[PATCH 1/2] libselinux/utils: add noreturn attribute to selinux_check_access's usage

2017-05-03 Thread Nicolas Iooss
When building libselinux, clang reports the following warning: selinux_check_access.c:8:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn] While at it, make progname const. Signed-off-by: Nicolas Iooss ---

[PATCH 2/2] libsepol: silence false-positive -Wwrite-strings warning

2017-05-03 Thread Nicolas Iooss
When compiling with -Wwrite-strings, the compiler complains about calling strs_add with a const char* value for a char* parameter (DEFAULT_OBJECT is defined to "object_r"). Silence this warning by casting the literal string to char*. Signed-off-by: Nicolas Iooss ---

Re: [PATCH v6 0/9] SELinux support for Infiniband RDMA

2017-05-03 Thread Daniel Jurgens
On 5/3/2017 9:41 AM, Paul Moore wrote: > On Wed, Nov 23, 2016 at 9:17 AM, Dan Jurgens wrote: >> From: Daniel Jurgens >> >> Infiniband applications access HW from user-space -- traffic is generated >> directly by HW, bypassing the kernel. Consequently,

Re: Policy capabilities: when to use and complications with using

2017-05-03 Thread James Carter
On 05/03/2017 12:14 PM, Stephen Smalley wrote: Looking at adding a map permission for mmap [1], and thinking about whether it needs to be wrapped by a policy capability. On the one hand, we made the open permission depend on a policy capability, but on the other hand, we haven't done that for

Re: semanage: is __default__ login map required?

2017-05-03 Thread Stephen Smalley
On Wed, 2017-05-03 at 15:14 -0400, Stephen Smalley wrote: > On Wed, 2017-05-03 at 13:36 -0400, Arnold, Paul C CTR USARMY PEO STRI > (US) wrote: > > I have been having problems mapping logins since removing > > __default__ from the policy. Is the __default__ login map required in order > >

Re: semanage: is __default__ login map required?

2017-05-03 Thread Stephen Smalley
On Wed, 2017-05-03 at 13:36 -0400, Arnold, Paul C CTR USARMY PEO STRI (US) wrote: > I have been having problems mapping logins since removing > __default__ from the policy. Is the __default__ login map required in order for > semanage to set a new mapping? > > The error, specifically: > > $

semanage: is __default__ login map required?

2017-05-03 Thread Arnold, Paul C CTR USARMY PEO STRI (US)
I have been having problems mapping logins since removing __default__ from the policy. Is the __default__ login map required in order for semanage to set a new mapping? The error, specifically: $ sudo semanage login -a -s existing_u existing_login libsemanage.dbase_llist_query: could not

Re: Policy capabilities: when to use and complications with using

2017-05-03 Thread Stephen Smalley
On Wed, 2017-05-03 at 18:51 +0200, Dominick Grift wrote: > On Wed, May 03, 2017 at 12:14:16PM -0400, Stephen Smalley wrote: > > Looking at adding a map permission for mmap [1], and thinking about > > whether it needs to be wrapped by a policy capability. On the one > > hand, we made the open

Re: Policy capabilities: when to use and complications with using

2017-05-03 Thread Dominick Grift
On Wed, May 03, 2017 at 12:14:16PM -0400, Stephen Smalley wrote: > Looking at adding a map permission for mmap [1], and thinking about > whether it needs to be wrapped by a policy capability. On the one > hand, we made the open permission depend on a policy capability, but on > the other hand, we

Policy capabilities: when to use and complications with using

2017-05-03 Thread Stephen Smalley
Looking at adding a map permission for mmap [1], and thinking about whether it needs to be wrapped by a policy capability. On the one hand, we made the open permission depend on a policy capability, but on the other hand, we haven't done that for other cases where we simply added a check of a new

Re: [PATCH v6 0/9] SELinux support for Infiniband RDMA

2017-05-03 Thread Paul Moore
On Wed, Nov 23, 2016 at 9:17 AM, Dan Jurgens wrote: > From: Daniel Jurgens > > Infiniband applications access HW from user-space -- traffic is generated > directly by HW, bypassing the kernel. Consequently, Infiniband Partitions, > which are associated

MLS on centos 7

2017-05-03 Thread Naina Emmanuel
Good evening sir, - I am working on CENTOS7 and have enabled mls on it, I want to make it in enforcing mode but I am getting 'SELinux is preventing ' logs in /var/log/directory at initial they were 262 and when I try to solve them denial logs are getting much as system is in running

[PATCH 15/19] dbus: Use text streams in selinux_server.py

2017-05-03 Thread Petr Lautrbach
subprocess.Popen called without universal_newlines=True opens stdin, stdout and stderr as binary streams, which causes problems with Python 3. Fixes: Traceback (most recent call last): File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 2773, in unconfined_toggle

