From 0ea11e731507b2b6abfc924405a7f1bedc900b5c Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 6 Mar 2012 10:43:22 -0500
Subject: [PATCH] sepolgen: Make use of setools optional within sepolgen

We still want to be able to use sepolgen even if setools isn't installed. Degrade functionality, but still work if it can't be found.

Signed-off-by: Eric Paris
Acked-by: Dan Walsh
---
 policycoreutils/semanage/seobject.py | 7 +++++-
 sepolgen/src/sepolgen/policygen.py | 37 +++++++++++++++-------------
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 97451028..e20d35ba 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -379,7 +379,12 @@ class permissiveRecords(semanageRecords):
 return l

 def list(self, heading = 1, locallist = 0):
- import setools
+ try:
+ import setools
+ except:
+ print "only able to list permissive types when setools is installed"
+ return
+
 all = map(lambda y: y["name"], filter(lambda x: x["permissive"], setools.seinfo(setools.TYPE)))
 if len(all) == 0:
 return
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 48829994..c3d665c4 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -30,7 +30,10 @@ import access
 import interfaces
 import matching
 import selinux.audit2why as audit2why
-from setools import *
+try:
+ from setools import *
+except:
+ pass

 # Constants for the level of explanation from the generation
 # routines
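Review bot: The bare `except:` around `import setools` catches every exception, so a setools package that is installed but fails to import for some other reason (or a `KeyboardInterrupt` arriving during the import) is reported as "not installed" and `list` returns silently; narrow it to `except ImportError:`. The message is also printed to stdout together with the listing itself, so anything parsing the listing output receives it as data; `print >>sys.stderr, "only able to list permissive types when setools is installed"` keeps it separate, assuming `sys` is already imported in seobject.py (the import block is outside this hunk). The same bare `except:` pattern appears in both policygen.py hunks. The body of `list` continues past the end of the hunk.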
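Review bot: `except: pass` around `from setools import *` records nothing about the failure, so `seinfo`, `sesearch`, `ATTRIBUTE`, `TCONTEXT` and the other star-imported names are simply unbound and every later use raises `NameError`, which the second policygen.py hunk then conceals with another bare `except: pass`. Catching only `ImportError` and setting an explicit module flag — for example (constructed name) `HAVE_SETOOLS = True` after the import and `except ImportError: HAVE_SETOOLS = False` — lets the rule-comment code in the second hunk test the flag and skip the `sesearch` lookup deliberately instead of relying on a swallowed exception. As written, the bare clause also hides any failure raised from inside setools itself, which deserves at least a warning rather than silence.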
@@ -172,23 +175,23 @@ class PolicyGenerator:
 rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
 rule.comment += "#Constraint rule: "

- if av.type == audit2why.TERULE:
- if "write" in av.perms:
- if "dir" in av.obj_class or "open" in av.perms:
- if not self.domains:
- self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
- types=[]
+ try:
+ if ( av.type == audit2why.TERULE and
+ "write" in av.perms and
+ ( "dir" in av.obj_class or "open" in av.perms )):
+ if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[]

- try:
- for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
- if i not in self.domains:
- types.append(i)
- if len(types) == 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
- elif len(types) >= 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
- except:
- pass
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ except:
+ pass

 self.module.children.append(rule)