Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / selinux / 72a83a110ddc461d345c52003618c2fb040966d2 / . / policycoreutils / semanage / seobject.py
blob: 3a439b43705c60b5014fefc8a832cf7da6342f4b [file] [log] [blame]
#! /usr/bin/python -E
# Copyright (C) 2005, 2006, 2007, 2008, 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
import pwd, grp, string, selinux, tempfile, os, re, sys, stat
from semanage import *;
PROGNAME = "policycoreutils"
import sepolgen.module as module
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
try:
gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1)
except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
import syslog
file_types = {}
file_types[""] = SEMANAGE_FCONTEXT_ALL;
file_types["all files"] = SEMANAGE_FCONTEXT_ALL;
file_types["--"] = SEMANAGE_FCONTEXT_REG;
file_types["regular file"] = SEMANAGE_FCONTEXT_REG;
file_types["-d"] = SEMANAGE_FCONTEXT_DIR;
file_types["directory"] = SEMANAGE_FCONTEXT_DIR;
file_types["-c"] = SEMANAGE_FCONTEXT_CHAR;
file_types["character device"] = SEMANAGE_FCONTEXT_CHAR;
file_types["-b"] = SEMANAGE_FCONTEXT_BLOCK;
file_types["block device"] = SEMANAGE_FCONTEXT_BLOCK;
file_types["-s"] = SEMANAGE_FCONTEXT_SOCK;
file_types["socket"] = SEMANAGE_FCONTEXT_SOCK;
file_types["-l"] = SEMANAGE_FCONTEXT_LINK;
file_types["symbolic link"] = SEMANAGE_FCONTEXT_LINK;
file_types["-p"] = SEMANAGE_FCONTEXT_PIPE;
file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE;
try:
import audit
class logger:
def __init__(self):
self.audit_fd = audit.audit_open()
def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""):
audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], str(msg), name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success);
except:
class logger:
def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""):
if success == 1:
message = "Successful: "
else:
message = "Failed: "
message += " %s name=%s" % (msg, name)
if sename != "":
message += " sename=" + sename
if old_sename != "":
message += " old_sename=" + old_sename
if serole != "":
message += " role=" + serole
if old_serole != "":
message += " old_role=" + old_serole
if serange != "" and serange != None:
message += " MLSRange=" + serange
if old_serange != "" and old_serange != None:
message += " old_MLSRange=" + old_serange
syslog.syslog(message);
mylog = logger()
import xml.etree.ElementTree
booleans_dict = {}
try:
tree = xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
for l in tree.findall("layer"):
for m in l.findall("module"):
for b in m.findall("tunable"):
desc = b.find("desc").find("p").text.strip("\n")
desc = re.sub("\n", " ", desc)
booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
for b in m.findall("bool"):
desc = b.find("desc").find("p").text.strip("\n")
desc = re.sub("\n", " ", desc)
booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
for i in tree.findall("bool"):
desc = i.find("desc").find("p").text.strip("\n")
desc = re.sub("\n", " ", desc)
booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
for i in tree.findall("tunable"):
desc = i.find("desc").find("p").text.strip("\n")
desc = re.sub("\n", " ", desc)
booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
except IOError, e:
#print _("Failed to translate booleans.\n%s") % e
pass
def boolean_desc(boolean):
if boolean in booleans_dict:
return _(booleans_dict[boolean][2])
else:
return boolean
def validate_level(raw):
sensitivity = "s[0-9]*"
category = "c[0-9]*"
cat_range = category + "(\." + category +")?"
categories = cat_range + "(\," + cat_range + ")*"
reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?"
return re.search("^" + reg +"$", raw)
def translate(raw, prepend = 1):
filler = "a:b:c:"
if prepend == 1:
context = "%s%s" % (filler, raw)
else:
context = raw
(rc, trans) = selinux.selinux_raw_to_trans_context(context)
if rc != 0:
return raw
if prepend:
trans = trans[len(filler):]
if trans == "":
return raw
else:
return trans
def untranslate(trans, prepend = 1):
filler = "a:b:c:"
if prepend == 1:
context = "%s%s" % (filler, trans)
else:
context = trans
(rc, raw) = selinux.selinux_trans_to_raw_context(context)
if rc != 0:
return trans
if prepend:
raw = raw[len(filler):]
if raw == "":
return trans
else:
return raw
class semanageRecords:
transaction = False
handle = None
def __init__(self, store):
global handle
self.sh = self.get_handle(store)
def get_handle(self, store):
global is_mls_enabled
if semanageRecords.handle:
return semanageRecords.handle
handle = semanage_handle_create()
if not handle:
raise ValueError(_("Could not create semanage handle"))
if not semanageRecords.transaction and store != "":
semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
semanageRecords.store = store
if not semanage_is_managed(handle):
semanage_handle_destroy(handle)
raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
rc = semanage_access_check(handle)
if rc < SEMANAGE_CAN_READ:
semanage_handle_destroy(handle)
raise ValueError(_("Cannot read policy store."))
