From 66afa88fd1411ca3999ecca5cf0798fdc2f65813 Mon Sep 17 00:00:00 2001

From: Vit Mojzis <vmojzis@redhat.com>

Date: Wed, 24 Jun 2020 17:49:14 +0200

Subject: [PATCH] Update to work with setools 4.3

* TERules cannot be altered from the outside any more

** Use derive_expanded to perform partial expansion

** Full expansion is now available via TERule.expand()

* "exception" module was moved from policyrep

* "typeattr" module was merged into policyrep

---

 sepolicyanalysis/policy_data_collection.py | 34 ++++------------------

 1 file changed, 6 insertions(+), 28 deletions(-)

diff --git a/sepolicyanalysis/policy_data_collection.py b/sepolicyanalysis/policy_data_collection.py

index 4bf45ce..3e3b9ea 100644

--- a/sepolicyanalysis/policy_data_collection.py

+++ b/sepolicyanalysis/policy_data_collection.py

@@ -51,32 +51,10 @@ def half_expand_rule(rule, expand_source):

 	expansion = rule.source.expand() if expand_source else rule.target.expand()

 	if expand_source:

 		for t in expansion:

-			results.append(setools.policyrep.terule.expanded_te_rule_factory(rule, t, rule.target))

+			results.append(rule.derive_expanded(t, rule.target, rule.perms))

 	else:

 		for t in expansion:

-			results.append(setools.policyrep.terule.expanded_te_rule_factory(rule, rule.source, t))

-	return results

-

-# return set of rules where attributes were replaced by all types with given attribute

-def expand_rule(rule):

-	results = []

-

-	source_exp = rule.source.expand() if is_attribute(rule.source) else [rule.source]

-	target_exp = rule.target.expand() if is_attribute(rule.target) else [rule.target]

-

-	for source in source_exp:

-		for target in target_exp:

-			if isinstance(rule, setools.policyrep.terule.ExpandedTERule):

-				#expanded_te_rule_factory ignores ExpandedTERules (doesn't set new source/target)

-				newrule = setools.policyrep.terule.ExpandedTERule(rule.policy, rule.qpol_symbol)

-				newrule.source = source

-				newrule.target = target

-				nwerule.origin = rule.origin

-

-			else:	

-				newrule = setools.policyrep.terule.expanded_te_rule_factory(rule, source, target)

-			results.append(newrule)

-

+			results.append(rule.derive_expanded(rule.source, t, rule.perms))

 	return results

 # expand all rules in given iterable

@@ -90,7 +68,7 @@ def expand_rules(rules):

 			# discard rules corresponding to unconfined attributes 

 			# TODO: add command line argument that switches this off - i.e. consider unconfined attributes

 			if (not is_unconfined_attr(rule.source)) and (not is_unconfined_attr(rule.target)): 

-				results.extend(expand_rule(rule))

+				results.extend(rule.expand())

 	return results

@@ -223,7 +201,7 @@ def filter_terules_boolean(rules, bool_state = None):

 				# return rules in agreement with boolean settings

 				results.append(rule)

-		except setools.policyrep.exception.RuleNotConditional:

+		except setools.exception.RuleNotConditional:

 			# return all unconditional rules

 			results.append(rule)

@@ -256,12 +234,12 @@ def is_conditional(rule):

 			boolean = str(rule.conditional)

 		return boolean

-	except setools.policyrep.exception.RuleNotConditional:

+	except setools.exception.RuleNotConditional:

 		False

 # is given object of type "TypeAttribute" ?

 def is_attribute(obj):

-	return isinstance(obj, setools.policyrep.typeattr.TypeAttribute)

+	return isinstance(obj, setools.policyrep.TypeAttribute)

 # is given object of type "TypeAttribute" which is considered unconfined ?

 # TODO: refine -- limit to "strong" unconfined domains (associated with lots of privileges)

-- 

2.25.4