* Re: audit2allow/sepolgen not setting the locale properly when calculating the bootdate
2013-05-09 20:51 audit2allow/sepolgen not setting the locale properly when calculating the bootdate Laurent Bigonville
@ 2013-05-10 12:19 ` Daniel J Walsh
From: Daniel J Walsh @ 2013-05-10 12:19 UTC
To: Laurent Bigonville; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 1435 bytes --]
On 05/09/2013 04:51 PM, Laurent Bigonville wrote:
> Hello,
>
> When using a locale that uses a date format other than MM/DD/YY,
> allow2audit -b is not working properly (shows <no matches>). The ausearch
> executable is expecting the date to be formatted in the user locale.
>
> Explicitly setting "locale.setlocale(locale.LC_ALL, '')" inside the
> sepolgen get_audit_boot_msgs() function (or in the allow2audit executable)
> is passing the correct date to the ausearch executable.
>
> I'll propose a patch for this if you want, but I'm not sure if you would
> prefer this to be fixed in the audit2allow executable or in the sepolgen
> python library.
>
> Cheers
>
> Laurent Bigonville
>
We have a patch for this in Fedora now. The attached patch is the difference
between upstream and Fedora. Eric and I will begin putting together a series
of patches to get Fedora patches into upstream.
[-- Attachment #2: audit2allow.patch --]
[-- Type: text/x-patch, Size: 2767 bytes --]
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 8e0c396..1059bea 100644
--- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow
@@ -18,7 +18,7 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
-import sys
+import sys, os
import sepolgen.audit as audit
import sepolgen.policygen as policygen
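Review bot: `import sys, os` puts two modules on one import line while the file's other imports are one per line; add `import os` on its own line instead. `os` is only needed for the `os.path.basename(sys.argv[0])` default introduced in the `--why` hunk, so the two changes should land together.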
@@ -29,6 +29,8 @@ import sepolgen.defaults as defaults
import sepolgen.module as module
from sepolgen.sepolgeni18n import _
import selinux.audit2why as audit2why
+import locale
+locale.setlocale(locale.LC_ALL, '')
class AuditToPolicy:
VERSION = "%prog .1"
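Review bot: `locale.setlocale(locale.LC_ALL, '')` runs at module level with no error handling, so an environment that names a locale the system does not provide raises `locale.Error` and the tool exits with a traceback before option parsing. Wrap the call in `try: ... except locale.Error:` and continue in the default C locale, and add a comment saying the call is there so that the boot date passed to ausearch for `-b` is formatted in the user's locale.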
@@ -80,8 +82,7 @@ class AuditToPolicy:
parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
parser.add_option("--debug", dest="debug", action="store_true", default=False,
help="leave generated modules for -M")
-
- parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=False,
+ parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0])=="audit2why"),
help="Translates SELinux audit messages into a description of why the access was denied")
options, args = parser.parse_args()
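Review bot: the new `default=(os.path.basename(sys.argv[0])=="audit2why")` on `--why` makes the mode depend on the name the script was invoked under, and neither the help string nor a comment says so. State in the help text that invoking the program as `audit2why` implies `-w`, and compute the value in a named variable above the `add_option` call so the line stays readable. The exact string comparison also means a wrapper or a name with a suffix silently gets the audit2allow behaviour.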
@@ -267,12 +268,10 @@ class AuditToPolicy:
continue
if rc == audit2why.CONSTRAINT:
- print "\t\tPolicy constraint violation.\n"
- print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
- print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
- for reason in data:
- print "\t\tNote: Possible cause is the source and target %s differ\n" % reason
- continue
+ print #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ print "#Constraint rule: \n\t" + data[0]
+ for reason in data[1:]:
+ print "#\tPossible cause is the source %s and target %s are different.\n\b" % reason
if rc == audit2why.RBAC:
print "\t\tMissing role allow rule.\n"
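Review bot: the first added line in the CONSTRAINT branch, `print #!!!! This avc is a constraint violation. ...`, has no opening quote, so everything after `print` is a comment and only an empty line is printed; add the missing `"` before `#!!!!`. In the loop, the format string has two `%s` but is applied to a single `reason`, which raises TypeError unless every element of `data[1:]` is a two-item tuple, where the removed code used one `%s` per reason. The trailing `\b` looks like a typo, and `data[0]` is read without checking that `data` is non-empty. The `continue` that ended this branch is also dropped, so control now falls through to the `audit2why.RBAC` test; say whether that is intended.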
@@ -350,6 +349,9 @@ class AuditToPolicy:
except ValueError, e:
print e
sys.exit(1)
+ except IOError, e:
+ print e
+ sys.exit(1)
if __name__ == "__main__":
app = AuditToPolicy()
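Review bot: the added `except IOError, e:` handler repeats the `ValueError` handler above it line for line and prints the error to stdout rather than stderr. Fold the two into one `except (ValueError, IOError), e:` clause and write the message to `sys.stderr` before `sys.exit(1)`.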
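The locale dependence described in the report at the top of this thread, as an added example that is not part of the thread or of policycoreutils. It assumes the boot date is produced with `time.strftime("%x")` and scopes the change to LC_TIME rather than LC_ALL; the function names, the candidate locale names and the sample timestamp are constructed for illustration.

```python
import locale
import time

def date_in_locale(epoch, name):
    """Format epoch with strftime('%x') under LC_TIME=name.

    Returns None when the C library does not support that locale.
    setlocale() is process-wide, so the previous value is restored.
    """
    saved = locale.setlocale(locale.LC_TIME)  # one argument: query only
    try:
        locale.setlocale(locale.LC_TIME, name)
        # gmtime keeps the sample deterministic; a real caller would
        # normally use local time.
        return time.strftime("%x", time.gmtime(epoch))
    except locale.Error:
        return None
    finally:
        locale.setlocale(locale.LC_TIME, saved)

def boot_date_for_ausearch(epoch):
    """Date string in the user's locale ('' = taken from the environment),
    falling back to the C locale if the environment names a bad one."""
    return date_in_locale(epoch, "") or date_in_locale(epoch, "C")

# Constructed sample: 2013-05-09 20:51 UTC, the date of the original report.
SAMPLE_EPOCH = 1368132660

if __name__ == "__main__":
    # Candidate locale names (assumptions); ones not installed print as None.
    # Without any setlocale() call Python formats as in the "C" row, whatever
    # LANG says, which is the mismatch the report describes.
    for name in ("C", "en_US.UTF-8", "en_GB.UTF-8", "fr_BE.UTF-8"):
        print("%-12s %s" % (name, date_in_locale(SAMPLE_EPOCH, name)))
    print("user locale  %s" % boot_date_for_ausearch(SAMPLE_EPOCH))
```

On a system with a day-first locale installed, the rows differ only in field order, so a date formatted under the wrong locale still parses but names a different day.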