rc = semanage_connect(handle)
if rc < 0:
semanage_handle_destroy(handle)
raise ValueError(_("Could not establish semanage connection"))
is_mls_enabled = semanage_mls_enabled(handle)
if is_mls_enabled < 0:
semanage_handle_destroy(handle)
raise ValueError(_("Could not test MLS enabled status"))
semanageRecords.handle = handle
return semanageRecords.handle
def deleteall(self):
raise ValueError(_("Not yet implemented"))
def start(self):
if semanageRecords.transaction:
raise ValueError(_("Semanage transaction already in progress"))
self.begin()
semanageRecords.transaction = True
def begin(self):
if semanageRecords.transaction:
return
rc = semanage_begin_transaction(self.sh)
if rc < 0:
raise ValueError(_("Could not start semanage transaction"))
def commit(self):
if semanageRecords.transaction:
return
rc = semanage_commit(self.sh)
if rc < 0:
raise ValueError(_("Could not commit semanage transaction"))
def finish(self):
if not semanageRecords.transaction:
raise ValueError(_("Semanage transaction not in progress"))
semanageRecords.transaction = False
self.commit()
class dontauditClass(semanageRecords):
def __init__(self, store):
semanageRecords.__init__(self, store)
def toggle(self, dontaudit):
if dontaudit not in [ "on", "off" ]:
raise ValueError(_("dontaudit requires either 'on' or 'off'"))
self.begin()
rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off")
self.commit()
class permissiveRecords(semanageRecords):
def __init__(self, store):
semanageRecords.__init__(self, store)
def get_all(self):
l = []
(rc, mlist, number) = semanage_module_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list SELinux modules"))
for i in range(number):
mod = semanage_module_list_nth(mlist, i)
name = semanage_module_get_name(mod)
if name and name.startswith("permissive_"):
l.append(name.split("permissive_")[1])
return l
def list(self, heading = 1, locallist = 0):
if heading:
print "\n%-25s\n" % (_("Permissive Types"))
for t in self.get_all():
print t
def add(self, type):
import glob
name = "permissive_%s" % type
dirname = "/var/lib/selinux"
os.chdir(dirname)
filename = "%s.te" % name
modtxt = """
module %s 1.0;
require {
type %s;
}
permissive %s;
""" % (name, type, type)
fd = open(filename, 'w')
fd.write(modtxt)
fd.close()
mc = module.ModuleCompiler()
mc.create_module_package(filename, 1)
fd = open("permissive_%s.pp" % type)
data = fd.read()
fd.close()
rc = semanage_module_install(self.sh, data, len(data));
if rc >= 0:
self.commit()
for root, dirs, files in os.walk("tmp", topdown = False):
for name in files:
os.remove(os.path.join(root, name))
for name in dirs:
os.rmdir(os.path.join(root, name))
os.removedirs("tmp")
for i in glob.glob("permissive_%s.*" % type):
os.remove(i)
if rc < 0:
raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
def delete(self, name):
for n in name.split():
rc = semanage_module_remove(self.sh, "permissive_%s" % n)
if rc < 0:
raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
self.commit()
def deleteall(self):
l = self.get_all()
if len(l) > 0:
all = " ".join(l)
self.delete(all)
class loginRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
def __add(self, name, sename, serange):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
else:
serange = untranslate(serange)
if sename == "":
sename = "user_u"
(rc, k) = semanage_seuser_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_seuser_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
raise ValueError(_("Login mapping for %s is already defined") % name)
if name[0] == '%':
try:
grp.getgrnam(name[1:])
except:
raise ValueError(_("Linux Group %s does not exist") % name[1:])
else:
try:
pwd.getpwnam(name)
except:
raise ValueError(_("Linux User %s does not exist") % name)
(rc, u) = semanage_seuser_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create login mapping for %s") % name)
rc = semanage_seuser_set_name(self.sh, u, name)
if rc < 0:
raise ValueError(_("Could not set name for %s") % name)
if serange != "":
rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
if rc < 0:
raise ValueError(_("Could not set MLS range for %s") % name)
rc = semanage_seuser_set_sename(self.sh, u, sename)
if rc < 0:
raise ValueError(_("Could not set SELinux user for %s") % name)
rc = semanage_seuser_modify_local(self.sh, k, u)
if rc < 0:
raise ValueError(_("Could not add login mapping for %s") % name)
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def add(self, name, sename, serange):
try:
self.begin()
self.__add(name, sename, serange)
self.commit()
except ValueError, error:
mylog.log(0, _("add SELinux user mapping"), name, sename, "", serange);
raise error
mylog.log(1, _("add SELinux user mapping"), name, sename, "", serange);
def __modify(self, name, sename = "", serange = ""):
if sename == "" and serange == "":
raise ValueError(_("Requires seuser or serange"))
(rc, k) = semanage_seuser_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_seuser_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if not exists:
raise ValueError(_("Login mapping for %s is not defined") % name)
(rc, u) = semanage_seuser_query(self.sh, k)
if rc < 0:
raise ValueError(_("Could not query seuser for %s") % name)
oldserange = semanage_seuser_get_mlsrange(u)
oldsename = semanage_seuser_get_sename(u)
if serange != "":
semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
else:
serange = oldserange
if sename != "":
semanage_seuser_set_sename(self.sh, u, sename)
else:
sename = oldsename
rc = semanage_seuser_modify_local(self.sh, k, u)
if rc < 0:
raise ValueError(_("Could not modify login mapping for %s") % name)
semanage_seuser_key_free(k)
semanage_seuser_free(u)
