How should I run genfscon in my module?
Stephen Smalley
sds at tycho.nsa.gov
Wed Nov 1 18:18:58 UTC 2006
On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > From: Karl MacMillan [mailto:kmacmillan at mentalrootkit.com]
> > >
> > > > > I looked at fixing this by changing genfscon to use
> > > user_identifier
> > > > > instead of identifier (they are the same except user_identifier
> > > > > includes "-"). This made checkpolicy generate a syntax
> > > error for all
> > > > > genfscon statements - haven't tracked down what the
> > > problem is. The
> > > > > grammar still seems to be unambiguous.
> > > >
> > > > Use "user_id" instead. Otherwise, you'll get a syntax
> > > error when the
> > > > token is classified as an IDENTIFIER (first match) and the grammar
> > > > says that it must be a USER_IDENTIFIER.
> > >
> > > Right as usual.
> > >
> >
> > Maybe make user_id more generic as it is no longer only used for users..
>
> Just making generic would make the user related parts of the grammar
> harder to read. What about this:
>
> Index: trunk/checkpolicy/policy_parse.y
> ===================================================================
> --- trunk/checkpolicy/policy_parse.y (revision 2076)
> +++ trunk/checkpolicy/policy_parse.y (working copy)
> @@ -605,6 +605,8 @@
> ;
> user_id : identifier
> | user_identifier
> + ;
> +dash_id : user_id
> ;
> user_def : USER user_id ROLES names opt_mls_user ';'
> {if (define_user()) return -1;}
> @@ -679,11 +681,11 @@
> genfs_contexts : genfs_context_def
> | genfs_contexts genfs_context_def
> ;
> -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
> +genfs_context_def : GENFSCON dash_id path '-' identifier security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> + | GENFSCON dash_id path '-' '-' {insert_id("-", 0);} security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path security_context_def
> + | GENFSCON dash_id path security_context_def
> {if (define_genfs_context(0)) return -1;}
> ;
> ipv4_addr_def : number '.' number '.' number '.' number
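Review bot: The new nonterminal `dash_id : user_id` at the top of the quoted patch is named after the lexical shape it admits rather than the thing it denotes, so a reader of the genfscon rules has to chase two aliases to learn that the first operand is a filesystem name that may contain a hyphen. A role-based name with a one-line comment, e.g. `fs_name : user_id   /* filesystem type; may contain '-' */`, would document the intent at the point of use. Whether `user_id` should keep carrying user-specific sub-rules once it is reused this way is worth a comment as well, since the thread above already raised that concern.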
>
>
> Signed-off by: Karl MacMillan <kmacmillan at mentalrootkit.com>
Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
Index: checkpolicy/policy_scan.l
===================================================================
--- checkpolicy/policy_scan.l (revision 2076)
+++ checkpolicy/policy_scan.l (working copy)
@@ -200,12 +200,11 @@
h2 |
H2 { return(H2); }
"/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
-{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext))
+{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext))
return(IDENTIFIER);
else
REJECT;
}
-{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }
{digit}{digit}* { return(NUMBER); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); }
{version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); }
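Review bot: Admitting `-` inside IDENTIFIER at the replaced rule changes longest-match tokenization for every hyphen that directly follows an identifier character, not only in genfscon filesystem names; a range written without spaces such as `s0-s15` would presumably be scanned as one IDENTIFIER instead of `identifier '-' identifier`, which the grammar changes in the later policy_parse.y hunks (security_context_def, user_def) would then reject or mis-parse. The refpolicy build reported below does not settle this if that policy always writes ranges with spaces, so a policy with an unspaced range is worth adding to the test. A narrower alternative keeps the existing IDENTIFIER rule and introduces a dedicated token for hyphenated names that only the genfscon filesystem position accepts. Separately, with the USER_IDENTIFIER rule deleted, the REJECT after is_valid_identifier no longer has a same-length fallback rule, so a rejected name now falls to whichever later rule matches a prefix; a comment on that path, e.g. `/* REJECT falls through to a shorter match; rejected names surface as a syntax error */`, would make the intended outcome explicit.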
Index: checkpolicy/policy_parse.y
===================================================================
--- checkpolicy/policy_parse.y (revision 2076)
+++ checkpolicy/policy_parse.y (working copy)
@@ -190,7 +190,6 @@
%token NOT AND OR XOR
%token CTRUE CFALSE
%token IDENTIFIER
-%token USER_IDENTIFIER
%token NUMBER
%token EQUALS
%token NOTEQUAL
@@ -522,13 +521,13 @@
| T1 op T2
{ $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
if ($$ == 0) return -1; }
- | U1 op { if (insert_separator(1)) return -1; } user_names_push
+ | U1 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
if ($$ == 0) return -1; }
- | U2 op { if (insert_separator(1)) return -1; } user_names_push
+ | U2 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2);
if ($$ == 0) return -1; }
- | U3 op { if (insert_separator(1)) return -1; } user_names_push
+ | U3 op { if (insert_separator(1)) return -1; } names_push
{ $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2);
if ($$ == 0) return -1; }
| R1 op { if (insert_separator(1)) return -1; } names_push
@@ -603,10 +602,7 @@
users : user_def
| users user_def
;
-user_id : identifier
- | user_identifier
- ;
-user_def : USER user_id ROLES names opt_mls_user ';'
+user_def : USER identifier ROLES names opt_mls_user ';'
{if (define_user()) return -1;}
;
opt_mls_user : LEVEL mls_level_def RANGE mls_range_def
@@ -698,7 +694,7 @@
$$ = addr;
}
;
-security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def
+security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
;
opt_mls_range_def : ':' mls_range_def
|
@@ -766,23 +762,6 @@
identifier : IDENTIFIER
{ if (insert_id(yytext,0)) return -1; }
;
-user_identifier : USER_IDENTIFIER
- { if (insert_id(yytext,0)) return -1; }
- ;
-user_identifier_push : USER_IDENTIFIER
- { if (insert_id(yytext, 1)) return -1; }
- ;
-user_identifier_list_push : user_identifier_push
- | identifier_list_push user_identifier_push
- | user_identifier_list_push identifier_push
- | user_identifier_list_push user_identifier_push
- ;
-user_names_push : names_push
- | user_identifier_push
- | '{' user_identifier_list_push '}'
- | tilde_push user_identifier_push
- | tilde_push '{' user_identifier_list_push '}'
- ;
path : PATH
{ if (insert_id(yytext,0)) return -1; }
;
Builds svn refpolicy trunk with strict-mls, no change in policy.21.
--
Stephen Smalley
National Security Agency