[policycoreutils/f18] Add role_allow to sepolicy.search python bindings, this allows us to remove last requirement for set
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Oct 19 14:08:46 UTC 2012
commit 35b2aebb6edfb66ea02b1307dd1d90c8ffac5492
Author: rhatdan <dwalsh at redhat.com>
Date: Fri Oct 19 10:08:37 2012 -0400
Add role_allow to sepolicy.search python bindings; this allows us to remove the last requirement for setools-cmdline in gui tools.
- Fix man page generator.
policycoreutils-rhat.patch | 191 ++++++++++++++++++++++++++++++++++++++------
policycoreutils.spec | 7 +-
2 files changed, 172 insertions(+), 26 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 728b55c..72af65b 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -336427,10 +336427,10 @@ index 0000000..d0deafc
+}
diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
new file mode 100644
-index 0000000..2f37f5e
+index 0000000..fb4bfd6
--- /dev/null
+++ b/policycoreutils/sepolicy/search.c
-@@ -0,0 +1,872 @@
+@@ -0,0 +1,1015 @@
+// Author: Thomas Liu <tliu at redhat.com>
+
+/**
@@ -336539,6 +336539,120 @@ index 0000000..2f37f5e
+ return rt;
+}
+
++static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
++{
++ apol_role_allow_query_t *raq = NULL;
++ int error = 0;
++
++ if (!policy || !opt || !v) {
++ ERR(policy, "%s", strerror(EINVAL));
++ errno = EINVAL;
++ return -1;
++ }
++
++ if (!opt->role_allow && !opt->all) {
++ *v = NULL;
++ return 0; /* no search to do */
++ }
++
++ raq = apol_role_allow_query_create();
++ if (!raq) {
++ ERR(policy, "%s", strerror(ENOMEM));
++ errno = ENOMEM;
++ return -1;
++ }
++
++ apol_role_allow_query_set_regex(policy, raq, opt->useregex);
++ if (opt->src_role_name) {
++ if (apol_role_allow_query_set_source(policy, raq, opt->src_role_name)) {
++ error = errno;
++ goto err;
++ }
++ }
++ if (opt->tgt_role_name)
++ if (apol_role_allow_query_set_target(policy, raq, opt->tgt_role_name)) {
++ error = errno;
++ goto err;
++ }
++
++ if (apol_role_allow_get_by_query(policy, raq, v)) {
++ error = errno;
++ goto err;
++ }
++ apol_role_allow_query_destroy(&raq);
++ return 0;
++
++ err:
++ apol_vector_destroy(v);
++ apol_role_allow_query_destroy(&raq);
++ ERR(policy, "%s", strerror(error));
++ errno = error;
++ return -1;
++}
++
++static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
++{
++ size_t i, num_rules = 0;
++ qpol_policy_t *q;
++ const qpol_role_allow_t *rule = NULL;
++ const char *tmp;
++ PyObject *obj, *dict=NULL;
++ const qpol_role_t *role = NULL;
++ int error = 0;
++ errno = EINVAL;
++ int rt;
++
++ if (!policy || !v) {
++ errno = EINVAL;
++ goto err;
++ }
++
++ if (!(num_rules = apol_vector_get_size(v)))
++ return NULL;
++
++ q = apol_policy_get_qpol(policy);
++
++ for (i = 0; i < num_rules; i++) {
++ dict = PyDict_New();
++ if (!dict) goto err;
++ if (!(rule = apol_vector_get_element(v, i)))
++ goto err;
++
++ if (qpol_role_allow_get_source_role(q, rule, &role)) {
++ goto err;
++ }
++ if (qpol_role_get_name(q, role, &tmp)) {
++ goto err;
++ }
++ obj = PyString_FromString(tmp);
++ if (py_insert_obj(dict, "source", obj))
++ goto err;
++
++ if (qpol_role_allow_get_target_role(q, rule, &role)) {
++ goto err;
++ }
++ if (qpol_role_get_name(q, role, &tmp)) {
++ goto err;
++ }
++ obj = PyString_FromString(tmp);
++ if (py_insert_obj(dict, "target", obj))
++ goto err;
++
++ rt = py_append_obj(output, dict);
++ Py_DECREF(dict); dict=NULL;
++ if (rt) goto err;
++ }
++ goto cleanup;
++err:
++ error = errno;
++ PyErr_SetString(PyExc_RuntimeError,strerror(error));
++ Py_DECREF(dict); dict=NULL;
++
++cleanup:
++ errno = error;
++ return output;
++}
++
+static int perform_te_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
+{
+ apol_terule_query_t *teq = NULL;
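Review bot: The `err:` label in get_ra_results calls `Py_DECREF(dict)` on paths where dict is still NULL — the `!policy || !v` guard, the `if (!dict) goto err;` after PyDict_New, and the `if (rt) goto err;` that follows `dict=NULL` — so those paths dereference a null pointer; the label should read `Py_XDECREF(dict); dict = NULL;`. The same check is worth making for the new early `goto err` exits added in the later hunks (the `!policy || !v` guards in the other *_results functions), whose err labels lie outside those hunks. Separately, `errno = EINVAL;` is assigned unconditionally among the declarations, so the empty-vector `return NULL` leaves errno set for a non-error result; it belongs inside the guard, which already sets it. The error path also returns `output` with a Python exception set rather than NULL, which a caller can only detect via PyErr_Occurred(); if that is intended, a comment at the label saying so would help.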
@@ -336595,7 +336709,7 @@ index 0000000..2f37f5e
+ int error = 0;
+ int rt = 0;
+ PyObject *obj, *dict=NULL, *tuple = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policy);
++ qpol_policy_t *q;
+ uint32_t rule_type = 0;
+ const qpol_type_t *type;
+ size_t i, num_rules = 0;
@@ -336607,11 +336721,15 @@ index 0000000..2f37f5e
+ const char *tmp_name;
+ const qpol_class_t *obj_class = NULL;
+
-+ if (!policy || !v)
++ if (!policy || !v) {
++ errno = EINVAL;
+ goto err;
++ }
+
+ if (!(num_rules = apol_vector_get_size(v)))
-+ goto err;
++ return NULL;
++
++ q = apol_policy_get_qpol(policy);
+
+ for (i = 0; i < num_rules; i++) {
+ dict = PyDict_New();
@@ -336792,11 +336910,18 @@ index 0000000..2f37f5e
+ const qpol_filename_trans_t *filename_trans = NULL;
+ const qpol_class_t *obj_class = NULL;
+ char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL;
-+ qpol_policy_t *q = apol_policy_get_qpol(policy);
++ qpol_policy_t *q;
+ const qpol_type_t *type = NULL;
+
-+ if (!(num_filename_trans = apol_vector_get_size(v)))
++ if (!policy || !v) {
++ errno = EINVAL;
+ goto err;
++ }
++
++ if (!(num_filename_trans = apol_vector_get_size(v)))
++ return NULL;
++
++ q = apol_policy_get_qpol(policy);
+
+ for (i = 0; i < num_filename_trans; i++) {
+ if (!(filename_trans = apol_vector_get_element(v, i)))
@@ -336974,19 +337099,23 @@ index 0000000..2f37f5e
+ PyObject *permlist = NULL;
+ int rt;
+ int error = 0;
-+ qpol_policy_t *q = apol_policy_get_qpol(policy);
++ qpol_policy_t *q;
+ size_t i, num_rules = 0;
+ const qpol_avrule_t *rule = NULL;
+ char *tmp = NULL, *rule_str = NULL, *expr = NULL;
+ qpol_iterator_t *iter = NULL;
+ uint32_t enabled = 0;
+
-+ if (!policy || !v)
-+ return NULL;
++ if (!policy || !v) {
++ errno = EINVAL;
++ goto err;
++ }
+
+ if (!(num_rules = apol_vector_get_size(v)))
+ return NULL;
+
++ q = apol_policy_get_qpol(policy);
++
+ for (i = 0; i < num_rules; i++) {
+ if (!(rule = apol_vector_get_element(v, i)))
+ goto err;
@@ -337093,6 +337222,7 @@ index 0000000..2f37f5e
+ bool auditallow,
+ bool dontaudit,
+ bool transition,
++ bool role_allow,
+ const char *src_name,
+ const char *tgt_name,
+ const char *class_name,
@@ -337115,6 +337245,7 @@ index 0000000..2f37f5e
+ cmd_opts.auditallow = auditallow;
+ cmd_opts.dontaudit = dontaudit;
+ cmd_opts.type = transition;
++ cmd_opts.role_allow = role_allow;
+ if (src_name)
+ cmd_opts.src_name = strdup(src_name);
+ if (tgt_name)
@@ -337240,6 +337371,17 @@ index 0000000..2f37f5e
+ }
+ }
+
++ if (cmd_opts.all || cmd_opts.role_allow) {
++ apol_vector_destroy(&v);
++ if (perform_ra_query(policy, &cmd_opts, &v)) {
++ goto cleanup;
++ }
++
++ if (v) {
++ get_ra_results(policy, v, output);
++ }
++ }
++
+ apol_vector_destroy(&v);
+
+ cleanup:
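Review bot: The return value of `get_ra_results(policy, v, output)` is discarded and, unlike the perform_ra_query failure just above it, an error inside it (signalled by the Python exception set at its `err:` label) is not routed to cleanup, so search() presumably continues and returns output with an exception pending. Adding `if (PyErr_Occurred()) goto cleanup;` after the call keeps the two error paths consistent; what cleanup does with output is outside this hunk. The outer `if (cmd_opts.all || cmd_opts.role_allow)` repeats the test perform_ra_query already performs (it returns 0 with `*v = NULL` otherwise), so one of the two is redundant.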
@@ -337285,13 +337427,14 @@ index 0000000..2f37f5e
+ int auditallow = Dict_ContainsInt(dict, "auditallow");
+ int dontaudit = Dict_ContainsInt(dict, "dontaudit");
+ int transition = Dict_ContainsInt(dict, "transition");
++ int role_allow = Dict_ContainsInt(dict, "role_allow");
+
+ const char *src_name = Dict_ContainsString(dict, "source");
+ const char *tgt_name = Dict_ContainsString(dict, "target");
+ const char *class_name = Dict_ContainsString(dict, "class");
+ const char *permlist = Dict_ContainsString(dict, "permlist");
+
-+ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, src_name, tgt_name, class_name, permlist));
++ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
+}
+
+static PyMethodDef methods[] = {
@@ -338057,7 +338200,7 @@ index 0000000..8fc3b56
+ sys.exit(1)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
new file mode 100644
-index 0000000..2d76d0b
+index 0000000..f8a8af9
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -0,0 +1,82 @@
@@ -338085,9 +338228,10 @@ index 0000000..2d76d0b
+PERMS = 'permlist'
+CLASS = 'class'
+TRANSITION = 'transition'
++ROLE_ALLOW = 'role_allow'
+
+def search(types, info = {} ):
-+ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION]
++ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
+ for type in types:
+ if type not in valid_types:
+ raise ValueError("Type has to be in %s" % valid_types)
@@ -338097,7 +338241,6 @@ index 0000000..2d76d0b
+ if PERMS in info:
+ perms = info[PERMS]
+ info[PERMS] = ",".join(info[PERMS])
-+
+
+ dict_list = _search.search(info)
+ if dict_list and len(perms) != 0:
@@ -339531,7 +339674,7 @@ index 0000000..8ba41c3
+ return out
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
new file mode 100755
-index 0000000..d5dd71d
+index 0000000..53308ba
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -0,0 +1,1018 @@
@@ -339627,15 +339770,15 @@ index 0000000..d5dd71d
+
+def _gen_role_allows():
+ role_allows = {}
-+ for rule in commands.getoutput("search --role_allow").split("\n"):
-+ role = rule.split()
-+ if len(role) == 3 and role[0] == "allow" and role[1] != "system_r" and role[2][:-1] != "system_r":
-+ if role[1] not in role_allows:
-+ role_allows[role[1]] = [role[2][:-1]]
-+ else:
-+ role_allows[role[1]].append(role[2][:-1])
++ for r in sepolicy.search([sepolicy.ROLE_ALLOW]):
++ if r["source"] == "system_r" or r["target"] == "system_r":
++ continue
++ if r["source"] in role_allows:
++ role_allows[r["source"]].append(r["target"])
++ else:
++ role_allows[r["source"]] = [ r["target"] ]
++
+ return role_allows
-+#role_allows = sepolicy.search([sepolicy.ROLE_ALLOW],{'source':self.type,'target':'ping_t', 'class':'process'})
+role_allows = _gen_role_allows()
+
+def _gen_roles():
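Review bot: The if/else that grows role_allows in _gen_role_allows is the dict idiom `role_allows.setdefault(r["source"], []).append(r["target"])`, which replaces the four lines after the `continue`. The new loop keeps the old behaviour of skipping rules where either side is system_r, but no longer needs the old "allow" prefix check because the binding returns only role_allow rules; a one-line comment saying that the dict is keyed by source role and lists target roles would make the module-level `role_allows = _gen_role_allows()` (which runs a policy query at import time) easier to read.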
@@ -339657,7 +339800,7 @@ index 0000000..d5dd71d
+ continue
+ if domain in domains:
+ continue
-+ domains.append(domain)
++ domains.append(domain)
+
+ for role in roles:
+ if role in domains:
diff --git a/policycoreutils.spec b/policycoreutils.spec
index b756a45..9c52ed9 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.13
-Release: 13%{?dist}
+Release: 14%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -218,7 +218,6 @@ Group: System Environment/Base
Requires: policycoreutils-python = %{version}-%{release}
Requires: gnome-python2-gnome, pygtk2, pygtk2-libglade, gnome-python2-canvas
Requires: usermode-gtk
-Requires: setools-console
Requires: selinux-policy-doc
Requires: python >= 2.6
BuildRequires: desktop-file-utils
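Review bot: Dropping `Requires: setools-console` from the gui subpackage is only safe if no remaining gui code shells out to setools commands; this commit replaces the `search --role_allow` call in manpage.py, but any other `commands.getoutput(...)` call to seinfo/sesearch left in the gui tools would now fail at runtime on a system without that package. It would be worth recording in the commit message that the gui tools were audited for remaining setools-console invocations.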
@@ -330,6 +329,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Fri Oct 19 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-14
+- Add role_allow to sepolicy.search python bindings, this allows us to remove last requirement for setools-cmdline in gui tools.
+- Fix man page generator.
+
* Wed Oct 17 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-13
- Remove dwalsh at redhat.com from man pages
- Fix spec file for sepolicy generate