* [PATCH 1/2] semanage: use socket.getprotobyname for protocol
@ 2016-08-15  8:44 Miroslav Vadkerti
From: Miroslav Vadkerti @ 2016-08-15  8:44 UTC (permalink / raw)
  To: selinux

This patch removes proto_to_audit dictionary and uses
standard socket.getprotobyname(protocol) to resolve
protocol number from given protocol name.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
 policycoreutils/semanage/seobject.py | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 8d3088c..538ff0a 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -28,6 +28,7 @@ import os
 import re
 import sys
 import stat
+import socket
 from semanage import *
 PROGNAME = "policycoreutils"
 import sepolicy
@@ -88,11 +89,6 @@ file_type_str_to_option = {"all files": "a",
                            "symbolic link": "l",
                            "named pipe": "p"}
 
-proto_to_audit = {"tcp": 6,
-                  "udp": 17,
-                  "ipv4": 4,
-                  "ipv6": 41}
-
 ftype_to_audit = {"": "any",
                   "b": "block",
                   "c": "char",
@@ -1134,7 +1130,7 @@ class portRecords(semanageRecords):
         semanage_port_key_free(k)
         semanage_port_free(p)
 
-        self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+        self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange))
 
     def add(self, port, proto, serange, type):
         self.begin()
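Review bot: socket.getprotobyname() on the new log_change line raises OSError (socket.error on Python 2) for a name absent from /etc/protocols, where the removed dict raised KeyError, and the call sits after semanage_port_free(p) but, judging by the begin() visible in add() below, presumably before the transaction is committed, so a failed lookup now aborts the whole add with a different exception type than callers may expect. Resolving the number up front would fail early and keep the policy change and its audit record together: `proto_num = socket.getprotobyname(proto)` at the top of the method, then `proto=%s" % (..., proto_num, ...)` in the log line. On a host without /etc/protocols (minimal containers, chroots) every port add/modify/delete would now fail for the same reason, so a fallback `except OSError: proto_num = proto` that logs the name is worth considering. The enclosing __add method starts outside the hunk.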
@@ -1177,7 +1173,7 @@ class portRecords(semanageRecords):
         semanage_port_key_free(k)
         semanage_port_free(p)
 
-        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange))
 
     def modify(self, port, proto, serange, setype):
         self.begin()
@@ -1210,7 +1206,7 @@ class portRecords(semanageRecords):
             if low == high:
                 port_str = low
 
-            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str)))
 
         self.commit()
 
@@ -1234,7 +1230,7 @@ class portRecords(semanageRecords):
 
         semanage_port_key_free(k)
 
-        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto)))
 
     def delete(self, port, proto):
         self.begin()
@@ -1414,7 +1410,7 @@ class nodeRecords(semanageRecords):
         semanage_node_key_free(k)
         semanage_node_free(node)
 
-        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
 
     def add(self, addr, mask, proto, serange, ctype):
         self.begin()
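Review bot: The new call hands self.protocol[proto] to socket.getprotobyname(), but the table removed earlier in this patch carried a non-standard "ipv4" → 4 entry; "ipv4" is not a name a typical /etc/protocols defines (4 is listed there as ipencap, and IPv4 itself has no protocol-number line), so if self.protocol still yields "ipv4" this lookup is likely to raise OSError and abort every IPv4 node add/modify/delete. Either keep an explicit mapping for the node family, e.g. `node_proto_to_audit = {"ipv4": 4, "ipv6": 41}`, or log the family name as-is with `proto=%s" % self.protocol[proto]`. self.protocol is defined outside the hunk, so this needs confirming against the class constructor.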
@@ -1457,7 +1453,7 @@ class nodeRecords(semanageRecords):
         semanage_node_key_free(k)
         semanage_node_free(node)
 
-        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
 
     def modify(self, addr, mask, proto, serange, setype):
         self.begin()
@@ -1490,7 +1486,7 @@ class nodeRecords(semanageRecords):
 
         semanage_node_key_free(k)
 
-        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
 
     def delete(self, addr, mask, proto):
         self.begin()
-- 
1.8.3.1


* [PATCH 2/2] semanage: default to "s0" if serange empty for port modify
@ 2016-08-15  8:44 ` Miroslav Vadkerti
From: Miroslav Vadkerti @ 2016-08-15  8:44 UTC (permalink / raw)
  To: selinux

In case serange is empty, but the record is being modified
(setype was supplied), use the default "s0" range. With the original
code the audit event would be printed with no range (e.g.
"system_u:object_r:ssh_port_t:").

Note that default "s0" is currently used in other places
of seobject.py.

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
 policycoreutils/semanage/seobject.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 538ff0a..a6681f0 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -1161,8 +1161,11 @@ class portRecords(semanageRecords):
 
         con = semanage_port_get_con(p)
 
-        if (is_mls_enabled == 1) and (serange != ""):
-            semanage_context_set_mls(self.sh, con, untranslate(serange))
+        if is_mls_enabled == 1:
+            if serange == "":
+                serange = "s0"
+            else:
+                semanage_context_set_mls(self.sh, con, untranslate(serange))
         if setype != "":
             semanage_context_set_type(self.sh, con, setype)
 
-- 
1.8.3.1


* Re: [PATCH 2/2] semanage: default to "s0" if serange empty for port modify
@ 2016-08-15  8:52   ` Dominick Grift
From: Dominick Grift @ 2016-08-15  8:52 UTC (permalink / raw)
  To: selinux



On 08/15/2016 10:44 AM, Miroslav Vadkerti wrote:
> In case serange is empty, but the record is beeing modified
> (setype was supplied), use default "s0" range. With the original
> code the audit event would be printed with no range (i.e.
> "system_u:object_r:ssh_port_t:")
> 
> Note that default "s0" is currently used in other places
> of seobject.py.
> 

Note-to-self: when we deal with refpolicy specific identifiers like
system_u remember to also deal with these. Since these are essentially
also refpolicy specific identifiers.

> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> ---
>  policycoreutils/semanage/seobject.py | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 538ff0a..a6681f0 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -1161,8 +1161,11 @@ class portRecords(semanageRecords):
>  
>          con = semanage_port_get_con(p)
>  
> -        if (is_mls_enabled == 1) and (serange != ""):
> -            semanage_context_set_mls(self.sh, con, untranslate(serange))
> +        if is_mls_enabled == 1:
> +            if serange == "":
> +                serange = "s0"
> +            else:
> +                semanage_context_set_mls(self.sh, con, untranslate(serange))
>          if setype != "":
>              semanage_context_set_type(self.sh, con, setype)
>  
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift




* Re: [PATCH 1/2] semanage: use socket.getprotobyname for protocol
@ 2016-08-15 18:29 ` James Carter
From: James Carter @ 2016-08-15 18:29 UTC (permalink / raw)
  To: Miroslav Vadkerti, selinux

On 08/15/2016 04:44 AM, Miroslav Vadkerti wrote:
> This patch removes proto_to_audit dictionary and uses
> standard socket.getprotobyname(protocol) to resolve
> protocol number from given protocol name.
>
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>

Applied both patches.

Thanks,
Jim

> ---
>  policycoreutils/semanage/seobject.py | 20 ++++++++------------
>  1 file changed, 8 insertions(+), 12 deletions(-)
>
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 8d3088c..538ff0a 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -28,6 +28,7 @@ import os
>  import re
>  import sys
>  import stat
> +import socket
>  from semanage import *
>  PROGNAME = "policycoreutils"
>  import sepolicy
> @@ -88,11 +89,6 @@ file_type_str_to_option = {"all files": "a",
>                             "symbolic link": "l",
>                             "named pipe": "p"}
>
> -proto_to_audit = {"tcp": 6,
> -                  "udp": 17,
> -                  "ipv4": 4,
> -                  "ipv6": 41}
> -
>  ftype_to_audit = {"": "any",
>                    "b": "block",
>                    "c": "char",
> @@ -1134,7 +1130,7 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
>
> -        self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
> +        self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", type, serange))
>
>      def add(self, port, proto, serange, type):
>          self.begin()
> @@ -1177,7 +1173,7 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
>
> -        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
> +        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, socket.getprotobyname(proto), "system_u", "object_r", setype, serange))
>
>      def modify(self, port, proto, serange, setype):
>          self.begin()
> @@ -1210,7 +1206,7 @@ class portRecords(semanageRecords):
>              if low == high:
>                  port_str = low
>
> -            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
> +            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, socket.getprotobyname(proto_str)))
>
>          self.commit()
>
> @@ -1234,7 +1230,7 @@ class portRecords(semanageRecords):
>
>          semanage_port_key_free(k)
>
> -        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
> +        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, socket.getprotobyname(proto)))
>
>      def delete(self, port, proto):
>          self.begin()
> @@ -1414,7 +1410,7 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> -        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
> +        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
>
>      def add(self, addr, mask, proto, serange, ctype):
>          self.begin()
> @@ -1457,7 +1453,7 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> -        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
> +        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
>
>      def modify(self, addr, mask, proto, serange, setype):
>          self.begin()
> @@ -1490,7 +1486,7 @@ class nodeRecords(semanageRecords):
>
>          semanage_node_key_free(k)
>
> -        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
> +        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
>
>      def delete(self, addr, mask, proto):
>          self.begin()
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

