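#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
(c) 2008, 2009, 2010 Jens Kasten

Python helper tool for automatic get and set attribute.

The tool reads the list of active RSBAC modules from /proc, queries every
known attribute of a program through ``attr_get_file_dir`` and writes the
matching ``attr_set_file_dir`` command lines to a file so the attributes
can be restored later.
"""
import os
import sys
from subprocess import Popen, PIPE, call
import logging
from stat import (ST_MODE, S_ISREG, S_ISDIR, S_ISFIFO, S_ISLNK, S_ISCHR,
                  S_ISBLK, S_ISSOCK)

try:
    # shlex.quote exists since Python 3.3; pipes.quote is the Python 2 name.
    from shlex import quote as shell_quote
except ImportError:
    from pipes import quote as shell_quote

try:
    from header_rsbac import RsbacTargetType
except ImportError as e:
    msg = str(e)
    logging.error(msg)
    print(msg)
    # sys.exit()

# set global logging variables
log_file = "rsbac.log"
logging.basicConfig(level=logging.DEBUG,
                    format='%(asctime)s %(levelname)s %(message)s',
                    filename=log_file,
                    filemode='w')


#class Rsbac(RsbacTargetType):
class Rsbac(object):
    """Query RSBAC attributes of files through the attr_get_file_dir tool."""

    def __init__(self):
        #RsbacTargetType.__init__(self)
        self.rsbac_proc = "/proc/rsbac-info/"
        # filled by get_module(): names of active / inactive RSBAC modules
        self.module_on = []
        self.module_off = []
        # ISSOCK and ISBLK are not defined so using FILE insteed
        self.available_target_type = {
            'S_ISREG': 'FILE',
            'S_ISDIR': 'DIR',
            'S_ISFIFO': 'FIFO',
            'S_ISLNK': 'SYMLINK',
            'S_ISCHR': 'DEV',
            'S_ISSOCK': 'FILE',
            'S_ISBLK': 'FILE',
        }
        # attribute names queried per module
        self.module_attribute = {
            'PAX': ['pax_flags'],
            'FF': ['ff_flags'],
            'MAC': ['security_level', 'mac_categories', 'mac_auto',
                    'mac_prop_trusted', 'mac_file_flags'],
            'PM': ['pm_object_class', 'pm_tp', 'pm_object_type'],
            'DAZ': ['daz_scanner', 'daz_do_scan'],
            'RC': ['rc_type_fd', 'rc_force_role', 'rc_initial_role'],
            'AUTH': ['auth_may_setuid', 'auth_may_set_cap', 'auth_learn'],
            'GEN': ['log_array_low', 'log_array_high', 'log_program_based',
                    'symlink_add_remote_ip', 'symlink_add_uid',
                    'symlink_add_mac_level', 'symlink_add_rc_role',
                    'linux_dac_disable', 'vset', 'auid_exempt',
                    'fake_root_id'],
            'CAP': ['min_caps', 'max_caps', 'cap_ld_env'],
            'RES': ['res_min', 'res_max'],
        }
        # this module not used attr_[s|g]et_file_dir
        # RES modul temporarly disabled
        self.module_which_does_not_use_attr_get_set = ['ACL', 'JAIL', 'REG', 'RES']

    def is_rsbac(self):
        """Return True when the rsbac-info directory exists below /proc.

        Always returns a bool (the former version returned None for
        "not available").
        """
        return os.path.isdir(self.rsbac_proc)

    @staticmethod
    def _parse_active(text):
        """Parse the text of the ``active`` proc file into {module: status}.

        Only ``Module:`` lines are used; the module name is the first word
        after the colon and the status is the last word (e.g. ``on`` or
        ``off``).  Other ``key: value`` lines are ignored.
        """
        modules = {}
        for line in text.split('\n'):
            key, sep, value = line.partition(':')
            if not sep or key != "Module":
                continue
            tokens = value.split()
            if tokens:
                modules[tokens[0]] = tokens[-1]
        return modules

    def get_module(self):
        """Deliver the rsbac module info.

        Sets ``self.module_on`` to the list of active modules and
        ``self.module_off`` to the list of inactive modules (both lists
        are reset first, so repeated calls do not accumulate entries).

        Returns the raw text of the ``active`` proc file on success,
        False when RSBAC is not available and None when the file could
        not be read (e.g. the user is not privileged to access it).
        """
        self.module_on = []
        self.module_off = []
        if not self.is_rsbac():
            msg = "RSBAC is not available."
            logging.error(msg)
            print(msg)
            return False
        path = os.path.join(self.rsbac_proc, "active")
        try:
            # read the proc file directly instead of spawning `cat`
            with open(path) as proc_file:
                rsbac_module = proc_file.read()
        except (IOError, OSError) as e:
            # IOError is a separate class on Python 2; an alias on Python 3
            msg = str(e)
            logging.error(msg)
            print(msg)
            return None
        modules = self._parse_active(rsbac_module)
        if not modules:
            msg = "No module information found in '%s'." % path
            logging.error(msg)
            print(msg)
        for name, status in modules.items():
            if 'on' in status:
                self.module_on.append(name)
            else:
                self.module_off.append(name)
        logging.info(rsbac_module)
        return rsbac_module

    def attr_set_file_dir(self, program_name, attribute):
        """Placeholder: setting attributes is not implemented."""
        pass

    def attr_get_file_dir(self, file_name, output_file=None):
        """Dump all attributes of program *file_name* as attr_set_file_dir lines.

        *file_name* is looked up on PATH.  For every active module (except
        the ones in ``module_which_does_not_use_attr_get_set``, which use
        other programs to obtain their attributes) and every attribute of
        that module one ``attr_set_file_dir ...`` command line is written
        to *output_file*.  *output_file* defaults to a file named like
        *file_name* in the current directory (the historical behaviour);
        an existing file of that name is replaced.

        Returns the number of command lines written, or None when one of
        the needed programs could not be located on PATH.
        """
        if output_file is None:
            output_file = file_name
        # Resolve all programs before the output file is created: the
        # output file carries the program's name, so creating it first
        # would let which() pick up the empty file when '.' is on PATH.
        program_path = which(file_name)
        prog_name = which('attr_get_file_dir')
        set_prog_name = which('attr_set_file_dir')
        if program_path is None or prog_name is None or set_prog_name is None:
            msg = "Cannot resolve program paths for '%s'." % file_name
            logging.error(msg)
            print(msg)
            return None
        target_type = self.target_type(program_path)
        # module ACL, JAIL use an other progam to obtain the attribute
        # so exclude them here (self.module_on itself is left untouched)
        skipped = set(self.module_which_does_not_use_attr_get_set)
        modules = [modul for modul in self.module_on if modul not in skipped]
        # the generated lines are meant for a shell; quote the path so
        # spaces or metacharacters in it cannot break up the command
        quoted_path = shell_quote(program_path)
        # remove a stale file (also a dangling symlink) before writing
        if os.path.lexists(output_file):
            os.remove(output_file)
        written = 0
        with open(output_file, "w") as fd:
            for modul in modules:
                for attribute in self.module_attribute.get(modul, []):
                    cmd = [prog_name, modul, target_type, program_path, attribute]
                    proc = Popen(cmd, stdout=PIPE, universal_newlines=True)
                    attribute_value = proc.communicate()[0].strip()
                    if proc.returncode != 0 or not attribute_value:
                        # a missing value would produce a broken command line
                        logging.error("'%s' failed with status %s",
                                      ' '.join(cmd), proc.returncode)
                        continue
                    cmd_string = ' '.join([set_prog_name, modul, target_type,
                                           quoted_path, attribute,
                                           attribute_value])
                    fd.write(cmd_string + '\n')
                    written += 1
        return written

    def target_type(self, file_name):
        """Return the RSBAC target type string for *file_name*.

        Raises OSError when the path does not exist and ValueError when
        the file type is not one of the known kinds.
        """
        # NOTE(review): os.stat() follows symlinks, so the S_ISLNK branch
        # can never match; os.lstat() would be needed for SYMLINK targets.
        # Kept as is until the intended RSBAC semantics are confirmed.
        mode = os.stat(file_name)[ST_MODE]
        checks = (
            ('S_ISREG', S_ISREG),
            ('S_ISCHR', S_ISCHR),
            ('S_ISLNK', S_ISLNK),
            ('S_ISDIR', S_ISDIR),
            ('S_ISFIFO', S_ISFIFO),
            ('S_ISBLK', S_ISBLK),   # not defined
            ('S_ISSOCK', S_ISSOCK), # not defined
        )
        for key, predicate in checks:
            if predicate(mode):
                return self.available_target_type[key]
        raise ValueError("unknown file type for '%s'" % file_name)


def which(program_name):
    """Function implements the linux which command in python.

    Returns the first executable regular file named *program_name* found
    in the PATH directories (an absolute *program_name* is checked as
    is).  Returns None, after logging an error, when nothing matches.
    """
    environ_path = os.environ.get('PATH', os.defpath).split(os.pathsep)
    for directory in environ_path:
        program_path = os.path.join(directory, program_name)
        # which(1) semantics: regular file that is executable, not just existing
        if os.path.isfile(program_path) and os.access(program_path, os.X_OK):
            msg = "Progam asked for absolute path for '%s'" % program_path
            logging.info(msg)
            return program_path
    msg = "Request for absolut path could not found: '%s'" % program_name
    logging.error(msg)
    return None


def version():
    """Give the rsbac version and tools infos in a dictonary.

    Keys are Kernel, Tool, Tool-string.  The dictionary is logged, printed
    and returned; an empty dictionary is returned when ``rsbac_version``
    is not on PATH or cannot be run.
    """
    version = {}
    program_name = "rsbac_version"
    program_path = which(program_name)
    if program_path is None:
        # appears if executable is not found
        msg = "'%s' is not found in the environment path." % program_name
        logging.error(msg)
        print(msg)
        return version
    try:
        output = Popen([program_path], stdout=PIPE,
                       universal_newlines=True).communicate()[0]
    except OSError as e:
        msg = str(e)
        logging.error(msg)
        print(msg)
        return version
    for field in output.strip("\n").split(","):
        key, sep, value = field.partition(":")
        if sep:
            version[key.strip(" ")] = value.strip(" ")
    logging.info(version)
    print(version)
    return version


def main():
    """Print the RSBAC version, load the module list and dump wine's attributes."""
    #print "rsbac-version-description: %s" % inspect.getdoc(Rsbac.version)
    version()
    rsbac = Rsbac()
    rsbac.get_module()
    rsbac.attr_get_file_dir("wine")


if __name__ == "__main__":
    main()

#vim: tabstop=4 expandtab shiftwidth=4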