a ‰ÄÏhÜUã@søddlZddlZddlmZddlmZddlmZdd„Zdd „Zd d „ZGd d „d ƒZ Gdd„de ƒZ Gdd„de ƒZ ddl m Z iZGdd„de ƒZGdd„de ƒZGdd„de ƒZGdd„de ƒZGdd„dƒZGdd„dƒZGdd„dƒZdS) éNé)Ú refpolicy)Úaccess)ÚutilcCs–ddl}ddl}tddƒ}t| ¡ ¡dƒ}|j| | ¡|¡}| d|¡}| d|¡}|j ddd d ||g|j d   ¡d}t j r’t  |¡}|S) á Obtain all of the avc and policy load messages from the audit log. This function uses ausearch and requires that the current process have sufficient rights to run ausearch. Returns: string contain all of the audit messages returned by ausearch. rNz /proc/uptimeÚrz%xz%Xú/sbin/ausearchú-mú5AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERRz-ts©Ústdout)Ú subprocessÚtimeÚopenÚfloatÚreadÚsplitÚcloseÚ localtimeÚstrftimeÚPopenÚPIPEÚ communicaterÚPY3Ú decode_input)r rÚfdZoffÚsZbootdateZboottimeÚoutput©rú2/usr/lib/python3.9/site-packages/sepolgen/audit.pyÚget_audit_boot_msgss    ÿÿ r cCs8ddl}|jgd¢|jd ¡d}tjr4t |¡}|S)rrN)rr r r ©r rrrrrr©r rrrrÚget_audit_msgs2s ÿÿ r#cCs6ddl}|jdg|jd ¡d}tjr2t |¡}|S)z•Obtain all of the avc and policy load messages from /bin/dmesg. Returns: string contain all of the audit messages returned by dmesg. rNz /bin/dmesgr r!r"rrrÚget_dmesg_msgsAsÿÿ r$c@s eZdZdZdd„Zdd„ZdS)Ú AuditMessagezãBase class for all objects representing audit messages. AuditMessage is a base class for all audit messages and only provides storage for the raw message (as a string) and a parsing function that does nothing. cCs||_d|_dS©NÚ)ÚmessageÚheader©Úselfr(rrrÚ__init__WszAuditMessage.__init__cCs^|D]T}| d¡}t|ƒdkr<|dd…dkr||_dSq|ddkr|d|_dSqdS) zàParse a string that has been split into records by space into an audit message. This method should be overridden by subclasses. Error reporting should be done by raise ValueError exceptions. ú=éNézaudit(rÚmsgr)rÚlenr)©r+Úrecsr0ÚfieldsrrrÚfrom_split_string[s    zAuditMessage.from_split_stringN©Ú__name__Ú __module__Ú __qualname__Ú__doc__r,r5rrrrr%Psr%c@seZdZdZdd„ZdS)ÚInvalidMessagezþClass representing invalid audit messages. This is used to differentiate between audit messages that aren't recognized (that should return None from the audit message parser) and a message that is recognized but is malformed in some way. cCst ||¡dS©N©r%r,r*rrrr,vszInvalidMessage.__init__N©r7r8r9r:r,rrrrr;psr;c@s eZdZdZdd„Zdd„ZdS)Ú PathMessagez!Class representing a path messagecCst ||¡d|_dSr&)r%r,Úpathr*rrrr,{s zPathMessage.__init__cCsVt ||¡|D]@}| d¡}t|ƒdkr,q|ddkr|ddd…|_dSqdS)Nr-r.rr@réÿÿÿÿ)r%r5rr1r@r2rrrr5s    zPathMessage.from_split_stringNr6rrrrr?ysr?c@s0eZdZdZdd„Zdd„Zdd„Zdd „Zd S) Ú AVCMessagea—AVC message representing an access denial or granted message. This is a very basic class and does not represent all possible fields in an avc message. Currently the fields are: scontext - context for the source (process) that generated the message tcontext - context for the target tclass - object class for the target (only