1# Copyright (C) 2007-2012 Red Hat 2# see file 'COPYING' for use and warranty information 3# 4# policygentool is a tool for the initial generation of SELinux policy 5# 6# This program is free software; you can redistribute it and/or 7# modify it under the terms of the GNU General Public License as 8# published by the Free Software Foundation; either version 2 of 9# the License, or (at your option) any later version. 10# 11# This program is distributed in the hope that it will be useful, 12# but WITHOUT ANY WARRANTY; without even the implied warranty of 13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14# GNU General Public License for more details. 15# 16# You should have received a copy of the GNU General Public License 17# along with this program; if not, write to the Free Software 18# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 19# 02111-1307 USA 20# 21# 22 23########################### tmp Template File ############################# 24compile="""\ 25#!/bin/sh -e 26 27DIRNAME=`dirname $0` 28cd $DIRNAME 29USAGE="$0 [ --update ]" 30if [ `id -u` != 0 ]; then 31echo 'You must be root to run this script' 32exit 1 33fi 34 35if [ $# -eq 1 ]; then 36 if [ "$1" = "--update" ] ; then 37 time=`ls -l --time-style="+%x %X" TEMPLATEFILE.te | awk '{ printf "%s %s", $6, $7 }'` 38 rules=`ausearch --start $time -m avc --raw -se TEMPLATETYPE` 39 if [ x"$rules" != "x" ] ; then 40 echo "Found avc's to update policy with" 41 echo -e "$rules" | audit2allow -R 42 echo "Do you want these changes added to policy [y/n]?" 43 read ANS 44 if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then 45 echo "Updating policy" 46 echo -e "$rules" | audit2allow -R >> TEMPLATEFILE.te 47 # Fall though and rebuild policy 48 else 49 exit 0 50 fi 51 else 52 echo "No new avcs found" 53 exit 0 54 fi 55 else 56 echo -e $USAGE 57 exit 1 58 fi 59elif [ $# -ge 2 ] ; then 60 echo -e $USAGE 61 exit 1 62fi 63 64echo "Building and Loading Policy" 65set -x 66make -f /usr/share/selinux/devel/Makefile TEMPLATEFILE.pp || exit 67/usr/sbin/semodule -i TEMPLATEFILE.pp 68 69""" 70rpm="""\ 71# Generate a rpm package for the newly generated policy 72 73pwd=$(pwd) 74rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba TEMPLATEFILE_selinux.spec 75""" 76 77manpage="""\ 78# Generate a man page off the installed module 79sepolicy manpage -p . -d DOMAINTYPE_t 80""" 81 82restorecon="""\ 83# Fixing the file context on FILENAME 84/sbin/restorecon -F -R -v FILENAME 85""" 86 87tcp_ports="""\ 88# Adding SELinux tcp port to port PORTNUM 89/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p tcp PORTNUM 90""" 91 92udp_ports="""\ 93# Adding SELinux udp port to port PORTNUM 94/usr/sbin/semanage port -a -t TEMPLATETYPE_port_t -p udp PORTNUM 95""" 96 97users="""\ 98# Adding SELinux user TEMPLATETYPE_u 99/usr/sbin/semanage user -a -R "TEMPLATETYPE_rROLES" TEMPLATETYPE_u 100""" 101 102eusers="""\ 103# Adding roles to SELinux user TEMPLATETYPE_u 104/usr/sbin/semanage user -m -R "TEMPLATETYPE_rROLES" TEMPLATETYPE_u 105""" 106 107admin_trans="""\ 108# Adding roles to SELinux user USER 109/usr/sbin/semanage user -m -R +TEMPLATETYPE_r USER 110""" 111 112min_login_user_default_context="""\ 113cat > TEMPLATETYPE_u << _EOF 114TEMPLATETYPE_r:TEMPLATETYPE_t:s0 TEMPLATETYPE_r:TEMPLATETYPE_t 115system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t 116system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t 117system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t 118system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t 119system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t 120_EOF 121if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then 122 cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/ 123fi 124""" 125 126x_login_user_default_context="""\ 127cat > TEMPLATETYPE_u << _EOF 128TEMPLATETYPE_r:TEMPLATETYPE_t TEMPLATETYPE_r:TEMPLATETYPE_t 129system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t 130system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t 131system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t 132system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t 133system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t 134system_r:xdm_t TEMPLATETYPE_r:TEMPLATETYPE_t 135_EOF 136if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then 137 cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/ 138fi 139""" 140