PNG  IHDR;IDATxܻn0K )(pA 7LeG{ §㻢|ذaÆ 6lذaÆ 6lذaÆ 6lom$^yذag5bÆ 6lذaÆ 6lذa{ 6lذaÆ `}HFkm,mӪôô! x|'ܢ˟;E:9&ᶒ}{v]n&6 h_tڠ͵-ҫZ;Z$.Pkž)!o>}leQfJTu іچ\X=8Rن4`Vwl>nG^is"ms$ui?wbs[m6K4O.4%/bC%t Mז -lG6mrz2s%9s@-k9=)kB5\+͂Zsٲ Rn~GRC wIcIn7jJhۛNCS|j08yiHKֶۛkɈ+;SzL/F*\Ԕ#"5m2[S=gnaPeғL lذaÆ 6l^ḵaÆ 6lذaÆ 6lذa; _ذaÆ 6lذaÆ 6lذaÆ RIENDB` 3 Flf@sddlZddlZddlZddlZddlZddlmZmZmZddlZddl Z ddl m Z ddl m Z ddl m Z ddl mZddl mZdd l mZdd l mZdd l mZdd l mZdd l mZddl mZddl mZddl mZddl mZddl mZddljZddljZdZyd.Z?iZ@eAd/e@e3<eAd0e@e4<eAd1e@e5<eAd2e@e6<eAd3e@e7<eAd4e@e8<eAd5e@e9<eAd6e@e:<eAd7e@e;<eAd8e@e<<eAd9e@e=<eAd:e@e><eAd;e@e?<dgZDd>d?ZEGd@dAdAZFdS)CN) get_all_typesget_all_attributes get_all_roles) executable)boolean)etc_rw) unit_file) var_cache) var_spool)var_lib)var_log)var_run)tmp)rw)network)script)spec)userzselinux-pythonTunicodez/usr/share/localezutf-8)Z localedirZcodeset_cCsF|d}|d}|d}|d|jdd}|jdd}|||gS)z6Given an RPM header return the package NVR as a stringnameversionrelease-.rr)split)ZhdrrrrZrelease_versionZ os_versionr/usr/lib/python3.6/generate.pyget_rpm_nvr_from_headerGs r c Cs`y>ddl}d}|j}|j|j|}x|D]}t|}Pq*WWntd|d}YnX|S)Nrz"Failed to retrieve rpm info for %s)rpmtsZdbMatchZ RPMTAG_NAMEr print)packager!Znvrr"Zmihrrrget_rpm_nvr_listRs    r&cCsi}xztjtjD]j}|ddks|ddks|ddks|ddks|ddkrTq|d|jdf||d|d |d f<qW|S) NtypeZreserved_port_tZport_tZhi_reserved_port_tZephemeral_port_tZunreserved_port_trangeZlowZhighprotocol)sepolicyinfoZPORTget)dictprrr get_all_portsbs     ,r/cCs6ddtjtjD}|jd|jd|j|S)NcSsg|] }|dqS)rr).0xrrr psz!get_all_users..Zsystem_uroot)r*r+USERremovesort)usersrrr get_all_usersos   r8z_admin$z_role$ zStandard Init DaemonzDBUS System DaemonzInternet Services DaemonzWeb Application/Script (CGI)ZSandboxzUser ApplicationzExisting Domain Typez Minimal Terminal Login User Rolez!Minimal X Windows Login User RolezDesktop Login User RolezAdministrator Login User Rolez Confined Root Administrator Rolez!Module information for a new typecCs>tj}|jtd}x |D]}|d|t|f7}qW|S)Nz Valid Types: z%2s: %s )poltypekeysr6r)rDmsgkrrrget_poltype_descs  rGc Cs|dkr gSd }yg}x|jdD]}|jd}t|dkr@tt|dkrft|d}t|d}n$t|d}t|d}||krtx4t||dD]"}|dks||krt|j|qWq"W|Stk rttd|YnXdS) Nr9,rrrz8Ports must be numbers or ranges of numbers from 1 to %d i)rlen ValueErrorintr(appendr)portsZmax_porttemparbeginendr.rrr verify_portss.      rUc@seZdZddZddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZdddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Z!d@dAZ"dBdCZ#dDdEZ$dFdGZ%dHdIZ&dJdKZ'dLdMZ(dNdOZ)dPdQZ*dRdSZ+dTdUZ,dVdWZ-dXdYZ.dZd[Z/d\d]Z0d^d_Z1d`daZ2dbdcZ3dddeZ4dfdgZ5dhdiZ6djdkZ7dldmZ8dndoZ9dpdqZ:drdsZ;dtduZdzd{Z?d|d}Z@d~dZAddZBddZCddZDddZEddZFddZGddZHddZIddZJddZKddZLddZMddZNddZOddZPddZQddZRddZSddZTddZUddZVddZWddZXddZYddZZddZ[ddZ\ddZ]ddZ^ddZ_ddZ`ddZaddZbddÄZcddńZdddDŽZeddɄZfdd˄Zgdd̈́ZhddτZiddфZjddӄZkddՄZlddׄZmddلZnddۄZodd݄Zpdd߄ZqddZrddZsetjufddZvdS)policycCsg|_i|_t|_g|_|tkr.ttd|sFttdt|y t|_WnTtk r|}zt dWYdd}~Xn,t k r}zt d|WYdd}~XnXi|_ d|j d<d|j d<d|j d<d |j d <d |j d <d |j d <d|j d <d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d <d!