|
|
|
@ -1,268 +0,0 @@
|
|
|
|
From 5bec01e56c565dfedd077bf4fad20cbc03de312e Mon Sep 17 00:00:00 2001
|
|
|
|
|
|
|
|
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
|
|
|
|
|
|
|
Date: Fri, 22 Apr 2022 16:27:02 +0200
|
|
|
|
|
|
|
|
Subject: [PATCH] Fix couple of typos
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Found by codespell
|
|
|
|
|
|
|
|
---
|
|
|
|
|
|
|
|
doc/audit_notes.txt | 2 +-
|
|
|
|
|
|
|
|
doc/developers_guide.wiki | 10 +++++-----
|
|
|
|
|
|
|
|
doc/user_faq.wiki | 12 ++++++------
|
|
|
|
|
|
|
|
src/config.py.in | 4 ++--
|
|
|
|
|
|
|
|
src/sealert | 4 ++--
|
|
|
|
|
|
|
|
src/sedispatch.c | 2 +-
|
|
|
|
|
|
|
|
src/setroubleshoot/Plugin.py | 4 ++--
|
|
|
|
|
|
|
|
src/setroubleshoot/audit_data.py | 2 +-
|
|
|
|
|
|
|
|
src/setroubleshoot/browser.py | 4 ++--
|
|
|
|
|
|
|
|
src/setroubleshoot/gui_utils.py | 2 +-
|
|
|
|
|
|
|
|
src/setroubleshoot/server.py | 2 +-
|
|
|
|
|
|
|
|
11 files changed, 24 insertions(+), 24 deletions(-)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
diff --git a/doc/audit_notes.txt b/doc/audit_notes.txt
|
|
|
|
|
|
|
|
index d48c03e..6cc68ad 100644
|
|
|
|
|
|
|
|
--- a/doc/audit_notes.txt
|
|
|
|
|
|
|
|
+++ b/doc/audit_notes.txt
|
|
|
|
|
|
|
|
@@ -61,7 +61,7 @@ AVC_AUDIT_DATA_NET
|
|
|
|
|
|
|
|
laddr: local address (i.e. source address) ?? is this the same as "saddr"?
|
|
|
|
|
|
|
|
lport: local port (i.e. source port)
|
|
|
|
|
|
|
|
faddr: foreign address (i.e. destination address) ?? is this the same as "addr"?
|
|
|
|
|
|
|
|
- fport: foreign port (i.e. desination port)
|
|
|
|
|
|
|
|
+ fport: foreign port (i.e. destination port)
|
|
|
|
|
|
|
|
else if AF_UNIX:
|
|
|
|
|
|
|
|
"path=%s"
|
|
|
|
|
|
|
|
path: UNIX socket path name
|
|
|
|
|
|
|
|
diff --git a/doc/developers_guide.wiki b/doc/developers_guide.wiki
|
|
|
|
|
|
|
|
index bac843d..2570c1b 100644
|
|
|
|
|
|
|
|
--- a/doc/developers_guide.wiki
|
|
|
|
|
|
|
|
+++ b/doc/developers_guide.wiki
|
|
|
|
|
|
|
|
@@ -105,12 +105,12 @@ component of setroubleshoot (sealert) benefits from its integration
|
|
|
|
|
|
|
|
with the desktop session, but this is independent of the issue of
|
|
|
|
|
|
|
|
where and how the AVC alert information is derived from. By analogy a
|
|
|
|
|
|
|
|
web browser benefits from DBUS integration on the desktop but its data
|
|
|
|
|
|
|
|
-commuication remains HTTP to remote nodes.
|
|
|
|
|
|
|
|
+communication remains HTTP to remote nodes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=== What is the data channel between the client and server? ===
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The connection is a socket. By default the socket is a local UNIX
|
|
|
|
|
|
|
|
-domain socket for enhanced security. However, it is trival to
|
|
|
|
|
|
|
|
+domain socket for enhanced security. However, it is trivial to
|
|
|
|
|
|
|
|
configure the client/server code to use INET sockets instead to
|
|
|
|
|
|
|
|
accommodate remote connections. The vast bulk of the code is agnostic
|
|
|
|
|
|
|
|
with regards to the socket type.
