mirror of
https://github.com/SELinuxProject/setools
synced 2025-01-30 03:32:42 +00:00
2f44b599ca
Undo past whitespace fixes that are now unnecessary now that the max line length increased to 100.
193 lines
9.0 KiB
Python
Executable File
193 lines
9.0 KiB
Python
Executable File
#!/usr/bin/python
|
|
# Copyright 2014, Tresys Technology, LLC
|
|
#
|
|
# This file is part of SETools.
|
|
#
|
|
# SETools is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# SETools is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
from __future__ import print_function
|
|
import setools
|
|
import argparse
|
|
import sys
|
|
|
|
parser = argparse.ArgumentParser(
|
|
description="SELinux policy rule search tool.",
|
|
epilog="TE/MLS rule searches cannot be mixed with RBAC rule searches.")
|
|
parser.add_argument("--version", action="version", version=setools.__version__)
|
|
parser.add_argument("policy", help="Path to the SELinux policy to search.")
|
|
|
|
rtypes = parser.add_argument_group("TE Rule Types")
|
|
rtypes.add_argument("-A", "--allow", action="append_const",
|
|
const="allow", dest="tertypes",
|
|
help="Search allow rules.")
|
|
rtypes.add_argument("--auditallow", action="append_const",
|
|
const="auditallow", dest="tertypes",
|
|
help="Search auditallow rules.")
|
|
rtypes.add_argument("--dontaudit", action="append_const",
|
|
const="dontaudit", dest="tertypes",
|
|
help="Search dontaudit rules.")
|
|
rtypes.add_argument("-T", "--type_trans", action="append_const",
|
|
const="type_transition", dest="tertypes",
|
|
help="Search type_transition rules.")
|
|
rtypes.add_argument("--type_change", action="append_const",
|
|
const="type_change", dest="tertypes",
|
|
help="Search type_change rules.")
|
|
rtypes.add_argument("--type_member", action="append_const",
|
|
const="type_member", dest="tertypes",
|
|
help="Search type_member rules.")
|
|
|
|
rbacrtypes = parser.add_argument_group("RBAC Rule Types")
|
|
rbacrtypes.add_argument("--role_allow", action="append_const",
|
|
const="allow", dest="rbacrtypes",
|
|
help="Search role allow rules.")
|
|
rbacrtypes.add_argument("--role_trans", action="append_const",
|
|
const="role_transition", dest="rbacrtypes",
|
|
help="Search role_transition rules.")
|
|
|
|
mlsrtypes = parser.add_argument_group("MLS Rule Types")
|
|
mlsrtypes.add_argument("--range_trans", action="append_const",
|
|
const="range_transition", dest="mlsrtypes",
|
|
help="Search range_transition rules.")
|
|
|
|
expr = parser.add_argument_group("Expressions")
|
|
expr.add_argument("-s", "--source", default="",
|
|
help="Source type/role of the TE/RBAC rule.")
|
|
expr.add_argument("-t", "--target", default="",
|
|
help="Target type/role of the TE/RBAC rule.")
|
|
expr.add_argument("-c", "--class", dest="tclass", default="",
|
|
help="Comma separated list of object classes")
|
|
expr.add_argument("-p", "--perms", metavar="PERMS", default="",
|
|
help="Comma separated list of permissions.")
|
|
expr.add_argument("-D", "--default", default="",
|
|
help="Default type of the TE/RBAC rule.")
|
|
expr.add_argument("-b", "--bool", dest="boolean", metavar="BOOL", default="",
|
|
help="Comma separated list of Booleans in the conditional expression.")
|
|
|
|
opts = parser.add_argument_group("Search options")
|
|
opts.add_argument("-eb", action="store_true", dest="boolean_equal",
|
|
help="Match Boolean list exactly instead of matching any listed Boolean.")
|
|
opts.add_argument("-ep", action="store_true", dest="perms_equal",
|
|
help="Match permission set exactly instead of matching any listed permission.")
|
|
opts.add_argument("-ds", action="store_false", dest="source_indirect",
|
|
help="Match source attributes directly instead of matching member types/roles.")
|
|
opts.add_argument("-dt", action="store_false", dest="target_indirect",
|
|
help="Match target attributes directly instead of matching member types/roles.")
|
|
opts.add_argument("-rs", action="store_true", dest="source_regex",
|
|
help="Use regular expression matching for the source type/role.")
