def analyze(self, avc):
    """Report an httpd file/dir denial when neither relaxing boolean is on.

    The checks run in a fixed order and stop at the first one that fails,
    so the SELinux booleans are only queried for AVCs that already look
    like an httpd domain touching an httpd-labelled file or directory.

    Returns whatever ``self.report()`` returns when every condition holds,
    otherwise ``None``.
    """
    if not avc.matches_source_types("httpd_t httpd_.*_script_t"):
        return None
    if not avc.matches_target_types("httpd_.*t"):
        return None
    if avc.tclass not in ("file", "dir"):
        return None
    # Only report while both booleans are inactive; if either one is
    # already enabled this plugin stays silent.
    if selinux.security_get_boolean_active("httpd_unified"):
        return None
    if selinux.security_get_boolean_active("httpd_enable_cgi"):
        return None
    return self.report()
def analyze(self, avc):
    """Decide whether this AVC denial should be reported by the plugin.

    A report is produced only when the source type matches the httpd
    domain patterns, the target type matches ``httpd_.*t``, the object
    class is ``file`` or ``dir``, and both the ``httpd_unified`` and
    ``httpd_enable_cgi`` booleans are currently inactive.

    Returns the value of ``self.report()`` in that case, else ``None``.
    """
    httpd_on_httpd = (
        avc.matches_source_types("httpd_t httpd_.*_script_t")
        and avc.matches_target_types("httpd_.*t")
    )
    if not (httpd_on_httpd and avc.tclass in ("file", "dir")):
        return None

    # The live boolean state is consulted last, one boolean at a time,
    # and the first active one ends the analysis.
    for boolean_name in ("httpd_unified", "httpd_enable_cgi"):
        if selinux.security_get_boolean_active(boolean_name):
            return None
    return self.report()
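def get_boolean_value(module, name):
    """Return True when the SELinux boolean *name* is currently active.

    Args:
        module: object exposing ``fail_json(msg=...)``, used to report a
            failed lookup.
        name: name of the SELinux boolean to query.

    Returns:
        True if the active value is 1, False otherwise.
    """
    state = 0
    try:
        state = selinux.security_get_boolean_active(name)
    # "except OSError, e" is Python-2-only syntax and the bound name was
    # never used, so the exception is caught without binding it.
    except OSError:
        # NOTE(review): fail_json presumably does not return; if it does,
        # the lookup failure is indistinguishable from "boolean is off".
        module.fail_json(
            msg="Failed to determine current state for boolean %s" % name)
    # The snippet computed the state but never handed it back to the caller.
    return state == 1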
def __getbooleans(self):
    """Build one ("/booleans/<name>", "<value> <value>") pair per boolean.

    An empty list is returned when the kickstart does not enable SELinux
    or when "/selinux/enforce" is absent on the running system.
    """
    # NOTE(review): only the "/selinux" mount point is probed here; confirm
    # whether hosts that mount selinuxfs elsewhere are meant to get no entries.
    selinux_usable = (
        kickstart.selinux_enabled(self.ks)
        and os.path.exists("/selinux/enforce")
    )
    if not selinux_usable:
        return []

    def _entry(name):
        # The active value is written twice, presumably mirroring a
        # "current pending" layout -- confirm against the consumer.
        active = selinux.security_get_boolean_active(name)
        return ("/booleans/%s" % name, "%d %d" % (active, active))

    return [_entry(name) for name in selinux.security_get_boolean_names()[1]]
def get_boolean_value(module, name):
    """Tell whether the SELinux boolean *name* is active right now.

    Args:
        module: object exposing ``fail_json(msg=...)``; called when the
            lookup raises ``OSError``.
        name: name of the SELinux boolean.

    Returns:
        True when the active value equals 1, otherwise False.
    """
    try:
        active = selinux.security_get_boolean_active(name)
    except OSError:
        module.fail_json(msg="Failed to determine current state for boolean %s" % name)
        # Reached only if fail_json returns: behave as if the boolean is off.
        active = 0
    return active == 1
def test_boolean(self):
    """Flip ``httpd_anon_write`` with semanage, then restore its value.

    The test changes an SELinux boolean on the machine it runs on. The
    second semanage call is the only restore step, so a failure of the
    first assertion leaves the second call unexecuted.
    """
    import selinux

    flag_for_state = {0: "--off", 1: "--on"}
    original_state = selinux.security_get_boolean_active("httpd_anon_write")

    # First pass sets the opposite value, second pass puts the original back.
    for wanted in (not original_state, original_state):
        flag = flag_for_state[wanted]
        print("Verify semanage boolean -m %s httpd_anon_write" % flag)
        proc = Popen(["semanage", "boolean", "-m", flag, "httpd_anon_write"], stdout=PIPE)
        # Only stdout is piped, so err is None when passed to assertSuccess.
        out, err = proc.communicate()
        self.assertSuccess(proc.returncode, err)
def test_boolean(self):
    """Check that ``semanage boolean -m`` can toggle ``httpd_anon_write``.

    The boolean is set to the opposite of its current active value and then
    set back. Both steps modify the SELinux configuration of the host that
    runs the test.
    """
    import selinux

    switch = {0: "--off", 1: "--on"}
    state_before = selinux.security_get_boolean_active("httpd_anon_write")

    def _modify_and_check(target_state):
        option = switch[target_state]
        print("Verify semanage boolean -m %s httpd_anon_write" % option)
        command = ["semanage", "boolean", "-m", option, "httpd_anon_write"]
        child = Popen(command, stdout=PIPE)
        # stderr is not redirected, so the second item of communicate() is None.
        out, err = child.communicate()
        self.assertSuccess(child.returncode, err)

    # Toggle away from the current value ...
    _modify_and_check(not state_before)
    # ... and restore the value that was active before the test.
    _modify_and_check(state_before)
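def sepolicy_booleans_json_generator():
    """Yield one JSON-ready dict per SELinux boolean known to sepolicy.

    Each dict has the keys ``name``, ``current`` (True when the active
    value is 1), ``default`` (the ``state`` field from sepolicy) and
    ``desc`` (description from ``booleanRecords.get_desc``).
    """
    # One records object serves every lookup; the original rebuilt it for
    # each boolean inside the loop.
    records = booleanRecords()
    # The loop variable no longer shadows the builtin ``bool``.
    for entry in sepolicy.get_all_bools():
        name = entry['name']
        active_flag = selinux.security_get_boolean_active(name)
        yield {
            "name": name,
            # Indexing (False, True) with the flag would map -1 to True, so
            # only an explicit 1 is reported as enabled.
            "current": active_flag == 1,
            "default": entry['state'],
            "desc": records.get_desc(name),
        }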
def get_all(self, locallist=0):
    """Map every boolean name to ``[value, pending, active]``.

    Args:
        locallist: when truthy, list only local entries via
            ``semanage_bool_list_local``; otherwise use ``semanage_bool_list``.

    Returns:
        dict keyed by boolean name. Each value is a three-item list: the
        result of ``semanage_bool_get_value``, then the pending and the
        active value read through the selinux bindings.

    Raises:
        ValueError: if the semanage listing call returns a negative code.
    """
    lister = semanage_bool_list_local if locallist else semanage_bool_list
    rc, self.blist = lister(self.sh)
    if rc < 0:
        raise ValueError(_("Could not list booleans"))

    result = {}
    for record in self.blist:
        name = semanage_bool_get_name(record)
        result[name] = [
            semanage_bool_get_value(record),
            selinux.security_get_boolean_pending(name),
            selinux.security_get_boolean_active(name),
        ]
    return result
def get_bools(setype):
    """Collect the booleans attached to allow rules whose source is *setype*.

    Returns:
        ``(domainbools, bools)``: two lists of ``(name, enabled)`` tuples.
        Booleans whose name starts with the domain's short or full name go
        into the first list, all others into the second. A name is added
        once per list, whichever value it carries.
    """
    domainname, short_name = gen_short_name(setype)
    domainbools = []
    bools = []

    boolean_groups = (
        rule['boolean']
        for rule in search([ALLOW], {'source': setype})
        if 'boolean' in rule
    )
    for group in boolean_groups:
        for entry in group:
            if not isinstance(entry, tuple):
                continue
            name = entry[0]
            try:
                enabled = selinux.security_get_boolean_active(name)
            except OSError:
                # Live state unavailable: use the value carried by the rule
                # entry, which may differ from what the running system has.
                enabled = entry[1]
            in_domain = name.startswith(short_name) or name.startswith(domainname)
            bucket = domainbools if in_domain else bools
            if (name, enabled) not in bucket and (name, not enabled) not in bucket:
                bucket.append((name, enabled))
    return (domainbools, bools)
def get_bools(setype):
    """Split the booleans used by *setype*'s allow rules into two lists.

    Rules come from ``get_all_allow_rules()`` and are kept when they carry a
    ``boolean`` entry and their ``source`` equals *setype*.

    Returns:
        ``(domainbools, bools)``: lists of ``(name, enabled)`` tuples. The
        first holds booleans named after the domain, the second the rest.
    """
    domainname, short_name = gen_short_name(setype)
    domainbools, bools = [], []

    def _remember(target, name, enabled):
        # Skip a boolean already recorded with either value.
        if (name, enabled) not in target and (name, not enabled) not in target:
            target.append((name, enabled))

    for rule in get_all_allow_rules():
        if not ('boolean' in rule and rule['source'] == setype):
            continue
        for item in rule['boolean']:
            if not isinstance(item, tuple):
                continue
            try:
                enabled = selinux.security_get_boolean_active(item[0])
            except OSError:
                # NOTE(review): falls back to the state stored in the rule,
                # so the result is not guaranteed to reflect the live system.
                enabled = item[1]
            if item[0].startswith(short_name) or item[0].startswith(domainname):
                _remember(domainbools, item[0], enabled)
            else:
                _remember(bools, item[0], enabled)
    return (domainbools, bools)
def get_bools(setype):
    """Return the booleans referenced by allow rules with source *setype*.

    Returns:
        ``(domainbools, bools)``: two lists of ``(name, enabled)`` tuples.
        ``domainbools`` holds booleans whose name starts with the short or
        full domain name; ``bools`` holds every other boolean. Each name
        appears at most once in its list.
    """
    general = []
    domain_specific = []
    domainname, short_name = gen_short_name(setype)

    matching_rules = search([ALLOW], {'source': setype})
    boolean_groups = [rule['boolean'] for rule in matching_rules if 'boolean' in rule]
    for group in boolean_groups:
        for candidate in group:
            if not isinstance(candidate, tuple):
                continue
            bool_name = candidate[0]
            try:
                enabled = selinux.security_get_boolean_active(bool_name)
            except OSError:
                # The running value could not be read; the value from the
                # rule tuple is reported instead.
                enabled = candidate[1]
            if bool_name.startswith(short_name) or bool_name.startswith(domainname):
                destination = domain_specific
            else:
                destination = general
            already_listed = (
                (bool_name, enabled) in destination
                or (bool_name, not enabled) in destination
            )
            if not already_listed:
                destination.append((bool_name, enabled))
    return (domain_specific, general)
def check_cause(exception):
    """
    Check whether the exception was raised because of a known problem.
    If so, provide a hint that lets the user fix it.

    @return {'description': dsc, 'fix': fix} when the problem is known,
    None otherwise.
    """
    is_candidate = (isinstance(exception, pywbem.CIMError)
                    and exception.args[0] == 0)
    if not is_candidate:
        return None
    if not (_RE_ERRNO_13.match(exception.args[1])
            and util.is_selinux_running()):
        return None

    import selinux
    if selinux.security_get_boolean_active("httpd_can_network_connect"):
        return None

    # NOTE(review): the hint tells the user to enable the boolean with -P,
    # which keeps it enabled across reboots, and the boolean is not specific
    # to this application -- worth stating in the UI or docs.
    # The markup is built from literals only, so no exception text is
    # wrapped in SafeString.
    return {
        "description": ("SELinux prevents YAWN"
                        " from connecting to the network using TCP."),
        "fix": SafeString(
            'Please run as root:<br/>'
            '<span class="code_snippet">'
            ' setsebool -P httpd_can_network_connect 1</span>'),
    }
def check_cause(exception):
    """
    Map an exception to a known problem and a suggested fix, if any.

    The only problem recognised here is a pywbem.CIMError with code 0 whose
    message matches _RE_ERRNO_13 while SELinux is running and the
    httpd_can_network_connect boolean is off.

    @return {'description': dsc, 'fix': fix} when the problem is known,
    None otherwise.
    """
    if not isinstance(exception, pywbem.CIMError):
        return None
    if exception.args[0] != 0:
        return None

    message = exception.args[1]
    if not _RE_ERRNO_13.match(message):
        return None
    if not util.is_selinux_running():
        return None

    import selinux

    if selinux.security_get_boolean_active("httpd_can_network_connect"):
        return None

    cause = "SELinux prevents YAWN from connecting to the network using TCP."
    # NOTE(review): "setsebool -P" makes the change persistent, and the
    # boolean is not scoped to this application; the hint could say so.
    # Only fixed literals are marked safe here, never the exception message.
    fix_markup = (
        "Please run as root:<br/>"
        '<span class="code_snippet">'
        " setsebool -P httpd_can_network_connect 1</span>"
    )
    return {"description": cause, "fix": SafeString(fix_markup)}
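def get_boolean_active(boolean):
    """Return the active value of an SELinux boolean, or False on failure.

    Args:
        boolean: name of the SELinux boolean to query.

    Returns:
        The value from ``selinux.security_get_boolean_active``; ``False``
        when the lookup raises. Callers cannot tell "boolean is off" from
        "state could not be read", so the result should not be the only
        basis for a security decision.
    """
    try:
        return selinux.security_get_boolean_active(boolean)
    # A bare "except:" also swallowed KeyboardInterrupt and SystemExit.
    # Catching Exception keeps the best-effort fallback for lookup errors
    # while letting those propagate.
    except Exception:
        return False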