RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-03-25 04:26:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

PolicyDifference: implement TE rule difference

Browse Source 
Closes #43
This commit is contained in:
Chris PeBenito 2016-01-02 18:17:39 -05:00
parent c1ebfeb3e7
commit c913989f8c
6 changed files with 1740 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
setools/diff/__init__.py
View File

@ -19,6 +19,7 @@
from .commons import CommonDifference
from .objclass import ObjClassDifference
from .roles import RolesDifference
from .terules import TERulesDifference
from .types import TypesDifference
__all__ = ['PolicyDifference']
@ -27,6 +28,7 @@ __all__ = ['PolicyDifference']
class PolicyDifference(CommonDifference,
ObjClassDifference,
RolesDifference,
TERulesDifference,
TypesDifference):
"""

432
setools/diff/terules.py Normal file
View File

@ -0,0 +1,432 @@
# Copyright 2015, Tresys Technology, LLC
#
# This file is part of SETools.
#
# SETools is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation, either version 2.1 of
# the License, or (at your option) any later version.
#
# SETools is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with SETools. If not, see
# <http://www.gnu.org/licenses/>.
#
from collections import namedtuple
from ..policyrep.exception import RuleNotConditional, RuleUseError, TERuleNoFilename
from .conditional import ConditionalExprWrapper
from .descriptors import DiffResultDescriptor
from .difference import Difference, SymbolWrapper
modified_avrule_record = namedtuple("modified_avrule", ["rule",
"added_perms",
"removed_perms",
"matched_perms"])
modified_terule_record = namedtuple("modified_terule", ["rule", "added_default", "removed_default"])
class TERulesDifference(Difference):
"""
Determine the difference in type enforcement rules
between two policies.
"""
added_allows = DiffResultDescriptor("diff_allows")
removed_allows = DiffResultDescriptor("diff_allows")
modified_allows = DiffResultDescriptor("diff_allows")
added_auditallows = DiffResultDescriptor("diff_auditallows")
removed_auditallows = DiffResultDescriptor("diff_auditallows")
modified_auditallows = DiffResultDescriptor("diff_auditallows")
added_neverallows = DiffResultDescriptor("diff_neverallows")
removed_neverallows = DiffResultDescriptor("diff_neverallows")
modified_neverallows = DiffResultDescriptor("diff_neverallows")
added_dontaudits = DiffResultDescriptor("diff_dontaudits")
removed_dontaudits = DiffResultDescriptor("diff_dontaudits")
modified_dontaudits = DiffResultDescriptor("diff_dontaudits")
added_type_transitions = DiffResultDescriptor("diff_type_transitions")
removed_type_transitions = DiffResultDescriptor("diff_type_transitions")
modified_type_transitions = DiffResultDescriptor("diff_type_transitions")
added_type_changes = DiffResultDescriptor("diff_type_changes")
removed_type_changes = DiffResultDescriptor("diff_type_changes")
modified_type_changes = DiffResultDescriptor("diff_type_changes")
added_type_members = DiffResultDescriptor("diff_type_members")
removed_type_members = DiffResultDescriptor("diff_type_members")
modified_type_members = DiffResultDescriptor("diff_type_members")
# Lists of rules for each policy
_left_allows = None
_right_allows = None
_left_auditallows = None
_right_auditallows = None
_left_neverallows = None
_right_neverallows = None
_left_dontaudits = None
_right_dontaudits = None
_left_type_transitions = None
_right_type_transitions = None
_left_type_changes = None
_right_type_changes = None
_left_type_members = None
_right_type_members = None
def diff_allows(self):
"""Generate the difference in allow rules between the policies."""
self.log.info(
"Generating allow differences from {0.left_policy} to {0.right_policy}".format(self))
if self._left_allows is None or self._right_allows is None:
self._create_rule_lists()
self.added_allows, self.removed_allows, self.modified_allows = self._diff_av_rules(
self._expand_generator(self._left_allows, AVRuleWrapper),
self._expand_generator(self._right_allows, AVRuleWrapper))
def diff_auditallows(self):
"""Generate the difference in auditallow rules between the policies."""
self.log.info(
"Generating auditallow differences from {0.left_policy} to {0.right_policy}".
format(self))
if self._left_auditallows is None or self._right_auditallows is None:
self._create_rule_lists()
self.added_auditallows, \
self.removed_auditallows, \
self.modified_auditallows = self._diff_av_rules(
self._expand_generator(self._left_auditallows, AVRuleWrapper),
self._expand_generator(self._right_auditallows, AVRuleWrapper))
def diff_neverallows(self):
"""Generate the difference in neverallow rules between the policies."""
self.log.info(
"Generating neverallow differences from {0.left_policy} to {0.right_policy}".
format(self))
if self._left_neverallows is None or self._right_neverallows is None:
self._create_rule_lists()
self.added_neverallows, \
self.removed_neverallows, \
self.modified_neverallows = self._diff_av_rules(
self._expand_generator(self._left_neverallows, AVRuleWrapper),
self._expand_generator(self._right_neverallows, AVRuleWrapper))
def diff_dontaudits(self):
"""Generate the difference in dontaudit rules between the policies."""
self.log.info(
"Generating dontaudit differences from {0.left_policy} to {0.right_policy}".
format(self))
if self._left_dontaudits is None or self._right_dontaudits is None:
self._create_rule_lists()
self.added_dontaudits, \
self.removed_dontaudits, \
self.modified_dontaudits = self._diff_av_rules(
self._expand_generator(self._left_dontaudits, AVRuleWrapper),
self._expand_generator(self._right_dontaudits, AVRuleWrapper))
def diff_type_transitions(self):
"""Generate the difference in type_transition rules between the policies."""
self.log.info(
"Generating type_transition differences from {0.left_policy} to {0.right_policy}".
format(self))
if self._left_type_transitions is None or self._right_type_transitions is None:
self._create_rule_lists()
self.added_type_transitions, \
self.removed_type_transitions, \
self.modified_type_transitions = self._diff_te_rules(
self._expand_generator(self._left_type_transitions, TERuleWrapper),
self._expand_generator(self._right_type_transitions, TERuleWrapper))
def diff_type_changes(self):
"""Generate the difference in type_change rules between the policies."""
self.log.info(
"Generating type_change differences from {0.left_policy} to {0.right_policy}".
format(self))
if self._left_type_changes is None or self._right_type_changes is None:
self._create_rule_lists()
self.added_type_changes, \
self.removed_type_changes, \
self.modified_type_changes = self._diff_te_rules(
self._expand_generator(self._left_type_changes, TERuleWrapper),
self._expand_generator(self._right_type_changes, TERuleWrapper))
def diff_type_members(self):
"""Generate the difference in type_member rules between the policies."""
self.log.info(
"Generating type_member differences from {0.left_policy} to {0.right_policy}".
