On Fri, 2017-06-09 at 14:52 +0200, Christian Göttsche wrote:
> 2017-06-09 14:45 GMT+02:00 Stephen Smalley:
> > Kernel version and config, particularly the CONFIG_SECURITY_SELINUX
> > ones? And are you using any other SELinux-related kernel command
> > line
> > option
On Fri, 2017-06-09 at 13:25 +0200, Laurent Bigonville wrote:
> Hello,
>
> I just got the following bug report in Debian that I've been able to
> reproduce myself:
>
> When booting with a kernel cmdline 'security=selinux' and a
> /etc/selinux/config setting 'SELINUX=disabled', dbus fails to start
On Wed, 2017-06-07 at 19:37 +0200, Dominick Grift wrote:
> Was it intentional to add icmp_socket class? Because this used to be
> rawip_socket. rawip_socket includes more than just icmp (IGMP/OSPF)
> but still I thought that the extended socket classes only applied to
> what is otherwise generic "so
> be displayed for NFSv4.2 mounts mounted with the context= mount
> option.
>
> Signed-off-by: Scott Mayhew
Reviewed-by: Stephen Smalley
Tested-by: Stephen Smalley
Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/35
> ---
> fs/nfs/super.c| 17 ++
On Fri, 2017-06-02 at 22:01 +0200, Petr Lautrbach wrote:
> Fixes:
> $ sepolicy network -d httpd_t
>
> httpd_t: tcp name_connect
> Traceback (most recent call last):
> File /usr/bin/sepolicy, line 699, in
> args.func(args)
> File /usr/bin/sepolicy, line 319, in network
> _print_net(d,
On Fri, 2017-04-21 at 10:04 -0400, Stephen Smalley wrote:
> Hi,
>
> We plan to cut a 2.7-rc1 selinux userspace release in the next week
> or
> so. If you have any additional patches you want included in 2.7,
> please post them to the list soon.
This took longer than antici
On Thu, 2017-06-01 at 16:59 -0400, Scott Mayhew wrote:
> When an NFSv4 client performs a mount operation, it first mounts the
> NFSv4 root and then does path walk to the exported path and performs
> a
> submount on that, cloning the security mount options from the root's
> superblock to the submoun
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854
Reported-by: Russell Coker
Reported-by: Michael Biebl
Reported-by: Laurent Bigonville
Signed-off-by: Stephen Smalley
---
libselinux/src/label.c | 177 +---
libselinux/src/label_fil
On Thu, 2017-06-01 at 14:08 -0400, Stephen Smalley wrote:
> On Thu, 2017-06-01 at 10:55 -0400, Scott Mayhew wrote:
> > On Thu, 01 Jun 2017, Scott Mayhew wrote:
> >
> > > When an NFSv4 client performs a mount operation, it first mounts
> > > the
> > >
On Thu, 2017-06-01 at 10:46 -0400, Scott Mayhew wrote:
> When an NFSv4 client performs a mount operation, it first mounts the
> NFSv4 root and then does path walk to the exported path and performs
> a
> submount on that, cloning the security mount options from the root's
> superblock to the submoun
On Thu, 2017-06-01 at 10:55 -0400, Scott Mayhew wrote:
> On Thu, 01 Jun 2017, Scott Mayhew wrote:
>
> > When an NFSv4 client performs a mount operation, it first mounts
> > the
> > NFSv4 root and then does path walk to the exported path and
> > performs a
> > submount on that, cloning the security
On Tue, 2017-05-30 at 16:21 +0200, bernhard...@lsmod.de wrote:
> From: "Bernhard M. Wiedemann"
>
> when building packages (e.g. for openSUSE Linux)
> (random) filesystem order of input files
> influences ordering of functions in the output,
> thus without the patch, builds (in disposable VMs) wou
On Thu, 2017-06-01 at 15:37 +0200, Laurent Bigonville wrote:
> On 01/06/17 at 15:24, Stephen Smalley wrote:
> > On Thu, 2017-06-01 at 11:29 +0200, Laurent Bigonville wrote:
> > > Hello,
> > >
> > > While investigating a bug about systemd/udev not setting t
On Thu, 2017-06-01 at 09:24 -0400, Stephen Smalley wrote:
> On Thu, 2017-06-01 at 11:29 +0200, Laurent Bigonville wrote:
> > Hello,
> >
> > While investigating a bug about systemd/udev not setting the
> > proper
> > context on the hwdb.bin file, Michael Bie
On Thu, 2017-06-01 at 11:29 +0200, Laurent Bigonville wrote:
> Hello,
>
> While investigating a bug about systemd/udev not setting the proper
> context on the hwdb.bin file, Michael Biebl discovered that
> apparently
> the selabel_lookup_raw() function is not coping properly with paths
> with
>
) __THROW __attribute_malloc__ __wur;
^~
While we are here, fix a few other issues too.
