PNG  IHDRX cHRMz&u0`:pQ<bKGD pHYsodtIME MeqIDATxw]Wug^Qd˶ 6`!N:!@xI~)%7%@Bh&`lnjVF29gΨ4E$|>cɚ{gk= %,a KX%,a KX%,a KX%,a KX%,a KX%,a KX%, b` ǟzeאfp]<!SJmɤY޲ڿ,%c ~ع9VH.!Ͳz&QynֺTkRR.BLHi٪:l;@(!MԴ=žI,:o&N'Kù\vRmJ雵֫AWic H@" !: Cé||]k-Ha oݜ:y F())u]aG7*JV@J415p=sZH!=!DRʯvɱh~V\}v/GKY$n]"X"}t@ xS76^[bw4dsce)2dU0 CkMa-U5tvLƀ~mlMwfGE/-]7XAƟ`׮g ewxwC4\[~7@O-Q( a*XGƒ{ ՟}$_y3tĐƤatgvێi|K=uVyrŲlLӪuܿzwk$m87k( `múcE)"@rK( z4$D; 2kW=Xb$V[Ru819קR~qloѱDyįݎ*mxw]y5e4K@ЃI0A D@"BDk_)N\8͜9dz"fK0zɿvM /.:2O{ Nb=M=7>??Zuo32 DLD@D| &+֎C #B8ַ`bOb $D#ͮҪtx]%`ES`Ru[=¾!@Od37LJ0!OIR4m]GZRJu$‡c=%~s@6SKy?CeIh:[vR@Lh | (BhAMy=݃  G"'wzn޺~8ԽSh ~T*A:xR[ܹ?X[uKL_=fDȊ؂p0}7=D$Ekq!/t.*2ʼnDbŞ}DijYaȲ(""6HA;:LzxQ‘(SQQ}*PL*fc\s `/d'QXW, e`#kPGZuŞuO{{wm[&NBTiiI0bukcA9<4@SӊH*؎4U/'2U5.(9JuDfrޱtycU%j(:RUbArLֺN)udA':uGQN"-"Is.*+k@ `Ojs@yU/ H:l;@yyTn}_yw!VkRJ4P)~y#)r,D =ě"Q]ci'%HI4ZL0"MJy 8A{ aN<8D"1#IJi >XjX֔#@>-{vN!8tRݻ^)N_╗FJEk]CT՟ YP:_|H1@ CBk]yKYp|og?*dGvzنzӴzjֺNkC~AbZƷ`.H)=!QͷVTT(| u78y֮}|[8-Vjp%2JPk[}ԉaH8Wpqhwr:vWª<}l77_~{s۴V+RCģ%WRZ\AqHifɤL36: #F:p]Bq/z{0CU6ݳEv_^k7'>sq*+kH%a`0ԣisqにtү04gVgW΂iJiS'3w.w}l6MC2uԯ|>JF5`fV5m`Y**Db1FKNttu]4ccsQNnex/87+}xaUW9y>ͯ骵G{䩓Գ3+vU}~jJ.NFRD7<aJDB1#ҳgSb,+CS?/ VG J?|?,2#M9}B)MiE+G`-wo߫V`fio(}S^4e~V4bHOYb"b#E)dda:'?}׮4繏`{7Z"uny-?ǹ;0MKx{:_pÚmFמ:F " .LFQLG)Q8qN q¯¯3wOvxDb\. BKD9_NN &L:4D{mm o^tֽ:q!ƥ}K+<"m78N< ywsard5+Š²z~mnG)=}lYݧNj'QJS{S :UYS-952?&O-:W}(!6Mk4+>A>j+i|<<|;ر^߉=HE|V#F)Emm#}/"y GII웻Jі94+v뾧xu~5C95~ūH>c@덉pʃ1/4-A2G%7>m;–Y,cyyaln" ?ƻ!ʪ<{~h~i y.zZB̃/,雋SiC/JFMmBH&&FAbϓO^tubbb_hZ{_QZ-sύodFgO(6]TJA˯#`۶ɟ( %$&+V'~hiYy>922 Wp74Zkq+Ovn錄c>8~GqܲcWꂎz@"1A.}T)uiW4="jJ2W7mU/N0gcqܗOO}?9/wìXžΏ0 >֩(V^Rh32!Hj5`;O28؇2#ݕf3 ?sJd8NJ@7O0 b־?lldщ̡&|9C.8RTWwxWy46ah嘦mh٤&l zCy!PY?: CJyв]dm4ǜҐR޻RլhX{FƯanшQI@x' ao(kUUuxW_Ñ줮[w8 FRJ(8˼)_mQ _!RJhm=!cVmm ?sFOnll6Qk}alY}; "baӌ~M0w,Ggw2W:G/k2%R,_=u`WU R.9T"v,<\Ik޽/2110Ӿxc0gyC&Ny޽JҢrV6N ``یeA16"J³+Rj*;BϜkZPJaÍ<Jyw:NP8/D$ 011z֊Ⱳ3ι֘k1V_"h!JPIΣ'ɜ* aEAd:ݺ>y<}Lp&PlRfTb1]o .2EW\ͮ]38؋rTJsǏP@芎sF\> P^+dYJLbJ C-xϐn> ι$nj,;Ǖa FU *择|h ~izť3ᤓ`K'-f tL7JK+vf2)V'-sFuB4i+m+@My=O҈0"|Yxoj,3]:cо3 $#uŘ%Y"y죯LebqtҢVzq¼X)~>4L׶m~[1_k?kxֺQ`\ |ٛY4Ѯr!)N9{56(iNq}O()Em]=F&u?$HypWUeB\k]JɩSع9 Zqg4ZĊo oMcjZBU]B\TUd34ݝ~:7ڶSUsB0Z3srx 7`:5xcx !qZA!;%͚7&P H<WL!džOb5kF)xor^aujƍ7 Ǡ8/p^(L>ὴ-B,{ۇWzֺ^k]3\EE@7>lYBȝR.oHnXO/}sB|.i@ɥDB4tcm,@ӣgdtJ!lH$_vN166L__'Z)y&kH;:,Y7=J 9cG) V\hjiE;gya~%ks_nC~Er er)muuMg2;֫R)Md) ,¶ 2-wr#F7<-BBn~_(o=KO㭇[Xv eN_SMgSҐ BS헃D%g_N:/pe -wkG*9yYSZS.9cREL !k}<4_Xs#FmҶ:7R$i,fi!~' # !6/S6y@kZkZcX)%5V4P]VGYq%H1!;e1MV<!ϐHO021Dp= HMs~~a)ަu7G^];git!Frl]H/L$=AeUvZE4P\.,xi {-~p?2b#amXAHq)MWǾI_r`S Hz&|{ +ʖ_= (YS(_g0a03M`I&'9vl?MM+m~}*xT۲(fY*V4x@29s{DaY"toGNTO+xCAO~4Ϳ;p`Ѫ:>Ҵ7K 3}+0 387x\)a"/E>qpWB=1 ¨"MP(\xp߫́A3+J] n[ʼnӼaTbZUWb={~2ooKױӰp(CS\S筐R*JغV&&"FA}J>G֐p1ٸbk7 ŘH$JoN <8s^yk_[;gy-;߉DV{c B yce% aJhDȶ 2IdйIB/^n0tNtџdcKj4϶v~- CBcgqx9= PJ) dMsjpYB] GD4RDWX +h{y`,3ꊕ$`zj*N^TP4L:Iz9~6s) Ga:?y*J~?OrMwP\](21sZUD ?ܟQ5Q%ggW6QdO+\@ ̪X'GxN @'4=ˋ+*VwN ne_|(/BDfj5(Dq<*tNt1х!MV.C0 32b#?n0pzj#!38}޴o1KovCJ`8ŗ_"]] rDUy޲@ Ȗ-;xџ'^Y`zEd?0„ DAL18IS]VGq\4o !swV7ˣι%4FѮ~}6)OgS[~Q vcYbL!wG3 7띸*E Pql8=jT\꘿I(z<[6OrR8ºC~ډ]=rNl[g|v TMTղb-o}OrP^Q]<98S¤!k)G(Vkwyqyr޽Nv`N/e p/~NAOk \I:G6]4+K;j$R:Mi #*[AȚT,ʰ,;N{HZTGMoּy) ]%dHء9Պ䠬|<45,\=[bƟ8QXeB3- &dҩ^{>/86bXmZ]]yޚN[(WAHL$YAgDKp=5GHjU&99v簪C0vygln*P)9^͞}lMuiH!̍#DoRBn9l@ xA/_v=ȺT{7Yt2N"4!YN`ae >Q<XMydEB`VU}u]嫇.%e^ánE87Mu\t`cP=AD/G)sI"@MP;)]%fH9'FNsj1pVhY&9=0pfuJ&gޤx+k:!r˭wkl03׼Ku C &ѓYt{.O.zҏ z}/tf_wEp2gvX)GN#I ݭ߽v/ .& и(ZF{e"=V!{zW`, ]+LGz"(UJp|j( #V4, 8B 0 9OkRrlɱl94)'VH9=9W|>PS['G(*I1==C<5"Pg+x'K5EMd؞Af8lG ?D FtoB[je?{k3zQ vZ;%Ɠ,]E>KZ+T/ EJxOZ1i #T<@ I}q9/t'zi(EMqw`mYkU6;[t4DPeckeM;H}_g pMww}k6#H㶏+b8雡Sxp)&C $@'b,fPߑt$RbJ'vznuS ~8='72_`{q纶|Q)Xk}cPz9p7O:'|G~8wx(a 0QCko|0ASD>Ip=4Q, d|F8RcU"/KM opKle M3#i0c%<7׿p&pZq[TR"BpqauIp$ 8~Ĩ!8Սx\ւdT>>Z40ks7 z2IQ}ItԀ<-%S⍤};zIb$I 5K}Q͙D8UguWE$Jh )cu4N tZl+[]M4k8֦Zeq֮M7uIqG 1==tLtR,ƜSrHYt&QP윯Lg' I,3@P'}'R˪e/%-Auv·ñ\> vDJzlӾNv5:|K/Jb6KI9)Zh*ZAi`?S {aiVDԲuy5W7pWeQJk֤#5&V<̺@/GH?