d24259b7 | 1 | #!/usr/bin/python |
d6c62e7d | 2 | |
3 | # Author: Chris PeBenito <cpebenito@tresys.com> |
4 | # | |
5 | # Copyright (C) 2006 Tresys Technology, LLC | |
6 | # This program is free software; you can redistribute it and/or modify | |
7 | # it under the terms of the GNU General Public License as published by | |
8 | # the Free Software Foundation, version 2. | |
9 | ||
10 | import sys,string,getopt,re | |
11 | ||
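# Accepts one corenetwork.te.in declaration of the form
#   network_port(name, proto, num, mls_sens[, proto, num, mls_sens ...])
# i.e. a name followed by one or more (proto, num, mls_sens) triples, with
# nothing but optional whitespace and a '#' comment after the closing paren.
# Every token is restricted to \w+, so nothing parsed from this line can
# carry separators or shell/iptables metacharacters into the emitted rules.
# Raw string: "\(" , "\s" and "\w" are invalid escapes in a plain literal.
NETPORT = re.compile(r"^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")

# Packet types used by the catch-all SECMARK rule that print_input_rules /
# print_output_rules emit before the per-port rules.
DEFAULT_INPUT_PACKET = "server_packet_t"
DEFAULT_OUTPUT_PACKET = "client_packet_t"
# Level suffix appended to those default contexts under --mcs / --mls.
DEFAULT_MCS = "s0"
DEFAULT_MLS = "s0"

# Suffixes appended to a network_port() name to form its packet types.
PACKET_INPUT = "_server_packet_t"
PACKET_OUTPUT = "_client_packet_t"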
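class Port:
    """One (protocol, port number, MLS sensitivity) triple from a network_port() line."""

    def __init__(self, proto, num, mls_sens, mcs_cats=""):
        # protocol of the port (the "tcp"/"udp"-style token from the .te.in line)
        self.proto = proto

        # port number; parse_corenet passes it as a string and the
        # print_*_rules functions splice it into the rule text as-is
        self.num = num

        # MLS sensitivity
        self.mls_sens = mls_sens

        # MCS categories
        # not currently supported, so we always get s0; the mcs_cats
        # argument is accepted for interface compatibility but ignored
        self.mcs_cats = DEFAULT_MCS

    def __repr__(self):
        return "Port(proto=%r, num=%r, mls_sens=%r, mcs_cats=%r)" % (
            self.proto, self.num, self.mls_sens, self.mcs_cats)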
36 | |
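class Packet:
    """A network_port() declaration: its name prefix and the Ports it lists."""

    def __init__(self, prefix, ports):
        # prefix: the first network_port() argument; PACKET_INPUT /
        # PACKET_OUTPUT are appended to it to form the packet types
        self.prefix = prefix

        # A list of Ports
        self.ports = ports

    def __repr__(self):
        return "Packet(prefix=%r, ports=%r)" % (self.prefix, self.ports)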
44 | ||
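def print_input_rules(packets, mls, mcs):
    """Print the selinux_new_input chain rules to stdout.

    Emits a catch-all SECMARK rule labelling with DEFAULT_INPUT_PACKET, then
    one SECMARK rule per Port of every Packet (matching on protocol and
    destination port), then the CONNSECMARK save and RETURN.  When mls is
    true the MLS sensitivity is appended to every context; otherwise when
    mcs is true the MCS categories are; mls takes precedence if both are
    set.  Port fields are inserted verbatim, so callers must only pass
    values that parse_corenet (via NETPORT) has restricted to \\w+ tokens.
    """
    default_level = ""
    if mls:
        default_level = ":" + DEFAULT_MLS
    elif mcs:
        default_level = ":" + DEFAULT_MCS
    print("base -A selinux_new_input -j SECMARK --selctx system_u:object_r:%s%s"
          % (DEFAULT_INPUT_PACKET, default_level))

    for packet in packets:
        for port in packet.ports:
            level = ""
            if mls:
                level = ":" + port.mls_sens
            elif mcs:
                level = ":" + port.mcs_cats
            # %s formats port.num whether it is a str (as parsed) or an int
            print("base -A selinux_new_input -p %s --dport %s -j SECMARK "
                  "--selctx system_u:object_r:%s%s%s"
                  % (port.proto, port.num, packet.prefix, PACKET_INPUT, level))

    print("post -A selinux_new_input -j CONNSECMARK --save")
    print("post -A selinux_new_input -j RETURN")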
d6c62e7d | 65 | |
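def print_output_rules(packets, mls, mcs):
    """Print the selinux_new_output chain rules to stdout.

    Mirrors print_input_rules for the output direction: a catch-all SECMARK
    rule with DEFAULT_OUTPUT_PACKET, one SECMARK rule per Port (protocol
    and destination port), then CONNSECMARK save and RETURN.  mls appends
    the MLS sensitivity, else mcs appends the MCS categories; mls wins when
    both are set.  Port fields are inserted verbatim, so they must come
    from parse_corenet, whose NETPORT regex limits them to \\w+ tokens.
    """
    default_level = ""
    if mls:
        default_level = ":" + DEFAULT_MLS
    elif mcs:
        default_level = ":" + DEFAULT_MCS
    print("base -A selinux_new_output -j SECMARK --selctx system_u:object_r:%s%s"
          % (DEFAULT_OUTPUT_PACKET, default_level))

    for packet in packets:
        for port in packet.ports:
            level = ""
            if mls:
                level = ":" + port.mls_sens
            elif mcs:
                level = ":" + port.mcs_cats
            # %s formats port.num whether it is a str (as parsed) or an int
            print("base -A selinux_new_output -p %s --dport %s -j SECMARK "
                  "--selctx system_u:object_r:%s%s%s"
                  % (port.proto, port.num, packet.prefix, PACKET_OUTPUT, level))

    print("post -A selinux_new_output -j CONNSECMARK --save")
    print("post -A selinux_new_output -j RETURN")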
85 | |
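def parse_corenet(file_name):
    """Parse the network_port() declarations in a corenetwork.te.in file.

    Returns a list of Packet objects, one per line that matches NETPORT, in
    file order; every other line is silently ignored.  Each Packet carries
    one Port per (proto, num, mls_sens) triple on its line.  Raises the
    open() error (IOError/OSError) if the file cannot be read.  All values
    stored on the returned objects are \\w+ tokens because NETPORT rejects
    anything else, which is what keeps the generated rules free of
    unexpected characters.
    """
    packets = []

    # with-statement guarantees the file is closed even if parsing raises
    with open(file_name, "r") as corenet_te_in:
        for corenet_line in corenet_te_in:
            # NETPORT is anchored at column 0, so match the raw line
            if not NETPORT.match(corenet_line):
                continue
            corenet_line = corenet_line.strip()

            # parse out the parameters: everything between the first '('
            # and the first ')' after it
            openparen = corenet_line.find('(') + 1
            closeparen = corenet_line.find(')', openparen)
            # \W+ splits on the ", " separators.  Drop empty strings: with
            # whitespace just inside the parens, re.split yields a leading
            # '' that used to become the name and shift every field by one.
            parms = [p for p in re.split(r'\W+', corenet_line[openparen:closeparen]) if p]
            name = parms[0]
            parms = parms[1:]

            # NETPORT guarantees one or more complete (proto, num, mls_sens)
            # triples, so stepping by 3 never runs off the end
            ports = [Port(parms[k], parms[k + 1], parms[k + 2])
                     for k in range(0, len(parms), 3)]
            packets.append(Packet(name, ports))

    return packets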
119 | ||
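def print_netfilter_config(packets, mls, mcs):
    """Print the complete mangle-table ruleset for the given packets to stdout.

    Prints the table header and chain plumbing (INPUT/OUTPUT jump into
    selinux_input/selinux_output, which restore CONNSECMARK on established
    traffic and send NEW connections to the selinux_new_* chains), then the
    per-port chains via print_input_rules / print_output_rules, then the
    COMMIT.  Every line starts with a "pre", "base" or "post" tag; the
    consumer that interprets those tags is not part of this file.
    mls/mcs are passed through unchanged to the rule printers.
    """
    header = (
        "pre *mangle",
        "pre :PREROUTING ACCEPT [0:0]",
        "pre :INPUT ACCEPT [0:0]",
        "pre :FORWARD ACCEPT [0:0]",
        "pre :OUTPUT ACCEPT [0:0]",
        "pre :POSTROUTING ACCEPT [0:0]",
        "pre :selinux_input - [0:0]",
        "pre :selinux_output - [0:0]",
        "pre :selinux_new_input - [0:0]",
        "pre :selinux_new_output - [0:0]",
        "pre -A INPUT -j selinux_input",
        "pre -A OUTPUT -j selinux_output",
        "pre -A selinux_input -m state --state NEW -j selinux_new_input",
        "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore",
        "pre -A selinux_output -m state --state NEW -j selinux_new_output",
        "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore",
    )
    for rule in header:
        print(rule)
    print_input_rules(packets, mls, mcs)
    print_output_rules(packets, mls, mcs)
    print("post COMMIT")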
d6c62e7d | 140 | |
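def main():
    """Command-line entry point.

    Usage: script [-m|--mls] [-c|--mcs] corenetwork.te.in
    Parses the first path given and prints the netfilter config to stdout.
    Exits with status 1 on bad options or a missing path; extra paths are
    ignored with a warning.  All diagnostics go to stderr so they never
    get mixed into the generated config on stdout.
    """
    mls = False
    mcs = False

    try:
        opts, paths = getopt.getopt(sys.argv[1:], 'mc', ['mls', 'mcs'])
    except getopt.GetoptError as error:
        # stderr, like the other errors below: a bad invocation must not
        # land in the config that stdout is being redirected to
        sys.stderr.write("Invalid options: %s\n" % error)
        sys.exit(1)

    for o, _ in opts:
        if o in ("-c", "--mcs"):
            mcs = True
        if o in ("-m", "--mls"):
            mls = True

    if len(paths) == 0:
        sys.stderr.write("Need a path for corenetwork.te.in!\n")
        sys.exit(1)
    elif len(paths) > 1:
        sys.stderr.write("Ignoring extra specified paths\n")

    packets = parse_corenet(paths[0])
    print_netfilter_config(packets, mls, mcs)


# Guarding the entry point keeps the parse/print functions importable
# (e.g. for tests) without running the script or calling sys.exit().
if __name__ == "__main__":
    main()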