a yeē @stddlZddlZddlZddlmZddlmZddlZddlZddl Z ddl Z ddl m Z ddl mZddlmZddlmZddlmZddlmZddlmZdd lmZdd lmZdd lmZd ZzFddl Z iZ!ej"d krde!d<e j#efddie!ddiZ$e$j Z%WnJzddl&Z&e'e&j(d<Wn&e)yVddl*Z*e+e*j(d<Yn0Yn0dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3dZ4dZ5dZ6dZ7d Z8d!Z9d"Z:d#Z;d$Ze%d=e>d><e%d?e>d@<e%dAe>dB<e%dCe>dD<e%dEe>dF<e%dGe>dH<e%dIe>dJ<e%dKe>dL<iZ?d>e?dM<d@e?dN<dBe?dO<dDe?dP<dFe?dQ<dHe?dR<dJe?dS<dLe?dT<da@daAdaBdaCdaDgaEdaFdaGdaHdaIdaJdaKdaLdaMdaNdaOdaPdaQdaRdaSdaTdaUdaVdaWdaXdUdVZYddXdYZZdZd[Z[d\d]Z\d^d_Z]d`daZ^ddbdcZ_dddeZ`ddfdgZadhdiZbdjdkZcdldmZddndoZedpdqZfdrdsZgdtduZhgfdvdwZigfdxdyZjdzd{Zkelfd|d}Zmelfd~dZnelfddZoelfddZpddZqddZrddZsddZtddZuddZvddZwddZxddZyddZzddZ{ddZ|ddZ}ddZ~ddZddZddZddZddZddZddZddZddZddZddZddZddZddZddZefddZddZddÄZddńZddDŽZddɄZdd˄Zdd̈́ZddτZddd҄ZdddԄZddքZdd؄ZddڄZdd܄ZdS)N) BoolQuery) PortconQuery) SELinuxPolicy) ObjClassQuery) RBACRuleQuery) RoleQuery) TERuleQuery)TypeAttributeQuery) TypeQuery) UserQueryzselinux-python)Tunicode localedirz/usr/share/localefallback_r allowZ auditallowZ neverallowZ dontauditsourcetargetpermlistclassZ transitionZ role_allowZetc_tz/etcZtmp_tz/tmpZ unit_file_tz/usr/lib/systemd/systemz/lib/systemd/systemz/etc/systemd/systemZ var_cache_tz /var/cacheZ var_lib_tz/var/libZlog_tz/var/logZ var_run_tz/var/runz/runZ var_lock_tz /run/lockz /var/run/lockZ var_spool_tz /var/spoolZ content_tz/var/wwwz all filesaz regular filefZ directorydzcharacter devicecz block devicebz socket filesz symbolic linklz named pipepz--z-dz-cz-bz-sz-lz-pcCs>|ddd}zt||fWSty8d|fYS0dS)Nz/policy.rr)rsplitint ValueError)Z policy_path extensionr)5/usr/lib/python3.9/site-packages/sepolicy/__init__.pypolicy_sortkeys  r+/cCsNz0|t}td|}|jtd|dWSYn0ttddS)Nz%s.*keyzNo SELinux Policy installed)selinuxZselinux_binary_policy_pathglobsortr+r'r)rootpathpoliciesr)r)r*get_installed_policys   r6cCs2tdt|f}|sdS|jtd|dS)z?Get the path to the policy file located in the given store namez%s%s/policy/policy.*Nr-r/)r1r0Z selinux_pathr2r+)storer5r)r)r*get_store_policys  r8cCsRdadadadadadadadadaz t |a Wnt t d|Yn0dS)NzFailed to read %s policy file) all_domainsall_attributesbools all_types role_allowsZusersroles file_types port_typesr_polr'r policy_filer)r)r*policys  rDcCst|}|sdSt|dSN)r8rD)r7rCr)r)r*load_store_policysrFcCst}t|dSrE)r6rDrBr)r)r* init_policysrGcCsts t|tkrbtt}||_t|}|rTt|dkrTd|_||_t|}dd|DS|t krt t}|r|||_dd|DS|t krt t}|r||_dd|DS|t krHtt}|rdd|dD}t|d kr||_n t|dkr|d |d f|_tjr6d d|DSd d|DS|tkrtt}|rf||_tjrd d|DSdd|DS|tkrtt}|r||_dd|DS|tkrtt}|r||_dd|DStddS)Nrc ssB|]:}ttt|t|t|jttt|dVqdS))aliasesnameZ permissive attributesN)listmapstrrHboolZ ispermissiverJ.0xr)r)r* s zinfo..css:|]2}t|ttt|ttt|dVqdS))rIr>typesN)rMrKrLexpandrSrOr)r)r*rRs css*|]"}t|ttt|dVqdS))rIrSN)rMrKrLrTrOr)r)r*rRscSsg|] }t|qSr))r&)rPir)r)r* zinfo..