a {h @sddlZddlZddlZddlZddlZddlmZmZmZddlZddl m Z ddl m Z ddl m Z ddl m Z ddl mZdd l mZdd l mZdd l mZdd l mZdd l mZddl mZddl mZddl mZddl mZddl mZddlmZddlmZdZzHddlZiZej dkr6ded<ej!efddieddiZ"e"jZ#WnJzddl$Z$e%e$j&d<Wn&e'yddl(Z(e)e(j&d<Yn0Yn0ddZ*ddZ+dd Z,d!d"Z-dZ.dZ/d#Z0d$Z1d%Z2d&Z3dZ4dZ5d#Z6d$Z7d'Z8d(Z9d)Z:d*Z;d+Zd.Z?d/Z@iZAe#d0eAe4<e#d1eAe5<e#d2eAe6<e#d3eAe7<e#d4eAe8<e#d5eAe9<e#d6eAe:<e#d7eAe;<e#d8eAe<<e#d9eAe=<e#d:eAe><e#d;eAe?<e#d<eAe@<d=d>ZBe4e5e6e9e7gZCee?gZDd?d@ZEGdAdBdBZFdS)CN) get_all_typesget_all_attributes get_all_roles) executable)boolean)etc_rw) unit_file) var_cache) var_spool)var_lib)var_log)var_run)tmp)rw)network)script)spec)userzselinux-python)Tunicode localedirz/usr/share/localefallback_cCsF|d}|d}|d}|d|dd}|dd}|||gS)z6Given an RPM header return the package NVR as a stringnameversionrelease-.rr)split)ZhdrrrrZrelease_versionZ os_versionr 5/usr/lib/python3.9/site-packages/sepolicy/generate.pyget_rpm_nvr_from_headerGs r"cCs^zpz!get_all_users..Zsystem_uroot)r-r.USERremovesort)usersr r r! get_all_usersos   r<rz_admin$z_role$ zStandard Init DaemonzDBUS System DaemonzInternet Services DaemonzWeb Application/Script (CGI)ZSandboxzUser ApplicationzExisting Domain Typez Minimal Terminal Login User Rolez!Minimal X Windows Login User RolezDesktop Login User RolezAdministrator Login User Rolez Confined Root Administrator Rolez!Module information for a new typecCs:t}|td}|D]}|d|t|f7}q|S)Nz Valid Types: z%2s: %s )poltypekeysr:r)rHmsgkr r r!get_poltype_descs rKcCs|dkr gSd}zg}|dD]}|d}t|dkr>tt|dkrdt|d}t|d}n$t|d}t|d}||krtt||dD]"}|dks||krt||qq |WStyttd|Yn0dS) Ni,rr=rrz8Ports must be numbers or ranges of numbers from 1 to %d )rlen ValueErrorintr+appendr)portsZmax_porttemparbeginendr1r r r! verify_portss.       rXc@seZdZddZddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZdddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Z!d@dAZ"dBdCZ#dDdEZ$dFdGZ%dHdIZ&dJdKZ'dLdMZ(dNdOZ)dPdQZ*dRdSZ+dTdUZ,dVdWZ-dXdYZ.dZd[Z/d\d]Z0d^d_Z1d`daZ2dbdcZ3dddeZ4dfdgZ5dhdiZ6djdkZ7dldmZ8dndoZ9dpdqZ:drdsZ;dtduZdzd{Z?d|d}Z@d~dZAddZBddZCddZDddZEddZFddZGddZHddZIddZJddZKddZLddZMddZNddZOddZPddZQddZRddZSddZTddZUddZVddZWddZXddZYddZZddZ[ddZ\ddZ]ddZ^ddZ_ddZ`ddZaddZbddÄZcddńZdddDŽZeddɄZfdd˄Zgdd̈́ZhddτZiddфZjddӄZkddՄZlddׄZmddلZnddۄZodd݄Zpdd߄ZqddZrddZsetufddZvdS)policycCsg|_i|_t|_g|_|tvr.ttd|sFttdt|z t|_WnXty~}zt dWYd}~n6d}~0t y}zt d|WYd}~n d}~00i|_ d|j d<d|j d<d|j d<d |j d <d |j d <d |j d <d|j d <d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d <d!|j d"<d#|j d$<d%|j d&<d'|j d(<d)|j d*<d+|j d,<d-|j d.<d/|j d0<d1|j d2<d3|j d4<d5|j d6<d7|j d8<d9|j d:<d;|j d<<d=|j d><d?