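def check_dominance2(con1, con2, debug=False):
    """Return True if security context *con1* dominates (contains) *con2*.

    Both contexts are translated to raw form and the policy is queried for
    the ``context`` class / ``contains`` permission between the two.

    Raises Exception if either translation fails or if the access-vector
    computation fails.  The original silently ignored the translation
    return codes, so a failed translation reached the AV query with a bad
    context.
    """
    (rc, raw_con1) = selinux.selinux_trans_to_raw_context(con1)
    if rc != 0:
        raise Exception("selinux.selinux_trans_to_raw_context failed: %d" % rc)
    (rc, raw_con2) = selinux.selinux_trans_to_raw_context(con2)
    if rc != 0:
        raise Exception("selinux.selinux_trans_to_raw_context failed: %d" % rc)
    avd = selinux.av_decision()
    # avc_reset() is called before every query -- presumably to discard any
    # cached decision so the answer reflects the current policy; confirm
    # against libselinux.
    selinux.avc_reset()
    if debug:
        logging.debug("check_dominance2: %s %s", raw_con1, raw_con2)
    rc = selinux.security_compute_av_raw(raw_con1, raw_con2, SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd)
    if rc < 0:
        raise Exception("selinux.security_compute_av_raw failed")
    # Dominance holds only when the 'contains' bit is set in the allowed vector.
    return (avd.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS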
def from_string(self, context):
    """Populate this SecurityContext from the string *context*.

    The expected shape is 'user:role:type[:level]'.  When libselinux can
    translate the string to raw form, the raw form is parsed instead.
    Everything after the third ':' is kept verbatim as the level (which
    may itself contain ':' for an MLS range); it is None when absent.

    Raises ValueError if fewer than three fields are present.
    """
    # Prefer the raw (untranslated) representation when translation succeeds.
    rc, raw_context = selinux.selinux_trans_to_raw_context(context)
    if rc == 0:
        context = raw_context
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError("context string [%s] not in a valid format" % context)
    self.user, self.role, self.type = fields[:3]
    # FUTURE - normalize level fields to allow more comparisons to succeed.
    self.level = ':'.join(fields[3:]) if len(fields) > 3 else None
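def make_polydir_name(dir_name, context):
    """Return the polyinstantiated instance directory name for *dir_name*.

    The directory's own context is read, its level field (index 3) is
    replaced with the level of *context*, and the raw form of the result is
    hashed to build a per-level name under ``<dir_name>.inst/``.

    Raises Exception if the directory context cannot be read, has no level
    field, or cannot be translated to raw form.
    """
    import hashlib

    (rc, dircon) = selinux.getfilecon(dir_name)
    if rc < 0:
        raise Exception("Error in getting directory context: %s " % (dir_name))
    context_array = dircon.split(":")
    # A context without a level field would otherwise fail with a bare IndexError.
    if len(context_array) < 4:
        raise Exception("Directory context has no level field: %s " % (dircon))
    # Only generate polyinstantiated name based on the level not the range
    # NOTE(review): split(":") leaves any extra fields of a range such as
    # "s0-s0:c0.c1023" in place after the replaced level -- confirm whether
    # that is intended before changing it (it affects existing names).
    context_array[3] = get_level(context)
    newcontext = ':'.join(context_array)
    (rc, full_dir) = selinux.selinux_trans_to_raw_context(newcontext)
    if rc < 0:
        raise Exception("Error translating context: %s " % (newcontext))
    # MD5 is used only to derive a stable, filesystem-safe name from the raw
    # context, not as an integrity check; it is kept as MD5 so existing
    # instance directories keep their names.  hashlib replaces the
    # removed-in-Python-3 'md5' module with identical output.
    data = full_dir if isinstance(full_dir, bytes) else full_dir.encode("utf-8")
    return dir_name + ".inst/" + hashlib.md5(data).hexdigest()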
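def untranslate(trans, prepend=1):
    """Translate the (possibly human-readable) level *trans* to raw form.

    With ``prepend`` set to 1, *trans* is treated as a bare level/range and
    is wrapped in a dummy ``a:b:c:`` user:role:type prefix so libselinux
    will accept it; the prefix is removed again from the result.

    Returns *trans* unchanged when translation fails or yields an empty
    string.
    """
    filler = "a:b:c:"
    if prepend == 1:
        context = "a:b:c:%s" % trans
    else:
        context = trans
    (rc, raw) = selinux.selinux_trans_to_raw_context(context)
    if rc != 0:
        return trans
    if prepend:
        # Remove exactly the dummy prefix.  str.strip("a:b:c") stripped any
        # of the characters 'a', 'b', 'c', ':' from both ends of the level,
        # which can also eat characters belonging to the level itself.
        if raw.startswith(filler):
            raw = raw[len(filler):]
    if raw == "":
        return trans
    else:
        return raw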
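def untranslate(trans, prepend=1):
    """Return the raw form of the MLS level or context *trans*.

    When ``prepend`` is 1 the value is assumed to be a bare level/range and
    is given a throw-away ``a:b:c:`` user:role:type prefix before the
    libselinux call; that prefix is stripped from the translated result.

    Falls back to returning *trans* itself if translation fails or the
    translated level is empty.
    """
    dummy_prefix = "a:b:c:"
    if prepend == 1:
        context = "a:b:c:%s" % trans
    else:
        context = trans
    (rc, raw) = selinux.selinux_trans_to_raw_context(context)
    if rc != 0:
        return trans
    if prepend and raw.startswith(dummy_prefix):
        # Slice off the prefix by length; raw.strip("a:b:c") treated the
        # argument as a character set and trimmed those characters from
        # both ends of the level as well.
        raw = raw[len(dummy_prefix):]
    if raw == "":
        return trans
    return raw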
def untranslate(trans, prepend=1):
    """Return the raw form of *trans*, a translated MLS level or context.

    When ``prepend`` is 1 the value is a bare level/range: a throw-away
    ``a:b:c:`` user:role:type prefix is added before the libselinux call
    and removed from the result afterwards.

    Returns *trans* unchanged if translation fails or produces an empty
    level.
    """
    dummy_prefix = "a:b:c:"
    context = trans
    if prepend == 1:
        context = "%s%s" % (dummy_prefix, trans)
    rc, raw = selinux.selinux_trans_to_raw_context(context)
    if rc != 0:
        return trans
    if prepend:
        # Drop exactly the prefix length rather than stripping a char set.
        raw = raw[len(dummy_prefix):]
    return trans if raw == "" else raw
def check_dominance(con, debug=False):
    """Return True if the module-level raw context dominates *con*.

    *con* is translated to raw form and the policy is asked whether
    ``dom_raw_context`` holds the ``contains`` permission on it in the
    ``context`` class.  With ``debug`` set, the query and its outcome are
    written to the debug log.

    Raises Exception if the translation or the access-vector query fails.
    """
    rc, raw_con = selinux.selinux_trans_to_raw_context(con)
    if rc != 0:
        raise Exception("selinux.selinux_trans_to_raw_context failed: %d" % rc)
    decision = selinux.av_decision()
    selinux.avc_reset()
    if debug:
        logging.debug("check_dominance: %s %s" % (dom_raw_context, raw_con))
    rc = selinux.security_compute_av_raw(dom_raw_context, raw_con, SECCLASS_CONTEXT, CONTEXT__CONTAINS, decision)
    if rc < 0:
        raise Exception("selinux.security_compute_av_raw failed")
    dominates = (decision.allowed & CONTEXT__CONTAINS) == CONTEXT__CONTAINS
    if dominates:
        if debug:
            logging.debug("check_dominance: returned True")
        return True
    if debug:
        logging.debug("check_dominance: returned False")
    return False
import logging
import selinux

# Security class / permission pair used to ask the policy whether one
# context "contains" (dominates) another.
SECCLASS_CONTEXT = selinux.string_to_security_class("context")
CONTEXT__CONTAINS = selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains")

# Captured once at import time: the calling process's own context, in
# translated and raw form.  NOTE(review): neither rc is checked, so a
# failing getcon()/translation leaves these values unusable for the
# dominance checks below; confirm what the binding returns on failure.
(rc, dom_context) = selinux.getcon()
(rc, dom_raw_context) = selinux.selinux_trans_to_raw_context(dom_context)


def check_level_dominance2(level1, level2, debug=False):
    """Return True if MLS level *level1* dominates *level2*.

    Each level is spliced into field 3 of the process context and the
    comparison is delegated to check_dominance2.  Raises IndexError if
    dom_context has fewer than four ':'-separated fields.
    """
    context_array = dom_context.split(":")
    # Only field 3 is replaced; any further fields of a ':'-containing
    # range stay in place -- presumably acceptable for the process context.
    context_array[3] = level1
    level1_con = ':'.join(context_array)
    context_array[3] = level2
    level2_con = ':'.join(context_array)
    return check_dominance2(level1_con, level2_con, debug)


def check_level_dominance(level, debug=False):
    """Return True if the process's own level dominates MLS level *level*.

    *level* is spliced into field 3 of the process context and the result
    is passed to check_dominance.  Raises IndexError if dom_context has
    fewer than four ':'-separated fields.
    """
    context_array = dom_context.split(":")
    context_array[3] = level
    con = ':'.join(context_array)
    if debug:
        logging.debug("check_level_dominance: %s" % (con))
    return check_dominance(con, debug)


def check_dominance(con, debug=False):
    """Return True if dom_raw_context dominates context *con*.

    Raises Exception if *con* cannot be translated to raw form.
    (The definition continues beyond this excerpt.)
    """
    (rc, raw_con) = selinux.selinux_trans_to_raw_context(con)
    if rc != 0:
        raise Exception("selinux.selinux_trans_to_raw_context failed: %d" % rc)
    avd = selinux.av_decision()
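def get_raw_con(con):
    """Return the raw (untranslated) form of security context *con*.

    Raises Exception if libselinux cannot translate the context.  The
    original ignored the return code and handed back whatever payload the
    failed call produced.
    """
    (rc, raw_con) = selinux.selinux_trans_to_raw_context(con)
    if rc != 0:
        raise Exception("selinux.selinux_trans_to_raw_context failed: %d" % rc)
    return raw_con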
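def get_raw_range(con):
    """Return the MLS range of *con* in raw form.

    The range is everything after the third ':' of the raw context; it may
    itself contain ':' (e.g. a range with a category set) and is kept whole.

    Raises Exception if the context cannot be translated, and IndexError if
    the raw context has no fourth field.
    """
    (rc, raw_con) = selinux.selinux_trans_to_raw_context(con)
    if rc != 0:
        raise Exception("selinux.selinux_trans_to_raw_context failed: %d" % rc)
    # Split on the first three separators only so the range stays intact.
    fields = raw_con.split(":", 3)
    if len(fields) < 4:
        raise IndexError("context has no MLS range field: %s" % (raw_con,))
    return fields[3]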
import logging
import selinux

# Security class / permission pair used to ask the policy whether one
# context "contains" (dominates) another.
SECCLASS_CONTEXT = selinux.string_to_security_class("context")
CONTEXT__CONTAINS = selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains")

# Captured once at import time: the calling process's own context, in
# translated and raw form.  NOTE(review): neither rc is checked, so a
# failing getcon()/translation leaves these values unusable for the
# dominance checks below; confirm what the binding returns on failure.
(rc, dom_context) = selinux.getcon()
(rc, dom_raw_context) = selinux.selinux_trans_to_raw_context(dom_context)


def check_level_dominance2(level1, level2, debug=False):
    """Return True if MLS level *level1* dominates *level2*.

    Each level is spliced into field 3 of the process context and the
    comparison is delegated to check_dominance2.  Raises IndexError if
    dom_context has fewer than four ':'-separated fields.
    """
    context_array = dom_context.split(":")
    # Only field 3 is replaced; any further fields of a ':'-containing
    # range stay in place -- presumably acceptable for the process context.
    context_array[3] = level1
    level1_con = ':'.join(context_array)
    context_array[3] = level2
    level2_con = ':'.join(context_array)
    return check_dominance2(level1_con, level2_con, debug)


def check_level_dominance(level, debug=False):
    """Return True if the process's own level dominates MLS level *level*.

    *level* is spliced into field 3 of the process context and the result
    is passed to check_dominance.  Raises IndexError if dom_context has
    fewer than four ':'-separated fields.
    """
    context_array = dom_context.split(":")
    context_array[3] = level
    con = ':'.join(context_array)
    if debug:
        logging.debug("check_level_dominance: %s" % (con))
    return check_dominance(con, debug)


def check_dominance(con, debug=False):
    """Return True if dom_raw_context dominates context *con*.

    (The definition is cut off in this excerpt after the return-code test.)
    """
    (rc, raw_con) = selinux.selinux_trans_to_raw_context(con)
    if rc != 0: