Date: Tue, 15 Aug 2006 18:36:49 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 104092 for review Message-ID: <200608151836.k7FIamTm043480@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=104092 Change 104092 by millert@millert_macbook on 2006/08/15 18:36:39 Update to policycoreutils 1.30.25 from sourceforge Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/ChangeLog#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/VERSION#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2allow/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2allow/audit2allow#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2allow/audit2allow.1#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2allow/avc.py#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2why/audit2why.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/load_policy/load_policy.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/newrole/newrole.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/POTFILES#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/POTFILES.in#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/af.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/am.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ar.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/be.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/bg.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/bn.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/bn_IN.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ca.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/cs.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/cy.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/da.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/de.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/el.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/en_GB.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/es.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/et.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/eu_ES.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/fa.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/fi.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/fr.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/gl.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/gu.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/he.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/hi.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/hr.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/hu.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/hy.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/id.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/is.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/it.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ja.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ka.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/kn.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ko.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ku.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/lo.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/lt.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/lv.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/mk.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ml.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/mr.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ms.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/my.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/nb.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/nl.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/nn.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/no.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/nso.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/or.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/pa.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/pl.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/policycoreutils.pot#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/pt.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/pt_BR.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ro.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ru.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/si.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/sk.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/sl.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/sq.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/sr.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/sv.po#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ta.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/te.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/th.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/tr.