From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Petr Lautrbach <plautrba@redhat.com>,
selinux@vger.kernel.org,
"Christopher J. PeBenito" <pebenito@ieee.org>,
stephen.smalley.work@gmail.com
Subject: Re: [PATCH v4] libsepol, checkpolicy: remove use of hardcoded security class values
Date: Thu, 12 Mar 2020 07:53:14 +0100 [thread overview]
Message-ID: <pjdimjaawth.fsf@redhat.com> (raw)
In-Reply-To: <431cc5f6-e666-e875-a4fd-4d98b414d82f@tycho.nsa.gov>
Stephen Smalley <sds@tycho.nsa.gov> writes:
> On 1/29/20 7:52 AM, Petr Lautrbach wrote:
>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>
>>> On 1/26/20 5:57 AM, Petr Lautrbach wrote:
>>>>
>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>
>>>>> libsepol carried its own (outdated) copy of flask.h with the generated
>>>>> security class and initial SID values for use by the policy
>>>>> compiler and the forked copy of the security server code
>>>>> leveraged by tools such as audit2why. Convert libsepol and
>>>>> checkpolicy entirely to looking up class values from the policy,
>>>>> remove the SECCLASS_* definitions from its flask.h header, and move
>>>>> the header with its remaining initial SID definitions private to
>>>>> libsepol. While we are here, fix the sepol_compute_sid() logic to
>>>>> properly support features long since added to the policy and kernel,
>>>>> although there are no users of it other than checkpolicy -d (debug)
>>>>> and it is not exported to users of the shared library. There
>>>>> are still some residual differences between the kernel logic and
>>>>> libsepol.
>>>>>
>>>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>>>
>>>>
>>>> The only problem I found running tests on this is related to SETools
>>>> https://github.com/SELinuxProject/selinux/pull/200#issuecomment-577745225
>>>>
>>>> Acked-by: Petr Lautrbach <plautrba@redhat.com>
>>>
>>> Thanks. I guess the question is whether we should wait to merge it until
>>> setools has a corresponding fix ready or go ahead.
>> https://github.com/SELinuxProject/setools/issues/39
>> Lets wait until there's a response from Christopher.
>
> setools issue has been resolved, so this should now be mergeable.
Applied, thanks.
prev parent reply other threads:[~2020-03-12 6:53 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-21 18:40 [PATCH v4] libsepol,checkpolicy: remove use of hardcoded security class values Stephen Smalley
2020-01-26 10:57 ` Petr Lautrbach
2020-01-27 13:58 ` [PATCH v4] libsepol, checkpolicy: " Stephen Smalley
2020-01-29 12:52 ` Petr Lautrbach
[not found] ` <431cc5f6-e666-e875-a4fd-4d98b414d82f@tycho.nsa.gov>
2020-03-12 6:53 ` Petr Lautrbach [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=pjdimjaawth.fsf@redhat.com \
--to=plautrba@redhat.com \
--cc=pebenito@ieee.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).