def _home_exec(self): permlist = sepolicy.search( [sepolicy.ALLOW], { 'source': self.type, 'target': 'user_home_type', 'class': 'file', 'permlist': [ 'ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open' ] }) self.fd.write(""" .SH HOME_EXEC """) if permlist is not None: self.fd.write(""" The SELinux user %s_u is able execute home content files. """ % self.domainname) else: self.fd.write(""" The SELinux user %s_u is not able execute home content files. """ % self.domainname)
def _home_exec(self): permlist = sepolicy.search( [sepolicy.ALLOW], { "source": self.type, "target": "user_home_type", "class": "file", "permlist": ["ioctl", "read", "getattr", "execute", "execute_no_trans", "open"], }, ) self.fd.write( """ .SH HOME_EXEC """ ) if permlist is not None: self.fd.write( """ The SELinux user %s_u is able execute home content files. """ % self.domainname ) else: self.fd.write( """ The SELinux user %s_u is not able execute home content files. """ % self.domainname )
def _entrypoints(self): try: entrypoints = [x['target'] for x in sepolicy.search([sepolicy.ALLOW],{'source':self.type, 'permlist':['entrypoint'], 'class':'file'})] except: return self.fd.write (""" .SH "ENTRYPOINTS" """) if len(entrypoints) > 1: entrypoints_str = "\\fB%s\\fP file types" % ", ".join(entrypoints) else: entrypoints_str = "\\fB%s\\fP file type" % entrypoints[0] self.fd.write (""" The %s_t SELinux type can be entered via the %s. The default entrypoint paths for the %s_t domain are the following: """ % (self.domainname, entrypoints_str, self.domainname)) if "bin_t" in entrypoints: entrypoints.remove("bin_t") self.fd.write (""" All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin.""") paths=[] for entrypoint in entrypoints: if entrypoint in self.fcdict: paths += self.fcdict[entrypoint]["regex"] self.fd.write(""" %s""" % ", ".join(paths))
def get_types(src, tclass, perm): allows = sepolicy.search([sepolicy.ALLOW], {sepolicy.SOURCE: src, sepolicy.CLASS: tclass, sepolicy.PERMS: perm}) nlist = [] if allows: for i in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): if i not in nlist: nlist.append(i) return nlist
def search_rules(types=[sepolicy.ALLOW], source="", target="", perms=[], klass=""): options = SEPolicyRules.options(source, target, perms, klass) rules = sepolicy.search(types, options) return rules
def get_types(src, tclass, perm): allows = sepolicy.search([sepolicy.ALLOW], {sepolicy.SOURCE: src, sepolicy.CLASS: tclass, sepolicy.PERMS: perm}) if not allows: raise ValueError("The %s type is not allowed to %s any types" % (src, ",".join(perm))) tlist = [] for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): tlist = tlist + expand_attribute(l) return tlist
def load_sepolicy_rules(types=None, info={}): if types is None: types = [ sepolicy.ALLOW, sepolicy.AUDITALLOW, #sepolicy.NEVERALLOW, sepolicy.DONTAUDIT, sepolicy.TRANSITION, sepolicy.ROLE_ALLOW ] rules = sepolicy.search(types, info) return rules
def _writes(self): permlist = sepolicy.search( [sepolicy.ALLOW], {"source": self.type, "permlist": ["open", "write"], "class": "file"} ) if permlist == None or len(permlist) == 0: return all_writes = [] attributes = ["proc_type", "sysctl_type"] for i in permlist: if not i["target"].endswith("_t"): attributes.append(i["target"]) for i in permlist: if self._valid_write(i["target"], attributes): if i["target"] not in all_writes: all_writes.append(i["target"]) if len(all_writes) == 0: return self.fd.write( """ .SH "MANAGED FILES" """ ) self.fd.write( """ The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. """ % self.domainname ) all_writes.sort() if "file_type" in all_writes: all_writes = ["file_type"] for f in all_writes: self.fd.write( """ .br .B %s """ % f ) if f in self.fcdict: for path in self.fcdict[f]["regex"]: self.fd.write( """\t%s .br """ % path )
