diff options
Diffstat (limited to 'lib/python2.7/site-packages/setools/userquery.py')
-rw-r--r-- | lib/python2.7/site-packages/setools/userquery.py | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/lib/python2.7/site-packages/setools/userquery.py b/lib/python2.7/site-packages/setools/userquery.py new file mode 100644 index 0000000..00910cf --- /dev/null +++ b/lib/python2.7/site-packages/setools/userquery.py @@ -0,0 +1,116 @@ +# Copyright 2014-2015, Tresys Technology, LLC +# +# This file is part of SETools. +# +# SETools is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as +# published by the Free Software Foundation, either version 2.1 of +# the License, or (at your option) any later version. +# +# SETools is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with SETools. If not, see +# <http://www.gnu.org/licenses/>. +# +import logging +import re + +from . import compquery +from .descriptors import CriteriaDescriptor, CriteriaSetDescriptor + + +class UserQuery(compquery.ComponentQuery): + + """ + Query SELinux policy users. + + Parameter: + policy The policy to query. + + Keyword Parameters/Class attributes: + name The user name to match. + name_regex If true, regular expression matching + will be used on the user names. + roles The attribute to match. + roles_equal If true, only types with role sets + that are equal to the criteria will + match. Otherwise, any intersection + will match. + roles_regex If true, regular expression matching + will be used on the role names instead + of set logic. + level The criteria to match the user's default level. + level_dom If true, the criteria will match if it dominates + the user's default level. + level_domby If true, the criteria will match if it is dominated + by the user's default level. + level_incomp If true, the criteria will match if it is incomparable + to the user's default level. + range_ The criteria to match the user's range. + range_subset If true, the criteria will match if it is a subset + of the user's range. + range_overlap If true, the criteria will match if it overlaps + any of the user's range. + range_superset If true, the criteria will match if it is a superset + of the user's range. + range_proper If true, use proper superset/subset operations. + No effect if not using set operations. + """ + + level = CriteriaDescriptor(lookup_function="lookup_level") + level_dom = False + level_domby = False + level_incomp = False + range_ = CriteriaDescriptor(lookup_function="lookup_range") + range_overlap = False + range_subset = False + range_superset = False + range_proper = False + roles = CriteriaSetDescriptor("roles_regex", "lookup_role") + roles_equal = False + roles_regex = False + + def results(self): + """Generator which yields all matching users.""" + self.log.info("Generating results from {0.policy}".format(self)) + self.log.debug("Name: {0.name!r}, regex: {0.name_regex}".format(self)) + self.log.debug("Roles: {0.roles!r}, regex: {0.roles_regex}, " + "eq: {0.roles_equal}".format(self)) + self.log.debug("Level: {0.level!r}, dom: {0.level_dom}, domby: {0.level_domby}, " + "incomp: {0.level_incomp}".format(self)) + self.log.debug("Range: {0.range_!r}, subset: {0.range_subset}, overlap: {0.range_overlap}, " + "superset: {0.range_superset}, proper: {0.range_proper}".format(self)) + + for user in self.policy.users(): + if not self._match_name(user): + continue + + if self.roles and not self._match_regex_or_set( + user.roles, + self.roles, + self.roles_equal, + self.roles_regex): + continue + + if self.level and not self._match_level( + user.mls_level, + self.level, + self.level_dom, + self.level_domby, + self.level_incomp): + continue + + if self.range_ and not self._match_range( + user.mls_range, + self.range_, + self.range_subset, + self.range_overlap, + self.range_superset, + self.range_proper): + continue + + yield user |