mirror of
https://github.com/SELinuxProject/setools
synced 2025-03-25 04:26:28 +00:00
Chris PeBenito
parent
64043865e4
commit
b1b1a36ae2
87
sediff
87
sediff
@ -70,6 +70,14 @@ mlsrule = parser.add_argument_group("MLS rule differences")
|
||||
mlsrule.add_argument("--range_trans", action="store_true",
|
||||
help="Print range_transition rule differences")
|
||||
|
||||
constrain = parser.add_argument_group("Constraint differences")
|
||||
constrain.add_argument("--constrain", action="store_true", help="Print constrain differences")
|
||||
constrain.add_argument("--mlsconstrain", action="store_true", help="Print mlsconstrain differences")
|
||||
constrain.add_argument("--validatetrans", action="store_true",
|
||||
help="Print validatetrans differences")
|
||||
constrain.add_argument("--mlsvalidatetrans", action="store_true",
|
||||
help="Print mlsvalidatetrans differences")
|
||||
|
||||
labeling = parser.add_argument_group("labeling statement differences")
|
||||
labeling.add_argument("--initialsid", action="store_true", help="Print initial SID differences")
|
||||
labeling.add_argument("--fs_use", action="store_true", help="Print fs_use_* differences")
|
||||
@ -92,7 +100,8 @@ all_differences = not any((args.class_, args.common, args.type_, args.attribute,
|
||||
args.type_trans, args.type_change, args.type_member, args.role_allow,
|
||||
args.role_trans, args.range_trans, args.initialsid, args.genfscon,
|
||||
args.netifcon, args.nodecon, args.portcon, args.fs_use, args.polcap,
|
||||
args.property, args.default))
|
||||
args.property, args.default, args.constrain, args.mlsconstrain,
|
||||
args.validatetrans, args.mlsvalidatetrans))
|
||||
|
||||
if args.debug:
|
||||
logging.basicConfig(level=logging.DEBUG,
|
||||
@ -797,6 +806,82 @@ try:
|
||||
|
||||
print()
|
||||
|
||||
if all_differences or args.constrain:
|
||||
if diff.added_constrains or diff.removed_constrains or args.constrain:
|
||||
print("Constraints ({0} Added, {1} Removed)".format(
|
||||
len(diff.added_constrains), len(diff.removed_constrains)))
|
||||
|
||||
if diff.added_constrains and not args.stats:
|
||||
print(" Added Constraints: {0}".format(
|
||||
len(diff.added_constrains)))
|
||||
for r in sorted(diff.added_constrains):
|
||||
print(" + {0}".format(r))
|
||||
|
||||
if diff.removed_constrains and not args.stats:
|
||||
print(" Removed Constraints: {0}".format(
|
||||
len(diff.removed_constrains)))
|
||||
for r in sorted(diff.removed_constrains):
|
||||
print(" - {0}".format(r))
|
||||
|
||||
print()
|
||||
|
||||
if all_differences or args.mlsconstrain:
|
||||
if diff.added_mlsconstrains or diff.removed_mlsconstrains or args.mlsconstrain:
|
||||
print("MLS Constraints ({0} Added, {1} Removed)".format(
|
||||
len(diff.added_mlsconstrains), len(diff.removed_mlsconstrains)))
|
||||
|
||||
if diff.added_mlsconstrains and not args.stats:
|
||||
print(" Added MLS Constraints: {0}".format(
|
||||
len(diff.added_mlsconstrains)))
|
||||
for r in sorted(diff.added_mlsconstrains):
|
||||
print(" + {0}".format(r))
|
||||
|
||||
if diff.removed_mlsconstrains and not args.stats:
|
||||
print(" Removed MLS Constraints: {0}".format(
|
||||
len(diff.removed_mlsconstrains)))
|
||||
for r in sorted(diff.removed_mlsconstrains):
|
||||
print(" - {0}".format(r))
|
||||
|
||||
print()
|
||||
|
||||
if all_differences or args.validatetrans:
|
||||
if diff.added_validatetrans or diff.removed_validatetrans or args.validatetrans:
|
||||
print("Validatetrans ({0} Added, {1} Removed)".format(
|
||||
len(diff.added_validatetrans), len(diff.removed_validatetrans)))
|
||||
|
||||
if diff.added_validatetrans and not args.stats:
|
||||
