a
    ÖâÏh©†  ã                   @   s*  d dl mZ g d¢Zd dlmZmZ d dlZd dlZd dlZd dl	Z	d dl
Z
d dlZd dlZd dlZd dlZd dlZd dlmZmZ eddƒZeddƒZi Zejd	k r®d
ed< e	jf eedœe¤Ž e	jeed
dZz
ejZW n eyö   ej	ZY n0 d dlmZ d dlm Z m!Z!m"Z"m#Z# d dl$T d dlmZ d dl$m%Z% d dl&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z- d dl.m/Z/m0Z0m1Z1m2Z2 d dl3m4Z4m5Z5m6Z6 d dl7m8Z8m9Z9m:Z:m;Z;m<Z<m=Z=m>Z> e<dƒ dd„ Z?dd„ Z@dd„ ZAdd„ ZBed d!ƒZCed d"ƒZDed d#ƒZEe F¡ ZGeG HeC¡ d$d%„ ZIdaJdaKdaLed&d'ƒZMedd(ƒaNedd)ƒZOedd*ƒZPeAƒ ZQG d+d,„ d,eRƒZSeSƒ ZTG d-d.„ d.e ƒZUG d/d0„ d0e/ƒZVG d1d2„ d2eVe4e5e6ƒZWG d3d4„ d4eRƒZXd dlYT d dl7ZZG d5d6„ d6ej[j\ƒZ]d7d8„ Z^G d9d:„ d:ƒZ_d dl`Z`d dlambZb d;d<„ Zce d¡ Zed=d>„ ZfdCd@dA„ZgehdBkr&egƒ  dS )Dé    )Úabsolute_import)ÚRunFaultServerÚClientConnectionHandlerÚget_host_databaseÚsend_alert_notificationÚConnectionPool)ÚGObjectÚGLibN)Úparse_config_settingÚ
get_configZgeneralZi18n_text_domainZi18n_locale_dir)é   TZunicode)ÚdomainÚ	localedir)r   r   Úfallback)ÚServerAccess)ÚPluginReportReceiverÚSETroubleshootDatabaseÚTestPluginReportReceiverÚAnalyzeThread)Ú*)r   )ÚAuditRecordReceiver)ÚProgramErrorÚERR_NOT_AUTHENTICATEDÚERR_USER_LOOKUPÚERR_USER_PROHIBITEDÚERR_USER_PERMISSIONÚERR_FILE_OPENÚERR_DATABASE_NOT_FOUND)Ú
RpcChannelÚConnectionStateÚget_socket_list_from_configÚListeningServer)ÚSETroubleshootServerInterfaceÚ%SETroubleshootDatabaseNotifyInterfaceÚSEAlertInterface)Úget_hostnameÚmake_database_filepathÚ!assure_file_ownership_permissionsÚget_identityÚlog_initÚ	log_debugÚsyslog_traceÚsetroubleshootd_logc                 C   s:   t d|  ƒ dd lm} | tjkr6t dƒ | ¡  d S d S )Núreceived signal=%sr   zreloading configuration file)r*   Úsetroubleshoot.configÚconfigÚsignalÚSIGHUPZconfig_init)ÚsignumÚframer/   © r4   ú9/usr/lib/python3.9/site-packages/setroubleshoot/server.pyÚ
sighandlerm   s    
r6   c                 C   s(   t d|  ƒ t tjd¡ t d¡ d S )Nr-   z=/sys/fs/selinux/policy is in use by another process. Exiting!é   )r*   ÚsyslogÚLOG_ERRÚosÚ_exit©r2   r3   r4   r4   r5   Úpolling_failed_handlerv   s    r=   c                  C   s0   dd l } tƒ }t ¡ }t|   ¡ ƒ}d|||f S )Nr   z%s:%s:%s)Útimer%   r:   ÚgetpidÚstr)r>   ÚhostnameÚpidZstampr4   r4   r5   Úmake_instance_id}   s
    rC   c                   C   s   t S ©N)Úhost_databaser4   r4   r4   r5   r   …   s    r   Zsystem_dbusZbus_nameÚobject_pathZ	interfacec                 C   sP   t j ttd¡}| | j¡ | | j¡ t 	|¡ t
 d¡D ]}| | ¡ q<d S )NÚalertÚsealert)ÚdbusZlowlevelZSignalMessageÚdbus_system_object_pathÚdbus_system_interfaceÚappendÚlevelÚlocal_idÚ
system_busZsend_messageÚconnection_poolÚclientsrG   )ÚsiginforG   Úclientr4   r4   r5   r   ’   s    
r   ZemailZrecipients_filepathÚpkg_nameÚpkg_versionÚrpc_versionc                   @   s8   e Zd Zdd„ Zdd„ Zdd„ Zddd	„Zdd
d„ZdS )r   c                 C   s
   i | _ d S rD   )Úclient_pool©Úselfr4   r4   r5   Ú__init__«   s    zConnectionPool.__init__c                 C   s(   || j v rtd| ƒ d S d | j |< d S )Nz.add_client: client (%s) already in client pool©rW   r*   ©rY   Zhandlerr4   r4   r5   Ú
add_client®   s    
zConnectionPool.add_clientc                 C   s&   || j vrtd| ƒ d S | j |= d S )Nz-remove_client: client (%s) not in client poolr[   r\   r4   r4   r5   Úremove_client´   s    
zConnectionPool.remove_clientNc                 c   s0   | j D ]$}|d u r|V  q|j|kr|V  qd S rD   )rW   Úchannel_type©rY   r_   rS   r4   r4   r5   rQ   º   s
    

