* [PATCH] Suppress rule generation for dontaudit rules
@ 2007-08-15 14:15 Karl MacMillan
2007-08-16 18:45 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Karl MacMillan @ 2007-08-15 14:15 UTC (permalink / raw)
To: selinux
The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
---
diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
--- a/sepolgen/src/sepolgen/policygen.py Thu Jun 07 08:08:31 2007 -0400
+++ b/sepolgen/src/sepolgen/policygen.py Wed Aug 15 10:13:28 2007 -0400
@@ -139,6 +139,8 @@ class PolicyGenerator:
def __add_allow_rules(self, avs):
for av in avs:
+ if not av.denial:
+ continue
rule = refpolicy.AVRule(av)
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Suppress rule generation for dontaudit rules
2007-08-15 14:15 [PATCH] Suppress rule generation for dontaudit rules Karl MacMillan
@ 2007-08-16 18:45 ` Stephen Smalley
2007-08-16 19:23 ` Joshua Brindle
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2007-08-16 18:45 UTC (permalink / raw)
To: Karl MacMillan; +Cc: selinux, Joshua Brindle
On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
>
> Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
> ---
>
> diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
> --- a/sepolgen/src/sepolgen/policygen.py Thu Jun 07 08:08:31 2007 -0400
> +++ b/sepolgen/src/sepolgen/policygen.py Wed Aug 15 10:13:28 2007 -0400
> @@ -139,6 +139,8 @@ class PolicyGenerator:
>
> def __add_allow_rules(self, avs):
> for av in avs:
> + if not av.denial:
> + continue
> rule = refpolicy.AVRule(av)
> if self.explain:
> rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Suppress rule generation for dontaudit rules
2007-08-16 18:45 ` Stephen Smalley
@ 2007-08-16 19:23 ` Joshua Brindle
2007-08-23 13:22 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Joshua Brindle @ 2007-08-16 19:23 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Karl MacMillan, selinux
Stephen Smalley wrote:
> On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
>
>> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
>>
>> Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
>> ---
>>
>> diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
>> --- a/sepolgen/src/sepolgen/policygen.py Thu Jun 07 08:08:31 2007 -0400
>> +++ b/sepolgen/src/sepolgen/policygen.py Wed Aug 15 10:13:28 2007 -0400
>> @@ -139,6 +139,8 @@ class PolicyGenerator:
>>
>> def __add_allow_rules(self, avs):
>> for av in avs:
>> + if not av.denial:
>> + continue
>> rule = refpolicy.AVRule(av)
>> if self.explain:
>> rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
>>
>>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
Merged into 1.0.9
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Suppress rule generation for dontaudit rules
2007-08-16 19:23 ` Joshua Brindle
@ 2007-08-23 13:22 ` Stephen Smalley
2007-08-24 16:00 ` Karl MacMillan
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2007-08-23 13:22 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Karl MacMillan, selinux
On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> >
> >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> >>
> >> Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
> >> ---
> >>
> >> diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
> >> --- a/sepolgen/src/sepolgen/policygen.py Thu Jun 07 08:08:31 2007 -0400
> >> +++ b/sepolgen/src/sepolgen/policygen.py Wed Aug 15 10:13:28 2007 -0400
> >> @@ -139,6 +139,8 @@ class PolicyGenerator:
> >>
> >> def __add_allow_rules(self, avs):
> >> for av in avs:
> >> + if not av.denial:
> >> + continue
> >> rule = refpolicy.AVRule(av)
> >> if self.explain:
> >> rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
> >>
> >>
> >
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> >
>
> Merged into 1.0.9
Reverted. Didn't work.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Suppress rule generation for dontaudit rules
2007-08-23 13:22 ` Stephen Smalley
@ 2007-08-24 16:00 ` Karl MacMillan
2007-08-29 12:30 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Karl MacMillan @ 2007-08-24 16:00 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Joshua Brindle, selinux
On Thu, 2007-08-23 at 09:22 -0400, Stephen Smalley wrote:
> On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> > Stephen Smalley wrote:
> > > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> > >
> > >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> > >>
[...]
