[PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range

2018-10-11 Thread James Carter
"+index) for the initial sid. Signed-off-by: James Carter --- libsepol/src/kernel_to_cil.c| 42 + libsepol/src/kernel_to_common.h | 4 libsepol/src/kernel_to_conf.c | 42 + libsepol/src/module_to_cil

[PATCH 4/4] libsepol: Add two new Xen initial SIDs

2018-10-11 Thread James Carter
Xen uses the initial SIDs domU and domDM in its toolstack, so it makes sense to add these to xen_sid_to_str[] in kernel_to_common.h Signed-off-by: James Carter --- libsepol/src/kernel_to_common.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libsepol/src/kernel_to_common.h b/libsepol

[PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c

2018-10-11 Thread James Carter
Since the initial sid strings are defined in kernel_to_common.h, module_to_cil.c can use those and its initial sid string definitions can be removed. Signed-off-by: James Carter --- libsepol/src/module_to_cil.c | 59 +++- 1 file changed, 5 insertions(+), 54

[PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions

2018-10-11 Thread James Carter
are less general and only work with strings, rename those functions from stack_* to strs_stack_*. Signed-off-by: James Carter --- libsepol/src/kernel_to_cil.c| 36 - libsepol/src/kernel_to_common.c | 10 - libsepol/src/kernel_to_common.h | 10

[PATCH 2/2] checkpolicy: Add option to sort ocontexts when creating a binary policy

2018-10-11 Thread James Carter
o maintain backwards compatibility for anyone who might be depending on the unsorted behavior of checkpolicy. Signed-off-by: James Carter --- checkpolicy/checkpolicy.c | 22 +- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/checkpolicy/checkpolicy.c b/checkpolicy

[PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files

2018-10-11 Thread James Carter
[Resending because I originally only sent these to the new list] - Removes some redundant definitions of initial sid name strings - Adds range checking when looking up an initial sid name string for an index - Adds two new Xen initial sids James Carter (4): libsepol: Rename kernel_to_common.c

[PATCH 1/2] libsepol: Create policydb_sort_ocontexts()

2018-10-11 Thread James Carter
or policy.conf format. Signed-off-by: James Carter --- libsepol/include/sepol/policydb/policydb.h | 2 ++ libsepol/src/policydb.c| 5 + 2 files changed, 7 insertions(+) diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h

[PATCH 0/2] libsepol: Add ability to sort ocontexts in libsepol and add option to use it in checkpolicy

2018-10-11 Thread James Carter
to sort ocontexts. James Carter (2): libsepol: Create policydb_sort_ocontexts() checkpolicy: Add option to sort ocontexts when creating a binary policy checkpolicy/checkpolicy.c | 22 +- libsepol/include/sepol/policydb/policydb.h | 2 ++ libsepol

[PATCH 1/1] libsepol/cil: Improve processing of context rules

2018-03-29 Thread James Carter
of meta characters, the stem length, string length and file types are the same. Based on an initial patch by Pierre-Hugues Husson (p...@phh.me) Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_post.c | 331 ++-- 1 file change

[PATCH] libsepol: Prevent freeing uninitialized value in ibendport handling

2018-03-07 Thread James Carter
v_name. This issue is reported by clang's static analyzer with the following message: ibendport_record.c:115:2: warning: 1st function call argument is an uninitialized value free(key->ibdev_name); ^ Signed-off-by: James Carter <jwca...@t

[PATCH] libsepol/cil: Create new keep field for type attribute sets

2017-11-17 Thread James Carter
ermining whether the attribute is to be kept or if it should be expanded. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil.c | 1 + libsepol/cil/src/cil_binary.c| 8 libsepol/cil/src/cil_internal.h | 1 + libsepol/cil/src/cil_policy.c| 2 +- libse

[PATCH] libsepol/cil: Keep attributes used by generated attributes in neverallow rules

2017-08-30 Thread James Carter
ch is used in a neverallow rule will be treated like it was used in a neverallow rule. This does not change the behavior of an expandtypeattribute rule for the attribute. That rule, if it exists, will take precedence. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src

