PNG  IHDR;IDATxܻn0K )(pA 7LeG{ §㻢|ذaÆ 6lذaÆ 6lذaÆ 6lom$^yذag5bÆ 6lذaÆ 6lذa{ 6lذaÆ `}HFkm,mӪôô! x|'ܢ˟;E:9&ᶒ}{v]n&6 h_tڠ͵-ҫZ;Z$.Pkž)!o>}leQfJTu іچ\X=8Rن4`Vwl>nG^is"ms$ui?wbs[m6K4O.4%/bC%t Mז -lG6mrz2s%9s@-k9=)kB5\+͂Zsٲ Rn~GRC wIcIn7jJhۛNCS|j08yiHKֶۛkɈ+;SzL/F*\Ԕ#"5m2[S=gnaPeғL lذaÆ 6l^ḵaÆ 6lذaÆ 6lذa; _ذaÆ 6lذaÆ 6lذaÆ RIENDB` 3 Flfz@s6ddlZddlZddlZddlZddljZddljZddlZddl Z ddl Z ddl Z dZ y:ddl Z iZejdkrxded<e je fdddeWnJyddlZeejd <Wn&ek rddlZeejd <YnXYnXd Zd ZdZd Zd ZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'iZ(de(d<de(d<de(d<de(d <de(d!<d"e(d#<d$e(d%<d&e(d'<d(e(d)<d(e(d*<d+e(d,<d+e(d-<d.e(d/<d0e(d1<iZ)e*d2e)d3<e*d4e)d5<e*d6e)d7<e*d8e)d9<e*d:e)d;<e*d<e)d=<e*d>e)d?<e*d@e)dA<iZ+d3e+dB<d5e+dC<d7e+dD<d9e+dE<d;e+dF<d=e+dG<d?e+dH<dAe+dI<da,da-da.da/da0ga1da2da3da4da5da6da7da8da9da:da;dada?da@daAdaBdaCdaDdJdKZEddMdNZFdOdPZGdQdRZHdSdTZIyeFZJeHeJWn6eKk rZLzejMd kreLWYddZL[LXnXddUdVZNdWdXZOddYdZZPd[d\ZQd]d^ZRd_d`ZSdadbZTdcddZUdedfZVdgdhZWgfdidjZXgfdkdlZYdmdnZZej[fdodpZ\ej[fdqdrZ]ej[fdsdtZ^ej[fdudvZ_dwdxZ`dydzZad{d|Zbd}d~ZcddZdddZeddZfddZgddZhddZiddZjddZkddZlddZmddZnddZoddZpddZqddZrddZsddZtddZuddZvddZwddZxddZyddZzddZ{ddZ|e|fddZ}ddZ~ddZddZddZddZddZddZdd„ZdddńZdddDŽZddɄZdd˄Zdd̈́ZddτZdS)Nzselinux-pythonTunicodez/usr/share/localezutf-8)Z localedirZcodeset_allowZ auditallowZ neverallowZ dontauditsourcetargetpermlistclassZ transitionZ role_allowZetc_tz/etcZtmp_tz/tmpZ unit_file_tz/usr/lib/systemd/systemz/lib/systemd/systemz/etc/systemd/systemZ var_cache_tz /var/cacheZ var_lib_tz/var/libZlog_tz/var/logZ var_run_tz/var/runz/runZ var_lock_tz /run/lockz /var/run/lockZ var_spool_tz /var/spoolZ content_tz/var/wwwz all filesaz regular filefZ directorydzcharacter devicecz block devicebz socket filesz symbolic linklz named pipepz--z-dz-cz-bz-sz-lz-pc Cs:|jddd}y t||fStk r4d|fSXdS)Nz/policy.rr)rsplitint ValueError)Z policy_path extensionr/usr/lib/python3.6/__init__.pypolicy_sortkeyys  r/c CsLy.|tj}tjd|}|jtd|dSYnXttddS)Nz%s.*)keyrzNo SELinux Policy installed)selinuxZselinux_binary_policy_pathglobsortrrr)rootpathpoliciesrrrget_installed_policys  r)cCs2tjdtj|f}|sdS|jtd|dS)z?Get the path to the policy file located in the given store namez%s%s/policy/policy.