Re: [PATCH] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Gary Tierney
On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote: > This patch allows changing labels for cgroup mounts. Previously, running > chcon on cgroupfs would throw an "Operation not supported". This patch > specifically whitelists cgroupfs. > > The patch could also allow containers to write

Re: tomcat_t domain behavior

2017-03-14 Thread Gary Tierney
#366942 > http://www.secureoss.jp/ > Tel: +819026581386 > _______ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "h

genhomedircon: some issues with a custom policy

2016-07-23 Thread Gary Tierney
Hi, There are a few issues I've run into with genhomedircon and a custom policy (i.e., not based on refpolicy), 2 of which prevent me from using genhomedircon, and 1 small issue which I can work around. The first main issue is that my custom policy doesn't use "system_u" as the system user identi

[PATCH] genhomedircon: add support for %group syntax

2016-07-27 Thread Gary Tierney
there is ambiguity due to a user belonging to multiple groups mapped by semanage-login. If a login mapping is added for the user which belongs to multiple groups it will take precedence and resolve the ambiguity issue. Signed-off-by: Gary Tierney --- libsemanage/src/genhomedircon.c | 319

Re: [PATCH] genhomedircon: add support for %group syntax

2016-08-16 Thread Gary Tierney
Hi Stephen, Replied inline below. On Mon, Aug 15, 2016 at 03:58:44PM -0400, Stephen Smalley wrote: > On 07/27/2016 05:25 PM, Gary Tierney wrote: > > semanage-login supports login mappings using the %group syntax, but > > genhomedircon does not expand groups to the users be

Re: [PATCH] genhomedircon: add support for %group syntax

2016-08-16 Thread Gary Tierney
On Tue, Aug 16, 2016 at 01:13:02PM -0400, Stephen Smalley wrote: On 08/16/2016 11:59 AM, Gary Tierney wrote: Hi Stephen, Replied inline below. On Mon, Aug 15, 2016 at 03:58:44PM -0400, Stephen Smalley wrote: On 07/27/2016 05:25 PM, Gary Tierney wrote: semanage-login supports login mappings

[PATCH 0/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
From: Gary Tierney Re-spin of my original patch that adds support for logins mapped using the %group syntax to genhomedircon. This version includes fixes for the issues raised by Jason and splits the bugfix into a separate commit. There was a bit of confusion about the MLS level, I think

[PATCH 1/2] genhomedircon: generate contexts for logins mapped to the default user

2016-08-22 Thread Gary Tierney
From: Gary Tierney Removes a test in get_users() which excludes any logins that are explicitly mapped to the default user from file context generation, which results in logins mapped to the fallback user with home directories outside of LU_HOMEDIRECTORY (in the absence of usepasswd=True) having

[PATCH 2/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
From: Gary Tierney semanage-login supports login mappings using the %group syntax, but genhomedircon does not expand groups to the users belonging to them. This commit adds support for generating home directory contexts for login mappings using the group syntax and adds error reporting for

Re: [PATCH 2/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
On Mon, Aug 22, 2016 at 09:23:01PM +0100, Gary Tierney wrote: From: Gary Tierney semanage-login supports login mappings using the %group syntax, but genhomedircon does not expand groups to the users belonging to them. This commit adds support for generating home directory contexts for login

[PATCH v3 1/2] genhomedircon: generate contexts for logins mapped to the default user

2016-08-22 Thread Gary Tierney
file_contexts.homedirs entries. Signed-off-by: Gary Tierney --- libsemanage/src/genhomedircon.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c index c5ea436..698b907 100644 --- a/libsemanage/src/genhomedircon.c +++ b/libsemanage/src

[PATCH v3 0/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
ommit. Gary Tierney (2): genhomedircon: generate contexts for logins mapped to the default user genhomedircon: add support for %group syntax libsemanage/src/genhomedircon.c | 314 +++- 1 file changed, 243 insertions(+), 71 deletions(-) --

[PATCH v3 2/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
there is ambiguity due to a user belonging to multiple groups mapped by semanage-login. If a login mapping is added for the user which belongs to multiple groups it will take precedence and resolve the ambiguity issue. Signed-off-by: Gary Tierney --- libsemanage/src/genhomedircon.c | 311

Re: [PATCH 0/2] genhomedircon: add support for %group syntax

2016-08-23 Thread Gary Tierney
On Tue, Aug 23, 2016 at 08:54:17AM -0400, Stephen Smalley wrote: > On 08/22/2016 04:22 PM, Gary Tierney wrote: > > From: Gary Tierney > > > > Re-spin of my original patch that adds support for logins mapped using the > > %group syntax to genhomedircon. This version in

