From 9cbd404ceb6c87483a4b8b2718b8d9ed8e4e6b56 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 30 Sep 2011 09:20:16 -0400
Subject: [PATCH] sepolgen: Ignore permissive qualifier if found in an interface

During Rawhide releases we change all "unconfined_domains" to permissive domains in order to find new AVC messages without breaking rawhide boxes. The way we do this is changing the unconfined_domain interface and putting permissive $1; in it. sepolgen does not like this and blows up the build. This patch tells sepolgen to ignore the permissive in an interface.

Signed-off-by: Eric Paris
Acked-by: Dan Walsh
---
 sepolgen/src/sepolgen/refparser.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index 1a2eec8b..955784da 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -109,6 +109,7 @@ tokens = (
 'DONTAUDIT',
 'AUDITALLOW',
 'NEVERALLOW',
+ 'PERMISSIVE',
 'TYPE_TRANSITION',
 'TYPE_CHANGE',
 'TYPE_MEMBER',
@@ -170,6 +171,7 @@ reserved = {
 'dontaudit' : 'DONTAUDIT',
 'auditallow' : 'AUDITALLOW',
 'neverallow' : 'NEVERALLOW',
+ 'permissive' : 'PERMISSIVE',
 'type_transition' : 'TYPE_TRANSITION',
 'type_change' : 'TYPE_CHANGE',
 'type_member' : 'TYPE_MEMBER',
@@ -490,6 +492,7 @@ def p_policy_stmt(p):
 | interface_call
 | role_def
 | role_allow
+ | permissive
 | type_def
 | typealias_def
 | attribute_def
@@ -747,6 +750,10 @@ def p_role_allow(p):
 r.tgt_roles = p[3]
 p[0] = r
 
+def p_permissive(p):
+ 'permissive : PERMISSIVE names SEMI'
+ t.skip(1)
+
 def p_avrule_def(p):
 '''avrule_def : ALLOW names names COLON names names SEMI
 | DONTAUDIT names names COLON names names SEMI
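Review bot: In the last hunk, `p_permissive` calls `t.skip(1)`, but the only name bound in the function is its parameter `p`. Unless a module-level `t` exists outside the visible lines, this raises NameError the first time a `permissive` statement is reduced, so the build would presumably still fail. To discard the statement the body only needs `pass`. A permissive domain is not enforced, so dropping the statement silently means the parsed interface no longer shows that calling it makes `$1` permissive. A comment such as `# permissive is parsed and discarded: interface data will not record that the caller's type becomes permissive` would make that explicit for anyone relying on sepolgen output to review policy.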