Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / selinux / 849e7d5be78e1d6264141463562d1da68e5076d8 / . / policycoreutils / semanage / seobject.py
blob: ef88f825aa92e59d04e518da4e981b026011d57d [file] [log] [blame]
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1#! /usr/bin/python -E
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]2# Copyright (C) 2005, 2006, 2007, 2008, 2009 Red Hat
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]3# see file 'COPYING' for use and warranty information
4#
5# semanage is a tool for managing SELinux configuration files
6#
7# This program is free software; you can redistribute it and/or
8# modify it under the terms of the GNU General Public License as
9# published by the Free Software Foundation; either version 2 of
10# the License, or (at your option) any later version.
11#
12# This program is distributed in the hope that it will be useful,
13# but WITHOUT ANY WARRANTY; without even the implied warranty of
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15# GNU General Public License for more details.
16#
17# You should have received a copy of the GNU General Public License
18# along with this program; if not, write to the Free Software
19# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
20# 02111-1307 USA
21#
22#
23
Daniel J Walsh1f60e9b2009-08-19 16:57:11 -0400[diff] [blame]24import pwd, grp, string, selinux, tempfile, os, re, sys, stat
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]25from semanage import *;
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]26PROGNAME = "policycoreutils"
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]27import sepolgen.module as module
28
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]29import gettext
30gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
31gettext.textdomain(PROGNAME)
32try:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]33 gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]34except IOError:
35 import __builtin__
36 __builtin__.__dict__['_'] = unicode
37
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]38import syslog
39
40file_types = {}
41file_types[""] = SEMANAGE_FCONTEXT_ALL;
42file_types["all files"] = SEMANAGE_FCONTEXT_ALL;
43file_types["--"] = SEMANAGE_FCONTEXT_REG;
44file_types["regular file"] = SEMANAGE_FCONTEXT_REG;
45file_types["-d"] = SEMANAGE_FCONTEXT_DIR;
46file_types["directory"] = SEMANAGE_FCONTEXT_DIR;
47file_types["-c"] = SEMANAGE_FCONTEXT_CHAR;
48file_types["character device"] = SEMANAGE_FCONTEXT_CHAR;
49file_types["-b"] = SEMANAGE_FCONTEXT_BLOCK;
50file_types["block device"] = SEMANAGE_FCONTEXT_BLOCK;
51file_types["-s"] = SEMANAGE_FCONTEXT_SOCK;
52file_types["socket"] = SEMANAGE_FCONTEXT_SOCK;
53file_types["-l"] = SEMANAGE_FCONTEXT_LINK;
54file_types["symbolic link"] = SEMANAGE_FCONTEXT_LINK;
55file_types["-p"] = SEMANAGE_FCONTEXT_PIPE;
56file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE;
57
58try:
59 import audit
60 class logger:
61 def __init__(self):
62 self.audit_fd = audit.audit_open()
63
64 def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]65 audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], str(msg), name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success);
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]66except:
67 class logger:
68 def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""):
69 if success == 1:
70 message = "Successful: "
71 else:
72 message = "Failed: "
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]73 message += " %s name=%s" % (msg, name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]74 if sename != "":
75 message += " sename=" + sename
76 if old_sename != "":
77 message += " old_sename=" + old_sename
78 if serole != "":
79 message += " role=" + serole
80 if old_serole != "":
81 message += " old_role=" + old_serole
82 if serange != "" and serange != None:
83 message += " MLSRange=" + serange
84 if old_serange != "" and old_serange != None:
85 message += " old_MLSRange=" + old_serange
86 syslog.syslog(message);
87
88mylog = logger()
89
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]90import xml.etree.ElementTree
91
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]92booleans_dict = {}
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]93try:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]94 tree = xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml")
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]95 for l in tree.findall("layer"):
96 for m in l.findall("module"):
97 for b in m.findall("tunable"):
98 desc = b.find("desc").find("p").text.strip("\n")
99 desc = re.sub("\n", " ", desc)
100 booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
101 for b in m.findall("bool"):
102 desc = b.find("desc").find("p").text.strip("\n")
103 desc = re.sub("\n", " ", desc)
104 booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc)
105 for i in tree.findall("bool"):
106 desc = i.find("desc").find("p").text.strip("\n")
107 desc = re.sub("\n", " ", desc)
108 booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
109 for i in tree.findall("tunable"):
110 desc = i.find("desc").find("p").text.strip("\n")
111 desc = re.sub("\n", " ", desc)
112 booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc)
113except IOError, e:
114 #print _("Failed to translate booleans.\n%s") % e
115 pass
116
117def boolean_desc(boolean):
118 if boolean in booleans_dict:
119 return _(booleans_dict[boolean][2])
120 else:
121 return boolean
122
123def validate_level(raw):
124 sensitivity = "s[0-9]*"
125 category = "c[0-9]*"
126 cat_range = category + "(\." + category +")?"
127 categories = cat_range + "(\," + cat_range + ")*"
128 reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?"
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]129 return re.search("^" + reg +"$", raw)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]130
131def translate(raw, prepend = 1):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]132 filler = "a:b:c:"
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]133 if prepend == 1:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]134 context = "%s%s" % (filler, raw)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]135 else:
136 context = raw
137 (rc, trans) = selinux.selinux_raw_to_trans_context(context)
138 if rc != 0:
139 return raw
140 if prepend:
141 trans = trans[len(filler):]
142 if trans == "":
143 return raw
144 else:
145 return trans
146
147def untranslate(trans, prepend = 1):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]148 filler = "a:b:c:"
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]149 if prepend == 1:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]150 context = "%s%s" % (filler, trans)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]151 else:
152 context = trans
153
154 (rc, raw) = selinux.selinux_trans_to_raw_context(context)
155 if rc != 0:
156 return trans
157 if prepend:
158 raw = raw[len(filler):]
159 if raw == "":
160 return trans
161 else:
162 return raw
163
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]164class semanageRecords:
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]165 transaction = False
Eric Paris3fd3a922011-07-10 12:15:36 +0200[diff] [blame]166 handle = None
167 def __init__(self, store):
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]168 global handle
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]169
Eric Paris3fd3a922011-07-10 12:15:36 +0200[diff] [blame]170 self.sh = self.get_handle(store)
171
172 def get_handle(self, store):
173 global is_mls_enabled
174
175 if semanageRecords.handle:
176 return semanageRecords.handle
177
178 handle = semanage_handle_create()
179 if not handle:
180 raise ValueError(_("Could not create semanage handle"))
181
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]182 if not semanageRecords.transaction and store != "":
Eric Paris3fd3a922011-07-10 12:15:36 +0200[diff] [blame]183 semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
184 semanageRecords.store = store
185
186 if not semanage_is_managed(handle):
187 semanage_handle_destroy(handle)
188 raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
189
190 rc = semanage_access_check(handle)
191 if rc < SEMANAGE_CAN_READ:
192 semanage_handle_destroy(handle)
193 raise ValueError(_("Cannot read policy store."))
