load_policy fails to load policy with ENOENT

2016-11-15 Thread Dominick Grift
I finished porting dssp-base to dssp1-base, however when I try testing it load_policy fails with ENOENT. Even though load_policy returns error status the policy seems to be loaded, except that it is not (or so it seems). When I reboot the system freezes for whatever reason. Whether it is due to sy

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/14/2016 02:41 PM, Roberts, William C wrote: > > >> -Original Message- >> From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of Roberts, >> William C >> Sent: Monday, November 14, 2016 10:44 AM >> To: Stephen Smalley ; selinux@tycho.nsa.gov >> Subject: RE: [PATCH v2] libs

Re: [RFC] Split up policycoreutils

2016-11-15 Thread Stephen Smalley
On 11/14/2016 03:41 PM, Jason Zaman wrote: > These look pretty good to me. I have written most of the ebuilds for > gentoo for these new packages but have not committed to the tree yet. > > There are a couple issues: > 1) What is the license for each of the tarballs? there is no license or > COPYI

Re: [PATCH 4/4] selinux: Convert isec->lock into a spinlock

2016-11-15 Thread Andreas Gruenbacher
On Mon, Nov 14, 2016 at 11:22 PM, Paul Moore wrote: > We shouldn't need the spinlocks on the socket_post_create() and the > socket_accept() hooks as the callers should still have exclusive > access to the socket/inode at that point. > > I didn't check all the callers of the inode_init_security(),

Re: load_policy fails to load policy with ENOENT

2016-11-15 Thread Stephen Smalley
On 11/15/2016 07:19 AM, Dominick Grift wrote: > I finished porting dssp-base to dssp1-base, however when I try > testing it load_policy fails with ENOENT. > > Even though load_policy returns error status the policy seems to > be loaded, except that it is not (or so it seems). When I reboot > the s

Re: [RFC] Split up policycoreutils

2016-11-15 Thread Stephen Smalley
On 11/15/2016 09:47 AM, Stephen Smalley wrote: > On 11/14/2016 03:41 PM, Jason Zaman wrote: >> These look pretty good to me. I have written most of the ebuilds for >> gentoo for these new packages but have not committed to the tree yet. >> >> There are a couple issues: >> 1) What is the license for

Re: load_policy fails to load policy with ENOENT

2016-11-15 Thread Dominick Grift
On 11/15/2016 03:58 PM, Stephen Smalley wrote: > On 11/15/2016 07:19 AM, Dominick Grift wrote: >> I finished porting dssp-base to dssp1-base, however when I try >> testing it load_policy fails with ENOENT. >> >> Even though load_policy returns error status the policy seems to >> be loaded, except t

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/14/2016 06:58 PM, Nick Kralevich wrote: > On Mon, Nov 14, 2016 at 9:48 AM, Stephen Smalley wrote: >> The combining logic for dontaudit rules was wrong, causing >> a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; >> rule. >> >> Reported-by: Nick Kralevich >> Signed-off-by: S

Re: load_policy fails to load policy with ENOENT

2016-11-15 Thread Richard Haines
On Tue, 2016-11-15 at 16:02 +0100, Dominick Grift wrote: > On 11/15/2016 03:58 PM, Stephen Smalley wrote: > > > > On 11/15/2016 07:19 AM, Dominick Grift wrote: > > > > > > I finished porting dssp-base to dssp1-base, however when I try > > > testing it load_policy fails with ENOENT. > > > > > > E

Re: load_policy fails to load policy with ENOENT

2016-11-15 Thread Dominick Grift
On 11/15/2016 04:30 PM, Richard Haines wrote: > On Tue, 2016-11-15 at 16:02 +0100, Dominick Grift wrote: >> On 11/15/2016 03:58 PM, Stephen Smalley wrote: >>> >>> On 11/15/2016 07:19 AM, Dominick Grift wrote: I finished porting dssp-base to dssp1-base, however when I try testing it l

