a h}@sZddlZddlZdZdZdZdZdZdZgdZeeeeeedZ Gdd d Z Gd d d e Z Gd d d e Z dsddZ dtddZduddZddZGdddeZGddde ZGddde ZGdd d ZGd!d"d"e ZGd#d$d$e ZGd%d&d&e ZGd'd(d(e ZGd)d*d*e ZGd+d,d,e ZGd-d.d.e ZGd/d0d0e ZGd1d2d2e ZGd3d4d4e ZGd5d6d6e Z Gd7d8d8e Z!Gd9d:d:e Z"Gd;d<dd>e Z$Gd?d@d@e Z%GdAdBdBe Z&GdCdDdDe Z'GdEdFdFe Z(GdGdHdHe Z)GdIdJdJe Z*GdKdLdLe Z+GdMdNdNe Z,GdOdPdPe Z-GdQdRdRe Z.GdSdTdTe Z/GdUdVdVe Z0dWdXZ1GdYdZdZe Z2Gd[d\d\e Z3Gd]d^d^e Z4Gd_d`d`e Z5Gdadbdbe Z6Gdcdddde Z7Gdedfdfe Z8Gdgdhdhe Z9Gdidjdje Z:Gdkdldle Z;GdmdndnZdS)vN)sourcetargetobjectZ permissionroleZ destinationc@seZdZdddZdS) PolicyBaseNcCsd|_d|_dSN)parentcommentselfr r6/usr/lib/python3.9/site-packages/sepolgen/refpolicy.py__init__5szPolicyBase.__init__)N)__name__ __module__ __qualname__rrrrrr 4sr c@seZdZdZd/ddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.ZdS)0NodeaBase class objects produced from parsing the reference policy. The Node class is used as the base class for any non-leaf object produced by parsing the reference policy. This object should contain a reference to its parent (or None for a top-level object) and 0 or more children. The general idea here is to have a very simple tree structure. Children are not separated out by type. Instead the tree structure represents fairly closely the real structure of the policy statements. The object should be iterable - by default over all children but subclasses are free to provide additional iterators over a subset of their childre (see Interface for example). NcCst||g|_dSr )r rchildrenrrrrrJs z Node.__init__cCs t|jSr )iterrrrrr__iter__Nsz Node.__iter__cCstddt|S)NcSs t|tSr ) isinstancerxrrrWzNode.nodes..filterwalktreerrrrnodesVsz Node.nodescCstddt|S)NcSs t|tSr )rModulerrrrrZr zNode.modules..r!rrrrmodulesYsz Node.modulescCstddt|S)NcSs t|tSr )r Interfacerrrrr]r z!Node.interfaces..r!rrrr interfaces\szNode.interfacescCstddt|S)NcSs t|tSr )rTemplaterrrrr`r z Node.templates..r!rrrr templates_szNode.templatescCstddt|S)NcSs t|tSr )r SupportMacrosrrrrrcr z%Node.support_macros..r!rrrrsupport_macrosbszNode.support_macroscCstddt|S)NcSs t|tSr )rModuleDeclarationrrrrrhr z*Node.module_declarations..r!rrrrmodule_declarationsgszNode.module_declarationscCstddt|S)NcSs t|tSr )r InterfaceCallrrrrrkr z&Node.interface_calls..r!rrrrinterface_callsjszNode.interface_callscCstddt|S)NcSs t|tSr )rAVRulerrrrrnr zNode.avrules..r!rrrravrulesmsz Node.avrulescCstddt|S)NcSs t|tSr )r AVExtRulerrrrrqr z!Node.avextrules..r!rrrr avextrulespszNode.avextrulescCstddt|S)NcSs t|tSr )rTypeRulerrrrrtr z Node.typerules..r!rrrr typerulessszNode.typerulescCstddt|S)NcSs t|tSr )r TypeBoundrrrrrwr z!Node.typebounds..r!rrrr typeboundsvszNode.typeboundscCstddt|S)zAIterate over all of