Add permissive type query.

libapol/__init__.py

@@ -32,6 +32,7 @@ import rolequery
 import userquery
 import boolquery
 import polcapquery
+import permissivequery
 
 # Rule Queries
 import terulequery

libapol/permissivequery.py

@@ -0,0 +1,51 @@
+# Copyright 2014, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+import re
+
+import compquery
+
+
+class PermissiveQuery(compquery.ComponentQuery):
+
+    """Query permissive types"""
+
+    def __init__(self, policy,
+                 name="", name_regex=False):
+        """
+        Parameters:
+        name        The name of the policy capability to match.
+        name_regex  If true, regular expression matching will
+                    be used for matching the name.
+        """
+
+        self.policy = policy
+        self.set_name(name, regex=name_regex)
+
+    def results(self):
+        """Generator which yields all matching permissive types."""
+
+        for t in self.policy.permissives():
+            if self.name and not self._match_regex(
+                    t,
+                    self.name,
+                    self.name_regex,
+                    self.name_cmp):
+                continue
+
+            yield t

tests/__init__.py

@@ -20,6 +20,7 @@ import commonquery
 import dta
 import objclassquery
 import polcapquery
+import permissivequery
 import infoflow
 import terulequery
 import rbacrulequery

tests/permissivequery.conf

@@ -0,0 +1,135 @@
+class infoflow
+class infoflow2
+class infoflow3
+class infoflow4
+class infoflow5
+class infoflow6
+class infoflow7
+
+sid kernel
+sid security
+
+common infoflow
+{
+	low_w
+	med_w
+	hi_w
+	low_r
+	med_r
+	hi_r
+}
+
+class infoflow
+inherits infoflow
+
+class infoflow2
+inherits infoflow
+{
+	super_w
+	super_r
+}
+
+class infoflow3
+{
+	null
+}
+
+class infoflow4
+inherits infoflow
+
+class infoflow5
+inherits infoflow
+
+class infoflow6
+inherits infoflow
+
+class infoflow7
+inherits infoflow
+{
+	super_w
+	super_r
+	super_none
+	super_both
+	super_unmapped
+}
+
+sensitivity low_s;
+sensitivity medium_s alias med;
+sensitivity high_s;
+
+dominance { low_s med high_s }
+
+category here;
+category there;
+category elsewhere alias lost;
+
+#level decl
+level low_s:here.there;
+level med:here, elsewhere;
+level high_s:here.lost;
+
+#some constraints
+mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
+
+attribute mls_exempt;
+
+type system;
+role system;
+role system types system;
+
+################################################################################
+# Type enforcement declarations and rules
+
+########################################
+#
+# Type Query
+#
+
+# test 1
+# name: test1
+# attrs: unset
+# alias: unset
+type test1;
+type test1a;
+permissive test1;
+
+
+# test 2
+# name: test2(a|b)$ regex
+type test2a;
+type test2b;
+type test2c alias test2alias;
+type test2aFAIL;
+permissive test2a;
+permissive test2b;
+permissive test2aFAIL;
+
+################################################################################
+
+#users
+user system roles system level med range low_s - high_s:here.lost;
+
+#normal constraints
+constrain infoflow hi_w (u1 == u2);
+
+#isids
+sid kernel system:system:system:medium_s:here
+sid security system:system:system:high_s:lost
+
+#fs_use
+fs_use_trans devpts system:object_r:system:low_s;
+fs_use_xattr ext3 system:object_r:system:low_s;
+fs_use_task pipefs system:object_r:system:low_s;
+
+#genfscon
+genfscon proc / system:object_r:system:med
+genfscon proc /sys system:object_r:system:low_s
+genfscon selinuxfs / system:object_r:system:high_s:here.there
+
+portcon tcp 80 system:object_r:system:low_s
+
+netifcon eth0 system:object_r:system:low_s system:object_r:system:low_s
+
+nodecon 127.0.0.1 255.255.255.255 system:object_r:system:low_s:here
+nodecon ::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff system:object_r:system:low_s:here
+

tests/permissivequery.py

@@ -0,0 +1,53 @@
+# Copyright 2014, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 2 of the License, or
+# (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with SETools.  If not, see <http://www.gnu.org/licenses/>.
+#
+import unittest
+
+from libapol import SELinuxPolicy
+from libapol.permissivequery import PermissiveQuery
+
+
+class PolCapQueryTest(unittest.TestCase):
+
+    def setUp(self):
+        self.p = SELinuxPolicy("tests/permissivequery.conf")
+
+    def test_000_unset(self):
+        """Policy capability query with no criteria"""
+        # query with no parameters gets all permissives
+        for numtypes, t in enumerate(self.p.permissives(), start=1):
+            pass
+
+        q = PermissiveQuery(self.p)
+        for q_numtypes, t in enumerate(q.results(), start=1):
+            pass
+
+        self.assertEqual(numtypes, q_numtypes)
+
+    def test_001_name_exact(self):
+        """Permissive query with exact match"""
+        q = PermissiveQuery(self.p, name="test1", name_regex=False)
+
+        types = sorted(str(t) for t in q.results())
+        self.assertListEqual(["test1"], types)
+
+    def test_002_name_regex(self):
+        """Permissive query query with regex match"""
+        q = PermissiveQuery(self.p, name="test2(a|b)$", name_regex=True)
+
+        types = sorted(str(t) for t in q.results())
+        self.assertListEqual(["test2a", "test2b"], types)