selinux-policy/policygentool

149 lines
4.0 KiB
Plaintext
Raw Normal View History

2006-02-03 14:59:07 +00:00
#! /usr/bin/env python
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# policygentool is a tool for the initial generation of SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
import os, sys, getopt
import seobject
import re
########################### Interface File #############################
interface="\n\
## <summary>TEMPLATETYPE policy</summary>\n\
## <desc>\n\
## <p>\n\
## More descriptive text about TEMPLATETYPE. The <desc>\n\
## tag can also use <p>, <ul>, and <ol>\n\
## html tags for formatting.\n\
## </p>\n\
## <p>\n\
## This policy supports the following TEMPLATETYPE features:\n\
## <ul>\n\
## <li>Feature A</li>\n\
## <li>Feature B</li>\n\
## <li>Feature C</li>\n\
## </ul>\n\
## </p>\n\
## </desc>\n\
#\n\
\n\
########################################\n\
## <summary>\n\
## Execute a domain transition to run TEMPLATETYPE.\n\
## </summary>\n\
## <param name=\"domain\">\n\
## Domain allowed to transition.\n\
## </param>\n\
#\n\
interface(`TEMPLATETYPE_domtrans',`\n\
gen_requires(`\n\
type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;\n\
')\n\
\n\
domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)\n\
\n\
allow $1 TEMPLATETYPE_t:fd use;\n\
allow TEMPLATETYPE_t $1:fd use;\n\
allow $1 TEMPLATETYPE_t:fifo_file rw_file_perms;\n\
allow $1 TEMPLATETYPE_t:process sigchld;\n\
')\n\
"
########################### Type Enforcement File #############################
te="\n\
policy_module(TEMPLATE,1.0.0)\n\
\n\
########################################\n\
#\n\
# Declarations\n\
#\n\
\n\
type TEMPLATETYPE_t;\n\
type TEMPLATETYPE_exec_t;\n\
domain_type(TEMPLATETYPE_t)\n\
init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)\n\
\n\
########################################\n\
#\n\
# TEMPLATETYPE local policy\n\
#\n\
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.\n"
########################### File Context ##################################
fc="\n\
# TEMPLATETYPE executable will have:\n\
# label: system_u:object_r:TEMPLATETYPE_exec_t\n\
# MLS sensitivity: s0\n\
# MCS categories: <none>\n\
\n\
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)\n\
"
def errorExit(error):
sys.stderr.write("%s: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
sys.stderr.flush()
sys.exit(1)
def write_te_file(module):
file="%s.te" % module
newte=re.sub("TEMPLATETYPE", module, te)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newte)
fd.close()
def write_if_file(module):
file="%s.if" % module
newif=re.sub("TEMPLATETYPE", module, interface)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newif)
fd.close()
def write_fc_file(module, executable):
file="%s.fc" % module
newfc=re.sub("TEMPLATETYPE", module, fc)
newfc=re.sub("EXECUTABLE", executable, newfc)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newfc)
fd.close()
def gen_policy(module, executable):
write_te_file(module)
write_if_file(module)
write_fc_file(module, executable)
if __name__ == '__main__':
def usage(message = ""):
print '%s ModuleName Executable' % sys.argv[0]
sys.exit(1)
if len(sys.argv) != 3:
usage()
gen_policy(sys.argv[1], sys.argv[2])