the TypeAttribute children of this Interface.cSs t|tSr )r TypeAttributerrrrr{r z%Node.typeattributes..r!rrrrtypeattributesyszNode.typeattributescCstddt|S)zAIterate over all of the RoleAttribute children of this Interface.cSs t|tSr )r RoleAttributerrrrrr z%Node.roleattributes..r!rrrrroleattributes}szNode.roleattributescCstddt|S)NcSs t|tSr )rRequirerrrrrr zNode.requires..r!rrrrrequiressz Node.requirescCstddt|S)NcSs t|tSr )rRolerrrrrr zNode.roles..r!rrrrrolessz Node.rolescCstddt|S)NcSs t|tSr )r RoleAllowrrrrrr z"Node.role_allows..r!rrrr role_allowsszNode.role_allowscCstddt|S)NcSs t|tSr )rRoleTyperrrrrr z!Node.role_types..r!rrrr role_typesszNode.role_typescCs(|jrt|jd|S|SdSN rstr to_stringrrrr__str__sz Node.__str__cCsd|jj|fSNz<%s(%s)> __class__rrIrrrr__repr__sz Node.__repr__cCsdSNrrrrrrIszNode.to_string)N)rrr__doc__rrr$r&r(r*r,r.r0r2r4r6r8r:r<r>r@rBrDrJrNrIrrrrr9s. rc@s.eZdZd ddZddZddZdd ZdS) LeafNcCst||dSr )r rrrrrrsz Leaf.__init__cCs(|jrt|jd|S|SdSrErGrrrrrJsz Leaf.__str__cCsd|jj|fSrKrLrrrrrNsz Leaf.__repr__cCsdSrOrrrrrrIszLeaf.to_string)N)rrrrrJrNrIrrrrrRs rRTFc cs|r d}nd}|dfg}t|dkr||\}}|rB||fVn|Vt|trg}t|jd} | dkr|dust|j| |r||j| |df| d8} qd||qdS)aIterate over a Node and its Children. The walktree function iterates over a tree containing Nodes and leaf objects. The iteration can perform a depth first or a breadth first traversal of the tree (controlled by the depthfirst parameter. The passed in node will be returned. This function will only work correctly for trees - arbitrary graphs will likely cause infinite looping. rrN)lenpoprrrappendextend) nodeZ depthfirst showdepthtypeindexstackZcurdepthitemsirrrr#s"      r#ccs&|D]}|dust||r|VqdS)aIterate over the direct children of a Node. The walktree function iterates over the children of a Node. Unlike walktree it does note return the passed in node or the children of any Node objects (that is, it does not go beyond the current level in the tree). N)r)rXrZrrrrwalknodesr`{}cCsRt|}d}|dkrtdd|}|dkr2|S|dd|d|dSdS)zConvert a set (or any sequence type) into a string representation formatted to match SELinux space separated list conventions. For example the list ['read', 'write'] would be converted into: '{ read write }' rPrz"cannot convert 0 len set to string rNrT ValueErrorjoin)scontlrHrrrlist_to_space_strs rkcCs"t|}|dkrtdd|S)Nrz(cannot convert 0 len set to comma stringz, re)rhrjrrrlist_to_comma_strsrlc@s&eZdZdddZddZddZdS) IdSetNcCs&|rt||n t|d|_dS)NF)setrZ compliment)rlistrrrrs zIdSet.