^τZL|IJNvI:'P=Ϛt"¨=cud S Q.Ki0 !cJy;LJR;G{BJy޺[^8fK6)=yʊ+(k|&xQ2`L?Ȓ2@Mf 0C`6-%pKpm')c$׻K5[J*U[/#hH!6acB JA _|uMvDyk y)6OPYjœ50VT K}cǻP[ $:]4MEA.y)|B)cf-A?(e|lɉ#P9V)[9t.EiQPDѠ3ϴ;E:+Օ t ȥ~|_N2,ZJLt4! %ա]u {+=p.GhNcŞQI?Nd'yeh n7zi1DB)1S | S#ًZs2|Ɛy$F SxeX{7Vl.Src3E℃Q>b6G ўYCmtկ~=K0f(=LrAS GN'ɹ9<\!a`)֕y[uՍ[09` 9 +57ts6}b4{oqd+J5fa/,97J#6yν99mRWxJyѡyu_TJc`~W>l^q#Ts#2"nD1%fS)FU w{ܯ R{ ˎ󅃏џDsZSQS;LV;7 Od1&1n$ N /.q3~eNɪ]E#oM~}v֯FڦwyZ=<<>Xo稯lfMFV6p02|*=tV!c~]fa5Y^Q_WN|Vs 0ҘދU97OI'N2'8N֭fgg-}V%y]U4 峧p*91#9U kCac_AFңĪy뚇Y_AiuYyTTYЗ-(!JFLt›17uTozc. S;7A&&<ԋ5y;Ro+:' *eYJkWR[@F %SHWP 72k4 qLd'J "zB6{AC0ƁA6U.'F3:Ȅ(9ΜL;D]m8ڥ9}dU "v!;*13Rg^fJyShyy5auA?ɩGHRjo^]׽S)Fm\toy 4WQS@mE#%5ʈfFYDX ~D5Ϡ9tE9So_aU4?Ѽm%&c{n>.KW1Tlb}:j uGi(JgcYj0qn+>) %\!4{LaJso d||u//P_y7iRJ߬nHOy) l+@$($VFIQ9%EeKʈU. ia&FY̒mZ=)+qqoQn >L!qCiDB;Y<%} OgBxB!ØuG)WG9y(Ą{_yesuZmZZey'Wg#C~1Cev@0D $a@˲(.._GimA:uyw֬%;@!JkQVM_Ow:P.s\)ot- ˹"`B,e CRtaEUP<0'}r3[>?G8xU~Nqu;Wm8\RIkբ^5@k+5(By'L&'gBJ3ݶ!/㮻w҅ yqPWUg<e"Qy*167΃sJ\oz]T*UQ<\FԎ`HaNmڜ6DysCask8wP8y9``GJ9lF\G g's Nn͵MLN֪u$| /|7=]O)6s !ĴAKh]q_ap $HH'\1jB^s\|- W1:=6lJBqjY^LsPk""`]w)󭃈,(HC ?䔨Y$Sʣ{4Z+0NvQkhol6C.婧/u]FwiVjZka&%6\F*Ny#8O,22+|Db~d ~Çwc N:FuuCe&oZ(l;@ee-+Wn`44AMK➝2BRՈt7g*1gph9N) *"TF*R(#'88pm=}X]u[i7bEc|\~EMn}P瘊J)K.0i1M6=7'_\kaZ(Th{K*GJyytw"IO-PWJk)..axӝ47"89Cc7ĐBiZx 7m!fy|ϿF9CbȩV 9V-՛^pV̌ɄS#Bv4-@]Vxt-Z, &ֺ*diؠ2^VXbs֔Ìl.jQ]Y[47gj=幽ex)A0ip׳ W2[ᎇhuE^~q흙L} #-b۸oFJ_QP3r6jr+"nfzRJTUqoaۍ /$d8Mx'ݓ= OՃ| )$2mcM*cЙj}f };n YG w0Ia!1Q.oYfr]DyISaP}"dIӗթO67jqR ҊƐƈaɤGG|h;t]䗖oSv|iZqX)oalv;۩meEJ\!8=$4QU4Xo&VEĊ YS^E#d,yX_> ۘ-e\ "Wa6uLĜZi`aD9.% w~mB(02G[6y.773a7 /=o7D)$Z 66 $bY^\CuP. (x'"J60׿Y:Oi;F{w佩b+\Yi`TDWa~|VH)8q/=9!g߆2Y)?ND)%?Ǐ`k/sn:;O299yB=a[Ng 3˲N}vLNy;*?x?~L&=xyӴ~}q{qE*IQ^^ͧvü{Huu=R|>JyUlZV, B~/YF!Y\u_ݼF{_C)LD]m {H 0ihhadd nUkf3oٺCvE\)QJi+֥@tDJkB$1!Đr0XQ|q?d2) Ӣ_}qv-< FŊ߫%roppVBwü~JidY4:}L6M7f٬F "?71<2#?Jyy4뷢<_a7_=Q E=S1И/9{+93֮E{ǂw{))?maÆm(uLE#lïZ  ~d];+]h j?!|$F}*"4(v'8s<ŏUkm7^7no1w2ؗ}TrͿEk>p'8OB7d7R(A 9.*Mi^ͳ; eeUwS+C)uO@ =Sy]` }l8^ZzRXj[^iUɺ$tj))<sbDJfg=Pk_{xaKo1:-uyG0M ԃ\0Lvuy'ȱc2Ji AdyVgVh!{]/&}}ċJ#%d !+87<;qN޼Nفl|1N:8ya  8}k¾+-$4FiZYÔXk*I&'@iI99)HSh4+2G:tGhS^繿 Kتm0 вDk}֚+QT4;sC}rՅE,8CX-e~>G&'9xpW,%Fh,Ry56Y–hW-(v_,? ; qrBk4-V7HQ;ˇ^Gv1JVV%,ik;D_W!))+BoS4QsTM;gt+ndS-~:11Sgv!0qRVh!"Ȋ(̦Yl.]PQWgٳE'`%W1{ndΗBk|Ž7ʒR~,lnoa&:ü$ 3<a[CBݮwt"o\ePJ=Hz"_c^Z.#ˆ*x z̝grY]tdkP*:97YľXyBkD4N.C_[;F9`8& !AMO c `@BA& Ost\-\NX+Xp < !bj3C&QL+*&kAQ=04}cC!9~820G'PC9xa!w&bo_1 Sw"ܱ V )Yl3+ס2KoXOx]"`^WOy :3GO0g;%Yv㐫(R/r (s } u B &FeYZh0y> =2<Ϟc/ -u= c&׭,.0"g"7 6T!vl#sc>{u/Oh Bᾈ)۴74]x7 gMӒ"d]U)}" v4co[ ɡs 5Gg=XR14?5A}D "b{0$L .\4y{_fe:kVS\\O]c^W52LSBDM! C3Dhr̦RtArx4&agaN3Cf<Ԉp4~ B'"1@.b_/xQ} _߃҉/gٓ2Qkqp0շpZ2fԫYz< 4L.Cyυι1t@鎫Fe sYfsF}^ V}N<_`p)alٶ "(XEAVZ<)2},:Ir*#m_YӼ R%a||EƼIJ,,+f"96r/}0jE/)s)cjW#w'Sʯ5<66lj$a~3Kʛy 2:cZ:Yh))+a߭K::N,Q F'qB]={.]h85C9cr=}*rk?vwV렵ٸW Rs%}rNAkDv|uFLBkWY YkX מ|)1!$#3%y?pF<@<Rr0}: }\J [5FRxY<9"SQdE(Q*Qʻ)q1E0B_O24[U'],lOb ]~WjHޏTQ5Syu wq)xnw8~)c 쫬gٲߠ H% k5dƝk> kEj,0% b"vi2Wس_CuK)K{n|>t{P1򨾜j>'kEkƗBg*H%'_aY6Bn!TL&ɌOb{c`'d^{t\i^[uɐ[}q0lM˕G:‚4kb祔c^:?bpg… +37stH:0}en6x˟%/<]BL&* 5&fK9Mq)/iyqtA%kUe[ڛKN]Ě^,"`/ s[EQQm?|XJ߅92m]G.E΃ח U*Cn.j_)Tѧj̿30ڇ!A0=͜ar I3$C^-9#|pk!)?7.x9 @OO;WƝZBFU keZ75F6Tc6"ZȚs2y/1 ʵ:u4xa`C>6Rb/Yм)^=+~uRd`/|_8xbB0?Ft||Z\##|K 0>>zxv8۴吅q 8ĥ)"6>~\8:qM}#͚'ĉ#p\׶ l#bA?)|g g9|8jP(cr,BwV (WliVxxᡁ@0Okn;ɥh$_ckCgriv}>=wGzβ KkBɛ[˪ !J)h&k2%07δt}!d<9;I&0wV/ v 0<H}L&8ob%Hi|޶o&h1L|u֦y~󛱢8fٲUsւ)0oiFx2}X[zVYr_;N(w]_4B@OanC?gĦx>мgx>ΛToZoOMp>40>V Oy V9iq!4 LN,ˢu{jsz]|"R޻&'ƚ{53ўFu(<٪9:΋]B;)B>1::8;~)Yt|0(pw2N%&X,URBK)3\zz&}ax4;ǟ(tLNg{N|Ǽ\G#C9g$^\}p?556]/RP.90 k,U8/u776s ʪ_01چ|\N 0VV*3H鴃J7iI!wG_^ypl}r*jɤSR 5QN@ iZ#1ٰy;_\3\BQQ x:WJv츟ٯ$"@6 S#qe딇(/P( Dy~TOϻ<4:-+F`0||;Xl-"uw$Цi󼕝mKʩorz"mϺ$F:~E'ҐvD\y?Rr8_He@ e~O,T.(ފR*cY^m|cVR[8 JҡSm!ΆԨb)RHG{?MpqrmN>߶Y)\p,d#xۆWY*,l6]v0h15M˙MS8+EdI='LBJIH7_9{Caз*Lq,dt >+~ّeʏ?xԕ4bBAŚjﵫ!'\Ը$WNvKO}ӽmSşذqsOy?\[,d@'73'j%kOe`1.g2"e =YIzS2|zŐƄa\U,dP;jhhhaxǶ?КZ՚.q SE+XrbOu%\GتX(H,N^~]JyEZQKceTQ]VGYqnah;y$cQahT&QPZ*iZ8UQQM.qo/T\7X"u?Mttl2Xq(IoW{R^ ux*SYJ! 4S.Jy~ BROS[V|žKNɛP(L6V^|cR7i7nZW1Fd@ Ara{詑|(T*dN]Ko?s=@ |_EvF]׍kR)eBJc" MUUbY6`~V޴dJKß&~'d3i WWWWWW

