Home | History | Annotate | Download | only in sepolicy
      1 #!/usr/bin/python -Es
      2 #
      3 # Copyright (C) 2012 Red Hat
      4 # see file 'COPYING' for use and warranty information
      5 #
      6 # policygentool is a tool for the initial generation of SELinux policy
      7 #
      8 #    This program is free software; you can redistribute it and/or
      9 #    modify it under the terms of the GNU General Public License as
     10 #    published by the Free Software Foundation; either version 2 of
     11 #    the License, or (at your option) any later version.
     12 #
     13 #    This program is distributed in the hope that it will be useful,
     14 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
     15 #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     16 #    GNU General Public License for more details.
     17 #
     18 #    You should have received a copy of the GNU General Public License
     19 #    along with this program; if not, write to the Free Software
     20 #    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
     21 #                                        02111-1307  USA
     22 #
     23 #
     24 import re
     25 import sys
     26 import sepolicy
     27 ADMIN_TRANSITION_INTERFACE = "_admin$"
     28 USER_TRANSITION_INTERFACE = "_role$"
     29 
     30 __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_user', 'get_interface_dict', 'get_interface_format_text', 'get_interface_compile_format_text', 'get_xml_file', 'interface_compile_test']
     31 
     32 ##
     33 ## I18N
     34 ##
     35 PROGNAME = "policycoreutils"
     36 try:
     37     import gettext
     38     kwargs = {}
     39     if sys.version_info < (3,):
     40         kwargs['unicode'] = True
     41     gettext.install(PROGNAME,
     42                     localedir="/usr/share/locale",
     43                     codeset='utf-8',
     44                     **kwargs)
     45 except:
     46     try:
     47         import builtins
     48         builtins.__dict__['_'] = str
     49     except ImportError:
     50         import __builtin__
     51         __builtin__.__dict__['_'] = unicode
     52 
     53 
     54 def get_interfaces_from_xml(path):
     55     """ Get all interfaces from given xml file"""
     56     interfaces_list = []
     57     idict = get_interface_dict(path)
     58     for k in idict.keys():
     59         interfaces_list.append(k)
     60     return interfaces_list
     61 
     62 
     63 def get_all_interfaces(path=""):
     64     from sepolicy import get_methods
     65     all_interfaces = []
     66     if not path:
     67         all_interfaces = get_methods()
     68     else:
     69         xml_path = get_xml_file(path)
     70         all_interfaces = get_interfaces_from_xml(xml_path)
     71 
     72     return all_interfaces
     73 
     74 
     75 def get_admin(path=""):
     76     """ Get all domains with an admin interface from installed policy."""
     77     """ If xml_path is specified, func returns an admin interface from specified xml file"""
     78     admin_list = []
     79     if path:
     80         try:
     81             xml_path = get_xml_file(path)
     82             idict = get_interface_dict(xml_path)
     83             for k in idict.keys():
     84                 if k.endswith("_admin"):
     85                     admin_list.append(k)
     86         except IOError as e:
     87             sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
     88             sys.exit(1)
     89     else:
     90         for i in sepolicy.get_methods():
     91             if i.endswith("_admin"):
     92                 admin_list.append(i.split("_admin")[0])
     93 
     94     return admin_list
     95 
     96 
     97 def get_user(path=""):
     98     """ Get all domains with SELinux user role interface"""
     99     """ If xml_path is specified, func returns an user role interface from specified xml file"""
    100     trans_list = []
    101     if path:
    102         try:
    103             xml_path = get_xml_file(path)
    104             idict = get_interface_dict(xml_path)
    105             for k in idict.keys():
    106                 if k.endswith("_role"):
    107                     if (("%s_exec_t" % k[:-5]) in sepolicy.get_all_types()):
    108                         trans_list.append(k)
    109         except IOError as e:
    110             sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
    111             sys.exit(1)
    112     else:
    113         for i in sepolicy.get_methods():
    114             m = re.findall("(.*)%s" % USER_TRANSITION_INTERFACE, i)
    115             if len(m) > 0:
    116                 if "%s_exec_t" % m[0] in sepolicy.get_all_types():
    117                     trans_list.append(m[0])
    118 
    119     return trans_list
    120 
    121 interface_dict = None
    122 
    123 
    124 def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
    125     global interface_dict
