From eafe62886f8941e249d8eceaee732d3b35e19616 Mon Sep 17 00:00:00 2001
From: Pino Toscano <ptoscano@redhat.com>
Date: Thu, 29 Nov 2018 11:22:28 +0100
Subject: [PATCH] New lens: Semanage (#594)
Introduce a new lens to parse /etc/selinux/semanage.conf instead of
using Simplevars: the latter cannot handle the more complex syntax of
groups introduced in newer versions of libsemanage.
---
lenses/semanage.aug | 37 ++++++++++++++++
lenses/simplevars.aug | 1 -
lenses/tests/test_semanage.aug | 81 ++++++++++++++++++++++++++++++++++
tests/Makefile.am | 1 +
4 files changed, 119 insertions(+), 1 deletion(-)
create mode 100644 lenses/semanage.aug
create mode 100644 lenses/tests/test_semanage.aug
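diff --git a/lenses/semanage.aug b/lenses/semanage.aug
new file mode 100644
index 00000000..46f93b32
--- /dev/null
+++ b/lenses/semanage.aug
@@ -0,0 +1,37 @@
+(*
+Module: Semanage
+ Parses /etc/selinux/semanage.conf
+
+Author:
+ Pino Toscano <ptoscano@redhat.com>
+
+About: License
+ This file is licenced under the LGPL v2+, like the rest of Augeas.
+
+About: Configuration files
+ This lens applies to /etc/selinux/semanage.conf. See <filter>.
+
+About: Examples
+ The <Test_Semanage> file contains various examples and tests.
+*)
+
+module Semanage =
+ autoload xfm
+
+let comment = IniFile.comment "#" "#"
+let sep = IniFile.sep "=" "="
+let empty = IniFile.empty
+let eol = IniFile.eol
+
+let entry = IniFile.entry IniFile.entry_re sep comment
+ | empty
+
+let title = IniFile.title_label "@group" (IniFile.record_re - /^end$/)
+let record = [ title . entry+ . Util.del_str "[end]" . eol ]
+
+let lns = (entry | record)*
+
+(* Variable: filter *)
+let filter = incl "/etc/selinux/semanage.conf"
+
+let xfm = transform lns filter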
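Review bot: The subtraction `IniFile.record_re - /^end$/` in `title` may not exclude the name `end` at all: Augeas regular expressions always match the whole string and, as far as I know, treat `^` and `$` as ordinary characters, so this would remove the literal string `^end$` instead. If that is right, `[end]` is still accepted as a group title, and a stray or duplicated `[end]` line followed by entries is read as opening a group named "end" rather than being rejected. Writing `(IniFile.record_re - "end")` would state the intent directly. A short comment above `record`, for example `(* A group runs from "[name]" to a literal "[end]" line *)`, would also help, because this file sets the helper `path` and `args` shown in the tests and a silent mis-parse is hard to notice from tooling that edits it through Augeas.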
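diff --git a/lenses/simplevars.aug b/lenses/simplevars.aug
index ad9795f0..6e6547cc 100644
--- a/lenses/simplevars.aug
+++ b/lenses/simplevars.aug
@@ -46,6 +46,5 @@ let filter = incl "/etc/kernel-img.conf"
 . incl "/etc/audit/auditd.conf"
 . incl "/etc/mixerctl.conf"
 . incl "/etc/wsconsctlctl.conf"
- . incl "/etc/selinux/semanage.conf"
 
 let xfm = transform lns filter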
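diff --git a/lenses/tests/test_semanage.aug b/lenses/tests/test_semanage.aug
new file mode 100644
index 00000000..a6ceaca0
--- /dev/null
+++ b/lenses/tests/test_semanage.aug
@@ -0,0 +1,81 @@
+(*
+Module: Test_Semanage
+ Provides unit tests and examples for the <Semanage> lens.
+*)
+
+module Test_Semanage =
+
+(* Variable: phony_conf *)
+let phony_conf = "# this is a comment
+
+mykey = myvalue # eol comment
+anotherkey = another value
+"
+
+(* Test: Semanage.lns *)
+test Semanage.lns get phony_conf =
+ { "#comment" = "this is a comment" }
+ { }
+ { "mykey" = "myvalue"
+ { "#comment" = "eol comment" } }
+ { "anotherkey" = "another value" }
+
+(* Test: Semanage.lns
+ Quotes are OK in variables that do not begin with a quote *)
+test Semanage.lns get "UserParameter=custom.vfs.dev.read.ops[*],cat /proc/diskstats | grep $1 | head -1 | awk '{print $$4}'\n" =
+ { "UserParameter" = "custom.vfs.dev.read.ops[*],cat /proc/diskstats | grep $1 | head -1 | awk '{print $$4}'" }
+
+(* Test: Semanage.lns
+ Support empty values *)
+test Semanage.lns get "foo =\n" =
+ { "foo" }
+
+(* Variable: conf *)
+let conf = "module-store = direct
+module-store = \"source\"
+
+#policy-version = 19
+
+expand-check=0
+
+usepasswd=False
+bzip-small=true
+bzip-blocksize=5
+ignoredirs=/root
+
+[sefcontext_compile]
+path = /usr/sbin/sefcontext_compile
+args = -r $@
+
+[end]
+
+config=test
+
+[verify module]
+test=value
+[end]
+"
+
+(* Test: Semanage.lns *)
+test Semanage.lns get conf =
+ { "module-store" = "direct" }
+ { "module-store" = "source" }
+ { }
+ { "#comment" = "policy-version = 19" }
+ { }
+ { "expand-check" = "0" }
+ { }
+ { "usepasswd" = "False" }
+ { "bzip-small" = "true" }
+ { "bzip-blocksize" = "5" }
+ { "ignoredirs" = "/root" }
+ { }
+ { "@group" = "sefcontext_compile"
+ { "path" = "/usr/sbin/sefcontext_compile" }
+ { "args" = "-r $@" }
+ { } }
+ { }
+ { "config" = "test" }
+ { }
+ { "@group" = "verify module"
+ { "test" = "value" } }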
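Review bot: Every test in this file is a `get` on well-formed input, so nothing pins how the lens treats a group that is never closed, and nothing exercises the write path. A failure case such as `test Semanage.lns get "[grp]\nkey=value\n" = *` would document that an unterminated group is rejected. One `put` test that changes a value inside a `@group` would confirm that the `[end]` line survives a round trip. The `UserParameter` case and its comment about quotes look carried over from another lens's tests; a semanage.conf-style key there would make the intent clearer.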
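diff --git a/tests/Makefile.am b/tests/Makefile.am
index 8e035e91..2b87c1c7 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -186,6 +186,7 @@ lens_tests = \
 lens-rx.sh \
 lens-samba.sh \
 lens-securetty.sh \
+ lens-semanage.sh \
 lens-services.sh \
 lens-shadow.sh \
 lens-shells.sh \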
--
2.17.2