F1l3 Manager

Current Directory: /usr/lib64/python2.7/site-packages/sepolgen
/usr/lib64/python2.7/site-packages/sepolgen/
Viewing File: /usr/lib64/python2.7/site-packages/sepolgen/refpolicy.py
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> # # Copyright (C) 2006 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # import string import selinux # OVERVIEW # # This file contains objects and functions used to represent the reference # policy (including the headers, M4 macros, and policy language statements). # # This representation is very different from the semantic representation # used in libsepol. Instead, it is a more typical abstract representation # used by the first stage of compilers. It is basically a parse tree. # # This choice is intentional as it allows us to handle the unprocessed # M4 statements - including the $1 style arguments - and to more easily generate # the data structures that we need for policy generation. # # Constans for referring to fields SRC_TYPE = 0 TGT_TYPE = 1 OBJ_CLASS = 2 PERMS = 3 ROLE = 4 DEST_TYPE = 5 # String represenations of the above constants field_to_str = ["source", "target", "object", "permission", "role", "destination" ] str_to_field = { "source" : SRC_TYPE, "target" : TGT_TYPE, "object" : OBJ_CLASS, "permission" : PERMS, "role" : ROLE, "destination" : DEST_TYPE } # Base Classes class PolicyBase: def __init__(self, parent=None): self.parent = None self.comment = None class Node(PolicyBase): """Base class objects produced from parsing the reference policy. The Node class is used as the base class for any non-leaf object produced by parsing the reference policy. This object should contain a reference to its parent (or None for a top-level object) and 0 or more children. The general idea here is to have a very simple tree structure. Children are not separated out by type. Instead the tree structure represents fairly closely the real structure of the policy statements. The object should be iterable - by default over all children but subclasses are free to provide additional iterators over a subset of their childre (see Interface for example). """ def __init__(self, parent=None): PolicyBase.__init__(self, parent) self.children = [] def __iter__(self): return iter(self.children) # Not all of the iterators will return something on all Nodes, but # they won't explode either. Putting them here is just easier. # Top level nodes def nodes(self): return filter(lambda x: isinstance(x, Node), walktree(self)) def modules(self): return filter(lambda x: isinstance(x, Module), walktree(self)) def interfaces(self): return filter(lambda x: isinstance(x, Interface), walktree(self)) def templates(self): return filter(lambda x: isinstance(x, Template), walktree(self)) def support_macros(self): return filter(lambda x: isinstance(x, SupportMacros), walktree(self)) # Common policy statements def module_declarations(self): return filter(lambda x: isinstance(x, ModuleDeclaration), walktree(self)) def interface_calls(self): return filter(lambda x: isinstance(x, InterfaceCall), walktree(self)) def avrules(self): return filter(lambda x: isinstance(x, AVRule), walktree(self)) def typerules(self): return filter(lambda x: isinstance(x, TypeRule), walktree(self)) def