* Re: How should I run genfscon in my module?
From: Karl MacMillan @ 2006-10-31 21:48 UTC (permalink / raw)
To: Stephen Smalley
Cc: Dawid Gajownik, Joshua Brindle, fedora-selinux-list, SELinux List
On Tue, 2006-10-31 at 12:49 -0500, Stephen Smalley wrote:
> On Sun, 2006-10-29 at 21:06 +0100, Dawid Gajownik wrote:
> > On 10/29/2006 06:33 PM, user Joshua Brindle wrote:
> > > Right, that's a hard fix I think, dashes aren't allowed in
> > > identifiers and they are treated specially for use in MLS ranges..
> >
> > Oh, that's really bad :( Without that line files on ntfs-3g filesystem
> > have unlabeled_t type and I would need to give too many privileges to
> > mount_t domain.
> >
> > So there is no hope to fix it in the clean way?
>
> File it as a bug against checkpolicy.
I looked at fixing this by changing genfscon to use user_identifier
instead of identifier (they are the same except user_identifier includes
"-"). This made checkpolicy generate a syntax error for all genfscon
statements - haven't tracked down what the problem is. The grammar still
seems to be unambiguous.
I'll try to get back to it soon, but thought I would post this in case
someone knows what the issue is off the top of their head.
Karl
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: How should I run genfscon in my module?
From: Stephen Smalley @ 2006-11-01 13:32 UTC (permalink / raw)
To: Karl MacMillan
Cc: Dawid Gajownik, Joshua Brindle, fedora-selinux-list, SELinux List
On Tue, 2006-10-31 at 16:48 -0500, Karl MacMillan wrote:
> On Tue, 2006-10-31 at 12:49 -0500, Stephen Smalley wrote:
> > On Sun, 2006-10-29 at 21:06 +0100, Dawid Gajownik wrote:
> > > On 10/29/2006 06:33 PM, user Joshua Brindle wrote:
> > > > Right, that's a hard fix I think, dashes aren't allowed in
> > > > identifiers and they are treated specially for use in MLS ranges..
> > >
> > > Oh, that's really bad :( Without that line files on ntfs-3g filesystem
> > > have unlabeled_t type and I would need to give too many privileges to
> > > mount_t domain.
> > >
> > > So there is no hope to fix it in the clean way?
> >
> > File it as a bug against checkpolicy.
>
> I looked at fixing this by changing genfscon to use user_identifier
> instead of identifier (they are the same except user_identifier includes
> "-"). This made checkpolicy generate a syntax error for all genfscon
> statements - haven't tracked down what the problem is. The grammar still
> seems to be unambiguous.
Use "user_id" instead. Otherwise, you'll get a syntax error when the
token is classified as an IDENTIFIER (first match) and the grammar says
that it must be a USER_IDENTIFIER.
>
> I'll try to get back to it soon, but thought I would post this in case
> someone knows what the issue is off the top of their head.
>
> Karl
--
Stephen Smalley
National Security Agency
* Re: How should I run genfscon in my module?
From: Karl MacMillan @ 2006-11-01 15:21 UTC (permalink / raw)
To: Stephen Smalley
Cc: Dawid Gajownik, Joshua Brindle, fedora-selinux-list, SELinux List
On Wed, 2006-11-01 at 08:32 -0500, Stephen Smalley wrote:
> On Tue, 2006-10-31 at 16:48 -0500, Karl MacMillan wrote:
> > On Tue, 2006-10-31 at 12:49 -0500, Stephen Smalley wrote:
> > > On Sun, 2006-10-29 at 21:06 +0100, Dawid Gajownik wrote:
> > > > On 10/29/2006 06:33 PM, user Joshua Brindle wrote:
> > > > > Right, that's a hard fix I think, dashes aren't allowed in
> > > > > identifiers and they are treated specially for use in MLS ranges..
> > > >
> > > > Oh, that's really bad :( Without that line files on ntfs-3g filesystem
> > > > have unlabeled_t type and I would need to give too many privileges to
> > > > mount_t domain.
> > > >
> > > > So there is no hope to fix it in the clean way?
> > >
> > > File it as a bug against checkpolicy.
> >
> > I looked at fixing this by changing genfscon to use user_identifier
> > instead of identifier (they are the same except user_identifier includes
> > "-"). This made checkpolicy generate a syntax error for all genfscon
> > statements - haven't tracked down what the problem is. The grammar still
> > seems to be unambiguous.
>
> Use "user_id" instead. Otherwise, you'll get a syntax error when the
> token is classified as an IDENTIFIER (first match) and the grammar says
> that it must be a USER_IDENTIFIER.
Right as usual.
Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk/checkpolicy/policy_parse.y (revision 2076)
+++ trunk/checkpolicy/policy_parse.y (working copy)
@@ -679,11 +679,11 @@
genfs_contexts : genfs_context_def
| genfs_contexts genfs_context_def
;
-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
+genfs_context_def : GENFSCON user_id path '-' identifier security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
+ | GENFSCON user_id path '-' '-' {insert_id("-", 0);} security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path security_context_def
+ | GENFSCON user_id path security_context_def
{if (define_genfs_context(0)) return -1;}
;
ipv4_addr_def : number '.' number '.' number '.' number
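Review bot: only the filesystem-name slot is widened here; the `'-' identifier` file-type slot and `security_context_def` are untouched, which is correct for the ntfs-3g case, but `user_id` now misdescribes what it matches in these three alternatives. Since `user_id` is `identifier | user_identifier`, switching from `user_identifier` to `user_id` is the right fix for the syntax error on dash-free names; add a one-line comment above `genfs_context_def` saying the slot is a user_id only because filesystem names may contain `-`, so the next reader does not have to reconstruct this thread.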
Signed-off by: Karl MacMillan <kmacmillan@mentalrootkit.com>
* RE: How should I run genfscon in my module?
From: Joshua Brindle @ 2006-11-01 15:27 UTC (permalink / raw)
To: Karl MacMillan, Stephen Smalley
Cc: Dawid Gajownik, fedora-selinux-list, SELinux List
> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
>
> > > I looked at fixing this by changing genfscon to use
> user_identifier
> > > instead of identifier (they are the same except user_identifier
> > > includes "-"). This made checkpolicy generate a syntax
> error for all
> > > genfscon statements - haven't tracked down what the
> problem is. The
> > > grammar still seems to be unambiguous.
> >
> > Use "user_id" instead. Otherwise, you'll get a syntax
> error when the
> > token is classified as an IDENTIFIER (first match) and the grammar
> > says that it must be a USER_IDENTIFIER.
>
> Right as usual.
>
Maybe make user_id more generic as it is no longer only used for users..
* RE: How should I run genfscon in my module?
From: Karl MacMillan @ 2006-11-01 16:09 UTC (permalink / raw)
To: Joshua Brindle
Cc: Stephen Smalley, Dawid Gajownik, fedora-selinux-list,
SELinux List
On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
> >
> > > > I looked at fixing this by changing genfscon to use
> > user_identifier
> > > > instead of identifier (they are the same except user_identifier
> > > > includes "-"). This made checkpolicy generate a syntax
> > error for all
> > > > genfscon statements - haven't tracked down what the
> > problem is. The
> > > > grammar still seems to be unambiguous.
> > >
> > > Use "user_id" instead. Otherwise, you'll get a syntax
> > error when the
> > > token is classified as an IDENTIFIER (first match) and the grammar
> > > says that it must be a USER_IDENTIFIER.
> >
> > Right as usual.
> >
>
> Maybe make user_id more generic as it is no longer only used for users..
Just making it generic would make the user-related parts of the grammar
harder to read. What about this:
Index: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk/checkpolicy/policy_parse.y (revision 2076)
+++ trunk/checkpolicy/policy_parse.y (working copy)
@@ -605,6 +605,8 @@
;
user_id : identifier
| user_identifier
+ ;
+dash_id : user_id
;
user_def : USER user_id ROLES names opt_mls_user ';'
{if (define_user()) return -1;}
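Review bot: `dash_id : user_id ;` is a single-alternative alias with no action, so it is semantically a no-op; that is fine, but because readability is its only purpose, the rule needs a comment stating that it names a `user_id` reused for identifiers that may contain `-` (filesystem names such as ntfs-3g). Without that, a reader has to find the genfscon rules to learn why the alias exists.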
@@ -679,11 +681,11 @@
genfs_contexts : genfs_context_def
| genfs_contexts genfs_context_def
;
-genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
+genfs_context_def : GENFSCON dash_id path '-' identifier security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
+ | GENFSCON dash_id path '-' '-' {insert_id("-", 0);} security_context_def
{if (define_genfs_context(1)) return -1;}
- | GENFSCON identifier path security_context_def
+ | GENFSCON dash_id path security_context_def
{if (define_genfs_context(0)) return -1;}
;
ipv4_addr_def : number '.' number '.' number '.' number
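Review bot: this hunk is behaviourally identical to the earlier `user_id` version of the same three alternatives, since `dash_id` expands to exactly `user_id`; the earlier point therefore still applies, namely that the `'-' identifier` file-type slot is unchanged and only the filesystem-name slot gains `-`. If `dash_id` is meant to be the general "identifier that may contain a dash", it would be more consistent to use it in both slots rather than in one.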
Signed-off by: Karl MacMillan <kmacmillan@mentalrootkit.com>
* RE: How should I run genfscon in my module?
From: Joshua Brindle @ 2006-11-01 16:12 UTC (permalink / raw)
To: Karl MacMillan
Cc: Stephen Smalley, Dawid Gajownik, fedora-selinux-list,
SELinux List
> From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
>
> On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
> > >
> > > > > I looked at fixing this by changing genfscon to use
> > > user_identifier
> > > > > instead of identifier (they are the same except
> user_identifier
> > > > > includes "-"). This made checkpolicy generate a syntax
> > > error for all
> > > > > genfscon statements - haven't tracked down what the
> > > problem is. The
> > > > > grammar still seems to be unambiguous.
> > > >
> > > > Use "user_id" instead. Otherwise, you'll get a syntax
> > > error when the
> > > > token is classified as an IDENTIFIER (first match) and
> the grammar
> > > > says that it must be a USER_IDENTIFIER.
> > >
> > > Right as usual.
> > >
> >
> > Maybe make user_id more generic as it is no longer only
> used for users..
>
> Just making it generic would make the user-related parts of the
> grammar harder to read. What about this:
>
Fine.
> Index: trunk/checkpolicy/policy_parse.y
> ===================================================================
> --- trunk/checkpolicy/policy_parse.y (revision 2076)
> +++ trunk/checkpolicy/policy_parse.y (working copy)
> @@ -605,6 +605,8 @@
> ;
> user_id : identifier
> | user_identifier
> + ;
> +dash_id : user_id
> ;
> user_def : USER user_id ROLES names opt_mls_user ';'
> {if (define_user()) return -1;} @@
> -679,11 +681,11 @@
> genfs_contexts : genfs_context_def
> | genfs_contexts genfs_context_def
> ;
> -genfs_context_def : GENFSCON identifier path '-'
> identifier security_context_def
> +genfs_context_def : GENFSCON dash_id path '-' identifier
> security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path '-' '-'
> {insert_id("-", 0);} security_context_def
> + | GENFSCON dash_id path '-' '-'
> {insert_id("-", 0);}
> +security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path
> security_context_def
> + | GENFSCON dash_id path security_context_def
> {if (define_genfs_context(0)) return -1;}
> ;
> ipv4_addr_def : number '.' number '.' number
> '.' number
>
>
> Signed-off by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
Acked-By: Joshua Brindle <jbrindle@tresys.com>
* RE: How should I run genfscon in my module?
From: Stephen Smalley @ 2006-11-01 18:18 UTC (permalink / raw)
To: Karl MacMillan
Cc: Joshua Brindle, Dawid Gajownik, fedora-selinux-list, SELinux List
On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
> > >
> > > > > I looked at fixing this by changing genfscon to use
> > > user_identifier
> > > > > instead of identifier (they are the same except user_identifier
> > > > > includes "-"). This made checkpolicy generate a syntax
> > > error for all
> > > > > genfscon statements - haven't tracked down what the
> > > problem is. The
> > > > > grammar still seems to be unambiguous.
> > > >
> > > > Use "user_id" instead. Otherwise, you'll get a syntax
> > > error when the
> > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > says that it must be a USER_IDENTIFIER.
> > >
> > > Right as usual.
> > >
> >
> > Maybe make user_id more generic as it is no longer only used for users..
>
> Just making it generic would make the user-related parts of the grammar
> harder to read. What about this:
>
> Index: trunk/checkpolicy/policy_parse.y
> ===================================================================
> --- trunk/checkpolicy/policy_parse.y (revision 2076)
> +++ trunk/checkpolicy/policy_parse.y (working copy)
> @@ -605,6 +605,8 @@
> ;
> user_id : identifier
> | user_identifier
> + ;
> +dash_id : user_id
> ;
> user_def : USER user_id ROLES names opt_mls_user ';'
> {if (define_user()) return -1;}
> @@ -679,11 +681,11 @@
> genfs_contexts : genfs_context_def
> | genfs_contexts genfs_context_def
> ;
> -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
> +genfs_context_def : GENFSCON dash_id path '-' identifier security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> + | GENFSCON dash_id path '-' '-' {insert_id("-", 0);} security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path security_context_def
> + | GENFSCON dash_id path security_context_def
> {if (define_genfs_context(0)) return -1;}
> ;
> ipv4_addr_def : number '.' number '.' number '.' number
>
>
> Signed-off by: Karl MacMillan <kmacmillan@mentalrootkit.com>
Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
Index: checkpolicy/policy_scan.l
===================================================================
--- checkpolicy/policy_scan.l (revision 2076)
+++ checkpolicy/policy_scan.l (working copy)
@@ -200,12 +200,11 @@
h2 |
H2 { return(H2); }
"/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
-{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext))
+{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext))
return(IDENTIFIER);
else
REJECT;
}
-{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
{digit}{digit}* { return(NUMBER); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); }
{version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); }
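Review bot: dashed names now go through `is_valid_identifier(yytext)` and the `REJECT` branch, whereas the removed USER_IDENTIFIER rule returned unconditionally. `is_valid_identifier` is not in this diff, so confirm it accepts `-`; otherwise a name like ntfs-3g is REJECTed on the merged rule and flex falls back to the next-best match, reintroducing the syntax error this thread set out to fix. The `PATH` rule above is unchanged and already admitted `-`, so rule ordering relative to paths is not affected.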
Index: checkpolicy/policy_parse.y
===================================================================
--- checkpolicy/policy_parse.y (revision 2076)
+++ checkpolicy/policy_parse.y (working copy)
@@ -190,7 +190,6 @@
%token NOT AND OR XOR
%token CTRUE CFALSE
%token IDENTIFIER
-%token USER_IDENTIFIER
%token NUMBER
%token EQUALS
%token NOTEQUAL
@@ -522,13 +521,13 @@
| T1 op T2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
if ($$ == 0) return -1; }
- | U1 op { if (insert_separator(1)) return -1; } user_names_push
+ | U1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
if ($$ == 0) return -1; }
- | U2 op { if (insert_separator(1)) return -1; } user_names_push
+ | U2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
- | U3 op { if (insert_separator(1)) return -1; } user_names_push
+ | U3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| R1 op { if (insert_separator(1)) return -1; } names_push
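Review bot: the U1/U2/U3 alternatives now take `names_push`, the same nonterminal the `R1` alternative below already uses, and `names_push` was the first alternative of the `user_names_push` rule deleted later in this patch, so with IDENTIFIER admitting `-` the accepted constraint syntax is unchanged. The `$2` passed to `define_cexpr` still refers to `op` in each alternative because the mid-rule action keeps its position.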
@@ -603,10 +602,7 @@
users : user_def
| users user_def
;
-user_id : identifier
- | user_identifier
- ;
-user_def : USER user_id ROLES names opt_mls_user ';'
+user_def : USER identifier ROLES names opt_mls_user ';'
{if (define_user()) return -1;}
;
opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
@@ -698,7 +694,7 @@
$$ = addr;
}
;
-security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def
+security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
;
opt_mls_range_def : ':' mls_range_def
|
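Review bot: after this change all three fields of `security_context_def` are `identifier`, so the role and type fields gain `-` as a side effect of widening the user field; that matches the stated intent that there is no reason to disallow `-` in any identifier, but the documented identifier syntax should be updated in the same change rather than left wrong. Note that `genfs_context_def` is not touched in this patch: its `identifier` fsname slot picks up dash support purely from the scanner change, which is the actual fix for the ntfs-3g genfscon line.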
@@ -766,23 +762,6 @@
identifier : IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
-user_identifier : USER_IDENTIFIER
- { if (insert_id(yytext,0)) return -1; }
- ;
-user_identifier_push : USER_IDENTIFIER
- { if (insert_id(yytext, 1)) return -1; }
- ;
-user_identifier_list_push : user_identifier_push
- | identifier_list_push user_identifier_push
- | user_identifier_list_push identifier_push
- | user_identifier_list_push user_identifier_push
- ;
-user_names_push : names_push
- | user_identifier_push
- | '{' user_identifier_list_push '}'
- | tilde_push user_identifier_push
- | tilde_push '{' user_identifier_list_push '}'
- ;
path : PATH
{ if (insert_id(yytext,0)) return -1; }
;
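Review bot: the removed `user_identifier_list_push` referenced `identifier_list_push` and `identifier_push`, which survive, so list handling for the U1/U2/U3 constraints continues via `names_push`. Two things to confirm before merging: that `names_push` offers the same `tilde_push` negation forms the deleted `user_names_push` had, so `U1 op ~ { ... }` constraints still parse, and that nothing else in the file references `user_identifier`, `user_identifier_push` or `user_names_push`, since bison treats an undefined nonterminal as an error.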
Builds svn refpolicy trunk with strict-mls, no change in policy.21.
--
Stephen Smalley
National Security Agency
* RE: How should I run genfscon in my module?
From: Karl MacMillan @ 2006-11-02 15:22 UTC (permalink / raw)
To: Stephen Smalley
Cc: Joshua Brindle, Dawid Gajownik, fedora-selinux-list, SELinux List
On Wed, 2006-11-01 at 13:18 -0500, Stephen Smalley wrote:
> On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > > From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
> > > >
> > > > > > I looked at fixing this by changing genfscon to use
> > > > user_identifier
> > > > > > instead of identifier (they are the same except user_identifier
> > > > > > includes "-"). This made checkpolicy generate a syntax
> > > > error for all
> > > > > > genfscon statements - haven't tracked down what the
> > > > problem is. The
> > > > > > grammar still seems to be unambiguous.
> > > > >
> > > > > Use "user_id" instead. Otherwise, you'll get a syntax
> > > > error when the
> > > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > > says that it must be a USER_IDENTIFIER.
> > > >
> > > > Right as usual.
> > > >
> > >
> > > Maybe make user_id more generic as it is no longer only used for users..
> >
> > Just making it generic would make the user-related parts of the grammar
> > harder to read. What about this:
> Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
That's fine with me - there is really no reason to disallow "-" in any
of the identifiers. Makes a lot of documentation wrong, but the docs
being more restrictive isn't a big deal.
>
> Index: checkpolicy/policy_scan.l
> ===================================================================
> --- checkpolicy/policy_scan.l (revision 2076)
> +++ checkpolicy/policy_scan.l (working copy)
> @@ -200,12 +200,11 @@
> h2 |
> H2 { return(H2); }
> "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
> -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext))
> +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext))
> return(IDENTIFIER);
> else
> REJECT;
> }
> -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
> {digit}{digit}* { return(NUMBER); }
> {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); }
> {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); }
> Index: checkpolicy/policy_parse.y
> ===================================================================
> --- checkpolicy/policy_parse.y (revision 2076)
> +++ checkpolicy/policy_parse.y (working copy)
> @@ -190,7 +190,6 @@
> %token NOT AND OR XOR
> %token CTRUE CFALSE
> %token IDENTIFIER
> -%token USER_IDENTIFIER
> %token NUMBER
> %token EQUALS
> %token NOTEQUAL
> @@ -522,13 +521,13 @@
> | T1 op T2
> { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
> if ($$ == 0) return -1; }
> - | U1 op { if (insert_separator(1)) return -1; } user_names_push
> + | U1 op { if (insert_separator(1)) return -1; } names_push
> { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
> if ($$ == 0) return -1; }
> - | U2 op { if (insert_separator(1)) return -1; } user_names_push
> + | U2 op { if (insert_separator(1)) return -1; } names_push
> { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
> if ($$ == 0) return -1; }
> - | U3 op { if (insert_separator(1)) return -1; } user_names_push
> + | U3 op { if (insert_separator(1)) return -1; } names_push
> { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
> if ($$ == 0) return -1; }
> | R1 op { if (insert_separator(1)) return -1; } names_push
> @@ -603,10 +602,7 @@
> users : user_def
> | users user_def
> ;
> -user_id : identifier
> - | user_identifier
> - ;
> -user_def : USER user_id ROLES names opt_mls_user ';'
> +user_def : USER identifier ROLES names opt_mls_user ';'
> {if (define_user()) return -1;}
> ;
> opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
> @@ -698,7 +694,7 @@
> $$ = addr;
> }
> ;
> -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def
> +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
> ;
> opt_mls_range_def : ':' mls_range_def
> |
> @@ -766,23 +762,6 @@
> identifier : IDENTIFIER
> { if (insert_id(yytext,0)) return -1; }
> ;
> -user_identifier : USER_IDENTIFIER
> - { if (insert_id(yytext,0)) return -1; }
> - ;
> -user_identifier_push : USER_IDENTIFIER
> - { if (insert_id(yytext, 1)) return -1; }
> - ;
> -user_identifier_list_push : user_identifier_push
> - | identifier_list_push user_identifier_push
> - | user_identifier_list_push identifier_push
> - | user_identifier_list_push user_identifier_push
> - ;
> -user_names_push : names_push
> - | user_identifier_push
> - | '{' user_identifier_list_push '}'
> - | tilde_push user_identifier_push
> - | tilde_push '{' user_identifier_list_push '}'
> - ;
> path : PATH
> { if (insert_id(yytext,0)) return -1; }
> ;
>
> Builds svn refpolicy trunk with strict-mls, no change in policy.21.
>
Acked-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
* RE: How should I run genfscon in my module?
From: Stephen Smalley @ 2006-11-03 17:53 UTC (permalink / raw)
To: Karl MacMillan
Cc: Joshua Brindle, Dawid Gajownik, fedora-selinux-list, SELinux List
On Thu, 2006-11-02 at 10:22 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 13:18 -0500, Stephen Smalley wrote:
> > On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> > > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > > > From: Karl MacMillan [mailto:kmacmillan@mentalrootkit.com]
> > > > >
> > > > > > > I looked at fixing this by changing genfscon to use
> > > > > user_identifier
> > > > > > > instead of identifier (they are the same except user_identifier
> > > > > > > includes "-"). This made checkpolicy generate a syntax
> > > > > error for all
> > > > > > > genfscon statements - haven't tracked down what the
> > > > > problem is. The
> > > > > > > grammar still seems to be unambiguous.
> > > > > >
> > > > > > Use "user_id" instead. Otherwise, you'll get a syntax
> > > > > error when the
> > > > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > > > says that it must be a USER_IDENTIFIER.
> > > > >
> > > > > Right as usual.
> > > > >
> > > >
> > > > Maybe make user_id more generic as it is no longer only used for users..
> > >
> > > Just making it generic would make the user-related parts of the grammar
> > > harder to read. What about this:
>
> > Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
>
> That's fine with me - there is really no reason to disallow "-" in any
> of the identifiers. Makes a lot of documentation wrong, but the docs
> being more restrictive isn't a big deal.
Only possible reason would be to avoid ambiguity in MLS ranges (e.g.
s0-s0:c0.c255), but we already have that problem in checkpolicy from
USER_IDENTIFIER, which is why one has to use spaces around the - in the
range. So it would only matter if someone put a - in a sensitivity or
category name.
>
> >
> > Index: checkpolicy/policy_scan.l
> > ===================================================================
> > --- checkpolicy/policy_scan.l (revision 2076)
> > +++ checkpolicy/policy_scan.l (working copy)
> > @@ -200,12 +200,11 @@
> > h2 |
> > H2 { return(H2); }
> > "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
> > -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext))
> > +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext))
> > return(IDENTIFIER);
> > else
> > REJECT;
> > }
> > -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
> > {digit}{digit}* { return(NUMBER); }
> > {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); }
> > {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); }
> > Index: checkpolicy/policy_parse.y
> > ===================================================================
> > --- checkpolicy/policy_parse.y (revision 2076)
> > +++ checkpolicy/policy_parse.y (working copy)
> > @@ -190,7 +190,6 @@
> > %token NOT AND OR XOR
> > %token CTRUE CFALSE
> > %token IDENTIFIER
> > -%token USER_IDENTIFIER
> > %token NUMBER
> > %token EQUALS
> > %token NOTEQUAL
> > @@ -522,13 +521,13 @@
> > | T1 op T2
> > { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
> > if ($$ == 0) return -1; }
> > - | U1 op { if (insert_separator(1)) return -1; } user_names_push
> > + | U1 op { if (insert_separator(1)) return -1; } names_push
> > { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
> > if ($$ == 0) return -1; }
> > - | U2 op { if (insert_separator(1)) return -1; } user_names_push
> > + | U2 op { if (insert_separator(1)) return -1; } names_push
> > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
> > if ($$ == 0) return -1; }
> > - | U3 op { if (insert_separator(1)) return -1; } user_names_push
> > + | U3 op { if (insert_separator(1)) return -1; } names_push
> > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
> > if ($$ == 0) return -1; }
> > | R1 op { if (insert_separator(1)) return -1; } names_push
> > @@ -603,10 +602,7 @@
> > users : user_def
> > | users user_def
> > ;
> > -user_id : identifier
> > - | user_identifier
> > - ;
> > -user_def : USER user_id ROLES names opt_mls_user ';'
> > +user_def : USER identifier ROLES names opt_mls_user ';'
> > {if (define_user()) return -1;}
> > ;
> > opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
> > @@ -698,7 +694,7 @@
> > $$ = addr;
> > }
> > ;
> > -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def
> > +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
> > ;
> > opt_mls_range_def : ':' mls_range_def
> > |
> > @@ -766,23 +762,6 @@
> > identifier : IDENTIFIER
> > { if (insert_id(yytext,0)) return -1; }
> > ;
> > -user_identifier : USER_IDENTIFIER
> > - { if (insert_id(yytext,0)) return -1; }
> > - ;
> > -user_identifier_push : USER_IDENTIFIER
> > - { if (insert_id(yytext, 1)) return -1; }
> > - ;
> > -user_identifier_list_push : user_identifier_push
> > - | identifier_list_push user_identifier_push
> > - | user_identifier_list_push identifier_push
> > - | user_identifier_list_push user_identifier_push
> > - ;
> > -user_names_push : names_push
> > - | user_identifier_push
> > - | '{' user_identifier_list_push '}'
> > - | tilde_push user_identifier_push
> > - | tilde_push '{' user_identifier_list_push '}'
> > - ;
> > path : PATH
> > { if (insert_id(yytext,0)) return -1; }
> > ;
> >
> > Builds svn refpolicy trunk with strict-mls, no change in policy.21.
> >
>
> Acked-by: Karl MacMillan <kmacmillan@mentalrootkit.com>
>
>
--
Stephen Smalley
National Security Agency
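Stephen's "first match" explanation earlier in the thread and the MLS-range caveat in his last message both come down to how flex picks a rule. The following is an added model of that behaviour, not code from the thread or from checkpolicy: `scan`, `token_names`, `genfscon_fsname_ok`, `RULES_BEFORE` and `RULES_AFTER` are constructed here, the rules are simplified (the `is_valid_identifier` check is omitted), and `example_t` is a placeholder context, not a real policy type.

```python
import re

# Constructed model of the relevant policy_scan.l rules (flex semantics:
# longest match wins; on equal length the rule listed first wins).
# Keyword rules such as "genfscon" precede the identifier rules, as in the
# real scanner.  The is_valid_identifier()/REJECT check is left out.
KEYWORD = ("GENFSCON", r"genfscon")
PATH = ("PATH", r"/[A-Za-z0-9_./-]*")
NUMBER = ("NUMBER", r"[0-9]+")

# Before Stephen's patch: the dash-free IDENTIFIER rule is listed before the
# dashed USER_IDENTIFIER rule, so a name without "-" ties and goes to IDENTIFIER.
RULES_BEFORE = [
    KEYWORD,
    PATH,
    ("IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.]*"),
    ("USER_IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.-]*"),
    NUMBER,
]

# After the patch: USER_IDENTIFIER is folded into IDENTIFIER, which admits "-".
RULES_AFTER = [
    KEYWORD,
    PATH,
    ("IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.-]*"),
    NUMBER,
]

PUNCT = {"-", ":", ".", ";"}  # single-character tokens the grammar uses literally


def scan(text, rules):
    """Tokenize like flex: at each offset try every rule, keep the longest
    match, and on a tie keep the earliest rule (Stephen's "first match")."""
    compiled = [(name, re.compile(rx)) for name, rx in rules]
    tokens, i = [], 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        best = None
        for name, rx in compiled:
            m = rx.match(text, i)
            # Only a strictly longer match replaces the candidate, so an
            # equal-length match from a later rule loses the tie.
            if m and m.end() > i and (best is None or m.end() > best[1]):
                best = (name, m.end())
        if best is None:
            if text[i] not in PUNCT:
                raise ValueError(f"cannot scan {text[i]!r} at offset {i}")
            tokens.append((text[i], text[i]))
            i += 1
            continue
        tokens.append((best[0], text[i:best[1]]))
        i = best[1]
    return tokens


def token_names(text, rules):
    """Token classes only, for comparing the two rule tables side by side."""
    return [name for name, _ in scan(text, rules)]


def genfscon_fsname_ok(stmt, rules, wanted):
    """Mimic the filesystem-name slot of genfs_context_def:
    GENFSCON <fsname> PATH ...  The statement is accepted only when the
    scanner classifies <fsname> as the token class the grammar rule demands."""
    toks = scan(stmt, rules)
    return (len(toks) >= 3 and toks[0][0] == "GENFSCON"
            and toks[1][0] == wanted and toks[2][0] == "PATH")


if __name__ == "__main__":
    # Constructed statements; the context is a placeholder, not a real type.
    plain = "genfscon proc / system_u:object_r:example_t"
    dashed = "genfscon ntfs-3g / system_u:object_r:example_t"
    # Karl's first attempt made the rule demand USER_IDENTIFIER: "proc" ties
    # between the two rules, the earlier IDENTIFIER rule wins, and every
    # dash-free genfscon line is a syntax error while ntfs-3g alone parses.
    print(genfscon_fsname_ok(plain, RULES_BEFORE, "USER_IDENTIFIER"))   # False
    print(genfscon_fsname_ok(dashed, RULES_BEFORE, "USER_IDENTIFIER"))  # True
    # After folding the two tokens, both spellings are plain IDENTIFIERs.
    print(genfscon_fsname_ok(plain, RULES_AFTER, "IDENTIFIER"))   # True
    print(genfscon_fsname_ok(dashed, RULES_AFTER, "IDENTIFIER"))  # True
    # The MLS caveat: a dash-capable identifier swallows "s0-s0" as one token,
    # so a range needs spaces around "-"; USER_IDENTIFIER did the same before.
    print(token_names("s0-s0:c0.c255", RULES_AFTER))    # ['IDENTIFIER', ':', 'IDENTIFIER']
    print(token_names("s0 - s0:c0.c255", RULES_AFTER))  # ['IDENTIFIER', '-', 'IDENTIFIER', ':', 'IDENTIFIER']
```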