On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote:
... snip ...
Those wiki pages on SELinuxProject/cil are now pretty out of date
(you'll notice that some other statements mentioned there like
`template` are not implemented as well). The updated documentation is
at
.secureoss.jp/
On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote:
> This patch allows changing labels for cgroup mounts. Previously, running
> chcon on cgroupfs would throw an "Operation not supported". This patch
> specifically whitelists cgroupfs.
>
> The patch could also allow containers to
On Wed, Dec 07, 2016 at 08:27:05AM -0500, Stephen Smalley wrote:
> On 12/07/2016 07:15 AM, Gary Tierney wrote:
> > Adds a check for avrules with type attributes that have a bitmap cardinality
> > of 0 (i.e., no types in their set) before adding them to the libse
t's dssp1:
[root@localhost ~]# sesearch -ACS dssp_original.30 | head -1
Found 11270 semantic av rules:
[root@localhost ~]# sesearch -ACS dssp_modified.30 | head -1
Found 2574 semantic av rules:
Gary Tierney (1):
libsepol/cil: remove avrules with no affected types
libsepol/cil/src/cil_binary.c |
in
f9927d9370f90bd9d975ff933fe107ec4f93a9ac.
Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
libsepol/cil/src/cil_binary.c | 47 +++
1 file changed, 47 insertions(+)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index d33981b..3aa350a
= tmp;
return POLICYDB_SUCCESS;
}
Is that the right idea?
Thanks.
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get=0x706ED76585AA79D8
o
> --
> James Carter <jwca...@tycho.nsa.gov>
> National Security Agency
and then runs genhomedircon).
Also adds declarations for the hashtable mapping functions used:
policydb_role_cache and policydb_user_cache().
Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
libsepol/cil/src/cil_binary.c | 13 +
libsepol/include/sepol/policydb/poli
On Mon, Oct 03, 2016 at 11:46:19AM +0100, Gary Tierney wrote:
> Pre-expands the role and user caches used in context validation when
> converting a cildb to a binary policydb. This is currently only done
> when loading a binary policy and prevents context validation from
> worki
This patch sets up the role/user caches used in context_is_valid() when a cildb
is compiled to a binary policy. Previously, it seems like these would only be
available when a binary policy had been loaded from file as opposed to rebuilt
from source.
Gary Tierney (1):
libsepol/cil: create user
On Fri, Sep 23, 2016 at 03:36:47PM -0400, Stephen Smalley wrote:
On 09/23/2016 10:28 AM, Gary Tierney wrote:
Introduces support for generating homedir/user contexts for policies
that implement RBACSEP. The support works by taking the prefix of a
login's seuser and replacing the role field
On Fri, Sep 23, 2016 at 03:28:44PM +0100, Gary Tierney wrote:
> Introduces support for generating homedir/user contexts for policies
> that implement RBACSEP. The support works by taking the prefix of a
> login's seuser and replacing the role field in their context
> specifications wit
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.
Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
libsemanag
Second iteration of my previous genhomedircon patch. The issue with context
specifications as "<>" is fixed and libselinux calls are replaced with
their respective libsepol calls.
I've filed a new BZ for Fedora's system_u login here:
https://bugzilla.redhat.com/show_bug.cgi?
On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
On 09/06/2016 09:48 AM, Gary Tierney wrote:
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for eve
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.
Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
libsemanag
'HOME_DIR' | grep -v 's0' | grep -Evc
> '^#'
0
> $ find . -name '*.fc' | xargs grep -h 'HOME_DIR' | grep -v 'system_u' | grep
> -Evc '^#'
0
Gary Tierney (1):
genhomedircon: remove hardcoded refpolicy strings
libsemanage/src/genhomedircon.c | 79 ++---
On Tue, Aug 23, 2016 at 08:54:17AM -0400, Stephen Smalley wrote:
> On 08/22/2016 04:22 PM, Gary Tierney wrote:
> > From: Gary Tierney <selinux@tycho.nsa.gov>
> >
> > Re-spin of my original patch that adds support for logins mapped using the
> > group %synta
.
Gary Tierney (2):
genhomedircon: generate contexts for logins mapped to the default user
genhomedircon: add support for %group syntax
libsemanage/src/genhomedircon.c | 314 +++-
1 file changed, 243 insertions(+), 71 deletions(-)
--
2.7.4
there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.
Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
libsemana
file_contexts.homedirs entries.
Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
libsemanage/src/genhomedircon.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index c5ea436..698b907 100644
--- a/libsemanage/src/genhomedi
On Mon, Aug 22, 2016 at 09:23:01PM +0100, Gary Tierney wrote:
From: Gary Tierney <selinux@tycho.nsa.gov>
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.
This commit adds support for generatin
From: Gary Tierney <selinux@tycho.nsa.gov>
Removes a test in get_users() which excludes any logins that are
explicitly mapped to the default user from file context generation,
which results in logins mapped to the fallback user with home
directories outside of LU_HOMEDIRECTORY (in the a
From: Gary Tierney <selinux@tycho.nsa.gov>
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.
This commit adds support for generating home directory contexts for login
mappings using the group syntax an
From: Gary Tierney <selinux@tycho.nsa.gov>
Re-spin of my original patch that adds support for logins mapped using the
group %syntax to genhomedircon. This version includes fixes for the issues
raised by Jason and splits the bugfix into a separate commit.
There was a bit of confusion
Hi Stephen,
Replied inline below.
On Mon, Aug 15, 2016 at 03:58:44PM -0400, Stephen Smalley wrote:
> On 07/27/2016 05:25 PM, Gary Tierney wrote:
> > semanage-login supports login mappings using the %group syntax, but
> > genhomedircon does not expand groups to the users be
there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.
Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
libsemana
Hi,
There are a few issues I've run into with genhomedircon and a custom policy
(i.e., not based on refpolicy), 2 of which prevent me from using genhomedircon,
and 1 small issue which I can work around.
The first main issue is that my custom policy doesn't use "system_u" as the
system user
29 matches