- Update to upstream

- Merged my latest fixes
- Fix cups policy to handle unix domain sockets

.cvsignore

@@ -46,3 +46,4 @@ serefpolicy-2.2.18.tgz
 serefpolicy-2.2.19.tgz
 serefpolicy-2.2.20.tgz
 serefpolicy-2.2.21.tgz
+serefpolicy-2.2.22.tgz

policygentool

@@ -21,64 +21,140 @@
 #
 #  
 import os, sys, getopt
-import seobject
 import re
 
 ########################### Interface File #############################
-interface="\n\
+interface="""\
-## <summary>policy for TEMPLATETYPE</summary>\n\
+## <summary>policy for TEMPLATETYPE</summary>
-\n\
+
-########################################\n\
+########################################
-## <summary>\n\
+## <summary>
-##	Execute a domain transition to run TEMPLATETYPE.\n\
+##	Execute a domain transition to run TEMPLATETYPE.
-## </summary>\n\
+## </summary>
-## <param name=\"domain\">\n\
+## <param name=\"domain\">
-##	Domain allowed to transition.\n\
+##	Domain allowed to transition.
-## </param>\n\
+## </param>
-#\n\
+#
-interface(`TEMPLATETYPE_domtrans',`\n\
+interface(`TEMPLATETYPE_domtrans',`
-	gen_requires(`\n\
+	gen_requires(`
-		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;\n\
+		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
-	')\n\
+	')
-\n\
+
-	domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)\n\
+	domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
-\n\
+
-	allow $1 TEMPLATETYPE_t:fd use;\n\
+	allow $1 TEMPLATETYPE_t:fd use;
-	allow TEMPLATETYPE_t $1:fd use;\n\
+	allow TEMPLATETYPE_t $1:fd use;
-	allow TEMPLATETYPE_t:$1:fifo_file rw_file_perms;\n\
+	allow TEMPLATETYPE_t:$1:fifo_file rw_file_perms;
-	allow TEMPLATETYPE_t $1:process sigchld;\n\
+	allow TEMPLATETYPE_t $1:process sigchld;
-')\n\
+')
-"
+"""
 
 ########################### Type Enforcement File #############################
-te="\n\
+te="""\
-policy_module(TEMPLATETYPE,1.0.0)\n\
+policy_module(TEMPLATETYPE,1.0.0)
-\n\
+
-########################################\n\
+########################################
-#\n\
+#
-# Declarations\n\
+# Declarations
-#\n\
+#
-\n\
+
-type TEMPLATETYPE_t;\n\
+type TEMPLATETYPE_t;
-type TEMPLATETYPE_exec_t;\n\
+type TEMPLATETYPE_exec_t;
-domain_type(TEMPLATETYPE_t)\n\
+domain_type(TEMPLATETYPE_t)
-init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)\n\
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
-\n\
+"""
-########################################\n\
+te_pidfile="""
-#\n\
+# pid files
-# TEMPLATETYPE local policy\n\
+type TEMPLATETYPE_var_run_t;
-#\n\
+files_pid_file(TEMPLATETYPE_var_run_t)
-# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.\n"
+"""
+te_logfile="""
+# log files
+type TEMPLATETYPE_var_log_t;
+logging_log_file(TEMPLATETYPE_var_log_t)
+"""
+te_libfile="""
+# var/lib files
+type TEMPLATETYPE_var_lib_t;
+files_type(TEMPLATETYPE_var_lib_t)
+"""
+te_sep="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(TEMPLATETYPE_t)
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+miscfiles_read_localization(TEMPLATETYPE_t)
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file { read write };
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+"""
+te_pidfile2="""
+# pid file
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
+"""
+te_logfile2="""
+# log files
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
+"""
+te_libfile2="""
+# var/lib files for TEMPLATETYPE
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
+files_var_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t)
+"""
+te_network2="""
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
+corenet_tcp_connect_http_port(TEMPLATETYPE_t)
+#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
+#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+allow TEMPLATETYPE_t self:tcp_socket { listen accept };
+"""
+te_initsc2="""
+# Init script handling
+init_use_fd(TEMPLATETYPE_t)
+init_use_script_ptys(TEMPLATETYPE_t)
+domain_use_interactive_fds(TEMPLATETYPE_t)
+"""
 
 ########################### File Context ##################################
-fc="\n\
+fc="""\
-# TEMPLATETYPE executable will have:\n\
+# TEMPLATETYPE executable will have:
-# label: system_u:object_r:TEMPLATETYPE_exec_t\n\
+# label: system_u:object_r:TEMPLATETYPE_exec_t
-# MLS sensitivity: s0\n\
+# MLS sensitivity: s0
-# MCS categories: <none>\n\
+# MCS categories: <none>
-\n\
+
-EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)\n\
+EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
-"
+"""
+fc_pidfile="""\
+FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+fc_logfile="""\
+FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
+"""
+fc_libfile="""\
+FILENAME			gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
 def errorExit(error):
 	sys.stderr.write("%s: " % sys.argv[0])
 	sys.stderr.write("%s\n" % error)
@@ -86,9 +162,26 @@ def errorExit(error):
 	sys.exit(1)
 