|j d@<dA|j dB<dC|j dD<dE|j dF<dG|j dH<dI|j dJ<dK|j dL<dM|j dN<dO|j dP<dQ|j dR<dS|j dT<dU|j dV<dW|j dX<dY|j dZ<d[|j d\<d]|j d^<d_|j d`<da|j db<da|j dc<da|j dd<da|j de<df|j dg<df|j dh<df|j di<df|j dj<df|j dg<dk|j dl<dm|j dn<do|j dp<dq|j dr<ds|j dt<du|j dv<dw|j dx<dy|j dz<d{|j d|<d}|j d~<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<i|_ dgt g|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<i|_t|jd<t|jd<t|jd<t|jd<t|jd<t|jd<t|jd<t|jd<gd|_|j|jf|j|jf|j|jf|j|j f|j!|j"f|j#|j$f|j%|j&f|j'|j(f|j)|j*f|j+|j(f|j,|j(f|j-|j.f|j/|j0ff |_1t23d|sttd|t4krd||_5n||_5||_6g|_7g|_8||_9d|_:d|_;dddgg|_dddgg|_?d|_@d|_Ad|_Bd|_Cd|_Dd|_Ed|_Fd|_Gd|_H|j9tItJfv|_K|j9tItJfv|_L|j9tItJfv|_Md|_Nd|_Oi|_Pi|_Qi|_Rg|_Sg|_Td|_Ud|_Vg|_Wg|_Xg|_Yg|_Zg|_[dS)Nz"You must enter a valid policy typez;You must enter a name for your policy module for your '%s'.z9Can not get port types, must be root for this informationzCan not get port typeszset_use_kerberos(True)Zopenlogzset_use_kerb_rcache(True)zset_use_syslog(True)zset_use_resolve(True)Z gethostbyZ getaddrinfoZ getnameinfoZkrbzset_manage_krb5_rcache(True)Zgss_accept_sec_contextZkrb5_verify_init_credsZ krb5_rd_reqZ __syslog_chkzset_use_uid(True)getpwnamgetpwuidzset_use_dbus(True)Zdbus_zset_use_pam(True)Zpam_zset_use_audit(True)zadd_process('fork')forkzadd_process('transition')Z transitionzadd_process('sigchld')Zsigchldzadd_process('sigkill')Zsigkillzadd_process('sigstop')Zsigstopzadd_process('signull')Zsignullzadd_process('ptrace')Zptracezadd_process('getsched')Zgetschedzadd_process('setsched')Zsetschedzadd_process('getsession')Z getsessionzadd_process('getpgid')getpgidzadd_process('setpgid')setpgidzadd_process('getcap')Zgetcapzadd_process('setcap')Zsetcapzadd_process('share')Zsharezadd_process('getattr')getattrzadd_process('setexec')Zsetexeczadd_process('setfscreate')Z setfscreatezadd_process('noatsecure')Z noatsecurezadd_process('siginh')Zsiginhzadd_process('signal_perms')killzadd_process('setrlimit')Z setrlimitzadd_process('rlimitinh')Z rlimitinhzadd_process('dyntransition')Z dyntransitionzadd_process('setcurrent')Z setcurrentzadd_process('execmem')Zexecmemzadd_process('execstack')Z execstackzadd_process('execheap')Zexecheapzadd_process('setkeycreate')Z setkeycreatezadd_process('setsockcreate')Z setsockcreatezadd_capability('chown')chownzadd_capability('dac_override')Z dac_overridez!add_capability('dac_read_search')Zdac_read_searchzadd_capability('fowner')Zfownerzadd_capability('fsetid')Zfsetidzadd_capability('setgid')setgidsetegid setresgidsetregidzadd_capability('setuid') setresuidsetuidseteuidsetreuidzadd_capability('setpcap')Zsetpcapz!add_capability('linux_immutable')Zlinux_immutablez"add_capability('net_bind_service')Znet_bind_servicezadd_capability('net_broadcast')Z net_broadcastzadd_capability('net_admin')Z