7f6f58266d
- Make sepolgen set error exit code when partial failure - audit2why now checks booleans for avc diagnosis
496 lines
15 KiB
Diff
496 lines
15 KiB
Diff
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.34/audit2allow/audit2allow
|
|
--- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400
|
|
+++ policycoreutils-2.0.34/audit2allow/audit2allow 2007-12-19 06:05:50.000000000 -0500
|
|
@@ -60,7 +60,9 @@
|
|
parser.add_option("-o", "--output", dest="output",
|
|
help="append output to <filename>, conflicts with -M")
|
|
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
|
|
- default=False, help="generate refpolicy style output")
|
|
+ default=True, help="generate refpolicy style output")
|
|
+ parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
|
|
+ default=False, help="do not generate refpolicy style output")
|
|
parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
|
|
default=False, help="explain generated output")
|
|
parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.34/audit2allow/audit2allow.1
|
|
--- nsapolicycoreutils/audit2allow/audit2allow.1 2007-07-16 14:20:41.000000000 -0400
|
|
+++ policycoreutils-2.0.34/audit2allow/audit2allow.1 2007-12-19 06:05:50.000000000 -0500
|
|
@@ -65,8 +65,11 @@
|
|
.B "\-r" | "\-\-requires"
|
|
Generate require output syntax for loadable modules.
|
|
.TP
|
|
+.B "\-N" | "\-\-noreference"
|
|
+Do not generate reference policy, traditional style allow rules.
|
|
+.TP
|
|
.B "\-R" | "\-\-reference"
|
|
-Generate reference policy using installed macros. Requires the selinux-policy-devel package.
|
|
+Generate reference policy using installed macros.Default
|
|
.TP
|
|
.B "\-t " | "\-\-tefile"
|
|
Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.34/audit2allow/sepolgen-ifgen
|
|
--- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2007-07-16 14:20:41.000000000 -0400
|
|
+++ policycoreutils-2.0.34/audit2allow/sepolgen-ifgen 2007-12-20 14:19:50.000000000 -0500
|
|
@@ -80,7 +80,10 @@
|
|
if_set.to_file(f)
|
|
f.close()
|
|
|
|
- return 0
|
|
+ if refparser.success:
|
|
+ return 0
|
|
+ else:
|
|
+ return 1
|
|
|
|
if __name__ == "__main__":
|
|
sys.exit(main())
|
|
Binary files nsapolicycoreutils/audit2why/audit2why and policycoreutils-2.0.34/audit2why/audit2why differ
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.34/audit2why/audit2why.c
|
|
--- nsapolicycoreutils/audit2why/audit2why.c 2007-07-16 14:20:41.000000000 -0400
|
|
+++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-20 11:04:10.000000000 -0500
|
|
@@ -22,27 +22,151 @@
|
|
exit(rc);
|
|
}
|
|
|
|
+struct bool_t {
|
|
+ const sepol_bool_t * boolean;
|
|
+ char *name;
|
|
+ int active;
|
|
+};
|
|
+
|
|
+static struct bool_t **boollist = NULL;
|
|
+static int boolcnt = 0;
|
|
+
|
|
+struct access_t {
|
|
+ sepol_handle_t *handle;
|
|
+ sepol_policydb_t *policydb;
|
|
+ sepol_security_id_t ssid;
|
|
+ sepol_security_id_t tsid;
|
|
+ sepol_security_class_t tclass;
