sepolgen/policygen (compiled Python 2.7 module; source path /usr/lib64/python2.7/site-packages/sepolgen/policygen.py)

The page is the marshalled bytecode of this module. Only the docstrings, string constants and symbol tables are legible; they are collected below, with the method and attribute names exactly as they appear in the bytecode.

Module docstring:
    classes and algorithms for the generation of SELinux policy.

Imports: itertools, textwrap, selinux.audit2why (as audit2why), setools (wrapped in a try/except so the module still loads when setools is absent), and the sepolgen modules refpolicy, objectmodel, access, interfaces, matching and util.

Explanation levels (module constants): NO_EXPLANATION, SHORT_EXPLANATION, LONG_EXPLANATION.

class PolicyGenerator

    Generate a reference policy module from access vectors.

    PolicyGenerator generates a new reference policy module or updates an existing module based on requested access in the form of access vectors. It generates allow rules and optionally module require statements and reference policy interfaces. By default only allow rules are generated. The methods .set_gen_refpol and .set_gen_requires turn on interface generation and requires generation respectively.

    PolicyGenerator can also optionally add comments explaining why a particular access was allowed based on the audit messages that generated the access. The access vectors passed in must have the .audit_msgs field set correctly and .explain set to SHORT|LONG_EXPLANATION to enable this feature.

    The module created by PolicyGenerator can be passed to output.ModuleWriter to output a text representation.

    __init__(self, module=None)
        Initialize a PolicyGenerator with an optional existing module. If the module parameter is not None then access will be added to the passed in module. Otherwise a new reference policy module will be created.
        Attributes set: ifgen = None, explain = NO_EXPLANATION, gen_requires = False, module = the passed-in module or a fresh refpolicy.Module(), dontaudit = False, mislabled = None, domains = None.

    set_gen_refpol(self, if_set=None, perm_maps=None)
        Set whether reference policy interfaces are generated. To turn on interface generation pass in an interface set to use for interface generation. To turn off interface generation pass in None. If interface generation is enabled requires generation will also be enabled.
        With an interface set this creates InterfaceGenerator(if_set, perm_maps), stores it in ifgen and sets gen_requires = True; with None it clears ifgen. Either way it then calls __set_module_style.

    set_gen_requires(self, status=True)
        Set whether module requires are generated. Passing in True will turn on requires generation and False will disable generation. If requires generation is disabled interface generation will also be disabled and can only be re-enabled via .set_gen_refpol.

    set_gen_explain(self, explain=SHORT_EXPLANATION)
        Set whether access is explained.

    set_gen_dontaudit(self, dontaudit)
        Store the flag; when set, generated rules are dontaudit rules instead of allow rules.

    __set_module_style(self)
        Marks every declaration returned by module.module_declarations() as refpolicy style when ifgen is set, and as plain otherwise.

    set_module_name(self, name, version="1.0")
        Set the name of the module and optionally the version.
        Uses the existing refpolicy.ModuleDeclaration if the module has one; otherwise creates one and inserts it at the front of module.children. Then sets .name and .version on it and re-applies the refpolicy flag.

    get_module(self)
        If gen_requires is set, runs gen_requires(self.module) first; returns self.module.

    __restore_label(self, av)
        Calls selinux.matchpathcon(av.obj_path, 0) and compares the type field of the returned context with av.tgt_type. On mismatch records av.obj_path in self.mislabled; on match, or if matchpathcon raises OSError, mislabled is left as None.

    __add_allow_rules(self, avs)
        For each access vector builds a refpolicy.AVRule (rule_type DONTAUDIT when dontaudit is set), attaches the explain_access() text as the rule comment when explanation is enabled, and then prepends diagnostics derived from the access vector's audit2why result (ALLOW, DONTAUDIT, BOOLEAN, CONSTRAINT or TERULE), from av.base_file_type(), and from __restore_label(). For TERULE results involving write or create on a file or dir it queries setools sesearch (keyed by SCONTEXT, CLASS, PERMS) and seinfo to list the types the source domain is already allowed to write to. Finally appends the rule to module.children.

    add_access(self, av_set)
        Add the access from the access vector set to this module.
        If an interface generator is configured, av_set is passed through ifgen.gen(av_set, explain): the returned interface calls are added to module.children and only the residual raw access is passed to __add_allow_rules. Otherwise every access vector becomes a rule.

    add_role_types(self, role_type_set)
        Appends each role_type to module.children.

Diagnostic comments emitted by __add_allow_rules (%s fields are filled from the access vector):
    #!!!! WARNING: '%s' is a base type.
    #!!!! WARNING '%s' is not allowed to write or create to %s. Change the label to %s.
    #!!!! $ semanage fcontext -a -t %s %s%s
    #!!!! $ restorecon -R -v %s
    #!!!! The file '%s' is mislabeled on your system.
    #!!!! Fix with $ restorecon -R -v %s
    #!!!! This avc is allowed in the current policy
    #!!!! This avc has a dontaudit rule in the current policy
    #!!!! This avc can be allowed using one of these booleans:
    # %s
    #!!!! This avc can be allowed using the boolean '%s'
    #!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
    #Constraint rule:
    # %s
    # Possible cause is the source %s and target %s are different.
    #!!!! The source type '%s' can write to a '%s' of the following type:
    # %s
    #!!!! The source type '%s' can write to a '%s' of the following types:
    # %s

def explain_access(av, ml=None, verbosity=NO_EXPLANATION)

    Explain why a policy statement was generated.

    Return a string containing a text explanation of why a policy statement was generated. The string is commented and wrapped and can be directly inserted into a policy.

    Params:
      av - access vector representing the access. Should have .audit_msgs set appropriately.
      verbosity - the amount of explanation provided. Should be set to NO_EXPLANATION, SHORT_EXPLANATION, or LONG_EXPLANATION.

    Returns:
      list of strings - strings explaining the access or an empty string if verbosity=NO_EXPLANATION or there is not sufficient information to provide an explanation.

    LONG_EXPLANATION emits, for every audit message in av.audit_msgs: the message header, scontext="%s" tcontext="%s", class="%s" perms="%s", comm="%s" exe="%s" path="%s", and message="%s" wrapped with textwrap.wrap at 80 columns. SHORT_EXPLANATION emits src="%s" tgt="%s" class="%s", perms="%s" and, if there is at least one audit message, the comm/exe/path of the first. When a match list ml is given, a nested explain_interfaces() appends "Interface options:" followed by one line per candidate, " %s # [%d]", the interface call text and its match distance.

def call_interface(interface, av)
    Builds a refpolicy.InterfaceCall named after the interface, with the interface's parameters sorted by .num and filled from the access vector: SRC_TYPE gets av.src_type, TGT_TYPE gets av.tgt_type, OBJ_CLASS gets av.obj_class. Any other parameter kind is printed rather than filled.

class InterfaceGenerator

    __init__(self, ifs, perm_maps=None)
        Stores ifs, runs hack_check_ifs(ifs), creates matching.AccessMatcher(perm_maps) as self.matcher, and sets self.calls = [].

    hack_check_ifs(self, ifs)
        Marks an interface as not enabled when its parameters are not numbered contiguously from 1 or when a parameter type is not one of SRC_TYPE, TGT_TYPE or OBJ_CLASS.

    gen(self, avs, verbosity)
        Runs match(avs). For each matched access vector, builds a call via call_interface with the best match's interface, attaches explain_access(av, ml, verbosity) as the comment, and merges it into an existing call that matches the same interface if one is present; otherwise appends it. Returns (raw_av, ifcalls): the unmatched access vectors and the generated interface calls.

    match(self, avs)
        For each access vector creates a matching.MatchList and calls self.matcher.search_ifs(self.ifs, av, ans). Vectors with at least one match are stored with their match list; vectors with none are returned as raw access.

def gen_requires(module)
    Add require statements to the module.
    For every node in module.nodes() a nested collect_requires(node) builds a refpolicy.Require: for each av rule it adds src_types and tgt_types to the required types and each obj_class with the rule's perms via add_obj_class; for each interface call it adds the call arguments as types; for each role_type it adds the role and the type. The self pseudo-type is discarded from the type set and the Require is inserted at node.children[0].
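The allow-rule and require generation that PolicyGenerator.add_access, __add_allow_rules and gen_requires perform, shown as a self-contained model for the plain (no-interface) case. This is an added example, not sepolgen's own code: AccessVector, merge_access, collect_requires, render_rule and generate_module are assumed names standing in for sepolgen.access.AccessVector and refpolicy.Module, the module is emitted as text instead of an object tree, and the AVC lines in SAMPLE_AVS are constructed.

```python
"""Model of sepolgen's allow-rule and require generation (added example,
not sepolgen's code): one rule per (source, target, class) with merged
permissions, a require block listing every type and class/permission the
rules use, and an optional comment carrying the audit message behind each rule."""
from collections import defaultdict
from dataclasses import dataclass

NO_EXPLANATION, SHORT_EXPLANATION = 0, 1


@dataclass(frozen=True)
class AccessVector:
    """One requested access (assumed stand-in for sepolgen's AccessVector).
    audit_msg is the raw AVC line that asked for it, used only for comments."""
    src_type: str
    tgt_type: str
    obj_class: str
    perms: frozenset
    audit_msg: str = ""


def merge_access(avs):
    """Fold vectors with the same (source, target, class) into one so the
    module gets a single allow rule carrying the union of the permissions."""
    merged = {}
    for av in avs:
        key = (av.src_type, av.tgt_type, av.obj_class)
        if key in merged:
            old = merged[key]
            msgs = "\n".join(m for m in (old.audit_msg, av.audit_msg) if m)
            merged[key] = AccessVector(*key, old.perms | av.perms, msgs)
        else:
            merged[key] = av
    return list(merged.values())


def collect_requires(avs):
    """Build the require block: every type a rule references, and every
    object class together with the permissions the rules use on it."""
    types, classes = set(), defaultdict(set)
    for av in avs:
        types.update((av.src_type, av.tgt_type))
        classes[av.obj_class].update(av.perms)
    types.discard("self")  # 'self' is a keyword, never a declared type
    lines = ["require {", "    type %s;" % ", ".join(sorted(types))]
    for cls in sorted(classes):
        lines.append("    class %s { %s };" % (cls, " ".join(sorted(classes[cls]))))
    lines.append("}")
    return "\n".join(lines)


def render_rule(av, dontaudit=False, explain=NO_EXPLANATION):
    """Emit one allow (or dontaudit) rule, preceded by the audit message(s)
    that produced it when an explanation level is requested."""
    rule_type = "dontaudit" if dontaudit else "allow"
    perms = sorted(av.perms)
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    out = []
    if explain != NO_EXPLANATION and av.audit_msg:
        out.extend("# " + line for line in av.audit_msg.splitlines())
    out.append("%s %s %s:%s %s;" % (rule_type, av.src_type, av.tgt_type,
                                    av.obj_class, perm_str))
    return "\n".join(out)


def generate_module(avs, name, version="1.0", gen_requires=True,
                    dontaudit=False, explain=NO_EXPLANATION):
    """Assemble the module text: header, optional require block, then rules."""
    avs = sorted(merge_access(avs),
                 key=lambda a: (a.src_type, a.tgt_type, a.obj_class))
    parts = ["policy_module(%s, %s)" % (name, version), ""]
    if gen_requires:
        parts += [collect_requires(avs), ""]
    parts += [render_rule(av, dontaudit, explain) for av in avs]
    return "\n".join(parts) + "\n"


# Constructed sample denials; not captured from any real system.
SAMPLE_AVS = [
    AccessVector("httpd_t", "var_log_t", "file", frozenset({"open", "read"}),
                 'avc: denied { open read } for comm="httpd" path="/var/log/app.log" '
                 'scontext=system_u:system_r:httpd_t:s0 '
                 'tcontext=system_u:object_r:var_log_t:s0 tclass=file'),
    AccessVector("httpd_t", "var_log_t", "file", frozenset({"write"}),
                 'avc: denied { write } for comm="httpd" path="/var/log/app.log" '
                 'scontext=system_u:system_r:httpd_t:s0 '
                 'tcontext=system_u:object_r:var_log_t:s0 tclass=file'),
    AccessVector("httpd_t", "tmp_t", "dir", frozenset({"search"}),
                 'avc: denied { search } for comm="httpd" name="/" '
                 'scontext=system_u:system_r:httpd_t:s0 '
                 'tcontext=system_u:object_r:tmp_t:s0 tclass=dir'),
]

if __name__ == "__main__":
    print(generate_module(SAMPLE_AVS, "myhttpd", explain=SHORT_EXPLANATION))
```

Merging before rendering is what keeps the output to one allow line per target and class; the require block is built from the merged set so it lists exactly the permissions the rules use, which is what a policy compiler checks the module against.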