KGRKJGETMRETU895U-589TY5MIGM5JGB5SDFESFREWTGR54TY
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17
System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64
User : nobody ( 99)
PHP Version : 5.2.17
Disable Function : NONE
Directory :  /proc/21573/root/usr/lib/python2.4/site-packages/setroubleshoot/


 

Current File : //proc/21573/root/usr/lib/python2.4/site-packages/setroubleshoot/audit_data.pyo
m
3Uc@sDddddddddgZdkZdkZdkZdkZdkZdkZd	kTd	kTd	k	Td	k
Td	kTeZ
d
ZdZeidZd
ZeidZdZdefdYZdefdYZdefdYZdfdYZdefdYZdfdYZdS(tderive_record_formattparse_audit_record_textt
AvcContexttAVCtAuditEventIDt
AuditEventtAuditRecordtAuditRecordReaderN(t*cCs.t|\}}}}t|||}|S(N(Rttexttparse_succeededtrecord_typetevent_idt	body_textRtaudit_record(R	R
R
RRR((t=/usr/lib/python2.4/site-packages/setroubleshoot/audit_data.pytaudit_record_from_text3scCsCtid|otiSntid|otiSntiS(Ns/audispd_events$s/audit_events$(tretsearchtsocket_pathRtTEXT_FORMATt
BINARY_FORMAT(R((RR:s
sL(host=(\S+)\s+)?(type=(\S+)\s+)?(msg=)?audit\(((\d+)\.(\d+):(\d+))\):\s*(.*)c
Cst}d}d}d}d}ti|}	|	dj	ot}|	ido|	id}n|	ido|	id}n|	idoXt
|	id}t
|	id}t
|	id}t||||}n|	id}n||||fS(Niiiiii	i
(tFalseR
tNonethostRRR
taudit_input_reRtinputtmatchtTruetgrouptinttsecondstmillitserialR(
RR
R
RRRRR R!R((RRSs&
s%audit\(((\d+)\.(\d+):(\d+))\):\s*(.*)cCst}d}d}ti|}|dj	o~t	}|i
doUt|i
d}t|i
d}t|i
d}t|||}n|i
d}n|||fS(Niiiii(RR
RRR
taudit_binary_input_reRRRRRRRR R!R(RR
R
RRR R!R((Rtparse_audit_binary_textps
cBstZhdhdd<<dhdd<<dhdd<<dhdd<<ZdZdZd	Zd
ZdZRS(NtusertXMLFormt	attributetrolettypetmlscCstt|it|tjo|id}t	|djoa|d|_
|d|_|d|_t	|djodi|d|_
qd|_
qndS(Nt:iiiits0(tsuperRtselft__init__R(tdatat
StringTypetsplittfieldstlenR$R'tjoinR)(R-R/R2((RR.s


cCs d|i|i|i|ifS(Ns%s:%s:%s:%s(R-R$R'R(R)(R-((Rt__str__scCstit|\}}|S(N(tselinuxtselinux_raw_to_trans_contexttstrR-trcttrans(R-R:R9((RtformatscCs|i|S(N(R-t__eq__tother(R-R=((Rt__ne__scCsEx>|iiD]-}t||t||jotSqqWtS(N(R-t	_xml_infotkeystnametgetattrR=RR(R-R=RA((RR<s
(t__name__t
__module__R?R.R5R;R>R<(((RRsN	
			cBstZhdhdd<de<<dhdd<de<<dhdd<de<<dhdd<<ZddZd	Zd
ZdZe	dZ
d
ZdZRS(NRR%R&timport_typecastR R!RcCsLtt|i||_||_||_|dj	o
||_ndS(N(	R,RR-R.RR R!RR(R-RR R!R((RR.s			
cCsp|i|ijotSn|i|ijotSn|i|ijotSn|i|ijotSntS(N(R-RR=RRR R!R(R-R=((RR<scCs|i|ijo)td|ii|i|ifnt|i|i}|djo|Snt|i	|i	}|djo|Snt|i
|i
}|djo|SndS(Ns?cannot compare two %s objects whose host values differ (%s!=%s)i(R-RR=t
ValueErrort	__class__RCtcmpRtresultR R!(R-R=RI((Rt__cmp__s)