[PATCH] remove system_u and s0 hardcoded strings

2016-09-06 Thread Gary Tierney
| xargs grep -h 'HOME_DIR' | grep -v 's0' | grep -Evc > '^#' 0 > $ find . -name '*.fc' | xargs grep -h 'HOME_DIR' | grep -v 'system_u' | grep > -Evc '^#' 0 Gary Tierney (1): genhomedircon: remove hardcoded refpolicy

[PATCH] genhomedircon: remove hardcoded refpolicy strings

2016-09-06 Thread Gary Tierney
Removes the "system_u" and "s0" string literals from refpolicy and replaces the seuser and range in each homedir, uid, and username context specification for every user. Signed-off-by: Gary Tierney --- libsemanage/src/genhomedircon.c | 79 +

Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings

2016-09-06 Thread Gary Tierney
On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote: On 09/06/2016 09:48 AM, Gary Tierney wrote: Removes the "system_u" and "s0" string literals from refpolicy and replaces the seuser and range in each homedir, uid, and username context specification for every

[PATCH v2 0/1] genhomedircon: remove hardcoded refpolicy strings

2016-09-21 Thread Gary Tierney
Second iteration of my previous genhomedircon patch. The issue with context specifications as "<>" is fixed and libselinux calls are replaced with their respective libsepol calls. I've filed a new BZ for Fedora's system_u login here: https://bugzilla.redhat.com/sho

[PATCH v2 1/1] genhomedircon: remove hardcoded refpolicy strings

2016-09-21 Thread Gary Tierney
Removes the "system_u" and "s0" string literals from refpolicy and replaces the seuser and range in each homedir, uid, and username context specification for every user. Signed-off-by: Gary Tierney --- libsemanage/src/genhomedircon.c | 87 +

[PATCH 1/1] genhomedircon: support policies using RBACSEP

2016-09-23 Thread Gary Tierney
r } prefix user_r; Signed-off-by: Gary Tierney --- libsemanage/src/conf-parse.y| 14 +- libsemanage/src/conf-scan.l | 1 + libsemanage/src/genhomedircon.c | 30 +- libsemanage/src/semanage_conf.h | 1 + 4 files changed, 44 insertions(+), 2 deletion

[PATCH 0/1] supporting RBACSEP in genhomedircon

2016-09-23 Thread Gary Tierney
;s any better options for supporting RBACSEP in home dir context generation. There was some previous discussion about this here for reference: http://oss.tresys.com/pipermail/refpolicy/2011-August/004417.html Gary Tierney (1): genhomedircon: support policies using RBACSEP libsemanage/sr

Re: [PATCH 1/1] genhomedircon: support policies using RBACSEP

2016-09-23 Thread Gary Tierney
On Fri, Sep 23, 2016 at 03:28:44PM +0100, Gary Tierney wrote: > Introduces support for generating homedir/user contexts for policies > that implement RBACSEP. The support works by taking the prefix of a > login's seuser and replacing the role field in their context > specifications wit

Re: [PATCH 1/1] genhomedircon: support policies using RBACSEP

2016-09-23 Thread Gary Tierney
On Fri, Sep 23, 2016 at 03:36:47PM -0400, Stephen Smalley wrote: On 09/23/2016 10:28 AM, Gary Tierney wrote: Introduces support for generating homedir/user contexts for policies that implement RBACSEP. The support works by taking the prefix of a login's seuser and replacing the role field in

Re: [PATCH 1/1] genhomedircon: support policies using RBACSEP

2016-09-28 Thread Gary Tierney
en Smalley wrote: > >>>> On 09/23/2016 10:28 AM, Gary Tierney wrote: > >>>>> Introduces support for generating homedir/user contexts > >>>>> for policies that implement RBACSEP. The support works by > >>>>> taking the prefix of a

[PATCH 0/1] libsepol/cil: create role/user caches for context validation

2016-10-03 Thread Gary Tierney
This patch sets up the role/user caches used in context_is_valid() when a cildb is compiled to a binary policy. Previously, it seems like these would only be available when a binary policy had been loaded from file as opposed to rebuilt from source. Gary Tierney (1): libsepol/cil: create user and

[PATCH 1/1] libsepol/cil: create user and role caches when building binary policy

2016-10-03 Thread Gary Tierney
runs genhomedircon). Also adds declarations for the hashtable mapping functions used: policydb_role_cache and policydb_user_cache(). Signed-off-by: Gary Tierney --- libsepol/cil/src/cil_binary.c | 7 +++ libsepol/include/sepol/policydb/policydb.h | 8 2 files changed

Re: [PATCH 1/1] libsepol/cil: create user and role caches when building binary policy