typebounds(self): return filter(lambda x: isinstance(x, TypeBound), walktree(self)) def typeattributes(self): """Iterate over all of the TypeAttribute children of this Interface.""" return filter(lambda x: isinstance(x, TypeAttribute), walktree(self)) def roleattributes(self): """Iterate over all of the RoleAttribute children of this Interface.""" return filter(lambda x: isinstance(x, RoleAttribute), walktree(self)) def requires(self): return filter(lambda x: isinstance(x, Require), walktree(self)) def roles(self): return filter(lambda x: isinstance(x, Role), walktree(self)) def role_allows(self): return filter(lambda x: isinstance(x, RoleAllow), walktree(self)) def role_types(self): return filter(lambda x: isinstance(x, RoleType), walktree(self)) def __str__(self): if self.comment: return str(self.comment) + "\n" + self.to_string() else: return self.to_string() def __repr__(self): return "<%s(%s)>" % (self.__class__.__name__, self.to_string()) def to_string(self): return "" class Leaf(PolicyBase): def __init__(self, parent=None): PolicyBase.__init__(self, parent) def __str__(self): if self.comment: return str(self.comment) + "\n" + self.to_string() else: return self.to_string() def __repr__(self): return "<%s(%s)>" % (self.__class__.__name__, self.to_string()) def to_string(self): return "" # Utility functions def walktree(node, depthfirst=True, showdepth=False, type=None): """Iterate over a Node and its Children. The walktree function iterates over a tree containing Nodes and leaf objects. The iteration can perform a depth first or a breadth first traversal of the tree (controlled by the depthfirst paramater. The passed in node will be returned. This function will only work correctly for trees - arbitrary graphs will likely cause infinite looping. """ # We control depth first / versus breadth first by # how we pop items off of the node stack. if depthfirst: index = -1 else: index = 0 stack = [(node, 0)] while len(stack) > 0: cur, depth = stack.pop(index) if showdepth: yield cur, depth else: yield cur # If the node is not a Node instance it must # be a leaf - so no need to add it to the stack if isinstance(cur, Node): items = [] i = len(cur.children) - 1 while i >= 0: if type is None or isinstance(cur.children[i], type): items.append((cur.children[i], depth + 1)) i -= 1 stack.extend(items) def walknode(node, type=None): """Iterate over the direct children of a Node. The walktree function iterates over the children of a Node. Unlike walktree it does note return the passed in node or the children of any Node objects (that is, it does not go beyond the current level in the tree). """ for x in node: if type is None or isinstance(x, type): yield x def list_to_space_str(s, cont=('{', '}')): """Convert a set (or any sequence type) into a string representation formatted to match SELinux space separated list conventions. For example the list ['read', 'write'] would be converted into: '{ read write }' """ l = len(s) str = "" if l < 1: raise ValueError("cannot convert 0 len set to string") str = " ".join(s) if l == 1: return str else: return cont[0] + " " + str + " " + cont[1] def list_to_comma_str(s): l = len(s) if l < 1: raise ValueError("cannot conver 0 len set to comma string") return ", ".join(s) # Basic SELinux types class IdSet(set): def __init__(self, list=None): if list: set.__init__(self, list) else: set.__init__(self) self.compliment = False def to_space_str(self): return list_to_space_str(sorted(self)) def to_comma_str(self): return list_to_comma_str(sorted(self)) class SecurityContext(Leaf): """An SELinux security context with optional MCS / MLS fields.""" def __init__(self, context=None, parent=None): """Create a SecurityContext object, optionally from a string. Parameters: [context] - string representing a security context. Same format as a string passed to the from_string method. """ Leaf.