When installed from virtualenv, setools fails to write into /usr/share/setools.
This fix uses sys.prefix to install data_files either system wide or inside the
virtualenv.
TypeQuery needed the permisive matching support to be complete. This made
PermissiveQuery redundant.
Made the permissive state an option, so enforcing types could be queried.
This fix removes "error: label 'fail' defined but not used [-Werror=unused-label]"
compilation errors. Exceptions handlers (fail label) where defined in swig, but no
exceptions where raised in the function, causing the compilation error.
* break apart classes that are overloaded (e.g. TypeAttr)
* move object class member function out of Rule subclasses, into Rule.
* Fix SWIG wrapper to make class member function for rules to be consistent
* Restructure queries to only have one output
* Fix portcon help info to be clearer about specifying ports
* Cover all functions with exception handling
Fully compare the lists rather than only counting objects.
Also fix comparison problem in Nodecon and Genfscon. In libqpol, the all
genfscons/nodecons iterators allocate new objects, so the pointer
comparison in PolicySymbol fails.
Python 3.3's IPv6Network constructor does not support an expanded netmask
for specifying the network, only CIDR. Convert all netmasks to CIDR.
The code does not verify that the orignal expanded netmask from the policy
is correct; it counts all set bits in the netmask.
Also add IPv6 NodeconQuery unit tests.
We always want the rule_weight to work, even in the face of unmapped
permissions. Other functions, e.g. for handling permission map editing
and saving may raise an exception.
Infoflow now will create a complete graph for the policy and then create
a subgraph to filter out nodes based on excluded types and edges based on
minimum weight. The main graph will only need to be rebuilt if there is
a change in the permission map. While this is a little more expensive for
seinfoflow, it should make interactive analysis in apol faster since
repeatedly deriving a subgraph will be faster than repeatedly rebuilding
the entire graph.