194
195 rc = semanage_connect(handle)
196 if rc < 0:
197 semanage_handle_destroy(handle)
198 raise ValueError(_("Could not establish semanage connection"))
199
200 is_mls_enabled = semanage_mls_enabled(handle)
201 if is_mls_enabled < 0:
202 semanage_handle_destroy(handle)
203 raise ValueError(_("Could not test MLS enabled status"))
204
205 semanageRecords.handle = handle
206 return semanageRecords.handle
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]207
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]208 def deleteall(self):
209 raise ValueError(_("Not yet implemented"))
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]210
Daniel J Walsh35490f22009-04-10 17:14:47 -0400[diff] [blame]211 def start(self):
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]212 if semanageRecords.transaction:
Daniel J Walsh35490f22009-04-10 17:14:47 -0400[diff] [blame]213 raise ValueError(_("Semanage transaction already in progress"))
214 self.begin()
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]215 semanageRecords.transaction = True
Daniel J Walsh35490f22009-04-10 17:14:47 -0400[diff] [blame]216
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]217 def begin(self):
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]218 if semanageRecords.transaction:
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]219 return
220 rc = semanage_begin_transaction(self.sh)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]221 if rc < 0:
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]222 raise ValueError(_("Could not start semanage transaction"))
223 def commit(self):
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]224 if semanageRecords.transaction:
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]225 return
226 rc = semanage_commit(self.sh)
227 if rc < 0:
228 raise ValueError(_("Could not commit semanage transaction"))
229
Daniel J Walsh35490f22009-04-10 17:14:47 -0400[diff] [blame]230 def finish(self):
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]231 if not semanageRecords.transaction:
Daniel J Walsh35490f22009-04-10 17:14:47 -0400[diff] [blame]232 raise ValueError(_("Semanage transaction not in progress"))
Eric Parisc3226eb2011-07-10 12:21:14 +0200[diff] [blame]233 semanageRecords.transaction = False
Daniel J Walsh35490f22009-04-10 17:14:47 -0400[diff] [blame]234 self.commit()
235
Daniel J Walsh5aa2efb2009-08-27 18:10:14 -0400[diff] [blame]236class dontauditClass(semanageRecords):
237 def __init__(self, store):
238 semanageRecords.__init__(self, store)
239
240 def toggle(self, dontaudit):
241 if dontaudit not in [ "on", "off" ]:
242 raise ValueError(_("dontaudit requires either 'on' or 'off'"))
243 self.begin()
244 rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off")
245 self.commit()
246
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]247class permissiveRecords(semanageRecords):
248 def __init__(self, store):
249 semanageRecords.__init__(self, store)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]250
251 def get_all(self):
252 l = []
253 (rc, mlist, number) = semanage_module_list(self.sh)
254 if rc < 0:
255 raise ValueError(_("Could not list SELinux modules"))
256
257 for i in range(number):
258 mod = semanage_module_list_nth(mlist, i)
259 name = semanage_module_get_name(mod)
260 if name and name.startswith("permissive_"):
261 l.append(name.split("permissive_")[1])
262 return l
263
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]264 def list(self, heading = 1, locallist = 0):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]265 if heading:
266 print "\n%-25s\n" % (_("Permissive Types"))
267 for t in self.get_all():
268 print t
269
270
271 def add(self, type):
Daniel J Walshb6a1a952009-04-10 19:17:47 -0400[diff] [blame]272 import glob
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]273 name = "permissive_%s" % type
274 dirname = "/var/lib/selinux"
275 os.chdir(dirname)
276 filename = "%s.te" % name
277 modtxt = """
278module %s 1.0;
279
280require {
281 type %s;
282}
283
284permissive %s;
285""" % (name, type, type)
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]286 fd = open(filename, 'w')
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]287 fd.write(modtxt)
288 fd.close()
289 mc = module.ModuleCompiler()
290 mc.create_module_package(filename, 1)
291 fd = open("permissive_%s.pp" % type)
292 data = fd.read()
293 fd.close()
294
295 rc = semanage_module_install(self.sh, data, len(data));
Daniel J Walshb6a1a952009-04-10 19:17:47 -0400[diff] [blame]296 if rc >= 0:
297 self.commit()
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]298
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]299 for root, dirs, files in os.walk("tmp", topdown = False):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]300 for name in files:
301 os.remove(os.path.join(root, name))
302 for name in dirs:
303 os.rmdir(os.path.join(root, name))
Daniel J Walshb6a1a952009-04-10 19:17:47 -0400[diff] [blame]304 os.removedirs("tmp")
305 for i in glob.glob("permissive_%s.*" % type):
306 os.remove(i)
307 if rc < 0:
308 raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]309
310 def delete(self, name):
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]311 for n in name.split():
312 rc = semanage_module_remove(self.sh, "permissive_%s" % n)
313 if rc < 0:
314 raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
315
316 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]317
318 def deleteall(self):
319 l = self.get_all()
320 if len(l) > 0:
321 all = " ".join(l)
322 self.delete(all)
323
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]324class loginRecords(semanageRecords):
325 def __init__(self, store = ""):
326 semanageRecords.__init__(self, store)
327
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]328 def __add(self, name, sename, serange):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]329 if is_mls_enabled == 1:
330 if serange == "":
331 serange = "s0"
332 else:
333 serange = untranslate(serange)
334
335 if sename == "":
336 sename = "user_u"
337
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]338 (rc, k) = semanage_seuser_key_create(self.sh, name)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]339 if rc < 0:
340 raise ValueError(_("Could not create a key for %s") % name)
341
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]342 (rc, exists) = semanage_seuser_exists(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]343 if rc < 0:
344 raise ValueError(_("Could not check if login mapping for %s is defined") % name)
345 if exists:
346 raise ValueError(_("Login mapping for %s is already defined") % name)
347 if name[0] == '%':
348 try:
349 grp.getgrnam(name[1:])
350 except:
351 raise ValueError(_("Linux Group %s does not exist") % name[1:])
352 else:
353 try:
354 pwd.getpwnam(name)
355 except:
356 raise ValueError(_("Linux User %s does not exist") % name)
357
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]358 (rc, u) = semanage_seuser_create(self.sh)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]359 if rc < 0:
360 raise ValueError(_("Could not create login mapping for %s") % name)
361
362 rc = semanage_seuser_set_name(self.sh, u, name)
363 if rc < 0:
364 raise ValueError(_("Could not set name for %s") % name)
365
366 if serange != "":
367 rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
368 if rc < 0:
369 raise ValueError(_("Could not set MLS range for %s") % name)
370
371 rc = semanage_seuser_set_sename(self.sh, u, sename)
372 if rc < 0:
373 raise ValueError(_("Could not set SELinux user for %s") % name)
374
375 rc = semanage_seuser_modify_local(self.sh, k, u)
376 if rc < 0:
377 raise ValueError(_("Could not add login mapping for %s") % name)
378
379 semanage_seuser_key_free(k)
380 semanage_seuser_free(u)
381
382 def add(self, name, sename, serange):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]383 try:
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]384 self.begin()
385 self.__add(name, sename, serange)
386 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]387
388 except ValueError, error:
389 mylog.log(0, _("add SELinux user mapping"), name, sename, "", serange);
390 raise error
391
392 mylog.log(1, _("add SELinux user mapping"), name, sename, "", serange);
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]393
394 def __modify(self, name, sename = "", serange = ""):
395 if sename == "" and serange == "":
396 raise ValueError(_("Requires seuser or serange"))
397
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]398 (rc, k) = semanage_seuser_key_create(self.sh, name)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]399 if rc < 0:
400 raise ValueError(_("Could not create a key for %s") % name)
401
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]402 (rc, exists) = semanage_seuser_exists(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]403 if rc < 0:
404 raise ValueError(_("Could not check if login mapping for %s is defined") % name)
405 if not exists:
406 raise ValueError(_("Login mapping for %s is not defined") % name)
407
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]408 (rc, u) = semanage_seuser_query(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]409 if rc < 0:
410 raise ValueError(_("Could not query seuser for %s") % name)
411
412 oldserange = semanage_seuser_get_mlsrange(u)
413 oldsename = semanage_seuser_get_sename(u)