|j d"<d#|j d$<d%|j d&<d'|j d(<d)|j d*<d+|j d,<d-|j d.<d/|j d0<d1|j d2<d3|j d4<d5|j d6<d7|j d8<d9|j d:<d;|j d<<d=|j d><d?|j d@<dA|j dB<dC|j dD<dE|j dF<dG|j dH<dI|j dJ<dK|j dL<dM|j dN<dO|j dP<dQ|j dR<dS|j dT<dU|j dV<dW|j dX<dY|j dZ<d[|j d\<d]|j d^<d_|j d`<da|j db<da|j dc<da|j dd<da|j de<df|j dg<df|j dh<df|j di<df|j dj<df|j dg<dk|j dl<dm|j dn<do|j dp<dq|j dr<ds|j dt<du|j dv<dw|j dx<dy|j dz<d{|j d|<d}|j d~<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<d|j d<i|_ dgt g|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<dgtg|j d<i|_t|jd<t|jd<t|jd<t|jd<t|jd<t|jd<t|jd<t|jd<dddddddddddg |_|j|jf|j|jf|j|jf|j|j f|j!|j"f|j#|j$f|j%|j&f|j'|j(f|j)|j*f|j+|j(f|j,|j(f|j-|j.f|j/|j0ff |_1t2j3d|sttd|t4krd||_5n||_5||_6g|_7g|_8||_9d|_:d|_;dddgg|_dddgg|_?d|_@d|_Ad|_Bd|_Cd|_Dd|_Ed|_Fd|_Gd|_H|j9tItJgk|_K|j9tItJgk|_L|j9tItJgk|_Md|_Nd|_Oi|_Pi|_Qi|_Rg|_Sg|_Td|_Ud|_Vg|_Wg|_Xg|_Yg|_Zg|_[dS)Nz"You must enter a valid policy typez;You must enter a name for your policy module for your '%s'.z9Can not get port types, must be root for this informationzCan not get port typeszset_use_kerberos(True)Zopenlogzset_use_kerb_rcache(True)zset_use_syslog(True)zset_use_resolve(True)Z gethostbyZ getaddrinfoZ getnameinfoZkrbzset_manage_krb5_rcache(True)Zgss_accept_sec_contextZkrb5_verify_init_credsZ krb5_rd_reqZ __syslog_chkzset_use_uid(True)getpwnamgetpwuidzset_use_dbus(True)Zdbus_zset_use_pam(True)Zpam_zset_use_audit(True)zadd_process('fork')forkzadd_process('transition')Z transitionzadd_process('sigchld')Zsigchldzadd_process('sigkill')Zsigkillzadd_process('sigstop')Zsigstopzadd_process('signull')Zsignullzadd_process('ptrace')Zptracezadd_process('getsched')Zgetschedzadd_process('setsched')Zsetschedzadd_process('getsession')Z getsessionzadd_process('getpgid')getpgidzadd_process('setpgid')setpgidzadd_process('getcap')Zgetcapzadd_process('setcap')Zsetcapzadd_process('share')Zsharezadd_process('getattr')getattrzadd_process('setexec')Zsetexeczadd_process('setfscreate')Z setfscreatezadd_process('noatsecure')Z noatsecurezadd_process('siginh')Zsiginhzadd_process('signal_perms')killzadd_process('setrlimit')Z setrlimitzadd_process('rlimitinh')Z rlimitinhzadd_process('dyntransition')Z dyntransitionzadd_process('setcurrent')Z setcurrentzadd_process('execmem')Zexecmemzadd_process('execstack')Z execstackzadd_process('execheap')Zexecheapzadd_process('setkeycreate')Z setkeycreatezadd_process('setsockcreate')Z setsockcreatezadd_capability('chown')chownzadd_capability('dac_override')Z dac_overridez!add_capability('dac_read_search')Zdac_read_searchzadd_capability('fowner')Zfownerzadd_capability('fsetid')Zfsetidzadd_capability('setgid')setgidsetegid