The usage of snprintf was wrong and unnecessary; we just allocated
the string to be the right size, so we should just fill it.
Signed-off-by: Stephen Smalley
---
libsepol/src/module_to_cil.c | 40
th, namelist[i]->d_name);
^~~~~~
Signed-off-by: Stephen Smalley
---
libsemanage/src/semanage_store.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 5642772..6158d08 100644
--- a/libsem
may fall through
[-Wimplicit-fallthrough=]
if (file == NULL) file = "cil";
^
modules.c:605:3: note: here
case SEMANAGE_MODULE_PATH_LANG_EXT:
^~~~
Signed-off-by: Stephen Smalley
---
libselinux/src/regex.c| 4
libsemanage/src/modules.c | 2 ++
libsepol/cil/
On Tue, 2017-05-30 at 23:37 +0200, Nicolas Iooss wrote:
> On Tue, May 30, 2017 at 9:13 PM, James Carter
> wrote:
> > Currently, when checking if an identifier is enabled, each scope in
> > the decl_ids list is checked. This means that if any block that
> > requires the identifier is enabled, then
On Tue, 2017-05-30 at 15:40 -0400, J . Bruce Fields wrote:
> On Tue, May 30, 2017 at 10:38:45AM -0400, Stephen Smalley wrote:
> > On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote:
> > > On Fri, 26 May 2017, Stephen Smalley wrote:
> > >
> > > > On Thu,
On Tue, 2017-05-30 at 17:40 +, Daniel Jurgens wrote:
> On 5/30/2017 12:05 PM, Stephen Smalley wrote:
> > On Tue, 2017-05-30 at 19:34 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens
> > >
> > > New tests for Infiniband endports. Most users do not have
n the new subdir.
>
> Signed-off-by: Daniel Jurgens
>
> ---
> v1:
> - Synchronize interface names with refpolicy changes.
> - Allowed access to unlabeled pkeys vs default pkey, default pkey is
> no
> longer labeled in the refpolicy.
>
> v2:
> Stephen Smalley:
From: "Bernhard M. Wiedemann"
when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.
See https://reproducible-builds.org/ for why this matte
On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote:
> On Fri, 26 May 2017, Stephen Smalley wrote:
>
> > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> > > When the client traverses from filesystem exported without the
> > > "security_lab
On Tue, 2017-05-30 at 16:26 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Signed-off-by: Daniel Jurgens
Thanks, applied.
> ---
> python/semanage/semanage-ibendport.8 | 2 +-
> python/semanage/semanage-ibpkey.8| 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --gi
On Fri, 2017-05-26 at 11:58 -0400, Paul Moore wrote:
> From: Paul Moore
>
> Signed-off-by: Paul Moore
> ---
> tools/check-syntax | 86
>
> 1 file changed, 66 insertions(+), 20 deletions(-)
>
> diff --git a/tools/check-syntax b/tools/check
On Mon, 2017-05-29 at 14:53 -0400, Richard Guy Briggs wrote:
> Hi,
>
> On kernel Access Vector Cache (AVC) initialization, there is an audit
> KERNEL
> type message logged to announce this fact.
