eaiovnaovbqoebvqoeavibavo 3 Klf@s2ddlZddlZddlZddlZddlZddlZddlZddlZddlTdZ ddl Z ddl Z ddl Z y:ddl Z iZejdRkrded<e je fddd eWnJyddlZeejd <Wn&ek rddlZeejd <YnXYnXddlZiZeed <eed <eed <eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<eed<e ed <e ed!<e ed"<d ddddddd d#Z!d$d$d%d&d'd(d)d*dd+ Z"y(ddl#Z#e#j$e#j%Gd,d-d-Z&Wn(e'efk r4Gd.d-d-Z&YnXGd/d0d0Z(d1d2Z)dSd4d5Z*dTd6d7Z+Gd8d9d9Z,Gd:d;d;e,Z-Gdd?d?e,Z/Gd@dAdAe,Z0GdBdCdCe,Z1GdDdEdEe,Z2GdFdGdGe,Z3GdHdIdIe,Z4GdJdKdKe,Z5GdLdMdMe,Z6GdNdOdOe,Z7GdPdQdQe,Z8dS)UN)*zselinux-pythonTunicodez/usr/share/localezutf-8)Z localedirZcodeset_z all filesaz regular filez--fz-d directorydz-czcharacter devicecz-bz block devicebz-ssocketsz-llz symbolic linkpz-pz named pipe)z all filesz regular filer zcharacter devicez block devicer z symbolic linkz named pipeanyblockchardirfilesymlinkpipe) rrr r r rrrrc@s8eZdZddZd ddZdddZdd Zd d Zd S)loggercCstj|_g|_g|_dS)N)audit audit_openaudit_fdlog_listlog_change_list)selfr/usr/lib/python3.6/seobject.py__init__ls zlogger.__init__rc Csd} ||kr|| d7}d} ||kr4|| d7}d} ||krL|| d7}d} |jj|jtjtjdt||d||||||dddgdS)N-sename,rolerangerr)rappendrrZAUDIT_ROLE_ASSIGNsysargvstr) rmsgnamer#seroleserange oldsename oldserole oldserangeseprrr logqs   z logger.logc Cs<|jj|jtjtjdt||d||||||dddgdS)Nrr)rr'rrZAUDIT_ROLE_REMOVEr(r)r*) rr+r,r#r-r.r/r0r1rrr log_removeszlogger.log_removecCs&|jj|jtjt|ddddgdS)Nsemanager)rr'rrZAUDIT_USER_MAC_CONFIG_CHANGEr*)rr+rrr log_changeszlogger.log_changecCsPx|jD]}tj||gqWx|jD]}tj||gq(Wg|_g|_dS)N)rrZaudit_log_semanage_messagerZaudit_log_user_comm_message)rsuccessrrrr commits   z logger.commitN)rrrrrrr)rrrrrrr)__name__ __module__ __qualname__r!r3r4r6r8rrrr rjs   rc@s8eZdZddZd ddZdddZdd Zd d Zd S)rcCs g|_dS)N)r)rrrr r!szlogger.__init__rc Csd||f} |dkr | d|7} |dkr4| d|7} |dkrH| d|7} |dkr\| d|7} |dkrx|dk rx| d|7} |dkr|dk r| d|7} |jj| dS) Nz %s name=%srz sename=z oldsename=z role=z old_role=z MLSRange=z old_MLSRange=)rr') rr+r,r#r-r.r/r0r1messagerrr r3s       z logger.logc Cs|j||||||||dS)N)r3) rr+r,r#r-r.r/r0r1rrr r4szlogger.log_removecCs|jjd|dS)Nz %s)rr')rr+rrr r6szlogger.log_changecCs8|dkrd}nd}x |jD]}tjtj||qWdS)Nz Successful: zFailed: )rsyslogZLOG_INFO)rr7r<rrrr r8s  z logger.commitN)rrrrrrr)rrrrrrr)r9r:r;r!r3r4r6r8rrrr rs   c@s0eZdZd ddZd ddZddZdd Zd S) nullloggerrc CsdS)Nr) rr+r,r#r-r.r/r0r1rrr r3sznulllogger.logc CsdS)Nr) rr+r,r#r-r.r/r0r1rrr r4sznulllogger.log_removecCsdS)Nr)rr+rrr r6sznulllogger.log_changecCsdS)Nr)rr7rrr r8sznulllogger.commitN)rrrrrrr)rrrrrrr)r9r:r;r3r4r6r8rrrr r?s  r?cCsXd}d}|d|d}|d|d}|d|dd|d}tjd |d |S) Nzs[0-9]*zc[0-9]*z(\.z)?z(\,z)*z(-z(:^$)research)rawZ sensitivitycategoryZ cat_rangeZ categoriesZregrrr validate_levels rFr=cCs`d}|dkrd||f}n|}tj|\}}|dkr8|S|rL|t|d}|dkrX|S|SdS)Nza:b:c:r=z%s%srr)selinuxZselinux_raw_to_trans_contextlen)rDprependfillercontextrctransrrr translatesrNcCs`d}|dkrd||f}n|}tj|\}}|dkr8|S|rL|t|d}|dkrX|S|SdS)Nza:b:c:r=z%s%srr)rGZselinux_trans_to_raw_contextrH)rMrIrJrKrLrDrrr untranslatesrOc@sfeZdZdZdZdZdZdddZddZddZ d d Z d d Z d dZ ddZ ddZddZdS)semanageRecordsFNcCs|rt|tkr||_n||_t|dd|_|js@t|dd|_|j|j|_tj \}}|jdksn|j|krxt |_ n,t j |jtjdtj|jft|_ dS)NnoreloadFstorerz%s%s)typer*rRargsgetattrrQ get_handleshrGselinux_getpolicytypermylogsepolicyZload_store_policyZselinux_set_policy_rootZ selinux_pathr?)rrTrLZ localstorerrr r!s    zsemanageRecords.__init__cCs | |_dS)N)rQ)rloadrrr set_reload szsemanageRecords.set_reloadcCstjr tjSt}|s"ttdtj rD|dkrDt||t|t_t |s`t |ttdt |}|t krt |ttdt |}|dkrt |ttdt|atdkrt |ttd|t_tjS)Nz Could not create semanage handlerz:SELinux policy is not managed or store cannot be accessed.zCannot read policy store.rz'Could not establish semanage connectionz!Could not test MLS enabled status)rPhandleZsemanage_handle_create ValueErrorr transactionZsemanage_select_storeZSEMANAGE_CON_DIRECTrRZsemanage_is_managedZsemanage_handle_destroyZsemanage_access_checkZSEMANAGE_CAN_READZsemanage_connectZsemanage_mls_enabledis_mls_enabled)rrRr]rLrrr rV s2      zsemanageRecords.get_handlecCsttddS)NzNot yet implemented)r^r)rrrr deleteall1szsemanageRecords.deleteallcCs$tjrttd|jdt_dS)Nz(Semanage transaction already in progressT)rPr_r^rbegin)rrrr start4s zsemanageRecords.startcCs,tjr dSt|j}|dkr(ttddS)Nrz$Could not start semanage transaction)rPr_Zsemanage_begin_transactionrWr^r)rrLrrr rb:s  zsemanageRecords.begincCsttddS)NzNot yet implemented)r^r)rrrr customizedAszsemanageRecords.customizedcCsVtjr dS|jrt|jdt|j}|dkrF|jjdtt d|jjddS)Nrz%Could not commit semanage transactionr=) rPr_rQZsemanage_set_reloadrWZsemanage_commitrYr8r^r)rrLrrr r8Ds    zsemanageRecords.commitcCs$tjsttddt_|jdS)Nz$Semanage transaction not in progressF)rPr_r^rr8)rrrr finishPs zsemanageRecords.finish)N)r9r:r;r_r]rRrTr!r\rVrarcrbrdr8rerrrr rPs $ rPc@sPeZdZdddZddZddZdd d Zd d ZddZddZ ddZ dS) moduleRecordsNcCstj||dS)N)rPr!)rrTrrr r!YszmoduleRecords.