e4bbd7cfa8
These are the tools that the Fedora team uses to build new policy. sepolgen is a console app that will take an executable and generate policy based on the RPM specification and using nm -D to analyze the application. We have found it very useful for generating quick policy to get the policy writer working quickly. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
750 lines
32 KiB
Python
750 lines
32 KiB
Python
#!/usr/bin/python -Es
|
|
#
|
|
# polgengui.py - GUI for SELinux Config tool in system-config-selinux
|
|
#
|
|
# Dan Walsh <dwalsh@redhat.com>
|
|
#
|
|
# Copyright (C) 2007-2011 Red Hat
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
#
|
|
import signal
|
|
import string
|
|
import gtk
|
|
import gtk.glade
|
|
import os
|
|
import gobject
|
|
import gnome
|
|
import sys
|
|
import polgen
|
|
import re
|
|
|
|
|
|
##
|
|
## I18N
|
|
##
|
|
PROGNAME="policycoreutils"
|
|
|
|
import gettext
|
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
|
gettext.textdomain(PROGNAME)
|
|
try:
|
|
gettext.install(PROGNAME,
|
|
localedir="/usr/share/locale",
|
|
unicode=False,
|
|
codeset = 'utf-8')
|
|
except IOError:
|
|
import __builtin__
|
|
__builtin__.__dict__['_'] = unicode
|
|
|
|
gnome.program_init("SELinux Policy Generation Tool", "5")
|
|
|
|
version = "1.0"
|
|
|
|
sys.path.append('/usr/share/system-config-selinux')
|
|
sys.path.append('.')
|
|
|
|
# From John Hunter http://www.daa.com.au/pipermail/pygtk/2003-February/004454.html
|
|
def foreach(model, path, iter, selected):
|
|
selected.append(model.get_value(iter, 0))
|
|
|
|
##
|
|
## Pull in the Glade file
|
|
##
|
|
if os.access("polgen.glade", os.F_OK):
|
|
xml = gtk.glade.XML ("polgen.glade", domain=PROGNAME)
|
|
else:
|
|
xml = gtk.glade.XML ("/usr/share/system-config-selinux/polgen.glade", domain=PROGNAME)
|
|
|
|
FILE = 1
|
|
DIR = 2
|
|
|
|
class childWindow:
|
|
START_PAGE = 0
|
|
SELECT_TYPE_PAGE = 0
|
|
APP_PAGE = 1
|
|
EXISTING_USER_PAGE = 2
|
|
TRANSITION_PAGE = 3
|
|
USER_TRANSITION_PAGE = 4
|
|
ADMIN_PAGE = 5
|
|
ROLE_PAGE = 6
|
|
IN_NET_PAGE = 7
|
|
OUT_NET_PAGE = 8
|
|
COMMON_APPS_PAGE = 9
|
|
FILES_PAGE = 10
|
|
BOOLEAN_PAGE = 11
|
|
SELECT_DIR_PAGE = 12
|
|
FINISH_PAGE = 12
|
|
|
|
def __init__(self):
|
|
self.xml = xml
|
|
self.notebook = xml.get_widget ("notebook")
|
|
self.label_dict = {}
|
|
self.tooltip_dict = {}
|
|
label = xml.get_widget ("select_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_user_roles_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_dir_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_domain_admin_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_in_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_out_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_common_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_manages_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("select_booleans_label")
|
|
self.label_dict[label] = label.get_text()
|
|
|
|
label = xml.get_widget ("existing_user_treeview")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("transition_treeview")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_tcp_all_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_tcp_reserved_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_tcp_unreserved_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_tcp_entry")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_udp_all_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_udp_reserved_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_udp_unreserved_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("in_udp_entry")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("out_tcp_entry")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("out_udp_entry")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("out_tcp_all_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("out_udp_all_checkbutton")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("boolean_treeview")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
