RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-04-11 04:01:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

policycoreutils/sepolgen: Add support for TYPEBOUNDS statement in INTERFACE policy files.

Browse Source 
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1319338

$ sepolgen-ifgen
/usr/share/selinux/devel/include/contrib/docker.if: Syntax error on line 503 docker_t [type=IDENTIFIER]
/usr/share/selinux/devel/include/roles/unconfineduser.if: Syntax error on line 706 unconfined_t [type=IDENTIFIER]

Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
This commit is contained in:
Miroslav Grepl 2016-03-21 21:36:52 +01:00 committed by Stephen Smalley
parent e93899c8f3
commit 9136e7a9bc
2 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sepolgen/src/sepolgen/refparser.py
View File

@ -113,6 +113,7 @@ tokens = (
'AUDITALLOW', 'AUDITALLOW',
'NEVERALLOW', 'NEVERALLOW',
'PERMISSIVE', 'PERMISSIVE',
'TYPEBOUNDS',
'TYPE_TRANSITION', 'TYPE_TRANSITION',
'TYPE_CHANGE', 'TYPE_CHANGE',
'TYPE_MEMBER', 'TYPE_MEMBER',
@ -178,6 +179,7 @@ reserved = {
'auditallow' : 'AUDITALLOW', 'auditallow' : 'AUDITALLOW',
'neverallow' : 'NEVERALLOW', 'neverallow' : 'NEVERALLOW',
'permissive' : 'PERMISSIVE', 'permissive' : 'PERMISSIVE',
'typebounds' : 'TYPEBOUNDS',
'type_transition' : 'TYPE_TRANSITION', 'type_transition' : 'TYPE_TRANSITION',
'type_change' : 'TYPE_CHANGE', 'type_change' : 'TYPE_CHANGE',
'type_member' : 'TYPE_MEMBER', 'type_member' : 'TYPE_MEMBER',
@ -502,6 +504,7 @@ def p_policy_stmt(p):
'''policy_stmt : gen_require '''policy_stmt : gen_require
| avrule_def | avrule_def
| typerule_def | typerule_def
| typebound_def
| typeattribute_def | typeattribute_def
| roleattribute_def | roleattribute_def
| interface_call | interface_call
@ -823,6 +826,13 @@ def p_typerule_def(p):
t.file_name = p[7] t.file_name = p[7]
p[0] = t p[0] = t
def p_typebound_def(p):
'''typebound_def : TYPEBOUNDS IDENTIFIER comma_list SEMI'''
t = refpolicy.TypeBound()
t.type = p[2]
t.tgt_types.update(p[3])
p[0] = t
def p_bool(p): def p_bool(p):
'''bool : BOOL IDENTIFIER TRUE SEMI '''bool : BOOL IDENTIFIER TRUE SEMI
| BOOL IDENTIFIER FALSE SEMI''' | BOOL IDENTIFIER FALSE SEMI'''

16
sepolgen/src/sepolgen/refpolicy.py
View File

@ -112,6 +112,9 @@ class Node(PolicyBase):
def typerules(self): def typerules(self):
return filter(lambda x: isinstance(x, TypeRule), walktree(self)) return filter(lambda x: isinstance(x, TypeRule), walktree(self))
def typebounds(self):
return filter(lambda x: isinstance(x, TypeBound), walktree(self))
def typeattributes(self): def typeattributes(self):
"""Iterate over all of the TypeAttribute children of this Interface.""" """Iterate over all of the TypeAttribute children of this Interface."""
return filter(lambda x: isinstance(x, TypeAttribute), walktree(self)) return filter(lambda x: isinstance(x, TypeAttribute), walktree(self))
@ -522,6 +525,19 @@ class TypeRule(Leaf):
self.tgt_types.to_space_str(), self.tgt_types.to_space_str(),
self.obj_classes.to_space_str(), self.obj_classes.to_space_str(),
self.dest_type) self.dest_type)
class TypeBound(Leaf):
"""SElinux typebound statement.
This class represents a typebound statement.
"""
def __init__(self, parent=None):
Leaf.__init__(self, parent)
self.type = ""
self.tgt_types = IdSet()
def to_string(self):
return "typebounds %s %s;" % (self.type, self.tgt_types.to_comma_str())
class RoleAllow(Leaf): class RoleAllow(Leaf):
def __init__(self, parent=None): def __init__(self, parent=None):