Re: load_policy fails to load policy with ENOENT

2016-11-15 Thread Stephen Smalley
On 11/15/2016 10:35 AM, Dominick Grift wrote: > On 11/15/2016 04:30 PM, Richard Haines wrote: >> On Tue, 2016-11-15 at 16:02 +0100, Dominick Grift wrote: >>> On 11/15/2016 03:58 PM, Stephen Smalley wrote: On 11/15/2016 07:19 AM, Dominick Grift wrote: > > I finished porting dssp-

Re: load_policy fails to load policy with ENOENT

2016-11-15 Thread Dominick Grift
On 11/15/2016 04:42 PM, Stephen Smalley wrote: > On 11/15/2016 10:35 AM, Dominick Grift wrote: >> On 11/15/2016 04:30 PM, Richard Haines wrote: >>> On Tue, 2016-11-15 at 16:02 +0100, Dominick Grift wrote: On 11/15/2016 03:58 PM, Stephen Smalley wrote: > > On 11/15/2016 07:19 AM, Domini

Re: load_policy fails to load policy with ENOENT

2016-11-15 Thread Stephen Smalley
On 11/15/2016 10:45 AM, Dominick Grift wrote: > On 11/15/2016 04:42 PM, Stephen Smalley wrote: >> On 11/15/2016 10:35 AM, Dominick Grift wrote: >>> On 11/15/2016 04:30 PM, Richard Haines wrote: On Tue, 2016-11-15 at 16:02 +0100, Dominick Grift wrote: > On 11/15/2016 03:58 PM, Stephen Small

Re: [PATCH 2/2] policycoreutils: Use GObject introspection binding instead of python-gobject in selinux_server.py

2016-11-15 Thread Stephen Smalley
On 11/12/2016 03:20 PM, Laurent Bigonville wrote: > From: Laurent Bigonville > > Signed-off-by: Laurent Bigonville Thanks, applied both patches. > --- > policycoreutils/sepolicy/selinux_server.py | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/policycoreutils/sep

Re: [PATCH] libsepol: cil: remove double-free.

2016-11-15 Thread Stephen Smalley
On 11/11/2016 02:12 PM, Daniel Cashman wrote: > From: dcashman > > Test: Untested patch. > Bug: https://code.google.com/p/android/issues/detail?id=226519 > Change-Id: Icaf992ba1487098f2c4f16ac1017012f611281e9 > Signed-off-by: Daniel Cashman Thanks, applied. > --- > libsepol/cil/src/cil_binary

Re: [PATCH 4/4] libselinux,libsemanage: link Python wrapper with Python

2016-11-15 Thread Stephen Smalley
On 11/14/2016 04:28 PM, Nicolas Iooss wrote: > When linking with -Wl,-no-undefined in LDFLAGS (in order to find > possible link-time errors), the Python wrapper module needs to be > linked with the right libpython.so. This library is found using > pkg-config in a new PYLIBS variable. > > Signed-of

Re: [PATCH 1/1] secilc: do not build secilc man page if it is up to date

2016-11-15 Thread Stephen Smalley
On 11/14/2016 04:33 PM, Nicolas Iooss wrote: > When running "make all" several times in the root directory of the > project, the following lines always appear (and the command takes some > seconds to complete on my system with a slow hard drive): > > xmlto man secilc.8.xml > Note: Writing

Re: [PATCH 2/2] libselinux, libsemanage: swig: use SWIG_fail when an error occurs

2016-11-15 Thread Stephen Smalley
On 11/14/2016 04:57 PM, Nicolas Iooss wrote: > Using SWIG_fail in the Python SWIG wrappers makes the wrapping function > destroy/free the memory which could have been dynamically allocated > before calling the wrapped function. This thus prevents possible memory > leaks in the wrappers of set*con()

Re: [RFC] Split up policycoreutils

2016-11-15 Thread Jason Zaman
On Tue, Nov 15, 2016 at 10:01:12AM -0500, Stephen Smalley wrote: > On 11/15/2016 09:47 AM, Stephen Smalley wrote: > > On 11/14/2016 03:41 PM, Jason Zaman wrote: > >> These look pretty good to me. I have written most of the ebuilds for > >> gentoo for these new packages but have not committed to the