label = xml.get_widget ("write_treeview")
|
|
self.tooltip_dict[label] = label.get_tooltip_text()
|
|
|
|
try:
|
|
self.all_types = polgen.get_all_types()
|
|
self.all_modules = polgen.get_all_modules()
|
|
self.all_roles = polgen.get_all_roles()
|
|
self.all_users = polgen.get_all_users()
|
|
except RuntimeError, e:
|
|
self.all_types = []
|
|
self.all_modules = []
|
|
self.all_roles = []
|
|
self.all_users = []
|
|
self.error(str(e))
|
|
|
|
self.name=""
|
|
xml.signal_connect("on_delete_clicked", self.delete)
|
|
xml.signal_connect("on_delete_boolean_clicked", self.delete_boolean)
|
|
xml.signal_connect("on_exec_select_clicked", self.exec_select)
|
|
xml.signal_connect("on_init_script_select_clicked", self.init_script_select)
|
|
xml.signal_connect("on_add_clicked", self.add)
|
|
xml.signal_connect("on_add_boolean_clicked", self.add_boolean)
|
|
xml.signal_connect("on_add_dir_clicked", self.add_dir)
|
|
xml.signal_connect("on_about_clicked", self.on_about_clicked)
|
|
xml.get_widget ("cancel_button").connect("clicked",self.quit)
|
|
self.forward_button = xml.get_widget ("forward_button")
|
|
self.forward_button.connect("clicked",self.forward)
|
|
self.back_button = xml.get_widget ("back_button")
|
|
self.back_button.connect("clicked",self.back)
|
|
|
|
self.boolean_dialog = xml.get_widget ("boolean_dialog")
|
|
self.boolean_name_entry = xml.get_widget ("boolean_name_entry")
|
|
self.boolean_description_entry = xml.get_widget ("boolean_description_entry")
|
|
|
|
self.pages={}
|
|
for i in polgen.USERS:
|
|
self.pages[i] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ]
|
|
self.pages[polgen.RUSER] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.ADMIN_PAGE, self.USER_TRANSITION_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ]
|
|
self.pages[polgen.LUSER] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ]
|
|
self.pages[polgen.SANDBOX] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE]
|
|
self.pages[polgen.EUSER] = [ self.SELECT_TYPE_PAGE, self.EXISTING_USER_PAGE, self.TRANSITION_PAGE, self.ROLE_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ]
|
|
|
|
for i in polgen.APPLICATIONS:
|
|
self.pages[i] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE]
|
|
self.pages[polgen.USER] = [ self.SELECT_TYPE_PAGE, self.APP_PAGE, self.USER_TRANSITION_PAGE, self.IN_NET_PAGE, self.OUT_NET_PAGE, self.COMMON_APPS_PAGE, self.FILES_PAGE, self.BOOLEAN_PAGE, self.SELECT_DIR_PAGE ]
|
|
|
|
self.current_page = 0
|
|
self.back_button.set_sensitive(0)
|
|
|
|
self.network_buttons = {}
|
|
|
|
self.in_tcp_all_checkbutton = xml.get_widget ("in_tcp_all_checkbutton")
|
|
self.in_tcp_reserved_checkbutton = xml.get_widget ("in_tcp_reserved_checkbutton")
|
|
self.in_tcp_unreserved_checkbutton = xml.get_widget ("in_tcp_unreserved_checkbutton")
|
|
self.in_tcp_entry = self.xml.get_widget("in_tcp_entry")
|
|
self.network_buttons[self.in_tcp_all_checkbutton] = [ self.in_tcp_reserved_checkbutton, self.in_tcp_unreserved_checkbutton, self.in_tcp_entry ]
|
|
|
|
|
|
self.out_tcp_all_checkbutton = xml.get_widget ("out_tcp_all_checkbutton")
|
|
self.out_tcp_reserved_checkbutton = xml.get_widget ("out_tcp_reserved_checkbutton")
|
