a z f @sJddlZddlZddlZddlZddlZddlZddlZddlZddlTdZ ddl Z ddl m Z ddl mZddlZzFddlZiZejdkrded<eje fd d ied diZejZWnHzddlZeejd <Wn$eyddlZeejd <Yn0Yn0ddlZiZeed <eed<eed<eed<eed<eed<e ed<e ed<e ed<e!ed<e!ed<e!ed<e"ed<e"ed<e"ed<e#ed<e#ed<e#ed<e$ed<e$ed <e$ed!<e%ed"<e%ed#<e%ed$<ddddddd d"d%Z&d&d&d'd(d)d*d+d,dd- Z'z(ddl(Z(e()e(*Gd.d/d/Z+Wn&e,efyLGd0d/d/Z+Yn0Gd1d2d2Z-d3d4Z.dTd6d7Z/dUd8d9Z0Gd:d;d;Z1Gdd?d?e1Z3Gd@dAdAe1Z4GdBdCdCe1Z5GdDdEdEe1Z6GdFdGdGe1Z7GdHdIdIe1Z8GdJdKdKe1Z9GdLdMdMe1Z:GdNdOdOe1Z;GdPdQdQe1Zr+r+r, log_removeslogger.log_removec Cs&|j|jtjt|ddddgdS)Nsemanager )r(r4r&r$ZAUDIT_USER_MAC_CONFIG_CHANGEr7r*r8r+r+r, log_changeslogger.log_changecCsH|jD]}tj||gq|jD]}tj||gq"g|_g|_dSr#)r'r$Zaudit_log_semanage_messager(Zaudit_log_user_comm_message)r*successrr+r+r,commits    logger.commitN)r r r r r r r )r r r r r r r __name__ __module__ __qualname__r-r@rCrGrJr+r+r+r,r"ls   r"c@s8eZdZddZd ddZdddZdd Zd d Zd S)r"cCs g|_dSr#)r'r)r+r+r,r-sr.r c Csd||f} |dkr | d|7} |dkr4| d|7} |dkrH| d|7} |dkr\| d|7} |dkrx|durx| d|7} |dkr|dur| d|7} |j| dS) Nz %s name=%sr z sename=z oldsename=z role=z old_role=z MLSRange=z old_MLSRange=r'r4) r*r8r9r0r:r;r<r=r>messager+r+r,r@s       rAc Cs|||||||||dSr#)r@rBr+r+r,rCsrDcCs|jd|dS)Nz %srPrFr+r+r,rGsrHcCs4|dkrd}nd}|jD]}ttj||qdS)Nz Successful: zFailed: )r'syslogZLOG_INFO)r*rIrQrr+r+r,rJs  rKN)r r r r r r r )r r r r r r r rLr+r+r+r,r"s   c@s0eZdZd ddZd ddZddZdd Zd S) nullloggerr c CsdSr#r+rBr+r+r,r@sznulllogger.logc CsdSr#r+rBr+r+r,rCsznulllogger.log_removecCsdSr#r+rFr+r+r,rGsznulllogger.log_changecCsdSr#r+)r*rIr+r+r,rJsznulllogger.commitN)r r r r r r r )r r r r r r r )rMrNrOr@rCrGrJr+r+r+r,rTs  rTcCsXd}d}|d|d}|d|d}|d|dd|d}td |d |S) Nzs[0-9]*zc[0-9]*z(\.z)?z(\,z)*z(-z(:^$)research)rawZ sensitivitycategoryZ cat_range categoriesZregr+r+r,validate_levels r\rRcCs`d}|dkrd||f}n|}t|\}}|dkr8|S|rL|t|d}|dkrX|S|SdSNza:b:c:rR%s%srr )selinuxZselinux_raw_to_trans_contextlen)rYprependfillercontextrctransr+r+r, translatesrfcCs`d}|dkrd||f}n|}t|\}}|dkr8|S|rL|t|d}|dkrX|S|SdSr])r_Zselinux_trans_to_raw_contextr`)rerarbrcrdrYr+r+r, untranslatesrgc@sfeZdZdZdZdZdZdddZddZddZ d d Z d d Z d dZ ddZ ddZddZdS)semanageRecordsFNcCs|rt|tr||_n||_t|dd|_|js>t|dd|_||j|_t \}}|jdksl|j|krvt |_ n,t |jtdt|jft|_ dS)NnoreloadFstorer r^) isinstancer7rjargsgetattrri get_handleshr_selinux_getpolicytyper"mylogsepolicyZload_store_policyZselinux_set_policy_rootZ selinux_pathrT)r*rlrdZ localstorer+r+r,r-s    zsemanageRecords.__init__cCs | |_dSr#)ri)r*loadr+r+r, set_reload szsemanageRecords.set_reloadcCstjr tjSt}|s"ttdtjsB|dkrBt||t|t_t |s^t |ttdt |}|t krt |ttdt |}|dkrt |ttdt|atdkrt |ttd|t_tjS)Nz Could not create semanage handler z:SELinux policy is not managed or store cannot be accessed.zCannot read policy store.rz'Could not establish semanage connectionz!Could not test MLS enabled status)rhhandleZsemanage_handle_create ValueErrorr transactionZsemanage_select_storeZSEMANAGE_CON_DIRECTrjZsemanage_is_managedZsemanage_handle_destroyZsemanage_access_checkZSEMANAGE_CAN_READZsemanage_connectZsemanage_mls_enabledis_mls_enabled)r*rjrurdr+r+r,rns2      zsemanageRecords.get_handlecCsttddSNzNot yet implementedrvr r)r+r+r, deleteall3szsemanageRecords.deleteallcCs$tjrttd|dt_dS)Nz(Semanage transaction already in progressT)rhrwrvr beginr)r+r+r,start6s zsemanageRecords.startcCs,tjr dSt|j}|dkr(ttddS)Nrz$Could not start semanage transaction)rhrwZsemanage_begin_transactionrorvr r*rdr+r+r,r|<s  zsemanageRecords.begincCsttddSryrzr)r+r+r, customizedCszsemanageRecords.customizedcCsVtjr dS|jrt|jdt|j}|dkrF|jdtt d|jddS)Nrz%Could not commit semanage transactionrR) rhrwriZsemanage_set_reloadroZsemanage_commitrqrJrvr r~r+r+r,rJFs    zsemanageRecords.commitcCs$tjsttddt_|dS)Nz$Semanage transaction not in progressF)rhrwrvr rJr)r+r+r,finishRs zsemanageRecords.finish)N)rMrNrOrwrurjrlr-rtrnr{r}r|rrJrr+r+r+r,rhs $ rhc@sPeZdZdddZddZddZdd d Zd d ZddZddZ ddZ dS) moduleRecordsNcCst||dSr#rhr-r*rlr+r+r,r-[szmoduleRecords.__init__c Csg}t|j\}}}|dkr(ttdt|D]}t||}t|j|\}}|dkrbttdt|j|\}}|dkrttdt|j|\}} |dkrttdt |j|\}} |dkrttd| ||| | fq0|j ddd d |j d dd |S) NrCould not list SELinux moduleszCould not get module namezCould not get module enabledzCould not get module priorityzCould not get module lang_extcSs|dS)Nrr+tr+r+r,zz'moduleRecords.get_all..T)keyreversecSs|dSNrr+rr+r+r,r{r)r) Zsemanage_module_list_allrorvr r3semanage_module_list_nthZsemanage_module_info_get_nameZ semanage_module_info_get_enabledZ!semanage_module_info_get_priorityZ!semanage_module_info_get_lang_extr4sort) r*rrdmlistnumberimodr9ZenabledpriorityZlang_extr+r+r,get_all^s,       zmoduleRecords.get_allcCs0|}t|dkrgSdddd|DDS)NrcSsg|]}d|dqS)z-d %srr+.0xr+r+r, rz,moduleRecords.customized..cSsg|]}|ddkr|qSrRrr+rrr+r+r,rr)rr`)r*allr+r+r,r~s zmoduleRecords.customizedrRrcCs|}t|dkrdS|r:tdtdtdtdf|D]D}|ddkrXtd}n |r^q>d}td |d|d |d |fq>dS) Nrz %-25s %-9s %s z Module NameZPriorityZLanguagerRZDisabledr z%-25s %-9s %-5s %sr)rr`printr )r*heading locallistrrZdisabledr+r+r,lists   zmoduleRecords.listcCs`tj|sttd|t|j|}|dkr@ttd|t|j|}|dkr\|dS)NzModule does not exist: %s r3Invalid priority %d (needs to be between 1 and 999)) ospathexistsrvr semanage_set_default_priorityroZsemanage_module_install_filerJ)r*rrrdr+r+r,adds   zmoduleRecords.addcCs|D]}t|j\}}|dkr.ttdt|j||}|dkrPttdt|j||}|dkr|r|ttd|qttd|q|dS)NrzCould not create module keyzCould not set module key namezCould not enable module %szCould not disable module %s)splitZsemanage_module_key_createrorvr Zsemanage_module_key_set_nameZsemanage_module_set_enabledrJ)r*moduleenablemrdrr+r+r, set_enableds   zmoduleRecords.set_enabledcCsjt|j|}|dkr$ttd||D]0}t|j|}|dkr,|dkr,ttd|q,|dS)Nrrz*Could not remove module %s (remove failed))rrorvr rsemanage_module_removerJ)r*rrrdrr+r+r,deletes   zmoduleRecords.deletecCs6dddd|DD}|D]}||dq dS)NcSsg|] }|dqS)rr+rr+r+r,rrz+moduleRecords.deleteall..cSsg|]}|ddkr|qSrr+rr+r+r,rrT)rr)r*rrr+r+r,r{szmoduleRecords.deleteall)N)rRr) rMrNrOr-rrrrrrr{r+r+r+r,rYs     rc@seZdZdddZddZdS)dontauditClassNcCst||dSr#rrr+r+r,r-szdontauditClass.__init__cCs8|dvrttd|t|j|dk|dS)N)onoffz'dontaudit requires either 'on' or 'off'r)rvr r|Zsemanage_set_disable_dontauditrorJ)r*Z dontauditr+r+r,toggles  zdontauditClass.toggle)N)rMrNrOr-rr+r+r+r,rs rc@sHeZdZdddZddZddZdd d Zd d ZddZddZ dS)permissiveRecordsNcCst||dSr#rrr+r+r,r-szpermissiveRecords.__init__cCsng}t|j\}}}|dkr(ttdt|D]8}t||}t|}|r0|dr0|| ddq0|S)NrrZ permissive_rR) Zsemanage_module_listrorvr r3rZsemanage_module_get_name startswithr4r)r*rrdrrrrr9r+r+r,rs   zpermissiveRecords.get_allcCsddt|DS)NcSsg|] }d|qS)z-a %sr+rr+r+r,rrz0permissiveRecords.customized..)sortedrr)r+r+r,rszpermissiveRecords.customizedrRrcCsddddttjDD}t|dkr0dS|rDtdtd|}|D]}||vrPt|qPt|dkrvdS|rtdtd|D] }t|qdS)NcSsg|] }|dqS)r9r+)ryr+r+r,rrz*permissiveRecords.list..cSsg|]}|dr|qS)Z permissiver+rr+r+r,rrrz %-25s zBuiltin Permissive TypeszCustomized Permissive Types)rrinfoZTYPEr`rr r)r*rrrrrr+r+r,rs    zpermissiveRecords.listcCsRd|}d|}t|j|t||d}|dkr6||dkrNttd|dS)N permissive_%sz(typepermissive %s)Zcilrz?Could not set permissive domain %s (module installation failed))Zsemanage_module_installror`rJrvr )r*typer9Zmodtxtrdr+r+r,rszpermissiveRecords.addcCsB|D],}t|jd|}|dkrttd|q|dS)Nrrz5Could not remove permissive domain %s (remove failed))rrrorvr rJ)r*r9nrdr+r+r,rs  zpermissiveRecords.deletecCs,|}t|dkr(d|}||dS)Nr )rr`joinr)r*rrr+r+r,r{ s  zpermissiveRecords.deleteall)N)rRr) rMrNrOr-rrrrrr{r+r+r+r,rs    rc@s~eZdZdddZddZddZdd Zd d d Zd!d dZddZ ddZ ddZ ddZ d"ddZ ddZd#ddZdS)$ loginRecordsNcCs(t||d|_d|_d|_d|_dSr#)rhr-r<r>r0r;rr+r+r,r-s  zloginRecords.__init__c Cst|\}|_|_|dkr d}t|j}||j\}\}}||\}\}} tdkrn|dkrjt|}n|}t |j |\}} |dkrt t d||ddkrzt |ddWn$t t d|ddYn0n,zt|Wnt t d|Yn0t|j \}} |dkr4t t d |t|j | |}|dkr\t t d |tdkr|dkrt|j | |}|dkrt t d |t|j | |}|dkrt t d |t|j | | }|dkrt t d |t| t| dS)Nr Zuser_urRrCould not create a key for %s%zLinux Group %s does not existzLinux User %s does not existz%Could not create login mapping for %sCould not set name for %sCould not set MLS range for %sz!Could not set SELinux user for %sz"Could not add login mapping for %s)r_getseuserbynamer<r>seluserRecordsrlgetrxrgsemanage_seuser_key_createrorvr grpgetgrnampwdgetpwnamZsemanage_seuser_createZsemanage_seuser_set_namesemanage_seuser_set_mlsrangesemanage_seuser_set_senamesemanage_seuser_modify_localsemanage_seuser_key_freesemanage_seuser_free) r*r9r0r;recuserrecr3rdr=r:kur+r+r,__addsP         zloginRecords.__addc CszzL|||r4ttd|||||n|||||Wn(tyt}z|WYd}~n d}~00dS)Nz:Login mapping for %s is already defined, modifying instead)r|_loginRecords__existsrr _loginRecords__modify_loginRecords__addrJrvr*r9r0r;errorr+r+r,rSs  zloginRecords.addcCs\t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t||S)Nrr2Could not check if login mapping for %s is defined)rrorvr semanage_seuser_existsrr*r9rdrrr+r+r,__existsaszloginRecords.__existsr c Cst|\}|_|_|dkr0|dkr0ttdt|j}||j\}\}}|dkrj||\}\}} n|} |dkr~||_ n||_ t |j |\}} |dkrttd|t |j | \}} |dkrttd|| sttd|t |j | \}} |dkrttd|t| |_t| |_tdkrL|dkrLt|j | t||dkrlt|j | |||_n|j|_t|j | | }|dkrttd |t| t| dS) Nr zRequires seuser or serangerrr#Login mapping for %s is not definedzCould not query seuser for %srRz%Could not modify login mapping for %s)r_rr<r>rvr rrlrr;rrorZsemanage_seuser_querysemanage_seuser_get_mlsrangesemanage_seuser_get_senamerxrrgrr0rrr) r*r9r0r;rrr3rdr=r:rrrr+r+r,__modifymsF       zloginRecords.__modifyc CsPz"||||||Wn(tyJ}z|WYd}~n d}~00dSr#)r|rrJrvrr+r+r,modifys  zloginRecords.modifyc Cs*t|\}|_|_t|j}||j\}\}}t|j|\}}|dkrZt t d|t |j|\}}|dkrt t d||st t d|t |j|\}}|dkrt t d||st t d|t |j|}|dkrt t d|t|td\}|_|_||j\}\}} dS)Nrrrrzrrlrrrorvr rZsemanage_seuser_exists_localZsemanage_seuser_del_localrr0r;) r*r9rrr3rdr=rrr:r+r+r,__deletes,  zloginRecords.