How to verify my policy?

2016-10-17 Thread peng fei
I want to achieve the result that only the jd process is allowed to open and read
/data/audit/log/audit.log.
For this target, I added some rules to the policy file.
After that, I want to verify my policy. So I created a test.c that reads
/data/audit/log/audit.log and used gcc to build test.c into the executable
test. The files test.c and test are in /home/pengfei.
-
My policy modifications are as follows:
--
First,
add new type in file.te
#/data/audit/log/audit.log
type sec_file, file_type, data_file_type;
#/home/test
type jd_exec, file_type;
--
add the contexts in the file_contexts
/data/audit/log/audit.log   u:object_r:sec_file:s0
/home/pengfei/test u:object_r:jd_exec:s0
--
add rule in jd.te
allow jd sec_file:file {read, open };
allow jd  jd_exec:file rx_file_perms;
-
How can I verify my policy? Can I create an executable file to imitate jd?
How to assign the  conte

Please help me. Thanks in advance.
___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

how to verify my policy?

2016-10-17 Thread peng fei
I want to add some policy.
--
add a new type in file.te
#/data/audit/log/audit.log
type sec_file, file_type, data_file_type;
#/home/test
type jd_exec;
--
add the contexts in the file_contexts
/data/audit/log/audit.log   u:object_r:sec_file:s0
/home/pengfei/test

--
add rule in jd.te
allow jd sec_file:file r_file_perms;
allow jd  jd_exec:file rx_file_perms;
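An added example for the two posts above (it is not code from the poster or from the SEAndroid project): a small C probe that does what test.c does, opening and reading a path, but classifies the outcome (allowed, denied, or the probe itself broken) and prints the SELinux context it runs in, read from /proc/self/attr/current. Two things the posted policy fragments do not settle: the rule `allow jd sec_file:file ...` only matters when the test process actually runs in the jd domain, so a binary launched from a root or shell session proves nothing about jd; and a policy denial shows up as EACCES from open() together with an `avc: denied` line in the kernel log, which names the source and target contexts and the permission, so together with `ls -Z` on the file and the binary it is the quickest way to see whether the new labels were applied as intended. The default path and the temp-file path below are constructed for this example; on a device the binary would have to be launched in the jd domain by whatever mechanism jd itself uses (or with runcon where that tool is available).

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome classes for one open()+read() attempt. */
enum probe_result { PROBE_ALLOWED = 0, PROBE_DENIED = 1, PROBE_OTHER = 2 };

/* Try to open `path` read-only and read from it, the way the poster's
 * test.c would.  EACCES/EPERM are reported as a denial (SELinux or DAC);
 * any other errno (ENOENT, EISDIR, ...) means the probe itself is wrong. */
enum probe_result probe_read(const char *path, int *saved_errno)
{
    char buf[64];
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        int e = errno;
        if (saved_errno)
            *saved_errno = e;
        return (e == EACCES || e == EPERM) ? PROBE_DENIED : PROBE_OTHER;
    }
    ssize_t n = read(fd, buf, sizeof buf);
    int e = (n < 0) ? errno : 0;
    close(fd);
    if (saved_errno)
        *saved_errno = e;
    if (n < 0)
        return (e == EACCES || e == EPERM) ? PROBE_DENIED : PROBE_OTHER;
    return PROBE_ALLOWED;
}

/* Copy the calling process's SELinux context (e.g. "u:r:jd:s0") from
 * /proc/self/attr/current into `out`.  Returns its length, or -1 when the
 * file is unavailable (non-Linux hosts, or SELinux disabled). */
int read_own_context(char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    int fd = open("/proc/self/attr/current", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, out, outlen - 1);
    close(fd);
    if (n < 0)
        return -1;
    /* the kernel may terminate the string with a NUL or a newline */
    while (n > 0 && (out[n - 1] == '\0' || out[n - 1] == '\n'))
        n--;
    out[n] = '\0';
    return (int)n;
}

/* Self-check: a freshly created temp file owned by us must come back
 * PROBE_ALLOWED; that tells you the probe logic is sound before you trust
 * a PROBE_DENIED on the real target. */
enum probe_result probe_temp_file(void)
{
    char tmpl[] = "/tmp/policy_probe_XXXXXX";   /* constructed path */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return PROBE_OTHER;
    if (write(fd, "sample\n", 7) != 7) {
        close(fd);
        unlink(tmpl);
        return PROBE_OTHER;
    }
    close(fd);
    enum probe_result r = probe_read(tmpl, NULL);
    unlink(tmpl);
    return r;
}

/* Self-check helper: the errno the probe reports for a path that cannot
 * exist (constructed), which must be ENOENT and not look like a denial. */
int probe_missing_path_errno(void)
{
    int e = 0;
    probe_read("/constructed/does-not-exist/audit.log", &e);
    return e;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/data/audit/log/audit.log";
    char ctx[256];
    int err = 0;

    if (read_own_context(ctx, sizeof ctx) > 0)
        printf("process context: %s\n", ctx);
    else
        printf("process context: unavailable (not an SELinux host?)\n");

    switch (probe_read(path, &err)) {
    case PROBE_ALLOWED:
        printf("%s: open+read allowed\n", path);
        return 0;
    case PROBE_DENIED:
        printf("%s: denied (%s); look for 'avc: denied' in the kernel log\n",
               path, strerror(err));
        return 1;
    default:
        printf("%s: probe failed (%s); fix the test before judging policy\n",
               path, strerror(err));
        return 2;
    }
}
```

Run it once from the domain the rule is written for and once from an unrelated domain: the first should report allowed, the second denied with a matching avc line; if both are allowed, the test is not running in the domain you think, or the file does not carry the sec_file label.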

[PATCH 8/8] libselinux: add booleans.c to ANDROID_HOST=y recipe

2016-10-17 Thread william . c . roberts
From: William Roberts 

We build booleans.c with DISABLE_BOOL set on Android host
and target. Add that file to the upstream Makefile.

Signed-off-by: William Roberts 
---
 libselinux/src/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 7a1ae05..ccd8442 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -100,7 +100,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND 
-DNO_X_BACKEND \
-DBUILD_HOST
 SRCS= callbacks.c freecon.c label.c label_file.c \
label_backends_android.c regex.c label_support.c \
-   matchpathcon.c setrans_client.c sha1.c
+   matchpathcon.c setrans_client.c sha1.c booleans.c
 else
 DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
 SRCS:= $(filter-out label_backends_android.c, $(SRCS))
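Review bot: the hunk header's context line shows DISABLE_FLAGS carrying -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND -DBUILD_HOST but no -DDISABLE_BOOL, while the commit message relies on DISABLE_BOOL being set for the host build; please confirm it is added to DISABLE_FLAGS (or CFLAGS) for the ANDROID_HOST=y branch somewhere outside this hunk, otherwise booleans.c compiles its full body and pulls in stdio_ext.h, which patch 7/8 says Mac lacks. Since the file only builds cleanly with the header rearrangement from 7/8, this patch also has to land after it, which is worth a sentence in the commit message.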
-- 
1.9.1



[PATCH 4/8] libselinux: fix required alignment for sha1.c on mac

2016-10-17 Thread william . c . roberts
From: William Roberts 

When building on mac with ANDROID_HOST=y, clang complains:
sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 
'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
CHAR64LONG16*   block = (CHAR64LONG16*) workspace;

Rather than casting the bytearray to the CHAR64LONG16 union,
just create a stack workspace of type CHAR64LONG16.

This will prevent alignment issues with the data accesses.

Signed-off-by: William Roberts 
---
 libselinux/src/sha1.c | 12 +---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
index 5f02af8..9bcbb6e 100644
--- a/libselinux/src/sha1.c
+++ b/libselinux/src/sha1.c
@@ -8,8 +8,14 @@
 //  Modified by WaterJuice retaining Public Domain license.
 //
 //  This is free and unencumbered software released into the public domain - 
June 2013 waterjuice.org
-//  Modified to stop symbols being exported for libselinux shared library - 
October 2015
+//  Modified to:
+//- stop symbols being exported for libselinux shared library - October 
2015
 //Richard 
Haines 
+//- Not cast the workspace from a byte array to a CHAR64LONG16 due to 
allignment isses.
+//  Fixes:
+//sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') 
to 'CHAR64LONG16 *' increases required alignment from 1 to 4 
[-Werror,-Wcast-align]
+// CHAR64LONG16*   block = (CHAR64LONG16*) workspace;
+// William 
Roberts 
 
///
 
 
///
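Review bot: the new header comment has two typos on the "Not cast the workspace" line: "allignment isses" should read "alignment issues". Quoting the full three-line clang diagnostic in a file header is unusual for this tree; a one-line note such as "use a CHAR64LONG16 workspace directly to avoid a misaligned cast (-Wcast-align)" records the reason without the error text, and the commit message already preserves the diagnostic verbatim.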
@@ -69,8 +75,8 @@ void
 uint32_tc;
 uint32_td;
 uint32_te;
-uint8_t workspace[64];
-CHAR64LONG16*   block = (CHAR64LONG16*) workspace;
+CHAR64LONG16workspace;
+CHAR64LONG16*   block = 
 
 memcpy( block, buffer, 64 );
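Review bot: the "+CHAR64LONG16*   block = " line is cut off in this rendering (presumably "&workspace"); please check that the mailed patch carries the full line. With workspace now an actual CHAR64LONG16 on the stack the extra pointer is redundant: "memcpy(&workspace, buffer, sizeof(workspace));" followed by uses of workspace.l[...] removes both block and the bare 64, and ties the copy length to the union's real size so a later change to the union cannot silently overrun it.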
 
-- 
1.9.1

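An added example illustrating the alignment point in the patch above (it is not part of the patch or of libselinux's sha1.c, and it assumes CHAR64LONG16 is the usual 64-byte block viewed as 16 32-bit words): a uint8_t array is only guaranteed 1-byte alignment, so casting its address to a union that contains uint32_t members is correct only by accident of where the compiler placed the array, which is exactly what -Wcast-align flags; declaring the workspace as the union itself makes the alignment hold by construction and needs no cast at all.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same shape as the CHAR64LONG16 union in sha1.c (assumed from the patch):
 * one 64-byte block viewed either as bytes or as 16 32-bit words. */
typedef union {
    uint8_t  c[64];
    uint32_t l[16];
} CHAR64LONG16;

/* 1 if `p` satisfies the alignment CHAR64LONG16 requires (that of uint32_t,
 * 4 on the common ABIs), 0 otherwise.  Nothing is dereferenced here. */
int is_aligned_for_block(const void *p)
{
    return ((uintptr_t)p % alignof(CHAR64LONG16)) == 0;
}

/* The pre-patch pattern: a byte array later cast to CHAR64LONG16 *.  Count
 * how many of four consecutive starting addresses inside such an array would
 * be misaligned: with a 4-byte requirement exactly three of any four
 * consecutive addresses are, whatever the array's own placement. */
int misaligned_starts_in_byte_array(void)
{
    uint8_t workspace[64 + 4];
    int bad = 0;
    for (size_t off = 0; off < 4; off++)
        if (!is_aligned_for_block(workspace + off))
            bad++;
    return bad;
}

/* The patched pattern: the workspace *is* the union, so it is aligned by
 * construction, and the block is memcpy'd in.  Returns word 0 of the block. */
uint32_t first_word_via_union(const uint8_t buffer[64])
{
    CHAR64LONG16 workspace;
    memcpy(&workspace, buffer, sizeof(workspace));   /* 64 bytes */
    return workspace.l[0];
}

/* A word whose four bytes are identical reads the same on any endianness,
 * which keeps the self-check below portable. */
uint32_t first_word_of_repeated_byte(uint8_t b)
{
    uint8_t buffer[64];
    memset(buffer, b, sizeof buffer);
    return first_word_via_union(buffer);
}
```

Compiling with -Wcast-align -Werror on clang reproduces the original diagnostic only for the cast form; the union form has nothing to warn about.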


[PATCH 1/8] libsepol/cil: disable symver on Mac builds

2016-10-17 Thread william . c . roberts
From: William Roberts 

symver does not work on Mac, so like Android, just
disable it.

Signed-off-by: William Roberts 
---
 libsepol/cil/src/dso.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/cil/src/dso.h b/libsepol/cil/src/dso.h
index a06e349..64a162c 100644
--- a/libsepol/cil/src/dso.h
+++ b/libsepol/cil/src/dso.h
@@ -1,7 +1,7 @@
 #ifndef _SEPOL_DSO_H
 #define _SEPOL_DSO_H   1
 
-#if !defined(SHARED) || defined(ANDROID)
+#if !defined(SHARED) || defined(ANDROID) || defined(__APPLE__)
 #define DISABLE_SYMVER 1
 #endif
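Review bot: the condition now encodes three unrelated reasons to disable symbol versioning with nothing next to it explaining any of them; a short comment on the "#if" line saying that Mach-O (__APPLE__) has no ELF symbol versioning, for the same reason the ANDROID case exists, would save the next reader a git blame. Since the property actually being tested is "not an ELF target with version-script support", a single "!defined(__ELF__)" test could replace the growing list of platform macros, but that is a judgement call and would need checking against the Android toolchain.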
 
-- 
1.9.1



[PATCH 7/8] libselinux: DISABLE_BOOL move to include headers

2016-10-17 Thread william . c . roberts
From: William Roberts 

Some systems, like Mac, don't have stdio_ext.h. Since we're
building with DISABLE_BOOL=y on Mac, just include the
header files with the DISABLE define, and use the bare
minimum headers for DISABLE_BOOL=y.

Signed-off-by: William Roberts 
---
 libselinux/src/booleans.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c
index cbb0610..ba9d934 100644
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@@ -5,6 +5,8 @@
  *   Dan Walsh  - Added security_load_booleans().
  */
 
+#ifndef DISABLE_BOOL
+
 #include 
 #include 
 #include 
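Review bot: the three "#include" lines show no header names in this rendering (the angle-bracket names were lost in transit); please double-check the mailed patch. Moving "#ifndef DISABLE_BOOL" above the includes means every header the "#else" stubs need has to be included again in that branch, and the matching "#endif" at the end of the file should be confirmed to still close this guard now that it opens earlier.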
@@ -25,8 +27,6 @@
 
 #define SELINUX_BOOL_DIR "/booleans/"
 
-#ifndef DISABLE_BOOL
-
 static int filename_select(const struct dirent *d)
 {
if (d->d_name[0] == '.'
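Review bot: with the guard removed here, "SELINUX_BOOL_DIR" and the includes above it now sit inside the "#ifndef DISABLE_BOOL" region; confirm that nothing in the "#else" stubs references SELINUX_BOOL_DIR or the selinuxfs helpers, otherwise a DISABLE_BOOL=y build fails on an undeclared identifier rather than on the missing stdio_ext.h the commit message is fixing.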
@@ -561,6 +561,10 @@ int security_load_booleans(char *path)
 }
 
 #else
+
+#include 
+#include "selinux_internal.h"
+
 int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
SELboolean * boollist __attribute__((unused)),
int permanent __attribute__((unused)))
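Review bot: the "#include" on the first added line of this hunk has lost its header name in this rendering; it needs to be the header that declares SELboolean and size_t (the stubs below use both), presumably <selinux/selinux.h>. Including "selinux_internal.h" here is fine as long as it is self-contained without the headers now excluded above; a quick compile of this single file with -DDISABLE_BOOL on Linux would confirm before it is tried on Mac.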
-- 
1.9.1



[PATCH 5/8] libselinux/utils: add noreturn to sefcontext_compile

2016-10-17 Thread william . c . roberts
From: William Roberts 

When building on mac, one encounters this error:
sefcontext_compile.c:270:1: error: function 'usage' could be declared with 
attribute 'noreturn' [-Werror,-Wmissing-noreturn]

To correct this, add the attribute noreturn to the function.

Signed-off-by: William Roberts 
---
 libselinux/utils/sefcontext_compile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index 6b564b4..54600e2 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -266,7 +266,7 @@ static void free_specs(struct saved_data *data)
memset(data, 0, sizeof(*data));
 }
 
-static void usage(const char *progname)
+static __attribute__ ((__noreturn__)) void usage(const char *progname)
 {
fprintf(stderr,
"usage: %s [-o out_file] [-p policy_file] fc_file\n"
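Review bot: "__noreturn__" is a promise to the compiler, so every path out of usage() must end in exit() or abort(); the hunk only shows the opening fprintf, so please confirm the function never returns after printing, since with the attribute a fall-through becomes undefined behaviour rather than a harmless return. Placement before the return type is accepted by GCC and clang; if the tree already has a macro for this (or uses C11 "_Noreturn"), using it here keeps the attribute style consistent across libselinux/utils.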
-- 
1.9.1



[PATCH 2/8] libsepol: build on mac

2016-10-17 Thread william . c . roberts
From: William Roberts 

Correct the build issues on mac, mostly flags for tools.
libsepol and cil now build completely on Mac with a
simple make command.

Signed-off-by: William Roberts 
---
 libsepol/src/Makefile | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index b0c901f..7856213 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -30,6 +30,13 @@ LOBJS += $(sort $(patsubst %.c,%.lo,$(sort $(wildcard 
$(CILDIR)/src/*.c)) $(CIL_
 override CFLAGS += -I$(CILDIR)/include
 endif
 
+LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=$(LIBMAP),-z,defs
+
+OS := $(shell uname)
+ifeq ($(OS), Darwin)
+LD_SONAME_FLAGS=-install_name,$(LIBSO)
+LDFLAGS += -undefined dynamic_lookup
+endif
 
 all: $(LIBA) $(LIBSO) $(LIBPC)
 
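Review bot: on Darwin this replaces "-z,defs" (which fails the link on any unresolved symbol) with "-undefined dynamic_lookup", which defers unresolved symbols to load time, and it also drops the version script, so the Mac build exports every symbol and gets no link-time check for missing ones. Both losses may be deliberate, but the "ifeq ($(OS), Darwin)" block should say so in a comment, and once the link is known to be complete the stricter default "-undefined error" is worth trying instead. "OS := $(shell uname)" runs on every make invocation; "$(shell uname -s)" is the usual spelling and harmless either way.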
@@ -39,7 +46,7 @@ $(LIBA):  $(OBJS)
$(RANLIB) $@
 
 $(LIBSO): $(LOBJS) $(LIBMAP)
-   $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $(LOBJS) 
-Wl,-soname,$(LIBSO),--version-script=$(LIBMAP),-z,defs
+   $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $(LOBJS) -Wl,$(LD_SONAME_FLAGS)
ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
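Review bot: "-Wl,$(LD_SONAME_FLAGS)" splits one linker argument between the recipe and the variable, so anyone overriding LD_SONAME_FLAGS has to remember the implicit "-Wl," prefix and the comma-joined form; putting the complete "-Wl,..." string in the variable, and naming it for what it holds (on Linux it carries the version script and -z defs as well as the soname, so LD_SHARED_FLAGS or similar), would be clearer and keeps the recipe identical across platforms.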
-- 
1.9.1