__init__c Cs g}t|j\}}}|dkr(ttdxt|D]}t||}t|j|\}}|dkrdttdt|j|\}}|dkrttdt|j|\}} |dkrttdt |j|\}} |dkrttd|j ||| | fq2W|j ddd d |j d dd |S) NrzCould not list SELinux moduleszCould not get module namezCould not get module enabledzCould not get module priorityzCould not get module lang_extcSs|dS)Nrr)trrr xsz'moduleRecords.get_all..T)keyreversecSs|dS)Nrr)rgrrr rhys)ri) Zsemanage_module_list_allrWr^rr&semanage_module_list_nthZsemanage_module_info_get_nameZ semanage_module_info_get_enabledZ!semanage_module_info_get_priorityZ!semanage_module_info_get_lang_extr'sort) rrrLmlistnumberimodr,ZenabledpriorityZlang_extrrr get_all\s,      zmoduleRecords.get_allcCs0|j}t|dkrgSdddd|DDS)NrcSsg|]}d|dqS)z-d %srr).0xrrr sz,moduleRecords.customized..cSsg|]}|ddkr|qS)r=rr)rsrgrrr rus)rrrH)rallrrr rd|s zmoduleRecords.customizedr=rcCs|j}t|dkrdS|r:tdtdtdtdfxL|D]D}|ddkrZtd}n |r`q@d}td |d|d |d |fq@WdS) Nrz %-25s %-9s %s z Module NameZPriorityZLanguager=ZDisabledrz%-25s %-9s %-5s %sr)rrrHprintr)rheading locallistrvrgZdisabledrrr lists    zmoduleRecords.listcCs`tjj|sttd|t|j|}|dkr@ttd|t|j|}|dkr\|jdS)NzModule does not exist: %s rz3Invalid priority %d (needs to be between 1 and 999)) ospathexistsr^rsemanage_set_default_priorityrWZsemanage_module_install_filer8)rrrqrLrrr adds   zmoduleRecords.addcCsx|jD]}t|j\}}|dkr0ttdt|j||}|dkrRttdt|j||}|dkr |r~ttd|q ttd|q W|jdS)NrzCould not create module keyzCould not set module key namezCould not enable module %szCould not disable module %s)splitZsemanage_module_key_createrWr^rZsemanage_module_key_set_nameZsemanage_module_set_enabledr8)rmoduleenablemrLrirrr set_enableds  zmoduleRecords.set_enabledcCsnt|j|}|dkr$ttd|x<|jD]0}t|j|}|dkr.|dkr.ttd|q.W|jdS)Nrz3Invalid priority %d (needs to be between 1 and 999)rwz*Could not remove module %s (remove failed))rrWr^rrsemanage_module_remover8)rrrqrLrrrr deletes  zmoduleRecords.deletecCs:dddd|jDD}x|D]}|j|dq"WdS)NcSsg|] }|dqS)rr)rsrtrrr rusz+moduleRecords.deleteall..cSsg|]}|ddkr|qS)r=rr)rsrgrrr rusT)rrr)rrrrrr ras zmoduleRecords.deleteall)N)r=r) r9r:r;r!rrrdr{rrrrarrrr rfWs     rfc@seZdZdddZddZdS)dontauditClassNcCstj||dS)N)rPr!)rrTrrr r!szdontauditClass.__init__cCs8|dkrttd|jt|j|dk|jdS)Nonoffz'dontaudit requires either 'on' or 'off')rr)r^rrbZsemanage_set_disable_dontauditrWr8)rZ dontauditrrr toggles  zdontauditClass.toggle)N)r9r:r;r!rrrrr rs rc@sHeZdZdddZddZddZdd d Zd d ZddZddZ dS)permissiveRecordsNcCstj||dS)N)rPr!)rrTrrr r!szpermissiveRecords.__init__cCsrg}t|j\}}}|dkr(ttdxDt|D]8}t||}t|}|r2|jdr2|j|j ddq2W|S)NrzCould not list SELinux modulesZ permissive_r=) Zsemanage_module_listrWr^rr&rkZsemanage_module_get_name startswithr'r)rrrLrmrnrorpr,rrr rrs  zpermissiveRecords.get_allcCsddt|jDS)NcSsg|] }d|qS)z-a %sr)rsrtrrr rusz0permissiveRecords.customized..)sortedrr)rrrr rdszpermissiveRecords.customizedr=rcCsddddtjtjDD}t|dkr0dS|rDtdtd|j}x|D]}||krRt|qRWt|dkrzdS|rtdtdx|D] }t|qWdS)NcSsg|] }|dqS)r,r)rsyrrr rusz*permissiveRecords.list..cSsg|]}|dr|qS)Z permissiver)rsrtrrr rusrz %-25s zBuiltin Permissive TypeszCustomized Permissive Types)rZinfoZTYPErHrxrrr)rryrzrvrdrgrrr r{s      zpermissiveRecords.listcCsyddlj}Wn tk r.ttdYnXd|}d|}t|j|t||d}|dkrf|j|dkr~ttd|dS)NrzThe sepolgen python module is required to setup permissive domains. In some distributions it is included in the policycoreutils-devel package. # yum install policycoreutils-devel Or similar for your distro.z permissive_%sz(typepermissive %s)Zcilz?Could not set permissive domain %s (module installation failed)) Zsepolgen.moduler ImportErrorr^rZsemanage_module_installrWrHr8)rrSrr,ZmodtxtrLrrr rszpermissiveRecords.addcCsFx8|jD],}t|jd|}|dkr ttd|q W|jdS)Nz permissive_%srz5Could not remove permissive domain %s (remove failed))rrrWr^rr8)rr,nrLrrr rs zpermissiveRecords.deletecCs,|j}t|dkr(dj|}|j|dS)Nr )rrrHjoinr)rrrvrrr ras  zpermissiveRecords.deleteall)N)r=r) r9r:r;r!rrrdr{rrrarrrr rs   rc@s~eZdZdddZddZddZdd Zd d d Zd!d dZddZ ddZ ddZ ddZ d"ddZ ddZd#ddZdS)$ loginRecordsNcCs(tj||d|_d|_d|_d|_dS)N)rPr!r/r1r#r.)rrTrrr r!s  zloginRecords.__init__c Cstj|\}|_|_|dkr d}t|j}|j|j\}\}}|j|\}\}} tdkrn|dkrjt|}n|}t |j |\}} |dkrt t d||ddkryt j|ddWn$t t d|ddYnXn,ytj|Wnt t d|YnXt|j \}} |dkr4t t d |t|j | |}|dkr\t t d |tdkr|dkrt|j | |}|dkrt t d |t|j | |}|dkrt t d |t|j | | }|dkrt t d |t| t| dS)NrZuser_ur=rzCould not create a key for %s%zLinux Group %s does not existzLinux User %s does not existz%Could not create login mapping for %szCould not set name for %szCould not set MLS range for %sz!Could not set SELinux user for %sz"Could not add login mapping for %s)rGgetseuserbynamer/r1seluserRecordsrTgetr`rOsemanage_seuser_key_createrWr^rgrpZgetgrnampwdgetpwnamZsemanage_seuser_createZsemanage_seuser_set_namesemanage_seuser_set_mlsrangesemanage_seuser_set_senamesemanage_seuser_modify_localsemanage_seuser_key_freesemanage_seuser_free) rr,r#r.recuserrecr&rLr0r-kurrr __add sP         zloginRecords.__addcCsxyL|j|j|r4ttd||j|||n|j||||jWn&tk rr}z |WYdd}~XnXdS)Nz:Login mapping for %s is already defined, modifying instead)rb_loginRecords__existsrxr_loginRecords__modify_loginRecords__addr8r^)rr,r#r.errorrrr rVs  zloginRecords.addcCs\t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t||S)NrzCould not create a key for %sz2Could not check if login mapping for %s is defined)rrWr^rsemanage_seuser_existsr)rr,rLrr~rrr __existsdszloginRecords.