PolicyDifference: implement TE rule difference

Closes #43

setools/diff/__init__.py

@@ -19,6 +19,7 @@
 from .commons import CommonDifference
 from .objclass import ObjClassDifference
 from .roles import RolesDifference
+from .terules import TERulesDifference
 from .types import TypesDifference
 
 __all__ = ['PolicyDifference']
@@ -27,6 +28,7 @@ __all__ = ['PolicyDifference']
 class PolicyDifference(CommonDifference,
                        ObjClassDifference,
                        RolesDifference,
+                       TERulesDifference,
                        TypesDifference):
 
     """

setools/diff/terules.py

@@ -0,0 +1,432 @@
+# Copyright 2015, Tresys Technology, LLC
+#
+# This file is part of SETools.
+#
+# SETools is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as
+# published by the Free Software Foundation, either version 2.1 of
+# the License, or (at your option) any later version.
+#
+# SETools is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with SETools.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+from collections import namedtuple
+
+from ..policyrep.exception import RuleNotConditional, RuleUseError, TERuleNoFilename
+
+from .conditional import ConditionalExprWrapper
+from .descriptors import DiffResultDescriptor
+from .difference import Difference, SymbolWrapper
+
+
+modified_avrule_record = namedtuple("modified_avrule", ["rule",
+                                                        "added_perms",
+                                                        "removed_perms",
+                                                        "matched_perms"])
+
+modified_terule_record = namedtuple("modified_terule", ["rule", "added_default", "removed_default"])
+
+
+class TERulesDifference(Difference):
+
+    """
+    Determine the difference in type enforcement rules
+    between two policies.
+    """
+
+    added_allows = DiffResultDescriptor("diff_allows")
+    removed_allows = DiffResultDescriptor("diff_allows")
+    modified_allows = DiffResultDescriptor("diff_allows")
+
+    added_auditallows = DiffResultDescriptor("diff_auditallows")
+    removed_auditallows = DiffResultDescriptor("diff_auditallows")
+    modified_auditallows = DiffResultDescriptor("diff_auditallows")
+
+    added_neverallows = DiffResultDescriptor("diff_neverallows")
+    removed_neverallows = DiffResultDescriptor("diff_neverallows")
+    modified_neverallows = DiffResultDescriptor("diff_neverallows")
+
+    added_dontaudits = DiffResultDescriptor("diff_dontaudits")
+    removed_dontaudits = DiffResultDescriptor("diff_dontaudits")
+    modified_dontaudits = DiffResultDescriptor("diff_dontaudits")
+
+    added_type_transitions = DiffResultDescriptor("diff_type_transitions")
+    removed_type_transitions = DiffResultDescriptor("diff_type_transitions")
+    modified_type_transitions = DiffResultDescriptor("diff_type_transitions")
+
+    added_type_changes = DiffResultDescriptor("diff_type_changes")
+    removed_type_changes = DiffResultDescriptor("diff_type_changes")
+    modified_type_changes = DiffResultDescriptor("diff_type_changes")
+
+    added_type_members = DiffResultDescriptor("diff_type_members")
+    removed_type_members = DiffResultDescriptor("diff_type_members")
+    modified_type_members = DiffResultDescriptor("diff_type_members")
+
+    # Lists of rules for each policy
+    _left_allows = None
+    _right_allows = None
+
+    _left_auditallows = None
+    _right_auditallows = None
+
+    _left_neverallows = None
+    _right_neverallows = None
+
+    _left_dontaudits = None
+    _right_dontaudits = None
+
+    _left_type_transitions = None
+    _right_type_transitions = None
+
+    _left_type_changes = None
+    _right_type_changes = None
+
+    _left_type_members = None
+    _right_type_members = None
+
+    def diff_allows(self):
+        """Generate the difference in allow rules between the policies."""
+
+        self.log.info(
+            "Generating allow differences from {0.left_policy} to {0.right_policy}".format(self))
+
+        if self._left_allows is None or self._right_allows is None:
+            self._create_rule_lists()
+
+        self.added_allows, self.removed_allows, self.modified_allows = self._diff_av_rules(
+            self._expand_generator(self._left_allows, AVRuleWrapper),
+            self._expand_generator(self._right_allows, AVRuleWrapper))
+
+    def diff_auditallows(self):
+        """Generate the difference in auditallow rules between the policies."""
+
+        self.log.info(
+            "Generating auditallow differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_auditallows is None or self._right_auditallows is None:
+            self._create_rule_lists()
+
+        self.added_auditallows, \
+            self.removed_auditallows, \
+            self.modified_auditallows = self._diff_av_rules(
+                self._expand_generator(self._left_auditallows, AVRuleWrapper),
+                self._expand_generator(self._right_auditallows, AVRuleWrapper))
+
+    def diff_neverallows(self):
+        """Generate the difference in neverallow rules between the policies."""
+
+        self.log.info(
+            "Generating neverallow differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_neverallows is None or self._right_neverallows is None:
+            self._create_rule_lists()
+
+        self.added_neverallows, \
+            self.removed_neverallows, \
+            self.modified_neverallows = self._diff_av_rules(
+                self._expand_generator(self._left_neverallows, AVRuleWrapper),
+                self._expand_generator(self._right_neverallows, AVRuleWrapper))
+
+    def diff_dontaudits(self):
+        """Generate the difference in dontaudit rules between the policies."""
+
+        self.log.info(
+            "Generating dontaudit differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_dontaudits is None or self._right_dontaudits is None:
+            self._create_rule_lists()
+
+        self.added_dontaudits, \
+            self.removed_dontaudits, \
+            self.modified_dontaudits = self._diff_av_rules(
+                self._expand_generator(self._left_dontaudits, AVRuleWrapper),
+                self._expand_generator(self._right_dontaudits, AVRuleWrapper))
+
+    def diff_type_transitions(self):
+        """Generate the difference in type_transition rules between the policies."""
+
+        self.log.info(
+            "Generating type_transition differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_type_transitions is None or self._right_type_transitions is None:
+            self._create_rule_lists()
+
+        self.added_type_transitions, \
+            self.removed_type_transitions, \
+            self.modified_type_transitions = self._diff_te_rules(
+                self._expand_generator(self._left_type_transitions, TERuleWrapper),
+                self._expand_generator(self._right_type_transitions, TERuleWrapper))
+
+    def diff_type_changes(self):
+        """Generate the difference in type_change rules between the policies."""
+
+        self.log.info(
+            "Generating type_change differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_type_changes is None or self._right_type_changes is None:
+            self._create_rule_lists()
+
+        self.added_type_changes, \
+            self.removed_type_changes, \
+            self.modified_type_changes = self._diff_te_rules(
+                self._expand_generator(self._left_type_changes, TERuleWrapper),
+                self._expand_generator(self._right_type_changes, TERuleWrapper))
+
+    def diff_type_members(self):
+        """Generate the difference in type_member rules between the policies."""
+
+        self.log.info(
+            "Generating type_member differences from {0.left_policy} to {0.right_policy}".
+            format(self))
+
+        if self._left_type_members is None or self._right_type_members is None:
+            self._create_rule_lists()
+
+        self.added_type_members, \
+            self.removed_type_members, \
+            self.modified_type_members = self._diff_te_rules(
+                self._expand_generator(self._left_type_members, TERuleWrapper),
+                self._expand_generator(self._right_type_members, TERuleWrapper))
+
+    #
+    # Internal functions
+    #
+    def _create_rule_lists(self):
+        """Create rule lists for both policies."""
+
+        self._left_allows = []
+        self._left_auditallows = []
+        self._left_neverallows = []
+        self._left_dontaudits = []
+        self._left_type_transitions = []
+        self._left_type_changes = []
+        self._left_type_members = []
+        for rule in self.left_policy.terules():
+            # do not expand yet, to keep memory
+            # use down as long as possible