print(" Added Validatetrans: {0}".format(
|
||||
len(diff.added_validatetrans)))
|
||||
for r in sorted(diff.added_validatetrans):
|
||||
print(" + {0}".format(r))
|
||||
|
||||
if diff.removed_validatetrans and not args.stats:
|
||||
print(" Removed Validatetrans: {0}".format(
|
||||
len(diff.removed_validatetrans)))
|
||||
for r in sorted(diff.removed_validatetrans):
|
||||
print(" - {0}".format(r))
|
||||
|
||||
print()
|
||||
|
||||
if all_differences or args.mlsvalidatetrans:
|
||||
if diff.added_mlsvalidatetrans or diff.removed_mlsvalidatetrans or args.mlsvalidatetrans:
|
||||
print("MLS Validatetrans ({0} Added, {1} Removed)".format(
|
||||
len(diff.added_mlsvalidatetrans), len(diff.removed_mlsvalidatetrans)))
|
||||
|
||||
if diff.added_mlsvalidatetrans and not args.stats:
|
||||
print(" Added MLS Validatetrans: {0}".format(
|
||||
len(diff.added_mlsvalidatetrans)))
|
||||
for r in sorted(diff.added_mlsvalidatetrans):
|
||||
print(" + {0}".format(r))
|
||||
|
||||
if diff.removed_mlsvalidatetrans and not args.stats:
|
||||
print(" Removed MLS Validatetrans: {0}".format(
|
||||
len(diff.removed_mlsvalidatetrans)))
|
||||
for r in sorted(diff.removed_mlsvalidatetrans):
|
||||
print(" - {0}".format(r))
|
||||
|
||||
print()
|
||||
|
||||
if all_differences or args.initialsid:
|
||||
if diff.added_initialsids or diff.removed_initialsids or diff.modified_initialsids \
|
||||
or args.initialsid:
|
||||
|
||||
@ -18,6 +18,7 @@
|
||||
#
|
||||
from .bool import BooleansDifference
|
||||
from .commons import CommonDifference
|
||||
from .constraints import ConstraintsDifference
|
||||
from .default import DefaultsDifference
|
||||
from .fsuse import FSUsesDifference
|
||||
from .genfscon import GenfsconsDifference
|
||||
@ -43,6 +44,7 @@ __all__ = ['PolicyDifference']
|
||||
class PolicyDifference(BooleansDifference,
|
||||
CategoriesDifference,
|
||||
CommonDifference,
|
||||
ConstraintsDifference,
|
||||
DefaultsDifference,
|
||||
FSUsesDifference,
|
||||
GenfsconsDifference,
|
||||
|
||||
220
setools/diff/constraints.py
Normal file
220
setools/diff/constraints.py
Normal file
@ -0,0 +1,220 @@
|
||||
# Copyright 2016, Tresys Technology, LLC
|
||||
#
|
||||
# This file is part of SETools.
|
||||
#
|
||||
# SETools is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Lesser General Public License as
|
||||
# published by the Free Software Foundation, either version 2.1 of
|
||||
# the License, or (at your option) any later version.
|
||||
#
|
||||
# SETools is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU Lesser General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU Lesser General Public
|
||||
# License along with SETools. If not, see
|
||||
# <http://www.gnu.org/licenses/>.
|
||||
#
|
||||
from collections import namedtuple
|
||||
|
||||
from .descriptors import DiffResultDescriptor
|
||||
from .difference import Difference, SymbolWrapper, Wrapper
|
||||
|
||||
|
||||
class ConstraintsDifference(Difference):
|
||||
|
||||
"""
|
||||
Determine the difference in constraints between two policies.
|
||||
|
||||
Since the compiler does not union constraints, there may be multiple
|
||||
constraints with the same ruletype, object class, and permission
|
||||
set, so constraints can only be added or removed, not modified.
|
||||
|
||||
The constraint expressions are compared only on a basic level.
|
||||
Expressions that are logically equivalent but are structurally
|
||||
different, for example, by associativity, will be considered
|
||||
different. Type and role attributes are also not expanded,
|
||||
so if there are changes to attribute members, it will not
|
||||
be reflected as a difference.
