#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <[email protected]>
# Authors: Dan Walsh <[email protected]>
#
# Copyright (C) 2006-2013 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
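#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

import sys
import os

import sepolgen.audit as audit
import sepolgen.policygen as policygen
import sepolgen.interfaces as interfaces
import sepolgen.output as output
import sepolgen.objectmodel as objectmodel
import sepolgen.defaults as defaults
import sepolgen.module as module
from sepolgen.sepolgeni18n import _
import selinux.audit2why as audit2why
import locale

# Best effort: an unsupported environment locale must not abort the tool,
# so only locale.Error is swallowed (a bare except would also hide
# KeyboardInterrupt/SystemExit).
try:
    locale.setlocale(locale.LC_ALL, '')
except locale.Error:
    pass


class AuditToPolicy:
    """Command-line driver shared by audit2allow and audit2why.

    Workflow (see main): parse options, initialise audit2why against the
    active or the given policy, read audit messages (file, stdin, dmesg or
    ausearch), turn them into access vectors and role/type pairs, then
    either explain the denials (--why) or generate policy, optionally
    compiled into a loadable module package (-M).

    The shebang runs the interpreter with -E -s -I (ignore PYTHON* env
    vars, no user site-packages, isolated mode), which keeps module lookup
    independent of the invoking user's environment.
    """

    VERSION = "%prog .1"
    SYSLOG = "/var/log/messages"

    def __init__(self) -> None:
        self.__options = None      # optparse Values, set by __parse_options
        self.__parser = None       # audit.AuditParser, set by __read_input
        self.__avs = None          # access vectors, set by __process_input
        self.__role_types = None   # role/type pairs, set by __process_input

    def __parse_options(self) -> None:
        """Parse sys.argv into self.__options and validate option conflicts.

        Exits with status 2 on an invalid module name or when
        --module-package is combined with --output, --module or --cil.
        Conflicts between the input sources only write a warning.
        """
        from optparse import OptionParser

        parser = OptionParser(version=self.VERSION)
        parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False,
                          help="audit messages since last boot conflicts with -i")
        parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
                          help="read input from audit log - conflicts with -i")
        parser.add_option("-p", "--policy", dest="policy", default=None, help="Policy file to use for analysis")
        parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
                          help="read input from dmesg - conflicts with --all and --input")
        parser.add_option("-i", "--input", dest="input",
                          help="read input from <input> - conflicts with -a")
        parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False,
                          help="read input only after the last reload")
        parser.add_option("-r", "--requires", action="store_true", dest="requires", default=False,
                          help="generate require statements for rules")
        parser.add_option("-m", "--module", dest="module",
                          help="set the module name - implies --requires")
        parser.add_option("-M", "--module-package", dest="module_package",
                          help="generate a module package - conflicts with -o and -m")
        parser.add_option("-o", "--output", dest="output",
                          help="append output to <filename>, conflicts with -M")
        parser.add_option("-D", "--dontaudit", action="store_true",
                          dest="dontaudit", default=False,
                          help="generate policy with dontaudit rules")
        parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
                          default=True, help="generate refpolicy style output")
        parser.add_option("-C", "--cil", action="store_true", dest="cil", help="generate CIL output")

        # NOTE: optparse keeps the last default registered for a dest, so the
        # default=False here is the effective default of "refpolicy".
        parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
                          default=False, help="do not generate refpolicy style output")
        parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
                          default=False, help="explain generated output")
        parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
                          default=False, help="fully explain generated output")
        parser.add_option("-t", "--type", help="only process messages with a type that matches this regex",
                          dest="type")
        parser.add_option("--perm-map", dest="perm_map", help="file name of perm map")
        parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
        parser.add_option("-x", "--xperms", action="store_true", dest="xperms",
                          default=False, help="generate extended permission rules")
        # Installing this script under the name "audit2why" turns --why on by default.
        parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"),
                          help="Translates SELinux audit messages into a description of why the access was denied")

        # "_" is the gettext helper, so do not use it as the throwaway name.
        options, _args = parser.parse_args()

        # Input-source conflicts only warn; __read_input then uses the first
        # of --input, --dmesg, --all, --boot that is set.
        if options.audit is True or options.boot:
            if options.input is not None:
                sys.stderr.write("error: --all/--boot conflicts with --input\n")
            if options.dmesg is True:
                sys.stderr.write("error: --all/--boot conflicts with --dmesg\n")
        if options.input is not None and options.dmesg is True:
            sys.stderr.write("error: --input conflicts with --dmesg\n")

        # Turn on requires generation if a module name is given. Also verify
        # the module name: -M later uses it to build output file names, so
        # only the character set accepted by module.is_valid_name gets through.
        name = options.module or options.module_package
        if name:
            options.requires = True
            if not module.is_valid_name(name):
                sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n')
                sys.exit(2)

        # Make -M and -o, -m or -C conflict
        if options.module_package:
            if options.output:
                sys.stderr.write("error: --module-package conflicts with --output\n")
                sys.exit(2)
            if options.module:
                sys.stderr.write("error: --module-package conflicts with --module\n")
                sys.exit(2)
            if options.cil:
                sys.stderr.write("error: --module-package conflicts with --cil\n")
                sys.exit(2)

        self.__options = options

    @staticmethod
    def __run_ausearch(fetch):
        """Return fetch() (an audit.get_audit_*_msgs call) or exit(1) if ausearch cannot run."""
        try:
            return fetch()
        except OSError as e:
            sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
            sys.exit(1)

    def __read_input(self) -> None:
        """Feed the selected audit source into an AuditParser stored in self.__parser.

        Precedence is --input, then --dmesg, --all, --boot; stdin is the
        default when none is given. A file given with --input is closed
        even if parsing raises.
        """
        parser = audit.AuditParser(last_load_only=self.__options.lastreload)

        filename = None
        messages = None

        # Figure out what input we want
        if self.__options.input is not None:
            filename = self.__options.input
        elif self.__options.dmesg:
            messages = audit.get_dmesg_msgs()
        elif self.__options.audit:
            messages = self.__run_ausearch(audit.get_audit_msgs)
        elif self.__options.boot:
            messages = self.__run_ausearch(audit.get_audit_boot_msgs)

        # Get the input
        if filename is not None:
            try:
                f = open(filename)
            except OSError as e:
                sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e)))
                sys.exit(1)
            with f:
                parser.parse_file(f)
        elif messages is not None:
            parser.parse_string(messages)
        else:
            # This is the default if no input is specified
            parser.parse_file(sys.stdin)

        self.__parser = parser

    def __process_input(self) -> None:
        """Convert parsed messages into access vectors and role/type pairs.

        With --type only messages whose type matches the regex are kept.
        """
        if self.__options.type:
            avcfilter = audit.AVCTypeFilter(self.__options.type)
            self.__avs = self.__parser.to_access(avcfilter)
            csfilter = audit.ComputeSidTypeFilter(self.__options.type)
            self.__role_types = self.__parser.to_role(csfilter)
        else:
            self.__avs = self.__parser.to_access()
            self.__role_types = self.__parser.to_role()

    @staticmethod
    def __open_or_exit(fn, description):
        """Open *fn* for reading; on failure report it as *description* and exit(1)."""
        try:
            return open(fn)
        except OSError:
            sys.stderr.write("could not open %s [%s]\n" % (description, fn))
            sys.exit(1)

    def __load_interface_info(self):
        """Return (InterfaceSet, PermMappings) loaded for refpolicy-style output.

        File names come from --interface-info / --perm-map, falling back to
        sepolgen.defaults. Both files are closed after loading.
        """
        # Load interface info file
        fn = self.__options.interface_info or defaults.interface_info()
        with self.__open_or_exit(fn, "interface info") as fd:
            ifs = interfaces.InterfaceSet()
            ifs.from_file(fd)

        # Also load perm maps
        fn = self.__options.perm_map or defaults.perm_map()
        with self.__open_or_exit(fn, "perm map") as fd:
            perm_maps = objectmodel.PermMappings()
            perm_maps.from_file(fd)

        return (ifs, perm_maps)

    def __output_modulepackage(self, writer, generator) -> None:
        """Write <name>.te in the current directory, compile it to <name>.pp and print install hints.

        *name* is the --module-package value (validated in __parse_options).
        Exits with status 1 if the .te file cannot be written or the
        compiler reports a RuntimeError.
        """
        generator.set_module_name(self.__options.module_package)
        filename = self.__options.module_package + ".te"
        packagename = self.__options.module_package + ".pp"

        try:
            fd = open(filename, "w")
        except OSError as e:
            sys.stderr.write("could not write output file: %s\n" % str(e))
            sys.exit(1)
        with fd:
            writer.write(generator.get_module(), fd)

        mc = module.ModuleCompiler()

        try:
            mc.create_module_package(filename, self.__options.refpolicy)
        except RuntimeError as e:
            print(e)
            sys.exit(1)

        sys.stdout.write(
"""******************** {important} ***********************
{text}

semodule -i {packagename}

""".format(
    important=_("IMPORTANT"),
    text=_("To make this policy package active, execute:"),
    packagename=packagename
))

    @staticmethod
    def __print_boolean_advice(data, sepolicy) -> None:
        """Print the boolean(s) in *data* whose setting explains the denial.

        *data* is a sequence of (boolean name, value) pairs; *sepolicy* is the
        imported sepolicy module or None when it is unavailable.
        """
        if len(data) > 1:
            print("\tOne of the following booleans was set incorrectly.")
            for b in data:
                if sepolicy is not None:
                    print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
                print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
        else:
            print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
            if sepolicy is not None:
                print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
            print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))

    def __output_audit2why(self) -> None:
        """Print audit2why's explanation for every parsed AVC message.

        Messages whose type is negative are skipped. The sepolicy module
        is optional and only used for boolean descriptions.
        """
        try:
            import sepolicy
        except (ImportError, ValueError):
            sepolicy = None

        for i in self.__parser.avc_msgs:
            rc = i.type
            data = i.data
            if rc < 0:
                continue
            print("%s\n\tWas caused by:" % i.message)
            if rc == audit2why.ALLOW:
                print("\t\tUnknown - would be allowed by active policy")
                print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n")
                print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n")
            elif rc == audit2why.DONTAUDIT:
                print("\t\tUnknown - should be dontaudit'd by active policy")
                print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n")
                print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n")
            elif rc == audit2why.BOOLEAN:
                self.__print_boolean_advice(data, sepolicy)
            elif rc == audit2why.TERULE:
                print("\t\tMissing type enforcement (TE) allow rule.\n")
                print("\t\tYou can use audit2allow to generate a loadable module to allow this access.\n")
            elif rc == audit2why.CONSTRAINT:
                # This AVC is a constraint violation: the attributes of the
                # source or target type would have to change to allow it.
                print()
                print("#Constraint rule:")
                print("\n#\t" + data[0])
                for reason in data[1:]:
                    print("#\tPossible cause is the source %s and target %s are different.\n" % reason)
            elif rc == audit2why.RBAC:
                print("\t\tMissing role allow rule.\n")
                print("\t\tAdd an allow rule for the role pair.\n")
            elif rc == audit2why.BOUNDS:
                print("\t\tTypebounds violation.\n")
                print("\t\tAdd an allow rule for the parent type.\n")

        audit2why.finish()

    def __output(self) -> None:
        """Emit the result: a --why explanation, or generated policy.

        Generated policy goes to a module package (-M), is appended to the
        --output file, or is written to stdout.
        """
        if self.__options.audit2why:
            try:
                self.__output_audit2why()
            except RuntimeError as e:
                print(e)
                sys.exit(1)
            return

        g = policygen.PolicyGenerator()
        g.set_gen_dontaudit(self.__options.dontaudit)

        if self.__options.module:
            g.set_module_name(self.__options.module)

        # Interface generation
        if self.__options.refpolicy:
            ifs, perm_maps = self.__load_interface_info()
            g.set_gen_refpol(ifs, perm_maps)

        # Extended permissions
        if self.__options.xperms:
            g.set_gen_xperms(True)

        # Explanation (--explain takes precedence when both are given)
        if self.__options.verbose:
            g.set_gen_explain(policygen.SHORT_EXPLANATION)
        if self.__options.explain_long:
            g.set_gen_explain(policygen.LONG_EXPLANATION)

        # Requires
        if self.__options.requires:
            g.set_gen_requires(True)

        # CIL output
        if self.__options.cil:
            g.set_gen_cil(True)

        # Generate the policy
        g.add_access(self.__avs)
        g.add_role_types(self.__role_types)

        # Output
        writer = output.ModuleWriter()
        if self.__options.cil:
            writer.set_gen_cil(True)

        if self.__options.module_package:
            self.__output_modulepackage(writer, g)
        elif self.__options.output:
            # Appends, so re-running accumulates rules in the file.
            with open(self.__options.output, "a") as fd:
                writer.write(g.get_module(), fd)
        else:
            writer.write(g.get_module(), sys.stdout)

    def main(self) -> None:
        """Run the whole pipeline; map Ctrl-C to exit 0 and input errors to exit 1."""
        try:
            self.__parse_options()
            if self.__options.policy:
                audit2why.init(self.__options.policy)
            else:
                audit2why.init()

            self.__read_input()
            self.__process_input()
            self.__output()
        except KeyboardInterrupt:
            sys.exit(0)
        except (ValueError, OSError) as e:
            # OSError covers the IOError raised by the I/O helpers above.
            print(e)
            sys.exit(1)


if __name__ == "__main__":
    app = AuditToPolicy()
    app.main()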