policycoreutils: sepolgen: return and output constraint violation information
update sepolgen to return constraint violation information. Then output that information in audit2allow. Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Eric Paris
parent
4d04f4c443
commit
628bcc69e2
5 changed files with 34 additions and 20 deletions
|
|
@ -236,7 +236,7 @@ class AuditToPolicy:
|
|||
import seobject
|
||||
for i in self.__parser.avc_msgs:
|
||||
rc = i.type
|
||||
bools = i.bools
|
||||
data = i.data
|
||||
if rc >= 0:
|
||||
print "%s\n\tWas caused by:" % i.message
|
||||
if rc == audit2why.ALLOW:
|
||||
|
|
@ -250,15 +250,15 @@ class AuditToPolicy:
|
|||
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
|
||||
continue
|
||||
if rc == audit2why.BOOLEAN:
|
||||
if len(bools) > 1:
|
||||
if len(data) > 1:
|
||||
print "\tOne of the following booleans was set incorrectly."
|
||||
for b in bools:
|
||||
for b in data:
|
||||
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
|
||||
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
|
||||
else:
|
||||
print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
|
||||
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
|
||||
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
|
||||
print "\tThe boolean %s was set incorrectly. " % (data[0][0])
|
||||
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(data[0][0])
|
||||
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1])
|
||||
continue
|
||||
|
||||
if rc == audit2why.TERULE:
|
||||
|
|
@ -270,6 +270,8 @@ class AuditToPolicy:
|
|||
print "\t\tPolicy constraint violation.\n"
|
||||
print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
|
||||
print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
|
||||
for reason in data:
|
||||
print "\t\tNote: Possible cause is the source and target %s differ\n" % reason
|
||||
continue
|
||||
|
||||
if rc == audit2why.RBAC:
|
||||
|
|
|
|||
|
|
@ -87,7 +87,7 @@ class AccessVector:
|
|||
self.perms = refpolicy.IdSet()
|
||||
self.audit_msgs = []
|
||||
self.type = audit2why.TERULE
|
||||
self.bools = []
|
||||
self.data = []
|
||||
|
||||
# The direction of the information flow represented by this
|
||||
# access vector - used for matching
|
||||
|
|
@ -256,7 +256,7 @@ class AccessVectorSet:
|
|||
for av in l:
|
||||
self.add_av(AccessVector(av))
|
||||
|
||||
def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
|
||||
def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, data=[]):
|
||||
"""Add an access vector to the set.
|
||||
"""
|
||||
tgt = self.src.setdefault(src_type, { })
|
||||
|
|
@ -269,7 +269,7 @@ class AccessVectorSet:
|
|||
access.src_type = src_type
|
||||
access.tgt_type = tgt_type
|
||||
access.obj_class = obj_class
|
||||
access.bools = bools
|
||||
access.data = data
|
||||
access.type = avc_type
|
||||
cls[obj_class, avc_type] = access
|
||||
|
||||
|
|
|
|||
|
|
@ -173,7 +173,6 @@ class AVCMessage(AuditMessage):
|
|||
self.accesses = []
|
||||
self.denial = True
|
||||
self.type = audit2why.TERULE
|
||||
self.bools = []
|
||||
|
||||
def __parse_access(self, recs, start):
|
||||
# This is kind of sucky - the access that is in a space separated
|
||||
|
|
@ -241,10 +240,12 @@ class AVCMessage(AuditMessage):
|
|||
tcontext = self.tcontext.to_string()
|
||||
scontext = self.scontext.to_string()
|
||||
access_tuple = tuple( self.accesses)
|
||||
self.data = []
|
||||
|
||||
if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
|
||||
self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
|
||||
self.type, self.data = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
|
||||
else:
|
||||
self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
||||
self.type, self.data = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
|
||||
if self.type == audit2why.NOPOLICY:
|
||||
self.type = audit2why.TERULE
|
||||
if self.type == audit2why.BADTCON:
|
||||
|
|
@ -258,7 +259,16 @@ class AVCMessage(AuditMessage):
|
|||
if self.type == audit2why.BADCOMPUTE:
|
||||
raise ValueError("Error during access vector computation")
|
||||
|
||||
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
|
||||
if self.type == audit2why.CONSTRAINT:
|
||||
self.data = []
|
||||
if self.scontext.user != self.tcontext.user:
|
||||
self.data.append("user")
|
||||
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
|
||||
self.data.append("role")
|
||||
if self.scontext.level != self.tcontext.level:
|
||||
self.data.append("level")
|
||||
|
||||
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
|
||||
|
||||
class PolicyLoadMessage(AuditMessage):
|
||||
"""Audit message indicating that the policy was reloaded."""
|
||||
|
|
@ -507,10 +517,10 @@ class AuditParser:
|
|||
if avc_filter:
|
||||
if avc_filter.filter(avc):
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||
avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
||||
else:
|
||||
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
|
||||
avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
|
||||
avc.accesses, avc, avc_type=avc.type, data=avc.data)
|
||||
return av_set
|
||||
|
||||
class AVCTypeFilter:
|
||||
|
|
|
|||
|
|
@ -166,14 +166,16 @@ class PolicyGenerator:
|
|||
rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
|
||||
|
||||
if av.type == audit2why.BOOLEAN:
|
||||
if len(av.bools) > 1:
|
||||
rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.bools))
|
||||
if len(av.data) > 1:
|
||||
rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
|
||||
else:
|
||||
rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
|
||||
rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
|
||||
|
||||
if av.type == audit2why.CONSTRAINT:
|
||||
rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||
rule.comment += "#Constraint rule: "
|
||||
for reason in av.data:
|
||||
rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
|
||||
|
||||
try:
|
||||
if ( av.type == audit2why.TERULE and
|
||||
|
|
|
|||
|
|
@ -799,7 +799,7 @@ class Require(Leaf):
|
|||
self.types = IdSet()
|
||||
self.obj_classes = { }
|
||||
self.roles = IdSet()
|
||||
self.bools = IdSet()
|
||||
self.data = IdSet()
|
||||
self.users = IdSet()
|
||||
|
||||
def add_obj_class(self, obj_class, perms):
|
||||
|
|
@ -816,7 +816,7 @@ class Require(Leaf):
|
|||
s.append("\tclass %s %s;" % (obj_class, perms.to_space_str()))
|
||||
for role in self.roles:
|
||||
s.append("\trole %s;" % role)
|
||||
for bool in self.bools:
|
||||
for bool in self.data:
|
||||
s.append("\tbool %s;" % bool)
|
||||
for user in self.users:
|
||||
s.append("\tuser %s;" % user)
|
||||
|
|
|
|||
Loading…
Reference in a new issue