format(self))
if self._left_type_members is None or self._right_type_members is None:
self._create_rule_lists()
self.added_type_members, \
self.removed_type_members, \
self.modified_type_members = self._diff_te_rules(
self._expand_generator(self._left_type_members, TERuleWrapper),
self._expand_generator(self._right_type_members, TERuleWrapper))
#
# Internal functions
#
def _create_rule_lists(self):
"""Create rule lists for both policies."""
self._left_allows = []
self._left_auditallows = []
self._left_neverallows = []
self._left_dontaudits = []
self._left_type_transitions = []
self._left_type_changes = []
self._left_type_members = []
for rule in self.left_policy.terules():
# do not expand yet, to keep memory
# use down as long as possible
if rule.ruletype == "allow":
self._left_allows.append(rule)
elif rule.ruletype == "auditallow":
self._left_auditallows.append(rule)
elif rule.ruletype == "neverallow":
self._left_neverallows.append(rule)
elif rule.ruletype == "dontaudit":
self._left_dontaudits.append(rule)
elif rule.ruletype == "type_transition":
self._left_type_transitions.append(rule)
elif rule.ruletype == "type_change":
self._left_type_changes.append(rule)
elif rule.ruletype == "type_member":
self._left_type_members.append(rule)
else:
raise TypeError("Unknown rule type: {0}".format(rule.ruletype))
self._right_allows = []
self._right_auditallows = []
self._right_neverallows = []
self._right_dontaudits = []
self._right_type_transitions = []
self._right_type_changes = []
self._right_type_members = []
for rule in self.right_policy.terules():
# do not expand yet, to keep memory
# use down as long as possible
if rule.ruletype == "allow":
self._right_allows.append(rule)
elif rule.ruletype == "auditallow":
self._right_auditallows.append(rule)
elif rule.ruletype == "neverallow":
self._right_neverallows.append(rule)
elif rule.ruletype == "dontaudit":
self._right_dontaudits.append(rule)
elif rule.ruletype == "type_transition":
self._right_type_transitions.append(rule)
elif rule.ruletype == "type_change":
self._right_type_changes.append(rule)
elif rule.ruletype == "type_member":
self._right_type_members.append(rule)
else:
raise TypeError("Unknown rule type: {0}".format(rule.ruletype))
@staticmethod
def _expand_generator(rule_list, Wrapper):
"""Generator that yields a wrapped, expanded rule list."""
# this is to delay creating any containers
# as long as possible, since rule lists
# are typically massive.
for unexpanded_rule in rule_list:
for expanded_rule in unexpanded_rule.expand():
yield Wrapper(expanded_rule)
def _diff_av_rules(self, left_list, right_list):
"""Common method for comparing access vector rules."""
added, removed, matched = self._set_diff(left_list, right_list)
modified = []
for left_rule, right_rule in matched:
# Criteria for modified rules
# 1. change to permissions
added_perms, removed_perms, matched_perms = self._set_diff(left_rule.perms,
right_rule.perms)
# the final set comprehension is to avoid having lists
# like [("perm1", "perm1"), ("perm2", "perm2")], as the
# matched_perms return from _set_diff is a set of tuples
if added_perms or removed_perms:
modified.append(modified_avrule_record(left_rule,
added_perms,
removed_perms,
set(p[0] for p in matched_perms)))
return added, removed, modified
def _diff_te_rules(self, left_list, right_list):
"""Common method for comparing type_* rules."""
added, removed, matched = self._set_diff(left_list, right_list)
modified = []
for left_rule, right_rule in matched:
# Criteria for modified rules
# 1. change to default type
if str(left_rule.default) != str(right_rule.default):
modified.append(modified_terule_record(left_rule,
right_rule.default,
left_rule.default))
return added, removed, modified
def _reset_diff(self):
"""Reset diff results on policy changes."""
self.log.debug("Resetting TE rule differences")
self.added_allows = None
self.removed_allows = None
self.modified_allows = None
self.added_auditallows = None
self.removed_auditallows = None
self.modified_auditallows = None
self.added_neverallows = None
self.removed_neverallows = None
self.modified_neverallows = None
self.added_dontaudits = None
self.removed_dontaudits = None
self.modified_dontaudits = None
self.added_type_transitions = None
self.removed_type_transitions = None
self.modified_type_transitions = None
self.added_type_changes = None
self.removed_type_changes = None
self.modified_type_changes = None
self.added_type_members = None
self.removed_type_members = None
self.modified_type_members = None
# Sets of rules for each policy
self._left_allows = None
self._right_allows = None
self._left_auditallows = None
self._right_auditallows = None
self._left_neverallows = None
self._right_neverallows = None
self._left_dontaudits = None
self._right_dontaudits = None
self._left_type_transitions = None
self._right_type_transitions = None
self._left_type_changes = None
self._right_type_changes = None
self._left_type_members = None
self._right_type_members = None
class AVRuleWrapper(object):
"""Wrap access vector rules to allow set operations."""
def __init__(self, rule):
self.origin = rule
self.ruletype = rule.ruletype
self.source = SymbolWrapper(rule.source)
self.target = SymbolWrapper(rule.target)
self.tclass = SymbolWrapper(rule.tclass)
self.key = hash(rule)
try:
self.conditional = ConditionalExprWrapper(rule.conditional)
self.conditional_block = rule.conditional_block
except RuleNotConditional:
self.conditional = None
self.conditional_block = None
def __hash__(self):
return self.key
def __lt__(self, other):
return self.origin < other.origin
def __eq__(self, other):
# because TERuleDifference groups rules by ruletype,
# the ruletype always matches.
return self.source == other.source and \
self.target == other.target and \
self.tclass == other.tclass and \
self.conditional == other.conditional and \
self.conditional_block == other.conditional_block
def __ne__(self, other):
return not self == other
class TERuleWrapper(object):
"""Wrap type_* rules to allow set operations."""
def __init__(self, rule):
self.origin = rule
self.ruletype = rule.ruletype
self.source = SymbolWrapper(rule.source)
self.target = SymbolWrapper(rule.target)
self.tclass = SymbolWrapper(rule.tclass)
self.key = hash(rule)
try:
self.conditional = ConditionalExprWrapper(rule.conditional)
self.conditional_block = rule.conditional_block
except RuleNotConditional:
self.conditional = None
self.conditional_block = None
try:
self.filename = rule.filename
except (RuleUseError, TERuleNoFilename):
self.filename = None
def __hash__(self):
return self.key
def __lt__(self, other):
return self.origin < other.origin
def __eq__(self, other):
# because TERuleDifference groups rules by ruletype,
# the ruletype always matches.
return self.source == other.source and \
self.target == other.target and \
self.tclass == other.tclass and \
self.conditional == other.conditional and \
self.conditional_block == other.conditional_block and \
self.filename == self.filename
def __ne__(self, other):
return not self == other

614
tests/diff.py
View File

@ -19,8 +19,10 @@ import unittest
from setools import SELinuxPolicy, PolicyDifference
from .mixins import ValidateRule
class PolicyDifferenceTest(unittest.TestCase):
class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
"""Policy difference tests."""
