On 09/08/2016 01:30 PM, Daniel Cashman wrote:
> From: dcashman
>
> cil_gen_policy() appears to exist to generate a policy.conf corresponding to
> the
> original SELinux HLL from a cil_db struct. All of
> libsepol/cil/src/cil_policy.c
> appears to exist to support this
From: dcashman
The current cil_expr_to_policy() does not properly handle the case where
CIL_OP is at the beginning of an expression. Create a new function,
cil_constraint_expr_to_policy() rather than modifying the original,
since the expression syntax for constraint
From: dcashman
cil_flavor enums stored in cil_list_items are not pointers, but rather
the actual enum value. Remove pointer dereferences on this value to
avoid segfaults.
Signed-off-by: Daniel Cashman
---
libsepol/cil/src/cil_policy.c | 6 +++---
1
From: dcashman
cil_gen_policy() prints a sensitivityorder{}; output statement when
generating its policy.conf file from CIL policy. This omits the
sensitivity declarations, however, and should instead be represented as
a sid declaration block followed by a dominance
> > > +static FILE *open_file(const char *path, const char *suffix,
> > > +char *save_path, size_t len, struct stat *sb) {
> > > + unsigned i;
> > > + int rc;
> > > + char stack_path[len];
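Review bot: `char stack_path[len];` is a variable-length array sized by the caller-supplied `len`, and nothing in the visible lines bounds that value, so a large `len` can exhaust the stack and a `len` of 0 is undefined behaviour. Prefer a fixed-size buffer (for example PATH_MAX) with an explicit check that `len` fits, or allocate on the heap and check the result.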
> >
> > Ew, what is this? C99 magic. Probably just make it PATH_MAX and be
> > done with it.
>
>
> -Original Message-
> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
> Sent: Thursday, September 8, 2016 12:41 PM
> To: Roberts, William C ; selinux@tycho.nsa.gov;
> seandroid-l...@tycho.nsa.gov; jwca...@tycho.nsa.gov
> Subject: Re: [PATCH v2] libselinux:
On Thu, Sep 08, 2016 at 06:59:13PM +, Daniel Jurgens wrote:
> >> Net has variety of means of enforcement, one of which is controlling
> >> access to ports , which is the most like what
> >> I'm doing here.
> > No, the analog the tcp/udp,port number is
> I should have been
On 09/08/2016 03:30 PM, Roberts, William C wrote:
>
>
+ /* Append any given suffix */
+ char *to = stpcpy([current_size], ".");
>>>
>>> Simpler as:
>>> char *to = current + current_size;
>>> *to++ = '.';
>>
>> I don't think this is simpler, but I'll do it.
>
> Doing that as
> > > + /* Append any given suffix */
> > > + char *to = stpcpy([current_size], ".");
> >
> > Simpler as:
> > char *to = current + current_size;
> > *to++ = '.';
>
> I don't think this is simpler, but I'll do it.
Doing that as is gets us this:
==26050== Conditional jump or move depends
On 9/8/2016 1:38 PM, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 05:47:46PM +, Liran Liss wrote:
>
>> This patch-set enables partition-based isolation for Infiniband networks in
>> a very intuitive manner, that's it.
>> IB partitions don't have anything to do with VLANs.
> You guys need
On Thu, Sep 08, 2016 at 10:19:48AM -0600, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote:
>
> > It would have to include the port, but idea of using a device name
> > for this is pretty ugly. makes it very easy to
> > write a policy
On 9/8/2016 1:36 PM, Jason Gunthorpe wrote:
> On Thu, Sep 08, 2016 at 04:44:36PM +, Daniel Jurgens wrote:
>
>> Net has variety of means of enforcement, one of which is controlling
>> access to ports , which is the most like what
>> I'm doing here.
> No, the analog the tcp/udp,port number is
> -Original Message-
> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
> Sent: Thursday, September 8, 2016 8:15 AM
> To: Roberts, William C ; selinux@tycho.nsa.gov;
> seandroid-l...@tycho.nsa.gov; jwca...@tycho.nsa.gov
> Subject: Re: [PATCH v2] libselinux:
> -Original Message-
> From: Janis Danisevskis [mailto:jda...@android.com]
> Sent: Thursday, September 8, 2016 8:52 AM
> To: selinux@tycho.nsa.gov; seandroid-l...@tycho.nsa.gov; s...@tycho.nsa.gov;
> jwca...@tycho.nsa.gov
> Cc: Janis Danisevskis ; Roberts, William C
>
On Thu, Sep 08, 2016 at 05:47:46PM +, Liran Liss wrote:
> This patch-set enables partition-based isolation for Infiniband networks in a
> very intuitive manner, that's it.
> IB partitions don't have anything to do with VLANs.
You guys need to do a better job at supporting the whole
On Thu, Sep 08, 2016 at 04:44:36PM +, Daniel Jurgens wrote:
> Net has variety of means of enforcement, one of which is controlling
> access to ports , which is the most like what
> I'm doing here.
No, the analog the tcp/udp,port number is
> It will work like any other
On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote:
> On 9/7/2016 7:01 PM, ira.weiny wrote:
> > On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote:
> >> On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote:
> >>
> >>> I think to control access to a VLAN for RoCE
On Thu, Sep 08, 2016 at 02:12:48PM +, Daniel Jurgens wrote:
> It would have to include the port, but idea of using a device name
> for this is pretty ugly. makes it very easy to
> write a policy that can be deployed widely.
> could require many
From: Janis Danisevskis
This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.
As of this patch libselinux
On 09/06/2016 08:07 PM, william.c.robe...@intel.com wrote:
> From: William Roberts
>
> The current process_file() code will open the file
> twice on the case of a binary file, correct this.
>
> The general flow through process_file() was a bit
> difficult to read,
On 9/7/2016 7:01 PM, ira.weiny wrote:
> On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote:
>> On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote:
>>
>>> I think to control access to a VLAN for RoCE there would have to
>>> labels for GIDs, since that's how you select which
On Tue, Sep 06, 2016 at 03:55:48PM -0600, Jason Gunthorpe wrote:
> On Tue, Sep 06, 2016 at 08:35:56PM +, Daniel Jurgens wrote:
>
> > I think to control access to a VLAN for RoCE there would have to
> > labels for GIDs, since that's how you select which VLAN to use.
>
> Since people are