__init__cCs tt|Sr )rksortedrrrr to_space_strszIdSet.to_space_strcCs tt|Sr )rlrprrrr to_comma_strszIdSet.to_comma_str)N)rrrrrqrrrrrrrms rmc@s4eZdZdZd ddZddZddZd d d ZdS) SecurityContextz;An SELinux security context with optional MCS / MLS fields.NcCs:t||d|_d|_d|_d|_|dur6||dS)zCreate a SecurityContext object, optionally from a string. Parameters: [context] - string representing a security context. Same format as a string passed to the from_string method. rPN)rRruserr rZlevel from_string)rcontextr rrrr s zSecurityContext.__init__cCst|}|ddkr|d}|d}t|dkr@td||d|_|d|_|d|_t|dkrd|dd|_ nd|_ dS)zParse a string representing a context into a SecurityContext. The string should be in the standard format - e.g., 'user:role:type:level'. Raises ValueError if the string is not parsable as a security context. rr:rz)context string [%s] not in a valid formatrN) selinuxZselinux_trans_to_raw_contextsplitrTrfrtr rZrgru)rrwrawfieldsrrrrvs         zSecurityContext.from_stringcCs0|j|jko.|j|jko.|j|jko.|j|jkS)aCompare two SecurityContext objects - all fields must be exactly the the same for the comparison to work. It is possible for the level fields to be semantically the same yet syntactically different - in this case this function will return false. )rtr rZru)rotherrrr__eq__4s    zSecurityContext.__eq__cCs\|j|j|jg}|jdurF|dur:tdkrD|dqR||n ||jd|S)aReturn a string representing this security context. By default, the string will contiain a MCS / MLS level potentially from the default which is passed in if none was set. Arguments: default_level - the default level to use if self.level is an empty string. Returns: A string represening the security context in the form 'user:role:type:level'. NrZs0rx)rtr rZruryZis_selinux_mls_enabledrVrg)rZ default_levelr|rrrrI?s     zSecurityContext.to_string)NN)N)rrrrQrrvr~rIrrrrrs s   rsc@seZdZdZdddZdS) ObjectClassa"SELinux object class and permissions. This class is a basic representation of an SELinux object class - it does not represent separate common permissions - just the union of the common and class specific permissions. It is meant to be convenient for policy generation. rPNcCst||||_t|_dSr )rRrnamermpermsrrr rrrras zObjectClass.__init__)rPN)rrrrQrrrrrrYsrc@s<eZdZdZdddZddZddZdd d Zd d Zd S)XpermSeta)Extended permission set. This class represents one or more extended permissions represented by numeric values or ranges of values. The .complement attribute is used to specify all permission except those specified. Two xperm set can be merged using the .extend() method. FcCs||_g|_dSr ) complementranges)rrrrrrpszXpermSet.__init__cCs|jd}|t|jkr|dt|jkr|j|dd|j|ddkr|j|dt|j|d|j|ddf|j|<|j|d=qqq|d7}qdS)z0Ensure that ranges are not overlapping. rrN)rsortrTmax)rr_rrrZ__normalize_rangests $ zXpermSet.