[selinux-policy: 1464/3172] initial commit of netfilter config generator tool, still needs work on mls/mcs side.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:11:55 UTC 2010
commit d6c62e7df79f9d59cee75bac2de81e3f2f1526f0
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed May 24 21:27:52 2006 +0000
initial commit of netfilter config generator tool, still needs work on mls/mcs side.
refpolicy/support/gennetfilter.py | 105 +++++++++++++++++++++++++++++++++++++
1 files changed, 105 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/support/gennetfilter.py b/refpolicy/support/gennetfilter.py
new file mode 100644
index 0000000..ca9532a
--- /dev/null
+++ b/refpolicy/support/gennetfilter.py
@@ -0,0 +1,105 @@
+import re
+
+NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*$")
+
+DEFAULT_PACKET = "packet_t"
+PACKET_INPUT = "_server_packet_t"
+PACKET_OUTPUT = "_client_packet_t"
+
+packets = []
+
+class Port:
+ def __init__(self, proto, num, mls_sens, mcs_cats=""):
+ # protocol of the port
+ self.proto = proto
+
+ # port number
+ self.num = num
+
+ # MLS sensitivity
+ self.mls_sens = mls_sens
+
+ # MCS categories
+ # not currently supported, so we always get s0
+ if mcs_cats == "":
+ self.mcs_cats = "s0"
+ else
+ self.mcs_cats = "s0:"+mcs_cats
+
+class Packet:
+ def __init__(self, prefix, ports):
+ # prefix
+ self.prefix = prefix
+
+ # A list of Ports
+ self.ports = ports
+
+def print_input_rules():
+ print "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
+ for i in packets:
+ for j in i.ports:
+ output_line="-A selinux_new_input -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_INPUT
+
+ print "-A selinux_new_input -j CONNSECMARK --save"
+ print "-A selinux_new_input -j RETURN"
+
+def print_output_rules():
+ print "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
+ for i in packets:
+ for j in i.ports:
+ print "-A selinux_new_output -p "+j.proto+" --dport "+j.num+" -j SECMARK --selctx system_u:object_r:"+i.prefix+PACKET_OUTPUT
+
+ print "-A selinux_new_output -j CONNSECMARK --save"
+ print "-A selinux_new_output -j RETURN"
+
+def parse_corenet(file_name):
+ corenet_te_in = open(file_name, "r")
+
+ while True:
+ corenet_line = corenet_te_in.readline()
+
+ # If EOF has been reached:
+ if not corenet_line:
+ break
+
+ if NETPORT.match(corenet_line):
+ corenet_line = corenet_line.strip();
+
+ # parse out the parameters
+ parms = re.split('\W+',corenet_line[13:-1])
+ name = parms[0]
+ del parms[0];
+
+ ports = []
+ while len(parms) > 0:
+ # add a port combination.
+ ports.append(Port(parms[0],parms[1],parms[2]))
+ del parms[:3]
+
+ packets.append(Packet(name,ports))
+
+ corenet_te_in.close()
+
+def write_netfilter_config():
+ print "*mangle"
+ print ":PREROUTING ACCEPT [0:0]"
+ print ":INPUT ACCEPT [0:0]"
+ print ":FORWARD ACCEPT [0:0]"
+ print ":OUTPUT ACCEPT [0:0]"
+ print ":POSTROUTING ACCEPT [0:0]"
+ print ":selinux_input [0:0]"
+ print ":selinux_output [0:0]"
+ print ":selinux_new_input [0:0]"
+ print ":selinux_new_output [0:0]"
+ print "-A INPUT -j selinux_input"
+ print "-A OUTPUT -j selinux_output"
+ print "-A selinux_input -m state --state NEW -j selinux_new_input"
+ print "-A selinux_input -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+ print "-A selinux_output -m state --state NEW -j selinux_new_output"
+ print "-A selinux_output -m state --state RELATED,ESTABLISHED -j CONNSECMARK --restore"
+ print_input_rules()
+ print_output_rules()
+ print "COMMIT"
+
+parse_corenet("policy/modules/kernel/corenetwork.te.in")
+write_netfilter_config()
More information about the scm-commits
mailing list