|
||||
"""
|
||||
|
||||
added_constrains = DiffResultDescriptor("diff_constrains")
|
||||
removed_constrains = DiffResultDescriptor("diff_constrains")
|
||||
|
||||
added_mlsconstrains = DiffResultDescriptor("diff_mlsconstrains")
|
||||
removed_mlsconstrains = DiffResultDescriptor("diff_mlsconstrains")
|
||||
|
||||
added_validatetrans = DiffResultDescriptor("diff_validatetrans")
|
||||
removed_validatetrans = DiffResultDescriptor("diff_validatetrans")
|
||||
|
||||
added_mlsvalidatetrans = DiffResultDescriptor("diff_mlsvalidatetrans")
|
||||
removed_mlsvalidatetrans = DiffResultDescriptor("diff_mlsvalidatetrans")
|
||||
|
||||
# Lists of rules for each policy
|
||||
_left_constrains = None
|
||||
_right_constrains = None
|
||||
|
||||
_left_mlsconstrains = None
|
||||
_right_mlsconstrains = None
|
||||
|
||||
_left_validatetrans = None
|
||||
_right_validatetrans = None
|
||||
|
||||
_left_mlsvalidatetrans = None
|
||||
_right_mlsvalidatetrans = None
|
||||
|
||||
def diff_constrains(self):
|
||||
"""Generate the difference in constraint rules between the policies."""
|
||||
|
||||
self.log.info("Generating constraint differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_constrains is None or self._right_constrains is None:
|
||||
self._create_constrain_lists()
|
||||
|
||||
self.added_constrains, self.removed_constrains, _ = self._set_diff(
|
||||
(ConstraintWrapper(c) for c in self._left_constrains),
|
||||
(ConstraintWrapper(c) for c in self._right_constrains))
|
||||
|
||||
def diff_mlsconstrains(self):
|
||||
"""Generate the difference in MLS constraint rules between the policies."""
|
||||
|
||||
self.log.info(
|
||||
"Generating MLS constraint differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_mlsconstrains is None or self._right_mlsconstrains is None:
|
||||
self._create_constrain_lists()
|
||||
|
||||
self.added_mlsconstrains, self.removed_mlsconstrains, _ = self._set_diff(
|
||||
(ConstraintWrapper(c) for c in self._left_mlsconstrains),
|
||||
(ConstraintWrapper(c) for c in self._right_mlsconstrains))
|
||||
|
||||
def diff_validatetrans(self):
|
||||
"""Generate the difference in validatetrans rules between the policies."""
|
||||
|
||||
self.log.info(
|
||||
"Generating validatetrans differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_validatetrans is None or self._right_validatetrans is None:
|
||||
self._create_constrain_lists()
|
||||
|
||||
self.added_validatetrans, self.removed_validatetrans, _ = self._set_diff(
|
||||
(ConstraintWrapper(c) for c in self._left_validatetrans),
|
||||
(ConstraintWrapper(c) for c in self._right_validatetrans))
|
||||
|
||||
def diff_mlsvalidatetrans(self):
|
||||
"""Generate the difference in MLS validatetrans rules between the policies."""
|
||||
|
||||
self.log.info(
|
||||
"Generating mlsvalidatetrans differences from {0.left_policy} to {0.right_policy}".
|
||||
format(self))
|
||||
|
||||
if self._left_mlsvalidatetrans is None or self._right_mlsvalidatetrans is None:
|
||||
self._create_constrain_lists()
|
||||
|
||||
self.added_mlsvalidatetrans, self.removed_mlsvalidatetrans, _ = self._set_diff(
|
||||
(ConstraintWrapper(c) for c in self._left_mlsvalidatetrans),
|
||||
(ConstraintWrapper(c) for c in self._right_mlsvalidatetrans))
|
||||
|
||||
#
|
||||
# Internal functions
|
||||
#
|
||||
def _create_constrain_lists(self):
|
||||
"""Create rule lists for both policies."""
|
||||
self._left_constrains = []
|
||||
self._left_mlsconstrains = []
|
||||
self._left_validatetrans = []
|
||||
self._left_mlsvalidatetrans = []
|
||||
for rule in self.left_policy.constraints():
|
||||
if rule.ruletype == "constrain":
|
||||
self._left_constrains.append(rule)
|
||||
elif rule.ruletype == "mlsconstrain":
|
||||
self._left_mlsconstrains.append(rule)
|
||||
elif rule.ruletype == "validatetrans":
|
||||
self._left_validatetrans.append(rule)
|
||||
elif rule.ruletype == "mlsvalidatetrans":
|
||||
self._left_mlsvalidatetrans.append(rule)
|
||||
else:
|
||||
self.log.error("Unknown rule type: {0} (This is an SETools bug)".
|
||||
format(rule.ruletype))
|
||||
|
||||
self._right_constrains = []
|
||||
self._right_mlsconstrains = []
|
||||
self._right_validatetrans = []
|
||||
self._right_mlsvalidatetrans = []
|
||||
for rule in self.right_policy.constraints():
|
||||
if rule.ruletype == "constrain":
|
||||
self._right_constrains.append(rule)
|
||||
elif rule.ruletype == "mlsconstrain":
|
||||
self._right_mlsconstrains.append(rule)
|
||||
elif rule.ruletype == "validatetrans":
|
||||
self._right_validatetrans.append(rule)
|
||||
elif rule.ruletype == "mlsvalidatetrans":
|
||||
self._right_mlsvalidatetrans.append(rule)
|
||||
else:
|
||||
self.log.error("Unknown rule type: {0} (This is an SETools bug)".
