#!/usr/bin/python3
import sys
from collections import defaultdict

import setools
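def build_ddict(p):
    """Map every type and attribute name to the names whose rules can cover it.

    For a type ``t`` the list is ``[t, attr1, attr2, ...]``: the type itself
    plus every attribute it belongs to, because a rule written on an
    attribute applies to all of the attribute's members.  For an attribute
    ``a`` the list is ``a`` plus every *other* attribute whose member set is
    a superset of ``a``'s (two attributes with identical members therefore
    cover each other).  Each name appears exactly once.

    Args:
        p: a loaded ``setools.SELinuxPolicy`` (anything exposing ``types()``,
           ``typeattributes()``, ``Type.attributes()`` and
           ``TypeAttribute.expand()`` works).

    Returns:
        dict mapping a type/attribute name to the list of covering names,
        the name itself first.
    """
    res = {}
    for t in p.types():
        res[str(t)] = [str(t)] + [str(a) for a in t.attributes()]
    # Attribute name -> frozenset of member type names, for superset tests.
    exp = {str(a): frozenset(str(b) for b in a.expand())
           for a in p.typeattributes()}
    for a, members in exp.items():
        # Skip ``a`` itself here: it is already listed first, and listing it
        # twice made the analysis visit (and print) every covering rule twice.
        res[a] = [a] + [b for b, other in exp.items()
                        if b != a and other >= members]
    return res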
def hash_rules(rules):
    """Index TE rules by their ``(source, target, class)`` name triple.

    Every component is converted with ``str`` so that a type, attribute or
    class object keys the same way as its name.  The result is a
    ``defaultdict(list)``: looking up a triple that has no rules yields an
    empty list instead of raising ``KeyError``.
    """
    by_key = defaultdict(list)
    for rule in rules:
        key = tuple(str(part) for part in (rule.source, rule.target, rule.tclass))
        by_key[key].append(rule)
    return by_key
def covby_cond(r1, r2):
    """Return True when r2's conditional context is at least as broad as r1's.

    r2 covers r1 if r2 is unconditional, or if both rules are conditional on
    the same boolean expression *and* sit in the same branch of it.  A
    conditional r2 never covers an unconditional r1.  Conditionality is
    detected via ``hasattr(rule, 'conditional')``, matching how setools
    exposes the attribute.
    """
    if not hasattr(r2, 'conditional'):
        return True
    if not hasattr(r1, 'conditional'):
        return False
    same_expression = r2.conditional == r1.conditional
    same_branch = r2.conditional_block == r1.conditional_block
    return same_expression and same_branch
def covby_allow(r1, r2):
    """Decide whether allow rule r2 covers allow rule r1.

    Assumes the caller already matched source, target and class; r2 covers
    r1 when it grants every permission r1 grants and its conditional
    context (see ``covby_cond``) is at least as broad.
    """
    grants_all = (r2.perms & r1.perms) == r1.perms
    return grants_all and covby_cond(r1, r2)
def covby_ft(r1, r2):
    """Decide whether name-based transition r2 covers r1 (same src/tgt/class).

    The two rules must key on the same filename; the default type is not
    compared here — presumably because two name-based transitions for the
    same source/target/class/name with different defaults would not build
    (TODO confirm before relying on that).  The conditional context must
    also satisfy ``covby_cond``.
    """
    same_name = r1.filename == r2.filename
    return same_name and covby_cond(r1, r2)
def covby_tt(r1, r2):
    """Decide whether type_transition rule r2 covers r1 (same src/tgt/class).

    Only the conditional context is compared; the default type is not,
    presumably because two transitions for the same source/target/class
    with different defaults would conflict at policy build time — TODO
    confirm before acting on the result.
    """
    same_context = covby_cond(r1, r2)
    return same_context
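def analyze_rules(ddict, rules, covby_func):
    """Report every rule in ``rules`` that is covered by another rule in it.

    r2 covers r1 when both have the same object class, r2's source and
    target are r1's own or an attribute that ``ddict`` lists as covering
    them, and ``covby_func(r1, r2)`` is true.  For each covered rule the
    covering rules are printed first, then ``cover``, the covered rule, a
    running count, and ``===``.  A final ``covered/processed`` summary is
    printed at the end.

    Caveats for anyone removing rules based on this output:

    * Coverage is not antisymmetric: two rules that cover each other (for
      example identical rules, or rules on attributes with identical
      members) are *both* reported.  Only one of each such pair can be
      dropped — remove one rule at a time and re-run.
    * Coverage through an attribute only holds while the type is a member
      of that attribute.  Dropping the type-level rule makes that access
      depend on attribute membership staying as it is today.

    Args:
        ddict: name -> list of names whose rules may cover it (see
            ``build_ddict``).  Names missing from it fall back to
            exact-name matching.
        rules: the rules of one kind (all allow, all type_transition, ...).
            Iterated twice, so a generator is materialised first.
        covby_func: predicate ``(r1, r2) -> bool`` deciding whether r2
            covers r1 once source/target/class already match.

    Returns:
        ``(covered, processed)`` counts.  Earlier versions returned None;
        the printed output is unchanged apart from the running count now
        including the rule it is reported for.
    """
    rules = list(rules)
    rule_dict = hash_rules(rules)
    total_covered = 0
    total_processed = 0
    for r1 in rules:
        cls = str(r1.tclass)
        src_name = str(r1.source)
        tgt_name = str(r1.target)
        covering = []
        seen = set()
        for src in ddict.get(src_name, [src_name]):
            for tgt in ddict.get(tgt_name, [tgt_name]):
                for r2 in rule_dict[(src, tgt, cls)]:
                    # A name listed twice in ddict would otherwise yield
                    # the same covering rule twice; dedupe by identity.
                    if r1 != r2 and id(r2) not in seen and covby_func(r1, r2):
                        seen.add(id(r2))
                        covering.append(r2)
        # Count this rule before reporting so the running total is
        # "N of M" over the rules seen so far, not one behind.
        total_processed += 1
        if covering:
            total_covered += 1
            for r2 in covering:
                print(str(r2))
            print('cover')
            print(str(r1))
            print('so far {0} of {1} rules are redundant'.format(total_covered, total_processed))
            print('===')
    print('{0}/{1} redundant rules in total'.format(total_covered, total_processed))
    return total_covered, total_processed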
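print('Loading policy...')
# Optional first argument: path of a binary policy file to analyse.  With
# no argument setools loads the policy of the running system, as before.
p = setools.SELinuxPolicy(*sys.argv[1:2])
print('Indexing attributes...')
ddict = build_ddict(p)
print('Sorting rules...')
rules_allow = []
rules_tt = []
rules_ft = []
for r in p.terules():
    # Classification relies on setools exposing ``filename`` only on
    # name-based transitions and ``perms`` only on access-vector rules.
    if hasattr(r, 'filename'):
        rules_ft.append(r)
    elif hasattr(r, 'perms'):
        if r.ruletype == setools.TERuletype.allow:
            rules_allow.append(r)
    elif r.ruletype == setools.TERuletype.type_transition:
        rules_tt.append(r)
print('Analyzing allow rules...')
analyze_rules(ddict, rules_allow, covby_allow)
# The transition passes stay disabled as in the original script.  Note the
# type_transition pass must be fed rules_tt; it previously re-used rules_ft.
#print('Analyzing filename transition rules...')
#analyze_rules(ddict, rules_ft, covby_ft)
#print('Analyzing type transition rules...')
#analyze_rules(ddict, rules_tt, covby_tt)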