Chris PeBenito
4ecd6d00a5
Implement TypeAttributeQuery.
...
closes #13
closes #14
2015-03-16 10:46:33 -04:00
Chris PeBenito
f4b1b68195
Rename type attribute interfaces.
...
Make sure they reflect that they are for type rather than role attributes.
2015-03-16 10:38:43 -04:00
Chris PeBenito
46392c752b
Add tests for MLS factory functions on MLS-disabled policy.
2015-03-15 15:01:46 -04:00
Chris PeBenito
e3f2a98c43
Merge validatetrans into constraints in policyrep.
2015-03-14 14:52:58 -04:00
Chris PeBenito
a24a59ee08
Revise policyrep exceptions.
...
Add exception for objects that have no corresponding statement, such
as conditional expressions and MLS ranges.
Rename InvalidRuleUse to RuleUseError.
2015-03-12 12:45:20 -04:00
Chris PeBenito
1657d9d09e
Change SELinuxPolicy unit test 001 to output notice to stderr.
...
Qpol prints out a parse error to stderr. Put the message about this being
expected on stderr too, to sync up the messages.
2015-03-12 10:48:41 -04:00
Chris PeBenito
14aa57c669
Implement role/type/user criteria unit tests for ConstraintQuery
...
closes #7
closes #8
closes #9
2015-03-12 09:27:36 -04:00
Chris PeBenito
8812f02411
Implement part of ConstraintQuery.
...
Still requires criteria on the constraint expression.
closes #6
closes #12
2015-03-08 14:50:43 -04:00
Chris PeBenito
ac19359b71
Implement SensitivityQuery
...
closes #19
closes #20
2015-03-07 11:16:59 -05:00
Chris PeBenito
0aacb700da
Fix alias handling for sensitivities and categories.
...
If there are aliases, qpol includes those in the counts.
2015-03-07 11:06:24 -05:00
Chris PeBenito
17758ad5e9
Clean up imports
2015-03-07 09:45:17 -05:00
Chris PeBenito
e55764700c
Refactor MLS-related objects.
...
Drop the "MLS" prepended to category, sensitivity, level, and range
objects.
2015-03-07 09:39:01 -05:00
Chris PeBenito
0b295755de
Distinguish policy syntax errors from other OS errors, e.g. ENOENT.
...
The policy parser does not set errno, so the libqpol code assumes the
errors from parser code are always invalid syntax, rather than something
else like out of memory. This may not always be the case, but any other
kind of error is unlikely (and likely catastrophic)
2015-03-06 10:44:32 -05:00
Chris PeBenito
320c5e60f2
Implement MLSCategoryQuery.
...
closes #21
2015-03-06 09:19:35 -05:00
Chris PeBenito
ee6e4fa12f
Add binary policy SELinuxPolicy tests.
2015-03-05 12:16:37 -05:00
Chris PeBenito
e6db6eaa90
Adjust SELinuxPolicy item count tests to remove overlaps.
...
Eliminates the chance that the items are accidentally getting the right
answer by counting one of the overlapping items (e.g. by copy-paste error
in the code)
2015-03-04 12:17:13 -05:00
Chris PeBenito
f7f0b96a6b
Fix conditional rules in SELinuxPolicy test policy.
...
Adjust so no optimization can be made (with a theoretical future
optimizing compiler)
2015-03-04 12:16:50 -05:00
Chris PeBenito
af3c5b5e3e
Add SELinuxPolicy test cases.
...
Created a test policy with prime number counts of everything so there
should be no accidental correct answers.
2015-03-03 13:18:29 -05:00
Chris PeBenito
7e8ea8438c
Implement level and range criteria for UserQuery.
2015-03-02 09:15:22 -05:00
Chris PeBenito
f472d6c912
Break up tests in policyrep/mls.
2015-02-28 10:59:53 -05:00
Chris PeBenito
1352888dc0
Add additional DTA and infoflow rules for self loop testing.
...
An edge from a node going back to itself should be ignored.
2015-02-28 10:11:13 -05:00
Chris PeBenito
175b7c167f
Implement range matching in MLSRuleQuery.
...
Skip adding all of the range matching options in sesearch for now, as it
already has a large number of CLI options.
closes #5
2015-02-25 14:17:38 -05:00
Chris PeBenito
9939f5241e
Implement MLS range tests on several context-based queries.
2015-02-24 15:50:08 -05:00
Chris PeBenito
fa02fdfbb5
ContextQuery: implement range matching criteria.
...
Implement unit tests on FSUseQuery for initial testing.
closes #22
2015-02-24 09:44:12 -05:00
Chris PeBenito
a8d7f740b2
Change range constructor to use regular levels instead of semantic ones.
...
This affords better error reporting since levels can be invalid for
several reasons.
* Fix memory leak in qpol_semantic_level
* Add unit tests
2015-02-22 09:24:39 -05:00
Chris PeBenito
ceb6736962
Implement included/excluded classes/permissions in PermissionMap.
...
closes #24
2015-02-16 16:31:18 -05:00
Chris PeBenito
bdb47c7241
PEP8 fixes for unit test code.
...
Except max line length of 100.
2015-02-12 14:34:49 -05:00
Chris PeBenito
de8bbb88b0
Implement boolean criteria for TE rule query.
...
Match rules based on the Booleans in the rule's conditional expression.
closes #4
2015-02-11 09:24:09 -05:00
Chris PeBenito
79100ae6a2
Rename/move coveragerc.