net_adminzadd_capability('net_raw')Znet_rawzadd_capability('ipc_lock')Zipc_lockzadd_capability('ipc_owner')Z ipc_ownerzadd_capability('sys_module') sys_modulezadd_capability('sys_rawio')Z sys_rawiozadd_capability('sys_chroot')chrootZ sys_chrootzadd_capability('sys_ptrace')Z sys_ptracezadd_capability('sys_pacct')Z sys_pacctzadd_capability('sys_admin')ZmountZunshareZ sys_adminzadd_capability('sys_boot')Zsys_bootzadd_capability('sys_nice')Zsys_nicezadd_capability('sys_resource')Z sys_resourcezadd_capability('sys_time')Zsys_timez add_capability('sys_tty_config')Zsys_tty_configzadd_capability('mknod')mknodzadd_capability('lease')Zleasezadd_capability('audit_write')Z audit_writezadd_capability('audit_control')Z audit_controlzadd_capability('setfcap')Zsetfcapr/etcr/tmprr /usr/lib/systemd/system/lib/systemd/system/etc/systemd/systemr /var/cacher /var/libr /var/logr/var/runr /var/spoolZ_tmp_tZ _unit_file_tZ _var_cache_tZ _var_lib_tZ _var_log_tZ _var_run_tZ _var_spool_tZ_port_t) rmrrrtrnrrsrurvrqrorpz^[a-zA-Z0-9-_]+$zOName must be alphanumeric with no spaces. Consider using option "-n MODULENAME"zhttpd_%s_scriptrLF)\rpmsrRr all_rolestypesrGrOrr2r% RuntimeErrorsymbols DEFAULT_DIRSrrrr r r r rr DEFAULT_EXTr DEFAULT_KEYSgenerate_daemon_typesgenerate_daemon_rulesgenerate_dbusd_typesgenerate_dbusd_rulesgenerate_inetd_typesgenerate_inetd_rulesgenerate_cgi_typesgenerate_cgi_rulesgenerate_sandbox_typesgenerate_sandbox_rulesgenerate_userapp_typesgenerate_userapp_rulesgenerate_existing_user_typesgenerate_existing_user_rulesgenerate_min_login_user_typesgenerate_login_user_rulesgenerate_x_login_user_typesgenerate_x_login_user_rulesgenerate_login_user_typesgenerate_admin_user_typesgenerate_root_user_typesgenerate_root_user_rulesgenerate_new_typesgenerate_new_rules DEFAULT_TYPESrematchCGIr file_name capabilities processesr* initscriptprogramin_tcpin_udpout_tcpout_udp use_resolveuse_tmpuse_uid use_syslog use_kerberosmanage_krb5_rcacheuse_pamuse_dbus use_auditEUSERNEWTYPEuse_etcuse_localizationuse_fd use_terminaluse_mailbooleansfilesdirsfound_tcp_portsfound_udp_ports need_tcp_type need_udp_type admin_domainsexisting_domainstransition_domainstransition_usersroles)selfrr*er r r!__init__sf                                                                                                                   zpolicy.__init__cCs(|tp&|tp&|tp&t|tdkSNr)ALLRESERVED UNRESERVEDrNPORTS)rlr r r!Z __isnetsetszpolicy.