 
-def write_te_file(module):
+def write_te_file(module, pidfile, logfile, libfile, network, initsc):
 	file="%s.te" % module
 	newte=re.sub("TEMPLATETYPE", module, te)
+	if pidfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
+	if logfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
+	if libfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
+	newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
+	if pidfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
+	if logfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
+	if libfile:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
+	if network:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
+	if initsc:
+		newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
 	if os.path.exists(file):
 		errorExit("%s already exists" % file)
 	fd = open(file, 'w')
@@ -104,20 +197,29 @@ def write_if_file(module):
 	fd.write(newif)
 	fd.close()
 
-def write_fc_file(module, executable):
+def write_fc_file(module, executable, pidfile, logfile, libfile):
 	file="%s.fc" % module
-	newfc=re.sub("TEMPLATETYPE", module, fc)
+	temp=re.sub("TEMPLATETYPE", module, fc)
-	newfc=re.sub("EXECUTABLE", executable, newfc)
+	newfc=re.sub("EXECUTABLE", executable, temp)
+	if pidfile:
+		temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
+		newfc=newfc + re.sub("FILENAME", pidfile, temp)
+	if logfile:
+		temp=re.sub("TEMPLATETYPE", module, fc_logfile)
+		newfc=newfc + re.sub("FILENAME", logfile, temp)
+	if libfile:
+		temp=re.sub("TEMPLATETYPE", module, fc_libfile)
+		newfc=newfc + re.sub("FILENAME", libfile, temp)
 	if os.path.exists(file):
 		errorExit("%s already exists" % file)
 	fd = open(file, 'w')
 	fd.write(newfc)
 	fd.close()
 
-def gen_policy(module, executable):
+def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
-	write_te_file(module)
+	write_te_file(module, pidfile, logfile, libfile, initsc, network)
 	write_if_file(module)
-	write_fc_file(module, executable)
+	write_fc_file(module, executable, pidfile, logfile, libfile)
 	
 if __name__ == '__main__':
 	def usage(message = ""):
@@ -127,6 +229,69 @@ if __name__ == '__main__':
 	if len(sys.argv) != 3:
 		usage()
 
-	gen_policy(sys.argv[1], sys.argv[2])
+	print """\n
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if).  Most of the policy rules
+will be written in the te file.  Use the File Context file to associate file
+paths with security context.  Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+
+After generating these files use the /usr/share/selinux/devel/Makefile to
+compile your policy package.  Then use the semodule tool to load it.
+
+# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
+# make -f /usr/share/selinux/devel/Makefile
+# semodule -l myapp.pp
+# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+
+Now you can turn on permissive mode, start your application and avc messages
+will be generated.  You can use audit2allow to help translate the avc messages
+into policy.
+
+# setenforce 0
+# service myapp start
+# audit2allow -R -i /var/log/audit/audit.log
+
+Return to continue:"""
+        sys.stdin.readline().rstrip()
+
+	print 'If the module uses pidfiles, what is the pidfile called?'
+	pidfile = sys.stdin.readline().rstrip()
+	if pidfile == "":
+		pidfile = None
+	print 'If the module uses logfiles, where are they stored?'
+	logfile = sys.stdin.readline().rstrip()
+	if logfile == "":
+		logfile = None
+	print 'If the module has var/lib files, where are they stored?'
+	libfile = sys.stdin.readline().rstrip()
+	if libfile == "":
+		libfile = None
+	print 'Does the module have a init script? [yN]'
+	initsc = sys.stdin.readline().rstrip()
+	if initsc == "" or initsc == "n" or initsc == "N":
+		initsc = False
+	elif initsc == "y" or initsc == "Y":
+		initsc = True
+	else:
+		raise "Please answer with 'y' or 'n'!"
+	print 'Does the module use the network? [yN]'
+	network = sys.stdin.readline().rstrip()
+	if network == "" or network == "n" or network == "N":
+		network = False
+	elif network == "y" or network == "Y":
+		network = True
+	else:
+		raise "Please answer with 'y' or 'n'!"
+
+	gen_policy(
+		module=sys.argv[1],
+		executable=sys.argv[2],
+		pidfile=pidfile,
+		logfile=logfile,
+		libfile=libfile,
+		initsc=initsc,
+		network=network
+	)
 
 	

selinux-policy.spec

@@ -9,8 +9,8 @@
 %define CHECKPOLICYVER 1.29.4-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.21
+Version: 2.2.22
-Release: 9
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -293,20 +293,24 @@ ln -sf ../devel/include /usr/share/selinux/strict/include
 %fileList strict
 
 %changelog
+* Mon Feb 27 2006 Dan Walsh <dwalsh@redhat.com> 2.2.22-1
+- Update to upstream
+- Merged my latest fixes
+- Fix cups policy to handle unix domain sockets
 
-* Sat Feb 26 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-9
+* Sat Feb 25 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-9
 - NSCD socket is in nscd_var_run_t needs to be able to search dir
 
-* Fri Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-8
+* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-8
 - Fixes Apache interface file
 
-* Fri Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-7
+* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-7
 - Fixes for new version of cups
 
-* Fri Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-6
+* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-6
 - Turn off polyinstatiate util after FC5
 
-* Fri Feb 23 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-5
+* Fri Feb 24 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-5
 - Fix problem with privoxy talking to Tor
 
 * Thu Feb 22 2006 Dan Walsh <dwalsh@redhat.com> 2.2.21-4

sources

@@ -1 +1 @@
-fe84e844d9a838bd87d4e80f381141cb  serefpolicy-2.2.21.tgz
+298e1f669a1a0203eeffcc1a82b1a794  serefpolicy-2.2.22.tgz