Re: [PATCH] libsepol/cil: Add userattribute{set} functionality

2015-09-11 Thread James Carter
On 09/10/2015 12:56 PM, Yuli Khodorkovskiy wrote: This adds a userattribute statement that may be used in userroles and constraints. The syntax is the same as typeattributset. Also, disallow roleattributes where roles are accepted in contexts. Specify a userattribute (userattribute foo)

Re: [PATCH] libsepol/cil: Fix uninitialized false positive in cil_binary

2015-09-11 Thread James Carter
= NULL; int start_new_range; -- James Carter <jwca...@tycho.nsa.gov> National Security Agency ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help

Re: secilc: any idea why this commit causes secilc to segfault?

2015-09-09 Thread James Carter

Re: secilc: in segfault

2015-09-09 Thread James Carter
On 09/03/2015 09:20 AM, Dominick Grift wrote: On Thu, Sep 03, 2015 at 08:18:17AM -0400, James Carter wrote: On 09/03/2015 05:48 AM, Dominick Grift wrote: Anyone tried "secilc test/in_test.cil" lately? It dumps core here. $ secilc test/in_test.cil Segmentation fault (core dumped)

Re: [PATCH] libsepol/cil: fix NULL pointer dereference when copying classpermission/set

2015-09-09 Thread James Carter
classpermissionset *orig = data; struct cil_classpermissionset *new = NULL; + cil_classpermissionset_init(); + new->set_str = orig->set_str; cil_copy_classperms_list(orig->classperms, >classperms); -- James Carter <jwca...@tycho.

Re: Find attributes for a type with sepol

2015-09-24 Thread James Carter
On 09/23/2015 06:39 PM, Roberts, William C wrote: How would one find all the attributes of a type with libsepol, can someone point me to any relevant structures or functions? The policydb_t structure has type_attr_map field which maps types to an ebitmap of attributes. Jim

Re: [PATCH] libsepol/cil: Validate extended avrules and permissionxs

2015-12-08 Thread James Carter
(db, node); break; + case CIL_AVRULEX: + rc = __cil_verify_avrulex(node); + break; + case CIL_PERMISSIONX: + rc = __cil_verify_permissionx(node->data, node); +

Re: [PATCH 1/2] libsepol/cil: Add support for neverallowx

2015-12-02 Thread James Carter
On 12/01/2015 10:38 AM, Steve Lawrence wrote: Add a new statement, neverallowx, which has the same syntax as allowx: (neverallowx foo bar (ioctl file (0x2000 20FF))) This should be: (neverallowx foo bar (ioctl file (range 0x2000 0x20FF))) (allowx foo bar (ioctl file (0x20A0))) ; this

Re: CIL Wiki Translate

2016-01-05 Thread James Carter
a FreeBSD license and you are free to upload and share that (and any translation) from your website under that license. Thanks for your interest in CIL and your work! Jim Kind Regards, OMO

Re: [PATCH] policycoreutils/sandbox: Fix sandbox to propagate specified MCS/MLS Security Level.

2015-11-20 Thread James Carter
ions.level or self.__options.session: - return - if self.__options.homedir: selinux.chcon(self.__options.homedir, self.__filecon, recursive=True) self.__homedir = self.__options.homedir

Re: [PATCH] policycoreutils: improve sepolicy command line interface

2015-11-19 Thread James Carter
; 1: +parser_args = sys.argv[1:] else: -args = parser.parse_args() +parser_args = ["-h"] +args = parser.parse_args(args=parser_args) args.func(args) sys.exit(0) except ValueError, e:

Re: [PATCH] policycoreutils: Require at least one argument for 'semanage permissive -d'

2015-11-19 Thread James Carter
permissiveParser.add_argument('type', nargs='?', default=None, help=_('type')) +permissiveParser.add_argument('type', nargs='+', default=None, help=_('type')) permissiveParser.set_defaults(func=handlePermissive)

Re: [PATCH] policycoreutils: fix typos in semanage manpages

2016-06-06 Thread James Carter
age/semanage-port.8 +++ b/policycoreutils/semanage/semanage-port.8 @@ -53,7 +53,7 @@ Protocol for the specified port (tcp|udp) or internet protocol version for the s .SH EXAMPLE .nf -List all port defitions +List all port definitions # semanage port \-l Allow Apache to listen on tcp port 81

Re: [PATCH] Sort object files for deterministic linking order

2016-06-06 Thread James Carter
,$(sort $(wildcard $(CILDIR)/src/*.c)) $(CIL_GENERATED))) override CFLAGS += -I$(CILDIR)/include endif

Re: [PATCH] policycoreutils/semodule: Fix the documentation of -l,--list

2016-06-06 Thread James Carter
); printf(" -X,--priority=PRIORITYset priority for following operations (1-999)\n");

Re: Strange AVC with latest rawhide kernel.

2016-02-26 Thread James Carter
fails. Nothing crazy happened though. I don't currently have a rawhide machine to try it on.

Re: User range vs. context's range

2016-01-22 Thread James Carter
that there was a difference.

Re: [PATCH] libsepol/cil: fix bug when resetting class permission values

2016-03-19 Thread James Carter
_perms -= common->num_perms;

[PATCH 0/2 v2] Warn if module name different than output filename

2016-04-07 Thread James Carter
re are now only two checks and the base filename is used in the warning message, it no longer made sense to create common helper functions in libsepol. James Carter (2): policycoreutils/hll/pp: Warn if module name different than output filename checkpolicy: Warn if module name different t

[PATCH 1/2 v3] policycoreutils/hll/pp: Warn if module name different than output filename

2016-04-08 Thread James Carter
to it by its filename. Because of this, provide a warning message when converting a policy package to CIL and the output filename is different than the module name. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- policycoreutils/hll/pp/pp.c | 33 +

[PATCH 0/2 v3] Check if module name different than output filename

2016-04-08 Thread James Carter
me - Since there are now only two checks and the base filename is used in the warning message, it no longer made sense to create common helper functions in libsepol. Changes from v2: - Check if strdup() returns NULL - Have checkmodule fail rather than give a warning James Carter (2): policycoreut

[PATCH 2/2 v3] checkpolicy: Fail if module name different than output base filename

2016-04-08 Thread James Carter
to it by its filename. Because of this, have checkmodule fail when compiling a module and the output base filename is different than the module name. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/checkmodule.c | 20 1 file changed, 20 insertions(+)

Re: [PATCH 0/2 v3] Check if module name different than output filename

2016-04-12 Thread James Carter
On 04/08/2016 11:02 AM, James Carter wrote: Since CIL treats files as modules and does not have a separate module statement it can cause confusion when a Refpolicy module has a name that is not the same as its base filename because older SELinux userspaces will refer to the module by its module

Re: [PATCH] libselinux: Fix typo in sefcontext_compile.8

2016-04-12 Thread James Carter
.B sefcontext_compile -writes the compiled prce file with the +writes the compiled pcre file with the .B .bin suffix appended (e.g. \fIinputfile\fB.bin\fR). .SH OPTIONS -- James Carter <jwca...@tycho.nsa.gov> National Security Agency ___

[PATCH 3/3] checkpolicy: Warn if module name different than filenames

2016-03-25 Thread James Carter
Since the usual convention is for the module name to be the same as the base filename of the module, provide a warning message if they are different. Also warn if the output filename is different than the module name. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/checkmo

[PATCH 1/3] libsepol: Add function to check if module name matches filename

2016-03-25 Thread James Carter
The function sepol_module_check_name_matches_filename() compares the module name with a filename (after stripping off path and file extension) and returns 0 if they match. The function sepol_module_get_name() returns the name of the module. Signed-off-by: James Carter <jwca...@tycho.nsa.

[PATCH 2/3] policycoreutils/hll/pp: Warn if module name different from filenames

2016-03-25 Thread James Carter
filename. When converting a policy package to CIL warn if the module name is different from the pp filename or the CIL filename. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- policycoreutils/hll/pp/pp.c | 29 + 1 file changed, 25 insertions(+), 4 del

Re: [PATCH 3/3] checkpolicy: Warn if module name different than filenames

2016-03-25 Thread James Carter
On 03/25/2016 02:48 PM, Stephen Smalley wrote: On 03/25/2016 02:04 PM, James Carter wrote: Since the usual convention is for the module name to be the same as the base filename of the module, provide a warning message if they are different. Also warn if the output filename is different than

Re: [PATCH 3/6] libsepol/cil: Add cil_tree_log() and supporting functions

2016-04-20 Thread James Carter
On 04/20/2016 10:47 AM, Steve Lawrence wrote: On 04/19/2016 10:26 AM, James Carter wrote: Provide more detailed log messages containing all relevant CIL and high-level language source file information through cil_tree_log(). cil_tree_log() uses two new functions: cil_tree_get_next_path

Re: [PATCH] libsepol: Only apply bounds checking to source types in rules

2016-04-29 Thread James Carter
On 04/29/2016 04:06 PM, Stephen Smalley wrote: On 04/29/2016 03:53 PM, James Carter wrote: The current bounds checking of both source and target types requires allowing any domain that has access to the child domain to also have the same permissions to the parent, which is undesirable. Drop

Re: [PATCH] libsepol/cil: Do not add an attribute as a type in the attr_type_map

2016-04-29 Thread James Carter
On 04/29/2016 02:26 PM, Stephen Smalley wrote: On 04/29/2016 01:47 PM, James Carter wrote: The attribute to type map is used to get all of the types that are associated with an attribute. To make neverallow and bounds checking easier it was convenient to map a type to itself. However, CIL

[PATCH] libsepol: Change logic of bounds checking

2016-05-03 Thread James Carter
A:unix_stream_socket ; to also be allowed in policy. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/hierarchy.c | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libsepol/src/hierarchy.c b/libsepol/src/hierarchy.c index b24b39e..778541a

[PATCH] libsepol: Change which attributes CIL keeps in the binary policy

2016-05-06 Thread James Carter
Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_post.c | 27 +++ libsepol/src/module_to_cil.c | 8 +--- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index a694b33

Re: [PATCH] libsepol: Change which attributes CIL keeps in the binary policy

2016-05-06 Thread James Carter
On 05/06/2016 03:39 PM, Roberts, William C wrote: -Original Message- From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of Roberts, William C Sent: Friday, May 6, 2016 12:25 PM To: William Roberts <bill.c.robe...@gmail.com>; James Carter <jwca...@tycho.nsa.gov>

Re: [PATCH] libsepol: Change which attributes CIL keeps in the binary policy

2016-05-06 Thread James Carter
On 05/06/2016 04:06 PM, Roberts, William C wrote: -Original Message- From: James Carter [mailto:jwca...@tycho.nsa.gov] Sent: Friday, May 6, 2016 12:47 PM To: Roberts, William C <william.c.robe...@intel.com>; William Roberts <bill.c.robe...@gmail.com> Cc: selinux@tycho.nsa

Re: [PATCH 0/6 v2] libsepol/cil: Add high-level language line marking support

2016-05-05 Thread James Carter
On 05/05/2016 12:15 PM, Steve Lawrence wrote: On 05/04/2016 04:41 PM, James Carter wrote: This patch set adds support for tracking original file and line numbers for better error reporting when a high-level language is translated into CIL. It then uses that support to provide better error

[PATCH 2/6 v2] libsepol/cil: Store CIL filename in parse tree and AST

2016-05-04 Thread James Carter
Use some of the functionality recently added to support high-level language line marking to track the CIL filename. The goal is to eventually remove the path field from the tree node struct and offset the addition of the hll_line field. Signed-off-by: James Carter <jwca...@tycho.nsa.

[PATCH 4/6 v2] libsepol/cil: Replace cil_log() calls with cil_tree_log()

2016-05-04 Thread James Carter
Replace all calls to cil_log() that print path information with a call to cil_tree_log() which will also print information about any high-level sources. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil.c | 3 +- libsepol/cil/src/cil_binary.c

[PATCH 0/6 v2] libsepol/cil: Add high-level language line marking support

2016-05-04 Thread James Carter
ng the AST from the associated macro or block. James Carter (6): libsepol/cil: Add high-level language line marking support libsepol/cil: Store CIL filename in parse tree and AST libsepol/cil: Add cil_tree_log() and supporting functions libsepol/cil: Replace cil_log() calls with ci

[PATCH 3/6 v2] libsepol/cil: Add cil_tree_log() and supporting functions

2016-05-04 Thread James Carter
11 of foo.hll) (from line 2 of bar.hll) Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_tree.c | 86 + libsepol/cil/src/cil_tree.h | 4 +++ 2 files changed, 90 insertions(+) diff --git a/libsepol/cil/src/cil_tr

[PATCH 4/6] libsepol/cil: Replace cil_log() calls with cil_tree_log()

2016-04-19 Thread James Carter
Replace all calls to cil_log() that print path information with a call to cil_tree_log() which will also print information about any high-level sources. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil.c | 3 +- libsepol/cil/src/cil_binary.c

[PATCH 6/6] libsepol: When generating CIL use HLL line mark for neverallows

2016-04-19 Thread James Carter
is not saved in pp files, so there is no benefit for policy modules.) This is only done for neverallow rules currently. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/module_to_cil.c | 8 1 file changed, 8 insertions(+) diff --git a/libsepol/src/module_to_c

[PATCH 3/6] libsepol/cil: Add cil_tree_log() and supporting functions

2016-04-19 Thread James Carter
11 of foo.hll) (from line 2 of bar.hll) Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_tree.c | 76 + libsepol/cil/src/cil_tree.h | 4 +++ 2 files changed, 80 insertions(+) diff --git a/libsepol/cil/src/cil_tr

[PATCH 5/6] libsepol/cil: Remove path field from cil_tree_node struct

2016-04-19 Thread James Carter
Remove path field from cil_tree_node struct and all references to it in CIL. This will reduce memory usage by 5%. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_binary.c| 14 +- libsepol/cil/src/cil_build_ast.c | 2 -- libsepol/c

[PATCH 2/6] libsepol/cil: Store CIL filename in parse tree and AST

2016-04-19 Thread James Carter
Use some of the functionality recently added to support high-level language line marking to track the CIL filename. The goal is to eventually remove the path field from the tree node struct and offset the addition of the hll_line field. Signed-off-by: James Carter <jwca...@tycho.nsa.

[PATCH 1/3] libsepol/cil: Fixed bug in cil_type_match_any()

2016-04-13 Thread James Carter
of providing a quick match anytime the attributes are the same. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_find.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_find.c b/libsepol/cil/src/cil_find.c index 7

[PATCH 2/3] libsepol/cil: Improve type bounds check reporting

2016-04-13 Thread James Carter
that if a match is not found (there should always be a match) a seg fault will not occur. To reduce the amount of error reporting, only print a trace of a matching rule if it is different from the previous one. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_binary.

[PATCH 3/3] libsepol/cil: Cleanup neverallow checking and fail if bounds checking fails

2016-04-13 Thread James Carter
For both neverallow and bounds checking keep neverallow and bounds failures separate from program faults. Have secilc exit with an error (and fail to build a binary policy) when bounds checks fail. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_binary.

Re: [PATCH 0/3] libsepol/cil: Fixes to neverallow and bounds checking

2016-04-18 Thread James Carter
On 04/13/2016 03:19 PM, James Carter wrote: Dan Walsh found a bug that resulted in a seg fault while working on docker policy. Steve Smalley was able to reproduce and find out where it was occurring in secilc. This patch set fixes that bug and makes other improvements in the bounds

[PATCH 0/3] libsepol/cil: Fixes to neverallow and bounds checking

2016-04-13 Thread James Carter
Dan Walsh found a bug that resulted in a seg fault while working on docker policy. Steve Smalley was able to reproduce and find out where it was occurring in secilc. This patch set fixes that bug and makes other improvements in the bounds and neverallow checking. James Carter (3): libsepol

[PATCH] libsepol/cil: Warn instead of fail if permission is not resolve

2016-07-28 Thread James Carter
not been installed. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_resolve_ast.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 70e4462..8348d57

Re: [PATCH] semanage: swap tcp and udp protocol numbers

2016-08-10 Thread James Carter
p": 6, + "udp": 17, "ipv4": 4, "ipv6": 41}

Re: [PATCH] libsepol: Add missing return to sepol_node_query()

2016-07-12 Thread James Carter
e) < 0) goto err; + return STATUS_SUCCESS; } } break;

Re: Python3 support in policycoreutils

2016-08-08 Thread James Carter

Re: [PATCH] semanage: add auditing of changes in records

2016-08-09 Thread James Carter
t;Could not delete the file context %s") % target) semanage_fcontext_key_free(k) +self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str])) + self.equiv = {} self.equal_ind = True self.commit() @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords): if target in self.equiv.keys(): self.equiv.pop(target) self.equal_ind = True + +self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) + return (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) @@ -1996,6 +2069,8 @@ class fcontextRecords(semanageRecords): semanage_fcontext_key_free(k) +self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype])) + def delete(self, target, ftype): self.begin() self.__delete(target, ftype)
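Review bot: the added log_change calls index ftype_to_audit with ftype_str in the first hunk but with ftype in the two later hunks; confirm that both names hold the same form of the file type key at those points, otherwise one of the three audit calls raises KeyError on the delete path and the deletion itself has already been committed by then.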

Re: [PATCH] policycoreutils: Don't use subprocess.getstatusoutput() in Python 2 code

2016-08-09 Thread James Carter
e(newcat, objects, login_ind): for f in objects: cmd = "%s %s" % (cmd, f) -rc = subprocess.getstatusoutput(cmd) +rc = getstatusoutput(cmd) if rc[0] != 0: print(rc[1]) errors += 1

Re: [PATCH] libsepol: fix invalid read when policy file is corrupt

2016-08-09 Thread James Carter
val_to_struct[i]->flavor == TYPE_ATTRIB) { if (ebitmap_union

Re: [PATCH] policycoreutils: 'fixfiles check' should not change anything

2016-08-09 Thread James Carter
PREFCTEMPFILE} fi } @@ -222,7 +223,7 @@ if [ ! -z "$PREFC" ]; then exit $? fi if [ ! -z "$BOOTTIME" ]; then -newer $BOOTTIME +newer $BOOTTIME $* exit $? fi [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon

Re: [PATCH] libsepol: fix memory leak in expand.c

2016-08-09 Thread James Carter

Re: [PATCH] genhomedircon: add support for %group syntax

2016-08-15 Thread James Carter
*errors = STATUS_ERR; - break; - } } cleanup: - free(rbuf); if (*errors) { for (; head; pop_user_entry()) { /* the pop function takes care of all the cleanup _

Re: Fix AFL Found Bugs in libsepol v4

2016-08-17 Thread James Carter
] libsepol: fix uninitialized jmp and invalid dereference [PATCH v4 7/7] libsepol: fix overflow and 0 length allocations Applied all patches. Thanks, Jim

Re: [PATCH 0/5] checkpolicy: Cleanup declare and require functions

2017-02-03 Thread James Carter
On 01/31/2017 02:41 PM, James Carter wrote: Cleanup declare and require functions in module_compiler.c to improve maintainability and clarity. Functionality is not changed. James Carter (5): checkpolicy: Create common function for type declares and requires checkpolicy: Create common

[PATCH 3/5] checkpolicy: Create common function for user declares and requires

2017-01-31 Thread James Carter
Move common code out of declare_user() and require_user() into the new function create_user(). Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/module_compiler.c | 224 +- 1 file changed, 114 insertions(+), 110 deletions(-) diff

[PATCH 4/5] checkpolicy: Cleanup error messages

2017-01-31 Thread James Carter
Add the new function print_error_msg() to print an error message based on the local error number and symbol_type. Remove the duplicate switch statements used throughout module_compiler.c to display error messages. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- check

[PATCH] checkpolicy: Improve check for identifier flavor mismatch

2017-01-31 Thread James Carter
type in the same scope. There are no checks if the require comes first and there are no checks for roles. Check for an identifier flavor mismatch for both roles and types whenever a declaration or requirement tries to add an identifier that is already in the symtab. Signed-off-by: James Carter

[PATCH 2/5] checkpolicy: Create common function for role declares and requires

2017-01-31 Thread James Carter
Move common code out of declare_role() and require_role_or_attribute() into the new function create_role(). Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/module_compiler.c | 252 ++ 1 file changed, 130 insertions(+), 122 del

[PATCH 0/5] checkpolicy: Cleanup declare and require functions

2017-01-31 Thread James Carter
Cleanup declare and require functions in module_compiler.c to improve maintainability and clarity. Functionality is not changed. James Carter (5): checkpolicy: Create common function for type declares and requires checkpolicy: Create common function for role declares and requires

[PATCH 2/2] checkpolicy: Remove unneeded return check in require_symbol()

2017-01-31 Thread James Carter
Since symtab_insert() no longer returns -2 in the case of a declaration of an identifier followed by a require of the same symbol, remove the unneeded check. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/module_compiler.c | 20 ++-- 1 file chan

[PATCH 1/2] libsepol: Return +1 when declaration is followed by a require

2017-01-31 Thread James Carter
means returning +1). Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/src/policydb.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 5b9b9f0..3cff6d2 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/poli

Re: [PATCH 1/1] Introduce Travis-CI tests

2017-02-08 Thread James Carter
ror: missing .gitignore entry for/p' | (! grep '^') + + # Clean up everything and show which file would be added to "make clean" + - make clean distclean + - |- +git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (

[PATCH] libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST

2017-02-08 Thread James Carter
the stacks will be empty, but this is not the case when exiting with an error. Destroy both tree node stacks when exiting to ensure that they are empty. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_resolve_ast.c | 24 1 file changed, 16 inse

Re: [PATCH 1/1] libsepol/cil: fix type confusion in cil_copy_ast

2017-02-08 Thread James Carter
cil_tree_log(NODE(data), CIL_ERR, "Note: conflicting declaration"); + rc = SEPOL_ERR; + goto exit; + } rc = cil_symtab_insert(symtab, ((struct cil_symtab_datum*)orig->data)->name,

Re: [PATCH 3/8] policycoreutils/semodule: hide -Wwrite-strings warnings

2017-02-06 Thread James Carter
n" }; + const char *genhomedirconargv[] = { "genhomedircon", "-B", "-n" }; create_signal_handlers(); if (strcmp(basename(argv[0]), "genhomedircon") == 0) { argc = 3; - argv=genhomedirconargv; +

Re: [PATCH 1/8] libsepol: fix -Wwrite-strings warnings

2017-02-06 Thread James Carter
os && (ebitmap_cardinality(pos) > 0); int has_negative = neg && (ebitmap_cardinality(neg) > 0); char **val_to_name;

Re: [PATCH 0/5] checkpolicy: Cleanup declare and require functions

2017-02-03 Thread James Carter
On 02/02/2017 06:19 PM, Nicolas Iooss wrote: On Tue, Jan 31, 2017 at 8:41 PM, James Carter <jwca...@tycho.nsa.gov <mailto:jwca...@tycho.nsa.gov>> wrote: Cleanup declare and require functions in module_compiler.c to improve maintainability and clarity. Functionality is

Re: [PATCH] checkpolicy: Fix bug in handling type declaration in optional block.

2017-01-23 Thread James Carter
On 01/21/2017 08:58 AM, Nicolas Iooss wrote: On Wed, Jan 18, 2017 at 9:53 PM, James Carter <jwca...@tycho.nsa.gov <mailto:jwca...@tycho.nsa.gov>> wrote: Nicolas Iooss discovered that requiring a type in an optional block after the type has already been declared in another op

Re: [PATCH 1/4] checkpolicy: always free id in define_type()

2017-01-23 Thread James Carter
(id); return -1; } if (attr->flavor != TYPE_ATTRIB) { yyerror2("%s is a type, not an attribute", id); + free(id); return -1; } -- James Car

Re: [PATCH] libsepol: fix pp module to cil nodecon statement

2017-01-25 Thread James Carter
goto exit; } - cil_printf("(nodecon %s %s ", addr, mask); + cil_printf("(nodecon (%s) (%s) ", addr, mask); context_to_cil(pdb, >context[0]); -- James Car

Re: [PATCH] libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST

2017-02-17 Thread James Carter
On 02/08/2017 11:17 AM, James Carter wrote: CIL uses separate cil_tree_node stacks for optionals and blocks to check for statements not allowed in optionals or blocks and to know which optional to disable when necessary. But these stacks were not being destroyed when exiting cil_resolve_ast

Re: Support for multiple types in typeattribute

2017-02-24 Thread James Carter

Re: [PATCH 2/5] libsepol/cil: destroy bitmap when __cil_permx_str_to_int() fails

2017-02-21 Thread James Carter
ebitmap_destroy(bitmap); goto exit; } return SEPOL_OK; exit: + ebitmap_destroy(bitmap); return rc; }

Re: [PATCH] sepolgen: strip non-printable characters when parsing audit messages

2017-02-21 Thread James Carter
;\x1c\x1d\x1e\x85") for x in line.split()] for i in rec: found = False if i == "avc:" or i == "message=avc:" or i == "msg='avc:":

Re: [PATCH 1/1] libselinux, libsemanage: make PYPREFIX computation more robust

2017-02-21 Thread James Carter
PYTHON ?= python -PYPREFIX ?= $(notdir $(PYTHON)) +PYPREFIX ?= $(shell $(PYTHON) -c 'import sys;print("python-%d.%d" % sys.version_info[:2])') RUBY ?= ruby RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config

Re: [PATCH 1/1] checkpolicy: do not leak memory when declaring a type which has been required

2017-01-23 Thread James Carter
tly older version of fedora policy to fail to build. I am looking at refactoring declare_type() and require_type() and will try to fix the memory leak and other issues at the same time. Jim + } } else { /* error occurred (can't have duplicate type declarations) */

Re: [PATCH 1/1] checkpolicy: do not leak memory when declaring a type which has been required

2017-01-18 Thread James Carter
ype_datum_destroy(typdatum); + free(typdatum); + return NULL; + } } else { /* error occurred (can't have duplicate type declarations) */ free(id);

Re: [PATCH] checkpolicy: Fix bug in handling type declaration in optional block.

2017-01-18 Thread James Carter
On 01/18/2017 03:58 PM, Dominick Grift wrote: On 01/18/2017 09:53 PM, James Carter wrote: Nicolas Iooss discovered that requiring a type in an optional block after the type has already been declared in another optional block results in a duplicate declaration error. from what i have been

[PATCH] checkpolicy: Fix bug in handling type declaration in optional block.

2017-01-18 Thread James Carter
which is interpreted as a duplicate declaration error. The function should return 1 instead, which means that the symbol was not added and needs to be freed later. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- checkpolicy/module_compiler.c | 16 +++- 1 file chan

Re: [PATCH] checkpolicy: Fix bug in handling type declaration in optional block.

2017-01-20 Thread James Carter
On 01/19/2017 04:22 PM, Dominick Grift wrote: On 01/19/2017 06:21 PM, Stephen Smalley wrote: On Wed, 2017-01-18 at 21:58 +0100, Dominick Grift wrote: On 01/18/2017 09:53 PM, James Carter wrote: Nicolas Iooss discovered that requiring a type in an optional block after the type has already

Re: [PATCH v2 1/2] libsepol: calloc all the *_to_val_structs

2016-08-19 Thread James Carter
RS] = tmp_ptr; + policydb->p_user_val_to_name[policydb->p_users.nprim] = NULL; /* Need to copy the user name */ name = strdup(cname);

Re: [PATCH v3 5/7] libsepol: fix overflow and 0 length allocations

2016-08-16 Thread James Carter
if (zero_or_saturated(len)) + goto bad; if ((p->version = malloc(len + 1)) == NULL) { goto bad; } diff --git a/libsepol/src/private.h b/libsepol/src/private.h index 9c700c9..0beb4d4 100644 --- a/libsepol/src

Re: [PATCH 1/6] semodule_package: do not leak memory when using -u or -s

2017-03-01 Thread James Carter
free(file_contexts); free(outfile); free(module); + free(seusers); + free(user_extra); exit(0); }

Re: [PATCH] libsepol: Produce more meaningful error messages for conflicting type rules

2016-09-06 Thread James Carter
ue, cil_rule, cond_node, cond_flavor); if (rc != SEPOL_OK) goto exit; } }

Re: [PATCH 0/5] Fix some cil_gen_policy() bugs.

2016-09-09 Thread James Carter
On 09/09/2016 08:29 AM, James Carter wrote: On 09/08/2016 04:37 PM, Daniel Cashman wrote: On 09/08/2016 01:30 PM, Daniel Cashman wrote: From: dcashman <dcash...@android.com> cil_gen_policy() appears to exist to generate a policy.conf corresponding to the original SELinux HLL from a

Re: [PATCH 0/5] Fix some cil_gen_policy() bugs.

2016-09-09 Thread James Carter
becoming more invasive (similar to the 5th patch in this set) and less bug-fix-like. Thank You, Dan

Re: [PATCH] policycoreutils: setfiles - Add option to stop setting the digest

2016-09-26 Thread James Carter
9,9 +417,9 @@ int main(int argc, char **argv) } else if (argc == 1) usage(argv[0]); - /* Set selabel_open options. Always request a digest. */ + /* Set selabel_open options. */ r_opts.selabel_opt_validate = (ctx_validate ? (char *)1 : NULL); - r_opts.selabel_o

Re: [PATCH 0/2] selinux: Add features to find security.restorecon_last entries

2016-09-26 Thread James Carter

Re: [PATCH] libsemanage: use pp module headers as a source for a module name

2016-09-26 Thread James Carter
On 09/25/2016 05:41 PM, Petr Lautrbach wrote: On Fri, Sep 23, 2016 at 01:37:26PM -0400, James Carter wrote: On 09/23/2016 12:05 PM, Petr Lautrbach wrote: On 09/23/2016 05:31 PM, James Carter wrote: On 09/23/2016 05:23 AM, Petr Lautrbach wrote: When a user installs a module, the filename

Re: [PATCH v2] libsemanage: Use pp module name instead of filename

2016-09-26 Thread James Carter
arning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, cil_name, mod_name); + fprintf(stderr, "Warning: SELinux userspace will refer to the module from %s as %s rather than %s\n", ifile, mod_name, cil_name);

[PATCH] libsepol/cil: Check for too many permissions in classes and commons

2016-09-29 Thread James Carter
] /usr/bin/secilc[0x40273b] /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x77657291] /usr/bin/secilc[0x402f7a] This bug has been found by fuzzing secilc with american fuzzy lop. Signed-off-by: James Carter <jwca...@tycho.nsa.gov> --- libsepol/cil/src/cil_build_ast.c | 9 + li

Re: [PATCH] libsepol/cil: Check for too many permissions in classes and commons

2016-09-29 Thread James Carter
On 09/29/2016 02:38 PM, Steve Lawrence wrote: On 09/29/2016 02:07 PM, James Carter wrote: Fixes bug found by Nicolas Iooss as described below in the way suggested by Steve Lawrence. Nicolas reported: When compiling a CIL policy with more than 32 items in a class (e.g. in (class capability
