Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1 | #! /usr/bin/python -E |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 2 | # Copyright (C) 2005, 2006, 2007, 2008, 2009 Red Hat |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 3 | # see file 'COPYING' for use and warranty information |
| 4 | # |
| 5 | # semanage is a tool for managing SELinux configuration files |
| 6 | # |
| 7 | # This program is free software; you can redistribute it and/or |
| 8 | # modify it under the terms of the GNU General Public License as |
| 9 | # published by the Free Software Foundation; either version 2 of |
| 10 | # the License, or (at your option) any later version. |
| 11 | # |
| 12 | # This program is distributed in the hope that it will be useful, |
| 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 15 | # GNU General Public License for more details. |
| 16 | # |
| 17 | # You should have received a copy of the GNU General Public License |
| 18 | # along with this program; if not, write to the Free Software |
| 19 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA |
| 20 | # 02111-1307 USA |
| 21 | # |
| 22 | # |
| 23 | |
Daniel J Walsh | 1f60e9b | 2009-08-19 16:57:11 -0400 | [diff] [blame] | 24 | import pwd, grp, string, selinux, tempfile, os, re, sys, stat |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 25 | from semanage import *; |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 26 | PROGNAME = "policycoreutils" |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 27 | import sepolgen.module as module |
| 28 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 29 | import gettext |
| 30 | gettext.bindtextdomain(PROGNAME, "/usr/share/locale") |
| 31 | gettext.textdomain(PROGNAME) |
| 32 | try: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 33 | gettext.install(PROGNAME, localedir = "/usr/share/locale", unicode = 1) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 34 | except IOError: |
| 35 | import __builtin__ |
| 36 | __builtin__.__dict__['_'] = unicode |
| 37 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 38 | import syslog |
| 39 | |
| 40 | file_types = {} |
| 41 | file_types[""] = SEMANAGE_FCONTEXT_ALL; |
| 42 | file_types["all files"] = SEMANAGE_FCONTEXT_ALL; |
| 43 | file_types["--"] = SEMANAGE_FCONTEXT_REG; |
| 44 | file_types["regular file"] = SEMANAGE_FCONTEXT_REG; |
| 45 | file_types["-d"] = SEMANAGE_FCONTEXT_DIR; |
| 46 | file_types["directory"] = SEMANAGE_FCONTEXT_DIR; |
| 47 | file_types["-c"] = SEMANAGE_FCONTEXT_CHAR; |
| 48 | file_types["character device"] = SEMANAGE_FCONTEXT_CHAR; |
| 49 | file_types["-b"] = SEMANAGE_FCONTEXT_BLOCK; |
| 50 | file_types["block device"] = SEMANAGE_FCONTEXT_BLOCK; |
| 51 | file_types["-s"] = SEMANAGE_FCONTEXT_SOCK; |
| 52 | file_types["socket"] = SEMANAGE_FCONTEXT_SOCK; |
| 53 | file_types["-l"] = SEMANAGE_FCONTEXT_LINK; |
| 54 | file_types["symbolic link"] = SEMANAGE_FCONTEXT_LINK; |
| 55 | file_types["-p"] = SEMANAGE_FCONTEXT_PIPE; |
| 56 | file_types["named pipe"] = SEMANAGE_FCONTEXT_PIPE; |
| 57 | |
| 58 | try: |
| 59 | import audit |
| 60 | class logger: |
| 61 | def __init__(self): |
| 62 | self.audit_fd = audit.audit_open() |
| 63 | |
| 64 | def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 65 | audit.audit_log_semanage_message(self.audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], str(msg), name, 0, sename, serole, serange, old_sename, old_serole, old_serange, "", "", "", success); |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 66 | except: |
| 67 | class logger: |
| 68 | def log(self, success, msg, name = "", sename = "", serole = "", serange = "", old_sename = "", old_serole = "", old_serange = ""): |
| 69 | if success == 1: |
| 70 | message = "Successful: " |
| 71 | else: |
| 72 | message = "Failed: " |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 73 | message += " %s name=%s" % (msg, name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 74 | if sename != "": |
| 75 | message += " sename=" + sename |
| 76 | if old_sename != "": |
| 77 | message += " old_sename=" + old_sename |
| 78 | if serole != "": |
| 79 | message += " role=" + serole |
| 80 | if old_serole != "": |
| 81 | message += " old_role=" + old_serole |
| 82 | if serange != "" and serange != None: |
| 83 | message += " MLSRange=" + serange |
| 84 | if old_serange != "" and old_serange != None: |
| 85 | message += " old_MLSRange=" + old_serange |
| 86 | syslog.syslog(message); |
| 87 | |
| 88 | mylog = logger() |
| 89 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 90 | import xml.etree.ElementTree |
| 91 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 92 | booleans_dict = {} |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 93 | try: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 94 | tree = xml.etree.ElementTree.parse("/usr/share/selinux/devel/policy.xml") |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 95 | for l in tree.findall("layer"): |
| 96 | for m in l.findall("module"): |
| 97 | for b in m.findall("tunable"): |
| 98 | desc = b.find("desc").find("p").text.strip("\n") |
| 99 | desc = re.sub("\n", " ", desc) |
| 100 | booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc) |
| 101 | for b in m.findall("bool"): |
| 102 | desc = b.find("desc").find("p").text.strip("\n") |
| 103 | desc = re.sub("\n", " ", desc) |
| 104 | booleans_dict[b.get('name')] = (m.get("name"), b.get('dftval'), desc) |
| 105 | for i in tree.findall("bool"): |
| 106 | desc = i.find("desc").find("p").text.strip("\n") |
| 107 | desc = re.sub("\n", " ", desc) |
| 108 | booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc) |
| 109 | for i in tree.findall("tunable"): |
| 110 | desc = i.find("desc").find("p").text.strip("\n") |
| 111 | desc = re.sub("\n", " ", desc) |
| 112 | booleans_dict[i.get('name')] = (_("global"), i.get('dftval'), desc) |
| 113 | except IOError, e: |
| 114 | #print _("Failed to translate booleans.\n%s") % e |
| 115 | pass |
| 116 | |
| 117 | def boolean_desc(boolean): |
| 118 | if boolean in booleans_dict: |
| 119 | return _(booleans_dict[boolean][2]) |
| 120 | else: |
| 121 | return boolean |
| 122 | |
| 123 | def validate_level(raw): |
| 124 | sensitivity = "s[0-9]*" |
| 125 | category = "c[0-9]*" |
| 126 | cat_range = category + "(\." + category +")?" |
| 127 | categories = cat_range + "(\," + cat_range + ")*" |
| 128 | reg = sensitivity + "(-" + sensitivity + ")?" + "(:" + categories + ")?" |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 129 | return re.search("^" + reg +"$", raw) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 130 | |
| 131 | def translate(raw, prepend = 1): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 132 | filler = "a:b:c:" |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 133 | if prepend == 1: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 134 | context = "%s%s" % (filler, raw) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 135 | else: |
| 136 | context = raw |
| 137 | (rc, trans) = selinux.selinux_raw_to_trans_context(context) |
| 138 | if rc != 0: |
| 139 | return raw |
| 140 | if prepend: |
| 141 | trans = trans[len(filler):] |
| 142 | if trans == "": |
| 143 | return raw |
| 144 | else: |
| 145 | return trans |
| 146 | |
| 147 | def untranslate(trans, prepend = 1): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 148 | filler = "a:b:c:" |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 149 | if prepend == 1: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 150 | context = "%s%s" % (filler, trans) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 151 | else: |
| 152 | context = trans |
| 153 | |
| 154 | (rc, raw) = selinux.selinux_trans_to_raw_context(context) |
| 155 | if rc != 0: |
| 156 | return trans |
| 157 | if prepend: |
| 158 | raw = raw[len(filler):] |
| 159 | if raw == "": |
| 160 | return trans |
| 161 | else: |
| 162 | return raw |
| 163 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 164 | class semanageRecords: |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 165 | transaction = False |
Eric Paris | 3fd3a92 | 2011-07-10 12:15:36 +0200 | [diff] [blame] | 166 | handle = None |
| 167 | def __init__(self, store): |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 168 | global handle |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 169 | |
Eric Paris | 3fd3a92 | 2011-07-10 12:15:36 +0200 | [diff] [blame] | 170 | self.sh = self.get_handle(store) |
| 171 | |
| 172 | def get_handle(self, store): |
| 173 | global is_mls_enabled |
| 174 | |
| 175 | if semanageRecords.handle: |
| 176 | return semanageRecords.handle |
| 177 | |
| 178 | handle = semanage_handle_create() |
| 179 | if not handle: |
| 180 | raise ValueError(_("Could not create semanage handle")) |
| 181 | |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 182 | if not semanageRecords.transaction and store != "": |
Eric Paris | 3fd3a92 | 2011-07-10 12:15:36 +0200 | [diff] [blame] | 183 | semanage_select_store(handle, store, SEMANAGE_CON_DIRECT); |
| 184 | semanageRecords.store = store |
| 185 | |
| 186 | if not semanage_is_managed(handle): |
| 187 | semanage_handle_destroy(handle) |
| 188 | raise ValueError(_("SELinux policy is not managed or store cannot be accessed.")) |
| 189 | |
| 190 | rc = semanage_access_check(handle) |
| 191 | if rc < SEMANAGE_CAN_READ: |
| 192 | semanage_handle_destroy(handle) |
| 193 | raise ValueError(_("Cannot read policy store.")) |
| 194 | |
| 195 | rc = semanage_connect(handle) |
| 196 | if rc < 0: |
| 197 | semanage_handle_destroy(handle) |
| 198 | raise ValueError(_("Could not establish semanage connection")) |
| 199 | |
| 200 | is_mls_enabled = semanage_mls_enabled(handle) |
| 201 | if is_mls_enabled < 0: |
| 202 | semanage_handle_destroy(handle) |
| 203 | raise ValueError(_("Could not test MLS enabled status")) |
| 204 | |
| 205 | semanageRecords.handle = handle |
| 206 | return semanageRecords.handle |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 207 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 208 | def deleteall(self): |
| 209 | raise ValueError(_("Not yet implemented")) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 210 | |
Daniel J Walsh | 35490f2 | 2009-04-10 17:14:47 -0400 | [diff] [blame] | 211 | def start(self): |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 212 | if semanageRecords.transaction: |
Daniel J Walsh | 35490f2 | 2009-04-10 17:14:47 -0400 | [diff] [blame] | 213 | raise ValueError(_("Semanage transaction already in progress")) |