__isnetsetcCs ||_dSN)r)rrr r r!set_admin_domainsszpolicy.set_admin_domainscCs ||_dSr)r)rrr r r!set_existing_domainsszpolicy.set_existing_domainscCs ||_dSr)r)rrr r r!set_admin_rolesszpolicy.set_admin_rolescCs ||_dSr)r)rrr r r!set_transition_domainsszpolicy.set_transition_domainscCs ||_dSr)r)rrr r r!set_transition_usersszpolicy.set_transition_userscCs ||jSr)_policy__isnetsetrrr r r! use_in_udpszpolicy.use_in_udpcCs ||jSr)rrrr r r! use_out_udpszpolicy.use_out_udpcCs|p|Sr)rrrr r r!use_udpszpolicy.use_udpcCs ||jSr)rrrr r r! use_in_tcpszpolicy.use_in_tcpcCs ||jSr)rrrr r r! use_out_tcpszpolicy.use_out_tcpcCs|p|Sr)rrrr r r!use_tcpszpolicy.use_tcpcCs|p|Sr)rrrr r r! use_networkszpolicy.use_networktcpcCsF|jD]6\}}}||kr ||kr ||kr |j|||fSq dSr)rRrH)rportr,rVrWr1r r r! find_portszpolicy.find_portcCs |jtvrttd||_dS)Nz0User Role types can not be assigned executables.)r* APPLICATIONSrOrr)rrr r r! set_programs  zpolicy.set_programcCs |jtkrttd||_dS)Nz(Only Daemon apps can use an init script.)r*DAEMONrOrr)rrr r r!set_init_scripts  zpolicy.set_init_scriptcCs|||t|g|_dSr)rXrrallZreservedZ unreservedrRr r r! set_in_tcpszpolicy.set_in_tcpcCs|||t|g|_dSr)rXrrr r r! set_in_udpszpolicy.set_in_udpcCs|ddt|g|_dSNF)rXrrrrRr r r! set_out_tcpszpolicy.set_out_tcpcCs|ddt|g|_dSr)rXrrr r r! set_out_udpszpolicy.set_out_udpcCs"t|turttd||_dS)Nz$use_resolve must be a boolean value )r*boolrOrrrvalr r r!set_use_resolves  zpolicy.set_use_resolvecCs"t|turttd||_dS)Nz#use_syslog must be a boolean value )r*rrOrrrr r r!set_use_syslogs  zpolicy.set_use_syslogcCs"t|turttd||_dS)Nz%use_kerberos must be a boolean value )r*rrOrrrr r r!set_use_kerbeross  zpolicy.set_use_kerberoscCs"t|turttd||_dS)Nz+manage_krb5_rcache must be a boolean value )r*rrOrrrr r r!set_manage_krb5_rcaches  zpolicy.set_manage_krb5_rcachecCs|du|_dSNT)rrr r r! set_use_pamszpolicy.set_use_pamcCs|du|_dSr)rrr r r! set_use_dbusszpolicy.set_use_dbuscCs|du|_dSr)rrr r r! set_use_auditszpolicy.set_use_auditcCs|du|_dSr)rrr r r! set_use_etcszpolicy.set_use_etccCs|du|_dSr)rrr r r!set_use_localizationszpolicy.set_use_localizationcCs|du|_dSr)rrr r r! set_use_fdszpolicy.set_use_fdcCs|du|_dSr)rrr r r!set_use_terminalszpolicy.set_use_terminalcCs|du|_dSr)rrr r r! set_use_mailszpolicy.set_use_mailcCsB|jtvrttd|r0|jdddng|jdd<dS)Nz'USER Types automatically get a tmp typernr)r*USERSrOrr|rQrr r r! set_use_tmps   zpolicy.set_use_tmpcCs|du|_dSr)rrr r r! set_use_uidszpolicy.set_use_uidcCs |jrtd|jtjSdSdSN TEMPLATETYPErL)rrsubrrZ te_uid_rulesrr r r!generate_uid_rulesszpolicy.generate_uid_rulescCs |jrtd|jtjSdSdSr)rrrrrZte_syslog_rulesrr r r!generate_syslog_rulesszpolicy.generate_syslog_rulescCs |jrtd|jtjSdSdSr)rrrrrZte_resolve_rulesrr r r!generate_resolve_rulesszpolicy.generate_resolve_rulescCs |jrtd|jtjSdSdSr)rrrrrZte_kerberos_rulesrr r r!generate_kerberos_rulesszpolicy.generate_kerberos_rulescCs |jrtd|jtjSdSdSr)rrrrrZte_manage_krb5_rcache_rulesrr r r!!generate_manage_krb5_rcache_rules sz(policy.generate_manage_krb5_rcache_rulescCs