1#!/usr/bin/env python
2
3import argparse
4import policy
5
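def _csv_set(value):
    """Split a comma-separated option value into a set of non-empty items.

    Surrounding whitespace is stripped and empty items (e.g. from a trailing
    comma) are dropped.  ``None``/empty input yields an empty set, which the
    query below treats as "no filter on this field".
    """
    if not value:
        return set()
    return {item.strip() for item in value.split(",") if item.strip()}


def _format_rule(rule):
    """Render one TE rule in sesearch-style ``allow`` syntax.

    One permission is printed bare, several are wrapped in ``{ }``.  Only the
    ``sctx``, ``tctx``, ``tclass`` and ``perms`` attributes of *rule* are read.
    """
    perms = " ".join(rule.perms)
    if len(rule.perms) > 1:
        perms = "{ " + perms + " }"
    return "allow {} {}:{} {};".format(rule.sctx, rule.tctx, rule.tclass, perms)


parser = argparse.ArgumentParser(
    description="SELinux policy rule search tool. Intended to have a similar "
        + "API as sesearch, but simplified to use only code available in AOSP")
parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")
tertypes = parser.add_argument_group("TE Rule Types")
# "allow" is the only TE rule type this tool implements; the group exists so
# further sesearch rule types can be added with the same append_const shape.
tertypes.add_argument("--allow", action="append_const",
                    const="allow", dest="tertypes",
                    help="Search allow rules.")
expr = parser.add_argument_group("Expressions")
expr.add_argument("-s", "--source",
                  help="Source type/role of the TE/RBAC rule.")
expr.add_argument("-t", "--target",
                  help="Target type/role of the TE/RBAC rule.")
expr.add_argument("-c", "--class", dest="tclass",
                  help="Comma separated list of object classes")
expr.add_argument("-p", "--perms", metavar="PERMS",
                  help="Comma separated list of permissions.")

args = parser.parse_args()

# parser.error() prints usage and exits with status 2, so nothing below runs
# unless every required argument is present.
if not args.tertypes:
    parser.error("Must specify \"--allow\"")

if not args.policy:
    parser.error("Must include path to policy")
if not args.libpath:
    parser.error("Must include path to libsepolwrap library")

# Refuse an unfiltered query: with no expression every rule in the policy
# would match.
if not (args.source or args.target or args.tclass or args.perms):
    parser.error("Must specify something to filter on, e.g. --source, --target, etc.")

# NOTE(review): the libpath argument is presumably loaded as a native shared
# object by policy.Policy — confirm in policy.py; treat it as a trusted,
# operator-controlled path, not user input.
pol = policy.Policy(args.policy, None, args.libpath)

# Source and target are single names; class and perms are comma lists.
# An empty set means "do not filter on this field".
scontext = {args.source} if args.source else set()
tcontext = {args.target} if args.target else set()
tclass = _csv_set(args.tclass)
perms = _csv_set(args.perms)

TERules = pol.QueryTERule(scontext=scontext,
                       tcontext=tcontext,
                       tclass=tclass,
                       perms=perms)

# Sort so the output is stable regardless of the order the policy returns
# rules in (makes diffs between policies meaningful).
rules = sorted(_format_rule(r) for r in TERules)

for r in rules:
    print(r)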
74