Update with Miroslav patch to handle role attributes

- Update Translations - import sepolicy will only throw exception on missing policy iff selinux is enabled
2013-01-09 08:37:32 -05:00 · 2013-01-09 08:37:32 -05:00 · 422fcbbd1a
commit 422fcbbd1a
parent 6be5fbacb4
3 changed files with 1647 additions and 1418 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@ -12,3 +12,131 @@ index 73c60f6..d636091 100644
     boottime = time.strftime("%X", s)
     output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
                               stdout=subprocess.PIPE).communicate()[0]
+diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
+index a4adbd8..6a3019c 100644
+--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
+@@ -91,8 +91,10 @@ tokens = (
+     'CLASS',
+     #   types and attributes
+     'TYPEATTRIBUTE',
+    'ROLEATTRIBUTE',
+     'TYPE',
+     'ATTRIBUTE',
+    'ATTRIBUTE_ROLE',
+     'ALIAS',
+     'TYPEALIAS',
+     #   conditional policy
+@@ -153,8 +155,10 @@ reserved = {
+     'class' : 'CLASS',
+     # types and attributes
+     'typeattribute' : 'TYPEATTRIBUTE',
+    'roleattribute' : 'ROLEATTRIBUTE',
+     'type' : 'TYPE',
+     'attribute' : 'ATTRIBUTE',
+    'attribute_role' : 'ATTRIBUTE_ROLE',
+     'alias' : 'ALIAS',
+     'typealias' : 'TYPEALIAS',
+     # conditional policy
+@@ -489,6 +493,7 @@ def p_policy_stmt(p):
+                    | avrule_def
+                    | typerule_def
+                    | typeattribute_def
+                   | roleattribute_def
+                    | interface_call
+                    | role_def
+                    | role_allow
+@@ -496,6 +501,7 @@ def p_policy_stmt(p):
+                    | type_def
+                    | typealias_def
+                    | attribute_def
+                   | attribute_role_def
+                    | range_transition_def
+                    | role_transition_def
+                    | bool
+@@ -542,6 +548,7 @@ def p_require(p):
+     '''require : TYPE comma_list SEMI
+                | ROLE comma_list SEMI
+                | ATTRIBUTE comma_list SEMI
+               | ATTRIBUTE_ROLE comma_list SEMI
+                | CLASS comma_list SEMI
+                | BOOL comma_list SEMI
+     '''
+@@ -727,6 +734,11 @@ def p_attribute_def(p):
+     a = refpolicy.Attribute(p[2])
+     p[0] = a
+ 
+def p_attribute_role_def(p):
+	'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
+	a = refpolicy.Attribute_Role(p[2])
+	p[0] = a
+
+ def p_typealias_def(p):
+     'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'
+     t = refpolicy.TypeAlias()
+@@ -819,6 +831,13 @@ def p_typeattribute_def(p):
+     t.attributes.update(p[3])
+     p[0] = t
+ 
+def p_roleattribute_def(p):
+    '''typeattribute_def : ROLEATTRIBUTE IDENTIFIER comma_list SEMI'''
+    t = refpolicy.RoleAttribute()
+    t.role = p[2]
+    t.roleattributes.update(p[3])
+    p[0] = t
+
+ def p_range_transition_def(p):
+     '''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
+                             | RANGE_TRANSITION names names names SEMI'''
+diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
+index 1399225..b07550a 100644
+--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
+@@ -117,6 +117,10 @@ class Node(PolicyBase):
+         """Iterate over all of the TypeAttribute children of this Interface."""
+         return itertools.ifilter(lambda x: isinstance(x, TypeAttribute), walktree(self))
+ 
+    def roleattributes(self):
+        """Iterate over all of the RoleAttribute children of this Interface."""
+        return itertools.ifilter(lambda x: isinstance(x, RoleAttribute), walktree(self))
+
+     def requires(self):
+         return itertools.ifilter(lambda x: isinstance(x, Require), walktree(self))
+ 
+@@ -356,6 +360,20 @@ class TypeAttribute(Leaf):
+     def to_string(self):
+         return "typeattribute %s %s;" % (self.type, self.attributes.to_comma_str())
+ 
+class RoleAttribute(Leaf):
+    """SElinux typeattribute statement.
+
+    This class represents a typeattribute statement.
+    """
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.role = ""
+        self.roleattributes = IdSet()
+
+    def to_string(self):
+        return "roleattribute %s %s;" % (self.role, self.roleattributes.to_comma_str())
+
+
+ class Role(Leaf):
+     def __init__(self, parent=None):
+         Leaf.__init__(self, parent)
+@@ -400,6 +418,15 @@ class Attribute(Leaf):
+     def to_string(self):
+         return "attribute %s;" % self.name
+ 
+class Attribute_Role(Leaf):
+    def __init__(self, name="", parent=None):
+        Leaf.__init__(self, parent)
+        self.name = name
+
+    def to_string(self):
+        return "attribute_role %s;" % self.name
+
+
+ # Classes representing rules
+ 
+ class AVRule(Leaf):
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 52%{?dist}
+Release: 53%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@ -338,6 +338,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :

 %changelog
+* Wed Jan 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-53
+- Update with Miroslav patch to handle role attributes
+- Update Translations
+- import sepolicy will only throw exception on missing policy iff selinux is enabled
+
 * Sat Jan 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-52
 - Update to latest patches from eparis/Upstream
 -    secon: add support for setrans color information in prompt output