Attached is the third release of the flask policy parser. This is still very much experimental.

New with this release is the ability to rewrite Refpolicy into the Common Intermediate Language (CIL). The resulting CIL can be processed to generate a policy.conf. There is no support yet for any of the interesting CIL features such as language transformations. The README has detailed instructions on how to use fpp.

To generate CIL from Refpolicy:

    ./fpp.lua -o cil -p PATH_TO_REFPOLICY

To generate policy.conf from CIL:

    ./fpp.lua -i cil -p cil_policy > policy.conf

To generate policy.conf from Refpolicy:

    ./fpp.lua -p PATH_TO_REFPOLICY > policy.conf

Also new with this release is a very rough search capability. So, for example, to find and show the trace for all allow statements where NetworkManager_t has file:read permission on passwd_t, the following command is used:

    ./fpp_search.lua -p ../refpolicy "allow (equal 1 NetworkManager_t)(sub 2 passwd_t)(sub 3 (file (read)))"

With the following output:

    Found matches for: allow (equal 1 NetworkManager_t) (sub 2 passwd_t) (sub 3 ((file (read))))
    |-file ../refpolicy/policy/modules/services/networkmanager.te
    |-module networkmanager
    |-call domain_read_confined_domains_state at Line 100
    |-macro domain_read_confined_domains_state at Line 620 in ../refpolicy/policy/modules/kernel/domain.if
    |-call read_files_pattern at Line 627
    |-macro read_files_pattern at Line 97 in ../refpolicy/policy/support/file_patterns.spt
    \-(allow NetworkManager_t (domain - unconfined_domain_type) (file (read getattr lock ioctl open))) at Line 99

More details can be found in README.

For now, merge_type, clone_type, and add and remove blocks, which were added in the previous release, are not supported. They (or something like them) will be supported again when CIL language transforms are added.

-- 
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
Attachment:
fpp_20110308.tar.bz2
Description: application/bzip-compressed-tar
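As an added illustration, not fpp's own code, the Python below shows how a predicate string in the search syntax from the announcement can be evaluated against an allow rule whose type attributes have already been expanded. The meaning of equal (the field equals the value) and sub (the value is contained in the field) is inferred from the echoed query and the rule it matched; the expanded target set in the sample rule is constructed.

```python
import re

def parse_sexp(text):
    """Parse nested (...) groups into nested Python lists of atoms."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            inner = stack.pop()
            stack[-1].append(inner)
        else:
            stack[-1].append(tok)
    return stack[0]

def as_types(v):
    """Field 1/2 value: a single type name or a (t1 t2 ...) list."""
    return frozenset([v] if isinstance(v, str) else v)

def as_perms(v):
    """Field 3 value: (class (perms)) or ((class (perms)) ...)."""
    pairs = [v] if isinstance(v[0], str) else v
    return {cls: frozenset(perms) for cls, perms in pairs}

def rule_matches(rule, query):
    """rule = (sources, targets, {class: perms}); query = predicate string.
    'equal n x' requires field n to equal x; 'sub n x' requires x to be
    contained in field n (semantics inferred from the post's output)."""
    for op, idx, val in parse_sexp(query):
        n = int(idx)
        if n == 3:
            want, have = as_perms(val), rule[2]
            ok = (want == have if op == "equal" else
                  all(c in have and p <= have[c] for c, p in want.items()))
        else:
            want, have = as_types(val), rule[n - 1]
            ok = want == have if op == "equal" else want <= have
        if not ok:
            return False
    return True

# Constructed sample: the post's final rule after the attribute expression
# (domain - unconfined_domain_type) has been expanded to concrete types.
SAMPLE_RULE = (frozenset({"NetworkManager_t"}),
               frozenset({"passwd_t", "sshd_t", "init_t"}),
               {"file": frozenset({"read", "getattr", "lock", "ioctl", "open"})})

QUERY = "(equal 1 NetworkManager_t)(sub 2 passwd_t)(sub 3 (file (read)))"

if __name__ == "__main__":
    print(rule_matches(SAMPLE_RULE, QUERY))  # True
```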