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/uk.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/ur.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/vi.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/zh_CN.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/zh_TW.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/po/zu.po#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecon/restorecon.8#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecon/restorecon.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/restorecond.8#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/restorecond.c#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/restorecond.conf#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/restorecond.h#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/restorecond.init#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/stringslist.c#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/stringslist.h#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/utmpwatcher.c#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/restorecond/utmpwatcher.h#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/run_init/open_init_pty.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/run_init/run_init.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/scripts/chcat#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/scripts/fixfiles#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/scripts/genhomedircon#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/secon/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/secon/secon.1#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/secon/secon.c#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semanage/semanage#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semanage/semanage.8#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semanage/seobject.py#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule/semodule.8#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule/semodule.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule_deps/Makefile#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule_deps/semodule_deps.8#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule_deps/semodule_deps.c#1 add .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule_expand/semodule_expand.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule_link/semodule_link.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/semodule_package/semodule_package.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/sestatus/sestatus.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/setfiles/Makefile#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/setfiles/setfiles.c#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/setsebool/setsebool.8#2 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/setsebool/setsebool.c#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/ChangeLog#2 (text+ko) ==== @@ -1,3 +1,106 @@ +1.30.25 2006-08-03 + * Merged patch from Dan Walsh with: + * audit2allow: process MAC_POLICY_LOAD events + * newrole: run shell with - prefix to start a login shell + * po: po file updates + * restorecond: bail if SELinux not enabled + * fixfiles: omit -q + * genhomedircon: fix exit code if non-root + * semodule_deps: install man page + +1.30.24 2006-08-03 + * Merged secon Makefile fix from Joshua Brindle. + +1.30.23 2006-08-03 + * Merged netfilter contexts support patch from Chris PeBenito. + +1.30.22 2006-07-28 + * Merged restorecond size_t fix from Joshua Brindle. + +1.30.21 2006-07-28 + * Merged secon keycreate patch from Michael LeMay. + +1.30.20 2006-07-26 + * Merged restorecond fixes from Dan Walsh. + Merged updated po files from Dan Walsh. + +1.30.19 2006-07-26 + * Merged python gettext patch from Stephen Bennett. + +1.30.18 2006-07-25 + * Merged semodule_deps from Karl MacMillan. + +1.30.17 2006-06-29 + * Lindent. + +1.30.16 2006-06-26 + * Merged patch from Dan Walsh with: + * -p option (progress) for setfiles and restorecon. + * disable context translation for setfiles and restorecon. + * on/off values for setsebool. + +1.30.15 2006-06-26 + * Merged setfiles and semodule_link fixes from Joshua Brindle. + +1.30.14 2006-06-16 + * Merged fix for setsebool error path from Serge Hallyn. + +1.30.13 2006-06-16 + * Merged patch from Dan Walsh with: + * Updated po files. + * Fixes for genhomedircon and seobject. + * Audit message for mass relabel by setfiles. + +1.30.12 2006-06-02 + * Updated fixfiles script for new setfiles location in /sbin. + +1.30.11 2006-05-26 + * Merged more translations from Dan Walsh. + * Merged patch to relocate setfiles to /sbin for early relabel + when /usr might not be mounted from Dan Walsh. + * Merged semanage/seobject patch to preserve fcontext ordering in list. + * Merged secon patch from James Antill. + +1.30.10 