mylog.log(1, "modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange);
def modify(self, name, sename = "", serange = ""):
try:
self.begin()
self.__modify(name, sename, serange)
self.commit()
except ValueError, error:
mylog.log(0, "modify selinux user mapping", name, sename, "", serange, "", "", "");
raise error
def __delete(self, name):
(rc, k) = semanage_seuser_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_seuser_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if not exists:
raise ValueError(_("Login mapping for %s is not defined") % name)
(rc, exists) = semanage_seuser_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if not exists:
raise ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name)
rc = semanage_seuser_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete login mapping for %s") % name)
semanage_seuser_key_free(k)
def delete(self, name):
try:
self.begin()
self.__delete(name)
self.commit()
except ValueError, error:
mylog.log(0, "delete SELinux user mapping", name);
raise error
mylog.log(1, "delete SELinux user mapping", name);
def deleteall(self):
(rc, ulist) = semanage_seuser_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list login mappings"))
self.begin()
for u in ulist:
self.__delete(semanage_seuser_get_name(u))
self.commit()
def get_all(self, locallist = 0):
ddict = {}
if locallist:
(rc, self.ulist) = semanage_seuser_list_local(self.sh)
else:
(rc, self.ulist) = semanage_seuser_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list login mappings"))
for u in self.ulist:
name = semanage_seuser_get_name(u)
ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u))
return ddict
def list(self,heading = 1, locallist = 0):
ddict = self.get_all(locallist)
keys = ddict.keys()
keys.sort()
if is_mls_enabled == 1:
if heading:
print "\n%-25s %-25s %-25s\n" % (_("Login Name"), _("SELinux User"), _("MLS/MCS Range"))
for k in keys:
print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1]))
else:
if heading:
print "\n%-25s %-25s\n" % (_("Login Name"), _("SELinux User"))
for k in keys:
print "%-25s %-25s" % (k, ddict[k][0])
class seluserRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
def __add(self, name, roles, selevel, serange, prefix):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
else:
serange = untranslate(serange)
if selevel == "":
selevel = "s0"
else:
selevel = untranslate(selevel)
if len(roles) < 1:
raise ValueError(_("You must add at least one role for %s") % name)
(rc, k) = semanage_user_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_user_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if exists:
raise ValueError(_("SELinux user %s is already defined") % name)
(rc, u) = semanage_user_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create SELinux user for %s") % name)
rc = semanage_user_set_name(self.sh, u, name)
if rc < 0:
raise ValueError(_("Could not set name for %s") % name)
for r in roles:
rc = semanage_user_add_role(self.sh, u, r)
if rc < 0:
raise ValueError(_("Could not add role %s for %s") % (r, name))
if is_mls_enabled == 1:
rc = semanage_user_set_mlsrange(self.sh, u, serange)
if rc < 0:
raise ValueError(_("Could not set MLS range for %s") % name)
rc = semanage_user_set_mlslevel(self.sh, u, selevel)
if rc < 0:
raise ValueError(_("Could not set MLS level for %s") % name)
rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0:
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
(rc, key) = semanage_user_key_extract(self.sh,u)
if rc < 0:
raise ValueError(_("Could not extract key for %s") % name)
rc = semanage_user_modify_local(self.sh, k, u)
if rc < 0:
raise ValueError(_("Could not add SELinux user %s") % name)
semanage_user_key_free(k)
semanage_user_free(u)
def add(self, name, roles, selevel, serange, prefix):
seroles = " ".join(roles)
try:
self.begin()
self.__add( name, roles, selevel, serange, prefix)
self.commit()
except ValueError, error:
mylog.log(0,"add SELinux user record", name, name, seroles, serange)
raise error
mylog.log(1,"add SELinux user record", name, name, seroles, serange)
def __modify(self, name, roles = [], selevel = "", serange = "", prefix = ""):
oldroles = ""
oldserange = ""
newroles = string.join(roles, ' ');
if prefix == "" and len(roles) == 0 and serange == "" and selevel == "":
if is_mls_enabled == 1:
raise ValueError(_("Requires prefix, roles, level or range"))
else:
raise ValueError(_("Requires prefix or roles"))
(rc, k) = semanage_user_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_user_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if not exists:
raise ValueError(_("SELinux user %s is not defined") % name)
(rc, u) = semanage_user_query(self.sh, k)
if rc < 0:
raise ValueError(_("Could not query user for %s") % name)
oldserange = semanage_user_get_mlsrange(u)
(rc, rlist) = semanage_user_get_roles(self.sh, u)
if rc >= 0:
oldroles = string.join(rlist, ' ');
newroles = newroles + ' ' + oldroles;
if serange != "":
semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
if selevel != "":
semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
if prefix != "":
semanage_user_set_prefix(self.sh, u, prefix)
if len(roles) != 0:
for r in rlist:
if r not in roles:
semanage_user_del_role(u, r)
for r in roles:
if r not in rlist:
semanage_user_add_role(self.sh, u, r)
rc = semanage_user_modify_local(self.sh, k, u)
if rc < 0:
raise ValueError(_("Could not modify SELinux user %s") % name)
semanage_user_key_free(k)
semanage_user_free(u)
mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange)
def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""):
try:
self.begin()
self.__modify(name, roles, selevel, serange, prefix)
self.commit()
except ValueError, error:
