rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.339, 1.340 policycoreutils-sepolgen.patch, 1.7, 1.8 policycoreutils.spec, 1.487, 1.488
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Dec 21 07:14:18 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19210
Modified Files:
policycoreutils-rhat.patch policycoreutils-sepolgen.patch
policycoreutils.spec
Log Message:
* Fri Dec 21 2007 Dan Walsh <dwalsh at redhat.com> 2.0.34-3
- Catch SELINUX_ERR with audit2allow and generate policy
policycoreutils-rhat.patch:
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.339
retrieving revision 1.340
diff -u -r1.339 -r1.340
--- policycoreutils-rhat.patch 20 Dec 2007 19:24:11 -0000 1.339
+++ policycoreutils-rhat.patch 21 Dec 2007 07:14:11 -0000 1.340
@@ -1,6 +1,6 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.34/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.34/audit2allow/audit2allow 2007-12-19 06:05:50.000000000 -0500
++++ policycoreutils-2.0.34/audit2allow/audit2allow 2007-12-21 01:59:57.000000000 -0500
@@ -60,7 +60,9 @@
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
@@ -12,6 +12,32 @@
parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
default=False, help="explain generated output")
parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
+@@ -149,9 +151,11 @@
+ if self.__options.type:
+ filter = audit.TypeFilter(self.__options.type)
+ self.__avs = self.__parser.to_access(filter)
++ self.__selinux_errs = self.__parser.to_role(filter)
+ else:
+ self.__avs = self.__parser.to_access()
+-
++ self.__selinux_errs = self.__parser.to_role()
++
+ def __load_interface_info(self):
+ # Load interface info file
+ if self.__options.interface_info:
+@@ -251,6 +255,12 @@
+ fd = sys.stdout
+ writer.write(g.get_module(), fd)
+
++ if len(self.__selinux_errs) > 0:
++ fd.write("\n=========== ROLES ===============\n")
++
++ for role in self.__selinux_errs:
++ fd.write(role.output())
++
+ def main(self):
+ try:
+ self.__parse_options()
diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.34/audit2allow/audit2allow.1
--- nsapolicycoreutils/audit2allow/audit2allow.1 2007-07-16 14:20:41.000000000 -0400
+++ policycoreutils-2.0.34/audit2allow/audit2allow.1 2007-12-19 06:05:50.000000000 -0500
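Review bot: The `ROLES` banner added in the inner `@@ -251,6 +255,12 @@` hunk goes to the same `fd` that `writer.write(g.get_module(), fd)` has just written the policy to, and it is not a policy comment, so when `fd` is the `-o` output file the result would no longer compile as policy source. Emitting it as a comment, `fd.write("\n#=========== ROLES ===============\n")`, keeps the file usable. The loop also writes one `role.output()` line per entry in `self.__selinux_errs`, so unless those messages are de-duplicated elsewhere, repeated SELINUX_ERR records produce repeated `role ... types ...;` statements; iterating over a set of the output strings would avoid that. Indentation is lost on this page and the enclosing method starts outside the hunk, so it is worth confirming that `fd` is bound on every path that reaches the new block.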
policycoreutils-sepolgen.patch:
Index: policycoreutils-sepolgen.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-sepolgen.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policycoreutils-sepolgen.patch 20 Dec 2007 19:24:12 -0000 1.7
+++ policycoreutils-sepolgen.patch 21 Dec 2007 07:14:11 -0000 1.8
@@ -1,3 +1,53 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py 2007-09-13 08:21:11.000000000 -0400
++++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/audit.py 2007-12-21 02:10:43.000000000 -0500
+@@ -32,7 +32,7 @@
+ string contain all of the audit messages returned by ausearch.
+ """
+ import subprocess
+- output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START"],
++ output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR"],
+ stdout=subprocess.PIPE).communicate()[0]
+ return output
+
+@@ -251,7 +251,9 @@
+ self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+ except:
+ raise ValueError("Split string does not represent a valid compute sid message")
+-
++ def output(self):
++ return "role %s types %s;\n" % (self.role, self.type)
++
+ # Parser for audit messages
+
+ class AuditParser:
+@@ -402,6 +404,26 @@
+ self.__parse(l)
+ self.__post_process()
+
++ def to_role(self, role_filter=None):
++ """Return list of SELINUX_ERR messages matching the specified filter
++
++ Filter out types that match the filer, or all roles
++
++ Params:
++ role_filter - [optional] Filter object used to filter the
++ output.
++ Returns:
++ Access vector set representing the denied access in the
++ audit logs parsed by this object.
++ """
++ roles = []
++ if role_filter:
++ for selinux_err in self.compute_sid_msgs:
++ if role_filter.filter(selinux_err):
++ roles.append(selinux_err)
++ return roles
++ return self.compute_sid_msgs
++
+ def to_access(self, avc_filter=None, only_denials=True):
+ """Convert the audit logs access into a an access vector set.
+
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2007-09-13 08:21:11.000000000 -0400
+++ policycoreutils-2.0.34/sepolgen-1.0.10/src/sepolgen/refparser.py 2007-12-20 14:20:49.000000000 -0500
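Review bot: The docstring added to `to_role` appears to be carried over from `to_access`: it promises an "Access vector set representing the denied access", but the body returns a plain list taken from `self.compute_sid_msgs`, and "filer" is a typo for "filter". The Returns text should say something like `List of compute-SID (SELINUX_ERR) messages, restricted by role_filter when one is given.` With no filter the method returns `self.compute_sid_msgs` itself rather than a copy, so a caller that mutates the result changes parser state; `return list(self.compute_sid_msgs)` would make both paths return a fresh list. The new `output()` formats `self.role` and `self.type` directly into a `role ... types ...;` statement, so the generated role rules need the same manual review as generated allow rules before they are loaded.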
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.487
retrieving revision 1.488
diff -u -r1.487 -r1.488
--- policycoreutils.spec 20 Dec 2007 19:24:12 -0000 1.487
+++ policycoreutils.spec 21 Dec 2007 07:14:11 -0000 1.488
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.34
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -193,6 +193,9 @@
fi
%changelog
+* Fri Dec 21 2007 Dan Walsh <dwalsh at redhat.com> 2.0.34-3
+- Catch SELINUX_ERR with audit2allow and generate policy
+
* Thu Dec 20 2007 Dan Walsh <dwalsh at redhat.com> 2.0.34-2
- Make sepolgen set error exit code when partial failure
- audit2why now checks booleans for avc diagnosis