__deletec CsLz||||Wn(tyF}z|WYd}~n d}~00dSr#)r|_loginRecords__deleterJrvr*r9rr+r+r,rs   zloginRecords.deletec Cs|t|j\}}|dkr"ttdz,||D]}|t|q0|Wn(tyv}z|WYd}~n d}~00dSNrCould not list login mappings)semanage_seuser_list_localrorvr r|rsemanage_seuser_get_namerJr*rdulistrrr+r+r,r{s  zloginRecords.deleteallc Csi}td|_t|jD]z\}}}||jkr|D]`}zHt|d|}|d}| |d|d|df||<Wq6t yYq60q6q|S)Nz/logins/:rRrr) r_Zselinux_policy_root logins_pathrwalkopenreadrstriprclose IndexError)r*ddictrdirsfilesr9fdrr+r+r,get_all_loginss   zloginRecords.get_all_loginsrcCsli}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]"}t|}t|t|df||<qD|S)Nrrr) rrorZsemanage_seuser_listrvr rrr)r*rrrdrr9r+r+r,rs  zloginRecords.get_allcCspg}|d}t|D]P}||drP|d||d||d|fq|d||d|fq|S)NTrRz-a -s %s -r '%s' %srz -a -s %s %srrkeysr4r*rrrr+r+r,rs  &zloginRecords.customizedrRc Cs@||}|}t|}t|}t|dkrFt|dkrFdStdkr|rvtdtdtdtdtdf|D]0}||}td||dt|d|d fqzt|rtd |j |D]0}||}td||dt|d|d fqnB|rtd tdtdf|D]}td |||dfqdS) NrrRz %-20s %-20s %-20s %s z Login Name SELinux Userz MLS/MCS RangeZServicez%-20s %-20s %-20s %srz Local customization in %sz %-25s %-25s z %-25s %-25s) rrrrr`rxrr rfr) r*rrrZldictZlkeysrrrr+r+r,rs*   $&(zloginRecords.list)N)r r )r r )r)rRr)rMrNrOr-rrrrrrrr{rrrrr+r+r+r,rs 6 2     rc@seZdZdddZddZddZdd Zd d Zgd d d fd dZgd d d fddZ ddZ ddZ ddZ d ddZ ddZd!ddZdS)"rNcCst||dSr#rrr+r+r,r-szseluserRecords.__init__cCst|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t|j|\}}|dkrxttd|t|}t|j|}t|t |||fS)Nrr-Could not check if SELinux user %s is definedCould not query user for %s) semanage_user_key_createrorvr semanage_user_existssemanage_user_querysemanage_user_get_mlsrangesemanage_user_get_rolessemanage_user_key_freesemanage_user_free)r*r9rdrrrr;r:r+r+r,r"s zseluserRecords.getc Cstdkr4|dkrd}nt|}|dkr,d}nt|}t|dkrPttd|t|j|\}}|dkrxttd|t|j\}}|dkrttd|t|j||}|dkrttd||D]0} t |j|| }|dkrttd j | |d qtdkrTt |j||}|dkr,ttd |t |j||}|dkrTttd |t |j||}|dkrttd j | |dt|j|\}} |dkrttd|t|j||}|dkrttd|t|t||jjd|d||ddS)NrRr s0z%You must add at least one role for %srrz$Could not create SELinux user for %srz$Could not add role {role} for {name})r2r9rzCould not set MLS level for %sz(Could not add prefix {prefix} for {role})r2prefixzCould not extract key for %szCould not add SELinux user %sseuserr1)r0r:r;)rxrgr`rvr rroZsemanage_user_createZsemanage_user_set_namesemanage_user_add_roleformatsemanage_user_set_mlsrangesemanage_user_set_mlslevelsemanage_user_set_prefixZsemanage_user_key_extractsemanage_user_modify_localrrrqr@r) r*r9rolesselevelr;rrdrrrrr+r+r,r2sR       zseluserRecords.__addc CszT|||r8ttd|||||||n|||||||Wn4ty}z|jd|WYd}~n d}~00dS)Nz5SELinux user %s is already defined, modifying insteadr) r|_seluserRecords__existsrr _seluserRecords__modify_seluserRecords__addrJrvrqr*r9rrr;rrr+r+r,ris   zseluserRecords.addcCs\t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t||S)Nrrr)rrorvr rrrr+r+r,rvszseluserRecords.__existsr c Cs8d}d}d|}|dkrXt|dkrX|dkrX|dkrXtdkrLttdn ttdt|j|\} } | dkrttd|t|j| \} } | dkrttd|| sttd |t|j| \} } | dkrttd |t | }t |j| \} } | dkrd| }tdkr6|dkr6t |j| t |tdkr\|dkr\t |j| t ||dkrtt|j| |t|dkr| D]}||vrt| |q|D]}|| vrt|j| |qt|j| | } | dkrttd |t| t| d |}d |}|jjd ||||||ddS)Nr rrrRz&Requires prefix, roles, level or rangezRequires prefix or rolesrrSELinux user %s is not definedrz Could not modify SELinux user %sr1r)r0r<r:r;r=r>)rr`rxrvr rrorrrrr rgr r Zsemanage_user_del_rolerr rrrrqr@)r*r9rrr;rr=r>Znewrolesrdrrrrlistrr2r+r+r,rsV $       zseluserRecords.__modifyc Cs`z&||||||||Wn4tyZ}z|jd|WYd}~n d}~00dSr)r|rrJrvrqrr+r+r,rs  zseluserRecords.modifyc Cs8t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd||sdttd|t|j|\}}|dkrttd||sttd|t|j|\}}|dkrttd|t|}t|j|\}}d |}t |j|}|dkrttd|t |t ||j jd |||d dS) Nrrrrz7SELinux user %s is defined in policy, cannot be deletedrr1z Could not delete SELinux user %sr)r<r>r=)rrorvr rZsemanage_user_exists_localrrrrZsemanage_user_del_localrrrqrC) r*r9rdrrrr>rr=r+r+r,rs2   zseluserRecords.__deletec CsXz||||Wn4tyR}z|jd|WYd}~n d}~00dSr)r|_seluserRecords__deleterJrvrqrr+r+r,rs   zseluserRecords.deletec Cst|j\}}|dkr"ttdz,||D]}|t|q0|Wn4ty}z|jd|WYd}~n d}~00dSr) semanage_user_list_localrorvr r|rsemanage_user_get_namerJrqrr+r+r,r{s   zseluserRecords.deleteallrcCsi}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]^}t|}t|j|\}}|dkrxttd|d|}t |t |t ||f|t|<qD|S)NrzCould not list SELinux usersz Could not list roles for user %sr) rrorZsemanage_user_listrvr rrrZsemanage_user_get_prefixZsemanage_user_get_mlslevelr)r*rrrdrr9rrr+r+r,rs   "zseluserRecords.get_allcCsg}|d}t|D]f}||ds6||drf|d||d||d||d|fq|d||d|fq|S)NTrRrz-a -L %s -r %s -R '%s' %srz -a -R '%s' %srrr+r+r,rs 0zseluserRecords.customizedrRc Cs||}t|dkrdSt|}tdkr|r|tddtdtdtdftdtdtd td td td f|D]B}td |||dt||dt||d||dfqn>|rtdtdtd f|D]}td|||dfqdS)NrrRz %-15s %-10s %-10s %-30sr ZLabelingzMLS/z%-15s %-10s %-10s %-30s %s rZPrefixz MCS Levelz MCS Rangez SELinux Rolesz%-15s %-10s %-10s %-30s %srrz %-15s %s z%-15s %s)rr`rrrxrr rfr*rrrrrr+r+r,rs    *BzseluserRecords.list)N)r)rRr)rMrNrOr-rrrrrrrrr{rrrr+r+r+r,rs 7  8 !   