|
|
|
|
|
|
|
|
@@ -418,7 +418,7 @@ children of the <arg> node and construct a SEDatabaseProperties from
|
|
|
|
|
|
|
|
the values we parse.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
At this point the we lookup the rpc_id to see what callbacks were
|
|
|
|
|
|
|
|
-associated with the originial database_bind() call. For every callback
|
|
|
|
|
|
|
|
+associated with the original database_bind() call. For every callback
|
|
|
|
|
|
|
|
bound to this call we call the callback passing the
|
|
|
|
|
|
|
|
SEDatabaseProperties object we constructed from the XML body.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@@ -597,7 +597,7 @@ portable representation. The portable representation should be very
|
|
|
|
|
|
|
|
well defined. Lacking a well defined representation for the object
|
|
|
|
|
|
|
|
also means it's difficult to provide defaults for member values, to
|
|
|
|
|
|
|
|
validate its structure, guard against injecting superfluous data,
|
|
|
|
|
|
|
|
-especially if the extra data is malicous in intent, convert between
|
|
|
|
|
|
|
|
+especially if the extra data is malicious in intent, convert between
|
|
|
|
|
|
|
|
versions of the representation, etc. Automatic serialization via
|
|
|
|
|
|
|
|
introspection is like programming in Basic were everything is a global
|
|
|
|
|
|
|
|
variable.
|
|
|
|
|
|
|
|
@@ -608,7 +608,7 @@ are not part of the definition can never be introduced via
|
|
|
|
|
|
|
|
serilization. Malformed representations are easy to detect. Values can
|
|
|
|
|
|
|
|
be assigned types. Versioning can be used to upgrade and downgrade
|
|
|
|
|
|
|
|
representations. The representation can be controlled to take
|
|
|
|
|
|
|
|
-advantage of XML features and tailor the reprensentation to optimize
|
|
|
|
|
|
|
|
+advantage of XML features and tailor the representation to optimize
|
|
|
|
|
|
|
|
for size or speed.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
One of the original goals of the project included communicating data
|
|
|
|
|
|
|
|
diff --git a/doc/user_faq.wiki b/doc/user_faq.wiki
|
|
|
|
|
|
|
|
index efe6f12..337855e 100644
|
|
|
|
|
|
|
|
--- a/doc/user_faq.wiki
|
|
|
|
|
|
|
|
+++ b/doc/user_faq.wiki
|
|
|
|
|
|
|
|
@@ -468,7 +468,7 @@ file where logging will be directed. If no file is set logging goes to
|
|
|
|
|
|
|
|
the console. By default there is no file set for sealert because its a
|
|
|
|
|
|
|
|
per user log file and by default we don't want to be writing user
|
|
|
|
|
|
|
|
files. The 'console' flag will also send logging messages to the
|
|
|
|
|
|
|
|
-console if otherwise they are also being writtin to a log file (if
|
|
|
|
|
|
|
|
+console if otherwise they are also being written to a log file (if
|
|
|
|
|
|
|
|
there is no log file, messages are directed to the console). There is
|
|
|
|
|
|
|
|
also a 'categories' list which will allow you to select functional
|
|
|
|
|
|
|
|
areas to log. By default all categories are logged.
|
|
|
|
|
|
|
|
@@ -515,7 +515,7 @@ Every time a denial event is recognized it is converted to an
|
|
|
|
|
|
|
|
[#alert-signature alert signature], a general way of describing the
|
|
|
|
|
|
|
|
denial event. Then the [#alert-database alert database] is consulted
|
|
|
|
|
|
|
|
to see if the denial has been seen before, if so its report count is
|
|
|
|
|
|
|
|
-incremented, otherwise it's added to the database. Irregardless of
|
|
|
|
|
|
|
|
+incremented, otherwise it's added to the database. Regardless of
|
|
|
|
|
|
|
|
whether the denial was previously in the alert database or not a full
|
|
|
|
|
|
|
|
analysis is run on the denial event to produce a [#analysis-report
|
|
|
|
|
|
|
|
analysis report]. The most recent analysis report of the denial event
|
|
|
|
|
|
|
|
@@ -529,7 +529,7 @@ most recent occurrence of the denial event.