@ -208,6 +210,532 @@ class PolicyDifferenceTest(unittest.TestCase):
self.assertSetEqual(set(["new_com"]),
self.diff.modified_classes["modified_change_common"].added_perms)
#
# Allow rules
#
def test_added_allow_rules(self):
"""Diff: added allow rules."""
rules = sorted(self.diff.added_allows)
self.assertEqual(5, len(rules))
# added rule with existing types
self.validate_rule(rules[0], "allow", "added_rule_source", "added_rule_target", "infoflow",
set(["med_w"]))
# added rule with new type
self.validate_rule(rules[1], "allow", "added_type", "added_type", "infoflow2",
set(["med_w"]))
# rule moved out of a conditional
self.validate_rule(rules[2], "allow", "move_from_bool", "move_from_bool", "infoflow4",
set(["hi_r"]))
# rule moved into a conditional
self.validate_rule(rules[3], "allow", "move_to_bool", "move_to_bool", "infoflow4",
set(["hi_w"]), cond="move_to_bool_b", cond_block=True)
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[4], "allow", "system", "switch_block", "infoflow6",
set(["hi_r"]), cond="switch_block_b", cond_block=False)
def test_removed_allow_rules(self):
"""Diff: removed allow rules."""
rules = sorted(self.diff.removed_allows)
self.assertEqual(5, len(rules))
# rule moved out of a conditional
self.validate_rule(rules[0], "allow", "move_from_bool", "move_from_bool", "infoflow4",
set(["hi_r"]), cond="move_from_bool_b", cond_block=True)
# rule moved into a conditional
self.validate_rule(rules[1], "allow", "move_to_bool", "move_to_bool", "infoflow4",
set(["hi_w"]))
# removed rule with existing types
self.validate_rule(rules[2], "allow", "removed_rule_source", "removed_rule_target",
"infoflow", set(["hi_r"]))
# removed rule with new type
self.validate_rule(rules[3], "allow", "removed_type", "removed_type", "infoflow3",
set(["null"]))
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[4], "allow", "system", "switch_block", "infoflow6",
set(["hi_r"]), cond="switch_block_b", cond_block=True)
def test_modified_allow_rules(self):
"""Diff: modified allow rules."""
l = sorted(self.diff.modified_allows)
self.assertEqual(3, len(l))
# add permissions
rule, added_perms, removed_perms, matched_perms = l[0]
self.assertEqual("allow", rule.ruletype)
self.assertEqual("modified_rule_add_perms", rule.source)
self.assertEqual("modified_rule_add_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertSetEqual(set(["hi_w"]), added_perms)
self.assertFalse(removed_perms)
self.assertSetEqual(set(["hi_r"]), matched_perms)
# add and remove permissions
rule, added_perms, removed_perms, matched_perms = l[1]
self.assertEqual("allow", rule.ruletype)
self.assertEqual("modified_rule_add_remove_perms", rule.source)
self.assertEqual("modified_rule_add_remove_perms", rule.target)
self.assertEqual("infoflow2", rule.tclass)
self.assertSetEqual(set(["super_r"]), added_perms)
self.assertSetEqual(set(["super_w"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
# remove permissions
rule, added_perms, removed_perms, matched_perms = l[2]
self.assertEqual("allow", rule.ruletype)
self.assertEqual("modified_rule_remove_perms", rule.source)
self.assertEqual("modified_rule_remove_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertFalse(added_perms)
self.assertSetEqual(set(["low_r"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
#
# Auditallow rules
#
def test_added_auditallow_rules(self):
"""Diff: added auditallow rules."""
rules = sorted(self.diff.added_auditallows)
self.assertEqual(5, len(rules))
# added rule with existing types
self.validate_rule(rules[0], "auditallow", "aa_added_rule_source", "aa_added_rule_target",
"infoflow", set(["med_w"]))
# rule moved out of a conditional
self.validate_rule(rules[1], "auditallow", "aa_move_from_bool", "aa_move_from_bool",
"infoflow4", set(["hi_r"]))
# rule moved into a conditional
self.validate_rule(rules[2], "auditallow", "aa_move_to_bool", "aa_move_to_bool",
"infoflow4", set(["hi_w"]), cond="aa_move_to_bool_b", cond_block=True)
# added rule with new type
self.validate_rule(rules[3], "auditallow", "added_type", "added_type", "infoflow7",
set(["super_none"]))
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[4], "auditallow", "system", "aa_switch_block", "infoflow6",
set(["hi_r"]), cond="aa_switch_block_b", cond_block=False)
def test_removed_auditallow_rules(self):
"""Diff: removed auditallow rules."""
rules = sorted(self.diff.removed_auditallows)
self.assertEqual(5, len(rules))
# rule moved out of a conditional
self.validate_rule(rules[0], "auditallow", "aa_move_from_bool", "aa_move_from_bool",
"infoflow4", set(["hi_r"]), cond="aa_move_from_bool_b", cond_block=True)
# rule moved into a conditional
self.validate_rule(rules[1], "auditallow", "aa_move_to_bool", "aa_move_to_bool",
"infoflow4", set(["hi_w"]))
# removed rule with existing types
self.validate_rule(rules[2], "auditallow", "aa_removed_rule_source",
"aa_removed_rule_target", "infoflow", set(["hi_r"]))
# removed rule with new type
self.validate_rule(rules[3], "auditallow", "removed_type", "removed_type", "infoflow7",
set(["super_unmapped"]))
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[4], "auditallow", "system", "aa_switch_block", "infoflow6",
set(["hi_r"]), cond="aa_switch_block_b", cond_block=True)
def test_modified_auditallow_rules(self):
"""Diff: modified auditallow rules."""
l = sorted(self.diff.modified_auditallows)
self.assertEqual(3, len(l))
# add permissions
rule, added_perms, removed_perms, matched_perms = l[0]
self.assertEqual("auditallow", rule.ruletype)
self.assertEqual("aa_modified_rule_add_perms", rule.source)
self.assertEqual("aa_modified_rule_add_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertSetEqual(set(["hi_w"]), added_perms)
self.assertFalse(removed_perms)
self.assertSetEqual(set(["hi_r"]), matched_perms)
# add and remove permissions
rule, added_perms, removed_perms, matched_perms = l[1]
self.assertEqual("auditallow", rule.ruletype)
self.assertEqual("aa_modified_rule_add_remove_perms", rule.source)
self.assertEqual("aa_modified_rule_add_remove_perms", rule.target)
self.assertEqual("infoflow2", rule.tclass)
self.assertSetEqual(set(["super_r"]), added_perms)
self.assertSetEqual(set(["super_w"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
# remove permissions
rule, added_perms, removed_perms, matched_perms = l[2]
self.assertEqual("auditallow", rule.ruletype)
self.assertEqual("aa_modified_rule_remove_perms", rule.source)
self.assertEqual("aa_modified_rule_remove_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertFalse(added_perms)
self.assertSetEqual(set(["low_r"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
#
# Dontaudit rules
#
def test_added_dontaudit_rules(self):
"""Diff: added dontaudit rules."""
