| #!/usr/bin/env python |
| # Copyright 2014-2015, Tresys Technology, LLC |
| # |
| # This file is part of SETools. |
| # |
| # SETools is free software: you can redistribute it and/or modify |
| # it under the terms of the GNU General Public License as published by |
| # the Free Software Foundation, either version 2 of the License, or |
| # (at your option) any later version. |
| # |
| # SETools is distributed in the hope that it will be useful, |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| # GNU General Public License for more details. |
| # |
| # You should have received a copy of the GNU General Public License |
| # along with SETools. If not, see <http://www.gnu.org/licenses/>. |
| # |
| |
| from __future__ import print_function |
| import setools |
| import argparse |
| import sys |
| import logging |
| |
| parser = argparse.ArgumentParser( |
| description="SELinux policy rule search tool.", |
| epilog="TE/MLS rule searches cannot be mixed with RBAC rule searches.") |
| parser.add_argument("--version", action="version", version=setools.__version__) |
| parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?") |
| parser.add_argument("-v", "--verbose", action="store_true", |
| help="Print extra informational messages") |
| parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.") |
| |
| rtypes = parser.add_argument_group("TE Rule Types") |
| rtypes.add_argument("-A", action="store_true", help="Search allow and allowxperm rules.") |
| rtypes.add_argument("--allow", action="append_const", |
| const="allow", dest="tertypes", |
| help="Search allow rules.") |
| rtypes.add_argument("--allowxperm", action="append_const", |
| const="allowxperm", dest="tertypes", |
| help="Search allowxperm rules.") |
| rtypes.add_argument("--auditallow", action="append_const", |
| const="auditallow", dest="tertypes", |
| help="Search auditallow rules.") |
| rtypes.add_argument("--auditallowxperm", action="append_const", |
| const="auditallowxperm", dest="tertypes", |
| help="Search auditallowxperm rules.") |
| rtypes.add_argument("--dontaudit", action="append_const", |
| const="dontaudit", dest="tertypes", |
| help="Search dontaudit rules.") |
| rtypes.add_argument("--dontauditxperm", action="append_const", |
| const="dontauditxperm", dest="tertypes", |
| help="Search dontauditxperm rules.") |
| rtypes.add_argument("--neverallow", action="append_const", |
| const="neverallow", dest="tertypes", |
| help="Search neverallow rules.") |
| rtypes.add_argument("--neverallowxperm", action="append_const", |
| const="neverallowxperm", dest="tertypes", |
| help="Search neverallowxperm rules.") |
| rtypes.add_argument("-T", "--type_trans", action="append_const", |
| const="type_transition", dest="tertypes", |
| help="Search type_transition rules.") |
| rtypes.add_argument("--type_change", action="append_const", |
| const="type_change", dest="tertypes", |
| help="Search type_change rules.") |
| rtypes.add_argument("--type_member", action="append_const", |
| const="type_member", dest="tertypes", |
| help="Search type_member rules.") |
| rbacrtypes = parser.add_argument_group("RBAC Rule Types") |
| rbacrtypes.add_argument("--role_allow", action="append_const", |
| const="allow", dest="rbacrtypes", |
| help="Search role allow rules.") |
| rbacrtypes.add_argument("--role_trans", action="append_const", |
| const="role_transition", dest="rbacrtypes", |
| help="Search role_transition rules.") |
| |
| mlsrtypes = parser.add_argument_group("MLS Rule Types") |
| mlsrtypes.add_argument("--range_trans", action="append_const", |
| const="range_transition", dest="mlsrtypes", |
| help="Search range_transition rules.") |
| |
| expr = parser.add_argument_group("Expressions") |
| expr.add_argument("-s", "--source", |
| help="Source type/role of the TE/RBAC rule.") |
| expr.add_argument("-t", "--target", |
| help="Target type/role of the TE/RBAC rule.") |
| expr.add_argument("-c", "--class", dest="tclass", |
| help="Comma separated list of object classes") |
| expr.add_argument("-p", "--perms", metavar="PERMS", |
| help="Comma separated list of permissions.") |
| expr.add_argument("-x", "--xperms", metavar="XPERMS", |
| help="Comma separated list of extended permissions.") |
| expr.add_argument("-D", "--default", |
| help="Default of the rule. (type/role/range transition rules)") |
| expr.add_argument("-b", "--bool", dest="boolean", metavar="BOOL", |
| help="Comma separated list of Booleans in the conditional expression.") |
| |
| opts = parser.add_argument_group("Search options") |
| opts.add_argument("-eb", action="store_true", dest="boolean_equal", |
| help="Match Boolean list exactly instead of matching any listed Boolean.") |
| opts.add_argument("-ep", action="store_true", dest="perms_equal", |
| help="Match permission set exactly instead of matching any listed permission.") |
