From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 25 Aug 2010 08:59:36 -0400 Subject: [refpolicy] [m4-isms patch 4/6] Remove basic_ubac_conditions macro In-Reply-To: <1282679445.14992.34.camel@moss-lions.epoch.ncsc.mil> References: <1282679445.14992.34.camel@moss-lions.epoch.ncsc.mil> Message-ID: <4C7513B8.4030706@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/24/10 15:50, James Carter wrote: > The macro basic_ubac_conditions is an example of using an m4 macro to > manipulate text rather than as an interface. Removing it makes the > constraints file easier to parse. I suppose this is ok, though it would be nice to have a way to keep the policy reuse there. > --- > policy/constraints | 29 +++++++++++++++-------------- > 1 file changed, 15 insertions(+), 14 deletions(-) > > diff --git a/policy/constraints b/policy/constraints > index 155883b..b901c9f 100644 > --- a/policy/constraints > +++ b/policy/constraints > @@ -25,21 +25,15 @@ > # name_list : name | name_list name > # > > -define(`basic_ubac_conditions',` > - ifdef(`enable_ubac',` > - u1 == u2 > - or u1 == system_u > - or u2 == system_u > - or t1 != ubac_constrained_type > - or t2 != ubac_constrained_type > - ') > -') > - > define(`basic_ubac_constraint',` > ifdef(`enable_ubac',` > constrain $1 all_$1_perms > ( > - basic_ubac_conditions > + u1 == u2 > + or u1 == system_u > + or u2 == system_u > + or t1 != ubac_constrained_type > + or t2 != ubac_constrained_type > ); > ') > ') > @@ -48,7 +42,11 @@ define(`exempted_ubac_constraint',` > ifdef(`enable_ubac',` > constrain $1 all_$1_perms > ( > - basic_ubac_conditions > + u1 == u2 > + or u1 == system_u > + or u2 == system_u > + or t1 != ubac_constrained_type > + or t2 != ubac_constrained_type > or t1 == $2 > ); > ') 
> @@ -82,7 +80,11 @@ constrain dir_file_class_set { create relabelto relabelfrom } > ifdef(`enable_ubac',` > constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit } > ( > - basic_ubac_conditions > + u1 == u2 > + or u1 == system_u > + or u2 == system_u > + or t1 != ubac_constrained_type > + or t2 != ubac_constrained_type > or t1 == ubacproc > ); > ') > @@ -241,5 +243,4 @@ basic_ubac_constraint(peer) > > > undefine(`basic_ubac_constraint') > -undefine(`basic_ubac_conditions') > undefine(`exempted_ubac_constraint') > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
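Review bot: In the first hunk (@@ -25,21 +25,15 @@), the removed basic_ubac_conditions definition carried its own ifdef(`enable_ubac', ...) guard, and the lines inlined into basic_ubac_constraint do not. The result is equivalent only because each inlined copy visible in this patch already sits inside an outer ifdef(`enable_ubac', ...). A short comment next to the conditions saying they must stay under that guard would keep a later copy of the block from ending up outside it.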
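Review bot: In the exempted_ubac_constraint hunk (@@ -48,7 +42,11 @@), the five conditions from `u1 == u2` through `or t2 != ubac_constrained_type` are now a second verbatim copy of the block in basic_ubac_constraint, with a third in the process constrain. A later change to the base UBAC rule has to be made in all three places, and a missed copy would leave one set of classes constrained differently with no build error. Since the macro is being dropped for parseability, a comment above each copy naming the other two locations would make drift easier to catch in review.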
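Review bot: In the process constrain hunk (@@ -82,7 +80,11 @@), the inlined block followed by `or t1 == ubacproc` has the same shape as exempted_ubac_constraint with ubacproc as the exempted type. The only visible difference is the explicit permission list in place of all_$1_perms. This copy is the one most likely to be overlooked because it is not inside a named macro, so a comment stating that it mirrors exempted_ubac_constraint, and why it lists permissions by hand, would help whoever edits the shared conditions next.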