cCs
ti|S(N(tcopyR-(R-((RRKscCst|i|idS(Nf1000.0(tfloatR-tsecR (R-((Rt<lambda>scCsd|i|i|ifS(Nsaudit(%d.%d:%d)(R-RR R!(R-((RR5scCsL|idjotSn|idjotSn|idjotSntS(N(R-RRRR R!R(R-((Rtis_valids(
RCRDRR?RR.R<RJRKtpropertyttimeR5RO(((RRsi				cBs+tZhdhdd<<dhdd<de<<dhdd<<dhdd<de<<Zd	Zd
ZeieZ	e
idZe
idZ
e
id
ZdddZdZdZdZdZdZdZdZdZdZdZdZdZRS(NRR%R&RtelementRER
tline_numberitiiiis([^ 	]+)\s*=\s*([^ 	]+)s$avc:\s+([^\s]+)\s+{([^}]+)}\s+for\s+s^a\d+$cCsNtt|i||_||_||_||_||_|i	dS(N(
R,RR-R.RRR
R2RSt_init_postprocess(R-RRR
R2RS((RR.s					cCst|dddjo|i|in|iddgjoy|iidpbti	i
|i}|oB|id}||id<|id}|i|id<qqndS(NR2RtUSER_AVCtseresultiitseperms(RBR-Rtset_fields_from_textR
RR2thas_keyRtavc_reRRRRWRXR1(R-RWRXR((RRUs
cCs
|iS(N(R-tto_host_text(R-((RR5scCs3d|_|iidjot|i_ndS(N(RR-RSRRtget_hostname(R-((Rtaudispd_rectifys	cCsL|iiptSn|idjotSn|idjotSntS(N(R-RRORRRtmessageR(R-((RROscCsddddddddd	d
ddd
dddg}xo|D]g}|ii|oN|idjo|djoq=n|i|}t|}||i|<q=q=W|idjoax^|ii	D]I\}}|i
i|o*|i|}t|}||i|<qqWndS(NtaccttcmdtcommtcwdR/tdirtexetfileRtkeytmsgRAtnewtocommoldtpathtwatchRtsaddrtEXECVE(tencoded_fieldstfieldR-R2RZRtvaluetaudit_msg_decodet
decoded_valuetitemstexec_arg_reR(R-RoRqRpRs((Rt
decode_fieldss 6

cCsdh|_xTtii|D]@}|id}|id}|i
d}||i|<qWdS(Niit"(R-R2Rtkey_value_pair_retfinditerR
RRRgRqtstrip(R-R
RqRgR((RRY.s	cCs|ii|S(N(R-R2tgetRA(R-RA((Rt	get_field7scCs1t|}titititi|i
|S(N(R3Rht
msg_lengthtstructtpackRtbinary_header_formattbinary_versiontbinary_header_sizeR-R(R-RhR}((Rtget_binary_header:scCsj|idjodSn|ii}|idig}|D]}|d||i|fqB~S(Ntt s%s=%s(R-R2RR@tsortR4t_[1]tk(R-R@RR((Rtfields_to_text?s

