• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#! /usr/bin/python -Es
2# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
3# Authors: Dan Walsh <dwalsh@redhat.com>
4#
5# Copyright (C) 2006-2013  Red Hat
6# see file 'COPYING' for use and warranty information
7#
8# This program is free software; you can redistribute it and/or
9# modify it under the terms of the GNU General Public License as
10# published by the Free Software Foundation; version 2 only
11#
12# This program is distributed in the hope that it will be useful,
13# but WITHOUT ANY WARRANTY; without even the implied warranty of
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15# GNU General Public License for more details.
16#
17# You should have received a copy of the GNU General Public License
18# along with this program; if not, write to the Free Software
19# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20#
21
22import sys
23import os
24
25import sepolgen.audit as audit
26import sepolgen.policygen as policygen
27import sepolgen.interfaces as interfaces
28import sepolgen.output as output
29import sepolgen.objectmodel as objectmodel
30import sepolgen.defaults as defaults
31import sepolgen.module as module
32from sepolgen.sepolgeni18n import _
33import selinux.audit2why as audit2why
34import locale
35try:
36    locale.setlocale(locale.LC_ALL, '')
37except:
38    pass
39
40
41class AuditToPolicy:
42    VERSION = "%prog .1"
43    SYSLOG = "/var/log/messages"
44
45    def __init__(self):
46        self.__options = None
47        self.__parser = None
48        self.__avs = None
49
50    def __parse_options(self):
51        from optparse import OptionParser
52
53        parser = OptionParser(version=self.VERSION)
54        parser.add_option("-b", "--boot", action="store_true", dest="boot", default=False,
55                          help="audit messages since last boot conflicts with -i")
56        parser.add_option("-a", "--all", action="store_true", dest="audit", default=False,
57                          help="read input from audit log - conflicts with -i")
58        parser.add_option("-p", "--policy", dest="policy", default=None, help="Policy file to use for analysis")
59        parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
60                          help="read input from dmesg - conflicts with --all and --input")
61        parser.add_option("-i", "--input", dest="input",
62                          help="read input from <input> - conflicts with -a")
63        parser.add_option("-l", "--lastreload", action="store_true", dest="lastreload", default=False,
64                          help="read input only after the last reload")
65        parser.add_option("-r", "--requires", action="store_true", dest="requires", default=False,
66                          help="generate require statements for rules")
67        parser.add_option("-m", "--module", dest="module",
68                          help="set the module name - implies --requires")
69        parser.add_option("-M", "--module-package", dest="module_package",
70                          help="generate a module package - conflicts with -o and -m")
71        parser.add_option("-o", "--output", dest="output",
72                          help="append output to <filename>, conflicts with -M")
73        parser.add_option("-D", "--dontaudit", action="store_true",
74                          dest="dontaudit", default=False,
75                          help="generate policy with dontaudit rules")
76        parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
77                          default=True, help="generate refpolicy style output")
78
79        parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
80                          default=False, help="do not generate refpolicy style output")
81        parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
82                          default=False, help="explain generated output")
83        parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
84                          default=False, help="fully explain generated output")
85        parser.add_option("-t", "--type", help="only process messages with a type that matches this regex",
86                          dest="type")
87        parser.add_option("--perm-map", dest="perm_map", help="file name of perm map")
88        parser.add_option("--interface-info", dest="interface_info", help="file name of interface information")
89        parser.add_option("--debug", dest="debug", action="store_true", default=False,
90                          help="leave generated modules for -M")
91        parser.add_option("-w", "--why", dest="audit2why", action="store_true", default=(os.path.basename(sys.argv[0]) == "audit2why"),
92                          help="Translates SELinux audit messages into a description of why the access was denied")
93
94        options, args = parser.parse_args()
95
96        # Make -d, -a, and -i conflict
97        if options.audit is True or options.boot:
98            if options.input is not None:
99                sys.stderr.write("error: --all/--boot conflicts with --input\n")
100            if options.dmesg is True:
101                sys.stderr.write("error: --all/--boot conflicts with --dmesg\n")
102        if options.input is not None and options.dmesg is True:
103            sys.stderr.write("error: --input conflicts with --dmesg\n")
104
105        # Turn on requires generation if a module name is given. Also verify
106        # the module name.
