From mboxrd@z Thu Jan 1 00:00:00 1970
From: qingtao.cao@windriver.com (Harry Ciao)
Date: Tue, 28 Feb 2012 18:41:21 +0800
Subject: [refpolicy] [v0 PATCH 1/1] Copy role declarations to the top of base.conf or policy.conf
In-Reply-To: <1330425185-10025-1-git-send-email-qingtao.cao@windriver.com>
References: <1330425185-10025-1-git-send-email-qingtao.cao@windriver.com>
Message-ID: <4F4CAF51.2030501@windriver.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hi Chirst, I am a rookie about regexp, were I able to match just the role rule but skip the role-types rule in one regexp, I would have combined the two steps of "get_role_rules" and "remove_role_types" into one, and properly comment out the original role declaration, which so far has not been commented off but duplicated to the top of base.conf or policy.conf, where I have taken the advantage of the fact that multiple declarations for a role identifier are tolerated by the compiler. Such improvement is a must-have given that role-types no longer is used to define roles, and a module built into base.pp which also defines a role could be sorted after other modules which could reference the same role in the role-types rule. Thanks, Harry On 02/28/2012 06:33 PM, Harry Ciao wrote:
> Now that the role-types rule is no longer used to define a role,
> role declarations should be bumped to the top of base.conf or
> policy.conf along with other declarations. Otherwise the compiler
> could complain an unknown role when its reference occurs before its
> first declaration.
>
> Signed-off-by: Harry Ciao
> ---
> Makefile | 2 ++
> Rules.modular | 6 ++++--
> Rules.monolithic | 6 ++++--
> support/get_role_rules.sed | 13 +++++++++++++
> 4 files changed, 23 insertions(+), 4 deletions(-)
> create mode 100644 support/get_role_rules.sed
>
> diff --git a/Makefile b/Makefile
> index 5a43919..dda0e11 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -100,6 +100,8 @@ genperm := $(PYTHON) -E $(support)/genclassperms.py
> fcsort := $(tmpdir)/fc_sort
> setbools := $(AWK) -f $(support)/set_bools_tuns.awk
> get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
> +get_role_rules := $(SED) -r -f $(support)/get_role_rules.sed
> +remove_role_types := $(SED) -e '/^[[:blank:]]*\[[:blank:]]*.*\/d'
> comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
> gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
> m4iferror := $(support)/iferror.m4
> diff --git a/Rules.modular b/Rules.modular
> index 313d837..78ef24b 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -13,7 +13,7 @@ base_mod := $(tmpdir)/base.mod
>
> users_extra := $(tmpdir)/users_extra
>
> -base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
> +base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/all_role_decls.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
>
> base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
> base_te_files := $(base_mods)
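Review bot: The `remove_role_types` expression in the Makefile hunk, as it reads in this copy, is `'/^[[:blank:]]*\[[:blank:]]*.*\/d'`: the trailing `\/` escapes the closing delimiter, so sed would see an unterminated address and the rule that consumes it could not produce `all_role_decls.conf`. This looks like damage from the archive rather than the author's text (angle-bracketed tokens, possibly GNU sed `\<`…`\>` word anchors, seem to have been stripped), so the expression should be taken from the original patch and not from this page. Whatever the intact pattern is, the assignment deserves a one-line comment stating its contract, e.g. `# delete role-types rules, leaving only bare role declarations`, because this filter alone decides which role statements are hoisted to the top of the policy.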
> @@ -157,8 +157,10 @@ $(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf
>
> # extract attributes and put them first. extract post te stuff
> # like genfscon and put last.
> -$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
> +$(tmpdir)/all_attrs_types.conf $(tmpdir)/all_role_decls.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
> $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT)> $(tmpdir)/all_attrs_types.conf
> + $(verbose) $(get_role_rules) $(tmpdir)/all_te_files.conf | $(SORT)> $(tmpdir)/all_role_rules.conf
> + $(verbose) $(remove_role_types) $(tmpdir)/all_role_rules.conf | $(SORT) -u> $(tmpdir)/all_role_decls.conf
> $(verbose) cat $(tmpdir)/post_te_files.conf> $(tmpdir)/all_post.conf
> # these have to run individually because order matters:
> $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf>> $(tmpdir)/all_post.conf || true
> diff --git a/Rules.monolithic b/Rules.monolithic
> index 7c4d035..33f9aa6 100644
> --- a/Rules.monolithic
> +++ b/Rules.monolithic
> @@ -35,7 +35,7 @@ all_fc_files := $(all_modules:.te=.fc)
> pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
> post_te_files := $(user_files) $(poldir)/constraints
>
> -policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
> +policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/all_role_decls.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
>
> # search layer dirs for source files
> vpath %.te $(all_layers)
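Review bot: In the Rules.modular recipe hunk (`@@ -157,8 +157,10 @@`) the two added lines write `$(tmpdir)/all_role_rules.conf`, a side file that is not a target of the rule, and each pipeline reports only `$(SORT)`'s exit status unless the build's shell enables pipefail, so a failing sed would leave an empty `all_role_decls.conf` that still looks up to date. Chaining the filters removes the side file: `$(verbose) $(get_role_rules) $(tmpdir)/all_te_files.conf | $(remove_role_types) | $(SORT) -u > $(tmpdir)/all_role_decls.conf`. The rule header now lists four targets for one recipe, which make treats as independent rules, so under `-j` the recipe and its fixed-name side file can be written by several jobs at once; the pattern predates this change, but the new target and temporary file widen it. The same two lines appear in the Rules.monolithic hunk at `@@ -144,8 +144,10 @@`, and the recipe continues outside both hunks.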
> @@ -144,8 +144,10 @@ $(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf
>
> # extract attributes and put them first. extract post te stuff
> # like genfscon and put last.
> -$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
> +$(tmpdir)/all_attrs_types.conf $(tmpdir)/all_role_decls.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
> $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT)> $(tmpdir)/all_attrs_types.conf
> + $(verbose) $(get_role_rules) $(tmpdir)/all_te_files.conf | $(SORT)> $(tmpdir)/all_role_rules.conf
> + $(verbose) $(remove_role_types) $(tmpdir)/all_role_rules.conf | $(SORT) -u> $(tmpdir)/all_role_decls.conf
> $(verbose) cat $(tmpdir)/post_te_files.conf> $(tmpdir)/all_post.conf
> # these have to run individually because order matters:
> $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf>> $(tmpdir)/all_post.conf || true
> diff --git a/support/get_role_rules.sed b/support/get_role_rules.sed
> new file mode 100644
> index 0000000..9485cfc
> --- /dev/null
> +++ b/support/get_role_rules.sed
> @@ -0,0 +1,13 @@
> +#n
> +# print out role declarations and role types rules
> +# that are not inside require and optional blocks.
> +
> +/require \{/,/} # end require/b nextline
> +/optional \{/,/} # end optional/b nextline
> +
> +/^[[:blank:]]*\[[:blank:]]+/{
> + s/^[[:blank:]]+//
> + p
> +}
> +
> +:nextline
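Review bot: The two range addresses in support/get_role_rules.sed end on the first line matching `} # end require` or `} # end optional`, so the script does not track nesting. If optional blocks can nest in the expanded input, a role statement that follows an inner end marker but still sits inside the outer block would be printed and hoisted into the unconditional section at the top of the policy. The ranges also depend on every block being closed with exactly that trailing comment; where one is missing the range runs to end of input and later role declarations are silently skipped. The header comment should record both assumptions, e.g. `# relies on the "} # end require" / "} # end optional" markers; nested blocks are not tracked`. The role-matching address `/^[[:blank:]]*\[[:blank:]]+/{` appears truncated in this copy and should be checked against the original patch.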