* Audit2allow generating dontaudit rules. @ 2010-02-24 20:20 Daniel J Walsh 2010-03-01 19:29 ` Karl MacMillan 0 siblings, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2010-02-24 20:20 UTC (permalink / raw) To: SELinux [-- Attachment #1: Type: text/plain, Size: 1 bytes --] [-- Attachment #2: aut2allow_dontaudit.patch --] [-- Type: text/plain, Size: 4277 bytes --] diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow index 9186965..0b95071 100644 --- a/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow @@ -46,6 +46,9 @@ class AuditToPolicy: help="read input from audit log - conflicts with -i") parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, help="read input from dmesg - conflicts with --all and --input") + parser.add_option("-D", "--dontaudit", action="store_true", + dest="dontaudit", default=False, + help="generate dontaudit rules") parser.add_option("-i", "--input", dest="input", help="read input from <input> - conflicts with -a") parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False, @@ -314,7 +317,7 @@ class AuditToPolicy: g.set_gen_requires(True) # Generate the policy - g.add_access(self.__avs) + g.add_access(self.__avs, self.__options.dontaudit) g.add_role_types(self.__role_types) # Output diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index c041f75..d9635c2 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 
@@ -25,10 +25,10 @@ .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA .SH NAME .BR audit2allow - \- generate SELinux policy allow rules from logs of denied operations +\- generate SELinux policy allow/dontaudit rules from logs of denied operations .BR audit2why - \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) +\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) .SH SYNOPSIS .B audit2allow @@ -44,6 +44,9 @@ Read input from output of Note that all audit messages are not available via dmesg when auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead. .TP +.B "\-D" | "\-\-dontaudit" +Generate dontaudit rules (Default: allow) +.TP .B "\-h" | "\-\-help" Print a short usage message .TP diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py index 55cffeb..52ca4b4 100644 --- a/sepolgen/src/sepolgen/policygen.py +++ b/sepolgen/src/sepolgen/policygen.py @@ -141,15 +141,15 @@ class PolicyGenerator: """Return the generated module""" return self.module - def __add_allow_rules(self, avs): + def __add_allow_rules(self, avs, dontaudit): for av in avs: - rule = refpolicy.AVRule(av) + rule = refpolicy.AVRule(av, dontaudit=dontaudit) if self.explain: rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) self.module.children.append(rule) - def add_access(self, av_set): + def add_access(self, av_set, dontaudit=False): """Add the access from the access vector set to this module. """ @@ -165,7 +165,7 @@ class PolicyGenerator: raw_allow = av_set # Generate the raw allow rules from the filtered list - self.__add_allow_rules(raw_allow) + self.__add_allow_rules(raw_allow, dontaudit) def add_role_types(self, role_type_set): for role_type in role_type_set: diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py index b138e3d..f2cf057 100644 --- a/sepolgen/src/sepolgen/refpolicy.py 
+++ b/sepolgen/src/sepolgen/refpolicy.py @@ -420,13 +420,16 @@ class AVRule(Leaf): AUDITALLOW = 2 NEVERALLOW = 3 - def __init__(self, av=None, parent=None): + def __init__(self, av=None, parent=None, dontaudit=False): Leaf.__init__(self, parent) self.src_types = IdSet() self.tgt_types = IdSet() self.obj_classes = IdSet() self.perms = IdSet() - self.rule_type = self.ALLOW + if dontaudit: + self.rule_type = self.DONTAUDIT + else: + self.rule_type = self.ALLOW if av: self.from_av(av) ^ permalink raw reply related [flat|nested] 12+ messages in thread
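Review bot: in the refpolicy.py hunk, AVRule.__init__ takes a boolean `dontaudit` and then branches to choose between only two of the rule-type constants the class already defines (AUDITALLOW = 2 and NEVERALLOW = 3 are visible just above the hunk, and the removed line used self.ALLOW). Accepting the type itself, e.g. `def __init__(self, av=None, parent=None, rule_type=ALLOW):` followed by `self.rule_type = rule_type`, drops the if/else and lets the same constructor emit auditallow rules later without a second flag.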
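Review bot: in the policygen.py hunk, `__add_allow_rules` and the unchanged comment "# Generate the raw allow rules from the filtered list" now also produce dontaudit rules, but neither the method name nor the comment says so, and the add_access docstring ("Add the access from the access vector set to this module.") does not mention the new `dontaudit` parameter. Either rename the helper or at least document the parameter so a caller of add_access knows the resulting module may contain no allow rules at all.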
* Re: Audit2allow generating dontaudit rules.
From: Karl MacMillan @ 2010-03-01 19:29 UTC
To: Daniel J Walsh; +Cc: SELinux

I'd rather pass in the rule type to the AVRule init rather than a boolean about this being a dontaudit rule.

Karl

On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
* Re: Audit2allow generating dontaudit rules.
From: Daniel J Walsh @ 2010-03-01 20:02 UTC
To: Karl MacMillan; +Cc: SELinux

On 03/01/2010 02:29 PM, Karl MacMillan wrote:
> I'd rather pass in the rule type to the AVRule init rather than a
> boolean about this being a dontaudit rule.
>
> Karl
>
> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com> wrote:
>
>>
>>
What function from audit2allow do you want the flag passed in?

self.__avs = self.__parser.to_access(avcfilter, self.__options.dontaudit) ?

Or at a higher level.
* Re: Audit2allow generating dontaudit rules. 2010-03-01 19:29 ` Karl MacMillan 2010-03-01 20:02 ` Daniel J Walsh @ 2010-03-01 20:45 ` Daniel J Walsh 2010-03-01 21:47 ` Daniel J Walsh 1 sibling, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2010-03-01 20:45 UTC (permalink / raw) To: Karl MacMillan; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 360 bytes --] On 03/01/2010 02:29 PM, Karl MacMillan wrote: > I'd rather pass in the rule type to the AVRule init rather than a > boolean about this being a dontaudit rule. > > Karl > > On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com> wrote: > >> >> How about this patch. Moves the dontaudit up the chain a little bit. Is this what you want. [-- Attachment #2: audit2allow.patch --] [-- Type: text/plain, Size: 5589 bytes --] diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow index 9186965..1c7d896 100644 --- a/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow @@ -58,6 +58,9 @@ class AuditToPolicy: help="generate a module package - conflicts with -o and -m") parser.add_option("-o", "--output", dest="output", help="append output to <filename>, conflicts with -M") + parser.add_option("-D", "--dontaudit", action="store_true", + dest="dontaudit", default=False, + help="generate policy with dontaudit rules") parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", default=True, help="generate refpolicy style output") 
@@ -153,11 +156,11 @@ class AuditToPolicy: def __process_input(self): if self.__options.type: avcfilter = audit.AVCTypeFilter(self.__options.type) - self.__avs = self.__parser.to_access(avcfilter) + self.__avs = self.__parser.to_access(avcfilter, dontaudit=self.__options.dontaudit) csfilter = audit.ComputeSidTypeFilter(self.__options.type) self.__role_types = self.__parser.to_role(csfilter) else: - self.__avs = self.__parser.to_access() + self.__avs = self.__parser.to_access(dontaudit=self.__options.dontaudit) self.__role_types = self.__parser.to_role() def __load_interface_info(self): diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index c041f75..d9635c2 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 @@ -25,10 +25,10 @@ .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA .SH NAME .BR audit2allow - \- generate SELinux policy allow rules from logs of denied operations +\- generate SELinux policy allow/dontaudit rules from logs of denied operations .BR audit2why - \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) +\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) .SH SYNOPSIS .B audit2allow @@ -44,6 +44,9 @@ Read input from output of Note that all audit messages are not available via dmesg when auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead. .TP +.B "\-D" | "\-\-dontaudit" +Generate dontaudit rules (Default: allow) +.TP .B "\-h" | "\-\-help" Print a short usage message .TP diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py index 71121d7..88a6db5 100644 --- a/sepolgen/src/sepolgen/access.py +++ b/sepolgen/src/sepolgen/access.py 
@@ -85,6 +85,7 @@ class AccessVector: self.obj_class = None self.perms = refpolicy.IdSet() self.audit_msgs = [] + self.dontaudit = False # The direction of the information flow represented by this # access vector - used for matching @@ -253,7 +254,7 @@ class AccessVectorSet: for av in l: self.add_av(AccessVector(av)) - def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None): + def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, dontaudit=False): """Add an access vector to the set. """ tgt = self.src.setdefault(src_type, { }) @@ -266,6 +267,7 @@ class AccessVectorSet: access.src_type = src_type access.tgt_type = tgt_type access.obj_class = obj_class + access.dontaudit = dontaudit cls[obj_class] = access access.perms.update(perms) diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py index efcc40d..80371d0 100644 --- a/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/audit.py @@ -424,7 +424,7 @@ class AuditParser: return role_types - def to_access(self, avc_filter=None, only_denials=True): + def to_access(self, avc_filter=None, only_denials=True, dontaudit=False): """Convert the audit logs access into a an access vector set. Convert the audit logs into an access vector set, optionally @@ -448,10 +448,10 @@ class AuditParser: if avc_filter: if avc_filter.filter(avc): av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc) + avc.accesses, avc, dontaudit=dontaudit) else: av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc) + avc.accesses, avc, dontaudit=dontaudit) return av_set class AVCTypeFilter: @@ -477,5 +477,3 @@ class ComputeSidTypeFilter: if self.regex.match(avc.tcontext.type): return True return False - - diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py index b138e3d..782ea3d 100644 --- a/sepolgen/src/sepolgen/refpolicy.py +++ b/sepolgen/src/sepolgen/refpolicy.py 
@@ -449,6 +449,8 @@ class AVRule(Leaf): self.tgt_types.add(av.tgt_type) self.obj_classes.add(av.obj_class) self.perms.update(av.perms) + if av.dontaudit: + self.rule_type = audit2why.DONTAUDIT def to_string(self): """Return a string representation of the rule ^ permalink raw reply related [flat|nested] 12+ messages in thread
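Review bot: in the refpolicy.py hunk, `self.rule_type = audit2why.DONTAUDIT` refers to a module that nothing in this patch imports into refpolicy.py, while the constant it wants already lives on AVRule itself (the constructor sets `self.rule_type = self.ALLOW`, and AUDITALLOW/NEVERALLOW are class attributes). Unless refpolicy.py already imports audit2why, from_av() will raise NameError for every access vector with dontaudit set, which is exactly the -D path; this should read `self.rule_type = self.DONTAUDIT`.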
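Review bot: in the access.py hunk for AccessVectorSet.add, `access.dontaudit = dontaudit` is assigned only on the path that builds a new AccessVector (just before `cls[obj_class] = access`); an entry that already exists for that (src_type, tgt_type, obj_class) key only has its perms updated and keeps whatever flag it was created with. With one per-run flag this is harmless, but if dontaudit is meant to be a per-AV property it must be applied on the existing-entry path as well, or the docstring should say that the flag from the first add wins.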
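Review bot: in the audit.py hunk, to_access gains a `dontaudit` parameter but its docstring (which still opens with "Convert the audit logs access into a an access vector set") is not updated to list it; worth fixing the "a an" typo at the same time. The last hunk in that file only deletes two trailing blank lines after ComputeSidTypeFilter, which is unrelated whitespace cleanup and belongs in its own commit.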
* Re: Audit2allow generating dontaudit rules. 2010-03-01 20:45 ` Daniel J Walsh @ 2010-03-01 21:47 ` Daniel J Walsh 2010-03-04 17:08 ` Joshua Brindle 0 siblings, 1 reply; 12+ messages in thread From: Daniel J Walsh @ 2010-03-01 21:47 UTC (permalink / raw) To: Karl MacMillan; +Cc: SELinux [-- Attachment #1: Type: text/plain, Size: 445 bytes --] On 03/01/2010 03:45 PM, Daniel J Walsh wrote: > On 03/01/2010 02:29 PM, Karl MacMillan wrote: >> I'd rather pass in the rule type to the AVRule init rather than a >> boolean about this being a dontaudit rule. >> >> Karl >> >> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com> >> wrote: >>> > How about this patch. Moves the dontaudit up the chain a little bit. > Is this what you want. One minor problem. Updated patch. [-- Attachment #2: audit2allow.patch --] [-- Type: text/plain, Size: 5587 bytes --] diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow index 9186965..1c7d896 100644 --- a/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow @@ -58,6 +58,9 @@ class AuditToPolicy: help="generate a module package - conflicts with -o and -m") parser.add_option("-o", "--output", dest="output", help="append output to <filename>, conflicts with -M") + parser.add_option("-D", "--dontaudit", action="store_true", + dest="dontaudit", default=False, + help="generate policy with dontaudit rules") parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", default=True, help="generate refpolicy style output") 
@@ -153,11 +156,11 @@ class AuditToPolicy: def __process_input(self): if self.__options.type: avcfilter = audit.AVCTypeFilter(self.__options.type) - self.__avs = self.__parser.to_access(avcfilter) + self.__avs = self.__parser.to_access(avcfilter, dontaudit=self.__options.dontaudit) csfilter = audit.ComputeSidTypeFilter(self.__options.type) self.__role_types = self.__parser.to_role(csfilter) else: - self.__avs = self.__parser.to_access() + self.__avs = self.__parser.to_access(dontaudit=self.__options.dontaudit) self.__role_types = self.__parser.to_role() def __load_interface_info(self): diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index c041f75..d9635c2 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 @@ -25,10 +25,10 @@ .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA .SH NAME .BR audit2allow - \- generate SELinux policy allow rules from logs of denied operations +\- generate SELinux policy allow/dontaudit rules from logs of denied operations .BR audit2why - \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) +\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) .SH SYNOPSIS .B audit2allow @@ -44,6 +44,9 @@ Read input from output of Note that all audit messages are not available via dmesg when auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead. .TP +.B "\-D" | "\-\-dontaudit" +Generate dontaudit rules (Default: allow) +.TP .B "\-h" | "\-\-help" Print a short usage message .TP diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py index 71121d7..139f786 100644 --- a/sepolgen/src/sepolgen/access.py +++ b/sepolgen/src/sepolgen/access.py 
@@ -86,6 +86,8 @@ class AccessVector: self.perms = refpolicy.IdSet() self.audit_msgs = [] + self.dontaudit = False + # The direction of the information flow represented by this # access vector - used for matching self.info_flow_dir = None @@ -253,7 +255,7 @@ class AccessVectorSet: for av in l: self.add_av(AccessVector(av)) - def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None): + def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, dontaudit=False): """Add an access vector to the set. """ tgt = self.src.setdefault(src_type, { }) @@ -266,6 +268,7 @@ class AccessVectorSet: access.src_type = src_type access.tgt_type = tgt_type access.obj_class = obj_class + access.dontaudit = dontaudit cls[obj_class] = access access.perms.update(perms) diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py index efcc40d..80371d0 100644 --- a/sepolgen/src/sepolgen/audit.py +++ b/sepolgen/src/sepolgen/audit.py @@ -424,7 +424,7 @@ class AuditParser: return role_types - def to_access(self, avc_filter=None, only_denials=True): + def to_access(self, avc_filter=None, only_denials=True, dontaudit=False): """Convert the audit logs access into a an access vector set. Convert the audit logs into an access vector set, optionally @@ -448,10 +448,10 @@ class AuditParser: if avc_filter: if avc_filter.filter(avc): av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc) + avc.accesses, avc, dontaudit=dontaudit) else: av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass, - avc.accesses, avc) + avc.accesses, avc, dontaudit=dontaudit) return av_set class AVCTypeFilter: @@ -477,5 +477,3 @@ class ComputeSidTypeFilter: if self.regex.match(avc.tcontext.type): return True return False - - diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py index b138e3d..782ea3d 100644 --- a/sepolgen/src/sepolgen/refpolicy.py +++ b/sepolgen/src/sepolgen/refpolicy.py 
@@ -449,6 +449,8 @@ class AVRule(Leaf): self.tgt_types.add(av.tgt_type) self.obj_classes.add(av.obj_class) self.perms.update(av.perms) + if av.dontaudit: + self.rule_type = audit2why.DONTAUDIT def to_string(self): """Return a string representation of the rule ^ permalink raw reply related [flat|nested] 12+ messages in thread
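Review bot: the refpolicy.py hunk in this updated patch is unchanged from the previous version, so `self.rule_type = audit2why.DONTAUDIT` is still there; the constant belongs to AVRule (the constructor uses `self.ALLOW`), and with no import of audit2why visible in the patch this line should be `self.rule_type = self.DONTAUDIT`. The only difference from the earlier patch is the blank line added around `self.dontaudit = False` in access.py, which does not address this.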
* Re: Audit2allow generating dontaudit rules.
From: Joshua Brindle @ 2010-03-04 17:08 UTC
To: Daniel J Walsh; +Cc: Karl MacMillan, SELinux

Daniel J Walsh wrote:
> On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
>> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>>> I'd rather pass in the rule type to the AVRule init rather than a
>>> boolean about this being a dontaudit rule.
>>>
>>> Karl
>>>
>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>>> wrote:
>>>>
>> How about this patch. Moves the dontaudit up the chain a little bit.
>> Is this what you want.
> One minor problem. Updated patch.
>

Karl?
* Re: Audit2allow generating dontaudit rules.
From: Karl MacMillan @ 2010-03-08 16:11 UTC
To: Joshua Brindle, SE Linux, Daniel J Walsh

Accidentally sent this straight to Josh.

Karl

On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan <karlwmacmillan@gmail.com> wrote:
> I meant this - I don't want to pass around a boolean flag when we have
> a flag for rule type. This allows cleanly adding support for, say,
> generating both allow rules and auditallow rules at the same time.
>
> Karl
>
> On Thu, Mar 4, 2010 at 12:08 PM, Joshua Brindle <method@manicmethod.com> wrote:
>> Daniel J Walsh wrote:
>>>
>>> On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
>>>>
>>>> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>>>>>
>>>>> I'd rather pass in the rule type to the AVRule init rather than a
>>>>> boolean about this being a dontaudit rule.
>>>>>
>>>>> Karl
>>>>>
>>>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>>>>> wrote:
>>>>>>
>>>> How about this patch. Moves the dontaudit up the chain a little bit.
>>>> Is this what you want.
>>>
>>> One minor problem. Updated patch.
>>>
>>
>> Karl?
>>
>
* Re: Audit2allow generating dontaudit rules.
From: Joshua Brindle @ 2010-03-08 16:50 UTC
To: Karl MacMillan; +Cc: SE Linux, Daniel J Walsh

Karl MacMillan wrote:
> Accidentally sent this straight to Josh.
>
> Karl
>
> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com> wrote:
>> I meant this - I don't want to pass around a boolean flag when we have
>> a flag for rule type. This allows cleanly adding support for, say,
>> generating both allow rules and auditallow rules at the same time.

-ENOATTACH

>>
>> Karl
>>
>> On Thu, Mar 4, 2010 at 12:08 PM, Joshua Brindle<method@manicmethod.com> wrote:
>>> Daniel J Walsh wrote:
>>>> On 03/01/2010 03:45 PM, Daniel J Walsh wrote:
>>>>> On 03/01/2010 02:29 PM, Karl MacMillan wrote:
>>>>>> I'd rather pass in the rule type to the AVRule init rather than a
>>>>>> boolean about this being a dontaudit rule.
>>>>>>
>>>>>> Karl
>>>>>>
>>>>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com>
>>>>>> wrote:
>>>>> How about this patch. Moves the dontaudit up the chain a little bit.
>>>>> Is this what you want.
>>>> One minor problem. Updated patch.
>>>>
>>> Karl?
>>>
>
* Re: Audit2allow generating dontaudit rules. 2010-03-08 16:50 ` Joshua Brindle @ 2010-03-08 17:00 ` Karl MacMillan 0 siblings, 0 replies; 12+ messages in thread From: Karl MacMillan @ 2010-03-08 17:00 UTC (permalink / raw) To: Joshua Brindle; +Cc: SE Linux, Daniel J Walsh [-- Attachment #1: Type: text/plain, Size: 1228 bytes --] On Mon, Mar 8, 2010 at 11:50 AM, Joshua Brindle <method@manicmethod.com> wrote: > Karl MacMillan wrote: >> >> Accidentally sent this straight to Josh. >> >> Karl >> >> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com> >> wrote: >>> >>> I meant this - I don't want to pass around a boolean flag when we have >>> a flag for rule type. This allows cleanly adding support for, say, >>> generating both allow rules and auditallow rules at the same time. > > -ENOATTACH > >>> >>> Karl >>> >>> On Thu, Mar 4, 2010 at 12:08 PM, Joshua Brindle<method@manicmethod.com> >>> wrote: >>>> >>>> Daniel J Walsh wrote: >>>>> >>>>> On 03/01/2010 03:45 PM, Daniel J Walsh wrote: >>>>>> >>>>>> On 03/01/2010 02:29 PM, Karl MacMillan wrote: >>>>>>> >>>>>>> I'd rather pass in the rule type to the AVRule init rather than a >>>>>>> boolean about this being a dontaudit rule. >>>>>>> >>>>>>> Karl >>>>>>> >>>>>>> On Wed, Feb 24, 2010 at 3:20 PM, Daniel J Walsh<dwalsh@redhat.com> >>>>>>> wrote: >>>>>> >>>>>> How about this patch. Moves the dontaudit up the chain a little bit. >>>>>> Is this what you want. >>>>> >>>>> One minor problem. Updated patch. >>>>> >>>> Karl? >>>> >> > [-- Attachment #2: 0001-Add-support-for-dontaudit-in-audit2allow.patch --] [-- Type: application/octet-stream, Size: 5273 bytes --] From 4944c87f6f60714f545bcbfc141054fa6d325594 Mon Sep 17 00:00:00 2001 
From: Karl MacMillan <kmacmillan@tresys.com> Date: Thu, 4 Mar 2010 16:00:38 -0500 Subject: [PATCH] Add support for dontaudit in audit2allow. Add support for generated dontallow messages from audit2allow (includes needed sepolgen changes). Based on patch from Dan Walsh. --- policycoreutils/audit2allow/audit2allow | 11 ++++++++++- policycoreutils/audit2allow/audit2allow.1 | 7 +++++-- sepolgen/src/sepolgen/policygen.py | 8 ++++---- sepolgen/src/sepolgen/refpolicy.py | 5 +++-- 4 files changed, 22 insertions(+), 9 deletions(-) diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow index 9186965..3e82cfa 100644 --- a/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow @@ -27,6 +27,7 @@ import sepolgen.output as output import sepolgen.objectmodel as objectmodel import sepolgen.defaults as defaults import sepolgen.module as module +import sepolgen.refpolicy as refpolicy from sepolgen.sepolgeni18n import _ class AuditToPolicy: @@ -46,6 +47,9 @@ class AuditToPolicy: help="read input from audit log - conflicts with -i") parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, help="read input from dmesg - conflicts with --all and --input") + parser.add_option("-D", "--dontaudit", action="store_true", + dest="dontaudit", default=False, + help="generate dontaudit rules") parser.add_option("-i", "--input", dest="input", help="read input from <input> - conflicts with -a") parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False, @@ -314,7 +318,12 @@ class AuditToPolicy: g.set_gen_requires(True) # Generate the policy - g.add_access(self.__avs) + if self.__options.dontaudit: + rule_type = refpolicy.AVRule.DONTAUDIT + else: + rule_type = refpolicy.AVRule.ALLOW + + g.add_access(self.__avs, rule_type) g.add_role_types(self.__role_types) # Output 
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index c041f75..d9635c2 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 @@ -25,10 +25,10 @@ .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA .SH NAME .BR audit2allow - \- generate SELinux policy allow rules from logs of denied operations +\- generate SELinux policy allow/dontaudit rules from logs of denied operations .BR audit2why - \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) +\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) .SH SYNOPSIS .B audit2allow @@ -44,6 +44,9 @@ Read input from output of Note that all audit messages are not available via dmesg when auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead. .TP +.B "\-D" | "\-\-dontaudit" +Generate dontaudit rules (Default: allow) +.TP .B "\-h" | "\-\-help" Print a short usage message .TP diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py index 55cffeb..047007e 100644 --- a/sepolgen/src/sepolgen/policygen.py +++ b/sepolgen/src/sepolgen/policygen.py @@ -141,15 +141,15 @@ class PolicyGenerator: """Return the generated module""" return self.module - def __add_allow_rules(self, avs): + def __add_allow_rules(self, avs, rule_type): for av in avs: - rule = refpolicy.AVRule(av) + rule = refpolicy.AVRule(av, rule_type=rule_type) if self.explain: rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) self.module.children.append(rule) - def add_access(self, av_set): + def add_access(self, av_set, rule_type=refpolicy.AVRule.ALLOW): """Add the access from the access vector set to this module. """ 
@@ -165,7 +165,7 @@ class PolicyGenerator: raw_allow = av_set # Generate the raw allow rules from the filtered list - self.__add_allow_rules(raw_allow) + self.__add_allow_rules(raw_allow, rule_type) def add_role_types(self, role_type_set): for role_type in role_type_set: diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py index b138e3d..1820429 100644 --- a/sepolgen/src/sepolgen/refpolicy.py +++ b/sepolgen/src/sepolgen/refpolicy.py @@ -420,13 +420,14 @@ class AVRule(Leaf): AUDITALLOW = 2 NEVERALLOW = 3 - def __init__(self, av=None, parent=None): + def __init__(self, av=None, parent=None, rule_type=ALLOW): Leaf.__init__(self, parent) self.src_types = IdSet() self.tgt_types = IdSet() self.obj_classes = IdSet() self.perms = IdSet() - self.rule_type = self.ALLOW + self.rule_type = rule_type + if av: self.from_av(av) -- 1.6.6 ^ permalink raw reply related [flat|nested] 12+ messages in thread
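Review bot: the commit message says "Add support for generated dontallow messages from audit2allow"; "dontallow" is a typo for dontaudit, and the tool generates rules rather than messages, so the summary line should say what the patch does before this is applied.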
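Review bot: in the policygen.py hunks, `__add_allow_rules(self, avs, rule_type)` and the unchanged comment "# Generate the raw allow rules from the filtered list" keep the allow-only name while the code now emits whatever `rule_type` asks for, and the add_access docstring does not describe the new parameter or its default of refpolicy.AVRule.ALLOW. A rename (or a comment) plus one docstring line would keep the next reader from assuming the module holds allow rules.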
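Review bot: in the refpolicy.py hunk, `self.rule_type = rule_type` stores the argument unchecked, so a caller passing anything other than the four class constants only finds out when to_string() runs on the finished module. A one-line check in __init__ against ALLOW, DONTAUDIT, AUDITALLOW and NEVERALLOW would raise at the point of the mistake instead. The `rule_type=ALLOW` default binds the class-body name at definition time, which works here because ALLOW is defined above the method, but a comment noting that is worthwhile.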
* Re: Audit2allow generating dontaudit rules. 2010-03-08 16:11 ` Karl MacMillan 2010-03-08 16:50 ` Joshua Brindle @ 2010-03-08 19:33 ` Daniel J Walsh 2010-03-08 20:44 ` Karl MacMillan 2010-03-12 13:33 ` Joshua Brindle 1 sibling, 2 replies; 12+ messages in thread From: Daniel J Walsh @ 2010-03-08 19:33 UTC (permalink / raw) To: Karl MacMillan; +Cc: Joshua Brindle, SE Linux [-- Attachment #1: Type: text/plain, Size: 537 bytes --] On 03/08/2010 11:11 AM, Karl MacMillan wrote: > Accidentally sent this straight to Josh. > > Karl > > On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com> wrote: > >> I meant this - I don't want to pass around a boolean flag when we have >> a flag for rule type. This allows cleanly adding support for, say, >> generating both allow rules and auditallow rules at the same time. >> >> <snip> Ok this one only adds a flag to the policygenerator to tell it to generate dontaudit rules. No passing of args. [-- Attachment #2: audit2allow_dontaudit.patch --] [-- Type: text/plain, Size: 3286 bytes --] diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow index 9186965..5ad9fdb 100644 --- a/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow @@ -58,6 +58,9 @@ class AuditToPolicy: help="generate a module package - conflicts with -o and -m") parser.add_option("-o", "--output", dest="output", help="append output to <filename>, conflicts with -M") + parser.add_option("-D", "--dontaudit", action="store_true", + dest="dontaudit", default=False, + help="generate policy with dontaudit rules") parser.add_option("-R", "--reference", action="store_true", dest="refpolicy", default=True, help="generate refpolicy style output") @@ -295,6 +298,8 @@ class AuditToPolicy: g = policygen.PolicyGenerator() + g.set_gen_dontaudit(self.__options.dontaudit) + if self.__options.module: g.set_module_name(self.__options.module) 
diff --git a/policycoreutils/audit2allow/audit2allow.1 b/policycoreutils/audit2allow/audit2allow.1 index c041f75..d9635c2 100644 --- a/policycoreutils/audit2allow/audit2allow.1 +++ b/policycoreutils/audit2allow/audit2allow.1 @@ -25,10 +25,10 @@ .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA .SH NAME .BR audit2allow - \- generate SELinux policy allow rules from logs of denied operations +\- generate SELinux policy allow/dontaudit rules from logs of denied operations .BR audit2why - \- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) +\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w) .SH SYNOPSIS .B audit2allow @@ -44,6 +44,9 @@ Read input from output of Note that all audit messages are not available via dmesg when auditd is running; use "ausearch -m avc | audit2allow" or "-a" instead. .TP +.B "\-D" | "\-\-dontaudit" +Generate dontaudit rules (Default: allow) +.TP .B "\-h" | "\-\-help" Print a short usage message .TP diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py index 55cffeb..0e6b502 100644 --- a/sepolgen/src/sepolgen/policygen.py +++ b/sepolgen/src/sepolgen/policygen.py @@ -75,6 +75,8 @@ class PolicyGenerator: else: self.module = refpolicy.Module() + self.dontaudit = False + def set_gen_refpol(self, if_set=None, perm_maps=None): """Set whether reference policy interfaces are generated. @@ -108,6 +110,9 @@ class PolicyGenerator: """ self.explain = explain + def set_gen_dontaudit(self, dontaudit): + self.dontaudit = dontaudit + def __set_module_style(self): if self.ifgen: refpolicy = True 
@@ -144,6 +149,8 @@ class PolicyGenerator: def __add_allow_rules(self, avs): for av in avs: rule = refpolicy.AVRule(av) + if self.dontaudit: + rule.rule_type = rule.DONTAUDIT if self.explain: rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain)) self.module.children.append(rule) ^ permalink raw reply related [flat|nested] 12+ messages in thread
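Review bot: in the policygen.py hunk adding `set_gen_dontaudit`, the new setter has no docstring while the neighbouring setters do (the context shows set_gen_refpol opening with "Set whether reference policy interfaces are generated." and the explain setter ending its docstring just above). Add a one-line docstring stating that it switches the generated AV rules from allow to dontaudit.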
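Review bot: in the `__add_allow_rules` hunk, each rule is constructed as an allow rule and then has `rule.rule_type` overwritten with rule.DONTAUDIT; that works, but the method name and the surrounding "allow rules" wording now describe only the default case. A short comment on the override, or a rename along the lines of __add_av_rules, would make the -D behaviour visible to anyone reading the generator later.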
* Re: Audit2allow generating dontaudit rules.
From: Karl MacMillan @ 2010-03-08 20:44 UTC
To: Daniel J Walsh; +Cc: Joshua Brindle, SE Linux

On Mon, Mar 8, 2010 at 2:33 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/08/2010 11:11 AM, Karl MacMillan wrote:
>>
>> Accidentally sent this straight to Josh.
>>
>> Karl
>>
>> On Thu, Mar 4, 2010 at 4:46 PM, Karl MacMillan<karlwmacmillan@gmail.com>
>> wrote:
>>
>>>
>>> I meant this - I don't want to pass around a boolean flag when we have
>>> a flag for rule type. This allows cleanly adding support for, say,
>>> generating both allow rules and auditallow rules at the same time.
>>>
>>>
>
> <snip>
>
> Ok this one only adds a flag to the policygenerator to tell it to generate
> dontaudit rules.
>
> No passing of args.
>

Acked-by: Karl MacMillan <karlwmacmillan@gmail.com>
* Re: Audit2allow generating dontaudit rules.
From: Joshua Brindle @ 2010-03-12 13:33 UTC
To: Daniel J Walsh; +Cc: Karl MacMillan, SE Linux

Daniel J Walsh wrote:
> On 03/08/2010 11:11 AM, Karl MacMillan wrote:
>> Accidentally sent this straight to Josh.
>>
>> Karl
>>
>> On Thu, Mar 4, 2010 at 4:46 PM, Karl
>> MacMillan<karlwmacmillan@gmail.com> wrote:
>>> I meant this - I don't want to pass around a boolean flag when we have
>>> a flag for rule type. This allows cleanly adding support for, say,
>>> generating both allow rules and auditallow rules at the same time.
>>>
> <snip>
>
> Ok this one only adds a flag to the policygenerator to tell it to
> generate dontaudit rules.
>
> No passing of args.

Merged in policycoreutils 2.0.81 and sepolgen 1.0.20
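The design point argued in this thread, as an added example that is not sepolgen's or audit2allow's code: a miniature audit2allow that parses AVC denial records into an access-vector set and renders each vector as an allow, dontaudit or auditallow rule keyed by a rule-type constant, so that one run can emit several rule types, which a single dontaudit boolean cannot express. The function names (parse_avc, to_access, av_rule, generate) and the sample AVC lines are constructed for this example; the rule-type constants mirror the ALLOW/DONTAUDIT/AUDITALLOW/NEVERALLOW attributes of refpolicy.AVRule shown in the patches.

```python
import re
from collections import OrderedDict

# Rule-type constants in the same spirit as refpolicy.AVRule's class attributes
# (assumed values; only the names matter here).
ALLOW, DONTAUDIT, AUDITALLOW, NEVERALLOW = 0, 1, 2, 3
RULE_KEYWORDS = {ALLOW: "allow", DONTAUDIT: "dontaudit",
                 AUDITALLOW: "auditallow", NEVERALLOW: "neverallow"}

# Fields audit2allow needs from one AVC denial record; scontext/tcontext are
# user:role:type[:level] and the type is the third colon-separated field.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")


def parse_avc(line):
    """Return (src_type, tgt_type, obj_class, set(perms)), or None for non-denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    src_type = m.group("scontext").split(":")[2]
    tgt_type = m.group("tcontext").split(":")[2]
    return src_type, tgt_type, m.group("tclass"), set(m.group("perms").split())


def to_access(lines):
    """Merge denials into one entry per (src, tgt, class) with the permissions
    unioned, the way sepolgen's AccessVectorSet.add() folds repeated denials."""
    av_set = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        av_set.setdefault((src, tgt, cls), set()).update(perms)
    return av_set


def av_rule(src, tgt, cls, perms, rule_type=ALLOW):
    """Render one access vector as a policy rule of the requested type.
    The type is validated up front rather than when the rule is stringified."""
    if rule_type not in RULE_KEYWORDS:
        raise ValueError("unknown rule type %r" % (rule_type,))
    perm_str = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_str = "{ %s }" % perm_str
    return "%s %s %s:%s %s;" % (RULE_KEYWORDS[rule_type], src, tgt, cls, perm_str)


def generate(lines, rule_types=(ALLOW,)):
    """Emit one rule per access vector for each requested rule type.
    generate(lines, (ALLOW, AUDITALLOW)) yields both kinds in one pass,
    which is the case a boolean dontaudit flag cannot represent."""
    rules = []
    for (src, tgt, cls), perms in to_access(lines).items():
        for rt in rule_types:
            rules.append(av_rule(src, tgt, cls, perms, rt))
    return rules


# Constructed sample records, not taken from a real system: two denials that
# fold into one access vector, one separate denial, and a non-AVC record.
SAMPLE_AVC = [
    "type=AVC msg=audit(1267000000.123:45): avc:  denied  { read } for  pid=1234 "
    "comm=\"httpd\" name=\"index.html\" dev=sda1 ino=99 "
    "scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file",
    "type=AVC msg=audit(1267000000.456:46): avc:  denied  { getattr } for  pid=1234 "
    "comm=\"httpd\" path=\"/home/u/index.html\" dev=sda1 ino=99 "
    "scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file",
    "type=AVC msg=audit(1267000001.789:47): avc:  denied  { name_connect } for  pid=1234 "
    "comm=\"httpd\" dest=3306 "
    "scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket",
    "type=SYSCALL msg=audit(1267000001.789:47): arch=c000003e syscall=42 success=no exit=-13",
]

if __name__ == "__main__":
    # audit2allow's default output: allow rules
    for rule in generate(SAMPLE_AVC):
        print(rule)
    # audit2allow -D: silence the denials instead of permitting them
    for rule in generate(SAMPLE_AVC, (DONTAUDIT,)):
        print(rule)
```

A dontaudit rule hides the denial from the audit log without granting the access, so reviewing the generated rules before loading them matters as much as for allow rules.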