4]c@sdddddgZddlZddlZddlZddlZddlTddlmZddlZddlZddl Z ddl Z ddl Z id0d 6d1d6dd6dd6Z idgd6dgd6ddgd6dgd6d gd!6d"gd#6Z d$gZdad%d&Zdadad'Zdad(Zdad)Zdad*Zd+ZgZgZd,Zd-Zdd2d.YZ dd3d/YZ!dS(4tManPaget HTMLManPagestmanpage_domainst manpage_rolest gen_domainsiN(t*(tutiltamavis_ttclamd_tt clamscan_tt freshclam_tt antivirus_tt rgmanager_tt corosync_tt aisexec_tt pacemaker_tt cluster_ttqemu_ttsvirt_ttphpfpm_tthttpd_ttsambatsmbdtapachethttpdtvirttlibvirttvirtdtbindtnamedtsmartmontfsdaemontraidtmdadms/vars#/usr/share/selinux/devel/policy.xmlcCstr tSddl}iay|jjjt|}x|jdD]}x|jdD]}|jd}|dks`|dkrq`n|dkrd}n|dkrd}nx$|jd D]}|jt||D]6}|j|d|dt|djddsrootR@(tuserst users_rangetinfotUSERtappendtsplittreplacetsort(talluserst allusers_infotdtu((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pytget_all_users_infoRs    #    cCs*ts&tjtjdddantS(Nt entry_typeittypes(tall_entrypointstsepolicyREt ATTRIBUTE(((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pytget_entrypointsjs cCstr tSgax@tD]5}t}|d }|tkrBqntj|qWxDtD]9}|d tks]|dkrq]ntj|d q]WtjtS(Nitsystem_r(tdomainstget_all_domainstFalseRGt get_all_rolesRJ(RMtfoundtdomaintrole((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRss   cCsetr tStjtj}iax<|D]4}y|dt|d/dev/nulltstderrtshelltwb( t subprocesst check_outputtSTDOUTtTruetCalledProcessErrortsysRttwriteRt decode_inputtoutputtopentclose(t html_manpagetmanpagetman_pageR:tfd((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pytconvert_manpage_to_htmls    cBs;eZdZdZdZdZdZdZRS(sG Generate a HHTML Manpages on an given SELinux domains cCsmt||_t||_||_|d|_|j|_|jrV|jnd|GHtddS(NRis7SELinux HTML man pages can not be generated for this %si(RsRRt os_versiontold_pathtnew_patht _HTMLManPages__gen_html_manpagestexit(tselfRRR4R((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyt__init__s      cCs"|j|j|jdS(N(t_write_html_manpaget _gen_indext_gen_css(R((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyt__gen_html_manpagess  cCs tjj|js(tj|jnxlt|jjD]U}t|r>x@|D]5}t |j|j dddd|j |qWWq>q>Wxlt|j jD]U}t|rx@|D]5}t |j|j dddd|j |qWqqWdS(Nt_selinuxiis.html( tosR4tisdirRtmkdirtlistRtvaluesReRtrsplitRR(RR\RMR]tr((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRs  :  c Cs |jd}t|d}|jd|jx>|jD]3}t|j|r:|jd||fq:q:W|jdd}xy|jD]n}t|j|r|d7}xH|j|D]6}|jdd d }|d ||||f7}qWqqW|jd |x>|jD]3}t|j|r|jd ||fqqW|jdd}xy|jD]n}t|j|ro|d7}xH|j|D]6}|jdd d }|d||||f7}qWqoqoW|jd||jd|GHdS(Ns index.htmltws SELinux man pages

SELinux man pages for %s

SELinux roles

s %ss 
RBs
Riiso%s_selinux(8) - Security Enhanced Linux Policy for the %s SELinux user
sH%s

SELinux domains

s3 %s sv%s_selinux(8) - Security Enhanced Linux Policy for the %s SELinux processes s%s s%s has been created( RRR}RRReRRR( RthtmlRtlettert rolename_bodyRtrolenametdomainname_bodyt domainname((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRsL   % %  cCs@|jd}t|d}|jd|jd|GHdS(Ns style.cssRsf html, body { background-color: #fcfcfc; font-family: arial, sans-serif; font-size: 110%; color: #333; } h1, h2, h3, h4, h5, h5 { color: #2d7c0b; font-family: arial, sans-serif; margin-top: 25px; } a { color: #336699; text-decoration: none; } a:visited { color: #4488bb; } a:hover, a:focus, a:active { color: #07488A; text-decoration: none; } a.func { color: red; text-decoration: none; } a.file { color: red; text-decoration: none; } pre.code { background-color: #f4f0f4; // font-family: monospace, courier; font-size: 110%; margin-left: 0px; margin-right: 60px; padding-top: 5px; padding-bottom: 5px; padding-left: 8px; padding-right: 8px; border: 1px solid #AADDAA; } .url { font-family: serif; font-style: italic; color: #440064; } s%s has been created(RRR}R(Rt style_cssR((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyR*s  7 (t__name__t __module__t__doc__RRRRR(((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRs     GcBs^eZdZd'ZddgZddeedZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(RS((sK Generate a Manpage on an SELinux domain in the specified path tDisabledtEnableds/tmpRicCs||_||_||_td|_t|_t|_t |_ t |_ t |_t|_td|_td|_t|_t|_t|_|jr|jd|_n|jtj|_t|j|_tj j!|stj"|n||_ |jrB|jd|_#n|jd|_#t$|j#|_%t&|\|_'|_(|j'd|_)|j*d||j'f|_+t,|j+d|_-|j'd |jkr|j.|jr&t/j0|j+q&n&|jrt1j0|j+n|j2|j-j3xNt4t5j6D]:}||j'krFx"t5|D]}|j7|qfWqFqFWdS( Niit file_contextss policy.xmls#/usr/share/selinux/devel/policy.xmlt_ts%s/%s_selinux.8Rt_r(8Rt source_filesR?t gen_port_dicttportrecsRRWRXt all_domainstget_all_attributestall_attributest get_all_boolst all_boolstget_all_port_typestall_port_typesRZt all_rolesROt all_userstall_users_rangetget_all_file_typestall_file_typestget_all_role_allowst role_allowsRbRQtfcpathtselinuxtselinux_file_context_patht get_fcdicttfcdictRR4texiststmakedirstxmlpatht gen_bool_dictt booleans_dicttgen_short_nameRt short_namettypet _gen_boolst man_page_pathRRt_ManPage__gen_user_man_pageRRGRt_ManPage__gen_man_pageRRt equiv_dicttkeyst_ManPage__gen_man_page_link(RRR4R?RRtktalias((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRqsV                     cCsg|_g|_|jg}|jtkrox?t|jD]-}|d|jkr;|j|dq;q;Wnx>|D]6}t|\}}|j|7_|j|7_qvW|jj|jjdS(NR( tboolst domainboolsRRRRRGt get_boolsRJ(RRQttRR((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRs     cCs|jS(N(R(R((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pytget_man_page_pathscCs'|jd|_|js.t|j|_ny|j|j|_Wnd|j|_nX|j|jkrtjtj |j dd|_ |j |j |j|j|j|j|j|jn|j|j|j|j|j|jdS(NRs %s user roleiR^(RR]R*R;RtdescRRSRER_RR^t _user_headert_user_attributet _can_sudot_xwindows_logint_networkt _booleanst _home_exect _transitionst _role_headert _port_typest _mcs_typest_writest_footer(R((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyt__gen_user_man_pages. #             cCs_d|j|f}td|j|fd|_|jjd|j|jj|GHdS(Ns%s/%s_selinux.8Rs.so man8/%s_selinux.8(R4RRR}RR(RRR4((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyt__gen_man_page_links  cCsAg|_i|_g|_|jx|jD]}yWt|r|j}|j}xt|D]}|j|q_W||_||_nWntk rq/nXt j t j d|dd|j|}x5||D])\}}|jjd d j|qWq{Wn|j|jdd }t|dkr'|jjd |jxI|D]>}x5||D])\}}|jjd d j|qWqWq'q'WdS(Ni(tnetworks .SH NETWORK R R t name_bindisH .TP The SELinux user %s_u is able to listen on the following %s ports. s .B %s R t name_connectsJ .TP The SELinux user %s_u is able to connect to the following tcp ports. (stcpsudp( RSRDRR}tget_network_connectRReRRd(RRDtnettportdictR RR((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRes(        c Cstjtjgi|jd6dd6dd6dddd d d gd 6}|jjd |dk r|jjd|jn|jjd|jdS(NR%tuser_home_typeR*R(R)tioctltreadtgetattrtexecutetexecute_no_transRR's .SH HOME_EXEC s; The SELinux user %s_u is able execute home content files. s? The SELinux user %s_u is not able execute home content files. (RSR,R-RRR}R6R(RR'((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRsI    cCs,|jjdi|jd6|jd6dS(Ns .SH TRANSITIONS Three things can happen when %(type)s attempts to execute a program. \fB1.\fP SELinux Policy can deny %(type)s from executing the program. .TP \fB2.\fP SELinux Policy can allow %(type)s to execute the program in the current user type. Execute the following to see the types that the SELinux user %(type)s can execute without transitioning: .B sesearch -A -s %(type)s -c file -p execute_no_trans .TP \fB3.\fP SELinux can allow %(type)s to execute the program and transition to a new type. Execute the following to see the types that the SELinux user %(type)s can execute and transition: .B $ sesearch -A -s %(type)s -c process -p transition R%R(RR}RR(R((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRs cCs|jjdi|jd6|jjdi|jd6|jd6g}x;|jD]0}|jd|j|krV|j|qVqVWt|dkrd}t|dkrd }|jjd d j|||jfqndS( Nsd.TH "%(user)s_selinux" "8" "%(user)s" "mgrepl@redhat.com" "%(user)s SELinux Policy documentation"R%s] .SH "NAME" %(user)s_r \- \fB%(desc)s\fP - Security Enhanced Linux Policy .SH DESCRIPTION SELinux supports Roles Based Access Control (RBAC), some Linux roles are login roles, while other roles need to be transition into. .I Note: Examples in this man page will use the .B staff_u SELinux user. Non login roles are usually used for administrative tasks. For example, tasks that require root privileges. Roles control which types a user can run processes with. Roles often have default types assigned to them. The default type for the %(user)s_r role is %(user)s_t. The .B newrole program to transition directly to this role. .B newrole -r %(user)s_r -t %(user)s_t .B sudo is the preferred method to do transition from one role to another. You setup sudo to transition to %(user)s_r by adding a similar line to the /etc/sudoers file. USERNAME ALL=(ALL) ROLE=%(user)s_r TYPE=%(user)s_t COMMAND .br sudo will run COMMAND as staff_u:%(user)s_r:%(user)s_t:LEVEL When using a a non login role, you need to setup SELinux so that your SELinux user can reach %(user)s_r role. Execute the following to see all of the assigned SELinux roles: .B semanage user -l You need to add %(user)s_r to the staff_u user. You could setup the staff_u user to be able to use the %(user)s_r role with a command like: .B $ semanage user -m -R 'staff_r system_r %(user)s_r' staff_u RRiRBiRs SELinux policy also controls which roles can transition to a different role. You can list these rules using the following command. .B sesearch --role_allow SELinux policy allows the %s role%s can transition to the %s_r role. s, (RR}RRRRGReRd(RttrolesRpR((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRs  ) N()RRRR6R*RRYRRRRRRRRRRRRRRRRRR!RRR$RRRR9RRRRRCRRRR(((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pyRjsJ 8     !        + o " + (  - )      (RRR R (R R RR((("t__all__RltargparseRRStsepolgenRRwR|RtreRRRRR6R*R;RCRDRORRRURWRRQRbRhRRRsRRR(((s6/usr/lib64/python2.7/site-packages/sepolicy/manpage.pytsH           E