Server: Apache
System: Linux 185.122.168.184.host.secureserver.net 5.14.0-570.52.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Oct 15 06:39:08 EDT 2025 x86_64
User: barbeatleanalyti (1024)
PHP: 8.1.33
Disabled: NONE
File: //lib/python3.9/site-packages/setroubleshoot/__pycache__/audit_data.cpython-39.pyc
a

U+e��@slddlmZddlZddlmZddlZgd�ZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlTddlmZddlTddlTddlTddlTdZdd�Zd	d
�Zdd�Ze�d
�Zdd�Ze�d�Zdd�ZddlZdd�ZGdd�de �Z!Gdd�de �Z"Gdd�de �Z#Gdd�d�Z$Gdd�de �Z%Gdd �d e&�Z'Gd!d"�d"�Z(d#d$�Z)dS)%�)�absolute_importN)�range)	�derive_record_format�parse_audit_record_text�
AvcContext�AVC�AuditEventID�
AuditEvent�AuditRecord�AuditRecordReader�compute_avcs)�*�cCs||k||kS�N�)�x�yrr�=/usr/lib/python3.9/site-packages/setroubleshoot/audit_data.py�<lambda>7�rcCs t|�\}}}}t|||�}|Sr)rr
)�text�parse_succeeded�record_type�event_id�	body_text�audit_recordrrr�audit_record_from_text=srcCs*t�d|�rtjSt�d|�r$tjStjS)Nz/audispd_events$z/audit_events$)�re�searchr�TEXT_FORMAT�
BINARY_FORMAT)Zsocket_pathrrrrEs
rzL(node=(\S+)\s+)?(type=(\S+)\s+)?(msg=)?audit\(((\d+)\.(\d+):(\d+))\):\s*(.*)c
Cs�d}d}d}d}d}t�|�}|dur�d}|�d�r>|�d�}|�d�rR|�d�}|�d�r�t|�d��}t|�d��}t|�d��}	t|||	|�}|�d	�}||||fS)
NFT������	�
)�audit_input_rer�group�intr)
�inputr�hostrrr�match�seconds�milli�serialrrrr^s&






rz%audit\(((\d+)\.(\d+):(\d+))\):\s*(.*)cCsvd}d}d}t�|�}|durld}|�d�rbt|�d��}t|�d��}t|�d��}t|||�}|�d�}|||fS)NFT�r!rr"�)�audit_binary_input_rerr)r*r)r+rrrr-r.r/r0rrr�parse_audit_binary_text|s


r4cCs"|rdd�|D�}||krdSdS)NcSsg|]}|tjvr|�qSr)�string�	printable��.0rrrr�
<listcomp>�rzprintable.<locals>.<listcomp>TFr)�sZ
filtered_pathrrrr6�s
r6csZeZdZddiddiddiddid�Z�fdd�Zdd�Zdd	�Zd
d�Zdd
�Z�Z	S)r�XMLForm�	attribute��user�role�type�mlscsztt|���t|tj�rv|�d�}t|�dkrv|d|_|d|_	|d|_
t|�dkrpd�|dd��|_nd|_dS)N�:rrr1r!Zs0)
�superr�__init__�
isinstance�sixZstring_types�split�lenr>r?r@�joinrA)�self�data�fields��	__class__rrrD�s