|
self.out_tcp_unreserved_checkbutton = xml.get_widget ("out_tcp_unreserved_checkbutton")
|
|
self.out_tcp_entry = self.xml.get_widget("out_tcp_entry")
|
|
|
|
self.network_buttons[self.out_tcp_all_checkbutton] = [ self.out_tcp_entry ]
|
|
|
|
self.in_udp_all_checkbutton = xml.get_widget ("in_udp_all_checkbutton")
|
|
self.in_udp_reserved_checkbutton = xml.get_widget ("in_udp_reserved_checkbutton")
|
|
self.in_udp_unreserved_checkbutton = xml.get_widget ("in_udp_unreserved_checkbutton")
|
|
self.in_udp_entry = self.xml.get_widget("in_udp_entry")
|
|
|
|
self.network_buttons[self.in_udp_all_checkbutton] = [ self.in_udp_reserved_checkbutton, self.in_udp_unreserved_checkbutton, self.in_udp_entry ]
|
|
|
|
self.out_udp_all_checkbutton = xml.get_widget ("out_udp_all_checkbutton")
|
|
self.out_udp_entry = self.xml.get_widget("out_udp_entry")
|
|
self.network_buttons[self.out_udp_all_checkbutton] = [ self.out_udp_entry ]
|
|
|
|
for b in self.network_buttons.keys():
|
|
b.connect("clicked",self.network_all_clicked)
|
|
|
|
self.boolean_treeview = self.xml.get_widget("boolean_treeview")
|
|
self.boolean_store = gtk.ListStore(gobject.TYPE_STRING,gobject.TYPE_STRING)
|
|
self.boolean_treeview.set_model(self.boolean_store)
|
|
self.boolean_store.set_sort_column_id(0, gtk.SORT_ASCENDING)
|
|
col = gtk.TreeViewColumn(_("Name"), gtk.CellRendererText(), text = 0)
|
|
self.boolean_treeview.append_column(col)
|
|
col = gtk.TreeViewColumn(_("Description"), gtk.CellRendererText(), text = 1)
|
|
self.boolean_treeview.append_column(col)
|
|
|
|
self.role_treeview = self.xml.get_widget("role_treeview")
|
|
self.role_store = gtk.ListStore(gobject.TYPE_STRING)
|
|
self.role_treeview.set_model(self.role_store)
|
|
self.role_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE)
|
|
self.role_store.set_sort_column_id(0, gtk.SORT_ASCENDING)
|
|
col = gtk.TreeViewColumn(_("Role"), gtk.CellRendererText(), text = 0)
|
|
self.role_treeview.append_column(col)
|
|
|
|
self.existing_user_treeview = self.xml.get_widget("existing_user_treeview")
|
|
self.existing_user_store = gtk.ListStore(gobject.TYPE_STRING)
|
|
self.existing_user_treeview.set_model(self.existing_user_store)
|
|
self.existing_user_store.set_sort_column_id(0, gtk.SORT_ASCENDING)
|
|
col = gtk.TreeViewColumn(_("Existing_User"), gtk.CellRendererText(), text = 0)
|
|
self.existing_user_treeview.append_column(col)
|
|
|
|
for i in self.all_roles:
|
|
iter = self.role_store.append()
|
|
self.role_store.set_value(iter, 0, i[:-2])
|
|
|
|
self.in_tcp_reserved_checkbutton = xml.get_widget ("in_tcp_reserved_checkbutton")
|
|
|
|
self.transition_treeview = self.xml.get_widget("transition_treeview")
|
|
self.transition_store = gtk.ListStore(gobject.TYPE_STRING)
|
|
self.transition_treeview.set_model(self.transition_store)
|
|
self.transition_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE)
|
|
self.transition_store.set_sort_column_id(0, gtk.SORT_ASCENDING)
|
|
col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0)
|
|
self.transition_treeview.append_column(col)
|
|
|
|
self.user_transition_treeview = self.xml.get_widget("user_transition_treeview")
|
|
self.user_transition_store = gtk.ListStore(gobject.TYPE_STRING)
|
|
self.user_transition_treeview.set_model(self.user_transition_store)
|
|
self.user_transition_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE)
|
|
self.user_transition_store.set_sort_column_id(0, gtk.SORT_ASCENDING)
|
|
col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0)
|
|
self.user_transition_treeview.append_column(col)
|
|
|
|
for i in self.all_users:
|
|
