sechecker: Implement sechecker.

This is a command line tool for the configuration file-driven automated policy analysis. Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2025-05-16 23:29:16 +00:00 · 2020-06-10 10:26:18 -04:00 · 2020-06-10 10:26:18 -04:00 · b58fdc00cd
commit b58fdc00cd
parent bf03b6749c
2 changed files with 264 additions and 0 deletions
--- a/man/sechecker.1
+++ b/man/sechecker.1
@ -0,0 +1,190 @@
 .TH sechecker 1 2020-06-09 "SELinux Project" "SETools: SELinux Policy Analysis Tools"
 .SH NAME
 sechecker \- Configuration-driven automated SELinux policy analysis
 .SH SYNOPSIS
 \fBsechecker\fR [OPTIONS] config.ini [POLICY]
 .SH DESCRIPTION
 .PP
 \fBsechecker\fR is an automated SELinux policy analysis tool. It uses a
 configuration file to define one or more analysis checks.
 .SH POLICY
 .PP
 A single file containing a binary policy. This file is usually named by version
 on Linux systems, for example, \fIpolicy.30\fR. This file is usually named
 \fIsepolicy\fR on Android systems.  If not provided, \fBsechecker\fR will attempt
 to locate and open the current policy running on the system.
 .SH OPTIONS
 .IP "-o <path>"
 Output the results to the specified path instead of stdout.
 .IP "-h, --help"
 Print help information and exit.
 .IP "--version"
 Print version information and exit.
 .IP "-v, --verbose"
 Print additional informational messages.
 .IP "--debug"
 Enable debugging output.
 .SH RETURN CODES
 \fBsechecker\fR has the following return codes:
 .TP
 .B 0
 All checks passed.
 .TP
 .B 1
 One or more checks failed.
 .TP
 .B 2
 Error in the configuration file.
 .TP
 .B 3
 Other errors, such as policy open error.
 .SH "CONFIGURATION FILE"
 The configuration file is in the .ini format. Each section is considered
 a check, with the configuration section name being the name of the check.  All
 checks have the following options:
 .IP "check_type = <name>"
 This selects the type of test be be used in this check.  This is required.
 .IP "desc = <text>"
 This is an optional text field.  If set, the contents are printed in the output
 and is typically used to explain the purpose of the check.
 .IP "disable = <text>"
 This is an optional text field.  If it is set, the check will not run and the
 contents of this text will be added to the report to explain why the check
 was not ran.
 .SH "TYPE ENFORCEMENT ALLOW RULE ASSERTION"
 This checks for the nonexistence of type enforcement allow rules. The check_type
 is \fBassert_te\fR.  It will run the query and any results from the query,
 removing any exempted sources or targets, will be listed as failures.
 If a rule has an empty attribute, rendering it useless, it will
 be ignored.  If a rule has an attribute, it will be considered
 a failure unless all of the member types are exempted.
 .PP
 Criteria options:
 .IP "source = <type or type attribute>"
 The source type/attribute criteria for the query.
 .IP "target = <type or type attribute>"
 The target type/attribute criteria for the query.
 .IP "tclass = <type or type attribute>[, ....]"
 A comma-separated list of object class criteria for the query.
 .IP "perms = <type or type attribute>[, ....]"
 A comma-separated list of permissions for the query.
 .PP
 \fBA least one of the above options must be set in this check.\fR
 .PP
 Additional Options:
 .IP "exempt_source = <type or type attribute>[, ....]"
 A comma-separated list of types and type attributes.  Rules with these
 as the source will be ignored. This is optional.
 .IP "exempt_target = <type or type attribute>[, ....]"
 A comma-separated list of types and type attributes.  Rules with these
 as the target will be ignored. This is optional.
 .SH "EMPTY TYPE ATTRIBUTE ASSERTION"
 This checks that the specified attribute is empty.  This can optionally
 be set to also pass if the attribute does not exist.
 The check_type is \fBempty_typeattr\fR.
 .PP
 Options:
 .IP "attr = <type attribute>"
 The type attribute to check.  This is required.
 .IP "missing_ok = <type attribute>"
 Consider the check passing if the attribute does not exist.
 This is optional.  Default is false.