|
||||
format(rule.ruletype))
|
||||
|
||||
def _reset_diff(self):
|
||||
"""Reset diff results on policy changes."""
|
||||
self.log.debug("Resetting all constraints differences")
|
||||
self.added_constrains = None
|
||||
self.removed_constrains = None
|
||||
self.added_mlsconstrains = None
|
||||
self.removed_mlsconstrains = None
|
||||
self.added_validatetrans = None
|
||||
self.removed_validatetrans = None
|
||||
self.added_mlsvalidatetrans = None
|
||||
self.removed_mlsvalidatetrans = None
|
||||
|
||||
# Sets of rules for each policy
|
||||
self._left_constrains = None
|
||||
self._left_mlsconstrains = None
|
||||
self._left_validatetrans = None
|
||||
self._left_mlsvalidatetrans = None
|
||||
self._right_constrains = None
|
||||
self._right_mlsconstrains = None
|
||||
self._right_validatetrans = None
|
||||
self._right_mlsvalidatetrans = None
|
||||
|
||||
|
||||
class ConstraintWrapper(Wrapper):
|
||||
|
||||
"""Wrap constraints for diff purposes."""
|
||||
|
||||
def __init__(self, rule):
|
||||
self.origin = rule
|
||||
self.ruletype = rule.ruletype
|
||||
self.tclass = SymbolWrapper(rule.tclass)
|
||||
|
||||
try:
|
||||
self.perms = rule.perms
|
||||
except AttributeError:
|
||||
# (mls)validatetrans
|
||||
self.perms = None
|
||||
|
||||
self.key = hash(rule)
|
||||
|
||||
self.expr = []
|
||||
for op in rule.postfix_expression():
|
||||
if isinstance(op, frozenset):
|
||||
# lists of types/users/roles
|
||||
self.expr.append(frozenset(SymbolWrapper(item) for item in op))
|
||||
else:
|
||||
# strings in the expression such as u1/r1/t1 or "=="
|
||||
self.expr.append(op)
|
||||
|
||||
def __hash__(self):
|
||||
return self.key
|
||||
|
||||
def __lt__(self, other):
|
||||
return self.key < other.key
|
||||
|
||||
def __eq__(self, other):
|
||||
return self.ruletype == other.ruletype and \
|
||||
self.tclass == other.tclass and \
|
||||
self.perms == other.perms and \
|
||||
self.expr == other.expr
|
||||
240
tests/diff.py
240
tests/diff.py
@ -1349,6 +1349,178 @@ class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
|
||||
self.assertIsNone(added_range)
|
||||
self.assertIsNone(removed_range)
|
||||
|
||||
#
|
||||
# constrains
|
||||
#
|
||||
def test_added_constrains(self):
|
||||
"""Diff: added constrains."""
|
||||
l = sorted(self.diff.added_constrains)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
constrain = l[0]
|
||||
self.assertEqual("constrain", constrain.ruletype)
|
||||
self.assertEqual("infoflow3", constrain.tclass)
|
||||
self.assertSetEqual(set(["null"]), constrain.perms)
|
||||
self.assertListEqual(["u1", "u2", "!="], constrain.postfix_expression())
|
||||
|
||||
constrain = l[1]
|
||||
self.assertEqual("constrain", constrain.ruletype)
|
||||
self.assertEqual("infoflow5", constrain.tclass)
|
||||
self.assertSetEqual(set(["hi_r"]), constrain.perms)
|
||||
self.assertListEqual(
|
||||
['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '!=', 'or'],
|
||||
constrain.postfix_expression())
|
||||
|
||||
def test_removed_constrains(self):
|
||||
"""Diff: removed constrains."""
