How should I run genfscon in my module?
Stephen Smalley
sds at tycho.nsa.gov
Fri Nov 3 17:53:06 UTC 2006
On Thu, 2006-11-02 at 10:22 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 13:18 -0500, Stephen Smalley wrote:
> > On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> > > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > > > From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
> > > > >
> > > > > > > I looked at fixing this by changing genfscon to use user_identifier
> > > > > > > instead of identifier (they are the same except user_identifier
> > > > > > > includes "-"). This made checkpolicy generate a syntax error for all
> > > > > > > genfscon statements - haven't tracked down what the problem is. The
> > > > > > > grammar still seems to be unambiguous.
> > > > > >
> > > > > > Use "user_id" instead. Otherwise, you'll get a syntax error when the
> > > > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > > > says that it must be a USER_IDENTIFIER.
> > > > >
> > > > > Right as usual.
> > > > >
> > > >
> > > > Maybe make user_id more generic as it is no longer only used for users..
> > >
> > > Just making it generic would make the user related parts of the grammar
> > > harder to read. What about this:
>
> > Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
>
> That's fine with me - there is really no reason to disallow "-" in any
> of the identifiers. Makes a lot of documentation wrong, but the docs
> being more restrictive isn't a big deal.
Only possible reason would be to avoid ambiguity in MLS ranges (e.g.
s0-s0:c0.c255), but we already have that problem in checkpolicy from
USER_IDENTIFIER, which is why one has to use spaces around the - in the
range. So it would only matter if someone put a - in a sensitivity or
category name.
>
> >
> > Index: checkpolicy/policy_scan.l
> > ===================================================================
> > --- checkpolicy/policy_scan.l (revision 2076)
> > +++ checkpolicy/policy_scan.l (working copy)
> > @@ -200,12 +200,11 @@
> > h2 |
> > H2 { return(H2); }
> > "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
> > -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext))
> > +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext))
> > return(IDENTIFIER);
> > else
> > REJECT;
> > }
> > -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
> > {digit}{digit}* { return(NUMBER); }
> > {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); }
> > {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); }
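Review bot: with the second, identical-pattern USER_IDENTIFIER rule deleted, a token that is_valid_identifier() rejects no longer has an equal-length rule to fall back on, so REJECT now retries with the next-best (shorter) match; confirm that is the intended outcome for whatever is_valid_identifier() filters out, and that it accepts names containing "-" at all. The lexing consequence noted above also follows directly from the widened rule: "-" is consumed inside the identifier, so an MLS range written as s0-s0:c0.c255 lexes as the single identifier s0-s0, and the spaces around "-" in a range stay mandatory.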
> > Index: checkpolicy/policy_parse.y
> > ===================================================================
> > --- checkpolicy/policy_parse.y (revision 2076)
> > +++ checkpolicy/policy_parse.y (working copy)
> > @@ -190,7 +190,6 @@
> > %token NOT AND OR XOR
> > %token CTRUE CFALSE
> > %token IDENTIFIER
> > -%token USER_IDENTIFIER
> > %token NUMBER
> > %token EQUALS
> > %token NOTEQUAL
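Review bot: removing %token USER_IDENTIFIER makes the build fail if any rule still references the token, which the later hunk takes care of; the identifier-syntax documentation that this change makes wrong (as noted in the reply above) should be updated in the same commit so the documented character set matches the scanner.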
> > @@ -522,13 +521,13 @@
> > | T1 op T2
> > { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
> > if ($$ == 0) return -1; }
> > - | U1 op { if (insert_separator(1)) return -1; } user_names_push
> > + | U1 op { if (insert_separator(1)) return -1; } names_push
> > { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
> > if ($$ == 0) return -1; }
> > - | U2 op { if (insert_separator(1)) return -1; } user_names_push
> > + | U2 op { if (insert_separator(1)) return -1; } names_push
> > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
> > if ($$ == 0) return -1; }
> > - | U3 op { if (insert_separator(1)) return -1; } user_names_push
> > + | U3 op { if (insert_separator(1)) return -1; } names_push
> > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
> > if ($$ == 0) return -1; }
> > | R1 op { if (insert_separator(1)) return -1; } names_push
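Review bot: swapping user_names_push for names_push in the U1/U2/U3 alternatives is only equivalent if names_push already covers the tilde_push and brace-list forms; the removed user_names_push rule lists names_push as its first alternative, which suggests it does, but names_push itself is not in the diff and is worth a quick check.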
> > @@ -603,10 +602,7 @@
> > users : user_def
> > | users user_def
> > ;
> > -user_id : identifier
> > - | user_identifier
> > - ;
> > -user_def : USER user_id ROLES names opt_mls_user ';'
> > +user_def : USER identifier ROLES names opt_mls_user ';'
> > {if (define_user()) return -1;}
> > ;
> > opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
> > @@ -698,7 +694,7 @@
> > $$ = addr;
> > }
> > ;
> > -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def
> > +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
> > ;
> > opt_mls_range_def : ':' mls_range_def
> > |
> > @@ -766,23 +762,6 @@
> > identifier : IDENTIFIER
> > { if (insert_id(yytext,0)) return -1; }
> > ;
> > -user_identifier : USER_IDENTIFIER
> > - { if (insert_id(yytext,0)) return -1; }
> > - ;
> > -user_identifier_push : USER_IDENTIFIER
> > - { if (insert_id(yytext, 1)) return -1; }
> > - ;
> > -user_identifier_list_push : user_identifier_push
> > - | identifier_list_push user_identifier_push
> > - | user_identifier_list_push identifier_push
> > - | user_identifier_list_push user_identifier_push
> > - ;
> > -user_names_push : names_push
> > - | user_identifier_push
> > - | '{' user_identifier_list_push '}'
> > - | tilde_push user_identifier_push
> > - | tilde_push '{' user_identifier_list_push '}'
> > - ;
> > path : PATH
> > { if (insert_id(yytext,0)) return -1; }
> > ;
> >
> > Builds svn refpolicy trunk with strict-mls, no change in policy.21.
> >
>
> Acked-by: Karl MacMillan <kmacmillan at mentalrootkit.com>
>
>
--
Stephen Smalley
National Security Agency
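The longest-match behaviour discussed in this thread (an MLS range lexing as one identifier once "-" is allowed in IDENTIFIER), as an added example that is not part of the thread or of checkpolicy: a miniature maximal-munch scanner in C implementing only the patched IDENTIFIER rule, a digit run, and single-character punctuation. The function names and the two sample inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOK 16
#define TOK_LEN 32

/* Patched scanner rule: {letter}({letter}|{digit}|_|"."|"-")* */
static int ident_char(int c) {
    return isalnum(c) || c == '_' || c == '.' || c == '-';
}

/* Split input into tokens the way flex's longest-match rule would under
 * the patched scanner. Returns the token count and fills toks[].
 * Whitespace is skipped; anything that does not start an identifier or
 * number becomes a one-character punctuation token. (Constructed helper.) */
int tokenize(const char *in, char toks[MAX_TOK][TOK_LEN]) {
    int n = 0;
    const char *s = in;
    while (*s && n < MAX_TOK) {
        while (*s == ' ' || *s == '\t') s++;
        if (!*s) break;
        const char *start = s;
        if (isalpha((unsigned char)*s)) {
            /* maximal munch: "-" is swallowed into the identifier */
            do s++; while (ident_char((unsigned char)*s));
        } else if (isdigit((unsigned char)*s)) {
            while (isdigit((unsigned char)*s)) s++;
        } else {
            s++;
        }
        size_t len = (size_t)(s - start);
        if (len >= TOK_LEN) len = TOK_LEN - 1;
        memcpy(toks[n], start, len);
        toks[n][len] = '\0';
        n++;
    }
    return n;
}

int main(void) {
    /* constructed samples: the same range with and without spaces */
    const char *samples[] = { "s0-s0:c0.c255", "s0 - s0:c0.c255" };
    for (int i = 0; i < 2; i++) {
        char toks[MAX_TOK][TOK_LEN];
        int n = tokenize(samples[i], toks);
        printf("%-16s ->", samples[i]);
        for (int j = 0; j < n; j++) printf(" [%s]", toks[j]);
        printf("\n");
    }
    return 0;
}
```

Without spaces the range collapses to the three tokens [s0-s0] [:] [c0.c255], so the grammar never sees a '-' between two levels; with spaces it yields [s0] [-] [s0] [:] [c0.c255].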