-rrcss<|]4}|jjt|jt|jjt|jj|jjdVqdS))highprotocolrangetypelowN)portsrYrMrZcontextZrange_type_r]rOr)r)r*rRs  css2|]*}|jjt|jt|jj|jjdVqdS))rYrZr\r]N)r^rYrMrZr_r`r]rOr)r)r*rRs  css8|]0}t|jt|ttt|jt|jdVqdS))r[rIr>levelN)rMZ mls_rangerKrLr>Z mls_levelrOr)r)r*rRs css(|] }t|ttt|jdVqdS))rIr>N)rMrKrLr>rOr)r)r*rRscss|]}t||jdVqdS))rIstateNrMrbrOr)r)r*rRscss"|]}t|t|jdVqdS))rIrN)rMrKpermsrOr)r)r*rR)sz Invalid type)rArGTYPEr rIrKresultslenaliasROLEr ATTRIBUTEr PORTrsplitr^mlsUSERr BOOLEANrTCLASSrr')setyperIqrfr^r)r)r*infos      rscCsTt|jt|jt|jt|jd}z.booleans conditionalfilename)rMruletyperrtclassrwrvrbZevaluateZconditional_blockAttributeErrorrKrLrddefaultrx)ZrulerZ boolstatebooleanrtr)r)r*_setools_rule_to_dict2sD     r~c Csts t|si}tttttttg}|D]}||vr*t dd |q*d}t |vrbt |t }d}t |vrzt |t }d}t|vrt |td}g}g}t|vr|tt|vr|tt|vr|tt|vr|tt|dkr2tt||||d} t|vr|t| _|dd| D7}t|vrgd} tt| |||d} t|vrj|t| _|d d| D7}t|vrd g} tt| |||d} | D]"} |t | jt | jd q|S) NzType has to be in %s ,r)ryrrrzcSsg|] }t|qSr)r~rOr)r)r*rVrWzsearch..)type_transitionZ type_changeZ type_membercSsg|] }t|qSr)rrOr)r)r*rVrWr)rr)rArGsetALLOW AUDITALLOW NEVERALLOW DONTAUDIT TRANSITION ROLE_ALLOWr'joinSOURCErMTARGETCLASSrlappendrgrPERMSrdrfrrr) rSZseinfoZ valid_typesrqrrrzZtoretZtertypesrrZrtypesZratypesrr)r)r*searchdsz               rcsi}g}ggz(ttfddtdd7Wn Yn0z(ttfddtdd7Wn Yn0tddtfddt}zD|D]:}||d|d |d fd ||vr||i}qWnty|YS0|S) Ncs |dkSNrIr)rQ)srcr)r*rWz"get_conditionals..rrJcs |dkSrr)r)destr)r*rrWcSs|SrEr))yr)r)r*rrWcs2|dvo0|dvo0t|to0d|vS)Nrrrw)rissubsetrr) dest_listpermsrc_listr)r*rs   rrwrt)rrw)rKfilterget_all_types_inforLget_all_allow_rulesupdaterKeyError)rrrzrZtdictZtlistZallowsrUr))rrrrrr*get_conditionalss0((    rcCsFd}|D]}|ddrd}q"qtd|dttdd|fS) NFrwrTz-- Allowed %s [ %s ]z || cSsd|dd|ddfS)Nz%s=%drwrrr)rr)r)r*rrWz.get_conditionals_format_text..)rrrrL)ZcondrtrQr)r)r*get_conditionals_format_texts  rcCsttt|ddS)NrrS)rKrsrj)Z attributer)r)r*get_types_from_attributesrc Csg}i}tD]}|t|r||qt}|D]D}z$||dt||df||<Wq6tyxg||<Yq60q6|SNregexftype)get_all_file_types startswithgen_short_namer get_fcdict file_type_strr)rqflistmpathsrfcdictr)r)r*get_file_typess  $ rc Cs<|s|Szttt|dWSttfy6|YS0dS)zReturn the real name of a type * If 'name' refers to a type