# Author: Chris PeBenito <cpebenito@tresys.com>
# Copyright (C) 2006 Tresys Technology, LLC
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 2.
10 import sys
,string
,getopt
,re
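# Matches a refpolicy network_port() declaration: a port name followed by
# one or more "proto, num, mls_sens" triples, optionally followed by a
# trailing "#" comment.  Only \w characters are accepted inside the
# parentheses, so anything that later ends up in a generated rule is
# limited to word characters.
# Raw string: the regex escapes (\(, \s, \w) must reach re.compile
# unchanged rather than being read as string escapes.
NETPORT = re.compile(r"^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")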
# Packet types for the first SECMARK rule emitted on the selinux_new_input /
# selinux_new_output chains; that rule carries no port match, so it is the
# default label, and the per-port rules emitted after it carry a more
# specific prefix-derived type.
DEFAULT_INPUT_PACKET = "server_packet_t"
DEFAULT_OUTPUT_PACKET = "client_packet_t"
# Suffixes appended to a Packet's prefix to build the per-service packet
# type used in the per-port SECMARK rules.
PACKET_INPUT = "_server_packet_t"
PACKET_OUTPUT = "_client_packet_t"
23 def __init__(self
, proto
, num
, mls_sens
, mcs_cats
=""):
24 # protocol of the port
31 self
.mls_sens
= mls_sens
34 # not currently supported, so we always get s0
35 self
.mcs_cats
= DEFAULT_MCS
38 def __init__(self
, prefix
, ports
):
45 def print_input_rules(packets
,mls
,mcs
):
46 line
= "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
48 line
+= ":"+DEFAULT_MLS
50 line
+= ":"+DEFAULT_MCS
56 line
="base -A selinux_new_input -p "+j
.proto
+" --dport "+j
.num
+" -j SECMARK --selctx system_u:object_r:"+i
.prefix
+PACKET_INPUT
58 line
+= ":"+j
.mls_sens
60 line
+= ":"+j
.mcs_cats
63 print "post -A selinux_new_input -j CONNSECMARK --save"
64 print "post -A selinux_new_input -j RETURN"
66 def print_output_rules(packets
,mls
,mcs
):
67 line
= "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
69 line
+= ":"+DEFAULT_MLS
71 line
+= ":"+DEFAULT_MCS
76 line
= "base -A selinux_new_output -p "+j
.proto
+" --dport "+j
.num
+" -j SECMARK --selctx system_u:object_r:"+i
.prefix
+PACKET_OUTPUT
78 line
+= ":"+j
.mls_sens
80 line
+= ":"+j
.mcs_cats
83 print "post -A selinux_new_output -j CONNSECMARK --save"
84 print "post -A selinux_new_output -j RETURN"
86 def parse_corenet(file_name
):
89 corenet_te_in
= open(file_name
, "r")
92 corenet_line
= corenet_te_in
.readline()
94 # If EOF has been reached:
98 if NETPORT
.match(corenet_line
):
99 corenet_line
= corenet_line
.strip();
101 # parse out the parameters
102 openparen
= string
.find(corenet_line
,'(')+1
103 closeparen
= string
.find(corenet_line
,')',openparen
)
104 parms
= re
.split('\W+',corenet_line
[openparen
:closeparen
])
109 while len(parms
) > 0:
110 # add a port combination.
111 ports
.append(Port(parms
[0],parms
[1],parms
[2]))
114 packets
.append(Packet(name
,ports
))
116 corenet_te_in
.close()
120 def print_netfilter_config(packets
,mls
,mcs
):
122 print "pre :PREROUTING ACCEPT [0:0]"
123 print "pre :INPUT ACCEPT [0:0]"
124 print "pre :FORWARD ACCEPT [0:0]"
125 print "pre :OUTPUT ACCEPT [0:0]"
126 print "pre :POSTROUTING ACCEPT [0:0]"
127 print "pre :selinux_input - [0:0]"
128 print "pre :selinux_output - [0:0]"
129 print "pre :selinux_new_input - [0:0]"
130 print "pre :selinux_new_output - [0:0]"
131 print "pre -A INPUT -j selinux_input"
132 print "pre -A OUTPUT -j selinux_output"
133 print "pre -A selinux_input -m state --state NEW -j selinux_new_input"
134 print "pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
135 print "pre -A selinux_output -m state --state NEW -j selinux_new_output"
136 print "pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
137 print_input_rules(packets
,mls
,mcs
)
138 print_output_rules(packets
,mls
,mcs
)
145 opts
, paths
= getopt
.getopt(sys
.argv
[1:],'mc',['mls','mcs'])
146 except getopt
.GetoptError
, error
:
147 print "Invalid options."
151 if o
in ("-c","--mcs"):
153 if o
in ("-m","--mls"):
157 sys
.stderr
.write("Need a path for corenetwork.te.in!\n")
160 sys
.stderr
.write("Ignoring extra specified paths\n")
162 packets
=parse_corenet(paths
[0])
163 print_netfilter_config(packets
,mls
,mcs
)