|
||||
l = sorted(self.diff.removed_constrains)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
constrain = l[0]
|
||||
self.assertEqual("constrain", constrain.ruletype)
|
||||
self.assertEqual("infoflow4", constrain.tclass)
|
||||
self.assertSetEqual(set(["hi_w"]), constrain.perms)
|
||||
self.assertListEqual(["u1", "u2", "!="], constrain.postfix_expression())
|
||||
|
||||
constrain = l[1]
|
||||
self.assertEqual("constrain", constrain.ruletype)
|
||||
self.assertEqual("infoflow5", constrain.tclass)
|
||||
self.assertSetEqual(set(["hi_r"]), constrain.perms)
|
||||
self.assertListEqual(
|
||||
['u1', 'u2', '==', 'r1', 'r2', '==', 'and', 't1', set(["system"]), '==', 'or'],
|
||||
constrain.postfix_expression())
|
||||
|
||||
#
|
||||
# mlsconstrains
|
||||
#
|
||||
def test_added_mlsconstrains(self):
|
||||
"""Diff: added mlsconstrains."""
|
||||
l = sorted(self.diff.added_mlsconstrains)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
mlsconstrain = l[0]
|
||||
self.assertEqual("mlsconstrain", mlsconstrain.ruletype)
|
||||
self.assertEqual("infoflow3", mlsconstrain.tclass)
|
||||
self.assertSetEqual(set(["null"]), mlsconstrain.perms)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and',
|
||||
't1', set(["mls_exempt"]), '!=', 'or'],
|
||||
mlsconstrain.postfix_expression())
|
||||
|
||||
mlsconstrain = l[1]
|
||||
self.assertEqual("mlsconstrain", mlsconstrain.ruletype)
|
||||
self.assertEqual("infoflow5", mlsconstrain.tclass)
|
||||
self.assertSetEqual(set(["hi_r"]), mlsconstrain.perms)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', 'domby', 'h1', 'h2', 'incomp',
|
||||
'and', 't1', set(["mls_exempt"]), '==', 'or'],
|
||||
mlsconstrain.postfix_expression())
|
||||
|
||||
def test_removed_mlsconstrains(self):
|
||||
"""Diff: removed mlsconstrains."""
|
||||
l = sorted(self.diff.removed_mlsconstrains)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
mlsconstrain = l[0]
|
||||
self.assertEqual("mlsconstrain", mlsconstrain.ruletype)
|
||||
self.assertEqual("infoflow4", mlsconstrain.tclass)
|
||||
self.assertSetEqual(set(["hi_w"]), mlsconstrain.perms)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', 'domby', 'h1', 'h2', 'domby', 'and',
|
||||
't1', set(["mls_exempt"]), '==', 'or'],
|
||||
mlsconstrain.postfix_expression())
|
||||
|
||||
mlsconstrain = l[1]
|
||||
self.assertEqual("mlsconstrain", mlsconstrain.ruletype)
|
||||
self.assertEqual("infoflow5", mlsconstrain.tclass)
|
||||
self.assertSetEqual(set(["hi_r"]), mlsconstrain.perms)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', 'domby', 'h1', 'h2', 'dom', 'and', 't1', set(["mls_exempt"]), '==', 'or'],
|
||||
mlsconstrain.postfix_expression())
|
||||
|
||||
#
|
||||
# validatetrans
|
||||
#
|
||||
def test_added_validatetrans(self):
|
||||
"""Diff: added validatetrans."""
|
||||
l = sorted(self.diff.added_validatetrans)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
validatetrans = l[0]
|
||||
self.assertEqual("validatetrans", validatetrans.ruletype)
|
||||
self.assertEqual("infoflow3", validatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['t1', 't2', '==', 't3', set(["system"]), '==', 'or'],
|
||||
validatetrans.postfix_expression())
|
||||
|
||||
validatetrans = l[1]
|
||||
self.assertEqual("validatetrans", validatetrans.ruletype)
|
||||
self.assertEqual("infoflow5", validatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['u1', 'u2', '!=', 'r1', 'r2', '==', 'and', 't3', set(["system"]), '==', 'or'],
|
||||
validatetrans.postfix_expression())
|
||||
|
||||
def test_removed_validatetrans(self):
|
||||
"""Diff: removed validatetrans."""
|
||||
l = sorted(self.diff.removed_validatetrans)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
validatetrans = l[0]
|
||||
self.assertEqual("validatetrans", validatetrans.ruletype)
|
||||
self.assertEqual("infoflow4", validatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['u1', 'u2', '==', 't3', set(["system"]), '==', 'or'],
|
||||
validatetrans.postfix_expression())
|
||||
|
||||
validatetrans = l[1]
|
||||
self.assertEqual("validatetrans", validatetrans.ruletype)
|
||||
self.assertEqual("infoflow5", validatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['u1', 'u2', '==', 'r1', 'r2', '!=', 'and', 't3', set(["system"]), '==', 'or'],
|
||||
validatetrans.postfix_expression())
|
||||
|
||||
#
|
||||
# mlsvalidatetrans
|
||||
#
|
||||
def test_added_mlsvalidatetrans(self):
|
||||
"""Diff: added mlsvalidatetrans."""
