mirror of
https://github.com/SELinuxProject/setools
synced 2025-03-11 07:18:15 +00:00
Implement NodeconQuery.
This commit is contained in:
parent
248df414ab
commit
669bc5194a
@ -46,6 +46,7 @@ from . import mlsrulequery
|
||||
from . import fsusequery
|
||||
from . import genfsconquery
|
||||
from . import initsidquery
|
||||
from . import netifconquery
|
||||
from . import nodeconquery
|
||||
|
||||
# Information Flow Analysis
|
||||
|
82
setools/netifconquery.py
Normal file
82
setools/netifconquery.py
Normal file
@ -0,0 +1,82 @@
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
# SETools is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Lesser General Public License as
|
||||
# published by the Free Software Foundation, either version 2.1 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# SETools is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Lesser General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU Lesser General Public
|
||||
# License along with SETools. If not, see
|
||||
# <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
from . import compquery
|
||||
from . import contextquery
|
||||
|
||||
|
||||
class NetifconQuery(compquery.ComponentQuery, contextquery.ContextQuery):
|
||||
|
||||
"""Network interface context query."""
|
||||
|
||||
def __init__(self, policy,
|
||||
name="", name_regex=False,
|
||||
user="", user_regex=False,
|
||||
role="", role_regex=False,
|
||||
type_="", type_regex=False,
|
||||
range_=""):
|
||||
"""
|
||||
Parameters:
|
||||
policy The policy to query.
|
||||
|
||||
user The criteria to match the context's user.
|
||||
user_regex If true, regular expression matching
|
||||
will be used on the user.
|
||||
role The criteria to match the context's role.
|
||||
role_regex If true, regular expression matching
|
||||
will be used on the role.
|
||||
type_ The criteria to match the context's type.
|
||||
type_regex If true, regular expression matching
|
||||
will be used on the type.
|
||||
range_ The criteria to match the context's range.
|
||||
"""
|
||||
|
||||
self.policy = policy
|
||||
|
||||
self.set_name(name, regex=name_regex)
|
||||
self.set_user(user, regex=user_regex)
|
||||
self.set_role(role, regex=role_regex)
|
||||
self.set_type(type_, regex=type_regex)
|
||||
self.set_range(range_)
|
||||
|
||||
def results(self):
|
||||
"""Generator which yields all matching netifcons."""
|
||||
|
||||
for netif in self.policy.netifcons():
|
||||
if self.name and not self._match_regex(
|
||||
netif.netif,
|
||||
self.name,
|
||||
self.name_regex,
|
||||
self.name_cmp):
|
||||
continue
|
||||
|
||||
if not self._match_context(
|
||||
netif.context,
|
||||
self.user,
|
||||
self.user_regex,
|
||||
self.user_cmp,
|
||||
self.role,
|
||||
self.role_regex,
|
||||
self.role_cmp,
|
||||
self.type_,
|
||||
self.type_regex,
|
||||
self.type_cmp,
|
||||
self.range_):
|
||||
continue
|
||||
|
||||
yield netif
|
@ -22,6 +22,7 @@ from . import fsusequery
|
||||
from . import genfsconquery
|
||||
from . import initsidquery
|
||||
from . import mlsrulequery
|
||||
from . import netifconquery
|
||||
from . import nodeconquery
|
||||
from . import objclassquery
|
||||
from . import polcapquery
|
||||
|
199
tests/netifconquery.conf
Normal file
199
tests/netifconquery.conf
Normal file
@ -0,0 +1,199 @@
|
||||
class infoflow
|
||||
class infoflow2
|
||||
class infoflow3
|
||||
class infoflow4
|
||||
class infoflow5
|
||||
class infoflow6
|
||||
class infoflow7
|
||||
|
||||
sid kernel
|
||||
sid security
|
||||
|
||||
common infoflow
|
||||
{
|
||||
low_w
|
||||
med_w
|
||||
hi_w
|
||||
low_r
|
||||
med_r
|
||||
hi_r
|
||||
}
|
||||
|
||||
class infoflow
|
||||
inherits infoflow
|
||||
|
||||
class infoflow2
|
||||
inherits infoflow
|
||||
{
|
||||
super_w
|
||||
super_r
|
||||
}
|
||||
|
||||
class infoflow3
|
||||
{
|
||||
null
|
