KGRKJGETMRETU895U-589TY5MIGM5JGB5SDFESFREWTGR54TY
Server : Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.17
System : Linux localhost 2.6.18-419.el5 #1 SMP Fri Feb 24 22:47:42 UTC 2017 x86_64
User : nobody ( 99)
PHP Version : 5.2.17
Disable Function : NONE
Directory :  /usr/lib64/python2.4/site-packages/sepolgen/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : //usr/lib64/python2.4/site-packages/sepolgen/audit.pyc
mò
d&KRc@sîdkZdkZdkZd„Zd„Zdfd„ƒYZdefd„ƒYZdefd„ƒYZd	efd
„ƒYZdefd„ƒYZ	d
efd„ƒYZ
defd„ƒYZdfd„ƒYZdfd„ƒYZ
dS(NcCs8dk}|idddgd|iƒiƒd}|S(s
Obtain all of the avc and policy load messages from the audit
    log. This function uses ausearch and requires that the current
    process have sufficient rights to run ausearch.

    Returns:
       string contain all of the audit messages returned by ausearch.
    Ns/sbin/ausearchs-ms)AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_STARTtstdouti(t
subprocesstPopentPIPEtcommunicatetoutput(RR((t4/usr/lib64/python2.4/site-packages/sepolgen/audit.pytget_audit_msgss
	cCs2dk}|idgd|iƒiƒd}|S(s•Obtain all of the avc and policy load messages from /bin/dmesg.

    Returns:
       string contain all of the audit messages returned by dmesg.
    Ns
/bin/dmesgRi(RRRRR(RR((Rtget_dmesg_msgs's
	tAuditMessagecBs tZdZd„Zd„ZRS(sãBase class for all objects representing audit messages.

    AuditMessage is a base class for all audit messages and only
    provides storage for the raw message (as a string) and a
    parsing function that does nothing.
    cCs||_d|_dS(Nt(tmessagetselftheader(RR((Rt__init__;s	cCs†x|D]w}|idƒ}t|ƒdjo)|d djo||_dSqXqn|ddjo|d|_dSqqWdS(	sàParse a string that has been split into records by space into
        an audit message.

        This method should be overridden by subclasses. Error reporting
        should be done by raise ValueError exceptions.
        t=iisaudit(Nitmsgi(trecsRtsplittfieldstlenRR
(RRRR((Rtfrom_split_string?s	
(t__name__t
__module__t__doc__RR(((RR	4s	tInvalidMessagecBstZdZd„ZRS(sþClass representing invalid audit messages. This is used to differentiate
    between audit messages that aren't recognized (that should return None from
    the audit message parser) and a message that is recognized but is malformed
    in some way.
    cCsti||ƒdS(N(R	RRR(RR((RRZs(RRRR(((RRTstPathMessagecBs tZdZd„Zd„ZRS(s!Class representing a path messagecCsti||ƒd|_dS(NR
(R	RRRtpath(RR((RR_scCs{ti||ƒxd|D]\}|idƒ}t|ƒdjoqn|ddjo|ddd!|_dSqqWdS(NRiiRiiÿÿÿÿ(	R	RRRRRRRR(RRRR((RRcs(RRRRR(((RR]s	t
AVCMessagecBs)tZdZd„Zd„Zd„ZRS(skAVC message representing an access denial or granted message.

    This is a very basic class and does not represent all possible fields
    in an avc message. Currently the fields are:
       scontext - context for the source (process) that generated the message
       tcontext - context for the target
       tclass - object class for the target (only one)
       comm - the process name
       exe - the on-disc binary
       path - the path of the target
       access - list of accesses that were allowed or denied
       denial - boolean indicating whether this was a denial (True) or granted
          (False) message.

