blob: a92783ac38c28d3e0872589741cd3f35c822ea58 [file] [log] [blame] [edit]
#!/usr/bin/python -Es
#
# Copyright (C) 2007-2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# policygentool is a tool for the initial generation of SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
import os
import sys
import stat
import re
import sepolicy
from sepolicy import get_all_types, get_all_attributes, get_all_roles
import time
import platform
from templates import executable
from templates import boolean
from templates import etc_rw
from templates import unit_file
from templates import var_cache
from templates import var_spool
from templates import var_lib
from templates import var_log
from templates import var_run
from templates import tmp
from templates import rw
from templates import network
from templates import script
from templates import spec
from templates import user
import sepolgen.interfaces as interfaces
import sepolgen.defaults as defaults
##
## I18N
##
PROGNAME = "policycoreutils"
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME,
localedir="/usr/share/locale",
unicode=False,
codeset='utf-8')
except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
def get_rpm_nvr_from_header(hdr):
'Given an RPM header return the package NVR as a string'
name = hdr['name']
version = hdr['version']
release = hdr['release']
release_version = version + "-" + release.split(".")[0]
os_version = release.split(".")[1]
return [name, release_version, os_version]
def get_rpm_nvr_list(package):
try:
import rpm
nvr = None
ts = rpm.ts()
mi = ts.dbMatch(rpm.RPMTAG_NAME, package)
for h in mi:
nvr = get_rpm_nvr_from_header(h)
break
except:
print("Failed to retrieve rpm info for %s") % package
nvr = None
return nvr
def get_all_ports():
dict = {}
for p in sepolicy.info(sepolicy.PORT):
if p['type'] == "reserved_port_t" or \
p['type'] == "port_t" or \
p['type'] == "hi_reserved_port_t":
continue
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p['range'])
return dict
def get_all_users():
users = map(lambda x: x['name'], sepolicy.info(sepolicy.USER))
users.remove("system_u")
users.remove("root")
users.sort()
return users
ALL = 0
RESERVED = 1
UNRESERVED = 2
PORTS = 3
ADMIN_TRANSITION_INTERFACE = "_admin$"
USER_TRANSITION_INTERFACE = "_role$"
DAEMON = 0
DBUS = 1
INETD = 2
CGI = 3
SANDBOX = 4
USER = 5
EUSER = 6
TUSER = 7
XUSER = 8
LUSER = 9
AUSER = 10
RUSER = 11
NEWTYPE = 12
poltype = {}
poltype[DAEMON] = _("Standard Init Daemon")
poltype[DBUS] = _("DBUS System Daemon")
poltype[INETD] = _("Internet Services Daemon")
poltype[CGI] = _("Web Application/Script (CGI)")
poltype[SANDBOX] = _("Sandbox")
poltype[USER] = _("User Application")
poltype[EUSER] = _("Existing Domain Type")
poltype[TUSER] = _("Minimal Terminal Login User Role")
poltype[XUSER] = _("Minimal X Windows Login User Role")
poltype[LUSER] = _("Desktop Login User Role")
poltype[AUSER] = _("Administrator Login User Role")
poltype[RUSER] = _("Confined Root Administrator Role")
poltype[NEWTYPE] = _("Module information for a new type")
def get_poltype_desc():
keys = poltype.keys()
keys.sort()
msg = _("Valid Types:\n")
for k in keys:
msg += "%2s: %s\n" % (k, poltype[k])
return msg
APPLICATIONS = [DAEMON, DBUS, INETD, USER, CGI]
USERS = [XUSER, TUSER, LUSER, AUSER, RUSER]
def verify_ports(ports):
if ports == "":
return []
max_port = 2 ** 16
try:
temp = []
for a in ports.split(","):
r = a.split("-")
if len(r) > 2:
raise ValueError
if len(r) == 1:
begin = int(r[0])
end = int(r[0])
else:
begin = int(r[0])
end = int(r[1])
if begin > end:
raise ValueError
for p in range(begin, end + 1):
if p < 1 or p > max_port:
raise ValueError
temp.append(p)
return temp
except ValueError:
raise ValueError(_("Ports must be numbers or ranges of numbers from 1 to %d " % max_port))
class policy:
def __init__(self, name, type):
self.rpms = []
self.ports = []
self.all_roles = get_all_roles()
self.types = []
if type not in poltype:
raise ValueError(_("You must enter a valid policy type"))
if not name:
raise ValueError(_("You must enter a name for your policy module for your '%s'.") % poltype[type])
try:
self.ports = get_all_ports()
except ValueError, e:
print "Can not get port types, must be root for this information"
except RuntimeError, e:
print "Can not get port types", e
self.symbols = {}
self.symbols["openlog"] = "set_use_kerberos(True)"
self.symbols["openlog"] = "set_use_kerb_rcache(True)"
self.symbols["openlog"] = "set_use_syslog(True)"
self.symbols["gethostby"] = "set_use_resolve(True)"
self.symbols["getaddrinfo"] = "set_use_resolve(True)"
self.symbols["getnameinfo"] = "set_use_resolve(True)"