||||
}
|
||||
|
||||
class infoflow4
|
||||
inherits infoflow
|
||||
|
||||
class infoflow5
|
||||
inherits infoflow
|
||||
|
||||
class infoflow6
|
||||
inherits infoflow
|
||||
|
||||
class infoflow7
|
||||
inherits infoflow
|
||||
{
|
||||
super_w
|
||||
super_r
|
||||
super_none
|
||||
super_both
|
||||
super_unmapped
|
||||
}
|
||||
|
||||
sensitivity s0;
|
||||
sensitivity s1;
|
||||
sensitivity s2;
|
||||
|
||||
dominance { s0 s1 s2 }
|
||||
|
||||
category c0;
|
||||
category c1;
|
||||
category c2;
|
||||
category c3;
|
||||
category c4;
|
||||
|
||||
#level decl
|
||||
level s0:c0.c4;
|
||||
level s1:c0.c4;
|
||||
level s2:c0.c4;
|
||||
|
||||
#some constraints
|
||||
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
||||
|
||||
attribute mls_exempt;
|
||||
|
||||
type system;
|
||||
role system;
|
||||
role system types system;
|
||||
|
||||
role role20_r;
|
||||
role role21a_r;
|
||||
role role21b_r;
|
||||
role role21c_r;
|
||||
|
||||
role role20_r types system;
|
||||
role role21a_r types system;
|
||||
role role21b_r types system;
|
||||
role role21c_r types system;
|
||||
|
||||
type type30;
|
||||
type type31a;
|
||||
type type31b;
|
||||
type type31c;
|
||||
role system types { type30 type31a type31b type31c };
|
||||
|
||||
allow system self:infoflow hi_w;
|
||||
|
||||
#users
|
||||
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
|
||||
user user10 roles system level s0 range s0 - s2:c0.c4;
|
||||
user user11a roles system level s0 range s0 - s2:c0.c4;
|
||||
user user11b roles system level s0 range s0 - s2:c0.c4;
|
||||
user user11c roles system level s0 range s0 - s2:c0.c4;
|
||||
|
||||
#normal constraints
|
||||
constrain infoflow hi_w (u1 == u2);
|
||||
|
||||
#isids
|
||||
sid kernel system:system:system:s0
|
||||
sid security system:system:system:s0
|
||||
|
||||
#fs_use
|
||||
fs_use_trans devpts system:object_r:system:s0;
|
||||
fs_use_xattr ext3 system:object_r:system:s0;
|
||||
fs_use_task pipefs system:object_r:system:s0;
|
||||
|
||||
#genfscon
|
||||
genfscon proc / system:object_r:system:s1
|
||||
genfscon proc /sys system:object_r:system:s0
|
||||
genfscon selinuxfs / system:object_r:system:s2:c0.c4
|
||||
|
||||
portcon tcp 80 system:object_r:system:s0
|
||||
|
||||
# test 1:
|
||||
# name: test1, exact
|
||||
# user: unset
|
||||
# role: unset
|
||||
# type: unset
|
||||
# range: unset
|
||||
netifcon test1 system:system:system:s0:c0.c4 system:object_r:system:s0
|
||||
|
||||
# test 2:
|
||||
# name: test2(a|b), regex
|
||||
# user: unset
|
||||
# role: unset
|
||||
# type: unset
|
||||
# range: unset
|
||||
netifcon test2a system:system:system:s0:c0.c1 system:object_r:system:s0
|
||||
netifcon test2b system:system:system:s0:c2.c4 system:object_r:system:s0
|
||||
|
||||
# test 10:
|
||||
# name: unset
|
||||
# user: user10, exact
|
||||
# role: unset
|
||||
# type: unset
|
||||
# range: unset
|
||||
netifcon test10 user10:system:system:s0:c0.c1 system:object_r:system:s0
|
||||
|
||||
# test 11:
|
||||
# name: unset
|
||||
# user: user11(a|b), regex
|
||||
# role: unset
|
||||
# type: unset
|
||||
# range: unset
|
||||
netifcon test11a user11a:system:system:s0:c0.c1 system:object_r:system:s0
|
||||
netifcon test11b user11b:system:system:s0:c0.c1 system:object_r:system:s0
|
||||
netifcon test11c user11c:system:system:s0:c0.c1 system:object_r:system:s0
|
||||
|
||||
# test 20:
|
||||
# name: unset
|
||||
# user: unset
|
||||
# role: role20_r, exact
|
||||
# type: unset
|
||||
# range: unset
|
||||
netifcon test20 system:role20_r:system:s0:c0.c1 system:object_r:system:s0
|
||||
|
||||
# test 21:
|
||||
# name: unset
|
||||
# user: unset
|
||||
# role: role20(a|c)_r, regex
|
||||
# type: unset
|
||||
# range: unset
|
||||
netifcon test21a system:role21a_r:system:s0:c0.c1 system:object_r:system:s0
|
||||