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
For bit setting in constant time, one could always clear the bit(s) and or in what you want. I think that logic might be applicable here. I could take a stab at looking at it today, if no one has anything better by tomorrow we'll just merge yours as is. Does that sound reasonable? On Nov 15, 2016 0

SELinux system configuration using CIPSO

2016-11-15 Thread Casey Schaufler
I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a readily available distro, but I'm willing to perform semi-heroic acts if I have to. I'm not in a position to develop it myself, nor would that really suit my nefarious purposes. Thank you. _

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 09:30, "Nick Kralevich" wrote: > > Perhaps merge Stephen's change now, and address any changes in a > followup? I'd like to get it merged into the selinux tree so I can > merge the changes into the Android tree. That's fine with me too. > > -- Nick > > On Tue, Nov 15, 2016 at 9:1

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Stephen Smalley
On 11/15/2016 12:28 PM, Casey Schaufler wrote: > I am looking for an SELinux configuration that uses CIPSO. > Ideally, it would be based on a readily available distro, > but I'm willing to perform semi-heroic acts if I have to. > I'm not in a position to develop it myself, nor would that > really

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/15/2016 12:30 PM, Nick Kralevich wrote: > Perhaps merge Stephen's change now, and address any changes in a > followup? I'd like to get it merged into the selinux tree so I can > merge the changes into the Android tree. Yes, it is already merged. > > -- Nick > > On Tue, Nov 15, 2016 at 9:1

Re: checkpolicy dontaudit compiler bug?

2016-11-15 Thread William Roberts
On Fri, Nov 11, 2016 at 9:51 AM, Nick Kralevich wrote: > (apologies if you received this message twice. I believe the first > message got stuck in a moderation queue somewhere) > > I'm trying to hunt down what appears to be a weird checkpolicy bug. > > On Android, we have a special SELinux domain

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Casey Schaufler
On 11/15/2016 10:14 AM, Stephen Smalley wrote: > On 11/15/2016 12:28 PM, Casey Schaufler wrote: >> I am looking for an SELinux configuration that uses CIPSO. >> Ideally, it would be based on a readily available distro, >> but I'm willing to perform semi-heroic acts if I have to. >> I'm not in a po

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Stephen Smalley
On 11/15/2016 01:34 PM, Casey Schaufler wrote: > On 11/15/2016 10:14 AM, Stephen Smalley wrote: >> On 11/15/2016 12:28 PM, Casey Schaufler wrote: >>> I am looking for an SELinux configuration that uses CIPSO. >>> Ideally, it would be based on a readily available distro, >>> but I'm willing to perfo

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Casey Schaufler
On 11/15/2016 10:43 AM, Stephen Smalley wrote: > On 11/15/2016 01:34 PM, Casey Schaufler wrote: >> On 11/15/2016 10:14 AM, Stephen Smalley wrote: >>> On 11/15/2016 12:28 PM, Casey Schaufler wrote: I am looking for an SELinux configuration that uses CIPSO. Ideally, it would be based on a r

libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
In continuing the recent discussions on the topics: - [PATCH] libsepol: fix checkpolicy dontaudit compiler bug - checkpolicy dontaudit compiler bug? This is my proposed solution to the problem that avoids the return via-pointer alloced approach. Unfortunately the proposed clear then set approa

[PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: Stephen Smalley The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of 6201bb5e2 that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich Signed-off-by: Wi

[PATCH 1/2] Revert "libsepol: fix checkpolicy dontaudit compiler bug"

2016-11-15 Thread william . c . roberts
From: William Roberts This reverts commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71. --- libsepol/src/expand.c | 16 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index d7adbf8..004a029 100644 --- a/libsepol/src/expan

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Paul Moore
I'm somewhat limited the next few days with just my phone for network access, but the link below has some basic examples. The netlabelctl manpage may also be helpful. Finally, as Stephen already pointed out, the LSPP/audit-test project has some inter-machine CIPSO tests, but you will have to do som

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/15/2016 03:11 PM, Stephen Smalley wrote: > On 11/15/2016 02:40 PM, william.c.robe...@intel.com wrote: >> From: Stephen Smalley Also, you don't have to keep me as the author as the patch is a rewrite after a revert. >> >> The combining logic for dontaudit rules was wrong, causing >> a donta