alias, return the corresponding type name. * Otherwise return the original name (even if the type does not exist). rIN)nextrsre RuntimeError StopIterationrIr)r)r*get_real_type_names rc Cs.t}g}i}ttg|ddgdd}|dus:t|dkr>|St}ddg}|D]}|d|vrbqPd |vrt|d stqP|dd r|d|vrqP|d|vr|d|kr||dqPt|dD]}||vr||qqP|D]F} z$|| d t|| d f|| <Wqt y&g|| <Yq0q|S) Nopenwritefile)rrrrZ proc_typeZ sysctl_typerrt_trr) rrrrgrendswithrrrr) rqr?Z all_writesrrrrJrUtrr)r)r*get_writable_filess:    $rcstj|r|gSztd|Wntd|gYS0|}|dr^|ddd}tj|zddkrd7WntytdYn0z6td|fdd t fd d t DWSgYS0dS) Nz%s$zbad reg:z(/.*)?ir,r/ztry failed got an IndexErrorcsg|]}|r|qSr))matchrO)patr)r*rV5rWzfind_file..cs|SrEr)r)r4r)r*r5rWzfind_file..) osr4existsrecompileprintrdirname IndexErrorrLlistdir)Zregr#r))rr4r* find_files*        (rcCsVt|}|D]@}|dr||vr||D] }t|D]}|Sq.qdS)N_exec_t)get_entrypointskeysrr)domain exclude_listZexecutable_filesexer4rr)r)r*find_all_files:s   rcCs`t}zB|drF||vrF||dD]}t|D]}|WSq&WntyZYn0dS)Nrr)rrrr)rrrr4rr)r)r*find_entrypoint_pathDs  rc Cszht|dJ}|D]4}|}|r|dds|d|d||d<qWdn1s\0YWn2ty}z|jtjkrWYd}~n d}~00|S)Nrr#r)Zequivmodify)rrlrOSErrorerrnoENOENT)Zedictfc_pathrfderr)r)r*read_file_equivPs : rcCs"trtSiatt|dddatS)Nz.subsTr)file_equiv_modifiedrrr)r)r*get_file_equiv_modified]s rcCs&trtSt|att|dddatS)Nz .subs_distFr) file_equivrrrr)r)r*get_file_equivfs rc CstrtSgaz:t|dd}|}Wdn1s:0YWn6ty|}z|jtjkrdgWYd}~Sd}~00|D]b}|}t|dkrqz4t|dkrt|d}nd}t |d|fWqt yYq0qtS)N.localrrrrr) local_filesr readlinesrrrrlrgtrans_file_type_strrr)rrfcrrUrecrr)r)r*get_local_file_pathsos,*    rc CstrtSt|d}|}|t|dd}||7}|iaz>t|dd}||7}Wdn1sz0YWn2ty}z|jtjkrWYd}~n d}~00|D]}|}zjt|dkrt |d}nd}|ddd}|tvrt|d  |d n|d g|d t|<WqYq0qd d gitd <d dgitd<d dgitd<d dgitd<d dgitd<d dgitd<d dgitd<d dgitd<d dgitd<tS)Nrz .homedirsrrrrr/:rr)rrz all log filesZlogfilezall user tmp filesZ user_tmp_typezall user home filesZuser_home_typezall virtual image filesZvirt_image_typezBall files on file systems which do not support extended attributesZ noxattrfsz)all sandbox content in tmpfs file systemsZsandbox_tmpfs_typez&all user content in tmpfs file systemsZuser_tmpfs_typezall files on the system file_typezAuse this label for random content that will be shared using sambaZ samba_share_t) rrrcloserrrrlrgrr)rrrrrUrrrr)r)r*rsJ  .   rc s<z fddttgddiDWSttfy6Yn0dS)Ncsg|]}|dkr|qS)rur)rOrqr)r*rVrWz(get_transitions_into..rprocessrr TypeErrorr{rr)rr*get_transitions_intos  rc Cs0zttg|ddWSttfy*Yn0dS)Nrrrrrr)r)r*get_transitionss rc Cs8zddttgd|iDWSttfy2Yn0dS)NcSsg|]}|ddkr|qS)rrr)rOr)r)r*rVrWz(get_file_transitions..rrrr)r)r*get_file_transitionss rcCs\g}ttgd|i}|D]>}d|vrz$|dD]}||vr.