__existsrc Cstj|\}|_|_|dkr0|dkr0ttdt|j}|j|j\}\}}|dkrj|j|\}\}} n|} |dkr~||_ n||_ t |j |\}} |dkrttd|t |j | \}} |dkrttd|| sttd|t |j | \}} |dkrttd|t| |_t| |_tdkrL|dkrLt|j | t||dkrlt|j | |||_n|j|_t|j | | }|dkrttd |t| t| dS) NrzRequires seuser or serangerzCould not create a key for %sz2Could not check if login mapping for %s is definedz#Login mapping for %s is not definedzCould not query seuser for %sr=z%Could not modify login mapping for %s)rGrr/r1r^rrrTrr.rrWrZsemanage_seuser_querysemanage_seuser_get_mlsrangesemanage_seuser_get_senamer`rrOrr#rrr) rr,r#r.rrr&rLr0r-rr~rrrr __modifypsF       zloginRecords.__modifycCsNy"|j|j||||jWn&tk rH}z |WYdd}~XnXdS)N)rbrr8r^)rr,r#r.rrrr modifys  zloginRecords.modifyc Cs*tj|\}|_|_t|j}|j|j\}\}}t|j|\}}|dkrZt t d|t |j|\}}|dkrt t d||st t d|t |j|\}}|dkrt t d||st t d|t |j|}|dkrt t d|t|tjd\}|_|_|j|j\}\}} dS)NrzCould not create a key for %sz2Could not check if login mapping for %s is definedz#Login mapping for %s is not definedzttdx,|jD]"}t|}t|t|df||<qFW|S)NrzCould not list login mappingsr) rrWrZsemanage_seuser_listr^rrrr)rrzrrLrr,rrr rrs  zloginRecords.get_allcCstg}|jd}x`t|jD]P}||drR|jd||d||d|fq|jd||d|fqW|S)NTr=z-a -s %s -r '%s' %srz -a -s %s %s)rrrkeysr')rrrrrrr rds  &zloginRecords.customizedr=c CsN|j|}|j}t|j}t|j}t|dkrFt|dkrFdStdkr|rxtdtdtdtdtdfx8|D]0}||}td||dt|d|d fq~Wt|rtd |j x|D]0}||}td||dt|d|d fqWnF|r"td tdtdfx&|D]}td |||dfq(WdS) Nrr=z %-20s %-20s %-20s %s z Login Namez SELinux Userz MLS/MCS RangeZServicez%-20s %-20s %-20s %srwz Local customization in %sz %-25s %-25s z %-25s %-25s) rrrrrrHr`rxrrNr) rryrzrZldictZlkeysrrrrrr r{s*    $ ( * zloginRecords.list)N)rr)rr)r)r=r)r9r:r;r!rrrrrrrrarrrrdr{rrrr rs 6 2     rc@seZdZdddZddZddZdd Zd d Zgd d d fd dZgd d d fddZ ddZ ddZ ddZ d ddZ ddZd!ddZdS)"rNcCstj||dS)N)rPr!)rrTrrr r!"szseluserRecords.__init__cCst|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t|j|\}}|dkrxttd|t|}t|j|}t|t |||fS)NrzCould not create a key for %sz-Could not check if SELinux user %s is definedzCould not query user for %s) semanage_user_key_createrWr^rsemanage_user_existssemanage_user_querysemanage_user_get_mlsrangesemanage_user_get_rolessemanage_user_key_freesemanage_user_free)rr,rLrr~rr.r-rrr r%s zseluserRecords.getc Cstdkr4|dkrd}nt|}|dkr,d}nt|}t|dkrPttd|t|j|\}}|dkrxttd|t|j\}}|dkrttd|t|j||}|dkrttd|x6|D].} t |j|| }|dkrttd | |fqWtdkrVt |j||}|dkr.ttd |t |j||}|dkrVttd |t |j||}|dkrttd | |ft |j|\}} |dkrttd |t|j||}|dkrttd|t|t||jjd|dj||ddS)Nr=rs0z%You must add at least one role for %srzCould not create a key for %sz$Could not create SELinux user for %szCould not set name for %szCould not add role %s for %szCould not set MLS range for %szCould not set MLS level for %szCould not add prefix %s for %szCould not extract key for %szCould not add SELinux user %sseuserr$)r#r-r.)r`rOrHr^rrrWZsemanage_user_createZsemanage_user_set_namesemanage_user_add_rolesemanage_user_set_mlsrangesemanage_user_set_mlslevelsemanage_user_set_prefixZsemanage_user_key_extractsemanage_user_modify_localrrrYr3r) rr,rolesselevelr.prefixrLrrrrirrr r5sR        zseluserRecords.__addcCsyT|j|j|r8ttd||j|||||n|j||||||jWn2tk r}z|jjd|WYdd}~XnXdS)Nz5SELinux user %s is already defined, modifying insteadr) rb_seluserRecords__existsrxr_seluserRecords__modify_seluserRecords__addr8r^rY)rr,rrr.rrrrr rls   zseluserRecords.addcCs\t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t||S)NrzCould not create a key for %sz-Could not check if SELinux user %s is defined)rrWr^rrr)rr,rLrr~rrr ryszseluserRecords.__existsrc Cs@d}d}dj|}|dkrXt|dkrX|dkrX|dkrXtdkrLttdn ttdt|j|\} } | dkrttd|t|j| \} } | dkrttd|| sttd |t|j| \} } | dkrttd |t | }t |j| \} } | dkrdj| }tdkr6|dkr6t |j| t |tdkr\|dkr\t |j| t ||dkrtt|j| |t|dkrx"| D]}||krt| |qWx&|D]}|| krt|j| |qWt|j| | } | dkrttd |t| t| d j|j}d j|j}|jjd ||||||ddS)Nrrrr=z&Requires prefix, roles, level or rangezRequires prefix or roleszCould not create a key for %sz-Could not check if SELinux user %s is definedzSELinux user %s is not definedzCould not query user for %sz Could not modify SELinux user %sr$r)r#r/r-r.r0r1)rrHr`r^rrrWrrrrrrOrrZsemanage_user_del_rolerrrrrrYr3)rr,rrr.rr0r1ZnewrolesrLrr~rrlistrr%rrr rsV $         zseluserRecords.__modifycCs^y&|j|j||||||jWn2tk rX}z|jjd|WYdd}~XnXdS)Nr)rbrr8r^rY)rr,rrr.rrrrr rs  zseluserRecords.modifyc Cs8t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd||sdttd|t|j|\}}|dkrttd||sttd|t|j|\}}|dkrttd|t|}t|j|\}}dj |}t |j|}|dkrttd|t |t ||j jd |||d dS) NrzCould not create a key for %sz-Could not check if SELinux user %s is definedzSELinux user %s is not definedz7SELinux user %s is defined in policy, cannot be deletedzCould not query user for %sr$z Could not delete SELinux user %sr)r/r1r0)rrWr^rrZsemanage_user_exists_localrrrrZsemanage_user_del_localrrrYr4) rr,rLrr~rr1rr0rrr rs2   zseluserRecords.