one) comm - the process name exe - the on-disc binary path - the path of the target access - list of accesses that were allowed or denied denial - boolean indicating whether this was a denial (True) or granted (False) message. ioctlcmd - ioctl 'request' parameter An example audit message generated from the audit daemon looks like (line breaks added): 'type=AVC msg=audit(1155568085.407:10877): avc: denied { search } for pid=677 comm="python" name="modules" dev=dm-0 ino=13716388 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir' An example audit message stored in syslog (not processed by the audit daemon - line breaks added): 'Sep 12 08:26:43 dhcp83-5 kernel: audit(1158064002.046:4): avc: denied { read } for pid=2 496 comm="bluez-pin" name=".gdm1K3IFT" dev=dm-0 ino=3601333 scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file cCs\t ||¡t ¡|_t ¡|_d|_d|_d|_d|_ d|_ g|_ d|_ d|_ tj|_dS)Nr'T)r%r,rÚSecurityContextÚscontextÚtcontextÚtclassÚcommÚexer@ÚnameÚaccessesÚdenialÚioctlcmdÚ audit2whyÚTERULEÚtyper*rrrr,«s   zAVCMessage.__init__cCsxd}|}|t|ƒdkr&td|jƒ‚|t|ƒkr^||dkrDd}q^|j ||¡|d}q&|sptd|jƒ‚|dS)NFrú#AVC message in invalid format [%s] Ú}T)r1Ú ValueErrorr(rJÚappend)r+r3ÚstartZ found_closeÚirrrZ__parse_access¹s   zAVCMessage.__parse_accessc Cs°t ||¡d}d}d}d}tt|ƒƒD]R}||dkrR| ||d¡}d}q(n||dkrdd|_|| d¡}t|ƒdkr€q(|dd kr¢t |d¡|_ d}q(|dd krÄt |d¡|_ d}q(|dd krà|d|_ d}q(|dd kr|ddd …|_ q(|ddkr$|ddd …|_ q(|ddkrF|ddd …|_q(|ddkr(zt|ddƒ|_Wq(tyzYq(0q(|r–|r–|r–|s¤td|jƒ‚| ¡dS)NFÚ{rTZgrantedr-r.rrDrErFrGrArHrIrLérP)r%r5Úranger1Ú_AVCMessage__parse_accessrKrrrCrDrErFrGrHrIÚintrLrRr(Úanalyze)r+r3Z found_srcZ found_tgtZ found_classZ found_accessrUr4rrrr5ÏsL         zAVCMessage.from_split_stringcCsâ|j ¡}|j ¡}t|jƒ}g|_|||j|ft ¡vrXt|||j|f\|_ |_n†t   |||j|j¡\|_ |_|j t j krˆt j |_ |j t jkr td|ƒ‚|j t jkr¸td|ƒ‚|j t jkrÒtd|jƒ‚|j t jkròtdd |j¡ƒ‚|j t jkrtdƒ‚|j t jkrÄ|jg|_|jj|jjkrR|j d|jjd|jjf¡|jj|jjkr’|jjdkr’|j d |jjd |jjf¡|jj|jjkrÄ|j d |jjd |jjf¡|j |jft|||j|f<dS) NzInvalid Target Context %s zInvalid Source Context %s zInvalid Type Class %s zInvalid permission %s ú z&Error during access vector computationz user (%s)Zobject_rz role (%s)z level (%s))rEZ to_stringrDÚtuplerJÚdatarFÚavcdictÚkeysrOrMr[ZNOPOLICYrNZBADTCONrRZBADSCONZBADPERMÚjoinZ BADCOMPUTEZ CONSTRAINTÚuserrSÚroleÚlevel)r+rErDZ access_tuplerrrr[üs8               zAVCMessage.analyzeN)r7r8r9r:r,rYr5r[rrrrrBs -rBc@seZdZdZdd„ZdS)ÚPolicyLoadMessagez6Audit message indicating that the policy was reloaded.cCst ||¡dSr<r=r*rrrr, szPolicyLoadMessage.__init__Nr>rrrrresrec@s eZdZdZdd„Zdd„ZdS)ÚDaemonStartMessagez3Audit message indicating that a daemon was started.cCst ||¡d|_dS©NF)r%r,Úauditdr*rrrr,%s zDaemonStartMessage.