This repository has been archived by the owner on Jun 18, 2018. It is now read-only.

setools: APOL Add default_objects and CIL policy namespaces tabs
Add support for default_object rules and displaying CIL namespaces
with any users, roles, types, classes, booleans, sens & cats declared.

Fixed generating file index on File Contexts tab where it would hang
forever if broken links/files (mainly when generating indexes for Android)

Also enhanced the previous features in te_rules and types tabs.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
stevedlawrence committed Apr 25, 2014
1 parent 0aa68c9 commit eefba53
Showing 28 changed files with 1,543 additions and 72 deletions.
26 changes: 26 additions & 0 deletions ChangeLog
@@ -1,3 +1,29 @@
2014-04-14 Richard Haines <richard_c_haines@btinternet.com>

* Updates to apol and the libapol/libqpol libraries to support
new policy statements and rules to version 29 (Note the features
for loading source code (policy.conf etc.) have not been updated
to support the new statements and rules.
These are the enhancements and bug fixes:
* Add permissive type and typebound support to Types tab.
* Add new Constraints tab to search all constraint statements.
* Add new Bounds tab to search for userbound, rolebound and
typebound statements.
* Add new policy capabilities tab.
* Add filename type_transition support on TE Rules tab.
* Add new Default Object tab to support defaultuser, defaultrole,
defaulttype and defaultrange rules.
* Add new Namespaces tab to list CIL namespaces. This will also
show any users, roles, types, classes, booleans, sensitivities
and categories declared in each namespace.
* Update Query/Policy Summary page to show the number of new
rules added plus the policy handle_unknown flag.
* Fixed File Contexts tab to stop hang when building the fc
index when broken links/files found (libsefs).
* Fixed Booleans tab to display CIL namespace booleans.
* Updated apol_help.txt to reflect the changes made plus how to
load the running policy.

2014-01-16 Chris PeBenito <cpebenito@tresys.com>
* Fix bug preventing sediffx from starting.
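Review bot: The parenthesis opened at "(Note the features" in the first bullet of the new ChangeLog entry is never closed, so the caveat about source policies runs straight into "These are the enhancements and bug fixes:". Close it after "rules." and keep the caveat as its own sentence, since it tells users that loading policy.conf does not cover the version 29 statements listed underneath.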

2 changes: 2 additions & 0 deletions apol/Makefile.am
Expand Up @@ -35,6 +35,7 @@ EXTRA_DIST = \
constraints_tab.tcl \
context_dialog.tcl \
context_selector.tcl \
default_objects_tab.tcl \
directflow_module.tcl \
domaintrans_module.tcl \
file_contexts_tab.tcl \
Expand All @@ -45,6 +46,7 @@ EXTRA_DIST = \
initial_sids_tab.tcl \
level_dialog.tcl \
mls_tab.tcl \
namespaces_tab.tcl \
netcontexts_tab.tcl \
open_policy_dialog.tcl \
perms_map.tcl \
35 changes: 32 additions & 3 deletions apol/apol_help.txt
Expand Up @@ -29,7 +29,7 @@ not report line numbers when searching monolithic binary polices.

Apol provides compatibility with the current and previous policy
syntax. It supports analysis of monolithic policy versions 12 to the
current version 21 and modular policy versions 5 and 6.
current version 29 and modular policy versions to 17.

See setools/ChangeLog for a list of new features in this release. See
setools/KNOWN_BUGS for a list of current bugs.
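Review bot: "modular policy versions to 17" drops the lower bound that the replaced line gave ("modular policy versions 5 and 6"), so the supported range for modular policies is no longer stated. Give both ends of the range, in the same form as the monolithic "versions 12 to the current version 29".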
Expand All @@ -40,7 +40,12 @@ Menus
Use 'Open' from the File menu to open a valid policy. The policy may
be monolithic or be composed of a base linked with multiple modules.
Only one policy can be open at a time; opening a second policy will
result in the first being closed.
result in the first being closed. Note: If the kernel supports reading
the currently loaded policy, then select "monolithic" and set the
"Policy filename" path to either:
/selinux/policy
or
/sys/fs/selinux/policy

The Query menu allows the user to save or load a query for a TE Rules
search or for an analysis module listed on the Analysis tab. Saving a
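Review bot: The note added to the 'Open' paragraph lists /selinux/policy and /sys/fs/selinux/policy without saying when each applies. State that the file is the "policy" node under wherever selinuxfs is mounted on the running system, and mention that the user needs permission to read the loaded policy, so that a failed open can be traced to either the path or the access check.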
Expand Down Expand Up @@ -85,6 +90,8 @@ relate the core components of an SELinux policy.
to search for types and/or attributes using a POSIX-style regular
expression.

Permissive and bound types may also be searched.

Classes/Perms tab
-----------------
Use the Classes/Perms tab to view and search object classes, common
Expand Down Expand Up @@ -149,6 +156,23 @@ relate the core components of an SELinux policy.
Select the FS Contexts tab to search filesystem-based contexts
(fs_use_ and genfscon statements) defined in the policy.

Policy Capabilities tab
---------------
Select the Policy Capabilities tab to display policy capabilities
defined in the policy.

Policy Namespaces tab
---------------
Select the Policy Namespaces tab to display the namespaces defined
in the policy. For policies with a single namespace there will be
one namespace displayed: "GLOBAL-NS". For policies that can define
multiple namespaces (e.g CIL), all namespaces will be displayed
including "GLOBAL-NS".
If the namespace entry is double clicked then a list of Users, Roles,
Types, Attributes, Classes and Booleans applicable to that namespace
will be displayed (also if MLS enabled the Sensitivities and
Categories will also be shown).


Policy Rules tabs
-----------------
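Review bot: No help section for the new Default Object tab appears in this or any other apol_help.txt hunk shown, although the ChangeLog entry in the same commit lists that tab and says the help text was updated to reflect the changes. Add a "Default Objects tab" section next to these two. In the sections that are added, the "---------------" underlines are shorter than the "Policy Capabilities tab" and "Policy Namespaces tab" headings, unlike the existing "Classes/Perms tab" heading whose underline matches its length; "(e.g CIL)" is missing the period after "e.g"; and the last sentence uses "also" twice ("also if MLS enabled ... will also be shown").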
Expand Down Expand Up @@ -326,13 +350,18 @@ rules in a policy based on selected search criteria.

Range Transition Rules tab
--------------------------
Select the Range Transition Rules tab to search to search
Select the Range Transition Rules tab to search for
range_transition rules by source and target types and by the MLS
range. There are three options when searching for ranges; find
exact matches to the entered range, find rules that have ranges
that contain the entered range, or find rules that have ranges
within the entered range.

Bounds Rules tab
--------------------------
Select the Bounds Rules tab to search for userbound, rolebound or
typebound rules by parent or child types.


File Contexts tab
-----------------
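Review bot: In the new "Bounds Rules tab" section, "by parent or child types" only fits typebound; for userbound and rolebound the parent and child are users and roles. Reword to something like "by parent or child user, role or type". The underline under the heading also looks copied from "Range Transition Rules tab" and is longer than "Bounds Rules tab".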
3 changes: 0 additions & 3 deletions apol/bounds_tab.tcl
Expand Up @@ -95,7 +95,6 @@ proc Apol_Bounds::close {} {

proc Apol_Bounds::getTextWidget {} {
variable widgets
# return $widgets(results).tb
}

#### private functions below ####
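Review bot: With the commented-out "# return $widgets(results).tb" removed, Apol_Bounds::getTextWidget consists only of "variable widgets" and returns an empty result. Either return the tab's results text widget or add a comment saying that this tab deliberately exposes none, so a caller that expects a widget path is not handed an empty string without explanation.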
Expand Down Expand Up @@ -237,7 +236,6 @@ proc Apol_Bounds::_toggleCheckbutton {cb w name1 name2 ops} {
}
}


# callback invoked when the user changes which Bounds rule to search
proc Apol_Bounds::_ruleChanged {name1 name2 ops} {
variable vals
Expand All @@ -256,7 +254,6 @@ proc Apol_Bounds::_searchBounds {} {
return
}


if {$vals(rule_selection) == "user"} {
Apol_Bounds::_searchUserBounds
return
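Review bot: The only change in this hunk of Apol_Bounds::_searchBounds, like the one before "# callback invoked when the user changes which Bounds rule to search", is the removal of a blank line, and bounds_tab.tcl is not mentioned in the commit message. Consider moving this whitespace cleanup into a separate commit so the 28-file feature change is easier to audit.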