mylog.log(0,"modify SELinux user record", name, "", " ".join(roles), serange, "", "", "")
raise error
def __delete(self, name):
(rc, k) = semanage_user_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_user_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if not exists:
raise ValueError(_("SELinux user %s is not defined") % name)
(rc, exists) = semanage_user_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if not exists:
raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name)
rc = semanage_user_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete SELinux user %s") % name)
semanage_user_key_free(k)
def delete(self, name):
try:
self.begin()
self.__delete(name)
self.commit()
except ValueError, error:
mylog.log(0,"delete SELinux user record", name)
raise error
mylog.log(1,"delete SELinux user record", name)
def deleteall(self):
(rc, ulist) = semanage_user_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list login mappings"))
self.begin()
for u in ulist:
self.__delete(semanage_user_get_name(u))
self.commit()
def get_all(self, locallist = 0):
ddict = {}
if locallist:
(rc, self.ulist) = semanage_user_list_local(self.sh)
else:
(rc, self.ulist) = semanage_user_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list SELinux users"))
for u in self.ulist:
name = semanage_user_get_name(u)
(rc, rlist) = semanage_user_get_roles(self.sh, u)
if rc < 0:
raise ValueError(_("Could not list roles for user %s") % name)
roles = string.join(rlist, ' ');
ddict[semanage_user_get_name(u)] = (semanage_user_get_prefix(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
return ddict
def list(self, heading = 1, locallist = 0):
ddict = self.get_all(locallist)
keys = ddict.keys()
keys.sort()
if is_mls_enabled == 1:
if heading:
print "\n%-15s %-10s %-10s %-30s" % ("", _("Labeling"), _("MLS/"), _("MLS/"))
print "%-15s %-10s %-10s %-30s %s\n" % (_("SELinux User"), _("Prefix"), _("MCS Level"), _("MCS Range"), _("SELinux Roles"))
for k in keys:
print "%-15s %-10s %-10s %-30s %s" % (k, ddict[k][0], translate(ddict[k][1]), translate(ddict[k][2]), ddict[k][3])
else:
if heading:
print "%-15s %s\n" % (_("SELinux User"), _("SELinux Roles"))
for k in keys:
print "%-15s %s" % (k, ddict[k][3])
class portRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
def __genkey(self, port, proto):
if proto == "tcp":
proto_d = SEMANAGE_PROTO_TCP
else:
if proto == "udp":
proto_d = SEMANAGE_PROTO_UDP
else:
raise ValueError(_("Protocol udp or tcp is required"))
if port == "":
raise ValueError(_("Port is required"))
ports = port.split("-")
if len(ports) == 1:
high = low = int(ports[0])
else:
low = int(ports[0])
high = int(ports[1])
if high > 65535:
raise ValueError(_("Invalid Port"))
(rc, k) = semanage_port_key_create(self.sh, low, high, proto_d)
if rc < 0:
raise ValueError(_("Could not create a key for %s/%s") % (proto, port))
return ( k, proto_d, low, high )
def __add(self, port, proto, serange, type):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
else:
serange = untranslate(serange)
if type == "":
raise ValueError(_("Type is required"))
( k, proto_d, low, high ) = self.__genkey(port, proto)
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if exists:
raise ValueError(_("Port %s/%s already defined") % (proto, port))
(rc, p) = semanage_port_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create port for %s/%s") % (proto, port))
semanage_port_set_proto(p, proto_d)
semanage_port_set_range(p, low, high)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create context for %s/%s") % (proto, port))
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
raise ValueError(_("Could not set user in port context for %s/%s") % (proto, port))
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
raise ValueError(_("Could not set role in port context for %s/%s") % (proto, port))
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
raise ValueError(_("Could not set type in port context for %s/%s") % (proto, port))
if serange != "":
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
raise ValueError(_("Could not set mls fields in port context for %s/%s") % (proto, port))
rc = semanage_port_set_con(self.sh, p, con)
if rc < 0:
raise ValueError(_("Could not set port context for %s/%s") % (proto, port))
rc = semanage_port_modify_local(self.sh, k, p)
if rc < 0:
raise ValueError(_("Could not add port %s/%s") % (proto, port))
semanage_context_free(con)
semanage_port_key_free(k)
semanage_port_free(p)
def add(self, port, proto, serange, type):
self.begin()
self.__add(port, proto, serange, type)
self.commit()
def __modify(self, port, proto, serange, setype):
if serange == "" and setype == "":
if is_mls_enabled == 1:
raise ValueError(_("Requires setype or serange"))
else:
raise ValueError(_("Requires setype"))
( k, proto_d, low, high ) = self.__genkey(port, proto)
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if not exists:
raise ValueError(_("Port %s/%s is not defined") % (proto,port))
(rc, p) = semanage_port_query(self.sh, k)
if rc < 0:
raise ValueError(_("Could not query port %s/%s") % (proto, port))
con = semanage_port_get_con(p)
if serange != "":
semanage_context_set_mls(self.sh, con, untranslate(serange))
if setype != "":
semanage_context_set_type(self.sh, con, setype)
rc = semanage_port_modify_local(self.sh, k, p)
if rc < 0:
raise ValueError(_("Could not modify port %s/%s") % (proto, port))
semanage_port_key_free(k)
semanage_port_free(p)
def modify(self, port, proto, serange, setype):
self.begin()
self.__modify(port, proto, serange, setype)
self.commit()
def deleteall(self):
(rc, plist) = semanage_port_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list the ports"))
