1#!/usr/bin/python 2# Copyright 2014-2015, Tresys Technology, LLC 3# 4# This file is part of SETools. 5# 6# SETools is free software: you can redistribute it and/or modify 7# it under the terms of the GNU General Public License as published by 8# the Free Software Foundation, either version 2 of the License, or 9# (at your option) any later version. 10# 11# SETools is distributed in the hope that it will be useful, 12# but WITHOUT ANY WARRANTY; without even the implied warranty of 13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14# GNU General Public License for more details. 15# 16# You should have received a copy of the GNU General Public License 17# along with SETools. If not, see <http://www.gnu.org/licenses/>. 18# 19 20from __future__ import print_function 21import setools 22import argparse 23import sys 24import logging 25 26 27def expand_attr(attr): 28 """Render type and role attributes.""" 29 items = "\n\t".join(sorted(str(i) for i in attr.expand())) 30 contents = items if items else "<empty set>" 31 return "{0}\n\t{1}".format(attr.statement(), contents) 32 33parser = argparse.ArgumentParser( 34 description="SELinux policy information tool.") 35parser.add_argument("--version", action="version", version=setools.__version__) 36parser.add_argument("policy", help="Path to the SELinux policy to query.", nargs="?") 37parser.add_argument("-x", "--expand", action="store_true", 38 help="Print additional information about the specified components.") 39parser.add_argument("--flat", help="Print without item count nor indentation.", 40 dest="flat", default=False, action="store_true") 41parser.add_argument("-v", "--verbose", action="store_true", 42 help="Print extra informational messages") 43parser.add_argument("--debug", action="store_true", dest="debug", help="Enable debugging.") 44 45queries = parser.add_argument_group("Component Queries") 46queries.add_argument("-a", "--attribute", help="Print type attributes.", dest="typeattrquery", 47 nargs='?', const=True, metavar="ATTR") 48queries.add_argument("-b", "--bool", help="Print Booleans.", dest="boolquery", 49 nargs='?', const=True, metavar="BOOL") 50queries.add_argument("-c", "--class", help="Print object classes.", dest="classquery", 51 nargs='?', const=True, metavar="CLASS") 52queries.add_argument("-r", "--role", help="Print roles.", dest="rolequery", 53 nargs='?', const=True, metavar="ROLE") 54queries.add_argument("-t", "--type", help="Print types.", dest="typequery", 55 nargs='?', const=True, metavar="TYPE") 56queries.add_argument("-u", "--user", help="Print users.", dest="userquery", 57 nargs='?', const=True, metavar="USER") 58queries.add_argument("--category", help="Print MLS categories.", dest="mlscatsquery", 59 nargs='?', const=True, metavar="CAT") 60queries.add_argument("--common", help="Print common permission set.", dest="commonquery", 61 nargs='?', const=True, metavar="COMMON") 62queries.add_argument("--constrain", help="Print constraints.", dest="constraintquery", 63 nargs='?', const=True, metavar="CLASS") 64queries.add_argument("--fs_use", help="Print fs_use statements.", dest="fsusequery", 65 nargs='?', const=True, metavar="FS_TYPE") 66queries.add_argument("--genfscon", help="Print genfscon statements.", dest="genfsconquery", 67 nargs='?', const=True, metavar="FS_TYPE") 68queries.add_argument("--initialsid", help="Print initial SIDs (contexts).", dest="initialsidquery", 69 nargs='?', const=True, metavar="NAME") 70queries.add_argument("--netifcon", help="Print netifcon statements.", dest="netifconquery", 71 nargs='?', const=True, metavar="DEVICE") 72queries.add_argument("--nodecon", help="Print nodecon statements.", dest="nodeconquery", 73 nargs='?', const=True, metavar="ADDR") 74queries.add_argument("--permissive", help="Print permissive types.", dest="permissivequery", 75 nargs='?', const=True, metavar="TYPE") 76queries.add_argument("--polcap", help="Print policy capabilities.", dest="polcapquery", 