From patchwork Thu May 28 12:51:26 2020
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH v2 1/3] sepolgen: parse gen_tunable as bool
Date: Thu, 28 May 2020 14:51:26 +0200
Message-Id: <20200528125128.26915-1-cgzones@googlemail.com>

Currently sepolgen-ifgen parses a gen_tunable statement as interface
and reports in verbose mode:

    Missing interface definition for gen_tunable

Add grammar for gen_tunable statements in the refparser

Signed-off-by: Christian Göttsche
Acked-by: Stephen Smalley
---
 python/sepolgen/src/sepolgen/refparser.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py index 2e521a0f..f3e0ae87 100644 --- a/python/sepolgen/src/sepolgen/refparser.py +++ b/python/sepolgen/src/sepolgen/refparser.py @@ -126,6 +126,7 @@ tokens = ( 'GEN_REQ', 'TEMPLATE', 'GEN_CONTEXT', + 'GEN_TUNABLE', # m4 'IFELSE', 'IFDEF', @@ -192,6 +193,7 @@ reserved = { 'gen_require' : 'GEN_REQ', 'template' : 'TEMPLATE', 'gen_context' : 'GEN_CONTEXT', + 'gen_tunable' : 'GEN_TUNABLE', # M4 'ifelse' : 'IFELSE', 'ifndef' : 'IFNDEF', @@ -518,6 +520,7 @@ def p_policy_stmt(p): | range_transition_def | role_transition_def | bool + | gen_tunable | define | initial_sid | genfscon 
@@ -844,6 +847,17 @@ def p_bool(p): b.state = False p[0] = b +def p_gen_tunable(p): + '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN''' + b = refpolicy.Bool() + b.name = p[4] + if p[7] == "true": + b.state = True + else: + b.state = False + p[0] = b + def p_conditional(p): ''' conditional : IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE | IF OPAREN cond_expr CPAREN OBRACE interface_stmts CBRACE ELSE OBRACE interface_stmts CBRACE

From patchwork Thu May 28 12:51:27 2020
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH v2 2/3] refparser: add missing newline after error message
Date: Thu, 28 May 2020 14:51:27 +0200
Message-Id: <20200528125128.26915-2-cgzones@googlemail.com>
In-Reply-To: <20200528125128.26915-1-cgzones@googlemail.com>

Signed-off-by: Christian Göttsche
Acked-by: Stephen Smalley
---
 python/sepolgen/src/sepolgen/refparser.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py index f3e0ae87..9f850990 100644 --- a/python/sepolgen/src/sepolgen/refparser.py +++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -1148,6 +1148,6 @@ def parse_headers(root, output=None, expand=True, debug=False): status.step() if len(failures): - o("failed to parse some headers: %s" % ", ".join(failures)) + o("failed to parse some headers: %s\n" % ", ".join(failures)) return headers

From patchwork Thu May 28 12:51:28 2020
From: Christian Göttsche
To: selinux@vger.kernel.org
Subject: [PATCH v2 3/3] sepolgen-ifgen: refactor default policy path retrieval
Date: Thu, 28 May 2020 14:51:28 +0200
Message-Id: <20200528125128.26915-3-cgzones@googlemail.com>
In-Reply-To: <20200528125128.26915-1-cgzones@googlemail.com>

On a SELinux disabled system `selinux.security_policyvers()` will fail;
do not bail out but use a fallback policy version to check if a binary
policy file with that extension exists.

Signed-off-by: Christian Göttsche
---
 python/audit2allow/sepolgen-ifgen | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen index 4a71cda4..48e60f1d 100644 --- a/python/audit2allow/sepolgen-ifgen +++ b/python/audit2allow/sepolgen-ifgen @@ -69,7 +69,11 @@ def get_policy(): p = selinux.selinux_current_policy_path() if p and os.path.exists(p): return p - i = selinux.security_policyvers() + try: + i = selinux.security_policyvers() + except OSError: + # SELinux Disabled Machine + i = 50 # some high enough default value p = selinux.selinux_binary_policy_path() + "." + str(i) while i > 0 and not os.path.exists(p): i = i - 1
@@ -80,18 +84,16 @@ def get_policy(): def get_attrs(policy_path, attr_helper): + if not policy_path: + policy_path = get_policy() + if not policy_path: + sys.stderr.write("No installed policy to check\n") + return None + try: - if not policy_path: - policy_path = get_policy() - if not policy_path: - sys.stderr.write("No installed policy to check\n") - return None outfile = tempfile.NamedTemporaryFile() except IOError as e: - sys.stderr.write("could not open attribute output file\n") - return None - except OSError: - # SELinux Disabled Machine + sys.stderr.write("could not open attribute output file: %s\n" % e) return None fd = open("/dev/null", "w")