414 if serange != "":
415 semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
416 else:
417 serange = oldserange
418
419 if sename != "":
420 semanage_seuser_set_sename(self.sh, u, sename)
421 else:
422 sename = oldsename
423
424 rc = semanage_seuser_modify_local(self.sh, k, u)
425 if rc < 0:
426 raise ValueError(_("Could not modify login mapping for %s") % name)
427
428 semanage_seuser_key_free(k)
429 semanage_seuser_free(u)
430
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]431 mylog.log(1, "modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange);
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]432
433 def modify(self, name, sename = "", serange = ""):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]434 try:
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]435 self.begin()
436 self.__modify(name, sename, serange)
437 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]438
439 except ValueError, error:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]440 mylog.log(0, "modify selinux user mapping", name, sename, "", serange, "", "", "");
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]441 raise error
442
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]443 def __delete(self, name):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]444 (rc, k) = semanage_seuser_key_create(self.sh, name)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]445 if rc < 0:
446 raise ValueError(_("Could not create a key for %s") % name)
447
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]448 (rc, exists) = semanage_seuser_exists(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]449 if rc < 0:
450 raise ValueError(_("Could not check if login mapping for %s is defined") % name)
451 if not exists:
452 raise ValueError(_("Login mapping for %s is not defined") % name)
453
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]454 (rc, exists) = semanage_seuser_exists_local(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]455 if rc < 0:
456 raise ValueError(_("Could not check if login mapping for %s is defined") % name)
457 if not exists:
458 raise ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name)
459
460 rc = semanage_seuser_del_local(self.sh, k)
461 if rc < 0:
462 raise ValueError(_("Could not delete login mapping for %s") % name)
463
464 semanage_seuser_key_free(k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]465
466 def delete(self, name):
467 try:
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]468 self.begin()
469 self.__delete(name)
470 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]471
472 except ValueError, error:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]473 mylog.log(0, "delete SELinux user mapping", name);
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]474 raise error
475
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]476 mylog.log(1, "delete SELinux user mapping", name);
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]477
478 def get_all(self, locallist = 0):
479 ddict = {}
480 if locallist:
481 (rc, self.ulist) = semanage_seuser_list_local(self.sh)
482 else:
483 (rc, self.ulist) = semanage_seuser_list(self.sh)
484 if rc < 0:
485 raise ValueError(_("Could not list login mappings"))
486
487 for u in self.ulist:
488 name = semanage_seuser_get_name(u)
489 ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u))
490 return ddict
491
492 def list(self,heading = 1, locallist = 0):
493 ddict = self.get_all(locallist)
494 keys = ddict.keys()
495 keys.sort()
496 if is_mls_enabled == 1:
497 if heading:
498 print "\n%-25s %-25s %-25s\n" % (_("Login Name"), _("SELinux User"), _("MLS/MCS Range"))
499 for k in keys:
500 print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1]))
501 else:
502 if heading:
503 print "\n%-25s %-25s\n" % (_("Login Name"), _("SELinux User"))
504 for k in keys:
505 print "%-25s %-25s" % (k, ddict[k][0])
506
507class seluserRecords(semanageRecords):
508 def __init__(self, store = ""):
509 semanageRecords.__init__(self, store)
510
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]511 def __add(self, name, roles, selevel, serange, prefix):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]512 if is_mls_enabled == 1:
513 if serange == "":
514 serange = "s0"
515 else:
516 serange = untranslate(serange)
517
518 if selevel == "":
519 selevel = "s0"
520 else:
521 selevel = untranslate(selevel)
522
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]523 if len(roles) < 1:
524 raise ValueError(_("You must add at least one role for %s") % name)
525
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]526 (rc, k) = semanage_user_key_create(self.sh, name)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]527 if rc < 0:
528 raise ValueError(_("Could not create a key for %s") % name)
529
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]530 (rc, exists) = semanage_user_exists(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]531 if rc < 0:
532 raise ValueError(_("Could not check if SELinux user %s is defined") % name)
533 if exists:
534 raise ValueError(_("SELinux user %s is already defined") % name)
535
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]536 (rc, u) = semanage_user_create(self.sh)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]537 if rc < 0:
538 raise ValueError(_("Could not create SELinux user for %s") % name)
539
540 rc = semanage_user_set_name(self.sh, u, name)
541 if rc < 0:
542 raise ValueError(_("Could not set name for %s") % name)
543
544 for r in roles:
545 rc = semanage_user_add_role(self.sh, u, r)
546 if rc < 0:
547 raise ValueError(_("Could not add role %s for %s") % (r, name))
548
549 if is_mls_enabled == 1:
550 rc = semanage_user_set_mlsrange(self.sh, u, serange)
551 if rc < 0:
552 raise ValueError(_("Could not set MLS range for %s") % name)
553
554 rc = semanage_user_set_mlslevel(self.sh, u, selevel)
555 if rc < 0:
556 raise ValueError(_("Could not set MLS level for %s") % name)
557 rc = semanage_user_set_prefix(self.sh, u, prefix)
558 if rc < 0:
559 raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]560 (rc, key) = semanage_user_key_extract(self.sh,u)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]561 if rc < 0:
562 raise ValueError(_("Could not extract key for %s") % name)
563
564 rc = semanage_user_modify_local(self.sh, k, u)
565 if rc < 0:
566 raise ValueError(_("Could not add SELinux user %s") % name)
567
568 semanage_user_key_free(k)
569 semanage_user_free(u)
570
571 def add(self, name, roles, selevel, serange, prefix):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]572 seroles = " ".join(roles)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]573 try:
574 self.begin()
575 self.__add( name, roles, selevel, serange, prefix)
576 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]577 except ValueError, error:
578 mylog.log(0,"add SELinux user record", name, name, seroles, serange)
579 raise error
580
581 mylog.log(1,"add SELinux user record", name, name, seroles, serange)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]582
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]583 def __modify(self, name, roles = [], selevel = "", serange = "", prefix = ""):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]584 oldroles = ""
585 oldserange = ""
586 newroles = string.join(roles, ' ');
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]587 if prefix == "" and len(roles) == 0 and serange == "" and selevel == "":
588 if is_mls_enabled == 1:
589 raise ValueError(_("Requires prefix, roles, level or range"))
590 else:
591 raise ValueError(_("Requires prefix or roles"))
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]592
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]593 (rc, k) = semanage_user_key_create(self.sh, name)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]594 if rc < 0:
595 raise ValueError(_("Could not create a key for %s") % name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]596
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]597 (rc, exists) = semanage_user_exists(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]598 if rc < 0:
599 raise ValueError(_("Could not check if SELinux user %s is defined") % name)
600 if not exists:
601 raise ValueError(_("SELinux user %s is not defined") % name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]602
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]603 (rc, u) = semanage_user_query(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]604 if rc < 0:
605 raise ValueError(_("Could not query user for %s") % name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]606
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]607 oldserange = semanage_user_get_mlsrange(u)
608 (rc, rlist) = semanage_user_get_roles(self.sh, u)
609 if rc >= 0:
610 oldroles = string.join(rlist, ' ');
611 newroles = newroles + ' ' + oldroles;
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]612
613
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]614 if serange != "":
615 semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
616 if selevel != "":
617 semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]618
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]619 if prefix != "":
620 semanage_user_set_prefix(self.sh, u, prefix)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]621
