Commit Graph

70 Commits

Author SHA1 Message Date
Karl MacMillan
bc256454b7 Bump sepolgen to 1.0.22 2010-03-23 09:11:24 -04:00
Karl MacMillan
52f9d9f2ad Sepolgen: improve parser error recovery
Sepolgen has long not recovered from parsing errors, leading to
a blacklist of none bad modules in the source. I finally tracked
down the problem (lexer state) and this patch fixes the problem
by causing the lexer to be rebuilt on error.

Acked-by: Joshua Brindle <jbrindle@tresys.com>
2010-03-23 09:10:20 -04:00
Joshua Brindle
e796cee3f5 bump sepolgen to 1.0.21 2010-03-18 16:52:16 -04:00
Daniel J Walsh
03cd8c2d47 This patch allows audit2allow to look at all avc's since the last time the machine booted.
Acked-by: Karl MacMillan <kmacmillan@tresys.com>
2010-03-18 16:36:22 -04:00
Daniel J Walsh
6688e96767 This simple patch fixes the output of sepolgen to match what Chris expects for upstream policy.
Acked-by: Karl MacMillan <kmacmillan@tresys.com>
2010-03-18 16:35:27 -04:00
Joshua Brindle
b5b2c2c2fe bump policycoreutils to 2.0.81 and sepolgen to 1.0.20 2010-03-12 08:32:38 -05:00
Daniel J Walsh
f509e1e8b9 Audit2allow generating dontaudit rules.
On 03/08/2010 11:11 AM, Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com>  wrote:
>
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
>>
>>
<snip>

Ok this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.

No passing of args.

Acked-by: Karl MacMillan <karlwmacmillan@gmail.com>
2010-03-12 08:30:04 -05:00
Joshua Brindle
32cf5d539b bump checkpolicy to 2.0.21, libselinux to 2.0.90 and sepolgen to 1.0.19 2009-11-27 15:03:02 -05:00
Stephen Smalley
a3ccf607a2 policycoreutils: audit2allow -l doesn't work with dmesg pipe
On Mon, 2009-08-24 at 23:37 +1000, Russell Coker wrote:
> On Mon, 24 Aug 2009, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > >>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503252
> > >>
> > >> audit2allow -l is looking for the load_policy message which does not go
> > >> to the dmesg, /var/log/messages.  Therefore the tool has no idea when
> > >> policy was last loaded.
> > >
> > > That would be a kernel bug then.
> >
> > Well I believe the messages that are intercepted by the audit.log do not go
> > into dmesg, by design. Although Steve, James or Eric could probably say for
> > sure.
>
> When auditd is not running on a Debian system with CentOS kernel
> 2.6.18-92.1.13.el5xen or Debian/Lenny kernel 2.6.26-2-xen-686 then nothing
> goes to the kernel message log which is interpreted by audit2allow as a
> candidate for the "-l" functionality.
>
> It's OK if all the AVC messages go to the audit log and "dmesg|audit2allow -l"
> gives no output.  But if all AVC messages other than the load_policy message
> go to the kernel message log then it's a bug.

Originally audit2allow used the avc: allowed message generated by
auditallow statement for load_policy to identify policy reloads.  Later
it was switched to use the MAC_POLICY_LOAD events generated by the audit
framework.  Those events should still get logged via printk if auditd is
not running, but it appears that the code (audit_printk_skb) will then
log the type= field as an integer rather than a string, and
audit2allow/sepolgen only looks for the string MAC_POLICY_LOAD.

So I suspect that this would be resolved by modifying sepolgen/audit.py
to also match on type=1403 for load messages.  Try this:

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-11-27 13:33:52 -05:00
Joshua Brindle
f3c3bbd16a bump checkpolicy to 2.0.20, libsepol to 2.0.39, sepolgen to 1.0.18 2009-10-14 15:54:16 -04:00
pjnuzzi
6341f6a492 sepolgen: Add support for multiple target OSes
Add support to sepolgen for new Xen ocontext identifiers.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-10-14 15:46:14 -04:00
Joshua Brindle
4fabd7d0d1 bump sepolgen to 1.0.17 2009-05-05 20:20:36 -04:00
Marshall Miller
7e3311a9a7 sepolgen typo fix
Commit b3b3f8186e attempted to fix a bug,
but didn't.  The following patch should do it.

Marshall Miller

Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-04-10 17:26:55 -04:00
Joshua Brindle
6ed00ee094 bump sepolgen to 1.0.16 2009-02-17 12:19:32 -05:00
Joshua Brindle
fb50c7b4ef Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: sepolgen patch
Date: Tue, 13 Jan 2009 08:59:51 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5 semodule packages is being retired.  Supposed to use hashlib now.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklsnlcACgkQrlYvE4MpobMEHQCgiRH3w/m4vTnPSdKfYCJtPHKF
ncEAn2WdQb9l5uiUsmIvp+92mTBAcmCR
=RVRr
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-02-16 11:50:33 -05:00
Joshua Brindle
a5dfb3abe0 bump sepolgen to 1.0.15 2009-01-12 10:49:36 -05:00
Joshua Brindle
b3b3f8186e Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Problem in sepolgen
Date: Mon, 01 Dec 2008 11:51:19 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

self.roles does not exist, need to return length of dictionary.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkk0FgYACgkQrlYvE4MpobP5HwCeNgjPTSPoqBQTXa14ZA9Jc0ww
yycAoNWJhg78BXm4L5Vg9cNAdNa7ggfD
=Uz8t
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2009-01-12 10:19:59 -05:00
Joshua Brindle
5214ee3d97 bump policycoreutils to 2.0.56 and sepolgen to 1.0.14 2008-09-07 18:57:50 -04:00
Joshua Brindle
ceb5792c21 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: Only call gen_requires once.
Date: Thu, 11 Sep 2008 09:35:54 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Currently audit2allow/sepolgen will create two identical gen_requires
block if you have allow rules and a role statement.

This patch fixes this problem.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjJHroACgkQrlYvE4MpobPgMQCghgAMBtaQO0BeZX+ug6IwsWB8
bNEAoMkRo4cZa0iJhGoGMmCvy5ncGpj8
=gMFg
-----END PGP SIGNATURE-----

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-09-07 18:48:24 -04:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00