From patchwork Fri Aug 19 03:45:15 2016
X-Patchwork-Submitter: Jason Zaman
X-Patchwork-Id: 9289275
From: Jason Zaman
To: selinux@tycho.nsa.gov
Subject: [PATCH 1/3] audit2allow: remove audit2why so it gets symlinked
Date: Fri, 19 Aug 2016 11:45:15 +0800
Message-Id: <1471578317-22785-1-git-send-email-jason@perfinion.com>
X-Mailer: git-send-email 2.7.3
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

audit2why is supposed to be a symlink to audit2allow. There are instead 2 files in the repo so the makefile has not been replacing audit2why.

Signed-off-by: Jason Zaman
---
 policycoreutils/audit2allow/audit2why | 365 +---------------------------------
 1 file changed, 1 insertion(+), 364 deletions(-)
 mode change 100644 => 120000 policycoreutils/audit2allow/audit2why

diff --git a/policycoreutils/audit2allow/audit2why b/policycoreutils/audit2allow/audit2why
deleted file mode 100644
index b1489ed..0000000
--- a/policycoreutils/audit2allow/audit2why
+++ /dev/null
@@ -1,364 +0,0 @@ -#! /usr/bin/python -Es -# Authors: Karl MacMillan -# Authors: Dan Walsh -# -# Copyright (C) 2006-2013 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation; version 2 only -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -import sys -import os - -import sepolgen.audit as audit -import sepolgen.policygen as policygen -import sepolgen.interfaces as interfaces -import sepolgen.output as output -import sepolgen.objectmodel as objectmodel -import sepolgen.defaults as defaults -import sepolgen.module as module -from sepolgen.sepolgeni18n import _ -import selinux.audit2why as audit2why -import locale -try: - locale.setlocale(locale.LC_ALL, '') -except: - pass - - -class AuditToPolicy: - VERSION = "%prog .1" - SYSLOG = "/var/log/messages" - - def __init__(self): - self.__options = None - self.__parser = None - self.__avs = None - - def __parse_options(self): - from optparse import OptionParser - - parser = OptionParser(version=self.VERSION) - parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False, - help="audit messages since last boot conflicts with -i") - parser.add_option("-a", "--all", action="store_true", dest="audit", default=False, - help="read input from audit log - conflicts with -i") - parser.add_option("-p", "--policy", dest="policy", default=None, help="Policy file to use for analysis") - parser.add_option("-d", "--dmesg", 
action="store_true", dest="dmesg", default=False, - help="read input from dmesg - conflicts with --all and --input") - parser.add_option("-i", "--input", dest="input", - help="read input from - conflicts with -a") - parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False, - help="read input only after the last reload") - parser.add_option("-r", "--requires", action="store_true", dest="requires", default=False, - help="generate require statements for rules") - parser.add_option("-m", "--module", dest="module", - help="set the module name - implies --requires") - parser.add_option("-M", "--module-package", dest="module_package", - help="generate a module package - conflicts with -o and -m") - parser.add_option("-o", "--output", dest="output", - help="append output to , conflicts with -M") - parser.add_option("-D", "--dontaudit", action="store_true", - dest="dontaudit", default=False, - help="generate policy with dontaudit rules") - parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", - default=True, help="generate refpolicy style output") - - parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy", - default=False, help="do not generate refpolicy style output") - parser.add_option("-v", "--verbose", action="store_true", dest="verbose", - default=False, help="explain generated output") - parser.add_option("-e", "--explain", action="store_true", dest="explain_long", - default=False, help="fully explain generated output") - parser.add_option("-t", "--type", help="only process messages with a type that matches this regex", - dest="type") - parser.add_option("--perm-map", dest="perm_map", help="file name of perm map") - parser.add_option("--interface-info", dest="interface_info", help="file name of interface information") - parser.add_option("--debug", dest="debug", action="store_true", default=False, - help="leave generated modules for -M") - parser.add_option("-w", "--why", 
dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"), - help="Translates SELinux audit messages into a description of why the access was denied") - - options, args = parser.parse_args() - - # Make -d, -a, and -i conflict - if options.audit is True or options.boot: - if options.input is not None: - sys.stderr.write("error: --all/--boot conflicts with --input\n") - if options.dmesg is True: - sys.stderr.write("error: --all/--boot conflicts with --dmesg\n") - if options.input is not None and options.dmesg is True: - sys.stderr.write("error: --input conflicts with --dmesg\n") - - # Turn on requires generation if a module name is given. Also verify - # the module name. - if options.module: - name = options.module - else: - name = options.module_package - if name: - options.requires = True - if not module.is_valid_name(name): - sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n') - sys.exit(2) - - # Make -M and -o conflict - if options.module_package: - if options.output: - sys.stderr.write("error: --module-package conflicts with --output\n") - sys.exit(2) - if options.module: - sys.stderr.write("error: --module-package conflicts with --module\n") - sys.exit(2) - - self.__options = options - - def __read_input(self): - parser = audit.AuditParser(last_load_only=self.__options.lastreload) - - filename = None - messages = None - f = None - - # Figure out what input we want - if self.__options.input is not None: - filename = self.__options.input - elif self.__options.dmesg: - messages = audit.get_dmesg_msgs() - elif self.__options.audit: - try: - messages = audit.get_audit_msgs() - except OSError as e: - sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) - sys.exit(1) - elif self.__options.boot: - try: - messages = audit.get_audit_boot_msgs() - except OSError as e: - sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) - sys.exit(1) - else: - # 
This is the default if no input is specified - f = sys.stdin - - # Get the input - if filename is not None: - try: - f = open(filename) - except IOError as e: - sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e))) - sys.exit(1) - - if f is not None: - parser.parse_file(f) - f.close() - - if messages is not None: - parser.parse_string(messages) - - self.__parser = parser - - def __process_input(self): - if self.__options.type: - avcfilter = audit.AVCTypeFilter(self.__options.type) - self.__avs = self.__parser.to_access(avcfilter) - csfilter = audit.ComputeSidTypeFilter(self.__options.type) - self.__role_types = self.__parser.to_role(csfilter) - else: - self.__avs = self.__parser.to_access() - self.__role_types = self.__parser.to_role() - - def __load_interface_info(self): - # Load interface info file - if self.__options.interface_info: - fn = self.__options.interface_info - else: - fn = defaults.interface_info() - try: - fd = open(fn) - except: - sys.stderr.write("could not open interface info [%s]\n" % fn) - sys.exit(1) - - ifs = interfaces.InterfaceSet() - ifs.from_file(fd) - fd.close() - - # Also load perm maps - if self.__options.perm_map: - fn = self.__options.perm_map - else: - fn = defaults.perm_map() - try: - fd = open(fn) - except: - sys.stderr.write("could not open perm map [%s]\n" % fn) - sys.exit(1) - - perm_maps = objectmodel.PermMappings() - perm_maps.from_file(fd) - - return (ifs, perm_maps) - - def __output_modulepackage(self, writer, generator): - generator.set_module_name(self.__options.module_package) - filename = self.__options.module_package + ".te" - packagename = self.__options.module_package + ".pp" - - try: - fd = open(filename, "w") - except IOError as e: - sys.stderr.write("could not write output file: %s\n" % str(e)) - sys.exit(1) - - writer.write(generator.get_module(), fd) - fd.close() - - mc = module.ModuleCompiler() - - try: - mc.create_module_package(filename, self.__options.refpolicy) - except RuntimeError as e: 
- print(e) - sys.exit(1) - - sys.stdout.write(_("******************** IMPORTANT ***********************\n")) - sys.stdout.write((_("To make this policy package active, execute:" + - "\n\nsemodule -i %s\n\n") % packagename)) - - def __output_audit2why(self): - import selinux - import seobject - for i in self.__parser.avc_msgs: - rc = i.type - data = i.data - if rc >= 0: - print("%s\n\tWas caused by:" % i.message) - if rc == audit2why.ALLOW: - print("\t\tUnknown - would be allowed by active policy") - print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n") - print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n") - continue - if rc == audit2why.DONTAUDIT: - print("\t\tUnknown - should be dontaudit'd by active policy") - print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n") - print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n") - continue - if rc == audit2why.BOOLEAN: - if len(data) > 1: - print("\tOne of the following booleans was set incorrectly.") - for b in data: - print("\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])) - print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])) - else: - print("\tThe boolean %s was set incorrectly. " % (data[0][0])) - print("\tDescription:\n\t%s\n" % seobject.boolean_desc(data[0][0])) - print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1])) - continue - - if rc == audit2why.TERULE: - print("\t\tMissing type enforcement (TE) allow rule.\n") - print("\t\tYou can use audit2allow to generate a loadable module to allow this access.\n") - continue - - if rc == audit2why.CONSTRAINT: - print() # !!!! This avc is a constraint violation. 
You would need to modify the attributes of either the source or target types to allow this access.\n" - print("#Constraint rule: \n\t" + data[0]) - for reason in data[1:]: - print("#\tPossible cause is the source %s and target %s are different.\n\b" % reason) - - if rc == audit2why.RBAC: - print("\t\tMissing role allow rule.\n") - print("\t\tAdd an allow rule for the role pair.\n") - continue - - audit2why.finish() - return - - def __output(self): - - if self.__options.audit2why: - try: - return self.__output_audit2why() - except RuntimeError as e: - print(e) - sys.exit(1) - - g = policygen.PolicyGenerator() - - g.set_gen_dontaudit(self.__options.dontaudit) - - if self.__options.module: - g.set_module_name(self.__options.module) - - # Interface generation - if self.__options.refpolicy: - ifs, perm_maps = self.__load_interface_info() - g.set_gen_refpol(ifs, perm_maps) - - # Explanation - if self.__options.verbose: - g.set_gen_explain(policygen.SHORT_EXPLANATION) - if self.__options.explain_long: - g.set_gen_explain(policygen.LONG_EXPLANATION) - - # Requires - if self.__options.requires: - g.set_gen_requires(True) - - # Generate the policy - g.add_access(self.__avs) - g.add_role_types(self.__role_types) - - # Output - writer = output.ModuleWriter() - - # Module package - if self.__options.module_package: - self.__output_modulepackage(writer, g) - else: - # File or stdout - if self.__options.module: - g.set_module_name(self.__options.module) - - if self.__options.output: - fd = open(self.__options.output, "a") - else: - fd = sys.stdout - writer.write(g.get_module(), fd) - - def main(self): - try: - self.__parse_options() - if self.__options.policy: - audit2why.init(self.__options.policy) - else: - audit2why.init() - - self.__read_input() - self.__process_input() - self.__output() - except KeyboardInterrupt: - sys.exit(0) - except ValueError as e: - print(e) - sys.exit(1) - except IOError as e: - print(e) - sys.exit(1) - -if __name__ == "__main__": - app = 
AuditToPolicy() - app.main() diff --git a/policycoreutils/audit2allow/audit2why b/policycoreutils/audit2allow/audit2why new file mode 120000 index 0000000..9cddcf5 --- /dev/null +++ b/policycoreutils/audit2allow/audit2why @@ -0,0 +1 @@ +audit2allow \ No newline at end of file
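Review bot: the deleted copy enters audit2why mode only through the `-w/--why` default `os.path.basename(sys.argv[0]) == "audit2why"`, so replacing it with a symlink is behaviour-preserving only if the audit2allow script the link resolves to carries the same argv[0] check; please confirm that before merging, because a mismatch would make an `audit2why` invocation silently emit allow rules instead of explaining the denial. The removed file had also drifted from a plain copy (in its CONSTRAINT branch the explanatory text sits in a comment after a bare `print()`, so only an empty line is printed), which supports the commit message's point that the two files were no longer kept in sync; noting that divergence in the commit message would help anyone bisecting a change in `audit2why` output.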
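Review bot: the relative target `audit2allow` is the right choice for the new mode 120000 entry, since both paths live in policycoreutils/audit2allow and the link resolves from any checkout location, and the `\ No newline at end of file` marker is expected here because a symlink target must not carry a trailing newline. Since the commit message says the Makefile was not replacing audit2why, it should also say whether the install rule now preserves the link or dereferences it into a regular file named audit2why; either is workable only if audit2allow selects its mode from argv[0] the way the removed script did, so the chosen behaviour is worth recording.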