def sort_node(node):
c = []
# Module statement
for mod in node.module_declarations():
c.append(mod)
c.append(refpolicy.Comment())
# Requires
for require in node.requires():
c.append(require)
c.append(refpolicy.Comment())
# Rules
#
# We are going to group output by source type (which
# we assume is the first argument for interfaces).
rules = []
rules.extend(node.avrules())
rules.extend(node.interface_calls())
rules.sort(rule_cmp)
cur = None
sep_rules = []
for rule in rules:
if isinstance(rule, refpolicy.InterfaceCall):
x = rule.args[0]
else:
x = util.first(rule.src_types)
if cur != x:
if cur:
sep_rules.append(refpolicy.Comment())
cur = x
comment = refpolicy.Comment()
comment.lines.append("============= %s ==============" % cur)
sep_rules.append(comment)
sep_rules.append(rule)
c.extend(sep_rules)
ras = []
ras.extend(node.role_types())
ras.sort(role_type_cmp)
if len(ras):
comment = refpolicy.Comment()
comment.lines.append("============= ROLES ==============")
c.append(comment)
c.extend(ras)
# Everything else
for child in node.children:
if child not in c:
c.append(child)
node.children = c
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
if self.explain:
rule.comment = refpolicy.Comment(
explain_access(av, verbosity=self.explain))
self.module.children.append(rule)
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
if self.dontaudit:
rule.rule_type = rule.DONTAUDIT
rule.comment = ""
if self.explain:
rule.comment = str(
refpolicy.Comment(
explain_access(av, verbosity=self.explain)))
if av.type == audit2why.ALLOW:
rule.comment += "#!!!! This avc is allowed in the current policy\n"
if av.type == audit2why.DONTAUDIT:
rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(
map(lambda x: x[0], av.data))
else:
rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[
0][0]
if av.type == audit2why.CONSTRAINT:
rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
rule.comment += "#Constraint rule: "
for reason in av.data:
rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
try:
if (av.type == audit2why.TERULE and "write" in av.perms
and ("dir" in av.obj_class or "open" in av.perms)):
if not self.domains:
self.domains = seinfo(ATTRIBUTE,
name="domain")[0]["types"]
types = []
for i in map(
lambda x: x[TCONTEXT],
sesearch(
[ALLOW], {
SCONTEXT: av.src_type,
CLASS: av.obj_class,
PERMS: av.perms
})):
if i not in self.domains:
types.append(i)
if len(types) == 1:
rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % (
av.src_type, av.obj_class, ", ".join(types))
elif len(types) >= 1:
rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % (
av.src_type, av.obj_class, ", ".join(types))
except:
pass
self.module.children.append(rule)
def gen(self, avs, verbosity):
raw_av = self.match(avs)
ifcalls = []
for ml in self.calls:
ifcall = call_interface(ml.best().interface, ml.av)
if verbosity:
ifcall.comment = refpolicy.Comment(explain_access(ml.av, ml, verbosity))
ifcalls.append((ifcall, ml))
d = []
for ifcall, ifs in ifcalls:
found = False
for o_ifcall in d:
if o_ifcall.matches(ifcall):
if o_ifcall.comment and ifcall.comment:
o_ifcall.comment.merge(ifcall.comment)
found = True
if not found:
d.append(ifcall)
return (raw_av, d)