From 229214bc80b70d51be4b53a9b1f58c67c2d8d6ad Mon Sep 17 00:00:00 2001 From: Jason Zaman Date: Fri, 19 Aug 2016 11:45:15 +0800 Subject: [PATCH] audit2allow: remove audit2why so it gets symlinked audit2why is supposed to be a symlink to audit2allow. There are instead 2 files in the repo so the makefile has not been replacing audit2why. Signed-off-by: Jason Zaman --- policycoreutils/audit2allow/audit2why | 365 +------------------------- 1 file changed, 1 insertion(+), 364 deletions(-) mode change 100644 => 120000 policycoreutils/audit2allow/audit2why diff --git a/policycoreutils/audit2allow/audit2why b/policycoreutils/audit2allow/audit2why deleted file mode 100644 index b1489eda..00000000 --- a/policycoreutils/audit2allow/audit2why +++ /dev/null @@ -1,364 +0,0 @@ -#! /usr/bin/python -Es -# Authors: Karl MacMillan -# Authors: Dan Walsh -# -# Copyright (C) 2006-2013 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import sys -import os - -import sepolgen.audit as audit -import sepolgen.policygen as policygen -import sepolgen.interfaces as interfaces -import sepolgen.output as output -import sepolgen.objectmodel as objectmodel -import sepolgen.defaults as defaults -import sepolgen.module as module -from sepolgen.sepolgeni18n import _ -import selinux.audit2why as audit2why -import locale -try: - locale.setlocale(locale.LC_ALL, '') -except: - pass - - -class AuditToPolicy: - VERSION = "%prog .1" - SYSLOG = "/var/log/messages" - - def __init__(self): - self.__options = None - self.__parser = None - self.__avs = None - - def __parse_options(self): - from optparse import OptionParser - - parser = OptionParser(version=self.VERSION) - parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False, - help="audit messages since last boot conflicts with -i") - parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, - help="read input from audit log - conflicts with -i") - parser.add_option("-p", "--policy", dest="policy", default=None, help="Policy file to use for analysis") - parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, - help="read input from dmesg - conflicts with --all and --input") - parser.add_option("-i", "--input", dest="input", - help="read input from - conflicts with -a") - parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False, - help="read input only after the last reload") - parser.add_option("-r", "--requires", action="store_true", dest="requires", default=False, - help="generate require statements for rules") - parser.add_option("-m", "--module", dest="module", - help="set the module name - implies --requires") - parser.add_option("-M", "--module-package", dest="module_package", - help="generate a module package - conflicts with -o and -m") - parser.add_option("-o", "--output", dest="output", - help="append output to , conflicts with -M") - parser.add_option("-D", "--dontaudit", action="store_true", - dest="dontaudit", default=False, - help="generate policy with dontaudit rules") - parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", - default=True, help="generate refpolicy style output") - - parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy", - default=False, help="do not generate refpolicy style output") - parser.add_option("-v", "--verbose", action="store_true", dest="verbose", - default=False, help="explain generated output") - parser.add_option("-e", "--explain", action="store_true", dest="explain_long", - default=False, help="fully explain generated output") - parser.add_option("-t", "--type", help="only process messages with a type that matches this regex", - dest="type") - parser.add_option("--perm-map", dest="perm_map", help="file name of perm map") - parser.add_option("--interface-info", dest="interface_info", help="file name of interface information") - parser.add_option("--debug", dest="debug", action="store_true", default=False, - help="leave generated modules for -M") - parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"), - help="Translates SELinux audit messages into a description of why the access was denied") - - options, args = parser.parse_args() - - # Make -d, -a, and -i conflict - if options.audit is True or options.boot: - if options.input is not None: - sys.stderr.write("error: --all/--boot conflicts with --input\n") - if options.dmesg is True: - sys.stderr.write("error: --all/--boot conflicts with --dmesg\n") - if options.input is not None and options.dmesg is True: - sys.stderr.write("error: --input conflicts with --dmesg\n") - - # Turn on requires generation if a module name is given. Also verify - # the module name. - if options.module: - name = options.module - else: - name = options.module_package - if name: - options.requires = True - if not module.is_valid_name(name): - sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n') - sys.exit(2) - - # Make -M and -o conflict - if options.module_package: - if options.output: - sys.stderr.write("error: --module-package conflicts with --output\n") - sys.exit(2) - if options.module: - sys.stderr.write("error: --module-package conflicts with --module\n") - sys.exit(2) - - self.__options = options - - def __read_input(self): - parser = audit.AuditParser(last_load_only=self.__options.lastreload) - - filename = None - messages = None - f = None - - # Figure out what input we want - if self.__options.input is not None: - filename = self.__options.input - elif self.__options.dmesg: - messages = audit.get_dmesg_msgs() - elif self.__options.audit: - try: - messages = audit.get_audit_msgs() - except OSError as e: - sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) - sys.exit(1) - elif self.