    An example audit message generated from the audit daemon looks like (line breaks
    added):
       'type=AVC msg=audit(1155568085.407:10877): avc:  denied  { search } for
       pid=677 comm="python" name="modules" dev=dm-0 ino=13716388
       scontext=user_u:system_r:setroubleshootd_t:s0
       tcontext=system_u:object_r:modules_object_t:s0 tclass=dir'

    An example audit message stored in syslog (not processed by the audit daemon - line
    breaks added):
       'Sep 12 08:26:43 dhcp83-5 kernel: audit(1158064002.046:4): avc:  denied  { read }
       for  pid=2 496 comm="bluez-pin" name=".gdm1K3IFT" dev=dm-0 ino=3601333
       scontext=user_u:system_r:bluetooth_helper_t:s0-s0:c0
       tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
    cCshti||ƒtiƒ|_tiƒ|_d|_d|_	d|_
d|_g|_t
|_dS(NR
(R	RRRt	refpolicytSecurityContexttscontextttcontextttclasstcommtexeRtaccessestTruetdenial(RR((RR‹s					cCsµt}|}|t|ƒdjotd|iƒ‚nxR|t|ƒjo>||djot	}Pn|i
i||ƒ|d}q=W|ptd|iƒ‚n|dS(Nis#AVC message in invalid format [%s]
t}(tFalsetfound_closetstarttiRRt
ValueErrorRRR%R$tappend(RRR*R+R)((Rt__parse_access–scCsÛti||ƒt}t}t}t}xut	t
|ƒƒD]a}||djo#|i||dƒ}t
}q;n||djo
t|_n||idƒ}t
|ƒdjoq;n|ddjo ti|dƒ|_t
}q;|ddjo ti|dƒ|_t
}q;|dd	jo|d|_t
}q;|dd
jo|ddd!|_q;|ddjo|ddd!|_q;q;W|p|p|p|otd
|iƒ‚ndS(Nt{itgrantedRiiRR R!R"iÿÿÿÿR#s#AVC message in invalid format [%s]
(R	RRRR(t	found_srct	found_tgttfound_classtfound_accesstrangeRR+t_AVCMessage__parse_accessR%R&RRRRRR R!R"R#R,R(RRR1R+RR3R2R4((RR¬s>




 (RRRRR6R(((RRns		tPolicyLoadMessagecBstZdZd„ZRS(s6Audit message indicating that the policy was reloaded.cCsti||ƒdS(N(R	RRR(RR((RRÓs(RRRR(((RR7ÑstDaemonStartMessagecBs tZdZd„Zd„ZRS(s3Audit message indicating that a daemon was started.cCsti||ƒt|_dS(N(R	RRRR(tauditd(RR((RRØscCs.ti||ƒd|jo
t|_ndS(NR9(R	RRRR%R9(RR((RRÜs
(RRRRR(((RR8Ös	tComputeSidMessagecBs tZdZd„Zd„ZRS(s†Audit message indicating that a sid was not valid.

    Compute sid messages are generated on attempting to create a security
    context that is not valid. Security contexts are invalid if the role is
    not authorized for the user or the type is not authorized for the role.

    This class does not store all of the fields from the compute sid message -
    just the type and role.
    cCs&ti||ƒd|_d|_dS(NR
(R	RRRttypetrole(RR((RRìs	cCs²ti||ƒh}xI|D]A}|idƒ}t|ƒdjoqn|d||d<qWy6t	i
|dƒi|_t	i
|dƒi|_Wnt
dƒ‚nXdS(NRiiiRR s;Split string does not represent a valid compute sid message(R	RRRtdictR+RttRRRR<R;R,(RRR+R=R>((RRñs(RRRRR(((RR:âs		tAuditParsercBs_tZdZed„Zd„Zd„Zd„Zd„Zd„Z	d„Z
eed„Z
RS(	s»Parser for audit messages.

    This class parses audit messages and stores them according to their message
    type. This is not a general purpose audit message parser - it only extracts
    selinux related messages.

    Each audit messages are stored in one of four lists:
       avc_msgs - avc denial or granted messages. Messages are stored in
          AVCMessage objects.
       comput_sid_messages - invalid sid messages. Messages are stored in
          ComputSidMessage objects.
       invalid_msgs - selinux related messages that are not valid. Messages
          are stored in InvalidMessageObjects.
       policy_load_messages - policy load messages. Messages are stored in
          PolicyLoadMessage objects.