zAvcContext.__init__cCsd|j|j|j|jfS)Nz%s:%s:%s:%sr=�rJrrr�__str__�szAvcContext.__str__cCst�t|��\}}|Sr)�selinuxZselinux_raw_to_trans_context�str)rJ�rcZtransrrr�format�szAvcContext.formatcCs|�|�Sr)�__eq__�rJ�otherrrr�__ne__�szAvcContext.__ne__cCs2t|j���D]}t||�t||�krdSqdS�NFT)�list�	_xml_info�keys�getattr)rJrW�namerrrrU�szAvcContext.__eq__)
�__name__�
__module__�__qualname__r[rDrPrTrXrU�
__classcell__rrrMrr�s�
rcsveZdZded�ded�ded�ddid�Zd�fdd�	Zdd	�Zd
d�Zdd
�Ze	dd��Z
dd�Zdd�Z�Z
S)rr<�r;�import_typecastr;)r.r/r0r,Ncs2tt|���||_||_||_|dur.||_dSr)rCrrDr.r/r0r,)rJr.r/r0r,rMrrrD�szAuditEventID.__init__cCsD|j|jkrdS|j|jkr dS|j|jkr0dS|j|jkr@dSdSrY)r,r.r/r0rVrrrrU�szAuditEventID.__eq__cCsb|j|jkr&td|jj|j|jf��|j|jkr>|j|jkS|j|jkrV|j|jkS|j|jkS)Nz?cannot compare two %s objects whose host values differ (%s!=%s))r,�
ValueErrorrNr_r.r/r0rVrrr�__lt__�s�zAuditEventID.__lt__cCsddl}|�|�S�Nr)�copy)rJrhrrrrh�szAuditEventID.copycCst|j�|jdS)N�@�@)�floatZsecr/rOrrrr�rzAuditEventID.<lambda>cCsd|j|j|jfS)Nzaudit(%d.%d:%d)�r.r/r0rOrrrrP�szAuditEventID.__str__cCs.|jdurdS|jdurdS|jdur*dSdSrYrkrOrrr�is_valid�s


zAuditEventID.is_valid)N)r_r`rar*r[rDrUrfrh�property�timerPrlrbrrrMrr�s�rcs�eZdZddided�ddided�d�ZdZdZe�	e�Z
e�d�Z
e�d	�Ze�d
�Zd*�fdd
�	Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Z�ZS)+r
r;r<�elementrc)rrr�line_numberrZiiiiz([^ \t]+)\s*=\s*([^ \t]+)z$avc:\s+([^\s]+)\s+{([^}]+)}\s+for\s+z^a\d+$Ncs8tt|���||_||_||_||_||_|��dSr)	rCr
rDrrrrLrp�_init_postprocess)rJrrrrLrprMrrrDszAuditRecord.__init__cCsrt|dd�dur|�|j�|jdvrnd|jvrntj�|j�}|rn|�d�}||jd<|�d�}|�	�|jd<dS)NrL�rZUSER_AVCZ1400Z1107�seresultr1r!�seperms)
r]�set_fields_from_textrrrLr
�avc_rerr)rG)rJr-rsrtrrrrqs




zAuditRecord._init_postprocesscCs|��Sr)�to_host_textrOrrrrP(szAuditRecord.__str__cCs d|_|jjdurt�|j_dSr)rprr,Zget_hostnamerOrrr�audispd_rectify+szAuditRecord.audispd_rectifycCs.|j��sdS|jdurdS|jdur*dSdSrY)rrlr�messagerOrrrrl0s


zAuditRecord.is_validcCs4|jd}|dkrdS|dkr"dStj�d|�dS)NrsZdeniedFZgrantedTz!unknown value for seresult ('%s'))rL�logZavc�warn)rJrsrrr�
is_granted9s
zAuditRecord.is_grantedcCs�gd�}|D]>}||jvr|jdkr.|dkr.q|j|}t|�}||j|<q|jdkr�t|j���D]0\}}|j�|�rd|j|}t|�}||j|<qddS)N)Zacct�cmd�comm�cwdrK�dir�exe�filer,�key�msgr^�newZocommold�pathZwatchrZsaddrZEXECVE)rLrZaudit_msg_decoderZ�items�exec_arg_rer)rJZencoded_fieldsZfield�valueZ
decoded_valuerrr�
decode_fieldsBs



zAuditRecord.decode_fieldscCsFz0tjddkr|�d�WSt�|��d�WSWn|YS0dS)Nrr�hexzutf-8)�sys�version_info�decode�	bytearray�fromhex�rJr�rrr�
translate_hexVszAuditRecord.translate_hexc	Csg|_i|_tj�|�D]�}|�d�}|�d�}|�d�}z�|dkr^t�t	|d��}t�
|�}|dvr�|�d��d�s�|�|�}|dkr�zt
jtt	|��}WnYn0|dkr�t�t	|�t���}|r�|}Wnty�Yn0||j|<|j�|�qdS)	Nr1r!�"�arch�)r^r�r~r}r�r�exit�syscall)�
fields_ordrLr
�key_value_pair_re�finditerr)�strip�auditZaudit_elf_to_machiner*Zaudit_machine_to_name�
startswithr��errno�	errorcode�absZaudit_syscall_to_nameZaudit_detect_machinere�append)rJrr-r�r��iZsyscall_namerrrrues4