>
> The general format of audit messages is label=value pair
> fields. Steve Grubb
> has been a
On Fri, 2017-05-26 at 12:16 -0400, Paul Moore wrote:
> On Fri, May 26, 2017 at 12:15 PM, Stephen Smalley
> wrote:
> > On Fri, 2017-05-26 at 11:58 -0400, Paul Moore wrote:
> > > From: Paul Moore
> > >
> > > The results of running './tools/check-syntax
On Fri, 2017-05-26 at 11:58 -0400, Paul Moore wrote:
> From: Paul Moore
>
> The results of running './tools/check-syntax -f' across the repo.
>
> Signed-off-by: Paul Moore
> ---
> tests/cap_userns/userns_child_exec.c | 455 ++
>
> tests/mmap/mprotect_stack_thr
On Fri, 2017-05-26 at 11:28 -0400, Scott Mayhew wrote:
> On Fri, 26 May 2017, Stephen Smalley wrote:
>
> > On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> > > When the client traverses from filesystem exported without the
> > > "security_lab
On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> Red Hat QE reported that chcon fails over NFSv4.2 on recent kernels.
> The problem is related to how filesystems are mounted in NFSv4.
What kernel version and what is a reproducer for the problem? I don't
seem to see it on e.g. Fedora 25 wi
On Fri, 2017-05-26 at 16:09 +0200, Petr Lautrbach wrote:
> Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and
> spaces
> in indentation, which makes python3.6 unhappy.
Thanks, applied, and also fixed up print statements -> functions.
>
> Signed-off-by: Petr Lautrbach
> ---
> libsema
Signed-off-by: Stephen Smalley
---
python/semanage/seobject.py | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index c97a9f0..70fd192 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
On Thu, 2017-05-25 at 17:07 -0400, Scott Mayhew wrote:
> When the client traverses from filesystem exported without the
> "security_label" option to one exported with the "security_label"
> option, it needs to pass SECURITY_LSM_NATIVE_LABELS to
> security_sb_set_mnt_opts() so that the new superbloc
On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> New tests for Infiniband endports. Most users do not have infiniband
> hardware, and if they do the device names can vary. There is a
> configuration file for enabling the tests and setting environment
> specific co
On Wed, 2017-05-24 at 17:18 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> New tests for infiniband pkeys. Most users don't have Infiniband
> hardware, and if they do the pkey configuration is not standardized.
> There is a configuration file for enabling the test and setting
> environment
e file and mmap
test policies to avoid incorrect denials of map permission
(either ones that cause a test that should succeed to fail,
or ones that would prevent the test from reaching a later
permission check that is being tested).
Signed-off-by: Stephen Smalley
---
policy/test_file.te | 2
May 25, 2017 at 2:21 AM Dominick Grift wrote:
> > On Thu, May 25, 2017 at 07:49:19AM +0200, Dominick Grift wrote:
> > > On Wed, May 24, 2017 at 04:11:44PM -0400, Stephen Smalley wrote:
> > > > On Wed, 2017-05-24 at 14:08 +0200, Dominick Grift wrote:
>
On Mon, 2017-05-22 at 23:45 +0200, Nicolas Iooss wrote:
> When a function called by sepol_module_policydb_to_cil() fails before
> role_list_create() has been called, role_list is still NULL but is
> dereferenced in role_list_destroy(). Here is a gdb session on hll/pp:
>
> Unknown value for han
On Mon, 2017-05-22 at 16:08 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Update the main man page and add specific pages for ibpkeys and
> ibendports.
Thanks, applied all nine. I did notice that you left Dan Walsh as the
author of the man pages you added though; feel free to submit a pa
On Wed, 2017-05-24 at 16:53 +0200, Dominick Grift wrote:
> On Wed, May 24, 2017 at 04:33:16PM +0200, Dominick Grift wrote:
> > On Wed, May 24, 2017 at 04:22:08PM +0200, Petr Lautrbach wrote:
> > > For the motivation see
> > > https://marc.info/?l=selinux&m=149435307518336&w=2
> >
> > Thanks! I ena
On Wed, 2017-05-24 at 14:08 +0200, Dominick Grift wrote:
> I was looking again at ioctl whitelisting, and excuse me if I
> overlooked some documentation, but I am having a hard time
> implementing this.