rc@seZdZgZd ddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ d!ddZd"ddZddZd#ddZdS)$ portRecordsNcCsHt||z$ttttjddd|_WntyBYn0dS)NZ port_typertypes)rhr-rrrr ATTRIBUTE valid_types RuntimeErrorrr+r+r,r-1s  $ zportRecords.__init__c Csttttd}||vr$||}n ttd|dkrDttdt|tr\| dd}n|f}t |dkrt |d}}nt |d}t |d}|dkrttd t |j |||\}} |dkrttd j||d | |||fS) N)ZtcpZudpZsctpZdccpz0Protocol has to be one of udp, tcp, dccp or sctpr zPort is requiredr/rRrz Invalid Portz)Could not create a key for {proto}/{port}protoport)ZSEMANAGE_PROTO_TCPZSEMANAGE_PROTO_UDPZSEMANAGE_PROTO_SCTPZSEMANAGE_PROTO_DCCPrrvr rkr7rr`intZsemanage_port_key_createror ) r*r#r"Z protocolsproto_dZportshighlowrdrr+r+r,__genkey8s.         zportRecords.__genkeyc Cs>tdkr|dkrd}nt|}|dkr2ttdt|}||jvrVttd||||\}}}}t|j \} } | dkrttdj ||dt | |t | ||t |j \} } | dkrttd j ||dt|j | d } | dkrttd j ||dt|j | d } | dkr4ttd j ||dt|j | |} | dkrbttdj ||dtdkr|dkrt|j | |} | dkrttdj ||dt|j | | } | dkrttdj ||dt|j || } | dkrttdj ||dt| t|t| |jd|t|d d ||fdS)NrRr rType is required'Type %s is invalid, must be a port typerz(Could not create port for {proto}/{port}r!z+Could not create context for {proto}/{port}system_uz5Could not set user in port context for {proto}/{port}object_rz5Could not set role in port context for {proto}/{port}z5Could not set type in port context for {proto}/{port}z;Could not set mls fields in port context for {proto}/{port}z-Could not set port context for {proto}/{port}z!Could not add port {proto}/{port}z8resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s)rxrgrvr rrget_real_type_namer_portRecords__genkeyZsemanage_port_createror Zsemanage_port_set_protoZsemanage_port_set_rangesemanage_context_createsemanage_context_set_usersemanage_context_set_rolesemanage_context_set_typesemanage_context_set_mlsZsemanage_port_set_consemanage_port_modify_localsemanage_context_freesemanage_port_key_freesemanage_port_freerqrGrgetprotobyname) r*r#r"r;rrr%r'r&rdrconr+r+r,rXsR           zportRecords.__addcCsX||||rror Zsemanage_port_querysemanage_port_get_conr3rgr2r4r6r7rqrGrr8) r*r#r"r;setyperr%r'r&rdrrr9r+r+r,rs:      zportRecords.__modifycCs$|||||||dSr#)r|r;rJ)r*r#r"r;rDr+r+r,rszportRecords.modifyc Cst|j\}}|dkr"ttd||D]}t|}t|}t|}t|}d||f}| ||\} } }}|dkrttd|t |j| }|dkrttd|t | ||kr|}|j d|t|fq.|dS)NrzCould not list the ports%s-%srzCould not delete the port %s&resrc=port op=delete lport=%s proto=%s)semanage_port_list_localrorvr r|semanage_port_get_protosemanage_port_get_proto_strsemanage_port_get_lowsemanage_port_get_highr.semanage_port_del_localr6rqrGrr8rJ) r*rdplistr#r" proto_strr'r&Zport_strrr%r+r+r,r{s*   zportRecords.deleteallc Cs|||\}}}}t|j|\}}|dkrBttdj||d|s\ttdj||dt|j|\}}|dkrttdj||d|sttdj||dt|j|}|dkrttdj||dt||j d|t |fdS)Nrr=r!rBz;Port {proto}/{port} is defined in policy, cannot be deletedz$Could not delete port {proto}/{port}rF) r.r>rorvr r Zsemanage_port_exists_localrLr6rqrGrr8r?r+r+r,rs  zportRecords.__deletecCs |||||dSr#)r|_portRecords__deleterJ)r*r#r"r+r+r,rs zportRecords.deleterc Csi}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]N}t|}t|}t|}t |}t |} t |} t |} ||f|| | | f<qD|S)NrCould not list ports) rGrorMsemanage_port_listrvr rCsemanage_context_get_typesemanage_context_get_mlsrHrIrJrK) r*rrrdr#r9ctypelevelr"rNr'r&r+r+r,r s   zportRecords.get_allc Csi}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]}t|}t|}t|}t |}t |} t |} ||f| vrg|||f<| | kr|||f d| qD|||f d| | fqD|S)NrrPz%dz%d-%d)rGrorMrQrvr rCrRrHrIrJrKrr4) r*rrrdr#r9rTr"rNr'r&r+r+r,get_all_by_type!s&   zportRecords.get_all_by_typecCsg}|d}t|D]}|d|dkr6|dnd|d|df}||dr|d||d||d|d|fq|d||d|d|fq|S)NTrrRrEz-a -t %s -r '%s' -p %s %srz-a -t %s -p %s %srr*rrrr#r+r+r,r9s , ,"zportRecords.customizedrRcCs||}t|dkrdSt|}|rHtdtdtdtdf|D]J}d|}|d||d7}||ddD]}|d |7}q|t|qLdS) Nrz%-30s %-8s %s zSELinux Port TypeZProto Port Numberz %-30s %-8s %srR, %s)rVr`rrrr r*rrrrrrrr+r+r,rDs   zportRecords.list)N)r)r)rRr)rMrNrOrr-r.r<rr:r;rr{rOrrrVrrr+r+r+r,r-s  :  *   rc@seZdZgZd ddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ d!ddZd"ddZddZd#ddZdS)$ ibpkeyRecordsNcCsTt||z6ttt|jdgd}tdd|D|_ Wn Yn0dS)NZ ibpkey_typeattrscss|]}t|VqdSr#r7rr+r+r, [rz)ibpkeyRecords.__init__..) rhr-rrrrget_store_policyrjrresultsrr*rlqr+r+r,r-Ws  zibpkeyRecords.__init__cCs|dkrttd|d}t|dkr>t|dd}}nt|dd}t|dd}|dkrnttdt|j|||\}}|dkrttdj||d ||||fS) Nr zSubnet Prefix is requiredr/rRrr z Invalid Pkeyz1Could not create a key for {subnet_prefix}/{pkey} subnet_prefixpkey)rvr rr`r$Zsemanage_ibpkey_key_createror )r*rgrfZpkeysr&r'rdrr+r+r,r(_s    zibpkeyRecords.