z AuditRecord.set_fields_from_textcCs|j�|�Sr)rL�get)rJr^rrr�	get_field�szAuditRecord.get_fieldcCs"t|�}t�tjtjtj|j|�Sr)rH�struct�packr
�binary_header_format�binary_version�binary_header_sizer)rJr��
msg_lengthrrr�get_binary_header�s
�zAuditRecord.get_binary_headercsj�jdurdS�jdkr4d�j�jd��j�f}nd�j�jf}|d��fdd��jD��d7}|S)	N�rz#type=%s msg=%s: avc: denied { %s } � ztype=%s msg=%s: csg|]}d|�j|f�qS)z%s=%s)rL)r8�krOrrr9�rz.AuditRecord.fields_to_text.<locals>.<listcomp>�
)rLrrrI�accessr�)rJ�bufrrOr�fields_to_text�s

"zAuditRecord.fields_to_textcCsd|j|j|jfS)Nztype=%s msg=%s: %s
)rrrrOrrr�to_text�szAuditRecord.to_textcCs2|jjdur&d|jj|j|j|jfS|��SdS)Nznode=%s type=%s msg=%s: %s
)rr,rrr�rOrrrrw�s
�zAuditRecord.to_host_textcCsd|j|jf}|�|�|S)Nz%s: %s)rrr��rJ�recordrrr�	to_binary�szAuditRecord.to_binary)NN) r_r`rarr*r[r�r�r��calcsizer�r�compiler�rvr�rDrqrPrxrlr|r�r�rur�r�r�r�rwr�rbrrrMrr
s4�




		"
r
c@s,eZdZdZdZdd�Zdd�Zdd�Zd	S)
rr1r!cCsV||_d|_d|_|j|jkr(|j|_n*|j|jkr>|j|_ntd||j	j
f��dS)Nr�rz unknown record format (%s) in %s)�
record_format�
_input_bufferrpr�	feed_textZfeedr �feed_binaryrerNr_)rJr�rrrrD�s

zAuditRecordReader.__init__ccs�t|�dkrdS|j|7_t|j�tjkr2dSt�tj|jdtj��\}}}}tj|}t|j�|krpdS|jtj|�}t|�\}}	}
|j|d�|_|rt�	|�|	|
ddfVqdSrg)
rHr�r
r�r��unpackr�r4r�Zaudit_msg_type_to_name)rJ�new_datar�r�rr�Z	total_lenrrrrrrrr��s$	��

zAuditRecordReader.feed_binaryc	cs�t|�dkrdS|j|7_d}|j�d|�}|dkr�|jd7_|d7}|j||�}t|�\}}}}|r�|||d|jfV|}|j�d|�}q0|j|d�|_dS)Nrr�r1)rHr��findrpr)	rJr��start�end�linerrrrrrrr��s zAuditRecordReader.feed_textN)r_r`rar rrDr�r�rrrrr�s
!rcs�eZdZdded�ded�d�Z�fdd�Zdd	�Zd
d�Zd$d
d�Z	dd�Z
edd��Zdd�Z
dd�Zd%dd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Z�ZS)&r	ror)r;rZrdrc)�recordsrcs*tt|���d|_g|_i|_d|_dSr)rCr	rDrr��record_types�	timestamprOrMrrrD�s
zAuditEvent.__init__cCs0t|dd�duri|_|jD]}|�|�qdS)Nr�)r]r�r��process_recordr�rrrrqs
zAuditEvent._init_postprocessc	CsL|j}|��d|j|��|��d�dd�|D��d�dd�|jD��fS)Nz2%s: is_avc=%s, is_granted=%s: line_numbers=[%s]
%s�,cSsg|]}t|��qSr�rRr7rrrr9rz&AuditEvent.__str__.<locals>.<listcomp>r�cSsg|]}d|�qS)z    %sr�r8r�rrrr9r)�line_numbers�sortr�is_avcr|rIr�)rJr�rrrrPs��zAuditEvent.__str__r�cCs|�dd�|jD��S)NcSsg|]}t|��qSrr�r�rrrr9rz%AuditEvent.format.<locals>.<listcomp>)rIr�)rJ�	separatorrrrrTszAuditEvent.formatcCs
t|j�Sr)rHr�rOrrr�num_recordsszAuditEvent.num_recordscCsdd�|jD�S)NcSsg|]}|jr|j�qSr)rpr�rrrr9rz'AuditEvent.<lambda>.<locals>.<listcomp>)r�rOrrrrrzAuditEvent.<lambda>cCs|j�|�|�|�dSr)r�r�r�r�rrr�
add_recordszAuditEvent.add_recordcCsp|jdur2|j��|_t|jj�|jjd|_n |j|jksRtd|j|jf��|j�|j	g�}|�
|�dS)NrizBcannot add audit record to audit event, event_id mismatch %s != %s)rrhrjr.r/r�rer��
setdefaultrr�)rJr�Zrecord_listrrrr�s

