Code Overview
=============

The source for Sepolgen is divided into the python library (sepolgen)
and tools (e.g., audit2allow).

The library is structured to give flexibility to the application using
it - it avoids assumptions and close coupling of components where
possible. The audit2allow application demonstrates how to hook the
components together.

There is a test suite in the test subdirectory. The run-tests.py
script will run all of the tests.

The library is divided into several functional areas:

Reference Policy Representation (sepolgen.refpolicy)
-------------------------------------------------------------

Objects for representing policies and the reference policy
interfaces. Includes basic components (security contexts, allow rules,
etc.) and reference policy specific components (interfaces, modules,
etc.).

This representation can be used as output from the parser to represent
the reference policy interfaces. It can also be used to generate
policy by building up the relevant data structures and then outputting
them. See sepolgen.policygen and sepolgen.output for information on how
this can be done.

Access (sepolgen.access, sepolgen.interfaces, sepolgen.matching)
-------------------------------------------------------------

Objects and algorithms for representing access and sets of access in
an abstract way and searching that access. The basic concept is that
of an access vector (source type, target type, object class, and
permissions). These can be grouped into sets without overlapping
access. Access vectors and access vector sets can be matched against
other access vectors - this forms the backbone of how we turn audit
messages into interface calls.

The highest-level form of access is represented in interfaces, which
includes algorithms to turn the raw output of the parser into access
vector sets representing the access allowed by each interface.

Parsing (sepolgen.refparser)
-------------------------------------------------------------

Parser for reference policy "headers" - i.e.,
/usr/share/selinux/devel/include. This uses the LGPL parsing library
[PLY](http://www.dabeaz.com/ply/) which is included in the source
distribution in the files lex.py and yacc.py. It may be necessary to
switch to a more powerful parsing library in the future, but for now
this is fast and easy.

Audit Messages (sepolgen.audit)
-------------------------------------------------------------

Infrastructure for parsing SELinux related messages as produced by the
audit system. This is not a general purpose audit parsing library - it
is only meant to capture SELinux messages - primarily access vector
cache (AVC) messages and policy load messages.

Policy Generation (sepolgen.policygen and sepolgen.output)
-------------------------------------------------------------

Infrastructure for generating policy based on required access. This is
deliberately only loosely coupled to the audit parsing to allow
required accesses to be fed in from anywhere.
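The chain the Access, Audit Messages and Policy Generation sections describe (AVC records parsed into access vectors, grouped into a set with no overlapping access, matched against the access an interface grants, and whatever is left over emitted as raw allow rules) as an added, self-contained Python illustration. It is written for this overview and is not sepolgen's own code: the AccessVector and AccessVectorSet classes, the parse_avc and generate_policy functions, the sample audit records and the simplified access attributed to the interface names files_read_etc_files and corenet_tcp_connect_postgresql_port are all constructed here (the real reference policy interfaces of those names grant more than shown).

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Iterator, List, Set, Tuple


@dataclass(frozen=True)
class AccessVector:
    src: str            # source type
    tgt: str            # target type
    cls: str            # object class
    perms: FrozenSet[str]

    @property
    def key(self) -> Tuple[str, str, str]:
        return (self.src, self.tgt, self.cls)

    def rule(self) -> str:
        # Render as a raw type-enforcement allow rule.
        perms = " ".join(sorted(self.perms))
        return "allow %s %s:%s %s;" % (self.src, self.tgt, self.cls,
                                       perms if len(self.perms) == 1 else "{ %s }" % perms)


# Body of an AVC record as the kernel emits it through the audit system.
AVC_RE = re.compile(r"avc:\s+(?:denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"\bscontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")


def context_type(ctx: str) -> str:
    """A security context is user:role:type[:range]; the type is the third field."""
    fields = ctx.split(":")
    if len(fields) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return fields[2]


def parse_avc(text: str) -> List[AccessVector]:
    """One access vector per AVC record; every other record type is ignored."""
    vectors = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, policy load, etc.: not an AVC message
        vectors.append(AccessVector(context_type(m.group("sctx")), context_type(m.group("tctx")),
                                    m.group("tclass"), frozenset(m.group("perms").split())))
    return vectors


class AccessVectorSet:
    """Access keyed by (src, tgt, cls) so that no two entries overlap."""
    def __init__(self, vectors: Iterable[AccessVector] = ()):
        self._perms: Dict[Tuple[str, str, str], Set[str]] = {}
        for av in vectors:
            self.add(av)

    def add(self, av: AccessVector) -> None:
        self._perms.setdefault(av.key, set()).update(av.perms)

    def __iter__(self) -> Iterator[AccessVector]:
        for key in sorted(self._perms):
            yield AccessVector(*key, frozenset(self._perms[key]))

    def covers(self, av: AccessVector) -> bool:
        """True when this set grants every permission in av."""
        return av.perms <= self._perms.get(av.key, set())

    def uncovered_by(self, other: "AccessVectorSet") -> "AccessVectorSet":
        """The part of self that other does not grant, permission by permission."""
        rest = AccessVectorSet()
        for av in self:
            missing = av.perms - other._perms.get(av.key, set())
            if missing:
                rest.add(AccessVector(av.src, av.tgt, av.cls, frozenset(missing)))
        return rest


def generate_policy(required: AccessVectorSet,
                    interfaces: Dict[str, List[AccessVector]]) -> Tuple[List[str], List[str]]:
    """Call every interface that fully covers some required vector; raw rules for the rest."""
    calls, granted = [], AccessVectorSet()
    for name, template in sorted(interfaces.items()):
        for domain in sorted({av.src for av in required}):
            # "$1" is the interface parameter; instantiate it with the requesting domain.
            ifset = AccessVectorSet(AccessVector(domain if av.src == "$1" else av.src,
                                                 av.tgt, av.cls, av.perms) for av in template)
            if any(ifset.covers(av) for av in required):
                calls.append("%s(%s)" % (name, domain))
                for av in ifset:
                    granted.add(av)
    return calls, [av.rule() for av in required.uncovered_by(granted)]


# Constructed sample audit records (not captured from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1001 comm="httpd" name="config.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { getattr open } for  pid=1001 comm="httpd" path="/etc/config.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1001 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=MAC_POLICY_LOAD msg=audit(1700000000.104:204): policy loaded auid=0 ses=1
type=AVC msg=audit(1700000000.105:205): avc:  denied  { write } for  pid=1001 comm="httpd" name="app.sock" dev="tmpfs" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
"""

# Constructed, simplified access for two refpolicy interface names; "$1" is the caller.
# The real interfaces grant more, which is why the raw-rule fallback only covers
# access that no chosen interface provides.
INTERFACES = {
    "files_read_etc_files": [
        AccessVector("$1", "etc_t", "file", frozenset({"getattr", "open", "read", "ioctl", "lock"})),
        AccessVector("$1", "etc_t", "dir", frozenset({"getattr", "open", "read", "search"}))],
    "corenet_tcp_connect_postgresql_port": [
        AccessVector("$1", "postgresql_port_t", "tcp_socket", frozenset({"name_connect"}))],
}
```

Running `generate_policy(AccessVectorSet(parse_avc(SAMPLE_AUDIT)), INTERFACES)` yields the two interface calls for httpd_t plus one raw rule, `allow httpd_t var_run_t:sock_file write;`, for the access neither interface grants. The two denials against etc_t:file collapse into a single access vector because the set merges permissions per (source, target, class) key; the policy-load record is skipped rather than misparsed, and a malformed security context raises instead of silently producing a wrong type.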

Object Model (sepolgen.objectmodel)
-------------------------------------------------------------

Information about the SELinux object classes. This is semantic
information about the object classes - including information flow. It
is separated to keep the core from being concerned about the details
of the object classes.