selinux-policy/policygentool
2006-03-21 19:46:10 +00:00

298 lines
9.4 KiB
Python

#! /usr/bin/env python
# Copyright (C) 2006 Red Hat
# see file 'COPYING' for use and warranty information
#
# policygentool is a tool for the initial generation of SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
import os, sys, getopt
import re
########################### Interface File #############################
interface="""\
## <summary>policy for TEMPLATETYPE</summary>
########################################
## <summary>
## Execute a domain transition to run TEMPLATETYPE.
## </summary>
## <param name=\"domain\">
## Domain allowed to transition.
## </param>
#
interface(`TEMPLATETYPE_domtrans',`
gen_requires(`
type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
')
domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)
allow $1 TEMPLATETYPE_t:fd use;
allow TEMPLATETYPE_t $1:fd use;
allow TEMPLATETYPE_t:$1:fifo_file rw_file_perms;
allow TEMPLATETYPE_t $1:process sigchld;
')
"""
########################### Type Enforcement File #############################
te="""\
policy_module(TEMPLATETYPE,1.0.0)
########################################
#
# Declarations
#
type TEMPLATETYPE_t;
type TEMPLATETYPE_exec_t;
domain_type(TEMPLATETYPE_t)
init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)
"""
te_pidfile="""
# pid files
type TEMPLATETYPE_var_run_t;
files_pid_file(TEMPLATETYPE_var_run_t)
"""
te_logfile="""
# log files
type TEMPLATETYPE_var_log_t;
logging_log_file(TEMPLATETYPE_var_log_t)
"""
te_libfile="""
# var/lib files
type TEMPLATETYPE_var_lib_t;
files_type(TEMPLATETYPE_var_lib_t)
"""
te_sep="""
########################################
#
# TEMPLATETYPE local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
# Some common macros (you might be able to remove some)
files_read_etc_files(TEMPLATETYPE_t)
libs_use_ld_so(TEMPLATETYPE_t)
libs_use_shared_libs(TEMPLATETYPE_t)
miscfiles_read_localization(TEMPLATETYPE_t)
## internal communication is often done using fifo and unix sockets.
allow TEMPLATETYPE_t self:fifo_file { read write };
allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
"""
te_pidfile2="""
# pid file
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:file manage_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:sock_file manage_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_run_t:dir rw_dir_perms;
files_pid_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_run_t, { file sock_file })
"""
te_logfile2="""
# log files
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:sock_file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_log_t,{ sock_file file dir })
"""
te_libfile2="""
# var/lib files for TEMPLATETYPE
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:sock_file create_file_perms;
allow TEMPLATETYPE_t TEMPLATETYPE_var_lib_t:dir create_dir_perms;
files_var_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t,{ file dir sock_file })
files_var_lib_filetrans(TEMPLATETYPE_t,TEMPLATETYPE_var_lib_t)
"""
te_network2="""
