mirror of
https://github.com/SELinuxProject/setools
synced 2025-03-11 07:18:15 +00:00
Move permissive query into type query
TypeQuery needed the permisive matching support to be complete. This made PermissiveQuery redundant. Made the permissive state an option, so enforcing types could be queried.
This commit is contained in:
parent
3ec1cf7d60
commit
2418619e2a
@ -1,5 +1,5 @@
|
||||
"""The SETools SELinux policy analysis library."""
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
# Copyright 2014-2015, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
@ -35,7 +35,6 @@ from . import rolequery
|
||||
from . import userquery
|
||||
from . import boolquery
|
||||
from . import polcapquery
|
||||
from . import permissivequery
|
||||
|
||||
# Rule Queries
|
||||
from . import terulequery
|
||||
|
@ -1,51 +0,0 @@
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
# SETools is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Lesser General Public License as
|
||||
# published by the Free Software Foundation, either version 2.1 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# SETools is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Lesser General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU Lesser General Public
|
||||
# License along with SETools. If not, see
|
||||
# <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
import re
|
||||
|
||||
from . import compquery
|
||||
|
||||
|
||||
class PermissiveQuery(compquery.ComponentQuery):
|
||||
|
||||
"""Query permissive types"""
|
||||
|
||||
def __init__(self, policy,
|
||||
name="", name_regex=False):
|
||||
"""
|
||||
Parameters:
|
||||
name The name of the permissive type to match.
|
||||
name_regex If true, regular expression matching will
|
||||
be used for matching the name.
|
||||
"""
|
||||
|
||||
self.policy = policy
|
||||
self.set_name(name, regex=name_regex)
|
||||
|
||||
def results(self):
|
||||
"""Generator which yields all matching permissive types."""
|
||||
|
||||
for t in self.policy.permissives():
|
||||
if self.name and not self._match_regex(
|
||||
t,
|
||||
self.name,
|
||||
self.name_regex,
|
||||
self.name_cmp):
|
||||
continue
|
||||
|
||||
yield t
|
@ -1,4 +1,4 @@
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
# Copyright 2014-2015, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
@ -28,30 +28,34 @@ class TypeQuery(compquery.ComponentQuery):
|
||||
def __init__(self, policy,
|
||||
name="", name_regex=False,
|
||||
alias="", alias_regex=False,
|
||||
attrs=set(), attrs_equal=False, attrs_regex=False):
|
||||
attrs=set(), attrs_equal=False, attrs_regex=False,
|
||||
permissive=False, match_permissive=False):
|
||||
"""
|
||||
Parameter:
|
||||
policy The policy to query.
|
||||
name The type name to match.
|
||||
name_regex If true, regular expression matching
|
||||
will be used on the type names.
|
||||
alias The alias name to match.
|
||||
alias_regex If true, regular expression matching
|
||||
will be used on the alias names.
|
||||
attrs The attribute to match.
|
||||
attrs_equal If true, only types with attribute sets
|
||||
that are equal to the criteria will
|
||||
match. Otherwise, any intersection
|
||||
will match.
|
||||
attrs_regex If true, regular expression matching
|
||||
will be used on the attribute names instead
|
||||
of set logic.
|
||||
policy The policy to query.
|
||||
name The type name to match.
|
||||
name_regex If true, regular expression matching
|
||||
will be used on the type names.
|
||||
alias The alias name to match.
|
||||
alias_regex If true, regular expression matching
|
||||
will be used on the alias names.
|
||||
attrs The attribute to match.
|
||||
attrs_equal If true, only types with attribute sets
|
||||
that are equal to the criteria will
|
||||
match. Otherwise, any intersection
|
||||
will match.
|
||||
attrs_regex If true, regular expression matching
|
||||
will be used on the attribute names instead
|
||||
of set logic.
|
||||
match_permissive If true, the permissive state will be matched.
|
||||
permissive The permissive state to match.
