1 #!/usr/bin/python
2
3 # Author: Chris PeBenito <cpebenito@tresys.com>
4 #
5 # Copyright (C) 2006 Tresys Technology, LLC
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation, version 2.
9
10 import sys,string,getopt,re
11
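# Matches one ``network_port(name, proto, num, mls[, proto, num, mls]...)``
# declaration per line, optionally followed by a ``#`` comment.  Every field is
# restricted to ``\w+``, which is what keeps the values later spliced into
# iptables rule text free of separators or shell-like characters.
# NOTE: the port number is only checked as ``\w+``, not ``\d+``; a non-numeric
# value passes here and is left for iptables to reject.
# Raw string: the original non-raw literal relied on ``\(`` / ``\s`` / ``\w``
# surviving as invalid escape sequences, which modern Python warns about.
NETPORT = re.compile(r"^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")

# Contexts for traffic that matches no declared port.
DEFAULT_INPUT_PACKET = "server_packet_t"
DEFAULT_OUTPUT_PACKET = "client_packet_t"
# Level fields appended to a context when --mcs / --mls is requested.
DEFAULT_MCS = "s0"
DEFAULT_MLS = "s0"

# Suffixes appended to a network_port() name to form its packet types.
PACKET_INPUT = "_server_packet_t"
PACKET_OUTPUT = "_client_packet_t"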
21
class Port:
    """One protocol/port pair from a network_port() declaration, with the
    level fields used when labelling its packets.

    ``mcs_cats`` is accepted for interface compatibility only: categories are
    not supported yet, so every instance carries DEFAULT_MCS regardless of
    what the caller passes.
    """

    def __init__(self, proto, num, mls_sens, mcs_cats=""):
        self.proto = proto            # protocol name as written in the .te.in (e.g. "tcp")
        self.num = num                # port number; kept as the string token it was parsed from
        self.mls_sens = mls_sens      # MLS sensitivity for this port's packets
        self.mcs_cats = DEFAULT_MCS   # MCS categories: unsupported, so always the default
36
class Packet:
    """A named packet type together with the Ports that are labelled with it.

    ``prefix`` is the network_port() name; the packet type names are formed
    by appending PACKET_INPUT / PACKET_OUTPUT to it.  ``ports`` is the list
    of Port objects declared on the same line.
    """

    def __init__(self, prefix, ports):
        self.prefix = prefix   # network_port() name, e.g. "http"
        self.ports = ports     # list of Port
44
def print_input_rules(packets, mls, mcs):
    """Print the selinux_new_input chain.

    Emits the default SECMARK for new inbound connections, one SECMARK rule
    per declared port (labelled <prefix>_server_packet_t), then the
    CONNSECMARK save and RETURN.

    packets: Packet objects as produced by parse_corenet.
    mls/mcs: whether to append an MLS sensitivity or MCS categories field to
             each context; mls takes precedence when both are set.
    """
    def labeled(context, sens, cats):
        # Append the optional ":<level>" field; MLS wins over MCS.
        if mls:
            return context + ":" + sens
        if mcs:
            return context + ":" + cats
        return context

    default_ctx = "system_u:object_r:" + DEFAULT_INPUT_PACKET
    print("base -A selinux_new_input -j SECMARK --selctx "
          + labeled(default_ctx, DEFAULT_MLS, DEFAULT_MCS))

    for packet in packets:
        for port in packet.ports:
            # proto, num and prefix are spliced in unquoted; they are only as
            # clean as the \w+ tokens NETPORT admitted in parse_corenet.
            ctx = "system_u:object_r:" + packet.prefix + PACKET_INPUT
            print("base -A selinux_new_input -p " + port.proto
                  + " --dport " + port.num
                  + " -j SECMARK --selctx "
                  + labeled(ctx, port.mls_sens, port.mcs_cats))

    print("post -A selinux_new_input -j CONNSECMARK --save")
    print("post -A selinux_new_input -j RETURN")
65
def print_output_rules(packets, mls, mcs):
    """Print the selinux_new_output chain.

    Emits the default SECMARK for new outbound connections, one SECMARK rule
    per declared port (labelled <prefix>_client_packet_t), then the
    CONNSECMARK save and RETURN.  ``packets`` is the list from parse_corenet;
    ``mls``/``mcs`` select which level field, if any, is appended to each
    context (mls wins when both are set).
    """
    def level_suffix(sens, cats):
        # Optional ":<level>" part of a context; MLS takes precedence over MCS.
        if mls:
            return ":" + sens
        if mcs:
            return ":" + cats
        return ""

    print("base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"
          + DEFAULT_OUTPUT_PACKET + level_suffix(DEFAULT_MLS, DEFAULT_MCS))

    for packet in packets:
        for port in packet.ports:
            # Field values are spliced in unquoted; they are only as clean as
            # the \w+ tokens NETPORT admitted in parse_corenet.
            rule = "".join([
                "base -A selinux_new_output -p ", port.proto,
                " --dport ", port.num,
                " -j SECMARK --selctx system_u:object_r:", packet.prefix, PACKET_OUTPUT,
                level_suffix(port.mls_sens, port.mcs_cats),
            ])
            print(rule)

    for tail in ("post -A selinux_new_output -j CONNSECMARK --save",
                 "post -A selinux_new_output -j RETURN"):
        print(tail)
85
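def parse_corenet(file_name):
    """Parse the network_port() declarations out of a corenetwork.te.in file.

    Returns a list of Packet objects, one per line that NETPORT matches, each
    holding a Port for every (proto, num, mls_sens) triple declared on that
    line.  Non-matching lines are skipped silently.

    Fixes relative to the original: the file is closed even when parsing
    raises, and whitespace just inside the parentheses no longer yields an
    empty token (a leading blank made the name "", a trailing one left a
    lone "" that raised IndexError when grouped into triples).
    """
    packets = []

    with open(file_name, "r") as corenet_te_in:
        for corenet_line in corenet_te_in:
            if not NETPORT.match(corenet_line):
                continue
            corenet_line = corenet_line.strip()

            # The argument list is everything between the first '(' and the
            # next ')'; NETPORT already guarantees both are present.
            openparen = corenet_line.find("(") + 1
            closeparen = corenet_line.find(")", openparen)
            # Split on runs of non-word characters and drop the empty strings
            # that leading/trailing whitespace inside the parens produces.
            parms = [p for p in re.split(r"\W+", corenet_line[openparen:closeparen]) if p]
            name = parms[0]
            fields = parms[1:]

            # NETPORT admits only complete (proto, num, mls) triples after the
            # name, so stepping by three cannot run off the end.
            ports = [Port(fields[i], fields[i + 1], fields[i + 2])
                     for i in range(0, len(fields), 3)]
            packets.append(Packet(name, ports))

    return packets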
119
def print_netfilter_config(packets, mls, mcs):
    """Print the whole mangle-table fragment for iptables-restore.

    Output order: the table/chain preamble ("pre " lines), the per-port
    SECMARK rules for input and output, then "post COMMIT".  Only the NEW and
    RELATED,ESTABLISHED conntrack states are dispatched by selinux_input /
    selinux_output; a packet in any other state (e.g. INVALID) passes through
    those chains without receiving a SECMARK.
    """
    preamble = [
        "*mangle",
        ":PREROUTING ACCEPT [0:0]",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        ":selinux_input - [0:0]",
        ":selinux_output - [0:0]",
        ":selinux_new_input - [0:0]",
        ":selinux_new_output - [0:0]",
        "-A INPUT -j selinux_input",
        "-A OUTPUT -j selinux_output",
        "-A selinux_input -m state --state NEW -j selinux_new_input",
        "-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore",
        "-A selinux_output -m state --state NEW -j selinux_new_output",
        "-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore",
    ]
    for entry in preamble:
        print("pre " + entry)

    print_input_rules(packets, mls, mcs)
    print_output_rules(packets, mls, mcs)

    print("post COMMIT")
140
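# Script entry: parse -m/--mls and -c/--mcs plus one path to corenetwork.te.in,
# then print the netfilter config to stdout.  All diagnostics go to stderr so
# they never land in the generated config when stdout is redirected into it
# (the original printed "Invalid options." to stdout and dropped the getopt
# error text; it also used the Python-2-only ``except X, e`` form).
mls = False
mcs = False

try:
    opts, paths = getopt.getopt(sys.argv[1:], "mc", ["mls", "mcs"])
except getopt.GetoptError as error:
    sys.stderr.write("Invalid options: %s\n" % error)
    sys.exit(1)

for o, _ in opts:
    if o in ("-c", "--mcs"):
        mcs = True
    if o in ("-m", "--mls"):
        mls = True

if not paths:
    sys.stderr.write("Need a path for corenetwork.te.in!\n")
    sys.exit(1)
elif len(paths) > 1:
    # Only the first path is used; say so rather than silently dropping the rest.
    sys.stderr.write("Ignoring extra specified paths\n")

packets = parse_corenet(paths[0])
print_netfilter_config(packets, mls, mcs)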