From d5286d7169d13779dae3c745e55969a173634c33 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Tue, 14 Oct 2008 10:57:24 -0400
Subject: [PATCH] Genfscon 'dash' issue

On Tue, 2008-10-14 at 02:00 +0000, korkishko Tymur wrote:
> I have checked policy_parse.y. It has following rule for genfscon:
>
> genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
> {if (define_genfs_context(1)) return -1;}
> | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> {if (define_genfs_context(1)) return -1;}
> | GENFSCON identifier path security_context_def
> {if (define_genfs_context(0)) return -1;}
>
> The rule for path definition (in policy_scan.l) has already included '-' (dash):
>
> "/"({alnum}|[_.-/])* { return(PATH); }
>
> In my understanding (maybe wrong), path is parsed first (and path might include '-') and only then separate '-' is parsed.
> But it still produces an error if path definition is correct and includes '-'.
>
> Any ideas/patches how to fix grammar rules are welcomed.

This looks like a bug in policy_scan.l - we are not escaping (via backslash) special characters in the pattern and thus the "-" (dash) is being interpreted rather than taken literally. The same would seemingly apply for "." (dot), and would seem relevant not only to PATH but also for IDENTIFIER.

The patch below seems to fix this issue for me:

--- checkpolicy/policy_scan.l | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 9bc6e107..b55c6598 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l 
@@ -207,8 +207,8 @@ policycap | POLICYCAP { return(POLICYCAP); } permissive | PERMISSIVE { return(PERMISSIVE); } -"/"({alnum}|[_.-/])* { return(PATH); } -{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); } +"/"({alnum}|[_\.\-/])* { return(PATH); } +{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {digit}+ { return(NUMBER); } {digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
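Review bot: Only the `\-` in the new PATH rule changes what the scanner accepts; the other added backslashes are no-ops, and the commit message should say so. In the old PATH class `[_.-/]` the sequence `.-/` is a range from '.' to '/', which leaves '-' out of the class, and that is the reported failure. In the IDENTIFIER rule, `[_-]` already has the dash in last position, where it is literal, and '.' is always literal inside a bracket expression (the unchanged IPV6_ADDR context line still uses `[:.]`), so `[_\-]` and `[\.]` match exactly what they matched before. Either drop the IDENTIFIER change or describe it as a consistency cleanup rather than a fix, and consider adding a genfscon statement whose path contains a dash to a test input so the PATH change is covered.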