Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-16 Thread William Roberts
>>>>> >>>>> This is a reimplementation of: >>>>> >>>>> /commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: >>>>> fix checkpolicy dontaudit compiler bug") >>>> >>>> extran

Re: [PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-16 Thread William Roberts
B:C p; >> rule. >> >> This is a reimplementation of: >> commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: >> fix checkpolicy dontaudit compiler bug") >> that avoids the cumbersome pointer assignments on alloced. > > Thanks, applied bo

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-16 Thread Stephen Smalley
>>>> >>>> The combining logic for dontaudit rules was wrong, causing >>>> a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; >>>> rule. >>>> >>>> This is a reimplementation of: >>>> >>>> /c

Re: [PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-16 Thread Stephen Smalley
entation of: > commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: > fix checkpolicy dontaudit compiler bug") > that avoids the cumbersome pointer assignments on alloced. Thanks, applied both patches (revert and reimplementation). > > Reported-by: Nick Kralevich > Signed-off-by: Wil

Re: [PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
d6fbc05c69d21d71 ("libsepol: > fix checkpolicy dontaudit compiler bug") > that avoids the cumbersome pointer assignments on alloced. > > Reported-by: Nick Kralevich > Signed-off-by: William Roberts > --- > libsepol/src/expand.c | 10 ++ > 1 file changed,

Re: [PATCH take2 v5] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 4:33 PM, "William Roberts" wrote: > > > > > memset(&avdatum, 0, sizeof avdatum); > > + /* > > +* AUDITDENY and DONTAUDIT are &= assigned, versus |= for > > +* others. Initialize the data accordingly. > > +

[PATCH take2 v6] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug"

Re: [PATCH take2 v5] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
> memset(&avdatum, 0, sizeof avdatum); > + /* > +* AUDITDENY and DONTAUDIT are &= assigned, versus |= for > +* others. Initialize the data accordingly. > +*/ > + avdatum.data = (key->specified & > +

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
wrong, causing >>> a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; >>> rule. >>> >>> This is a reimplementation of: >>> >>> /commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: >>> fix checkpolicy dontaudit co

[PATCH take2 v5] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug"

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
B:C p; >> rule. >> >> This is a reimplementation of: >> >> /commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: >> fix checkpolicy dontaudit compiler bug") > > extraneous / and whitespace > >> >> that avoids the cumbersom

Re: [PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
tion of: > > /commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: > fix checkpolicy dontaudit compiler bug") extraneous / and whitespace > > that avoids the cumbersome pointer assignments on alloced. > > Reported-by: Nick Kralevich > Signed-off-by: William Roberts > ---

[PATCH take2 v4] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: /commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug"

Re: [PATCH take2 v3] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
avoids the cumbersome > pointer assignments on alloced. s/6201bb532/commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug")/ > > Reported-by: Nick Kralevich > Signed-off-by: William Roberts > --- > libsepol/src/expan

[PATCH take2 v3] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of 6201bb5e2 that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich Signed-off-by:

Re: [PATCH take2 v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
B:C p; >> rule. >> >> This is a reimplimation of 6201bb5e2 that avoids the cumbersome >> pointer assignments on alloced. > > s/reimplimation/reimplementation/ > s/6201bb5e2/commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: > fix checkpolicy dontaudi

Re: [PATCH take2 v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
avoids the cumbersome > pointer assignments on alloced. s/reimplimation/reimplementation/ s/6201bb5e2/commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug")/ > > Reported-by: Nick Kralevich > Signed-off-by: William R

[PATCH take2 v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: William Roberts The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplimation of 6201bb5e2 that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich Signed-off-by: Wi

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
On Nov 15, 2016 12:09, "Stephen Smalley" wrote: > > On 11/15/2016 02:40 PM, william.c.robe...@intel.com wrote: > > From: Stephen Smalley > > > > The combining logic for dontaudit rules was wrong, causing > > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > > rule. > > > > This

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
> >> This is a reimplimation of 6201bb5e2 that avoids the cumbersome > >> pointer assignments on alloced. > > s/reimplimation/reimplementation/ > s/6201bb532/commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: > fix checkpolicy dontaudit co

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/15/2016 02:40 PM, william.c.robe...@intel.com wrote: > From: Stephen Smalley > > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > This is a reimplimation of 6201bb5e2 that avoids the cumbersome > poin

Re: [PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug")/ >> >> Reported-by: Nick Kralevich >> Signed-off-by: William Roberts >> --- >> libsepol/src/expand.c | 21 ++--- >> 1 file changed, 14 insertions(+), 7 d

[PATCH 1/2] Revert "libsepol: fix checkpolicy dontaudit compiler bug"

2016-11-15 Thread william . c . roberts
From: William Roberts This reverts commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71. --- libsepol/src/expand.c | 16 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index d7adbf8..004a029 100644 --- a/libsepol/src/expan

[PATCH 2/2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
From: Stephen Smalley The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplimation of 6201bb5e2 that avoids the cumbersome pointer assignments on alloced. Reported-by: Nick Kralevich Signed-off-by: Wi

libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread william . c . roberts
In continuing the recent discussions on the topics: - [PATCH] libsepol: fix checkpolicy dontaudit compiler bug - checkpolicy dontaudit compiler bug? This is my proposed solution to the problem that avoids the return via-pointer alloced approach. Unfortunately the proposed clear than set

Re: checkpolicy dontaudit compiler bug?