*N)r!rr")r$r#Z selinux_pathr%r)storer(rrrget_store_policys  r+c CsTdadadadadadadadadayt j |a Wnt t d|YnXdS)NzFailed to read %s policy file) all_domainsall_attributesbools all_types role_allowsZusersroles file_types port_typessetoolsZ SELinuxPolicy_polrr) policy_filerrrpolicys r7cCst|}|sdSt|dS)N)r+r7)r*r6rrrload_store_policysr8cCs|tkrZtjt}||_t|j}|rLt|dkrLd|_||_t|j}dd|DS|t krtj t}|rv||_dd|jDS|t krtj t}|r||_dd|jDS|t krFtjt}|rdd|jdD}t|d kr||_n t|dkr|d |d f|_tjr4d d|jDSd d|jDS|tkrtjt}|rf||_tjrd d|jDSdd|jDS|tkrtjt}|r||_dd|jDS|tkrtjt}|r||_dd|jDStddS)NrcssB|]:}ttt|jt|t|jttt|jdVqdS))aliasesnameZ permissive attributesN)listmapstrr9boolZ ispermissiver;).0xrrr szinfo..css:|]2}t|ttt|jttt|jdVqdS))r:r1typesN)r>r<r=expandrC)r@rArrrrBscss*|]"}t|ttt|jdVqdS))r:rCN)r>r<r=rD)r@rArrrrBscSsg|] }t|qSr)r)r@irrr szinfo..-rrcss<|]4}|jjt|jt|jjt|jj|jjdVqdS))highprotocolrangetypelowN)portsrHr>rIcontextZrange_type_rL)r@rArrrrBscss2|]*}|jjt|jt|jj|jjdVqdS))rHrIrKrLN)rMrHr>rIrNrOrL)r@rArrrrBscss8|]0}t|jt|ttt|jt|jdVqdS))rJr:r1levelN)r>Z mls_ranger<r=r1Z mls_level)r@rArrrrBscss(|] }t|ttt|jdVqdS))r:r1N)r>r<r=r1)r@rArrrrB scss|]}t||jdVqdS))r:stateN)r>rQ)r@rArrrrBscss"|]}t|t|jdVqdS))r:rN)r>r<perms)r@rArrrrBsz Invalid type)TYPEr4Z TypeQueryr5r:r<resultslenaliasROLE RoleQuery ATTRIBUTEZTypeAttributeQueryPORTZ PortconQuerysplitrMmlsUSERZ UserQueryBOOLEANZ BoolQueryTCLASSZ ObjClassQueryr)setyper:qrTrMrrrinfosr                     rbc3Cs`t|jt|jt|jt|jd}yrQ)r@rrrrrFHsz)_setools_rule_to_dict..booleans conditionalfilename)r>ruletyper r tclassrfrerQZevaluateZconditional_blockAttributeErrorr<r=rRdefaultrg)ZrulerZ boolstatebooleanrcrrr_setools_rule_to_dict'sB rmc Cs|si}tttttttg}x&|D]}||kr"tddj|q"Wd}t |kr\t |t }d}t |krtt |t }d}t |krt |t j d}g}g}t|kr|jtt|kr|jtt|kr|jtt|kr|jtt|dkr.tjt||||d} t|kr|t| _|dd| jD7}t|krdd d g} tjt| |||d} t|krj|t| _|d d| jD7}t|krd g} tjt| |||d} x.| jD]"} |jt | jt | jd qW|S)NzType has to be in %s ,r)rhr r ricSsg|] }t|qSr)rm)r@rArrrrFszsearch..type_transitionZ type_changeZ type_membercSsg|] }t|qSr)rm)r@rArrrrFsr )r r )setALLOW AUDITALLOW NEVERALLOW DONTAUDIT TRANSITION ROLE_ALLOWrjoinSOURCEr>TARGETCLASSr[appendrUr4 TERuleQueryr5PERMSrRrT RBACRuleQueryr r ) rCZseinfoZ valid_typesr`r r riZtoretZtertypesraZrtypesZratypesrrrrsearchYsn               rcsi}g}ggy(ttfddtdd7Wn YnXy(ttfddtdd7Wn YnXtddtfddt}yHxB|D]:}|j|d|d |d fd ||kr|j|i}qWWntk r|SX|S) Ncs |dkS)Nr:r)rA)srcrrsz"get_conditionals..rr;cs |dkS)Nr:r)rA)destrrrscSs|S)Nr)yrrrrscs2|dko0|dko0tj|to0d|kS)Nr r rf)rqissubsetr~)rA) dest_listpermsrc_listrrrs  r rfrc)r rf)r<filterget_all_types_infor=get_all_allow_rulesupdater|KeyError)rrrirZtdictZtlistZallowsrEr)rrrrrrget_conditionalss.