ó â„^c@sLddlZddlZddlmZddlmZddlmZd„Zd„Zd„Zd fd „ƒYZ d e fd „ƒYZ d e fd„ƒYZ ddl j Z iZde fd„ƒYZde fd„ƒYZde fd„ƒYZde fd„ƒYZdfd„ƒYZdfd„ƒYZdfd„ƒYZdS(i˙˙˙˙Ni(t refpolicy(taccess(tutilcCsÚddl}ddl}tddƒ}t|jƒjƒdƒ}|j|j|jƒ|ƒ}|jd|ƒ}|jd|ƒ}|j dd d d ||gd |j ƒj ƒd}t j rÖt j|ƒ}n|S( s Obtain all of the avc and policy load messages from the audit log. This function uses ausearch and requires that the current process have sufficient rights to run ausearch. Returns: string contain all of the audit messages returned by ausearch. i˙˙˙˙Ns /proc/uptimetris%xs%Xs/sbin/ausearchs-ms5AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERRs-tststdout(t subprocessttimetopentfloattreadtsplittcloset localtimetstrftimetPopentPIPEt communicateRtPY3t decode_input(RRtfdtofftstbootdatetboottimetoutput((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytget_audit_boot_msgss   cCsVddl}|jdddgd|jƒjƒd}tjrRtj|ƒ}n|S(s Obtain all of the avc and policy load messages from the audit log. This function uses ausearch and requires that the current process have sufficient rights to run ausearch. Returns: string contain all of the audit messages returned by ausearch. i˙˙˙˙Ns/sbin/ausearchs-ms5AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERRRi(RRRRRRR(RR((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytget_audit_msgs2s   cCsPddl}|jdgd|jƒjƒd}tjrLtj|ƒ}n|S(s•Obtain all of the avc and policy load messages from /bin/dmesg. Returns: string contain all of the audit messages returned by dmesg. i˙˙˙˙Ns /bin/dmesgRi(RRRRRRR(RR((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytget_dmesg_msgsAs   t AuditMessagecBs eZdZd„Zd„ZRS(săBase class for all objects representing audit messages. AuditMessage is a base class for all audit messages and only provides storage for the raw message (as a string) and a parsing function that does nothing. cCs||_d|_dS(Nt(tmessagetheader(tselfR((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt__init__Ws cCszxs|D]k}|jdƒ}t|ƒdkrQ|d dkr||_dSqn|ddkr|d|_dSqWdS( sŕParse a string that has been split into records by space into an audit message. This method should be overridden by subclasses. Error reporting should be done by raise ValueError exceptions. t=iisaudit(Nitmsgi(R tlenR(R trecsR#tfields((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytfrom_split_string[s   (t__name__t __module__t__doc__R!R'(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRPs tInvalidMessagecBseZdZd„ZRS(sţClass representing invalid audit messages. This is used to differentiate between audit messages that aren't recognized (that should return None from the audit message parser) and a message that is recognized but is malformed in some way. cCstj||ƒdS(N(RR!(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!vs(R(R)R*R!(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR+pst PathMessagecBs eZdZd„Zd„ZRS(s!Class representing a path messagecCstj||ƒd|_dS(NR(RR!tpath(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!{scCsttj||ƒx]|D]U}|jdƒ}t|ƒdkrDqn|ddkr|ddd!|_dSqWdS(NR"iiR-ii˙˙˙˙(RR'R R$R-(R R%R#R&((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR's (R(R)R*R!R'(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR,ys t AVCMessagecBs2eZdZd„Zd„Zd„Zd„ZRS(skAVC message representing an access denial or granted message. This is a very basic class and does not represent all possible fields in an avc message. Currently the fields are: scontext - context for the source (process) that generated the message tcontext - context for the target tclass - object class for the target (only one) comm - the process name exe - the on-disc binary path - the path of the target access - list of accesses that were allowed or denied denial - boolean indicating whether this was a denial (True) or granted (False) message. An example audit message generated from the audit daemon looks like (line breaks added): 'type=AVC msg=audit(1155568085.407:10877): avc: denied { search } for pid=677 comm="python" name="modules" dev=dm-0 ino=13716388 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir' An example audit message stored in syslog (not processed by the audit daemon - line breaks added): 'Sep 12 08:26:43 dhcp83-5 kernel: audit(1158064002.046:4): avc: denied { read } for pid=2 496 comm="bluez-pin" name=".gdm1K3IFT" dev=dm-0 ino=3601333 scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file cCs†tj||ƒtjƒ|_tjƒ|_d|_d|_d|_d|_ d|_ d|_ g|_ t |_tj|_dS(NR(RR!RtSecurityContexttscontextttcontextttclasstcommtexeR-tnametinotaccessestTruetdenialt audit2whytTERULEttype(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!