def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
if self.explain:
rule.comment = refpolicy.Comment(
explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
if self.dontaudit:
rule.rule_type = rule.DONTAUDIT
rule.comment = ""
if self.explain:
rule.comment = str(
refpolicy.Comment(
explain_access(av, verbosity=self.explain)))
if av.type == audit2why.ALLOW:
rule.comment += "#!!!! This avc is allowed in the current policy\n"
if av.type == audit2why.DONTAUDIT:
rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(
map(lambda x: x[0], av.data))
else:
rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[
0][0]
if av.type == audit2why.CONSTRAINT:
rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
rule.comment += "#Constraint rule: "
for reason in av.data:
rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
try:
if (av.type == audit2why.TERULE and "write" in av.perms
and ("dir" in av.obj_class or "open" in av.perms)):
if not self.domains:
self.domains = seinfo(ATTRIBUTE,
name="domain")[0]["types"]
types = []
for i in map(
lambda x: x[TCONTEXT],
sesearch(
[ALLOW], {
SCONTEXT: av.src_type,
CLASS: av.obj_class,
PERMS: av.perms
})):
if i not in self.domains:
types.append(i)
if len(types) == 1:
rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % (
av.src_type, av.obj_class, ", ".join(types))
elif len(types) >= 1:
rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % (
av.src_type, av.obj_class, ", ".join(types))
except:
pass
self.module.children.append(rule)
def p_avrule_def(p):
'''avrule_def : ALLOW names names COLON names names SEMI
| DONTAUDIT names names COLON names names SEMI
| AUDITALLOW names names COLON names names SEMI
'''
a = refpolicy.AVRule()
if p[1] == 'dontaudit':
a.rule_type = refpolicy.AVRule.DONTAUDIT
elif p[1] == 'auditallow':
a.rule_type = refpolicy.AVRule.AUDITALLOW
a.src_types = p[2]
a.tgt_types = p[3]
a.obj_classes = p[5]
a.perms = p[6]
p[0] = a
o("Parsing support macros (%s): " % support_macros)
spt = refpolicy.SupportMacros()
parse_file(support_macros, spt)
headers.children.append(spt)
# FIXME: Total hack - add in can_exec rather than parse the insanity
# of misc_macros. We are just going to preten that this is an interface
# to make the expansion work correctly.
can_exec = refpolicy.Interface("can_exec")
av = access.AccessVector([
"$1", "$2", "file", "execute_no_trans", "read", "getattr", "lock",
"execute", "ioctl"
])
can_exec.children.append(refpolicy.AVRule(av))
headers.children.append(can_exec)
o("done.\n")
if output and not debug:
status = util.ConsoleProgressBar(sys.stdout, steps=len(modules))
status.start("Parsing interface files")
failures = []
for x in modules:
m = refpolicy.Module()
m.name = x[0]
try:
if expand:
parse_file(x[1], m, spt)