README for simplified policy XML support

1. Related commands
(1) seedit-export
This programs reads simplified policy and export to XML format.

* Usage:
seedit-export -i <simplified policy file>  -o <output filename>

* Example:
When you want to generate XML from default policy.
./seedit-export -i /etc/selinux/seedit/src/policy/simplified_policy/all  -o test.xml
test.xml is XML format simplified policy

(2) seedit-import
This program read XML format simplified policy and output simplified policy that seedit-converter can understand.

* Usage:
 seedit-import -i <xml file> -o <output dir>

xml file is converted into simplified policy, output path is output dir.
If -o is omitted, simplified policy jointed together is displayed to stdout.

+ Example:
$ mkdir testdir
$ ./seedit-import.py -i test.xml -o testdir
This read test.xml and  output simplified policy to testdir

$ ls testdir
acpid_t.a        hald_t.a    modutils_t.a    rpm_t.a       system_crond_t.a
automount_t.a    httpd_t.a   mount_t.a       run_init_t.a  user_r.a
cannaserver_t.a  init_t.a    mysqld_t.a      sendmail_t.a  webmin_t.a
crond_t.a        initrc_t.a  named_t.a       smbd_t.a      xfs_t.a
dbus_t.a         kernel_t.a  newrole_t.a     sshd_t.a      xinetd_t.a
dhcpcd_t.a       klogd_t.a   postfix_t.a     staff_r.a     xserver_t.a
gdm_t.a          login_t.a   proftpd_t.a     su_t.a
getty_t.a        lvm_t.a     restorecon_t.a  sysadm_r.a
global           mail_t.a    rpm_script_t.a  syslogd_t.a

Simplified policy is generated.


2. Syntax of xml format simplified policy

For detailed syntax, see  simplified_policy.dtd.
DTD is available at http://seedit.sourceforge.net/doc/simplified_policy.dtd .
And for meaning of SPDL description, see  Simplified Policy Manual at http://seedit.sourceforge.net/documents.html .

2.1 Basic structue, simplified_policy tag and domain tag

(1) <policy> tag
It is root tag.  Within the tag, <section> tag is repeated like below.
<policy>
<section id="global" type="domain">xxxx </domain>
<section id="httpd_t" type="domain">xxxx </domain>
<section id="sysadm_r" type="role">xxxx </domain>
....
</policy>

(2) <section> tag
Between domain tag, access control rule for corresponding domain is described.

* Attribute: 
	> id: domain or role name
	> type: "role" or "domain"
	     If "domain", value stored id is domain, if "role" value stored id is role

* Example
<section id="httpd_t" type="domain">
xxxxxxxx
</section>

Configuration xxxxx is  for domain "httpd_t".


<section id="sysadm_r" type="role">
xxxxxx 
</section>

Configuration xxxxxx is for role "sysadm_r"

.2 Tags to describe access control
(1) domaintrans tag
Corresponds to "domain_trasn" statement in SPDL.
Describes domain transision by parentdomain and entrypoint tag, like below.
<domaintrans>
<parentdomain value="initrc_t"/>
<entrypoint value="/usr/sbin/httpd"/>
</domaintrans>

(2) user tag
Corresponds to "user" statement of SPDL.
Specifies user name by value attribute like below.
<user value="root">


(3) allowfile tag

There are three Attribute  
  - type: allow|deny|exclusive
  - only: yes|no
  - exclusive: yes|no

Corresponds to "allow" statement of SPDL.
Let's see how to describe allow statement in XML form.

a) allow <file> <permissions>
For example, allow /hoge r,s;
When "allow", use type="allow", and only="no"
and specify filename and permissions like below.
<allowfile only="no" type="allow">
<path value="/hoge"/>
<permission value="r"/>
<permission value="s"/>
</allowfile>
You must use one permission tag for one permission.
If you want to represent "allowonly" use attribute only="yes".
And if you want to represent "deny" use attribute type"deny".

b) allow <path> exclusive <label>
allow /etc exclusive etc_runtime_t;
will be following.

<allowfile type="exclusive">
<path value="/etc"/>
<label value="etc_runtime_t"/>
</allowfile>
Pay attention to type="exclusive"

c) allow <path> exclusive -all <permissions>
allow /etc exclusive -all r,s;
will be below.
<allowfile exclusive="yes">
<path value="/etc"/>
<permission value="r"/>
<permission value="s"/>
</allowfile>

Be careful to exclusive="yes"


(4) allownet tag
You can specify option of allownet statement by "option" tag.
For example, 
<allownet>
<option value="net">
</allownet>
means "allownet -net"
You can specify port number by port tag.

<allownet type="allow">
    <option value="udp"/>
    <port value="68"/>
</allownet>

Means "allownet -udp -port 68;"


(5) allowcom tag
Corresponds to "allowcom" statement of SPDL.

You can speficy type of IPC by option tag, 
target domain by domain tag, and permission by permission tag.

For example,
   <allowcom type="allow">
      <comment/>
      <option value="sig"/>
      <domain value="getty_t"/>
      <permission value="c"/>
    </allowcom>
Means "allowcom -sig getty_t c;"

(6) allowproc tag
Corresponds to "allowproc" statement in SPDL.
You can specify "self" or "other" in option tag, target permisions
by permission tag.

For example,
<allowproc type="allow">
      <option value="self"/>
      <permission value="r"/>
</allowproc>

Means "allowproc -self r;"

(7) allowfs tag
Corresponds to "allowfs" statement in SPDL.

You can specify name of filesystem by fs tag, and permissions by permission tags.
<allowfs type="allow">
     <fs value="proc"/>
     <permission value="r"/>
     <permission value="s"/>
</allowfs>
Means "allowfs proc r,s;"

And "allowfs exclusive" rule is written as following.
   <allowfs type="exclusive">
      <comment/>
      <fs value="tmpfs"/>
      <label value="acpid_tmpfs_t"/>
    </allowfs>
Means, "allowfs tmpfs exclusive acpid_tmpfs_t;"

(8) allowtty, allowpts tag
Correspond to "allowtty,allowpts" statement in SPDL.
Target role can be specified by "role" tag, permissions by "permission" tags.
    <allowtty type="allow">
      <comment/>
      <role value="general"/>
      <permission value="change"/>
    </allowtty>
Means, allowtty -change general;

   <allowpts type="allow">
      <permission value="create"/>
    </allowpts>
Means, "allowpts -create"
   <allowtty type="allow">
      <comment/>
      <role value="general"/>
      <permission value="r"/>
    </allowtty>
Means allowtty general r;

(9) allowpriv,allowkernel, allowseop tags
Correspond to "allowpriv,allowkernel,allowseop" statement in SPDL.

Option can be specified by "option" tag.
    <allowkernel type="allow">
      <option value="netlink"/>
    </allowkernel>
Means "allowkernel netlink;";


(10) comment tag 
Comment can be described in comment tag, at the begining of access control rule. 
This will do no effect to policy.
Described comment is included in simplified policy(that converted by seedit-import).

For example,
    <allowkernel type="allow">
      <comment>#priviledges
</comment>
      <option value="netlink"/>
    </allowkernel>

will be following in SPDL form.

#priviledges
allowkernel netlink;