d}|jrtd|jtj}|SNrLr)rrrrrZ te_pam_rulesrnewter r r!generate_pam_rules&szpolicy.generate_pam_rulescCs d}|jrtd|jtj}|Sr)rrrrrZte_audit_rulesrr r r!generate_audit_rules,szpolicy.generate_audit_rulescCs d}|jrtd|jtj}|Sr)rrrrrZ te_etc_rulesrr r r!generate_etc_rules2szpolicy.generate_etc_rulescCs d}|jrtd|jtj}|Sr)rrrrrZ te_fd_rulesrr r r!generate_fd_rules8szpolicy.generate_fd_rulescCs d}|jrtd|jtj}|Sr)rrrrrZte_localization_rulesrr r r!generate_localization_rules>sz"policy.generate_localization_rulescCs*d}|jtkr&|jr&td|jtj}|Sr)r*DBUSrrrrrZ te_dbus_rulesrr r r!generate_dbus_rulesDszpolicy.generate_dbus_rulescCs d}|jrtd|jtj}|Sr)rrrrrZ te_mail_rulesrr r r!generate_mail_rulesJszpolicy.generate_mail_rulescCsFd}d|||f}|tvr.d||jf}nd||j|||f}|S)NrLzcorenet_%s_%s_%sz %s(%s_t) zD gen_require(` type %s_t; ') allow %s_t %s_t:%s_socket name_%s; )r-Z get_methodsr)rr,action port_namelinemethodr r r!generate_network_actionPs zpolicy.generate_network_actioncCsZ|jtD]X}|t|d}|dur.d|_q |ddd}|dd|}||jvr |j|q |jtD]X}|t|d}|durd|_qn|ddd}|dd|}||jvrn|j|qn|j tD]X}|t|d}|durd|_ q|ddd}|dd|}||j vr|j |q|j dusD|jdurVt d|jtjSd S) NrTrZbindZconnectudprrL)rrrrPrrrrQrrrrrrrrte_types)riZrecrrr r r!generate_network_types^s6   zpolicy.generate_network_typescCsZ|jD]4}||dkr|j|d||j|Sq|jdd||jdS)Nrrr)r|findrQ)rfiledr r r!Z __find_paths  zpolicy.__find_pathcCs||jvr|j|dSr)rrQ)rZ capabilityr r r!add_capabilitys zpolicy.add_capabilitycCs ||_dSr)ry)rryr r r! set_typesszpolicy.set_typescCs||jvr|j|dSr)rrQ)rZprocessr r r! add_processs zpolicy.add_processcCs||j|<dSr)r)rr descriptionr r r! add_booleanszpolicy.add_booleancCs|||j|<dSr)_policy__find_pathrrrr r r!add_fileszpolicy.add_filecCs|||j|<dSr)rrr r r r!add_dirszpolicy.add_dircCs6d}|jt|jdkr2d|jd|jf}|S)NrLrz#allow %s_t self:capability { %s };  )rr:rNrjoinrr r r!generate_capabilitiess  zpolicy.generate_capabilitiescCs6d}|jt|jdkr2d|jd|jf}|S)NrLrz allow %s_t self:process { %s }; r#)rr:rNrr$rr r r!generate_processs  zpolicy.generate_processcCsd}|rd}|td|jtj7}|r|d7}|td|jtj7}|r|td|jtj 7}|j rt |j t dkr|td|jtj7}|j rt |jt dkr|td|jtj7}|j tr|td|jtj7}|j tr |td|jtj7}|j tr.|td|jtj7}|jtrP|td|jtj7}|jtrr|td|jtj7}|jtr|td|jtj7}|jD]}||7}q|r|d7}|td|jtj7}|jr|td|jtj7}|r|td|jtj 7}|j!tr2|td|jtj"7}|j!trT|td|jtj#7}|j!trv|td|jtj$7}|j%D]}||7}q||S)NrL rr)&rrrrrZ te_networkrZte_tcprZ te_in_tcprrNrrZte_in_need_port_tcprZte_out_need_port_tcprZte_in_all_ports_tcprZte_in_reserved_ports_tcprZte_in_unreserved_ports_tcpZte_out_all_ports_tcpZte_out_reserved_ports_tcpZte_out_unreserved_ports_tcprrZte_udprZte_in_need_port_udprZ te_in_udprZte_in_all_ports_udpZte_in_reserved_ports_udpZte_in_unreserved_ports_udpr)rrrr r r!generate_network_rulessV                 