diff --git policycoreutils-2.6/gui/polgengui.py policycoreutils-2.6/gui/polgengui.py
index 1d262a9..064001b 100644
--- policycoreutils-2.6/gui/polgengui.py
+++ policycoreutils-2.6/gui/polgengui.py
@@ -34,7 +34,9 @@ except ValueError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
+import sepolicy.generate
import sepolicy.interface
+
try:
from subprocess import getstatusoutput
except ImportError:
@@ -679,7 +681,7 @@ class childWindow:
entry.set_text("")
return False
if name in self.all_modules:
- if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
+ if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
entry.set_text("")
return False
@@ -696,16 +698,16 @@ class childWindow:
def on_in_net_page_next(self, *args):
try:
- generate.verify_ports(self.in_tcp_entry.get_text())
- generate.verify_ports(self.in_udp_entry.get_text())
+ sepolicy.generate.verify_ports(self.in_tcp_entry.get_text())
+ sepolicy.generate.verify_ports(self.in_udp_entry.get_text())
except ValueError as e:
self.error(e.message)
return True
def on_out_net_page_next(self, *args):
try:
- generate.verify_ports(self.out_tcp_entry.get_text())
- generate.verify_ports(self.out_udp_entry.get_text())
+ sepolicy.generate.verify_ports(self.out_tcp_entry.get_text())
+ sepolicy.generate.verify_ports(self.out_udp_entry.get_text())
except ValueError as e:
self.error(e.message)
return True
diff --git policycoreutils-2.6/hll/pp/pp.c policycoreutils-2.6/hll/pp/pp.c
index 2c9f53f..7f9afb0 100644
--- policycoreutils-2.6/hll/pp/pp.c
+++ policycoreutils-2.6/hll/pp/pp.c
@@ -141,7 +141,7 @@ int main(int argc, char **argv)
if (separator) {
*separator = '\0';
}
- if (strcmp(mod_name, cil_name) != 0) {
+ if (mod_name && strcmp(mod_name, cil_name) != 0) {
fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, mod_name, cil_name);
}
free(cil_path);
diff --git policycoreutils-2.6/sandbox/sandboxX.sh policycoreutils-2.6/sandbox/sandboxX.sh
index eaa500d..4774528 100644
--- policycoreutils-2.6/sandbox/sandboxX.sh
+++ policycoreutils-2.6/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
diff --git policycoreutils-2.6/scripts/fixfiles policycoreutils-2.6/scripts/fixfiles
index fa43a53..301fc34 100755
--- policycoreutils-2.6/scripts/fixfiles
+++ policycoreutils-2.6/scripts/fixfiles
@@ -116,14 +116,11 @@ exclude_dirs() {
fullFlag=0
BOOTTIME=""
VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
FORCEFLAG=""
DIRS=""
RPMILES=""
-LOGFILE=`tty`
-if [ $? != 0 ]; then
- LOGFILE="/dev/null"
-fi
-LOGGER=/usr/sbin/logger
+LOGFILE=/proc/self/fd/1
SETFILES=/sbin/setfiles
RESTORECON=/sbin/restorecon
FILESYSTEMSRW=`get_rw_labeled_mounts`
@@ -137,12 +134,15 @@ else
FC=/etc/security/selinux/file_contexts
fi
+FC_SUB_DIST=${FC}.subs_dist
+FC_SUB=${FC}.subs
+FC_HOMEDIRS=${FC}.homedirs
#
-# Log to either syslog or a LOGFILE
+# Write to LOGFILE
#
logit () {
if [ -n $LOGFILE ]; then
- echo $1 >> $LOGFILE
+ echo $1 >> "$LOGFILE"
fi
}
#
@@ -244,6 +244,10 @@ then
logit "skipping the directory ${p}"
done
FC=$TEMPFCFILE
+/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+/bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit
+/bin/cp -p ${FC_HOMEDIRS} ${TEMPFCFILE}.homedirs &>/dev/null || exit
+
fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
@@ -265,7 +269,7 @@ if [ ${OPTION} != "Relabel" ]; then
return
fi
echo "Cleaning up labels on /tmp"
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs ${TEMPFCFILE}.homedirs
UNDEFINED=`get_undefined_type` || exit $?
UNLABELED=`get_unlabeled_type` || exit $?
@@ -314,7 +318,7 @@ process() {
case "$1" in
restore) restore Relabel;;
check) VERBOSE="-v"; restore Check -n;;
- verify) restore Verify -n -o -;;
+ verify) restore Verify -n;;
relabel) relabel;;
onboot)
> /.autorelabel
diff --git policycoreutils-2.6/semanage/semanage.8 policycoreutils-2.6/semanage/semanage.8
index ac39862..75b782f 100644
--- policycoreutils-2.6/semanage/semanage.8
+++ policycoreutils-2.6/semanage/semanage.8
@@ -51,8 +51,7 @@ to SELinux user identities (which controls the initial security context
assigned to Linux users when they login and bounds their authorized role set)
as well as security context mappings for various kinds of objects, such
as network ports, interfaces, and nodes (hosts) as well as the file
-context mapping. See the EXAMPLES section below for some examples
-of common usage. Note that the semanage login command deals with the
+context mapping. Note that the semanage login command deals with the
mapping from Linux usernames (logins) to SELinux user identities,
while the semanage user command deals with the mapping from SELinux
user identities to authorized role sets. In most cases, only the
diff --git policycoreutils-2.6/semanage/seobject.py policycoreutils-2.6/semanage/seobject.py
index bb049c0..c836cc5 100644
--- policycoreutils-2.6/semanage/seobject.py
+++ policycoreutils-2.6/semanage/seobject.py
@@ -386,7 +386,7 @@ class moduleRecords(semanageRecords):
def add(self, file, priority):
if not os.path.exists(file):
- raise ValueError(_("Module does not exists %s ") % file)
+ raise ValueError(_("Module does not exist: %s ") % file)
rc = semanage_set_default_priority(self.sh, priority)
if rc < 0:
@@ -492,7 +492,7 @@ class permissiveRecords(semanageRecords):
try:
import sepolgen.module as module
except ImportError:
- raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro."))
+ raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel package.\n# yum install policycoreutils-devel\nOr similar for your distro."))