77 nargs='?', const=True, metavar="NAME") 78queries.add_argument("--portcon", help="Print portcon statements.", dest="portconquery", 79 nargs='?', const=True, metavar="PORTNUM[-PORTNUM]") 80queries.add_argument("--sensitivity", help="Print MLS sensitivities.", dest="mlssensquery", 81 nargs='?', const=True, metavar="SENS") 82queries.add_argument("--validatetrans", help="Print validatetrans.", dest="validatetransquery", 83 nargs='?', const=True, metavar="CLASS") 84queries.add_argument("--all", help="Print all of the above.", 85 dest="all", default=False, action="store_true") 86 87args = parser.parse_args() 88 89if args.debug: 90 logging.basicConfig(level=logging.DEBUG, 91 format='%(asctime)s|%(levelname)s|%(name)s|%(message)s') 92elif args.verbose: 93 logging.basicConfig(level=logging.INFO, format='%(message)s') 94else: 95 logging.basicConfig(level=logging.WARNING, format='%(message)s') 96 97try: 98 p = setools.SELinuxPolicy(args.policy) 99 components = [] 100 101 if args.boolquery or args.all: 102 q = setools.BoolQuery(p) 103 if isinstance(args.boolquery, str): 104 q.name = args.boolquery 105 106 components.append(("Booleans", q, lambda x: x.statement())) 107 108 if args.mlscatsquery or args.all: 109 q = setools.CategoryQuery(p) 110 if isinstance(args.mlscatsquery, str): 111 q.name = args.mlscatsquery 112 113 components.append(("Categories", q, lambda x: x.statement())) 114 115 if args.classquery or args.all: 116 q = setools.ObjClassQuery(p) 117 if isinstance(args.classquery, str): 118 q.name = args.classquery 119 120 components.append(("Classes", q, lambda x: x.statement())) 121 122 if args.commonquery or args.all: 123 q = setools.CommonQuery(p) 124 if isinstance(args.commonquery, str): 125 q.name = args.commonquery 126 127 components.append(("Commons", q, lambda x: x.statement())) 128 129 if args.constraintquery or args.all: 130 q = setools.ConstraintQuery(p, ruletype=["constrain", "mlsconstrain"]) 131 if isinstance(args.constraintquery, str): 132 q.tclass = [args.constraintquery] 133 134 components.append(("Constraints", q, lambda x: x.statement())) 135 136 if args.fsusequery or args.all: 137 q = setools.FSUseQuery(p) 138 if isinstance(args.fsusequery, str): 139 q.fs = args.fsusequery 140 141 components.append(("Fs_use", q, lambda x: x.statement())) 142 143 if args.genfsconquery or args.all: 144 q = setools.GenfsconQuery(p) 145 if isinstance(args.genfsconquery, str): 146 q.fs = args.genfsconquery 147 148 components.append(("Genfscon", q, lambda x: x.statement())) 149 150 if args.initialsidquery or args.all: 151 q = setools.InitialSIDQuery(p) 152 if isinstance(args.initialsidquery, str): 153 q.name = args.initialsidquery 154 155 components.append(("Initial SIDs", q, lambda x: x.statement())) 156 157 if args.netifconquery or args.all: 158 q = setools.NetifconQuery(p) 159 if isinstance(args.netifconquery, str): 160 q.name = args.netifconquery 161 162 components.append(("Netifcon", q, lambda x: x.statement())) 163 164 if args.nodeconquery or args.all: 165 q = setools.NodeconQuery(p) 166 if isinstance(args.nodeconquery, str): 167 q.network = args.nodeconquery 168 169 components.append(("Nodecon", q, lambda x: x.statement())) 170 171 if args.permissivequery or args.all: 172 q = setools.TypeQuery(p, permissive=True, match_permissive=True) 173 if isinstance(args.permissivequery, str): 174 q.name = args.permissivequery 175 176 components.append(("Permissive Types", q, lambda x: x.statement())) 177 178 if args.polcapquery or args.all: 179 q = setools.PolCapQuery(p) 180 if isinstance(args.polcapquery, str): 181 q.name = args.polcapquery 182 183 components.append(("Polcap", q, lambda x: x.statement())) 184 185 if args.portconquery or args.all: 186 q = setools.PortconQuery(p) 187 if isinstance(args.portconquery, str): 188 try: 189 ports = [int(i) for i in args.portconquery.split("-")] 190 except ValueError: 191 parser.error("Enter a port number