self.symbols["krb"] = "set_use_kerberos(True)"
self.symbols["gss_accept_sec_context"] = "set_manage_krb5_rcache(True)"
self.symbols["krb5_verify_init_creds"] = "set_manage_krb5_rcache(True)"
self.symbols["krb5_rd_req"] = "set_manage_krb5_rcache(True)"
self.symbols["__syslog_chk"] = "set_use_syslog(True)"
self.symbols["getpwnam"] = "set_use_uid(True)"
self.symbols["getpwuid"] = "set_use_uid(True)"
self.symbols["dbus_"] = "set_use_dbus(True)"
self.symbols["pam_"] = "set_use_pam(True)"
self.symbols["pam_"] = "set_use_audit(True)"
self.symbols["fork"] = "add_process('fork')"
self.symbols["transition"] = "add_process('transition')"
self.symbols["sigchld"] = "add_process('sigchld')"
self.symbols["sigkill"] = "add_process('sigkill')"
self.symbols["sigstop"] = "add_process('sigstop')"
self.symbols["signull"] = "add_process('signull')"
self.symbols["ptrace"] = "add_process('ptrace')"
self.symbols["getsched"] = "add_process('getsched')"
self.symbols["setsched"] = "add_process('setsched')"
self.symbols["getsession"] = "add_process('getsession')"
self.symbols["getpgid"] = "add_process('getpgid')"
self.symbols["setpgid"] = "add_process('setpgid')"
self.symbols["getcap"] = "add_process('getcap')"
self.symbols["setcap"] = "add_process('setcap')"
self.symbols["share"] = "add_process('share')"
self.symbols["getattr"] = "add_process('getattr')"
self.symbols["setexec"] = "add_process('setexec')"
self.symbols["setfscreate"] = "add_process('setfscreate')"
self.symbols["noatsecure"] = "add_process('noatsecure')"
self.symbols["siginh"] = "add_process('siginh')"
self.symbols["kill"] = "add_process('signal_perms')"
self.symbols["setrlimit"] = "add_process('setrlimit')"
self.symbols["rlimitinh"] = "add_process('rlimitinh')"
self.symbols["dyntransition"] = "add_process('dyntransition')"
self.symbols["setcurrent"] = "add_process('setcurrent')"
self.symbols["execmem"] = "add_process('execmem')"
self.symbols["execstack"] = "add_process('execstack')"
self.symbols["execheap"] = "add_process('execheap')"
self.symbols["setkeycreate"] = "add_process('setkeycreate')"
self.symbols["setsockcreate"] = "add_process('setsockcreate')"
self.symbols["chown"] = "add_capability('chown')"
self.symbols["dac_override"] = "add_capability('dac_override')"
self.symbols["dac_read_search"] = "add_capability('dac_read_search')"
self.symbols["fowner"] = "add_capability('fowner')"
self.symbols["fsetid"] = "add_capability('fsetid')"
self.symbols["setgid"] = "add_capability('setgid')"
self.symbols["setegid"] = "add_capability('setgid')"
self.symbols["setresgid"] = "add_capability('setgid')"
self.symbols["setregid"] = "add_capability('setgid')"
self.symbols["setresuid"] = "add_capability('setuid')"
self.symbols["setuid"] = "add_capability('setuid')"
self.symbols["seteuid"] = "add_capability('setuid')"
self.symbols["setreuid"] = "add_capability('setuid')"
self.symbols["setresuid"] = "add_capability('setuid')"
self.symbols["setpcap"] = "add_capability('setpcap')"
self.symbols["linux_immutable"] = "add_capability('linux_immutable')"
self.symbols["net_bind_service"] = "add_capability('net_bind_service')"
self.symbols["net_broadcast"] = "add_capability('net_broadcast')"
self.symbols["net_admin"] = "add_capability('net_admin')"
self.symbols["net_raw"] = "add_capability('net_raw')"
self.symbols["ipc_lock"] = "add_capability('ipc_lock')"
self.symbols["ipc_owner"] = "add_capability('ipc_owner')"
self.symbols["sys_module"] = "add_capability('sys_module')"
self.symbols["sys_rawio"] = "add_capability('sys_rawio')"
self.symbols["chroot"] = "add_capability('sys_chroot')"
self.symbols["sys_chroot"] = "add_capability('sys_chroot')"
self.symbols["sys_ptrace"] = "add_capability('sys_ptrace')"
self.symbols["sys_pacct"] = "add_capability('sys_pacct')"
self.symbols["mount"] = "add_capability('sys_admin')"
self.symbols["unshare"] = "add_capability('sys_admin')"
self.symbols["sys_admin"] = "add_capability('sys_admin')"
self.symbols["sys_boot"] = "add_capability('sys_boot')"
self.symbols["sys_nice"] = "add_capability('sys_nice')"
self.symbols["sys_resource"] = "add_capability('sys_resource')"
self.symbols["sys_time"] = "add_capability('sys_time')"
self.symbols["sys_tty_config"] = "add_capability('sys_tty_config')"
self.symbols["mknod"] = "add_capability('mknod')"
self.symbols["lease"] = "add_capability('lease')"
self.symbols["audit_write"] = "add_capability('audit_write')"
self.symbols["audit_control"] = "add_capability('audit_control')"
self.symbols["setfcap"] = "add_capability('setfcap')"
self.DEFAULT_DIRS = {}
self.DEFAULT_DIRS["/etc"] = ["etc_rw", [], etc_rw]
