* Port of audit2allow to python
@ 2005-11-15 16:13 Daniel J Walsh
2005-11-15 18:46 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2005-11-15 16:13 UTC (permalink / raw)
To: Stephen Smalley, SE Linux
[-- Attachment #1: Type: text/plain, Size: 50 bytes --]
Next step add reference policy generation.
--
[-- Attachment #2: audit2allow.py --]
[-- Type: text/x-python, Size: 3458 bytes --]
#! /usr/bin/env python
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
# Audit2allow is a rewrite of prior perl script.
#
# Based off original audit2allow perl script: which credits
# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu)
# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp)
#
#
#
import commands, sys, os, pwd, string, getopt, re
class allow:
def __init__(self, source, target, seclass, access):
self.source=source
self.target=target
self.seclass=seclass
self.access=[]
self.add(access)
def add(self, access):
for i in access:
if i not in self.access:
self.access.append(i)
def getAccess(self):
if len(self.access) == 1:
return self.access[0]
else:
self.access.sort()
ret="{"
for i in self.access:
ret=ret + " " + i
ret=ret+" }"
return ret
def out(self):
ret="allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess())
return ret
def gettarget(self):
if self.source == self.target:
return "self"
else:
return self.target
class allowRecords:
def __init__(self, input, last_reload=0):
self.last_reload=last_reload
self.allowRules={}
line = input.read()
avc=[]
while line:
rec=line.split()
for i in rec:
if i=="avc:" :
self.add(avc)
avc=[i]
else:
avc.append(i)
line = input.read()
def add(self,avc):
scon=""
tcon=""
seclass=""
access=[]
if "granted" in avc and "load_policy" in avc:
if self.last_reload:
self.allowRules={}
return
for i in range (0, len(avc)):
t=avc[i].split('=')
if t[0]=="scontext":
scon=t[1].split(":")[2]
continue
if t[0]=="tcontext":
tcon=t[1].split(":")[2]
continue
if t[0]=="tclass":
seclass=t[1]
continue
if avc[i]=="{":
i=i+1
while i<len(avc) and avc[i] != "}":
access.append(avc[i])
i=i+1
if scon=="" or tcon =="" or seclass=="":
return
if (scon, tcon, seclass) in self.allowRules.keys():
self.allowRules[(scon, tcon, seclass)].add(access)
else:
self.allowRules[(scon, tcon, seclass)]=allow(scon, tcon, seclass, access)
def out(self):
rec=""
for i in self.allowRules.keys():
rec=rec+self.allowRules[i].out()+"\n"
return rec
def usage():
print 'audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]\n\
-d read input from output of /bin/dmesg\n\
-v verbose output\n\
-l read input only after last \"load_policy\"\n\
-i read input from <inputfile>\n\
-o append output to <outputfile>\n'
sys.exit(1)
#
# This script will generate home dir file context
# based off the homedir_template file, entries in the password file, and
#
try:
last_reload=0
input=sys.stdin
output=sys.stdout
gopts, cmds = getopt.getopt(sys.argv[1:], 'do:hli:', ['help',
'last_reload='])
for o,a in gopts:
if o == '--last_reload' or o == "-l":
last_reload=1
if o == "-i":
input=open(a, "r")
if o == '--help':
usage()
if o == "-d":
input=os.popen("/bin/dmesg", "r")
if o == "-o":
output=open(a, "a")
if len(cmds) != 0:
usage()
out=allowRecords(input, last_reload)
output.write(out.out())
except getopt.error, error:
errorExit(string.join("Options Error ", error))
except ValueError, error:
errorExit(string.join("ValueError ", error))
except IndexError, error:
errorExit("IndexError")
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Port of audit2allow to python
2005-11-15 16:13 Port of audit2allow to python Daniel J Walsh
@ 2005-11-15 18:46 ` Stephen Smalley
2005-11-15 18:57 ` Stephen Smalley
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2005-11-15 18:46 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Tue, 2005-11-15 at 11:13 -0500, Daniel J Walsh wrote:
> Next step add reference policy generation.
Doesn't yield the same output as the old perl script, even after sorting
both outputs to avoid ordering issues.
Looks like the new script is incorrectly adding allow rules for:
- security_compute_sid errors, and
- avc: granted messages
But the new script appears to be more consistent about using curly
brackets for multiple permissions.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Port of audit2allow to python
2005-11-15 18:46 ` Stephen Smalley
@ 2005-11-15 18:57 ` Stephen Smalley
2005-11-16 6:05 ` Daniel J Walsh
0 siblings, 1 reply; 4+ messages in thread
From: Stephen Smalley @ 2005-11-15 18:57 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Tue, 2005-11-15 at 13:46 -0500, Stephen Smalley wrote:
> On Tue, 2005-11-15 at 11:13 -0500, Daniel J Walsh wrote:
> > Next step add reference policy generation.
>
> Doesn't yield the same output as the old perl script, even after sorting
> both outputs to avoid ordering issues.
>
> Looks like the new script is incorrectly adding allow rules for:
> - security_compute_sid errors, and
> - avc: granted messages
Also, the new script doesn't appear to support the -v option yet
(collects up the auxiliary audit information like the comm= and name=
information and saves it in comment lines after each allow rule). Not
sure how crucial that is, or whether we should be saving the audit event
id instead so that people can use ausearch to query the corresponding
system call audit record easily.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Port of audit2allow to python
2005-11-15 18:57 ` Stephen Smalley
@ 2005-11-16 6:05 ` Daniel J Walsh
0 siblings, 0 replies; 4+ messages in thread
From: Daniel J Walsh @ 2005-11-16 6:05 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
[-- Attachment #1: Type: text/plain, Size: 901 bytes --]
Stephen Smalley wrote:
> On Tue, 2005-11-15 at 13:46 -0500, Stephen Smalley wrote:
>
>> On Tue, 2005-11-15 at 11:13 -0500, Daniel J Walsh wrote:
>>
>>> Next step add reference policy generation.