�zAuditEvent.process_recordNcCsRg}|dur|j}n
|�|�}|D]*}|j�|�}|dur<q"|�||jf�q"|S)aNReturn list of (value, record_type) tuples.
        In other words return the value matching name for every record_type.
        If record_type is not specified then all records are searched.
        Note: it is possible to have more than one record of a given type
        thus it is always possible to have multiple values returned.N)r��get_records_of_typerLr�r�r@)rJr^rr�r�r�r�rrrr�+s
zAuditEvent.get_fieldcCs d}|j�|�}|r|d}|Srg�r�r�)rJr@r�r�rrr�get_record_of_type?s
zAuditEvent.get_record_of_typecCs|j�|g�Srr�)rJr@rrrr�FszAuditEvent.get_records_of_typecCs$dD]}|�|�}|r|SqdS)Nrr)r�)rJrr�rrr�get_avc_recordIs
zAuditEvent.get_avc_recordcCs|��duSr)r�rOrrrr�OszAuditEvent.is_avccCs:d}dD],}|�|�}|D]}|��s.dSd}qq|S)NFrrT)r�r|)rJZall_grantedrr�r�rrrr|Rs
zAuditEvent.is_granted)r�)N)r_r`rar
rr[rDrqrPrTr�rmr�r�r�r�r�r�r�r�r|rbrrrMrr	�s"
�

r	c@seZdZdS)�AVCErrorN)r_r`rarrrrr�asr�c@s�eZdZdgZddgZgd�Zgd�Zgd�Zgd�Zgd�Z	gd�Z
gd	�Zgd
�Zgd�Z
gd�Zgd
�ZddgZdgZdgZgd�Zgd�Zgd�Zgd�ZdgZdgZgd�Zgd�Zgd�Zgd�ZddgZgd�Ze� d�Z!e� d�Z"dFdd�Z#d d!�Z$d"d#�Z%d$d%�Z&d&d'�Z'd(d)�Z(d*d+�Z)d,d-�Z*d.d/�Z+d0d1�Z,d2d3�Z-d4d5�Z.d6d7�Z/d8d9�Z0d:d;�Z1d<d=�Z2d>d?�Z3d@dA�Z4dBdC�Z5dDdE�Z6dS)Grr]�execute)�open�readr]�lock�ioctl)r�r�r]r�r�r�)r�r�r�r]r�r�)r]�link�unlink�rename)�creater�r]�setattrr�r�r�)r�r�r�r�r]r��writer�r�r�r�r�)r�r�r]r�rr�)	r�r�r]r�rr��add_name�remove_namer�)r�r�r]r�rr�r�r�)r�r�r�r]r�r�r�r�r�r�rr�r��reparentr��rmdir)ZmountZremountZunmountr]rr�)r�r]rr�r�r�)r�r]rr�r�r�r�)r�r]rr�r�r�r�)r�r�r]r�r�r�r�r�r�rr�r�r�r�r�r�)r�r]r�r�r�)r�r]r�r�r�)r�r]r�r�r�r�)r�r]r�r�r�r�r�r�)r�r�r]r�r�r�r�r�r�r�r�r�z^(\w+):\[([^\]]*)\]z^(/proc/)(\d+)(.*)NTcCs�||_||_i|_d|_d|_d|_d|_d|_d|_d|_	d|_
d|_g|_g|_
d|_d|_d|_d|_d|_g|_|�|�dSr)�audit_event�query_environment�template_substitutions�tpath�spath�source�
source_pkgr��scontext�tcontext�tclass�port�src_rpms�tgt_rpmsr,�pid�kmodr��why�bools� derive_avc_info_from_audit_event)rJr��
avc_recordr�rrrrD�s*zAVC.__init__cCs|��Sr)�
format_avcrOrrrrP�szAVC.__str__cCsNd}|d|j7}|d|j7}|d|j7}|d|j7}|d|j7}|S)Nr�zscontext=%s ztcontext=%s z
access=%s z
tclass=%s z	tpath=%s )r�r�r�r�r�)rJrrrrr��szAVC.format_avccCs,|jdurdS|jD]}||vrdSqdS)zMReturns true if the AVC contains _any_ of the permissions in the access list.NFT�r��rJZaccess_list�arrr�has_any_access_in�s

