Revised perl script

From: Justin Smith <jsmith_at_mcs.drexel.edu>
Date: 04 Dec 2001 13:24:35 -0500

1. Here's the revised perl script that uses the new one-line format for denied-messages:

#---------------------cut here---------------------------------
#!/usr/bin/perl
use strict;
use warnings;

# Read kernel AVC denial messages from "messages" and write one
# allow rule per (source type, target type, class) to "newrules".
open ERRFILE, "< messages" or die "cannot open messages: $!";
open NEWRULES, "> newrules" or die "cannot open newrules: $!";

my %rules = ();

# format: $rules{ "$scontext|$tcontext|$tclass"}
# = { '$accesstype' => 1};

while (my $inline = <ERRFILE>)
  {
    # $1 is the space-separated permission list inside the braces;
    # $' (postmatch) is the rest of the line after the closing brace
    next unless ($inline =~ /avc:\s*denied\s*\{((\w|\s)*)\}/);
    my $accesstype = $1;
    my $nextline = $';
    # only the type (third field) of each security context is kept
    $nextline =~ /scontext=\w+:\w+:(\w+)\s*/;
    my $scontext = $1;
    $nextline = $';
    $nextline =~ /tcontext=\w+:\w+:(\w+)\s*/;
    my $tcontext = $1;
    $nextline = $';
    $nextline =~ /tclass=(\w+)\s*\Z/;
    my $tclass = $1;
    # split ' ' (rather than split / /) drops the empty leading field
    # that the space after "{" produces; re-matching that empty field
    # with /\s*(\w+)\s*/ fails and leaves $1 holding $tclass, which
    # would then be recorded as if it were a permission
    my @atypes = split ' ', $accesstype;
    foreach my $atype (@atypes)
      {
	$rules{"$scontext|$tcontext|$tclass"}{$atype}=1;
      }
  }

# done with the input file
# now generate the rules

foreach my $k (sort keys %rules)
  {
    my ($scontext,$tcontext,$tclass) = split /\|/, $k;
    print NEWRULES "allow $scontext $tcontext:$tclass { ";
    my $access_types = $rules{$k};
    foreach my $t (sort keys %$access_types)
      {
	print NEWRULES "$t ";
      }
    print NEWRULES "};\n";
  }
close NEWRULES;
#------------------------------------------------------------------


2. Here's the result of running it on the new ipchains domain:
# File contexts for the ipchains programs:

#-------------------------cut here------------
/usr/sbin/ipchains		system_u:object_r:ipchains_exec_t
/sbin/ipchains			system_u:object_r:ipchains_exec_t
/sbin/ipchains-restore		system_u:object_r:ipchains_exec_t
/sbin/ipchains-save		system_u:object_r:ipchains_exec_t
#--------------------------------------------------------------------

Description of the ipchains domain:

#---------------------cut here------------------------
#
# Rules for the ipchains_t domain.
#
type ipchains_t, domain, privlog;
type ipchains_exec_t, file_type, sysadmfile, exec_type;
type ipchains_file_t, file_type, sysadmfile;
type ipchains_var_run_t, file_type, sysadmfile, pidfile;

domain_auto_trans(ipchains_t, insmod_exec_t, insmod_t)

domain_auto_trans(ipchains_t, ifconfig_exec_t, ifconfig_t)
file_type_auto_trans(ipchains_t, var_run_t, ipchains_var_run_t)

# Inherit and use descriptors from init.
allow ipchains_t init_t:fd inherit_fd_perms;

#--------auto-generated:
allow ipchains_t bin_t:file { execute execute_no_trans };
allow ipchains_t ipchains_exec_t:file { execute_no_trans };
allow ipchains_t ipchains_t:capability { net_admin net_raw };
allow ipchains_t ipchains_t:rawip_socket { create setopt };
#----------------------------end------------------------
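The post never shows a denial message in the one-line format the script in item 1 parses, so here is an added demonstration (not part of the original post) that runs the same denial-to-allow conversion, wrapped in a function, over constructed log lines; the pid/exe fields and the unrelated kernel line are made up, and the two capability denials are merged into a single rule.

```perl
#!/usr/bin/perl
# Added demonstration: the conversion from the script in item 1 as a
# function, applied to constructed AVC lines.
use strict;
use warnings;

# Constructed sample lines in the one-line AVC format the script
# expects (pid/exe are filler; only the braces, scontext, tcontext
# and tclass fields are parsed).
my @sample = (
    'avc: denied { net_admin } for pid=101 exe=/sbin/ipchains'
      . ' scontext=system_u:system_r:ipchains_t'
      . ' tcontext=system_u:system_r:ipchains_t tclass=capability',
    'avc: denied { net_raw } for pid=101 exe=/sbin/ipchains'
      . ' scontext=system_u:system_r:ipchains_t'
      . ' tcontext=system_u:system_r:ipchains_t tclass=capability',
    'avc: denied { create setopt } for pid=101 exe=/sbin/ipchains'
      . ' scontext=system_u:system_r:ipchains_t'
      . ' tcontext=system_u:system_r:ipchains_t tclass=rawip_socket',
    'kernel: eth0: link up',   # non-AVC line, must be skipped
);

# Collapse every denial for the same (source type, target type, class)
# into one allow rule whose permission set is the union of the denials.
sub avc_to_rules {
    my @lines = @_;
    my %rules;
    for my $line (@lines) {
        next unless $line =~ /avc:\s*denied\s*\{([\w\s]*)\}/;
        my @perms = split ' ', $1;       # split ' ' drops empty fields
        my ($scontext) = $line =~ /scontext=\w+:\w+:(\w+)/ or next;
        my ($tcontext) = $line =~ /tcontext=\w+:\w+:(\w+)/ or next;
        my ($tclass)   = $line =~ /tclass=(\w+)\s*$/        or next;
        $rules{"$scontext|$tcontext|$tclass"}{$_} = 1 for @perms;
    }
    my @out;
    for my $key (sort keys %rules) {
        my ($s, $t, $c) = split /\|/, $key;
        my $perms = join ' ', sort keys %{ $rules{$key} };
        push @out, "allow $s $t:$c { $perms };";
    }
    return @out;
}

print "$_\n" for avc_to_rules(@sample);
```

The generated rules are only as broad as the denials that were logged, so each one still needs to be read against what the domain is actually supposed to do before it goes into the policy.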

Received on Tue 4 Dec 2001 - 13:40:31 EST

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:26 EDT