((     rcCsHd}x|D]}|ddr d}Pq Wtd|djttdd|fS) NFrfrTz-- Allowed %s [ %s ]z || cSsd|dd|ddfS)Nz%s=%drfrrr)rArrrrsz.get_conditionals_format_text..)rrxrqr=)ZcondrcrArrrget_conditionals_format_texts   rcCsttt|ddS)NrrC)r<rbrY)Z attributerrrget_types_from_attributesrc Csg}i}x&tD]}|jt|r|j|qWt}xN|D]F}y$||dt||df||<Wq<tk rg||<Yq|St}ddg}x|D]}|d|krdqRd |krv|d svqR|djd r|d|krqR|d|kr|d|kr|j|dqRx&t|dD]}||kr|j|qWqRWxP|D]H} y$|| d t|| d f|| <Wqt k r2g|| <YqXqW|S) Nopenwritefile)r rrrZ proc_typeZ sysctl_typer rc_trr) rrrrrUrendswithr|rrr) r`r2Z all_writesrrrr;rEtrrrrget_writable_filess:      $rcstjj|r|gSytjd|Wntd|gS|}|jdrX|dd d}tjj|yd dkrzd7Wntk rtdYnXy4tjd|fdd t fd d tj DSgSdS)Nz%s$zbad reg:z(/.*)?r r rztry failed got an IndexErrorcsg|]}j|r|qSr)match)r@rA)patrrrF(szfind_file..cs|S)Nr)rA)r'rrr(szfind_file..ir") osr'existsrecompileprintrdirname IndexErrorr=listdir)Zregrr)rr'r find_files,      &rcCsVt|}xH|jD]<}|jdr||krx$||D]}xt|D]}|SWq2WqWdS)N_exec_t)get_entrypointskeysrr)domain exclude_listZexecutable_filesexer'rrrrfind_all_files-src Cs`t}y@|jdrD||krDx(||dD]}xt|D]}|SWq(WWntk rZYnXdS)Nrr)rrrr)rrrr'rrrrfind_entrypoint_path7srcCsyZt|dF}x>|D]6}|j}|r|djd r|d|d||d<qWWdQRXWn0tk r}z|jtjkrzWYdd}~XnX|S)Nrr#r)Zequivmodify)rr[rOSErrorerrnoENOENT)Zedictfc_pathrfderrrrread_file_equivCs  ( rcCs"trtSiatt|dddatS)Nz.subsT)r)file_equiv_modifiedr)rrrrget_file_equiv_modifiedPs rcCs&trtSt|att|dddatS)Nz .subs_distF)r) file_equivrr)rrrrget_file_equivYs rcCstrtSgay&t|dd}|j}WdQRXWn.tk r`}z|jtjkrRgSd}~XnXxl|D]d}|j}t|dkrqhy4t|dkrt|d}nd}tj |d|fWqht k rYqhXqhWtS)Nz.localrrrrr) local_filesr readlinesrrrr[rUtrans_file_type_strr|r)rrfcrrErecrrrrget_local_file_pathsbs,     rcCstrtSt|d}|j}|jt|dd}||j7}|jiay*t|dd}||j7}WdQRXWn0tk r}z|jtjkrWYdd}~XnXx|D]}|j}yjt|dkrt |d}nd}|djdd}|tkr t|dj |d n|d g|d t|<WqYqXqWdd gitd <dd gitd<ddgitd<ddgitd<ddgitd<ddgitd<ddgitd<ddgitd<ddgitd<tS)Nrz .homedirsz.localrrr:rr)rrz all log filesZlogfilezall user tmp filesZ user_tmp_typezall user home filesZuser_home_typezall virtual image filesZvirt_image_typezBall files on file systems which do not support extended attributesZ noxattrfsz)all sandbox content in tmpfs file systemsZsandbox_tmpfs_typez&all user content in tmpfs file systemsZuser_tmpfs_typezall files on the system file_typezAuse this label for random content that will be shared using sambaZ samba_share_tr") rrrcloserrrr[rUrr|)rrrrrErrrrrrr~sJ       rc s<yfddttgddiDSttfk r6YnXdS)Ncsg|]}|dkr|qS)rdr)r@rA)r`rrrFsz(get_transitions_into..rprocess)rrv