1#!/usr/bin/env python
2# Copyright 2014-2015, Tresys Technology, LLC
3#
4# This file is part of SETools.
5#
6# SETools is free software: you can redistribute it and/or modify
7# it under the terms of the GNU General Public License as published by
8# the Free Software Foundation, either version 2 of the License, or
9# (at your option) any later version.
10#
11# SETools is distributed in the hope that it will be useful,
12# but WITHOUT ANY WARRANTY; without even the implied warranty of
13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14# GNU General Public License for more details.
15#
16# You should have received a copy of the GNU General Public License
17# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
18#
19
20from __future__ import print_function
21import setools
22import argparse
23import sys
24import logging
25
26
27def expand_attr(attr):
28    """Render type and role attributes."""
29    items = "\n\t".join(sorted(str(i) for i in attr.expand()))
30    contents = items if items else "<empty attribute>"
31    return "{0}\n\t{1}".format(attr.statement(), contents)
32
33parser = argparse.ArgumentParser(
34    description="SELinux policy information tool.")
35parser.add_argument("--version", action="version", version=setools.__version__)
36parser.add_argument("policy", help="Path to the SELinux policy to query.", nargs="?")
37parser.add_argument("-x", "--expand", action="store_true",
38                    help="Print additional information about the specified components.")
39parser.add_argument("--flat",  help="Print without item count nor indentation.",
40                    dest="flat", default=False, action="store_true")
41parser.add_argument("-v", "--verbose", action="store_true",
42                    help="Print extra informational messages")
43parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.")
44
45queries = parser.add_argument_group("Component Queries")
46queries.add_argument("-a", "--attribute",  help="Print type attributes.", dest="typeattrquery",
47                     nargs='?', const=True, metavar="ATTR")
48queries.add_argument("-b", "--bool", help="Print Booleans.", dest="boolquery",
49                     nargs='?', const=True, metavar="BOOL")
50queries.add_argument("-c", "--class", help="Print object classes.", dest="classquery",
51                     nargs='?', const=True, metavar="CLASS")
52queries.add_argument("-r", "--role", help="Print roles.", dest="rolequery",
53                     nargs='?', const=True, metavar="ROLE")
54queries.add_argument("-t", "--type", help="Print types.", dest="typequery",
55                     nargs='?', const=True, metavar="TYPE")
56queries.add_argument("-u", "--user", help="Print users.", dest="userquery",
57                     nargs='?', const=True, metavar="USER")
58queries.add_argument("--category", help="Print MLS categories.", dest="mlscatsquery",
59                     nargs='?', const=True, metavar="CAT")
60queries.add_argument("--common", help="Print common permission set.", dest="commonquery",
61                     nargs='?', const=True, metavar="COMMON")
62queries.add_argument("--constrain", help="Print constraints.", dest="constraintquery",
63                     nargs='?', const=True, metavar="CLASS")
64queries.add_argument("--default", help="Print default_* rules.", dest="defaultquery",
65                     nargs='?', const=True, metavar="CLASS")
66queries.add_argument("--fs_use", help="Print fs_use statements.", dest="fsusequery",
67                     nargs='?', const=True, metavar="FS_TYPE")
68queries.add_argument("--genfscon", help="Print genfscon statements.", dest="genfsconquery",
69                     nargs='?', const=True, metavar="FS_TYPE")
70queries.add_argument("--initialsid", help="Print initial SIDs (contexts).", dest="initialsidquery",
71                     nargs='?', const=True, metavar="NAME")
72queries.add_argument("--netifcon", help="Print netifcon statements.", dest="netifconquery",
73                     nargs='?', const=True, metavar="DEVICE")
74queries.add_argument("--nodecon", help="Print nodecon statements.", dest="nodeconquery",
75                     nargs='?', const=True, metavar="ADDR")
76queries.add_argument("--permissive", help="Print permissive types.", dest="permissivequery",
77                     nargs='?', const=True, metavar="TYPE")
