Move permissive query into type query

TypeQuery needed the permisive matching support to be complete. This made
PermissiveQuery redundant.

Made the permissive state an option, so enforcing types could be queried.
This commit is contained in:
Chris PeBenito 2015-01-31 12:10:11 -05:00
parent 3ec1cf7d60
commit 2418619e2a
8 changed files with 63 additions and 259 deletions

View File

@ -1,5 +1,5 @@
"""The SETools SELinux policy analysis library."""
# Copyright 2014, Tresys Technology, LLC
# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
@ -35,7 +35,6 @@ from . import rolequery
from . import userquery
from . import boolquery
from . import polcapquery
from . import permissivequery
# Rule Queries
from . import terulequery

View File

@ -1,51 +0,0 @@
# Copyright 2014, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
import re
from . import compquery
class PermissiveQuery(compquery.ComponentQuery):
"""Query permissive types"""
def __init__(self, policy,
name="", name_regex=False):
"""
Parameters:
name The name of the permissive type to match.
name_regex If true, regular expression matching will
be used for matching the name.
"""
self.policy = policy
self.set_name(name, regex=name_regex)
def results(self):
"""Generator which yields all matching permissive types."""
for t in self.policy.permissives():
if self.name and not self._match_regex(
t,
self.name,
self.name_regex,
self.name_cmp):
continue
yield t

View File

@ -1,4 +1,4 @@
# Copyright 2014, Tresys Technology, LLC
# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
@ -28,30 +28,34 @@ class TypeQuery(compquery.ComponentQuery):
def __init__(self, policy,
name="", name_regex=False,
alias="", alias_regex=False,
attrs=set(), attrs_equal=False, attrs_regex=False):
attrs=set(), attrs_equal=False, attrs_regex=False,
permissive=False, match_permissive=False):
"""
Parameter:
policy The policy to query.
name The type name to match.
name_regex If true, regular expression matching
will be used on the type names.
alias The alias name to match.
alias_regex If true, regular expression matching
will be used on the alias names.
attrs The attribute to match.
attrs_equal If true, only types with attribute sets
that are equal to the criteria will
match. Otherwise, any intersection
will match.
attrs_regex If true, regular expression matching
will be used on the attribute names instead
of set logic.
policy The policy to query.
name The type name to match.
name_regex If true, regular expression matching
will be used on the type names.
alias The alias name to match.
alias_regex If true, regular expression matching
will be used on the alias names.
attrs The attribute to match.
attrs_equal If true, only types with attribute sets
that are equal to the criteria will
match. Otherwise, any intersection
will match.
attrs_regex If true, regular expression matching
will be used on the attribute names instead
of set logic.
match_permissive If true, the permissive state will be matched.
permissive The permissive state to match.
"""
self.policy = policy
self.set_name(name, regex=name_regex)
self.set_alias(alias, regex=alias_regex)
self.set_attrs(attrs, regex=attrs_regex, equal=attrs_equal)
self.set_permissive(match_permissive, permissive=permissive)
def results(self):
"""Generator which yields all matching types."""
@ -79,6 +83,9 @@ class TypeQuery(compquery.ComponentQuery):
self.attrs_cmp):
continue
if self.match_permissive and t.ispermissive != self.permissive:
continue
yield t
def set_alias(self, alias, **opts):
@ -141,3 +148,24 @@ class TypeQuery(compquery.ComponentQuery):
self.attrs_cmp = re.compile(self.attrs)
else:
self.attrs_cmp = None
def set_permissive(self, match, **opts):
"""
Set if the permissive state should be matched.
Parameter:
match If true, the permissive state will be matched.
permissive If true, permissive types will match, otherwise
enforcing types will match.
Exceptions:
NameError Invalid keyword option.
"""
self.match_permissive = bool(match)
for k in list(opts.keys()):
if k == "permissive":
self.permissive = bool(opts[k])
else:
raise NameError("Invalid permissive option: {0}".format(k))

View File

@ -1,4 +1,4 @@
# Copyright 2014, Tresys Technology, LLC
# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
@ -26,7 +26,6 @@ from . import netifconquery
from . import nodeconquery
from . import objclassquery
from . import polcapquery
from . import permissivequery
from . import infoflow
from . import terulequery
from . import rbacrulequery

View File

@ -1,135 +0,0 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
sensitivity low_s;
sensitivity medium_s alias med;
sensitivity high_s;
dominance { low_s med high_s }
category here;
category there;
category elsewhere alias lost;
#level decl
level low_s:here.there;
level med:here, elsewhere;
level high_s:here.lost;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
################################################################################
# Type enforcement declarations and rules
########################################
#
# Type Query
#
# test 1
# name: test1
# attrs: unset
# alias: unset
type test1;
type test1a;
permissive test1;
# test 2
# name: test2(a|b)$ regex
type test2a;
type test2b;
type test2c alias test2alias;
type test2aFAIL;
permissive test2a;
permissive test2b;
permissive test2aFAIL;
################################################################################
#users
user system roles system level med range low_s - high_s:here.lost;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:medium_s:here
sid security system:system:system:high_s:lost
#fs_use
fs_use_trans devpts system:object_r:system:low_s;
fs_use_xattr ext3 system:object_r:system:low_s;
fs_use_task pipefs system:object_r:system:low_s;
#genfscon
genfscon proc / system:object_r:system:med
genfscon proc /sys system:object_r:system:low_s
genfscon selinuxfs / system:object_r:system:high_s:here.there
portcon tcp 80 system:object_r:system:low_s
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here

View File

@ -1,51 +0,0 @@
# Copyright 2014, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import unittest
from setools import SELinuxPolicy
from setools.permissivequery import PermissiveQuery
class PolCapQueryTest(unittest.TestCase):
def setUp(self):
self.p = SELinuxPolicy("tests/permissivequery.conf")
def test_000_unset(self):
"""Policy capability query with no criteria"""
# query with no parameters gets all permissives
types = sorted(self.p.permissives())
q = PermissiveQuery(self.p)
q_types = sorted(q.results())
self.assertListEqual(types, q_types)
def test_001_name_exact(self):
"""Permissive query with exact match"""
q = PermissiveQuery(self.p, name="test1", name_regex=False)
types = sorted(str(t) for t in q.results())
self.assertListEqual(["test1"], types)
def test_002_name_regex(self):
"""Permissive query query with regex match"""
q = PermissiveQuery(self.p, name="test2(a|b)$", name_regex=True)
types = sorted(str(t) for t in q.results())
self.assertListEqual(["test2a", "test2b"], types)

View File

@ -158,6 +158,14 @@ type test21t1 alias { test21a test21c };
type test21t2 alias { test21b test21d };
type test21t3 alias { test21e test21f };
# test 30
# name: test30
# attrs: unset
# alias: unset
type test30;
type test30a;
permissive test30;
################################################################################
#users

View File

@ -1,4 +1,4 @@
# Copyright 2014, Tresys Technology, LLC
# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
@ -86,3 +86,10 @@ class TypeQueryTest(unittest.TestCase):
types = sorted(str(t) for t in q.results())
self.assertListEqual(["test21t1", "test21t2"], types)
def test_030_permissive(self):
"""Type query with permissive match"""
q = TypeQuery(self.p, match_permissive=True, permissive=True)
types = sorted(str(t) for t in q.results())
self.assertListEqual(["test30"], types)