__normalize_rangescCs|j|j|dS)z%Add ranges from an xperm set N)rrW_XpermSet__normalize_rangesrrhrrrrWszXpermSet.extendNcCs(|dur |}|j||f|dS)z7Add value of range of values to the xperm set. N)rrVr)rZminimumZmaximumrrraddsz XpermSet.addcCsz|js dS|jrdnd}t|jdkrX|jdd|jddkrX|t|jddStdd|j}d|d|fS) NrPz~ rrcSs8|d|dkrt|dSdt|dt|dfS)Nrrz%s-%s)hexrrrrrr z$XpermSet.to_string..z%s{ %s }rd)rrrTrmaprg)rZcomplZvalsrrrrIs*zXpermSet.to_string)F)N) rrrrQrrrWrrIrrrrrfs   rc@s"eZdZdZdddZddZdS)r9z[SElinux typeattribute statement. This class represents a typeattribute statement. NcCst||d|_t|_dSrO)rRrrZrm attributesrrrrrs zTypeAttribute.__init__cCsd|j|jfS)Nztypeattribute %s %s;)rZrrrrrrrrIszTypeAttribute.to_string)NrrrrQrrIrrrrr9s r9c@s"eZdZdZdddZddZdS)r;z[SElinux roleattribute statement. This class represents a roleattribute statement. NcCst||d|_t|_dSrO)rRrr rmr<rrrrrs zRoleAttribute.__init__cCsd|j|jfS)Nzroleattribute %s %s;)r r<rrrrrrrIszRoleAttribute.to_string)Nrrrrrr;s r;c@seZdZdddZddZdS)r?NcCst||d|_t|_dSrOrRrr rmtypesrrrrrs z Role.__init__cCs&d}|jD]}|d|j|f7}q |SNrPzrole %s types %s; rr rrhtrrrrIs zRole.to_string)NrrrrrIrrrrr?s r?c@seZdZdddZddZdS)TyperPNcCs&t||||_t|_t|_dSr )rRrrrmraliasesrrrrrs z Type.__init__cCsRd|j}t|jdkr*|d|j}t|jdkrJ|d|j}|dS)Nztype %srzalias %s, %s;)rrTrrqrrrrrrrrIs  zType.to_string)rPNrrrrrrs rc@seZdZdddZddZdS) TypeAliasNcCst||d|_t|_dSrO)rRrrZrmrrrrrrs zTypeAlias.__init__cCsd|j|jfS)Nztypealias %s alias %s;)rZrrqrrrrrIszTypeAlias.to_string)Nrrrrrrs rc@seZdZdddZddZdS) AttributerPNcCst||||_dSr rRrrrrrrrs zAttribute.__init__cCs d|jS)Nz attribute %s;rrrrrrIszAttribute.to_string)rPNrrrrrrs rc@seZdZdddZddZdS)Attribute_RolerPNcCst||||_dSr rrrrrrs zAttribute_Role.__init__cCs d|jS)Nzattribute_role %s;rrrrrrIszAttribute_Role.to_string)rPNrrrrrrs rc@sBeZdZdZdZdZdZdZdddZd d Z d d Z d dZ dS)r1aSELinux access vector (AV) rule. The AVRule class represents all varieties of AV rules including allow, dontaudit, and auditallow (indicated by the flags self.ALLOW, self.DONTAUDIT, and self.AUDITALLOW respectively). The source and target types, object classes, and perms are all represented by sets containing strings. Sets are used to make it simple to add strings repeatedly while avoiding duplicates. No checking is done to make certain that the symbols are valid or consistent (e.g., perms that don't match the object classes). It is even possible to put invalid types like '$1' into the rules to allow storage of the reference policy interfaces. rrrrNcCsFt||t|_t|_t|_t|_|j|_|rB| |dSr ) rRrrm src_types tgt_types obj_classesrALLOW rule_typefrom_av)ravr rrrr s zAVRule.__init__cCsD|j|jkrdS|j|jkr dS|j|jkr0dS|j|jkr@dSdS)NZallowZ dontauditZ auditallowZ neverallow)rr DONTAUDIT AUDITALLOW NEVERALLOWrrrr__rule_type_strs    zAVRule.