RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-02-23 15:47:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Implement genfscon query.

Browse Source
This commit is contained in:
Chris PeBenito 2014-11-02 10:47:30 -05:00
parent 49fd39c9c2
commit 4e7aeed9ff
7 changed files with 507 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
seinfo
View File

@ -156,3 +156,15 @@ if args.initialsidquery:
print(i.statement()) print(i.statement())
else: else:
print(i) print(i)
if args.genfsconquery:
if isinstance(args.genfsconquery, str):
q = setools.genfsconquery.GenfsconQuery(p, args.genfsconquery)
else:
q = setools.genfsconquery.GenfsconQuery(p)
for g in sorted(q.results()):
if args.expand:
print(g.statement())
else:
print(g)

1
setools/__init__.py
View File

@ -43,6 +43,7 @@ from . import rbacrulequery
from . import mlsrulequery from . import mlsrulequery
# In-policy Context Queries # In-policy Context Queries
from . import genfsconquery
from . import initsidquery from . import initsidquery
# Information Flow Analysis # Information Flow Analysis

149
setools/genfsconquery.py Normal file
View File

@ -0,0 +1,149 @@
# Copyright 2014, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
import re
from . import compquery
from . import contextquery
class GenfsconQuery(contextquery.ContextQuery):
"""Genfscon query."""
def __init__(self, policy,
fs="", fs_regex=False,
path="", path_regex=False,
user="", user_regex=False,
role="", role_regex=False,
type_="", type_regex=False,
range_=""):
"""
Parameters:
policy The policy to query.
fs The criteria to match the file system type.
fs_regex If true, regular expression matching
will be used on the file system type.
path The criteria to match the path.
path_regex If true, regular expression matching
will be used on the path.
user The criteria to match the context's user.
user_regex If true, regular expression matching
will be used on the user.
role The criteria to match the context's role.
role_regex If true, regular expression matching
will be used on the role.
type_ The criteria to match the context's type.
type_regex If true, regular expression matching
will be used on the type.
range_ The criteria to match the context's range.
"""
self.policy = policy
self.set_fs(fs, regex=fs_regex)
self.set_path(path, regex=path_regex)
self.set_user(user, regex=user_regex)
self.set_role(role, regex=role_regex)
self.set_type(type_, regex=type_regex)
self.set_range(range_)
def results(self):
"""Generator which yields all matching genfscons."""
for g in self.policy.genfscons():
if self.fs and not self._match_regex(
g.fs,
self.fs,
self.fs_regex,
self.fs_cmp):
continue
if self.path and not self._match_regex(
g.path,
self.path,
self.path_regex,
self.path_cmp):
continue
if not self._match_context(
g.context,
self.user,
self.user_regex,
self.user_cmp,
self.role,
self.role_regex,
self.role_cmp,
self.type_,
self.type_regex,
self.type_cmp,
self.range_):
continue
yield g
def set_fs(self, fs, **opts):
"""
Set the criteria for matching the file system type.
Parameter:
fs Name to match the file system.
regex If true, regular expression matching will be used.
Exceptions:
NameError Invalid keyword option.
"""
self.fs = str(fs)
for k in list(opts.keys()):
if k == "regex":
self.fs_regex = opts[k]
else:
raise NameError("Invalid name option: {0}".format(k))
if self.fs_regex:
self.fs_cmp = re.compile(self.fs)
else:
self.fs_cmp = None
def set_path(self, path, **opts):
"""
Set the criteria for matching the path.
Parameter:
path Criteria to match the path.
regex If true, regular expression matching will be used.
Exceptions:
NameError Invalid keyword option.
"""
self.path = str(path)
for k in list(opts.keys()):
if k == "regex":
self.path_regex = opts[k]
else:
raise NameError("Invalid name option: {0}".format(k))
if self.path_regex:
self.path_cmp = re.compile(self.path)
else:
self.path_cmp = None

4
setools/policyrep/fscontext.py
View File

@ -49,6 +49,10 @@ class Genfscon(FSContext):
def __str__(self): def __str__(self):
return "genfscon {0.fs} {0.path} {0.context}".format(self) return "genfscon {0.fs} {0.path} {0.context}".format(self)
def filetype(self):
"""The file type for this genfscon statement."""
raise NotImplementedError
@property @property
def path(self): def path(self):
"""The path for this genfscon statement.""" """The path for this genfscon statement."""

1
tests/__init__.py
View File

@ -18,6 +18,7 @@
from . import boolquery from . import boolquery
from . import commonquery from . import commonquery
from . import dta from . import dta
from . import genfsconquery
from . import initsidquery from . import initsidquery
from . import objclassquery from . import objclassquery
from . import polcapquery from . import polcapquery