__init__cCst ||¡d|vrd|_dS)NrhT)r%r5rh©r+r3rrrr5)s z$DaemonStartMessage.from_split_stringNr6rrrrrf#srfc@s(eZdZdZdd„Zdd„Zdd„ZdS) ÚComputeSidMessagea†Audit message indicating that a sid was not valid. Compute sid messages are generated on attempting to create a security context that is not valid. Security contexts are invalid if the role is not authorized for the user or the type is not authorized for the role. This class does not store all of the fields from the compute sid message - just the type and role. cCs4t ||¡t ¡|_t ¡|_t ¡|_d|_dSr&)r%r,rrCÚinvalid_contextrDrErFr*rrrr,9s     zComputeSidMessage.__init__cCs–t ||¡t|ƒdkr tdƒ‚z\t |d¡|_t |d d¡d¡|_t |d d¡d¡|_ |d d¡d|_ Wntdƒ‚Yn0dS) Né z;Split string does not represent a valid compute sid messageéér-réé ) r%r5r1rRrrCrkrrDrErFrirrrr5@s  z#ComputeSidMessage.from_split_stringcCsd|j|jfS)Nzrole %s types %s; )rcrO©r+rrrrLszComputeSidMessage.outputN)r7r8r9r:r,r5rrrrrrj/s  rjc@s^eZdZdZddd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dd„Z ddd„Z ddd„Z dS)Ú AuditParsera»Parser for audit messages. This class parses audit messages and stores them according to their message type. This is not a general purpose audit message parser - it only extracts selinux related messages. Each audit messages are stored in one of four lists: avc_msgs - avc denial or granted messages. Messages are stored in AVCMessage objects. comput_sid_messages - invalid sid messages. Messages are stored in ComputSidMessage objects. invalid_msgs - selinux related messages that are not valid. Messages are stored in InvalidMessageObjects. policy_load_messages - policy load messages. Messages are stored in PolicyLoadMessage objects. These lists will be reset when a policy load message is seen if AuditParser.last_load_only is set to true. It is assumed that messages are fed to the parser in chronological order - time stamps are not parsed. FcCs| ¡||_dSr<)Ú_AuditParser__initializeÚlast_load_only)r+rtrrrr,gszAuditParser.__init__cCs.g|_g|_g|_g|_g|_i|_d|_dSrg)Úavc_msgsÚcompute_sid_msgsÚ invalid_msgsÚpolicy_load_msgsÚ path_msgsÚ by_headerÚcheck_input_filerqrrrZ __initializekszAuditParser.__initializec Csädd„| ¡Dƒ}|D]È}d}|dks6|dks6|dkrDt|ƒ}d}n^|dkrZt|ƒ}d}nH|d ksj|d krxt|ƒ}d}n*|d krŽt|ƒ}d}n|d kr¢ttƒ}d}|rd|_z| |¡Wnt yÔt |ƒ}Yn0|SqdS) NcSsg|]}| d¡‘qS)uÂ…)Ústrip)Ú.0ÚxrrrÚ „óz,AuditParser.__parse_line..Fzavc:z message=avc:z msg='avc:Tzsecurity_compute_sid:ztype=MAC_POLICY_LOADz type=1403z type=AVC_PATHztype=DAEMON_START) rrBrjrer?rfÚlistr{r5rRr;)r+ÚlineZrecrUÚfoundr0rrrZ __parse_lines4  zAuditParser.__parse_linecCsö| |¡}|durdSt|tƒr0|jrº| ¡nŠt|tƒr\|jrN|jrN| ¡|j |¡n^t|t ƒrt|j  |¡nFt|t ƒrŒ|j  |¡n.t|t ƒr¤|j |¡nt|tƒrº|j |¡|jdkrò|j|jvrä|j|j |¡n|g|j|j<dSr&)Ú_AuditParser__parse_lineÚ isinstancerertrsrfrhrxrSrBrurjrvr;rwr?ryr)rz)r+r‚r0rrrZ__parse¥s,            zAuditParser.__parsecCsl|j ¡D]\}g}d}|D](}t|tƒr.|}qt|tƒr| |¡qt|ƒdkr |r |D] }|j|_qXq dS)Nr)rzÚvaluesr…r?rBrSr1r@)r+ÚvalueÚavcr@r0ÚarrrZ__post_processÊs   zAuditParser.__post_processcCsH| ¡}|r | |¡| ¡}q|jss*       "T