#!/bin/bash
# Merge the rules that audit2allow derives from the audit log into an existing
# SELinux type enforcement (.te) file, then rebuild the policy package (.pp).

# init
execName=$(basename "$0")
tmpDir=$(mktemp -d "/tmp/$execName.XXXXXX")
tmpFile="$tmpDir/$execName"
# clean the temp dir up however the script exits
trap 'rm -rf "$tmpDir"' EXIT

# manage arguments
if [[ $# != 1 ]]
then
    echo "Usage: $execName <Type_Enforcement_file>" >&2
    exit 1
fi
dstDir=$(dirname "$1")
dstFile=$(basename "$1")
dstFile=${dstFile%.te}
if [[ ! -s $1 ]]
then
    echo "WARNING: <Type_Enforcement_file> non-existent or empty, creating it..."
    touch "$1"
fi
cp "$1" "$tmpFile.te.src"

# create new type enforcement file from audit file
# (-l: only consider AVC denials logged since the last policy reload)
audit2allow -m local -l -i /var/log/audit/audit.log > "$tmpFile.te.add"

# set header file
printf '\nmodule local 1.0;\nrequire {\n' > "$tmpFile.te.new"

# "type foo_t;" lines of a .te file, re-indented with a single space
extract_types() {
    awk '/^[[:space:]]*type / { sub("^[[:space:]]*", " "); print }' "$1"
}

# "class" lines of a .te file, normalised to the braced form
# "class NAME { perm ... };" so that fields 4..NF-1 are always the permissions
extract_classes() {
    awk '
    /^[[:space:]]*class / {
        sub("^[[:space:]]*", " ")
        if ($0 !~ "[{}]") {
            $2 = $2 " {"
            if (length($NF) == 1) $NF = "}" $NF   # "... read ;" -> "... { read };"
            else sub(".$", " };", $NF)            # "... read;"  -> "... { read };"
        }
        print
    }' "$1"
}

# format and merge type lines (unique by type name)
{ extract_types "$tmpFile.te.src"; extract_types "$tmpFile.te.add"; } |
    sort -u -k 2,2 >> "$tmpFile.te.new"

# format and merge class lines: one line per class name found in either file,
# carrying the union of the permissions listed in both (a class that only
# appears in the audit2allow output must not be dropped, or checkmodule fails)
extract_classes "$tmpFile.te.src" > "$tmpFile.class.src"
extract_classes "$tmpFile.te.add" > "$tmpFile.class.add"
awk '{ print $2 }' "$tmpFile.class.src" "$tmpFile.class.add" | sort -u |
while read -r className
do
    options=$(awk -v c="$className" '$2 == c { for (i = 4; i < NF; i++) print $i }' \
        "$tmpFile.class.src" "$tmpFile.class.add" | sort -u | tr "\n" " ")
    echo " class $className { $options};" >> "$tmpFile.te.new"
done

# close require block
echo "}" >> "$tmpFile.te.new"

# sort rules and format options: every allow rule gets the braced form
# "allow SRC TGT:CLASS { perm ... };"
awk '
/^allow / {
    if (substr($4, 1, 1) != "{") {
        $4 = "{ " $4
        sub(".$", " };", $NF)
    }
    print
}' "$tmpFile.te.src" "$tmpFile.te.add" |
    sort -k 2,3 > "$tmpFile.te.rules"

# merge rules with the same first three fields (allow SRC TGT:CLASS), keeping
# each permission once; the key is compared exactly, not as a regex prefix, so
# "tgt_t:file" does not also swallow the permissions of "tgt_t:filesystem"
awk '
{
    key = $1 " " $2 " " $3
    if (!(key in perms)) { keys[++n] = key; perms[key] = "" }
    for (i = 5; i < NF; i++)
        if (!((key, $i) in seen)) { seen[key, $i] = 1; perms[key] = perms[key] $i " " }
}
END {
    for (k = 1; k <= n; k++) printf "%s { %s};\n", keys[k], perms[keys[k]]
}' "$tmpFile.te.rules" > "$tmpFile.te.rules.uniq"

# format rules by blocks, one block per source domain
awk '
$2 != prevApp { prevApp = $2; printf "\n#============= %s ==============\n", $2 }
{ print }' "$tmpFile.te.rules.uniq" >> "$tmpFile.te.new"

# compile file; stop before touching the destination if the merged policy is invalid
checkmodule -M -m -o "$tmpFile.mod" "$tmpFile.te.new" || exit 1
# create policy package file
semodule_package -o "$tmpFile.pp" -m "$tmpFile.mod" || exit 1
# replace policy package file
cp -f "$tmpFile.pp" "$dstDir/$dstFile.pp"
# replace type enforcement file
cp -f "$tmpFile.te.new" "$dstDir/$dstFile.te"
# tell the next step to do, to install the updated SELinux rules
echo "Now, run the command 'semodule -i $dstDir/$dstFile.pp'"