-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlD+prMACgkQrlYvE4MpobOZtQCfUMOcA9kx9OXvlkzi3jvImdb6 uhIAnjbuLIPAIANg+5DMAft1bi8z3lO8 =Vh/u -----END PGP SIGNATURE-----
>From 92d36a4a87057888b06a009ed7c8f1a1fd730bf6 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Mon, 19 Nov 2012 12:28:38 -0500
Subject: [PATCH 40/84] policycoreutils: semanage: seobject verify policy types before allowing you to assign them.
We should check that a type is a valid before assigning it with semanage. Aka we should just that a type is a port type before assigning it to a port, or a valid user type before assigning it to a user.
Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/semanage/seobject.py | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 83d04b1..d9432d2 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -924,6 +924,8 @@ class seluserRecords(semanageRecords):
 print "%-15s %s" % (k, ddict[k][3])
 class portRecords(semanageRecords):
+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
+
 def __init__(self, store = ""):
 semanageRecords.__init__(self, store)
@@ -963,6 +965,9 @@ class portRecords(semanageRecords):
 if type == "":
 raise ValueError(_("Type is required"))
+ if type not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % type)
+
 ( k, proto_d, low, high ) = self.__genkey(port, proto)
 (rc, exists) = semanage_port_exists(self.sh, k)
@@ -1022,6 +1027,9 @@ class portRecords(semanageRecords):
 else:
 raise ValueError(_("Requires setype"))
+ if setype and setype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % setype)
+
 ( k, proto_d, low, high ) = self.__genkey(port, proto)
 (rc, exists) = semanage_port_exists(self.sh, k)
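Review bot: The `valid_types` class attribute added at the top of `class portRecords` runs `sepolicy.info(sepolicy.ATTRIBUTE,"port_type")` while the class body executes, so the policy query now happens on every import of seobject rather than when a port record is actually added or modified. If that call can fail where no policy is loaded or sepolicy cannot be imported (the hunk does not show what `sepolicy.info` does in that case), importing the module, and with it every semanage subcommand, fails instead of only the type-check path; the list is also a snapshot of the policy as it was at import time. A lazily filled attribute keeps the interface the same and moves the failure to the two places that need it, with `if type not in self._get_valid_types():` in `__add` and `__modify`. The same import-time lookup is introduced in the nodeRecords hunk (`node_type`) and the fcontextRecords hunk (`file_type` and `device_node`).
```python
class portRecords(semanageRecords):
	valid_types = None

	def _get_valid_types(self):
		# Resolve the attribute's type set on first use, not at import time,
		# so a policy lookup failure surfaces in __add/__modify only.
		if portRecords.valid_types is None:
			portRecords.valid_types = sepolicy.info(sepolicy.ATTRIBUTE,"port_type")[0]["types"]
		return portRecords.valid_types
	# … unchanged: __init__ and the rest of the class …
```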
@@ -1179,6 +1187,8 @@ class portRecords(semanageRecords):
 print rec
 class nodeRecords(semanageRecords):
+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE,"node_type")[0]["types"]
+
 def __init__(self, store = ""):
 semanageRecords.__init__(self,store)
 self.protocol = ["ipv4", "ipv6"]
@@ -1218,7 +1228,10 @@ class nodeRecords(semanageRecords):
 serange = untranslate(serange)
 if ctype == "":
- raise ValueError(_("SELinux Type is required"))
+ raise ValueError(_("SELinux node type is required"))
+
+ if ctype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
 (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
 if rc < 0:
@@ -1285,6 +1298,9 @@ class nodeRecords(semanageRecords):
 if serange == "" and setype == "":
 raise ValueError(_("Requires setype or serange"))
+ if setype and setype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a node type") % setype)
+
 (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
 if rc < 0:
 raise ValueError(_("Could not create key for %s") % addr)
@@ -1593,6 +1609,9 @@ class interfaceRecords(semanageRecords):
 print "%-30s %s:%s:%s " % (k,ddict[k][0], ddict[k][1],ddict[k][2])
 class fcontextRecords(semanageRecords):
+ valid_types = sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"]
+ valid_types += sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]
+
 def __init__(self, store = ""):
 semanageRecords.__init__(self, store)
 self.equiv = {}
@@ -1707,6 +1726,9 @@ class fcontextRecords(semanageRecords):
 if type == "":
 raise ValueError(_("SELinux Type is required"))
+ if type not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
+
 (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
 if rc < 0:
 raise ValueError(_("Could not create key for %s") % target)
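Review bot: In the fcontextRecords hunk, `valid_types += sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"]` is an in-place extend of whatever object the first `sepolicy.info(...)[0]["types"]` lookup returned; if sepolicy hands back a reference into a structure it keeps (the hunk does not show whether the result is a fresh list), the `file_type` entry would silently grow to include the device types for any later caller. Building a new container also lets the `in` checks in `__add` and `__modify` stop scanning a list of every file type on each call: `valid_types = set(sepolicy.info(sepolicy.ATTRIBUTE,"file_type")[0]["types"])` followed by `valid_types |= set(sepolicy.info(sepolicy.ATTRIBUTE,"device_node")[0]["types"])`. The same change reads naturally for the single-attribute `valid_types` in the portRecords and nodeRecords hunks.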
@@ -1763,6 +1785,9 @@ class fcontextRecords(semanageRecords):
 def __modify(self, target, setype, ftype, serange, seuser):
 if serange == "" and setype == "" and seuser == "":
 raise ValueError(_("Requires setype, serange or seuser"))
+ if setype and setype not in self.valid_types:
+ raise ValueError(_("Type %s is invalid, must be a port type") % setype)
+
 self.validate(target)
 (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
-- 
1.8.1
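Review bot: The new error message in `fcontextRecords.__modify` says `must be a port type`, but this class validates file context types and the matching check added to `fcontextRecords.__add` in the previous hunk says `must be a file or device type`; the string looks copied from `portRecords.__modify`. An administrator who passes a type that is not a file or device type to a fcontext modify would be told to supply a port type, which points them at the wrong attribute. Change the line to `raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)`. The body of `__modify` continues past the end of the hunk.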