name = "permissive_%s" % type
modtxt = "(typepermissive %s)" % type
@@ -1823,7 +1823,7 @@ class fcontextRecords(semanageRecords):
def modify_equal(self, target, substitute):
self.begin()
if target not in self.equiv.keys():
- raise ValueError(_("Equivalence class for %s does not exists") % target)
+ raise ValueError(_("Equivalence class for %s does not exist") % target)
self.equiv[target] = substitute
self.equal_ind = True
@@ -1953,10 +1953,12 @@ class fcontextRecords(semanageRecords):
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
- if rc < 0:
- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
- if rc < 0:
+ try:
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+ except OSError:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
raise ValueError(_("Could not query file context for %s") % target)
if setype != "<<none>>":
diff --git policycoreutils-2.6/semodule_package/semodule_package.c policycoreutils-2.6/semodule_package/semodule_package.c
index d2a5fd0..e472054 100644
--- policycoreutils-2.6/semodule_package/semodule_package.c
+++ policycoreutils-2.6/semodule_package/semodule_package.c
@@ -72,6 +72,10 @@ static int file_to_data(const char *path, char **data, size_t * len)
path, strerror(errno));
goto err;
}
+ if (!sb.st_size) {
+ *len = 0;
+ return 0;
+ }
*data = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
if (*data == MAP_FAILED) {
diff --git policycoreutils-2.6/sepolicy/org.selinux.conf policycoreutils-2.6/sepolicy/org.selinux.conf
index a350978..1ae079d 100644
--- policycoreutils-2.6/sepolicy/org.selinux.conf
+++ policycoreutils-2.6/sepolicy/org.selinux.conf
@@ -12,12 +12,8 @@
<!-- Allow anyone to invoke methods on the interfaces,
authorization is performed by PolicyKit -->
- <policy at_console="true">
- <allow send_destination="org.selinux"/>
- </policy>
<policy context="default">
- <allow send_destination="org.selinux"
- send_interface="org.freedesktop.DBus.Introspectable"/>
+ <allow send_destination="org.selinux"/>
</policy>
</busconfig>
diff --git policycoreutils-2.6/sepolicy/org.selinux.policy policycoreutils-2.6/sepolicy/org.selinux.policy
index 0126610..9772127 100644
--- policycoreutils-2.6/sepolicy/org.selinux.policy
+++ policycoreutils-2.6/sepolicy/org.selinux.policy
@@ -70,9 +70,9 @@
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
- <action id="org.selinux.change_policy_type">
- <description>SELinux write access</description>
- <message>System policy prevents change_policy_type access to SELinux</message>
+ <action id="org.selinux.change_default_mode">
+ <description>Change SELinux default enforcing mode</description>
+ <message>System policy prevents change_default_policy access to SELinux</message>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
diff --git policycoreutils-2.6/sepolicy/selinux_client.py policycoreutils-2.6/sepolicy/selinux_client.py
index 7f4a91c..dc29f28 100644
--- policycoreutils-2.6/sepolicy/selinux_client.py
+++ policycoreutils-2.6/sepolicy/selinux_client.py
@@ -39,6 +39,6 @@ if __name__ == "__main__":
try:
dbus_proxy = SELinuxDBus()
resp = dbus_proxy.customized()
- print convert_customization(resp)
- except dbus.DBusException, e:
- print e
+ print(convert_customization(resp))
+ except dbus.DBusException as e:
+ print(e)
diff --git policycoreutils-2.6/sepolicy/selinux_server.py policycoreutils-2.6/sepolicy/selinux_server.py
index cdf4d16..84720f9 100644
--- policycoreutils-2.6/sepolicy/selinux_server.py
+++ policycoreutils-2.6/sepolicy/selinux_server.py
@@ -46,13 +46,13 @@ class selinux_server(slip.dbus.service.Object):
return buf
#
- # The semodule_list method will return the output of semodule -l, using the customized polkit,
+ # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
# since this is a readonly behaviour
#
@slip.dbus.polkit.require_auth("org.selinux.semodule_list")
@dbus.service.method("org.selinux", in_signature='', out_signature='s')
def semodule_list(self):
- p = Popen(["/usr/sbin/semodule", "-l"], stdout=PIPE, stderr=PIPE)
+ p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE)
buf = p.stdout.read()
output = p.communicate()
if p.returncode and p.returncode != 0:
diff --git policycoreutils-2.6/sepolicy/sepolicy-generate.8 policycoreutils-2.6/sepolicy/sepolicy-generate.8
index 2e67456..0c5f998 100644
--- policycoreutils-2.6/sepolicy/sepolicy-generate.8
+++ policycoreutils-2.6/sepolicy/sepolicy-generate.8
@@ -13,7 +13,7 @@ Common options
Confined Applications
.br
-.B sepolicy generate \-\-application [\-n NAME] command [\-w WRITE_PATH ]
+.B sepolicy generate \-\-application [\-n NAME] [\-u USER ]command [\-w WRITE_PATH ]
.br
.B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
.br
diff --git policycoreutils-2.6/sepolicy/sepolicy.py policycoreutils-2.6/sepolicy/sepolicy.py
index 3e502a7..5bf9b52 100755
--- policycoreutils-2.6/sepolicy/sepolicy.py
+++ policycoreutils-2.6/sepolicy/sepolicy.py
@@ -262,7 +262,7 @@ def _print_net(src, protocol, perm):
if len(portdict) > 0:
bold_start = "\033[1m"
bold_end = "\033[0;0m"
- print "\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end
+ print("\n" + bold_start + "%s: %s %s" % (src, protocol, perm) + bold_end)
port_strings = []
boolean_text = ""
for p in portdict:
@@ -275,7 +275,7 @@ def _print_net(src, protocol, perm):
port_strings.append("%s (%s)" % (", ".join(recs), t))
port_strings.sort(numcmp)
for p in port_strings:
- print "\t" + p
+ print("\t" + p)
def network(args):
@@ -286,7 +286,7 @@ def network(args):
if i[0] not in all_ports:
all_ports.append(i[0])
all_ports.sort()
- print "\n".join(all_ports)
+ print("\n".join(all_ports))
for port in args.port:
found = False
@@ -297,18 +297,18 @@ def network(args):
else:
range = "%s-%s" % (i[0], i[1])
found = True
- print "%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range)
+ print("%d: %s %s %s" % (port, i[2], portrecsbynum[i][0], range))
if not found:
if port < 500:
- print "Undefined reserved port type"
+ print("Undefined reserved port type")
else:
- print "Undefined port type"
+ print("Undefined port type")
for t in args.type:
if (t, 'tcp') in portrecs.keys():
- print "%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp']))
+ print("%s: tcp: %s" % (t, ",".join(portrecs[t, 'tcp'])))
if (t, 'udp') in portrecs.keys():
- print "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp']))
+ print( "%s: udp: %s" % (t, ",".join(portrecs[t, 'udp'])))
for a in args.applications:
d = sepolicy.get_init_transtype(a)
@@ -357,7 +357,7 @@ def manpage(args):
for domain in test_domains:
m = ManPage(domain, path, args.root, args.source_files, args.web)
- print m.get_man_page_path()
+ print(m.get_man_page_path())
if args.web:
HTMLManPages(manpage_roles, manpage_domains, path, args.os)
@@ -418,7 +418,7 @@ def communicate(args):
out = list(set(writable) & set(readable))
for t in out:
- print t
+ print(t)
def gen_communicate_args(parser):
@@ -445,7 +445,7 @@ def booleans(args):
args.booleans.sort()
for b in args.booleans:
- print "%s=_(\"%s\")" % (b, boolean_desc(b))
+ print("%s=_(\"%s\")" % (b, boolean_desc(b)))
def gen_booleans_args(parser):
@@ -484,16 +484,16 @@ def print_interfaces(interfaces, args, append=""):
for i in interfaces:
if args.verbose:
try:
- print get_interface_format_text(i + append)
+ print(get_interface_format_text(i + append))
except KeyError:
- print i
+ print(i)
if args.compile:
try:
interface_compile_test(i)
except KeyError:
- print i
+ print(i)
else:
- print i
+ print(i)
def interface(args):
@@ -565,7 +565,7 @@ def generate(args):
if args.policytype in APPLICATIONS:
mypolicy.gen_writeable()
mypolicy.gen_symbols()
- print mypolicy.generate(args.path)
+ print(mypolicy.generate(args.path))
def gen_interface_args(parser):
@@ -698,12 +698,12 @@ if __name__ == '__main__':
args = parser.parse_args(args=parser_args)
args.func(args)
sys.exit(0)
- except ValueError, e:
+ except ValueError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
- except IOError, e:
+ except IOError as e:
sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
sys.exit(1)
except KeyboardInterrupt:
- print "Out"
+ print("Out")
sys.exit(0)
diff --git policycoreutils-2.6/sepolicy/sepolicy/__init__.py policycoreutils-2.6/sepolicy/sepolicy/__init__.py
index 8fbd5b4..254fc67 100644
--- policycoreutils-2.6/sepolicy/sepolicy/__init__.py
+++ policycoreutils-2.6/sepolicy/sepolicy/__init__.py
@@ -171,6 +171,7 @@ def info(setype, name=None):
'aliases': map(str, x.aliases()),
'name': str(x),
'permissive': bool(x.ispermissive),
+ 'attributes': map(str, x.attributes())
} for x in q.results())
elif setype == ROLE:
@@ -383,7 +384,12 @@ def get_conditionals(src, dest, tclass, perm):
def get_conditionals_format_text(cond):
- enabled = len(filter(lambda x: x['boolean'][0][1], cond)) > 0
+
+ enabled = False
+ for x in cond:
+ if x['boolean'][0][1]:
+ enabled = True
+ break
return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond))))
@@ -465,7 +471,7 @@ def find_file(reg):
try:
pat = re.compile(r"%s$" % reg)
- return filter(pat.match, map(lambda x: path + x, os.listdir(path)))
+ return [x for x in map(lambda x: path + x, os.listdir(path)) if pat.match(x)]
except:
return []
@@ -589,7 +595,7 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
def get_transitions_into(setype):
try:
- return filter(lambda x: x["transtype"] == setype, search([TRANSITION], {'class': 'process'}))
+ return [x for x in search([TRANSITION], {'class': 'process'}) if x["transtype"] == setype]
except (TypeError, AttributeError):
pass
return None
@@ -605,7 +611,7 @@ def get_transitions(setype):
def get_file_transitions(setype):
try:
- return filter(lambda x: x['class'] != "process", search([TRANSITION], {'source': setype}))
+ return [x for x in search([TRANSITION], {'source': setype}) if x['class'] != "process"]
except (TypeError, AttributeError):
pass
return None
@@ -663,6 +669,23 @@ def get_init_entrypoint(transtype):
return entrypoints
+def get_init_entrypoints_str():
+ q = setools.TERuleQuery(_pol,
+ ruletype=["type_transition"],
+ source="init_t",
+ tclass=["process"])
+ entrypoints = {}
+ for i in q.results():
+ try:
+ transtype = str(i.default)
+ if transtype in entrypoints:
+ entrypoints[transtype].append(str(i.target))
+ else:
+ entrypoints[transtype] = [str(i.target)]
+ except AttributeError:
+ continue
+
+ return entrypoints
def get_init_entrypoint_target(entrypoint):
try:
@@ -695,7 +718,7 @@ def get_methods():
# List of per_role_template interfaces
ifs = interfaces.InterfaceSet()
ifs.from_file(fd)
- methods = ifs.interfaces.keys()
+ methods = list(ifs.interfaces.keys())
fd.close()
except:
sys.stderr.write("could not open interface info [%s]\n" % fn)
@@ -725,7 +748,7 @@ def get_all_role_allows():
return role_allows
role_allows = {}
- q = setools.RBACRuleQuery(_pol, ruletype='allow')
+ q = setools.RBACRuleQuery(_pol, ruletype=[ALLOW])
for r in q.results():
src = str(r.source)
tgt = str(r.target)
@@ -752,7 +775,10 @@ def get_all_entrypoint_domains():
def gen_interfaces():
- import commands
+ try:
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
ifile = defaults.interface_info()
headers = defaults.headers()
try:
@@ -763,7 +789,7 @@ def gen_interfaces():
if os.getuid() != 0:
raise ValueError(_("You must regenerate interface info by running /usr/bin/sepolgen-ifgen"))
- print(commands.getstatusoutput("/usr/bin/sepolgen-ifgen")[1])
+ print(getstatusoutput("/usr/bin/sepolgen-ifgen")[1])
def gen_port_dict():
@@ -1082,24 +1108,14 @@ def boolean_desc(boolean):
def get_os_version():
- os_version = ""
- pkg_name = "selinux-policy"
+ system_release = ""
try:
- import commands
- rc, output = commands.getstatusoutput("rpm -q '%s'" % pkg_name)
- if rc == 0:
- os_version = output.split(".")[-2]
- except:
- os_version = ""
-
- if os_version[0:2] == "fc":
- os_version = "Fedora" + os_version[2:]
- elif os_version[0:2] == "el":
- os_version = "RHEL" + os_version[2:]
- else:
- os_version = ""
+ with open('/etc/system-release') as f:
+ system_release = f.readline().rstrip()
+ except IOError:
+ system_release = "Misc"
- return os_version
+ return system_release
def reinit():
diff --git policycoreutils-2.6/sepolicy/sepolicy/communicate.py policycoreutils-2.6/sepolicy/sepolicy/communicate.py
index b96c4b9..299316e 100755
--- policycoreutils-2.6/sepolicy/sepolicy/communicate.py
+++ policycoreutils-2.6/sepolicy/sepolicy/communicate.py
@@ -34,8 +34,8 @@ def usage(parser, msg):
def expand_attribute(attribute):
try:
- return sepolicy.info(sepolicy.ATTRIBUTE, attribute)[0]["types"]
- except RuntimeError:
+ return list(next(sepolicy.info(sepolicy.ATTRIBUTE, attribute))["types"])
+ except StopIteration:
return [attribute]
diff --git policycoreutils-2.6/sepolicy/sepolicy/generate.py policycoreutils-2.6/sepolicy/sepolicy/generate.py
index 65b33b6..ad59350 100644
--- policycoreutils-2.6/sepolicy/sepolicy/generate.py
+++ policycoreutils-2.6/sepolicy/sepolicy/generate.py
@@ -31,21 +31,21 @@ import time
import types
import platform
-from templates import executable
-from templates import boolean
-from templates import etc_rw
-from templates import unit_file
-from templates import var_cache
-from templates import var_spool
-from templates import var_lib
-from templates import var_log
-from templates import var_run
-from templates import tmp
-from templates import rw
-from templates import network
-from templates import script
-from templates import spec
-from templates import user
+from .templates import executable
+from .templates import boolean
+from .templates import etc_rw
+from .templates import unit_file
+from .templates import var_cache
+from .templates import var_spool
+from .templates import var_lib
+from .templates import var_log
+from .templates import var_run
+from .templates import tmp
+from .templates import rw
+from .templates import network
+from .templates import script
+from .templates import spec
+from .templates import user
import sepolgen.interfaces as interfaces
import sepolgen.defaults as defaults
@@ -92,7 +92,7 @@ def get_rpm_nvr_list(package):
nvr = get_rpm_nvr_from_header(h)
break
except:
- print("Failed to retrieve rpm info for %s") % package
+ print(("Failed to retrieve rpm info for %s") % package)
nvr = None
return nvr
diff --git policycoreutils-2.6/sepolicy/sepolicy/gui.py policycoreutils-2.6/sepolicy/sepolicy/gui.py
index 7f1888c..bc6c2b1 100644
--- policycoreutils-2.6/sepolicy/sepolicy/gui.py
+++ policycoreutils-2.6/sepolicy/sepolicy/gui.py
@@ -67,8 +67,14 @@ enabled = [_("No"), _("Yes")]
action = [_("Disable"), _("Enable")]
-def compare(a, b):
- return cmp(a.lower(), b.lower())
+def cmp(a, b):
+ if a is None and b is None:
+ return 0
+ if a is None:
+ return -1
+ if b is None:
+ return 1
+ return (a > b) - (a < b)
import distutils.sysconfig
ADVANCED_LABEL = (_("Advanced >>"), _("Advanced <<"))
@@ -110,6 +116,7 @@ class SELinuxGui():
def __init__(self, app=None, test=False):
self.finish_init = False
+ self.advanced_init = True
self.opage = START_PAGE
self.dbus = SELinuxDBus()
try:
@@ -118,17 +125,11 @@ class SELinuxGui():
print(e)
self.quit()
- sepolicy_domains = sepolicy.get_all_domains()
- sepolicy_domains.sort(compare)
- if app and app not in sepolicy_domains:
- self.error(_("%s is not a valid domain" % app))
- self.quit()
-
self.init_cur()
self.application = app
self.filter_txt = ""
builder = Gtk.Builder() # BUILDER OBJ
- self.code_path = distutils.sysconfig.get_python_lib(plat_specific=True) + "/sepolicy/"
+ self.code_path = distutils.sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
glade_file = self.code_path + "sepolicy.glade"
builder.add_from_file(glade_file)
self.outer_notebook = builder.get_object("outer_notebook")
@@ -147,7 +148,7 @@ class SELinuxGui():
self.files_add = False
self.network_add = False
- self.all_list = []