>>>
>> Doesn't yield the same output as the old perl script, even after sorting
>> both outputs to avoid ordering issues.
>>
>> Looks like the new script is incorrectly adding allow rules for:
>> - security_compute_sid errors, and
>> - avc: granted messages
>>
>
> Also, the new script doesn't appear to support the -v option yet
> (collects up the auxiliary audit information like the comm= and name=
> information and saves it in comment lines after each allow rule). Not
> sure how crucial that is, or whether we should be saving the audit event
> id instead so that people can use ausearch to query the corresponding
> system call audit record easily.
>
>
Another pass.
--
[-- Attachment #2: audit2allow.py --]
[-- Type: text/x-python, Size: 4276 bytes --]
#! /usr/bin/env python
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
# Audit2allow is a rewrite of prior perl script.
#
# Based off original audit2allow perl script: which credits
# newrules.pl, Copyright (C) 2001 Justin R. Smith (jsmith@mcs.drexel.edu)
# 2003 Oct 11: Add -l option by Yuichi Nakamura(ynakam@users.sourceforge.jp)
#
#
#
import commands, sys, os, pwd, string, getopt, re
class allow:
def __init__(self, source, target, seclass):
self.source=source
self.target=target
self.seclass=seclass
self.avcinfo={}
def add(self, avc):
for a in avc[0]:
if a not in self.avcinfo.keys():
self.avcinfo[a]=[]
self.avcinfo[a].append(avc[1:])
def getAccess(self):
if len(self.avcinfo.keys()) == 1:
for i in self.avcinfo.keys():
return i
else:
keys=self.avcinfo.keys()
keys.sort()
ret="{"
for i in keys:
ret=ret + " " + i
ret=ret+" }"
return ret
def out(self, verbose=0):
ret=""
ret=ret+"allow %s %s:%s %s;" % (self.source, self.gettarget(), self.seclass, self.getAccess())
if verbose:
keys=self.avcinfo.keys()
keys.sort()
for i in keys:
for x in self.avcinfo[i]:
ret=ret+"\n#TYPE=AVC MSG=%s COMM=%s NAME=%s\t: " % x
ret=ret + i
return ret
def gettarget(self):
if self.source == self.target:
return "self"
else:
return self.target
class allowRecords:
def __init__(self, input, last_reload=0, verbose=0):
self.last_reload=last_reload
self.allowRules={}
line = input.read()
avc=[]
while line:
rec=line.split()
for i in rec:
if i=="avc:" or i=="message=avc:":
self.add(avc)
avc=[i]
else:
avc.append(i)
line = input.read()
def add(self,avc):
scon=""
tcon=""
seclass=""
comm=""
name=""
msg=""
access=[]
if "security_compute_sid" in avc:
return
if "granted" in avc:
if "load_policy" in avc and self.last_reload:
self.allowRules={}
return
for i in range (0, len(avc)):
t=avc[i].split('=')
if t[0]=="scontext":
scon=t[1].split(":")[2]
continue
if t[0]=="tcontext":
tcon=t[1].split(":")[2]
continue
if t[0]=="tclass":
seclass=t[1]
continue
if t[0]=="comm":
comm=t[1]
continue
if t[0]=="name":
name=t[1]
continue
if t[0]=="msg":
msg=t[1]
continue
if avc[i]=="{":
i=i+1
while i<len(avc) and avc[i] != "}":
access.append(avc[i])
i=i+1
if scon=="" or tcon =="" or seclass=="":
return
if (scon, tcon, seclass) not in self.allowRules.keys():
self.allowRules[(scon, tcon, seclass)]=allow(scon, tcon, seclass)
self.allowRules[(scon, tcon, seclass)].add((access, msg, comm, name ))
def outModule(self):
contexts=[]
class=[]
for i in self.allowRules.keys():
if i[0] not in contexts:
contexts.append(i[0])
if i[1] not in contexts:
contexts.append(i[1])
if i[2] not in class:
class.append(i[1])
def out(self):
rec=""
for i in self.allowRules.keys():
rec=rec+self.allowRules[i].out(verbose)+"\n"
return rec
def usage():
print 'audit2allow [-d] [-v] [-l] [-i <inputfile> ] [-o <outputfile>]\n\
-d read input from output of /bin/dmesg\n\
-v verbose output\n\
-l read input only after last \"load_policy\"\n\
-i read input from <inputfile>\n\
-o append output to <outputfile>\n'
sys.exit(1)
#
# This script will generate home dir file context
# based off the homedir_template file, entries in the password file, and
#
try:
last_reload=0
input=sys.stdin
output=sys.stdout
verbose=0
gopts, cmds = getopt.getopt(sys.argv[1:], 'vdo:hli:', ['help',
'last_reload='])
for o,a in gopts:
if o == '--last_reload' or o == "-l":
last_reload=1
if o == "-v":
verbose=1
if o == "-i":
input=open(a, "r")
if o == '--help':
usage()
if o == "-d":
input=os.popen("/bin/dmesg", "r")
if o == "-o":
output=open(a, "a")
if len(cmds) != 0:
usage()
out=allowRecords(input, last_reload, verbose)
output.write(out.out())
except getopt.error, error:
errorExit(string.join("Options Error ", error))
except ValueError, error:
errorExit(string.join("ValueError ", error))
except IndexError, error:
errorExit("IndexError")
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-11-16 6:05 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-11-15 16:13 Port of audit2allow to python Daniel J Walsh
2005-11-15 18:46 ` Stephen Smalley
2005-11-15 18:57 ` Stephen Smalley
2005-11-16 6:05 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.