| 214 | self.begin() |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 215 | semanageRecords.transaction = True |
Daniel J Walsh | 35490f2 | 2009-04-10 17:14:47 -0400 | [diff] [blame] | 216 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 217 | def begin(self): |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 218 | if semanageRecords.transaction: |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 219 | return |
| 220 | rc = semanage_begin_transaction(self.sh) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 221 | if rc < 0: |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 222 | raise ValueError(_("Could not start semanage transaction")) |
| 223 | def commit(self): |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 224 | if semanageRecords.transaction: |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 225 | return |
| 226 | rc = semanage_commit(self.sh) |
| 227 | if rc < 0: |
| 228 | raise ValueError(_("Could not commit semanage transaction")) |
| 229 | |
Daniel J Walsh | 35490f2 | 2009-04-10 17:14:47 -0400 | [diff] [blame] | 230 | def finish(self): |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 231 | if not semanageRecords.transaction: |
Daniel J Walsh | 35490f2 | 2009-04-10 17:14:47 -0400 | [diff] [blame] | 232 | raise ValueError(_("Semanage transaction not in progress")) |
Eric Paris | c3226eb | 2011-07-10 12:21:14 +0200 | [diff] [blame] | 233 | semanageRecords.transaction = False |
Daniel J Walsh | 35490f2 | 2009-04-10 17:14:47 -0400 | [diff] [blame] | 234 | self.commit() |
| 235 | |
Daniel J Walsh | 5aa2efb | 2009-08-27 18:10:14 -0400 | [diff] [blame] | 236 | class dontauditClass(semanageRecords): |
| 237 | def __init__(self, store): |
| 238 | semanageRecords.__init__(self, store) |
| 239 | |
| 240 | def toggle(self, dontaudit): |
| 241 | if dontaudit not in [ "on", "off" ]: |
| 242 | raise ValueError(_("dontaudit requires either 'on' or 'off'")) |
| 243 | self.begin() |
| 244 | rc = semanage_set_disable_dontaudit(self.sh, dontaudit == "off") |
| 245 | self.commit() |
| 246 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 247 | class permissiveRecords(semanageRecords): |
| 248 | def __init__(self, store): |
| 249 | semanageRecords.__init__(self, store) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 250 | |
| 251 | def get_all(self): |
| 252 | l = [] |
| 253 | (rc, mlist, number) = semanage_module_list(self.sh) |
| 254 | if rc < 0: |
| 255 | raise ValueError(_("Could not list SELinux modules")) |
| 256 | |
| 257 | for i in range(number): |
| 258 | mod = semanage_module_list_nth(mlist, i) |
| 259 | name = semanage_module_get_name(mod) |
| 260 | if name and name.startswith("permissive_"): |
| 261 | l.append(name.split("permissive_")[1]) |
| 262 | return l |
| 263 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 264 | def list(self, heading = 1, locallist = 0): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 265 | if heading: |
| 266 | print "\n%-25s\n" % (_("Permissive Types")) |
| 267 | for t in self.get_all(): |
| 268 | print t |
| 269 | |
| 270 | |
| 271 | def add(self, type): |
Daniel J Walsh | b6a1a95 | 2009-04-10 19:17:47 -0400 | [diff] [blame] | 272 | import glob |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 273 | name = "permissive_%s" % type |
| 274 | dirname = "/var/lib/selinux" |
| 275 | os.chdir(dirname) |
| 276 | filename = "%s.te" % name |
| 277 | modtxt = """ |
| 278 | module %s 1.0; |
| 279 | |
| 280 | require { |
| 281 | type %s; |
| 282 | } |
| 283 | |
| 284 | permissive %s; |
| 285 | """ % (name, type, type) |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 286 | fd = open(filename, 'w') |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 287 | fd.write(modtxt) |
| 288 | fd.close() |
| 289 | mc = module.ModuleCompiler() |
| 290 | mc.create_module_package(filename, 1) |
| 291 | fd = open("permissive_%s.pp" % type) |
| 292 | data = fd.read() |
| 293 | fd.close() |
| 294 | |
| 295 | rc = semanage_module_install(self.sh, data, len(data)); |
Daniel J Walsh | b6a1a95 | 2009-04-10 19:17:47 -0400 | [diff] [blame] | 296 | if rc >= 0: |
| 297 | self.commit() |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 298 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 299 | for root, dirs, files in os.walk("tmp", topdown = False): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 300 | for name in files: |
| 301 | os.remove(os.path.join(root, name)) |
| 302 | for name in dirs: |
| 303 | os.rmdir(os.path.join(root, name)) |
Daniel J Walsh | b6a1a95 | 2009-04-10 19:17:47 -0400 | [diff] [blame] | 304 | os.removedirs("tmp") |
| 305 | for i in glob.glob("permissive_%s.*" % type): |
| 306 | os.remove(i) |
| 307 | if rc < 0: |
| 308 | raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 309 | |
| 310 | def delete(self, name): |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 311 | for n in name.split(): |
| 312 | rc = semanage_module_remove(self.sh, "permissive_%s" % n) |
| 313 | if rc < 0: |
| 314 | raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name) |
| 315 | |
| 316 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 317 | |
| 318 | def deleteall(self): |
| 319 | l = self.get_all() |
| 320 | if len(l) > 0: |
| 321 | all = " ".join(l) |
| 322 | self.delete(all) |
| 323 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 324 | class loginRecords(semanageRecords): |
| 325 | def __init__(self, store = ""): |
| 326 | semanageRecords.__init__(self, store) |
| 327 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 328 | def __add(self, name, sename, serange): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 329 | if is_mls_enabled == 1: |
| 330 | if serange == "": |
| 331 | serange = "s0" |
| 332 | else: |
| 333 | serange = untranslate(serange) |
| 334 | |
| 335 | if sename == "": |
| 336 | sename = "user_u" |
| 337 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 338 | (rc, k) = semanage_seuser_key_create(self.sh, name) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 339 | if rc < 0: |
| 340 | raise ValueError(_("Could not create a key for %s") % name) |
| 341 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 342 | (rc, exists) = semanage_seuser_exists(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 343 | if rc < 0: |
| 344 | raise ValueError(_("Could not check if login mapping for %s is defined") % name) |
| 345 | if exists: |
| 346 | raise ValueError(_("Login mapping for %s is already defined") % name) |
| 347 | if name[0] == '%': |
| 348 | try: |
| 349 | grp.getgrnam(name[1:]) |
| 350 | except: |
| 351 | raise ValueError(_("Linux Group %s does not exist") % name[1:]) |
| 352 | else: |
| 353 | try: |
| 354 | pwd.getpwnam(name) |
| 355 | except: |
| 356 | raise ValueError(_("Linux User %s does not exist") % name) |
| 357 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 358 | (rc, u) = semanage_seuser_create(self.sh) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 359 | if rc < 0: |
| 360 | raise ValueError(_("Could not create login mapping for %s") % name) |
| 361 | |
| 362 | rc = semanage_seuser_set_name(self.sh, u, name) |
| 363 | if rc < 0: |
| 364 | raise ValueError(_("Could not set name for %s") % name) |
| 365 | |
| 366 | if serange != "": |
| 367 | rc = semanage_seuser_set_mlsrange(self.sh, u, serange) |
| 368 | if rc < 0: |
| 369 | raise ValueError(_("Could not set MLS range for %s") % name) |
| 370 | |
| 371 | rc = semanage_seuser_set_sename(self.sh, u, sename) |
| 372 | if rc < 0: |
| 373 | raise ValueError(_("Could not set SELinux user for %s") % name) |
| 374 | |
| 375 | rc = semanage_seuser_modify_local(self.sh, k, u) |
| 376 | if rc < 0: |
| 377 | raise ValueError(_("Could not add login mapping for %s") % name) |
| 378 | |
| 379 | semanage_seuser_key_free(k) |
| 380 | semanage_seuser_free(u) |
| 381 | |
| 382 | def add(self, name, sename, serange): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 383 | try: |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 384 | self.begin() |
| 385 | self.__add(name, sename, serange) |
| 386 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 387 | |
| 388 | except ValueError, error: |
| 389 | mylog.log(0, _("add SELinux user mapping"), name, sename, "", serange); |
| 390 | raise error |
| 391 | |
| 392 | mylog.log(1, _("add SELinux user mapping"), name, sename, "", serange); |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 393 | |
| 394 | def __modify(self, name, sename = "", serange = ""): |
| 395 | if sename == "" and serange == "": |
| 396 | raise ValueError(_("Requires seuser or serange")) |
| 397 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 398 | (rc, k) = semanage_seuser_key_create(self.sh, name) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 399 | if rc < 0: |
| 400 | raise ValueError(_("Could not create a key for %s") % name) |
| 401 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 402 | (rc, exists) = semanage_seuser_exists(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 403 | if rc < 0: |
| 404 | raise ValueError(_("Could not check if login mapping for %s is defined") % name) |
| 405 | if not exists: |
| 406 | raise ValueError(_("Login mapping for %s is not defined") % name) |
| 407 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 408 | (rc, u) = semanage_seuser_query(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 409 | if rc < 0: |
| 410 | raise ValueError(_("Could not query seuser for %s") % name) |
| 411 | |
| 412 | oldserange = semanage_seuser_get_mlsrange(u) |
| 413 | oldsename = semanage_seuser_get_sename(u) |
| 414 | if serange != "": |
| 415 | semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) |
| 416 | else: |
| 417 | serange = oldserange |
| 418 | |
| 419 | if sename != "": |
| 420 | semanage_seuser_set_sename(self.sh, u, sename) |
| 421 | else: |
| 422 | sename = oldsename |
| 423 | |
| 424 | rc = semanage_seuser_modify_local(self.sh, k, u) |
| 425 | if rc < 0: |
| 426 | raise ValueError(_("Could not modify login mapping for %s") % name) |
| 427 | |
| 428 | semanage_seuser_key_free(k) |
| 429 | semanage_seuser_free(u) |
| 430 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 431 | mylog.log(1, "modify selinux user mapping", name, sename, "", serange, oldsename, "", oldserange); |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 432 | |