+ self.all_domains = []
self.installed_list = []
self.previously_modified = {}
@@ -159,10 +160,10 @@ class SELinuxGui():
self.invalid_entry = False
# Advanced search window ****************************
self.advanced_search_window = builder.get_object("advanced_search_window")
- self.advanced_search_liststore = builder.get_object("Advanced_search_liststore")
- self.advanced_search_liststore.set_sort_column_id(0, Gtk.SortType.ASCENDING)
self.advanced_search_filter = builder.get_object("advanced_filter")
self.advanced_search_filter.set_visible_func(self.filter_the_data)
+ self.advanced_search_sort = builder.get_object("advanced_sort")
+
self.advanced_filter_entry = builder.get_object("advanced_filter_entry")
self.advanced_search_treeview = builder.get_object("advanced_search_treeview")
self.advanced_search = False
@@ -431,12 +432,10 @@ class SELinuxGui():
# Combobox and Entry items **************************
self.combobox_menu = builder.get_object("combobox_org") # This is the combobox box object, aka the arrow next to the entry text bar
- self.combobox_menu_model = builder.get_object("application_liststore")
+ self.application_liststore = builder.get_object("application_liststore")
self.completion_entry = builder.get_object("completion_entry") # self.combobox_menu.get_child()
- self.completion_entry_model = builder.get_object("application_liststore")
self.entrycompletion_obj = builder.get_object("entrycompletion_obj")
#self.entrycompletion_obj = Gtk.EntryCompletion()
- self.entrycompletion_obj.set_model(self.completion_entry_model)
self.entrycompletion_obj.set_minimum_key_length(0)
self.entrycompletion_obj.set_text_column(0)
self.entrycompletion_obj.set_match_func(self.match_func, None)
@@ -491,37 +490,41 @@ class SELinuxGui():
self.loading = 1
path = None
if test:
- domains = ["httpd_t", "abrt_t"]
- if app and app not in domains:
- domains.append(app)
+ self.all_domains = ["httpd_t", "abrt_t"]
+ if app and app not in self.all_domains:
+ self.all_domains.append(app)
else:
- domains = sepolicy_domains
- loading_gui.show()
- length = len(domains)
- for domain in domains:
+ self.all_domains = sepolicy.get_all_domains()
+ self.all_domains.sort(key=str.lower)
+
+ if app and app not in self.all_domains:
+ self.error(_("%s is not a valid domain" % app))
+ self.quit()
+
+ loading_gui.show()
+ length = len(self.all_domains)
+
+ entrypoint_dict = sepolicy.get_init_entrypoints_str()
+ for domain in self.all_domains:
# After the user selects a path in the drop down menu call
# get_init_entrypoint_target(entrypoint) to get the transtype
# which will give you the application
- self.combo_box_initialize(domain, None)
- self.advanced_search_initialize(domain)
- self.all_list.append(domain)
+ self.combo_box_add(domain, domain)
self.percentage = float(float(self.loading) / float(length))
self.progress_bar.set_fraction(self.percentage)
self.progress_bar.set_pulse_step(self.percentage)
self.idle_func()
- entrypoint = sepolicy.get_init_entrypoint(domain)
- if entrypoint:
+ for entrypoint in entrypoint_dict.get(domain, []):
path = sepolicy.find_entrypoint_path(entrypoint)
if path:
- self.combo_box_initialize(path, None)
- # Adds all files entrypoint paths that exists on disc
- # into the combobox
- self.advanced_search_initialize(path)
+ self.combo_box_add(path, domain)
self.installed_list.append(path)
self.loading += 1
loading_gui.hide()
+ self.entrycompletion_obj.set_model(self.application_liststore)
+ self.advanced_search_treeview.set_model(self.advanced_search_sort)
dic = {
"on_combo_button_clicked": self.open_combo_menu,
@@ -553,7 +556,7 @@ class SELinuxGui():
"on_file_equiv_button_clicked": self.show_file_equiv_page,
"on_app/system_button_clicked": self.system_interface,
"on_app/users_button_clicked": self.users_interface,
- "on_main_advanced_label_button_press_event": self.advanced_label_main,
+ "on_show_advanced_search_window": self.on_show_advanced_search_window,
"on_Show_mislabeled_files_toggled": self.show_mislabeled_files,
"on_Browse_button_files_clicked": self.browse_for_files,
@@ -569,8 +572,6 @@ class SELinuxGui():
"on_advanced_filter_entry_changed": self.get_advanced_filter_data,
"on_advanced_search_treeview_row_activated": self.advanced_item_selected,
"on_Select_advanced_search_clicked": self.advanced_item_button_push,
- "on_All_advanced_button_toggled": self.advanced_radio_select,
- "on_Installed_advanced_button_toggled": self.advanced_radio_select,
"on_info_button_button_press_event": self.on_help_button,
"on_back_button_clicked": self.on_help_back_clicked,
"on_forward_button_clicked": self.on_help_forward_clicked,
@@ -676,9 +677,9 @@ class SELinuxGui():
self.module_dict = {}
for m in self.dbus.semodule_list().split("\n"):
mod = m.split()
- if len(mod) < 2:
+ if len(mod) < 3:
continue
- self.module_dict[mod[0]] = {"version": mod[1], "Disabled": (len(mod) > 2)}
+ self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) }
self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"])
@@ -711,7 +712,7 @@ class SELinuxGui():
def match_func(self, completion, key_string, iter, func_data):
try:
- if self.combobox_menu_model.get_value(iter, 0).find(key_string) != -1:
+ if self.application_liststore.get_value(iter, 0).find(key_string) != -1:
return True
return False
except AttributeError:
@@ -834,8 +835,7 @@ class SELinuxGui():
self.enforce_button = self.disabled_button_default
def populate_system_policy(self):
- selinux_path = selinux.selinux_path()
- types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0]
+ types = next(os.walk(selinux.selinux_path(), topdown=True))[1]
types.sort()
ctr = 0
for item in types:
@@ -922,11 +922,11 @@ class SELinuxGui():
self.ready_mouse()
def network_initialize(self, app):
- netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect")
+ netd = sepolicy.network.get_network_connect(app, "tcp", "name_connect", check_bools=True)
self.net_update(app, netd, "tcp", OUTBOUND_PAGE, self.network_out_liststore)
- netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind")
+ netd = sepolicy.network.get_network_connect(app, "tcp", "name_bind", check_bools=True)
self.net_update(app, netd, "tcp", INBOUND_PAGE, self.network_in_liststore)
- netd = sepolicy.network.get_network_connect(app, "udp", "name_bind")
+ netd = sepolicy.network.get_network_connect(app, "udp", "name_bind", check_bools=True)
self.net_update(app, netd, "udp", INBOUND_PAGE, self.network_in_liststore)
def network_initial_data_insert(self, model, ports, portType, protocol):
@@ -962,12 +962,12 @@ class SELinuxGui():
iter = liststore.get_iter(index)
return liststore.get_value(iter, 0)
- def combo_box_initialize(self, val, desc):
+ def combo_box_add(self, val, val1):
if val is None:
return
- iter = self.combobox_menu_model.append()
- for f in val:
- self.combobox_menu_model.set_value(iter, 0, val)
+ iter = self.application_liststore.append()
+ self.application_liststore.set_value(iter, 0, val)
+ self.application_liststore.set_value(iter, 1, val1)
def select_type_more(self, *args):
app = self.moreTypes_treeview.get_selection()
@@ -983,19 +983,18 @@ class SELinuxGui():
model, iter = row.get_selected()
iter = model.convert_iter_to_child_iter(iter)
iter = self.advanced_search_filter.convert_iter_to_child_iter(iter)
- app = self.advanced_search_liststore.get_value(iter, 1)
+ app = self.application_liststore.get_value(iter, 1)
if app is None:
return
self.advanced_filter_entry.set_text('')
self.advanced_search_window.hide()
self.reveal_advanced(self.main_advanced_label)
self.completion_entry.set_text(app)
- self.application_selected()
def advanced_item_selected(self, treeview, path, *args):
iter = self.advanced_search_filter.get_iter(path)
iter = self.advanced_search_filter.convert_iter_to_child_iter(iter)
- app = self.advanced_search_liststore.get_value(iter, 1)
+ app = self.application_liststore.get_value(iter, 1)
