"+index) for the initial sid.
Signed-off-by: James Carter
---
libsepol/src/kernel_to_cil.c| 42 +
libsepol/src/kernel_to_common.h | 4
libsepol/src/kernel_to_conf.c | 42 +
libsepol/src/module_to_cil
Xen uses the initial SIDs domU and domDM in its toolstack, so it makes
sense to add these to xen_sid_to_str[] in kernel_to_common.h
Signed-off-by: James Carter
---
libsepol/src/kernel_to_common.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol
Since the initial sid strings are defined in kernel_to_common.h,
module_to_cil.c can use those and its initial sid string definitions
can be removed.
Signed-off-by: James Carter
---
libsepol/src/module_to_cil.c | 59 +++-
1 file changed, 5 insertions(+), 54
are less general and
only work with strings, rename those functions from stack_* to
strs_stack_*.
Signed-off-by: James Carter
---
libsepol/src/kernel_to_cil.c| 36 -
libsepol/src/kernel_to_common.c | 10 -
libsepol/src/kernel_to_common.h | 10
o maintain backwards compatibility for
anyone who might be depending on the unsorted behavior of checkpolicy.
Signed-off-by: James Carter
---
checkpolicy/checkpolicy.c | 22 +-
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy
[Resending because I originally only sent these to the new list]
- Removes some redundant definitions of initial sid name strings
- Adds range checking when looking up an initial sid name string for an index
- Adds two new Xen initial sids
James Carter (4):
libsepol: Rename kernel_to_common.c
or policy.conf format.
Signed-off-by: James Carter
---
libsepol/include/sepol/policydb/policydb.h | 2 ++
libsepol/src/policydb.c| 5 +
2 files changed, 7 insertions(+)
diff --git a/libsepol/include/sepol/policydb/policydb.h
b/libsepol/include/sepol/policydb/policydb.h
to sort ocontexts.
James Carter (2):
libsepol: Create policydb_sort_ocontexts()
checkpolicy: Add option to sort ocontexts when creating a binary
policy
checkpolicy/checkpolicy.c | 22 +-
libsepol/include/sepol/policydb/policydb.h | 2 ++
libsepol
of meta
characters, the stem length, string length and file types are the same.
Based on an initial patch by Pierre-Hugues Husson (p...@phh.me)
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/src/cil_post.c | 331 ++--
1 file change
v_name.
This issue is reported by clang's static analyzer with the following
message:
ibendport_record.c:115:2: warning: 1st function call argument is an
uninitialized value
free(key->ibdev_name);
^
Signed-off-by: James Carter <jwca...@t
ermining whether
the attribute is to be kept or if it should be expanded.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/src/cil.c | 1 +
libsepol/cil/src/cil_binary.c| 8
libsepol/cil/src/cil_internal.h | 1 +
libsepol/cil/src/cil_policy.c| 2 +-
libse
ch is used in a neverallow rule will be treated
like it was used in a neverallow rule.
This does not change the behavior of an expandtypeattribute rule for
the attribute. That rule, if it exists, will take precedence.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/src
From: Grégoire Colbert
"roleattribute" was referencing "typeattributeset", but I believe it should be
referencing "roleattributeset" instead.
---
secilc/docs/cil_role_statements.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
The typebounds rules should end with a ";".
The netifcon and nodecon rules should not end with a ";".
The default rules are missing a "_". They should be "default_user",
"default_role" and "default_type".
Signed-off-by
The typebounds rules should end with a ";".
The netifcon and nodecon rules should not end with a ";".
The default rules are missing a "_". They should be "default_usr",
"default_role" and "default_type".
Signed-off-by: James Carter <
an additional bit set as well, these rules are not
considered to match.
The fix is to use a bitwise AND (&) to only check the desired bit.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
v2: Pay attention to precedence rules
libsepol/src/assertion.c | 4 ++--
1 file changed, 2 insert
an additional bit set as well, these rules are not
considered to match.
The fix is to use a bitwise AND (&) to only check the desired bit.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/src/assertion.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/li
be at the end of the decl_ids list, so now only gather
the last scope id.
Also, when an alias is used in a module it is required as a type and
it will appear in the sym_val_to_name table. When that occurs, just
skip the alias when writing out types.
Signed-off-by: James Carter <jwca...@tycho.nsa.
checking if an identifier is enabled, only the last scope will
be checked (Except for roles and users which allow multiple declarations,
they will have to keep the old behavior.)
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
v2: Removed duplicate declaration
libsepol/src/avrule_b
be at the end of the decl_ids list, so now only gather
the last scope id.
Also, when an alias is used in a module it is required as a type and
it will appear in the sym_val_to_name table. When that occurs, just
skip the alias when writing out types.
Signed-off-by: James Carter <jwca...@tycho.nsa.
checking if an identifier is enabled, only the last scope will
be checked (Except for roles and users which allow multiple declarations,
they will have to keep the old behavior.)
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/src/avrule_block.
v1:
Stephen Smalley:
- Removed unused domain and type params from sepol_ibendport_sid.
- Remove ibendport initial sid from ocontext_selinux_isid_to_cil
- Check the length provided for the device name in ocontext_read_selinux
- Used strcmp for dev_name comparison.
James Carter:
- Added ibendp
v1:
Stephen Smalley:
- Removed domain and type params from sepol_ibpkey_sid.
- Removed splen param from sepol_ibpkey_sid, it never varied.
- Removed extra XPERMS_IOCTL version from policydb_compat_info.
- Confirm that low order bytes of IPv6 addr for subnet prefix is 0's.
James Carter:
- Added ibp
return POLICYDB_ERROR;
+
+ if (context_write(p, >context[0], fp))
+ return POLICYDB_ERROR;
+ break;
case OCON_PORT:
buf[0] = c->u.port.protocol;
buf[1] = c->u.port.low_port;
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
buf[5] = cpu_to_le32(c->u.ibpkey.high_pkey);
+
+ items = put_entry(buf, sizeof(uint32_t), 6, fp);
+ if (items != 6)
+ return POLICYDB_ERROR;
+
+ if (context_write(p, >context[0], fp))
+ return POLICYDB_ERROR;
+ break;
case OCON_PORT:
buf[0] = c->u.port.protocol;
buf[1] = c->u.port.low_port;
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
to expand policy rules
and remove all type associations for an attribute that has
TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the
policy, but have no types associated with it.)
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
v2 Just check if each attribute should be ex
.TP
-.B \-l logfile
-Save the output to the specified logfile
-.TP
.B \-F
Force reset of context to match file_context for customizable files
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
244,6 +2244,17 @@ static int type_to_cil(int indent, struct policydb *pdb,
struct avrule_block *UN
cil_println(indent, "(typeattribute %s)", key);
}
+ if (type->flags & TYPE_FLAGS_EXPAND_ATTR) {
+ cil_indent(indent);
+ cil_p
to expand policy rules
and remove all type associations for an attribute that has
TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the
policy, but have no types associated with it.)
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/src/expand.
struct policydb *pdb,
struct avrule_block *UN
cil_println(indent, "(typeattribute %s)", key);
}
+ if (type->flags & TYPE_FLAGS_EXPAND_ATTR) {
+ cil_indent(indent);
+ cil_printf("(expandtypeattribute (%s) &quo
-n $LOGFILE ]; then
-echo $1 >> "$LOGFILE"
+echo $1 >> $LOGFILE
fi
}
#
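Review bot: The added line, echo $1 >> $LOGFILE, drops the quotes the removed line had around $LOGFILE and still leaves $1 unquoted. In bash a LOGFILE path containing whitespace no longer works as a redirection target, and the message in $1 is word-split and glob-expanded before echo sees it. Suggest: echo "$1" >> "$LOGFILE"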
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
?
Jim
[1] https://github.com/SELinuxProject/selinux-kernel/issues/13
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
On 04/12/2017 03:12 PM, Dominick Grift wrote:
On Wed, Apr 12, 2017 at 02:20:32PM -0400, James Carter wrote:
On 04/12/2017 09:35 AM, Dominick Grift wrote:
On Wed, Apr 12, 2017 at 09:26:17AM -0400, James Carter wrote:
On 04/12/2017 02:11 AM, Dominick Grift wrote:
On Tue, Apr 11, 2017 at 01:53
will be
included in the binary policy, it will be expanded when writing AV
rules if it has less members than attrs_expand_size.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/include/cil/cil.h | 2 +
libsepol/cil/src/cil.c | 12 ++
libsepol/c
gned to it than SIZE will be expanded when writing AV
rules.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
secilc/secil2conf.c | 2 ++
secilc/secilc.8.xml | 10 ++
secilc/secilc.c | 31 ++-
3 files changed, 42 insertions(+), 1 deletion(-)
diff -
"
U5 - Remove attributes with less than five members: "-X 5"
v2:
- Use "--expand-generated" and "--expand-size" as options for consistency.
- Fixed bug in cil_post.c:__cil_post_db_attr_helper() where
cil_typeattribute_used() would not be called if the attribute type bi
On 04/12/2017 09:35 AM, Dominick Grift wrote:
On Wed, Apr 12, 2017 at 09:26:17AM -0400, James Carter wrote:
On 04/12/2017 02:11 AM, Dominick Grift wrote:
On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote:
The number of type attributes included in the binary policy is becoming
On 04/12/2017 09:26 AM, James Carter wrote:
On 04/12/2017 02:11 AM, Dominick Grift wrote:
On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote:
The number of type attributes included in the binary policy is becoming a
performance issue in some cases.
This patch set more aggressively
On 04/12/2017 02:11 AM, Dominick Grift wrote:
On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote:
The number of type attributes included in the binary policy is becoming a
performance issue in some cases.
This patch set more aggressively removes attributes and gives the options
On 04/11/2017 01:53 PM, James Carter wrote:
The number of type attributes included in the binary policy is becoming a
performance issue in some cases.
This patch set more aggressively removes attributes and gives the options to
expand and remove all auto-generated attributes and all
On 04/11/2017 02:46 PM, Dominick Grift wrote:
On Tue, Apr 11, 2017 at 08:37:22PM +0200, Dominick Grift wrote:
On Tue, Apr 11, 2017 at 01:53:42PM -0400, James Carter wrote:
Originally, all type attributes were expanded when building a binary
policy. As the policy grew, binary policy sizes
On 04/11/2017 02:37 PM, Dominick Grift wrote:
On Tue, Apr 11, 2017 at 01:53:42PM -0400, James Carter wrote:
Originally, all type attributes were expanded when building a binary
policy. As the policy grew, binary policy sizes became too large, so
changes were made to keep attributes
will be
included in the binary policy, it will be expanded when writing AV
rules if it has less members than attrs_expand_size.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/include/cil/cil.h | 2 +
libsepol/cil/src/cil.c | 12 ++
libsepol/c
gned to it than SIZE will be expanded when writing AV
rules.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
secilc/secil2conf.c | 2 ++
secilc/secilc.8.xml | 10 ++
secilc/secilc.c | 31 ++-
3 files changed, 42 insertions(+), 1 deletion(-)
diff -
"
U5 - Remove attributes with less than five members: "-X 5"
James Carter (2):
libsepol/cil: Add ability to expand some attributes in binary policy
secilc: Add options to control the expansion of attributes
libsepol/cil/include/cil/cil.h | 2 +
libsepol/cil/src/cil.c
On 03/23/2017 12:48 PM, James Carter wrote:
It would sometimes be helpful for debugging or verification purposes to be able
to convert
a binary policy to a human-readable form.
This patchset adds libsepol functions that take a kernel policydb in and
outputs either
a CIL or policy.conf text
On 03/29/2017 02:58 PM, James Carter wrote:
CIL does not allow type or role sets in certain rules (such as allow
rules). It does, however, allow sets in typeattributeset and
roleattributeset statements. Because of this, when module_to_cil
translates a policy into CIL, it creates a new attribute
been busy working on another patch that should also help with an
excessive number of attributes.
Jim
-- Nick
On Wed, Mar 29, 2017 at 11:58 AM, James Carter <jwca...@tycho.nsa.gov> wrote:
CIL does not allow type or role sets in certain rules (such as allow
rules). It does, however, allo
On 03/31/2017 10:39 AM, Dominick Grift wrote:
On Fri, Mar 31, 2017 at 10:30:22AM -0400, James Carter wrote:
On 03/31/2017 10:17 AM, Dominick Grift wrote:
On Fri, Mar 31, 2017 at 10:12:50AM -0400, James Carter wrote:
On 03/31/2017 10:10 AM, Stephen Smalley wrote:
On Fri, 2017-03-31 at 15:59
On 03/31/2017 10:17 AM, Dominick Grift wrote:
On Fri, Mar 31, 2017 at 10:12:50AM -0400, James Carter wrote:
On 03/31/2017 10:10 AM, Stephen Smalley wrote:
On Fri, 2017-03-31 at 15:59 +0200, Dominick Grift wrote:
On Fri, Mar 31, 2017 at 09:53:26AM -0400, Stephen Smalley wrote:
On Fri, 2017-03
unordered classes to the existing class list, so I am not sure what
is going on.
Jim
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho
-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/src/module_to_cil.c | 593 +--
1 file changed, 283 insertions(+), 310 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 5c98c29..3f633fb 100644
--- a/libsep
free(val1);
+ if (stack != NULL) {
+ while ((val1 = stack_pop(stack)) != NULL) {
+ free(val1);
+ }
+ stack_destroy();
}
- stack_destroy();
-
return rc;
}
--
James Carter <jwca...@tycho.n
written by Dan Walsh <dwa...@redhat.com>.
-The program was enhanced/rwwritten by Joe Nall <j...@nall.com>.
+The program was enhanced/rewritten by Joe Nall <j...@nall.com>.
.SH "FILES"
/etc/selinux/{SELINUXTYPE}/setrans.conf
--
James C
On 03/22/2017 03:01 PM, James Carter wrote:
Add hexadecimal support for Xen ioportcon statements which was
left out of commit c408c70.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
This has been applied.
Jim
---
libsepol/cil/src/cil_build_ast.c | 6 +++---
1 file chan
return
fi
if [ -n "${FILESYSTEMSRW}" ]; then
@@ -400,7 +400,7 @@ else
process $command
else
while [ -n "$1" ]; do
- FILEPATH=$1
+ FILEPATH="$1"
process $command
shift
done
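Review bot: In the while loop, the quotes added in FILEPATH="$1" change nothing by themselves, because the right-hand side of an assignment is not word-split. A path containing spaces is only protected if every later expansion of $FILEPATH is quoted, and the lines shown here do not include those uses; the next line, process $command, still expands $command unquoted. Worth confirming the expansions inside process are quoted as part of this change.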
--
James Carter <jwca...@tyc
*list = l;
-
return 0;
-
-exit:
- list_destroy();
- return rc;
}
static int list_prepend(struct list *list, void *data)
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
out = stdout;
+ } else {
+ out = stderr;
+ fprintf(out, "%s: ", r_opts.progname);
+ }
va_start(ap, fmt);
rc = vfprintf(out, fmt, ap);
va_end(ap);
--
James Carter <jwca...@tycho.nsa.
-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/src/module_to_cil.c | 593 +--
1 file changed, 283 insertions(+), 310 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 6c33b94..4ea8a83 100644
--- a/libsep
Use the same option "-C" used to output CIL from a policy.conf, but now
generate CIL from a binary policy instead of giving an error.
Use the option "-F" to generate a policy.conf file from a binary policy.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
chec
in and validatetrans constraint rules for both
CIL and policy.conf.
- Write constraints in alphabetical order for both CIL and policy.conf
- Now continuously creating a policy.conf and then a binary produces an
identical binary (although for CIL, secilc will remove unused attributes during
the
Add hexadecimal support for Xen ioportcon statements which was
left out of commit c408c70.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/src/cil_build_ast.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libsepol/cil/src/cil_build_a
On 03/21/2017 06:43 PM, Nicolas Iooss wrote:
On Mon, Mar 20, 2017 at 4:40 PM, James Carter <jwca...@tycho.nsa.gov> wrote:
It would sometimes be helpful for debugging or verification purposes to be able
to convert
a binary policy to a human-readable form.
This patchset adds libsepol fun
On 03/20/2017 11:18 AM, James Carter wrote:
Allow the use of hexadecimal numbers in iomemcon, ioportcon, and
pcidevicecon statements. The use of hexadecimal numbers is often
the natural choice for these rules.
James Carter (3):
libsepol/cil: Allow hexadecimal numbers in Xen context rules
return -1;
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
On 03/20/2017 11:14 AM, James Carter wrote:
sepol_set_sidtab() is called without calling sepol_sidtab_destroy().
This is not a big deal, since checkpolicy does not run for long, but
it does add noise when checking for other, more important, leaks.
Call sepol_sidtab_destroy() before exiting
return rc;
}
extra_args.db = db;
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
_str = typetrans->tgt_str;
+ trans.obj_str = typetrans->obj_str;
+ trans.result_str = typetrans->result_str;
return __cil_type_rule_to_avtab(pdb, db, , cond_node,
cond_flavor);
}
--
James Carter <jwca...@tycho.nsa.gov>
Na
.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/include/sepol/kernel_to_conf.h |5 +
libsepol/src/kernel_to_conf.c | 3043 +++
libsepol/src/libsepol.map.in|1 +
3 files changed, 3049 insertions(+)
create mode
-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/include/sepol/kernel_to_cil.h |5 +
libsepol/src/kernel_to_cil.c | 3154
libsepol/src/kernel_to_common.c| 677 +++
libsepol/src/kernel_to_common.h| 114 ++
libsep
Use the same option "-C" used to output CIL from a policy.conf, but now
generate CIL from a binary policy instead of giving an error.
Use the option "-F" to generate a policy.conf file from a binary policy.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
chec
d kernel_to_cil.c so they are not accessed without
initialization if an error occurs.
- Updated checkpolicy manpage to include the new option
- Removed commented-out block from checkpolicy.c
James Carter (3):
libsepol: Add ability to convert binary policy to CIL
libsepol: Add ability to convert binary p
When generating CIL, use hexadecimal numbers in ioportcon,
iomemcon, and pcidevicecon statements.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/src/module_to_cil.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/libsepol/src/module_to_c
", base 8 if the
string starts with "0", and base 10 otherwise.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/src/cil_build_ast.c | 30 +++---
libsepol/cil/src/cil_build_ast.h | 4 ++--
2 files changed, 17 insertions(+), 17 deletions(-)
dif
When writing a policy.conf file from CIL source, use hexadecimal
numbers in ioportcon, iomemcon, and pcidevicecon rules.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/src/cil_policy.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/li
sepol_set_sidtab() is called without calling sepol_sidtab_destroy().
This is not a big deal, since checkpolicy does not run for long, but
it does add noise when checking for other, more important, leaks.
Call sepol_sidtab_destroy() before exiting if not in debug mode.
Signed-off-by: James Carter
On 03/11/2017 03:02 PM, Nicolas Iooss wrote:
On Fri, Mar 10, 2017 at 8:49 PM, James Carter <jwca...@tycho.nsa.gov> wrote:
It would sometimes be helpful for debugging or verification purposes to be able
to convert
a binary policy to a human-readable form.
This patchset adds libsepol fun
On 03/10/2017 04:04 PM, Stephen Smalley wrote:
On Fri, 2017-03-10 at 14:49 -0500, James Carter wrote:
Use the same option "-C" used to output CIL from a policy.conf, but
now
generate CIL from a binary policy instead of giving an error.
Use the option "-F" to generate a p
-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/include/sepol/kernel_to_cil.h |5 +
libsepol/src/kernel_to_cil.c | 3149
libsepol/src/kernel_to_common.c| 681 +++
libsepol/src/kernel_to_common.h| 110 ++
libsep
.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/include/sepol/kernel_to_conf.h |5 +
libsepol/src/kernel_to_conf.c | 3014 +++
libsepol/src/libsepol.map.in|1 +
3 files changed, 3020 insertions(+)
create mode
from a binary policy if using the
"-C" option
and to add the "-F" option to generate policy.conf text from a binary policy.
Where possible rules are sorted in alphabetical or numerical order to aid in
debugging.
James Carter (3):
libsepol: Add ability to convert binary poli
Use the same option "-C" used to output CIL from a policy.conf, but now
generate CIL from a binary policy instead of giving an error.
Use the option "-F" to generate a policy.conf file from a binary policy.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
chec
n__));
extern void read_config(int fd,const char *watch_file);
extern int watch(int fd, const char *watch_file);
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
free(file_contexts);
free(outfile);
free(module);
+ free(seusers);
+ free(user_extra);
exit(0);
}
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
--
James Carter <jwca...@tycho.nsa.gov>
;\x1c\x1d\x1e\x85") for x in line.split()]
for i in rec:
found = False
if i == "avc:" or i == "message=avc:" or i == "msg='avc:":
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
PYTHON ?= python
-PYPREFIX ?= $(notdir $(PYTHON))
+PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" %
sys.version_info[:2])')
RUBY ?= ruby
RUBYPREFIX ?= $(notdir $(RUBY))
PKG_CONFIG ?= pkg-config
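Review bot: The new PYPREFIX line is assigned with ?=, which makes it a recursively expanded variable, so the $(shell $(PYTHON) -c ...) call runs again every time $(PYPREFIX) is expanded instead of once. Consider evaluating it a single time with := inside a guard that only applies when PYPREFIX is not already set, so an override from the environment or command line still wins.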
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
ebitmap_destroy(bitmap);
goto exit;
}
return SEPOL_OK;
exit:
+ ebitmap_destroy(bitmap);
return rc;
}
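Review bot: With ebitmap_destroy(bitmap) added under the exit: label, the error path visible in the context just above still calls ebitmap_destroy(bitmap) right before goto exit, so that path now destroys the bitmap twice. If the earlier call is not removed elsewhere in the patch, drop it so the cleanup lives only at exit:.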
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
On 02/08/2017 11:17 AM, James Carter wrote:
CIL uses separate cil_tree_node stacks for optionals and blocks to
check for statements not allowed in optionals or blocks and to know
which optional to disable when necessary. But these stacks were not
being destroyed when exiting cil_resolve_ast
the stacks will be empty, but this is not the case
when exiting with an error.
Destroy both tree node stacks when exiting to ensure that they are
empty.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/cil/src/cil_resolve_ast.c | 24
1 file changed, 16 inse
cil_tree_log(NODE(data), CIL_ERR, "Note: conflicting
declaration");
+ rc = SEPOL_ERR;
+ goto exit;
+ }
rc = cil_symtab_insert(symtab, ((struct
cil_symtab_datum*)orig->data)->name,
ror: missing .gitignore entry for/p'
| (! grep '^')
+
+ # Clean up everything and show which file would be added to "make clean"
+ - make clean distclean
+ - |-
+git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make
clean distclean" did not remove /' | (
os && (ebitmap_cardinality(pos) > 0);
int has_negative = neg && (ebitmap_cardinality(neg) > 0);
char **val_to_name;
--
James Carter <jwca...@tycho.nsa.gov>
National Security Agency
n" };
+ const char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" };
create_signal_handlers();
if (strcmp(basename(argv[0]), "genhomedircon") == 0) {
argc = 3;
- argv=genhomedirconargv;
+
On 01/31/2017 02:41 PM, James Carter wrote:
Cleanup declare and require functions in module_compiler.c to improve
maintainability and clarity. Functionality is not changed.
James Carter (5):
checkpolicy: Create common function for type declares and requires
checkpolicy: Create common
On 02/02/2017 06:19 PM, Nicolas Iooss wrote:
On Tue, Jan 31, 2017 at 8:41 PM, James Carter <jwca...@tycho.nsa.gov
<mailto:jwca...@tycho.nsa.gov>> wrote:
Cleanup declare and require functions in module_compiler.c to improve
maintainability and clarity. Functionality is
Since symtab_insert() no longer returns -2 in the case of a
declaration of an identifier followed by a require of the same
symbol, remove the unneeded check.
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
checkpolicy/module_compiler.c | 20 ++--
1 file chan
means
returning +1).
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
libsepol/src/policydb.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 5b9b9f0..3cff6d2 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/poli
Move common code out of declare_user() and require_user() into the
new function create_user().
Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
checkpolicy/module_compiler.c | 224 +-
1 file changed, 114 insertions(+), 110 deletions(-)
diff
type in the same scope. There are no checks if the require
comes first and there are no checks for roles.
Check for an identifier flavor mismatch for both roles and types
whenever a declaration or requirement tries to add an identifier
that is already in the symtab.
Signed-off-by: James Carter
1 - 100 of 231 matches