Make the selinux-overlord.py more efficient

This commit is contained in:
Luke Macken 2009-10-13 14:43:18 -04:00
parent c903712a26
commit d30ed1b1b3


@ -36,7 +36,6 @@ class SELinuxOverlord(Overlord):
self.minion_glob = minions self.minion_glob = minions
def get_selinux_status(self): def get_selinux_status(self):
""" Get the SELinux status of all minions """
results = self.command.run('/usr/sbin/getenforce') results = self.command.run('/usr/sbin/getenforce')
for minion, result in results.iteritems(): for minion, result in results.iteritems():
@ -44,26 +43,21 @@ class SELinuxOverlord(Overlord):
print "[%s] Error: %s" % (minion, result) print "[%s] Error: %s" % (minion, result)
else: else:
self.selinux_status[result[stdout].strip()].append(minion) self.selinux_status[result[stdout].strip()].append(minion)
self.selinux_minions[minion] = {}
for key in self.selinux_status: for key in self.selinux_status:
self.selinux_status[key].sort() self.selinux_status[key].sort()
return self.selinux_status return self.selinux_status
def get_selinux_denials(self): def get_selinux_denials(self, minion):
""" Return all AVC denials from this week """ overlord = Overlord(minion)
if len(self.selinux_minions): return overlord.command.run('ausearch -m AVC -ts this-week --input-logs')[minion]
for minion, result in self.selinux_minions.iteritems():
yield minion, result
else:
results = self.command.run('ausearch -m AVC -ts this-week --input-logs')
for minion, result in results.iteritems():
self.selinux_minions[minion] = result
yield minion, result
def dump_selinux_denials(self): def dump_selinux_denials(self):
""" Write out all SELinux denials for all minions """ """ Write out all SELinux denials for all minions """
for minion, result in self.get_selinux_denials(): for minion in self.selinux_minions:
result = self.get_selinux_denials(minion)
if not result[status]: if not result[status]:
out = file(minion, 'w') out = file(minion, 'w')
out.write(result[stdout]) out.write(result[stdout])
@ -78,16 +72,17 @@ class SELinuxOverlord(Overlord):
print "[%s] Problem running ausearch: %r" % (minion, result) print "[%s] Problem running ausearch: %r" % (minion, result)
def get_enforced_denials(self): def get_enforced_denials(self):
""" Print all denials from SELinux-enforcing minions """ """ Get a quick list of SELinux denials on enforced hosts """
for minion, result in self.get_selinux_denials(): for minion in self.selinux_status['Enforcing']:
if minion not in self.selinux_status['Enforcing']: overlord = Overlord(minion)
continue audit2allow = overlord.command.run('audit2allow -la')
if not result[status]: for m, r in audit2allow.iteritems():
overlord = Overlord(minion) if r[stdout].strip():
audit2allow = overlord.command.run('audit2allow -la') print "[%s]\n%s\n" % (m, r[stdout])
for m, r in audit2allow.iteritems(): audit2allow = overlord.command.run('audit2allow -l -i /var/log/messages')
if r[stdout].strip(): for m, r in audit2allow.iteritems():
print "[%s]\n%s\n" % (m, r[stdout]) if r[stdout].strip():
print "[%s]\n%s\n" % (m, r[stdout])
def upgrade_policy(self): def upgrade_policy(self):
""" Update the SELinux policy across the given minions """ """ Update the SELinux policy across the given minions """
@ -102,10 +97,10 @@ class SELinuxOverlord(Overlord):
print "Upgrading SELinux policy..." print "Upgrading SELinux policy..."
job_id = async_client.command.run('yum -y update selinux*') job_id = async_client.command.run('yum -y update selinux*')
running = True running = True
while running: while running:
time.sleep(20) time.sleep(20)
return_code, results = async_client.job_status(job_id) return_code, results = async_client.job_status(job_id)
if return_code == jobthing.JOB_ID_RUNNING: if return_code == jobthing.JOB_ID_RUNNING:
continue continue
@ -129,7 +124,7 @@ class SELinuxOverlord(Overlord):
if __name__ == '__main__': if __name__ == '__main__':
parser = OptionParser('usage: %prog [options] [minion(s)]') parser = OptionParser('usage: %prog [options] [minion1[;minion2]]')
parser.add_option('-s', '--status', action='store_true', dest='status', parser.add_option('-s', '--status', action='store_true', dest='status',
help='Display the SELinux status of all minions') help='Display the SELinux status of all minions')
parser.add_option('-e', '--enforced-denials', action='store_true', parser.add_option('-e', '--enforced-denials', action='store_true',
@ -143,9 +138,9 @@ if __name__ == '__main__':
minions = len(args) > 0 and ';'.join(args) or '*' minions = len(args) > 0 and ';'.join(args) or '*'
overlord = SELinuxOverlord(minions) overlord = SELinuxOverlord(minions)
if opts.status or opts.enforced_denials: print "Determining SELinux status on minions: %s" % minions
print "Determining SELinux status on minions: %s" % minions pprint(overlord.get_selinux_status())
pprint(overlord.get_selinux_status())
if opts.enforced_denials: if opts.enforced_denials:
print "Finding enforced SELinux denials..." print "Finding enforced SELinux denials..."
overlord.get_enforced_denials() overlord.get_enforced_denials()
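Review bot: In get_enforced_denials (third hunk) both new loops print `r[stdout]` only when it is non-empty and never inspect `r[status]`, so an audit2allow run that fails on an Enforcing minion (tool missing, /var/log/messages unreadable) produces no output and is indistinguishable from "no denials" — the old code at least gated on the ausearch return status, and dump_selinux_denials still reports its failures. Add an error branch before the stdout test, e.g. `if r[status]: print "[%s] Problem running audit2allow: %r" % (m, r)` followed by `elif r[stdout].strip(): ...`. Since the two passes differ only in the audit2allow arguments, a small helper lets both share that check; the rewrite below shows one way. Note too that the new path opens one Overlord per Enforcing minion and issues two commands each, so it makes more round trips than the old single broadcast, which seems at odds with the commit title. The `__main__` block in the last hunk may continue past the visible end of the page.
```python
    def _print_audit2allow(self, overlord, args):
        """ Print non-empty audit2allow output, reporting failed runs explicitly """
        for m, r in overlord.command.run('audit2allow %s' % args).iteritems():
            if r[status]:
                print "[%s] Problem running audit2allow: %r" % (m, r)
            elif r[stdout].strip():
                print "[%s]\n%s\n" % (m, r[stdout])

    def get_enforced_denials(self):
        """ Get a quick list of SELinux denials on enforced hosts """
        for minion in self.selinux_status['Enforcing']:
            overlord = Overlord(minion)
            self._print_audit2allow(overlord, '-la')
            self._print_audit2allow(overlord, '-l -i /var/log/messages')
```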