On Thu, May 28, 2020 at 8:52 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Currently sepolgen-ifgen parses a gen_tunable statement as interface
> and reports in verbose mode:
>
> Missing interface definition for gen_tunable
>
> Add grammar for gen_tunable statements in the refparser
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> python/sepolgen/src/sepolgen/refparser.py | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
> diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
> index 2e521a0f..f3e0ae87 100644
> --- a/python/sepolgen/src/sepolgen/refparser.py
> +++ b/python/sepolgen/src/sepolgen/refparser.py
> @@ -126,6 +126,7 @@ tokens = (
> 'GEN_REQ',
> 'TEMPLATE',
> 'GEN_CONTEXT',
> + 'GEN_TUNABLE',
> # m4
> 'IFELSE',
> 'IFDEF',
> @@ -192,6 +193,7 @@ reserved = {
> 'gen_require' : 'GEN_REQ',
> 'template' : 'TEMPLATE',
> 'gen_context' : 'GEN_CONTEXT',
> + 'gen_tunable' : 'GEN_TUNABLE',
> # M4
> 'ifelse' : 'IFELSE',
> 'ifndef' : 'IFNDEF',
> @@ -518,6 +520,7 @@ def p_policy_stmt(p):
> | range_transition_def
> | role_transition_def
> | bool
> + | gen_tunable
> | define
> | initial_sid
> | genfscon
> @@ -844,6 +847,17 @@ def p_bool(p):
> b.state = False
> p[0] = b
>
> +def p_gen_tunable(p):
> + '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
> + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN'''
Looks like you need to also support the case where no quoting is performed. Otherwise, I still see syntax errors, e.g. /usr/share/selinux/refpolicy/include/services/apache.if: Syntax error on line 35 allow_httpd_$1_script_anon_write [type=IDENTIFIER] 35: gen_tunable(allow_httpd_$1_script_anon_write, false)