zAVC.has_any_access_incCs,|jdurdS|jD]}||vrdSqdS)zmReturns true if _every_ access in the AVC matches at
        least one of the permissions in the access list.NFTr�r�rrr�all_accesses_are_in�s

zAVC.all_accesses_are_inc
Cs�t�t�}|��t�}|��g}dd�dd�ttgt|jjt	|j
t|ji�D�D�}|}|D]$}||vrb|�
ttt|��d�qb|D]}||vr�||vr�|�|�q�|��|S)NcSsg|]}|t�qSr)ZTARGETr7rrrr9�rz,AVC.allowed_target_types.<locals>.<listcomp>cSsg|]}|dr|�qS)Zenabledr)r8rrrrr9�r�types)Zget_all_file_typesZget_all_port_typesr�Zget_all_attributesr�ALLOW�SOURCEr�r@ZCLASSr�ZPERMSr��extend�next�infoZ	ATTRIBUTEr�)rJZ	all_typesZall_attributesZ
allowed_typesZwtypesr��trrr�allowed_target_types�s 4zAVC.allowed_target_typescCsB|�dg�r>z$|jr.t|j�t@tjkr.WdSWnYn0dS)Nr�TF)r��a1r*�	O_ACCMODE�os�O_RDONLYrOrrr�open_with_write�s
zAVC.open_with_writecCs"|D]}t�||j�rdSqdS)NTF)rr-r@)rJ�context�	type_listr@rrrZ__typeMatch�szAVC.__typeMatchcCs|jdurdS|�|j|�S)zReturns true if the type in the source context of the
        avc regular expression matches any of the types in the type list.NF)r��_AVC__typeMatch�rJrrrr�matches_source_types�s
zAVC.matches_source_typescCs|jdurdS|�|j|�S)zReturns true if the type in the target context of the
        avc regular expression matches any of the types in the type list.NF)r�r
rrrr�matches_target_types�s
zAVC.matches_target_typescCs|jdurdS|j|vS)NF)r�)rJZtclass_listrrr�
has_tclass_in�s
zAVC.has_tclass_incCs|��|��dSr)�derive_environmental_info�%update_derived_template_substitutionsrOrrr�updatesz
AVC.updatecCst|j�Sr)�is_standard_directoryr�rOrrr�path_is_not_standard_directorysz"AVC.path_is_not_standard_directoryc	Cs�|j�d�}|j�d�}|j�d�}|dur�|j�d�}|D]D}|�d�}|rX|dkrXq<|�d�}|r<|r<|dkr<|�|�r<q�q<|r�tj�|�s�|dur�tj�|�r�tj�tj�	||��}|du�r"|j�d�}|du�r"|j�d�}|d	kr�d
|}n(|dk�r|dk�r|}nd
|}n|}|du�r�|dk�r|�rg}	�z�d
}
|j�d�}tj�
d|��rvt�d|�j}
t
|�}tdd�}
|
���d�D]�}|��}t|��r�|dd
dk�r�zP|
d
k�s�t�|d
�j|
k�rt
t�|d�j�|k�r|	�|dd��Wnt�y(Y�q�Yn0�q�|
��t|	�dk�rR|	d
d}n�t|	�dk�r�|	D]�}|d
d|k�s�|d|k�r�|d}�q�nJz4|
d
k�r�t�|d
�j|
k�r�|d}W�q�Wnt�y�Yn0�qdWn.t�yd}Ynt�yd}Yn0n�|�d�dk�r�|�r�d
dl}ddd|g}zl|j||jdd�}t
|�}|�d�D]B}z&t
t�|�j�|k�r�|}W�q�Wnt�y�Yn0�qlWnt�y�Yn0|du�r$tj�|��r�|j�d|�}n4|j� |�}|�r|j!}|d
dk�r$d |�"d�}||_#|j#du�r~|j!d!k�rJd"|_#n4|j!d#k�sb|j!d$k�rtt$d%�|j%|_#n
t$d&�|_#dS)'a�Derive the target path.

