-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlD+qZcACgkQrlYvE4MpobPdUgCfbrKolS3XRNBoraZ8Ga4CIgmU Di8An1IJbiGLLki4ZQYViMlVi3K+X3Zh =FEfg -----END PGP SIGNATURE-----
>From cb566e64f85c0f3964f3d94fc126f011d330c1db Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@xxxxxxxxxx>
Date: Wed, 9 Jan 2013 10:15:59 -0500
Subject: [PATCH 83/84] sepolgen: understand role attributes

Parse and handle rele attributes in sepolgen.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 sepolgen/src/sepolgen/refparser.py | 19 +++++++++++++++++++
 sepolgen/src/sepolgen/refpolicy.py | 27 +++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index a4adbd8..7b76261 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -91,8 +91,10 @@ tokens = (
     'CLASS',
     # types and attributes
     'TYPEATTRIBUTE',
+    'ROLEATTRIBUTE',
     'TYPE',
     'ATTRIBUTE',
+    'ATTRIBUTE_ROLE',
     'ALIAS',
     'TYPEALIAS',
     # conditional policy
@@ -153,8 +155,10 @@ reserved = {
     'class' : 'CLASS',
     # types and attributes
     'typeattribute' : 'TYPEATTRIBUTE',
+    'roleattribute' : 'ROLEATTRIBUTE',
     'type' : 'TYPE',
     'attribute' : 'ATTRIBUTE',
+    'attribute_role' : 'ATTRIBUTE_ROLE',
     'alias' : 'ALIAS',
     'typealias' : 'TYPEALIAS',
     # conditional policy
@@ -489,6 +493,7 @@ def p_policy_stmt(p):
                    | avrule_def
                    | typerule_def
                    | typeattribute_def
+                   | roleattribute_def
                    | interface_call
                    | role_def
                    | role_allow
@@ -496,6 +501,7 @@ def p_policy_stmt(p):
                    | type_def
                    | typealias_def
                    | attribute_def
+                   | attribute_role_def
                    | range_transition_def
                    | role_transition_def
                    | bool
@@ -542,6 +548,7 @@ def p_require(p):
     '''require : TYPE comma_list SEMI
                | ROLE comma_list SEMI
                | ATTRIBUTE comma_list SEMI
+               | ATTRIBUTE_ROLE comma_list SEMI
                | CLASS comma_list SEMI
                | BOOL comma_list SEMI
     '''
@@ -727,6 +734,11 @@ def p_attribute_def(p):
     a = refpolicy.Attribute(p[2])
     p[0] = a
 
+def p_attribute_role_def(p):
+    'attribute_role_def : ATTRIBUTE_ROLE IDENTIFIER SEMI'
+    a = refpolicy.Attribute_Role(p[2])
+    p[0] = a
+
 def p_typealias_def(p):
     'typealias_def : TYPEALIAS IDENTIFIER ALIAS names SEMI'
     t = refpolicy.TypeAlias()
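Review bot: The new alternative `| ATTRIBUTE_ROLE comma_list SEMI` in p_require's docstring only widens what the grammar accepts; the body of p_require, which follows the hunk and is not shown, is what turns the keyword in p[1] into a Require node. If that body selects a target set by keyword text (as the parallel TYPE/ROLE/ATTRIBUTE/CLASS/BOOL alternatives suggest), `attribute_role` needs its own branch there too, otherwise a `require { attribute_role x; }` block would parse cleanly and then be silently dropped, which is the kind of failure a later policy diff or a round-trip through to_string would not surface. Please confirm the body handles the new keyword, or extend it in this commit, and add a one-line comment at the alternative, `# attribute_role requirements are handled in the body below`, so the pairing is visible.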
@@ -819,6 +831,13 @@ def p_typeattribute_def(p):
     t.attributes.update(p[3])
     p[0] = t
 
+def p_roleattribute_def(p):
+    '''roleattribute_def : ROLEATTRIBUTE IDENTIFIER comma_list SEMI'''
+    t = refpolicy.RoleAttribute()
+    t.role = p[2]
+    t.roleattributes.update(p[3])
+    p[0] = t
+
 def p_range_transition_def(p):
     '''range_transition_def : RANGE_TRANSITION names names COLON names mls_range_def SEMI
                             | RANGE_TRANSITION names names names SEMI'''
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index 1399225..8ad64a9 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -117,6 +117,10 @@ class Node(PolicyBase):
         """Iterate over all of the TypeAttribute children of this Interface."""
         return itertools.ifilter(lambda x: isinstance(x, TypeAttribute), walktree(self))
 
+    def roleattributes(self):
+        """Iterate over all of the RoleAttribute children of this Interface."""
+        return itertools.ifilter(lambda x: isinstance(x, RoleAttribute), walktree(self))
+
     def requires(self):
         return itertools.ifilter(lambda x: isinstance(x, Require), walktree(self))
 
@@ -356,6 +360,20 @@ class TypeAttribute(Leaf):
     def to_string(self):
         return "typeattribute %s %s;" % (self.type, self.attributes.to_comma_str())
 
+class RoleAttribute(Leaf):
+    """SElinux roleattribute statement.
+
+    This class represents a roleattribute statement.
+    """
+    def __init__(self, parent=None):
+        Leaf.__init__(self, parent)
+        self.role = ""
+        self.roleattributes = IdSet()
+
+    def to_string(self):
+        return "roleattribute %s %s;" % (self.role, self.roleattributes.to_comma_str())
+
+
 class Role(Leaf):
     def __init__(self, parent=None):
         Leaf.__init__(self, parent)
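Review bot: The RoleAttribute docstring in the refpolicy.py hunk at line 360 says the same thing twice and documents neither field; replace it with `"""SELinux roleattribute statement: `role` is the role being extended and `roleattributes` is the IdSet of role attributes it is added to."""` so a reader of to_string knows what the two placeholders are. In the earlier hunk of this file Node gains a `roleattributes()` method while RoleAttribute stores an instance attribute of the same name; that is only harmless if Leaf does not inherit from Node, which this patch does not show, so it is worth a glance at the class hierarchy (TypeAttribute avoids the clash by calling its field `attributes`). In refparser.py, p_roleattribute_def mirrors p_typeattribute_def and looks correct; a one-line comment such as `# roleattribute <role> <attr>[,<attr>...];` above it would document the grammar it implements for readers who do not have the policy language reference at hand.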
@@ -400,6 +418,15 @@ class Attribute(Leaf):
     def to_string(self):
         return "attribute %s;" % self.name
 
+class Attribute_Role(Leaf):
+    def __init__(self, name="", parent=None):
+        Leaf.__init__(self, parent)
+        self.name = name
+
+    def to_string(self):
+        return "attribute_role %s;" % self.name
+
+
 # Classes representing rules
 
 class AVRule(Leaf):
-- 
1.8.1
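Review bot: Attribute_Role has no docstring, unlike RoleAttribute added a few lines earlier in the same file; add `"""SELinux attribute_role declaration; `name` is the role attribute being declared."""` under the class line. The name mixes CamelCase with an underscore, which none of the neighbouring node classes (Attribute, TypeAttribute, RoleAttribute) do; it presumably mirrors the policy keyword, and a short comment saying so, `# named after the attribute_role keyword; referenced by refparser.p_attribute_role_def`, would stop a later rename to AttributeRole from silently breaking the parser. The `name=""` default lets an instance be created with an empty name, which to_string would emit as `attribute_role ;`; that matches how the Attribute class above appears to be built, so I would not change it here, but a check in whatever emits the policy text is the place to catch it.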