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]622 if len(roles) != 0:
623 for r in rlist:
624 if r not in roles:
625 semanage_user_del_role(u, r)
626 for r in roles:
627 if r not in rlist:
628 semanage_user_add_role(self.sh, u, r)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]629
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]630 rc = semanage_user_modify_local(self.sh, k, u)
631 if rc < 0:
632 raise ValueError(_("Could not modify SELinux user %s") % name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]633
634 semanage_user_key_free(k)
635 semanage_user_free(u)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]636
637 mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange)
638
639
640 def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""):
641 try:
642 self.begin()
643 self.__modify(name, roles, selevel, serange, prefix)
644 self.commit()
645
646 except ValueError, error:
647 mylog.log(0,"modify SELinux user record", name, "", " ".join(roles), serange, "", "", "")
648 raise error
649
650 def __delete(self, name):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]651 (rc, k) = semanage_user_key_create(self.sh, name)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]652 if rc < 0:
653 raise ValueError(_("Could not create a key for %s") % name)
654
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]655 (rc, exists) = semanage_user_exists(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]656 if rc < 0:
657 raise ValueError(_("Could not check if SELinux user %s is defined") % name)
658 if not exists:
659 raise ValueError(_("SELinux user %s is not defined") % name)
660
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]661 (rc, exists) = semanage_user_exists_local(self.sh, k)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]662 if rc < 0:
663 raise ValueError(_("Could not check if SELinux user %s is defined") % name)
664 if not exists:
665 raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name)
666
667 rc = semanage_user_del_local(self.sh, k)
668 if rc < 0:
669 raise ValueError(_("Could not delete SELinux user %s") % name)
670
671 semanage_user_key_free(k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]672
673 def delete(self, name):
674 try:
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]675 self.begin()
676 self.__delete(name)
677 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]678
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]679 except ValueError, error:
680 mylog.log(0,"delete SELinux user record", name)
681 raise error
682
683 mylog.log(1,"delete SELinux user record", name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]684
685 def get_all(self, locallist = 0):
686 ddict = {}
687 if locallist:
688 (rc, self.ulist) = semanage_user_list_local(self.sh)
689 else:
690 (rc, self.ulist) = semanage_user_list(self.sh)
691 if rc < 0:
692 raise ValueError(_("Could not list SELinux users"))
693
694 for u in self.ulist:
695 name = semanage_user_get_name(u)
696 (rc, rlist) = semanage_user_get_roles(self.sh, u)
697 if rc < 0:
698 raise ValueError(_("Could not list roles for user %s") % name)
699
700 roles = string.join(rlist, ' ');
701 ddict[semanage_user_get_name(u)] = (semanage_user_get_prefix(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
702
703 return ddict
704
705 def list(self, heading = 1, locallist = 0):
706 ddict = self.get_all(locallist)
707 keys = ddict.keys()
708 keys.sort()
709 if is_mls_enabled == 1:
710 if heading:
711 print "\n%-15s %-10s %-10s %-30s" % ("", _("Labeling"), _("MLS/"), _("MLS/"))
712 print "%-15s %-10s %-10s %-30s %s\n" % (_("SELinux User"), _("Prefix"), _("MCS Level"), _("MCS Range"), _("SELinux Roles"))
713 for k in keys:
714 print "%-15s %-10s %-10s %-30s %s" % (k, ddict[k][0], translate(ddict[k][1]), translate(ddict[k][2]), ddict[k][3])
715 else:
716 if heading:
717 print "%-15s %s\n" % (_("SELinux User"), _("SELinux Roles"))
718 for k in keys:
719 print "%-15s %s" % (k, ddict[k][3])
720
721class portRecords(semanageRecords):
722 def __init__(self, store = ""):
723 semanageRecords.__init__(self, store)
724
725 def __genkey(self, port, proto):
726 if proto == "tcp":
727 proto_d = SEMANAGE_PROTO_TCP
728 else:
729 if proto == "udp":
730 proto_d = SEMANAGE_PROTO_UDP
731 else:
732 raise ValueError(_("Protocol udp or tcp is required"))
733 if port == "":
734 raise ValueError(_("Port is required"))
735
736 ports = port.split("-")
737 if len(ports) == 1:
738 high = low = int(ports[0])
739 else:
740 low = int(ports[0])
741 high = int(ports[1])
742
Eric Paris849e7d52011-07-15 15:05:11 +0200[diff] [blame^]743 if high > 65535:
744 raise ValueError(_("Invalid Port"))
745
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]746 (rc, k) = semanage_port_key_create(self.sh, low, high, proto_d)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]747 if rc < 0:
748 raise ValueError(_("Could not create a key for %s/%s") % (proto, port))
749 return ( k, proto_d, low, high )
750
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]751 def __add(self, port, proto, serange, type):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]752 if is_mls_enabled == 1:
753 if serange == "":
754 serange = "s0"
755 else:
756 serange = untranslate(serange)
757
758 if type == "":
759 raise ValueError(_("Type is required"))
760
761 ( k, proto_d, low, high ) = self.__genkey(port, proto)
762
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]763 (rc, exists) = semanage_port_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]764 if rc < 0:
765 raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
766 if exists:
767 raise ValueError(_("Port %s/%s already defined") % (proto, port))
768
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]769 (rc, p) = semanage_port_create(self.sh)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]770 if rc < 0:
771 raise ValueError(_("Could not create port for %s/%s") % (proto, port))
772
773 semanage_port_set_proto(p, proto_d)
774 semanage_port_set_range(p, low, high)
775 (rc, con) = semanage_context_create(self.sh)
776 if rc < 0:
777 raise ValueError(_("Could not create context for %s/%s") % (proto, port))
778
779 rc = semanage_context_set_user(self.sh, con, "system_u")
780 if rc < 0:
781 raise ValueError(_("Could not set user in port context for %s/%s") % (proto, port))
782
783 rc = semanage_context_set_role(self.sh, con, "object_r")
784 if rc < 0:
785 raise ValueError(_("Could not set role in port context for %s/%s") % (proto, port))
786
787 rc = semanage_context_set_type(self.sh, con, type)
788 if rc < 0:
789 raise ValueError(_("Could not set type in port context for %s/%s") % (proto, port))
790
791 if serange != "":
792 rc = semanage_context_set_mls(self.sh, con, serange)
793 if rc < 0:
794 raise ValueError(_("Could not set mls fields in port context for %s/%s") % (proto, port))
795
796 rc = semanage_port_set_con(self.sh, p, con)
797 if rc < 0:
798 raise ValueError(_("Could not set port context for %s/%s") % (proto, port))
799
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]800 rc = semanage_port_modify_local(self.sh, k, p)
801 if rc < 0:
802 raise ValueError(_("Could not add port %s/%s") % (proto, port))
803
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]804 semanage_context_free(con)
805 semanage_port_key_free(k)
806 semanage_port_free(p)
807
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]808 def add(self, port, proto, serange, type):
809 self.begin()
810 self.__add(port, proto, serange, type)
811 self.commit()
812
813 def __modify(self, port, proto, serange, setype):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]814 if serange == "" and setype == "":
815 if is_mls_enabled == 1:
816 raise ValueError(_("Requires setype or serange"))
817 else:
818 raise ValueError(_("Requires setype"))
819
820 ( k, proto_d, low, high ) = self.__genkey(port, proto)
821
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]822 (rc, exists) = semanage_port_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]823 if rc < 0:
824 raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
825 if not exists:
826 raise ValueError(_("Port %s/%s is not defined") % (proto,port))
827
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]828 (rc, p) = semanage_port_query(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]829 if rc < 0:
830 raise ValueError(_("Could not query port %s/%s") % (proto, port))
831
832 con = semanage_port_get_con(p)
833
834 if serange != "":
835 semanage_context_set_mls(self.sh, con, untranslate(serange))
836 if setype != "":
837 semanage_context_set_type(self.sh, con, setype)
838
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]839 rc = semanage_port_modify_local(self.sh, k, p)
840 if rc < 0:
841 raise ValueError(_("Could not modify port %s/%s") % (proto, port))
842
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]843 semanage_port_key_free(k)
844 semanage_port_free(p)
845
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]846 def modify(self, port, proto, serange, setype):
847 self.begin()
848 self.__modify(port, proto, serange, setype)
849 self.commit()
850
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]851 def deleteall(self):
852 (rc, plist) = semanage_port_list_local(self.sh)
853 if rc < 0:
854 raise ValueError(_("Could not list the ports"))
855
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]856 self.begin()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]857