zpolicy.generate_network_rulescCs|d}|jD](}td|jtj}|td||7}q |jtkrx|jD]2}td|jt j }|td| dd|7}qD|S)NrLr APPLICATIONr8_ur) rrrrrZte_transition_rulesr*r8rrZ te_run_rulesr)rrapprurSr r r!generate_transition_ruless   z policy.generate_transition_rulescCsd}|jtkrz|jD]`}|dd}|d}|jD]>}td|tj}||j vr`t|d|}|td||7}q4q|S|jt kr|td|j tj 7}|jD](}td|j tj}|td||7}q|j D]D}|dd}|d|j vrtd|j tj}|td ||7}q|S) NrL_tr_rrZsystem_rr)r*r8)r*rrrrrrrZte_admin_domain_rulesrxRUSERrZte_admin_rulesrZte_admin_trans_rules)rrrrroler+rr,r r r!generate_admin_ruless,       zpolicy.generate_admin_rulescCs d}|jrtd|jtj}|Sr)rrrrrZ if_dbus_rulesrnewifr r r!generate_dbus_ifszpolicy.generate_dbus_ifcCs(d}|jtkr|Std|jtj}|Sr)r*SANDBOXrrrrZif_sandbox_rulesr3r r r!generate_sandbox_ifs  zpolicy.generate_sandbox_ifcCsd}d}|jdkr>|td|jtj7}|td|jtj7}|jD]Z}t|j |ddkrD|td|j|j |dj 7}|td|j|j |dj 7}qD|dkrtd|jtj }||7}|td|jtj 7}||7}|td|jtj7}|SdSNrLrrrr=)rrrrrZif_initscript_admin_typesZif_initscript_adminr~rNr|Zif_admin_typesZif_admin_rulesZif_begin_adminZif_middle_adminZ if_end_admin)rr4Znewtypesrretr r r!generate_admin_ifs"   "zpolicy.generate_admin_ifcCstd|jtjSNr)rrrr te_cgi_typesrr r r!r5szpolicy.generate_cgi_typescCstd|jtjSr;)rrrrte_sandbox_typesrr r r!r8szpolicy.generate_sandbox_typescCstd|jtjSr;)rrrrZte_userapp_typesrr r r!r;szpolicy.generate_userapp_typescCstd|jtjSr;)rrrrZte_inetd_typesrr r r!r>szpolicy.generate_inetd_typescCstd|jtjSr;)rrrrZte_dbusd_typesrr r r!rAszpolicy.generate_dbusd_typescCstd|jtjSr;)rrrrZte_min_login_user_typesrr r r!rDsz$policy.generate_min_login_user_typescCstd|jtjSr;)rrrrZte_login_user_typesrr r r!rGsz policy.generate_login_user_typescCstd|jtjSr;)rrrrZte_admin_user_typesrr r r!rJsz policy.generate_admin_user_typescCst|jdkr$ttdt|jtd|jt j }|d7}|jD]8}|d|7}| ddd}||j vrD|d|7}qD|d 7}|S) Nrz,'%s' policy modules require existing domainsrz gen_require(`z type %s;r.r/z role %s;z ') ) rNrrOrrGr*rrrrZte_existing_user_typesrrx)rrrr1r r r!rMs  z#policy.generate_existing_user_typescCstd|jtjSr;)rrrrZte_x_login_user_typesrr r r!r_sz"policy.generate_x_login_user_typescCstd|jtjSr;)rrrrZte_root_user_typesrr r r!rbszpolicy.generate_root_user_typesc Csd}t|jdkrttd|jD]^}|jD]R}||r.t||dt| |td|dt| |j|j 7}q$q.q$t r|dkrg}|jD]}| |qttdd ||S)NrLrzType field requiredrz3You need to define a new type which ends with: %sz ) rNryrOrr}endswithr%rrrrrQr$)rrtrZ default_extr r r!res    (   zpolicy.generate_new_typescCsdS)NrLr rr r r!ryszpolicy.generate_new_rulescCs6td|jtj}|jdkr2|td|jtj7}|Sr)rrrrZte_daemon_typesrZte_initscript_typesrr r r!r|s zpolicy.generate_daemon_typescCs |jrtd|jtjSdSdSr)rrrrrrrr r r!generate_tmp_typesszpolicy.generate_tmp_typescCs<d}|jD],}td|tj}|td|j||7}q |S)NrLBOOLEANZ DESCRIPTION)rrrrZ te_boolean)rrbrr r r!generate_booleanss  