Şs        cCs­t}|}|t|ƒdkr8td|jƒ‚nxN|t|ƒkrˆ||dkrgt}Pn|jj||ƒ|d}q;W|sĽtd|jƒ‚n|dS(Nis#AVC message in invalid format [%s] t}(tFalseR$t ValueErrorRR8R7tappend(R R%tstartt found_closeti((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt__parse_access¸scCs>tj||ƒt}t}t}t}xÓtt|ƒƒD]ż}||dkrs|j||dƒ}t}q;n||dkrt|_n||jdƒ}t|ƒdkrşq;n|ddkrét j |dƒ|_ t}q;|ddkrt j |dƒ|_ t}q;|dd kr>|d|_ t}q;|dd kre|ddd !|_q;|dd krŒ|ddd !|_q;|dd krł|ddd !|_q;|ddkrÚ|ddd !|_q;|ddkr;|d|_q;q;W| s| s| s| r0td|jƒ‚n|jƒdS(Nt{itgrantedR"iiR0R1R2R3i˙˙˙˙R4R5R-R6s#AVC message in invalid format [%s] (RR'R>trangeR$t_AVCMessage__parse_accessR8R9R RR/R0R1R2R3R4R5R-R6R?Rtanalyze(R R%t found_srct found_tgtt found_classt found_accessRCR&((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR'ÎsJ     cCsź|jjƒ}|jjƒ}t|jƒ}g|_|||j|ftjƒkrt|||j|f\|_ |_n9t j |||j|jƒ\|_ |_|j t j krĘt j |_ n|j t jkrďtd|ƒ‚n|j t jkrtd|ƒ‚n|j t jkr<td|jƒ‚n|j t jkrmtddj|jƒƒ‚n|j t jkrŽtdƒ‚n|j t jkr“|jg|_|jj|jjkrô|jjd|jjd|jjfƒn|jj|jjkrK|jjdkrK|jjd |jjd |jjfƒn|jj|jjkr“|jjd |jjd |jjfƒq“n|j |jft|||j|ftauditd(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!#scCs,tj||ƒd|kr(t|_ndS(NRb(RR'R8Rb(R R%((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR''s (R(R)R*R!R'(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRa!s tComputeSidMessagecBs)eZdZd„Zd„Zd„ZRS(s†Audit message indicating that a sid was not valid. Compute sid messages are generated on attempting to create a security context that is not valid. Security contexts are invalid if the role is not authorized for the user or the type is not authorized for the role. This class does not store all of the fields from the compute sid message - just the type and role. cCsJtj||ƒtjƒ|_tjƒ|_tjƒ|_d|_dS(NR(RR!RR/tinvalid_contextR0R1R2(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!7s cCsĹtj||ƒt|ƒdkr1tdƒ‚nyztj|dƒ|_tj|djdƒdƒ|_tj|djdƒdƒ|_ |djdƒd|_ Wntdƒ‚nXdS( Ni s;Split string does not represent a valid compute sid messageiiR"iii ( RR'R$R?RR/RdR R0R1R2(R R%((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR'>s##cCsd|j|jfS(Nsrole %s types %s; (R]R<(R ((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRJs(R(R)R*R!R'R(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRc-s   t AuditParsercBs†eZdZed„Zd„Zd„Zd„Zd„Zd„Z d„Z d d„Z d „Z d „Zd „Zd ed „ZRS(sťParser for audit messages. This class parses audit messages and stores them according to their message type. This is not a general purpose audit message parser - it only extracts selinux related messages. Each audit messages are stored in one of four lists: avc_msgs - avc denial or granted messages. Messages are stored in AVCMessage objects. comput_sid_messages - invalid sid messages. Messages are stored in ComputSidMessage objects. invalid_msgs - selinux related messages that are not valid. Messages are stored in InvalidMessageObjects. policy_load_messages - policy load messages. Messages are stored in PolicyLoadMessage objects. These lists will be reset when a policy load message is seen if AuditParser.last_load_only is set to true. It is assumed that messages are fed to the parser in chronological order - time stamps are not parsed. cCs|jƒ||_dS(N(t_AuditParser__initializetlast_load_only(R Rg((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!es cCsVg|_g|_g|_g|_g|_i|_t|_i|_|j ƒdS(N( tavc_msgstcompute_sid_msgst invalid_msgstpolicy_load_msgst path_msgst by_headerR>tcheck_input_filet inode_dictt_AuditParser__store_base_types(R ((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt __initializeis        c CsPg|jƒD]}|jdƒ^q }x!|D]}t}|dks_|dks_|dkrtt|ƒ}t}n|dkr•t|ƒ}t}no|dks­|dkrÂt|ƒ}t}nB|dkrăt|ƒ}t}n!|d krtt ƒ}t}n|r/t|_ y|j |ƒWnt k rCt |ƒ}nX|Sq/WdS( Ns…savc:s message=avc:s msg='avc:ssecurity_compute_sid:stype=MAC_POLICY_LOADs type=1403s type=AVC_PATHstype=DAEMON_START(R tstripR>R.R8RcR`R,RatlistRnR'R?R+tNone(R tlinetxtrecRCtfoundR#((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt __parse_lines4( $               cCse|j|ƒ}|dkrdSt|tƒrG|jr|jƒqnÉt|tƒrˆ|jru|jru|jƒn|jj |ƒnˆt|t ƒrŞ|j j |ƒnft|t ƒrĚ|j j |ƒnDt|tƒrî|jj |ƒn"t|tƒr|jj |ƒn|jdkra|j|jkrK|j|jj |ƒqa|g|j|jR!RfRzRƒRˆRŠRRtR”RśRpRľR8Rť(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyReOs   $ %  $  t AVCTypeFiltercBseZd„Zd„ZRS(cCstj|ƒ|_dS(N(tretcompiletregex(R Rż((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!\scCs<|jj|jjƒrtS|jj|jjƒr8tStS(N(RżtmatchR0R<R8R1R>(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR_s (R(R)R!R(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRź[s tComputeSidTypeFiltercBseZd„Zd„ZRS(cCstj|ƒ|_dS(N(R˝RžRż(R Rż((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!gscCsX|jj|jjƒrtS|jj|jjƒr8tS|jj|jjƒrTtStS(N(RżRŔRdR<R8R0R1R>(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRjs(R(R)R!R(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRÁfs (R˝R„RRRRRRRRR+R,tselinux.audit2whyR:RSR.R`RaRcReRźRÁ(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyts(        "˙