From: Daniel J Walsh <dwalsh@redhat.com>
To: Laurent Bigonville <bigon@debian.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: audit2allow/sepolgen not setting the locale properly when calculating the bootdate
Date: Fri, 10 May 2013 08:19:25 -0400
Message-ID: <518CE5CD.8000809@redhat.com>
In-Reply-To: <20130509225106.7191c1df@soldur.bigon.be>
[-- Attachment #1: Type: text/plain, Size: 1435 bytes --]
On 05/09/2013 04:51 PM, Laurent Bigonville wrote:
> Hello,
>
> When using a locale that uses a date format other than MM/DD/YY,
> allow2audit -b is not working properly (shows <no matches>). The ausearch
> executable is expecting the date to be formatted in the user locale.
>
> Explicitly setting "locale.setlocale(locale.LC_ALL, '')" inside the
> sepolgen get_audit_boot_msgs() function (or in the allow2audit executable)
> is passing the correct date to the ausearch executable.
>
> I'll propose a patch for this if you want, but I'm not sure if you would
> prefer this to be fixed in the audit2allow executable or in the sepolgen
> python library.
>
> Cheers
>
> Laurent Bigonville
We have a patch for this in Fedora now. The attached patch is the difference
between upstream and Fedora. Eric and I will begin putting together a series
of patches to get Fedora patches into upstream.
[-- Attachment #2: audit2allow.patch --]
[-- Type: text/x-patch, Size: 2767 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 8e0c396..1059bea 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -18,7 +18,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
-import sys
+import sys, os
import sepolgen.audit as audit
import sepolgen.policygen as policygen
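Review bot: `import sys, os` puts two modules on one import line, while the surrounding imports in this file are one per line; a separate `import os` line would match them. From the lines visible here, `os` is needed only for the `os.path.basename(sys.argv[0])` default added to the `--why` option further down.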
@@ -29,6 +29,8 @@ import sepolgen.defaults as defaults
import sepolgen.module as module
from sepolgen.sepolgeni18n import _
import selinux.audit2why as audit2why
+import locale
+locale.setlocale(locale.LC_ALL, '')
class AuditToPolicy:
VERSION = "%prog .1"
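Review bot: the module-level `locale.setlocale(locale.LC_ALL, '')` is unguarded, and `setlocale` raises `locale.Error` when the environment names a locale the system does not have, so audit2allow would exit with a traceback before option parsing. Wrapping the call in `try`/`except locale.Error` and continuing with the default locale would avoid that. Placing the call in the executable also leaves other callers of sepolgen's `get_audit_boot_msgs()` with the original behaviour, which is the choice raised in the quoted report.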
@@ -80,8 +82,7 @@ class AuditToPolicy:
parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
parser.add_option("--debug", dest="debug", action="store_true", default=False,
help="leave generated modules for -M")
-
- parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False,
+ parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0])=="audit2why"),
help="Translates SELinux audit messages into a description of why the access was denied")
options, args = parser.parse_args()
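Review bot: the new default for `--why`, `os.path.basename(sys.argv[0])=="audit2why"`, makes behaviour depend on the name the script was invoked under, and nothing in the option's help text says so. Because the option is `store_true`, a run under the name audit2why has no way to switch it back off. A comment above the option or a line in the help string would make this discoverable. The hunk also drops a blank line, which is unrelated whitespace churn.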
@@ -267,12 +268,10 @@ class AuditToPolicy:
continue
if rc == audit2why.CONSTRAINT:
- print "\t\tPolicy constraint violation.\n"
- print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
- print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
- for reason in data:
- print "\t\tNote: Possible cause is the source and target %s differ\n" % reason
- continue
+ print #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ print "#Constraint rule: \n\t" + data[0]
+ for reason in data[1:]:
+ print "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
if rc == audit2why.RBAC:
print "\t\tMissing role allow rule.\n"
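Review bot: the first added `print` in the `audit2why.CONSTRAINT` branch has no opening quote before `#!!!!`, so as written Python reads the rest of the line as a comment and the statement prints only an empty line; the constraint-violation message is never shown. Add the opening `"`. Also in this branch: the removed `continue` means control now falls through to the `if rc == audit2why.RBAC:` test and whatever follows it; the format string with two `%s` requires each `reason` to be a two-item tuple, and `data[0]` must be a string for the `+` to work; and the trailing `\n\b` ends the message with a backspace character, which looks like a typo.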
@@ -350,6 +349,9 @@ class AuditToPolicy:
except ValueError, e:
print e
sys.exit(1)
+ except IOError, e:
+ print e
+ sys.exit(1)
if __name__ == "__main__":
app = AuditToPolicy()
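Review bot: the added `except IOError, e:` clause repeats the body of the `except ValueError, e:` clause above it; `except (ValueError, IOError), e:` would handle both in one place. Both handlers `print e` to standard output before `sys.exit(1)`, so the error text mixes with the generated policy output when that is redirected; writing to `sys.stderr` would keep them apart.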