self.DEFAULT_DIRS["/tmp"] = ["tmp", [], tmp]
self.DEFAULT_DIRS["rw"] = ["rw", [], rw]
self.DEFAULT_DIRS["/usr/lib/systemd/system"] = ["unit_file", [], unit_file]
self.DEFAULT_DIRS["/lib/systemd/system"] = ["unit_file", [], unit_file]
self.DEFAULT_DIRS["/etc/systemd/system"] = ["unit_file", [], unit_file]
self.DEFAULT_DIRS["/var/cache"] = ["var_cache", [], var_cache]
self.DEFAULT_DIRS["/var/lib"] = ["var_lib", [], var_lib]
self.DEFAULT_DIRS["/var/log"] = ["var_log", [], var_log]
self.DEFAULT_DIRS["/var/run"] = ["var_run", [], var_run]
self.DEFAULT_DIRS["/var/spool"] = ["var_spool", [], var_spool]
self.DEFAULT_EXT = {}
self.DEFAULT_EXT["_tmp_t"] = tmp
self.DEFAULT_EXT["_unit_file_t"] = unit_file
self.DEFAULT_EXT["_var_cache_t"] = var_cache
self.DEFAULT_EXT["_var_lib_t"] = var_lib
self.DEFAULT_EXT["_var_log_t"] = var_log
self.DEFAULT_EXT["_var_run_t"] = var_run
self.DEFAULT_EXT["_var_spool_t"] = var_spool
self.DEFAULT_EXT["_port_t"] = network
self.DEFAULT_KEYS = ["/etc", "/var/cache", "/var/log", "/tmp", "rw", "/var/lib", "/var/run", "/var/spool", "/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]
self.DEFAULT_TYPES = (
(self.generate_daemon_types, self.generate_daemon_rules),
(self.generate_dbusd_types, self.generate_dbusd_rules),
(self.generate_inetd_types, self.generate_inetd_rules),
(self.generate_cgi_types, self.generate_cgi_rules),
(self.generate_sandbox_types, self.generate_sandbox_rules),
(self.generate_userapp_types, self.generate_userapp_rules),
(self.generate_existing_user_types, self.generate_existing_user_rules),
(self.generate_min_login_user_types, self.generate_login_user_rules),
(self.generate_x_login_user_types, self.generate_x_login_user_rules),
(self.generate_login_user_types, self.generate_login_user_rules),
(self.generate_admin_user_types, self.generate_login_user_rules),
(self.generate_root_user_types, self.generate_root_user_rules),
(self.generate_new_types, self.generate_new_rules))
if not re.match(r"^[a-zA-Z0-9-_]+$", name):
raise ValueError(_("Name must be alpha numberic with no spaces. Consider using option \"-n MODULENAME\""))
if type == CGI:
self.name = "httpd_%s_script" % name
else:
self.name = name
self.file_name = name
self.capabilities = []
self.processes = []
self.type = type
self.initscript = ""
self.program = None
self.in_tcp = [False, False, False, []]
self.in_udp = [False, False, False, []]
self.out_tcp = [False, False, False, []]
self.out_udp = [False, False, False, []]
self.use_resolve = False
self.use_tmp = False
self.use_uid = False
self.use_syslog = False
self.use_kerberos = False
self.manage_krb5_rcache = False
self.use_pam = False
self.use_dbus = False
self.use_audit = False
self.use_etc = self.type not in [EUSER, NEWTYPE]
self.use_localization = self.type not in [EUSER, NEWTYPE]
self.use_fd = self.type not in [EUSER, NEWTYPE]
self.use_terminal = False
self.use_mail = False
self.booleans = {}
self.files = {}
self.dirs = {}
self.found_tcp_ports = []
self.found_udp_ports = []
self.need_tcp_type = False
self.need_udp_type = False
self.admin_domains = []
self.existing_domains = []
self.transition_domains = []
self.transition_users = []
self.roles = []
def __isnetset(self, l):
return l[ALL] or l[RESERVED] or l[UNRESERVED] or len(l[PORTS]) > 0
def set_admin_domains(self, admin_domains):
self.admin_domains = admin_domains
def set_existing_domains(self, existing_domains):
self.existing_domains = existing_domains
def set_admin_roles(self, roles):
self.roles = roles
def set_transition_domains(self, transition_domains):
self.transition_domains = transition_domains
def set_transition_users(self, transition_users):
self.transition_users = transition_users
def use_in_udp(self):
return self.__isnetset(self.in_udp)
def use_out_udp(self):
return self.__isnetset(self.out_udp)
def use_udp(self):
return self.use_in_udp() or self.use_out_udp()
def use_in_tcp(self):
return self.__isnetset(self.in_tcp)
def use_out_tcp(self):
return self.__isnetset(self.out_tcp)
def use_tcp(self):
return self.use_in_tcp() or self.use_out_tcp()
def use_network(self):
return self.use_tcp() or self.use_udp()
def find_port(self, port, protocol="tcp"):
for begin, end, p in self.ports.keys():
if port >= begin and port <= end and protocol == p:
return self.ports[begin, end, protocol]
return None
def set_program(self, program):
if self.type not in APPLICATIONS:
raise ValueError(_("User Role types can not be assigned executables."))
self.program = program
def set_init_script(self, initscript):
if self.type != DAEMON:
raise ValueError(_("Only Daemon apps can use an init script.."))
