Stephen Smalley wrote:
On 10/20/2015 09:42 AM, Joshua Brindle wrote:
Stephen Smalley wrote:
Wondering if dependency on openssl might be a license issue for Debian
or others. Apparently openssl license is considered GPL-incompatible [1]
[2], and obviously libselinux is linked by a variety
Stephen Smalley wrote:
Wondering if dependency on openssl might be a license issue for Debian
or others. Apparently openssl license is considered GPL-incompatible [1]
[2], and obviously libselinux is linked by a variety of GPL-licensed
programs. Fedora seems to view this as falling under the
Steve Lawrence wrote:
I believe this patch, or something similar, was sent to the list in the
past and was rejected. Passing in a NULL context is considered invalid
use, similar to strdup/strcmp/etc. and is a bug in the calling process.
It isn't unreasonable for an API to indicate invalid
Dominick Grift wrote:
On Mon, Jan 04, 2016 at 05:30:31PM +0100, Dominick Grift wrote:
On Mon, Jan 04, 2016 at 09:23:54AM -0500, Joshua Brindle wrote:
---
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b
John Chludzinski wrote:
What are the issues with XWindows and CLIP? Why is CLIP XWindow-less?
CLIP strives to be a minimal system suited to secure solutions and does
not come with software not necessary for such systems (e.g., cross
domain solutions).
Is there something inherently
Bail before running off the end of the class index
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brin...@quarksecurity.com>
---
libsepol/src/services.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/services.c b/li
Class and perms should come from the policy being used for analysis,
not the system policy so use sepol_ interfaces
Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
Signed-off-by: Joshua Brindle <brin...@quarksecurity.com>
---
libselinux/src/audit2why.c | 8
1 file chan
Bail before running off the end of the class index
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brin...@quarksecurity.com>
---
libsepol/src/services.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/services.c b/li
Class and perms should come from the policy being used for analysis,
not the system policy so use sepol_ interfaces
Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
---
libselinux/src/audit2why.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git
Joshua Brindle wrote:
Bail before running off the end of the class index
This one correctly goes all the way to the end of the classes index, the
last version did not.
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle<brin...@quarksecurity.
Joshua Brindle wrote:
Class and perms should come from the policy being used for analysis,
not the system policy so use sepol_ interfaces
Hrm, this solved my original problem which was that I was getting the
wrong answer back from audit2why (classes in my policy that weren't in
the system
Stephen Smalley wrote:
On 06/03/2016 11:17 AM, Joshua Brindle wrote:
Bail before running off the end of the class index
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle<brin...@quarksecurity.com>
Applied this one and then rewrote it to use hashtab_
Richard Haines wrote:
Commit 3895fbbe0cf2ec52d6b6eda66084b6e9f8d88fb2 ("selinux: Add support
for portcon dccp protocol") added support for the (portcon dccp ..)
statement. This fix will allow policy to be built on platforms
(see [1]) that do not have DCCP support by defining the IANA
assigned IP
William Roberts wrote:
On Fri, Sep 23, 2016 at 6:10 PM, Joshua Brindle
<brin...@quarksecurity.com> wrote:
william.c.robe...@intel.com wrote:
The patches below fix some warnings reported by Josh Brindle on
the libsepol build.
Josh can you test these and see if those three warning g
william.c.robe...@intel.com wrote:
The patches below fix some warnings reported by Josh Brindle on
the libsepol build.
Josh can you test these and see if those three warning go away
and give an ack if they are ok?
[PATCH 1/3] libsepol: fix unused variable 'size' on mac build
[PATCH 2/3]
William Roberts wrote:
On Sep 22, 2016 9:18 PM, "Jeffrey Vander Stoep" wrote:
Remember to test on the Mac build. About a year ago I moved the host side
tools over to upstream libselinux, but had to revert because it broke the
Mac build in multiple places. Since then Richard
William Roberts wrote:
On Sep 28, 2016 17:07, "Joshua Brindle"<brin...@quarksecurity.com> wrote:
William Roberts wrote:
On Sep 28, 2016 16:54, "Joshua Brindle"<brin...@quarksecurity.com>
wrote:
Joshua Brindle wrote:
William Roberts wrote:
From com
William Roberts wrote:
On Sep 28, 2016 16:54, "Joshua Brindle"<brin...@quarksecurity.com> wrote:
Joshua Brindle wrote:
William Roberts wrote:
From commit 35d702 on
https://github.com/williamcroberts/selinux/tree/fix-mac
I have a branch that is building on my elcapitan mac
Dennis Sherrell wrote:
In a thread ending with Nick Kravelich's contact information, it was
written:
"
If you write top secret data it should stay top secret even if you're
writing to a folder that is normally reserved for secret data, or perhaps
mixed data. Iirc it uses the MLS of the process
Karl MacMillan wrote:
5. any references to type attributes should be customizable: ie. process_types
= ... filesystem_types = ... etc
I do not consider Linux access vectors to be customizable, unlike types,
attributes, booleans, tunables etc)
I know what you mean, but I have to point
Dominick Grift wrote:
The idea is nice, unfortunately it's inflexible and it has hard-references to
reference policy all-over. It has potential but it is still rough.
Of course, it is an analysis of a refpolicy-based policy. If you want to
analyze a different policy (e.g., Android or
Dominick Grift wrote:
On Sun, May 07, 2017 at 11:22:00AM -0400, Joshua Brindle wrote:
Dominick Grift wrote:
The idea is nice, unfortunately it's inflexible and it has hard-references to
reference policy all-over. It has potential but it is still rough.
Of course, it is an analysis
Stephen Smalley wrote:
Add a map permission check on mmap so that we can distinguish memory mapped
access (since it has different implications for revocation). When a file
is opened and then read or written via syscalls like read(2)/write(2),
we revalidate access on each read/write operation via
masoom alam wrote:
Hi everyone,
Do we have something like the mentioned subject documented?
Thank you.
Probably one of the better catalogued set of malware stopped by SELinux,
which shows various ways SELinux mitigated the attacks, is The Case For
SEAndroid from Stephen Smalley:
On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley wrote:
> On 09/10/2018 06:30 PM, Ted Toth wrote:
>>
>> mcstrans mcscolor.c also uses the same logic I'd been using to check
>> dominance so this too will no longer function as expected on el7. Do you any
>> suggestions for doing a 'generic' (one
On Tue, Sep 11, 2018 at 1:33 PM, Stephen Smalley wrote:
> On 09/11/2018 12:53 PM, Joshua Brindle wrote:
>>
>> On Tue, Sep 11, 2018 at 10:41 AM, Stephen Smalley
>> wrote:
>>>
>>> On 09/10/2018 06:30 PM, Ted Toth wrote:
>>>>
>>>>