| 433 | def modify(self, name, sename = "", serange = ""): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 434 | try: |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 435 | self.begin() |
| 436 | self.__modify(name, sename, serange) |
| 437 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 438 | |
| 439 | except ValueError, error: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 440 | mylog.log(0, "modify selinux user mapping", name, sename, "", serange, "", "", ""); |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 441 | raise error |
| 442 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 443 | def __delete(self, name): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 444 | (rc, k) = semanage_seuser_key_create(self.sh, name) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 445 | if rc < 0: |
| 446 | raise ValueError(_("Could not create a key for %s") % name) |
| 447 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 448 | (rc, exists) = semanage_seuser_exists(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 449 | if rc < 0: |
| 450 | raise ValueError(_("Could not check if login mapping for %s is defined") % name) |
| 451 | if not exists: |
| 452 | raise ValueError(_("Login mapping for %s is not defined") % name) |
| 453 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 454 | (rc, exists) = semanage_seuser_exists_local(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 455 | if rc < 0: |
| 456 | raise ValueError(_("Could not check if login mapping for %s is defined") % name) |
| 457 | if not exists: |
| 458 | raise ValueError(_("Login mapping for %s is defined in policy, cannot be deleted") % name) |
| 459 | |
| 460 | rc = semanage_seuser_del_local(self.sh, k) |
| 461 | if rc < 0: |
| 462 | raise ValueError(_("Could not delete login mapping for %s") % name) |
| 463 | |
| 464 | semanage_seuser_key_free(k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 465 | |
| 466 | def delete(self, name): |
| 467 | try: |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 468 | self.begin() |
| 469 | self.__delete(name) |
| 470 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 471 | |
| 472 | except ValueError, error: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 473 | mylog.log(0, "delete SELinux user mapping", name); |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 474 | raise error |
| 475 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 476 | mylog.log(1, "delete SELinux user mapping", name); |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 477 | |
| 478 | def get_all(self, locallist = 0): |
| 479 | ddict = {} |
| 480 | if locallist: |
| 481 | (rc, self.ulist) = semanage_seuser_list_local(self.sh) |
| 482 | else: |
| 483 | (rc, self.ulist) = semanage_seuser_list(self.sh) |
| 484 | if rc < 0: |
| 485 | raise ValueError(_("Could not list login mappings")) |
| 486 | |
| 487 | for u in self.ulist: |
| 488 | name = semanage_seuser_get_name(u) |
| 489 | ddict[name] = (semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u)) |
| 490 | return ddict |
| 491 | |
| 492 | def list(self,heading = 1, locallist = 0): |
| 493 | ddict = self.get_all(locallist) |
| 494 | keys = ddict.keys() |
| 495 | keys.sort() |
| 496 | if is_mls_enabled == 1: |
| 497 | if heading: |
| 498 | print "\n%-25s %-25s %-25s\n" % (_("Login Name"), _("SELinux User"), _("MLS/MCS Range")) |
| 499 | for k in keys: |
| 500 | print "%-25s %-25s %-25s" % (k, ddict[k][0], translate(ddict[k][1])) |
| 501 | else: |
| 502 | if heading: |
| 503 | print "\n%-25s %-25s\n" % (_("Login Name"), _("SELinux User")) |
| 504 | for k in keys: |
| 505 | print "%-25s %-25s" % (k, ddict[k][0]) |
| 506 | |
| 507 | class seluserRecords(semanageRecords): |
| 508 | def __init__(self, store = ""): |
| 509 | semanageRecords.__init__(self, store) |
| 510 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 511 | def __add(self, name, roles, selevel, serange, prefix): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 512 | if is_mls_enabled == 1: |
| 513 | if serange == "": |
| 514 | serange = "s0" |
| 515 | else: |
| 516 | serange = untranslate(serange) |
| 517 | |
| 518 | if selevel == "": |
| 519 | selevel = "s0" |
| 520 | else: |
| 521 | selevel = untranslate(selevel) |
| 522 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 523 | if len(roles) < 1: |
| 524 | raise ValueError(_("You must add at least one role for %s") % name) |
| 525 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 526 | (rc, k) = semanage_user_key_create(self.sh, name) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 527 | if rc < 0: |
| 528 | raise ValueError(_("Could not create a key for %s") % name) |
| 529 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 530 | (rc, exists) = semanage_user_exists(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 531 | if rc < 0: |
| 532 | raise ValueError(_("Could not check if SELinux user %s is defined") % name) |
| 533 | if exists: |
| 534 | raise ValueError(_("SELinux user %s is already defined") % name) |
| 535 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 536 | (rc, u) = semanage_user_create(self.sh) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 537 | if rc < 0: |
| 538 | raise ValueError(_("Could not create SELinux user for %s") % name) |
| 539 | |
| 540 | rc = semanage_user_set_name(self.sh, u, name) |
| 541 | if rc < 0: |
| 542 | raise ValueError(_("Could not set name for %s") % name) |
| 543 | |
| 544 | for r in roles: |
| 545 | rc = semanage_user_add_role(self.sh, u, r) |
| 546 | if rc < 0: |
| 547 | raise ValueError(_("Could not add role %s for %s") % (r, name)) |
| 548 | |
| 549 | if is_mls_enabled == 1: |
| 550 | rc = semanage_user_set_mlsrange(self.sh, u, serange) |
| 551 | if rc < 0: |
| 552 | raise ValueError(_("Could not set MLS range for %s") % name) |
| 553 | |
| 554 | rc = semanage_user_set_mlslevel(self.sh, u, selevel) |
| 555 | if rc < 0: |
| 556 | raise ValueError(_("Could not set MLS level for %s") % name) |
| 557 | rc = semanage_user_set_prefix(self.sh, u, prefix) |
| 558 | if rc < 0: |
| 559 | raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 560 | (rc, key) = semanage_user_key_extract(self.sh,u) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 561 | if rc < 0: |
| 562 | raise ValueError(_("Could not extract key for %s") % name) |
| 563 | |
| 564 | rc = semanage_user_modify_local(self.sh, k, u) |
| 565 | if rc < 0: |
| 566 | raise ValueError(_("Could not add SELinux user %s") % name) |
| 567 | |
| 568 | semanage_user_key_free(k) |
| 569 | semanage_user_free(u) |
| 570 | |
| 571 | def add(self, name, roles, selevel, serange, prefix): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 572 | seroles = " ".join(roles) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 573 | try: |
| 574 | self.begin() |
| 575 | self.__add( name, roles, selevel, serange, prefix) |
| 576 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 577 | except ValueError, error: |
| 578 | mylog.log(0,"add SELinux user record", name, name, seroles, serange) |
| 579 | raise error |
| 580 | |
| 581 | mylog.log(1,"add SELinux user record", name, name, seroles, serange) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 582 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 583 | def __modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 584 | oldroles = "" |
| 585 | oldserange = "" |
| 586 | newroles = string.join(roles, ' '); |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 587 | if prefix == "" and len(roles) == 0 and serange == "" and selevel == "": |
| 588 | if is_mls_enabled == 1: |
| 589 | raise ValueError(_("Requires prefix, roles, level or range")) |
| 590 | else: |
| 591 | raise ValueError(_("Requires prefix or roles")) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 592 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 593 | (rc, k) = semanage_user_key_create(self.sh, name) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 594 | if rc < 0: |
| 595 | raise ValueError(_("Could not create a key for %s") % name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 596 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 597 | (rc, exists) = semanage_user_exists(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 598 | if rc < 0: |
| 599 | raise ValueError(_("Could not check if SELinux user %s is defined") % name) |
| 600 | if not exists: |
| 601 | raise ValueError(_("SELinux user %s is not defined") % name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 602 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 603 | (rc, u) = semanage_user_query(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 604 | if rc < 0: |
| 605 | raise ValueError(_("Could not query user for %s") % name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 606 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 607 | oldserange = semanage_user_get_mlsrange(u) |
| 608 | (rc, rlist) = semanage_user_get_roles(self.sh, u) |
| 609 | if rc >= 0: |
| 610 | oldroles = string.join(rlist, ' '); |
| 611 | newroles = newroles + ' ' + oldroles; |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 612 | |
| 613 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 614 | if serange != "": |
| 615 | semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) |
| 616 | if selevel != "": |
| 617 | semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 618 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 619 | if prefix != "": |
| 620 | semanage_user_set_prefix(self.sh, u, prefix) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 621 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 622 | if len(roles) != 0: |
| 623 | for r in rlist: |
| 624 | if r not in roles: |
| 625 | semanage_user_del_role(u, r) |
| 626 | for r in roles: |
| 627 | if r not in rlist: |
| 628 | semanage_user_add_role(self.sh, u, r) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 629 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 630 | rc = semanage_user_modify_local(self.sh, k, u) |
| 631 | if rc < 0: |
| 632 | raise ValueError(_("Could not modify SELinux user %s") % name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 633 | |
| 634 | semanage_user_key_free(k) |
| 635 | semanage_user_free(u) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 636 | |
| 637 | mylog.log(1,"modify SELinux user record", name, "", newroles, serange, "", oldroles, oldserange) |
| 638 | |
| 639 | |
| 640 | def modify(self, name, roles = [], selevel = "", serange = "", prefix = ""): |
| 641 | try: |
