Joshua Brindle | 13cd4c8 | 2008-08-19 15:30:36 -0400

Code Overview
=============

The source for Sepolgen is divided into the python library (sepolgen)
and tools (e.g., audit2allow).

The library is structured to give flexibility to the application using
it - it avoids assumptions and close coupling of components where
possible. The audit2allow application demonstrates how to hook the
components together.

There is a test suite in the test subdirectory. The run-tests.py
script will run all of the tests.

The library is divided into several functional areas:

Reference Policy Representation (sepolgen.refpolicy)
-------------------------------------------------------------

Objects for representing policies and the reference policy
interfaces. Includes basic components (security contexts, allow rules,
etc.) and reference policy specific components (interfaces, modules,
etc.).

This representation can be used as output from the parser to represent
the reference policy interfaces. It can also be used to generate
policy by building up the relevant data structures and then outputting
them. See sepolgen.policygen and sepolgen.output for information on how
this can be done.

Access (sepolgen.access, sepolgen.interfaces, sepolgen.matching)
-------------------------------------------------------------

Objects and algorithms for representing access and sets of access in
an abstract way and searching that access. The basic concept is that
of an access vector (source type, target type, object class, and
permissions). These can be grouped into sets without overlapping
access. Access vectors and access vector sets can be matched against
other access vectors - this forms the backbone of how we turn audit
messages into interface calls.

The highest-level form of access is represented in interfaces, which
includes algorithms to turn the raw output of the parser into access
vector sets representing the access allowed by each interface.
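The following is an added illustration of the access vector concepts above; it is not sepolgen's own code and does not use its API. It shows an access vector set that merges vectors with the same (source, target, class) key so entries never overlap, and a matcher that binds an interface's $1 parameter to the source type and reports which interfaces cover each required vector. The interface contents (files_read_etc_files, logging_search_logs) and the required access are constructed for the example and only approximate real reference policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessVector:
    """One unit of access: source type, target type, object class, perms."""
    src_type: str
    tgt_type: str
    obj_class: str
    perms: frozenset


class AccessVectorSet:
    """A set of access vectors with no overlap: one entry per
    (source, target, class), holding the union of the permissions."""

    def __init__(self):
        self._avs = {}

    def add(self, src_type, tgt_type, obj_class, perms):
        key = (src_type, tgt_type, obj_class)
        self._avs[key] = self._avs.get(key, frozenset()) | frozenset(perms)

    def __iter__(self):
        for (s, t, c), p in sorted(self._avs.items()):
            yield AccessVector(s, t, c, p)

    def __len__(self):
        return len(self._avs)

    def covers(self, av):
        """True if this set grants at least av's permissions for av's key."""
        have = self._avs.get((av.src_type, av.tgt_type, av.obj_class), frozenset())
        return av.perms <= have


def match_interfaces(required, interfaces):
    """Map each required access vector to the interfaces whose access,
    with $1 bound to the vector's source type, covers it. Vectors that
    map to an empty list must be expressed as raw allow rules instead."""
    matches = {}
    for av in required:
        found = []
        for name, iface_set in interfaces.items():
            bound = AccessVectorSet()
            for iav in iface_set:
                bound.add(iav.src_type.replace("$1", av.src_type),
                          iav.tgt_type.replace("$1", av.src_type),
                          iav.obj_class, iav.perms)
            if bound.covers(av):
                found.append(name)
        matches[av] = found
    return matches


# Constructed required access, as it might come from AVC denials.
REQUIRED = AccessVectorSet()
REQUIRED.add("httpd_t", "etc_t", "file", ["read"])
REQUIRED.add("httpd_t", "etc_t", "file", ["getattr", "open"])  # merged with the first
REQUIRED.add("httpd_t", "var_log_t", "dir", ["write"])

# Constructed interface access, parameterised on $1 (approximation only).
INTERFACES = {}
INTERFACES["files_read_etc_files"] = AccessVectorSet()
INTERFACES["files_read_etc_files"].add("$1", "etc_t", "file", ["read", "getattr", "open"])
INTERFACES["files_read_etc_files"].add("$1", "etc_t", "dir", ["search"])
INTERFACES["logging_search_logs"] = AccessVectorSet()
INTERFACES["logging_search_logs"].add("$1", "var_log_t", "dir", ["search"])

if __name__ == "__main__":
    for av, names in match_interfaces(REQUIRED, INTERFACES).items():
        print(av, "->", names or "no interface; needs a raw allow rule")
```

The three add() calls collapse to two vectors, and only the etc_t file access is satisfied by an interface; the var_log_t write has no covering interface and would fall through to a plain allow rule.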

Parsing (sepolgen.refparser)
-------------------------------------------------------------

Parser for reference policy "headers" - i.e.,
/usr/share/selinux/devel/include. This uses the LGPL parsing library
[PLY](http://www.dabeaz.com/ply/) which is included in the source
distribution in the files lex.py and yacc.py. It may be necessary to
switch to a more powerful parsing library in the future, but for now
this is fast and easy.

Audit Messages (sepolgen.audit)
-------------------------------------------------------------

Infrastructure for parsing SELinux related messages as produced by the
audit system. This is not a general purpose audit parsing library - it
is only meant to capture SELinux messages - primarily access vector
cache (AVC) messages and policy load messages.

Policy Generation (sepolgen.policygen and sepolgen.output)
-------------------------------------------------------------

Infrastructure for generating policy based on required access. This is
deliberately only loosely coupled to the audit parsing to allow
required accesses to be fed in from anywhere.
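As an added example serving both the Audit Messages and Policy Generation sections (not sepolgen's code, and independent of its API), the block below parses constructed AVC denial and policy load records into required access, then emits allow rules and a minimal module in the style audit2allow prints. The audit lines, PIDs, inode numbers and the module name "local" are made up; the loose coupling the section describes is mirrored by having the generator take a plain dictionary of required access rather than the parser object.

```python
import re

# Constructed sample audit records (not captured from a real system).
# A policy load sits between the first denial and the later ones so the
# "only denials since the last policy load" filter has something to drop.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1219173036.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="passwd" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1219173040.000:46): policy loaded auid=0 ses=1
type=AVC msg=audit(1219173050.001:47): avc:  denied  { getattr open } for  pid=1234 comm="httpd" path="/etc/passwd" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1219173051.002:48): avc:  denied  { write } for  pid=1234 comm="httpd" name="httpd" dev=sda1 ino=91 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1219173052.003:49): avc:  granted  { load_policy } for  pid=99 comm="load_policy" scontext=unconfined_u:unconfined_r:load_policy_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Only the fields an allow rule needs: result, permission set, both
# contexts and the object class. Everything between is skipped.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:mls range] -> type (the MLS part may contain ':' too)."""
    return ctx.split(":")[2]


def parse_avc(text, last_load_only=True):
    """Collect denied access as {(src_type, tgt_type, class): set(perms)}.
    With last_load_only, denials recorded before the most recent policy
    load are discarded, since they were judged against an older policy."""
    access = {}
    for line in text.splitlines():
        if "type=MAC_POLICY_LOAD" in line:
            if last_load_only:
                access.clear()
            continue
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue  # ignore non-AVC lines and 'granted' records
        key = (context_type(m.group("scon")), context_type(m.group("tcon")), m.group("tclass"))
        access.setdefault(key, set()).update(m.group("perms").split())
    return access


def perm_string(perms):
    """Single permission bare, several in braces, always sorted."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(access):
    """One allow rule per (source, target, class) entry."""
    return ["allow %s %s:%s %s;" % (s, t, c, perm_string(p))
            for (s, t, c), p in sorted(access.items())]


def policy_module(name, access):
    """A loadable-module skeleton: header, require block, allow rules."""
    types = sorted({t for key in access for t in key[:2]})
    classes = {}
    for (_, _, c), p in access.items():
        classes.setdefault(c, set()).update(p)
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, perm_string(classes[c])) for c in sorted(classes)]
    lines += ["}", ""] + allow_rules(access)
    return "\n".join(lines)


if __name__ == "__main__":
    print(policy_module("local", parse_avc(SAMPLE_AUDIT)))
```

Run with the sample, the first read denial is dropped by the policy load filter and the granted record is ignored, leaving two allow rules; passing last_load_only=False keeps the earlier denial and merges read into the etc_t file rule.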