__options.boot: - try: - messages = audit.get_audit_boot_msgs() - except OSError as e: - sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) - sys.exit(1) - else: - # This is the default if no input is specified - f = sys.stdin - - # Get the input - if filename is not None: - try: - f = open(filename) - except IOError as e: - sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e))) - sys.exit(1) - - if f is not None: - parser.parse_file(f) - f.close() - - if messages is not None: - parser.parse_string(messages) - - self.__parser = parser - - def __process_input(self): - if self.__options.type: - avcfilter = audit.AVCTypeFilter(self.__options.type) - self.__avs = self.__parser.to_access(avcfilter) - csfilter = audit.ComputeSidTypeFilter(self.__options.type) - self.__role_types = self.__parser.to_role(csfilter) - else: - self.__avs = self.__parser.to_access() - self.__role_types = self.__parser.to_role() - - def __load_interface_info(self): - # Load interface info file - if self.__options.interface_info: - fn = self.__options.interface_info - else: - fn = defaults.interface_info() - try: - fd = open(fn) - except: - sys.stderr.write("could not open interface info [%s]\n" % fn) - sys.exit(1) - - ifs = interfaces.InterfaceSet() - ifs.from_file(fd) - fd.close() - - # Also load perm maps - if self.__options.perm_map: - fn = self.__options.perm_map - else: - fn = defaults.perm_map() - try: - fd = open(fn) - except: - sys.stderr.write("could not open perm map [%s]\n" % fn) - sys.exit(1) - - perm_maps = objectmodel.PermMappings() - perm_maps.from_file(fd) - - return (ifs, perm_maps) - - def __output_modulepackage(self, writer, generator): - generator.set_module_name(self.__options.module_package) - filename = self.__options.module_package + ".te" - packagename = self.__options.module_package + ".pp" - - try: - fd = open(filename, "w") - except IOError as e: - sys.stderr.write("could not write output file: %s\n" % str(e)) - sys.exit(1) - - writer.write(generator.get_module(), fd) - fd.close() - - mc = module.ModuleCompiler() - - try: - mc.create_module_package(filename, self.__options.refpolicy) - except RuntimeError as e: - print(e) - sys.exit(1) - - sys.stdout.write(_("******************** IMPORTANT ***********************\n")) - sys.stdout.write((_("To make this policy package active, execute:" + - "\n\nsemodule -i %s\n\n") % packagename)) - - def __output_audit2why(self): - import selinux - import seobject - for i in self.__parser.avc_msgs: - rc = i.type - data = i.data - if rc >= 0: - print("%s\n\tWas caused by:" % i.message) - if rc == audit2why.ALLOW: - print("\t\tUnknown - would be allowed by active policy") - print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n") - print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n") - continue - if rc == audit2why.DONTAUDIT: - print("\t\tUnknown - should be dontaudit'd by active policy") - print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n") - print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n") - continue - if rc == audit2why.BOOLEAN: - if len(data) > 1: - print("\tOne of the following booleans was set incorrectly.") - for b in data: - print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])) - print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])) - else: - print("\tThe boolean %s was set incorrectly. " % (data[0][0])) - print("\tDescription:\n\t%s\n" % seobject.boolean_desc(data[0][0])) - print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1])) - continue - - if rc == audit2why.TERULE: - print("\t\tMissing type enforcement (TE) allow rule.\n") - print("\t\tYou can use audit2allow to generate a loadable module to allow this access.\n") - continue - - if rc == audit2why.CONSTRAINT: - print() # !!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n" - print("#Constraint rule: \n\t" + data[0]) - for reason in data[1:]: - print("#\tPossible cause is the source %s and target %s are different.\n\b" % reason) - - if rc == audit2why.RBAC: - print("\t\tMissing role allow rule.\n") - print("\t\tAdd an allow rule for the role pair.\n") - continue - - audit2why.finish() - return - - def __output(self): - - if self.__options.audit2why: - try: - return self.__output_audit2why() - except RuntimeError as e: - print(e) - sys.exit(1) - - g = policygen.PolicyGenerator() - - g.set_gen_dontaudit(self.__options.dontaudit) - - if self.__options.module: - g.set_module_name(self.__options.module) - - # Interface generation - if self.__options.refpolicy: - ifs, perm_maps = self.__load_interface_info() - g.set_gen_refpol(ifs, perm_maps) - - # Explanation - if self.__options.verbose: - g.set_gen_explain(policygen.SHORT_EXPLANATION) - if self.__options.explain_long: - g.set_gen_explain(policygen.LONG_EXPLANATION) - - # Requires - if self.__options.requires: - g.set_gen_requires(True) - - # Generate the policy - g.add_access(self.__avs) - g.add_role_types(self.__role_types) - - # Output - writer = output.ModuleWriter() - - # Module package - if self.__options.module_package: - self.__output_modulepackage(writer, g) - else: - # File or stdout - if self.__options.module: - g.set_module_name(self.__options.module) - - if self.__options.output: - fd = open(self.__options.output, "a") - else: - fd = sys.stdout - writer.write(g.get_module(), fd) - - def main(self): - try: - self.__parse_options() - if self.__options.policy: - audit2why.init(self.__options.policy) - else: - audit2why.init() - - self.__read_input() - self.__process_input() - self.__output() - except KeyboardInterrupt: - sys.exit(0) - except ValueError as e: - print(e) - sys.exit(1) - except IOError as e: - print(e) - sys.exit(1) - -if __name__ == "__main__": - app = AuditToPolicy() - app.main() diff --git a/policycoreutils/audit2allow/audit2why b/policycoreutils/audit2allow/audit2why new file mode 120000 index 00000000..9cddcf58 --- /dev/null +++ b/policycoreutils/audit2allow/audit2why @@ -0,0 +1 @@ +audit2allow \ No newline at end of file