[PATCH] Fixed bad reference in roleattribute

2017-08-17 Thread James Carter
From: Grégoire Colbert "roleattribute" was referencing "typeattributeset", but I believe it should be referencing "roleattributeset" instead. --- secilc/docs/cil_role_statements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH v2] libsepol/cil: Fix bugs when writing policy.conf rules

2017-06-14 Thread James Carter
The typebounds rules should end with a ";". The netifcon and nodecon rules should not end with a ";". The default rules are missing a "_". They should be "default_user", "default_role" and "default_type". Signed-off-by

[PATCH] libsepol/cil: Fix bugs when writing policy.conf rules

2017-06-14 Thread James Carter
The typebounds rules should end with a ";". The netifcon and nodecon rules should not end with a ";". The default rules are missing a "_". They should be "default_usr", "default_role" and "default_type". Signed-off-by: James Carter <

[PATCH v2] libsepol: Fix neverallow bug when checking conditional policy

2017-06-12 Thread James Carter
an additional bit set as well, these rules are not considered to match. The fix is to use a bitwise AND (&) to only check the desired bit. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- v2: Pay attention to precedence rules libsepol/src/assertion.c | 4 ++-- 1 file changed, 2 insert

[PATCH] libsepol: Fix neverallow bug when checking conditional policy

2017-06-09 Thread James Carter
an additional bit set as well, these rules are not considered to match. The fix is to use a bitwise AND (&) to only check the desired bit. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/assertion.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/li

[PATCH 2/2 v2] libsepol: Fix module_to_cil's handling of type aliases

2017-05-31 Thread James Carter
be at the end of the decl_ids list, so now only gather the last scope id. Also, when an alias is used in a module it is required as a type and it will appear in the sym_val_to_name table. When that occurs, just skip the alias when writing out types. Signed-off-by: James Carter <jwca...@tycho.nsa.

[PATCH 1/2 v2] libsepol: Clean up scope handling

2017-05-31 Thread James Carter
checking if an identifier is enabled, only the last scope will be checked (Except for roles and users which allow multiple declarations, they will have to keep the old behavior.) Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- v2: Removed duplicate declaration libsepol/src/avrule_b

[PATCH 2/2] libsepol: Fix module_to_cil's handling of type aliases

2017-05-30 Thread James Carter
be at the end of the decl_ids list, so now only gather the last scope id. Also, when an alias is used in a module it is required as a type and it will appear in the sym_val_to_name table. When that occurs, just skip the alias when writing out types. Signed-off-by: James Carter <jwca...@tycho.nsa.

[PATCH 1/2] libsepol: Clean up scope handling

2017-05-30 Thread James Carter
checking if an identifier is enabled, only the last scope will be checked (Except for roles and users which allow multiple declarations, they will have to keep the old behavior.) Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/avrule_block.

Re: [PATCH v1 5/9] libsepol: Add ibendport ocontext handling

2017-05-17 Thread James Carter
v1: Stephen Smalley: - Removed unused domain and type params from sepol_ibendport_sid. - Remove ibendport initial sid from ocontext_selinux_isid_to_cil - Check the length provide for the device name in ocontext_read_selinux - Used strcmp for dev_name comparison. James Carter: - Added ibendp

Re: [PATCH v1 2/9] libsepol: Add ibpkey ocontext handling

2017-05-17 Thread James Carter
v1: Stephen Smalley: - Removed domain and type params from sepol_ibpkey_sid. - Removed splen param from sepol_ibpkey_sid, it never varied. - Removed extra XPERMS_IOCTL version from policydb_compat_info. - Confirm that low order bytes of IPv6 addr for subnet prefix is 0's. James Carter: - Added ibp

Re: [PATCH 5/9] libsepol: Add ibendport ocontext handling

2017-05-11 Thread James Carter
return POLICYDB_ERROR; + + if (context_write(p, >context[0], fp)) + return POLICYDB_ERROR; + break; case OCON_PORT: buf[0] = c->u.port.protocol; buf[1] = c->u.port.low_port; -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 2/9] libsepol: Add ibpkey ocontext handling