__rule_type_strcCsV|j|j|j|jkr(|jdn|j|j|j|j|j|jdS)zIAdd the access from an access vector to this allow rule. rN) rrsrc_typetgt_typerr obj_classrupdate)rrrrrrs  zAVRule.from_avcCs.d||j|j|j|jfS)zReturn a string representation of the rule that is a valid policy language representation (assuming that the types, object class, etc. are valie). %s %s %s:%s %s;)_AVRule__rule_type_strrrqrrrrrrrrI)s zAVRule.to_string)NN) rrrrQrrrrrrrrIrrrrr1s   r1c@sBeZdZdZdZdZdZdZdddZd d Z d d Z d dZ dS)r3ajExtended permission access vector rule. The AVExtRule class represents allowxperm, dontauditxperm, auditallowxperm, and neverallowxperm rules. The source and target types, and object classes are represented by sets containing strings. The operation is a single string, e.g. 'ioctl'. Extended permissions are represented by an XpermSet. rrrrNcCsNt||t|_t|_t|_|j|_t|_ ||_ |rJ| ||dSr ) rRrrmrrr ALLOWXPERMrrxperms operationr)rropr rrrrCs zAVExtRule.__init__cCsD|j|jkrdS|j|jkr dS|j|jkr0dS|j|jkr@dSdS)NZ allowxpermZdontauditxpermZauditallowxpermZneverallowxperm)rrDONTAUDITXPERMAUDITALLOWXPERMNEVERALLOWXPERMrrrrrNs    zAVExtRule.__rule_type_strcCsZ|j|j|j|jkr(|jdn|j|j|j|j||_|j||_dS)Nr) rrrrrrrrr)rrrrrrrXs zAVExtRule.from_avcCs2d||j|j|j|j|jfS)zReturn a string representation of the rule that is a valid policy language representation (assuming that the types, object class, etc. are valid). z%s %s %s:%s %s %s;)_AVExtRule__rule_type_strrrqrrrrrIrrrrrIbszAVExtRule.to_string)NNN) rrrrQrrrrrrrrIrrrrr34s    r3c@s6eZdZdZdZdZdZd ddZdd Zd d Z dS) r5zSELinux type rules. This class is very similar to the AVRule class, but is for representing the type rules (type_trans, type_change, and type_member). The major difference is the lack of perms and only and sing destination type. rrrNcCs6t||t|_t|_t|_d|_|j|_dSrO) rRrrmrrr dest_typeTYPE_TRANSITIONrrrrrrys  zTypeRule.__init__cCs(|j|jkrdS|j|jkr dSdSdS)NZtype_transitionZ type_changeZ type_member)rr TYPE_CHANGErrrrrs   zTypeRule.__rule_type_strcCs*d||j|j|j|jfS)Nr)_TypeRule__rule_type_strrrqrrrrrrrrIs zTypeRule.to_string)N) rrrrQrrZ TYPE_MEMBERrrrIrrrrr5ns r5c@s"eZdZdZdddZddZdS)r7zSSElinux typebound statement. This class represents a typebound statement. NcCst||d|_t|_dSrO)rRrrZrmrrrrrrs zTypeBound.__init__cCsd|j|jfS)Nztypebounds %s %s;)rZrrrrrrrrIszTypeBound.to_string)Nrrrrrr7s r7c@seZdZdddZddZdS)rANcCs t||t|_t|_dSr )rRrrm src_roles tgt_rolesrrrrrs zRoleAllow.__init__cCsd|j|jfS)Nz allow %s %s;)rrrrrrrrrIs zRoleAllow.to_string)NrrrrrrAs rAc@seZdZdddZddZdS)rCNcCst||d|_t|_dSrOrrrrrrs zRoleType.__init__cCs&d}|jD]}|d|j|f7}q |SrrrrrrrIs zRoleType.to_string)NrrrrrrCs rCc@seZdZdddZddZdS)r-NcCs"t||d|_d|_d|_dSNrPF)rRrrversion refpolicyrrrrrs zModuleDeclaration.__init__cCs*|jrd|j|jfSd|j|jfSdS)Nzpolicy_module(%s, %s)z module %s %s;)rrrrrrrrIszModuleDeclaration.to_string)Nrrrrrr-s r-c@seZdZdddZddZdS) ConditionalNcCst||g|_dSr rr cond_exprrrrrrs zConditional.