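#!/usr/bin/env python
# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function

import argparse
import logging
import sys

import setools

# Command-line front end for the SETools TE, RBAC and MLS rule queries.
#
# Comma-separated option values (-c, -p, -x, -b) are split here rather than
# through an argparse "type=" callback so that an empty value never becomes
# [""] -- a one-element list holding the empty string would silently match
# nothing.  The policy path is optional; when it is omitted the value passed
# to setools.SELinuxPolicy() is None.


def _add_rule_types(group, dest, specs):
    """Register one append_const flag per rule type on an argument group.

    Args:
        group: argparse group the flags are added to.
        dest:  attribute on the parsed namespace that collects the selected
               rule-type names (left at None when no flag is given).
        specs: iterable of (flags, const, help) tuples, added in order so the
               --help listing keeps the given ordering.
    """
    for flags, const, help_text in specs:
        group.add_argument(*flags, action="append_const", const=const, dest=dest,
                           help=help_text)


def _apply_tclass(query, tclass, use_regex):
    """Set the object class criterion on *query* from the -c/--class value.

    With -rc the raw string is handed to the query as a regular expression;
    otherwise it is split into a list of class names.  An empty or missing
    value leaves the query's default untouched.
    """
    if not tclass:
        return
    query.tclass = tclass if use_regex else tclass.split(",")


def _parse_xperms(spec):
    """Parse the -x/--xperms value into a list of (low, high) int tuples.

    Each comma-separated item is either a single hexadecimal extended
    permission ("0x5411", yielding (0x5411, 0x5411)) or an inclusive range
    "0x8800-0x88ff".  Values are read in base 16; the 0x prefix is optional.

    Raises:
        ValueError: when an item is neither a value nor a low-high pair, when
            a value is not hexadecimal, or when a range's low end is above its
            high end (such a range would be empty).
    """
    usage = ("Enter an extended permission or extended permission range, e.g. "
             "0x5411 or 0x8800-0x88ff.")
    xperms = []
    for item in spec.split(","):
        bounds = item.split("-")
        if len(bounds) not in (1, 2):
            raise ValueError(usage)
        try:
            # bounds[-1] is bounds[0] for a single value, so low == high.
            low = int(bounds[0], base=16)
            high = int(bounds[-1], base=16)
        except ValueError:
            raise ValueError("Invalid extended permission {0!r}. {1}".format(item, usage))
        if low > high:
            raise ValueError("Extended permission range {0} is empty "
                             "(low end is above high end).".format(item))
        xperms.append((low, high))
    return xperms


def _print_results(query):
    """Run *query* and print each matching rule on its own line, sorted."""
    for rule in sorted(query.results()):
        print(rule)


parser = argparse.ArgumentParser(
    description="SELinux policy rule search tool.",
    epilog="TE/MLS rule searches cannot be mixed with RBAC rule searches.")
parser.add_argument("--version", action="version", version=setools.__version__)
parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
parser.add_argument("-v", "--verbose", action="store_true",
                    help="Print extra informational messages")
parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.")

rtypes = parser.add_argument_group("TE Rule Types")
rtypes.add_argument("-A", action="store_true", help="Search allow and allowxperm rules.")
_add_rule_types(rtypes, "tertypes", (
    (("--allow",), "allow", "Search allow rules."),
    (("--allowxperm",), "allowxperm", "Search allowxperm rules."),
    (("--auditallow",), "auditallow", "Search auditallow rules."),
    (("--auditallowxperm",), "auditallowxperm", "Search auditallowxperm rules."),
    (("--dontaudit",), "dontaudit", "Search dontaudit rules."),
    (("--dontauditxperm",), "dontauditxperm", "Search dontauditxperm rules."),
    (("--neverallow",), "neverallow", "Search neverallow rules."),
    (("--neverallowxperm",), "neverallowxperm", "Search neverallowxperm rules."),
    (("-T", "--type_trans"), "type_transition", "Search type_transition rules."),
    (("--type_change",), "type_change", "Search type_change rules."),
    (("--type_member",), "type_member", "Search type_member rules."),
))

rbacrtypes = parser.add_argument_group("RBAC Rule Types")
_add_rule_types(rbacrtypes, "rbacrtypes", (
    (("--role_allow",), "allow", "Search role allow rules."),
    (("--role_trans",), "role_transition", "Search role_transition rules."),
))

mlsrtypes = parser.add_argument_group("MLS Rule Types")
_add_rule_types(mlsrtypes, "mlsrtypes", (
    (("--range_trans",), "range_transition", "Search range_transition rules."),
))

expr = parser.add_argument_group("Expressions")
expr.add_argument("-s", "--source",
                  help="Source type/role of the TE/RBAC rule.")
expr.add_argument("-t", "--target",
                  help="Target type/role of the TE/RBAC rule.")
expr.add_argument("-c", "--class", dest="tclass",
                  help="Comma separated list of object classes")
expr.add_argument("-p", "--perms", metavar="PERMS",
                  help="Comma separated list of permissions.")
expr.add_argument("-x", "--xperms", metavar="XPERMS",
                  help="Comma separated list of extended permissions.")
expr.add_argument("-D", "--default",
                  help="Default of the rule. (type/role/range transition rules)")
expr.add_argument("-b", "--bool", dest="boolean", metavar="BOOL",
                  help="Comma separated list of Booleans in the conditional expression.")

opts = parser.add_argument_group("Search options")
opts.add_argument("-eb", action="store_true", dest="boolean_equal",
                  help="Match Boolean list exactly instead of matching any listed Boolean.")
opts.add_argument("-ep", action="store_true", dest="perms_equal",
                  help="Match permission set exactly instead of matching any listed permission.")
opts.add_argument("-ex", action="store_true", dest="xperms_equal",
                  help="Match extended permission set exactly instead of matching any listed "
                       "permission.")
opts.add_argument("-ds", action="store_false", dest="source_indirect",
                  help="Match source attributes directly instead of matching member types/roles.")
opts.add_argument("-dt", action="store_false", dest="target_indirect",
                  help="Match target attributes directly instead of matching member types/roles.")
opts.add_argument("-rs", action="store_true", dest="source_regex",
                  help="Use regular expression matching for the source type/role.")
opts.add_argument("-rt", action="store_true", dest="target_regex",
                  help="Use regular expression matching for the target type/role.")
opts.add_argument("-rc", action="store_true", dest="tclass_regex",
                  help="Use regular expression matching for the object class.")
opts.add_argument("-rd", action="store_true", dest="default_regex",
                  help="Use regular expression matching for the default type/role.")
opts.add_argument("-rb", action="store_true", dest="boolean_regex",
                  help="Use regular expression matching for Booleans.")

args = parser.parse_args()

if args.A:
    # append_const leaves tertypes at None when no --<type> flag was given.
    args.tertypes = (args.tertypes or []) + ["allow", "allowxperm"]

if not args.tertypes and not args.mlsrtypes and not args.rbacrtypes:
    parser.error("At least one rule type must be specified.")

# Validate -x before loading the policy so a malformed value is reported as
# a usage error (exit status 2) instead of surfacing as a raw int() failure
# after the policy has already been opened.
xperms = None
if args.xperms:
    try:
        xperms = _parse_xperms(args.xperms)
    except ValueError as err:
        parser.error(str(err))

if args.debug:
    logging.basicConfig(level=logging.DEBUG,
                        format='%(asctime)s|%(levelname)s|%(name)s|%(message)s')
elif args.verbose:
    logging.basicConfig(level=logging.INFO, format='%(message)s')
else:
    logging.basicConfig(level=logging.WARNING, format='%(message)s')

try:
    p = setools.SELinuxPolicy(args.policy)

    if args.tertypes:
        q = setools.TERuleQuery(p,
                                ruletype=args.tertypes,
                                source=args.source,
                                source_indirect=args.source_indirect,
                                source_regex=args.source_regex,
                                target=args.target,
                                target_indirect=args.target_indirect,
                                target_regex=args.target_regex,
                                tclass_regex=args.tclass_regex,
                                perms_equal=args.perms_equal,
                                xperms_equal=args.xperms_equal,
                                default=args.default,
                                default_regex=args.default_regex,
                                boolean_regex=args.boolean_regex,
                                boolean_equal=args.boolean_equal)

        # List-valued criteria are set only when given (see module comment).
        _apply_tclass(q, args.tclass, args.tclass_regex)

        if args.perms:
            q.perms = args.perms.split(",")

        if xperms is not None:
            q.xperms = xperms

        if args.boolean:
            q.boolean = args.boolean if args.boolean_regex else args.boolean.split(",")

        _print_results(q)

    if args.rbacrtypes:
        q = setools.RBACRuleQuery(p,
                                  ruletype=args.rbacrtypes,
                                  source=args.source,
                                  source_indirect=args.source_indirect,
                                  source_regex=args.source_regex,
                                  target=args.target,
                                  target_indirect=args.target_indirect,
                                  target_regex=args.target_regex,
                                  default=args.default,
                                  default_regex=args.default_regex,
                                  tclass_regex=args.tclass_regex)

        _apply_tclass(q, args.tclass, args.tclass_regex)
        _print_results(q)

    if args.mlsrtypes:
        q = setools.MLSRuleQuery(p,
                                 ruletype=args.mlsrtypes,
                                 source=args.source,
                                 source_indirect=args.source_indirect,
                                 source_regex=args.source_regex,
                                 target=args.target,
                                 target_indirect=args.target_indirect,
                                 target_regex=args.target_regex,
                                 tclass_regex=args.tclass_regex,
                                 default=args.default)

        _apply_tclass(q, args.tclass, args.tclass_regex)
        _print_results(q)

except Exception as err:
    # Top-level CLI boundary: under --debug the traceback is the useful
    # output; otherwise report the message on stderr (so it does not mix with
    # the rule listing on stdout) and fail with a non-zero status.
    if args.debug:
        raise

    print(err, file=sys.stderr)
    sys.exit(1)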