__genkeyc Cs tdkr|dkrd}nt|}|dkr2ttdt|}||jvrVttd||||\}}}}t|j \}} |dkrttdj ||dt |j | |t | ||t |j \}} |dkrttd j ||dt|j | d }|dkr ttd j ||dt|j | d }|dkr8ttd j ||dt|j | |}|dkrfttdj ||dtdkr|dkrt|j | |}|dkrttdj ||dt|j | | }|dkrttdj ||dt|j || }|dkrttdj ||dt| t|t| dS)NrRr rr))Type %s is invalid, must be a ibpkey typerz2Could not create ibpkey for {subnet_prefix}/{pkey}rez3Could not create context for {subnet_prefix}/{pkey}r+z?Could not set user in ibpkey context for {subnet_prefix}/{pkey}r,z?Could not set role in ibpkey context for {subnet_prefix}/{pkey}z?Could not set type in ibpkey context for {subnet_prefix}/{pkey}zECould not set mls fields in ibpkey context for {subnet_prefix}/{pkey}z7Could not set ibpkey context for {subnet_prefix}/{pkey}z+Could not add ibpkey {subnet_prefix}/{pkey})rxrgrvr rrr-r_ibpkeyRecords__genkeyZsemanage_ibpkey_createror Z!semanage_ibpkey_set_subnet_prefixZsemanage_ibpkey_set_ranger/r0r1r2r3Zsemanage_ibpkey_set_consemanage_ibpkey_modify_localr5semanage_ibpkey_key_freesemanage_ibpkey_free) r*rgrfr;rrr'r&rdrr9r+r+r,rrsP          zibpkeyRecords.__addcCsX||||rttd|jD]X}t|}t|}|dkrbqDt|}t |j|\}}t |} t |} ||f|| | |f<qD|S)NrCould not list ibpkeysZreserved_ibpkey_t) rurorMsemanage_ibpkey_listrvr rtrRrSrvrwrx) r*rrrdrzr9rTrUrfr'r&r+r+r,rs"  zibpkeyRecords.get_allc Csi}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]}t|}t|}t|j|\}}t |}t |} ||f| vrg|||f<|| kr|||f d|qD|||f d|| fqD|S)Nrr|0x%xz 0x%x-0x%x) rurorMr}rvr rtrRrvrwrxrr4) r*rrrdrzr9rTrfr'r&r+r+r,rV-s$   zibpkeyRecords.get_all_by_typecCsg}|d}t|D]}|d|dkr6|dnd|d|df}||dr|d||d||d|d|fq|d||d|d|fq|S)NTrrRrEz-a -t %s -r '%s' -x %s %srz-a -t %s -x %s %srrWr+r+r,rDs , ,"zibpkeyRecords.customizedrRcCs||}|}t|dkr"dS|rDtdtdtdtdft|D]J}d|}|d||d7}||ddD]}|d |7}q|t|qLdS) Nr%-30s %-18s %s zSELinux IB Pkey TypeZ Subnet_Prefixz Pkey Number %-30s %-18s rYrRrZrVrr`rr rr[r+r+r,rPs   zibpkeyRecords.list)N)r)r)rRr)rMrNrOrr-rirorrmrnrr{r{rrrVrrr+r+r+r,r\Ss 8  &   r\c@seZdZgZd ddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ d!ddZd"ddZddZd#ddZdS)$ibendportRecordsNcCsTt||z6ttt|jdgd}tdd|D|_ Wn Yn0dS)NZibendport_typer]css|]}t|VqdSr#r_rr+r+r,r`grz,ibendportRecords.__init__..) rhr-rrrrrarjsetrbrrcr+r+r,r-cs  zibendportRecords.__init__cCsr|dkrttdt|}|dks,|dkr8ttdt|j||\}}|dkrhttdj||d|||fS) Nr zIB device name is requiredrRzInvalid Port Numberrz=Could not create a key for ibendport {ibdev_name}/{ibendport} ibdev_name ibendport)rvr r$Zsemanage_ibendport_key_createror )r*rrr#rdrr+r+r,r(ks  zibendportRecords.__genkeyc Cstdkr|dkrd}nt|}|dkr2ttdt|}||jvrVttd||||\}}}t|j \}}|dkrttdj ||dt |j ||t ||t |j \}} |dkrttd j ||dt|j | d }|dkrttd j ||dt|j | d }|dkr4ttd j ||dt|j | |}|dkrbttdj ||dtdkr|dkrt|j | |}|dkrttdj ||dt|j || }|dkrttdj ||dt|j ||}|dkrttdj ||dt| t|t|dS)NrRr rr)-Type %s is invalid, must be an ibendport typerz2Could not create ibendport for {ibdev_name}/{port}rr#z/Could not create context for {ibendport}/{port}r+z?Could not set user in ibendport context for {ibdev_name}/{port}r,z?Could not set role in ibendport context for {ibdev_name}/{port}z?Could not set type in ibendport context for {ibdev_name}/{port}zECould not set mls fields in ibendport context for {ibdev_name}/{port}z7Could not set ibendport context for {ibdev_name}/{port}z+Could not add ibendport {ibdev_name}/{port})rxrgrvr rrr-r_ibendportRecords__genkeyZsemanage_ibendport_createror Z!semanage_ibendport_set_ibdev_nameZsemanage_ibendport_set_portr/r0r1r2r3Zsemanage_ibendport_set_consemanage_ibendport_modify_localr5semanage_ibendport_key_freesemanage_ibendport_free) r*rrr;rrr#rdrr9r+r+r,rysP          zibendportRecords.__addcCsX||||rttd|jD]N}t|}t|}|dkrbqDt|}t |j|\}}t |} ||f|| |f<qD|S)NrCould not list ibendportsZreserved_ibendport_t) rrorMsemanage_ibendport_listrvr rrRrSrr) r*rrrdrr9rTrUrr#r+r+r,rs   zibendportRecords.get_allc Csi}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]^}t|}t|}t|j|\}}t |}||f| vrg|||f<|||f d|qD|S)Nrrr~) rrorMrrvr rrRrrrr4) r*rrrdrr9rTrr#r+r+r,rV0s   z ibendportRecords.get_all_by_typec Csg}|d}t|D]d}||drZ|d||d||d|d|dfq|d||d|d|dfq|S)NTrRz-a -t %s -r '%s' -z %s %srz-a -t %s -z %s %srrr+r+r,rCs  0&zibendportRecords.customizedrRcCs||}|}t|dkr"dS|rDtdtdtdtdft|D]J}d|}|d||d7}||ddD]}|d |7}q|t|qLdS) NrrzSELinux IB End Port TypezIB Device NamerXrrYrRrZrr[r+r+r,rNs   zibendportRecords.list)N)r)r)rRr)rMrNrOrr-rrrrrrr{rrrrVrrr+r+r+r,r_s 7  &   rc@s~eZdZgZdddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ dddZddZd ddZdS)! nodeRecordsNcCsRt||ddg|_z$ttttjddd|_WntyLYn0dS)Nipv4Zipv6Z node_typerr) rhr-protocolrrrrrrrrr+r+r,r-as   $ znodeRecords.