#!/usr/bin/python
# Author: Chris PeBenito <cpebenito@tresys.com>
#
# Copyright (C) 2006 Tresys Technology, LLC
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 2.
import sys,string,getopt,re
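# Matches one network_port() declaration from corenetwork.te.in: a name
# followed by one or more (protocol, port, MLS level) triples, optionally
# followed by a comment.  A raw string keeps the regex escapes (\(, \s, \w)
# from also being read as string escapes, which newer Pythons warn about.
NETPORT = re.compile(r"^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")

# Packet types used by the unconditional SECMARK rule that is emitted before
# the per-port rules in each chain.
DEFAULT_INPUT_PACKET = "server_packet_t"
DEFAULT_OUTPUT_PACKET = "client_packet_t"
# Level appended to those default contexts when MCS or MLS is enabled.
DEFAULT_MCS = "s0"
DEFAULT_MLS = "s0"

# Suffixes appended to a declaration's name to form its packet type names.
PACKET_INPUT = "_server_packet_t"
PACKET_OUTPUT = "_client_packet_t"

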
class Port:
    """One (protocol, port number, MLS sensitivity) triple of a network_port() declaration."""

    def __init__(self, proto, num, mls_sens, mcs_cats=""):
        # MCS categories are not supported yet: the mcs_cats argument is
        # accepted for interface stability but ignored, and every port is
        # given DEFAULT_MCS.
        self.mcs_cats = DEFAULT_MCS
        # Port number, kept exactly as it was parsed (expected to be a
        # string, since it is concatenated into the rule text).
        self.num = num
        # Protocol name as written in the policy source, e.g. "tcp".
        self.proto = proto
        # MLS sensitivity of the port.
        self.mls_sens = mls_sens


class Packet:
    """The ports declared by one network_port() entry, together with its name."""

    def __init__(self, prefix, ports):
        # Port objects belonging to this declaration.
        self.ports = ports
        # Name of the network_port() declaration; it is also the prefix of
        # the packet types generated for it.
        self.prefix = prefix


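def print_input_rules(packets, mls, mcs):
    """Print the selinux_new_input chain: SECMARK rules for new inbound traffic.

    An unconditional rule labelling everything with DEFAULT_INPUT_PACKET is
    emitted first; the per-port rules follow, so for matching traffic the
    more specific mark is the one that stays (SECMARK is non-terminating).
    Every rule line carries a leading "base" tag and the chain trailer lines
    a "post" tag.  With mls a sensitivity is appended to each context, with
    mcs a category set; mls takes precedence when both are set.
    Uses print(...) with a single argument so it runs on Python 2 and 3 alike.
    """
    line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:" + DEFAULT_INPUT_PACKET
    if mls:
        line += ":" + DEFAULT_MLS
    elif mcs:
        line += ":" + DEFAULT_MCS
    print(line)

    for packet in packets:
        for port in packet.ports:
            # NOTE: port.num is emitted as-is; NETPORT only requires it to be
            # \w+, so a non-numeric token is caught by iptables at load time,
            # not here.
            line = ("base -A selinux_new_input -p " + port.proto
                    + " --dport " + port.num
                    + " -j SECMARK --selctx system_u:object_r:"
                    + packet.prefix + PACKET_INPUT)
            if mls:
                line += ":" + port.mls_sens
            elif mcs:
                line += ":" + port.mcs_cats
            print(line)

    print("post -A selinux_new_input -j CONNSECMARK --save")
    print("post -A selinux_new_input -j RETURN")

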
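def print_output_rules(packets, mls, mcs):
    """Print the selinux_new_output chain: SECMARK rules for new outbound traffic.

    Mirrors print_input_rules for the output direction: an unconditional
    DEFAULT_OUTPUT_PACKET rule first, then one "base" rule per declared port
    using the port's own packet type, then the "post" chain trailer.  With
    mls a sensitivity is appended to each context, with mcs a category set;
    mls takes precedence when both are set.
    Uses print(...) with a single argument so it runs on Python 2 and 3 alike.
    """
    line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:" + DEFAULT_OUTPUT_PACKET
    if mls:
        line += ":" + DEFAULT_MLS
    elif mcs:
        line += ":" + DEFAULT_MCS
    print(line)

    for packet in packets:
        for port in packet.ports:
            # NOTE: port.num is emitted as-is; NETPORT only requires it to be
            # \w+, so a non-numeric token is caught by iptables at load time,
            # not here.
            line = ("base -A selinux_new_output -p " + port.proto
                    + " --dport " + port.num
                    + " -j SECMARK --selctx system_u:object_r:"
                    + packet.prefix + PACKET_OUTPUT)
            if mls:
                line += ":" + port.mls_sens
            elif mcs:
                line += ":" + port.mcs_cats
            print(line)

    print("post -A selinux_new_output -j CONNSECMARK --save")
    print("post -A selinux_new_output -j RETURN")

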
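def parse_corenet(file_name):
    """Parse the network_port() declarations of a corenetwork.te.in file.

    Only lines matching NETPORT are considered; every other line is skipped.
    Returns a list of Packet objects, one per declaration, in file order.
    Raises whatever open() raises if file_name cannot be read.
    """
    packets = []

    # `with` closes the file even when parsing raises; the original
    # readline() loop leaked the handle in that case.  str.find replaces
    # string.find, which does not exist on Python 3.
    with open(file_name, "r") as corenet_te_in:
        for corenet_line in corenet_te_in:
            if not NETPORT.match(corenet_line):
                continue
            corenet_line = corenet_line.strip()

            # The parameters are everything between the first '(' and the
            # following ')'.  Strip that inner text before splitting: NETPORT
            # allows blanks next to the parentheses, and re.split would turn
            # them into empty leading/trailing fields that shift every
            # parameter by one.
            openparen = corenet_line.find('(') + 1
            closeparen = corenet_line.find(')', openparen)
            parms = re.split(r'\W+', corenet_line[openparen:closeparen].strip())
            name = parms[0]

            # After the name, parameters come in (protocol, port, MLS) triples.
            ports = [Port(proto, num, mls_sens)
                     for proto, num, mls_sens in zip(parms[1::3], parms[2::3], parms[3::3])]
            packets.append(Packet(name, ports))

    return packets

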
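def print_netfilter_config(packets, mls, mcs):
    """Print the complete mangle-table configuration for the given packets.

    Output lines are tagged "pre" (table and chain preamble), "base"
    (per-port SECMARK rules) or "post" (chain trailers and COMMIT).  The
    preamble creates the selinux_* chains, sends NEW connections to the
    selinux_new_* SECMARK chains and restores the saved connection mark for
    RELATED,ESTABLISHED traffic.  mls / mcs are passed through to the rule
    printers, which append a level to each packet context.
    Uses print(...) with a single argument so it runs on Python 2 and 3 alike.
    """
    preamble = (
        "pre *mangle",
        "pre :PREROUTING ACCEPT [0:0]",
        "pre :INPUT ACCEPT [0:0]",
        "pre :FORWARD ACCEPT [0:0]",
        "pre :OUTPUT ACCEPT [0:0]",
        "pre :POSTROUTING ACCEPT [0:0]",
        "pre :selinux_input - [0:0]",
        "pre :selinux_output - [0:0]",
        "pre :selinux_new_input - [0:0]",
        "pre :selinux_new_output - [0:0]",
        "pre -A INPUT -j selinux_input",
        "pre -A OUTPUT -j selinux_output",
        "pre -A selinux_input -m state --state NEW -j selinux_new_input",
        "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore",
        "pre -A selinux_output -m state --state NEW -j selinux_new_output",
        "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore",
    )
    for rule in preamble:
        print(rule)

    print_input_rules(packets, mls, mcs)
    print_output_rules(packets, mls, mcs)

    print("post COMMIT")

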
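# Command-line handling: -m/--mls and -c/--mcs select the level appended to
# packet contexts; the single positional argument is the corenetwork.te.in
# path.  The generated configuration goes to stdout, so every diagnostic is
# written to stderr to keep it out of the output.
mls = False
mcs = False

try:
    opts, paths = getopt.getopt(sys.argv[1:], 'mc', ['mls', 'mcs'])
except getopt.GetoptError:
    # Python 2/3 compatible except form; stderr so the message cannot end up
    # inside the generated configuration on stdout.
    sys.stderr.write("Invalid options.\n")
    sys.exit(1)

for o, _ in opts:
    if o in ("-c", "--mcs"):
        mcs = True
    if o in ("-m", "--mls"):
        mls = True

if not paths:
    sys.stderr.write("Need a path for corenetwork.te.in!\n")
    sys.exit(1)
elif len(paths) > 1:
    sys.stderr.write("Ignoring extra specified paths\n")

packets = parse_corenet(paths[0])
print_netfilter_config(packets, mls, mcs)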