On Thu, 2006-11-02 at 10:22 -0500, Karl MacMillan wrote:
> On Wed, 2006-11-01 at 13:18 -0500, Stephen Smalley wrote:
> > On Wed, 2006-11-01 at 11:09 -0500, Karl MacMillan wrote:
> > > On Wed, 2006-11-01 at 10:27 -0500, Joshua Brindle wrote:
> > > > > From: Karl MacMillan [mailto:kmacmillan@xxxxxxxxxxxxxxxxx]
> > > > >
> > > > > > > I looked at fixing this by changing genfscon to use
> > > > > > > user_identifier instead of identifier (they are the same except
> > > > > > > user_identifier includes "-"). This made checkpolicy generate a
> > > > > > > syntax error for all genfscon statements - haven't tracked down
> > > > > > > what the problem is. The grammar still seems to be unambiguous.
> > > > > >
> > > > > > Use "user_id" instead. Otherwise, you'll get a syntax error when
> > > > > > the token is classified as an IDENTIFIER (first match) and the
> > > > > > grammar says that it must be a USER_IDENTIFIER.
> > > > >
> > > > > Right as usual.
> > > > >
> > > > >
> > > > Maybe make user_id more generic as it is no longer only used for
> > > > users..
> > >
> > > Just making generic would make the user related parts of the grammar
> > > harder to read. What about this:
> > >
> > Why not just fold USER_IDENTIFIER back into IDENTIFIER? As in:
>
> That's fine with me - there is really no reason to disallow "-" in any
> of the identifiers. Makes a lot of documentation wrong, but the docs
> being more restrictive isn't a big deal.

Only possible reason would be to avoid ambiguity in MLS ranges (e.g.
s0-s0:c0.c255), but we already have that problem in checkpolicy from
USER_IDENTIFIER, which is why one has to use spaces around the - in the
range. So it would only matter if someone put a - in a sensitivity or
category name.

>
> >
> > Index: checkpolicy/policy_scan.l
> > ===================================================================
> > --- checkpolicy/policy_scan.l (revision 2076)
> > +++ checkpolicy/policy_scan.l (working copy)
> > @@ -200,12 +200,11 @@ > > h2 | > > H2 { return(H2); } > > "/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); } > > -{letter}({letter}|{digit}|_|".")* { if (is_valid_identifier(yytext)) > > +{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext)) > > return(IDENTIFIER); > > else > > REJECT; > > } > > -{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); } > > {digit}{digit}* { return(NUMBER); } > > {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); } > > {version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); } > > Index: checkpolicy/policy_parse.y > > =================================================================== > > --- checkpolicy/policy_parse.y (revision 2076) > > +++ checkpolicy/policy_parse.y (working copy) > > @@ -190,7 +190,6 @@ > > %token NOT AND OR XOR > > %token CTRUE CFALSE > > %token IDENTIFIER > > -%token USER_IDENTIFIER > > %token NUMBER > > %token EQUALS > > %token NOTEQUAL > > @@ -522,13 +521,13 @@ > > | T1 op T2 > > { $$ = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2); > > if ($$ == 0) return -1; } > > - | U1 op { if (insert_separator(1)) return -1; } user_names_push > > + | U1 op { if (insert_separator(1)) return -1; } names_push > > { $$ = define_cexpr(CEXPR_NAMES, CEXPR_USER, $2); > > if ($$ == 0) return -1; } > > - | U2 op { if (insert_separator(1)) return -1; } user_names_push > > + | U2 op { if (insert_separator(1)) return -1; } names_push > > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), $2); > > if ($$ == 0) return -1; } > > - | U3 op { if (insert_separator(1)) return -1; } user_names_push > > + | U3 op { if (insert_separator(1)) return -1; } names_push > > { $$ = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), $2); > > if ($$ == 0) return -1; } > > | R1 op { if (insert_separator(1)) return -1; } names_push 
> > @@ -603,10 +602,7 @@ > > users : user_def > > | users user_def > > ; > > -user_id : identifier > > - | user_identifier > > - ; > > -user_def : USER user_id ROLES names opt_mls_user ';' > > +user_def : USER identifier ROLES names opt_mls_user ';' > > {if (define_user()) return -1;} > > ; > > opt_mls_user : LEVEL mls_level_def RANGE mls_range_def > > @@ -698,7 +694,7 @@ > > $$ = addr; > > } > > ; > > -security_context_def : user_id ':' identifier ':' identifier opt_mls_range_def > > +security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def > > ; > > opt_mls_range_def : ':' mls_range_def > > | > > @@ -766,23 +762,6 @@ > > identifier : IDENTIFIER > > { if (insert_id(yytext,0)) return -1; } > > ; > > -user_identifier : USER_IDENTIFIER > > - { if (insert_id(yytext,0)) return -1; } > > - ; > > -user_identifier_push : USER_IDENTIFIER > > - { if (insert_id(yytext, 1)) return -1; } > > - ; > > -user_identifier_list_push : user_identifier_push > > - | identifier_list_push user_identifier_push > > - | user_identifier_list_push identifier_push > > - | user_identifier_list_push user_identifier_push > > - ; > > -user_names_push : names_push > > - | user_identifier_push > > - | '{' user_identifier_list_push '}' > > - | tilde_push user_identifier_push > > - | tilde_push '{' user_identifier_list_push '}' > > - ; > > path : PATH > > { if (insert_id(yytext,0)) return -1; } > > ; > > > > Builds svn refpolicy trunk with strict-mls, no change in policy.21. > > > > Acked-by: Karl MacMillan <kmacmillan@xxxxxxxxxxxxxxxxx> > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
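Review bot: In the policy_scan.l hunk (@@ -200,12 +200,11 @@) the REJECT branch of the IDENTIFIER rule has lost its fallback. Before the change, a token that failed is_valid_identifier() fell through to the removed `{letter}({letter}|{digit}|_|"."|"-")* { return(USER_IDENTIFIER); }` rule; after it, the next-best rule is whatever shorter-prefix match flex finds, and none of the rules visible in the hunk (NUMBER, IPV6_ADDR, VERSION_IDENTIFIER) match a letter-leading string. Please confirm that is_valid_identifier(), which the diff does not show, accepts every string the widened pattern matches, "-" included; otherwise hyphenated names that used to become USER_IDENTIFIER now end up rejected. A comment on the widened rule would also help: flex takes the longest match, so an MLS range such as s0-s0:c0.c255 written without spaces lexes as one IDENTIFIER, which is why the spaces around "-" that the message mentions are still required.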
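Review bot: The security_context_def hunk (@@ -698,7 +694,7 @@) is the one that fixes the genfscon syntax error that started the thread, but the only verification given is "Builds svn refpolicy trunk with strict-mls, no change in policy.21", which shows that existing policy is unaffected rather than that a hyphenated user now parses inside a context. A small test policy with a user name containing "-" used in a genfscon (or other security_context_def) statement, once with and once without a trailing MLS range, would exercise the new behaviour.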
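Review bot: The @@ -766,23 +762,6 @@ hunk removes user_identifier_list_push, whose `identifier_list_push user_identifier_push` and `user_identifier_list_push identifier_push` alternatives allowed mixed lists of plain and hyphenated names; since both kinds are now IDENTIFIER, identifier_list_push and names_push cover those cases and nothing is lost. What is missing is the documentation side: as the thread acknowledges, the policy language docs now describe identifiers as more restrictive than the grammar, so the description of IDENTIFIER (and the spaces-around-"-" rule for MLS ranges) should be updated in a follow-up.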
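To make the longest-match point in the discussion concrete, here is an added Python model (not code from the thread or from checkpolicy) of the IDENTIFIER rule set before and after the patch; it assumes plain ASCII letter/digit classes and leaves out the is_valid_identifier() check.

```python
import re

# Scanner rules modelled on the policy_scan.l hunk above (assumption: {letter}
# and {digit} are ASCII classes). Like flex, tokenize() takes the longest match
# and, on a tie, the rule listed first.
LETTER = r"[A-Za-z]"
DIGIT = r"[0-9]"

BEFORE_PATCH = [
    ("IDENTIFIER",      rf"{LETTER}({LETTER}|{DIGIT}|_|\.)*"),
    ("USER_IDENTIFIER", rf"{LETTER}({LETTER}|{DIGIT}|_|\.|-)*"),
    ("NUMBER",          rf"{DIGIT}+"),
]
AFTER_PATCH = [
    ("IDENTIFIER",      rf"{LETTER}({LETTER}|{DIGIT}|_|\.|-)*"),
    ("NUMBER",          rf"{DIGIT}+"),
]


def tokenize(text, rules):
    """Return (token, lexeme) pairs. Whitespace is skipped; a character no
    rule matches (':' or '-' in a range) is returned as a one-char token."""
    tokens = []
    pos = 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        best = None
        for name, pattern in rules:
            m = re.compile(pattern).match(text, pos)
            if m and (best is None or m.end() > best[1]):
                best = (name, m.end())
        if best is None:
            tokens.append((text[pos], text[pos]))
            pos += 1
        else:
            tokens.append((best[0], text[pos:best[1]]))
            pos = best[1]
    return tokens


if __name__ == "__main__":
    # Constructed sample range from the thread: without spaces the "-" is
    # swallowed into one token under both rule sets; with spaces it is not.
    for sample in ("s0-s0:c0.c255", "s0 - s0:c0.c255"):
        print(sample, "->", tokenize(sample, BEFORE_PATCH))
        print(sample, "->", tokenize(sample, AFTER_PATCH))
```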