858 for port in plist:
859 proto = semanage_port_get_proto(port)
860 proto_str = semanage_port_get_proto_str(proto)
861 low = semanage_port_get_low(port)
862 high = semanage_port_get_high(port)
863 port_str = "%s-%s" % (low, high)
864 ( k, proto_d, low, high ) = self.__genkey(port_str , proto_str)
865 if rc < 0:
866 raise ValueError(_("Could not create a key for %s") % port_str)
867
868 rc = semanage_port_del_local(self.sh, k)
869 if rc < 0:
870 raise ValueError(_("Could not delete the port %s") % port_str)
871 semanage_port_key_free(k)
872
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]873 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]874
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]875 def __delete(self, port, proto):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]876 ( k, proto_d, low, high ) = self.__genkey(port, proto)
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]877 (rc, exists) = semanage_port_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]878 if rc < 0:
879 raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
880 if not exists:
881 raise ValueError(_("Port %s/%s is not defined") % (proto, port))
882
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]883 (rc, exists) = semanage_port_exists_local(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]884 if rc < 0:
885 raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
886 if not exists:
887 raise ValueError(_("Port %s/%s is defined in policy, cannot be deleted") % (proto, port))
888
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]889 rc = semanage_port_del_local(self.sh, k)
890 if rc < 0:
891 raise ValueError(_("Could not delete port %s/%s") % (proto, port))
892
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]893 semanage_port_key_free(k)
894
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]895 def delete(self, port, proto):
896 self.begin()
897 self.__delete(port, proto)
898 self.commit()
899
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]900 def get_all(self, locallist = 0):
901 ddict = {}
902 if locallist:
903 (rc, self.plist) = semanage_port_list_local(self.sh)
904 else:
905 (rc, self.plist) = semanage_port_list(self.sh)
906 if rc < 0:
907 raise ValueError(_("Could not list ports"))
908
909 for port in self.plist:
910 con = semanage_port_get_con(port)
911 ctype = semanage_context_get_type(con)
912 if ctype == "reserved_port_t":
913 continue
914 level = semanage_context_get_mls(con)
915 proto = semanage_port_get_proto(port)
916 proto_str = semanage_port_get_proto_str(proto)
917 low = semanage_port_get_low(port)
918 high = semanage_port_get_high(port)
Daniel J Walsh1f60e9b2009-08-19 16:57:11 -0400[diff] [blame]919 ddict[(low, high, proto_str)] = (ctype, level)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]920 return ddict
921
922 def get_all_by_type(self, locallist = 0):
923 ddict = {}
924 if locallist:
925 (rc, self.plist) = semanage_port_list_local(self.sh)
926 else:
927 (rc, self.plist) = semanage_port_list(self.sh)
928 if rc < 0:
929 raise ValueError(_("Could not list ports"))
930
931 for port in self.plist:
932 con = semanage_port_get_con(port)
933 ctype = semanage_context_get_type(con)
934 if ctype == "reserved_port_t":
935 continue
936 proto = semanage_port_get_proto(port)
937 proto_str = semanage_port_get_proto_str(proto)
938 low = semanage_port_get_low(port)
939 high = semanage_port_get_high(port)
940 if (ctype, proto_str) not in ddict.keys():
941 ddict[(ctype,proto_str)] = []
942 if low == high:
943 ddict[(ctype,proto_str)].append("%d" % low)
944 else:
945 ddict[(ctype,proto_str)].append("%d-%d" % (low, high))
946 return ddict
947
948 def list(self, heading = 1, locallist = 0):
949 if heading:
950 print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number"))
951 ddict = self.get_all_by_type(locallist)
952 keys = ddict.keys()
953 keys.sort()
954 for i in keys:
955 rec = "%-30s %-8s " % i
956 rec += "%s" % ddict[i][0]
957 for p in ddict[i][1:]:
958 rec += ", %s" % p
959 print rec
960
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]961class nodeRecords(semanageRecords):
962 def __init__(self, store = ""):
963 semanageRecords.__init__(self,store)
964
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]965 def __add(self, addr, mask, proto, serange, ctype):
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]966 if addr == "":
967 raise ValueError(_("Node Address is required"))
968
969 if mask == "":
970 raise ValueError(_("Node Netmask is required"))
971
972 if proto == "ipv4":
973 proto = 0
974 elif proto == "ipv6":
975 proto = 1
976 else:
977 raise ValueError(_("Unknown or missing protocol"))
978
979
980 if is_mls_enabled == 1:
981 if serange == "":
982 serange = "s0"
983 else:
984 serange = untranslate(serange)
985
986 if ctype == "":
987 raise ValueError(_("SELinux Type is required"))
988
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]989 (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]990 if rc < 0:
991 raise ValueError(_("Could not create key for %s") % addr)
992 if rc < 0:
993 raise ValueError(_("Could not check if addr %s is defined") % addr)
994
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]995 (rc, exists) = semanage_node_exists(self.sh, k)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]996 if exists:
997 raise ValueError(_("Addr %s already defined") % addr)
998
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]999 (rc, node) = semanage_node_create(self.sh)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1000 if rc < 0:
1001 raise ValueError(_("Could not create addr for %s") % addr)
1002
1003 rc = semanage_node_set_addr(self.sh, node, proto, addr)
1004 (rc, con) = semanage_context_create(self.sh)
1005 if rc < 0:
1006 raise ValueError(_("Could not create context for %s") % addr)
1007
1008 rc = semanage_node_set_mask(self.sh, node, proto, mask)
1009 if rc < 0:
1010 raise ValueError(_("Could not set mask for %s") % addr)
1011
1012
1013 rc = semanage_context_set_user(self.sh, con, "system_u")
1014 if rc < 0:
1015 raise ValueError(_("Could not set user in addr context for %s") % addr)
1016
1017 rc = semanage_context_set_role(self.sh, con, "object_r")
1018 if rc < 0:
1019 raise ValueError(_("Could not set role in addr context for %s") % addr)
1020
1021 rc = semanage_context_set_type(self.sh, con, ctype)
1022 if rc < 0:
1023 raise ValueError(_("Could not set type in addr context for %s") % addr)
1024
1025 if serange != "":
1026 rc = semanage_context_set_mls(self.sh, con, serange)
1027 if rc < 0:
1028 raise ValueError(_("Could not set mls fields in addr context for %s") % addr)
1029
1030 rc = semanage_node_set_con(self.sh, node, con)
1031 if rc < 0:
1032 raise ValueError(_("Could not set addr context for %s") % addr)
1033
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1034 rc = semanage_node_modify_local(self.sh, k, node)
1035 if rc < 0:
1036 raise ValueError(_("Could not add addr %s") % addr)
1037
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1038 semanage_context_free(con)
1039 semanage_node_key_free(k)
1040 semanage_node_free(node)
1041
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1042 def add(self, addr, mask, proto, serange, ctype):
1043 self.begin()
Chad Sellers32ae03e2009-11-19 14:32:42 -0500[diff] [blame]1044 self.__add(addr, mask, proto, serange, ctype)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1045 self.commit()
1046
1047 def __modify(self, addr, mask, proto, serange, setype):
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1048 if addr == "":
1049 raise ValueError(_("Node Address is required"))
1050
1051 if mask == "":
1052 raise ValueError(_("Node Netmask is required"))
1053 if proto == "ipv4":
1054 proto = 0
1055 elif proto == "ipv6":
1056 proto = 1
1057 else:
1058 raise ValueError(_("Unknown or missing protocol"))
1059
1060
1061 if serange == "" and setype == "":
1062 raise ValueError(_("Requires setype or serange"))
1063
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1064 (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1065 if rc < 0:
1066 raise ValueError(_("Could not create key for %s") % addr)
1067
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1068 (rc, exists) = semanage_node_exists(self.sh, k)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1069 if rc < 0:
1070 raise ValueError(_("Could not check if addr %s is defined") % addr)
1071 if not exists:
1072 raise ValueError(_("Addr %s is not defined") % addr)
1073
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1074 (rc, node) = semanage_node_query(self.sh, k)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1075 if rc < 0:
1076 raise ValueError(_("Could not query addr %s") % addr)
1077
1078 con = semanage_node_get_con(node)
1079
1080 if serange != "":
1081 semanage_context_set_mls(self.sh, con, untranslate(serange))
1082 if setype != "":
1083 semanage_context_set_type(self.sh, con, setype)
1084
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1085 rc = semanage_node_modify_local(self.sh, k, node)
1086 if rc < 0:
1087 raise ValueError(_("Could not modify addr %s") % addr)
1088
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1089 semanage_node_key_free(k)
1090 semanage_node_free(node)
1091
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1092 def modify(self, addr, mask, proto, serange, setype):
