From 9236954d7cc4bcf5a776ed57167470ced8163053 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jun 23 2008 11:09:58 +0000 Subject: * Mon Jun 23 2008 Dan Walsh 2.0.49-8 - Fix sepolgen/audit2allow handling of roles --- diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 49cca7d..7f55c44 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,15 +1,56 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile ---- nsapolicycoreutils/Makefile 2008-05-22 14:01:49.000000000 -0400 -+++ policycoreutils-2.0.49/Makefile 2008-05-16 11:27:02.000000000 -0400 +--- nsapolicycoreutils/Makefile 2008-06-12 23:25:24.000000000 -0400 ++++ policycoreutils-2.0.49/Makefile 2008-06-23 07:03:37.000000000 -0400 
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
+diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.49/audit2allow/audit2allow
+--- nsapolicycoreutils/audit2allow/audit2allow 2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/audit2allow/audit2allow 2008-06-23 07:03:50.000000000 -0400
+@@ -152,12 +152,13 @@
+
+ def __process_input(self):
+ if self.__options.type:
+- avcfilter = audit.TypeFilter(self.__options.type)
++ avcfilter = audit.AVCTypeFilter(self.__options.type)
+ self.__avs = self.__parser.to_access(avcfilter)
+- self.__selinux_errs = self.__parser.to_role(avcfilter)
++ csfilter = audit.ComputeSidTypeFilter(self.__options.type)
++ self.__role_types = self.__parser.to_role(csfilter)
+ else:
+ self.__avs = self.__parser.to_access()
+- self.__selinux_errs = self.__parser.to_role()
++ self.__role_types = self.__parser.to_role()
+
+ def __load_interface_info(self):
+ # Load interface info file
+@@ -310,6 +311,7 @@
+
+ # Generate the policy
+ g.add_access(self.__avs)
++ g.add_role_types(self.__role_types)
+
+ # Output
+ writer = output.ModuleWriter()
+@@ -328,12 +330,6 @@
+ fd = sys.stdout
+ writer.write(g.get_module(), fd)
+
+- if len(self.__selinux_errs) > 0:
+- fd.write("\n=========== ROLES ===============\n")
+-
+- for role in self.__selinux_errs:
+- fd.write(role.output())
+-
+ def main(self):
+ try:
+ self.__parse_options()
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
---- nsapolicycoreutils/restorecond/restorecond.c 2008-05-22 14:01:42.000000000 -0400
-+++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.c 2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/restorecond/restorecond.c 2008-06-23 07:03:37.000000000 -0400
@@ -210,9 +210,10 @@
}
@@ -37,8 +78,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
free(scontext);
close(fd);
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
---- nsapolicycoreutils/restorecond/restorecond.init 2008-05-22 14:01:42.000000000 -0400
-+++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-05-16 11:27:02.000000000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.init 2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/restorecond/restorecond.init 2008-06-23 07:03:37.000000000 -0400
@@ -2,7 +2,7 @@
#
# restorecond: Daemon used to maintain path file context
@@ -49,8 +90,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
# listed in the /etc/selinux/restorecond.conf file, and restores the \
# correct security context.
diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
---- nsapolicycoreutils/scripts/fixfiles 2008-05-22 14:01:41.000000000 -0400
-+++ policycoreutils-2.0.49/scripts/fixfiles 2008-05-22 13:56:53.000000000 -0400
+--- nsapolicycoreutils/scripts/fixfiles 2008-06-12 23:25:21.000000000 -0400
++++ policycoreutils-2.0.49/scripts/fixfiles 2008-06-23 07:03:37.000000000 -0400
@@ -138,6 +138,9 @@
fi
LogReadOnly
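Review bot: With `g.add_role_types(self.__role_types)` the role/type pairs now land inside the generated module instead of the removed `=========== ROLES ===============` listing, so a user who loads the output with `semodule -i` also installs `role … types …` statements that authorize the role for those types, and nothing at this call site says so. A comment above the call, `# role/type pairs derived from SELINUX_ERR invalid-context messages; they widen the role's authorized types and need review like the allow rules`, would make that visible to the next maintainer; the `-t` branch could likewise note that `ComputeSidTypeFilter` matches the regex against any of the invalid, source or target context types, which is broader than the AVC filter. `__process_input` and the output method belong to a class whose header is outside this hunk, and `main` continues past it.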
@@ -81,8 +122,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po if [ $# = 0 ]; then diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8 ---- nsapolicycoreutils/scripts/fixfiles.8 2008-05-22 14:01:41.000000000 -0400 -+++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-05-16 11:27:02.000000000 -0400 +--- nsapolicycoreutils/scripts/fixfiles.8 2008-06-12 23:25:21.000000000 -0400 ++++ policycoreutils-2.0.49/scripts/fixfiles.8 2008-06-23 07:03:37.000000000 -0400 @@ -7,6 +7,8 @@ .B fixfiles [-F] [-l logfile ] [-o outputfile ] { check | restore|[-f] relabel | verify } [[dir/file] ... ] @@ -103,8 +144,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po .SH "OPTIONS" .TP diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2008-05-22 14:01:41.000000000 -0400 -+++ policycoreutils-2.0.49/semanage/semanage 2008-06-12 14:34:26.499263000 -0400 +--- nsapolicycoreutils/semanage/semanage 2008-06-12 23:25:21.000000000 -0400 ++++ policycoreutils-2.0.49/semanage/semanage 2008-06-23 07:03:37.000000000 -0400 @@ -43,49 +43,52 @@ if __name__ == '__main__': 
@@ -231,8 +272,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po if modify: diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8 ---- nsapolicycoreutils/semanage/semanage.8 2008-05-22 14:01:41.000000000 -0400 -+++ policycoreutils-2.0.49/semanage/semanage.8 2008-06-11 16:18:48.000000000 -0400 +--- nsapolicycoreutils/semanage/semanage.8 2008-06-12 23:25:21.000000000 -0400 ++++ policycoreutils-2.0.49/semanage/semanage.8 2008-06-23 07:03:37.000000000 -0400 @@ -17,6 +17,8 @@ .br .B semanage fcontext \-{a|d|m} [\-frst] file_spec @@ -256,8 +297,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po Examples by Thomas Bleher . - diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2008-05-22 14:01:41.000000000 -0400 -+++ policycoreutils-2.0.49/semanage/seobject.py 2008-06-12 14:34:36.038161000 -0400 +--- nsapolicycoreutils/semanage/seobject.py 2008-06-12 23:25:21.000000000 -0400 ++++ policycoreutils-2.0.49/semanage/seobject.py 2008-06-23 07:03:37.000000000 -0400 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005, 2006, 2007 Red Hat diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch index e8d93f2..0d0bf8d 100644 --- a/policycoreutils-sepolgen.patch +++ b/policycoreutils-sepolgen.patch 
@@ -1,28 +1,195 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py 2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py 2008-06-23 07:04:21.000000000 -0400
+@@ -295,3 +295,32 @@
+ perms[av.obj_class] = s
+ s.update(av.perms)
+ return perms
++
++class RoleTypeSet:
++ """A non-overlapping set of role type statements.
++
++ This clas allows the incremental addition of role type statements and
++ maintains a non-overlapping list of statements.
++ """
++ def __init__(self):
++ """Initialize an access vector set."""
++ self.role_types = {}
++
++ def __iter__(self):
++ """Iterate over all of the unique role allows statements in the set."""
++ for role_type in self.role_types.values():
++ yield role_type
++
++ def __len__(self):
++ """Return the unique number of role allow statements."""
++ return len(self.roles)
++
++ def add(self, role, type):
++ if self.role_types.has_key(role):
++ role_type = self.role_types[role]
++ else:
++ role_type = refpolicy.RoleType()
++ role_type.role = role
++ self.role_types[role] = role_type
++
++ role_type.types.add(type)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
---- nsasepolgen/src/sepolgen/audit.py 2008-01-23 14:36:29.000000000 -0500
-+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-05-28 10:11:36.373597000 -0400
-@@ -241,14 +241,17 @@
+--- nsasepolgen/src/sepolgen/audit.py 2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-06-23 07:05:23.000000000 -0400
+@@ -235,20 +235,21 @@
+ """
+ def __init__(self, message):
+ AuditMessage.__init__(self, message)
+- self.type = ""
+- self.role = ""
++ self.invalid_context = refpolicy.SecurityContext()
++ self.scontext = refpolicy.SecurityContext()
++ self.tcontext = refpolicy.SecurityContext()
++ self.tclass = ""
+
def from_split_string(self, recs):
AuditMessage.from_split_string(self, recs)
- dict={}
-+ ctr = 0
- for i in recs:
-+ ctr = ctr + 1
- t = i.split('=')
- if len(t) < 2:
-+ if t[0] == "context":
-+ self.type = refpolicy.SecurityContext(recs[ctr]).type
- continue
- dict[t[0]]=t[1]
+- dict={}
+- for i in recs:
+- t = i.split('=')
+- if len(t) < 2:
+- continue
+- dict[t[0]]=t[1]
++ if len(recs) < 10:
++ raise ValueError("Split string does not represent a valid compute sid message")
++ try:
- self.role = refpolicy.SecurityContext(dict["scontext"]).role
+- self.role = refpolicy.SecurityContext(dict["scontext"]).role
- self.type = refpolicy.SecurityContext(dict["tcontext"]).type
++ self.invalid_context = refpolicy.SecurityContext(recs[5])
++ self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1])
++ self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1])
++ self.tclass = recs[9].split("=")[1]
except:
raise ValueError("Split string does not represent a valid compute sid message")
def output(self):
+@@ -405,7 +406,7 @@
+ self.__post_process()
+
+ def to_role(self, role_filter=None):
+- """Return list of SELINUX_ERR messages matching the specified filter
++ """Return RoleAllowSet statements matching the specified filter
+
+ Filter out types that match the filer, or all roles
+
+@@ -416,13 +417,12 @@
+ Access vector set representing the denied access in the
+ audit logs parsed by this object.
+ """ +- roles = [] +- if role_filter: +- for selinux_err in self.compute_sid_msgs: +- if role_filter.filter(selinux_err): +- roles.append(selinux_err) +- return roles +- return self.compute_sid_msgs ++ role_types = access.RoleTypeSet() ++ for cs in self.compute_sid_msgs: ++ if not role_filter or role_filter.filter(cs): ++ role_types.add(cs.invalid_context.role, cs.invalid_context.type) ++ ++ return role_types + + def to_access(self, avc_filter=None, only_denials=True): + """Convert the audit logs access into a an access vector set. +@@ -454,7 +454,7 @@ + avc.accesses, avc) + return av_set + +-class TypeFilter: ++class AVCTypeFilter: + def __init__(self, regex): + self.regex = re.compile(regex) + +@@ -465,4 +465,17 @@ + return True + return False + ++class ComputeSidTypeFilter: ++ def __init__(self, regex): ++ self.regex = re.compile(regex) ++ ++ def filter(self, avc): ++ if self.regex.match(avc.invalid_context.type): ++ return True ++ if self.regex.match(avc.scontext.type): ++ return True ++ if self.regex.match(avc.tcontext.type): ++ return True ++ return False ++ + +diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/output.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py +--- nsasepolgen/src/sepolgen/output.py 2008-06-12 23:25:26.000000000 -0400 ++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py 2008-06-23 07:04:31.000000000 -0400 +@@ -101,6 +101,8 @@ + else: + return id_set_cmp(a.src_types, [b.args[0]]) + ++def role_type_cmp(a, b): ++ return cmp(a.role, b.role) + + def sort_filter(module): + """Sort and group the output for readability. 
+@@ -146,6 +148,18 @@
+
+ c.extend(sep_rules)
+
++
++ ras = []
++ ras.extend(node.role_types())
++ ras.sort(role_type_cmp)
++ if len(ras):
++ comment = refpolicy.Comment()
++ comment.lines.append("============= ROLES ==============")
++ c.append(comment)
++
++
++ c.extend(ras)
++
+ # Everything else
+ for child in node.children:
+ if child not in c:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py 2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py 2008-06-23 07:04:36.000000000 -0400
+@@ -167,6 +167,13 @@
+ if self.gen_requires:
+ gen_requires(self.module)
+
++ def add_role_types(self, role_type_set):
++ for role_type in role_type_set:
++ self.module.children.append(role_type)
++
++ # Generate the requires
++ if self.gen_requires:
++ gen_requires(self.module)
+
+ def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
+ """Explain why a policy statement was generated.
+@@ -334,8 +341,12 @@
+ # can actually figure those out.
+ r.types.add(arg)
+
+- r.types.discard("self")
++ for role_type in node.role_types():
++ r.roles.add(role_type.role)
++ r.types.update(role_type.types)
+
++ r.types.discard("self")
++
+ node.children.insert(0, r)
+
+ # FUTURE - this is untested on modules with any sort of
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
---- nsasepolgen/src/sepolgen/refparser.py 2008-01-23 14:36:29.000000000 -0500
-+++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-05-16 11:27:03.000000000 -0400
+--- nsasepolgen/src/sepolgen/refparser.py 2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-06-23 07:05:23.000000000 -0400
@@ -919,7 +919,7 @@
def list_headers(root):
modules = []
@@ -32,3 +199,35 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py
+--- nsasepolgen/src/sepolgen/refpolicy.py 2008-06-12 23:25:26.000000000 -0400
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py 2008-06-23 07:04:47.000000000 -0400
+@@ -122,6 +122,12 @@
+ def roles(self):
+ return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self))
+
++ def role_allows(self):
++ return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self))
++
++ def role_types(self):
++ return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self))
++
+ def __str__(self):
+ if self.comment:
+ return str(self.comment) + "\n" + self.to_string()
+@@ -494,6 +500,15 @@
+ return "allow %s %s;" % (self.src_roles.to_comma_str(),
+ self.tgt_roles.to_comma_str())
+
++class RoleType(Leaf):
++ def __init__(self, parent=None):
++ Leaf.__init__(self, parent)
++ self.role = ""
++ self.types = IdSet()
++
++ def to_string(self):
++ return "role %s types %s;" % (self.role, self.types.to_comma_str())
++
+ class ModuleDeclaration(Leaf):
+ def __init__(self, parent=None):
+ Leaf.__init__(self, parent)
diff --git a/policycoreutils.spec b/policycoreutils.spec
index a4d7820..61e4a80 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.49
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
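Review bot: `RoleTypeSet.__len__` returns `len(self.roles)`, but `__init__` only creates `self.role_types`, so the first `len()` on a set raises AttributeError; it should read `return len(self.role_types)` (nothing in this commit calls `len()` on it, so the bug is latent). In `ComputeSidMessage.from_split_string` the contexts are taken from fixed slots `recs[5]`, `recs[7]`, `recs[8]`, `recs[9]` with `.split("=")[1]`, and since those values become `role X types Y;` statements through `to_role`, a message whose fields come in a different order would yield a role/type pair from the wrong field rather than being rejected; checking `recs[7].startswith("scontext=")` and `recs[8].startswith("tcontext=")` before splitting is cheap, and the bare `except:` that follows should name the exceptions the parsing can raise (at least IndexError, plus whatever `SecurityContext` raises on a malformed string) instead of also catching KeyboardInterrupt. The `to_role` docstring still promises `RoleAllowSet` statements and an "Access vector set" while the method now returns a `RoleTypeSet`, and the `RoleTypeSet` docstring reads `This clas`. The classes owning `from_split_string` and `to_role`, and the `sort_filter`/`gen_requires` functions, start outside this hunk.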
@@ -21,7 +21,6 @@ Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch
-#Patch2: policycoreutils-sepolgen.patch
Patch3: policycoreutils-gui.patch
Patch4: policycoreutils-sepolgen.patch
@@ -52,9 +51,8 @@ context.
%setup -q -a 1
%patch -p1 -b .rhat
%patch1 -p1 -b .rhatpo
-#%patch2 -p1 -b .sepolgen
%patch3 -p1 -b .gui
-%patch4 -p1 -b .sepolgen
+#%patch4 -p1 -b .sepolgen
%build
make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
@@ -193,6 +191,9 @@ if [ "$1" -ge "1" ]; then
fi
%changelog
+* Mon Jun 23 2008 Dan Walsh 2.0.49-8
+- Fix sepolgen/audit2allow handling of roles
+
* Mon Jun 16 2008 Dan Walsh 2.0.49-7
- Fix sepolgen-ifgen processing
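Review bot: `%patch4 -p1 -b .sepolgen` is turned into the comment `#%patch4 -p1 -b .sepolgen` in %prep while `Patch4: policycoreutils-sepolgen.patch` stays declared and the changelog entry in the next hunk says 2.0.49-8 fixes sepolgen/audit2allow role handling; as written the rewritten sepolgen patch is never applied, so the built package would not carry that fix unless it is applied by some path outside this spec, which I cannot see here. If the intent is to ship the fix, restore `%patch4 -p1 -b .sepolgen`; if the intent is to disable it, say so in the changelog and drop the `Patch4:` line the way `#Patch2:` was dropped. Note also that rpm expands macros inside comment lines, so a deliberately disabled patch line is conventionally written `#%%patch4 ...` to avoid surprises in rpm versions that treat `%patchN` as a macro.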