231
tests/genfsconquery.conf Normal file
View File

@ -0,0 +1,231 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
sensitivity s0;
sensitivity s1;
sensitivity s2;
dominance { s0 s1 s2 }
category c0;
category c1;
category c2;
category c3;
category c4;
#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
role role30_r;
role role31a_r;
role role31b_r;
role role31c_r;
role role30_r types system;
role role31a_r types system;
role role31b_r types system;
role role31c_r types system;
type type40;
type type41a;
type type41b;
type type41c;
role system types { type40 type41a type41b type41c };
################################################################################
# Type enforcement declarations and rules
################################################################################
#users
user system roles { system role30_r role31a_r role31b_r role31c_r } level s0 range s0 - s2:c0.c4;
user user20 roles system level s0 range s0 - s2:c0.c4;
user user21a roles system level s0 range s0 - s2:c0.c4;
user user21b roles system level s0 range s0 - s2:c0.c4;
user user21c roles system level s0 range s0 - s2:c0.c4;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
#genfscon
# test 1:
# fs: test1, exact
# path: unset
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test1 / system:system:system:s0:c0.c4
# test 2:
# fs: test2(a|b), regex
# path: unset
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test2a / system:system:system:s0:c0.c1
genfscon test2b / system:system:system:s0:c2.c4
# test 10:
# fs: unset
# path: /sys, exact
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test10 /sys system:system:system:s0:c2.c4
# test 11:
# fs: unset
# path: /(spam|eggs), regex
# user: unset
# role: unset
# type: unset
# range: unset
genfscon test11a /spam system:system:system:s0:c2.c4
genfscon test11b /eggs system:system:system:s0:c2.c4
genfscon test11c /FAIL system:system:system:s0:c2.c4
# test 20:
# fs: unset
# path: unset
# user: user20, exact
# role: unset
# type: unset
# range: unset
genfscon test20 / user20:system:system:s0:c0.c1
# test 21:
# fs: unset
# path: unset
# user: user21(a|b), regex
# role: unset
# type: unset
# range: unset
genfscon test21a / user21a:system:system:s0:c0.c1
genfscon test21b / user21b:system:system:s0:c0.c1
genfscon test21c / user21c:system:system:s0:c0.c1
# test 30:
# fs: unset
# path: unset
# user: unset
# role: role30_r, exact
# type: unset
# range: unset
genfscon test30 / system:role30_r:system:s0:c0.c1
# test 31:
# fs: unset
# path: unset
# user: unset
# role: role30(a|c)_r, regex
# type: unset
# range: unset
genfscon test31a / system:role31a_r:system:s0:c0.c1
genfscon test31b / system:role31b_r:system:s0:c0.c1
genfscon test31c / system:role31c_r:system:s0:c0.c1
# test 40:
# fs: unset
# path: unset
# user: unset
# role: unset
# type: type40
# range: unset
genfscon test40 / system:system:type40:s0:c0.c1
# test 41:
# fs: unset
# path: unset
# user: unset
# role: unset
# type: type41(b|c)
# range: unset
genfscon test41a / system:system:type41a:s0:c0.c1
genfscon test41b / system:system:type41b:s0:c0.c1
genfscon test41c / system:system:type41c:s0:c0.c1
portcon tcp 80 system:object_r:system:s0
netifcon eth0 system:object_r:system:s0 system:object_r:system:s0
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0

109
tests/genfsconquery.py Normal file
View File

@ -0,0 +1,109 @@
# Copyright 2014, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import unittest
from setools import SELinuxPolicy
from setools.genfsconquery import GenfsconQuery
class GenfsconQueryTest(unittest.TestCase):
def setUp(self):
self.p = SELinuxPolicy("tests/genfsconquery.conf")
def test_000_unset(self):
"""Genfscon query with no criteria"""
# query with no parameters gets all genfs.
for numrules, s in enumerate(self.p.genfscons(), start=1):
pass
q = GenfsconQuery(self.p)
for q_numrules, s in enumerate(q.results(), start=1):
pass
self.assertEqual(numrules, q_numrules)
def test_001_fs_exact(self):
"""Genfscon query with exact fs match"""
q = GenfsconQuery(self.p, fs="test1", fs_regex=False)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test1"], genfs)
def test_002_fs_regex(self):
"""Genfscon query with regex fs match"""
q = GenfsconQuery(self.p, fs="test2(a|b)", fs_regex=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test2a", "test2b"], genfs)
def test_010_path_exact(self):
"""Genfscon query with exact path match"""
q = GenfsconQuery(self.p, path="/sys", path_regex=False)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test10"], genfs)
def test_011_path_regex(self):
"""Genfscon query with regex path match"""
q = GenfsconQuery(self.p, path="/(spam|eggs)", path_regex=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test11a", "test11b"], genfs)
def test_020_user_exact(self):
"""Genfscon query with context user exact match"""
q = GenfsconQuery(self.p, user="user20", user_regex=False)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test20"], genfs)
def test_021_user_regex(self):
"""Genfscon query with context user regex match"""
q = GenfsconQuery(self.p, user="user21(a|b)", user_regex=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test21a", "test21b"], genfs)
def test_030_role_exact(self):
"""Genfscon query with context role exact match"""
q = GenfsconQuery(self.p, role="role30_r", role_regex=False)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test30"], genfs)
def test_031_role_regex(self):
"""Genfscon query with context role regex match"""
q = GenfsconQuery(self.p, role="role31(a|c)_r", role_regex=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test31a", "test31c"], genfs)
def test_040_type_exact(self):
"""Genfscon query with context type exact match"""
q = GenfsconQuery(self.p, type_="type40", type_regex=False)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test40"], genfs)
def test_041_type_regex(self):
"""Genfscon query with context type regex match"""
q = GenfsconQuery(self.p, type_="type41(b|c)", type_regex=True)
genfs = sorted(s.fs for s in q.results())
self.assertListEqual(["test41b", "test41c"], genfs)