> what I did was I just wanted to basically test blacklisting a single
> ioctl (no particular on
On Sat, 2017-05-20 at 12:11 +0200, Nicolas Iooss wrote:
> When allocating an array with calloc(), the first argument usually is
> the number of items and the second one the size of an item. Doing so
> silences a warning reported by clang's static analyzer:
>
> kernel_to_cil.c:2050:14: warning:
On Tue, 2017-05-23 at 18:29 +0200, Sebastien Buisson wrote:
> Hi,
>
> 2017-05-18 23:49 GMT+02:00 Paul Moore:
> > My apologies to you and Sebastien for not reviewing these patches
> > sooner.
>
> It is ok, no problem.
> Thanks for all the advice from you and Stephen. I will try to take
> all
> th
On Mon, 2017-05-22 at 15:30 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > > > On Mon, May 2
On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift
On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift wrote:
> > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> On Mon, May 22, 2017 at 11:23 AM, Dominick Grift wrote:
> > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
>
On Mon, 2017-05-22 at 20:23 +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > rela
On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> related
> to Apache httpd that I just can't figure out. I have always been
> able
> to tune policy or alter a boolean, this one has me stumped!
>
> What I am trying to do: I
'labeling_behaviors'
> is not needed and will not be emitted
> [-Werror,-Wunneeded-internal-declaration]
>
> Signed-off-by: Matthias Kaehlcke
Acked-by: Stephen Smalley
> ---
> security/selinux/hooks.c | 16
> 1 file changed, 16 deletions(-
On Fri, 2017-05-19 at 11:09 -0400, Paul Moore wrote:
> On Thu, May 18, 2017 at 3:07 PM, Matthias Kaehlcke
> wrote:
> > The array is only referenced in an ARRAY_SIZE() statement. Adding
> > the
> > attribute fixes the following warning when building with clang:
> >
> > security/selinux/hooks.c:338
, and delete pkeys.
>
> Signed-off-by: Daniel Jurgens
>
> ---
> v1:
> Fixed semanage_pkey_exists -> semanage_ibpkey_exists in delete flow
> in
> seobject.py
>
> Stephen Smalley:
> - Subnet prefix can't vary in size (always 16 bytes); remove size
> field.
On Fri, 2017-05-19 at 14:22 +0200, Vit Mojzis wrote:
> On 5.5.2017 22:32, Stephen Smalley wrote:
> > On Fri, 2017-05-05 at 14:49 +0200, Vit Mojzis wrote:
> > > access() uses real UID instead of effective UID which causes
> > > false
> > > negative checks in s
extended_socket_class=1
SELinux: policy capability always_check_network=0
SELinux: policy capability cgroup_seclabel=0
SELinux: unknown policy capability 5
Resolves: https://github.com/SELinuxProject/selinux-kernel/issues/32
Signed-off-by: Stephen Smalley
---
security/selinux/include/security.h
On Thu, 2017-05-18 at 12:45 -0400, Stephen Smalley wrote:
> On Thu, 2017-05-18 at 12:04 -0400, Paul Moore wrote:
> > On Fri, May 12, 2017 at 12:41 PM, Stephen Smalley wrote:
> > > open permission is currently only defined for files in the kernel
> >
On Thu, 2017-05-18 at 12:04 -0400, Paul Moore wrote:
> On Fri, May 12, 2017 at 12:41 PM, Stephen Smalley
> wrote:
> > open permission is currently only defined for files in the kernel
> > (COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS).
