
README for simplified policy XML support

1. Related commands
(1) seedit-spdl2xml
This programs reads simplified policy and export to XML format.

* Usage:
seedit-spdl2xml -i <simplified policy file>  -o <output filename>

* Example:
When you want to generate XML from default policy.
./seedit-spdl2xml -i /etc/selinux/seedit/src/policy/simplified_policy/all  -o test.xml
test.xml is XML format simplified policy

(2) seedit-xml2spdl
This program read XML format simplified policy and output simplified policy that seedit-converter can understand.

* Usage:
 seedit-xml2spdl -i <xml file> -o <output dir>

xml file is converted into simplified policy, output path is output dir.
If -o is omitted, simplified policy jointed together is displayed to stdout.

+ Example:
$ mkdir testdir
$ ./seedit-xml2spdl.py -i test.xml -o testdir
This read test.xml and  output simplified policy to testdir

$ ls testdir
acpid_t.a        hald_t.a    modutils_t.a    rpm_t.a       system_crond_t.a
automount_t.a    httpd_t.a   mount_t.a       run_init_t.a  user_r.a
cannaserver_t.a  init_t.a    mysqld_t.a      sendmail_t.a  webmin_t.a
crond_t.a        initrc_t.a  named_t.a       smbd_t.a      xfs_t.a
dbus_t.a         kernel_t.a  newrole_t.a     sshd_t.a      xinetd_t.a
dhcpcd_t.a       klogd_t.a   postfix_t.a     staff_r.a     xserver_t.a
gdm_t.a          login_t.a   proftpd_t.a     su_t.a
getty_t.a        lvm_t.a     restorecon_t.a  sysadm_r.a
global           mail_t.a    rpm_script_t.a  syslogd_t.a

Simplified policy is generated.


2. Syntax of xml format simplified policy

For detailed syntax, see  simplified_policy.dtd.
DTD is available at http://seedit.sourceforge.net/doc/simplified_policy.dtd .
And for meaning of SPDL description, see  Simplified Policy Manual at http://seedit.sourceforge.net/documents.html .

2.1 Basic structue, simplified_policy tag and domain tag

(1) <policy> tag
It is root tag.  Within the tag, <section> tag is repeated like below.
<policy>
<section id="global" type="domain">xxxx </domain>
<section id="httpd_t" type="domain">xxxx </domain>
<section id="sysadm_r" type="role">xxxx </domain>
....
</policy>

(2) <section> tag
Between domain tag, access control rule for corresponding domain is described.

* Attribute: 
	> id: domain or role name
	> type: "role" or "domain"
	     If "domain", value stored id is domain, if "role" value stored id is role

* Example
<section id="httpd_t" type="domain">
xxxxxxxx
</section>

Configuration xxxxx is  for domain "httpd_t".


<section id="sysadm_r" type="role">
xxxxxx 
</section>

Configuration xxxxxx is for role "sysadm_r"

.2 Tags to describe access control
(1) domaintrans tag
Corresponds to "domain_trasn" statement in SPDL.
Describes domain transision by parentdomain and entrypoint tag, like below.
<domaintrans>
<parentdomain>initrc_t</parentdomain>
<entrypoint>/usr/sbin/httpd</parentdomain>
</domaintrans>

(2) user tag
Corresponds to "user" statement of SPDL.
Specifies user name by value attribute like below.
<user>
<uname>root</uname>
</user>


(3) allowfile tag

There are three Attribute  
  - type: allow|deny|exclusive
  - only: yes|no
  - exclusive: yes|no

Corresponds to "allow" statement of SPDL.
Let's see how to describe allow statement in XML form.

a) allow <file> <permissions>
For example, allow /hoge r,s;
When "allow", use type="allow", and only="no"
and specify filename and permissions like below.
<allowfile only="no" type="allow">
<path>/hoge</path>
<permission>r</path>
<permission>s</permission>
</allowfile>
You must use one permission tag for one permission.
If you want to represent "allowonly" use attribute only="yes".
And if you want to represent "deny" use attribute type"deny".

b) allow <path> exclusive <label>
allow /etc exclusive etc_runtime_t;
will be following.

<allowfile type="exclusive">
<path>/etc</path>
<label>etc_runtime_t</label>
</allowfile>
Pay attention to type="exclusive"

c) allow <path> exclusive -all <permissions>
allow /etc exclusive -all r,s;
will be below.
<allowfile exclusive="yes">
<path>/etc</path>
<permission>r</permission>
<permission>s</permission>
</allowfile>

Be careful to exclusive="yes"


(4) allownet tag
You can specify option of allownet statement by "option" tag.
For example, 
<allownet>
<option>net</option>
</allownet>
means "allownet -net"
You can specify port number by port tag.

<allownet type="allow">
    <option>udp</option>
    <port>68</port>
</allownet>

Means "allownet -udp -port 68;"


(5) allowcom tag
Corresponds to "allowcom" statement of SPDL.

You can speficy type of IPC by option tag, 
target domain by domain tag, and permission by permission tag.

For example,
   <allowcom type="allow">
      <comment/>
      <option>sig</option>
      <domain>getty_t</domain>
      <permission>c</permission>
    </allowcom>
Means "allowcom -sig getty_t c;"

(6) allowproc tag
Corresponds to "allowproc" statement in SPDL.
You can specify "self" or "other" in option tag, target permisions
by permission tag.

For example,
<allowproc type="allow">
      <option>self</option>
      <permission>r</permission>
</allowproc>

Means "allowproc -self r;"

(7) allowfs tag
Corresponds to "allowfs" statement in SPDL.

You can specify name of filesystem by fs tag, and permissions by permission tags.
<allowfs type="allow">
     <fs>proc</fs>
     <permission>r</permission>
     <permission>s</permission>
</allowfs>
Means "allowfs proc r,s;"

And "allowfs exclusive" rule is written as following.
   <allowfs type="exclusive">
      <comment/>
      <fs>tmpfs</fs>
      <label>acpid_tmpfs_t</label>
    </allowfs>
Means, "allowfs tmpfs exclusive acpid_tmpfs_t;"

(8) allowtty, allowpts tag
Correspond to "allowtty,allowpts" statement in SPDL.
Target role can be specified by "role" tag, permissions by "permission" tags.
    <allowtty type="allow">
      <comment/>
      <role>general</role>
      <permission>change</permission>
    </allowtty>
Means, allowtty -change general;

   <allowpts type="allow">
      <permission>create</permission>
    </allowpts>
Means, "allowpts -create"
   <allowtty type="allow">
      <comment/>
      <role>general</role>
      <permission>r</permission>
    </allowtty>
Means allowtty general r;

(9) allowpriv,allowkernel, allowseop tags
Correspond to "allowpriv,allowkernel,allowseop" statement in SPDL.

Option can be specified by "option" tag.
    <allowkernel type="allow">
      <option>netlink</option>
    </allowkernel>
Means "allowkernel netlink;";


(10) comment tag 
Comment can be described in comment tag, at the begining of access control rule. 
This will do no effect to policy.
Described comment is included in simplified policy(that converted by seedit-xml2spdl).

For example,
    <allowkernel type="allow">
      <comment>#priviledges
</comment>
      <option>netlink</option>
    </allowkernel>

will be following in SPDL form.

#priviledges
allowkernel netlink;