TypeErrorrj)r`r)r`rget_transitions_intos rc Cs0yttg|ddSttfk r*YnXdS)Nr)r r)rrvrrj)r`rrrget_transitionss rc Cs8yddttgd|iDSttfk r2YnXdS)NcSsg|]}|ddkr|qS)rrr)r@rArrrrFsz(get_file_transitions..r )rrvrrj)r`rrrget_file_transitionss rc Csdg}ttgd|i}xJ|D]B}d|kry(x"|dD]}||kr2|j|q2WWqYqXqW|S)Nr re)rrrr|)r`rlZboollistrrrrrrget_boolean_ruless  rcCstdS)NZ entry_type)rrrrrget_all_entrypointssrcs0tjttgdgdgd}fdd|jDS)Nr entrypoint)rhr rirRcs g|]}|jkrt|jqSr)r r>r )r@rA)r`rrrFsz(get_entrypoint_types..)r4r}r5rrrT)r`rar)r`rget_entrypoint_typess  rcshtj|djddy0ttfddttgddd}|d d Sttt fk rbYnXdS) Nrrrcs |dkS)Nr r)rA)rrrrsz$get_init_transtype..init_tr)r rrrd) r#Z getfileconr[r<rrrvrrjr)r' entrypointsr)rrget_init_transtypes$ rc Csbtjtdgddgd}g}xB|jD]6}y|j|kr@|j|jWq$tk rXw$Yq$Xq$W|S)Nrprr)rhr ri)r4r}r5rTrkr|r rj)rdrarrErrrget_init_entrypoints   rc Cstjtdgddgd}i}xd|jD]X}yrkr|r rj)rarrErdrrrget_init_entrypoints_strs   rcCsHy*tddttgd|dd}t|dSttfk rBYnXdS)NcSs|dS)Nrdr)rArrrr sz,get_init_entrypoint_target..rr)r r rr)r=rrvr<rr)rrrrrget_init_entrypoint_target s  rc Csbt}i}xRt|D]F}y$||dt||df||<Wqtk rXg||<YqXqW|S)Nrr)rrrr)r`rrrrrrrs$rc CsttdkrtSttj}y4t|}tj}|j|t |jj a|j Wn&t j jd|t jdYnXtjtS)Nrz#could not open interface info [%s] r)rUmethodsgen_interfacesdefaultsinterface_infor interfacesZ InterfaceSetZ from_filer<rrsysstderrrexitr%)fnrZifsrrr get_methodss   rcCstdkrddttDatS)NcSsg|] }|dqS)r:r)r@rArrrrF6sz!get_all_types..)r/rbrSrrrr get_all_types3srcCstdkrtttatS)N)all_types_infor<rbrSrrrrr9s rcCs&tdkr"ttttdddatS)NZ userdomainrrC) user_typesr<rbrYrrrrget_user_types?srcCsztrtSiatjttgd}xX|jD]L}t|j}t|j}|dks&|dkrPq&|tkrht|j |q&|gt|<q&WtS)N)rhZsystem_r) r0r4rr5rrrTr>r r r|)rarrZtgtrrrget_all_role_allowsFs  rcCszddl}g}tt}x^|D]V}|jdd|}t|dkrt|jdd|ddkr|d|kr|j|dqW|S)Nrz(.*)%sz_exec_t$z_initrc$)rsortedrfindallrUr|)rr,rCrEmrrrget_all_entrypoint_domainsZs   (rcCsyddlm}Wn tk r0ddlm}YnXtj}tj}y tj|j tj|j kr`dSWnt k rvYnXtj dkrt t dt|dddS)Nr)getstatusoutputzEYou must regenerate interface info by running /usr/bin/sepolgen-ifgenz/usr/bin/sepolgen-ifgenr)Zcommandsr ImportError subprocessrrheadersrstatst_mtimergetuidrrr)rZifilerrrrrfs  rcCstr ttfSiaiaxttD]}|d|dkr@t|d}ndt|dt|df}|d|dftkrt|d|dfj|n|gt|d|df<d|kr|d|dft|d|d|df<q|dt|d|d|df<qWttfS)NrLrHz%s-%srKrIrJ)portrecs portrecsbynumrbrZr>r|)rEZportrrr gen_port_dictxs("rcCs"tsttttdddatS)NrrrC)r,r<rbrYrrrrget_all_domainssrcCs(trtStjt}dd|jDatS)NcSs