2017-05-11 Thread James Carter
buf[5] = cpu_to_le32(c->u.ibpkey.high_pkey); + + items = put_entry(buf, sizeof(uint32_t), 6, fp); + if (items != 6) + return POLICYDB_ERROR; + + if (context_write(p, >context[0], fp)) + return POLICYDB_ERROR; + break; case OCON_PORT: buf[0] = c->u.port.protocol; buf[1] = c->u.port.low_port; -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

[PATCH v2] libsepol: Expand attributes with TYPE_FLAGS_EXPAND_ATTR_TRUE set

2017-05-10 Thread James Carter
to expand policy rules and remove all type associations for an attribute that has TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the policy, but have no types associated with it.) Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- v2 Just check if each attribute should be ex

Re: [PATCH 01/10] policycoreutils: fixfiles: tidy up usage(), manpage synopsis

2017-05-09 Thread James Carter
.TP -.B \-l logfile -Save the output to the specified logfile -.TP .B \-F Force reset of context to match file_context for customizable files -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH] Add attribute expansion options

2017-05-09 Thread James Carter
244,6 +2244,17 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN cil_println(indent, "(typeattribute %s)", key); } + if (type->flags & TYPE_FLAGS_EXPAND_ATTR) { + cil_indent(indent); + cil_p

[PATCH] libsepol: Expand attributes with TYPE_FLAGS_EXPAND_ATTR_TRUE set

2017-05-09 Thread James Carter
to expand policy rules and remove all type associations for an attribute that has TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the policy, but have no types associated with it.) Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/expand.

Re: [PATCH] Add attribute expansion options

2017-05-05 Thread James Carter
struct policydb *pdb, struct avrule_block *UN cil_println(indent, "(typeattribute %s)", key); } + if (type->flags & TYPE_FLAGS_EXPAND_ATTR) { + cil_indent(indent); + cil_printf("(expandtypeattribute (%s) "

Re: [PATCH 1/6] Revert "policycoreutils: let output of `fixfiles` be redirected (as normal)"

2017-05-05 Thread James Carter
-n $LOGFILE ]; then -echo $1 >> "$LOGFILE" +echo $1 >> $LOGFILE fi } # -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: Policy capabilities: when to use and complications with using

2017-05-03 Thread James Carter
? Jim [1] https://github.com/SELinuxProject/selinux-kernel/issues/13 -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy

2017-04-12 Thread James Carter
On 04/12/2017 03:12 PM, Dominick Grift wrote: On Wed, Apr 12, 2017 at 02:20:32PM -0400, James Carter wrote: On 04/12/2017 09:35 AM, Dominick Grift wrote: On Wed, Apr 12, 2017 at 09:26:17AM -0400, James Carter wrote: On 04/12/2017 02:11 AM, Dominick Grift wrote: On Tue, Apr 11, 2017 at 01:53

[PATCH 1/2 v2] libsepol/cil: Add ability to expand some attributes in binary policy

2017-04-12 Thread James Carter
will be included in the binary policy, it will be expanded when writing AV rules if it has less members than attrs_expand_size. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/include/cil/cil.h | 2 + libsepol/cil/src/cil.c | 12 ++ libsepol/c

[PATCH 2/2 v2] secilc: Add options to control the expansion of attributes

2017-04-12 Thread James Carter
gned to it than SIZE will be expanded when writing AV rules. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- secilc/secil2conf.c | 2 ++ secilc/secilc.8.xml | 10 ++ secilc/secilc.c | 31 ++- 3 files changed, 42 insertions(+), 1 deletion(-) diff -

[PATCH 0/2 v2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy

2017-04-12 Thread James Carter
" U5 - Remove attributes with less than five members: "-X 5" v2: - Use "--expand-generated" and "--expand-size" as options for consistency. - Fixed bug in cil_post.c:__cil_post_db_attr_helper() where cil_typeattribute_used() would not be called if the attribute type bi

Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy

2017-04-12 Thread James Carter
On 04/12/2017 09:35 AM, Dominick Grift wrote: On Wed, Apr 12, 2017 at 09:26:17AM -0400, James Carter wrote: On 04/12/2017 02:11 AM, Dominick Grift wrote: On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote: The number of type attributes included in the binary policy is becoming

Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy

2017-04-12 Thread James Carter
On 04/12/2017 09:26 AM, James Carter wrote: On 04/12/2017 02:11 AM, Dominick Grift wrote: On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote: The number of type attributes included in the binary policy is becoming a performance issue in some cases. This patch set more aggressively

Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy

2017-04-12 Thread James Carter
On 04/12/2017 02:11 AM, Dominick Grift wrote: On Tue, Apr 11, 2017 at 01:53:41PM -0400, James Carter wrote: The number of type attributes included in the binary policy is becoming a performance issue in some cases. This patch set more aggressively removes attributes and gives the options

Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy

2017-04-11 Thread James Carter
On 04/11/2017 01:53 PM, James Carter wrote: The number of type attributes included in the binary policy is becoming a performance issue in some cases. This patch set more aggressively removes attributes and gives the options to expand and remove all auto-generated attributes and all

Re: [PATCH 1/2] libsepol/cil: Add ability to expand some attributes in binary policy

2017-04-11 Thread James Carter
On 04/11/2017 02:46 PM, Dominick Grift wrote: On Tue, Apr 11, 2017 at 08:37:22PM +0200, Dominick Grift wrote: On Tue, Apr 11, 2017 at 01:53:42PM -0400, James Carter wrote: Originally, all type attributes were expanded when building a binary policy. As the policy grew, binary policy sizes

Re: [PATCH 1/2] libsepol/cil: Add ability to expand some attributes in binary policy

2017-04-11 Thread James Carter
On 04/11/2017 02:37 PM, Dominick Grift wrote: On Tue, Apr 11, 2017 at 01:53:42PM -0400, James Carter wrote: Originally, all type attributes were expanded when building a binary policy. As the policy grew, binary policy sizes became too large, so changes were made to keep attributes

[PATCH 1/2] libsepol/cil: Add ability to expand some attributes in binary policy

2017-04-11 Thread James Carter
will be included in the binary policy, it will be expanded when writing AV rules if it has less members than attrs_expand_size. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/include/cil/cil.h | 2 + libsepol/cil/src/cil.c | 12 ++ libsepol/c

[PATCH 2/2] secilc: Add options to control the expansion of attributes

2017-04-11 Thread James Carter
gned to it than SIZE will be expanded when writing AV rules. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- secilc/secil2conf.c | 2 ++ secilc/secilc.8.xml | 10 ++ secilc/secilc.c | 31 ++- 3 files changed, 42 insertions(+), 1 deletion(-) diff -

[PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy

2017-04-11 Thread James Carter
" U5 - Remove attributes with less than five members: "-X 5" James Carter (2): libsepol/cil: Add ability to expand some attributes in binary policy secilc: Add options to control the expansion of attributes libsepol/cil/include/cil/cil.h | 2 + libsepol/cil/src/cil.c

Re: [PATCH 0/3 v3] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-04-05 Thread James Carter
On 03/23/2017 12:48 PM, James Carter wrote: It would sometimes be helpful for debugging or verification purposes to be able to convert a binary policy to a human-readable form. This patchset adds libsepol functions that take a kernel policydb in and outputs either a CIL or policy.conf text

Re: [PATCH v2] libsepol: In module_to_cil create one attribute for each unique set

2017-04-05 Thread James Carter
On 03/29/2017 02:58 PM, James Carter wrote: CIL does not allow type or role sets in certain rules (such as allow rules). It does, however, allow sets in typeattributeset and roleattributeset statements. Because of this, when module_to_cil translates a policy into CIL, it creates a new attribute

Re: [PATCH v2] libsepol: In module_to_cil create one attribute for each unique set

2017-04-05 Thread James Carter
been busy working on another patch that should also help with an excessive number of attributes. Jim -- Nick On Wed, Mar 29, 2017 at 11:58 AM, James Carter <jwca...@tycho.nsa.gov> wrote: CIL does not allow type or role sets in certain rules (such as allow rules). It does, however, allo