__deletecCsVy|j|j||jWn2tk rP}z|jjd|WYdd}~XnXdS)Nr)rb_seluserRecords__deleter8r^rY)rr,rrrr rs   zseluserRecords.deletecCst|j\}}|dkr"ttdy0|jx|D]}|jt|q2W|jWn2tk r}z|jjd|WYdd}~XnXdS)NrzCould not list login mappings) semanage_user_list_localrWr^rrbrsemanage_user_get_namer8rY)rrLrrrrrr ras    zseluserRecords.deleteallrcCsi}|rt|j\}|_nt|j\}|_|dkr>ttdxh|jD]^}t|}t|j|\}}|dkrzttd|dj|}t |t |t ||f|t|<qFW|S)NrzCould not list SELinux usersz Could not list roles for user %sr) rrWrZsemanage_user_listr^rrrrZsemanage_user_get_prefixZsemanage_user_get_mlslevelr)rrzrrLrr,rrrrr rrs   $zseluserRecords.get_allcCsg}|jd}xvt|jD]f}||ds8||drh|jd||d||d||d|fq|jd||d|fqW|S)NTr=rwz-a -L %s -r %s -R '%s' %srz -a -R '%s' %s)rrrrr')rrrrrrr rds 0zseluserRecords.customizedr=c Cs|j|}t|dkrdSt|j}tdkr|r|tddtdtdtdftdtdtd td td td fx|D]B}td |||dt||dt||d||dfqWnB|rtdtdtd fx$|D]}td|||dfqWdS)Nrr=z %-15s %-10s %-10s %-30srZLabelingzMLS/z%-15s %-10s %-10s %-30s %s z SELinux UserZPrefixz MCS Levelz MCS Rangez SELinux Rolesz%-15s %-10s %-10s %-30s %srwrz %-15s %s z%-15s %s)rrrHrrr`rxrrN)rryrzrrrrrr r{s    * D zseluserRecords.list)N)r)r=r)r9r:r;r!rrrrrrrrrarrrdr{rrrr r s 7  8 !   rc@seZdZgZd ddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ d!ddZd"ddZddZd#ddZdS)$ portRecordsNc CsJtj||y$tttjtjddd|_Wntk rDYnXdS)NZ port_typertypes)rPr!r{rZr ATTRIBUTE valid_types RuntimeError)rrTrrr r!4s  $zportRecords.__init__c Csttttd}||jkr$||}n ttd|dkrDttd|jd}t|dkrlt |d}}nt |d}t |d}|dkrttd t |j |||\}} |dkrttd ||f| |||fS) N)ZtcpZudpZsctpZdccpz0Protocol has to be one of udp, tcp, dccp or sctprzPort is requiredr"r=riz Invalid Portz Could not create a key for %s/%s) ZSEMANAGE_PROTO_TCPZSEMANAGE_PROTO_UDPZSEMANAGE_PROTO_SCTPZSEMANAGE_PROTO_DCCPrr^rrrHintZsemanage_port_key_createrW) rportprotoZ protocolsproto_dZportshighlowrLrrrr __genkey;s(         zportRecords.__genkeyc Cs,tdkr|dkrd}nt|}|dkr2ttdtj|}||jkrVttd||j||\}}}}t|j \} } | dkrttd||ft | |t | ||t |j \} } | dkrttd||ft |j | d } | dkrttd ||ft|j | d } | dkr*ttd ||ft|j | |} | dkrVttd ||ftdkr|dkrt|j | |} | dkrttd||ft|j | | } | dkrttd||ft|j || } | dkrttd||ft| t|t| |jjd|tj|d d ||fdS)Nr=rrzType is requiredz'Type %s is invalid, must be a port typerzCould not create port for %s/%sz"Could not create context for %s/%ssystem_uz,Could not set user in port context for %s/%sobject_rz,Could not set role in port context for %s/%sz,Could not set type in port context for %s/%sz2Could not set mls fields in port context for %s/%sz$Could not set port context for %s/%szCould not add port %s/%sz8resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s)r`rOr^rrZget_real_type_namer_portRecords__genkeyZsemanage_port_createrWZsemanage_port_set_protoZsemanage_port_set_rangesemanage_context_createsemanage_context_set_usersemanage_context_set_rolesemanage_context_set_typesemanage_context_set_mlsZsemanage_port_set_consemanage_port_modify_localsemanage_context_freesemanage_port_key_freesemanage_port_freerYr6r getprotobyname) rrrr.rSrrrrrLrconrrr rWsR          zportRecords.__addcCsX|j|j||rttdxX|jD]N}t|}t|}t|}t |}t |} t |} t |} ||f|| | | f<qFW|S)NrzCould not list ports) rrWrsemanage_port_listr^rrsemanage_context_get_typesemanage_context_get_mlsrrrr) rrzrrLrrctypelevelrr rrrrr rr s   zportRecords.get_allc Csi}|rt|j\}|_nt|j\}|_|dkr>ttdx|jD]}t|}t|}t|}t |}t |} t |} ||f|j krg|||f<| | kr|||fj d| qF|||fj d| | fqFW|S)NrzCould not list portsz%dz%d-%d)rrWrr r^rrr rrrrrr') rrzrrLrrrrr rrrrr get_all_by_type s&   zportRecords.get_all_by_typecCsg}|jd}xt|jD]}|d|dkr8|dnd|d|df}||dr|jd||d||d|d|fq|jd||d|d|fqW|S)NTrr=z%s-%sz-a -t %s -r '%s' -p %s %srwz-a -t %s -p %s %s)rrrrr')rrrrrrrr rd8s , ,$zportRecords.customizedr=cCs|j|}t|dkrdSt|j}|rHtdtdtdtdfxV|D]N}d|}|d||d7}x$||ddD]}|d |7}qWt|qNWdS) Nrz%-30s %-8s %s zSELinux Port TypeZProtoz Port Numberz %-30s %-8s z%sr=z, %s)rrHrrrxr)rryrzrrrorrrrr r{Cs    zportRecords.list)N)r)r)r=r)r9r:r;rr!rrrrrrrar rrrrrdr{rrrr r0s :  *   rc@seZdZgZd ddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ d!ddZd"ddZddZd#ddZdS)$ ibpkeyRecordsNc CsXtj||y:tjtjtj|jdgd}tdd|j D|_ Wn YnXdS)NZ ibpkey_type)attrscss|]}t|VqdS)N)r*)rsrgrrr Zsz)ibpkeyRecords.__init__..) rPr!setools TypeQuery SELinuxPolicyrZget_store_policyrRrresultsr)rrTqrrr r!Vs  zibpkeyRecords.__init__cCs|dkrttd|jd}t|dkr>t|dd}}nt|dd}t|dd}|dkrnttdt|j|||\}}|dkrttd||f||||fS) NrzSubnet Prefix is requiredr"r=riz Invalid Pkeyz Could not create a key for %s/%s)r^rrrHrZsemanage_ibpkey_key_createrW)rpkey subnet_prefixZpkeysrrrLrrrr r^s    zibpkeyRecords.__genkeyc Cstdkr|dkrd}nt|}|dkr2ttdtj|}||jkrVttd||j||\}}}}t|j \}} |dkrttd||ft |j | |t | ||t |j \}} |dkrttd||ft |j | d }|dkrttd ||ft|j | d }|dkr0ttd ||ft|j | |}|dkr\ttd ||ftdkr|dkrt|j | |}|dkrttd||ft|j | | }|dkrttd||ft|j || }|dkrttd||ft| t|t| dS)Nr=rrzType is requiredz)Type %s is invalid, must be a ibpkey typerz!Could not create ibpkey for %s/%sz"Could not create context for %s/%srz.Could not set user in ibpkey context for %s/%srz.Could not set role in ibpkey context for %s/%sz.Could not set type in ibpkey context for %s/%sz4Could not set mls fields in ibpkey context for %s/%sz&Could not set ibpkey context for %s/%szCould not add ibpkey %s/%s)r`rOr^rrZrr_ibpkeyRecords__genkeyZsemanage_ibpkey_createrWZ!semanage_ibpkey_set_subnet_prefixZsemanage_ibpkey_set_rangerrrrrZsemanage_ibpkey_set_consemanage_ibpkey_modify_localrsemanage_ibpkey_key_freesemanage_ibpkey_free) rrrr.rSrrrrLrrrrr rqsP          zibpkeyRecords.