zConnectionPool.clientsc                 C   s"   | j D ]}|j|kr| ¡  qd S rD   )rW   r_   Zclose_connectionr`   r4   r4   r5   Ú	close_allÁ   s    

zConnectionPool.close_all)N)N)Ú__name__Ú
__module__Ú__qualname__rZ   r]   r^   rQ   ra   r4   r4   r4   r5   r   ©   s
   
r   c                       s(   e Zd Z‡ fdd„Z‡ fdd„Z‡  ZS )ÚAlertPluginReportReceiverc                    s   t t| ƒ |¡ d S rD   )Úsuperre   rZ   )rY   Údatabase©Ú	__class__r4   r5   rZ   Í   s    z"AlertPluginReportReceiver.__init__c                    sX  t t| ƒ |¡}td urŠg }tjD ]>}d|j }| ||j¡}|dkr"td|j	 ƒ | 
|j¡ q"t|ƒr€ddlm} |||ƒ | j ¡  tdƒ ddlm} t tj| ¡ tdƒ|j  ¡ |jjD ]}|jd	krÆ|jd
 }	 qäqÆtddtƒrtjj|  ¡ |	t!d |j"D ]<}
|
j#dd… dkr*q| |
j#¡}|dkr|  S qt$|ƒ |S )Nzemail:%sÚignorezEmail: siginfo.sig=%sr   )Úemail_alertzsending alert to all clients)Úhtml_to_textz1 For complete SELinux messages run: sealert -l %sÚAVCrB   r,   Zlog_full_report)Z
OBJECT_PIDZSYSLOG_IDENTIFIERé   zemail:)%rf   re   Úreport_problemÚemail_recipientsZrecipient_listÚaddressÚevaluate_filter_for_userÚfilter_typer*   ÚsigrL   ÚlenZsetroubleshoot.email_alertrk   rg   Zmark_modifiedZsetroubleshoot.html_utilrl   r8   r9   ÚsummaryÚ_rN   Úaudit_eventÚrecordsÚrecord_typeÚfieldsr   ÚboolÚsystemdZjournalÚsendZformat_textrT   ZusersÚusernamer   )rY   rR   Zto_addrsZ	recipientr   Úactionrk   rl   Úaudit_recordrB   Úurh   r4   r5   ro   Ð   s<    



 



z(AlertPluginReportReceiver.report_problem)rb   rc   rd   rZ   ro   Ú__classcell__r4   r4   rh   r5   re   Ë   s   re   c                   @   s$   e Zd Zdd„ Zdd„ Zdd„ ZdS )r   c                 C   s*   t  | d¡ | ¡ | _| j d| j¡ d S )NrH   Zchanged)r   rZ   ÚcopyÚsocket_addressÚconnection_stateZconnectÚon_connection_state_change©rY   r…   r4   r4   r5   rZ   ý   s    
z ClientConnectionHandler.__init__c                 C   sT   t d| jj|| |¡| |¡| jf ƒ |tj@ r<t | ¡ |tj@ rPt 	| ¡ d S )Nú]%s.on_connection_state_change: connection_state=%s flags_added=%s flags_removed=%s address=%s)
r*   ri   rb   Úflags_to_stringr…   r   ÚOPENrP   r^   r]   ©rY   r†   ÚflagsZflags_addedZflags_removedr4   r4   r5   r‡     s
    (