|
||||
"""
|
||||
|
||||
self.policy = policy
|
||||
self.set_name(name, regex=name_regex)
|
||||
self.set_alias(alias, regex=alias_regex)
|
||||
self.set_attrs(attrs, regex=attrs_regex, equal=attrs_equal)
|
||||
self.set_permissive(match_permissive, permissive=permissive)
|
||||
|
||||
def results(self):
|
||||
"""Generator which yields all matching types."""
|
||||
@ -79,6 +83,9 @@ class TypeQuery(compquery.ComponentQuery):
|
||||
self.attrs_cmp):
|
||||
continue
|
||||
|
||||
if self.match_permissive and t.ispermissive != self.permissive:
|
||||
continue
|
||||
|
||||
yield t
|
||||
|
||||
def set_alias(self, alias, **opts):
|
||||
@ -141,3 +148,24 @@ class TypeQuery(compquery.ComponentQuery):
|
||||
self.attrs_cmp = re.compile(self.attrs)
|
||||
else:
|
||||
self.attrs_cmp = None
|
||||
|
||||
def set_permissive(self, match, **opts):
|
||||
"""
|
||||
Set if the permissive state should be matched.
|
||||
|
||||
Parameter:
|
||||
match If true, the permissive state will be matched.
|
||||
permissive If true, permissive types will match, otherwise
|
||||
enforcing types will match.
|
||||
|
||||
Exceptions:
|
||||
NameError Invalid keyword option.
|
||||
"""
|
||||
|
||||
self.match_permissive = bool(match)
|
||||
|
||||
for k in list(opts.keys()):
|
||||
if k == "permissive":
|
||||
self.permissive = bool(opts[k])
|
||||
else:
|
||||
raise NameError("Invalid permissive option: {0}".format(k))
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
# Copyright 2014-2015, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
@ -26,7 +26,6 @@ from . import netifconquery
|
||||
from . import nodeconquery
|
||||
from . import objclassquery
|
||||
from . import polcapquery
|
||||
from . import permissivequery
|
||||
from . import infoflow
|
||||
from . import terulequery
|
||||
from . import rbacrulequery
|
||||
|
@ -1,135 +0,0 @@
|
||||
class infoflow
|
||||
class infoflow2
|
||||
class infoflow3
|
||||
class infoflow4
|
||||
class infoflow5
|
||||
class infoflow6
|
||||
class infoflow7
|
||||
|
||||
sid kernel
|
||||
sid security
|
||||
|
||||
common infoflow
|
||||
{
|
||||
low_w
|
||||
med_w
|
||||
hi_w
|
||||
low_r
|
||||
med_r
|
||||
hi_r
|
||||
}
|
||||
|
||||
class infoflow
|
||||
inherits infoflow
|
||||
|
||||
class infoflow2
|
||||
inherits infoflow
|
||||
{
|
||||
super_w
|
||||
super_r
|
||||
}
|
||||
|
||||
class infoflow3
|
||||
{
|
||||
null
|
||||
}
|
||||
|
||||
class infoflow4
|
||||
inherits infoflow
|
||||
|
||||
class infoflow5
|
||||
inherits infoflow
|
||||
|
||||
class infoflow6
|
||||
inherits infoflow
|
||||
|
||||
class infoflow7
|
||||
inherits infoflow
|
||||
{
|
||||
super_w
|
||||
super_r
|
||||
super_none
|
||||
super_both
|
||||
super_unmapped
|
||||
}
|
||||
|
||||
sensitivity low_s;
|
||||
sensitivity medium_s alias med;
|
||||
sensitivity high_s;
|
||||
|
||||
dominance { low_s med high_s }
|
||||
|
||||
category here;
|
||||
category there;
|
||||
category elsewhere alias lost;
|
||||
|
||||
#level decl
|
||||
level low_s:here.there;
|
||||
level med:here, elsewhere;
|
||||
level high_s:here.lost;
|
||||
|
||||
#some constraints
|
||||
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
||||
|
||||
attribute mls_exempt;
|
||||
|
||||
type system;
|
||||
role system;
|
||||
role system types system;
|
||||
|
||||
################################################################################
|
||||
# Type enforcement declarations and rules
|
||||
|
||||
########################################
|
||||
#
|
||||
# Type Query
|
||||
#
|
||||
|
||||
# test 1
|
||||
# name: test1
|
||||
# attrs: unset
|
||||
# alias: unset
|
||||
type test1;
|
||||
type test1a;
|
||||
permissive test1;
|
||||
|
||||