Re: userspace object manager confused

2017-03-31 Thread James Carter
On 03/31/2017 10:39 AM, Dominick Grift wrote: On Fri, Mar 31, 2017 at 10:30:22AM -0400, James Carter wrote: On 03/31/2017 10:17 AM, Dominick Grift wrote: On Fri, Mar 31, 2017 at 10:12:50AM -0400, James Carter wrote: On 03/31/2017 10:10 AM, Stephen Smalley wrote: On Fri, 2017-03-31 at 15:59

Re: userspace object manager confused

2017-03-31 Thread James Carter
On 03/31/2017 10:17 AM, Dominick Grift wrote: On Fri, Mar 31, 2017 at 10:12:50AM -0400, James Carter wrote: On 03/31/2017 10:10 AM, Stephen Smalley wrote: On Fri, 2017-03-31 at 15:59 +0200, Dominick Grift wrote: On Fri, Mar 31, 2017 at 09:53:26AM -0400, Stephen Smalley wrote: On Fri, 2017-03

Re: userspace object manager confused

2017-03-31 Thread James Carter
unordered classes to the existing class list, so I am not sure what is going on. Jim -- James Carter <jwca...@tycho.nsa.gov> National Security Agency ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho

[PATCH v2] libsepol: In module_to_cil create one attribute for each unique set

2017-03-29 Thread James Carter
-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/module_to_cil.c | 593 +-- 1 file changed, 283 insertions(+), 310 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 5c98c29..3f633fb 100644 --- a/libsep

Re: [PATCH 1/7] libsepol: do not dereference a NULL pointer when stack_init() fails

2017-03-29 Thread James Carter
free(val1); + if (stack != NULL) { + while ((val1 = stack_pop(stack)) != NULL) { + free(val1); + } + stack_destroy(); } - stack_destroy(); - return rc; } -- James Carter <jwca...@tycho.n

Re: [PATCH] mcstrans: fix typo in mcstransd.8 man page

2017-03-28 Thread James Carter
written by Dan Walsh <dwa...@redhat.com>. -The program was enhanced/rwwritten by Joe Nall <j...@nall.com>. +The program was enhanced/rewritten by Joe Nall <j...@nall.com>. .SH "FILES" /etc/selinux/{SELINUXTYPE}/setrans.conf -- James C

Re: [PATCH] libsepol/cil: Add hexadecimal support for Xen ioportcon statements

2017-03-28 Thread James Carter
On 03/22/2017 03:01 PM, James Carter wrote: Add hexadecimal support for Xen ioportcon statements which was left out of commit c408c70. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> This has been applied. Jim --- libsepol/cil/src/cil_build_ast.c | 6 +++--- 1 file chan

Re: [PATCH 1/2] policycoreutils: fixfiles should handle path arguments more robustly

2017-03-28 Thread James Carter
return fi if [ -n "${FILESYSTEMSRW}" ]; then @@ -400,7 +400,7 @@ else process $command else while [ -n "$1" ]; do - FILEPATH=$1 + FILEPATH="$1" process $command shift done -- James Carter <jwca...@tyc

Re: [PATCH 1/1] libsepol/cil: do not dereference a NULL pointer when calloc() fails

2017-03-28 Thread James Carter
*list = l; - return 0; - -exit: - list_destroy(); - return rc; } static int list_prepend(struct list *list, void *data) -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 1/3] policycoreutils/setfiles: stdout messages don't need program prefix

2017-03-28 Thread James Carter
out = stdout; + } else { + out = stderr; + fprintf(out, "%s: ", r_opts.progname); + } va_start(ap, fmt); rc = vfprintf(out, fmt, ap); va_end(ap); -- James Carter <jwca...@tycho.nsa.

[PATCH] libsepol: In module_to_cil create one attribute for each unique set

2017-03-28 Thread James Carter
-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/module_to_cil.c | 593 +-- 1 file changed, 283 insertions(+), 310 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 6c33b94..4ea8a83 100644 --- a/libsep

[PATCH 3/3 v3] checkpolicy: Add options to convert binary policy to CIL or a policy.conf

2017-03-23 Thread James Carter
Use the same option "-C" used to output CIL from a policy.conf, but now generate CIL from a binary policy instead of giving an error. Use the option "-F" to generate a policy.conf file from a binary policy. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- chec