z2ClientConnectionHandler.on_connection_state_changec                 C   s8   | j jtj@ rdS || j_| j  tj¡ |  | j¡ d S ©NT©	r†   r   r   r‹   r…   ÚsocketÚupdateZio_watch_addZhandle_client_io©rY   r   r…   r4   r4   r5   Úopen  s
    zClientConnectionHandler.openN)rb   rc   rd   rZ   r‡   r“   r4   r4   r4   r5   r   û   s   	r   c                   @   s~   e Zd Zdd„ Zdd„ Zdd„ Zdd„ Zd	d
„ Zdd„ Zdd„ Z	dd„ Z
dd„ Zdd„ Zdd„ Zdd„ Zddd„Zdd„ ZdS ) Ú&SetroubleshootdClientConnectionHandlerc                 C   sJ   t  | |¡ tƒ | _|  d| ¡ |  d| ¡ tƒ | _d | _d | _d | _	d S )NZSETroubleshootServerr   )
r   rZ   r   rg   Zconnect_rpc_interfacer   Úaccessr   ÚuidÚgidrˆ   r4   r4   r5   rZ     s    z/SetroubleshootdClientConnectionHandler.__init__c                 C   s†   t d| jj|| |¡| |¡| jf ƒ |tj@ r<t | ¡ |tj@ r‚| j	 
| jj¡\| _| _t d| jj| j| jf ƒ t | ¡ d S )Nr‰   zF%s.on_connection_state_change: open, socket credentials: uid=%s gid=%s)r*   ri   rb   rŠ   r…   r   r‹   rP   r^   r•   Zget_credentialsr   r–   r—   r]   rŒ   r4   r4   r5   r‡   (  s    (


zASetroubleshootdClientConnectionHandler.on_connection_state_changec                 C   s8   | j jtj@ rdS || j_| j  tj¡ |  | j¡ d S rŽ   r   r’   r4   r4   r5   r“   3  s
    z+SetroubleshootdClientConnectionHandler.openc                 C   sB   | j jtj@ sttƒ‚tƒ }|jj|kr0|jgS tt	d| ƒ‚d S )Nzdatabase (%s) not found)
r†   r   r   ÚAUTHENTICATEDr   r   r   Ú
propertiesÚnamer   )rY   Zdatabase_namerE   r4   r4   r5   Údatabase_bind<  s    z4SetroubleshootdClientConnectionHandler.database_bindc                 C   sª   t d| ||f ƒ |t| jƒkr6ttd| j|f d‚|dkrDd}nd }| j ||¡s^ttƒ‚|| _|| _	|| _
| j |¡| _| jd u r”| j |¡ | j tj¡ ttgS )Nzlogon(%s) type=%s username=%sz)uid=%s does not match logon username (%s)©ZdetailrH   rS   )r*   r(   r–   r   r   r•   Zuser_allowedr   r_   Zchannel_namer   rg   Zget_userÚuserZadd_userr†   r‘   r   r˜   rU   rV   )rY   Útyper   ÚpasswordZ	privileger4   r4   r5   ÚlogonE  s     
z,SetroubleshootdClientConnectionHandler.logonc                 C   s   | j jtj@ sttƒ‚tgS rD   )r†   r   r   r˜   r   r   rp   rX   r4   r4   r5   Úquery_email_recipients]  s    z=SetroubleshootdClientConnectionHandler.query_email_recipientsc                 C   s4   t d| ƒ | jjtj@ s"ttƒ‚|at t	¡ d S )Nzset_email_recipients: %s)
r*   r†   r   r   r˜   r   r   rp   Zwrite_recipient_fileÚemail_recipients_filepath)rY   Z
recipientsr4   r4   r5   Úset_email_recipientsc  s
    z;SetroubleshootdClientConnectionHandler.set_email_recipientsc                 C   s2   t d| ƒ | jjtj@ s"ttƒ‚| j |¡}d S )Nzdelete_signature: sig=%s)	r*   r†   r   r   r˜   r   r   rg   Údelete_signature)rY   rt   rR   r4   r4   r5   r¤   p  s
    z7SetroubleshootdClientConnectionHandler.delete_signaturec                 C   s.   t dƒ | jjtj@ sttƒ‚| j ¡ }|gS )NÚget_properties)	r*   r†   r   r   r˜   r   r   rg   r¥   )rY   r™   r4   r4   r5   r¥   y  s
    
