List: selinux
Subject: Re: audit2allow patch
From: Stephen Smalley <sds () tycho ! nsa ! gov>
Date: 2008-01-24 18:56:23
Message-ID: 1201200983.21288.95.camel () moss-spartans ! epoch ! ncsc ! mil
On Thu, 2008-01-24 at 13:37 -0500, Stephen Smalley wrote:
> On Wed, 2008-01-23 at 17:22 -0500, Daniel J Walsh wrote:
> > Ran through pychecker and cleaned up some bugs.
> >
> > Also added boolean descriptions from the policy.xml file.
> >
> > plain text document attachment (audit2allow.patch)
> > --- nsapolicycoreutils/audit2allow/audit2allow 2008-01-23 16:47:07.000000000 \
> > -0500
> > +++ policycoreutils-2.0.37/audit2allow/audit2allow 2008-01-23 17:15:21.000000000 \
> > -0500 @@ -19,7 +19,6 @@
> > #
> >
> > import sys
> > -import tempfile
> >
> > import sepolgen.audit as audit
> > import sepolgen.policygen as policygen
> > @@ -153,9 +152,9 @@
> >
> > def __process_input(self):
> > if self.__options.type:
> > - filter = audit.TypeFilter(self.__options.type)
> > - self.__avs = self.__parser.to_access(filter)
> > - self.__selinux_errs = self.__parser.to_role(filter)
> > + avcfilter = audit.TypeFilter(self.__options.type)
> > + self.__avs = self.__parser.to_access(avcfilter)
> > + self.__selinux_errs = self.__parser.to_role(avcfilter)
> > else:
> > self.__avs = self.__parser.to_access()
> > self.__selinux_errs = self.__parser.to_role()
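Review bot: the rename from `filter` to `avcfilter` in `__process_input` is the correct fix for the pychecker warning, since `filter` shadows the Python builtin of the same name; the variable is local to the `if` branch and both `to_access` and `to_role` receive the same object as before, so there is no behaviour change.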
> > @@ -221,13 +220,14 @@
> > def __output_audit2why(self):
> > import selinux
> > import selinux.audit2why as audit2why
> > + import seobject
> > audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), \
> > selinux.security_policyvers())) for i in self.__parser.avc_msgs:
> > rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), \
> > i.tclass, i.accesses) if rc >= 0:
> > print "%s\n\tWas caused by:" % i.message
> > if rc == audit2why.NOPOLICY:
> > - raise "Must call policy_init first"
> > + raise RuntimeError("Must call policy_init first")
> > if rc == audit2why.BADTCON:
> > print "Invalid Target Context %s\n" % i.tcontext
> > continue
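Review bot: replacing `raise "Must call policy_init first"` with `raise RuntimeError(...)` is a real correctness fix rather than cleanup: a string exception cannot be caught by an `except` clause that names an exception class, so any caller of `__output_audit2why` handling errors by type would have let the old one through; the identical substitution for BADCOMPUTE in the next hunk is right for the same reason. Two follow-ups: the NOPOLICY message still tells the user to call `policy_init`, while the call made a few lines above is `audit2why.init(...)`, so the text could be aligned with the actual function name; and the new `import seobject` sits with the other local imports, which keeps the semanage dependency off the default code path, but it should be confirmed that the semanage module directory is on `sys.path` wherever audit2allow is installed, otherwise the `-w`/audit2why path fails with an ImportError at runtime.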
> > @@ -241,7 +241,7 @@
> > print "Invalid permission %s\n" % i.accesses
> > continue
> > if rc == audit2why. BADCOMPUTE:
> > - raise "Error during access vector computation"
> > + raise RuntimeError("Error during access vector computation")
> > if rc == audit2why.ALLOW:
> > print "\t\tUnknown - would be allowed by active policy\n",
> > print "\t\tPossible mismatch between this policy and the one under which the \
> > audit message was generated.\n" @@ -251,12 +251,14 @@
> > if len(bools) > 1:
> > print "\tOne of the following booleans was set incorrectly."
> > for b in bools:
> > - print "\n\tBoolean %s is %d. Allow access by \
> > executing:" % (b[0], not b[1])
> > - print "\t# setsebool -P %s %d" % (b[0], b[1])
> > + print "\n\tBoolean %s is %d." % (b[0], not b[1])
>
> Here you have "not b[1]".
>
> > + print "\tDescription:\n\t%s\n" % \
> > seobject.boolean_desc(b[0]) + print "\tAllow access by \
> > executing:\n\t# setsebool -P %s %d" % (b[0], b[1]) else:
> > - print "\tThe boolean %s was set incorrectly. Allow \
> > access by executing:" % bools[0][0]
> > - print "\t# setsebool -P %s %d\n" % (bools[0][0], \
> > bools[0][1])
> > -
> > + print "\tThe boolean %s set incorrectly. " % \
> > (bools[0][0]) + print "\n\tBoolean %s is %d." % \
> > (bools[0][0], bools[0][1])
>
> Here you have "bools[0][1]".
>
> Should that be negated too (looks like it - I get the wrong output in
> running it on sample avc messages)? But what's the point of even doing
> that if we are just displaying the negation of what we are going to tell
> them to pass to setsebool, and since we've already told them it is
> wrong?
I'm just going to drop the "Boolean is ..." lines altogether, since
the rest of the message tells them it is incorrect, what it means and
what command to execute.
>
> > + print "\tDescription:\n\t%s\n" % \
> > seobject.boolean_desc(bools[0][0]) + print "\tAllow access \
> > by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1]) continue
> >
> > if rc == audit2why.TERULE:
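Review bot: in the single-boolean branch the new text `"\tThe boolean %s set incorrectly. "` has lost the verb that the removed line had ("was set incorrectly"), and the value it prints is `bools[0][1]` while the multi-boolean loop above prints `not b[1]`, so the two branches disagree about what "Boolean %s is %d" means; dropping the "Boolean ... is ..." lines from both branches, as proposed in the reply, removes the inconsistency and the grammar problem together. Separately, `seobject.boolean_desc()` returns the boolean's own name when no description is known (see the seobject.py hunk below), so the "Description:" line would then merely repeat the name on its own line; consider printing it only when the description differs from the boolean name.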
> > --- nsapolicycoreutils/semanage/seobject.py 2007-12-10 21:42:27.000000000 -0500
> > +++ policycoreutils-2.0.37/semanage/seobject.py 2008-01-23 17:13:45.000000000 \
> > -0500 @@ -117,6 +117,12 @@
> > #print _("Failed to translate booleans.\n%s") % e
> > pass
> >
> > +def boolean_desc(boolean):
> > + if boolean in booleans_dict:
> > + return _(booleans_dict[boolean][2])
> > + else:
> > + return boolean
> > +
> > def validate_level(raw):
> > sensitivity = "s[0-9]*"
> > category = "c[0-9]*"
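Review bot: lifting `boolean_desc` to module level so audit2allow can call it without instantiating the class that owns `get_desc` is sensible, but it reads the module-level `booleans_dict`, which the `except` just above this hunk leaves silently empty on failure (the error print is commented out and the handler is `pass`); in that case every caller gets the bare boolean name back with no way to tell "no description exists" from "translation failed". A docstring stating the fallback behaviour would help, and if the failed-translation case matters to audit2allow's output, returning `None` or an empty string rather than the name would let callers distinguish it.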
> > @@ -1456,10 +1462,7 @@
> > return ddict
> >
> > def get_desc(self, boolean):
> > - if boolean in booleans_dict:
> > - return _(booleans_dict[boolean][2])
> > - else:
> > - return boolean
> > + return boolean_desc(boolean)
> >
> > def get_category(self, boolean):
> > if boolean in booleans_dict:
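Review bot: `get_desc` now delegates to the module-level `boolean_desc` with identical behaviour, so this hunk is a pure deduplication and is fine as is; `get_category` immediately below still open-codes the same `boolean in booleans_dict` lookup, so the same refactor could be applied there for consistency.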
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.