[policycoreutils/f19] sepolgen-ifgen needs to handle filename transition rules containing ":"

Daniel J Walsh dwalsh at fedoraproject.org
Thu Mar 21 14:52:45 UTC 2013


commit 9ef13ad6bc09e45285a4a31f41d74f57497bcb2f
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Mar 21 10:52:38 2013 -0400

    sepolgen-ifgen needs to handle filename transition rules containing ":"

 policycoreutils-sepolgen.patch |   97 ++++++++++++++++++++++++++++++++++++++-
 policycoreutils.spec           |    5 ++-
 2 files changed, 98 insertions(+), 4 deletions(-)
---
diff --git a/policycoreutils-sepolgen.patch b/policycoreutils-sepolgen.patch
index 2ac2cb0..644a5b5 100644
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@@ -1,13 +1,104 @@
 diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index d636091..9ca35a7 100644
+index d636091..56919be 100644
 --- a/sepolgen/src/sepolgen/audit.py
 +++ b/sepolgen/src/sepolgen/audit.py
-@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage):
+@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
                  raise ValueError("Error during access vector computation")
  
              if self.type == audit2why.CONSTRAINT:
 -                self.data = []
 +                self.data = [ self.data ]
                  if self.scontext.user != self.tcontext.user:
-                     self.data.append("user")
+-                    self.data.append("user")
++                    self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
                  if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
+-                    self.data.append("role")
++                    self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
+                 if self.scontext.level != self.tcontext.level:
+-                    self.data.append("level")
++                    self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
+ 
+             avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
+ 
+diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
+index cc9f8ea..24062a1 100644
+--- a/sepolgen/src/sepolgen/policygen.py
++++ b/sepolgen/src/sepolgen/policygen.py
+@@ -172,10 +172,10 @@ class PolicyGenerator:
+                     rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+ 
+             if av.type == audit2why.CONSTRAINT:
+-                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
+-                rule.comment += "#Constraint rule: "
+-                for reason in av.data:
+-                    rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
++                rule.comment += "#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n"
++                rule.comment += "#Constraint rule: \n\t" + av.data[0]
++                for reason in av.data[1:]:
++                    rule.comment += "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
+ 
+             try:
+                 if ( av.type == audit2why.TERULE and
+diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
+index 7b76261..a05d9d1 100644
+--- a/sepolgen/src/sepolgen/refparser.py
++++ b/sepolgen/src/sepolgen/refparser.py
+@@ -65,6 +65,7 @@ tokens = (
+     'BAR',
+     'EXPL',
+     'EQUAL',
++    'FILENAME',
+     'IDENTIFIER',
+     'NUMBER',
+     'PATH',
+@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
+     t.lexer.lineno += 1
+ 
+ def t_IDENTIFIER(t):
+-    r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
++    r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
+     # Handle any keywords
+     t.type = reserved.get(t.value,'IDENTIFIER')
+     return t
+ 
++def t_FILENAME(t):
++    r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
++    # Handle any keywords
++    t.type = reserved.get(t.value,'FILENAME')
++    return t
++
+ def t_comment(t):
+     r'\#.*\n'
+     # Ignore all comments
+@@ -450,6 +457,7 @@ def p_interface_call_param(p):
+                             | nested_id_set
+                             | TRUE
+                             | FALSE
++                            | FILENAME
+     '''
+     # Intentionally let single identifiers pass through
+     # List means set, non-list identifier
+@@ -461,6 +469,7 @@ def p_interface_call_param(p):
+ def p_interface_call_param_list(p):
+     '''interface_call_param_list : interface_call_param
+                                  | interface_call_param_list COMMA interface_call_param
++                                 | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
+     '''
+     if len(p) == 2:
+         p[0] = [p[1]]
+@@ -787,6 +796,7 @@ def p_avrule_def(p):
+ 
+ def p_typerule_def(p):
+     '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
++                    | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
+                     | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
+                     | TYPE_CHANGE names names COLON names IDENTIFIER SEMI
+                     | TYPE_MEMBER names names COLON names IDENTIFIER SEMI
+@@ -800,6 +810,7 @@ def p_typerule_def(p):
+     t.tgt_types = p[3]
+     t.obj_classes = p[5]
+     t.dest_type = p[6]
++    t.file_name = p[7]
+     p[0] = t
+ 
+ def p_bool(p):
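Review bot: `t.file_name = p[7]` in p_typerule_def is assigned unconditionally, but only the two eight-symbol TYPE_TRANSITION productions have a seventh symbol that is a file name; for the seven-symbol forms (including TYPE_CHANGE and TYPE_MEMBER) p[7] is the SEMI token, so `t.file_name` ends up holding `;`. Guard on the production length instead, e.g. `t.file_name = p[7] if len(p) == 9 else None`, so callers can distinguish a real file name from no file name. The start of p_typerule_def's body (the `t = ...` construction and rule_type assignment) is outside the hunk, so it may already normalise this, but nothing visible here does. Separately, the new production added to p_interface_call_param_list (`interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list`) is already covered by the existing left-recursive alternative and right-recurses on the same non-terminal, which is likely to generate parser conflicts and leaves p[5] unhandled by the `len(p) == 2` / else action whose tail lies outside the hunk; dropping that alternative keeps the grammar unambiguous.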
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 2252080..dc2c772 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -309,6 +309,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Thu Mar 21 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-24
+- sepolgen-ifgen needs to handle filename transition rules containing ":"
+
 * Tue Mar 19 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-23
 - sepolicy manpage:
 -   use nroff instead of man2html