z5SetroubleshootdClientConnectionHandler.get_propertiesc                 C   s:   t d||f ƒ | jjtj@ s&ttƒ‚| j ||¡}|gS )Nz)evaluate_alert_filter: username=%s sig=%s)	r*   r†   r   r   r˜   r   r   rg   Úevaluate_alert_filter)rY   rt   r   r€   r4   r4   r5   r¦   ‚  s
    z<SetroubleshootdClientConnectionHandler.evaluate_alert_filterc                 C   s4   t d| ƒ | jjtj@ s"ttƒ‚| j |¡}|gS )Nzlookup_local_id: %s)	r*   r†   r   r   r˜   r   r   rg   Úlookup_local_id)rY   rN   rR   r4   r4   r5   r§   ‹  s
    z6SetroubleshootdClientConnectionHandler.lookup_local_idc                 C   s4   t d| ƒ | jjtj@ s"ttƒ‚| j |¡}|gS )Nzquery_alerts: criteria=%s)	r*   r†   r   r   r˜   r   r   rg   Úquery_alerts)rY   ZcriteriaÚsigsr4   r4   r5   r¨   ”  s
    z3SetroubleshootdClientConnectionHandler.query_alertsÚ c                 C   sb   t d|||f ƒ | jjtj@ s(ttƒ‚|| jkrLttt	dƒ| j|f d‚| j
 ||||¡ d S )Nz.set_filter: username=%s filter_type=%s sig=
%sz)The user (%s) cannot modify data for (%s)rœ   )r*   r†   r   r   r˜   r   r   r   r   rw   rg   Ú
set_filter)rY   rt   r   rs   Údatar4   r4   r5   r«     s    
z1SetroubleshootdClientConnectionHandler.set_filterc                 C   s@   t d||||f ƒ | jjtj@ s*ttƒ‚| j ||||¡ d S )Nz2set_user_data: username=%s item=%s data=%s sig=
%s)	r*   r†   r   r   r˜   r   r   rg   Úset_user_data)rY   rt   r   Úitemr¬   r4   r4   r5   r­   ©  s
    z4SetroubleshootdClientConnectionHandler.set_user_dataN)rª   )rb   rc   rd   rZ   r‡   r“   r›   r    r¡   r£   r¤   r¥   r¦   r§   r¨   r«   r­   r4   r4   r4   r5   r”     s   							
r”   c                   @   s   e Zd Zdd„ Zdd„ ZdS )ÚClientNotifierc                 C   s
   || _ d S rD   )rP   )rY   rP   r4   r4   r5   rZ   ·  s    zClientNotifier.__init__c                 C   s"   | j  d¡D ]}| ||¡ qd S )NrH   )rP   rQ   Úsignatures_updated)rY   rž   r®   rS   r4   r4   r5   r°   ¼  s    z!ClientNotifier.signatures_updatedN)rb   rc   rd   rZ   r°   r4   r4   r4   r5   r¯   µ  s   r¯   c                   @   sl  e Zd Zd2dd„Zdd„ Zej e¡dd„ ƒZ	ejjedd	d
d„ ƒZ
ej e¡dd„ ƒZejjedddddd„ ƒZd3dd„Zejjedddddd„ ƒZejjedddddd„ ƒZejjedddddd„ ƒZd d!„ Zejjeddd"dd#d$„ ƒZejjeddd%dd&d'„ ƒZejjeddd%dd(d)„ ƒZejjeddd*d+d,„ ƒZej e¡d-d.„ ƒZd4d/d0„Zd1S )5ÚSetroubleshootdDBusObjecté
   c                 C   sj   t jj | t  ¡ |¡ d| _|| _|  | j¡ td| ƒ || _	|| _
ttjƒ| _tƒ | _tj ¡ | _d S )Nr   zdbus __init__ %s called)rI   ÚserviceÚObjectrZ   Ú	SystemBusÚconn_ctrÚtimeoutÚalarmr*   ÚqueueÚreceiverZAuditRecordReaderZTEXT_FORMATÚrecord_readerr   Úrecord_receiverÚsetroubleshootÚutilZget_store_rootÚ
store_root)rY   rF   Úanalysis_queueÚalert_receiverr·   r4   r4   r5   rZ   È  s    z"SetroubleshootdDBusObject.__init__c                 C   s€   t  ¡ d }dt  ¡ |f d| j|f fD ]$}tj |¡r*t tjd¡  d S q*t	|ƒ}|D ]}t
|ƒr\| j || jf¡ q\d S )Nr7   z%%s%s/modules/active/disable_dontauditz%s/%s/active/disable_dontauditzsSetroubleshoot can not analyze AVCs while dontaudit rules are disabled, 'semodule -B' will turn on dontaudit rules.)ÚselinuxZselinux_getpolicytypeZselinux_pathr¿   r:   ÚpathÚexistsr8   r9   Zcompute_avcsZ
verify_avcr¹   Zputrº   )rY   rx   Zpolicy_typeZ
store_pathZavcsÚavcr4   r4   r5   Úadd_audit_eventÔ  s    þz)SetroubleshootdDBusObject.add_audit_eventc                 C   s   d S rD   r4   )rY   Úreasonr4   r4   r5   Úrestartä  s    z!SetroubleshootdDBusObject.restartÚss)Z	signaturec                 C   s   d S rD   r4   )rY   rM   rN   r4   r4   r5   rG   è  s    zSetroubleshootdDBusObject.alertc                 C   s.   |   d¡ |  jd7  _td| j ƒ tdƒS )Nr   r7   z)dbus iface start() called: %d ConnectionsZStarted)r¸   r¶   r*   rw   rX   r4   r4   r5   Ústartì  s    
zSetroubleshootdDBusObject.startÚsenderÚsÚii)Zsender_keywordÚin_signatureÚout_signaturec                 C   s    t | j |¡ƒ}tƒ }d}g }| d¡ ¡ D ] }| |¡}|dkr,| |¡ q,|jt	d d}	d}
|D ]0}|	d7 }	|j
dkr„|
d7 }
|j|krfd}
d}	qf|	|
fS )Nrª   r   rj   )Úkeyr   r7   Úred)r(   Ú
connectionÚget_unix_userr   r¨   Úsiginfosrr   rL   ÚsortÚcompare_sigrM   rN   )rY   Zlast_seen_idrË   r   rg   rÌ   Z
signaturesrt   r€   ÚcountrÑ   r4   r4   r5   Úcheck_for_newó  s&    