self.initscript = initscript
def set_in_tcp(self, all, reserved, unreserved, ports):
self.in_tcp = [all, reserved, unreserved, verify_ports(ports)]
def set_in_udp(self, all, reserved, unreserved, ports):
self.in_udp = [all, reserved, unreserved, verify_ports(ports)]
def set_out_tcp(self, all, ports):
self.out_tcp = [all, False, False, verify_ports(ports)]
def set_out_udp(self, all, ports):
self.out_udp = [all, False, False, verify_ports(ports)]
def set_use_resolve(self, val):
if val != True and val != False:
raise ValueError(_("use_resolve must be a boolean value "))
self.use_resolve = val
def set_use_syslog(self, val):
if val != True and val != False:
raise ValueError(_("use_syslog must be a boolean value "))
self.use_syslog = val
def set_use_kerberos(self, val):
if val != True and val != False:
raise ValueError(_("use_kerberos must be a boolean value "))
self.use_kerberos = val
def set_manage_krb5_rcache(self, val):
if val != True and val != False:
raise ValueError(_("manage_krb5_rcache must be a boolean value "))
self.manage_krb5_rcache = val
def set_use_pam(self, val):
self.use_pam = val == True
def set_use_dbus(self, val):
self.use_dbus = val == True
def set_use_audit(self, val):
self.use_audit = val == True
def set_use_etc(self, val):
self.use_etc = val == True
def set_use_localization(self, val):
self.use_localization = val == True
def set_use_fd(self, val):
self.use_fd = val == True
def set_use_terminal(self, val):
self.use_terminal = val == True
def set_use_mail(self, val):
self.use_mail = val == True
def set_use_tmp(self, val):
if self.type in USERS:
raise ValueError(_("USER Types automatically get a tmp type"))
if val:
self.DEFAULT_DIRS["/tmp"][1].append("/tmp")
else:
self.DEFAULT_DIRS["/tmp"][1] = []
def set_use_uid(self, val):
self.use_uid = val == True
def generate_uid_rules(self):
if self.use_uid:
return re.sub("TEMPLATETYPE", self.name, executable.te_uid_rules)
else:
return ""
def generate_syslog_rules(self):
if self.use_syslog:
return re.sub("TEMPLATETYPE", self.name, executable.te_syslog_rules)
else:
return ""
def generate_resolve_rules(self):
if self.use_resolve:
return re.sub("TEMPLATETYPE", self.name, executable.te_resolve_rules)
else:
return ""
def generate_kerberos_rules(self):
if self.use_kerberos:
return re.sub("TEMPLATETYPE", self.name, executable.te_kerberos_rules)
else:
return ""
def generate_manage_krb5_rcache_rules(self):
if self.manage_krb5_rcache:
return re.sub("TEMPLATETYPE", self.name, executable.te_manage_krb5_rcache_rules)
else:
return ""
def generate_pam_rules(self):
newte = ""
if self.use_pam:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_pam_rules)
return newte
def generate_audit_rules(self):
newte = ""
if self.use_audit:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_audit_rules)
return newte
def generate_etc_rules(self):
newte = ""
if self.use_etc:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_etc_rules)
return newte
def generate_fd_rules(self):
newte = ""
if self.use_fd:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_fd_rules)
return newte
def generate_localization_rules(self):
newte = ""
if self.use_localization:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_localization_rules)
return newte
def generate_dbus_rules(self):
newte = ""
if self.type != DBUS and self.use_dbus:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_dbus_rules)
return newte
def generate_mail_rules(self):
newte = ""
if self.use_mail:
newte = re.sub("TEMPLATETYPE", self.name, executable.te_mail_rules)
return newte
def generate_network_action(self, protocol, action, port_name):
line = ""
method = "corenet_%s_%s_%s" % (protocol, action, port_name)
if method in sepolicy.get_methods():
line = "%s(%s_t)\n" % (method, self.name)
else:
line = """
gen_require(`
type %s_t;
')
allow %s_t %s_t:%s_socket name_%s;
""" % (port_name, self.name, port_name, protocol, action)
return line
def generate_network_types(self):
for i in self.in_tcp[PORTS]:
rec = self.find_port(int(i), "tcp")
if rec == None:
self.need_tcp_type = True
else:
port_name = rec[0][:-2]
line = self.generate_network_action("tcp", "bind", port_name)
# line = "corenet_tcp_bind_%s(%s_t)\n" % (port_name, self.name)
if line not in self.found_tcp_ports:
self.found_tcp_ports.append(line)
for i in self.out_tcp[PORTS]:
rec = self.find_port(int(i), "tcp")
if rec == None:
self.need_tcp_type = True
else:
port_name = rec[0][:-2]
line = self.generate_network_action("tcp", "connect", port_name)
# line = "corenet_tcp_connect_%s(%s_t)\n" % (port_name, self.name)
if line not in self.found_tcp_ports:
self.found_tcp_ports.append(line)
for i in self.in_udp[PORTS]:
rec = self.find_port(int(i), "udp")
if rec == None:
self.need_udp_type = True
else:
port_name = rec[0][:-2]
line = self.generate_network_action("udp", "bind", port_name)
# line = "corenet_udp_bind_%s(%s_t)\n" % (port_name, self.name)
if line not in self.found_udp_ports:
self.found_udp_ports.append(line)
if self.need_udp_type == True or self.need_tcp_type == True:
return re.sub("TEMPLATETYPE", self.name, network.te_types)
return ""
def __find_path(self, file):
for d in self.DEFAULT_DIRS:
if file.find(d) == 0:
self.DEFAULT_DIRS[d][1].append(file)
return self.DEFAULT_DIRS[d]
self.DEFAULT_DIRS["rw"][1].append(file)
