Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

audit2allow: CIL output mode #420

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion python/audit2allow/audit2allow
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ class AuditToPolicy:
help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
parser.add_option("-C", "--cil", action="store_true", dest="cil", help="generate CIL output")

parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
default=False, help="do not generate refpolicy style output")
Expand Down Expand Up @@ -114,14 +115,17 @@ class AuditToPolicy:
sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n')
sys.exit(2)

# Make -M and -o conflict
# Make -M and -o or -C conflict
if options.module_package:
if options.output:
sys.stderr.write("error: --module-package conflicts with --output\n")
sys.exit(2)
if options.module:
sys.stderr.write("error: --module-package conflicts with --module\n")
sys.exit(2)
if options.cil:
sys.stderr.write("error: --module-package conflicts with --cil\n")
sys.exit(2)

self.__options = options

Expand Down Expand Up @@ -341,13 +345,21 @@ semodule -i {packagename}
if self.__options.requires:
g.set_gen_requires(True)

# CIL output
if self.__options.cil:
g.set_gen_cil(True)

# Generate the policy
g.add_access(self.__avs)
g.add_role_types(self.__role_types)

# Output
writer = output.ModuleWriter()

# CIL output
if self.__options.cil:
writer.set_gen_cil(True)

# Module package
if self.__options.module_package:
self.__output_modulepackage(writer, g)
Expand Down
3 changes: 3 additions & 0 deletions python/audit2allow/audit2allow.1
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,9 @@ Generate module/require output <modulename>
.B "\-M <modulename>"
Generate loadable module package, conflicts with \-o
.TP
.B "\-C"
Generate CIL output, conflicts with \-M
.TP
.B "\-p <policyfile>" | "\-\-policy <policyfile>"
Policy file to use for analysis
.TP
Expand Down
5 changes: 5 additions & 0 deletions python/sepolgen/src/sepolgen/output.py
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ def __init__(self):
self.module = None
self.sort = True
self.requires = True
self.gen_cil = False

def write(self, module, fd):
self.module = module
Expand All @@ -49,8 +50,12 @@ def write(self, module, fd):

# FIXME - make this handle nesting
for node, depth in refpolicy.walktree(self.module, showdepth=True):
node.set_gen_cil(self.gen_cil)
fd.write("%s\n" % str(node))

def set_gen_cil(self, gen_cil):
self.gen_cil = gen_cil

# Helper functions for sort_filter - this is all done old school
# C style rather than with polymorphic methods because this sorting
# is specific to output. It is not necessarily the comparison you
Expand Down
32 changes: 21 additions & 11 deletions python/sepolgen/src/sepolgen/policygen.py
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,8 @@ def __init__(self, module=None):
self.xperms = False

self.domains = None
self.gen_cil = False
self.comment_start = '#'
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.

Expand Down Expand Up @@ -128,6 +130,13 @@ def set_gen_xperms(self, xperms):
"""
self.xperms = xperms

def set_gen_cil(self, gen_cil):
self.gen_cil = gen_cil
if gen_cil:
self.comment_start = ';'
else:
self.comment_start = '#'

def __set_module_style(self):
if self.ifgen:
refpolicy = True
Expand Down Expand Up @@ -173,26 +182,27 @@ def __add_av_rule(self, av):
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))

if av.type == audit2why.ALLOW:
rule.comment += "\n#!!!! This avc is allowed in the current policy"
rule.comment += "\n%s!!!! This avc is allowed in the current policy" % self.comment_start

if av.xperms:
rule.comment += "\n#!!!! This av rule may have been overridden by an extended permission av rule"
rule.comment += "\n%s!!!! This av rule may have been overridden by an extended permission av rule" % self.comment_start

if av.type == audit2why.DONTAUDIT:
rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
rule.comment += "\n%s!!!! This avc has a dontaudit rule in the current policy" % self.comment_start

if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join([x[0] for x in av.data])
rule.comment += "\n%s!!!! This avc can be allowed using one of the these booleans:\n%s %s" % (self.comment_start, self.comment_start, ", ".join([x[0] for x in av.data]))
else:
rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
rule.comment += "\n%s!!!! This avc can be allowed using the boolean '%s'" % (self.comment_start, av.data[0][0])

if av.type == audit2why.CONSTRAINT:
rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access."
rule.comment += "\n#Constraint rule: "
rule.comment += "\n#\t" + av.data[0]
rule.comment += "\n%s!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access." % self.comment_start
rule.comment += "\n%sConstraint rule: " % self.comment_start
rule.comment += "\n%s\t" % self.comment_start + av.data[0]
for reason in av.data[1:]:
rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
rule.comment += "\n%s" % self.comment_start
rule.comment += "\tPossible cause is the source %s and target %s are different." % reason

try:
if ( av.type == audit2why.TERULE and
Expand All @@ -206,9 +216,9 @@ def __add_av_rule(self, av):
if i not in self.domains:
types.append(i)
if len(types) == 1:
rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
rule.comment += "\n%s!!!! The source type '%s' can write to a '%s' of the following type:\n%s %s\n" % (self.comment_start, av.src_type, av.obj_class, self.comment_start, ", ".join(types))
elif len(types) >= 1:
rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
rule.comment += "\n%s!!!! The source type '%s' can write to a '%s' of the following types:\n%s %s\n" % (self.comment_start, av.src_type, av.obj_class, self.comment_start, ", ".join(types))
except:
pass

Expand Down
Loading
Loading