rules = sorted(self.diff.added_dontaudits)
self.assertEqual(5, len(rules))
# added rule with new type
self.validate_rule(rules[0], "dontaudit", "added_type", "added_type", "infoflow7",
set(["super_none"]))
# added rule with existing types
self.validate_rule(rules[1], "dontaudit", "da_added_rule_source", "da_added_rule_target",
"infoflow", set(["med_w"]))
# rule moved out of a conditional
self.validate_rule(rules[2], "dontaudit", "da_move_from_bool", "da_move_from_bool",
"infoflow4", set(["hi_r"]))
# rule moved into a conditional
self.validate_rule(rules[3], "dontaudit", "da_move_to_bool", "da_move_to_bool",
"infoflow4", set(["hi_w"]), cond="da_move_to_bool_b", cond_block=True)
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[4], "dontaudit", "system", "da_switch_block", "infoflow6",
set(["hi_r"]), cond="da_switch_block_b", cond_block=False)
def test_removed_dontaudit_rules(self):
"""Diff: removed dontaudit rules."""
rules = sorted(self.diff.removed_dontaudits)
self.assertEqual(5, len(rules))
# rule moved out of a conditional
self.validate_rule(rules[0], "dontaudit", "da_move_from_bool", "da_move_from_bool",
"infoflow4", set(["hi_r"]), cond="da_move_from_bool_b", cond_block=True)
# rule moved into a conditional
self.validate_rule(rules[1], "dontaudit", "da_move_to_bool", "da_move_to_bool",
"infoflow4", set(["hi_w"]))
# removed rule with existing types
self.validate_rule(rules[2], "dontaudit", "da_removed_rule_source",
"da_removed_rule_target", "infoflow", set(["hi_r"]))
# removed rule with new type
self.validate_rule(rules[3], "dontaudit", "removed_type", "removed_type", "infoflow7",
set(["super_both"]))
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[4], "dontaudit", "system", "da_switch_block", "infoflow6",
set(["hi_r"]), cond="da_switch_block_b", cond_block=True)
def test_modified_dontaudit_rules(self):
"""Diff: modified dontaudit rules."""
l = sorted(self.diff.modified_dontaudits)
self.assertEqual(3, len(l))
# add permissions
rule, added_perms, removed_perms, matched_perms = l[0]
self.assertEqual("dontaudit", rule.ruletype)
self.assertEqual("da_modified_rule_add_perms", rule.source)
self.assertEqual("da_modified_rule_add_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertSetEqual(set(["hi_w"]), added_perms)
self.assertFalse(removed_perms)
self.assertSetEqual(set(["hi_r"]), matched_perms)
# add and remove permissions
rule, added_perms, removed_perms, matched_perms = l[1]
self.assertEqual("dontaudit", rule.ruletype)
self.assertEqual("da_modified_rule_add_remove_perms", rule.source)
self.assertEqual("da_modified_rule_add_remove_perms", rule.target)
self.assertEqual("infoflow2", rule.tclass)
self.assertSetEqual(set(["super_r"]), added_perms)
self.assertSetEqual(set(["super_w"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
# remove permissions
rule, added_perms, removed_perms, matched_perms = l[2]
self.assertEqual("dontaudit", rule.ruletype)
self.assertEqual("da_modified_rule_remove_perms", rule.source)
self.assertEqual("da_modified_rule_remove_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertFalse(added_perms)
self.assertSetEqual(set(["low_r"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
#
# Neverallow rules
#
def test_added_neverallow_rules(self):
"""Diff: added neverallow rules."""
rules = sorted(self.diff.added_neverallows)
self.assertEqual(2, len(rules))
# added rule with new type
self.validate_rule(rules[0], "neverallow", "added_type", "added_type", "added_class",
set(["new_class_perm"]))
# added rule with existing types
self.validate_rule(rules[1], "neverallow", "na_added_rule_source", "na_added_rule_target",
"infoflow", set(["med_w"]))
def test_removed_neverallow_rules(self):
"""Diff: removed neverallow rules."""
rules = sorted(self.diff.removed_neverallows)
self.assertEqual(2, len(rules))
# removed rule with existing types
self.validate_rule(rules[0], "neverallow", "na_removed_rule_source",
"na_removed_rule_target", "infoflow", set(["hi_r"]))
# removed rule with new type
self.validate_rule(rules[1], "neverallow", "removed_type", "removed_type", "removed_class",
set(["null_perm"]))
def test_modified_neverallow_rules(self):
"""Diff: modified neverallow rules."""
l = sorted(self.diff.modified_neverallows)
self.assertEqual(3, len(l))
# add permissions
rule, added_perms, removed_perms, matched_perms = l[0]
self.assertEqual("neverallow", rule.ruletype)
self.assertEqual("na_modified_rule_add_perms", rule.source)
self.assertEqual("na_modified_rule_add_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertSetEqual(set(["hi_w"]), added_perms)
self.assertFalse(removed_perms)
self.assertSetEqual(set(["hi_r"]), matched_perms)
# add and remove permissions
rule, added_perms, removed_perms, matched_perms = l[1]
self.assertEqual("neverallow", rule.ruletype)
self.assertEqual("na_modified_rule_add_remove_perms", rule.source)
self.assertEqual("na_modified_rule_add_remove_perms", rule.target)
self.assertEqual("infoflow2", rule.tclass)
self.assertSetEqual(set(["super_r"]), added_perms)
self.assertSetEqual(set(["super_w"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
# remove permissions
rule, added_perms, removed_perms, matched_perms = l[2]
self.assertEqual("neverallow", rule.ruletype)
self.assertEqual("na_modified_rule_remove_perms", rule.source)
self.assertEqual("na_modified_rule_remove_perms", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertFalse(added_perms)
self.assertSetEqual(set(["low_r"]), removed_perms)
self.assertSetEqual(set(["low_w"]), matched_perms)
#
# Type_transition rules
#
def test_added_type_transition_rules(self):
"""Diff: added type_transition rules."""
rules = sorted(self.diff.added_type_transitions)
self.assertEqual(5, len(rules))
# added rule with new type
self.validate_rule(rules[0], "type_transition", "added_type", "system", "infoflow4",
"system")
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[1], "type_transition", "system", "tt_switch_block", "infoflow6",
"system", cond="tt_switch_block_b", cond_block=False)
# added rule with existing types
self.validate_rule(rules[2], "type_transition", "tt_added_rule_source",
"tt_added_rule_target", "infoflow", "system")
# rule moved out of a conditional
self.validate_rule(rules[3], "type_transition", "tt_move_from_bool", "system",
"infoflow4", "system")
# rule moved into a conditional
self.validate_rule(rules[4], "type_transition", "tt_move_to_bool", "system",
"infoflow3", "system", cond="tt_move_to_bool_b", cond_block=True)
def test_removed_type_transition_rules(self):
"""Diff: removed type_transition rules."""