self.begin()
for port in plist:
proto = semanage_port_get_proto(port)
proto_str = semanage_port_get_proto_str(proto)
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
port_str = "%s-%s" % (low, high)
( k, proto_d, low, high ) = self.__genkey(port_str , proto_str)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % port_str)
rc = semanage_port_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete the port %s") % port_str)
semanage_port_key_free(k)
self.commit()
def __delete(self, port, proto):
( k, proto_d, low, high ) = self.__genkey(port, proto)
(rc, exists) = semanage_port_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if not exists:
raise ValueError(_("Port %s/%s is not defined") % (proto, port))
(rc, exists) = semanage_port_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if not exists:
raise ValueError(_("Port %s/%s is defined in policy, cannot be deleted") % (proto, port))
rc = semanage_port_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete port %s/%s") % (proto, port))
semanage_port_key_free(k)
def delete(self, port, proto):
self.begin()
self.__delete(port, proto)
self.commit()
def get_all(self, locallist = 0):
ddict = {}
if locallist:
(rc, self.plist) = semanage_port_list_local(self.sh)
else:
(rc, self.plist) = semanage_port_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list ports"))
for port in self.plist:
con = semanage_port_get_con(port)
ctype = semanage_context_get_type(con)
if ctype == "reserved_port_t":
continue
level = semanage_context_get_mls(con)
proto = semanage_port_get_proto(port)
proto_str = semanage_port_get_proto_str(proto)
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
ddict[(low, high, proto_str)] = (ctype, level)
return ddict
def get_all_by_type(self, locallist = 0):
ddict = {}
if locallist:
(rc, self.plist) = semanage_port_list_local(self.sh)
else:
(rc, self.plist) = semanage_port_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list ports"))
for port in self.plist:
con = semanage_port_get_con(port)
ctype = semanage_context_get_type(con)
if ctype == "reserved_port_t":
continue
proto = semanage_port_get_proto(port)
proto_str = semanage_port_get_proto_str(proto)
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
if (ctype, proto_str) not in ddict.keys():
ddict[(ctype,proto_str)] = []
if low == high:
ddict[(ctype,proto_str)].append("%d" % low)
else:
ddict[(ctype,proto_str)].append("%d-%d" % (low, high))
return ddict
def list(self, heading = 1, locallist = 0):
if heading:
print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number"))
ddict = self.get_all_by_type(locallist)
keys = ddict.keys()
keys.sort()
for i in keys:
rec = "%-30s %-8s " % i
rec += "%s" % ddict[i][0]
for p in ddict[i][1:]:
rec += ", %s" % p
print rec
class nodeRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self,store)
def __add(self, addr, mask, proto, serange, ctype):
if addr == "":
raise ValueError(_("Node Address is required"))
if mask == "":
raise ValueError(_("Node Netmask is required"))
if proto == "ipv4":
proto = 0
elif proto == "ipv6":
proto = 1
else:
raise ValueError(_("Unknown or missing protocol"))
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
else:
serange = untranslate(serange)
if ctype == "":
raise ValueError(_("SELinux Type is required"))
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
if rc < 0:
raise ValueError(_("Could not create key for %s") % addr)
if rc < 0:
raise ValueError(_("Could not check if addr %s is defined") % addr)
(rc, exists) = semanage_node_exists(self.sh, k)
if exists:
raise ValueError(_("Addr %s already defined") % addr)
(rc, node) = semanage_node_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create addr for %s") % addr)
rc = semanage_node_set_addr(self.sh, node, proto, addr)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create context for %s") % addr)
rc = semanage_node_set_mask(self.sh, node, proto, mask)
if rc < 0:
raise ValueError(_("Could not set mask for %s") % addr)
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
raise ValueError(_("Could not set user in addr context for %s") % addr)
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
raise ValueError(_("Could not set role in addr context for %s") % addr)
rc = semanage_context_set_type(self.sh, con, ctype)
if rc < 0:
raise ValueError(_("Could not set type in addr context for %s") % addr)
if serange != "":
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
rc = semanage_node_set_con(self.sh, node, con)
if rc < 0:
raise ValueError(_("Could not set addr context for %s") % addr)
rc = semanage_node_modify_local(self.sh, k, node)
if rc < 0:
raise ValueError(_("Could not add addr %s") % addr)
semanage_context_free(con)
semanage_node_key_free(k)
semanage_node_free(node)
def add(self, addr, mask, proto, serange, ctype):
self.begin()
self.__add(addr, mask, proto, serange, ctype)
self.commit()
def __modify(self, addr, mask, proto, serange, setype):
if addr == "":
raise ValueError(_("Node Address is required"))
if mask == "":
raise ValueError(_("Node Netmask is required"))
if proto == "ipv4":
proto = 0
elif proto == "ipv6":
proto = 1
else:
raise ValueError(_("Unknown or missing protocol"))
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
if rc < 0:
raise ValueError(_("Could not create key for %s") % addr)
(rc, exists) = semanage_node_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if addr %s is defined") % addr)
if not exists:
raise ValueError(_("Addr %s is not defined") % addr)
(rc, node) = semanage_node_query(self.sh, k)
if rc < 0:
raise ValueError(_("Could not query addr %s") % addr)
con = semanage_node_get_con(node)
if serange != "":
