The addition of this rule caused interface vectors to be less accurate.
The grammar looks correct without the rule, so remove it.
Reverted hunk from commit 17cc87e56b
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Help the administrator/policy developer to see what parts of the label are different.
For example if you get a constraint violation and the role of the source and target
differ, audit2allow will suggest this might be the problem.
2.1.99 is just a placeholder to distinguish it from the prior release.
2.2 will be the released version. Switching to 2-component versions.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
audit2allow was generating rules which would not compile. We can only
do one per line, not tons of types at one time.
Signed-off-by: Eric Paris <eparis@redhat.com>
Return low quality matches as well as high quality matches. Sometimes
we just want the crap with the sugar.
Signed-off-by: Eric Paris <eparis@redhat.com>
Filenames can have a +, so we should be able to parse and handle those
files.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We still want to be able to use sepolgen even if setools isn't
installed. Degrade functionality, but still work if it can't be found.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwlash@redhat.com>
I am running into an issue with sepolgen. Debian ships more
than one version of the refpolicy, a default one, and a MLS enabled
one. So, the include files live in either
/usr/share/selinux/{default,mls}/include. sepolgen (in
src/sepolgen/defaults.py) sets refpolicy_devel() to a single
location -- and thus, only one version of the security policy may be
supported. So, sepolgen-ifgen from policycoreutils can only work
with one policy, which may not be the one installed on the target
machine. Could this be made configurable, somehow? As far as I can
see, sepolgen's python library does not offer any way to set the
value. This change fixes that. Now you may set the path to look for
development headers in /etc/selinux/sepolgen.conf, in the variable
SELINUX_DEVEL_PATH. The builtin default will have it work on Debian
and Fedora machines out of the box.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
FIPS does not allow md5 as a valid algorithm. Although we don't really
care about cryptographic strength, since the algorithm isn't allowed to
be used at all, use something strong, like sha256.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If you pass output from a log file that does not include any AVCs,
audit2allow will crash. This patch fixes this problem.
ausearch -m avc -ts recent | audit2allow
If there were no AVCs recently, we do not want the python to crash.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
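The two behaviours described in these commit messages, showing which parts of the source and target label differ on an AVC and not crashing when the piped input contains no AVCs, as an added illustration that is not sepolgen's or audit2allow's own code. The audit lines are constructed, and the simplified regular expression (assumption) only handles the `avc: denied` record layout shown in them.

```python
import re
from typing import Dict, List

# Constructed sample input: one unrelated SYSCALL record and two AVC denials.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1360000000.123:456): arch=c000003e syscall=2 success=no
type=AVC msg=audit(1360000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1360000000.456:789): avc:  denied  { transition } for  pid=2345 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process
"""

# Simplified AVC matcher (assumption): permissions, both contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s.*?tcontext=(?P<tcontext>\S+)\s.*?tclass=(?P<tclass>\S+)"
)

# A security context is user:role:type[:level]; the MLS level may itself contain colons.
LABEL_FIELDS = ("user", "role", "type", "level")

def parse_avcs(text: str) -> List[Dict[str, object]]:
    """Return one dict per AVC denial. Input with no AVCs yields [] instead of failing."""
    avcs: List[Dict[str, object]] = []
    for line in text.splitlines():
        if "avc:" not in line:
            continue
        m = AVC_RE.search(line)
        if m is None:
            continue  # a malformed AVC line is skipped rather than aborting the run
        record: Dict[str, object] = dict(m.groupdict())
        record["perms"] = str(record["perms"]).split()
        avcs.append(record)
    return avcs

def split_label(ctx: str) -> Dict[str, str]:
    """Split a context into named fields; maxsplit keeps an MLS range intact in 'level'."""
    return dict(zip(LABEL_FIELDS, ctx.split(":", 3)))

def label_differences(scontext: str, tcontext: str) -> List[str]:
    """Names of the label fields that differ between source and target (e.g. ['role'])."""
    s, t = split_label(scontext), split_label(tcontext)
    return [f for f in LABEL_FIELDS if s.get(f) != t.get(f)]

def summarize(text: str) -> List[str]:
    """One line per denial naming the differing fields; empty input gives an empty list."""
    out = []
    for avc in parse_avcs(text):
        diff = label_differences(str(avc["scontext"]), str(avc["tcontext"]))
        perms = " ".join(avc["perms"])  # type: ignore[arg-type]
        out.append(f"{avc['tclass']} {{ {perms} }}: source/target differ in {', '.join(diff) or 'nothing'}")
    return out
```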
Combine analysis of audit2why into audit2allow, so users can see if a
boolean would solve an AVC or if it is a constraint violation, rather
than blindly adding allow rules to modules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We already allow this in policy, so allow it in sepolgen as well.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
During Rawhide releases we change all "unconfined_domains" to
permissive domains in order to find new AVC messages without breaking
rawhide boxes. The way we do this is changing the unconfined_domain
interface and putting permissive $1; in it. sepolgen does not like
this and blows up the build. This patch tells sepolgen to ignore the
permissive in an interface.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Change the default "make" target for the libraries from "install" to
"all" in the makefiles.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Module names must begin with a letter, optionally followed by letters,
numbers, "-", "_", "."; some of these were being denied.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This patch allows audit2allow to do analysis on the AVCs to see if a
boolean would have solved the problem or if the AVC is caused by a
constraint.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch adds open to sepolgen checks and resets the priorities to
get better matches on AVCs.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The parser cannot handle the new format of filename_trans rules. Nor
can it handle the " now used. Add support for both.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Bump checkpolicy to 2.1.0
Bump libselinux to 2.1.0
Bump libsepol to 2.1.0
Bump libsemanage to 2.1.0
Bump policycoreutils to 2.1.0
Bump sepolgen to 1.1.0