+            if rule.ruletype == "allow":
+                self._left_allows.append(rule)
+            elif rule.ruletype == "auditallow":
+                self._left_auditallows.append(rule)
+            elif rule.ruletype == "neverallow":
+                self._left_neverallows.append(rule)
+            elif rule.ruletype == "dontaudit":
+                self._left_dontaudits.append(rule)
+            elif rule.ruletype == "type_transition":
+                self._left_type_transitions.append(rule)
+            elif rule.ruletype == "type_change":
+                self._left_type_changes.append(rule)
+            elif rule.ruletype == "type_member":
+                self._left_type_members.append(rule)
+            else:
+                raise TypeError("Unknown rule type: {0}".format(rule.ruletype))
+
+        self._right_allows = []
+        self._right_auditallows = []
+        self._right_neverallows = []
+        self._right_dontaudits = []
+        self._right_type_transitions = []
+        self._right_type_changes = []
+        self._right_type_members = []
+        for rule in self.right_policy.terules():
+            # do not expand yet, to keep memory
+            # use down as long as possible
+            if rule.ruletype == "allow":
+                self._right_allows.append(rule)
+            elif rule.ruletype == "auditallow":
+                self._right_auditallows.append(rule)
+            elif rule.ruletype == "neverallow":
+                self._right_neverallows.append(rule)
+            elif rule.ruletype == "dontaudit":
+                self._right_dontaudits.append(rule)
+            elif rule.ruletype == "type_transition":
+                self._right_type_transitions.append(rule)
+            elif rule.ruletype == "type_change":
+                self._right_type_changes.append(rule)
+            elif rule.ruletype == "type_member":
+                self._right_type_members.append(rule)
+            else:
+                raise TypeError("Unknown rule type: {0}".format(rule.ruletype))
+
+    @staticmethod
+    def _expand_generator(rule_list, Wrapper):
+        """Generator that yields a wrapped, expanded rule list."""
+        # this is to delay creating any containers
+        # as long as possible, since rule lists
+        # are typically massive.
+        for unexpanded_rule in rule_list:
+            for expanded_rule in unexpanded_rule.expand():
+                yield Wrapper(expanded_rule)
+
+    def _diff_av_rules(self, left_list, right_list):
+        """Common method for comparing access vector rules."""
+        added, removed, matched = self._set_diff(left_list, right_list)
+
+        modified = []
+
+        for left_rule, right_rule in matched:
+            # Criteria for modified rules
+            # 1. change to permissions
+            added_perms, removed_perms, matched_perms = self._set_diff(left_rule.perms,
+                                                                       right_rule.perms)
+
+            # the final set comprehension is to avoid having lists
+            # like [("perm1", "perm1"), ("perm2", "perm2")], as the
+            # matched_perms return from _set_diff is a set of tuples
+            if added_perms or removed_perms:
+                modified.append(modified_avrule_record(left_rule,
+                                                       added_perms,
+                                                       removed_perms,
+                                                       set(p[0] for p in matched_perms)))
+
+        return added, removed, modified
+
+    def _diff_te_rules(self, left_list, right_list):
+        """Common method for comparing type_* rules."""
+        added, removed, matched = self._set_diff(left_list, right_list)
+
+        modified = []
+
+        for left_rule, right_rule in matched:
+            # Criteria for modified rules
+            # 1. change to default type
+            if str(left_rule.default) != str(right_rule.default):
+                modified.append(modified_terule_record(left_rule,
+                                                       right_rule.default,
+                                                       left_rule.default))
+
+        return added, removed, modified
+
+    def _reset_diff(self):
+        """Reset diff results on policy changes."""
+        self.log.debug("Resetting TE rule differences")
+        self.added_allows = None
+        self.removed_allows = None
+        self.modified_allows = None
+        self.added_auditallows = None
+        self.removed_auditallows = None
+        self.modified_auditallows = None
+        self.added_neverallows = None
+        self.removed_neverallows = None
+        self.modified_neverallows = None
+        self.added_dontaudits = None
+        self.removed_dontaudits = None
+        self.modified_dontaudits = None
+        self.added_type_transitions = None
+        self.removed_type_transitions = None
+        self.modified_type_transitions = None
+        self.added_type_changes = None
+        self.removed_type_changes = None
+        self.modified_type_changes = None
+        self.added_type_members = None
+        self.removed_type_members = None
+        self.modified_type_members = None
+
+        # Sets of rules for each policy
+        self._left_allows = None
+        self._right_allows = None
+        self._left_auditallows = None
+        self._right_auditallows = None
+        self._left_neverallows = None
+        self._right_neverallows = None
+        self._left_dontaudits = None
+        self._right_dontaudits = None
+        self._left_type_transitions = None
+        self._right_type_transitions = None
+        self._left_type_changes = None
+        self._right_type_changes = None
+        self._left_type_members = None
+        self._right_type_members = None
+
+
+class AVRuleWrapper(object):
+
+    """Wrap access vector rules to allow set operations."""
+
+    def __init__(self, rule):
+        self.origin = rule
+        self.ruletype = rule.ruletype
+        self.source = SymbolWrapper(rule.source)
+        self.target = SymbolWrapper(rule.target)
+        self.tclass = SymbolWrapper(rule.tclass)
+        self.key = hash(rule)
+
+        try:
+            self.conditional = ConditionalExprWrapper(rule.conditional)
+            self.conditional_block = rule.conditional_block
+        except RuleNotConditional:
+            self.conditional = None
+            self.conditional_block = None
+
+    def __hash__(self):
+        return self.key
+
+    def __lt__(self, other):
+        return self.origin < other.origin
+
+    def __eq__(self, other):
+        # because TERuleDifference groups rules by ruletype,
+        # the ruletype always matches.
+        return self.source == other.source and \
+               self.target == other.target and \
+               self.tclass == other.tclass and \
+               self.conditional == other.conditional and \
+               self.conditional_block == other.conditional_block
+
+    def __ne__(self, other):
+        return not self == other
+
+
+class TERuleWrapper(object):
+
+    """Wrap type_* rules to allow set operations."""
+
+    def __init__(self, rule):
+        self.origin = rule
+        self.ruletype = rule.ruletype
+        self.source = SymbolWrapper(rule.source)
+        self.target = SymbolWrapper(rule.target)
+        self.tclass = SymbolWrapper(rule.tclass)
+        self.key = hash(rule)
+
+        try:
+            self.conditional = ConditionalExprWrapper(rule.conditional)
+            self.conditional_block = rule.conditional_block
+        except RuleNotConditional:
+            self.conditional = None
+            self.conditional_block = None
+
+        try:
+            self.filename = rule.filename
+        except (RuleUseError, TERuleNoFilename):
+            self.filename = None
+
+    def __hash__(self):
+        return self.key
+
+    def __lt__(self, other):
+        return self.origin < other.origin
+
+    def __eq__(self, other):
+        # because TERuleDifference groups rules by ruletype,
+        # the ruletype always matches.
+        return self.source == other.source and \
+               self.target == other.target and \
+               self.tclass == other.tclass and \
+               self.conditional == other.conditional and \
+               self.conditional_block == other.conditional_block and \
+               self.filename == self.filename
+
+    def __ne__(self, other):
+        return not self == other

tests/diff.py

@@ -19,8 +19,10 @@ import unittest
 
 from setools import SELinuxPolicy, PolicyDifference
 
+from .mixins import ValidateRule
 
-class PolicyDifferenceTest(unittest.TestCase):
+
+class PolicyDifferenceTest(ValidateRule, unittest.TestCase):
 
     """Policy difference tests."""
 