__init__c Cs|}|}d}|dkr ttdt|dks8|ddkrdt||}t|j}t|j}d|j}z|j |}WnttdYn0zt |}Wn(|dkrt j }n ttdYn0||||fS)Nr zNode Address is requiredrrzipv%dzUnknown or missing protocolr)rvr r` ipaddressZ ip_networkr7Znetwork_addressZnetmaskversionrindexrr8Z IPPROTO_IPIP) r*addrmaskrZnewaddrZnewmaskZ newprotocolrZaudit_protocolr+r+r,validateis*    znodeRecords.validatec Csf||||\}}}}tdkr4|dkr,d}nt|}|dkrHttdt|}||jvrlttd|t|j |||\}}|dkrttd|t |j \}} |dkrttd|t | |t |j | ||}t |j \}} |dkrttd |t|j | ||}|dkr(ttd |t|j | d }|dkrPttd |t|j | d }|dkrxttd|t|j | |}|dkrttd|tdkr|dkrt|j | |}|dkrttd|t|j | | }|dkrttd|t|j || }|dkr,ttd|t| t|t| |jd|||d d ||fdS)NrRr rzSELinux node type is required'Type %s is invalid, must be a node typerCould not create key for %szCould not create addr for %sCould not create context for %szCould not set mask for %sr+z)Could not set user in addr context for %sr,z)Could not set role in addr context for %sz)Could not set type in addr context for %sz/Could not set mls fields in addr context for %sz!Could not set addr context for %szCould not add addr %szCresrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s)rrxrgrvr rrr-rsemanage_node_key_createroZsemanage_node_createZsemanage_node_set_protoZsemanage_node_set_addrr/Zsemanage_node_set_maskr0r1r2r3Zsemanage_node_set_consemanage_node_modify_localr5semanage_node_key_freesemanage_node_freerqrG) r*rrr"r;rT audit_protordrnoder9r+r+r,rs^           znodeRecords.__addcCsX|||||r:ttd|||||||n|||||||dS)Nz*Addr %s already defined, modifying instead)r|_nodeRecords__existsrr _nodeRecords__modify_nodeRecords__addrJ)r*rrr"r;rTr+r+r,rs znodeRecords.addcCsv||||\}}}}t|j|||\}}|dkrBttd|t|j|\}}|dkrjttd|t||S)Nrr%Could not check if addr %s is defined)rrrorvr semanage_node_existsrr*rrr"rrdrrr+r+r,rsznodeRecords.__existsc Cs||||\}}}}|dkr2|dkr2ttdt|}|rZ||jvrZttd|t|j|||\}}|dkrttd|t|j|\}} |dkrttd|| sttd|t |j|\}} |dkrttd|t | } t d kr|dkrt |j| t ||dkr0t|j| |t|j|| }|dkrXttd |t|t| |jd |||d d ||fdS)Nr r@rrrrAddr %s is not definedzCould not query addr %srRzCould not modify addr %szFresrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%sr+r,)rrvr rrr-rrrorZsemanage_node_querysemanage_node_get_conrxr3rgr2rrrrqrG) r*rrr"r;rDrrdrrrr9r+r+r,rs8    znodeRecords.__modifycCs&||||||||dSr#)r|rrJ)r*rrr"r;rDr+r+r,r sznodeRecords.modifycCs||||\}}}}t|j|||\}}|dkrBttd|t|j|\}}|dkrjttd||s~ttd|t|j|\}}|dkrttd||sttd|t|j|}|dkrttd|t||j d|||fdS)Nrrrrz/Addr %s is defined in policy, cannot be deletedzCould not delete addr %sz1resrc=node op=delete laddr=%s netmask=%s proto=%s) rrrorvr rZsemanage_node_exists_localZsemanage_node_del_localrrqrGrr+r+r,rs& znodeRecords.__deletecCs"||||||dSr#)r|_nodeRecords__deleterJ)r*rrr"r+r+r,r,sznodeRecords.deletecCspt|j\}}|dkr"ttd||D]4}|t|j|dt|j|d|jt |q.| dS)Nrz!Could not deleteall node mappingsrR) semanage_node_list_localrorvr r|rsemanage_node_get_addrsemanage_node_get_maskrsemanage_node_get_protorJ)r*rdZnlistrr+r+r,r{1s 2znodeRecords.deleteallrc Csi}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]`}t|}t|j|}t|j|}|j t |}t |t |t |t|f||d|d|f<qD|S)NrzCould not list addrsrR)rroilistZsemanage_node_listrvr rrrrrsemanage_context_get_usersemanage_context_get_rolerRrS) r*rrrdrr9rrr"r+r+r,r;s    0znodeRecords.get_allc Csg}|d}t|D]p}||dr`|d|d|d||d||d|dfq|d|d|d||d|dfq|S)NTrz-a -M %s -p %s -t %s -r '%s' %srRrrz-a -M %s -p %s -t %s %srrr+r+r,rMs  6,znodeRecords.customizedrRc Cs||}t|dkrdSt|}|r6tddtr|D]n}d}|D]}|dt|}qJtd|d|d|d||d||d||dt||d d fq>nF|D]@}td |d|d|d||d||d||dfqdS) Nrz%-18s %-18s %-5s %-5s )z IP AddressZNetmaskProtocolContextr  z%-18s %-18s %-5s %s:%s:%s:%s rRrrFz%-18s %-18s %-5s %s:%s:%s )rr`rrrrxr7rf)r*rrrrrvalfieldsr+r+r,rWs    PznodeRecords.list)N)r)rRr)rMrNrOrr-rrrrrrrrr{rrrr+r+r+r,r]s "B (  rc@sreZdZdddZddZddZdd Zd d Zd d ZddZ ddZ ddZ dddZ ddZ dddZdS)interfaceRecordsNcCst||dSr#rrr+r+r,r-lszinterfaceRecords.__init__cCstdkr|dkrd}nt|}|dkr2ttdt|j|\}}|dkrZttd|t|j\}}|dkrttd|t|j||}t|j\}}|dkrttd|t |j|d }|dkrttd |t |j|d }|dkrttd |t |j||}|dkr*ttd |tdkrf|dkrft |j||}|dkrfttd|t |j||}|dkrttd|t|j||}|dkrttd|t|j||}|dkrttd|t|t|t||jd|d d ||fdS)NrRr rSELinux Type is requiredrrz!Could not create interface for %srr+z.Could not set user in interface context for %sr,z.Could not set role in interface context for %sz.Could not set type in interface context for %sz4Could not set mls fields in interface context for %sz&Could not set interface context for %sz$Could not set message context for %szCould not add interface %sz4resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s)rxrgrvr semanage_iface_key_createroZsemanage_iface_createZsemanage_iface_set_namer/r0r1r2r3Zsemanage_iface_set_ifconZsemanage_iface_set_msgconsemanage_iface_modify_localr5semanage_iface_key_freesemanage_iface_freerqrG)r* interfacer;rTrdrifacer9r+r+r,rosT       zinterfaceRecords.