OOPS, the earlier script had an error

From: Justin Smith <jsmith_at_mcs.drexel.edu>
Date: 04 Dec 2001 13:40:44 -0500


Here's the corrected one:

#----------------------cut---------------------------------------

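#!/usr/bin/perl
# Turn SELinux AVC denial messages into candidate "allow" rules.
#
# Reads kernel log lines from ./messages, keeps the "avc: denied" ones,
# and writes one allow rule per (source type, target type, object class)
# to ./newrules, listing every permission that was denied for that triple.
#
# SECURITY NOTE: the output is a starting point, not a policy.  Every
# denial the kernel logged becomes a granted permission, so review each
# generated rule and drop those that reflect an attack, a misconfiguration,
# or an access that belongs behind a domain transition rather than a
# blanket allow.  Loading newrules unreviewed defeats the point of the
# denial.
use strict;
use warnings;

my $in_path  = 'messages';
my $out_path = 'newrules';

# Three-argument open with explicit checks: a missing input file used to
# silently produce an empty rule file.
open my $errfile,  '<', $in_path  or die "open $in_path: $!";
open my $newrules, '>', $out_path or die "open $out_path: $!";

# $rules{"$scontext|$tcontext|$tclass"}{$permission} = 1
my %rules;

while (my $inline = <$errfile>) {
    # Only denial records; the denied permissions sit between the braces
    # and the context fields follow on the same line.
    next unless $inline =~ /avc:\s*denied\s*\{\s*([\w\s]*?)\s*\}(.*)/;
    my ($perm_list, $rest) = ($1, $2);

    # Each field is matched and checked on its own.  The original chained
    # $' and $1 across matches, so a line missing a field silently reused
    # a stale capture from the previous match in the generated rule.
    my ($scontext) = $rest =~ /scontext=\w+:\w+:(\w+)/;
    my ($tcontext) = $rest =~ /tcontext=\w+:\w+:(\w+)/;
    my ($tclass)   = $rest =~ /tclass=(\w+)/;
    unless (defined $scontext && defined $tcontext && defined $tclass) {
        chomp $inline;
        warn "skipping unparseable denial: $inline\n";
        next;
    }

    my @perms = grep { /\S/ } split /\s+/, $perm_list;
    $rules{"$scontext|$tcontext|$tclass"}{$_} = 1 for @perms;
}
close $errfile or die "close $in_path: $!";

# Emit one rule per (source, target, class).  Keys and permissions are
# sorted so the output is stable across runs and easy to diff.
for my $key (sort keys %rules) {
    my ($scontext, $tcontext, $tclass) = split /\|/, $key;
    my @perms = sort keys %{ $rules{$key} };
    print {$newrules} "allow $scontext $tcontext:$tclass { ",
                      join('', map { "$_ " } @perms), "};\n";
}
# Write errors surface at close on a buffered handle.
close $newrules or die "close $out_path: $!";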
#--------------------------------end-------------------------


and the corrected ipchains policy (type enforcement rules for the ipchains_t domain):

#-------------------------------------------------------

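#
# Rules for the ipchains_t domain.
#
# Review note: this domain is allowed to transition into insmod_t (kernel
# module loading) and to execute anything labeled bin_t in-domain, which
# is considerably more than packet-filter configuration needs.  Keep the
# domain as narrow as the ipchains binary actually requires.
type ipchains_t, domain, privlog;
type ipchains_exec_t, file_type, sysadmfile, exec_type;
# Fixed: "syadmfile" was a typo for the sysadmfile attribute used on the
# neighbouring types; the misspelt name is an undeclared attribute.
# ipchains_file_t is declared here but not referenced by any rule below.
type ipchains_file_t, file_type, sysadmfile;
type ipchains_var_run_t, file_type, sysadmfile, pidfile;

# Module loading and interface configuration go through their own domains
# rather than granting ipchains_t those privileges directly.
domain_auto_trans(ipchains_t, insmod_exec_t, insmod_t)
domain_auto_trans(ipchains_t, ifconfig_exec_t, ifconfig_t)

# Files ipchains creates under var_run_t are labeled ipchains_var_run_t.
file_type_auto_trans(ipchains_t, var_run_t, ipchains_var_run_t)

# Inherit and use descriptors from init.
allow ipchains_t init_t:fd inherit_fd_perms;

# Broad: any bin_t binary may be executed without a domain change.  Narrow
# this to the specific helpers ipchains invokes if they can be identified.
allow ipchains_t bin_t:file { execute execute_no_trans };
allow ipchains_t ipchains_exec_t:file { execute_no_trans };

# Capabilities and raw socket access used to talk to the kernel firewall.
allow ipchains_t ipchains_t:capability { net_admin net_raw };
allow ipchains_t ipchains_t:rawip_socket { create setopt };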


#-------------------------------------------------------

-- 
______________________________________________________________________
Time blows wildly against my door       | Justin R. Smith
Stirring discarded sorrows      	| Department of Mathematics and
Like dead leaves of summers past        |     Computer Science
Memories of forgotten lore          	| Drexel University
Making way for new tomorrows         	| Philadelphia, PA 19104
New hopes, new fears,                   |
         and new ways that last         | Office: (215) 895-1847
URL: http://vorpal.mcs.drexel.edu       | Fax:    (215) 895-1582