|
|
|
|
|
|
|
|
The kernel audit subsystem emits a message whenever SELinux denies
|
|
|
|
|
|
|
|
permission (or would have denied permission). These messages describe
|
|
|
|
|
|
|
|
the particulars of what the kernel is doing at the moment and is not a
|
|
|
|
|
|
|
|
-complete desciption of the denial (which we term [#denial-event denial
|
|
|
|
|
|
|
|
+complete description of the denial (which we term [#denial-event denial
|
|
|
|
|
|
|
|
event]. As the kernel continues to process the system call which
|
|
|
|
|
|
|
|
triggered the AVC additional messages may be emitted independently
|
|
|
|
|
|
|
|
which when combined fully describe the denial event. Thus any one AVC
|
|
|
|
|
|
|
|
@@ -558,7 +558,7 @@ items such as the version of the SELinux policy, the version of the
|
|
|
|
|
|
|
|
operating system, the RPM package and version the software which
|
|
|
|
|
|
|
|
triggered the denial came from, etc.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-However envionmental information can only be reliably gathered at the
|
|
|
|
|
|
|
|
+However environmental information can only be reliably gathered at the
|
|
|
|
|
|
|
|
moment the denial occurred. If one queried the system for
|
|
|
|
|
|
|
|
environmental information at a later point in time, for instance
|
|
|
|
|
|
|
|
during log file scanning, then the environment may have changed in the
|
|
|
|
|
|
|
|
@@ -586,7 +586,7 @@ signature.
|
|
|
|
|
|
|
|
Alert signatures are a means to describe a general denial. For most
|
|
|
|
|
|
|
|
users this can be thought of as an "SELinux problem" such as "the web
|
|
|
|
|
|
|
|
server can't execute CGI scripts". A signature collects the minimal
|
|
|
|
|
|
|
|
-information necessary to uniquely descibe a SELinux denial, but no
|
|
|
|
|
|
|
|
+information necessary to uniquely desrcibe a SELinux denial, but no
|
|
|
|
|
|
|
|
more information than is necessary otherwise the signature would begin
|
|
|
|
|
|
|
|
to describe specific instances rather than a general problem. However the
|
|
|
|
|
|
|
|
content of the signature must be unique enough so that denial events
|
|
|
|
|
|
|
|
@@ -611,7 +611,7 @@ When a [#denial-event denial event] enters the system for analysis
|
|
|
|
|
|
|
|
each analysis plugin is given an opportunity to examine the denial
|
|
|
|
|
|
|
|
event. If the plugin recognizes the denial event it creates an
|
|
|
|
|
|
|
|
analysis report providing as much information as it can about the
|
|
|
|
|
|
|
|
-event such as a summmary, a detailed description, how one might fix
|
|
|
|
|
|
|
|
+event such as a summary, a detailed description, how one might fix
|
|
|
|
|
|
|
|
the problem, etc. The analysis report is the bulk of the information
|
|
|
|
|
|
|
|
presented to the user when he or she views an alert. The analysis
|
|
|
|
|
|
|
|
report may optionally be merged with [#alert-environment-info
|
|
|
|
|
|
|
|
diff --git a/src/config.py.in b/src/config.py.in
|
|
|
|
|
|
|
|
index 7fd10d9..a44be7b 100644
|
|
|
|
|
|
|
|
--- a/src/config.py.in
|
|
|
|
|
|
|
|
+++ b/src/config.py.in
|
|
|
|
|
|
|
|
@@ -261,7 +261,7 @@ provide remote connections use this "{unix}%(path)s, hostname"
|
|
|
|
|
|
|
|
'value': 'warning',
|
|
|
|
|
|
|
|
'description' : '''
|
|
|
|
|
|
|
|
setroubleshootd logging level. Levels are the same as in the python logging
|
|
|
|
|
|
|
|
-module, but are case insenstive. The defined levels in severity order
|
|
|
|
|
|
|
|
+module, but are case insensitive. The defined levels in severity order
|
|
|
|
|
|
|
|
are:[CRITICAL, ERROR, WARNING, INFO, DEBUG]''',
