Commit Graph

13 Commits

Author SHA1 Message Date
Joshua Brindle 32cf5d539b bump checkpolicy to 2.0.21, libselinux to 2.0.90 and sepolgen to 1.0.19 2009-11-27 15:03:02 -05:00
Stephen Smalley a3ccf607a2 policycoreutils: audit2allow -l doesn't work with dmesg pipe
On Mon, 2009-08-24 at 23:37 +1000, Russell Coker wrote:
> On Mon, 24 Aug 2009, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503252
> > >>
> > >> audit2allow -l is looking for the load_policy message which does not go
> > >> to the dmesg, /var/log/messages.  Therefore the tool has no idea when
> > >> policy was last loaded.
> > >
> > > That would be a kernel bug then.
> >
> > Well I believe the messages that are intercepted by the audit.log do not go
> > into dmesg, by design. Although Steve, James or Eric could probably say for
> > sure.
>
> When auditd is not running on a Debian system with CentOS kernel
> 2.6.18-92.1.13.el5xen or Debian/Lenny kernel 2.6.26-2-xen-686 then nothing
> goes to the kernel message log which is interpreted by audit2allow as a
> candidate for the "-l" functionality.
>
> It's OK if all the AVC messages go to the audit log and "dmesg|audit2allow -l"
> gives no output.  But if all AVC messages other than the load_policy message
> go to the kernel message log then it's a bug.

Originally audit2allow used the avc: allowed message generated by
auditallow statement for load_policy to identify policy reloads.  Later
it was switched to use the MAC_POLICY_LOAD events generated by the audit
framework.  Those events should still get logged via printk if auditd is
not running, but it appears that the code (audit_printk_skb) will then
log the type= field as an integer rather than a string, and
audit2allow/sepolgen only looks for the string MAC_POLICY_LOAD.

So I suspect that this would be resolved by modifying sepolgen/audit.py
to also match on type=1403 for load messages.  Try this:

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-11-27 13:33:52 -05:00
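To illustrate the mismatch described in the commit message above, here is an added example (not the patch the message refers to, and not code from sepolgen or audit2allow): a small Python filter that recognizes a policy-load record by either spelling of the type field and keeps only the AVC denials logged after the most recent load, which is what `audit2allow -l` is meant to do. The log lines are constructed samples, and the regexes are assumptions about the record layout rather than sepolgen's own patterns.

```python
import re

# With auditd running the audit framework writes type=MAC_POLICY_LOAD to
# audit.log; when the same record is emitted via printk (auditd not running)
# the type is logged as its numeric value. 1403 is the value the commit
# message names for MAC_POLICY_LOAD.
LOAD_RE = re.compile(r"\btype=(MAC_POLICY_LOAD|1403)\b")
AVC_RE = re.compile(r"\bavc:\s+denied\b")


def is_policy_load(line):
    """True if the record marks a policy (re)load, in either spelling."""
    return LOAD_RE.search(line) is not None


def avc_since_last_load(lines):
    """Keep only AVC denials that follow the last policy load in the input.

    Every load marker resets the collected denials, so records that predate
    the current policy are dropped, as audit2allow -l intends.
    """
    kept = []
    for line in lines:
        if is_policy_load(line):
            kept = []
        elif AVC_RE.search(line):
            kept.append(line)
    return kept


# Constructed sample lines (assumed formats, not taken from a real system).
# Kernel-log style: type appears as an integer.
SAMPLE_DMESG = [
    'type=1400 audit(1251149913.123:10): avc:  denied  { read } for  pid=1234 comm="foo"',
    "type=1403 audit(1251149920.456:11): policy loaded auid=0 ses=1",
    'type=1400 audit(1251149930.789:12): avc:  denied  { write } for  pid=1235 comm="bar"',
]
# auditd style: type appears as a symbolic name.
SAMPLE_AUDITD = [
    'type=AVC msg=audit(1251149913.123:10): avc:  denied  { read } for  pid=1234 comm="foo"',
    "type=MAC_POLICY_LOAD msg=audit(1251149920.456:11): policy loaded auid=0 ses=1",
    'type=AVC msg=audit(1251149930.789:12): avc:  denied  { write } for  pid=1235 comm="bar"',
]

if __name__ == "__main__":
    for line in avc_since_last_load(SAMPLE_DMESG):
        print(line)
```

Matching only the string form would leave the kernel-log sample with no recognized load marker, so both denials would be reported; matching either form keeps only the denial that follows the reload.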
Joshua Brindle f3c3bbd16a bump checkpolicy to 2.0.20, libsepol to 2.0.39, sepolgen to 1.0.18 2009-10-14 15:54:16 -04:00
pjnuzzi 6341f6a492 sepolgen: Add support for multiple target OSes
Add support to sepolgen for new Xen ocontext identifiers.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:46:14 -04:00
Joshua Brindle 4fabd7d0d1 bump sepolgen to 1.0.17 2009-05-05 20:20:36 -04:00
Marshall Miller 7e3311a9a7 sepolgen typo fix
Commit b3b3f8186e attempted to fix a bug,
but didn't.  The following patch should do it.

Marshall Miller

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-04-10 17:26:55 -04:00
Joshua Brindle 6ed00ee094 bump sepolgen to 1.0.16 2009-02-17 12:19:32 -05:00
Joshua Brindle fb50c7b4ef Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: sepolgen patch
Date: Tue, 13 Jan 2009 08:59:51 -0500

md5 semodule packages is being retired.  Supposed to use hashlib now.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-16 11:50:33 -05:00
Joshua Brindle a5dfb3abe0 bump sepolgen to 1.0.15 2009-01-12 10:49:36 -05:00
Joshua Brindle b3b3f8186e Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Problem in sepolgen
Date: Mon, 01 Dec 2008 11:51:19 -0500

self.roles does not exist, need to return length of dictionary.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-01-12 10:19:59 -05:00
Joshua Brindle 5214ee3d97 bump policycoreutils to 2.0.56 and sepolgen to 1.0.14 2008-09-07 18:57:50 -04:00
Joshua Brindle ceb5792c21 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Only call gen_requires once.
Date: Thu, 11 Sep 2008 09:35:54 -0400

Currently audit2allow/sepolgen will create two identical gen_requires
blocks if you have allow rules and a role statement.

This patch fixes this problem.

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:48:24 -04:00
Joshua Brindle 13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00