| 642 | self.begin() |
| 643 | self.__modify(name, roles, selevel, serange, prefix) |
| 644 | self.commit() |
| 645 | |
| 646 | except ValueError, error: |
| 647 | mylog.log(0,"modify SELinux user record", name, "", " ".join(roles), serange, "", "", "") |
| 648 | raise error |
| 649 | |
| 650 | def __delete(self, name): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 651 | (rc, k) = semanage_user_key_create(self.sh, name) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 652 | if rc < 0: |
| 653 | raise ValueError(_("Could not create a key for %s") % name) |
| 654 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 655 | (rc, exists) = semanage_user_exists(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 656 | if rc < 0: |
| 657 | raise ValueError(_("Could not check if SELinux user %s is defined") % name) |
| 658 | if not exists: |
| 659 | raise ValueError(_("SELinux user %s is not defined") % name) |
| 660 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 661 | (rc, exists) = semanage_user_exists_local(self.sh, k) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 662 | if rc < 0: |
| 663 | raise ValueError(_("Could not check if SELinux user %s is defined") % name) |
| 664 | if not exists: |
| 665 | raise ValueError(_("SELinux user %s is defined in policy, cannot be deleted") % name) |
| 666 | |
| 667 | rc = semanage_user_del_local(self.sh, k) |
| 668 | if rc < 0: |
| 669 | raise ValueError(_("Could not delete SELinux user %s") % name) |
| 670 | |
| 671 | semanage_user_key_free(k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 672 | |
| 673 | def delete(self, name): |
| 674 | try: |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 675 | self.begin() |
| 676 | self.__delete(name) |
| 677 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 678 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 679 | except ValueError, error: |
| 680 | mylog.log(0,"delete SELinux user record", name) |
| 681 | raise error |
| 682 | |
| 683 | mylog.log(1,"delete SELinux user record", name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 684 | |
| 685 | def get_all(self, locallist = 0): |
| 686 | ddict = {} |
| 687 | if locallist: |
| 688 | (rc, self.ulist) = semanage_user_list_local(self.sh) |
| 689 | else: |
| 690 | (rc, self.ulist) = semanage_user_list(self.sh) |
| 691 | if rc < 0: |
| 692 | raise ValueError(_("Could not list SELinux users")) |
| 693 | |
| 694 | for u in self.ulist: |
| 695 | name = semanage_user_get_name(u) |
| 696 | (rc, rlist) = semanage_user_get_roles(self.sh, u) |
| 697 | if rc < 0: |
| 698 | raise ValueError(_("Could not list roles for user %s") % name) |
| 699 | |
| 700 | roles = string.join(rlist, ' '); |
| 701 | ddict[semanage_user_get_name(u)] = (semanage_user_get_prefix(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles) |
| 702 | |
| 703 | return ddict |
| 704 | |
| 705 | def list(self, heading = 1, locallist = 0): |
| 706 | ddict = self.get_all(locallist) |
| 707 | keys = ddict.keys() |
| 708 | keys.sort() |
| 709 | if is_mls_enabled == 1: |
| 710 | if heading: |
| 711 | print "\n%-15s %-10s %-10s %-30s" % ("", _("Labeling"), _("MLS/"), _("MLS/")) |
| 712 | print "%-15s %-10s %-10s %-30s %s\n" % (_("SELinux User"), _("Prefix"), _("MCS Level"), _("MCS Range"), _("SELinux Roles")) |
| 713 | for k in keys: |
| 714 | print "%-15s %-10s %-10s %-30s %s" % (k, ddict[k][0], translate(ddict[k][1]), translate(ddict[k][2]), ddict[k][3]) |
| 715 | else: |
| 716 | if heading: |
| 717 | print "%-15s %s\n" % (_("SELinux User"), _("SELinux Roles")) |
| 718 | for k in keys: |
| 719 | print "%-15s %s" % (k, ddict[k][3]) |
| 720 | |
| 721 | class portRecords(semanageRecords): |
| 722 | def __init__(self, store = ""): |
| 723 | semanageRecords.__init__(self, store) |
| 724 | |
| 725 | def __genkey(self, port, proto): |
| 726 | if proto == "tcp": |
| 727 | proto_d = SEMANAGE_PROTO_TCP |
| 728 | else: |
| 729 | if proto == "udp": |
| 730 | proto_d = SEMANAGE_PROTO_UDP |
| 731 | else: |
| 732 | raise ValueError(_("Protocol udp or tcp is required")) |
| 733 | if port == "": |
| 734 | raise ValueError(_("Port is required")) |
| 735 | |
| 736 | ports = port.split("-") |
| 737 | if len(ports) == 1: |
| 738 | high = low = int(ports[0]) |
| 739 | else: |
| 740 | low = int(ports[0]) |
| 741 | high = int(ports[1]) |
| 742 | |
Eric Paris | 849e7d5 | 2011-07-15 15:05:11 +0200 | [diff] [blame^] | 743 | if high > 65535: |
| 744 | raise ValueError(_("Invalid Port")) |
| 745 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 746 | (rc, k) = semanage_port_key_create(self.sh, low, high, proto_d) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 747 | if rc < 0: |
| 748 | raise ValueError(_("Could not create a key for %s/%s") % (proto, port)) |
| 749 | return ( k, proto_d, low, high ) |
| 750 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 751 | def __add(self, port, proto, serange, type): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 752 | if is_mls_enabled == 1: |
| 753 | if serange == "": |
| 754 | serange = "s0" |
| 755 | else: |
| 756 | serange = untranslate(serange) |
| 757 | |
| 758 | if type == "": |
| 759 | raise ValueError(_("Type is required")) |
| 760 | |
| 761 | ( k, proto_d, low, high ) = self.__genkey(port, proto) |
| 762 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 763 | (rc, exists) = semanage_port_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 764 | if rc < 0: |
| 765 | raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) |
| 766 | if exists: |
| 767 | raise ValueError(_("Port %s/%s already defined") % (proto, port)) |
| 768 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 769 | (rc, p) = semanage_port_create(self.sh) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 770 | if rc < 0: |
| 771 | raise ValueError(_("Could not create port for %s/%s") % (proto, port)) |
| 772 | |
| 773 | semanage_port_set_proto(p, proto_d) |
| 774 | semanage_port_set_range(p, low, high) |
| 775 | (rc, con) = semanage_context_create(self.sh) |
| 776 | if rc < 0: |
| 777 | raise ValueError(_("Could not create context for %s/%s") % (proto, port)) |
| 778 | |
| 779 | rc = semanage_context_set_user(self.sh, con, "system_u") |
| 780 | if rc < 0: |
| 781 | raise ValueError(_("Could not set user in port context for %s/%s") % (proto, port)) |
| 782 | |
| 783 | rc = semanage_context_set_role(self.sh, con, "object_r") |
| 784 | if rc < 0: |
| 785 | raise ValueError(_("Could not set role in port context for %s/%s") % (proto, port)) |
| 786 | |
| 787 | rc = semanage_context_set_type(self.sh, con, type) |
| 788 | if rc < 0: |
| 789 | raise ValueError(_("Could not set type in port context for %s/%s") % (proto, port)) |
| 790 | |
| 791 | if serange != "": |
| 792 | rc = semanage_context_set_mls(self.sh, con, serange) |
| 793 | if rc < 0: |
| 794 | raise ValueError(_("Could not set mls fields in port context for %s/%s") % (proto, port)) |
| 795 | |
| 796 | rc = semanage_port_set_con(self.sh, p, con) |
| 797 | if rc < 0: |
| 798 | raise ValueError(_("Could not set port context for %s/%s") % (proto, port)) |
| 799 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 800 | rc = semanage_port_modify_local(self.sh, k, p) |
| 801 | if rc < 0: |
| 802 | raise ValueError(_("Could not add port %s/%s") % (proto, port)) |
| 803 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 804 | semanage_context_free(con) |
| 805 | semanage_port_key_free(k) |
| 806 | semanage_port_free(p) |
| 807 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 808 | def add(self, port, proto, serange, type): |
| 809 | self.begin() |
| 810 | self.__add(port, proto, serange, type) |
| 811 | self.commit() |
| 812 | |
| 813 | def __modify(self, port, proto, serange, setype): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 814 | if serange == "" and setype == "": |
| 815 | if is_mls_enabled == 1: |
| 816 | raise ValueError(_("Requires setype or serange")) |
| 817 | else: |
| 818 | raise ValueError(_("Requires setype")) |
| 819 | |
| 820 | ( k, proto_d, low, high ) = self.__genkey(port, proto) |
| 821 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 822 | (rc, exists) = semanage_port_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 823 | if rc < 0: |
| 824 | raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) |
| 825 | if not exists: |
| 826 | raise ValueError(_("Port %s/%s is not defined") % (proto,port)) |
| 827 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 828 | (rc, p) = semanage_port_query(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 829 | if rc < 0: |
| 830 | raise ValueError(_("Could not query port %s/%s") % (proto, port)) |
| 831 | |
| 832 | con = semanage_port_get_con(p) |
| 833 | |
| 834 | if serange != "": |
| 835 | semanage_context_set_mls(self.sh, con, untranslate(serange)) |
| 836 | if setype != "": |
| 837 | semanage_context_set_type(self.sh, con, setype) |
| 838 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 839 | rc = semanage_port_modify_local(self.sh, k, p) |
| 840 | if rc < 0: |
| 841 | raise ValueError(_("Could not modify port %s/%s") % (proto, port)) |
| 842 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 843 | semanage_port_key_free(k) |
| 844 | semanage_port_free(p) |
| 845 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 846 | def modify(self, port, proto, serange, setype): |
| 847 | self.begin() |
| 848 | self.__modify(port, proto, serange, setype) |
| 849 | self.commit() |
| 850 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 851 | def deleteall(self): |
| 852 | (rc, plist) = semanage_port_list_local(self.sh) |
| 853 | if rc < 0: |
| 854 | raise ValueError(_("Could not list the ports")) |
| 855 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 856 | self.begin() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 857 | |
| 858 | for port in plist: |
| 859 | proto = semanage_port_get_proto(port) |
| 860 | proto_str = semanage_port_get_proto_str(proto) |
| 861 | low = semanage_port_get_low(port) |
| 862 | high = semanage_port_get_high(port) |
| 863 | port_str = "%s-%s" % (low, high) |
| 864 | ( k, proto_d, low, high ) = self.__genkey(port_str , proto_str) |
| 865 | if rc < 0: |
| 866 | raise ValueError(_("Could not create a key for %s") % port_str) |
| 867 | |
| 868 | rc = semanage_port_del_local(self.sh, k) |
| 869 | if rc < 0: |
| 870 | raise ValueError(_("Could not delete the port %s") % port_str) |
| 871 | semanage_port_key_free(k) |
