Re: Policy capabilities: when to use and complications with using

2017-05-09 Thread Paul Moore
On Tue, May 9, 2017 at 4:39 PM, Stephen Smalley wrote: > On Tue, 2017-05-09 at 13:49 -0400, Paul Moore wrote: >> > On 05/03/2017 12:14 PM, Stephen Smalley wrote: >> > > >> > > 1) Should we investigate lighter weight support for policy >> > > capabilities, and if so, how? >> >>

[PATCH 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with pkey records. Add local storage for new and modified pkey records in pkeys.local. Update semanage to parse the pkey command options to add, modify, and delete pkeys. Signed-off-by: Daniel Jurgens

[PATCH 3/9] libsepol: Add Infiniband Pkey handling to CIL

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add Infiniband pkey parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 19 libsepol/cil/src/cil_binary.c | 39

[PATCH 6/9] libsepol: Add IB end port handling to CIL

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add IB end port parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 18 ++ libsepol/cil/src/cil_binary.c | 29

[PATCH 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens --- checkpolicy/policy_define.c| 70

[PATCH 9/9] semanage: Update man pages for infiniband

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Update the main man page and add specific pages for ibpkeys and ibendports. Signed-off-by: Daniel Jurgens --- python/semanage/semanage-ibendport.8 | 66 ++ python/semanage/semanage-ibpkey.8|

[PATCH 5/9] libsepol: Add ibendport ocontext handling

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying an IB end port sid to checkpolicy. Signed-off-by: Daniel Jurgens --- checkpolicy/checkpolicy.c | 20

[PATCH 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens ---

[PATCH 8/9] semanage: Update semanage to allow runtime labeling of ibendports

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with ibendport records. Add local storage for new and modified ibendport records in ibendports.local. Update semanage to parse the ibendport command options to add, modify, and delete them. Signed-off-by: Daniel

[PATCH 0/9] SELinux user space support for Infiniband RDMA

2017-05-09 Thread Dan Jurgens
From: Daniel Jurgens Infiniband applications access HW from user-space -- traffic is generated directly by HW, bypassing the kernel. Consequently, Infiniband Partitions, which are associated directly with HW transport endpoints, are a natural choice for enforcing granular

Re: Policy capabilities: when to use and complications with using

2017-05-09 Thread Stephen Smalley
On Tue, 2017-05-09 at 13:49 -0400, Paul Moore wrote: > > On 05/03/2017 12:14 PM, Stephen Smalley wrote: > > > > > > 1) Should we investigate lighter weight support for policy > > > capabilities, and if so, how? > > I agree that not having to update userspace for each new policy > capability is a

[PATCH] selinux-testsuite: update mmap tests for map permission

2017-05-09 Thread Stephen Smalley
If the map permission is defined, allow it in the mmap test policy for the existing mmap test domains, and introduce a new domain and test for testing that it is enforced. Signed-off-by: Stephen Smalley --- policy/Makefile | 4 policy/test_global.te | 4

Re: [PATCH 01/10] policycoreutils: fixfiles: tidy up usage(), manpage synopsis

2017-05-09 Thread Alan Jenkins
On 09/05/17 19:28, James Carter wrote: We normally add a "signed-off-by" line to patches. Can I add "Signed-off-by: Alan Jenkins " to your patches? Jim Please do. Sorry, it looks like I forgot about that after the first few I sent here. I hope that's

Re: [PATCH 01/10] policycoreutils: fixfiles: tidy up usage(), manpage synopsis

2017-05-09 Thread James Carter
We normally add a "signed-off-by" line to patches. Can I add "Signed-off-by: Alan Jenkins " to your patches? Jim On 05/07/2017 07:05 AM, Alan Jenkins wrote: Make sure usage() in fixfiles shows all the current options. It's printed when there's a user error,

Re: Policy capabilities: when to use and complications with using

2017-05-09 Thread Paul Moore
On Thu, May 4, 2017 at 3:22 PM, Petr Lautrbach wrote: > On 05/04/2017 07:50 PM, Dominick Grift wrote: >> On Thu, May 04, 2017 at 07:42:40PM +0200, Dominick Grift wrote: >>> On Thu, May 04, 2017 at 11:50:15AM -0400, Paul Moore wrote: On Wed, May 3, 2017 at 12:51 PM,