rules = sorted(self.diff.removed_type_transitions)
self.assertEqual(5, len(rules))
# removed rule with new type
self.validate_rule(rules[0], "type_transition", "removed_type", "system", "infoflow4",
"system")
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[1], "type_transition", "system", "tt_switch_block", "infoflow6",
"system", cond="tt_switch_block_b", cond_block=True)
# rule moved out of a conditional
self.validate_rule(rules[2], "type_transition", "tt_move_from_bool", "system",
"infoflow4", "system", cond="tt_move_from_bool_b", cond_block=True)
# rule moved into a conditional
self.validate_rule(rules[3], "type_transition", "tt_move_to_bool", "system",
"infoflow3", "system")
# removed rule with existing types
self.validate_rule(rules[4], "type_transition", "tt_removed_rule_source",
"tt_removed_rule_target", "infoflow", "system")
def test_modified_type_transition_rules(self):
"""Diff: modified type_transition rules."""
l = sorted(self.diff.modified_type_transitions)
self.assertEqual(1, len(l))
rule, added_default, removed_default = l[0]
self.assertEqual("type_transition", rule.ruletype)
self.assertEqual("tt_matched_source", rule.source)
self.assertEqual("system", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertEqual("tt_new_type", added_default)
self.assertEqual("tt_old_type", removed_default)
#
# Type_change rules
#
def test_added_type_change_rules(self):
"""Diff: added type_change rules."""
rules = sorted(self.diff.added_type_changes)
self.assertEqual(5, len(rules))
# added rule with new type
self.validate_rule(rules[0], "type_change", "added_type", "system", "infoflow4",
"system")
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[1], "type_change", "system", "tc_switch_block", "infoflow6",
"system", cond="tc_switch_block_b", cond_block=False)
# added rule with existing types
self.validate_rule(rules[2], "type_change", "tc_added_rule_source",
"tc_added_rule_target", "infoflow", "system")
# rule moved out of a conditional
self.validate_rule(rules[3], "type_change", "tc_move_from_bool", "system",
"infoflow4", "system")
# rule moved into a conditional
self.validate_rule(rules[4], "type_change", "tc_move_to_bool", "system",
"infoflow3", "system", cond="tc_move_to_bool_b", cond_block=True)
def test_removed_type_change_rules(self):
"""Diff: removed type_change rules."""
rules = sorted(self.diff.removed_type_changes)
self.assertEqual(5, len(rules))
# removed rule with new type
self.validate_rule(rules[0], "type_change", "removed_type", "system", "infoflow4",
"system")
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[1], "type_change", "system", "tc_switch_block", "infoflow6",
"system", cond="tc_switch_block_b", cond_block=True)
# rule moved out of a conditional
self.validate_rule(rules[2], "type_change", "tc_move_from_bool", "system",
"infoflow4", "system", cond="tc_move_from_bool_b", cond_block=True)
# rule moved into a conditional
self.validate_rule(rules[3], "type_change", "tc_move_to_bool", "system",
"infoflow3", "system")
# removed rule with existing types
self.validate_rule(rules[4], "type_change", "tc_removed_rule_source",
"tc_removed_rule_target", "infoflow", "system")
def test_modified_type_change_rules(self):
"""Diff: modified type_change rules."""
l = sorted(self.diff.modified_type_changes)
self.assertEqual(1, len(l))
rule, added_default, removed_default = l[0]
self.assertEqual("type_change", rule.ruletype)
self.assertEqual("tc_matched_source", rule.source)
self.assertEqual("system", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertEqual("tc_new_type", added_default)
self.assertEqual("tc_old_type", removed_default)
#
# Type_member rules
#
def test_added_type_member_rules(self):
"""Diff: added type_member rules."""
rules = sorted(self.diff.added_type_members)
self.assertEqual(5, len(rules))
# added rule with new type
self.validate_rule(rules[0], "type_member", "added_type", "system", "infoflow4",
"system")
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[1], "type_member", "system", "tm_switch_block", "infoflow6",
"system", cond="tm_switch_block_b", cond_block=False)
# added rule with existing types
self.validate_rule(rules[2], "type_member", "tm_added_rule_source",
"tm_added_rule_target", "infoflow", "system")
# rule moved out of a conditional
self.validate_rule(rules[3], "type_member", "tm_move_from_bool", "system",
"infoflow4", "system")
# rule moved into a conditional
self.validate_rule(rules[4], "type_member", "tm_move_to_bool", "system",
"infoflow3", "system", cond="tm_move_to_bool_b", cond_block=True)
def test_removed_type_member_rules(self):
"""Diff: removed type_member rules."""
rules = sorted(self.diff.removed_type_members)
self.assertEqual(5, len(rules))
# removed rule with new type
self.validate_rule(rules[0], "type_member", "removed_type", "system", "infoflow4",
"system")
# rule moved from one conditional block to another (true to false)
self.validate_rule(rules[1], "type_member", "system", "tm_switch_block", "infoflow6",
"system", cond="tm_switch_block_b", cond_block=True)
# rule moved out of a conditional
self.validate_rule(rules[2], "type_member", "tm_move_from_bool", "system",
"infoflow4", "system", cond="tm_move_from_bool_b", cond_block=True)
# rule moved into a conditional
self.validate_rule(rules[3], "type_member", "tm_move_to_bool", "system",
"infoflow3", "system")
# removed rule with existing types
self.validate_rule(rules[4], "type_member", "tm_removed_rule_source",
"tm_removed_rule_target", "infoflow", "system")
def test_modified_type_member_rules(self):
"""Diff: modified type_member rules."""
l = sorted(self.diff.modified_type_members)
self.assertEqual(1, len(l))
rule, added_default, removed_default = l[0]
self.assertEqual("type_member", rule.ruletype)
self.assertEqual("tm_matched_source", rule.source)
self.assertEqual("system", rule.target)
self.assertEqual("infoflow", rule.tclass)
self.assertEqual("tm_new_type", added_default)
self.assertEqual("tm_old_type", removed_default)
class PolicyDifferenceTestNoDiff(unittest.TestCase):
@ -264,3 +792,87 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
def test_modified_classes(self):
"""NoDiff: no modified classes."""
self.assertFalse(self.diff.modified_classes)
def test_added_allows(self):
"""NoDiff: no added allow rules."""
self.assertFalse(self.diff.added_allows)
def test_removed_allows(self):
"""NoDiff: no removed allow rules."""
self.assertFalse(self.diff.removed_allows)
def test_modified_allows(self):
"""NoDiff: no modified allow rules."""
self.assertFalse(self.diff.modified_allows)
def test_added_auditallows(self):
"""NoDiff: no added auditallow rules."""
self.assertFalse(self.diff.added_auditallows)
def test_removed_auditallows(self):
"""NoDiff: no removed auditallow rules."""
self.assertFalse(self.diff.removed_auditallows)
def test_modified_auditallows(self):
"""NoDiff: no modified auditallow rules."""
self.assertFalse(self.diff.modified_auditallows)
def test_added_neverallows(self):
"""NoDiff: no added neverallow rules."""