self.advanced_filter_entry.set_text('')
self.advanced_search_window.hide()
self.reveal_advanced(self.main_advanced_label)
@@ -1004,7 +1003,7 @@ class SELinuxGui():
def find_application(self, app):
if app and len(app) > 0:
- for items in self.combobox_menu_model:
+ for items in self.application_liststore:
if app == items[0]:
return True
return False
@@ -1066,9 +1065,9 @@ class SELinuxGui():
self.transitions_into_tab.set_label(_("Application Transitions Into '%s'" % app))
self.transitions_from_tab.set_label(_("Application Transitions From '%s'" % app))
self.transitions_file_tab.set_label(_("File Transitions From '%s'" % app))
- self.transitions_into_tab.set_tooltip_text(_("Executables which will transition to the '%s', when executing a selected domains entrypoint.") % app)
- self.transitions_from_tab.set_tooltip_text(_("Executables which will transition to a different domain, when the '%s' executes them.") % app)
- self.transitions_file_tab.set_tooltip_text(_("Files by '%s' will transitions to a different label." % app))
+ self.transitions_into_tab.set_tooltip_text(_("Executables which will transition to '%s', when executing selected domains entrypoint.") % app)
+ self.transitions_from_tab.set_tooltip_text(_("Executables which will transition to a different domain, when '%s' executes them.") % app)
+ self.transitions_file_tab.set_tooltip_text(_("Files by '%s' with transitions to a different label." % app))
self.transitions_radio_button.set_tooltip_text(_("Display applications that can transition into or out of the '%s'." % app))
self.application = app
@@ -1290,11 +1289,11 @@ class SELinuxGui():
niter = self.transitions_from_treestore.append(iter)
# active[0][1] is either T or F (enabled is all the way at the top)
self.transitions_from_treestore.set_value(iter, 0, enabled[active[0][1]])
- markup = '<span foreground="blue"><u>%s</u></span>'
+ markup = ('<span foreground="blue"><u>','</u></span>')
if active[0][1]:
- self.transitions_from_treestore.set_value(niter, 2, (_("To disable this transition, go to the " + markup % _("Boolean section."))))
+ self.transitions_from_treestore.set_value(niter, 2, (_("To disable this transition, go to the %sBoolean section%s.") % markup))
else:
- self.transitions_from_treestore.set_value(niter, 2, (_("To enable this transition, go to the " + markup % _("Boolean section."))))
+ self.transitions_from_treestore.set_value(niter, 2, (_("To enable this transition, go to the %sBoolean section%s.") % markup))
# active[0][0] is the Bool Name
self.transitions_from_treestore.set_value(niter, 1, active[0][0])
@@ -1377,8 +1376,8 @@ class SELinuxGui():
self.treeview = self.network_in_treeview
category = _("listen for inbound connections")
- self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category})
- self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %s.") % {"APP": self.application, "PERM": category})
+ self.add_button.set_tooltip_text(_("Add new port definition to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
+ self.delete_button.set_tooltip_text(_("Delete modified port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
if self.transitions_radio_button.get_active():
@@ -1598,8 +1597,8 @@ class SELinuxGui():
self.show_popup(self.login_popup_window)
if self.opage == FILE_EQUIV_PAGE:
- self.file_equiv_source_entry.set_text(self.file_equiv_liststore.get_value(iter, 0))
- self.file_equiv_dest_entry.set_text(self.file_equiv_liststore.get_value(iter, 1))
+ self.file_equiv_source_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 0)))
+ self.file_equiv_dest_entry.set_text(self.unmarkup(self.file_equiv_liststore.get_value(iter, 1)))
self.file_equiv_label.set_text((_("Modify File Equivalency Mapping. Mapping will be created when update is applied.")))
self.file_equiv_popup_window.set_title(_("Modify SELinux File Equivalency"))
self.clear_entry = True
@@ -1635,7 +1634,7 @@ class SELinuxGui():
self.files_type_combolist.clear()
self.files_class_combolist.clear()
compare = self.strip_domain(self.application)
- for d in self.completion_entry_model:
+ for d in self.application_liststore:
if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"):
exclude_list.append(self.strip_domain(d[0]))
@@ -1714,10 +1713,10 @@ class SELinuxGui():
try:
if ipage == OUTBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_connect", check_bools=True)
elif ipage == INBOUND_PAGE:
- netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind")
- netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind")
+ netd = sepolicy.network.get_network_connect(self.application, "tcp", "name_bind", check_bools=True)
+ netd += sepolicy.network.get_network_connect(self.application, "udp", "name_bind", check_bools=True)
port_types = []
for k in netd.keys():
@@ -2550,34 +2549,7 @@ class SELinuxGui():
self.network_mls_label.set_visible(advanced)
self.network_mls_entry.set_visible(advanced)
- def advanced_search_initialize(self, path):
- try:
- if path[0] == '/':
- domain = sepolicy.get_init_transtype(path)
- else:
- domain = path
- except IndexError:
- return
- except OSError:
- return
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 0, path)
- self.advanced_search_liststore.set_value(iter, 1, domain)
- user_types = sepolicy.get_user_types()
- if domain in user_types + ['initrc_t']:
- return
-
- entrypoints = sepolicy.get_entrypoints(domain)
- # From entry_point = 0 to the number of keys in the dic
- for exe in entrypoints:
- if len(entrypoints[exe]):
- file_class = entrypoints[exe][1]
- for path in entrypoints[exe][0]:
- iter = self.advanced_search_liststore.append()
- self.advanced_search_liststore.set_value(iter, 1, domain)
- self.advanced_search_liststore.set_value(iter, 0, path)
-
- def advanced_label_main(self, label, *args):
+ def on_show_advanced_search_window(self, label, *args):
if label.get_text() == ADVANCED_SEARCH_LABEL[1]:
label.set_text(ADVANCED_SEARCH_LABEL[0])
self.close_popup()
@@ -2585,33 +2557,18 @@ class SELinuxGui():
label.set_text(ADVANCED_SEARCH_LABEL[1])
self.show_popup(self.advanced_search_window)
- def advanced_radio_select(self, button):
- label = ""
- if button.get_active():
- label = button.get_label()
- if label == '':
- return
- self.advanced_search_liststore.clear()
- if label == "All":
- for items in self.all_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
- elif label == "Installed":
- if self.installed_list == []:
- return
- for items in self.installed_list:
- self.advanced_search_initialize(items)
- self.idle_func()
-
def set_enforce_text(self, value):
if value:
self.status_bar.push(self.context_id, _("System Status: Enforcing"))
+ self.current_status_enforcing.set_active(True)
else:
self.status_bar.push(self.context_id, _("System Status: Permissive"))
- self.current_status_permissive.set_active(True)
+ self.current_status_permissive.set_active(True)
def set_enforce(self, button):
+ if not self.finish_init:
+ return
+
self.dbus.setenforce(button.get_active())
self.set_enforce_text(button.get_active())
diff --git policycoreutils-2.6/sepolicy/sepolicy/interface.py policycoreutils-2.6/sepolicy/sepolicy/interface.py
index c2cb971..8956f39 100644
--- policycoreutils-2.6/sepolicy/sepolicy/interface.py
+++ policycoreutils-2.6/sepolicy/sepolicy/interface.py
@@ -192,10 +192,13 @@ def generate_compile_te(interface, idict, name="compiletest"):
def get_xml_file(if_file):
""" Returns xml format of interfaces for given .if policy file"""
import os
- import commands
+ try:
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
basedir = os.path.dirname(if_file) + "/"
filename = os.path.basename(if_file).split(".")[0]
- rc, output = commands.getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
+ rc, output = getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
if rc != 0:
sys.stderr.write("\n Could not proceed selected interface file.\n")
sys.stderr.write("\n%s" % output)