__init__(self, parent) self.user = "" self.role = "" self.type = "" self.level = None if context is not None: self.from_string(context) def from_string(self, context): """Parse a string representing a context into a SecurityContext. The string should be in the standard format - e.g., 'user:role:type:level'. Raises ValueError if the string is not parsable as a security context. """ # try to translate the context string to raw form raw = selinux.selinux_trans_to_raw_context(context) if raw[0] == 0: context = raw[1] fields = context.split(":") if len(fields) < 3: raise ValueError("context string [%s] not in a valid format" % context) self.user = fields[0] self.role = fields[1] self.type = fields[2] if len(fields) > 3: # FUTURE - normalize level fields to allow more comparisons to succeed. self.level = ':'.join(fields[3:]) else: self.level = None def __eq__(self, other): """Compare two SecurityContext objects - all fields must be exactly the the same for the comparison to work. It is possible for the level fields to be semantically the same yet syntactically different - in this case this function will return false. """ return self.user == other.user and \ self.role == other.role and \ self.type == other.type and \ self.level == other.level def to_string(self, default_level=None): """Return a string representing this security context. By default, the string will contiain a MCS / MLS level potentially from the default which is passed in if none was set. Arguments: default_level - the default level to use if self.level is an empty string. Returns: A string represening the security context in the form 'user:role:type:level'. """ fields = [self.user, self.role, self.type] if self.level is None: if default_level is None: if selinux.is_selinux_mls_enabled() == 1: fields.append("s0") else: fields.append(default_level) else: fields.append(self.level) return ":".join(fields) class ObjectClass(Leaf): """SELinux object class and permissions. This class is a basic representation of an SELinux object class - it does not represent separate common permissions - just the union of the common and class specific permissions. It is meant to be convenient for policy generation. """ def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name self.perms = IdSet() # Basic statements class TypeAttribute(Leaf): """SElinux typeattribute statement. This class represents a typeattribute statement. """ def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = "" self.attributes = IdSet() def to_string(self): return "typeattribute %s %s;" % (self.type, self.attributes.to_comma_str()) class RoleAttribute(Leaf): """SElinux roleattribute statement. This class represents a roleattribute statement. """ def __init__(self, parent=None): Leaf.__init__(self, parent) self.role = "" self.roleattributes = IdSet() def to_string(self): return "roleattribute %s %s;" % (self.role, self.roleattributes.to_comma_str()) class Role(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.role = "" self.types = IdSet() def to_string(self): s = "" for t in self.types: s += "role %s types %s;\n" % (self.role, t) return s class Type(Leaf): def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name self.attributes = IdSet() self.aliases = IdSet() def to_string(self): s = "type %s" % self.name if len(self.aliases) > 0: s = s + "alias %s" % self.aliases.to_space_str() if len(self.attributes) > 0: s = s + ", %s" % self.attributes.to_comma_str() return s + ";" class TypeAlias(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = "" self.aliases = IdSet() def to_string(self): return "typealias %s alias %s;" % (self.type, self.aliases.to_space_str()) class Attribute(Leaf): def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name def to_string(self): return "attribute %s;" % self.name class Attribute_Role(Leaf): def __init__(self, name="", parent=None): Leaf.