def to_string(self, default_level=None):
    """Render this security context as 'user:role:type[:level]'.

    The level field comes from self.level when it is set.  When self.level
    is None, *default_level* is used if one was given; otherwise an "s0"
    level is appended only when libselinux reports that the running policy
    is MLS-enabled, so the result stays a valid context for that policy.

    Arguments:
      default_level - level string to substitute when self.level is None.

    Returns:
      The colon-joined context string.
    """
    level = self.level
    if level is None:
        level = default_level
        # Only consult libselinux when neither the context nor the caller
        # supplied a level.
        if level is None and selinux.is_selinux_mls_enabled() == 1:
            level = "s0"
    parts = [self.user, self.role, self.type]
    if level is not None:
        parts.append(level)
    return ":".join(parts)
def selinux_mls_enabled(self):
    """Report whether the host's SELinux policy is MLS/MCS-aware.

    Returns False without calling into libselinux when the module-level
    HAVE_SELINUX flag is false (presumably set when the selinux binding
    could not be imported), so the check is safe on hosts without SELinux.
    """
    if not HAVE_SELINUX:
        return False
    # libselinux reports 1 for MLS-enabled, 0 otherwise; normalise to a bool.
    return selinux.is_selinux_mls_enabled() == 1
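def get_selinux_status():
    '''
    Get SELinux status information.

    Returns a SELinuxFacts instance describing the host's SELinux state, or
    None when the libselinux python binding is missing (that failure is
    reported through api.report_error rather than raised).

    Fields collected:
      enabled       - SELinux is active in the running kernel.
      mls_enabled   - the loaded policy is MLS/MCS-aware.
      runtime_mode  - "enforcing" or "permissive" as currently applied.
      static_mode   - mode configured in /etc/selinux/config, or "disabled".
      policy        - configured policy type name.
    '''
    try:
        import selinux
    except ImportError:
        api.report_error(
            "SELinux Import Error",
            details="libselinux-python package must be installed.")
        return None

    outdata = {
        'enabled': selinux.is_selinux_enabled() == 1,
        'mls_enabled': selinux.is_selinux_mls_enabled() == 1,
    }
    try:
        # security_getenforce() mirrors the getenforce command: 1 enforcing,
        # 0 permissive.  A negative (error) result is reported as
        # "permissive" here, matching the historical behaviour of this code.
        outdata['runtime_mode'] = (
            "enforcing" if selinux.security_getenforce() == 1 else "permissive")
        # selinux_getenforcemode() yields (rc, mode).  The mode out-parameter
        # is only meaningful when rc == 0, so a failed call is treated as
        # "disabled" instead of interpreting an undefined value.
        result = selinux.selinux_getenforcemode()
        rc, enforce_mode = result[0], result[1]
        if rc == 0 and enforce_mode >= 0:
            outdata['static_mode'] = (
                "enforcing" if enforce_mode == 1 else "permissive")
        else:
            outdata['static_mode'] = "disabled"
        outdata['policy'] = selinux.selinux_getpolicytype()[1]
    except OSError:
        # Raised when SELinux is disabled and the selinuxfs / config files
        # are absent ([Errno 2] No such file or directory).
        outdata['runtime_mode'] = 'permissive'
        outdata['static_mode'] = 'disabled'
        outdata['policy'] = 'targeted'
    return SELinuxFacts(**outdata)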
def test_from_string(self):
    """Round-trip contexts through SecurityContext.from_string / to_string."""
    plain = "user_u:object_r:foo_t"
    sc = refpolicy.SecurityContext()
    sc.from_string(plain)
    self.assertEqual((sc.user, sc.role, sc.type, sc.level),
                     ("user_u", "object_r", "foo_t", None))
    # Without a parsed level, str() appends "s0" only on an MLS host.
    expected = plain + ":s0" if selinux.is_selinux_mls_enabled() else plain
    self.assertEqual(str(sc), expected)
    # An explicit default level is used when the context carries none.
    self.assertEqual(sc.to_string(default_level="s1"), plain + ":s1")

    ranged = "user_u:object_r:foo_t:s0-s0:c0-c255"
    sc = refpolicy.SecurityContext()
    sc.from_string(ranged)
    self.assertEqual((sc.user, sc.role, sc.type, sc.level),
                     ("user_u", "object_r", "foo_t", "s0-s0:c0-c255"))
    # A level parsed from the input is preserved verbatim either way.
    self.assertEqual(str(sc), ranged)
    self.assertEqual(sc.to_string(), ranged)

    # A string that is not a valid context is rejected.
    sc = refpolicy.SecurityContext()
    self.assertRaises(ValueError, sc.from_string, "abc")
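def test_from_string(self):
    """Round-trip contexts through SecurityContext.from_string / to_string.

    Uses assertEqual throughout: assertEquals was only a deprecated alias
    and no longer exists on Python 3.12+, so the old spelling would make
    this test error out rather than check anything.
    """
    context = "user_u:object_r:foo_t"
    sc = refpolicy.SecurityContext()
    sc.from_string(context)
    self.assertEqual(sc.user, "user_u")
    self.assertEqual(sc.role, "object_r")
    self.assertEqual(sc.type, "foo_t")
    self.assertEqual(sc.level, None)
    # Without a parsed level, str() appends "s0" only on an MLS host.
    if selinux.is_selinux_mls_enabled():
        self.assertEqual(str(sc), context + ":s0")
    else:
        self.assertEqual(str(sc), context)
    # An explicit default level is used when the context carries none.
    self.assertEqual(sc.to_string(default_level="s1"), context + ":s1")

    context = "user_u:object_r:foo_t:s0-s0:c0-c255"
    sc = refpolicy.SecurityContext()
    sc.from_string(context)
    self.assertEqual(sc.user, "user_u")
    self.assertEqual(sc.role, "object_r")
    self.assertEqual(sc.type, "foo_t")
    self.assertEqual(sc.level, "s0-s0:c0-c255")
    # A level parsed from the input is preserved verbatim either way.
    self.assertEqual(str(sc), context)
    self.assertEqual(sc.to_string(), context)

    # A string that is not a valid context is rejected.
    sc = refpolicy.SecurityContext()
    self.assertRaises(ValueError, sc.from_string, "abc")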
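def __create_selinuxfs(self):
    """Fake a selinuxfs under the install root so the chroot sees SELinux as
    present but non-enforcing, then relabel the tree if the kickstart
    enables SELinux.

    The fake filesystem reports enforce=0 and a maximal policyvers, and
    routes /load to /dev/null, so policy loads performed inside the chroot
    during the build cannot affect the host.
    """
    # if selinux exists on the host we need to lie to the chroot
    # NOTE(review): this checks the legacy selinuxfs mount point; newer
    # kernels mount it at /sys/fs/selinux — confirm whether that path also
    # needs handling.
    if os.path.exists("/selinux/enforce"):
        selinux_dir = self._instroot + "/selinux"

        # enforce=0 tells the chroot selinux is not enforcing
        # policyvers=999 tells the chroot to make the highest version of policy it can
        # mls is copied from the host for now; it might be best to always set it to 1
        files = [('/enforce', '0'),
                 ('/policyvers', '999'),
                 ('/commit_pending_bools', ''),
                 ('/mls', str(selinux.is_selinux_mls_enabled()))]
        # __getbooleans() presumably returns further (path, value) pairs in
        # the same shape; each entry becomes one file under selinux_dir.
        for (name, value) in files + self.__getbooleans():
            fd = os.open(selinux_dir + name,
                         os.O_WRONLY | os.O_TRUNC | os.O_CREAT)
            try:
                os.write(fd, value)
            finally:
                # close even when the write fails so no descriptor leaks
                os.close(fd)

        # make /load -> /dev/null so chroot policy loads don't hurt anything
        os.mknod(selinux_dir + "/load", 0666 | stat.S_IFCHR, os.makedev(1, 3))

    # selinux is on in the kickstart, so clean up as best we can to start
    if kickstart.selinux_enabled(self.ks):
        # label the fs like it is a root before the bind mounting
        arglist = ["/sbin/setfiles", "-F", "-r", self._instroot,
                   selinux.selinux_file_context_path(), self._instroot]
        subprocess.call(arglist, close_fds = True)

        # these dumb things don't get magically fixed, so make the user generic
        for f in ("/proc", "/sys", "/selinux"):
            arglist = ["/usr/bin/chcon", "-u", "system_u", self._instroot + f]
            subprocess.call(arglist, close_fds = True)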
def __init__(self, output=None):
    """Create a ModuleCompiler instance, optionally with an output file
    object for verbose output of the compilation process.

    Tool paths are fixed to their usual locations; mls records whether the
    host policy is MLS-enabled (as libselinux reports it) so that modules
    are compiled to match the running system.
    """
    self.mls = selinux.is_selinux_mls_enabled()
    # presumably selects module (vs. monolithic) compilation — confirm
    # against the code that reads self.module
    self.module = True
    self.output = output
    self.last_output = ""
    # Toolchain locations.
    self.checkmodule = "/usr/bin/checkmodule"
    self.semodule_package = "/usr/bin/semodule_package"
    self.make = "/usr/bin/make"
    self.refpol_makefile = defaults.refpolicy_makefile()
def __init__(self, output=None):
    """Create a ModuleCompiler instance, optionally with an output file
    object for verbose output of the compilation process.

    Tool paths and the reference-policy Makefile are fixed to their usual
    locations; mls records whether the host policy is MLS-enabled (as
    libselinux reports it) so that modules are compiled to match the
    running system.
    """
    self.mls = selinux.is_selinux_mls_enabled()
    # presumably selects module (vs. monolithic) compilation — confirm
    # against the code that reads self.module
    self.module = True
    self.output = output
    self.last_output = ""
    # Toolchain locations.
    self.checkmodule = "/usr/bin/checkmodule"
    self.semodule_package = "/usr/bin/semodule_package"
    self.make = "/usr/bin/make"
    self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
def update(self):
    """Refresh this object's snapshot of the host's SELinux state.

    Collects platform/kernel info, the configured policy type and its rpm,
    the kernel policy version, the current enforcing mode, whether SELinux
    and MLS are enabled, plus hostname and uname, storing each on self.
    """
    import platform
    import selinux

    self.platform, self.kernel = get_os_environment()
    self.policy_type = selinux.selinux_getpolicytype()[1]
    self.policy_rpm = get_rpm_nvr_by_name("selinux-policy")
    self.policyvers = str(selinux.security_policyvers())
    # security_getenforce is the same as the getenforce command; only 0 is
    # reported as Permissive, so any other value (including an error
    # return) shows up as Enforcing.
    # selinux_getenforcemode tells you what is set in /etc/selinux/config,
    # which is not what is read here.
    mode = selinux.security_getenforce()
    self.enforce = "Permissive" if mode == 0 else "Enforcing"
    self.selinux_enabled = bool(selinux.is_selinux_enabled())
    self.selinux_mls_enabled = bool(selinux.is_selinux_mls_enabled())
    self.hostname = platform.node()
    self.uname = " ".join(platform.uname())
# This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA # 02111-1307 USA # # import pwd, string, selinux, tempfile, os, re, sys from semanage import *; is_mls_enabled=selinux.is_selinux_mls_enabled() import syslog try: import audit class logger: def __init__(self): self.audit_fd=audit.audit_open() def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""): audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],msg, name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success); except: class logger: def log(self, success, msg, name="", sename="", serole="", serange="", old_sename="", old_serole="", old_serange=""): if success == 1: message = "Successful: " else:
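# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
import os
import pwd
import re
import string
import sys
import tempfile

import selinux

from semanage import *
from rhpl.translate import _, N_

# Imported after the semanage star-import, as in the original ordering, so
# the real module is what ends up bound to this name.
import syslog

# Cached once at import time: 1 when the host policy is MLS/MCS-aware,
# 0 otherwise, as libselinux reports it.
is_mls_enabled = selinux.is_selinux_mls_enabled()

# Map file-type spellings (presumably the ls-style flag and its long name
# as accepted on the command line) to the libsemanage fcontext constants.
file_types = {
    "": SEMANAGE_FCONTEXT_ALL,
    "all files": SEMANAGE_FCONTEXT_ALL,
    "--": SEMANAGE_FCONTEXT_REG,
    "regular file": SEMANAGE_FCONTEXT_REG,
    "-d": SEMANAGE_FCONTEXT_DIR,
    "directory": SEMANAGE_FCONTEXT_DIR,
    "-c": SEMANAGE_FCONTEXT_CHAR,
    "character device": SEMANAGE_FCONTEXT_CHAR,
    "-b": SEMANAGE_FCONTEXT_BLOCK,
    "block device": SEMANAGE_FCONTEXT_BLOCK,
    "-s": SEMANAGE_FCONTEXT_SOCK,
}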