__addcCsX|j|j||rttdxb|jD]X}t|}t|}|dkrdqFt|}t |j|\}}t |} t |} ||f|| | |f<qFW|S)NrzCould not list ibpkeysZreserved_ibpkey_t) r%rWrsemanage_ibpkey_listr^rr$r r r&r'r() rrzrrLr*rrrrrrrrr rrs"  zibpkeyRecords.get_allc Csi}|rt|j\}|_nt|j\}|_|dkr>ttdx|jD]}t|}t|}t|j|\}}t |}t |} ||f|j krg|||f<|| kr|||fj d|qF|||fj d|| fqFW|S)NrzCould not list ibpkeysz0x%xz 0x%x-0x%x) r%rWrr,r^rr$r r&r'r(rr') rrzrrLr*rrrrrrrr r,s$   zibpkeyRecords.get_all_by_typecCsg}|jd}xt|jD]}|d|dkr8|dnd|d|df}||dr|jd||d||d|d|fq|jd||d|d|fqW|S)NTrr=z%s-%sz-a -t %s -r '%s' -x %s %srwz-a -t %s -x %s %s)rrrrr')rrrrrrrr rdCs , ,$zibpkeyRecords.customizedr=cCs|j|}|j}t|dkr"dS|rDtdtdtdtdfxZt|D]N}d|}|d||d7}x$||ddD]}|d |7}qWt|qNWdS) Nrz%-30s %-18s %s zSELinux IB Pkey TypeZ Subnet_Prefixz Pkey Numberz %-30s %-18s z%sr=z, %s)rrrHrxrr)rryrzrrrorrrrr r{Os  zibpkeyRecords.list)N)r)r)r=r)r9r:r;rr!rr"rr r!rrar+rrrrrdr{rrrr rRs 8  &   rc@seZdZgZd ddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ d!ddZd"ddZddZd#ddZdS)$ibendportRecordsNc CsXtj||y:tjtjtj|jdgd}tdd|j D|_ Wn YnXdS)NZibendport_type)rcss|]}t|VqdS)N)r*)rsrgrrr rfsz,ibendportRecords.__init__..) rPr!rrrrZrrRsetrr)rrTrrrr r!bs  zibendportRecords.__init__cCsp|dkrttdt|}|dks,|dkr8ttdt|j||\}}|dkrfttd||f|||fS)NrzIB device name is requiredr=zInvalid Port Numberrz*Could not create a key for ibendport %s/%s)r^rrZsemanage_ibendport_key_createrW)r ibendport ibdev_namerrLrrrr rjs  zibendportRecords.__genkeyc Cs tdkr|dkrd}nt|}|dkr2ttdtj|}||jkrVttd||j||\}}}t|j \}}|dkrttd||ft |j ||t ||t |j \}} |dkrttd||ft |j | d }|dkrttd ||ft|j | d }|dkr*ttd ||ft|j | |}|dkrVttd ||ftdkr|dkrt|j | |}|dkrttd||ft|j || }|dkrttd||ft|j ||}|dkrttd||ft| t|t|dS)Nr=rrzType is requiredz-Type %s is invalid, must be an ibendport typerz$Could not create ibendport for %s/%sz"Could not create context for %s/%srz1Could not set user in ibendport context for %s/%srz1Could not set role in ibendport context for %s/%sz1Could not set type in ibendport context for %s/%sz7Could not set mls fields in ibendport context for %s/%sz)Could not set ibendport context for %s/%szCould not add ibendport %s/%s)r`rOr^rrZrr_ibendportRecords__genkeyZsemanage_ibendport_createrWZ!semanage_ibendport_set_ibdev_nameZsemanage_ibendport_set_portrrrrrZsemanage_ibendport_set_consemanage_ibendport_modify_localrsemanage_ibendport_key_freesemanage_ibendport_free) rr0r1r.rSrrrLrrrrr rxsP         zibendportRecords.__addcCsX|j|j||rttd||f|sVttd||ft|j|\}}|dkrttd||f|sttd||ft|j|}|dkrttd||ft|dS)Nrz-Could not check if ibendport %s/%s is definedzibendport %s/%s is not definedz7ibendport %s/%s is defined in policy, cannot be deletedz Could not delete ibendport %s/%s)r2r9rWr^rZsemanage_ibendport_exists_localr>r4)rr0r1rrrLr~rrr rs zibendportRecords.__deletecCs |j|j|||jdS)N)rb_ibendportRecords__deleter8)rr0r1rrr rs zibendportRecords.deleterc Csi}|rt|j\}|_nt|j\}|_|dkr>ttdxX|jD]N}t|}t|}|dkrdqFt|}t |j|\}}t |} ||f|| |f<qFW|S)NrzCould not list ibendportsZreserved_ibendport_t) r;rWrsemanage_ibendport_listr^rr:r r r<r=) rrzrrLr0rrrr1rrrr rrs   zibendportRecords.get_allc Csi}|rt|j\}|_nt|j\}|_|dkr>ttdxh|jD]^}t|}t|}t|j|\}}t |}||f|j krg|||f<|||fj d|qFW|S)NrzCould not list ibendportsz0x%x) r;rWrr@r^rr:r r<r=rr') rrzrrLr0rrr1rrrr r/s   z ibendportRecords.get_all_by_typecCsg}|jd}xtt|jD]d}||dr\|jd||d||d|d|dfq|jd||d|d|dfqW|S)NTr=z-a -t %s -r '%s' -z %s %srz-a -t %s -z %s %s)rrrrr')rrrrrrr rdBs  0(zibendportRecords.customizedr=cCs|j|}|j}t|dkr"dS|rDtdtdtdtdfxZt|D]N}d|}|d||d7}x$||ddD]}|d |7}qWt|qNWdS) Nrz%-30s %-18s %s zSELinux IB End Port TypezIB Device Namez Port Numberz %-30s %-18s z%sr=z, %s)rrrHrxrr)rryrzrrrorrrrr r{Ms  zibendportRecords.list)N)r)r)r=r)r9r:r;rr!r2r8rr6r7rrar?rrrrrdr{rrrr r-^s 7  &   r-c@s~eZdZgZdddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ dddZddZd ddZdS)! nodeRecordsNc CsTtj||ddg|_y$tttjtjddd|_Wntk rNYnXdS)NZipv4Zipv6Z node_typerr) rPr!protocolr{rZrrrr)rrTrrr r!`s   $znodeRecords.__init__c Cs|}|}d}|dkr ttdt|dks8|ddkrztj||}t|j}t|j}|dkrp|jdkrpd}d|j}y|j j |}Wnttd YnX|||fS) NrzNode Address is requiredrrz0.0.0.0z::zipv%dzUnknown or missing protocol) r^rrH ipaddressZ ip_networkr*Znetwork_addressZnetmaskversionrBindex)raddrmaskrBZnewaddrZnewmaskZ newprotocolrorrr validatehs"    znodeRecords.validatec Csp|j|||\}}}tdkr2|dkr*d}nt|}|dkrFttdtj|}||jkrjttd|t|j |||\}}|dkrttd|t |j \}}|dkrttd|t ||t |j |||}t |j \}} |dkrttd |t|j |||}|dkr&ttd |t|j | d }|dkrNttd |t|j | d }|dkrvttd|t|j | |}|dkrttd|tdkr|dkrt|j | |}|dkrttd|t|j || }|dkrttd|t|j ||}|dkr*ttd|t| t|t||jjd||tj|j|d d ||fdS)Nr=rrzSELinux node type is requiredz'Type %s is invalid, must be a node typerzCould not create key for %szCould not create addr for %szCould not create context for %szCould not set mask for %srz)Could not set user in addr context for %srz)Could not set role in addr context for %sz)Could not set type in addr context for %sz/Could not set mls fields in addr context for %sz!Could not set addr context for %szCould not add addr %szCresrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s)rIr`rOr^rrZrrsemanage_node_key_createrWZsemanage_node_createZsemanage_node_set_protoZsemanage_node_set_addrrZsemanage_node_set_maskrrrrZsemanage_node_set_consemanage_node_modify_localrsemanage_node_key_freesemanage_node_freerYr6r rrB) rrGrHrr.rrLrnoderrrr rs^           znodeRecords.