semanage_context_set_mls(self.sh, con, untranslate(serange))
if setype != "":
semanage_context_set_type(self.sh, con, setype)
rc = semanage_node_modify_local(self.sh, k, node)
if rc < 0:
raise ValueError(_("Could not modify addr %s") % addr)
semanage_node_key_free(k)
semanage_node_free(node)
def modify(self, addr, mask, proto, serange, setype):
self.begin()
self.__modify(addr, mask, proto, serange, setype)
self.commit()
def __delete(self, addr, mask, proto):
if addr == "":
raise ValueError(_("Node Address is required"))
if mask == "":
raise ValueError(_("Node Netmask is required"))
if proto == "ipv4":
proto = 0
elif proto == "ipv6":
proto = 1
else:
raise ValueError(_("Unknown or missing protocol"))
(rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
if rc < 0:
raise ValueError(_("Could not create key for %s") % addr)
(rc, exists) = semanage_node_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if addr %s is defined") % addr)
if not exists:
raise ValueError(_("Addr %s is not defined") % addr)
(rc, exists) = semanage_node_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if addr %s is defined") % addr)
if not exists:
raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
rc = semanage_node_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete addr %s") % addr)
semanage_node_key_free(k)
def delete(self, addr, mask, proto):
self.begin()
self.__delete(addr, mask, proto)
self.commit()
def deleteall(self):
(rc, nlist) = semanage_node_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not deleteall node mappings"))
self.begin()
for node in nlist:
self.__delete(semanage_node_get_addr(self.sh, node)[1], semanage_node_get_mask(self.sh, node)[1], self.protocol[semanage_node_get_proto(node)])
self.commit()
def get_all(self, locallist = 0):
ddict = {}
if locallist :
(rc, self.ilist) = semanage_node_list_local(self.sh)
else:
(rc, self.ilist) = semanage_node_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list addrs"))
for node in self.ilist:
con = semanage_node_get_con(node)
addr = semanage_node_get_addr(self.sh, node)
mask = semanage_node_get_mask(self.sh, node)
proto = semanage_node_get_proto(node)
if proto == 0:
proto = "ipv4"
elif proto == 1:
proto = "ipv6"
ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
return ddict
def list(self, heading = 1, locallist = 0):
if heading:
print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context")
ddict = self.get_all(locallist)
keys = ddict.keys()
keys.sort()
if is_mls_enabled:
for k in keys:
val = ''
for fields in k:
val = val + '\t' + str(fields)
print "%-18s %-18s %-5s %s:%s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
else:
for k in keys:
print "%-18s %-18s %-5s %s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2])
class interfaceRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
def __add(self, interface, serange, ctype):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
else:
serange = untranslate(serange)
if ctype == "":
raise ValueError(_("SELinux Type is required"))
(rc, k) = semanage_iface_key_create(self.sh, interface)
if rc < 0:
raise ValueError(_("Could not create key for %s") % interface)
(rc, exists) = semanage_iface_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if exists:
raise ValueError(_("Interface %s already defined") % interface)
(rc, iface) = semanage_iface_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create interface for %s") % interface)
rc = semanage_iface_set_name(self.sh, iface, interface)
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create context for %s") % interface)
rc = semanage_context_set_user(self.sh, con, "system_u")
if rc < 0:
raise ValueError(_("Could not set user in interface context for %s") % interface)
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
raise ValueError(_("Could not set role in interface context for %s") % interface)
rc = semanage_context_set_type(self.sh, con, ctype)
if rc < 0:
raise ValueError(_("Could not set type in interface context for %s") % interface)
if serange != "":
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
raise ValueError(_("Could not set mls fields in interface context for %s") % interface)
rc = semanage_iface_set_ifcon(self.sh, iface, con)
if rc < 0:
raise ValueError(_("Could not set interface context for %s") % interface)
rc = semanage_iface_set_msgcon(self.sh, iface, con)
if rc < 0:
raise ValueError(_("Could not set message context for %s") % interface)
rc = semanage_iface_modify_local(self.sh, k, iface)
if rc < 0:
raise ValueError(_("Could not add interface %s") % interface)
semanage_context_free(con)
semanage_iface_key_free(k)
semanage_iface_free(iface)
def add(self, interface, serange, ctype):
self.begin()
self.__add(interface, serange, ctype)
self.commit()
def __modify(self, interface, serange, setype):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
(rc, k) = semanage_iface_key_create(self.sh, interface)
if rc < 0:
raise ValueError(_("Could not create key for %s") % interface)
(rc, exists) = semanage_iface_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if not exists:
raise ValueError(_("Interface %s is not defined") % interface)
(rc, iface) = semanage_iface_query(self.sh, k)
if rc < 0:
raise ValueError(_("Could not query interface %s") % interface)
con = semanage_iface_get_ifcon(iface)
if serange != "":
semanage_context_set_mls(self.sh, con, untranslate(serange))
if setype != "":
semanage_context_set_type(self.sh, con, setype)
rc = semanage_iface_modify_local(self.sh, k, iface)
if rc < 0:
raise ValueError(_("Could not modify interface %s") % interface)
semanage_iface_key_free(k)
semanage_iface_free(iface)
def modify(self, interface, serange, setype):