@@ -208,7 +211,10 @@ def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"
exclude_interfaces = ["userdom", "kernel", "corenet", "files", "dev"]
exclude_interface_type = ["template"]
- import commands
+ try:
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
import os
policy_files = {'pp': "compiletest.pp", 'te': "compiletest.te", 'fc': "compiletest.fc", 'if': "compiletest.if"}
idict = get_interface_dict(path)
@@ -219,7 +225,7 @@ def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"
fd = open(policy_files['te'], "w")
fd.write(generate_compile_te(interface, idict))
fd.close()
- rc, output = commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
+ rc, output = getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
if rc != 0:
sys.stderr.write(output)
sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
diff --git policycoreutils-2.6/sepolicy/sepolicy/manpage.py policycoreutils-2.6/sepolicy/sepolicy/manpage.py
index 7365f93..703cce2 100755
--- policycoreutils-2.6/sepolicy/sepolicy/manpage.py
+++ policycoreutils-2.6/sepolicy/sepolicy/manpage.py
@@ -27,11 +27,17 @@ __all__ = ['ManPage', 'HTMLManPages', 'manpage_domains', 'manpage_roles', 'gen_d
import string
import selinux
import sepolicy
-import commands
import os
import time
-equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt", "svirt", "svirt_tcg", "svirt_lxc_t", "svirt_lxc_net_t"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
+typealias_types = {
+"antivirus_t":("amavis_t", "clamd_t", "clamscan_t", "freshclam_t"),
+"cluster_t":("rgmanager_t", "corosync_t", "aisexec_t", "pacemaker_t"),
+"svirt_t":("qemu_t"),
+"httpd_t":("phpfpm_t"),
+}
+
+equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
equiv_dirs = ["/var"]
modules_dict = None
@@ -88,11 +94,10 @@ def get_all_users_info():
all_entrypoints = None
-
def get_entrypoints():
global all_entrypoints
if not all_entrypoints:
- all_entrypoints = sepolicy.info(sepolicy.ATTRIBUTE, "entry_type")[0]["types"]
+ all_entrypoints = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
return all_entrypoints
domains = None
@@ -120,8 +125,33 @@ def gen_domains():
domains.sort()
return domains
-types = None
+exec_types = None
+
+def _gen_exec_types():
+ global exec_types
+ if exec_types is None:
+ exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+ return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+ global entry_types
+ if entry_types is None:
+ entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+ return entry_types
+
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+ global mcs_constrained_types
+ if mcs_constrained_types is None:
+ mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+ return mcs_constrained_types
+
+
+types = None
def _gen_types():
global types
@@ -144,10 +174,6 @@ def prettyprint(f, trim):
manpage_domains = []
manpage_roles = []
-fedora_releases = ["Fedora17", "Fedora18"]
-rhel_releases = ["RHEL6", "RHEL7"]
-
-
def get_alphabet_manpages(manpage_list):
alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
for i in string.ascii_letters:
@@ -162,7 +188,11 @@ def get_alphabet_manpages(manpage_list):
def convert_manpage_to_html(html_manpage, manpage):
- rc, output = commands.getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
+ try:
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
+ rc, output = getstatusoutput("/usr/bin/groff -man -Thtml %s 2>/dev/null" % manpage)
if rc == 0:
print(html_manpage, "has been created")
fd = open(html_manpage, 'w')
@@ -173,7 +203,7 @@ def convert_manpage_to_html(html_manpage, manpage):
class HTMLManPages:
"""
- Generate a HHTML Manpages on an given SELinux domains
+ Generate a HTML Manpages on an given SELinux domains
"""
def __init__(self, manpage_roles, manpage_domains, path, os_version):
@@ -181,9 +211,9 @@ class HTMLManPages:
self.manpage_domains = get_alphabet_manpages(manpage_domains)
self.os_version = os_version
self.old_path = path + "/"
- self.new_path = self.old_path + self.os_version + "/"
+ self.new_path = self.old_path
- if self.os_version in fedora_releases or rhel_releases:
+ if self.os_version:
self.__gen_html_manpages()
else:
print("SELinux HTML man pages can not be generated for this %s" % os_version)
@@ -192,7 +222,6 @@ class HTMLManPages:
def __gen_html_manpages(self):
self._write_html_manpage()
self._gen_index()
- self._gen_body()
self._gen_css()
def _write_html_manpage(self):
@@ -202,75 +231,29 @@ class HTMLManPages:
for domain in self.manpage_domains.values():
if len(domain):
for d in domain:
- convert_manpage_to_html((self.new_path + d.split("_selinux")[0] + ".html"), self.old_path + d)
+ convert_manpage_to_html((self.new_path + d.rsplit("_selinux", 1)[0] + ".html"), self.old_path + d)
for role in self.manpage_roles.values():
if len(role):
for r in role:
- convert_manpage_to_html((self.new_path + r.split("_selinux")[0] + ".html"), self.old_path + r)
+ convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
def _gen_index(self):
- index = self.old_path + "index.html"
- fd = open(index, 'w')
- fd.write("""
-<html>
-<head>
- <link rel=stylesheet type="text/css" href="style.css" title="style">
- <title>SELinux man pages online</title>
-</head>
-<body>
-<h1>SELinux man pages</h1>
-<br></br>
-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
-<br></br>
-<hr>
-<h3>Fedora</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for f in fedora_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
-
- fd.write("""
-</pre>
-<hr>
-<h3>RHEL</h3>
-<table><tr>
-<td valign="middle">
-</td>
-</tr></table>
-<pre>
-""")
- for r in rhel_releases:
- fd.write("""
-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
-
- fd.write("""
-</pre>
- """)
- fd.close()
- print("%s has been created") % index
-
- def _gen_body(self):
html = self.new_path + self.os_version + ".html"
fd = open(html, 'w')
fd.write("""
<html>
<head>
- <link rel=stylesheet type="text/css" href="../style.css" title="style">
- <title>Linux man-pages online for Fedora18</title>
+ <link rel=stylesheet type="text/css" href="style.css" title="style">
+ <title>SELinux man pages</title>
</head>
<body>
-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
<hr>
<table><tr>
<td valign="middle">
<h3>SELinux roles</h3>
-""")
+""" % self.os_version)
for letter in self.manpage_roles:
if len(self.manpage_roles[letter]):
fd.write("""
@@ -287,7 +270,7 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
if len(self.manpage_roles[letter]):
rolename_body += "<p>"
for r in self.manpage_roles[letter]:
- rolename = r.split("_selinux")[0]
+ rolename = r.rsplit("_selinux", 1)[0]
rolename_body += "<a name=%s_role></a><a href=%s.html>%s_selinux(8)</a> - Security Enhanced Linux Policy for the %s SELinux user\n" % (letter, rolename, rolename, rolename)
fd.write("""%s
@@ -314,7 +297,7 @@ Fedora or Red Hat Enterprise Linux Man Pages.</h2>
if len(self.manpage_domains[letter]):
domainname_body += "<p>"
for r in self.manpage_domains[letter]:
- domainname = r.split("_selinux")[0]
+ domainname = r.rsplit("_selinux", 1)[0]
domainname_body += "<a name=%s_domain></a><a href=%s.html>%s_selinux(8)</a> - Security Enhanced Linux Policy for the %s SELinux processes\n" % (letter, domainname, domainname, domainname)
fd.write("""%s
@@ -414,6 +397,9 @@ class ManPage:
self.all_file_types = sepolicy.get_all_file_types()
self.role_allows = sepolicy.get_all_role_allows()
self.types = _gen_types()
+ self.exec_types = _gen_exec_types()
+ self.entry_types = _gen_entry_types()
+ self.mcs_constrained_types = _gen_mcs_constrained_types()
if self.source_files:
self.fcpath = self.root + "file_contexts"
@@ -485,7 +471,7 @@ class ManPage:
self.desc = "%s user role" % self.domainname
if self.domainname in self.all_users:
- self.attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
+ self.attributes = next(sepolicy.info(sepolicy.TYPE, (self.type)))["attributes"]
