|
Daniel J Walsh |
de82d8 |
#! /usr/bin/env python
|
|
Daniel J Walsh |
de82d8 |
# Copyright (C) 2006 Red Hat
|
|
Daniel J Walsh |
de82d8 |
# see file 'COPYING' for use and warranty information
|
|
Daniel J Walsh |
de82d8 |
#
|
|
Daniel J Walsh |
de82d8 |
# policygentool is a tool for the initial generation of SELinux policy
|
|
Daniel J Walsh |
de82d8 |
#
|
|
Daniel J Walsh |
de82d8 |
# This program is free software; you can redistribute it and/or
|
|
Daniel J Walsh |
de82d8 |
# modify it under the terms of the GNU General Public License as
|
|
Daniel J Walsh |
de82d8 |
# published by the Free Software Foundation; either version 2 of
|
|
Daniel J Walsh |
de82d8 |
# the License, or (at your option) any later version.
|
|
Daniel J Walsh |
de82d8 |
#
|
|
Daniel J Walsh |
de82d8 |
# This program is distributed in the hope that it will be useful,
|
|
Daniel J Walsh |
de82d8 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Daniel J Walsh |
de82d8 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Daniel J Walsh |
de82d8 |
# GNU General Public License for more details.
|
|
Daniel J Walsh |
de82d8 |
#
|
|
Daniel J Walsh |
de82d8 |
# You should have received a copy of the GNU General Public License
|
|
Daniel J Walsh |
de82d8 |
# along with this program; if not, write to the Free Software
|
|
Daniel J Walsh |
de82d8 |
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
|
|
Daniel J Walsh |
de82d8 |
# 02111-1307 USA
|
|
Daniel J Walsh |
de82d8 |
#
|
|
Daniel J Walsh |
de82d8 |
#
|
|
Daniel J Walsh |
de82d8 |
import os, sys, getopt
|
|
Daniel J Walsh |
de82d8 |
import seobject
|
|
Daniel J Walsh |
de82d8 |
import re
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
########################### Interface File #############################
|
|
Daniel J Walsh |
de82d8 |
interface="\n\
|
|
Daniel J Walsh |
faa80b |
## <summary>policy for TEMPLATETYPE</summary>\n\
|
|
Daniel J Walsh |
de82d8 |
\n\
|
|
Daniel J Walsh |
de82d8 |
########################################\n\
|
|
Daniel J Walsh |
de82d8 |
## <summary>\n\
|
|
Daniel J Walsh |
de82d8 |
## Execute a domain transition to run TEMPLATETYPE.\n\
|
|
Daniel J Walsh |
de82d8 |
## </summary>\n\
|
|
Daniel J Walsh |
de82d8 |
## <param name=\"domain\">\n\
|
|
Daniel J Walsh |
de82d8 |
## Domain allowed to transition.\n\
|
|
Daniel J Walsh |
de82d8 |
## </param>\n\
|
|
Daniel J Walsh |
de82d8 |
#\n\
|
|
Daniel J Walsh |
de82d8 |
interface(`TEMPLATETYPE_domtrans',`\n\
|
|
Daniel J Walsh |
de82d8 |
gen_requires(`\n\
|
|
Daniel J Walsh |
de82d8 |
type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;\n\
|
|
Daniel J Walsh |
de82d8 |
')\n\
|
|
Daniel J Walsh |
de82d8 |
\n\
|
|
Daniel J Walsh |
de82d8 |
domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)\n\
|
|
Daniel J Walsh |
de82d8 |
\n\
|
|
Daniel J Walsh |
de82d8 |
allow $1 TEMPLATETYPE_t:fd use;\n\
|
|
Daniel J Walsh |
de82d8 |
allow TEMPLATETYPE_t $1:fd use;\n\
|
|
Daniel J Walsh |
faa80b |
allow TEMPLATETYPE_t:$1:fifo_file rw_file_perms;\n\
|
|
Daniel J Walsh |
faa80b |
allow TEMPLATETYPE_t $1:process sigchld;\n\
|
|
Daniel J Walsh |
de82d8 |
')\n\
|
|
Daniel J Walsh |
de82d8 |
"
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
########################### Type Enforcement File #############################
|
|
Daniel J Walsh |
de82d8 |
te="\n\
|
|
Daniel J Walsh |
b28beb |
policy_module(TEMPLATETYPE,1.0.0)\n\
|
|
Daniel J Walsh |
de82d8 |
\n\
|
|
Daniel J Walsh |
de82d8 |
########################################\n\
|
|
Daniel J Walsh |
de82d8 |
#\n\
|
|
Daniel J Walsh |
de82d8 |
# Declarations\n\
|
|
Daniel J Walsh |
de82d8 |
#\n\
|
|
Daniel J Walsh |
de82d8 |
\n\
|
|
Daniel J Walsh |
de82d8 |
