Commit Graph

95 Commits

Author SHA1 Message Date
Petr Lautrbach
7bd95d71f1 policycoreutils: Comment constraint rules in audit2allow and sepolgen output
Constraint rules in output need to be commented in order to make a policy
compilable.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1155974

Patch-by: Miroslav Grepl <mgrepl@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-07-31 11:16:00 -04:00
Stephen Smalley
2202a68d5a Updated sepolgen ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-07-16 13:11:14 -04:00
Robert Kuska
a280b06dd9 sepolgen: Edit tests so they pass even on Python3 where hash is random.
By default in Python3 hash uses random seed as salt, this leads to
different order in output from functions which rely on hash as are
dicts and sets. Tests in sepolgen relied on the frozen order.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:03 -04:00
Robert Kuska
a9fb9053f7 sepolgen: Close files after reading/writing in tests.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:03 -04:00
Robert Kuska
15a7553d22 sepolgen: Apply fixes discovered by 2to3 where needed.
Replace usage of print statement with print function.
Use `in` instead of `has_key` when checking for key in dict.
When using `raise` add text (if any) as parameter of exception function.
Add Python3 imports of moved modules.
Replace `map` with list comprehension.
Use reserved word `as` in try-except when catching exception.
Replace `ifilter` function with `filter`.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:03 -04:00
Robert Kuska
c2ecb8e3ec sepolgen: Replace usage of xrange inside of tests.
xrange function is gone in Python3 and instead range is
xrange by default. Also it doesnt seem to be important
to have xrange used in tests on Python2.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Robert Kuska
2747dfb880 sepolgen: Replace usage of attributes of types module
In Python3 all strings are by default Unicode and both Unicode and String
types are removed from types module. We introduce separate
variables `bytes_type` and `string_type` to reflect Python3 understanding
of strings, on Python2 `bytes_type` refers to <str> and `string_type` to
<unicode>, on Python3 `bytes_type` are <bytes> and `string_type` <str>.
As all strings are Unicodes by default on Python3 we encode them to
bytes when needed as late as possible.

Also other attributes were replaced with their equivalents from
builtins which are available for both Python3 and Python2.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Robert Kuska
aa903a27ba sepolgen: Replace usage of __cmp__ with rich comparison.
In Python3 the __cmp__ function is removed, and rich
comparison should be used instead.
Also the cmp function is gone in Python3 therefore it is
reimplemented in util.py and used if running on Python3.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Robert Kuska
aee172010a sepolgen: Unicode-objects must be encoded before hashing.
sha256 hash operates with bytes and in Python3 all strings are unicode
by default, we must encode the data before hashing to ensure they
are bytes in Python3

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Robert Kuska
788f5dba54 sepolgen: Use sort function with key parameter.
Since Python 2.4 .sort() as well as the new sorted() function
take a key parameter which should be a function that returns
a sorting key.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Robert Kuska
467c2a45b9 sepolgen: Replace func_code calls with __code__.
In Python 3, special function attributes have been
renamed for consistency with other attributes.
__code__ attribute is also present in py2.7 and py2.6

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Robert Kuska
fd00e882c4 sepolgen: Use relative imports for modules within sepolgen.
Python 3 changes the syntax for imports from within a package,
requiring you to use the relative import syntax,
saying from . import mymodule instead of the just import mymodule.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Robert Kuska
e25d39addc sepolgen: Replace deprecated *Equals functions in tests
Also remove usage of cmp in tests as cmp is removed in Python3

Signed-off-by: Robert Kuska <rkuska@redhat.com>
2015-07-16 13:06:02 -04:00
Stephen Smalley
3057bcf6a0 Update ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-18 08:37:10 -04:00
Daniel De Graaf
f029067709 libsepol, checkpolicy: add device tree ocontext nodes to Xen policy
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
2015-03-18 08:16:44 -04:00
Steve Lawrence
f0c9966f88 Bump to final release 2015-02-02 09:38:10 -05:00
Steve Lawrence
823ebc8c6b Bump to release candidate 7 2014-12-03 10:06:26 -05:00
Steve Lawrence
07e75a9cc7 Bump to release candidate 6 2014-11-12 08:30:15 -05:00
Steve Lawrence
d1db56c52b Bump to release candidate 5 2014-10-29 11:01:03 -04:00
Steve Lawrence
6280387034 Bump to release candidate 4 2014-10-06 15:03:24 -04:00
Steve Lawrence
ff5bbe6dcf Bump VERSION/ChangeLog for release candidate 3
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 10:16:34 -04:00
Nicolas Iooss
e4d693ae87 Use $(PYTHON) instead of "python" in every Makefile
This fixes the build with "make PYTHON=python2" on systems where python
is python3.

