From patchwork Thu Sep 22 15:17:27 2016
X-Patchwork-Submitter: Jason Zaman
X-Patchwork-Id: 9345517
From: Jason Zaman
To: selinux@tycho.nsa.gov
Subject: [PATCH 1/7] sepolicy: rearrange vars together at the top
Date: Thu, 22 Sep 2016 23:17:27 +0800
Message-Id: <1474557453-14379-2-git-send-email-jason@perfinion.com>
X-Mailer: git-send-email 2.7.3
In-Reply-To: <1474557453-14379-1-git-send-email-jason@perfinion.com>
References: <1474557453-14379-1-git-send-email-jason@perfinion.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

This has no functional or code changes other than grouping lines together for clarity.

Signed-off-by: Jason Zaman
---
 policycoreutils/sepolicy/sepolicy/__init__.py | 229 ++++++++++++--------------
 1 file changed, 106 insertions(+), 123 deletions(-)

diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index c8d3b90..4d9d6ad 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -51,6 +51,112 @@ TRANSITION = 'transition' ROLE_ALLOW = 'role_allow' +# Autofill for adding files ************************* +DEFAULT_DIRS = {} +DEFAULT_DIRS["/etc"] = "etc_t" +DEFAULT_DIRS["/tmp"] = "tmp_t" +DEFAULT_DIRS["/usr/lib/systemd/system"] = "unit_file_t" +DEFAULT_DIRS["/lib/systemd/system"] = "unit_file_t" +DEFAULT_DIRS["/etc/systemd/system"] = "unit_file_t" +DEFAULT_DIRS["/var/cache"] = "var_cache_t" +DEFAULT_DIRS["/var/lib"] = "var_lib_t" +DEFAULT_DIRS["/var/log"] = "log_t" +DEFAULT_DIRS["/var/run"] = "var_run_t" +DEFAULT_DIRS["/run"] = "var_run_t" +DEFAULT_DIRS["/run/lock"] = "var_lock_t" +DEFAULT_DIRS["/var/run/lock"] = "var_lock_t" +DEFAULT_DIRS["/var/spool"] = "var_spool_t" +DEFAULT_DIRS["/var/www"] = "content_t" + +file_type_str = {} +file_type_str["a"] = _("all files") +file_type_str["f"] = _("regular file") +file_type_str["d"] = _("directory") +file_type_str["c"] = _("character device") +file_type_str["b"] = _("block device") +file_type_str["s"] = _("socket file") +file_type_str["l"] = _("symbolic link") +file_type_str["p"] = _("named pipe") + +trans_file_type_str = {} +trans_file_type_str[""] = "a" +trans_file_type_str["--"] = "f" +trans_file_type_str["-d"] = "d" +trans_file_type_str["-c"] = "c" +trans_file_type_str["-b"] = "b" +trans_file_type_str["-s"] = "s" +trans_file_type_str["-l"] = "l" +trans_file_type_str["-p"] = "p" + +# cache the lookup results +file_equiv_modified = None +file_equiv = None +local_files = None +fcdict = None +methods = [] +all_types = None +user_types = None +role_allows = None +portrecs = None +portrecsbynum = None +all_domains = None +roles = None +selinux_user_list = None +login_mappings = None +file_types = None +port_types = None +bools = None +all_attributes = None +booleans = None +booleans_dict = None + + +def get_installed_policy(root="/"): + try: + path = root + selinux.selinux_binary_policy_path() + policies = glob.glob("%s.*" % path) + policies.sort() + return policies[-1] + except: + pass + raise 
ValueError(_("No SELinux Policy installed")) + + +def policy(policy_file): + global all_domains + global all_attributes + global bools + global all_types + global role_allows + global users + global roles + global file_types + global port_types + all_domains = None + all_attributes = None + bools = None + all_types = None + role_allows = None + users = None + roles = None + file_types = None + port_types = None + global _pol + + try: + _policy.policy(policy_file) + except: + raise ValueError(_("Failed to read %s policy file") % policy_file) + + +try: + policy_file = get_installed_policy() + policy(policy_file) +except ValueError as e: + if selinux.is_selinux_enabled() == 1: + raise e + + def info(setype, name=None): dict_list = _policy.info(setype, name) return dict_list @@ -107,26 +213,6 @@ def get_conditionals_format_text(cond): def get_types_from_attribute(attribute): return info(ATTRIBUTE, attribute)[0]["types"] -file_type_str = {} -file_type_str["a"] = _("all files") -file_type_str["f"] = _("regular file") -file_type_str["d"] = _("directory") -file_type_str["c"] = _("character device") -file_type_str["b"] = _("block device") -file_type_str["s"] = _("socket file") -file_type_str["l"] = _("symbolic link") -file_type_str["p"] = _("named pipe") - -trans_file_type_str = {} -trans_file_type_str[""] = "a" -trans_file_type_str["--"] = "f" -trans_file_type_str["-d"] = "d" -trans_file_type_str["-c"] = "c" -trans_file_type_str["-b"] = "b" -trans_file_type_str["-s"] = "s" -trans_file_type_str["-l"] = "l" -trans_file_type_str["-p"] = "p" - def get_file_types(setype): flist = [] 
@@ -209,18 +295,14 @@ def find_file(reg): def find_all_files(domain, exclude_list=[]): - all_entrypoints = [] executable_files = get_entrypoints(domain) for exe in executable_files.keys(): if exe.endswith("_exec_t") and exe not in exclude_list: for path in executable_files[exe]: for f in find_file(path): return f - #all_entrypoints.append(f) return None -#return all_entrypoints - def find_entrypoint_path(exe, exclude_list=[]): fcdict = get_fcdict() @@ -243,8 +325,6 @@ def read_file_equiv(edict, fc_path, modify): edict[f[0]] = {"equiv": f[1], "modify": modify} return edict -file_equiv_modified = None - def get_file_equiv_modified(fc_path=selinux.selinux_file_context_path()): global file_equiv_modified @@ -254,8 +334,6 @@ def get_file_equiv_modified(fc_path=selinux.selinux_file_context_path()): file_equiv_modified = read_file_equiv(file_equiv_modified, fc_path + ".subs", modify=True) return file_equiv_modified -file_equiv = None - def get_file_equiv(fc_path=selinux.selinux_file_context_path()): global file_equiv @@ -265,8 +343,6 @@ def get_file_equiv(fc_path=selinux.selinux_file_context_path()): file_equiv = read_file_equiv(file_equiv, fc_path + ".subs_dist", modify=False) return file_equiv -local_files = None - def get_local_file_paths(fc_path=selinux.selinux_file_context_path()): global local_files @@ -291,8 +367,6 @@ def get_local_file_paths(fc_path=selinux.selinux_file_context_path()): pass return local_files -fcdict = None - def get_fcdict(fc_path=selinux.selinux_file_context_path()): global fcdict @@ -431,19 +505,6 @@ def get_entrypoints(setype): return mpaths -def get_installed_policy(root="/"): - try: - path = root + selinux.selinux_binary_policy_path() - policies = glob.glob("%s.*" % path) - policies.sort() - return policies[-1] - except: - pass - raise ValueError(_("No SELinux Policy installed")) - -methods = [] - - def get_methods(): global methods if len(methods) > 0: 
@@ -464,8 +525,6 @@ def get_methods(): methods.sort() return methods -all_types = None - def get_all_types(): global all_types @@ -473,8 +532,6 @@ def get_all_types(): all_types = map(lambda x: x['name'], info(TYPE)) return all_types -user_types = None - def get_user_types(): global user_types @@ -482,8 +539,6 @@ def get_user_types(): user_types = info(ATTRIBUTE, "userdomain")[0]["types"] return user_types -role_allows = None - def get_all_role_allows(): global role_allows @@ -513,9 +568,6 @@ def get_all_entrypoint_domains(): all_domains.append(m[0]) return all_domains -portrecs = None -portrecsbynum = None - def gen_interfaces(): import commands @@ -558,8 +610,6 @@ def gen_port_dict(): return (portrecs, portrecsbynum) -all_domains = None - def get_all_domains(): global all_domains @@ -567,8 +617,6 @@ def get_all_domains(): all_domains = info(ATTRIBUTE, "domain")[0]["types"] return all_domains -roles = None - def get_all_roles(): global roles @@ -579,8 +627,6 @@ def get_all_roles(): roles.sort() return roles -selinux_user_list = None - def get_selinux_users(): global selinux_user_list @@ -590,8 +636,6 @@ def get_selinux_users(): x['range'] = "".join(x['range'].split(" ")) return selinux_user_list -login_mappings = None - def get_login_mappings(): global login_mappings @@ -616,8 +660,6 @@ def get_all_users(): users.sort() return users -file_types = None - def get_all_file_types(): global file_types @@ -627,8 +669,6 @@ def get_all_file_types(): file_types.sort() return file_types -port_types = None - def get_all_port_types(): global port_types @@ -638,8 +678,6 @@ def get_all_port_types(): port_types.sort() return port_types -bools = None - def get_all_bools(): global bools 
@@ -655,23 +693,6 @@ def prettyprint(f, trim): def markup(f): return f -# Autofill for adding files ************************* -DEFAULT_DIRS = {} -DEFAULT_DIRS["/etc"] = "etc_t" -DEFAULT_DIRS["/tmp"] = "tmp_t" -DEFAULT_DIRS["/usr/lib/systemd/system"] = "unit_file_t" -DEFAULT_DIRS["/lib/systemd/system"] = "unit_file_t" -DEFAULT_DIRS["/etc/systemd/system"] = "unit_file_t" -DEFAULT_DIRS["/var/cache"] = "var_cache_t" -DEFAULT_DIRS["/var/lib"] = "var_lib_t" -DEFAULT_DIRS["/var/log"] = "log_t" -DEFAULT_DIRS["/var/run"] = "var_run_t" -DEFAULT_DIRS["/run"] = "var_run_t" -DEFAULT_DIRS["/run/lock"] = "var_lock_t" -DEFAULT_DIRS["/var/run/lock"] = "var_lock_t" -DEFAULT_DIRS["/var/spool"] = "var_spool_t" -DEFAULT_DIRS["/var/www"] = "content_t" - def get_description(f, markup=markup): @@ -765,8 +786,6 @@ def get_description(f, markup=markup): return txt + "treat the files as %s data." % prettyprint(f, "_t") -all_attributes = None - def get_all_attributes(): global all_attributes @@ -775,38 +794,6 @@ def get_all_attributes(): return all_attributes -def policy(policy_file): - global all_domains - global all_attributes - global bools - global all_types - global role_allows - global users - global roles - global file_types - global port_types - all_domains = None - all_attributes = None - bools = None - all_types = None - role_allows = None - users = None - roles = None - file_types = None - port_types = None - try: - _policy.policy(policy_file) - except: - raise ValueError(_("Failed to read %s policy file") % policy_file) - -try: - policy_file = get_installed_policy() - policy(policy_file) -except ValueError as e: - if selinux.is_selinux_enabled() == 1: - raise e - - def _dict_has_perms(dict, perms): for perm in perms: if perm not in dict[PERMS]: @@ -849,8 +836,6 @@ def get_bools(setype): bools.append((b[0], enabled)) return (domainbools, bools) -booleans = None - def get_all_booleans(): global booleans 
@@ -858,8 +843,6 @@ def get_all_booleans(): booleans = selinux.security_get_boolean_names()[1] return booleans -booleans_dict = None - def policy_xml(path="/usr/share/selinux/devel/policy.xml"): try:
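Review bot: in the first hunk (@@ -51,6 +51,112 @@), the relocated `policy()` gains a `global _pol` line between `port_types = None` and the `try:` that is not present in the copy removed at @@ -775,38 +794,6 @@, and `_pol` is referenced nowhere else (the call is `_policy.policy(policy_file)`); this contradicts the commit message's "no functional or code changes", so drop the stray line. In the same hunk, `policy()` declares and resets `global users`, but `users` is missing from the new "cache the lookup results" block (it is also absent from the removed lines, so this is pre-existing); adding `users = None` alongside `roles = None` would make that block match the set of globals `policy()` clears.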
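Review bot: the `find_all_files` hunk (@@ -209,18 +295,14 @@) deletes `all_entrypoints = []`, `#all_entrypoints.append(f)` and `#return all_entrypoints`, which is dead-code removal rather than regrouping and so is not covered by "no functional or code changes other than grouping lines together"; either mention the cleanup in the commit message or split it into its own patch. Since the deleted comments were the only hint that the function was once meant to collect every entrypoint, a one-line comment noting that `for f in find_file(path): return f` deliberately returns the first match would help the next reader.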
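Review bot: the removal at @@ -775,38 +794,6 @@ moves the import-time `policy_file = get_installed_policy()` / `policy(policy_file)` block from the end of the module to just after `policy()`, so it now runs before `info()` and the other helpers are defined. That is safe only because `policy()` and `get_installed_policy()` touch nothing but `_policy`, `selinux`, `glob`, `_()` and module globals, all of which must now be bound above line 51; the diff does not show those imports, so please confirm they precede the new block, and say in the commit message that the policy load now happens earlier in module import.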