diff --git a/.cvsignore b/.cvsignore
index e30ab6b..ce74461 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -46,3 +46,4 @@ serefpolicy-2.2.18.tgz
serefpolicy-2.2.19.tgz
serefpolicy-2.2.20.tgz
serefpolicy-2.2.21.tgz
+serefpolicy-2.2.22.tgz
diff --git a/policygentool b/policygentool
index ee31b35..97042eb 100644
--- a/policygentool
+++ b/policygentool
@@ -21,64 +21,140 @@
#
#
import os, sys, getopt
-import seobject
import re
########################### Interface File #############################
-interface="\n\
-## policy for TEMPLATETYPE\n\
-\n\
-########################################\n\
-## \n\
-## Execute a domain transition to run TEMPLATETYPE.\n\
-## \n\
-## \n\
-## Domain allowed to transition.\n\
-## \n\
-#\n\
-interface(`TEMPLATETYPE_domtrans',`\n\
- gen_requires(`\n\
- type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;\n\
- ')\n\
-\n\
- domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)\n\
-\n\
- allow $1 TEMPLATETYPE_t:fd use;\n\
- allow TEMPLATETYPE_t $1:fd use;\n\
- allow TEMPLATETYPE_t:$1:fifo_file rw_file_perms;\n\
- allow TEMPLATETYPE_t $1:process sigchld;\n\
-')\n\
-"
+interface="""\
+## policy for TEMPLATETYPE
+
+########################################
+##
+## Execute a domain transition to run TEMPLATETYPE.
+##
+##
+## Domain allowed to transition.
+##
+#
+interface(`TEMPLATETYPE_domtrans',`
+ gen_requires(`
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
+ ')
+
+ domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
+
+ allow $1 TEMPLATETYPE_t:fd use;
+ allow TEMPLATETYPE_t $1:fd use;
+ allow TEMPLATETYPE_t:$1:fifo_file rw_file_perms;
+ allow TEMPLATETYPE_t $1:process sigchld;
+')
+"""
########################### Type Enforcement File #############################
-te="\n\
-policy_module(TEMPLATETYPE,1.0.0)\n\
-\n\
-########################################\n\
-#\n\
-# Declarations\n\
-#\n\
-\n\
-type TEMPLATETYPE_t;\n\
-type TEMPLATETYPE_exec_t;\n\
-domain_type(TEMPLATETYPE_t)\n\
-init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)\n\
-\n\
-########################################\n\
-#\n\
-# TEMPLATETYPE local policy\n\
-#\n\
-# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.\n"
+te="""\
+policy_module(TEMPLATETYPE,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type TEMPLATETYPE_t;
+type TEMPLATETYPE_exec_t;
+domain_type(TEMPLATETYPE_t)
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
+"""
+te_pidfile="""
+# pid files
+type TEMPLATETYPE_var_run_t;
+files_pid_file(TEMPLATETYPE_var_run_t)
+"""
+te_logfile="""
+# log files
+type TEMPLATETYPE_var_log_t;
+logging_log_file(TEMPLATETYPE_var_log_t)
+"""
+te_libfile="""
+# var/lib files
+type TEMPLATETYPE_var_lib_t;
+files_type(TEMPLATETYPE_var_lib_t)
+"""
+te_sep="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
+
+# Some common macros (you might be able to remove some)
+files_read_etc_files(TEMPLATETYPE_t)
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+miscfiles_read_localization(TEMPLATETYPE_t)
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file { read write };
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+"""
+te_pidfile2="""
+# pid file
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
+"""
+te_logfile2="""
+# log files
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
+"""
+te_libfile2="""
+# var/lib files for TEMPLATETYPE
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
+allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
+files_var_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t,{ file dir sock_file })
+files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t)
+"""
+te_network2="""
+## Networking basics (adjust to your needs!)
+sysnet_dns_name_resolve(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
+corenet_tcp_connect_http_port(TEMPLATETYPE_t)
+#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
+## if it is a network daemon, consider these:
+#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
+#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+allow TEMPLATETYPE_t self:tcp_socket { listen accept };
+"""
+te_initsc2="""
+# Init script handling
+init_use_fd(TEMPLATETYPE_t)
+init_use_script_ptys(TEMPLATETYPE_t)
+domain_use_interactive_fds(TEMPLATETYPE_t)
+"""
########################### File Context ##################################
-fc="\n\
-# TEMPLATETYPE executable will have:\n\
-# label: system_u:object_r:TEMPLATETYPE_exec_t\n\
-# MLS sensitivity: s0\n\
-# MCS categories: \n\
-\n\
-EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)\n\
-"
+fc="""\
+# TEMPLATETYPE executable will have:
+# label: system_u:object_r:TEMPLATETYPE_exec_t
+# MLS sensitivity: s0
+# MCS categories:
+
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
+"""
+fc_pidfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+fc_logfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
+"""
+fc_libfile="""\
+FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
def errorExit(error):
sys.stderr.write("%s: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
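Review bot: The interface template still emits `allow TEMPLATETYPE_t:$1:fifo_file rw_file_perms;` (the fifo line after `domain_auto_trans`), where a colon sits in place of the space separating source and target, so every generated .if file fails to parse when the module is built; it should read `allow TEMPLATETYPE_t $1:fifo_file rw_file_perms;`. The line was carried over unchanged from the old escaped-string form, so the triple-quote rewrite was the moment to catch it. Separately, `te_network2` grants `corenet_tcp_sendrecv_all_ports`/`_all_nodes` and `corenet_non_ipsec_sendrecv` by default and emits `allow TEMPLATETYPE_t self:tcp_socket { listen accept };` unconditionally while the bind rules are commented out; a comment such as `# listen/accept only make sense for a daemon: pair with the bind rules above or drop them` plus a reminder that the all-ports rules are a starting point to narrow before shipping would keep users from loading a half-formed server rule as-is. `errorExit` at the bottom of the hunk continues outside it.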
@@ -86,9 +162,26 @@ def errorExit(error):
sys.exit(1)
-def write_te_file(module):
+def write_te_file(module, pidfile, logfile, libfile, network, initsc):
file="%s.te" % module
newte=re.sub("TEMPLATETYPE", module, te)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
+ newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
+ if pidfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
+ if logfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
+ if libfile:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
+ if network:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
+ if initsc:
+ newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
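Review bot: Every `re.sub("TEMPLATETYPE", module, ...)` in `write_te_file` uses `module` as a regex replacement template, so a name containing a backslash (for example `\1`) is expanded or raises `re.error` rather than being copied into the policy, and nothing checks that `module` is a legal SELinux identifier before it becomes a type name in the generated .te file. Use plain `str.replace` for the substitution and reject anything outside `[A-Za-z0-9_]` with the existing `errorExit` helper. The `os.path.exists` check followed by `open(file, 'w')` is also a small exists-then-create race; `os.open` with `O_CREAT|O_EXCL` would make the "already exists" guard atomic, though for a developer tool this is minor. `write_te_file` continues past the end of the hunk.
```python
def write_te_file(module, pidfile, logfile, libfile, network, initsc):
    # type names are identifiers; refuse anything that is not one before it reaches the policy
    if not re.match(r"^[A-Za-z0-9_]+$", module):
        errorExit("invalid module name: %s" % module)
    file = "%s.te" % module
    newte = te.replace("TEMPLATETYPE", module)
    if pidfile:
        newte = newte + te_pidfile.replace("TEMPLATETYPE", module)
    # … unchanged: remaining optional templates, each switched from re.sub to str.replace …
```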
@@ -104,20 +197,29 @@ def write_if_file(module):
fd.write(newif)
fd.close()
-def write_fc_file(module, executable):
+def write_fc_file(module, executable, pidfile, logfile, libfile):
file="%s.fc" % module
- newfc=re.sub("TEMPLATETYPE", module, fc)
- newfc=re.sub("EXECUTABLE", executable, newfc)
+ temp=re.sub("TEMPLATETYPE", module, fc)
+ newfc=re.sub("EXECUTABLE", executable, temp)
+ if pidfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
+ newfc=newfc + re.sub("FILENAME", pidfile, temp)
+ if logfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_logfile)
+ newfc=newfc + re.sub("FILENAME", logfile, temp)
+ if libfile:
+ temp=re.sub("TEMPLATETYPE", module, fc_libfile)
+ newfc=newfc + re.sub("FILENAME", libfile, temp)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newfc)
fd.close()
-def gen_policy(module, executable):
- write_te_file(module)
+def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
+ write_te_file(module, pidfile, logfile, libfile, initsc, network)
write_if_file(module)
- write_fc_file(module, executable)
+ write_fc_file(module, executable, pidfile, logfile, libfile)
if __name__ == '__main__':
def usage(message = ""):
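Review bot: `gen_policy` calls `write_te_file(module, pidfile, logfile, libfile, initsc, network)` positionally, but the signature added in the previous hunk is `write_te_file(module, pidfile, logfile, libfile, network, initsc)`, so the two flags are swapped: answering 'y' to the init-script question emits the broad `te_network2` rules (all ports, all nodes) and answering 'y' to the network question emits only the init-script rules. Pass them by keyword, `write_te_file(module, pidfile, logfile, libfile, network=network, initsc=initsc)`, as the `__main__` block already does for `gen_policy`. In `write_fc_file` the user-supplied pidfile/logfile/libfile paths also go through `re.sub` as replacement strings, so a backslash in a path is interpreted rather than copied; `temp.replace("FILENAME", pidfile)` avoids that, and because .fc entries are themselves regexes, a path holding metacharacters such as `+` or `(` should be escaped or the user warned. The `usage` definition at the bottom of the hunk continues outside it.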
@@ -127,6 +229,69 @@ if __name__ == '__main__':
if len(sys.argv) != 3:
usage()
- gen_policy(sys.argv[1], sys.argv[2])
+ print """\n
+This tool generate three files for policy development, A Type Enforcement (te)
+file, a File Context (fc), and a Interface File(if). Most of the policy rules
+will be written in the te file. Use the File Context file to associate file
+paths with security context. Use the interface rules to allow other protected
+domains to interact with the newly defined domains.
+
+After generating these files use the /usr/share/selinux/devel/Makefile to
+compile your policy package. Then use the semodule tool to load it.
+
+# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
+# make -f /usr/share/selinux/devel/Makefile
+# semodule -l myapp.pp
+# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
+
+Now you can turn on permissive mode, start your application and avc messages
+will be generated. You can use audit2allow to help translate the avc messages
+into policy.
+
+# setenforce 0
+# service myapp start
+# audit2allow -R -i /var/log/audit/audit.log
+
+Return to continue:"""
+ sys.stdin.readline().rstrip()
+
+ print 'If the module uses pidfiles, what is the pidfile called?'
+ pidfile = sys.stdin.readline().rstrip()
+ if pidfile == "":
+ pidfile = None
+ print 'If the module uses logfiles, where are they stored?'
+ logfile = sys.stdin.readline().rstrip()
+ if logfile == "":
+ logfile = None
+ print 'If the module has var/lib files, where are they stored?'
+ libfile = sys.stdin.readline().rstrip()
+ if libfile == "":
+ libfile = None
+ print 'Does the module have a init script? [yN]'
+ initsc = sys.stdin.readline().rstrip()
+ if initsc == "" or initsc == "n" or initsc == "N":
+ initsc = False
+ elif initsc == "y" or initsc == "Y":
+ initsc = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+ print 'Does the module use the network? [yN]'
+ network = sys.stdin.readline().rstrip()
+ if network == "" or network == "n" or network == "N":
+ network = False
+ elif network == "y" or network == "Y":
+ network = True
+ else:
+ raise "Please answer with 'y' or 'n'!"
+
+ gen_policy(
+ module=sys.argv[1],
+ executable=sys.argv[2],
+ pidfile=pidfile,
+ logfile=logfile,
+ libfile=libfile,
+ initsc=initsc,
+ network=network
+ )
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7e505e3..e3da84a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -9,8 +9,8 @@
%define CHECKPOLICYVER 1.29.4-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.21
-Release: 9
+Version: 2.2.22
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -293,20 +293,24 @@ ln -sf ../devel/include /usr/share/selinux/strict/include
%fileList strict
%changelog
+* Mon Feb 27 2006 Dan Walsh 2.2.22-1
+- Update to upstream
+- Merged my latest fixes
+- Fix cups policy to handle unix domain sockets
-* Sat Feb 26 2006 Dan Walsh 2.2.21-9
+* Sat Feb 25 2006 Dan Walsh 2.2.21-9
- NSCD socket is in nscd_var_run_t needs to be able to search dir
-* Fri Feb 23 2006 Dan Walsh 2.2.21-8
+* Fri Feb 24 2006 Dan Walsh 2.2.21-8
- Fixes Apache interface file
-* Fri Feb 23 2006 Dan Walsh 2.2.21-7
+* Fri Feb 24 2006 Dan Walsh 2.2.21-7
- Fixes for new version of cups
-* Fri Feb 23 2006 Dan Walsh 2.2.21-6
+* Fri Feb 24 2006 Dan Walsh 2.2.21-6
- Turn off polyinstatiate util after FC5
-* Fri Feb 23 2006 Dan Walsh 2.2.21-5
+* Fri Feb 24 2006 Dan Walsh 2.2.21-5
- Fix problem with privoxy talking to Tor
* Thu Feb 22 2006 Dan Walsh 2.2.21-4
diff --git a/sources b/sources
index 35efdaf..568badf 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-fe84e844d9a838bd87d4e80f381141cb serefpolicy-2.2.21.tgz
+298e1f669a1a0203eeffcc1a82b1a794 serefpolicy-2.2.22.tgz