@@ -208,6 +210,532 @@ class PolicyDifferenceTest(unittest.TestCase):
         self.assertSetEqual(set(["new_com"]),
                             self.diff.modified_classes["modified_change_common"].added_perms)
 
+    #
+    # Allow rules
+    #
+    def test_added_allow_rules(self):
+        """Diff: added allow rules."""
+        rules = sorted(self.diff.added_allows)
+        self.assertEqual(5, len(rules))
+
+        # added rule with existing types
+        self.validate_rule(rules[0], "allow", "added_rule_source", "added_rule_target", "infoflow",
+                           set(["med_w"]))
+
+        # added rule with new type
+        self.validate_rule(rules[1], "allow", "added_type", "added_type", "infoflow2",
+                           set(["med_w"]))
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[2], "allow", "move_from_bool", "move_from_bool", "infoflow4",
+                           set(["hi_r"]))
+
+        # rule moved into a conditional
+        self.validate_rule(rules[3], "allow", "move_to_bool", "move_to_bool", "infoflow4",
+                           set(["hi_w"]), cond="move_to_bool_b", cond_block=True)
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[4], "allow", "system", "switch_block", "infoflow6",
+                           set(["hi_r"]), cond="switch_block_b", cond_block=False)
+
+    def test_removed_allow_rules(self):
+        """Diff: removed allow rules."""
+        rules = sorted(self.diff.removed_allows)
+        self.assertEqual(5, len(rules))
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[0], "allow", "move_from_bool", "move_from_bool", "infoflow4",
+                           set(["hi_r"]), cond="move_from_bool_b", cond_block=True)
+
+        # rule moved into a conditional
+        self.validate_rule(rules[1], "allow", "move_to_bool", "move_to_bool", "infoflow4",
+                           set(["hi_w"]))
+
+        # removed rule with existing types
+        self.validate_rule(rules[2], "allow", "removed_rule_source", "removed_rule_target",
+                           "infoflow", set(["hi_r"]))
+
+        # removed rule with new type
+        self.validate_rule(rules[3], "allow", "removed_type", "removed_type", "infoflow3",
+                           set(["null"]))
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[4], "allow", "system", "switch_block", "infoflow6",
+                           set(["hi_r"]), cond="switch_block_b", cond_block=True)
+
+    def test_modified_allow_rules(self):
+        """Diff: modified allow rules."""
+        l = sorted(self.diff.modified_allows)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("allow", rule.ruletype)
+        self.assertEqual("modified_rule_add_perms", rule.source)
+        self.assertEqual("modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set(["hi_w"]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set(["hi_r"]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("allow", rule.ruletype)
+        self.assertEqual("modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set(["super_r"]), added_perms)
+        self.assertSetEqual(set(["super_w"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("allow", rule.ruletype)
+        self.assertEqual("modified_rule_remove_perms", rule.source)
+        self.assertEqual("modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set(["low_r"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+    #
+    # Auditallow rules
+    #
+    def test_added_auditallow_rules(self):
+        """Diff: added auditallow rules."""
+        rules = sorted(self.diff.added_auditallows)
+        self.assertEqual(5, len(rules))
+
+        # added rule with existing types
+        self.validate_rule(rules[0], "auditallow", "aa_added_rule_source", "aa_added_rule_target",
+                           "infoflow", set(["med_w"]))
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[1], "auditallow", "aa_move_from_bool", "aa_move_from_bool",
+                           "infoflow4", set(["hi_r"]))
+
+        # rule moved into a conditional
+        self.validate_rule(rules[2], "auditallow", "aa_move_to_bool", "aa_move_to_bool",
+                           "infoflow4", set(["hi_w"]), cond="aa_move_to_bool_b", cond_block=True)
+
+        # added rule with new type
+        self.validate_rule(rules[3], "auditallow", "added_type", "added_type", "infoflow7",
+                           set(["super_none"]))
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[4], "auditallow", "system", "aa_switch_block", "infoflow6",
+                           set(["hi_r"]), cond="aa_switch_block_b", cond_block=False)
+
+    def test_removed_auditallow_rules(self):
+        """Diff: removed auditallow rules."""
+        rules = sorted(self.diff.removed_auditallows)
+        self.assertEqual(5, len(rules))
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[0], "auditallow", "aa_move_from_bool", "aa_move_from_bool",
+                           "infoflow4", set(["hi_r"]), cond="aa_move_from_bool_b", cond_block=True)
+
+        # rule moved into a conditional
+        self.validate_rule(rules[1], "auditallow", "aa_move_to_bool", "aa_move_to_bool",
+                           "infoflow4", set(["hi_w"]))
+
+        # removed rule with existing types
+        self.validate_rule(rules[2], "auditallow", "aa_removed_rule_source",
+                           "aa_removed_rule_target", "infoflow", set(["hi_r"]))
+
+        # removed rule with new type
+        self.validate_rule(rules[3], "auditallow", "removed_type", "removed_type", "infoflow7",
+                           set(["super_unmapped"]))
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[4], "auditallow", "system", "aa_switch_block", "infoflow6",
+                           set(["hi_r"]), cond="aa_switch_block_b", cond_block=True)
+
+    def test_modified_auditallow_rules(self):
+        """Diff: modified auditallow rules."""
+        l = sorted(self.diff.modified_auditallows)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("auditallow", rule.ruletype)
+        self.assertEqual("aa_modified_rule_add_perms", rule.source)
+        self.assertEqual("aa_modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set(["hi_w"]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set(["hi_r"]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("auditallow", rule.ruletype)
+        self.assertEqual("aa_modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("aa_modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set(["super_r"]), added_perms)
+        self.assertSetEqual(set(["super_w"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("auditallow", rule.ruletype)
+        self.assertEqual("aa_modified_rule_remove_perms", rule.source)
+        self.assertEqual("aa_modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set(["low_r"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+    #
+    # Dontaudit rules
+    #
+    def test_added_dontaudit_rules(self):
+        """Diff: added dontaudit rules."""
+        rules = sorted(self.diff.added_dontaudits)
+        self.assertEqual(5, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "dontaudit", "added_type", "added_type", "infoflow7",
+                           set(["super_none"]))
+
+        # added rule with existing types
+        self.validate_rule(rules[1], "dontaudit", "da_added_rule_source", "da_added_rule_target",
+                           "infoflow", set(["med_w"]))
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[2], "dontaudit", "da_move_from_bool", "da_move_from_bool",
+                           "infoflow4", set(["hi_r"]))
+
+        # rule moved into a conditional
+        self.validate_rule(rules[3], "dontaudit", "da_move_to_bool", "da_move_to_bool",
+                           "infoflow4", set(["hi_w"]), cond="da_move_to_bool_b", cond_block=True)
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[4], "dontaudit", "system", "da_switch_block", "infoflow6",
+                           set(["hi_r"]), cond="da_switch_block_b", cond_block=False)
+
+    def test_removed_dontaudit_rules(self):
+        """Diff: removed dontaudit rules."""
+        rules = sorted(self.diff.removed_dontaudits)
+        self.assertEqual(5, len(rules))
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[0], "dontaudit", "da_move_from_bool", "da_move_from_bool",
+                           "infoflow4", set(["hi_r"]), cond="da_move_from_bool_b", cond_block=True)
+
+        # rule moved into a conditional
+        self.validate_rule(rules[1], "dontaudit", "da_move_to_bool", "da_move_to_bool",
+                           "infoflow4", set(["hi_w"]))
+
+        # removed rule with existing types
+        self.validate_rule(rules[2], "dontaudit", "da_removed_rule_source",
+                           "da_removed_rule_target", "infoflow", set(["hi_r"]))
+
+        # removed rule with new type
+        self.validate_rule(rules[3], "dontaudit", "removed_type", "removed_type", "infoflow7",
+                           set(["super_both"]))
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[4], "dontaudit", "system", "da_switch_block", "infoflow6",
+                           set(["hi_r"]), cond="da_switch_block_b", cond_block=True)
+
+    def test_modified_dontaudit_rules(self):
+        """Diff: modified dontaudit rules."""
+        l = sorted(self.diff.modified_dontaudits)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("dontaudit", rule.ruletype)
+        self.assertEqual("da_modified_rule_add_perms", rule.source)
+        self.assertEqual("da_modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set(["hi_w"]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set(["hi_r"]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("dontaudit", rule.ruletype)
+        self.assertEqual("da_modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("da_modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set(["super_r"]), added_perms)
+        self.assertSetEqual(set(["super_w"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("dontaudit", rule.ruletype)
+        self.assertEqual("da_modified_rule_remove_perms", rule.source)
+        self.assertEqual("da_modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set(["low_r"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+    #
+    # Neverallow rules
+    #
+    def test_added_neverallow_rules(self):
+        """Diff: added neverallow rules."""
+        rules = sorted(self.diff.added_neverallows)
+        self.assertEqual(2, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "neverallow", "added_type", "added_type", "added_class",
+                           set(["new_class_perm"]))
+
+        # added rule with existing types
+        self.validate_rule(rules[1], "neverallow", "na_added_rule_source", "na_added_rule_target",
+                           "infoflow", set(["med_w"]))
