[policycoreutils/f18] Add role_allow to sepolicy.search python bindings, this allows us to remove last requirement for set

Daniel J Walsh dwalsh at fedoraproject.org
Fri Oct 19 14:08:46 UTC 2012


commit 35b2aebb6edfb66ea02b1307dd1d90c8ffac5492
Author: rhatdan <dwalsh at redhat.com>
Date:   Fri Oct 19 10:08:37 2012 -0400

    Add role_allow to the sepolicy.search python bindings; this allows us to remove the last requirement for setools-cmdline in the gui tools.
    
    - Fix man page generator.

 policycoreutils-rhat.patch |  191 ++++++++++++++++++++++++++++++++++++++------
 policycoreutils.spec       |    7 +-
 2 files changed, 172 insertions(+), 26 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 728b55c..72af65b 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -336427,10 +336427,10 @@ index 0000000..d0deafc
 +}
 diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
 new file mode 100644
-index 0000000..2f37f5e
+index 0000000..fb4bfd6
 --- /dev/null
 +++ b/policycoreutils/sepolicy/search.c
-@@ -0,0 +1,872 @@
+@@ -0,0 +1,1015 @@
 +// Author: Thomas Liu <tliu at redhat.com>
 +
 +/**
@@ -336539,6 +336539,120 @@ index 0000000..2f37f5e
 +	return rt;
 +}
 +
++static int perform_ra_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
++{
++	apol_role_allow_query_t *raq = NULL;
++	int error = 0;
++
++	if (!policy || !opt || !v) {
++		ERR(policy, "%s", strerror(EINVAL));
++		errno = EINVAL;
++		return -1;
++	}
++
++	if (!opt->role_allow && !opt->all) {
++		*v = NULL;
++		return 0;	       /* no search to do */
++	}
++
++	raq = apol_role_allow_query_create();
++	if (!raq) {
++		ERR(policy, "%s", strerror(ENOMEM));
++		errno = ENOMEM;
++		return -1;
++	}
++
++	apol_role_allow_query_set_regex(policy, raq, opt->useregex);
++	if (opt->src_role_name) {
++		if (apol_role_allow_query_set_source(policy, raq, opt->src_role_name)) {
++			error = errno;
++			goto err;
++		}
++	}
++	if (opt->tgt_role_name)
++		if (apol_role_allow_query_set_target(policy, raq, opt->tgt_role_name)) {
++			error = errno;
++			goto err;
++		}
++
++	if (apol_role_allow_get_by_query(policy, raq, v)) {
++		error = errno;
++		goto err;
++	}
++	apol_role_allow_query_destroy(&raq);
++	return 0;
++
++      err:
++	apol_vector_destroy(v);
++	apol_role_allow_query_destroy(&raq);
++	ERR(policy, "%s", strerror(error));
++	errno = error;
++	return -1;
++}
++
++static PyObject* get_ra_results(const apol_policy_t * policy, const apol_vector_t * v, PyObject *output)
++{
++	size_t i, num_rules = 0;
++	qpol_policy_t *q;
++	const qpol_role_allow_t *rule = NULL;
++	const char *tmp;
++	PyObject *obj, *dict=NULL;
++	const qpol_role_t *role = NULL;
++	int error = 0;
++	errno = EINVAL;
++	int rt;
++
++	if (!policy || !v) {
++		errno = EINVAL;
++		goto err;
++	}
++
++	if (!(num_rules = apol_vector_get_size(v)))
++		return NULL;
++
++	q = apol_policy_get_qpol(policy);
++
++	for (i = 0; i < num_rules; i++) {
++		dict = PyDict_New();
++		if (!dict) goto err;
++		if (!(rule = apol_vector_get_element(v, i)))
++			goto err;
++
++		if (qpol_role_allow_get_source_role(q, rule, &role)) {
++			goto err;
++		}
++		if (qpol_role_get_name(q, role, &tmp)) {
++			goto err;
++		}
++		obj = PyString_FromString(tmp);
++		if (py_insert_obj(dict, "source", obj)) 
++			goto err;
++
++		if (qpol_role_allow_get_target_role(q, rule, &role)) {
++			goto err;
++		}
++		if (qpol_role_get_name(q, role, &tmp)) {
++			goto err;
++		}
++		obj = PyString_FromString(tmp);
++		if (py_insert_obj(dict, "target", obj)) 
++			goto err;
++
++		rt = py_append_obj(output, dict);
++		Py_DECREF(dict); dict=NULL;
++		if (rt) goto err;
++	}
++	goto cleanup;
++err:
++	error = errno;
++	PyErr_SetString(PyExc_RuntimeError,strerror(error));
++	Py_DECREF(dict); dict=NULL;
++
++cleanup:
++	errno = error;
++	return output;
++}
++
 +static int perform_te_query(const apol_policy_t * policy, const options_t * opt, apol_vector_t ** v)
 +{
 +	apol_terule_query_t *teq = NULL;
@@ -336595,7 +336709,7 @@ index 0000000..2f37f5e
 +	int error = 0;
 +	int rt = 0;
 +	PyObject *obj, *dict=NULL, *tuple = NULL;
-+	qpol_policy_t *q = apol_policy_get_qpol(policy);
++	qpol_policy_t *q;
 +	uint32_t rule_type = 0;
 +	const qpol_type_t *type;
 +	size_t i, num_rules = 0;
@@ -336607,11 +336721,15 @@ index 0000000..2f37f5e
 +	const char *tmp_name;
 +	const qpol_class_t *obj_class = NULL;
 +
-+	if (!policy || !v)
++	if (!policy || !v) {
++		errno = EINVAL;
 +		goto err;
++	}
 +
 +	if (!(num_rules = apol_vector_get_size(v)))
-+		goto err;
++		return NULL;
++
++	q = apol_policy_get_qpol(policy);
 +
 +	for (i = 0; i < num_rules; i++) {
 +		dict = PyDict_New();
@@ -336792,11 +336910,18 @@ index 0000000..2f37f5e
 +	const qpol_filename_trans_t *filename_trans = NULL;
 +	const qpol_class_t *obj_class = NULL;
 +	char *tmp = NULL, *filename_trans_str = NULL, *expr = NULL;
-+	qpol_policy_t *q = apol_policy_get_qpol(policy);
++	qpol_policy_t *q;
 +	const qpol_type_t *type = NULL;
 +
-+	if (!(num_filename_trans = apol_vector_get_size(v)))
++	if (!policy || !v) {
++		errno = EINVAL;
 +		goto err;
++	}
++
++	if (!(num_filename_trans = apol_vector_get_size(v)))
++		return NULL;
++
++	q = apol_policy_get_qpol(policy);
 +
 +	for (i = 0; i < num_filename_trans; i++) {
 +		if (!(filename_trans = apol_vector_get_element(v, i)))
@@ -336974,19 +337099,23 @@ index 0000000..2f37f5e
 +	PyObject *permlist = NULL;
 +	int rt;
 +	int error = 0;
-+	qpol_policy_t *q = apol_policy_get_qpol(policy);
++	qpol_policy_t *q;
 +	size_t i, num_rules = 0;
 +	const qpol_avrule_t *rule = NULL;
 +	char *tmp = NULL, *rule_str = NULL, *expr = NULL;
 +	qpol_iterator_t *iter = NULL;
 +	uint32_t enabled = 0;
 +
-+	if (!policy || !v)
-+		return NULL;
++	if (!policy || !v) {
++		errno = EINVAL;
++		goto err;
++	}
 +
 +	if (!(num_rules = apol_vector_get_size(v)))
 +		return NULL;
 +
++	q = apol_policy_get_qpol(policy);
++
 +	for (i = 0; i < num_rules; i++) {
 +		if (!(rule = apol_vector_get_element(v, i)))
 +			goto err;
@@ -337093,6 +337222,7 @@ index 0000000..2f37f5e
 +	     bool auditallow,
 +	     bool dontaudit,
 +	     bool transition,
++	     bool role_allow,
 +	     const char *src_name,
 +	     const char *tgt_name,
 +	     const char *class_name,
@@ -337115,6 +337245,7 @@ index 0000000..2f37f5e
 +	cmd_opts.auditallow = auditallow;
 +	cmd_opts.dontaudit = dontaudit;
 +	cmd_opts.type = transition;
++	cmd_opts.role_allow = role_allow;
 +	if (src_name)
 +		cmd_opts.src_name = strdup(src_name);
 +	if (tgt_name)
@@ -337240,6 +337371,17 @@ index 0000000..2f37f5e
 +		}
 +	}
 +
++	if (cmd_opts.all || cmd_opts.role_allow) {
++		apol_vector_destroy(&v);
++		if (perform_ra_query(policy, &cmd_opts, &v)) {
++			goto cleanup;
++		}
++
++		if (v) {
++			get_ra_results(policy, v, output);
++		}
++	}
++
 +	apol_vector_destroy(&v);
 +
 +      cleanup:
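Review bot: perform_ra_query filters on `opt->src_role_name` and `opt->tgt_role_name`, but the option block assembled in the preceding hunk only fills `cmd_opts.src_name` / `cmd_opts.tgt_name` from the Python `source`/`target` keys, so unless src_role_name/tgt_role_name are populated somewhere outside these hunks a role_allow search silently ignores any source/target filter and returns every role allow rule. If that is the case, `cmd_opts.src_role_name = cmd_opts.src_name; cmd_opts.tgt_role_name = cmd_opts.tgt_name;` before the query (or reading src_name/tgt_name inside perform_ra_query) would make the filter effective. The return value of get_ra_results is discarded here, so a RuntimeError set on its err path stays pending while search proceeds to cleanup; checking `PyErr_Occurred()` after the call, as the other result blocks should if they follow the same pattern, would make the failure visible to the Python caller. The body of search starts and ends outside this hunk.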
@@ -337285,13 +337427,14 @@ index 0000000..2f37f5e
 +    int auditallow = Dict_ContainsInt(dict, "auditallow");
 +    int dontaudit = Dict_ContainsInt(dict, "dontaudit");
 +    int transition = Dict_ContainsInt(dict, "transition");
++    int role_allow = Dict_ContainsInt(dict, "role_allow");
 +
 +    const char *src_name = Dict_ContainsString(dict, "source");
 +    const char *tgt_name = Dict_ContainsString(dict, "target");
 +    const char *class_name = Dict_ContainsString(dict, "class");
 +    const char *permlist = Dict_ContainsString(dict, "permlist");
 +
-+    return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, src_name, tgt_name, class_name, permlist));
++    return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
 +}
 +
 +static PyMethodDef methods[] = {
@@ -338057,7 +338200,7 @@ index 0000000..8fc3b56
 +        sys.exit(1)
 diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
 new file mode 100644
-index 0000000..2d76d0b
+index 0000000..f8a8af9
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
 @@ -0,0 +1,82 @@
@@ -338085,9 +338228,10 @@ index 0000000..2d76d0b
 +PERMS = 'permlist'
 +CLASS = 'class'
 +TRANSITION = 'transition'
++ROLE_ALLOW = 'role_allow'
 +
 +def search(types, info = {} ):
-+    valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION]
++    valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
 +    for type in types:
 +        if type not in valid_types:
 +            raise ValueError("Type has to be in %s" % valid_types)
@@ -338097,7 +338241,6 @@ index 0000000..2d76d0b
 +    if PERMS in info:
 +        perms = info[PERMS]
 +        info[PERMS] = ",".join(info[PERMS])
-+     
 +    
 +    dict_list = _search.search(info)
 +    if dict_list and len(perms) != 0:
@@ -339531,7 +339674,7 @@ index 0000000..8ba41c3
 +            return out
 diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
 new file mode 100755
-index 0000000..d5dd71d
+index 0000000..53308ba
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
 @@ -0,0 +1,1018 @@
@@ -339627,15 +339770,15 @@ index 0000000..d5dd71d
 +
 +def _gen_role_allows():
 +	role_allows = {}
-+	for rule in commands.getoutput("search --role_allow").split("\n"):
-+		role = rule.split()
-+		if len(role) == 3 and role[0] == "allow" and role[1] != "system_r" and role[2][:-1] != "system_r":
-+			if role[1] not in role_allows:
-+				role_allows[role[1]] = [role[2][:-1]]
-+			else:
-+				role_allows[role[1]].append(role[2][:-1])
++	for r in sepolicy.search([sepolicy.ROLE_ALLOW]):
++		if r["source"] == "system_r" or r["target"] == "system_r":
++			continue
++		if r["source"] in role_allows:
++			role_allows[r["source"]].append(r["target"])
++		else:
++			role_allows[r["source"]] = [ r["target"] ]
++
 +	return role_allows
-+#role_allows = sepolicy.search([sepolicy.ROLE_ALLOW],{'source':self.type,'target':'ping_t', 'class':'process'})
 +role_allows = _gen_role_allows()
 +
 +def _gen_roles():
@@ -339657,7 +339800,7 @@ index 0000000..d5dd71d
 +			continue
 +		if domain in domains:
 +			continue
-+	domains.append(domain)
++		domains.append(domain)
 +
 +	for role in roles:
 +		if role in domains:
diff --git a/policycoreutils.spec b/policycoreutils.spec
index b756a45..9c52ed9 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -218,7 +218,6 @@ Group: System Environment/Base
 Requires: policycoreutils-python = %{version}-%{release} 
 Requires: gnome-python2-gnome, pygtk2, pygtk2-libglade, gnome-python2-canvas
 Requires: usermode-gtk
-Requires: setools-console
 Requires: selinux-policy-doc
 Requires: python >= 2.6
 BuildRequires: desktop-file-utils
@@ -330,6 +329,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Fri Oct 19 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-14
+- Add role_allow to sepolicy.search python bindings, this allows us to remove last requirement for setools-cmdline in gui tools.
+- Fix man page generator.
+
 * Wed Oct 17 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-13
 - Remove dwalsh at redhat.com from man pages
 - Fix spec file for sepolicy generate