> >
> > Merged into 1.0.9
>
> Reverted. Didn't work.
>
That's because it was wildly wrong - I thought I tested that, but I
guess not. Correct patch below:
diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
--- a/sepolgen/src/sepolgen/audit.py Wed Aug 22 15:55:24 2007 -0400
+++ b/sepolgen/src/sepolgen/audit.py Thu Aug 23 15:11:09 2007 -0400
@@ -421,6 +421,8 @@ class AuditParser:
"""
av_set = access.AccessVectorSet()
for avc in self.avc_msgs:
+ if avc.denial == True:
+ continue
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Suppress rule generation for dontaudit rules
2007-08-24 16:00 ` Karl MacMillan
@ 2007-08-29 12:30 ` Stephen Smalley
2007-09-03 16:18 ` Karl MacMillan
0 siblings, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2007-08-29 12:30 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Joshua Brindle, selinux
On Fri, 2007-08-24 at 12:00 -0400, Karl MacMillan wrote:
> On Thu, 2007-08-23 at 09:22 -0400, Stephen Smalley wrote:
> > On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> > > Stephen Smalley wrote:
> > > > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> > > >
> > > >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> > > >>
> [...]
> > >
> > > Merged into 1.0.9
> >
> > Reverted. Didn't work.
> >
>
> That's because it was wildly wrong - I thought I tested that, but I
> guess not. Correct patch below:
>
>
> diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
> --- a/sepolgen/src/sepolgen/audit.py Wed Aug 22 15:55:24 2007 -0400
> +++ b/sepolgen/src/sepolgen/audit.py Thu Aug 23 15:11:09 2007 -0400
> @@ -421,6 +421,8 @@ class AuditParser:
> """
> av_set = access.AccessVectorSet()
> for avc in self.avc_msgs:
> + if avc.denial == True:
> + continue
> if avc_filter:
> if avc_filter.filter(avc):
> av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
>
> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
Causes all avc messages to be discarded, yielding no output from
audit2allow -a (with a number of avc messages in audit.log). NAK.
Third time's the charm?
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] Suppress rule generation for dontaudit rules
2007-08-29 12:30 ` Stephen Smalley
@ 2007-09-03 16:18 ` Karl MacMillan
0 siblings, 0 replies; 7+ messages in thread
From: Karl MacMillan @ 2007-09-03 16:18 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Joshua Brindle, selinux
On Wed, 2007-08-29 at 08:30 -0400, Stephen Smalley wrote:
> On Fri, 2007-08-24 at 12:00 -0400, Karl MacMillan wrote:
> > On Thu, 2007-08-23 at 09:22 -0400, Stephen Smalley wrote:
> > > On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> > > > Stephen Smalley wrote:
> > > > > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> > > > >
> > > > >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> > > > >>
> > [...]
> > > >
> > > > Merged into 1.0.9
> > >
> > > Reverted. Didn't work.
> > >
> >
> > That's because it was wildly wrong - I thought I tested that, but I
> > guess not. Correct patch below:
> >
> >
> > diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
> > --- a/sepolgen/src/sepolgen/audit.py Wed Aug 22 15:55:24 2007 -0400
> > +++ b/sepolgen/src/sepolgen/audit.py Thu Aug 23 15:11:09 2007 -0400
> > @@ -421,6 +421,8 @@ class AuditParser:
> > """
> > av_set = access.AccessVectorSet()
> > for avc in self.avc_msgs:
> > + if avc.denial == True:
> > + continue
> > if avc_filter:
> > if avc_filter.filter(avc):
> > av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
> >
> > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
> Causes all avc messages to be discarded, yielding no output from
> audit2allow -a (with a number of avc messages in audit.log). NAK.
> Third time's the charm?
>
We can hope - this version includes a test. If this isn't right someone
else will have to fix this bug.
Suppress rule generation for dontaudit rules.
