Re: [PATCH 0/5] Fix some cil_gen_policy() bugs.

2016-09-08 Thread Daniel Cashman
On 09/08/2016 01:30 PM, Daniel Cashman wrote: > From: dcashman > > cil_gen_policy() appears to exist to generate a policy.conf corresponding to > the > original SELinux HLL from a cil_db struct. All of > libsepol/cil/src/cil_policy.c > appears to exist to support this

[PATCH 5/5] libsepol: cil: Add cil_constraint_expr_to_policy()

2016-09-08 Thread Daniel Cashman
From: dcashman The current cil_expr_to_policy() does not properly handle the case where CIL_OP is at the beginning of an expression. Create a new function, cil_constraint_expr_to_policy() rather than modifying the original, since the expression syntax for constraint

[PATCH 4/5] libsepol: cil: Fix CIL_OP data assignment.

2016-09-08 Thread Daniel Cashman
From: dcashman cil_flavor enums stored in cil_list_items are not pointers, but rather the actual enum value. Remove pointer dereferences on this value to avoid segfaults. Signed-off-by: Daniel Cashman --- libsepol/cil/src/cil_policy.c | 6 +++--- 1

[PATCH 3/5] libsepol: cil: Replace sensitivityorder statement.

2016-09-08 Thread Daniel Cashman
From: dcashman cil_gen_policy() prints a sensitivityorder{}; output statement when generating its policy.conf file from CIL policy. This omits the sensitivity declarations, however, and should instead be represented as a sid declaration block followed by a dominance

RE: [PATCH v2] libselinux: clean up process file

2016-09-08 Thread Roberts, William C
> > > +static FILE *open_file(const char *path, const char *suffix, > > > +char *save_path, size_t len, struct stat *sb) { > > > + unsigned i; > > > + int rc; > > > + char stack_path[len]; > > > > Ew, what is this? C99 magic. Probably just make it PATH_MAX and be > > done with it. > >

RE: [PATCH v2] libselinux: clean up process file

2016-09-08 Thread Roberts, William C
> -Original Message- > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > Sent: Thursday, September 8, 2016 12:41 PM > To: Roberts, William C ; selinux@tycho.nsa.gov; > seandroid-l...@tycho.nsa.gov; jwca...@tycho.nsa.gov > Subject: Re: [PATCH v2] libselinux:

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Jason Gunthorpe
On Thu, Sep 08, 2016 at 06:59:13PM +, Daniel Jurgens wrote: > >> Net has a variety of means of enforcement, one of which is controlling > >> access to ports , which is the most like what > >> I'm doing here. > > No, the analog the tcp/udp,port number is > I should have been

Re: [PATCH v2] libselinux: clean up process file

2016-09-08 Thread Stephen Smalley
On 09/08/2016 03:30 PM, Roberts, William C wrote: > > + /* Append any given suffix */ + char *to = stpcpy([current_size], "."); >>> >>> Simpler as: >>> char *to = current + current_size; >>> *to++ = '.'; >> >> I don't think this is simpler, but I'll do it. > > Doing that as

RE: [PATCH v2] libselinux: clean up process file

2016-09-08 Thread Roberts, William C
> > > + /* Append any given suffix */ > > > + char *to = stpcpy([current_size], "."); > > > > Simpler as: > > char *to = current + current_size; > > *to++ = '.'; > > I don't think this is simpler, but I'll do it. Doing that as is gets us this: ==26050== Conditional jump or move depends

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Daniel Jurgens
On 9/8/2016 1:38 PM, Jason Gunthorpe wrote: > On Thu, Sep 08, 2016 at 05:47:46PM +, Liran Liss wrote: > >> This patch-set enables partition-based isolation for Infiniband networks in >> a very intuitive manner, that's it. >> IB partitions don't have anything to do with VLANs. > You guys need

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread ira.weiny
On Thu, Sep 08, 2016 at 10:19:48AM -0600, Jason Gunthorpe wrote: > On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote: > > > It would have to include the port, but idea of using a device name > > for this is pretty ugly. makes it very easy to > > write a policy

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Daniel Jurgens
On 9/8/2016 1:36 PM, Jason Gunthorpe wrote: > On Thu, Sep 08, 2016 at 04:44:36PM +, Daniel Jurgens wrote: > >> Net has a variety of means of enforcement, one of which is controlling >> access to ports , which is the most like what >> I'm doing here. > No, the analog the tcp/udp,port number is

RE: [PATCH v2] libselinux: clean up process file

2016-09-08 Thread Roberts, William C
> -Original Message- > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > Sent: Thursday, September 8, 2016 8:15 AM > To: Roberts, William C ; selinux@tycho.nsa.gov; > seandroid-l...@tycho.nsa.gov; jwca...@tycho.nsa.gov > Subject: Re: [PATCH v2] libselinux:

RE: [PATCH] libselinux: add support for pcre2

2016-09-08 Thread Roberts, William C
> -Original Message- > From: Janis Danisevskis [mailto:jda...@android.com] > Sent: Thursday, September 8, 2016 8:52 AM > To: selinux@tycho.nsa.gov; seandroid-l...@tycho.nsa.gov; s...@tycho.nsa.gov; > jwca...@tycho.nsa.gov > Cc: Janis Danisevskis ; Roberts, William C >

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Jason Gunthorpe
On Thu, Sep 08, 2016 at 05:47:46PM +, Liran Liss wrote: > This patch-set enables partition-based isolation for Infiniband networks in a > very intuitive manner, that's it. > IB partitions don't have anything to do with VLANs. You guys need to do a better job at supporting the whole

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Jason Gunthorpe
On Thu, Sep 08, 2016 at 04:44:36PM +, Daniel Jurgens wrote: > Net has a variety of means of enforcement, one of which is controlling > access to ports , which is the most like what > I'm doing here. No, the analog the tcp/udp,port number is > It will work like any other

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread ira.weiny
On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote: > On 9/7/2016 7:01 PM, ira.weiny wrote: > > On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote: > >> On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote: > >> > >>> I think to control access to a VLAN for RoCE

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Jason Gunthorpe
On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote: > It would have to include the port, but idea of using a device name > for this is pretty ugly. makes it very easy to > write a policy that can be deployed widely. > could require many

[PATCH] libselinux: add support for pcre2

2016-09-08 Thread Janis Danisevskis
From: Janis Danisevskis This patch moves all pcre1/2 dependencies into the new files regex.h and regex.c implementing the common denominator of features needed by libselinux. The compiler flag -DUSE_PCRE2 toggles between the used implementations. As of this patch libselinux

Re: [PATCH v2] libselinux: clean up process file

2016-09-08 Thread Stephen Smalley
On 09/06/2016 08:07 PM, william.c.robe...@intel.com wrote: > From: William Roberts > > The current process_file() code will open the file > twice on the case of a binary file, correct this. > > The general flow through process_file() was a bit > difficult to read,

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread Daniel Jurgens
On 9/7/2016 7:01 PM, ira.weiny wrote: > On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote: >> On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote: >> >>> I think to control access to a VLAN for RoCE there would have to >>> labels for GIDs, since that's how you select which

Re: [PATCH v3 0/9] SELinux support for Infiniband RDMA

2016-09-08 Thread ira.weiny
On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote: > On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote: > > > I think to control access to a VLAN for RoCE there would have to > > labels for GIDs, since that's how you select which VLAN to use. > > Since people are