|
|
+ sepol_access_vector_t av;
|
|
+};
|
|
+
|
|
+static int load_booleans (const sepol_bool_t * boolean,
|
|
+ void *arg __attribute__ ((__unused__)) ) {
|
|
+ boollist[boolcnt] = (struct bool_t *) malloc(sizeof (struct bool_t));
|
|
+ boollist[boolcnt]->boolean = boolean;
|
|
+ boollist[boolcnt]->name = strdup(sepol_bool_get_name(boolean));
|
|
+ boollist[boolcnt]->active = sepol_bool_get_value(boolean);
|
|
+ boolcnt++;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int check_booleans (struct access_t *access) {
|
|
+ struct sepol_av_decision avd;
|
|
+ unsigned int reason;
|
|
+ int rc;
|
|
+ int i;
|
|
+ sepol_bool_key_t *key=NULL;
|
|
+ int fcnt = 0;
|
|
+ int *foundlist = calloc(boolcnt, sizeof(int));
|
|
+ if (!foundlist) {
|
|
+ fprintf(stderr,
|
|
+ "Out of memory.\n");
|
|
+ return -1;
|
|
+ }
|
|
+ for (i=0; i < boolcnt; i++) {
|
|
+ char *name = boollist[i]->name;
|
|
+ int active = boollist[i]->active;
|
|
+ sepol_bool_t * boolean = (sepol_bool_t *) boollist[i]->boolean;
|
|
+ rc = sepol_bool_key_create(access->handle,
|
|
+ name,
|
|
+ &key);
|
|
+ if (rc < 0) {
|
|
+ fprintf(stderr,
|
|
+ "Could not create boolean key.\n");
|
|
+ rc = -1;
|
|
+ break;
|
|
+ }
|
|
+ sepol_bool_set_value(boolean, !active);
|
|
+
|
|
+ rc = sepol_bool_set(access->handle,
|
|
+ access->policydb,
|
|
+ key,
|
|
+ boolean);
|
|
+ if (rc < 0) {
|
|
+ fprintf(stderr,
|
|
+ "Could not set boolean data %s.\n", name);
|
|
+ rc = -1;
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ /* Reproduce the computation. */
|
|
+ rc = sepol_compute_av_reason(access->ssid, access->tsid, access->tclass, access->av, &avd, &reason);
|
|
+ if (rc < 0) {
|
|
+ fprintf(stderr,
|
|
+ "Error during access vector computation, skipping...\n");
|
|
+ rc = -1;
|
|
+ break;
|
|
+ } else {
|
|
+ if (!reason) {
|
|
+ foundlist[fcnt] = i;
|
|
+ fcnt++;
|
|
+ rc = 0;
|
|
+ }
|
|
+ sepol_bool_set_value((sepol_bool_t*)boolean, active);
|
|
+ rc = sepol_bool_set(access->handle,
|
|
+ access->policydb,
|
|
+ key,
|
|
+ (sepol_bool_t*) boolean);
|
|
+ if (rc < 0) {
|
|
+ fprintf(stderr,
|
|
+ "Could not set boolean data %s.\n", name);
|
|
+ rc = -1;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ sepol_bool_key_free(key);
|
|
+ key=NULL;
|
|
+ }
|
|
+ if (key)
|
|
+ sepol_bool_key_free(key);
|
|
+
|
|
+ if (fcnt > 0) {
|
|
+ printf("\tA boolean being set incorrectly.\n");
|
|
+ for (i = 0; i < fcnt; i++) {
|
|
+ int ctr = foundlist[i];
|
|
+ char *name = boollist[ctr]->name;
|
|
+ int active = boollist[ctr]->active;
|
|
+ printf("\n\tBoolean %s is %d.\n\tExecute the following to allow access:\n", name, active);
|
|
+ printf("\t# setsebool -P %s %d\n", name, !active);
|
|
+ }
|
|
+ }
|
|
+
|
|
+ free(foundlist);
|
|
+ return rc;
|
|
+}
|
|
+
|
|
+
|
|
int main(int argc, char **argv)
|
|
{
|
|
char path[PATH_MAX];
|
|
char *buffer = NULL, *bufcopy = NULL;
|
|
- unsigned int lineno = 0;
|
|
+ unsigned int lineno = 0, cnt;