return self.DEFAULT_DIRS["rw"]
def add_capability(self, capability):
if capability not in self.capabilities:
self.capabilities.append(capability)
def set_types(self, types):
self.types = types
def add_process(self, process):
if process not in self.processes:
self.processes.append(process)
def add_boolean(self, name, description):
self.booleans[name] = description
def add_file(self, file):
self.files[file] = self.__find_path(file)
def add_dir(self, file):
self.dirs[file] = self.__find_path(file)
def generate_capabilities(self):
newte = ""
self.capabilities.sort()
if len(self.capabilities) > 0:
newte = "allow %s_t self:capability { %s };\n" % (self.name, " ".join(self.capabilities))
return newte
def generate_process(self):
newte = ""
self.processes.sort()
if len(self.processes) > 0:
newte = "allow %s_t self:process { %s };\n" % (self.name, " ".join(self.processes))
return newte
def generate_network_rules(self):
newte = ""
if self.use_network():
newte = "\n"
newte += re.sub("TEMPLATETYPE", self.name, network.te_network)
if self.use_tcp():
newte += "\n"
newte += re.sub("TEMPLATETYPE", self.name, network.te_tcp)
if self.use_in_tcp():
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_tcp)
if self.need_tcp_type and len(self.in_tcp[PORTS]) > 0:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_tcp)
if self.need_tcp_type and len(self.out_tcp[PORTS]) > 0:
newte += re.sub("TEMPLATETYPE", self.name, network.te_out_need_port_tcp)
if self.in_tcp[ALL]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_tcp)
if self.in_tcp[RESERVED]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_tcp)
if self.in_tcp[UNRESERVED]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_tcp)
if self.out_tcp[ALL]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_out_all_ports_tcp)
if self.out_tcp[RESERVED]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_out_reserved_ports_tcp)
if self.out_tcp[UNRESERVED]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_out_unreserved_ports_tcp)
for i in self.found_tcp_ports:
newte += i
if self.use_udp():
newte += "\n"
newte += re.sub("TEMPLATETYPE", self.name, network.te_udp)
if self.need_udp_type:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_need_port_udp)
if self.use_in_udp():
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_udp)
if self.in_udp[ALL]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_all_ports_udp)
if self.in_udp[RESERVED]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_reserved_ports_udp)
if self.in_udp[UNRESERVED]:
newte += re.sub("TEMPLATETYPE", self.name, network.te_in_unreserved_ports_udp)
for i in self.found_udp_ports:
newte += i
return newte
def generate_transition_rules(self):
newte = ""
for app in self.transition_domains:
tmp = re.sub("TEMPLATETYPE", self.name, user.te_transition_rules)
newte += re.sub("APPLICATION", app, tmp)
if self.type == USER:
for u in self.transition_users:
temp = re.sub("TEMPLATETYPE", self.name, executable.te_run_rules)
newte += re.sub("USER", u.split("_u")[0], temp)
return newte
def generate_admin_rules(self):
newte = ""
if self.type == EUSER:
for d in self.existing_domains:
name = d.split("_t")[0]
role = name + "_r"
for app in self.admin_domains:
tmp = re.sub("TEMPLATETYPE", name, user.te_admin_domain_rules)
if role not in self.all_roles:
tmp = re.sub(role, "system_r", tmp)
newte += re.sub("APPLICATION", app, tmp)
return newte
if self.type == RUSER:
newte += re.sub("TEMPLATETYPE", self.name, user.te_admin_rules)
for app in self.admin_domains:
tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_domain_rules)
newte += re.sub("APPLICATION", app, tmp)
for u in self.transition_users:
role = u.split("_u")[0]
if (role + "_r") in self.all_roles:
tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_trans_rules)
newte += re.sub("USER", role, tmp)
return newte
def generate_dbus_if(self):
newif = ""
if self.use_dbus:
newif = re.sub("TEMPLATETYPE", self.name, executable.if_dbus_rules)
return newif
def generate_sandbox_if(self):
newif = ""
if self.type != SANDBOX:
return newif
newif = re.sub("TEMPLATETYPE", self.name, executable.if_sandbox_rules)
return newif
def generate_admin_if(self):
newif = ""
newtypes = ""
if self.initscript != "":
newtypes += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_admin_types)
newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_admin)
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
newtypes += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_admin_types)
newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_admin_rules)
if newif != "":
ret = re.sub("TEMPLATETYPE", self.name, executable.if_begin_admin)
ret += newtypes
ret += re.sub("TEMPLATETYPE", self.name, executable.if_middle_admin)
ret += newif
ret += re.sub("TEMPLATETYPE", self.name, executable.if_end_admin)
return ret
return ""
def generate_cgi_types(self):
return re.sub("TEMPLATETYPE", self.file_name, executable.te_cgi_types)
def generate_sandbox_types(self):
return re.sub("TEMPLATETYPE", self.file_name, executable.te_sandbox_types)
def generate_userapp_types(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_types)
def generate_inetd_types(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_types)
