#! /usr/bin/python -Es
# Copyright (C) 2012 Red Hat
# see file 'COPYING' for use and warranty information
#
# setrans is a tool for analyzing process transistions in SELinux policy
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
# 02111-1307 USA
#
#
import sys
import seobject
import setools
search=setools.sesearch
seinfo=setools.seinfo
portRec = seobject.portRecords()
portrecs = portRec.get_all_by_type()
portrecsbynum = portRec.get_all()
port_types = setools.seinfo(setools.ATTRIBUTE,"port_type")[0]["types"]
def get_types(src, tclass, perm):
allows=search([setools.ALLOW],{setools.SCONTEXT:src,setools.CLASS:tclass, setools.PERMS:perm})
nlist=[]
if allows:
for i in map(lambda y: y[setools.TCONTEXT], filter(lambda x: set(perm).issubset(x[setools.PERMS]), allows)):
if i not in nlist:
nlist.append(i)
return nlist
def get_network_connect(src, protocol, perm):
d={}
tlist = get_types(src, "%s_socket" % protocol, [perm])
if len(tlist) > 0:
if "port_type" in tlist:
d[(src,protocol,perm)] = ["all ports"]
return d
d[(src,protocol,perm)] = []
for i in tlist:
if i == "ephemeral_port_type":
if "unreserved_port_type" in tlist:
continue
i = "ephemeral_port_t"
if i == "unreserved_port_t":
if "unreserved_port_type" in tlist:
continue
if "port_t" in tlist:
continue
if i == "port_t":
d[(src,protocol,perm)].append("all ports with out defined types")
elif i == "unreserved_port_type":
d[(src,protocol,perm)].append("%s: all ports > 1024" % i)
elif i == "reserved_port_type":
d[(src,protocol,perm)].append("%s: all ports < 1024" % i)
elif i == "rpc_port_type":
d[(src,protocol,perm)].append("%s: all ports > 500 and < 1024" % i)
else:
try:
d[(src,protocol,perm)].append("%s: %s" % (i, ",".join(portrecs[(i, protocol)])))
except KeyError:
pass
return d
def print_net(src, protocol, perm):
portdict = get_network_connect(src, protocol, perm)
if len(portdict) > 0:
print "%s: %s %s" % (src, protocol, perm)
for p in portdict:
for recs in portdict[p]:
print "\t" + recs
if __name__ == '__main__':
setype = sys.argv[1]
if setype.isdigit():
port = int(setype)
found = False
for i in portrecsbynum:
if i[0] <= port and port <= i[1]:
if i[0] == i[1]:
range = i[0]
else:
range = "%s-%s" % (i[0], i[1])
found = True
print "%s: %s %s %s" % (setype, i[2], portrecsbynum[i][0], range)
if not found:
if port < 500:
print "Undefined reserved port type"
else:
print "Undefined port type"
elif setype in port_types:
if (setype,'tcp') in portrecs.keys():
print "%s: tcp: %s" % (setype, ",".join(portrecs[setype,'tcp']))
if (setype,'udp') in portrecs.keys():
print "%s: udp: %s" % (setype, ",".join(portrecs[setype,'udp']))
else:
print_net(setype, "tcp", "name_connect")
for net in ("tcp", "udp"):
print_net(setype, net, "name_bind")