cCsd|i|i|ifS(Nstype=%s msg=%s: %s
(R-RRR
(R-((Rtto_textEscCsH|iidj	o'd|ii|i|i|ifSn|iSdS(Nshost=%s type=%s msg=%s: %s
(R-RRRRR
R(R-((RR\Hs'cCs'd|i|if}|i||S(Ns%s: %s(R-RR
trecordR(R-R((Rt	to_binaryOs(RCRDRRR?RRR~tcalcsizeRRtcompileRxR[RuRR.RUR5R^RORvRYR|RRRR\R(((RRs(`
												cBs/tZdZdZdZdZdZRS(NiicCs||_d|_d|_|i|ijo|i|_n@|i|ijo|i|_nt	d||i
ifdS(NRis unknown record format (%s) in %s(t
record_formatR-t
_input_bufferRSRt	feed_texttfeedRtfeed_binaryRFRGRC(R-R((RR.Ys			ccst|djodSn|i|7_xtot|itijodSntiti	|idti!\}}
}}ti|}t|i|jodSn|iti|!}	t|	\}}}|i||_|o ti|||ddfVq-q-WdS(Ni(R3tnew_dataR-RRRRR~tunpackRRRR}t	total_lenR	R#R
RR
taudittaudit_msg_type_to_nameR(R-RR
RRRR
R}RR	R((RRes$"
%c	cst|djodSn|i|7_d}|iid|}x|djo|id7_|d7}|i||!}t	|\}}}}|o|||d|ifVn|}|iid|}qHW|i||_dS(Nis
i(R3RR-RtstarttfindtendRStlineRR
RRR
R(	R-RR
RRRR
RR((RRs"

(RCRDRRR.RR(((RRUs
		!cBstZhdhdd<dd<de<<dhdd<de<<ZdZd	Zd
ZddZd
Z	e
dZdZdZ
ddZdZdZdZdZdZRS(NtrecordsR%RRtlistRRERcCs2tt|id|_g|_h|_dS(N(R,RR-R.RRRtrecord_types(R-((RR.s		cCsKt|dddjo
h|_nx|iD]}|i|q0WdS(NR(RBR-RRRRtprocess_record(R-R((RRUs


cCs|i}|id|i|i|idig}|D]}|t	|q?~dig}|i
D]}|d|qo~fS(Ns2%s: is_avc=%s, is_granted=%s: line_numbers=[%s]
%st,s
s    %s(R-tline_numbersRRtis_avct
is_grantedR4RtxR8RR(R-RRRR((RR5s	
s
cCs1|ig}|iD]}|t|q~S(N(t	separatorR4RR-RRR8(R-RRR((RR;scCs
t|iS(N(R3R-R(R-((Rtnum_recordsscCs3g}|iD]}|io||iqq~S(N(RR-RRRS(R-RR((RRNscCs!|ii||i|dS(N(R-RtappendRR(R-R((Rt
add_recordscCs|idjo9|ii|_t|ii|iid|_n4|i|ijp t	d|i|ifn|i
i|ig}|i|dS(Nf1000.0sBcannot add audit record to audit event, event_id mismatch %s != %s(R-RRRRKRLRR t	timestampRFRt
setdefaultRtrecord_listR(R-RR((RRs' cCsg}|djo
|i}n|i|}xJ|D]B}|ii|}|djoq6n|i||ifq6W|S(sNReturn list of (value, record_type) tuples.
        In other words return the value matching name for every record_type.
        If record_type is not specified then all records are searched.
        Note: it is possible to have more than one record of a given type
        thus it is always possible to have multiple values returned.N(
RtRRR-Rtget_records_of_typeRR2R{RARqRR((R-RARRRtRqR((RR|s


cCs1d}|ii|}|o|d}n|S(Ni(RRR-RR{R(R(R-R(RR((Rtget_record_of_types
cCs|ii|gS(N(R-RR{R((R-R(((RRscCs-|id}|p|id}n|S(NRRV(R-RR(R-R((Rtget_avc_recordscCs|idj	S(N(R-RR(R-((RRscCso|i}|djotSn|id}|djotSn|djotSnti	i
d|tS(NRWtdeniedtgranteds!unknown value for seresult ('%s')(R-Rt
avc_recordRRR2RWRtlogtavctwarn(R-RWR((RRs



