Move permissive query into type query

TypeQuery needed the permisive matching support to be complete. This made
PermissiveQuery redundant.

Made the permissive state an option, so enforcing types could be queried.

setools/__init__.py

@@ -1,5 +1,5 @@
 """The SETools SELinux policy analysis library."""
-# Copyright 2014, Tresys Technology, LLC
+# Copyright 2014-2015, Tresys Technology, LLC
 #
 # This file is part of SETools.
 #
@@ -35,7 +35,6 @@ from . import rolequery
 from . import userquery
 from . import boolquery
 from . import polcapquery
-from . import permissivequery
 
 # Rule Queries
 from . import terulequery

setools/permissivequery.py

@@ -1,51 +0,0 @@
-# Copyright 2014, Tresys Technology, LLC
-#
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Lesser General Public License as
-# published by the Free Software Foundation, either version 2.1 of
-# the License, or (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with SETools.  If not, see
-# <http://www.gnu.org/licenses/>.
-#
-import re
-
-from . import compquery
-
-
-class PermissiveQuery(compquery.ComponentQuery):
-
-    """Query permissive types"""
-
-    def __init__(self, policy,
-                 name="", name_regex=False):
-        """
-        Parameters:
-        name        The name of the permissive type to match.
-        name_regex  If true, regular expression matching will
-                    be used for matching the name.
-        """
-
-        self.policy = policy
-        self.set_name(name, regex=name_regex)
-
-    def results(self):
-        """Generator which yields all matching permissive types."""
-
-        for t in self.policy.permissives():
-            if self.name and not self._match_regex(
-                    t,
-                    self.name,
-                    self.name_regex,
-                    self.name_cmp):
-                continue
-
-            yield t

setools/typequery.py

@@ -1,4 +1,4 @@
-# Copyright 2014, Tresys Technology, LLC
+# Copyright 2014-2015, Tresys Technology, LLC
 #
 # This file is part of SETools.
 #
@@ -28,30 +28,34 @@ class TypeQuery(compquery.ComponentQuery):
     def __init__(self, policy,
                  name="", name_regex=False,
                  alias="", alias_regex=False,
-                 attrs=set(), attrs_equal=False, attrs_regex=False):
+                 attrs=set(), attrs_equal=False, attrs_regex=False,
+                 permissive=False, match_permissive=False):
         """
         Parameter:
-        policy	     The policy to query.
-        name         The type name to match.
-        name_regex   If true, regular expression matching
-                     will be used on the type names.
-        alias        The alias name to match.
-        alias_regex  If true, regular expression matching
-                     will be used on the alias names.
-        attrs        The attribute to match.
-        attrs_equal  If true, only types with attribute sets
-                     that are equal to the criteria will
-                     match.  Otherwise, any intersection
-                     will match.
-        attrs_regex  If true, regular expression matching
-                     will be used on the attribute names instead
-                     of set logic.
+        policy	            The policy to query.
+        name                The type name to match.
+        name_regex          If true, regular expression matching
+                            will be used on the type names.
+        alias               The alias name to match.
+        alias_regex         If true, regular expression matching
+                            will be used on the alias names.
+        attrs               The attribute to match.
+        attrs_equal         If true, only types with attribute sets
+                            that are equal to the criteria will
+                            match.  Otherwise, any intersection
+                            will match.
+        attrs_regex         If true, regular expression matching
+                            will be used on the attribute names instead
+                            of set logic.
+        match_permissive    If true, the permissive state will be matched.
+        permissive          The permissive state to match.
         """
 
         self.policy = policy
         self.set_name(name, regex=name_regex)
         self.set_alias(alias, regex=alias_regex)
         self.set_attrs(attrs, regex=attrs_regex, equal=attrs_equal)
+        self.set_permissive(match_permissive, permissive=permissive)
 
     def results(self):
         """Generator which yields all matching types."""
@@ -79,6 +83,9 @@ class TypeQuery(compquery.ComponentQuery):
                     self.attrs_cmp):
                 continue
 
+            if self.match_permissive and t.ispermissive != self.permissive:
+                continue
+
             yield t
 
     def set_alias(self, alias, **opts):
@@ -141,3 +148,24 @@ class TypeQuery(compquery.ComponentQuery):
             self.attrs_cmp = re.compile(self.attrs)
         else:
             self.attrs_cmp = None
+
+    def set_permissive(self, match, **opts):
+        """
+        Set if the permissive state should be matched.
+
+        Parameter:
+        match       If true, the permissive state will be matched.
+        permissive  If true, permissive types will match, otherwise
+                    enforcing types will match.
+
+        Exceptions:
+        NameError   Invalid keyword option.
+        """
+
+        self.match_permissive = bool(match)
+
+        for k in list(opts.keys()):
+            if k == "permissive":
+                self.permissive = bool(opts[k])
+            else:
+                raise NameError("Invalid permissive option: {0}".format(k))

tests/__init__.py

@@ -1,4 +1,4 @@
-# Copyright 2014, Tresys Technology, LLC
+# Copyright 2014-2015, Tresys Technology, LLC
 #
 # This file is part of SETools.
 #
@@ -26,7 +26,6 @@ from . import netifconquery
 from . import nodeconquery
 from . import objclassquery
 from . import polcapquery
-from . import permissivequery
 from . import infoflow
 from . import terulequery
 from . import rbacrulequery