__init__(self, parent) self.name = name def to_string(self): return "attribute_role %s;" % self.name # Classes representing rules class AVRule(Leaf): """SELinux access vector (AV) rule. The AVRule class represents all varieties of AV rules including allow, dontaudit, and auditallow (indicated by the flags self.ALLOW, self.DONTAUDIT, and self.AUDITALLOW respectively). The source and target types, object classes, and perms are all represented by sets containing strings. Sets are used to make it simple to add strings repeatedly while avoiding duplicates. No checking is done to make certain that the symbols are valid or consistent (e.g., perms that don't match the object classes). It is even possible to put invalid types like '$1' into the rules to allow storage of the reference policy interfaces. """ ALLOW = 0 DONTAUDIT = 1 AUDITALLOW = 2 NEVERALLOW = 3 def __init__(self, av=None, parent=None): Leaf.__init__(self, parent) self.src_types = IdSet() self.tgt_types = IdSet() self.obj_classes = IdSet() self.perms = IdSet() self.rule_type = self.ALLOW if av: self.from_av(av) def __rule_type_str(self): if self.rule_type == self.ALLOW: return "allow" elif self.rule_type == self.DONTAUDIT: return "dontaudit" else: return "auditallow" def from_av(self, av): """Add the access from an access vector to this allow rule. """ self.src_types.add(av.src_type) if av.src_type == av.tgt_type: self.tgt_types.add("self") else: self.tgt_types.add(av.tgt_type) self.obj_classes.add(av.obj_class) self.perms.update(av.perms) def to_string(self): """Return a string representation of the rule that is a valid policy language representation (assuming that the types, object class, etc. are valie). """ return "%s %s %s:%s %s;" % (self.__rule_type_str(), self.src_types.to_space_str(), self.tgt_types.to_space_str(), self.obj_classes.to_space_str(), self.perms.to_space_str()) class TypeRule(Leaf): """SELinux type rules. This class is very similar to the AVRule class, but is for representing the type rules (type_trans, type_change, and type_member). The major difference is the lack of perms and only and sing destination type. """ TYPE_TRANSITION = 0 TYPE_CHANGE = 1 TYPE_MEMBER = 2 def __init__(self, parent=None): Leaf.__init__(self, parent) self.src_types = IdSet() self.tgt_types = IdSet() self.obj_classes = IdSet() self.dest_type = "" self.rule_type = self.TYPE_TRANSITION def __rule_type_str(self): if self.rule_type == self.TYPE_TRANSITION: return "type_transition" elif self.rule_type == self.TYPE_CHANGE: return "type_change" else: return "type_member" def to_string(self): return "%s %s %s:%s %s;" % (self.__rule_type_str(), self.src_types.to_space_str(), self.tgt_types.to_space_str(), self.obj_classes.to_space_str(), self.dest_type) class TypeBound(Leaf): """SElinux typebound statement. This class represents a typebound statement. """ def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = "" self.tgt_types = IdSet() def to_string(self): return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str()) class RoleAllow(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.src_roles = IdSet() self.tgt_roles = IdSet() def to_string(self): return "allow %s %s;" % (self.src_roles.to_comma_str(), self.tgt_roles.to_comma_str()) class RoleType(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.role = "" self.types = IdSet() def to_string(self): s = "" for t in self.types: s += "role %s types %s;\n" % (self.role, t) return s class ModuleDeclaration(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.name = "" self.version = "" self.refpolicy = False def to_string(self): if self.refpolicy: return "policy_module(%s, %s)" % (self.name, self.version) else: return "module %s %s;" % (self.name, self.version) class Conditional(Node): def __init__(self, parent=None): Node.