From 628bcc69e23d96cec308bae5c70bebdeebeeeecc Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Wed, 12 Sep 2012 14:57:53 -0400 Subject: [PATCH] policycoreutils: sepolgen: return and output constraint violation information update sepolgen to return constraint violation information. Then output that information in audit2allow. Signed-off-by: Eric Paris --- policycoreutils/audit2allow/audit2allow | 14 ++++++++------ sepolgen/src/sepolgen/access.py | 6 +++--- sepolgen/src/sepolgen/audit.py | 22 ++++++++++++++++------ sepolgen/src/sepolgen/policygen.py | 8 +++++--- sepolgen/src/sepolgen/refpolicy.py | 4 ++-- 5 files changed, 34 insertions(+), 20 deletions(-) diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow index e9d5882c..8e0c3965 100644 --- a/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow @@ -236,7 +236,7 @@ class AuditToPolicy: import seobject for i in self.__parser.avc_msgs: rc = i.type - bools = i.bools + data = i.data if rc >= 0: print "%s\n\tWas caused by:" % i.message if rc == audit2why.ALLOW: @@ -250,15 +250,15 @@ class AuditToPolicy: print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n" continue if rc == audit2why.BOOLEAN: - if len(bools) > 1: + if len(data) > 1: print "\tOne of the following booleans was set incorrectly." - for b in bools: + for b in data: print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0]) print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]) else: - print "\tThe boolean %s was set incorrectly. " % (bools[0][0]) - print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0]) - print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1]) + print "\tThe boolean %s was set incorrectly. " % (data[0][0]) + print "\tDescription:\n\t%s\n" % seobject.boolean_desc(data[0][0]) + print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]) continue if rc == audit2why.TERULE: @@ -270,6 +270,8 @@ class AuditToPolicy: print "\t\tPolicy constraint violation.\n" print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n" print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n" + for reason in data: + print "\t\tNote: Possible cause is the source and target %s differ\n" % reason continue if rc == audit2why.RBAC: diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py index 649735f5..cf132104 100644 --- a/sepolgen/src/sepolgen/access.py +++ b/sepolgen/src/sepolgen/access.py @@ -87,7 +87,7 @@ class AccessVector: self.perms = refpolicy.IdSet() self.audit_msgs = [] self.type = audit2why.TERULE - self.bools = [] + self.data = [] # The direction of the information flow represented by this # access vector - used for matching @@ -256,7 +256,7 @@ class AccessVectorSet: for av in l: self.add_av(AccessVector(av)) - def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]): + def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]): """Add an access vector to the set. """ tgt = self.src.setdefault(src_type, { }) @@ -269,7 +269,7 @@ class AccessVectorSet: access.src_type = src_type access.tgt_type = tgt_type access.obj_class = obj_class - access.bools = bools + access.data = data access.type = avc_type cls[obj_class, avc_type] = access diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py index 9e2ccee7..73c60f6b 100644 --- a/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/audit.py @@ -173,7 +173,6 @@ class AVCMessage(AuditMessage): self.accesses = [] self.denial = True self.type = audit2why.TERULE - self.bools = [] def __parse_access(self, recs, start): # This is kind of sucky - the access that is in a space separated @@ -241,10 +240,12 @@ class AVCMessage(AuditMessage): tcontext = self.tcontext.to_string() scontext = self.scontext.to_string() access_tuple = tuple( self.accesses) + self.data = [] + if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys(): - self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)] + self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)] else: - self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); + self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses); if self.type == audit2why.NOPOLICY: self.type = audit2why.TERULE if self.type == audit2why.BADTCON: @@ -258,7 +259,16 @@ class AVCMessage(AuditMessage): if self.type == audit2why.BADCOMPUTE: raise ValueError("Error during access vector computation") - avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools) + if self.type == audit2why.CONSTRAINT: + self.data = [] + if self.scontext.user != self.tcontext.user: + self.data.append("user") + if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r": + self.data.append("role") + if self.scontext.level != self.tcontext.level: + self.data.append("level") + + avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data) class PolicyLoadMessage(AuditMessage): """Audit message indicating that the policy was reloaded.""" @@ -507,10 +517,10 @@ class AuditParser: if avc_filter: if avc_filter.filter(avc): av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc, avc_type=avc.type, bools=avc.bools) + avc.accesses, avc, avc_type=avc.type, data=avc.data) else: av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc, avc_type=avc.type, bools=avc.bools) + avc.accesses, avc, avc_type=avc.type, data=avc.data) return av_set class AVCTypeFilter: diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py index c3d665c4..cc9f8ea0 100644 --- a/sepolgen/src/sepolgen/policygen.py +++ b/sepolgen/src/sepolgen/policygen.py @@ -166,14 +166,16 @@ class PolicyGenerator: rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" if av.type == audit2why.BOOLEAN: - if len(av.bools) > 1: - rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools)) + if len(av.data) > 1: + rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data)) else: - rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0] + rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0] if av.type == audit2why.CONSTRAINT: rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n" rule.comment += "#Constraint rule: " + for reason in av.data: + rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason try: if ( av.type == audit2why.TERULE and diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py index b138e3d6..7ce8f9d2 100644 --- a/sepolgen/src/sepolgen/refpolicy.py +++ b/sepolgen/src/sepolgen/refpolicy.py @@ -799,7 +799,7 @@ class Require(Leaf): self.types = IdSet() self.obj_classes = { } self.roles = IdSet() - self.bools = IdSet() + self.data = IdSet() self.users = IdSet() def add_obj_class(self, obj_class, perms): @@ -816,7 +816,7 @@ class Require(Leaf): s.append("\tclass %s %s;" % (obj_class, perms.to_space_str())) for role in self.roles: s.append("\trole %s;" % role) - for bool in self.bools: + for bool in self.data: s.append("\tbool %s;" % bool) for user in self.users: s.append("\tuser %s;" % user)