From patchwork Thu Sep 22 15:17:32 2016
X-Patchwork-Submitter: Jason Zaman
X-Patchwork-Id: 9345523
From: Jason Zaman
To: selinux@tycho.nsa.gov
Subject: [PATCH 6/7] sepolicy: make search() use setools4 api
Date: Thu, 22 Sep 2016 23:17:32 +0800
Message-Id: <1474557453-14379-7-git-send-email-jason@perfinion.com>
X-Mailer: git-send-email 2.7.3
In-Reply-To: <1474557453-14379-1-git-send-email-jason@perfinion.com>
References: <1474557453-14379-1-git-send-email-jason@perfinion.com>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Signed-off-by: Jason Zaman
---
 policycoreutils/sepolicy/sepolicy/__init__.py | 122 ++++++++++++++++++++++----
 1 file changed, 107 insertions(+), 15 deletions(-)

diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index a3ab10c..b00ec81 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -249,23 +249,115 @@ def info(setype, name=None): raise ValueError("Invalid type") -def search(types, info={}): - seinfo = info - valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW] +def _setools_rule_to_dict(rule): + d = { + 'type': str(rule.ruletype), + 'source': str(rule.source), + 'target': str(rule.target), + 'class': str(rule.tclass), + } + + try: + enabled = bool(rule.qpol_symbol.is_enabled(rule.policy)) + except AttributeError: + enabled = True + + if isinstance(rule, setools.policyrep.terule.AVRule): + d['enabled'] = enabled + + try: + d['permlist'] = list(map(str, rule.perms)) + except setools.policyrep.exception.RuleUseError: + pass + + try: + d['transtype'] = str(rule.default) + except setools.policyrep.exception.RuleUseError: + pass + + try: + d['boolean'] = [(str(rule.conditional), enabled)] + except (AttributeError, setools.policyrep.exception.RuleNotConditional): + pass + + try: + d['filename'] = rule.filename + except (AttributeError, + setools.policyrep.exception.RuleNotConditional, + setools.policyrep.exception.TERuleNoFilename): + pass + + return d + + +def search(types, seinfo=None): + if not seinfo: + seinfo = {} + valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]) for setype in types: if setype not in valid_types: - raise ValueError("Type has to be in %s" % valid_types) - seinfo[setype] = True - - perms = [] - if PERMS in seinfo: - perms = info[PERMS] - seinfo[PERMS] = ",".join(seinfo[PERMS]) - - dict_list = _policy.search(seinfo) - if dict_list and len(perms) != 0: - dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list) - return dict_list + raise ValueError("Type has to be in %s" % " ".join(valid_types)) + + source = None + if SOURCE in seinfo: + source = str(seinfo[SOURCE]) + + target = None + if TARGET in seinfo: + target = str(seinfo[TARGET]) + + tclass = None + if CLASS in seinfo: + tclass = str(seinfo[CLASS]).split(',') + + toret = [] + + tertypes = [] + if 
ALLOW in types: + tertypes.append(ALLOW) + if NEVERALLOW in types: + tertypes.append(NEVERALLOW) + if AUDITALLOW in types: + tertypes.append(AUDITALLOW) + + if len(tertypes) > 0: + q = setools.TERuleQuery(_pol, + ruletype=tertypes, + source=source, + target=target, + tclass=tclass) + + if PERMS in seinfo: + q.perms = seinfo[PERMS] + + toret += [_setools_rule_to_dict(x) for x in q.results()] + + if TRANSITION in types: + rtypes = ['type_transition', 'type_change', 'type_member'] + q = setools.TERuleQuery(_pol, + ruletype=rtypes, + source=source, + target=target, + tclass=tclass) + + if PERMS in seinfo: + q.perms = seinfo[PERMS] + + toret += [_setools_rule_to_dict(x) for x in q.results()] + + if ROLE_ALLOW in types: + ratypes = ['allow'] + q = setools.RBACRuleQuery(_pol, + ruletype=ratypes, + source=source, + target=target, + tclass=tclass) + + for r in q.results(): + toret.append({'source': str(r.source), + 'target': str(r.target)}) + + return toret def get_conditionals(src, dest, tclass, perm):
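Review bot: the `if PERMS in seinfo: q.perms = seinfo[PERMS]` block copied into the TRANSITION branch should be dropped; type_transition, type_change and type_member rules carry no permission set, so a perms filter on that TERuleQuery is at best ignored and at worst excludes every rule it would otherwise match, meaning a caller that passes PERMS together with TRANSITION silently gets no transition results (the removed code only applied perms through `_dict_has_perms`, which matters for AV rules). The same applies to passing `tclass` to the RBACRuleQuery in the ROLE_ALLOW branch, since role allow rules have no object class. Two smaller points: the error message now does `" ".join(valid_types)` on a set, so the listed order varies between runs; and the queries are built on `_pol` while the removed code used `_policy`, and neither the `setools` import nor the `_pol` assignment is visible in this hunk, so please confirm an earlier patch in the series introduces them. The change from `info={}` to `seinfo=None` is a good fix (the old version shared a mutable default and mutated the caller's dict), but it renames the keyword argument, so any caller passing `info=` will break and should be covered in the series.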