||q.WqYq0q|S)Nrrv)rrr)rqr}Zboollistrr#r r)r)r*get_boolean_ruless rcCstdS)NZ entry_type)rr)r)r)r*get_all_entrypointssrcs.tttgdgdgd}fdd|DS)Nr entrypoint)ryrrzrdcs g|]}|jkrt|jqSr))rrMrrOrr)r*rVrWz(get_entrypoint_types..)rrArrf)rqrrr)rr*get_entrypoint_typessrc sht|dddz2ttfddttgddd}|d d WSttt fybYn0dS) Nrrrcs |dkS)Nrr)rrr)r*rrWz$get_init_transtype..init_trrrru) r0Z getfileconrlrKrrrrr{r)r4 entrypointsr)rr*get_init_transtypes$rc Cs\ttdgddgd}g}|D]6}z|j|kr<||jWq tyTYq Yq 0q |SNrrr)ryrrz)rrArfr|rrr{)rurrrrUr)r)r*get_init_entrypoints    rc Cs~ttdgddgd}i}|D]X}z.rr)rrrr)rLrrrKrr)rrr)r)r*get_init_entrypoint_targets rc Cs\t}i}t|D]D}z$||dt||df||<WqtyTg||<Yq0q|Sr)rrrr)rqrrrr)r)r*r s $ rcCsttdkrtStt}z4t|}t}||t |j a| Wn&t j d|t dYn0ttS)Nrz#could not open interface info [%s] r)rgmethodsgen_interfacesdefaultsinterface_infor interfacesZ InterfaceSetZ from_filerKrrsysstderrrexitr2)fnrifsr)r)r* get_methods+s   rcCstdurddttDatS)NcSsg|] }|dqSrr)rOr)r)r*rVCrWz!get_all_types..)r<rsrer)r)r)r* get_all_types@srcCstdurtttatSrE)all_types_inforKrsrer)r)r)r*rFs rcCs&tdur"ttttdddatS)NZ userdomainrrS) user_typesrKrsrjr)r)r)r*get_user_typesLsr cCsttrtSiatttgd}|D]L}t|j}t|j}|dks"|dkrLq"|tvrdt||q"|gt|<q"tS)N)ryZsystem_r) r=rrArrfrMrrr)rrrrZtgtr)r)r*get_all_role_allowsSs    r cCsvddl}g}tt}|D]V}|dd|}t|dkrt|dd|ddkr|d|vr||dq|S)Nrz(.*)%sz_exec_t$z_initrc$)rsortedrfindallrgr)rr9rSrUmr)r)r*get_all_entrypoint_domainsgs  (rcCszddlm}Wnty.ddlm}Yn0t}t}z"t|j t|j kr`WdSWnt ytYn0t dkrt t dt|dddS)Nr)getstatusoutputzEYou must regenerate interface info by running /usr/bin/sepolgen-ifgenz/usr/bin/sepolgen-ifgenr)Zcommandsr ImportError subprocessrrheadersrstatst_mtimergetuidr'rr)rZifilerr)r)r*rss     rcCstr ttfSiaiattD]}|d|dkr>t|d}ndt|dt|df}|d|dftvrt|d|df|n|gt|d|df<d|vr|d|dft|d|d|df<q|dt|d|d|df<qttfS)Nr]rYz%s-%sr\rZr[)portrecs portrecsbynumrsrkrMr)rUportr)r)r* gen_port_dicts ( rcCs"tsttttdddatS)NrrrS)r9rKrsrjr)r)r)r*get_all_domainssrcCs0trtStsttt}dd|DatS)NcSs g|]}t|dkrt|qS)Zobject_r)rMrOr)r)r*rVrWz!get_all_roles..)r>rArGrrfrrr)r)r* get_all_rolessrcCs<ts8tttatjr8tD]}d|dd|d<qtS)Nr$r[r)selinux_user_listrKrsrnrArmrrlrr)r)r*get_selinux_userss  rc CstrtSttd}|}|ga|dD]V}|}t|dks4| drXq4|d}t |d|dd |dddq4tS) Nr rrrrr)rIZseuserrm) login_mappingsrr0Zselinux_usersconf_pathreadrrlstriprgrrr)rbufr rQr)r)r*get_login_mappingss *r%cCsttddtS)NcSs|dSrr)rr)r)r*rrWzget_all_users..)r rLrr)r)r)r* get_all_userssr&cCs&trtSttttdddatS)NrrrS)r?rKr