mirror of
https://github.com/SELinuxProject/setools
synced 2025-02-21 22:46:50 +00:00
parent
f284552609
commit
d6e0d56fac
25
sediff
25
sediff
@ -72,6 +72,7 @@ mlsrule.add_argument("--range_trans", action="store_true",
|
||||
|
||||
labeling = parser.add_argument_group("labeling statement differences")
|
||||
labeling.add_argument("--initialsid", action="store_true", help="Print initial SID differences")
|
||||
labeling.add_argument("--fs_use", action="store_true", help="Print fs_use_* differences")
|
||||
labeling.add_argument("--genfscon", action="store_true", help="Print genfscon differences")
|
||||
labeling.add_argument("--netifcon", action="store_true", help="Print netifcon differences")
|
||||
labeling.add_argument("--nodecon", action="store_true", help="Print nodecon differences")
|
||||
@ -84,7 +85,7 @@ all_differences = not any((args.class_, args.common, args.type_, args.attribute,
|
||||
args.allow, args.neverallow, args.auditallow, args.dontaudit,
|
||||
args.type_trans, args.type_change, args.type_member, args.role_allow,
|
||||
args.role_trans, args.range_trans, args.initialsid, args.genfscon,
|
||||
args.netifcon, args.nodecon, args.portcon))
|
||||
args.netifcon, args.nodecon, args.portcon, args.fs_use))
|
||||
|
||||
if args.debug:
|
||||
logging.basicConfig(level=logging.DEBUG,
|
||||
@ -766,6 +767,28 @@ try:
|
||||
|
||||
print()
|
||||
|
||||
if all_differences or args.fs_use:
|
||||
if diff.added_fs_uses or diff.removed_fs_uses or diff.modified_fs_uses \
|
||||
or args.fs_use:
|
||||
print("Fs_use ({0} Added, {1} Removed, {2} Modified)".format(
|
||||
len(diff.added_fs_uses), len(diff.removed_fs_uses),
|
||||
len(diff.modified_fs_uses)))
|
||||
if diff.added_fs_uses and not args.stats:
|
||||
print(" Added Fs_use: {0}".format(len(diff.added_fs_uses)))
|
||||
for s in sorted(diff.added_fs_uses):
|
||||
print(" + {0}".format(s))
|
||||
if diff.removed_fs_uses and not args.stats:
|
||||
print(" Removed Fs_use: {0}".format(len(diff.removed_fs_uses)))
|
||||
for s in sorted(diff.removed_fs_uses):
|
||||
print(" - {0}".format(s))
|
||||
if diff.modified_fs_uses and not args.stats:
|
||||
print(" Modified Fs_use: {0}".format(len(diff.modified_fs_uses)))
|
||||
for entry in sorted(diff.modified_fs_uses):
|
||||
print(" * {0.ruletype} {0.fs} +[{1}] -[{2}];".format(
|
||||
entry.rule, entry.added_context, entry.removed_context))
|
||||
|
||||
print()
|
||||
|
||||
except Exception as err:
|
||||
if args.debug:
|
||||
import traceback
|
||||
|
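Review bot: The `@ -766` hunk reports the fs_use differences with `sorted(diff.added_fs_uses)`, `sorted(diff.removed_fs_uses)` and `sorted(diff.modified_fs_uses)`, so the printed order is whatever `__lt__` the elements provide, and in the new `setools/diff/fsuse.py` the `FSUseWrapper.__lt__` added by this commit compares `self.key`, which is `hash(rule)`; if those wrappers (or the namedtuples holding them) are what reaches these loops, the order is an artifact of hash values and may not follow the rule text or stay the same between runs, which matters when sediff output is stored or compared as a record of a policy change. Ordering on the fields the wrapper already exposes, `return (self.ruletype, self.fs) < (other.ruletype, other.fs)`, would make the report reproducible. Whether `_set_diff` hands back the wrappers or the original rule objects is not visible here and should be confirmed before changing it. The `try` block enclosing this hunk starts before it.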
@ -18,6 +18,7 @@
|
||||
#
|
||||
from .bool import BooleansDifference
|
||||
from .commons import CommonDifference
|
||||
from .fsuse import FSUsesDifference
|
||||
from .initsid import InitialSIDsDifference
|
||||
from .mls import CategoriesDifference, SensitivitiesDifference
|
||||
from .mlsrules import MLSRulesDifference
|
||||
@ -35,6 +36,7 @@ __all__ = ['PolicyDifference']
|
||||
class PolicyDifference(BooleansDifference,
|
||||
CategoriesDifference,
|
||||
CommonDifference,
|
||||
FSUsesDifference,
|
||||
InitialSIDsDifference,
|
||||
MLSRulesDifference,
|
||||
ObjClassDifference,
|
||||
|
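--- /dev/null
+++ b/setools/diff/fsuse.py
@@ -0,0 +1,89 @@
+# Copyright 2016, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools. If not, see
+# <http://www.gnu.org/licenses/>.
+#
+from collections import namedtuple
+
+from .context import ContextWrapper
+from .descriptors import DiffResultDescriptor
+from .difference import Difference, Wrapper
+
+
+modified_fsuse_record = namedtuple("modified_fsuse", ["rule",
+"added_context",
+"removed_context"])
+
+
+class FSUsesDifference(Difference):
+
+"""Determine the difference in fs_use_* rules between two policies."""
+
+added_fs_uses = DiffResultDescriptor("diff_fs_uses")
+removed_fs_uses = DiffResultDescriptor("diff_fs_uses")
+modified_fs_uses = DiffResultDescriptor("diff_fs_uses")
+
+def diff_fs_uses(self):
+"""Generate the difference in fs_use rules between the policies."""
+
+self.log.info(
+"Generating fs_use_* differences from {0.left_policy} to {0.right_policy}".
+format(self))
+
+self.added_fs_uses, self.removed_fs_uses, matched = self._set_diff(
+(FSUseWrapper(fs) for fs in self.left_policy.fs_uses()),
+(FSUseWrapper(fs) for fs in self.right_policy.fs_uses()))
+
+self.modified_fs_uses = []
+
+for left_rule, right_rule in matched:
+# Criteria for modified rules
+# 1. change to context
+if ContextWrapper(left_rule.context) != ContextWrapper(right_rule.context):
+self.modified_fs_uses.append(modified_fsuse_record(left_rule,
+right_rule.context,
+left_rule.context))
+
+#
+# Internal functions
+#
+def _reset_diff(self):
+"""Reset diff results on policy changes."""
+self.log.debug("Resetting fs_use_* rule differences")
+self.added_fs_uses = None
+self.removed_fs_uses = None
+self.modified_fs_uses = None
+
+
+class FSUseWrapper(Wrapper):
+
+"""Wrap fs_use_* rules to allow set operations."""
+
+def __init__(self, rule):
+self.origin = rule
+self.ruletype = rule.ruletype
+self.fs = rule.fs
+self.context = ContextWrapper(rule.context)
+self.key = hash(rule)
+
+def __hash__(self):
+return self.key
+
+def __lt__(self, other):
+return self.key < other.key
+
+def __eq__(self, other):
+return self.ruletype == other.ruletype and self.fs == other.fs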
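Review bot: `FSUseWrapper.__eq__` declares two rules the same statement when `ruletype` and `fs` match, but `__hash__` returns `hash(rule)` taken from the underlying policy object, and the set matching in `_set_diff` can only pair a rule from the left policy with its counterpart on the right if equal wrappers also hash equally; that holds only if the policy object's own hash is derived from `ruletype` and `fs` and excludes the context, which is not visible here and should be confirmed, because a context-only change has to land in `modified_fs_uses` rather than surface as an add/remove pair. The wrapper also stores `self.context = ContextWrapper(rule.context)` while `diff_fs_uses` re-wraps `left_rule.context` and `right_rule.context` itself, so depending on what `matched` yields the stored attribute is either unused or the context is wrapped twice; a comment on the `for left_rule, right_rule in matched:` line stating which objects it yields would settle that. A one-line docstring on `__init__` saying that `origin` keeps the unwrapped rule for callers, and that `key` is what `__hash__` and `__lt__` consult, would make the wrapper's contract readable without opening `difference.py`.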
@ -993,6 +993,40 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
|
||||
self.assertEqual("system:system:system:s0",
|
||||
self.diff.modified_initialsids["modified_sid"].removed_context)
|
||||
|
||||
#
|
||||
# fs_use_*
|
||||
#
|
||||
def test_added_fs_uses(self):
|
||||
"""Diff: added fs_uses."""
|
||||
l = sorted(self.diff.added_fs_uses)
|
||||
self.assertEqual(1, len(l))
|
||||
|
||||
rule = l[0]
|
||||
self.assertEqual("fs_use_xattr", rule.ruletype)
|
||||
self.assertEqual("added_fsuse", rule.fs)
|
||||
self.assertEqual("system:object_r:system:s0", rule.context)
|
||||
|
||||
def test_removed_fs_uses(self):
|
||||
"""Diff: removed fs_uses."""
|
||||
l = sorted(self.diff.removed_fs_uses)
|
||||
self.assertEqual(1, len(l))
|
||||
|
||||
rule = l[0]
|
||||
self.assertEqual("fs_use_task", rule.ruletype)
|
||||
self.assertEqual("removed_fsuse", rule.fs)
|
||||
self.assertEqual("system:object_r:system:s0", rule.context)
|
||||
|
||||
def test_modified_fs_uses(self):
|
||||
"""Diff: modified fs_uses."""
|
||||
l = sorted(self.diff.modified_fs_uses)
|
||||
self.assertEqual(1, len(l))
|
||||
|
||||
rule, added_context, removed_context = l[0]
|
||||
self.assertEqual("fs_use_trans", rule.ruletype)
|
||||
self.assertEqual("modified_fsuse", rule.fs)
|
||||
self.assertEqual("added_user:object_r:system:s1", added_context)
|
||||
self.assertEqual("removed_user:object_r:system:s0", removed_context)
|
||||
|
||||
|
||||
class PolicyDifferenceTestNoDiff(unittest.TestCase):
|
||||
|
||||
@ -1241,3 +1275,15 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
|
||||
def test_modified_initialsids(self):
|
||||
"""NoDiff: no modified initialsids."""
|
||||
self.assertFalse(self.diff.modified_initialsids)
|
||||
|
||||
def test_added_fs_uses(self):
|
||||
"""NoDiff: no added fs_uses."""
|
||||
self.assertFalse(self.diff.added_fs_uses)
|
||||
|
||||
def test_removed_fs_uses(self):
|
||||
"""NoDiff: no removed fs_uses."""
|
||||
self.assertFalse(self.diff.removed_fs_uses)
|
||||
|
||||
def test_modified_fs_uses(self):
|
||||
"""NoDiff: no modified fs_uses."""
|
||||
self.assertFalse(self.diff.modified_fs_uses)
|
||||
|
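Review bot: The three new `PolicyDifferenceTest` methods bind the sorted result to `l`, a name PEP 8 (E741) discourages because it is hard to tell apart from `1` and `I`; `rules = sorted(self.diff.added_fs_uses)` reads better, and the same rename applies in `test_removed_fs_uses` and `test_modified_fs_uses`. Each of these tests asserts a single element, so the sort order of the results is not exercised; if a stable order is intended, a second fixture rule in the same category would pin it. The `PolicyDifferenceTest` class starts before this hunk.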
@ -619,6 +619,8 @@ sid modified_sid system:system:system:s0
|
||||
fs_use_trans devpts system:object_r:system:s0;
|
||||
fs_use_xattr ext3 system:object_r:system:s0;
|
||||
fs_use_task pipefs system:object_r:system:s0;
|
||||
fs_use_task removed_fsuse system:object_r:system:s0;
|
||||
fs_use_trans modified_fsuse removed_user:object_r:system:s0;
|
||||
|
||||
#genfscon
|
||||
genfscon proc / system:object_r:system:s0
|
||||
|
@ -619,6 +619,8 @@ sid modified_sid modified_add_role:system:system:s2
|
||||
fs_use_trans devpts system:object_r:system:s0;
|
||||
fs_use_xattr ext3 system:object_r:system:s0;
|
||||
fs_use_task pipefs system:object_r:system:s0;
|
||||
fs_use_xattr added_fsuse system:object_r:system:s0;
|
||||
fs_use_trans modified_fsuse added_user:object_r:system:s1;
|
||||
|
||||
#genfscon
|
||||
genfscon proc / system:object_r:system:s0
|
||||
|