z'SetroubleshootdDBusObject.check_for_newÚdisplayc           
      C   sz   t | j |¡ƒ}tƒ }tj t|d ƒ¡}| d¡j	}g }|D ]6}	|	j
|k rNq>|	 |¡|kr>| |	j|	 ¡ |	jf¡ q>|S )Né@B r   )r(   rÒ   rÓ   r   r½   r¾   Z	TimeStampÚfloatr¨   Úsignature_listÚlast_seen_daterr   rL   rN   rv   Úreport_count)
rY   ÚsincerË   Úalert_actionr   rg   Zsince_alertsÚdatabase_alertsZalertsrG   r4   r4   r5   Ú_get_all_alerts_since  s    
z/SetroubleshootdDBusObject._get_all_alerts_sinceÚtza(ssi)c                 C   s   |   ||¡S rD   ©râ   )rY   rß   rË   r4   r4   r5   Úget_all_alerts_since  s    z.SetroubleshootdDBusObject.get_all_alerts_sincerª   c                 C   s   |   d|¡S )aº  
        Return array of *local_id*'s, *summary*'s, and *report_count*'s of all current alerts in a setroubleshoot database

        returns list of:
        * `local_id(s)`: a report id in a setroubleshoot database
        * `summary(s)`: a brief description of an alert. E.g. `"SELinux is preventing /usr/bin/bash from ioctl access on the unix_stream_socket unix_stream_socket."`
        * `report_count(i)`: count of reports of this alert
r   rä   ©rY   rË   r4   r4   r5   Úget_all_alerts  s    
z(SetroubleshootdDBusObject.get_all_alertsc                 C   s   | j d|ddS )a¾  
        Return array of *local_id*'s, *summary*'s, and *report_count*'s of all alerts which a user set to be ignored by a user