| 872 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 873 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 874 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 875 | def __delete(self, port, proto): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 876 | ( k, proto_d, low, high ) = self.__genkey(port, proto) |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 877 | (rc, exists) = semanage_port_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 878 | if rc < 0: |
| 879 | raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) |
| 880 | if not exists: |
| 881 | raise ValueError(_("Port %s/%s is not defined") % (proto, port)) |
| 882 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 883 | (rc, exists) = semanage_port_exists_local(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 884 | if rc < 0: |
| 885 | raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) |
| 886 | if not exists: |
| 887 | raise ValueError(_("Port %s/%s is defined in policy, cannot be deleted") % (proto, port)) |
| 888 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 889 | rc = semanage_port_del_local(self.sh, k) |
| 890 | if rc < 0: |
| 891 | raise ValueError(_("Could not delete port %s/%s") % (proto, port)) |
| 892 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 893 | semanage_port_key_free(k) |
| 894 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 895 | def delete(self, port, proto): |
| 896 | self.begin() |
| 897 | self.__delete(port, proto) |
| 898 | self.commit() |
| 899 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 900 | def get_all(self, locallist = 0): |
| 901 | ddict = {} |
| 902 | if locallist: |
| 903 | (rc, self.plist) = semanage_port_list_local(self.sh) |
| 904 | else: |
| 905 | (rc, self.plist) = semanage_port_list(self.sh) |
| 906 | if rc < 0: |
| 907 | raise ValueError(_("Could not list ports")) |
| 908 | |
| 909 | for port in self.plist: |
| 910 | con = semanage_port_get_con(port) |
| 911 | ctype = semanage_context_get_type(con) |
| 912 | if ctype == "reserved_port_t": |
| 913 | continue |
| 914 | level = semanage_context_get_mls(con) |
| 915 | proto = semanage_port_get_proto(port) |
| 916 | proto_str = semanage_port_get_proto_str(proto) |
| 917 | low = semanage_port_get_low(port) |
| 918 | high = semanage_port_get_high(port) |
Daniel J Walsh | 1f60e9b | 2009-08-19 16:57:11 -0400 | [diff] [blame] | 919 | ddict[(low, high, proto_str)] = (ctype, level) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 920 | return ddict |
| 921 | |
| 922 | def get_all_by_type(self, locallist = 0): |
| 923 | ddict = {} |
| 924 | if locallist: |
| 925 | (rc, self.plist) = semanage_port_list_local(self.sh) |
| 926 | else: |
| 927 | (rc, self.plist) = semanage_port_list(self.sh) |
| 928 | if rc < 0: |
| 929 | raise ValueError(_("Could not list ports")) |
| 930 | |
| 931 | for port in self.plist: |
| 932 | con = semanage_port_get_con(port) |
| 933 | ctype = semanage_context_get_type(con) |
| 934 | if ctype == "reserved_port_t": |
| 935 | continue |
| 936 | proto = semanage_port_get_proto(port) |
| 937 | proto_str = semanage_port_get_proto_str(proto) |
| 938 | low = semanage_port_get_low(port) |
| 939 | high = semanage_port_get_high(port) |
| 940 | if (ctype, proto_str) not in ddict.keys(): |
| 941 | ddict[(ctype,proto_str)] = [] |
| 942 | if low == high: |
| 943 | ddict[(ctype,proto_str)].append("%d" % low) |
| 944 | else: |
| 945 | ddict[(ctype,proto_str)].append("%d-%d" % (low, high)) |
| 946 | return ddict |
| 947 | |
| 948 | def list(self, heading = 1, locallist = 0): |
| 949 | if heading: |
| 950 | print "%-30s %-8s %s\n" % (_("SELinux Port Type"), _("Proto"), _("Port Number")) |
| 951 | ddict = self.get_all_by_type(locallist) |
| 952 | keys = ddict.keys() |
| 953 | keys.sort() |
| 954 | for i in keys: |
| 955 | rec = "%-30s %-8s " % i |
| 956 | rec += "%s" % ddict[i][0] |
| 957 | for p in ddict[i][1:]: |
| 958 | rec += ", %s" % p |
| 959 | print rec |
| 960 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 961 | class nodeRecords(semanageRecords): |
| 962 | def __init__(self, store = ""): |
| 963 | semanageRecords.__init__(self,store) |
| 964 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 965 | def __add(self, addr, mask, proto, serange, ctype): |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 966 | if addr == "": |
| 967 | raise ValueError(_("Node Address is required")) |
| 968 | |
| 969 | if mask == "": |
| 970 | raise ValueError(_("Node Netmask is required")) |
| 971 | |
| 972 | if proto == "ipv4": |
| 973 | proto = 0 |
| 974 | elif proto == "ipv6": |
| 975 | proto = 1 |
| 976 | else: |
| 977 | raise ValueError(_("Unknown or missing protocol")) |
| 978 | |
| 979 | |
| 980 | if is_mls_enabled == 1: |
| 981 | if serange == "": |
| 982 | serange = "s0" |
| 983 | else: |
| 984 | serange = untranslate(serange) |
| 985 | |
| 986 | if ctype == "": |
| 987 | raise ValueError(_("SELinux Type is required")) |
| 988 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 989 | (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 990 | if rc < 0: |
| 991 | raise ValueError(_("Could not create key for %s") % addr) |
| 992 | if rc < 0: |
| 993 | raise ValueError(_("Could not check if addr %s is defined") % addr) |
| 994 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 995 | (rc, exists) = semanage_node_exists(self.sh, k) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 996 | if exists: |
| 997 | raise ValueError(_("Addr %s already defined") % addr) |
| 998 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 999 | (rc, node) = semanage_node_create(self.sh) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1000 | if rc < 0: |
| 1001 | raise ValueError(_("Could not create addr for %s") % addr) |
| 1002 | |
| 1003 | rc = semanage_node_set_addr(self.sh, node, proto, addr) |
| 1004 | (rc, con) = semanage_context_create(self.sh) |
| 1005 | if rc < 0: |
| 1006 | raise ValueError(_("Could not create context for %s") % addr) |
| 1007 | |
| 1008 | rc = semanage_node_set_mask(self.sh, node, proto, mask) |
| 1009 | if rc < 0: |
| 1010 | raise ValueError(_("Could not set mask for %s") % addr) |
| 1011 | |
| 1012 | |
| 1013 | rc = semanage_context_set_user(self.sh, con, "system_u") |
| 1014 | if rc < 0: |
| 1015 | raise ValueError(_("Could not set user in addr context for %s") % addr) |
| 1016 | |
| 1017 | rc = semanage_context_set_role(self.sh, con, "object_r") |
| 1018 | if rc < 0: |
| 1019 | raise ValueError(_("Could not set role in addr context for %s") % addr) |
| 1020 | |
| 1021 | rc = semanage_context_set_type(self.sh, con, ctype) |
| 1022 | if rc < 0: |
| 1023 | raise ValueError(_("Could not set type in addr context for %s") % addr) |
| 1024 | |
| 1025 | if serange != "": |
| 1026 | rc = semanage_context_set_mls(self.sh, con, serange) |
| 1027 | if rc < 0: |
| 1028 | raise ValueError(_("Could not set mls fields in addr context for %s") % addr) |
| 1029 | |
| 1030 | rc = semanage_node_set_con(self.sh, node, con) |
| 1031 | if rc < 0: |
| 1032 | raise ValueError(_("Could not set addr context for %s") % addr) |
| 1033 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1034 | rc = semanage_node_modify_local(self.sh, k, node) |
| 1035 | if rc < 0: |
| 1036 | raise ValueError(_("Could not add addr %s") % addr) |
| 1037 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1038 | semanage_context_free(con) |
| 1039 | semanage_node_key_free(k) |
| 1040 | semanage_node_free(node) |
| 1041 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1042 | def add(self, addr, mask, proto, serange, ctype): |
| 1043 | self.begin() |
Chad Sellers | 32ae03e | 2009-11-19 14:32:42 -0500 | [diff] [blame] | 1044 | self.__add(addr, mask, proto, serange, ctype) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1045 | self.commit() |
| 1046 | |
| 1047 | def __modify(self, addr, mask, proto, serange, setype): |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1048 | if addr == "": |
| 1049 | raise ValueError(_("Node Address is required")) |
| 1050 | |
| 1051 | if mask == "": |
| 1052 | raise ValueError(_("Node Netmask is required")) |
| 1053 | if proto == "ipv4": |
| 1054 | proto = 0 |
| 1055 | elif proto == "ipv6": |
| 1056 | proto = 1 |
| 1057 | else: |
| 1058 | raise ValueError(_("Unknown or missing protocol")) |
| 1059 | |
| 1060 | |
| 1061 | if serange == "" and setype == "": |
| 1062 | raise ValueError(_("Requires setype or serange")) |
| 1063 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1064 | (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1065 | if rc < 0: |
| 1066 | raise ValueError(_("Could not create key for %s") % addr) |
| 1067 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1068 | (rc, exists) = semanage_node_exists(self.sh, k) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1069 | if rc < 0: |
| 1070 | raise ValueError(_("Could not check if addr %s is defined") % addr) |
| 1071 | if not exists: |
| 1072 | raise ValueError(_("Addr %s is not defined") % addr) |
| 1073 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1074 | (rc, node) = semanage_node_query(self.sh, k) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1075 | if rc < 0: |
| 1076 | raise ValueError(_("Could not query addr %s") % addr) |
| 1077 | |
| 1078 | con = semanage_node_get_con(node) |
| 1079 | |
| 1080 | if serange != "": |
| 1081 | semanage_context_set_mls(self.sh, con, untranslate(serange)) |
| 1082 | if setype != "": |
| 1083 | semanage_context_set_type(self.sh, con, setype) |
| 1084 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1085 | rc = semanage_node_modify_local(self.sh, k, node) |
| 1086 | if rc < 0: |
| 1087 | raise ValueError(_("Could not modify addr %s") % addr) |
| 1088 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1089 | semanage_node_key_free(k) |
| 1090 | semanage_node_free(node) |
| 1091 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1092 | def modify(self, addr, mask, proto, serange, setype): |
| 1093 | self.begin() |
| 1094 | self.__modify(addr, mask, proto, serange, setype) |
| 1095 | self.commit() |
| 1096 | |
| 1097 | def __delete(self, addr, mask, proto): |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1098 | if addr == "": |
| 1099 | raise ValueError(_("Node Address is required")) |
| 1100 | |
| 1101 | if mask == "": |
| 1102 | raise ValueError(_("Node Netmask is required")) |
| 1103 | |
| 1104 | if proto == "ipv4": |
| 1105 | proto = 0 |
| 1106 | elif proto == "ipv6": |
| 1107 | proto = 1 |
| 1108 | else: |