+
+    def test_removed_neverallow_rules(self):
+        """Diff: removed neverallow rules."""
+        rules = sorted(self.diff.removed_neverallows)
+        self.assertEqual(2, len(rules))
+
+        # removed rule with existing types
+        self.validate_rule(rules[0], "neverallow", "na_removed_rule_source",
+                           "na_removed_rule_target", "infoflow", set(["hi_r"]))
+
+        # removed rule with new type
+        self.validate_rule(rules[1], "neverallow", "removed_type", "removed_type", "removed_class",
+                           set(["null_perm"]))
+
+    def test_modified_neverallow_rules(self):
+        """Diff: modified neverallow rules."""
+        l = sorted(self.diff.modified_neverallows)
+        self.assertEqual(3, len(l))
+
+        # add permissions
+        rule, added_perms, removed_perms, matched_perms = l[0]
+        self.assertEqual("neverallow", rule.ruletype)
+        self.assertEqual("na_modified_rule_add_perms", rule.source)
+        self.assertEqual("na_modified_rule_add_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertSetEqual(set(["hi_w"]), added_perms)
+        self.assertFalse(removed_perms)
+        self.assertSetEqual(set(["hi_r"]), matched_perms)
+
+        # add and remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[1]
+        self.assertEqual("neverallow", rule.ruletype)
+        self.assertEqual("na_modified_rule_add_remove_perms", rule.source)
+        self.assertEqual("na_modified_rule_add_remove_perms", rule.target)
+        self.assertEqual("infoflow2", rule.tclass)
+        self.assertSetEqual(set(["super_r"]), added_perms)
+        self.assertSetEqual(set(["super_w"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+        # remove permissions
+        rule, added_perms, removed_perms, matched_perms = l[2]
+        self.assertEqual("neverallow", rule.ruletype)
+        self.assertEqual("na_modified_rule_remove_perms", rule.source)
+        self.assertEqual("na_modified_rule_remove_perms", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertFalse(added_perms)
+        self.assertSetEqual(set(["low_r"]), removed_perms)
+        self.assertSetEqual(set(["low_w"]), matched_perms)
+
+    #
+    # Type_transition rules
+    #
+    def test_added_type_transition_rules(self):
+        """Diff: added type_transition rules."""
+        rules = sorted(self.diff.added_type_transitions)
+        self.assertEqual(5, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "type_transition", "added_type", "system", "infoflow4",
+                           "system")
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[1], "type_transition", "system", "tt_switch_block", "infoflow6",
+                           "system", cond="tt_switch_block_b", cond_block=False)
+
+        # added rule with existing types
+        self.validate_rule(rules[2], "type_transition", "tt_added_rule_source",
+                           "tt_added_rule_target", "infoflow", "system")
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[3], "type_transition", "tt_move_from_bool", "system",
+                           "infoflow4", "system")
+
+        # rule moved into a conditional
+        self.validate_rule(rules[4], "type_transition", "tt_move_to_bool", "system",
+                           "infoflow3", "system", cond="tt_move_to_bool_b", cond_block=True)
+
+    def test_removed_type_transition_rules(self):
+        """Diff: removed type_transition rules."""
+        rules = sorted(self.diff.removed_type_transitions)
+        self.assertEqual(5, len(rules))
+
+        # removed rule with new type
+        self.validate_rule(rules[0], "type_transition", "removed_type", "system", "infoflow4",
+                           "system")
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[1], "type_transition", "system", "tt_switch_block", "infoflow6",
+                           "system", cond="tt_switch_block_b", cond_block=True)
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[2], "type_transition", "tt_move_from_bool", "system",
+                           "infoflow4", "system", cond="tt_move_from_bool_b", cond_block=True)
+
+        # rule moved into a conditional
+        self.validate_rule(rules[3], "type_transition", "tt_move_to_bool", "system",
+                           "infoflow3", "system")
+
+        # removed rule with existing types
+        self.validate_rule(rules[4], "type_transition", "tt_removed_rule_source",
+                           "tt_removed_rule_target", "infoflow", "system")
+
+    def test_modified_type_transition_rules(self):
+        """Diff: modified type_transition rules."""
+        l = sorted(self.diff.modified_type_transitions)
+        self.assertEqual(1, len(l))
+
+        rule, added_default, removed_default = l[0]
+        self.assertEqual("type_transition", rule.ruletype)
+        self.assertEqual("tt_matched_source", rule.source)
+        self.assertEqual("system", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertEqual("tt_new_type", added_default)
+        self.assertEqual("tt_old_type", removed_default)
+
+    #
+    # Type_change rules
+    #
+    def test_added_type_change_rules(self):
+        """Diff: added type_change rules."""
+        rules = sorted(self.diff.added_type_changes)
+        self.assertEqual(5, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "type_change", "added_type", "system", "infoflow4",
+                           "system")
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[1], "type_change", "system", "tc_switch_block", "infoflow6",
+                           "system", cond="tc_switch_block_b", cond_block=False)
+
+        # added rule with existing types
+        self.validate_rule(rules[2], "type_change", "tc_added_rule_source",
+                           "tc_added_rule_target", "infoflow", "system")
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[3], "type_change", "tc_move_from_bool", "system",
+                           "infoflow4", "system")
+
+        # rule moved into a conditional
+        self.validate_rule(rules[4], "type_change", "tc_move_to_bool", "system",
+                           "infoflow3", "system", cond="tc_move_to_bool_b", cond_block=True)
+
+    def test_removed_type_change_rules(self):
+        """Diff: removed type_change rules."""
+        rules = sorted(self.diff.removed_type_changes)
+        self.assertEqual(5, len(rules))
+
+        # removed rule with new type
+        self.validate_rule(rules[0], "type_change", "removed_type", "system", "infoflow4",
+                           "system")
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[1], "type_change", "system", "tc_switch_block", "infoflow6",
+                           "system", cond="tc_switch_block_b", cond_block=True)
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[2], "type_change", "tc_move_from_bool", "system",
+                           "infoflow4", "system", cond="tc_move_from_bool_b", cond_block=True)
+
+        # rule moved into a conditional
+        self.validate_rule(rules[3], "type_change", "tc_move_to_bool", "system",
+                           "infoflow3", "system")
+
+        # removed rule with existing types
+        self.validate_rule(rules[4], "type_change", "tc_removed_rule_source",
+                           "tc_removed_rule_target", "infoflow", "system")
+
+    def test_modified_type_change_rules(self):
+        """Diff: modified type_change rules."""
+        l = sorted(self.diff.modified_type_changes)
+        self.assertEqual(1, len(l))
+
+        rule, added_default, removed_default = l[0]
+        self.assertEqual("type_change", rule.ruletype)
+        self.assertEqual("tc_matched_source", rule.source)
+        self.assertEqual("system", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertEqual("tc_new_type", added_default)
+        self.assertEqual("tc_old_type", removed_default)
+
+    #
+    # Type_member rules
+    #
+    def test_added_type_member_rules(self):
+        """Diff: added type_member rules."""
+        rules = sorted(self.diff.added_type_members)
+        self.assertEqual(5, len(rules))
+
+        # added rule with new type
+        self.validate_rule(rules[0], "type_member", "added_type", "system", "infoflow4",
+                           "system")
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[1], "type_member", "system", "tm_switch_block", "infoflow6",
+                           "system", cond="tm_switch_block_b", cond_block=False)
+
+        # added rule with existing types
+        self.validate_rule(rules[2], "type_member", "tm_added_rule_source",
+                           "tm_added_rule_target", "infoflow", "system")
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[3], "type_member", "tm_move_from_bool", "system",
+                           "infoflow4", "system")
+
+        # rule moved into a conditional
+        self.validate_rule(rules[4], "type_member", "tm_move_to_bool", "system",
+                           "infoflow3", "system", cond="tm_move_to_bool_b", cond_block=True)
+
+    def test_removed_type_member_rules(self):
+        """Diff: removed type_member rules."""
+        rules = sorted(self.diff.removed_type_members)
+        self.assertEqual(5, len(rules))
+
+        # removed rule with new type
+        self.validate_rule(rules[0], "type_member", "removed_type", "system", "infoflow4",
+                           "system")
+
+        # rule moved from one conditional block to another (true to false)
+        self.validate_rule(rules[1], "type_member", "system", "tm_switch_block", "infoflow6",
+                           "system", cond="tm_switch_block_b", cond_block=True)
+
+        # rule moved out of a conditional
+        self.validate_rule(rules[2], "type_member", "tm_move_from_bool", "system",
+                           "infoflow4", "system", cond="tm_move_from_bool_b", cond_block=True)
+
+        # rule moved into a conditional
+        self.validate_rule(rules[3], "type_member", "tm_move_to_bool", "system",
+                           "infoflow3", "system")
+
+        # removed rule with existing types
+        self.validate_rule(rules[4], "type_member", "tm_removed_rule_source",
+                           "tm_removed_rule_target", "infoflow", "system")
+
+    def test_modified_type_member_rules(self):
+        """Diff: modified type_member rules."""
+        l = sorted(self.diff.modified_type_members)
+        self.assertEqual(1, len(l))
+
+        rule, added_default, removed_default = l[0]
+        self.assertEqual("type_member", rule.ruletype)
+        self.assertEqual("tm_matched_source", rule.source)
+        self.assertEqual("system", rule.target)
+        self.assertEqual("infoflow", rule.tclass)
+        self.assertEqual("tm_new_type", added_default)
+        self.assertEqual("tm_old_type", removed_default)
+
 