2006-05-22 + * Merged patch with updates to audit2allow, secon, genhomedircon, + and semanage from Dan Walsh. + +1.30.9 2006-05-08 + * Fixed audit2allow and po Makefiles for DESTDIR= builds. + * Merged .po file patch from Dan Walsh. + * Merged bug fix for genhomedircon. + +1.30.8 2006-05-08 + * Merged patch from Dan Walsh. + This includes audit2allow changes for analysis plugins, + internationalization support for several additional programs + and added po files, some fixes for semanage, and several cleanups. + It also adds a new secon utility. + +1.30.7 2006-05-05 + * Merged fix warnings patch from Karl MacMillan. + +1.30.6 2006-04-14 + * Merged semanage prefix support from Russell Coker. + +1.30.5 2006-04-11 + * Added a test to setfiles to check that the spec file is + a regular file. + +1.30.4 2006-03-29 + * Merged audit2allow fixes for refpolicy from Dan Walsh. + * Merged fixfiles patch from Dan Walsh. + * Merged restorecond daemon from Dan Walsh. + +1.30.3 2006-03-29 + * Merged semanage non-MLS fixes from Chris PeBenito. + +1.30.2 2006-03-29 + * Merged semanage and semodule man page examples from Thomas Bleher. + +1.30.1 2006-03-20 + * Merged semanage labeling prefix patch from Ivan Gyurdiev. + 1.30 2006-03-14 * Updated version for release. ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/Makefile#2 (text+ko) ==== @@ -1,7 +1,8 @@ -SUBDIRS=setfiles semanage load_policy newrole run_init restorecon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand setsebool po +SUBDIRS=setfiles semanage load_policy newrole run_init restorecon restorecond secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po all install relabel clean: @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ done +test: ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/VERSION#2 (text+ko) ==== @@ -1,1 +1,1 @@ -1.30 +1.30.25 ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2allow/Makefile#2 (text+ko) ==== @@ -1,8 +1,11 @@ # Installation directories. PREFIX ?= ${DESTDIR}/usr BINDIR ?= $(PREFIX)/bin +LIBDIR ?= $(PREFIX)/lib MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale +PYLIBVER ?= python2.4 +PYTHONLIBDIR ?= $(LIBDIR)/$(PYLIBVER) TARGETS=audit2allow @@ -13,6 +16,8 @@ install -m 755 $(TARGETS) $(BINDIR) -mkdir -p $(MANDIR)/man1 install -m 644 audit2allow.1 $(MANDIR)/man1/ + test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages + install -m 755 avc.py $(PYTHONLIBDIR)/site-packages clean: ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2allow/audit2allow#2 (text+ko) ==== @@ -24,438 +24,23 @@ # 02111-1307 USA # # -import commands, sys, os, pwd, string, getopt, re, selinux - -obj="(\{[^\}]*\}|[^ \t:]*)" -allow_regexp="allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj) - -awk_script='/^[[:blank:]]*interface[[:blank:]]*\(/ {\n\ - IFACEFILE=FILENAME\n\ - IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\\\(\`?","","g",$0);\n\ - IFACENAME = gensub("\'?,.*$","","g",IFACENAME);\n\ -}\n\ -\n\ -/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {\n\ -\n\ - if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)){\n\ - ALLOW = gensub("^[[:blank:]]*","","g",$0)\n\ - ALLOW = gensub(";[[:blank:]]*$","","g",$0)\n\ - print FILENAME "\\t" IFACENAME "\\t" ALLOW;\n\ - }\n\ -}\ -' - -class accessTrans: - def __init__(self): - self.dict={} - try: - fd=open("/usr/share/selinux/devel/include/support/obj_perm_sets.spt") - except IOError, error: - raise IOError("Reference policy generation requires the policy development package.\n%s" % error) - records=fd.read().split("\n") - regexp="^define *\(`([^']*)' *, *` *\{([^}]*)}'" - for r in records: - m=re.match(regexp,r) - if m!=None: - self.dict[m.groups()[0]] = m.groups()[1].split() - fd.close() - def get(self, var): - l=[] - for v in var: - if v in self.dict.keys(): - l += self.dict[v] - else: - if v not in ("{", "}"): - l.append(v) - return l - -class interfaces: - def __init__(self): - self.dict={} - trans=accessTrans() - (input, output) = os.popen2("awk -f - /usr/share/selinux/devel/include/*/*.if 2> /dev/null") - input.write(awk_script) - input.close() - records=output.read().split("\n") - input.close() - if len(records) > 0: - regexp="([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp - for r in records: - m=re.match(regexp,r) - if m==None: - continue - else: - val=m.groups() - file=os.path.basename(val[0]).split(".")