rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.367, 1.368 policycoreutils-sepolgen.patch, 1.11, 1.12 policycoreutils.spec, 1.529, 1.530

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Jun 23 11:10:50 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16337

Modified Files:
	policycoreutils-rhat.patch policycoreutils-sepolgen.patch 
	policycoreutils.spec 
Log Message:
* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 2.0.49-8
- Fix sepolgen/audit2allow handling of roles


policycoreutils-rhat.patch:

Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.367
retrieving revision 1.368
diff -u -r1.367 -r1.368
--- policycoreutils-rhat.patch	12 Jun 2008 18:35:22 -0000	1.367
+++ policycoreutils-rhat.patch	23 Jun 2008 11:09:58 -0000	1.368
@@ -1,15 +1,56 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile
---- nsapolicycoreutils/Makefile	2008-05-22 14:01:49.000000000 -0400
-+++ policycoreutils-2.0.49/Makefile	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/Makefile	2008-06-12 23:25:24.000000000 -0400
++++ policycoreutils-2.0.49/Makefile	2008-06-23 07:03:37.000000000 -0400
 @@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
  
  INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
  
+diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.49/audit2allow/audit2allow
+--- nsapolicycoreutils/audit2allow/audit2allow	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/audit2allow/audit2allow	2008-06-23 07:03:50.000000000 -0400
+@@ -152,12 +152,13 @@
+ 
+     def __process_input(self):
+         if self.__options.type:
+-            avcfilter = audit.TypeFilter(self.__options.type)
++            avcfilter = audit.AVCTypeFilter(self.__options.type)
+             self.__avs = self.__parser.to_access(avcfilter)
+-            self.__selinux_errs = self.__parser.to_role(avcfilter)
++            csfilter = audit.ComputeSidTypeFilter(self.__options.type)
++            self.__role_types = self.__parser.to_role(csfilter)
+         else:
+             self.__avs = self.__parser.to_access()
+-            self.__selinux_errs = self.__parser.to_role()
++            self.__role_types = self.__parser.to_role()
+ 
+     def __load_interface_info(self):
+         # Load interface info file
+@@ -310,6 +311,7 @@
+ 
+         # Generate the policy
+         g.add_access(self.__avs)
++        g.add_role_types(self.__role_types)
+ 
+         # Output
+         writer = output.ModuleWriter()
+@@ -328,12 +330,6 @@
+                 fd = sys.stdout
+             writer.write(g.get_module(), fd)
+ 
+-            if len(self.__selinux_errs) > 0:
+-                fd.write("\n=========== ROLES ===============\n")
+-
+-            for role in self.__selinux_errs:
+-                fd.write(role.output())
+-
+     def main(self):
+         try:
+             self.__parse_options()
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
---- nsapolicycoreutils/restorecond/restorecond.c	2008-05-22 14:01:42.000000000 -0400
-+++ policycoreutils-2.0.49/restorecond/restorecond.c	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.c	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/restorecond/restorecond.c	2008-06-23 07:03:37.000000000 -0400
 @@ -210,9 +210,10 @@
  			}
  
@@ -37,8 +78,8 @@
  	free(scontext);
  	close(fd);
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
---- nsapolicycoreutils/restorecond/restorecond.init	2008-05-22 14:01:42.000000000 -0400
-+++ policycoreutils-2.0.49/restorecond/restorecond.init	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.init	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/restorecond/restorecond.init	2008-06-23 07:03:37.000000000 -0400
 @@ -2,7 +2,7 @@
  #
  # restorecond:		Daemon used to maintain path file context
@@ -49,8 +90,8 @@
  # listed in the /etc/selinux/restorecond.conf file, and restores the \
  # correct security context.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
---- nsapolicycoreutils/scripts/fixfiles	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/scripts/fixfiles	2008-05-22 13:56:53.000000000 -0400
+--- nsapolicycoreutils/scripts/fixfiles	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/scripts/fixfiles	2008-06-23 07:03:37.000000000 -0400
 @@ -138,6 +138,9 @@
  fi
  LogReadOnly
@@ -81,8 +122,8 @@
  
  if [ $# = 0 ]; then
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8
---- nsapolicycoreutils/scripts/fixfiles.8	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/scripts/fixfiles.8	2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/scripts/fixfiles.8	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/scripts/fixfiles.8	2008-06-23 07:03:37.000000000 -0400
 @@ -7,6 +7,8 @@
  
  .B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] 
@@ -103,8 +144,8 @@
  .SH "OPTIONS"
  .TP 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage
---- nsapolicycoreutils/semanage/semanage	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/semanage/semanage	2008-06-12 14:34:26.499263000 -0400
+--- nsapolicycoreutils/semanage/semanage	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/semanage/semanage	2008-06-23 07:03:37.000000000 -0400
 @@ -43,49 +43,52 @@
  if __name__ == '__main__':
  
@@ -231,8 +272,8 @@
  			
  		if modify:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8
---- nsapolicycoreutils/semanage/semanage.8	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/semanage/semanage.8	2008-06-11 16:18:48.000000000 -0400
+--- nsapolicycoreutils/semanage/semanage.8	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/semanage/semanage.8	2008-06-23 07:03:37.000000000 -0400
 @@ -17,6 +17,8 @@
  .br
  .B semanage fcontext \-{a|d|m} [\-frst] file_spec
@@ -256,8 +297,8 @@
  Examples by Thomas Bleher <ThomasBleher at gmx.de>.
 -
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py
---- nsapolicycoreutils/semanage/seobject.py	2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/semanage/seobject.py	2008-06-12 14:34:36.038161000 -0400
+--- nsapolicycoreutils/semanage/seobject.py	2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/semanage/seobject.py	2008-06-23 07:03:37.000000000 -0400
 @@ -1,5 +1,5 @@
  #! /usr/bin/python -E
 -# Copyright (C) 2005, 2006, 2007 Red Hat 

policycoreutils-sepolgen.patch:

Index: policycoreutils-sepolgen.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-sepolgen.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policycoreutils-sepolgen.patch	11 Jun 2008 20:20:16 -0000	1.11
+++ policycoreutils-sepolgen.patch	23 Jun 2008 11:09:58 -0000	1.12
@@ -1,28 +1,195 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py	2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py	2008-06-23 07:04:21.000000000 -0400
+@@ -295,3 +295,32 @@
+             perms[av.obj_class] = s
+         s.update(av.perms)
+     return perms
++
++class RoleTypeSet:
++    """A non-overlapping set of role type statements.
++
++    This clas allows the incremental addition of role type statements and
++    maintains a non-overlapping list of statements.
++    """
++    def __init__(self):
++        """Initialize an access vector set."""
++        self.role_types = {}
++
++    def __iter__(self):
++        """Iterate over all of the unique role allows statements in the set."""
++        for role_type in self.role_types.values():
++            yield role_type
++
++    def __len__(self):
++        """Return the unique number of role allow statements."""
++        return len(self.roles)
++
++    def add(self, role, type):
++        if self.role_types.has_key(role):
++            role_type = self.role_types[role]
++        else:
++            role_type = refpolicy.RoleType()
++            role_type.role = role
++            self.role_types[role] = role_type
++
++        role_type.types.add(type)
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
---- nsasepolgen/src/sepolgen/audit.py	2008-01-23 14:36:29.000000000 -0500
-+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py	2008-05-28 10:11:36.373597000 -0400
-@@ -241,14 +241,17 @@
+--- nsasepolgen/src/sepolgen/audit.py	2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py	2008-06-23 07:05:23.000000000 -0400
+@@ -235,20 +235,21 @@
+     """
+     def __init__(self, message):
+         AuditMessage.__init__(self, message)
+-        self.type = ""
+-        self.role = ""
++        self.invalid_context = refpolicy.SecurityContext()
++        self.scontext = refpolicy.SecurityContext()
++        self.tcontext = refpolicy.SecurityContext()
++        self.tclass = ""
+ 
      def from_split_string(self, recs):
          AuditMessage.from_split_string(self, recs)
-         dict={}
-+        ctr = 0
-         for i in recs:
-+            ctr = ctr + 1
-             t = i.split('=')
-             if len(t) < 2:
-+                if t[0] == "context":
-+                    self.type = refpolicy.SecurityContext(recs[ctr]).type
-                 continue
-             dict[t[0]]=t[1]
+-        dict={}
+-        for i in recs:
+-            t = i.split('=')
+-            if len(t) < 2:
+-                continue
+-            dict[t[0]]=t[1]
++        if len(recs) < 10:
++            raise ValueError("Split string does not represent a valid compute sid message")
++
          try:
-             self.role = refpolicy.SecurityContext(dict["scontext"]).role
+-            self.role = refpolicy.SecurityContext(dict["scontext"]).role
 -            self.type = refpolicy.SecurityContext(dict["tcontext"]).type
++            self.invalid_context = refpolicy.SecurityContext(recs[5])
++            self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1])
++            self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1])
++            self.tclass = recs[9].split("=")[1]
          except:
              raise ValueError("Split string does not represent a valid compute sid message")
      def output(self):
+@@ -405,7 +406,7 @@
+         self.__post_process()
+ 
+     def to_role(self, role_filter=None):
+-        """Return list of SELINUX_ERR messages matching the specified filter
++        """Return RoleAllowSet statements matching the specified filter
+ 
+         Filter out types that match the filer, or all roles
+ 
+@@ -416,13 +417,12 @@
+            Access vector set representing the denied access in the
+            audit logs parsed by this object.
+         """
+-        roles = []
+-        if role_filter:
+-            for selinux_err in self.compute_sid_msgs:
+-                if role_filter.filter(selinux_err):
+-                    roles.append(selinux_err)
+-            return roles
+-        return self.compute_sid_msgs
++        role_types = access.RoleTypeSet()
++        for cs in self.compute_sid_msgs:
++            if not role_filter or role_filter.filter(cs):
++                role_types.add(cs.invalid_context.role, cs.invalid_context.type)
++        
++        return role_types
+ 
+     def to_access(self, avc_filter=None, only_denials=True):
+         """Convert the audit logs access into a an access vector set.
+@@ -454,7 +454,7 @@
+                            avc.accesses, avc)
+         return av_set
+ 
+-class TypeFilter:
++class AVCTypeFilter:
+     def __init__(self, regex):
+         self.regex = re.compile(regex)
+ 
+@@ -465,4 +465,17 @@
+             return True
+         return False
+ 
++class ComputeSidTypeFilter:
++    def __init__(self, regex):
++        self.regex = re.compile(regex)
++
++    def filter(self, avc):
++        if self.regex.match(avc.invalid_context.type):
++            return True
++        if self.regex.match(avc.scontext.type):
++            return True
++        if self.regex.match(avc.tcontext.type):
++            return True
++        return False
++
+ 
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/output.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py
+--- nsasepolgen/src/sepolgen/output.py	2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py	2008-06-23 07:04:31.000000000 -0400
+@@ -101,6 +101,8 @@
+         else:
+             return id_set_cmp(a.src_types, [b.args[0]])
+                 
++def role_type_cmp(a, b):
++    return cmp(a.role, b.role)
+ 
+ def sort_filter(module):
+     """Sort and group the output for readability.
+@@ -146,6 +148,18 @@
+ 
+         c.extend(sep_rules)
+ 
++
++        ras = []
++        ras.extend(node.role_types())
++        ras.sort(role_type_cmp)
++        if len(ras):
++            comment = refpolicy.Comment()
++            comment.lines.append("============= ROLES ==============")
++            c.append(comment)
++        
++
++        c.extend(ras)
++
+         # Everything else
+         for child in node.children:
+             if child not in c:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py	2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py	2008-06-23 07:04:36.000000000 -0400
+@@ -167,6 +167,13 @@
+         if self.gen_requires:
+             gen_requires(self.module)
+ 
++    def add_role_types(self, role_type_set):
++        for role_type in role_type_set:
++            self.module.children.append(role_type)
++
++        # Generate the requires
++        if self.gen_requires:
++            gen_requires(self.module)
+ 
+ def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
+     """Explain why a policy statement was generated.
+@@ -334,8 +341,12 @@
+                 # can actually figure those out.
+                 r.types.add(arg)
+ 
+-        r.types.discard("self")
++        for role_type in node.role_types():
++            r.roles.add(role_type.role)
++            r.types.update(role_type.types)
+                 
++        r.types.discard("self")
++
+         node.children.insert(0, r)
+ 
+     # FUTURE - this is untested on modules with any sort of
 diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
---- nsasepolgen/src/sepolgen/refparser.py	2008-01-23 14:36:29.000000000 -0500
-+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py	2008-05-16 11:27:03.000000000 -0400
+--- nsasepolgen/src/sepolgen/refparser.py	2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py	2008-06-23 07:05:23.000000000 -0400
 @@ -919,7 +919,7 @@
  def list_headers(root):
      modules = []
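Review bot: `RoleTypeSet.__len__` returns `len(self.roles)`, but the only attribute the class sets is `self.role_types`, so any `len()` on the set raises AttributeError; it should read `return len(self.role_types)`. In the same class the docstring says "This clas allows" and `__init__` is documented as "Initialize an access vector set", both copy-paste leftovers from the AV set. The `to_role` docstring still says it returns "RoleAllowSet statements" and describes the result as an "Access vector set representing the denied access", while the new body returns an `access.RoleTypeSet` built from compute-sid messages. `ComputeSidMessage.from_split_string` (its class header lies above the hunk) now reads fields by fixed position (`recs[5]`, `recs[7]`..`recs[9]`) under a bare `except:`, so a record whose field order differs from the expected layout is reported only as the generic "not a valid compute sid message"; keying on the `scontext=`/`tcontext=`/`tclass=` prefixes, or at least narrowing the clause to `except (IndexError, ValueError):`, would make such a mismatch diagnosable from the audit log rather than silently dropped.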
@@ -32,3 +199,35 @@
  
      for dirpath, dirnames, filenames in os.walk(root):
          for name in filenames:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py
+--- nsasepolgen/src/sepolgen/refpolicy.py	2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py	2008-06-23 07:04:47.000000000 -0400
+@@ -122,6 +122,12 @@
+     def roles(self):
+         return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self))
+ 
++    def role_allows(self):
++        return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self))
++
++    def role_types(self):
++        return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self))
++
+     def __str__(self):
+         if self.comment:
+             return str(self.comment) + "\n" + self.to_string()
+@@ -494,6 +500,15 @@
+         return "allow %s %s;" % (self.src_roles.to_comma_str(),
+                                  self.tgt_roles.to_comma_str())
+ 
++class RoleType(Leaf):
++    def __init__(self, parent=None):
++        Leaf.__init__(self, parent)
++        self.role = ""
++        self.types = IdSet()
++
++    def to_string(self):
++        return "role %s types %s;" % (self.role, self.types.to_comma_str())
++
+ class ModuleDeclaration(Leaf):
+     def __init__(self, parent=None):
+         Leaf.__init__(self, parent)
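Review bot: The new `RoleType` leaf has no docstring explaining which policy statement it represents, although `to_string` fixes the form; a one-liner such as `"""Leaf for a 'role <role> types <type, ...>;' declaration."""` would make the tree walk in `role_types()` self-explanatory. `Node.role_allows()` is also added here but nothing in this commit's visible hunks calls it, so it may be unused scaffolding; if it is meant for a later change, a short comment saying so would help.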


Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.529
retrieving revision 1.530
diff -u -r1.529 -r1.530
--- policycoreutils.spec	16 Jun 2008 10:43:37 -0000	1.529
+++ policycoreutils.spec	23 Jun 2008 11:09:58 -0000	1.530
@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.49
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -21,7 +21,6 @@
 Source8: policycoreutils_man_ru2.tar.bz2
 Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-po.patch
-#Patch2: policycoreutils-sepolgen.patch
 Patch3:	 policycoreutils-gui.patch
 Patch4:	 policycoreutils-sepolgen.patch
 
@@ -52,9 +51,8 @@
 %setup -q -a 1 
 %patch -p1 -b .rhat
 %patch1 -p1 -b .rhatpo
-#%patch2 -p1 -b .sepolgen
 %patch3 -p1 -b .gui
-%patch4 -p1 -b .sepolgen
+#%patch4 -p1 -b .sepolgen
 
 %build
 make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
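Review bot: `%patch4 -p1 -b .sepolgen` is commented out in this hunk, so policycoreutils-sepolgen.patch is no longer applied, yet the audit2allow hunk of policycoreutils-rhat.patch (`@@ -1,15 +1,56 @@`) now calls `audit.AVCTypeFilter`, `audit.ComputeSidTypeFilter` and `g.add_role_types`, which only that sepolgen patch adds. Unless the sepolgen tree unpacked by `%setup -q -a 1` already carries those changes, the built audit2allow will raise AttributeError at `g.add_role_types(self.__role_types)` on every run, and the changelog entry "Fix sepolgen/audit2allow handling of roles" would describe a fix that is not in the package. If the patch is meant to ship, the line should remain `%patch4 -p1 -b .sepolgen`; if it is intentionally held back, the audit2allow changes need to be held back with it.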
@@ -193,6 +191,9 @@
 fi
 
 %changelog
+* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 2.0.49-8
+- Fix sepolgen/audit2allow handling of roles
+
 * Mon Jun 16 2008 Dan Walsh <dwalsh at redhat.com> 2.0.49-7
 - Fix sepolgen-ifgen processing
 



