
[2/2] sepolgen: sort extended rules like normal ones

Message ID 20200819150534.18026-2-cgzones@googlemail.com (mailing list archive)
State Superseded
Series [1/2] sepolgen: print extended permissions in hexadecimal | expand

Commit Message

Christian Göttsche Aug. 19, 2020, 3:05 p.m. UTC
Currently:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

Changed:

    #============= sshd_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t ptmx_t:chr_file ioctl;
    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t sshd_devpts_t:chr_file ioctl;
    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow sshd_t user_devpts_t:chr_file ioctl;
    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };

    #============= user_t ==============

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t devtty_t:chr_file ioctl;
    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;

    #!!!! This avc is allowed in the current policy
    #!!!! This av rule may have been overridden by an extended permission av rule
    allow user_t user_devpts_t:chr_file ioctl;
    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 python/sepolgen/src/sepolgen/output.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Stephen Smalley Aug. 24, 2020, 1:46 p.m. UTC | #1
On Wed, Aug 19, 2020 at 11:07 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Currently:
>
>     #============= sshd_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t ptmx_t:chr_file ioctl;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t sshd_devpts_t:chr_file ioctl;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t user_devpts_t:chr_file ioctl;
>
>     #============= user_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t devtty_t:chr_file ioctl;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t user_devpts_t:chr_file ioctl;
>     allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
>     allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
>     allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
>     allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
>     allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
>
> Changed:
>
>     #============= sshd_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t ptmx_t:chr_file ioctl;
>     allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t sshd_devpts_t:chr_file ioctl;
>     allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow sshd_t user_devpts_t:chr_file ioctl;
>     allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
>
>     #============= user_t ==============
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t devtty_t:chr_file ioctl;
>     allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
>
>     #!!!! This avc is allowed in the current policy
>     #!!!! This av rule may have been overridden by an extended permission av rule
>     allow user_t user_devpts_t:chr_file ioctl;
>     allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Stephen Smalley Aug. 26, 2020, 6:23 p.m. UTC | #2
On Mon, Aug 24, 2020 at 9:46 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Aug 19, 2020 at 11:07 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Currently:
> >
> >     #============= sshd_t ==============
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow sshd_t ptmx_t:chr_file ioctl;
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow sshd_t sshd_devpts_t:chr_file ioctl;
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow sshd_t user_devpts_t:chr_file ioctl;
> >
> >     #============= user_t ==============
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow user_t devtty_t:chr_file ioctl;
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow user_t user_devpts_t:chr_file ioctl;
> >     allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
> >     allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
> >     allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
> >     allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
> >     allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
> >
> > Changed:
> >
> >     #============= sshd_t ==============
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow sshd_t ptmx_t:chr_file ioctl;
> >     allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow sshd_t sshd_devpts_t:chr_file ioctl;
> >     allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow sshd_t user_devpts_t:chr_file ioctl;
> >     allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
> >
> >     #============= user_t ==============
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow user_t devtty_t:chr_file ioctl;
> >     allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
> >
> >     #!!!! This avc is allowed in the current policy
> >     #!!!! This av rule may have been overridden by an extended permission av rule
> >     allow user_t user_devpts_t:chr_file ioctl;
> >     allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Both applied.

Patch

diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
index 3a21b64c..aeeaafc8 100644
--- a/python/sepolgen/src/sepolgen/output.py
+++ b/python/sepolgen/src/sepolgen/output.py
@@ -84,7 +84,7 @@  def avrule_cmp(a, b):
         return ret
 
     # At this point, who cares - just return something
-    return cmp(len(a.perms), len(b.perms))
+    return 0
 
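Review bot: With the new `return 0` fallback in avrule_cmp, an `allow` rule and the `allowxperm` rule for the same source, target and class compare as equal, so their relative order in the output appears to rest on two things the code does not state: `list.sort` being stable, and sort_filter appending `node.avrules()` before `node.avextrules()` (the third hunk). That invariant should be written down next to the fallback, e.g. `# Equal: the stable sort keeps an allow rule ahead of the allowxperm rule that sort_filter appends after it`, so a later reordering of the extend calls does not silently change the rendered policy. The removed line also called the Python 2 builtin `cmp()`, which does not exist in Python 3, so reaching it would presumably have raised NameError; returning 0 removes that hazard as well. The head of avrule_cmp is outside the hunk, so I cannot see which attributes are compared before this point or whether any of them assumes an attribute that AVExtRule lacks.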
 # Compare two interface calls
 def ifcall_cmp(a, b):
@@ -100,7 +100,7 @@  def rule_cmp(a, b):
         else:
             return id_set_cmp([a.args[0]], b.src_types)
     else:
-        if isinstance(b, refpolicy.AVRule):
+        if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
             return avrule_cmp(a,b)
         else:
             return id_set_cmp(a.src_types, [b.args[0]])
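Review bot: The widened test `isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule)` is better expressed with the tuple form isinstance accepts, `if isinstance(b, (refpolicy.AVRule, refpolicy.AVExtRule)):`, which also makes it obvious that the two classes are treated identically here. The outer `if` of rule_cmp that classifies `a` is outside the hunk, so I cannot confirm the branch structure is symmetric for an AVExtRule passed as `a`; if it is, a one-line comment on this `else` such as `# a is an AV or extended AV rule` would help readers. rule_cmp starts before the hunk.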
@@ -130,6 +130,7 @@  def sort_filter(module):
         # we assume is the first argument for interfaces).
         rules = []
         rules.extend(node.avrules())
+        rules.extend(node.avextrules())
         rules.extend(node.interface_calls())
         rules.sort(key=util.cmp_to_key(rule_cmp))