78queries.add_argument("--polcap", help="Print policy capabilities.", dest="polcapquery",
79                     nargs='?', const=True, metavar="NAME")
80queries.add_argument("--portcon", help="Print portcon statements.", dest="portconquery",
81                     nargs='?', const=True, metavar="PORTNUM[-PORTNUM]")
82queries.add_argument("--sensitivity", help="Print MLS sensitivities.", dest="mlssensquery",
83                     nargs='?', const=True, metavar="SENS")
84queries.add_argument("--typebounds", help="Print typebounds statements.", dest="typeboundsquery",
85                     nargs='?', const=True, metavar="BOUND_TYPE")
86queries.add_argument("--validatetrans", help="Print validatetrans.", dest="validatetransquery",
87                     nargs='?', const=True, metavar="CLASS")
88queries.add_argument("--all", help="Print all of the above.  On a Xen policy, the Xen components "
89                     "will also be printed", dest="all", default=False, action="store_true")
90
91xen = parser.add_argument_group("Xen Component Queries")
92xen.add_argument("--ioportcon", help="Print all ioportcon statements.", dest="ioportconquery",
93                 default=False, action="store_true")
94xen.add_argument("--iomemcon", help="Print all iomemcon statements.", dest="iomemconquery",
95                 default=False, action="store_true")
96xen.add_argument("--pcidevicecon", help="Print all pcidevicecon statements.",
97                 dest="pcideviceconquery", default=False, action="store_true")
98xen.add_argument("--pirqcon", help="Print all pirqcon statements.", dest="pirqconquery",
99                 default=False, action="store_true")
100xen.add_argument("--devicetreecon", help="Print all devicetreecon statements.",
101                 dest="devicetreeconquery", default=False, action="store_true")
102
103
104args = parser.parse_args()
105
106if args.debug:
107    logging.basicConfig(level=logging.DEBUG,
108                        format='%(asctime)s|%(levelname)s|%(name)s|%(message)s')
109elif args.verbose:
110    logging.basicConfig(level=logging.INFO, format='%(message)s')
111else:
112    logging.basicConfig(level=logging.WARNING, format='%(message)s')
113
114try:
115    p = setools.SELinuxPolicy(args.policy)
116    components = []
117
118    if args.boolquery or args.all:
119        q = setools.BoolQuery(p)
120        if isinstance(args.boolquery, str):
121            q.name = args.boolquery
122
123        components.append(("Booleans", q, lambda x: x.statement()))
124
125    if args.mlscatsquery or args.all:
126        q = setools.CategoryQuery(p)
127        if isinstance(args.mlscatsquery, str):
128            q.name = args.mlscatsquery
129
130        components.append(("Categories", q, lambda x: x.statement()))
131
132    if args.classquery or args.all:
133        q = setools.ObjClassQuery(p)
134        if isinstance(args.classquery, str):
135            q.name = args.classquery
136
137        components.append(("Classes", q, lambda x: x.statement()))
138
139    if args.commonquery or args.all:
140        q = setools.CommonQuery(p)
141        if isinstance(args.commonquery, str):
142            q.name = args.commonquery
143
144        components.append(("Commons", q, lambda x: x.statement()))
145
146    if args.constraintquery or args.all:
147        q = setools.ConstraintQuery(p, ruletype=["constrain", "mlsconstrain"])
148        if isinstance(args.constraintquery, str):
149            q.tclass = [args.constraintquery]
150
151        components.append(("Constraints", q, lambda x: x.statement()))
152
153    if args.defaultquery or args.all:
154        q = setools.DefaultQuery(p)
155        if isinstance(args.defaultquery, str):
156            q.tclass = [args.defaultquery]
157
158        components.append(("Default rules", q, lambda x: x.statement()))
159
160    if args.fsusequery or args.all:
161        q = setools.FSUseQuery(p)
162        if isinstance(args.fsusequery, str):
163            q.fs = args.fsusequery
164
165        components.append(("Fs_use", q, lambda x: x.statement()))
166
167    if args.genfsconquery or args.all:
168        q = setools.GenfsconQuery(p)
169        if isinstance(args.genfsconquery, str):
170            q.fs = args.genfsconquery
171
172        components.append(("Genfscon", q, lambda x: x.statement()))
173
174    if args.initialsidquery or args.all:
175        q = setools.InitialSIDQuery(p)
