def config_security_check(config, verbose):
"""Checks each resource listed in the config to see if the active
policy will permit creation of a new domain using the config.
Returns 1 if the config passes all tests, otherwise 0.
"""
answer = 1
# get the domain acm_label
domain_label = None
domain_policy = None
for x in sxp.children(config):
if sxp.name(x) == 'security':
domain_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
# if no domain label, use default
if not domain_label and security.on():
try:
domain_label = security.ssidref2label(security.NULL_SSIDREF)
except:
import traceback
traceback.print_exc(limit=1)
return 0
domain_policy = 'NULL'
elif not domain_label:
domain_label = ""
domain_policy = 'NULL'
if verbose:
print "Checking resources:"
# build a list of all resources in the config file
resources = []
for x in sxp.children(config):
if sxp.name(x) == 'device':
if sxp.name(sxp.child0(x)) == 'vbd':
resources.append(sxp.child_value(sxp.child0(x), 'uname'))
# perform a security check on each resource
for resource in resources:
try:
security.res_security_check(resource, domain_label)
if verbose:
print " %s: PERMITTED" % (resource)
except security.XSMError:
print " %s: DENIED" % (resource)
(poltype, res_label, res_policy) = security.get_res_label(resource)
if not res_label:
res_label = ""
print " --> res: %s (%s:%s)" % (str(res_label),
str(poltype), str(res_policy))
print " --> dom: %s (%s:%s)" % (str(domain_label),
str(poltype), str(domain_policy))
answer = 0
return answer
def config_security_check(config, verbose):
"""Checks each resource listed in the config to see if the active
policy will permit creation of a new domain using the config.
Returns 1 if the config passes all tests, otherwise 0.
"""
answer = 1
# get the domain acm_label
domain_label = None
domain_policy = None
for x in sxp.children(config):
if sxp.name(x) == 'security':
domain_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
domain_policy = sxp.child_value(sxp.name(sxp.child0(x)), 'policy')
# if no domain label, use default
if not domain_label and security.on():
try:
domain_label = security.ssidref2label(security.NULL_SSIDREF)
except:
import traceback
traceback.print_exc(limit=1)
return 0
domain_policy = 'NULL'
elif not domain_label:
domain_label = ""
domain_policy = 'NULL'
if verbose:
print "Checking resources:"
# build a list of all resources in the config file
resources = []
for x in sxp.children(config):
if sxp.name(x) == 'device':
if sxp.name(sxp.child0(x)) == 'vbd':
resources.append(sxp.child_value(sxp.child0(x), 'uname'))
# perform a security check on each resource
for resource in resources:
try:
security.res_security_check(resource, domain_label)
if verbose:
print " %s: PERMITTED" % (resource)
except security.XSMError:
print " %s: DENIED" % (resource)
(poltype, res_label, res_policy) = security.get_res_label(resource)
if not res_label:
res_label = ""
print " --> res: %s (%s:%s)" % (str(res_label), str(poltype),
str(res_policy))
print " --> dom: %s (%s:%s)" % (str(domain_label), str(poltype),
str(domain_policy))
answer = 0
return answer
def check_domain_label(config, verbose):
"""All that we need to check here is that the domain label exists and
is not null when security is on. Other error conditions are
handled when the config file is parsed.
"""
answer = 0
default_label = None
secon = 0
if security.on():
default_label = security.ssidref2label(security.NULL_SSIDREF)
secon = 1
# get the domain acm_label
dom_label = None
dom_name = None
for x in sxp.children(config):
if sxp.name(x) == 'security':
dom_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
if sxp.name(x) == 'name':
dom_name = sxp.child0(x)
# sanity check on domain label
if verbose:
print "Checking domain:"
if (not secon) and (not dom_label):
answer = 1
if verbose:
print " %s: PERMITTED" % (dom_name)
elif (secon) and (dom_label) and (dom_label != default_label):
answer = 1
if verbose:
print " %s: PERMITTED" % (dom_name)
else:
print " %s: DENIED" % (dom_name)
if not secon:
print " --> Security off, but domain labeled"
else:
print " --> Domain not labeled"
answer = 0
return answer
def check_domain_label(config, verbose):
"""All that we need to check here is that the domain label exists and
is not null when security is on. Other error conditions are
handled when the config file is parsed.
"""
answer = 0
default_label = None
secon = 0
if security.on():
default_label = security.ssidref2label(security.NULL_SSIDREF)
secon = 1
# get the domain acm_label
dom_label = None
dom_name = None
for x in sxp.children(config):
if sxp.name(x) == 'security':
dom_label = sxp.child_value(sxp.name(sxp.child0(x)), 'label')
if sxp.name(x) == 'name':
dom_name = sxp.child0(x)
# sanity check on domain label
if verbose:
print "Checking domain:"
if (not secon) and (not dom_label):
answer = 1
if verbose:
print " %s: PERMITTED" % (dom_name)
elif (secon) and (dom_label) and (dom_label != default_label):
answer = 1
if verbose:
print " %s: PERMITTED" % (dom_name)
else:
print " %s: DENIED" % (dom_name)
if not secon:
print " --> Security off, but domain labeled"
else:
print " --> Domain not labeled"
answer = 0
return answer
def _get_config_ipaddr(config):
val = []
for ipaddr in sxp.children(config, elt='ip'):
val.append(sxp.child0(ipaddr))
return val
def _get_config_ipaddr(config):
val = []
for ipaddr in sxp.children(config, elt='ip'):
val.append(sxp.child0(ipaddr))
return val