## Networking basics (adjust to your needs!)
sysnet_dns_name_resolve(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
corenet_non_ipsec_sendrecv(TEMPLATETYPE_t)
corenet_tcp_connect_http_port(TEMPLATETYPE_t)
#corenet_tcp_connect_all_ports(TEMPLATETYPE_t)
## if it is a network daemon, consider these:
#corenet_tcp_bind_all_ports(TEMPLATETYPE_t)
#corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
allow TEMPLATETYPE_t self:tcp_socket { listen accept };
"""
te_initsc2="""
# Init script handling
init_use_fds(TEMPLATETYPE_t)
init_use_script_ptys(TEMPLATETYPE_t)
domain_use_interactive_fds(TEMPLATETYPE_t)
"""
########################### File Context ##################################
fc="""\
# TEMPLATETYPE executable will have:
# label: system_u:object_r:TEMPLATETYPE_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
"""
fc_pidfile="""\
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
"""
fc_logfile="""\
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_log_t,s0)
"""
fc_libfile="""\
FILENAME gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
"""
def errorExit(error):
sys.stderr.write("%s: " % sys.argv[0])
sys.stderr.write("%s\n" % error)
sys.stderr.flush()
sys.exit(1)
def write_te_file(module, pidfile, logfile, libfile, network, initsc):
file="%s.te" % module
newte=re.sub("TEMPLATETYPE", module, te)
if pidfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile)
if logfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile)
if libfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile)
newte= newte + re.sub("TEMPLATETYPE", module, te_sep)
if pidfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_pidfile2)
if logfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_logfile2)
if libfile:
newte= newte + re.sub("TEMPLATETYPE", module, te_libfile2)
if network:
newte= newte + re.sub("TEMPLATETYPE", module, te_network2)
if initsc:
newte= newte + re.sub("TEMPLATETYPE", module, te_initsc2)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newte)
fd.close()
def write_if_file(module):
file="%s.if" % module
newif=re.sub("TEMPLATETYPE", module, interface)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newif)
fd.close()
def write_fc_file(module, executable, pidfile, logfile, libfile):
file="%s.fc" % module
temp=re.sub("TEMPLATETYPE", module, fc)
newfc=re.sub("EXECUTABLE", executable, temp)
if pidfile:
temp=re.sub("TEMPLATETYPE", module, fc_pidfile)
newfc=newfc + re.sub("FILENAME", pidfile, temp)
if logfile:
temp=re.sub("TEMPLATETYPE", module, fc_logfile)
newfc=newfc + re.sub("FILENAME", logfile, temp)
if libfile:
temp=re.sub("TEMPLATETYPE", module, fc_libfile)
newfc=newfc + re.sub("FILENAME", libfile, temp)
if os.path.exists(file):
errorExit("%s already exists" % file)
fd = open(file, 'w')
fd.write(newfc)
fd.close()
def gen_policy(module, executable, pidfile, logfile, libfile, initsc, network):
write_te_file(module, pidfile, logfile, libfile, initsc, network)
write_if_file(module)
write_fc_file(module, executable, pidfile, logfile, libfile)
if __name__ == '__main__':
def usage(message = ""):
print '%s ModuleName Executable' % sys.argv[0]
sys.exit(1)
if len(sys.argv) != 3:
usage()
print """\n
This tool generate three files for policy development, A Type Enforcement (te)
file, a File Context (fc), and a Interface File(if). Most of the policy rules
will be written in the te file. Use the File Context file to associate file
paths with security context. Use the interface rules to allow other protected
domains to interact with the newly defined domains.
After generating these files use the /usr/share/selinux/devel/Makefile to
compile your policy package. Then use the semodule tool to load it.
# /usr/share/selinux/devel/policygentool myapp /usr/bin/myapp
# make -f /usr/share/selinux/devel/Makefile
# semodule -l myapp.pp
# restorecon -R -v /usr/bin/myapp "all files defined in myapp.fc"
Now you can turn on permissive mode, start your application and avc messages
will be generated. You can use audit2allow to help translate the avc messages
into policy.
# setenforce 0
# service myapp start
# audit2allow -R -i /var/log/audit/audit.log
Return to continue:"""
sys.stdin.readline().rstrip()
print 'If the module uses pidfiles, what is the pidfile called?'
pidfile = sys.stdin.readline().rstrip()
if pidfile == "":
pidfile = None
print 'If the module uses logfiles, where are they stored?'
logfile = sys.stdin.readline().rstrip()
if logfile == "":
logfile = None
print 'If the module has var/lib files, where are they stored?'
libfile = sys.stdin.readline().rstrip()
if libfile == "":
libfile = None
print 'Does the module have a init script? [yN]'
initsc = sys.stdin.readline().rstrip()
if initsc == "" or initsc == "n" or initsc == "N":
initsc = False
elif initsc == "y" or initsc == "Y":
initsc = True
else:
raise "Please answer with 'y' or 'n'!"
print 'Does the module use the network? [yN]'
network = sys.stdin.readline().rstrip()
if network == "" or network == "n" or network == "N":
network = False
elif network == "y" or network == "Y":
network = True
else:
raise "Please answer with 'y' or 'n'!"
gen_policy(
module=sys.argv[1],
executable=sys.argv[2],
pidfile=pidfile,
logfile=logfile,
libfile=libfile,
initsc=initsc,
network=network
)