(RCRDRRR?R.RUR5R;RRPRRRRR|RRRRR(((RRsE										cBs/tZdgZddgZddddgZdddddgZdddddgZdddd	gZd
dddddd	gZd
dddddddddd	gZ	dddd
dgZ
dddd
ddddgZdddd
dddgZd
dddddddd	d
dddddgZ
ddddgZdd
gZdgZdgZdd
dddgZdd
ddddgZdd
ddddgZd
ddddddd	d
ddddddgZdgZdgZddddgZddddgZdddddgZddddddgZddgZd
dddddd	ddddgZeidZ eidZ!e"dZ#dZ$dZ%dZ&dZ'dZ(dZ)dZ*dZ+d Z,d!Z-d"Z.d#Z/d$Z0d%Z1d&Z2d'Z3d(Z4RS()NRBtexecutetreadtlocktioctlRtlinktunlinktrenametcreatetsetattrtwriteRtadd_nametremove_nametreparenttrmdirtmounttremounttunmounts^(\w+):\[([^\]]*)\]s^(/proc/)(\d+)(.*)cCs||_||_|idjot|i_nh|_d|_d|_d|_	d|_
d|_d|_d|_
d|_d|_g|_g|_d|_|idS(N(taudit_eventR-tquery_environmentRRt	TimeStampttemplate_substitutionsttpathtspathtsourcet
source_pkgtaccesstscontextttcontextttclasstporttsrc_rpmsttgt_rpmsRt derive_avc_info_from_audit_event(R-RR((RR./s$															cCs
|iS(N(R-t
format_avc(R-((RR5DscCs_d}|d|i7}|d|i7}|d|i7}|d|i7}|d|i7}|S(NRsscontext=%s stcontext=%s s
access=%s s
tclass=%s s	tpath=%s (R	R-RRRRR(R-R	((RRGscCsE|idjotSnx&|iD]}||jotSq"q"WtS(sMReturns true if the AVC contains _any_ of the permissions in the access list.N(R-RRRtataccess_listR(R-RR((Rthas_any_access_inTs

cCsE|idjotSnx&|iD]}||jotSq"q"WtS(smReturns true if _every_ access in the AVC matches at
        least one of the permissions in the access list.N(R-RRRRRR(R-RR((Rtall_accesses_are_in^s

cCs3x,|D]$}ti||iotSqqWtS(N(t	type_listR(RRtcontextRR(R-RRR(((Rt__typeMatchis
cCs+|idjotSn|i|i|S(sReturns true if the type in the source context of the
        avc regular expression matches any of the types in the type list.N(R-RRRt_AVC__typeMatchR(R-R((Rtmatches_source_typesoscCs+|idjotSn|i|i|S(sReturns true if the type in the target context of the
        avc regular expression matches any of the types in the type list.N(R-RRRRR(R-R((Rtmatches_target_typesuscCs%|idjotSn|i|jS(N(R-RRRttclass_list(R-R((Rt
has_tclass_in|scCs|i|idS(N(R-tderive_environmental_infot%update_derived_template_substitutions(R-((Rtupdates
cCs%|idjotSn|itjS(N(R-RRRtstandard_directories(R-((Rtpath_is_not_standard_directoryscCsgd}d}|iid}|djo0|iid}|o|id}q[n|djo|iid}|dj	oi|iid}|djod|}q|djo%|djo
|}qd|}q|}qn|dj	oY|i
do|iid	|}qZ|i
i|}|o|id
}qZn||_dS(sDerive the target path.

        If path information is available the avc record will have a path field
        and no name field because the path field is more specific and supercedes
        name. The name field is typically the directory entry.

        For some special files the kernel embeds instance information
        into the file name. For example 'pipe:[1234]' or 'socket:[1234]'
        where the number inside the brackets is the inode number. The proc
        pseudo file system has the process pid embedded in the name, for
        example '/proc/1234/mem'. These numbers are ephemeral and do not
        contribute meaningful information for our reports. Plus we may use
        the path information to decide if an alert is identical to a
        previous alert, we coalesce them if they are. The presence of an
        instance specific number in the path confuses this comparision.
        For these reasons we strip any instance information out of the
        path,