        If path information is available the avc record will have a path field
        and no name field because the path field is more specific and supersedes
        name. The name field is typically the directory entry.

        For some special files the kernel embeds instance information
        into the file name. For example 'pipe:[1234]' or 'socket:[1234]'
        where the number inside the brackets is the inode number. The proc
        pseudo file system has the process pid embedded in the name, for
        example '/proc/1234/mem'. These numbers are ephemeral and do not
        contribute meaningful information for our reports. Plus we may use
        the path information to decide if an alert is identical to a
        previous alert, we coalesce them if they are. The presence of an
        instance specific number in the path confuses this comparison.
        For these reasons we strip any instance information out of the
        path,

        Example input and output:

        pipe:[1234]    --> pipe
        socket:[1234]  --> socket
        /proc/1234/fd  --> /proc/<pid>/fd
        ./foo          --> ./foo
        /etc/sysconfig --> /etc/sysconfig
        r^r��inoN�PATHZnametypeZPARENTr�r��%sr��/r�devz/dev/z/proc/mounts�rr�r1rz/dev/%sr!zunknown mountpointFZlocatez-bz\%sT)�stderrZuniversal_newlinesz	\1<pid>\3��@Z
filesystemr�Z
udp_socketZ
tcp_socketzport %sZUnknown)&r�r�r�r��endswithrr��isabs�normpathrI�exists�lstat�st_rdevr*r�r�rGrH�stat�st_inor��OSError�close�	TypeErrorr��
subprocessZcheck_outputZSTDOUT�	Exception�proc_pid_instance_re�sub�pipe_instance_path_rerr�r�r��_r�)rJrr^r�ZinodestrZavc_path_recordsZavc_path_recordrr��matchesZdev_rdevrr�fdr�rr+Zcommand�outputr�r-rrr�
_set_tpaths�

$







:  �
zAVC._set_tpathc
Cs�d|_d|_d|_d|_d|_g|_d}}}}|r@||_n|j��|_|j�	d�}|j�
d�|_t|j
t�s�t|j�
d��|_
t|jt�s�t|j�
d��|_|j�
d�|_|j�
d�dur�|j�
d�|_n|j�
d�|_|j�
d	�|_|j�
d
�|_|�r<|�
d�}|�
d�}|�
d
�|_|�
d�dk|_|�
d�|_|du�rR|j�
d�}|du�rh|j�
d�}||_|�r|||_n|�r�|j|_|j�s�|j|_|j�s�|j
j|_|j�	d�}|�r�|�
d�}nd}|�|�|j�d�}	|	D]H}
|
�
d�}tj�|��s
|�s|j�|�n|j�tj�||���q�g|_g|_|jjj |_ t!�"t#|j
�t#|j�t#|j�|j�\|_$}|j$t!j%k�r�t&t'd�|j��|j$t!j(k�r�t&t'd�|j��|j$t!j)k�r�t&t'd���|j$t!j*k�r�t&t'd�|j��|j$t!j+k�rt&t'd�|j��|j$t!j,k�r.t&t'd�|j��|j$t!j-k�rNt&t'd�|j��|j$t!j.k�rht&t'd���|j$t!j/k�r|||_0dS)NFZSYSCALLrtr�r�r��dest�srcr�r�r�r~r��successZyesrZCWDrrr^z8%s 
**** Recorded AVC is allowed in current policy ****
zh%s 
**** Recorded AVC is dontaudited in current policy. 'semodule -B' will turn on dontaudit rules ****
zMust call policy_init firstz.%s 
**** Invalid AVC: bad target context ****
z.%s 
**** Invalid AVC: bad source context ****
z*%s 
**** Invalid AVC: bad type class ****
z*%s 
**** Invalid AVC: bad permission ****
z&Error during access vector computation)1r�r�r�rr7Z
syscall_pathsr�r�r�r�r�r�rEr�rr�r�r�r�r�r�r@r4r�rr�r!r�rIr�r�rr,�	audit2whyZanalyzerRr�r�r�r0Z	DONTAUDITZNOPOLICYZBADTCONZBADSCONZ	BADTCLASSZBADPERMZ
BADCOMPUTEZBOOLEANr�)
rJr�r�r~r�r�Zsyscall_recordZ
cwd_recordrZpath_recordsZpath_recordr�r�rrrr��s�






