rpms/policycoreutils/F-12 .cvsignore, 1.203, 1.204 policycoreutils-rhat.patch, 1.454, 1.455 policycoreutils-sepolgen.patch, 1.28, 1.29 policycoreutils.spec, 1.657, 1.658 sources, 1.212, 1.213
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Dec 9 21:34:46 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5548
Modified Files:
.cvsignore policycoreutils-rhat.patch
policycoreutils-sepolgen.patch policycoreutils.spec sources
Log Message:
* Tue Dec 8 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-3
- Fix audit2allow to report constraints, dontaudits, types, booleans
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-12/.cvsignore,v
retrieving revision 1.203
retrieving revision 1.204
diff -u -p -r1.203 -r1.204
--- .cvsignore 17 Sep 2009 13:07:45 -0000 1.203
+++ .cvsignore 9 Dec 2009 21:34:45 -0000 1.204
@@ -208,3 +208,8 @@ policycoreutils-2.0.71.tgz
sepolgen-1.0.17.tgz
policycoreutils-2.0.73.tgz
policycoreutils-2.0.74.tgz
+policycoreutils-2.0.75.tgz
+policycoreutils-2.0.76.tgz
+policycoreutils-2.0.77.tgz
+policycoreutils-2.0.78.tgz
+sepolgen-1.0.19.tgz
policycoreutils-rhat.patch:
Makefile | 2
audit2allow/audit2allow | 59 +--
restorecond/Makefile | 24 +
restorecond/org.selinux.Restorecond.service | 3
restorecond/restorecond.8 | 15
restorecond/restorecond.c | 428 +++++-----------------------
restorecond/restorecond.conf | 5
restorecond/restorecond.desktop | 7
restorecond/restorecond.h | 18 +
restorecond/restorecond.init | 5
restorecond/restorecond_user.conf | 2
restorecond/user.c | 237 +++++++++++++++
restorecond/watch.c | 254 ++++++++++++++++
sandbox/Makefile | 31 ++
sandbox/deliverables/README | 32 ++
sandbox/deliverables/basicwrapper | 4
sandbox/deliverables/run-in-sandbox.py | 49 +++
sandbox/deliverables/sandbox | 216 ++++++++++++++
sandbox/sandbox | 253 ++++++++++++++++
sandbox/sandbox.8 | 26 +
sandbox/sandboxX.sh | 16 +
sandbox/seunshare.c | 265 +++++++++++++++++
semanage/semanage | 122 ++++++-
semanage/seobject.py | 397 ++++++++++++++++++++-----
semodule/semodule.8 | 6
semodule/semodule.c | 53 +++
setfiles/restore.c | 7
setfiles/restore.h | 1
setfiles/restore.o |binary
setfiles/restorecon.8 | 7
setfiles/setfiles.8 | 3
setfiles/setfiles.c | 9
32 files changed, 2042 insertions(+), 514 deletions(-)
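Review bot: "setfiles/restore.o |binary" in the diffstat means a compiled object file has been captured into policycoreutils-rhat.patch. A .o is a build artifact, not source; patch(1) only reports "Binary files differ" for it, and an opaque binary blob inside a source patch cannot be reviewed. Drop it from the patch (add *.o to the "exclude" file used by --exclude-from=exclude, or run make clean in the tree before diffing) and regenerate.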
View full diff with command:
/usr/bin/cvs -n -f diff -kk -u -p -N -r 1.454 -r 1.455 policycoreutils-rhat.patch
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-12/policycoreutils-rhat.patch,v
retrieving revision 1.454
retrieving revision 1.455
diff -u -p -r1.454 -r1.455
--- policycoreutils-rhat.patch 16 Nov 2009 21:55:53 -0000 1.454
+++ policycoreutils-rhat.patch 9 Dec 2009 21:34:45 -0000 1.455
@@ -1,7 +1,15 @@
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.74/audit2allow/audit2allow
---- nsapolicycoreutils/audit2allow/audit2allow 2009-09-17 08:59:51.000000000 -0400
-+++ policycoreutils-2.0.74/audit2allow/audit2allow 2009-11-09 16:05:58.000000000 -0500
-@@ -42,6 +42,8 @@
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
+--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
++++ policycoreutils-2.0.78/audit2allow/audit2allow 2009-12-08 17:05:49.000000000 -0500
+@@ -28,6 +28,7 @@
+ import sepolgen.defaults as defaults
+ import sepolgen.module as module
+ from sepolgen.sepolgeni18n import _
++import selinux.audit2why as audit2why
+
+ class AuditToPolicy:
+ VERSION = "%prog .1"
+@@ -42,6 +43,8 @@
from optparse import OptionParser
parser = OptionParser(version=self.VERSION)
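Review bot: moving "import selinux.audit2why as audit2why" to module scope turns audit2why into an import-time hard requirement for every audit2allow run, where previously it was imported only inside __output_audit2why for the explanation path. On a build or host whose libselinux python bindings lack the audit2why extension, audit2allow now fails before the option parser even runs. If the dependency is intended, spell it out in the spec's Requires; otherwise wrap the import in try/except ImportError and disable the explanation features with a warning.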
@@ -10,7 +18,7 @@ diff --exclude-from=exclude --exclude=se
parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
-@@ -80,11 +82,11 @@
+@@ -80,11 +83,11 @@
options, args = parser.parse_args()
# Make -d, -a, and -i conflict
@@ -25,7 +33,7 @@ diff --exclude-from=exclude --exclude=se
if options.input is not None and options.dmesg is True:
sys.stderr.write("error: --input conflicts with --dmesg\n")
-@@ -129,6 +131,12 @@
+@@ -129,6 +132,12 @@
except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1)
@@ -38,39 +46,101 @@ diff --exclude-from=exclude --exclude=se
else:
# This is the default if no input is specified
f = sys.stdin
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/load_policy/Makefile policycoreutils-2.0.74/load_policy/Makefile
---- nsapolicycoreutils/load_policy/Makefile 2009-09-17 08:59:51.000000000 -0400
-+++ policycoreutils-2.0.74/load_policy/Makefile 2009-11-09 16:05:58.000000000 -0500
-@@ -1,6 +1,7 @@
- # Installation directories.
- PREFIX ?= ${DESTDIR}/usr
--SBINDIR ?= $(PREFIX)/sbin
-+SBINDIR ?= $(DESTDIR)/sbin
-+USRSBINDIR ?= $(PREFIX)/sbin
- MANDIR ?= $(PREFIX)/share/man
- LOCALEDIR ?= /usr/share/locale
-
-@@ -17,6 +18,8 @@
- install -m 755 $(TARGETS) $(SBINDIR)
- test -d $(MANDIR)/man8 || install -m 755 -d $(MANDIR)/man8
- install -m 644 load_policy.8 $(MANDIR)/man8/
-+ -mkdir -p $(USRSBINDIR)
-+ ln -s /sbin/load_policy $(USRSBINDIR)/load_policy
-
- clean:
- -rm -f $(TARGETS) *.o
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.74/Makefile
---- nsapolicycoreutils/Makefile 2009-09-17 08:59:51.000000000 -0400
-+++ policycoreutils-2.0.74/Makefile 2009-11-09 16:05:58.000000000 -0500
+@@ -220,63 +229,44 @@
+
+ def __output_audit2why(self):
+ import selinux
+- import selinux.audit2why as audit2why
+ import seobject
+- audit2why.init()
+ for i in self.__parser.avc_msgs:
+- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
+- if rc >= 0:
++ if i.type >= 0:
+ print "%s\n\tWas caused by:" % i.message
+- if rc == audit2why.NOPOLICY:
+- raise RuntimeError("Must call policy_init first")
+- if rc == audit2why.BADTCON:
+- print "Invalid Target Context %s\n" % i.tcontext
+- continue
+- if rc == audit2why.BADSCON:
+- print "Invalid Source Context %s\n" % i.scontext
+- continue
+- if rc == audit2why.BADSCON:
+- print "Invalid Type Class %s\n" % i.tclass
+- continue
+- if rc == audit2why.BADPERM:
+- print "Invalid permission %s\n" % i.accesses
+- continue
+- if rc == audit2why. BADCOMPUTE:
+- raise RuntimeError("Error during access vector computation")
+- if rc == audit2why.ALLOW:
++ if i.type == audit2why.ALLOW:
+ print "\t\tUnknown - would be allowed by active policy\n",
+ print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
+ print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
+ continue
+- if rc == audit2why.DONTAUDIT:
++ if i.type == audit2why.DONTAUDIT:
+ print "\t\tUnknown - should be dontaudit'd by active policy\n",
+ print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
+ print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
+ continue
+- if rc == audit2why.BOOLEAN:
+- if len(bools) > 1:
++ if i.type == audit2why.BOOLEAN:
++ if len(i.bools) > 1:
+ print "\tOne of the following booleans was set incorrectly."
+- for b in bools:
++ for b in i.bools:
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
+ else:
+- print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
+- print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
+- print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
++ print "\tThe boolean %s was set incorrectly. " % (i.bools[0][0])
++ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(i.bools[0][0])
++ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (i.bools[0][0], i.bools[0][1])
+ continue
+
+- if rc == audit2why.TERULE:
++ if i.type == audit2why.TERULE:
+ print "\t\tMissing type enforcement (TE) allow rule.\n"
+ print "\t\tYou can use audit2allow to generate a loadable module to allow this access.\n"
+ continue
+
+- if rc == audit2why.CONSTRAINT:
++ if i.type == audit2why.CONSTRAINT:
+ print "\t\tPolicy constraint violation.\n"
+ print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
+ print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
+ continue
+
+- if rc == audit2why.RBAC:
++ if i.type == audit2why.RBAC:
+ print "\t\tMissing role allow rule.\n"
+ print "\t\tAdd an allow rule for the role pair.\n"
+ continue
+@@ -344,5 +334,6 @@
+ sys.exit(0)
+
+ if __name__ == "__main__":
++ audit2why.init()
+ app = AuditToPolicy()
+ app.main()
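Review bot: audit2why.init() is now called unconditionally from __main__, before AuditToPolicy() has built its OptionParser, so every invocation loads and analyzes against the active policy even when the __output_audit2why explanation was not requested, and the call cannot take any parsed option into account. On a host with no policy loaded, or if init() raises, audit2allow aborts outright instead of still generating rules as before. Prefer calling init() after parse_args() and treating a failure as "no explanations available" with a warning. One positive: the unreachable duplicate "if rc == audit2why.BADSCON:" branch that printed "Invalid Type Class" is gone here, but the same copy-paste is carried into AVCMessage.analyze() in the sepolgen patch of this commit and needs fixing there too.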
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.78/Makefile
+--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
++++ policycoreutils-2.0.78/Makefile 2009-12-08 17:05:49.000000000 -0500
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.74/restorecond/Makefile
---- nsapolicycoreutils/restorecond/Makefile 2009-09-17 08:59:51.000000000 -0400
-+++ policycoreutils-2.0.74/restorecond/Makefile 2009-11-09 16:05:58.000000000 -0500
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.78/restorecond/Makefile
+--- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400
++++ policycoreutils-2.0.78/restorecond/Makefile 2009-12-08 17:05:49.000000000 -0500
@@ -1,17 +1,28 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
@@ -117,16 +187,16 @@ diff --exclude-from=exclude --exclude=se
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.74/restorecond/org.selinux.Restorecond.service
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.74/restorecond/org.selinux.Restorecond.service 2009-11-09 16:05:58.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.74/restorecond/restorecond.8
---- nsapolicycoreutils/restorecond/restorecond.8 2009-09-17 08:59:51.000000000 -0400
-+++ policycoreutils-2.0.74/restorecond/restorecond.8 2009-11-09 16:05:58.000000000 -0500
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.78/restorecond/restorecond.8
+--- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400
++++ policycoreutils-2.0.78/restorecond/restorecond.8 2009-12-08 17:05:49.000000000 -0500
@@ -3,7 +3,7 @@
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
@@ -161,9 +231,9 @@ diff --exclude-from=exclude --exclude=se
.SH "SEE ALSO"
[...2557 lines suppressed...]
-- base = basename(progname);
-+ base = basename(r_opts.progname);
-
- if (!strcmp(base, SETFILES)) {
- /*
-@@ -832,28 +338,28 @@
- iamrestorecon = 0;
- recurse = 1;
- expand_realpath = 0;
-- abort_on_error = 1;
-- add_assoc = 1;
-- fts_flags = FTS_PHYSICAL | FTS_XDEV;
-+ r_opts.abort_on_error = 1;
-+ r_opts.add_assoc = 1;
-+ r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV;
- ctx_validate = 1;
- } else {
- /*
- * restorecon:
- * No recursive descent unless -r/-R,
-- * Expands paths via realpath,
- * Do not abort on errors during the file tree walk,
-+ * Expands paths via realpath,
- * Do not try to track inode associations for conflict detection,
- * Follows mounts,
- * Does lazy validation of contexts upon use.
- */
-- if (strcmp(base, RESTORECON) && !quiet)
-+ if (strcmp(base, RESTORECON) && !r_opts.quiet)
- printf("Executed with an unrecognized name (%s), defaulting to %s behavior.\n", base, RESTORECON);
- iamrestorecon = 1;
- recurse = 0;
- expand_realpath = 1;
-- abort_on_error = 0;
-- add_assoc = 0;
-- fts_flags = FTS_PHYSICAL;
-+ r_opts.abort_on_error = 0;
-+ r_opts.add_assoc = 0;
-+ r_opts.fts_flags = FTS_PHYSICAL;
- ctx_validate = 0;
-
- /* restorecon only: silent exit if no SELinux.
-@@ -915,37 +421,37 @@
- input_filename = optarg;
- break;
- case 'd':
-- debug = 1;
-+ r_opts.debug = 1;
+@@ -335,7 +334,7 @@
+ r_opts.debug = 1;
break;
case 'i':
- ignore_enoent = 1;
+- ignore_enoent = 1;
++ r_opts.ignore_enoent = 1;
break;
case 'l':
-- logging = 1;
-+ r_opts.logging = 1;
- break;
- case 'F':
-- force = 1;
-+ r_opts.force = 1;
- break;
- case 'n':
-- change = 0;
-+ r_opts.change = 0;
- break;
- case 'o':
- if (strcmp(optarg, "-") == 0) {
-- outfile = stdout;
-+ r_opts.outfile = stdout;
+ r_opts.logging = 1;
+@@ -371,7 +370,7 @@
break;
}
-
-- outfile = fopen(optarg, "w");
-- if (!outfile) {
-+ r_opts.outfile = fopen(optarg, "w");
-+ if (!r_opts.outfile) {
- fprintf(stderr, "Error opening %s: %s\n",
- optarg, strerror(errno));
-
- usage(argv[0]);
- }
-- __fsetlocking(outfile, FSETLOCKING_BYCALLER);
-+ __fsetlocking(r_opts.outfile, FSETLOCKING_BYCALLER);
- break;
- case 'q':
-- quiet = 1;
-+ r_opts.quiet = 1;
- break;
- case 'R':
- case 'r':
-@@ -958,7 +464,7 @@
- argv[0]);
- exit(1);
- }
-- if (NULL != rootpath) {
-+ if (NULL != r_opts.rootpath) {
- fprintf(stderr,
- "%s: only one -r can be specified\n",
+ if (optind + 1 >= argc) {
+- fprintf(stderr, "usage: %s -r r_opts.rootpath\n",
++ fprintf(stderr, "usage: %s -r rootpath\n",
argv[0]);
-@@ -969,23 +475,23 @@
- case 's':
- use_input_file = 1;
- input_filename = "-";
-- add_assoc = 0;
-+ r_opts.add_assoc = 0;
- break;
- case 'v':
-- if (progress) {
-+ if (r_opts.progress) {
- fprintf(stderr,
- "Progress and Verbose mutually exclusive\n");
exit(1);
}
-- verbose++;
-+ r_opts.verbose++;
- break;
- case 'p':
-- if (verbose) {
-+ if (r_opts.verbose) {
- fprintf(stderr,
- "Progress and Verbose mutually exclusive\n");
- usage(argv[0]);
- }
-- progress = 1;
-+ r_opts.progress = 1;
- break;
- case 'W':
- warn_no_match = 1;
-@@ -1033,18 +539,13 @@
- }
-
- /* Load the file contexts configuration and check it. */
-- opts[0].value = (ctx_validate ? (char*)1 : NULL);
-- opts[1].value = altpath;
--
-- hnd = selabel_open(SELABEL_CTX_FILE, opts, 2);
-- if (!hnd) {
-- perror(altpath);
-- exit(1);
-- }
-+ r_opts.selabel_opt_validate = (ctx_validate ? (char *)1 : NULL);
-+ r_opts.selabel_opt_path = altpath;
-
- if (nerr)
- exit(1);
-
-+ restore_init(&r_opts);
- if (use_input_file) {
- FILE *f = stdin;
- ssize_t len;
-@@ -1061,6 +562,9 @@
- delim = (null_terminated != 0) ? '\0' : '\n';
- while ((len = getdelim(&buf, &buf_len, delim, f)) > 0) {
- buf[len - 1] = 0;
-+ if (!strcmp(buf, "/"))
-+ mass_relabel = 1;
-+
- errors |= process_one_realpath(buf);
- }
- if (strcmp(input_filename, "-") != 0)
-@@ -1070,22 +574,21 @@
- errors |= process_one_realpath(argv[i]);
- }
- }
--
-+
-+ if (mass_relabel)
-+ mass_relabel_errs = errors;
- maybe_audit_mass_relabel();
-
- if (warn_no_match)
-- selabel_stats(hnd);
-+ selabel_stats(r_opts.hnd);
-
-- selabel_close(hnd);
-+ selabel_close(r_opts.hnd);
-+ restore_finish();
-
-- if (outfile)
-- fclose(outfile);
--
-- for (i = 0; i < excludeCtr; i++) {
-- free(excludeArray[i].directory);
-- }
-+ if (r_opts.outfile)
-+ fclose(r_opts.outfile);
-
-- if (progress && count >= STAR_COUNT)
-+ if (r_opts.progress && r_opts.count >= STAR_COUNT)
- printf("\n");
- exit(errors);
- }
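Review bot: the "+@@ -371,7 +370,7 @@" hunk corrects a user-visible string, "usage: %s -r r_opts.rootpath\n" to "usage: %s -r rootpath\n", where the mechanical rootpath to r_opts.rootpath rename of the earlier refactor had leaked into a string literal; grep the rest of the setfiles/restore changes and the man pages in this patch for "r_opts." inside quotes, since the same rename could have hit other messages. The "+@@ -335,7 +334,7 @@" hunk routes -i to r_opts.ignore_enoent, matching the 2.0.78-2 changelog entry; make sure the file-local ignore_enoent variable it replaces is removed as well rather than left as dead state. The large block of "-" lines drops the in-patch setfiles.c refactor now that upstream 2.0.75 carries it in restore.c, which is the right direction, but the diffstat still lists setfiles/restore.o, so the patch was regenerated from an unclean tree.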
policycoreutils-sepolgen.patch:
access.py | 15 ++++++++-----
audit.py | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++------
policygen.py | 28 +++++++++++++++++++++++-
refparser.py | 2 -
refpolicy.py | 9 +++++--
5 files changed, 105 insertions(+), 16 deletions(-)
Index: policycoreutils-sepolgen.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-12/policycoreutils-sepolgen.patch,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -p -r1.28 -r1.29
--- policycoreutils-sepolgen.patch 19 Aug 2009 19:02:29 -0000 1.28
+++ policycoreutils-sepolgen.patch 9 Dec 2009 21:34:46 -0000 1.29
@@ -1,6 +1,62 @@
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.71/sepolgen-1.0.17/src/sepolgen/audit.py
---- nsasepolgen/src/sepolgen/audit.py 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.71/sepolgen-1.0.17/src/sepolgen/audit.py 2009-08-18 15:21:13.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:02:52.000000000 -0500
+@@ -32,6 +32,7 @@
+ """
+
+ import refpolicy
++from selinux import audit2why
+
+ def is_idparam(id):
+ """Determine if an id is a paramater in the form $N, where N is
+@@ -85,6 +86,8 @@
+ self.obj_class = None
+ self.perms = refpolicy.IdSet()
+ self.audit_msgs = []
++ self.type = audit2why.TERULE
++ self.bools = []
+
+ # The direction of the information flow represented by this
+ # access vector - used for matching
+@@ -127,7 +130,7 @@
+ return self.to_string()
+
+ def to_string(self):
+- return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
++ return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
+ self.obj_class, self.perms.to_space_str())
+
+ def __cmp__(self, other):
+@@ -253,20 +256,22 @@
+ for av in l:
+ self.add_av(AccessVector(av))
+
+- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
++ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
+ """Add an access vector to the set.
+ """
+ tgt = self.src.setdefault(src_type, { })
+ cls = tgt.setdefault(tgt_type, { })
+
+- if cls.has_key(obj_class):
+- access = cls[obj_class]
++ if cls.has_key((obj_class, avc_type)):
++ access = cls[obj_class, avc_type]
+ else:
+ access = AccessVector()
+ access.src_type = src_type
+ access.tgt_type = tgt_type
+ access.obj_class = obj_class
+- cls[obj_class] = access
++ access.bools = bools
++ access.type = avc_type
++ cls[obj_class, avc_type] = access
+
+ access.perms.update(perms)
+ if audit_msg:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:02:17.000000000 -0500
@@ -23,6 +23,27 @@
# Convenience functions
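Review bot: AccessVectorSet.add now takes "bools=[]", a mutable default argument that is then stored by reference ("access.bools = bools"), so every AccessVector created without an explicit list shares one object; use bools=None and copy it (access.bools = list(bools or [])). Also, when the (obj_class, avc_type) key already exists, only perms are merged and the incoming bools are discarded, so a later AVC for the same source/target/class that is satisfiable by a different boolean silently loses that information; merge the boolean lists instead. The module-level "from selinux import audit2why" makes sepolgen.access unimportable wherever the libselinux bindings lack audit2why, a stronger dependency than this module had before.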
@@ -47,10 +103,153 @@ diff --exclude-from=exclude -N -u -r nsa
# Classes representing audit messages
class AuditMessage:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.71/sepolgen-1.0.17/src/sepolgen/refparser.py
---- nsasepolgen/src/sepolgen/refparser.py 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.71/sepolgen-1.0.17/src/sepolgen/refparser.py 2009-08-13 17:57:55.000000000 -0400
-@@ -919,7 +919,7 @@
+@@ -106,6 +138,7 @@
+ if fields[0] == "path":
+ self.path = fields[1][1:-1]
+ return
++import selinux.audit2why as audit2why
+
+ class AVCMessage(AuditMessage):
+ """AVC message representing an access denial or granted message.
+@@ -146,6 +179,8 @@
+ self.path = ""
+ self.accesses = []
+ self.denial = True
++ self.type = audit2why.TERULE
++ self.bools = []
+
+ def __parse_access(self, recs, start):
+ # This is kind of sucky - the access that is in a space separated
+@@ -205,7 +240,25 @@
+
+ if not found_src or not found_tgt or not found_class or not found_access:
+ raise ValueError("AVC message in invalid format [%s]\n" % self.message)
+-
++ self.analyze()
++
++ def analyze(self):
++ tcontext = self.tcontext.to_string()
++ scontext = self.scontext.to_string()
++ self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
++ if self.type == audit2why.NOPOLICY:
++ raise ValueError("Must call policy_init first")
++ if self.type == audit2why.BADTCON:
++ raise ValueError("Invalid Target Context %s\n" % tcontext)
++ if self.type == audit2why.BADSCON:
++ raise ValueError("Invalid Source Context %s\n" % scontext)
++ if self.type == audit2why.BADSCON:
++ raise ValueError("Invalid Type Class %s\n" % self.tclass)
++ if self.type == audit2why.BADPERM:
++ raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
++ if self.type == audit2why.BADCOMPUTE:
++ raise ValueError("Error during access vector computation")
++
+ class PolicyLoadMessage(AuditMessage):
+ """Audit message indicating that the policy was reloaded."""
+ def __init__(self, message):
+@@ -285,6 +338,9 @@
+
+ def __initialize(self):
+ self.avc_msgs = []
++ self.constraint_msgs = []
++ self.dontaudit_msgs = []
++ self.rbac_msgs = []
+ self.compute_sid_msgs = []
+ self.invalid_msgs = []
+ self.policy_load_msgs = []
+@@ -314,7 +370,7 @@
+ elif i == "security_compute_sid:":
+ msg = ComputeSidMessage(line)
+ found = True
+- elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
++ elif i == "type=MAC_POLICY_LOAD":
+ msg = PolicyLoadMessage(line)
+ found = True
+ elif i == "type=AVC_PATH":
+@@ -442,16 +498,17 @@
+ audit logs parsed by this object.
+ """
+ av_set = access.AccessVectorSet()
++
+ for avc in self.avc_msgs:
+ if avc.denial != True and only_denials:
+ continue
+ if avc_filter:
+ if avc_filter.filter(avc):
+ av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+- avc.accesses, avc)
++ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+ else:
+ av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+- avc.accesses, avc)
++ avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+ return av_set
+
+ class AVCTypeFilter:
+@@ -477,5 +534,3 @@
+ if self.regex.match(avc.tcontext.type):
+ return True
+ return False
+-
+-
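Review bot: in AVCMessage.analyze() the second "if self.type == audit2why.BADSCON:" test (raising "Invalid Type Class") can never be reached, because the first BADSCON test already raised; this is the same copy-paste error just removed from audit2allow, and the target-class error code (BADTCLASS in libselinux's audit2why) is presumably what was intended, so at present an invalid class is never reported as such. Second, the hunk that replaces 'elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":' with 'elif i == "type=MAC_POLICY_LOAD":' removes the numeric AUDIT_MAC_POLICY_LOAD form that the 2.0.78-1 changelog in this very commit credits upstream with adding, so raw audit records will again not be recognized as policy loads; that looks like a stale base tree rather than an intended change. Smaller points: analyze() runs for every parsed AVC, so parsing now requires audit2why.init() to have been called first and otherwise raises ValueError("Must call policy_init first"), a message naming a function that is actually called audit2why.init(); the "import selinux.audit2why as audit2why" line is inserted between two class definitions instead of in the import block; the audit2why.analyze(...) call ends in a stray semicolon; and constraint_msgs, dontaudit_msgs and rbac_msgs are initialized but nothing in this hunk appends to them.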
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-08 17:03:16.000000000 -0500
+@@ -29,6 +29,8 @@
+ import access
+ import interfaces
+ import matching
++import selinux.audit2why as audit2why
++from setools import *
+
+ # Constants for the level of explanation from the generation
+ # routines
+@@ -74,7 +76,7 @@
+ self.moduel = module
+ else:
+ self.module = refpolicy.Module()
+-
++ self.domains = None
+ def set_gen_refpol(self, if_set=None, perm_maps=None):
+ """Set whether reference policy interfaces are generated.
+
+@@ -144,8 +146,32 @@
+ def __add_allow_rules(self, avs):
+ for av in avs:
+ rule = refpolicy.AVRule(av)
++ rule.comment = ""
+ if self.explain:
+ rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
++ if av.type == audit2why.DONTAUDIT:
++ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
++ if av.type == audit2why.BOOLEAN:
++ if len(av.bools) > 1:
++ rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
++ else:
++ rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
++
++ if av.type == audit2why.CONSTRAINT:
++ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
++ if av.type == audit2why.TERULE:
++ if "open" in av.perms and "write" in av.perms:
++ if not self.domains:
++ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
++ types=[]
++ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
++ if i not in self.domains:
++ types.append(i)
++ if len(types) == 1:
++ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++ elif len(types) >= 1:
++ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++
+ self.module.children.append(rule)
+
+
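Review bot: in __add_allow_rules the boolean list comment uses 'map(lambda x: av.bools[0][0], av.bools)', which ignores its argument and yields the first boolean's name once per entry, so the "one of the these booleans" comment prints the same name N times (and has a typo); it should be lambda x: x[0]. rule.comment is also typed inconsistently: it starts as "" but becomes a refpolicy.Comment object when self.explain is set, after which the 'rule.comment += "#!!!! ..."' lines assume string concatenation; verify that path, or accumulate the extra text as a string and wrap it once at the end. "from setools import *" is a wildcard import that adds a hard dependency on setools (seinfo, sesearch) for every module generation, and sesearch is run against the live policy for each open+write AV; at minimum import the two names explicitly. Drive-by on the context line above: "self.moduel = module" is a typo, so a caller-supplied module is stored under the wrong attribute and self.module is never set in that branch.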
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
+--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:01:22.000000000 -0500
+@@ -973,7 +973,7 @@
def list_headers(root):
modules = []
support_macros = None
@@ -59,3 +258,35 @@ diff --exclude-from=exclude -N -u -r nsa
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
+--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:02:00.000000000 -0500
+@@ -398,6 +398,7 @@
+ return "attribute %s;" % self.name
+
+ # Classes representing rules
++import selinux.audit2why as audit2why
+
+ class AVRule(Leaf):
+ """SELinux access vector (AV) rule.
+@@ -426,15 +427,17 @@
+ self.tgt_types = IdSet()
+ self.obj_classes = IdSet()
+ self.perms = IdSet()
+- self.rule_type = self.ALLOW
++ self.rule_type = audit2why.TERULE
+ if av:
+ self.from_av(av)
+
+ def __rule_type_str(self):
+- if self.rule_type == self.ALLOW:
++ if self.rule_type == audit2why.TERULE:
+ return "allow"
+- elif self.rule_type == self.DONTAUDIT:
++ elif self.rule_type == audit2why.DONTAUDIT:
+ return "dontaudit"
++ elif self.rule_type == audit2why.CONSTRAINT:
++ return "#constraint allow"
+ else:
+ return "auditallow"
+
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-12/policycoreutils.spec,v
retrieving revision 1.657
retrieving revision 1.658
diff -u -p -r1.657 -r1.658
--- policycoreutils.spec 16 Nov 2009 21:55:54 -0000 1.657
+++ policycoreutils.spec 9 Dec 2009 21:34:46 -0000 1.658
@@ -2,11 +2,11 @@
%define libsepolver 2.0.19-1
%define libsemanagever 2.0.36-2
%define libselinuxver 2.0.46-5
-%define sepolgenver 1.0.17
+%define sepolgenver 1.0.19
Summary: SELinux policy core utilities
Name: policycoreutils
-Version: 2.0.74
-Release: 18%{?dist}
+Version: 2.0.78
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -296,15 +296,44 @@ fi
exit 0
%changelog
-* Mon Nov 16 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-18
+* Tue Dec 8 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-3
+- Fix audit2allow to report constraints, dontaudits, types, booleans
+
+* Fri Dec 4 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-2
+- Fix restorecon -i to ignore enoent
+
+* Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-1
+- Update to upstream
+ * Remove non-working OUTFILE from fixfiles from Dan Walsh.
+ * Additional exception handling in chcat from Dan Walsh.
+
+ * fix sepolgen to read a "type 1403" msg as a policy load by Stephen
+ Smalley <sds at tycho.nsa.gov>
+ * Add support for Xen ocontexts from Paul Nuzzi.
+
+* Tue Nov 24 2009 Dan Walsh <dwalsh at redhat.com> 2.0.77-1
+- Update to upstream
+ * Fixed bug preventing semanage node -a from working
+ from Chad Sellers
+ * Fixed bug preventing semanage fcontext -l from working
+ from Chad Sellers
+- Change semanage to use unicode
+
+* Wed Nov 18 2009 Dan Walsh <dwalsh at redhat.com> 2.0.76-1
+- Update to upstream
+ * Remove setrans management from semanage, as it does not work
+ from Dan Walsh.
+ * Move load_policy from /usr/sbin to /sbin from Dan Walsh.
+
+* Mon Nov 16 2009 Dan Walsh <dwalsh at redhat.com> 2.0.75-3
- Raise exception if user tries to add file context with an embedded space
-* Wed Nov 11 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-17
+* Wed Nov 11 2009 Dan Walsh <dwalsh at redhat.com> 2.0.75-2
- Fix sandbox to setsid so it can run under mozilla without crashing the session
-* Mon Nov 9 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-16
-- Fix sandbox to use chcon
-- Fix semanage to report duplicate ports
+* Tue Nov 2 2009 Dan Walsh <dwalsh at redhat.com> 2.0.75-1
+- Update to upstream
+ * Factor out restoring logic from setfiles.c into restore.c
* Fri Oct 30 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-15
- Fix typo in seobject.py
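Review bot: the 2.0.78-1 entry credits upstream with fixing sepolgen "to read a "type 1403" msg as a policy load", yet the policycoreutils-sepolgen.patch updated in this same commit removes exactly that 'or i == "type=1403"' clause from audit.py, so the changelog describes behaviour the built package will not have; re-base the sepolgen patch on the 1.0.19 tree or amend the entry. For the 2.0.78-3 entry, "Fix audit2allow to report constraints, dontaudits, types, booleans" now pulls in libselinux's audit2why bindings at import time and setools in policygen; neither Requires nor libselinuxver is touched in this diff, so check that the minimum libselinux on the context line (2.0.46-5) actually ships the audit2why constants used (ALLOW, DONTAUDIT, TERULE, BOOLEAN, CONSTRAINT, RBAC) and that setools is required for the python subpackage.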
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-12/sources,v
retrieving revision 1.212
retrieving revision 1.213
diff -u -p -r1.212 -r1.213
--- sources 17 Sep 2009 13:07:47 -0000 1.212
+++ sources 9 Dec 2009 21:34:46 -0000 1.213
@@ -1,3 +1,3 @@
-480cc64a050735fa1163a87dc89c4f49 sepolgen-1.0.17.tgz
-60aa41df668a557892296ff02c7411aa policycoreutils-2.0.74.tgz
+96b2e73550b7e36daee0f5d347c8a95b policycoreutils-2.0.78.tgz
+2ae1a9f7242e33413aae036d2edeb1d8 sepolgen-1.0.19.tgz
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
More information about the fedora-extras-commits mailing list