On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote: > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote: > > > From: Karl MacMillan [mailto:kmacmillan@xxxxxxxxxxxxxxxxx] > > > > > > > > I looked at fixing this by changing genfscon to use > > > user_identifier > > > > > instead of identifier (they are the same except user_identifier > > > > > includes "-"). This made checkpolicy generate a syntax > > > error for all > > > > > genfscon statements - haven't tracked down what the > > > problem is. The > > > > > grammer still seems to be unambiguous. > > > > > > > > Use "user_id" instead. Otherwise, you'll get a syntax > > > error when the > > > > token is classified as an IDENTIFIER (first match) and the grammar > > > > says that it must be a USER_IDENTIFIER. > > > > > > Right as usual. > > > > > > > Maybe make user_id more generic as it is no longer only used for users.. > > Just making generic would make the user related parts of the grammar > harder to read. What about this: >
> Index: trunk/checkpolicy/policy_parse.y
> ===================================================================
> --- trunk/checkpolicy/policy_parse.y (revision 2076)
> +++ trunk/checkpolicy/policy_parse.y (working copy)
> @@ -605,6 +605,8 @@
> ;
> user_id : identifier
> | user_identifier
> + ;
> +dash_id : user_id
> ;
> user_def : USER user_id ROLES names opt_mls_user ';'
> {if (define_user()) return -1;}
> @@ -679,11 +681,11 @@
> genfs_contexts : genfs_context_def
> | genfs_contexts genfs_context_def
> ;
> -genfs_context_def : GENFSCON identifier path '-' identifier security_context_def
> +genfs_context_def : GENFSCON dash_id path '-' identifier security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> + | GENFSCON dash_id path '-' '-' {insert_id("-", 0);} security_context_def
> {if (define_genfs_context(1)) return -1;}
> - | GENFSCON identifier path security_context_def
> + | GENFSCON dash_id path security_context_def
> {if (define_genfs_context(0)) return -1;}
> ;
> ipv4_addr_def : number '.' number '.' number '.' number
> > > Signed-off by: Karl MacMillan <kmacmillan@xxxxxxxxxxxxxxxxx> Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in: Index: checkpolicy/policy_scan.l =================================================================== --- checkpolicy/policy_scan.l (revision 2076) +++ checkpolicy/policy_scan.l (working copy) @@ -200,12 +200,11 @@ h2 | H2 { return(H2); } "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext)) +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) return(IDENTIFIER); else REJECT; } -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } {digit}{digit}* { return(NUMBER); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); } Index: checkpolicy/policy_parse.y =================================================================== --- checkpolicy/policy_parse.y (revision 2076) +++ checkpolicy/policy_parse.y (working copy) @@ -190,7 +190,6 @@ %token NOT AND OR XOR %token CTRUE CFALSE %token IDENTIFIER -%token USER_IDENTIFIER %token NUMBER %token EQUALS %token NOTEQUAL
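Review bot: Allowing `-` in the single `IDENTIFIER` rule of policy_scan.l lifts the restriction for every production that uses `identifier`, not only the user names and the genfscon filesystem name this thread set out to fix; the separate `USER_IDENTIFIER` token was what confined dashed names to `user_id` and `user_names_push`. Unless `is_valid_identifier()` (not visible in this hunk) rejects them, a policy can now declare dashed names where `-` also acts as an operator or separator, such as next to the `'-'` tokens in `genfs_context_def` and presumably in MLS ranges, which are defined outside the lines shown. I would document the tokenisation rule above the pattern, e.g. `/* '-' is allowed inside identifiers; a '-' operator that follows a name needs whitespace before it */`, and consider rejecting dashed names at the declaration sites that should stay dash-free. The refpolicy build shows existing sources are unaffected, so a small negative test with dashed names in non-user positions would cover the newly accepted input.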
@@ -522,13 +521,13 @@ | T1 op T2 { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); if ($$ == 0) return -1; } - | U1 op { if (insert_separator(1)) return -1; } user_names_push + | U1 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); if ($$ == 0) return -1; } - | U2 op { if (insert_separator(1)) return -1; } user_names_push + | U2 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); if ($$ == 0) return -1; } - | U3 op { if (insert_separator(1)) return -1; } user_names_push + | U3 op { if (insert_separator(1)) return -1; } names_push { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); if ($$ == 0) return -1; } | R1 op { if (insert_separator(1)) return -1; } names_push @@ -603,10 +602,7 @@ users : user_def | users user_def ; -user_id : identifier - | user_identifier - ; -user_def : USER user_id ROLES names opt_mls_user ';' +user_def : USER identifier ROLES names opt_mls_user ';' {if (define_user()) return -1;} ; opt_mls_user : LEVEL mls_level_def RANGE mls_range_def @@ -698,7 +694,7 @@ $$ = addr; } ; -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def ; opt_mls_range_def : ':' mls_range_def | 
@@ -766,23 +762,6 @@ identifier : IDENTIFIER { if (insert_id(yytext,0)) return -1; } ; -user_identifier : USER_IDENTIFIER - { if (insert_id(yytext,0)) return -1; } - ; -user_identifier_push : USER_IDENTIFIER - { if (insert_id(yytext, 1)) return -1; } - ; -user_identifier_list_push : user_identifier_push - | identifier_list_push user_identifier_push - | user_identifier_list_push identifier_push - | user_identifier_list_push user_identifier_push - ; -user_names_push : names_push - | user_identifier_push - | '{' user_identifier_list_push '}' - | tilde_push user_identifier_push - | tilde_push '{' user_identifier_list_push '}' - ; path : PATH { if (insert_id(yytext,0)) return -1; } ; Builds svn refpolicy trunk with strict-mls, no change in policy.21. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list