Fixes for sepolgen to parse Fedora 9 Policy

All of lore.kernel.org
 help / color / mirror / Atom feed

* Fixes for sepolgen to parse Fedora 9 Policy
@ 2007-12-19 10:27 Daniel J Walsh
  2007-12-19 15:29 ` Karl MacMillan
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2007-12-19 10:27 UTC (permalink / raw)
  To: Karl MacMillan, SE Linux

[-- Attachment #1: Type: text/plain, Size: 603 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


      Handle ifelse statements - Not sure if how we want to handle this,
 right now just pass
      Handle refpolicywarn inside of define - Just removing the line
      Add init.if and inetd.if into parse - They seem to work
      Add parse_file to syntax error message - Easier to debug policy
problems
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHaPH+rlYvE4MpobMRAt0GAJ0Tors5vz+YB25VfBrADMxTtkKnFwCeJi7w
SmJjRXtLVJkg4rA6HuL1UmY=
=Bavy
-----END PGP SIGNATURE-----

[-- Attachment #2: diffsepol --]
[-- Type: text/plain, Size: 3351 bytes --]

diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.32/sepolgen-1.0.10/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py	2007-09-13 08:21:11.000000000 -0400
+++ policycoreutils-2.0.32/sepolgen-1.0.10/src/sepolgen/refparser.py	2007-12-19 05:21:44.000000000 -0500
@@ -118,6 +118,7 @@
     'TEMPLATE',
     'GEN_CONTEXT',
     #   m4
+    'IFELSE',
     'IFDEF',
     'IFNDEF',
     'DEFINE'
@@ -174,6 +175,7 @@
     'template' : 'TEMPLATE',
     'gen_context' : 'GEN_CONTEXT',
     # M4
+    'ifelse' : 'IFELSE',
     'ifndef' : 'IFNDEF',
     'ifdef' : 'IFDEF',
     'define' : 'DEFINE'
@@ -220,6 +222,12 @@
     # Ignore all comments
     t.lexer.lineno += 1
 
+def t_refpolicywarn1(t):
+    r'define.*refpolicywarn\(.*\n'
+    # Ignore refpolicywarn statements - they sometimes
+    # contain text that we can't parse.
+    t.skip(1)
+
 def t_refpolicywarn(t):
     r'refpolicywarn\(.*\n'
     # Ignore refpolicywarn statements - they sometimes
@@ -258,6 +266,7 @@
 m = None
 #   error is either None (indicating no error) or a string error message.
 error = None
+parse_file = ""
 #   spt is the support macros (e.g., obj/perm sets) - it is an instance of
 #     refpolicy.SupportMacros and should always be present during parsing
 #     though it may not contain any macros.
@@ -382,6 +391,19 @@
         collect(p[12], x, val=False)
     p[0] = [x]
 
+def p_ifelse(p):
+    '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+              | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+    '''
+#    x = refpolicy.IfDef(p[4])
+#    v = True
+#    collect(p[8], x, val=v)
+#    if len(p) > 12:
+#        collect(p[12], x, val=False)
+#    p[0] = [x]
+    pass
+
+
 def p_ifdef(p):
     '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
              | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
@@ -446,6 +468,7 @@
               | optional_policy
               | tunable_policy
               | ifdef
+              | ifelse
               | conditional
     '''
     p[0] = p[1]
@@ -844,7 +867,8 @@
 
 def p_error(tok):
     global error
-    error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
+    global parse_file
+    error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
     print error
 
 def prep_spt(spt):
@@ -892,7 +916,7 @@
 def list_headers(root):
     modules = []
     support_macros = None
-    blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
+    blacklist = ["uml.if", "thunderbird.if"]
 
     for dirpath, dirnames, filenames in os.walk(root):
         for name in filenames:
@@ -941,12 +965,14 @@
             output.write(msg)
 
     def parse_file(f, module, spt=None):
+        global parse_file
         if debug:
             o("parsing file %s\n" % f)
         try:
             fd = open(f)
             txt = fd.read()
             fd.close()
+            parse_file = f
             parse(txt, module, spt, debug)
         except IOError, e:
             return

[-- Attachment #3: diffsepol.sig --]
[-- Type: application/octet-stream, Size: 64 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Fixes for sepolgen to parse Fedora 9 Policy
  2007-12-19 10:27 Fixes for sepolgen to parse Fedora 9 Policy Daniel J Walsh
@ 2007-12-19 15:29 ` Karl MacMillan
  2007-12-19 17:57   ` Daniel J Walsh
  0 siblings, 1 reply; 4+ messages in thread
From: Karl MacMillan @ 2007-12-19 15:29 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Wed, 2007-12-19 at 05:27 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
>       Handle ifelse statements - Not sure if how we want to handle this,
>  right now just pass

That's probably fine for now.

