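    def _entrypoints(self):
        """Write the ENTRYPOINTS man-page section for this domain.

        Collects every file type that ``self.type`` may use as an
        ``entrypoint`` (class ``file``) and lists it together with the
        default file-context paths found in ``self.fcdict``.  Writes nothing
        at all when the domain has no entrypoint.

        Reads ``self.type``, ``self.domainname``, ``self.fcdict`` and writes
        to ``self.fd``.
        """
        # Keep first-seen order but drop repeats: several allow rules (for
        # example a conditional and an unconditional one) can name the same
        # target, and a repeated name would both duplicate the listing and make
        # the singular/plural choice below wrong.
        entrypoints = list(dict.fromkeys(
            rule['target']
            for rule in sepolicy.get_all_allow_rules()
            if rule['source'] == self.type
            and rule['class'] == 'file'
            and 'entrypoint' in rule['permlist']
        ))
        if not entrypoints:
            return

        self.fd.write("""
.SH "ENTRYPOINTS"
""")
        # \fB ... \fP are roff bold markers; the backslashes are escaped so they
        # reach the output literally.
        if len(entrypoints) > 1:
            entrypoints_str = "\\fB%s\\fP file types" % ", ".join(entrypoints)
        else:
            entrypoints_str = "\\fB%s\\fP file type" % entrypoints[0]

        self.fd.write("""
The %s_t SELinux type can be entered via the %s.

The default entrypoint paths for the %s_t domain are the following:
""" % (self.domainname, entrypoints_str, self.domainname))
        # bin_t is described in prose instead of by its file-context regexes,
        # so take it out of the path listing below.
        if "bin_t" in entrypoints:
            entrypoints.remove("bin_t")
            self.fd.write("""
All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin.""")

        # Types without a file-context entry are simply not listed.
        paths = []
        for entrypoint in entrypoints:
            if entrypoint in self.fcdict:
                paths += self.fcdict[entrypoint]["regex"]

        self.fd.write("""
%s""" % ", ".join(paths))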
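    def _entrypoints(self):
        """Emit the ENTRYPOINTS section of the man page for this domain.

        An entrypoint is any ``file``-class target that an allow rule with
        source ``self.type`` grants the ``entrypoint`` permission on.  The
        section names those types and, for the ones present in
        ``self.fcdict``, their default file-context paths.  Nothing is
        written when the domain has no entrypoint.

        Reads ``self.type``, ``self.domainname``, ``self.fcdict``; writes to
        ``self.fd``.
        """
        # One entry per target in first-seen order. The same target can be
        # reported by more than one allow rule, and a duplicate would be
        # printed twice and miscount the singular/plural wording below.
        seen = set()
        entrypoints = []
        for rule in sepolicy.get_all_allow_rules():
            if rule['source'] != self.type or rule['class'] != 'file':
                continue
            if 'entrypoint' not in rule['permlist'] or rule['target'] in seen:
                continue
            seen.add(rule['target'])
            entrypoints.append(rule['target'])

        if not entrypoints:
            return

        self.fd.write("""
.SH "ENTRYPOINTS"
""")
        # roff bold markers (\fB ... \fP) are written with escaped backslashes
        # so they survive into the generated page.
        if len(entrypoints) == 1:
            entrypoints_str = "\\fB%s\\fP file type" % entrypoints[0]
        else:
            entrypoints_str = "\\fB%s\\fP file types" % ", ".join(entrypoints)

        self.fd.write("""
The %s_t SELinux type can be entered via the %s.

The default entrypoint paths for the %s_t domain are the following:
""" % (self.domainname, entrypoints_str, self.domainname))
        # bin_t gets a prose description rather than its file-context regexes.
        if "bin_t" in entrypoints:
            entrypoints.remove("bin_t")
            self.fd.write("""
All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin.""")

        # Only types with a file-context entry contribute paths.
        paths = [
            path
            for entrypoint in entrypoints
            if entrypoint in self.fcdict
            for path in self.fcdict[entrypoint]["regex"]
        ]

        self.fd.write("""
%s""" % ", ".join(paths))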
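    def _writes(self):
        """Write the MANAGED FILES section: file types this domain can write.

        A rule counts when its source is ``self.type`` or one of the
        attributes assigned to that type, its class is ``file`` and its
        permission list contains both ``open`` and ``write``.  The targets
        are filtered through ``self._valid_write``, printed sorted, each
        followed by its default paths from ``self.fcdict``.  Nothing is
        written when there is nothing to report.

        Reads ``self.type``, ``self.domainname``, ``self.fcdict``; calls
        ``self._valid_write``; writes to ``self.fd``.
        """
        # Rules may be granted to an attribute the type belongs to, so those
        # attributes count as sources as well as the type itself.
        src_list = [self.type]
        type_info = next(
            (t for t in sepolicy.get_all_types_info() if t['name'] == self.type),
            None,
        )
        if type_info is not None:
            # A missing 'attributes' key means "no attributes"; this replaces
            # the former bare except/pass without hiding unrelated errors.
            # Assumes type-info entries are plain dicts (they are subscripted
            # by key above).
            src_list += type_info.get('attributes', [])
        sources = set(src_list)

        required = {'open', 'write'}
        permlist = [
            rule for rule in sepolicy.get_all_allow_rules()
            if rule['source'] in sources
            and rule['class'] == 'file'
            and required.issubset(rule['permlist'])
        ]
        if not permlist:
            return

        # _valid_write decides which targets are reported; the attribute list
        # is handed to it unchanged.
        attributes = ["proc_type", "sysctl_type"]
        all_writes = sorted({
            rule['target'] for rule in permlist
            if self._valid_write(rule['target'], attributes)
        })
        if not all_writes:
            return

        self.fd.write("""
.SH "MANAGED FILES"
""")
        self.fd.write("""
The SELinux process type %s_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
""" % self.domainname)

        # Write access to the file_type attribute covers every file type, so
        # listing anything else would be redundant.
        if "file_type" in all_writes:
            all_writes = ["file_type"]
        for f in all_writes:
            self.fd.write("""
.br
.B %s

""" % f)
            if f in self.fcdict:
                for path in self.fcdict[f]["regex"]:
                    self.fd.write("""\t%s
.br
""" % path)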
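    def _writes(self):
        """Emit the MANAGED FILES section listing the file types this domain may write.

        Sources considered are ``self.type`` plus the attributes assigned to
        it; a rule qualifies when its class is ``file`` and its permission
        list holds both ``open`` and ``write``.  Targets accepted by
        ``self._valid_write`` are printed in sorted order with their default
        paths from ``self.fcdict``.  Writes nothing when no target qualifies.

        Reads ``self.type``, ``self.domainname``, ``self.fcdict``; calls
        ``self._valid_write``; writes to ``self.fd``.
        """
        # Attributes assigned to the type can carry the allow rule, so treat
        # them as additional sources.
        sources = {self.type}
        for info in sepolicy.get_all_types_info():
            if info['name'] == self.type:
                # No 'attributes' key is treated as no attributes; the bare
                # except/pass this replaces also swallowed unrelated errors.
                # Assumes entries are plain dicts, as the key lookup above does.
                sources.update(info.get('attributes', []))
                break

        needed = {'open', 'write'}
        permlist = []
        for rule in sepolicy.get_all_allow_rules():
            if rule['source'] not in sources or rule['class'] != 'file':
                continue
            if needed.issubset(rule['permlist']):
                permlist.append(rule)
        if not permlist:
            return

        # The attribute list is passed through to _valid_write unchanged.
        attributes = ["proc_type", "sysctl_type"]
        targets = set()
        for rule in permlist:
            if self._valid_write(rule['target'], attributes):
                targets.add(rule['target'])
        if not targets:
            return

        self.fd.write("""
.SH "MANAGED FILES"
""")
        self.fd.write("""
The SELinux process type %s_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
""" % self.domainname)

        # file_type is the attribute of all file types; once it is writable the
        # individual types add nothing.
        all_writes = ["file_type"] if "file_type" in targets else sorted(targets)
        for f in all_writes:
            self.fd.write("""
.br
.B %s

""" % f)
            if f in self.fcdict:
                for path in self.fcdict[f]["regex"]:
                    self.fd.write("""\t%s
.br
""" % path)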
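    def _home_exec(self):
        """Write the HOME_EXEC section: whether this user may execute home content.

        The positive wording is used only when at least one allow rule grants
        ``self.type`` the full execute permission set (ioctl, read, getattr,
        execute, execute_no_trans, open) on ``user_home_type`` files;
        otherwise the negative wording is written.

        Reads ``self.type`` and ``self.domainname``; writes to ``self.fd``.
        """
        required = {'ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open'}
        can_exec = any(
            rule['source'] == self.type
            and rule['target'] == 'user_home_type'
            and rule['class'] == 'file'
            and required.issubset(rule['permlist'])
            for rule in sepolicy.get_all_allow_rules()
        )
        self.fd.write("""
.SH HOME_EXEC
""")
        # The previous `list(...) is not None` test was always true, so the
        # page claimed execute access for every user regardless of policy;
        # the wording has to follow whether a matching rule exists.
        if can_exec:
            self.fd.write("""
The SELinux user %s_u is able execute home content files.
""" % self.domainname)

        else:
            self.fd.write("""
The SELinux user %s_u is not able execute home content files.
""" % self.domainname)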
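    def _home_exec(self):
        """Emit the HOME_EXEC section stating whether home content is executable.

        Looks for an allow rule from ``self.type`` to ``user_home_type`` on
        class ``file`` that carries every permission in the execute set
        (ioctl, read, getattr, execute, execute_no_trans, open).  The
        "is able" wording is written only when such a rule exists.

        Reads ``self.type`` and ``self.domainname``; writes to ``self.fd``.
        """
        exec_perms = {'ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open'}
        has_rule = False
        for rule in sepolicy.get_all_allow_rules():
            if rule['source'] != self.type or rule['target'] != 'user_home_type':
                continue
            if rule['class'] == 'file' and exec_perms.issubset(rule['permlist']):
                has_rule = True
                break

        self.fd.write("""
.SH HOME_EXEC
""")
        # Deciding on `list(...) is not None` would always take the positive
        # branch and misstate the policy; decide on an actual matching rule.
        if not has_rule:
            self.fd.write("""
The SELinux user %s_u is not able execute home content files.
""" % self.domainname)
        else:
            self.fd.write("""
The SELinux user %s_u is able execute home content files.
""" % self.domainname)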