176        if isinstance(args.initialsidquery, str):
177            q.name = args.initialsidquery
178
179        components.append(("Initial SIDs", q, lambda x: x.statement()))
180
181    if args.netifconquery or args.all:
182        q = setools.NetifconQuery(p)
183        if isinstance(args.netifconquery, str):
184            q.name = args.netifconquery
185
186        components.append(("Netifcon", q, lambda x: x.statement()))
187
188    if args.nodeconquery or args.all:
189        q = setools.NodeconQuery(p)
190        if isinstance(args.nodeconquery, str):
191            q.network = args.nodeconquery
192
193        components.append(("Nodecon", q, lambda x: x.statement()))
194
195    if args.permissivequery or args.all:
196        q = setools.TypeQuery(p, permissive=True, match_permissive=True)
197        if isinstance(args.permissivequery, str):
198            q.name = args.permissivequery
199
200        components.append(("Permissive Types", q, lambda x: x.statement()))
201
202    if args.polcapquery or args.all:
203        q = setools.PolCapQuery(p)
204        if isinstance(args.polcapquery, str):
205            q.name = args.polcapquery
206
207        components.append(("Polcap", q, lambda x: x.statement()))
208
209    if args.portconquery or args.all:
210        q = setools.PortconQuery(p)
211        if isinstance(args.portconquery, str):
212            try:
213                ports = [int(i) for i in args.portconquery.split("-")]
214            except ValueError:
215                parser.error("Enter a port number or range, e.g. 22 or 6000-6020")
216
217            if len(ports) == 2:
218                q.ports = ports
219            elif len(ports) == 1:
220                q.ports = (ports[0], ports[0])
221            else:
222                parser.error("Enter a port number or range, e.g. 22 or 6000-6020")
223
224        components.append(("Portcon", q, lambda x: x.statement()))
225
226    if args.rolequery or args.all:
227        q = setools.RoleQuery(p)
228        if isinstance(args.rolequery, str):
229            q.name = args.rolequery
230
231        components.append(("Roles", q, lambda x: x.statement()))
232
233    if args.mlssensquery or args.all:
234        q = setools.SensitivityQuery(p)
235        if isinstance(args.mlssensquery, str):
236            q.name = args.mlssensquery
237
238        components.append(("Sensitivities", q, lambda x: x.statement()))
239
240    if args.typeboundsquery or args.all:
241        q = setools.BoundsQuery(p, ruletype=["typebounds"])
242        if isinstance(args.typeboundsquery, str):
243            q.child = args.typeboundsquery
244
245        components.append(("Typebounds", q, lambda x: x.statement()))
246
247    if args.typequery or args.all:
248        q = setools.TypeQuery(p)
249        if isinstance(args.typequery, str):
250            q.name = args.typequery
251
252        components.append(("Types", q, lambda x: x.statement()))
253
254    if args.typeattrquery or args.all:
255        q = setools.TypeAttributeQuery(p)
256        if isinstance(args.typeattrquery, str):
257            q.name = args.typeattrquery
258
259        components.append(("Type Attributes", q, expand_attr))
260
261    if args.userquery or args.all:
262        q = setools.UserQuery(p)
263        if isinstance(args.userquery, str):
264            q.name = args.userquery
265
266        components.append(("Users", q, lambda x: x.statement()))
267
268    if args.validatetransquery or args.all:
269        q = setools.ConstraintQuery(p, ruletype=["validatetrans", "mlsvalidatetrans"])
270        if isinstance(args.validatetransquery, str):
271            q.tclass = [args.validatetransquery]
272
273        components.append(("Validatetrans", q, lambda x: x.statement()))
274
275    if p.target_platform == "xen":
276        if args.ioportconquery or args.all:
277            q = setools.IoportconQuery(p)
278            components.append(("Ioportcon", q, lambda x: x.statement()))
279
280        if args.iomemconquery or args.all:
281            q = setools.IomemconQuery(p)
282            components.append(("Iomemcon", q, lambda x: x.statement()))
283
284        if args.pcideviceconquery or args.all:
285            q = setools.PcideviceconQuery(p)
286            components.append(("Pcidevicecon", q, lambda x: x.statement()))
287
288        if args.pirqconquery or args.all:
