Attached is my first crack at the argparse version of semanage. Right
now it just parses the command line and spits out the dictionary raw.
Please mess around with the command line and make sure that it behaves
how you would expect. Some of the names in the dictionary are a bit
weird and I'm having trouble getting sensible semantics for fcontext -e
but it should be parsing the command lines properly. Also not all of the
help text is in place yet. If you want to add some help text either send
it to me in an email or send me a patch and I'll apply it to my repo. I
still need to commit the latest changes to my github account but once I
do you should be able to get the same file from my semanage-argparse
repo on github. After we're sure that the parsing works as we'd like and
the help messages are sensible to people I'll work on gluing this
frontend back onto the seobject class that semanage uses to do that
actual policy store manipulations.
Dave
#! /usr/bin/python -Es
import sys,argparse
class seParser(argparse.ArgumentParser):
def error(self, message):
if len(sys.argv) == 2:
self.print_help()
sys.exit(2)
self.print_usage()
self.exit(2, ('%s: error: %s\n') % (self.prog, message))
def setupLoginParser(subparsers, parents):
loginParser = subparsers.add_parser('login', help='Manage login mappings between linux users and SELinux confined users', parents=parents)
loginParser.add_argument('-s', '--seuser', nargs=1, required=True, help='SELinux user name')
loginParser.add_argument('-r', '--range', nargs=1, help='''MLS/MCS Security Range (MLS/MCS Systems only)
SELinux Range for SELinux login mapping
defaults to the SELinux user record range.
SELinux Range for SELinux user defaults to s0.''')
loginParser.add_argument('login', help='login_name | %%groupname')
def setupUserParser(subparsers, parents):
userParser = subparsers.add_parser('user', help='Manage SELinux confined users (Roles and levels for an SELinux user)', parents=parents)
userParser.add_argument('-L', '--level', nargs=1, help='XXX:Add level text')
userParser.add_argument('-r', '--range', nargs=1, help='XXX:Add range text')
userParser.add_argument('-R', '--roles', nargs=1, help='XXX:Add roles text')
userParser.add_argument('-P', '--prefix', nargs=1, help='XXX:Add prefix text')
userParser.add_argument('selinux_name', help='selinux_name')
def setupPortParser(subparsers,parents):
portParser = subparsers.add_parser('port', help='Manage network port type definiteions', parents=parents)
portParser.add_argument('-t', '--type', nargs=1, help='XXX:Add type text')
portParser.add_argument('-r', '--range', nargs=1, help='XXX:Add range text')
portParser.add_argument('-p', '--proto', nargs=1, help='XXX:Add proto text')
portParser.add_argument('port', help='port | port_range')
def setupInterfaceParser(subparsers,parents):
interfaceParser = subparsers.add_parser('interface', help='Manage network interface type definitions', parents=parents)
interfaceParser.add_argument('-t', '--type', nargs=1, help='XXX:Add type text')
interfaceParser.add_argument('-r', '--range', nargs=1, help='XXX:Add range text')
interfaceParser.add_argument('interface', help='interface_spec')
def setupModuleParser(subparsers,parents):
moduleParser = subparsers.add_parser('module', help='Manage SELinux policy modules', parents=parents, conflict_handler='resolve')
mgroup = moduleParser.add_mutually_exclusive_group(required=True)
mgroup.add_argument('-a', '--add', dest='action', action='store_const', const='add', help='Add a record of the specified object type')
mgroup.add_argument('-d', '--delete', dest='action', action='store_const', const='delete', help='Delete a record of the specified object type')
mgroup.add_argument('-m', '--modify', dest='action', choices=['enable', 'disable'], help='Enable or Disable specified module')
mgroup.add_argument('-l', '--list', dest='action', action='store_const', const='list', help='List records of the specified object type')
moduleParser.add_argument('-N', '--noreload', action='store_true', help='Do not reload the policy after commit')
moduleParser.add_argument('module_name', help='Name of the module to act on')
def setupNodeParser(subparsers,parents):
nodeParser = subparsers.add_parser('node', help='Manage network node type definitions', parents=parents)
nodeParser.add_argument('-M', '--mask', nargs=1, help='XXX:Add mask text')
nodeParser.add_argument('-t', '--type', nargs=1, help='XXX:Add type text')
nodeParser.add_argument('-r', '--range', nargs=1, help='XXX:Add range text')
nodeParser.add_argument('-p', '--proto', nargs=1, help='XXX:Add proto text')
nodeParser.add_argument('node', help='node')
def setupFcontextParser(subparsers,parents):
fcontextParser = subparsers.add_parser('fcontext', help='Manage file context mapping definitions', parents=parents)
fcontextParser.add_argument('-e', '--equal', nargs=1, help='''Substitute target path with sourcepath when generating default
label. This is used with fcontext. Requires source and target
path arguments. The context labeling for the target subtree is
made equivalent to that defined for the source.''')
fcontextParser.add_argument('-f', '--ftype', nargs=1, help='''File Type. This is used with fcontext. Requires a file type
as shown in the mode field by ls, e.g. use -d to match only
directories or -- to match only regular files.''')
fcontextParser.add_argument('-s', '--seuser', nargs=1,help='SELinux user name')
fcontextParser.add_argument('-t', '--type', nargs=1, help='SELinux Type for the object')
fcontextParser.add_argument('-r', '--range', nargs=1, help='''MLS/MCS Security Range (MLS/MCS Systems only) SELinux Range for
SELinux login mapping defaults to the SELinux user record range.