self._user_header()
self._user_attribute()
self._can_sudo()
@@ -501,6 +487,7 @@ class ManPage:
self._booleans()
self._port_types()
+ self._mcs_types()
self._writes()
self._footer()
@@ -519,11 +506,22 @@ class ManPage:
self._get_ptypes()
for domain_type in self.ptypes:
- self.attributes[domain_type] = sepolicy.info(sepolicy.TYPE, ("%s") % domain_type)[0]["attributes"]
+ try:
+ if typealias_types[domain_type]:
+ fd = self.fd
+ man_page_path = self.man_page_path
+ for t in typealias_types[domain_type]:
+ self._typealias_gen_man(t)
+ self.fd = fd
+ self.man_page_path = man_page_path
+ except KeyError:
+ continue;
+ self.attributes[domain_type] = next(sepolicy.info(sepolicy.TYPE, ("%s") % domain_type))["attributes"]
self._header()
self._entrypoints()
self._process_types()
+ self._mcs_types()
self._booleans()
self._nsswitch_domain()
self._port_types()
@@ -537,6 +535,34 @@ class ManPage:
if f.startswith(self.short_name) or f.startswith(self.domainname):
self.ptypes.append(f)
+ def _typealias_gen_man(self, t):
+ self.man_page_path = "%s/%s_selinux.8" % (self.path, t[:-2])
+ self.ports = []
+ self.booltext = ""
+ self.fd = open(self.man_page_path, 'w')
+ self._typealias(t[:-2])
+ self._footer()
+ self.fd.close()
+
+ def _typealias(self,typealias):
+ self.fd.write('.TH "%(typealias)s_selinux" "8" "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
+ % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
+ self.fd.write(r"""
+.SH "NAME"
+%(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
+.SH "DESCRIPTION"
+
+%(typealias)s_t SELinux domain type is now associated with %(domainname)s domain type (%(domainname)s_t).
+""" % {'typealias':typealias, 'domainname':self.domainname})
+
+ self.fd.write(r"""
+Please see
+
+.B %(domainname)s_selinux
+
+man page for more details.
+""" % {'domainname':self.domainname})
+
def _header(self):
self.fd.write('.TH "%(domainname)s_selinux" "8" "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
% {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
@@ -686,10 +712,13 @@ Default Defined Ports:""")
def _file_context(self):
flist = []
+ flist_non_exec = []
mpaths = []
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not f in self.exec_types or not f in self.entry_types:
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -741,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
@@ -889,9 +919,8 @@ selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
return True
def _entrypoints(self):
- try:
- entrypoints = map(lambda x: x['target'], sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'}))
- except:
+ entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['entrypoint'], 'class': 'file'})]
+ if len(entrypoints) == 0:
return
self.fd.write("""
@@ -920,6 +949,16 @@ All executeables with the default executable label, usually stored in /usr/bin a
self.fd.write("""
%s""" % ", ".join(paths))
+ def _mcs_types(self):
+ if self.type not in self.mcs_constrained_types['types']:
+ return
+ self.fd.write ("""
+.SH "MCS Constrained"
+The SELinux process type %(type)s_t is an MCS (Multi Category Security) constrained type. Sometimes this separation is referred to as sVirt. These types are usually used for securing multi-tenant environments, such as virtualization, containers or separation of users. The tools used to launch MCS types, pick out a different MCS label for each process group.
+
+For example one process might be launched with %(type)s_t:s0:c1,c2, and another process launched with %(type)s_t:s0:c3,c4. The SELinux kernel only allows these processes can only write to content with a matching MCS label, or a MCS Label of s0. A process running with the MCS level of s0:c1,c2 is not allowed to write to content with the MCS label of s0:c3,c4
+""" % {'type': self.domainname})
+
def _writes(self):
permlist = sepolicy.search([sepolicy.ALLOW], {'source': self.type, 'permlist': ['open', 'write'], 'class': 'file'})
if permlist is None or len(permlist) == 0:
@@ -1156,7 +1195,7 @@ Three things can happen when %(type)s attempts to execute a program.
Execute the following to see the types that the SELinux user %(type)s can execute without transitioning:
-.B search -A -s %(type)s -c file -p execute_no_trans
+.B sesearch -A -s %(type)s -c file -p execute_no_trans
.TP
@@ -1164,7 +1203,7 @@ Execute the following to see the types that the SELinux user %(type)s can execut
Execute the following to see the types that the SELinux user %(type)s can execute and transition:
-.B $ search -A -s %(type)s -c process -p transition
+.B $ sesearch -A -s %(type)s -c process -p transition
""" % {'user': self.domainname, 'type': self.type})
diff --git policycoreutils-2.6/sepolicy/sepolicy/network.py policycoreutils-2.6/sepolicy/sepolicy/network.py
index c4d95da..115f6b8 100755
--- policycoreutils-2.6/sepolicy/sepolicy/network.py
+++ policycoreutils-2.6/sepolicy/sepolicy/network.py
@@ -23,20 +23,20 @@
import sepolicy
-def get_types(src, tclass, perm):
+def get_types(src, tclass, perm, check_bools=False):
allows = sepolicy.search([sepolicy.ALLOW], {sepolicy.SOURCE: src, sepolicy.CLASS: tclass, sepolicy.PERMS: perm})
nlist = []
if allows:
- for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
+ for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]) and (not check_bools or x["enabled"]), allows)):
if i not in nlist:
nlist.append(i)
return nlist
-def get_network_connect(src, protocol, perm):
+def get_network_connect(src, protocol, perm, check_bools=False):
portrecs, portrecsbynum = sepolicy.gen_port_dict()
d = {}
- tlist = get_types(src, "%s_socket" % protocol, [perm])
+ tlist = get_types(src, "%s_socket" % protocol, [perm], check_bools)
if len(tlist) > 0:
d[(src, protocol, perm)] = []
for i in tlist:
diff --git policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade
index 1275c7f..8f6ad65 100644
--- policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade
+++ policycoreutils-2.6/sepolicy/sepolicy/sepolicy.glade
@@ -2,7 +2,7 @@
<!-- Generated with glade 3.16.0 on Fri Oct 11 08:24:19 2013 -->
<interface>
<!-- interface-requires gtk+ 3.8 -->
- <object class="GtkListStore" id="Advanced_search_liststore">
+ <object class="GtkListStore" id="application_liststore">
<columns>
<!-- column-name Application -->
<column type="gchararray"/>
@@ -82,7 +82,7 @@
<attributes>
<attribute name="foreground" value="#00004e4e9999"/>
</attributes>
- <signal name="button-press-event" handler="on_main_advanced_label_button_press_event" swapped="no"/>
+ <signal name="button-press-event" handler="on_show_advanced_search_window" swapped="no"/>
</object>
<packing>
<property name="expand">True</property>
@@ -225,7 +225,7 @@
</child>
</object>
<object class="GtkTreeModelFilter" id="advanced_filter">
- <property name="child_model">Advanced_search_liststore</property>
+ <property name="child_model">application_liststore</property>
</object>
<object class="GtkTreeModelSort" id="advanced_sort">
<property name="model">advanced_filter</property>
@@ -256,24 +256,6 @@
<object class="GtkTreeModelSort" id="application_files_sort">
<property name="model">application_files_filter</property>
</object>
- <object class="GtkListStore" id="application_liststore">
- <columns>
- <!-- column-name Application -->
- <column type="gchararray"/>
- </columns>
- </object>
- <object class="GtkTreeModelFilter" id="application_filter">
- <property name="child_model">application_liststore</property>
- </object>
- <object class="GtkTreeModelSort" id="application_sort">
- <property name="model">application_filter</property>
- </object>
- <object class="GtkListStore" id="application_tree_list">
- <columns>
- <!-- column-name Process -->
- <column type="gchararray"/>
- </columns>
- </object>
<object class="GtkListStore" id="boolean_liststore">
<columns>
<!-- column-name Active -->
@@ -473,7 +455,7 @@
<property name="can_focus">False</property>
