[policycoreutils] Fix audit2allow output to better align analysys with the allow rules
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Mar 27 18:00:25 UTC 2013
commit e9b167e78d5f7beaeb3c798ac246dadc85611480
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Mar 27 14:00:16 2013 -0400
Fix audit2allow output to better align analysys with the allow rules
- Apply Miroslav Grepl patch to clean up sepolicy generate usage
- Apply Miroslav Grepl patch to fix up handling of admin_user generation
- Update Translations
policycoreutils-rhat.patch | 415 ++++++++++++++++++++++++++++++++++++++--
policycoreutils-sepolgen.patch | 37 +++-
policycoreutils.spec | 8 +-
3 files changed, 437 insertions(+), 23 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 06b2ab6..04837d6 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -983,6 +983,189 @@ index e84995e..a60b20e 100644
#: booleans.py:233
msgid "Allow xguest users to mount removable media"
+diff --git a/policycoreutils/po/gu.po b/policycoreutils/po/gu.po
+index 165b892..074abad 100644
+--- a/policycoreutils/po/gu.po
++++ b/policycoreutils/po/gu.po
+@@ -5,13 +5,14 @@
+ # Translators:
+ # Ankit Patel <ankit at redhat.com>, 2006-2008.
+ # Sweta Kothari <swkothar at redhat.com>, 2008-2010,2012.
++# <swkothar at redhat.com>, 2013.
+ msgid ""
+ msgstr ""
+ "Project-Id-Version: Policycoreutils\n"
+ "Report-Msgid-Bugs-To: \n"
+ "POT-Creation-Date: 2013-01-04 12:01-0500\n"
+-"PO-Revision-Date: 2013-01-04 17:02+0000\n"
+-"Last-Translator: dwalsh <dwalsh at redhat.com>\n"
++"PO-Revision-Date: 2013-03-26 08:31+0000\n"
++"Last-Translator: sweta <swkothar at redhat.com>\n"
+ "Language-Team: Gujarati <trans-gu at lists.fedoraproject.org>\n"
+ "MIME-Version: 1.0\n"
+ "Content-Type: text/plain; charset=UTF-8\n"
+@@ -287,7 +288,7 @@ msgstr "MLS/MCS વિસ્તાર"
+
+ #: ../semanage/seobject.py:672
+ msgid "Service"
+-msgstr ""
++msgstr "સેવા"
+
+ #: ../semanage/seobject.py:698 ../semanage/seobject.py:729
+ #: ../semanage/seobject.py:796 ../semanage/seobject.py:853
+@@ -424,7 +425,7 @@ msgstr "પ્રકાર જરૂરી છે"
+ #: ../semanage/seobject.py:1814
+ #, python-format
+ msgid "Type %s is invalid, must be a port type"
+-msgstr ""
++msgstr "પ્રકાર %s અયોગ્ય છે, પોર્ટ પ્રકાર હોવુ જ જોઇએ"
+
+ #: ../semanage/seobject.py:1000 ../semanage/seobject.py:1062
+ #: ../semanage/seobject.py:1117 ../semanage/seobject.py:1123
+@@ -546,12 +547,12 @@ msgstr "અજ્ઞાત અથવા ગેરહાજર પ્રોટો
+
+ #: ../semanage/seobject.py:1256
+ msgid "SELinux node type is required"
+-msgstr ""
++msgstr "SELinux નોડ પ્રકારની જરૂરિયાત છે"
+
+ #: ../semanage/seobject.py:1259 ../semanage/seobject.py:1327
+ #, python-format
+ msgid "Type %s is invalid, must be a node type"
+-msgstr ""
++msgstr "પ્રકાર %s અયોગ્ય છે, નોડ પ્રકાર હોવુ જ જોઇએ"
+
+ #: ../semanage/seobject.py:1263 ../semanage/seobject.py:1331
+ #: ../semanage/seobject.py:1367 ../semanage/seobject.py:1465
+@@ -785,7 +786,7 @@ msgstr "ફાઇલ સ્પષ્ટીકરણ %s સરખા નિયમ
+ #: ../semanage/seobject.py:1755
+ #, python-format
+ msgid "Type %s is invalid, must be a file or device type"
+-msgstr ""
++msgstr "પ્રકાર %s અયોગ્ય છે, ફાઇલ અથવા ઉપકરણ પ્રકાર હોવુ જ જોઇએ"
+
+ #: ../semanage/seobject.py:1763 ../semanage/seobject.py:1768
+ #: ../semanage/seobject.py:1824 ../semanage/seobject.py:1906
+@@ -2173,7 +2174,7 @@ msgstr "પેચ કે જેમાં ઉત્પન્ન થયેલ SELi
+
+ #: ../sepolicy/sepolicy.py:207
+ msgid "name of the OS for man pages"
+-msgstr ""
++msgstr "મુખ્ય પાનાં માટે OS નું નામ"
+
+ #: ../sepolicy/sepolicy.py:209
+ msgid "Generate HTML man pages structure for selected SELinux man page"
+@@ -2225,7 +2226,7 @@ msgstr "બુલિયનની જાણકારીને જોવા મા
+
+ #: ../sepolicy/sepolicy.py:280
+ msgid "get all booleans descriptions"
+-msgstr ""
++msgstr "બધા બુલિયન વર્ણનોને મેળવો"
+
+ #: ../sepolicy/sepolicy.py:282
+ msgid "boolean to get description"
+@@ -2247,11 +2248,11 @@ msgstr "લક્ષ્ય પ્રક્રિયા ડોમેઇન"
+
+ #: ../sepolicy/sepolicy.py:327
+ msgid "Command required for this type of policy"
+-msgstr ""
++msgstr "પોલિસીનાં આ પ્રકાર માટે આદેશ જરૂરી"
+
+ #: ../sepolicy/sepolicy.py:347
+ msgid "List SELinux Policy interfaces"
+-msgstr ""
++msgstr "SELinux પોલિસી ઇન્ટરફેસની યાદી કરો"
+
+ #: ../sepolicy/sepolicy.py:362
+ msgid "Generate SELinux Policy module template"
+@@ -2289,7 +2290,7 @@ msgstr "પુરાવા માટેના એક્ઝેક્યુટે
+ #: ../sepolicy/sepolicy.py:414 ../sepolicy/sepolicy.py:417
+ #, python-format
+ msgid "Generate Policy for %s"
+-msgstr ""
++msgstr "%s માટે પોલિસી ઉત્પન્ન કરો"
+
+ #: ../sepolicy/sepolicy.py:422
+ msgid "commands"
+@@ -2301,12 +2302,12 @@ msgstr ""
+
+ #: ../sepolicy/sepolicy/__init__.py:48
+ msgid "No SELinux Policy installed"
+-msgstr ""
++msgstr "SELinux પોલિસી સ્થાપિત થયેલ નથી"
+
+ #: ../sepolicy/sepolicy/__init__.py:54
+ #, python-format
+ msgid "Failed to read %s policy file"
+-msgstr ""
++msgstr "%s પોલિસી ફાઇલને વાંચવામાં નિષ્ફળતા"
+
+ #: ../sepolicy/sepolicy/__init__.py:127
+ msgid "unknown"
+@@ -2318,7 +2319,7 @@ msgstr "ઇન્ટરનેટ સેવા ડિમન"
+
+ #: ../sepolicy/sepolicy/generate.py:177
+ msgid "Existing Domain Type"
+-msgstr ""
++msgstr "હાલનો ડોમેઇન પ્રકાર"
+
+ #: ../sepolicy/sepolicy/generate.py:178
+ msgid "Minimal Terminal Login User Role"
+@@ -2330,11 +2331,11 @@ msgstr ""
+
+ #: ../sepolicy/sepolicy/generate.py:180
+ msgid "Desktop Login User Role"
+-msgstr ""
++msgstr "ડેસ્કટોપ લૉગિન વપરાશકર્તા ભૂમિકા"
+
+ #: ../sepolicy/sepolicy/generate.py:181
+ msgid "Administrator Login User Role"
+-msgstr ""
++msgstr "સંચાલક લૉગિન વપરાશકર્તા ભૂમિકા"
+
+ #: ../sepolicy/sepolicy/generate.py:182
+ msgid "Confined Root Administrator Role"
+@@ -2351,7 +2352,7 @@ msgstr "પોર્ટો નંબરો કે 1 થી %d સુધીના
+
+ #: ../sepolicy/sepolicy/generate.py:231
+ msgid "You must enter a valid policy type"
+-msgstr ""
++msgstr "તમારે યોગ્ય પોલિસી પ્રકારને દાખલ કરવુ જ જોઇએ"
+
+ #: ../sepolicy/sepolicy/generate.py:234
+ #, python-format
+@@ -2415,7 +2416,7 @@ msgstr "ફાઈલ સંદર્ભો ફાઈલ"
+
+ #: ../sepolicy/sepolicy/generate.py:1324
+ msgid "Spec file"
+-msgstr ""
++msgstr "Spec ફાઇલ"
+
+ #: ../sepolicy/sepolicy/generate.py:1325
+ msgid "Setup Script"
+@@ -2455,7 +2456,7 @@ msgstr "radius સર્વરની મદદથી પ્રવેશવા
+
+ #: booleans.py:8
+ msgid "Allow users to login using a yubikey server"
+-msgstr ""
++msgstr "yubikey સર્વરની મદદથી પ્રવેશવા વપરાશકર્તાઓને પરવાનગી આપો"
+
+ #: booleans.py:9
+ msgid "Allow awstats to purge Apache logs"
+@@ -2527,11 +2528,11 @@ msgstr "ટર્મિનલોને વાંચવા/લખવાની ક
+
+ #: booleans.py:25
+ msgid "Allow dan to manage user files"
+-msgstr ""
++msgstr "વપરાશકર્તા ફાઇલોને સંચાલિત કરવા માટે dan ને પરવાનગી આપો"
+
+ #: booleans.py:26
+ msgid "Allow dan to read user files"
+-msgstr ""
++msgstr "વપરાશકર્તા ફાઇલોને વાંચવા માટે dan ને પરવાનગી આપો"
+
+ #: booleans.py:27
+ msgid "Allow dbadm to manage files in users home directories"
diff --git a/policycoreutils/po/ja.po b/policycoreutils/po/ja.po
index 72ae12d..649d288 100644
--- a/policycoreutils/po/ja.po
@@ -2302,7 +2485,7 @@ index 0000000..3ecf3eb
@@ -0,0 +1 @@
+.so man8/sepolicy-generate.8
diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
-index 82fea52..29f9428 100644
+index 82fea52..c969e0d 100644
--- a/policycoreutils/sepolicy/sepolicy-bash-completion.sh
+++ b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
@@ -81,7 +81,7 @@ _sepolicy () {
@@ -2314,7 +2497,26 @@ index 82fea52..29f9428 100644
[network]='-h --help -d --domain -l --list -p --port -t --type '
[transition]='-h --help -s --source -t --target'
)
-@@ -156,6 +156,10 @@ _sepolicy () {
+@@ -130,9 +130,6 @@ _sepolicy () {
+ COMPREPLY=( $( compgen -d -- "$cur") )
+ compopt -o filenames
+ return 0
+- elif [ "$prev" = "--type" -o "$prev" = "-t" ]; then
+- COMPREPLY=( $(compgen -W '0 1 2 3 4 5 6 7 8 9 10 11' -- "$cur") )
+- return 0
+ elif [ "$prev" = "--domain" -o "$prev" = "-d" ]; then
+ COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") )
+ return 0
+@@ -140,7 +137,7 @@ _sepolicy () {
+ COMPREPLY=( $(compgen -W "$( __get_all_admin_interaces ) " -- "$cur") )
+ return 0
+ elif [ "$prev" = "--user" -o "$prev" = "-u" ]; then
+- COMPREPLY=( $(compgen -W "$( __get_all_users ) " -- "$cur") )
++ COMPREPLY=( $(compgen -W "$( __get_all_users )" -- "$cur") )
+ return 0
+ elif [[ "$cur" == "$verb" || "$cur" == "" || "$cur" == -* ]]; then
+ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
+@@ -156,6 +153,10 @@ _sepolicy () {
if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
COMPREPLY=( $(compgen -W "$( __get_all_domains ) " -- "$cur") )
return 0
@@ -2325,6 +2527,20 @@ index 82fea52..29f9428 100644
elif [ "$prev" = "-o" -o "$prev" = "--os" ]; then
return 0
elif test "$prev" = "-p" || test "$prev" = "--path" ; then
+@@ -167,11 +168,11 @@ _sepolicy () {
+ return 0
+ elif [ "$verb" = "network" ]; then
+ if [ "$prev" = "-t" -o "$prev" = "--type" ]; then
+- COMPREPLY=( $(compgen -W "$( __get_all_port_types ) " -- "$cur") )
++ COMPREPLY=( $(compgen -W "$( __get_all_port_types )" -- "$cur") )
+ return 0
+ fi
+ if [ "$prev" = "-d" -o "$prev" = "--domain" ]; then
+- COMPREPLY=( $(compgen -W "$( __get_all_domain_types ) " -- "$cur") )
++ COMPREPLY=( $(compgen -W "$( __get_all_domain_types )" -- "$cur") )
+ return 0
+ fi
+ COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index fb84af6..c2fa601 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8
@@ -2382,7 +2598,7 @@ index b6abdf5..c05c943 100644
Generate an additional HTML man pages for the specified domain(s).
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
-index b25d3b2..1146bb3 100755
+index b25d3b2..c353021 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -22,6 +22,8 @@
@@ -2452,7 +2668,7 @@ index b25d3b2..1146bb3 100755
newval = getattr(namespace, self.dest)
if not newval:
newval = []
-@@ -140,19 +162,18 @@ class CheckPolicyType(argparse.Action):
+@@ -140,19 +162,30 @@ class CheckPolicyType(argparse.Action):
class CheckUser(argparse.Action):
def __call__(self, parser, namespace, value, option_string=None):
@@ -2467,6 +2683,18 @@ index b25d3b2..1146bb3 100755
newval.append(value)
setattr(namespace, self.dest, newval)
++def generate_custom_usage(usage_text,usage_dict):
++ sorted_keys = []
++ for i in usage_dict.keys():
++ sorted_keys.append(i)
++ sorted_keys.sort()
++ for k in sorted_keys:
++ usage_text += "%s %s |" % (k,(" ".join(usage_dict[k])))
++ usage_text = usage_text[:-1] + "]"
++ usage_text = _(usage_text)
++
++ return usage_text
++
def _print_net(src, protocol, perm):
- from sepolicy.network import get_network_connect
- portdict = get_network_connect(src, protocol, perm)
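Review bot: `generate_custom_usage` collects the keys with a manual loop and then chops the last character with `usage_text[:-1]`, which removes the trailing `|` only when `usage_dict` is non-empty and otherwise eats the `[` the caller appended; `alternatives = ["%s %s " % (k, " ".join(usage_dict[k])) for k in sorted(usage_dict)]` followed by `return usage_text + "|".join(alternatives) + "]"` produces the same text and has no empty-dict edge case. The final `_(usage_text)` hands a string assembled at runtime to gettext, which can never match a catalog entry, so it only hides that the usage line is not translatable; drop it, or translate the fixed prefix at the call site. A one-line docstring such as `"""Append "OPTION ARGS |..." alternatives from usage_dict in sorted key order and close the bracket."""` would also help, since the leading space in each key is what separates the alternatives.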
@@ -2475,7 +2703,7 @@ index b25d3b2..1146bb3 100755
if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm)
for p in portdict:
-@@ -160,7 +181,7 @@ def _print_net(src, protocol, perm):
+@@ -160,7 +193,7 @@ def _print_net(src, protocol, perm):
print "\t" + recs
def network(args):
@@ -2484,7 +2712,7 @@ index b25d3b2..1146bb3 100755
if args.list_ports:
all_ports = []
for i in portrecs:
-@@ -201,41 +222,41 @@ def manpage(args):
+@@ -201,41 +234,41 @@ def manpage(args):
from sepolicy.manpage import ManPage, HTMLManPages, manpage_domains, manpage_roles, gen_domains
path = args.path
@@ -2549,7 +2777,7 @@ index b25d3b2..1146bb3 100755
def gen_network_args(parser):
net = parser.add_parser("network",
-@@ -283,7 +304,6 @@ def gen_communicate_args(parser):
+@@ -283,7 +316,6 @@ def gen_communicate_args(parser):
comm.set_defaults(func=communicate)
def booleans(args):
@@ -2557,7 +2785,7 @@ index b25d3b2..1146bb3 100755
from sepolicy import boolean_desc
if args.all:
rc, args.booleans = selinux.security_get_boolean_names()
-@@ -300,6 +320,7 @@ def gen_booleans_args(parser):
+@@ -300,6 +332,7 @@ def gen_booleans_args(parser):
action="store_true",
help=_("get all booleans descriptions"))
group.add_argument("-b", "--boolean", dest="booleans", nargs="+",
@@ -2565,7 +2793,7 @@ index b25d3b2..1146bb3 100755
help=_("boolean to get description"))
bools.set_defaults(func=booleans)
-@@ -320,7 +341,7 @@ def gen_transition_args(parser):
+@@ -320,7 +353,7 @@ def gen_transition_args(parser):
trans.set_defaults(func=transition)
def interface(args):
@@ -2574,7 +2802,7 @@ index b25d3b2..1146bb3 100755
if args.list_admin:
for a in get_admin():
print a
-@@ -328,13 +349,13 @@ def interface(args):
+@@ -328,13 +361,16 @@ def interface(args):
for a in get_user():
print a
if args.list:
@@ -2583,14 +2811,37 @@ index b25d3b2..1146bb3 100755
print m
def generate(args):
- from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
+- from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
++ from sepolicy.generate import policy, AUSER, RUSER, EUSER, USERS, SANDBOX, APPLICATIONS, NEWTYPE
cmd = None
- if args.policytype not in USERS + [ SANDBOX, NEWTYPE]:
++# numbers present POLTYPE defined in sepolicy.generate
++ conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER,)}
++
+ if args.policytype in APPLICATIONS:
if not args.command:
raise ValueError(_("Command required for this type of policy"))
cmd = os.path.realpath(args.command)
-@@ -368,10 +389,10 @@ def gen_interface_args(parser):
+@@ -346,8 +382,18 @@ def generate(args):
+ mypolicy.set_program(cmd)
+
+ if args.types:
++ if args.policytype not in conflict_args['TYPES']:
++ raise ValueError(_("-t option can not be used with this option. Read usage for more details."))
+ mypolicy.set_types(args.types)
+
++ if args.domain:
++ if args.policytype not in conflict_args['DOMAIN']:
++ raise ValueError(_("-d option can not be used with this option. Read usage for more details."))
++
++ if args.admin_domain:
++ if args.policytype not in conflict_args['ADMIN_DOMAIN']:
++ raise ValueError(_("-a option can not be used with this option. Read usage for more details."))
++
+ for p in args.writepaths:
+ if os.path.isdir(p):
+ mypolicy.add_dir(p)
+@@ -368,10 +414,10 @@ def gen_interface_args(parser):
help=_('List SELinux Policy interfaces'))
group = itf.add_mutually_exclusive_group(required=True)
group.add_argument("-a", "--list_admin", dest="list_admin",action="store_true", default=False,
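Review bot: `conflict_args = {'TYPES':(NEWTYPE,), 'DOMAIN':(EUSER,), 'ADMIN_DOMAIN':(AUSER, RUSER,)}` maps each option to the policy types it is permitted with (the checks below use `not in`), so the name says the opposite of what the dict holds, and the comment above it, which also appears to sit at column 0 inside the function, does not explain it; `allowed_policytypes = {...}` with `# POLTYPE values (sepolicy.generate) each option may be combined with` would read correctly. The three ValueError messages send the user to the usage text for "this option"; naming the accepting switch is more direct, e.g. `raise ValueError(_("-t can only be used with --newtype"))`, and likewise `--customize` for `-d` and `--admin_user`/`--confined_admin` for `-a`. The new `-d` and `-a` checks run after `mypolicy.set_program(cmd)` has already been called, so validating all three before the policy object is built would fail faster, though the middle of `generate()` is outside the hunk. Whether `args.admin_domain` is a dest the parser defines is not visible here.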
@@ -2603,7 +2854,105 @@ index b25d3b2..1146bb3 100755
group.add_argument("-l", "--list", dest="list",action="store_true",
default=False,
help="List all interfaces")
-@@ -461,7 +482,10 @@ if __name__ == '__main__':
+@@ -379,7 +425,12 @@ def gen_interface_args(parser):
+
+ def gen_generate_args(parser):
+ from sepolicy.generate import DAEMON, get_poltype_desc, poltype, DAEMON, DBUS, INETD, CGI, SANDBOX, USER, EUSER, TUSER, XUSER, LUSER, AUSER, RUSER, NEWTYPE
+- pol = parser.add_parser("generate",
++
++ generate_usage = "sepolicy generate [-h] [-n NAME] [-p PATH] [-w [WRITEPATHS [WRITEPATHS ...]]] ["
++ generate_usage_dict = {' --newtype':('-t [TYPES [TYPES ...]]',),' --customize':('-d DOMAIN',), ' --admin_user':('-a ADMIN_DOMAIN',), ' --application':('COMMAND',), ' --cgi':('COMMAND',), ' --confined_admin':('-a ADMIN_DOMAIN',), ' --dbus':('COMMAND',), ' --desktop_user':('',),' --inetd':('COMMAND',),' --init':('COMMAND',), ' --sandbox':('',), ' --term_user':('',), ' --x_user':('',)}
++ generate_usage = generate_custom_usage(generate_usage, generate_usage_dict)
++
++ pol = parser.add_parser("generate", usage = generate_usage,
+ help=_('Generate SELinux Policy module template'))
+ pol.add_argument("-d", "--domain", dest="domain", default=[],
+ action=CheckDomain, nargs="*",
+@@ -397,53 +448,57 @@ def gen_generate_args(parser):
+ help=argparse.SUPPRESS)
+ pol.add_argument("-t", "--type", dest="types", default=[], nargs="*",
+ action=CheckType,
+- help=argparse.SUPPRESS)
++ help="Enter type(s) for which you will generate new definition and rule(s)")
+ pol.add_argument("-p", "--path", dest="path", default=os.getcwd(),
+ help=_("path in which the generated policy files will be stored"))
+ pol.add_argument("-w", "--writepath", dest="writepaths", nargs="*", default = [],
+ help=_("path to which the confined processes will need to write"))
+- pol.add_argument("command",nargs="?", default=None,
+- help=_("executable to confine"))
+- group = pol.add_mutually_exclusive_group(required=False)
+- group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
++ cmdtype = pol.add_argument_group(_("Policy types which require a command"))
++ cmdgroup = cmdtype.add_mutually_exclusive_group(required=True)
++ cmdgroup.add_argument("--application", dest="policytype", const=USER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[NEWTYPE])
+- group.add_argument("--admin_user", dest="policytype", const=AUSER,
++ help=_("Generate '%s' policy") % poltype[USER])
++ cmdgroup.add_argument("--cgi", dest="policytype", const=CGI,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[AUSER])
+- group.add_argument("--application", dest="policytype", const=USER,
++ help=_("Generate '%s' policy") % poltype[CGI])
++ cmdgroup.add_argument("--dbus", dest="policytype", const=DBUS,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[USER])
+- group.add_argument("--cgi", dest="policytype", const=CGI,
++ help=_("Generate '%s' policy") % poltype[DBUS])
++ cmdgroup.add_argument("--inetd", dest="policytype", const=INETD,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[CGI])
++ help=_("Generate '%s' policy") % poltype[INETD])
++ cmdgroup.add_argument("--init", dest="policytype", const=DAEMON,
++ action="store_const", default=DAEMON,
++ help=_("Generate '%s' policy") % poltype[DAEMON])
++
++ type = pol.add_argument_group("Policy types which do not require a command")
++ group = type.add_mutually_exclusive_group(required=True)
++ group.add_argument("--admin_user", dest="policytype", const=AUSER,
++ action="store_const",
++ help=_("Generate '%s' policy") % poltype[AUSER])
+ group.add_argument("--confined_admin", dest="policytype", const=RUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[RUSER])
++ help=_("Generate '%s' policy") % poltype[RUSER])
+ group.add_argument("--customize", dest="policytype", const=EUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[EUSER])
+- group.add_argument("--dbus", dest="policytype", const=DBUS,
+- action="store_const",
+- help=_("Generate Policy for %s") % poltype[DBUS])
++ help=_("Generate '%s' policy") % poltype[EUSER])
+ group.add_argument("--desktop_user", dest="policytype", const=LUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[LUSER])
+- group.add_argument("--inetd", dest="policytype", const=INETD,
++ help=_("Generate '%s' policy ") % poltype[LUSER])
++ group.add_argument("--newtype", dest="policytype", const=NEWTYPE,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[INETD])
+- group.add_argument("--init", dest="policytype", const=DAEMON,
+- action="store_const", default=DAEMON,
+- help=_("Generate Policy for %s") % poltype[DAEMON])
++ help=_("Generate '%s' policy") % poltype[NEWTYPE])
+ group.add_argument("--sandbox", dest="policytype", const=SANDBOX,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[SANDBOX])
++ help=_("Generate '%s' policy") % poltype[SANDBOX])
+ group.add_argument("--term_user", dest="policytype", const=TUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[TUSER])
++ help=_("Generate '%s' policy") % poltype[TUSER])
+ group.add_argument("--x_user", dest="policytype", const=XUSER,
+ action="store_const",
+- help=_("Generate Policy for %s") % poltype[XUSER])
++ help=_("Generate '%s' policy") % poltype[XUSER])
++ pol.add_argument("command",nargs="?", default=None,
++ help=_("executable to confine"))
+ pol.set_defaults(func=generate)
+
+ if __name__ == '__main__':
+@@ -461,7 +516,10 @@ if __name__ == '__main__':
gen_transition_args(subparsers)
try:
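Review bot: `cmdgroup = cmdtype.add_mutually_exclusive_group(required=True)` and `group = type.add_mutually_exclusive_group(required=True)` create two required groups that both store into `dest="policytype"`; argparse checks each required mutually-exclusive group on its own, so a plain `sepolicy generate --init COMMAND` should be rejected with "one of the arguments --admin_user ... is required" for the second group, worth verifying on a real invocation. Using `required=False` on both groups and rejecting a missing or doubly-specified policy type in `generate()` is the usual way out, since the two groups are not exclusive with each other and the last switch given silently wins. `type = pol.add_argument_group(...)` shadows the builtin; `nocmdtype` would mirror `cmdtype`. The `-t` help text and the second group title are the only user-facing strings in this function not wrapped in `_()`, unlike their siblings.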
@@ -2823,7 +3172,7 @@ index 5e7415c..5267ed9 100644
booleans_dict = None
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
-index 26f8390..95b3ac0 100644
+index 26f8390..c83883f 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError:
@@ -2865,7 +3214,30 @@ index 26f8390..95b3ac0 100644
line = "%s(%s_t)\n" % (method, self.name)
else:
line = """
-@@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -765,7 +751,7 @@ allow %s_t %s_t:%s_socket name_%s;
+
+ return newte
+
+- if self.type == RUSER:
++ if self.type == RUSER or self.type == AUSER:
+ newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
+
+ for app in self.admin_domains:
+@@ -875,6 +861,13 @@ allow %s_t %s_t:%s_socket name_%s;
+ if t.endswith(i):
+ newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
+ break
++
++ if NEWTYPE and newte == "":
++ default_ext = []
++ for i in self.DEFAULT_EXT:
++ default_ext.append(i)
++ raise ValueError(_("You need to define a new type which ends with: \n %s") % "\n ".join(default_ext))
++
+ return newte
+
+ def generate_new_rules(self):
+@@ -1030,14 +1023,15 @@ allow %s_t %s_t:%s_socket name_%s;
if len(self.DEFAULT_DIRS[d][1]) > 0:
# CGI scripts already have a rw_t
if self.type != CGI or d != "rw":
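Review bot: `if NEWTYPE and newte == "":` in the added block tests the truthiness of the module constant `NEWTYPE` rather than the policy being generated, so unless NEWTYPE happens to be 0 the guard reduces to `newte == ""` and raises for any policy type for which this method is reached with an empty result; the intended check appears to be `if self.type == NEWTYPE and newte == "":`. The `default_ext` list is built with an append loop that `list(self.DEFAULT_EXT)` replaces, and the message can then simply be `_("You need to define a new type which ends with: \n %s") % "\n ".join(self.DEFAULT_EXT)`. The `RUSER`/`AUSER` comparison here and the identical one in the later script-generation hunk (`if self.type == RUSER or self.type == AUSER:`) read more naturally as `if self.type in (RUSER, AUSER):`. The method this block belongs to starts outside the hunk.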
@@ -2883,7 +3255,7 @@ index 26f8390..95b3ac0 100644
newte += self.generate_capabilities()
newte += self.generate_process()
newte += self.generate_network_types()
-@@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1048,11 +1042,20 @@ allow %s_t %s_t:%s_socket name_%s;
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
@@ -2909,7 +3281,7 @@ index 26f8390..95b3ac0 100644
newte += self.generate_tmp_rules()
newte += self.generate_network_rules()
-@@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1079,7 +1082,7 @@ allow %s_t %s_t:%s_socket name_%s;
fclist = []
if self.type in USERS + [ SANDBOX ]:
return executable.fc_user
@@ -2918,6 +3290,15 @@ index 26f8390..95b3ac0 100644
raise ValueError(_("You must enter the executable path for your confined process"))
if self.program:
+@@ -1123,7 +1126,7 @@ allow %s_t %s_t:%s_socket name_%s;
+ tmp = re.sub("TEMPLATETYPE", self.name, script.users)
+ newsh += re.sub("ROLES", roles, tmp)
+
+- if self.type == RUSER:
++ if self.type == RUSER or self.type == AUSER:
+ for u in self.transition_users:
+ tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
+ newsh += re.sub("USER", u, tmp)
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
index 8b063ca..c9036c3 100644
--- a/policycoreutils/sepolicy/sepolicy/interface.py
diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch
index 644a5b5..263cdf4 100644
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@@ -21,24 +21,51 @@ index d636091..56919be 100644
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
-index cc9f8ea..24062a1 100644
+index cc9f8ea..ce643e5 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
-@@ -172,10 +172,10 @@ class PolicyGenerator:
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+@@ -161,21 +161,21 @@ class PolicyGenerator:
+ if self.explain:
+ rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
+ if av.type == audit2why.ALLOW:
+- rule.comment += "#!!!! This avc is allowed in the current policy\n"
++ rule.comment += "\n#!!!! This avc is allowed in the current policy"
+ if av.type == audit2why.DONTAUDIT:
+- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
++ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
+
+ if av.type == audit2why.BOOLEAN:
+ if len(av.data) > 1:
+- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
++ rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data))
+ else:
+- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
++ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
if av.type == audit2why.CONSTRAINT:
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
- rule.comment += "#Constraint rule: "
- for reason in av.data:
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
-+ rule.comment += "#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
++ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
+ for reason in av.data[1:]:
-+ rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
++ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
try:
if ( av.type == audit2why.TERULE and
+@@ -189,9 +189,9 @@ class PolicyGenerator:
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ except:
+ pass
+ self.module.children.append(rule)
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index 7b76261..a05d9d1 100644
--- a/sepolgen/src/sepolgen/refparser.py
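Review bot: The newline placement is inconsistent after this change: the ALLOW, DONTAUDIT and BOOLEAN comments now start with `\n` and drop their trailing newline, while the CONSTRAINT line (`"\n#!!!! This avc is a constraint violation...\n"`) and the two "can write to" lines further down gain the leading `\n` but keep the trailing one, so those cases emit an extra blank line the others do not. The per-reason line lost its `\n\b` entirely, so successive reasons and the preceding `av.data[0]` now run together on one line; `rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason` keeps the new leading-newline convention. Stripping the trailing `\n` from the three strings above would then make every branch agree. In the same lines, the `"#Constraint rule: \n\t" + av.data[0]` continuation is not `#`-prefixed, so the constraint text seems to land in the output uncommented; `"#Constraint rule: \n#\t" + av.data[0]` would keep it a comment, worth confirming against how `refpolicy.Comment` renders it. The `PolicyGenerator` method these lines belong to starts and ends outside the hunk.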
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 7cf9e88..1b8fdb8 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
-Release: 27%{?dist}
+Release: 28%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -309,6 +309,12 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Wed Mar 27 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-28
+- Fix audit2allow output to better align analysys with the allow rules
+- Apply Miroslav Grepl patch to clean up sepolicy generate usage
+- Apply Miroslav Grepl patch to fixupt handing of admin_user generation
+- Update Tranlslations
+
* Wed Mar 27 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-27
- Allow semanage fcontext -a -t "<<none>>" ... to work