*z$AVC.derive_avc_info_from_audit_eventcCsT|jrP|jr,t|j�|_|jr,|j�|j�t|j�sPt|j�}|rP|j�|�dSr)	r�r�Zget_package_nvr_by_file_pathr�r�r�rr�r�)rJZrpmrrrrs

zAVC.derive_environmental_infocCs|jdur||_dSr)r�r�rrr�set_alt_paths
zAVC.set_alt_pathcKs(t|���D]\}}|r||j|<qdSr)rZr�r�)rJ�kwdsr�r�rrr�set_template_substitutionsszAVC.set_template_substitutionscCsVt|jj�|jd<t|jj�|jd<t|j�|jd<t|j�|jd<|jrdt�ddt|j��|jd<t|j	�|jd<|j	r�t�ddt|j	��|jd	<|j	dur�d|jd
<nJ|j
dkr�t|j	�|jd
<n.|j
dkr�ttj�
|j	��|jd
<n
d|jd
<t|j
�|jd
<|jdu�rd|jd<ntd�|j��|jd<t|j�|jd<t|j�|jd<dS)NZSOURCE_TYPEZTARGET_TYPErZSOURCE_PATHr��.ZFIX_SOURCE_PATHZTARGET_PATHZFIX_TARGET_PATHZ
TARGET_DIRr�r�ZTARGET_CLASSZACCESSZSOURCE_PACKAGEZPORT_NUMBER)�escape_htmlr�r@r�r�r�r�rr.r�r�rr��dirnamer�rIr�r�rOrrrr$s,



z)AVC.update_derived_template_substitutionscCs6t|j���D]"\}}|durtt|��|j|<qdSr)rZr�r�r=Zdefault_text)rJr�r�rrr�validate_template_substitutionsCsz#AVC.validate_template_substitutions)NT)7r_r`raZstat_file_permsZx_file_permsZr_file_permsZ
rx_file_permsZ
ra_file_permsZlink_file_permsZcreate_lnk_permsZcreate_file_permsZr_dir_permsZrw_dir_permsZra_dir_permsZcreate_dir_permsZmount_fs_permsZsearch_dir_permsZgetattr_dir_permsZsetattr_dir_permsZlist_dir_permsZadd_entry_dir_permsZdel_entry_dir_permsZmanage_dir_permsZgetattr_file_permsZsetattr_file_permsZread_file_permsZappend_file_permsZwrite_file_permsZ
rw_file_permsZdelete_file_permsZmanage_file_permsrr�r/r-rDrPr�r�r�rr
r
rrrrrr4r�rr9r;rr?rrrrresf



	"frcCs�g}zndD]d}|�|�}|D]P}z|�t||��Wqtyj}z|�|jd|�WYd}~qd}~00qq
WnRty�}z:ddl}ddl}|�|jd|�t|�	��WYd}~n
d}~00|S)Nrrrrz!Unable to process audit event: %s)
r�r�rr��syslogZLOG_ERRr,�	tracebackZsyslog_trace�
format_exc)r�Zavcsrr�r��er@rArrrrJs
0"r)*Z
__future__rrFZ	six.movesrr��__all__r�r�rr�rrQ�base64r�Zselinux.audit2whyr8Zsetroubleshoot.utilZsetroubleshoot.html_utilZsetroubleshoot.xml_serializeZsepolicyr�cmprrr�r(rr3r4r5r6ZXmlSerializerrr
rr	r,r�rrrrrr�<module>sP


)<*Mjh