[policycoreutils] Fixes to sepolicy transition, allow it to list all transitions from a domain
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Oct 29 13:09:25 UTC 2012
commit 7e7132339832ccf62a1a5a260063b26861eae0ce
Author: rhatdan <dwalsh at redhat.com>
Date: Mon Oct 29 09:09:07 2012 -0400
Fixes to sepolicy transition, allow it to list all transitions from a domain
policycoreutils-rhat.patch | 64 +++++++++++++++++++++++++------------------
policycoreutils.spec | 5 +++-
2 files changed, 41 insertions(+), 28 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 9a96d05..b414792 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -338405,10 +338405,10 @@ index 0000000..4ba92cc
+
diff --git a/policycoreutils/sepolicy/sepolicy-transition.8 b/policycoreutils/sepolicy/sepolicy-transition.8
new file mode 100644
-index 0000000..2e26cea
+index 0000000..897f0c4
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy-transition.8
-@@ -0,0 +1,28 @@
+@@ -0,0 +1,34 @@
+.TH "sepolicy-transition" "8" "20121005" "" ""
+.SH "NAME"
+sepolicy-transition \- Examine the SELinux Policy and generate a process transition report
@@ -338416,11 +338416,16 @@ index 0000000..2e26cea
+.SH "SYNOPSIS"
+
+.br
++.B sepolicy transition [\-h] \-s SOURCE
++
++.br
+.B sepolicy transition [\-h] \-s SOURCE \-t TARGET
+
+.SH "DESCRIPTION"
-+Use sepolicy transition to examine SELinux Policy to if a source SELinux Domain can transition to a target SELinux Domain.
-+If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
++sepolicy transition will show all domains that a give SELinux source domain can transition to, including the entrypoint.
++
++If a target domain is given, sepolicy transition will examine policy for all transition paths from the source domain to the target domain, and will list the
++paths. If a transition is possible, this tool will print out all transition paths from the source domain to the target domain
+
+.SH "OPTIONS"
+.TP
@@ -338429,6 +338434,7 @@ index 0000000..2e26cea
+.TP
+.I \-s, \-\-source
+Specify the source SELinux domain type.
++.TP
+.I \-t, \-\-target
+Specify the target SELinux domain type.
+
@@ -338503,10 +338509,10 @@ index 0000000..2e0163b
+selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-network(8), sepolicy-transition(8)
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
new file mode 100755
-index 0000000..5469729
+index 0000000..9f96fd5
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy.py
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,303 @@
+#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat
+# AUTHOR: Dan Walsh <dwalsh at redhat.com>
@@ -338648,10 +338654,9 @@ index 0000000..5469729
+ newval = getattr(namespace, self.dest)
+ if not newval:
+ newval = []
-+ for v in values:
-+ if v not in domains:
-+ raise ValueError("%s must be an SELinux process domain" % values)
-+ newval.append(v)
++ if values not in domains:
++ raise ValueError("%s must be an SELinux process domain" % values)
++ newval.append(values)
+ setattr(namespace, self.dest, newval)
+
+class CheckPortType(argparse.Action):
@@ -338689,7 +338694,7 @@ index 0000000..5469729
+ action=CheckPortType,nargs="+",
+ help=_("Show ports defined for this SELinux type"))
+ group.add_argument("-d", "--domain", dest="domain", default=None,
-+ action=CheckDomain,nargs="+",
++ action=CheckDomain,
+ help=_("show ports to which this domain can bind and/or connect"))
+ net.set_defaults(func=network)
+
@@ -338738,17 +338743,22 @@ index 0000000..5469729
+
+def transition(args):
+ from sepolicy.transition import setrans
-+ for l in setrans(args.source, args.target):
++ source = args.source[0]
++ if args.target:
++ target = args.target[0]
++ else:
++ target = None
++ for l in setrans(source, target):
+ print " --> ".join(l)
+
+def gen_transition_args(parser):
+ trans = parser.add_parser("transition",
+ help=_('query SELinux Policy to see how a source process domain can transition to the target process domain'))
+ trans.add_argument("-s", "--source", dest="source",
-+ action=CheckDomain, required=True,
++ action=CheckDomain, required=True,
+ help=_("source process domain"))
+ trans.add_argument("-t", "--target", dest="target",
-+ action=CheckDomain, required=True,
++ action=CheckDomain,
+ help=_("target process domain"))
+ trans.set_defaults(func=transition)
+
@@ -344024,7 +344034,7 @@ index 0000000..dccb5f1
+"""
diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py
new file mode 100755
-index 0000000..5f16d70
+index 0000000..72f5f65
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/transition.py
@@ -0,0 +1,71 @@
@@ -344056,6 +344066,11 @@ index 0000000..5f16d70
+_failedlist = []
+__all__ = [ 'setrans', ]
+
++def _entrypoint(src):
++ trans=search([sepolicy.ALLOW],{sepolicy.SOURCE:src})
++ return map(lambda y: y[sepolicy.TARGET], filter(lambda x: "entrypoint" in x[sepolicy.PERMS], trans))
++
++
+def _get_trans(src, dest, slist, tlist = []):
+ foundstr = ""
+ trans=search([sepolicy.ALLOW],{sepolicy.SOURCE:src})
@@ -344074,6 +344089,11 @@ index 0000000..5f16d70
+
+ tlist.append(src)
+
++ if not dest:
++ for t in targets:
++ slist.append((src, _entrypoint(t)[0], t))
++ return True
++
+ if dest in targets:
+ slist.append(tlist + [ dest ])
+ return True
@@ -344085,19 +344105,9 @@ index 0000000..5f16d70
+
+ return True
+
-+def _verify_domain(domain):
-+ try:
-+ d = info(sepolicy.TYPE, domain)[0]
-+ if "domain" not in d["attributes"]:
-+ raise RuntimeError
-+ except RuntimeError:
-+ raise TypeError("Types must be process/domain types")
-+
-+def setrans(source, dest):
++def setrans(source, dest = None):
+ slist=[]
-+ verify_domain(source)
-+ verify_domain(dest)
-+ get_trans(source,dest, slist)
++ _get_trans(source, dest, slist)
+ return slist
diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py
new file mode 100644
diff --git a/policycoreutils.spec b/policycoreutils.spec
index e37db34..46b4605 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.13
-Release: 19%{?dist}
+Release: 20%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Mon Oct 29 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-20
+- Fixes to sepolicy transition, allow it to list all transitions from a domain
+
* Sat Oct 27 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-19
- Change sepolicy python bindings to have python pick policy file, fixes weird memory problems in sepolicy network
More information about the scm-commits
mailing list