def generate_dbusd_types(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_dbusd_types)
def generate_min_login_user_types(self):
return re.sub("TEMPLATETYPE", self.name, user.te_min_login_user_types)
def generate_login_user_types(self):
return re.sub("TEMPLATETYPE", self.name, user.te_login_user_types)
def generate_admin_user_types(self):
return re.sub("TEMPLATETYPE", self.name, user.te_admin_user_types)
def generate_existing_user_types(self):
if len(self.existing_domains) == 0:
raise ValueError(_("'%s' policy modules require existing domains") % poltype[self.type])
newte = re.sub("TEMPLATETYPE", self.name, user.te_existing_user_types)
newte += """gen_require(`"""
for d in self.existing_domains:
newte += """
type %s;""" % d
role = d.split("_t")[0] + "_r"
if role in self.all_roles:
newte += """
role %s;""" % role
newte += """
')
"""
return newte
def generate_x_login_user_types(self):
return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_types)
def generate_root_user_types(self):
return re.sub("TEMPLATETYPE", self.name, user.te_root_user_types)
def generate_new_types(self):
newte = ""
if len(self.types) == 0:
raise ValueError(_("Type field required"))
for t in self.types:
for i in self.DEFAULT_EXT:
if t.endswith(i):
print t, t[:-len(i)]
newte += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].te_types)
break
if NEWTYPE and newte == "":
default_ext = []
for i in self.DEFAULT_EXT:
default_ext.append(i)
raise ValueError(_("You need to define a new type which ends with: \n %s") % "\n ".join(default_ext))
return newte
def generate_new_rules(self):
return ""
def generate_daemon_types(self):
newte = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_types)
if self.initscript != "":
newte += re.sub("TEMPLATETYPE", self.name, executable.te_initscript_types)
return newte
def generate_tmp_types(self):
if self.use_tmp:
return re.sub("TEMPLATETYPE", self.name, tmp.te_types)
else:
return ""
def generate_booleans(self):
newte = ""
for b in self.booleans:
tmp = re.sub("BOOLEAN", b, boolean.te_boolean)
newte += re.sub("DESCRIPTION", self.booleans[b], tmp)
return newte
def generate_boolean_rules(self):
newte = ""
for b in self.booleans:
newte += re.sub("BOOLEAN", b, boolean.te_rules)
return newte
def generate_sandbox_te(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_sandbox_types)
def generate_cgi_te(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_cgi_types)
def generate_daemon_rules(self):
newif = re.sub("TEMPLATETYPE", self.name, executable.te_daemon_rules)
return newif
def generate_new_type_if(self):
newif = ""
for t in self.types:
for i in self.DEFAULT_EXT:
if t.endswith(i):
reqtype = t[:-len(i)] + "_t"
newif += re.sub("TEMPLATETYPE", t[:-len(i)], self.DEFAULT_EXT[i].if_rules)
break
return newif
def generate_login_user_rules(self):
return re.sub("TEMPLATETYPE", self.name, user.te_login_user_rules)
def generate_existing_user_rules(self):
nerules = re.sub("TEMPLATETYPE", self.name, user.te_existing_user_rules)
return nerules
def generate_x_login_user_rules(self):
return re.sub("TEMPLATETYPE", self.name, user.te_x_login_user_rules)
def generate_root_user_rules(self):
newte = re.sub("TEMPLATETYPE", self.name, user.te_root_user_rules)
return newte
def generate_userapp_rules(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_userapp_rules)
def generate_inetd_rules(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_inetd_rules)
def generate_dbusd_rules(self):
return re.sub("TEMPLATETYPE", self.name, executable.te_dbusd_rules)
def generate_tmp_rules(self):
if self.use_tmp:
return re.sub("TEMPLATETYPE", self.name, tmp.te_rules)
else:
return ""
def generate_cgi_rules(self):
newte = ""
newte += re.sub("TEMPLATETYPE", self.name, executable.te_cgi_rules)
return newte
def generate_sandbox_rules(self):
newte = ""
newte += re.sub("TEMPLATETYPE", self.name, executable.te_sandbox_rules)
return newte
def generate_user_if(self):
newif = ""
if self.use_terminal or self.type == USER:
newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules)
if self.type in (TUSER, XUSER, AUSER, LUSER):
newif += re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules)
return newif
def generate_if(self):
newif = ""
newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules)
if self.program:
newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules)
if self.initscript != "":
newif += re.sub("TEMPLATETYPE", self.name, executable.if_initscript_rules)
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_rules)
for i in self.DEFAULT_DIRS[d][1]:
if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
newif += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].if_stream_rules)
break
newif += self.generate_user_if()
newif += self.generate_dbus_if()
newif += self.generate_admin_if()
newif += self.generate_sandbox_if()
newif += self.generate_new_type_if()
newif += self.generate_new_rules()
return newif
def generate_default_types(self):
return self.DEFAULT_TYPES[self.type][0]()
def generate_default_rules(self):
if self.DEFAULT_TYPES[self.type][1]:
return self.DEFAULT_TYPES[self.type][1]()
return ""
def generate_roles_rules(self):
newte = ""
if self.type in (TUSER, XUSER, AUSER, LUSER):
roles = ""
if len(self.roles) > 0:
newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules)
newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules)
for role in self.roles:
tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules)
newte += re.sub("ROLE", role, tmp)
return newte
def generate_te(self):
newte = self.generate_default_types()
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
# CGI scripts already have a rw_t
if self.type != CGI or d != "rw":
newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
if self.type != EUSER:
newte += """
########################################
#
# %s local policy
#
""" % self.name
newte += self.generate_capabilities()
newte += self.generate_process()
newte += self.generate_network_types()
newte += self.generate_tmp_types()
newte += self.generate_booleans()
newte += self.generate_default_rules()
newte += self.generate_boolean_rules()
for d in self.DEFAULT_KEYS:
if len(self.DEFAULT_DIRS[d][1]) > 0:
if self.type == EUSER:
newte_tmp = ""
for domain in self.existing_domains:
newte_tmp += re.sub("TEMPLATETYPE_t", domain[:-2] + "_t", self.DEFAULT_DIRS[d][2].te_rules)
newte += re.sub("TEMPLATETYPE_rw_t", self.name + "_rw_t", newte_tmp)
else:
newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
for i in self.DEFAULT_DIRS[d][1]:
if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
if self.type == EUSER:
for domain in self.existing_domains:
newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_stream_rules)
else:
newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
break
newte += self.generate_tmp_rules()
newte += self.generate_network_rules()
newte += self.generate_fd_rules()
newte += self.generate_etc_rules()
newte += self.generate_pam_rules()
newte += self.generate_uid_rules()
newte += self.generate_audit_rules()
newte += self.generate_syslog_rules()
newte += self.generate_localization_rules()
newte += self.generate_resolve_rules()
newte += self.generate_roles_rules()
newte += self.generate_mail_rules()
newte += self.generate_transition_rules()
newte += self.generate_admin_rules()
newte += self.generate_dbus_rules()
newte += self.generate_kerberos_rules()
newte += self.generate_manage_krb5_rcache_rules()
return newte
def generate_fc(self):
newfc = ""
fclist = []
for i in self.files.keys():
if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_sock_file)
else:
t1 = re.sub("TEMPLATETYPE", self.name, self.files[i][2].fc_file)
t2 = re.sub("FILENAME", i, t1)
fclist.append(re.sub("FILETYPE", self.files[i][0], t2))
for i in self.dirs.keys():
t1 = re.sub("TEMPLATETYPE", self.name, self.dirs[i][2].fc_dir)
t2 = re.sub("FILENAME", i, t1)
fclist.append(re.sub("FILETYPE", self.dirs[i][0], t2))
if self.type in USERS + [SANDBOX]:
if len(fclist) == 0:
return executable.fc_user
if self.type not in USERS + [SANDBOX, EUSER, NEWTYPE] and not self.program:
raise ValueError(_("You must enter the executable path for your confined process"))
if self.program:
t1 = re.sub("EXECUTABLE", self.program, executable.fc_program)
fclist.append(re.sub("TEMPLATETYPE", self.name, t1))
if self.initscript != "":
t1 = re.sub("EXECUTABLE", self.initscript, executable.fc_initscript)
fclist.append(re.sub("TEMPLATETYPE", self.name, t1))
fclist.sort()
newfc = "\n".join(fclist)
return newfc
def generate_user_sh(self):
newsh = ""
if self.type not in (TUSER, XUSER, AUSER, LUSER, RUSER):
return newsh
roles = ""
for role in self.roles:
roles += " %s_r" % role
if roles != "":
roles += " system_r"
tmp = re.sub("TEMPLATETYPE", self.name, script.users)
newsh += re.sub("ROLES", roles, tmp)
if self.type == RUSER or self.type == AUSER:
for u in self.transition_users:
tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
newsh += re.sub("USER", u, tmp)
if self.type == LUSER:
newsh += re.sub("TEMPLATETYPE", self.name, script.min_login_user_default_context)
else:
newsh += re.sub("TEMPLATETYPE", self.name, script.x_login_user_default_context)
return newsh
def generate_sh(self):
temp = re.sub("TEMPLATETYPE", self.file_name, script.compile)
temp = re.sub("DOMAINTYPE", self.name, temp)
if self.type == EUSER:
newsh = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp)
else:
newsh = re.sub("TEMPLATEFILE", self.file_name, temp)
newsh += re.sub("DOMAINTYPE", self.name, script.manpage)
if self.program:
newsh += re.sub("FILENAME", self.program, script.restorecon)
if self.initscript != "":
newsh += re.sub("FILENAME", self.initscript, script.restorecon)
for i in self.files.keys():
newsh += re.sub("FILENAME", i, script.restorecon)
for i in self.dirs.keys():
newsh += re.sub("FILENAME", i, script.restorecon)
for i in self.in_tcp[PORTS] + self.out_tcp[PORTS]:
if self.find_port(i, "tcp") == None:
t1 = re.sub("PORTNUM", "%d" % i, script.tcp_ports)
newsh += re.sub("TEMPLATETYPE", self.name, t1)
for i in self.in_udp[PORTS]:
if self.find_port(i, "udp") == None:
t1 = re.sub("PORTNUM", "%d" % i, script.udp_ports)
newsh += re.sub("TEMPLATETYPE", self.name, t1)
newsh += self.generate_user_sh()
if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
newsh += re.sub("TEMPLATEFILE", self.file_name, script.rpm)
return newsh
def generate_spec(self):
newspec = ""
selinux_policyver = get_rpm_nvr_list("selinux-policy")[1]
POLICYCOREUTILSVER = get_rpm_nvr_list("checkpolicy")[1]
newspec += spec.header_comment_section