self.assertFalse(self.diff.added_neverallows)
def test_removed_neverallows(self):
"""NoDiff: no removed neverallow rules."""
self.assertFalse(self.diff.removed_neverallows)
def test_modified_neverallows(self):
"""NoDiff: no modified neverallow rules."""
self.assertFalse(self.diff.modified_neverallows)
def test_added_dontaudits(self):
"""NoDiff: no added dontaudit rules."""
self.assertFalse(self.diff.added_dontaudits)
def test_removed_dontaudits(self):
"""NoDiff: no removed dontaudit rules."""
self.assertFalse(self.diff.removed_dontaudits)
def test_modified_dontaudits(self):
"""NoDiff: no modified dontaudit rules."""
self.assertFalse(self.diff.modified_dontaudits)
def test_added_type_transitions(self):
"""NoDiff: no added type_transition rules."""
self.assertFalse(self.diff.added_type_transitions)
def test_removed_type_transitions(self):
"""NoDiff: no removed type_transition rules."""
self.assertFalse(self.diff.removed_type_transitions)
def test_modified_type_transitions(self):
"""NoDiff: no modified type_transition rules."""
self.assertFalse(self.diff.modified_type_transitions)
def test_added_type_changes(self):
"""NoDiff: no added type_change rules."""
self.assertFalse(self.diff.added_type_changes)
def test_removed_type_changes(self):
"""NoDiff: no removed type_change rules."""
self.assertFalse(self.diff.removed_type_changes)
def test_modified_type_changes(self):
"""NoDiff: no modified type_change rules."""
self.assertFalse(self.diff.modified_type_changes)
def test_added_type_members(self):
"""NoDiff: no added type_member rules."""
self.assertFalse(self.diff.added_type_members)
def test_removed_type_members(self):
"""NoDiff: no removed type_member rules."""
self.assertFalse(self.diff.removed_type_members)
def test_modified_type_members(self):
"""NoDiff: no modified type_member rules."""
self.assertFalse(self.diff.modified_type_members)

344
tests/diff_left.conf
View File

@ -142,6 +142,350 @@ role modified_add_type;
role modified_remove_type;
role modified_remove_type types { system };
# Allow rule differences
type matched_source;
type matched_target;
allow matched_source matched_target:infoflow hi_w;
type removed_rule_source;
type removed_rule_target;
allow removed_rule_source removed_rule_target:infoflow hi_r;
type added_rule_source;
type added_rule_target;
type modified_rule_add_perms;
allow modified_rule_add_perms self:infoflow hi_r;
type modified_rule_remove_perms;
allow modified_rule_remove_perms self:infoflow { low_r low_w };
type modified_rule_add_remove_perms;
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
allow removed_type self:infoflow3 null;
type move_to_bool;
bool move_to_bool_b false;
allow move_to_bool self:infoflow4 hi_w;
type move_from_bool;
bool move_from_bool_b false;
if (move_from_bool_b) {
allow move_from_bool self:infoflow4 hi_r;
}
type switch_block;
bool switch_block_b false;
if (switch_block_b) {
allow system switch_block:infoflow5 hi_r;
allow system switch_block:infoflow6 hi_r;
} else {
allow system switch_block:infoflow7 hi_r;
}
attribute match_rule_by_attr;
type match_rule_by_attr_A_t, match_rule_by_attr;
type match_rule_by_attr_B_t, match_rule_by_attr;
allow match_rule_by_attr self:infoflow2 super_w;
attribute unioned_perm_via_attr;
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
allow unioned_perm_via_attr self:infoflow2 super_w;
allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# Auditallow rule differences
type aa_matched_source;
type aa_matched_target;
auditallow aa_matched_source aa_matched_target:infoflow hi_w;
type aa_removed_rule_source;
type aa_removed_rule_target;
auditallow aa_removed_rule_source aa_removed_rule_target:infoflow hi_r;
type aa_added_rule_source;
type aa_added_rule_target;
type aa_modified_rule_add_perms;
auditallow aa_modified_rule_add_perms self:infoflow hi_r;
type aa_modified_rule_remove_perms;
auditallow aa_modified_rule_remove_perms self:infoflow { low_r low_w };
type aa_modified_rule_add_remove_perms;
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
auditallow removed_type self:infoflow7 super_unmapped;
type aa_move_to_bool;
bool aa_move_to_bool_b false;
auditallow aa_move_to_bool self:infoflow4 hi_w;
type aa_move_from_bool;
bool aa_move_from_bool_b false;
if (aa_move_from_bool_b) {
auditallow aa_move_from_bool self:infoflow4 hi_r;
}
type aa_switch_block;
bool aa_switch_block_b false;
if (aa_switch_block_b) {
auditallow system aa_switch_block:infoflow5 hi_r;
auditallow system aa_switch_block:infoflow6 hi_r;
} else {
auditallow system aa_switch_block:infoflow7 hi_r;
}
attribute aa_match_rule_by_attr;
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
auditallow aa_match_rule_by_attr self:infoflow2 super_w;
attribute aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# Dontaudit rule differences
type da_matched_source;
type da_matched_target;
dontaudit da_matched_source da_matched_target:infoflow hi_w;
type da_removed_rule_source;
type da_removed_rule_target;
dontaudit da_removed_rule_source da_removed_rule_target:infoflow hi_r;
type da_added_rule_source;
type da_added_rule_target;
type da_modified_rule_add_perms;
dontaudit da_modified_rule_add_perms self:infoflow hi_r;
type da_modified_rule_remove_perms;
dontaudit da_modified_rule_remove_perms self:infoflow { low_r low_w };
type da_modified_rule_add_remove_perms;
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
dontaudit removed_type self:infoflow7 super_both;
type da_move_to_bool;
bool da_move_to_bool_b false;
dontaudit da_move_to_bool self:infoflow4 hi_w;
type da_move_from_bool;
bool da_move_from_bool_b false;
if (da_move_from_bool_b) {
dontaudit da_move_from_bool self:infoflow4 hi_r;
}
type da_switch_block;
bool da_switch_block_b false;
if (da_switch_block_b) {
dontaudit system da_switch_block:infoflow5 hi_r;
dontaudit system da_switch_block:infoflow6 hi_r;
} else {
dontaudit system da_switch_block:infoflow7 hi_r;
}
attribute da_match_rule_by_attr;
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
dontaudit da_match_rule_by_attr self:infoflow2 super_w;
attribute da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# Neverallow rule differences
type na_matched_source;
type na_matched_target;
neverallow na_matched_source na_matched_target:infoflow hi_w;
type na_removed_rule_source;
type na_removed_rule_target;
neverallow na_removed_rule_source na_removed_rule_target:infoflow hi_r;
type na_added_rule_source;
type na_added_rule_target;
type na_modified_rule_add_perms;
neverallow na_modified_rule_add_perms self:infoflow hi_r;
type na_modified_rule_remove_perms;
neverallow na_modified_rule_remove_perms self:infoflow { low_r low_w };
type na_modified_rule_add_remove_perms;
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
neverallow removed_type self:removed_class null_perm;
attribute na_match_rule_by_attr;
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
neverallow na_match_rule_by_attr self:infoflow2 super_w;
attribute na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
# type_transition rule differences
type tt_matched_source;