>       Handle refpolicywarn inside of define - Just removing the line

Chris - for what it's worth, these things are almost impossible to parse
correctly.

>       Add init.if and inetd.if into parse - They seem to work

But old versions definitely don't, so you would be breaking on old
policies.

>       Add parse_file to syntax error message - Easier to debug policy
> problems

Can you resend without the blacklist changes?

Karl

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iD8DBQFHaPH+rlYvE4MpobMRAt0GAJ0Tors5vz+YB25VfBrADMxTtkKnFwCeJi7w
> SmJjRXtLVJkg4rA6HuL1UmY=
> =Bavy
> -----END PGP SIGNATURE-----
> plain text document attachment (diffsepol)
> diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.32/sepolgen-1.0.10/src/sepolgen/refparser.py
> --- nsasepolgen/src/sepolgen/refparser.py	2007-09-13 08:21:11.000000000 -0400
> +++ policycoreutils-2.0.32/sepolgen-1.0.10/src/sepolgen/refparser.py	2007-12-19 05:21:44.000000000 -0500
> @@ -118,6 +118,7 @@
>      'TEMPLATE',
>      'GEN_CONTEXT',
>      #   m4
> +    'IFELSE',
>      'IFDEF',
>      'IFNDEF',
>      'DEFINE'
> @@ -174,6 +175,7 @@
>      'template' : 'TEMPLATE',
>      'gen_context' : 'GEN_CONTEXT',
>      # M4
> +    'ifelse' : 'IFELSE',
>      'ifndef' : 'IFNDEF',
>      'ifdef' : 'IFDEF',
>      'define' : 'DEFINE'
> @@ -220,6 +222,12 @@
>      # Ignore all comments
>      t.lexer.lineno += 1
>  
> +def t_refpolicywarn1(t):
> +    r'define.*refpolicywarn\(.*\n'
> +    # Ignore refpolicywarn statements - they sometimes
> +    # contain text that we can't parse.
> +    t.skip(1)
> +
>  def t_refpolicywarn(t):
>      r'refpolicywarn\(.*\n'
>      # Ignore refpolicywarn statements - they sometimes
> @@ -258,6 +266,7 @@
>  m = None
>  #   error is either None (indicating no error) or a string error message.
>  error = None
> +parse_file = ""
>  #   spt is the support macros (e.g., obj/perm sets) - it is an instance of
>  #     refpolicy.SupportMacros and should always be present during parsing
>  #     though it may not contain any macros.
> @@ -382,6 +391,19 @@
>          collect(p[12], x, val=False)
>      p[0] = [x]
>  
> +def p_ifelse(p):
> +    '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> +              | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> +    '''
> +#    x = refpolicy.IfDef(p[4])
> +#    v = True
> +#    collect(p[8], x, val=v)
> +#    if len(p) > 12:
> +#        collect(p[12], x, val=False)
> +#    p[0] = [x]
> +    pass
> +
> +
>  def p_ifdef(p):
>      '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
>               | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> @@ -446,6 +468,7 @@
>                | optional_policy
>                | tunable_policy
>                | ifdef
> +              | ifelse
>                | conditional
>      '''
>      p[0] = p[1]
> @@ -844,7 +867,8 @@
>  
>  def p_error(tok):
>      global error
> -    error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
> +    global parse_file
> +    error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
>      print error
>  
>  def prep_spt(spt):
> @@ -892,7 +916,7 @@
>  def list_headers(root):
>      modules = []
>      support_macros = None
> -    blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
> +    blacklist = ["uml.if", "thunderbird.if"]
>  
>      for dirpath, dirnames, filenames in os.walk(root):
>          for name in filenames:
> @@ -941,12 +965,14 @@
>              output.write(msg)
>  
>      def parse_file(f, module, spt=None):
> +        global parse_file
>          if debug:
>              o("parsing file %s\n" % f)
>          try:
>              fd = open(f)
>              txt = fd.read()
>              fd.close()
> +            parse_file = f
>              parse(txt, module, spt, debug)
>          except IOError, e:
>              return


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Fixes for sepolgen to parse Fedora 9 Policy
  2007-12-19 15:29 ` Karl MacMillan
@ 2007-12-19 17:57   ` Daniel J Walsh
  2007-12-19 18:18     ` Karl MacMillan
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel J Walsh @ 2007-12-19 17:57 UTC (permalink / raw)
  To: Karl MacMillan; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 577 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok although, I think we should fix the policy to not cause this app to
blow up.  When I give my talks about writing policy, it does not
translate the handling of the utmp file properly because of this.

