[policycoreutils] Allow sepolicy to specify the policy to generate content from
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Oct 26 18:44:41 UTC 2012
commit 91f56772078f63e7720a13333a5f75895624944a
Author: rhatdan <dwalsh at redhat.com>
Date: Fri Oct 26 14:44:32 2012 -0400
Allow sepolicy to specify the policy to generate content from
policycoreutils-rhat.patch | 129 +++++++++++++++++++++++++++++++-------------
policycoreutils.spec | 5 ++-
2 files changed, 95 insertions(+), 39 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index fed6154..590f334 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -335731,6 +335731,19 @@ index f4602a9..61d455c 100644
codeset = 'utf-8')
except IOError:
import __builtin__
+diff --git a/policycoreutils/semanage/semanage.8 b/policycoreutils/semanage/semanage.8
+index 63b11dd..28a9022 100644
+--- a/policycoreutils/semanage/semanage.8
++++ b/policycoreutils/semanage/semanage.8
+@@ -154,7 +154,7 @@ MLS/MCS Security Range (MLS/MCS Systems only)
+ SELinux Range for SELinux login mapping defaults to the SELinux user record range.
+ SELinux Range for SELinux user defaults to s0.
+ .TP
+-.I \-R, \-\-role
++.I \-R, \-\-roles
+ SELinux Roles. You must enclose multiple roles within quotes, separate by spaces. Or specify \-R multiple times.
+ .TP
+ .I \-P, \-\-prefix
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index ad7dc8c..0a1485e 100644
--- a/policycoreutils/semanage/seobject.py
@@ -336069,10 +336082,10 @@ index 0000000..dc3ce6a
+
diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
new file mode 100644
-index 0000000..d0deafc
+index 0000000..e0a5466
--- /dev/null
+++ b/policycoreutils/sepolicy/info.c
-@@ -0,0 +1,938 @@
+@@ -0,0 +1,949 @@
+/**
+ * @file
+ * Command line tool to search TE rules.
@@ -336925,7 +336938,7 @@ index 0000000..d0deafc
+ return list;
+}
+
-+PyObject* info(int type, const char *name)
++PyObject* info(int type, const char *name, const char *alt_policy_file)
+{
+ PyObject* output = NULL;
+ int rt = -1;
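Review bot: The new `alt_policy_file` parameter of info() is undocumented, and its two properties that callers need are only discoverable by reading the next hunk: NULL means "fall back to qpol_default_policy_find()", and the string is copied with strdup, so the caller keeps ownership of it. A comment above the signature would settle that: `/* alt_policy_file: path of a policy to load instead of the system default, or NULL; the string is copied, the caller retains ownership. */`. The function body continues past the end of the hunk.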
@@ -336934,10 +336947,20 @@ index 0000000..d0deafc
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+
-+ rt = qpol_default_policy_find(&policy_file);
-+ if (rt != 0) {
-+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
-+ return NULL;
++ if (alt_policy_file) {
++ policy_file = strdup(alt_policy_file);
++ if (!policy_file) {
++ apol_vector_destroy(&mod_paths);
++ PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
++ return NULL;
++ }
++ }
++ else {
++ rt = qpol_default_policy_find(&policy_file);
++ if (rt != 0) {
++ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
++ return NULL;
++ }
+ }
+
+ pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
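Review bot: The strdup failure path at the top of the hunk calls `apol_vector_destroy(&mod_paths)` on a vector that is still NULL (it is initialised to NULL in the hunk's context lines), so the call is a no-op, and it reports out-of-memory as a RuntimeError built from a hard-coded errno. The CPython idiom is `PyErr_NoMemory(); return NULL;`, which raises MemoryError and needs neither strerror nor the vector call. Note also that `rt` keeps its initial -1 on the alternate-policy branch; if the rest of info() (outside this hunk) tests rt, that would need a look. info() starts in the previous hunk and continues past this one.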
@@ -336987,11 +337010,12 @@ index 0000000..d0deafc
+PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
+ unsigned int type;
+ char *name;
++ char *policy_file;
+
-+ if (!PyArg_ParseTuple(args, "iz", &type, &name))
++ if (!PyArg_ParseTuple(args, "izz", &type, &name, &policy_file))
+ return NULL;
+
-+ return Py_BuildValue("N",info(type, name));
++ return Py_BuildValue("N",info(type, name, policy_file));
+
+}
+
@@ -337013,10 +337037,10 @@ index 0000000..d0deafc
+}
diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
new file mode 100644
-index 0000000..fb4bfd6
+index 0000000..80421fc
--- /dev/null
+++ b/policycoreutils/sepolicy/search.c
-@@ -0,0 +1,1015 @@
+@@ -0,0 +1,1022 @@
+// Author: Thomas Liu <tliu at redhat.com>
+
+/**
@@ -337804,16 +337828,17 @@ index 0000000..fb4bfd6
+}
+
+PyObject* search(bool allow,
-+ bool neverallow,
-+ bool auditallow,
-+ bool dontaudit,
-+ bool transition,
-+ bool role_allow,
-+ const char *src_name,
-+ const char *tgt_name,
-+ const char *class_name,
-+ const char *permlist
-+ )
++ bool neverallow,
++ bool auditallow,
++ bool dontaudit,
++ bool transition,
++ bool role_allow,
++ const char *src_name,
++ const char *tgt_name,
++ const char *class_name,
++ const char *permlist,
++ const char *alt_policy_file
++ )
+{
+ options_t cmd_opts;
+ int rt = -1;
@@ -337824,6 +337849,9 @@ index 0000000..fb4bfd6
+ apol_vector_t *mod_paths = NULL;
+ apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
+
++ if (alt_policy_file)
++ policy_file = strdup(alt_policy_file);
++
+ memset(&cmd_opts, 0, sizeof(cmd_opts));
+ cmd_opts.indirect = true;
+ cmd_opts.allow = allow;
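Review bot: The strdup of alt_policy_file at the top of the hunk has no failure check, and because the following hunk only calls qpol_default_policy_find() when policy_file is NULL, an allocation failure would silently make search() analyse the system's default policy instead of the one the caller asked for, with no error raised. The same commit handles this case in info.c by failing the call; search() should do the same. It also leaves `rt` at its initial -1 on the alternate-policy path, which matters only if the rest of search() (outside this hunk) tests rt, so that is worth confirming. search() begins in the previous hunk and continues past this one.
```c
    if (alt_policy_file) {
        policy_file = strdup(alt_policy_file);
        if (!policy_file) {
            PyErr_NoMemory();
            return NULL;
        }
    }
    /* … unchanged: cmd_opts setup … */
```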
@@ -337846,10 +337874,12 @@ index 0000000..fb4bfd6
+ if (!(cmd_opts.nallow || cmd_opts.all))
+ pol_opt |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
+
-+ rt = qpol_default_policy_find(&policy_file);
-+ if (rt) {
-+ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
-+ return NULL;
++ if (! policy_file) {
++ rt = qpol_default_policy_find(&policy_file);
++ if (rt) {
++ PyErr_SetString(PyExc_RuntimeError,"No default policy found.");
++ return NULL;
++ }
+ }
+ pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
+
@@ -338019,8 +338049,9 @@ index 0000000..fb4bfd6
+ const char *tgt_name = Dict_ContainsString(dict, "target");
+ const char *class_name = Dict_ContainsString(dict, "class");
+ const char *permlist = Dict_ContainsString(dict, "permlist");
++ const char *policy_path = Dict_ContainsString(dict, "policy");
+
-+ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
++ return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist, policy_path));
+}
+
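Review bot: The new "policy" key is read with Dict_ContainsString, but the Python side of this commit stores `policy_file` under that key even when it is None, so the helper must map a None value to NULL for search() to fall back to the default policy; Dict_ContainsString is not visible in this hunk, so that is worth confirming rather than assuming. If it does not, search() would strdup whatever string it produces for None and the policy load would fail. A comment on the added line would help the next reader: `/* NULL when no alternate policy was selected on the Python side */`. wrap_search() begins before this hunk.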
+static PyMethodDef methods[] = {
@@ -338034,10 +338065,10 @@ index 0000000..fb4bfd6
+}
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
new file mode 100644
-index 0000000..0de9f32
+index 0000000..86b5af1
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
-@@ -0,0 +1,134 @@
+@@ -0,0 +1,135 @@
+# This file is part of systemd.
+#
+# Copyright 2011 Dan Walsh
@@ -338101,6 +338132,7 @@ index 0000000..0de9f32
+ [GENERATE]='generate'
+ )
+
++ COMMONOPTS='-P --policy -h --help'
+ local -A OPTS=(
+ [manpage]='-h --help -p --path -a -all -d --domain -w --web'
+ [network]='-h --help -d --domain -l --list -p --port -t --type '
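Review bot: `COMMONOPTS` on the added line is a plain assignment while the neighbouring `VERBS` and `OPTS` are declared `local -A`, so it becomes a global variable in the interactive shell the first time the completion function runs. Declare it `local COMMONOPTS='-P --policy -h --help'` to keep it scoped like the arrays around it. The enclosing function starts and ends outside the hunk.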
@@ -338118,7 +338150,7 @@ index 0000000..0de9f32
+ done
+
+ if [[ -z $verb ]]; then
-+ comps="${VERBS[*]}"
++ comps="${VERBS[*]} ${COMMONOPTS}"
+ elif [ "$verb" = "manpage" ]; then
+ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
+ COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
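Review bot: After `-P`/`--policy` the next word is a policy file path, but the no-verb branch on the changed line only offers the verbs and the common options, and nothing in this hunk completes file names for that argument. A `$prev` check before the verb dispatch would cover it: `if [[ $prev == -P || $prev == --policy ]]; then COMPREPLY=( $(compgen -f -- "$cur") ); return 0; fi`. Whether the verb-detection loop that ends at the top of the hunk skips the path argument rather than taking it as the verb is not visible here and worth checking. The enclosing function continues outside the hunk.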
@@ -338439,16 +338471,16 @@ index 0000000..2e26cea
+sepolicy(8), selinux(8)
diff --git a/policycoreutils/sepolicy/sepolicy.8 b/policycoreutils/sepolicy/sepolicy.8
new file mode 100644
-index 0000000..88bb2fc
+index 0000000..2e0163b
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy.8
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,58 @@
+.TH "sepolicy" "8" "20121005" "" ""
+.SH "NAME"
+sepolicy \- SELinux Policy Inspection tool
+
+.SH "SYNOPSIS"
-+.B semanage {manpage,network,communicate,transition,generate} OPTIONS
++.B semanage [-h] [-P policy_path ] {manpage,network,communicate,transition,generate} OPTIONS
+
+.br
+Arguments:
@@ -338488,6 +338520,14 @@ index 0000000..88bb2fc
+sepolicy is a tools set that will query the installed SELinux policy and generate useful reports, man pages, or even new policy modules.
+See the argument specific man pages for options and descriptions.
+
++.SH "OPTIONS"
++.TP
++.I \-P, \-\-policy
++Alternate policy to analyze. (Defaults to currently installed policy /sys/fs/selinux/policy)
++.TP
++.I \-h, \-\-help
++Display help message
++
+.SH "AUTHOR"
+This man page was written by Daniel Walsh <dwalsh at redhat.com>
+
@@ -338495,10 +338535,10 @@ index 0000000..88bb2fc
+selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-network(8), sepolicy-transition(8)
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
new file mode 100755
-index 0000000..a86d93b
+index 0000000..5469729
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy.py
-@@ -0,0 +1,294 @@
+@@ -0,0 +1,299 @@
+#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat
+# AUTHOR: Dan Walsh <dwalsh at redhat.com>
@@ -338746,6 +338786,7 @@ index 0000000..a86d93b
+
+def generate(args):
+ from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS
++ print args.policy
+ cmd = os.path.realpath(args.command)
+ if not args.name:
+ args.name = os.path.basename(cmd).replace("-","_")
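Review bot: `print args.policy` at the top of generate() looks like leftover debugging output: it writes the option value to stdout on every `sepolicy generate` run and nothing in the hunk consumes it. Remove the line; the alternate policy is already recorded for the extension modules by the `sepolicy.policy()` call this commit adds to the entry point, so generate() need not touch args.policy at all. generate() continues past the end of the hunk.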
@@ -338779,6 +338820,8 @@ index 0000000..a86d93b
+if __name__ == '__main__':
+ parser = argparse.ArgumentParser(description='SELinux Policy Inspection Tool')
+ subparsers = parser.add_subparsers(help=_("commands"))
++ parser.add_argument("-P", "--policy", dest="policy",
++ default=None, help=_("Alternate SELinux policy, defaults to /sys/fs/selinux/policy"))
+ gen_manpage_args(subparsers)
+ gen_network_args(subparsers)
+ gen_communicate_args(subparsers)
@@ -338788,6 +338831,8 @@ index 0000000..a86d93b
+
+ try:
+ args = parser.parse_args()
++ if args.policy:
++ sepolicy.policy(args.policy)
+ args.func(args)
+ sys.exit(0)
+ except ValueError,e:
@@ -338795,10 +338840,10 @@ index 0000000..a86d93b
+ sys.exit(1)
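Review bot: The value handed to `sepolicy.policy(args.policy)` is never checked on the Python side, and the `except ValueError` at the end of the hunk is the only handler, so a missing or unreadable alternate policy would presumably surface as an uncaught RuntimeError traceback from the extension rather than a usage error. Validate it before dispatch: `if args.policy and not os.path.isfile(args.policy): parser.error(_("policy file %s does not exist") % args.policy)` (os is already used by generate() in this file). The `__main__` block starts before this hunk.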
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
new file mode 100644
-index 0000000..f8a8af9
+index 0000000..a55162f
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
-@@ -0,0 +1,82 @@
+@@ -0,0 +1,90 @@
+#!/usr/bin/env python
+
+# Author: Thomas Liu <tliu at redhat.com>
@@ -338825,6 +338870,8 @@ index 0000000..f8a8af9
+TRANSITION = 'transition'
+ROLE_ALLOW = 'role_allow'
+
++policy_file = None
++
+def search(types, info = {} ):
+ valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
+ for type in types:
@@ -338836,7 +338883,8 @@ index 0000000..f8a8af9
+ if PERMS in info:
+ perms = info[PERMS]
+ info[PERMS] = ",".join(info[PERMS])
-+
++
++ info["policy"] = policy_file
+ dict_list = _search.search(info)
+ if dict_list and len(perms) != 0:
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
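Review bot: `info["policy"] = policy_file` writes into the dict the caller passed in, and when the caller relied on the `info = {}` default on the signature line at the top of the hunk it writes into a dict shared by every call, so the key (like the pre-existing PERMS rewrite) leaks back to callers. Build the query on a copy instead: `query = dict(info); query["policy"] = policy_file` and pass `query` to `_search.search`. search() continues past the end of the hunk.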
@@ -338849,9 +338897,14 @@ index 0000000..f8a8af9
+ return True
+
+def info(setype, name=None):
-+ dict_list = _info.info(setype, name)
++ global policy_file
++ dict_list = _info.info(setype, name, policy_file)
+ return dict_list
+
++def policy(alt_policy_file):
++ global policy_file
++ policy_file = alt_policy_file
++
+def _gen_boolens_dict():
+ import xml.etree.ElementTree
+ import re
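Review bot: `global policy_file` in info() is unnecessary, since the function only reads the module variable and never assigns it; drop the line so the declaration appears only where it matters, in policy(). policy() is also the new process-wide knob for every later search()/info() call and has no docstring; a one-liner such as `"""Select an alternate policy file for subsequent search()/info() calls; None restores the default policy."""` would document that contract. The None-restores-default part follows from the C hunks in this commit, where a NULL path falls back to qpol_default_policy_find().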
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 7006fe3..a4e4af4 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.13
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Fri Oct 25 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-18
+- Allow sepolicy to specify the policy to generate content from
+
* Thu Oct 25 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-17
- Fix semanage boolean -F to handle boolean subs