) +role TEMPLATETYPE_roles types TEMPLATETYPE_t; permissive TEMPLATETYPE_t; """ @@ -219,7 +220,7 @@ if_program_rules=""" ######################################## ## -## Execute TEMPLATE in the TEMPLATETYPE domin. +## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain. ## ## ## @@ -235,6 +236,25 @@ interface(`TEMPLATETYPE_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t) ') + +###################################### +## +## Execute TEMPLATETYPE in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`TEMPLATETYPE_exec',` + gen_require(` + type TEMPLATETYPE_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, TEMPLATETYPE_exec_t) +') """ if_user_program_rules=""" @@ -418,8 +438,12 @@ interface(`TEMPLATETYPE_admin',` if_middle_admin=""" ') - allow $1 TEMPLATETYPE_t:process { ptrace signal_perms }; + allow $1 TEMPLATETYPE_t:process { signal_perms }; ps_process_pattern($1, TEMPLATETYPE_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 TEMPLATETYPE_t:process ptrace; + ') """ if_initscript_admin_types="""
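Review bot: The `deny_ptrace` split in the `@@ -418` hunk of executable.py moves ptrace out of the unconditional `allow $1 TEMPLATETYPE_t:process { signal_perms };`, but the generated `.if` gives no hint why the admin interface now grants it only conditionally; a comment inside the template string, `# ptrace of TEMPLATETYPE_t by the admin domain is gated on the deny_ptrace boolean so hardened systems can switch it off`, would explain the shape to readers of the emitted policy. The `TEMPLATETYPE_exec` interface added in the `@@ -235` hunk follows the existing interface layout and needs nothing further. The `if_middle_admin` string opens at the top of the hunk and the file continues past it.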