rpms/policycoreutils/devel .cvsignore, 1.106, 1.107 policycoreutils-rhat.patch, 1.180, 1.181 policycoreutils.spec, 1.257, 1.258 sources, 1.110, 1.111
fedora-cvs-commits at redhat.com
Fri Apr 14 11:51:04 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/policycoreutils/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv4075
Modified Files:
.cvsignore policycoreutils-rhat.patch policycoreutils.spec
sources
Log Message:
* Fri Apr 14 2006 Dan Walsh <dwalsh at redhat.com> 1.30.5-1
- Update from upstream
* Added a test to setfiles to check that the spec file is
a regular file.
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/.cvsignore,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -r1.106 -r1.107
--- .cvsignore 29 Mar 2006 20:39:44 -0000 1.106
+++ .cvsignore 14 Apr 2006 11:51:02 -0000 1.107
@@ -96,3 +96,4 @@
policycoreutils-1.30.tgz
policycoreutils-1.30.1.tgz
policycoreutils-1.30.4.tgz
+policycoreutils-1.30.5.tgz
policycoreutils-rhat.patch:
audit2allow/audit2allow | 471 ++-------------------------------------
audit2allow/audit2allow.1 | 5
audit2allow/avc.py | 518 +++++++++++++++++++++++++++++++++++++++++++
restorecond/restorecond.conf | 1
semanage/semanage | 18 +
semanage/seobject.py | 30 +-
setsebool/setsebool.8 | 2
7 files changed, 592 insertions(+), 453 deletions(-)
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.180
retrieving revision 1.181
diff -u -r1.180 -r1.181
--- policycoreutils-rhat.patch 5 Apr 2006 13:11:54 -0000 1.180
+++ policycoreutils-rhat.patch 14 Apr 2006 11:51:02 -0000 1.181
@@ -1,18 +1,546 @@
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.30.4/audit2allow/audit2allow
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-1.30.5/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2006-03-29 15:35:22.000000000 -0500
-+++ policycoreutils-1.30.4/audit2allow/audit2allow 2006-04-05 08:59:26.000000000 -0400
-@@ -577,7 +577,7 @@
++++ policycoreutils-1.30.5/audit2allow/audit2allow 2006-04-14 07:44:00.000000000 -0400
+@@ -24,431 +24,8 @@
+ # 02111-1307 USA
+ #
+ #
+-import commands, sys, os, pwd, string, getopt, re, selinux
+-
+-obj="(\{[^\}]*\}|[^ \t:]*)"
+-allow_regexp="(allow|dontaudit)[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj)
+-awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\
+- IFACEFILE=FILENAME\n\
+- IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\
+- IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\
+-}\n\
+-\n\
+-/^[[:blank:]]*(allow|dontaudit)[[:blank:]]+.*;[[:blank:]]*$/ {\n\
+-\n\
+- if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\
+- ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\
+- ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\
+- print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\
+- }\n\
+-}\
+-'
+-
+-class accessTrans:
+- def __init__(self):
+- self.dict={}
+- try:
+- fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt")
+- except IOError, error:
+- raise IOError("Reference policy generation requires the policy development package.\n%s" % error)
+- records=fd.read().split("\n")
+- regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'"
+- for r in records:
+- m=re.match(regexp,r)
+- if m!=None:
+- self.dict[m.groups()[0]] = m.groups()[1].split()
+- fd.close()
+- def get(self, var):
+- l=[]
+- for v in var:
+- if v in self.dict.keys():
+- l += self.dict[v]
+- else:
+- if v not in ("{", "}"):
+- l.append(v)
+- return l
+-
+-class interfaces:
+- def __init__(self):
+- self.dict={}
+- trans=accessTrans()
+- (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null")
+- input.write(awk_script)
+- input.close()
+- records=output.read().split("\n")
+- input.close()
+- if len(records) > 0:
+- regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp
+- for r in records:
+- m=re.match(regexp,r)
+- if m==None:
+- continue
+- val=m.groups()
+- file=os.path.basename(val[0]).split(".")[0]
+- iface=val[1]
+- Scon=val[3].split()
+- Tcon=val[4].split()
+- Class=val[5].split()
+- Access=trans.get(val[6].split())
+- for s in Scon:
+- for t in Tcon:
+- for c in Class:
+- if (s, t, c) not in self.dict.keys():
+- self.dict[(s, t, c)]=[]
+- self.dict[(s, t, c)].append((Access, file, iface))
+- def out(self):
+- keys=self.dict.keys()
+- keys.sort()
+- for k in keys:
+- print k
+- for i in self.dict[k]:
+- print "\t", i
+-
+- def match(self, Scon, Tcon, Class, Access):
+- keys=self.dict.keys()
+- ret=[]
+- if (Scon, Tcon, Class) in keys:
+- for i in self.dict[(Scon, Tcon, Class)]:
+- if Access in i[0]:
+- if i[2].find(Access) >= 0:
+- ret.insert(0, i)
+- else:
+- ret.append(i)
+- return ret
+- if ("$1", Tcon, Class) in keys:
+- for i in self.dict[("$1", Tcon, Class)]:
+- if Access in i[0]:
+- if i[2].find(Access) >= 0:
+- ret.insert(0, i)
+- else:
+- ret.append(i)
+- return ret
+- if (Scon, "$1", Class) in keys:
+- for i in self.dict[(Scon, "$1", Class)]:
+- if Access in i[0]:
+- if i[2].find(Access) >= 0:
+- ret.insert(0, i)
+- else:
+- ret.append(i)
+- return ret
+- else:
+- return ret
+-
+-
+-class serule:
+- def __init__(self, type, source, target, seclass):
+- self.type=type
+- self.source=source
+- self.target=target
+- self.seclass=seclass
+- self.avcinfo={}
+- self.iface=None
+-
+- def add(self, avc):
+- for a in avc[0]:
+- if a not in self.avcinfo.keys():
+- self.avcinfo[a]=[]
+-
+- self.avcinfo[a].append(avc[1:])
+-
+- def getAccess(self):
+- if len(self.avcinfo.keys()) == 1:
+- for i in self.avcinfo.keys():
+- return i
+- else:
+- keys=self.avcinfo.keys()
+- keys.sort()
+- ret="{"
+- for i in keys:
+- ret=ret + " " + i
+- ret=ret+" }"
+- return ret
+- def out(self, verbose=0):
+- ret=""
+- ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess())
+- if verbose:
+- keys=self.avcinfo.keys()
+- keys.sort()
+- for i in keys:
+- for x in self.avcinfo[i]:
+- ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0]
+- if len(x[1]):
+- ret=ret+"COMM=%s " % x[1]
+- if len(x[2]):
+- ret=ret+"NAME=%s " % x[2]
+- ret=ret + " : " + i
+- return ret
+-
+- def gen_reference_policy(self, iface):
+- ret=""
+- Scon=self.source
+- Tcon=self.gettarget()
+- Class=self.seclass
+- Access=self.getAccess()
+- m=iface.match(Scon,Tcon,Class,Access)
+- if len(m)==0:
+- return self.out()
+- else:
+- file=m[0][1]
+- ret="\n#%s\n"% self.out()
+- ret += "optional_policy(`%s', `\n" % m[0][1]
+- first=True
+- for i in m:
+- if file != i[1]:
+- ret += "')\ngen_require(`%s', `\n" % i[1]
+- file = i[1]
+- first=True
+- if first:
+- ret += "\t%s(%s)\n" % (i[2], Scon)
+- first=False
+- else:
+- ret += "#\t%s(%s)\n" % (i[2], Scon)
+- ret += "');"
+- return ret
+-
+- def gettarget(self):
+- if self.source == self.target:
+- return "self"
+- else:
+- return self.target
+-
+-class seruleRecords:
+- def __init__(self, input, last_reload=0, verbose=0, te_ind=0):
+- self.last_reload=last_reload
+- self.initialize()
+- self.load(input, te_ind)
+- self.gen_ref_policy = False
+-
+- def initialize(self):
+- self.seRules={}
+- self.seclasses={}
+- self.types=[]
+- self.roles=[]
+-
+- def gen_reference_policy(self):
+- self.gen_ref_policy = True
+- self.iface=interfaces()
+-
+- def warning(self, error):
+- sys.stderr.write("%s: " % sys.argv[0])
+- sys.stderr.write("%s\n" % error)
+- sys.stderr.flush()
+-
+- def load(self, input, te_ind=0):
+- VALID_CMDS=("allow", "dontaudit", "auditallow", "role")
+-
+- avc=[]
+- found=0
+- line = input.readline()
+- if te_ind:
+- while line:
+- rec=line.split()
+- if len(rec) and rec[0] in VALID_CMDS:
+- self.add_terule(line)
+- line = input.readline()
+-
+- else:
+- while line:
+- rec=line.split()
+- for i in rec:
+- if i=="avc:" or i=="message=avc:" or i=="msg='avc:":
+-
+- found=1
+- else:
+- avc.append(i)
+- if found:
+- self.add(avc)
+- found=0
+- avc=[]
+- line = input.readline()
+-
+-
+- def get_target(self, i, rule):
+- target=[]
+- if rule[i][0] == "{":
+- for t in rule[i].split("{"):
+- if len(t):
+- target.append(t)
+- i=i+1
+- for s in rule[i:]:
+- if s.find("}") >= 0:
+- for s1 in s.split("}"):
+- if len(s1):
+- target.append(s1)
+- i=i+1
+- return (i, target)
+-
+- target.append(s)
+- i=i+1
+- else:
+- if rule[i].find(";") >= 0:
+- for s1 in rule[i].split(";"):
+- if len(s1):
+- target.append(s1)
+- else:
+- target.append(rule[i])
+-
+- i=i+1
+- return (i, target)
+-
+- def rules_split(self, rules):
+- (idx, target ) = self.get_target(0, rules)
+- (idx, subject) = self.get_target(idx, rules)
+- return (target, subject)
+-
+- def add_terule(self, rule):
+- rc = rule.split(":")
+- rules=rc[0].split()
+- type=rules[0]
+- if type == "role":
+- print type
+- (sources, targets) = self.rules_split(rules[1:])
+- rules=rc[1].split()
+- (seclasses, access) = self.rules_split(rules)
+- for scon in sources:
+- for tcon in targets:
+- for seclass in seclasses:
+- self.add_rule(type, scon, tcon, seclass,access)
+-
+- def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""):
+- self.add_seclass(seclass, access)
+- self.add_type(tcon)
+- self.add_type(scon)
+- if (rule_type, scon, tcon, seclass) not in self.seRules.keys():
+- self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass)
+-
+- self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name ))
+-
+- def add(self,avc):
+- scon=""
+- tcon=""
+- seclass=""
+- comm=""
+- name=""
+- msg=""
+- access=[]
+- if "security_compute_sid" in avc:
+- return
+-
+- if "load_policy" in avc and self.last_reload:
+- self.initialize()
+-
+- if "granted" in avc:
+- return
+- try:
+- for i in range (0, len(avc)):
+- if avc[i]=="{":
+- i=i+1
+- while i<len(avc) and avc[i] != "}":
+- access.append(avc[i])
+- i=i+1
+- continue
+-
+- t=avc[i].split('=')
+- if len(t) < 2:
+- continue
+- if t[0]=="scontext":
+- context=t[1].split(":")
+- scon=context[2]
+- srole=context[1]
+- continue
+- if t[0]=="tcontext":
+- context=t[1].split(":")
+- tcon=context[2]
+- trole=context[1]
+- continue
+- if t[0]=="tclass":
+- seclass=t[1]
+- continue
+- if t[0]=="comm":
+- comm=t[1]
+- continue
+- if t[0]=="name":
+- name=t[1]
+- continue
+- if t[0]=="msg":
+- msg=t[1]
+- continue
+-
+- if scon=="" or tcon =="" or seclass=="":
+- return
+- except IndexError, e:
+- self.warning("Bad AVC Line: %s" % avc)
+- return
+-
+- self.add_role(srole)
+- self.add_role(trole)
+- self.add_rule("allow", scon, tcon, seclass, access, msg, comm, name)
+-
+- def add_seclass(self,seclass, access):
+- if seclass not in self.seclasses.keys():
+- self.seclasses[seclass]=[]
+- for a in access:
+- if a not in self.seclasses[seclass]:
+- self.seclasses[seclass].append(a)
+-
+- def add_role(self,role):
+- if role not in self.roles:
+- self.roles.append(role)
+-
+- def add_type(self,type):
+- if type not in self.types:
+- self.types.append(type)
+-
+- def gen_module(self, module):
+- if self.gen_ref_policy:
+- return "policy_module(%s, 1.0);" % module
+- else:
+- return "module %s 1.0;" % module
+-
+- def gen_requires(self):
+- self.roles.sort()
+- self.types.sort()
+- keys=self.seclasses.keys()
+- keys.sort()
+- rec="\n\nrequire {\n"
+-# if len(self.roles) > 0:
+-# for i in self.roles:
+-# rec += "\trole %s; \n" % i
+-# rec += "\n"
+-#
+- for i in keys:
+- access=self.seclasses[i]
+- if len(access) > 1:
+- access.sort()
+- rec += "\tclass %s {" % i
+- for a in access:
+- rec += " %s" % a
+- rec += " }; \n"
+- else:
+- rec += "\tclass %s %s;\n" % (i, access[0])
+-
+- rec += "\n"
+-
+- for i in self.types:
+- rec += "\ttype %s; \n" % i
+- rec += "};\n\n"
+- return rec
+-
+- def out(self, require=0, module=""):
+- rec=""
+- if len(self.seRules.keys())==0:
+- raise(ValueError("No AVC messages found."))
+- if module != "":
+- rec += self.gen_module(module)
+- rec += self.gen_requires()
+- else:
+- if requires:
+- rec+=self.gen_requires()
+-
+- keys=self.seRules.keys()
+- keys.sort()
+- for i in keys:
+- if self.gen_ref_policy:
+- rec += self.seRules[i].gen_reference_policy(self.iface)+"\n"
+- else:
+- rec += self.seRules[i].out(verbose)+"\n"
+- return rec
++import commands, sys, os, getopt, selinux
++from avc import *
+
+ if __name__ == '__main__':
+
+@@ -469,10 +46,11 @@
+ -M generate loadable module package, conflicts with -o\n\
+ -o, --output append output to <outputfile>, conflicts with -M\n\
+ -r, --requires generate require output \n\
+- -t, --tefile Indicates input is Existing Type Enforcement file\n\
++ -t, --tefile Add input from Existing Type Enforcement file\n\
+ -f, --fcfile Existing Type Enforcement file, requires -M\n\
+ -v, --verbose verbose output\n\
+- '
++ -A, --analyze Analyze output\n\
++ '
+ if msg != "":
+ print msg
+ sys.exit(1)
+@@ -498,13 +76,15 @@
+ input_ind=0
+ output_ind=0
+ ref_ind=False
+- te_ind=0
++ analyze=False
++ te_inputs=[]
+
+ fc_file=""
+ gopts, cmds = getopt.getopt(sys.argv[1:],
+- 'adf:hi:lm:M:o:rtvR',
++ 'Aadf:hi:lm:M:o:rt:vR',
+ ['all',
+- 'dmesg',
++ 'analyze',
++ 'dmesg',
+ 'fcfile=',
+ 'help',
+ 'input=',
+@@ -513,12 +93,12 @@
+ 'output=',
+ 'requires',
+ 'reference',
+- 'tefile',
++ 'tefile=',
+ 'verbose'
+ ])
+ for o,a in gopts:
+ if o == "-a" or o == "--all":
+- if input_ind or te_ind:
++ if input_ind:
+ usage()
+ input=open("/var/log/messages", "r")
+ auditlogs=1
+@@ -551,9 +131,8 @@
+ if o == "-r" or o == "--requires":
+ requires=1
+ if o == "-t" or o == "--tefile":
+- if auditlogs:
+- usage()
+- te_ind=1
++ te_inputs.append(open(a, "r"))
++
+ if o == "-R" or o == "--reference":
+ ref_ind=True
+
+@@ -565,25 +144,37 @@
+ if o == "-v" or o == "--verbose":
+ verbose=1
+
++ if o == "-A" or o == "--analyze":
++ analyze=True
++
+ if len(cmds) != 0:
+ usage()
+
+ if fc_file != "" and not buildPP:
+ usage("Error %s: Option -fc requires -M" % sys.argv[0])
+
+- out=seruleRecords(input, last_reload, verbose, te_ind)
++ serules=SERules(last_reload, verbose)
++
++ for i in te_inputs:
++ te=TERules(serules)
++ te.load(i)
++
++ serules.load(input)
+
+
if ref_ind:
- out.gen_reference_policy()
+- out.gen_reference_policy()
++ serules.gen_reference_policy()
++
++ if analyze:
++ serules.analyze()
- if auditlogs:
+ if auditlogs and os.path.exists("/var/log/audit/audit.log"):
input=os.popen("ausearch -m avc")
- out.load(input)
+- out.load(input)
++ serules.load(input)
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.30.4/audit2allow/audit2allow.1
+ if buildPP:
+ print ("Generating type enforcment file: %s.te" % module)
+- output.write(out.out(requires, module))
++ output.write(serules.out(requires, module))
+ output.flush()
+ if buildPP:
+ cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module)
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-1.30.5/audit2allow/audit2allow.1
--- nsapolicycoreutils/audit2allow/audit2allow.1 2006-03-10 09:48:04.000000000 -0500
-+++ policycoreutils-1.30.4/audit2allow/audit2allow.1 2006-04-05 09:09:05.000000000 -0400
++++ policycoreutils-1.30.5/audit2allow/audit2allow.1 2006-04-14 07:44:00.000000000 -0400
@@ -98,6 +98,11 @@
.PP
.SH EXAMPLE
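Review bot: in the audit2allow main-program part of this hunk the new `if analyze: serules.analyze()` block runs before the `if auditlogs and os.path.exists("/var/log/audit/audit.log")` branch that loads `ausearch -m avc`, and `SERules.analyze()` ends with `sys.exit(0)` (see the avc.py half of this patch), so with `-a -A` the AVCs from audit.log are never analyzed; move the analyze step after the last `serules.load(input)`. The new `-t` handling, `te_inputs.append(open(a, "r"))`, has no error handling, so a missing or unreadable TE file surfaces as a raw IOError traceback rather than a usage message; wrap it as the other option handlers do. Dropping the old `if auditlogs: usage()` check for `-t` is consistent with the new help text ("Add input from Existing Type Enforcement file"), but the `-A, --analyze Analyze output` help line should say what is analyzed (the collected AVC messages, via the plugins under /usr/share/selinux/plugins).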
@@ -25,18 +553,612 @@
.B Using audit2allow to generate monolithic (non-module) policy
$ cd /etc/selinux/$SELINUXTYPE/src/policy
$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.30.4/restorecond/restorecond.conf
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/audit2allow/avc.py policycoreutils-1.30.5/audit2allow/avc.py
+--- nsapolicycoreutils/audit2allow/avc.py 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-1.30.5/audit2allow/avc.py 2006-04-14 07:44:00.000000000 -0400
+@@ -0,0 +1,518 @@
++#! /usr/bin/env python
++# Copyright (C) 2006 Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# avc.py is a plugin modules used by audit2allow and other objects to process
++# avc messages from the log files
++#
++# Based off original audit2allow perl script: which credits
++# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith at mcs.drexel.edu)
++# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam at users.sourceforge.jp)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License as
++# published by the Free Software Foundation; either version 2 of
++# the License, or (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++# 02111-1307 USA
++#
++#
++import sys, os, pwd, string, re, selinux
++
++obj="(\{[^\}]*\}|[^ \t:]*)"
++allow_regexp="(allow|dontaudit)[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj)
++awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\
++ IFACEFILE=FILENAME\n\
++ IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\
++ IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\
++}\n\
++\n\
++/^[[:blank:]]*(allow|dontaudit)[[:blank:]]+.*;[[:blank:]]*$/ {\n\
++\n\
++ if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\
++ ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\
++ ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\
++ print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\
++ }\n\
++}\
++'
++
++class context:
++ def __init__(self, scontext):
++ self.scontext=scontext
++ con=scontext.split(":")
++ self.user=con[0]
++ self.role=con[1]
++ self.type=con[2]
++ if len(con) > 3:
++ self.mls=con[3]
++ else:
++ self.mls="s0"
++
++ def __str__(self):
++ return self.scontext
++
++class accessTrans:
++ def __init__(self):
++ self.dict={}
++ try:
++ fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt")
++ except IOError, error:
++ raise IOError("Reference policy generation requires the policy development package.\n%s" % error)
++ records=fd.read().split("\n")
++ regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'"
++ for r in records:
++ m=re.match(regexp,r)
++ if m!=None:
++ self.dict[m.groups()[0]] = m.groups()[1].split()
++ fd.close()
++ def get(self, var):
++ l=[]
++ for v in var:
++ if v in self.dict.keys():
++ l += self.dict[v]
++ else:
++ if v not in ("{", "}"):
++ l.append(v)
++ return l
++
++class interfaces:
++ def __init__(self):
++ self.dict={}
++ trans=accessTrans()
++ (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null")
++ input.write(awk_script)
++ input.close()
++ records=output.read().split("\n")
++ input.close()
++ if len(records) > 0:
++ regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp
++ for r in records:
++ m=re.match(regexp,r)
++ if m==None:
++ continue
++ val=m.groups()
++ file=os.path.basename(val[0]).split(".")[0]
++ iface=val[1]
++ Scon=val[3].split()
++ Tcon=val[4].split()
++ Class=val[5].split()
++ Access=trans.get(val[6].split())
++ for s in Scon:
++ for t in Tcon:
++ for c in Class:
++ if (s, t, c) not in self.dict.keys():
++ self.dict[(s, t, c)]=[]
++ self.dict[(s, t, c)].append((Access, file, iface))
++ def out(self):
++ keys=self.dict.keys()
++ keys.sort()
++ for k in keys:
++ print k
++ for i in self.dict[k]:
++ print "\t", i
++
++ def match(self, Scon, Tcon, Class, Access):
++ keys=self.dict.keys()
++ ret=[]
++ if (Scon, Tcon, Class) in keys:
++ for i in self.dict[(Scon, Tcon, Class)]:
++ if Access in i[0]:
++ if i[2].find(Access) >= 0:
++ ret.insert(0, i)
++ else:
++ ret.append(i)
++ return ret
++ if ("$1", Tcon, Class) in keys:
++ for i in self.dict[("$1", Tcon, Class)]:
++ if Access in i[0]:
++ if i[2].find(Access) >= 0:
++ ret.insert(0, i)
++ else:
++ ret.append(i)
++ return ret
++ if (Scon, "$1", Class) in keys:
++ for i in self.dict[(Scon, "$1", Class)]:
++ if Access in i[0]:
++ if i[2].find(Access) >= 0:
++ ret.insert(0, i)
++ else:
++ ret.append(i)
++ return ret
++ else:
++ return ret
++
++import glob, imp
++pluginPath="/usr/share/selinux/plugins"
++if not pluginPath in sys.path:
++ sys.path.append(pluginPath)
++
++class Analyze:
++ def __init__(self):
++ self.plugins=[]
++ for p in glob.glob("/usr/share/selinux/plugins/*.py"):
++ plugin=os.path.basename(p)[:-3]
++ self.plugins.append(imp.load_module(plugin, *imp.find_module(plugin)))
++
++ def process(self, AVCS):
++ ret=[]
++ avcs=AVCS
++ for p in self.plugins:
++ if avcs == None:
++ break;
++ r = p.analyze(avcs)
++ if len(r)==0:
++ continue
++ avcs=r[1]
++ if len(r[0]) > 0:
++ ret.append(r[0])
++ return ret
++
++class serule:
++ def __init__(self, key):
++ self.type=key[0]
++ self.source=key[1]
++ self.target=key[2]
++ self.seclass=key[3]
++ self.access=[]
++ self.avcinfo={}
++ self.iface=None
++
++ def add(self, avc):
++ for a in avc[0]:
++ if a not in self.avcinfo.keys():
++ self.avcinfo[a]=[]
++ self.access.append(a)
++ self.avcinfo[a].append(avc[1:])
++
++ def getAccess(self):
++ if len(self.access) == 1:
++ return self.access[0]
++ else:
++ self.access.sort()
++ return "{ " + string.join(self.access) +" }"
++
++ def getName(self):
++ print self.avcinfo
++
++ def out(self, verbose=0):
++ ret=""
++ ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess())
++ if verbose:
++ keys=self.avcinfo.keys()
++ keys.sort()
++ for i in keys:
++ for x in self.avcinfo[i]:
++ ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0]
++ if len(x[1]):
++ ret=ret+"COMM=%s " % x[1]
++ if len(x[2]):
++ ret=ret+"NAME=%s " % x[2]
++ ret=ret + " : " + i
++ return ret
++
++ def gen_reference_policy(self, iface):
++ ret=""
++ Scon=self.source
++ Tcon=self.gettarget()
++ Class=self.seclass
++ Access=self.getAccess()
++ m=iface.match(Scon,Tcon,Class,Access)
++ if len(m)==0:
++ return self.out()
++ else:
++ file=m[0][1]
++ ret="\n#%s\n"% self.out()
++ ret += "optional_policy(`%s', `\n" % m[0][1]
++ first=True
++ for i in m:
++ if file != i[1]:
++ ret += "')\ngen_require(`%s', `\n" % i[1]
++ file = i[1]
++ first=True
++ if first:
++ ret += "\t%s(%s)\n" % (i[2], Scon)
++ first=False
++ else:
++ ret += "#\t%s(%s)\n" % (i[2], Scon)
++ ret += "');"
++ return ret
++
++ def gettarget(self):
++ if self.source == self.target:
++ return "self"
++ else:
++ return self.target
++
++def warning(error):
++ sys.stderr.write("%s: " % sys.argv[0])
++ sys.stderr.write("%s\n" % error)
++ sys.stderr.flush()
++
++
++class TERules:
++ def __init__(self, serules):
++ self.VALID_CMDS=("allow", "dontaudit", "auditallow")
++ self.serules=serules
++
++ def load(self, input):
++ line = input.readline()
++ while line:
++ rec=line.split()
++ if len(rec) and rec[0] in self.VALID_CMDS:
++ self.add_terule(line)
++ line = input.readline()
++
++ def add_terule(self, rule):
++ rc = rule.split(":")
++ rules=rc[0].split()
++ type=rules[0]
++ (sources, targets) = self.rules_split(rules[1:])
++ rules=rc[1].split()
++ (classes, access) = self.rules_split(rules)
++ for scon in sources:
++ for tcon in targets:
++ for seclass in classes:
++ self.serules.add_rule(type, scon, tcon, seclass,access)
++
++ def rules_split(self, rules):
++ (idx, target ) = self.get_target(0, rules)
++ (idx, subject) = self.get_target(idx, rules)
++ return (target, subject)
++
++ def get_target(self, i, rule):
++ target=[]
++ if rule[i][0] == "{":
++ for t in rule[i].split("{"):
++ if len(t):
++ target.append(t)
++ i=i+1
++ for s in rule[i:]:
++ if s.find("}") >= 0:
++ for s1 in s.split("}"):
++ if len(s1):
++ target.append(s1)
++ i=i+1
++ return (i, target)
++
++ target.append(s)
++ i=i+1
++ else:
++ if rule[i].find(";") >= 0:
++ for s1 in rule[i].split(";"):
++ if len(s1):
++ target.append(s1)
++ else:
++ target.append(rule[i])
++
++ i=i+1
++ return (i, target)
++
++
++ALLOW=0
++STYPE=1
++TTYPE=2
++CLASS=3
++COMM=1
++NAME=3
++
++class SERules:
++ def __init__(self, last_reload=0, verbose=0):
++ self.last_reload=last_reload
++ self.initialize()
++ self.gen_ref_policy = False
++ self.verbose = verbose
++ self.AVCS=[]
++
++ def initialize(self):
++ self.seRules={}
++ self.classes={}
++ self.types=[]
++ self.roles=[]
++
++ def load(self, input):
++ dict=[]
++ found=0
++ line = input.readline()
++ while line:
++ rec=line.split()
++ for i in rec:
++ if i=="avc:" or i=="message=avc:" or i=="msg='avc:":
++ found=1
++ else:
++ dict.append(i)
++ if found:
++ self.translate(dict)
++ found=0
++ dict=[]
++ line = input.readline()
++
++
++ def translate(self,dict):
++ AVC={}
++ AVC["access"]=[]
++ if "security_compute_sid" in dict:
++ return
++
++ if "load_policy" in dict and self.last_reload:
++ self.initialize()
++
++ if "granted" in dict:
++ return
++ try:
++ for i in range (0, len(dict)):
++ if dict[i]=="{":
++ i=i+1
++ while i<len(dict) and dict[i] != "}":
++ AVC["access"].append(dict[i])
++ i=i+1
++ continue
++
++ t=dict[i].split('=')
++ if len(t) < 2:
++ continue
++ AVC[t[0]]=t[1]
++
++ for i in ("scontext", "tcontext", "tclass"):
++ if i not in AVC.keys():
++ return
++
++ except IndexError, e:
++ warning("Bad AVC Line: %s" % avc)
++ return
++
++ self.add_allow(AVC)
++
++ def add_avc(self, AVC):
++ for a in self.AVCS:
++ if a["tclass"] == AVC["tclass"] and a["access"] == AVC["access"] and a["tcontext"] == AVC["tcontext"] and a["scontext"] == AVC["scontext"] and a["comm"] == AVC["comm"] and a["name"] == AVC["name"]:
++ return
++ self.AVCS.append(AVC)
++
++ def add_rule(self, rule_type, scon, tcon, tclass, access, msg="", comm="", name=""):
++ AVC={}
++ AVC["tclass"]=tclass
++ AVC["access"]=access
++ AVC["tcon"]=tcon
++ AVC["scon"]=scon
++ AVC["comm"]=comm
++ AVC["name"]=name
++ self.add_avc(AVC)
++
++ self.add_class(tclass, access)
++ self.add_type(tcon)
++ self.add_type(scon)
++ key=(rule_type, scon, tcon, seclass)
++ if key not in self.seRules.keys():
++ self.seRules[key]=serule(key)
++ self.seRules[key].add((access, msg, comm, name ))
++
++ def add_allow(self, AVC):
++ self.add_class(AVC["tclass"], AVC["access"])
++ tcontext=context(AVC["tcontext"])
++ scontext=context(AVC["scontext"])
++
++ self.add_type(tcontext.type)
++ self.add_type(scontext.type)
++
++ self.add_role(scontext.role)
++
++ key=("allow", scontext.type, tcontext.type, AVC["tclass"])
++ if key not in self.seRules.keys():
++ self.seRules[key]=serule(key)
++ if "name" not in AVC.keys():
++ AVC["name"]=""
++
++ self.add_avc(AVC)
++ self.seRules[key].add((AVC["access"], AVC["msg"], AVC["comm"], AVC["name"]))
++
++ def add_class(self,seclass, access):
++ if seclass not in self.classes.keys():
++ self.classes[seclass]=[]
++ for a in access:
++ if a not in self.classes[seclass]:
++ self.classes[seclass].append(a)
++
++ def add_role(self,role):
++ if role not in self.roles:
++ self.roles.append(role)
++
++ def add_type(self,type):
++ if type not in self.types:
++ self.types.append(type)
++
++ def gen_reference_policy(self):
++ self.gen_ref_policy = True
++ self.iface=interfaces()
++
++ def gen_module(self, module):
++ if self.gen_ref_policy:
++ return "policy_module(%s, 1.0);" % module
++ else:
++ return "module %s 1.0;" % module
++
++ def gen_requires(self):
++ self.roles.sort()
++ self.types.sort()
++ keys=self.classes.keys()
++ keys.sort()
++ rec="\n\nrequire {\n"
++# if len(self.roles) > 0:
++# for i in self.roles:
++# rec += "\trole %s; \n" % i
++# rec += "\n"
++#
++ for i in keys:
++ access=self.classes[i]
++ if len(access) > 1:
++ access.sort()
++ rec += "\tclass %s {" % i
++ for a in access:
++ rec += " %s" % a
++ rec += " }; \n"
++ else:
++ rec += "\tclass %s %s;\n" % (i, access[0])
++
++ rec += "\n"
++
++ for i in self.types:
++ rec += "\ttype %s; \n" % i
++ rec += "};\n\n"
++ return rec
++
++ def analyze(self):
++ a=Analyze()
++ analysys=a.process(self.AVCS)
++ for i in analysys:
++ print i[0][0]
++ print ""
++ sys.exit(0)
++
++ def out(self, require=0, module=""):
++ rec=""
++ if len(self.seRules.keys())==0:
++ raise(ValueError("No AVC messages found."))
++ if module != "":
++ rec += self.gen_module(module)
++ rec += self.gen_requires()
++ else:
++ if require:
++ rec+=self.gen_requires()
++
++ keys=self.seRules.keys()
++ keys.sort()
++ for i in keys:
++ if self.gen_ref_policy:
++ rec += self.seRules[i].gen_reference_policy(self.iface)+"\n"
++ else:
++ rec += self.seRules[i].out(self.verbose)+"\n"
++ return rec
++
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-1.30.5/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2006-03-29 11:08:21.000000000 -0500
-+++ policycoreutils-1.30.4/restorecond/restorecond.conf 2006-04-03 11:57:26.000000000 -0400
++++ policycoreutils-1.30.5/restorecond/restorecond.conf 2006-04-14 07:44:00.000000000 -0400
@@ -2,3 +2,4 @@
/etc/mtab
/var/run/utmp
~/public_html
+~/.mozilla/plugins/libflashplayer.so
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.30.4/semanage/semanage
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.30.5/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2006-03-29 15:35:22.000000000 -0500
-+++ policycoreutils-1.30.4/semanage/semanage 2006-04-01 04:54:36.000000000 -0500
-@@ -286,6 +286,8 @@
++++ policycoreutils-1.30.5/semanage/semanage 2006-04-14 07:45:07.000000000 -0400
+@@ -32,7 +32,7 @@
+ print '\
+ semanage {login|user|port|interface|fcontext|translation} -l [-n] \n\
+ semanage login -{a|d|m} [-sr] login_name\n\
+-semanage user -{a|d|m} [-LrR] selinux_name\n\
++semanage user -{a|d|m} [-LrRP] selinux_name\n\
+ semanage port -{a|d|m} [-tr] [ -p protocol ] port | port_range\n\
+ semanage interface -{a|d|m} [-tr] interface_spec\n\
+ semanage fcontext -{a|d|m} [-frst] file_spec\n\
+@@ -60,6 +60,7 @@
+ -p (named pipe) \n\n\
+ \
+ -p, --proto Port protocol (tcp or udp)\n\
++ -P, --prefix Prefix for home directory labeling\n\
+ -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
+ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
+ -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\
+@@ -83,7 +84,7 @@
+ valid_option["login"] = []
+ valid_option["login"] += valid_everyone + [ '-s', '--seuser', '-r', '--range']
+ valid_option["user"] = []
+- valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles' ]
++ valid_option["user"] += valid_everyone + [ '-L', '--level', '-r', '--range', '-R', '--roles', '-P', '--prefix' ]
+ valid_option["port"] = []
+ valid_option["port"] += valid_everyone + [ '-t', '--type', '-r', '--range', '-p', '--protocol' ]
+ valid_option["interface"] = []
+@@ -109,6 +110,7 @@
+ setrans = ""
+ roles = ""
+ seuser = ""
++ prefix = ""
+ heading=1
+
+ add = 0
+@@ -126,7 +128,7 @@
+ args = sys.argv[2:]
+
+ gopts, cmds = getopt.getopt(args,
+- 'adf:lhmnp:s:R:L:r:t:T:',
++ 'adf:lhmnp:s:R:L:r:t:T:P:',
+ ['add',
+ 'delete',
+ 'ftype=',
+@@ -140,7 +142,8 @@
+ 'level=',
+ 'roles=',
+ 'type=',
+- 'trans='
++ 'trans=',
++ 'prefix='
+ ])
+ for o, a in gopts:
+ if o not in option_dict[object]:
+@@ -185,6 +188,9 @@
+ if o == "-p" or o == '--proto':
+ proto = a
+
++ if o == "-P" or o == '--prefix':
++ prefix = a
++
+ if o == "-R" or o == '--roles':
+ roles = roles + " " + a
+
+@@ -235,7 +241,7 @@
+ rlist = roles.split()
+ if len(rlist) == 0:
+ raise ValueError("You must specify a role")
+- OBJECT.add(target, rlist, selevel, serange)
++ OBJECT.add(target, rlist, selevel, serange, prefix)
+
+ if object == "port":
+ OBJECT.add(target, proto, serange, setype)
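Review bot: only the add path forwards the new argument. This hunk changes `OBJECT.add(target, rlist, selevel, serange, prefix)`, but no hunk in this patch updates the corresponding `OBJECT.modify` call for the user object, even though seobject.modify gains a `prefix` parameter below and the option table now accepts -P together with -m. Unless that call already passes prefix, `semanage user -m -P <prefix> name` parses cleanly and silently does nothing; pass prefix to modify as well.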
+@@ -286,6 +292,8 @@
errorExit("Options Error " + error.msg)
except ValueError, error:
errorExit(error.args[0])
@@ -45,3 +1167,93 @@
except IOError, error:
errorExit(error.args[1])
except KeyboardInterrupt, error:
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.30.5/semanage/seobject.py
+--- nsapolicycoreutils/semanage/seobject.py 2006-03-29 15:35:22.000000000 -0500
++++ policycoreutils-1.30.5/semanage/seobject.py 2006-04-14 07:47:13.000000000 -0400
+@@ -381,7 +381,7 @@
+ def __init__(self):
+ semanageRecords.__init__(self)
+
+- def add(self, name, roles, selevel, serange):
++ def add(self, name, roles, selevel, serange, prefix):
+ if is_mls_enabled == 1:
+ if serange == "":
+ serange = "s0"
+@@ -427,6 +427,9 @@
+ if rc < 0:
+ raise ValueError("Could not set MLS level for %s" % name)
+
++ rc = semanage_user_set_prefix(self.sh, u, prefix)
++ if rc < 0:
++ raise ValueError("Could not add prefix %s for %s" % (r, prefix))
+ (rc,key) = semanage_user_key_extract(self.sh,u)
+ if rc < 0:
+ raise ValueError("Could not extract key for %s" % name)
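Review bot: the error message in the new block is wrong on both counts. It formats `(r, prefix)` against the text "Could not add prefix %s for %s", so the arguments are in the wrong order, and `r` is not assigned anywhere in this hunk: if it is a leftover role-loop variable the message reports the wrong value, and if it is unbound the intended ValueError becomes a NameError. Suggest `raise ValueError("Could not add prefix %s for %s" % (prefix, name))`.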
+@@ -451,13 +454,15 @@
+ semanage_user_key_free(k)
+ semanage_user_free(u)
+
+- def modify(self, name, roles = [], selevel = "", serange = ""):
++ def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""):
++ oldroles=""
++ newroles = string.join(roles, ' ');
+ try:
+- if len(roles) == 0 and serange == "" and selevel == "":
++ if prefix == "" and len(roles) == 0 and serange == "" and selevel == "":
+ if is_mls_enabled == 1:
+- raise ValueError("Requires roles, level or range")
++ raise ValueError("Requires prefix, roles, level or range")
+ else:
+- raise ValueError("Requires roles")
++ raise ValueError("Requires prefix or roles")
+
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
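Review bot: `string.join(roles, ' ')` relies on `import string` being present in seobject.py, which this hunk does not show; the builtin `' '.join(roles)` has no such dependency and is the idiomatic form. The trailing semicolons on the two new assignments are also noise in Python and should be dropped.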
+@@ -473,11 +478,21 @@
+ if rc < 0:
+ raise ValueError("Could not query user for %s" % name)
+
++ oldserange=semanage_user_get_mlsrange(u)
++ (rc, rlist)=semanage_user_get_roles(self.sh, u)
++ if rc >= 0:
++ oldroles = string.join(rlist, ' ');
++ newroles = newroles + ' ' + oldroles;
++
++
+ if serange != "":
+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
+ if selevel != "":
+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
+
++ if prefix != "":
++ semanage_user_set_prefix(self.sh, u, prefix)
++
+ if len(roles) != 0:
+ for r in roles:
+ semanage_user_add_role(self.sh, u, r)
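Review bot: the return code of `semanage_user_set_prefix(self.sh, u, prefix)` is discarded here, whereas add() above checks `rc < 0` and raises; check it the same way so a failed prefix update is reported instead of being silently committed with the rest of the record. Also, `newroles = newroles + ' ' + oldroles;` is followed by two blank lines and uses a `;` terminator; tidy both.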
+@@ -495,10 +510,11 @@
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ except ValueError, error:
+- mylog.log(0,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange)
++ mylog.log(0,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange)
+ raise error
+
+- mylog.log(1,"modify SELinux user record", name, seuser, seroles, serange, oldseuser, oldseroles, olrserange)
++ mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange)
++
+ semanage_user_key_free(k)
+ semanage_user_free(u)
+
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/setsebool/setsebool.8 policycoreutils-1.30.5/setsebool/setsebool.8
+--- nsapolicycoreutils/setsebool/setsebool.8 2005-11-04 15:37:49.000000000 -0500
++++ policycoreutils-1.30.5/setsebool/setsebool.8 2006-04-14 07:44:00.000000000 -0400
+@@ -17,7 +17,7 @@
+ are not changed.
+
+ If the -P option is given, all pending values are written to
+-the boolean file on disk.
++the policy file on disk. So they will be persistant across reboots.
+
+ .SH AUTHOR
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
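Review bot: "persistant" should be "persistent", and "So they will be persistant across reboots." is a sentence fragment. Suggest `the policy file on disk, so they persist across reboots.`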
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.257
retrieving revision 1.258
diff -u -r1.257 -r1.258
--- policycoreutils.spec 6 Apr 2006 10:21:29 -0000 1.257
+++ policycoreutils.spec 14 Apr 2006 11:51:02 -0000 1.258
@@ -1,11 +1,11 @@
%define libauditver 1.1.4-3
-%define libsepolver 1.12-1
-%define libsemanagever 1.6-1
-%define libselinuxver 1.30-1
+%define libsepolver 1.12.5-1
+%define libsemanagever 1.6.5-1
+%define libselinuxver 1.30.3-1
Summary: SELinux policy core utilities.
Name: policycoreutils
-Version: 1.30.4
-Release: 4
+Version: 1.30.5
+Release: 1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
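Review bot: the libsemanage requirement is raised to 1.6.5-1, presumably because that release supplies the `semanage_user_set_prefix` call that the new seobject.py code depends on; state that in the changelog so the dependency bump is traceable to the patch that needs it.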
@@ -108,6 +108,11 @@
/sbin/service restorecond condrestart
%changelog
+* Fri Apr 14 2006 Dan Walsh <dwalsh at redhat.com> 1.30.5-1
+- Update from upstream
+ * Added a test to setfiles to check that the spec file is
+ a regular file.
+
* Thu Apr 06 2006 Karsten Hopp <karsten at redhat.de> 1.30.4-4
- added some missing buildrequires
- added Requires: initscripts for /sbin/service
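Review bot: the changelog entry records only the upstream setfiles check; the semanage/seobject prefix (-P) support and the setsebool.8 wording change carried in policycoreutils-rhat.patch are not mentioned. Add lines for them so the Fedora-specific changes in this release are discoverable from the spec.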
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/policycoreutils/devel/sources,v
retrieving revision 1.110
retrieving revision 1.111
diff -u -r1.110 -r1.111
--- sources 29 Mar 2006 20:39:44 -0000 1.110
+++ sources 14 Apr 2006 11:51:02 -0000 1.111
@@ -1 +1 @@
-4af18b5ace84c5cb075f5160ab51f86b policycoreutils-1.30.4.tgz
+b3eba7a93507ee2e576c184854d01610 policycoreutils-1.30.5.tgz