[PATCH v1 9/9] semanage: Update man pages for infiniband

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Update the main man page and add specific pages for ibpkeys and ibendports. Signed-off-by: Daniel Jurgens --- python/semanage/semanage-ibendport.8 | 66 python/semanage/semanage-ibpkey.8| 66 pyt

[PATCH v1 6/9] libsepol: Add IB end port handling to CIL

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add IB end port parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- v1: James Carter: - Add cil_resolve_ibendportcon prototype in cil_resolve_ast.h Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 18 ++

[PATCH v1 4/9] checkpolicy: Add support for ibendportcon labels

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Check IB device name length when parsing policy. - Use strcmp vs strncmp to compare device names. Si

Re: [PATCH v4 1/2] selinux: add brief info to policydb

2017-05-15 Thread Stephen Smalley
On Tue, 2017-05-16 at 03:22 +0900, Sebastien Buisson wrote: > Add policybrief field to struct policydb. It holds a brief info > of the policydb, made of colon separated name and value pairs > that give information about how the policy is applied in the > security module(s). > Note that the ordering

[PATCH v1 8/9] semanage: Update semanage to allow runtime labeling of ibendports

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with ibendport records. Add local storage for new and modified ibendport records in ibendports.local. Update semanage to parse the ibendport command options to add, modify, and delete them. Signed-off-by: Daniel Jurgens --- v1: Jason

[PATCH v1 7/9] semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Update libsepol and libsemanage to work with pkey records. Add local storage for new and modified pkey records in pkeys.local. Update semanage to parse the pkey command options to add, modify, and delete pkeys. Signed-off-by: Daniel Jurgens --- v1: Fixed semanage_pkey_exis

[PATCH v1 3/9] libsepol: Add Infiniband Pkey handling to CIL

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add Infiniband pkey parsing, symbol table management, and policy generation to CIL. Signed-off-by: Daniel Jurgens --- libsepol/cil/src/cil.c | 19 + libsepol/cil/src/cil_binary.c | 39 + libsepol/cil/src/cil_binary.h | 12 +

[PATCH v1 1/9] checkpolicy: Add support for ibpkeycon labels

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Always use s6_addr instead of s6_addr32. -

[PATCH v1 0/9] SELinux user space support for Infiniband RDMA

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Infiniband applications access HW from user-space -- traffic is generated directly by HW, bypassing the kernel. Consequently, Infiniband Partitions, which are associated directly with HW transport endpoints, are a natural choice for enforcing granular mandatory access control

[PATCH v1 5/9] libsepol: Add ibendport ocontext handling

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying an IB end port sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed unused domain and type params from sepol_ibendport_sid. - Remove ibendp

[PATCH v1 2/9] libsepol: Add ibpkey ocontext handling

2017-05-15 Thread Dan Jurgens
From: Daniel Jurgens Add support for reading, writing, and copying Infiniband Pkey ocontext data. Also add support for querying a Pkey sid to checkpolicy. Signed-off-by: Daniel Jurgens --- v1: Stephen Smalley: - Removed domain and type params from sepol_ibpkey_sid. - Removed splen param from

Re: [PATCH 2/2] libselinux: close the subs file if fstat failed

2017-05-15 Thread Stephen Smalley
On Fri, 2017-05-12 at 22:13 +0200, Nicolas Iooss wrote: > selabel_subs_init() returned without closing cfg when a call to > fstat() > failed. Fix this. > > Signed-off-by: Nicolas Iooss Thanks, applied both patches. > --- >  libselinux/src/label.c | 2 +- >  1 file changed, 1 insertion(+), 1 dele

[PATCH v4 1/2] selinux: add brief info to policydb

2017-05-15 Thread Sebastien Buisson
Add policybrief field to struct policydb. It holds a brief info of the policydb, made of colon separated name and value pairs that give information about how the policy is applied in the security module(s). Note that the ordering of the fields in the string may change. Policy brief is computed eve

[PATCH v4 2/2] selinux: expose policy brief via selinuxfs

2017-05-15 Thread Sebastien Buisson
Expose policy brief via selinuxfs. Signed-off-by: Sebastien Buisson --- security/selinux/selinuxfs.c | 26 ++ 1 file changed, 26 insertions(+) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index e8fe914..2561f96 100644 --- a/security/selinux/se

[PATCH] libsepol,checkpolicy: add binary module support for xperms

2017-05-15 Thread Stephen Smalley
Presently we support xperms rules in source policy and in CIL modules. The binary policy module format however was never extended for xperms. This limitation inhibits use of xperms in refpolicy-based policy modules (including the selinux-testsuite policy). Update libsepol to support linking, readi

Re: Possible use after free in selabel_subs_init

2017-05-15 Thread Stephen Smalley
On Fri, 2017-05-12 at 15:02 -0700, William Roberts wrote: > > > On Fri, May 12, 2017 at 1:26 PM, Nicolas Iooss > wrote: > > Hi, > > > > Currently libselinux/src/label.c defines selabel_subs_init() like > > this [1]: > > > >     struct selabel_sub *selabel_subs_init(/* ... */) > >     { > >