[PATCH 0/3 v3] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-23 Thread James Carter
in and validatetrans constraint rules for both CIL and policy.conf. - Write constraints in alphabetical order for both CIL and policy.conf - Now continuously creating a policy.conf and then a binary produces an identical binary (although for CIL, secilc will remove unused attributes during the

[PATCH] libsepol/cil: Add hexadecimal support for Xen ioportcon statements

2017-03-22 Thread James Carter
Add hexadecimal support for Xen ioportcon statements which was left out of commit c408c70. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_build_ast.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libsepol/cil/src/cil_build_a

Re: [PATCH 0/3 v2] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-22 Thread James Carter
On 03/21/2017 06:43 PM, Nicolas Iooss wrote: On Mon, Mar 20, 2017 at 4:40 PM, James Carter <jwca...@tycho.nsa.gov> wrote: It would sometimes be helpful for debugging or verification purposes to be able to convert a binary policy to a human-readable form. This patchset adds libsepol fun

Re: [PATCH 0/3] libsepol: Allow hexadecimal numbers in Xen context rules

2017-03-21 Thread James Carter
On 03/20/2017 11:18 AM, James Carter wrote: Allow the use of hexadecimal numbers in iomemcon, ioportcon, and pcidevicecon statements. The use of hexadecimal numbers is often the natural choice for these rules. James Carter (3): libsepol/cil: Allow hexadecimal numbers in Xen context rules

Re: [PATCH 1/1] checkpolicy: dereference rangehead after checking it was not NULL

2017-03-21 Thread James Carter
return -1; -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH] checkpolicy: Fix minor memory leak in checkpolicy

2017-03-21 Thread James Carter
On 03/20/2017 11:14 AM, James Carter wrote: sepol_set_sidtab() is called without calling sepol_sidtab_destroy(). This is not a big deal, since checkpolicy does not run for long, but it does add noise when checking for other, more important, leaks. Call sepol_sidtab_destroy() before exiting

Re: [PATCH 1/1] libsepol/cil: avoid freeing uninitialized values

2017-03-21 Thread James Carter
return rc; } extra_args.db = db; -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 1/1] libsepol/cil: make reporting conflicting type transitions work

2017-03-21 Thread James Carter
_str = typetrans->tgt_str; + trans.obj_str = typetrans->obj_str; + trans.result_str = typetrans->result_str; return __cil_type_rule_to_avtab(pdb, db, , cond_node, cond_flavor); } -- James Carter <jwca...@tycho.nsa.gov> Na

[PATCH 2/3 v2] libsepol: Add ability to convert binary policy to policy.conf file

2017-03-20 Thread James Carter
. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/include/sepol/kernel_to_conf.h |5 + libsepol/src/kernel_to_conf.c | 3043 +++ libsepol/src/libsepol.map.in|1 + 3 files changed, 3049 insertions(+) create mode

[PATCH 1/3 v2] libsepol: Add ability to convert binary policy to CIL

2017-03-20 Thread James Carter
-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/include/sepol/kernel_to_cil.h |5 + libsepol/src/kernel_to_cil.c | 3154 libsepol/src/kernel_to_common.c| 677 +++ libsepol/src/kernel_to_common.h| 114 ++ libsep

[PATCH 3/3 v2] checkpolicy: Add options to convert binary policy to CIL or a policy.conf

2017-03-20 Thread James Carter
Use the same option "-C" used to output CIL from a policy.conf, but now generate CIL from a binary policy instead of giving an error. Use the option "-F" to generate a policy.conf file from a binary policy. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- chec

[PATCH 0/3 v2] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-20 Thread James Carter
d kernel_to_cil.c so they are not accessed without initialization if an error occurs. - Updated checkpolicy manpage to include the new option - Removed commented-out block from checkpolicy.c James Carter (3): libsepol: Add ability to convert binary policy to CIL libsepol: Add ability to convert binary p

[PATCH 2/3] libsepol: Update module_to_cil to output hexadecimal for Xen rules

2017-03-20 Thread James Carter
When generating CIL, use hexadecimal numbers in ioportcon, iomemcon, and pcidevicecon statements. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/module_to_cil.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/libsepol/src/module_to_c