| 1109 | raise ValueError(_("Unknown or missing protocol")) |
| 1110 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1111 | (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1112 | if rc < 0: |
| 1113 | raise ValueError(_("Could not create key for %s") % addr) |
| 1114 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1115 | (rc, exists) = semanage_node_exists(self.sh, k) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1116 | if rc < 0: |
| 1117 | raise ValueError(_("Could not check if addr %s is defined") % addr) |
| 1118 | if not exists: |
| 1119 | raise ValueError(_("Addr %s is not defined") % addr) |
| 1120 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1121 | (rc, exists) = semanage_node_exists_local(self.sh, k) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1122 | if rc < 0: |
| 1123 | raise ValueError(_("Could not check if addr %s is defined") % addr) |
| 1124 | if not exists: |
| 1125 | raise ValueError(_("Addr %s is defined in policy, cannot be deleted") % addr) |
| 1126 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1127 | rc = semanage_node_del_local(self.sh, k) |
| 1128 | if rc < 0: |
| 1129 | raise ValueError(_("Could not delete addr %s") % addr) |
| 1130 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1131 | semanage_node_key_free(k) |
| 1132 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1133 | def delete(self, addr, mask, proto): |
| 1134 | self.begin() |
| 1135 | self.__delete(addr, mask, proto) |
| 1136 | self.commit() |
| 1137 | |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1138 | def get_all(self, locallist = 0): |
| 1139 | ddict = {} |
| 1140 | if locallist : |
| 1141 | (rc, self.ilist) = semanage_node_list_local(self.sh) |
| 1142 | else: |
| 1143 | (rc, self.ilist) = semanage_node_list(self.sh) |
| 1144 | if rc < 0: |
| 1145 | raise ValueError(_("Could not list addrs")) |
| 1146 | |
| 1147 | for node in self.ilist: |
| 1148 | con = semanage_node_get_con(node) |
| 1149 | addr = semanage_node_get_addr(self.sh, node) |
| 1150 | mask = semanage_node_get_mask(self.sh, node) |
| 1151 | proto = semanage_node_get_proto(node) |
| 1152 | if proto == 0: |
| 1153 | proto = "ipv4" |
| 1154 | elif proto == 1: |
| 1155 | proto = "ipv6" |
| 1156 | ddict[(addr[1], mask[1], proto)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) |
| 1157 | |
| 1158 | return ddict |
| 1159 | |
| 1160 | def list(self, heading = 1, locallist = 0): |
| 1161 | if heading: |
| 1162 | print "%-18s %-18s %-5s %-5s\n" % ("IP Address", "Netmask", "Protocol", "Context") |
Stephen Smalley | 55fe3db | 2008-08-26 09:36:09 -0400 | [diff] [blame] | 1163 | ddict = self.get_all(locallist) |
Christian Kuester | 49706ad | 2008-08-14 09:32:16 +0200 | [diff] [blame] | 1164 | keys = ddict.keys() |
| 1165 | keys.sort() |
| 1166 | if is_mls_enabled: |
| 1167 | for k in keys: |
| 1168 | val = '' |
| 1169 | for fields in k: |
| 1170 | val = val + '\t' + str(fields) |
| 1171 | print "%-18s %-18s %-5s %s:%s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False)) |
| 1172 | else: |
| 1173 | for k in keys: |
| 1174 | print "%-18s %-18s %-5s %s:%s:%s " % (k[0],k[1],k[2],ddict[k][0], ddict[k][1],ddict[k][2]) |
| 1175 | |
| 1176 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1177 | class interfaceRecords(semanageRecords): |
| 1178 | def __init__(self, store = ""): |
| 1179 | semanageRecords.__init__(self, store) |
| 1180 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1181 | def __add(self, interface, serange, ctype): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1182 | if is_mls_enabled == 1: |
| 1183 | if serange == "": |
| 1184 | serange = "s0" |
| 1185 | else: |
| 1186 | serange = untranslate(serange) |
| 1187 | |
| 1188 | if ctype == "": |
| 1189 | raise ValueError(_("SELinux Type is required")) |
| 1190 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1191 | (rc, k) = semanage_iface_key_create(self.sh, interface) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1192 | if rc < 0: |
| 1193 | raise ValueError(_("Could not create key for %s") % interface) |
| 1194 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1195 | (rc, exists) = semanage_iface_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1196 | if rc < 0: |
| 1197 | raise ValueError(_("Could not check if interface %s is defined") % interface) |
| 1198 | if exists: |
| 1199 | raise ValueError(_("Interface %s already defined") % interface) |
| 1200 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1201 | (rc, iface) = semanage_iface_create(self.sh) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1202 | if rc < 0: |
| 1203 | raise ValueError(_("Could not create interface for %s") % interface) |
| 1204 | |
| 1205 | rc = semanage_iface_set_name(self.sh, iface, interface) |
| 1206 | (rc, con) = semanage_context_create(self.sh) |
| 1207 | if rc < 0: |
| 1208 | raise ValueError(_("Could not create context for %s") % interface) |
| 1209 | |
| 1210 | rc = semanage_context_set_user(self.sh, con, "system_u") |
| 1211 | if rc < 0: |
| 1212 | raise ValueError(_("Could not set user in interface context for %s") % interface) |
| 1213 | |
| 1214 | rc = semanage_context_set_role(self.sh, con, "object_r") |
| 1215 | if rc < 0: |
| 1216 | raise ValueError(_("Could not set role in interface context for %s") % interface) |
| 1217 | |
| 1218 | rc = semanage_context_set_type(self.sh, con, ctype) |
| 1219 | if rc < 0: |
| 1220 | raise ValueError(_("Could not set type in interface context for %s") % interface) |
| 1221 | |
| 1222 | if serange != "": |
| 1223 | rc = semanage_context_set_mls(self.sh, con, serange) |
| 1224 | if rc < 0: |
| 1225 | raise ValueError(_("Could not set mls fields in interface context for %s") % interface) |
| 1226 | |
| 1227 | rc = semanage_iface_set_ifcon(self.sh, iface, con) |
| 1228 | if rc < 0: |
| 1229 | raise ValueError(_("Could not set interface context for %s") % interface) |
| 1230 | |
| 1231 | rc = semanage_iface_set_msgcon(self.sh, iface, con) |
| 1232 | if rc < 0: |
| 1233 | raise ValueError(_("Could not set message context for %s") % interface) |
| 1234 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1235 | rc = semanage_iface_modify_local(self.sh, k, iface) |
| 1236 | if rc < 0: |
| 1237 | raise ValueError(_("Could not add interface %s") % interface) |
| 1238 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1239 | semanage_context_free(con) |
| 1240 | semanage_iface_key_free(k) |
| 1241 | semanage_iface_free(iface) |
| 1242 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1243 | def add(self, interface, serange, ctype): |
| 1244 | self.begin() |
| 1245 | self.__add(interface, serange, ctype) |
| 1246 | self.commit() |
| 1247 | |
| 1248 | def __modify(self, interface, serange, setype): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1249 | if serange == "" and setype == "": |
| 1250 | raise ValueError(_("Requires setype or serange")) |
| 1251 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1252 | (rc, k) = semanage_iface_key_create(self.sh, interface) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1253 | if rc < 0: |
| 1254 | raise ValueError(_("Could not create key for %s") % interface) |
| 1255 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1256 | (rc, exists) = semanage_iface_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1257 | if rc < 0: |
| 1258 | raise ValueError(_("Could not check if interface %s is defined") % interface) |
| 1259 | if not exists: |
| 1260 | raise ValueError(_("Interface %s is not defined") % interface) |
| 1261 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1262 | (rc, iface) = semanage_iface_query(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1263 | if rc < 0: |
| 1264 | raise ValueError(_("Could not query interface %s") % interface) |
| 1265 | |
| 1266 | con = semanage_iface_get_ifcon(iface) |
| 1267 | |
| 1268 | if serange != "": |
| 1269 | semanage_context_set_mls(self.sh, con, untranslate(serange)) |
| 1270 | if setype != "": |
| 1271 | semanage_context_set_type(self.sh, con, setype) |
| 1272 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1273 | rc = semanage_iface_modify_local(self.sh, k, iface) |
| 1274 | if rc < 0: |
| 1275 | raise ValueError(_("Could not modify interface %s") % interface) |
| 1276 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1277 | semanage_iface_key_free(k) |
| 1278 | semanage_iface_free(iface) |
| 1279 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1280 | def modify(self, interface, serange, setype): |
| 1281 | self.begin() |
| 1282 | self.__modify(interface, serange, setype) |
| 1283 | self.commit() |
| 1284 | |
| 1285 | def __delete(self, interface): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1286 | (rc, k) = semanage_iface_key_create(self.sh, interface) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1287 | if rc < 0: |
| 1288 | raise ValueError(_("Could not create key for %s") % interface) |
| 1289 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1290 | (rc, exists) = semanage_iface_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1291 | if rc < 0: |
| 1292 | raise ValueError(_("Could not check if interface %s is defined") % interface) |
| 1293 | if not exists: |
| 1294 | raise ValueError(_("Interface %s is not defined") % interface) |
| 1295 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1296 | (rc, exists) = semanage_iface_exists_local(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1297 | if rc < 0: |
| 1298 | raise ValueError(_("Could not check if interface %s is defined") % interface) |
| 1299 | if not exists: |
| 1300 | raise ValueError(_("Interface %s is defined in policy, cannot be deleted") % interface) |
| 1301 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1302 | rc = semanage_iface_del_local(self.sh, k) |
| 1303 | if rc < 0: |
| 1304 | raise ValueError(_("Could not delete interface %s") % interface) |
| 1305 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1306 | semanage_iface_key_free(k) |
| 1307 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1308 | def delete(self, interface): |
| 1309 | self.begin() |
| 1310 | self.__delete(interface) |
| 1311 | self.commit() |
| 1312 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1313 | def get_all(self, locallist = 0): |
| 1314 | ddict = {} |
| 1315 | if locallist: |
| 1316 | (rc, self.ilist) = semanage_iface_list_local(self.sh) |
| 1317 | else: |
| 1318 | (rc, self.ilist) = semanage_iface_list(self.sh) |
