* Audit2allow generating dontaudit rules.
@ 2010-02-24 20:20 Daniel J Walsh
2010-03-01 19:29 ` Karl MacMillan
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-02-24 20:20 UTC (permalink / raw)
To: SELinux
[-- Attachment #1: Type: text/plain, Size: 1 bytes --]
[-- Attachment #2: aut2allow_dontaudit.patch --]
[-- Type: text/plain, Size: 4277 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..0b95071 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -46,6 +46,9 @@ class AuditToPolicy:
help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
help="read input from dmesg - conflicts with --all and --input")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate dontaudit rules")
parser.add_option("-i", "--input", dest="input",
help="read input from <input> - conflicts with -a")
parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False,
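Review bot: the help string "generate dontaudit rules" reads as if -D adds dontaudit rules next to the allow rules, while the man page hunk says "(Default: allow)", i.e. it swaps the rule type for every denial in the input; say so, e.g. "generate dontaudit rules instead of allow rules". Since a dontaudit rule silences the AVC record without granting the access, and -D is one shift away from -d, the wording should make that trade-off visible.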
@@ -314,7 +317,7 @@ class AuditToPolicy:
g.set_gen_requires(True)
# Generate the policy
- g.add_access(self.__avs)
+ g.add_access(self.__avs, self.__options.dontaudit)
g.add_role_types(self.__role_types)
# Output
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
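Review bot: the audit2why line and the audit2allow NAME line change only in leading whitespace; unrelated whitespace churn is better kept out of a feature patch. The .TH date "January 2005" in the context could be bumped while the page is being touched.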
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
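Review bot: the new -D entry should spell out the caveat rather than just "(Default: allow)": a dontaudit rule only suppresses the audit message, the access stays denied, so the program still fails and the evidence of why disappears from the log. Suggested wording: "Generate dontaudit rules instead of allow rules. The denied accesses remain denied; only the audit messages are suppressed (Default: allow)."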
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 55cffeb..52ca4b4 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -141,15 +141,15 @@ class PolicyGenerator:
"""Return the generated module"""
return self.module
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, dontaudit):
for av in avs:
- rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, dontaudit=dontaudit)
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
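Review bot: __add_allow_rules now emits dontaudit rules as well, so the method name is stale; rename it (e.g. __add_av_rules) or add a comment. Note also that the explain_access() comment is attached to the dontaudit rule unchanged; that is useful, since it records why the access was denied next to the rule that keeps it denied and silent, but a word in the comment would stop readers from mistaking the output for an allow.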
- def add_access(self, av_set):
+ def add_access(self, av_set, dontaudit=False):
"""Add the access from the access vector set to this
module.
"""
@@ -165,7 +165,7 @@ class PolicyGenerator:
raw_allow = av_set
# Generate the raw allow rules from the filtered list
- self.__add_allow_rules(raw_allow)
+ self.__add_allow_rules(raw_allow, dontaudit)
def add_role_types(self, role_type_set):
for role_type in role_type_set:
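Review bot: the flag only reaches the raw-rule path. __add_allow_rules is called on raw_allow, which in the visible else branch is the whole av_set, but any vector that add_access matches to a reference-policy interface (the branch above the visible `raw_allow = av_set`, taken when interface generation is enabled) is still emitted as an interface call that grants the access. A user passing -D expects no new allow rules at all, so either bypass interface matching when dontaudit is set or document that -D produces no interface output. The "Generate the raw allow rules" comment is also now inaccurate.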
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..f2cf057 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -420,13 +420,16 @@ class AVRule(Leaf):
AUDITALLOW = 2
NEVERALLOW = 3
- def __init__(self, av=None, parent=None):
+ def __init__(self, av=None, parent=None, dontaudit=False):
Leaf.__init__(self, parent)
self.src_types = IdSet()
self.tgt_types = IdSet()
self.obj_classes = IdSet()
self.perms = IdSet()
- self.rule_type = self.ALLOW
+ if dontaudit:
+ self.rule_type = self.DONTAUDIT
+ else:
+ self.rule_type = self.ALLOW
if av:
self.from_av(av)
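Review bot: a boolean parameter hard-wires the constructor to two of its four rule types; AUDITALLOW = 2 and NEVERALLOW = 3 sit right above in the class, so take `rule_type=ALLOW` as the parameter and assign it directly, which also lets a caller emit allow and auditallow for the same vectors without yet another flag. Since from_av(av) runs after the assignment, anything from_av() sets on rule_type would override it; keep rule_type out of that path.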
* Re: Audit2allow generating dontaudit rules.
2010-02-24 20:20 Audit2allow generating dontaudit rules Daniel J Walsh
@ 2010-03-01 19:29 ` Karl MacMillan
2010-03-01 20:02 ` Daniel J Walsh
2010-03-01 20:45 ` Daniel J Walsh
0 siblings, 2 replies; 12+ messages in thread
From: Karl MacMillan @ 2010-03-01 19:29 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
I'd rather pass in the rule type to the AVRule init rather than a
boolean about this being a dontaudit rule.
Karl
On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Audit2allow generating dontaudit rules.
2010-03-01 19:29 ` Karl MacMillan
@ 2010-03-01 20:02 ` Daniel J Walsh
2010-03-01 20:45 ` Daniel J Walsh
1 sibling, 0 replies; 12+ messages in thread
From: Daniel J Walsh @ 2010-03-01 20:02 UTC (permalink / raw)
To: Karl MacMillan; +Cc: SELinux
On 03/01/2010 02:29 PM, Karl MacMillan wrote:
> I'd rather pass in the rule type to the AVRule init rather than a
> boolean about this being a dontaudit rule.
>
> Karl
>
> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com> wrote:
>
>>
>>
What function from audit2allow do you want the flag passed in?
self.__avs = self.__parser.to_access(avcfilter,
self.__options.dontaudit)
?
Or at a higher level.
* Re: Audit2allow generating dontaudit rules.
2010-03-01 19:29 ` Karl MacMillan
2010-03-01 20:02 ` Daniel J Walsh
@ 2010-03-01 20:45 ` Daniel J Walsh
2010-03-01 21:47 ` Daniel J Walsh
1 sibling, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-03-01 20:45 UTC (permalink / raw)
To: Karl MacMillan; +Cc: SELinux
[-- Attachment #1: Type: text/plain, Size: 360 bytes --]
On 03/01/2010 02:29 PM, Karl MacMillan wrote:
> I'd rather pass in the rule type to the AVRule init rather than a
> boolean about this being a dontaudit rule.
>
> Karl
>
> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com> wrote:
>
>>
>>
How about this patch? Moves the dontaudit up the chain a little bit.
Is this what you want?
[-- Attachment #2: audit2allow.patch --]
[-- Type: text/plain, Size: 5589 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..1c7d896 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -58,6 +58,9 @@ class AuditToPolicy:
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
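Review bot: the help text now reads "generate policy with dontaudit rules" while the man page hunk below still says "Generate dontaudit rules (Default: allow)"; keep the two in sync. The option has also moved from the -d/-i neighbourhood to between -o and -R, which breaks the alphabetical ordering of the option list.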
@@ -153,11 +156,11 @@ class AuditToPolicy:
def __process_input(self):
if self.__options.type:
avcfilter = audit.AVCTypeFilter(self.__options.type)
- self.__avs = self.__parser.to_access(avcfilter)
+ self.__avs = self.__parser.to_access(avcfilter, dontaudit=self.__options.dontaudit)
csfilter = audit.ComputeSidTypeFilter(self.__options.type)
self.__role_types = self.__parser.to_role(csfilter)
else:
- self.__avs = self.__parser.to_access()
+ self.__avs = self.__parser.to_access(dontaudit=self.__options.dontaudit)
self.__role_types = self.__parser.to_role()
def __load_interface_info(self):
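Review bot: dontaudit is an output decision, not a parsing one. Threading it into AuditParser.to_access() so that every AccessVector carries a dontaudit attribute couples the log parser to the policy writer, and each future rule type (auditallow, neverallow) would need another attribute and another keyword argument pushed through here. Keeping the choice in PolicyGenerator, as in the first version, is the cleaner split.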
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
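Review bot: this man page diff is byte-identical to the first submission (same blob ids c041f75..d9635c2), so the comments on that version apply unchanged; nothing new here.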
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 71121d7..88a6db5 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -85,6 +85,7 @@ class AccessVector:
self.obj_class = None
self.perms = refpolicy.IdSet()
self.audit_msgs = []
+ self.dontaudit = False
# The direction of the information flow represented by this
# access vector - used for matching
@@ -253,7 +254,7 @@ class AccessVectorSet:
for av in l:
self.add_av(AccessVector(av))
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, dontaudit=False):
"""Add an access vector to the set.
"""
tgt = self.src.setdefault(src_type, { })
@@ -266,6 +267,7 @@ class AccessVectorSet:
access.src_type = src_type
access.tgt_type = tgt_type
access.obj_class = obj_class
+ access.dontaudit = dontaudit
cls[obj_class] = access
access.perms.update(perms)
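Review bot: `access.dontaudit = dontaudit` is assigned only on the branch that creates a new AccessVector; when the (src, tgt, class) triple already exists only perms is updated, which is fine while the flag is per-run. But AccessVectorSet also copies vectors through `self.add_av(AccessVector(av))` at the top of this hunk, and AccessVector.__init__ now starts dontaudit at False, so check that the copy path (__init__ called with an av) carries the attribute over, otherwise the flag is lost on copies.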
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index efcc40d..80371d0 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -424,7 +424,7 @@ class AuditParser:
return role_types
- def to_access(self, avc_filter=None, only_denials=True):
+ def to_access(self, avc_filter=None, only_denials=True, dontaudit=False):
"""Convert the audit logs access into a an access vector set.
Convert the audit logs into an access vector set, optionally
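Review bot: the docstring just below is not updated for the new keyword; add a line describing dontaudit alongside avc_filter and only_denials, and fix the "a an" in the first line while there.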
@@ -448,10 +448,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, dontaudit=dontaudit)
else:
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, dontaudit=dontaudit)
return av_set
class AVCTypeFilter:
@@ -477,5 +477,3 @@ class ComputeSidTypeFilter:
if self.regex.match(avc.tcontext.type):
return True
return False
-
-
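Review bot: the two trailing blank lines removed at the end of audit.py are unrelated cleanup; fine in itself, but better as a separate whitespace commit so the dontaudit change stays easy to read and revert.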
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..782ea3d 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -449,6 +449,8 @@ class AVRule(Leaf):
self.tgt_types.add(av.tgt_type)
self.obj_classes.add(av.obj_class)
self.perms.update(av.perms)
+ if av.dontaudit:
+ self.rule_type = audit2why.DONTAUDIT
def to_string(self):
"""Return a string representation of the rule
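Review bot: `self.rule_type = audit2why.DONTAUDIT` is the wrong constant. AVRule has its own rule-type numbering (AUDITALLOW = 2 and NEVERALLOW = 3 in the class, and the first version used self.DONTAUDIT), whereas audit2why.DONTAUDIT is a libselinux result code with its own value; and unless refpolicy.py imports audit2why somewhere outside this diff, the line raises NameError on the first dontaudit vector. Use self.DONTAUDIT.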
* Re: Audit2allow generating dontaudit rules.
2010-03-01 20:45 ` Daniel J Walsh
@ 2010-03-01 21:47 ` Daniel J Walsh
2010-03-04 17:08 ` Joshua Brindle
0 siblings, 1 reply; 12+ messages in thread
From: Daniel J Walsh @ 2010-03-01 21:47 UTC (permalink / raw)
To: Karl MacMillan; +Cc: SELinux
[-- Attachment #1: Type: text/plain, Size: 445 bytes --]
On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>> I'd rather pass in the rule type to the AVRule init rather than a
>> boolean about this being a dontaudit rule.
>>
>> Karl
>>
>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>> wrote:
>>>
> How about this patch. Moves the dontaudit up the chain a little bit.
> Is this what you want.
One minor problem. Updated patch.
[-- Attachment #2: audit2allow.patch --]
[-- Type: text/plain, Size: 5587 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..1c7d896 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -58,6 +58,9 @@ class AuditToPolicy:
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
@@ -153,11 +156,11 @@ class AuditToPolicy:
def __process_input(self):
if self.__options.type:
avcfilter = audit.AVCTypeFilter(self.__options.type)
- self.__avs = self.__parser.to_access(avcfilter)
+ self.__avs = self.__parser.to_access(avcfilter, dontaudit=self.__options.dontaudit)
csfilter = audit.ComputeSidTypeFilter(self.__options.type)
self.__role_types = self.__parser.to_role(csfilter)
else:
- self.__avs = self.__parser.to_access()
+ self.__avs = self.__parser.to_access(dontaudit=self.__options.dontaudit)
self.__role_types = self.__parser.to_role()
def __load_interface_info(self):
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 71121d7..139f786 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -86,6 +86,8 @@ class AccessVector:
self.perms = refpolicy.IdSet()
self.audit_msgs = []
+ self.dontaudit = False
+
# The direction of the information flow represented by this
# access vector - used for matching
self.info_flow_dir = None
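Review bot: the only difference from the previous revision is this hunk (blob 88a6db5 -> 139f786): the attribute now sits after audit_msgs with a blank line, and the later hunk offsets shift by one. The audit2why.DONTAUDIT reference in refpolicy.py is unchanged, so the earlier comment on it still stands.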
@@ -253,7 +255,7 @@ class AccessVectorSet:
for av in l:
self.add_av(AccessVector(av))
- def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
+ def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, dontaudit=False):
"""Add an access vector to the set.
"""
tgt = self.src.setdefault(src_type, { })
@@ -266,6 +268,7 @@ class AccessVectorSet:
access.src_type = src_type
access.tgt_type = tgt_type
access.obj_class = obj_class
+ access.dontaudit = dontaudit
cls[obj_class] = access
access.perms.update(perms)
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index efcc40d..80371d0 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -424,7 +424,7 @@ class AuditParser:
return role_types
- def to_access(self, avc_filter=None, only_denials=True):
+ def to_access(self, avc_filter=None, only_denials=True, dontaudit=False):
"""Convert the audit logs access into a an access vector set.
Convert the audit logs into an access vector set, optionally
@@ -448,10 +448,10 @@ class AuditParser:
if avc_filter:
if avc_filter.filter(avc):
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, dontaudit=dontaudit)
else:
av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
- avc.accesses, avc)
+ avc.accesses, avc, dontaudit=dontaudit)
return av_set
class AVCTypeFilter:
@@ -477,5 +477,3 @@ class ComputeSidTypeFilter:
if self.regex.match(avc.tcontext.type):
return True
return False
-
-
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..782ea3d 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -449,6 +449,8 @@ class AVRule(Leaf):
self.tgt_types.add(av.tgt_type)
self.obj_classes.add(av.obj_class)
self.perms.update(av.perms)
+ if av.dontaudit:
+ self.rule_type = audit2why.DONTAUDIT
def to_string(self):
"""Return a string representation of the rule
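Review bot: still `audit2why.DONTAUDIT`; this should be self.DONTAUDIT, the AVRule constant, as noted on the previous revision.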
* Re: Audit2allow generating dontaudit rules.
2010-03-01 21:47 ` Daniel J Walsh
@ 2010-03-04 17:08 ` Joshua Brindle
[not found] ` <10143821003041346o6903d2bbw49863b44d05a2a8c@mail.gmail.com>
0 siblings, 1 reply; 12+ messages in thread
From: Joshua Brindle @ 2010-03-04 17:08 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Karl MacMillan, SELinux
Daniel J Walsh wrote:
> On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
>> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>>> I'd rather pass in the rule type to the AVRule init rather than a
>>> boolean about this being a dontaudit rule.
>>>
>>> Karl
>>>
>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>>> wrote:
>>>>
>> How about this patch. Moves the dontaudit up the chain a little bit.
>> Is this what you want.
> One minor problem. Updated patch.
>
Karl?
* Re: Audit2allow generating dontaudit rules.
[not found] ` <10143821003041346o6903d2bbw49863b44d05a2a8c@mail.gmail.com>
@ 2010-03-08 16:11 ` Karl MacMillan
2010-03-08 16:50 ` Joshua Brindle
2010-03-08 19:33 ` Daniel J Walsh
0 siblings, 2 replies; 12+ messages in thread
From: Karl MacMillan @ 2010-03-08 16:11 UTC (permalink / raw)
To: Joshua Brindle, SE Linux, Daniel J Walsh
Accidentally sent this straight to Josh.
Karl
On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan <karlwmacmillan@gmail.com> wrote:
> I meant this - I don't want to pass around a boolean flag when we have
> a flag for rule type. This allows cleanly adding support for, say,
> generating both allow rules and auditallow rules at the same time.
>
> Karl
>
> On Thu, Mar 4, 2010 at 12:08 PM, Joshua Brindle <method@manicmethod.com> wrote:
>> Daniel J Walsh wrote:
>>>
>>> On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
>>>>
>>>> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>>>>>
>>>>> I'd rather pass in the rule type to the AVRule init rather than a
>>>>> boolean about this being a dontaudit rule.
>>>>>
>>>>> Karl
>>>>>
>>>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>>>>> wrote:
>>>>>>
>>>> How about this patch. Moves the dontaudit up the chain a little bit.
>>>> Is this what you want.
>>>
>>> One minor problem. Updated patch.
>>>
>>
>> Karl?
>>
>
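Karl's point above is the generator taking a rule type rather than a yes/no flag. As an added example, not code from sepolgen or from anyone in this thread, the following Python sketches that shape end to end: it parses constructed AVC records (not from a real host), merges them into access vectors the way to_access() does, emits allow, dontaudit or auditallow rules from one code path keyed by a rule-type constant, and includes a small evaluator that shows why -D is not a fix: a dontaudit rule leaves the access denied and only removes the audit record. The numeric values ALLOW = 0 and DONTAUDIT = 1 are assumed (only AUDITALLOW = 2 and NEVERALLOW = 3 are visible in the patches), and every function name here is this example's own.

```python
"""Added example (not sepolgen's own code): AVC records -> allow /
dontaudit / auditallow rules selected by a rule-type constant."""
import re
from collections import OrderedDict

# Rule-type constants. AUDITALLOW = 2 and NEVERALLOW = 3 appear in the
# refpolicy.py hunks in this thread; ALLOW = 0 and DONTAUDIT = 1 are assumed.
ALLOW, DONTAUDIT, AUDITALLOW, NEVERALLOW = 0, 1, 2, 3
KEYWORD = {ALLOW: "allow", DONTAUDIT: "dontaudit",
           AUDITALLOW: "auditallow", NEVERALLOW: "neverallow"}

# Kernel AVC message shape:
#   avc:  denied  { perms } for ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample audit records for this example; not taken from a real system.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1267476000.123:42): avc:  denied  { read write } for  pid=1234 '
    'comm="httpd" name="index.html" dev=sda1 ino=1 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1267476000.124:43): avc:  denied  { getattr } for  pid=1234 '
    'comm="httpd" path="/home/bob/index.html" dev=sda1 ino=1 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1267476000.125:44): avc:  denied  { search } for  pid=1234 '
    'comm="httpd" name="bob" dev=sda1 ino=2 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1267476000.126:45): avc:  granted  { setenforce } for  pid=99 '
    'comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security',
    'type=SYSCALL msg=audit(1267476000.123:42): arch=c000003e syscall=2 success=no exit=-13',
]


def context_type(ctx):
    """Pull the type field out of user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avcs(lines, only_denials=True):
    """Merge AVC records into {(src_type, tgt_type, tclass): set(perms)}.

    Same idea as sepolgen's to_access(): one access vector per
    (source, target, class) with the permissions unioned. Non-AVC
    records and, by default, "granted" records are skipped."""
    avs = OrderedDict()
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue
        if only_denials and m.group("verdict") != "denied":
            continue
        key = (context_type(m.group("scon")), context_type(m.group("tcon")),
               m.group("tclass"))
        avs.setdefault(key, set()).update(m.group("perms").split())
    return avs


def to_rules(avs, rule_type=ALLOW):
    """Build (rule_type, src, tgt, tclass, perms) for every access vector.

    The rule type is a parameter, so allow, dontaudit and auditallow all
    share this one path instead of each needing its own boolean."""
    if rule_type not in KEYWORD:
        raise ValueError("unknown rule type %r" % (rule_type,))
    return [(rule_type, src, tgt, cls, frozenset(perms))
            for (src, tgt, cls), perms in avs.items()]


def format_rule(rule):
    """Render one rule tuple in policy source syntax."""
    rule_type, src, tgt, cls, perms = rule
    return "%s %s %s:%s { %s };" % (KEYWORD[rule_type], src, tgt, cls,
                                    " ".join(sorted(perms)))


def evaluate(rules, src, tgt, cls, perm):
    """Return (allowed, audited) for one access under the given rules.

    Kernel semantics: a denial is logged unless a dontaudit rule covers it;
    a granted access is logged only if an auditallow rule covers it.
    A dontaudit rule never grants anything, which is the point of -D."""
    def covered(kind):
        return any(r[0] == kind and r[1] == src and r[2] == tgt
                   and r[3] == cls and perm in r[4] for r in rules)
    allowed = covered(ALLOW)
    audited = covered(AUDITALLOW) if allowed else not covered(DONTAUDIT)
    return allowed, audited


if __name__ == "__main__":
    avs = parse_avcs(SAMPLE_AVC_LINES)
    for rt in (ALLOW, DONTAUDIT):
        print("\n".join(format_rule(r) for r in to_rules(avs, rt)))
    print(evaluate(to_rules(avs, DONTAUDIT), "httpd_t", "user_home_t", "file", "read"))
```

Run it and compare the two rule sets: the text differs only in the keyword, and the final evaluate() call is the part that matters when deciding between -D and the default, since the dontaudit set still yields (allowed=False, audited=False) for the very access that produced the denial.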
* Re: Audit2allow generating dontaudit rules.
2010-03-08 16:11 ` Karl MacMillan
@ 2010-03-08 16:50 ` Joshua Brindle
2010-03-08 17:00 ` Karl MacMillan
2010-03-08 19:33 ` Daniel J Walsh
1 sibling, 1 reply; 12+ messages in thread
From: Joshua Brindle @ 2010-03-08 16:50 UTC (permalink / raw)
To: Karl MacMillan; +Cc: SE Linux, Daniel J Walsh
Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com> wrote:
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
-ENOATTACH
>>
>> Karl
>>
>> On Thu, Mar 4, 2010 at 12:08 PM, Joshua Brindle<method@manicmethod.com> wrote:
>>> Daniel J Walsh wrote:
>>>> On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
>>>>> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>>>>>> I'd rather pass in the rule type to the AVRule init rather than a
>>>>>> boolean about this being a dontaudit rule.
>>>>>>
>>>>>> Karl
>>>>>>
>>>>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>>>>>> wrote:
>>>>> How about this patch. Moves the dontaudit up the chain a little bit.
>>>>> Is this what you want.
>>>> One minor problem. Updated patch.
>>>>
>>> Karl?
>>>
>
* Re: Audit2allow generating dontaudit rules.
2010-03-08 16:50 ` Joshua Brindle
@ 2010-03-08 17:00 ` Karl MacMillan
0 siblings, 0 replies; 12+ messages in thread
From: Karl MacMillan @ 2010-03-08 17:00 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SE Linux, Daniel J Walsh
[-- Attachment #1: Type: text/plain, Size: 1228 bytes --]
On Mon, Mar 8, 2010 at 11:50 AM, Joshua Brindle <method@manicmethod.com> wrote:
> Karl MacMillan wrote:
>>
>> Accidentally sent this straight to Josh.
>>
>> Karl
>>
>> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com>
>> wrote:
>>>
>>> I meant this - I don't want to pass around a boolean flag when we have
>>> a flag for rule type. This allows cleanly adding support for, say,
>>> generating both allow rules and auditallow rules at the same time.
>
> -ENOATTACH
>
>>>
>>> Karl
>>>
>>> On Thu, Mar 4, 2010 at 12:08 PM, Joshua Brindle<method@manicmethod.com>
>>> wrote:
>>>>
>>>> Daniel J Walsh wrote:
>>>>>
>>>>> On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
>>>>>>
>>>>>> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>>>>>>>
>>>>>>> I'd rather pass in the rule type to the AVRule init rather than a
>>>>>>> boolean about this being a dontaudit rule.
>>>>>>>
>>>>>>> Karl
>>>>>>>
>>>>>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>>>>>>> wrote:
>>>>>>
>>>>>> How about this patch. Moves the dontaudit up the chain a little bit.
>>>>>> Is this what you want.
>>>>>
>>>>> One minor problem. Updated patch.
>>>>>
>>>> Karl?
>>>>
>>
>
[-- Attachment #2: 0001-Add-support-for-dontaudit-in-audit2allow.patch --]
[-- Type: application/octet-stream, Size: 5273 bytes --]
From 4944c87f6f60714f545bcbfc141054fa6d325594 Mon Sep 17 00:00:00 2001
From: Karl MacMillan <kmacmillan@tresys.com>
Date: Thu, 4 Mar 2010 16:00:38 -0500
Subject: [PATCH] Add support for dontaudit in audit2allow.
Add support for generated dontallow messages from audit2allow (includes
needed sepolgen changes). Based on patch from Dan Walsh.
---
policycoreutils/audit2allow/audit2allow | 11 ++++++++++-
policycoreutils/audit2allow/audit2allow.1 | 7 +++++--
sepolgen/src/sepolgen/policygen.py | 8 ++++----
sepolgen/src/sepolgen/refpolicy.py | 5 +++--
4 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..3e82cfa 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -27,6 +27,7 @@ import sepolgen.output as output
import sepolgen.objectmodel as objectmodel
import sepolgen.defaults as defaults
import sepolgen.module as module
+import sepolgen.refpolicy as refpolicy
from sepolgen.sepolgeni18n import _
class AuditToPolicy:
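Review bot: the commit message says "generated dontallow messages"; there is no such rule type, it should read "generating dontaudit rules". The refpolicy import added here is what the refpolicy.AVRule.DONTAUDIT reference later in this file needs.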
@@ -46,6 +47,9 @@ class AuditToPolicy:
help="read input from audit log - conflicts with -i")
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
help="read input from dmesg - conflicts with --all and --input")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate dontaudit rules")
parser.add_option("-i", "--input", dest="input",
help="read input from <input> - conflicts with -a")
parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False,
@@ -314,7 +318,12 @@ class AuditToPolicy:
g.set_gen_requires(True)
# Generate the policy
- g.add_access(self.__avs)
+ if self.__options.dontaudit:
+ rule_type = refpolicy.AVRule.DONTAUDIT
+ else:
+ rule_type = refpolicy.AVRule.ALLOW
+
+ g.add_access(self.__avs, rule_type)
g.add_role_types(self.__role_types)
# Output
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 55cffeb..047007e 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -141,15 +141,15 @@ class PolicyGenerator:
"""Return the generated module"""
return self.module
- def __add_allow_rules(self, avs):
+ def __add_allow_rules(self, avs, rule_type):
for av in avs:
- rule = refpolicy.AVRule(av)
+ rule = refpolicy.AVRule(av, rule_type=rule_type)
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
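Review bot: __add_allow_rules now emits whatever rule_type it is handed, so the method name and the "Generate the raw allow rules" comment at its call site are stale; rename (e.g. __add_av_rules) or comment.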
- def add_access(self, av_set):
+ def add_access(self, av_set, rule_type=refpolicy.AVRule.ALLOW):
"""Add the access from the access vector set to this
module.
"""
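Review bot: `rule_type=refpolicy.AVRule.ALLOW` as the default keeps existing callers of add_access() working, which is good; the docstring should mention the new parameter and that it applies only to the raw rules this method writes itself.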
@@ -165,7 +165,7 @@ class PolicyGenerator:
raw_allow = av_set
# Generate the raw allow rules from the filtered list
- self.__add_allow_rules(raw_allow)
+ self.__add_allow_rules(raw_allow, rule_type)
def add_role_types(self, role_type_set):
for role_type in role_type_set:
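Review bot: as in the earlier versions, rule_type reaches only the raw rules: vectors matched to reference-policy interfaces in the branch above the visible `raw_allow = av_set` still come out as interface calls that grant access. With DONTAUDIT requested, interface matching should be skipped or the limitation documented in the -D man page entry.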
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index b138e3d..1820429 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -420,13 +420,14 @@ class AVRule(Leaf):
AUDITALLOW = 2
NEVERALLOW = 3
- def __init__(self, av=None, parent=None):
+ def __init__(self, av=None, parent=None, rule_type=ALLOW):
Leaf.__init__(self, parent)
self.src_types = IdSet()
self.tgt_types = IdSet()
self.obj_classes = IdSet()
self.perms = IdSet()
- self.rule_type = self.ALLOW
+ self.rule_type = rule_type
+
if av:
self.from_av(av)
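Review bot: `rule_type=ALLOW` in the def line is resolved in the class body at definition time, which works because the constants are defined above __init__. The attribute is set before from_av(av) runs, so from_av() must not touch rule_type. Consider validating rule_type against the four constants so that an older caller still passing a boolean is rejected rather than silently mapped (True compares equal to 1, whichever rule type that is).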
--
1.6.6
* Re: Audit2allow generating dontaudit rules.
2010-03-08 16:11 ` Karl MacMillan
2010-03-08 16:50 ` Joshua Brindle
@ 2010-03-08 19:33 ` Daniel J Walsh
2010-03-08 20:44 ` Karl MacMillan
2010-03-12 13:33 ` Joshua Brindle
1 sibling, 2 replies; 12+ messages in thread
From: Daniel J Walsh @ 2010-03-08 19:33 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Joshua Brindle, SE Linux
[-- Attachment #1: Type: text/plain, Size: 537 bytes --]
On 03/08/2010 11:11 AM, Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com> wrote:
>
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.
>>
>>
<snip>
Ok this one only adds a flag to the policygenerator to tell it to
generate dontaudit rules.
No passing of args.
[-- Attachment #2: audit2allow_dontaudit.patch --]
[-- Type: text/plain, Size: 3286 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 9186965..5ad9fdb 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -58,6 +58,9 @@ class AuditToPolicy:
help="generate a module package - conflicts with -o and -m")
parser.add_option("-o", "--output", dest="output",
help="append output to <filename>, conflicts with -M")
+ parser.add_option("-D", "--dontaudit", action="store_true",
+ dest="dontaudit", default=False,
+ help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
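Review bot: help text says "generate policy with dontaudit rules" while the man page entry below says "Generate dontaudit rules (Default: allow)"; make them match, and add "instead of allow rules" so it is clear the flag swaps the rule type rather than adding rules.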
@@ -295,6 +298,8 @@ class AuditToPolicy:
g = policygen.PolicyGenerator()
+ g.set_gen_dontaudit(self.__options.dontaudit)
+
if self.__options.module:
g.set_module_name(self.__options.module)
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1
index c041f75..d9635c2 100644
--- a/policycoreutils/audit2allow/audit2allow.1
+++ b/policycoreutils/audit2allow/audit2allow.1
@@ -25,10 +25,10 @@
.TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
.SH NAME
.BR audit2allow
- \- generate SELinux policy allow rules from logs of denied operations
+\- generate SELinux policy allow/dontaudit rules from logs of denied operations
.BR audit2why
- \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
+\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
.SH SYNOPSIS
.B audit2allow
@@ -44,6 +44,9 @@ Read input from output of
Note that all audit messages are not available via dmesg when
auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead.
.TP
+.B "\-D" | "\-\-dontaudit"
+Generate dontaudit rules (Default: allow)
+.TP
.B "\-h" | "\-\-help"
Print a short usage message
.TP
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index 55cffeb..0e6b502 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
@@ -75,6 +75,8 @@ class PolicyGenerator:
else:
self.module = refpolicy.Module()
+ self.dontaudit = False
+
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -108,6 +110,9 @@ class PolicyGenerator:
"""
self.explain = explain
+ def set_gen_dontaudit(self, dontaudit):
+ self.dontaudit = dontaudit
+
def __set_module_style(self):
if self.ifgen:
refpolicy = True
@@ -144,6 +149,8 @@ class PolicyGenerator:
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
+ if self.dontaudit:
+ rule.rule_type = rule.DONTAUDIT
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
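Review bot: assigning rule.rule_type after construction is safe because from_av() has already run inside AVRule(av), and keeping the switch inside PolicyGenerator is the right place for it. It still only covers the raw rules, though: when interface generation is on (set_gen_refpol above), vectors matched to interfaces are emitted as interface calls that grant access, so either skip interface matching when self.dontaudit is set or document the limitation in the -D man page entry. The method name __add_allow_rules is now a misnomer as well.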
* Re: Audit2allow generating dontaudit rules.
2010-03-08 19:33 ` Daniel J Walsh
@ 2010-03-08 20:44 ` Karl MacMillan
2010-03-12 13:33 ` Joshua Brindle
1 sibling, 0 replies; 12+ messages in thread
From: Karl MacMillan @ 2010-03-08 20:44 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Joshua Brindle, SE Linux
On Mon, Mar 8, 2010 at 2:33 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/08/2010 11:11 AM, Karl MacMillan wrote:
>>
>> Accidentally sent this straight to Josh.
>>
>> Karl
>>
>> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com>
>> wrote:
>>
>>>
>>> I meant this - I don't want to pass around a boolean flag when we have
>>> a flag for rule type. This allows cleanly adding support for, say,
>>> generating both allow rules and auditallow rules at the same time.
>>>
>>>
>
> <snip>
>
> Ok this one only adds a flag to the policygenerator to tell it to generate
> dontaudit rules.
>
> No passing of args.
>
Acked-by: Karl MacMillan <karlwmacmillan@gmail.com>
* Re: Audit2allow generating dontaudit rules.
2010-03-08 19:33 ` Daniel J Walsh
2010-03-08 20:44 ` Karl MacMillan
@ 2010-03-12 13:33 ` Joshua Brindle
1 sibling, 0 replies; 12+ messages in thread
From: Joshua Brindle @ 2010-03-12 13:33 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Karl MacMillan, SE Linux
Daniel J Walsh wrote:
> On 03/08/2010 11:11 AM, Karl MacMillan wrote:
>> Accidentally sent this straight to Josh.
>>
>> Karl
>>
>> On Thu, Mar 4, 2010 at 4:46 PM, Karl
>> MacMillan<karlwmacmillan@gmail.com> wrote:
>>> I meant this - I don't want to pass around a boolean flag when we have
>>> a flag for rule type. This allows cleanly adding support for, say,
>>> generating both allow rules and auditallow rules at the same time.
>>>
> <snip>
>
> Ok this one only adds a flag to the policygenerator to tell it to
> generate dontaudit rules.
>
> No passing of args.
Merged in policycoreutils 2.0.81 and sepolgen 1.0.20