[PATCH 1/3] libsepol/cil: Allow hexadecimal numbers in Xen context rules

2017-03-20 Thread James Carter
", base 8 if the string starts with "0", and base 10 otherwise. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_build_ast.c | 30 +++--- libsepol/cil/src/cil_build_ast.h | 4 ++-- 2 files changed, 17 insertions(+), 17 deletions(-) dif

[PATCH 3/3] libsepol/cil: Use hexadecimal numbers when writing Xen rules

2017-03-20 Thread James Carter
When writing a policy.conf file from CIL source, use hexadecimal numbers in ioportcon, iomemcon, and pcidevicecon rules. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_policy.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/li

[PATCH] checkpolicy: Fix minor memory leak in checkpolicy

2017-03-20 Thread James Carter
sepol_set_sidtab() is called without calling sepol_sidtab_destroy(). This is not a big deal, since checkpolicy does not run for long, but it does add noise when checking for other, more important, leaks. Call sepol_sidtab_destroy() before exiting if not in debug mode. Signed-off-by: James Carter

Re: [PATCH 0/3] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-13 Thread James Carter
On 03/11/2017 03:02 PM, Nicolas Iooss wrote: On Fri, Mar 10, 2017 at 8:49 PM, James Carter <jwca...@tycho.nsa.gov> wrote: It would sometimes be helpful for debugging or verification purposes to be able to convert a binary policy to a human-readable form. This patchset adds libsepol fun

Re: [PATCH 3/3] checkpolicy: Add options to convert binary policy to CIL or a policy.conf

2017-03-13 Thread James Carter
On 03/10/2017 04:04 PM, Stephen Smalley wrote: On Fri, 2017-03-10 at 14:49 -0500, James Carter wrote: Use the same option "-C" used to output CIL from a policy.conf, but now generate CIL from a binary policy instead of giving an error. Use the option "-F" to generate a p

[PATCH 1/3] libsepol: Add ability to convert binary policy to CIL

2017-03-10 Thread James Carter
-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/include/sepol/kernel_to_cil.h |5 + libsepol/src/kernel_to_cil.c | 3149 libsepol/src/kernel_to_common.c| 681 +++ libsepol/src/kernel_to_common.h| 110 ++ libsep

[PATCH 2/3] libsepol: Add ability to convert binary policy to policy.conf file

2017-03-10 Thread James Carter
. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/include/sepol/kernel_to_conf.h |5 + libsepol/src/kernel_to_conf.c | 3014 +++ libsepol/src/libsepol.map.in|1 + 3 files changed, 3020 insertions(+) create mode

[PATCH 0/3] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-10 Thread James Carter
from a binary policy if using the "-C" option and to add the "-F" option to generate policy.conf text from a binary policy. Where possible rules are sorted in alphabetical or numerical order to aid in debugging. James Carter (3): libsepol: Add ability to convert binary poli

[PATCH 3/3] checkpolicy: Add options to convert binary policy to CIL or a policy.conf

2017-03-10 Thread James Carter
Use the same option "-C" used to output CIL from a policy.conf, but now generate CIL from a binary policy instead of giving an error. Use the option "-F" to generate a policy.conf file from a binary policy. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- chec

Re: [PATCH 1/6] restorecond: add noreturn attribute to exitApp()

2017-03-07 Thread James Carter
n__)); extern void read_config(int fd,const char *watch_file); extern int watch(int fd, const char *watch_file); -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 1/6] semodule_package: do not leak memory when using -u or -s

2017-03-01 Thread James Carter
free(file_contexts); free(outfile); free(module); + free(seusers); + free(user_extra); exit(0); } -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: Support for multiple types in typeattribute

2017-02-24 Thread James Carter

Re: [PATCH] sepolgen: strip non-printable characters when parsing audit messages

2017-02-21 Thread James Carter
;\x1c\x1d\x1e\x85") for x in line.split()] for i in rec: found = False if i == "avc:" or i == "message=avc:" or i == "msg='avc:": -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 1/1] libselinux, libsemanage: make PYPREFIX computation more robust

2017-02-21 Thread James Carter
PYTHON ?= python -PYPREFIX ?= $(notdir $(PYTHON)) +PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])') RUBY ?= ruby RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 2/5] libsepol/cil: destroy bitmap when __cil_permx_str_to_int() fails