iter = self.user_transition_store.append()
|
|
self.user_transition_store.set_value(iter, 0, i[:-2])
|
|
iter = self.existing_user_store.append()
|
|
self.existing_user_store.set_value(iter, 0, i[:-2])
|
|
|
|
self.admin_treeview = self.xml.get_widget("admin_treeview")
|
|
self.admin_store = gtk.ListStore(gobject.TYPE_STRING)
|
|
self.admin_treeview.set_model(self.admin_store)
|
|
self.admin_treeview.get_selection().set_mode(gtk.SELECTION_MULTIPLE)
|
|
self.admin_store.set_sort_column_id(0, gtk.SORT_ASCENDING)
|
|
col = gtk.TreeViewColumn(_("Application"), gtk.CellRendererText(), text = 0)
|
|
self.admin_treeview.append_column(col)
|
|
|
|
for i in polgen.methods:
|
|
m = re.findall("(.*)%s" % polgen.USER_TRANSITION_INTERFACE, i)
|
|
if len(m) > 0:
|
|
if "%s_exec_t" % m[0] in self.all_types:
|
|
iter = self.transition_store.append()
|
|
self.transition_store.set_value(iter, 0, m[0])
|
|
continue
|
|
|
|
m = re.findall("(.*)%s" % polgen.ADMIN_TRANSITION_INTERFACE, i)
|
|
if len(m) > 0:
|
|
iter = self.admin_store.append()
|
|
self.admin_store.set_value(iter, 0, m[0])
|
|
continue
|
|
|
|
def confine_application(self):
|
|
return self.get_type() in polgen.APPLICATIONS
|
|
|
|
def forward(self, arg):
|
|
type = self.get_type()
|
|
if self.current_page == self.START_PAGE:
|
|
self.back_button.set_sensitive(1)
|
|
|
|
if self.pages[type][self.current_page] == self.SELECT_TYPE_PAGE:
|
|
if self.on_select_type_page_next():
|
|
return
|
|
|
|
if self.pages[type][self.current_page] == self.IN_NET_PAGE:
|
|
if self.on_in_net_page_next():
|
|
return
|
|
|
|
if self.pages[type][self.current_page] == self.OUT_NET_PAGE:
|
|
if self.on_out_net_page_next():
|
|
return
|
|
|
|
if self.pages[type][self.current_page] == self.APP_PAGE:
|
|
if self.on_name_page_next():
|
|
return
|
|
|
|
if self.pages[type][self.current_page] == self.EXISTING_USER_PAGE:
|
|
if self.on_existing_user_page_next():
|
|
return
|
|
|
|
if self.pages[type][self.current_page] == self.SELECT_DIR_PAGE:
|
|
outputdir = self.output_entry.get_text()
|
|
if not os.path.isdir(outputdir):
|
|
self.error(_("%s must be a directory") % outputdir )
|
|
return False
|
|
|
|
if self.pages[type][self.current_page] == self.FINISH_PAGE:
|
|
self.generate_policy()
|
|
self.xml.get_widget ("cancel_button").set_label(gtk.STOCK_CLOSE)
|
|
else:
|
|
self.current_page = self.current_page + 1
|
|
self.notebook.set_current_page(self.pages[type][self.current_page])
|
|
if self.pages[type][self.current_page] == self.FINISH_PAGE:
|
|
self.forward_button.set_label(gtk.STOCK_APPLY)
|
|
|
|
def back(self,arg):
|
|
type = self.get_type()
|
|
if self.pages[type][self.current_page] == self.FINISH_PAGE:
|
|
self.forward_button.set_label(gtk.STOCK_GO_FORWARD)
|
|
|
|
self.current_page = self.current_page - 1
|
|
self.notebook.set_current_page(self.pages[type][self.current_page])
|
|
if self.pages[type][self.current_page] == self.START_PAGE:
|
|
self.back_button.set_sensitive(0)
|
|
|
|
def network_all_clicked(self, button):
|
|
active = button.get_active()
|
|
for b in self.network_buttons[button]:
|
|
b.set_sensitive(not active)
|
|
|
|
def verify(self, message, title="" ):
|
|
dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
|
|
gtk.BUTTONS_YES_NO,
|
|
message)
|
|
dlg.set_title(title)
|
|
dlg.set_position(gtk.WIN_POS_MOUSE)
|
|
dlg.show_all()
|
|
rc = dlg.run()
|
|
dlg.destroy()
|
|
return rc
|
|
|
|
def info(self, message):
|
|
dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
|
|
gtk.BUTTONS_OK,
|
|
message)
|
|
dlg.set_position(gtk.WIN_POS_MOUSE)
|
|
dlg.show_all()
|
|
dlg.run()
|
|
dlg.destroy()
|
|
|
|