| 1319 | if rc < 0: |
| 1320 | raise ValueError(_("Could not list interfaces")) |
| 1321 | |
| 1322 | for interface in self.ilist: |
| 1323 | con = semanage_iface_get_ifcon(interface) |
| 1324 | ddict[semanage_iface_get_name(interface)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) |
| 1325 | |
| 1326 | return ddict |
| 1327 | |
| 1328 | def list(self, heading = 1, locallist = 0): |
| 1329 | if heading: |
| 1330 | print "%-30s %s\n" % (_("SELinux Interface"), _("Context")) |
| 1331 | ddict = self.get_all(locallist) |
| 1332 | keys = ddict.keys() |
| 1333 | keys.sort() |
| 1334 | if is_mls_enabled: |
| 1335 | for k in keys: |
| 1336 | print "%-30s %s:%s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2], translate(ddict[k][3], False)) |
| 1337 | else: |
| 1338 | for k in keys: |
| 1339 | print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2]) |
| 1340 | |
| 1341 | class fcontextRecords(semanageRecords): |
| 1342 | def __init__(self, store = ""): |
| 1343 | semanageRecords.__init__(self, store) |
| 1344 | |
| 1345 | def createcon(self, target, seuser = "system_u"): |
| 1346 | (rc, con) = semanage_context_create(self.sh) |
| 1347 | if rc < 0: |
| 1348 | raise ValueError(_("Could not create context for %s") % target) |
| 1349 | if seuser == "": |
| 1350 | seuser = "system_u" |
| 1351 | |
| 1352 | rc = semanage_context_set_user(self.sh, con, seuser) |
| 1353 | if rc < 0: |
| 1354 | raise ValueError(_("Could not set user in file context for %s") % target) |
| 1355 | |
| 1356 | rc = semanage_context_set_role(self.sh, con, "object_r") |
| 1357 | if rc < 0: |
| 1358 | raise ValueError(_("Could not set role in file context for %s") % target) |
| 1359 | |
| 1360 | if is_mls_enabled == 1: |
| 1361 | rc = semanage_context_set_mls(self.sh, con, "s0") |
| 1362 | if rc < 0: |
| 1363 | raise ValueError(_("Could not set mls fields in file context for %s") % target) |
| 1364 | |
| 1365 | return con |
| 1366 | |
| 1367 | def validate(self, target): |
| 1368 | if target == "" or target.find("\n") >= 0: |
| 1369 | raise ValueError(_("Invalid file specification")) |
| 1370 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1371 | def __add(self, target, type, ftype = "", serange = "", seuser = "system_u"): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1372 | self.validate(target) |
| 1373 | |
| 1374 | if is_mls_enabled == 1: |
| 1375 | serange = untranslate(serange) |
| 1376 | |
| 1377 | if type == "": |
| 1378 | raise ValueError(_("SELinux Type is required")) |
| 1379 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1380 | (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1381 | if rc < 0: |
| 1382 | raise ValueError(_("Could not create key for %s") % target) |
| 1383 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1384 | (rc, exists) = semanage_fcontext_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1385 | if rc < 0: |
| 1386 | raise ValueError(_("Could not check if file context for %s is defined") % target) |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1387 | |
| 1388 | if not exists: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1389 | (rc, exists) = semanage_fcontext_exists_local(self.sh, k) |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1390 | if rc < 0: |
| 1391 | raise ValueError(_("Could not check if file context for %s is defined") % target) |
| 1392 | |
| 1393 | if exists: |
| 1394 | raise ValueError(_("File context for %s already defined") % target) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1395 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1396 | (rc, fcontext) = semanage_fcontext_create(self.sh) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1397 | if rc < 0: |
| 1398 | raise ValueError(_("Could not create file context for %s") % target) |
| 1399 | |
| 1400 | rc = semanage_fcontext_set_expr(self.sh, fcontext, target) |
| 1401 | if type != "<<none>>": |
| 1402 | con = self.createcon(target, seuser) |
| 1403 | |
| 1404 | rc = semanage_context_set_type(self.sh, con, type) |
| 1405 | if rc < 0: |
| 1406 | raise ValueError(_("Could not set type in file context for %s") % target) |
| 1407 | |
| 1408 | if serange != "": |
| 1409 | rc = semanage_context_set_mls(self.sh, con, serange) |
| 1410 | if rc < 0: |
| 1411 | raise ValueError(_("Could not set mls fields in file context for %s") % target) |
| 1412 | rc = semanage_fcontext_set_con(self.sh, fcontext, con) |
| 1413 | if rc < 0: |
| 1414 | raise ValueError(_("Could not set file context for %s") % target) |
| 1415 | |
| 1416 | semanage_fcontext_set_type(fcontext, file_types[ftype]) |
| 1417 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1418 | rc = semanage_fcontext_modify_local(self.sh, k, fcontext) |
| 1419 | if rc < 0: |
| 1420 | raise ValueError(_("Could not add file context for %s") % target) |
| 1421 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1422 | if type != "<<none>>": |
| 1423 | semanage_context_free(con) |
| 1424 | semanage_fcontext_key_free(k) |
| 1425 | semanage_fcontext_free(fcontext) |
| 1426 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1427 | def add(self, target, type, ftype = "", serange = "", seuser = "system_u"): |
| 1428 | self.begin() |
| 1429 | self.__add(target, type, ftype, serange, seuser) |
| 1430 | self.commit() |
| 1431 | |
| 1432 | def __modify(self, target, setype, ftype, serange, seuser): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1433 | if serange == "" and setype == "" and seuser == "": |
| 1434 | raise ValueError(_("Requires setype, serange or seuser")) |
| 1435 | self.validate(target) |
| 1436 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1437 | (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1438 | if rc < 0: |
| 1439 | raise ValueError(_("Could not create a key for %s") % target) |
| 1440 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1441 | (rc, exists) = semanage_fcontext_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1442 | if rc < 0: |
| 1443 | raise ValueError(_("Could not check if file context for %s is defined") % target) |
| 1444 | if not exists: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1445 | (rc, exists) = semanage_fcontext_exists_local(self.sh, k) |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1446 | if not exists: |
| 1447 | raise ValueError(_("File context for %s is not defined") % target) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1448 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1449 | (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1450 | if rc < 0: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1451 | (rc, fcontext) = semanage_fcontext_query(self.sh, k) |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1452 | if rc < 0: |
| 1453 | raise ValueError(_("Could not query file context for %s") % target) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1454 | |
| 1455 | if setype != "<<none>>": |
| 1456 | con = semanage_fcontext_get_con(fcontext) |
| 1457 | |
| 1458 | if con == None: |
| 1459 | con = self.createcon(target) |
| 1460 | |
| 1461 | if serange != "": |
| 1462 | semanage_context_set_mls(self.sh, con, untranslate(serange)) |
| 1463 | if seuser != "": |
| 1464 | semanage_context_set_user(self.sh, con, seuser) |
| 1465 | |
| 1466 | if setype != "": |
| 1467 | semanage_context_set_type(self.sh, con, setype) |
| 1468 | |
| 1469 | rc = semanage_fcontext_set_con(self.sh, fcontext, con) |
| 1470 | if rc < 0: |
| 1471 | raise ValueError(_("Could not set file context for %s") % target) |
| 1472 | else: |
| 1473 | rc = semanage_fcontext_set_con(self.sh, fcontext, None) |
| 1474 | if rc < 0: |
| 1475 | raise ValueError(_("Could not set file context for %s") % target) |
| 1476 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1477 | rc = semanage_fcontext_modify_local(self.sh, k, fcontext) |
| 1478 | if rc < 0: |
| 1479 | raise ValueError(_("Could not modify file context for %s") % target) |
| 1480 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1481 | semanage_fcontext_key_free(k) |
| 1482 | semanage_fcontext_free(fcontext) |
| 1483 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1484 | def modify(self, target, setype, ftype, serange, seuser): |
| 1485 | self.begin() |
| 1486 | self.__modify(target, setype, ftype, serange, seuser) |
| 1487 | self.commit() |
| 1488 | |
| 1489 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1490 | def deleteall(self): |
| 1491 | (rc, flist) = semanage_fcontext_list_local(self.sh) |
| 1492 | if rc < 0: |
| 1493 | raise ValueError(_("Could not list the file contexts")) |
| 1494 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1495 | self.begin() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1496 | |
| 1497 | for fcontext in flist: |
| 1498 | target = semanage_fcontext_get_expr(fcontext) |
| 1499 | ftype = semanage_fcontext_get_type(fcontext) |
| 1500 | ftype_str = semanage_fcontext_get_type_str(ftype) |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1501 | (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype_str]) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1502 | if rc < 0: |
| 1503 | raise ValueError(_("Could not create a key for %s") % target) |
| 1504 | |
| 1505 | rc = semanage_fcontext_del_local(self.sh, k) |
| 1506 | if rc < 0: |
| 1507 | raise ValueError(_("Could not delete the file context %s") % target) |
| 1508 | semanage_fcontext_key_free(k) |
| 1509 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1510 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1511 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1512 | def __delete(self, target, ftype): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1513 | (rc,k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) |
| 1514 | if rc < 0: |
| 1515 | raise ValueError(_("Could not create a key for %s") % target) |
| 1516 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1517 | (rc, exists) = semanage_fcontext_exists_local(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1518 | if rc < 0: |
| 1519 | raise ValueError(_("Could not check if file context for %s is defined") % target) |
| 1520 | if not exists: |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1521 | (rc, exists) = semanage_fcontext_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1522 | if rc < 0: |
| 1523 | raise ValueError(_("Could not check if file context for %s is defined") % target) |
| 1524 | if exists: |
