Re: [PATCH 2/2] selinux: wrap AVC state

On Mon, 5 Mar 2018, Stephen Smalley wrote: > Wrap the AVC state within the selinux_state structure and > pass it explicitly to all AVC functions. The AVC private state > is encapsulated in a selinux_avc structure that is referenced > from the selinux_state. > > This change should have no effect

Re: [PATCH 1/2] selinux: wrap selinuxfs state

On Mon, 5 Mar 2018, Stephen Smalley wrote: > Move global selinuxfs state to a per-instance structure (selinux_fs_info), > and include a pointer to the selinux_state in this structure. > Pass this selinux_state to all security server operations, thereby > ensuring that each selinuxfs instance

[PATCH 1/3] libsepol: initialize tmp_key->ibdev_name if its allocation failed

In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name() fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is called to free the memory associated with tmp_key, which results in free() being called on uninitialized tmp_key->ibdev_name. This issue is reported by

[PATCH 2/3] libsepol: cil: show an error when cil_expr_to_string() fails

cil_tree_print_expr() calls cil_expr_to_string() in order to compute a string expression into expr_str. If this function fails, expr_str is left unitialized but its value is dereferenced with: cil_log(CIL_INFO, "%s)", expr_str); Prevent such an issue by checking cil_expr_to_string()'s return

[PATCH 3/3] libsemanage: silence clang static analyzer report

clang's static analyzer reports an out-of-bound array access in semanage_user_roles() when num_roles is zero, with the following statement: strcpy(roles,roles_arr[0]); When num_roles is zero, roles_arr[0] is not uninitialized and roles is the result of malloc(0) so this strcpy is dangerous.

[PATCH 2/2] selinux: wrap AVC state

Wrap the AVC state within the selinux_state structure and pass it explicitly to all AVC functions. The AVC private state is encapsulated in a selinux_avc structure that is referenced from the selinux_state. This change should have no effect on SELinux behavior or APIs (userspace or LSM).

[PATCH 1/2] selinux: wrap selinuxfs state

Move global selinuxfs state to a per-instance structure (selinux_fs_info), and include a pointer to the selinux_state in this structure. Pass this selinux_state to all security server operations, thereby ensuring that each selinuxfs instance presents a view of and acts as an interface to a

Re: libsepol policycap names

On 03/02/2018 01:49 PM, Chris PeBenito wrote: > I've been able to make SETools dynamically link to libsepol.  However, > one challenge is with policycap names.  They're static libsepol, with > nothing that exports them.  Can we either: > > * export the sepol_polcap_getname() function, or > * move

Re: [PATCH] selinux: Fix ltp test connect-syscall failure

On Fri, Mar 02, 2018 at 07:54:34PM +, Richard Haines wrote: > Fix the following error when running regression tests using LTP as follows: > cd /opt/ltp/ > cat runtest/syscalls |grep connect01>runtest/connect-syscall > ./runltp -pq -f connect-syscall > > Running tests... > connect011

[PATCH] selinux: Fix ltp test connect-syscall failure

Fix the following error when running regression tests using LTP as follows: cd /opt/ltp/ cat runtest/syscalls |grep connect01>runtest/connect-syscall ./runltp -pq -f connect-syscall Running tests... connect011 TPASS : bad file descriptor successful connect012 TPASS : invalid

Re: [PATCH] selinux: Fix ltp test connect-syscall failure

On Fri, Mar 2, 2018 at 2:54 PM, Richard Haines wrote: > Fix the following error when running regression tests using LTP as follows: > cd /opt/ltp/ > cat runtest/syscalls |grep connect01>runtest/connect-syscall > ./runltp -pq -f connect-syscall > > Running