| opts.add_argument("-ex", action="store_true", dest="xperms_equal", |
| help="Match extended permission set exactly instead of matching any listed " |
| "permission.") |
| opts.add_argument("-ds", action="store_false", dest="source_indirect", |
| help="Match source attributes directly instead of matching member types/roles.") |
| opts.add_argument("-dt", action="store_false", dest="target_indirect", |
| help="Match target attributes directly instead of matching member types/roles.") |
| opts.add_argument("-rs", action="store_true", dest="source_regex", |
| help="Use regular expression matching for the source type/role.") |
| opts.add_argument("-rt", action="store_true", dest="target_regex", |
| help="Use regular expression matching for the target type/role.") |
| opts.add_argument("-rc", action="store_true", dest="tclass_regex", |
| help="Use regular expression matching for the object class.") |
| opts.add_argument("-rd", action="store_true", dest="default_regex", |
| help="Use regular expression matching for the default type/role.") |
| opts.add_argument("-rb", action="store_true", dest="boolean_regex", |
| help="Use regular expression matching for Booleans.") |
| |
| args = parser.parse_args() |
| |
| if args.A: |
| try: |
| args.tertypes.extend(["allow", "allowxperm"]) |
| except AttributeError: |
| args.tertypes = ["allow", "allowxperm"] |
| |
| if not args.tertypes and not args.mlsrtypes and not args.rbacrtypes: |
| parser.error("At least one rule type must be specified.") |
| |
| if args.debug: |
| logging.basicConfig(level=logging.DEBUG, |
| format='%(asctime)s|%(levelname)s|%(name)s|%(message)s') |
| elif args.verbose: |
| logging.basicConfig(level=logging.INFO, format='%(message)s') |
| else: |
| logging.basicConfig(level=logging.WARNING, format='%(message)s') |
| |
| try: |
| p = setools.SELinuxPolicy(args.policy) |
| |
| if args.tertypes: |
| q = setools.TERuleQuery(p, |
| ruletype=args.tertypes, |
| source=args.source, |
| source_indirect=args.source_indirect, |
| source_regex=args.source_regex, |
| target=args.target, |
| target_indirect=args.target_indirect, |
| target_regex=args.target_regex, |
| tclass_regex=args.tclass_regex, |
| perms_equal=args.perms_equal, |
| xperms_equal=args.xperms_equal, |
| default=args.default, |
| default_regex=args.default_regex, |
| boolean_regex=args.boolean_regex, |
| boolean_equal=args.boolean_equal) |
| |
| # these are broken out from the above statement to prevent making a list |
| # with an empty string in it (split on empty string) |
| if args.tclass: |
| if args.tclass_regex: |
| q.tclass = args.tclass |
| else: |
| q.tclass = args.tclass.split(",") |
| |
| if args.perms: |
| q.perms = args.perms.split(",") |
| |
| if args.xperms: |
| xperms = [] |
| for item in args.xperms.split(","): |
| rng = item.split("-") |
| if len(rng) == 2: |
| xperms.append((int(rng[0], base=16), int(rng[1], base=16))) |
| elif len(rng) == 1: |
| xperms.append((int(rng[0], base=16), int(rng[0], base=16))) |
| else: |
| parser.error("Enter an extended permission or extended permission range, e.g. " |
| "0x5411 or 0x8800-0x88ff.") |
| |
| q.xperms = xperms |
| |
| if args.boolean: |
| if args.boolean_regex: |
| q.boolean = args.boolean |
| else: |
| q.boolean = args.boolean.split(",") |
| |
| for r in sorted(q.results()): |
| print(r) |
| |
| if args.rbacrtypes: |
| q = setools.RBACRuleQuery(p, |
| ruletype=args.rbacrtypes, |
| source=args.source, |
| source_indirect=args.source_indirect, |
| source_regex=args.source_regex, |
| target=args.target, |
| target_indirect=args.target_indirect, |
| target_regex=args.target_regex, |
| default=args.default, |
| default_regex=args.default_regex, |
| tclass_regex=args.tclass_regex) |
| |
| # these are broken out from the above statement to prevent making a list |
| # with an empty string in it (split on empty string) |
| if args.tclass: |
| if args.tclass_regex: |
| q.tclass = args.tclass |
| else: |
| q.tclass = args.tclass.split(",") |
| |
| for r in sorted(q.results()): |
| print(r) |
| |
| if args.mlsrtypes: |
| q = setools.MLSRuleQuery(p, |
| ruletype=args.mlsrtypes, |
| source=args.source, |
| source_indirect=args.source_indirect, |
| source_regex=args.source_regex, |
| target=args.target, |
| target_indirect=args.target_indirect, |
| target_regex=args.target_regex, |
| tclass_regex=args.tclass_regex, |
| default=args.default) |
| |
| # these are broken out from the above statement to prevent making a list |
| # with an empty string in it (split on empty string) |
| if args.tclass: |
| if args.tclass_regex: |
| q.tclass = args.tclass |
| else: |
| q.tclass = args.tclass.split(",") |
| |
| for r in sorted(q.results()): |
| print(r) |
| |
| except Exception as err: |
| if args.debug: |
| logging.exception(str(err)) |
| else: |
| print(err) |
| |
| sys.exit(1) |