    These lists will be reset when a policy load message is seen if
    AuditParser.last_load_only is set to true. It is assumed that messages
    are fed to the parser in chronological order - time stamps are not
    parsed.
    cCs|iƒ||_dS(N(Rt_AuditParser__initializetlast_load_only(RRA((RRs
cCs:g|_g|_g|_g|_g|_h|_dS(N(Rtavc_msgstcompute_sid_msgstinvalid_msgstpolicy_load_msgst	path_msgst	by_header(R((Rt__initializes					cCs2|iƒ}x|D]}t}|djp|djp
|djot|ƒ}t}n|djot	|ƒ}t}nj|djot
|ƒ}t}nG|djot|ƒ}t}n$|djott
ƒ}t}n|o;y|i|ƒWntj
ot|ƒ}nX|SqqWdS(Nsavc:smessage=avc:s	msg='avc:ssecurity_compute_sid:stype=MAC_POLICY_LOADs
type=AVC_PATHstype=DAEMON_START(tlineRtrecR+R(tfoundRRR%R:R7RR8tlistRR,RtNone(RRIR+RKRRJ((Rt__parse_line0s4'








cCs‚|i|ƒ}|djodSnt|tƒo|io|iƒq&n×t|t	ƒo6|i
o|io|iƒn|ii|ƒn‘t|t
ƒo|ii|ƒnmt|tƒo|ii|ƒnIt|tƒo|ii|ƒn%t|tƒo|ii|ƒn|idjoH|ii|iƒo|i|ii|ƒq~|g|i|i<ndS(NR
(Rt_AuditParser__parse_lineRIRRMt
isinstanceR7RAR@R8R9RER-RRBR:RCRRDRRFR
RGthas_key(RRIR((Rt__parseQs,

cCs±xª|iiƒD]™}g}d}xI|D]A}t|t	ƒo
|}q)t|t
ƒo|i|ƒq)q)Wt|ƒdjo(|o!x|D]}|i|_qWqqWdS(Ni(RRGtvaluestvaluetavcRMRRRPRRR-Rta(RRVRTRRRU((Rt__post_processvs
cCsB|iƒ}x%|o|i|ƒ|iƒ}qW|iƒdS(spParse the contents of a file object. This method can be called
        multiple times (along with parse_string).N(tinputtreadlineRIRt_AuditParser__parset_AuditParser__post_process(RRXRI((Rt
parse_fileƒs
cCs;|idƒ}x|D]}|i|ƒqW|iƒdS(s§Parse a string containing audit messages - messages should
        be separated by new lines. This method can be called multiple
        times (along with parse_file).s
N(RXRtlinestlRRZR[(RRXR]R^((Rtparse_stringŒscCs·tiƒ}x¤|iD]™}|itjo|oqn|oC|i
|ƒo/|i|ii
|ii
|i|i|ƒq¯q|i|ii
|ii
|i|i|ƒqW|S(s‚Convert the audit logs access into a an access vector set.

        Convert the audit logs into an access vector set, optionally
        filtering the restults with the passed in filter object.

        Filter objects are object instances with a .filter method
        that takes and access vector and returns True if the message
        should be included in the final output and False otherwise.

        Params:
           avc_filter - [optional] Filter object used to filter the
              output.
        Returns:
           Access vector set representing the denied access in the
           audit logs parsed by this object.
        N(taccesstAccessVectorSettav_setRRBRUR&R%tonly_denialst
avc_filtertfiltertaddRR;R R!R$(RRdRcRbRU((Rt	to_access•s
(RRRR(RR@RORZR[R\R_RMR%Rg(((RR?s		!	%	
				t
TypeFiltercBstZd„Zd„ZRS(NcCsti|ƒ|_dS(N(tretcompiletregexR(RRk((RR´scCsF|ii|iiƒotSn|ii|iiƒotSntS(N(	RRktmatchRURR;R%R R((RRU((RRe·s
(RRRRe(((RRh³s	(RR`RiRRR	RRRR7R8R:R?Rh(RRRR	RRR?R8R`RiR7RhRR:((Rt?s				
	
 	c²

Anon7 - 2021