if self.type in APPLICATIONS:
newspec += spec.define_relabel_files_begin
if self.program:
newspec += re.sub("FILENAME", self.program, spec.define_relabel_files_end)
if self.initscript != "":
newspec += re.sub("FILENAME", self.initscript, spec.define_relabel_files_end)
for i in self.files.keys():
newspec += re.sub("FILENAME", i, spec.define_relabel_files_end)
for i in self.dirs.keys():
newspec += re.sub("FILENAME", i, spec.define_relabel_files_end)
newspec += re.sub("VERSION", selinux_policyver, spec.base_section)
newspec = re.sub("MODULENAME", self.file_name, newspec)
newspec = re.sub("DOMAINNAME", self.name, newspec)
if len(self.rpms) > 0:
newspec += "Requires(post): %s\n" % ", ".join(self.rpms)
newspec += re.sub("MODULENAME", self.file_name, spec.mid_section)
newspec = re.sub("DOMAINNAME", self.name, newspec)
newspec = re.sub("TODAYSDATE", time.strftime("%a %b %e %Y"), newspec)
if self.type not in APPLICATIONS:
newspec = re.sub("%relabel_files", "", newspec)
# Remove man pages from EUSER spec file
if self.type == EUSER:
newspec = re.sub(".*%s_selinux.8.*" % self.name, "", newspec)
# Remove user context file from non users spec file
if self.type not in (TUSER, XUSER, AUSER, LUSER, RUSER):
newspec = re.sub(".*%s_u.*" % self.name, "", newspec)
return newspec
def write_spec(self, out_dir):
specfile = "%s/%s_selinux.spec" % (out_dir, self.file_name)
fd = open(specfile, "w")
fd.write(self.generate_spec())
fd.close()
return specfile
def write_te(self, out_dir):
tefile = "%s/%s.te" % (out_dir, self.file_name)
fd = open(tefile, "w")
fd.write(self.generate_te())
fd.close()
return tefile
def write_sh(self, out_dir):
shfile = "%s/%s.sh" % (out_dir, self.file_name)
fd = open(shfile, "w")
fd.write(self.generate_sh())
fd.close()
os.chmod(shfile, 0750)
return shfile
def write_if(self, out_dir):
iffile = "%s/%s.if" % (out_dir, self.file_name)
fd = open(iffile, "w")
fd.write(self.generate_if())
fd.close()
return iffile
def write_fc(self, out_dir):
fcfile = "%s/%s.fc" % (out_dir, self.file_name)
fd = open(fcfile, "w")
fd.write(self.generate_fc())
fd.close()
return fcfile
def __extract_rpms(self):
import yum
yb = yum.YumBase()
yb.setCacheDir()
for pkg in yb.rpmdb.searchProvides(self.program):
self.rpms.append(pkg.name)
for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist:
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
if fname.startswith(b):
if os.path.isfile(fname):
self.add_file(fname)
else:
self.add_dir(fname)
for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]):
for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist:
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
if fname.startswith(b):
if os.path.isfile(fname):
self.add_file(fname)
else:
self.add_dir(fname)
# some packages have own systemd subpackage
# tor-systemd for example
binary_name = self.program.split("/")[-1]
for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]):
for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist:
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
if fname.startswith(b):
if os.path.isfile(fname):
self.add_file(fname)
else:
self.add_dir(fname)
def gen_writeable(self):
try:
self.__extract_rpms()
except ImportError:
pass
if os.path.isfile("/var/run/%s.pid" % self.name):
self.add_file("/var/run/%s.pid" % self.name)
if os.path.isdir("/var/run/%s" % self.name):
self.add_dir("/var/run/%s" % self.name)
if os.path.isdir("/var/log/%s" % self.name):
self.add_dir("/var/log/%s" % self.name)
if os.path.isfile("/var/log/%s.log" % self.name):
self.add_file("/var/log/%s.log" % self.name)
if os.path.isdir("/var/lib/%s" % self.name):
self.add_dir("/var/lib/%s" % self.name)
if os.path.isfile("/etc/rc.d/init.d/%s" % self.name):
self.set_init_script("/etc/rc\.d/init\.d/%s" % self.name)
# we don't want to have subdir in the .fc policy file
# if we already specify labeling for parent dir
temp_basepath = []
for p in self.DEFAULT_DIRS.keys():
temp_dirs = []
try:
temp_basepath = self.DEFAULT_DIRS[p][1][0] + "/"
except IndexError:
continue
for i in self.DEFAULT_DIRS[p][1]:
if i.startswith(temp_basepath):
temp_dirs.append(i)
else:
continue
if len(temp_dirs) is not 0:
for i in temp_dirs:
if i in self.dirs.keys():
del(self.dirs[i])
elif i in self.files.keys():
del(self.files[i])
else:
continue
self.DEFAULT_DIRS[p][1] = list(set(self.DEFAULT_DIRS[p][1]) - set(temp_dirs))
def gen_symbols(self):
if self.type not in APPLICATIONS:
return
if not os.path.exists(self.program):
sys.stderr.write("""
***************************************
Warning %s does not exist
***************************************
""" % self.program)
return
fd = os.popen("nm -D %s | grep U" % self.program)
for s in fd.read().split():
for b in self.symbols:
if s.startswith(b):
exec "self.%s" % self.symbols[b]
fd.close()
def generate(self, out_dir=os.getcwd()):
out = "Created the following files:\n"
out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file"))
out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
out += "%s # %s\n" % (self.write_fc(out_dir), _("File Contexts file"))
if self.type != NEWTYPE:
if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
out += "%s # %s\n" % (self.write_spec(out_dir), _("Spec file"))
out += "%s # %s\n" % (self.write_sh(out_dir), _("Setup Script"))
return out