Message ID | 1471250698-16573-2-git-send-email-mvadkert@redhat.com (mailing list archive) |
---|---|
State | Not Applicable |
On 08/15/2016 10:44 AM, Miroslav Vadkerti wrote: > In case serange is empty, but the record is being modified > (setype was supplied), use default "s0" range. With the original > code the audit event would be printed with no range (i.e. > "system_u:object_r:ssh_port_t:") > > Note that default "s0" is currently used in other places > of seobject.py. > Note-to-self: when we deal with refpolicy specific identifiers like system_u remember to also deal with these. Since these are essentially also refpolicy specific identifiers. > Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com> > --- > policycoreutils/semanage/seobject.py | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py > index 538ff0a..a6681f0 100644 > --- a/policycoreutils/semanage/seobject.py > +++ b/policycoreutils/semanage/seobject.py > @@ -1161,8 +1161,11 @@ class portRecords(semanageRecords): > > con = semanage_port_get_con(p) > > - if (is_mls_enabled == 1) and (serange != ""): > - semanage_context_set_mls(self.sh, con, untranslate(serange)) > + if is_mls_enabled == 1: > + if serange == "": > + serange = "s0" > + else: > + semanage_context_set_mls(self.sh, con, untranslate(serange)) > if setype != "": > semanage_context_set_type(self.sh, con, setype) > >
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py index 538ff0a..a6681f0 100644 --- a/policycoreutils/semanage/seobject.py +++ b/policycoreutils/semanage/seobject.py @@ -1161,8 +1161,11 @@ class portRecords(semanageRecords): con = semanage_port_get_con(p) - if (is_mls_enabled == 1) and (serange != ""): - semanage_context_set_mls(self.sh, con, untranslate(serange)) + if is_mls_enabled == 1: + if serange == "": + serange = "s0" + else: + semanage_context_set_mls(self.sh, con, untranslate(serange)) if setype != "": semanage_context_set_type(self.sh, con, setype)
In case serange is empty, but the record is being modified (setype was supplied), use default "s0" range. With the original code the audit event would be printed with no range (i.e. "system_u:object_r:ssh_port_t:") Note that default "s0" is currently used in other places of seobject.py. Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com> --- policycoreutils/semanage/seobject.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
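Review bot: in the `serange == ""` branch the default is assigned to the local variable only, while `semanage_context_set_mls(self.sh, con, untranslate(serange))` sits in the `else`, so `con` keeps whatever range the existing port record already carries. If that stored range is not "s0", the range that the commit message says is printed in the audit event will not match the range actually in the record. Consider taking the default from the record itself, for example with `semanage_context_get_mls(con)`, and falling back to "s0" only when that is empty. A one-line comment stating that the assignment exists for the audit message would also help, since nothing in the visible hunk reads `serange` after it is set.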