...
Enables running coverage as: coverage run setup.py test
2015-02-07 20:56:54 -05:00
Chris PeBenito
da44b3592b
DTA: implement excluded types and reverse analysis.
...
closes #25
closes #26
2015-02-07 15:07:40 -05:00
Chris PeBenito
0b2782b0a2
Add coverage.py configuration.
2015-02-03 08:08:35 -05:00
Chris PeBenito
2418619e2a
Move permissive query into type query
...
TypeQuery needed the permissive matching support to be complete. This made
PermissiveQuery redundant.
Made the permissive state an option, so enforcing types could be queried.
2015-01-31 12:10:11 -05:00
Chris PeBenito
5127caf8ae
Implement file type criteria for GenfsconQuery.
2014-11-29 10:24:41 -05:00
Chris PeBenito
8ba3cf16f5
Change all unit tests for "unset" query to use full comparison.
...
Fully compare the lists rather than only counting objects.
Also fix comparison problem in Nodecon and Genfscon. In libqpol, the all
genfscons/nodecons iterators allocate new objects, so the pointer
comparison in PolicySymbol fails.
2014-11-25 13:24:36 -05:00
Chris PeBenito
9fec147c52
Implement portcon query.
2014-11-24 22:08:34 -05:00
Chris PeBenito
448305f2ef
Add NodeconQuery functions for matching on IP version.
2014-11-12 13:39:36 -05:00
Chris PeBenito
4798e10706
Work around IPv6Network constructor expanded netmask issue.
...
Python 3.3's IPv6Network constructor does not support an expanded netmask
for specifying the network, only CIDR. Convert all netmasks to CIDR.
The code does not verify that the original expanded netmask from the policy
is correct; it counts all set bits in the netmask.
Also add IPv6 NodeconQuery unit tests.
2014-11-10 20:14:33 -05:00
Chris PeBenito
8a07be100f
Implement infoflow subgraph to handle min weight and excluded types.
...
Infoflow now will create a complete graph for the policy and then create
a subgraph to filter out nodes based on excluded types and edges based on
minimum weight. The main graph will only need to be rebuilt if there is
a change in the permission map. While this is a little more expensive for
seinfoflow, it should make interactive analysis in apol faster since
repeatedly deriving a subgraph will be faster than repeatedly rebuilding
the entire graph.
2014-11-09 20:00:01 -05:00
Chris PeBenito
7b617bf938
Switch DTA to use TypeAttr objects in the graph instead of strings.
2014-11-09 13:57:35 -05:00
Chris PeBenito
5be254a309
Change infoflow to use TypeAttr objects rather than string representations
...
This will also catch invalid types passed in for analysis.
2014-11-09 11:27:38 -05:00
Chris PeBenito
669bc5194a
Implement NodeconQuery.
2014-11-08 22:40:42 -05:00
Chris PeBenito
248df414ab
Add MLSRuleQuery unit tests.
...
Turns out the rules are always expanded, so indirect options had
no effect.
2014-11-06 19:59:02 -05:00
Chris PeBenito
fc597fed99
Add nodecon query.
...
It could use IPv6 tests, but those have the same code paths as IPv4.
2014-11-05 13:09:35 -05:00
Chris PeBenito
2842962942
Add FSUseQuery.
2014-11-03 13:50:06 -05:00
Chris PeBenito
4e7aeed9ff
Implement genfscon query.
2014-11-02 10:47:30 -05:00
Chris PeBenito
be32a92f79
Python 3: fix manual generator consuming
2014-10-29 21:51:19 -04:00
Chris PeBenito
1ece6b0c11
Python 3: fix dict .keys() usage.
2014-10-29 21:50:43 -04:00
Chris PeBenito
43e9019193
Use relative imports for submodules.
...
Needed for Python 3.x.
2014-10-25 08:07:11 -04:00
Chris PeBenito
109ba68a92
Rename libapol package to setools.
2014-10-24 21:23:13 -04:00
Chris PeBenito
8649a761fa
Add additional dta and infoflow test policy.
...
Get full test coverage on graph building functions.
2014-10-13 10:53:13 -04:00
Chris PeBenito
cf0c64a757
Add initial SID query unit tests.
2014-10-10 10:28:09 -04:00
Chris PeBenito
61e0a852e5
Add permissive type query.
2014-10-02 14:29:07 -04:00
Chris PeBenito
04c18218b2
Add RBAC rule query unit tests.
2014-10-02 11:37:28 -04:00
Chris PeBenito
4e995cc13f
Convert unit tests over to assertListEqual where possible.
...
It makes determining what's wrong easier since it has a diff-style
output. Also put the expected list first, so the diff style makes sense.
2014-08-01 10:52:17 -04:00
Chris PeBenito
997be5787b
Implement object class and commons queries.
2014-08-01 08:56:29 -04:00
Chris PeBenito
3cdb59cdd0
Fix rolequery unit test for PEP8.
2014-07-21 13:45:09 -04:00
Chris PeBenito
917327f345
Implement role query.
2014-07-21 13:26:30 -04:00
Chris PeBenito
8ea6da9c2f
Add user implementation and user query.
...
TODO: MLS default level and range criteria
2014-07-17 09:39:06 -04:00
Chris PeBenito
39505d0295
Initial public release.
2014-07-08 14:28:55 -04:00