* audit2ref helpful tool for writing some reference policy
@ 2006-02-09 20:44 Daniel J Walsh
  0 siblings, 0 replies; only message in thread
From: Daniel J Walsh @ 2006-02-09 20:44 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 1001 bytes --]

Little tool to search reference policy to match audit2allow rule

Reads stdin and attempts to find matches in reference policy for allow 
rules.

audit2allow -i /var/log/audit/audit.log | python audit2ref

Problem right now is it comes up with too many matches, sometimes misses 
altogether.

Useful experiment with Awk and regular expressions.

echo "allow abx_t httpd_log_t:file read;" | python audit2ref
# Replace next allow rule with one of the following
# allow abx_t httpd_log_t:file read

gen_require(`apache', `
        apache_read_log(abx_t)
')

echo "allow abx_t var_log_t:file read;" | python audit2ref
# Replace next allow rule with one of the following
# allow abx_t var_log_t:file read

gen_require(`logging', `
        logging_read_generic_logs(abx_t)
        logging_write_generic_logs(abx_t)
        logging_rw_generic_logs(abx_t)
        logging_manage_generic_logs(abx_t)
')

echo "allow abx_t avahi_exec_t:file execute;" | python audit2ref
allow abx_t avahi_exec_t:file execute


[-- Attachment #2: audit2ref --]
[-- Type: text/plain, Size: 3483 bytes --]

import sys, subprocess, os, re, glob

# One object in an allow rule: either a brace set "{ a b }" or a single token.
obj = r"(\{[^\}]*\}|[^ \t:]*)"
allow_regexp = r"allow[ \t]+%s[ \t]*%s[ \t]*:[ \t]*%s[ \t]*%s" % (obj, obj, obj, obj)

def names(group):
    # Split a brace set or single token into names, dropping the braces.
    return [x for x in group.split() if x not in ("{", "}")]

class accessTrans:
    """Expand permission-set macros from obj_perm_sets.spt into permission lists."""
    def __init__(self):
        self.dict = {}
        fd = open("/usr/share/selinux/refpolicy/include/obj_perm_sets.spt")
        records = fd.read().split("\n")
        regexp = r"^define *\(`([^']*)' *, *` *\{([^}]*)}'"
        for r in records:
            m = re.match(regexp, r)
            if m is not None:
                self.dict[m.groups()[0]] = m.groups()[1].split()
        fd.close()

    def get(self, var):
        # Replace each macro name by its members; keep plain permissions as-is.
        l = []
        for v in var:
            if v in self.dict:
                l += self.dict[v]
            elif v not in ("{", "}"):
                l.append(v)
        return l

class interfaces:
    """Index (source, target, class) -> [(perms, module, interface)] built from
    the allow rules that extract-interface.awk pulls out of the .if files."""
    def __init__(self):
        self.dict = {}
        trans = accessTrans()
        awk_file = "extract-interface.awk"
        if not os.path.exists(awk_file):
            awk_file = "/usr/share/selinux/refpolicy/" + awk_file
        # No shell is involved, so expand the *.if glob ourselves.
        cmd = ["awk", "-f", awk_file] + glob.glob("/usr/share/selinux/refpolicy/include/*.if")
        rc = subprocess.run(cmd, capture_output=True, text=True)
        if rc.returncode == 0:
            regexp = r"([^ \t]*)[ \t]+([^ \t]*)[ \t]+%s" % allow_regexp
            for r in rc.stdout.split("\n"):
                m = re.match(regexp, r)
                if m is None:
                    continue
                val = m.groups()
                file = os.path.basename(val[0]).split(".")[0]
                iface = val[1]
                Scon = names(val[2])
                Tcon = names(val[3])
                Class = names(val[4])
                Access = trans.get(val[5].split())
                for s in Scon:
                    for t in Tcon:
                        for c in Class:
                            self.dict.setdefault((s, t, c), []).append((Access, file, iface))

    def out(self):
        for k in sorted(self.dict.keys()):
            print(k)
            for i in self.dict[k]:
                print("\t", i)

    def match(self, Scon, Tcon, Class, Access):
        # Try the literal types first, then the interface placeholder $1 on
        # either side.  Access is accepted but not yet used to narrow matches.
        for key in ((Scon, Tcon, Class), ("$1", Tcon, Class), (Scon, "$1", Class)):
            if key in self.dict:
                return self.dict[key]
        return None

iface = interfaces()
rec = sys.stdin.readline()
while len(rec):
    r = rec.strip().rstrip(";")
    m = re.match(allow_regexp, r)
    if m is None:
        # Not an allow rule: skip it, but still advance to the next line.
        rec = sys.stdin.readline()
        continue
    val = m.groups()
    Scon = val[0]
    Tcon = val[1]
    Class = val[2]
    Access = val[3]
    m = iface.match(Scon, Tcon, Class, Access)
    if m is None:
        print(r)
    else:
        file = m[0][1]
        print("# Replace next allow rule with one of the following\n# %s " % r)
        print("\ngen_require(`%s', `" % file)
        for i in m:
            if file != i[1]:
                print("')\ngen_require(`%s', `" % i[1])
                file = i[1]
            print("\t%s(%s)" % (i[2], Scon))
        print("')")

    rec = sys.stdin.readline()


[-- Attachment #3: extract-interface.awk --]
[-- Type: text/plain, Size: 442 bytes --]

# Needs gawk (gensub is a gawk extension):
#   awk -f extract-interface.awk /usr/share/selinux/refpolicy/include/*.if
# Prints one line per allow rule found inside an interface(...) block:
#   <file> TAB <interface name> TAB <allow rule without the trailing ;>

/^[[:blank:]]*interface[[:blank:]]*\(/ {
	IFACEFILE = FILENAME
	IFACENAME = gensub("^[[:blank:]]*interface[[:blank:]]*\\(`?", "", "g", $0);
	IFACENAME = gensub("'?,.*$", "", "g", IFACENAME);
}

/^[[:blank:]]*allow[[:blank:]]+.*;[[:blank:]]*$/ {
	if ((length(IFACENAME) > 0) && (IFACEFILE == FILENAME)) {
		ALLOW = gensub("^[[:blank:]]*", "", "g", $0)
		# Strip the trailing ';' from the already-trimmed rule, not from $0.
		ALLOW = gensub(";[[:blank:]]*$", "", "g", ALLOW)
		print FILENAME "\t" IFACENAME "\t" ALLOW;
	}
}
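
The post notes that the lookup returns too many matches (every interface touching the same source, target and class, whatever it grants) and sometimes none. The following is an added example, not Dan Walsh's code and not part of the attachments above: a stand-alone Python 3 rewrite of the same lookup that parses the interface files itself instead of going through awk, expands the permission-set macros, and then only offers an interface whose granted permissions cover the ones the allow rule asks for, listing the least-privileged candidates first. The `obj_perm_sets.spt` and `.if` contents are constructed samples that imitate reference-policy layout; the interface and permission-set names are assumptions, not the real policy.

```python
# Added example: audit2ref-style lookup that also checks the permissions, so an
# interface is only offered when it grants everything the allow rule asks for.
# The policy snippets below are constructed samples, not the real refpolicy.
import re
import sys
from collections import defaultdict

SAMPLE_PERM_SETS = """
define(`r_file_perms', `{ getattr read lock ioctl }')
define(`rw_file_perms', `{ getattr read write append lock ioctl }')
define(`manage_file_perms', `{ create getattr read write append rename link unlink lock ioctl }')
"""

SAMPLE_IF_FILES = {  # file name -> contents, standing in for include/*.if
    "apache.if": """
interface(`apache_read_log',`
	gen_require(`
		type httpd_log_t;
	')
	allow $1 httpd_log_t:file r_file_perms;
')
""",
    "logging.if": """
interface(`logging_read_generic_logs',`
	allow $1 var_log_t:file r_file_perms;
')
interface(`logging_write_generic_logs',`
	allow $1 var_log_t:file { getattr write append };
')
interface(`logging_rw_generic_logs',`
	allow $1 var_log_t:file rw_file_perms;
')
interface(`logging_manage_generic_logs',`
	allow $1 var_log_t:{ file dir } manage_file_perms;
')
""",
}

OBJ = r"(\{[^}]*\}|[^ \t:;]+)"  # "{ a b }" or a single token
ALLOW_RE = re.compile(r"^\s*allow\s+%s\s*%s\s*:\s*%s\s*%s" % ((OBJ,) * 4))
DEFINE_RE = re.compile(r"^define\(`([^']*)',\s*`\s*\{([^}]*)\}'", re.M)
IFACE_RE = re.compile(r"interface\(`([^']*)'")

def parse_perm_sets(text):
    """define(`name', `{ perms }') -> {name: set(perms)}."""
    return {n: set(p.split()) for n, p in DEFINE_RE.findall(text)}

def tokens(group):
    """Split '{ a b }' or 'a' into names, dropping the braces."""
    return [t for t in group.split() if t not in ("{", "}")]

def parse_allow(rule, perm_sets):
    """'allow S T:C P' -> (S, T, C, perms) with macros expanded, else None."""
    m = ALLOW_RE.match(rule.strip().rstrip(";"))
    if not m:
        return None
    src, tgt, cls, perms = m.groups()
    wanted = set()
    for p in tokens(perms):
        wanted |= perm_sets.get(p, {p})
    return tokens(src), tokens(tgt), tokens(cls), wanted

def build_index(if_files, perm_sets):
    """(source, target, class) -> [(granted perms, module, interface)]."""
    index = defaultdict(list)
    for fname, text in if_files.items():
        module = fname.split(".")[0]
        heads = list(IFACE_RE.finditer(text))
        for n, head in enumerate(heads):
            end = heads[n + 1].start() if n + 1 < len(heads) else len(text)
            for line in text[head.end():end].splitlines():
                parsed = parse_allow(line, perm_sets)
                if parsed:
                    srcs, tgts, clss, perms = parsed
                    for key in [(s, t, c) for s in srcs for t in tgts for c in clss]:
                        index[key].append((perms, module, head.group(1)))
    return index

def suggest(index, rule, perm_sets):
    """[(module, interface, extra perms granted)] covering the rule, least
    privilege first; [] when no interface grants the requested access."""
    parsed = parse_allow(rule, perm_sets)
    if not parsed:
        return []
    src, tgt, cls, wanted = parsed[0][0], parsed[1][0], parsed[2][0], parsed[3]
    # Same key order as audit2ref: literal types, then $1 on either side.
    for key in ((src, tgt, cls), ("$1", tgt, cls), (src, "$1", cls)):
        if key in index:
            hits = [(mod, name, sorted(granted - wanted))
                    for granted, mod, name in index[key] if wanted <= granted]
            return sorted(hits, key=lambda h: (len(h[2]), h[0], h[1]))
    return []

def render(rule, hits):
    """Lay the suggestions out the way audit2ref prints them, per module."""
    if not hits:
        return rule
    src = tokens(ALLOW_RE.match(rule).group(1))[0]
    lines, module = ["# Replace next allow rule with one of the following", "# " + rule], None
    for mod, name, _extra in hits:
        if mod != module:
            lines.append(("')\n" if module else "\n") + "gen_require(`%s', `" % mod)
            module = mod
        lines.append("\t%s(%s)" % (name, src))
    return "\n".join(lines + ["')"])

if __name__ == "__main__":
    perm_sets = parse_perm_sets(SAMPLE_PERM_SETS)
    index = build_index(SAMPLE_IF_FILES, perm_sets)
    for line in sys.stdin:  # same pipeline as the original: allow rules on stdin
        if line.strip():
            print(render(line.strip().rstrip(";"), suggest(index, line, perm_sets)))
```

Pipe allow rules in on stdin exactly as with the original script. With the samples above, `allow abx_t var_log_t:file read` now yields only the three logging interfaces that actually grant `read` (the write-only one is dropped), `allow abx_t var_log_t:dir read` is answered by the manage interface alone because that is the only one touching `dir`, and a rule nothing covers is echoed back unchanged so it can be kept as a raw allow. Sorting by the number of surplus permissions puts the narrowest interface first, which is the one to pick when writing policy.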
