diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index d636091..56919be 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
 raise ValueError("Error during access vector computation")
 if self.type == audit2why.CONSTRAINT:
- self.data = []
+ self.data = [ self.data ]
 if self.scontext.user != self.tcontext.user:
- self.data.append("user")
+ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
 if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
- self.data.append("role")
+ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
 if self.scontext.level != self.tcontext.level:
- self.data.append("level")
+ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
 avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
index cc9f8ea..ce643e5 100644
--- a/sepolgen/src/sepolgen/policygen.py
+++ b/sepolgen/src/sepolgen/policygen.py
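Review bot: The new layout of `self.data` under CONSTRAINT is undocumented: `self.data = [ self.data ]` makes element 0 whatever audit2why had stored there (presumably the constraint rule text, which is what policygen now prints as `av.data[0]`), while elements 1.. become `(source, target)` tuples instead of the former plain `"user"`/`"role"`/`"level"` strings, so any other reader of CONSTRAINT data that expects strings would break. A comment at the assignment would make the contract visible, e.g. `# data[0]: constraint text from audit2why; data[1:]: (source, target) pairs for each differing context field`. The three appended tuples also mix `"..."` and `'...'` for the same purpose; one quote style reads more easily. The enclosing method starts before this hunk.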
@@ -161,21 +161,21 @@ class PolicyGenerator:
 if self.explain:
 rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
 if av.type == audit2why.ALLOW:
- rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ rule.comment += "\n#!!!! This avc is allowed in the current policy"
 if av.type == audit2why.DONTAUDIT:
- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
+ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
 if av.type == audit2why.BOOLEAN:
 if len(av.data) > 1:
- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
+ rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data))
 else:
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
+ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
 if av.type == audit2why.CONSTRAINT:
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
- rule.comment += "#Constraint rule: "
- for reason in av.data:
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
+ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
+ for reason in av.data[1:]:
+ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
 try:
 if ( av.type == audit2why.TERULE and
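Review bot: The CONSTRAINT comment lines are not separated: `"#Constraint rule: \n\t" + av.data[0]` has no trailing newline and the per-reason string `"#\tPossible cause is the source %s and target %s are different."` has neither a leading nor a trailing `\n`, so the constraint text and every reason are concatenated onto one physical line. The line carrying the constraint text also begins with `\t` rather than `#`, so unless the writer re-prefixes every line of `rule.comment` it is emitted as uncommented text in the generated policy; and since the reason values are taken from the parsed audit record, each comment line should be terminated explicitly so log-derived text stays confined to its own comment line. Using `%s` also avoids a TypeError if `av.data[0]` is not a str: `rule.comment += "#Constraint rule: \n#\t%s\n" % av.data[0]` and `rule.comment += "#\tPossible cause is the source %s and target %s are different.\n" % reason`. The other branches in this hunk moved the `\n` to the front of each message, while the CONSTRAINT message and the ones in the next hunk keep both a leading and a trailing newline, so the spacing between messages is inconsistent as well.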
@@ -189,9 +189,9 @@ class PolicyGenerator:
 if i not in self.domains:
 types.append(i)
 if len(types) == 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
 elif len(types) >= 1:
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
 except:
 pass
 self.module.children.append(rule)
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index 7b76261..a05d9d1 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -65,6 +65,7 @@ tokens = (
 'BAR',
 'EXPL',
 'EQUAL',
+ 'FILENAME',
 'IDENTIFIER',
 'NUMBER',
 'PATH',
@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
 t.lexer.lineno += 1
 def t_IDENTIFIER(t):
- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
+ r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
 # Handle any keywords
 t.type = reserved.get(t.value,'IDENTIFIER')
 return t
+ def t_FILENAME(t):
+ r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
+ # Handle any keywords
+ t.type = reserved.get(t.value,'FILENAME')
+ return t
+
 def t_comment(t):
 r'\#.*\n'
 # Ignore all comments
@@ -450,6 +457,7 @@ def p_interface_call_param(p):
 | nested_id_set
 | TRUE
 | FALSE
+ | FILENAME
 '''
 # Intentionally let single identifiers pass through
 # List means set, non-list identifier
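Review bot: In `t_FILENAME` the `reserved.get(t.value,'FILENAME')` lookup copied from `t_IDENTIFIER` is dead code: the token value always begins with `"`, so it can never equal a bare keyword, and PLY already derives `t.type` from the function name, so the body can be just `return t` under a comment such as `# Quoted object name for type_transition; may contain spaces and colons, no slashes`. Because `"` is removed from `t_IDENTIFIER` in the same hunk, any quoted string in existing policy sources that previously lexed as IDENTIFIER now lexes as FILENAME, so every grammar rule that used to accept such quoted identifiers needs the new token as well — this patch adds it only to `interface_call_param` and `typerule_def`, which is presumably not the full set. The `\"` removal from `t_IDENTIFIER` deserves a one-line comment stating that quoted strings are now handled by `t_FILENAME`, since the two functions must stay consistent.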
@@ -461,6 +469,7 @@ def p_interface_call_param(p):
 def p_interface_call_param_list(p):
 '''interface_call_param_list : interface_call_param
 | interface_call_param_list COMMA interface_call_param
+ | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
 '''
 if len(p) == 2:
 p[0] = [p[1]]
@@ -787,6 +796,7 @@ def p_avrule_def(p):
 def p_typerule_def(p):
 '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
+ | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
 | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
 | TYPE_CHANGE names names COLON names IDENTIFIER SEMI
 | TYPE_MEMBER names names COLON names IDENTIFIER SEMI
@@ -800,6 +810,7 @@ def p_typerule_def(p):
 t.tgt_types = p[3]
 t.obj_classes = p[5]
 t.dest_type = p[6]
+ t.file_name = p[7]
 p[0] = t
 def p_bool(p):
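Review bot: The added production `interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list` is redundant with the existing left-recursive `interface_call_param_list COMMA interface_call_param`, which already derives any comma-separated list, and being left- and right-recursive at once it makes the grammar ambiguous, which yacc/PLY will report as conflicts. It also yields `len(p) == 6`, which the visible action handles only for `len(p) == 2`; the rest of the action is outside the hunk, and if it covers only lengths 2 and 4 the new alternative silently produces no value. Unless a concrete input fails to parse with the existing rule, drop the added line; otherwise the action needs a `len(p) == 6` branch that flattens `p[1] + [p[3]] + p[5]`.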
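Review bot: `t.file_name = p[7]` runs for every alternative of `typerule_def`, but only the two eight-symbol TYPE_TRANSITION forms have a name in position 7; for the seven-symbol TYPE_TRANSITION, TYPE_CHANGE and TYPE_MEMBER forms `p[7]` is the SEMI token, so `file_name` is set to the `;` lexeme. Guard it on the production length, `if len(p) == 9:` / `    t.file_name = p[7]`, and note in a comment that a FILENAME token value still carries its surrounding quotes, so whatever writes the rule back out must expect them. If the rule object's constructor does not already initialize `file_name`, it should default to `None` there so the attribute exists for the short forms. `p_typerule_def` starts in the previous hunk and its middle lies outside this one.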