13:0 )=ˆZƒ›Ù«{‹„„-i[D<†ªo_’I|¥‰ÓMjqØ‚¦ð¬÷ÂÉÝ=‹mŽÍJÄ@ Ç_%ìLd©½xQØÂ%mS:0ÛŒIÆa}zÛº{óøÿä÷UEà3ÃCÓ·øMŠ&“ÓP’ÃÉE’ažóÓ#ÆKõ°Šû”¿JT¶ý!ÊòZz†óÛNB#ëf «Õ¥]v).Ýsx&àk5.æ”Ð_÷ʽm`’YÉE¼Op•¤üorb2†byC0+O/‡Ù=k­áF¹`ªxhï¤7ÊÏøC:6Hí†EfÑjôùÎG¾.Â/ìí;„2"?ˆl–äY>”T†»ÕÀ5q°)‹FÿÌ ƒq°½ÃÊv?# Authors: Karl MacMillan # # Copyright (C) 2006 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as # published by the Free Software Foundation; version 2 only # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # """ This module provides knowledge object classes and permissions. It should be used to keep this knowledge from leaking into the more generic parts of the policy generation. """ # Objects that can be implicitly typed - these objects do # not _have_ to be implicitly typed (e.g., sockets can be # explicitly labeled), but they often are. # # File is in this list for /proc/self # # This list is useful when dealing with rules that have a # type (or param) used as both a subject and object. For # example: # # allow httpd_t httpd_t : socket read; # # This rule makes sense because the socket was (presumably) created # by a process with the type httpd_t. implicitly_typed_objects = ["socket", "fd", "process", "file", "lnk_file", "fifo_file", "dbus", "capability", "unix_stream_socket"] #:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: # #Information Flow # # All of the permissions in SELinux can be described in terms of # information flow. For example, a read of a file is a flow of # information from that file to the process reading. Viewing # permissions in these terms can be used to model a varity of # security properties. # # Here we have some infrastructure for understanding permissions # in terms of information flow # #:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: # Information flow deals with information either flowing from a subject # to and object ("write") or to a subject from an object ("read"). Read # or write is described from the subject point-of-view. It is also possible # for a permission to represent both a read and write (though the flow is # typical asymettric in terms of bandwidth). It is also possible for # permission to not flow information (meaning that the result is pure # side-effect). # # The following constants are for representing the directionality # of information flow. FLOW_NONE = 0 FLOW_READ = 1 FLOW_WRITE = 2 FLOW_BOTH = FLOW_READ | FLOW_WRITE # These are used by the parser and for nice disply of the directions str_to_dir = { "n" : FLOW_NONE, "r" : FLOW_READ, "w" : FLOW_WRITE, "b" : FLOW_BOTH } dir_to_str = { FLOW_NONE : "n", FLOW_READ : "r", FLOW_WRITE : "w", FLOW_BOTH : "b" } class PermMap: """A mapping between a permission and its information flow properties. PermMap represents the information flow properties of a single permission including the direction (read, write, etc.) and an abstract representation of the bandwidth of the flow (weight). """ def __init__(self, perm, dir, weight): self.perm = perm self.dir = dir self.weight = weight def __repr__(self): return "" % (self.perm, dir_to_str[self.dir], self.weight) class PermMappings: """The information flow properties of a set of object