> > Construction of
> >
On Thu, 2017-05-18 at 10:01 -0400, Stephen Smalley wrote:
> On Wed, 2017-05-17 at 18:19 -0400, Paul Moore wrote:
> > On Wed, May 17, 2017 at 1:09 PM, Sebastien Buisson
> > wrote:
> > > Add policybrief field to struct policydb. It holds a brief info
> > > of the
On Wed, 2017-05-17 at 18:19 -0400, Paul Moore wrote:
> On Wed, May 17, 2017 at 1:09 PM, Sebastien Buisson
> wrote:
> > Add policybrief field to struct policydb. It holds a brief info
> > of the policydb, made of colon separated name and value pairs
> > that give information about how the policy is
On Wed, 2017-05-17 at 22:53 +0200, Nicolas Iooss wrote:
> Since commit 58962eb3d847 ("libsepol,checkpolicy: add binary module
> support for xperms") function display_avrule() has been using its "p"
> argument even though it was previously marked unused. This makes
> clang
> report:
>
> policyd
On Wed, 2017-05-17 at 22:51 +0200, Nicolas Iooss wrote:
> Memory allocation failures in selabel_subs_init() should be fatal,
> contrary to failures which come from the non-existence of the
> substitution files (subs or subs_dist).
>
> Modify selabel_subs_init()'s prototype in order to return the e
On Wed, 2017-05-17 at 22:57 +0200, Nicolas Iooss wrote:
> On Wed, May 17, 2017 at 10:53 PM, Nicolas Iooss wrote:
> > Since commit 58962eb3d847 ("libsepol,checkpolicy: add binary module
> > support for xperms") function display_avrule() has been using its
> > "p"
> > argument even though it was
On Wed, 2017-05-17 at 15:39 -0400, Paul Moore wrote:
> On Wed, May 17, 2017 at 9:17 AM, Stephen Smalley
> wrote:
> > On Tue, 2017-05-16 at 17:19 -0400, Paul Moore wrote:
> > > On Tue, May 16, 2017 at 5:11 PM, Stephen Smalley wrote:
>
>
On Thu, 2017-05-18 at 02:09 +0900, Sebastien Buisson wrote:
> Add policybrief field to struct policydb. It holds a brief info
> of the policydb, made of colon separated name and value pairs
> that give information about how the policy is applied in the
> security module(s).
> Note that the ordering
On Wed, 2017-05-17 at 16:59 +0200, Sebastien Buisson wrote:
> 2017-05-16 22:40 GMT+02:00 Stephen Smalley:
> > > + strcpy(*brief, policydb.policybrief);
> > > + /* *len is the length of the output string */
> > > + *len = policybrief_len - 1;
> >
or the kernel.
Signed-off-by: Stephen Smalley
---
policy/Makefile | 6 ++
policy/test_ioctl_xperms.te | 18 ++
tests/ioctl/test| 33 +++--
3 files changed, 55 insertions(+), 2 deletions(-)
create mode 100644
On Tue, 2017-05-16 at 17:19 -0400, Paul Moore wrote:
> On Tue, May 16, 2017 at 5:11 PM, Stephen Smalley
> wrote:
> > On Tue, 2017-05-16 at 16:56 -0400, Paul Moore wrote:
> > > On Fri, May 12, 2017 at 12:44 PM, Stephen Smalley wrote:
kernel policy. This test is required to
exercise the legacy link/expand code path for binary modules that predated
CIL.
Signed-off-by: Stephen Smalley
---
v2 updates the dismod code to convert the av_extended_perms_t structure
from the avrule to an equivalent avtab_extended_perms_t structure
On Tue, 2017-05-16 at 16:56 -0400, Paul Moore wrote:
> On Fri, May 12, 2017 at 12:44 PM, Stephen Smalley
> wrote:
> > Log the state of SELinux policy capabilities when a policy is
> > loaded.
> > For each policy capability known to the kernel, log an
> > information
On Tue, 2017-05-16 at 18:51 +0900, Sebastien Buisson wrote:
> Add policybrief field to struct policydb. It holds a brief info
> of the policydb, made of colon separated name and value pairs
> that give information about how the policy is applied in the
> security module(s).
> Note that the ordering
On Tue, 2017-05-16 at 19:34 +, Daniel Jurgens wrote:
> On 5/16/2017 2:30 PM, Stephen Smalley wrote:
> > On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens
> > >
> > > Update libsepol and libsemanage to work with pkey record
, and delete pkeys.