Re: Policy capabilities: when to use and complications with using

2017-05-09 Thread Paul Moore
On Wed, May 3, 2017 at 3:35 PM, James Carter wrote: > On 05/03/2017 12:14 PM, Stephen Smalley wrote: ... > I think that there are three cases to consider. (I am ignoring removing > checks and/or permissions.) > > Case 1: Additional checks using existing permissions > >

Re: Announcing SPAN: SELinux Policy Analysis Notebook

2017-05-09 Thread Dominick Grift
On Tue, May 09, 2017 at 06:47:55PM +0200, Dominick Grift wrote: > On Tue, May 09, 2017 at 06:15:43PM +0200, Dominick Grift wrote: > > On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote: > > > > > > > On May 8, 2017, at 4:40 PM, Dominick Grift > > > > wrote: >

Re: [PATCH] Add attribute expansion options

2017-05-09 Thread James Carter
On 05/04/2017 05:36 PM, Jeff Vander Stoep wrote: This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden. Always expands an attribute example: expandattribute { foo } true; CIL example: (expandtypeattribute (foo) true) Never expand an

[PATCH] libsepol: Expand attributes with TYPE_FLAGS_EXPAND_ATTR_TRUE set

2017-05-09 Thread James Carter
Commit 1089665e31a647a5f0ba2eabe8ac6232b384bed9 (Add attribute expansion options) adds an expandattribute rule to the policy.conf language which sets a type_datum flag. Currently the flag is used only when writing out CIL policy from a policy.conf. Make use of the flag when expanding policy to

Re: Announcing SPAN: SELinux Policy Analysis Notebook

2017-05-09 Thread Dominick Grift
On Tue, May 09, 2017 at 06:15:43PM +0200, Dominick Grift wrote: > On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote: > > > > > On May 8, 2017, at 4:40 PM, Dominick Grift wrote: > > > > > > On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote: > >

Re: [PATCH] libselinux: Fix CFLAGS definition

2017-05-09 Thread William Roberts
On Tue, May 9, 2017 at 7:54 AM, Stephen Smalley wrote: > commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux: > support ANDROID_HOST=1 on Mac") split up warning flags in > CFLAGS based on compiler support in a manner that could lead to > including a subset that is

Re: Announcing SPAN: SELinux Policy Analysis Notebook

2017-05-09 Thread Dominick Grift
On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote: > > > On May 8, 2017, at 4:40 PM, Dominick Grift wrote: > > > > On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote: > >> > >>> On May 8, 2017, at 3:49 PM, Dominick Grift

Re: Announcing SPAN: SELinux Policy Analysis Notebook

2017-05-09 Thread Joshua Brindle
Karl MacMillan wrote: 5. any references to type attributes should be customizable: ie. process_types = ... filesystem_types = ... etc I do not consider Linux access vectors to be customizable, unlike types, attributes, booleans, tunables etc) I know what you mean, but I have to point

Re: Announcing SPAN: SELinux Policy Analysis Notebook

2017-05-09 Thread Karl MacMillan
> On May 8, 2017, at 5:47 PM, Dominick Grift wrote: > > On Mon, May 08, 2017 at 10:40:53PM +0200, Dominick Grift wrote: >> On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote: >>> On May 8, 2017, at 3:49 PM, Dominick Grift wrote:

Re: Announcing SPAN: SELinux Policy Analysis Notebook

2017-05-09 Thread Karl MacMillan
> On May 8, 2017, at 4:40 PM, Dominick Grift wrote: > > On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote: >> >>> On May 8, 2017, at 3:49 PM, Dominick Grift wrote: >>> >>> On Mon, May 08, 2017 at 03:36:21PM -0400, Karl MacMillan

[PATCH] libselinux: Fix CFLAGS definition

2017-05-09 Thread Stephen Smalley
commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux: support ANDROID_HOST=1 on Mac") split up warning flags in CFLAGS based on compiler support in a manner that could lead to including a subset that is invalid, e.g. upon make DESTDIR=/path/to/dest install. Fix it. Signed-off-by: Stephen