On 04/16/2018 11:30 AM, William Roberts wrote:
On Mon, Apr 16, 2018 at 5:34 AM, Stephen Smalley wrote:
On 04/13/2018 08:40 PM, William Roberts wrote:
In general this series looks fine.
However, checkpatch.pl is complaining about DOS line endings in your patches:
For
On 04/09/2018 08:07 AM, Dominick Grift wrote:
On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote:
On 04/09/2018 10:41 AM, Dominick Grift wrote:
On Mon, Apr 09, 2018 at 09:55:23AM +0200, Dominick Grift wrote:
On Sun, Apr 08, 2018 at 11:00:53PM +0200, Lukas Vrabec wrote:
Hi All,
I'm
The selpoltools are a collection of policy tools for SELinux. It works on
Refpolicy-based policies or a collection of policy files. Right now the only
useful tool is spt_lint.lua.
You can find selpoltools at:
https://github.com/jwcart2/selpoltools
See README.md for the very simple build
On 03/30/2018 01:33 PM, Jeffrey Vander Stoep wrote:
On Thu, Mar 29, 2018 at 1:06 PM, James Carter wrote:
Improve the processing of netifcon, genfscon, ibpkeycon, ibendportcon,
portcon, nodecon, fsuse, filecon, iomemcon, ioportcon, pcidevicecon,
and devicetreecon rules.
Pierre-Hugues Husson, I've tested and everything seems to work as I expect it,
but does this meet your needs?
Jim
On 03/29/2018 04:06 PM, James Carter wrote:
Improve the processing of netifcon, genfscon, ibpkeycon, ibendportcon,
portcon, nodecon, fsuse, filecon, iomemcon, ioportcon,
On 03/22/2018 07:04 PM, Pierre-Hugues Husson wrote:
From: Pierre-Hugues Husson
Currently secilc doesn't deal with duplicate genfscon rules
This commit fixes this, and implements multiple_decls behaviour.
To reduce the code changes, the compare function returns in its LSB
On 03/19/2018 02:47 PM, Pierre-Hugues Husson wrote:
secilc has a multiple_decls option to allow for multiple type
declarations.
The next step is to allow multiple samples of the same rules.
This commit does this on genfscon
One usecase is Android/Project Treble:
With Project Treble, vendor
On 03/08/2018 04:34 PM, Nicolas Iooss wrote:
On Wed, Mar 7, 2018 at 4:05 PM, James Carter wrote:
Nicolas Iooss reports:
In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name()
fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is
called to
On 03/15/2018 01:09 PM, jwcart2 wrote:
On 03/11/2018 12:22 PM, Richard Haines via Selinux wrote:
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.
Signed-off-by: Richard Haines <richard_c_hai...@btinternet.com>
Acked-by: James Carter
On 03/16/2018 11:23 AM, William Roberts wrote:
On Thu, Mar 15, 2018 at 8:16 PM, Tri Vo wrote:
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.
For example, these statements resolve to false in policy
On 03/11/2018 12:22 PM, Richard Haines via Selinux wrote:
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.
Signed-off-by: Richard Haines
Acked-by: James Carter
---
checkpolicy/checkpolicy.c
On 03/05/2018 05:58 PM, Nicolas Iooss wrote:
In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name()
fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is
called to free the memory associated with tmp_key, which results in
free() being called on uninitialized
On 03/05/2018 05:58 PM, Nicolas Iooss wrote:
cil_tree_print_expr() calls cil_expr_to_string() in order to compute a
string expression into expr_str. If this function fails, expr_str is
left uninitialized but its value is dereferenced with:
cil_log(CIL_INFO, "%s)", expr_str);
Prevent such an
On 01/09/2018 12:32 PM, Daniel Walsh wrote:
Or SECCOMP for that matter. From my limited reading, I have not seen what an
application needs to access to trigger this vulnerability. Is this just using
standard SYSCALLS, that we could not block without breaking the applications?
Anyone have
On 11/14/2017 07:44 PM, Daniel Cashman wrote:
From: Dan Cashman
When using cil_db multiple_decls, the different cil_attribute nodes
all point to the same underlying cil_attribute struct. This leads
to problems, though, when modifying the used value in the struct.