2017-02-21 Thread James Carter
ebitmap_destroy(bitmap); goto exit; } return SEPOL_OK; exit: + ebitmap_destroy(bitmap); return rc; } -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH] libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST

2017-02-17 Thread James Carter
On 02/08/2017 11:17 AM, James Carter wrote: CIL uses separate cil_tree_node stacks for optionals and blocks to check for statements not allowed in optionals or blocks and to know which optional to disable when necessary. But these stacks were not being destroyed when exiting cil_resolve_ast

[PATCH] libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST

2017-02-08 Thread James Carter
the stacks will be empty, but this is not the case when exiting with an error. Destroy both tree node stacks when exiting to ensure that they are empty. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_resolve_ast.c | 24 1 file changed, 16 inse

Re: [PATCH 1/1] libsepol/cil: fix type confusion in cil_copy_ast

2017-02-08 Thread James Carter
cil_tree_log(NODE(data), CIL_ERR, "Note: conflicting declaration"); + rc = SEPOL_ERR; + goto exit; + } rc = cil_symtab_insert(symtab, ((struct cil_symtab_datum*)orig->data)->name,

Re: [PATCH 1/1] Introduce Travis-CI tests

2017-02-08 Thread James Carter
ror: missing .gitignore entry for/p' | (! grep '^') + + # Clean up everything and show which file would be added to "make clean" + - make clean distclean + - |- +git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (

Re: [PATCH 1/8] libsepol: fix -Wwrite-strings warnings

2017-02-06 Thread James Carter
os && (ebitmap_cardinality(pos) > 0); int has_negative = neg && (ebitmap_cardinality(neg) > 0); char **val_to_name; -- James Carter <jwca...@tycho.nsa.gov> National Security Agency

Re: [PATCH 3/8] policycoreutils/semodule: hide -Wwrite-strings warnings

2017-02-06 Thread James Carter
n" }; + const char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" }; create_signal_handlers(); if (strcmp(basename(argv[0]), "genhomedircon") == 0) { argc = 3; - argv=genhomedirconargv; +

Re: [PATCH 0/5] checkpolicy: Cleanup declare and require functions

2017-02-03 Thread James Carter
On 01/31/2017 02:41 PM, James Carter wrote: Cleanup declare and require functions in module_compiler.c to improve maintainability and clarity. Functionality is not changed. James Carter (5): checkpolicy: Create common function for type declares and requires checkpolicy: Create common

Re: [PATCH 0/5] checkpolicy: Cleanup declare and require functions

2017-02-03 Thread James Carter
On 02/02/2017 06:19 PM, Nicolas Iooss wrote: On Tue, Jan 31, 2017 at 8:41 PM, James Carter <jwca...@tycho.nsa.gov <mailto:jwca...@tycho.nsa.gov>> wrote: Cleanup declare and require functions in module_compiler.c to improve maintainability and clarity. Functionality is

[PATCH 2/2] checkpolicy: Remove unneeded return check in require_symbol()

2017-01-31 Thread James Carter
Since symtab_insert() no longer returns -2 in the case of a declaration of an identifier followed by a require of the same symbol, remove the unneeded check. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/module_compiler.c | 20 ++-- 1 file chan

[PATCH 1/2] libsepol: Return +1 when declaration is followed by a require

2017-01-31 Thread James Carter
means returning +1). Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/policydb.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 5b9b9f0..3cff6d2 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/poli

[PATCH 3/5] checkpolicy: Create common function for user declares and requires

2017-01-31 Thread James Carter
Move common code out of declare_user() and require_user() into the new function create_user(). Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/module_compiler.c | 224 +- 1 file changed, 114 insertions(+), 110 deletions(-) diff

[PATCH] checkpolicy: Improve check for identifier flavor mismatch

2017-01-31 Thread James Carter
type in the same scope. There are no checks if the require comes first and there are no checks for roles. Check for an identifier flavor mismatch for both roles and types whenever a declaration or requirement tries to add an identifier that is already in the symtab. Signed-off-by: James Carter