289            q = setools.PirqconQuery(p)
290            components.append(("Pirqcon", q, lambda x: x.statement()))
291
292        if args.devicetreeconquery or args.all:
293            q = setools.DevicetreeconQuery(p)
294            components.append(("Devicetreecon", q, lambda x: x.statement()))
295
296    if (not components or args.all) and not args.flat:
297        mls = "enabled" if p.mls else "disabled"
298
299        print("Statistics for policy file: {0}".format(p))
300        print("Policy Version:             {0} (MLS {1})".format(p.version, mls))
301        print("Target Policy:              {0}".format(p.target_platform))
302        print("Handle unknown classes:     {0}".format(p.handle_unknown))
303        print("  Classes:         {0:7}    Permissions:     {1:7}".format(
304            p.class_count, p.permission_count))
305        print("  Sensitivities:   {0:7}    Categories:      {1:7}".format(
306            p.level_count, p.category_count))
307        print("  Types:           {0:7}    Attributes:      {1:7}".format(
308            p.type_count, p.type_attribute_count))
309        print("  Users:           {0:7}    Roles:           {1:7}".format(
310            p.user_count, p.role_count))
311        print("  Booleans:        {0:7}    Cond. Expr.:     {1:7}".format(
312            p.boolean_count, p.conditional_count))
313        print("  Allow:           {0:7}    Neverallow:      {1:7}".format(
314            p.allow_count, p.neverallow_count))
315        print("  Auditallow:      {0:7}    Dontaudit:       {1:7}".format(
316            p.auditallow_count, p.dontaudit_count))
317        print("  Type_trans:      {0:7}    Type_change:     {1:7}".format(
318            p.type_transition_count, p.type_change_count))
319        print("  Type_member:     {0:7}    Range_trans:     {1:7}".format(
320            p.type_member_count, p.range_transition_count))
321        print("  Role allow:      {0:7}    Role_trans:      {1:7}".format(
322            p.role_allow_count, p.role_transition_count))
323        print("  Constraints:     {0:7}    Validatetrans:   {1:7}".format(
324            p.constraint_count, p.validatetrans_count))
325        print("  MLS Constrain:   {0:7}    MLS Val. Tran:   {1:7}".format(
326            p.mlsconstraint_count, p.mlsvalidatetrans_count))
327        print("  Permissives:     {0:7}    Polcap:          {1:7}".format(
328            p.permissives_count, p.polcap_count))
329        print("  Defaults:        {0:7}    Typebounds:      {1:7}".format(
330            p.default_count, p.typebounds_count))
331
332        if p.target_platform == "selinux":
333            print("  Allowxperm:      {0:7}    Neverallowxperm: {1:7}".format(
334                p.allowxperm_count, p.neverallowxperm_count))
335            print("  Auditallowxperm: {0:7}    Dontauditxperm:  {1:7}".format(
336                p.auditallowxperm_count, p.dontauditxperm_count))
337            print("  Initial SIDs:    {0:7}    Fs_use:          {1:7}".format(
338                p.initialsids_count, p.fs_use_count))
339            print("  Genfscon:        {0:7}    Portcon:         {1:7}".format(
340                p.genfscon_count, p.portcon_count))
341            print("  Netifcon:        {0:7}    Nodecon:         {1:7}".format(
342                p.netifcon_count, p.nodecon_count))
343        elif p.target_platform == "xen":
344            print("  Initial SIDs:    {0:7}    Devicetreecon    {1:7}".format(
345                p.initialsids_count, p.devicetreecon_count))
346            print("  Iomemcon:        {0:7}    Ioportcon:       {1:7}".format(
347                p.iomemcon_count, p.ioportcon_count))
348            print("  Pcidevicecon:    {0:7}    Pirqcon:         {1:7}".format(
349                p.pcidevicecon_count, p.pirqcon_count))
350
351    for desc, component, expander in components:
352        results = sorted(component.results())
353        if not args.flat:
354            print("\n{0}: {1}".format(desc, len(results)))
355        for item in results:
356            result = expander(item) if args.expand else item
357            strfmt = "   {0}" if not args.flat else "{0}"
358            print(strfmt.format(result))
359
360except Exception as err:
361    if args.debug:
362        logging.exception(str(err))
363    else:
364        print(err)
365
366    sys.exit(1)
367