__addcCsX|j|j|||r:ttd||j|||||n|j||||||jdS)Nz*Addr %s already defined, modifying instead)rb_nodeRecords__existsrxr_nodeRecords__modify_nodeRecords__addr8)rrGrHrr.rrrr rs znodeRecords.addcCst|j|||\}}}t|j|||\}}|dkr@ttd|t|j|\}}|dkrhttd|t||S)NrzCould not create key for %sz%Could not check if addr %s is defined)rIrJrWr^rsemanage_node_existsrL)rrGrHrrLrr~rrr rsznodeRecords.__existsc Cs|j|||\}}}|dkr0|dkr0ttdtj|}|rX||jkrXttd|t|j|||\}}|dkrttd|t|j|\}}|dkrttd||sttd|t |j|\}} |dkrttd|t | } t d kr|dkrt |j| t ||dkr.t|j| |t|j|| }|dkrVttd |t|t| |jjd ||tj|j|d d ||fdS)NrzRequires setype or serangez'Type %s is invalid, must be a node typerzCould not create key for %sz%Could not check if addr %s is definedzAddr %s is not definedzCould not query addr %sr=zCould not modify addr %szFresrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%srr)rIr^rrZrrrJrWrRZsemanage_node_querysemanage_node_get_conr`rrOrrKrLrMrYr6r rrB) rrGrHrr.rrLrr~rNrrrr rs8    znodeRecords.__modifycCs&|j|j||||||jdS)N)rbrPr8)rrGrHrr.rrrr rsznodeRecords.modifycCs |j|||\}}}t|j|||\}}|dkr@ttd|t|j|\}}|dkrhttd||s|ttd|t|j|\}}|dkrttd||sttd|t|j|}|dkrttd|t||j j d||t j |j |fdS)NrzCould not create key for %sz%Could not check if addr %s is definedzAddr %s is not definedz/Addr %s is defined in policy, cannot be deletedzCould not delete addr %sz1resrc=node op=delete laddr=%s netmask=%s proto=%s)rIrJrWr^rrRZsemanage_node_exists_localZsemanage_node_del_localrLrYr6r rrB)rrGrHrrLrr~rrr rs& znodeRecords.__deletecCs"|j|j||||jdS)N)rb_nodeRecords__deleter8)rrGrHrrrr r#sznodeRecords.deletecCstt|j\}}|dkr"ttd|jx<|D]4}|jt|j|dt|j|d|jt |q0W|j dS)Nrz!Could not deleteall node mappingsr=) semanage_node_list_localrWr^rrbrTsemanage_node_get_addrsemanage_node_get_maskrBsemanage_node_get_protor8)rrLZnlistrNrrr ra(s  4znodeRecords.deleteallrc Csi}|rt|j\}|_nt|j\}|_|dkr>ttdxj|jD]`}t|}t|j|}t|j|}|j t |}t |t |t |t|f||d|d|f<qFW|S)NrzCould not list addrsr=)rUrWilistZsemanage_node_listr^rrSrVrWrBrXsemanage_context_get_usersemanage_context_get_roler r ) rrzrrLrNrrGrHrrrr rr2s    2znodeRecords.get_allc Csg}|jd}xt|jD]p}||drb|jd|d|d||d||d|dfq|jd|d|d||d|dfqW|S)NTrz-a -M %s -p %s -t %s -r '%s' %sr=rwrz-a -M %s -p %s -t %s %s)rrrrr')rrrrrrr rdDs  6.znodeRecords.customizedr=c Cs|j|}t|dkrdSt|j}|r6tddtrx|D]r}d}x|D]}|dt|}qNWtd |d|d |d ||d||d ||d t||d d fq@WnJxH|D]@}td|d|d |d ||d||d ||d fqWdS)Nrz%-18s %-18s %-5s %-5s IP AddressNetmaskProtocolContextr z%-18s %-18s %-5s %s:%s:%s:%s r=rwrFz%-18s %-18s %-5s %s:%s:%s )r\r]r^r_)rrrHrrrxr`r*rN)rryrzrrrvalZfieldsrrr r{Ns      R znodeRecords.list)N)r)r=r)r9r:r;rr!rIrQrrOrPrrTrrarrrdr{rrrr rA\s B (  rAc@sreZdZdddZddZddZdd Zd d Zd d ZddZ ddZ ddZ dddZ ddZ dddZdS)interfaceRecordsNcCstj||dS)N)rPr!)rrTrrr r!cszinterfaceRecords.__init__cCstdkr|dkrd}nt|}|dkr2ttdt|j|\}}|dkrZttd|t|j\}}|dkrttd|t|j||}t|j\}}|dkrttd|t |j|d }|dkrttd |t |j|d }|dkrttd |t |j||}|dkr*ttd |tdkrf|dkrft |j||}|dkrfttd|t |j||}|dkrttd|t|j||}|dkrttd|t|j||}|dkrttd|t|t|t||jjd|d d ||fdS)Nr=rrzSELinux Type is requiredrzCould not create key for %sz!Could not create interface for %szCould not create context for %srz.Could not set user in interface context for %srz.Could not set role in interface context for %sz.Could not set type in interface context for %sz4Could not set mls fields in interface context for %sz&Could not set interface context for %sz$Could not set message context for %szCould not add interface %sz4resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s)r`rOr^rsemanage_iface_key_createrWZsemanage_iface_createZsemanage_iface_set_namerrrrrZsemanage_iface_set_ifconZsemanage_iface_set_msgconsemanage_iface_modify_localrsemanage_iface_key_freesemanage_iface_freerYr6)r interfacer.rrLrifacerrrr rfsT       zinterfaceRecords.__addcCsL|j|j|r2ttd||j|||n|j||||jdS)Nz/Interface %s already defined, modifying instead)rb_interfaceRecords__existsrxr_interfaceRecords__modify_interfaceRecords__addr8)rrgr.rrrr rs  zinterfaceRecords.addcCs\t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t||S)NrzCould not create key for %sz*Could not check if interface %s is defined)rcrWr^rsemanage_iface_existsre)rrgrLrr~rrr rszinterfaceRecords.__existsc Cs>|dkr|dkrttdt|j|\}}|dkrDttd|t|j|\}}|dkrlttd||sttd|t|j|\}}|dkrttd|t|}tdkr|dkrt|j|t ||dkrt |j||t |j||}|dkrttd |t |t ||jjd |d d ||fdS) NrzRequires setype or serangerzCould not create key for %sz*Could not check if interface %s is definedzInterface %s is not definedzCould not query interface %sr=zCould not modify interface %sz7resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%srr)r^rrcrWrlZsemanage_iface_querysemanage_iface_get_ifconr`rrOrrdrerfrYr6) rrgr.rrLrr~rhrrrr rs0  zinterfaceRecords.__modifycCs"|j|j||||jdS)N)rbrjr8)rrgr.rrrr rszinterfaceRecords.modifycCst|j|\}}|dkr(ttd|t|j|\}}|dkrPttd||sdttd|t|j|\}}|dkrttd||sttd|t|j|}|dkrttd|t||jj d|dS)NrzCould not create key for %sz*Could not check if interface %s is definedzInterface %s is not definedz4Interface %s is defined in policy, cannot be deletedzCould not delete interface %sz"resrc=interface op=delete netif=%s) rcrWr^rrlZsemanage_iface_exists_localZsemanage_iface_del_localrerYr6)rrgrLrr~rrr rs$ zinterfaceRecords.