|
|
size_t len = 0, bufcopy_len = 0;
|
|
- FILE *fp;
|
|
+ FILE *fp, *avcp=stdin;
|
|
int opt, rc, set_path = 0;
|
|
char *p, *scon, *tcon, *tclassstr, *permstr;
|
|
sepol_security_id_t ssid, tsid;
|
|
sepol_security_class_t tclass;
|
|
sepol_access_vector_t perm, av;
|
|
+ struct access_t access;
|
|
struct sepol_av_decision avd;
|
|
unsigned int reason;
|
|
int vers = 0;
|
|
sidtab_t sidtab;
|
|
policydb_t policydb;
|
|
struct policy_file pf;
|
|
-
|
|
- while ((opt = getopt(argc, argv, "p:?h")) > 0) {
|
|
+
|
|
+ while ((opt = getopt(argc, argv, "i:p:?h")) > 0) {
|
|
switch (opt) {
|
|
+ case 'i':
|
|
+ avcp = fopen(optarg, "r");
|
|
+ if (!avcp) {
|
|
+ fprintf(stderr, "%s: unable to open %s: %s\n",
|
|
+ argv[0], path, strerror(errno));
|
|
+ exit(1);
|
|
+ }
|
|
+ break;
|
|
+
|
|
case 'p':
|
|
set_path = 1;
|
|
strncpy(path, optarg, PATH_MAX);
|
|
@@ -110,7 +234,6 @@
|
|
}
|
|
fclose(fp);
|
|
sepol_set_policydb(&policydb);
|
|
-
|
|
if (!set_path) {
|
|
/* If they didn't specify a full path of a binary policy file,
|
|
then also try loading any boolean settings and user
|
|
@@ -125,6 +248,30 @@
|
|
(void)sepol_genusers_policydb(&policydb, selinux_users_path());
|
|
}
|
|
|
|
+ access.handle = sepol_handle_create();
|
|
+ access.policydb = (sepol_policydb_t *) &policydb,
|
|
+
|
|
+ rc = sepol_bool_count(access.handle,
|
|
+ access.policydb,
|
|
+ &cnt);
|
|
+ if (rc < 0) {
|
|
+ fprintf(stderr, "%s: unable to get bool count\n", argv[0]);
|
|
+ exit(1);
|
|
+ }
|
|
+
|
|
+ boollist = calloc(cnt, sizeof(struct bool_t));
|
|
+ if (!boollist) {
|
|
+ fprintf(stderr, "%s: Out of memory\n", argv[0]);
|
|
+ exit(1);
|
|
+ }
|
|
+
|
|
+
|
|
+ sepol_bool_iterate(access.handle,
|
|
+ (const sepol_policydb_t *) &policydb,
|
|
+ load_booleans,
|
|
+ (void *)NULL);
|
|
+
|
|
+
|
|
/* Initialize the sidtab for subsequent use by sepol_context_to_sid
|
|
and sepol_compute_av_reason. */
|
|
rc = sepol_sidtab_init(&sidtab);
|
|
@@ -135,8 +282,10 @@
|
|
sepol_set_sidtab(&sidtab);
|
|
|
|
/* Process the audit messages. */
|
|
- while (getline(&buffer, &len, stdin) > 0) {
|
|
+ while (getline(&buffer, &len, avcp) > 0) {
|
|
size_t len2 = strlen(buffer);
|
|
+ char *begin, *end, *search_buf;
|
|
+ int slen = 0;
|
|
|
|
if (buffer[len2 - 1] == '\n')
|
|
buffer[len2 - 1] = 0;
|
|
@@ -179,6 +328,7 @@
|
|
}
|
|
*p++ = 0;
|
|
|
|
+ search_buf = p;
|
|
/* Get scontext and convert to SID. */
|
|
while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1))
|
|
p++;
|
|
@@ -188,11 +338,14 @@
|
|
continue;
|
|
}
|
|
p += sizeof(SCONTEXT) - 1;
|
|
- scon = p;
|
|
+ begin = p;
|
|
while (*p && !isspace(*p))
|
|
p++;
|
|
- if (*p)
|
|
- *p++ = 0;
|
|
+ end = p;
|
|
+ slen=end - begin;
|
|
+ scon = calloc(slen+1, 1);
|
|
+ strncpy(scon, begin, slen);
|
|
+
|
|
rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
|
|
if (rc < 0) {
|
|
fprintf(stderr,
|
|
@@ -201,6 +354,10 @@
|
|
continue;
|
|
}
|
|
|
|
+ free(scon);