    126     import os
    127     import xml.etree.ElementTree
    128     if interface_dict:
    129         return interface_dict
    130 
    131     interface_dict = {}
    132     param_list = []
    133 
    134     xml_path = """<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
    135 <policy>
    136 <layer name="admin">
    137 """
    138     xml_path += path
    139     xml_path += """
    140 </layer>
    141 </policy>
    142 """
    143 
    144     try:
    145         if os.path.isfile(path):
    146             tree = xml.etree.ElementTree.parse(path)
    147         else:
    148             tree = xml.etree.ElementTree.fromstring(xml_path)
    149         for l in tree.findall("layer"):
    150             for m in l.findall("module"):
    151                 for i in m.getiterator('interface'):
    152                     for e in i.findall("param"):
    153                         param_list.append(e.get('name'))
    154                     interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "interface"]
    155                     param_list = []
    156                 for i in m.getiterator('template'):
    157                     for e in i.findall("param"):
    158                         param_list.append(e.get('name'))
    159                     interface_dict[(i.get("name"))] = [param_list, (i.find('summary').text), "template"]
    160                     param_list = []
    161     except IOError:
    162         pass
    163     return interface_dict
    164 
    165 
    166 def get_interface_format_text(interface, path="/usr/share/selinux/devel/policy.xml"):
    167     idict = get_interface_dict(path)
    168     interface_text = "%s(%s) %s" % (interface, ", ".join(idict[interface][0]), " ".join(idict[interface][1].split("\n")))
    169 
    170     return interface_text
    171 
    172 
    173 def get_interface_compile_format_text(interfaces_dict, interface):
    174     from .templates import test_module
    175     param_tmp = []
    176     for i in interfaces_dict[interface][0]:
    177         param_tmp.append(test_module.dict_values[i])
    178         interface_text = "%s(%s)\n" % (interface, ", ".join(param_tmp))
    179 
    180     return interface_text
    181 
    182 
    183 def generate_compile_te(interface, idict, name="compiletest"):
    184     from .templates import test_module
    185     te = ""
    186     te += re.sub("TEMPLATETYPE", name, test_module.te_test_module)
    187     te += get_interface_compile_format_text(idict, interface)
    188 
    189     return te
    190 
    191 
    192 def get_xml_file(if_file):
    193     """ Returns xml format of interfaces for given .if policy file"""
    194     import os
    195     try:
    196             from commands import getstatusoutput
    197     except ImportError:
    198             from subprocess import getstatusoutput
    199     basedir = os.path.dirname(if_file) + "/"
    200     filename = os.path.basename(if_file).split(".")[0]
    201     rc, output = getstatusoutput("python /usr/share/selinux/devel/include/support/segenxml.py -w -m %s" % basedir + filename)
    202     if rc != 0:
    203         sys.stderr.write("\n Could not proceed selected interface file.\n")
    204         sys.stderr.write("\n%s" % output)
    205         sys.exit(1)
    206     else:
    207         return output
    208 
    209 
    210 def interface_compile_test(interface, path="/usr/share/selinux/devel/policy.xml"):
    211     exclude_interfaces = ["userdom", "kernel", "corenet", "files", "dev"]
    212     exclude_interface_type = ["template"]
    213 
    214     try:
    215             from commands import getstatusoutput
    216     except ImportError:
    217             from subprocess import getstatusoutput
    218     import os
    219     policy_files = {'pp': "compiletest.pp", 'te': "compiletest.te", 'fc': "compiletest.fc", 'if': "compiletest.if"}
    220     idict = get_interface_dict(path)
    221 
    222     if not (interface.split("_")[0] in exclude_interfaces or idict[interface][2] in exclude_interface_type):
    223         print(_("Compiling %s interface" % interface))
    224         try:
    225             fd = open(policy_files['te'], "w")
    226             fd.write(generate_compile_te(interface, idict))
    227             fd.close()
    228             rc, output = getstatusoutput("make -f /usr/share/selinux/devel/Makefile %s" % policy_files['pp'])
    229             if rc != 0:
    230                 sys.stderr.write(output)
    231                 sys.stderr.write(_("\nCompile test for %s failed.\n") % interface)
    232 
    233         except EnvironmentError as e:
    234             sys.stderr.write(_("\nCompile test for %s has not run. %s\n") % (interface, e))
    235         for v in policy_files.values():
    236             if os.path.exists(v):
    237                 os.remove(v)
    238 
    239     else:
    240         sys.stderr.write(_("\nCompiling of %s interface is not supported." % interface))
    241