rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.458, 1.459 policycoreutils-sepolgen.patch, 1.29, 1.30 policycoreutils.spec, 1.662, 1.663

Daniel J Walsh dwalsh at fedoraproject.org
Wed Dec 9 21:33:52 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5144

Modified Files:
	policycoreutils-rhat.patch policycoreutils-sepolgen.patch 
	policycoreutils.spec 
Log Message:
* Tue Dec 8 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-3
- Fix audit2allow to report constraints, dontaudits, types, booleans


policycoreutils-rhat.patch:
 Makefile                                    |    2 
 audit2allow/audit2allow                     |   59 +--
 restorecond/Makefile                        |   24 +
 restorecond/org.selinux.Restorecond.service |    3 
 restorecond/restorecond.8                   |   15 
 restorecond/restorecond.c                   |  428 +++++-----------------------
 restorecond/restorecond.conf                |    5 
 restorecond/restorecond.desktop             |    7 
 restorecond/restorecond.h                   |   18 +
 restorecond/restorecond.init                |    5 
 restorecond/restorecond_user.conf           |    2 
 restorecond/user.c                          |  237 +++++++++++++++
 restorecond/watch.c                         |  254 ++++++++++++++++
 sandbox/Makefile                            |   31 ++
 sandbox/deliverables/README                 |   32 ++
 sandbox/deliverables/basicwrapper           |    4 
 sandbox/deliverables/run-in-sandbox.py      |   49 +++
 sandbox/deliverables/sandbox                |  216 ++++++++++++++
 sandbox/sandbox                             |  253 ++++++++++++++++
 sandbox/sandbox.8                           |   26 +
 sandbox/sandboxX.sh                         |   16 +
 sandbox/seunshare.c                         |  265 +++++++++++++++++
 semanage/semanage                           |  122 ++++++-
 semanage/seobject.py                        |  397 ++++++++++++++++++++-----
 semodule/semodule.8                         |    6 
 semodule/semodule.c                         |   53 +++
 setfiles/restore.c                          |    7 
 setfiles/restore.h                          |    1 
 setfiles/restore.o                          |binary
 setfiles/restorecon.8                       |    7 
 setfiles/setfiles.8                         |    3 
 setfiles/setfiles.c                         |    9 
 32 files changed, 2042 insertions(+), 514 deletions(-)

Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.458
retrieving revision 1.459
diff -u -p -r1.458 -r1.459
--- policycoreutils-rhat.patch	1 Dec 2009 21:17:45 -0000	1.458
+++ policycoreutils-rhat.patch	9 Dec 2009 21:33:50 -0000	1.459
@@ -1,7 +1,15 @@
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.77/audit2allow/audit2allow
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.78/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow	2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.77/audit2allow/audit2allow	2009-11-24 10:27:27.000000000 -0500
-@@ -42,6 +42,8 @@
++++ policycoreutils-2.0.78/audit2allow/audit2allow	2009-12-08 17:05:49.000000000 -0500
+@@ -28,6 +28,7 @@
+ import sepolgen.defaults as defaults
+ import sepolgen.module as module
+ from sepolgen.sepolgeni18n import _
++import selinux.audit2why as audit2why
+ 
+ class AuditToPolicy:
+     VERSION = "%prog .1"
+@@ -42,6 +43,8 @@
          from optparse import OptionParser
  
          parser = OptionParser(version=self.VERSION)
@@ -10,7 +18,7 @@ diff --exclude-from=exclude --exclude=se
          parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
                            help="read input from audit log - conflicts with -i")
          parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
-@@ -80,11 +82,11 @@
+@@ -80,11 +83,11 @@
          options, args = parser.parse_args()
  
          # Make -d, -a, and -i conflict
@@ -25,7 +33,7 @@ diff --exclude-from=exclude --exclude=se
          if options.input is not None and options.dmesg is True:
              sys.stderr.write("error: --input conflicts with --dmesg\n")
  
-@@ -129,6 +131,12 @@
+@@ -129,6 +132,12 @@
              except OSError, e:
                  sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
                  sys.exit(1)
@@ -38,18 +46,101 @@ diff --exclude-from=exclude --exclude=se
          else:
              # This is the default if no input is specified
              f = sys.stdin
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.77/Makefile
+@@ -220,63 +229,44 @@
+ 
+     def __output_audit2why(self):
+             import selinux
+-            import selinux.audit2why as audit2why
+             import seobject
+-            audit2why.init()
+             for i in self.__parser.avc_msgs:
+-                rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
+-                if rc >= 0:
++                if i.type >= 0:
+                     print "%s\n\tWas caused by:" % i.message
+-                if rc == audit2why.NOPOLICY:
+-                    raise RuntimeError("Must call policy_init first")
+-                if rc == audit2why.BADTCON:
+-                    print "Invalid Target Context %s\n" % i.tcontext
+-                    continue
+-                if rc == audit2why.BADSCON:
+-                    print "Invalid Source Context %s\n" % i.scontext
+-                    continue
+-                if rc == audit2why.BADSCON:
+-                    print "Invalid Type Class %s\n" % i.tclass
+-                    continue
+-                if rc == audit2why.BADPERM:
+-                    print "Invalid permission %s\n" % i.accesses
+-                    continue
+-                if rc == audit2why. BADCOMPUTE:
+-                    raise RuntimeError("Error during access vector computation")
+-                if rc == audit2why.ALLOW:
++                if i.type == audit2why.ALLOW:
+                     print "\t\tUnknown - would be allowed by active policy\n",
+                     print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
+                     print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
+                     continue
+-                if rc == audit2why.DONTAUDIT:
++                if i.type == audit2why.DONTAUDIT:
+                     print "\t\tUnknown - should be dontaudit'd by active policy\n",
+                     print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
+                     print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
+                     continue
+-                if rc == audit2why.BOOLEAN:
+-                    if len(bools) > 1:
++                if i.type == audit2why.BOOLEAN:
++                    if len(i.bools) > 1:
+                         print "\tOne of the following booleans was set incorrectly."
+-                        for b in bools:
++                        for b in i.bools:
+                             print "\tDescription:\n\t%s\n"  % seobject.boolean_desc(b[0])
+                             print "\tAllow access by executing:\n\t# setsebool -P %s %d"  % (b[0], b[1])
+                     else:
+-                        print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
+-                        print "\tDescription:\n\t%s\n"  % seobject.boolean_desc(bools[0][0])
+-                        print "\tAllow access by executing:\n\t# setsebool -P %s %d"  % (bools[0][0], bools[0][1])
++                        print "\tThe boolean %s was set incorrectly. " % (i.bools[0][0])
++                        print "\tDescription:\n\t%s\n"  % seobject.boolean_desc(i.bools[0][0])
++                        print "\tAllow access by executing:\n\t# setsebool -P %s %d"  % (i.bools[0][0], i.bools[0][1])
+                     continue
+ 
+-                if rc == audit2why.TERULE:
++                if i.type == audit2why.TERULE:
+                     print "\t\tMissing type enforcement (TE) allow rule.\n"
+                     print "\t\tYou can use audit2allow to generate a loadable module to allow this access.\n"
+                     continue
+ 
+-                if rc == audit2why.CONSTRAINT:
++                if i.type == audit2why.CONSTRAINT:
+                     print "\t\tPolicy constraint violation.\n"
+                     print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
+                     print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
+                     continue
+ 
+-                if rc == audit2why.RBAC:
++                if i.type == audit2why.RBAC:
+                     print "\t\tMissing role allow rule.\n"
+                     print "\t\tAdd an allow rule for the role pair.\n"
+                     continue
+@@ -344,5 +334,6 @@
+             sys.exit(0)
+ 
+ if __name__ == "__main__":
++    audit2why.init()
+     app = AuditToPolicy()
+     app.main()
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.78/Makefile
 --- nsapolicycoreutils/Makefile	2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.77/Makefile	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/Makefile	2009-12-08 17:05:49.000000000 -0500
 @@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 +SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
  
  INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
  
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.77/restorecond/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.78/restorecond/Makefile
 --- nsapolicycoreutils/restorecond/Makefile	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.77/restorecond/Makefile	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/Makefile	2009-12-08 17:05:49.000000000 -0500
 @@ -1,17 +1,28 @@
  # Installation directories.
  PREFIX ?= ${DESTDIR}/usr
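Review bot: On the new side of `__output_audit2why` (the `@@ -220,63 +229,44 @@` part of this hunk) an AVC whose analysis failed now produces no output at all: the header is printed only when `i.type >= 0`, the removed BADTCON/BADSCON/BADPERM/BADCOMPUTE branches have no replacement, and a non-negative `i.type` that matches none of the remaining branches prints "Was caused by:" followed by nothing. Presumably negative values still encode those failures, so a closing fallback such as `print "\t\tUnable to analyze this message (result %d)\n" % i.type` would keep the -w output complete instead of silently skipping messages with an invalid context. `audit2why.init()` has also moved under the `__main__` guard, so the `type`/`bools` attributes read here must be populated before this method runs — apparently by the sepolgen parser changed in this commit's companion patch — and a caller that imports AuditToPolicy directly is no longer initialized; a comment on that line, e.g. `# audit2why must be initialized before the parser analyzes AVC messages`, would record the ordering. The enclosing class continues outside the hunk.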
@@ -96,16 +187,16 @@ diff --exclude-from=exclude --exclude=se
  
  relabel: install
  	/sbin/restorecon $(SBINDIR)/restorecond 
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service
 --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/restorecond/org.selinux.Restorecond.service	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,3 @@
 +[D-BUS Service]
 +Name=org.selinux.Restorecond
 +Exec=/usr/sbin/restorecond -u
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.77/restorecond/restorecond.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.78/restorecond/restorecond.8
 --- nsapolicycoreutils/restorecond/restorecond.8	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.77/restorecond/restorecond.8	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.8	2009-12-08 17:05:49.000000000 -0500
 @@ -3,7 +3,7 @@
  restorecond \- daemon that watches for file creation and then sets the default SELinux file context
  
@@ -140,9 +231,9 @@ diff --exclude-from=exclude --exclude=se
  
  .SH "SEE ALSO"
  .BR restorecon (8),
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.77/restorecond/restorecond.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.78/restorecond/restorecond.c
 --- nsapolicycoreutils/restorecond/restorecond.c	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.77/restorecond/restorecond.c	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.c	2009-12-09 16:29:18.000000000 -0500
 @@ -30,9 +30,11 @@
   * and makes sure that there security context matches the systems defaults
   *
@@ -480,7 +571,7 @@ diff --exclude-from=exclude --exclude=se
  	exit(0);
  }
  
-@@ -390,74 +136,34 @@
+@@ -390,74 +136,35 @@
     to see if it is one that we are watching.
  */
  
@@ -571,14 +662,15 @@ diff --exclude-from=exclude --exclude=se
 +	r_opts.fts_flags = FTS_PHYSICAL;
 +	r_opts.selabel_opt_validate = NULL;
 +	r_opts.selabel_opt_path = NULL;
-+	
++	r_opts.ignore_enoent = 1;
++
 +	restore_init(&r_opts);
 +	/* If we are not running SELinux then just exit */
 +	if (is_selinux_enabled() != 1) return 0;
  
  	/* Register sighandlers */
  	sa.sa_flags = 0;
-@@ -467,38 +173,59 @@
+@@ -467,38 +174,59 @@
  
  	set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
  
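Review bot: `r_opts.ignore_enoent = 1;` is added to the restore options without a comment saying why a missing path is acceptable here, and the reason is not obvious since the surrounding lines are plain field setup. A one-line why-comment above it, e.g. `/* a path may vanish between the inotify event and the relabel; ENOENT is not an error here -- confirm */`, would keep the next reader from treating it as a debugging leftover. The enclosing function starts and ends outside this hunk.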
@@ -647,9 +739,9 @@ diff --exclude-from=exclude --exclude=se
  }
 +
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.77/restorecond/restorecond.conf
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.78/restorecond/restorecond.conf
 --- nsapolicycoreutils/restorecond/restorecond.conf	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.77/restorecond/restorecond.conf	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.conf	2009-12-08 17:05:49.000000000 -0500
 @@ -4,8 +4,5 @@
  /etc/mtab
  /var/run/utmp
@@ -660,9 +752,9 @@ diff --exclude-from=exclude --exclude=se
  /root/.ssh/*
 -
 -
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.77/restorecond/restorecond.desktop
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.78/restorecond/restorecond.desktop
 --- nsapolicycoreutils/restorecond/restorecond.desktop	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/restorecond/restorecond.desktop	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.desktop	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,7 @@
 +[Desktop Entry]
 +Name=File Context maintainer
@@ -671,9 +763,9 @@ diff --exclude-from=exclude --exclude=se
 +Encoding=UTF-8
 +Type=Application
 +StartupNotify=false
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.77/restorecond/restorecond.h
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.78/restorecond/restorecond.h
 --- nsapolicycoreutils/restorecond/restorecond.h	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.77/restorecond/restorecond.h	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.h	2009-12-08 17:05:49.000000000 -0500
 @@ -24,7 +24,21 @@
  #ifndef RESTORED_CONFIG_H
  #define RESTORED_CONFIG_H
@@ -698,9 +790,9 @@ diff --exclude-from=exclude --exclude=se
 +extern void watch_list_free(int fd);
  
  #endif
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.77/restorecond/restorecond.init
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.78/restorecond/restorecond.init
 --- nsapolicycoreutils/restorecond/restorecond.init	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.77/restorecond/restorecond.init	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond.init	2009-12-08 17:05:49.000000000 -0500
 @@ -75,16 +75,15 @@
  	status restorecond
  	RETVAL=$?
@@ -720,15 +812,15 @@ diff --exclude-from=exclude --exclude=se
  
  exit $RETVAL
 -
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.77/restorecond/restorecond_user.conf
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.78/restorecond/restorecond_user.conf
 --- nsapolicycoreutils/restorecond/restorecond_user.conf	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/restorecond/restorecond_user.conf	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/restorecond_user.conf	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,2 @@
 +~/*
 +~/public_html/*
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.77/restorecond/user.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.78/restorecond/user.c
 --- nsapolicycoreutils/restorecond/user.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/restorecond/user.c	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/restorecond/user.c	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,237 @@
 +/*
 + * restorecond
@@ -967,10 +1059,10 @@ diff --exclude-from=exclude --exclude=se
 +    return 0;
 +}
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.77/restorecond/watch.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.78/restorecond/watch.c
 --- nsapolicycoreutils/restorecond/watch.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/restorecond/watch.c	2009-11-24 10:27:27.000000000 -0500
-@@ -0,0 +1,253 @@
++++ policycoreutils-2.0.78/restorecond/watch.c	2009-12-09 16:31:48.000000000 -0500
+@@ -0,0 +1,254 @@
 +#define _GNU_SOURCE
 +#include <sys/inotify.h>
 +#include <errno.h>
@@ -1052,8 +1144,9 @@ diff --exclude-from=exclude --exclude=se
 +	if (ptr->wd == -1) {
 +		free(ptr);
 +		free(x);
-+		syslog(LOG_ERR, "Unable to watch (%s) %s\n",
-+		       path, strerror(errno));
++		if (! run_as_user) 
++			syslog(LOG_ERR, "Unable to watch (%s) %s\n",
++			       path, strerror(errno));
 +		return;
 +	}
 +
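Review bot: With `if (! run_as_user)` guarding the syslog call, an inotify_add_watch failure in the per-user instance is now dropped with no report anywhere: the block still frees and returns, but nothing tells the user which path could not be watched. If the intent is only to keep syslog quiet for a user session, consider an `else` that writes the same message to stderr (behind a verbose flag if the file has one), or at least a comment stating the rationale, e.g. `/* user instances: unwatchable paths are expected, keep syslog quiet -- confirm */`. Minor style: `! run_as_user` has a stray space after the operator and the line carries trailing whitespace. The enclosing function starts and ends outside this hunk.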
@@ -1224,17 +1317,17 @@ diff --exclude-from=exclude --exclude=se
 +		exitApp("Error watching config file.");
 +}
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.77/sandbox/deliverables/basicwrapper
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.78/sandbox/deliverables/basicwrapper
 --- nsapolicycoreutils/sandbox/deliverables/basicwrapper	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/deliverables/basicwrapper	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/deliverables/basicwrapper	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,4 @@
 +import os, sys
 +SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
 +SANDBOX_ARGS.extend(sys.argv[1::])
 +os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.77/sandbox/deliverables/README
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.78/sandbox/deliverables/README
 --- nsapolicycoreutils/sandbox/deliverables/README	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/deliverables/README	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/deliverables/README	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,32 @@
 +Files:
 +run-in-sandbox.py:
@@ -1268,9 +1361,9 @@ diff --exclude-from=exclude --exclude=se
 +
 +Thanks for a great summer.
 +Chris Pardy
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py
 --- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/deliverables/run-in-sandbox.py	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/deliverables/run-in-sandbox.py	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,49 @@
 +import os
 +import os.path
@@ -1321,9 +1414,9 @@ diff --exclude-from=exclude --exclude=se
 +    def get_background_items(self, window, file):
 +        return
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.77/sandbox/deliverables/sandbox
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.78/sandbox/deliverables/sandbox
 --- nsapolicycoreutils/sandbox/deliverables/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/deliverables/sandbox	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/deliverables/sandbox	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,216 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl, shutil
@@ -1541,9 +1634,9 @@ diff --exclude-from=exclude --exclude=se
 +        
 +    sys.exit(rc)
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.77/sandbox/Makefile
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.78/sandbox/Makefile
 --- nsapolicycoreutils/sandbox/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/Makefile	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/Makefile	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,31 @@
 +# Installation directories.
 +PREFIX ?= ${DESTDIR}/usr
@@ -1576,10 +1669,10 @@ diff --exclude-from=exclude --exclude=se
 +	../../scripts/Lindent $(wildcard *.[ch])
 +
 +relabel:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.77/sandbox/sandbox
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/sandbox	2009-11-24 10:27:27.000000000 -0500
-@@ -0,0 +1,242 @@
++++ policycoreutils-2.0.78/sandbox/sandbox	2009-12-08 17:05:49.000000000 -0500
+@@ -0,0 +1,253 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl, shutil
 +import selinux
@@ -1623,36 +1716,42 @@ diff --exclude-from=exclude --exclude=se
 +    sys.stderr.flush()
 +    sys.exit(1)
 +
-+def reserve(mcs):
++def reserve(level):
 +    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-+    sock.bind("\0%s" % mcs)
++    sock.bind("\0%s" % level)
 +    fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
 +
-+def gen_context(setype):
-+    while True:
-+        i1 = random.randrange(0, 1024)
-+        i2 = random.randrange(0, 1024)
-+        if i1 == i2:
-+            continue
-+        if i1 > i2:
-+            tmp = i1
-+            i1 = i2
-+            i2 = tmp
-+        mcs = "s0:c%d,c%d" % (i1, i2)
-+        reserve(mcs)
-+        try:
-+            reserve(mcs)
-+        except:
-+            continue
-+        break
++def gen_mcs():
++       while True:
++              i1 = random.randrange(0, 1024)
++              i2 = random.randrange(0, 1024)
++              if i1 == i2:
++                     continue
++              if i1 > i2:
++                     tmp = i1
++                     i1 = i2
++                     i2 = tmp
++                     level = "s0:c%d,c%d" % (i1, i2)
++              level = "s0:c%d,c%d" % (i1, i2)
++              try:
++                     reserve(level)
++              except socket.error:
++                     continue
++              break
++       return level
++
++def gen_context(setype, level=None):
++    if not level:
++           level = gen_mcs()
++
 +    con = selinux.getcon()[1].split(":")
 +
-+    execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
++    execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, level)
 +    
 +    filecon = "%s:%s:%s:%s" % (con[0], 
 +                               "object_r", 
 +                               "%s_file_t" % setype[:-2], 
-+                               mcs)
++                               level)
 +    return execcon, filecon
 +
 +def copyfile(file, dir, dest):
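Review bot: In the new `gen_mcs`, the `level = "s0:c%d,c%d" % (i1, i2)` inside the `if i1 > i2:` block is dead — the same assignment follows unconditionally — and the three-line temp swap reads better as `i1, i2 = i2, i1`. The function is indented with 7 spaces while the rest of the file uses 4, which is worth normalizing before it spreads. Separately, `gen_context` skips `reserve()` when the caller supplies `level`, so the abstract-socket uniqueness check only protects generated levels and a caller-supplied string is interpolated into `execcon` unchecked; that may be intended for an explicit `-l`, but a docstring on `gen_context` should say so, e.g. `"""Build exec/file contexts for setype; a caller-supplied level is used as-is and is not reserved."""`.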
@@ -1708,16 +1807,21 @@ diff --exclude-from=exclude --exclude=se
 +
 +    setype = DEFAULT_TYPE
 +    X_ind = False
++    level=None
 +    try:
-+           gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:", 
++           gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:", 
 +                                       ["help",
 +                                        "include=", 
 +                                        "includefile=", 
-+                                        "type="
++                                        "type=",
++                                        "level="
 +                                        ])
 +           for o, a in gopts:
 +                  if o == "-t" or o == "--type":
 +                         setype = a
++
++                  if o == "-l" or o == "--level":
++                         level = a
 +                         
 +                  if o == "-i" or o == "--include":
 +                         rp = os.path.realpath(a)
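Review bot: The new `-l`/`--level` option is accepted here but nothing in this commit documents it: the `sandbox.8` section of the patch changes only its header lines and the usage text is outside this hunk, so unless the man page already describes it the option is invisible to users. Add an entry to the man page and usage along the lines of `.TP` / `\-l LEVEL, \-\-level=LEVEL` / `Run the command with the given MCS/MLS level instead of a randomly generated one`. Style nit: `level=None` lacks the spaces around `=` used by the neighbouring assignments, and the blank line inserted between the `-t` and `-l` branches makes the `if` chain read as two groups. The enclosing option-parsing block continues outside the hunk.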
@@ -1745,7 +1849,7 @@ diff --exclude-from=exclude --exclude=se
 +           if len(cmds) == 0:
 +                  usage(_("Command required"))
 +
-+           execcon, filecon = gen_context(setype)
++           execcon, filecon = gen_context(setype, level)
 +           rc = -1
 +
 +           if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
@@ -1822,9 +1926,9 @@ diff --exclude-from=exclude --exclude=se
 +           
 +    sys.exit(rc)
 +
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.77/sandbox/sandbox.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
 --- nsapolicycoreutils/sandbox/sandbox.8	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/sandbox.8	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/sandbox.8	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,26 @@
 +.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
 +.SH NAME
@@ -1852,9 +1956,9 @@ diff --exclude-from=exclude --exclude=se
 +.TP
 +runcon(1)
 +.PP
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.77/sandbox/sandboxX.sh
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.78/sandbox/sandboxX.sh
 --- nsapolicycoreutils/sandbox/sandboxX.sh	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/sandboxX.sh	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/sandboxX.sh	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,16 @@
 +#!/bin/bash 
 +export TITLE="Sandbox: `/usr/bin/tail -1 ~/.sandboxrc | /usr/bin/cut -b1-70`"
@@ -1872,9 +1976,9 @@ diff --exclude-from=exclude --exclude=se
 +    kill -HUP 0
 +    break
 +done
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.77/sandbox/seunshare.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.78/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.77/sandbox/seunshare.c	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/sandbox/seunshare.c	2009-12-08 17:05:49.000000000 -0500
 @@ -0,0 +1,265 @@
 +#include <signal.h>
 +#include <sys/types.h>
@@ -2141,9 +2245,9 @@ diff --exclude-from=exclude --exclude=se
 +
 +	return status;
 +}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.77/semanage/semanage
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.78/semanage/semanage
 --- nsapolicycoreutils/semanage/semanage	2009-11-18 17:06:03.000000000 -0500
-+++ policycoreutils-2.0.77/semanage/semanage	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/semanage/semanage	2009-12-08 17:05:49.000000000 -0500
 @@ -32,23 +32,32 @@
  try:
         gettext.install(PROGNAME,
@@ -2472,9 +2576,9 @@ diff --exclude-from=exclude --exclude=se
                               process_args(mkargv(l))
                        trans.finish()
                 else:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.77/semanage/seobject.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.78/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2009-11-20 10:51:25.000000000 -0500
-+++ policycoreutils-2.0.77/semanage/seobject.py	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/semanage/seobject.py	2009-12-08 17:05:49.000000000 -0500
 @@ -37,40 +37,6 @@
  
  import syslog
@@ -3118,9 +3222,9 @@ diff --exclude-from=exclude --exclude=se
  	def list(self, heading = True, locallist = False, use_file = False):
                  on_off = (_("off"), _("on")) 
  		if use_file:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.77/semodule/semodule.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.8 policycoreutils-2.0.78/semodule/semodule.8
 --- nsapolicycoreutils/semodule/semodule.8	2009-09-17 08:59:43.000000000 -0400
-+++ policycoreutils-2.0.77/semodule/semodule.8	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/semodule/semodule.8	2009-12-08 17:05:49.000000000 -0500
 @@ -35,6 +35,12 @@
  .B  \-b,\-\-base=MODULE_PKG   
  install/replace base module package
@@ -3134,9 +3238,9 @@ diff --exclude-from=exclude --exclude=se
  .B  \-r,\-\-remove=MODULE_NAME
  remove existing module
  .TP
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.77/semodule/semodule.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semodule/semodule.c policycoreutils-2.0.78/semodule/semodule.c
 --- nsapolicycoreutils/semodule/semodule.c	2009-09-17 08:59:43.000000000 -0400
-+++ policycoreutils-2.0.77/semodule/semodule.c	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/semodule/semodule.c	2009-12-08 17:05:49.000000000 -0500
 @@ -22,12 +22,12 @@
  
  #include <semanage/modules.h>
@@ -3254,9 +3358,9 @@ diff --exclude-from=exclude --exclude=se
  						semanage_module_info_datum_destroy
  						    (m);
  					}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.77/setfiles/restore.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.78/setfiles/restore.c
 --- nsapolicycoreutils/setfiles/restore.c	2009-11-03 09:21:40.000000000 -0500
-+++ policycoreutils-2.0.77/setfiles/restore.c	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/restore.c	2009-12-08 17:05:49.000000000 -0500
 @@ -303,6 +303,12 @@
  	FTS *fts_handle;
  	FTSENT *ftsent;
@@ -3270,9 +3374,17 @@ diff --exclude-from=exclude --exclude=se
  	fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
  	if (fts_handle  == NULL) {
  		fprintf(stderr,
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.77/setfiles/restorecon.8
+@@ -374,6 +380,7 @@
+ 	} else {
+ 		rc = lstat(name, &sb);
+ 		if (rc < 0) {
++			if (r_opts->ignore_enoent && errno == ENOENT) return 0;
+ 			fprintf(stderr, "%s:  lstat(%s) failed:  %s\n",
+ 				r_opts->progname, name,	strerror(errno));
+ 			return -1;
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.78/setfiles/restorecon.8
 --- nsapolicycoreutils/setfiles/restorecon.8	2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.77/setfiles/restorecon.8	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/restorecon.8	2009-12-08 17:05:49.000000000 -0500
 @@ -4,10 +4,10 @@
  
  .SH "SYNOPSIS"
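Review bot: The new `if (r_opts->ignore_enoent && errno == ENOENT) return 0;` in restore.c reads a field that is only ever set to 1 in this patch, so it relies on every user of `struct restore_opts` zero-initializing the struct; setfiles.c's `r_opts` is static and therefore fine, but restorecond, which the patch's diffstat also touches, is not visible here and would read an indeterminate value if it fills the struct field by field. The suppression is placed only in the `else` (lstat) branch; the branch above `} else {` is outside the hunk, so whether it needs the same treatment cannot be confirmed from this view. The enclosing function starts and ends outside the hunk.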
@@ -3296,9 +3408,21 @@ diff --exclude-from=exclude --exclude=se
  .TP 
  .B \-v
  show changes in file labels.
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.77/setfiles/setfiles.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.78/setfiles/restore.h
+--- nsapolicycoreutils/setfiles/restore.h	2009-11-03 09:21:40.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/restore.h	2009-12-08 17:05:49.000000000 -0500
+@@ -27,6 +27,7 @@
+ 	int hard_links;
+ 	int verbose;
+ 	int logging;
++	int ignore_enoent;
+ 	char *rootpath;
+ 	int rootpathlen;
+ 	char *progname;
+Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.78/setfiles/restore.o differ
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.78/setfiles/setfiles.8
 --- nsapolicycoreutils/setfiles/setfiles.8	2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.77/setfiles/setfiles.8	2009-11-24 10:27:27.000000000 -0500
++++ policycoreutils-2.0.78/setfiles/setfiles.8	2009-12-08 17:05:49.000000000 -0500
 @@ -31,6 +31,9 @@
  .TP
  .B \-n
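Review bot: The `Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.78/setfiles/restore.o differ` line at the end of the restore.h section shows the patch was regenerated against a tree containing build products; `patch` ignores it, but it is noise in a source patch and suggests the tree should be cleaned before diffing. The new struct member would also benefit from a short comment so readers of restore.h know which option it backs, e.g. `int ignore_enoent;	/* -i: skip paths that no longer exist instead of failing */`.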
@@ -3309,10 +3433,18 @@ diff --exclude-from=exclude --exclude=se
  .TP 
  .B \-q
  suppress non-error output.
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.77/setfiles/setfiles.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.78/setfiles/setfiles.c
 --- nsapolicycoreutils/setfiles/setfiles.c	2009-11-03 09:21:40.000000000 -0500
-+++ policycoreutils-2.0.77/setfiles/setfiles.c	2009-11-24 10:27:27.000000000 -0500
-@@ -44,13 +44,13 @@
++++ policycoreutils-2.0.78/setfiles/setfiles.c	2009-12-09 16:28:55.000000000 -0500
+@@ -25,7 +25,6 @@
+ static int warn_no_match = 0;
+ static int null_terminated = 0;
+ static int errors;
+-static int ignore_enoent;
+ static struct restore_opts r_opts;
+ 
+ #define STAT_BLOCK_SIZE 1
+@@ -44,13 +43,13 @@
  {
  	if (iamrestorecon) {
  		fprintf(stderr,
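Review bot: Removing `static int ignore_enoent;` here and rerouting the `'i'` case to `r_opts.ignore_enoent` in the next hunk shows no remaining reader of the old static being deleted, so either setfiles.c still references it elsewhere and no longer compiles, or the old flag was never consulted, which would be consistent with the changelog's "Fix restorecon -i to ignore enoent"; the build should be confirmed either way. Because `r_opts` stays `static`, the new member defaults to 0 and behaviour without `-i` is unchanged. The enclosing functions in both hunks start and end outside the visible lines.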
@@ -3328,7 +3460,16 @@ diff --exclude-from=exclude --exclude=se
  			name);
  	}
  	exit(1);
-@@ -371,7 +371,7 @@
+@@ -335,7 +334,7 @@
+ 			r_opts.debug = 1;
+ 			break;
+ 		case 'i':
+-			ignore_enoent = 1;
++			r_opts.ignore_enoent = 1;
+ 			break;
+ 		case 'l':
+ 			r_opts.logging = 1;
+@@ -371,7 +370,7 @@
  				break;
  			}
  			if (optind + 1 >= argc) {
@@ -3337,9 +3478,3 @@ diff --exclude-from=exclude --exclude=se
  					argv[0]);
  				exit(1);
  			}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/VERSION policycoreutils-2.0.77/VERSION
---- nsapolicycoreutils/VERSION	2009-12-01 15:46:50.000000000 -0500
-+++ policycoreutils-2.0.77/VERSION	2009-11-20 10:51:25.000000000 -0500
-@@ -1 +1 @@
--2.0.78
-+2.0.77

policycoreutils-sepolgen.patch:
 access.py    |   15 ++++++++-----
 audit.py     |   67 +++++++++++++++++++++++++++++++++++++++++++++++++++++------
 policygen.py |   28 +++++++++++++++++++++++-
 refparser.py |    2 -
 refpolicy.py |    9 +++++--
 5 files changed, 105 insertions(+), 16 deletions(-)

Index: policycoreutils-sepolgen.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-sepolgen.patch,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -p -r1.29 -r1.30
--- policycoreutils-sepolgen.patch	1 Dec 2009 21:17:46 -0000	1.29
+++ policycoreutils-sepolgen.patch	9 Dec 2009 21:33:51 -0000	1.30
@@ -1,6 +1,62 @@
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py	2009-05-18 13:53:14.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py	2009-12-08 17:02:52.000000000 -0500
+@@ -32,6 +32,7 @@
+ """
+ 
+ import refpolicy
++from selinux import audit2why
+ 
+ def is_idparam(id):
+     """Determine if an id is a paramater in the form $N, where N is
+@@ -85,6 +86,8 @@
+             self.obj_class = None
+             self.perms = refpolicy.IdSet()
+             self.audit_msgs = []
++            self.type = audit2why.TERULE
++            self.bools = []
+ 
+         # The direction of the information flow represented by this
+         # access vector - used for matching
+@@ -127,7 +130,7 @@
+         return self.to_string()
+ 
+     def to_string(self):
+-        return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
++        return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
+                                         self.obj_class, self.perms.to_space_str())
+ 
+     def __cmp__(self, other):
+@@ -253,20 +256,22 @@
+         for av in l:
+             self.add_av(AccessVector(av))
+ 
+-    def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
++    def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
+         """Add an access vector to the set.
+         """
+         tgt = self.src.setdefault(src_type, { })
+         cls = tgt.setdefault(tgt_type, { })
+         
+-        if cls.has_key(obj_class):
+-            access = cls[obj_class]
++        if cls.has_key((obj_class, avc_type)):
++            access = cls[obj_class, avc_type]
+         else:
+             access = AccessVector()
+             access.src_type = src_type
+             access.tgt_type = tgt_type
+             access.obj_class = obj_class
+-            cls[obj_class] = access
++            access.bools = bools
++            access.type = avc_type
++            cls[obj_class, avc_type] = access
+ 
+         access.perms.update(perms)
+         if audit_msg:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
 --- nsasepolgen/src/sepolgen/audit.py	2009-12-01 15:46:50.000000000 -0500
-+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/audit.py	2009-11-24 10:27:28.000000000 -0500
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py	2009-12-08 17:02:17.000000000 -0500
 @@ -23,6 +23,27 @@
  
  # Convenience functions
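Review bot: The new `bools=[]` default on `AccessVectorSet.add` is a mutable default argument, and `access.bools = bools` stores that single shared list on every AccessVector created without an explicit `bools`, so any later in-place change to one vector's `bools` shows up in all of them. Use `bools=None` in the signature and `access.bools = bools if bools is not None else []` at the assignment. The key change to `cls[obj_class, avc_type]` means a denial seen both as a plain TE rule and as a boolean-gated rule now produces two separate vectors, which looks intended but deserves a line in the `add` docstring. The module-level `from selinux import audit2why` also makes access.py unimportable without the compiled extension; a comment noting that dependency would help anyone reusing sepolgen outside the package.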
@@ -47,10 +103,153 @@ diff --exclude-from=exclude -N -u -r nsa
  # Classes representing audit messages
  
  class AuditMessage:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py
+@@ -106,6 +138,7 @@
+             if fields[0] == "path":
+                 self.path = fields[1][1:-1]
+                 return
++import selinux.audit2why as audit2why
+ 
+ class AVCMessage(AuditMessage):
+     """AVC message representing an access denial or granted message.
+@@ -146,6 +179,8 @@
+         self.path = ""
+         self.accesses = []
+         self.denial = True
++        self.type = audit2why.TERULE
++        self.bools = []
+ 
+     def __parse_access(self, recs, start):
+         # This is kind of sucky - the access that is in a space separated
+@@ -205,7 +240,25 @@
+ 
+         if not found_src or not found_tgt or not found_class or not found_access:
+             raise ValueError("AVC message in invalid format [%s]\n" % self.message)
+-                
++        self.analyze()
++
++    def analyze(self):
++        tcontext = self.tcontext.to_string()
++        scontext = self.scontext.to_string()
++        self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
++        if self.type == audit2why.NOPOLICY:
++            raise ValueError("Must call policy_init first")
++        if self.type == audit2why.BADTCON:
++            raise ValueError("Invalid Target Context %s\n" % tcontext)
++        if self.type == audit2why.BADSCON:
++            raise ValueError("Invalid Source Context %s\n" % scontext)
++        if self.type == audit2why.BADSCON:
++            raise ValueError("Invalid Type Class %s\n" % self.tclass)
++        if self.type == audit2why.BADPERM:
++            raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
++        if self.type == audit2why.BADCOMPUTE:
++            raise ValueError("Error during access vector computation")
++
+ class PolicyLoadMessage(AuditMessage):
+     """Audit message indicating that the policy was reloaded."""
+     def __init__(self, message):
+@@ -285,6 +338,9 @@
+ 
+     def __initialize(self):
+         self.avc_msgs = []
++        self.constraint_msgs = []
++        self.dontaudit_msgs = []
++        self.rbac_msgs = []
+         self.compute_sid_msgs = []
+         self.invalid_msgs = []
+         self.policy_load_msgs = []
+@@ -314,7 +370,7 @@
+             elif i == "security_compute_sid:":
+                 msg = ComputeSidMessage(line)
+                 found = True
+-            elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
++            elif i == "type=MAC_POLICY_LOAD":
+                 msg = PolicyLoadMessage(line)
+                 found = True
+             elif i == "type=AVC_PATH":
+@@ -442,16 +498,17 @@
+            audit logs parsed by this object.
+         """
+         av_set = access.AccessVectorSet()
++
+         for avc in self.avc_msgs:
+             if avc.denial != True and only_denials:
+                 continue
+             if avc_filter:
+                 if avc_filter.filter(avc):
+                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+-                               avc.accesses, avc)
++                               avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+             else:
+                 av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
+-                           avc.accesses, avc)
++                           avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
+         return av_set
+ 
+ class AVCTypeFilter:
+@@ -477,5 +534,3 @@
+         if self.regex.match(avc.tcontext.type):
+             return True
+         return False
+-
+-
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py	2008-09-12 11:48:15.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2009-12-08 17:03:16.000000000 -0500
+@@ -29,6 +29,8 @@
+ import access
+ import interfaces
+ import matching
++import selinux.audit2why as audit2why
++from setools import *
+ 
+ # Constants for the level of explanation from the generation
+ # routines
+@@ -74,7 +76,7 @@
+             self.moduel = module
+         else:
+             self.module = refpolicy.Module()
+-
++        self.domains = None
+     def set_gen_refpol(self, if_set=None, perm_maps=None):
+         """Set whether reference policy interfaces are generated.
+ 
+@@ -144,8 +146,32 @@
+     def __add_allow_rules(self, avs):
+         for av in avs:
+             rule = refpolicy.AVRule(av)
++            rule.comment = ""
+             if self.explain:
+                 rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
++            if av.type == audit2why.DONTAUDIT:
++                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" 
++            if av.type == audit2why.BOOLEAN:
++                if len(av.bools) > 1:
++                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
++                else:
++                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
++
++            if av.type == audit2why.CONSTRAINT:
++                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n" 
++            if av.type == audit2why.TERULE:
++                if "open" in av.perms and "write" in av.perms:
++                    if not self.domains:
++                        self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
++                    types=[]
++                    for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
++                        if i not in self.domains:
++                            types.append(i)
++                    if len(types) == 1:
++                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                    elif len(types) >= 1:
++                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                            
+             self.module.children.append(rule)
+ 
+ 
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
 --- nsasepolgen/src/sepolgen/refparser.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.77/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-11-24 10:27:28.000000000 -0500
-@@ -973,7 +919,7 @@
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-12-08 17:01:22.000000000 -0500
+@@ -973,7 +973,7 @@
  def list_headers(root):
      modules = []
      support_macros = None
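Review bot: In policygen.py's multi-boolean branch, `", ".join(map(lambda x: av.bools[0][0], av.bools))` ignores `x` and repeats the first boolean's name once per entry; it should be `", ".join(map(lambda x: x[0], av.bools))`. In audit.py's new `analyze()`, the second `if self.type == audit2why.BADSCON:` test is unreachable because the first one already raised, so the "Invalid Type Class" message can never fire; it presumably should compare against the bad-class code (audit2why's `BADTCLASS`, if that is the name), and the trailing `;` on the `audit2why.analyze(...)` line is stray. The change to `elif i == "type=MAC_POLICY_LOAD":` silently drops recognition of the numeric `type=1403` form that non-interpreted audit output uses, which the commit message does not mention. Style-wise, `import selinux.audit2why as audit2why` is inserted between class bodies after a `return` instead of with the module's imports, and `from setools import *` pulls an unknown set of names (`ALLOW`, `SCONTEXT`, `seinfo`, ...) into policygen's namespace.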
@@ -59,3 +258,35 @@ diff --exclude-from=exclude -N -u -r nsa
  
      for dirpath, dirnames, filenames in os.walk(root):
          for name in filenames:
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
+--- nsasepolgen/src/sepolgen/refpolicy.py	2009-10-29 15:21:39.000000000 -0400
++++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2009-12-08 17:02:00.000000000 -0500
+@@ -398,6 +398,7 @@
+         return "attribute %s;" % self.name
+ 
+ # Classes representing rules
++import selinux.audit2why as audit2why
+ 
+ class AVRule(Leaf):
+     """SELinux access vector (AV) rule.
+@@ -426,15 +427,17 @@
+         self.tgt_types = IdSet()
+         self.obj_classes = IdSet()
+         self.perms = IdSet()
+-        self.rule_type = self.ALLOW
++        self.rule_type = audit2why.TERULE
+         if av:
+             self.from_av(av)
+ 
+     def __rule_type_str(self):
+-        if self.rule_type == self.ALLOW:
++        if self.rule_type == audit2why.TERULE:
+             return "allow"
+-        elif self.rule_type == self.DONTAUDIT:
++        elif self.rule_type == audit2why.DONTAUDIT:
+             return "dontaudit"
++        elif self.rule_type == audit2why.CONSTRAINT:
++            return "#constraint allow"
+         else:
+             return "auditallow"
+ 
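Review bot: `AVRule.__init__` now seeds `rule_type` with `audit2why.TERULE` and `__rule_type_str` compares against audit2why's codes, but the `ALLOW`/`DONTAUDIT` class constants it used before are presumably still assigned by the reference-policy parser, which is not in this hunk; unless those constants are redefined to the audit2why values, a parsed `dontaudit` or `allow` rule falls into the `else` branch and is rendered as `auditallow`. Returning `"#constraint allow"` deliberately emits a commented-out rule, which is reasonable since an allow rule cannot fix a constraint denial, but it deserves a comment on that branch, e.g. `# a constraint denial cannot be resolved by an allow rule; emit it commented out`. The mid-file `import selinux.audit2why as audit2why` belongs with the module's other imports.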


Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.662
retrieving revision 1.663
diff -u -p -r1.662 -r1.663
--- policycoreutils.spec	1 Dec 2009 21:17:46 -0000	1.662
+++ policycoreutils.spec	9 Dec 2009 21:33:51 -0000	1.663
@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.78
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -296,6 +296,12 @@ fi
 exit 0
 
 %changelog
+* Tue Dec 8 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-3
+- Fix audit2allow to report constraints, dontaudits, types, booleans
+
+* Fri Dec 4 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-2
+- Fix restorecon -i to ignore enoent
+
 * Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 2.0.78-1
 - Update to upstream
 	* Remove non-working OUTFILE from fixfiles from Dan Walsh.