zpolicy.generate_booleanscCs(d}|jD]}|td|tj7}q |S)NrLrA)rrrrte_rules)rrrBr r r!generate_boolean_ruless zpolicy.generate_boolean_rulescCstd|jtjSr;)rrrrr=rr r r!generate_sandbox_teszpolicy.generate_sandbox_tecCstd|jtjSr;)rrrrr<rr r r!generate_cgi_teszpolicy.generate_cgi_tecCstd|jtj}|Sr;)rrrrZte_daemon_rulesr3r r r!rszpolicy.generate_daemon_rulesc Csld}|jD]\}|jD]P}||r|dt| d}|td|dt| |j|j7}q qq |S)NrLr.r)ryr}r>rNrrif_rules)rr4r?rZreqtyper r r!generate_new_type_ifs   (zpolicy.generate_new_type_ifcCstd|jtjSr;)rrrrZte_login_user_rulesrr r r!rsz policy.generate_login_user_rulescCstd|jtj}|Sr;)rrrrZte_existing_user_rules)rZnerulesr r r!rsz#policy.generate_existing_user_rulescCstd|jtjSr;)rrrrZte_x_login_user_rulesrr r r!rsz"policy.generate_x_login_user_rulescCstd|jtj}|Sr;)rrrrZte_root_user_rulesrr r r!rszpolicy.generate_root_user_rulescCstd|jtjSr;)rrrrZte_userapp_rulesrr r r!rszpolicy.generate_userapp_rulescCstd|jtjSr;)rrrrZte_inetd_rulesrr r r!rszpolicy.generate_inetd_rulescCstd|jtjSr;)rrrrZte_dbusd_rulesrr r r!rszpolicy.generate_dbusd_rulescCs |jrtd|jtjSdSdSr)rrrrrrDrr r r!generate_tmp_rulesszpolicy.generate_tmp_rulescCsd}|td|jtj7}|Sr)rrrrZ te_cgi_rulesrr r r!rszpolicy.generate_cgi_rulescCsd}|td|jtj7}|Sr)rrrrZte_sandbox_rulesrr r r!rszpolicy.generate_sandbox_rulescCsRd}|js|jtkr&td|jtj}|jtt t t fvrN|td|jtj 7}|Sr) rr*r8rrrrZif_user_program_rulesTUSERXUSERAUSERLUSERZif_role_change_rulesr3r r r!generate_user_ifs zpolicy.generate_user_ifc Cs>d}|td|jtj7}|jr6|td|jtj7}|jdkrV|td|jtj7}|j D]}t |j |ddkr\|td|j|j |dj 7}|j |dD]J}t j|rtt |tjr|td|j|j |dj7}q\qq\||7}||7}||7}||7}||7}||7}|Sr8)rrrrZif_heading_rulesrZif_program_rulesrZif_initscript_rulesr~rNr|rHospathexistsstatS_ISSOCKST_MODEZif_stream_rulesrOr5r:r7rIr)rr4rrr r r! generate_ifs(   "       zpolicy.generate_ifcCs|j|jdSrrr*rr r r!generate_default_typesszpolicy.generate_default_typescCs&|j|jdr"|j|jdSdS)NrrLrWrr r r!generate_default_rulesszpolicy.generate_default_rulescCsd}|jttttfvrd}t|jdkr|td|j t j 7}|td|j t j 7}|jD](}td|j t j }|td||7}qZ|S)NrLrrZROLE)r*rKrLrMrNrNrrrrrZ te_sudo_rulesZte_newrole_rulesZte_roles_rules)rrrr1rr r r!generate_roles_ruless zpolicy.generate_roles_rulesc Cs|}|jD]L}t|j|ddkr|jtks:|dkr|td|j|j|dj 7}q|jt krt|d|j7}|| 7}|| 7}|| 7}||7}||7}||7}||7}|jD]>}t|j|ddkr|jt krLd}|jD]H}|td|dd d |j|dj7}|td |jd |7}qn |td|j|j|dj7}|j|dD]}tj|rztt|tjrz|jt kr|jD],}|td|dd |j|dj7}qn |td|j|j|dj7}qΐqzq||7}||7}||7}||7}||7}|| 7}||!7}||"7}||#7}||$7}||%7}||&7}||'7}||(7}||)7}||*7}||+7}|S) Nrrrrr=z@ ######################################## # # %s local policy # rLZTEMPLATETYPE_trr.ZTEMPLATETYPE_rw_tZ_rw_t),rXr~rNr|r*rrrrrrr%r&rr@rCrYrErrDrPrQrRrSrTrUZte_stream_rulesrJr(rrrrrrr rrZr r-r2r rr)rrrZ newte_tmpdomainrr r