^c@sLddlZddlZddlmZddlmZddlmZdZdZdZd fd YZ d e fd YZ d e fdYZ ddl j Z iZde fdYZde fdYZde fdYZde fdYZdfdYZdfdYZdfdYZdS(iNi(t refpolicy(taccess(tutilcCsddl}ddl}tdd}t|jjd}|j|j|j|}|jd|}|jd|}|j dd d d ||gd |j j d}t j rt j|}n|S( s Obtain all of the avc and policy load messages from the audit log. This function uses ausearch and requires that the current process have sufficient rights to run ausearch. Returns: string contain all of the audit messages returned by ausearch. iNs /proc/uptimetris%xs%Xs/sbin/ausearchs-ms5AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERRs-tststdout(t subprocessttimetopentfloattreadtsplittcloset localtimetstrftimetPopentPIPEt communicateRtPY3t decode_input(RRtfdtofftstbootdatetboottimetoutput((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytget_audit_boot_msgss   cCsVddl}|jdddgd|jjd}tjrRtj|}n|S(s Obtain all of the avc and policy load messages from the audit log. This function uses ausearch and requires that the current process have sufficient rights to run ausearch. Returns: string contain all of the audit messages returned by ausearch. iNs/sbin/ausearchs-ms5AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERRRi(RRRRRRR(RR((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytget_audit_msgs2s   cCsPddl}|jdgd|jjd}tjrLtj|}n|S(sObtain all of the avc and policy load messages from /bin/dmesg. Returns: string contain all of the audit messages returned by dmesg. iNs /bin/dmesgRi(RRRRRRR(RR((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytget_dmesg_msgsAs   t AuditMessagecBs eZdZdZdZRS(sBase class for all objects representing audit messages. AuditMessage is a base class for all audit messages and only provides storage for the raw message (as a string) and a parsing function that does nothing. cCs||_d|_dS(Nt(tmessagetheader(tselfR((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt__init__Ws cCszxs|D]k}|jd}t|dkrQ|d dkr||_dSqn|ddkr|d|_dSqWdS( sParse a string that has been split into records by space into an audit message. This method should be overridden by subclasses. Error reporting should be done by raise ValueError exceptions. t=iisaudit(Nitmsgi(R tlenR(R trecsR#tfields((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pytfrom_split_string[s   (t__name__t __module__t__doc__R!R'(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRPs tInvalidMessagecBseZdZdZRS(sClass representing invalid audit messages. This is used to differentiate between audit messages that aren't recognized (that should return None from the audit message parser) and a message that is recognized but is malformed in some way. cCstj||dS(N(RR!(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!vs(R(R)R*R!(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR+pst PathMessagecBs eZdZdZdZRS(s!Class representing a path messagecCstj||d|_dS(NR(RR!tpath(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!{scCsttj||x]|D]U}|jd}t|dkrDqn|ddkr|ddd!|_dSqWdS(NR"iiR-ii(RR'R R$R-(R R%R#R&((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR's (R(R)R*R!R'(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR,ys t AVCMessagecBs2eZdZdZdZdZdZRS(skAVC message representing an access denial or granted message. This is a very basic class and does not represent all possible fields in an avc message. Currently the fields are: scontext - context for the source (process) that generated the message tcontext - context for the target tclass - object class for the target (only one) comm - the process name exe - the on-disc binary path - the path of the target access - list of accesses that were allowed or denied denial - boolean indicating whether this was a denial (True) or granted (False) message. An example audit message generated from the audit daemon looks like (line breaks added): 'type=AVC msg=audit(1155568085.407:10877): avc: denied { search } for pid=677 comm="python" name="modules" dev=dm-0 ino=13716388 scontext=user_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir' An example audit message stored in syslog (not processed by the audit daemon - line breaks added): 'Sep 12 08:26:43 dhcp83-5 kernel: audit(1158064002.046:4): avc: denied { read } for pid=2 496 comm="bluez-pin" name=".gdm1K3IFT" dev=dm-0 ino=3601333 scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file cCstj||tj|_tj|_d|_d|_d|_d|_ d|_ d|_ g|_ t |_tj|_dS(NR(RR!RtSecurityContexttscontextttcontextttclasstcommtexeR-tnametinotaccessestTruetdenialt audit2whytTERULEttype(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!s        cCst}|}|t|dkr8td|jnxN|t|kr||dkrgt}Pn|jj|||d}q;W|std|jn|dS(Nis#AVC message in invalid format [%s] t}(tFalseR$t ValueErrorRR8R7tappend(R R%tstartt found_closeti((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt__parse_accessscCs>tj||t}t}t}t}xtt|D]}||dkrs|j||d}t}q;n||dkrt|_n||jd}t|dkrq;n|ddkrt j |d|_ t}q;|ddkrt j |d|_ t}q;|dd kr>|d|_ t}q;|dd kre|ddd !|_q;|dd kr|ddd !|_q;|dd kr|ddd !|_q;|ddkr|ddd !|_q;|ddkr;|d|_q;q;W| s| s| s| r0td|jn|jdS(Nt{itgrantedR"iiR0R1R2R3iR4R5R-R6s#AVC message in invalid format [%s] (RR'R>trangeR$t_AVCMessage__parse_accessR8R9R RR/R0R1R2R3R4R5R-R6R?Rtanalyze(R R%t found_srct found_tgtt found_classt found_accessRCR&((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR'sJ     cCs|jj}|jj}t|j}g|_|||j|ftjkrt|||j|f\|_ |_n9t j |||j|j\|_ |_|j t j krt j |_ n|j t jkrtd|n|j t jkrtd|n|j t jkr<td|jn|j t jkrmtddj|jn|j t jkrtdn|j t jkr|jg|_|jj|jjkr|jjd|jjd|jjfn|jj|jjkrK|jjdkrK|jjd |jjd |jjfn|jj|jjkr|jjd |jjd |jjfqn|j |jft|||j|ftauditd(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!#scCs,tj||d|kr(t|_ndS(NRb(RR'R8Rb(R R%((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR''s (R(R)R*R!R'(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRa!s tComputeSidMessagecBs)eZdZdZdZdZRS(sAudit message indicating that a sid was not valid. Compute sid messages are generated on attempting to create a security context that is not valid. Security contexts are invalid if the role is not authorized for the user or the type is not authorized for the role. This class does not store all of the fields from the compute sid message - just the type and role. cCsJtj||tj|_tj|_tj|_d|_dS(NR(RR!RR/tinvalid_contextR0R1R2(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!7s cCstj||t|dkr1tdnyztj|d|_tj|djdd|_tj|djdd|_ |djdd|_ WntdnXdS( Ni s;Split string does not represent a valid compute sid messageiiR"iii ( RR'R$R?RR/RdR R0R1R2(R R%((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR'>s##cCsd|j|jfS(Nsrole %s types %s; (R]R<(R ((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRJs(R(R)R*R!R'R(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRc-s   t AuditParsercBseZdZedZdZdZdZdZdZ dZ d dZ d Z d Zd Zd ed ZRS(sParser for audit messages. This class parses audit messages and stores them according to their message type. This is not a general purpose audit message parser - it only extracts selinux related messages. Each audit messages are stored in one of four lists: avc_msgs - avc denial or granted messages. Messages are stored in AVCMessage objects. comput_sid_messages - invalid sid messages. Messages are stored in ComputSidMessage objects. invalid_msgs - selinux related messages that are not valid. Messages are stored in InvalidMessageObjects. policy_load_messages - policy load messages. Messages are stored in PolicyLoadMessage objects. These lists will be reset when a policy load message is seen if AuditParser.last_load_only is set to true. It is assumed that messages are fed to the parser in chronological order - time stamps are not parsed. cCs|j||_dS(N(t_AuditParser__initializetlast_load_only(R Rg((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!es cCsVg|_g|_g|_g|_g|_i|_t|_i|_|j dS(N( tavc_msgstcompute_sid_msgst invalid_msgstpolicy_load_msgst path_msgst by_headerR>tcheck_input_filet inode_dictt_AuditParser__store_base_types(R ((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt __initializeis        c CsPg|jD]}|jd^q }x!|D]}t}|dks_|dks_|dkrtt|}t}n|dkrt|}t}no|dks|dkrt|}t}nB|dkrt|}t}n!|d krtt }t}n|r/t|_ y|j |Wnt k rCt |}nX|Sq/WdS( Nssavc:s message=avc:s msg='avc:ssecurity_compute_sid:stype=MAC_POLICY_LOADs type=1403s type=AVC_PATHstype=DAEMON_START(R tstripR>R.R8RcR`R,RatlistRnR'R?R+tNone(R tlinetxtrecRCtfoundR#((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyt __parse_lines4( $               cCse|j|}|dkrdSt|trG|jr|jqnt|tr|jru|jru|jn|jj |nt|t r|j j |nft|t r|j j |nDt|tr|jj |n"t|tr|jj |n|jdkra|j|jkrK|j|jj |qa|g|j|jR!RfRzRRRRRtRRRpRR8R(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyReOs   $ %  $  t AVCTypeFiltercBseZdZdZRS(cCstj||_dS(N(tretcompiletregex(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!\scCs<|jj|jjrtS|jj|jjr8tStS(N(RtmatchR0R<R8R1R>(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR_s (R(R)R!R(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR[s tComputeSidTypeFiltercBseZdZdZRS(cCstj||_dS(N(RRR(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyR!gscCsX|jj|jjrtS|jj|jjr8tS|jj|jjrTtStS(N(RRRdR<R8R0R1R>(R R((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRjs(R(R)R!R(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyRfs (RRRRRRRRRRR+R,tselinux.audit2whyR:RSR.R`RaRcReRR(((s4/usr/lib64/python2.7/site-packages/sepolgen/audit.pyts(        "