__init__cCsdt|jddS)Nz[If %s]rPrPrirkrrrrrrIszConditional.to_string)Nrrrrrrs rc@seZdZdddZddZdS)BoolNcCst||d|_d|_dSr)rRrrstaterrrrrs z Bool.__init__cCs$d|j}|jr|dS|dSdS)Nzbool %s trueZfalse)rrrrrrrIs zBool.to_string)Nrrrrrrs rc@seZdZdddZddZdS) InitialSidNcCst||d|_d|_dSrO)rRrrrwrrrrZ__inits zInitialSid.__initcCsd|jt|jfS)Nz sid %s %s)rrHrwrrrrrIszInitialSid.to_string)N)rrrZ_InitialSid__initrIrrrrrs rc@seZdZdddZddZdS)GenfsConNcCs"t||d|_d|_d|_dSrO)rRr filesystempathrwrrrrrs zGenfsCon.__init__cCsd|j|jt|jfS)Nzgenfscon %s %s %s)rrrHrwrrrrrIszGenfsCon.to_string)Nrrrrrrs rc@s*eZdZdZdZdZd ddZddZdS) FilesystemUserrrNcCs$t|||j|_d|_d|_dSrO)rRrXATTRrZrrwrrrrrs zFilesystemUse.__init__cCsNd}|j|jkrd}n"|j|jkr(d}n|j|jkr8d}d||jt|jfS)NrPz fs_use_xattr z fs_use_trans z fs_use_task z %s %s %s;)rZrTRANSTASKrrHrwrrrrrIs   zFilesystemUse.to_string)N)rrrrrrrrIrrrrrs  rc@seZdZdddZddZdS)PortConNcCs"t||d|_d|_d|_dSrO)rRr port_type port_numberrwrrrrrs zPortCon.__init__cCsd|j|jt|jfS)Nzportcon %s %s %s)rrrHrwrrrrrIszPortCon.to_string)Nrrrrrrs rc@seZdZdddZddZdS)NodeConNcCs"t||d|_d|_d|_dSrO)rRrstartendrwrrrrr s zNodeCon.__init__cCsd|j|jt|jfS)Nznodecon %s %s %s)rrrHrwrrrrrIszNodeCon.to_string)Nrrrrrrs rc@seZdZdddZddZdS)NetifConNcCs"t||d|_d|_d|_dSrO)rRr interfaceinterface_contextpacket_contextrrrrrs zNetifCon.__init__cCsd|jt|jt|jfS)Nznetifcon %s %s %s)rrHrrrrrrrIszNetifCon.to_string)Nrrrrrrs rc@seZdZdddZddZdS)PirqConNcCst||d|_d|_dSrO)rRr pirq_numberrwrrrrrs zPirqCon.__init__cCsd|jt|jfS)Nz pirqcon %s %s)rrHrwrrrrrI"szPirqCon.to_string)Nrrrrrrs rc@seZdZdddZddZdS)IomemConNcCst||d|_d|_dSrO)rRr device_memrwrrrrr&s zIomemCon.__init__cCsd|jt|jfS)Nziomemcon %s %s)rrHrwrrrrrI+szIomemCon.to_string)Nrrrrrr%s rc@seZdZdddZddZdS) IoportConNcCst||d|_d|_dSrO)rRrioportrwrrrrr/s zIoportCon.__init__cCsd|jt|jfS)Nzioportcon %s %s)rrHrwrrrrrI4szIoportCon.to_string)Nrrrrrr.s rc@seZdZdddZddZdS) PciDeviceConNcCst||d|_d|_dSrO)rRrdevicerwrrrrr8s zPciDeviceCon.__init__cCsd|jt|jfS)Nzpcidevicecon %s %s)rrHrwrrrrrI=szPciDeviceCon.to_string)Nrrrrrr7s rc@seZdZdddZddZdS) DeviceTreeConNcCst||d|_d|_dSrO)rRrrrwrrrrrAs zDeviceTreeCon.__init__cCsd|jt|jfS)Nzdevicetreecon %s %s)rrHrwrrrrrIFszDeviceTreeCon.to_string)Nrrrrrr@s rcCsDt|ddD]2\}}d}t|D] }|d}q t|t|q dS)NT)rYrP )r#rangeprintrH)headrXr]rhr_rrr print_treeKs   rc@seZdZdddZddZdS)HeadersNcCst||dSr rrrrrrrTszHeaders.__init__cCsdS)Nz [Headers]rrrrrrIWszHeaders.to_string)NrrrrrrSs rc@seZdZdddZddZdS)r%NcCst||dSr rrrrrr\szModule.__init__cCsdSrOrrrrrrI_szModule.to_string)Nrrrrrr%[s r%c@s"eZdZdZdddZddZdS) r'zqA reference policy interface definition. This class represents a reference policy interface definition. rPNcCst||||_dSr rrrrrrrrgs zInterface.