setresgidsetregidzadd_capability('setuid') setresuidsetuidseteuidsetreuidzadd_capability('setpcap')Zsetpcapz!add_capability('linux_immutable')Zlinux_immutablez"add_capability('net_bind_service')Znet_bind_servicezadd_capability('net_broadcast')Z net_broadcastzadd_capability('net_admin')Z net_adminzadd_capability('net_raw')Znet_rawzadd_capability('ipc_lock')Zipc_lockzadd_capability('ipc_owner')Z ipc_ownerzadd_capability('sys_module') sys_modulezadd_capability('sys_rawio')Z sys_rawiozadd_capability('sys_chroot')chrootZ sys_chrootzadd_capability('sys_ptrace')Z sys_ptracezadd_capability('sys_pacct')Z sys_pacctzadd_capability('sys_admin')ZmountZunshareZ sys_adminzadd_capability('sys_boot')Zsys_bootzadd_capability('sys_nice')Zsys_nicezadd_capability('sys_resource')Z sys_resourcezadd_capability('sys_time')Zsys_timez add_capability('sys_tty_config')Zsys_tty_configzadd_capability('mknod')mknodzadd_capability('lease')Zleasezadd_capability('audit_write')Z audit_writezadd_capability('audit_control')Z audit_controlzadd_capability('setfcap')Zsetfcaprz/etcrz/tmprr z/usr/lib/systemd/systemz/lib/systemd/systemz/etc/systemd/systemr z /var/cacher z/var/libr z/var/logrz/var/runr z /var/spoolZ_tmp_tZ _unit_file_tZ _var_cache_tZ _var_lib_tZ _var_log_tZ _var_run_tZ _var_spool_tZ_port_tz^[a-zA-Z0-9-_]+$zQName must be alpha numberic with no spaces. Consider using option "-n MODULENAME"zhttpd_%s_scriptrHF)\rpmsrOr all_rolestypesrCrLrr/r# RuntimeErrorsymbols DEFAULT_DIRSrrrr r r r rr DEFAULT_EXTr DEFAULT_KEYSgenerate_daemon_typesgenerate_daemon_rulesgenerate_dbusd_typesgenerate_dbusd_rulesgenerate_inetd_typesgenerate_inetd_rulesgenerate_cgi_typesgenerate_cgi_rulesgenerate_sandbox_typesgenerate_sandbox_rulesgenerate_userapp_typesgenerate_userapp_rulesgenerate_existing_user_typesgenerate_existing_user_rulesgenerate_min_login_user_typesgenerate_login_user_rulesgenerate_x_login_user_typesgenerate_x_login_user_rulesgenerate_login_user_typesgenerate_admin_user_typesgenerate_root_user_typesgenerate_root_user_rulesgenerate_new_typesgenerate_new_rules DEFAULT_TYPESrematchCGIr file_name capabilities processesr' initscriptprogramin_tcpin_udpout_tcpout_udp use_resolveuse_tmpuse_uid use_syslog use_kerberosmanage_krb5_rcacheuse_pamuse_dbus use_auditEUSERNEWTYPEuse_etcuse_localizationuse_fd use_terminaluse_mailbooleansfilesdirsfound_tcp_portsfound_udp_ports need_tcp_type need_udp_type admin_domainsexisting_domainstransition_domainstransition_usersroles)selfrr'errr__init__sd                                                                                                                zpolicy.__init__cCs(|tp&|tp&|tp&t|tdkS)Nr)ALLRESERVED UNRESERVEDrKPORTS)rlrrrZ __isnetsetszpolicy.