self.begin()
self.__modify(interface, serange, setype)
self.commit()
def __delete(self, interface):
(rc, k) = semanage_iface_key_create(self.sh, interface)
if rc < 0:
raise ValueError(_("Could not create key for %s") % interface)
(rc, exists) = semanage_iface_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if not exists:
raise ValueError(_("Interface %s is not defined") % interface)
(rc, exists) = semanage_iface_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if not exists:
raise ValueError(_("Interface %s is defined in policy, cannot be deleted") % interface)
rc = semanage_iface_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete interface %s") % interface)
semanage_iface_key_free(k)
def delete(self, interface):
self.begin()
self.__delete(interface)
self.commit()
def deleteall(self):
(rc, ulist) = semanage_iface_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not delete all interface mappings"))
self.begin()
for i in ulist:
self.__delete(semanage_iface_get_name(i))
self.commit()
def get_all(self, locallist = 0):
ddict = {}
if locallist:
(rc, self.ilist) = semanage_iface_list_local(self.sh)
else:
(rc, self.ilist) = semanage_iface_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list interfaces"))
for interface in self.ilist:
con = semanage_iface_get_ifcon(interface)
ddict[semanage_iface_get_name(interface)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
return ddict
def list(self, heading = 1, locallist = 0):
if heading:
print "%-30s %s\n" % (_("SELinux Interface"), _("Context"))
ddict = self.get_all(locallist)
keys = ddict.keys()
keys.sort()
if is_mls_enabled:
for k in keys:
print "%-30s %s:%s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
else:
for k in keys:
print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
class fcontextRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
def createcon(self, target, seuser = "system_u"):
(rc, con) = semanage_context_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create context for %s") % target)
if seuser == "":
seuser = "system_u"
rc = semanage_context_set_user(self.sh, con, seuser)
if rc < 0:
raise ValueError(_("Could not set user in file context for %s") % target)
rc = semanage_context_set_role(self.sh, con, "object_r")
if rc < 0:
raise ValueError(_("Could not set role in file context for %s") % target)
if is_mls_enabled == 1:
rc = semanage_context_set_mls(self.sh, con, "s0")
if rc < 0:
raise ValueError(_("Could not set mls fields in file context for %s") % target)
return con
def validate(self, target):
if target == "" or target.find("\n") >= 0:
raise ValueError(_("Invalid file specification"))
def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
self.validate(target)
if is_mls_enabled == 1:
serange = untranslate(serange)
if type == "":
raise ValueError(_("SELinux Type is required"))
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0:
raise ValueError(_("Could not create key for %s") % target)
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
raise ValueError(_("File context for %s already defined") % target)
(rc, fcontext) = semanage_fcontext_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create file context for %s") % target)
rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
if type != "<<none>>":
con = self.createcon(target, seuser)
rc = semanage_context_set_type(self.sh, con, type)
if rc < 0:
raise ValueError(_("Could not set type in file context for %s") % target)
if serange != "":
rc = semanage_context_set_mls(self.sh, con, serange)
if rc < 0:
raise ValueError(_("Could not set mls fields in file context for %s") % target)
rc = semanage_fcontext_set_con(self.sh, fcontext, con)
if rc < 0:
raise ValueError(_("Could not set file context for %s") % target)
semanage_fcontext_set_type(fcontext, file_types[ftype])
rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
if rc < 0:
raise ValueError(_("Could not add file context for %s") % target)
if type != "<<none>>":
semanage_context_free(con)
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
self.begin()
self.__add(target, type, ftype, serange, seuser)
self.commit()
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))
self.validate(target)
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0:
raise ValueError(_("Could not create a key for %s") % target)
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
(rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
if rc < 0:
(rc, fcontext) = semanage_fcontext_query(self.sh, k)
if rc < 0:
raise ValueError(_("Could not query file context for %s") % target)
if setype != "<<none>>":
con = semanage_fcontext_get_con(fcontext)
if con == None:
con = self.createcon(target)
if serange != "":
semanage_context_set_mls(self.sh, con, untranslate(serange))
if seuser != "":
semanage_context_set_user(self.sh, con, seuser)
if setype != "":
semanage_context_set_type(self.sh, con, setype)
rc = semanage_fcontext_set_con(self.sh, fcontext, con)
if rc < 0:
raise ValueError(_("Could not set file context for %s") % target)
else:
rc = semanage_fcontext_set_con(self.sh, fcontext, None)
if rc < 0:
raise ValueError(_("Could not set file context for %s") % target)
rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
if rc < 0:
raise ValueError(_("Could not modify file context for %s") % target)
semanage_fcontext_key_free(k)
semanage_fcontext_free(fcontext)
def modify(self, target, setype, ftype, serange, seuser):
self.begin()
self.__modify(target, setype, ftype, serange, seuser)
self.commit()
def deleteall(self):
(rc, flist) = semanage_fcontext_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list the file contexts"))
self.begin()
