On Tue, May 9, 2017 at 4:39 PM, Stephen Smalley wrote:
> On Tue, 2017-05-09 at 13:49 -0400, Paul Moore wrote:
>> > On 05/03/2017 12:14 PM, Stephen Smalley wrote:
>> > >
>> > > 1) Should we investigate lighter weight support for policy
>> > > capabilities, and if so, how?
>>
>>
From: Daniel Jurgens
Update libsepol and libsemanage to work with pkey records. Add local
storage for new and modified pkey records in pkeys.local. Update semanage
to parse the pkey command options to add, modify, and delete pkeys.
Signed-off-by: Daniel Jurgens
From: Daniel Jurgens
Add Infiniband pkey parsing, symbol table management, and policy
generation to CIL.
Signed-off-by: Daniel Jurgens
---
libsepol/cil/src/cil.c | 19
libsepol/cil/src/cil_binary.c | 39
From: Daniel Jurgens
Add IB end port parsing, symbol table management, and policy generation
to CIL.
Signed-off-by: Daniel Jurgens
---
libsepol/cil/src/cil.c | 18 ++
libsepol/cil/src/cil_binary.c | 29
From: Daniel Jurgens
Add checkpolicy support for scanning and parsing ibendportcon labels.
Also create a new ocontext for IB end ports.
Signed-off-by: Daniel Jurgens
---
checkpolicy/policy_define.c| 70
From: Daniel Jurgens
Update the main man page and add specific pages for ibpkeys and
ibendports.
Signed-off-by: Daniel Jurgens
---
python/semanage/semanage-ibendport.8 | 66 ++
python/semanage/semanage-ibpkey.8|
From: Daniel Jurgens
Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying an IB end port sid to checkpolicy.
Signed-off-by: Daniel Jurgens
---
checkpolicy/checkpolicy.c | 20
From: Daniel Jurgens
Add checkpolicy support for scanning and parsing ibpkeycon labels. Also
create a new ocontext for Infiniband Pkeys and define a new policydb
version for infiniband support.
Signed-off-by: Daniel Jurgens
---
From: Daniel Jurgens
Update libsepol and libsemanage to work with ibendport records. Add local
storage for new and modified ibendport records in ibendports.local.
Update semanage to parse the ibendport command options to add, modify,
and delete them.
Signed-off-by: Daniel
From: Daniel Jurgens
Infiniband applications access HW from user-space -- traffic is generated
directly by HW, bypassing the kernel. Consequently, Infiniband Partitions,
which are associated directly with HW transport endpoints, are a natural
choice for enforcing granular
On Tue, 2017-05-09 at 13:49 -0400, Paul Moore wrote:
> > On 05/03/2017 12:14 PM, Stephen Smalley wrote:
> > >
> > > 1) Should we investigate lighter weight support for policy
> > > capabilities, and if so, how?
>
> I agree that not having to update userspace for each new policy
> capability is a
If the map permission is defined, allow it in the mmap test policy
for the existing mmap test domains, and introduce a new domain and test
for testing that it is enforced.
Signed-off-by: Stephen Smalley
---
policy/Makefile | 4
policy/test_global.te | 4
On 09/05/17 19:28, James Carter wrote:
We normally add a "signed-off-by" line to patches. Can I add
"Signed-off-by: Alan Jenkins " to
your patches?
Jim
Please do. Sorry, it looks like I forgot about that after the first few
I sent here.
I hope that's
We normally add a "signed-off-by" line to patches. Can I add "Signed-off-by:
Alan Jenkins " to your patches?
Jim
On 05/07/2017 07:05 AM, Alan Jenkins wrote:
Make sure usage() in fixfiles shows all the current options.
It's printed when there's a user error,
On Thu, May 4, 2017 at 3:22 PM, Petr Lautrbach wrote:
> On 05/04/2017 07:50 PM, Dominick Grift wrote:
>> On Thu, May 04, 2017 at 07:42:40PM +0200, Dominick Grift wrote:
>>> On Thu, May 04, 2017 at 11:50:15AM -0400, Paul Moore wrote:
On Wed, May 3, 2017 at 12:51 PM,
On Wed, May 3, 2017 at 3:35 PM, James Carter wrote:
> On 05/03/2017 12:14 PM, Stephen Smalley wrote:
...
> I think that there are three cases to consider. (I am ignoring removing
> checks and/or permissions.)
>
> Case 1: Additional checks using existing permissions
>
>
On Tue, May 09, 2017 at 06:47:55PM +0200, Dominick Grift wrote:
> On Tue, May 09, 2017 at 06:15:43PM +0200, Dominick Grift wrote:
> > On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote:
> > >
> > > > On May 8, 2017, at 4:40 PM, Dominick Grift
> > > > wrote:
>
On 05/04/2017 05:36 PM, Jeff Vander Stoep wrote:
This commit adds attribute expansion statements to the policy
language allowing compiler defaults to be overridden.
Always expands an attribute example:
expandattribute { foo } true;
CIL example:
(expandtypeattribute (foo) true)
Never expand an
Commit 1089665e31a647a5f0ba2eabe8ac6232b384bed9 (Add attribute
expansion options) adds an expandattribute rule to the policy.conf
language which sets a type_datum flag. Currently the flag is used
only when writing out CIL policy from a policy.conf.
Make use of the flag when expanding policy to
On Tue, May 09, 2017 at 06:15:43PM +0200, Dominick Grift wrote:
> On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote:
> >
> > > On May 8, 2017, at 4:40 PM, Dominick Grift wrote:
> > >
> > > On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
> >
On Tue, May 9, 2017 at 7:54 AM, Stephen Smalley wrote:
> commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux:
> support ANDROID_HOST=1 on Mac") split up warning flags in
> CFLAGS based on compiler support in a manner that could lead to
> including a subset that is
On Tue, May 09, 2017 at 11:21:23AM -0400, Karl MacMillan wrote:
>
> > On May 8, 2017, at 4:40 PM, Dominick Grift wrote:
> >
> > On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
> >>
> >>> On May 8, 2017, at 3:49 PM, Dominick Grift
Karl MacMillan wrote:
5. any references to type attributes should be customizable: i.e. process_types
= ... filesystem_types = ... etc
I do not consider Linux access vectors to be customizable, unlike types,
attributes, booleans, tunables etc)
I know what you mean, but I have to point
> On May 8, 2017, at 5:47 PM, Dominick Grift wrote:
>
> On Mon, May 08, 2017 at 10:40:53PM +0200, Dominick Grift wrote:
>> On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
>>>
On May 8, 2017, at 3:49 PM, Dominick Grift wrote:
> On May 8, 2017, at 4:40 PM, Dominick Grift wrote:
>
> On Mon, May 08, 2017 at 04:09:16PM -0400, Karl MacMillan wrote:
>>
>>> On May 8, 2017, at 3:49 PM, Dominick Grift wrote:
>>>
>>> On Mon, May 08, 2017 at 03:36:21PM -0400, Karl MacMillan
commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux:
support ANDROID_HOST=1 on Mac") split up warning flags in
CFLAGS based on compiler support in a manner that could lead to
including a subset that is invalid, e.g. upon
make DESTDIR=/path/to/dest install. Fix it.
Signed-off-by: Stephen