<property name="xalign">0</property>
<property name="xpad">10</property>
- <property name="label" translatable="yes">Add file Equivilence Mapping. Mapping will be created when Update is applied.</property>
+ <property name="label" translatable="yes">Add file Equivalence Mapping. Mapping will be created when Update is applied.</property>
<property name="justify">fill</property>
<property name="wrap">True</property>
</object>
@@ -823,7 +805,7 @@
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <property name="tooltip_text" translatable="yes">Select Make Path Recursive iff you want to apply this label to all children of the specified directory path. objects under the directory to have this label.</property>
+ <property name="tooltip_text" translatable="yes">Select Make Path Recursive if you want to apply this label to all children of the specified directory path. objects under the directory to have this label.</property>
<property name="xalign">0.5</property>
<property name="draw_indicator">True</property>
<signal name="toggled" handler="on_make_path_recursive_toggled" swapped="no"/>
@@ -1061,7 +1043,7 @@
<object class="GtkImage" id="help_image">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="pixbuf">images/booleans.png</property>
+ <property name="pixbuf">help/booleans.png</property>
</object>
<packing>
<property name="expand">False</property>
@@ -2948,7 +2930,7 @@ Enabled</property>
<property name="tooltip_text" translatable="yes">Executables which will transition to a different domain, when the 'selected domain' executes them.</property>
<property name="xpad">1</property>
<property name="ypad">1</property>
- <property name="label" translatable="yes">Applicaton Transitions From 'select domain'</property>
+ <property name="label" translatable="yes">Application Transitions From 'select domain'</property>
</object>
<packing>
<property name="position">1</property>
@@ -3909,7 +3891,7 @@ allow alternative access control.</property>
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <property name="tooltip_text" translatable="yes">An permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed.</property>
+ <property name="tooltip_text" translatable="yes">A permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed.</property>
<property name="xalign">0</property>
<property name="draw_indicator">True</property>
<property name="group">enable_permissive</property>
@@ -3926,7 +3908,7 @@ allow alternative access control.</property>
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <property name="tooltip_text" translatable="yes">An permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed.</property>
+ <property name="tooltip_text" translatable="yes">A permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed.</property>
<property name="xalign">0</property>
<property name="active">True</property>
<property name="draw_indicator">True</property>
@@ -3989,7 +3971,7 @@ allow alternative access control.</property>
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="receives_default">False</property>
- <property name="tooltip_text" translatable="yes">An permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed.</property>
+ <property name="tooltip_text" translatable="yes">A permissive domain is a process label that allows the process to do what it wants, with SELinux only logging the denials, but not enforcing them. Usually permissive domains indicate experimental policy, disabling the module could cause SELinux to deny access to a domain, that should be allowed.</property>
<property name="xalign">0</property>
<property name="active">True</property>
<property name="draw_indicator">True</property>
@@ -4328,46 +4310,7 @@ allow alternative access control.</property>
<property name="position">0</property>
</packing>
</child>
- <child>
- <object class="GtkRadioButton" id="All_advanced_button">
- <property name="label" translatable="yes">All</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="xalign">0.5</property>
- <property name="active">True</property>
- <property name="draw_indicator">True</property>
- <signal name="toggled" handler="on_All_advanced_button_toggled" swapped="no"/>
- </object>
- <packing>
- <property name="expand">True</property>
- <property name="fill">True</property>
- <property name="position">1</property>
- </packing>
- </child>
- <child>
- <object class="GtkRadioButton" id="Installed_advanced_button">
- <property name="label" translatable="yes">Installed</property>
- <property name="visible">True</property>
- <property name="can_focus">True</property>
- <property name="receives_default">False</property>
- <property name="xalign">0.5</property>
- <property name="draw_indicator">True</property>
- <property name="group">All_advanced_button</property>
- <signal name="toggled" handler="on_Installed_advanced_button_toggled" swapped="no"/>
- </object>
- <packing>
- <property name="expand">True</property>
- <property name="fill">True</property>
- <property name="position">2</property>
- </packing>
- </child>
</object>
- <packing>
- <property name="expand">False</property>
- <property name="fill">True</property>
- <property name="position">0</property>
- </packing>
</child>
<child>
<object class="GtkScrolledWindow" id="scrolledwindow11">
@@ -4377,7 +4320,6 @@ allow alternative access control.</property>
<object class="GtkTreeView" id="advanced_search_treeview">
<property name="visible">True</property>
<property name="can_focus">True</property>
- <property name="model">advanced_sort</property>
<property name="enable_search">False</property>
<signal name="row-activated" handler="on_advanced_search_treeview_row_activated" swapped="no"/>
<child internal-child="selection">
@@ -4788,7 +4730,7 @@ allow alternative access control.</property>
<property name="can_focus">False</property>
<property name="xalign">0</property>
<property name="xpad">10</property>
- <property name="label" translatable="yes">Select file equivalence labeling to delete.File equivalence labeling will be deleted when update is applied.</property>
+ <property name="label" translatable="yes">Select file equivalence labeling to delete. File equivalence labeling will be deleted when update is applied.</property>
<property name="justify">fill</property>
<property name="wrap">True</property>
</object>
diff --git policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py
index 4b9534d..f267993 100644
--- policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py
+++ policycoreutils-2.6/sepolicy/sepolicy/templates/executable.py
@@ -86,6 +86,7 @@ roleattribute system_r TEMPLATETYPE_roles;
type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
application_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+role TEMPLATETYPE_roles types TEMPLATETYPE_t;
permissive TEMPLATETYPE_t;
"""
@@ -219,7 +220,7 @@ if_program_rules="""
########################################
## <summary>
-## Execute TEMPLATE in the TEMPLATETYPE domin.
+## Execute TEMPLATETYPE_exec_t in the TEMPLATETYPE domain.
## </summary>
## <param name=\"domain\">
## <summary>
@@ -235,6 +236,25 @@ interface(`TEMPLATETYPE_domtrans',`
corecmd_search_bin($1)
domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
')
+
+######################################
+## <summary>
+## Execute TEMPLATETYPE in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`TEMPLATETYPE_exec',`
+ gen_require(`
+ type TEMPLATETYPE_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, TEMPLATETYPE_exec_t)
+')
"""
if_user_program_rules="""
@@ -418,8 +438,12 @@ interface(`TEMPLATETYPE_admin',`
if_middle_admin="""
')
- allow $1 TEMPLATETYPE_t:process { ptrace signal_perms };
+ allow $1 TEMPLATETYPE_t:process { signal_perms };
ps_process_pattern($1, TEMPLATETYPE_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 TEMPLATETYPE_t:process ptrace;
+ ')
"""
if_initscript_admin_types="""