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/15/2016 02:40 PM, william.c.robe...@intel.com wrote: > From: Stephen Smalley > > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > This is a reimplementation of 6201bb5e2 that avoids the cumbersome > poin

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 12:12, "Stephen Smalley" wrote: > > On 11/15/2016 03:11 PM, Stephen Smalley wrote: > > On 11/15/2016 02:40 PM, william.c.robe...@intel.com wrote: > >> From: Stephen Smalley > > Also, you don't have to keep me as the author as the patch is a rewrite > after a revert. I didn't real

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 12:09, "Stephen Smalley" wrote: > > On 11/15/2016 02:40 PM, william.c.robe...@intel.com wrote: > > From: Stephen Smalley > > > > The combining logic for dontaudit rules was wrong, causing > > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > > rule. > > > > This

[PATCH take2 v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of 6201bb5e2 that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich Signed-off-by: Wi

Re: [PATCH take2 v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/15/2016 04:06 PM, william.c.robe...@intel.com wrote: > From: William Roberts > > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > This is a reimplementation of 6201bb5e2 that avoids the cumbersome > poin

Re: [PATCH take2 v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Tue, Nov 15, 2016 at 1:17 PM, Stephen Smalley wrote: > On 11/15/2016 04:06 PM, william.c.robe...@intel.com wrote: >> From: William Roberts >> >> The combining logic for dontaudit rules was wrong, causing >> a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; >> rule. >> >> This i

[PATCH take2 v3] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of 6201bb5e2 that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich Signed-off-by:

Re: [PATCH take2 v3] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/15/2016 04:29 PM, william.c.robe...@intel.com wrote: > From: William Roberts > > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > This is a reimplementation of 6201bb5e2 that avoids the cumbersome > p

[PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: /commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug") that avo

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/15/2016 04:42 PM, william.c.robe...@intel.com wrote: > From: William Roberts > > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > This is a reimplementation of: > > /commit 6201bb5e258e2b5bcc04d502d6

[PATCH 1/1] libsemanage: use a macro prefixed with SEMANAGE to protect dso.h

2016-11-15 Thread Nicolas Iooss
Signed-off-by: Nicolas Iooss --- libsemanage/src/dso.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsemanage/src/dso.h b/libsemanage/src/dso.h index 5c69aaef0090..8c9a0140871f 100644 --- a/libsemanage/src/dso.h +++ b/libsemanage/src/dso.h @@ -1,5 +1,5 @@ -#ifndef _SE

[PATCH] libsepol: cil_lexer: make warnings non-fatal for building

2016-11-15 Thread Stephen Smalley
The flex skeleton often triggers compiler warnings; make these non-fatal for building. We already do likewise for checkpolicy. Signed-off-by: Stephen Smalley --- libsepol/src/Makefile | 6 ++ 1 file changed, 6 insertions(+) diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile index 7

Re: [PATCH 1/1] libsemanage: use a macro prefixed with SEMANAGE to protect dso.h

2016-11-15 Thread Stephen Smalley
On 11/15/2016 05:15 PM, Nicolas Iooss wrote: > Signed-off-by: Nicolas Iooss Thanks, applied > --- > libsemanage/src/dso.h | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libsemanage/src/dso.h b/libsemanage/src/dso.h > index 5c69aaef0090..8c9a0140871f 100644 > --- a

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Harry Waddell
On Tue, 15 Nov 2016 13:43:28 -0500 Stephen Smalley wrote: > On 11/15/2016 01:34 PM, Casey Schaufler wrote: > > On 11/15/2016 10:14 AM, Stephen Smalley wrote: > >> On 11/15/2016 12:28 PM, Casey Schaufler wrote: > >>> I am looking for an SELinux configuration that uses CIPSO. > >>> Ideally, it

Re: [PATCH] libsepol: cil_lexer: make warnings non-fatal for building

2016-11-15 Thread Nicolas Iooss
On Tue, Nov 15, 2016 at 11:21 PM, Stephen Smalley wrote: > The flex skeleton often triggers compiler warnings; make these > non-fatal for building. We already do likewise for checkpolicy. > For information, I am using flex 2.6.1 on my system and the generated code triggers -Wsign-compare warnin