r! generate_tesb "           * &  ,                   zpolicy.generate_tecCsd}g}|jD]}tj|rVtt|tjrVt d|j |j|dj }nt d|j |j|dj }t d||}| t d|j|d|q|jD]L}t d|j |j|dj}t d||}| t d|j|d|q|jttgvrt|dkrtjS|jttttgvrH|jsHttd|jrxt d|jtj}| t d|j ||jdkrt d|jtj}| t d|j ||d |}|S) NrLrr=FILENAMEZFILETYPErz      zpolicy.generate_speccCs2d||jf}t|d}||||S)Nz%s/%s_selinux.specw)ropenwritergclose)rout_dirZspecfilefdr r r! write_specs  zpolicy.write_speccCs2d||jf}t|d}||||S)Nz%s/%s.terh)rrirjr\rk)rrlZtefilermr r r!write_tes  zpolicy.write_tecCs>d||jf}t|d}|||t|d|S)Nz%s/%s.shrhi)rrirjrdrkrPchmod)rrlZshfilermr r r!write_shs   zpolicy.write_shcCs2d||jf}t|d}||||S)Nz%s/%s.ifrh)rrirjrVrk)rrlZiffilermr r r!write_ifs  zpolicy.write_ifcCs2d||jf}t|d}||||S)Nz%s/%s.fcrh)rrirjr`rk)rrlZfcfilermr r r!write_fcs  zpolicy.write_fcc CsBddl}|}||jdd|j}|}|j|jd}|D]}|j |j |j D]F}|j D]:}|dkr|qn||rntj|r||qn||qnqd|}|j|jd}|D]T} | j D]H}|j D]<}|dkrq||rtj|r ||q||qqqqLWdn1s40YdS)NrT)Zload_system_repo)rrm)Zprovides)dnfZBaseZread_all_reposZ fill_sackZsackqueryZ availablefilterrrwrQrrr| startswithrPrQisfiler!r"Z source_name) rrtbaseruZpqpkgfnamerBsqZbpkgr r r!Z__extract_rpmss8            zpolicy.__extract_rpmsc Csz |WntyYn0tjd|jrB|d|jtjd|jrd|d|jtjd|jr|d|jtjd|jr|d|jtjd|jr|d|jtjd|jr| d|jg}|j D]}g}z|j |dd d }Wnt y4YqYn0|j |dD]"}| |rD||nqDqDt|d kr|D]>}||j vr|j|=n||j vrx|j|=nqxqxtt|j |dt||j |d<qdS) Nz/var/run/%s.pidz /var/run/%sz /var/log/%sz/var/log/%s.logz /var/lib/%sz/etc/rc.d/init.d/%sz/etc/rc\.d/init\.d/%srr/)_policy__extract_rpms ImportErrorrPrQrxrr!isdirr"rr|rH IndexErrorrwrQrNrrlistset)rZ temp_basepathr1Z temp_dirsrr r r! gen_writeablesF        zpolicy.gen_writeablecCs|jtvrdStj|js2tjd|jdSt d|j}| D],}|j D] }| |rXtd|j |qXqN|dS)Nzl *************************************** Warning %s does not exist *************************************** znm -D %s | grep Uzself.%s)r*rrPrQrRrsysstderrrjpopenreadrr{rwexecrk)rrmsrBr r r! gen_symbolsIs   zpolicy.gen_symbolscCstd}|d||tdf7}|d||tdf7}|d||tdf7}|jtkr|d||tdf7}|d||tdf7}|S)NzCreated the following files: z%s # %s zType Enforcement filezInterface filezFile Contexts filez Spec filez Setup Script)rrorrrsr*rrnrq)rrloutr r r!generate[s zpolicy.generateN)r)w__name__ __module__ __qualname__rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r r rrrrrrrr!r"r%r&r(r-r2r5r7r:rrrrrrrrrrrrrrr@rCrErFrGrrIrrrrrrrrJrrrOrVrXrYrZr\r`rbrdrgrnrorqrrrsr~rrrPgetcwdrr r r r!rYsB  &8    >##*$3rY)GrPrrSrr-rrrreZ templatesrrrr r r r r rrrrrrrZsepolgen.interfacesZ interfacesZsepolgen.defaultsdefaultsZPROGNAMEgettextkwargs version_info translationr?rbuiltinsstr__dict__rZ __builtin__rr"r)r2r<rrrrZADMIN_TRANSITION_INTERFACEZUSER_TRANSITION_INTERFACErr ZINETDrr6r8rrKrLrNrMr0rrGrKrrrXrYr r r r!s