__init__(self, parent) self.cond_expr = [] def to_string(self): return "[If %s]" % list_to_space_str(self.cond_expr, cont=("", "")) class Bool(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.name = "" self.state = False def to_string(self): s = "bool %s " % self.name if s.state: return s + "true" else: return s + "false" class InitialSid(Leaf): def __init(self, parent=None): Leaf.__init__(self, parent) self.name = "" self.context = None def to_string(self): return "sid %s %s" % (self.name, str(self.context)) class GenfsCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.filesystem = "" self.path = "" self.context = None def to_string(self): return "genfscon %s %s %s" % (self.filesystem, self.path, str(self.context)) class FilesystemUse(Leaf): XATTR = 1 TRANS = 2 TASK = 3 def __init__(self, parent=None): Leaf.__init__(self, parent) self.type = self.XATTR self.filesystem = "" self.context = None def to_string(self): s = "" if self.type == XATTR: s = "fs_use_xattr " elif self.type == TRANS: s = "fs_use_trans " elif self.type == TASK: s = "fs_use_task " return "%s %s %s;" % (s, self.filesystem, str(self.context)) class PortCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.port_type = "" self.port_number = "" self.context = None def to_string(self): return "portcon %s %s %s" % (self.port_type, self.port_number, str(self.context)) class NodeCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.start = "" self.end = "" self.context = None def to_string(self): return "nodecon %s %s %s" % (self.start, self.end, str(self.context)) class NetifCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.interface = "" self.interface_context = None self.packet_context = None def to_string(self): return "netifcon %s %s %s" % (self.interface, str(self.interface_context), str(self.packet_context)) class PirqCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.pirq_number = "" self.context = None def to_string(self): return "pirqcon %s %s" % (self.pirq_number, str(self.context)) class IomemCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.device_mem = "" self.context = None def to_string(self): return "iomemcon %s %s" % (self.device_mem, str(self.context)) class IoportCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.ioport = "" self.context = None def to_string(self): return "ioportcon %s %s" % (self.ioport, str(self.context)) class PciDeviceCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.device = "" self.context = None def to_string(self): return "pcidevicecon %s %s" % (self.device, str(self.context)) class DeviceTreeCon(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.path = "" self.context = None def to_string(self): return "devicetreecon %s %s" % (self.path, str(self.context)) # Reference policy specific types def print_tree(head): for node, depth in walktree(head, showdepth=True): s = "" for i in range(depth): s = s + "\t" print(s + str(node)) class Headers(Node): def __init__(self, parent=None): Node.__init__(self, parent) def to_string(self): return "[Headers]" class Module(Node): def __init__(self, parent=None): Node.__init__(self, parent) def to_string(self): return "" class Interface(Node): """A reference policy interface definition. This class represents a reference policy interface definition. """ def __init__(self, name="", parent=None): Node.