# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools.  If not, see
# <http://www.gnu.org/licenses/>.
#
import logging
import re

from . import compquery
from .descriptors import CriteriaDescriptor, CriteriaSetDescriptor


class UserQuery(compquery.ComponentQuery):

    """
    Query the users declared in an SELinux policy.

    Parameter:
    policy          The policy to query.

    Keyword Parameters/Class attributes:
    name            The user name to match.
    name_regex      If true, the user name is matched as a regular
                    expression.
    roles           The role(s) to match against each user's role set.
    roles_equal     If true, only users whose role set equals the
                    criteria will match.  Otherwise any intersection
                    will match.
    roles_regex     If true, regular expression matching is used on
                    the role names instead of set logic.
    level           The criteria to match the user's default level.
    level_dom       If true, the criteria will match if it dominates
                    the user's default level.
    level_domby     If true, the criteria will match if it is dominated
                    by the user's default level.
    level_incomp    If true, the criteria will match if it is
                    incomparable to the user's default level.
    range_          The criteria to match the user's range.
    range_subset    If true, the criteria will match if it is a subset
                    of the user's range.
    range_overlap   If true, the criteria will match if it overlaps
                    any of the user's range.
    range_superset  If true, the criteria will match if it is a superset
                    of the user's range.
    range_proper    If true, use proper superset/subset operations.
                    No effect if not using set operations.

    Notes for policy audits:
    * The roles, level and range_ filters are applied only while their
      criterion is truthy.  A falsy criterion switches that filter off;
      it does not select users whose roles, level or range are empty.
    * name and name_regex are not defined in this class; presumably they
      come from the ComponentQuery base -- confirm there.
    * NOTE(review): whether a regular expression criterion has to match
      the whole name or only part of it is decided by the matching
      helpers outside this file.  Confirm before treating a pattern as
      an exact-match filter.
    """

    # MLS default-level criterion and its comparison-mode flags.
    level = CriteriaDescriptor(lookup_function="lookup_level")
    level_dom = False
    level_domby = False
    level_incomp = False

    # MLS range criterion and its comparison-mode flags.
    range_ = CriteriaDescriptor(lookup_function="lookup_range")
    range_overlap = False
    range_subset = False
    range_superset = False
    range_proper = False

    # Role-set criterion; the descriptor is given the name of the regex
    # flag ("roles_regex") and of the lookup function ("lookup_role").
    roles = CriteriaSetDescriptor("roles_regex", "lookup_role")
    roles_equal = False
    roles_regex = False

    def results(self):
        """
        Yield each user in the policy that passes every active filter.

        The name check always runs.  The roles, level and range checks
        run only when their criterion is truthy, so the user's roles,
        mls_level and mls_range attributes are read only for filters
        that are actually in use.
        """
        self.log.info("Generating results from {0.policy}".format(self))

        # One debug record per criterion group, emitted in this order.
        criteria_summaries = (
            "Name: {0.name!r}, regex: {0.name_regex}",
            "Roles: {0.roles!r}, regex: {0.roles_regex}, "
            "eq: {0.roles_equal}",
            "Level: {0.level!r}, dom: {0.level_dom}, domby: {0.level_domby}, "
            "incomp: {0.level_incomp}",
            "Range: {0.range_!r}, subset: {0.range_subset}, overlap: {0.range_overlap}, "
            "superset: {0.range_superset}, proper: {0.range_proper}",
        )
        for summary in criteria_summaries:
            self.log.debug(summary.format(self))

        for candidate in self.policy.users():
            if not self._match_name(candidate):
                continue

            # Criteria are re-read on every iteration because this is a
            # generator and the query object can change between yields.
            roles_ok = not self.roles or self._match_regex_or_set(
                candidate.roles,
                self.roles,
                self.roles_equal,
                self.roles_regex)
            if not roles_ok:
                continue

            level_ok = not self.level or self._match_level(
                candidate.mls_level,
                self.level,
                self.level_dom,
                self.level_domby,
                self.level_incomp)
            if not level_ok:
                continue

            range_ok = not self.range_ or self._match_range(
                candidate.mls_range,
                self.range_,
                self.range_subset,
                self.range_overlap,
                self.range_superset,
                self.range_proper)
            if not range_ok:
                continue

            yield candidate