type tt_matched_target;
type_transition tt_matched_source tt_matched_target:infoflow system;
type tt_removed_rule_source;
type tt_removed_rule_target;
type_transition tt_removed_rule_source tt_removed_rule_target:infoflow system;
type tt_added_rule_source;
type tt_added_rule_target;
type tt_old_type;
type tt_new_type;
type_transition tt_matched_source system:infoflow tt_old_type;
type_transition removed_type system:infoflow4 system;
type tt_move_to_bool;
bool tt_move_to_bool_b false;
type_transition tt_move_to_bool system:infoflow3 system;
type tt_move_from_bool;
bool tt_move_from_bool_b false;
if (tt_move_from_bool_b) {
type_transition tt_move_from_bool system:infoflow4 system;
}
type tt_switch_block;
bool tt_switch_block_b false;
if (tt_switch_block_b) {
type_transition system tt_switch_block:infoflow5 system;
type_transition system tt_switch_block:infoflow6 system;
} else {
type_transition system tt_switch_block:infoflow7 system;
}
attribute tt_match_rule_by_attr;
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
type_transition tt_match_rule_by_attr system:infoflow2 system;
attribute tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_change rule differences
type tc_matched_source;
type tc_matched_target;
type_change tc_matched_source tc_matched_target:infoflow system;
type tc_removed_rule_source;
type tc_removed_rule_target;
type_change tc_removed_rule_source tc_removed_rule_target:infoflow system;
type tc_added_rule_source;
type tc_added_rule_target;
type tc_old_type;
type tc_new_type;
type_change tc_matched_source system:infoflow tc_old_type;
type_change removed_type system:infoflow4 system;
type tc_move_to_bool;
bool tc_move_to_bool_b false;
type_change tc_move_to_bool system:infoflow3 system;
type tc_move_from_bool;
bool tc_move_from_bool_b false;
if (tc_move_from_bool_b) {
type_change tc_move_from_bool system:infoflow4 system;
}
type tc_switch_block;
bool tc_switch_block_b false;
if (tc_switch_block_b) {
type_change system tc_switch_block:infoflow5 system;
type_change system tc_switch_block:infoflow6 system;
} else {
type_change system tc_switch_block:infoflow7 system;
}
attribute tc_match_rule_by_attr;
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
type_change tc_match_rule_by_attr system:infoflow2 system;
attribute tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
type_change tc_unioned_perm_via_attr system:infoflow2 system;
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_member rule differences
type tm_matched_source;
type tm_matched_target;
type_member tm_matched_source tm_matched_target:infoflow system;
type tm_removed_rule_source;
type tm_removed_rule_target;
type_member tm_removed_rule_source tm_removed_rule_target:infoflow system;
type tm_added_rule_source;
type tm_added_rule_target;
type tm_old_type;
type tm_new_type;
type_member tm_matched_source system:infoflow tm_old_type;
type_member removed_type system:infoflow4 system;
type tm_move_to_bool;
bool tm_move_to_bool_b false;
type_member tm_move_to_bool system:infoflow3 system;
type tm_move_from_bool;
bool tm_move_from_bool_b false;
if (tm_move_from_bool_b) {
type_member tm_move_from_bool system:infoflow4 system;
}
type tm_switch_block;
bool tm_switch_block_b false;
if (tm_switch_block_b) {
type_member system tm_switch_block:infoflow5 system;
type_member system tm_switch_block:infoflow6 system;
} else {
type_member system tm_switch_block:infoflow7 system;
}
attribute tm_match_rule_by_attr;
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
type_member tm_match_rule_by_attr system:infoflow2 system;
attribute tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
type_member tm_unioned_perm_via_attr system:infoflow2 system;
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
################################################################################
#users

344
tests/diff_right.conf
View File

@ -142,6 +142,350 @@ role modified_add_type types { system };
role modified_remove_type;
# Allow rule differences
type matched_source;
type matched_target;
allow matched_source matched_target:infoflow hi_w;
type removed_rule_source;
type removed_rule_target;
type added_rule_source;
type added_rule_target;
allow added_rule_source added_rule_target:infoflow med_w;
type modified_rule_add_perms;
allow modified_rule_add_perms self:infoflow { hi_r hi_w };
type modified_rule_remove_perms;
allow modified_rule_remove_perms self:infoflow low_w;
type modified_rule_add_remove_perms;
allow modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
allow added_type self:infoflow2 med_w;
type move_to_bool;
bool move_to_bool_b false;
if (move_to_bool_b) {
allow move_to_bool self:infoflow4 hi_w;
}
type move_from_bool;
bool move_from_bool_b false;
allow move_from_bool self:infoflow4 hi_r;
type switch_block;
bool switch_block_b false;
if (switch_block_b) {
allow system switch_block:infoflow5 hi_r;
} else {
allow system switch_block:infoflow6 hi_r;
allow system switch_block:infoflow7 hi_r;
}
attribute match_rule_by_attr;
type match_rule_by_attr_A_t, match_rule_by_attr;
type match_rule_by_attr_B_t, match_rule_by_attr;
allow match_rule_by_attr_A_t self:infoflow2 super_w;
allow match_rule_by_attr_B_t self:infoflow2 super_w;
attribute unioned_perm_via_attr;
type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
allow unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
allow unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
# Auditallow rule differences
type aa_matched_source;
type aa_matched_target;
auditallow aa_matched_source aa_matched_target:infoflow hi_w;
type aa_removed_rule_source;
type aa_removed_rule_target;
type aa_added_rule_source;
type aa_added_rule_target;
auditallow aa_added_rule_source aa_added_rule_target:infoflow med_w;
type aa_modified_rule_add_perms;
auditallow aa_modified_rule_add_perms self:infoflow { hi_r hi_w };
type aa_modified_rule_remove_perms;
auditallow aa_modified_rule_remove_perms self:infoflow low_w;
type aa_modified_rule_add_remove_perms;
auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
auditallow added_type self:infoflow7 super_none;
type aa_move_to_bool;
bool aa_move_to_bool_b false;
if (aa_move_to_bool_b) {
auditallow aa_move_to_bool self:infoflow4 hi_w;
}
type aa_move_from_bool;
bool aa_move_from_bool_b false;
auditallow aa_move_from_bool self:infoflow4 hi_r;
type aa_switch_block;
bool aa_switch_block_b false;
if (aa_switch_block_b) {
auditallow system aa_switch_block:infoflow5 hi_r;
} else {
auditallow system aa_switch_block:infoflow6 hi_r;
auditallow system aa_switch_block:infoflow7 hi_r;
}
attribute aa_match_rule_by_attr;
type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
auditallow aa_match_rule_by_attr_A_t self:infoflow2 super_w;
auditallow aa_match_rule_by_attr_B_t self:infoflow2 super_w;
attribute aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
# Dontaudit rule differences
type da_matched_source;
type da_matched_target;
dontaudit da_matched_source da_matched_target:infoflow hi_w;
type da_removed_rule_source;