rsrjr)r)r)r*rsrcCs&trtSttttdddatS)NZ port_typerrS)r@rKr rsrjr)r)r)r*get_all_port_typessr'cCststttatSrE)r;rKrsror)r)r)r* get_all_boolss r(cCsd|dt| dS)Nrr)rrgrl)rZtrimr)r)r* prettyprintsr)cCs|SrEr))rr)r)r*markupsr*cCsVd||}|dr(|dt|dS|drD|dt|dS|dr`|dt|dS|dr||d t|dS|d r|d t|d S|d r|d t|d S|d s|dr|dS|dr|dS|dr|dt|dS|dr|dt|dS|dr:|dt|dS|drX|dt|dS|dr~|d|dtd S|dr|dt|dS|dr|dt|dS|dr|dt|dS|d r|dt|d S|d!r|d"t|d!S|d#r2|d$t|d#S|d%rP|d&t|d%S|d'rn|d(t|d'S|d)r|d*t|d)S|d+r|d$t|d+S|d,r|d-t|d,S|d.r|d/t|d.S|d0r|d1t|d0S|d2r"|d3t|d2S|d4r@|d1t|d4S|d5r^|d1t|d5S|d6r||d1t|d6S|d5r|d7t|d5S|d8r|d9t|d8S|d:r|d;t|d:S|d<r|d=t|d<S|d>r|d?t|d>S|d@r&|dAS|dBrD|dCt|dBS|dDt|dES)FNz+Set files with the %s type, if you want to Z _var_run_tz8store the %s files under the /run or /var/run directory.Z_pid_tz,store the %s files under the /run directory.Z _var_lib_tz0store the %s files under the /var/lib directory.Z_var_tz,store the %s files under the /var directory.Z _var_spool_tz2store the %s files under the /var/spool directory.Z_spool_tZ_cache_tZ _var_cache_tz/store the files under the /var/cache directory.Z _keytab_tz)treat the files as kerberos keytab files.Z_lock_tzEtreat the files as %s lock data, stored under the /var/lock directoryZ_log_tzKtreat the data as %s log data, usually stored under the /var/log directory.Z _config_tzRtreat the files as %s configuration data, usually stored under the /etc directory.Z_conf_trz,transition an executable to the %s_t domain.Z_cgi_content_tz"treat the files as %s cgi content.Z _rw_content_tz)treat the files as %s read/write content.Z_rw_tZ_write_tZ_db_tz'treat the files as %s database content.Z _ra_content_tz*treat the files as %s read/append content.Z_cert_tz'treat the files as %s certificate data.Z_key_tztreat the files as %s key data.Z _secret_tz"treat the files as %s secret data.Z_ra_tZ_ro_tz(treat the files as %s read/only content.Z _modules_tztreat the files as %s modules.Z _content_tztreat the files as %s content.Z_state_tz!treat the files as %s state data.Z_files_tZ_file_tZ_data_tztreat the data as %s content.Z_tmp_tz1store %s temporary files in the /tmp directories.Z_etc_tz'store %s files in the /etc directories.Z_home_tz+store %s files in the users home directory.Z_tmpfs_tz&store %s files on a tmpfs file system.Z _unit_file_tz#treat files as a systemd unit file.Z _htaccess_tz#treat the file as a %s access file.ztreat the files as %s data.r)rr)rg)rr*Ztxtr)r)r*get_descriptions                                     r+cCs"tstttddttatS)NcSs|dSrr)rr)r)r*rSrWz$get_all_attributes..)r:rKr rLrsrjr)r)r)r*get_all_attributesPsr,cCs |D]}||tvrdSqdS)NFT)r)dictrdrr)r)r*_dict_has_permsWs r.cCspt}|dr&t|}|dd}n|}|d|vrBtd||ddkr`|ddd}n|d}||fS)Nrzdomain %s_t does not existr/rr)rrrr')rqr9 domainname short_namer)r)r*r^s    rcCststtgatSrE)all_allow_rulesrrr)r)r)r*rns rcCs.ts*ttddttgd}dd|DatS)Nz.