for fcontext in flist:
target = semanage_fcontext_get_expr(fcontext)
ftype = semanage_fcontext_get_type(fcontext)
ftype_str = semanage_fcontext_get_type_str(ftype)
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str])
if rc < 0:
raise ValueError(_("Could not create a key for %s") % target)
rc = semanage_fcontext_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
self.commit()
def __delete(self, target, ftype):
(rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0:
raise ValueError(_("Could not create a key for %s") % target)
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
raise ValueError(_("File context for %s is defined in policy, cannot be deleted") % target)
else:
raise ValueError(_("File context for %s is not defined") % target)
rc = semanage_fcontext_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete file context for %s") % target)
semanage_fcontext_key_free(k)
def delete(self, target, ftype):
self.begin()
self.__delete( target, ftype)
self.commit()
def get_all(self, locallist = 0):
if locallist:
(rc, self.flist) = semanage_fcontext_list_local(self.sh)
else:
(rc, self.flist) = semanage_fcontext_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list file contexts"))
(rc, fclocal) = semanage_fcontext_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list local file contexts"))
self.flist += fclocal
ddict = {}
for fcontext in self.flist:
expr = semanage_fcontext_get_expr(fcontext)
ftype = semanage_fcontext_get_type(fcontext)
ftype_str = semanage_fcontext_get_type_str(ftype)
con = semanage_fcontext_get_con(fcontext)
if con:
ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
else:
ddict[(expr, ftype_str)] = con
return ddict
def list(self, heading = 1, locallist = 0 ):
if heading:
print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context"))
fcon_dict = self.get_all(locallist)
keys = fcon_dict.keys()
keys.sort()
for k in keys:
if fcon_dict[k]:
if is_mls_enabled:
print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3],False))
else:
print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
else:
print "%-50s %-18s <<None>>" % (k[0], k[1])
class booleanRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
self.dict = {}
self.dict["TRUE"] = 1
self.dict["FALSE"] = 0
self.dict["ON"] = 1
self.dict["OFF"] = 0
self.dict["1"] = 1
self.dict["0"] = 0
def __mod(self, name, value):
(rc, k) = semanage_bool_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_bool_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if boolean %s is defined") % name)
if not exists:
raise ValueError(_("Boolean %s is not defined") % name)
(rc, b) = semanage_bool_query(self.sh, k)
if rc < 0:
raise ValueError(_("Could not query file context %s") % name)
if value.upper() in self.dict:
semanage_bool_set_value(b, self.dict[value.upper()])
else:
raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
rc = semanage_bool_set_active(self.sh, k, b)
if rc < 0:
raise ValueError(_("Could not set active value of boolean %s") % name)
rc = semanage_bool_modify_local(self.sh, k, b)
if rc < 0:
raise ValueError(_("Could not modify boolean %s") % name)
semanage_bool_key_free(k)
semanage_bool_free(b)
def modify(self, name, value = None, use_file = False):
self.begin()
if use_file:
fd = open(name)
for b in fd.read().split("\n"):
b = b.strip()
if len(b) == 0:
continue
try:
boolname, val = b.split("=")
except ValueError:
raise ValueError(_("Bad format %s: Record %s" % ( name, b) ))
self.__mod(boolname.strip(), val.strip())
fd.close()
else:
self.__mod(name, value)
self.commit()
def __delete(self, name):
(rc, k) = semanage_bool_key_create(self.sh, name)
if rc < 0:
raise ValueError(_("Could not create a key for %s") % name)
(rc, exists) = semanage_bool_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if boolean %s is defined") % name)
if not exists:
raise ValueError(_("Boolean %s is not defined") % name)
(rc, exists) = semanage_bool_exists_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if boolean %s is defined") % name)
if not exists:
raise ValueError(_("Boolean %s is defined in policy, cannot be deleted") % name)
rc = semanage_bool_del_local(self.sh, k)
if rc < 0:
raise ValueError(_("Could not delete boolean %s") % name)
semanage_bool_key_free(k)
def delete(self, name):
self.begin()
self.__delete(name)
self.commit()
def deleteall(self):
(rc, self.blist) = semanage_bool_list_local(self.sh)
if rc < 0:
raise ValueError(_("Could not list booleans"))
self.begin()
for boolean in self.blist:
name = semanage_bool_get_name(boolean)
self.__delete(name)
self.commit()
def get_all(self, locallist = 0):
ddict = {}
if locallist:
(rc, self.blist) = semanage_bool_list_local(self.sh)
else:
(rc, self.blist) = semanage_bool_list(self.sh)
if rc < 0:
raise ValueError(_("Could not list booleans"))
for boolean in self.blist:
value = []
name = semanage_bool_get_name(boolean)
value.append(semanage_bool_get_value(boolean))
value.append(selinux.security_get_boolean_pending(name))
value.append(selinux.security_get_boolean_active(name))
ddict[name] = value
return ddict
def get_desc(self, boolean):
return boolean_desc(boolean)
def get_category(self, boolean):
if boolean in booleans_dict:
return _(booleans_dict[boolean][0])
else:
return _("unknown")
def list(self, heading = True, locallist = False, use_file = False):
on_off = (_("off"), _("on"))
if use_file:
ddict = self.get_all(locallist)
keys = ddict.keys()
for k in keys:
if ddict[k]:
print "%s=%s" % (k, ddict[k][2])
return
if heading:
print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
ddict = self.get_all(locallist)
keys = ddict.keys()
for k in keys:
if ddict[k]:
print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k))