def error(self, message):
|
|
dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_ERROR,
|
|
gtk.BUTTONS_CLOSE,
|
|
message)
|
|
dlg.set_position(gtk.WIN_POS_MOUSE)
|
|
dlg.show_all()
|
|
dlg.run()
|
|
dlg.destroy()
|
|
|
|
def get_name(self):
|
|
if self.existing_user_radiobutton.get_active():
|
|
store, iter = self.existing_user_treeview.get_selection().get_selected()
|
|
if iter == None:
|
|
raise ValueError(_("You must select a user"))
|
|
return store.get_value(iter, 0)
|
|
else:
|
|
return self.name_entry.get_text()
|
|
|
|
def get_type(self):
|
|
if self.sandbox_radiobutton.get_active():
|
|
return polgen.SANDBOX
|
|
if self.cgi_radiobutton.get_active():
|
|
return polgen.CGI
|
|
if self.user_radiobutton.get_active():
|
|
return polgen.USER
|
|
if self.init_radiobutton.get_active():
|
|
return polgen.DAEMON
|
|
if self.dbus_radiobutton.get_active():
|
|
return polgen.DBUS
|
|
if self.inetd_radiobutton.get_active():
|
|
return polgen.INETD
|
|
if self.login_user_radiobutton.get_active():
|
|
return polgen.LUSER
|
|
if self.admin_user_radiobutton.get_active():
|
|
return polgen.AUSER
|
|
if self.xwindows_user_radiobutton.get_active():
|
|
return polgen.XUSER
|
|
if self.terminal_user_radiobutton.get_active():
|
|
return polgen.TUSER
|
|
if self.root_user_radiobutton.get_active():
|
|
return polgen.RUSER
|
|
if self.existing_user_radiobutton.get_active():
|
|
return polgen.EUSER
|
|
|
|
def generate_policy(self, *args):
|
|
outputdir = self.output_entry.get_text()
|
|
try:
|
|
my_policy=polgen.policy(self.get_name(), self.get_type())
|
|
|
|
iter= self.boolean_store.get_iter_first()
|
|
while(iter):
|
|
my_policy.add_boolean(self.boolean_store.get_value(iter, 0), self.boolean_store.get_value(iter, 1))
|
|
iter= self.boolean_store.iter_next(iter)
|
|
|
|
if self.get_type() in polgen.APPLICATIONS:
|
|
my_policy.set_program(self.exec_entry.get_text())
|
|
my_policy.gen_symbols()
|
|
|
|
my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1)
|
|
my_policy.set_use_tmp(self.tmp_checkbutton.get_active() == 1)
|
|
my_policy.set_use_uid(self.uid_checkbutton.get_active() == 1)
|
|
my_policy.set_use_pam(self.pam_checkbutton.get_active() == 1)
|
|
|
|
my_policy.set_use_dbus(self.dbus_checkbutton.get_active() == 1)
|
|
my_policy.set_use_audit(self.audit_checkbutton.get_active() == 1)
|
|
my_policy.set_use_terminal(self.terminal_checkbutton.get_active() == 1)
|
|
my_policy.set_use_mail(self.mail_checkbutton.get_active() == 1)
|
|
if self.get_type() is polgen.DAEMON:
|
|
my_policy.set_init_script(self.init_script_entry.get_text())
|
|
if self.get_type() == polgen.USER:
|
|
selected = []
|
|
self.user_transition_treeview.get_selection().selected_foreach(foreach, selected)
|
|
my_policy.set_transition_users(selected)
|
|
else:
|
|
if self.get_type() == polgen.RUSER:
|
|
selected = []
|
|
self.admin_treeview.get_selection().selected_foreach(foreach, selected)
|
|
my_policy.set_admin_domains(selected)
|
|
selected = []
|
|
self.user_transition_treeview.get_selection().selected_foreach(foreach, selected)
|
|
my_policy.set_transition_users(selected)
|
|
else:
|
|
selected = []
|
|
self.transition_treeview.get_selection().selected_foreach(foreach, selected)
|
|
my_policy.set_transition_domains(selected)
|
|
|
|
selected = []
|
|
self.role_treeview.get_selection().selected_foreach(foreach, selected)
|
|
my_policy.set_admin_roles(selected)
|
|
|
|
my_policy.set_in_tcp(self.in_tcp_all_checkbutton.get_active(), self.in_tcp_reserved_checkbutton.get_active(), self.in_tcp_unreserved_checkbutton.get_active(), self.in_tcp_entry.get_text())
|
|
