[PATCH] Suppress rule generation for dontaudit rules

[PATCH] Suppress rule generation for dontaudit rules

[Karl MacMillan]

The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.

Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
---

diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
--- a/sepolgen/src/sepolgen/policygen.py	Thu Jun 07 08:08:31 2007 -0400
+++ b/sepolgen/src/sepolgen/policygen.py	Wed Aug 15 10:13:28 2007 -0400
@@ -139,6 +139,8 @@ class PolicyGenerator:
 
     def __add_allow_rules(self, avs):
         for av in avs:
+            if not av.denial:
+                continue
             rule = refpolicy.AVRule(av)
             if self.explain:
                 rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] Suppress rule generation for dontaudit rules

[Stephen Smalley]

On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> 
> Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
> ---
> 
> diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
> --- a/sepolgen/src/sepolgen/policygen.py	Thu Jun 07 08:08:31 2007 -0400
> +++ b/sepolgen/src/sepolgen/policygen.py	Wed Aug 15 10:13:28 2007 -0400
> @@ -139,6 +139,8 @@ class PolicyGenerator:
>  
>      def __add_allow_rules(self, avs):
>          for av in avs:
> +            if not av.denial:
> +                continue
>              rule = refpolicy.AVRule(av)
>              if self.explain:
>                  rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
> 

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] Suppress rule generation for dontaudit rules

[Joshua Brindle]

Stephen Smalley wrote:
> On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
>   
>> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
>>
>> Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
>> ---
>>
>> diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
>> --- a/sepolgen/src/sepolgen/policygen.py	Thu Jun 07 08:08:31 2007 -0400
>> +++ b/sepolgen/src/sepolgen/policygen.py	Wed Aug 15 10:13:28 2007 -0400
>> @@ -139,6 +139,8 @@ class PolicyGenerator:
>>  
>>      def __add_allow_rules(self, avs):
>>          for av in avs:
>> +            if not av.denial:
>> +                continue
>>              rule = refpolicy.AVRule(av)
>>              if self.explain:
>>                  rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
>>
>>     
>
> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
>   

Merged into 1.0.9


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] Suppress rule generation for dontaudit rules

[Stephen Smalley]

On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> >   
> >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> >>
> >> Signed-off-by: User "Karl MacMillan <kmacmillan@mentalrootkit.com>"
> >> ---
> >>
> >> diff -r 56dbe9166d98 -r 2ad2d21fc724 sepolgen/src/sepolgen/policygen.py
> >> --- a/sepolgen/src/sepolgen/policygen.py	Thu Jun 07 08:08:31 2007 -0400
> >> +++ b/sepolgen/src/sepolgen/policygen.py	Wed Aug 15 10:13:28 2007 -0400
> >> @@ -139,6 +139,8 @@ class PolicyGenerator:
> >>  
> >>      def __add_allow_rules(self, avs):
> >>          for av in avs:
> >> +            if not av.denial:
> >> +                continue
> >>              rule = refpolicy.AVRule(av)
> >>              if self.explain:
> >>                  rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
> >>
> >>     
> >
> > Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> >   
> 
> Merged into 1.0.9

Reverted.  Didn't work.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] Suppress rule generation for dontaudit rules

[Karl MacMillan]

On Thu, 2007-08-23 at 09:22 -0400, Stephen Smalley wrote:
> On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> > Stephen Smalley wrote:
> > > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> > >   
> > >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> > >>
[...]
> > 
> > Merged into 1.0.9
> 
> Reverted.  Didn't work.
> 

That's because it was wildly wrong - I thought I tested that, but I
guess not. Correct patch below:


diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
--- a/sepolgen/src/sepolgen/audit.py	Wed Aug 22 15:55:24 2007 -0400
+++ b/sepolgen/src/sepolgen/audit.py	Thu Aug 23 15:11:09 2007 -0400
@@ -421,6 +421,8 @@ class AuditParser:
         """
         av_set = access.AccessVectorSet()
         for avc in self.avc_msgs:
+            if avc.denial == True:
+                continue
             if avc_filter:
                 if avc_filter.filter(avc):
                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,

Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] Suppress rule generation for dontaudit rules

[Stephen Smalley]

On Fri, 2007-08-24 at 12:00 -0400, Karl MacMillan wrote:
> On Thu, 2007-08-23 at 09:22 -0400, Stephen Smalley wrote:
> > On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> > > Stephen Smalley wrote:
> > > > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> > > >   
> > > >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> > > >>
> [...]
> > > 
> > > Merged into 1.0.9
> > 
> > Reverted.  Didn't work.
> > 
> 
> That's because it was wildly wrong - I thought I tested that, but I
> guess not. Correct patch below:
> 
> 
> diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
> --- a/sepolgen/src/sepolgen/audit.py	Wed Aug 22 15:55:24 2007 -0400
> +++ b/sepolgen/src/sepolgen/audit.py	Thu Aug 23 15:11:09 2007 -0400
> @@ -421,6 +421,8 @@ class AuditParser:
>          """
>          av_set = access.AccessVectorSet()
>          for avc in self.avc_msgs:
> +            if avc.denial == True:
> +                continue
>              if avc_filter:
>                  if avc_filter.filter(avc):
>                      av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
> 
> Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>

Causes all avc messages to be discarded, yielding no output from
audit2allow -a (with a number of avc messages in audit.log).  NAK.
Third time's the charm?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] Suppress rule generation for dontaudit rules

[Karl MacMillan]