        returns list of:
        * `local_id(s)`: a report id in a setroubleshoot database
        * `summary(s)`: a brief description of an alert. E.g. `"SELinux is preventing /usr/bin/bash from ioctl access on the unix_stream_socket unix_stream_socket."`
        * `report_count(i)`: count of reports of this alert
r   rj   )rà   rä   ræ   r4   r4   r5   Úget_all_alerts_ignored)  s    
z0SetroubleshootdDBusObject.get_all_alerts_ignoredc              
   C   sH   z|  |¡}W n( ty6 } z|‚W Y d }~n
d }~0 0 | ¡  ¡ }|S rD   )r¨   r   rÔ   Ú__next__)rY   rN   rg   rá   ÚerG   r4   r4   r5   Ú
_get_alert5  s    z$SetroubleshootdDBusObject._get_alertzssiasa(ssssbbi)ttsc                 C   sê   t | j |¡ƒ}tƒ }|  ||¡}| ¡  |jj}dd„ |D ƒ}| ¡ \}}	g }
|	D ]R\}}|
 	| 
| ||¡¡| 
| ||¡¡| 
| ||¡¡|j|j|j|jf¡ qT|j| ¡ |j||
t|j d¡ƒd t|j d¡ƒd |jpædfS )ar  
Return an alert with summary, audit events, fix suggestions

##### arguments

* `local_id(s)`: an alert id

##### return values

* `local_id(s)`: an alert id
* `summary(s)`: a brief description of an alert. E.g. `"SELinux is preventing /usr/bin/bash from
  ioctl access on the unix_stream_socket unix_stream_socket."`
* `report_count(i)`: count of reports of this alert
* `audit_event(as)`: an array of audit events (AVC, SYSCALL) connected to the alert
* `plugin_analysis(a(ssssbb)`: an array of plugin analysis structure
 * `if_text(s)`:
 * `then_text(s)`
 * `do_text(s)`
 * `analysis_id(s)`: plugin id. It can be used in `org.fedoraproject.SetroubleshootFixit.run_fix()`
 * `fixable(b)`: True when an alert is fixable by a plugin
 * `report_bug(b)`: True when an alert should be reported to bugzilla
 * `priority(i)`:  An analysis priority. Typically the value is between 1 - 100.
* `first_seen_date(t)`: when the alert was seen for the first time, number of microseconds since the Epoch
* `last_seen_date(t)`: when the alert was seen for the last time, number of microseconds since the Epoch
* `level(s)`: "green", "yellow" or "red"
c                 S   s   g | ]}|  ¡ ‘qS r4   )Zto_text)Ú.0Zeventr4   r4   r5   Ú
<listcomp>_  ó    z7SetroubleshootdDBusObject.get_alert.<locals>.<listcomp>z%srÚ   rª   )r(   rÒ   rÓ   r   rë   Z%update_derived_template_substitutionsrx   ry   Zget_pluginsrL   Z
substituteZget_if_textZget_then_textZget_do_textZanalysis_idZfixableZ
report_bugÚpriorityrN   rv   rÞ   ÚintZfirst_seen_dateÚformatrÝ   rM   )rY   rN   rË   r   rg   rG   rÅ   Zaudit_eventsZtotal_priorityZalert_pluginsZpluginsZpluginÚargsr4   r4   r5   Ú	get_alert=  s0    ù
üz#SetroubleshootdDBusObject.get_alertÚbc                 C   s^   zJt | j |¡ƒ}tƒ }|  ||¡}ddlm} | |j||| d¡ W dS    Y dS 0 dS )zö
Sets a filter on an alert. The alert can be "always" filtered, "never" filtered or "after_first" filtered.

##### arguments

* `local_id(s)`: an alert id
* `filter_type(s)`: "always", "never", "after_first"

##### return values

* `success(b)`:
r   )Úmap_filter_name_to_valueNTF)	r(   rÒ   rÓ   r   rë   Úsetroubleshoot.signaturerõ   r«   rt   )rY   rN   rs   rË   r   rg   rG   rõ   r4   r4   r5   r«   u  s    z$SetroubleshootdDBusObject.set_filterc                 C   s8   z$t ƒ }|  ||¡}| |j¡ W dS    Y dS 0 dS )zz
Deletes an alert from the database.

