checker/util: Change lists from comma-separated to space-separated.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Chris PeBenito 2020-07-25 10:47:58 -04:00
parent 58475daba2
commit df5bf03d20
6 changed files with 41 additions and 41 deletions


@ -74,10 +74,10 @@ Criteria options:
The source type/attribute criteria for the query.
.IP "target = <type or type attribute>"
The target type/attribute criteria for the query.
.IP "tclass = <type or type attribute>[, ....]"
A comma-separated list of object class criteria for the query.
.IP "perms = <type or type attribute>[, ....]"
A comma-separated list of permissions for the query.
.IP "tclass = <type or type attribute>[ ....]"
A space-separated list of object class criteria for the query.
.IP "perms = <type or type attribute>[ ....]"
A space-separated list of permissions for the query.
.PP
\fBA least one of the above options must be set in this check.\fR
@ -85,11 +85,11 @@ A comma-separated list of permissions for the query.
.PP
Additional Options:
.IP "exempt_source = <type or type attribute>[, ....]"
A comma-separated list of types and type attributes. Rules with these
.IP "exempt_source = <type or type attribute>[ ....]"
A space-separated list of types and type attributes. Rules with these
as the source will be ignored. This is optional.
.IP "exempt_target = <type or type attribute>[, ....]"
A comma-separated list of types and type attributes. Rules with these
.IP "exempt_target = <type or type attribute>[ ....]"
A space-separated list of types and type attributes. Rules with these
as the target will be ignored. This is optional.
.SH "EMPTY TYPE ATTRIBUTE ASSERTION"
@ -111,15 +111,15 @@ The check_type is \fBro_execs\fR.
.PP
Options:
.IP "exempt_file = <type or type attribute>[, ....]"
A comma-separated list of types and type attributes. These
.IP "exempt_file = <type or type attribute>[ ....]"
A space-separated list of types and type attributes. These
will not be considered executable. This is optional.
.IP "exempt_exec_domain = <type or type attribute>[, ....]"
A comma-separated list of types and type attributes. Rules with these
.IP "exempt_exec_domain = <type or type attribute>[ ....]"
A space-separated list of types and type attributes. Rules with these
as the source will be ignored if they allow file execute permission.
This is optional.
.IP "exempt_write_domain = <type or type attribute>[, ....]"
A comma-separated list of types and type attributes. Rules with these
.IP "exempt_write_domain = <type or type attribute>[ ....]"
A space-separated list of types and type attributes. Rules with these
as the source will be ignored if they allow file write or append permissions
on types determined executable. This is optional.


@ -25,11 +25,11 @@ from ..util import validate_perms_any
def config_list_to_class(policy, config):
"""
Convert a comma separated string into a set of object classes.
Convert a space separated string into a set of object classes.
Parameters:
policy A SELinuxPolicy
config A str with a comma-separated set of object classes.
config A str with a space-separated set of object classes.
Return: Frozenset containing policy objects in the config.
"""
@ -37,7 +37,7 @@ def config_list_to_class(policy, config):
return frozenset()
try:
tclass = frozenset(policy.lookup_class(c.strip()) for c in config.split(","))
tclass = frozenset(policy.lookup_class(c) for c in config.split(" ") if c)
except InvalidClass as e:
raise InvalidCheckValue("Invalid tclass setting: {}".format(e)) from e
@ -46,11 +46,11 @@ def config_list_to_class(policy, config):
def config_list_to_perms(policy, config, tclass=None):
"""
Convert a comma separated string into a set of permissions.
Convert a space separated string into a set of permissions.
Parameters:
policy A SELinuxPolicy
config A str with a comma-separated set of permissions.
config A str with a space-separated set of permissions.
Keyword Parameters:
tclass A container of ObjClass. If specified, the perms must be valid
@ -63,7 +63,7 @@ def config_list_to_perms(policy, config, tclass=None):
return frozenset()
try:
perms = frozenset(p.strip() for p in config.split(","))
perms = frozenset(i for i in config.split(" ") if i)
validate_perms_any(perms, tclass=tclass, policy=policy)
except InvalidPermission as e:
raise InvalidCheckValue("Invalid perms setting: {}".format(e)) from e
@ -93,12 +93,12 @@ def config_to_type_or_attr(policy, config):
def config_list_to_types_or_attrs(log, policy, config, strict=True, expand=False):
"""
Convert a comma separated string into a set of types/type attributes.
Convert a space separated string into a set of types/type attributes.
Parameters:
log A logging object.
policy A SELinuxPolicy
config A str with a comma-separated set of types/type attributes.
config A str with a space-separated set of types/type attributes.
Keyword Parameters:
strict Bool, if True policy lookup errors will be a configuration error.
@ -113,9 +113,9 @@ def config_list_to_types_or_attrs(log, policy, config, strict=True, expand=False
return frozenset()
ret = set()
for item in config.split(","):
for item in (i for i in config.split(" ") if i):
try:
obj = policy.lookup_type_or_attr(item.strip())
obj = policy.lookup_type_or_attr(item)
if expand:
ret.update(obj.expand())
else:
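Review bot: `config.split(" ")` in config_list_to_class, config_list_to_perms and config_list_to_types_or_attrs separates items on the space character only, and the per-item `.strip()` of the old code is gone, so a tab or a newline from a continued config line stays inside an item and reaches the policy lookup as part of the name. Calling `config.split()` with no argument splits on any run of whitespace and already drops empty strings, which also makes the `if c` / `if i` filters unnecessary. Separately, a value still written in the old form (`domain1, domain2`) now yields `domain1,` as an item: for tclass and perms that should surface as InvalidCheckValue, but with `strict=False` in config_list_to_types_or_attrs the docstring suggests a failed lookup is not a configuration error, so the exemption would presumably be dropped quietly. Rejecting any item that contains a comma with an explicit message would make the migration visible. The body of config_list_to_types_or_attrs continues past the end of the hunk.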


@ -82,7 +82,7 @@ class AssertTETest(mixins.ValidateRule, unittest.TestCase):
def test_exempt_source(self):
"""Test exempt_source setting."""
config = {"source": "system",
"exempt_source": " exempt_src1 , exempt_src2 "}
"exempt_source": " exempt_src1 exempt_src2 "}
check = AssertTE(self.p, "test_exempt_source", config)
# exempt_src2 is an attr
@ -94,7 +94,7 @@ class AssertTETest(mixins.ValidateRule, unittest.TestCase):
def test_source_missing_ignored(self):
"""Test exempt_source missing type is ignroed."""
config = {"source": "system",
"exempt_source": "FAIL, exempt_src2"}
"exempt_source": "FAIL exempt_src2"}
check = AssertTE(self.p, "test_source_missing_ignored", config)
# exempt_src2 is an attr
@ -105,7 +105,7 @@ class AssertTETest(mixins.ValidateRule, unittest.TestCase):
def test_exempt_target(self):
"""Test exempt_target setting."""
config = {"target": "system",
"exempt_target": " exempt_tgt1 , exempt_tgt2 "}
"exempt_target": " exempt_tgt1 exempt_tgt2 "}
check = AssertTE(self.p, "test_exempt_target", config)
# exempt_tgt2 is an attr
@ -117,7 +117,7 @@ class AssertTETest(mixins.ValidateRule, unittest.TestCase):
def test_target_missing_ignored(self):
"""Test exempt_target missing type is ignroed."""
config = {"target": "system",
"exempt_target": "FAIL, exempt_tgt2"}
"exempt_target": "FAIL exempt_tgt2"}
check = AssertTE(self.p, "test_target_missing_ignored", config)
# exempt_tgt2 is an attr
@ -127,7 +127,7 @@ class AssertTETest(mixins.ValidateRule, unittest.TestCase):
def test_tclass(self):
"""Test tclass setting."""
config = {"tclass": "infoflow3, infoflow2"}
config = {"tclass": "infoflow3 infoflow2"}
check = AssertTE(self.p, "test_tclass", config)
expected = set((self.p.lookup_class("infoflow3"),
@ -142,7 +142,7 @@ class AssertTETest(mixins.ValidateRule, unittest.TestCase):
def test_perms(self):
"""Test perms setting."""
config = {"perms": " hi_w, super_r "}
config = {"perms": " hi_w super_r "}
check = AssertTE(self.p, "test_perms", config)
expected = set(("hi_w", "super_r"))


@ -7,7 +7,7 @@ attr = empty_source_attr
desc = read only executables test
check_type = ro_execs
exempt_exec_domain = unconfined
exempt_write_domain = domain1, domain2, unconfined
exempt_write_domain = domain1 domain2 unconfined
[assertte]
check_type = assert_te


@ -96,7 +96,7 @@ class ReadOnlyExecutablesTest(unittest.TestCase):
"""Test for passing."""
with open("/dev/null", "w") as fd:
config = {"exempt_exec_domain": "unconfined",
"exempt_write_domain": "domain1, domain2, unconfined"}
"exempt_write_domain": "domain1 domain2 unconfined"}
check = ReadOnlyExecutables(self.p, "test_pass", config)
check.output = fd
result = check.run()
@ -108,7 +108,7 @@ class ReadOnlyExecutablesTest(unittest.TestCase):
with open("/dev/null", "w") as fd:
config = {"exempt_exec_domain": "unconfined",
"exempt_file": "execfile2",
"exempt_write_domain": "domain1, unconfined"}
"exempt_write_domain": "domain1 unconfined"}
check = ReadOnlyExecutables(self.p, "test_pass2", config)
check.output = fd
result = check.run()


@ -43,7 +43,7 @@ class CheckerUtilTest(unittest.TestCase):
expected = set((self.p.lookup_class("infoflow"),
self.p.lookup_class("infoflow2")))
result = util.config_list_to_class(self.p, " infoflow , infoflow2 ")
result = util.config_list_to_class(self.p, " infoflow infoflow2 ")
self.assertIsInstance(result, frozenset)
self.assertSetEqual(expected, result)
@ -63,13 +63,13 @@ class CheckerUtilTest(unittest.TestCase):
util.config_list_to_class(self.p, "FAIL")
with self.assertRaises(InvalidCheckValue):
util.config_list_to_class(self.p, "infoflow, FAIL")
util.config_list_to_class(self.p, "infoflow FAIL")
def test_config_list_to_perms_no_class(self):
"""Test config_list_to_perms() success with no classes set."""
expected = set(("hi_w", "null"))
result = util.config_list_to_perms(self.p, " hi_w , null ", tclass=None)
result = util.config_list_to_perms(self.p, " hi_w null ", tclass=None)
self.assertIsInstance(result, frozenset)
self.assertSetEqual(expected, result)
@ -86,7 +86,7 @@ class CheckerUtilTest(unittest.TestCase):
def test_config_list_to_perms_no_class_fail(self):
"""Test config_list_to_perms() failure with no classes set."""
with self.assertRaises(InvalidCheckValue):
util.config_list_to_perms(self.p, " hi_w , null , invalid_perm ", tclass=None)
util.config_list_to_perms(self.p, " hi_w null invalid_perm ", tclass=None)
def test_config_list_to_perms_class(self):
"""Test config_list_to_perms() success with classes set."""
@ -94,7 +94,7 @@ class CheckerUtilTest(unittest.TestCase):
self.p.lookup_class("infoflow3")))
expected = set(("super_r", "null"))
result = util.config_list_to_perms(self.p, " super_r , null ", tclass=classes)
result = util.config_list_to_perms(self.p, " super_r null ", tclass=classes)
self.assertIsInstance(result, frozenset)
self.assertSetEqual(expected, result)
@ -118,7 +118,7 @@ class CheckerUtilTest(unittest.TestCase):
with self.assertRaises(InvalidCheckValue):
# super_none isn't in either class
util.config_list_to_perms(self.p, " super_none , null ", tclass=classes)
util.config_list_to_perms(self.p, " super_none null ", tclass=classes)
def test_config_to_type_or_attr(self):
"""Test config_to_type_or_attr() success."""
@ -148,7 +148,7 @@ class CheckerUtilTest(unittest.TestCase):
expected = set((self.p.lookup_type("test1"),
self.p.lookup_typeattr("test10c")))
result = util.config_list_to_types_or_attrs(self.log, self.p, " test1, test10c ")
result = util.config_list_to_types_or_attrs(self.log, self.p, " test1 test10c ")
self.assertIsInstance(result, frozenset)
self.assertSetEqual(expected, result)
@ -160,7 +160,7 @@ class CheckerUtilTest(unittest.TestCase):
self.p.lookup_type("test10t5"),
self.p.lookup_type("test10t7")))
result = util.config_list_to_types_or_attrs(self.log, self.p, " test1, test10c ",
result = util.config_list_to_types_or_attrs(self.log, self.p, " test1 test10c ",
expand=True)
self.assertIsInstance(result, frozenset)
self.assertSetEqual(expected, result)
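Review bot: None of the updated cases in this file pins what happens to a value still written with commas, or to items separated by a tab or newline, so the new tokenising rule is only tested on its happy path. A negative case such as `with self.assertRaises(InvalidCheckValue): util.config_list_to_class(self.p, "infoflow, infoflow2")` would document that the old syntax is rejected rather than partly accepted. Whether it passes depends on lookup_class rejecting `infoflow,`, which is not visible here. The enclosing test method starts outside the hunk.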