[PATCH 2/3] libsepol: test for ebitmap_read() negative return value

2016-11-15 Thread Nicolas Iooss
While fuzzing hll/pp, the fuzzer (AFL) crafted a policy which triggered the following message without making the policy loading fail (the program crashed with a segmentation fault later): security: ebitmap: map size 192 does not match my size 64 (high bit was 0) This is because ebitmap_re

[PATCH 1/3] libsepol: replace an assert with an error message

2016-11-15 Thread Nicolas Iooss
When fuzzing hll/pp inputs, a policy module where the value of scope->decl_ids_len has been modified to zero makes the program abort (when it has been compiled without -DNDEBUG). Change the behavior to report an error message instead. This eases fuzzing functions like policydb_read(). Signed-off-

[PATCH 3/3] libsepol: make parsing symbol table headers more robust

2016-11-15 Thread Nicolas Iooss
When hll/pp loads a policy file which has been modified so that the nprim field of one of its non-empty symbol tables was changed to zero, it crashes with a segmentation fault. A quick analysis leads to "p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char *));" in policydb_index_o

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Casey Schaufler
On 11/15/2016 2:36 PM, Harry Waddell wrote: > On Tue, 15 Nov 2016 13:43:28 -0500 > Stephen Smalley wrote: > >> On 11/15/2016 01:34 PM, Casey Schaufler wrote: >>> On 11/15/2016 10:14 AM, Stephen Smalley wrote: On 11/15/2016 12:28 PM, Casey Schaufler wrote: > I am looking for an SELinux

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Tue, Nov 15, 2016 at 1:53 PM, Stephen Smalley wrote: > On 11/15/2016 04:42 PM, william.c.robe...@intel.com wrote: >> From: William Roberts >> >> The combining logic for dontaudit rules was wrong, causing >> a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; >> rule. >> >> This i

[PATCH take2 v5] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug") that avoids

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Tue, Nov 15, 2016 at 3:21 PM, William Roberts wrote: > On Tue, Nov 15, 2016 at 1:53 PM, Stephen Smalley wrote: >> On 11/15/2016 04:42 PM, william.c.robe...@intel.com wrote: >>> From: William Roberts >>> >>> The combining logic for dontaudit rules was wrong, causing >>> a dontaudit A B:C *; ru

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Harry Waddell
On Tue, 15 Nov 2016 15:07:34 -0800 Casey Schaufler wrote: > On 11/15/2016 2:36 PM, Harry Waddell wrote: > > On Tue, 15 Nov 2016 13:43:28 -0500 > > Stephen Smalley wrote: > > > >> On 11/15/2016 01:34 PM, Casey Schaufler wrote: > >>> On 11/15/2016 10:14 AM, Stephen Smalley wrote: > On

Re: [PATCH take2 v5] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
> memset(&avdatum, 0, sizeof avdatum); > + /* > +* AUDITDENY and DONTAUDIT are &= assigned, versus |= for > +* others. Initialize the data accordingly. > +*/ > + avdatum.data = (key->specified & > +

[PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug") that avoids

Re: SELinux system configuration using CIPSO

2016-11-15 Thread Casey Schaufler
On 11/15/2016 3:52 PM, Harry Waddell wrote: > On Tue, 15 Nov 2016 15:07:34 -0800 > Casey Schaufler wrote: > >> On 11/15/2016 2:36 PM, Harry Waddell wrote: >>> On Tue, 15 Nov 2016 13:43:28 -0500 >>> Stephen Smalley wrote: >>> On 11/15/2016 01:34 PM, Casey Schaufler wrote: > On 11/15/2

Re: [PATCH take2 v5] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 4:33 PM, "William Roberts" wrote: > > > > > memset(&avdatum, 0, sizeof avdatum); > > + /* > > +* AUDITDENY and DONTAUDIT are &= assigned, versus |= for > > +* others. Initialize the data accordingly. > > +

Re: [PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 4:43 PM, wrote: > > From: William Roberts > > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > This is a reimplementation of: > commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: > f