my_policy.set_in_udp(self.in_udp_all_checkbutton.get_active(), self.in_udp_reserved_checkbutton.get_active(), self.in_udp_unreserved_checkbutton.get_active(), self.in_udp_entry.get_text())
|
|
my_policy.set_out_tcp(self.out_tcp_all_checkbutton.get_active(), self.out_tcp_entry.get_text())
|
|
my_policy.set_out_udp(self.out_udp_all_checkbutton.get_active(), self.out_udp_entry.get_text())
|
|
|
|
iter= self.store.get_iter_first()
|
|
while(iter):
|
|
if self.store.get_value(iter, 1) == FILE:
|
|
my_policy.add_file(self.store.get_value(iter, 0))
|
|
else:
|
|
my_policy.add_dir(self.store.get_value(iter, 0))
|
|
iter= self.store.iter_next(iter)
|
|
|
|
self.info(my_policy.generate(outputdir))
|
|
return False
|
|
except ValueError, e:
|
|
self.error(e.message)
|
|
|
|
def delete(self, args):
|
|
store, iter = self.view.get_selection().get_selected()
|
|
if iter != None:
|
|
store.remove(iter)
|
|
self.view.get_selection().select_path ((0,))
|
|
|
|
def delete_boolean(self, args):
|
|
store, iter = self.boolean_treeview.get_selection().get_selected()
|
|
if iter != None:
|
|
store.remove(iter)
|
|
self.boolean_treeview.get_selection().select_path ((0,))
|
|
|
|
def add_boolean(self,type):
|
|
self.boolean_name_entry.set_text("")
|
|
self.boolean_description_entry.set_text("")
|
|
rc = self.boolean_dialog.run()
|
|
self.boolean_dialog.hide()
|
|
if rc == gtk.RESPONSE_CANCEL:
|
|
return
|
|
iter = self.boolean_store.append()
|
|
self.boolean_store.set_value(iter, 0, self.boolean_name_entry.get_text())
|
|
self.boolean_store.set_value(iter, 1, self.boolean_description_entry.get_text())
|
|
|
|
def __add(self,type):
|
|
rc = self.file_dialog.run()
|
|
self.file_dialog.hide()
|
|
if rc == gtk.RESPONSE_CANCEL:
|
|
return
|
|
for i in self.file_dialog.get_filenames():
|
|
iter = self.store.append()
|
|
self.store.set_value(iter, 0, i)
|
|
self.store.set_value(iter, 1, type)
|
|
|
|
def exec_select(self, args):
|
|
self.file_dialog.set_select_multiple(0)
|
|
self.file_dialog.set_title(_("Select executable file to be confined."))
|
|
self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN)
|
|
self.file_dialog.set_current_folder("/usr/sbin")
|
|
rc = self.file_dialog.run()
|
|
self.file_dialog.hide()
|
|
if rc == gtk.RESPONSE_CANCEL:
|
|
return
|
|
self.exec_entry.set_text(self.file_dialog.get_filename())
|
|
|
|
def init_script_select(self, args):
|
|
self.file_dialog.set_select_multiple(0)
|
|
self.file_dialog.set_title(_("Select init script file to be confined."))
|
|
self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN)
|
|
self.file_dialog.set_current_folder("/etc/rc.d/init.d")
|
|
rc = self.file_dialog.run()
|
|
self.file_dialog.hide()
|
|
if rc == gtk.RESPONSE_CANCEL:
|
|
return
|
|
self.init_script_entry.set_text(self.file_dialog.get_filename())
|
|
|
|
def add(self, args):
|
|
self.file_dialog.set_title(_("Select file(s) that confined application creates or writes"))
|
|
self.file_dialog.set_current_folder("/")
|
|
self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_OPEN)
|
|
self.file_dialog.set_select_multiple(1)
|
|
self.__add(FILE)
|
|
|
|
def add_dir(self, args):
|
|
self.file_dialog.set_title(_("Select directory(s) that the confined application owns and writes into"))
|
|
self.file_dialog.set_current_folder("/")
|
|
self.file_dialog.set_select_multiple(1)
|
|
self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SELECT_FOLDER)
|
|
self.__add(DIR)
|
|
|
|
def on_about_clicked(self, args):
|
|
dlg = xml.get_widget ("about_dialog")
|
|
dlg.run ()
|
|
dlg.hide ()
|
|
|
|
def quit(self, args):
|
|
gtk.main_quit()
|
|
|
|
def setupScreen(self):
|
|
# Bring in widgets from glade file.
|
|
self.mainWindow = self.xml.get_widget("main_window")
|
|
self.druid = self.xml.get_widget("druid")
|
|
self.type = 0
|
|
self.name_entry = self.xml.get_widget("name_entry")
|
|
self.name_entry.connect("insert_text",self.on_name_entry_changed)
|
|
self.name_entry.connect("focus_out_event",self.on_focus_out_event)
|
|
self.exec_entry = self.xml.get_widget("exec_entry")
|
|
self.exec_button = self.xml.get_widget("exec_button")
|
|
self.init_script_entry = self.xml.get_widget("init_script_entry")
|
|
self.init_script_button = self.xml.get_widget("init_script_button")
|
|
self.output_entry = self.xml.get_widget("output_entry")
|
|
self.output_entry.set_text(os.getcwd())
|
|
self.xml.get_widget("output_button").connect("clicked",self.output_button_clicked)
|
|
|
|
self.xwindows_user_radiobutton = self.xml.get_widget("xwindows_user_radiobutton")
|
|
self.terminal_user_radiobutton = self.xml.get_widget("terminal_user_radiobutton")
|
|
self.root_user_radiobutton = self.xml.get_widget("root_user_radiobutton")
|
|
self.login_user_radiobutton = self.xml.get_widget("login_user_radiobutton")
|
|
self.admin_user_radiobutton = self.xml.get_widget("admin_user_radiobutton")
|
|
self.existing_user_radiobutton = self.xml.get_widget("existing_user_radiobutton")
|
|
|
|
self.user_radiobutton = self.xml.get_widget("user_radiobutton")
|
|
self.init_radiobutton = self.xml.get_widget("init_radiobutton")
|
|
self.inetd_radiobutton = self.xml.get_widget("inetd_radiobutton")
|
|
self.dbus_radiobutton = self.xml.get_widget("dbus_radiobutton")
|
|
self.cgi_radiobutton = self.xml.get_widget("cgi_radiobutton")
|
|
self.sandbox_radiobutton = self.xml.get_widget("sandbox_radiobutton")
|
|
self.tmp_checkbutton = self.xml.get_widget("tmp_checkbutton")
|
|
self.uid_checkbutton = self.xml.get_widget("uid_checkbutton")
|
|
self.pam_checkbutton = self.xml.get_widget("pam_checkbutton")
|
|
self.dbus_checkbutton = self.xml.get_widget("dbus_checkbutton")
|
|
self.audit_checkbutton = self.xml.get_widget("audit_checkbutton")
|
|
self.terminal_checkbutton = self.xml.get_widget("terminal_checkbutton")
|
|
self.mail_checkbutton = self.xml.get_widget("mail_checkbutton")
|
|
self.syslog_checkbutton = self.xml.get_widget("syslog_checkbutton")
|
|
self.view = self.xml.get_widget("write_treeview")
|
|
self.file_dialog = self.xml.get_widget("filechooserdialog")
|
|
|
|
self.store = gtk.ListStore(gobject.TYPE_STRING, gobject.TYPE_INT)
|
|
self.view.set_model(self.store)
|
|
col = gtk.TreeViewColumn("", gtk.CellRendererText(), text = 0)
|
|
col.set_resizable(True)
|
|
self.view.append_column(col)
|
|
self.view.get_selection().select_path ((0,))
|
|
|
|
def output_button_clicked(self, *args):
|
|
self.file_dialog.set_title(_("Select directory to generate policy files in"))
|
|
self.file_dialog.set_action(gtk.FILE_CHOOSER_ACTION_SELECT_FOLDER)
|
|
self.file_dialog.set_select_multiple(0)
|
|
rc = self.file_dialog.run()
|
|
self.file_dialog.hide()
|
|
if rc == gtk.RESPONSE_CANCEL:
|
|
return
|
|
self.output_entry.set_text(self.file_dialog.get_filename())
|
|
|
|
def on_name_entry_changed(self, entry, text, size, position):
|
|
if text.find(" ") >= 0:
|
|
entry.emit_stop_by_name("insert_text")
|
|
|
|
def on_focus_out_event(self, entry, third):
|
|
name = entry.get_text()
|
|
if self.name != name:
|
|
if name in self.all_types:
|
|
