diff --git a/autotests/html/usr.bin.apparmor-profile-test.html b/autotests/html/usr.bin.apparmor-profile-test.html
--- a/autotests/html/usr.bin.apparmor-profile-test.html
+++ b/autotests/html/usr.bin.apparmor-profile-test.html
@@ -136,7 +136,7 @@
set rlimit data <= 100M,
set rlimit nproc <= 10,
set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
+ set rlimit rss <= infinity,
# Change Profile rules
change_profile unsafe /** -> [^u/]**,
diff --git a/autotests/reference/test.cil.ref b/autotests/reference/test.cil.ref
--- a/autotests/reference/test.cil.ref
+++ b/autotests/reference/test.cil.ref
@@ -43,7 +43,7 @@
; filecon
(filecon "/system/bin/run-as" file runas_exec_context)
-(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
+(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())
(classcommon file any dir)
(file any dir)
@@ -63,9 +63,9 @@
(allow process httpd.object (file (read write)))
; Paths
-"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
-"/pa\12th.*a+b?"
-/usr/hi\"esc\032esc\*3es{2,2}ds
+"/system/(foo|bar)/[^/]*/(hi){2,6}(.*)?"
+"/pa\12th.*a+b?"
+/usr/hi\"esc\032esc\*3es{2,2}ds
"/data/(open "
"/data/[open "
diff --git a/autotests/reference/test.fc.ref b/autotests/reference/test.fc.ref
--- a/autotests/reference/test.fc.ref
+++ b/autotests/reference/test.fc.ref
@@ -2,46 +2,46 @@
# Syntax of 'file_contexts' file and other SELinux configuration files:
-/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
+/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0
/.* system_u:object_r:default_t:s0
/sys(/.*)? system_u:object_r:sysfs_t:s0
/xen(/.*)? system_u:object_r:xen_image_t:s1
-/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
-/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
+/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
+/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
/tmp/.* <>
/root(/.*)? system_u:object_r:admin_home_t:s0
-/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
-/run/.*\.*pid <>
-/mnt/[^/]*/.* <>
+/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
+/run/.*\.*pid <>
+/mnt/[^/]*/.* <>
/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s5-s6:c0
/dev/(misc/)?psaux -c system_u:object_r:mouse_device_t:s0-s3:c0.c5
HOME_DIR/.+ system_u:object_r:user_home_t:s0
-HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
-HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
+HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
+HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0
-/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
-/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
-/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
+/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
+/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
+/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
/etc/ppp(/.*)? -- system_u:object_r:pppd_etc_rw_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/usr/lib(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
/dev/shm/.* <>
-/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
+/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0.s3
/sbin/lilo.* -- system_u:object_r:bootloader_exec_t:s0
-/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
-/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0
+/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
+/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0
# Syntax of *.fc files, from the SELinux reference policy:
/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0,c0)
-/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
-HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
+/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
+HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,c1)
HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
@@ -53,7 +53,7 @@
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`init_systemd',`
- /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
+ /run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
')
# Tests
@@ -67,11 +67,11 @@
/hello(world
/hello[wo
-/path[^0-8]+
-/path(hello|bye)
+/path[^0-8]+
+/path(hello|bye)
/path.*a+b?
-/path\wa\Wa\sa\da\ba\Ba\(a
-/usr/hi\"esc\sesc\032esc\*3esds
+/path\wa\Wa\sa\da\ba\Ba\(a
+/usr/hi\"esc\sesc\032esc\*3esds
# Security contexts
user:role
diff --git a/autotests/reference/usr.bin.apparmor-profile-test.ref b/autotests/reference/usr.bin.apparmor-profile-test.ref
--- a/autotests/reference/usr.bin.apparmor-profile-test.ref
+++ b/autotests/reference/usr.bin.apparmor-profile-test.ref
@@ -5,59 +5,59 @@
include
# Variable assignment
-@{FOO_LIB}=/usr/lib{,32,64}/foo
+@{FOO_LIB}=/usr/lib{,32,64}/foo
@{USER_DIR} = @{HOME}/Public @{HOME}/Desktop
@{USER_DIR} += @{HOME}/Hello
# Profile for /usr/bin/foo
-/usr/bin/foo (attach_disconnected, enforce) {
+/usr/bin/foo (attach_disconnected, enforce) {
include
include
#include
#include
#include"/etc/apparmor.d/abstractions/ubuntu-konsole"
include "/etc/apparmor.d/abstractions/openssl"
- /{,**/} r,# Read only directories
+ /{,**/} r,# Read only directories
- owner /{home,media,mnt,srv,net}/** r,
- owner @{USER_DIR}/** rw,
- audit deny owner /**/* mx,
- /**.[tT][xX][tT] r, # txt
+ owner /{home,media,mnt,srv,net}/** r,
+ owner @{USER_DIR}/** rw,
+ audit deny owner /**/* mx,
+ /**.[tT][xX][tT] r, # txt
- owner file @{HOME}/.local/share/foo/{,**} rwkl,
- owner @{HOME}/.config/foo/{,**} rwk,
- owner @{HOME}/.config/* rw,
- owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
- owner @{HOME}/.cache/foo/{,**} rwk,
+ owner file @{HOME}/.local/share/foo/{,**} rwkl,
+ owner @{HOME}/.config/foo/{,**} rwk,
+ owner @{HOME}/.config/* rw,
+ owner @{HOME}/.config/*.[a-zA-Z0-9]* rwk,
+ owner @{HOME}/.cache/foo/{,**} rwk,
- "/usr/share/**" r,
- "/var/lib/flatpak/exports/share/**" r,
- "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
+ "/usr/share/**" r,
+ "/var/lib/flatpak/exports/share/**" r,
+ "/var/lib/flatpak/app/**/export/share/applications/*.desktop" r,
allow file /etc/nsswitch.conf r,
allow /etc/fstab r,
/etc/udev/udev.conf r,
- /etc/xdg/** r,
+ /etc/xdg/** r,
/etc/xdg/Trolltech.conf k,
- deny /etc/xdg/{autostart,systemd}/** r,
- deny /boot/** rwlkmx,
+ deny /etc/xdg/{autostart,systemd}/** r,
+ deny /boot/** rwlkmx,
- owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
- /sys/devices/**/uevent r,
+ owner @{PROC}/@{pid}/{cmdline,mountinfo,mounts,stat,status,vmstat} r,
+ /sys/devices/**/uevent r,
/usr/bin/foo ixr,
/usr/bin/dolphin PUx,
- /usr/bin/* Pixr,
+ /usr/bin/* Pixr,
/usr/bin/khelpcenter Cx -> sanitized_helper,
/usr/bin/helloworld Cxr ->
hello_world,
- /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
- @{FOO_LIB}/{,**} mr,
+ /usr/lib{,32,64}/{,@{multiarch}/}qt5/plugins/{,**/}*.so m,
+ @{FOO_LIB}/{,**} mr,
- audit deny /dev/{audio,video}* rwlkmx,
+ audit deny /dev/{audio,video}* rwlkmx,
# Dbus rules
dbus (send)
@@ -69,12 +69,12 @@
=system
=/org/freedesktop/NetworkManager
=org.freedesktop.NetworkManager
- ={Introspect,state}
- =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
+ ={Introspect,state}
+ =(name=(org.freedesktop.NetworkManager|org.freedesktop.DBus)),
dbus (send)
=session
- =/org/gnome/GConf/Database/*
- ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
+ =/org/gnome/GConf/Database/*
+ ={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},
dbus (bind)
=system
=org.bluez,
@@ -84,17 +84,17 @@
signal (send, receive) =(int exists rtmin+8) =/usr/lib/hello/world//foo-helper,
# Child profile
- profile hello_world {
+ profile hello_world {
# File rules (three different ways)
- file /usr/lib{,32,64}/helloworld/**.so mr,
- /usr/lib{,32,64}/helloworld/** r,
- rk /usr/lib{,32,64}/helloworld/hello,file,
+ file /usr/lib{,32,64}/helloworld/**.so mr,
+ /usr/lib{,32,64}/helloworld/** r,
+ rk /usr/lib{,32,64}/helloworld/hello,file,
# Link rules (two ways)
l /foo1 -> /bar,
link /foo2 -> bar,
link /foo3 to bar,
- link subset /link* -> /**,
+ link subset /link* -> /**,
# Network rules
network inet6 tcp, #Allow access to tcp only for inet6 addresses
@@ -108,10 +108,10 @@
capability sys_chroot,
# Mount rules
- mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
- mount in (rw, bind) / -> /run/hellowordd/*.mnt,
- mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
- umount /home/*/helloworld/,
+ mount =(rw bind remount nodev noexec) =ecryptfs /home/*/.helloworld/ -> /home/*/helloworld/,
+ mount in (rw, bind) / -> /run/hellowordd/*.mnt,
+ mount =read-only =btrfs /dev/sd[a-z][1-9]* -> /media/*/*,
+ umount /home/*/helloworld/,
# Pivot Root rules
pivot_root =/mnt/root/old/ /mnt/root/,
@@ -122,36 +122,36 @@
ptrace (read, trace, tracedby) =/usr/lib/hello/helloword,
# Unix rules
- unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
+ unix (connect receive send) =(stream) =(label=unconfined addr=@/tmp/ibus/dbus-*),
unix (send,receive) =(stream) =0 =(addr=none),
unix =(label=@{profile_name},addr=@helloworld),
# Rlimit rule
set rlimit data <= 100M,
set rlimit nproc <= 10,
set rlimit memlock <= 2GB,
- set rlimit rss <= infinity,
+ set rlimit rss <= infinity,
# Change Profile rules
- change_profile unsafe /** -> [^u/]**,
- change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
+ change_profile unsafe /** -> [^u/]**,
+ change_profile unsafe /** -> {u,un,unc,unco,uncon,unconf,unconfi,unconfin,unconfine},
change_profile /bin/bash ->
new_profile,
# Alias
alias /usr/ -> /mnt/usr/,
- }
+ }
# Hat
- ^foo-helper {
+ ^foo-helper {
network unix stream,
unix stream,
- /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions
+ /usr/hi\"esc\x23esc\032esc\*es\{esc\ rw r, # Escape expressions
# Text after a variable is highlighted as path
file /my/path r,
@{FOO_LIB}file r,
@{FOO_LIB}#my/path r, #Comment
- }
-}
+ }
+}
diff --git a/data/syntax/apparmor.xml b/data/syntax/apparmor.xml
--- a/data/syntax/apparmor.xml
+++ b/data/syntax/apparmor.xml
@@ -1,10 +1,14 @@
-
-
-
+
+
+
+
+
+
+
]>
- flags
+ - xattrs
- audit
- - complain
- - enforce
- - mediate_deleted
- - attach_disconnected
- - chroot_relative
- - chroot_attach
- - chroot_no_attach
- - delegate_deleted
- - no_attach_disconnected
- - namespace_relative
+ - enforce
- complain
+ - mediate_deleted
- delegate_deleted
+ - attach_disconnected
- no_attach_disconnected
+ - chroot_relative
- namespace_relative
+ - chroot_attach
- chroot_no_attach
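Review bot: `xattrs` is inserted among the profile flag names (`+ - xattrs`, directly before `audit`), but in an AppArmor profile header `xattrs=(...)` is an attachment condition that sits beside `flags=(...)`, not a value accepted inside it; if this is the `flags` value list, the highlighter would present `flags=(xattrs)` as valid when, as far as I know, the parser does not accept it, and `xattrs` belongs in its own list or rule. The enclosing `<list>` elements were stripped from this rendering, so which list actually receives the item cannot be confirmed here and should be checked against the file. The remaining lines of the hunk only reorder the existing flag names.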
@@ -99,104 +100,63 @@
- audit
-
+
- - audit_control
- - audit_read
- - audit_write
- - block_suspend
- - chown
- - dac_override
- - dac_read_search
- - fowner
- - fsetid
- - ipc_lock
- - ipc_owner
- - kill
- - lease
- - linux_immutable
- - mac_admin
- - mac_override
- - mknod
- - net_admin
- - net_bind_service
- - net_broadcast
- - net_raw
- - setgid
- - setfcap
- - setpcap
- - setuid
- - sys_admin
- - sys_boot
- - sys_chroot
- - sys_module
- - sys_nice
- - sys_pacct
- - sys_ptrace
- - sys_rawio
- - sys_resource
- - sys_time
- - sys_tty_config
- - syslog
- - wake_alarm
+ - audit_control
- audit_read
+ - audit_write
- block_suspend
+ - chown
- dac_override
+ - dac_read_search
- fowner
+ - fsetid
- ipc_lock
+ - ipc_owner
- kill
+ - lease
- linux_immutable
+ - mac_admin
- mac_override
+ - mknod
- net_admin
+ - net_bind_service
- net_broadcast
+ - net_raw
- setgid
+ - setfcap
- setpcap
+ - setuid
- sys_admin
+ - sys_boot
- sys_chroot
+ - sys_module
- sys_nice
+ - sys_pacct
- sys_ptrace
+ - sys_rawio
- sys_resource
+ - sys_time
- sys_tty_config
+ - syslog
- wake_alarm
- - inet
- - ax25
- - ipx
- - appletalk
- - netrom
- - bridge
- - atmpvc
- - x25
- - inet6
- - rose
- - netbeui
- - security
- - key
- - packet
- - ash
- - econet
- - atmsvc
- - sna
- - irda
- - pppox
- - wanpipe
- - bluetooth
- - netlink
- - rds
- - llc
- - can
- - tipc
- - iucv
- - rxrpc
- - isdn
- - phonet
- - ieee802154
- - caif
- - alg
- - nfc
- - vsock
- - mpls
- - ib
- - kcm
- - smc
+ - inet
- ax25
+ - ipx
- appletalk
+ - netrom
- bridge
+ - atmpvc
- x25
+ - inet6
- rose
+ - netbeui
- security
+ - key
- packet
+ - ash
- econet
+ - atmsvc
- sna
+ - irda
- pppox
+ - wanpipe
- bluetooth
+ - netlink
- rds
+ - llc
- can
+ - tipc
- iucv
+ - rxrpc
- isdn
+ - phonet
- ieee802154
+ - caif
- alg
+ - nfc
- vsock
+ - mpls
- ib
+ - kcm
- smc
- - stream
- - dgram
- - seqpacket
- - rdm
+ - stream
- dgram
+ - seqpacket
- rdm
- raw
@@ -209,157 +169,73 @@
to avoid conflicts with the 'unix' rule name. -->
- unix
-
+
- - fstype
- - vfstype
- - options
- - option
+ - fstype
- vfstype
+ - options
- option
- - r
- - w
- - rw
- - ro
- - read-only
- - suid
- - nosuid
- - dev
- - nodev
- - exec
- - noexec
- - sync
- - async
- - remount
- - mand
- - nomand
- - dirsync
- - atime
- - noatime
- - diratime
- - nodiratime
- - bind
- - B
- - move
- - M
- - rbind
- - R
- - verbose
- - silent
- - loud
- - acl
- - noacl
- - unbindable
- - make-unbindable
- - runbindable
- - make-runbindable
- - private
- - make-private
- - rprivate
- - make-rprivate
- - slave
- - make-slave
- - rslave
- - make-rslave
- - shared
- - make-shared
- - rshared
- - make-rshared
- - relatime
- - norelatime
- - iversion
- - noiversion
- - strictatime
- - user
- - nouser
+ - r
- w
+ - rw
- ro
+ - read-only
- suid
+ - nosuid
- dev
+ - nodev
- exec
+ - noexec
- sync
+ - async
- remount
+ - mand
- nomand
+ - dirsync
- atime
+ - noatime
- diratime
+ - nodiratime
- bind
+ - B
- move
+ - M
- rbind
+ - R
- verbose
+ - silent
- loud
+ - acl
- noacl
+ - unbindable
- make-unbindable
+ - runbindable
- make-runbindable
+ - private
- make-private
+ - rprivate
- make-rprivate
+ - slave
- make-slave
+ - rslave
- make-rslave
+ - shared
- make-shared
+ - rshared
- make-rshared
+ - relatime
- norelatime
+ - iversion
- noiversion
+ - strictatime
- user
+ - nouser
- - autofs
- - bdev
- - bpf
- - cachefs
- - cgroup
- - cgroup2
- - cifs
- - coherent
- - configfs
- - cpuset
- - cramfs
- - debugfs
- - devfs
- - devpts
- - devtmpfs
- - ecryptfs
- - efs
- - fuse
- - fuseblk
- - fusectl
- - hugetlbfs
- - iso9660
- - kernfs
- - mqueue
- - pipefs
- - proc
- - procfs
- - pstore
- - ramfs
- - romfs
- - rootfs
- - securityfs
- - selinuxfs
- - sockfs
- - specfs
- - squashfs
- - swapfs
- - sysfs
- - sysv
- - tmpfs
- - usbfs
- - vfat
+ - autofs
- bdev
- bpf
+ - cachefs
- cgroup
- cgroup2
+ - cifs
- coherent
- configfs
+ - cpuset
- cramfs
- debugfs
+ - devfs
- devpts
- devtmpfs
+ - ecryptfs
- efs
- fuse
+ - fuseblk
- fusectl
- hugetlbfs
+ - iso9660
- kernfs
- mqueue
+ - pipefs
- proc
- procfs
+ - pstore
- ramfs
- romfs
+ - rootfs
- securityfs
- selinuxfs
+ - sockfs
- specfs
- squashfs
+ - swapfs
- sysfs
- sysv
+ - tmpfs
- usbfs
- vfat
- - adfs
- - affs
- - apfs
- - btrfs
- - coda
- - exfat
- - ext2
- - ext3
- - ext4
- - f2fs
- - fatx
- - hfs
- - hfsplus
- - hpfs
- - jfs
- - lvm2
- - minix
- - msdos
- - ncpfs
- - nilfs
- - nilfs2
- - nfs
- - nfs4
- - ntfs
- - ntfs-3g
- - openzfs
- - qnx4
- - qnx6
- - reiser4
- - reiserfs
- - smbfs
- - swap
- - tracefs
- - ubifs
- - udf
- - ufs
- - umsdos
- - urefs
- - xenix
- - xfs
- - zfs
+ - adfs
- affs
- apfs
+ - btrfs
- coda
- exfat
+ - ext2
- ext3
- ext4
+ - f2fs
- fatx
- hfs
+ - hfsplus
- hpfs
- jfs
+ - lvm2
- minix
- msdos
+ - ncpfs
- nilfs
- nilfs2
+ - nfs
- nfs4
- ntfs
+ - ntfs-3g
- openzfs
- qnx4
+ - qnx6
- reiser4
- reiserfs
+ - smbfs
- swap
- tracefs
+ - ubifs
- udf
- ufs
+ - umsdos
- urefs
- xenix
+ - xfs
- zfs
@@ -386,39 +262,17 @@
- - bus
- - hup
- - int
- - quit
- - ill
- - trap
- - abrt
- - fpe
- - kill
- - usr1
- - segv
- - usr2
- - pipe
- - alrm
- - term
- - stkflt
- - chld
- - cont
- - stop
- - stp
- - ttin
- - ttou
- - urg
- - xcpu
- - xfsz
- - vtalrm
- - prof
- - winch
- - io
- - pwr
- - sys
- - emt
- - exists
+ - bus
- hup
- int
+ - quit
- ill
- trap
+ - abrt
- fpe
- kill
+ - usr1
- segv
- usr2
+ - pipe
- alrm
- term
+ - stkflt
- chld
- cont
+ - stop
- stp
- ttin
+ - ttou
- urg
- xcpu
+ - xfsz
- vtalrm
- prof
+ - winch
- io
- pwr
+ - sys
- emt
- exists
@@ -428,74 +282,51 @@
- - peer
- - bus
- - path
- - interface
- - member
- - name
+ - peer
- bus
+ - path
- interface
+ - member
- name
- name
- label
- - send
- - receive
- - bind
- - eavesdrop
+ - send
- receive
+ - bind
- eavesdrop
- system
- session
- - peer
- - set
- - label
- - type
- - protocol
- - addr
- - attr
- - opt
+ - peer
- set
+ - label
- type
+ - protocol
- addr
+ - attr
- opt
- - send
- - receive
- - bind
- - create
- - listen
- - accept
- - connect
- - shutdown
- - getattr
- - setattr
- - getopt
- - setopt
+ - send
- receive
+ - bind
- create
+ - listen
- accept
+ - connect
- shutdown
+ - getattr
- setattr
+ - getopt
- setopt
- - cpu
- - fsize
- - data
- - stack
- - core
- - rss
- - nofile
- - ofile
- - as
- - nproc
- - memlock
- - locks
- - sigpending
- - msgqueue
- - nice
- - rtprio
+ - cpu
- fsize
+ - data
- stack
+ - core
- rss
+ - nofile
- ofile
+ - as
- nproc
+ - memlock
- locks
+ - sigpending
- msgqueue
+ - nice
- rtprio
- rttime
@@ -509,6 +340,11 @@
- safe
- unsafe
+
+
+ - if
+ - exists
+
@@ -525,151 +361,90 @@
- profile_name
- - HOME
- - HOMEDIRS
- - multiarch
- - pid
- - pids
- - PROC
- - securityfs
- - apparmorfs
- - sys
- - tid
- - XDG_DESKTOP_DIR
- - XDG_DOWNLOAD_DIR
- - XDG_TEMPLATES_DIR
- - XDG_PUBLICSHARE_DIR
- - XDG_DOCUMENTS_DIR
- - XDG_MUSIC_DIR
- - XDG_PICTURES_DIR
- - XDG_VIDEOS_DIR
+ - HOME
- HOMEDIRS
+ - multiarch
- pid
+ - pids
- PROC
+ - securityfs
- apparmorfs
+ - sys
- tid
+ - XDG_DESKTOP_DIR
- XDG_DOWNLOAD_DIR
+ - XDG_TEMPLATES_DIR
- XDG_PUBLICSHARE_DIR
+ - XDG_DOCUMENTS_DIR
- XDG_MUSIC_DIR
+ - XDG_PICTURES_DIR
- XDG_VIDEOS_DIR
- - abstractions/
- - apache2-common
- - aspell
- - audio
- - authentication
- - base
- - bash
- - consoles
- - cups-client
- - dbus
- - dbus-accessibility
- - dbus-accessibility-strict
- - dbus-session
- - dbus-session-strict
- - dbus-strict
- - dconf
- - dovecot-common
- - enchant
- - fcitx
- - fcitx-strict
- - fonts
- - freedesktop.org
- - gnome
- - gnupg
- - ibus
- - kde
- - kerberosclient
- - launchpad-integration
- - ldapclient
- - libpam-systemd
- - likewise
- - mdns
- - mir
- - mozc
- - mysql
- - nameservice
- - nis
- - nvidia
- - openssl
- - orbit2
- - p11-kit
- - perl
- - php
- - php5
- - postfix-common
- - private-files
- - private-files-strict
- - python
- - ruby
- - samba
- - smbpass
- - ssl_certs
- - ssl_keys
- - svn-repositories
- - ubuntu-bittorrent-clients
- - ubuntu-browsers
- - ubuntu-console-browsers
- - ubuntu-console-email
- - ubuntu-email
- - ubuntu-feed-readers
- - ubuntu-gnome-terminal
- - ubuntu-helpers
- - ubuntu-konsole
- - ubuntu-media-players
- - ubuntu-unity7-base
- - ubuntu-unity7-launcher
- - ubuntu-unity7-messaging
- - ubuntu-xterm
- - user-download
- - user-mail
- - user-manpages
- - user-tmp
- - user-write
- - video
- - wayland
- - web-data
- - winbind
- - wutmp
- - X
- - xad
- - xdg-desktop
+ - abstractions/
- apache2-common
+ - aspell
- audio
+ - authentication
- base
+ - bash
- consoles
+ - cups-client
- dbus
+ - dbus-accessibility
- dbus-accessibility-strict
+ - dbus-session
- dbus-session-strict
+ - dbus-strict
- dconf
+ - dri-common
- dri-enumerate
+ - dovecot-common
- enchant
+ - fcitx
- fcitx-strict
+ - fonts
- freedesktop.org
+ - gnome
- gnupg
+ - ibus
- kde
+ - kerberosclient
- launchpad-integration
+ - ldapclient
- libpam-systemd
+ - likewise
- mdns
+ - mir
- mozc
+ - mysql
- nameservice
+ - nis
- nvidia
+ - openssl
- orbit2
+ - p11-kit
- perl
+ - php
- php5
+ - postfix-common
- python
+ - private-files
- private-files-strict
+ - ruby
- samba
+ - smbpass
- svn-repositories
+ - ssl_certs
- ssl_keys
+ - ubuntu-browsers
- ubuntu-bittorrent-clients
+ - ubuntu-console-email
- ubuntu-console-browsers
+ - ubuntu-email
- ubuntu-feed-readers
+ - ubuntu-helpers
- ubuntu-gnome-terminal
+ - ubuntu-konsole
- ubuntu-media-players
+ - ubuntu-unity7-base
- ubuntu-unity7-launcher
+ - ubuntu-xterm
- ubuntu-unity7-messaging
+ - user-download
- user-mail
+ - user-manpages
- user-tmp
+ - user-write
- video
+ - wayland
- web-data
+ - winbind
- wutmp
+ - X
- xad
+ - xdg-desktop
- - ubuntu-browsers.d/
- - java
- - mailto
- - multimedia
- - plugins-common
- - productivity
- - text-editors
- - ubuntu-integration
- - ubuntu-integration-xul
- - user-files
+ - ubuntu-browsers.d/
- java
+ - mailto
- multimedia
+ - plugins-common
- productivity
+ - text-editors
- user-files
+ - ubuntu-integration
- ubuntu-integration-xul
- - apparmor_api/
- - change_profile
- - examine
- - find_mountpoint
- - introspect
- - is_enabled
+ - apparmor_api/
- change_profile
+ - examine
- find_mountpoint
+ - introspect
- is_enabled
- - tunables/
- - alias
- - apparmorfs
- - dovecot
- - global
- - home
- - kernelvars
- - multiarch
- - ntpd
- - proc
- - securityfs
- - sys
+ - tunables/
- alias
+ - apparmorfs
- dovecot
+ - global
- home
+ - kernelvars
- multiarch
+ - ntpd
- proc
+ - securityfs
- sys
- xdg-user-dirs
- - home.d/
- - multiarch.d/
- - xdg-user-dirs.d/
- - site.local
+ - home.d/
- multiarch.d/
+ - xdg-user-dirs.d/
- site.local
- local/
- True
- False
+
+ - infinity
+
- unspec
- none
@@ -719,13 +494,13 @@
+
-
-
-
+
+
-
-
+
+
@@ -749,10 +524,9 @@
+
-
-
@@ -762,16 +536,24 @@
-
-
+
+
+
+
+
+
+
+
+
+
@@ -801,18 +583,21 @@
-
-
+
+
+
+
+
+
-
-
+
@@ -822,13 +607,20 @@
+
+
+
+
+
-
+
-
-
+
+
+
+
@@ -842,80 +634,75 @@
-
-
-
+
-
-
+
+
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
+
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
+
-
+
-
+
+
+
-
+
@@ -927,10 +714,19 @@
-
+
+
+
+
+
+
+
+
+
+
@@ -1054,9 +850,9 @@
-
+
-
+
@@ -1106,38 +902,40 @@
-
-
-
+
+
+
-
+
+
+
-
+
-
-
+
+
+
+
-
-
-
-
-
-
+
+
+
+
@@ -1148,6 +946,18 @@
+
+
+
+
+
+
+
+
+
+
+
+
@@ -1167,46 +977,47 @@
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-
-
+
+
+
-
-
-
+
-
+
+
+
-
-
-
@@ -1221,18 +1032,19 @@
-
+
-
-
+
+
-
+
+
@@ -1242,56 +1054,42 @@
-
+
-
-
+
+
-
+
-
+
-
-
+
+
-
+
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
@@ -1308,47 +1106,47 @@
-
-
+
+
-
+
-
-
+
+
-
-
-
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
-
+
-
-
-
-
-
-
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
diff --git a/data/syntax/selinux-cil.xml b/data/syntax/selinux-cil.xml
--- a/data/syntax/selinux-cil.xml
+++ b/data/syntax/selinux-cil.xml
@@ -3,7 +3,7 @@
[
-
+
]>
- - accept
- - acceptfrom
- - access
- - acquire_svc
- - add
- - add_child
- - add_color
- - add_glyph
- - add_name
- - admin
- - append
- - associate
- - attach_queue
- - audit_access
- - audit_control
- - audit_read
- - audit_write
- - bell
- - bind
- - blend
- - block_suspend
- - call
- - check_context
- - chfn
- - chown
- - chsh
- - compute_av
- - compute_create
- - compute_member
- - compute_relabel
- - compute_user
- - connect
- - connectto
- - contains
- - copy
- - create
- - create_files_as
- - crontab
- - dac_override
- - dac_read_search
- - dccp_recv
- - dccp_send
- - debug
- - delete
- - destroy
- - disable
- - drop
- - dyntransition
- - egress
- - enable
- - enforce_dest
- - enqueue
- - entrypoint
- - execheap
- - execmem
- - execmod
- - execstack
- - execute
- - execute_no_trans
- - expand
- - export
- - flow_in
- - flow_out
- - force_cursor
- - fork
- - forward_in
- - forward_out
- - fowner
- - freeze
- - fsetid
- - get_param
- - get_property
- - get_value
- - getattr
- - getcap
- - getfocus
- - getgrp
- - gethost
- - getopt
- - getpgid
- - getpwd
- - getrlimit
- - getsched
- - getserv
- - getsession
- - getstat
- - grab
- - halt
- - hide
- - hide_cursor
- - impersonate
- - implement
- - import
- - ingress
- - insert
- - install
- - install_module
- - ioctl
- - ipc_info
- - ipc_lock
- - ipc_owner
- - kill
- - lease
- - link
- - linux_immutable
- - list_child
- - list_property
- - listen
- - load_module
- - load_policy
- - lock
- - mac_admin
- - mac_override
- - manage
- - manage_subnet
- - map
- - mknod
- - mmap_zero
- - module_load
- - module_request
- - mount
- - mounton
- - name_bind
- - name_connect
- - net_admin
- - net_bind_service
- - net_broadcast
- - net_raw
- - newconn
- - next_value
- - nlmsg_read
- - nlmsg_readpriv
- - nlmsg_relay
- - nlmsg_tty_audit
- - nlmsg_write
- - nnp_transition
- - noatsecure
- - node_bind
- - nosuid_transition
- - open
- - override
- - passwd
- - paste
- - paste_after_confirm
- - polmatch
- - ptrace
- - query
- - quotaget
- - quotamod
- - quotaon
- - rawip_recv
- - rawip_send
- - read
- - read_policy
- - reboot
- - receive
- - record
- - recv
- - recv_msg
- - recvfrom
- - relabelfrom
- - relabelto
- - reload
- - remount
- - remove
- - remove_child
- - remove_color
- - remove_glyph
- - remove_name
- - rename
- - reparent
- - rlimitinh
- - rmdir
- - rootok
- - saver_getattr
- - saver_hide
- - saver_setattr
- - saver_show
- - search
- - select
- - send
- - send_msg
- - sendto
- - set_context_mgr
- - set_param
- - set_property
- - set_value
- - setattr
- - setbool
- - setcap
- - setcheckreqprot
- - setcontext
- - setcurrent
- - setenforce
- - setexec
- - setfcap
- - setfocus
- - setfscreate
- - setgid
- - setkeycreate
- - setopt
- - setpcap
- - setpgid
- - setrlimit
- - setsched
- - setsecparam
- - setsockcreate
- - setuid
- - share
- - shmemgrp
- - shmemhost
- - shmempwd
- - shmemserv
- - show
- - show_cursor
- - shutdown
- - sigchld
- - siginh
- - sigkill
- - signal
- - signull
- - sigstop
- - start
- - status
- - stop
- - swapon
- - sys_admin
- - sys_boot
- - sys_chroot
- - sys_module
- - sys_nice
- - sys_pacct
- - sys_ptrace
- - sys_rawio
- - sys_resource
- - sys_time
- - sys_tty_config
- - syslog
- - syslog_console
- - syslog_mod
- - syslog_read
- - tcp_recv
- - tcp_send
- - transfer
- - transition
- - translate
- - udp_recv
- - udp_send
- - uninstall
- - unix_read
- - unix_write
- - unlink
- - unmount
- - update
- - use
- - use_as_override
- - validate_trans
- - view
- - wake_alarm
- - write
+ - accept
- acceptfrom
- access
+ - acquire_svc
- add
- add_child
+ - add_color
- add_glyph
- add_name
+ - admin
- append
- associate
+ - attach_queue
- audit_access
- audit_control
+ - audit_read
- audit_write
- bell
+ - bind
- blend
- block_suspend
+ - call
- check_context
- chfn
+ - chown
- chsh
- compute_av
+ - compute_create
- compute_member
- compute_relabel
+ - compute_user
- connect
- connectto
+ - contains
- copy
- create
+ - create_files_as
- crontab
- dac_override
+ - dac_read_search
- dccp_recv
- dccp_send
+ - debug
- delete
- destroy
+ - disable
- drop
- dyntransition
+ - egress
- enable
- enforce_dest
+ - enqueue
- entrypoint
- execheap
+ - execmem
- execmod
- execstack
+ - execute
- execute_no_trans
- expand
+ - export
- flow_in
- flow_out
+ - force_cursor
- fork
- forward_in
+ - forward_out
- fowner
- freeze
+ - fsetid
- get_param
- get_property
+ - get_value
- getattr
- getcap
+ - getfocus
- getgrp
- gethost
+ - getopt
- getpgid
- getpwd
+ - getrlimit
- getsched
- getserv
+ - getsession
- getstat
- grab
+ - halt
- hide
- hide_cursor
+ - impersonate
- implement
- import
+ - ingress
- insert
- install
+ - install_module
- ioctl
- ipc_info
+ - ipc_lock
- ipc_owner
- kill
+ - lease
- link
- linux_immutable
+ - list_child
- list_property
- listen
+ - load_module
- load_policy
- lock
+ - mac_admin
- mac_override
- manage
+ - manage_subnet
- map
- mknod
+ - mmap_zero
- module_load
- module_request
+ - mount
- mounton
- name_bind
+ - name_connect
- net_admin
- net_bind_service
+ - net_broadcast
- net_raw
- newconn
+ - next_value
- nlmsg_read
- nlmsg_readpriv
+ - nlmsg_relay
- nlmsg_tty_audit
- nlmsg_write
+ - nnp_transition
- noatsecure
- node_bind
+ - nosuid_transition
- open
- override
+ - passwd
- paste
- paste_after_confirm
+ - polmatch
- ptrace
- query
+ - quotaget
- quotamod
- quotaon
+ - rawip_recv
- rawip_send
- read
+ - read_policy
- reboot
- receive
+ - record
- recv
- recv_msg
+ - recvfrom
- relabelfrom
- relabelto
+ - reload
- remount
- remove
+ - remove_child
- remove_color
- remove_glyph
+ - remove_name
- rename
- reparent
+ - rlimitinh
- rmdir
- rootok
+ - saver_getattr
- saver_hide
- saver_setattr
+ - saver_show
- search
- select
+ - send
- send_msg
- sendto
+ - set_context_mgr
- set_param
- set_property
+ - set_value
- setattr
- setbool
+ - setcap
- setcheckreqprot
- setcontext
+ - setcurrent
- setenforce
- setexec
+ - setfcap
- setfocus
- setfscreate
+ - setgid
- setkeycreate
- setopt
+ - setpcap
- setpgid
- setrlimit
+ - setsched
- setsecparam
- setsockcreate
+ - setuid
- share
- shmemgrp
+ - shmemhost
- shmempwd
- shmemserv
+ - show
- show_cursor
- shutdown
+ - sigchld
- siginh
- sigkill
+ - signal
- signull
- sigstop
+ - start
- status
- stop
+ - swapon
- sys_admin
- sys_boot
+ - sys_chroot
- sys_module
- sys_nice
+ - sys_pacct
- sys_ptrace
- sys_rawio
+ - sys_resource
- sys_time
- sys_tty_config
+ - syslog
- syslog_console
- syslog_mod
+ - syslog_read
- tcp_recv
- tcp_send
+ - transfer
- transition
- translate
+ - udp_recv
- udp_send
- uninstall
+ - unix_read
- unix_write
- unlink
+ - unmount
- update
- use
+ - use_as_override
- validate_trans
- view
+ - wake_alarm
- write
- - autofs
- - bdev
- - bpf
- - cachefs
- - cgroup
- - cgroup2
- - cifs
- - coherent
- - configfs
- - cpuset
- - cramfs
- - debugfs
- - devfs
- - devpts
- - devtmpfs
- - ecryptfs
- - efs
- - fuse
- - fuseblk
- - fusectl
- - hugetlbfs
- - iso9660
- - kernfs
- - mqueue
- - pipefs
- - proc
- - procfs
- - pstore
- - ramfs
- - romfs
- - rootfs
- - securityfs
- - selinuxfs
- - sockfs
- - specfs
- - squashfs
- - swapfs
- - sysfs
- - sysv
- - tmpfs
- - usbfs
- - vfat
+ - autofs
- bdev
- bpf
+ - cachefs
- cgroup
- cgroup2
+ - cifs
- coherent
- configfs
+ - cpuset
- cramfs
- debugfs
+ - devfs
- devpts
- devtmpfs
+ - ecryptfs
- efs
- fuse
+ - fuseblk
- fusectl
- hugetlbfs
+ - iso9660
- kernfs
- mqueue
+ - pipefs
- proc
- procfs
+ - pstore
- ramfs
- romfs
+ - rootfs
- securityfs
- selinuxfs
+ - sockfs
- specfs
- squashfs
+ - swapfs
- sysfs
- sysv
+ - tmpfs
- usbfs
- vfat
- - adfs
- - affs
- - apfs
- - btrfs
- - coda
- - exfat
- - ext2
- - ext3
- - ext4
- - f2fs
- - fatx
- - hfs
- - hfsplus
- - hpfs
- - jfs
- - lvm2
- - minix
- - msdos
- - ncpfs
- - nilfs
- - nilfs2
- - nfs
- - nfs4
- - ntfs-3g
- - qnx4
- - qnx6
- - reiser4
- - reiserfs
- - smbfs
- - swap
- - tracefs
- - ubifs
- - udf
- - ufs
- - umsdos
- - urefs
- - xenix
- - xfs
+ - adfs
- affs
- apfs
+ - btrfs
- coda
- exfat
+ - ext2
- ext3
- ext4
+ - f2fs
- fatx
- hfs
+ - hfsplus
- hpfs
- jfs
+ - lvm2
- minix
- msdos
+ - ncpfs
- nilfs
- nilfs2
+ - nfs
- nfs4
- ntfs
+ - ntfs-3g
- qnx4
- qnx6
+ - reiser4
- reiserfs
- smbfs
+ - swap
- tracefs
- ubifs
+ - udf
- ufs
- umsdos
+ - urefs
- xenix
- xfs
- zfs
@@ -659,8 +435,7 @@
-
-
+
@@ -671,27 +446,28 @@
-
+
-
+
+
@@ -768,6 +544,7 @@
+
@@ -871,54 +648,63 @@
-
+
-
+
-
-
-
+
+
+
+
+
-
+
-
+
-
+
+
+
+
-
+
+
-
+
+
+
+
@@ -954,12 +740,12 @@
-
-
-
-
-
-
+
+
+
+
+
+
diff --git a/data/syntax/selinux-fc.xml b/data/syntax/selinux-fc.xml
--- a/data/syntax/selinux-fc.xml
+++ b/data/syntax/selinux-fc.xml
@@ -28,12 +28,14 @@
==========================================================================================
Change log:
+ * Version 2 [15-Mar-2018, by Nibaldo G.]:
+ - Small optimizations. Improvements in paths & PCRE Regex highlighting.
* Version 1 [26-Jan-2018, by Nibaldo González]:
- Initial version.
-->
-
-
-
-
+
-
+
-
-
+
-
+
+
+
+
+
-
+
-
-
-
+
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
+
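Review bot: The new change-log entry `+ * Version 2 [15-Mar-2018, by Nibaldo G.]:` abbreviates the author name that the Version 1 entry spells out in full; for a consistent log write `* Version 2 [15-Mar-2018, by Nibaldo González]:`. "Small optimizations" also gives a later maintainer nothing to act on; naming what was optimized (the rule or context that was simplified) would make the entry useful. The `<language>` element and its `version` attribute are among the lines stripped from this rendering, so it is not visible whether `version` was bumped alongside the entry; KSyntaxHighlighting uses that attribute to choose between definitions of the same name, so it should track the change log.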
@@ -136,54 +139,62 @@
-
-
-
+
+
+
+
-
-
-
+
+
+
+
+
-
+
-
-
+
-
+
-
+
-
+
+
+
+
-
+
-
-
+
+
-
+
-
+
+
+
+
@@ -203,12 +214,12 @@
-
-
-
-
-
-
+
+
+
+
+
+