1093 self.begin()
1094 self.__modify(addr, mask, proto, serange, setype)
1095 self.commit()
1096
1097 def __delete(self, addr, mask, proto):
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1098 if addr == "":
1099 raise ValueError(_("Node Address is required"))
1100
1101 if mask == "":
1102 raise ValueError(_("Node Netmask is required"))
1103
1104 if proto == "ipv4":
1105 proto = 0
1106 elif proto == "ipv6":
1107 proto = 1
1108 else:
1109 raise ValueError(_("Unknown or missing protocol"))
1110
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1111 (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1112 if rc < 0:
1113 raise ValueError(_("Could not create key for %s") % addr)
1114
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1115 (rc, exists) = semanage_node_exists(self.sh, k)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1116 if rc < 0:
1117 raise ValueError(_("Could not check if addr %s is defined") % addr)
1118 if not exists:
1119 raise ValueError(_("Addr %s is not defined") % addr)
1120
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1121 (rc, exists) = semanage_node_exists_local(self.sh, k)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1122 if rc < 0:
1123 raise ValueError(_("Could not check if addr %s is defined") % addr)
1124 if not exists:
1125 raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr)
1126
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1127 rc = semanage_node_del_local(self.sh, k)
1128 if rc < 0:
1129 raise ValueError(_("Could not delete addr %s") % addr)
1130
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1131 semanage_node_key_free(k)
1132
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1133 def delete(self, addr, mask, proto):
1134 self.begin()
1135 self.__delete(addr, mask, proto)
1136 self.commit()
1137
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1138 def get_all(self, locallist = 0):
1139 ddict = {}
1140 if locallist :
1141 (rc, self.ilist) = semanage_node_list_local(self.sh)
1142 else:
1143 (rc, self.ilist) = semanage_node_list(self.sh)
1144 if rc < 0:
1145 raise ValueError(_("Could not list addrs"))
1146
1147 for node in self.ilist:
1148 con = semanage_node_get_con(node)
1149 addr = semanage_node_get_addr(self.sh, node)
1150 mask = semanage_node_get_mask(self.sh, node)
1151 proto = semanage_node_get_proto(node)
1152 if proto == 0:
1153 proto = "ipv4"
1154 elif proto == 1:
1155 proto = "ipv6"
1156 ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
1157
1158 return ddict
1159
1160 def list(self, heading = 1, locallist = 0):
1161 if heading:
1162 print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context")
Stephen Smalley55fe3db2008-08-26 09:36:09 -0400[diff] [blame]1163 ddict = self.get_all(locallist)
Christian Kuester49706ad2008-08-14 09:32:16 +0200[diff] [blame]1164 keys = ddict.keys()
1165 keys.sort()
1166 if is_mls_enabled:
1167 for k in keys:
1168 val = ''
1169 for fields in k:
1170 val = val + '\t' + str(fields)
1171 print "%-18s %-18s %-5s %s:%s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
1172 else:
1173 for k in keys:
1174 print "%-18s %-18s %-5s %s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2])
1175
1176
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1177class interfaceRecords(semanageRecords):
1178 def __init__(self, store = ""):
1179 semanageRecords.__init__(self, store)
1180
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1181 def __add(self, interface, serange, ctype):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1182 if is_mls_enabled == 1:
1183 if serange == "":
1184 serange = "s0"
1185 else:
1186 serange = untranslate(serange)
1187
1188 if ctype == "":
1189 raise ValueError(_("SELinux Type is required"))
1190
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1191 (rc, k) = semanage_iface_key_create(self.sh, interface)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1192 if rc < 0:
1193 raise ValueError(_("Could not create key for %s") % interface)
1194
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1195 (rc, exists) = semanage_iface_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1196 if rc < 0:
1197 raise ValueError(_("Could not check if interface %s is defined") % interface)
1198 if exists:
1199 raise ValueError(_("Interface %s already defined") % interface)
1200
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1201 (rc, iface) = semanage_iface_create(self.sh)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1202 if rc < 0:
1203 raise ValueError(_("Could not create interface for %s") % interface)
1204
1205 rc = semanage_iface_set_name(self.sh, iface, interface)
1206 (rc, con) = semanage_context_create(self.sh)
1207 if rc < 0:
1208 raise ValueError(_("Could not create context for %s") % interface)
1209
1210 rc = semanage_context_set_user(self.sh, con, "system_u")
1211 if rc < 0:
1212 raise ValueError(_("Could not set user in interface context for %s") % interface)
1213
1214 rc = semanage_context_set_role(self.sh, con, "object_r")
1215 if rc < 0:
1216 raise ValueError(_("Could not set role in interface context for %s") % interface)
1217
1218 rc = semanage_context_set_type(self.sh, con, ctype)
1219 if rc < 0:
1220 raise ValueError(_("Could not set type in interface context for %s") % interface)
1221
1222 if serange != "":
1223 rc = semanage_context_set_mls(self.sh, con, serange)
1224 if rc < 0:
1225 raise ValueError(_("Could not set mls fields in interface context for %s") % interface)
1226
1227 rc = semanage_iface_set_ifcon(self.sh, iface, con)
1228 if rc < 0:
1229 raise ValueError(_("Could not set interface context for %s") % interface)
1230
1231 rc = semanage_iface_set_msgcon(self.sh, iface, con)
1232 if rc < 0:
1233 raise ValueError(_("Could not set message context for %s") % interface)
1234
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1235 rc = semanage_iface_modify_local(self.sh, k, iface)
1236 if rc < 0:
1237 raise ValueError(_("Could not add interface %s") % interface)
1238
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1239 semanage_context_free(con)
1240 semanage_iface_key_free(k)
1241 semanage_iface_free(iface)
1242
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1243 def add(self, interface, serange, ctype):
1244 self.begin()
1245 self.__add(interface, serange, ctype)
1246 self.commit()
1247
1248 def __modify(self, interface, serange, setype):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1249 if serange == "" and setype == "":
1250 raise ValueError(_("Requires setype or serange"))
1251
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1252 (rc, k) = semanage_iface_key_create(self.sh, interface)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1253 if rc < 0:
1254 raise ValueError(_("Could not create key for %s") % interface)
1255
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1256 (rc, exists) = semanage_iface_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1257 if rc < 0:
1258 raise ValueError(_("Could not check if interface %s is defined") % interface)
1259 if not exists:
1260 raise ValueError(_("Interface %s is not defined") % interface)
1261
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1262 (rc, iface) = semanage_iface_query(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1263 if rc < 0:
1264 raise ValueError(_("Could not query interface %s") % interface)
1265
1266 con = semanage_iface_get_ifcon(iface)
1267
1268 if serange != "":
1269 semanage_context_set_mls(self.sh, con, untranslate(serange))
1270 if setype != "":
1271 semanage_context_set_type(self.sh, con, setype)
1272
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1273 rc = semanage_iface_modify_local(self.sh, k, iface)
1274 if rc < 0:
1275 raise ValueError(_("Could not modify interface %s") % interface)
1276
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1277 semanage_iface_key_free(k)
1278 semanage_iface_free(iface)
1279
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1280 def modify(self, interface, serange, setype):
1281 self.begin()
1282 self.__modify(interface, serange, setype)
1283 self.commit()
1284
1285 def __delete(self, interface):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1286 (rc, k) = semanage_iface_key_create(self.sh, interface)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1287 if rc < 0:
1288 raise ValueError(_("Could not create key for %s") % interface)
1289
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1290 (rc, exists) = semanage_iface_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1291 if rc < 0:
1292 raise ValueError(_("Could not check if interface %s is defined") % interface)
1293 if not exists:
1294 raise ValueError(_("Interface %s is not defined") % interface)
1295
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1296 (rc, exists) = semanage_iface_exists_local(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1297 if rc < 0:
1298 raise ValueError(_("Could not check if interface %s is defined") % interface)
1299 if not exists:
1300 raise ValueError(_("Interface %s is defined in policy, cannot be deleted") % interface)
1301
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1302 rc = semanage_iface_del_local(self.sh, k)
1303 if rc < 0:
1304 raise ValueError(_("Could not delete interface %s") % interface)
1305
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1306 semanage_iface_key_free(k)
1307