type da_removed_rule_target;
type da_added_rule_source;
type da_added_rule_target;
dontaudit da_added_rule_source da_added_rule_target:infoflow med_w;
type da_modified_rule_add_perms;
dontaudit da_modified_rule_add_perms self:infoflow { hi_r hi_w };
type da_modified_rule_remove_perms;
dontaudit da_modified_rule_remove_perms self:infoflow low_w;
type da_modified_rule_add_remove_perms;
dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
dontaudit added_type self:infoflow7 super_none;
type da_move_to_bool;
bool da_move_to_bool_b false;
if (da_move_to_bool_b) {
dontaudit da_move_to_bool self:infoflow4 hi_w;
}
type da_move_from_bool;
bool da_move_from_bool_b false;
dontaudit da_move_from_bool self:infoflow4 hi_r;
type da_switch_block;
bool da_switch_block_b false;
if (da_switch_block_b) {
dontaudit system da_switch_block:infoflow5 hi_r;
} else {
dontaudit system da_switch_block:infoflow6 hi_r;
dontaudit system da_switch_block:infoflow7 hi_r;
}
attribute da_match_rule_by_attr;
type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
dontaudit da_match_rule_by_attr_A_t self:infoflow2 super_w;
dontaudit da_match_rule_by_attr_B_t self:infoflow2 super_w;
attribute da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
# Neverallow rule differences
type na_matched_source;
type na_matched_target;
neverallow na_matched_source na_matched_target:infoflow hi_w;
type na_removed_rule_source;
type na_removed_rule_target;
type na_added_rule_source;
type na_added_rule_target;
neverallow na_added_rule_source na_added_rule_target:infoflow med_w;
type na_modified_rule_add_perms;
neverallow na_modified_rule_add_perms self:infoflow { hi_r hi_w };
type na_modified_rule_remove_perms;
neverallow na_modified_rule_remove_perms self:infoflow low_w;
type na_modified_rule_add_remove_perms;
neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
neverallow added_type self:added_class new_class_perm;
attribute na_match_rule_by_attr;
type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
neverallow na_match_rule_by_attr_A_t self:infoflow2 super_w;
neverallow na_match_rule_by_attr_B_t self:infoflow2 super_w;
attribute na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
neverallow na_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
neverallow na_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
# type_transition rule differences
type tt_matched_source;
type tt_matched_target;
type_transition tt_matched_source tt_matched_target:infoflow system;
type tt_removed_rule_source;
type tt_removed_rule_target;
type tt_added_rule_source;
type tt_added_rule_target;
type_transition tt_added_rule_source tt_added_rule_target:infoflow system;
type tt_old_type;
type tt_new_type;
type_transition tt_matched_source system:infoflow tt_new_type;
type_transition added_type system:infoflow4 system;
type tt_move_to_bool;
bool tt_move_to_bool_b false;
if (tt_move_to_bool_b) {
type_transition tt_move_to_bool system:infoflow3 system;
}
type tt_move_from_bool;
bool tt_move_from_bool_b false;
type_transition tt_move_from_bool system:infoflow4 system;
type tt_switch_block;
bool tt_switch_block_b false;
if (tt_switch_block_b) {
type_transition system tt_switch_block:infoflow5 system;
} else {
type_transition system tt_switch_block:infoflow6 system;
type_transition system tt_switch_block:infoflow7 system;
}
attribute tt_match_rule_by_attr;
type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
type_transition tt_match_rule_by_attr system:infoflow2 system;
attribute tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
type_transition tt_unioned_perm_via_attr system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_change rule differences
type tc_matched_source;
type tc_matched_target;
type_change tc_matched_source tc_matched_target:infoflow system;
type tc_removed_rule_source;
type tc_removed_rule_target;
type tc_added_rule_source;
type tc_added_rule_target;
type_change tc_added_rule_source tc_added_rule_target:infoflow system;
type tc_old_type;
type tc_new_type;
type_change tc_matched_source system:infoflow tc_new_type;
type_change added_type system:infoflow4 system;
type tc_move_to_bool;
bool tc_move_to_bool_b false;
if (tc_move_to_bool_b) {
type_change tc_move_to_bool system:infoflow3 system;
}
type tc_move_from_bool;
bool tc_move_from_bool_b false;
type_change tc_move_from_bool system:infoflow4 system;
type tc_switch_block;
bool tc_switch_block_b false;
if (tc_switch_block_b) {
type_change system tc_switch_block:infoflow5 system;
} else {
type_change system tc_switch_block:infoflow6 system;
type_change system tc_switch_block:infoflow7 system;
}
attribute tc_match_rule_by_attr;
type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
type_change tc_match_rule_by_attr system:infoflow2 system;
attribute tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
type_change tc_unioned_perm_via_attr system:infoflow2 system;
type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
# type_member rule differences
type tm_matched_source;
type tm_matched_target;
type_member tm_matched_source tm_matched_target:infoflow system;
type tm_removed_rule_source;
type tm_removed_rule_target;
type tm_added_rule_source;
type tm_added_rule_target;
type_member tm_added_rule_source tm_added_rule_target:infoflow system;
type tm_old_type;
type tm_new_type;
type_member tm_matched_source system:infoflow tm_new_type;
type_member added_type system:infoflow4 system;
type tm_move_to_bool;
bool tm_move_to_bool_b false;
if (tm_move_to_bool_b) {
type_member tm_move_to_bool system:infoflow3 system;
}
type tm_move_from_bool;
bool tm_move_from_bool_b false;
type_member tm_move_from_bool system:infoflow4 system;
type tm_switch_block;
bool tm_switch_block_b false;
if (tm_switch_block_b) {
type_member system tm_switch_block:infoflow5 system;
} else {
type_member system tm_switch_block:infoflow6 system;
type_member system tm_switch_block:infoflow7 system;
}
attribute tm_match_rule_by_attr;
type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
type_member tm_match_rule_by_attr system:infoflow2 system;
attribute tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
type_member tm_unioned_perm_via_attr system:infoflow2 system;
type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
################################################################################
#users

6
tests/mixins.py
View File

@ -26,7 +26,8 @@ class ValidateRule(unittest.TestCase):
"""Mixin for validating policy rules."""
def validate_rule(self, rule, ruletype, source, target, tclass, last_item, cond=None):
def validate_rule(self, rule, ruletype, source, target, tclass, last_item, cond=None,
cond_block=None):
"""Validate a rule."""
self.assertEqual(ruletype, rule.ruletype)
self.assertEqual(source, rule.source)
@ -43,3 +44,6 @@ class ValidateRule(unittest.TestCase):
self.assertEqual(cond, rule.conditional)
else:
self.assertRaises(RuleNotConditional, getattr, rule, "conditional")
if cond_block is not None:
self.assertEqual(cond_block, rule.conditional_block)