List: selinux
Subject: XML Policy Files
From: "Mark Westerman" <mark.westerman () westcam ! com>
Date: 2002-12-23 21:30:45
To All:
This is the XML policy work that has been completed so far by Westcam. The real
examination by outside parties needs to be of selinux-schema.xsd; this will be
the basis of our work. Any policy XML file that conforms to selinux-schema.xsd should
work with any XML-policy-enabled program.
files:
Makefile used to build the te2xml program
te2xml-main.c The main program.
te2xml.l Lex scanner (unmodified policy_parse.l)
te2xml.y Bison grammar file that outputs the XML policy file
selinux-schema.xsd Policy XML Schema file
rulefiletxt.xsl XSLT style sheet that converts an XML policy
file to te files.
External:
I use xerces-2.1.0 and Xalan-1.4 for verification of the programs, schema and
XSLT style sheets. PParse is from the xerces-2.1.0 sample programs.
Verification process used after makes
"You will have to modify the te2xml-main.c to point to the location of
the schema file"
cp <your policy.conf file> .
./te2xml policy.conf > policy.xml
PParse -n -v=always -s policy.xml
Xalan -o policy-xml.conf policy.xml rulefiletxt.xsl
checkpolicy -o policy.12 policy.conf
checkpolicy policy-xml.12 policy-xml.conf
md5sum policy.12 policy-xml.12
The md5sums of policy.12 and policy-xml.12 were the same. This is the
initial verification that the whole transformation process works.
TODO:
add -s <schema> to te2xml-main so the location of the
schema file can be specified
add (fix) -o so an output filename can be input for
te2xml-main.
Build a style sheet that will build a policy.xml from many different
files.
Currently MACROS ARE NOT SUPPORTED !!!!!!!!
Currently MLS IS NOT FULLY SUPPORTED !!!!!!!!
Feedback is much appreciated
Mark Westerman
PS: A graphical documentation of the schema will be posted somewhere
soon.
["Makefile" (application/octet-stream)]
["rulefiletxt.xsl" (text/xml)]
<?xml version="1.0" encoding="UTF-8"?>
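<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:fo="http://www.w3.org/1999/XSL/Format">
<!--
  rulefiletxt.xsl: renders a <rulefile> document produced by te2xml back
  into policy.conf (.te) text.  The output method is "text", so the literal
  <dt> elements below produce nothing; only value-of and text content reach
  the output.

  Two whitespace facts this sheet depends on:
  - A newline written literally inside a select="'...'" attribute is
    normalised to a space by the XML parser, so those separators are
    spaces, not line breaks.
  - The line break between statements comes from the xsl:text in the
    "main" template, emitted once per child node of the rulefile.

  Text output is not escaped, so element content is copied into the policy
  verbatim.  The '#' comment lines neutralise embedded line breaks (see the
  "comment" and "rulefile" templates); identifiers are assumed to be
  constrained by selinux-schema.xsd to single policy tokens. Verify there.
-->
<xsl:output method="text"/>
<!-- Root: emit the file header, then walk the rulefile children. -->
<xsl:template match="/">
<xsl:apply-templates select="rulefile"/>
<xsl:for-each select="rulefile">
<xsl:call-template name="main">
<xsl:with-param name="topnode" select="current()"/>
</xsl:call-template>
</xsl:for-each>
</xsl:template>
<!-- Dispatch one statement per child element; "commentgroup" recurses
     into this template.  The topnode parameter is accepted from the
     callers but not read here. -->
<xsl:template name="main">
<xsl:param name="topnode" select="node()"/>
<xsl:for-each select="node()">
<dt>
<xsl:choose>
<xsl:when test="name() = 'genfscon' or
name() = 'fs_use_psid' or
name() = 'fs_use_trans' or
name() = 'fs_use_task' or
name() = 'nodecon' or
name() = 'dontaudit' or
name() = 'auditdeny' or
name() = 'auditallow' or
name() = 'allow' or
name() = 'neverallow' or
name() = 'netifcon' or
name() = 'portcon' or
name() = 'fscon' or
name() = 'sid' or
name() = 'classrule' or
name() = 'comment' or
name() = 'common' or
name() = 'sensitivity' or
name() = 'dominance' or
name() = 'category' or
name() = 'level' or
name() = 'attribute' or
name() = 'type' or
name() = 'type_transition' or
name() = 'type_member' or
name() = 'type_change' or
name() = 'role' or
name() = 'user' or
name () = 'constrain'
">
<xsl:apply-templates select="current()"/>
</xsl:when>
<xsl:when test="name() = 'commentgroup'">
<xsl:apply-templates select="comment"/>
<xsl:call-template name="main">
<!-- Was "topenode": a with-param naming an undeclared parameter is
     silently dropped, so the typo never surfaced. -->
<xsl:with-param name="topnode" select="current()"/>
</xsl:call-template>
</xsl:when>
<xsl:otherwise/>
</xsl:choose>
<!-- One line break per node.  Moved out of xsl:choose, whose XSLT 1.0
     content model allows only xsl:when and xsl:otherwise.  The '#'
     comment lines need this break: their own trailing separator is an
     attribute newline, which the XML parser normalises to a space. -->
<xsl:text>
</xsl:text>
</dt>
</xsl:for-each>
</xsl:template>
<!-- type_transition | type_member | type_change source target : class type ; -->
<xsl:template match="type_transition | type_member | type_change">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="source"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="target"/>
<xsl:if test="count(class) > 0">
<xsl:value-of select="': '"/>
</xsl:if>
<xsl:apply-templates select="class"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- common name { perms } -->
<xsl:template match="common">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="identifier"/>
<xsl:value-of select="' '"/>
<xsl:if test="count(permbase) > 0">
<xsl:apply-templates select="permbase"/>
</xsl:if>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- constrain class perms expression ; -->
<xsl:template match="constrain">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="class"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="perms"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="cexpr"/>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- Constraint expression: parenthesised groups, primitives, or/and. -->
<xsl:template match="cexpr">
<xsl:for-each select="node()">
<xsl:if test="name()='parengroup'">
<xsl:value-of select="' ( '"/>
<xsl:apply-templates select="cexpr"/>
<xsl:value-of select="' ) '"/>
</xsl:if>
<xsl:if test="name()='cexprprim'">
<xsl:apply-templates select="current()"/>
</xsl:if>
<xsl:if test="name()='or'">
<xsl:value-of select="' or '"/>
</xsl:if>
<xsl:if test="name()='and'">
<xsl:value-of select="' and '"/>
</xsl:if>
</xsl:for-each>
</xsl:template>
<xsl:template match="or | and ">
<xsl:value-of select="name()"/>
</xsl:template>
<!-- Constraint primitive: the operands are emitted by element name,
     operators via the op/roleop templates. -->
<xsl:template match="cexprprim">
<xsl:for-each select="node()">
<xsl:choose>
<xsl:when test="name() = 'op'">
<xsl:apply-templates select="current()"/>
</xsl:when>
<xsl:when test="name() = 'or'">
<xsl:value-of select="'or'"/>
</xsl:when>
<xsl:when test="name() = 'and'">
<xsl:value-of select="'and'"/>
</xsl:when>
<xsl:when test="name() = 'roleop'">
<xsl:apply-templates select="current()"/>
</xsl:when>
<xsl:when test="name() = 'names'">
<xsl:value-of select="' '"/>
<xsl:apply-templates select="current()"/>
<xsl:value-of select="' '"/>
</xsl:when>
<xsl:otherwise>
<xsl:value-of select="' '"/>
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
</xsl:template>
<!-- Role operator: delegates to op when present, otherwise emits the
     comparison itself or the child's name (e.g. dom/domby/incomp). -->
<xsl:template match="roleop">
<xsl:if test="count(op) > 0 ">
<xsl:apply-templates select="op"/>
</xsl:if>
<xsl:if test="count(op) = 0">
<xsl:value-of select="' '"/>
<xsl:for-each select="node()">
<xsl:choose>
<xsl:when test="name()='equal'">
<xsl:value-of select="' == '"/>
</xsl:when>
<xsl:when test="name()='notequal'">
<xsl:value-of select="' != '"/>
</xsl:when>
<xsl:otherwise>
<xsl:value-of select="name()"/>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
<xsl:value-of select="' '"/>
</xsl:if>
</xsl:template>
<!-- == / != -->
<xsl:template match="op">
<xsl:for-each select="node()">
<xsl:value-of select="' '"/>
<xsl:if test="name() = 'equal'">
<xsl:value-of select="' == '"/>
</xsl:if>
<xsl:if test="name()='notequal'">
<xsl:value-of select="' != '"/>
</xsl:if>
<xsl:value-of select="' '"/>
</xsl:for-each>
</xsl:template>
<!-- role name types {...} ;  /  user name roles {...} ; -->
<xsl:template match="role | user">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:if test="name() = 'role'">
<xsl:value-of select="' types '"/>
<xsl:apply-templates select="types"/>
</xsl:if>
<xsl:if test="name()= 'user'">
<xsl:value-of select="' roles '"/>
<xsl:apply-templates select="roles"/>
</xsl:if>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- type name [alias ...] [, attr ...] ;  The first child is the type
     name, an alias element is expanded in place, remaining identifiers
     are the comma-separated attributes. -->
<xsl:template match="type">
<xsl:for-each select="node()">
<xsl:choose >
<xsl:when test="position() = 1">
<xsl:value-of select="'type '"/>
<xsl:value-of select="node()"/>
<xsl:value-of select="' '"/>
</xsl:when>
<xsl:when test="name() = 'alias'">
<xsl:if test="count(identifier) > 1 ">
<xsl:value-of select="'alias { '"/>
</xsl:if>
<xsl:if test="count(identifier) = 1 ">
<xsl:value-of select="'alias '"/>
</xsl:if>
<xsl:for-each select="node()">
<xsl:value-of select="node()"/>
<xsl:value-of select="' '"/>
</xsl:for-each>
<xsl:if test="count(identifier) > 1 ">
<xsl:value-of select="' } '"/>
</xsl:if>
</xsl:when>
<xsl:when test="position() != last()">
<xsl:if test="name() = 'identifier'">
<xsl:if test="position() != 2">
<xsl:value-of select="', '"/>
</xsl:if>
<xsl:value-of select="node()"/>
</xsl:if>
</xsl:when>
</xsl:choose>
</xsl:for-each >
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- attribute name ; -->
<xsl:template match="attribute">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:for-each select="node()">
<xsl:value-of select="node()"/>
</xsl:for-each>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- level sens[:cat ,cat ...] ; -->
<xsl:template match="level">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier[1]"/>
<xsl:value-of select="' '"/>
<xsl:if test="count(identifier) > 1">
<xsl:value-of select="':'"/>
<xsl:for-each select="identifier">
<xsl:if test="position() > 1">
<xsl:value-of select="node()"/>
<xsl:if test="position() != last()">
<xsl:value-of select="' ,'"/>
</xsl:if>
</xsl:if>
</xsl:for-each>
</xsl:if>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- dominance { ... } -->
<xsl:template match="dominance">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="identifier"/>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- sensitivity | category name [alias ...] ; -->
<xsl:template match="sensitivity | category">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:value-of select="' '"/>
<xsl:if test="count(alias) > 0">
<xsl:value-of select="' alias '"/>
<xsl:apply-templates select="alias"/>
</xsl:if>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- netifcon ifname if_context packet_context -->
<xsl:template match="netifcon">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context[1]"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context[2]"/>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- portcon proto port[-port] context -->
<xsl:template match="portcon">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="number[1]"/>
<xsl:if test="count(number) > 1">
<xsl:value-of select="'-'"/>
<xsl:value-of select="number[2]"/>
</xsl:if>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context"/>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- sid name [context] -->
<xsl:template match="sid">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:if test="count(security_context) > 0">
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context"/>
</xsl:if>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- class name [inherits common] [{ perms }] -->
<xsl:template match="classrule">
<xsl:value-of select="'class'"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:if test="count(inherits) > 0">
<xsl:value-of select="' '"/>
<xsl:apply-templates select="inherits"/>
</xsl:if>
<xsl:if test="count(permbase) > 0">
<xsl:apply-templates select="permbase"/>
</xsl:if>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- { perm perm ... } block for class/common. -->
<xsl:template match="permbase">
<xsl:value-of select="'
'"/>
<xsl:value-of select="'{'"/>
<xsl:value-of select="'
'"/>
<xsl:for-each select="identifier">
<xsl:value-of select="' '"/>
<xsl:value-of select="node()"/>
<xsl:value-of select="'
'"/>
</xsl:for-each>
<xsl:value-of select="'}'"/>
<xsl:value-of select="'
'"/>
</xsl:template>
<xsl:template match="inherits">
<xsl:value-of select="'
'"/>
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
</xsl:template>
<!-- '#' comment line.  CR and LF inside the comment text are replaced by
     spaces so the text cannot run past the comment marker onto a new line
     that checkpolicy would read as a policy statement. -->
<xsl:template match="comment">
<xsl:value-of select="'# '"/>
<xsl:value-of select="translate(node(), '&#10;&#13;', '  ')"/>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- fscon major minor context context -->
<xsl:template match="fscon">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="number[1]"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="number[2]"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context[1]"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context[2]"/>
</xsl:template>
<!-- nodecon addr mask context -->
<xsl:template match="nodecon">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="ip4address"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="ip4mask"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context"/>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- genfscon fstype path [-filetype] context -->
<xsl:template match="genfscon">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="identifier"/>
<xsl:value-of select="' '"/>
<xsl:value-of select="path"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="file_type"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context"/>
<xsl:value-of select="'
'"/>
</xsl:template>
<!-- fs_use_psid fstype ; -->
<xsl:template match="fs_use_psid">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="identifier"/>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- fs_use_trans | fs_use_task fstype context ; -->
<xsl:template match="fs_use_trans | fs_use_task">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="identifier"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="security_context"/>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<xsl:template match="identifier">
<xsl:value-of select="node()"/>
</xsl:template>
<!-- Name sets: optional ~ for a <not> child, braces when more than one
     identifier, * for <any>. -->
<xsl:template match="source| target | class | permission | alias | types | roles | perms | names ">
<xsl:if test="count(not) > 0">
<xsl:value-of select="'~'"/>
</xsl:if>
<xsl:if test="count(identifier) > 1">
<xsl:value-of select="'{'"/>
<xsl:value-of select="' '"/>
</xsl:if>
<xsl:for-each select="node()">
<xsl:value-of select="node()"/>
<xsl:if test="position() != last()">
<xsl:value-of select="' '"/>
</xsl:if>
<xsl:if test="name() = 'any'">
<xsl:value-of select="'*'"/>
</xsl:if>
</xsl:for-each>
<xsl:if test="count(identifier) > 1">
<xsl:value-of select="'}'"/>
</xsl:if>
</xsl:template>
<!-- Body of a negated set; the ~ itself is emitted by the parent. -->
<xsl:template match="not">
<xsl:if test="count(identifier) > 1">
<xsl:value-of select="'{'"/>
<xsl:value-of select="' '"/>
</xsl:if>
<xsl:for-each select="node()">
<xsl:value-of select="node()"/>
<xsl:if test="position() != last()">
<xsl:value-of select="' '"/>
</xsl:if>
<xsl:if test="name() = 'any'">
<xsl:value-of select="'*'"/>
</xsl:if>
</xsl:for-each>
<xsl:if test="count(identifier) > 1">
<xsl:value-of select="'}'"/>
</xsl:if>
</xsl:template>
<!-- AV rules: allow source target : class perms ; -->
<xsl:template match="allow | auditdeny | dontaudit | auditallow | neverallow">
<xsl:value-of select="name()"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="source"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="target"/>
<xsl:if test="count(class) > 0">
<xsl:value-of select="': '"/>
</xsl:if>
<xsl:apply-templates select="class"/>
<xsl:value-of select="' '"/>
<xsl:apply-templates select="permission"/>
<xsl:value-of select="' ;
'"/>
</xsl:template>
<!-- genfscon file type flag: "-" followed by the child's name, or "--"
     for <any>. -->
<xsl:template match="file_type">
<xsl:value-of select="'-'"/>
<xsl:for-each select="node()">
<xsl:choose>
<xsl:when test="name()='any'">
<xsl:value-of select="'-'"/>
</xsl:when>
<xsl:otherwise>
<xsl:value-of select="name()"/>
</xsl:otherwise>
</xsl:choose>
</xsl:for-each>
</xsl:template>
<!-- user:role:type[:range] from the identifier children. -->
<xsl:template match="security_context" name="security_context">
<xsl:for-each select="identifier">
<xsl:value-of select="node()"/>
<xsl:if test="position() != last()">
<xsl:value-of select="':'"/>
</xsl:if>
</xsl:for-each>
</xsl:template>
<!-- File header block.  Same CR/LF neutralisation as "comment": these
     values also land on '#' lines. -->
<xsl:template match="rulefile" name="rulefile">
#
# File: <xsl:value-of select="translate(@filename, '&#10;&#13;', '  ')"/>
# Author: <xsl:value-of select="translate(fileinfo/author, '&#10;&#13;', '  ')"/>
#
# Information: <xsl:value-of select="translate(fileinfo/comment, '&#10;&#13;', '  ')"/>
#
</xsl:template>
</xsl:stylesheet>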
["selinux-schema.xsd" (application/octet-stream)]
["te2xml-main.c" (application/octet-stream)]
/*
*
* This file is a portion of the xml-selinux project
*
* Copyright (C) 1999-2002 Westcam, Inc. All Rights Reserved.
* Distributed under GPL version 2.
*
* Author: Mark Westerman <mark.westerman@westcam.com>
*
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <getopt.h>
/* getopt(3) state; also declared by <unistd.h>/<getopt.h> above. */
extern char *optarg;
extern int optind;
/* Lex input stream, assigned by main() before yyparse() is called. */
extern FILE *yyin;
/* Parser entry point generated from te2xml.y. */
extern int yyparse(void);
/* Lex buffer reset; declared here but not called in this file. */
extern void yyrestart(FILE *);
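/*
 * Print the command-line synopsis and exit with status 1.
 *
 * The message goes to stderr: stdout carries the generated XML and is
 * normally redirected to a file, so a usage message written there would
 * end up inside the output document.
 *
 * @param progname  argv[0], echoed in the message
 */
void usage(char *progname)
{
	fprintf(stderr,
		"usage: %s [-o output_file] [-s schema_file] [input_file]\n",
		progname);
	exit(1);
}

/*
 * Write s to out as the body of a double-quoted XML attribute, replacing
 * the five characters XML does not allow literally in that position with
 * their predefined entities.  Both attribute values written by main() come
 * from the command line, so without this a file name containing '"', '<'
 * or '&' would yield a document that is not well-formed (or, with '"',
 * one whose attribute structure differs from what was requested).
 *
 * @param s    NUL-terminated text to write
 * @param out  stream to write to
 */
static void fput_xml_attr(const char *s, FILE *out)
{
	for (; *s != '\0'; s++) {
		switch (*s) {
		case '&':
			fputs("&amp;", out);
			break;
		case '<':
			fputs("&lt;", out);
			break;
		case '>':
			fputs("&gt;", out);
			break;
		case '"':
			fputs("&quot;", out);
			break;
		case '\'':
			fputs("&apos;", out);
			break;
		default:
			fputc(*s, out);
			break;
		}
	}
}

/*
 * te2xml entry point: feed a policy.conf-style file (or stdin) through the
 * lex/yacc front end and wrap the parser's output in a <rulefile> document.
 *
 * Options:
 *   -o output_file  write the document there instead of stdout
 *   -s schema_file  value for xsi:noNamespaceSchemaLocation
 *                   (default: /root/xml-selinux/selinux-schema.xsd)
 *
 * @return 0 on success; 1 on a usage, open, parse or write error
 */
int main(int argc, char **argv)
{
	const char *outfile = NULL;
	/* Default is the location that used to be hard-coded; -s overrides. */
	const char *schema = "/root/xml-selinux/selinux-schema.xsd";
	const char *file = NULL;
	const char *rootnode;
	int ch;
	int rc;

	/* getopt() returns int; keeping it in a char makes the -1 test fail
	 * where char is unsigned.  "o:" / "s:" declare the option arguments;
	 * the old "o" string did not, so optarg was always NULL for -o. */
	while ((ch = getopt(argc, argv, "o:s:")) != -1) {
		switch (ch) {
		case 'o':
			outfile = optarg;
			break;
		case 's':
			schema = optarg;
			break;
		default:
			usage(argv[0]);
		}
	}
	if (optind != argc) {
		file = argv[optind++];
		if (optind != argc)
			usage(argv[0]);
	}

	if (file == NULL) {
		rootnode = "stdin";
		yyin = stdin;
	} else {
		yyin = fopen(file, "r");
		if (!yyin) {
			fprintf(stderr, "%s: unable to open %s\n", argv[0], file);
			exit(1);
		}
		rootnode = file;
	}

	/* The parser writes the rule elements between the header and footer
	 * printed below, so it shares stdout; redirecting stdout is the one
	 * way to honour -o without changing te2xml.y. */
	if (outfile != NULL && freopen(outfile, "w", stdout) == NULL) {
		fprintf(stderr, "%s: unable to create %s\n", argv[0], outfile);
		exit(1);
	}

	printf("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n");
	printf("<!-- Created by te2xml Copywrite Westcam. Inc. Licensed under GPL -->\n");
	printf("<rulefile xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" "
	       "xsi:noNamespaceSchemaLocation=\"");
	fput_xml_attr(schema, stdout);
	printf("\" filename=\"");
	fput_xml_attr(rootnode, stdout);
	printf("\">\n");

	/* yacc convention: non-zero means a syntax error was reported. */
	rc = yyparse();

	/* Only close what this function opened; stdin stays untouched. */
	if (yyin != stdin)
		fclose(yyin);
	printf("</rulefile>\n");

	/* With -o the document is a real file: report a failed write rather
	 * than leave a truncated file behind with exit status 0. */
	if (fflush(stdout) != 0 || ferror(stdout)) {
		fprintf(stderr, "%s: error writing output\n", argv[0]);
		return 1;
	}
	return rc != 0;
}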
/* FLASK */
["te2xml.l" (application/octet-stream)]
["te2xml.y" (application/octet-stream)]
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.