* [PATCH 50/63] checkpolicy: parse for default_file_trans rules
@ 2011-11-01 19:45 Daniel J Walsh
From: Daniel J Walsh @ 2011-11-01 19:45 UTC (permalink / raw)
To: eparis; +Cc: selinux
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6wTHYACgkQrlYvE4MpobP/wwCePf+mpFHYQ/5uvtuYA1MYA8Yt
GEoAoLq+aavuux14a6NhsSpg/h2rR61Z
=fzsp
-----END PGP SIGNATURE-----
* Re: [PATCH 50/63] checkpolicy: parse for default_file_trans rules
From: Steve Lawrence @ 2011-11-02 13:02 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: eparis, selinux
On 11/01/2011 03:45 PM, Daniel J Walsh wrote:
>
> OpenPGP: *Attachments to this message have not been signed or encrypted*
>
> ********* *BEGIN ENCRYPTED or SIGNED PART* *********
>
>
> This patch looks good to me. acked.
>
>
>
> ********** *END ENCRYPTED or SIGNED PART* **********
>
> 0050-checkpolicy-parse-for-default_file_trans-rules.patchFrom 8ead51a6d41f63b43726c617480593f6a8fd0899 Mon Sep 17 00:00:00 2001
> From: Eric Paris <eparis@redhat.com>
> Date: Fri, 14 Oct 2011 10:57:20 -0400
> Subject: [PATCH 50/63] checkpolicy: parse for default_file_trans rules
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
> checkpolicy/policy_define.c | 33 +++++++++++++++++++++++++++++++++
> checkpolicy/policy_define.h | 9 +++++++++
> checkpolicy/policy_parse.y | 21 ++++++++++++++++++++-
> checkpolicy/policy_scan.l | 8 +++++++-
> 4 files changed, 69 insertions(+), 2 deletions(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 1bf669c..838b6aa 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -327,6 +327,39 @@ int define_initial_sid(void)
> return -1;
> }
>
> +int define_default_file_trans(int component, int from)
> +{
> + char *id;
> + ebitmap_t e_tclasses;
> + class_datum_t *cladatum;
> +
> + if (pass == 1) {
> + while ((id = queue_remove(id_queue)))
> + free(id);
> + return 0;
> + }
> +
> + ebitmap_init(&e_tclasses);
> + while ((id = queue_remove(id_queue))) {
> + if (!is_id_in_scope(SYM_CLASSES, id)) {
> + yyerror2("class %s is not within scope", id);
> + return -1;
> + }
> + cladatum = hashtab_search(policydbp->p_classes.table, id);
> + if (!cladatum) {
> + yyerror2("unknown class %s", id);
> + return -1;
> + }
> + if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
> + yyerror("Out of memory");
> + return -1;
> + }
> + free(id);
> + }
> +
> + return 0;
> +}
> +
> int define_common_perms(void)
> {
> char *id = 0, *perm = 0;
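Review bot: define_default_file_trans builds e_tclasses and then discards it — the bitmap is never stored in policydbp nor released with ebitmap_destroy(), and the `component` and `from` arguments are never read, so every default_file_trans rule is accepted and silently has no effect on the compiled policy while leaking the bitmap's storage. The two early `return -1` paths (the scope check and the hashtab_search miss) also drop `id` without freeing it, unlike the `free(id)` on the success path. If a later patch in this 63-part series is meant to consume the bitmap, this one should still release it on every path, and a TODO should mark that the rule is not yet recorded anywhere. A single cleanup label keeps that in one place; suggested shape of the pass-2 body below.
```c
	ebitmap_init(&e_tclasses);
	while ((id = queue_remove(id_queue))) {
		if (!is_id_in_scope(SYM_CLASSES, id)) {
			yyerror2("class %s is not within scope", id);
			goto bad;
		}
		cladatum = hashtab_search(policydbp->p_classes.table, id);
		if (!cladatum) {
			yyerror2("unknown class %s", id);
			goto bad;
		}
		if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
			yyerror("Out of memory");
			goto bad;
		}
		free(id);
	}
	/* TODO: e_tclasses, component and from are not yet recorded in
	 * policydbp; until they are, this statement has no effect. */
	ebitmap_destroy(&e_tclasses);
	return 0;

bad:
	free(id);
	ebitmap_destroy(&e_tclasses);
	return -1;
```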
> diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
> index 92a9be7..c77e87d 100644
> --- a/checkpolicy/policy_define.h
> +++ b/checkpolicy/policy_define.h
> @@ -13,6 +13,14 @@
> #define TRUE 1
> #define FALSE 0
>
> +enum dft_enum {
> + DFT_USER,
> + DFT_ROLE,
> + DFT_LEVEL,
> + DFT_PROCESS,
> + DFT_PARENT,
> +};
> +
> avrule_t *define_cond_compute_type(int which);
> avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
> avrule_t *define_cond_te_avtab(int which);
> @@ -52,6 +60,7 @@ int define_role_types(void);
> int define_role_attr(void);
> int define_roleattribute(void);
> int define_filename_trans(void);
> +int define_default_file_trans(int componnt, int from);
> int define_sens(void);
> int define_te_avtab(int which);
> int define_typealias(void);
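Review bot: The prototype's first parameter is spelled `componnt` while the definition in policy_define.c uses `component`; the typo should be fixed so the declaration reads correctly. Both parameters are declared `int` although the only callers in policy_parse.y pass dft_enum constants, so `int define_default_file_trans(enum dft_enum component, enum dft_enum from);` would let the compiler check the argument kinds. The enum in the earlier hunk mixes two different selectors without saying so; a comment such as `/* DFT_USER/ROLE/LEVEL: which context component the rule sets; DFT_PROCESS/PARENT: where it is taken from (presumably the creating process or the parent object — confirm) */` would make the intent visible to the next reader.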
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index 1e3ef6f..1107d79 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -143,6 +143,9 @@ typedef int (* require_func_t)();
> %token POLICYCAP
> %token PERMISSIVE
> %token FILESYSTEM
> +%token DEFAULT_FILE_TRANS
> +%token PROCESS
> +%token PARENT
>
> %left OR
> %left XOR
> @@ -160,7 +163,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
> opt_mls te_rbac users opt_constraints
> { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
> else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
> - initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
> + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts default_file_trans_rules
> ;
> classes : class_def
> | classes class_def
> @@ -176,6 +179,22 @@ initial_sid_def : SID identifier
> ;
> access_vectors : opt_common_perms av_perms
> ;
> +default_file_trans_rules : default_file_trans_def
> + | default_file_trans_rules default_file_trans_def
> + ;
> +default_file_trans_def : DEFAULT_FILE_TRANS USER names PROCESS ';'
> + {if (define_default_file_trans(DFT_USER, DFT_PROCESS)) return -1;}
> + | DEFAULT_FILE_TRANS ROLE names PROCESS ';'
> + {if (define_default_file_trans(DFT_ROLE, DFT_PROCESS)) return -1;}
> + | DEFAULT_FILE_TRANS LEVEL names PROCESS ';'
> + {if (define_default_file_trans(DFT_LEVEL, DFT_PROCESS)) return -1;}
> + | DEFAULT_FILE_TRANS USER names PARENT ';'
> + {if (define_default_file_trans(DFT_USER, DFT_PARENT)) return -1;}
> + | DEFAULT_FILE_TRANS ROLE names PARENT ';'
> + {if (define_default_file_trans(DFT_ROLE, DFT_PARENT)) return -1;}
> + | DEFAULT_FILE_TRANS LEVEL names PARENT ';'
> + {if (define_default_file_trans(DFT_LEVEL, DFT_PARENT)) return -1;}
> + ;
> opt_common_perms : common_perms
> |
> ;
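Review bot: default_file_trans_rules has no empty alternative, and base_policy in the previous hunk appends it unconditionally, so a policy that contains no default_file_trans statement no longer parses — unlike every neighbouring section, which is wrapped as `opt_*`. Add `opt_default_file_trans_rules : default_file_trans_rules | ;` and reference that from base_policy instead of default_file_trans_rules. Separately, the six alternatives differ only in the two keyword positions; a `dft_component : USER {$$ = DFT_USER;} | ROLE {$$ = DFT_ROLE;} | LEVEL {$$ = DFT_LEVEL;}` rule with a `dft_from` counterpart would collapse them to one action, though that is purely stylistic.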
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 2ba5971..c6fd24c 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -219,6 +219,12 @@ h2 |
> H2 { return(H2); }
> policycap |
> POLICYCAP { return(POLICYCAP); }
> +process |
> +PROCESS { return(PROCESS); }
> +parent |
> +PARENT { return(PARENT); }
> +default_file_trans |
> +DEFAULT_FILE_TRANS { return(DEFAULT_FILE_TRANS); }
> permissive |
> PERMISSIVE { return(PERMISSIVE); }
> "/"({alnum}|[_\.\-/])* { return(PATH); }
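Review bot: Lexing the bare words `process` and `parent` as keyword tokens breaks every policy that uses them as identifiers — `process` in particular is the name of a core object class, so `class process` and `allow ... : process ...` would now hand the parser a PROCESS token where it expects an identifier, unless the `identifier` production is extended to accept these tokens, which this patch does not show. Either choose keywords that cannot collide with class or permission names, or add `| PROCESS | PARENT` to the identifier rule in policy_parse.y. This deserves an explicit test that compiles a policy declaring `class process`.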
> @@ -228,7 +234,7 @@ PERMISSIVE { return(PERMISSIVE); }
> {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
> {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
> {alnum}* { return(FILENAME); }
> -\.({alnum}|[_\.\-])* { return(FILENAME); }
> +\.({alnum}|[_\.\-])+ { return(FILENAME); }
> {letter}+([-_\.]|{alnum})+ { return(FILENAME); }
> ([_\.]){alnum}+ { return(FILENAME); }
> #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
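Review bot: The change of `\.({alnum}|[_\.\-])*` to `\.({alnum}|[_\.\-])+` alters which strings lex as FILENAME — a lone `.` no longer matches this rule — and has nothing to do with default_file_trans; the commit message does not mention it. It should be split into its own commit with a one-line rationale, or at least explained in this commit's message. Which remaining rule now consumes a bare `.` is not visible in this hunk, so the behavioural effect on existing filename_trans statements should be stated by the author.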
> -- 1.7.7
This looks like the same patch sent to the list a couple of
weeks ago, but with a couple of name changes (e.g. DT -> DFT,
default_trans -> default_file_trans), and there was still some
discussion on it. I believe it ended with "Eric is on vacation, we'll
see what he has to say when he gets back." Is this right?
* Re: [PATCH 50/63] checkpolicy: parse for default_file_trans rules
From: Eric Paris @ 2011-11-02 13:17 UTC (permalink / raw)
To: Steve Lawrence; +Cc: Daniel J Walsh, selinux
On Wed, 2011-11-02 at 09:02 -0400, Steve Lawrence wrote:
> On 11/01/2011 03:45 PM, Daniel J Walsh wrote:
> >
> > OpenPGP: *Attachments to this message have not been signed or encrypted*
> >
> > ********* *BEGIN ENCRYPTED or SIGNED PART* *********
> >
> >
> > This patch looks good to me. acked.
> >
> >
> >
> > ********** *END ENCRYPTED or SIGNED PART* **********
> >
> > 0050-checkpolicy-parse-for-default_file_trans-rules.patchFrom 8ead51a6d41f63b43726c617480593f6a8fd0899 Mon Sep 17 00:00:00 2001
> > From: Eric Paris <eparis@redhat.com>
> > Date: Fri, 14 Oct 2011 10:57:20 -0400
> > Subject: [PATCH 50/63] checkpolicy: parse for default_file_trans rules
> >
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> > ---
> > checkpolicy/policy_define.c | 33 +++++++++++++++++++++++++++++++++
> > checkpolicy/policy_define.h | 9 +++++++++
> > checkpolicy/policy_parse.y | 21 ++++++++++++++++++++-
> > checkpolicy/policy_scan.l | 8 +++++++-
> > 4 files changed, 69 insertions(+), 2 deletions(-)
> >
> > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> > index 1bf669c..838b6aa 100644
> > --- a/checkpolicy/policy_define.c
> > +++ b/checkpolicy/policy_define.c
> > @@ -327,6 +327,39 @@ int define_initial_sid(void)
> > return -1;
> > }
> >
> > +int define_default_file_trans(int component, int from)
> > +{
> > + char *id;
> > + ebitmap_t e_tclasses;
> > + class_datum_t *cladatum;
> > +
> > + if (pass == 1) {
> > + while ((id = queue_remove(id_queue)))
> > + free(id);
> > + return 0;
> > + }
> > +
> > + ebitmap_init(&e_tclasses);
> > + while ((id = queue_remove(id_queue))) {
> > + if (!is_id_in_scope(SYM_CLASSES, id)) {
> > + yyerror2("class %s is not within scope", id);
> > + return -1;
> > + }
> > + cladatum = hashtab_search(policydbp->p_classes.table, id);
> > + if (!cladatum) {
> > + yyerror2("unknown class %s", id);
> > + return -1;
> > + }
> > + if (ebitmap_set_bit(&e_tclasses, cladatum->s.value - 1, TRUE)) {
> > + yyerror("Out of memory");
> > + return -1;
> > + }
> > + free(id);
> > + }
> > +
> > + return 0;
> > +}
> > +
> > int define_common_perms(void)
> > {
> > char *id = 0, *perm = 0;
> > diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
> > index 92a9be7..c77e87d 100644
> > --- a/checkpolicy/policy_define.h
> > +++ b/checkpolicy/policy_define.h
> > @@ -13,6 +13,14 @@
> > #define TRUE 1
> > #define FALSE 0
> >
> > +enum dft_enum {
> > + DFT_USER,
> > + DFT_ROLE,
> > + DFT_LEVEL,
> > + DFT_PROCESS,
> > + DFT_PARENT,
> > +};
> > +
> > avrule_t *define_cond_compute_type(int which);
> > avrule_t *define_cond_pol_list(avrule_t *avlist, avrule_t *stmt);
> > avrule_t *define_cond_te_avtab(int which);
> > @@ -52,6 +60,7 @@ int define_role_types(void);
> > int define_role_attr(void);
> > int define_roleattribute(void);
> > int define_filename_trans(void);
> > +int define_default_file_trans(int componnt, int from);
> > int define_sens(void);
> > int define_te_avtab(int which);
> > int define_typealias(void);
> > diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> > index 1e3ef6f..1107d79 100644
> > --- a/checkpolicy/policy_parse.y
> > +++ b/checkpolicy/policy_parse.y
> > @@ -143,6 +143,9 @@ typedef int (* require_func_t)();
> > %token POLICYCAP
> > %token PERMISSIVE
> > %token FILESYSTEM
> > +%token DEFAULT_FILE_TRANS
> > +%token PROCESS
> > +%token PARENT
> >
> > %left OR
> > %left XOR
> > @@ -160,7 +163,7 @@ base_policy : { if (define_policy(pass, 0) == -1) return -1; }
> > opt_mls te_rbac users opt_constraints
> > { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
> > else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
> > - initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts
> > + initial_sid_contexts opt_fs_contexts opt_fs_uses opt_genfs_contexts net_contexts opt_dev_contexts default_file_trans_rules
> > ;
> > classes : class_def
> > | classes class_def
> > @@ -176,6 +179,22 @@ initial_sid_def : SID identifier
> > ;
> > access_vectors : opt_common_perms av_perms
> > ;
> > +default_file_trans_rules : default_file_trans_def
> > + | default_file_trans_rules default_file_trans_def
> > + ;
> > +default_file_trans_def : DEFAULT_FILE_TRANS USER names PROCESS ';'
> > + {if (define_default_file_trans(DFT_USER, DFT_PROCESS)) return -1;}
> > + | DEFAULT_FILE_TRANS ROLE names PROCESS ';'
> > + {if (define_default_file_trans(DFT_ROLE, DFT_PROCESS)) return -1;}
> > + | DEFAULT_FILE_TRANS LEVEL names PROCESS ';'
> > + {if (define_default_file_trans(DFT_LEVEL, DFT_PROCESS)) return -1;}
> > + | DEFAULT_FILE_TRANS USER names PARENT ';'
> > + {if (define_default_file_trans(DFT_USER, DFT_PARENT)) return -1;}
> > + | DEFAULT_FILE_TRANS ROLE names PARENT ';'
> > + {if (define_default_file_trans(DFT_ROLE, DFT_PARENT)) return -1;}
> > + | DEFAULT_FILE_TRANS LEVEL names PARENT ';'
> > + {if (define_default_file_trans(DFT_LEVEL, DFT_PARENT)) return -1;}
> > + ;
> > opt_common_perms : common_perms
> > |
> > ;
> > diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> > index 2ba5971..c6fd24c 100644
> > --- a/checkpolicy/policy_scan.l
> > +++ b/checkpolicy/policy_scan.l
> > @@ -219,6 +219,12 @@ h2 |
> > H2 { return(H2); }
> > policycap |
> > POLICYCAP { return(POLICYCAP); }
> > +process |
> > +PROCESS { return(PROCESS); }
> > +parent |
> > +PARENT { return(PARENT); }
> > +default_file_trans |
> > +DEFAULT_FILE_TRANS { return(DEFAULT_FILE_TRANS); }
> > permissive |
> > PERMISSIVE { return(PERMISSIVE); }
> > "/"({alnum}|[_\.\-/])* { return(PATH); }
> > @@ -228,7 +234,7 @@ PERMISSIVE { return(PERMISSIVE); }
> > {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
> > {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
> > {alnum}* { return(FILENAME); }
> > -\.({alnum}|[_\.\-])* { return(FILENAME); }
> > +\.({alnum}|[_\.\-])+ { return(FILENAME); }
> > {letter}+([-_\.]|{alnum})+ { return(FILENAME); }
> > ([_\.]){alnum}+ { return(FILENAME); }
> > #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
> > -- 1.7.7
>
> This looks like this is the same patch sent to the list a couple of
> weeks ago but with a couple of name changes (e.g. DT -> DFT,
> default_trans -> default_file_trans), and there was still some
> discussion on it. I believe it ended with "Eric is on vacation, we'll
> see what he has to say when he gets back." Is this right?
Yes. It won't get applied; I just forgot to pull it from my tree before
Dan took a look. It needs to be reworked.
-Eric