 .SH "READ-ONLY EXECUTABLES ASSERTION"
 This checks that all file types that are executable are read-only.
 The check_type is \fBro_execs\fR.
 .PP
 Options:
 .IP "exempt_file = <type or type attribute>[, ....]"
 A comma-separated list of types and type attributes.  These
 will not be considered executable.  This is optional.
 .IP "exempt_exec_domain = <type or type attribute>[, ....]"
 A comma-separated list of types and type attributes.  Rules with these
 as the source will be ignored if they allow file execute permission.
 This is optional.
 .IP "exempt_write_domain = <type or type attribute>[, ....]"
 A comma-separated list of types and type attributes.  Rules with these
 as the source will be ignored if they allow file write or append permissions
 on types determined executable.  This is optional.
 .SH "CONFIGURATION EXAMPLES"
 .PP
 \fBExample\ \&1.\ \&A check called "no_unconfined" that will determine if the
 domain_unconfined_type attribute is empty or missing.\fR
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
 [no_unconfined]
 check_type = empty_typeattr
 desc = Verify that the domain_unconfined_type attribute is missing or empty.
 attr = domain_unconfined_type
 missing_ok = True
 .fi
 .if n \{\
 .RE
 .\}
 .PP
 \fBExample\ \&2.\ \&A check called "ro_execs" that will determine if all
 executable types are read-only.\fR
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
 [ro_execs]
 check_type = empty_typeattr
 desc = Verify that the all executables and libraries are read-only.
 .fi
 .if n \{\
 .RE
 .\}
 .PP
 \fBExample\ \&3.\ \&A check called "execheap" that will determine that
 there are no domains with the execheap permission except for
 unconfined_execheap_t.\fR
 .sp
 .if n \{\
 .RS 4
 .\}
 .nf
 [execheap]
 check_type = assert_te
 desc = Verify no domains have executable heap.
 tclass = process
 perms = execheap
 exempt_source = unconfined_execheap_t
 .fi
 .if n \{\
 .RE
 .\}
 .PP
 .SH AUTHOR
 Chris PeBenito <chpebeni@linux.microsoft.com>
 .SH BUGS
 Please report bugs via the SETools bug tracker, https://github.com/SELinuxProject/setools/issues
 .SH SEE ALSO
 apol(1), sediff(1), sedta(1), seinfo(1), seinfoflow(1), sesearch(1)
--- a/74
+++ b/74
@ -0,0 +1,74 @@
 #!/usr/bin/env python3
 # Copyright 2020 Microsoft Corporation
 #
 # This file is part of SETools.
 #
 # SETools is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 2 of the License, or
 # (at your option) any later version.
 #
 # SETools is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with SETools.  If not, see <http://www.gnu.org/licenses/>.
 #
 import setools
 import argparse
 import sys
 import logging
 import signal
 signal.signal(signal.SIGPIPE, signal.SIG_DFL)
 parser = argparse.ArgumentParser(description="SELinux policy checker tool.")
 parser.add_argument("--version", action="version", version=setools.__version__)
 parser.add_argument("config", help="Path to the checker configuration file.")
 parser.add_argument("policy", help="Path to the SELinux policy to check.", nargs="?")
 parser.add_argument("-o", "--output_file", help="Path to log output.", required=False)
 parser.add_argument("-v", "--verbose", action="store_true",
                    help="Print extra informational messages")
 parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.")
 args = parser.parse_args()
 if args.debug:
    logging.basicConfig(level=logging.DEBUG,
                        format='%(asctime)s|%(levelname)s|%(name)s|%(message)s')
 elif args.verbose:
    logging.basicConfig(level=logging.INFO, format='%(message)s')
 else:
    logging.basicConfig(level=logging.WARNING, format='%(message)s')
 try:
    p = setools.SELinuxPolicy(args.policy)
    c = setools.PolicyChecker(p, args.config)
    if args.output_file:
        with open(args.output_file, "w") as fd:
            failures = c.run(output=fd)
    else:
        failures = c.run()
    sys.exit(1 if failures else 0)
 except setools.exception.InvalidCheckerConfig as err:
    if args.debug:
        raise
    else:
        print(err)
    sys.exit(2)
 except Exception as err:
    if args.debug:
        raise
    else:
        print(err)
    sys.exit(3)