type TEMPLATETYPE_t;\n\
|
|
Daniel J Walsh |
de82d8 |
type TEMPLATETYPE_exec_t;\n\
|
|
Daniel J Walsh |
de82d8 |
domain_type(TEMPLATETYPE_t)\n\
|
|
Daniel J Walsh |
de82d8 |
init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)\n\
|
|
Daniel J Walsh |
de82d8 |
\n\
|
|
Daniel J Walsh |
de82d8 |
########################################\n\
|
|
Daniel J Walsh |
de82d8 |
#\n\
|
|
Daniel J Walsh |
de82d8 |
# TEMPLATETYPE local policy\n\
|
|
Daniel J Walsh |
de82d8 |
#\n\
|
|
Daniel J Walsh |
de82d8 |
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.\n"
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
########################### File Context ##################################
|
|
Daniel J Walsh |
de82d8 |
fc="\n\
|
|
Daniel J Walsh |
de82d8 |
# TEMPLATETYPE executable will have:\n\
|
|
Daniel J Walsh |
de82d8 |
# label: system_u:object_r:TEMPLATETYPE_exec_t\n\
|
|
Daniel J Walsh |
de82d8 |
# MLS sensitivity: s0\n\
|
|
Daniel J Walsh |
de82d8 |
# MCS categories: <none>\n\
|
|
Daniel J Walsh |
de82d8 |
\n\
|
|
Daniel J Walsh |
de82d8 |
EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)\n\
|
|
Daniel J Walsh |
de82d8 |
"
|
|
Daniel J Walsh |
de82d8 |
def errorExit(error):
|
|
Daniel J Walsh |
de82d8 |
sys.stderr.write("%s: " % sys.argv[0])
|
|
Daniel J Walsh |
de82d8 |
sys.stderr.write("%s\n" % error)
|
|
Daniel J Walsh |
de82d8 |
sys.stderr.flush()
|
|
Daniel J Walsh |
de82d8 |
sys.exit(1)
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
def write_te_file(module):
|
|
Daniel J Walsh |
de82d8 |
file="%s.te" % module
|
|
Daniel J Walsh |
de82d8 |
newte=re.sub("TEMPLATETYPE", module, te)
|
|
Daniel J Walsh |
de82d8 |
if os.path.exists(file):
|
|
Daniel J Walsh |
de82d8 |
errorExit("%s already exists" % file)
|
|
Daniel J Walsh |
de82d8 |
fd = open(file, 'w')
|
|
Daniel J Walsh |
de82d8 |
fd.write(newte)
|
|
Daniel J Walsh |
de82d8 |
fd.close()
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
def write_if_file(module):
|
|
Daniel J Walsh |
de82d8 |
file="%s.if" % module
|
|
Daniel J Walsh |
de82d8 |
newif=re.sub("TEMPLATETYPE", module, interface)
|
|
Daniel J Walsh |
de82d8 |
if os.path.exists(file):
|
|
Daniel J Walsh |
de82d8 |
errorExit("%s already exists" % file)
|
|
Daniel J Walsh |
de82d8 |
fd = open(file, 'w')
|
|
Daniel J Walsh |
de82d8 |
fd.write(newif)
|
|
Daniel J Walsh |
de82d8 |
fd.close()
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
def write_fc_file(module, executable):
|
|
Daniel J Walsh |
de82d8 |
file="%s.fc" % module
|
|
Daniel J Walsh |
de82d8 |
newfc=re.sub("TEMPLATETYPE", module, fc)
|
|
Daniel J Walsh |
de82d8 |
newfc=re.sub("EXECUTABLE", executable, newfc)
|
|
Daniel J Walsh |
de82d8 |
if os.path.exists(file):
|
|
Daniel J Walsh |
de82d8 |
errorExit("%s already exists" % file)
|
|
Daniel J Walsh |
de82d8 |
fd = open(file, 'w')
|
|
Daniel J Walsh |
de82d8 |
fd.write(newfc)
|
|
Daniel J Walsh |
de82d8 |
fd.close()
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
def gen_policy(module, executable):
|
|
Daniel J Walsh |
de82d8 |
write_te_file(module)
|
|
Daniel J Walsh |
de82d8 |
write_if_file(module)
|
|
Daniel J Walsh |
de82d8 |
write_fc_file(module, executable)
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
if __name__ == '__main__':
|
|
Daniel J Walsh |
de82d8 |
def usage(message = ""):
|
|
Daniel J Walsh |
de82d8 |
print '%s ModuleName Executable' % sys.argv[0]
|
|
Daniel J Walsh |
de82d8 |
sys.exit(1)
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
if len(sys.argv) != 3:
|
|
Daniel J Walsh |
de82d8 |
usage()
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
gen_policy(sys.argv[1], sys.argv[2])
|
|
Daniel J Walsh |
de82d8 |
|
|
Daniel J Walsh |
de82d8 |
|