|
||||
l = sorted(self.diff.added_mlsvalidatetrans)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
mlsvalidatetrans = l[0]
|
||||
self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype)
|
||||
self.assertEqual("infoflow3", mlsvalidatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', 'or'],
|
||||
mlsvalidatetrans.postfix_expression())
|
||||
|
||||
mlsvalidatetrans = l[1]
|
||||
self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype)
|
||||
self.assertEqual("infoflow5", mlsvalidatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', 'incomp', 'h1', 'h2', 'domby',
|
||||
'and', 't3', set(["mls_exempt"]), '==', 'or'],
|
||||
mlsvalidatetrans.postfix_expression())
|
||||
|
||||
def test_removed_mlsvalidatetrans(self):
|
||||
"""Diff: removed mlsvalidatetrans."""
|
||||
l = sorted(self.diff.removed_mlsvalidatetrans)
|
||||
self.assertEqual(2, len(l))
|
||||
|
||||
mlsvalidatetrans = l[0]
|
||||
self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype)
|
||||
self.assertEqual("infoflow4", mlsvalidatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', '==', 'h1', 'h2', '==', 'and', 't3', set(["mls_exempt"]), '==', 'or'],
|
||||
mlsvalidatetrans.postfix_expression())
|
||||
|
||||
mlsvalidatetrans = l[1]
|
||||
self.assertEqual("mlsvalidatetrans", mlsvalidatetrans.ruletype)
|
||||
self.assertEqual("infoflow5", mlsvalidatetrans.tclass)
|
||||
self.assertListEqual(
|
||||
['l1', 'l2', 'dom', 'h1', 'h2', 'dom', 'and', 't3', set(["mls_exempt"]), '==', 'or'],
|
||||
mlsvalidatetrans.postfix_expression())
|
||||
|
||||
|
||||
class PolicyDifferenceTestNoDiff(unittest.TestCase):
|
||||
|
||||
@ -1695,6 +1867,38 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
|
||||
"""NoDiff: no modified defaults."""
|
||||
self.assertFalse(self.diff.modified_defaults)
|
||||
|
||||
def test_added_constrains(self):
|
||||
"""NoDiff: no added constrains."""
|
||||
self.assertFalse(self.diff.added_constrains)
|
||||
|
||||
def test_removed_constrains(self):
|
||||
"""NoDiff: no removed constrains."""
|
||||
self.assertFalse(self.diff.removed_constrains)
|
||||
|
||||
def test_added_mlsconstrains(self):
|
||||
"""NoDiff: no added mlsconstrains."""
|
||||
self.assertFalse(self.diff.added_mlsconstrains)
|
||||
|
||||
def test_removed_mlsconstrains(self):
|
||||
"""NoDiff: no removed mlsconstrains."""
|
||||
self.assertFalse(self.diff.removed_mlsconstrains)
|
||||
|
||||
def test_added_validatetrans(self):
|
||||
"""NoDiff: no added validatetrans."""
|
||||
self.assertFalse(self.diff.added_validatetrans)
|
||||
|
||||
def test_removed_validatetrans(self):
|
||||
"""NoDiff: no removed validatetrans."""
|
||||
self.assertFalse(self.diff.removed_validatetrans)
|
||||
|
||||
def test_added_mlsvalidatetrans(self):
|
||||
"""NoDiff: no added mlsvalidatetrans."""
|
||||
self.assertFalse(self.diff.added_mlsvalidatetrans)
|
||||
|
||||
def test_removed_mlsvalidatetrans(self):
|
||||
"""NoDiff: no removed mlsvalidatetrans."""
|
||||
self.assertFalse(self.diff.removed_mlsvalidatetrans)
|
||||
|
||||
|
||||
class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
|
||||
|
||||
@ -2054,3 +2258,39 @@ class PolicyDifferenceTestMLStoStandard(unittest.TestCase):
|
||||
def test_modified_defaults(self):
|
||||
"""MLSvsStandardDiff: no defaults modified."""
|
||||
self.assertFalse(self.diff.modified_defaults)
|
||||
|
||||
def test_added_constraints(self):
|
||||
"""MLSvsStandardDiff: no added constraints."""
|
||||
self.assertFalse(self.diff.added_constrains)
|
||||
|
||||
def test_removed_constraints(self):
|
||||
"""MLSvsStandardDiff: no removed constraints."""