>
> Signed-off-by: Daniel Jurgens
>
> ---
> v1:
> Fixed semanage_pkey_exists -> semanage_ibpkey_exists in delete flow
> in
> seobject.py
>
> Stephen Smalley:
> - Subnet prefix can't vary in size (always 16 bytes); remove size
> field.
On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Add checkpolicy support for scanning and parsing ibendportcon labels.
> Also create a new ocontext for IB end ports.
>
> Signed-off-by: Daniel Jurgens
>
> ---
> v1:
> Stephen Sma
On Tue, 2017-05-16 at 14:43 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote:
> > From: Daniel Jurgens
> >
> > Add support for reading, writing, and copying Infinabinda Pkey
>
> Infiniband
>
> > ocontext
> > data. A
On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Add support for reading, writing, and copying Infinabinda Pkey
Infiniband
> ocontext
> data. Also add support for querying a Pkey sid to checkpolicy.
>
> Signed-off-by: Daniel Jurgens
>
d-off-by: Daniel Jurgens
>
> ---
> v1:
> Stephen Smalley:
> - Always use s6_addr instead of s6_addr32.
> - Add comment about POLICYDB_VERSION_INFINIBAND being linux specific.
>
> Signed-off-by: Daniel Jurgens
> ---
> checkpolicy/policy_define.c
On Tue, 2017-05-16 at 03:22 +0900, Sebastien Buisson wrote:
> Add policybrief field to struct policydb. It holds a brief info
> of the policydb, made of colon separated name and value pairs
> that give information about how the policy is applied in the
> security module(s).
> Note that the ordering
On Fri, 2017-05-12 at 22:13 +0200, Nicolas Iooss wrote:
> selabel_subs_init() returned without closing cfg when a call to
> fstat()
> failed. Fix this.
>
> Signed-off-by: Nicolas Iooss
Thanks, applied both patches.
> ---
> libselinux/src/label.c | 2 +-
> 1 file changed, 1 insertion(+), 1 dele
kernel policy. This test is required to
exercise the legacy link/expand code path for binary modules that predated
CIL.
Signed-off-by: Stephen Smalley
---
checkpolicy/test/dismod.c | 9
libsepol/include/sepol/policydb/policydb.h | 3 +-
libsepol/src/link.c
On Fri, 2017-05-12 at 15:02 -0700, William Roberts wrote:
>
>
> On Fri, May 12, 2017 at 1:26 PM, Nicolas Iooss wrote:
> > Hi,
> >
> > Currently libselinux/src/label.c defines selabel_subs_init() like
> > this [1]:
> >
> > struct selabel_sub *selabel_subs_init(/* ... */)
> > {
> >
On Thu, 2017-05-11 at 22:51 +, Daniel Jurgens wrote:
> On 5/10/2017 2:22 PM, Stephen Smalley wrote:
> > On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> > > From: Daniel Jurgens
> > >
> > >
> > > libsepol/src/ibpkeys.c
-by: Stephen Smalley
---
v2 drops the Resolves line since I think we are not supposed to include
bug tracking info in upstream kernel commit messages (correct me if wrong).
security/selinux/include/security.h | 2 ++
security/selinux/selinuxfs.c| 13 ++---
security/selinux/ss
-by: Stephen Smalley
---
security/selinux/hooks.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e67a526..dd356ed 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2063,8 +2063,9
On Fri, 2017-05-05 at 09:14 -0400, Stephen Smalley wrote:
> Add a map permission check on mmap so that we can distinguish memory
> mapped
> access (since it has different implications for revocation). When a
> file
> is opened and then read or written via syscalls like
> read
: #32
Signed-off-by: Stephen Smalley
---
security/selinux/include/security.h | 2 ++
security/selinux/selinuxfs.c| 13 ++---
security/selinux/ss/services.c | 23 +++
3 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/security/selinux/include
On Thu, 2017-05-11 at 16:50 -0700, Tom Cherry via Selinux wrote:
> This check is not specific to Android devices. If libselinux were
> used
> with Bionic on a normal Linux system this check would still be
> needed.