__isnetsetcCs ||_dS)N)r)rrrrrset_admin_domainsszpolicy.set_admin_domainscCs ||_dS)N)r)rrrrrset_existing_domainsszpolicy.set_existing_domainscCs ||_dS)N)r)rrrrrset_admin_rolesszpolicy.set_admin_rolescCs ||_dS)N)r)rrrrrset_transition_domainsszpolicy.set_transition_domainscCs ||_dS)N)r)rrrrrset_transition_usersszpolicy.set_transition_userscCs |j|jS)N)_policy__isnetsetr)rrrr use_in_udpszpolicy.use_in_udpcCs |j|jS)N)rr)rrrr use_out_udpszpolicy.use_out_udpcCs|jp|jS)N)rr)rrrruse_udpszpolicy.use_udpcCs |j|jS)N)rr)rrrr use_in_tcpszpolicy.use_in_tcpcCs |j|jS)N)rr)rrrr use_out_tcpszpolicy.use_out_tcpcCs|jp|jS)N)rr)rrrruse_tcpszpolicy.use_tcpcCs|jp|jS)N)rr)rrrr use_networkszpolicy.use_networktcpcCsFx@|jjD]2\}}}||kr ||kr ||kr |j|||fSq WdS)N)rOrD)rZportr)rSrTr.rrr find_portszpolicy.find_portcCs |jtkrttd||_dS)Nz0User Role types can not be assigned executables.)r' APPLICATIONSrLrr)rrrrr set_programs  zpolicy.set_programcCs |jtkrttd||_dS)Nz)Only Daemon apps can use an init script..)r'DAEMONrLrr)rrrrrset_init_scripts  zpolicy.set_init_scriptcCs|||t|g|_dS)N)rUr)rallreserved unreservedrOrrr set_in_tcpszpolicy.set_in_tcpcCs|||t|g|_dS)N)rUr)rrrrrOrrr set_in_udpszpolicy.set_in_udpcCs|ddt|g|_dS)NF)rUr)rrrOrrr set_out_tcpszpolicy.set_out_tcpcCs|ddt|g|_dS)NF)rUr)rrrOrrr set_out_udpszpolicy.set_out_udpcCs"t|tk rttd||_dS)Nz$use_resolve must be a boolean value )r'boolrLrr)rvalrrrset_use_resolves  zpolicy.set_use_resolvecCs"t|tk rttd||_dS)Nz#use_syslog must be a boolean value )r'rrLrr)rrrrrset_use_syslogs  zpolicy.set_use_syslogcCs"t|tk rttd||_dS)Nz%use_kerberos must be a boolean value )r'rrLrr)rrrrrset_use_kerbeross  zpolicy.set_use_kerberoscCs"t|tk rttd||_dS)Nz+manage_krb5_rcache must be a boolean value )r'rrLrr)rrrrrset_manage_krb5_rcaches  zpolicy.set_manage_krb5_rcachecCs|dk|_dS)NT)r)rrrrr set_use_pamszpolicy.set_use_pamcCs|dk|_dS)NT)r)rrrrr set_use_dbusszpolicy.set_use_dbuscCs|dk|_dS)NT)r)rrrrr set_use_auditszpolicy.set_use_auditcCs|dk|_dS)NT)r)rrrrr set_use_etcszpolicy.set_use_etccCs|dk|_dS)NT)r)rrrrrset_use_localizationszpolicy.set_use_localizationcCs|dk|_dS)NT)r)rrrrr set_use_fdszpolicy.set_use_fdcCs|dk|_dS)NT)r)rrrrrset_use_terminalszpolicy.set_use_terminalcCs|dk|_dS)NT)r)rrrrr set_use_mailszpolicy.set_use_mailcCsB|jtkrttd|r0|jddjdng|jdd<dS)Nz'USER Types automatically get a tmp typez/tmpr)r'USERSrLrrorN)rrrrr set_use_tmps   zpolicy.set_use_tmpcCs|dk|_dS)NT)r)rrrrr set_use_uidszpolicy.set_use_uidcCs |jrtjd|jtjSdSdS)N TEMPLATETYPErH)rrsubrrZ te_uid_rules)rrrrgenerate_uid_rulesszpolicy.generate_uid_rulescCs |jrtjd|jtjSdSdS)NrrH)rrrrrZte_syslog_rules)rrrrgenerate_syslog_rulesszpolicy.generate_syslog_rulescCs |jrtjd|jtjSdSdS)NrrH)rrrrrZte_resolve_rules)rrrrgenerate_resolve_rulesszpolicy.generate_resolve_rulescCs |jrtjd|jtjSdSdS)NrrH)rrrrrZte_kerberos_rules)rrrrgenerate_kerberos_rulesszpolicy.generate_kerberos_rulescCs |jrtjd|jtjSdSdS)NrrH)rrrrrZte_manage_krb5_rcache_rules)rrrr!generate_manage_krb5_rcache_rules sz(policy.generate_manage_krb5_rcache_rulescCs d}|jrtjd|jtj}|S)NrHr)rrrrrZ te_pam_rules)rnewterrrgenerate_pam_rules&szpolicy.generate_pam_rulescCs d}|jrtjd|jtj}|S)NrHr)rrrrrZte_audit_rules)rrrrrgenerate_audit_rules,szpolicy.generate_audit_rulescCs d}|jrtjd|jtj}|S)NrHr)rrrrrZ te_etc_rules)rrrrrgenerate_etc_rules2szpolicy.generate_etc_rulescCs d}|jrtjd|jtj}|S)NrHr)rrrrrZ te_fd_rules)rrrrrgenerate_fd_rules8szpolicy.generate_fd_rulescCs d}|jrtjd|jtj}|S)NrHr)rrrrrZte_localization_rules)rrrrrgenerate_localization_rules>sz"policy.generate_localization_rulescCs*d}|jtkr&|jr&tjd|jtj}|S)NrHr)r'DBUSrrrrrZ te_dbus_rules)rrrrrgenerate_dbus_rulesDszpolicy.generate_dbus_rulescCs d}|jrtjd|jtj}|S)NrHr)rrrrrZ te_mail_rules)rrrrrgenerate_mail_rulesJszpolicy.generate_mail_rulescCsFd}d|||f}|tjkr.d||jf}nd||j|||f}|S)NrHzcorenet_%s_%s_%sz %s(%s_t) zD gen_require(` type %s_t; ') allow %s_t %s_t:%s_socket name_%s; )r*Z get_methodsr)rr)action port_namelinemethodrrrgenerate_network_actionPs  zpolicy.generate_network_actioncCshxf|jtD]X}|jt|d}|dkr0d|_q |ddd }|jdd|}||jkr |jj|q Wxf|jtD]X}|jt|d}|dkrd|_qt|ddd }|jdd|}||jkrt|jj|qtWxh|j tD]Z}|jt|d}|dkrd|_ q|ddd }|jdd|}||j kr|j j|qW|j dksR|jdkrdt j d|jtjSd S) NrTrr9ZbindZconnectudprrHrr)rrrrMrrrrNrrrrrrrrte_types)riZrecrrrrrgenerate_network_types^s6    zpolicy.generate_network_typescCsZx:|jD]0}|j|dkr|j|dj||j|SqW|jddj||jdS)Nrrr)rofindrN)rfiledrrrZ __find_paths  zpolicy.__find_pathcCs||jkr|jj|dS)N)rrN)rZ capabilityrrradd_capabilitys zpolicy.add_capabilitycCs ||_dS)N)rl)rrlrrr set_typesszpolicy.set_typescCs||jkr|jj|dS)N)rrN)rZprocessrrr add_processs zpolicy.add_processcCs||j|<dS)N)r)rr descriptionrrr add_booleanszpolicy.add_booleancCs|j||j|<dS)N)_policy__find_pathr)rrrrradd_fileszpolicy.add_filecCs|j||j|<dS)N)rr)rrrrradd_dirszpolicy.add_dircCs6d}|jjt|jdkr2d|jdj|jf}|S)NrHrz#allow %s_t self:capability { %s };  )rr6rKrjoin)rrrrrgenerate_capabilitiess  zpolicy.generate_capabilitiescCs6d}|jjt|jdkr2d|jdj|jf}|S)NrHrz allow %s_t self:process { %s }; r )rr6rKrr )rrrrrgenerate_processs  zpolicy.generate_processcCsd}|jrd}|tjd|jtj7}|jr|d7}|tjd|jtj7}|jr|tjd|jtj 7}|j rt |j t dkr|tjd|jtj7}|j rt |jt dkr|tjd|jtj7}|j tr|tjd|jtj7}|j tr |tjd|jtj7}|j tr.|tjd|jtj7}|jtrP|tjd|jtj7}|jtrr|tjd|jtj7}|jtr|tjd|jtj7}x|jD]}||7}qW|jr|d7}|tjd|jtj7}|jr|tjd|jtj7}|jr|tjd|jtj 7}|j!tr6|tjd|jtj"7}|j!trX|tjd|jtj#7}|j!trz|tjd|jtj$7}x|j%D]}||7}qW|S)NrH rr)&rrrrrZ te_networkrZte_tcprZ te_in_tcprrKrrZte_in_need_port_tcprZte_out_need_port_tcprZte_in_all_ports_tcprZte_in_reserved_ports_tcprZte_in_unreserved_ports_tcpZte_out_all_ports_tcpZte_out_reserved_ports_tcpZte_out_unreserved_ports_tcprrZte_udprZte_in_need_port_udprZ te_in_udprZte_in_all_ports_udpZte_in_reserved_ports_udpZte_in_unreserved_ports_udpr)rrrrrrgenerate_network_rulessV               