policycoreutils: semanage: update to new source policy infrastructure

- Remove version references
- Use new methods for enabling/disabling modules
- Add support to set priority when adding/removing modules
- Modify module --list output to include priority and language extension
- Update permissiveRecords call to support cil policy

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Signed-off-by: Jason Dana <jdana@tresys.com>
This commit is contained in:
Jason Dana 2013-08-23 10:10:28 -04:00 committed by Steve Lawrence
parent 6d4e8591a3
commit 2ff279e21e
2 changed files with 64 additions and 56 deletions


@ -212,6 +212,9 @@ def handleLogin(args):
def parser_add_store(parser, name): def parser_add_store(parser, name):
parser.add_argument('-S', '--store', action=SetStore, help=_("Select an alternate SELinux Policy Store to manage")) parser.add_argument('-S', '--store', action=SetStore, help=_("Select an alternate SELinux Policy Store to manage"))
def parser_add_priority(parser, name):
parser.add_argument('-P', '--priority', type=int, default=400, help=_("Select a priority for module operations"))
def parser_add_noheading(parser, name): def parser_add_noheading(parser, name):
parser.add_argument('-n', '--noheading', action='store_false', default=True, help=_("Do not print heading when listing %s object types") % name ) parser.add_argument('-n', '--noheading', action='store_false', default=True, help=_("Do not print heading when listing %s object types") % name )
@ -496,13 +499,13 @@ def handleModule(args):
OBJECT = seobject.moduleRecords(store) OBJECT = seobject.moduleRecords(store)
OBJECT.set_reload(args.noreload) OBJECT.set_reload(args.noreload)
if args.action == "add": if args.action == "add":
OBJECT.add(args.module_name) OBJECT.add(args.module_name, args.priority)
if args.action == "enable": if args.action == "enable":
OBJECT.enable(args.module_name) OBJECT.set_enabled(args.module_name, True)
if args.action == "disable": if args.action == "disable":
OBJECT.disable(args.module_name) OBJECT.set_enabled(args.module_name, False)
if args.action == "remove": if args.action == "remove":
OBJECT.delete(args.module_name) OBJECT.delete(args.module_name, args.priority)
if args.action is "deleteall": if args.action is "deleteall":
OBJECT.deleteall() OBJECT.deleteall()
if args.action == "list": if args.action == "list":
@ -517,6 +520,7 @@ def setupModuleParser(subparsers):
parser_add_noreload(moduleParser, "module") parser_add_noreload(moduleParser, "module")
parser_add_store(moduleParser, "module") parser_add_store(moduleParser, "module")
parser_add_locallist(moduleParser, "module") parser_add_locallist(moduleParser, "module")
parser_add_priority(moduleParser, "module")
mgroup = moduleParser.add_mutually_exclusive_group(required=True) mgroup = moduleParser.add_mutually_exclusive_group(required=True)
parser_add_add(mgroup, "module") parser_add_add(mgroup, "module")
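Review bot: The new `-P/--priority` option is registered on the whole module parser, but `handleModule` only forwards `args.priority` for the `add` and `remove` actions; the help text states neither the default (400) nor the accepted range, so a user cannot tell that `--enable -P 100` or `--list -P 100` is silently ignored. Suggest `help=_("Select a priority for module operations (1-999, default 400; used by --add and --remove)")` so the CLI documents the range that seobject enforces on `semanage_set_default_priority`. The adjacent context line `if args.action is "deleteall":` compares strings by identity and should use `==` like its siblings, though that predates this commit. `handleModule` and `setupModuleParser` both continue outside the shown hunks.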


@ -276,20 +276,41 @@ class moduleRecords(semanageRecords):
def get_all(self): def get_all(self):
l = [] l = []
(rc, mlist, number) = semanage_module_list(self.sh) (rc, mlist, number) = semanage_module_list_all(self.sh)
if rc < 0: if rc < 0:
raise ValueError(_("Could not list SELinux modules")) raise ValueError(_("Could not list SELinux modules"))
for i in range(number): for i in range(number):
mod = semanage_module_list_nth(mlist, i) mod = semanage_module_list_nth(mlist, i)
l.append((semanage_module_get_name(mod), semanage_module_get_version(mod), semanage_module_get_enabled(mod)))
rc, name = semanage_module_info_get_name(self.sh, mod)
if rc < 0:
raise ValueError(_("Could not get module name"))
rc, enabled = semanage_module_info_get_enabled(self.sh, mod)
if rc < 0:
raise ValueError(_("Could not get module enabled"))
rc, priority = semanage_module_info_get_priority(self.sh, mod)
if rc < 0:
raise ValueError(_("Could not get module priority"))
rc, lang_ext = semanage_module_info_get_lang_ext(self.sh, mod)
if rc < 0:
raise ValueError(_("Could not get module lang_ext"))
l.append((name, enabled, priority, lang_ext))
# sort the list so they are in name order, but with higher priorities coming first
l.sort(key = lambda t: t[3], reverse=True)
l.sort(key = lambda t: t[0])
return l return l
def customized(self): def customized(self):
all = self.get_all() all = self.get_all()
if len(all) == 0: if len(all) == 0:
return return
return map(lambda x: "-d %s" % x[0], filter(lambda t: t[2] == 0, all)) return map(lambda x: "-d %s" % x[0], filter(lambda t: t[1] == 0, all))
def list(self, heading = 1, locallist = 0): def list(self, heading = 1, locallist = 0):
all = self.get_all() all = self.get_all()
@ -297,51 +318,56 @@ class moduleRecords(semanageRecords):
return return
if heading: if heading:
print "\n%-25s%-10s\n" % (_("Modules Name"), _("Version")) print "\n%-25s %-9s %s\n" % (_("Module Name"), _("Priority"), _("Language"))
for t in all: for t in all:
if t[2] == 0: if t[1] == 0:
disabled = _("Disabled") disabled = _("Disabled")
else: else:
if locallist: if locallist:
continue continue
disabled = "" disabled = ""
print "%-25s%-10s%s" % (t[0], t[1], disabled) print "%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)
def add(self, file): def add(self, file, priority):
if not os.path.exists(file): if not os.path.exists(file):
raise ValueError(_("Module does not exists %s ") % file) raise ValueError(_("Module does not exists %s ") % file)
rc = semanage_set_default_priority(self.sh, priority)
if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
rc = semanage_module_install_file(self.sh, file); rc = semanage_module_install_file(self.sh, file);
if rc >= 0: if rc >= 0:
self.commit() self.commit()
def disable(self, module): def set_enabled(self, module, enable):
need_commit = False
for m in module.split(): for m in module.split():
rc = semanage_module_disable(self.sh, m) rc, key = semanage_module_key_create(self.sh)
if rc < 0 and rc != -3: if rc < 0:
raise ValueError(_("Could not disable module %s (remove failed)") % m) raise ValueError(_("Could not create module key"))
if rc != -3:
need_commit = True
if need_commit:
self.commit()
def enable(self, module): rc = semanage_module_key_set_name(self.sh, key, m)
need_commit = False if rc < 0:
for m in module.split(): raise ValueError(_("Could not set module key name"))
rc = semanage_module_enable(self.sh, m)
if rc < 0 and rc != -3: rc = semanage_module_set_enabled(self.sh, key, enable)
raise ValueError(_("Could not enable module %s (remove failed)") % m) if rc < 0:
if rc != -3: if enable:
need_commit = True raise ValueError(_("Could not enable module %s") % m)
if need_commit: else:
self.commit() raise ValueError(_("Could not disable module %s") % m)
self.commit()
def modify(self, file): def modify(self, file):
rc = semanage_module_update_file(self.sh, file); rc = semanage_module_update_file(self.sh, file);
if rc >= 0: if rc >= 0:
self.commit() self.commit()
def delete(self, module): def delete(self, module, priority):
rc = semanage_set_default_priority(self.sh, priority)
if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
for m in module.split(): for m in module.split():
rc = semanage_module_remove(self.sh, m) rc = semanage_module_remove(self.sh, m)
if rc < 0 and rc != -2: if rc < 0 and rc != -2:
@ -350,7 +376,7 @@ class moduleRecords(semanageRecords):
self.commit() self.commit()
def deleteall(self): def deleteall(self):
l = map(lambda x: x[0], filter(lambda t: t[2] == 0, self.get_all())) l = map(lambda x: x[0], filter(lambda t: t[1] == 0, self.get_all()))
for m in l: for m in l:
self.enable(m) self.enable(m)
@ -410,34 +436,12 @@ class permissiveRecords(semanageRecords):
raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro.")) raise ValueError(_("The sepolgen python module is required to setup permissive domains.\nIn some distributions it is included in the policycoreutils-devel patckage.\n# yum install policycoreutils-devel\nOr similar for your distro."))
name = "permissive_%s" % type name = "permissive_%s" % type
dirname = tempfile.mkdtemp("-semanage") modtxt = "(typepermissive %s)" % type
savedir = os.getcwd()
os.chdir(dirname)
filename = "%s.te" % name
modtxt = """
module %s 1.0;
require { rc = semanage_module_install(self.sh, modtxt, len(modtxt), name, "cil");
type %s;
}
permissive %s;
""" % (name, type, type)
fd = open(filename, 'w')
fd.write(modtxt)
fd.close()
mc = module.ModuleCompiler()
mc.create_module_package(filename, 1)
fd = open("permissive_%s.pp" % type)
data = fd.read()
fd.close()
rc = semanage_module_install(self.sh, data, len(data));
if rc >= 0: if rc >= 0:
self.commit() self.commit()
os.chdir(savedir)
shutil.rmtree(dirname)
if rc < 0: if rc < 0:
raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
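Review bot: `deleteall` at the end of the moduleRecords section still calls `self.enable(m)`, but this commit replaces `enable`/`disable` with `set_enabled(module, enable)`, so `semanage module --deleteall` would raise AttributeError unless an `enable` method survives outside the shown hunks; the line should read `self.set_enabled(m, True)`. In `get_all`, the comment says higher priorities should sort first, yet the secondary key is `t[3]`, which per the appended tuple `(name, enabled, priority, lang_ext)` is the language extension; it should be `l.sort(key = lambda t: t[2], reverse=True)`. In `set_enabled`, the key returned by `semanage_module_key_create` is never released and the method now commits even when `module.split()` yields nothing; calling `semanage_module_key_destroy(self.sh, key)` after use and keeping the old `need_commit` guard would preserve the previous behaviour. In `permissiveRecords.add`, the sepolgen-required error at the top of the hunk appears to guard an import the new CIL path no longer uses (`ModuleCompiler`, `tempfile`, `shutil` all drop out), so that `try`/`except ImportError` block, which starts outside the hunk, may be stale. The `delete` method and both class bodies continue outside the hunks.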