Discussion:
[PATCH] python/sepolicy: Fix type for cgi scripts
Vit Mojzis
2018-04-06 12:49:09 UTC
The type generated by apache_content_template macro for cgi scripts
changed from httpd_$1_script_t to $1_script_t.
Update sepolicy accordingly.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1271324

Signed-off-by: Vit Mojzis <***@redhat.com>
---
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/templates/executable.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index f814e278..675b99d6 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -347,7 +347,7 @@ class policy:
raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))

if type == CGI:
- self.name = "httpd_%s_script" % name
+ self.name = "%s_script" % name
else:
self.name = name

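Review bot: the new `self.name = "%s_script" % name` in the `if type == CGI:` branch hardcodes the un-prefixed name with no fallback, so on any policy whose apache_content_template still produces httpd_$1_script_t the generated module name will no longer match the type the macro declares. The commit message says the macro's output changed but not in which policy or from which version; please state that, and either detect which form the installed policy uses or depend on a typealias so that the old httpd_%s_script name keeps working.
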
diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index f2679938..e1b17486 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -116,7 +116,7 @@ policy_module(TEMPLATETYPE, 1.0.0)

apache_content_template(TEMPLATETYPE)

-permissive httpd_TEMPLATETYPE_script_t;
+permissive TEMPLATETYPE_script_t;
"""

te_daemon_rules="""\
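Review bot: `permissive TEMPLATETYPE_script_t;` directly after `apache_content_template(TEMPLATETYPE)` names a type that only exists if the macro declares it in exactly that form, so where the macro still emits httpd_TEMPLATETYPE_script_t the generated module would reference an undeclared type. This line and the name built in generate.py have to change together, and nothing in the template documents that coupling; a short comment that the type name is dictated by apache_content_template, plus a note on which policy provides the new form, would make a future mismatch easier to spot.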
--
2.14.3
Stephen Smalley
2018-04-11 14:26:17 UTC
Post by Vit Mojzis
The type generated by apache_content_template macro for cgi scripts
changed from httpd_$1_script_t to $1_script_t.
Update sepolicy accordingly.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1271324
This seems to be a change only present in Fedora policy, not upstream
refpolicy. So merging this would break users of refpolicy and
potentially distributions other than Fedora. Why was this change made,
and why wasn't a typealias added to preserve compatibility?
Post by Vit Mojzis
---
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/templates/executable.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index f814e278..675b99d6 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
- self.name = "httpd_%s_script" % name
+ self.name = "%s_script" % name
self.name = name
diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index f2679938..e1b17486 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -116,7 +116,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
apache_content_template(TEMPLATETYPE)
-permissive httpd_TEMPLATETYPE_script_t;
+permissive TEMPLATETYPE_script_t;
"""
te_daemon_rules="""\
Lukas Vrabec
2018-04-11 17:40:54 UTC
Post by Stephen Smalley
Post by Vit Mojzis
The type generated by apache_content_template macro for cgi scripts
changed from httpd_$1_script_t to $1_script_t.
Update sepolicy accordingly.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1271324
This seems to be a change only present in Fedora policy, not upstream
refpolicy. So merging this would break users of refpolicy and
potentially distributions other than Fedora. Why was this change made,
and why wasn't a typealias added to preserve compatibility?
Hi Stephen,

You're right about this change; however, the commit in our selinux-policy
sources changing this is from 2013. I will look into it and add proper
typealiases.

Thanks for the heads up.
Lukas.
Post by Stephen Smalley
Post by Vit Mojzis
---
python/sepolicy/sepolicy/generate.py | 2 +-
python/sepolicy/sepolicy/templates/executable.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index f814e278..675b99d6 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
- self.name = "httpd_%s_script" % name
+ self.name = "%s_script" % name
self.name = name
diff --git a/python/sepolicy/sepolicy/templates/executable.py b/python/sepolicy/sepolicy/templates/executable.py
index f2679938..e1b17486 100644
--- a/python/sepolicy/sepolicy/templates/executable.py
+++ b/python/sepolicy/sepolicy/templates/executable.py
@@ -116,7 +116,7 @@ policy_module(TEMPLATETYPE, 1.0.0)
apache_content_template(TEMPLATETYPE)
-permissive httpd_TEMPLATETYPE_script_t;
+permissive TEMPLATETYPE_script_t;
"""
te_daemon_rules="""\
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.