##### arguments

* `local_id(s)`: an alert id

##### return values

* `success(b)`:
TFN)r   rë   r¤   rt   )rY   rN   rË   rg   rG   r4   r4   r5   Údelete_alert  s    z&SetroubleshootdDBusObject.delete_alert)rÎ   rÏ   c           	   	   C   sâ   t |ƒ}z´|  jd7  _|  d¡ td|| jf ƒ | j |¡D ]B\}}}}}t|||||ƒ}| ¡  | j |¡D ]}|  	|¡ qrq@| j 
d¡D ]}|  	|¡ qW |  jd8  _|  | j¡ n|  jd8  _|  | j¡ 0 tdƒS )Nr7   r   z#dbus avc(%s) called: %d Connectionsrm   )r@   r¶   r¸   r*   r»   ZfeedZAuditRecordZaudispd_rectifyr¼   rÆ   Úflushr·   rw   )	rY   r¬   rz   Zevent_idZ	body_textr{   Zline_numberr   rx   r4   r4   r5   rÅ   ¢  s"    
ÿzSetroubleshootdDBusObject.avcc                 C   s,   |  j d8  _ td| j  ƒ |  | j¡ dS )Nr7   z*dbus iface finish() called: %d Connectionsrª   )r¶   r*   r¸   r·   rX   r4   r4   r5   Úfinish»  s    z SetroubleshootdDBusObject.finishc                 C   s    | j dks|dkrt |¡ d S )Nr   )r¶   r0   r¸   )rY   r·   r4   r4   r5   r¸   Â  s    zSetroubleshootdDBusObject.alarmN)r²   )rÙ   )r²   )rb   rc   rd   rZ   rÆ   rI   r³   r0   rK   rÈ   rG   ÚmethodrÊ   rØ   râ   rå   rç   rè   rë   ró   r«   r÷   rÅ   rù   r¸   r4   r4   r4   r5   r±   Æ  s:   











