From 66afa88fd1411ca3999ecca5cf0798fdc2f65813 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 24 Jun 2020 17:49:14 +0200
Subject: [PATCH] Update to work with setools 4.3
* TERules cannot be altered from the outside any more
** Use derive_expanded to perform partial expansion
** Full expansion is now available via TERule.expand()
* "exception" module was moved from policyrep
* "typeattr" module was merged into policyrep
---
sepolicyanalysis/policy_data_collection.py | 34 ++++------------------
1 file changed, 6 insertions(+), 28 deletions(-)
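--- a/sepolicyanalysis/policy_data_collection.py
+++ b/sepolicyanalysis/policy_data_collection.py
@@ -51,32 +51,10 @@ def half_expand_rule(rule, expand_source):
 expansion = rule.source.expand() if expand_source else rule.target.expand()
 if expand_source:
 for t in expansion:
-results.append(setools.policyrep.terule.expanded_te_rule_factory(rule, t, rule.target))
+results.append(rule.derive_expanded(t, rule.target, rule.perms))
 else:
 for t in expansion:
-results.append(setools.policyrep.terule.expanded_te_rule_factory(rule, rule.source, t))
-return results
-
-# return set of rules where attributes were replaced by all types with given attribute
-def expand_rule(rule):
-results = []
-
-source_exp = rule.source.expand() if is_attribute(rule.source) else [rule.source]
-target_exp = rule.target.expand() if is_attribute(rule.target) else [rule.target]
-
-for source in source_exp:
-for target in target_exp:
-if isinstance(rule, setools.policyrep.terule.ExpandedTERule):
-#expanded_te_rule_factory ignores ExpandedTERules (doesn't set new source/target)
-newrule = setools.policyrep.terule.ExpandedTERule(rule.policy, rule.qpol_symbol)
-newrule.source = source
-newrule.target = target
-nwerule.origin = rule.origin
-
-else:
-newrule = setools.policyrep.terule.expanded_te_rule_factory(rule, source, target)
-results.append(newrule)
-
+results.append(rule.derive_expanded(rule.source, t, rule.perms))
 return results
 
 # expand all rules in given iterable
@@ -90,7 +68,7 @@ def expand_rules(rules):
 # discard rules corresponding to unconfined attributes
 # TODO: add command line argument that switches this off - i.e. consider unconfined attributes
 if (not is_unconfined_attr(rule.source)) and (not is_unconfined_attr(rule.target)):
-results.extend(expand_rule(rule))
+results.extend(rule.expand())
 
 return results
 
@@ -223,7 +201,7 @@ def filter_terules_boolean(rules, bool_state = None):
 # return rules in agreement with boolean settings
 results.append(rule)
 
-except setools.policyrep.exception.RuleNotConditional:
+except setools.exception.RuleNotConditional:
 # return all unconditional rules
 results.append(rule)
 
@@ -256,12 +234,12 @@ def is_conditional(rule):
 boolean = str(rule.conditional)
 return boolean
 
-except setools.policyrep.exception.RuleNotConditional:
+except setools.exception.RuleNotConditional:
 False
 
 # is given object of type "TypeAttribute" ?
 def is_attribute(obj):
-return isinstance(obj, setools.policyrep.typeattr.TypeAttribute)
+return isinstance(obj, setools.policyrep.TypeAttribute)
 
 # is given object of type "TypeAttribute" which is considered unconfined ?
 # TODO: refine -- limit to "strong" unconfined domains (associated with lots of privileges)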
--
2.25.4