Re: [PATCH 1/2] libselinux, libsemanage: fall back to gcc in exception.sh
On Tue, Nov 15, 2016 at 12:06 AM, William Roberts wrote:
> On Mon, Nov 14, 2016 at 3:00 PM, Nicolas Iooss wrote:
> > The SWIG wrapper already includes the header files using #include (look at
> > the beginning of libselinux/src/selinuxswig_python.i [1] for example). The
> > script exception.h reads the header files (through gcc -aux-info) to
> > generate some SWIG code for almost every interface returning an integer
> > (this code converts a negative return value to the raising of a Python
> > OSError exception).
> >
> > In SWIG documentation [2] I have not found a way to automatically apply a
> > %exception block to all functions matched by the pattern "it returns an
> > integer". As you seem to believe I missed something,
>
> I don't think you did.
>
> > could you please
> > explain how you would proceed here?
>
> Yeah that script is just generating a bunch of interface code, I would
> just remove that script and write it by hand. The only downfall is that
> you would have to add a stub if you add something to the header file, but
> I don't consider that a downside, I prefer to be explicit. Especially
> considering they already had to put a function in the script to skip.
> I don't think the script provides much value.

This kind of question is about the way maintainers want to manage the
maintenance and development of the code. I understand the need to keep
things simple, but whether replacing the script with a "static file"
(selinuxswig_python_exception.i, or its integration into
selinuxswig_python.i) would keep working on the project simple or make it
more complex is something I do not know. An alternative approach would be
something like projects using autotools do: keep the script in the git
tree but package releases with selinuxswig_python_exception.i (and
semanage...exception.i) so that end users do not have to build it.

Nicolas

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH 1/2] libselinux, libsemanage: fall back to gcc in exception.sh
On Mon, Nov 14, 2016 at 3:00 PM, Nicolas Ioosswrote: > The SWIG wrapper already includes the header files using #include (look at > the beginning of libselinux/src/selinuxswig_python.i [1] for example). The > script exception.h reads the header files (through gcc -aux-info) to > generate some SWIG code for almost every interface returning an integer > (this code converts a negative return value to the raising of a Python > OSError exception). > > In SWIG documentation [2] I have not found a way to automatically apply a > %exception block to all functions matched by the pattern "it returns an > integer". As you seem to believe I missed something, I don't think you did. could you please > explain how you would proceed here? Yeah that script is just generating a bunch of interface code, I would just remove that script and write it by hand. The only downfall is that you would have to add a stub if you add something to the header file, but I don't consider that a downside, I prefer to be explicit. Especially considering they already had to put a function in the script to skip. I don't think the script provides much value. > > Nicolas > > [1] > https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/selinuxswig_python.i#L11 > [2] http://www.swig.org/Doc3.0/SWIGDocumentation.html > > > On Mon, Nov 14, 2016 at 11:15 PM, William Roberts > wrote: >> >> For a more long term solution, why not just give swig a header file >> (you can ifdef on SWIG for anything to omit), or write the interface >> file by hand. I ended up using a hybrid approach for one my projects >> (the build system is a mess): >> >> >> https://bitbucket.org/miniat/0x1-miniat/src/f84cb76ab0fbe645ee9c48d30221b29283745778/vm/src/miniat_python.i?at=master=file-view-default >> >> >> On Mon, Nov 14, 2016 at 1:57 PM, Nicolas Iooss >> wrote: >> > clang does not support -aux-info option. 
When exception.sh is run with >> > CC=clang, use gcc to build selinuxswig_python_exception.i and >> > semanageswig_python_exception.i. >> > >> > This does not solve the issue of building libselinux and libsemanage >> > Python wrappers on a system without gcc. However parsing the result of >> > "gcc -aux-info" is easier than parsing the header files so stay with >> > this command at least for now. >> > >> > Signed-off-by: Nicolas Iooss >> > --- >> > libselinux/src/exception.sh | 6 +- >> > libsemanage/src/exception.sh | 6 +- >> > 2 files changed, 10 insertions(+), 2 deletions(-) >> > >> > diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh >> > index a58bf3f45778..a3ff83235ced 100755 >> > --- a/libselinux/src/exception.sh >> > +++ b/libselinux/src/exception.sh >> > @@ -15,6 +15,10 @@ echo " >> > ;; >> > esac >> > } >> > -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < >> > ../include/selinux/selinux.h >> > +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < >> > ../include/selinux/selinux.h >> > +then >> > +# clang does not support -aux-info so fall back to gcc >> > +gcc -x c -c -I../include - -aux-info temp.aux < >> > ../include/selinux/selinux.h >> > +fi >> > for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except >> > $i ; done >> > rm -f -- temp.aux -.o >> > diff --git a/libsemanage/src/exception.sh b/libsemanage/src/exception.sh >> > index d18959cbe85d..a4095f4f8ba6 100644 >> > --- a/libsemanage/src/exception.sh >> > +++ b/libsemanage/src/exception.sh 
>> > @@ -9,6 +9,10 @@ echo " >> > } >> > " >> > } >> > -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < >> > ../include/semanage/semanage.h >> > +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < >> > ../include/semanage/semanage.h >> > +then >> > +# clang does not support -aux-info so fall back to gcc >> > +gcc -x c -c -I../include - -aux-info temp.aux < >> > ../include/semanage/semanage.h >> > +fi >> > for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; >> > done >> > rm -f -- temp.aux -.o >> > -- >> > 2.10.2 >> > >> > ___ >> > Selinux mailing list >> > Selinux@tycho.nsa.gov >> > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. >> > To get help, send an email containing "help" to >> > selinux-requ...@tycho.nsa.gov. >> >> >> >> -- >> Respectfully, >> >> William C Roberts > > -- Respectfully, William C Roberts ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH 1/2] libselinux, libsemanage: fall back to gcc in exception.sh
The SWIG wrapper already includes the header files using #include (look at
the beginning of libselinux/src/selinuxswig_python.i [1] for example). The
script exception.h reads the header files (through gcc -aux-info) to
generate some SWIG code for almost every interface returning an integer
(this code converts a negative return value to the raising of a Python
OSError exception).

In SWIG documentation [2] I have not found a way to automatically apply a
%exception block to all functions matched by the pattern "it returns an
integer". As you seem to believe I missed something, could you please
explain how you would proceed here?

Nicolas

[1] https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/selinuxswig_python.i#L11
[2] http://www.swig.org/Doc3.0/SWIGDocumentation.html

On Mon, Nov 14, 2016 at 11:15 PM, William Roberts wrote:
> For a more long term solution, why not just give swig a header file
> (you can ifdef on SWIG for anything to omit), or write the interface
> file by hand. I ended up using a hybrid approach for one of my projects
> (the build system is a mess):
>
> https://bitbucket.org/miniat/0x1-miniat/src/f84cb76ab0fbe645ee9c48d30221b29283745778/vm/src/miniat_python.i?at=master=file-view-default
>
> On Mon, Nov 14, 2016 at 1:57 PM, Nicolas Iooss wrote:
> > clang does not support -aux-info option. When exception.sh is run with
> > CC=clang, use gcc to build selinuxswig_python_exception.i and
> > semanageswig_python_exception.i.
> >
> > This does not solve the issue of building libselinux and libsemanage
> > Python wrappers on a system without gcc. However parsing the result of
> > "gcc -aux-info" is easier than parsing the header files so stay with
> > this command at least for now.
> >
> > Signed-off-by: Nicolas Iooss
> > ---
> > libselinux/src/exception.sh | 6 +-
> > libsemanage/src/exception.sh | 6 +-
> > 2 files changed, 10 insertions(+), 2 deletions(-)
> > > > diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh > > index a58bf3f45778..a3ff83235ced 100755 > > --- a/libselinux/src/exception.sh > > +++ b/libselinux/src/exception.sh > > @@ -15,6 +15,10 @@ echo " > > ;; > > esac > > } > > -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/selinux/selinux.h > > +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/selinux/selinux.h > > +then > > +# clang does not support -aux-info so fall back to gcc > > +gcc -x c -c -I../include - -aux-info temp.aux < > ../include/selinux/selinux.h > > +fi > > for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except > $i ; done > > rm -f -- temp.aux -.o > > diff --git a/libsemanage/src/exception.sh b/libsemanage/src/exception.sh > > index d18959cbe85d..a4095f4f8ba6 100644 > > --- a/libsemanage/src/exception.sh > > +++ b/libsemanage/src/exception.sh > > @@ -9,6 +9,10 @@ echo " > > } > > " > > } > > -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/semanage/semanage.h > > +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/semanage/semanage.h > > +then > > +# clang does not support -aux-info so fall back to gcc > > +gcc -x c -c -I../include - -aux-info temp.aux < > ../include/semanage/semanage.h > > +fi > > for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done > > rm -f -- temp.aux -.o > > -- > > 2.10.2 > > > > ___ > > Selinux mailing list > > Selinux@tycho.nsa.gov > > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > > To get help, send an email containing "help" to > selinux-requ...@tycho.nsa.gov. > > > > -- > Respectfully, > > William C Roberts > ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH 4/4] selinux: Convert isec->lock into a spinlock
On Thu, Nov 10, 2016 at 4:18 PM, Andreas Gruenbacherwrote: > Convert isec->lock from a mutex into a spinlock. Instead of holding the > lock while sleeping in inode_doinit_with_dentry, set isec->initialized > to LABEL_PENDING and release the lock. Then, when the sid has been > determined, re-acquire the lock. If isec->initialized is still set to > LABEL_PENDING, set isec->sid; otherwise, the sid has been set by another > task (LABEL_INITIALIZED) or invalidated (LABEL_INVALID) in the meantime. > > This fixes a deadlock on gfs2 where > > * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds >isec->lock, and tries to acquire the inode's glock, and > > * another task is in do_xmote -> inode_go_inval -> >selinux_inode_invalidate_secctx, holds the inode's glock, and tries >to acquire isec->lock. > > Signed-off-by: Andreas Gruenbacher > --- > security/selinux/hooks.c | 108 > -- > security/selinux/include/objsec.h | 5 +- > 2 files changed, 72 insertions(+), 41 deletions(-) We shouldn't need the spinlocks on the socket_post_create() and the socket_accept() hooks as the callers should still have exclusive access to the socket/inode at that point. I didn't check all the callers of the inode_init_security(), but it looks like the same idea applies. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index cf5067e..4af31f1 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -231,7 +231,7 @@ static int inode_alloc_security(struct inode *inode) > if (!isec) > return -ENOMEM; > > - mutex_init(>lock); > + spin_lock_init(>lock); > INIT_LIST_HEAD(>list); > isec->inode = inode; > isec->sid = SECINITSID_UNLABELED; 
> @@ -1381,7 +1381,8 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > { > struct superblock_security_struct *sbsec = NULL; > struct inode_security_struct *isec = inode->i_security; > - u32 sid; > + u32 task_sid, sid = 0; > + u16 sclass; > struct dentry *dentry; > #define INITCONTEXTLEN 255 > char *context = NULL; > @@ -1391,7 +1392,7 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > if (isec->initialized == LABEL_INITIALIZED) > return 0; > > - mutex_lock(>lock); > + spin_lock(>lock); > if (isec->initialized == LABEL_INITIALIZED) > goto out_unlock; > > @@ -1410,12 +1411,18 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > goto out_unlock; > } > > + sclass = isec->sclass; > + task_sid = isec->task_sid; > + sid = isec->sid; > + isec->initialized = LABEL_PENDING; > + spin_unlock(>lock); > + > switch (sbsec->behavior) { > case SECURITY_FS_USE_NATIVE: > break; > case SECURITY_FS_USE_XATTR: > if (!(inode->i_opflags & IOP_XATTR)) { > - isec->sid = sbsec->def_sid; > + sid = sbsec->def_sid; > break; > } > /* Need a dentry, since the xattr API requires one. > @@ -1437,7 +1444,7 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > * inode_doinit with a dentry, before these inodes > could > * be used again by userspace. > */ > - goto out_unlock; > + goto out; > } > > len = INITCONTEXTLEN; > @@ -1445,7 +1452,7 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > if (!context) { > rc = -ENOMEM; > dput(dentry); > - goto out_unlock; > + goto out; > } > context[len] = '\0'; > rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, > context, len); 
> @@ -1456,14 +1463,14 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > rc = __vfs_getxattr(dentry, inode, > XATTR_NAME_SELINUX, NULL, 0); > if (rc < 0) { > dput(dentry); > - goto out_unlock; > + goto out; > } > len = rc; > context = kmalloc(len+1, GFP_NOFS); > if (!context) { > rc = -ENOMEM; > dput(dentry); > - goto out_unlock; > + goto out; >
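Review bot: in the @@ -1410 hunk, once `isec->initialized = LABEL_PENDING; spin_unlock(&isec->lock);` has run, a second task entering inode_doinit_with_dentry for the same inode passes both `!= LABEL_INITIALIZED` checks and repeats the whole xattr lookup in parallel. The description accepts this (whichever task re-takes the lock while the state is still LABEL_PENDING stores its sid), but a one-line comment at the LABEL_PENDING assignment saying that duplicate lookups are intentional would save the next reader from hunting for the serialization.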
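Review bot: the `goto out_unlock` to `goto out` changes in the @@ -1437, @@ -1445 and @@ -1456 hunks return with isec->initialized still set to LABEL_PENDING, since the lock was dropped before the switch. The `out:` label is not in the visible lines, so please confirm that this is the intended state for a failed initialization: the top-of-function check only short-circuits on LABEL_INITIALIZED, so a later call will retry after a transient -ENOMEM from kmalloc(GFP_NOFS), which looks right, but it deserves a comment at `out:` so nobody later "fixes" the pending state on the error path.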
Re: [PATCH 1/2] libselinux, libsemanage: fall back to gcc in exception.sh
For a more long term solution, why not just give swig a header file (you can ifdef on SWIG for anything to omit), or write the interface file by hand. I ended up using a hybrid approach for one my projects (the build system is a mess): https://bitbucket.org/miniat/0x1-miniat/src/f84cb76ab0fbe645ee9c48d30221b29283745778/vm/src/miniat_python.i?at=master=file-view-default On Mon, Nov 14, 2016 at 1:57 PM, Nicolas Ioosswrote: > clang does not support -aux-info option. When exception.sh is run with > CC=clang, use gcc to build selinuxswig_python_exception.i and > semanageswig_python_exception.i. > > This does not solve the issue of building libselinux and libsemanage > Python wrappers on a system without gcc. However parsing the result of > "gcc -aux-info" is easier than parsing the header files so stay with > this command at least for now. > > Signed-off-by: Nicolas Iooss > --- > libselinux/src/exception.sh | 6 +- > libsemanage/src/exception.sh | 6 +- > 2 files changed, 10 insertions(+), 2 deletions(-) > > diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh > index a58bf3f45778..a3ff83235ced 100755 > --- a/libselinux/src/exception.sh > +++ b/libselinux/src/exception.sh > @@ -15,6 +15,10 @@ echo " > ;; > esac > } > -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/selinux/selinux.h > +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/selinux/selinux.h > +then > +# clang does not support -aux-info so fall back to gcc > +gcc -x c -c -I../include - -aux-info temp.aux < > ../include/selinux/selinux.h > +fi > for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except $i ; > done > rm -f -- temp.aux -.o > diff --git a/libsemanage/src/exception.sh b/libsemanage/src/exception.sh > index d18959cbe85d..a4095f4f8ba6 100644 > --- a/libsemanage/src/exception.sh > +++ b/libsemanage/src/exception.sh 
> @@ -9,6 +9,10 @@ echo " > } > " > } > -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/semanage/semanage.h > +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < > ../include/semanage/semanage.h > +then > +# clang does not support -aux-info so fall back to gcc > +gcc -x c -c -I../include - -aux-info temp.aux < > ../include/semanage/semanage.h > +fi > for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done > rm -f -- temp.aux -.o > -- > 2.10.2 > > ___ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. -- Respectfully, William C Roberts ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 2/2] libselinux, libsemanage: swig: use SWIG_fail when an error occurs
Using SWIG_fail in the Python SWIG wrappers makes the wrapping function destroy/free the memory which could have been dynamically allocated before calling the wrapped function. This thus prevents possible memory leaks in the wrappers of set*con(), set*con_raw(), security_compute_*(), etc. Signed-off-by: Nicolas Iooss--- libselinux/src/exception.sh | 2 +- libsemanage/src/exception.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh index a3ff83235ced..d6c8c71713ad 100755 --- a/libselinux/src/exception.sh +++ b/libselinux/src/exception.sh @@ -8,7 +8,7 @@ echo " \$action if (result < 0) { PyErr_SetFromErrno(PyExc_OSError); - return NULL; + SWIG_fail; } } " diff --git a/libsemanage/src/exception.sh b/libsemanage/src/exception.sh index a4095f4f8ba6..97bc2ae879f2 100644 --- a/libsemanage/src/exception.sh +++ b/libsemanage/src/exception.sh @@ -4,7 +4,7 @@ echo " \$action if (result < 0) { PyErr_SetFromErrno(PyExc_OSError); - return NULL; + SWIG_fail; } } " -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
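Review bot: `SWIG_fail` expands to `goto fail`, so both hunks now route the error through the `fail:` label SWIG emits at the end of every generated Python wrapper, where the freearg cleanup for arguments converted before `$action` runs (the temporary buffers SWIG's string input typemaps allocate for `const char *` arguments are the leak the message refers to); PyErr_SetFromErrno() is called before the jump and the fail block only returns NULL, so the OSError is preserved. The libselinux and libsemanage hunks are byte-identical apart from the line numbers; naming one affected wrapper in the commit message (say, setcon) would make the leak easy to verify under a leak checker.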
[PATCH 1/2] libselinux,libsemanage: fall back to gcc in exception.sh
clang does not support -aux-info option. When exception.sh is run with CC=clang, use gcc to build selinuxswig_python_exception.i and semanageswig_python_exception.i. This does not solve the issue of building libselinux and libsemanage Python wrappers on a system without gcc. However parsing the result of "gcc -aux-info" is easier than parsing the header files so stay with this command at least for now. Signed-off-by: Nicolas Iooss--- libselinux/src/exception.sh | 6 +- libsemanage/src/exception.sh | 6 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh index a58bf3f45778..a3ff83235ced 100755 --- a/libselinux/src/exception.sh +++ b/libselinux/src/exception.sh @@ -15,6 +15,10 @@ echo " ;; esac } -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h +then +# clang does not support -aux-info so fall back to gcc +gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h +fi for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except $i ; done rm -f -- temp.aux -.o diff --git a/libsemanage/src/exception.sh b/libsemanage/src/exception.sh index d18959cbe85d..a4095f4f8ba6 100644 --- a/libsemanage/src/exception.sh +++ b/libsemanage/src/exception.sh 
@@ -9,6 +9,10 @@ echo " } " } -${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h +if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h +then +# clang does not support -aux-info so fall back to gcc +gcc -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h +fi for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done rm -f -- temp.aux -.o -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
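Review bot: the `if ! ${CC:-gcc} ... -aux-info temp.aux` guard in the libselinux hunk treats any non-zero exit from $CC as "no -aux-info support", so a real compile error in selinux.h is silently retried with gcc, and the fallback gcc's own exit status is never checked. If gcc is absent as well, temp.aux is never written, the awk loop runs over a missing file, and unless the script sets -e elsewhere it still exits 0 after `rm -f`, producing a selinuxswig_python_exception.i with no %exception blocks. Suggest `gcc ... || exit 1` on the fallback (or probing -aux-info support explicitly on a trivial input) so a broken toolchain fails at this step rather than at import time.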
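Review bot: the libsemanage hunk copies the fallback block verbatim; the two scripts now differ only in the header path and in the awk pattern (`/extern int/` here versus `/.*extern int/` in libselinux, which match the same lines). A single shared script parameterized by header path would mean the fallback and its exit-status handling only have to be fixed once.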
[PATCH 1/1] secilc: do not build secilc man page if it is up to date
When running "make all" several times in the root directory of the project, the following lines always appear (and the command takes some seconds to complete on my system with a slow hard drive): xmlto man secilc.8.xml Note: Writing secilc.8 This is because "make man" always builds secilc.8 even though secilc.8.xml has not been modified. Introduce an intermediate target to avoid this behavior. Signed-off-by: Nicolas Iooss--- secilc/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/secilc/Makefile b/secilc/Makefile index 9bea186ba0b9..40254ce44caf 100644 --- a/secilc/Makefile +++ b/secilc/Makefile @@ -25,7 +25,9 @@ $(SECILC): $(SECILC_OBJS) test: $(SECILC) ./$(SECILC) test/policy.cil -man: $(MANPAGE).xml +man: $(MANPAGE) + +$(MANPAGE): $(MANPAGE).xml $(XMLTO) man $(MANPAGE).xml install: all man -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
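Review bot: `man: $(MANPAGE)` now names a real file as the prerequisite, which is what gives make the timestamp comparison against $(MANPAGE).xml, so the rebuild is skipped as intended. Since `man` itself stays a phony-style target, make sure it is listed in `.PHONY` (not visible in this hunk); otherwise a stray file called `man` in secilc/ would turn `make man` into a no-op. The recipe is unchanged and `install: all man` still builds the page on demand.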
[PATCH 4/4] libselinux,libsemanage: link Python wrapper with Python
When linking with -Wl,-no-undefined in LDFLAGS (in order to find possible link-time errors), the Python wrapper module needs to be linked with the right libpython.so. This library is found using pkg-config in a new PYLIBS variable. Signed-off-by: Nicolas Iooss--- libselinux/src/Makefile | 5 +++-- libsemanage/src/Makefile | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 82a1010af2d8..928cc049cedb 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -13,6 +13,7 @@ LIBDIR ?= $(PREFIX)/lib SHLIBDIR ?= $(DESTDIR)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) +PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -lruby"') @@ -131,7 +132,7 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) - $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR) + $(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) $(PYLIBS) -L$(LIBDIR) $(SWIGRUBYSO): $(SWIGRUBYLOBJ) $(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) $(RUBYLIBS) -L$(LIBDIR) @@ -154,7 +155,7 @@ $(AUDIT2WHYLOBJ): audit2why.c $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) - $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBSEPOLA) -L$(LIBDIR) + $(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBSEPOLA) $(PYLIBS) -L$(LIBDIR) %.o: %.c policy.h $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index 5c7bc6c6ea65..5176582f654d 100644 --- a/libsemanage/src/Makefile 
+++ b/libsemanage/src/Makefile @@ -13,6 +13,7 @@ LIBDIR ?= $(PREFIX)/lib SHLIBDIR ?= $(DESTDIR)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) +PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -lruby"') @@ -79,7 +80,7 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT) $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $< $(SWIGSO): $(SWIGLOBJ) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lsemanage -L$(LIBDIR) + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lsemanage $(PYLIBS) -L$(LIBDIR) $(SWIGRUBYSO): $(SWIGRUBYLOBJ) $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lsemanage $(RUBYLIBS) -L$(LIBDIR) -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
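Review bot: adding $(PYLIBS) to the $(SWIGSO) link in the @@ -131 hunk (and to $(AUDIT2WHYSO) in the @@ -154 hunk, and likewise in libsemanage) is what -Wl,-no-undefined needs, but it ties each module to the specific libpython.so that `pkg-config --libs $(PYPREFIX)` names; extension modules conventionally leave interpreter symbols unresolved so they load into whichever interpreter imports them, including statically linked ones. Consider gating $(PYLIBS) on an opt-in variable, or on LDFLAGS containing -no-undefined, rather than linking it unconditionally, and say so in the commit message either way.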
[PATCH 1/4] libselinux,libsemanage: use Ruby to define RUBYINC
This makes building libselinux and libsemanage more robust on systems with several versions of Ruby installed: when building, only RUBY needs to be set, without wondering about PKG_CONFIG_PATH or other environment variables. Using RbConfig::CONFIG["rubyarchhdrdir"] only works with Ruby >= 2.0 but since previous Ruby versions are retired since 2015-02-23 this should not have any impact (https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/). While at it, in libsemanage, use RbConfig::CONFIG["vendorarchdir"] to install the Ruby extension, like commit 1cd80faa53b6 ("libselinux: versioned ruby pkg-config and query vendorarchdir properly") did for libselinux. My main motivation with this patch is to make the build configuration easier to define on Travis-CI or other continuous integration platforms. Signed-off-by: Nicolas Iooss--- libselinux/src/Makefile | 3 +-- libsemanage/src/Makefile | 6 ++ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 76efe49586c0..4fe1f7002181 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -14,8 +14,7 @@ SHLIBDIR ?= $(DESTDIR)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYSITEDIR ?= $(DESTDIR)$(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') -RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') -RUBYINC ?= $(shell $(PKG_CONFIG) --exists ruby-$(RUBYLIBVER) && $(PKG_CONFIG) --cflags ruby-$(RUBYLIBVER) || $(PKG_CONFIG) --cflags ruby) +RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') LIBBASE ?= $(shell basename $(LIBDIR)) LIBSEPOLA ?= $(LIBDIR)/libsepol.a diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index cd29a8abf5ab..c646f274cbc1 100644 
--- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile @@ -15,10 +15,8 @@ INCLUDEDIR ?= $(PREFIX)/include PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])') PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER) -RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")') -RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM') -RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby-$(RUBYLIBVER)) -RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM) +RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') +RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') LIBBASE=$(shell basename $(LIBDIR)) -- 2.10.2 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
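Review bot: the libselinux hunk removes RUBYLIBVER, whose only visible user was the pkg-config based RUBYINC; please grep both Makefiles for `RUBYLIBVER` before dropping it, since a stale `$(RUBYLIBVER)` would expand to an empty string silently. Also, `RbConfig::CONFIG["rubyarchhdrdir"]` is nil on Ruby < 2.0, so the `"-I" + nil` concatenation raises TypeError inside `$(shell ...)` and RUBYINC ends up empty; the message accepts that, but an explicit abort on a missing key would surface the failure at the RUBYINC line instead of as a missing ruby.h at compile time.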
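Review bot: RUBYINSTALL in the libsemanage hunk changes two things at once: the site_ruby to vendorarchdir switch the message mentions, and the move from `$(LIBDIR)/ruby/...` to `$(DESTDIR)$(vendorarchdir)`, which ignores a packager-supplied LIBDIR in favour of Ruby's own configured libdir. The second matches libselinux (per commit 1cd80faa53b6) but is worth spelling out in the commit message so packagers passing LIBDIR= are not surprised by the new install location.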
Re: [PATCH 3/4] selinux: Clean up initialization of isec->sclass
On Thu, Nov 10, 2016 at 4:18 PM, Andreas Gruenbacherwrote: > Now that isec->initialized == LABEL_INITIALIZED implies that > isec->sclass is valid, skip such inodes immediately in > inode_doinit_with_dentry. > > For the remaining inodes, initialize isec->sclass at the beginning of > inode_doinit_with_dentry to simplify the code. > > Signed-off-by: Andreas Gruenbacher > --- > security/selinux/hooks.c | 10 -- > 1 file changed, 4 insertions(+), 6 deletions(-) Merged, thanks. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index e4527d9..cf5067e 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -1389,12 +1389,15 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > int rc = 0; > > if (isec->initialized == LABEL_INITIALIZED) > - goto out; > + return 0; > > mutex_lock(>lock); > if (isec->initialized == LABEL_INITIALIZED) > goto out_unlock; > > + if (isec->sclass == SECCLASS_FILE) > + isec->sclass = inode_mode_to_security_class(inode->i_mode); > + > sbsec = inode->i_sb->s_security; > if (!(sbsec->flags & SE_SBINITIALIZED)) { > /* Defer initialization until selinux_complete_init, > @@ -1512,7 +1515,6 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > isec->sid = sbsec->sid; > > /* Try to obtain a transition SID. */ > - isec->sclass = inode_mode_to_security_class(inode->i_mode); > rc = security_transition_sid(isec->task_sid, sbsec->sid, > isec->sclass, NULL, ); > if (rc) > @@ -1548,7 +1550,6 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > */ > if (!dentry) > goto out_unlock; > - isec->sclass = > inode_mode_to_security_class(inode->i_mode); > rc = selinux_genfs_get_sid(dentry, isec->sclass, >sbsec->flags, ); > dput(dentry); 
> @@ -1563,9 +1564,6 @@ static int inode_doinit_with_dentry(struct inode > *inode, struct dentry *opt_dent > > out_unlock: > mutex_unlock(>lock); > -out: > - if (isec->sclass == SECCLASS_FILE) > - isec->sclass = inode_mode_to_security_class(inode->i_mode); > return rc; > } > > -- > 2.7.4 > -- paul moore www.paul-moore.com ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
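Review bot: in the @@ -1389 hunk the early `goto out` became `return 0`, so an inode already marked LABEL_INITIALIZED no longer has its sclass recomputed on every call. That is sound only if every path that sets LABEL_INITIALIZED, including callers outside this function, assigns isec->sclass first, which is what the message asserts ("isec->initialized == LABEL_INITIALIZED implies that isec->sclass is valid"); worth confirming those setters in the same series before merging, since a stale SECCLASS_FILE would now persist.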
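Review bot: removing the `out:` label in the @@ -1563 hunk also removes the read-modify-write of isec->sclass that used to happen after mutex_unlock(); with the SECCLASS_FILE fixup now placed directly after mutex_lock() in the @@ -1389 hunk, the class is computed under the lock, which closes the small window where two callers could update isec->sclass concurrently. Fine as is.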
Re: [PATCH] libselinux: fix subdir build and usage of cmdline CFLAGS
On Mon, Nov 14, 2016 at 06:31:09PM +, Roberts, William C wrote: > > > > -Original Message- > > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > > Sent: Monday, November 14, 2016 10:12 AM > > To: selinux@tycho.nsa.gov > > Cc: Roberts, William C; Stephen Smalley > > > > Subject: [PATCH] libselinux: fix subdir build and usage of cmdline CFLAGS > > > > commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux: > > support ANDROID_HOST=1 on Mac") broke the ability to run make in the src > > subdirectory of libselinux (because OS and COMPILER were not defined) and > > also > > caused some warning flags that could be overridden via command-line CFLAGS > > to > > be mandatory. Fix it. > > Ack. > > It would be nice if we could avoid the duplication running repent throughout > these make files, > maybe include a file that has the definitions/callable functions for all of > this stuff? I just noticed some weirdness in a bunch of the makefiles too. Some of the variables randomly default to different things depending on the package. including a base makefile would be nice but the problem is when packaged up they are separate tarballs. We'd probably need to unify everything and duplicate it in each of the subdirs and then the release script should diff them and make sure there are no discrepancies before release. > > > > > Signed-off-by: Stephen Smalley > > --- > > libselinux/src/Makefile | 12 ++-- > > libselinux/utils/Makefile | 10 +- > > 2 files changed, 19 insertions(+), 3 deletions(-) > > > > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index > > 24946ce..76efe49 100644 > > --- a/libselinux/src/Makefile > > +++ b/libselinux/src/Makefile 
> > @@ -23,6 +23,14 @@ LIBSEPOLA ?= $(LIBDIR)/libsepol.a VERSION = $(shell cat > > ../VERSION) LIBVERSION = 1 > > > > +OS ?= $(shell uname) > > + > > +ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) COMPILER ?= gcc else > > +COMPILER ?= clang endif > > + > > LIBA=libselinux.a > > TARGET=libselinux.so > > LIBPC=libselinux.pc > > @@ -67,12 +75,12 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat- > > security -Winit-self -Wmissi LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,- > > z,relro > > > > ifeq ($(COMPILER), gcc) > > -override CFLAGS += -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat - > > Wsync-nand \ > > +CFLAGS += -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat > > +-Wsync-nand \ > > -Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc - > > Wsuggest-attribute=const \ > > -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines > > -Wjump-misses-init \ > > -Wno-suggest-attribute=pure -Wno-suggest-attribute=const -Wp,- > > D_FORTIFY_SOURCE=2 else -override CFLAGS += -Wunused-command-line- > > argument > > +CFLAGS += -Wunused-command-line-argument > > endif > > > > ifeq ($(OS), Darwin) > > diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index > > a4f9903..7744184 100644 > > --- a/libselinux/utils/Makefile > > +++ b/libselinux/utils/Makefile > > @@ -5,6 +5,14 @@ USRBINDIR ?= $(PREFIX)/sbin SBINDIR ?= $(DESTDIR)/sbin > > INCLUDEDIR ?= $(PREFIX)/include > > > > +OS ?= $(shell uname) > > + > > +ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) COMPILER ?= gcc else > > +COMPILER ?= clang endif > > + > > MAX_STACK_SIZE=8192 > > CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self - > > Wmissing-include-dirs \ > >-Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer- > > arith \ 
@@ -26,7 +34,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k - > > Wformat-security -Winit-self -Wmissi LD_SONAME_FLAGS=-soname,$(LIBSO),- > > z,defs,-z,relro > > > > ifeq ($(COMPILER), gcc) > > -override CFLAGS += -fipa-pure-const -Wpacked-bitfield-compat -Wsync-nand - > > Wcoverage-mismatch \ > > +CFLAGS += -fipa-pure-const -Wpacked-bitfield-compat -Wsync-nand > > +-Wcoverage-mismatch \ > > -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest- > > attribute=const \ > > -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines > > -Wjump-misses-init \ > > -Wno-suggest-attribute=pure -Wno-suggest-attribute=const > > -- > > 2.7.4 > > > ___ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH 2/4] proc: Pass file mode to proc_pid_make_inode
On Thu, Nov 10, 2016 at 4:18 PM, Andreas Gruenbacherwrote: > Pass the file mode of the proc inode to be created to > proc_pid_make_inode. In proc_pid_make_inode, initialize inode->i_mode > before calling security_task_to_inode. This allows selinux to set > isec->sclass right away without introducing "half-initialized" inode > security structs. > > Signed-off-by: Andreas Gruenbacher > --- > fs/proc/base.c | 23 +-- > fs/proc/fd.c | 6 ++ > fs/proc/internal.h | 2 +- > fs/proc/namespaces.c | 3 +-- > security/selinux/hooks.c | 1 + > 5 files changed, 14 insertions(+), 21 deletions(-) Seems reasonable, merged. > diff --git a/fs/proc/base.c b/fs/proc/base.c > index ca651ac..6eae4d0 100644 > --- a/fs/proc/base.c > +++ b/fs/proc/base.c > @@ -1664,7 +1664,8 @@ const struct inode_operations > proc_pid_link_inode_operations = { > > /* building an inode */ > > -struct inode *proc_pid_make_inode(struct super_block * sb, struct > task_struct *task) > +struct inode *proc_pid_make_inode(struct super_block * sb, > + struct task_struct *task, umode_t mode) > { > struct inode * inode; > struct proc_inode *ei; > @@ -1678,6 +1679,7 @@ struct inode *proc_pid_make_inode(struct super_block * > sb, struct task_struct *t > > /* Common stuff */ > ei = PROC_I(inode); > + inode->i_mode = mode; > inode->i_ino = get_next_ino(); > inode->i_mtime = inode->i_atime = inode->i_ctime = > current_time(inode); > inode->i_op = _def_inode_operations; > @@ -2004,7 +2006,9 @@ proc_map_files_instantiate(struct inode *dir, struct > dentry *dentry, > struct proc_inode *ei; > struct inode *inode; > > - inode = proc_pid_make_inode(dir->i_sb, task); > + inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK | > + ((mode & FMODE_READ ) ? S_IRUSR : 0) | > + ((mode & FMODE_WRITE) ? S_IWUSR : 0)); > if (!inode) > return -ENOENT; 
> > @@ -2013,12 +2017,6 @@ proc_map_files_instantiate(struct inode *dir, struct > dentry *dentry, > > inode->i_op = _map_files_link_inode_operations; > inode->i_size = 64; > - inode->i_mode = S_IFLNK; > - > - if (mode & FMODE_READ) > - inode->i_mode |= S_IRUSR; > - if (mode & FMODE_WRITE) > - inode->i_mode |= S_IWUSR; > > d_set_d_op(dentry, _map_files_dentry_operations); > d_add(dentry, inode); > @@ -2372,12 +2370,11 @@ static int proc_pident_instantiate(struct inode *dir, > struct inode *inode; > struct proc_inode *ei; > > - inode = proc_pid_make_inode(dir->i_sb, task); > + inode = proc_pid_make_inode(dir->i_sb, task, p->mode); > if (!inode) > goto out; > > ei = PROC_I(inode); > - inode->i_mode = p->mode; > if (S_ISDIR(inode->i_mode)) > set_nlink(inode, 2);/* Use getattr to fix if necessary */ > if (p->iop) > @@ -3059,11 +3056,10 @@ static int proc_pid_instantiate(struct inode *dir, > { > struct inode *inode; > > - inode = proc_pid_make_inode(dir->i_sb, task); > + inode = proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | > S_IXUGO); > if (!inode) > goto out; > > - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; > inode->i_op = _tgid_base_inode_operations; > inode->i_fop = _tgid_base_operations; > inode->i_flags|=S_IMMUTABLE; > @@ -3352,11 +3348,10 @@ static int proc_task_instantiate(struct inode *dir, > struct dentry *dentry, struct task_struct *task, const void *ptr) > { > struct inode *inode; > - inode = proc_pid_make_inode(dir->i_sb, task); > + inode = proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | > S_IXUGO); > > if (!inode) > goto out; > - inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; > inode->i_op = _tid_base_inode_operations; > inode->i_fop = _tid_base_operations; > inode->i_flags|=S_IMMUTABLE; > diff --git a/fs/proc/fd.c b/fs/proc/fd.c > index d21dafe..4274f83 100644 > --- a/fs/proc/fd.c > +++ b/fs/proc/fd.c 
> @@ -183,14 +183,13 @@ proc_fd_instantiate(struct inode *dir, struct dentry > *dentry, > struct proc_inode *ei; > struct inode *inode; > > - inode = proc_pid_make_inode(dir->i_sb, task); > + inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK); > if (!inode) > goto out; > > ei = PROC_I(inode); > ei->fd = fd; > > - inode->i_mode = S_IFLNK; > inode->i_op = _pid_link_inode_operations; > inode->i_size = 64; > > @@ -322,14 +321,13 @@ proc_fdinfo_instantiate(struct inode *dir, struct > dentry *dentry, > struct proc_inode *ei; > struct inode *inode; > > -
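Review bot: (fs/proc/base.c, proc_pid_make_inode hunk) `inode->i_mode = mode;` is placed right after `ei = PROC_I(inode);`, but the security_task_to_inode() call that the commit message says must now see a valid i_mode lies outside the hunk's context. A one-line comment above the assignment ("must be set before security_task_to_inode()") would keep a later reorder from silently reintroducing the half-initialized inode security struct this series removes.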
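Review bot: (proc_map_files_instantiate hunk) the new call mixes two different `mode`s in one expression: the function's own fmode_t `mode` (tested with FMODE_READ/FMODE_WRITE) feeds the umode_t `mode` parameter just added to proc_pid_make_inode(). The old code had the same overloaded name but kept the two uses apart; computing `umode_t imode = S_IFLNK | ...;` first and passing `imode` keeps the fmode_t-to-umode_t translation readable.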
Re: [RFC] Split up policycoreutils
On Tue, Nov 08, 2016 at 02:42:31PM -0500, Stephen Smalley wrote:
> On 10/31/2016 02:05 PM, Stephen Smalley wrote:
> > On 10/21/2016 01:47 PM, Stephen Smalley wrote:
> >> Hi,
> >>
> >> policycoreutils started life as a small set of utilities that were
> >> necessary or at least widely used in production on a SELinux system.
> >> Over time though it has grown to include many optional components, and
> >> even within a given subdirectory (e.g. sepolicy) there seem to be a
> >> number of components that should be optional (e.g. the dbus service).
> >> I'd like to propose that we move a number of components out of
> >> policycoreutils into their own top-level subdirectory (possibly grouping
> >> some of the related ones together).
> >>
> >> Some possible components to move and the rationale for doing so include:
> >>
> >> - gui: not required for operation. Unsure if this is even used outside
> >> of Fedora, or how widely it is used within Fedora compared to the
> >> command line tools. Packaged separately by Fedora as part of
> >> policycoreutils-gui.
> >>
> >> - mcstrans: not required for operation outside of MLS environments (and
> >> even there, only if using that label encoding functionality), not built
> >> by default even upstream (omitted from policycoreutils/Makefile).
> >> Packaged separately in Fedora as mcstrans.
> >>
> >> - restorecond: not required for operation, adds dbus and glib
> >> dependencies, largely obsoleted by name-based type transition support in
> >> the kernel. Packaged separately in Fedora as policycoreutils-restorecond.
> >>
> >> - sandbox: not required for basic operation of SELinux. Packaged
> >> separately by Fedora as policycoreutils-sandbox.
> >> restorecond
> >> - semodule_deps/expand/link: developer tools only, not required for
> >> operation, unlike semodule. Packaged separately by Fedora as part of
> >> policycoreutils-devel.
> >>
> >> - sepolicy/{org.selinux*,selinux_client.py,selinux_server.py}: D-BUS
> >> service for managing SELinux, not required for basic operation, not
> >> desirable in high security environments. Packaged separately by Fedora
> >> as part of policycoreutils-gui. Could perhaps be combined with the gui
> >> above, although I think they are logically distinct.
> >>
> >> We could of course go further, but those seem to be the most obvious
> >> candidates.
> >>
> >> Thoughts?
> >
> > For discussion purposes, I've pushed a splitpolicycoreutils branch that
> > moves the above components and others identified in the discussion
> > thread, and makes it easy to omit the non-core components from the
> > build. Take a look and see what you think. Known issues:
> >
> > - I did not deal with splitting the policycoreutils/po files and moving
> > them around. Not sure what the best way to handle that is.
> >
> > - python/sepolicy likely needs further rearrangement. I am unclear on
> > the purpose/use of the desktop file and pixmaps; if those are only for
> > the gui, then they can be moved to gui/, but I don't understand why they
> > are called sepolicy* or located here. Also, should
> > python/sepolicy/sepolicy/sedbus.py be moved over to dbus/ or stay here?
> > Dan?
> >
> > - dbus/selinux_client.py (formerly
> > policycoreutils/sepolicy/selinux_client.py) seems like leftover testing
> > cruft. Remove?
> >
> > - restorecond presently reuses source code directly from setfiles, so
> > building it as a separate package may be a nuisance. OTOH, I'm not
> > entirely clear on whether restorecond needs to be kept around at all
> > anymore?
> >
> > - policycoreutils/sepolgen-ifgen contains a single C program,
> > sepolgen-ifgen-attr-helper, that is only used by
> > python/audit2allow/sepolgen-ifgen. Any reason to not just coalesce it
> > into python/audit2allow even though it is not python itself?
> >
> > - After the restructuring, the only script left in policycoreutils is
> > fixfiles. Technically, that's not required for production either as one
> > can always just run setfiles or restorecon directly, but distros seem to
> > rely on it. Is it worth moving just to free policycoreutils of any bash
> > dependencies, and if so, where?
> >
> > - I moved policycoreutils/semodule_{deps,expand,link} into a new
> > semodule-utils directory. This might however be slightly confusing
> > since semodule and semodule_package remain in policycoreutils since they
> > are required and not merely for developers. Feel free to suggest
> > another name or structure. Actually, I guess semodule_package might be
> > optional now with CIL, so perhaps that one can be moved too.
>
> I've made further changes on the splitpolicycoreutils branch based on
> the discussion (as well as rebasing it on latest master). This is a
> call for final comments or objections before merging it to master. With
> the current branch, we will have the following source tar files in a
> release:
>
> Unchanged:
> * libsepol
> * libselinux
> * libsemanage
> * checkpolicy
> * secilc
>
RE: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug
> -Original Message- > From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of Roberts, > William C > Sent: Monday, November 14, 2016 10:44 AM > To: Stephen Smalley; selinux@tycho.nsa.gov > Subject: RE: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug > > > > > -Original Message- > > From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of > > Stephen Smalley > > Sent: Monday, November 14, 2016 9:48 AM > > To: selinux@tycho.nsa.gov > > Cc: Stephen Smalley > > Subject: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug > > > > The combining logic for dontaudit rules was wrong, causing a dontaudit > > A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. > > > > Reported-by: Nick Kralevich > > Signed-off-by: Stephen Smalley > > --- > > libsepol/src/expand.c | 16 > > 1 file changed, 12 insertions(+), 4 deletions(-) > > > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index > > 004a029..d7adbf8 > > 100644 > > --- a/libsepol/src/expand.c > > +++ b/libsepol/src/expand.c > > @@ -1604,7 +1604,8 @@ static int expand_range_trans(expand_state_t * > > state, static avtab_ptr_t find_avtab_node(sepol_handle_t * handle, > >avtab_t * avtab, avtab_key_t * key, > >cond_av_list_t ** cond, > > - av_extended_perms_t *xperms) > > + av_extended_perms_t *xperms, > > + char *alloced) > > { > > avtab_ptr_t node; > > avtab_datum_t avdatum; > > @@ -1658,6 +1659,11 @@ static avtab_ptr_t > > find_avtab_node(sepol_handle_t * handle, > > nl->next = *cond; > > *cond = nl; > > } > > + if (alloced) > > + *alloced = 1; > > + } else { > > + if (alloced) > > + *alloced = 0; > > } > > > > return node; > > @@ -1750,7 +1756,7 @@ static int expand_terule_helper(sepol_handle_t * > > handle, > > return EXPAND_RULE_CONFLICT; > > } > > > > - node = find_avtab_node(handle, avtab, , cond, NULL); > > + node = find_avtab_node(handle, avtab, , cond, NULL, > > NULL); > > if (!node) > > return -1; > > if (enabled) { 
> > @@ -1790,6 +1796,7 @@ static int expand_avrule_helper(sepol_handle_t * > > handle, > > class_perm_node_t *cur; > > uint32_t spec = 0; > > unsigned int i; > > + char alloced; > > > > if (specified & AVRULE_ALLOWED) { > > spec = AVTAB_ALLOWED; > > @@ -1824,7 +1831,8 @@ static int expand_avrule_helper(sepol_handle_t * > > handle, > > avkey.target_class = cur->tclass; > > avkey.specified = spec; > > > > - node = find_avtab_node(handle, avtab, , cond, > > extended_perms); > > + node = find_avtab_node(handle, avtab, , cond, > > + extended_perms, ); > > if (!node) > > return EXPAND_RULE_ERROR; > > if (enabled) { > > @@ -1850,7 +1858,7 @@ static int expand_avrule_helper(sepol_handle_t * > > handle, > > */ > > avdatump->data &= cur->data; > > } else if (specified & AVRULE_DONTAUDIT) { > > - if (avdatump->data) > > + if (!alloced) > > avdatump->data &= ~cur->data; > > else > > avdatump->data = ~cur->data; > > This seems awkward to me. If the insertion created a new empty node why > wouldn't !avdump->data be true (note the addition of the not operator)? I misstated that a bit, but the !avdump->data was the else case. I am really saying why didn't this work before? In my mind, we don't care if its allocated we care if it's set or not. > > Or perhaps a mechanism to actual set the data on allocation, this way the > logic is > Just &=. > > > -- > > 2.7.4 > > > > ___ > > Selinux mailing list > > Selinux@tycho.nsa.gov > > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > > To get help, send an email containing "help" to > > selinux-requ...@tycho.nsa.gov. > > ___ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
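To make the three variants in this thread concrete, here is an added stand-alone C model (not libsepol code) of how the AUDITDENY mask for one key is accumulated across successive dontaudit rules. It assumes a freshly inserted avtab node starts with zeroed data and that checkpolicy hands `*` to the expander as all 32 bits set; the permission bit values are constructed for the example.

```c
/* Added example, not libsepol code: a model of how expand_avrule_helper()
 * accumulates the AUDITDENY mask for one (source, target, class) key.
 * Assumptions: a fresh avtab node starts with data == 0, and checkpolicy
 * expands "*" to all 32 bits set.  Bit values are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PERM_READ  0x1u
#define PERM_WRITE 0x2u
#define PERM_STAR  (~0u)   /* cur->data for "dontaudit A B:C *;" */

enum combine {
    COMBINE_ORIG, /* if (data) data &= ~p; else data = ~p;           */
    COMBINE_V1,   /* data &= ~p;                     (v1, NAKed)     */
    COMBINE_V2    /* if (!alloced) data &= ~p; else data = ~p;  (v2) */
};

/* Minimal avtab node; data is the auditdeny mask (bit set = audit on denial). */
struct avnode {
    int present;
    uint32_t data;
};

/* Model of find_avtab_node(): create the node with zeroed data if it does
 * not exist yet and report through *alloced whether that happened. */
static struct avnode *find_node(struct avnode *n, int *alloced)
{
    *alloced = !n->present;
    if (!n->present) {
        n->present = 1;
        n->data = 0;
    }
    return n;
}

/* Apply one "dontaudit A B:C <perms>;" rule using the selected logic. */
static void apply_dontaudit(struct avnode *n, uint32_t perms, enum combine how)
{
    int alloced;
    struct avnode *node = find_node(n, &alloced);

    switch (how) {
    case COMBINE_ORIG:
        if (node->data)
            node->data &= ~perms;
        else
            node->data = ~perms;
        break;
    case COMBINE_V1:
        node->data &= ~perms;
        break;
    case COMBINE_V2:
        if (!alloced)
            node->data &= ~perms;
        else
            node->data = ~perms;
        break;
    }
}

/* Feed a rule sequence to an empty table and return the final auditdeny mask. */
uint32_t combine_rules(const uint32_t *rules, size_t n, enum combine how)
{
    struct avnode node = { 0, 0 };
    for (size_t i = 0; i < n; i++)
        apply_dontaudit(&node, rules[i], how);
    return node.data;
}

/* The commit message's case: "dontaudit A B:C *;" then "dontaudit A B:C p;". */
uint32_t star_then_perm(enum combine how)
{
    const uint32_t rules[] = { PERM_STAR, PERM_READ };
    return combine_rules(rules, 2, how);
}

/* A lone "dontaudit A B:C p;" on a key that did not exist before. */
uint32_t single_perm(enum combine how)
{
    const uint32_t rules[] = { PERM_READ };
    return combine_rules(rules, 1, how);
}

/* 1 if a denial of perm would be audited under this auditdeny mask. */
int audited_on_denial(uint32_t auditdeny, uint32_t perm)
{
    return (auditdeny & perm) != 0;
}

int main(void)
{
    static const char *names[] = { "original", "v1", "v2" };

    for (int how = COMBINE_ORIG; how <= COMBINE_V2; how++) {
        uint32_t a = star_then_perm((enum combine)how);
        uint32_t b = single_perm((enum combine)how);
        printf("%-8s '*' then p: 0x%08x (write audited: %d)  p alone: 0x%08x (write audited: %d)\n",
               names[how], (unsigned)a, audited_on_denial(a, PERM_WRITE),
               (unsigned)b, audited_on_denial(b, PERM_WRITE));
    }
    return 0;
}
```

Running it shows the original logic re-enabling audit for everything except `p` once a `*` rule has zeroed the mask, v1 dontauditing the whole class after a lone `p` rule, and v2 handling both cases.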
RE: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug
> -Original Message- > From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of Stephen > Smalley > Sent: Monday, November 14, 2016 9:48 AM > To: selinux@tycho.nsa.gov > Cc: Stephen Smalley> Subject: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug > > The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C > *; > rule to be clobbered by a dontaudit A B:C p; rule. > > Reported-by: Nick Kralevich > Signed-off-by: Stephen Smalley > --- > libsepol/src/expand.c | 16 > 1 file changed, 12 insertions(+), 4 deletions(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index > 004a029..d7adbf8 > 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -1604,7 +1604,8 @@ static int expand_range_trans(expand_state_t * state, > static avtab_ptr_t find_avtab_node(sepol_handle_t * handle, > avtab_t * avtab, avtab_key_t * key, > cond_av_list_t ** cond, > -av_extended_perms_t *xperms) > +av_extended_perms_t *xperms, > +char *alloced) > { > avtab_ptr_t node; > avtab_datum_t avdatum; > @@ -1658,6 +1659,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * > handle, > nl->next = *cond; > *cond = nl; > } > + if (alloced) > + *alloced = 1; > + } else { > + if (alloced) > + *alloced = 0; > } > > return node; > @@ -1750,7 +1756,7 @@ static int expand_terule_helper(sepol_handle_t * > handle, > return EXPAND_RULE_CONFLICT; > } > > - node = find_avtab_node(handle, avtab, , cond, NULL); > + node = find_avtab_node(handle, avtab, , cond, NULL, > NULL); > if (!node) > return -1; > if (enabled) { > @@ -1790,6 +1796,7 @@ static int expand_avrule_helper(sepol_handle_t * > handle, > class_perm_node_t *cur; > uint32_t spec = 0; > unsigned int i; > + char alloced; > > if (specified & AVRULE_ALLOWED) { > spec = AVTAB_ALLOWED; 
> @@ -1824,7 +1831,8 @@ static int expand_avrule_helper(sepol_handle_t * > handle, > avkey.target_class = cur->tclass; > avkey.specified = spec; > > - node = find_avtab_node(handle, avtab, , cond, > extended_perms); > + node = find_avtab_node(handle, avtab, , cond, > +extended_perms, ); > if (!node) > return EXPAND_RULE_ERROR; > if (enabled) { > @@ -1850,7 +1858,7 @@ static int expand_avrule_helper(sepol_handle_t * > handle, >*/ > avdatump->data &= cur->data; > } else if (specified & AVRULE_DONTAUDIT) { > - if (avdatump->data) > + if (!alloced) > avdatump->data &= ~cur->data; > else > avdatump->data = ~cur->data; This seems awkward to me. If the insertion created a new empty node why wouldn't !avdump->data be true (note the addition of the not operator)? Or perhaps a mechanism to actual set the data on allocation, this way the logic is Just &=. > -- > 2.7.4 > > ___ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov. ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH 1/1] libsemanage: semanage_seuser_key_create: copy name
On 11/12/2016 07:05 AM, Nicolas Iooss wrote: > When removing a login using semanage with Python 3 the following error > occurs: > > # semanage login -l | grep my_user > my_user user_u > > # semanage login --delete my_user > ValueError: Login mapping for my_user is not defined > > This is due to a use-after-free in the swig-generated code for python3 > bindings. > > Copy the user name in semanage_seuser_key_create() and free it in > semanage_seuser_key_free(), like commit eac6f1f1b512 ("libsepol: > sepol_{bool|iface|user}_key_create: copy name") did. Thanks, applied. > > Signed-off-by: Nicolas Iooss> --- > libsemanage/src/seuser_record.c | 11 --- > 1 file changed, 8 insertions(+), 3 deletions(-) > > diff --git a/libsemanage/src/seuser_record.c b/libsemanage/src/seuser_record.c > index 8823b1ed1c7b..1ed459486228 100644 > --- a/libsemanage/src/seuser_record.c > +++ b/libsemanage/src/seuser_record.c > @@ -33,7 +33,7 @@ struct semanage_seuser { > > struct semanage_seuser_key { > /* This user's name */ > - const char *name; > + char *name; > }; > > int semanage_seuser_key_create(semanage_handle_t * handle, > @@ -48,7 +48,12 @@ int semanage_seuser_key_create(semanage_handle_t * handle, > ERR(handle, "out of memory, could not create seuser key"); > return STATUS_ERR; > } > - tmp_key->name = name; > + tmp_key->name = strdup(name); > + if (!tmp_key->name) { > + ERR(handle, "out of memory, could not create seuser key"); > + free(tmp_key); > + return STATUS_ERR; > + } > > *key_ptr = tmp_key; > return STATUS_SUCCESS; > @@ -75,7 +80,7 @@ hidden_def(semanage_seuser_key_extract) > > void semanage_seuser_key_free(semanage_seuser_key_t * key) > { > - > + free(key->name); > free(key); > } > > ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
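Review bot: (semanage_seuser_key_free hunk) the function now dereferences `key` before freeing it, so a NULL argument, previously a harmless `free(NULL)`, becomes a crash; add `if (!key) return;` ahead of `free(key->name);` if any caller can reach it with a NULL key, for instance a cleanup path taken after semanage_seuser_key_create() failed.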
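As an added illustration, not libsemanage code, the following C models the seuser key before and after this patch. The caller's temporary name buffer is overwritten rather than freed so the lifetime difference is observable without undefined behaviour; the buffer contents, struct and function names are constructed for the example.

```c
/* Added example, not libsemanage code: a lookup key that borrows the
 * caller's name pointer (the old "const char *name") next to one that
 * owns a strdup()ed copy (the patched "char *name").  The caller reuses
 * its temporary instead of freeing it, which is deterministic; the SWIG
 * Python 3 binding freed its temporary, the same lifetime mistake. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_SUCCESS 0
#define STATUS_ERR    (-1)

struct seuser_key_borrowed { const char *name; };   /* before the patch */
struct seuser_key_owned    { char *name; };         /* after the patch  */

static int key_create_borrowed(const char *name, struct seuser_key_borrowed **out)
{
    struct seuser_key_borrowed *k = malloc(sizeof(*k));
    if (!k)
        return STATUS_ERR;
    k->name = name;          /* only a pointer into the caller's memory */
    *out = k;
    return STATUS_SUCCESS;
}

static int key_create_owned(const char *name, struct seuser_key_owned **out)
{
    struct seuser_key_owned *k = malloc(sizeof(*k));
    if (!k)
        return STATUS_ERR;
    k->name = strdup(name);  /* the key now owns its own copy */
    if (!k->name) {
        free(k);
        return STATUS_ERR;
    }
    *out = k;
    return STATUS_SUCCESS;
}

static void key_free_owned(struct seuser_key_owned *k)
{
    if (!k)
        return;
    free(k->name);           /* pairs with the strdup() in key_create_owned */
    free(k);
}

/* A caller builds a key for "my_user" from a temporary buffer, lets the
 * buffer go (here: overwrites it), then performs the lookup.  Returns 1 if
 * the key still names my_user, 0 if it now names something else, -1 on
 * allocation failure. */
int lookup_survives_caller_temporary(int copy_name)
{
    char tmp[32];
    struct seuser_key_borrowed *bk = NULL;
    struct seuser_key_owned *ok = NULL;
    int rc, match;

    strcpy(tmp, "my_user");
    rc = copy_name ? key_create_owned(tmp, &ok) : key_create_borrowed(tmp, &bk);
    if (rc != STATUS_SUCCESS)
        return -1;

    strcpy(tmp, "zz_other");     /* the caller's temporary is gone */

    match = strcmp(copy_name ? ok->name : bk->name, "my_user") == 0;
    key_free_owned(ok);
    free(bk);
    return match;
}

int main(void)
{
    printf("borrowed name: %s\n",
           lookup_survives_caller_temporary(0) ? "found" : "login mapping not defined");
    printf("copied name:   %s\n",
           lookup_survives_caller_temporary(1) ? "found" : "login mapping not defined");
    return 0;
}
```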
[PATCH] libselinux: fix subdir build and usage of cmdline CFLAGS
commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux: support ANDROID_HOST=1 on Mac") broke the ability to run make in the src subdirectory of libselinux (because OS and COMPILER were not defined) and also caused some warning flags that could be overridden via command-line CFLAGS to be mandatory. Fix it. Signed-off-by: Stephen Smalley--- libselinux/src/Makefile | 12 ++-- libselinux/utils/Makefile | 10 +- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 24946ce..76efe49 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -23,6 +23,14 @@ LIBSEPOLA ?= $(LIBDIR)/libsepol.a VERSION = $(shell cat ../VERSION) LIBVERSION = 1 +OS ?= $(shell uname) + +ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) +COMPILER ?= gcc +else +COMPILER ?= clang +endif + LIBA=libselinux.a TARGET=libselinux.so LIBPC=libselinux.pc @@ -67,12 +75,12 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro ifeq ($(COMPILER), gcc) -override CFLAGS += -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nand \ +CFLAGS += -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nand \ -Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \ -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \ -Wno-suggest-attribute=pure -Wno-suggest-attribute=const -Wp,-D_FORTIFY_SOURCE=2 else -override CFLAGS += -Wunused-command-line-argument +CFLAGS += -Wunused-command-line-argument endif ifeq ($(OS), Darwin) diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index a4f9903..7744184 100644 --- a/libselinux/utils/Makefile +++ b/libselinux/utils/Makefile 
@@ -5,6 +5,14 @@ USRBINDIR ?= $(PREFIX)/sbin SBINDIR ?= $(DESTDIR)/sbin INCLUDEDIR ?= $(PREFIX)/include +OS ?= $(shell uname) + +ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),) +COMPILER ?= gcc +else +COMPILER ?= clang +endif + MAX_STACK_SIZE=8192 CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \ -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith \ @@ -26,7 +34,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro ifeq ($(COMPILER), gcc) -override CFLAGS += -fipa-pure-const -Wpacked-bitfield-compat -Wsync-nand -Wcoverage-mismatch \ +CFLAGS += -fipa-pure-const -Wpacked-bitfield-compat -Wsync-nand -Wcoverage-mismatch \ -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \ -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \ -Wno-suggest-attribute=pure -Wno-suggest-attribute=const -- 2.7.4 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
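Review bot: (libselinux/src/Makefile, first hunk) the `ifeq ($(shell $(CC) -v 2>&1 | grep "clang"),)` probes the compiler on every make invocation even when COMPILER was passed on the command line, because `?=` only guards the assignment, not the `ifeq` around it. Wrapping the block in `ifndef COMPILER` (and then a plain `COMPILER := $(if $(shell $(CC) -v 2>&1 | grep clang),clang,gcc)`) skips the redundant probe and keeps the command-line value authoritative.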
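Review bot: (libselinux/src/Makefile, second hunk) replacing `override CFLAGS +=` with `CFLAGS +=` makes the whole gcc block vanish whenever CFLAGS is given on the command line, and that block carries `-Wp,-D_FORTIFY_SOURCE=2`, not only warning flags. If the fortify define is meant as a hardening default rather than a warning preference, keep it on its own `override CFLAGS +=` line (or move it to CPPFLAGS) so that `make CFLAGS=-O2` does not silently drop it.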
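Review bot: (libselinux/utils/Makefile, first hunk) this OS/COMPILER block is a verbatim copy of the one added to src/Makefile, and as noted elsewhere in this thread the subdirectories ship as separate tarballs, so a shared include is awkward. At minimum a comment naming the other copy, or the release-time diff check proposed in the thread, keeps the two from drifting apart.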
[PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug
The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. Reported-by: Nick KralevichSigned-off-by: Stephen Smalley --- libsepol/src/expand.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 004a029..d7adbf8 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -1604,7 +1604,8 @@ static int expand_range_trans(expand_state_t * state, static avtab_ptr_t find_avtab_node(sepol_handle_t * handle, avtab_t * avtab, avtab_key_t * key, cond_av_list_t ** cond, - av_extended_perms_t *xperms) + av_extended_perms_t *xperms, + char *alloced) { avtab_ptr_t node; avtab_datum_t avdatum; @@ -1658,6 +1659,11 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle, nl->next = *cond; *cond = nl; } + if (alloced) + *alloced = 1; + } else { + if (alloced) + *alloced = 0; } return node; @@ -1750,7 +1756,7 @@ static int expand_terule_helper(sepol_handle_t * handle, return EXPAND_RULE_CONFLICT; } - node = find_avtab_node(handle, avtab, , cond, NULL); + node = find_avtab_node(handle, avtab, , cond, NULL, NULL); if (!node) return -1; if (enabled) { @@ -1790,6 +1796,7 @@ static int expand_avrule_helper(sepol_handle_t * handle, class_perm_node_t *cur; uint32_t spec = 0; unsigned int i; + char alloced; if (specified & AVRULE_ALLOWED) { spec = AVTAB_ALLOWED; @@ -1824,7 +1831,8 @@ static int expand_avrule_helper(sepol_handle_t * handle, avkey.target_class = cur->tclass; avkey.specified = spec; - node = find_avtab_node(handle, avtab, , cond, extended_perms); + node = find_avtab_node(handle, avtab, , cond, + extended_perms, ); if (!node) return EXPAND_RULE_ERROR; if (enabled) { 
@@ -1850,7 +1858,7 @@ static int expand_avrule_helper(sepol_handle_t * handle, */ avdatump->data &= cur->data; } else if (specified & AVRULE_DONTAUDIT) { - if (avdatump->data) + if (!alloced) avdatump->data &= ~cur->data; else avdatump->data = ~cur->data; -- 2.7.4 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
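Review bot: (find_avtab_node hunk) `*alloced` is written only on the two paths shown and stays uninitialised when the function returns NULL; the callers in this patch are safe because they bail out on `!node` before reading `alloced`, but initialising it at function entry (`if (alloced) *alloced = 0;`) and dropping the new else branch removes that dependency on caller ordering and shortens the change.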
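Review bot: (AVRULE_DONTAUDIT hunk) the reason for testing `alloced` rather than `avdatump->data` deserves a comment at the branch: after `dontaudit A B:C *;` the auditdeny mask of an existing node is legitimately 0 (every permission dontaudited), so `data == 0` cannot tell "fresh node" from "everything already dontaudited", which is exactly how the original code clobbered the `*` rule. Without that comment the next reader will ask the same "why not test data" question raised in this thread.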
Re: [PATCH] libsepol: fix checkpolicy dontaudit compiler bug
On 11/14/2016 10:59 AM, Stephen Smalley wrote: > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > Reported-by: Nick Kralevich> Signed-off-by: Stephen Smalley Sorry, that's not correct either. NAKing my own patch. > --- > libsepol/src/expand.c | 5 + > 1 file changed, 1 insertion(+), 4 deletions(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index 004a029..cdfb792 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -1850,10 +1850,7 @@ static int expand_avrule_helper(sepol_handle_t * > handle, >*/ > avdatump->data &= cur->data; > } else if (specified & AVRULE_DONTAUDIT) { > - if (avdatump->data) > - avdatump->data &= ~cur->data; > - else > - avdatump->data = ~cur->data; > + avdatump->data &= ~cur->data; > } else if (specified & AVRULE_XPERMS) { > xperms = avdatump->xperms; > if (!xperms) { > ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH] libsepol: fix checkpolicy dontaudit compiler bug
The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. Reported-by: Nick KralevichSigned-off-by: Stephen Smalley --- libsepol/src/expand.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 004a029..cdfb792 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -1850,10 +1850,7 @@ static int expand_avrule_helper(sepol_handle_t * handle, */ avdatump->data &= cur->data; } else if (specified & AVRULE_DONTAUDIT) { - if (avdatump->data) - avdatump->data &= ~cur->data; - else - avdatump->data = ~cur->data; + avdatump->data &= ~cur->data; } else if (specified & AVRULE_XPERMS) { xperms = avdatump->xperms; if (!xperms) { -- 2.7.4 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
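Review bot: the unconditional `avdatump->data &= ~cur->data;` mishandles the case where find_avtab_node() has just created the node: with freshly inserted data of 0 (assumed here; the insertion is outside the hunk), a first `dontaudit A B:C p;` yields `0 & ~p == 0`, so no permission on the class is audited instead of only p. The original code got the fresh-node case right and the existing-node case wrong (the `*` clobbering in the commit message); this version inverts that, so the branch needs to know whether the node is new, not whether data is non-zero.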
Re: [PATCH] Security: selinux - Improvement in code readability when
On Fri, Nov 11, 2016 at 3:48 AM, Shailendra Verma wrote:
> From: "Shailendra Verma"
>
> There is no need to call kfree() if memdup_user() fails, as no memory
> was allocated and the error in the error-valued pointer should be returned.
>
> Signed-off-by: Shailendra Verma
> ---
> security/selinux/selinuxfs.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)

Hello Shailendra,

Thank you for your patch, but I prefer the readability of the code as it currently stands.

--
paul moore
www.paul-moore.com
[PATCH] Security: selinux - Improvement in code readability when
From: "Shailendra Verma"There is no need to call kfree() if memdup_user() fails, as no memory was allocated and the error in the error-valued pointer should be returned. Signed-off-by: Shailendra Verma --- security/selinux/selinuxfs.c |5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 72c145d..b6d0a23 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -1166,7 +1166,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf, length = -EINVAL; if (sscanf(page, "%d", _value) != 1) - goto out; + goto out1; if (new_value) new_value = 1; @@ -1174,9 +1174,10 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf, bool_pending_values[index] = new_value; length = count; +out1: + kfree(page); out: mutex_unlock(_mutex); - kfree(page); return length; } -- 1.7.9.5 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
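Review bot: the split into `out1:` and `out:` is only correct if every `goto out` taken after `page` has been allocated is retargeted to `out1:`; the hunk shows just the sscanf jump being moved, so anyone adding another early exit between the allocation and `out1:` must now remember the second label, whereas the single `kfree(page)` under `out:` covered every path because kfree(NULL) is a no-op (the "unnecessary" call the commit message describes). With the diffstat showing no other changes, the patch trades one harmless free for an extra label and a new leak hazard, which is the readability trade-off the maintainer's reply declines.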
Re: [SECILC] does not seem to filter redundant attributes and rules
On 11/14/2016 11:11 AM, Dominick Grift wrote:
> On 11/09/2016 03:52 PM, James Carter wrote:
>> On 11/09/2016 07:40 AM, Dominick Grift wrote:
>>> I am in the process of a DSSP rewrite, taking a different approach this
>>> time.
>>>
>>> However I encountered something that seems suboptimal:
>>>
>>> SECILC seems to not filter redundant attributes and rules
>>>
>>> Example: I have a type attribute and it has rules associated with it.
>>> However, the type attribute is not associated with any types.
>>>
>>> I was hoping that SECILC would be smart enough to determine that it
>>> might as well filter both the type attribute as well as the rules
>>> associated with it.
>>>
>>> To reproduce:
>>>
>>> git clone https://github.com/DefenSec/dssp1-base.git
>>> cd dssp1-base
>>> secilc `ls *.cil`
>>> sesearch -ASCT -s lib.ld_so.read_files_subj_type_attribute policy.30
>>> seinfo -xalib.ld_so.read_files_subj_type_attribute policy.30
>>>
>>> Am I expecting the impossible by expecting SECILC to be smart enough to
>>> determine that something is redundant, and that it can be filtered out
>>> until it becomes applicable?
>>>
>>
>> I don't think that it would be too hard to remove attributes that have
>> no types associated with them along with rules containing those
>> attributes. I have this nagging feeling, though, that there is a reason
>> that we didn't do that. I'll have to think about it a bit.
>>
>> Jim
>
> Have you given this some thought?
>
> I suspect this could have significant impact.
>
> Consider the following:
>
> CIL encourages the use of attributes to the fullest extent, and with
> dssp1 I have taken this to heart.
>
> This should make dssp1 very scalable. The more an identifier is used
> the greater the potential benefit.
>
> Attributes and templates are at the heart of dssp1 and if the dssp1
> model turns out to work (it is still a work in progress and I don't quite
> see where this is eventually taking me) then this would be a very
> welcome feature.
>
> If you want to see the current state of dssp1:
>
> git clone https://github.com/DefenSec/dssp1-base.git
> cd dssp1-base
> secilc `ls *.cil`
> seinfo policy.30

Here is a 10 minute demo that tries to explain the benefits and the
current drawbacks of this approach (for anyone interested):

https://www.youtube.com/watch?v=MdqjVgjXvM8

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift