Commit Graph

50 Commits

Author SHA1 Message Date
Eric Paris
a8a36f88c2 sepolgen: audit2allow: one role/type pair per line
audit2allow was generating rules which would not compile.  We can only
do one per line, not tons of types at one time.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 20:57:24 -04:00
Eric Paris
628bcc69e2 policycoreutils: sepolgen: return and output constraint violation information
update sepolgen to return constraint violation information.  Then output
that information in audit2allow.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 15:08:56 -04:00
Dan Walsh
065e5d3149 sepolgen: Allow returning of bastard matches
Return low quality matches as well as high quality matches.  Sometimes
we just want the crap with the sugar.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 12:16:19 -04:00
Eric Paris
f05a71b92d Version bumps for upstream push 2012-06-28 14:02:29 -04:00
Dan Walsh
0eed03e756 checkpolicy: sepolgen: We need to support files that have a + in them
Filenames can have a +, so we should be able to parse and handle those
files.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 13:29:24 -04:00
Dan Walsh
0ea11e7315 sepolgen: Make use of setools optional within sepolgen
We still want to be able to use sepolgen even if setools isn't
installed.  Degrade functionality, but still work if it can't be found.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwlash@redhat.com>
2012-06-28 13:29:23 -04:00
Eric Paris
7a86fe1a3d bump version and changelog for upstream push 2012-03-28 15:44:05 -04:00
Manoj Srivastava
98455c5524 sepolgen: fix detection of policy loads
I am running into an issue with sepolgen. Debian ships more
than one version of the refpolicy, a default one, and a MLS enabled
one. So, the include files live in either
/usr/share/selinux/{default,mls}/include sepolgen (in
src/sepolgen/defaults.py) sets refpolicy_devel() to a single
location -- and thus, only one version of the security policy may be
supported. So, sepolgen-ifgen from policycoreutils can only work
with one policy, which may not be the one installed on the target
machine. Could this be made configurable, somehow? As far as I can
see, sepolgen's python library does not offer any way to set the
value. This change fixes that. Now you may set the path to look for
development headers in /etc/selinux/sepolgen.conf, in the variable
SELINUX_DEVEL_PATH. The builtin default will have it work on Debian
and fedora machines out of the box.

Signed-off-by: Laurent Bigonville bigon@debian.org
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
8f3207eda0 sepolgen: do not use md5 when calculating hash signatures
FIPS does not allow md5 as a valid algorithm.  Although we don't really
care about cryptographic strength since the algorithm isn't allowed to
be used at all use something strong, like sha256.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Dan Walsh
df45dcdf3d sepolgen: audit.py Dont crash if empty data is passed to sepolgen
If you pass output from a log file that does not include any avc's
audit2allow will crash.  This patch fixes this problem.

ausearch -m avc -ts recent | audit2allow

If there was no AVC's recently, we do not want the python to crash.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:12 -04:00
Dan Walsh
18e3a8d396 checkpolicy: libselinux: Fix dead links to www.nsa.gov/selinux
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 08:39:07 -04:00
Eric Paris
339f8079d7 update VERSION and Changelog for public push 2011-12-21 12:46:04 -05:00
Eric Paris
5c3211bcca sepolgen: better analysis of why things broke
combine analysys of audit2why into audit2allow, so users can see if a
boolean would solve an AVC or if it is a constrain violation.  Rather
then blindly adding allow rules to modules.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-21 12:22:05 -05:00
Eric Paris
d65c02f066 bump version and changelog 2011-12-05 16:20:45 -05:00
Dan Walsh
a0af38a531 sepolgen: Allow ~ as a file identifier
We already allow this in policy, so allow it in sepolgen as well.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-12-05 16:10:37 -05:00
Eric Paris
14e4b70b93 Bump Version and Changelog for commit 2011-11-03 15:26:36 -04:00
Dan Walsh
077e863517 sepolgen: Return name field in avc data
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 16:22:06 -04:00
Dan Walsh
9cbd404ceb sepolgen: Ignore permissive qualifier if found in an interface
During Rawhide releases we change all "unconfined_domains" to
permissive domains in order to find new AVC messages without breaking
rawhide boxes.  The way we do this is changing the unconfined_domain
interface and putting permissive $1; in it.  sepolgen does not like
this and blows up the build.  This patch tells sepolgen to ignore the
permissive in an interface.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 16:22:06 -04:00
Eric Paris
418dbc70e8 Bump version and changelog for all components. 2011-09-16 15:34:36 -04:00
Guido Trentalancia
eb695e5a56 whole tree: default make target to all not install
Change the default "make" target for the libraries from "install" to
"all" in the makefiles.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:04 -04:00
Dan Walsh
b1331909a0 policycoreutils: sepolgen: audit2allow is mistakakenly not allowing valid module names
module names must begin with a letter, optionally followed by letters,
numbers, "-", "_", "."\n'  some of these were being denied.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:03 -04:00
Dan Walsh
ab1195dcfe sepolgen: look for booleans that might solve problems
This patch allows audit2allow to do analysis on the AVC's to see if a
boolean would have solved the problem or if the AVC is caused by a
constraint.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:00 -04:00
Dan Walsh
eecf746aa8 sepolgen: Change perm-map and add open to try to get better results on matches
This patch adds open to sepolgen checks and resets the priorities to
get better matches on AVCs

