sepolgen: Ignore permissive qualifier if found in an interface

During Rawhide releases we change all "unconfined_domains" to
permissive domains in order to find new AVC messages without breaking
Rawhide boxes.  The way we do this is by changing the unconfined_domain
interface and putting permissive $1; in it.  sepolgen does not like
this and blows up the build.  This patch tells sepolgen to ignore the
permissive in an interface.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Dan Walsh 2011-09-30 09:20:16 -04:00 committed by Eric Paris
parent 10fb8fdbb1
commit 9cbd404ceb


@ -109,6 +109,7 @@ tokens = (
'DONTAUDIT',
'AUDITALLOW',
'NEVERALLOW',
'PERMISSIVE',
'TYPE_TRANSITION',
'TYPE_CHANGE',
'TYPE_MEMBER',
@ -170,6 +171,7 @@ reserved = {
'dontaudit' : 'DONTAUDIT',
'auditallow' : 'AUDITALLOW',
'neverallow' : 'NEVERALLOW',
'permissive' : 'PERMISSIVE',
'type_transition' : 'TYPE_TRANSITION',
'type_change' : 'TYPE_CHANGE',
'type_member' : 'TYPE_MEMBER',
@ -490,6 +492,7 @@ def p_policy_stmt(p):
| interface_call
| role_def
| role_allow
| permissive
| type_def
| typealias_def
| attribute_def
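Review bot: the new `| permissive` alternative in p_policy_stmt accepts the statement wherever policy_stmt is accepted, while the commit message limits the intent to a permissive found inside an interface. If the wider acceptance is intended, say so in the commit message or in a comment beside the rule; if it is not, the alternative belongs in a production that only interface bodies reach.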
@ -747,6 +750,10 @@ def p_role_allow(p):
r.tgt_roles = p[3]
p[0] = r
def p_permissive(p):
'permissive : PERMISSIVE names SEMI'
t.skip(1)
def p_avrule_def(p):
'''avrule_def : ALLOW names names COLON names names SEMI
| DONTAUDIT names names COLON names names SEMI
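Review bot: in p_permissive the body calls `t.skip(1)`, but the function's only argument is `p` and nothing in this hunk defines `t`; unless a module-level `t` exists, reducing this rule raises NameError instead of ignoring the statement. Since the goal is to discard the statement, a body of `pass` is enough. That leaves p[0] as None, so it is worth confirming that whatever collects policy_stmt results tolerates a None entry.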