 class PolicyDifferenceTestNoDiff(unittest.TestCase):
 
@@ -264,3 +792,87 @@ class PolicyDifferenceTestNoDiff(unittest.TestCase):
     def test_modified_classes(self):
         """NoDiff: no modified classes."""
         self.assertFalse(self.diff.modified_classes)
+
+    def test_added_allows(self):
+        """NoDiff: no added allow rules."""
+        self.assertFalse(self.diff.added_allows)
+
+    def test_removed_allows(self):
+        """NoDiff: no removed allow rules."""
+        self.assertFalse(self.diff.removed_allows)
+
+    def test_modified_allows(self):
+        """NoDiff: no modified allow rules."""
+        self.assertFalse(self.diff.modified_allows)
+
+    def test_added_auditallows(self):
+        """NoDiff: no added auditallow rules."""
+        self.assertFalse(self.diff.added_auditallows)
+
+    def test_removed_auditallows(self):
+        """NoDiff: no removed auditallow rules."""
+        self.assertFalse(self.diff.removed_auditallows)
+
+    def test_modified_auditallows(self):
+        """NoDiff: no modified auditallow rules."""
+        self.assertFalse(self.diff.modified_auditallows)
+
+    def test_added_neverallows(self):
+        """NoDiff: no added neverallow rules."""
+        self.assertFalse(self.diff.added_neverallows)
+
+    def test_removed_neverallows(self):
+        """NoDiff: no removed neverallow rules."""
+        self.assertFalse(self.diff.removed_neverallows)
+
+    def test_modified_neverallows(self):
+        """NoDiff: no modified neverallow rules."""
+        self.assertFalse(self.diff.modified_neverallows)
+
+    def test_added_dontaudits(self):
+        """NoDiff: no added dontaudit rules."""
+        self.assertFalse(self.diff.added_dontaudits)
+
+    def test_removed_dontaudits(self):
+        """NoDiff: no removed dontaudit rules."""
+        self.assertFalse(self.diff.removed_dontaudits)
+
+    def test_modified_dontaudits(self):
+        """NoDiff: no modified dontaudit rules."""
+        self.assertFalse(self.diff.modified_dontaudits)
+
+    def test_added_type_transitions(self):
+        """NoDiff: no added type_transition rules."""
+        self.assertFalse(self.diff.added_type_transitions)
+
+    def test_removed_type_transitions(self):
+        """NoDiff: no removed type_transition rules."""
+        self.assertFalse(self.diff.removed_type_transitions)
+
+    def test_modified_type_transitions(self):
+        """NoDiff: no modified type_transition rules."""
+        self.assertFalse(self.diff.modified_type_transitions)
+
+    def test_added_type_changes(self):
+        """NoDiff: no added type_change rules."""
+        self.assertFalse(self.diff.added_type_changes)
+
+    def test_removed_type_changes(self):
+        """NoDiff: no removed type_change rules."""
+        self.assertFalse(self.diff.removed_type_changes)
+
+    def test_modified_type_changes(self):
+        """NoDiff: no modified type_change rules."""
+        self.assertFalse(self.diff.modified_type_changes)
+
+    def test_added_type_members(self):
+        """NoDiff: no added type_member rules."""
+        self.assertFalse(self.diff.added_type_members)
+
+    def test_removed_type_members(self):
+        """NoDiff: no removed type_member rules."""
+        self.assertFalse(self.diff.removed_type_members)
+
+    def test_modified_type_members(self):
+        """NoDiff: no modified type_member rules."""
+        self.assertFalse(self.diff.modified_type_members)

tests/diff_left.conf

@@ -142,6 +142,350 @@ role modified_add_type;
 role modified_remove_type;
 role modified_remove_type types { system };
 