[PATCH 19/19] sepolicy/gui: Update text strings to use better gettext templates

2017-05-03 Thread Petr Lautrbach
Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/gui.py | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py index 7f84b6f9..007c94a7 100644 ---

[PATCH 16/19] sepolicy: setools.*Query wants a list in ruletype

2017-05-03 Thread Petr Lautrbach
This fixes a problem introduced in 18410c86 where ruletype is specified as a string not a list. Fixes: >>> sepolicy.get_all_role_allows() Traceback (most recent call last): File "/usr/lib64/python3.6/site-packages/setools/policyrep/util.py", line 60, in lookup return cls(value) File

[PATCH 11/19] sepolicy: Don't return filter(), use [ ] notation instead

2017-05-03 Thread Petr Lautrbach
filter() changed its behavior between python 2 and python 3 Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/__init__.py | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/python/sepolicy/sepolicy/__init__.py

[PATCH 08/19] sepolicy: We should be creating _exec interfaces when we create the domtrans interface

2017-05-03 Thread Petr Lautrbach
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/templates/executable.py | 21 - 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/templates/executable.py

[PATCH 09/19] Fix typo in executable.py template.

2017-05-03 Thread Petr Lautrbach
From: Miroslav Grepl Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/templates/executable.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/templates/executable.py

[PATCH 17/19] sepolicy: Fix several issues in 'sepolicy manpage -a'

2017-05-03 Thread Petr Lautrbach
Fixes: $ sepolicy manpage -a Traceback (most recent call last): File "/usr/bin/sepolicy", line 699, in args.func(args) File "/usr/bin/sepolicy", line 359, in manpage m = ManPage(domain, path, args.root, args.source_files, args.web) File

[PATCH 07/19] sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin

2017-05-03 Thread Petr Lautrbach
From: Miroslav Grepl Signed-off-by: Dan Walsh --- python/sepolicy/sepolicy/templates/executable.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/templates/executable.py

[PATCH 06/19] Fix up generation of application policy

2017-05-03 Thread Petr Lautrbach
From: Dan Walsh Signed-off-by: Dan Walsh --- python/sepolicy/sepolicy-generate.8 | 2 +- python/sepolicy/sepolicy/templates/executable.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy-generate.8

[PATCH 18/19] sepolicy: info() should provide attributes for a TYPE

2017-05-03 Thread Petr Lautrbach
"attributes" used to be there when sepolicy.info() used setools3 Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/__init__.py | 1 + python/sepolicy/sepolicy/manpage.py | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git

[PATCH 10/19] sepolicy: Adapt to new the semodule list output

2017-05-03 Thread Petr Lautrbach
semodule in policycoreutils-2.4 changed the list format. With this patch, org.selinux.semodule_list uses 'semodule --list=full' and the code using this was adapted to the new format. Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1281309 Fixes: File

[PATCH 05/19] policycoreutils/sepolicy: boolean.png is in help/

2017-05-03 Thread Petr Lautrbach
Fixes: (sepolicy:2183): Gtk-WARNING **: Could not load image 'images/booleans.png': Failed to open file '/usr/lib64/python3.4/site-packages/sepolicy/images/booleans.png': No such file or directory Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/sepolicy.glade

[PATCH 14/19] policycoreutils/sepolicy: Define our own cmp()

2017-05-03 Thread Petr Lautrbach
Fixes: Traceback (most recent call last): File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 1447, in stripsort return cmp(val1, val2) NameError: name 'cmp' is not defined Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/gui.py | 10 -- 1

[PATCH 02/19] sepolicy: Fix spelling mistakes in commands in generated manpages

2017-05-03 Thread Petr Lautrbach
Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index 3ebdfeb7..bd5a64ac 100755 ---

[PATCH 04/19] sepolicy: Move svirt man page out of libvirt into its own

2017-05-03 Thread Petr Lautrbach
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index b268680a..4cebb299

[PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS separated domains

2017-05-03 Thread Petr Lautrbach
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 13 + 1 file changed, 13 insertions(+) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index 1af4295c..3ebdfeb7

[PATCH 03/19] sepolicy: Add manpages for typealiased types

2017-05-03 Thread Petr Lautrbach
From: Dan Walsh Signed-off-by: Petr Lautrbach --- python/sepolicy/sepolicy/manpage.py | 45 + 1 file changed, 45 insertions(+) diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py

Several sepolicy fixes from Fedora

2017-05-03 Thread Petr Lautrbach
Hi, this is a set of sepolicy fixes we use in Fedora. There are basically 2 groups of patches: 1. fixes which were pushed to Fedora a few years ago and probably have not been sent upstream [PATCH 01/19] policycoreutils/sepolicy: Add documentation for MCS [PATCH 02/19] sepolicy: Fix spelling