* [PATCH 50/63] checkpolicy: parse for default_file_trans rules
  2011-11-01 19:45 Daniel J Walsh
  2011-11-02 13:02 ` Steve Lawrence
  0 siblings, 1 reply; 3+ messages in thread

From: Daniel J Walsh @ 2011-11-01 19:45 UTC (permalink / raw)
To: eparis; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 350 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This patch looks good to me. Acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6wTHYACgkQrlYvE4MpobP/wwCePf+mpFHYQ/5uvtuYA1MYA8Yt
GEoAoLq+aavuux14a6NhsSpg/h2rR61Z
=fzsp
-----END PGP SIGNATURE-----

[-- Attachment #2: 0050-checkpolicy-parse-for-default_file_trans-rules.patch --]
[-- Type: text/plain, Size: 0 bytes --]

^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 50/63] checkpolicy: parse for default_file_trans rules 2011-11-01 19:45 [PATCH 50/63] checkpolicy: parse for default_file_trans rules Daniel J Walsh @ 2011-11-02 13:02 ` Steve Lawrence 2011-11-02 13:17 ` Eric Paris 0 siblings, 1 reply; 3+ messages in thread From: Steve Lawrence @ 2011-11-02 13:02 UTC (permalink / raw) To: Daniel J Walsh; +Cc: eparis, selinux On 11/01/2011 03:45 PM, Daniel J Walsh wrote: > > OpenPGP: *Attachments to this message have not been signed or encrypted* > > ********* *BEGIN ENCRYPTED or SIGNED PART* ********* > > > This patch looks good to me. acked. > > > > ********** *END ENCRYPTED or SIGNED PART* ********** > > 0050-checkpolicy-parse-for-default_file_trans-rules.patchFrom 8ead51a6d41f63b43726c617480593f6a8fd0899 Mon Sep 17 00:00:00 2001 > From: Eric Paris <eparis@redhat.com> > Date: Fri, 14 Oct 2011 10:57:20 -0400 > Subject: [PATCH 50/63] checkpolicy: parse for default_file_trans rules > > Signed-off-by: Eric Paris <eparis@redhat.com> > --- > checkpolicy/policy_define.c | 33 +++++++++++++++++++++++++++++++++ > checkpolicy/policy_define.h | 9 +++++++++ > checkpolicy/policy_parse.y | 21 ++++++++++++++++++++- > checkpolicy/policy_scan.l | 8 +++++++- > 4 files changed, 69 insertions(+), 2 deletions(-) > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > index 1bf669c..838b6aa 100644 > --- a/checkpolicy/policy_define.c > +++ b/checkpolicy/policy_define.c 
> @@ -327,6 +327,39 @@ int define_initial_sid(void) > return -1; > } > > +int define_default_file_trans(int component, int from) > +{ > + char *id; > + ebitmap_t e_tclasses; > + class_datum_t *cladatum; > + > + if (pass == 1) { > + while ((id = queue_remove(id_queue))) > + free(id); > + return 0; > + } > + > + ebitmap_init(&e_tclasses); > + while ((id = queue_remove(id_queue))) { > + if (!is_id_in_scope(SYM_CLASSES, id)) { > + yyerror2("class %s is not within scope", id); > + return -1; > + } > + cladatum = hashtab_search(policydbp->p_classes.table, id); > + if (!cladatum) { > + yyerror2("unknown class %s", id); > + return -1; > + } > + if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { > + yyerror("Out of memory"); > + return -1; > + } > + free(id); > + } > + > + return 0; > +} > + > int define_common_perms(void) > { > char *id = 0, *perm = 0; > diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h > index 92a9be7..c77e87d 100644 > --- a/checkpolicy/policy_define.h > +++ b/checkpolicy/policy_define.h > @@ -13,6 +13,14 @@ > #define TRUE 1 > #define FALSE 0 > > +enum dft_enum { > + DFT_USER, > + DFT_ROLE, > + DFT_LEVEL, > + DFT_PROCESS, > + DFT_PARENT, > +}; > + > avrule_t *define_cond_compute_type(int which); > avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt); > avrule_t *define_cond_te_avtab(int which); > @@ -52,6 +60,7 @@ int define_role_types(void); > int define_role_attr(void); > int define_roleattribute(void); > int define_filename_trans(void); > +int define_default_file_trans(int componnt, int from); > int define_sens(void); > int define_te_avtab(int which); > int define_typealias(void); > diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y > index 1e3ef6f..1107d79 100644 > --- a/checkpolicy/policy_parse.y > +++ b/checkpolicy/policy_parse.y 
> @@ -143,6 +143,9 @@ typedef int (* require_func_t)(); > %token POLICYCAP > %token PERMISSIVE > %token FILESYSTEM > +%token DEFAULT_FILE_TRANS > +%token PROCESS > +%token PARENT > > %left OR > %left XOR > @@ -160,7 +163,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; } > opt_mls te_rbac users opt_constraints > { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} > else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} > - initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts > + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts default_file_trans_rules > ; > classes : class_def > | classes class_def > @@ -176,6 +179,22 @@ initial_sid_def : SID identifier > ; > access_vectors : opt_common_perms av_perms > ; > +default_file_trans_rules : default_file_trans_def > + | default_file_trans_rules default_file_trans_def > + ; > +default_file_trans_def : DEFAULT_FILE_TRANS USER names PROCESS ';' > + {if (define_default_file_trans(DFT_USER, DFT_PROCESS)) return -1;} > + | DEFAULT_FILE_TRANS ROLE names PROCESS ';' > + {if (define_default_file_trans(DFT_ROLE, DFT_PROCESS)) return -1;} > + | DEFAULT_FILE_TRANS LEVEL names PROCESS ';' > + {if (define_default_file_trans(DFT_LEVEL, DFT_PROCESS)) return -1;} > + | DEFAULT_FILE_TRANS USER names PARENT ';' > + {if (define_default_file_trans(DFT_USER, DFT_PARENT)) return -1;} > + | DEFAULT_FILE_TRANS ROLE names PARENT ';' > + {if (define_default_file_trans(DFT_ROLE, DFT_PARENT)) return -1;} > + | DEFAULT_FILE_TRANS LEVEL names PARENT ';' > + {if (define_default_file_trans(DFT_LEVEL, DFT_PARENT)) return -1;} > + ; > opt_common_perms : common_perms > | > ; > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > index 2ba5971..c6fd24c 100644 > --- a/checkpolicy/policy_scan.l > +++ b/checkpolicy/policy_scan.l 
> @@ -219,6 +219,12 @@ h2 | > H2 { return(H2); } > policycap | > POLICYCAP { return(POLICYCAP); } > +process | > +PROCESS { return(PROCESS); } > +parent | > +PARENT { return(PARENT); } > +default_file_trans | > +DEFAULT_FILE_TRANS { return(DEFAULT_FILE_TRANS); } > permissive | > PERMISSIVE { return(PERMISSIVE); } > "/"({alnum}|[_\.\-/])* { return(PATH); } > @@ -228,7 +234,7 @@ PERMISSIVE { return(PERMISSIVE); } > {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > {alnum}* { return(FILENAME); } > -\.({alnum}|[_\.\-])* { return(FILENAME); } > +\.({alnum}|[_\.\-])+ { return(FILENAME); } > {letter}+([-_\.]|{alnum})+ { return(FILENAME); } > ([_\.]){alnum}+ { return(FILENAME); } > #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > -- 1.7.7 This looks like this is the same patch sent to the list a couple of weeks ago but with a couple of name changes (e.g. DT -> DFT, default_trans -> default_file_trans), and there was still some discussion on it. I believe it ended with "Eric is on vacation, we'll see what he has to say when he gets back." Is this right? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 3+ messages in thread
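Review bot: in the policy_define.c hunk, define_default_file_trans() never reads its `component` and `from` arguments, and `e_tclasses` is populated and then dropped at `return 0` without being stored anywhere in the policydb or released with ebitmap_destroy(), so in pass 2 each statement is validated, discarded, and leaks one bitmap. Either record the (component, from, classes) tuple in a policydb field in this patch, or, if parse-only is the intent for now, say so in the commit message and still destroy the bitmap before returning. The three `return -1` paths also leak `id`; a `free(id);` before each keeps the failure path clean.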
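Review bot: in the first policy_define.h hunk, dft_enum folds two independent choices into one enumeration, the context component (DFT_USER, DFT_ROLE, DFT_LEVEL) and its source (DFT_PROCESS, DFT_PARENT). Nothing prevents a caller passing DFT_PARENT as `component` or DFT_USER as `from`, and define_default_file_trans() does not check either argument. Two separate enums, or a range check at the top of the function that rejects anything outside its half, would catch the mix-up at compile or parse time instead of silently accepting it.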
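Review bot: in the second policy_define.h hunk the prototype reads `int define_default_file_trans(int componnt, int from);` while the definition in policy_define.c names the parameter `component`; harmless to the compiler, but fix the spelling so the two match.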
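Review bot: in the base_policy hunk of policy_parse.y, default_file_trans_rules is appended with no opt_ wrapper, and the nonterminal defined later in this patch has no empty alternative, so every base policy must now contain at least one default_file_trans statement or it fails to parse. Follow the opt_fs_contexts / opt_dev_contexts pattern: add `opt_default_file_trans_rules : default_file_trans_rules | ;` and reference that here, so existing policies keep compiling unchanged.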
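Review bot: in the default_file_trans_def hunk, the six alternatives differ only in two tokens and repeat the same action; factoring them as `DEFAULT_FILE_TRANS dft_component names dft_source ';'` with two small nonterminals that yield the DFT_* values keeps the action in one place and makes adding a component a one-line change. The block also sits after opt_dev_contexts, i.e. after every context section, even though it only references classes; if that ordering is required (for example relative to the policydb_index_others() call in pass 2 visible above), state it in the commit message so the placement does not read as accidental.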
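Review bot: in the first policy_scan.l hunk, `process` and `parent` become unconditional keywords. `process` is a standard object class name in SELinux policy (`class process`, and every `allow ... : process ...` rule names it), so once the scanner returns PROCESS for it those statements no longer match `identifier` and existing policies stop compiling; the same risk applies to any policy with a type or attribute called `parent`. Choose keywords that cannot collide with class or type names, or let the grammar accept these tokens wherever an identifier is expected, and add a test policy that declares `class process` to prove the change is safe.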
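Review bot: in the second policy_scan.l hunk, changing `\.({alnum}|[_\.\-])*` to `\.({alnum}|[_\.\-])+` in the FILENAME rule is unrelated to default_file_trans parsing and is not mentioned in the commit message. It means a lone `.` no longer lexes as FILENAME, which affects filename_trans rules rather than this feature. Split it into its own patch with a one-line rationale and a test case showing the input it fixes.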
* Re: [PATCH 50/63] checkpolicy: parse for default_file_trans rules 2011-11-02 13:02 ` Steve Lawrence @ 2011-11-02 13:17 ` Eric Paris 0 siblings, 0 replies; 3+ messages in thread From: Eric Paris @ 2011-11-02 13:17 UTC (permalink / raw) To: Steve Lawrence; +Cc: Daniel J Walsh, selinux On Wed, 2011-11-02 at 09:02 -0400, Steve Lawrence wrote: > On 11/01/2011 03:45 PM, Daniel J Walsh wrote: > > > > OpenPGP: *Attachments to this message have not been signed or encrypted* > > > > ********* *BEGIN ENCRYPTED or SIGNED PART* ********* > > > > > > This patch looks good to me. acked. > > > > > > > > ********** *END ENCRYPTED or SIGNED PART* ********** > > > > 0050-checkpolicy-parse-for-default_file_trans-rules.patchFrom 8ead51a6d41f63b43726c617480593f6a8fd0899 Mon Sep 17 00:00:00 2001 > > From: Eric Paris <eparis@redhat.com> > > Date: Fri, 14 Oct 2011 10:57:20 -0400 > > Subject: [PATCH 50/63] checkpolicy: parse for default_file_trans rules > > > > Signed-off-by: Eric Paris <eparis@redhat.com> > > --- > > checkpolicy/policy_define.c | 33 +++++++++++++++++++++++++++++++++ > > checkpolicy/policy_define.h | 9 +++++++++ > > checkpolicy/policy_parse.y | 21 ++++++++++++++++++++- > > checkpolicy/policy_scan.l | 8 +++++++- > > 4 files changed, 69 insertions(+), 2 deletions(-) > > > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > > index 1bf669c..838b6aa 100644 > > --- a/checkpolicy/policy_define.c > > +++ b/checkpolicy/policy_define.c 
> > @@ -327,6 +327,39 @@ int define_initial_sid(void) > > return -1; > > } > > > > +int define_default_file_trans(int component, int from) > > +{ > > + char *id; > > + ebitmap_t e_tclasses; > > + class_datum_t *cladatum; > > + > > + if (pass == 1) { > > + while ((id = queue_remove(id_queue))) > > + free(id); > > + return 0; > > + } > > + > > + ebitmap_init(&e_tclasses); > > + while ((id = queue_remove(id_queue))) { > > + if (!is_id_in_scope(SYM_CLASSES, id)) { > > + yyerror2("class %s is not within scope", id); > > + return -1; > > + } > > + cladatum = hashtab_search(policydbp->p_classes.table, id); > > + if (!cladatum) { > > + yyerror2("unknown class %s", id); > > + return -1; > > + } > > + if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) { > > + yyerror("Out of memory"); > > + return -1; > > + } > > + free(id); > > + } > > + > > + return 0; > > +} > > + > > int define_common_perms(void) > > { > > char *id = 0, *perm = 0; > > diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h > > index 92a9be7..c77e87d 100644 > > --- a/checkpolicy/policy_define.h > > +++ b/checkpolicy/policy_define.h > > @@ -13,6 +13,14 @@ > > #define TRUE 1 > > #define FALSE 0 > > > > +enum dft_enum { > > + DFT_USER, > > + DFT_ROLE, > > + DFT_LEVEL, > > + DFT_PROCESS, > > + DFT_PARENT, > > +}; > > + > > avrule_t *define_cond_compute_type(int which); > > avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt); > > avrule_t *define_cond_te_avtab(int which); > > @@ -52,6 +60,7 @@ int define_role_types(void); > > int define_role_attr(void); > > int define_roleattribute(void); > > int define_filename_trans(void); > > +int define_default_file_trans(int componnt, int from); > > int define_sens(void); > > int define_te_avtab(int which); > > int define_typealias(void); > > diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y > > index 1e3ef6f..1107d79 100644 > > --- a/checkpolicy/policy_parse.y > > +++ b/checkpolicy/policy_parse.y 
> > @@ -143,6 +143,9 @@ typedef int (* require_func_t)(); > > %token POLICYCAP > > %token PERMISSIVE > > %token FILESYSTEM > > +%token DEFAULT_FILE_TRANS > > +%token PROCESS > > +%token PARENT > > > > %left OR > > %left XOR > > @@ -160,7 +163,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; } > > opt_mls te_rbac users opt_constraints > > { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;} > > else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}} > > - initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts > > + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts default_file_trans_rules > > ; > > classes : class_def > > | classes class_def > > @@ -176,6 +179,22 @@ initial_sid_def : SID identifier > > ; > > access_vectors : opt_common_perms av_perms > > ; > > +default_file_trans_rules : default_file_trans_def > > + | default_file_trans_rules default_file_trans_def > > + ; > > +default_file_trans_def : DEFAULT_FILE_TRANS USER names PROCESS ';' > > + {if (define_default_file_trans(DFT_USER, DFT_PROCESS)) return -1;} > > + | DEFAULT_FILE_TRANS ROLE names PROCESS ';' > > + {if (define_default_file_trans(DFT_ROLE, DFT_PROCESS)) return -1;} > > + | DEFAULT_FILE_TRANS LEVEL names PROCESS ';' > > + {if (define_default_file_trans(DFT_LEVEL, DFT_PROCESS)) return -1;} > > + | DEFAULT_FILE_TRANS USER names PARENT ';' > > + {if (define_default_file_trans(DFT_USER, DFT_PARENT)) return -1;} > > + | DEFAULT_FILE_TRANS ROLE names PARENT ';' > > + {if (define_default_file_trans(DFT_ROLE, DFT_PARENT)) return -1;} > > + | DEFAULT_FILE_TRANS LEVEL names PARENT ';' > > + {if (define_default_file_trans(DFT_LEVEL, DFT_PARENT)) return -1;} > > + ; > > opt_common_perms : common_perms > > | > > ; > > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l > > index 2ba5971..c6fd24c 100644 > > --- a/checkpolicy/policy_scan.l 
> > +++ b/checkpolicy/policy_scan.l > > @@ -219,6 +219,12 @@ h2 | > > H2 { return(H2); } > > policycap | > > POLICYCAP { return(POLICYCAP); } > > +process | > > +PROCESS { return(PROCESS); } > > +parent | > > +PARENT { return(PARENT); } > > +default_file_trans | > > +DEFAULT_FILE_TRANS { return(DEFAULT_FILE_TRANS); } > > permissive | > > PERMISSIVE { return(PERMISSIVE); } > > "/"({alnum}|[_\.\-/])* { return(PATH); } > > @@ -228,7 +234,7 @@ PERMISSIVE { return(PERMISSIVE); } > > {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } > > {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } > > {alnum}* { return(FILENAME); } > > -\.({alnum}|[_\.\-])* { return(FILENAME); } > > +\.({alnum}|[_\.\-])+ { return(FILENAME); } > > {letter}+([-_\.]|{alnum})+ { return(FILENAME); } > > ([_\.]){alnum}+ { return(FILENAME); } > > #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } > > -- 1.7.7 > > This looks like this is the same patch sent to the list a couple of > weeks ago but with a couple of name changes (e.g. DT -> DFT, > default_trans -> default_file_trans), and there was still some > discussion on it. I believe it ended with "Eric is on vacation, we'll > see what he has to say when he gets back." Is this right? Yes. It won't get applied, I just forgot to pull it from my tree before Dan took a look. It needs reworked. -Eric -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread

Thread overview: 3+ messages (links below jump to the message on this page)

  2011-11-01 19:45 [PATCH 50/63] checkpolicy: parse for default_file_trans rules  Daniel J Walsh
  2011-11-02 13:02 ` Steve Lawrence
  2011-11-02 13:17   ` Eric Paris