selinux/sepolgen/HACKING - nest-cam/4320010/selinux - Git at Google

 Code Overview
 =============

 The source for Sepolgen is divided into the python library (sepolgen)
 and tools (e.g., audit2allow).

 The library is structured to give flexibility to the application using
 it - it avoids assumptions and close coupling of components where
 possible. The audit2allow application demonstrates how to hook the
 components together.

 There is a test suite in the test subdirectory. The run-tests.py
 script will run all of the tests.

 The library is is divided into several functional areas:

 Reference Policy Representation (sepolgen.refpolicy)
 -------------------------------------------------------------

 Objects for representing policies and the reference policy
 interfaces. Includes basic components (security contexts, allow rules,
 etc.) and reference policy specific components (interfaces, modules,
 etc.).

 This representation can be used as output from the parser to represent
 the reference policy interfaces. It can also be used to generate
 policy by building up the relevent data structures and then outputting
 them. See sepolgen.policygen and sepolgen.output for information on how
 this can be done.

 Access (sepolgen.access, sepolgen.interfaces, sepolgen.matching)
 -------------------------------------------------------------

 Objects and algorithms for representing access and sets of access in
 an abstract way and searching that access. The basic concept is that
 of an access vector (source type, target type, object class, and
 permissions). These can be grouped into sets without overlapping
 access. Access vectors and access vector sets can be matched against
 other access vectors - this forms the backbone of how we turn audit
 messages into interface calls.

 The highest-level form of access represented in interfaces - which
 includes algorithms to turn the raw output of the parser into access
 vector sets representing the access allowed by each interface.

 Parsing (sepolgen.refparser)
 -------------------------------------------------------------

 Parser for reference policy "headers" - i.e.,
 /usr/share/selinux/devel/include. This uses the LGPL parsing library
 [PLY](http://www.dabeaz.com/ply/) which is included in the source
 distribution in the files lex.py and yacc.py. It may be necessary to
 switch to a more powerful parsing library in the future, but for now
 this is fast and easy.

 Audit Messages (sepolgen.audit)
 -------------------------------------------------------------

 Infrastructure for parsing SELinux related messages as produced by the
 audit system. This is not a general purpose audit parsing library - it
 is only meant to capture SELinux messages - primarily access vector
 cache (AVC) messages and policy load messages.

 Policy Generation (sepolgen.policygen and sepolgen.output)
 -------------------------------------------------------------

 Infrastructure for generating policy based on required access. This
 deliberately only loosely coupled to the audit parsing to allow
 required accesses to be feed in from anywhere.

 Object Model (sepolgen.objectmodel)
 -------------------------------------------------------------

 Information about the SELinux object classes. This is semantic
 information about the object classes - including information flow. It
 is separated to keep the core from being concerned about the details
 of the object classes.

 [selist]: http://www.nsa.gov/research/selinux/info/list.cfm
	Code Overview
	=============

	The source for Sepolgen is divided into the python library (sepolgen)
	and tools (e.g., audit2allow).

	The library is structured to give flexibility to the application using
	it - it avoids assumptions and close coupling of components where
	possible. The audit2allow application demonstrates how to hook the
	components together.

	There is a test suite in the test subdirectory. The run-tests.py
	script will run all of the tests.

	The library is is divided into several functional areas:

	Reference Policy Representation (sepolgen.refpolicy)
	-------------------------------------------------------------

	Objects for representing policies and the reference policy
	interfaces. Includes basic components (security contexts, allow rules,
	etc.) and reference policy specific components (interfaces, modules,
	etc.).

	This representation can be used as output from the parser to represent
	the reference policy interfaces. It can also be used to generate
	policy by building up the relevent data structures and then outputting
	them. See sepolgen.policygen and sepolgen.output for information on how
	this can be done.

	Access (sepolgen.access, sepolgen.interfaces, sepolgen.matching)
	-------------------------------------------------------------

	Objects and algorithms for representing access and sets of access in
	an abstract way and searching that access. The basic concept is that
	of an access vector (source type, target type, object class, and
	permissions). These can be grouped into sets without overlapping
	access. Access vectors and access vector sets can be matched against
	other access vectors - this forms the backbone of how we turn audit
	messages into interface calls.

	The highest-level form of access represented in interfaces - which
	includes algorithms to turn the raw output of the parser into access
	vector sets representing the access allowed by each interface.

	Parsing (sepolgen.refparser)
	-------------------------------------------------------------

	Parser for reference policy "headers" - i.e.,
	/usr/share/selinux/devel/include. This uses the LGPL parsing library
	[PLY](http://www.dabeaz.com/ply/) which is included in the source
	distribution in the files lex.py and yacc.py. It may be necessary to
	switch to a more powerful parsing library in the future, but for now
	this is fast and easy.

	Audit Messages (sepolgen.audit)
	-------------------------------------------------------------

	Infrastructure for parsing SELinux related messages as produced by the
	audit system. This is not a general purpose audit parsing library - it
	is only meant to capture SELinux messages - primarily access vector
	cache (AVC) messages and policy load messages.

	Policy Generation (sepolgen.policygen and sepolgen.output)
	-------------------------------------------------------------

	Infrastructure for generating policy based on required access. This
	deliberately only loosely coupled to the audit parsing to allow
	required accesses to be feed in from anywhere.

	Object Model (sepolgen.objectmodel)
	-------------------------------------------------------------

	Information about the SELinux object classes. This is semantic
	information about the object classes - including information flow. It
	is separated to keep the core from being concerned about the details
	of the object classes.

	[selist]: http://www.nsa.gov/research/selinux/info/list.cfm