| 1525 | raise ValueError(_("File context for %s is defined in policy, cannot be deleted") % target) |
| 1526 | else: |
| 1527 | raise ValueError(_("File context for %s is not defined") % target) |
| 1528 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1529 | rc = semanage_fcontext_del_local(self.sh, k) |
| 1530 | if rc < 0: |
| 1531 | raise ValueError(_("Could not delete file context for %s") % target) |
| 1532 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1533 | semanage_fcontext_key_free(k) |
| 1534 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1535 | def delete(self, target, ftype): |
| 1536 | self.begin() |
| 1537 | self.__delete( target, ftype) |
| 1538 | self.commit() |
| 1539 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1540 | def get_all(self, locallist = 0): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1541 | if locallist: |
| 1542 | (rc, self.flist) = semanage_fcontext_list_local(self.sh) |
| 1543 | else: |
| 1544 | (rc, self.flist) = semanage_fcontext_list(self.sh) |
| 1545 | if rc < 0: |
| 1546 | raise ValueError(_("Could not list file contexts")) |
| 1547 | |
| 1548 | (rc, fclocal) = semanage_fcontext_list_local(self.sh) |
| 1549 | if rc < 0: |
| 1550 | raise ValueError(_("Could not list local file contexts")) |
| 1551 | |
| 1552 | self.flist += fclocal |
| 1553 | |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1554 | ddict = {} |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1555 | for fcontext in self.flist: |
| 1556 | expr = semanage_fcontext_get_expr(fcontext) |
| 1557 | ftype = semanage_fcontext_get_type(fcontext) |
| 1558 | ftype_str = semanage_fcontext_get_type_str(ftype) |
| 1559 | con = semanage_fcontext_get_con(fcontext) |
| 1560 | if con: |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1561 | ddict[(expr, ftype_str)] = (semanage_context_get_user(con), semanage_context_get_role(con), semanage_context_get_type(con), semanage_context_get_mls(con)) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1562 | else: |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1563 | ddict[(expr, ftype_str)] = con |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1564 | |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1565 | return ddict |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1566 | |
| 1567 | def list(self, heading = 1, locallist = 0 ): |
| 1568 | if heading: |
| 1569 | print "%-50s %-18s %s\n" % (_("SELinux fcontext"), _("type"), _("Context")) |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1570 | fcon_dict = self.get_all(locallist) |
| 1571 | keys = fcon_dict.keys() |
| 1572 | keys.sort() |
| 1573 | for k in keys: |
| 1574 | if fcon_dict[k]: |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1575 | if is_mls_enabled: |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1576 | print "%-50s %-18s %s:%s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1], fcon_dict[k][2], translate(fcon_dict[k][3],False)) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1577 | else: |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1578 | print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1579 | else: |
Joshua Brindle | 1f4d94f | 2008-11-07 19:20:39 -0500 | [diff] [blame] | 1580 | print "%-50s %-18s <<None>>" % (k[0], k[1]) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1581 | |
| 1582 | class booleanRecords(semanageRecords): |
| 1583 | def __init__(self, store = ""): |
| 1584 | semanageRecords.__init__(self, store) |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1585 | self.dict = {} |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1586 | self.dict["TRUE"] = 1 |
| 1587 | self.dict["FALSE"] = 0 |
| 1588 | self.dict["ON"] = 1 |
| 1589 | self.dict["OFF"] = 0 |
| 1590 | self.dict["1"] = 1 |
| 1591 | self.dict["0"] = 0 |
| 1592 | |
| 1593 | def __mod(self, name, value): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1594 | (rc, k) = semanage_bool_key_create(self.sh, name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1595 | if rc < 0: |
| 1596 | raise ValueError(_("Could not create a key for %s") % name) |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1597 | (rc, exists) = semanage_bool_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1598 | if rc < 0: |
| 1599 | raise ValueError(_("Could not check if boolean %s is defined") % name) |
| 1600 | if not exists: |
| 1601 | raise ValueError(_("Boolean %s is not defined") % name) |
| 1602 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1603 | (rc, b) = semanage_bool_query(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1604 | if rc < 0: |
| 1605 | raise ValueError(_("Could not query file context %s") % name) |
| 1606 | |
| 1607 | if value.upper() in self.dict: |
| 1608 | semanage_bool_set_value(b, self.dict[value.upper()]) |
| 1609 | else: |
| 1610 | raise ValueError(_("You must specify one of the following values: %s") % ", ".join(self.dict.keys()) ) |
| 1611 | |
| 1612 | rc = semanage_bool_set_active(self.sh, k, b) |
| 1613 | if rc < 0: |
| 1614 | raise ValueError(_("Could not set active value of boolean %s") % name) |
| 1615 | rc = semanage_bool_modify_local(self.sh, k, b) |
| 1616 | if rc < 0: |
| 1617 | raise ValueError(_("Could not modify boolean %s") % name) |
| 1618 | semanage_bool_key_free(k) |
| 1619 | semanage_bool_free(b) |
| 1620 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1621 | def modify(self, name, value = None, use_file = False): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1622 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1623 | self.begin() |
| 1624 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1625 | if use_file: |
| 1626 | fd = open(name) |
| 1627 | for b in fd.read().split("\n"): |
| 1628 | b = b.strip() |
| 1629 | if len(b) == 0: |
| 1630 | continue |
| 1631 | |
| 1632 | try: |
| 1633 | boolname, val = b.split("=") |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1634 | except ValueError: |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1635 | raise ValueError(_("Bad format %s: Record %s" % ( name, b) )) |
| 1636 | self.__mod(boolname.strip(), val.strip()) |
| 1637 | fd.close() |
| 1638 | else: |
| 1639 | self.__mod(name, value) |
| 1640 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1641 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1642 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1643 | def __delete(self, name): |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1644 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1645 | (rc, k) = semanage_bool_key_create(self.sh, name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1646 | if rc < 0: |
| 1647 | raise ValueError(_("Could not create a key for %s") % name) |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1648 | (rc, exists) = semanage_bool_exists(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1649 | if rc < 0: |
| 1650 | raise ValueError(_("Could not check if boolean %s is defined") % name) |
| 1651 | if not exists: |
| 1652 | raise ValueError(_("Boolean %s is not defined") % name) |
| 1653 | |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1654 | (rc, exists) = semanage_bool_exists_local(self.sh, k) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1655 | if rc < 0: |
| 1656 | raise ValueError(_("Could not check if boolean %s is defined") % name) |
| 1657 | if not exists: |
| 1658 | raise ValueError(_("Boolean %s is defined in policy, cannot be deleted") % name) |
| 1659 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1660 | rc = semanage_bool_del_local(self.sh, k) |
| 1661 | if rc < 0: |
| 1662 | raise ValueError(_("Could not delete boolean %s") % name) |
| 1663 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1664 | semanage_bool_key_free(k) |
| 1665 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1666 | def delete(self, name): |
| 1667 | self.begin() |
| 1668 | self.__delete(name) |
| 1669 | self.commit() |
| 1670 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1671 | def deleteall(self): |
| 1672 | (rc, self.blist) = semanage_bool_list_local(self.sh) |
| 1673 | if rc < 0: |
| 1674 | raise ValueError(_("Could not list booleans")) |
| 1675 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1676 | self.begin() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1677 | |
| 1678 | for boolean in self.blist: |
| 1679 | name = semanage_bool_get_name(boolean) |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1680 | self.__delete(name) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1681 | |
Joshua Brindle | f33c230 | 2008-09-07 18:53:26 -0400 | [diff] [blame] | 1682 | self.commit() |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1683 | |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1684 | def get_all(self, locallist = 0): |
| 1685 | ddict = {} |
| 1686 | if locallist: |
| 1687 | (rc, self.blist) = semanage_bool_list_local(self.sh) |
| 1688 | else: |
| 1689 | (rc, self.blist) = semanage_bool_list(self.sh) |
| 1690 | if rc < 0: |
| 1691 | raise ValueError(_("Could not list booleans")) |
| 1692 | |
| 1693 | for boolean in self.blist: |
| 1694 | value = [] |
| 1695 | name = semanage_bool_get_name(boolean) |
| 1696 | value.append(semanage_bool_get_value(boolean)) |
| 1697 | value.append(selinux.security_get_boolean_pending(name)) |
| 1698 | value.append(selinux.security_get_boolean_active(name)) |
| 1699 | ddict[name] = value |
| 1700 | |
| 1701 | return ddict |
| 1702 | |
| 1703 | def get_desc(self, boolean): |
| 1704 | return boolean_desc(boolean) |
| 1705 | |
| 1706 | def get_category(self, boolean): |
| 1707 | if boolean in booleans_dict: |
| 1708 | return _(booleans_dict[boolean][0]) |
| 1709 | else: |
| 1710 | return _("unknown") |
| 1711 | |
| 1712 | def list(self, heading = True, locallist = False, use_file = False): |
Daniel J Walsh | 8ad29a2 | 2009-06-28 12:32:40 -0400 | [diff] [blame] | 1713 | on_off = (_("off"), _("on")) |
Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400 | [diff] [blame] | 1714 | if use_file: |
| 1715 | ddict = self.get_all(locallist) |
| 1716 | keys = ddict.keys() |
| 1717 | for k in keys: |
| 1718 | if ddict[k]: |
| 1719 | print "%s=%s" % (k, ddict[k][2]) |
| 1720 | return |
| 1721 | if heading: |
| 1722 | print "%-40s %s\n" % (_("SELinux boolean"), _("Description")) |
| 1723 | ddict = self.get_all(locallist) |
| 1724 | keys = ddict.keys() |
| 1725 | for k in keys: |
| 1726 | if ddict[k]: |
| 1727 | print "%-30s -> %-5s %s" % (k, on_off[ddict[k][2]], self.get_desc(k)) |
| 1728 | |