From: <ssm...@us...> - 2008-01-23 20:24:18
Revision: 2741
http://selinux.svn.sourceforge.net/selinux/?rev=2741&view=rev
Author: ssmalley
Date: 2008-01-23 12:24:15 -0800 (Wed, 23 Jan 2008)
Log Message:
-----------
Author: Daniel J Walsh
Email: dw...@re...
Subject: Patch to use new audit2why interface in via audit2allow
Date: Fri, 11 Jan 2008 16:11:30 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Added a --why qualifier to audit2allow, which gives the same output as
audit2why.
Removed audit2why.c and replaced it with a script
#!/bin/sh
/usr/bin/audit2allow -w $*
This way audit2why can take advantage of the parsing available in
audit2allow.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkeH24EACgkQrlYvE4MpobMSagCgmK5S8TGx8485X1769oqrzLF6
iuwAoKUWB6tGrrTHFkDJqz41xTSv1Tvy
=M+CO
-----END PGP SIGNATURE-----
Modified Paths:
--------------
trunk/policycoreutils/audit2allow/audit2allow
trunk/policycoreutils/audit2allow/audit2allow.1
trunk/policycoreutils/audit2why/Makefile
Added Paths:
-----------
trunk/policycoreutils/audit2why/audit2why
trunk/policycoreutils/audit2why/audit2why.1
Modified: trunk/policycoreutils/audit2allow/audit2allow
===================================================================
--- trunk/policycoreutils/audit2allow/audit2allow 2008-01-23 20:22:37 UTC (rev 2740)
+++ trunk/policycoreutils/audit2allow/audit2allow 2008-01-23 20:24:15 UTC (rev 2741)
@@ -60,7 +60,10 @@
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
- default=False, help="generate refpolicy style output")
+ default=True, help="generate refpolicy style output")
+
+ parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
+ default=False, help="do not generate refpolicy style output")
parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
default=False, help="explain generated output")
parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
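Review bot: The `-R` and `-N` options share `dest="refpolicy"` but set different defaults (`default=True` on the -R line, `default=False` on the -N line); in optparse the last `default=` registered for a dest wins, so `refpolicy` still defaults to False and the intended "reference policy is the default" behaviour does not take effect. State the default once, on the option registered last, or drop it from -N: `parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy", help="do not generate refpolicy style output")`. The man-page hunk in this same commit documents -R as "Default", so code and documentation currently disagree. The enclosing option-parsing method starts and ends outside this hunk.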
@@ -72,6 +75,9 @@
parser.add_option("--debug", dest="debug", action="store_true", default=False,
help="leave generated modules for -M")
+ parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False,
+ help="Translates SELinux audit messages into a description of why the access was denied")
+
options, args = parser.parse_args()
# Make -d, -a, and -i conflict
@@ -149,8 +155,10 @@
if self.__options.type:
filter = audit.TypeFilter(self.__options.type)
self.__avs = self.__parser.to_access(filter)
+ self.__selinux_errs = self.__parser.to_role(filter)
else:
self.__avs = self.__parser.to_access()
+ self.__selinux_errs = self.__parser.to_role()
def __load_interface_info(self):
# Load interface info file
@@ -210,7 +218,71 @@
sys.stdout.write((_("To make this policy package active, execute:" +\
"\n\nsemodule -i %s\n\n") % packagename))
+ def __output_audit2why(self):
+ import selinux
+ import selinux.audit2why as audit2why
+ audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers()))
+ for i in self.__parser.avc_msgs:
+ rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
+ if rc >= 0:
+ print "%s\n\tWas caused by:" % i.message
+ if rc == audit2why.NOPOLICY:
+ raise "Must call policy_init first"
+ if rc == audit2why.BADTCON:
+ print "Invalid Target Context %s\n" % i.tcontext
+ continue
+ if rc == audit2why.BADSCON:
+ print "Invalid Source Context %s\n" % i.scontext
+ continue
+ if rc == audit2why.BADSCON:
+ print "Invalid Type Class %s\n" % i.tclass
+ continue
+ if rc == audit2why.BADPERM:
+ print "Invalid permission %s\n" % i.accesses
+ continue
+ if rc == audit2why. BADCOMPUTE:
+ raise "Error during access vector computation"
+ if rc == audit2why.ALLOW:
+ print "\t\tUnknown - would be allowed by active policy\n",
+ print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
+ print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
+ continue
+ if rc == audit2why.BOOLEAN:
+ if len(bools) > 1:
+ print "\tOne of the following booleans being set incorrectly."
+ for b in bools:
+ print "\n\tBoolean %s is %d. Allow access by executing:" % (b[0], not b[1])
+ print "\t# setsebool -P %s %d" % (b[0], b[1])
+ else:
+ print "\tThe boolean %s set incorrectly. Allow access by executing:" % bools[0][0]
+ print "\t# setsebool -P %s %d\n" % (bools[0][0], bools[0][1])
+
+ continue
+
+ if rc == audit2why.TERULE:
+ print "\t\tMissing or disabled type enforcingment (TE) allow rule.\n"
+ print "\t\tYou can use audit2allow to generate the missing allow rules and/or load policy to allow this access.\n"
+ continue
+
+ if rc == audit2why.CONSTRAINT:
+ print "\t\tConstraint violation.\n"
+ print "\t\tCheck policy/constraints.\n"
+ print "\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n"
+ continue
+
+ if rc == audit2why.RBAC:
+ print "\t\tMissing role allow rule.\n"
+ print "\t\tAdd allow rule for the role pair.\n"
+ continue
+
+ audit2why.finish()
+ return
+
def __output(self):
+
+ if self.__options.audit2why:
+ return self.__output_audit2why()
+
g = policygen.PolicyGenerator()
if self.__options.module:
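Review bot: `if rc == audit2why.BADSCON:` appears twice in `__output_audit2why`, and the second copy guards the "Invalid Type Class" message, so that branch is unreachable and a bad object class is reported as a bad source context; the second test should presumably use the binding's bad-class constant (`BADTCLASS` in libselinux's audit2why module, confirm the name), `if rc == audit2why.BADTCLASS:`. The two `raise "..."` statements raise string exceptions, which callers cannot catch by class and which are deprecated; use `raise RuntimeError("Must call policy_init first")` and `raise RuntimeError("Error during access vector computation")`. The user-facing TERULE message misspells "enforcement" in `"Missing or disabled type enforcingment (TE) allow rule."`. `audit2why.finish()` is also skipped whenever one of those raises fires, so a `try`/`finally` around the loop would guarantee the policy handle is released. `__output` begins in this hunk but its body continues past it.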
@@ -251,6 +323,12 @@
fd = sys.stdout
writer.write(g.get_module(), fd)
+ if len(self.__selinux_errs) > 0:
+ fd.write("\n=========== ROLES ===============\n")
+
+ for role in self.__selinux_errs:
+ fd.write(role.output())
+
def main(self):
try:
self.__parse_options()
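Review bot: `if len(self.__selinux_errs) > 0:` on the added line is the non-idiomatic spelling of a truthiness test; `if self.__selinux_errs:` reads the same and also tolerates a None result from `to_role()`. The `fd.write(role.output())` loop relies on `output()` returning a string, which nothing in the hunk establishes; a short hedge comment such as `# NOTE(review): assumes role.output() returns the "role allow" text as a str — confirm` would make the assumption visible. `__output` starts before this hunk.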
Modified: trunk/policycoreutils/audit2allow/audit2allow.1
===================================================================
--- trunk/policycoreutils/audit2allow/audit2allow.1 2008-01-23 20:22:37 UTC (rev 2740)
+++ trunk/policycoreutils/audit2allow/audit2allow.1 2008-01-23 20:24:15 UTC (rev 2741)
@@ -24,7 +24,12 @@
.\"
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
-audit2allow \- generate SELinux policy allow rules from logs of denied operations
+.BR audit2allow
+ \- generate SELinux policy allow rules from logs of denied operations
+
+.BR audit2why
+ \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+
.SH SYNOPSIS
.B audit2allow
.RI [ options "] "
@@ -65,12 +70,19 @@
.B "\-r" | "\-\-requires"
Generate require output syntax for loadable modules.
.TP
+.B "\-N" | "\-\-noreference"
+Do not generate reference policy, traditional style allow rules.
+.TP
.B "\-R" | "\-\-reference"
-Generate reference policy using installed macros. Requires the selinux-policy-devel package.
+Generate reference policy using installed macros.Default
.TP
.B "\-t " | "\-\-tefile"
Indicates input file is a te (type enforcement) file. This can be used to translate old te format to new policy format.
.TP
+.B "\-w" | "\-\-why"
+Translates SELinux audit messages into a description of why the access wasn denied
+
+.TP
.B "\-v" | "\-\-verbose"
Turn on verbose output
Modified: trunk/policycoreutils/audit2why/Makefile
===================================================================
--- trunk/policycoreutils/audit2why/Makefile 2008-01-23 20:22:37 UTC (rev 2740)
+++ trunk/policycoreutils/audit2why/Makefile 2008-01-23 20:24:15 UTC (rev 2741)
@@ -1,16 +1,8 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
BINDIR ?= $(PREFIX)/bin
-LIBDIR ?= ${PREFIX}/lib
MANDIR ?= $(PREFIX)/share/man
-LOCALEDIR ?= /usr/share/locale
-INCLUDEDIR ?= ${PREFIX}/include
-
-CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(INCLUDEDIR)
-LDLIBS = ${LIBDIR}/libsepol.a -lselinux -L$(LIBDIR)
-
TARGETS=audit2why
all: $(TARGETS)
@@ -18,13 +10,5 @@
install: all
-mkdir -p $(BINDIR)
install -m 755 $(TARGETS) $(BINDIR)
- -mkdir -p $(MANDIR)/man8
- install -m 644 audit2why.8 $(MANDIR)/man8/
-
-clean:
- -rm -f $(TARGETS) *.o
-
-indent:
- ../../scripts/Lindent $(wildcard *.[ch])
-
-relabel:
+ -mkdir -p $(MANDIR)/man1
+ install -m 644 audit2why.1 $(MANDIR)/man1/
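Review bot: The `clean`, `indent` and `relabel` targets are deleted together with the C build, so this Makefile can no longer answer those goals; if the top-level policycoreutils Makefile recurses into each subdirectory for them (not visible here, so unconfirmed), a top-level `make clean` or `make relabel` would now fail with "No rule to make target". Keep empty stubs and declare the phony targets: `clean indent relabel:` followed by `.PHONY: all install clean indent relabel`. The surviving `-mkdir -p $(BINDIR)` and `-mkdir -p $(MANDIR)/man1` lines keep the `-` prefix, which hides a genuine failure to create the directory; `mkdir -p` already tolerates an existing directory, so the prefix can be dropped.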
Added: trunk/policycoreutils/audit2why/audit2why
===================================================================
--- trunk/policycoreutils/audit2why/audit2why (rev 0)
+++ trunk/policycoreutils/audit2why/audit2why 2008-01-23 20:24:15 UTC (rev 2741)
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/bin/audit2allow -w $*
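Review bot: `$*` on the second line joins the arguments and re-splits them on whitespace, so a log path containing spaces, or an argument with a glob character, reaches audit2allow mangled; `exec /usr/bin/audit2allow -w "$@"` preserves each argument exactly and also avoids leaving the wrapper shell around as a parent process. The absolute `/usr/bin/audit2allow` path is hard-coded while the Makefile in this commit installs into a configurable `$(BINDIR)` under `$(PREFIX)`, so an installation with a non-default prefix gets a wrapper that points at a location where audit2allow may not exist. A one-line comment above the call, `# Thin wrapper: audit2why is audit2allow in --why (-w) mode`, would document the relationship for the next maintainer.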
Added: trunk/policycoreutils/audit2why/audit2why.1
===================================================================
--- trunk/policycoreutils/audit2why/audit2why.1 (rev 0)
+++ trunk/policycoreutils/audit2why/audit2why.1 2008-01-23 20:24:15 UTC (rev 2741)
@@ -0,0 +1 @@
+.so man1/audit2allow.1