107        if options.module:
108            name = options.module
109        else:
110            name = options.module_package
111        if name:
112            options.requires = True
113            if not module.is_valid_name(name):
114                sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n')
115                sys.exit(2)
116
117        # Make -M and -o conflict
118        if options.module_package:
119            if options.output:
120                sys.stderr.write("error: --module-package conflicts with --output\n")
121                sys.exit(2)
122            if options.module:
123                sys.stderr.write("error: --module-package conflicts with --module\n")
124                sys.exit(2)
125
126        self.__options = options
127
128    def __read_input(self):
129        parser = audit.AuditParser(last_load_only=self.__options.lastreload)
130
131        filename = None
132        messages = None
133        f = None
134
135        # Figure out what input we want
136        if self.__options.input is not None:
137            filename = self.__options.input
138        elif self.__options.dmesg:
139            messages = audit.get_dmesg_msgs()
140        elif self.__options.audit:
141            try:
142                messages = audit.get_audit_msgs()
143            except OSError as e:
144                sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
145                sys.exit(1)
146        elif self.__options.boot:
147            try:
148                messages = audit.get_audit_boot_msgs()
149            except OSError as e:
150                sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
151                sys.exit(1)
152        else:
153            # This is the default if no input is specified
154            f = sys.stdin
155
156        # Get the input
157        if filename is not None:
158            try:
159                f = open(filename)
160            except IOError as e:
161                sys.stderr.write('could not open file %s - "%s"\n' % (filename, str(e)))
162                sys.exit(1)
163
164        if f is not None:
165            parser.parse_file(f)
166            f.close()
167
168        if messages is not None:
169            parser.parse_string(messages)
170
171        self.__parser = parser
172
173    def __process_input(self):
174        if self.__options.type:
175            avcfilter = audit.AVCTypeFilter(self.__options.type)
176            self.__avs = self.__parser.to_access(avcfilter)
177            csfilter = audit.ComputeSidTypeFilter(self.__options.type)
178            self.__role_types = self.__parser.to_role(csfilter)
179        else:
180            self.__avs = self.__parser.to_access()
181            self.__role_types = self.__parser.to_role()
182
183    def __load_interface_info(self):
184        # Load interface info file
185        if self.__options.interface_info:
186            fn = self.__options.interface_info
187        else:
188            fn = defaults.interface_info()
189        try:
190            fd = open(fn)
191        except:
192            sys.stderr.write("could not open interface info [%s]\n" % fn)
193            sys.exit(1)
194
195        ifs = interfaces.InterfaceSet()
196        ifs.from_file(fd)
197        fd.close()
198
199        # Also load perm maps
200        if self.__options.perm_map:
201            fn = self.__options.perm_map
202        else:
203            fn = defaults.perm_map()
204        try:
205            fd = open(fn)
206        except:
207            sys.stderr.write("could not open perm map [%s]\n" % fn)
208            sys.exit(1)
209
210        perm_maps = objectmodel.PermMappings()
211        perm_maps.from_file(fd)
212
213        return (ifs, perm_maps)
214
215    def __output_modulepackage(self, writer, generator):
216        generator.set_module_name(self.__options.module_package)
217        filename = self.__options.module_package + ".te"
218        packagename = self.__options.module_package + ".pp"
219
220        try:
221            fd = open(filename, "w")
222        except IOError as e:
223            sys.stderr.write("could not write output file: %s\n" % str(e))
224            sys.exit(1)
225
226        writer.write(generator.get_module(), fd)
227        fd.close()
228
229        mc = module.ModuleCompiler()
230
231        try:
232            mc.create_module_package(filename, self.__options.refpolicy)
233        except RuntimeError as e:
234            print(e)
235            sys.exit(1)
236
237        sys.stdout.write(_("******************** IMPORTANT ***********************\n"))
238        sys.stdout.write((_("To make this policy package active, execute:" +
239                            "\n\nsemodule -i %s\n\n") % packagename))
240
241    def __output_audit2why(self):
242        import selinux
243        import sepolicy
244        for i in self.__parser.avc_msgs:
245            rc = i.type
246            data = i.data
247            if rc >= 0:
248                print("%s\n\tWas caused by:" % i.message)
249            if rc == audit2why.ALLOW:
250                print("\t\tUnknown - would be allowed by active policy")
251                print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n")
252                print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n")
253                continue
254            if rc == audit2why.DONTAUDIT:
255                print("\t\tUnknown - should be dontaudit'd by active policy")
256                print("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n")
257                print("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n")
258                continue
259            if rc == audit2why.BOOLEAN:
260                if len(data) > 1:
261                    print("\tOne of the following booleans was set incorrectly.")