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
'log_full_report': {
|
|
|
|
|
|
|
|
@@ -274,7 +274,7 @@ are:[CRITICAL, ERROR, WARNING, INFO, DEBUG]''',
|
|
|
|
|
|
|
|
'value': 'warning',
|
|
|
|
|
|
|
|
'description' : '''
|
|
|
|
|
|
|
|
sealert logging level. Levels are the same as in the python logging
|
|
|
|
|
|
|
|
-module, but are case insenstive. The defined levels in severity order are:
|
|
|
|
|
|
|
|
+module, but are case insensitive. The defined levels in severity order are:
|
|
|
|
|
|
|
|
[CRITICAL, ERROR, WARNING, INFO, DEBUG]''',
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
diff --git a/src/sealert b/src/sealert
|
|
|
|
|
|
|
|
index 2663a21..f56f60a 100755
|
|
|
|
|
|
|
|
--- a/src/sealert
|
|
|
|
|
|
|
|
+++ b/src/sealert
|
|
|
|
|
|
|
|
@@ -372,7 +372,7 @@ class SEAlert(object):
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
self.alert_client.connect('alert', self.alert)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- # If there is no presentation mananger make sure when the
|
|
|
|
|
|
|
|
+ # If there is no presentation manager make sure when the
|
|
|
|
|
|
|
|
# user closes the window the whole application exits. When running
|
|
|
|
|
|
|
|
# in "alert" mode we want the application to persist in the background
|
|
|
|
|
|
|
|
self.browser.window_delete_hides = False
|
|
|
|
|
|
|
|
@@ -562,7 +562,7 @@ def do_analyze_logfile(logfile_path):
|
|
|
|
|
|
|
|
def display_terminal_traceback(who):
|
|
|
|
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
stacktrace = traceback.format_exc()
|
|
|
|
|
|
|
|
- print(_("Opps, %s hit an error!" % who) + '\n\n' + stacktrace)
|
|
|
|
|
|
|
|
+ print(_("Oops, %s hit an error!" % who) + '\n\n' + stacktrace)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
|
|
|
from setroubleshoot.gui_utils import display_traceback
|
|
|
|
|
|
|
|
diff --git a/src/sedispatch.c b/src/sedispatch.c
|
|
|
|
|
|
|
|
index 371db0d..ed900b0 100644
|
|
|
|
|
|
|
|
--- a/src/sedispatch.c
|
|
|
|
|
|
|
|
+++ b/src/sedispatch.c
|
|
|
|
|
|
|
|
@@ -248,7 +248,7 @@ static void handle_event(auparse_state_t *au,
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef NOTUSED
|
|
|
|
|
|
|
|
/* This function shows how to iterate through the fields of a record
|
|
|
|
|
|
|
|
- * and print its name and raw value and interpretted value. */
|
|
|
|
|
|
|
|
+ * and print its name and raw value and interpreted value. */
|
|
|
|
|
|
|
|
static void dump_fields_of_record(auparse_state_t *au)
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
printf("record type %d(%s) has %d fields\n", auparse_get_type(au),
|
|
|
|
|
|
|
|
diff --git a/src/setroubleshoot/Plugin.py b/src/setroubleshoot/Plugin.py
|
|
|
|
|
|
|
|
index 8fba3f8..e4783d9 100644
|
|
|
|
|
|
|
|
--- a/src/setroubleshoot/Plugin.py
|
|
|
|
|
|
|
|
+++ b/src/setroubleshoot/Plugin.py
|
|
|
|
|
|
|
|
@@ -74,10 +74,10 @@ class Plugin(object):
|
|
|
|
|
|
|
|
* $SOURCE_PACKAGE - name of the package which contains the
|
|
|
|
|
|
|
|
executable (from $SOURCE_PATH).
|
|
|
|
|
|
|
|
* $PORT_NUMBER - the port number for the connection denied.
|
|
|
|
|
|
|
|
- Additional subtitutions can be added with set_template_substitutions.
|
|
|
|
|
|
|
|
+ Additional substitutions can be added with set_template_substitutions.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
You can also optional pass the name for a single boolean which will be
|
|
|
|
|
|
|
|
- used to set the $BOOLEAN subtitution into Plugin.__init__.
|
|
|
|
|
|
|
|
+ used to set the $BOOLEAN substitution into Plugin.__init__.