+# Allow rule differences
+type matched_source;
+type matched_target;
+allow matched_source matched_target:infoflow hi_w;
+
+type removed_rule_source;
+type removed_rule_target;
+allow removed_rule_source removed_rule_target:infoflow hi_r;
+
+type added_rule_source;
+type added_rule_target;
+
+type modified_rule_add_perms;
+allow modified_rule_add_perms self:infoflow hi_r;
+
+type modified_rule_remove_perms;
+allow modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type modified_rule_add_remove_perms;
+allow modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+allow removed_type self:infoflow3 null;
+
+type move_to_bool;
+bool move_to_bool_b false;
+allow move_to_bool self:infoflow4 hi_w;
+
+type move_from_bool;
+bool move_from_bool_b false;
+if (move_from_bool_b) {
+allow move_from_bool self:infoflow4 hi_r;
+}
+
+type switch_block;
+bool switch_block_b false;
+if (switch_block_b) {
+allow system switch_block:infoflow5 hi_r;
+allow system switch_block:infoflow6 hi_r;
+} else {
+allow system switch_block:infoflow7 hi_r;
+}
+
+attribute match_rule_by_attr;
+type match_rule_by_attr_A_t, match_rule_by_attr;
+type match_rule_by_attr_B_t, match_rule_by_attr;
+allow match_rule_by_attr self:infoflow2 super_w;
+
+attribute unioned_perm_via_attr;
+type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
+type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
+allow unioned_perm_via_attr self:infoflow2 super_w;
+allow unioned_perm_via_attr_A_t self:infoflow2 super_r;
+allow unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# Auditallow rule differences
+type aa_matched_source;
+type aa_matched_target;
+auditallow aa_matched_source aa_matched_target:infoflow hi_w;
+
+type aa_removed_rule_source;
+type aa_removed_rule_target;
+auditallow aa_removed_rule_source aa_removed_rule_target:infoflow hi_r;
+
+type aa_added_rule_source;
+type aa_added_rule_target;
+
+type aa_modified_rule_add_perms;
+auditallow aa_modified_rule_add_perms self:infoflow hi_r;
+
+type aa_modified_rule_remove_perms;
+auditallow aa_modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type aa_modified_rule_add_remove_perms;
+auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+auditallow removed_type self:infoflow7 super_unmapped;
+
+type aa_move_to_bool;
+bool aa_move_to_bool_b false;
+auditallow aa_move_to_bool self:infoflow4 hi_w;
+
+type aa_move_from_bool;
+bool aa_move_from_bool_b false;
+if (aa_move_from_bool_b) {
+auditallow aa_move_from_bool self:infoflow4 hi_r;
+}
+
+type aa_switch_block;
+bool aa_switch_block_b false;
+if (aa_switch_block_b) {
+auditallow system aa_switch_block:infoflow5 hi_r;
+auditallow system aa_switch_block:infoflow6 hi_r;
+} else {
+auditallow system aa_switch_block:infoflow7 hi_r;
+}
+
+attribute aa_match_rule_by_attr;
+type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
+type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
+auditallow aa_match_rule_by_attr self:infoflow2 super_w;
+
+attribute aa_unioned_perm_via_attr;
+type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
+type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
+auditallow aa_unioned_perm_via_attr self:infoflow2 super_w;
+auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# Dontaudit rule differences
+type da_matched_source;
+type da_matched_target;
+dontaudit da_matched_source da_matched_target:infoflow hi_w;
+
+type da_removed_rule_source;
+type da_removed_rule_target;
+dontaudit da_removed_rule_source da_removed_rule_target:infoflow hi_r;
+
+type da_added_rule_source;
+type da_added_rule_target;
+
+type da_modified_rule_add_perms;
+dontaudit da_modified_rule_add_perms self:infoflow hi_r;
+
+type da_modified_rule_remove_perms;
+dontaudit da_modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type da_modified_rule_add_remove_perms;
+dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+dontaudit removed_type self:infoflow7 super_both;
+
+type da_move_to_bool;
+bool da_move_to_bool_b false;
+dontaudit da_move_to_bool self:infoflow4 hi_w;
+
+type da_move_from_bool;
+bool da_move_from_bool_b false;
+if (da_move_from_bool_b) {
+dontaudit da_move_from_bool self:infoflow4 hi_r;
+}
+
+type da_switch_block;
+bool da_switch_block_b false;
+if (da_switch_block_b) {
+dontaudit system da_switch_block:infoflow5 hi_r;
+dontaudit system da_switch_block:infoflow6 hi_r;
+} else {
+dontaudit system da_switch_block:infoflow7 hi_r;
+}
+
+attribute da_match_rule_by_attr;
+type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
+type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
+dontaudit da_match_rule_by_attr self:infoflow2 super_w;
+
+attribute da_unioned_perm_via_attr;
+type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
+type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
+dontaudit da_unioned_perm_via_attr self:infoflow2 super_w;
+dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# Neverallow rule differences
+type na_matched_source;
+type na_matched_target;
+neverallow na_matched_source na_matched_target:infoflow hi_w;
+
+type na_removed_rule_source;
+type na_removed_rule_target;
+neverallow na_removed_rule_source na_removed_rule_target:infoflow hi_r;
+
+type na_added_rule_source;
+type na_added_rule_target;
+
+type na_modified_rule_add_perms;
+neverallow na_modified_rule_add_perms self:infoflow hi_r;
+
+type na_modified_rule_remove_perms;
+neverallow na_modified_rule_remove_perms self:infoflow { low_r low_w };
+
+type na_modified_rule_add_remove_perms;
+neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_w };
+
+neverallow removed_type self:removed_class null_perm;
+
+attribute na_match_rule_by_attr;
+type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
+type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
+neverallow na_match_rule_by_attr self:infoflow2 super_w;
+
+attribute na_unioned_perm_via_attr;
+type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
+type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
+neverallow na_unioned_perm_via_attr self:infoflow2 super_w;
+neverallow na_unioned_perm_via_attr_A_t self:infoflow2 super_r;
+neverallow na_unioned_perm_via_attr_B_t self:infoflow2 hi_w;
+
+# type_transition rule differences
+type tt_matched_source;
+type tt_matched_target;
+type_transition tt_matched_source tt_matched_target:infoflow system;
+
+type tt_removed_rule_source;
+type tt_removed_rule_target;
+type_transition tt_removed_rule_source tt_removed_rule_target:infoflow system;
+
+type tt_added_rule_source;
+type tt_added_rule_target;
+
+type tt_old_type;
+type tt_new_type;
+type_transition tt_matched_source system:infoflow tt_old_type;
+
+type_transition removed_type system:infoflow4 system;
+
+type tt_move_to_bool;
+bool tt_move_to_bool_b false;
+type_transition tt_move_to_bool system:infoflow3 system;
+
+type tt_move_from_bool;
+bool tt_move_from_bool_b false;
+if (tt_move_from_bool_b) {
+type_transition tt_move_from_bool system:infoflow4 system;
+}
+
+type tt_switch_block;
+bool tt_switch_block_b false;
+if (tt_switch_block_b) {
+type_transition system tt_switch_block:infoflow5 system;
+type_transition system tt_switch_block:infoflow6 system;
+} else {
+type_transition system tt_switch_block:infoflow7 system;
+}
+
+attribute tt_match_rule_by_attr;
+type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
+type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
+type_transition tt_match_rule_by_attr system:infoflow2 system;
+
+attribute tt_unioned_perm_via_attr;
+type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
+type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
+type_transition tt_unioned_perm_via_attr system:infoflow2 system;
+type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
+
+# type_change rule differences
+type tc_matched_source;
+type tc_matched_target;
+type_change tc_matched_source tc_matched_target:infoflow system;
+
+type tc_removed_rule_source;
+type tc_removed_rule_target;
+type_change tc_removed_rule_source tc_removed_rule_target:infoflow system;
+
+type tc_added_rule_source;
+type tc_added_rule_target;
+
+type tc_old_type;
+type tc_new_type;
+type_change tc_matched_source system:infoflow tc_old_type;
+
+type_change removed_type system:infoflow4 system;
+
+type tc_move_to_bool;
+bool tc_move_to_bool_b false;
+type_change tc_move_to_bool system:infoflow3 system;
+
+type tc_move_from_bool;
+bool tc_move_from_bool_b false;
+if (tc_move_from_bool_b) {
+type_change tc_move_from_bool system:infoflow4 system;
+}
+
+type tc_switch_block;
+bool tc_switch_block_b false;
+if (tc_switch_block_b) {
+type_change system tc_switch_block:infoflow5 system;
+type_change system tc_switch_block:infoflow6 system;
+} else {
+type_change system tc_switch_block:infoflow7 system;
+}
+
+attribute tc_match_rule_by_attr;
+type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
+type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
+type_change tc_match_rule_by_attr system:infoflow2 system;
+
+attribute tc_unioned_perm_via_attr;
+type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
+type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
+type_change tc_unioned_perm_via_attr system:infoflow2 system;
+type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
+
+# type_member rule differences
+type tm_matched_source;
+type tm_matched_target;
+type_member tm_matched_source tm_matched_target:infoflow system;
+
+type tm_removed_rule_source;
+type tm_removed_rule_target;
+type_member tm_removed_rule_source tm_removed_rule_target:infoflow system;
+
+type tm_added_rule_source;
+type tm_added_rule_target;
+
+type tm_old_type;
+type tm_new_type;
+type_member tm_matched_source system:infoflow tm_old_type;
+
+type_member removed_type system:infoflow4 system;
+
+type tm_move_to_bool;
+bool tm_move_to_bool_b false;
+type_member tm_move_to_bool system:infoflow3 system;
+
+type tm_move_from_bool;
+bool tm_move_from_bool_b false;
+if (tm_move_from_bool_b) {
+type_member tm_move_from_bool system:infoflow4 system;
+}
+
+type tm_switch_block;
+bool tm_switch_block_b false;
+if (tm_switch_block_b) {
+type_member system tm_switch_block:infoflow5 system;
+type_member system tm_switch_block:infoflow6 system;
+} else {
+type_member system tm_switch_block:infoflow7 system;
+}
+
+attribute tm_match_rule_by_attr;
+type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
+type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
+type_member tm_match_rule_by_attr system:infoflow2 system;
+
+attribute tm_unioned_perm_via_attr;
+type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
+type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
+type_member tm_unioned_perm_via_attr system:infoflow2 system;
+type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
+
 ################################################################################
 
