From: Darrel Goeddel <dgoeddel@TrustedCS.com>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>, selinux <selinux@tycho.nsa.gov>
Subject: Re: policy hierarchy patch
Date: Mon, 11 Apr 2005 15:39:35 -0500
Message-ID: <425AE087.7090001@trustedcs.com>
In-Reply-To: <1112984816.10298.5.camel@localhost>
Joshua Brindle wrote:
> On Thu, 2005-04-07 at 16:29 -0500, Darrel Goeddel wrote:
>
>>Joshua Brindle wrote:
>>
>>>On Thu, 2005-04-07 at 11:30 -0500, Darrel Goeddel wrote:
>>>
>>>
>>>>Stephen Smalley wrote:
>>
>>>>>The original hierarchy patch also collapsed the identifier and
>>>>>user_identifier together, thereby allowing "-" to occur in any
>>>>>identifier. As a result, if someone specifies s0-s9 in the policy
>>>>>without whitespace, it will be incorrectly interpreted as an attempt to
>>>>>specify a level named "s0-s9". Further, nothing prevents someone from
>>>>>defining a level or category name that includes a "-" presently.
>>>>>Options are to revert the change from the original patch that collapsed
>>>>>identifier and user_identifier together (only adding "." to identifier,
>>>>>not "-") or to add further handling to the action routines to deal with
>>>>>it.
>>>>>
>>>
>>>
>
> Ok, here is a patch against cvs (includes Darrel's MLS changes). It
> builds MLS and non-MLS policies with and without type and role
> hierarchies so this should be good to go, let me know if there are any
> other problems.
>
> Joshua
Thanks for merging my changes into the main patch. I have a few additions in
the attached patch, which is relative to your latest patch.
I had a possible double free in define_category. I added back the declaration
for is_valid_identifier in policy_scan.l to avoid a warning. I also removed
including '-' as a valid character in the standard IDENTIFIER (this is what we
were after, right?). There are a few tweaks to the policy Makefile. The first
is changing "s9 : c0.c127" to "s9:c0.c127" - I thought that was a bit more
readable. The second is changing MLS=n to MLS=y in the makefile when running
the mlsconvert target.
--
Darrel
[-- Attachment #2: hier-mls-suppl.patch --]
[-- Type: text/x-patch, Size: 2155 bytes --]
diff -ruNp hier2/checkpolicy/policy_parse.y hier2-dgo/checkpolicy/policy_parse.y
--- hier2/checkpolicy/policy_parse.y 2005-04-11 14:22:07.964067426 -0500
+++ hier2-dgo/checkpolicy/policy_parse.y 2005-04-11 14:32:19.078544643 -0500
@@ -1325,7 +1325,6 @@ static int define_category(void)
while ((id = queue_remove(id_queue))) {
if (id_has_dot(id)) {
- free(id);
yyerror("category aliases may not contain periods");
goto bad_alias;
}
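Review bot: Removing `free(id)` before `goto bad_alias` is only correct if the cleanup under the `bad_alias` label frees `id`; that label is outside this hunk, so confirm that `id` is released exactly once on this error path (the cover note calls this a possible double free) and that the other `goto bad_alias` sites inside the `while` loop were not relying on this line for their own cleanup.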
diff -ruNp hier2/checkpolicy/policy_scan.l hier2-dgo/checkpolicy/policy_scan.l
--- hier2/checkpolicy/policy_scan.l 2005-04-11 14:22:07.965067174 -0500
+++ hier2-dgo/checkpolicy/policy_scan.l 2005-04-11 14:40:20.299361117 -0500
@@ -25,6 +25,7 @@
static char linebuf[2][255];
static unsigned int lno = 0;
int yywarn(char *msg);
+static int is_valid_identifier(char *id);
char source_file[255];
unsigned long source_lineno = 1;
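Review bot: The added prototype declares `is_valid_identifier` as `static`, so its definition further down in policy_scan.l must also be `static` and take `char *`; a `static` declaration followed by a non-static definition is a conflicting-linkage error with gcc. If the function is meant to be called from policy_parse.y as well, drop `static` and put the prototype in a shared header rather than in the scanner.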
@@ -185,7 +186,7 @@ H1 { return(H1); }
h2 |
H2 { return(H2); }
"/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
-{letter}({letter}|{digit}|_|"."|"-")*({letter}|{digit}) { if (is_valid_identifier(yytext))
+{letter}({letter}|{digit}|_|".")*({letter}|{digit}) { if (is_valid_identifier(yytext))
return(IDENTIFIER);
else
REJECT;
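Review bot: Dropping "-" from the IDENTIFIER rule is a user-visible change: any existing policy source that spelt a type, role, user or attribute name with a hyphen will now fail to scan, while the PATH rule two lines up still accepts "-". Worth a line in the changelog, and worth a check that `s0-s9` written without whitespace now lexes as IDENTIFIER `-` IDENTIFIER rather than as one level name, since that is the bug this hunk exists to fix.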
diff -ruNp hier2/policy/Makefile hier2-dgo/policy/Makefile
--- hier2/policy/Makefile 2005-04-11 14:22:07.969066167 -0500
+++ hier2-dgo/policy/Makefile 2005-04-11 14:31:14.108728717 -0500
@@ -327,8 +327,11 @@ mlsconvert:
done
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
- sed -e 's/;/ level s0 range s0 - s9 : c0.c127;/' $$file > $$file.new && \
+ sed -e 's/;/ level s0 range s0 - s9:c0.c127;/' $$file > $$file.new && \
mv $$file.new $$file; \
done
- @sed -e '/sid kernel/s/s0/s0 - s9 : c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+ @sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+ @echo "Enabling MLS in the Makefile"
+ @sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
+ @mv Makefile.new Makefile
@echo "Done"
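Review bot: The new `sed "s/MLS=n/MLS=y/" Makefile` line is unanchored, so it rewrites the first `MLS=n` on every line of the Makefile, including any comment or help text that mentions the setting; anchor it (`s/^MLS=n$/MLS=y/` or similar) so only the variable assignment changes. The target also rewrites the Makefile that make is currently executing; that works because make has already parsed the file, but a reader of the recipe should know it is deliberate, so a comment next to the `@echo "Enabling MLS in the Makefile"` line would help.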
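To make the scanner change concrete, here is an added example (not code from checkpolicy or from any of the people on this thread) that emulates the IDENTIFIER rule before and after the patch and tokenizes the range syntax discussed above. The `{letter}` and `{digit}` classes are assumed to be ASCII letters and digits; only IDENTIFIER and single-character punctuation are modelled, and the `id_has_dot` helper mirrors the check `define_category` applies to aliases.

```python
import re

# Assumed definitions of the flex classes {letter} and {digit}.
LETTER = r"[A-Za-z]"
DIGIT = r"[0-9]"

# IDENTIFIER rule before the patch: "-" is an identifier character.
IDENT_WITH_DASH = re.compile(rf"{LETTER}(?:{LETTER}|{DIGIT}|_|\.|-)*(?:{LETTER}|{DIGIT})")
# IDENTIFIER rule after the patch: "-" is gone, "." is still allowed.
IDENT_NO_DASH = re.compile(rf"{LETTER}(?:{LETTER}|{DIGIT}|_|\.)*(?:{LETTER}|{DIGIT})")

# Single-character tokens that the constructed tokenizer understands.
PUNCT = set("-:;,")


def tokenize(text, ident_re):
    """Return (kind, text) tokens for a fragment of MLS range syntax.

    At each position the identifier rule is tried first and takes its longest
    match, as flex does; whitespace separates tokens. Other checkpolicy rules
    (PATH, keywords, single-letter names) are deliberately not modelled.
    """
    tokens = []
    i = 0
    while i < len(text):
        if text[i].isspace():
            i += 1
            continue
        m = ident_re.match(text, i)
        if m:
            tokens.append(("IDENTIFIER", m.group(0)))
            i = m.end()
        elif text[i] in PUNCT:
            tokens.append(("PUNCT", text[i]))
            i += 1
        else:
            raise ValueError(f"cannot lex {text[i]!r} at offset {i}")
    return tokens


def parses_as_range(text, ident_re):
    """True when the text lexes as IDENTIFIER '-' IDENTIFIER (a low-high range)."""
    toks = tokenize(text, ident_re)
    return [k for k, _ in toks] == ["IDENTIFIER", "PUNCT", "IDENTIFIER"] and toks[1][1] == "-"


def id_has_dot(ident):
    """Mirror of the period check define_category applies to category aliases."""
    return "." in ident


if __name__ == "__main__":
    # Constructed inputs taken from the syntax discussed in the thread.
    for name, regex in (("with '-'", IDENT_WITH_DASH), ("without '-'", IDENT_NO_DASH)):
        print(name, tokenize("s0-s9", regex), "range:", parses_as_range("s0-s9", regex))
    print(tokenize("s0 - s9:c0.c127", IDENT_NO_DASH))
```

With the old rule `s0-s9` comes back as one IDENTIFIER token, which the parser would then treat as a level name; with the patched rule the same text yields `s0`, `-`, `s9`. The `.` in `c0.c127` is still swallowed into a single identifier by both rules, which is why the category code has to check for periods itself rather than relying on the scanner.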