zpolicy.generate_network_rulescCsd}x2|jD](}tjd|jtj}|tjd||7}q W|jtkrx<|jD]2}tjd|jt j }|tjd|j dd|7}qJW|S)NrHr APPLICATIONr4_ur) rrrrrZte_transition_rulesr'r4rrZ te_run_rulesr)rrapprurPrrrgenerate_transition_ruless    z policy.generate_transition_rulescCs,d}|jtkrxn|jD]d}|jdd}|d}xH|jD]>}tjd|tj}||j krdtj|d|}|tjd||7}q8WqW|S|jt kr(|tjd|j tj 7}x2|jD](}tjd|j tj}|tjd||7}qWxN|j D]D}|jdd}|d|j krtjd|j tj}|tjd ||7}qW|S) NrH_tr_rrZsystem_rrrr4)r'rrrrrrrZte_admin_domain_rulesrkRUSERrZte_admin_rulesrZte_admin_trans_rules)rrrrrolerrrrrrgenerate_admin_ruless,       zpolicy.generate_admin_rulescCs d}|jrtjd|jtj}|S)NrHr)rrrrrZ if_dbus_rules)rnewifrrrgenerate_dbus_ifszpolicy.generate_dbus_ifcCs(d}|jtkr|Stjd|jtj}|S)NrHr)r'SANDBOXrrrrZif_sandbox_rules)rrrrrgenerate_sandbox_ifs  zpolicy.generate_sandbox_ifcCsd}d}|jdkr>|tjd|jtj7}|tjd|jtj7}xd|jD]Z}t|j |ddkrF|tjd|j|j |dj 7}|tjd|j|j |dj 7}qFW|dkrtjd|jtj }||7}|tjd|jtj 7}||7}|tjd|jtj7}|SdS)NrHrrrr9)rrrrrZif_initscript_admin_typesZif_initscript_adminrqrKroZif_admin_typesZif_admin_rulesZif_begin_adminZif_middle_adminZ if_end_admin)rrZnewtypesrretrrrgenerate_admin_ifs"   $zpolicy.generate_admin_ifcCstjd|jtjS)Nr)rrrr te_cgi_types)rrrrrx5szpolicy.generate_cgi_typescCstjd|jtjS)Nr)rrrrte_sandbox_types)rrrrrz8szpolicy.generate_sandbox_typescCstjd|jtjS)Nr)rrrrZte_userapp_types)rrrrr|;szpolicy.generate_userapp_typescCstjd|jtjS)Nr)rrrrZte_inetd_types)rrrrrv>szpolicy.generate_inetd_typescCstjd|jtjS)Nr)rrrrZte_dbusd_types)rrrrrtAszpolicy.generate_dbusd_typescCstjd|jtjS)Nr)rrrrZte_min_login_user_types)rrrrrDsz$policy.generate_min_login_user_typescCstjd|jtjS)Nr)rrrrZte_login_user_types)rrrrrGsz policy.generate_login_user_typescCstjd|jtjS)Nr)rrrrZte_admin_user_types)rrrrrJsz policy.generate_admin_user_typescCst|jdkr$ttdt|jtjd|jt j }|d7}xB|jD]8}|d|7}|j ddd}||j krF|d|7}qFW|d 7}|S) Nrz,'%s' policy modules require existing domainsrz gen_require(`z type %s;rrz role %s;z ') ) rKrrLrrCr'rrrrZte_existing_user_typesrrk)rrrrrrrr~Ms   z#policy.generate_existing_user_typescCstjd|jtjS)Nr)rrrrZte_x_login_user_types)rrrrr_sz"policy.generate_x_login_user_typescCstjd|jtjS)Nr)rrrrZte_root_user_types)rrrrrbszpolicy.generate_root_user_typesc Csd}t|jdkrttdxj|jD]`}xZ|jD]P}|j|r2t||dt| |tjd|dt| |j|j 7}Pq2Wq&Wt r|dkrg}x|jD]}|j |qWttddj ||S)NrHrzType field requiredrz3You need to define a new type which ends with: %sz ) rKrlrLrrpendswithr#rrrrrNr )rrtrZ default_extrrrres    (   zpolicy.generate_new_typescCsdS)NrHr)rrrrryszpolicy.generate_new_rulescCs6tjd|jtj}|jdkr2|tjd|jtj7}|S)NrrH)rrrrZte_daemon_typesrZte_initscript_types)rrrrrrr|s zpolicy.generate_daemon_typescCs |jrtjd|jtjSdSdS)NrrH)rrrrrr)rrrrgenerate_tmp_typesszpolicy.generate_tmp_typescCs@d}x6|jD],}tjd|tj}|tjd|j||7}q W|S)NrHBOOLEANZ DESCRIPTION)rrrrZ te_boolean)rrbrrrrgenerate_booleanss  zpolicy.generate_booleanscCs,d}x"|jD]}|tjd|tj7}q W|S)NrHr&)rrrrte_rules)rrr'rrrgenerate_boolean_ruless zpolicy.generate_boolean_rulescCstjd|jtjS)Nr)rrrrr")rrrrgenerate_sandbox_teszpolicy.generate_sandbox_tecCstjd|jtjS)Nr)rrrrr!)rrrrgenerate_cgi_teszpolicy.generate_cgi_tecCstjd|jtj}|S)Nr)rrrrZte_daemon_rules)rrrrrrsszpolicy.generate_daemon_rulesc Csrd}xh|jD]^}xX|jD]N}|j|r|dt| d}|tjd|dt| |j|j7}PqWq W|S)NrHrr)rlrpr#rKrrif_rules)rrr$rZreqtyperrrgenerate_new_type_ifs   ( zpolicy.generate_new_type_ifcCstjd|jtjS)Nr)rrrrZte_login_user_rules)rrrrrsz policy.generate_login_user_rulescCstjd|jtj}|S)Nr)rrrrZte_existing_user_rules)rZnerulesrrrrsz#policy.generate_existing_user_rulescCstjd|jtjS)Nr)rrrrZte_x_login_user_rules)rrrrrsz"policy.generate_x_login_user_rulescCstjd|jtj}|S)Nr)rrrrZte_root_user_rules)rrrrrrszpolicy.generate_root_user_rulescCstjd|jtjS)Nr)rrrrZte_userapp_rules)rrrrr}szpolicy.generate_userapp_rulescCstjd|jtjS)Nr)rrrrZte_inetd_rules)rrrrrwszpolicy.generate_inetd_rulescCstjd|jtjS)Nr)rrrrZte_dbusd_rules)rrrrruszpolicy.generate_dbusd_rulescCs |jrtjd|jtjSdSdS)NrrH)rrrrrr))rrrrgenerate_tmp_rulesszpolicy.generate_tmp_rulescCsd}|tjd|jtj7}|S)NrHr)rrrrZ te_cgi_rules)rrrrrryszpolicy.generate_cgi_rulescCsd}|tjd|jtj7}|S)NrHr)rrrrZte_sandbox_rules)rrrrrr{szpolicy.generate_sandbox_rulescCsRd}|js|jtkr&tjd|jtj}|jtt t t fkrN|tjd|jtj 7}|S)NrHr) rr'r4rrrrZif_user_program_rulesTUSERXUSERAUSERLUSERZif_role_change_rules)rrrrrgenerate_user_ifs zpolicy.generate_user_ifcCsDd}|tjd|jtj7}|jr6|tjd|jtj7}|jdkrV|tjd|jtj7}x|j D]}t |j |ddkr^|tjd|j|j |dj 7}xZ|j |dD]H}t jj|rtjt j|tjr|tjd|j|j |dj7}PqWq^W||j7}||j7}||j7}||j7}||j7}||j7}|S)NrHrrrr9)rrrrZif_heading_rulesrZif_program_rulesrZif_initscript_rulesrqrKror-ospathexistsstatS_ISSOCKST_MODEZif_stream_rulesr4rr rr.r)rrrrrrr generate_ifs(   "        zpolicy.generate_ifcCs|j|jdS)Nr)rr')rrrrgenerate_default_typesszpolicy.generate_default_typescCs&|j|jdr"|j|jdSdS)NrrH)rr')rrrrgenerate_default_rulesszpolicy.generate_default_rulescCsd}|jttttfkrd}t|jdkr|tjd|j t j 7}|tjd|j t j 7}x2|jD](}tjd|j t j }|tjd||7}q\W|S)NrHrrZROLE)r'r0r1r2r3rKrrrrrZ te_sudo_rulesZte_newrole_rulesZte_roles_rules)rrrrrrrrgenerate_roles_ruless zpolicy.generate_roles_rulesc Cs|j}xV|jD]L}t|j|ddkr|jtks<|dkr|tjd|j|j|dj 7}qW|jt krx|d|j7}||j 7}||j 7}||j 7}||j7}||j7}||j7}||j7}xT|jD]H}t|j|ddkr|jt krXd}xt|jD]H}|tjd|dd d |j|dj7}|tjd |jd |7}q Wn |tjd|j|j|dj7}x|j|dD]}tjj|rtjtj|tjr|jt krxX|jD],}|tjd|dd |j|dj7}qWn |tjd|j|j|dj7}PqWqW||j7}||j7}||j7}||j7}||j7}||j 7}||j!7}||j"7}||j#7}||j$7}||j%7}||j&7}||j'7}||j(7}||j)7}||j*7}||j+7}|S)Nrrrrr9z@ ######################################## # # %s local policy # rHZTEMPLATETYPE_trZTEMPLATETYPE_rw_tZ_rw_trr),r<rqrKror'rrrrrrr rrr%r(r=r*rr)r5r6r7r8r9r:Zte_stream_rulesr/rrrrrrrrrr>rrrrrr)rrrZ newte_tmpZdomainrrrr generate_tes` $           *  &  .                   