PolicyDifference: implement policy properties diff

Closes #62
2025-02-21 22:46:50 +00:00 · 2016-01-23 09:57:29 -05:00 · 2016-01-23 09:57:29 -05:00 · 008c698bfe
commit 008c698bfe
parent b5351f7104
4 changed files with 83 additions and 1 deletions
--- a/14
+++ b/14
@ -79,6 +79,8 @@ labeling.add_argument("--nodecon", action="store_true", help="Print nodecon diff
 labeling.add_argument("--portcon", action="store_true", help="Print portcon differences")

 other = parser.add_argument_group("other differences")
+other.add_argument("--property", action="store_true",
+                   help="Print policy property differences (handle_unknown, version, MLS)")
 other.add_argument("--polcap", action="store_true", help="Print policy capability differences")

 args = parser.parse_args()
@ -88,7 +90,8 @@ all_differences = not any((args.class_, args.common, args.type_, args.attribute,
                           args.allow, args.neverallow, args.auditallow, args.dontaudit,
                           args.type_trans, args.type_change, args.type_member, args.role_allow,
                           args.role_trans, args.range_trans, args.initialsid, args.genfscon,
-                           args.netifcon, args.nodecon, args.portcon, args.fs_use, args.polcap))
+                           args.netifcon, args.nodecon, args.portcon, args.fs_use, args.polcap,
+                           args.property))

 if args.debug:
    logging.basicConfig(level=logging.DEBUG,
@ -103,6 +106,15 @@ try:
    p2 = setools.SELinuxPolicy(args.POLICY2[0])
    diff = setools.PolicyDifference(p1, p2)

+    if all_differences or args.property:
+        print("Policy Properties ({0} Modified)".format(len(diff.modified_properties)))
+
+        if diff.modified_properties and not args.stats:
+            for name, added, removed in sorted(diff.modified_properties):
+                print("      * {0} +{1} -{2}".format(name, added, removed))
+
+        print()
+
    if all_differences or args.common:
        if diff.added_commons or diff.removed_commons or diff.modified_commons or args.common:
            print("Commons ({0} Added, {1} Removed, {2} Modified)".format(
--- a/setools/diff/init.py
+++ b/setools/diff/init.py
@ -28,6 +28,7 @@ from .nodecon import NodeconsDifference
 from .objclass import ObjClassDifference
 from .polcap import PolCapsDifference
 from .portcon import PortconsDifference
+from .properties import PropertiesDifference
 from .rbacrules import RBACRulesDifference
 from .roles import RolesDifference
 from .terules import TERulesDifference
@ -51,6 +52,7 @@ class PolicyDifference(BooleansDifference,
                       ObjClassDifference,
                       PolCapsDifference,
                       PortconsDifference,
+                       PropertiesDifference,
                       RBACRulesDifference,
                       RolesDifference,
                       SensitivitiesDifference,
--- a/setools/diff/properties.py
+++ b/setools/diff/properties.py
@ -0,0 +1,64 @@
+# Copyright 2016, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+from collections import namedtuple
+
+from .descriptors import DiffResultDescriptor
+from .difference import Difference
+
+
+modified_properties_record = namedtuple("modified_property", ["property", "added", "removed"])
+
+
+class PropertiesDifference(Difference):
+
+    """
+    Determine the difference in policy properties
+    (unknown permissions, MLS, etc.) between two policies.
+    """
+
+    modified_properties = DiffResultDescriptor("diff_properties")
+
+    def diff_properties(self):
+        self.modified_properties = []
+
+        if self.left_policy.handle_unknown != self.right_policy.handle_unknown:
+            self.modified_properties.append(
+                modified_properties_record("handle_unknown",
+                                           self.right_policy.handle_unknown,
+                                           self.left_policy.handle_unknown))
+
+        if self.left_policy.mls != self.right_policy.mls:
+            self.modified_properties.append(
+                modified_properties_record("MLS",
+                                           self.right_policy.mls,
+                                           self.left_policy.mls))
+
+        if self.left_policy.version != self.right_policy.version:
+            self.modified_properties.append(
+                modified_properties_record("version",
+                                           self.right_policy.version,
+                                           self.left_policy.version))
+
+    #
+    # Internal functions
+    #
+    def _reset_diff(self):
+        """Reset diff results on policy changes."""
+        self.log.debug("Resetting property differences")
+        self.modified_properties = None
--- a/tests/diff.py
+++ b/tests/diff.py
@ -1610,3 +1610,7 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
    def test_modified_portcons(self):
        """NoDiff: no modified portcons."""
        self.assertFalse(self.diff.modified_portcons)
+
+    def test_modified_properties(self):
+        """NoDiff: no modified properties."""
+        self.assertFalse(self.diff.modified_properties)