semodule utils #392

d95bc8b
libselinux: migrating hashtab from policycoreutils
Mar 8, 2023
4a42050
libselinux: adapting hashtab to libselinux
Mar 8, 2023
2c7b71d
libselinux: performance optimization for duplicate detection
Mar 8, 2023
2d5f97b
checkpolicy: drop unused token CLONE
cgzones May 12, 2023
c646f39
checkpolicy: reject condition with bool and tunable in expression
cgzones May 12, 2023
00728e1
checkpolicy: only set declared permission bits for wildcards
cgzones May 12, 2023
f5d664e
libsepol: dump non-mls validatetrans rules as such
cgzones May 12, 2023
45a4fc7
libsepol: validate some object contexts
cgzones May 12, 2023
4cf3760
libsepol: validate old style range trans classes
cgzones May 12, 2023
ac015a3
libsepol: validate: check low category is not bigger than high
cgzones May 12, 2023
4ba8f7c
libsepol: validate: reject XEN policy with xperm rules
cgzones May 12, 2023
cae65d9
libsepol: expand: skip invalid cat
cgzones May 12, 2023
808a43a
libsepol: drop message for uncommon error cases
cgzones Jun 2, 2023
b041ecc
libsepol: drop duplicate newline in sepol_log_err() calls
cgzones Jun 2, 2023
5c35a7b
libsepol: replace sepol_log_err() by ERR()
cgzones Jun 2, 2023
30fe0f1
libsepol: replace log_err() by ERR()
cgzones Jun 2, 2023
5045368
dismod: add --help option
masatake May 31, 2023
5b1a2f1
dismod: delete an unnecessary empty line
masatake May 31, 2023
d1a9cdd
dismod: handle EOF in user interaction
masatake May 31, 2023
df0b192
dismod: add --actions option for non-interactive use
masatake May 31, 2023
e867c95
policycoreutils: Add examples to man pages
vmojzis Jun 1, 2023
0b1cb09
python/sepolicy: Improve man pages
vmojzis Jun 1, 2023
535dc24
sandbox: Add examples to man pages
vmojzis Jun 1, 2023
966de0c
checkpolicy: Add examples to man pages
vmojzis Jun 1, 2023
d596efb
libselinux: Add examples to man pages
vmojzis Jun 1, 2023
6360af7
sepolicy: clarify manual page of sepolicy interface
topimiettinen Jun 4, 2023
f78eea5
dispol: add --help option
masatake Jun 8, 2023
eeb0a75
dispol: delete an unnecessary empty line
masatake Jun 8, 2023
f8a076f
dispol: handle EOF in user interaction
masatake Jun 8, 2023
666a7df
dispol: add --actions option for non-interactive use
masatake Jun 8, 2023
391cf12
python/sepolicy: Fix template for confined user policy modules
vmojzis Jun 1, 2023
48306c4
python/sepolicy: Add/remove user even when SELinux is disabled
vmojzis May 29, 2023
55b75a2
libsepol: stop translating deprecated intial SIDs to strings
WOnder93 Jun 12, 2023
02e471f
libsepol: add support for the new "init" initial SID
WOnder93 Jun 12, 2023
b87724c
checkpolicy: add option to skip checking neverallow rules
cgzones May 12, 2023
4c06922
checkpolicy/dismod: misc improvements
cgzones May 12, 2023
6e077ba
dismod: print the policy version only in interactive mode
masatake Jun 14, 2023
b3788b9
dismod, dispol: reduce the messages in batch mode
masatake Jun 14, 2023
d8edd36
libselinux: add check for calloc in check_booleans
Jun 18, 2023
1a29c28
python/sepolicy: Fix get_os_version except clause
jefferyto Jun 19, 2023
1a78f40
semodule_expand: update
cgzones May 12, 2023
f258445
semodule_link: update
cgzones May 12, 2023
84f786b
semodule_package: update
cgzones May 12, 2023
7d5efdc
semodule_unpackage: update
cgzones May 12, 2023
dispol: add --actions option for non-interactive use
Example session:

    $ ./dispol --help
    Usage:
     ./dismod [OPTIONS] binary_pol_file

    Options:
     -h, --help              print this help message
     -a, --actions ACTIONS   run non-interactively

    Actions:
      1    display unconditional AVTAB
      2    display conditional AVTAB (entirely)
      3    display conditional AVTAB (only ENABLED rules)
      4    display conditional AVTAB (only DISABLED rules)
      5    display conditional bools
      6    display conditional expressions
      8    display role transitions
      c    display policy capabilities
      b    display booleans
      C    display classes
      r    display roles
      t    display types
      a    display type attributes
      p    display the list of permissive types
      u    display unknown handling setting
      F    display filename_trans rules

    $ ./dispol --actions 1 /etc/selinux/targeted/policy/policy.33  | head
    Reading policy...
    libsepol.policydb_index_others: security:  8 users, 15 roles, 5408 types, 358 bools
    libsepol.policydb_index_others: security: 1 sens, 1024 cats
    libsepol.policydb_index_others: security:  134 classes, 86750 rules, 8818 cond rules
    binary policy file loaded

    allow abrt_dump_oops_t sssd_var_lib_t : sock_file { write getattr append open };
    type_transition authconfig_t entropyd_initrc_exec_t : process initrc_t;
    type_transition glusterd_t syslogd_initrc_exec_t : process initrc_t;xxxx

Signed-off-by: Masatake YAMATO <[email protected]>
Acked-by: James Carter <[email protected]>
masatake authored and jwcart2 committed Jun 8, 2023
commit 666a7dfdc8d4524d83c9ca176d001c9e1540b118
121 changes: 86 additions & 35 deletions checkpolicy/test/dispol.c
Expand Up @@ -35,13 +35,58 @@

static policydb_t policydb;

static struct command {
enum {
EOL = 0,
HEADER = 1,
CMD = 1 << 1,
NOOPT = 1 << 2,
} meta;
char cmd;
const char *desc;
} commands[] = {
{HEADER, 0, "\nSelect a command:"},
{CMD, '1', "display unconditional AVTAB" },
{CMD, '2', "display conditional AVTAB (entirely)"},
{CMD, '3', "display conditional AVTAB (only ENABLED rules)"},
{CMD, '4', "display conditional AVTAB (only DISABLED rules)"},
{CMD, '5', "display conditional bools"},
{CMD, '6', "display conditional expressions"},
{CMD|NOOPT, '7', "change a boolean value"},
{CMD, '8', "display role transitions"},
{HEADER, 0, ""},
{CMD, 'c', "display policy capabilities"},
{CMD, 'b', "display booleans"},
{CMD, 'C', "display classes"},
{CMD, 'r', "display roles"},
{CMD, 't', "display types"},
{CMD, 'a', "display type attributes"},
{CMD, 'p', "display the list of permissive types"},
{CMD, 'u', "display unknown handling setting"},
{CMD, 'F', "display filename_trans rules"},
{HEADER, 0, ""},
{CMD|NOOPT, 'f', "set output file"},
{CMD|NOOPT, 'm', "display menu"},
{CMD|NOOPT, 'q', "quit"},
{EOL, 0, "" },
};

static __attribute__((__noreturn__)) void usage(const char *progname)
{
puts("Usage:");
printf(" %s [OPTIONS] binary_pol_file\n\n", progname);
puts("Options:");
puts(" -h, --help print this help message");
puts("\n");
puts(" -a, --actions ACTIONS run non-interactively");
puts("");
puts("Actions:");
for (unsigned int i = 0; commands[i].meta != EOL; i++) {
if (commands[i].meta == HEADER
|| commands[i].meta & NOOPT)
continue;
printf(" %c %s\n", commands[i].cmd, commands[i].desc);
}
puts("");
exit(1);
}

Expand Down Expand Up @@ -447,34 +492,20 @@ static void display_filename_trans(policydb_t *p, FILE *fp)

static int menu(void)
{
printf("\nSelect a command:\n");
printf("1) display unconditional AVTAB\n");
printf("2) display conditional AVTAB (entirely)\n");
printf("3) display conditional AVTAB (only ENABLED rules)\n");
printf("4) display conditional AVTAB (only DISABLED rules)\n");
printf("5) display conditional bools\n");
printf("6) display conditional expressions\n");
printf("7) change a boolean value\n");
printf("8) display role transitions\n");
printf("\n");
printf("c) display policy capabilities\n");
printf("b) display booleans\n");
printf("C) display classes\n");
printf("r) display roles\n");
printf("t) display types\n");
printf("a) display type attributes\n");
printf("p) display the list of permissive types\n");
printf("u) display unknown handling setting\n");
printf("F) display filename_trans rules\n");
printf("\n");
printf("f) set output file\n");
printf("m) display menu\n");
printf("q) quit\n");
unsigned int i;
for (i = 0; commands[i].meta != EOL; i++) {
if (commands[i].meta == HEADER)
printf("%s\n", commands[i].desc);
else if (commands[i].meta & CMD)
printf("%c) %s\n", commands[i].cmd, commands[i].desc);
}
return 0;
}

int main(int argc, char **argv)
{
char *ops = NULL;
char *bpol;
FILE *out_fp = stdout;
char ans[81], OutfileName[121];
int fd, ret;
Expand All @@ -487,22 +518,35 @@ int main(int argc, char **argv)
if (argc < 2 || strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0)
usage(argv[0]);

fd = open(argv[1], O_RDONLY);
bpol = argv[1];
if (strcmp (bpol, "--actions") == 0 || strcmp (bpol, "-a") == 0) {
if (argc != 4) {
fprintf(stderr, "%s: unexpected number of arguments\n", argv[0]);
usage(argv[0]);
}
ops = argv[2];
bpol = argv[3];
} else if (bpol[0] == '-') {
fprintf(stderr, "%s: unknown option: %s\n", argv[0], bpol);
usage(argv[0]);
}

fd = open(bpol, O_RDONLY);
if (fd < 0) {
fprintf(stderr, "Can't open '%s': %s\n",
argv[1], strerror(errno));
bpol, strerror(errno));
exit(1);
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr, "Can't stat '%s': %s\n",
argv[1], strerror(errno));
bpol, strerror(errno));
exit(1);
}
map =
mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr, "Can't map '%s': %s\n",
argv[1], strerror(errno));
bpol, strerror(errno));
exit(1);
}

Expand All @@ -527,15 +571,22 @@ int main(int argc, char **argv)
fprintf(stdout, "binary policy file loaded\n\n");
close(fd);

menu();
if (!ops)
menu();
for (;;) {
printf("\nCommand (\'m\' for menu): ");
if (fgets(ans, sizeof(ans), stdin) == NULL) {
if (feof(stdin))
break;
fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
if (ops) {
puts("");
ans[0] = *ops? *ops++: 'q';
ans[1] = '\0';
} else {
printf("\nCommand (\'m\' for menu): ");
if (fgets(ans, sizeof(ans), stdin) == NULL) {
if (feof(stdin))
break;
fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,
strerror(errno));
continue;
continue;
}
}
switch (ans[0]) {

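Review bot: The ACTIONS string taken from argv[2] in the third hunk is never validated before it is fed one character at a time into the `switch (ans[0])` loop, so characters for the NOOPT commands that `usage()` deliberately hides ('7', 'f', 'm', 'q') and unknown characters are dispatched exactly like interactive input; the switch body and the prompts those commands issue are outside the hunk, but if '7' or 'f' still read from stdin there, a non-interactive run will block or consume whatever is piped in, and a typo in ACTIONS presumably just prints an error and continues with exit status 0. I would validate `ops` against `commands[]` right after option parsing, rejecting anything that is not a `CMD` entry or that carries `NOOPT`, as below. Two smaller points in the same hunks: `strcmp (bpol, "--actions")` uses a space before the parenthesis unlike the `strcmp(argv[1], "-h")` call just above it, and `usage()` still ends with `exit(1)`, so a scripted `dispol --help` (the very use case this commit enables) reports failure. main() continues outside the hunk.
```c
	/* … unchanged: --actions / -a option parsing … */
	if (ops) {
		for (const char *a = ops; *a; a++) {
			unsigned int i;
			for (i = 0; commands[i].meta != EOL; i++) {
				if ((commands[i].meta & CMD) && commands[i].cmd == *a)
					break;
			}
			if (commands[i].meta == EOL || (commands[i].meta & NOOPT)) {
				fprintf(stderr, "%s: invalid action: %c\n", argv[0], *a);
				usage(argv[0]);
			}
		}
	}

	fd = open(bpol, O_RDONLY);
	/* … unchanged: open/fstat/mmap error handling … */
```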