SELinux Range for SELinux user defaults to s0.''')
fcontextParser.add_argument('target', help='target')
def setupBooleanParser(subparsers,parents):
booleanParser = subparsers.add_parser('boolean', help='Manage booleans to selectively enable functionality', parents=parents)
boolGroup = booleanParser.add_mutually_exclusive_group(required=True)
boolGroup.add_argument('-1', '--on', dest='state', action='store_const', const='on', help='XXX: Add text')
boolGroup.add_argument('-0', '--off', dest='state', action='store_const', const='off', help='XXX: Add text')
booleanParser.add_argument('-F', '--file', nargs=1, dest='filename', help="XXX: Add text")
booleanParser.add_argument('boolean', help='boolean | boolean_file')
def setupPermissiveParser(subparsers):
permissiveParser = subparsers.add_parser('permissive', help='Manage process type enforcement mode')
pgroup = permissiveParser.add_mutually_exclusive_group(required=True)
pgroup.add_argument('-a', '--add', dest='action', action='store_const', const='add', help='Add a record of the specified object type')
pgroup.add_argument('-d', '--delete', dest='action', action='store_const', const='delete', help='Delete a record of the specified object type')
pgroup.add_argument('-l', '--list', dest='action', action='store_const', const='list', help='List records of the specified object type')
permissiveParser.add_argument('-n', '--noheading', action='store_true', help='Do not print heading when listing the speicied object type')
permissiveParser.add_argument('-D', '--deleteall', action='store_true', help='Remove all local customizations for the specified object type')
permissiveParser.add_argument('-N', '--noreload', action='store_true', help='Do not reload the policy after commit')
permissiveParser.add_argument('type', help='type')
def setupDontauditParser(subparsers):
dontauditParser = subparsers.add_parser('dontaudit', help='Disable/Enable dontaudit rules in policy')
dontauditParser.add_argument('-S', '--store', nargs=1, help='Select an alternate SELinux Policy Store to manage')
dontauditParser.add_argument('action', choices=["on", "off"])
def createCommandParser():
commandParser = seParser(prog='semanage',
formatter_class=argparse.ArgumentDefaultsHelpFormatter,
description='''semanage is used to configure certain elements
of SELinux policy with-out requiring modification
to or recompilation from policy source.''')
#Create the parent parser which is use to handle valid_everyone arguments
everyoneParser = argparse.ArgumentParser(add_help=False)
egroup = everyoneParser.add_mutually_exclusive_group(required=True)
egroup.add_argument('-a', '--add', dest='action', action='store_const', const='add', help='Add a record of the specified object type')
egroup.add_argument('-d', '--delete', dest='action', action='store_const', const='delete', help='Delete a record of the specified object type')
egroup.add_argument('-m', '--modify', dest='action', action='store_const', const='modify', help='Modify a record of the specified object type')
egroup.add_argument('-l', '--list', dest='action', action='store_const', const='list', help='List records of the specified object type')
everyoneParser.add_argument('-n', '--noheading', action='store_true', help='Do not print heading when listing the speicied object type')
everyoneParser.add_argument('-S', '--store', nargs=1, help='Select an alternate SELinux Policy Store to manage')
#Create the parent parser for valid_local arguments
localParser = argparse.ArgumentParser(add_help=False)
lgroup = localParser.add_argument_group()
lgroup.add_argument('-E', '--extract', action='store_true', help='XXX: Not exactly sure what this does ask Dan')
lgroup.add_argument('-C', '--locallist', action='store_true', help='List only locally defined settings, not base policy settings')
lgroup.add_argument('-D', '--deleteall', action='store_true', help='Remove all local customizations for the specified object type')
lgroup.add_argument('-N', '--noreload', action='store_true', help='Do not reload the policy after commit')
#To add a new subcommand define the parser for it in a function above and call it here.
subparsers = commandParser.add_subparsers(dest='subcommand')
setupLoginParser(subparsers, [everyoneParser,localParser])
setupUserParser(subparsers, [everyoneParser,localParser])
setupPortParser(subparsers, [everyoneParser,localParser])
setupInterfaceParser(subparsers, [everyoneParser,localParser])
setupModuleParser(subparsers, [])
setupNodeParser(subparsers, [everyoneParser,localParser])
setupFcontextParser(subparsers, [everyoneParser,localParser])
setupBooleanParser(subparsers, [everyoneParser,localParser])
setupPermissiveParser(subparsers)
setupDontauditParser(subparsers)
return commandParser
if __name__ == '__main__':
commandParser = createCommandParser()
if len(sys.argv) < 2:
commandParser.print_help()
exit(1)
args = commandParser.parse_args()
print args