zpolicy.generate_tecCsd}g}x|jjD]}tjj|rXtjtj|tjrXtj d|j |j|dj }ntj d|j |j|dj }tj d||}|j tj d|j|d|qWxZ|jjD]L}tj d|j |j|dj}tj d||}|j tj d|j|d|qW|jttgkr&t|dkr&tjS|jttttgkrR|j rRttd|jrtj d|jtj}|j tj d|j ||jdkrtj d|jtj}|j tj d|j ||jd j|}|S) NrHrr9FILENAMEZFILETYPErz      zpolicy.generate_speccCs2d||jf}t|d}|j|j|j|S)Nz%s/%s_selinux.specw)ropenwriterRclose)rout_dirZspecfilefdrrr write_specs  zpolicy.write_speccCs2d||jf}t|d}|j|j|j|S)Nz%s/%s.terS)rrTrUr?rV)rrWZtefilerXrrrwrite_tes  zpolicy.write_tecCs>d||jf}t|d}|j|j|jtj|d|S)Nz%s/%s.shrSi)rrTrUrOrVr5chmod)rrWZshfilerXrrrwrite_shs   zpolicy.write_shcCs2d||jf}t|d}|j|j|j|S)Nz%s/%s.ifrS)rrTrUr;rV)rrWZiffilerXrrrwrite_ifs  zpolicy.write_ifcCs2d||jf}t|d}|j|j|j|S)Nz%s/%s.fcrS)rrTrUrBrV)rrWZfcfilerXrrrwrite_fcs  zpolicy.write_fcc CsDddl}|j(}|j|jdd|jj}|j}|j|jd}x|D]}|j j |j xT|j D]J}xD|j D]:}|dkrqt|j|rttjj|r|j|qt|j|qtWqhW|j}|j|jd}xd|D]\} xV| j D]L}xF|j D]<}|dkrq|j|rtjj|r|j|q|j|qWqWqWqNWWdQRXdS)NrT)Zload_system_repo)rz/etc)Zprovides)dnfZBaseZread_all_reposZ fill_sackZsackqueryZ availablefilterrrjrNrrro startswithr5r6isfiler r Z source_name) rr_baser`ZpqZpkgZfnamer'ZsqZbpkgrrrZ__extract_rpmss8              zpolicy.__extract_rpmscCsy |jWntk r YnXtjjd|jrD|jd|jtjjd|jrf|jd|jtjjd|jr|jd|jtjjd|jr|jd|jtjjd|jr|jd|jtjjd|jr|j d|jg}x|j j D]}g}y|j |dd d }Wnt k r8wYnXx4|j |dD]"}|j |rJ|j|nqJqJWt|d krxF|D]>}||jj kr|j|=n||jj kr|j|=nqqWtt|j |dt||j |d<qWdS) Nz/var/run/%s.pidz /var/run/%sz /var/log/%sz/var/log/%s.logz /var/lib/%sz/etc/rc.d/init.d/%sz/etc/rc\.d/init\.d/%srr/)_policy__extract_rpms ImportErrorr5r6rcrr isdirr rrorD IndexErrorrbrNrKrrlistset)rZ temp_basepathr.Z temp_dirsrrrr gen_writeablesF         zpolicy.gen_writeablecCs|jtkrdStjj|js2tjjd|jdStj d|j}x@|j j D]0}x*|j D] }|j |r\td|j |q\WqPW|jdS)Nzl *************************************** Warning %s does not exist *************************************** znm -D %s | grep Uzself.%s)r'rr5r6r7rsysstderrrUpopenreadrrnrbexecrV)rrXsr'rrr gen_symbolsJs    zpolicy.gen_symbolscCsd}|d|j|tdf7}|d|j|tdf7}|d|j|tdf7}|jtkrtjddddkr|d|j|tdf7}|d|j |tdf7}|S)NzCreated the following files: z%s # %s zType Enforcement filezInterface filezFile Contexts filer)rErFrGrHrIrJrKz Spec filez Setup Script)rFrGrHrIrJrK) rZrr]r^r'rrMrNrYr\)rrWoutrrrgenerate\s zpolicy.generateN)r)w__name__ __module__ __qualname__rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r r rrrrrrr rxrzr|rvrtrrrr~rrrrrrr%r(r*r+r,rsr.rrrrr}rwrur/ryr{r4r;r<r=r>r?rBrDrOrRrYrZr\r]r^rfrlrsr5getcwdrurrrrrVsB  &8    >#$*$3rV)r)Gr5rmr8rr*rrrrQrMZ templatesrrrr r r r r rrrrrrrZsepolgen.interfacesZ interfacesZsepolgen.defaultsZdefaultsZPROGNAMEgettextkwargs version_infoZinstallbuiltinsstr__dict__rgZ __builtin__rr r&r/r8rrrrZADMIN_TRANSITION_INTERFACEZUSER_TRANSITION_INTERFACErrZINETDrrr4rr0r1r3r2rrrCrrGrrrUrVrrrrs