if self.verify(_("Type %s_t already defined in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
|
|
entry.set_text("")
|
|
return False
|
|
if name in self.all_modules:
|
|
if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
|
|
entry.set_text("")
|
|
return False
|
|
|
|
file = "/etc/rc.d/init.d/" + name
|
|
if os.path.isfile(file) and self.init_script_entry.get_text() == "":
|
|
self.init_script_entry.set_text(file)
|
|
|
|
file = "/usr/sbin/" + name
|
|
if os.path.isfile(file) and self.exec_entry.get_text() == "":
|
|
self.exec_entry.set_text(file)
|
|
|
|
self.name = name
|
|
return False
|
|
|
|
def on_in_net_page_next(self, *args):
|
|
try:
|
|
polgen.verify_ports(self.in_tcp_entry.get_text())
|
|
polgen.verify_ports(self.in_udp_entry.get_text())
|
|
except ValueError, e:
|
|
self.error(e.message)
|
|
return True
|
|
|
|
def on_out_net_page_next(self, *args):
|
|
try:
|
|
polgen.verify_ports(self.out_tcp_entry.get_text())
|
|
polgen.verify_ports(self.out_udp_entry.get_text())
|
|
except ValueError, e:
|
|
self.error(e.message)
|
|
return True
|
|
|
|
def on_select_type_page_next(self, *args):
|
|
self.exec_entry.set_sensitive(self.confine_application())
|
|
self.exec_button.set_sensitive(self.confine_application())
|
|
self.init_script_entry.set_sensitive(self.init_radiobutton.get_active())
|
|
self.init_script_button.set_sensitive(self.init_radiobutton.get_active())
|
|
|
|
def on_existing_user_page_next(self, *args):
|
|
store, iter = self.view.get_selection().get_selected()
|
|
if iter != None:
|
|
self.error(_("You must select a user"))
|
|
return True
|
|
|
|
def on_name_page_next(self, *args):
|
|
name=self.name_entry.get_text()
|
|
if not name.isalnum():
|
|
self.error(_("You must add a name made up of letters and numbers and containing no spaces."))
|
|
return True
|
|
|
|
for i in self.label_dict:
|
|
text = '<b>%s</b>' % (self.label_dict[i] % ("'" + name + "'"))
|
|
i.set_markup(text)
|
|
|
|
for i in self.tooltip_dict:
|
|
text = self.tooltip_dict[i] % ("'" + name + "'")
|
|
i.set_tooltip_text(text)
|
|
|
|
if self.confine_application():
|
|
exe = self.exec_entry.get_text()
|
|
if exe == "":
|
|
self.error(_("You must enter a executable"))
|
|
return True
|
|
policy=polgen.policy(name, self.get_type())
|
|
policy.set_program(exe)
|
|
policy.gen_writeable()
|
|
policy.gen_symbols()
|
|
for f in policy.files.keys():
|
|
iter = self.store.append()
|
|
self.store.set_value(iter, 0, f)
|
|
self.store.set_value(iter, 1, FILE)
|
|
|
|
for f in policy.dirs.keys():
|
|
iter = self.store.append()
|
|
self.store.set_value(iter, 0, f)
|
|
self.store.set_value(iter, 1, DIR)
|
|
self.tmp_checkbutton.set_active(policy.use_tmp)
|
|
self.uid_checkbutton.set_active(policy.use_uid)
|
|
self.pam_checkbutton.set_active(policy.use_pam)
|
|
self.dbus_checkbutton.set_active(policy.use_dbus)
|
|
self.audit_checkbutton.set_active(policy.use_audit)
|
|
self.terminal_checkbutton.set_active(policy.use_terminal)
|
|
self.mail_checkbutton.set_active(policy.use_mail)
|
|
self.syslog_checkbutton.set_active(policy.use_syslog)
|
|
|
|
def stand_alone(self):
|
|
desktopName = _("Configue SELinux")
|
|
|
|
self.setupScreen()
|
|
self.mainWindow.connect("destroy", self.quit)
|
|
|
|
self.mainWindow.show_all()
|
|
gtk.main()
|
|
|
|
if __name__ == "__main__":
|
|
signal.signal (signal.SIGINT, signal.SIG_DFL)
|
|
|
|
app = childWindow()
|
|
app.stand_alone()
|