__addcCsL|||r2ttd|||||n|||||dS)Nz/Interface %s already defined, modifying instead)r|_interfaceRecords__existsrr _interfaceRecords__modify_interfaceRecords__addrJ)r*rr;rTr+r+r,rs  zinterfaceRecords.addcCs\t|j|\}}|dkr(ttd|t|j|\}}|dkrPttd|t||S)Nrr*Could not check if interface %s is defined)rrorvr semanage_iface_existsrr*rrdrrr+r+r,rszinterfaceRecords.__existsc Cs>|dkr|dkrttdt|j|\}}|dkrDttd|t|j|\}}|dkrlttd||sttd|t|j|\}}|dkrttd|t|}tdkr|dkrt|j|t ||dkrt |j||t |j||}|dkrttd |t |t ||jd |d d ||fdS) Nr r@rrrInterface %s is not definedzCould not query interface %srRzCould not modify interface %sz7resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%sr+r,)rvr rrorZsemanage_iface_querysemanage_iface_get_ifconrxr3rgr2rrrrqrG) r*rr;rDrdrrrr9r+r+r,rs0  zinterfaceRecords.__modifycCs"||||||dSr#)r|rrJ)r*rr;rDr+r+r,rszinterfaceRecords.modifycCst|j|\}}|dkr(ttd|t|j|\}}|dkrPttd||sdttd|t|j|\}}|dkrttd||sttd|t|j|}|dkrttd|t||j d|dS)Nrrrrz4Interface %s is defined in policy, cannot be deletedzCould not delete interface %sz"resrc=interface op=delete netif=%s) rrorvr rZsemanage_iface_exists_localZsemanage_iface_del_localrrqrGrr+r+r,rs$ zinterfaceRecords.__deletecCs||||dSr#)r|_interfaceRecords__deleterJ)r*rr+r+r,rs zinterfaceRecords.deletecCsNt|j\}}|dkr"ttd||D]}|t|q.|dS)Nrz(Could not delete all interface mappings)semanage_iface_list_localrorvr r|rsemanage_iface_get_namerJ)r*rdrrr+r+r,r{ s zinterfaceRecords.deleteallrcCszi}|rt|j\}|_nt|j\}|_|dkr>ttd|jD]0}t|}t|t|t |t |f|t |<qD|S)NrzCould not list interfaces) rrorZsemanage_iface_listrvr rrrrRrSr)r*rrrdrr9r+r+r,r s  &zinterfaceRecords.get_allcCspg}|d}t|D]P}||drP|d||d||d|fq|d||d|fq|S)NTrz-a -t %s -r '%s' %srz -a -t %s %srrr+r+r,r s  &zinterfaceRecords.customizedrRc Cs||}t|dkrdSt|}|rBtdtdtdftr|D]@}td|||d||d||dt||dd fqJn6|D]0}td |||d||d||dfqdS) Nrz %-30s %s zSELinux Interfacerz%-30s %s:%s:%s:%s rRrrFz%-30s %s:%s:%s )rr`rrrr rxrfrr+r+r,r& s   @zinterfaceRecords.list)N)r)rRr)rMrNrOr-rrrrrrrr{rrrr+r+r+r,rjs :  "  rc@seZdZgZd(ddZddZddZdd Zd)d d Zd dZ d*ddZ d+ddZ ddZ ddZ ddZddZddZddZd,d!d"Zd#d$Zd-d&d'ZdS).fcontextRecordsNcCsvt||zLttttjddd|_|jttttjddd7_WntyjYn0i|_i|_ d|_ z`t t d}|D]<}|}t|dkrq|drq|\}}||j|<q|WntyYn0zjt t d}|D]F}|}t|dkr(q |dr8q |\}}||j |<q |WntypYn0dS)NZ file_typerrZ device_nodeFr#)rhr-rrrrrrrequiv equiv_dist equal_indrr_selinux_file_context_subs_path readlinesstripr`rrrIOErrorZ#selinux_file_context_subs_dist_path)r*rlrrtarget substituter+r+r,r-: sF  ,            zfcontextRecords.__init__cCs|jrt}d|}t|d}|jD]}|d||j|fq*|zt |t |t j Wn Yn0t ||d|_t |dS)Nz%s.tmpwz%s %s F)rr_rrrrwriterrchmodstatST_MODErenamerhrJ)r*Z subs_fileZtmpfilerrr+r+r,rJ` s  zfcontextRecords.commitc CsD||dkr,|ddkr,ttd||dkrP|ddkrPttd|||jvrttd|||j|<d|_|jdt d|d t d |d f| dS| ||j|j fD]6}|D],}||drttd ||||fqq|jd t d|d t d |d f||j|<d|_| dS) Nrz=Target %s is not valid. Target is not allowed to end with '/'zESubstitute %s is not valid. Substitute is not allowed to end with '/'z:Equivalence class for %s already exists, modifying insteadT$resrc=fcontext op=modify-equal %s %ssglobrtglobz4File spec %s conflicts with equivalency rule '%s %s'z!resrc=fcontext op=add-equal %s %s)r|rvr rrrrrqrGr$audit_encode_nv_stringrJrrr)r*rrfdictrr+r+r, add_equalp s* ( ( zfcontextRecords.add_equalc Csj|||jvr&ttd|||j|<d|_|jdt d|dt d|df| dS)Nz'Equivalence class for %s does not existTrrrr) r|rrrvr rrqrGr$rrJ)r*rrr+r+r, modify_equal s (zfcontextRecords.modify_equalr+cCst|j\}}|dkr&ttd||dkr2d}t|j||}|dkrXttd|t|j|d}|dkr~ttd|tdkrt|j|d }|dkrttd ||S) Nrrr r+z)Could not set user in file context for %sr,z)Could not set role in file context for %srRr/Could not set mls fields in file context for %s)r/rorvr r0r1rxr3)r*rrrdr9r+r+r, createcon s zfcontextRecords.createconcCs|dks|ddkr"ttd|ddkr>1Type %s is invalid, must be a file or device typerrz$Could not create file context for %sz)Could not set type in file context for %sr!Could not set file context for %sz!Could not add file context for %sr+z6resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%srr,)rrxrgrvr rrr-rsemanage_fcontext_key_createro file_typesZsemanage_fcontext_createZsemanage_fcontext_set_exprrr2r3semanage_fcontext_set_conZsemanage_fcontext_set_typesemanage_fcontext_modify_localr5semanage_fcontext_key_freesemanage_fcontext_freerqrGr$rftype_to_audit) r*rrftyper;rrdrfcontextr9r+r+r,r sN          zfcontextRecords.__addcCsV||||r8ttd|||||||n|||||||dS)Nz6File context for %s already defined, modifying instead)r|_fcontextRecords__existsrr _fcontextRecords__modify_fcontextRecords__addrJ)r*rrrr;rr+r+r,r s  zfcontextRecords.addcCst|j|t|\}}|dkr.ttd|t|j|\}}|dkrVttd||st|j|\}}|dkrttd|t||S)Nrr1Could not check if file context for %s is defined)rrorrvr semanage_fcontext_existssemanage_fcontext_exists_localrr*rrrdrrr+r+r,r szfcontextRecords.