|
|
opts.add_argument("-rt", action="store_true", dest="target_regex",
|
|
help="Use regular expression matching for the target type/role.")
|
|
opts.add_argument("-rc", action="store_true", dest="tclass_regex",
|
|
help="Use regular expression matching for the object class.")
|
|
opts.add_argument("-rd", action="store_true", dest="default_regex",
|
|
help="Use regular expression matching for the default type/role.")
|
|
opts.add_argument("-rb", action="store_true", dest="boolean_regex",
|
|
help="Use regular expression matching for Booleans.")
|
|
|
|
args = parser.parse_args()
|
|
|
|
if not args.tertypes and not args.mlsrtypes and not args.rbacrtypes:
|
|
parser.error("At least one rule type must be specified.")
|
|
|
|
if (args.tertypes or args.mlsrtypes) and args.rbacrtypes:
|
|
parser.error("TE/MLS rule searches cannot be mixed with RBAC rule searches.")
|
|
|
|
try:
|
|
p = setools.SELinuxPolicy(args.policy)
|
|
except Exception as err:
|
|
print(err)
|
|
sys.exit(-1)
|
|
|
|
if args.tertypes:
|
|
q = setools.terulequery.TERuleQuery(p,
|
|
ruletype=args.tertypes,
|
|
source=args.source,
|
|
source_indirect=args.source_indirect,
|
|
source_regex=args.source_regex,
|
|
target=args.target,
|
|
target_indirect=args.target_indirect,
|
|
target_regex=args.target_regex,
|
|
tclass_regex=args.tclass_regex,
|
|
perms_equal=args.perms_equal,
|
|
default=args.default,
|
|
default_regex=args.default_regex,
|
|
boolean_regex=args.boolean_regex,
|
|
boolean_equal=args.boolean_equal)
|
|
|
|
# these are broken out from the above statement to prevent making a list
|
|
# with an empty string in it (split on empty string)
|
|
if args.tclass:
|
|
if args.tclass_regex:
|
|
q.set_tclass(args.tclass)
|
|
else:
|
|
q.set_tclass(args.tclass.split(","))
|
|
|
|
if args.perms:
|
|
q.set_perms(args.perms.split(","))
|
|
|
|
if args.boolean:
|
|
if args.boolean_regex:
|
|
q.set_boolean(args.boolean)
|
|
else:
|
|
q.set_boolean(args.boolean.split(","))
|
|
|
|
for r in sorted(q.results()):
|
|
print(r)
|
|
|
|
if args.rbacrtypes:
|
|
q = setools.rbacrulequery.RBACRuleQuery(p,
|
|
ruletype=args.rbacrtypes,
|
|
source=args.source,
|
|
source_indirect=args.source_indirect,
|
|
source_regex=args.source_regex,
|
|
target=args.target,
|
|
target_indirect=args.target_indirect,
|
|
target_regex=args.target_regex,
|
|
default=args.default,
|
|
default_regex=args.default_regex,
|
|
tclass_regex=args.tclass_regex)
|
|
|
|
# these are broken out from the above statement to prevent making a list
|
|
# with an empty string in it (split on empty string)
|
|
if args.tclass:
|
|
if args.tclass_regex:
|
|
q.set_tclass(args.tclass)
|
|
else:
|
|
q.set_tclass(args.tclass.split(","))
|
|
|
|
for r in sorted(q.results()):
|
|
print(r)
|
|
|
|
if args.mlsrtypes:
|
|
q = setools.mlsrulequery.MLSRuleQuery(p,
|
|
ruletype=args.mlsrtypes,
|
|
source=args.source,
|
|
source_indirect=args.source_indirect,
|
|
source_regex=args.source_regex,
|
|
target=args.target,
|
|
target_indirect=args.target_indirect,
|
|
target_regex=args.target_regex,
|
|
tclass_regex=args.tclass_regex)
|
|
|
|
# these are broken out from the above statement to prevent making a list
|
|
# with an empty string in it (split on empty string)
|
|
if args.tclass:
|
|
if args.tclass_regex:
|
|
q.set_tclass(args.tclass)
|
|
else:
|
|
q.set_tclass(args.tclass.split(","))
|
|
|
|
for r in sorted(q.results()):
|
|
print(r)
|