From 56e1b3d2073e7f9edc1e1589cd76ec569c81600a Mon Sep 17 00:00:00 2001 
From: Chris PeBenito Date: Mon, 26 Mar 2007 18:41:45 +0000 Subject: [PATCH] - Move booleans and tunables to modules when it is only used in a single module. - Add support for tunables and booleans local to a module. --- Changelog | 3 + Makefile | 41 +- doc/policy.dtd | 2 +- doc/templates/bool_list.html | 23 ++ doc/templates/boolean.html | 13 + doc/templates/menu.html | 4 + doc/templates/module.html | 27 +- doc/templates/tun_list.html | 23 ++ doc/templates/tunable.html | 13 + policy/global_tunables | 472 ------------------------ policy/modules/admin/netutils.te | 11 +- policy/modules/apps/cdrecord.te | 13 +- policy/modules/apps/evolution.if | 9 +- policy/modules/apps/evolution.te | 2 +- policy/modules/apps/games.if | 6 +- policy/modules/apps/games.te | 2 +- policy/modules/apps/java.te | 9 +- policy/modules/apps/mozilla.if | 11 +- policy/modules/apps/mozilla.te | 11 +- policy/modules/apps/mplayer.te | 11 +- policy/modules/apps/thunderbird.if | 6 +- policy/modules/apps/thunderbird.te | 2 +- policy/modules/apps/usernetctl.te | 12 +- policy/modules/services/apache.te | 96 ++++- policy/modules/services/bind.te | 10 +- policy/modules/services/cron.te | 19 +- policy/modules/services/cvs.te | 9 +- policy/modules/services/ftp.if | 12 +- policy/modules/services/ftp.te | 61 ++- policy/modules/services/inetd.te | 9 +- policy/modules/services/kerberos.te | 9 +- policy/modules/services/lpd.te | 9 +- policy/modules/services/ppp.te | 36 +- policy/modules/services/rpc.te | 17 +- policy/modules/services/rsync.te | 10 +- policy/modules/services/samba.te | 24 +- policy/modules/services/sasl.te | 9 +- policy/modules/services/spamassassin.te | 20 +- policy/modules/services/squid.te | 10 +- policy/modules/services/ssh.if | 20 +- policy/modules/services/ssh.te | 28 +- policy/modules/services/stunnel.te | 16 +- policy/modules/services/xserver.te | 19 +- policy/modules/services/zebra.te | 10 +- policy/modules/system/init.te | 11 +- policy/modules/system/mount.te | 11 +- 
policy/modules/system/userdomain.te | 47 ++- support/Makefile.devel | 74 +++- support/sedoctool.py | 128 ++++++- support/segenxml.py | 210 ++++------- 50 files changed, 852 insertions(+), 808 deletions(-) create mode 100644 doc/templates/bool_list.html create mode 100644 doc/templates/boolean.html create mode 100644 doc/templates/tun_list.html create mode 100644 doc/templates/tunable.html diff --git a/Changelog b/Changelog index 67a18ef3..dc1eebf4 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,6 @@ +- Move booleans and tunables to modules when it is only used in a single + module. +- Add support for tunables and booleans local to a module. - Merge sbin_t and ls_exec_t into bin_t. - Remove disable_trans booleans. - Output different header sets for kernel and userland from flask headers. diff --git a/Makefile b/Makefile index 640b7c4f..fa67f45e 100644 --- a/Makefile +++ b/Makefile @@ -108,7 +108,7 @@ genhomedircon := $(PYTHON) -E $(support)/genhomedircon # documentation paths docs := doc xmldtd = $(docs)/policy.dtd -layerxml = metadata.xml +metaxml = metadata.xml doctemplate = $(docs)/templates docfiles = $(docs)/Makefile.example $(addprefix $(docs)/,example.te example.if example.fc) @@ -254,6 +254,10 @@ generated_fc := $(basename $(foreach dir,$(all_layers),$(wildcard $(dir)/*.fc.in # when a generated file is already generated detected_mods := $(sort $(foreach dir,$(all_layers),$(wildcard $(dir)/*.te)) $(generated_te)) +modxml := $(detected_mods:.te=.xml) +layerxml := $(addprefix $(tmpdir)/, $(notdir $(addsuffix .xml,$(all_layers)))) +all_metaxml := $(addsuffix /$(metaxml), $(all_layers)) + # modules.conf setting for base module configbase := base 
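Review bot: `layerxml` is reused with a different meaning in the `@@ -254,6 +254,10 @@` hunk — it used to name the metadata file (`metadata.xml`, now `metaxml`) and now names the list of generated per-layer files under `$(tmpdir)` — which is easy to misread in any other makefile that includes this one (the diffstat shows support/Makefile.devel changing in the same commit, so that is worth a cross-check). Because the new definition is simply expanded (`:=`) from `$(tmpdir)`, `tmpdir` must already be assigned at this point; that cannot be confirmed from the hunk, and if it is empty here the layer files resolve to `/<layer>.xml`. A one-line comment above the three new assignments, `# per-module XML is generated next to the .te; per-layer XML is assembled in $(tmpdir)`, would document the split.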
@@ -408,23 +412,36 @@ $(fcsort) : $(support)/fc_sort.c # Documentation generation # -# minimal dependencies here, because we don't want to rebuild -# this and its dependents every time the dependencies -# change. Also use all .if files here, rather then just the -# enabled modules. -xml: $(polxml) -$(polxml): $(detected_mods:.te=.if) $(foreach dir,$(all_layers),$(dir)/$(layerxml)) +$(modxml): %.xml: %.if %.te + $(verbose) $(genxml) -w -m $* > $@ + +$(layerxml): %.xml: $(modxml) $(all_metaxml) + @test -d $(tmpdir) || mkdir -p $(tmpdir) + $(verbose) echo '' > $@ + $(verbose) cat $(addprefix $(moddir)/, $(notdir $*))/$(metaxml) >> $@ + $(verbose) cat $(filter-out $(addprefix $(moddir)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(moddir)/, $(notdir $*))/%, $(modxml))) >> $@ + $(verbose) echo '' >> $@ + +$(tunxml): $(globaltun) + $(verbose) $(genxml) -w -t $< > $@ + +$(boolxml): $(globalbool) + $(verbose) $(genxml) -w -b $< > $@ + +$(polxml): $(layerxml) $(tunxml) $(boolxml) @echo "Creating $(@F)" @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml)) @test -d $(tmpdir) || mkdir -p $(tmpdir) $(verbose) echo '' > $@ $(verbose) echo '' >> $@ - $(verbose) $(genxml) -w -m $(layerxml) -t $(globaltun) -b $(globalbool) -o $(docs) $(all_layers) >> $@ + $(verbose) echo '' >> $@ + $(verbose) cat $(layerxml) $(tunxml) $(boolxml) >> $@ + $(verbose) echo '' >> $@ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \ $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\ fi -$(tunxml) $(boolxml): $(polxml) +xml: $(polxml) html $(tmpdir)/html: $(polxml) @echo "Building html interface reference documentation in $(htmldir)" @@ -517,7 +534,7 @@ $(contextpath)/users/%: $(appconf)/%_default_contexts # # Install policy headers # -install-headers: $(tunxml) $(boolxml) +install-headers: $(layerxml) $(tunxml) $(boolxml) @mkdir -p $(headerdir) @echo "Installing $(TYPE) policy headers." $(verbose) $(INSTALL) -m 644 $(tunxml) $(boolxml) $(headerdir) 
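Review bot: The new `$(layerxml)` and `$(polxml)` recipes assemble the target with a chain of `>`/`>>` redirections, so a failing step — including the `$(XMLLINT) --dtdvalid` run that ends the `$(polxml)` recipe — leaves a partial `$@` with a fresh timestamp that the next `make` treats as up to date. Unless the Makefile already sets it further up (not visible here), add `.DELETE_ON_ERROR:` near the top, or build into `$@.tmp` and finish with `mv -f $@.tmp $@`. A lesser point: `$(layerxml): %.xml: $(modxml) $(all_metaxml)` makes every layer's XML depend on every module's XML and metadata, so a single `.if` edit regenerates all layers; per-layer prerequisites (a `$(foreach …,$(eval …))` over `$(all_layers)`) would keep the graph precise, and the `cat` line computes `$(addprefix $(moddir)/, $(notdir $*))` three times, which a `$(call)` helper or target-specific variable would make readable.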
@@ -528,7 +545,7 @@ install-headers: $(tunxml) $(boolxml) $(verbose) for i in $(notdir $(all_layers)); do \ mkdir -p $(headerdir)/$$i ;\ $(INSTALL) -m 644 $(moddir)/$$i/*.if \ - $(moddir)/$$i/metadata.xml \ + $(moddir)/$$i/*.xml \ $(headerdir)/$$i ;\ done $(verbose) echo "TYPE ?= $(TYPE)" > $(headerdir)/build.conf @@ -620,6 +637,8 @@ resetlabels: # bare: clean rm -f $(polxml) + rm -f $(layerxml) + rm -f $(modxml) rm -f $(tunxml) rm -f $(boolxml) rm -f $(mod_conf) diff --git a/doc/policy.dtd b/doc/policy.dtd index dddae6ad..e6a41820 100644 --- a/doc/policy.dtd +++ b/doc/policy.dtd @@ -4,7 +4,7 @@ - + diff --git a/doc/templates/bool_list.html b/doc/templates/bool_list.html new file mode 100644 index 00000000..2d852da4 --- /dev/null +++ b/doc/templates/bool_list.html @@ -0,0 +1,23 @@ +

Master boolean index:

+ +[[for bool in booleans]] +
+[[if bool.has_key('mod_layer')]] +Module: +[[bool['mod_name']]]

+Layer: +[[bool['mod_layer']]]

+[[else]] +Global +[[end]] +

+[[bool['bool_name']]] +(Default: [[bool['def_val']]]) +
+[[if bool['desc']]] +
+[[bool['desc']]] +
+[[end]] +
+[[end]] diff --git a/doc/templates/boolean.html b/doc/templates/boolean.html new file mode 100644 index 00000000..ea5a2604 --- /dev/null +++ b/doc/templates/boolean.html @@ -0,0 +1,13 @@ +[[for bool in booleans]] + +
+
[[bool['bool_name']]]
+
+
Default value
+

[[bool['def_val']]]

+[[if bool['desc']]] +
Description
+[[bool['desc']]] +[[end]] +
+[[end]] diff --git a/doc/templates/menu.html b/doc/templates/menu.html index 6d2cce35..9472b2c3 100644 --- a/doc/templates/menu.html +++ b/doc/templates/menu.html @@ -16,6 +16,10 @@


* Layer Index

+ * Boolean Index +

+ * Tunable Index +

* Interface Index

* Template Index diff --git a/doc/templates/module.html b/doc/templates/module.html index 71341feb..a8d008a8 100644 --- a/doc/templates/module.html +++ b/doc/templates/module.html @@ -1,8 +1,16 @@

Layer: [[mod_layer]]

Module: [[mod_name]]

-[[if interfaces and templates]] +[[if booleans]] +Booleans +[[end]] +[[if tunables]] +Tunables +[[end]] +[[if interfaces]] Interfaces +[[end]] +[[if templates]] Templates [[end]]

Description:

@@ -14,6 +22,19 @@ [[if mod_req]]

This module is required to be included in all policies.

[[end]] +
+[[if booleans]] + +

Booleans:

+[[booleans]] +Return +[[end]] +[[if tunables]] + +

Tunables:

+[[tunables]] +Return +[[end]] [[if interfaces]]

Interfaces:

@@ -26,6 +47,6 @@ [[templates]] Return [[end]] -[[if not templates and not interfaces]] -

No interfaces or templates.

+[[if not templates and not interfaces and not tunables]] +

No booleans, tunables, interfaces, or templates.

[[end]] diff --git a/doc/templates/tun_list.html b/doc/templates/tun_list.html new file mode 100644 index 00000000..278f284c --- /dev/null +++ b/doc/templates/tun_list.html @@ -0,0 +1,23 @@ +

Master tunable index:

+ +[[for tun in tunables]] +
+[[if tun.has_key('mod_layer')]] +Module: +[[tun['mod_name']]]

+Layer: +[[tun['mod_layer']]]

+[[else]] +Global +[[end]] +

+[[tun['tun_name']]] +(Default: [[tun['def_val']]]) +
+[[if tun['desc']]] +
+[[tun['desc']]] +
+[[end]] +
+[[end]] diff --git a/doc/templates/tunable.html b/doc/templates/tunable.html new file mode 100644 index 00000000..9316779e --- /dev/null +++ b/doc/templates/tunable.html @@ -0,0 +1,13 @@ +[[for tun in tunables]] + +
+
[[tun['tun_name']]]
+
+
Default value
+

[[tun['def_val']]]

+[[if tun['desc']]] +
Description
+[[tun['desc']]] +[[end]] +
+[[end]] diff --git a/policy/global_tunables b/policy/global_tunables index 05b19ffd..9a443147 100644 --- a/policy/global_tunables +++ b/policy/global_tunables @@ -9,22 +9,6 @@ # Common tunables # -## -##

-## Allow cvs daemon to read shadow -##

-##
-# -gen_tunable(allow_cvs_read_shadow,false) - -## -##

-## Allow zebra daemon to write it configuration files -##

-##
-# -gen_tunable(allow_zebra_write_config,false) - ## ##

## Allow making the heap executable. @@ -56,82 +40,6 @@ gen_tunable(allow_execmod,false) ## gen_tunable(allow_execstack,false) -## -##

-## Allow ftp servers to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(allow_ftpd_anon_write,false) - -## -##

-## Allow ftp servers to login to local users and -## read/write all files on the system, governed by DAC. -##

-##
-gen_tunable(allow_ftpd_full_access,false) - -## -##

-## Allow ftp servers to use cifs -## used for public file transfer services. -##

-##
-gen_tunable(allow_ftpd_use_cifs,false) - -## -##

-## Allow ftp servers to use nfs -## used for public file transfer services. -##

-##
-gen_tunable(allow_ftpd_use_nfs,false) - -## -##

-## Allow gssd to read temp directory. -##

-##
-gen_tunable(allow_gssd_read_tmp,true) - -## -##

-## Allow Apache to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(allow_httpd_anon_write,false) - -## -##

-## Allow Apache to use mod_auth_pam -##

-##
-gen_tunable(allow_httpd_mod_auth_pam,false) - -## -##

-## Allow java executable stack -##

-##
-gen_tunable(allow_java_execstack,false) - -## -##

-## Allow system to run with kerberos -##

-##
-gen_tunable(allow_kerberos,false) - -## -##

-## Allow nfs servers to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(allow_nfsd_anon_write,false) - ## ##

## Enable polyinstantiated directory support. @@ -139,30 +47,6 @@ gen_tunable(allow_nfsd_anon_write,false) ## gen_tunable(allow_polyinstantiation,false) -## -##

-## Allow rsync to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(allow_rsync_anon_write,false) - -## -##

-## Allow sasl to read shadow -##

-##
-gen_tunable(allow_saslauthd_read_shadow,false) - -## -##

-## Allow samba to modify public files -## used for public file transfer services. -##

-##
-gen_tunable(allow_smbd_anon_write,false) - - ## ##

## Allow system to run with NIS @@ -170,28 +54,6 @@ gen_tunable(allow_smbd_anon_write,false) ## gen_tunable(allow_ypbind,false) -## -##

-## Enable extra rules in the cron domain -## to support fcron. -##

-##
-gen_tunable(fcron_crond,false) - -## -##

-## Allow ftp to read and write files in the user home directories -##

-##
-gen_tunable(ftp_home_dir,false) - -## -##

-## Allow ftpd to run directly without inetd -##

-##
-gen_tunable(ftpd_is_daemon,false) - ## ##

## Enable reading of urandom for all domains. @@ -205,85 +67,6 @@ gen_tunable(ftpd_is_daemon,false) ## gen_tunable(global_ssp,false) -## -##

-## Allow httpd to use built in scripting (usually php) -##

-##
-gen_tunable(httpd_builtin_scripting,false) - -## -##

-## Allow http daemon to tcp connect -##

-##
-gen_tunable(httpd_can_network_connect,false) - -## -##

-## Allow httpd to connect to mysql/posgresql -##

-##
-gen_tunable(httpd_can_network_connect_db, false) - -## -##

-## Allow httpd to act as a relay -##

-##
-gen_tunable(httpd_can_network_relay, false) - -## -##

-## Allow httpd cgi support -##

-##
-gen_tunable(httpd_enable_cgi,false) - -## -##

-## Allow httpd to act as a FTP server by -## listening on the ftp port. -##

-##
-gen_tunable(httpd_enable_ftp_server,false) - -## -##

-## Allow httpd to read home directories -##

-##
-gen_tunable(httpd_enable_homedirs,false) - -## -##

-## Run SSI execs in system CGI script domain. -##

-##
-gen_tunable(httpd_ssi_exec,false) - -## -##

-## Allow http daemon to communicate with the TTY -##

-##
-gen_tunable(httpd_tty_comm,false) - -## -##

-## Run CGI in the main httpd domain -##

-##
-gen_tunable(httpd_unified,false) - -## -##

-## Allow BIND to write the master zone files. -## Generally this is used for dynamic DNS. -##

-##
-gen_tunable(named_write_master_zones,false) - ## ##

## Allow nfs to be exported read/write. @@ -298,13 +81,6 @@ gen_tunable(nfs_export_all_rw,false) ## gen_tunable(nfs_export_all_ro,false) -## -##

-## Allow pppd to load kernel modules for certain modems -##

-##
-gen_tunable(pppd_can_insmod,false) - ## ##

## Allow reading of default_t files. @@ -312,43 +88,6 @@ gen_tunable(pppd_can_insmod,false) ## gen_tunable(read_default_t,false) -## -##

-## Allow samba to export user home directories. -##

-##
-gen_tunable(samba_enable_home_dirs,false) - -## -##

-## Allow samba to export NFS volumes. -##

-##
-gen_tunable(samba_share_nfs,false) - -## -##

-## Allow squid to connect to all ports, not just -## HTTP, FTP, and Gopher ports. -##

-##
-gen_tunable(squid_connect_any,false) - -## -##

-## Allow ssh logins as sysadm_r:sysadm_t -##

-##
-gen_tunable(ssh_sysadm_login,false) - -## -##

-## Configure stunnel to be a standalone daemon or -## inetd service. -##

-##
-gen_tunable(stunnel_is_daemon,false) - ## ##

## Support NFS home directories @@ -363,115 +102,12 @@ gen_tunable(use_nfs_home_dirs,false) ## gen_tunable(use_samba_home_dirs,false) -## -##

-## Allow xdm logins as sysadm -##

-##
-gen_tunable(xdm_sysadm_login,false) - ######################################## # # Strict policy specific # ifdef(`strict_policy',` -## -##

-## Control users use of ping and traceroute -##

-##
-gen_tunable(user_ping,false) - -## -##

-## Allow gpg executable stack -##

-##
-gen_tunable(allow_gpg_execstack,false) - -## -##

-## Allow mplayer executable stack -##

-##
-gen_tunable(allow_mplayer_execstack,false) - -## -##

-## Allow sysadm to ptrace all processes -##

-##
-gen_tunable(allow_ptrace,false) - -## -##

-## allow host key based authentication -##

-##
-gen_tunable(allow_ssh_keysign,false) - -## -##

-## Allow users to connect to mysql -##

-##
-gen_tunable(allow_user_mysql_connect,false) - -## -##

-## Allows clients to write to the X server shared -## memory segments. -##

-##
-gen_tunable(allow_write_xshm,false) - -## -##

-## Allow cdrecord to read various content. -## nfs, samba, removable devices, user temp -## and untrusted content files -##

-##
-gen_tunable(cdrecord_read_content,false) - -## -##

-## Allow system cron jobs to relabel filesystem -## for restoring file contexts. -##

-##
-gen_tunable(cron_can_relabel,false) - -## -##

-## force to games to run in user_t -## mapping executable (text relocation). -##

-##
-gen_tunable(disable_games_trans,false) - -## -##

-## Disable transitions to evolution domains. -##

-##
-gen_tunable(disable_evolution_trans,false) - -## -##

-## Disable transitions to user mozilla domains -##

-##
-gen_tunable(disable_mozilla_trans,false) - -## -##

-## Disable transitions to user thunderbird domains -##

-##
-gen_tunable(disable_thunderbird_trans,false) - ## ##

## Allow email client to various content. @@ -481,20 +117,6 @@ gen_tunable(disable_thunderbird_trans,false) ## gen_tunable(mail_read_content,false) -## -##

-## Control mozilla content access -##

-##
-gen_tunable(mozilla_read_content,false) - -## -##

-## Allow pppd to be run for a regular user -##

-##
-gen_tunable(pppd_for_user,false) - ## ##

## Allow applications to read untrusted content @@ -504,65 +126,6 @@ gen_tunable(pppd_for_user,false) ## gen_tunable(read_untrusted_content,false) -## -##

-## Allow ssh to run from inetd instead of as a daemon. -##

-##
-gen_tunable(run_ssh_inetd,false) - -## -##

-## Allow user spamassassin clients to use the network. -##

-##
-gen_tunable(spamassassin_can_network,false) - -## -##

-## Allow staff_r users to search the sysadm home -## dir and read files (such as ~/.bashrc) -##

-##
-gen_tunable(staff_read_sysadm_file,false) - -## -##

-## Use lpd server instead of cups -##

-##
-gen_tunable(use_lpd_server,false) - -## -##

-## Allow regular users direct mouse access -##

-##
-gen_tunable(user_direct_mouse,false) - -## -##

-## Allow users to read system messages. -##

-##
-gen_tunable(user_dmesg,false) - -## -##

-## Allow users to control network interfaces -## (also needs USERCTL=true) -##

-##
-gen_tunable(user_net_control,false) - -## -##

-## Allow user to r/w files on filesystems -## that do not have extended attributes (FAT, CDROM, FLOPPY) -##

-##
-gen_tunable(user_rw_noexattrfile,false) - ## ##

## Allow users to run TCP servers (bind to ports and accept connection from @@ -572,13 +135,6 @@ gen_tunable(user_rw_noexattrfile,false) ## gen_tunable(user_tcp_server,false) -## -##

-## Allow w to display everyone -##

-##
-gen_tunable(user_ttyfile_stat,false) - ## ##

## Allow applications to write untrusted content @@ -588,31 +144,3 @@ gen_tunable(user_ttyfile_stat,false) ## gen_tunable(write_untrusted_content,false) ') - -######################################## -# -# Targeted policy specific -# - -ifdef(`targeted_policy',` -## -##

-## Allow all daemons the ability to use unallocated ttys -##

-##
-gen_tunable(allow_daemons_use_tty,false) - -## -##

-## Allow mount to mount any file -##

-##
-gen_tunable(allow_mount_anyfile,false) - -## -##

-## Allow spamd to read/write user home directories. -##

-##
-gen_tunable(spamd_enable_home_dirs,true) -') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index d27eaf60..b34146e8 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,11 +1,20 @@ -policy_module(netutils,1.3.0) +policy_module(netutils,1.3.1) ######################################## # # Declarations # +ifdef(`strict_policy',` +## +##

+## Control users use of ping and traceroute +##

+##
+gen_tunable(user_ping,false) +') + type netutils_t; type netutils_exec_t; init_system_domain(netutils_t,netutils_exec_t) diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te index abdf579a..760ce28e 100644 --- a/policy/modules/apps/cdrecord.te +++ b/policy/modules/apps/cdrecord.te @@ -1,10 +1,21 @@ -policy_module(cdrecord,1.1.0) +policy_module(cdrecord,1.1.1) ######################################## # # Declarations # +ifdef(`strict_policy',` +## +##

+## Allow cdrecord to read various content. +## nfs, samba, removable devices, user temp +## and untrusted content files +##

+##
+gen_tunable(cdrecord_read_content,false) +') + type cdrecord_exec_t; corecmd_executable_file(cdrecord_exec_t) diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if index dee79e05..b1678579 100644 --- a/policy/modules/apps/evolution.if +++ b/policy/modules/apps/evolution.if @@ -187,7 +187,6 @@ template(`evolution_per_role_template',` corecmd_exec_shell($1_evolution_t) # Run various programs corecmd_exec_bin($1_evolution_t) - corecmd_exec_bin($1_evolution_t) corenet_non_ipsec_sendrecv($1_evolution_t) corenet_tcp_sendrecv_generic_if($1_evolution_t) @@ -674,7 +673,8 @@ template(`evolution_per_role_template',` allow $1_evolution_server_t $1_evolution_alarm_t:unix_stream_socket connectto; allow $1_evolution_server_t $1_evolution_alarm_orbit_tmp_t:sock_file write; - allow $1_evolution_server_t $2:fd use; + # Transition from user type + domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t) kernel_read_system_state($1_evolution_server_t) @@ -718,11 +718,6 @@ template(`evolution_per_role_template',` # until properly implemented userdom_dontaudit_read_user_home_content_files($1,$1_evolution_server_t) - # Transition from user type - tunable_policy(`!disable_evolution_trans',` - domain_auto_trans($2, evolution_server_exec_t, $1_evolution_server_t) - ') - # Access evolution home tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_evolution_server_t) diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te index e6d1b5c1..b3a08567 100644 --- a/policy/modules/apps/evolution.te +++ b/policy/modules/apps/evolution.te @@ -1,5 +1,5 @@ -policy_module(evolution,1.1.1) +policy_module(evolution,1.1.2) ######################################## # diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if index dedbd6db..7aa39b34 100644 --- a/policy/modules/apps/games.if +++ b/policy/modules/apps/games.if 
@@ -84,6 +84,7 @@ template(`games_per_role_template',` can_exec($1_games_t, games_exec_t) + domain_auto_trans($2, games_exec_t, $1_games_t) allow $2 $1_games_t:unix_stream_socket connectto; allow $1_games_t $2:unix_stream_socket connectto; @@ -136,11 +137,6 @@ template(`games_per_role_template',` # Suppress .icons denial until properly implemented userdom_dontaudit_read_user_home_content_files($1,$1_games_t) - # Type transition - tunable_policy(`!disable_games_trans',` - domain_auto_trans($2, games_exec_t, $1_games_t) - ') - tunable_policy(`allow_execmem',` allow $1_games_t self:process execmem; ') diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index d3b63bc1..4c462b8c 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -1,5 +1,5 @@ -policy_module(games,1.1.2) +policy_module(games,1.1.3) ######################################## # diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te index bb18d375..7c061203 100644 --- a/policy/modules/apps/java.te +++ b/policy/modules/apps/java.te @@ -1,11 +1,18 @@ -policy_module(java,1.3.3) +policy_module(java,1.3.4) ######################################## # # Declarations # +## +##

+## Allow java executable stack +##

+##
+gen_tunable(allow_java_execstack,false) + type java_t; type java_exec_t; init_system_domain(java_t,java_exec_t) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 42616176..5056fb1e 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -105,6 +105,10 @@ template(`mozilla_per_role_template',` allow $1_mozilla_t $2:process signull; + domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) + # Unrestricted inheritance from the caller. + allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; + # Allow the user domain to signal/ps. ps_process_pattern($2,$1_mozilla_t) allow $2 $1_mozilla_t:process signal_perms; @@ -207,13 +211,6 @@ template(`mozilla_per_role_template',` fs_manage_cifs_symlinks($1_mozilla_t) ') - # Type transition - tunable_policy(`! disable_mozilla_trans',` - domain_auto_trans($2, mozilla_exec_t, $1_mozilla_t) - # Unrestricted inheritance from the caller. - allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh }; - ') - # Uploads, local html tunable_policy(`mozilla_read_content && use_nfs_home_dirs',` fs_list_auto_mountpoints($1_mozilla_t) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 7752e69e..6832f0e3 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -1,11 +1,20 @@ -policy_module(mozilla,1.1.1) +policy_module(mozilla,1.1.2) ######################################## # # Declarations # +ifdef(`strict_policy',` +## +##

+## Control mozilla content access +##

+##
+gen_tunable(mozilla_read_content,false) +') + type mozilla_conf_t; files_config_file(mozilla_conf_t) diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te index dd9b1a46..1ee51bf4 100644 --- a/policy/modules/apps/mplayer.te +++ b/policy/modules/apps/mplayer.te @@ -1,11 +1,20 @@ -policy_module(mplayer,1.1.1) +policy_module(mplayer,1.1.2) ######################################## # # Declarations # +ifdef(`strict_policy',` +## +##

+## Allow mplayer executable stack +##

+##
+gen_tunable(allow_mplayer_execstack,false) +') + type mplayer_etc_t; files_config_file(mplayer_etc_t) diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if index 7edcec68..fe9dcc5e 100644 --- a/policy/modules/apps/thunderbird.if +++ b/policy/modules/apps/thunderbird.if @@ -77,6 +77,7 @@ template(`thunderbird_per_role_template',` manage_sock_files_pattern($1_thunderbird_t,$1_thunderbird_tmpfs_t,$1_thunderbird_tmpfs_t) fs_tmpfs_filetrans($1_thunderbird_t,$1_thunderbird_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t) allow $2 $1_thunderbird_t:fd use; allow $2 $1_thunderbird_t:shm { associate getattr }; allow $2 $1_thunderbird_t:unix_stream_socket connectto; @@ -166,11 +167,6 @@ template(`thunderbird_per_role_template',` xserver_read_xdm_tmp_files($1_thunderbird_t) xserver_dontaudit_getattr_xdm_tmp_sockets($1_thunderbird_t) - # Transition from user type - tunable_policy(`! disable_thunderbird_trans',` - domain_auto_trans($2, thunderbird_exec_t, $1_thunderbird_t) - ') - # Access ~/.thunderbird tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($1_thunderbird_t) diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te index 0d1c693d..54e5575b 100644 --- a/policy/modules/apps/thunderbird.te +++ b/policy/modules/apps/thunderbird.te @@ -1,5 +1,5 @@ -policy_module(thunderbird,1.1.1) +policy_module(thunderbird,1.1.2) ######################################## # diff --git a/policy/modules/apps/usernetctl.te b/policy/modules/apps/usernetctl.te index f2bcebfc..bf1bee72 100644 --- a/policy/modules/apps/usernetctl.te +++ b/policy/modules/apps/usernetctl.te @@ -1,11 +1,21 @@ -policy_module(usernetctl,1.0.0) +policy_module(usernetctl,1.0.1) ######################################## # # Declarations # +ifdef(`strict_policy',` +## +##

+## Allow users to control network interfaces +## (also needs USERCTL=true) +##

+##
+gen_tunable(user_net_control,false) +') + type usernetctl_t; type usernetctl_exec_t; domain_type(usernetctl_t) diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index c11832c5..8c4c9989 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,5 +1,5 @@ -policy_module(apache,1.5.4) +policy_module(apache,1.5.5) # # NOTES: @@ -20,6 +20,92 @@ policy_module(apache,1.5.4) # Declarations # +## +##

+## Allow Apache to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(allow_httpd_anon_write,false) + +## +##

+## Allow Apache to use mod_auth_pam +##

+##
+gen_tunable(allow_httpd_mod_auth_pam,false) + +## +##

+## Allow httpd to use built in scripting (usually php) +##

+##
+gen_tunable(httpd_builtin_scripting,false) + +## +##

+## Allow http daemon to tcp connect +##

+##
+gen_tunable(httpd_can_network_connect,false) + +## +##

+## Allow httpd to connect to mysql/posgresql +##

+##
+gen_tunable(httpd_can_network_connect_db, false) + +## +##

+## Allow httpd to act as a relay +##

+##
+gen_tunable(httpd_can_network_relay, false) + +## +##

+## Allow httpd cgi support +##

+##
+gen_tunable(httpd_enable_cgi,false) + +## +##

+## Allow httpd to act as a FTP server by +## listening on the ftp port. +##

+##
+gen_tunable(httpd_enable_ftp_server,false) + +## +##

+## Allow httpd to read home directories +##

+##
+gen_tunable(httpd_enable_homedirs,false) + +## +##

+## Run SSI execs in system CGI script domain. +##

+##
+gen_tunable(httpd_ssi_exec,false) + +## +##

+## Allow http daemon to communicate with the TTY +##

+##
+gen_tunable(httpd_tty_comm,false) + +## +##

+## Run CGI in the main httpd domain +##

+##
+gen_tunable(httpd_unified,false) + attribute httpdcontent; # domains that can exec all users scripts @@ -507,13 +593,7 @@ allow httpd_suexec_t self:process signal_perms; allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms; -ifdef(`targeted_policy',` - gen_tunable(httpd_suexec_disable_trans,false) - - tunable_policy(`httpd_suexec_disable_trans',`',` - domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) - ') -') +domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) create_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) append_files_pattern(httpd_suexec_t,httpd_log_t,httpd_log_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index cec18b07..6bb39666 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,11 +1,19 @@ -policy_module(bind,1.3.1) +policy_module(bind,1.3.2) ######################################## # # Declarations # +## +##
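Review bot: Replacing the `ifdef(`targeted_policy',…)` block with a bare `domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)` does more than drop the `httpd_suexec_disable_trans` boolean: the removed code only ever emitted that transition under targeted policy, so strict policy now gains an httpd_t → httpd_suexec_t transition it did not have in this file before. That may well be intended (and a strict-policy transition may already exist elsewhere in apache.te, which cannot be seen from here), but it is a behaviour change beyond the commit message; either confirm it is redundant under strict or state it in the Changelog entry.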

+## Allow BIND to write the master zone files. +## Generally this is used for dynamic DNS. +##

+##
+gen_tunable(named_write_master_zones,false) + # for DNSSEC key files type dnssec_t; files_security_file(dnssec_t) diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index bb08029d..d9cb1bba 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,5 +1,5 @@ -policy_module(cron,1.5.1) +policy_module(cron,1.5.2) gen_require(` class passwd rootok; @@ -9,6 +9,23 @@ gen_require(` # # Declarations # + +## +##

+## Allow system cron jobs to relabel filesystem +## for restoring file contexts. +##

+##
+gen_tunable(cron_can_relabel,false) + +## +##

+## Enable extra rules in the cron domain +## to support fcron. +##

+##
+gen_tunable(fcron_crond,false) + attribute cron_spool_type; type anacron_exec_t; diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te index 35ddd025..43721b5d 100644 --- a/policy/modules/services/cvs.te +++ b/policy/modules/services/cvs.te @@ -1,11 +1,18 @@ -policy_module(cvs,1.3.0) +policy_module(cvs,1.3.1) ######################################## # # Declarations # +## +##

+## Allow cvs daemon to read shadow +##

+##
+gen_tunable(allow_cvs_read_shadow,false) + type cvs_t; type cvs_exec_t; inetd_tcp_service_domain(cvs_t,cvs_exec_t) diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index 31585d1b..e3bbfb5d 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -28,13 +28,11 @@ template(`ftp_per_role_template',` type ftpd_t; ') - tunable_policy(`ftpd_is_daemon',` - userdom_manage_user_home_content_files($1,ftpd_t) - userdom_manage_user_home_content_symlinks($1,ftpd_t) - userdom_manage_user_home_content_sockets($1,ftpd_t) - userdom_manage_user_home_content_pipes($1,ftpd_t) - userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) - ') + userdom_manage_user_home_content_files($1,ftpd_t) + userdom_manage_user_home_content_symlinks($1,ftpd_t) + userdom_manage_user_home_content_sockets($1,ftpd_t) + userdom_manage_user_home_content_pipes($1,ftpd_t) + userdom_user_home_dir_filetrans_user_home_content($1,ftpd_t,{ dir file lnk_file sock_file fifo_file }) ') ######################################## diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index 3138f0c8..033d90a1 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -1,11 +1,50 @@ -policy_module(ftp,1.4.3) +policy_module(ftp,1.4.4) ######################################## # # Declarations # +## +##
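Review bot: Dropping the `tunable_policy` wrapper in `ftp_per_role_template` leaves the five `userdom_manage_user_home_content_*` / `userdom_user_home_dir_filetrans_user_home_content` grants to `ftpd_t` unconditional, so the ftp server can create, modify and delete every user's home content with no tunable to turn that off. The removed guard (`ftpd_is_daemon`) was arguably the wrong one, but the intended gate looks like `ftp_home_dir`, which this same commit moves into ftp.te and which the rest of ftp.te already uses for home-directory access. Unless the caller of this template is itself gated (not visible here), keep the calls inside `tunable_policy(`ftp_home_dir',` … `)` so the per-role home access stays opt-in.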

+## Allow ftp servers to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(allow_ftpd_anon_write,false) + +## +##

+## Allow ftp servers to login to local users and +## read/write all files on the system, governed by DAC. +##

+##
+gen_tunable(allow_ftpd_full_access,false) + +## +##

+## Allow ftp servers to use cifs +## used for public file transfer services. +##

+##
+gen_tunable(allow_ftpd_use_cifs,false) + +## +##

+## Allow ftp servers to use nfs +## used for public file transfer services. +##

+##
+gen_tunable(allow_ftpd_use_nfs,false) + +## +##

+## Allow ftp to read and write files in the user home directories +##

+##
+gen_tunable(ftp_home_dir,false) + type ftpd_t; type ftpd_exec_t; init_daemon_domain(ftpd_t,ftpd_exec_t) @@ -13,7 +52,6 @@ init_daemon_domain(ftpd_t,ftpd_exec_t) type ftpd_etc_t; files_config_file(ftpd_etc_t) -# ftpd_lock_t is only needed when ftpd_is_daemon is true, but we cannot define types conditionally type ftpd_lock_t; files_lock_file(ftpd_lock_t) @@ -53,6 +91,9 @@ allow ftpd_t self:udp_socket create_socket_perms; allow ftpd_t ftpd_etc_t:file read_file_perms; +allow ftpd_t ftpd_lock_t:file manage_file_perms; +files_lock_filetrans(ftpd_t,ftpd_lock_t,file) + manage_dirs_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) manage_files_pattern(ftpd_t,ftpd_tmp_t,ftpd_tmp_t) files_tmp_filetrans(ftpd_t, ftpd_tmp_t, { file dir }) @@ -198,13 +239,6 @@ tunable_policy(`ftp_home_dir && use_samba_home_dirs',` fs_read_cifs_symlinks(ftpd_t) ') -tunable_policy(`ftpd_is_daemon',` - allow ftpd_t ftpd_lock_t:file manage_file_perms; - files_lock_filetrans(ftpd_t,ftpd_lock_t,file) - - corenet_tcp_bind_ftp_port(ftpd_t) -') - optional_policy(` tunable_policy(`ftp_home_dir',` apache_search_sys_content(ftpd_t) @@ -232,17 +266,10 @@ optional_policy(` ') optional_policy(` - #reh: typeattributes not allowed in conditionals yet. - #tunable_policy(`! ftpd_is_daemon',` - # inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) - #') - inetd_tcp_service_domain(ftpd_t,ftpd_exec_t) optional_policy(` - tunable_policy(`! ftpd_is_daemon',` - tcpd_domtrans(tcpd_t) - ') + tcpd_domtrans(tcpd_t) ') ') diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te index c746cd44..344c57ab 100644 --- a/policy/modules/services/inetd.te +++ b/policy/modules/services/inetd.te @@ -1,5 +1,5 @@ -policy_module(inetd,1.2.3) +policy_module(inetd,1.2.4) ######################################## # 
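Review bot: The `@@ -198,13 +239,6 @@` hunk deletes the whole `ftpd_is_daemon` block, but only its two lock-file rules are re-added unconditionally in the `@@ -53,6 +91,9 @@` hunk; `corenet_tcp_bind_ftp_port(ftpd_t)` is dropped with no replacement anywhere in this file's hunks, so a standalone ftpd would lose permission to bind the ftp port unless that call already exists elsewhere in ftp.te. Add `corenet_tcp_bind_ftp_port(ftpd_t)` next to the re-added `files_lock_filetrans(ftpd_t,ftpd_lock_t,file)`. The inetd.te hunk that follows does the same with `ftp_check_exec(inetd_t)`, removing it together with the tunable instead of hoisting it; it may be redundant now that `inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)` is unconditional, but that is worth confirming rather than assuming, and the commit message does not mention either removal.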
@@ -227,13 +227,6 @@ ifdef(`targeted_policy',` unconfined_domain(inetd_child_t) ') -optional_policy(` - tunable_policy(`ftpd_is_daemon',` - # Allows it to check exec privs on daemon - ftp_check_exec(inetd_t) - ') -') - optional_policy(` kerberos_use(inetd_child_t) ') diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index a384b13c..142974b5 100644 --- a/policy/modules/services/kerberos.te +++ b/policy/modules/services/kerberos.te @@ -1,11 +1,18 @@ -policy_module(kerberos,1.3.3) +policy_module(kerberos,1.3.4) ######################################## # # Declarations # +## +##

+## Allow system to run with kerberos +##

+##
+gen_tunable(allow_kerberos,false) + type kadmind_t; type kadmind_exec_t; init_daemon_domain(kadmind_t,kadmind_exec_t) diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te index 5d74d247..ef0f8eda 100644 --- a/policy/modules/services/lpd.te +++ b/policy/modules/services/lpd.te @@ -1,11 +1,18 @@ -policy_module(lpd,1.4.2) +policy_module(lpd,1.4.3) ######################################## # # Declarations # +## +##

+## Use lpd server instead of cups +##

+##
+gen_tunable(use_lpd_server,false) + type checkpc_t; type checkpc_exec_t; init_system_domain(checkpc_t,checkpc_exec_t) diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te index 7b7d00a3..f7c683e9 100644 --- a/policy/modules/services/ppp.te +++ b/policy/modules/services/ppp.te @@ -1,11 +1,27 @@ -policy_module(ppp,1.3.1) +policy_module(ppp,1.3.2) ######################################## # # Declarations # +## +##

+## Allow pppd to load kernel modules for certain modems +##

+##
+gen_tunable(pppd_can_insmod,false) + +ifdef(`strict_policy',` +## +##

+## Allow pppd to be run for a regular user +##

+##
+gen_tunable(pppd_for_user,false) +') + # pppd_t is the domain for the pppd program. # pppd_exec_t is the type of the pppd executable. type pppd_t; @@ -172,20 +188,6 @@ ifdef(`targeted_policy', ` term_dontaudit_use_unallocated_ttys(pppd_t) term_dontaudit_use_generic_ptys(pppd_t) files_dontaudit_read_root_files(pppd_t) - - optional_policy(` - gen_require(` - bool postfix_disable_trans; - ') - - if(!postfix_disable_trans) { - postfix_domtrans_master(pppd_t) - } - ') -',` - optional_policy(` - postfix_domtrans_master(pppd_t) - ') ') optional_policy(` @@ -210,6 +212,10 @@ optional_policy(` nscd_socket_use(pppd_t) ') +optional_policy(` + postfix_domtrans_master(pppd_t) +') + optional_policy(` seutil_sigchld_newrole(pppd_t) ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index e21f3e71..697d7803 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -1,11 +1,26 @@ -policy_module(rpc,1.4.3) +policy_module(rpc,1.4.4) ######################################## # # Declarations # +## +##
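Review bot: Collapsing the two postfix blocks in the `@@ -172,20 +188,6 @@` and `@@ -210,6 +212,10 @@` hunks drops the `if(!postfix_disable_trans)` guard that targeted policy previously applied before `postfix_domtrans_master(pppd_t)`, which goes beyond moving tunables into modules. If the `postfix_disable_trans` boolean still exists in targeted policy, an administrator who sets it to run postfix unconfined will now still get a confined `postfix_master_t` whenever pppd starts it, an inconsistent and probably unexpected result. If dropping the guard is intentional, say so in the commit message; otherwise keep the `gen_require(` bool postfix_disable_trans; ')` / `if(!postfix_disable_trans) { ... }` wrapper under `ifdef(`targeted_policy'`.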

+## Allow gssd to read temp directory. +##

+##
+gen_tunable(allow_gssd_read_tmp,true) + +## +##

+## Allow nfs servers to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(allow_nfsd_anon_write,false) + type exports_t; files_type(exports_t) diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te index 5e12b876..682d5f28 100644 --- a/policy/modules/services/rsync.te +++ b/policy/modules/services/rsync.te @@ -1,11 +1,19 @@ -policy_module(rsync,1.3.1) +policy_module(rsync,1.3.2) ######################################## # # Declarations # +## +##

+## Allow rsync to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(allow_rsync_anon_write,false) + type rsync_t; type rsync_exec_t; init_daemon_domain(rsync_t,rsync_exec_t) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index b2a5004a..a114c46c 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,11 +1,33 @@ -policy_module(samba,1.4.2) +policy_module(samba,1.4.3) ################################# # # Declarations # +## +##

+## Allow samba to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(allow_smbd_anon_write,false) + +## +##

+## Allow samba to export user home directories. +##

+##
+gen_tunable(samba_enable_home_dirs,false) + +## +##

+## Allow samba to export NFS volumes. +##

+##
+gen_tunable(samba_share_nfs,false) + type nmbd_t; type nmbd_exec_t; init_daemon_domain(nmbd_t,nmbd_exec_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index a20ace85..6128b90f 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -1,11 +1,18 @@ -policy_module(sasl,1.4.1) +policy_module(sasl,1.4.2) ######################################## # # Declarations # +## +##

+## Allow sasl to read shadow +##

+##
+gen_tunable(allow_saslauthd_read_shadow,false) + type saslauthd_t; type saslauthd_exec_t; init_daemon_domain(saslauthd_t,saslauthd_exec_t) diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index 2a8e3a4b..f5e023eb 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -1,11 +1,29 @@ -policy_module(spamassassin,1.5.5) +policy_module(spamassassin,1.5.6) ######################################## # # Declarations # +ifdef(`strict_policy',` +## +##

+## Allow user spamassassin clients to use the network. +##

+##
+gen_tunable(spamassassin_can_network,false) +') + +ifdef(`targeted_policy',` +## +##

+## Allow spamd to read/write user home directories. +##

+##
+gen_tunable(spamd_enable_home_dirs,true) +') + # spamassassin client executable type spamc_exec_t; corecmd_executable_file(spamc_exec_t) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index 18ebdd85..8fa700fe 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -1,11 +1,19 @@ -policy_module(squid,1.2.1) +policy_module(squid,1.2.2) ######################################## # # Declarations # +## +##
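Review bot: `spamd_enable_home_dirs` defaults to `true` under `ifdef(`targeted_policy'` in the `@@ -1,11 +1,29 @@` hunk, so spamd gets read/write access to user home directories out of the box on targeted systems, yet the description `Allow spamd to read/write user home directories.` does not say that this is the default. Since this text is what the generated tunable index will show administrators, they should not have to read the declaration to learn that the permissive setting is on. Extend it to `Allow spamd to read/write user home directories (enabled by default in targeted policy; disable to keep spamd out of home directories).`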

+## Allow squid to connect to all ports, not just +## HTTP, FTP, and Gopher ports. +##

+##
+gen_tunable(squid_connect_any,false) + type squid_t; type squid_exec_t; init_daemon_domain(squid_t,squid_exec_t) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index b22317cb..4b05a154 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -476,6 +476,7 @@ template(`ssh_server_template', ` corenet_non_ipsec_sendrecv($1_t) corenet_tcp_bind_all_nodes($1_t) corenet_udp_bind_all_nodes($1_t) + corenet_tcp_bind_ssh_port($1_t) corenet_tcp_connect_all_ports($1_t) corenet_sendrecv_ssh_server_packets($1_t) @@ -517,25 +518,6 @@ template(`ssh_server_template', ` fs_read_cifs_files($1_t) ') - # cjp: commenting out until typeattribute works in conditional - # and require block in optional else is resolved - #optional_policy(` - # tunable_policy(`run_ssh_inetd',` - # allow $1_t self:process signal; - # files_list_pids($1_t) - # ',` - # corenet_tcp_bind_ssh_port($1_t) - # init_use_fds($1_t) - # init_use_script_ptys($1_t) - # ') - #',` - # These rules should match the else block - # of the run_ssh_inetd tunable directly above - corenet_tcp_bind_ssh_port($1_t) - init_use_fds($1_t) - init_use_script_ptys($1_t) - #') - optional_policy(` kerberos_use($1_t) ') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index cf9cceb8..cbe8c0d9 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,11 +1,25 @@ -policy_module(ssh,1.5.1) +policy_module(ssh,1.5.2) ######################################## # # Declarations # +## +##
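Review bot: Deleting the commented-out `run_ssh_inetd` block in the `@@ -517,25 +518,6 @@` hunk also removes the two live rules that were its fallback, `init_use_fds($1_t)` and `init_use_script_ptys($1_t)`; only `corenet_tcp_bind_ssh_port($1_t)` is carried over (in the `@@ -476,6 +477,7 @@` hunk), and ssh.if's diff consists of just these two hunks, so nothing re-adds them. Unless those permissions are already granted elsewhere in `ssh_server_template` (its body extends beyond both hunks), an sshd started from an init script will be denied access to init's file descriptors and script ptys. Re-add them beside the bind rule: `init_use_fds($1_t)` and `init_use_script_ptys($1_t)`.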

+## allow host key based authentication +##

+##
+gen_tunable(allow_ssh_keysign,false) + +## +##

+## Allow ssh logins as sysadm_r:sysadm_t +##

+##
+gen_tunable(ssh_sysadm_login,false) + attribute ssh_server; # Type for the ssh-agent executable. @@ -140,6 +154,8 @@ tunable_policy(`ssh_sysadm_login',` ifdef(`strict_policy',` ifdef(`TODO',` + domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) + domain_trans(sshd_extern_t, shell_exec_t, user_mini_domain) # Signal the user domains. allow sshd_extern_t user_mini_domain:process signal; @@ -159,15 +175,7 @@ ifdef(`strict_policy',` allow user_mini_domain sshd_extern_t:unix_stream_socket rw_stream_socket_perms; optional_policy(` - tunable_policy(`run_ssh_inetd',` - domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) - ',` - domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) - ') - ',` - # These rules should match the else block - # of the run_ssh_inetd tunable directly above - domain_trans(initrc_t, sshd_exec_t, sshd_extern_t) + domain_trans(inetd_t, sshd_exec_t, sshd_extern_t) ') ifdef(`direct_sysadm_daemon', ` diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te index 73160ea7..09443a48 100644 --- a/policy/modules/services/stunnel.te +++ b/policy/modules/services/stunnel.te @@ -1,5 +1,5 @@ -policy_module(stunnel,1.2.1) +policy_module(stunnel,1.2.2) ######################################## # @@ -127,13 +127,9 @@ ifdef(`distro_gentoo', ` ') ') -tunable_policy(`stunnel_is_daemon',` - allow stunnel_t self:tcp_socket create_stream_socket_perms; - - # hack since this port has no interfaces since it doesnt - # have net_contexts - gen_require(` - type stunnel_port_t; - ') - allow stunnel_t stunnel_port_t:tcp_socket name_bind; +# hack since this port has no interfaces since it doesnt +# have net_contexts +gen_require(` + type stunnel_port_t; ') +allow stunnel_t stunnel_port_t:tcp_socket name_bind; diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 4c299e20..c94dc602 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
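Review bot: The `domain_trans(initrc_t, sshd_exec_t, sshd_extern_t)` added in the `@@ -140,6 +154,8 @@` hunk, and the `domain_trans(inetd_t, sshd_exec_t, sshd_extern_t)` that replaces the `run_ssh_inetd` block in the `@@ -159,15 +175,7 @@` hunk, sit under the `ifdef(`TODO',` shown as context, so they are never compiled into the policy and the rewrite has no effect on `sshd_extern_t`. I am inferring that the second hunk is inside the same `ifdef` from its `user_mini_domain` references; the closing `')` lies outside both hunks. Reworking parked code is harmless, but it would help the next reader to either delete the TODO block or mark it, e.g. `# TODO: sshd_extern_t rules are not built until user_mini_domain exists`, so nobody assumes these transitions are active.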
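Review bot: Un-gating the `stunnel_is_daemon` block in the `@@ -127,13 +127,9 @@` hunk keeps `allow stunnel_t stunnel_port_t:tcp_socket name_bind;` but drops `allow stunnel_t self:tcp_socket create_stream_socket_perms;`, and nothing on the new side re-adds it. Unless an equivalent `self:tcp_socket` rule already exists higher in stunnel.te (outside this hunk), stunnel running as a daemon can bind its port but not create, `listen` on or `accept` from the socket, a regression for exactly the daemon mode this hunk is meant to preserve. Restore it next to the bind rule: `allow stunnel_t self:tcp_socket create_stream_socket_perms;`.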
@@ -1,11 +1,28 @@ -policy_module(xserver,1.3.3) +policy_module(xserver,1.3.4) ######################################## # # Declarations # +ifdef(`strict_policy',` +## +##

+## Allows clients to write to the X server shared +## memory segments. +##

+##
+gen_tunable(allow_write_xshm,false) +') + +## +##

+## Allow xdm logins as sysadm +##

+##
+gen_tunable(xdm_sysadm_login,false) + attribute fonts_type; attribute fonts_cache_type; attribute fonts_config_type; diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te index c32fe07d..27cb5715 100644 --- a/policy/modules/services/zebra.te +++ b/policy/modules/services/zebra.te @@ -1,11 +1,19 @@ -policy_module(zebra,1.3.1) +policy_module(zebra,1.3.2) ######################################## # # Declarations # +## +##

+## Allow zebra daemon to write it configuration files +##

+##
+# +gen_tunable(allow_zebra_write_config,false) + type zebra_t; type zebra_exec_t; init_daemon_domain(zebra_t,zebra_exec_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index d92065f4..cf355f6e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,5 +1,5 @@ -policy_module(init,1.5.4) +policy_module(init,1.5.5) gen_require(` class passwd rootok; @@ -10,6 +10,15 @@ gen_require(` # Declarations # +ifdef(`targeted_policy',` +## +##
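Review bot: The `@@ -1,11 +1,19 @@` hunk in zebra.te has a typo in the tunable description, `Allow zebra daemon to write it configuration files`, and a stray `+#` line between the end of the description and `gen_tunable(allow_zebra_write_config,false)` that none of the other declarations in this commit have. Change the text to `Allow the zebra daemon to write its configuration files` and drop the bare `#` so the declaration matches the layout used in the other modules.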

+## Allow all daemons the ability to use unallocated ttys +##

+##
+gen_tunable(allow_daemons_use_tty,false) +') + # used for direct running of init scripts # by admin domains attribute direct_run_init; diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 1d095283..d7ae4b78 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -1,11 +1,20 @@ -policy_module(mount,1.5.0) +policy_module(mount,1.5.1) ######################################## # # Declarations # +ifdef(`targeted_policy',` +## +##

+## Allow mount to mount any file +##

+##
+gen_tunable(allow_mount_anyfile,false) +') + type mount_t; type mount_exec_t; init_system_domain(mount_t,mount_exec_t) diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index d3fa84ef..ec35724e 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain,2.1.2) +policy_module(userdomain,2.1.3) gen_require(` role sysadm_r, staff_r, user_r; @@ -15,6 +15,51 @@ gen_require(` # Declarations # +ifdef(`strict_policy',` +## +##

+## Allow sysadm to ptrace all processes +##

+##
+gen_tunable(allow_ptrace,false) + +## +##

+## Allow users to connect to mysql +##

+##
+gen_tunable(allow_user_mysql_connect,false) + +## +##

+## Allow regular users direct mouse access +##

+##
+gen_tunable(user_direct_mouse,false) + +## +##

+## Allow users to read system messages. +##

+##
+gen_tunable(user_dmesg,false) + +## +##

+## Allow user to r/w files on filesystems +## that do not have extended attributes (FAT, CDROM, FLOPPY) +##

+##
+gen_tunable(user_rw_noexattrfile,false) + +## +##

+## Allow w to display everyone +##

+##
+gen_tunable(user_ttyfile_stat,false) +') + # admin users terminals (tty and pty) attribute admin_terminal; diff --git a/support/Makefile.devel b/support/Makefile.devel index 595f7789..ccbec6b5 100644 --- a/support/Makefile.devel +++ b/support/Makefile.devel @@ -33,7 +33,7 @@ genxml := $(PYTHON) $(HEADERDIR)/support/segenxml.py docs = doc polxml = $(docs)/policy.xml xmldtd = $(HEADERDIR)/support/policy.dtd -layerxml = metadata.xml +metaxml = metadata.xml globaltun = $(HEADERDIR)/global_tunables.xml globalbool = $(HEADERDIR)/global_booleans.xml 
@@ -84,26 +84,41 @@ M4PARAM += -D hide_broken_symptoms -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$ # policy headers m4support = $(wildcard $(HEADERDIR)/support/*.spt) + all_layers = $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEADERDIR)/*) -maxdepth 0 -type d)) all_interfaces = $(foreach layer,$(all_layers),$(wildcard $(layer)/*.if)) rolemap = $(HEADERDIR)/rolemap detected_layers = $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d)) + +clayers = $(addprefix $(CURDIR)/, $(filter $(notdir $(detected_layers)), $(notdir $(all_layers)))) +all_layers_subset = $(addprefix $(HEADERDIR)/, $(filter-out $(notdir $(detected_layers)), $(notdir $(all_layers)))) +detected_layers_subset = $(addprefix $(CURDIR)/, $(filter-out $(notdir $(clayers)), $(notdir $(detected_layers)))) + 3rd_party_mods = $(wildcard *.te) detected_mods = $(3rd_party_mods) $(foreach layer,$(detected_layers),$(wildcard $(layer)/*.te)) +detected_mods_subset = $(3rd_party_mods) $(foreach layer,$(detected_layers_subset),$(wildcard $(layer)/*.te)) + detected_ifs = $(detected_mods:.te=.if) detected_fcs = $(detected_mods:.te=.fc) all_packages = $(notdir $(detected_mods:.te=.pp)) +modxml = $(addprefix $(CURDIR)/, $(detected_mods_subset:.te=.xml)) +layerxml = $(addprefix tmp/, $(notdir $(addsuffix .xml, $(detected_layers_subset) $(CURDIR)))) + +hmodxml = $(all_interfaces:.if=.xml) +hlayerxml = $(addsuffix .xml, $(addprefix tmp/, $(notdir $(all_layers_subset)))) +hmetaxml = $(foreach layer, $(all_layers_subset), $(layer)/$(metaxml)) + +cmods = $(foreach layer, $(clayers), $(wildcard $(layer)/*.te)) +cmodxml = $(cmods:.te=.xml) +clayerxml= $(addsuffix .xml, $(addprefix tmp/, $(notdir $(clayers)))) +cmetaxml = $(foreach layer, $(notdir $(clayers)), $(HEADERDIR)/$(layer)/$(metaxml)) + vpath %.te $(detected_layers) vpath %.if $(detected_layers) vpath %.fc $(detected_layers) -# if there are modules in the current directory, add them into the third party layer -ifneq 
"$(3rd_party_mods)" "" - genxml += -3 . -endif - ######################################## # # Functions 
@@ -197,18 +212,45 @@ $(detected_ifs) $(detected_fcs): # Documentation generation # -# minimal dependencies here, because we don't want to rebuild -# this and its dependents every time the dependencies -# change. Also use all .if files here, rather then just the -# enabled modules. -$(polxml): $(detected_ifs) $(foreach dir,$(all_layers),$(dir)/$(layerxml)) - @echo "Creating $@" - @mkdir -p doc +$(clayerxml): %.xml: $(cmodxml) $(hmodxml) $(cmetaxml) + @test -d tmp || mkdir -p tmp + $(verbose) echo '' > $@ + $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@; + $(verbose) cat $(filter $(addprefix $(CURDIR)/, $(notdir $*))/%, $(cmodxml)) >> $@ + $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@ + $(verbose) echo '' >> $@ + +$(hlayerxml): %.xml: $(hmodxml) $(hmetaxml) + @test -d tmp || mkdir -p tmp + $(verbose) echo '' > $@ + $(verbose) cat $(addprefix $(HEADERDIR)/, $(notdir $*)/$(metaxml)) >> $@; + $(verbose) cat $(filter-out $(addprefix $(HEADERDIR)/, $(notdir $*))/$(metaxml), $(filter $(addprefix $(HEADERDIR)/, $(notdir $*))/%, $(hmodxml))) >> $@ + $(verbose) echo '' >> $@ + +$(cmodxml) $(modxml): %.xml: %.if %.te + $(verbose) $(genxml) -w -m $* > $@ + +$(layerxml): %.xml: $(modxml) + @test -d tmp || mkdir -p tmp + $(verbose) echo '' > $@ + $(verbose) if test -f '$(metaxml)'; then \ + cat $(metaxml) >> $@; \ + else \ + echo 'This is all third-party generated modules.' 
>> $@; \ + fi + $(verbose) cat $(filter-out %/$(metaxml), $^) >> $@ + $(verbose) echo '' >> $@ + +$(polxml): $(clayerxml) $(hlayerxml) $(layerxml) $(globaltun) $(globalbool) + @echo "Creating $(@F)" + @test -d $(dir $(polxml)) || mkdir -p $(dir $(polxml)) $(verbose) echo '' > $@ - $(verbose) echo '' >> $@ - $(verbose) $(genxml) -m $(layerxml) --tunables-xml $(globaltun) --booleans-xml $(globalbool) $(all_layers) $(detected_layers) >> $@ + $(verbose) echo '' >> $@ + $(verbose) echo '' >> $@ + $(verbose) cat $(sort $(clayerxml) $(hlayerxml) $(layerxml)) $(globaltun) $(globalbool) >> $@ + $(verbose) echo '' >> $@ $(verbose) if test -x $(XMLLINT) && test -f $(xmldtd); then \ - $(XMLLINT) --noout --dtdvalid $(xmldtd) $@ ;\ + $(XMLLINT) --noout --path $(dir $(xmldtd)) --dtdvalid $(xmldtd) $@ ;\ fi ######################################## diff --git a/support/sedoctool.py b/support/sedoctool.py index 55eee3b4..f15a5b50 100644 --- a/support/sedoctool.py +++ b/support/sedoctool.py @@ -1,6 +1,7 @@ #!/usr/bin/python # Author: Joshua Brindle +# Caleb Case # # Copyright (C) 2005 - 2006 Tresys Technology, LLC # This program is free software; you can redistribute it and/or modify @@ -317,6 +318,12 @@ def gen_docs(doc, working_dir, templatedir): templatefile = open(templatedir + "/template.html", "r") templatedata = templatefile.read() templatefile.close() + tunfile = open(templatedir + "/tunable.html", "r") + tundata = tunfile.read() + tunfile.close() + boolfile = open(templatedir + "/boolean.html", "r") + booldata = boolfile.read() + boolfile.close() menufile = open(templatedir + "/menu.html", "r") menudata = menufile.read() menufile.close() 
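Review bot: Each of the new XML recipes in the `@@ -197,18 +212,45 @@` hunk builds `$@` with a `>` followed by several `>>` appends (and the `$(cmodxml) $(modxml)` rule with a single `$(genxml) -w -m $* > $@`), so a `cat` or `segenxml.py` failure part-way through leaves a truncated `$@` that is newer than its prerequisites and is treated as up to date on the next run. Because these fragments feed `$(polxml)` and its DTD validation, a stale partial file silently yields wrong documentation. Either add `.DELETE_ON_ERROR:` to this makefile or write each file as `$@.tmp` and finish with `mv -f $@.tmp $@`; the stray trailing `;` on the `cat ... $(metaxml) >> $@;` lines in the two layer recipes can go at the same time.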
@@ -332,12 +339,18 @@ def gen_docs(doc, working_dir, templatedir): templistfile = open(templatedir + "/temp_list.html", "r") templistdata = templistfile.read() templistfile.close() - boollistfile = open(templatedir + "/global_bool_list.html", "r") - boollistdata = boollistfile.read() - boollistfile.close() - tunlistfile = open(templatedir + "/global_tun_list.html", "r") + tunlistfile = open(templatedir + "/tun_list.html", "r") tunlistdata = tunlistfile.read() tunlistfile.close() + boollistfile = open(templatedir + "/bool_list.html", "r") + boollistdata = boollistfile.read() + boollistfile.close() + gboollistfile = open(templatedir + "/global_bool_list.html", "r") + gboollistdata = gboollistfile.read() + gboollistfile.close() + gtunlistfile = open(templatedir + "/global_tun_list.html", "r") + gtunlistdata = gtunlistfile.read() + gtunlistfile.close() except: error("Could not open templates") @@ -412,6 +425,8 @@ def gen_docs(doc, working_dir, templatedir): all_interfaces = [] all_templates = [] + all_tunables = [] + all_booleans = [] for node in doc.getElementsByTagName("module"): mod_name = mod_layer = mod_desc = interface_buf = '' 
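Review bot: The four extra template opens added in the `@@ -332,12 +339,18 @@` hunk all sit under the existing bare `except:` that reports only `Could not open templates`, so when one of the new files (`tun_list.html`, `bool_list.html`, ...) is missing the error does not say which. Narrow the handler and include the exception, which carries the filename: `except IOError, e:` / `error("Could not open templates: %s" % e)` (Python 2 syntax, matching the `list.sort(cmp)` calls elsewhere in the file). A bare `except:` also swallows KeyboardInterrupt, which is not wanted here.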
@@ -511,6 +526,54 @@ def gen_docs(doc, working_dir, templatedir): template_tpl = pyplate.Template(templatedata) template_buf = template_tpl.execute_string({"templates" : templates}) + #generate 'boolean' pages + booleans = [] + for boolean in node.getElementsByTagName("bool"): + boolean_parameters = [] + boolean_desc = None + boolean_name = boolean.getAttribute("name") + boolean_dftval = boolean.getAttribute("dftval") + for desc in boolean.childNodes: + if desc.nodeName == "desc": + boolean_desc = format_html_desc(desc) + + booleans.append({ "bool_name" : boolean_name, + "desc" : boolean_desc, + "def_val" : boolean_dftval }) + #all_booleans is for the main boolean index with all booleans + all_booleans.append({ "bool_name" : boolean_name, + "desc" : boolean_desc, + "def_val" : boolean_dftval, + "mod_name": mod_name, + "mod_layer" : mod_layer }) + booleans.sort(bool_cmp) + boolean_tpl = pyplate.Template(booldata) + boolean_buf = boolean_tpl.execute_string({"booleans" : booleans}) + + #generate 'tunable' pages + tunables = [] + for tunable in node.getElementsByTagName("tunable"): + tunable_parameters = [] + tunable_desc = None + tunable_name = tunable.getAttribute("name") + tunable_dftval = tunable.getAttribute("dftval") + for desc in tunable.childNodes: + if desc.nodeName == "desc": + tunable_desc = format_html_desc(desc) + + tunables.append({ "tun_name" : tunable_name, + "desc" : tunable_desc, + "def_val" : tunable_dftval }) + #all_tunables is for the main tunable index with all tunables + all_tunables.append({ "tun_name" : tunable_name, + "desc" : tunable_desc, + "def_val" : tunable_dftval, + "mod_name": mod_name, + "mod_layer" : mod_layer }) + tunables.sort(tun_cmp) + tunable_tpl = pyplate.Template(tundata) + tunable_buf = tunable_tpl.execute_string({"tunables" : tunables}) + menu = gen_doc_menu(mod_layer, module_list) 
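Review bot: In the `@@ -511,6 +526,54 @@` hunk `boolean_parameters = []` and `tunable_parameters = []` are assigned and never used, left over from the interface loop this code was copied from; drop both lines. The two loops are otherwise identical apart from the element name and the `bool_name`/`tun_name` key, so a small helper taking the tag name and key would halve the block and keep the two indexes from drifting apart in later edits. Also note that `boolean_desc` and `tunable_desc` stay `None` when a declaration has no `desc` child, so `boolean.html` and `tunable.html` (not in this diff) must cope with `None` rather than a string.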
@@ -531,6 +594,10 @@ def gen_docs(doc, working_dir, templatedir): interface_buf = None if not template_buf.strip(): template_buf = None + if not tunable_buf.strip(): + tunable_buf = None + if not boolean_buf.strip(): + boolean_buf = None module_args = { "mod_layer" : mod_layer, "mod_name" : mod_name, @@ -538,7 +605,9 @@ def gen_docs(doc, working_dir, templatedir): "mod_desc" : mod_desc, "mod_req" : mod_req, "interfaces" : interface_buf, - "templates": template_buf } + "templates" : template_buf, + "tunables" : tunable_buf, + "booleans" : boolean_buf } module_tpl = pyplate.Template(moduledata) module_buf = module_tpl.execute_string(module_args) @@ -590,19 +659,19 @@ def gen_docs(doc, working_dir, templatedir): #build the global tunable index - global_tun_buf = [] + global_tun = [] for tunable in doc.getElementsByTagName("tunable"): if tunable.parentNode.nodeName == "policy": tunable_name = tunable.getAttribute("name") default_value = tunable.getAttribute("dftval") for desc in tunable.getElementsByTagName("desc"): description = format_html_desc(desc) - global_tun_buf.append( { "tun_name" : tunable_name, + global_tun.append( { "tun_name" : tunable_name, "def_val" : default_value, "desc" : description } ) - global_tun_buf.sort(tun_cmp) - global_tun_tpl = pyplate.Template(tunlistdata) - global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun_buf}) + global_tun.sort(tun_cmp) + global_tun_tpl = pyplate.Template(gtunlistdata) + global_tun_buf = global_tun_tpl.execute_string({"tunables" : global_tun}) global_tun_file = "global_tunables.html" global_tun_fh = open(global_tun_file, "w") body_tpl = pyplate.Template(bodydata) 
@@ -613,21 +682,35 @@ def gen_docs(doc, working_dir, templatedir): body_tpl.execute(global_tun_fh, body_args) global_tun_fh.close() + #build the tunable index + all_tunables = all_tunables + global_tun + all_tunables.sort(tun_cmp) + tunable_tpl = pyplate.Template(tunlistdata) + tunable_buf = tunable_tpl.execute_string({"tunables" : all_tunables}) + temp_file = "tunables.html" + temp_fh = open(temp_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : tunable_buf } + + body_tpl.execute(temp_fh, body_args) + temp_fh.close() #build the global boolean index - global_bool_buf = [] + global_bool = [] for boolean in doc.getElementsByTagName("bool"): if boolean.parentNode.nodeName == "policy": bool_name = boolean.getAttribute("name") default_value = boolean.getAttribute("dftval") for desc in boolean.getElementsByTagName("desc"): description = format_html_desc(desc) - global_bool_buf.append( { "bool_name" : bool_name, + global_bool.append( { "bool_name" : bool_name, "def_val" : default_value, "desc" : description } ) - global_bool_buf.sort(bool_cmp) - global_bool_tpl = pyplate.Template(boollistdata) - global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool_buf}) + global_bool.sort(bool_cmp) + global_bool_tpl = pyplate.Template(gboollistdata) + global_bool_buf = global_bool_tpl.execute_string({"booleans" : global_bool}) global_bool_file = "global_booleans.html" global_bool_fh = open(global_bool_file, "w") body_tpl = pyplate.Template(bodydata) 
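Review bot: `all_tunables = all_tunables + global_tun` in the `@@ -613,21 +682,35 @@` hunk merges two lists of different shape: the per-module entries carry `mod_name` and `mod_layer` keys, while the `global_tun` entries built in the preceding hunk have only `tun_name`, `def_val` and `desc`. If `tun_list.html` (not in this diff) renders a module link from those keys, the global entries will fail or render empty in the combined `tunables.html`. Either add `"mod_name" : "", "mod_layer" : ""` placeholders to the global entries or make the template tolerate their absence; the boolean index in the next hunk has the same mismatch.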
@@ -637,6 +720,21 @@ def gen_docs(doc, working_dir, templatedir): body_tpl.execute(global_bool_fh, body_args) global_bool_fh.close() + + #build the boolean index + all_booleans = all_booleans + global_bool + all_booleans.sort(bool_cmp) + boolean_tpl = pyplate.Template(boollistdata) + boolean_buf = boolean_tpl.execute_string({"booleans" : all_booleans}) + temp_file = "booleans.html" + temp_fh = open(temp_file, "w") + body_tpl = pyplate.Template(bodydata) + + body_args = { "menu" : menu_buf, + "content" : boolean_buf } + + body_tpl.execute(temp_fh, body_args) + temp_fh.close() diff --git a/support/segenxml.py b/support/segenxml.py index 10cc8bdd..d6c4fd59 100644 --- a/support/segenxml.py +++ b/support/segenxml.py @@ -3,6 +3,7 @@ # Author(s): Donald Miner # Dave Sugar # Brian Williams +# Caleb Case # # Copyright (C) 2005 - 2006 Tresys Technology, LLC # This program is free software; you can redistribute it and/or modify @@ -18,6 +19,7 @@ import sys import os import glob import re +import getopt # GLOBALS @@ -70,9 +72,15 @@ def getModuleXML(file_name): Returns the XML data for a module in a list, one line per list item. ''' + # Gather information. + module_dir = os.path.dirname(file_name) + module_name = os.path.basename(file_name) + module_te = "%s/%s.te" % (module_dir, module_name) + module_if = "%s/%s.if" % (module_dir, module_name) + # Try to open the file, if it cant, just ignore it. try: - module_file = open(file_name, "r") + module_file = open(module_if, "r") module_code = module_file.readlines() module_file.close() except: @@ -83,7 +91,7 @@ def getModuleXML(file_name): # Infer the module name, which is the base of the file name. module_buf.append("\n" - % (os.path.splitext(os.path.split(file_name)[-1])[0], file_name)) + % (os.path.splitext(os.path.split(file_name)[-1])[0], module_if)) temp_buf = [] interface = None 
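Review bot: In the `@@ -70,9 +72,15 @@` hunk `module_te` and `module_if` are built with `"%s/%s.te" % (module_dir, module_name)`, so a bare module name with no directory component (`os.path.dirname` returns `''`) becomes the absolute path `/name.te`, and the subsequent `.if` open silently fails through the bare `except` shown as context. The makefile callers pass full paths, but the `-m` option accepts any string, including the relative names a developer would type by hand. Use `os.path.join(module_dir, module_name + ".te")` (and likewise for `.if`) so both forms resolve relative to the given location.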
@@ -175,54 +183,13 @@ def getModuleXML(file_name): elif temp_buf: warning("orphan XML comments at bottom of file %s" % file_name) + # Process the TE file if it exists. + module_buf = module_buf + getTunableXML(module_te, "both") + module_buf.append("\n") return module_buf -def getLayerXML (layerName, directories): - ''' - Returns the XML documentation for a layer. - ''' - - layer_buf = [] - - # Infer the layer name from the directory name. - layer_buf.append("\n" % layerName) - - # Try to file the metadata file for this layer and if it exists, - # append the contents to the buffer. - bFoundMeta = False - for directory in directories: - metafile = directory + "/" + meta - - if not bFoundMeta and os.path.isfile (metafile): - layer_meta = open (metafile, "r") - layer_buf += layer_meta.readlines () - layer_meta.close() - bFoundMeta = True - - # force the metadata for the third party layer - if not bFoundMeta: - if layerName == third_party: - layer_buf.append ("This is all third-party generated modules.\n") - bFoundMeta = True - - # didn't find meta data for this layer - oh well - if not bFoundMeta: - layer_buf.append ("Summary is missing!.\n") - warning ("unable to find %s for layer %s" % (meta, layerName)) - - # For each module file in the layer, add its XML. - for directory in directories: - modules = glob.glob("%s/*.if" % directory) - modules.sort() - for module in modules: - layer_buf += getModuleXML(module) - - layer_buf.append("\n") - - return layer_buf - def getTunableXML(file_name, kind): ''' Return all the XML for the tunables/bools in the file specified. 
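Review bot: The comment added in the `@@ -175,54 +183,13 @@` hunk says `Process the TE file if it exists`, but `getTunableXML(module_te, "both")` is called unconditionally and no existence check is made. If `getTunableXML`'s own `open()` (outside this hunk) is not wrapped in a try/except, a module that has an `.if` file but no `.te` file will abort the whole XML generation instead of just omitting tunables. Either guard the call with `if os.path.isfile(module_te):` or reword the comment to say that `getTunableXML` tolerates a missing file, whichever matches its implementation.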
@@ -257,8 +224,10 @@ def getTunableXML(file_name, kind): if boolean: # If there is a gen_bool in a tunable file or a # gen_tunable in a boolean file, error and exit. - if boolean.group(1) != kind: - error("%s in a %s file." % (boolean.group(1), kind)) + # Skip if both kinds are valid. + if kind != "both": + if boolean.group(1) != kind: + error("%s in a %s file." % (boolean.group(1), kind)) tunable_buf.append("<%s name=\"%s\" dftval=\"%s\">\n" % boolean.groups()) tunable_buf += temp_buf 
@@ -341,39 +310,15 @@ def usage(): Displays a message describing the proper usage of this script. """ - sys.stdout.write("usage: %s [-w] [-m file] "\ - % sys.argv[0]) + sys.stdout.write("usage: %s [-w] [-mtb] \n\n" % sys.argv[0]) + sys.stdout.write("-w --warn\t\t\tshow warnings\n"+\ + "-m --module \t\tname of module to process\n"+\ + "-t --tunable \t\tname of global tunable file to process\n"+\ + "-b --boolean \t\tname of global boolean file to process\n\n") - sys.stdout.write("layerdirectory [layerdirectory...]\n\n") - - sys.stdout.write("Options:\n") - - sys.stdout.write ("-h --help -- "+\ - "show command line options\n") - - sys.stdout.write("-w --warn -- "+\ - "show warnings\n") - - sys.stdout.write("-m --meta -- "+\ - "the filename of the metadata in each layer\n") - - sys.stdout.write("-t --tunable -- "+\ - "A file containing tunable declarations\n") - - sys.stdout.write("-b --bool -- "+\ - "A file containing bool declarations\n") - - sys.stdout.write("-o --output-dir -- "+\ - "A directory to output global_tunables.xml and global_booleans.xml\n") - - sys.stdout.write("--tunables-xml -- "+\ - "A file containing tunable declarations already in XML format\n") - - sys.stdout.write("--booleans-xml -- "+\ - "A file containing bool declarations already in XML format\n") - - sys.stdout.write ("-3 --third-party -- "+\ - "Look for 3rd Party modules in directory.\n") + sys.stdout.write("examples:\n") + sys.stdout.write("> %s -w -m policy/modules/apache\n" % sys.argv[0]) + sys.stdout.write("> %s -t policy/global_tunables\n" % sys.argv[0]) def warning(description): ''' 
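Review bot: The rewritten `usage()` in the `@@ -341,39 +310,15 @@` hunk no longer lists `-h`/`--help`, although the new getopt specification (`'whm:t:b:'`, `'help'`) still accepts it, and the synopsis writes `[-mtb]` as if the three were flags when each takes an argument. Add a `-h --help\t\t\tshow this message` line and write the synopsis as `[-w] -m MODULE | -t FILE | -b FILE` so the text matches the parser. The per-option argument placeholders appear to have been lost in this rendering of the patch, so I cannot tell whether those lines name them.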
@@ -397,79 +342,50 @@ def error(description): # MAIN PROGRAM + +# Defaults +warn = False +module = False +tunable = False +boolean = False + # Check that there are command line arguments. if len(sys.argv) <= 1: usage() sys.exit(1) - -# Parse the command line arguments -for i in range(1, len(sys.argv)): - if sys.argv[i-1] in ("-m", "--meta",\ - "-t", "--tunable", "-b", "--bool",\ - "-o", "--output-dir", "-3", "--third-party", \ - "--tunables-xml", "--booleans-xml"): - continue - elif sys.argv[i] in ("-w", "--warn"): +# Parse command line args +try: + opts, args = getopt.getopt(sys.argv[1:], 'whm:t:b:', ['warn', 'help', 'module=', 'tunable=', 'boolean=']) +except getopt.GetoptError: + usage() + sys.exit(2) +for o, a in opts: + if o in ('-w', '--warn'): warn = True - elif sys.argv[i] in ("-m", "--meta"): - if i < len(sys.argv)-1: - meta = sys.argv[i+1] - else: - usage() - elif sys.argv[i] in ("-t", "--tunable"): - if i < len(sys.argv)-1: - tunable_files.append(sys.argv[i+1]) - else: - usage() - elif sys.argv[i] in ("-b", "--bool"): - if i < len(sys.argv)-1: - bool_files.append(sys.argv[i+1]) - else: - usage() - - elif sys.argv[i] == "--tunables-xml": - if i < len(sys.argv)-1: - xml_bool_files.append (sys.argv[i+1]) - else: - usage () - - elif sys.argv[i] == "--booleans-xml": - if i < len(sys.argv)-1: - xml_tunable_files.append (sys.argv[i+1]) - else: - usage () - - elif sys.argv[i] in ("-o", "--output-dir"): - if i < len(sys.argv)-1: - output_dir = sys.argv[i+1] - else: - usage () - - elif sys.argv[i] in ("-3", "--third-party"): - if i < len(sys.argv) -1: - if layers.has_key (third_party): - layers[third_party].append (sys.argv[i+1]) - else: - layers[third_party] = [sys.argv[i+1]] - else: - usage () - - elif sys.argv[i] in ("-h", "--help"): - usage () - sys.exit (1) - + elif o in ('-h', '--help'): + usage() + sys.exit(0) + elif o in ('-m', '--module'): + module = a + break + elif o in ('-t', '--tunable'): + tunable = a + break + elif o in ('-b', '--boolean'): + 
boolean = a + break else: - # store directories in hash stored by layer name - splitlayer = os.path.split(sys.argv[i]) - if layers.has_key (splitlayer[1]): - layers[splitlayer[1]].append (sys.argv[i]) - else: - layers[splitlayer[1]] = [sys.argv[i]] + usage() + sys.exit(2) - -# Generate the XML and output it to a file -lines = getPolicyXML() -for s in lines: - sys.stdout.write(s) +if module: + sys.stdout.writelines(getModuleXML(module)) +elif tunable: + sys.stdout.writelines(getTunableXML(tunable, "tunable")) +elif boolean: + sys.stdout.writelines(getTunableXML(boolean, "bool")) +else: + usage() + sys.exit(2)
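Review bot: The `break` after each of the `-m`, `-t` and `-b` branches ends option parsing as soon as a mode flag is seen, so anything that follows it on the command line (`-w`, `-h`, or a second mode flag) is silently ignored rather than rejected; `segenxml.py -m foo -w` runs without warnings while the usage examples only show the `-w -m` order that happens to work. Leftover positional arguments in `args` are likewise discarded without a message. Dropping the three `break` lines and validating after the loop with `modes = [x for x in (module, tunable, boolean) if x]` followed by `if len(modes) != 1 or args: usage(); sys.exit(2)` would make conflicting or misplaced arguments fail loudly. The `except getopt.GetoptError:` branch could also print the exception text before the usage, since the bare usage gives no hint which option was wrong.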