*T)r}Z boolean_regexrycSsg|] }t|qSr)rrOr)r)r*rVyrWz&get_all_bool_rules..)all_bool_rulesrrArrrfrr)r)r*get_all_bool_rulests r4cCststttgatSrE)all_transitionsrKrrr)r)r)r*get_all_transitions|sr6c s g}g}t\}}tddtfddtD]}|D]}t|tsJq:zt|d}Wntyv|d}Yn0|d |s|d |r|d|f|vr|d| f|vr| |d|fq:|d|f|vr:|d| f|vr:| |d|fq:q2||fS)NcSs|dS)Nrvr)rr)r)r*rrWzget_bools..csd|vo|dkS)Nrvrr)rrr)r*rrWrr) rrLrr4 isinstancetupler0Zsecurity_get_boolean_activerrr)rqr;Z domainboolsr0r1rUr rtr)rr* get_boolss" "  ""r9cCststdatS)Nr)rvr0Zsecurity_get_boolean_namesr)r)r)r*get_all_booleanss r:#/usr/share/selinux/devel/policy.xmlcCsNzt|}|}|Wn*tyHt|}|}|Yn0|SrE)gziprr"rIOError)r4rr$r)r)r* policy_xmls   r>cCstrtSddl}iaz|jjt|}|dD]}|dD]}|dD]J}|ddj d}t dd|}| d | d |ft| d <qR|d D]J}|ddj d}t dd|}| d | d |ft| d <qqD|d D]F}|ddj d}t dd|}d | d |ft| d <qq4|dD]F}|ddj d}t dd|}d | d |ft| d <qTWnt yYn0tS) NrZlayermoduleZtunabledescr#r rrIZdftvalrNglobal) booleans_dictZxml.etree.ElementTreeZetreeZ ElementTreeZ fromstringr>r findtextr#rsubgetr=)r4ZxmlZtreer"rr r@rUr)r)r* gen_bool_dicts6"$ "rGcCs*t}||vrt||dStdSdS)Nrunknown)rGr)r}rBr)r)r*boolean_categorysrIcCsPt}||vrt||dS|d}tdj|dd|dddSdS)NrrzAllow {subject} to {rest}rrr)Zsubjectrest)rGrrlformatr)r}rBr@r)r)r* boolean_descs  rLc CsLddl}d}zddl}|jdd}Wn"tttt|jfyFd}Yn0|S)Nrr$T)ZprettyZMisc)rdistrorIModuleNotFoundErrorrr= UnicodeErrorZCalledProcessError)rZsystem_releaserMr)r)r*get_os_versions rPcCsPdadadadadadadadadada da da da da da dadadadadSrE)r:r9r<rvrBr;rr?rrrrr@r=r>r r!rr)r)r)r*reinits&rQ)r,)N)N)r;)r;)rr0r1Zsepolgen.defaultsrZsepolgen.interfacesrrrrr<Zsetools.boolqueryrZsetools.portconqueryrZsetools.policyreprZsetools.objclassqueryrZsetools.rbacrulequeryrZsetools.rolequeryrZsetools.terulequeryrZsetools.typeattrqueryr Zsetools.typequeryr Zsetools.userqueryr ZPROGNAMEgettextkwargs version_info translationrrbuiltinsrM__dict__rZ __builtin__r rerirjrkrnrorprrrrrrrrrrZ DEFAULT_DIRSrrrArrrrrr<rr r=rrr9r>rr!r?r@r;r:rvrBr2r3r5r+r6r8rDrFrGrsr~rrrrrrrrrrrZselinux_file_context_pathrrrrrrrrrrrrrrrrrrr r rrrrrrr%r&rr'r(r)r*r+r,r.rrr4r6r9r:r>rGrIrLrPrQr)r)r)r*sj                          m2 K! $    .       ]