[0] - iface=val[1] - Scon=val[2].split() - Tcon=val[3].split() - Class=val[4].split() - Access=trans.get(val[5].split()) - for s in Scon: - for t in Tcon: - for c in Class: - if (s, t, c) not in self.dict.keys(): - self.dict[(s, t, c)]=[] - self.dict[(s, t, c)].append((Access, file, iface)) - def out(self): - keys=self.dict.keys() - keys.sort() - for k in keys: - print k - for i in self.dict[k]: - print "\t", i - - def match(self, Scon, Tcon, Class, Access): - keys=self.dict.keys() - ret=[] - if (Scon, Tcon, Class) in keys: - for i in self.dict[(Scon, Tcon, Class)]: - if Access in i[0]: - if i[2].find(Access) >= 0: - ret.insert(0, i) - else: - ret.append(i) - return ret - if ("$1", Tcon, Class) in keys: - for i in self.dict[("$1", Tcon, Class)]: - if Access in i[0]: - if i[2].find(Access) >= 0: - ret.insert(0, i) - else: - ret.append(i) - return ret - if (Scon, "$1", Class) in keys: - for i in self.dict[(Scon, "$1", Class)]: - if Access in i[0]: - if i[2].find(Access) >= 0: - ret.insert(0, i) - else: - ret.append(i) - return ret - else: - return ret - - -class serule: - def __init__(self, type, source, target, seclass): - self.type=type - self.source=source - self.target=target - self.seclass=seclass - self.avcinfo={} - self.iface=None - - def add(self, avc): - for a in avc[0]: - if a not in self.avcinfo.keys(): - self.avcinfo[a]=[] - - self.avcinfo[a].append(avc[1:]) - - def getAccess(self): - if len(self.avcinfo.keys()) == 1: - for i in self.avcinfo.keys(): - return i - else: - keys=self.avcinfo.keys() - keys.sort() - ret="{" - for i in keys: - ret=ret + " " + i - ret=ret+" }" - return ret - def out(self, verbose=0): - ret="" - ret=ret+"%s %s %s:%s %s;" % (self.type, self.source, self.gettarget(), self.seclass, self.getAccess()) - if verbose: - keys=self.avcinfo.keys() - keys.sort() - for i in keys: - for x in self.avcinfo[i]: - ret=ret+"\n\t#TYPE=AVC MSG=%s " % x[0] - if len(x[1]): - ret=ret+"COMM=%s " % x[1] - if len(x[2]): - ret=ret+"NAME=%s " % x[2] - ret=ret + " : " + i - return ret - - def gen_reference_policy(self, iface): - ret="" - Scon=self.source - Tcon=self.gettarget() - Class=self.seclass - Access=self.getAccess() - m=iface.match(Scon,Tcon,Class,Access) - if len(m)==0: - return self.out() - else: - file=m[0][1] - ret="\n#%s\n"% self.out() - ret += "optional_policy(`%s', `\n" % m[0][1] - first=True - for i in m: - if file != i[1]: - ret += "')\ngen_require(`%s', `\n" % i[1] - file = i[1] - first=True - if first: - ret += "\t%s(%s)\n" % (i[2], Scon) - first=False - else: - ret += "#\t%s(%s)\n" % (i[2], Scon) - ret += "');" - return ret - - def gettarget(self): - if self.source == self.target: - return "self" - else: - return self.target - -class seruleRecords: - def __init__(self, input, last_reload=0, verbose=0, te_ind=0): - self.last_reload=last_reload - self.seRules={} - self.seclasses={} - self.types=[] - self.roles=[] - self.load(input, te_ind) - self.gen_ref_policy = False - - def gen_reference_policy(self): - self.gen_ref_policy = True - self.iface=interfaces() - - def warning(self, error): - sys.stderr.write("%s: " % sys.argv[0]) - sys.stderr.write("%s\n" % error) - sys.stderr.flush() - - def load(self, input, te_ind=0): - VALID_CMDS=("allow", "dontaudit", "auditallow", "role") - - avc=[] - found=0 - line = input.readline() - if te_ind: - while line: - rec=line.split() - if len(rec) and rec[0] in VALID_CMDS: - self.add_terule(line) - line = input.readline() - - else: - while line: - rec=line.split() - for i in rec: - if i=="avc:" or i=="message=avc:" or i=="msg='avc:": - - found=1 - else: - avc.append(i) - if found: - self.add(avc) - found=0 - avc=[] - line = input.readline() - - - def get_target(self, i, rule): - target=[] - if rule[i][0] == "{": - for t in rule[i].split("{"): - if len(t): - target.append(t) - i=i+1 - for s in rule[i:]: - if s.find("}") >= 0: - for s1 in s.split("}"): - if len(s1): - target.append(s1) - i=i+1 - return (i, target) - - target.append(s) - i=i+1 - else: - if rule[i].find(";") >= 0: - for s1 in rule[i].split(";"): - if len(s1): - target.append(s1) - else: - target.append(rule[i]) - - i=i+1 - return (i, target) - - def rules_split(self, rules): - (idx, target ) = self.get_target(0, rules) - (idx, subject) = self.get_target(idx, rules) - return (target, subject) - - def add_terule(self, rule): - rc = rule.split(":") - rules=rc[0].split() - type=rules[0] - if type == "role": - print type - (sources, targets) = self.rules_split(rules[1:]) - rules=rc[1].split() - (seclasses, access) = self.rules_split(rules) - for scon in sources: - for tcon in targets: - for seclass in seclasses: - self.add_rule(type, scon, tcon, seclass,access) - - def add_rule(self, rule_type, scon, tcon, seclass, access, msg="", comm="", name=""): - self.add_seclass(seclass, access) - self.add_type(tcon) - self.add_type(scon) - if (rule_type, scon, tcon, seclass) not in self.seRules.keys(): - self.seRules[(rule_type, scon, tcon, seclass)]=serule(rule_type, scon, tcon, seclass) - - self.seRules[(rule_type, scon, tcon, seclass)].add((access, msg, comm, name )) - - def add(self,avc): - scon="" - tcon="" - seclass="" - comm="" - name="" - msg="" - access=[] - if "security_compute_sid" in avc: - return - - if "load_policy" in avc and self.last_reload: - self.seRules={} - - if "granted" in avc: - return - try: - for i in range (0, len(avc)): - if