|
|
+ /* start searching at the beginning again */
|
|
+ p = search_buf;
|
|
+
|
|
/* Get tcontext and convert to SID. */
|
|
while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1))
|
|
p++;
|
|
@@ -210,11 +367,15 @@
|
|
continue;
|
|
}
|
|
p += sizeof(TCONTEXT) - 1;
|
|
- tcon = p;
|
|
+
|
|
+ begin = p;
|
|
while (*p && !isspace(*p))
|
|
p++;
|
|
- if (*p)
|
|
- *p++ = 0;
|
|
+ end = p;
|
|
+ slen=end - begin;
|
|
+ tcon = calloc(slen+1, 1);
|
|
+ strncpy(tcon, begin, slen);
|
|
+
|
|
rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
|
|
if (rc < 0) {
|
|
fprintf(stderr,
|
|
@@ -222,6 +383,9 @@
|
|
TCONTEXT, tcon, lineno);
|
|
continue;
|
|
}
|
|
+ free(tcon);
|
|
+ /* start searching at the beginning again */
|
|
+ p = search_buf;
|
|
|
|
/* Get tclass= and convert to value. */
|
|
while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1))
|
|
@@ -232,12 +396,17 @@
|
|
continue;
|
|
}
|
|
p += sizeof(TCLASS) - 1;
|
|
- tclassstr = p;
|
|
+ begin = p;
|
|
while (*p && !isspace(*p))
|
|
p++;
|
|
- if (*p)
|
|
- *p = 0;
|
|
+
|
|
+ end = p;
|
|
+ slen=end - begin;
|
|
+ tclassstr = calloc(slen+1, 1);
|
|
+ strncpy(tclassstr, begin, slen);
|
|
+
|
|
tclass = string_to_security_class(tclassstr);
|
|
+ free(tclassstr);
|
|
if (!tclass) {
|
|
fprintf(stderr,
|
|
"Invalid %s%s on line %u, skipping...\n",
|
|
@@ -286,11 +455,16 @@
|
|
}
|
|
|
|
if (reason & SEPOL_COMPUTEAV_TE) {
|
|
- printf("\t\tMissing or disabled TE allow rule.\n");
|
|
- printf
|
|
- ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n");
|
|
- printf
|
|
- ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
|
|
+ access.ssid = ssid;
|
|
+ access.tsid = tsid;
|
|
+ access.tclass = tclass;
|
|
+ access.av = av;
|
|
+
|
|
+ if (check_booleans(&access) < 0) {
|
|
+ printf("\t\tMissing or disabled TE allow rule.\n");
|
|
+ printf
|
|
+ ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
|
|
+ }
|
|
}
|
|
|
|
if (reason & SEPOL_COMPUTEAV_CONS) {
|
|
@@ -309,5 +483,8 @@
|
|
}
|
|
free(buffer);
|
|
free(bufcopy);
|
|
+ if (avcp != stdin)
|
|
+ fclose(avcp);
|
|
+
|
|
exit(0);
|
|
}
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.34/Makefile
|
|
--- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500
|
|
+++ policycoreutils-2.0.34/Makefile 2007-12-19 06:06:04.000000000 -0500
|
|
@@ -1,4 +1,4 @@
|
|
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
|
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
|
|
|
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.34/restorecond/restorecond.c
|
|
--- nsapolicycoreutils/restorecond/restorecond.c 2007-07-16 14:20:41.000000000 -0400
|
|
+++ policycoreutils-2.0.34/restorecond/restorecond.c 2007-12-19 06:05:50.000000000 -0500
|
|
@@ -210,9 +210,10 @@
|
|
}
|
|
|
|
if (fsetfilecon(fd, scontext) < 0) {
|
|
- syslog(LOG_ERR,
|
|
- "set context %s->%s failed:'%s'\n",
|
|
- filename, scontext, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR,
|
|