        Example input and output:

        pipe:[1234]    --> pipe
        socket:[1234]  --> socket
        /proc/1234/fd  --> /proc/<pid>/fd
        ./foo          --> ./foo
        /etc/sysconfig --> /etc/sysconfig
        RktAVC_PATHRARRfs./%sRdt/s	\1<pid>\3iN(RRkRAR-RR|RRtavc_path_recordRt
startswithtproc_pid_instance_retsubtpipe_instance_path_reRRRR(R-RARkRRR((Rt
_set_tpaths4







cCsOd|_d|_d|_g|_d}}}}|i
i|_|i
i
d}
|iid|_t|itpt|iid|_nt|itpt|iid|_n|iid|_|iiddjo|iid|_n|iid|_|i|
o|
id}|
id	}|
id
}|
id}|dj	oh|dj	o[t|d}t|}ti|ti||_	ti|ti||_	qd|_	n|djo|iid	}n|djo|iid}n||_|o
||_n|o
||_n|i
i
d
}|o|id}	nd}	|i
id}xk|D]c}|id}t"i!i#|p|	o|ii$|q|ii$t"i!i%|	|qWg|_&g|_'|i
i(i)|_)dS(NtSYSCALLRXRRRtdesttsrcReRbtarchtsyscallitCWDRctPATHRA(*RR-RRRt
syscall_pathsReRbRRRRRRtsyscall_recordR|Rt
isinstanceRRRRRRRRtaudit_syscall_to_nametaudit_elf_to_machinet
cwd_recordRcRtpath_recordstpath_recordRktostisabsRR4RRRR(R-ReRRRRbRRkRRcR((RRsf				
"


	

#		cCs|io}|io7t|i|_|io|ii|iqKn|io.t|i}|o|i	i|qqndS(N(
R-RRt"get_rpm_nvr_by_file_path_temporaryRRRRtrpmR(R-R((RRs



cCs!|idjo
||_ndS(N(R-RRRk(R-Rk((Rtset_alt_path,scKs9x2|iD]$\}}|o||i|<q
q
WdS(N(tkwdsRtRgRqR-R(R-RRqRg((Rtset_template_substitutions0s
cCst|ii|id<t|ii|id<t|i|id<t|i|id<t|i|id<|idjod|id<nn|i
djot|i|id<nD|i
djo&ttii
|i|id<nd|id<t|i
|id	<|idjod|id
<n tdi|i|id
<t|i|id<t|i|id
<dS(NtSOURCE_TYPEtTARGET_TYPEtSOURCEtSOURCE_PATHtTARGET_PATHt
TARGET_DIRRdRftTARGET_CLASStACCESSRtSOURCE_PACKAGEtPORT_NUMBER(tescape_htmlR-RR(RRRRRRRRRktdirnameRR4RR(R-((RR5s$&
cCsNxG|iiD]6\}}|djott||i|<qqWdS(N(R-RRtRgRqRRtdefault_text(R-RqRg((Rtvalidate_template_substitutionsQs
(5RCRDtstat_file_permstx_file_permstr_file_permst
rx_file_permst
ra_file_permstlink_file_permstcreate_lnk_permstcreate_file_permstr_dir_permstrw_dir_permstra_dir_permstcreate_dir_permstmount_fs_permstsearch_dir_permstgetattr_dir_permstsetattr_dir_permstlist_dir_permstadd_entry_dir_permstdel_entry_dir_permstmanage_dir_permstgetattr_file_permstsetattr_file_permstread_file_permstappend_file_permstwrite_file_permst
rw_file_permstdelete_file_permstmanage_file_permsRRRRRR.R5RRRRRRRRRRRRRRRR(((RRs`	'3		3		'		
	
								K	J				(t__all__RRKRRR~R6ttypestsetroubleshoot.logtsetroubleshoot.utiltsetroubleshoot.html_utiltsetroubleshoot.xml_serializetget_standard_directoriesRRRRRRR"R#tXmlSerializeRRRRRR(R6RR~R1RRRR"RRR#RRRKRRRRRR((Rt?s0											(7pLg
