[policycoreutils] Fix sepolicy generate --confined_admin to generate tunables

Daniel J Walsh dwalsh at fedoraproject.org
Thu Jun 6 18:06:05 UTC 2013


commit b8c1b26e165effb3ae713415b38c5302045f8eae
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Jun 6 14:05:52 2013 -0400

    Fix sepolicy generate --confined_admin to generate tunables
    
    - Add new interface to generate entrypoints for use with new gui

 policycoreutils-rhat.patch |  117 +++++++++++++++++++++++++++-----------------
 policycoreutils.spec       |    6 ++-
 2 files changed, 77 insertions(+), 46 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index bd3a750..e2fdd76 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -250524,7 +250524,7 @@ index b25d3b2..a0b262b 100755
      except KeyboardInterrupt:
          sys.exit(0)
 diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
-index 5e7415c..c288a11 100644
+index 5e7415c..92a6b88 100644
 --- a/policycoreutils/sepolicy/sepolicy/__init__.py
 +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
 @@ -7,6 +7,9 @@ import _policy
@@ -250537,7 +250537,7 @@ index 5e7415c..c288a11 100644
  gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
  gettext.textdomain(PROGNAME)
  try:
-@@ -37,9 +40,30 @@ CLASS = 'class'
+@@ -37,9 +40,75 @@ CLASS = 'class'
  TRANSITION = 'transition'
  ROLE_ALLOW = 'role_allow'
  
@@ -250563,6 +250563,51 @@ index 5e7415c..c288a11 100644
 +        dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
 +    return dict_list
 +
++fcdict=None
++def get_fcdict(fc_path = selinux.selinux_file_context_path()):
++	global fcdict
++	if fcdict:
++		return fcdict
++	fd = open(fc_path, "r")
++	fc = fd.readlines()
++	fd.close()
++	fd = open(fc_path+".homedirs", "r")
++	fc += fd.readlines()
++	fd.close()
++	fcdict = {}
++	for i in fc:
++		rec = i.split()
++		try:
++			t = rec[-1].split(":")[2]
++			if t in fcdict:
++				fcdict[t].append(rec[0])
++			else:
++				fcdict[t] = [ rec[0] ]
++		except:
++			pass
++	fcdict["logfile"] = [ "all log files" ]
++	fcdict["user_tmp_type"] = [ "all user tmp files" ]
++	fcdict["user_home_type"] = [ "all user home files" ]
++	fcdict["virt_image_type"] = [ "all virtual image files" ]
++	fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ]
++	fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ]
++	fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ]
++	fcdict["file_type"] = [ "all files on the system" ]
++	fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
++	return fcdict
++
++def get_entrypoint_types(setype):
++    entrypoints = None
++    entrypoints = map(lambda x: x['target'], search([ALLOW],{'source':setype,  'permlist':['entrypoint'], 'class':'file'}))
++    return entrypoints
++
++def get_all_entrypoints(setype):
++    fcdict = get_fcdict()
++    mpaths = {}
++    for f in get_entrypoint_types(setype):
++        mpaths[f] = fcdict[f]
++    return mpaths
++
 +def get_installed_policy(root = "/"):
      try:
 -        path = selinux.selinux_binary_policy_path()
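Review bot: `get_all_entrypoints` raises KeyError at `mpaths[f] = fcdict[f]` for any type returned by `get_entrypoint_types` that has no entry in the parsed file_contexts data, and nothing in the hunk guards against that; `mpaths[f] = fcdict.get(f, [])` keeps the type in the result with an empty path list instead of aborting the whole listing. In `get_fcdict`, the bare `except: pass` around the context parsing also swallows KeyboardInterrupt and SystemExit, while the only failure it needs to tolerate is the IndexError from an empty line or a context with no type field (for example `<<none>>`), so `except IndexError: pass` is the narrower form. The two `open()`/`readlines()`/`close()` sequences leave the handle open if `readlines()` raises, and the `fcdict` module cache ignores `fc_path` on every call after the first, so a caller passing a different path silently gets the first file's data; reading each file under `with open(fc_path) as fd:` and keying the cache on the path would cover both. The trailing context lines belong to `get_installed_policy`, whose body continues outside the hunk.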
@@ -250570,7 +250615,7 @@ index 5e7415c..c288a11 100644
          policies = glob.glob ("%s.*" % path )
          policies.sort()
          return policies[-1]
-@@ -47,6 +71,27 @@ def __get_installed_policy():
+@@ -47,6 +116,27 @@ def __get_installed_policy():
          pass
      raise ValueError(_("No SELinux Policy installed"))
          
@@ -250598,7 +250643,7 @@ index 5e7415c..c288a11 100644
  all_types = None
  def get_all_types():
      global all_types
-@@ -54,6 +99,13 @@ def get_all_types():
+@@ -54,6 +144,13 @@ def get_all_types():
          all_types = map(lambda x: x['name'], info(TYPE))
      return all_types
  
@@ -250612,7 +250657,7 @@ index 5e7415c..c288a11 100644
  role_allows = None
  def get_all_role_allows():
  	global role_allows
-@@ -71,6 +123,7 @@ def get_all_role_allows():
+@@ -71,6 +168,7 @@ def get_all_role_allows():
  	return role_allows
  
  def get_all_entrypoint_domains():
@@ -250620,7 +250665,7 @@ index 5e7415c..c288a11 100644
      all_domains = []
      types=get_all_types()
      types.sort()
-@@ -81,11 +134,54 @@ def get_all_entrypoint_domains():
+@@ -81,11 +179,54 @@ def get_all_entrypoint_domains():
                  all_domains.append(m[0])
      return all_domains
  
@@ -250676,7 +250721,7 @@ index 5e7415c..c288a11 100644
  	return all_domains
  
  roles = None
-@@ -139,50 +235,62 @@ def get_all_attributes():
+@@ -139,50 +280,62 @@ def get_all_attributes():
  	return all_attributes
  
  def policy(policy_file):
@@ -250764,7 +250809,7 @@ index 5e7415c..c288a11 100644
  def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
          global booleans_dict
          if booleans_dict:
-@@ -191,7 +299,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
+@@ -191,7 +344,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
  	import re
  	booleans_dict = {}
  	try:
@@ -251739,48 +251784,30 @@ index 0000000..3a3faa6
 +
 +"""
 diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
-index 79f3997..9c9439c 100644
+index 79f3997..1ff9d2c 100644
 --- a/policycoreutils/sepolicy/sepolicy/templates/user.py
 +++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
-@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE)
- te_admin_user_types="""\
+@@ -71,11 +71,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
+ te_root_user_types="""\
  policy_module(TEMPLATETYPE, 1.0.0)
  
-+## <desc>
-+## <p>
-+## Allow TEMPLATETYPE to read files in the user home directory
-+## </p>
-+## </desc>
-+gen_tunable(TEMPLATETYPE_read_user_files, false)
-+
-+## <desc>
-+## <p>
-+## Allow TEMPLATETYPE to manage files in the user home directory
-+## </p>
-+## </desc>
-+gen_tunable(TEMPLATETYPE_manage_user_files, false)
-+
- ########################################
- #
- # Declarations
-@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
- # Declarations
- #
- 
--## <desc>
--## <p>
--## Allow TEMPLATETYPE to read files in the user home directory
--## </p>
--## </desc>
--gen_tunable(TEMPLATETYPE_read_user_files, false)
--
--## <desc>
--## <p>
--## Allow TEMPLATETYPE to manage files in the user home directory
--## </p>
--## </desc>
--gen_tunable(TEMPLATETYPE_manage_user_files, false)
+-########################################
+-#
+-# Declarations
+-#
 -
+ ## <desc>
+ ## <p>
+ ## Allow TEMPLATETYPE to read files in the user home directory
+@@ -90,6 +85,11 @@ gen_tunable(TEMPLATETYPE_read_user_files, false)
+ ## </desc>
+ gen_tunable(TEMPLATETYPE_manage_user_files, false)
+ 
++########################################
++#
++# Declarations
++#
++
  userdom_base_user_template(TEMPLATETYPE)
  """
  
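Review bot: The reworked template change no longer adds the two `gen_tunable` declarations to `te_admin_user_types` (the dropped hunk against line 34 did), and what remains only moves the `# Declarations` banner below the existing tunables in `te_root_user_types`; if nothing outside this view adds the tunables to the admin template, the `--confined_admin` output would still lack `TEMPLATETYPE_read_user_files` and `TEMPLATETYPE_manage_user_files`, so it is worth confirming which template string that option renders. The reason for reordering the banner is not stated anywhere in the hunk; a one-line comment above the moved block such as `# tunable declarations precede the Declarations section, matching refpolicy layout` would record it, assuming that is the motivation.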
diff --git a/policycoreutils.spec b/policycoreutils.spec
index b0a4f23..fc43a68 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 49%{?dist}
+Release: 50%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -311,6 +311,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Thu Jun 6 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-50
+- Fix sepolicy generate --confined_admin to generate tunables
+- Add new interface to generate entrypoints for use with new gui
+
 * Wed Jun 5 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-49
 - Fix handing of semanage with no args
 