+ "set context %s->%s failed:'%s'\n",
|
|
+ filename, scontext, strerror(errno));
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
free(scontext);
|
|
@@ -225,8 +226,9 @@
|
|
if (retcontext >= 0)
|
|
free(prev_context);
|
|
} else {
|
|
- syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
- filename, strerror(errno));
|
|
+ if (errno != EOPNOTSUPP)
|
|
+ syslog(LOG_ERR, "get context on %s failed: '%s'\n",
|
|
+ filename, strerror(errno));
|
|
}
|
|
free(scontext);
|
|
close(fd);
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.34/scripts/chcat
|
|
--- nsapolicycoreutils/scripts/chcat 2007-08-23 16:52:26.000000000 -0400
|
|
+++ policycoreutils-2.0.34/scripts/chcat 2007-12-19 06:05:50.000000000 -0500
|
|
@@ -25,10 +25,6 @@
|
|
import commands, sys, os, pwd, string, getopt, selinux
|
|
import seobject
|
|
import gettext
|
|
-import codecs
|
|
-import locale
|
|
-sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace')
|
|
-sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
|
|
|
|
try:
|
|
gettext.install('policycoreutils')
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.34/semanage/semanage
|
|
--- nsapolicycoreutils/semanage/semanage 2007-10-05 13:09:53.000000000 -0400
|
|
+++ policycoreutils-2.0.34/semanage/semanage 2007-12-19 06:05:50.000000000 -0500
|
|
@@ -1,5 +1,5 @@
|
|
#! /usr/bin/python -E
|
|
-# Copyright (C) 2005 Red Hat
|
|
+# Copyright (C) 2005, 2006, 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# semanage is a tool for managing SELinux configuration files
|
|
@@ -28,10 +28,6 @@
|
|
import gettext
|
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
|
gettext.textdomain(PROGNAME)
|
|
-import codecs
|
|
-import locale
|
|
-sys.stderr = codecs.getwriter(locale.getpreferredencoding())(sys.__stderr__, 'replace')
|
|
-sys.stdout = codecs.getwriter(locale.getpreferredencoding())(sys.__stdout__, 'replace')
|
|
|
|
try:
|
|
gettext.install(PROGNAME,
|
|
@@ -115,7 +111,7 @@
|
|
valid_option["translation"] = []
|
|
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
|
|
valid_option["boolean"] = []
|
|
- valid_option["boolean"] += valid_everyone
|
|
+ valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
|
|
return valid_option
|
|
|
|
#
|
|
@@ -135,7 +131,7 @@
|
|
seuser = ""
|
|
prefix = ""
|
|
heading=1
|
|
-
|
|
+ value=0
|
|
add = 0
|
|
modify = 0
|
|
delete = 0
|
|
@@ -154,7 +150,7 @@
|
|
args = sys.argv[2:]
|
|
|
|
gopts, cmds = getopt.getopt(args,
|
|
- 'adf:lhmnp:s:CDR:L:r:t:T:P:S:',
|
|
+ '01adf:lhmnp:s:CDR:L:r:t:T:P:S:',
|
|
['add',
|
|
'delete',
|
|
'deleteall',
|
|
@@ -164,6 +160,8 @@
|
|
'modify',
|
|
'noheading',
|
|
'localist',
|
|
+ 'off',
|
|
+ 'on',
|
|
'proto=',
|
|
'seuser=',
|
|
'store=',
|
|
@@ -242,6 +240,11 @@
|
|
if o == "-T" or o == "--trans":
|
|
setrans = a
|
|
|
|
+ if o == "--on" or o == "-1":
|
|
+ value = 1
|
|
+ if o == "-off" or o == "-0":
|
|
+ value = 0
|
|
+
|
|
if object == "login":
|
|
OBJECT = seobject.loginRecords(store)
|
|
|