Am Do., 28. Mai 2020 um 16:23 Uhr schrieb Stephen Smalley <stephen.smalley.work@xxxxxxxxx>:
>
> On Thu, May 28, 2020 at 8:52 AM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Currently sepolgen-ifgen parses a gen_tunable statement as interface
> > and reports in verbose mode:
> >
> > Missing interface definition for gen_tunable
> >
> > Add grammar for gen_tunable statements in the refparser
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > ---
> > python/sepolgen/src/sepolgen/refparser.py | 14 ++++++++++++++
> > 1 file changed, 14 insertions(+)
> >
> > diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
> > index 2e521a0f..f3e0ae87 100644
> > --- a/python/sepolgen/src/sepolgen/refparser.py
> > +++ b/python/sepolgen/src/sepolgen/refparser.py
> > @@ -126,6 +126,7 @@ tokens = (
> > 'GEN_REQ',
> > 'TEMPLATE',
> > 'GEN_CONTEXT',
> > + 'GEN_TUNABLE',
> > # m4
> > 'IFELSE',
> > 'IFDEF',
> > @@ -192,6 +193,7 @@ reserved = {
> > 'gen_require' : 'GEN_REQ',
> > 'template' : 'TEMPLATE',
> > 'gen_context' : 'GEN_CONTEXT',
> > + 'gen_tunable' : 'GEN_TUNABLE',
> > # M4
> > 'ifelse' : 'IFELSE',
> > 'ifndef' : 'IFNDEF',
> > @@ -518,6 +520,7 @@ def p_policy_stmt(p):
> > | range_transition_def
> > | role_transition_def
> > | bool
> > + | gen_tunable
> > | define
> > | initial_sid
> > | genfscon
> > @@ -844,6 +847,17 @@ def p_bool(p):
> > b.state = False
> > p[0] = b
> >
> > +def p_gen_tunable(p):
> > + '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
> > + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN'''
>
> Looks like you need to also support the case where no quoting is
> performed. Otherwise, I still see syntax errors, e.g.
> /usr/share/selinux/refpolicy/include/services/apache.if: Syntax error
> on line 35 allow_httpd_$1_script_anon_write [type=IDENTIFIER]
>
> 35: gen_tunable(allow_httpd_$1_script_anon_write, false)

I tried to avoid that by modifying Refpolicy[1], but I can include the additional grammar.

[1]: https://github.com/SELinuxProject/refpolicy/pull/201