#!/usr/bin/env python3 # Author: Chris PeBenito # # Copyright (C) 2006 Tresys Technology, LLC # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, version 2. import sys,getopt,re NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)") DEFAULT_INPUT_PACKET = "server_packet_t" DEFAULT_OUTPUT_PACKET = "client_packet_t" DEFAULT_MCS = "s0" DEFAULT_MLS = "s0" PACKET_INPUT = "_server_packet_t" PACKET_OUTPUT = "_client_packet_t" class Port: def __init__(self, proto, num, mls_sens): # protocol of the port self.proto = proto # port number self.num = num # MLS sensitivity self.mls_sens = mls_sens # MCS categories # not currently supported, so we always get s0 self.mcs_cats = DEFAULT_MCS class Packet: def __init__(self, prefix, ports): # prefix self.prefix = prefix # A list of Ports self.ports = ports def print_input_rules(packets,mls,mcs): line = "base -A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET if mls: line += ":"+DEFAULT_MLS elif mcs: line += ":"+DEFAULT_MCS print(line) for i in packets: for j in i.ports: line="base -A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT if mls: line += ":"+j.mls_sens elif mcs: line += ":"+j.mcs_cats print(line) print("post -A selinux_new_input -j CONNSECMARK --save") print("post -A selinux_new_input -j RETURN") def print_output_rules(packets,mls,mcs): line = "base -A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET if mls: line += ":"+DEFAULT_MLS elif mcs: line += ":"+DEFAULT_MCS print(line) for i in packets: for j in i.ports: line = "base -A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT if mls: line += ":"+j.mls_sens elif mcs: line += ":"+j.mcs_cats print(line) print("post -A selinux_new_output -j CONNSECMARK --save") print("post -A selinux_new_output -j RETURN") def parse_corenet(file_name): packets = [] corenet_te_in = open(file_name, "r") while True: corenet_line = corenet_te_in.readline() # If EOF has been reached: if not corenet_line: break if NETPORT.match(corenet_line): corenet_line = corenet_line.strip() # parse out the parameters openparen = corenet_line.find('(')+1 closeparen = corenet_line.find(')',openparen) parms = re.split('\W+',corenet_line[openparen:closeparen]) name = parms[0] del parms[0] ports = [] while len(parms) > 0: # add a port combination. ports.append(Port(parms[0],parms[1],parms[2])) del parms[:3] packets.append(Packet(name,ports)) corenet_te_in.close() return packets def print_netfilter_config(packets,mls,mcs): print("pre *mangle") print("pre :PREROUTING ACCEPT [0:0]") print("pre :INPUT ACCEPT [0:0]") print("pre :FORWARD ACCEPT [0:0]") print("pre :OUTPUT ACCEPT [0:0]") print("pre :POSTROUTING ACCEPT [0:0]") print("pre :selinux_input - [0:0]") print("pre :selinux_output - [0:0]") print("pre :selinux_new_input - [0:0]") print("pre :selinux_new_output - [0:0]") print("pre -A INPUT -j selinux_input") print("pre -A OUTPUT -j selinux_output") print("pre -A selinux_input -m state --state NEW -j selinux_new_input") print("pre -A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore") print("pre -A selinux_output -m state --state NEW -j selinux_new_output") print("pre -A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore") print_input_rules(packets,mls,mcs) print_output_rules(packets,mls,mcs) print("post COMMIT") mls = False mcs = False try: opts, paths = getopt.getopt(sys.argv[1:],'mc',['mls','mcs']) except getopt.GetoptError: print("Invalid options.") sys.exit(1) for o, a in opts: if o in ("-c","--mcs"): mcs = True if o in ("-m","--mls"): mls = True if len(paths) == 0: sys.stderr.write("Need a path for corenetwork.te.in!\n") sys.exit(1) elif len(paths) > 1: sys.stderr.write("Ignoring extra specified paths\n") packets=parse_corenet(paths[0]) print_netfilter_config(packets,mls,mcs)