avc[i]=="{": - i=i+1 - while i<len(avc) and avc[i] != "}": - access.append(avc[i]) - i=i+1 - continue - - t=avc[i].split('=') - if len(t) < 2: - continue - if t[0]=="scontext": - context=t[1].split(":") - scon=context[2] - srole=context[1] - continue - if t[0]=="tcontext": - context=t[1].split(":") - tcon=context[2] - trole=context[1] - continue - if t[0]=="tclass": - seclass=t[1] - continue - if t[0]=="comm": - comm=t[1] - continue - if t[0]=="name": - name=t[1] - continue - if t[0]=="msg": - msg=t[1] - continue - - if scon=="" or tcon =="" or seclass=="": - return - except IndexError, e: - self.warning("Bad AVC Line: %s" % avc) - return - - self.add_role(srole) - self.add_role(trole) - self.add_rule("allow", scon, tcon, seclass, access, msg, comm, name) +from avc import * - def add_seclass(self,seclass, access): - if seclass not in self.seclasses.keys(): - self.seclasses[seclass]=[] - for a in access: - if a not in self.seclasses[seclass]: - self.seclasses[seclass].append(a) - - def add_role(self,role): - if role not in self.roles: - self.roles.append(role) - - def add_type(self,type): - if type not in self.types: - self.types.append(type) - - def gen_module(self, module): - return "module %s 1.0;" % module - - def gen_requires(self): - self.roles.sort() - self.types.sort() - keys=self.seclasses.keys() - keys.sort() - rec="\n\nrequire {\n" - if len(self.roles) > 0: - for i in self.roles: - rec += "\trole %s; \n" % i - rec += "\n" - - for i in keys: - access=self.seclasses[i] - if len(access) > 1: - access.sort() - rec += "\tclass %s {" % i - for a in access: - rec += " %s" % a - rec += " }; \n" - else: - rec += "\tclass %s %s;\n" % (i, access[0]) - - rec += "\n" - - for i in self.types: - rec += "\ttype %s; \n" % i - rec += " };\n\n\n" - return rec - - def out(self, require=0, module=""): - rec="" - if len(self.seRules.keys())==0: - raise(ValueError("No AVC messages found.")) - if module != "": - rec += self.gen_module(module) - rec += self.gen_requires() - else: - if requires: - rec+=self.gen_requires() - - keys=self.seRules.keys() - keys.sort() - for i in keys: - if self.gen_ref_policy: - rec += self.seRules[i].gen_reference_policy(self.iface)+"\n" - else: - rec += self.seRules[i].out(verbose)+"\n" - return rec - if __name__ == '__main__': - + import commands, sys, os, getopt, selinux + import gettext + try: + gettext.install('policycoreutils') + except: + pass def get_mls_flag(): if selinux.is_selinux_mls_enabled(): return "-M" else: return "" - def usage(msg=""): - print 'audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\ + def usage(msg = ""): + print _('audit2allow [-adhilrv] [-t file ] [ -f fcfile ] [-i <inputfile> ] [[-m|-M] <modulename> ] [-o <outputfile>]\n\ -a, --all read input from audit and message log, conflicts with -i\n\ -d, --dmesg read input from output of /bin/dmesg\n\ -h, --help display this message\n\ @@ -465,10 +50,11 @@ -M generate loadable module package, conflicts with -o\n\ -o, --output append output to <outputfile>, conflicts with -M\n\ -r, --requires generate require output \n\ - -t, --tefile Indicates input is Existing Type Enforcement file\n\ + -t, --tefile Add input from Existing Type Enforcement file\n\ -f, --fcfile Existing Type Enforcement file, requires -M\n\ -v, --verbose verbose output\n\ - ' + -A, --analyze Analyze output\n\ + ') if msg != "": print msg sys.exit(1) @@ -483,24 +69,26 @@ # # try: - last_reload=0 - input=sys.stdin - output=sys.stdout - module="" - requires=0 - verbose=0 - auditlogs=0 - buildPP=0 - input_ind=0 - output_ind=0 - ref_ind=False - te_ind=0 + last_reload = 0 + inputfd = sys.stdin + output = sys.stdout + module = "" + requires = 0 + verbose = 0 + auditlogs = 0 + buildPP = 0 + input_ind = 0 + output_ind = 0 + ref_ind = False + analyze = False + te_inputs = [] - fc_file="" + fc_file = "" gopts, cmds = getopt.getopt(sys.argv[1:], - 'adf:hi:lm:M:o:rtvR', + 'Aadf:hi:lm:M:o:rt:vR', ['all', - 'dmesg', + 'analyze', + 'dmesg', 'fcfile=', 'help', 'input=', @@ -509,57 +97,61 @@ 'output=', 'requires', 'reference', - 'tefile', + 'tefile=', 'verbose' ]) for o,a in gopts: if o == "-a" or o == "--all": - if input_ind or te_ind: + if input_ind: usage() - input=open("/var/log/messages", "r") - auditlogs=1 + inputfd = open("/var/log/messages", "r") + auditlogs = 1 if o == "-d" or o == "--dmesg": - input=os.popen("/bin/dmesg", "r") + inputfd = os.popen("/bin/dmesg", "r") if o == "-f" or o == "--fcfile": - if a[0]=="-": + if a[0] == "-": usage() - fc_file=a + fc_file = a if o == "-h" or o == "--help": usage() if o == "-i"or o == "--input": - if auditlogs or a[0]=="-": + if auditlogs or a[0] == "-": usage() - input_ind=1 - input=open(a, "r") + input_ind = 1 + inputfd = open(a, "r") if o == '--lastreload' or o == "-l": - last_reload=1 + last_reload = 1 if o == "-m" or o == "--module": - if module != "" or a[0]=="-": + if module != "" or a[0] == "-": usage() - module=a + module = a if o == "-M": - if module != "" or output_ind or a[0]=="-": + if module != "" or output_ind or a[0] == "-": usage() - module=a - outfile=a+".te" - buildPP=1 - output=open(outfile, "w") + module = a + outfile = a+".te" + buildPP = 1 + if not os.path.exists("/usr/bin/checkmodule"): + errorExit("-M Requires the checkmodule command, you need to install the checkpolicy rpm package") + output = open(outfile, "w") if o == "-r" or o == "--requires": - requires=1 + requires = 1 if o == "-t" or o == "--tefile": - if auditlogs: - usage() - te_ind=1 + te_inputs.append(open(a, "r")) + if o == "-R" or o == "--reference": - ref_ind=True + ref_ind = True if o == "-o" or o == "--output": - if module != "" or a[0]=="-": + if module != "" or a[0] == "-": usage() - output=open(a, "a") - output_ind=1 + output = open(a, "a") + output_ind = 1 if o == "-v" or o == "--verbose": - verbose=1 + verbose = 1 + + if o == "-A" or o == "--analyze": + analyze = True if len(cmds) != 0: usage() @@ -567,42 +159,52 @@ if fc_file != "" and not buildPP: usage("Error %s: Option -fc requires -M" % sys.argv[0]) - out=seruleRecords(input, last_reload, verbose, te_ind) + serules = SERules(last_reload, verbose) + + for i in te_inputs: + te = TERules(serules) + te.load(i) + + serules.load(inputfd) if ref_ind: - out.gen_reference_policy() + serules.gen_reference_policy() + + if analyze: + serules.analyze() + sys.exit(0) - if auditlogs: - input=os.popen("ausearch -m avc") - out.load(input) + if auditlogs and os.path.exists("/var/log/audit/audit.log"): + inputfd = os.popen("ausearch -m avc,MAC_POLICY_LOAD") + serules.load(inputfd) if buildPP: - print ("Generating type enforcment file: %s.te" % module) - output.write(out.out(requires, module)) + print (_("Generating type enforcment file: %s.te") % module) + output.write(serules.out(requires, module)) output.flush() if buildPP: - cmd="checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) - print "Compiling policy" + cmd = "checkmodule %s -m -o %s.mod %s.te" % (get_mls_flag(), module, module) + print _("Compiling policy") print cmd - rc=commands.getstatusoutput(cmd) - if rc[0]==0: - cmd="semodule_package -o %s.pp -m %s.mod" % (module, module) + rc = commands.getstatusoutput(cmd) + if rc[0] == 0: + cmd = "semodule_package -o %s.pp -m %s.mod" % (module, module) if fc_file != "": cmd = "%s -f %s" % (cmd, fc_file) print cmd - rc=commands.getstatusoutput(cmd) - if rc[0]==0: - print ("\n******************** IMPORTANT ***********************\n") - print ("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n" % module) + rc = commands.getstatusoutput(cmd) + if rc[0] == 0: + print _("\n******************** IMPORTANT ***********************\n") + print (_("In order to load this newly created policy package into the kernel,\nyou are required to execute \n\nsemodule -i %s.pp\n\n") % module) else: errorExit(rc[1]) else: errorExit(rc[1]) except getopt.error, error: - errorExit("Options Error " + error.msg) + errorExit(_("Options Error: %s ") % error.msg) except ValueError, error: errorExit(error.args[0]) except IOError, error: ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2allow/audit2allow.1#2 (text+ko) ==== @@ -66,7 +66,7 @@ Generate require output syntax for loadable modules. .TP .B "\-R" | "\-\-reference" -Generate reference policy using installed macros +Generate reference policy using installed macros. Requires the selinux-policy-devel package. .TP .B "\-t " | "\-\-tefile" Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format. @@ -98,6 +98,11 @@ .PP .SH EXAMPLE .nf +.B NOTE: These examples are for systems using the audit package. If you do +.B not use the audit package, the AVC messages will be in /var/log/messages. +.B Please substitute /var/log/messages for /var/log/audit/audit.log in the +.B examples. +.PP .B Using audit2allow to generate monolithic (non-module) policy $ cd /etc/selinux/$SELINUXTYPE/src/policy $ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/policycoreutils/audit2why/audit2why.c#2 (text+ko) ==== @@ -15,13 +15,14 @@ #define TCONTEXT "tcontext=" #define TCLASS "tclass=" -void usage(char *progname, int rc) +void usage(char *progname, int rc) { - fprintf(stderr, "usage: %s [-p policy] < /var/log/audit/audit.log\n", progname); + fprintf(stderr, "usage: %s [-p policy] < /var/log/audit/audit.log\n", + progname); exit(rc); } -int main(int argc, char **argv) +int main(int argc, char **argv) { char path[PATH_MAX]; char *buffer = NULL, *bufcopy = NULL; @@ -62,25 +63,30 @@ if (!set_path) { if (!is_selinux_enabled()) { - fprintf(stderr, "%s: Must specify -p policy on non-SELinux systems\n", argv[0]); + fprintf(stderr, + "%s: Must specify -p policy on non-SELinux systems\n", >>> TRUNCATED FOR MAIL (1000 lines) <<<
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608151836.k7FIamTm043480>