audit2allow: CIL output mode #420

audit2allow: CIL output mode
New flag -C for audit2allow sets output format to CIL instead of
Policy Language.

Example:
;============= mozilla_t ==============

;!!!! This avc is allowed in the current policy
(allow mozilla_t user_sudo_t (fd (use)))

;============= user_t ==============

;!!!! This avc can be allowed using the boolean 'allow_execmem'
(allow user_t self (process (execmem)))
(allow user_t chromium_t (process (noatsecure rlimitinh siginh)))

;!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
;Constraint rule:
;       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u1 == unconfined_u -Fail-)  or (u1 == sysadm_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED

;       Possible cause is the source user (user_u) and target user (sysadm_u) are different.
(allow user_t user_home_dir_t (dir (getattr relabelto)))

Signed-off-by: Topi Miettinen <[email protected]>

---
v4: several fixes to issues found by James Carter
v3: fixed extended permissions syntax
v2: fix uninitialized variable detected by CI
topimiettinen committed Mar 19, 2024
commit 52b35778c896fc3db188a183f625c3f8fd7f2737
14 changes: 13 additions & 1 deletion python/audit2allow/audit2allow
Expand Up @@ -75,6 +75,7 @@ class AuditToPolicy:
help="generate policy with dontaudit rules")
parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
default=True, help="generate refpolicy style output")
parser.add_option("-C", "--cil", action="store_true", dest="cil", help="generate CIL output")

parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
default=False, help="do not generate refpolicy style output")
Expand Down Expand Up @@ -114,14 +115,17 @@ class AuditToPolicy:
sys.stderr.write('error: module names must begin with a letter, optionally followed by letters, numbers, "-", "_", "."\n')
sys.exit(2)

# Make -M and -o conflict
# Make -M and -o or -C conflict
if options.module_package:
if options.output:
sys.stderr.write("error: --module-package conflicts with --output\n")
sys.exit(2)
if options.module:
sys.stderr.write("error: --module-package conflicts with --module\n")
sys.exit(2)
if options.cil:
sys.stderr.write("error: --module-package conflicts with --cil\n")
sys.exit(2)

self.__options = options

Expand Down Expand Up @@ -341,13 +345,21 @@ semodule -i {packagename}
if self.__options.requires:
g.set_gen_requires(True)

# CIL output
if self.__options.cil:
g.set_gen_cil(True)

# Generate the policy
g.add_access(self.__avs)
g.add_role_types(self.__role_types)

# Output
writer = output.ModuleWriter()

# CIL output
if self.__options.cil:
writer.set_gen_cil(True)

# Module package
if self.__options.module_package:
self.__output_modulepackage(writer, g)
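Review bot: The new `-C` conflict check under `options.module_package` only rules out `-M`, but `-R`/`--reference` is enabled by default (`default=True` on the option defined just above the new `-C` line) and refpolicy-style interface calls are not CIL syntax; unless the generation code between these hunks already skips `set_gen_refpol` when `options.cil` is set, `-C` should either force `refpolicy` off or be rejected together with `-R`, for example `if options.cil and options.refpolicy: options.refpolicy = False` next to the existing conflict checks. The `-C` option also omits `default=False`, so an unset flag is `None` rather than a bool; adding `default=False` keeps it consistent with `-R`/`-N`. The CIL flag is applied twice, once to the generator and once to the writer, which works but deserves a one-line comment saying the generator needs it for comment prefixes while the writer needs it for rule syntax, if that is the intent.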
3 changes: 3 additions & 0 deletions python/audit2allow/audit2allow.1
Expand Up @@ -74,6 +74,9 @@ Generate module/require output <modulename>
.B "\-M <modulename>"
Generate loadable module package, conflicts with \-o
.TP
.B "\-C"
Generate CIL output, conflicts with \-M
.TP
.B "\-p <policyfile>" | "\-\-policy <policyfile>"
Policy file to use for analysis
.TP
5 changes: 5 additions & 0 deletions python/sepolgen/src/sepolgen/output.py
Expand Up @@ -40,6 +40,7 @@ def __init__(self):
self.module = None
self.sort = True
self.requires = True
self.gen_cil = False

def write(self, module, fd):
self.module = module
Expand All @@ -49,8 +50,12 @@ def write(self, module, fd):

# FIXME - make this handle nesting
for node, depth in refpolicy.walktree(self.module, showdepth=True):
node.set_gen_cil(self.gen_cil)
fd.write("%s\n" % str(node))

def set_gen_cil(self, gen_cil):
self.gen_cil = gen_cil

# Helper functions for sort_filter - this is all done old school
# C style rather than with polymorphic methods because this sorting
# is specific to output. It is not necessarily the comparison you
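Review bot: `write` now calls `node.set_gen_cil(self.gen_cil)` on every node yielded by `refpolicy.walktree`, so every node class in the tree must provide that method; refpolicy.py is not part of this view, and a node type without it would raise `AttributeError` part-way through writing. The new `set_gen_cil` setter has no docstring; `"""Select CIL syntax for all nodes written by this writer (default: kernel policy language)."""` states the contract. Setting the output format on each model node at write time also couples the model objects to the writer, which is worth a short comment above the loop, e.g. `# the flag is re-applied to every node on each write, so the module itself stays format-agnostic`, so the side effect on the module's nodes is visible to readers.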
32 changes: 21 additions & 11 deletions python/sepolgen/src/sepolgen/policygen.py
Expand Up @@ -86,6 +86,8 @@ def __init__(self, module=None):
self.xperms = False

self.domains = None
self.gen_cil = False
self.comment_start = '#'
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.

Expand Down Expand Up @@ -128,6 +130,13 @@ def set_gen_xperms(self, xperms):
"""
self.xperms = xperms

def set_gen_cil(self, gen_cil):
self.gen_cil = gen_cil
if gen_cil:
self.comment_start = ';'
else:
self.comment_start = '#'

def __set_module_style(self):
if self.ifgen:
refpolicy = True
Expand Down Expand Up @@ -173,26 +182,27 @@ def __add_av_rule(self, av):
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))

if av.type == audit2why.ALLOW:
rule.comment += "\n#!!!! This avc is allowed in the current policy"
rule.comment += "\n%s!!!! This avc is allowed in the current policy" % self.comment_start

if av.xperms:
rule.comment += "\n#!!!! This av rule may have been overridden by an extended permission av rule"
rule.comment += "\n%s!!!! This av rule may have been overridden by an extended permission av rule" % self.comment_start

if av.type == audit2why.DONTAUDIT:
rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
rule.comment += "\n%s!!!! This avc has a dontaudit rule in the current policy" % self.comment_start

if av.type == audit2why.BOOLEAN:
if len(av.data) > 1:
rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join([x[0] for x in av.data])
rule.comment += "\n%s!!!! This avc can be allowed using one of the these booleans:\n%s %s" % (self.comment_start, self.comment_start, ", ".join([x[0] for x in av.data]))
else:
rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
rule.comment += "\n%s!!!! This avc can be allowed using the boolean '%s'" % (self.comment_start, av.data[0][0])

if av.type == audit2why.CONSTRAINT:
rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access."
rule.comment += "\n#Constraint rule: "
rule.comment += "\n#\t" + av.data[0]
rule.comment += "\n%s!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access." % self.comment_start
rule.comment += "\n%sConstraint rule: " % self.comment_start
rule.comment += "\n%s\t" % self.comment_start + av.data[0]
for reason in av.data[1:]:
rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
rule.comment += "\n%s" % self.comment_start
rule.comment += "\tPossible cause is the source %s and target %s are different." % reason

try:
if ( av.type == audit2why.TERULE and
Expand All @@ -206,9 +216,9 @@ def __add_av_rule(self, av):
if i not in self.domains:
types.append(i)
if len(types) == 1:
rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
rule.comment += "\n%s!!!! The source type '%s' can write to a '%s' of the following type:\n%s %s\n" % (self.comment_start, av.src_type, av.obj_class, self.comment_start, ", ".join(types))
elif len(types) >= 1:
rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
rule.comment += "\n%s!!!! The source type '%s' can write to a '%s' of the following types:\n%s %s\n" % (self.comment_start, av.src_type, av.obj_class, self.comment_start, ", ".join(types))
except:
pass

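Review bot: At the `Constraint rule` lines, `"\n%s\t" % self.comment_start + av.data[0]` depends on `%` binding tighter than `+`; it is correct but reads as though `av.data[0]` were a format argument, so `rule.comment += "\n%s\t%s" % (self.comment_start, av.data[0])` is clearer, and the two appends inside the `for reason` loop can be one statement, `rule.comment += "\n%s\tPossible cause is the source %s and target %s are different." % ((self.comment_start,) + tuple(reason))`, given that the existing `% reason` already treats `reason` as a tuple. The first comment in this method is frozen with `str(refpolicy.Comment(...))` before any CIL flag reaches that `Comment` object, so unless `Comment.__str__` (not in this view) already honours the CIL prefix, the explain text would still start with `#` while the `!!!!` notes use `;`. Since the prefix is now spliced into every note, a small private helper that prepends `"\n" + self.comment_start` to a message would remove the repeated `% self.comment_start` formatting across `__add_av_rule`; the method begins before and continues past this hunk.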