Re: [PATCH v2] libsepol: add missing ibendport port validity check

2018-10-25 Thread William Roberts
On Tue, Oct 23, 2018 at 10:29 AM William Roberts wrote: > > On Mon, Oct 22, 2018 at 11:58 PM Ondrej Mosnacek wrote: > > > > The kernel checks if the port is in the range 1-255 when loading an > > ibenportcon rule. Add the same check to libsepol. > > > >

Re: [PATCH v2] libsepol: add missing ibendport port validity check

2018-10-23 Thread William Roberts
On Mon, Oct 22, 2018 at 11:58 PM Ondrej Mosnacek wrote: > > The kernel checks if the port is in the range 1-255 when loading an > ibenportcon rule. Add the same check to libsepol. > > Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling") > Signed-off-by: Ondrej Mosnacek > --- >

Re: [PATCH] libsepol: add missing ibendport port validity check

2018-10-22 Thread William Roberts
On Mon, Oct 22, 2018 at 1:18 AM Ondrej Mosnacek wrote: > > The kernel checks if the port is in the range 1-255 when loading an > ibenportcon rule. Add the same check to libsepol. > > Fixes: 118c0cd1038e ("libsepol: Add ibendport ocontext handling") > Signed-off-by: Ondrej Mosnacek > --- >

Re: [PATCH v4] selinux: policydb - fix byte order and alignment issues

2018-10-19 Thread William Roberts
On Fri, Oct 19, 2018 at 7:28 AM Stephen Smalley wrote: > > On 10/18/2018 03:47 AM, Ondrej Mosnacek wrote: > > Do the LE conversions before doing the Infiniband-related range checks. > > The incorrect checks are otherwise causing a failure to load any policy > > with an ibendportcon rule on BE

Re: [PATCH v2] libsepol: fix endianity in ibpkey range checks

2018-10-18 Thread William Roberts
break; > + } > case OCON_IBENDPORT: > rc = next_entry(buf, fp, sizeof(uint32_t) * > 2); > if (rc < 0) > -- > 2.17.2 > Acked-by: William Roberts william.c.robe...@intel.com ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: [PATCH v4] selinux: policydb - fix byte order and alignment issues

2018-10-18 Thread William Roberts
On Thu, Oct 18, 2018 at 5:57 AM Ondrej Mosnacek wrote: > > Do the LE conversions before doing the Infiniband-related range checks. > The incorrect checks are otherwise causing a failure to load any policy > with an ibendportcon rule on BE systems. This can be reproduced by > running (on e.g.

Re: [PATCH v3] selinux: policydb - fix byte order and alignment issues

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 7:19 AM Ondrej Mosnacek wrote: > > Do the LE conversions before doing the Infiniband-related range checks. > The incorrect checks are otherwise causing a failure to load any policy > with an ibendportcon rule on BE systems. This can be reproduced by > running (on e.g.

Re: [PATCH] libsepol: fix endianity in ibpkey range checks

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 2:21 PM Stephen Smalley wrote: > > On 10/17/2018 05:18 PM, Paul Moore wrote: > > On Wed, Oct 17, 2018 at 12:07 PM William Roberts > > wrote: > >> On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek > >> wrote: > >>> > &g

Re: [PATCH] libsepol: fix endianity in ibpkey range checks

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 7:48 AM Ondrej Mosnacek wrote: > > We need to convert from little-endian before doing range checks on the > ibpkey port numbers, otherwise we would be checking a wrong value. > > Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling") > Signed-off-by: Ondrej Mosnacek

Re: [PATCH] libsepol: fix endianity in ibpkey range checks

2018-10-17 Thread William Roberts
On Wed, Oct 17, 2018 at 8:30 AM Stephen Smalley wrote: > > On 10/17/2018 10:46 AM, Ondrej Mosnacek wrote: > > We need to convert from little-endian before doing range checks on the > > ibpkey port numbers, otherwise we would be checking a wrong value. > > > > Fixes: 9fbb3112769a ("libsepol: Add

Re: Fix alias handling in sepolicy and semanage

2018-10-16 Thread William Roberts
I'm really not that familiar with the Python code to review this at the moment, perhaps Nicolas is? On Tue, Oct 16, 2018 at 1:27 AM Vit Mojzis wrote: > > Sepolicy and semanage do not work with aliases properly (aliases are > mostly treated as invalid types). Fix this by determining corresponding

Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files

2018-10-15 Thread William Roberts
merged: https://github.com/SELinuxProject/selinux/pull/104 On Thu, Oct 11, 2018 at 4:58 PM William Roberts wrote: > > On Thu, Oct 11, 2018 at 5:37 AM James Carter wrote: > > > > [Resending because I originally only sent these to the new list] > > > > - Remo

Re: [PATCH] libsemanage: improve semanage_migrate_store import failure

2018-10-08 Thread William Roberts
Weird Gmail removed my text box for plain text mode in Gmail, re-sending since it got filtered out of the mailing list. On Mon, Oct 8, 2018 at 9:09 AM William Roberts wrote: > > Yuli, > If you respin this with just import error looks like it's a go. > Bill > > On Fri, Oct 5

Re: [PATCH] libsemanage: improve semanage_migrate_store import failure

2018-10-08 Thread William Roberts
Yuli, If you respin this with just import error looks like it's a go. Bill On Fri, Oct 5, 2018 at 12:53 PM Chris PeBenito wrote: > On 10/05/2018 10:32 AM, Jason Zaman wrote: > > On Fri, Oct 05, 2018 at 07:13:23AM -0700, William Roberts wrote: > >> On Thu, Oct 4, 201

Re: [PATCH] libsemanage: improve semanage_migrate_store import failure

2018-10-05 Thread William Roberts
On Thu, Oct 4, 2018 at 12:46 PM Yuli Khodorkovskiy < yuli.khodorkovs...@crunchydata.com> wrote: > The python module import error in semanage_migrate_store was misleading. > Before, it would print that the module is not installed, even though > it is in fact on the system. > > Now the python

Re: [PATCH] libselinux: fix selinux_restorecon() on non-SELinux hosts

2018-09-26 Thread William Roberts
On Wed, Sep 26, 2018 at 8:12 AM Stephen Smalley wrote: > The kernel only supports seclabel if it is >= 2.6.30 _and_ > SELinux is enabled, since seclabel is generated by SELinux > based partly on policy (e.g. is the filesystem type configured in policy > with a labeling behavior that supports

Re: [PATCH 1/2] whitespace and spelling cleanup

2018-09-25 Thread William Roberts
Both patches were applied: https://github.com/SELinuxProject/selinux/pull/100 On Mon, Sep 24, 2018 at 11:55 AM William Roberts wrote: > ack > > On Mon, Sep 24, 2018 at 11:12 AM Nick Kralevich via Selinux < > selinux@tycho.nsa.gov> wrote: > >> Signed-off-by: Nick Kra

Re: [PATCH 2/2] secilc: better error handling

2018-09-24 Thread William Roberts
ack On Mon, Sep 24, 2018 at 11:12 AM Nick Kralevich via Selinux < selinux@tycho.nsa.gov> wrote: > Fix a situation where the secilc command line tool could return success > even though the compilation failed. > > $ secilc /dev/null -o /dev/null -f /dev/null > Failure reading file: /dev/null >

Re: [PATCH 1/2] whitespace and spelling cleanup

2018-09-24 Thread William Roberts
ack On Mon, Sep 24, 2018 at 11:12 AM Nick Kralevich via Selinux < selinux@tycho.nsa.gov> wrote: > Signed-off-by: Nick Kralevich > --- > libsepol/include/sepol/errcodes.h | 2 +- > secilc/secilc.c | 14 +++--- > 2 files changed, 8 insertions(+), 8 deletions(-) > >

Re: [PATCH] secilc: better error handling

2018-09-21 Thread William Roberts
On Fri, Sep 21, 2018 at 5:12 PM Nick Kralevich via Selinux < selinux@tycho.nsa.gov> wrote: > Fix a situation where the secilc command line tool could return success > even though the compilation failed. > > $ secilc /dev/null -o /dev/null -f /dev/null > Failure reading file: /dev/null > $

Re: [PATCH] checkpolicy: remove extraneous policy build noise

2018-09-21 Thread William Roberts
merged: https://github.com/SELinuxProject/selinux/pull/99 On Wed, Sep 19, 2018 at 12:13 PM Nick Kralevich via Selinux < selinux@tycho.nsa.gov> wrote: > Reduce noise when calling the checkpolicy command line. In Android, this > creates unnecessary build noise which we'd like to avoid. > >

Re: [PATCH] checkpolicy: remove extraneous policy build noise

2018-09-19 Thread William Roberts
On Wed, Sep 19, 2018 at 12:36 PM Stephen Smalley wrote: > On 09/19/2018 03:21 PM, William Roberts wrote: > > Some people might be checking this output since it's been there so long, > > -s would be a good way to go. > > > > Alternatively, a way to bring back this infor

Re: [PATCH] checkpolicy: remove extraneous policy build noise

2018-09-19 Thread William Roberts
Some people might be checking this output since it's been there so long, -s would be a good way to go. Alternatively, a way to bring back this information via a verbose option -V could be considered. Either way, a simple logging mechanism analogous to LOGV/LOGW/LOGE could be useful, I wonder

Re: [PATCH 2/2] semanage: add a missing space in ibendport help

2018-09-06 Thread William Roberts
ack On Wed, Sep 5, 2018 at 2:53 PM Nicolas Iooss wrote: > Currently, in: > > # semanage ibendport --help > usage: semanage ibendport [-h] [-n] [-N] [-s STORE] [ --add -t TYPE > -z IBDEV_NAME -r RANGE ( port ) | --delete -z IBDEV_NAME -r RANGE( > port ) | --deleteall | --extract

Re: [PATCH 3/3] python: remove semicolon from end of lines

2018-08-20 Thread William Roberts
Ack on these as well On Sun, Aug 19, 2018 at 11:49 AM, Nicolas Iooss wrote: > Python does not need to end a statement with a semicolon. Doing this > gets reported by linters such as flake8 ("E703 statement ends with a > semicolon"). > > Remove such semicolons in the code and enable this warning

Re: [PATCH 2/2] libsemanage: make pywrap-test.py compatible with Python 3

2018-08-19 Thread William Roberts
On Sun, Aug 19, 2018 at 1:53 AM, Nicolas Iooss wrote: > On Sat, Aug 18, 2018 at 8:43 PM William Roberts > wrote: > > > > I'm assuming with your attention on the python side of the house we're > going to see a lot of > > formatting change patches heading the mai

Re: [PATCH 00/13] Fix some issues found by flake8

2018-08-07 Thread William Roberts
On Mon, Aug 6, 2018 at 1:26 PM, Nicolas Iooss wrote: > On Mon, Aug 6, 2018 at 5:05 PM, William Roberts > wrote: > > > > On Sat, Aug 4, 2018 at 12:47 PM, Nicolas Iooss > > wrote: > >> > >> Hi, > >> > >> I have been working on a scr

Re: [PATCH 00/13] Fix some issues found by flake8

2018-08-06 Thread William Roberts
On Sat, Aug 4, 2018 at 12:47 PM, Nicolas Iooss wrote: > Hi, > > I have been working on a script which uses flake8 to discover issues in > Python code. This led me to discover several issues which are fixed by > these patches. Distribution maintainers might be interested in > backporting some of

Re: [PATCH 1/1] mcstrans: fix memory leaks reported by clang's static analyzer

2018-07-02 Thread William Roberts
On Mon, Jul 2, 2018 at 11:38 AM, Nicolas Iooss wrote: > On Sun, Jul 1, 2018 at 10:51 PM, William Roberts > wrote: >> I see lots of repeating blocks, would it make more sense to goto an >> error label and free them then return -1? > > Both trans_context() and untrans_co

Re: [PATCH 1/1] restorecond: close the PID file if writing to it failed

2018-07-01 Thread William Roberts
On Sun, Jul 1, 2018 at 7:59 AM, Nicolas Iooss wrote: > write_pid_file() leaks a file descriptor to /var/run/restorecond.pid if > it fails to write the PID to it. Close the file before returning. > > Signed-off-by: Nicolas Iooss > --- > restorecond/restorecond.c | 1 + > 1 file changed, 1

Re: [PATCH 1/1] Travis-CI: use new location of refpolicy repository

2018-07-01 Thread William Roberts
On Sun, Jul 1, 2018 at 7:56 AM, Nicolas Iooss wrote: > refpolicy moved from github.com/TresysTechnology to > github.com/SELinuxProject. It is still used in sepolgen tests (they > build modules using Makefile.devel and build.conf) so update the > location of the repository. > > Signed-off-by:

Re: [PATCH 7/7] libsepol: destroy the copied va_list

2018-05-29 Thread William Roberts
ack On Sat, May 26, 2018 at 11:42 AM, Nicolas Iooss wrote: > va_copy()'s manpage [1] states: > > Each invocation of va_copy() must be matched by a corresponding > invocation of va_end() in the same function. > > create_str_helper() is using va_copy() without va_end(). Add the missing >

Re: [PATCH] libsemanage: prevent string overflow on final paths

2018-05-08 Thread William Roberts
On Tue, May 8, 2018 at 7:32 AM, Stephen Smalley wrote: > Verify that the final path does not exceed the size of the > buffer before copying. This can only occur if an alternate > path for the policy root and/or the policy store root has been > specified and if the resulting

Re: [PATCH 1/1] libsemanage: always check append_arg return value

2018-04-25 Thread William Roberts
Merged: https://github.com/SELinuxProject/selinux/pull/94 On Mon, Apr 23, 2018 at 9:50 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Sun, Apr 22, 2018 at 12:30 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: >> When split_args() calls append_arg(), the

Re: [PATCH 2/2] sestatus: free process and file contexts which are checked

2018-04-25 Thread William Roberts
Merged: https://github.com/SELinuxProject/selinux/pull/94 On Mon, Apr 23, 2018 at 9:54 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Sun, Apr 22, 2018 at 12:21 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: >> clang's static analyzer reports a potentia

Re: [PATCH] Revert "libselinux: verify file_contexts when using restorecon"

2018-04-25 Thread William Roberts
On Mon, Apr 23, 2018 at 9:55 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Fri, Apr 20, 2018 at 7:17 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> This reverts commit 814631d3aebaa041073a42c677c1ed62ce7830d5. >> As reported by Petr Lautrbach, this

Re: [PATCH 2/2] sestatus: free process and file contexts which are checked

2018-04-23 Thread William Roberts
On Sun, Apr 22, 2018 at 12:21 PM, Nicolas Iooss wrote: > clang's static analyzer reports a potential memory leak because the > buffers allocated in pc and fc are not freed in main(), in sestatus.c. > Free these buffers properly. > > Signed-off-by: Nicolas Iooss

Re: [PATCH 5/5] libselinux: remove unused variable usercon

2018-04-16 Thread William Roberts
On Mon, Apr 16, 2018 at 5:34 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 04/13/2018 08:40 PM, William Roberts wrote: >> In general this series looks fine. >> >> However, checkpatch.pl is complaining about DOS line endings in your patches: >> >>

Re: [PATCH 5/5] libselinux: remove unused variable usercon

2018-04-13 Thread William Roberts
In general this series looks fine. However, checkpatch.pl is complaining about DOS line endings in your patches: For example: ERROR: DOS line endings #325: FILE: libselinux/src/label_file.h:281: +^I^Iint alloc_stems = data->alloc_stems * 2 + 16;^M$ On Fri, Apr 13, 2018 at 1:34 PM, Nicolas

Re: [PATCH v3 0/2] restorecon context validation improvement

2018-04-04 Thread William Roberts
On Fri, Mar 30, 2018 at 11:59 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Thu, Mar 29, 2018 at 5:16 PM, Yuli Khodorkovskiy <ykh...@gmail.com> wrote: >> In permissive, if a bad label is written to a file_context file, >> restorecon will not verify t

Re: [PATCH v3 0/2] restorecon context validation improvement

2018-03-30 Thread William Roberts
On Thu, Mar 29, 2018 at 5:16 PM, Yuli Khodorkovskiy wrote: > In permissive, if a bad label is written to a file_context file, > restorecon will not verify the label before successfully applying the > context. These patches fix validation of labels during restorecon > while not

Re: [PATCH v2 1/2] libselinux: verify file_contexts when using restorecon

2018-03-29 Thread William Roberts
On Thu, Mar 29, 2018 at 5:37 AM, Stephen Smalley wrote: > On 03/28/2018 11:40 PM, Yuli Khodorkovskiy wrote: >> In permissive mode, calling restorecon with a bad label in file_contexts >> does not verify the label's existence in the loaded policy. This >> results in any label

Re: [PATCH v2 0/2] restorecon context validation improvement

2018-03-28 Thread William Roberts
On Wed, Mar 28, 2018 at 8:40 PM, Yuli Khodorkovskiy wrote: > In permissive, if a bad label is written to a file_context file, > restorecon will not verify the label before successfully applying the > context. These patches fix validation of labels during restorecon > while not

Re: [PATCH] libsemanage/direct_api.c: Fix iterating over array

2018-03-19 Thread William Roberts
On Mon, Mar 19, 2018 at 8:19 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Mon, Mar 19, 2018 at 7:46 AM, Vit Mojzis <vmoj...@redhat.com> wrote: >> Fix sizeof calculation in array iteration introduced by commit >> 6bb8282c4cf66e93daa9684dbe9c75bb6b1e09a7 >

Re: [PATCH v3] Resolve conflicts in expandattribute.

2018-03-16 Thread William Roberts
; >> This change deals with this scenario by resolving the value of the >> corresponding expandtypeattribute to false. The rationale behind this >> override is that true is used for reduce run-time lookups, while >> false is used for tests which must pass. >> >> Si

Re: [PATCH v2] Resolve conflicts in expandattribute.

2018-03-16 Thread William Roberts
On Thu, Mar 15, 2018 at 8:16 PM, Tri Vo wrote: > This commit resolves conflicts in values of expandattribute statements > in policy language and expandtypeattribute in CIL. > > For example, these statements resolve to false in policy language: > expandattribute hal_audio true;

Re: [PATCH] libsepol: Export sepol_polcap_getnum/name functions

2018-03-15 Thread William Roberts
merged: https://github.com/SELinuxProject/selinux/pull/85 On Thu, Mar 15, 2018 at 11:31 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Thu, Mar 15, 2018 at 11:01 AM, jwcart2 <jwca...@tycho.nsa.gov> wrote: >> On 03/08/2018 03:19 PM, Stephen Smalley

Re: [PATCH] libsepol: Export sepol_polcap_getnum/name functions

2018-03-15 Thread William Roberts
p.in >> +++ b/libsepol/src/libsepol.map.in >> @@ -56,4 +56,6 @@ LIBSEPOL_1.1 { >> sepol_module_policydb_to_cil; >> sepol_kernel_policydb_to_cil; >> sepol_kernel_policydb_to_conf; >> + sepol_polcap_getnum; >> + sepol_polcap_getname; >> } LIBSEPOL_1.0; >> Acked-by: William Roberts <william.c.robe...@intel.com>

Re: [PATCH] secilc: resolve conflicts in expandattribute.

2018-03-14 Thread William Roberts
On Wed, Mar 14, 2018 at 3:17 PM, Tri Vo wrote: > When Android combines multiple .cil files from system.img and vendor.img > it's possible to have conflicting expandattribute statements, e.g. > expandattribute hal_audio true; > expandattribute hal_audio false; Isn't this the

Re: Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 11:39 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 02/28/2018 02:26 PM, William Roberts wrote: >> So peeking through the code base, I see: >> >> int semanage_direct_is_managed(semanage_handle_t * sh) >> { >> if (semanage_c

Re: [PATCH] libsemanage: Improve warning for installing disabled module

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 9:44 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Wed, Feb 28, 2018 at 4:12 AM, Vit Mojzis <vmoj...@redhat.com> wrote: >> Resolves: rhbz#1337199 >> >> Signed-off-by: Vit Mojzis <vmoj...@redhat.com> >> --- >&

Re: [PATCH 2/3] libsemanage: remove access() check to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 10:26 AM, Stephen Smalley wrote: > On 02/28/2018 05:15 AM, Vit Mojzis wrote: >> F_OK access checks only work properly as long as all directories along >> the path are accessible to real user running the program. >> Replace F_OK access checks by testing

Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
ormer and test case and the same could be said for semanage_store_access_check I think this is a good time to roll in patch 4 and drop everything relying on semanage_store_access_check. Thoughts? On Wed, Feb 28, 2018 at 11:07 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Wed, Feb 2

Re: [PATCH 1/3] libsemanage: remove access() check to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis wrote: > access() uses real UID instead of effective UID which causes false > negative checks in setuid programs. Remove redundant access() checks > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431 > > Signed-off-by: Vit

Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 10:43 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 02/28/2018 01:24 PM, William Roberts wrote: >> Where is patch 2/2, I have yet to see it? >> >> Did something get screwy and is it: [PATCH] libsemanage: Improve >> warning for insta

Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
Where is patch 2/2, I have yet to see it? Did something get screwy and is it: [PATCH] libsemanage: Improve warning for installing disabled module On Wed, Feb 28, 2018 at 9:50 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis <vmoj..

Re: [PATCH 2/3] libsemanage: remove access() check to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis wrote: > F_OK access checks only work properly as long as all directories along > the path are accessible to real user running the program. > Replace F_OK access checks by testing return value of open, write, etc. > > Fixes:

Re: [PATCH 3/3] libsemanage: replace access() checks to make setuid programs work

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 2:15 AM, Vit Mojzis wrote: > access() uses real UID instead of effective UID which causes false > negative checks in setuid programs. > Replace access(,F_OK) (i.e. tests for file existence) by stat(). > And access(,R_OK) by fopen(,"r") > > Fixes:

Re: [PATCH] libsemanage: Improve warning for installing disabled module

2018-02-28 Thread William Roberts
On Wed, Feb 28, 2018 at 4:12 AM, Vit Mojzis wrote: > Resolves: rhbz#1337199 > > Signed-off-by: Vit Mojzis > --- > libsemanage/src/direct_api.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsemanage/src/direct_api.c

Re: Minor bash completion update for semanage ports

2018-02-13 Thread William Roberts
On Mon, Feb 12, 2018 at 5:58 PM, Lee Stubbs wrote: > Based on the semanage-port documentation, I believe the semanage ports type > bash autocompletion may be missing a '-'. Please see the attached patch file This isn't how we take patches on the list, please use git

Re: [PATCH] [RFC] sidtab: use memset vs loop for init

2018-02-08 Thread William Roberts
On Thu, Feb 8, 2018 at 8:51 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Thu, 2018-02-08 at 08:34 -0800, William Roberts wrote: >> On Thu, Feb 8, 2018 at 7:47 AM, Stephen Smalley <s...@tycho.nsa.gov> >> wrote: >> > On Thu, 2018-02-08 at 10:20 -0500, Pa

Re: [PATCH] [RFC] sidtab: use memset vs loop for init

2018-02-08 Thread William Roberts
On Thu, Feb 8, 2018 at 7:20 AM, Paul Moore <p...@paul-moore.com> wrote: > On Wed, Feb 7, 2018 at 6:46 PM, <william.c.robe...@intel.com> wrote: >> From: William Roberts <william.c.robe...@intel.com> >> >> Commit: >> 73ff5fc selinux: cache sidtab_contex

Re: [PATCH V3] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-25 Thread William Roberts
Thanks, applied: https://github.com/SELinuxProject/selinux/pull/76 On Thu, Jan 25, 2018 at 10:49 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Thu, 2018-01-25 at 10:22 -0800, William Roberts wrote: >> On Wed, Jan 24, 2018 at 1:42 AM, Richard Haines >> <richard

Re: [PATCH V3] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-25 Thread William Roberts
On Wed, Jan 24, 2018 at 1:42 AM, Richard Haines wrote: > Allow the tmp build files to be kept for debugging when a policy > build fails. > > Signed-off-by: Richard Haines > --- > V2 Changes: > Remove the retain-tmp flag and just

Re: [PATCH V2] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-22 Thread William Roberts
On Mon, Jan 22, 2018 at 8:38 AM, Richard Haines wrote: > Allow the tmp build files to be kept for debugging when a policy > build fails. > > Signed-off-by: Richard Haines > --- > V2 Changes: > Remove the retain-tmp flag and just

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-19 Thread William Roberts
Richard, are you going to respin this? On Tue, Jan 16, 2018 at 9:35 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Tue, Jan 16, 2018 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote: >>> O

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-16 Thread William Roberts
On Tue, Jan 16, 2018 at 8:00 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote: >> On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley >> <stephen.smal...@gmail.com> wrote: >> > On Jan 14, 2018 10:36 AM

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-16 Thread William Roberts
On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley wrote: > On Jan 14, 2018 10:36 AM, "Richard Haines" > wrote: > > Add new option to semanage.conf that allows the tmp build files > to be kept for debugging when building policy. > > >

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-15 Thread William Roberts
On Mon, Jan 15, 2018 at 8:39 AM, Richard Haines <richard_c_hai...@btinternet.com> wrote: > On Mon, 2018-01-15 at 07:46 -0800, William Roberts wrote: >> On Sun, Jan 14, 2018 at 7:34 AM, Richard Haines >> <richard_c_hai...@btinternet.com> wrote: >> > Add new

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-15 Thread William Roberts
On Sun, Jan 14, 2018 at 7:34 AM, Richard Haines wrote: > Add new option to semanage.conf that allows the tmp build files > to be kept for debugging when building policy. How do people know where the tmp files are, does something print it out or is it documented

Re: [PATCH] libselinux: Correct manpages regarding removable_context

2018-01-13 Thread William Roberts
On Wed, Jan 10, 2018 at 6:12 AM, Richard Haines wrote: > The selabel_media(5) man page incorrectly stated that the > removable_context(5) would be read if an selabel_lookup(3) > failed. Correct the man pages that fixes [1]. > > [1]

Re: [PATCH] libselinux: Correct manpages regarding removable_context

2018-01-10 Thread William Roberts
On Wed, Jan 10, 2018 at 6:12 AM, Richard Haines wrote: > The selabel_media(5) man page incorrectly stated that the > removable_context(5) would be read if an selabel_lookup(3) > failed. Correct the man pages that fixes [1]. > > [1]

Re: [PATCH v2] selinux: ensure the context is NUL terminated in security_context_to_sid_core()

2017-12-01 Thread William Roberts
On Fri, Dec 1, 2017 at 1:31 PM, Paul Moore wrote: > From: Paul Moore > > The syzbot/syzkaller automated tests found a problem in > security_context_to_sid_core() during early boot (before we load the > SELinux policy) where we could potentially feed

Re: [PATCH] libsemanage: properly check return value of iterate function

2017-11-27 Thread William Roberts
Thanks. Applied: https://github.com/SELinuxProject/selinux/pull/71 On Wed, Nov 22, 2017 at 7:09 AM, Jan Zarsky wrote: > Function dbase_llist_iterate iterates over records and checks return > value of iterate function. According to a manpage semanage_iterate(3), > handler can

Re: [PATCH] libsemanage: properly check return value of iterate function

2017-11-27 Thread William Roberts
On Mon, Nov 27, 2017 at 2:01 AM, Jan Zarsky wrote: > Function dbase_llist_iterate() iterates over records and checks return > value of iterate function. According to a manpage semanage_iterate(3), > handler can return value 1 for early exit. dbase_llist_iterate() > currently

Re: [PATCH] libsemanage: properly check return value of iterate function

2017-11-22 Thread William Roberts
On Wed, Nov 22, 2017 at 7:09 AM, Jan Zarsky wrote: > Function dbase_llist_iterate iterates over records and checks return > value of iterate function. According to a manpage semanage_iterate(3), > handler can return value 1 for early exit. dbase_llist_iterate > currently

Re: [PATCH 1/1] Travis-CI: try working around network issues by retrying downloads

2017-10-25 Thread William Roberts
On Tue, Oct 24, 2017 at 2:39 PM, Nicolas Iooss wrote: > Some Travis-CI builds failed because of issues when downloading > refpolicy files for sepolgen tests. Use curl's option --retry to make > the downloads work when the networking issues are only transient. > >

Re: travis CI

2017-10-24 Thread William Roberts
On Oct 24, 2017 13:05, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: On Tue, 2017-10-24 at 09:26 -0700, William Roberts wrote: > Error 52, which if it lines up with what I am reading is > CURLE_GOT_NOTHING > https://curl.haxx.se/libcurl/c/libcurl-errors.html > > Tha

Re: travis CI

2017-10-24 Thread William Roberts
Wed, 2017-10-18 at 19:30 -0700, William Roberts wrote: >> On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley <s...@tycho.nsa.gov> >> wrote: >> > On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote: >> > > On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Ioo

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-23 Thread William Roberts
On Mon, Oct 23, 2017 at 9:12 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Mon, Oct 23, 2017 at 8:57 AM, Dan Cashman <dcash...@android.com> wrote: >> On 10/20/2017 09:09 AM, William Roberts wrote: >>> >>> On Thu, Oct 19, 2017 at 3:12 PM, Nicolas

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-23 Thread William Roberts
On Mon, Oct 23, 2017 at 8:57 AM, Dan Cashman <dcash...@android.com> wrote: > On 10/20/2017 09:09 AM, William Roberts wrote: >> >> On Thu, Oct 19, 2017 at 3:12 PM, Nicolas Iooss <nicolas.io...@m4x.org> >> wrote: >>> >>> On Thu, Oct 19, 2017 at 9:46

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-20 Thread William Roberts
On Thu, Oct 19, 2017 at 3:12 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: > On Thu, Oct 19, 2017 at 9:46 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On Thu, 2017-10-19 at 14:27 -0400, Stephen Smalley wrote: >>> On Thu, 2017-10-19 at 09:25 -0700, William Ro

Re: [PATCH] libselinux: android: support exact match for a property key

2017-10-20 Thread William Roberts
On Fri, Oct 20, 2017 at 7:54 AM, Jeffrey Vander Stoep via Selinux wrote: > Please hold off on submission. We're discussing if this is really necessary. Yeah I'd like to hear about what issues the current longest match logic was causing in the commit message. > > On Thu,

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-19 Thread William Roberts
On Thu, Oct 19, 2017 at 9:25 AM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Thu, Oct 19, 2017 at 7:26 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> On Tue, 2017-10-17 at 09:33 -0700, Daniel Cashman wrote: >>> From: Dan Cashman <dcash...@goog

Re: [PATCH v3] selinux: libselinux: Enable multiple input files to selabel_open.

2017-10-19 Thread William Roberts
On Thu, Oct 19, 2017 at 7:26 AM, Stephen Smalley wrote: > On Tue, 2017-10-17 at 09:33 -0700, Daniel Cashman wrote: >> From: Dan Cashman >> >> The file_contexts labeling backend, specified in label_file.c, >> currently assumes >> that only one path will be

Re: travis CI

2017-10-18 Thread William Roberts
On Tue, Oct 17, 2017 at 12:50 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Tue, 2017-10-17 at 11:49 -0700, William Roberts wrote: >> On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss <nicolas.io...@m4x.org >> > wrote: >> > On Fri, Oct 13, 2017 at 1:50 A

Re: travis CI

2017-10-17 Thread William Roberts
On Sun, Oct 15, 2017 at 5:10 AM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: > On Fri, Oct 13, 2017 at 1:50 AM, William Roberts > <bill.c.robe...@gmail.com> wrote: >> On Thu, Oct 12, 2017 at 1:48 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >>> On

travis CI

2017-10-12 Thread William Roberts
I see a travis.yml file, recently modified by Nicolas, but I failed to find the Travis CI instance on travis.org, where is it? We should likely have it running on commits to the repo and PRs so we can have some independent way of verifying that our run of the tests was compromised by some env

Re: [PATCH] semodule-utils: remove semodule_deps

2017-10-12 Thread William Roberts
Applied: https://github.com/SELinuxProject/selinux/pull/65 On Tue, Oct 3, 2017 at 7:21 AM, Stephen Smalley wrote: > As discussed in https://github.com/SELinuxProject/selinux/issues/64, > semodule_deps has apparently been broken for a very long time for > binary modules and is

Re: [PATCH] semodule-utils: remove semodule_deps

2017-10-03 Thread William Roberts
On Tue, Oct 3, 2017 at 7:21 AM, Stephen Smalley wrote: > As discussed in https://github.com/SELinuxProject/selinux/issues/64, > semodule_deps has apparently been broken for a very long time for > binary modules and is completely irrelevant for CIL modules. If there > are any

Re: Labeling sysfs files

2017-10-02 Thread William Roberts
On Mon, Oct 2, 2017 at 2:54 PM, David Graziano wrote: > I'm trying to find a way of labeling specific files/directories in > sysfs that do not exist at boot time. I'm running an embedded SELinux > enabled system (4.1 series kernel) where at boot there is an

Re: [PATCH 1/2] libsemanage: Add support for listing fcontext.homedirs file

2017-10-01 Thread William Roberts
On Sun, Oct 1, 2017 at 8:43 AM, Vit Mojzis <vmoj...@redhat.com> wrote: > > > On 27.9.2017 19:04, William Roberts wrote: >> >> 2017-09-27 1:16 GMT-07:00 Vit Mojzis <vmoj...@redhat.com>: >>> >>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id

Re: [PATCH 1/2] libsemanage: Add support for listing fcontext.homedirs file

2017-09-27 Thread William Roberts
2017-09-27 1:16 GMT-07:00 Vit Mojzis : > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1409813 > --- > libsemanage/include/semanage/fcontexts_policy.h | 4 > libsemanage/src/direct_api.c| 6 ++ > libsemanage/src/fcontexts_policy.c

Re: [PATCH 1/1] sepolicy: do not fail when file_contexts.local or .subs do not exist

2017-09-18 Thread William Roberts
On Mon, Sep 18, 2017 at 3:59 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Mon, Sep 18, 2017 at 2:32 PM, Nicolas Iooss <nicolas.io...@m4x.org> wrote: >> >> On a system without any file context customizations, "sepolicy gui" >> fails to load b

Re: [PATCH 1/1] sepolicy: do not fail when file_contexts.local or .subs do not exist

2017-09-18 Thread William Roberts
On Mon, Sep 18, 2017 at 2:32 PM, Nicolas Iooss wrote: > > On a system without any file context customizations, "sepolicy gui" > fails to load because it tries to read a non-existent file: > > FileNotFoundError: [Errno 2] No such file or directory: >
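The failure quoted above (a loader that opens file_contexts.local and file_contexts.subs unconditionally and dies with FileNotFoundError on a host that never customised its labels) beside the fix the patch title describes, as an added example that is not sepolicy's own code. The parsers, the return shape and the simplified line formats (``regex [filetype] context`` for .local, ``src dst`` for .subs) are assumptions made for this example; the sample files are constructed inline.

```python
"""Added example (not sepolicy's own code): make file_contexts.local and
file_contexts.subs optional when loading labeling customisations.

``load_strict`` reproduces the reported FileNotFoundError; ``load_customisations``
treats the two files as optional but still propagates every other OSError
(EACCES, EISDIR, ...), so a real misconfiguration is not hidden.
"""
import errno
import os
import tempfile
from typing import List, Optional, Tuple

LOCAL = "file_contexts.local"   # assumed format: REGEX [TYPE] CONTEXT
SUBS = "file_contexts.subs"     # assumed format: SRC_PREFIX DST_PREFIX


def parse_file_contexts(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Parse ``regex [filetype] context`` lines; '#' starts a comment."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) == 2:
            out.append((fields[0], None, fields[1]))
        elif len(fields) == 3:
            out.append((fields[0], fields[1], fields[2]))
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
    return out


def parse_subs(text: str) -> List[Tuple[str, str]]:
    """Parse ``src dst`` path-substitution lines; '#' starts a comment."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f"malformed subs line: {raw!r}")
        out.append((fields[0], fields[1]))
    return out


def load_strict(dirname: str):
    """Pre-fix behaviour: both customisation files must exist."""
    with open(os.path.join(dirname, LOCAL)) as fh:
        local = parse_file_contexts(fh.read())
    with open(os.path.join(dirname, SUBS)) as fh:
        subs = parse_subs(fh.read())
    return local, subs


def _read_optional(path: str) -> Optional[str]:
    """Return the file's text, or None when it does not exist.

    Only ENOENT is tolerated; permission errors, a directory in place of
    the file, etc. are real problems and are re-raised.
    """
    try:
        with open(path) as fh:
            return fh.read()
    except OSError as e:
        if e.errno == errno.ENOENT:
            return None
        raise


def load_customisations(dirname: str):
    """Fixed behaviour: an absent file simply means 'no customisations'."""
    local_txt = _read_optional(os.path.join(dirname, LOCAL))
    subs_txt = _read_optional(os.path.join(dirname, SUBS))
    local = parse_file_contexts(local_txt) if local_txt is not None else []
    subs = parse_subs(subs_txt) if subs_txt is not None else []
    return local, subs


def demo():
    """Constructed scenario: a contexts directory holding only a .local file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, LOCAL), "w") as fh:
            fh.write("/srv/www(/.*)?  system_u:object_r:httpd_sys_content_t:s0\n"
                     "# a comment line\n"
                     "/srv/data  -d  system_u:object_r:var_t:s0\n")
        try:
            load_strict(d)
            strict_failed = False
        except FileNotFoundError:
            strict_failed = True
        local, subs = load_customisations(d)
        return strict_failed, local, subs


if __name__ == "__main__":
    print(demo())
```

Catching only ENOENT (rather than a blanket ``except OSError``) is the part worth copying: a file_contexts.local that exists but is unreadable should still abort the load, since silently labeling without it would be the wrong outcome.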

Re: [PATCH] selinux: libselinux: Enable multiple input files to selabel_open.

2017-09-11 Thread William Roberts
On Mon, Sep 11, 2017 at 11:04 AM, Daniel Cashman wrote: > From: Dan Cashman > > The file_contexts labeling backend, specified in label_file.c, currently > assumes > that only one path will be specified as an option to selabel_open(). The > split > of

Re: file_contexts non-ascii error

2017-08-22 Thread William Roberts
icy on first >> machine without renaming directory? Thank you. > > The check for non-ASCII characters was introduced by the following > commit: > > commit 2981e0ba3a869d12ed6f376581277847421db2e7 > Author: William Roberts <william.c.robe...@intel.com> > Date: Tue

Re: [PATCH v6 1/2] selinux: add brief info to policydb

2017-05-17 Thread William Roberts
On Wed, May 17, 2017 at 11:30 AM, Stephen Smalley wrote: > On Thu, 2017-05-18 at 02:09 +0900, Sebastien Buisson wrote: >> Add policybrief field to struct policydb. It holds a brief info >> of the policydb, made of colon separated name and value pairs >> that give information

Re: [PATCH v5 1/2] selinux: add brief info to policydb

2017-05-17 Thread William Roberts
On Wed, May 17, 2017 at 10:00 AM, Sebastien Buisson <sbuisson@gmail.com> wrote: > 2017-05-17 18:04 GMT+02:00 William Roberts <bill.c.robe...@gmail.com>: >> I'm assuming in the Lustre code you're going to call security_policy_brief(), >> how would the caller know h