>
> Signed-off-by: Tom Cherry
Thanks, applied. This was actually switched from A
On Thu, 2017-05-11 at 08:56 -0700, Casey Schaufler wrote:
> On 5/11/2017 5:59 AM, Sebastien Buisson wrote:
> > Add policybrief field to struct policydb. It holds a brief info
> > of the policydb, in the following form:
> > <0 or 1 for enforce>:<0 or 1 for checkreqprot>:=
> > Policy brief is compute
On Thu, 2017-05-11 at 21:59 +0900, Sebastien Buisson wrote:
> Add policybrief field to struct policydb. It holds a brief info
> of the policydb, in the following form:
> <0 or 1 for enforce>:<0 or 1 for checkreqprot>:=
> Policy brief is computed every time the policy is loaded, and when
> enforce o
On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Update libsepol and libsemanage to work with pkey records. Add local
> storage for new and modified pkey records in pkeys.local. Update
> semanage
> to parse the pkey command options to add, modify, and delete pkeys.
On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Add support for reading, writing, and copying IB end port ocontext
> data.
> Also add support for querying a IB end port sid to checkpolicy.
>
> Signed-off-by: Daniel Jurgens
> ---
> checkpolicy/checkpolicy.c
On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Add checkpolicy support for scanning and parsing ibendportcon labels.
> Also create a new ocontext for IB end ports.
>
> Signed-off-by: Daniel Jurgens
> ---
> checkpolicy/policy_define.c| 70
> ++
On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Add support for reading, writing, and copying Infinabinda Pkey
s/Infinabinda/Infiniband/
> ocontext
> data. Also add support for querying a Pkey sid to checkpolicy.
>
> Signed-off-by: Daniel Jurgens
> ---
> che
On Tue, 2017-05-09 at 23:50 +0300, Dan Jurgens wrote:
> From: Daniel Jurgens
>
> Add checkpolicy support for scanning and parsing ibpkeycon labels.
> Also
> create a new ocontext for Infiniband Pkeys and define a new policydb
> version for infiniband support.
>
> Signed-off-by: Daniel Jurgens
>
s6_addr32 is not portable; use s6_addr instead.
This obviates the need for #ifdef __APPLE__ conditionals in these cases.
Signed-off-by: Stephen Smalley
---
checkpolicy/policy_define.c | 6 --
libsepol/src/node_record.c | 8
2 files changed, 14 deletions(-)
diff --git a
On Tue, 2017-05-09 at 17:44 -0400, Paul Moore wrote:
> On Tue, May 9, 2017 at 4:39 PM, Stephen Smalley
> wrote:
> > On Tue, 2017-05-09 at 13:49 -0400, Paul Moore wrote:
> > > > On 05/03/2017 12:14 PM, Stephen Smalley wrote:
> > > > >
> > > > >
On Tue, 2017-05-09 at 13:49 -0400, Paul Moore wrote:
> > On 05/03/2017 12:14 PM, Stephen Smalley wrote:
> > >
> > > 1) Should we investigate lighter weight support for policy
> > > capabilities, and if so, how?
>
> I agree that not having to update userspac
If the map permission is defined, allow it in the mmap test policy
for the existing mmap test domains, and introduce a new domain and test
for testing that it is enforced.
Signed-off-by: Stephen Smalley
---
policy/Makefile | 4
policy/test_global.te | 4
policy/test_mmap.te
commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux:
support ANDROID_HOST=1 on Mac") split up warning flags in
CFLAGS based on compiler support in a manner that could lead to
including a subset that is invalid, e.g. upon
make DESTDIR=/path/to/dest install. Fix it.
Signed-off-b
On Sat, 2017-05-06 at 15:08 +0200, Christian Göttsche via Selinux
wrote:
> Show the current active checkreqprot state in sestatus
Thanks, applied. Please add a signed-off-by line in the future.
> ---
> policycoreutils/sestatus/sestatus.8 | 2 ++
> policycoreutils/sestatus/sestatus.c | 14 +