rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity
eef44bd006
policycoreutils/policycoreutils-sepolgen.patch
Dan Walsh eef44bd006 Additional changes for bash completsion and generate man page to match the w 
-  Add newtype as a new qualifier to sepolicy generate.  This new mechanism wil
-  a policy write to generate types after the initial policy has been written a
-  will autogenerate all of the interfaces.
-  I also added a -w options to allow policy writers from the command line to s
-  the writable directories of files.
-
-  Modify network.py to include interface definitions for newly created port type
-  Standardize of te_types just like all of the other templates.
2013-01-21 13:37:48 -06:00

152 lines
5.3 KiB
Diff
Raw Blame History

diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index 73c60f6..9ca35a7 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -38,8 +38,7 @@ def get_audit_boot_msgs():
off=float(fd.read().split()[0])
fd.close
s = time.localtime(time.time() - off)
- date = time.strftime("%D/%Y", s).split("/")
- bootdate="%s/%s/%s" % (date[0], date[1], date[3])
+ bootdate = time.strftime("%x", s)
boottime = time.strftime("%X", s)
output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
stdout=subprocess.PIPE).communicate()[0]
@@ -260,7 +259,7 @@ class AVCMessage(AuditMessage):
raise ValueError("Error during access vector computation")
if self.type == audit2why.CONSTRAINT:
- self.data = []
+ self.data = [ self.data ]
if self.scontext.user != self.tcontext.user:
self.data.append("user")
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index a4adbd8..7b76261 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -91,8 +91,10 @@ tokens = (
'CLASS',
# types and attributes
'TYPEATTRIBUTE',
+ 'ROLEATTRIBUTE',
'TYPE',
'ATTRIBUTE',
+ 'ATTRIBUTE_ROLE',
'ALIAS',
'TYPEALIAS',
# conditional policy
@@ -153,8 +155,10 @@ reserved = {
'class' : 'CLASS',
# types and attributes
'typeattribute' : 'TYPEATTRIBUTE',
+ 'roleattribute' : 'ROLEATTRIBUTE',
'type' : 'TYPE',
'attribute' : 'ATTRIBUTE',
+ 'attribute_role' : 'ATTRIBUTE_ROLE',
'alias' : 'ALIAS',
'typealias' : 'TYPEALIAS',
# conditional policy
@@ -489,6 +493,7 @@ def p_policy_stmt(p):
| avrule_def
| typerule_def
| typeattribute_def
+ | roleattribute_def
| interface_call
| role_def
| role_allow
@@ -496,6 +501,7 @@ def p_policy_stmt(p):
| type_def
| typealias_def
| attribute_def
+ | attribute_role_def
| range_transition_def
| role_transition_def
| bool
@@ -542,6 +548,7 @@ def p_require(p):
'''require : TYPE comma_list SEMI
| ROLE comma_list SEMI
| ATTRIBUTE comma_list SEMI
+ | ATTRIBUTE_ROLE comma_list SEMI
| CLASS comma_list SEMI
| BOOL comma_list SEMI
'''
@@ -727,6 +734,11 @@ def p_attribute_def(p):
a = refpolicy.Attribute(p[2])
p[0] = a
+def p_attribute_role_def(p):
+ 'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
+ a = refpolicy.Attribute_Role(p[2])
+ p[0] = a
+
def p_typealias_def(p):
'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'
t = refpolicy.TypeAlias()
@@ -819,6 +831,13 @@ def p_typeattribute_def(p):
t.attributes.update(p[3])
p[0] = t
+def p_roleattribute_def(p):
+ '''roleattribute_def : ROLEATTRIBUTE IDENTIFIER comma_list SEMI'''
+ t = refpolicy.RoleAttribute()
+ t.role = p[2]
+ t.roleattributes.update(p[3])
+ p[0] = t
+
def p_range_transition_def(p):
'''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
| RANGE_TRANSITION names names names SEMI'''
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index 1399225..b07550a 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -117,6 +117,10 @@ class Node(PolicyBase):
"""Iterate over all of the TypeAttribute children of this Interface."""
return itertools.ifilter(lambda x: isinstance(x, TypeAttribute), walktree(self))
+ def roleattributes(self):
+ """Iterate over all of the RoleAttribute children of this Interface."""
+ return itertools.ifilter(lambda x: isinstance(x, RoleAttribute), walktree(self))
+
def requires(self):
return itertools.ifilter(lambda x: isinstance(x, Require), walktree(self))
@@ -356,6 +360,20 @@ class TypeAttribute(Leaf):
def to_string(self):
return "typeattribute %s %s;" % (self.type, self.attributes.to_comma_str())
+class RoleAttribute(Leaf):
+ """SElinux typeattribute statement.
+
+ This class represents a typeattribute statement.
+ """
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
+ self.role = ""
+ self.roleattributes = IdSet()
+
+ def to_string(self):
+ return "roleattribute %s %s;" % (self.role, self.roleattributes.to_comma_str())
+
+
class Role(Leaf):
def __init__(self, parent=None):
Leaf.__init__(self, parent)
@@ -400,6 +418,15 @@ class Attribute(Leaf):
def to_string(self):
return "attribute %s;" % self.name
+class Attribute_Role(Leaf):
+ def __init__(self, name="", parent=None):
+ Leaf.__init__(self, parent)
+ self.name = name
+
+ def to_string(self):
+ return "attribute_role %s;" % self.name
+
+
# Classes representing rules
class AVRule(Leaf):
Reference in New Issue View Git Blame Copy Permalink