__existsc Cs|dkr$|dkr$|dkr$ttd|dvrPt|}||jvrPttd|||t|j|t|\}}|dkrttd|t |j|\}}|dkrttd||rzt |j|\}} Wn"t yttd|Yn0nzt |j|\}}|dkrttd||s.ttd |zt |j|\}} Wn$t yfttd|Yn0|d krt| } | dur||} td kr|dkrt|j| t||dkrt|j| ||dkrt|j| |t|j| | }|dkr6ttd |n(t|j| d}|dkr6ttd |t|j|| }|dkr^ttd |t|t| |sxd}|jdtd|dt||d||fdS)Nr z"Requires setype, serange or seuser)r rrrrrz#Could not query file context for %s"File context for %s is not definedrrRrz$Could not modify file context for %sr+z9resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%srr,)rvr rrr-rrrrorrZsemanage_fcontext_queryOSErrorrZsemanage_fcontext_query_localsemanage_fcontext_get_conrrxr3rgr0r2rrrrrqrGr$rr) r*rrDrr;rrdrrrr9r+r+r,r sf              zfcontextRecords.__modifycCs&||||||||dSr#)r|rrJ)r*rrDrr;rr+r+r,rL szfcontextRecords.modifyc Cst|j\}}|dkr"ttd||D]}t|}t|}t|}t|j|t |\}}|dkrxttd|t |j|}|dkrttd|t ||j dtd|dtt|fq.i|_d|_|dS)Nrz Could not list the file contextsrz$Could not delete the file context %s$resrc=fcontext op=delete %s ftype=%srT)semanage_fcontext_list_localrorvr r|semanage_fcontext_get_exprsemanage_fcontext_get_typesemanage_fcontext_get_type_strrrsemanage_fcontext_del_localrrqrGr$rrfile_type_str_to_optionrrrJ)r*rdflistrrr ftype_strrr+r+r,r{Q s&  (zfcontextRecords.deleteallcCs:||jvr>|j|d|_|jdtd|ddSt|j |t |\}}|dkrlt t d|t |j |\}}|dkrt t d||st|j |\}}|dkrt t d||rt t d|nt t d|t|j |}|dkr t t d |t||jd td|dt|fdS) NTz!resrc=fcontext op=delete-equal %srrrrz;File context for %s is defined in policy, cannot be deletedrz$Could not delete file context for %sr )rrpoprrqrGr$rrrorrvr rrrrrrr+r+r,rk s.   zfcontextRecords.__deletecCs |||||dSr#)r|_fcontextRecords__deleterJ)r*rrr+r+r,r s zfcontextRecords.deleterc Cs|rt|j\}|_nt|j\}|_|dkr:ttdt|j\}}|dkr\ttdt|j\}}|dkr~ttd|j|7_|j|7_i}|jD]Z}t|}t|}t |} t |} | rt | t | t | t| f||| f<q| ||| f<q|S)NrzCould not list file contextsz1Could not list file contexts for home directoriesz"Could not list local file contexts)r rorZsemanage_fcontext_listrvr Zsemanage_fcontext_list_homedirsr rrr rrrRrS) r*rrdZ fchomedirsZfclocalrrexprrrr9r+r+r,r s.    &zfcontextRecords.get_allc Csg}|d}|D]t}||r||drb|dt|d||d||d|dfq|dt|d||d|dfqt|jr|jD]}|d|j||fq|S) NTrz-a -f %s -t %s -r '%s' '%s'rRrrz-a -f %s -t %s '%s'z -a -e %s %s)rrr4rr`r)r*r fcon_dictrrr+r+r,r s   4* zfcontextRecords.customizedrRc Cs||}t|dkr|r:tdtdtdtdf|rH|}n t|}|D]}||rtrtd|d|d||d||d||dt||d d fn6td |d|d||d||d||dfqXtd |d|dfqXt|jrN|sN|r&ttd |jD]}td||j|fq0t|j r|rlttd|j D]}td||j |fqvdS)Nrz%-50s %-18s %s zSELinux fcontextrrz%-50s %-18s %s:%s:%s:%s rRrrFz%-50s %-18s %s:%s:%s z%-50s %-18s <>z, SELinux Distribution fcontext Equivalence z%s = %sz% SELinux Local fcontext Equivalence ) rr`rr rrrxrfrr)r*rrrZfkeysrrr+r+r,r s0   H8    zfcontextRecords.list)N)r+)r r r+)r r r+)r)rRr)rMrNrOrr-rJrrrrrrrrrr{rrrrrr+r+r+r,r6 s$ &  6 C! rc@sleZdZdddZddZdddZd d Zd d Zd dZdddZ ddZ ddZ ddZ dddZ dS)booleanRecordsNcCst||i|_d|jd<d|jd<d|jd<d|jd<d|jd<d|jd<zt\}|_t\}}Wng|_d}Yn0|jd ks|j|krd |_nd |_dS) NrRZTRUErZFALSEZONZOFF10r TF) rhr-dictr_Zsecurity_get_boolean_namescurrent_booleansrprj modify_local)r*rlrdZptyper+r+r,r- s"        zbooleanRecords.__init__cCsNt|}t|j|\}}|dkr2ttd|t|j|\}}|dkrZttd||snttd|t|j|\}}|dkrttd|||j vrt ||j |nttdd |j |j r||jvrt|j||}|dkrttd|t|j||}|dkr:ttd |t|t|dS) Nrr(Could not check if boolean %s is definedBoolean %s is not definedzCould not query file context %sz0You must specify one of the following values: %sz, z(Could not set active value of boolean %szCould not modify boolean %s)r_selinux_boolean_subsemanage_bool_key_createrorvr semanage_bool_existsZsemanage_bool_queryupperrZsemanage_bool_set_valuerrrrZsemanage_bool_set_activeZsemanage_bool_modify_localsemanage_bool_key_freeZsemanage_bool_free)r*r9valuerdrrrr+r+r,Z__mod s0   zbooleanRecords.__modFc Cs||rt|}|dD]j}|}t|dkrttd|jD]t}g}t|}|t||j r||j vr|t ||t |n||d||d|||<qD|Sr-)r.ror/Zsemanage_bool_listrvr r0r4Zsemanage_bool_get_valuerrr_Zsecurity_get_boolean_pendingZsecurity_get_boolean_active)r*rrrdr1r%r9r+r+r,rV s"   zbooleanRecords.get_allcCst|}t|Sr#)r_r rrZ boolean_descr,r+r+r,get_descm s zbooleanRecords.get_desccCst|}t|Sr#)r_r rrZboolean_categoryr,r+r+r, get_categoryq s zbooleanRecords.get_categorycCsFg}|d}t|D]&}||r|d||d|fq|S)NTz -m -%s %srrrr+r+r,ru s  zbooleanRecords.customizedTc Cstdtdf}|rT||}t|D]$}||r*td|||dfq*dS||}t|dkrndS|rtdtdtdtd td ft|D]>}||rtd ||||d|||d||fqdS) Nrrz%s=%srrz%-30s %s %s %s zSELinux booleanStateZDefaultZ Descriptionz%-30s (%-5s,%5s) %s)r rrrrr`r2)r*rrr*Zon_offrrr+r+r,r} s   $zbooleanRecords.list)N)NF)r)TFF)rMrNrOr-r)rr+rr{rr2r3rrr+r+r+r,r s   r)rR)rR)>rrr_rrWr5rrrEZPROGNAMErrZsetools.policyreprZsetools.typequeryrrgettextkwargs version_info translationrr builtinsr7__dict__ ImportErrorZ __builtin__rrSrZSEMANAGE_FCONTEXT_ALLZSEMANAGE_FCONTEXT_REGZSEMANAGE_FCONTEXT_DIRZSEMANAGE_FCONTEXT_CHARZSEMANAGE_FCONTEXT_BLOCKZSEMANAGE_FCONTEXT_SOCKZSEMANAGE_FCONTEXT_LINKZSEMANAGE_FCONTEXT_PIPErrr$Z audit_closer%r"r rTr\rfrgrhrrrrrrr\rrrrrr+r+r+r,s        $$  ik C (M.