__deletecCs|j|j||jdS)N)rb_interfaceRecords__deleter8)rrgrrr rs zinterfaceRecords.deletecCsRt|j\}}|dkr"ttd|jx|D]}|jt|q0W|jdS)Nrz(Could not delete all interface mappings)semanage_iface_list_localrWr^rrbrnsemanage_iface_get_namer8)rrLrrorrr ras  zinterfaceRecords.deleteallrcCs~i}|rt|j\}|_nt|j\}|_|dkr>ttdx:|jD]0}t|}t|t|t |t |f|t |<qFW|S)NrzCould not list interfaces) rorWrYZsemanage_iface_listr^rrmrZr[r r rp)rrzrrLrgrrrr rr s  (zinterfaceRecords.get_allcCstg}|jd}x`t|jD]P}||drR|jd||d||d|fq|jd||d|fqW|S)NTrz-a -t %s -r '%s' %srwz -a -t %s %s)rrrrr')rrrrrrr rd s  &zinterfaceRecords.customizedr=c Cs|j|}t|dkrdSt|j}|rBtdtdtdftrx|D]@}td|||d||d||dt||dd fqLWn:x8|D]0}td |||d||d||dfqWdS) Nrz %-30s %s zSELinux Interfacer_z%-30s %s:%s:%s:%s r=rwrFz%-30s %s:%s:%s )rrrHrrrxrr`rN)rryrzrrrrrr r{ s    B zinterfaceRecords.list)N)r)r=r)r9r:r;r!rkrrirjrrnrrarrrdr{rrrr rbas :  "  rbc@seZdZgZd(ddZddZddZdd Zd)d d Zd dZ d*ddZ d+ddZ ddZ ddZ ddZddZddZddZd,d!d"Zd#d$Zd-d&d'ZdS).fcontextRecordsNcCstj||yLtttjtjddd|_|jtttjtjddd7_Wntk rlYnXi|_i|_ d|_ ydt t j d}xH|jD]<}|j}t|dkrq|jdrq|j\}}||j|<qW|jWntk rYnXynt t jd}xR|jD]F}|j}t|dkr2q|jdrBq|j\}}||j |<qW|jWntk r~YnXdS)NZ file_typerrZ device_nodeFr#)rPr!r{rZrrrrequiv equiv_dist equal_indrrGselinux_file_context_subs_path readlinesstriprHrrrIOErrorZ#selinux_file_context_subs_dist_path)rrTrrotarget substituterrr r!1 sF  ,       zfcontextRecords.__init__c Cs|jrtj}d|}t|d}x*|jjD]}|jd||j|fq,W|jytj |tj |t j Wn YnXtj ||d|_t j|dS)Nz%s.tmpwz%s %s F)rurGrvrrsrwriterr|chmodstatST_MODErenamerPr8)rZ subs_fileZtmpfilerrzrrr r8W s  zfcontextRecords.commitcCsL|j|dkr,|d dkr,ttd||dkrP|ddkrPttd|||jjkrttd|||j|<d|_|jjdt j d|d t j d |d f|j dS|j |xJ|j|j fD]:}x4|D],}|j|drttd ||||fqWqW|jjd t j d|d t j d |d f||j|<d|_|j dS)Nrr=z=Target %s is not valid. Target is not allowed to end with '/'zESubstitute %s is not valid. Substitute is not allowed to end with '/'z:Equivalence class for %s already exists, modifying insteadTz$resrc=fcontext op=modify-equal %s %ssglobrtglobz4File spec %s conflicts with equivalency rule '%s %s'z!resrc=fcontext op=add-equal %s %sr)rbr^rrsrrxrurYr6raudit_encode_nv_stringr8rIrtr)rrzr{fdictrorrr add_equalg s* (  "( zfcontextRecords.add_equalcCsj|j||jjkr&ttd|||j|<d|_|jjdtj d|dtj d|df|j dS)Nz'Equivalence class for %s does not existTz$resrc=fcontext op=modify-equal %s %srrr) rbrsrr^rrurYr6rrr8)rrzr{rrr modify_equal s (zfcontextRecords.modify_equalrcCst|j\}}|dkr&ttd||dkr2d}t|j||}|dkrXttd|t|j|d}|dkr~ttd|tdkrt|j|d }|dkrttd ||S) NrzCould not create context for %srrz)Could not set user in file context for %srz)Could not set role in file context for %sr=rz/Could not set mls fields in file context for %s)rrWr^rrrr`r)rrzrrLrrrr createcon s zfcontextRecords.createconcCs|dks|jddkr"ttd|jdd kr>z1Type %s is invalid, must be a file or device typerzCould not create key for %sz$Could not create file context for %sz)Could not set type in file context for %sz/Could not set mls fields in file context for %sz!Could not set file context for %sz!Could not add file context for %srz6resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%srr)rIr`rOr^rrZrrsemanage_fcontext_key_createrW file_typesZsemanage_fcontext_createZsemanage_fcontext_set_exprrrrsemanage_fcontext_set_conZsemanage_fcontext_set_typesemanage_fcontext_modify_localrsemanage_fcontext_key_freesemanage_fcontext_freerYr6rrftype_to_audit) rrzrSftyper.rrLrfcontextrrrr r sN          zfcontextRecords.__addcCsV|j|j||r8ttd||j|||||n|j||||||jdS)Nz6File context for %s already defined, modifying instead)rb_fcontextRecords__existsrxr_fcontextRecords__modify_fcontextRecords__addr8)rrzrSrr.rrrr r s  zfcontextRecords.addcCst|j|t|\}}|dkr.ttd|t|j|\}}|dkrVttd||st|j|\}}|dkrttd|t||S)NrzCould not create key for %sz1Could not check if file context for %s is defined)rrWrr^rsemanage_fcontext_existssemanage_fcontext_exists_localr)rrzrrLrr~rrr r szfcontextRecords.__existsc Cs|dkr$|dkr$|dkr$ttd|dkrPtj|}||jkrPttd||j|t|j|t|\}}|dkrttd|t |j|\}}|dkrttd||ryt |j|\}} Wn$t k rttd|YnXn|t |j|\}}|dkrttd||s0ttd |yt |j|\}} Wn&t k rjttd|YnX|dkrt| } | dkr|j|} td kr|dkrt|j| t||dkrt|j| ||dkrt|j| |t|j| | }|dkr:ttd |n(t|j| d}|dkr:ttd |t|j|| }|dkrbttd |t|t| |s|d }|jjdtjd|dt||d||fdS)Nrz"Requires setype, serange or seuser<>z1Type %s is invalid, must be a file or device typerzCould not create a key for %sz1Could not check if file context for %s is definedz#Could not query file context for %sz"File context for %s is not definedr=z!Could not set file context for %sz$Could not modify file context for %srz9resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%srr)rr)r^rrZrrrIrrWrrZsemanage_fcontext_queryOSErrorrZsemanage_fcontext_query_localsemanage_fcontext_get_conrr`rrOrrrrrrrYr6rrr) rrzrrr.rrLrr~rrrrr r sf             zfcontextRecords.