Didn't notice this question

From: Justin Smith <jsmith_at_mcs.drexel.edu>
Date: 11 Dec 2001 20:23:09 -0500


On Tue, 2001-12-04 at 14:43, Stephen Smalley wrote:
> newrules.te'. Could you clarify under what terms you are releasing
> this script (e.g. GPL)?
Of course, I am GPL'ing this script. Here's a slightly revised form (it runs dmesg itself):

#----------------------------cut-------------------
#!/usr/bin/perl
#
# newrules.pl.
#
#
# Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#

# Get the 'access denied' messages

@allmessages=split /\n/,`dmesg`;

my %rules = ();

# format: $rules{ "$scontext|$tcontext|$tclass"}
# = { '$accesstype' => 1};

foreach $inline (@allmessages)
  {
    # only 'avc: denied { ... }' lines are of interest
    next unless ($inline =~ m/avc:\s*denied\s*\{((\w|\s)*)\}/);
    my $accesstype = $1;
    my $nextline = $';
    # skip lines with a missing field, so that a failed match
    # cannot reuse $1 from the previous successful match
    next unless ($nextline =~ m/scontext=\w+:\w+:(\w+)\s*/);
    my $scontext = $1;
    $nextline = $';
    next unless ($nextline =~ m/tcontext=\w+:\w+:(\w+)\s*/);
    my $tcontext = $1;
    $nextline = $';
    next unless ($nextline =~ m/tclass=(\w+)\s*\Z/);
    my $tclass = $1;
    # one hash entry per permission named inside the braces
    my @atypes = split /\s+/,$accesstype;
    foreach $atype (@atypes)
      {
	next unless $atype =~ m/\S/;
	my $trim=undef;
	$atype =~ m/\s*(\w+)\s*/;
	$trim = $1;
	$rules{"$scontext|$tcontext|$tclass"}{$trim}=1;
      }

  }

# done with the input file
# now generate the rules

foreach $k (sort keys %rules)
  {
    my ($scontext,$tcontext,$tclass) = split /\|/, $k;
    print "allow $scontext $tcontext:$tclass { ";
    my $access_types = $rules{$k};
    foreach $t (sort keys %$access_types)

      {
	print  "$t ";
      }

    print "};\n";
  }
#------------------cut---------------------------


If I find the time (?), I'll try to expand this to a gui tool for configuring security policies (using Perl/Tk).

Received on Tue 11 Dec 2001 - 20:43:03 EST