tests/permissivequery.conf

@@ -1,135 +0,0 @@
-class infoflow
-class infoflow2
-class infoflow3
-class infoflow4
-class infoflow5
-class infoflow6
-class infoflow7
-
-sid kernel
-sid security
-
-common infoflow
-{
-	low_w
-	med_w
-	hi_w
-	low_r
-	med_r
-	hi_r
-}
-
-class infoflow
-inherits infoflow
-
-class infoflow2
-inherits infoflow
-{
-	super_w
-	super_r
-}
-
-class infoflow3
-{
-	null
-}
-
-class infoflow4
-inherits infoflow
-
-class infoflow5
-inherits infoflow
-
-class infoflow6
-inherits infoflow
-
-class infoflow7
-inherits infoflow
-{
-	super_w
-	super_r
-	super_none
-	super_both
-	super_unmapped
-}
-
-sensitivity low_s;
-sensitivity medium_s alias med;
-sensitivity high_s;
-
-dominance { low_s med high_s }
-
-category here;
-category there;
-category elsewhere alias lost;
-
-#level decl
-level low_s:here.there;
-level med:here, elsewhere;
-level high_s:here.lost;
-
-#some constraints
-mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
-
-attribute mls_exempt;
-
-type system;
-role system;
-role system types system;
-
-################################################################################
-# Type enforcement declarations and rules
-
-########################################
-#
-# Type Query
-#
-
-# test 1
-# name: test1
-# attrs: unset
-# alias: unset
-type test1;
-type test1a;
-permissive test1;
-
-
-# test 2
-# name: test2(a|b)$ regex
-type test2a;
-type test2b;
-type test2c alias test2alias;
-type test2aFAIL;
-permissive test2a;
-permissive test2b;
-permissive test2aFAIL;
-
-################################################################################
-
-#users
-user system roles system level med range low_s - high_s:here.lost;
-
-#normal constraints
-constrain infoflow hi_w (u1 == u2);
-
-#isids
-sid kernel system:system:system:medium_s:here
-sid security system:system:system:high_s:lost
-
-#fs_use
-fs_use_trans devpts system:object_r:system:low_s;
-fs_use_xattr ext3 system:object_r:system:low_s;
-fs_use_task pipefs system:object_r:system:low_s;
-
-#genfscon
-genfscon proc / system:object_r:system:med
-genfscon proc /sys system:object_r:system:low_s
-genfscon selinuxfs / system:object_r:system:high_s:here.there
-
-portcon tcp 80 system:object_r:system:low_s
-
-netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
-
-nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
-nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
-

tests/permissivequery.py

@@ -1,51 +0,0 @@
-# Copyright 2014, Tresys Technology, LLC
-#
-# This file is part of SETools.
-#
-# SETools is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 2 of the License, or
-# (at your option) any later version.
-#
-# SETools is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
-#
-import unittest
-
-from setools import SELinuxPolicy
-from setools.permissivequery import PermissiveQuery
-
-
-class PolCapQueryTest(unittest.TestCase):
-
-    def setUp(self):
-        self.p = SELinuxPolicy("tests/permissivequery.conf")
-
-    def test_000_unset(self):
-        """Policy capability query with no criteria"""
-        # query with no parameters gets all permissives
-        types = sorted(self.p.permissives())
-
-        q = PermissiveQuery(self.p)
-        q_types = sorted(q.results())
-
-        self.assertListEqual(types, q_types)
-
-    def test_001_name_exact(self):
-        """Permissive query with exact match"""
-        q = PermissiveQuery(self.p, name="test1", name_regex=False)
-
-        types = sorted(str(t) for t in q.results())
-        self.assertListEqual(["test1"], types)
-
-    def test_002_name_regex(self):
-        """Permissive query query with regex match"""
-        q = PermissiveQuery(self.p, name="test2(a|b)$", name_regex=True)
-
-        types = sorted(str(t) for t in q.results())
-        self.assertListEqual(["test2a", "test2b"], types)

tests/typequery.conf

@@ -158,6 +158,14 @@ type test21t1 alias { test21a test21c };
 type test21t2 alias { test21b test21d };
 type test21t3 alias { test21e test21f };
 
+# test 30
+# name: test30
+# attrs: unset
+# alias: unset
+type test30;
+type test30a;
+permissive test30;
+
 ################################################################################
 
 #users

tests/typequery.py

@@ -1,4 +1,4 @@
-# Copyright 2014, Tresys Technology, LLC
+# Copyright 2014-2015, Tresys Technology, LLC
 #
 # This file is part of SETools.
 #
@@ -86,3 +86,10 @@ class TypeQueryTest(unittest.TestCase):
 
         types = sorted(str(t) for t in q.results())
         self.assertListEqual(["test21t1", "test21t2"], types)
+
+    def test_030_permissive(self):
+        """Type query with permissive match"""
+        q = TypeQuery(self.p, match_permissive=True, permissive=True)
+
+        types = sorted(str(t) for t in q.results())
+        self.assertListEqual(["test30"], types)