What policies were broken.  I plan on back porting this change to Fedora 8.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHaVuRrlYvE4MpobMRAigBAJ0SUVmge8RhL/YWJmoY1XlyobuQ/gCglIlu
vrfdXvF99tOLkRCCI5AlM9M=
=PKFt
-----END PGP SIGNATURE-----

[-- Attachment #2: sepolgen.diff --]
[-- Type: text/plain, Size: 3056 bytes --]

diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.32/sepolgen-1.0.10/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py	2007-09-13 08:21:11.000000000 -0400
+++ policycoreutils-2.0.32/sepolgen-1.0.10/src/sepolgen/refparser.py	2007-12-19 05:21:44.000000000 -0500
@@ -118,6 +118,7 @@
     'TEMPLATE',
     'GEN_CONTEXT',
     #   m4
+    'IFELSE',
     'IFDEF',
     'IFNDEF',
     'DEFINE'
@@ -174,6 +175,7 @@
     'template' : 'TEMPLATE',
     'gen_context' : 'GEN_CONTEXT',
     # M4
+    'ifelse' : 'IFELSE',
     'ifndef' : 'IFNDEF',
     'ifdef' : 'IFDEF',
     'define' : 'DEFINE'
@@ -220,6 +222,12 @@
     # Ignore all comments
     t.lexer.lineno += 1
 
+def t_refpolicywarn1(t):
+    r'define.*refpolicywarn\(.*\n'
+    # Ignore refpolicywarn statements - they sometimes
+    # contain text that we can't parse.
+    t.skip(1)
+
 def t_refpolicywarn(t):
     r'refpolicywarn\(.*\n'
     # Ignore refpolicywarn statements - they sometimes
@@ -258,6 +266,7 @@
 m = None
 #   error is either None (indicating no error) or a string error message.
 error = None
+parse_file = ""
 #   spt is the support macros (e.g., obj/perm sets) - it is an instance of
 #     refpolicy.SupportMacros and should always be present during parsing
 #     though it may not contain any macros.
@@ -382,6 +391,19 @@
         collect(p[12], x, val=False)
     p[0] = [x]
 
+def p_ifelse(p):
+    '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+              | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+    '''
+#    x = refpolicy.IfDef(p[4])
+#    v = True
+#    collect(p[8], x, val=v)
+#    if len(p) > 12:
+#        collect(p[12], x, val=False)
+#    p[0] = [x]
+    pass
+
+
 def p_ifdef(p):
     '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
              | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
@@ -446,6 +468,7 @@
               | optional_policy
               | tunable_policy
               | ifdef
+              | ifelse
               | conditional
     '''
     p[0] = p[1]
@@ -844,7 +867,8 @@
 
 def p_error(tok):
     global error
-    error = "Syntax error on line %d %s [type=%s]" % (tok.lineno, tok.value, tok.type)
+    global parse_file
+    error = "%s: Syntax error on line %d %s [type=%s]" % (parse_file, tok.lineno, tok.value, tok.type)
     print error
 
 def prep_spt(spt):
@@ -941,12 +965,14 @@
             output.write(msg)
 
     def parse_file(f, module, spt=None):
+        global parse_file
         if debug:
             o("parsing file %s\n" % f)
         try:
             fd = open(f)
             txt = fd.read()
             fd.close()
+            parse_file = f
             parse(txt, module, spt, debug)
         except IOError, e:
             return

[-- Attachment #3: sepolgen.diff.sig --]
[-- Type: application/octet-stream, Size: 65 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Fixes for sepolgen to parse Fedora 9 Policy
  2007-12-19 17:57   ` Daniel J Walsh
@ 2007-12-19 18:18     ` Karl MacMillan
  0 siblings, 0 replies; 4+ messages in thread
From: Karl MacMillan @ 2007-12-19 18:18 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux

On Wed, 2007-12-19 at 12:57 -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Ok although, I think we should fix the policy to not cause this app to
> blow up.  When I give my talks about writing policy, it does not
> translate the handling of the utmp file properly because of this.
> 

But how can we? We're talking about old policies in the wild.

What I really want to do is to always parse everything and just catch
exceptions. The problem is that the parser internal state gets screwed
on some parse errors - haven't been able to track down the problem.

> What policies were broken.  I plan on back porting this change to Fedora 8.

I don't have the exact policy versions. For the Fedora 8 supplied
version it should be fine to drop the blacklist, but not in the upstream
version.

Karl

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2007-12-19 18:19 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-12-19 10:27 Fixes for sepolgen to parse Fedora 9 Policy Daniel J Walsh
2007-12-19 15:29 ` Karl MacMillan
2007-12-19 17:57   ` Daniel J Walsh
2007-12-19 18:18     ` Karl MacMillan

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.