 #users

tests/diff_right.conf

@@ -142,6 +142,350 @@ role modified_add_type types { system };
 
 role modified_remove_type;
 
+# Allow rule differences
+type matched_source;
+type matched_target;
+allow matched_source matched_target:infoflow hi_w;
+
+type removed_rule_source;
+type removed_rule_target;
+
+type added_rule_source;
+type added_rule_target;
+allow added_rule_source added_rule_target:infoflow med_w;
+
+type modified_rule_add_perms;
+allow modified_rule_add_perms self:infoflow { hi_r hi_w };
+
+type modified_rule_remove_perms;
+allow modified_rule_remove_perms self:infoflow low_w;
+
+type modified_rule_add_remove_perms;
+allow modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
+
+allow added_type self:infoflow2 med_w;
+
+type move_to_bool;
+bool move_to_bool_b false;
+if (move_to_bool_b) {
+allow move_to_bool self:infoflow4 hi_w;
+}
+
+type move_from_bool;
+bool move_from_bool_b false;
+allow move_from_bool self:infoflow4 hi_r;
+
+type switch_block;
+bool switch_block_b false;
+if (switch_block_b) {
+allow system switch_block:infoflow5 hi_r;
+} else {
+allow system switch_block:infoflow6 hi_r;
+allow system switch_block:infoflow7 hi_r;
+}
+
+attribute match_rule_by_attr;
+type match_rule_by_attr_A_t, match_rule_by_attr;
+type match_rule_by_attr_B_t, match_rule_by_attr;
+allow match_rule_by_attr_A_t self:infoflow2 super_w;
+allow match_rule_by_attr_B_t self:infoflow2 super_w;
+
+attribute unioned_perm_via_attr;
+type unioned_perm_via_attr_A_t, unioned_perm_via_attr;
+type unioned_perm_via_attr_B_t, unioned_perm_via_attr;
+allow unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+allow unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+
+# Auditallow rule differences
+type aa_matched_source;
+type aa_matched_target;
+auditallow aa_matched_source aa_matched_target:infoflow hi_w;
+
+type aa_removed_rule_source;
+type aa_removed_rule_target;
+
+type aa_added_rule_source;
+type aa_added_rule_target;
+auditallow aa_added_rule_source aa_added_rule_target:infoflow med_w;
+
+type aa_modified_rule_add_perms;
+auditallow aa_modified_rule_add_perms self:infoflow { hi_r hi_w };
+
+type aa_modified_rule_remove_perms;
+auditallow aa_modified_rule_remove_perms self:infoflow low_w;
+
+type aa_modified_rule_add_remove_perms;
+auditallow aa_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
+
+auditallow added_type self:infoflow7 super_none;
+
+type aa_move_to_bool;
+bool aa_move_to_bool_b false;
+if (aa_move_to_bool_b) {
+auditallow aa_move_to_bool self:infoflow4 hi_w;
+}
+
+type aa_move_from_bool;
+bool aa_move_from_bool_b false;
+auditallow aa_move_from_bool self:infoflow4 hi_r;
+
+type aa_switch_block;
+bool aa_switch_block_b false;
+if (aa_switch_block_b) {
+auditallow system aa_switch_block:infoflow5 hi_r;
+} else {
+auditallow system aa_switch_block:infoflow6 hi_r;
+auditallow system aa_switch_block:infoflow7 hi_r;
+}
+
+attribute aa_match_rule_by_attr;
+type aa_match_rule_by_attr_A_t, aa_match_rule_by_attr;
+type aa_match_rule_by_attr_B_t, aa_match_rule_by_attr;
+auditallow aa_match_rule_by_attr_A_t self:infoflow2 super_w;
+auditallow aa_match_rule_by_attr_B_t self:infoflow2 super_w;
+
+attribute aa_unioned_perm_via_attr;
+type aa_unioned_perm_via_attr_A_t, aa_unioned_perm_via_attr;
+type aa_unioned_perm_via_attr_B_t, aa_unioned_perm_via_attr;
+auditallow aa_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+auditallow aa_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+
+# Dontaudit rule differences
+type da_matched_source;
+type da_matched_target;
+dontaudit da_matched_source da_matched_target:infoflow hi_w;
+
+type da_removed_rule_source;
+type da_removed_rule_target;
+
+type da_added_rule_source;
+type da_added_rule_target;
+dontaudit da_added_rule_source da_added_rule_target:infoflow med_w;
+
+type da_modified_rule_add_perms;
+dontaudit da_modified_rule_add_perms self:infoflow { hi_r hi_w };
+
+type da_modified_rule_remove_perms;
+dontaudit da_modified_rule_remove_perms self:infoflow low_w;
+
+type da_modified_rule_add_remove_perms;
+dontaudit da_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
+
+dontaudit added_type self:infoflow7 super_none;
+
+type da_move_to_bool;
+bool da_move_to_bool_b false;
+if (da_move_to_bool_b) {
+dontaudit da_move_to_bool self:infoflow4 hi_w;
+}
+
+type da_move_from_bool;
+bool da_move_from_bool_b false;
+dontaudit da_move_from_bool self:infoflow4 hi_r;
+
+type da_switch_block;
+bool da_switch_block_b false;
+if (da_switch_block_b) {
+dontaudit system da_switch_block:infoflow5 hi_r;
+} else {
+dontaudit system da_switch_block:infoflow6 hi_r;
+dontaudit system da_switch_block:infoflow7 hi_r;
+}
+
+attribute da_match_rule_by_attr;
+type da_match_rule_by_attr_A_t, da_match_rule_by_attr;
+type da_match_rule_by_attr_B_t, da_match_rule_by_attr;
+dontaudit da_match_rule_by_attr_A_t self:infoflow2 super_w;
+dontaudit da_match_rule_by_attr_B_t self:infoflow2 super_w;
+
+attribute da_unioned_perm_via_attr;
+type da_unioned_perm_via_attr_A_t, da_unioned_perm_via_attr;
+type da_unioned_perm_via_attr_B_t, da_unioned_perm_via_attr;
+dontaudit da_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+dontaudit da_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+
+# Neverallow rule differences
+type na_matched_source;
+type na_matched_target;
+neverallow na_matched_source na_matched_target:infoflow hi_w;
+
+type na_removed_rule_source;
+type na_removed_rule_target;
+
+type na_added_rule_source;
+type na_added_rule_target;
+neverallow na_added_rule_source na_added_rule_target:infoflow med_w;
+
+type na_modified_rule_add_perms;
+neverallow na_modified_rule_add_perms self:infoflow { hi_r hi_w };
+
+type na_modified_rule_remove_perms;
+neverallow na_modified_rule_remove_perms self:infoflow low_w;
+
+type na_modified_rule_add_remove_perms;
+neverallow na_modified_rule_add_remove_perms self:infoflow2 { low_w super_r };
+
+neverallow added_type self:added_class new_class_perm;
+
+attribute na_match_rule_by_attr;
+type na_match_rule_by_attr_A_t, na_match_rule_by_attr;
+type na_match_rule_by_attr_B_t, na_match_rule_by_attr;