or range, e.g. 22 or 6000-6020") 192 193 if len(ports) == 2: 194 q.ports = ports 195 elif len(ports) == 1: 196 q.ports = (ports[0], ports[0]) 197 else: 198 parser.error("Enter a port number or range, e.g. 22 or 6000-6020") 199 200 components.append(("Portcon", q, lambda x: x.statement())) 201 202 if args.rolequery or args.all: 203 q = setools.RoleQuery(p) 204 if isinstance(args.rolequery, str): 205 q.name = args.rolequery 206 207 components.append(("Roles", q, lambda x: x.statement())) 208 209 if args.mlssensquery or args.all: 210 q = setools.SensitivityQuery(p) 211 if isinstance(args.mlssensquery, str): 212 q.name = args.mlssensquery 213 214 components.append(("Sensitivities", q, lambda x: x.statement())) 215 216 if args.typequery or args.all: 217 q = setools.TypeQuery(p) 218 if isinstance(args.typequery, str): 219 q.name = args.typequery 220 221 components.append(("Types", q, lambda x: x.statement())) 222 223 if args.typeattrquery or args.all: 224 q = setools.TypeAttributeQuery(p) 225 if isinstance(args.typeattrquery, str): 226 q.name = args.typeattrquery 227 228 components.append(("Type Attributes", q, expand_attr)) 229 230 if args.userquery or args.all: 231 q = setools.UserQuery(p) 232 if isinstance(args.userquery, str): 233 q.name = args.userquery 234 235 components.append(("Users", q, lambda x: x.statement())) 236 237 if args.validatetransquery or args.all: 238 q = setools.ConstraintQuery(p, ruletype=["validatetrans", "mlsvalidatetrans"]) 239 if isinstance(args.validatetransquery, str): 240 q.tclass = [args.validatetransquery] 241 242 components.append(("Validatetrans", q, lambda x: x.statement())) 243 244 if (not components or args.all) and not args.flat: 245 mls = "enabled" if p.mls else "disabled" 246 247 print("Statistics for policy file: {0}".format(p)) 248 print("Policy Version: {0} (MLS {1})".format(p.version, mls)) 249 print(" Classes: {0:7} Permissions: {1:7}".format( 250 p.class_count, p.permission_count)) 251 print(" Sensitivities: {0:7} Categories: {1:7}".format( 252 p.level_count, p.category_count)) 253 print(" Types: {0:7} Attributes: {1:7}".format( 254 p.type_count, p.type_attribute_count)) 255 print(" Users: {0:7} Roles: {1:7}".format( 256 p.user_count, p.role_count)) 257 print(" Booleans: {0:7} Cond. Expr.: {1:7}".format( 258 p.boolean_count, p.conditional_count)) 259 print(" Allow: {0:7} Neverallow: {1:7}".format( 260 p.allow_count, p.neverallow_count)) 261 print(" Auditallow: {0:7} Dontaudit: {1:7}".format( 262 p.auditallow_count, p.dontaudit_count)) 263 print(" Type_trans: {0:7} Type_change: {1:7}".format( 264 p.type_transition_count, p.type_change_count)) 265 print(" Type_member: {0:7} Range_trans: {1:7}".format( 266 p.type_member_count, p.range_transition_count)) 267 print(" Role allow: {0:7} Role_trans: {1:7}".format( 268 p.role_allow_count, p.role_transition_count)) 269 print(" Constraints: {0:7} Validatetrans: {1:7}".format( 270 p.constraint_count, p.validatetrans_count)) 271 print(" MLS Constrain: {0:7} MLS Val. Tran: {1:7}".format( 272 p.mlsconstraint_count, p.mlsvalidatetrans_count)) 273 print(" Initial SIDs: {0:7} Fs_use: {1:7}".format( 274 p.initialsids_count, p.fs_use_count)) 275 print(" Genfscon: {0:7} Portcon: {1:7}".format( 276 p.genfscon_count, p.portcon_count)) 277 print(" Netifcon: {0:7} Nodecon: {1:7}".format( 278 p.netifcon_count, p.nodecon_count)) 279 print(" Permissives: {0:7} Polcap: {1:7}".format( 280 p.permissives_count, p.polcap_count)) 281 282 for desc, component, expander in components: 283 results = sorted(component.results()) 284 if not args.flat: 285 print("\n{0}: {1}".format(desc, len(results))) 286 for item in results: 287 result = expander(item) if args.expand else item 288 strfmt = " {0}" if not args.flat else "{0}" 289 print(strfmt.format(result)) 290 291except Exception as err: 292 if args.debug: 293 import traceback 294 traceback.print_exc() 295 else: 296 print(err) 297 298 sys.exit(-1) 299