On Wed, 2007-08-29 at 08:30 -0400, Stephen Smalley wrote:
> On Fri, 2007-08-24 at 12:00 -0400, Karl MacMillan wrote:
> > On Thu, 2007-08-23 at 09:22 -0400, Stephen Smalley wrote:
> > > On Thu, 2007-08-16 at 15:23 -0400, Joshua Brindle wrote:
> > > > Stephen Smalley wrote:
> > > > > On Wed, 2007-08-15 at 10:15 -0400, Karl MacMillan wrote:
> > > > >   
> > > > >> The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.
> > > > >>
> > [...]
> > > > 
> > > > Merged into 1.0.9
> > > 
> > > Reverted.  Didn't work.
> > > 
> > 
> > That's because it was wildly wrong - I thought I tested that, but I
> > guess not. Correct patch below:
> > 
> > 
> > diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
> > --- a/sepolgen/src/sepolgen/audit.py	Wed Aug 22 15:55:24 2007 -0400
> > +++ b/sepolgen/src/sepolgen/audit.py	Thu Aug 23 15:11:09 2007 -0400
> > @@ -421,6 +421,8 @@ class AuditParser:
> >          """
> >          av_set = access.AccessVectorSet()
> >          for avc in self.avc_msgs:
> > +            if avc.denial == True:
> > +                continue
> >              if avc_filter:
> >                  if avc_filter.filter(avc):
> >                      av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
> > 
> > Signed-off-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
> 
> Causes all avc messages to be discarded, yielding no output from
> audit2allow -a (with a number of avc messages in audit.log).  NAK.
> Third time's the charm?
> 

We can hope - this version includes a test. If this isn't right someone
else will have to fix this bug.

Suppress rule generation for dontaudit rules.

The current policy generation code incorrectly generates allow rules for dontaudit messages. This patch fixes that.

diff -r e962f4f773fc sepolgen/src/sepolgen/audit.py
--- a/sepolgen/src/sepolgen/audit.py	Wed Aug 22 15:55:24 2007 -0400
+++ b/sepolgen/src/sepolgen/audit.py	Wed Aug 29 16:01:09 2007 -0400
@@ -402,7 +402,7 @@ class AuditParser:
             self.__parse(l)
         self.__post_process()
 
-    def to_access(self, avc_filter=None):
+    def to_access(self, avc_filter=None, only_denials=True):
         """Convert the audit logs access into a an access vector set.
 
         Convert the audit logs into an access vector set, optionally
@@ -421,6 +421,8 @@ class AuditParser:
         """
         av_set = access.AccessVectorSet()
         for avc in self.avc_msgs:
+            if avc.denial != True and only_denials:
+                continue
             if avc_filter:
                 if avc_filter.filter(avc):
                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
diff -r e962f4f773fc sepolgen/tests/test_audit.py
--- a/sepolgen/tests/test_audit.py	Wed Aug 22 15:55:24 2007 -0400
+++ b/sepolgen/tests/test_audit.py	Mon Sep 03 11:49:09 2007 -0400
@@ -46,6 +46,8 @@ type=AVC_PATH msg=audit(1162850461.778:1
 type=AVC_PATH msg=audit(1162850461.778:1113):  path="/etc/rc.d/init.d/innd"
 """
 
+granted1 = """type=AVC msg=audit(1188833848.190:34): avc:  granted  { getattr } for  pid=4310 comm="ls" name="foo.pp" dev=sda5 ino=295171 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file"""
+
 path1 = """type=AVC_PATH msg=audit(1162852201.019:1225):  path="/usr/lib/sa/sa1"
 """
 
@@ -62,6 +64,26 @@ class TestAVCMessage(unittest.TestCase):
         self.assertEquals(avc.tcontext, sc)
         self.assertEquals(avc.tclass, "")
         self.assertEquals(avc.accesses, [])
+
+    def test_granted(self):
+        avc = sepolgen.audit.AVCMessage(granted1)
+        avc.from_split_string(granted1.split())
+
+        self.assertEquals(avc.scontext.user, "user_u")
+        self.assertEquals(avc.scontext.role, "system_r")
+        self.assertEquals(avc.scontext.type, "unconfined_t")
+        self.assertEquals(avc.scontext.level, "s0")
+
+        self.assertEquals(avc.tcontext.user, "user_u")
+        self.assertEquals(avc.tcontext.role, "object_r")
+        self.assertEquals(avc.tcontext.type, "user_home_t")
+        self.assertEquals(avc.tcontext.level, "s0")
+        
+        self.assertEquals(avc.tclass, "file")
+        self.assertEquals(avc.accesses, ["getattr"])
+
+        self.assertEquals(avc.denial, False)
+
 
     def test_from_split_string(self):
         # syslog message
@@ -148,4 +170,23 @@ class TestAuditParser(unittest.TestCase)
         self.assertEquals(len(a.compute_sid_msgs), 0)
         self.assertEquals(len(a.invalid_msgs), 0)
         self.assertEquals(len(a.policy_load_msgs), 0)
+
+class TestGeneration(unittest.TestCase):
+    def test_generation(self):
+        parser = sepolgen.audit.AuditParser()
+        parser.parse_string(log1)
+        avs = parser.to_access()
+
+        self.assertEqual(len(avs), 1)
+
+    def test_genaration_granted(self):
+        parser = sepolgen.audit.AuditParser()
+        parser.parse_string(granted1)
+        avs = parser.to_access()
+
+        self.assertEqual(len(avs), 0)
         
+        avs = parser.to_access(only_denials=False)
+        
+        self.assertEqual(len(avs), 1)
+



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.