-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Patch to retrieve constraint information from libsepol into audit2why This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJuv7MACgkQrlYvE4MpobMuqgCdESvYlp8B3ao+UlK9/8SU8ID7 uJIAnRCl2oij+YAUHQtF52dmlWxbaKd3 =W/Vc -----END PGP SIGNATURE-----
>From ec866e10551383c140bfae78724b6988aaf581d1 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Mon, 28 Oct 2013 10:09:55 -0400
Subject: [PATCH 05/17] Change audit2why to return constraint information on denial.

This patch uses Richard Haines fixes in libsepol to help identify which constraint is blocking access. The end goal is helping policy writers and administrators to diagnose issues with their policy.
---
 libselinux/src/audit2why.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index 6cf9ecf..ec946bb 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@@ -299,6 +299,7 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
 }
 
 static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) {
+ char *reason_buf = NULL;
 security_context_t scon;
 security_context_t tcon;
 char *tclassstr;
@@ -364,7 +365,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
 }
 
 /* Reproduce the computation. */
- rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason);
+ rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0);
 if (rc < 0)
 RETURN(BADCOMPUTE)
 
@@ -404,6 +405,12 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
 }
 
 if (reason & SEPOL_COMPUTEAV_CONS) {
+ if (reason_buf) {
+ PyObject *result = NULL;
+ result = Py_BuildValue("is", CONSTRAINT, reason_buf);
+ free(reason_buf);
+ return result;
+ }
 RETURN(CONSTRAINT)
 }
-- 
1.8.3.1
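Review bot: `reason_buf` is freed only inside the `SEPOL_COMPUTEAV_CONS` branch of the third hunk, so if `sepol_compute_av_reason_buffer` hands back an allocated buffer on any other outcome — the `RETURN(BADCOMPUTE)` exit right after the call in the second hunk, or the branches between new lines 372 and 405 that the diff does not show — that allocation leaks on every such call of `analyze`. Unless the libsepol contract guarantees the buffer is set only together with the CONS reason, add `free(reason_buf);` before each early exit (or route them through one cleanup path), and pin the ownership at the declaration with a comment such as `/* malloc'd by libsepol when a constraint denies; must be freed before every return */`. The constraint path now returns an `(int, str)` tuple where `RETURN(CONSTRAINT)` presumably yielded a single value, so the Python side of audit2why has to accept both shapes — worth stating in the commit message. `PyObject *result = NULL; result = Py_BuildValue("is", CONSTRAINT, reason_buf);` can be collapsed into one initialized declaration. `analyze` opens in the first hunk and its body ends outside the view.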