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1308 def delete(self, interface):
1309 self.begin()
1310 self.__delete(interface)
1311 self.commit()
1312
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1313 def get_all(self, locallist = 0):
1314 ddict = {}
1315 if locallist:
1316 (rc, self.ilist) = semanage_iface_list_local(self.sh)
1317 else:
1318 (rc, self.ilist) = semanage_iface_list(self.sh)
1319 if rc < 0:
1320 raise ValueError(_("Could not list interfaces"))
1321
1322 for interface in self.ilist:
1323 con = semanage_iface_get_ifcon(interface)
1324 ddict[semanage_iface_get_name(interface)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
1325
1326 return ddict
1327
1328 def list(self, heading = 1, locallist = 0):
1329 if heading:
1330 print "%-30s %s\n" % (_("SELinux Interface"), _("Context"))
1331 ddict = self.get_all(locallist)
1332 keys = ddict.keys()
1333 keys.sort()
1334 if is_mls_enabled:
1335 for k in keys:
1336 print "%-30s %s:%s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False))
1337 else:
1338 for k in keys:
1339 print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
1340
1341class fcontextRecords(semanageRecords):
1342 def __init__(self, store = ""):
1343 semanageRecords.__init__(self, store)
1344
1345 def createcon(self, target, seuser = "system_u"):
1346 (rc, con) = semanage_context_create(self.sh)
1347 if rc < 0:
1348 raise ValueError(_("Could not create context for %s") % target)
1349 if seuser == "":
1350 seuser = "system_u"
1351
1352 rc = semanage_context_set_user(self.sh, con, seuser)
1353 if rc < 0:
1354 raise ValueError(_("Could not set user in file context for %s") % target)
1355
1356 rc = semanage_context_set_role(self.sh, con, "object_r")
1357 if rc < 0:
1358 raise ValueError(_("Could not set role in file context for %s") % target)
1359
1360 if is_mls_enabled == 1:
1361 rc = semanage_context_set_mls(self.sh, con, "s0")
1362 if rc < 0:
1363 raise ValueError(_("Could not set mls fields in file context for %s") % target)
1364
1365 return con
1366
1367 def validate(self, target):
1368 if target == "" or target.find("\n") >= 0:
1369 raise ValueError(_("Invalid file specification"))
1370
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1371 def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1372 self.validate(target)
1373
1374 if is_mls_enabled == 1:
1375 serange = untranslate(serange)
1376
1377 if type == "":
1378 raise ValueError(_("SELinux Type is required"))
1379
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1380 (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1381 if rc < 0:
1382 raise ValueError(_("Could not create key for %s") % target)
1383
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1384 (rc, exists) = semanage_fcontext_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1385 if rc < 0:
1386 raise ValueError(_("Could not check if file context for %s is defined") % target)
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1387
1388 if not exists:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1389 (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1390 if rc < 0:
1391 raise ValueError(_("Could not check if file context for %s is defined") % target)
1392
1393 if exists:
1394 raise ValueError(_("File context for %s already defined") % target)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1395
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1396 (rc, fcontext) = semanage_fcontext_create(self.sh)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1397 if rc < 0:
1398 raise ValueError(_("Could not create file context for %s") % target)
1399
1400 rc = semanage_fcontext_set_expr(self.sh, fcontext, target)
1401 if type != "<<none>>":
1402 con = self.createcon(target, seuser)
1403
1404 rc = semanage_context_set_type(self.sh, con, type)
1405 if rc < 0:
1406 raise ValueError(_("Could not set type in file context for %s") % target)
1407
1408 if serange != "":
1409 rc = semanage_context_set_mls(self.sh, con, serange)
1410 if rc < 0:
1411 raise ValueError(_("Could not set mls fields in file context for %s") % target)
1412 rc = semanage_fcontext_set_con(self.sh, fcontext, con)
1413 if rc < 0:
1414 raise ValueError(_("Could not set file context for %s") % target)
1415
1416 semanage_fcontext_set_type(fcontext, file_types[ftype])
1417
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1418 rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
1419 if rc < 0:
1420 raise ValueError(_("Could not add file context for %s") % target)
1421
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1422 if type != "<<none>>":
1423 semanage_context_free(con)
1424 semanage_fcontext_key_free(k)
1425 semanage_fcontext_free(fcontext)
1426
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1427 def add(self, target, type, ftype = "", serange = "", seuser = "system_u"):
1428 self.begin()
1429 self.__add(target, type, ftype, serange, seuser)
1430 self.commit()
1431
1432 def __modify(self, target, setype, ftype, serange, seuser):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1433 if serange == "" and setype == "" and seuser == "":
1434 raise ValueError(_("Requires setype, serange or seuser"))
1435 self.validate(target)
1436
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1437 (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1438 if rc < 0:
1439 raise ValueError(_("Could not create a key for %s") % target)
1440
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1441 (rc, exists) = semanage_fcontext_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1442 if rc < 0:
1443 raise ValueError(_("Could not check if file context for %s is defined") % target)
1444 if not exists:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1445 (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1446 if not exists:
1447 raise ValueError(_("File context for %s is not defined") % target)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1448
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1449 (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1450 if rc < 0:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1451 (rc, fcontext) = semanage_fcontext_query(self.sh, k)
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1452 if rc < 0:
1453 raise ValueError(_("Could not query file context for %s") % target)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1454
1455 if setype != "<<none>>":
1456 con = semanage_fcontext_get_con(fcontext)
1457
1458 if con == None:
1459 con = self.createcon(target)
1460
1461 if serange != "":
1462 semanage_context_set_mls(self.sh, con, untranslate(serange))
1463 if seuser != "":
1464 semanage_context_set_user(self.sh, con, seuser)
1465
1466 if setype != "":
1467 semanage_context_set_type(self.sh, con, setype)
1468
1469 rc = semanage_fcontext_set_con(self.sh, fcontext, con)
1470 if rc < 0:
1471 raise ValueError(_("Could not set file context for %s") % target)
1472 else:
1473 rc = semanage_fcontext_set_con(self.sh, fcontext, None)
1474 if rc < 0:
1475 raise ValueError(_("Could not set file context for %s") % target)
1476
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1477 rc = semanage_fcontext_modify_local(self.sh, k, fcontext)
1478 if rc < 0:
1479 raise ValueError(_("Could not modify file context for %s") % target)
1480
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1481 semanage_fcontext_key_free(k)
1482 semanage_fcontext_free(fcontext)
1483
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1484 def modify(self, target, setype, ftype, serange, seuser):
1485 self.begin()
1486 self.__modify(target, setype, ftype, serange, seuser)
1487 self.commit()
1488
1489
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1490 def deleteall(self):
1491 (rc, flist) = semanage_fcontext_list_local(self.sh)
1492 if rc < 0:
1493 raise ValueError(_("Could not list the file contexts"))
1494
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1495 self.begin()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1496
1497 for fcontext in flist:
1498 target = semanage_fcontext_get_expr(fcontext)
1499 ftype = semanage_fcontext_get_type(fcontext)
1500 ftype_str = semanage_fcontext_get_type_str(ftype)
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1501 (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str])
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1502 if rc < 0:
1503 raise ValueError(_("Could not create a key for %s") % target)
1504
1505 rc = semanage_fcontext_del_local(self.sh, k)
1506 if rc < 0:
1507 raise ValueError(_("Could not delete the file context %s") % target)
1508 semanage_fcontext_key_free(k)
1509
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1510 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1511
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1512 def __delete(self, target, ftype):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1513 (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
1514 if rc < 0:
1515 raise ValueError(_("Could not create a key for %s") % target)
1516
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1517 (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1518 if rc < 0:
1519 raise ValueError(_("Could not check if file context for %s is defined") % target)
1520 if not exists:
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1521 (rc, exists) = semanage_fcontext_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1522 if rc < 0:
1523 raise ValueError(_("Could not check if file context for %s is defined") % target)
1524 if exists:
1525 raise ValueError(_("File context for %s is defined in policy, cannot be deleted") % target)
1526 else:
1527 raise ValueError(_("File context for %s is not defined") % target)
1528
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1529 rc = semanage_fcontext_del_local(self.sh, k)
1530 if rc < 0:
1531 raise ValueError(_("Could not delete file context for %s") % target)
1532
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1533 semanage_fcontext_key_free(k)
1534
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1535 def delete(self, target, ftype):
1536 self.begin()
1537 self.__delete( target, ftype)
1538 self.commit()
1539
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1540 def get_all(self, locallist = 0):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1541 if locallist:
1542 (rc, self.flist) = semanage_fcontext_list_local(self.sh)
1543 else:
1544 (rc, self.flist) = semanage_fcontext_list(self.sh)
1545 if rc < 0:
1546 raise ValueError(_("Could not list file contexts"))
1547
1548 (rc, fclocal) = semanage_fcontext_list_local(self.sh)
1549 if rc < 0:
1550 raise ValueError(_("Could not list local file contexts"))
1551
1552 self.flist += fclocal
1553
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1554 ddict = {}
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1555 for fcontext in self.flist:
1556 expr = semanage_fcontext_get_expr(fcontext)
1557 ftype = semanage_fcontext_get_type(fcontext)
1558 ftype_str = semanage_fcontext_get_type_str(ftype)
1559 con = semanage_fcontext_get_con(fcontext)
1560 if con:
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1561 ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con))
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1562 else:
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1563 ddict[(expr, ftype_str)] = con
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1564
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1565 return ddict
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1566
1567 def list(self, heading = 1, locallist = 0 ):
1568 if heading:
1569 print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context"))
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1570 fcon_dict = self.get_all(locallist)
1571 keys = fcon_dict.keys()
1572 keys.sort()
1573 for k in keys:
1574 if fcon_dict[k]:
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1575 if is_mls_enabled:
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1576 print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3],False))
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1577 else:
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1578 print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1579 else:
Joshua Brindle1f4d94f2008-11-07 19:20:39 -0500[diff] [blame]1580 print "%-50s %-18s <<None>>" % (k[0], k[1])
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1581
1582class booleanRecords(semanageRecords):
1583 def __init__(self, store = ""):
1584 semanageRecords.__init__(self, store)
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1585 self.dict = {}
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1586 self.dict["TRUE"] = 1
1587 self.dict["FALSE"] = 0
1588 self.dict["ON"] = 1
1589 self.dict["OFF"] = 0
1590 self.dict["1"] = 1
1591 self.dict["0"] = 0
1592
1593 def __mod(self, name, value):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1594 (rc, k) = semanage_bool_key_create(self.sh, name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1595 if rc < 0:
1596 raise ValueError(_("Could not create a key for %s") % name)
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1597 (rc, exists) = semanage_bool_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1598 if rc < 0:
1599 raise ValueError(_("Could not check if boolean %s is defined") % name)
1600 if not exists:
1601 raise ValueError(_("Boolean %s is not defined") % name)
1602
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1603 (rc, b) = semanage_bool_query(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1604 if rc < 0:
1605 raise ValueError(_("Could not query file context %s") % name)
1606
1607 if value.upper() in self.dict:
1608 semanage_bool_set_value(b, self.dict[value.upper()])
1609 else:
1610 raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) )
1611
1612 rc = semanage_bool_set_active(self.sh, k, b)
1613 if rc < 0:
1614 raise ValueError(_("Could not set active value of boolean %s") % name)
1615 rc = semanage_bool_modify_local(self.sh, k, b)
1616 if rc < 0:
1617 raise ValueError(_("Could not modify boolean %s") % name)
1618 semanage_bool_key_free(k)
1619 semanage_bool_free(b)
1620
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1621 def modify(self, name, value = None, use_file = False):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1622
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1623 self.begin()
1624
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1625 if use_file:
1626 fd = open(name)
1627 for b in fd.read().split("\n"):
1628 b = b.strip()
1629 if len(b) == 0:
1630 continue
1631
1632 try:
1633 boolname, val = b.split("=")
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1634 except ValueError:
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1635 raise ValueError(_("Bad format %s: Record %s" % ( name, b) ))
1636 self.__mod(boolname.strip(), val.strip())
1637 fd.close()
1638 else:
1639 self.__mod(name, value)
1640
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1641 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1642
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1643 def __delete(self, name):
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1644
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1645 (rc, k) = semanage_bool_key_create(self.sh, name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1646 if rc < 0:
1647 raise ValueError(_("Could not create a key for %s") % name)
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1648 (rc, exists) = semanage_bool_exists(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1649 if rc < 0:
1650 raise ValueError(_("Could not check if boolean %s is defined") % name)
1651 if not exists:
1652 raise ValueError(_("Boolean %s is not defined") % name)
1653
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1654 (rc, exists) = semanage_bool_exists_local(self.sh, k)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1655 if rc < 0:
1656 raise ValueError(_("Could not check if boolean %s is defined") % name)
1657 if not exists:
1658 raise ValueError(_("Boolean %s is defined in policy, cannot be deleted") % name)
1659
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1660 rc = semanage_bool_del_local(self.sh, k)
1661 if rc < 0:
1662 raise ValueError(_("Could not delete boolean %s") % name)
1663
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1664 semanage_bool_key_free(k)
1665
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1666 def delete(self, name):
1667 self.begin()
1668 self.__delete(name)
1669 self.commit()
1670
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1671 def deleteall(self):
1672 (rc, self.blist) = semanage_bool_list_local(self.sh)
1673 if rc < 0:
1674 raise ValueError(_("Could not list booleans"))
1675
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1676 self.begin()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1677
1678 for boolean in self.blist:
1679 name = semanage_bool_get_name(boolean)
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1680 self.__delete(name)
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1681
Joshua Brindlef33c2302008-09-07 18:53:26 -0400[diff] [blame]1682 self.commit()
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1683
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1684 def get_all(self, locallist = 0):
1685 ddict = {}
1686 if locallist:
1687 (rc, self.blist) = semanage_bool_list_local(self.sh)
1688 else:
1689 (rc, self.blist) = semanage_bool_list(self.sh)
1690 if rc < 0:
1691 raise ValueError(_("Could not list booleans"))
1692
1693 for boolean in self.blist:
1694 value = []
1695 name = semanage_bool_get_name(boolean)
1696 value.append(semanage_bool_get_value(boolean))
1697 value.append(selinux.security_get_boolean_pending(name))
1698 value.append(selinux.security_get_boolean_active(name))
1699 ddict[name] = value
1700
1701 return ddict
1702
1703 def get_desc(self, boolean):
1704 return boolean_desc(boolean)
1705
1706 def get_category(self, boolean):
1707 if boolean in booleans_dict:
1708 return _(booleans_dict[boolean][0])
1709 else:
1710 return _("unknown")
1711
1712 def list(self, heading = True, locallist = False, use_file = False):
Daniel J Walsh8ad29a22009-06-28 12:32:40 -0400[diff] [blame]1713 on_off = (_("off"), _("on"))
Joshua Brindle13cd4c82008-08-19 15:30:36 -0400[diff] [blame]1714 if use_file:
1715 ddict = self.get_all(locallist)
1716 keys = ddict.keys()
1717 for k in keys:
1718 if ddict[k]:
1719 print "%s=%s" % (k, ddict[k][2])
1720 return
1721 if heading:
1722 print "%-40s %s\n" % (_("SELinux boolean"), _("Description"))
1723 ddict = self.get_all(locallist)
1724 keys = ddict.keys()
1725 for k in keys:
1726 if ddict[k]:
1727 print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k))
1728