[policycoreutils] Fixes to sepolicy transition, allow it to list all transitions from a domain

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 29 13:09:25 UTC 2012


commit 7e7132339832ccf62a1a5a260063b26861eae0ce
Author: rhatdan <dwalsh at redhat.com>
Date:   Mon Oct 29 09:09:07 2012 -0400

    Fixes to sepolicy transition, allow it to list all transitions from a domain

 policycoreutils-rhat.patch |   64 +++++++++++++++++++++++++------------------
 policycoreutils.spec       |    5 +++-
 2 files changed, 41 insertions(+), 28 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 9a96d05..b414792 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -338405,10 +338405,10 @@ index 0000000..4ba92cc
 +
 diff --git a/policycoreutils/sepolicy/sepolicy-transition.8 b/policycoreutils/sepolicy/sepolicy-transition.8
 new file mode 100644
-index 0000000..2e26cea
+index 0000000..897f0c4
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy-transition.8
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,34 @@
 +.TH "sepolicy-transition" "8" "20121005" "" ""
 +.SH "NAME"
 +sepolicy-transition \- Examine the SELinux Policy and generate a process transition report
@@ -338416,11 +338416,16 @@ index 0000000..2e26cea
 +.SH "SYNOPSIS"
 +
 +.br
++.B sepolicy transition [\-h] \-s SOURCE
++
++.br
 +.B sepolicy transition [\-h] \-s SOURCE \-t TARGET
 +
 +.SH "DESCRIPTION"
-+Use sepolicy transition to examine SELinux Policy to if a source SELinux Domain can transition to a target SELinux Domain.
-+If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
++sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
++
++If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the 
++paths.  If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
 +
 +.SH "OPTIONS"
 +.TP
@@ -338429,6 +338434,7 @@ index 0000000..2e26cea
 +.TP
 +.I                \-s, \-\-source
 +Specify the source SELinux domain type.
++.TP
 +.I                \-t, \-\-target
 +Specify the target SELinux domain type.
 +
@@ -338503,10 +338509,10 @@ index 0000000..2e0163b
 +selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8),  sepolicy-network(8), sepolicy-transition(8)
 diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
 new file mode 100755
-index 0000000..5469729
+index 0000000..9f96fd5
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy.py
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,303 @@
 +#! /usr/bin/python -Es
 +# Copyright (C) 2012 Red Hat
 +# AUTHOR: Dan Walsh <dwalsh at redhat.com>
@@ -338648,10 +338654,9 @@ index 0000000..5469729
 +        newval = getattr(namespace, self.dest)
 +        if not newval:
 +            newval = []
-+        for v in values:
-+            if v not in domains:
-+                raise ValueError("%s must be an SELinux process domain" % values)
-+            newval.append(v)
++        if values not in domains:
++            raise ValueError("%s must be an SELinux process domain" % values)
++        newval.append(values)
 +        setattr(namespace, self.dest, newval)
 +
 +class CheckPortType(argparse.Action):
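Review bot: Raising `ValueError` from inside `CheckDomain.__call__` surfaces to the user as a Python traceback rather than an argparse usage error; now that the action receives a single string, `raise argparse.ArgumentError(self, "%s must be an SELinux process domain" % values)` (or `parser.error(...)`) would report it as a normal parse failure with usage text. The rewrite also hard-requires a scalar `values`: any `add_argument` that still pairs `action=CheckDomain` with `nargs` (the hunk at L88-L96 removes one such use) would now test a list for membership in `domains` and reject it, so every remaining use of the action should be checked. `__call__` begins outside this hunk.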
@@ -338689,7 +338694,7 @@ index 0000000..5469729
 +                            action=CheckPortType,nargs="+",
 +                            help=_("Show ports defined for this SELinux type"))
 +        group.add_argument("-d", "--domain", dest="domain", default=None,
-+                            action=CheckDomain,nargs="+",
++                            action=CheckDomain,
 +                            help=_("show ports to which this domain can bind and/or connect"))
 +        net.set_defaults(func=network)
 +
@@ -338738,17 +338743,22 @@ index 0000000..5469729
 +
 +def transition(args):
 +    from sepolicy.transition import setrans
-+    for l in setrans(args.source, args.target):
++    source = args.source[0]
++    if args.target:
++        target = args.target[0]
++    else:
++        target = None
++    for l in setrans(source, target):
 +        print " --> ".join(l)
 +
 +def gen_transition_args(parser):
 +    trans = parser.add_parser("transition",
 +                              help=_('query SELinux Policy to see how a source process domain can transition to the target process domain'))
 +    trans.add_argument("-s", "--source", dest="source",
-+                       action=CheckDomain, required=True,
++                       action=CheckDomain, required=True, 
 +                       help=_("source process domain"))
 +    trans.add_argument("-t", "--target", dest="target",
-+                       action=CheckDomain, required=True,
++                       action=CheckDomain,
 +                       help=_("target process domain"))
 +    trans.set_defaults(func=transition)
 +
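Review bot: `transition()` reads only `args.source[0]` and `args.target[0]`, but `CheckDomain` appends to a list, so a user who passes `-s` or `-t` more than once has the extra values silently ignored; either reject repeats in the action or iterate over all of them. The subparser help still describes the query as being "to the target process domain" although `-t` is now optional; the `-t` help could read `help=_("target process domain (optional; when omitted, list every domain reachable from the source)")`. There is also trailing whitespace after `required=True,` on the `-s` line.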
@@ -344024,7 +344034,7 @@ index 0000000..dccb5f1
 +"""
 diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py
 new file mode 100755
-index 0000000..5f16d70
+index 0000000..72f5f65
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/transition.py
 @@ -0,0 +1,71 @@
@@ -344056,6 +344066,11 @@ index 0000000..5f16d70
 +_failedlist = []
 +__all__ = [ 'setrans', ]
 +
++def _entrypoint(src):
++    trans=search([sepolicy.ALLOW],{sepolicy.SOURCE:src})
++    return map(lambda y: y[sepolicy.TARGET], filter(lambda x: "entrypoint" in x[sepolicy.PERMS], trans))
++    
++
 +def _get_trans(src, dest, slist, tlist = []):
 +    foundstr = ""
 +    trans=search([sepolicy.ALLOW],{sepolicy.SOURCE:src})
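Review bot: `_entrypoint` has no docstring and builds its result through `map`/`filter` with lambdas; a comprehension states the intent directly, `return [t[sepolicy.TARGET] for t in trans if "entrypoint" in t[sepolicy.PERMS]]`, with a one-line docstring such as `"""Return the file types with an entrypoint rule into domain src (may be empty)."""`. The blank line after the return carries trailing whitespace. Note also that `_get_trans`, whose signature is context here, defaults `tlist` to a mutable `[]` and (in the next hunk) does `tlist.append(src)`, so the default list is shared across calls; unless every call site passes `tlist` explicitly, a second `setrans()` call in the same process inherits the first call's path, and `tlist=None` with `if tlist is None: tlist = []` in the body would avoid that.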
@@ -344074,6 +344089,11 @@ index 0000000..5f16d70
 +
 +    tlist.append(src)
 +    
++    if not dest:
++        for t in targets:
++            slist.append((src, _entrypoint(t)[0], t))
++        return True
++
 +    if dest in targets:
 +        slist.append(tlist + [ dest ])
 +        return True
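Review bot: In the new `if not dest:` branch, `_entrypoint(t)[0]` raises `IndexError` for any target that has no entrypoint rule and silently drops every entrypoint after the first for targets that have several, so the report is incomplete exactly where it matters. The rows it appends are also tuples `(src, entrypoint, t)` while the `dest` branch appends lists; `transition()` tolerates both through `join`, but a library caller may not. Iterate over every entrypoint and skip (or flag) targets that have none, as sketched below. `_get_trans` starts and ends outside this hunk, and how `targets` is computed is not visible here.
```python
    if not dest:
        for t in targets:
            entrypoints = _entrypoint(t)
            if not entrypoints:
                # no entrypoint rule: the transition is declared but has no executable to enter through
                continue
            for e in entrypoints:
                slist.append([src, e, t])
        return True
    # … unchanged: dest-in-targets check and recursion …
```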
@@ -344085,19 +344105,9 @@ index 0000000..5f16d70
 +
 +    return True
 +
-+def _verify_domain(domain):
-+    try:
-+        d = info(sepolicy.TYPE, domain)[0]
-+        if "domain" not in d["attributes"]:
-+            raise RuntimeError
-+    except RuntimeError:
-+        raise TypeError("Types must be process/domain types")
-+
-+def setrans(source, dest):
++def setrans(source, dest = None):
 +    slist=[]
-+    verify_domain(source)
-+    verify_domain(dest)
-+    get_trans(source,dest, slist)
++    _get_trans(source, dest, slist)
 +    return slist
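Review bot: Dropping `_verify_domain` leaves `setrans()` with no check that `source` or `dest` are process domains, and because it is the module's exported API (`__all__`) it is reachable by library callers that never pass through `CheckDomain`. The old helper was itself broken (it was called as `verify_domain`/`get_trans` without the underscore, and `info` is not visibly imported), but repairing it would be safer than removing it; at minimum the contract should be documented. A docstring on `setrans` should state that `source` must be a process domain validated by the caller, that `dest=None` lists every domain directly reachable from `source` together with its entrypoint, and that the return value is a list of paths. `_get_trans` also appears to keep state in the module-level `_failedlist` seen earlier in the file, so a second call in the same process may be affected — worth confirming.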
 diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py
 new file mode 100644
diff --git a/policycoreutils.spec b/policycoreutils.spec
index e37db34..46b4605 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Mon Oct 29 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-20
+- Fixes to sepolicy transition, allow it to list all transitions from a domain
+
 * Sat Oct 27 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-19
 - Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network
 

