/usr/bin/sedta is in setools 4.0.1-6.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/usr/bin/python3
# Copyright 2014-2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with SETools. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import print_function
import sys
import argparse
import logging
import setools
def print_transition(trans):
    """Print the policy rules that make up one domain transition step.

    Sections, in order: the domain transition rules, the optional setexec
    rules and every entrypoint's entrypoint/execute/type_transition rules;
    then, if present, the dynamic transition rules with their setcurrent
    rules.  Each entrypoint and the dynamic section end with a blank line,
    and one more blank line closes the whole step.  Output goes to stdout.

    Args:
        trans: a transition step exposing the attributes read below
            (transition, setexec, entrypoints, dyntransition, setcurrent);
            presumably a step yielded by setools.DomainTransitionAnalysis —
            verify against the caller.
    """
    def section(title, rules, prefix=""):
        # Print one titled group of rules; entrypoint rules are tab-indented.
        print(title)
        for rule in rules:
            if prefix:
                print("{0}{1}".format(prefix, rule))
            else:
                print(rule)

    if trans.transition:
        section("Domain transition rule(s):", trans.transition)
        if trans.setexec:
            section("\nSet execution context rule(s):", trans.setexec)
        for ep in trans.entrypoints:
            print("\nEntrypoint {0}:".format(ep.name))
            section("\tDomain entrypoint rule(s):", ep.entrypoint, "\t")
            section("\n\tFile execute rule(s):", ep.execute, "\t")
            if ep.type_transition:
                section("\n\tType transition rule(s):", ep.type_transition, "\t")
            print()

    if trans.dyntransition:
        section("Dynamic transition rule(s):", trans.dyntransition)
        # setcurrent rules are always listed alongside dynamic transitions.
        section("\nSet current process context rule(s):", trans.setcurrent)
        print()

    print()
# Command-line interface.  The order of add_argument calls fixes the
# order shown in --help, so it is kept as-is.
parser = argparse.ArgumentParser(
    description="SELinux policy domain transition analysis tool.",
    epilog=(
        "If no analysis is selected, all forward transitions out of the "
        "source will be printed."
    ),
)
parser.add_argument(
    "--version",
    action="version",
    version=setools.__version__,
)
# Policy file is optional; SELinuxPolicy() presumably falls back to the
# running system policy when it is omitted — confirm against setools.
parser.add_argument(
    "-p", "--policy",
    help="Path to SELinux policy to analyze.",
)
parser.add_argument(
    "-s", "--source",
    help="Source type of the analysis.",
    required=True,
)
parser.add_argument(
    "-t", "--target",
    help="Target type of the analysis.",
)
parser.add_argument(
    "--stats",
    action="store_true",
    help="Display statistics at the end of the analysis.",
)
parser.add_argument(
    "-v", "--verbose",
    action="store_true",
    help="Print extra informational messages",
)
parser.add_argument(
    "--debug",
    action="store_true",
    dest="debug",
    help="Enable debugging.",
)

# Exactly one of these is expected when a target is given (checked later).
alg = parser.add_argument_group("Analysis algorithm")
alg.add_argument(
    "-S", "--shortest_path",
    action="store_true",
    help="Calculate all shortest paths.",
)
alg.add_argument(
    "-A", "--all_paths",
    type=int,
    metavar="MAX_STEPS",
    help="Calculate all paths, with the specified maximum path length. (Expensive)",
)

opts = parser.add_argument_group("Analysis options")
opts.add_argument(
    "-r", "--reverse",
    action="store_true",
    default=False,
    help="Perform a reverse DTA.",
)
# 0 (the default) is treated as "no limit" by the output loops.
opts.add_argument(
    "-l", "--limit_trans",
    default=0,
    type=int,
    help="Limit to the specified number of transitions. Default is unlimited.",
)
# Remaining positional words are type names to drop from the graph.
opts.add_argument(
    "exclude",
    help="List of excluded types in the analysis.",
    nargs="*",
)

args = parser.parse_args()
# A path search needs both a target and an algorithm; having only one of
# them is a usage error.  parser.error() prints usage and exits with 2.
path_search_requested = bool(args.shortest_path or args.all_paths)
if path_search_requested and not args.target:
    parser.error("The target type must be specified to determine a path.")
if args.target and not path_search_requested:
    parser.error("An algorithm must be specified to determine a path.")

# --debug wins over --verbose and adds timestamps/levels/logger names;
# otherwise only the bare message is shown.
if args.debug:
    log_level = logging.DEBUG
    log_format = '%(asctime)s|%(levelname)s|%(name)s|%(message)s'
else:
    log_level = logging.INFO if args.verbose else logging.WARNING
    log_format = '%(message)s'
logging.basicConfig(level=log_level, format=log_format)
try:
    policy = setools.SELinuxPolicy(args.policy)
    dta = setools.DomainTransitionAnalysis(policy, reverse=args.reverse, exclude=args.exclude)
    # A limit of 0 (the default) disables truncation of the output.
    limit = args.limit_trans

    if args.shortest_path or args.all_paths:
        # Path search from source to target with the selected algorithm.
        if args.shortest_path:
            found = dta.all_shortest_paths(args.source, args.target)
        else:
            found = dta.all_paths(args.source, args.target, args.all_paths)

        count = 0  # stays 0 when no path is found
        for count, path in enumerate(found, start=1):
            print("Domain transition path {0}:".format(count))
            for stepnum, step in enumerate(path, start=1):
                print("Step {0}: {1} -> {2}\n".format(stepnum, step.source, step.target))
                print_transition(step)
            if limit and count >= limit:
                break
        print(count, "domain transition path(s) found.")
    else:
        # No algorithm selected: list every single transition out of the source.
        count = 0
        for count, step in enumerate(dta.transitions(args.source), start=1):
            print("Transition {0}: {1} -> {2}\n".format(count, step.source, step.target))
            print_transition(step)
            if limit and count >= limit:
                break
        print(count, "domain transition(s) found.")

    if args.stats:
        print("\nGraph statistics:")
        print(dta.get_stats())

except Exception as err:
    # Top-level CLI boundary: the traceback is only shown under --debug,
    # otherwise just the message; either way the exit status is 1.
    if args.debug:
        logging.exception(str(err))
    else:
        print(err)
    sys.exit(1)