262                    for b in data:
263                        print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(b[0]))
264                        print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1]))
265                else:
266                    print("\tThe boolean %s was set incorrectly. " % (data[0][0]))
267                    print("\tDescription:\n\t%s\n" % sepolicy.boolean_desc(data[0][0]))
268                    print("\tAllow access by executing:\n\t# setsebool -P %s %d" % (data[0][0], data[0][1]))
269                continue
270
271            if rc == audit2why.TERULE:
272                print("\t\tMissing type enforcement (TE) allow rule.\n")
273                print("\t\tYou can use audit2allow to generate a loadable module to allow this access.\n")
274                continue
275
276            if rc == audit2why.CONSTRAINT:
277                print()  # !!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n"
278                print("#Constraint rule:")
279                print("\n#\t" + data[0])
280                for reason in data[1:]:
281                    print("#\tPossible cause is the source %s and target %s are different.\n" % reason)
282
283            if rc == audit2why.RBAC:
284                print("\t\tMissing role allow rule.\n")
285                print("\t\tAdd an allow rule for the role pair.\n")
286                continue
287
288            if rc == audit2why.BOUNDS:
289                print("\t\tTypebounds violation.\n")
290                print("\t\tAdd an allow rule for the parent type.\n")
291                continue
292
293        audit2why.finish()
294        return
295
296    def __output(self):
297
298        if self.__options.audit2why:
299            try:
300                return self.__output_audit2why()
301            except RuntimeError as e:
302                print(e)
303                sys.exit(1)
304
305        g = policygen.PolicyGenerator()
306
307        g.set_gen_dontaudit(self.__options.dontaudit)
308
309        if self.__options.module:
310            g.set_module_name(self.__options.module)
311
312        # Interface generation
313        if self.__options.refpolicy:
314            ifs, perm_maps = self.__load_interface_info()
315            g.set_gen_refpol(ifs, perm_maps)
316
317        # Explanation
318        if self.__options.verbose:
319            g.set_gen_explain(policygen.SHORT_EXPLANATION)
320        if self.__options.explain_long:
321            g.set_gen_explain(policygen.LONG_EXPLANATION)
322
323        # Requires
324        if self.__options.requires:
325            g.set_gen_requires(True)
326
327        # Generate the policy
328        g.add_access(self.__avs)
329        g.add_role_types(self.__role_types)
330
331        # Output
332        writer = output.ModuleWriter()
333
334        # Module package
335        if self.__options.module_package:
336            self.__output_modulepackage(writer, g)
337        else:
338            # File or stdout
339            if self.__options.module:
340                g.set_module_name(self.__options.module)
341
342            if self.__options.output:
343                fd = open(self.__options.output, "a")
344            else:
345                fd = sys.stdout
346            writer.write(g.get_module(), fd)
347
348    def main(self):
349        try:
350            self.__parse_options()
351            if self.__options.policy:
352                audit2why.init(self.__options.policy)
353            else:
354                audit2why.init()
355
356            self.__read_input()
357            self.__process_input()
358            self.__output()
359        except KeyboardInterrupt:
360            sys.exit(0)
361        except ValueError as e:
362            print(e)
363            sys.exit(1)
364        except IOError as e:
365            print(e)
366            sys.exit(1)
367
368if __name__ == "__main__":
369    app = AuditToPolicy()
370    app.main()
371