def config_security_check(config, verbose): """Checks each resource listed in the config to see if the active policy will permit creation of a new domain using the config. Returns 1 if the config passes all tests, otherwise 0. """ answer = 1 # get the domain acm_label domain_label = None domain_policy = None for x in sxp.children(config): if sxp.name(x) == 'security': domain_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label') domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy') # if no domain label, use default if not domain_label and security.on(): try: domain_label = security.ssidref2label(security.NULL_SSIDREF) except: import traceback traceback.print_exc(limit=1) return 0 domain_policy = 'NULL' elif not domain_label: domain_label = "" domain_policy = 'NULL' if verbose: print "Checking resources:" # build a list of all resources in the config file resources = [] for x in sxp.children(config): if sxp.name(x) == 'device': if sxp.name(sxp.child0(x)) == 'vbd': resources.append(sxp.child_value(sxp.child0(x), 'uname')) # perform a security check on each resource for resource in resources: try: security.res_security_check(resource, domain_label) if verbose: print " %s: PERMITTED" % (resource) except security.XSMError: print " %s: DENIED" % (resource) (poltype, res_label, res_policy) = security.get_res_label(resource) if not res_label: res_label = "" print " --> res: %s (%s:%s)" % (str(res_label), str(poltype), str(res_policy)) print " --> dom: %s (%s:%s)" % (str(domain_label), str(poltype), str(domain_policy)) answer = 0 return answer
def check_domain_label(config, verbose): """All that we need to check here is that the domain label exists and is not null when security is on. Other error conditions are handled when the config file is parsed. """ answer = 0 default_label = None secon = 0 if security.on(): default_label = security.ssidref2label(security.NULL_SSIDREF) secon = 1 # get the domain acm_label dom_label = None dom_name = None for x in sxp.children(config): if sxp.name(x) == 'security': dom_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label') if sxp.name(x) == 'name': dom_name = sxp.child0(x) # sanity check on domain label if verbose: print "Checking domain:" if (not secon) and (not dom_label): answer = 1 if verbose: print " %s: PERMITTED" % (dom_name) elif (secon) and (dom_label) and (dom_label != default_label): answer = 1 if verbose: print " %s: PERMITTED" % (dom_name) else: print " %s: DENIED" % (dom_name) if not secon: print " --> Security off, but domain labeled" else: print " --> Domain not labeled" answer = 0 return answer