| Directory:~$ /proc/self/root/usr/lib64/python2.7/site-packages/sepolgen/ |
Classes and algorithms for the generation of SELinux policy.

PolicyGenerator

Generate a reference policy module from
access vectors.
PolicyGenerator generates a new reference policy module
or updates an existing module based on requested access
in the form of access vectors.
It generates allow rules and optionally module require
statements and reference policy interfaces. By default
only allow rules are generated. The methods .set_gen_refpol
and .set_gen_requires turn on interface generation and
requires generation respectively.
PolicyGenerator can also optionally add comments explaining
why a particular access was allowed based on the audit
messages that generated the access. The access vectors
passed in must have the .audit_msgs field set correctly
and .explain set to SHORT|LONG_EXPLANATION to enable this
feature.
The module created by PolicyGenerator can be passed to
output.ModuleWriter to output a text representation.

__init__

Initialize a PolicyGenerator with an optional
existing module.
If the module parameter is not None then access
will be added to the passed in module. Otherwise
a new reference policy module will be created.

set_gen_refpol

Set whether reference policy interfaces are generated.
To turn on interface generation pass in an interface set
to use for interface generation. To turn off interface
generation pass in None.
If interface generation is enabled requires generation
will also be enabled.

set_gen_requires

Set whether module requires are generated.
Passing in true will turn on requires generation and
False will disable generation. If requires generation is
disabled interface generation will also be disabled and
can only be re-enabled via .set_gen_refpol.

set_gen_explain

Set whether access is explained.

set_module_name

Set the name of the module and optionally the version.

__add_allow_rules

Comment strings embedded in __add_allow_rules:

#!!!! WARNING: '%s' is a base type.
#!!!! WARNING '%s' is not allowed to write or create to %s. Change the label to %s.
#!!!! $ semanage fcontext -a -t %s %s%s
#!!!! $ restorecon -R -v %s
#!!!! The file '%s' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v %s
#!!!! This avc is allowed in the current policy
#!!!! This avc has a dontaudit rule in the current policy
#!!!! This avc can be allowed using one of the these booleans:
# %s
#!!!! This avc can be allowed using the boolean '%s'
#!!!! This avc is a constraint violation. You would need to modify the
attributes of either the source or target types to allow this access.
#Constraint rule:
# Possible cause is the source %s and target %s are different.
#!!!! The source type '%s' can write to a '%s' of the following type:
# %s
#!!!! The source type '%s' can write to a '%s' of the following types:
# %s

add_access

Add the access from the access vector set to this
module.

explain_access

Explain why a policy statement was generated.
why a policy statement was generated. The string is
commented and wrapped and can be directly inserted
into a policy.
Params:
av - access vector representing the access. Should
have .audit_msgs set appropriately.
verbosity - the amount of explanation provided. Should
be set to NO_EXPLANATION, SHORT_EXPLANATION, or
LONG_EXPLANATION.
Returns:
list of strings - strings explaining the access or an empty
string if verbosity=NO_EXPLANATION or there is not sufficient
information to provide an explanation.

gen_requires

Add require statements to the module.