From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
To: xen-devel@lists.xensource.com
Cc: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: [PATCH 08/10] flask/policy: Policy build updates
Date: Tue, 31 Jan 2012 16:26:16 -0500 [thread overview]
Message-ID: <1328045178-30665-9-git-send-email-dgdegra@tycho.nsa.gov> (raw)
In-Reply-To: <1328045178-30665-1-git-send-email-dgdegra@tycho.nsa.gov>
Eliminate temporary files used in creating FLASK policy to improve error
reporting during policy build. Syntax errors now point to the file and
line number visible to the user, not the intermediate temporary file.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/policy/Makefile | 61 +++----------------------
tools/flask/policy/policy/initial_sids | 12 +++++
tools/flask/policy/policy/modules/xen/xen.te | 10 ----
3 files changed, 20 insertions(+), 63 deletions(-)
create mode 100644 tools/flask/policy/policy/initial_sids
diff --git a/tools/flask/policy/Makefile b/tools/flask/policy/Makefile
index a27c813..5c25cbe 100644
--- a/tools/flask/policy/Makefile
+++ b/tools/flask/policy/Makefile
@@ -102,9 +102,8 @@ else
POLVER +=$(NAME).$(PV)
endif
-
-# determine the policy version and current kernel version if possible
-M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS) -D hide_broken_symptoms
+# Always define these because they are referenced even in non-MLS policy
+M4PARAM += -D mls_num_sens=$(MLS_SENS) -D mls_num_cats=$(MLS_CATS)
M4SUPPORT = $(wildcard $(POLDIR)/support/*.spt)
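Review bot: The new M4PARAM line drops `-D hide_broken_symptoms` together with the stale comment, but the commit description only covers the temporary-file removal. If any policy, interface or support file still tests that m4 symbol (`ifdef` or similar), the build would now silently take the other branch instead of failing, so the removal should either be stated as intentional in the description or be confirmed against the policy sources first. Recording it in the comment would also help: `# Always define these because they are referenced even in non-MLS policy; hide_broken_symptoms is no longer defined`.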
@@ -126,9 +125,9 @@ ALL_INTERFACES := $(ALL_MODULES:.te=.if)
ALL_TE_FILES := $(ALL_MODULES)
PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls
-POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints
+POST_TE_FILES := $(POLDIR)/users $(POLDIR)/constraints $(POLDIR)/initial_sids
-POLICY_SECTIONS := tmp/pre_te_files.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+POLICY_SECTIONS := $(PRE_TE_FILES) $(ALL_INTERFACES) $(GLOBALBOOL) $(GLOBALTUN) $(ALL_TE_FILES) $(POST_TE_FILES)
########################################
#
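Review bot: POLICY_SECTIONS now hands $(ALL_INTERFACES) and $(ALL_TE_FILES) straight to m4, so the `ifeq ($(ALL_INTERFACES),)` / `ifeq ($(ALL_TE_FILES),)` guards that the removed tmp/ rules carried (the hunk starting at line 60) are gone, and an empty or missing modules.conf now surfaces as an m4 or checkpolicy error on a partial policy.conf rather than the explicit `No enabled modules!` message. The same check fits at top level right after ALL_TE_FILES is assigned, with no temporary file involved: `ifeq ($(strip $(ALL_TE_FILES)),)` / `$(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)` / `endif`. The `sed -e s/dollarsstar/\$$\*/g` rewrite of the interface files is also dropped; if any .if file still uses that placeholder it now reaches m4 literally, which is worth confirming. Ordering changed as well: `attribute`/`type` lines are no longer hoisted ahead of the rules, which is harmless for a single module but matters if one module's rules reference a type declared in a later one.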
@@ -140,7 +139,7 @@ policy: $(POLVER)
install: $(LOADPATH)
-load: tmp/load
+load: .load_stamp
########################################
#
@@ -166,11 +165,11 @@ $(LOADPATH): policy.conf
#
# Load the binary policy
#
-tmp/load: reload
-reload: $(LOADPATH) $(FCPATH)
+.load_stamp: reload
+reload: $(LOADPATH)
@echo "Loading $(NAME) $(LOADPATH)"
$(QUIET) $(LOADPOLICY) $(LOADPATH)
- @touch tmp/load
+ @touch .load_stamp
########################################
#
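Review bot: `.load_stamp` is still created as a side effect of the `reload` recipe (`@touch .load_stamp`) while the `.load_stamp: reload` rule itself has no recipe, so the target's own rule never writes `$@`; moving the touch into that rule (`.load_stamp: reload` followed by a tab-indented `@touch $@`) keeps each recipe producing only its target. `$(FCPATH)` is also dropped from reload's prerequisites without mention in the description — if loading depends on the file-contexts file that edge is now invisible to make, and if it never did, the message should say so. The stamp has moved out of tmp/ into the policy directory, so the clean target (outside this hunk) presumably needs to remove `.load_stamp` as well.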
@@ -181,50 +180,6 @@ policy.conf: $(POLICY_SECTIONS)
# checkpolicy can use the #line directives provided by -s for error reporting:
$(QUIET) m4 -D self_contained_policy $(M4PARAM) -s $^ > $@
-tmp/pre_te_files.conf: $(PRE_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/all_interfaces.conf: $(M4SUPPORT) $(ALL_INTERFACES)
-ifeq ($(ALL_INTERFACES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ | sed -e s/dollarsstar/\$$\*/g > $@
-
-tmp/all_te_files.conf: $(ALL_TE_FILES)
-ifeq ($(ALL_TE_FILES),)
- $(error No enabled modules! $(notdir $(MOD_CONF)) please create a modules.conf file)
-endif
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-tmp/post_te_files.conf: $(POST_TE_FILES)
- @test -d tmp || mkdir -p tmp
- $(QUIET) cat $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last. portcon, nodecon, and netifcon
-# is delayed since they are generated by m4
-tmp/all_attrs_types.conf tmp/all_post.conf: tmp/only_te_rules.conf
-tmp/only_te_rules.conf: tmp/all_te_files.conf tmp/post_te_files.conf
- $(QUIET) grep ^attribute tmp/all_te_files.conf > tmp/all_attrs_types.conf || true
- $(QUIET) grep '^type ' tmp/all_te_files.conf >> tmp/all_attrs_types.conf
- $(QUIET) cat tmp/post_te_files.conf > tmp/all_post.conf
- $(QUIET) grep '^sid ' tmp/all_te_files.conf >> tmp/all_post.conf || true
- $(QUIET) grep ^pirqcon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) grep ^ioportcon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) grep ^iomemcon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) grep ^pcidevicecon tmp/all_te_files.conf >> \
- tmp/all_post.conf || true
- $(QUIET) sed -r -e /^attribute/d -e '/^type /d' -e '/^sid /d' \
- -e "/^pirqcon/d" -e "/^pcidevicecon/d" -e "/^ioportcon/d" \
- -e "/^iomemcon/d" < tmp/all_te_files.conf \
- > tmp/only_te_rules.conf
-
########################################
#
# Remove the dontaudit rules from the policy.conf
diff --git a/tools/flask/policy/policy/initial_sids b/tools/flask/policy/policy/initial_sids
new file mode 100644
index 0000000..b70a54e
--- /dev/null
+++ b/tools/flask/policy/policy/initial_sids
@@ -0,0 +1,12 @@
+# Labels for initial SIDs
+
+sid xen gen_context(system_u:system_r:xen_t,s0)
+sid dom0 gen_context(system_u:system_r:dom0_t,s0)
+sid domxen gen_context(system_u:system_r:domxen_t,s0)
+sid domio gen_context(system_u:system_r:domio_t,s0)
+sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
+sid security gen_context(system_u:system_r:security_t,s0)
+sid irq gen_context(system_u:object_r:irq_t,s0)
+sid iomem gen_context(system_u:object_r:iomem_t,s0)
+sid ioport gen_context(system_u:object_r:ioport_t,s0)
+sid device gen_context(system_u:object_r:device_t,s0)
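Review bot: A one-line comment explaining why these `sid` statements live in their own file rather than in xen.te would help the next reader, since the file only works because $(POLDIR)/initial_sids is appended via POST_TE_FILES after every module: `# Kept separate from xen.te and appended last (POST_TE_FILES) so the types named here are already declared when checkpolicy reaches the sid labels.` This preserves what the removed tmp/all_post.conf rule did by grepping `^sid ` lines into the tail of the policy. The xen.te section header `# Labels for initial SIDs and system role`, left as context in the last hunk, now describes only the role lines and could be updated to match.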
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index c5e0883..ac52c3f 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -162,16 +162,6 @@ neverallow * ~event_type:event { create send status };
# Labels for initial SIDs and system role
#
################################################################################
-sid xen gen_context(system_u:system_r:xen_t,s0)
-sid dom0 gen_context(system_u:system_r:dom0_t,s0)
-sid domxen gen_context(system_u:system_r:domxen_t,s0)
-sid domio gen_context(system_u:system_r:domio_t,s0)
-sid unlabeled gen_context(system_u:system_r:unlabeled_t,s0)
-sid security gen_context(system_u:system_r:security_t,s0)
-sid irq gen_context(system_u:object_r:irq_t,s0)
-sid iomem gen_context(system_u:object_r:iomem_t,s0)
-sid ioport gen_context(system_u:object_r:ioport_t,s0)
-sid device gen_context(system_u:object_r:device_t,s0)
role system_r;
role system_r types { xen_type domain_type };
--
1.7.7.6