• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Code Overview
2=============
3
4The source for Sepolgen is divided into the python library (sepolgen)
5and tools (e.g., audit2allow).
6
7The library is structured to give flexibility to the application using
8it - it avoids assumptions and close coupling of components where
9possible. The audit2allow application demonstrates how to hook the
10components together.
11
12There is a test suite in the test subdirectory. The run-tests.py
13script will run all of the tests.
14
15The library is is divided into several functional areas:
16
17Reference Policy Representation (sepolgen.refpolicy)
18-------------------------------------------------------------
19
20Objects for representing policies and the reference policy
21interfaces. Includes basic components (security contexts, allow rules,
22etc.) and reference policy specific components (interfaces, modules,
23etc.).
24
25This representation can be used as output from the parser to represent
26the reference policy interfaces. It can also be used to generate
27policy by building up the relevant data structures and then outputting
28them. See sepolgen.policygen and sepolgen.output for information on how
29this can be done.
30
31Access (sepolgen.access, sepolgen.interfaces, sepolgen.matching)
32-------------------------------------------------------------
33
34Objects and algorithms for representing access and sets of access in
35an abstract way and searching that access. The basic concept is that
36of an access vector (source type, target type, object class, and
37permissions). These can be grouped into sets without overlapping
38access. Access vectors and access vector sets can be matched against
39other access vectors - this forms the backbone of how we turn audit
40messages into interface calls.
41
42The highest-level form of access represented in interfaces - which
43includes algorithms to turn the raw output of the parser into access
44vector sets representing the access allowed by each interface.
45
46Parsing (sepolgen.refparser)
47-------------------------------------------------------------
48
49Parser for reference policy "headers" - i.e.,
50/usr/share/selinux/devel/include. This uses the LGPL parsing library
51[PLY](http://www.dabeaz.com/ply/) which is included in the source
52distribution in the files lex.py and yacc.py. It may be necessary to
53switch to a more powerful parsing library in the future, but for now
54this is fast and easy.
55
56Audit Messages (sepolgen.audit)
57-------------------------------------------------------------
58
59Infrastructure for parsing SELinux related messages as produced by the
60audit system. This is not a general purpose audit parsing library - it
61is only meant to capture SELinux messages - primarily access vector
62cache (AVC) messages and policy load messages.
63
64Policy Generation (sepolgen.policygen and sepolgen.output)
65-------------------------------------------------------------
66
67Infrastructure for generating policy based on required access. This
68deliberately only loosely coupled to the audit parsing to allow
69required accesses to be feed in from anywhere.
70
71Object Model (sepolgen.objectmodel)
72-------------------------------------------------------------
73
74Information about the SELinux object classes. This is semantic
75information about the object classes - including information flow. It
76is separated to keep the core from being concerned about the details
77of the object classes.
78