def _home_exec(self): permlist = sepolicy.search([sepolicy.ALLOW],{'source':self.type,'target':'user_home_type', 'class':'file', 'permlist':['ioctl', 'read', 'getattr', 'execute', 'execute_no_trans', 'open']}) self.fd.write(""" .SH HOME_EXEC """ ) if permlist is not None: self.fd.write(""" The SELinux user %s_u is able execute home content files. """ % self.domainname) else: self.fd.write(""" The SELinux user %s_u is not able execute home content files. """ % self.domainname)
def _gen_bools(self): self.bools=[] self.domainbools=[] for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x, sepolicy.search([sepolicy.ALLOW],{'source' : self.type }))): for b in i: if not isinstance(b,tuple): continue if b[0].startswith(self.short_name): if b not in self.domainbools and (b[0], not b[1]) not in self.domainbools: self.domainbools.append(b) else: if b not in self.bools and (b[0], not b[1]) not in self.bools: self.bools.append(b) self.bools.sort() self.domainbools.sort()
def get_types(src, tclass, perm): allows = sepolicy.search([sepolicy.ALLOW], { sepolicy.SOURCE: src, sepolicy.CLASS: tclass, sepolicy.PERMS: perm }) if not allows: raise ValueError("The %s type is not allowed to %s any types" % (src, ",".join(perm))) tlist = [] for l in map( lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): tlist = tlist + expand_attribute(l) return tlist
def _writes(self): permlist = sepolicy.search([sepolicy.ALLOW], { 'source': self.type, 'permlist': ['open', 'write'], 'class': 'file' }) if permlist is None or len(permlist) == 0: return all_writes = [] attributes = ["proc_type", "sysctl_type"] for i in permlist: if not i['target'].endswith("_t"): attributes.append(i['target']) for i in permlist: if self._valid_write(i['target'], attributes): if i['target'] not in all_writes: all_writes.append(i['target']) if len(all_writes) == 0: return self.fd.write(""" .SH "MANAGED FILES" """) self.fd.write(""" The SELinux process type %s_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. """ % self.domainname) all_writes.sort() if "file_type" in all_writes: all_writes = ["file_type"] for f in all_writes: self.fd.write(""" .br .B %s """ % f) if f in self.fcdict: for path in self.fcdict[f]["regex"]: self.fd.write("""\t%s .br """ % path)
def _entrypoints(self): try: entrypoints = map( lambda x: x['target'], sepolicy.search( [sepolicy.ALLOW], { 'source': self.type, 'permlist': ['entrypoint'], 'class': 'file' })) except: return self.fd.write(""" .SH "ENTRYPOINTS" """) if len(entrypoints) > 1: entrypoints_str = "\\fB%s\\fP file types" % ", ".join(entrypoints) else: entrypoints_str = "\\fB%s\\fP file type" % entrypoints[0] self.fd.write(""" The %s_t SELinux type can be entered via the %s. The default entrypoint paths for the %s_t domain are the following: """ % (self.domainname, entrypoints_str, self.domainname)) if "bin_t" in entrypoints: entrypoints.remove("bin_t") self.fd.write(""" All executeables with the default executable label, usually stored in /usr/bin and /usr/sbin.""" ) paths = [] for entrypoint in entrypoints: if entrypoint in self.fcdict: paths += self.fcdict[entrypoint]["regex"] self.fd.write(""" %s""" % ", ".join(paths))
def _get_trans(src): return sepolicy.search([sepolicy.TRANSITION], { sepolicy.SOURCE: src, sepolicy.CLASS: "process" })
def _get_trans(src): return sepolicy.search([sepolicy.TRANSITION], {sepolicy.SOURCE: src, sepolicy.CLASS: "process"})
def _entrypoint(src): trans = sepolicy.search([sepolicy.ALLOW], {sepolicy.SOURCE: src}) return map(lambda y: y[sepolicy.TARGET], filter(lambda x: "entrypoint" in x[sepolicy.PERMS], trans))