diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py --- nsasepolgen/src/sepolgen/access.py 2008-06-12 23:25:26.000000000 -0400 +++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/access.py 2008-06-23 07:04:21.000000000 -0400 @@ -295,3 +295,32 @@ perms[av.obj_class] = s s.update(av.perms) return perms + +class RoleTypeSet: + """A non-overlapping set of role type statements. + + This clas allows the incremental addition of role type statements and + maintains a non-overlapping list of statements. + """ + def __init__(self): + """Initialize an access vector set.""" + self.role_types = {} + + def __iter__(self): + """Iterate over all of the unique role allows statements in the set.""" + for role_type in self.role_types.values(): + yield role_type + + def __len__(self): + """Return the unique number of role allow statements.""" + return len(self.roles) + + def add(self, role, type): + if self.role_types.has_key(role): + role_type = self.role_types[role] + else: + role_type = refpolicy.RoleType() + role_type.role = role + self.role_types[role] = role_type + + role_type.types.add(type) diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py --- nsasepolgen/src/sepolgen/audit.py 2008-06-12 23:25:26.000000000 -0400 +++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py 2008-06-23 07:05:23.000000000 -0400 @@ -235,20 +235,21 @@ """ def __init__(self, message): AuditMessage.__init__(self, message) - self.type = "" - self.role = "" + self.invalid_context = refpolicy.SecurityContext() + self.scontext = refpolicy.SecurityContext() + self.tcontext = refpolicy.SecurityContext() + self.tclass = "" def from_split_string(self, recs): AuditMessage.from_split_string(self, recs) - dict={} - for i in recs: - t = i.split('=') - if len(t) < 2: - continue - dict[t[0]]=t[1] + if len(recs) < 10: + raise ValueError("Split string does not represent a valid compute sid message") + try: - self.role = refpolicy.SecurityContext(dict["scontext"]).role - self.type = refpolicy.SecurityContext(dict["tcontext"]).type + self.invalid_context = refpolicy.SecurityContext(recs[5]) + self.scontext = refpolicy.SecurityContext(recs[7].split("=")[1]) + self.tcontext = refpolicy.SecurityContext(recs[8].split("=")[1]) + self.tclass = recs[9].split("=")[1] except: raise ValueError("Split string does not represent a valid compute sid message") def output(self): @@ -405,7 +406,7 @@ self.__post_process() def to_role(self, role_filter=None): - """Return list of SELINUX_ERR messages matching the specified filter + """Return RoleAllowSet statements matching the specified filter Filter out types that match the filer, or all roles @@ -416,13 +417,12 @@ Access vector set representing the denied access in the audit logs parsed by this object. """ - roles = [] - if role_filter: - for selinux_err in self.compute_sid_msgs: - if role_filter.filter(selinux_err): - roles.append(selinux_err) - return roles - return self.compute_sid_msgs + role_types = access.RoleTypeSet() + for cs in self.compute_sid_msgs: + if not role_filter or role_filter.filter(cs): + role_types.add(cs.invalid_context.role, cs.invalid_context.type) + + return role_types def to_access(self, avc_filter=None, only_denials=True): """Convert the audit logs access into a an access vector set. @@ -454,7 +454,7 @@ avc.accesses, avc) return av_set -class TypeFilter: +class AVCTypeFilter: def __init__(self, regex): self.regex = re.compile(regex) @@ -465,4 +465,17 @@ return True return False +class ComputeSidTypeFilter: + def __init__(self, regex): + self.regex = re.compile(regex) + + def filter(self, avc): + if self.regex.match(avc.invalid_context.type): + return True + if self.regex.match(avc.scontext.type): + return True + if self.regex.match(avc.tcontext.type): + return True + return False + diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/output.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py --- nsasepolgen/src/sepolgen/output.py 2008-06-12 23:25:26.000000000 -0400 +++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/output.py 2008-06-23 07:04:31.000000000 -0400 @@ -101,6 +101,8 @@ else: return id_set_cmp(a.src_types, [b.args[0]]) +def role_type_cmp(a, b): + return cmp(a.role, b.role) def sort_filter(module): """Sort and group the output for readability. @@ -146,6 +148,18 @@ c.extend(sep_rules) + + ras = [] + ras.extend(node.role_types()) + ras.sort(role_type_cmp) + if len(ras): + comment = refpolicy.Comment() + comment.lines.append("============= ROLES ==============") + c.append(comment) + + + c.extend(ras) + # Everything else for child in node.children: if child not in c: diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py --- nsasepolgen/src/sepolgen/policygen.py 2008-06-12 23:25:26.000000000 -0400 +++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/policygen.py 2008-06-23 07:04:36.000000000 -0400 @@ -167,6 +167,13 @@ if self.gen_requires: gen_requires(self.module) + def add_role_types(self, role_type_set): + for role_type in role_type_set: + self.module.children.append(role_type) + + # Generate the requires + if self.gen_requires: + gen_requires(self.module) def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION): """Explain why a policy statement was generated. @@ -334,8 +341,12 @@ # can actually figure those out. r.types.add(arg) - r.types.discard("self") + for role_type in node.role_types(): + r.roles.add(role_type.role) + r.types.update(role_type.types) + r.types.discard("self") + node.children.insert(0, r) # FUTURE - this is untested on modules with any sort of diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py --- nsasepolgen/src/sepolgen/refparser.py 2008-06-12 23:25:26.000000000 -0400 +++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py 2008-06-23 07:05:23.000000000 -0400 @@ -919,7 +919,7 @@ def list_headers(root): modules = [] support_macros = None - blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"] + blacklist = ["uml.if", "thunderbird.if"] for dirpath, dirnames, filenames in os.walk(root): for name in filenames: diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py --- nsasepolgen/src/sepolgen/refpolicy.py 2008-06-12 23:25:26.000000000 -0400 +++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refpolicy.py 2008-06-23 07:04:47.000000000 -0400 @@ -122,6 +122,12 @@ def roles(self): return itertools.ifilter(lambda x: isinstance(x, Role), walktree(self)) + def role_allows(self): + return itertools.ifilter(lambda x: isinstance(x, RoleAllow), walktree(self)) + + def role_types(self): + return itertools.ifilter(lambda x: isinstance(x, RoleType), walktree(self)) + def __str__(self): if self.comment: return str(self.comment) + "\n" + self.to_string() @@ -494,6 +500,15 @@ return "allow %s %s;" % (self.src_roles.to_comma_str(), self.tgt_roles.to_comma_str()) +class RoleType(Leaf): + def __init__(self, parent=None): + Leaf.__init__(self, parent) + self.role = "" + self.types = IdSet() + + def to_string(self): + return "role %s types %s;" % (self.role, self.types.to_comma_str()) + class ModuleDeclaration(Leaf): def __init__(self, parent=None): Leaf.__init__(self, parent)