Implement NodeconQuery.

This commit is contained in:
Chris PeBenito 2014-11-08 22:40:42 -05:00
parent 248df414ab
commit 669bc5194a
5 changed files with 378 additions and 0 deletions


@ -46,6 +46,7 @@ from . import mlsrulequery
from . import fsusequery
from . import genfsconquery
from . import initsidquery
from . import netifconquery
from . import nodeconquery
# Information Flow Analysis

82
setools/netifconquery.py Normal file

@ -0,0 +1,82 @@
# Copyright 2014, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
from . import compquery
from . import contextquery
class NetifconQuery(compquery.ComponentQuery, contextquery.ContextQuery):
"""Network interface context query."""
def __init__(self, policy,
name="", name_regex=False,
user="", user_regex=False,
role="", role_regex=False,
type_="", type_regex=False,
range_=""):
"""
Parameters:
policy The policy to query.
user The criteria to match the context's user.
user_regex If true, regular expression matching
will be used on the user.
role The criteria to match the context's role.
role_regex If true, regular expression matching
will be used on the role.
type_ The criteria to match the context's type.
type_regex If true, regular expression matching
will be used on the type.
range_ The criteria to match the context's range.
"""
self.policy = policy
self.set_name(name, regex=name_regex)
self.set_user(user, regex=user_regex)
self.set_role(role, regex=role_regex)
self.set_type(type_, regex=type_regex)
self.set_range(range_)
def results(self):
"""Generator which yields all matching netifcons."""
for netif in self.policy.netifcons():
if self.name and not self._match_regex(
netif.netif,
self.name,
self.name_regex,
self.name_cmp):
continue
if not self._match_context(
netif.context,
self.user,
self.user_regex,
self.user_cmp,
self.role,
self.role_regex,
self.role_cmp,
self.type_,
self.type_regex,
self.type_cmp,
self.range_):
continue
yield netif
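Review bot: results() matches the user/role/type/range criteria only against `netif.context`, yet every netifcon in the accompanying fixture carries two contexts (e.g. `netifcon test1 system:system:system:s0:c0.c4 system:object_r:system:s0`), so whichever context the second field represents is never consulted and a query aimed at it silently returns nothing; either document that only the first context is matched or add a second criteria set for the other one. The docstring also omits the `name` and `name_regex` parameters the signature accepts; add `name The criteria to match the network interface name.` and `name_regex If true, regular expression matching will be used on the name.` alongside the others. __init__ does not call the base-class initializers, which presumably mirrors the other *Query classes but is worth confirming for the ContextQuery mixin. Separately, the commit title reads "Implement NodeconQuery." while every file here implements NetifconQuery, presumably a copy-paste slip in the message.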


@ -22,6 +22,7 @@ from . import fsusequery
from . import genfsconquery
from . import initsidquery
from . import mlsrulequery
from . import netifconquery
from . import nodeconquery
from . import objclassquery
from . import polcapquery

199
tests/netifconquery.conf Normal file

@ -0,0 +1,199 @@
class infoflow
class infoflow2
class infoflow3
class infoflow4
class infoflow5
class infoflow6
class infoflow7
sid kernel
sid security
common infoflow
{
low_w
med_w
hi_w
low_r
med_r
hi_r
}
class infoflow
inherits infoflow
class infoflow2
inherits infoflow
{
super_w
super_r
}
class infoflow3
{
null
}
class infoflow4
inherits infoflow
class infoflow5
inherits infoflow
class infoflow6
inherits infoflow
class infoflow7
inherits infoflow
{
super_w
super_r
super_none
super_both
super_unmapped
}
sensitivity s0;
sensitivity s1;
sensitivity s2;
dominance { s0 s1 s2 }
category c0;
category c1;
category c2;
category c3;
category c4;
#level decl
level s0:c0.c4;
level s1:c0.c4;
level s2:c0.c4;
#some constraints
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
attribute mls_exempt;
type system;
role system;
role system types system;
role role20_r;
role role21a_r;
role role21b_r;
role role21c_r;
role role20_r types system;
role role21a_r types system;
role role21b_r types system;
role role21c_r types system;
type type30;
type type31a;
type type31b;
type type31c;
role system types { type30 type31a type31b type31c };
allow system self:infoflow hi_w;
#users
user system roles { system role20_r role21a_r role21b_r role21c_r } level s0 range s0 - s2:c0.c4;
user user10 roles system level s0 range s0 - s2:c0.c4;
user user11a roles system level s0 range s0 - s2:c0.c4;
user user11b roles system level s0 range s0 - s2:c0.c4;
user user11c roles system level s0 range s0 - s2:c0.c4;
#normal constraints
constrain infoflow hi_w (u1 == u2);
#isids
sid kernel system:system:system:s0
sid security system:system:system:s0
#fs_use
fs_use_trans devpts system:object_r:system:s0;
fs_use_xattr ext3 system:object_r:system:s0;
fs_use_task pipefs system:object_r:system:s0;
#genfscon
genfscon proc / system:object_r:system:s1
genfscon proc /sys system:object_r:system:s0
genfscon selinuxfs / system:object_r:system:s2:c0.c4
portcon tcp 80 system:object_r:system:s0
# test 1:
# name: test1, exact
# user: unset
# role: unset
# type: unset
# range: unset
netifcon test1 system:system:system:s0:c0.c4 system:object_r:system:s0
# test 2:
# name: test2(a|b), regex
# user: unset
# role: unset
# type: unset
# range: unset
netifcon test2a system:system:system:s0:c0.c1 system:object_r:system:s0
netifcon test2b system:system:system:s0:c2.c4 system:object_r:system:s0
# test 10:
# name: unset
# user: user10, exact
# role: unset
# type: unset
# range: unset
netifcon test10 user10:system:system:s0:c0.c1 system:object_r:system:s0
# test 11:
# name: unset
# user: user11(a|b), regex
# role: unset
# type: unset
# range: unset
netifcon test11a user11a:system:system:s0:c0.c1 system:object_r:system:s0
netifcon test11b user11b:system:system:s0:c0.c1 system:object_r:system:s0
netifcon test11c user11c:system:system:s0:c0.c1 system:object_r:system:s0
# test 20:
# name: unset
# user: unset
# role: role20_r, exact
# type: unset
# range: unset
netifcon test20 system:role20_r:system:s0:c0.c1 system:object_r:system:s0
# test 21:
# name: unset
# user: unset
# role: role20(a|c)_r, regex
# type: unset
# range: unset
netifcon test21a system:role21a_r:system:s0:c0.c1 system:object_r:system:s0
netifcon test21b system:role21b_r:system:s0:c0.c1 system:object_r:system:s0
netifcon test21c system:role21c_r:system:s0:c0.c1 system:object_r:system:s0
# test 30:
# name: unset
# user: unset
# role: unset
# type: type30
# range: unset
netifcon test30 system:system:type30:s0:c0.c1 system:object_r:system:s0
# test 31:
# name: unset
# user: unset
# role: unset
# type: type31(b|c)
# range: unset
netifcon test31a system:system:type31a:s0:c0.c1 system:object_r:system:s0
netifcon test31b system:system:type31b:s0:c0.c1 system:object_r:system:s0
netifcon test31c system:system:type31c:s0:c0.c1 system:object_r:system:s0
nodecon 127.0.0.1 255.255.255.255 system:object_r:system:s0
nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:s0
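Review bot: The fixture comment for test 21 names the wrong role pattern: `# role: role20(a|c)_r, regex` should read `# role: role21(a|c)_r, regex`, matching the role21a_r/role21b_r/role21c_r entries beneath it and the pattern the corresponding test actually uses. The test 30 header `# type: type30` is also the only criteria line without an `exact`/`regex` qualifier; `# type: type30, exact` keeps it consistent with the rest. No fixture exercises the `range_` criterion even though the ranges already differ across entries (s0:c0.c4 versus s0:c0.c1 and s0:c2.c4), so a `# test 40:` group for range matching would be cheap to add here.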

95
tests/netifconquery.py Normal file

@ -0,0 +1,95 @@
# Copyright 2014, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
import unittest
from setools import SELinuxPolicy
from setools.netifconquery import NetifconQuery
class NetifconQueryTest(unittest.TestCase):
def setUp(self):
self.p = SELinuxPolicy("tests/netifconquery.conf")
def test_000_unset(self):
"""Netifcon query with no criteria"""
# query with no parameters gets all netifs.
for numrules, s in enumerate(self.p.netifcons(), start=1):
pass
q = NetifconQuery(self.p)
for q_numrules, s in enumerate(q.results(), start=1):
pass
self.assertEqual(numrules, q_numrules)
def test_001_name_exact(self):
"""Netifcon query with exact match"""
q = NetifconQuery(self.p, name="test1", name_regex=False)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test1"], netifs)
def test_002_name_regex(self):
"""Netifcon query with regex match"""
q = NetifconQuery(self.p, name="test2(a|b)", name_regex=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test2a", "test2b"], netifs)
def test_010_user_exact(self):
"""Netifcon query with context user exact match"""
q = NetifconQuery(self.p, user="user10", user_regex=False)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test10"], netifs)
def test_011_user_regex(self):
"""Netifcon query with context user regex match"""
q = NetifconQuery(self.p, user="user11(a|b)", user_regex=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test11a", "test11b"], netifs)
def test_020_role_exact(self):
"""Netifcon query with context role exact match"""
q = NetifconQuery(self.p, role="role20_r", role_regex=False)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test20"], netifs)
def test_021_role_regex(self):
"""Netifcon query with context role regex match"""
q = NetifconQuery(self.p, role="role21(a|c)_r", role_regex=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test21a", "test21c"], netifs)
def test_030_type_exact(self):
"""Netifcon query with context type exact match"""
q = NetifconQuery(self.p, type_="type30", type_regex=False)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test30"], netifs)
def test_031_type_regex(self):
"""Netifcon query with context type regex match"""
q = NetifconQuery(self.p, type_="type31(b|c)", type_regex=True)
netifs = sorted(s.netif for s in q.results())
self.assertListEqual(["test31b", "test31c"], netifs)
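Review bot: The `range_` criterion accepted by NetifconQuery is never exercised: the tests stop at type matching (test_031) and the fixture has no test 40 group, so a regression in range handling for netifcons would go unnoticed. A test along the lines of `q = NetifconQuery(self.p, range_="s0:c0.c4")` asserting on the entries whose interface context carries that range would close the gap (the exact expected names depend on how range matching is defined, which is not visible here). test_000 also derives both counts from loop variables that are only bound when the iterable is non-empty, so an empty policy raises NameError instead of failing the assertion; `self.assertEqual(sum(1 for _ in self.p.netifcons()), sum(1 for _ in q.results()))` is shorter and safe.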