Code Overview
=============

The source for Sepolgen is divided into the python library (sepolgen)
and tools (e.g., audit2allow).

The library is structured to give flexibility to the application using
it - it avoids assumptions and close coupling of components where
possible. The audit2allow application demonstrates how to hook the
components together.

There is a test suite in the test subdirectory. The run-tests.py
script will run all of the tests.

The library is divided into several functional areas:

Reference Policy Representation (sepolgen.refpolicy)
-------------------------------------------------------------

Objects for representing policies and the reference policy
interfaces. Includes basic components (security contexts, allow rules,
etc.) and reference policy specific components (interfaces, modules,
etc.).

This representation can be used as output from the parser to represent
the reference policy interfaces. It can also be used to generate
policy by building up the relevant data structures and then outputting
them. See sepolgen.policygen and sepolgen.output for information on how
this can be done.

Access (sepolgen.access, sepolgen.interfaces, sepolgen.matching)
-------------------------------------------------------------

Objects and algorithms for representing access and sets of access in
an abstract way and searching that access. The basic concept is that
of an access vector (source type, target type, object class, and
permissions). These can be grouped into sets without overlapping
access. Access vectors and access vector sets can be matched against
other access vectors - this forms the backbone of how we turn audit
messages into interface calls.

The highest-level form of access representation is the interface
(sepolgen.interfaces), which includes algorithms to turn the raw output
of the parser into access vector sets representing the access allowed
by each interface.

Parsing (sepolgen.refparser)
-------------------------------------------------------------

Parser for reference policy "headers" - i.e.,
/usr/share/selinux/devel/include. This uses the LGPL parsing library
[PLY](http://www.dabeaz.com/ply/) which is included in the source
distribution in the files lex.py and yacc.py. It may be necessary to
switch to a more powerful parsing library in the future, but for now
this is fast and easy.

Audit Messages (sepolgen.audit)
-------------------------------------------------------------

Infrastructure for parsing SELinux related messages as produced by the
audit system. This is not a general purpose audit parsing library - it
is only meant to capture SELinux messages - primarily access vector
cache (AVC) messages and policy load messages.

Policy Generation (sepolgen.policygen and sepolgen.output)
-------------------------------------------------------------

Infrastructure for generating policy based on required access. This is
deliberately only loosely coupled to the audit parsing so that
required accesses can be fed in from anywhere.

Object Model (sepolgen.objectmodel)
-------------------------------------------------------------

Information about the SELinux object classes. This is semantic
information about the object classes - including information flow. It
is separated to keep the core from being concerned about the details
of the object classes.
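The Access, Audit Messages and Policy Generation areas above describe one
pipeline: AVC denials become access vectors, the vectors are merged into a
set with no overlapping access, the set is matched against the access each
interface grants, and whatever is not covered becomes policy. The following
is an added, self-contained illustration of that pipeline written for this
overview; it is not sepolgen's own code and none of its names (AccessVector,
AccessVectorSet, parse_avc, generate_policy, the interface
"example_read_user_home") are sepolgen's API. The audit lines are constructed
samples.

```python
"""Miniature audit2allow-style pipeline (added illustration, not sepolgen's
code): AVC messages -> access vectors -> non-overlapping access vector set
-> interface matching -> generated policy. All names are hypothetical and
the audit records below are constructed, not captured from a real system."""
import re
from dataclasses import dataclass

# Constructed sample: three AVC denials for httpd_t plus one policy-load
# record that an AVC-only parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.100:42): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.101:43): avc:  denied  { getattr open } for  pid=1234 comm="httpd" path="/home/alice/index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:44): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=MAC_POLICY_LOAD msg=audit(1700000000.103:45): policy loaded auid=0 ses=1
"""

# Only the fields an access vector needs: the permission list, both
# security contexts and the object class; everything in between is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class AccessVector:
    """(source type, target type, object class, permissions)."""
    src: str
    tgt: str
    obj_class: str
    perms: frozenset


def type_field(context):
    """The type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """One AccessVector per AVC denial line; other audit records are ignored."""
    avs = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # e.g. a policy load record: carries no access vector
        avs.append(AccessVector(type_field(m.group("scon")),
                                type_field(m.group("tcon")),
                                m.group("tclass"),
                                frozenset(m.group("perms").split())))
    return avs


class AccessVectorSet:
    """Vectors keyed by (src, tgt, class); adding a vector whose key already
    exists unions the permissions, so the set never holds overlapping access."""

    def __init__(self):
        self._avs = {}

    def add(self, av):
        key = (av.src, av.tgt, av.obj_class)
        self._avs[key] = self._avs.get(key, frozenset()) | av.perms

    def perms(self, src, tgt, obj_class):
        return self._avs.get((src, tgt, obj_class), frozenset())

    def __len__(self):
        return len(self._avs)

    def __iter__(self):
        for (src, tgt, cls), perms in self._avs.items():
            yield AccessVector(src, tgt, cls, perms)


def covers(interface_avs, av):
    """True if an interface (its source type is the caller's $1) grants every
    permission the required vector asks for."""
    return av.perms <= interface_avs.perms("$1", av.tgt, av.obj_class)


def example_interfaces():
    """Hypothetical parsed interface: $1 may read files labelled user_home_t."""
    reads = AccessVectorSet()
    reads.add(AccessVector("$1", "user_home_t", "file",
                           frozenset({"read", "getattr", "open"})))
    return {"example_read_user_home": reads}


def generate_policy(required, interfaces):
    """Prefer an interface call that covers a required vector; otherwise emit
    a raw allow rule. Lines come out in the order the access was first seen."""
    lines = []
    for av in required:
        name = next((n for n, ifs in interfaces.items() if covers(ifs, av)), None)
        if name is not None:
            lines.append("%s(%s)" % (name, av.src))
            continue
        perms = " ".join(sorted(av.perms))
        if len(av.perms) > 1:
            perms = "{ %s }" % perms
        lines.append("allow %s %s:%s %s;" % (av.src, av.tgt, av.obj_class, perms))
    return lines


def audit2allow(text, interfaces):
    """Parse, merge into a non-overlapping set, then generate policy lines."""
    required = AccessVectorSet()
    for av in parse_avc(text):
        required.add(av)
    return generate_policy(required, interfaces)
```

Calling `audit2allow(SAMPLE_AUDIT, example_interfaces())` folds the two
file denials into one vector, finds that the hypothetical interface covers
it and emits `example_read_user_home(httpd_t)`, while the tcp_socket denial
matches no interface and falls back to a raw allow rule. The real library
keeps the same stages decoupled so that required access can come from any
source, not only the audit parser.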