From: Filippo Bonazzi <filippo.bonazzi@aalto.fi>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>,
Elena Reshetova <elena.reshetova@gmail.com>,
"SELinux@tycho.nsa.gov" <SELinux@tycho.nsa.gov>
Subject: Re: setoolsv4: tracking origin of a policy element
Date: Tue, 10 Nov 2015 17:45:16 +0200 [thread overview]
Message-ID: <5642110C.2080607@aalto.fi> (raw)
In-Reply-To: <562E2796.8000308@tresys.com>
>> given a certain rule or attribute, it would be great to know in what source file it was defined.
> Past versions of SETools supported that, but it has not yet been a priority for v4.
Which previous version(s) of SETools supported origin file/line information?
I have scoured the setools3 libqpol source files for this, and I have
found that the file/line information from the m4 synclines is parsed by
Lex at libqpol/src/policy_scan.l:272-273. However, this information is
only used in the yyerror and yywarn functions, and is not actually
propagated in the policy.
Furthermore, I have searched the SELinux libsepol source files to see
where that information could be saved, and I found that only the avrule
data structure (libsepol/include/sepol/policydb/policydb.h:258) supports
saving origin file/line information in the source_filename(:287) and
source_line(:288) fields.
All other rules, attributes, types etc. do not contain this information.
How could one then parse, save and expose origin file/line information
for all or most policy elements?
Thank you
Filippo Bonazzi
On 10/26/2015 03:16 PM, Christopher J. PeBenito wrote:
> On 10/26/2015 7:20 AM, Elena Reshetova wrote:
>> While looking into the policy parser from setools v4, we noticed one
>> thing that is missing: origin of a policy element. For example, given a
>> certain rule or attribute, it would be great to know in what source file
>> it was defined.
>>
>> In Android you can find this information by looking at produced
>> policy.conf and its comment lines that indicate source file. However I
>> don't know if it is the same for desktop selinux policy.
>>
>> Would it be acceptable to have this information as part of python class
>> representing the parsed policy? It would be really useful for tools like
>> policy linter, because it would be very much needed to point to the
> That would be acceptable. Past versions of SETools supported that, but
> it has not yet been a priority for v4.
>
next prev parent reply other threads:[~2015-11-10 15:45 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-26 11:20 setoolsv4: tracking origin of a policy element Elena Reshetova
2015-10-26 13:16 ` Christopher J. PeBenito
2015-11-10 15:45 ` Filippo Bonazzi [this message]
2015-11-10 16:33 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5642110C.2080607@aalto.fi \
--to=filippo.bonazzi@aalto.fi \
--cc=SELinux@tycho.nsa.gov \
--cc=cpebenito@tresys.com \
--cc=elena.reshetova@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.