Code Overview
=============

The source for Sepolgen is divided into the Python library (sepolgen)
and tools (e.g., audit2allow).

The library is structured to give flexibility to the application using
it - it avoids assumptions and close coupling of components where
possible. The audit2allow application demonstrates how to hook the
components together.

There is a test suite in the test subdirectory. The run-tests.py
script will run all of the tests.

The library is divided into several functional areas:

Reference Policy Representation (sepolgen.refpolicy)
-------------------------------------------------------------

Objects for representing policies and the reference policy
interfaces. Includes basic components (security contexts, allow rules,
etc.) and reference policy specific components (interfaces, modules,
etc.).

This representation can be used as output from the parser to represent
the reference policy interfaces. It can also be used to generate
policy by building up the relevant data structures and then outputting
them. See sepolgen.policygen and sepolgen.output for information on how
this can be done.

Access (sepolgen.access, sepolgen.interfaces, sepolgen.matching)
-------------------------------------------------------------

Objects and algorithms for representing access and sets of access in
an abstract way and searching that access. The basic concept is that
of an access vector (source type, target type, object class, and
permissions). These can be grouped into sets without overlapping
access. Access vectors and access vector sets can be matched against
other access vectors - this forms the backbone of how we turn audit
messages into interface calls.

The highest-level form of access is represented in sepolgen.interfaces,
which also contains the algorithms to turn the raw output of the parser
into access vector sets representing the access allowed by each
interface.
Parsing (sepolgen.refparser)
-------------------------------------------------------------

Parser for reference policy "headers" - i.e.,
/usr/share/selinux/devel/include. This uses the LGPL parsing library
[PLY](http://www.dabeaz.com/ply/) which is included in the source
distribution in the files lex.py and yacc.py. It may be necessary to
switch to a more powerful parsing library in the future, but for now
this is fast and easy.

Audit Messages (sepolgen.audit)
-------------------------------------------------------------

Infrastructure for parsing SELinux related messages as produced by the
audit system. This is not a general purpose audit parsing library - it
is only meant to capture SELinux messages - primarily access vector
cache (AVC) messages and policy load messages.

Policy Generation (sepolgen.policygen and sepolgen.output)
-------------------------------------------------------------

Infrastructure for generating policy based on required access. This is
deliberately only loosely coupled to the audit parsing so that required
access can be fed in from anywhere.

Object Model (sepolgen.objectmodel)
-------------------------------------------------------------

Information about the SELinux object classes. This is semantic
information about the object classes - including information flow. It
is separated to keep the core from being concerned about the details
of the object classes.
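The Access, Audit Messages and Policy Generation sections above describe one pipeline: AVC denials are parsed into access vectors, grouped into a set without overlapping access, matched against the access each interface grants, and turned into interface calls or raw allow rules. The following is an added example that walks through that pipeline end to end; it is not sepolgen's own code and does not use its API. The class and function names, the audit lines (constructed, not captured from a real system) and the `INTERFACES` table (a hand-written stand-in for what sepolgen.interfaces derives from the parsed headers, using reference-policy-style names) are all assumptions made for illustration.

```python
"""Added example, not sepolgen's own code: a miniature of the pipeline
sketched in the overview. parse_avc() stands in for sepolgen.audit,
AccessVectorSet for sepolgen.access, match_interfaces() for
sepolgen.matching and generate_policy() for sepolgen.policygen/output.
All names and the INTERFACES table are assumptions, not sepolgen's API."""
import re
from dataclasses import dataclass

# Constructed audit log. The last line is a policy load notice, not a denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1399554016.241:72): avc:  denied  { read } for  pid=1234 comm="myd" name="passwd" dev="dm-0" ino=131 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1399554016.242:73): avc:  denied  { open } for  pid=1234 comm="myd" path="/etc/passwd" dev="dm-0" ino=131 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1399554017.100:74): avc:  denied  { name_bind } for  pid=1234 comm="myd" src=8080 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1399554017.300:75): avc:  denied  { write } for  pid=1234 comm="myd" name="myd.log" dev="dm-0" ino=942 scontext=system_u:system_r:myd_t:s0 tcontext=system_u:object_r:myd_log_t:s0 tclass=file
type=USER_AVC msg=audit(1399554018.000:76): pid=1 uid=0 msg='avc:  received policyload notice (seqno=3)'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(ctx):
    """user:role:type[:range] -> type; policy rules are written on types."""
    return ctx.split(":")[2]

@dataclass(frozen=True)
class AccessVector:
    src_type: str
    tgt_type: str
    obj_class: str
    perms: frozenset

class AccessVectorSet:
    """Access keyed by (source, target, class); re-adding a key unions perms."""
    def __init__(self):
        self._avs = {}

    def add(self, av):
        key = (av.src_type, av.tgt_type, av.obj_class)
        self._avs[key] = self._avs.get(key, frozenset()) | av.perms

    def __iter__(self):
        for (src, tgt, cls), perms in sorted(self._avs.items()):
            yield AccessVector(src, tgt, cls, perms)

    def covers(self, av):
        # True only if every permission the vector asks for is granted here.
        key = (av.src_type, av.tgt_type, av.obj_class)
        return av.perms <= self._avs.get(key, frozenset())

def parse_avc(text):
    """Collect the access vectors denied in an audit log, merged by key."""
    required = AccessVectorSet()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not a denial (e.g. a policy load notice)
        required.add(AccessVector(context_type(m["scon"]), context_type(m["tcon"]),
                                  m["tclass"], frozenset(m["perms"].split())))
    return required

# Assumed interface table; "$1" is the calling domain, as in reference policy.
INTERFACES = {
    "auth_read_passwd": [AccessVector("$1", "passwd_file_t", "file",
                                      frozenset({"getattr", "open", "read"}))],
    "corenet_tcp_bind_http_cache_port": [AccessVector("$1", "http_cache_port_t",
                                                      "tcp_socket", frozenset({"name_bind"}))],
}

def interface_access(name, src_type):
    """Instantiate an interface's access for a concrete caller type."""
    granted = AccessVectorSet()
    for av in INTERFACES[name]:
        granted.add(AccessVector(src_type, av.tgt_type, av.obj_class, av.perms))
    return granted

def match_interfaces(required):
    """Split required access into interface calls and uncovered vectors.
    Simplification: the first covering interface wins; sepolgen ranks candidates."""
    calls, leftover = [], []
    for av in required:
        hits = [n for n in sorted(INTERFACES) if interface_access(n, av.src_type).covers(av)]
        if hits:
            calls.append(f"{hits[0]}({av.src_type})")
        else:
            leftover.append(av)
    return calls, leftover

def generate_policy(required):
    """Interface calls first, then a raw allow rule for anything no interface
    covers. Raw rules are exactly what the denied process asked for; review them."""
    calls, leftover = match_interfaces(required)
    rules = [f"allow {av.src_type} {av.tgt_type}:{av.obj_class} "
             f"{{ {' '.join(sorted(av.perms))} }};" for av in leftover]
    return "\n".join(calls + rules)

if __name__ == "__main__":
    print(generate_policy(parse_avc(SAMPLE_AUDIT)))
```

Run stand-alone, the script prints two interface calls and one raw allow rule. The two separate passwd denials (read, then open) collapse into a single access vector before matching, which is what lets a single `auth_read_passwd(myd_t)` call cover both; the write to `myd_log_t` has no covering interface and falls through to a raw rule, which is the part of generated policy that deserves a human look before it is loaded.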