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-09-16 11:54:00 -04:00
Dan Walsh
037285e936 sepolgen: src: sepolgen: add attribute storing infrastructure
add attribute handling to sepolgen so it can take into account the attributes
within an interface

Signed-off-by: Eric Paris <eparis@redhat.com>
2011-09-15 19:19:58 -04:00
Eric Paris
1f8cf403be update changelog and versions for 2011-08-26 2011-08-26 15:11:58 -04:00
Eric Paris
3f1446944e sepolgen: refparser: include open among valid permissions
The perser doesn't recognize 'open'.  Make it so.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:46:02 -04:00
Eric Paris
de311acdc9 sepolgen: refparser: add support for filename_trans rules
The parser cannot handle the new format of filename_trans rules.  Nor
can it handle the " now used.  Add support for both.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-26 14:44:33 -04:00
Steve Lawrence
44121f6624 Minor version bump for release
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0
2011-07-27 15:32:54 -04:00
Joshua Brindle
4bbaeeb7bb bump sepolgen to 1.0.23 2010-03-24 13:47:39 -04:00
Daniel J Walsh
6e35202e20 sepolgen unit tests fail
Patch to fix unit test.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2010-03-24 13:43:53 -04:00
Karl MacMillan
bc256454b7 Bump sepolgen to 1.0.22 2010-03-23 09:11:24 -04:00
Karl MacMillan
52f9d9f2ad Sepolgen: improve parser error recovery
Sepolgen has long not recovered from parsing errors, leading to
a blacklist of none bad modules in the source. I finally tracked
down the problem (lexer state) and this patch fixes the problem
by causing the lexer to be rebuilt on error.

Acked-by: Joshua Brindle <jbrindle@tresys.com>
2010-03-23 09:10:20 -04:00
Joshua Brindle
e796cee3f5 bump sepolgen to 1.0.21 2010-03-18 16:52:16 -04:00
Daniel J Walsh
03cd8c2d47 This patch allows audit2allow to look at all avc's since the last time the machine booted.
Acked-by: Karl MacMillan <kmacmillan@tresys.com>
2010-03-18 16:36:22 -04:00
Daniel J Walsh
6688e96767 This simple patch fixes the output of sepolgen to match what Chris expects for upstream policy.
Acked-by: Karl MacMillan <kmacmillan@tresys.com>
2010-03-18 16:35:27 -04:00
Joshua Brindle
b5b2c2c2fe bump policycoreutils to 2.0.81 and sepolgen to 1.0.20 2010-03-12 08:32:38 -05:00
Daniel J Walsh
f509e1e8b9 Audit2allow generating dontaudit rules.
On 03/08/2010 11:11 AM, Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com>  wrote:
>
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
>>
>>
<snip>

Ok this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.

No passing of args.