|
||||
self.assertFalse(self.diff.removed_constrains)
|
||||
|
||||
def test_added_validatetrans(self):
|
||||
"""MLSvsStandardDiff: no added validatetrans."""
|
||||
self.assertFalse(self.diff.added_validatetrans)
|
||||
|
||||
def test_removed_validatetrans(self):
|
||||
"""MLSvsStandardDiff: no removed validatetrans."""
|
||||
self.assertFalse(self.diff.removed_validatetrans)
|
||||
|
||||
def test_added_mlsconstraints(self):
|
||||
"""MLSvsStandardDiff: no added mlsconstraints."""
|
||||
self.assertFalse(self.diff.added_mlsconstrains)
|
||||
|
||||
def test_removed_mlsconstraints(self):
|
||||
"""MLSvsStandardDiff: all mlsconstraints removed."""
|
||||
self.assertEqual(
|
||||
sum(1 for m in self.diff.left_policy.constraints() if m.ruletype == "mlsconstrain"),
|
||||
len(self.diff.removed_mlsconstrains))
|
||||
|
||||
def test_added_mlsvalidatetrans(self):
|
||||
"""MLSvsStandardDiff: no added mlsvalidatetrans."""
|
||||
self.assertFalse(self.diff.added_mlsvalidatetrans)
|
||||
|
||||
def test_removed_mlsvalidatetrans(self):
|
||||
"""MLSvsStandardDiff: all mlsvalidatetrans removed."""
|
||||
self.assertEqual(
|
||||
sum(1 for m in self.diff.left_policy.constraints() if m.ruletype == "mlsvalidatetrans"),
|
||||
len(self.diff.removed_mlsvalidatetrans))
|
||||
|
||||
@ -151,9 +151,28 @@ level s44:c0.c4;
|
||||
level s45:c0.c4;
|
||||
level s47:c0.c4;
|
||||
|
||||
#some constraints
|
||||
# matching mls constraints
|
||||
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
||||
|
||||
# added mls constraint
|
||||
|
||||
# removed mls constraint
|
||||
mlsconstrain infoflow4 hi_w ((l1 domby l2 and h1 domby h2) or (t1 == mls_exempt));
|
||||
|
||||
# remove/add mls constraint (expression change)
|
||||
mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 dom h2) or (t1 == mls_exempt));
|
||||
|
||||
# matching mls validatetrans
|
||||
mlsvalidatetrans infoflow (h1 == h2 or t3 == system);
|
||||
|
||||
# added mls validatetrans
|
||||
|
||||
# removed mls validatetrans
|
||||
mlsvalidatetrans infoflow4 ((l1 == l2 and h1 == h2) or t3 == mls_exempt);
|
||||
|
||||
# remove/add mls validatetrans (expression change)
|
||||
mlsvalidatetrans infoflow5 ((l1 dom l2 and h1 dom h2) or (t3 == mls_exempt));
|
||||
|
||||
attribute mls_exempt;
|
||||
attribute an_attr;
|
||||
attribute removed_attr;
|
||||
@ -631,8 +650,31 @@ user modified_remove_role roles { system removed_role } level s2 range s2;
|
||||
user modified_change_level roles system level s2:c0 range s2:c0 - s2:c0,c1;
|
||||
user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c3;
|
||||
|
||||
#normal constraints
|
||||
constrain infoflow hi_w (u1 == u2);
|
||||
# matching constraints
|
||||
constrain infoflow hi_w (u1 == u2 or t1 == system);
|
||||
constrain infoflow hi_w (t1 == t2 or t1 == system);
|
||||
constrain infoflow hi_r (r1 == r2 or t1 == system);
|
||||
|
||||
# added constraint
|
||||
|
||||
# removed constraint
|
||||
constrain infoflow4 hi_w (u1 != u2);
|
||||
|
||||
# remove/add constraint (expression change)
|
||||
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 == system));
|
||||
|
||||
# matching validatetrans
|
||||
validatetrans infoflow (u1 == u2 or t3 == system);
|
||||
validatetrans infoflow (r1 == r2 or t3 == system);
|
||||
validatetrans infoflow2 (u1 == u2 or t3 == system);
|
||||
|
||||
# added validatetrans
|
||||
|
||||
# removed validatetrans
|
||||
validatetrans infoflow4 (u1 == u2 or t3 == system);
|
||||
|
||||
# remove/add validatetrans (expression change)
|
||||
validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system));
|
||||
|
||||
#isids
|
||||
sid kernel system:system:system:s0
|
||||
|
||||