g|]}t|dkrt|qS)Zobject_r)r>)r@rArrrrFsz!get_all_roles..)r1r4rXr5rT)rarrr get_all_roless  rcCs@ts.)rr=rrrrr get_all_userssrcCs&trtSttttdddatS)NrrrC)r2r<rrbrYrrrrrsrcCs&trtSttttdddatS)NZ port_typerrC)r3r<rrbrYrrrrget_all_port_typessrcCststttatS)N)r.r<rbr^rrrr get_all_boolss r cCsdj|dt| jdS)Nrnr)rxrUr[)rZtrimrrr prettyprintsr cCs|S)Nr)rrrrmarkupsr cCsVd||}|jdr(|dt|dS|jdrD|dt|dS|jdr`|dt|dS|jdr||d t|dS|jd r|d t|d S|jd r|d t|d S|jd s|jdr|dS|jdr|dS|jdr|dt|dS|jdr|dt|dS|jdr:|dt|dS|jdrX|dt|dS|jdr~|d|dtd S|jdr|dt|dS|jdr|dt|dS|jdr|dt|dS|jd r|dt|d S|jd!r|d"t|d!S|jd#r2|d$t|d#S|jd%rP|d&t|d%S|jd'rn|d(t|d'S|jd)r|d*t|d'S|jd+r|d$t|d+S|jd,r|d-t|d,S|jd.r|d/t|d.S|jd0r|d1t|d0S|jd2r"|d3t|d2S|jd4r@|d1t|d4S|jd5r^|d1t|d5S|jd6r||d1t|d6S|jd5r|d7t|d5S|jd8r|d9t|d8S|jd:r|d;t|d8S|jd<r|d=t|d<S|jd>r|d?t|d>S|jd@r&|dAS|jdBrD|dCt|dBS|dDt|dES)FNz+Set files with the %s type, if you want to Z _var_run_tz8store the %s files under the /run or /var/run directory.Z_pid_tz,store the %s files under the /run directory.Z _var_lib_tz0store the %s files under the /var/lib directory.Z_var_tz,store the %s files under the /var directory.Z _var_spool_tz2store the %s files under the /var/spool directory.Z_spool_tZ_cache_tZ _var_cache_tz/store the files under the /var/cache directory.Z _keytab_tz)treat the files as kerberos keytab files.Z_lock_tzEtreat the files as %s lock data, stored under the /var/lock directoryZ_log_tzKtreat the data as %s log data, usually stored under the /var/log directory.Z _config_tzRtreat the files as %s configuration data, usually stored under the /etc directory.Z_conf_trz,transition an executable to the %s_t domain.Z_cgi_content_tz"treat the files as %s cgi content.Z _rw_content_tz)treat the files as %s read/write content.Z_rw_tZ_write_tZ_db_tz'treat the files as %s database content.Z _ra_content_tz*treat the files as %s read/append content.Z_cert_tz'treat the files as %s certificate data.Z_key_tztreat the files as %s key data.Z _secret_tz"treat the files as %s secret data.Z_ra_tZ_ro_tz(treat the files as %s read/only content.Z _modules_tztreat the files as %s modules.Z _content_tztreat the files as %s content.Z_state_tz!treat the files as %s state data.Z_files_tZ_file_tZ_data_tztreat the data as %s content.Z_tmp_tz1store %s temporary files in the /tmp directories.Z_etc_tz'store %s files in the /etc directories.Z_home_tz+store %s files in the users home directory.Z_tmpfs_tz&store %s files on a tmpfs file system.Z _unit_file_tz#treat