__modifycCs&|j|j||||||jdS)N)rbrr8)rrzrrr.rrrr rC szfcontextRecords.modifycCst|j\}}|dkr"ttd|jx|D]}t|}t|}t|}t|j|t |\}}|dkrzttd|t |j|}|dkrttd|t ||j j dtjd|dtt|fq0Wi|_d|_|jdS)Nrz Could not list the file contextszCould not create a key for %sz$Could not delete the file context %sz$resrc=fcontext op=delete %s ftype=%srT)semanage_fcontext_list_localrWr^rrbsemanage_fcontext_get_exprsemanage_fcontext_get_typesemanage_fcontext_get_type_strrrsemanage_fcontext_del_localrrYr6rrrfile_type_str_to_optionrsrur8)rrLflistrrzr ftype_strrrrr raH s&   *zfcontextRecords.deleteallcCs:||jjkr>|jj|d|_|jjdtjd|ddSt|j |t |\}}|dkrlt t d|t |j |\}}|dkrt t d||st|j |\}}|dkrt t d||rt t d|nt t d|t|j |}|dkr t t d |t||jjd tjd|dt|fdS) NTz!resrc=fcontext op=delete-equal %srrzCould not create a key for %sz1Could not check if file context for %s is definedz;File context for %s is defined in policy, cannot be deletedz"File context for %s is not definedz$Could not delete file context for %sz$resrc=fcontext op=delete %s ftype=%s)rsrpoprurYr6rrrrWrr^rrrrrr)rrzrrLrr~rrr rb s.   zfcontextRecords.__deletecCs |j|j|||jdS)N)rb_fcontextRecords__deleter8)rrzrrrr r s zfcontextRecords.deleterc Cs|rt|j\}|_nt|j\}|_|dkr:ttdt|j\}}|dkr\ttdt|j\}}|dkr~ttd|j|7_|j|7_i}xd|jD]Z}t|}t|}t |} t |} | rt | t | t | t| f||| f<q| ||| f<qW|S)NrzCould not list file contextsz1Could not list file contexts for home directoriesz"Could not list local file contexts)rrWrZsemanage_fcontext_listr^rZsemanage_fcontext_list_homedirsrrrrrZr[r r ) rrzrLZ fchomedirsZfclocalrrexprrrrrrr rr s.    &zfcontextRecords.get_allcCsg}|jd}x|jD]t}||r||drd|jdt|d||d||d|dfq|jdt|d||d|dfqWt|jrx*|jjD]}|jd|j||fqW|S) NTrz-a -f %s -t %s -r '%s' '%s'r=rwrz-a -f %s -t %s '%s'z -a -e %s %s)rrrr'rrHrs)rr fcon_dictrrzrrr rd s  4, zfcontextRecords.customizedr=c Cs|j|}t|dkr|r:tdtdtdtdf|rH|j}n t|j}x|D]}||rtrtd|d|d||d||d||dt||d d fn6td |d|d||d||d||dfqZtd |d|dfqZWt|jrV|sV|r*ttd x*|jjD]}td||j|fq6Wt|j r|rtttdx*|j jD]}td||j |fqWdS)Nrz%-50s %-18s %s zSELinux fcontextrSr_z%-50s %-18s %s:%s:%s:%s r=rwrFz%-50s %-18s %s:%s:%s z%-50s %-18s <>z, SELinux Distribution fcontext Equivalence z%s = %sz% SELinux Local fcontext Equivalence ) rrrHrxrrrr`rNrtrs)rryrzrZfkeysrrzrrr r{ s0    H8    zfcontextRecords.list)N)r)rrr)rrr)r)r=r)r9r:r;rr!r8rrrrIrrrrrrarrrrrdr{rrrr rq- s$ &  6 C! rqc@sleZdZdddZddZdddZd d Zd d Zd dZdddZ ddZ ddZ ddZ dddZ dS)booleanRecordsNc Cstj||i|_d|jd<d|jd<d|jd<d|jd<d|jd<d|jd<ytj\}|_tj\}}Wng|_d}YnX|jd ks|j|krd |_nd |_dS) Nr=ZTRUErZFALSEZONZOFF10rTF) rPr!dictrGZsecurity_get_boolean_namescurrent_booleansrXrR modify_local)rrTrLZptyperrr r! s"        zbooleanRecords.__init__cCsLtj|}t|j|\}}|dkr2ttd|t|j|\}}|dkrZttd||snttd|t|j|\}}|dkrttd||j|j krt ||j |jnttddj |j j |j o||jkrt|j||}|dkrttd|t|j||}|dkr8ttd |t|t|dS) NrzCould not create a key for %sz(Could not check if boolean %s is definedzBoolean %s is not definedzCould not query file context %sz0You must specify one of the following values: %sz, z(Could not set active value of boolean %szCould not modify boolean %s)rGselinux_boolean_subsemanage_bool_key_createrWr^rsemanage_bool_existsZsemanage_bool_queryupperrZsemanage_bool_set_valuerrrrZsemanage_bool_set_activeZsemanage_bool_modify_localsemanage_bool_key_freeZsemanage_bool_free)rr,valuerLrr~r rrr Z__mod s0   zbooleanRecords.__modFc Cs|j|rt|}x||jjdD]j}|j}t|dkr>q$y|jd\}}Wn(tk rxttd||fYnX|j|j|jq$W|j n |j|||j dS)Nrr=zBad format %s: Record %s) rbrrrrxrHr^r_booleanRecords__modrr8)rr,ruse_filerr Zboolnamerarrr r s   zbooleanRecords.modifycCstj|}t|j|\}}|dkr2ttd|t|j|\}}|dkrZttd||snttd|t|j|\}}|dkrttd||sttd|t|j|}|dkrttd|t |dS)NrzCould not create a key for %sz(Could not check if boolean %s is definedzBoolean %s is not definedz2Boolean %s is defined in policy, cannot be deletedzCould not delete boolean %s) rGrrrWr^rrZsemanage_bool_exists_localZsemanage_bool_del_localr)rr,rLrr~rrr r# s$  zbooleanRecords.__deletecCs|j|j||jdS)N)rb_booleanRecords__deleter8)rr,rrr r; s zbooleanRecords.deletecCsZt|j\}|_|dkr$ttd|jx |jD]}t|}|j|q4W|jdS)NrzCould not list booleans) semanage_bool_list_localrWblistr^rrbsemanage_bool_get_namerr8)rrLbooleanr,rrr ra@ s  zbooleanRecords.deleteallrcCsi}|rt|j\}|_nt|j\}|_|dkr>ttdx~|jD]t}g}t|}|jt||j r||j kr|jt j ||jt j |n|j|d|j|d|||<qFW|S)NrzCould not list booleans)rrWrZsemanage_bool_listr^rrr'Zsemanage_bool_get_valuerrrGZsecurity_get_boolean_pendingZsecurity_get_boolean_active)rrzrrLrrr,rrr rrM s"   zbooleanRecords.get_allcCstj|}tj|S)N)rGrrZZ boolean_desc)rr,rrr get_descd s zbooleanRecords.get_desccCstj|}tj|S)N)rGrrZZboolean_category)rr,rrr get_categoryh s zbooleanRecords.get_categorycCsJg}|jd}x6t|jD]&}||r|jd||d|fqW|S)NTz -m -%s %srw)rrrrr')rrrrrrr rdl s  zbooleanRecords.customizedTcCstdtdf}|rX|j|}x4t|jD]$}||r,td|||dfq,WdS|j|}t|dkrrdS|rtdtdtdtd td fxNt|jD]>}||rtd ||||d|||d|j|fqWdS) Nrrz%s=%srwrz%-30s %s %s %s zSELinux booleanZStateZDefaultZ Descriptionz%-30s (%-5s,%5s) %s)rrrrrrxrHr)rryrzrZon_offrrrrr r{t s   $zbooleanRecords.list)N)NF)r)TFF)r9r:r;r!rrrrrarrrrrdr{rrrr r s   r)r)r=)r=)9rrrGr|rBr(rr r5ZPROGNAMErZrrDgettextkwargs version_infoZinstallbuiltinsr*__dict__rZ __builtin__rr>rZSEMANAGE_FCONTEXT_ALLZSEMANAGE_FCONTEXT_REGZSEMANAGE_FCONTEXT_DIRZSEMANAGE_FCONTEXT_CHARZSEMANAGE_FCONTEXT_BLOCKZSEMANAGE_FCONTEXT_SOCKZSEMANAGE_FCONTEXT_LINKZSEMANAGE_FCONTEXT_PIPErrrZ audit_closerrrr?rFrNrOrPrfrrrrrrr-rArbrqrrrrr s  $$  ik H $M.