|
||||
# test 2
|
||||
# name: test2(a|b)$ regex
|
||||
type test2a;
|
||||
type test2b;
|
||||
type test2c alias test2alias;
|
||||
type test2aFAIL;
|
||||
permissive test2a;
|
||||
permissive test2b;
|
||||
permissive test2aFAIL;
|
||||
|
||||
################################################################################
|
||||
|
||||
#users
|
||||
user system roles system level med range low_s - high_s:here.lost;
|
||||
|
||||
#normal constraints
|
||||
constrain infoflow hi_w (u1 == u2);
|
||||
|
||||
#isids
|
||||
sid kernel system:system:system:medium_s:here
|
||||
sid security system:system:system:high_s:lost
|
||||
|
||||
#fs_use
|
||||
fs_use_trans devpts system:object_r:system:low_s;
|
||||
fs_use_xattr ext3 system:object_r:system:low_s;
|
||||
fs_use_task pipefs system:object_r:system:low_s;
|
||||
|
||||
#genfscon
|
||||
genfscon proc / system:object_r:system:med
|
||||
genfscon proc /sys system:object_r:system:low_s
|
||||
genfscon selinuxfs / system:object_r:system:high_s:here.there
|
||||
|
||||
portcon tcp 80 system:object_r:system:low_s
|
||||
|
||||
netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
|
||||
|
||||
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
|
||||
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
|
||||
|
@ -1,51 +0,0 @@
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
# SETools is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# SETools is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
import unittest
|
||||
|
||||
from setools import SELinuxPolicy
|
||||
from setools.permissivequery import PermissiveQuery
|
||||
|
||||
|
||||
class PolCapQueryTest(unittest.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
self.p = SELinuxPolicy("tests/permissivequery.conf")
|
||||
|
||||
def test_000_unset(self):
|
||||
"""Policy capability query with no criteria"""
|
||||
# query with no parameters gets all permissives
|
||||
types = sorted(self.p.permissives())
|
||||
|
||||
q = PermissiveQuery(self.p)
|
||||
q_types = sorted(q.results())
|
||||
|
||||
self.assertListEqual(types, q_types)
|
||||
|
||||
def test_001_name_exact(self):
|
||||
"""Permissive query with exact match"""
|
||||
q = PermissiveQuery(self.p, name="test1", name_regex=False)
|
||||
|
||||
types = sorted(str(t) for t in q.results())
|
||||
self.assertListEqual(["test1"], types)
|
||||
|
||||
def test_002_name_regex(self):
|
||||
"""Permissive query query with regex match"""
|
||||
q = PermissiveQuery(self.p, name="test2(a|b)$", name_regex=True)
|
||||
|
||||
types = sorted(str(t) for t in q.results())
|
||||
self.assertListEqual(["test2a", "test2b"], types)
|
@ -158,6 +158,14 @@ type test21t1 alias { test21a test21c };
|
||||
type test21t2 alias { test21b test21d };
|
||||
type test21t3 alias { test21e test21f };
|
||||
|
||||
# test 30
|
||||
# name: test30
|
||||
# attrs: unset
|
||||
# alias: unset
|
||||
type test30;
|
||||
type test30a;
|
||||
permissive test30;
|
||||
|
||||
################################################################################
|
||||
|
||||
#users
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
# Copyright 2014-2015, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
@ -86,3 +86,10 @@ class TypeQueryTest(unittest.TestCase):
|
||||
|
||||
types = sorted(str(t) for t in q.results())
|
||||
self.assertListEqual(["test21t1", "test21t2"], types)
|
||||
|
||||
def test_030_permissive(self):
|
||||
"""Type query with permissive match"""
|
||||
q = TypeQuery(self.p, match_permissive=True, permissive=True)
|
||||
|
||||
types = sorted(str(t) for t in q.results())
|
||||
self.assertListEqual(["test30"], types)
|
||||
|
Loading…
Reference in New Issue
Block a user