On 09/03/2017 08:19 AM, Nicolas Iooss wrote:
When compiling libsepol with clang and some warning flags, the compiler
complains about the way IPv6 addresses are initialized:
kernel_to_cil.c:2795:35: error: suggest braces around initialization
of subobject [-Werror,-Wmissing-braces]
On 08/30/2017 03:38 PM, James Carter wrote:
In order to reduce policy size, CIL removes attributes that are not used
by a policy rule in the generated binary policy. However, CIL keeps
attributes used by neverallow rules (which are checked at compile time
and not in the binary policy) even if
On 08/29/2017 12:32 PM, Daniel Cashman wrote:
From: Dan Cashman
Modify cil_gen_node() to check to see if the cil_db supports multiple
declarations, and if so, to check whether or not the
repeated symbol is eligible to share the existing, already-stored datum. The
only
On 08/25/2017 05:46 AM, Jan Zarsky wrote:
In cil_strpool_destroy(), cil_strpool_tab is freed but it is not reset to NULL.
When cil_strpool_init() is called again it assumes that cil_strpool_tab was
already initialized. Other functions then work with invalid data.
Signed-off-by: Jan Zarsky
On 08/17/2017 02:04 PM, Daniel Cashman wrote:
From: Dan Cashman
In Android O, the SELinux policy was split from a monolithic policy
created at build-time for each device into two main components, one
on /system and one on /vendor, which get combined at boot. This
On 08/17/2017 02:04 PM, Daniel Cashman wrote:
From: Dan Cashman
Signed-off-by: Dan Cashman
Change-Id: I5a72f2e6c339baee8ebc07e3e9176296320e2c80
---
libsepol/cil/include/cil/cil.h | 1 +
libsepol/cil/src/cil.c | 5 +
On 07/26/2017 11:04 AM, Daniel Cashman wrote:
From: Dan Cashman
Signed-off-by: Daniel Cashman
Applied.
Thanks,
Jim
---
libsepol/cil/include/cil/cil.h | 7 +++
1 file changed, 7 insertions(+)
diff --git a/libsepol/cil/include/cil/cil.h
On 06/14/2017 02:23 PM, James Carter wrote:
The typebounds rules should end with a ";".
The netifcon and nodecon rules should not end with a ";".
The default rules are missing a "_". They should be "default_user",
"default_role" and "default_type".
Signed-off-by: James Carter
On 06/14/2017 01:56 PM, Dominick Grift wrote:
On Wed, Jun 14, 2017 at 01:39:07PM -0400, James Carter wrote:
The typebounds rules should end with a ";".
The netifcon and nodecon rules should not end with a ";".
The default rules are missing a "_". They should be "default_usr",
"default_role"
On 06/12/2017 04:31 AM, Richard Haines wrote:
CIL updates to support the InfiniBand development.
Signed-off-by: Richard Haines
I was just thinking about doing this myself. Applied.
Thanks,
Jim
---
secilc/docs/Makefile | 1 +
On 06/12/2017 04:31 AM, Richard Haines wrote:
Fix named ibendportcon context not resolving correctly.
Signed-off-by: Richard Haines
Applied.
Thanks,
Jim
---
libsepol/cil/src/cil_build_ast.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff
On 05/10/2017 04:25 PM, James Carter wrote:
Commit 1089665e31a647a5f0ba2eabe8ac6232b384bed9 (Add attribute
expansion options) adds an expandattribute rule to the policy.conf
language which sets a type_datum flag. Currently the flag is used
only when writing out CIL policy from a policy.conf.
On 06/02/2017 07:21 AM, Steve Lawrence wrote:
This prevented cil_resolve_name() from returning an actual thing when a
name resolved to an alias. This appears to have only affected resolution
dealing with sensitivity and category aliases. Type aliases were not
affected since places that dealt
On 05/31/2017 04:14 PM, Stephen Smalley wrote:
https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/
Fixes the following warnings by annotating with a /* FALLTHRU */ comment.
Unfortunately, the __attribute__ ((fallthrough)); approach does not appear
to work with older
On 05/30/2017 03:13 PM, James Carter wrote:
Currently, when checking if an identifier is enabled, each scope in
the decl_ids list is checked. This means that if any block that
requires the identifier is enabled, then the identifier will be treated
as being declared.
Now, declarations will be
On 05/31/2017 04:06 PM, Nicolas Iooss wrote:
Assigning NULL to handle does not perform anything useful and clang
complains about this:
ibendports.c:122:2: error: 'handle' was marked unused but was used
[-Werror,-Wused-but-marked-unused]
handle = NULL;
^
On 05/31/2017 04:06 PM, Nicolas Iooss wrote:
---
libsepol/cil/src/cil_build_ast.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 0a9a5e57491a..7fcee61042c5 100644
---
On 05/30/2017 12:32 PM, Steve Lawrence wrote:
- Set rc to SEPOL_ERR if the alias part of an aliasactual statement
does not resolve to the correct alias flavor (e.g. typealias, senalias,
catalias)
- Add an error check if the actual part of an aliasactual statement
does not resolve to the
33 matches