The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
--- a/sepolgen/src/sepolgen/audit.py Wed Aug 22 15:55:24 2007 -0400
+++ b/sepolgen/src/sepolgen/audit.py Wed Aug 29 16:01:09 2007 -0400
@@ -402,7 +402,7 @@ class AuditParser:
self.__parse(l)
self.__post_process()
- def to_access(self, avc_filter=None):
+ def to_access(self, avc_filter=None, only_denials=True):
"""Convert the audit logs access into a an access vector set.
Convert the audit logs into an access vector set, optionally
@@ -421,6 +421,8 @@ class AuditParser:
"""
av_set = access.AccessVectorSet()
for avc in self.avc_msgs:
+ if avc.denial != True and only_denials:
+ continue
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
diff -r e962f4f773fc sepolgen/tests/test_audit.py
--- a/sepolgen/tests/test_audit.py Wed Aug 22 15:55:24 2007 -0400
+++ b/sepolgen/tests/test_audit.py Mon Sep 03 11:49:09 2007 -0400
@@ -46,6 +46,8 @@ type=AVC_PATH msg=audit(1162850461.778:1
type=AVC_PATH msg=audit(1162850461.778:1113): path="/etc/rc.d/init.d/innd"
"""
+granted1 = """type=AVC msg=audit(1188833848.190:34): avc: granted { getattr } for pid=4310 comm="ls" name="foo.pp" dev=sda5 ino=295171 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file"""
+
path1 = """type=AVC_PATH msg=audit(1162852201.019:1225): path="/usr/lib/sa/sa1"
"""
@@ -62,6 +64,26 @@ class TestAVCMessage(unittest.TestCase):
self.assertEquals(avc.tcontext, sc)
self.assertEquals(avc.tclass, "")
self.assertEquals(avc.accesses, [])
+
+ def test_granted(self):
+ avc = sepolgen.audit.AVCMessage(granted1)
+ avc.from_split_string(granted1.split())
+
+ self.assertEquals(avc.scontext.user, "user_u")
+ self.assertEquals(avc.scontext.role, "system_r")
+ self.assertEquals(avc.scontext.type, "unconfined_t")
+ self.assertEquals(avc.scontext.level, "s0")
+
+ self.assertEquals(avc.tcontext.user, "user_u")
+ self.assertEquals(avc.tcontext.role, "object_r")
+ self.assertEquals(avc.tcontext.type, "user_home_t")
+ self.assertEquals(avc.tcontext.level, "s0")
+
+ self.assertEquals(avc.tclass, "file")
+ self.assertEquals(avc.accesses, ["getattr"])
+
+ self.assertEquals(avc.denial, False)
+
def test_from_split_string(self):
# syslog message
@@ -148,4 +170,23 @@ class TestAuditParser(unittest.TestCase)
self.assertEquals(len(a.compute_sid_msgs), 0)
self.assertEquals(len(a.invalid_msgs), 0)
self.assertEquals(len(a.policy_load_msgs), 0)
+
+class TestGeneration(unittest.TestCase):
+ def test_generation(self):
+ parser = sepolgen.audit.AuditParser()
+ parser.parse_string(log1)
+ avs = parser.to_access()
+
+ self.assertEqual(len(avs), 1)
+
+ def test_genaration_granted(self):
+ parser = sepolgen.audit.AuditParser()
+ parser.parse_string(granted1)
+ avs = parser.to_access()
+
+ self.assertEqual(len(avs), 0)
+ avs = parser.to_access(only_denials=False)
+
+ self.assertEqual(len(avs), 1)
+
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2007-09-03 16:18 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-08-15 14:15 [PATCH] Suppress rule generation for dontaudit rules Karl MacMillan
2007-08-16 18:45 ` Stephen Smalley
2007-08-16 19:23 ` Joshua Brindle
2007-08-23 13:22 ` Stephen Smalley
2007-08-24 16:00 ` Karl MacMillan
2007-08-29 12:30 ` Stephen Smalley
2007-09-03 16:18 ` Karl MacMillan
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.