rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.338, 1.339 policycoreutils-sepolgen.patch, 1.6, 1.7 policycoreutils.spec, 1.486, 1.487
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Dec 20 19:24:18 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13945
Modified Files:
policycoreutils-rhat.patch policycoreutils-sepolgen.patch
policycoreutils.spec
Log Message:
* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 2.0.34-2
- Make sepolgen set an error exit code on partial failure
- audit2why now checks booleans for avc diagnosis
policycoreutils-rhat.patch:
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.338
retrieving revision 1.339
diff -u -r1.338 -r1.339
--- policycoreutils-rhat.patch 19 Dec 2007 17:55:58 -0000 1.338
+++ policycoreutils-rhat.patch 20 Dec 2007 19:24:11 -0000 1.339
@@ -28,19 +28,233 @@
.TP
.B "\-t " | "\-\-tefile"
Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.34/audit2allow/sepolgen-ifgen
+--- nsapolicycoreutils/audit2allow/sepolgen-ifgen 2007-07-16 14:20:41.000000000 -0400
++++ policycoreutils-2.0.34/audit2allow/sepolgen-ifgen 2007-12-20 14:19:50.000000000 -0500
+@@ -80,7 +80,10 @@
+ if_set.to_file(f)
+ f.close()
+
+- return 0
++ if refparser.success:
++ return 0
++ else:
++ return 1
+
+ if __name__ == "__main__":
+ sys.exit(main())
+Binary files nsapolicycoreutils/audit2why/audit2why and policycoreutils-2.0.34/audit2why/audit2why differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.34/audit2why/audit2why.c
--- nsapolicycoreutils/audit2why/audit2why.c 2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-19 06:05:50.000000000 -0500
-@@ -137,6 +137,8 @@
++++ policycoreutils-2.0.34/audit2why/audit2why.c 2007-12-20 11:04:10.000000000 -0500
+@@ -22,27 +22,151 @@
+ exit(rc);
+ }
+
++struct bool_t {
++ const sepol_bool_t * boolean;
++ char *name;
++ int active;
++};
++
++static struct bool_t **boollist = NULL;
++static int boolcnt = 0;
++
++struct access_t {
++ sepol_handle_t *handle;
++ sepol_policydb_t *policydb;
++ sepol_security_id_t ssid;
++ sepol_security_id_t tsid;
++ sepol_security_class_t tclass;
++ sepol_access_vector_t av;
++};
++
++static int load_booleans (const sepol_bool_t * boolean,
++ void *arg __attribute__ ((__unused__)) ) {
++ boollist[boolcnt] = (struct bool_t *) malloc(sizeof (struct bool_t));
++ boollist[boolcnt]->boolean = boolean;
++ boollist[boolcnt]->name = strdup(sepol_bool_get_name(boolean));
++ boollist[boolcnt]->active = sepol_bool_get_value(boolean);
++ boolcnt++;
++ return 0;
++}
++
++static int check_booleans (struct access_t *access) {
++ struct sepol_av_decision avd;
++ unsigned int reason;
++ int rc;
++ int i;
++ sepol_bool_key_t *key=NULL;
++ int fcnt = 0;
++ int *foundlist = calloc(boolcnt, sizeof(int));
++ if (!foundlist) {
++ fprintf(stderr,
++ "Out of memory.\n");
++ return -1;
++ }
++ for (i=0; i < boolcnt; i++) {
++ char *name = boollist[i]->name;
++ int active = boollist[i]->active;
++ sepol_bool_t * boolean = (sepol_bool_t *) boollist[i]->boolean;
++ rc = sepol_bool_key_create(access->handle,
++ name,
++ &key);
++ if (rc < 0) {
++ fprintf(stderr,
++ "Could not create boolean key.\n");
++ rc = -1;
++ break;
++ }
++ sepol_bool_set_value(boolean, !active);
++
++ rc = sepol_bool_set(access->handle,
++ access->policydb,
++ key,
++ boolean);
++ if (rc < 0) {
++ fprintf(stderr,
++ "Could not set boolean data %s.\n", name);
++ rc = -1;
++ break;
++ }
++
++ /* Reproduce the computation. */
++ rc = sepol_compute_av_reason(access->ssid, access->tsid, access->tclass, access->av, &avd, &reason);
++ if (rc < 0) {
++ fprintf(stderr,
++ "Error during access vector computation, skipping...\n");
++ rc = -1;
++ break;
++ } else {
++ if (!reason) {
++ foundlist[fcnt] = i;
++ fcnt++;
++ rc = 0;
++ }
++ sepol_bool_set_value((sepol_bool_t*)boolean, active);
++ rc = sepol_bool_set(access->handle,
++ access->policydb,
++ key,
++ (sepol_bool_t*) boolean);
++ if (rc < 0) {
++ fprintf(stderr,
++ "Could not set boolean data %s.\n", name);
++ rc = -1;
++ break;
++ }
++ }
++ sepol_bool_key_free(key);
++ key=NULL;
++ }
++ if (key)
++ sepol_bool_key_free(key);
++
++ if (fcnt > 0) {
++ printf("\tA boolean being set incorrectly.\n");
++ for (i = 0; i < fcnt; i++) {
++ int ctr = foundlist[i];
++ char *name = boollist[ctr]->name;
++ int active = boollist[ctr]->active;
++ printf("\n\tBoolean %s is %d.\n\tExecute the following to allow access:\n", name, active);
++ printf("\t# setsebool -P %s %d\n", name, !active);
++ }
++ }
++
++ free(foundlist);
++ return rc;
++}
++
++
+ int main(int argc, char **argv)
+ {
+ char path[PATH_MAX];
+ char *buffer = NULL, *bufcopy = NULL;
+- unsigned int lineno = 0;
++ unsigned int lineno = 0, cnt;
+ size_t len = 0, bufcopy_len = 0;
+- FILE *fp;
++ FILE *fp, *avcp=stdin;
+ int opt, rc, set_path = 0;
+ char *p, *scon, *tcon, *tclassstr, *permstr;
+ sepol_security_id_t ssid, tsid;
+ sepol_security_class_t tclass;
+ sepol_access_vector_t perm, av;
++ struct access_t access;
+ struct sepol_av_decision avd;
+ unsigned int reason;
+ int vers = 0;
+ sidtab_t sidtab;
+ policydb_t policydb;
+ struct policy_file pf;
+-
+- while ((opt = getopt(argc, argv, "p:?h")) > 0) {
++
++ while ((opt = getopt(argc, argv, "i:p:?h")) > 0) {
+ switch (opt) {
++ case 'i':
++ avcp = fopen(optarg, "r");
++ if (!avcp) {
++ fprintf(stderr, "%s: unable to open %s: %s\n",
++ argv[0], path, strerror(errno));
++ exit(1);
++ }
++ break;
++
+ case 'p':
+ set_path = 1;
+ strncpy(path, optarg, PATH_MAX);
+@@ -110,7 +234,6 @@
+ }
+ fclose(fp);
+ sepol_set_policydb(&policydb);
+-
+ if (!set_path) {
+ /* If they didn't specify a full path of a binary policy file,
+ then also try loading any boolean settings and user
+@@ -125,6 +248,30 @@
+ (void)sepol_genusers_policydb(&policydb, selinux_users_path());
+ }
+
++ access.handle = sepol_handle_create();
++ access.policydb = (sepol_policydb_t *) &policydb,
++
++ rc = sepol_bool_count(access.handle,
++ access.policydb,
++ &cnt);
++ if (rc < 0) {
++ fprintf(stderr, "%s: unable to get bool count\n", argv[0]);
++ exit(1);
++ }
++
++ boollist = calloc(cnt, sizeof(struct bool_t));
++ if (!boollist) {
++ fprintf(stderr, "%s: Out of memory\n", argv[0]);
++ exit(1);
++ }
++
++
++ sepol_bool_iterate(access.handle,
++ (const sepol_policydb_t *) &policydb,
++ load_booleans,
++ (void *)NULL);
++
++
+ /* Initialize the sidtab for subsequent use by sepol_context_to_sid
+ and sepol_compute_av_reason. */
+ rc = sepol_sidtab_init(&sidtab);
+@@ -135,8 +282,10 @@
+ sepol_set_sidtab(&sidtab);
+
/* Process the audit messages. */
- while (getline(&buffer, &len, stdin) > 0) {
+- while (getline(&buffer, &len, stdin) > 0) {
++ while (getline(&buffer, &len, avcp) > 0) {
size_t len2 = strlen(buffer);
+ char *begin, *end, *search_buf;
+ int slen = 0;
if (buffer[len2 - 1] == '\n')
buffer[len2 - 1] = 0;
-@@ -179,6 +181,7 @@
+@@ -179,6 +328,7 @@
}
*p++ = 0;
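Review bot: check_booleans leaves the policy in a flipped state on two of its error paths: when sepol_bool_set fails right after `sepol_bool_set_value(boolean, !active)` and when sepol_compute_av_reason fails, the loop breaks without ever calling `sepol_bool_set_value(boolean, active)`, so every later audit line that main feeds through the same policydb is diagnosed against a modified policy; the restore should happen unconditionally before the key is freed, as in the rewrite below. The same function declares `int rc;` with no initializer and returns it after the loop, which is an uninitialized read whenever boolcnt is 0 and `calloc(0, sizeof(int))` returns non-NULL — `int rc = 0;` fixes it. In the new `case 'i':` branch the failure message prints `path`, which is uninitialized unless `-p` appeared earlier on the command line, where it should print the name that failed to open: `argv[0], optarg, strerror(errno));`. Two smaller points in the main hunk: `access.policydb = (sepol_policydb_t *) &policydb,` ends with a comma rather than a semicolon and only works because the comma operator joins it to the following `rc = sepol_bool_count(...)`, and load_booleans stores the results of `malloc` and `strdup` without a NULL check while `boollist` is sized with `sizeof(struct bool_t)` although it holds `struct bool_t *` pointers.
```c
		/* … unchanged: name/active/boolean lookup and sepol_bool_key_create … */
		sepol_bool_set_value(boolean, !active);
		rc = sepol_bool_set(access->handle, access->policydb, key, boolean);
		if (rc < 0) {
			fprintf(stderr,
				"Could not set boolean data %s.\n", name);
		} else {
			/* Reproduce the computation. */
			rc = sepol_compute_av_reason(access->ssid, access->tsid, access->tclass, access->av, &avd, &reason);
			if (rc < 0)
				fprintf(stderr,
					"Error during access vector computation, skipping...\n");
			else if (!reason)
				foundlist[fcnt++] = i;
		}
		/* Restore the original value on every path so later audit lines
		 * are evaluated against the unmodified policy. */
		sepol_bool_set_value(boolean, active);
		if (sepol_bool_set(access->handle, access->policydb, key, boolean) < 0) {
			fprintf(stderr,
				"Could not set boolean data %s.\n", name);
			rc = -1;
		}
		sepol_bool_key_free(key);
		key = NULL;
		if (rc < 0)
			break;
```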
@@ -48,7 +262,7 @@
/* Get scontext and convert to SID. */
while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1))
p++;
-@@ -188,11 +191,14 @@
+@@ -188,11 +338,14 @@
continue;
}
p += sizeof(SCONTEXT) - 1;
@@ -66,7 +280,7 @@
rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
if (rc < 0) {
fprintf(stderr,
-@@ -201,6 +207,10 @@
+@@ -201,6 +354,10 @@
continue;
}
@@ -77,7 +291,7 @@
/* Get tcontext and convert to SID. */
while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1))
p++;
-@@ -210,11 +220,15 @@
+@@ -210,11 +367,15 @@
continue;
}
p += sizeof(TCONTEXT) - 1;
@@ -96,7 +310,7 @@
rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
if (rc < 0) {
fprintf(stderr,
-@@ -222,6 +236,9 @@
+@@ -222,6 +383,9 @@
TCONTEXT, tcon, lineno);
continue;
}
@@ -106,7 +320,7 @@
/* Get tclass= and convert to value. */
while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1))
-@@ -232,12 +249,17 @@
+@@ -232,12 +396,17 @@
continue;
}
p += sizeof(TCLASS) - 1;
@@ -127,6 +341,37 @@
if (!tclass) {
fprintf(stderr,
"Invalid %s%s on line %u, skipping...\n",
+@@ -286,11 +455,16 @@
+ }
+
+ if (reason & SEPOL_COMPUTEAV_TE) {
+- printf("\t\tMissing or disabled TE allow rule.\n");
+- printf
+- ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n");
+- printf
+- ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
++ access.ssid = ssid;
++ access.tsid = tsid;
++ access.tclass = tclass;
++ access.av = av;
++
++ if (check_booleans(&access) < 0) {
++ printf("\t\tMissing or disabled TE allow rule.\n");
++ printf
++ ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
++ }
+ }
+
+ if (reason & SEPOL_COMPUTEAV_CONS) {
+@@ -309,5 +483,8 @@
+ }
+ free(buffer);
+ free(bufcopy);
++ if (avcp != stdin)
++ fclose(avcp);
++
+ exit(0);
+ }
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.34/Makefile
--- nsapolicycoreutils/Makefile 2007-12-19 06:02:52.000000000 -0500
+++ policycoreutils-2.0.34/Makefile 2007-12-19 06:06:04.000000000 -0500
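Review bot: The new `if (check_booleans(&access) < 0)` only prints the "Missing or disabled TE allow rule" fallback when check_booleans hit an error, but check_booleans also returns 0 when it ran cleanly and found no boolean (fcnt stays 0), so in that common case the SEPOL_COMPUTEAV_TE branch now prints nothing where the removed lines always printed an explanation. Unless that silence is intended, have check_booleans report what it found, `return rc < 0 ? rc : fcnt;`, and make main fall back on anything that is not a hit, `if (check_booleans(&access) <= 0) {`. The enclosing main() starts and ends outside this hunk.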
policycoreutils-sepolgen.patch:
Index: policycoreutils-sepolgen.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-sepolgen.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policycoreutils-sepolgen.patch 19 Dec 2007 17:55:58 -0000 1.6
+++ policycoreutils-sepolgen.patch 20 Dec 2007 19:24:12 -0000 1.7
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2007-09-13 08:21:11.000000000 -0400
-+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-19 06:05:51.000000000 -0500
++++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-20 14:20:49.000000000 -0500
@@ -118,6 +118,7 @@
'TEMPLATE',
'GEN_CONTEXT',
@@ -30,7 +30,7 @@
def t_refpolicywarn(t):
r'refpolicywarn\(.*\n'
# Ignore refpolicywarn statements - they sometimes
-@@ -258,6 +266,7 @@
+@@ -258,10 +266,12 @@
m = None
# error is either None (indicating no error) or a string error message.
error = None
@@ -38,7 +38,12 @@
# spt is the support macros (e.g., obj/perm sets) - it is an instance of
# refpolicy.SupportMacros and should always be present during parsing
# though it may not contain any macros.
-@@ -382,6 +391,19 @@
+ spt = None
++success=True
+
+ # utilities
+ def collect(stmts, parent, val=None):
+@@ -382,6 +392,19 @@
collect(p[12], x, val=False)
p[0] = [x]
@@ -58,7 +63,7 @@
def p_ifdef(p):
'''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
| IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
-@@ -446,6 +468,7 @@
+@@ -446,6 +469,7 @@
| optional_policy
| tunable_policy
| ifdef
@@ -66,17 +71,20 @@
| conditional
'''
p[0] = p[1]
-@@ -844,7 +867,8 @@
+@@ -844,8 +868,11 @@
def p_error(tok):
global error
- error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
+ global parse_file
++ global success
+ error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
print error
++ success = False
def prep_spt(spt):
-@@ -892,7 +916,7 @@
+ if not spt:
+@@ -892,7 +919,7 @@
def list_headers(root):
modules = []
support_macros = None
@@ -85,7 +93,7 @@
for dirpath, dirnames, filenames in os.walk(root):
for name in filenames:
-@@ -941,12 +965,14 @@
+@@ -941,12 +968,14 @@
output.write(msg)
def parse_file(f, module, spt=None):
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.486
retrieving revision 1.487
diff -u -r1.486 -r1.487
--- policycoreutils.spec 19 Dec 2007 17:55:58 -0000 1.486
+++ policycoreutils.spec 20 Dec 2007 19:24:12 -0000 1.487
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.34
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -193,9 +193,14 @@
fi
%changelog
-* Tue Dec 19 2007 Dan Walsh <dwalsh at redhat.com> 2.0.34-1
+* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 2.0.34-2
+- Make sepolgen set error exit code when partial failure
+- audit2why now checks booleans for avc diagnosis
+
+* Wed Dec 19 2007 Dan Walsh <dwalsh at redhat.com> 2.0.34-1
- Update to upstream
-* Tue Dec 19 2007 Dan Walsh <dwalsh at redhat.com> 2.0.33-4
+
+* Wed Dec 19 2007 Dan Walsh <dwalsh at redhat.com> 2.0.33-4
- Fix sepolgen to be able to parse Fedora 9 policy
Handle ifelse statements
Handle refpolicywarn inside of define