netifcon test21b system:role21b_r:system:s0:c0.c1 system:object_r:system:s0
|
||||
netifcon test21c system:role21c_r:system:s0:c0.c1 system:object_r:system:s0
|
||||
|
||||
# test 30:
|
||||
# name: unset
|
||||
# user: unset
|
||||
# role: unset
|
||||
# type: type30
|
||||
# range: unset
|
||||
netifcon test30 system:system:type30:s0:c0.c1 system:object_r:system:s0
|
||||
|
||||
# test 31:
|
||||
# name: unset
|
||||
# user: unset
|
||||
# role: unset
|
||||
# type: type31(b|c)
|
||||
# range: unset
|
||||
netifcon test31a system:system:type31a:s0:c0.c1 system:object_r:system:s0
|
||||
netifcon test31b system:system:type31b:s0:c0.c1 system:object_r:system:s0
|
||||
netifcon test31c system:system:type31c:s0:c0.c1 system:object_r:system:s0
|
||||
|
||||
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
|
||||
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
|
||||
|
95
tests/netifconquery.py
Normal file
95
tests/netifconquery.py
Normal file
@ -0,0 +1,95 @@
|
||||
# Copyright 2014, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
# SETools is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# SETools is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
import unittest
|
||||
|
||||
from setools import SELinuxPolicy
|
||||
from setools.netifconquery import NetifconQuery
|
||||
|
||||
|
||||
class NetifconQueryTest(unittest.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
self.p = SELinuxPolicy("tests/netifconquery.conf")
|
||||
|
||||
def test_000_unset(self):
|
||||
"""Netifcon query with no criteria"""
|
||||
# query with no parameters gets all netifs.
|
||||
for numrules, s in enumerate(self.p.netifcons(), start=1):
|
||||
pass
|
||||
|
||||
q = NetifconQuery(self.p)
|
||||
for q_numrules, s in enumerate(q.results(), start=1):
|
||||
pass
|
||||
|
||||
self.assertEqual(numrules, q_numrules)
|
||||
|
||||
def test_001_name_exact(self):
|
||||
"""Netifcon query with exact match"""
|
||||
q = NetifconQuery(self.p, name="test1", name_regex=False)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test1"], netifs)
|
||||
|
||||
def test_002_name_regex(self):
|
||||
"""Netifcon query with regex match"""
|
||||
q = NetifconQuery(self.p, name="test2(a|b)", name_regex=True)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test2a", "test2b"], netifs)
|
||||
|
||||
def test_010_user_exact(self):
|
||||
"""Netifcon query with context user exact match"""
|
||||
q = NetifconQuery(self.p, user="user10", user_regex=False)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test10"], netifs)
|
||||
|
||||
def test_011_user_regex(self):
|
||||
"""Netifcon query with context user regex match"""
|
||||
q = NetifconQuery(self.p, user="user11(a|b)", user_regex=True)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test11a", "test11b"], netifs)
|
||||
|
||||
def test_020_role_exact(self):
|
||||
"""Netifcon query with context role exact match"""
|
||||
q = NetifconQuery(self.p, role="role20_r", role_regex=False)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test20"], netifs)
|
||||
|
||||
def test_021_role_regex(self):
|
||||
"""Netifcon query with context role regex match"""
|
||||
q = NetifconQuery(self.p, role="role21(a|c)_r", role_regex=True)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test21a", "test21c"], netifs)
|
||||
|
||||
def test_030_type_exact(self):
|
||||
"""Netifcon query with context type exact match"""
|
||||
q = NetifconQuery(self.p, type_="type30", type_regex=False)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test30"], netifs)
|
||||
|
||||
def test_031_type_regex(self):
|
||||
"""Netifcon query with context type regex match"""
|
||||
q = NetifconQuery(self.p, type_="type31(b|c)", type_regex=True)
|
||||
|
||||
netifs = sorted(s.netif for s in q.results())
|
||||
self.assertListEqual(["test31b", "test31c"], netifs)
|
Loading…
Reference in New Issue
Block a user