RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-04-24 12:24:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

PolicyDifference: implement policy capabilities diff

Browse Source 
Closes #64
This commit is contained in:
Chris PeBenito 2016-01-14 18:31:06 -05:00
parent dbad48a742
commit b64fcea379
6 changed files with 95 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
sediff
View File

@ -78,6 +78,9 @@ labeling.add_argument("--netifcon", action="store_true", help="Print netifcon di
labeling.add_argument("--nodecon", action="store_true", help="Print nodecon differences") labeling.add_argument("--nodecon", action="store_true", help="Print nodecon differences")
labeling.add_argument("--portcon", action="store_true", help="Print portcon differences") labeling.add_argument("--portcon", action="store_true", help="Print portcon differences")
other = parser.add_argument_group("other differences")
other.add_argument("--polcap", action="store_true", help="Print policy capability differences")
args = parser.parse_args() args = parser.parse_args()
all_differences = not any((args.class_, args.common, args.type_, args.attribute, args.role, all_differences = not any((args.class_, args.common, args.type_, args.attribute, args.role,
@ -85,7 +88,7 @@ all_differences = not any((args.class_, args.common, args.type_, args.attribute,
args.allow, args.neverallow, args.auditallow, args.dontaudit, args.allow, args.neverallow, args.auditallow, args.dontaudit,
args.type_trans, args.type_change, args.type_member, args.role_allow, args.type_trans, args.type_change, args.type_member, args.role_allow,
args.role_trans, args.range_trans, args.initialsid, args.genfscon, args.role_trans, args.range_trans, args.initialsid, args.genfscon,
args.netifcon, args.nodecon, args.portcon, args.fs_use)) args.netifcon, args.nodecon, args.portcon, args.fs_use, args.polcap))
if args.debug: if args.debug:
logging.basicConfig(level=logging.DEBUG, logging.basicConfig(level=logging.DEBUG,
@ -902,6 +905,21 @@ try:
print() print()
if all_differences or args.polcap:
if diff.added_polcaps or diff.removed_polcaps or args.polcap:
print("Policy Capabilities ({0} Added, {1} Removed)".format(
len(diff.added_polcaps), len(diff.removed_polcaps)))
if diff.added_polcaps and not args.stats:
print(" Added Policy Capabilities: {0}".format(len(diff.added_polcaps)))
for n in sorted(diff.added_polcaps):
print(" + {0}".format(n))
if diff.removed_polcaps and not args.stats:
print(" Removed Policy Capabilities: {0}".format(len(diff.removed_polcaps)))
for n in sorted(diff.removed_polcaps):
print(" - {0}".format(n))
print()
except Exception as err: except Exception as err:
if args.debug: if args.debug:
import traceback import traceback

2
setools/diff/__init__.py
View File

@ -26,6 +26,7 @@ from .mlsrules import MLSRulesDifference
from .netifcon import NetifconsDifference from .netifcon import NetifconsDifference
from .nodecon import NodeconsDifference from .nodecon import NodeconsDifference
from .objclass import ObjClassDifference from .objclass import ObjClassDifference
from .polcap import PolCapsDifference
from .rbacrules import RBACRulesDifference from .rbacrules import RBACRulesDifference
from .roles import RolesDifference from .roles import RolesDifference
from .terules import TERulesDifference from .terules import TERulesDifference
@ -47,6 +48,7 @@ class PolicyDifference(BooleansDifference,
NetifconsDifference, NetifconsDifference,
NodeconsDifference, NodeconsDifference,
ObjClassDifference, ObjClassDifference,
PolCapsDifference,
RBACRulesDifference, RBACRulesDifference,
RolesDifference, RolesDifference,
SensitivitiesDifference, SensitivitiesDifference,

47
setools/diff/polcap.py Normal file
View File

@ -0,0 +1,47 @@
# Copyright 2016, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
from .descriptors import DiffResultDescriptor
from .difference import Difference, SymbolWrapper
class PolCapsDifference(Difference):
"""Determine the difference in polcaps between two policies."""
added_polcaps = DiffResultDescriptor("diff_polcaps")
removed_polcaps = DiffResultDescriptor("diff_polcaps")
def diff_polcaps(self):
"""Generate the difference in polcaps between the policies."""
self.log.info("Generating policy cap differences from {0.left_policy} to {0.right_policy}".
format(self))
self.added_polcaps, self.removed_polcaps, _ = self._set_diff(
(SymbolWrapper(n) for n in self.left_policy.polcaps()),
(SymbolWrapper(n) for n in self.right_policy.polcaps()))
#
# Internal functions
#
def _reset_diff(self):
"""Reset diff results on policy changes."""
self.log.debug("Resetting policy capability differences")
self.added_polcaps = None
self.removed_polcaps = None

19
tests/diff.py
View File

@ -1225,6 +1225,17 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
self.assertEqual("modified_change_level:object_r:system:s2:c1", added_context) self.assertEqual("modified_change_level:object_r:system:s2:c1", added_context)
self.assertEqual("modified_change_level:object_r:system:s2:c0.c1", removed_context) self.assertEqual("modified_change_level:object_r:system:s2:c0.c1", removed_context)
#
# Policy capabilities
#
def test_added_polcaps(self):
"""Diff: added polcaps."""
self.assertSetEqual(set(["always_check_network"]), self.diff.added_polcaps)
def test_removed_polcaps(self):
"""Diff: removed polcaps."""
self.assertSetEqual(set(["network_peer_controls"]), self.diff.removed_polcaps)
class PolicyDifferenceTestNoDiff(unittest.TestCase): class PolicyDifferenceTestNoDiff(unittest.TestCase):
@ -1533,3 +1544,11 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
def test_modified_nodecons(self): def test_modified_nodecons(self):
"""NoDiff: no modified nodecons.""" """NoDiff: no modified nodecons."""
self.assertFalse(self.diff.modified_nodecons) self.assertFalse(self.diff.modified_nodecons)
def test_added_polcaps(self):
"""NoDiff: no added polcaps."""
self.assertFalse(self.diff.added_polcaps)
def test_removed_polcaps(self):
"""NoDiff: no removed polcaps."""
self.assertFalse(self.diff.removed_polcaps)

4
tests/diff_left.conf
View File

@ -595,6 +595,10 @@ role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_
################################################################################ ################################################################################
# policycaps
policycap open_perms;
policycap network_peer_controls;
#users #users
user system roles system level s0 range s0; user system roles system level s0 range s0;

4
tests/diff_right.conf
View File

@ -595,6 +595,10 @@ role_transition role_tr_matched_source role_tr_matched_target:infoflow3 role_tr_
################################################################################ ################################################################################
# policycaps
policycap open_perms;
policycap always_check_network;
#users #users
user system roles system level s0 range s0; user system roles system level s0 range s0;