How should I run genfscon in my module?

Stephen Smalley sds at tycho.nsa.gov
Fri Nov 3 17:53:06 UTC 2006


On Thu, 2006-11-02 at 10:22 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 13:18 -0500, Stephen Smalley wrote:
> > On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> > > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > > > From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com] 
> > > > > 
> > > > > > > I looked at fixing this by changing genfscon to use user_identifier
> > > > > > > instead of identifier (they are the same except user_identifier
> > > > > > > includes "-"). This made checkpolicy generate a syntax error for all
> > > > > > > genfscon statements - haven't tracked down what the problem is. The
> > > > > > > grammar still seems to be unambiguous.
> > > > > > 
> > > > > > Use "user_id" instead.  Otherwise, you'll get a syntax error when the
> > > > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > > > says that it must be a USER_IDENTIFIER.
> > > > > 
> > > > > Right as usual.
> > > > > 
> > > > 
> > > > Maybe make user_id more generic as it is no longer only used for users..
> > > 
> > > Just making generic would make the user related parts of the grammar
> > > harder to read. What about this:
> 
> > Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
> 
> That's fine with me - there is really no reason to disallow "-" in any
> of the identifiers. Makes a lot of documentation wrong, but the docs
> being more restrictive isn't a big deal.

Only possible reason would be to avoid ambiguity in MLS ranges (e.g.
s0-s0:c0.c255), but we already have that problem in checkpolicy from
USER_IDENTIFIER, which is why one has to use spaces around the - in the
range.  So it would only matter if someone put a - in a sensitivity or
category name.

> 
> > 
> > Index: checkpolicy/policy_scan.l
> > ===================================================================
> > --- checkpolicy/policy_scan.l	(revision 2076)
> > +++ checkpolicy/policy_scan.l	(working copy)
> > @@ -200,12 +200,11 @@
> >  h2 |
> >  H2				{ return(H2); }
> >  "/"({letter}|{digit}|_|"."|"-"|"/")*	{ return(PATH); }
> > -{letter}({letter}|{digit}|_|".")*	{ if (is_valid_identifier(yytext)) 
> > +{letter}({letter}|{digit}|_|"."|"-")*	{ if (is_valid_identifier(yytext)) 
> >  						return(IDENTIFIER); 
> >  					  else 
> >  					  	REJECT;
> >  					}
> > -{letter}({letter}|{digit}|_|"."|"-")*	{ return(USER_IDENTIFIER); }
> >  {digit}{digit}*                 { return(NUMBER); }
> >  {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")*	{ return(IPV6_ADDR); }
> >  {version}/([ \t\f]*;)           { return(VERSION_IDENTIFIER); }
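Review bot: with "-" folded into the IDENTIFIER pattern, the REJECT branch after is_valid_identifier() no longer has a same-length USER_IDENTIFIER rule to fall back to; a rejected token now drops to a shorter match (NUMBER or a single character) instead of being re-classified, so confirm that is the error path you want. The MLS-range consequence raised in the reply applies to this rule too: `s0-s0` scans as a single IDENTIFIER, so ranges still need spaces around the `-` (already true under USER_IDENTIFIER, but worth stating in the commit message now that it is the only identifier rule).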
> > Index: checkpolicy/policy_parse.y
> > ===================================================================
> > --- checkpolicy/policy_parse.y	(revision 2076)
> > +++ checkpolicy/policy_parse.y	(working copy)
> > @@ -190,7 +190,6 @@
> >  %token NOT AND OR XOR
> >  %token CTRUE CFALSE
> >  %token IDENTIFIER
> > -%token USER_IDENTIFIER
> >  %token NUMBER
> >  %token EQUALS
> >  %token NOTEQUAL
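Review bot: dropping `%token USER_IDENTIFIER` is only safe if nothing outside these hunks still references user_id, user_identifier or user_names_push, since bison rejects an undefined nonterminal; the hunks below remove every definition, and the refpolicy build reported at the end covers the use sites, but a grep for those names in policy_parse.y before committing would make that explicit.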
> > @@ -522,13 +521,13 @@
> >  			| T1 op T2
> >  			{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
> >  			  if ($$ == 0) return -1; }
> > -			| U1 op { if (insert_separator(1)) return -1; } user_names_push
> > +			| U1 op { if (insert_separator(1)) return -1; } names_push
> >  			{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
> >  			  if ($$ == 0) return -1; }
> > -			| U2 op { if (insert_separator(1)) return -1; } user_names_push
> > +			| U2 op { if (insert_separator(1)) return -1; } names_push
> >  			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
> >  			  if ($$ == 0) return -1; }
> > -			| U3 op { if (insert_separator(1)) return -1; } user_names_push
> > +			| U3 op { if (insert_separator(1)) return -1; } names_push
> >  			{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
> >  			  if ($$ == 0) return -1; }
> >  			| R1 op { if (insert_separator(1)) return -1; } names_push
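Review bot: the U1/U2/U3 alternatives now have the same shape as the R1 alternative that follows, which is the right end state. It is behaviour-preserving because names_push was already the first alternative of user_names_push and the remaining alternatives only re-spelt the braced and tilde forms with USER_IDENTIFIER, so every previously accepted user constraint still parses and define_cexpr() sees the same stack.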
> > @@ -603,10 +602,7 @@
> >  users			: user_def
> >  			| users user_def
> >  			;
> > -user_id			: identifier
> > -			| user_identifier
> > -			;
> > -user_def		: USER user_id ROLES names opt_mls_user ';'
> > +user_def		: USER identifier ROLES names opt_mls_user ';'
> >  	                {if (define_user()) return -1;}
> >  			;
> >  opt_mls_user		: LEVEL mls_level_def RANGE mls_range_def
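Review bot: define_user() is unchanged and `identifier` performs the same insert_id(yytext,0) that both branches of user_id did, so user names containing "-" remain valid through the scanner change; while touching user_def, the action line `{if (define_user()) return -1;}` could have its mixed tab/space indentation brought in line with the surrounding rules.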
> > @@ -698,7 +694,7 @@
> >  			  $$ = addr;
> >  			}
> >      			;
> > -security_context_def	: user_id ':' identifier ':' identifier opt_mls_range_def
> > +security_context_def	: identifier ':' identifier ':' identifier opt_mls_range_def
> >  	                ;
> >  opt_mls_range_def	: ':' mls_range_def
> >  			|	
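Review bot: this is the hunk that widens accepted input rather than just simplifying the grammar: the role and type fields of security_context_def were already `identifier` and now accept "-" as well, so any documentation stating that only user names may contain "-" becomes wrong, as noted earlier in the thread. The trailing opt_mls_range_def is unaffected in practice, since a range written without spaces around "-" already scanned as one token before this change.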
> > @@ -766,23 +762,6 @@
> >  identifier		: IDENTIFIER
> >  			{ if (insert_id(yytext,0)) return -1; }
> >  			;
> > -user_identifier		: USER_IDENTIFIER
> > -			{ if (insert_id(yytext,0)) return -1; }
> > -			;
> > -user_identifier_push	: USER_IDENTIFIER
> > -			{ if (insert_id(yytext, 1)) return -1; }
> > -			;
> > -user_identifier_list_push : user_identifier_push
> > -			| identifier_list_push user_identifier_push
> > -			| user_identifier_list_push identifier_push
> > -			| user_identifier_list_push user_identifier_push
> > -			;
> > -user_names_push		: names_push
> > -			| user_identifier_push
> > -			| '{' user_identifier_list_push '}'
> > -			| tilde_push user_identifier_push
> > -			| tilde_push '{' user_identifier_list_push '}'
> > -			;
> >  path     		: PATH
> >  			{ if (insert_id(yytext,0)) return -1; }
> >  			;
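Review bot: the removed rules carried no semantic actions beyond insert_id(yytext,0) and insert_id(yytext,1), identical to identifier and identifier_push, so the id stack contents are unchanged for any input that previously parsed. Worth checking that identifier_list_push and identifier_push, which user_identifier_list_push used to reference, are still reachable from names_push so bison does not report them as unused.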
> > 
> > Builds svn refpolicy trunk with strict-mls, no change in policy.21.
> > 
> 
> Acked-by: Karl MacMillan <kmacmillan at mentalrootkit.com>
> 
> 
-- 
Stephen Smalley
National Security Agency
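The MLS-range ambiguity described in the reply, as an added illustration that is not part of the original thread or of checkpolicy: the scanner rules from the patch (PATH, IDENTIFIER, NUMBER, plus the pre-patch USER_IDENTIFIER) are modelled as regexes under flex's longest-match, earliest-rule-on-tie discipline. It assumes, as checkpolicy's catch-all rule does, that any other single character is returned as itself; is_valid_identifier() and REJECT are not modelled.

```python
import re

# Scanner rules in source order. Flex picks the longest match and, on a tie,
# the earliest rule. Only the subset relevant to the thread is modelled.
RULES_BEFORE = [
    ("PATH", r"/[A-Za-z0-9_.\-/]*"),
    ("IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.]*"),         # no "-" before the patch
    ("USER_IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.\-]*"),  # "-" allowed
    ("NUMBER", r"[0-9]+"),
]
RULES_AFTER = [
    ("PATH", r"/[A-Za-z0-9_.\-/]*"),
    ("IDENTIFIER", r"[A-Za-z][A-Za-z0-9_.\-]*"),       # "-" folded in
    ("NUMBER", r"[0-9]+"),
]


def tokenize(text, rules):
    """Flex-style scan: skip whitespace, longest match wins, ties go to the
    earlier rule, and any unmatched single character is returned as itself
    (assumed catch-all rule)."""
    tokens = []
    pos = 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        best = None
        for name, pattern in rules:
            m = re.compile(pattern).match(text, pos)
            # strict '>' keeps the earliest rule on equal-length matches
            if m and (best is None or m.end() > best[1]):
                best = (name, m.end())
        if best is None:
            tokens.append((text[pos], text[pos]))
            pos += 1
        else:
            name, end = best
            tokens.append((name, text[pos:end]))
            pos = end
    return tokens


if __name__ == "__main__":
    # Constructed inputs: the range from the thread, with and without spaces.
    for sample in ("s0-s0:c0.c255", "s0 - s0:c0.c255"):
        print(sample, "->", tokenize(sample, RULES_AFTER))
```

Without spaces, `s0-s0` is one identifier token both before and after the patch (USER_IDENTIFIER then, IDENTIFIER now), which is why the range must be written `s0 - s0:c0.c255` for the parser to see two sensitivities.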