      1 # Copyright 2014, Tresys Technology, LLC
      2 #
      3 # This file is part of SETools.
      4 #
      5 # SETools is free software: you can redistribute it and/or modify
      6 # it under the terms of the GNU Lesser General Public License as
      7 # published by the Free Software Foundation, either version 2.1 of
      8 # the License, or (at your option) any later version.
      9 #
     10 # SETools is distributed in the hope that it will be useful,
     11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
     12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     13 # GNU Lesser General Public License for more details.
     14 #
     15 # You should have received a copy of the GNU Lesser General Public
     16 # License along with SETools.  If not, see
     17 # <http://www.gnu.org/licenses/>.
     18 #
     19 from . import exception
     20 from . import qpol
     21 from . import rule
     22 from . import role
     23 from . import typeattr
     24 
     25 
def rbac_rule_factory(policy, name):
    """Factory function for creating RBAC rule objects.

    Dispatches on the concrete qpol symbol handed in: a
    ``qpol_role_allow_t`` becomes a :class:`RoleAllow` and a
    ``qpol_role_trans_t`` becomes a :class:`RoleTransition`.  Anything
    else -- including a plain rule name string -- cannot be resolved to
    a rule, so a TypeError is raised instead of guessing.
    """
    dispatch = (
        (qpol.qpol_role_allow_t, RoleAllow),
        (qpol.qpol_role_trans_t, RoleTransition),
    )
    # Checked in declaration order so the first matching symbol type wins.
    for symbol_type, rule_class in dispatch:
        if isinstance(name, symbol_type):
            return rule_class(policy, name)

    raise TypeError("RBAC rules cannot be looked up.")
     35 
     36 
def validate_ruletype(types):
    """Validate RBAC rule types.

    Every entry of *types* must be exactly ``"allow"`` or
    ``"role_transition"`` (case-sensitive, no aliases).  The first entry
    that is not raises InvalidRBACRuleType; otherwise the function
    returns None.
    """
    valid = ("allow", "role_transition")
    for candidate in types:
        if candidate in valid:
            continue
        raise exception.InvalidRBACRuleType(
            "{0} is not a valid RBAC rule type.".format(candidate))
     42 
     43 
class RoleAllow(rule.PolicyRule):

    """A role allow rule.

    Only ``source`` and ``target`` are meaningful for this rule kind;
    both are resolved to Role objects through ``role.role_factory``.
    ``tclass`` and ``default`` raise RuleUseError because a role allow
    rule carries neither an object class nor a default role.
    """

    def __str__(self):
        return "allow {src} {tgt};".format(src=self.source, tgt=self.target)

    def _role(self, qpol_role):
        """Wrap a qpol role symbol as a Role object bound to this policy."""
        return role.role_factory(self.policy, qpol_role)

    @property
    def source(self):
        """The rule's source role."""
        return self._role(self.qpol_symbol.source_role(self.policy))

    @property
    def target(self):
        """The rule's target role."""
        return self._role(self.qpol_symbol.target_role(self.policy))

    @property
    def tclass(self):
        """The rule's object class (not defined for role allow rules)."""
        raise exception.RuleUseError("Role allow rules do not have an object class.")

    @property
    def default(self):
        """The rule's default role (not defined for role allow rules)."""
        raise exception.RuleUseError("Role allow rules do not have a default role.")
     70 
     71 
class RoleTransition(rule.PolicyRule):

    """A role_transition rule.

    ``source`` and ``default`` resolve to Role objects; ``target`` is the
    type or attribute the rule is keyed on and is resolved through
    ``typeattr.type_or_attr_factory``.  ``tclass`` is inherited from
    PolicyRule and is only used here when rendering the rule as text.
    """

    def __str__(self):
        # Keyword order matches the field order so attribute lookups
        # happen in the same sequence as the rendered rule.
        return "role_transition {src} {tgt}:{cls} {dft};".format(
            src=self.source, tgt=self.target, cls=self.tclass, dft=self.default)

    @property
    def source(self):
        """The rule's source role."""
        qpol_role = self.qpol_symbol.source_role(self.policy)
        return role.role_factory(self.policy, qpol_role)

    @property
    def target(self):
        """The rule's target type/attribute."""
        qpol_type = self.qpol_symbol.target_type(self.policy)
        return typeattr.type_or_attr_factory(self.policy, qpol_type)

    @property
    def default(self):
        """The rule's default role."""
        qpol_role = self.qpol_symbol.default_role(self.policy)
        return role.role_factory(self.policy, qpol_role)
     93