Translate old boolean names based on /etc/selinux/*/booleans.subs_dist
file. The translation is only attempted when "policy" was not specified
to avoid influencing queries of policies from other systems.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
This checks for the nonexistence of allow rules that match the criteria
set in the check's options.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
These are various functions such as parsing comma separated strings,
looking up objects in the policy, and expanding attributes.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Since this is used to determine the file type, keep the reference. If
a genfscon does not have a filetype, this attribute will be None.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Cython coverage is only a problem when run through tox. Disable the coverage
target in Travis CI until this can be addressed.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
The object class values have not been static for many years. This has only
worked because libsepol was similarly setting static class values. This
will soon be removed, see SELinuxProject/selinux#200.
Add file object classes to the unit tests where genfscons are used. The
classes are added in the same alignment as the static values since old
policies will have these class values.
Remove static class values from sepol.pxd.
Closes #39
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This is an invalid check as the permission sets can be disjoint when
redundant permissions are removed.
Identified by Jim Carter.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Jim Carter first figured out this bug in PR #33
In class AVRule, when deriving an expanded rule remove the check for
permissions being a subset of the original rule.
This is not a condition that holds when attributes are expanded.
Example:

    attribute a1;
    attribute a2;
    type t1;
    typeattribute t1 a1, a2;
    allow a1 self: c1 p1;
    allow a2 self: c1 p2;
In this case the expanded rule "allow t1 t1: c1 {p1 p2};" has permissions
that are not a subset of either the allow rule with a1 or the one with a2.
Change the check to a set-disjoint check to make sure there is some
intersection between the original rule permission set and the derived
permission set.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
The primary motivation for the change is to correctly handle redundant
rules. Recent changes in the SELinux toolchain added support for an
optimization that removes redundant rules from a policy. These are
conditional rules that are either already specified in unconditional
policy or rules using types that are also specified more generally
through an attribute. Since attributes are always expanded in sediff,
the second type of redundant rules are already effectively removed. But
redundant conditional rules show up as differences when a binary version
of a policy that has been optimized is compared to one that has not been.
A secondary motivation for the change is to reduce memory usage and diff
times. A modern Fedora policy cannot be diffed with a system with less than
32Gb of memory and it takes over four hours to complete.
With this change AV rules are processed by creating a data structure which
consists of nested dictionaries that store BOTH the left and the right
policies. All of the keys are interned strings to save space.
The basic structure is

    rule_db[cond_exp][block_bool][src][tgt][tclass] = sides

where:
  cond_exp   is a boolean expression
  block_bool is either true or false
  src        is the source type
  tgt        is the target type
  tclass     is the target class
  sides      is a namedtuple with "left" and "right" attributes

Each side is either None or another namedtuple with "perms" and
"orig_rule" attributes:
  perms     is the set of permissions for this rule
  orig_rule is the original unexpanded rule
These changes improve diff times and memory usage.
Without the change:

                         Time          Memory Usage
  Older Fedora Policy    3 min 17 sec  4.5Gb
  Recent Refpolicy       4 min 19 sec  6.0Gb
  Recent Fedora Policy   4 hrs 9 min   31.9Gb

With the change:

                         Time          Memory Usage
  Older Fedora Policy    28 sec        1.7Gb
  Recent Refpolicy       34 sec        1.9Gb
  Recent Fedora Policy   4 min 45 sec  7.7Gb
Also added a unit test to check that redundant rules are removed.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
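The two commit messages above (the AVRule intersection check and the rule_db-based diff) carried through in working code, as an added example that is not setools' own implementation: it expands attribute rules into type rules, shows why the old subset check fails and the intersection check passes on the `typeattribute t1 a1, a2` case, builds the nested `rule_db[cond_exp][block_bool][src][tgt][tclass] = sides` structure with interned keys, strips conditional permissions that are already granted unconditionally, and reports the remaining differences. The `AVRule` tuple, the attribute map, the two sample policies and the use of `""` as the unconditional `cond_exp` key are assumptions made for this illustration.

```python
from collections import namedtuple
from sys import intern

# Rule representation used by this example (constructed; not setools' AVRule class).
AVRule = namedtuple("AVRule", ["src", "tgt", "tclass", "perms", "cond_exp", "block_bool"])
Side = namedtuple("Side", ["perms", "orig_rules"])   # perms: frozenset of permission names
Sides = namedtuple("Sides", ["left", "right"])       # either entry may be None

UNCONDITIONAL = ""   # assumed key for rules that sit outside any conditional block


def expand(rules, attrs):
    """Expand attribute sources/targets into member types, merging the permissions
    of every rule that lands on the same (cond_exp, block_bool, src, tgt, tclass).
    All string keys are interned so repeated names share one object."""
    out = {}
    for r in rules:
        for s in attrs.get(r.src, {r.src}):
            # "self" means the expanded source type itself, not the whole attribute
            targets = {s} if r.tgt == "self" else attrs.get(r.tgt, {r.tgt})
            for t in targets:
                key = (intern(r.cond_exp), r.block_bool, intern(s), intern(t), intern(r.tclass))
                perms, origs = out.setdefault(key, (set(), []))
                perms.update(r.perms)
                origs.append(r)
    return {k: (frozenset(p), tuple(o)) for k, (p, o) in out.items()}


def old_subset_check(derived_perms, orig_rule):
    """The check the AVRule commit removed: fails once two attribute rules merge."""
    return derived_perms <= orig_rule.perms


def intersect_check(derived_perms, orig_rule):
    """The replacement check: the derived set must overlap each original rule."""
    return bool(derived_perms & orig_rule.perms)


def build_rule_db(left, right, attrs):
    """rule_db[cond_exp][block_bool][src][tgt][tclass] = Sides(left, right)."""
    db = {}
    for name, rules in (("left", left), ("right", right)):
        for (cond, blk, s, t, c), (perms, origs) in expand(rules, attrs).items():
            leaf = db.setdefault(cond, {}).setdefault(blk, {}).setdefault(s, {}).setdefault(t, {})
            cur = leaf.get(c, Sides(None, None))
            leaf[c] = cur._replace(**{name: Side(perms, origs)})
    return db


def drop_redundant(db):
    """Remove conditional permissions already granted unconditionally on the same
    side, so an optimized policy diffs clean against an unoptimized one."""
    uncond = db.get(UNCONDITIONAL, {}).get(True, {})
    for cond, blocks in db.items():
        if cond == UNCONDITIONAL:
            continue
        for srcs in blocks.values():
            for s, tgts in srcs.items():
                for t, classes in tgts.items():
                    for c, sides in list(classes.items()):
                        base = uncond.get(s, {}).get(t, {}).get(c, Sides(None, None))
                        new = {}
                        for name in ("left", "right"):
                            side, b = getattr(sides, name), getattr(base, name)
                            if side is not None and b is not None:
                                rest = side.perms - b.perms
                                side = side._replace(perms=rest) if rest else None
                            new[name] = side
                        if new["left"] is None and new["right"] is None:
                            del classes[c]          # fully redundant on both sides
                        else:
                            classes[c] = Sides(**new)
    return db


def diff(db):
    """Walk the rule_db once; returns (added, removed, modified) where modified
    entries carry (key, perms added on the right, perms removed on the right)."""
    added, removed, modified = [], [], []
    for cond, blocks in db.items():
        for blk, srcs in blocks.items():
            for s, tgts in srcs.items():
                for t, classes in tgts.items():
                    for c, sides in classes.items():
                        key = (cond, blk, s, t, c)
                        if sides.left is None:
                            added.append(key)
                        elif sides.right is None:
                            removed.append(key)
                        elif sides.left.perms != sides.right.perms:
                            modified.append((key, sides.right.perms - sides.left.perms,
                                             sides.left.perms - sides.right.perms))
    return added, removed, modified


ATTRS = {"a1": {"t1"}, "a2": {"t1"}}        # typeattribute t1 a1, a2;  (constructed)

LEFT = [                                    # unoptimized policy (constructed)
    AVRule("a1", "self", "c1", frozenset({"p1"}), UNCONDITIONAL, True),
    AVRule("a2", "self", "c1", frozenset({"p2"}), UNCONDITIONAL, True),
    AVRule("t1", "t1", "c1", frozenset({"p1"}), "b1", True),   # redundant: already unconditional
    AVRule("t1", "t2", "c2", frozenset({"p3"}), UNCONDITIONAL, True),
]
RIGHT = [                                   # optimized build of a slightly newer policy
    AVRule("a1", "self", "c1", frozenset({"p1"}), UNCONDITIONAL, True),
    AVRule("a2", "self", "c1", frozenset({"p2"}), UNCONDITIONAL, True),
    AVRule("t1", "t2", "c2", frozenset({"p3", "p4"}), UNCONDITIONAL, True),
    AVRule("t2", "t1", "c1", frozenset({"p2"}), "b1", True),
]


def run_demo():
    """Diff LEFT against RIGHT after stripping redundant conditional rules."""
    return diff(drop_redundant(build_rule_db(LEFT, RIGHT, ATTRS)))


if __name__ == "__main__":
    added, removed, modified = run_demo()
    for key in added:
        print("added  ", key)
    for key in removed:
        print("removed", key)
    for key, plus, minus in modified:
        print("changed", key, "+", sorted(plus), "-", sorted(minus))
```

With these inputs the redundant `if b1 { allow t1 t1:c1 p1; }` on the left never shows up as a difference, the merged `allow t1 t1:c1 {p1 p2}` passes the intersection check against both originating attribute rules while failing the old subset check, and the diff reports exactly one changed rule and one added conditional rule.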
Record the rule list and expanded rule statistics for determining if
memory size issues are due to rule size vs. something else.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>