__init__(self, parent) self.name = name def to_string(self): return "[Interface name: %s]" % self.name class TunablePolicy(Node): def __init__(self, parent=None): Node.__init__(self, parent) self.cond_expr = [] def to_string(self): return "[Tunable Policy %s]" % list_to_space_str(self.cond_expr, cont=("", "")) class Template(Node): def __init__(self, name="", parent=None): Node.__init__(self, parent) self.name = name def to_string(self): return "[Template name: %s]" % self.name class IfDef(Node): def __init__(self, name="", parent=None): Node.__init__(self, parent) self.name = name def to_string(self): return "[Ifdef name: %s]" % self.name class InterfaceCall(Leaf): def __init__(self, ifname="", parent=None): Leaf.__init__(self, parent) self.ifname = ifname self.args = [] self.comments = [] def matches(self, other): if self.ifname != other.ifname: return False if len(self.args) != len(other.args): return False for a,b in zip(self.args, other.args): if a != b: return False return True def to_string(self): s = "%s(" % self.ifname i = 0 for a in self.args: if isinstance(a, list): str = list_to_space_str(a) else: str = a if i != 0: s = s + ", %s" % str else: s = s + str i += 1 return s + ")" class OptionalPolicy(Node): def __init__(self, parent=None): Node.__init__(self, parent) def to_string(self): return "[Optional Policy]" class SupportMacros(Node): def __init__(self, parent=None): Node.__init__(self, parent) self.map = None def to_string(self): return "[Support Macros]" def __expand_perm(self, perm): # Recursive expansion - the assumption is that these # are ordered correctly so that no macro is used before # it is defined s = set() if perm in self.map: for p in self.by_name(perm): s.update(self.__expand_perm(p)) else: s.add(perm) return s def __gen_map(self): self.map = {} for x in self: exp_perms = set() for perm in x.perms: exp_perms.update(self.__expand_perm(perm)) self.map[x.name] = exp_perms def by_name(self, name): if not self.map: self.__gen_map() return self.map[name] def has_key(self, name): if not self.map: self.__gen_map() return name in self.map class Require(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent) self.types = IdSet() self.obj_classes = { } self.roles = IdSet() self.data = IdSet() self.users = IdSet() def add_obj_class(self, obj_class, perms): p = self.obj_classes.setdefault(obj_class, IdSet()) p.update(perms) def to_string(self): s = [] s.append("require {") for type in self.types: s.append("\ttype %s;" % type) for obj_class, perms in self.obj_classes.items(): s.append("\tclass %s %s;" % (obj_class, perms.to_space_str())) for role in self.roles: s.append("\trole %s;" % role) for bool in self.data: s.append("\tbool %s;" % bool) for user in self.users: s.append("\tuser %s;" % user) s.append("}") # Handle empty requires if len(s) == 2: return "" return "\n".join(s) class ObjPermSet: def __init__(self, name): self.name = name self.perms = set() def to_string(self): return "define(`%s', `%s')" % (self.name, self.perms.to_space_str()) class ClassMap: def __init__(self, obj_class, perms): self.obj_class = obj_class self.perms = perms def to_string(self): return self.obj_class + ": " + self.perms class Comment: def __init__(self, l=None): if l: self.lines = l else: self.lines = [] def to_string(self): # If there are no lines, treat this as a spacer between # policy statements and return a new line. if len(self.lines) == 0: return "" else: out = [] for line in self.lines: out.append("#" + line) return "\n".join(out) def merge(self, other): if len(other.lines): for line in other.lines: if line != "": self.lines.append(line) def __str__(self): return self.to_string()
webs 1.0 - Enhanced UI