ó â„^c@sdZddlmZddlmZddlmZd„Zdejfd„ƒYZd „Z d dd „ƒYZ d „Z d „Z ddd„ƒYZ dS(sV Classes representing basic access. SELinux - at the most basic level - represents access as the 4-tuple subject (type or context), target (type or context), object class, permission. The policy language elaborates this basic access to faciliate more concise rules (e.g., allow rules can have multiple source or target types - see refpolicy for more information). This module has objects for representing the most basic access (AccessVector) and sets of that access (AccessVectorSet). These objects are used in Madison in a variety of ways, but they are the fundamental representation of access. i(t refpolicy(tutiliÿÿÿÿ(t audit2whycCsUt|ƒdkrM|ddkrMyt|dƒWntk rHtSXtStSdS(s¬Determine if an id is a paramater in the form $N, where N is an integer. Returns: True if the id is a paramater False if the id is not a paramater iit$N(tlentintt ValueErrortFalsetTrue(tid((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt is_idparam's" t AccessVectorcBsYeZdZd d„Zd„Zd„Zd„Zd„Zd„Z d„Z d„Z RS( sº An access vector is the basic unit of access in SELinux. Access vectors are the most basic representation of access within SELinux. It represents the access a source type has to a target type in terms of an object class and a set of permissions. Access vectors are distinct from AVRules in that they can only store a single source type, target type, and object class. The simplicity of AccessVectors makes them useful for storing access in a form that is easy to search and compare. The source, target, and object are stored as string. No checking done to verify that the strings are valid SELinux identifiers. Identifiers in the form $N (where N is an integer) are reserved as interface parameters and are treated as wild cards in many circumstances. Properties: .src_type - The source type allowed access. [String or None] .tgt_type - The target type to which access is allowed. [String or None] .obj_class - The object class to which access is allowed. [String or None] .perms - The permissions allowed to the object class. [IdSet] .audit_msgs - The audit messages that generated this access vector [List of strings] cCs†|r|j|ƒnZd|_d|_d|_tjƒ|_g|_t j |_ g|_ d|_ d|_d|_d|_dS(N(t from_listtNonetsrc_typettgt_typet obj_classRtIdSettpermst audit_msgsRtTERULEttypetdatatobj_patht base_typet__hash__t info_flow_dir(tselft init_list((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt__init__Rs         cCslt|ƒdkr+tdt|ƒƒ‚n|d|_|d|_|d|_tj|dƒ|_dS(sxInitialize an access vector from a list. Initialize an access vector from a list treating the list as positional arguments - i.e., 0 = src_type, 1 = tgt_type, etc. All of the list elements 3 and greater are treated as perms. For example, the list ['foo_t', 'bar_t', 'file', 'read', 'write'] would create an access vector list with the source type 'foo_t', target type 'bar_t', object class 'file', and permissions 'read' and 'write'. This format is useful for very simple storage to strings or disc (see to_list) and for initializing access vectors. is+List must contain at least four elements %siiiiN( RRtstrRRRRRR(Rtlist((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyR gs    cCs2|j|j|jg}|jt|jƒƒ|S(sî Convert an access vector to a list. Convert an access vector to a list treating the list as positional values. See from_list for more information on how an access vector is represented in a list. (RRRtextendtsortedR(Rtl((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pytto_list|scCs |jƒS(N(t to_string(R((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt__str__ˆscCs&d|j|j|j|jjƒfS(Nsallow %s %s:%s %s;(RRRRt to_space_str(R((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyR$‹scCs"g}|j|j|jg}|S(N(RRR(Rtbase_type_array((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pytbase_file_typescCs|j|jkr%t|j|jƒS|j|jkrJt|j|jƒS|j|jkrot|j|jƒSt|jƒt|jƒkr¬tt|jƒt|jƒƒSt|jƒ}|jƒt|jƒ}|jƒx6t||ƒD]%\}}||krît||ƒSqîWdS(Ni( RtcmpRRRRRtsorttzip(Rtothertxtytpatpb((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt__cmp__”s    cCs˜yyt|jƒ}|j|j|j|f}t|jƒ}|jƒ|jƒ|j|j|j|f}|||ƒSWnttfk r“tSXdS(N( RRRRRR*tAttributeErrort TypeErrortNotImplemented(RR,tmethodR-taR.tb((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt_compare¦s  N( t__name__t __module__t__doc__R RR R#R%R$R(R1R8(((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyR 8s      cCsŸt|tƒr|gSg}x||jD]q}xh|jD]]}xT|jD]I}tƒ}||_||_||_|jj