From 97bd46865e12246c00517d1e07aabca530a305ac Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 17 Jun 2020 13:34:19 +0200
Subject: [PATCH] Support old boolean names in policy queries
Translate old boolean names based on /etc/selinux/*/booleans.subs_dist
file. The translation is only attempted when "policy" was not specified
to avoid influencing queries of policies from other systems.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
seinfo | 6 +++++-
sesearch | 7 ++++++-
setools/policyrep/selinux.pxd | 1 +
setools/policyrep/util.pxi | 22 ++++++++++++++++++++++
4 files changed, 34 insertions(+), 2 deletions(-)
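--- a/seinfo
+++ b/seinfo
@@ -125,7 +125,11 @@ try:
 if args.boolquery or args.all:
 q = setools.BoolQuery(p)
 if isinstance(args.boolquery, str):
- q.name = args.boolquery
+ if args.policy:
+ q.name = args.boolquery
+ else:
+ # try to find substitutions for old boolean names
+ q.name = setools.policyrep.lookup_boolean_name_sub(args.boolquery)
 
 components.append(("Booleans", q, lambda x: x.statement()))
 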
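Review bot: The new comment in the `else:` branch does not say why translation is skipped when `args.policy` is set, and that condition is the part a later maintainer must not loosen: per the commit message, booleans.subs_dist describes the local system and should not influence a query against a policy taken from another one. I would expand it to `# no policy path given, so the running system's policy is queried and its booleans.subs_dist applies; an explicit policy may come from another system and is matched by exact name`. The substitution is also silent, so a user who asks for one name gets a statement printed under another; a line in the option's help text would make that visible. The enclosing `try:` block starts and ends outside the hunk.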
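--- a/sesearch
+++ b/sesearch
@@ -189,7 +189,12 @@ try:
 if args.boolean_regex:
 q.boolean = args.boolean
 else:
- q.boolean = args.boolean.split(",")
+ if args.policy:
+ q.boolean = args.boolean.split(",")
+ else:
+ # try to find substitutions for old boolean names
+ q.boolean = map(setools.policyrep.lookup_boolean_name_sub,
+ args.boolean.split(","))
 
 for r in sorted(q.results()):
 print(r)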
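Review bot: In the new inner `else:` branch `q.boolean` is assigned a lazy `map` object, while the `if args.policy:` branch assigns a list, so the two paths hand the query different types. Any exception from `lookup_boolean_name_sub` is then raised wherever the iterator is first consumed rather than at this line. Whether the `boolean` setter iterates its value more than once is not visible in this hunk; a list removes the question: `q.boolean = [setools.policyrep.lookup_boolean_name_sub(b) for b in args.boolean.split(",")]`. The enclosing `try:` block starts outside the hunk.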
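--- a/setools/policyrep/selinux.pxd
+++ b/setools/policyrep/selinux.pxd
@@ -24,3 +24,4 @@ cdef extern from "<selinux/selinux.h>":
 bint selinuxfs_exists()
 const char* selinux_current_policy_path()
 const char* selinux_binary_policy_path()
+ char* selinux_boolean_sub(const char *boolean_name);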
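Review bot: The added declaration does not record that the returned `char*` is heap-allocated and owned by the caller, which is what the `free(_name)` in util.pxi in this same patch relies on. A one-line comment above it, `# returns a malloc'd string; the caller must free() it`, would keep a future caller from leaking the buffer or freeing it twice. The line also ends in a `;` and spaces the pointer differently from the three declarations above it.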
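--- a/setools/policyrep/util.pxi
+++ b/setools/policyrep/util.pxi
@@ -230,3 +230,25 @@ cdef flatten_list(input_list):
 ret.append(i)
 
 return ret
+
+
+def lookup_boolean_name_sub(name):
+ """
+ Read the /etc/selinux/TYPE/booleans.subs_dist file looking
+ for a record with 'name'.
+ Return the translated name if a corresponding substitution exists,
+ otherwise return the original name.
+ """
+ cdef:
+ char *_name = selinux.selinux_boolean_sub(name)
+ str new_name = name
+
+ if _name == NULL:
+ raise MemoryError
+ # cast "char *" to "str" and free
+ try:
+ new_name = _name
+ finally:
+ free(_name)
+
+ return new_name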
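Review bot: In `lookup_boolean_name_sub` the initialiser `str new_name = name` runs after `selinux_boolean_sub()` has already allocated `_name` and before the `try:`/`finally:` that frees it, so a `name` that passes the `char *` coercion but fails the `str` type check would raise with the buffer leaked. Declaring it as `str new_name` with no initialiser closes that path, since the variable is always assigned inside the `try:` before it is returned. `raise MemoryError` treats every NULL return as an allocation failure, which looks like an assumption about libselinux and deserves a comment saying so. The docstring should also state that the lookup reads the running system's configuration, so code analysing a policy from another system should not call it.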
--
2.25.4