[policycoreutils] Redesign sepolicy to only read the policy file once, not for every call

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 29 16:38:46 UTC 2012


commit 7d197203b0ca6064ea11801ac46e9dd73e594f6a
Author: rhatdan <dwalsh at redhat.com>
Date:   Mon Oct 29 12:38:36 2012 -0400

    Redesign sepolicy to only read the policy file once, not for every call

 policycoreutils-rhat.patch    |  185 ++++++++++++-----------------------------
 policycoreutils.spec          |    5 +-
 selinux-polgengui.desktop     |    1 +
 system-config-selinux.desktop |    1 +
 4 files changed, 61 insertions(+), 131 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index b414792..91644b3 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -335989,7 +335989,7 @@ index 0000000..378eac2
 +build
 diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
 new file mode 100644
-index 0000000..6767e53
+index 0000000..af8cb8a
 --- /dev/null
 +++ b/policycoreutils/sepolicy/Makefile
 @@ -0,0 +1,31 @@
@@ -336010,7 +336010,7 @@ index 0000000..6767e53
 +
 +all: python-build
 +
-+python-build: info.c search.c common.h
++python-build: info.c search.c common.h policy.h policy.c
 +	$(PYTHON) setup.py build
 +
 +clean:
@@ -336082,10 +336082,10 @@ index 0000000..dc3ce6a
 +
 diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
 new file mode 100644
-index 0000000..f4cc0b0
+index 0000000..18aa555
 --- /dev/null
 +++ b/policycoreutils/sepolicy/info.c
-@@ -0,0 +1,928 @@
+@@ -0,0 +1,895 @@
 +/**
 + *  @file
 + *  Command line tool to search TE rules.
@@ -336119,9 +336119,9 @@ index 0000000..f4cc0b0
 + */
 +
 +#include "common.h"
++#include "policy.h"
 +
 +/* libapol */
-+#include <apol/policy.h>
 +#include <apol/policy-query.h>
 +#include <apol/render.h>
 +#include <apol/util.h>
@@ -336937,76 +336937,43 @@ index 0000000..f4cc0b0
 +	return list;
 +}
 +
-+PyObject* info( const char *policy_file, int type, const char *name)
++PyObject* info( int type, const char *name)
 +{
 +	PyObject* output = NULL;
-+	apol_policy_t *policydb = NULL;
-+	apol_policy_path_t *pol_path = NULL;
-+	apol_vector_t *mod_paths = NULL;
-+	apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
-+
-+	pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
-+	if (!pol_path) {
-+		apol_vector_destroy(&mod_paths);
-+		PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
-+		return NULL;
-+	}
-+	apol_vector_destroy(&mod_paths);
-+
-+	int policy_load_options = 0;
-+	policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
-+	policydb = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
-+	if (!policydb) {
-+		apol_policy_path_destroy(&pol_path);
-+		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+		return NULL;
-+	}
 +
 +	/* display requested info */
 +	if (type == TYPE)
-+		output = get_types(name, policydb);
++		output = get_types(name, policy);
 +
 +	if (type == ATTRIBUTE)
-+		output = get_attribs(name, policydb);
++		output = get_attribs(name, policy);
 +
 +	if (type == ROLE)
-+		output = get_roles(name, policydb);
++		output = get_roles(name, policy);
 +
 +	if (type == USER)
-+		output = get_users(name, policydb);
++		output = get_users(name, policy);
 +
 +	if (type == BOOLEAN)
-+		output = get_booleans(name, policydb);
++		output = get_booleans(name, policy);
 +
 +	if (type == PORT)
-+		output = get_ports(name, policydb);
++		output = get_ports(name, policy);
 +
-+	apol_policy_destroy(&policydb);
-+	apol_policy_path_destroy(&pol_path);
 +	return output;
 +}
 +
 +PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
 +    unsigned int type;
 +    char *name;
-+    const char *policy_file;
 +    
-+    if (!PyArg_ParseTuple(args, "ziz", &policy_file, &type, &name))
++    if (!PyArg_ParseTuple(args, "iz", &type, &name))
 +        return NULL;
 +
-+    return Py_BuildValue("N",info(policy_file, type, name));
-+
++    return Py_BuildValue("N",info(type, name));
 +}
 +
-+static PyMethodDef methods[] = {
-+	{"info", (PyCFunction) wrap_info, METH_VARARGS,
-+	 "Return SELinux polcy info about types, attributes, roles, users"},
-+    {NULL, NULL, 0, NULL}
-+};
-+
-+void init_info(){
-+    PyObject *m;
-+    m = Py_InitModule("_info", methods);
++void init_info (PyObject *m) {
 +    PyModule_AddIntConstant(m, "ATTRIBUTE", ATTRIBUTE);
 +    PyModule_AddIntConstant(m, "PORT", PORT);
 +    PyModule_AddIntConstant(m, "ROLE", ROLE);
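Review bot: `info()` now dereferences the global `policy` (presumably declared in the new policy.h, which this patch does not show) with no check that a policy has actually been loaded; the removed code failed with a RuntimeError before any `get_*` call, whereas a caller that reaches `info` before `_policy.policy()` has succeeded now hands NULL to `get_types` and friends. A guard at the top of the body, `if (!policy) { PyErr_SetString(PyExc_RuntimeError, "policy not loaded"); return NULL; }`, restores the earlier failure mode. The same missing check applies to `search()` in search.c, whose loader is removed in the hunk at @@ -337850. Separately, the new `"iz"` format in wrap_info still parses `i` into `unsigned int type`, while `i` expects an `int *`; declaring `int type;` would match the format.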
@@ -337016,10 +336983,10 @@ index 0000000..f4cc0b0
 +}
 diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
 new file mode 100644
-index 0000000..c98e4cf
+index 0000000..c1d9411
 --- /dev/null
 +++ b/policycoreutils/sepolicy/search.c
-@@ -0,0 +1,1007 @@
+@@ -0,0 +1,967 @@
 +// Author: Thomas Liu <tliu at redhat.com>
 +
 +/**
@@ -337057,9 +337024,9 @@ index 0000000..c98e4cf
 + */
 +
 +#include "common.h"
++#include "policy.h"
 +
 +/* libapol */
-+#include <apol/policy.h>
 +#include <apol/policy-query.h>
 +#include <apol/render.h>
 +#include <apol/util.h>
@@ -337805,8 +337772,7 @@ index 0000000..c98e4cf
 +	return output;
 +}
 +
-+PyObject* search(const char *policy_file,
-+		 bool allow,
++PyObject* search(bool allow,
 +		 bool neverallow,
 +		 bool auditallow,
 +		 bool dontaudit,
@@ -337820,11 +337786,7 @@ index 0000000..c98e4cf
 +{
 +	options_t cmd_opts;
 +	PyObject *output = NULL;
-+	apol_policy_t *policy = NULL;
 +	apol_vector_t *v = NULL;
-+	apol_policy_path_t *pol_path = NULL;
-+	apol_vector_t *mod_paths = NULL;
-+	apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
 +
 +	memset(&cmd_opts, 0, sizeof(cmd_opts));
 +	cmd_opts.indirect = true;
@@ -337850,28 +337812,6 @@ index 0000000..c98e4cf
 +
 +	pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
 +
-+	if (apol_file_is_policy_path_list(policy_file) > 0) {
-+		pol_path = apol_policy_path_create_from_file(policy_file);
-+		if (!pol_path) {
-+			PyErr_SetString(PyExc_RuntimeError,"invalid policy list");
-+			return NULL;
-+		}
-+	}
-+
-+	if (!pol_path)
-+		pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
-+	if (!pol_path) {
-+		PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
-+		return NULL;
-+	}
-+	apol_vector_destroy(&mod_paths);
-+
-+	policy = apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL);
-+	if (!policy) {
-+		apol_policy_path_destroy(&pol_path);
-+		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+		return NULL;
-+	}
 +	/* handle regex for class name */
 +	if (cmd_opts.useregex && cmd_opts.class_name != NULL) {
 +		cmd_opts.class_vector = apol_vector_create(NULL);
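Review bot: With the loader removed, `pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;` at the top of this hunk builds a load option that nothing in the visible part of `search()` consumes any more; if `pol_opt` has no other use further down (the body continues outside the hunk), it and its declaration are dead and should go. The removed block also accepted policy-list files via `apol_file_is_policy_path_list()` before falling back to a monolithic path; whether the shared loader in policy.c (not in this patch) keeps that input form is not visible here and is worth confirming, since `sepolicy.policy()` would otherwise silently lose it.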
@@ -337965,8 +337905,6 @@ index 0000000..c98e4cf
 +	apol_vector_destroy(&v);
 +
 +      cleanup:
-+	apol_policy_destroy(&policy);
-+	apol_policy_path_destroy(&pol_path);
 +	free(cmd_opts.src_name);
 +	free(cmd_opts.tgt_name);
 +	free(cmd_opts.class_name);
@@ -338013,19 +337951,8 @@ index 0000000..c98e4cf
 +    const char *tgt_name = Dict_ContainsString(dict, "target");
 +    const char *class_name = Dict_ContainsString(dict, "class");
 +    const char *permlist = Dict_ContainsString(dict, "permlist");
-+    const char *policy_path = Dict_ContainsString(dict, "policy");
-+
-+    return Py_BuildValue("N",search(policy_path, allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
-+}
-+
-+static PyMethodDef methods[] = {
-+	{"search", (PyCFunction) wrap_search, METH_VARARGS,
-+	"Search SELinux Policy for allow, neverallow, auditallow, dontaudit and transition records"},
-+	{NULL, NULL, 0, NULL}	/* sentinel */
-+};
 +
-+void init_search(void){
-+	(void) Py_InitModule("_search", methods);
++    return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
 +}
 diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
 new file mode 100644
@@ -338818,25 +338745,24 @@ index 0000000..9f96fd5
 +        sys.exit(1)
 diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
 new file mode 100644
-index 0000000..fbd011c
+index 0000000..22c0724
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,87 @@
 +#!/usr/bin/env python
 +
 +# Author: Thomas Liu <tliu at redhat.com>
 +# Author: Dan Walsh <dwalsh at redhat.com>
 +
-+import _search
-+import _info
++import _policy
 +import selinux
 +
-+TYPE = _info.TYPE
-+ROLE = _info.ROLE
-+ATTRIBUTE = _info.ATTRIBUTE
-+PORT = _info.PORT
-+USER = _info.USER
-+BOOLEAN = _info.BOOLEAN
++TYPE = _policy.TYPE
++ROLE = _policy.ROLE
++ATTRIBUTE = _policy.ATTRIBUTE
++PORT = _policy.PORT
++USER = _policy.USER
++BOOLEAN = _policy.BOOLEAN
 +
 +ALLOW = 'allow'
 +AUDITALLOW = 'auditallow'
@@ -338849,7 +338775,11 @@ index 0000000..fbd011c
 +TRANSITION = 'transition'
 +ROLE_ALLOW = 'role_allow'
 +
++def policy(policy_file):
++    _policy.policy(policy_file)
++
 +policy_file = selinux.selinux_current_policy_path()
++policy(policy_file)
 +
 +def search(types, info = {} ):
 +    valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
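Review bot: The new `policy()` wrapper at the top of this hunk has no docstring, and the module-level `policy(policy_file)` call immediately after it means importing `sepolicy` now loads the whole policy as an import side effect, so a load failure surfaces as an import error instead of at the first `search`/`info` call. Suggest `"""Load policy_file into the shared _policy module; replaces the policy used by all later search() and info() calls."""` as the docstring, and a one-line comment above the module-level call such as `# Loads the running system's policy at import time.`.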
@@ -338863,8 +338793,7 @@ index 0000000..fbd011c
 +        perms = info[PERMS]
 +        info[PERMS] = ",".join(info[PERMS])
 +
-+    info["policy"] = policy_file
-+    dict_list = _search.search(info)
++    dict_list = _policy.search(info)
 +    if dict_list and len(perms) != 0:
 +        dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
 +    return dict_list
@@ -338876,14 +338805,9 @@ index 0000000..fbd011c
 +    return True
 +
 +def info(setype, name=None):
-+    global policy_file
-+    dict_list = _info.info(policy_file, setype, name)
++    dict_list = _policy.info(setype, name)
 +    return dict_list
 +
-+def policy(alt_policy_file):
-+    global policy_file
-+    policy_file = alt_policy_file
-+
 +def _gen_boolens_dict():
 +	import xml.etree.ElementTree
 +	import re
@@ -338912,7 +338836,6 @@ index 0000000..fbd011c
 +		pass
 +	return booleans_dict
 +booleans_dict = _gen_boolens_dict()
-+
 diff --git a/policycoreutils/sepolicy/sepolicy/booleans.py b/policycoreutils/sepolicy/sepolicy/booleans.py
 new file mode 100644
 index 0000000..c23cb11
@@ -340308,10 +340231,10 @@ index 0000000..93b0762
 +            return out
 diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
 new file mode 100755
-index 0000000..2446be1
+index 0000000..7a07b5a
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
-@@ -0,0 +1,1273 @@
+@@ -0,0 +1,1279 @@
 +#! /usr/bin/python -Es
 +# Copyright (C) 2012 Red Hat
 +# AUTHOR: Dan Walsh <dwalsh at redhat.com>
@@ -340347,7 +340270,6 @@ index 0000000..2446be1
 +import sys, os, re, time
 +
 +equiv_dict={ "smbd" : "samba", "httpd" : "apache" }
-+
 +def _gen_modules_dict():
 +        import xml.etree.ElementTree
 +        modules_dict = {}
@@ -340367,7 +340289,7 @@ index 0000000..2446be1
 +        except IOError, e:
 +                pass
 +        return modules_dict
-+modules_dict = _gen_modules_dict()
++modules_dict = None
 +
 +all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE))
 +entrypoints =  sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"]
@@ -340767,10 +340689,16 @@ index 0000000..2446be1
 +    """
 +    def __init__(self, domainname, path = "/tmp", html = False):
 +        self.html = html
-+        self.domainname = domainname
-+        self.short_name = domainname
++	if domainname.endswith("_t"):
++		self.domainname = domainname[:-2]
++	else:
++		self.domainname = domainname
++		
++	if self.domainname + "_t" not in alldomains:
++                raise  ValueError("domain %s_t does not exist" % self.domainname)
++        self.short_name = self.domainname
 +        self.type = self.domainname + "_t"
-+        self.man_page_path = "%s/%s_selinux.8" % (path, domainname)
++        self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
 +        self.fd = open(self.man_page_path, 'w')
 +        if domainname in roles:
 +            self.__gen_user_man_page()
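Review bot: The new `if domainname.endswith("_t")` block is tab-indented (one line is a tab followed by spaces, another is a whitespace-only line) inside a method that uses eight-space indentation; Python 2 tolerates the mix, but it fails under `python -tt` and in Python 3, so convert the new lines to spaces. Also `if domainname in roles:` on the line after `self.fd = open(...)` still tests the raw argument while the new code strips a `_t` suffix into `self.domainname`, so a caller passing `staff_t` and one passing `staff` may take different branches; presumably the test should read `if self.domainname in roles:`. The rest of `__init__` is outside the hunk.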
@@ -340787,7 +340715,8 @@ index 0000000..2446be1
 +
 +    def __gen_user_man_page(self):
 +        self.role = self.domainname + "_r"
-+
++	if not modules_dict:
++		modules_dict = _gen_modules_dict()
 +        try:
 +            self.desc = modules_dict[self.domainname]
 +        except:
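Review bot: `modules_dict = _gen_modules_dict()` inside `__gen_user_man_page` makes `modules_dict` a local of that method, so the preceding `if not modules_dict:` raises UnboundLocalError on every call instead of lazily filling the module-level cache that this patch initialises to `None`. Add `global modules_dict` as the first statement of the method, before the check. The two new lines are also tab-indented in a method that otherwise uses spaces. The method continues outside the hunk.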
@@ -344111,26 +344040,22 @@ index 0000000..72f5f65
 +    return slist
 diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py
 new file mode 100644
-index 0000000..46a8415
+index 0000000..ec9c071
 --- /dev/null
 +++ b/policycoreutils/sepolicy/setup.py
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,12 @@
 +#!/usr/bin/env python
 +
 +# Author: Thomas Liu <tliu at redhat.com>
 +# Author: Dan Walsh <dwalsh at redhat.com>
 +import os
 +from distutils.core import setup, Extension
-+info = Extension("sepolicy._info", 
-+                    libraries=["apol", "qpol"],
-+                    sources=[ "info.c"]
-+)
-+search = Extension("sepolicy._search", 
-+                    libraries=["apol", "qpol"],
-+                    sources=[ "search.c"]
++policy = Extension("sepolicy._policy", 
++                   libraries=["apol", "qpol"],
++                   sources=[ "policy.c", "info.c", "search.c"]
 +)
 +
-+setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh at redhat.com", ext_modules=[info, search], packages=["sepolicy", "sepolicy.templates"])
++setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh at redhat.com", ext_modules=[policy], packages=["sepolicy", "sepolicy.templates"])
 diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
 index 4c62b41..01fc818 100644
 --- a/policycoreutils/setfiles/restore.c
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 46b4605..c6cfad7 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Mon Oct 29 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-21
+- Redesign sepolicy to only read the policy file once, not for every call
+
 * Mon Oct 29 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-20
 - Fixes to sepolicy transition, allow it to list all transitions from a domain
 
diff --git a/selinux-polgengui.desktop b/selinux-polgengui.desktop
index bbcb18f..9ca9bb6 100644
--- a/selinux-polgengui.desktop
+++ b/selinux-polgengui.desktop
@@ -64,3 +64,4 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
+_Keywords=policy,security,selinux,avc,permission,mac
diff --git a/system-config-selinux.desktop b/system-config-selinux.desktop
index befdb23..55aae1e 100644
--- a/system-config-selinux.desktop
+++ b/system-config-selinux.desktop
@@ -64,3 +64,4 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
+_Keywords=policy,security,selinux,avc,permission,mac