For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4.  For each of them, these commands print the expected result:

    python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'"
    python -c "from distutils.sysconfig import *;print(get_python_lib(1))"

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:49 -04:00
Steve Lawrence
213c3189d0 Bump versions for r2
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-27 11:47:04 -04:00
Steve Lawrence
8f9d3a7c95 Fix typos in ChangeLog and Versions 2014-08-26 14:20:48 -04:00
Steve Lawrence
79fd2d06ab Bump versions and update ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 09:48:54 -04:00
Steve Lawrence
8b4fb2d2de sepolgen: remove unnecessary grammar in interface call param list
The addition of this rule caused interface vectors to be less accurate.
The grammar looks correct without the rule, so remove it.

Reverted hunk from commit 17cc87e56b

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-08-26 07:59:08 -04:00
Stephen Smalley
75fdea94bb Bump version for bug fix to sepolgen-ifgen.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-31 10:13:10 -04:00
Dan Walsh
bbf72baca1 Add back attributes flag to fix exception crash. 2013-10-31 10:11:20 -04:00
Stephen Smalley
7c4bb77999 Version bump for release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-30 12:45:19 -04:00
Stephen Smalley
8e5d465335 Update ChangeLog files.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-30 12:42:05 -04:00
Dan Walsh
cde05f3b61 Have sepolgen return additional constraint information 2013-10-29 08:49:52 -04:00
Dan Walsh
579236d30a Fix line spacing on audit2allow output 2013-10-29 08:49:52 -04:00
Dan Walsh
4a674abd34 Return the sections of the source and target context that differ
Help the administrator/policy developer to see what parts of the label are different.

For example if you get a constraint violation and the role of the source and target
differ, audit2allow will suggest this might be the problem.
2013-10-29 08:49:52 -04:00
Stephen Smalley
a08010023b Update ChangeLogs and bump VERSIONs to an intermediate value.
2.1.99 is just a placeholder to distinguish it from the prior release.
2.2 will be the released version.  Switching to 2-component versions.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-25 15:14:23 -04:00
Stephen Smalley
56258807ea Revert "Richard Haines patch that allows us discover constraint violation information"
This reverts commit 56b49ab711.

Conflicts:
	libselinux/src/audit2why.c
2013-10-25 13:53:03 -04:00
Stephen Smalley
07e8f316da Fix sepolgen test case.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-25 12:54:04 -04:00
Dan Walsh
8137b9392c Fix test matching to use proper constants 2013-10-24 13:58:38 -04:00
Dan Walsh
17cc87e56b sepolgen did not work with filename transitions.
This patch adds support for it.
2013-10-24 13:58:38 -04:00
Dan Walsh
3223746ba8 fix bug in calls to attributes 2013-10-24 13:58:38 -04:00
Dan Walsh
56b49ab711 Richard Haines patch that allows us discover constraint violation information
Basically we need this information to allow audit2allow/audit2why to better
describe which constraint is being broken.
2013-10-24 13:58:37 -04:00
Eric Paris
e9410c9b06 VERSION BUMP FOR UPSTREAM PUSH 2013-02-05 20:22:02 -05:00
Miroslav Grepl
3dd13f7d08 sepolgen: understand role attributes
Parse and handle role attributes in sepolgen.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-05 20:14:47 -05:00
Laurent Bigonville
7b3a9a30eb sepolgen: Use refpolicy_makefile() instead of hardcoding Makefile path
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-05 20:14:47 -05:00
rhatdan
a2a50eaaec sepolgen: audit.py: Handle times in foreign locals for audit2allow -b
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2013-02-05 20:14:40 -05:00
Eric Paris
8638197342 Version bumps for upstream push 2012-09-13 10:33:58 -04:00
Eric Paris
a8a36f88c2 sepolgen: audit2allow: one role/type pair per line
audit2allow was generating rules which would not compile.  We can only
do one per line, not tons of types at one time.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 20:57:24 -04:00
Eric Paris
628bcc69e2 policycoreutils: sepolgen: return and output constraint violation information
update sepolgen to return constraint violation information.  Then output
that information in audit2allow.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 15:08:56 -04:00
Dan Walsh
065e5d3149 sepolgen: Allow returning of bastard matches
Return low quality matches as well as high quality matches.  Sometimes
we just want the crap with the sugar.

Signed-off-by: Eric Paris <eparis@redhat.com>
2012-09-12 12:16:19 -04:00
Eric Paris
f05a71b92d Version bumps for upstream push 2012-06-28 14:02:29 -04:00
Dan Walsh
0eed03e756 checkpolicy: sepolgen: We need to support files that have a + in them
Filenames can have a +, so we should be able to parse and handle those
files.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-06-28 13:29:24 -04:00