2016-11-15 Thread William Roberts
On Fri, Nov 11, 2016 at 9:51 AM, Nick Kralevich wrote: > (apologies if you received this message twice. I believe the first > message got stuck in a moderation queue somewhere) > > I'm trying to hunt down what appears to be a weird checkpolicy bug. > > On Android, we have a special SELinux domain

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
> -Original Message- >>>>> From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of >>>>> Roberts, >>>>> William C >>>>> Sent: Monday, November 14, 2016 10:44 AM >>>>> To: Stephen Smalley ; selinux@tycho

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
> > >> > > >> >> -Original Message- > >> >> From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of > >> >> Roberts, > >> >> William C > >> >> Sent: Monday, November 14, 2016 10:44 AM > >> >

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread William Roberts
ent: Monday, November 14, 2016 10:44 AM > >> To: Stephen Smalley ; selinux@tycho.nsa.gov > >> Subject: RE: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug > >> > >> > >> > >>> -Original Message- > >>> From: Sel

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
On 11/14/2016 06:58 PM, Nick Kralevich wrote: > On Mon, Nov 14, 2016 at 9:48 AM, Stephen Smalley wrote: >> The combining logic for dontaudit rules was wrong, causing >> a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; >> rule. >> >> Reported-by: Nick Kralevich >> Signed-off-by: S

Re: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-15 Thread Stephen Smalley
ho.nsa.gov >> Subject: RE: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug >> >> >> >>> -Original Message- >>> From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of >>> Stephen Smalley >>> Sent: Monday, Novembe

RE: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-14 Thread Roberts, William C
> -Original Message- > From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of Roberts, > William C > Sent: Monday, November 14, 2016 10:44 AM > To: Stephen Smalley ; selinux@tycho.nsa.gov > Subject: RE: [PATCH v2] libsepol: fix checkpolicy dont

RE: [PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-14 Thread Roberts, William C
> -Original Message- > From: Selinux [mailto:selinux-boun...@tycho.nsa.gov] On Behalf Of Stephen > Smalley > Sent: Monday, November 14, 2016 9:48 AM > To: selinux@tycho.nsa.gov > Cc: Stephen Smalley > Subject: [PATCH v2] libsepol: fix checkpolicy dontaudit

[PATCH v2] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-14 Thread Stephen Smalley
The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. Reported-by: Nick Kralevich Signed-off-by: Stephen Smalley --- libsepol/src/expand.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff -

Re: [PATCH] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-14 Thread Stephen Smalley
On 11/14/2016 10:59 AM, Stephen Smalley wrote: > The combining logic for dontaudit rules was wrong, causing > a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; > rule. > > Reported-by: Nick Kralevich > Signed-off-by: Stephen Smalley Sorry, that's not correct either. NAKing my o

[PATCH] libsepol: fix checkpolicy dontaudit compiler bug

2016-11-14 Thread Stephen Smalley
The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. Reported-by: Nick Kralevich Signed-off-by: Stephen Smalley --- libsepol/src/expand.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/libsepo

Re: checkpolicy dontaudit compiler bug?

2016-11-12 Thread Stephen Smalley
Looks like it is being triggered by the dontaudit domain self:capability sys_module; rule in the marlin sepolicy/domain.te file. dontaudit rule merging differs since they are converted to auditdeny vectors. Likely a bug in checkpolicy but will have to look at the logic. On Nov 11, 2016 1:12 PM, "N

Re: checkpolicy dontaudit compiler bug?

2016-11-11 Thread Nick Kralevich
On Fri, Nov 11, 2016 at 9:59 AM, Dominick Grift wrote: >> Specifically, the following dontaudit rule is in that file: >> >> dontaudit su self:capability_class_set *; >> >> which expands out to: >> >> dontaudit su self:{ capability capability2 } *; >> > > That should not work. AFAIK you cannot

Re: checkpolicy dontaudit compiler bug?

2016-11-11 Thread Dominick Grift
On 11/11/2016 06:51 PM, Nick Kralevich wrote: > (apologies if you received this message twice. I believe the first > message got stuck in a moderation queue somewhere) > > I'm trying to hunt down what appears to be a weird checkpolicy bug. > > On Android, we have a special SELinux domain called "