7




r±   c                 C   s   | j S rD   )rÝ   )Úar4   r4   r5   rÖ   Ç  s    rÖ   c                   @   s   e Zd Zdd„ Zdd„ ZdS )ÚSetroubleshootdDBusc              
   C   sf   z&t dtttf ƒ tt|||ƒ| _W n: ty` } z"t tjd| ¡ |‚W Y d }~n
d }~0 0 d S )Nz=creating system dbus: bus_name=%s object_path=%s interface=%sz$cannot start system DBus service: %s)	r*   Údbus_system_bus_namerJ   rK   r±   Údbus_objÚ	Exceptionr8   r9   )rY   rÀ   rÁ   r·   rê   r4   r4   r5   rZ   Í  s    zSetroubleshootdDBus.__init__c                 C   s   | j  d¡ dS )Nzdaemon requestT)rþ   rÈ   rX   r4   r4   r5   Ú
do_restartÕ  s    zSetroubleshootdDBus.do_restartN)rb   rc   rd   rZ   r   r4   r4   r4   r5   rü   Ë  s   rü   c                 C   s   |   ¡  t ¡  d S rD   )ÚsaveÚ	audit2whyrù   )rg   r4   r4   r5   ÚgoodbyeÞ  s    r  c                 C   s   t dƒ t ¡  d S )Nz SIGALRM raised in RunFaultServer)r*   Ú	main_loopÚquitr<   r4   r4   r5   Úalarm_handleræ  s    r  r²   c              
   C   s  t  | ¡ t   t jt¡ zt ¡  t  d¡ W q¼W q tyr } z(dt|ƒv rZW Y d }~q|‚W Y d }~qd }~0  ty¸ } z0dtt	|ddƒƒv r W Y d }~q|‚W Y d }~qd }~0 0 qt   t jt
¡ t   t jt¡ zŒt t¡ ttƒ}tddƒ}t|ƒ}t|ddƒ t||td	ƒd
at |¡ t tt¡ d}tjjD ]}t t|jj ƒt|jj!ƒt|jj"ƒ|jj#¡\}}|tj$tj%tj&tj'tj(tj)fv r@|tj$krªd}	nv|tj%kr¼d}	nd|tj&krÖd|jj  }	nJ|tj'krðd|jj! }	n0|tj(krd|jj"  }	}	ndd *|jj#¡ }	t tj+d|j,|	f ¡ d}t -|j¡ q@|r^tj.dd tddt/ƒsvt0tƒ}
nt1tƒ}
dd l2}|j3j4 5d¡a6t7t6| ƒ}| 8d¡ | 9¡  ddl:m;} |ƒ a<tt=ddƒ zt< >t=¡ W nB t?y } z(|j@tAkrtB|jCƒ n|‚W Y d }~n
d }~0 0 tDdƒ}|D ]}tE|tFƒ}| G¡  q,tHjI J¡  tKt6|
| ƒ}tL M¡  W n° tNy” } ztBdƒ W Y d }~nŒd }~0  tOyÀ } ztBdƒ W Y d }~n`d }~0  tPy } z>dd lQ}tR| S¡ ƒ t tjTd|jUjVt|ƒf ¡ W Y d }~n
d }~0 0 d S )Nr   z%unable to open /sys/fs/selinux/policyÚ__context__rª   rg   Úfilenamei€  r½   zAudit Listener)Zfriendly_nameFzit is allowedzit is dontaudit'dzsource context %s is undefinedztarget context %s is undefinedzsecurity class %s is undefinedzpermission %s is undefinedú,z'Deleting alert %s, %s in current policyT)ZpruneÚtestÚanalyze)ÚSEEmailRecipientSetZlisten_for_clientz#KeyboardInterrupt in RunFaultServerz$raising SystemExit in RunFaultServerzexception %s: %s)Wr0   r¸   ÚSIGALRMr=   r  ÚinitÚ
ValueErrorr@   ÚSystemErrorÚgetattrr  r1   r6   r8   ZopenlogrT   r¯   rP   r   r&   r'   r   rw   rE   Z
set_notifyÚatexitÚregisterr  r©   rÜ   r  rt   ZscontextZtcontextZtclassr•   ZALLOWZ	DONTAUDITZBADSCONZBADTCONZ	BADTCLASSZBADPERMÚjoinZ
LOG_NOTICErN   r¤   r  r|   re   r   Zsix.moves.queueZmovesr¹   ZQueuerÀ   r   Ú	setDaemonrÊ   rö   r  rp   r¢   Zparse_recipient_filer   Úerrnor   r*   Ústrerrorr    r!   r”   r“   rI   ZglibZinit_threadsrü   r  ÚrunÚKeyboardInterruptÚ
SystemExitrÿ   Ú	tracebackr+   Ú
format_excr9   ri   rb   )r·   rê   Zclient_notifierZdatabase_filenameZdatabase_filepathZdeletedÚiÚwhyZboolsrÇ   rÁ   ZsixZanalyze_threadr  Zlisten_addressesZlisten_addressZlistening_serverZsetroubleshootd_dbusr  r4   r4   r5   r   ë  sž    



ÿ
0"





r   Ú__main__)r²   )iZ
__future__r   Ú__all__Zgi.repositoryr   r	   rI   Zdbus.serviceZ	dbus.glibÚgettextr:   r0   r  Úsysr8   Zsystemd.journalr}   r.   r
   r   r   r   ÚkwargsÚversion_infoÚinstallÚtranslationZugettextrw   ÚAttributeErrorZsetroubleshoot.access_controlr   Zsetroubleshoot.analyzer   r   r   r   Zsetroubleshoot.avc_auditr   Zsetroubleshoot.errcoder   r   r   r   r   r   r   Zsetroubleshoot.rpcr   r   r    r!   Zsetroubleshoot.rpc_interfacesr"   r#   r$   Zsetroubleshoot.utilr%   r&   r'   r(   r)   r*   r+   r6   r=   rC   r   rý   rJ   rK   rµ   rO   Zrequest_namer   rE   rÀ   rp   r¢   rT   rU   rV   Zinstance_idÚobjectr   rP   re   r   r”   r¯   Zsetroubleshoot.audit_datar½   r³   r´   r±   rÖ   rü   rÂ   Zselinux.audit2whyr  r  ZMainLoopr  r  r   rb   r4   r4   r4   r5   Ú<module>   s¬   


ÿþþ
$	$	






0ý !  
 