|
|
|
|
|
|
|
|
o
|
|
|
|
|
|
|
|
You can also set the level, of the alert, if the plugin believes discovers
|
|
|
|
|
|
|
|
a signature of an attack, the level should be set to red
|
|
|
|
|
|
|
|
diff --git a/src/setroubleshoot/audit_data.py b/src/setroubleshoot/audit_data.py
|
|
|
|
|
|
|
|
index f11fc27..fbece5d 100644
|
|
|
|
|
|
|
|
--- a/src/setroubleshoot/audit_data.py
|
|
|
|
|
|
|
|
+++ b/src/setroubleshoot/audit_data.py
|
|
|
|
|
|
|
|
@@ -769,7 +769,7 @@ class AVC:
|
|
|
|
|
|
|
|
'''Derive the target path.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
If path information is available the avc record will have a path field
|
|
|
|
|
|
|
|
- and no name field because the path field is more specific and supercedes
|
|
|
|
|
|
|
|
+ and no name field because the path field is more specific and supersedes
|
|
|
|
|
|
|
|
name. The name field is typically the directory entry.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
For some special files the kernel embeds instance information
|
|
|
|
|
|
|
|
diff --git a/src/setroubleshoot/browser.py b/src/setroubleshoot/browser.py
|
|
|
|
|
|
|
|
index 4801583..bba419f 100644
|
|
|
|
|
|
|
|
--- a/src/setroubleshoot/browser.py
|
|
|
|
|
|
|
|
+++ b/src/setroubleshoot/browser.py
|
|
|
|
|
|
|
|
@@ -327,8 +327,8 @@ class BrowserApplet:
|
|
|
|
|
|
|
|
alert_date = alert.last_seen_date
|
|
|
|
|
|
|
|
start_date = alert.first_seen_date
|
|
|
|
|
|
|
|
# %c - Locale’s approrpiate date and time representation
|
|
|
|
|
|
|
|
- date_formated = alert_date.format("%c")
|
|
|
|
|
|
|
|
- self.date_label.set_label(date_formated)
|
|
|
|
|
|
|
|
+ date_formatted = alert_date.format("%c")
|
|
|
|
|
|
|
|
+ self.date_label.set_label(date_formatted)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def on_receive_button_changed(self, widget):
|
|
|
|
|
|
|
|
found = False
|
|
|
|
|
|
|
|
diff --git a/src/setroubleshoot/gui_utils.py b/src/setroubleshoot/gui_utils.py
|
|
|
|
|
|
|
|
index 183f83d..e822047 100644
|
|
|
|
|
|
|
|
--- a/src/setroubleshoot/gui_utils.py
|
|
|
|
|
|
|
|
+++ b/src/setroubleshoot/gui_utils.py
|
|
|
|
|
|
|
|
@@ -53,7 +53,7 @@ def display_traceback(who, parent=None):
|
|
|
|
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
stacktrace = traceback.format_exc()
|
|
|
|
|
|
|
|
- message = _("Opps, %s hit an error!" % who)
|
|
|
|
|
|
|
|
+ message = _("Oops, %s hit an error!" % who)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
title = who + ' ' + _("Error")
|
|
|
|
|
|
|
|
dlg = Gtk.Dialog(title, parent, 0, (Gtk.STOCK_OK, Gtk.ResponseType.OK))
|
|
|
|
|
|
|
|
diff --git a/src/setroubleshoot/server.py b/src/setroubleshoot/server.py
|
|
|
|
|
|
|
|
index 10ef215..37775b6 100755
|
|
|
|
|
|
|
|
--- a/src/setroubleshoot/server.py
|
|
|
|
|
|
|
|
+++ b/src/setroubleshoot/server.py
|
|
|
|
|
|
|
|
@@ -812,7 +812,7 @@ def RunFaultServer(timeout=10):
|
|
|
|
|
|
|
|
import six.moves.queue
|
|
|
|
|
|
|
|
analysis_queue = six.moves.queue.Queue(0)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- # Create a thread to peform analysis, it takes AVC objects off
|
|
|
|
|
|
|
|
+ # Create a thread to perform analysis, it takes AVC objects off
|
|
|
|
|
|
|
|
# the analysis queue and runs the plugins against the
|
|
|
|
|
|
|
|
# AVC. Analysis requests in the queue may arrive from a
|
|
|
|
|
|
|
|
# variety of places; from the audit system, from a log file
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
2.35.3
|
|
|
|
|
|
|
|
|
|
|
|
|
CentOS Sources
2 years ago
committed by
MSVSphere Packaging Team