files as a systemd unit file.Z _htaccess_tz#treat the file as a %s access file.ztreat the files as %s data.r)rr rU)rr Ztxtrrrget_descriptions                                     r cCs"tstttddttatS)NcSs|dS)Nr:r)rArrrrBsz$get_all_attributes..)r-r<rr=rbrYrrrrget_all_attributes?sr cCs"x|D]}||tkrdSqWdS)NFT)r~)dictrRrrrr_dict_has_permsFs  rcCspt}|jdr&t|}|dd}n|}|d|krBtd||ddkr`|dd d}n|d}||fS) Nrrzdomain %s_t does not existrrrr"r")rrrr)r`r, domainname short_namerrrrMs    rcCststtgatS)N)all_allow_rulesrrrrrrrr]s rcCs0ts,tjtddttgd}dd|jDatS)Nz.*T)rlZ boolean_regexrhcSsg|] }t|qSr)rm)r@rArrrrFhsz&get_all_bool_rules..)all_bool_rulesr4r}r5rrrurT)rarrrget_all_bool_rulescs   rcCststttgatS)N)all_transitionsr<rrvrrrrget_all_transitionsksrc sg}g}t\}}xtddtfddtD]}x|D]}t|tsNq>ytj|d}Wntk r||d}YnX|dj |s|dj |r|d|f|kr|d| f|kr|j |d|fq>|d|f|ko|d| f|kr>|j |d|fq>Wq4W||fS)NcSs|dS)Nrer)rArrrruszget_bools..csd|ko|dkS)Nrer r)rA)r`rrrusrr) rr=rr isinstancetupler#Zsecurity_get_boolean_activerrr|)r`r.Z domainboolsrrrErrcr)r`r get_boolsqs" $  ""rcCststjdatS)Nr)rer#Zsecurity_get_boolean_namesrrrrget_all_booleanss r#/usr/share/selinux/devel/policy.xmlc CsPytj|}|j}|jWn,tk rJt|}|j}|jYnX|S)N)gziprrrIOError)r'rrrrr policy_xmls  rc CstrtSddl}iay|jjjt|}x2|jdD]"}x|jdD]}xX|jdD]J}|jdjdjj d}t j dd|}|j d |j d |ft|j d <qZWxX|jd D]J}|jdjdjj d}t j dd|}|j d |j d |ft|j d <qWqJWxT|jd D]F}|jdjdjj d}t j dd|}d |j d |ft|j d <qWq8WxT|jdD]F}|jdjdjj d}t j dd|}d |j d |ft|j d <qlWWnt k rYnXtS) NrZlayermoduleZtunabledescrrrnr:Zdftvalr?global) booleans_dictZxml.etree.ElementTreeZetreeZ ElementTreeZ fromstringrrfindtextrrsubgetr)r'ZxmlZtreerrrr!rErrr gen_bool_dicts6$($$r(cCs*t}||krt||dStdSdS)Nrunknown)r(r)rlr#rrrboolean_categorysr*cCsJt}||krt||dS|jd}d|ddj|ddfSdS)NrrzAllow %s to %srrnr)r(rr[rx)rlr#r!rrr boolean_descs  r+cCsFd}y$td}|jj}WdQRXWntk r@d}YnX|S)Nrz/etc/system-releaseZMisc)rreadlinerstripr)Zsystem_releaserrrrget_os_versions  r.cCsPdadadadadadadadadada da da da da da dadadadadS)N)r-r,r/rer#r.rr2rrrrr3r0r1rrrrrrrreinits&r/)r)r )N)N)r)r)rr#r4r$Zsepolgen.defaultsrZsepolgen.interfacesrrrrrZPROGNAMEgettextkwargs version_infoZinstallbuiltinsr>__dict__rZ __builtin__rrSrWrYrZr]r^r_rrrsrtruryrzr~r{rvrwZ DEFAULT_DIRSrrrr5rrrrrr/rrr0rrr,r1rrr2r3r.r-rer#rrrrr)r+r7r8r6rrZis_selinux_enabledrbrmrrrrrrrrrrrZselinux_file_context_pathrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r r r r rrrrrrrrr(r*r+r.r/rrrrsZ                i2 H! $    .        ]