[policycoreutils] Fix sepolicy generate --confined_admin to generate tunables
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Jun 6 18:06:05 UTC 2013
commit b8c1b26e165effb3ae713415b38c5302045f8eae
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Jun 6 14:05:52 2013 -0400
Fix sepolicy generate --confined_admin to generate tunables
- Add new interface to generate entrypoints for use with new gui
policycoreutils-rhat.patch | 117 +++++++++++++++++++++++++++-----------------
policycoreutils.spec | 6 ++-
2 files changed, 77 insertions(+), 46 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index bd3a750..e2fdd76 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -250524,7 +250524,7 @@ index b25d3b2..a0b262b 100755
except KeyboardInterrupt:
sys.exit(0)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
-index 5e7415c..c288a11 100644
+index 5e7415c..92a6b88 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -7,6 +7,9 @@ import _policy
@@ -250537,7 +250537,7 @@ index 5e7415c..c288a11 100644
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
-@@ -37,9 +40,30 @@ CLASS = 'class'
+@@ -37,9 +40,75 @@ CLASS = 'class'
TRANSITION = 'transition'
ROLE_ALLOW = 'role_allow'
@@ -250563,6 +250563,51 @@ index 5e7415c..c288a11 100644
+ dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
+ return dict_list
+
++fcdict=None
++def get_fcdict(fc_path = selinux.selinux_file_context_path()):
++ global fcdict
++ if fcdict:
++ return fcdict
++ fd = open(fc_path, "r")
++ fc = fd.readlines()
++ fd.close()
++ fd = open(fc_path+".homedirs", "r")
++ fc += fd.readlines()
++ fd.close()
++ fcdict = {}
++ for i in fc:
++ rec = i.split()
++ try:
++ t = rec[-1].split(":")[2]
++ if t in fcdict:
++ fcdict[t].append(rec[0])
++ else:
++ fcdict[t] = [ rec[0] ]
++ except:
++ pass
++ fcdict["logfile"] = [ "all log files" ]
++ fcdict["user_tmp_type"] = [ "all user tmp files" ]
++ fcdict["user_home_type"] = [ "all user home files" ]
++ fcdict["virt_image_type"] = [ "all virtual image files" ]
++ fcdict["noxattrfs"] = [ "all files on file systems which do not support extended attributes" ]
++ fcdict["sandbox_tmpfs_type"] = [ "all sandbox content in tmpfs file systems" ]
++ fcdict["user_tmpfs_type"] = [ "all user content in tmpfs file systems" ]
++ fcdict["file_type"] = [ "all files on the system" ]
++ fcdict["samba_share_t"] = [ "use this label for random content that will be shared using samba" ]
++ return fcdict
++
++def get_entrypoint_types(setype):
++ entrypoints = None
++ entrypoints = map(lambda x: x['target'], search([ALLOW],{'source':setype, 'permlist':['entrypoint'], 'class':'file'}))
++ return entrypoints
++
++def get_all_entrypoints(setype):
++ fcdict = get_fcdict()
++ mpaths = {}
++ for f in get_entrypoint_types(setype):
++ mpaths[f] = fcdict[f]
++ return mpaths
++
+def get_installed_policy(root = "/"):
try:
- path = selinux.selinux_binary_policy_path()
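Review bot: `get_all_entrypoints` indexes `fcdict[f]` directly, so an entrypoint type returned by the policy search that has no entry in the file-context files raises KeyError and the caller gets no mapping at all; `mpaths[f] = fcdict.get(f, [])` would keep the type visible with an empty path list. In `get_fcdict` the bare `except: pass` hides every failure, not only blank or malformed lines, so the label-to-path map shown to an administrator can be silently incomplete; `except IndexError:` covers the split-and-index it guards. The `if fcdict:` cache ignores `fc_path`, so a later call with a different path returns the first file's data, and the default path is computed once at import time. The two `open()` calls have no cleanup on error, and a missing `.homedirs` file aborts the whole function; whether that file is guaranteed to exist is not visible from this hunk.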
@@ -250570,7 +250615,7 @@ index 5e7415c..c288a11 100644
policies = glob.glob ("%s.*" % path )
policies.sort()
return policies[-1]
-@@ -47,6 +71,27 @@ def __get_installed_policy():
+@@ -47,6 +116,27 @@ def __get_installed_policy():
pass
raise ValueError(_("No SELinux Policy installed"))
@@ -250598,7 +250643,7 @@ index 5e7415c..c288a11 100644
all_types = None
def get_all_types():
global all_types
-@@ -54,6 +99,13 @@ def get_all_types():
+@@ -54,6 +144,13 @@ def get_all_types():
all_types = map(lambda x: x['name'], info(TYPE))
return all_types
@@ -250612,7 +250657,7 @@ index 5e7415c..c288a11 100644
role_allows = None
def get_all_role_allows():
global role_allows
-@@ -71,6 +123,7 @@ def get_all_role_allows():
+@@ -71,6 +168,7 @@ def get_all_role_allows():
return role_allows
def get_all_entrypoint_domains():
@@ -250620,7 +250665,7 @@ index 5e7415c..c288a11 100644
all_domains = []
types=get_all_types()
types.sort()
-@@ -81,11 +134,54 @@ def get_all_entrypoint_domains():
+@@ -81,11 +179,54 @@ def get_all_entrypoint_domains():
all_domains.append(m[0])
return all_domains
@@ -250676,7 +250721,7 @@ index 5e7415c..c288a11 100644
return all_domains
roles = None
-@@ -139,50 +235,62 @@ def get_all_attributes():
+@@ -139,50 +280,62 @@ def get_all_attributes():
return all_attributes
def policy(policy_file):
@@ -250764,7 +250809,7 @@ index 5e7415c..c288a11 100644
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
global booleans_dict
if booleans_dict:
-@@ -191,7 +299,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
+@@ -191,7 +344,7 @@ def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
import re
booleans_dict = {}
try:
@@ -251739,48 +251784,30 @@ index 0000000..3a3faa6
+
+"""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
-index 79f3997..9c9439c 100644
+index 79f3997..1ff9d2c 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/user.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
-@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE)
- te_admin_user_types="""\
+@@ -71,11 +71,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
+ te_root_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)
-+## <desc>
-+## <p>
-+## Allow TEMPLATETYPE to read files in the user home directory
-+## </p>
-+## </desc>
-+gen_tunable(TEMPLATETYPE_read_user_files, false)
-+
-+## <desc>
-+## <p>
-+## Allow TEMPLATETYPE to manage files in the user home directory
-+## </p>
-+## </desc>
-+gen_tunable(TEMPLATETYPE_manage_user_files, false)
-+
- ########################################
- #
- # Declarations
-@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
- # Declarations
- #
-
--## <desc>
--## <p>
--## Allow TEMPLATETYPE to read files in the user home directory
--## </p>
--## </desc>
--gen_tunable(TEMPLATETYPE_read_user_files, false)
--
--## <desc>
--## <p>
--## Allow TEMPLATETYPE to manage files in the user home directory
--## </p>
--## </desc>
--gen_tunable(TEMPLATETYPE_manage_user_files, false)
+-########################################
+-#
+-# Declarations
+-#
-
+ ## <desc>
+ ## <p>
+ ## Allow TEMPLATETYPE to read files in the user home directory
+@@ -90,6 +85,11 @@ gen_tunable(TEMPLATETYPE_read_user_files, false)
+ ## </desc>
+ gen_tunable(TEMPLATETYPE_manage_user_files, false)
+
++########################################
++#
++# Declarations
++#
++
userdom_base_user_template(TEMPLATETYPE)
"""
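Review bot: The commit message says --confined_admin should now generate tunables, but the new side of this hunk drops the two `gen_tunable(...)` additions to `te_admin_user_types` and only moves the "Declarations" banner below the tunables in `te_root_user_types`. Which template --confined_admin renders is not visible here, so please confirm that rules referencing `TEMPLATETYPE_read_user_files` and `TEMPLATETYPE_manage_user_files` are only emitted together with a template that declares them; an undeclared boolean would presumably fail at policy build. A one-line comment in user.py stating which generate modes use `te_root_user_types` would make the intent checkable.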
diff --git a/policycoreutils.spec b/policycoreutils.spec
index b0a4f23..fc43a68 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
-Release: 49%{?dist}
+Release: 50%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -311,6 +311,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
+* Thu Jun 6 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-50
+- Fix sepolicy generate --confined_admin to generate tunables
+- Add new interface to generate entrypoints for use with new gui
+
* Wed Jun 5 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-49
- Fix handing of semanage with no args