Compiled module: /usr/lib64/python3.9/site-packages/setools/constraintquery.py

class ConstraintQuery

    Query constraint rules, (mls)constrain/(mls)validatetrans.

    Parameter:
    policy            The policy to query.

    Keyword Parameters/Class attributes:
    ruletype          The list of rule type(s) to match.
    tclass            The object class(es) to match.
    tclass_regex      If true, use a regular expression for
                      matching the rule's object class.
    perms             The permission(s) to match.
    perms_equal       If true, the permission set of the rule
                      must exactly match the permissions
                      criteria.  If false, any set intersection
                      will match.
    perms_regex       If true, regular expression matching will be used
                      on the permission names instead of set logic.
    role              The name of the role to match in the
                      constraint expression.
    role_indirect     If true, members of an attribute will be
                      matched rather than the attribute itself.
    role_regex        If true, regular expression matching will
                      be used on the role.
    type_             The name of the type/attribute to match in the
                      constraint expression.
    type_indirect     If true, members of an attribute will be
                      matched rather than the attribute itself.
    type_regex        If true, regular expression matching will
                      be used on the type/attribute.
    user              The name of the user to match in the
                      constraint expression.
    user_regex        If true, regular expression matching will
                      be used on the user.

ConstraintQuery._match_expr

    Match roles/types/users in a constraint expression,
    optionally by expanding the contents of attributes.

    Parameters:
    expr        The expression to match.
    criteria    The criteria to match.
    indirect    If attributes in the expression should be expanded.
    regex       If regular expression matching should be used.

ConstraintQuery.results

    Generator which yields all matching constraints rules.