rpms/policycoreutils/devel .cvsignore, 1.80, 1.81 policycoreutils-rhat.patch, 1.114, 1.115 policycoreutils.spec, 1.176, 1.177 sources, 1.83, 1.84
fedora-cvs-commits at redhat.com
Thu Nov 17 02:49:35 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/policycoreutils/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv30997
Modified Files:
.cvsignore policycoreutils-rhat.patch policycoreutils.spec
sources
Log Message:
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/.cvsignore,v
retrieving revision 1.80
retrieving revision 1.81
diff -u -r1.80 -r1.81
--- .cvsignore 10 Nov 2005 02:59:06 -0000 1.80
+++ .cvsignore 17 Nov 2005 02:49:32 -0000 1.81
@@ -65,3 +65,4 @@
policycoreutils-1.27.23.tgz
policycoreutils-1.27.26.tgz
policycoreutils-1.27.27.tgz
+policycoreutils-1.27.28.tgz
policycoreutils-rhat.patch:
audit2allow/Makefile | 2
audit2allow/audit2allow | 376 ++++++++++++++++++++++++++-----------------
audit2allow/audit2allow.perl | 164 ++++++++++++++++++
scripts/genhomedircon | 6
4 files changed, 399 insertions(+), 149 deletions(-)
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -r1.114 -r1.115
--- policycoreutils-rhat.patch 14 Nov 2005 20:26:05 -0000 1.114
+++ policycoreutils-rhat.patch 17 Nov 2005 02:49:32 -0000 1.115
@@ -1,354 +1,593 @@
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.27/scripts/genhomedircon
---- nsapolicycoreutils/scripts/genhomedircon 2005-09-12 16:33:30.000000000 -0400
-+++ policycoreutils-1.27.27/scripts/genhomedircon 2005-11-14 15:25:45.000000000 -0500
-@@ -15,32 +15,19 @@
- # The file CONTEXTDIR/files/homedir_template exists. This file is used to
- # set up the home directory context for each real user.
- #
--# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
--# the first role in the list.
-+# If a user has more than one role, genhomedircon uses the first role in the list.
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.27.28/audit2allow/audit2allow
+--- nsapolicycoreutils/audit2allow/audit2allow 2005-09-12 16:33:30.000000000 -0400
++++ policycoreutils-1.27.28/audit2allow/audit2allow 2005-11-16 21:48:07.000000000 -0500
+@@ -1,7 +1,12 @@
+-#!/usr/bin/perl
+-
+-# Adapted from:
++#! /usr/bin/env python
++# Copyright (C) 2005 Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# Audit2allow is a rewrite of prior perl script.
++#
++# Based off original audit2allow perl script: which credits
+ # newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith at mcs.drexel.edu)
++# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam at users.sourceforge.jp)
#
--# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user
-+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
- #
- # "Real" users (as opposed to system users) are those whose UID is greater than
- # or equal STARTING_UID (usually 500) and whose login is not a member of
--# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users
-+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
- # are always "real" (including root, in the default configuration).
- #
- #
--# Old ASSUMPTIONS:
--#
--# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
--# the first role in the list.
--#
--# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
--# the user's home dir will be found in one of the HOME_ROOTs.
--#
--# "Real" users (as opposed to system users) are those whose UID is greater than
--# or equal STARTING_UID (usually 500) and whose login is not a member of
--# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users
--# are always "real" (including root, in the default configuration).
--#
-
- import commands, sys, os, pwd, string, getopt, re
-+from semanage import *;
-
- EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
-
-@@ -67,169 +54,6 @@
- starting_uid = 500
- return starting_uid
-
--#############################################################################
--#
--# This section is just for backwards compatability
--#
--#############################################################################
--def getPrefixes():
-- ulist = pwd.getpwall()
-- STARTING_UID=getStartingUID()
-- prefixes = {}
-- for u in ulist:
-- if u[2] >= STARTING_UID and \
-- not u[6] in EXCLUDE_LOGINS and \
-- u[5] != "/" and \
-- string.count(u[5], "/") > 1:
-- prefix = u[5][:string.rfind(u[5], "/")]
-- if not prefixes.has_key(prefix):
-- prefixes[prefix] = ""
-- return prefixes
--
--def getUsers(filecontextdir):
-- rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
-- udict = {}
-- if rc[0] == 0:
-- ulist = rc[1].strip().split("\n")
-- for u in ulist:
-- user = u.split()
-- try:
-- if user[1] == "user_u" or user[1] == "system_u":
-- continue
-- # !!! chooses first role in the list to use in the file context !!!
-- role = user[3]
-- if role == "{":
-- role = user[4]
-- role = role.split("_r")[0]
-- home = pwd.getpwnam(user[1])[5]
-- if home == "/":
-- continue
-- prefs = {}
-- prefs["role"] = role
-- prefs["home"] = home
-- udict[user[1]] = prefs
-- except KeyError:
-- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
-- return udict
--
--def update(filecontext, user, prefs):
-- rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
-- if rc[0] == 0:
-- print rc[1]
-- else:
-- errorExit(string.join("grep/sed error ", rc[1]))
-- return rc
--
--def oldgenhomedircon(filecontextdir, filecontext):
-- sys.stderr.write("Using genhomedircon in this fashion is supported for backwards compatability\n")
-- sys.stderr.write("Please update to the latest policy\n")
-- sys.stderr.flush()
--
-- if os.path.isdir(filecontextdir) == 0:
-- sys.stderr.write("New usage is the following\n")
-- usage()
-- #We are going to define home directory used by libuser and show-utils as a home directory root
-- prefixes = {}
-- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-- if rc[0] == 0:
-- homedir = rc[1].split("=")[1]
-- homedir = homedir.split("#")[0]
-- homedir = homedir.strip()
-- if not prefixes.has_key(homedir):
-- prefixes[homedir] = ""
-- else:
-- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
-- if rc[0] != 256:
-- sys.stderr.write("%s\n" % rc[1])
-- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-- sys.stderr.flush()
--
--
-- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-- if rc[0] == 0:
-- homedir = rc[1].split("=")[1]
-- homedir = homedir.split("#")[0]
-- homedir = homedir.strip()
-- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
-- if not prefixes.has_key(homedir):
-- prefixes[homedir] = ""
-- else:
-- if rc[0] != 256:
-- sys.stderr.write("%s\n" % rc[1])
-- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
-- sys.stderr.flush()
--
-- #the idea is that we need to find all of the home_root_t directories we do this by just accepting
-- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
-- #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
-- #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
-- #is then checked to see if it has an explicite context defined in the file_contexts. Explicit
-- #is any regex that would match it which does not end with .*$ or .+$ since those are general
-- #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against
-- #[pattern]
-- potential_prefixes = getPrefixes()
-- prefix_regex = {}
-- #this works by grepping the file_contexts for
-- # 1. ^/ makes sure this is not a comment
-- # 2. prints only the regex in the first column first cut on \t then on space
-- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
-- if rc[0] == 0:
-- prefix_regex = rc[1].split("\n")
-- else:
-- sys.stderr.write("%s\n" % rc[1])
-- sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
-- sys.stderr.flush()
-- for potential in potential_prefixes.keys():
-- addme = 1
-- for regex in prefix_regex:
-- #match a trailing (/*)? which is actually a bug in rpc_pipefs
-- regex = re.sub("\(/\*\)\?$", "", regex)
-- #match a trailing .+
-- regex = re.sub("\.+$", "", regex)
-- #match a trailing .*
-- regex = re.sub("\.\*$", "", regex)
-- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-- regex = re.sub("\(\/\.\*\)\?", "", regex)
-- regex = regex + "/*$"
-- if re.search(regex, potential, 0):
-- addme = 0
-- if addme == 1:
-- if not prefixes.has_key(potential):
-- prefixes[potential] = ""
--
--
-- if prefixes.__eq__({}):
-- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
-- sys.stderr.write("HOME= not set in /etc/default/useradd\n")
-- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
-- sys.stderr.write("Assuming /home is the root of home directories\n")
-- sys.stderr.flush()
-- prefixes["/home"] = ""
--
-- # There may be a more elegant sed script to expand a macro to multiple lines, but this works
-- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
-- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
--
-- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
-- rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
-- if rc[0] == 0:
-- print rc[1]
-- else:
-- errorExit(string.join("sed error ", rc[1]))
--
-- users = getUsers(filecontextdir)
-- print "\n#\n# User-specific file contexts\n#\n"
--
-- # Fill in HOME and ROLE for users that are defined
-- for u in users.keys():
-- update(filecontext, u, users[u])
--
--#############################################################################
--#
--# End of backwards compatability section
--#
--#############################################################################
--
- def getDefaultHomeDir():
- ret = []
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-@@ -287,6 +111,11 @@
-
- class selinuxConfig:
- def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
-+ self.semanageHandle=semanage_handle_create()
-+ self.semanaged=semanage_is_managed(self.semanageHandle)
-+ if self.semanaged:
-+ semanage_connect(self.semanageHandle)
-+ (status, self.ulist, self.usize) = semanage_user_list(self.semanageHandle)
- self.type=type
- self.selinuxdir=selinuxdir +"/"
- self.contextdir="/contexts"
-@@ -312,48 +141,75 @@
- else:
- errorExit(string.join("sed error ", rc[1]))
-
-- def getUsersFile(self):
-- return self.selinuxdir+self.type+"/users/local.users"
--
-- def getSystemUsersFile(self):
-- return self.selinuxdir+self.type+"/users/system.users"
--
- def heading(self):
- ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
-- ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
-+ if self.semanaged:
-+ ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n"
+ # This program is free software; you can redistribute it and/or
+ # modify it under the terms of the GNU General Public License as
+@@ -17,148 +22,227 @@
+ # along with this program; if not, write to the Free Software
+ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+ # 02111-1307 USA
+-# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam at users.sourceforge.jp)
+-
+-
+-$load_policy_pattern="avc:.*granted.*{.*load_policy.*}";
+-
+-while ($opt = shift @ARGV) {
+- if ($opt eq "-d") { $read_dmesg++; }
+- elsif ($opt eq "-v") { $verbose++; }
+- elsif ($opt eq "-i") { $input = shift @ARGV; }
+- elsif ($opt eq "-o") { $output= shift @ARGV; }
+- elsif ($opt eq "-l") { $load_policy++; }
+- elsif ($opt eq "--help") { &printUsage; }
+- else { print "unknown option, '$opt'\n\n"; &printUsage; }
+-}
+-
+-if ($read_dmesg && $input) {
+- print "Error, can't read from both dmesg and $input\n\n";
+- &printUsage;
+-}
+-
+-if ($read_dmesg) { open (IN, "/bin/dmesg|"); }
+-elsif ($input) { open (IN, "$input"); }
+-else { open (IN, "-"); } # STDIN
+-
+-if ($output) { open (OUT, ">>$output"); }
+-else { open (OUT, ">-"); } # STDOUT
+-
+-if($load_policy){ #store logs after last "load_policy" in @log_buf
+- while ($line = <IN>) {
+- if($line=~/$load_policy_pattern/) {
+- #stored logs are unnecessary
+- undef @log_buf;
+- }
+- else
+- {
+- push @log_buf,$line;
+- }
+- }
+-}
+-
+-while ($line=&readNewline) {
+- next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/);
+- @types=split /\ /,$line;
+- $info="";
+- $group="";
+- $command="";
+- foreach $i(0..$#types){
+- next if($types[$i]!~/[=\{]/);
+- if($types[$i]=~/^\{/){
+- $j=$i+1;
+- while($types[$j]!~/\}/){
+- $command.=" $types[$j]";
+- $j++;
+- }
+- next;
+- }
+- my($a,$b) = split /=/,$types[$i];
+-
+- next if($a eq "pid");
+- next if($a eq "dev");
+- next if($a eq "ino");
++#
++#
++import commands, sys, os, pwd, string, getopt, re
++class allow:
++ def __init__(self, source, target, seclass):
++ self.source=source
++ self.target=target
++ self.seclass=seclass
++ self.avcinfo={}
++ def add(self, avc):
++ for a in avc[0]:
++ if a not in self.avcinfo.keys():
++ self.avcinfo[a]=[]
++
++ self.avcinfo[a].append(avc[1:])
++
++ def getAccess(self):
++ if len(self.avcinfo.keys()) == 1:
++ for i in self.avcinfo.keys():
++ return i
+ else:
-+ ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
- return ret
-
-- def getUsers(self):
-- users=""
-- rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
-- if rc[0] == 0:
-- users+=rc[1]+"\n"
-- rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
-+ def defaultrole(self, name):
-+ for idx in range(self.usize):
-+ user = semanage_user_by_idx(self.ulist, idx)
-+ if semanage_user_get_name(user) == name:
-+ role=semanage_user_get_defrole(user)
-+ if role=="system_r":
-+ # targeted policy
-+ return "user_r"
++ keys=self.avcinfo.keys()
++ keys.sort()
++ ret="{"
++ for i in keys:
++ ret=ret + " " + i
++ ret=ret+" }"
++ return ret
++ def out(self, verbose=0):
++ ret=""
++ ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess())
++ if verbose:
++ keys=self.avcinfo.keys()
++ keys.sort()
++ for i in keys:
++ for x in self.avcinfo[i]:
++ ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0]
++ if len(x[1]):
++ ret=ret+"COMM=%s " % x[1]
++ if len(x[2]):
++ ret=ret+"NAME=%s " % x[2]
++ ret=ret + " : " + i
++ return ret
++ def gettarget(self):
++ if self.source == self.target:
++ return "self"
++ else:
++ return self.target
+
+- if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){
+- if($a ne "tclass"){
+- my($c,$c,$c) = split /:/, $b;
+- $b=$c;
+- }
+- $b=~s/\n//;
+- $group.="|$b";
+- next;
+- }
+- $b=~s/:\[\d+\]//;
+- $a=uc $a;
+- $info.="$a=$b ";
+- }
+-
+- my($c,$c,$c,$c) = split /\|/, $group;
+- $info=~s/\ $c=\S+\ //gi;
+- # escape regexp patterns --<g>
+- $info=~s/([^\w])/\\$1/g;
+-
+- @atypes=split /\ /,$command;
+- foreach $i(0..$#atypes){
+- $rules{$group}{$atypes[$i]}++;
+- }
+-
+- $info.=" ";
+- if($occur{$group}!~$info){
+- $occur{$group}.="\t#$info: $command\n";
+- }
+- else{
+- my ($a,$b) = split /$info:\ /, $occur{$group};
+- my ($temp) = split /\n/, $b;
++class allowRecords:
++ def __init__(self, input, last_reload=0, verbose=0):
++ self.last_reload=last_reload
++ self.allowRules={}
++ line = input.readline()
++ avc=[]
++ found=0
++ self.seclasses={}
++ self.types=[]
++ self.roles=[]
++ while line:
++ rec=line.split()
++ for i in rec:
++ if i=="avc:" or i=="message=avc:":
++ found=1
+ else:
-+ return role
-+ return name
-+ def getOldRole(self, role):
-+ rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users"))
-+ if rc[0] != 0:
-+ rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users"))
- if rc[0] == 0:
-- users+=rc[1]
-+ user=rc[1].split()
-+ role = user[3]
-+ if role == "{":
-+ role = user[4]
-+ return role
++ avc.append(i)
++ if found:
++ self.add(avc)
++ found=0
++ avc=[]
++ line = input.readline()
++
++ def add(self,avc):
++ scon=""
++ tcon=""
++ seclass=""
++ comm=""
++ name=""
++ msg=""
++ access=[]
++ if "security_compute_sid" in avc:
++ return
++
++ if "granted" in avc:
++ if "load_policy" in avc and self.last_reload:
++ self.allowRules={}
++ return
++ for i in range (0, len(avc)):
++ t=avc[i].split('=')
++ if t[0]=="scontext":
++ context=t[1].split(":")
++ scon=context[2]
++ srole=context[1]
++ continue
++ if t[0]=="tcontext":
++ context=t[1].split(":")
++ tcon=context[2]
++ trole=context[1]
++ continue
++ if t[0]=="tclass":
++ seclass=t[1]
++ continue
++ if t[0]=="comm":
++ comm=t[1]
++ continue
++ if t[0]=="name":
++ name=t[1]
++ continue
++ if t[0]=="msg":
++ msg=t[1]
++ continue
++ if avc[i]=="{":
++ i=i+1
++ while i<len(avc) and avc[i] != "}":
++ access.append(avc[i])
++ i=i+1
++ if scon=="" or tcon =="" or seclass=="":
++ return
++
++ self.add_seclass(seclass, access)
++ self.add_type(tcon)
++ self.add_type(scon)
++ self.add_role(srole)
++ self.add_role(trole)
+
-+ def adduser(self, udict, user, seuser, role):
-+ try:
-+ if seuser == "user_u" or user == "__default__":
-+ return
-+ # !!! chooses first role in the list to use in the file context !!!
-+ if role[-2:] == "_r" or role[-2:] == "_u":
-+ role = role[:-2]
-+ home = pwd.getpwnam(user)[5]
-+ if home == "/":
-+ return
-+ prefs = {}
-+ prefs["role"] = role
-+ prefs["home"] = home
-+ udict[seuser] = prefs
-+ except KeyError:
-+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
-+
-+ def getUsers(self):
- udict = {}
-- prefs = {}
-- if users != "":
-- ulist = users.split("\n")
-- for u in ulist:
-- user = u.split()
-- try:
-- if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
-+ if self.semanaged:
-+ (status, list, lsize) = semanage_seuser_list(self.semanageHandle)
-+ for idx in range(lsize):
-+ user=[]
-+ seuser = semanage_seuser_by_idx(list, idx)
-+ seusername=semanage_seuser_get_sename(seuser)
-+ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
++ if (scon, tcon, seclass) not in self.allowRules.keys():
++ self.allowRules[(scon, tcon, seclass)]=allow(scon, tcon, seclass)
+
-+ else:
-+ rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers")
-+ if rc[0] == 0 and rc[1] != "":
-+ ulist = rc[1].split("\n")
-+ for u in ulist:
-+ if len(u)==0:
- continue
-- # !!! chooses first role in the list to use in the file context !!!
-- role = user[3]
-- if role == "{":
-- role = user[4]
-- role = role.split("_r")[0]
-- home = pwd.getpwnam(user[1])[5]
-- if home == "/":
-+ user = u.split(":")
-+ if len(user) < 3:
- continue
-- prefs = {}
-- prefs["role"] = role
-- prefs["home"] = home
-- udict[user[1]] = prefs
-- except KeyError:
-- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
-+ role=self.getOldRole(user[1])
-+ self.adduser(udict, user[0], user[1], role)
- return udict
-
- def getHomeDirContext(self, user, home, role):
-@@ -362,9 +218,8 @@
- return ret + rc[1] + "\n"
-
- def getUserContext(self, user, sel_user, role):
-- ret="\n\n#\n# Other Context for user %s\n#\n\n" % user
- rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user))
-- return ret + rc[1] + "\n"
-+ return rc[1] + "\n"
-
- def genHomeDirContext(self):
- users = self.getUsers()
-@@ -478,10 +333,6 @@
- if type==None:
- type=getSELinuxType(directory)
++ self.allowRules[(scon, tcon, seclass)].add((access, msg, comm, name ))
++
++ def add_seclass(self,seclass, access):
++ if seclass not in self.seclasses.keys():
++ self.seclasses[seclass]=[]
++ for a in access:
++ if a not in self.seclasses[seclass]:
++ self.seclasses[seclass].append(a)
++
++ def add_role(self,role):
++ if role not in self.roles:
++ self.roles.append(role)
++
++ def add_type(self,type):
++ if type not in self.types:
++ self.types.append(type)
++
++ def module_out(self, module):
++ self.roles.sort()
++ self.types.sort()
++ keys=self.seclasses.keys()
++ keys.sort()
++ rec="module %s 1.0;" % module
++ rec+="\n\nrequire {\n"
++ for i in self.roles:
++ rec += "\trole %s; \n" % i
++ rec += "\n\n"
++ for i in keys:
++ access=self.seclasses[i]
++ access.sort()
++ rec+="\tclass %s { " % i
++ for a in access:
++ rec+=" %s" % a
++ rec+=" }; \n"
++ rec += "\n\n"
++
++ for i in self.types:
++ rec += "\ttype %s; \n" % i
++ rec += " };\n\n\n"
++ return rec
+
+- @com=split /\ /, $command;
+- foreach $i(1..$#com){
+- $b=" $com[$i]$b" if($temp!~$com[$i]);
+- }
+- $occur{$group}="$a$info: $b";
+- }
+-}
+-
+-# done with the input file
+-# now generate the rules
+-foreach $k (sort keys %rules)
+-{
+- my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k;
+- if ($scontext eq $tcontext) {
+- $tcontext = 'self';
+- }
+- print OUT "allow $scontext $tcontext:$tclass";
+-
+- my $access_types = $rules{$k};
+- $len=(keys %$access_types);
+- if ($len gt 2 ) { print OUT " {"; }
+- foreach $t (sort keys %$access_types) {
+- if ($t ne "") {print OUT " $t";}
+- }
+- if ($len gt 2 ) { print OUT " }"; }
+- print OUT ";\n";
+- $occur{$k} =~ s/\\(.)/$1/g; # de-escape string
+- print OUT "$occur{$k}\n" if ($verbose);
+-}
+-
+-exit;
+-
+-sub readNewline {
+- if($load_policy){
+- $newline=shift @log_buf;
+- }else{
+- $newline=<IN>;
+- }
+- return $newline;
+-}
+-
+-sub printUsage {
+- print "audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]
+- -d read input from output of /bin/dmesg
+- -v verbose output
+- -l read input only after last \"load_policy\"
+- -i read input from <inputfile>
+- -o append output to <outputfile>\n";
+- exit;
+-}
+-
++ def out(self, module):
++ rec=""
++ if module!="":
++ rec+=self.module_out(module)
++ for i in self.allowRules.keys():
++ rec += self.allowRules[i].out(verbose)+"\n"
++ return rec
++
++def usage():
++ print 'audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]\n\
++ -d read input from output of /bin/dmesg\n\
++ -v verbose output\n\
++ -l read input only after last \"load_policy\"\n\
++ -i read input from <inputfile>\n\
++ -m module output <modulename>\n\
++ -o append output to <outputfile>\n'
++ sys.exit(1)
++#
++# This script will generate home dir file context
++# based off the homedir_template file, entries in the password file, and
++#
++try:
++ last_reload=0
++ input=sys.stdin
++ output=sys.stdout
++ module=""
++ verbose=0
++ gopts, cmds = getopt.getopt(sys.argv[1:], 'vdo:hli:m:', ['help',
++ 'last_reload='])
++ for o,a in gopts:
++ if o == '--last_reload' or o == "-l":
++ last_reload=1
++ if o == "-v":
++ verbose=1
++ if o == "-i":
++ input=open(a, "r")
++ if o == "-m":
++ module=a
++ if o == '--help':
++ usage()
++ if o == "-d":
++ input=os.popen("/bin/dmesg", "r")
++ if o == "-o":
++ output=open(a, "a")
++ if len(cmds) != 0:
++ usage()
++ out=allowRecords(input, last_reload, verbose)
++ output.write(out.out(module))
++
++except getopt.error, error:
++ errorExit(string.join("Options Error ", error))
++except ValueError, error:
++ errorExit(string.join("ValueError ", error))
++except IndexError, error:
++ errorExit("IndexError")
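Review bot: errorExit() is called from all three except clauses at the end of this file (`errorExit(string.join("Options Error ", error))` and the two below it) but is not defined anywhere in the Python audit2allow added by this patch, so a bad option, a malformed context or a short record surfaces as a NameError traceback instead of the intended message; add a small errorExit that writes to stderr and exits non-zero, and build the message with "%s" formatting rather than string.join, which treats its first argument as the sequence to join and the exception as the separator. In allowRecords.__init__ the token list avc is only reset after a line containing "avc:" has been processed, so tokens from intervening non-AVC lines (a SYSCALL record's comm= or name= fields, or the word "granted") are carried into the next AVC record and mis-parsed by add(); reset avc = [] at the top of the while loop. The load_policy branch of add() clears self.allowRules but leaves self.seclasses, self.types and self.roles intact, so with -l the require block produced by module_out() still lists classes, types and roles seen before the last reload. allowRecords.__init__ also accepts verbose but never stores it; `rec += self.allowRules[i].out(verbose)+"\n"` in out() reads the module-level global instead, so keep it as self.verbose.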
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.perl policycoreutils-1.27.28/audit2allow/audit2allow.perl
+--- nsapolicycoreutils/audit2allow/audit2allow.perl 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-1.27.28/audit2allow/audit2allow.perl 2005-11-16 21:45:38.000000000 -0500
+@@ -0,0 +1,164 @@
++#!/usr/bin/perl
++
++# Adapted from:
++# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith at mcs.drexel.edu)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License as
++# published by the Free Software Foundation; either version 2 of
++# the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++# 02111-1307 USA
++# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam at users.sourceforge.jp)
++
++
++$load_policy_pattern="avc:.*granted.*{.*load_policy.*}";
++
++while ($opt = shift @ARGV) {
++ if ($opt eq "-d") { $read_dmesg++; }
++ elsif ($opt eq "-v") { $verbose++; }
++ elsif ($opt eq "-i") { $input = shift @ARGV; }
++ elsif ($opt eq "-o") { $output= shift @ARGV; }
++ elsif ($opt eq "-l") { $load_policy++; }
++ elsif ($opt eq "--help") { &printUsage; }
++ else { print "unknown option, '$opt'\n\n"; &printUsage; }
++}
++
++if ($read_dmesg && $input) {
++ print "Error, can't read from both dmesg and $input\n\n";
++ &printUsage;
++}
++
++if ($read_dmesg) { open (IN, "/bin/dmesg|"); }
++elsif ($input) { open (IN, "$input"); }
++else { open (IN, "-"); } # STDIN
++
++if ($output) { open (OUT, ">>$output"); }
++else { open (OUT, ">-"); } # STDOUT
++
++if($load_policy){ #store logs after last "load_policy" in @log_buf
++ while ($line = <IN>) {
++ if($line=~/$load_policy_pattern/) {
++ #stored logs are unnecessary
++ undef @log_buf;
++ }
++ else
++ {
++ push @log_buf,$line;
++ }
++ }
++}
++
++while ($line=&readNewline) {
++ next unless ($line =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/);
++ @types=split /\ /,$line;
++ $info="";
++ $group="";
++ $command="";
++ foreach $i(0..$#types){
++ next if($types[$i]!~/[=\{]/);
++ if($types[$i]=~/^\{/){
++ $j=$i+1;
++ while($types[$j]!~/\}/){
++ $command.=" $types[$j]";
++ $j++;
++ }
++ next;
++ }
++ my($a,$b) = split /=/,$types[$i];
++
++ next if($a eq "pid");
++ next if($a eq "dev");
++ next if($a eq "ino");
++
++ if(($a eq "scontext")||($a eq "tcontext")||($a eq "tclass")){
++ if($a ne "tclass"){
++ my($c,$c,$c) = split /:/, $b;
++ $b=$c;
++ }
++ $b=~s/\n//;
++ $group.="|$b";
++ next;
++ }
++ $b=~s/:\[\d+\]//;
++ $a=uc $a;
++ $info.="$a=$b ";
++ }
++
++ my($c,$c,$c,$c) = split /\|/, $group;
++ $info=~s/\ $c=\S+\ //gi;
++ # escape regexp patterns --<g>
++ $info=~s/([^\w])/\\$1/g;
++
++ @atypes=split /\ /,$command;
++ foreach $i(0..$#atypes){
++ $rules{$group}{$atypes[$i]}++;
++ }
++
++ $info.=" ";
++ if($occur{$group}!~$info){
++ $occur{$group}.="\t#$info: $command\n";
++ }
++ else{
++ my ($a,$b) = split /$info:\ /, $occur{$group};
++ my ($temp) = split /\n/, $b;
++
++ @com=split /\ /, $command;
++ foreach $i(1..$#com){
++ $b=" $com[$i]$b" if($temp!~$com[$i]);
++ }
++ $occur{$group}="$a$info: $b";
++ }
++}
++
++# done with the input file
++# now generate the rules
++foreach $k (sort keys %rules)
++{
++ my ($a,$scontext,$tcontext,$tclass) = split /\|/, $k;
++ if ($scontext eq $tcontext) {
++ $tcontext = 'self';
++ }
++ print OUT "allow $scontext $tcontext:$tclass";
++
++ my $access_types = $rules{$k};
++ $len=(keys %$access_types);
++ if ($len gt 2 ) { print OUT " {"; }
++ foreach $t (sort keys %$access_types) {
++ if ($t ne "") {print OUT " $t";}
++ }
++ if ($len gt 2 ) { print OUT " }"; }
++ print OUT ";\n";
++ $occur{$k} =~ s/\\(.)/$1/g; # de-escape string
++ print OUT "$occur{$k}\n" if ($verbose);
++}
++
++exit;
++
++sub readNewline {
++ if($load_policy){
++ $newline=shift @log_buf;
++ }else{
++ $newline=<IN>;
++ }
++ return $newline;
++}
++
++sub printUsage {
++ print "audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]
++ -d read input from output of /bin/dmesg
++ -v verbose output
++ -l read input only after last \"load_policy\"
++ -i read input from <inputfile>
++ -o append output to <outputfile>\n";
++ exit;
++}
++
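Review bot: the two-argument `open (IN, "$input")` and `open (OUT, ">>$output")` let mode characters in the -i/-o filename (a leading "<" or ">", a trailing "|") change how the file is opened, and neither call checks its return value, so a missing input file silently yields empty output; if this script is kept alongside the Python rewrite, use the three-argument form, open(IN, '<', $input) and open(OUT, '>>', $output), with an `or die` on each. Since the Makefile hunk below no longer installs this file, a comment in the header saying it is retained for reference only would also help.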
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/Makefile policycoreutils-1.27.28/audit2allow/Makefile
+--- nsapolicycoreutils/audit2allow/Makefile 2005-09-12 16:33:30.000000000 -0400
++++ policycoreutils-1.27.28/audit2allow/Makefile 2005-11-16 21:45:38.000000000 -0500
+@@ -10,7 +10,7 @@
+
+ install: all
+ -mkdir -p $(BINDIR)
+- install -m 755 $(TARGETS) $(BINDIR)
++ install -m 755 $(TARGETS).py $(BINDIR)
+ -mkdir -p $(MANDIR)/man1
+ install -m 644 audit2allow.1 $(MANDIR)/man1/
+
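Review bot: `install -m 755 $(TARGETS).py $(BINDIR)` installs a file named with a .py suffix, but the Python script this patch adds is audit2allow/audit2allow (first hunk of this patch), not audit2allow.py; unless TARGETS is redefined elsewhere (not visible here), make will fail to find $(TARGETS).py, and if it did exist it would land in $(BINDIR) as audit2allow.py while the usage text and the man page installed two lines below (audit2allow.1) refer to audit2allow. Suggest keeping `install -m 755 $(TARGETS) $(BINDIR)` and leaving the script's installed name unchanged.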
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.28/scripts/genhomedircon
+--- nsapolicycoreutils/scripts/genhomedircon 2005-11-16 15:27:46.000000000 -0500
++++ policycoreutils-1.27.28/scripts/genhomedircon 2005-11-16 21:45:38.000000000 -0500
+@@ -29,7 +29,9 @@
+ import commands, sys, os, pwd, string, getopt, re
+ from semanage import *;
-- if len(cmds) == 2:
-- oldgenhomedircon(cmds[0], cmds[1])
-- sys.exit(0)
--
- if len(cmds) != 0:
- usage()
- selconf=selinuxConfig(directory, type, usepwd)
+-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
++fd=open("/etc/shells", 'r')
++VALID_SHELLS=fd.read().split('\n')
++fd.close()
+
+ def getStartingUID():
+ starting_uid = sys.maxint
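Review bot: `fd=open("/etc/shells", 'r')` runs at import time with no error handling, so on a system where /etc/shells is absent or unreadable genhomedircon now aborts with an IOError traceback before option parsing; wrap the read in try/except and fall back to the previous EXCLUDE_LOGINS list. `VALID_SHELLS=fd.read().split('\n')` also keeps comment lines and the empty string left by the final newline; filter them, for example `[s.strip() for s in fd if s.strip() and not s.startswith('#')]`, so the list holds only shell paths.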
+@@ -272,7 +274,7 @@
+ ulist = pwd.getpwall()
+ for u in ulist:
+ if u[2] >= starting_uid and \
+- not u[6] in EXCLUDE_LOGINS and \
++ u[6] in VALID_SHELLS and \
+ u[5] != "/" and \
+ string.count(u[5], "/") > 1:
+ homedir = u[5][:string.rfind(u[5], "/")]
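Review bot: replacing `not u[6] in EXCLUDE_LOGINS` with `u[6] in VALID_SHELLS` turns the deny-list into an allow-list, so an account whose login shell is valid but not listed in /etc/shells (a site-local or chrooted shell) silently stops being treated as a real user and gets no home directory context, while a passwd entry with an empty shell field still matches the empty string that split('\n') leaves at the end of VALID_SHELLS. If the allow-list is intended, document the dependence on /etc/shells in the comment block at the top of the script and write a warning to stderr for each user skipped on this condition so the change is visible to administrators.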
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.176
retrieving revision 1.177
diff -u -r1.176 -r1.177
--- policycoreutils.spec 14 Nov 2005 18:59:33 -0000 1.176
+++ policycoreutils.spec 17 Nov 2005 02:49:32 -0000 1.177
@@ -1,9 +1,9 @@
-%define libsepolver 1.9.39-1
-%define libsemanagever 1.3.53-2
+%define libsepolver 1.9.40-1
+%define libsemanagever 1.3.56-1
Summary: SELinux policy core utilities.
Name: policycoreutils
-Version: 1.27.27
-Release: 5
+Version: 1.27.28
+Release: 1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -88,6 +88,12 @@
%config(noreplace) %{_sysconfdir}/sestatus.conf
%changelog
+
+* Wed Nov 16 2005 Dan Walsh <dwalsh at redhat.com> 1.27.28-1
+- Update to match NSA
+ * Merged genhomedircon rewrite from Dan Walsh.
+- Rewrite audit2allow to python
+
* Mon Nov 14 2005 Dan Walsh <dwalsh at redhat.com> 1.27.27-5
- Fix genhomedircon to work with non libsemanage systems
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/sources,v
retrieving revision 1.83
retrieving revision 1.84
diff -u -r1.83 -r1.84
--- sources 10 Nov 2005 02:59:06 -0000 1.83
+++ sources 17 Nov 2005 02:49:32 -0000 1.84
@@ -1 +1 @@
-1434688ebb8140e900747448b099e873 policycoreutils-1.27.27.tgz
+b07eb927454989b6d4f458a70a38d357 policycoreutils-1.27.28.tgz