setools-4.4.3-1
This commit is contained in:
parent
46e11071de
commit
dd68fa8535
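--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ setools-3.3.8-f1e5b20.tar.bz2
 /4.4.0.tar.gz
 /4.4.1.tar.gz
 /4.4.2.tar.gz
+/4.4.3.tar.gz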
@ -1,92 +0,0 @@
|
|||||||
From edf1a80fa41fa34ad849fbf5098eddd4c5339c18 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
Date: Tue, 9 May 2023 19:22:01 +0200
|
|
||||||
Subject: [PATCH] Disable/remove neverallow options in sediff.
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Apply change from commit 06335957b701 ("Disable/remove neverallow
|
|
||||||
options in frontends.") to sediff
|
|
||||||
|
|
||||||
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
---
|
|
||||||
man/ru/sediff.1 | 4 ----
|
|
||||||
man/sediff.1 | 4 ----
|
|
||||||
sediff | 10 +++++++---
|
|
||||||
3 files changed, 7 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/man/ru/sediff.1 b/man/ru/sediff.1
|
|
||||||
index c6bf2939443f..af5d8efcf82c 100644
|
|
||||||
--- a/man/ru/sediff.1
|
|
||||||
+++ b/man/ru/sediff.1
|
|
||||||
@@ -57,16 +57,12 @@ sediff \- утилита выявления различий политик SELi
|
|
||||||
Найти различия правил включения журналирования событий.
|
|
||||||
.IP "--dontaudit"
|
|
||||||
Найти различия правил запрета журналирования событий.
|
|
||||||
-.IP "--neverallow"
|
|
||||||
-Найти различия запрещающих правил.
|
|
||||||
.IP "--allowxperm"
|
|
||||||
Найти различия расширенных разрешительных правил.
|
|
||||||
.IP "--auditallowxperm"
|
|
||||||
Найти различия расширенных правил включения журналирования событий.
|
|
||||||
.IP "--dontauditxperm"
|
|
||||||
Найти различия расширенных правил запрета журналирования событий.
|
|
||||||
-.IP "--neverallowxperm"
|
|
||||||
-Найти различия расширенных запрещающих правил.
|
|
||||||
.IP "-T, --type_trans"
|
|
||||||
Найти различия правил перехода типов.
|
|
||||||
.IP "--type_member"
|
|
||||||
diff --git a/man/sediff.1 b/man/sediff.1
|
|
||||||
index ed3b497db2c4..18466d8aeb68 100644
|
|
||||||
--- a/man/sediff.1
|
|
||||||
+++ b/man/sediff.1
|
|
||||||
@@ -50,16 +50,12 @@ Find differences in allow rules.
|
|
||||||
Find differences in auditallow rules.
|
|
||||||
.IP "--dontaudit"
|
|
||||||
Find differences in dontaudit rules.
|
|
||||||
-.IP "--neverallow"
|
|
||||||
-Find differences in neverallow rules.
|
|
||||||
.IP "--allowxperm"
|
|
||||||
Find differences in allowxperm rules.
|
|
||||||
.IP "--auditallowxperm"
|
|
||||||
Find differences in auditallowxperm rules.
|
|
||||||
.IP "--dontauditxperm"
|
|
||||||
Find differences in dontauditxperm rules.
|
|
||||||
-.IP "--neverallowxperm"
|
|
||||||
-Find differences in neverallowxperm rules.
|
|
||||||
.IP "-T, --type_trans"
|
|
||||||
Find differences in type_transition rules.
|
|
||||||
.IP "--type_member"
|
|
||||||
diff --git a/sediff b/sediff
|
|
||||||
index b2fef9771f18..a39d6f5c8f57 100755
|
|
||||||
--- a/sediff
|
|
||||||
+++ b/sediff
|
|
||||||
@@ -45,12 +45,12 @@ comp.add_argument("--level", action="store_true", help="Print MLS level definiti
|
|
||||||
terule = parser.add_argument_group("type enforcement rule differences")
|
|
||||||
terule.add_argument("-A", action="store_true", help="Print allow and allowxperm rule differences")
|
|
||||||
terule.add_argument("--allow", action="store_true", help="Print allow rule differences")
|
|
||||||
-terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
|
|
||||||
+# terule.add_argument("--neverallow", action="store_true", help="Print neverallow rule differences")
|
|
||||||
terule.add_argument("--auditallow", action="store_true", help="Print auditallow rule differences")
|
|
||||||
terule.add_argument("--dontaudit", action="store_true", help="Print dontaudit rule differences")
|
|
||||||
terule.add_argument("--allowxperm", action="store_true", help="Print allowxperm rule differences")
|
|
||||||
-terule.add_argument("--neverallowxperm", action="store_true",
|
|
||||||
- help="Print neverallowxperm rule differences")
|
|
||||||
+# terule.add_argument("--neverallowxperm", action="store_true",
|
|
||||||
+# help="Print neverallowxperm rule differences")
|
|
||||||
terule.add_argument("--auditallowxperm", action="store_true",
|
|
||||||
help="Print auditallowxperm rule differences")
|
|
||||||
terule.add_argument("--dontauditxperm", action="store_true",
|
|
||||||
@@ -97,6 +97,10 @@ other.add_argument("--typebounds", action="store_true", help="Print typebounds d
|
|
||||||
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
+# neverallow and neverallowxperm options are disabled
|
|
||||||
+args.neverallow = False
|
|
||||||
+args.neverallowxperm = False
|
|
||||||
+
|
|
||||||
if args.A:
|
|
||||||
args.allow = True
|
|
||||||
args.allowxperm = True
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,225 +0,0 @@
|
|||||||
From 2fea8eb0d4aedbbdca2209ee904eb10df69737b8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Vit Mojzis <vmojzis@redhat.com>
|
|
||||||
Date: Thu, 11 May 2023 18:38:21 +0200
|
|
||||||
Subject: [PATCH] Improve man pages
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
- Add missing parameters
|
|
||||||
- Add examples
|
|
||||||
- Fix typos
|
|
||||||
|
|
||||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
|
||||||
---
|
|
||||||
man/sechecker.1 | 6 +++---
|
|
||||||
man/sediff.1 | 12 ++++++++++++
|
|
||||||
man/sedta.1 | 9 +++++++++
|
|
||||||
man/seinfo.1 | 25 +++++++++++++++++++++++++
|
|
||||||
man/seinfoflow.1 | 9 +++++++++
|
|
||||||
man/sesearch.1 | 12 ++++++++++++
|
|
||||||
6 files changed, 70 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/man/sechecker.1 b/man/sechecker.1
|
|
||||||
index 507b8615c26f..e32d6d6114ba 100644
|
|
||||||
--- a/man/sechecker.1
|
|
||||||
+++ b/man/sechecker.1
|
|
||||||
@@ -81,7 +81,7 @@ A space-separated list of object class criteria for the query.
|
|
||||||
A space-separated list of permissions for the query.
|
|
||||||
|
|
||||||
.PP
|
|
||||||
-\fBA least one of the above options must be set in this check.\fR
|
|
||||||
+\fBAt least one of the above options must be set in this check.\fR
|
|
||||||
|
|
||||||
.PP
|
|
||||||
Additional Options:
|
|
||||||
@@ -123,7 +123,7 @@ The source role criteria for the query.
|
|
||||||
The target role criteria for the query.
|
|
||||||
|
|
||||||
.PP
|
|
||||||
-\fBA least one of the above options must be set in this check.\fR
|
|
||||||
+\fBAt least one of the above options must be set in this check.\fR
|
|
||||||
|
|
||||||
.PP
|
|
||||||
Additional Options:
|
|
||||||
@@ -205,7 +205,7 @@ executable types are read-only.\fR
|
|
||||||
.\}
|
|
||||||
.nf
|
|
||||||
[ro_execs]
|
|
||||||
-check_type = empty_typeattr
|
|
||||||
+check_type = ro_execs
|
|
||||||
desc = Verify that the all executables and libraries are read-only.
|
|
||||||
.fi
|
|
||||||
.if n \{\
|
|
||||||
diff --git a/man/sediff.1 b/man/sediff.1
|
|
||||||
index 18466d8aeb68..9b189885ff3c 100644
|
|
||||||
--- a/man/sediff.1
|
|
||||||
+++ b/man/sediff.1
|
|
||||||
@@ -84,6 +84,10 @@ Find differences in validatetrans rules.
|
|
||||||
Find differences in mlsvalidatetrans rules.
|
|
||||||
|
|
||||||
.SS Labeling Statement Differences
|
|
||||||
+.IP "--ibendportcon"
|
|
||||||
+Find differences in ibendportcon (InfiniBand endport context) statements.
|
|
||||||
+.IP "--ibpkeycon"
|
|
||||||
+Find differences in ibpkeycon (InfiniBand parition key context) statements.
|
|
||||||
.IP "--initialsid"
|
|
||||||
Find differences in initial SID statements.
|
|
||||||
.IP "--fs_use"
|
|
||||||
@@ -136,6 +140,14 @@ For example, a class is modified if one or more permissions are added or removed
|
|
||||||
.RE
|
|
||||||
.PP
|
|
||||||
|
|
||||||
+.SH EXAMPLE
|
|
||||||
+.nf
|
|
||||||
+Show differences in boolean settings
|
|
||||||
+# sediff -b /backup/policy.33 /etc/selinux/targeted/policy/policy.33
|
|
||||||
+Show statistics for allow and allowxperm rule changes (how many rules where added, removed, or modified)
|
|
||||||
+#sediff -A --stats /backup/policy.33 /etc/selinux/targeted/policy/policy.33
|
|
||||||
+
|
|
||||||
+
|
|
||||||
.SH AUTHOR
|
|
||||||
Chris PeBenito <pebenito@ieee.org>
|
|
||||||
|
|
||||||
diff --git a/man/sedta.1 b/man/sedta.1
|
|
||||||
index 1d84d92664e0..d3d21db6f172 100644
|
|
||||||
--- a/man/sedta.1
|
|
||||||
+++ b/man/sedta.1
|
|
||||||
@@ -49,6 +49,8 @@ Specify the maximum number of domain transitions to output. The default is unlim
|
|
||||||
A space-separated list of types to exclude from the analysis.
|
|
||||||
|
|
||||||
.SS General Options
|
|
||||||
+.IP "--full"
|
|
||||||
+Print rule lists for transitions.
|
|
||||||
.IP "--stats"
|
|
||||||
Print domain transition graph statistics at the end of the analysis.
|
|
||||||
.IP "-h, --help"
|
|
||||||
@@ -60,6 +62,13 @@ Print additional informational messages.
|
|
||||||
.IP "--debug"
|
|
||||||
Enable debugging output.
|
|
||||||
|
|
||||||
+.SH EXAMPLE
|
|
||||||
+.nf
|
|
||||||
+Show the shortest transition paths from httpd_t to unconfined_t, while not using container_runtime_t
|
|
||||||
+# sedta -s httpd_t -t unconfined_t -S container_runtime_t
|
|
||||||
+List all domain transition paths shorter than 3 steps from init_t to smbd_t
|
|
||||||
+# sedta -s init_t -t smbd_t -A 3
|
|
||||||
+
|
|
||||||
.SH AUTHOR
|
|
||||||
Chris PeBenito <pebenito@ieee.org>
|
|
||||||
|
|
||||||
diff --git a/man/seinfo.1 b/man/seinfo.1
|
|
||||||
index 1adea9868d66..9e7cbde8c06e 100644
|
|
||||||
--- a/man/seinfo.1
|
|
||||||
+++ b/man/seinfo.1
|
|
||||||
@@ -56,6 +56,10 @@ There is no expanded information for this component.
|
|
||||||
.IP "--genfscon [FS_TYPE]"
|
|
||||||
Print a list of genfscon statements or, if FS_TYPE is provided, print the statement for the named filesystem type.
|
|
||||||
There is no expanded information for this component.
|
|
||||||
+.IP "--ibpkeycon [PKEY[-PKEY]]"
|
|
||||||
+Print a list of InfiniBand parition key contexts.
|
|
||||||
+.IP "--ibendportcon [NAME]"
|
|
||||||
+Print a list of InfiniBand endport contexts.
|
|
||||||
.IP "--initialsid [NAME]"
|
|
||||||
Print a list of initial SIDs or, if NAME is provided, print the named initial SID.
|
|
||||||
With \fI-x\fR, print the context assigned to each displayed SID.
|
|
||||||
@@ -86,6 +90,18 @@ There is no expanded information for this component.
|
|
||||||
.IP "--all"
|
|
||||||
Print all components.
|
|
||||||
|
|
||||||
+.IP "\fB Xen Component Queries: \fR"
|
|
||||||
+.IP "--ioportcon"
|
|
||||||
+Print all ioportcon statements.
|
|
||||||
+.IP "--iomemcon"
|
|
||||||
+Print all iomemcon statements.
|
|
||||||
+.IP "--pcidevicecon"
|
|
||||||
+Print all pcidevicecon statements.
|
|
||||||
+.IP "--pirqcon"
|
|
||||||
+Print all pirqcon statements.
|
|
||||||
+.IP "--devicetreecon"
|
|
||||||
+Print all devicetreecon statements.
|
|
||||||
+
|
|
||||||
.SH OPTIONS
|
|
||||||
.IP "-x, --expand"
|
|
||||||
Print additional details for each component matching the expression.
|
|
||||||
@@ -101,6 +117,15 @@ Print additional informational messages.
|
|
||||||
.IP "--debug"
|
|
||||||
Enable debugging output.
|
|
||||||
|
|
||||||
+.SH EXAMPLE
|
|
||||||
+.nf
|
|
||||||
+List aliases of and attributes assigned to type httpd_t
|
|
||||||
+# seinfo -t httpd_t -x
|
|
||||||
+List all executable types (all types assigned to "exec_type" attribute)
|
|
||||||
+# seinfo -a exec_type -x
|
|
||||||
+List all constrains and mlsconstrains for class "file"
|
|
||||||
+# seinfo --constrain file
|
|
||||||
+
|
|
||||||
.SH AUTHOR
|
|
||||||
Chris PeBenito <pebenito@ieee.org>
|
|
||||||
|
|
||||||
diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
|
|
||||||
index 2e4a261606bf..75763d6f2378 100644
|
|
||||||
--- a/man/seinfoflow.1
|
|
||||||
+++ b/man/seinfoflow.1
|
|
||||||
@@ -54,6 +54,8 @@ A space-separated list of types to exclude from the analysis.
|
|
||||||
Print information flow graph statistics at the end of the analysis.
|
|
||||||
.IP "-h, --help"
|
|
||||||
Print help information and exit.
|
|
||||||
+.IP "--full"
|
|
||||||
+Print full rule lists for information flows.
|
|
||||||
.IP "--version"
|
|
||||||
Print version information and exit.
|
|
||||||
.IP "-v, --verbose"
|
|
||||||
@@ -61,6 +63,13 @@ Print additional informational messages.
|
|
||||||
.IP "--debug"
|
|
||||||
Enable debugging output.
|
|
||||||
|
|
||||||
+.SH EXAMPLE
|
|
||||||
+.nf
|
|
||||||
+Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map
|
|
||||||
+# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S
|
|
||||||
+List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled
|
|
||||||
+# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
|
|
||||||
+
|
|
||||||
.SH AUTHOR
|
|
||||||
Chris PeBenito <pebenito@ieee.org>
|
|
||||||
|
|
||||||
diff --git a/man/sesearch.1 b/man/sesearch.1
|
|
||||||
index 35f16c4ba33e..edc18346673c 100644
|
|
||||||
--- a/man/sesearch.1
|
|
||||||
+++ b/man/sesearch.1
|
|
||||||
@@ -48,6 +48,7 @@ Find type_change rules.
|
|
||||||
Find role allow rules.
|
|
||||||
.IP "--role_trans"
|
|
||||||
Find role_transition rules.
|
|
||||||
+.IP "Note: TE/MLS rule searches cannot be mixed with RBAC rule searches"
|
|
||||||
|
|
||||||
.SS MLS Rule Types
|
|
||||||
.IP "--range_trans"
|
|
||||||
@@ -80,6 +81,8 @@ A matching rule must have the specified target attribute/type/role explicitly, i
|
|
||||||
A matching rule must have all specified Booleans, instead of matching any of the specified Boolean.
|
|
||||||
.IP "-ep"
|
|
||||||
A matching rule must have exactly the specified permissions, instead of matching any of the specified permission.
|
|
||||||
+.IP "-ex"
|
|
||||||
+A matching rule must have exactly the specified extended permissions, instead of matching any listed extended permission.
|
|
||||||
.IP "-Sp"
|
|
||||||
A matching rule must have permissions where are a superset of the specified permissions, instead of matching any of the permissions.
|
|
||||||
.IP "-rs"
|
|
||||||
@@ -103,6 +106,15 @@ Print additional informational messages.
|
|
||||||
.IP "--debug"
|
|
||||||
Enable debugging output.
|
|
||||||
|
|
||||||
+.SH EXAMPLE
|
|
||||||
+.nf
|
|
||||||
+List allow (and allowxperm) rules for accessing files labeled container_file_t from domains with attribute container_domain
|
|
||||||
+# sesearch -A -s container_domain -t container_file_t -c file
|
|
||||||
+List allow and dontaudit rules for accessing chr_files labeled container_file_t, that are controlled by boolean container_use_devices
|
|
||||||
+# sesearch -A --dontaudit -t container_file_t -c chr_file -b container_use_devices
|
|
||||||
+List dontaudit rules assigned via application_domain_type attribute (rules concerning specific types with that attribute are excluded)
|
|
||||||
+# sesearch --dontaudit -s application_domain_type -ds
|
|
||||||
+
|
|
||||||
.SH AUTHOR
|
|
||||||
Chris PeBenito <pebenito@ieee.org>
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,62 +0,0 @@
|
|||||||
From 6425b45e2748605b99d4e45b286fbf5bb8e8243e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
Date: Mon, 17 Jul 2023 16:45:01 -0400
|
|
||||||
Subject: [PATCH] tox.ini: Change environments to use "python" instead of "py".
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
---
|
|
||||||
.github/workflows/tests.yml | 12 ++++++------
|
|
||||||
tox.ini | 8 ++++----
|
|
||||||
2 files changed, 10 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
|
|
||||||
index eb443ae7f0f7..c3c8d552ca15 100644
|
|
||||||
--- a/.github/workflows/tests.yml
|
|
||||||
+++ b/.github/workflows/tests.yml
|
|
||||||
@@ -27,12 +27,12 @@ jobs:
|
|
||||||
|
|
||||||
matrix:
|
|
||||||
build-opts:
|
|
||||||
- - {python: '3.6', tox: py36}
|
|
||||||
- - {python: '3.7', tox: py37}
|
|
||||||
- - {python: '3.8', tox: py38}
|
|
||||||
- - {python: '3.9', tox: py39}
|
|
||||||
- - {python: '3.10', tox: py310}
|
|
||||||
- - {python: '3.11', tox: py311}
|
|
||||||
+ - {python: '3.6', tox: python3.6}
|
|
||||||
+ - {python: '3.7', tox: python3.7}
|
|
||||||
+ - {python: '3.8', tox: python3.8}
|
|
||||||
+ - {python: '3.9', tox: python3.9}
|
|
||||||
+ - {python: '3.10', tox: python3.10}
|
|
||||||
+ - {python: '3.11', tox: python3.11}
|
|
||||||
- {python: '3.6', tox: pep8}
|
|
||||||
- {python: '3.6', tox: lint}
|
|
||||||
- {python: '3.6', tox: mypy}
|
|
||||||
diff --git a/tox.ini b/tox.ini
|
|
||||||
index b2f6b51858e6..a668bb3de425 100644
|
|
||||||
--- a/tox.ini
|
|
||||||
+++ b/tox.ini
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
[tox]
|
|
||||||
minversion = 1.4
|
|
||||||
-envlist = py3, pep8, lint, mypy
|
|
||||||
+envlist = python3, pep8, lint, mypy
|
|
||||||
|
|
||||||
[pycodestyle]
|
|
||||||
max-line-length = 100
|
|
||||||
@@ -53,8 +53,8 @@ passenv = USERSPACE_SRC
|
|
||||||
deps = networkx>=2.0
|
|
||||||
cython>=0.27
|
|
||||||
pytest
|
|
||||||
- py38: cython>=0.29.14
|
|
||||||
- py39: networkx>=2.6
|
|
||||||
- py39: cython>=0.29.14
|
|
||||||
+ python38: cython>=0.29.14
|
|
||||||
+ python39: networkx>=2.6
|
|
||||||
+ python39: cython>=0.29.14
|
|
||||||
commands_pre = {envpython} setup.py build_ext -i
|
|
||||||
commands = pytest tests
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,51 +0,0 @@
|
|||||||
From 8ec295066289cf74df0e3f2c6e068abe503f1121 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
Date: Wed, 21 Jun 2023 08:56:08 -0400
|
|
||||||
Subject: [PATCH] seinfoflow: Add -r option to get flows into the source type.
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
---
|
|
||||||
man/seinfoflow.1 | 2 ++
|
|
||||||
seinfoflow | 5 ++++-
|
|
||||||
2 files changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
|
|
||||||
index 75763d6f2378..63c70c0e7b14 100644
|
|
||||||
--- a/man/seinfoflow.1
|
|
||||||
+++ b/man/seinfoflow.1
|
|
||||||
@@ -50,6 +50,8 @@ Specify the maximum number of information flows to output. The default is unlimi
|
|
||||||
A space-separated list of types to exclude from the analysis.
|
|
||||||
|
|
||||||
.SS General Options
|
|
||||||
+.IP "-r, --reverse"
|
|
||||||
+Display information flows into the source type. No effect if a target type is specified.
|
|
||||||
.IP "--stats"
|
|
||||||
Print information flow graph statistics at the end of the analysis.
|
|
||||||
.IP "-h, --help"
|
|
||||||
diff --git a/seinfoflow b/seinfoflow
|
|
||||||
index 5f4e7642ecf9..9bd1bec41da8 100755
|
|
||||||
--- a/seinfoflow
|
|
||||||
+++ b/seinfoflow
|
|
||||||
@@ -42,6 +42,9 @@ alg.add_argument("-A", "--all_paths", type=int, metavar="MAX_STEPS",
|
|
||||||
help="Calculate all paths, with the specified maximum path length. (Expensive)")
|
|
||||||
|
|
||||||
opts = parser.add_argument_group("Analysis options")
|
|
||||||
+opts.add_argument("-r", "--reverse", action="store_false",
|
|
||||||
+ help="Display information flows into the source type. "
|
|
||||||
+ "No effect if a target type is specified.")
|
|
||||||
opts.add_argument("-w", "--min_weight", default=3, type=int,
|
|
||||||
help="Minimum permission weight. Default is 3.")
|
|
||||||
opts.add_argument("-l", "--limit_flows", default=0, type=int,
|
|
||||||
@@ -119,7 +122,7 @@ try:
|
|
||||||
|
|
||||||
else: # single direct info flow
|
|
||||||
flownum = 0
|
|
||||||
- for flownum, flow in enumerate(g.infoflows(args.source), start=1):
|
|
||||||
+ for flownum, flow in enumerate(g.infoflows(args.source, out=args.reverse), start=1):
|
|
||||||
print("Flow {0}: {1} -> {2}".format(flownum, flow.source, flow.target))
|
|
||||||
|
|
||||||
if args.full:
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,34 +0,0 @@
|
|||||||
From 32ebd2c802ca0fcf3b920b298f0d2d8b2972cfa9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
Date: Wed, 21 Jun 2023 08:56:53 -0400
|
|
||||||
Subject: [PATCH] seinfoflow.1: Remove references to sepolgen permission map.
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
SETools ships with its own so that it is usable on non-SELinux systems.
|
|
||||||
|
|
||||||
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
---
|
|
||||||
man/seinfoflow.1 | 6 +++---
|
|
||||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/man/seinfoflow.1 b/man/seinfoflow.1
|
|
||||||
index 63c70c0e7b14..e482520a8b82 100644
|
|
||||||
--- a/man/seinfoflow.1
|
|
||||||
+++ b/man/seinfoflow.1
|
|
||||||
@@ -67,10 +67,10 @@ Enable debugging output.
|
|
||||||
|
|
||||||
.SH EXAMPLE
|
|
||||||
.nf
|
|
||||||
-Show the shortest paths for process running as httpd_t to access user home files, using permission map from /var/lib/sepolgen/perm_map
|
|
||||||
-# seinfoflow -m /var/lib/sepolgen/perm_map -s httpd_t -t user_home_t -S
|
|
||||||
+Show the shortest paths for process running as httpd_t to access user home files, using the default permission map:
|
|
||||||
+# seinfoflow -s httpd_t -t user_home_t -S
|
|
||||||
List all data paths shorter than 3 steps from smbd_t to httpd_log_t, when samba_enable_home_dirs and samba_create_home_dirs booleans are enabled
|
|
||||||
-# seinfoflow -m /var/lib/sepolgen/perm_map -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
|
|
||||||
+# seinfoflow -s smbd_t -t user_home_t -A 3 -b "samba_enable_home_dirs:true,samba_create_home_dirs:true"
|
|
||||||
|
|
||||||
.SH AUTHOR
|
|
||||||
Chris PeBenito <pebenito@ieee.org>
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,55 +0,0 @@
|
|||||||
From 725d224e8dd8af3a5a56c71b9de7936d098cae61 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
Date: Tue, 16 May 2023 13:21:09 -0400
|
|
||||||
Subject: [PATCH] AVRule/AVRuleXperm: Treat rules with no permissions as
|
|
||||||
invalid policy.
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
---
|
|
||||||
setools/policyrep/terule.pxi | 22 ++++++++++++++++++++++
|
|
||||||
1 file changed, 22 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/setools/policyrep/terule.pxi b/setools/policyrep/terule.pxi
|
|
||||||
index 6c869ed08ad9..4f4a95f553bc 100644
|
|
||||||
--- a/setools/policyrep/terule.pxi
|
|
||||||
+++ b/setools/policyrep/terule.pxi
|
|
||||||
@@ -120,6 +120,17 @@ cdef class AVRule(BaseTERule):
|
|
||||||
r._conditional = conditional
|
|
||||||
r._conditional_block = conditional_block
|
|
||||||
r.origin = None
|
|
||||||
+
|
|
||||||
+ if not r.perms:
|
|
||||||
+ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {{ }};"
|
|
||||||
+ try:
|
|
||||||
+ rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
|
|
||||||
+ except RuleNotConditional:
|
|
||||||
+ pass
|
|
||||||
+
|
|
||||||
+ raise LowLevelPolicyError("Invalid policy: Found a rule with no permissions: "
|
|
||||||
+ f"{rule_string}")
|
|
||||||
+
|
|
||||||
return r
|
|
||||||
|
|
||||||
def __hash__(self):
|
|
||||||
@@ -319,6 +330,17 @@ cdef class AVRuleXperm(BaseTERule):
|
|
||||||
r._conditional = conditional
|
|
||||||
r._conditional_block = conditional_block
|
|
||||||
r.origin = None
|
|
||||||
+
|
|
||||||
+ if not perms:
|
|
||||||
+ rule_string = f"{r.ruletype} {r.source} {r.target}:{r.tclass} {r.xperm_type} {{ }};"
|
|
||||||
+ try:
|
|
||||||
+ rule_string += f" [ {r.conditional} ]:{r.conditional_block}"
|
|
||||||
+ except RuleNotConditional:
|
|
||||||
+ pass
|
|
||||||
+
|
|
||||||
+ raise LowLevelPolicyError(
|
|
||||||
+ f"Invalid policy: Found a rule with no extended permissions: {rule_string}.")
|
|
||||||
+
|
|
||||||
return r
|
|
||||||
|
|
||||||
def __hash__(self):
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,52 +0,0 @@
|
|||||||
From fc443b5a0379f3644e071a458e996ea6115ccba3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
Date: Mon, 17 Jul 2023 16:08:21 -0400
|
|
||||||
Subject: [PATCH] SELinuxPolicy: Add explicit cast for libspol message
|
|
||||||
callback.
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Cython 3.0 is more strict. The change fixes this issue:
|
|
||||||
|
|
||||||
setools/policyrep/selinuxpolicy.pxi:685:46: Cannot assign type 'void (void *, sepol_handle_t *, const char *, ...) except *' to 'msg_callback'
|
|
||||||
|
|
||||||
Additionally, the msg_callback is not typedef-ed in sepol/debug.h, so it must
|
|
||||||
be explicitly defined in sepol.pxd for the casting to work.
|
|
||||||
|
|
||||||
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
|
|
||||||
---
|
|
||||||
setools/policyrep/selinuxpolicy.pxi | 2 +-
|
|
||||||
setools/policyrep/sepol.pxd | 4 +++-
|
|
||||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/setools/policyrep/selinuxpolicy.pxi b/setools/policyrep/selinuxpolicy.pxi
|
|
||||||
index 9267a0c43abc..236316f1c6c5 100644
|
|
||||||
--- a/setools/policyrep/selinuxpolicy.pxi
|
|
||||||
+++ b/setools/policyrep/selinuxpolicy.pxi
|
|
||||||
@@ -668,7 +668,7 @@ cdef class SELinuxPolicy:
|
|
||||||
if self.sh == NULL:
|
|
||||||
raise MemoryError
|
|
||||||
|
|
||||||
- sepol.sepol_msg_set_callback(self.sh, sepol_logging_callback, self.handle)
|
|
||||||
+ sepol.sepol_msg_set_callback(self.sh, <sepol.msg_callback>sepol_logging_callback, self.handle)
|
|
||||||
|
|
||||||
if sepol.sepol_policydb_create(&self.handle) < 0:
|
|
||||||
raise MemoryError
|
|
||||||
diff --git a/setools/policyrep/sepol.pxd b/setools/policyrep/sepol.pxd
|
|
||||||
index 769498f2c5fd..36589ed1a607 100644
|
|
||||||
--- a/setools/policyrep/sepol.pxd
|
|
||||||
+++ b/setools/policyrep/sepol.pxd
|
|
||||||
@@ -16,8 +16,10 @@ cdef extern from "<sepol/handle.h>":
|
|
||||||
void sepol_handle_destroy(sepol_handle_t *sh)
|
|
||||||
|
|
||||||
|
|
||||||
+ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
cdef extern from "<sepol/debug.h>":
|
|
||||||
- ctypedef void (*msg_callback)(void *varg, sepol_handle_t *handle, const char *fmt, ...)
|
|
||||||
void sepol_msg_set_callback(sepol_handle * handle, msg_callback cb, void *cb_arg)
|
|
||||||
|
|
||||||
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
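--- a/setools.spec
+++ b/setools.spec
@@ -2,8 +2,8 @@
 %global selinux_ver 3.5-1
 
 Name: setools
-Version: 4.4.2
-Release: 4%{?dist}
+Version: 4.4.3
+Release: 1%{?dist}
 Summary: Policy analysis tools for SELinux
 
 License: GPL-2.0-only and LGPL-2.1-only
@@ -11,13 +11,6 @@ URL: https://github.com/SELinuxProject/setools/wiki
 Source0: https://github.com/SELinuxProject/setools/archive/%{version}.tar.gz
 Source1: setools.pam
 Source2: apol.desktop
-Patch0001: 0001-Disable-remove-neverallow-options-in-sediff.patch
-Patch0002: 0002-Improve-man-pages.patch
-Patch0003: 0003-tox.ini-Change-environments-to-use-python-instead-of.patch
-Patch0004: 0004-seinfoflow-Add-r-option-to-get-flows-into-the-source.patch
-Patch0005: 0005-seinfoflow.1-Remove-references-to-sepolgen-permissio.patch
-Patch0006: 0006-AVRule-AVRuleXperm-Treat-rules-with-no-permissions-a.patch
-Patch0007: 0007-SELinuxPolicy-Add-explicit-cast-for-libspol-message-.patch
 
 Obsoletes: setools < 4.0.0, setools-devel < 4.0.0
 BuildRequires: flex, bison
@@ -151,6 +144,9 @@ Python modules designed to facilitate SELinux policy analysis.
 %{_mandir}/ru/man1/apol*
 
 %changelog
+* Wed Aug 9 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.3-1
+- SETools 4.4.3 release
+
 * Wed Jul 26 2023 Petr Lautrbach <lautrbach@redhat.com> - 4.4.2-4
 - Disable/remove neverallow options in sediff.
 - Improve man pages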
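Review bot: The new changelog entry `- SETools 4.4.3 release` does not record that Patch0001 through Patch0007 are dropped in the same hunk that removes their declarations, so a reader of the spec cannot tell whether they were merged upstream into 4.4.3 or discarded. Patch0001 appears to be a downstream behaviour change (it disables the sediff `--neverallow` / `--neverallowxperm` options and forces `args.neverallow = False`), so if it is not part of the 4.4.3 tarball this rebase silently restores those options. Suggest extending the changelog entry with a line such as `- Drop patches 0001-0007, merged upstream in 4.4.3` (or naming any that were intentionally dropped), so the removal is auditable from the spec alone.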
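--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (4.4.2.tar.gz) = b5117c5de1503e25183c2a1af92cd015320dd37e0cf26b8e09bd5d0ff879734d2f9c301def2a40b476c1ed1960f9ee04ae13b284df73f39f743004104ac85fb1
+SHA512 (4.4.3.tar.gz) = dcea6f10af0f46cb7f06aa1b29a757de7dbc30b52fe705c51a4f395d6cc25bfc7b78c15b6fc5c09ec05a2bbe8316bc79b87156304de5fe098040007d33a70143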