__init__cCs d|jS)Nz[Interface name: %s]rrrrrrIkszInterface.to_string)rPNrrrrrr'bs r'c@seZdZdddZddZdS) TunablePolicyNcCst||g|_dSr rrrrrros zTunablePolicy.__init__cCsdt|jddS)Nz[Tunable Policy %s]rrrrrrrrIsszTunablePolicy.to_string)Nrrrrrrns rc@seZdZdddZddZdS)r)rPNcCst||||_dSr rrrrrrws zTemplate.__init__cCs d|jS)Nz[Template name: %s]rrrrrrI{szTemplate.to_string)rPNrrrrrr)vs r)c@seZdZdddZddZdS)IfDefrPNcCst||||_dSr rrrrrrs zIfDef.__init__cCs d|jS)Nz[Ifdef name: %s]rrrrrrIszIfDef.to_string)rPNrrrrrr~s rc@s&eZdZd ddZddZddZdS) r/rPNcCs"t||||_g|_g|_dSr )rRrifnameargsZcomments)rrr rrrrs zInterfaceCall.__init__cCsR|j|jkrdSt|jt|jkr(dSt|j|jD]\}}||kr6dSq6dS)NFT)rrTrzip)rr}abrrrmatchess zInterfaceCall.matchescCs`d|j}d}|jD]B}t|tr,t|}n|}|dkrF|d|}n||}|d7}q|dS)Nz%s(rrr))rrrrork)rrhr_rrHrrrrIs     zInterfaceCall.to_string)rPN)rrrrrrIrrrrr/s  r/c@seZdZdddZddZdS)OptionalPolicyNcCst||dSr rrrrrrszOptionalPolicy.__init__cCsdS)Nz[Optional Policy]rrrrrrIszOptionalPolicy.to_string)Nrrrrrrs rc@s>eZdZdddZddZddZdd Zd d Zd d ZdS)r+NcCst||d|_dSr )rrrrrrrrs zSupportMacros.__init__cCsdS)Nz[Support Macros]rrrrrrIszSupportMacros.to_stringcCs@t}||jvr2||D]}|||qn |||Sr )rnrby_namer_SupportMacros__expand_permr)rpermrhprrrZ __expand_perms   zSupportMacros.__expand_permcCsBi|_|D]2}t}|jD]}|||q||j|j<q dSr )rrnrrrr)rrZ exp_permsrrrrZ __gen_maps  zSupportMacros.__gen_mapcCs|js||j|Sr r_SupportMacros__gen_maprrrrrrszSupportMacros.by_namecCs|js|||jvSr rrrrrhas_keyszSupportMacros.has_key)N) rrrrrIrrrrrrrrr+s   r+c@s&eZdZdddZddZddZdS) r=NcCs6t||t|_i|_t|_t|_t|_dSr )rRrrmrrr@datausersrrrrrs  zRequire.__init__cCs|j|t}||dSr )r setdefaultrmr)rrrrrrr add_obj_classszRequire.add_obj_classcCsg}|d|jD]}|d|q|jD]\}}|d||fq2|jD]}|d|qX|jD]}|d|qr|jD]}|d|q|dt|dkrd Sd |S) Nz require {z type %s;z class %s %s;z role %s;z bool %s;z user %s;rcrrPrF) rVrrr^rqr@rrrTrg)rrhrZrrr boolrtrrrrIs        zRequire.to_string)N)rrrrrrIrrrrr=s r=c@seZdZddZddZdS) ObjPermSetcCs||_t|_dSr )rrnrrrrrrszObjPermSet.__init__cCsd|j|jfS)Nzdefine(`%s', `%s'))rrrqrrrrrIszObjPermSet.to_stringNrrrrrrsrc@seZdZddZddZdS)ClassMapcCs||_||_dSr rr)rrrrrrrszClassMap.__init__cCs|jd|jS)Nz: rrrrrrIszClassMap.to_stringNrrrrrrsrc@s.eZdZd ddZddZddZdd ZdS) CommentNcCs|r ||_ng|_dSr )lines)rrjrrrr szComment.__init__cCs>t|jdkrdSg}|jD]}|d|qd|SdS)NrrP#rF)rTrrVrg)routlinerrrrIs  zComment.to_stringcCs.t|jr*|jD]}|dkr|j|qdSrO)rTrrV)rr}r rrrmerges  z Comment.mergecCs|Sr )rIrrrrrJ szComment.__str__)N)rrrrrIr rJrrrrrs  r)TFN)N)ra)?stringryZSRC_TYPEZTGT_TYPEZ OBJ_CLASSZPERMSZROLEZ DEST_TYPEZ field_to_strZ str_to_fieldr rrRr#r`rkrlrnrmrsrrr9r;r?rrrrr1r3r5r7rArCr-rrrrrrrrrrrrrrrr%r'rr)rr/rr+r=rrrrrrrs~a &  P <    @:!               !&$