===== Python tools =====

Common default options:

  -h --help            Shows help!
  -v --version         Shows RSBAC_NR (Version 1.3.0pre eg)
  -V                   Specify old version to upgrade things from. (like acl_grant, etc)
  -T --transaction ta  Specify a transaction number to operate on (can also use env var RSBAC_TA)
  -d --device          Specify which device to use (major:minor) (FIXME Do we really need it ?)
  -R --recursive       Does the action recursively

Tools to set, get, or modify attributes on objects.

=== MODULES: ===

MODULES are always one of GEN, MAC, PM, FF, RC, DAZ, PAX, AUTH. (UM ?)

We need a dictionary that can output ordered lists of MODULES for the user to know wtf he's doing there. This list should be generated from the bindings if possible.
Check /proc/rsbac-info/active to see whether the MODULE is available before displaying it, else mark it disabled:

  Modules supported by this kernel:
  AUTH RC
  Modules not supported by this kernel:
  MAC ..

=== TARGETS: ===

TARGETS are target-types, usually one of

  FILE, DIR, FIFO, SYMLINK, DEV (FIXME can't we always use FD autoselect ?)
  or... USER, GROUP, PROCESS
  or... NETDEV, NETTEMP, NETOBJ
  or... IPC

We need a dictionary that can output ordered lists of TARGETS for the user to know wtf he's doing there. This list should be generated from the bindings if possible.

  Targets list:
  FILE, DIR, FIFO, SYMLINK, DEV
  USER, GROUP, PROCESS
  ...

=== ATTRIBUTES: ===

ATTRIBUTES are usually A_log_array_low, A_rc_type, A_auth_may_setuid, A_.... see types.h

Of course bindings remove the "A_" and just ask for the value, like "auth_may_setuid 1"

We need a dictionary that can output ordered lists of ATTRIBUTES for the user to know wtf he's doing there. This list should be generated from the bindings if possible.

  Attributes list:
  auth_may_setuid
  auth_may_setcap
  rc_type
  rc_..
  ...

=== OPTIONS: ===

OPTIONS are switches, including the default common options, but including also:

  -a --add     Adds something ?
  -r --remove  Remove something ?
  -s --set     Set something ?
  -t --ttl     TTL if supported:
               -t +300       (relative, for 300 seconds)
               -t +02:20     (relative, til 2h 20 later)
               -t 02:20      (absolute, today at 2h20)
               -t +15:02:20  (in 15d..)

===== Tool list =====

  * attr_mod MODULE [OPTIONS] OBJECT TARGET ATTRIBUTE value

e.g.: set a file attribute:

  attr_util AUTH -s /bin/login FD auth_may_setuid 1

e.g.: view log attribute for user:

  attr_util GEN root USER log_user_based

e.g.: set log attribute for user:

  attr_util GEN -s root USER log_user_based SEARCH 1

e.g.: change PaX flags:

  attr_util PAX -Rs /opt FD PMeRxS

===== "policy" tool =====

  * Able to restore policy from simple config files
  * Able to include per package config files as well, in a compatible manner with above
  * Able to read the policy by different means (plugins), like, flat, xml,
  * Able to simplify per package configurations to inherited global settings in some clever way:

  ==>> /usr/bin inheritance, class executable
  ==>> /etc/ inheritance, class config
  /usr/bin/chess  <= Class executable not applied
  /etc/chess.conf <= Class config not applied
  /usr/bin/ping   <= Class Executable+Net ==> only class net applied

  * Able to load per path and per package (eg policy /proc at mount)

Policy representation:

  * Needs to be concise (clear, precise)
  * Easy for the user (not a list of rules only)
  * Logical to maintain (per module ? what if some modules are on and others off ?)
  * Support classes (executables, scripts, libraries, ...)
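
One way to parse the four -t/--ttl forms listed under OPTIONS, as an added sketch that is not part of the RSBAC tools or bindings. The function name parse_ttl, the reading of "+15:02:20" as days:hours:minutes, and the rejection of an absolute time that has already passed are assumptions.

```python
import re
from datetime import datetime, timedelta

# Hypothetical helper for the -t/--ttl forms listed on this page; not RSBAC code.
_SECONDS = re.compile(r"\+(\d+)")                          # +300
_CLOCK = re.compile(r"(\+?)(?:(\d+):)?(\d{1,2}):(\d{2})")  # [+][DD:]HH:MM


def parse_ttl(arg, now):
    """Return the absolute expiry datetime for one --ttl argument.

    Anything outside the four listed forms raises ValueError, so a typo can
    never silently turn a time-limited setting into a permanent one.
    """
    m = _SECONDS.fullmatch(arg)
    if m:
        return now + timedelta(seconds=int(m.group(1)))

    m = _CLOCK.fullmatch(arg)
    if not m:
        raise ValueError(f"unrecognised TTL: {arg!r}")
    relative = m.group(1) == "+"
    days, hours, minutes = m.group(2), int(m.group(3)), int(m.group(4))
    if hours > 23 or minutes > 59:
        raise ValueError(f"hour or minute out of range in TTL: {arg!r}")

    if relative:
        # +HH:MM or +DD:HH:MM counts from now (DD:HH:MM layout is assumed).
        return now + timedelta(days=int(days or 0), hours=hours, minutes=minutes)
    if days is not None:
        raise ValueError(f"absolute TTL takes HH:MM only: {arg!r}")
    expiry = now.replace(hour=hours, minute=minutes, second=0, microsecond=0)
    if expiry <= now:
        # Assumption: "today at HH:MM" that has already passed is an error.
        raise ValueError(f"absolute TTL is already in the past: {arg!r}")
    return expiry


if __name__ == "__main__":
    now = datetime(2024, 1, 10, 1, 0, 0)  # constructed reference time
    for arg in ("+300", "+02:20", "02:20", "+15:02:20"):
        print(f"{arg:>10} -> {parse_ttl(arg, now)}")
```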