@ -572,8 +572,31 @@ user modified_remove_role roles { system removed_role };
|
||||
user modified_change_level roles system;
|
||||
user modified_change_range roles system;
|
||||
|
||||
#normal constraints
|
||||
constrain infoflow hi_w (u1 == u2);
|
||||
# matching constraints
|
||||
constrain infoflow hi_w (u1 == u2 or t1 == system);
|
||||
constrain infoflow hi_w (t1 == t2 or t1 == system);
|
||||
constrain infoflow hi_r (r1 == r2 or t1 == system);
|
||||
|
||||
# added constraint
|
||||
|
||||
# removed constraint
|
||||
constrain infoflow4 hi_w (u1 != u2);
|
||||
|
||||
# remove/add constraint (expression change)
|
||||
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 == system));
|
||||
|
||||
# matching validatetrans
|
||||
validatetrans infoflow (u1 == u2 or t3 == system);
|
||||
validatetrans infoflow (r1 == r2 or t3 == system);
|
||||
validatetrans infoflow2 (u1 == u2 or t3 == system);
|
||||
|
||||
# added validatetrans
|
||||
|
||||
# removed validatetrans
|
||||
validatetrans infoflow4 (u1 == u2 or t3 == system);
|
||||
|
||||
# remove/add validatetrans (expression change)
|
||||
validatetrans infoflow5 ((u1 == u2 and r1 != r2) or (t3 == system));
|
||||
|
||||
#isids
|
||||
sid kernel system:system:system
|
||||
|
||||
@ -151,9 +151,28 @@ level s44:c0.c4;
|
||||
level s45:c0.c4;
|
||||
level s46:c0.c4;
|
||||
|
||||
#some constraints
|
||||
# matching mls constraints
|
||||
mlsconstrain infoflow hi_r ((l1 dom l2) or (t1 == mls_exempt));
|
||||
|
||||
# added mls constraint
|
||||
mlsconstrain infoflow3 null ((l1 domby l2 and h1 domby h2) or (t1 != mls_exempt));
|
||||
|
||||
# removed mls constraint
|
||||
|
||||
# remove/add mls constraint (expression change)
|
||||
mlsconstrain infoflow5 hi_r ((l1 domby l2 and h1 incomp h2) or (t1 == mls_exempt));
|
||||
|
||||
# matching mls validatetrans
|
||||
mlsvalidatetrans infoflow (h1 == h2 or t3 == system);
|
||||
|
||||
# added mls validatetrans
|
||||
mlsvalidatetrans infoflow3 ((l1 == l2 and h1 == h2) or t3 == mls_exempt);
|
||||
|
||||
# removed mls validatetrans
|
||||
|
||||
# remove/add mls validatetrans (expression change)
|
||||
mlsvalidatetrans infoflow5 ((l1 incomp l2 and h1 domby h2) or (t3 == mls_exempt));
|
||||
|
||||
attribute mls_exempt;
|
||||
attribute an_attr;
|
||||
attribute added_attr;
|
||||
@ -631,8 +650,31 @@ user modified_remove_role roles system level s2 range s2;
|
||||
user modified_change_level roles system level s2:c1 range s2:c1 - s2:c0,c1;
|
||||
user modified_change_range roles system level s3:c1 range s3:c1 - s3:c1.c4;
|
||||
|
||||
#normal constraints
|
||||
constrain infoflow hi_w (u1 == u2);
|
||||
# matching constraints
|
||||
constrain infoflow hi_w (u1 == u2 or t1 == system);
|
||||
constrain infoflow hi_w (t1 == t2 or t1 == system);
|
||||
constrain infoflow hi_r (r1 == r2 or t1 == system);
|
||||
|
||||
# added constraint
|
||||
constrain infoflow3 null (u1 != u2);
|
||||
|
||||
# removed constraint
|
||||
|
||||
# remove/add constraint (expression change)
|
||||
constrain infoflow5 hi_r ((u1 == u2 and r1 == r2) or (t1 != system));
|
||||
|
||||
# matching validatetrans
|
||||
validatetrans infoflow (u1 == u2 or t3 == system);
|
||||
validatetrans infoflow (r1 == r2 or t3 == system);
|
||||
validatetrans infoflow2 (u1 == u2 or t3 == system);
|
||||
|
||||
# added validatetrans
|
||||
validatetrans infoflow3 (t1 == t2 or t3 == system);
|
||||
|
||||
# removed validatetrans
|
||||
|
||||
# remove/add validatetrans (expression change)
|
||||
validatetrans infoflow5 ((u1 != u2 and r1 == r2) or (t3 == system));
|
||||
|
||||
#isids
|
||||
sid kernel system:system:system:s0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user