ƒ|_|j |ƒqFWq6Wq&W|S(sQConvert an avrule into a list of access vectors. AccessVectors and AVRules are similary, but differ in that an AVRule can more than one source type, target type, and object class. This function expands a single avrule into a list of one or more AccessVectors representing the access defined in the AVRule. ( t isinstanceR t src_typest tgt_typest obj_classesRRRRtcopytappend(tavruleR6RRRtaccess((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pytavrule_to_access_vectors´s     tAccessVectorSetcBsbeZdZd„Zd„Zd„Zd„Zd„Zddde j gd„Z dd„Z RS( s/A non-overlapping set of access vectors. An AccessVectorSet is designed to store one or more access vectors that are non-overlapping. Access can be added to the set incrementally and access vectors will be added or merged as necessary. For example, adding the following access vectors using add_av: allow $1 etc_t : read; allow $1 etc_t : write; allow $1 var_log_t : read; Would result in an access vector set with the access vectors: allow $1 etc_t : { read write}; allow $1 var_log_t : read; cCsi|_d|_dS(s)Initialize an access vector set. N(tsrcR tinfo_dir(R((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyRÜs ccsQxJ|jjƒD]9}x0|jƒD]"}x|jƒD] }|Vq6Wq#WqWdS(s9Iterate over all of the unique access vectors in the set.N(RFtvalues(Rttgtstobjstav((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt__iter__åscCsKd}x>|jjƒD]-}x$|jƒD]}|t|ƒ7}q)WqW|S(s5Return the number of unique access vectors in the set. Because of the inernal representation of the access vector set, __len__ is not a constant time operation. Worst case is O(N) where N is the number of unique access vectors, but the common case is probably better. i(RFRHR(RR"RIRJ((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt__len__ìs cCs.g}x!|D]}|j|jƒƒq W|S(sbReturn the unique access vectors in the set as a list. The format of the returned list is a set of nested lists, each access vector represented by a list. This format is designed to be simply serializable to a file. For example, consider an access vector set with the following access vectors: allow $1 user_t : file read; allow $1 etc_t : file { read write}; to_list would return the following: [[$1, user_t, file, read] [$1, etc_t, file, read, write]] See AccessVector.to_list for more information. (RAR#(RR"RK((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyR#ús cCs(x!|D]}|jt|ƒƒqWdS(sAdd access vectors stored in a list. See to list for more information on the list format that this method accepts. This will add all of the access from the list. Any existing access vectors in the set will be retained. N(tadd_avR (RR"RK((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyR s c CsÑ|jj|iƒ} | j|iƒ} ||f| krL| ||f} nXtƒ} || _|| _|| _|| _| | _|| _|| _ | | ||f<| j j |ƒ|rÍ| j j |ƒndS(s)Add an access vector to the set. N(RFt setdefaultR RRRRRRRRtupdateRRA( RRRRRRRt audit_msgtavc_typeRttgttclsRC((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pytadds         cCs&|j|j|j|j|jƒdS(s Add an access vector to the set.N(RURRRR(RRKRQ((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyRN5sN( R9R:R;RRLRMR#R R RRRURN(((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyREÍs    cCsAtjƒ}x.|D]&}|j|jƒ|j|jƒqW|S(N(RRRURR(tavsttypesRK((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pytavs_extract_types:s   cCsci}xV|D]N}|j|kr2||j}ntjƒ}|||j<|j|jƒq W|S(N(RRRRPR(RVRRKts((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pytavs_extract_obj_permsBs   t RoleTypeSetcBs2eZdZd„Zd„Zd„Zd„ZRS(s²A non-overlapping set of role type statements. This clas allows the incremental addition of role type statements and maintains a non-overlapping list of statements. cCs i|_dS(s Initialize an access vector set.N(t role_types(R((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyRSsccs#x|jjƒD] }|VqWdS(sAIterate over all of the unique role allows statements in the set.N(R\RH(Rt role_type((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyRLWscCst|jjƒƒS(s2Return the unique number of role allow statements.(RR\tkeys(R((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyRM\scCsU||jkr|j|}n"tjƒ}||_||j|<|jj|ƒdS(N(R\RtRoleTypetroleRWRU(RR`RR]((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyRU`s    (R9R:R;RRLRMRU(((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyR[Ms    N(((R;tRRtselinuxRR t ComparisonR RDRERXRZR[(((s5/usr/lib64/python2.7/site-packages/sepolgen/access.pyt s | m