2016-10-03 Thread Gary Tierney
On Mon, Oct 03, 2016 at 11:46:19AM +0100, Gary Tierney wrote: > Pre-expands the role and user caches used in context validation when > converting a cildb to a binary policydb. This is currently only done > when loading a binary policy and prevents context validation from > working corr

[PATCH v2 0/1] libsepol/cil: create role/user caches for context validation

2016-10-03 Thread Gary Tierney
This patch sets up the role/user caches used in context_is_valid() when a cildb is compiled to a binary policy. Previously, it seems like these would only be available when a binary policy had been loaded from file as opposed to rebuilt from source. Gary Tierney (1): libsepol/cil: create user and

[PATCH v2 1/1] libsepol/cil: create user and role caches when building binary policy

2016-10-03 Thread Gary Tierney
runs genhomedircon). Also adds declarations for the hashtable mapping functions used: policydb_role_cache and policydb_user_cache(). Signed-off-by: Gary Tierney --- libsepol/cil/src/cil_binary.c | 13 + libsepol/include/sepol/policydb/policydb.h | 8 2 files

[PATCH v2 0/1] supporting RBACSEP in genhomedircon

2016-10-06 Thread Gary Tierney
omething I can look at later if all is well here. [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572 Gary Tierney (1): genhomedircon: use userprefix as the role for homedir content libsemanage/src/genhomedir

[PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content

2016-10-06 Thread Gary Tierney
as normal. Additionally, this commit enables configuring RBACSEP in policy: (tunableif enable_rbacsep (true (userprefix user_u user_r) (false (userprefix user_u object_r Signed-off-by: Gary Tierney --- libsemanage/src/genhomedircon.c | 38

Re: [SECILC] does not seem to filter redundant attributes and rules

2016-11-09 Thread Gary Tierney
get help, send an email containing "help" to > >selinux-requ...@tycho.nsa.gov. > > > > > -- > James Carter > National Security Agency > ___ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscri

Filtering an avtab in libsepol

2016-12-06 Thread Gary Tierney
} *out = tmp; return POLICYDB_SUCCESS; } Is that the right idea? Thanks. -- Gary Tierney GPG fingerprint: 412C 0EF9 C305 68E6 B660BDAF 706E D765 85AA 79D8 https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8 signature.asc De

Re: Filtering an avtab in libsepol

2016-12-06 Thread Gary Tierney
On Tue, Dec 06, 2016 at 12:53:00PM -0500, Stephen Smalley wrote: > On 12/06/2016 12:00 PM, Gary Tierney wrote: > > Hi, > > > > I've been working on optimizing out AV rules with no applicable > > types as well as unused attributes to trim down the size of a >

Re: Filtering an avtab in libsepol

2016-12-06 Thread Gary Tierney
On Tue, Dec 06, 2016 at 01:06:28PM -0500, Stephen Smalley wrote: On 12/06/2016 12:53 PM, Stephen Smalley wrote: On 12/06/2016 12:00 PM, Gary Tierney wrote: Hi, I've been working on optimizing out AV rules with no applicable types as well as unused attributes to trim down the size of a p

[PATCH] libsepol/cil: remove avrules with no affected types

2016-12-07 Thread Gary Tierney
f9927d9370f90bd9d975ff933fe107ec4f93a9ac. Signed-off-by: Gary Tierney --- libsepol/cil/src/cil_binary.c | 47 +++ 1 file changed, 47 insertions(+) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index d33981b..3aa350a 100644 --- a/libsepol/cil/src

[PATCH] cil: remove avrules that have no associated types

2016-12-07 Thread Gary Tierney
Grift's dssp1: [root@localhost ~]# sesearch -ACS dssp_original.30 | head -1 Found 11270 semantic av rules: [root@localhost ~]# sesearch -ACS dssp_modified.30 | head -1 Found 2574 semantic av rules: Gary Tierney (1): libsepol/cil: remove avrules with no affected types libsepol/cil/src/cil_

Re: [PATCH] libsepol/cil: remove avrules with no affected types

2016-12-07 Thread Gary Tierney
On Wed, Dec 07, 2016 at 08:27:05AM -0500, Stephen Smalley wrote: > On 12/07/2016 07:15 AM, Gary Tierney wrote: > > Adds a check for avrules with type attributes that have a bitmap cardinality > > of 0 (i.e., no types in their set) before adding them to the libsepol

Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread Gary Tierney
On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote: ... snip ... Those wiki pages on SELinuxProject/cil are now pretty out of date (you'll notice that some other statements mentioned there like `template` are not implemented as well). The updated documentation is at https://github.