Acked-by: Karl MacMillan <karlwmacmillan@gmail.com>
2010-03-12 08:30:04 -05:00
Joshua Brindle
32cf5d539b bump checkpolicy to 2.0.21, libselinux to 2.0.90 and sepolgen to 1.0.19 2009-11-27 15:03:02 -05:00
Stephen Smalley
a3ccf607a2 policycoreutils: audit2allow -l doesn't work with dmesg pipe
On Mon, 2009-08-24 at 23:37 +1000, Russell Coker wrote:
> On Mon, 24 Aug 2009, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503252
> > >>
> > >> audit2allow -l is looking for the load_policy message which does not go
> > >> to the dmesg, /var/log/messages.  Therefore the tool has no idea when
> > >> policy was last loaded.
> > >
> > > That would be a kernel bug then.
> >
> > Well I believe the messages that are intercepted by the audit.log do not go
> > into dmesg, by design. Although Steve, James or Eric could probably say for
> > sure.
>
> When auditd is not running on a Debian system with CentOS kernel
> 2.6.18-92.1.13.el5xen or Debian/Lenny kernel 2.6.26-2-xen-686 then nothing
> goes to the kernel message log which is interpreted by audit2allow as a
> candidate for the "-l" functionality.
>
> It's OK if all the AVC messages go to the audit log and "dmesg|audit2allow -l"
> gives no output.  But if all AVC messages other than the load_policy message
> go to the kernel message log then it's a bug.

Originally audit2allow used the avc: allowed message generated by
auditallow statement for load_policy to identify policy reloads.  Later
it was switched to use the MAC_POLICY_LOAD events generated by the audit
framework.  Those events should still get logged via printk if auditd is
not running, but it appears that the code (audit_printk_skb) will then
log the type= field as an integer rather than a string, and
audit2allow/sepolgen only looks for the string MAC_POLICY_LOAD.

So I suspect that this would be resolved by modifying sepolgen/audit.py
to also match on type=1403 for load messages.  Try this:

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-11-27 13:33:52 -05:00
Joshua Brindle
f3c3bbd16a bump checkpolicy to 2.0.20, libsepol to 2.0.39, sepolgen to 1.0.18 2009-10-14 15:54:16 -04:00
pjnuzzi
6341f6a492 sepolgen: Add support for multiple target OSes
Add support to sepolgen for new Xen ocontext identifiers.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:46:14 -04:00
Joshua Brindle
4fabd7d0d1 bump sepolgen to 1.0.17 2009-05-05 20:20:36 -04:00
Marshall Miller
7e3311a9a7 sepolgen typo fix
Commit b3b3f8186e attempted to fix a bug,
but didn't.  The following patch should do it.

Marshall Miller

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-04-10 17:26:55 -04:00
Joshua Brindle
6ed00ee094 bump sepolgen to 1.0.16 2009-02-17 12:19:32 -05:00
Joshua Brindle
fb50c7b4ef Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: sepolgen patch
Date: Tue, 13 Jan 2009 08:59:51 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5 semodule packages is being retired.  Supposed to use hashlib now.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklsnlcACgkQrlYvE4MpobMEHQCgiRH3w/m4vTnPSdKfYCJtPHKF
ncEAn2WdQb9l5uiUsmIvp+92mTBAcmCR
=RVRr
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-16 11:50:33 -05:00
Joshua Brindle
a5dfb3abe0 bump sepolgen to 1.0.15 2009-01-12 10:49:36 -05:00
Joshua Brindle
b3b3f8186e Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Problem in sepolgen
Date: Mon, 01 Dec 2008 11:51:19 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

self.roles does not exist, need to return length of dictionary.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk0FgYACgkQrlYvE4MpobP5HwCeNgjPTSPoqBQTXa14ZA9Jc0ww
yycAoNWJhg78BXm4L5Vg9cNAdNa7ggfD
=Uz8t
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-01-12 10:19:59 -05:00
Joshua Brindle
5214ee3d97 bump policycoreutils to 2.0.56 and sepolgen to 1.0.14 2008-09-07 18:57:50 -04:00
Joshua Brindle
ceb5792c21 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Only call gen_requires once.
Date: Thu, 11 Sep 2008 09:35:54 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Currently audit2allow/sepolgen will create two identical gen_requires
block if you have allow rules and a role statement.

This patch fixes this problem.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjJHroACgkQrlYvE4MpobPgMQCghgAMBtaQO0BeZX+ug6IwsWB8
bNEAoMkRo4cZa0iJhGoGMmCvy5ncGpj8
=gMFg
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:48:24 -04:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00