+neverallow na_match_rule_by_attr_A_t self:infoflow2 super_w;
+neverallow na_match_rule_by_attr_B_t self:infoflow2 super_w;
+
+attribute na_unioned_perm_via_attr;
+type na_unioned_perm_via_attr_A_t, na_unioned_perm_via_attr;
+type na_unioned_perm_via_attr_B_t, na_unioned_perm_via_attr;
+neverallow na_unioned_perm_via_attr_A_t self:infoflow2 { super_w super_r };
+neverallow na_unioned_perm_via_attr_B_t self:infoflow2 { super_w hi_w };
+
+# type_transition rule differences
+type tt_matched_source;
+type tt_matched_target;
+type_transition tt_matched_source tt_matched_target:infoflow system;
+
+type tt_removed_rule_source;
+type tt_removed_rule_target;
+
+type tt_added_rule_source;
+type tt_added_rule_target;
+type_transition tt_added_rule_source tt_added_rule_target:infoflow system;
+
+type tt_old_type;
+type tt_new_type;
+type_transition tt_matched_source system:infoflow tt_new_type;
+
+type_transition added_type system:infoflow4 system;
+
+type tt_move_to_bool;
+bool tt_move_to_bool_b false;
+if (tt_move_to_bool_b) {
+type_transition tt_move_to_bool system:infoflow3 system;
+}
+
+type tt_move_from_bool;
+bool tt_move_from_bool_b false;
+type_transition tt_move_from_bool system:infoflow4 system;
+
+type tt_switch_block;
+bool tt_switch_block_b false;
+if (tt_switch_block_b) {
+type_transition system tt_switch_block:infoflow5 system;
+} else {
+type_transition system tt_switch_block:infoflow6 system;
+type_transition system tt_switch_block:infoflow7 system;
+}
+
+attribute tt_match_rule_by_attr;
+type tt_match_rule_by_attr_A_t, tt_match_rule_by_attr;
+type tt_match_rule_by_attr_B_t, tt_match_rule_by_attr;
+type_transition tt_match_rule_by_attr system:infoflow2 system;
+
+attribute tt_unioned_perm_via_attr;
+type tt_unioned_perm_via_attr_A_t, tt_unioned_perm_via_attr;
+type tt_unioned_perm_via_attr_B_t, tt_unioned_perm_via_attr;
+type_transition tt_unioned_perm_via_attr system:infoflow2 system;
+type_transition tt_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_transition tt_unioned_perm_via_attr_B_t system:infoflow2 system;
+
+# type_change rule differences
+type tc_matched_source;
+type tc_matched_target;
+type_change tc_matched_source tc_matched_target:infoflow system;
+
+type tc_removed_rule_source;
+type tc_removed_rule_target;
+
+type tc_added_rule_source;
+type tc_added_rule_target;
+type_change tc_added_rule_source tc_added_rule_target:infoflow system;
+
+type tc_old_type;
+type tc_new_type;
+type_change tc_matched_source system:infoflow tc_new_type;
+
+type_change added_type system:infoflow4 system;
+
+type tc_move_to_bool;
+bool tc_move_to_bool_b false;
+if (tc_move_to_bool_b) {
+type_change tc_move_to_bool system:infoflow3 system;
+}
+
+type tc_move_from_bool;
+bool tc_move_from_bool_b false;
+type_change tc_move_from_bool system:infoflow4 system;
+
+type tc_switch_block;
+bool tc_switch_block_b false;
+if (tc_switch_block_b) {
+type_change system tc_switch_block:infoflow5 system;
+} else {
+type_change system tc_switch_block:infoflow6 system;
+type_change system tc_switch_block:infoflow7 system;
+}
+
+attribute tc_match_rule_by_attr;
+type tc_match_rule_by_attr_A_t, tc_match_rule_by_attr;
+type tc_match_rule_by_attr_B_t, tc_match_rule_by_attr;
+type_change tc_match_rule_by_attr system:infoflow2 system;
+
+attribute tc_unioned_perm_via_attr;
+type tc_unioned_perm_via_attr_A_t, tc_unioned_perm_via_attr;
+type tc_unioned_perm_via_attr_B_t, tc_unioned_perm_via_attr;
+type_change tc_unioned_perm_via_attr system:infoflow2 system;
+type_change tc_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_change tc_unioned_perm_via_attr_B_t system:infoflow2 system;
+
+# type_member rule differences
+type tm_matched_source;
+type tm_matched_target;
+type_member tm_matched_source tm_matched_target:infoflow system;
+
+type tm_removed_rule_source;
+type tm_removed_rule_target;
+
+type tm_added_rule_source;
+type tm_added_rule_target;
+type_member tm_added_rule_source tm_added_rule_target:infoflow system;
+
+type tm_old_type;
+type tm_new_type;
+type_member tm_matched_source system:infoflow tm_new_type;
+
+type_member added_type system:infoflow4 system;
+
+type tm_move_to_bool;
+bool tm_move_to_bool_b false;
+if (tm_move_to_bool_b) {
+type_member tm_move_to_bool system:infoflow3 system;
+}
+
+type tm_move_from_bool;
+bool tm_move_from_bool_b false;
+type_member tm_move_from_bool system:infoflow4 system;
+
+type tm_switch_block;
+bool tm_switch_block_b false;
+if (tm_switch_block_b) {
+type_member system tm_switch_block:infoflow5 system;
+} else {
+type_member system tm_switch_block:infoflow6 system;
+type_member system tm_switch_block:infoflow7 system;
+}
+
+attribute tm_match_rule_by_attr;
+type tm_match_rule_by_attr_A_t, tm_match_rule_by_attr;
+type tm_match_rule_by_attr_B_t, tm_match_rule_by_attr;
+type_member tm_match_rule_by_attr system:infoflow2 system;
+
+attribute tm_unioned_perm_via_attr;
+type tm_unioned_perm_via_attr_A_t, tm_unioned_perm_via_attr;
+type tm_unioned_perm_via_attr_B_t, tm_unioned_perm_via_attr;
+type_member tm_unioned_perm_via_attr system:infoflow2 system;
+type_member tm_unioned_perm_via_attr_A_t system:infoflow2 system;
+type_member tm_unioned_perm_via_attr_B_t system:infoflow2 system;
+
 ################################################################################
 
 #users

tests/mixins.py

@@ -26,7 +26,8 @@ class ValidateRule(unittest.TestCase):
 
     """Mixin for validating policy rules."""
 
-    def validate_rule(self, rule, ruletype, source, target, tclass, last_item, cond=None):
+    def validate_rule(self, rule, ruletype, source, target, tclass, last_item, cond=None,
+                      cond_block=None):
         """Validate a rule."""
         self.assertEqual(ruletype, rule.ruletype)
         self.assertEqual(source, rule.source)
@@ -43,3 +44,6 @@ class ValidateRule(unittest.TestCase):
             self.assertEqual(cond, rule.conditional)
         else:
             self.assertRaises(RuleNotConditional, getattr, rule, "conditional")
+
+        if cond_block is not None:
+            self.assertEqual(cond_block, rule.conditional_block)