diff options
Diffstat (limited to 'lib/python2.7/site-packages/setools/policyrep/terule.py')
-rw-r--r-- | lib/python2.7/site-packages/setools/policyrep/terule.py | 155 |
1 files changed, 155 insertions, 0 deletions
diff --git a/lib/python2.7/site-packages/setools/policyrep/terule.py b/lib/python2.7/site-packages/setools/policyrep/terule.py new file mode 100644 index 0000000..d8a9e94 --- /dev/null +++ b/lib/python2.7/site-packages/setools/policyrep/terule.py @@ -0,0 +1,155 @@ +# Copyright 2014, Tresys Technology, LLC +# +# This file is part of SETools. +# +# SETools is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as +# published by the Free Software Foundation, either version 2.1 of +# the License, or (at your option) any later version. +# +# SETools is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with SETools. If not, see +# <http://www.gnu.org/licenses/>. +# +from . import exception +from . import qpol +from . import rule +from . import typeattr +from . import boolcond + + +def te_rule_factory(policy, symbol): + """Factory function for creating TE rule objects.""" + + if isinstance(symbol, qpol.qpol_avrule_t): + return AVRule(policy, symbol) + elif isinstance(symbol, (qpol.qpol_terule_t, qpol.qpol_filename_trans_t)): + return TERule(policy, symbol) + else: + raise TypeError("TE rules cannot be looked-up.") + + +def validate_ruletype(types): + """Validate TE Rule types.""" + for t in types: + if t not in ["allow", "auditallow", "dontaudit", "neverallow", + "type_transition", "type_member", "type_change"]: + raise exception.InvalidTERuleType("{0} is not a valid TE rule type.".format(t)) + + +class BaseTERule(rule.PolicyRule): + + """A type enforcement rule.""" + + @property + def source(self): + """The rule's source type/attribute.""" + return typeattr.type_or_attr_factory(self.policy, self.qpol_symbol.source_type(self.policy)) + + @property + def target(self): + """The rule's target type/attribute.""" + return typeattr.type_or_attr_factory(self.policy, self.qpol_symbol.target_type(self.policy)) + + @property + def filename(self): + raise NotImplementedError + + @property + def conditional(self): + """The rule's conditional expression.""" + try: + return boolcond.condexpr_factory(self.policy, self.qpol_symbol.cond(self.policy)) + except (AttributeError, ValueError): + # AttributeError: name filetrans rules cannot be conditional + # so no member function + # ValueError: The rule is not conditional + raise exception.RuleNotConditional + + +class AVRule(BaseTERule): + + """An access vector type enforcement rule.""" + + def __str__(self): + rule_string = "{0.ruletype} {0.source} {0.target}:{0.tclass} ".format( + self) + + perms = self.perms + + # allow/dontaudit/auditallow/neverallow rules + if len(perms) > 1: + rule_string += "{{ {0} }};".format(' '.join(perms)) + else: + # convert to list since sets cannot be indexed + rule_string += "{0};".format(list(perms)[0]) + + try: + rule_string += " [ {0} ]".format(self.conditional) + except exception.RuleNotConditional: + pass + + return rule_string + + @property + def perms(self): + """The rule's permission set.""" + return set(self.qpol_symbol.perm_iter(self.policy)) + + @property + def default(self): + """The rule's default type.""" + raise exception.RuleUseError("{0} rules do not have a default type.".format(self.ruletype)) + + @property + def filename(self): + raise exception.RuleUseError("{0} rules do not have file names".format(self.ruletype)) + + +class TERule(BaseTERule): + + """A type_* type enforcement rule.""" + + def __str__(self): + rule_string = "{0.ruletype} {0.source} {0.target}:{0.tclass} {0.default}".format(self) + + try: + rule_string += " \"{0}\";".format(self.filename) + except (exception.TERuleNoFilename, exception.RuleUseError): + # invalid use for type_change/member + rule_string += ";" + + try: + rule_string += " [ {0} ]".format(self.conditional) + except exception.RuleNotConditional: + pass + + return rule_string + + @property + def perms(self): + """The rule's permission set.""" + raise exception.RuleUseError( + "{0} rules do not have a permission set.".format(self.ruletype)) + + @property + def default(self): + """The rule's default type.""" + return typeattr.type_factory(self.policy, self.qpol_symbol.default_type(self.policy)) + + @property + def filename(self): + """The type_transition rule's file name.""" + try: + return self.qpol_symbol.filename(self.policy) + except AttributeError: + if self.ruletype == "type_transition": + raise exception.TERuleNoFilename + else: + raise exception.RuleUseError("{0} rules do not have file names". + format(self.ruletype)) |