* Debugging sepolgen-ifgen?
@ 2014-08-02 19:19 Sven Vermeulen
2014-08-04 17:07 ` Stephen Smalley
0 siblings, 1 reply; 7+ messages in thread
From: Sven Vermeulen @ 2014-08-02 19:19 UTC (permalink / raw)
To: selinux
Hi all
I've noticed that on my system, for some interfaces, the results in
/var/lib/sepolgen/interface_info are missing file-specific feedback.
For instance, consider the kernel_rw_kernel_sysctl() interface, which is
coded as follows:
interface(`kernel_rw_kernel_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_kernel_t;
')
rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
')
In the interface_info file, I only find the following metadata about this
interface:
[InterfaceVector kernel_rw_kernel_sysctl $1:source ]
$1,sysctl_t,dir,getattr,open,search
$1,sysctl_kernel_t,dir,getattr,open,search
$1,proc_t,dir,getattr,open,search
Shouldn't this at least contain something like this?
$1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append
Although not critical, it does result in audit2allow -R to not use
refpolicy-style interfaces when possible...
How can I debug this? I know the file is generated by sepolgen-ifgen, but
rerunning doesn't add in any file-related metadata and I'm totally oblivious
on how the parsing is done...
Wkr,
Sven Vermeulen
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: Debugging sepolgen-ifgen? 2014-08-02 19:19 Debugging sepolgen-ifgen? Sven Vermeulen @ 2014-08-04 17:07 ` Stephen Smalley 2014-08-04 21:44 ` Daniel J Walsh 0 siblings, 1 reply; 7+ messages in thread From: Stephen Smalley @ 2014-08-04 17:07 UTC (permalink / raw) To: Sven Vermeulen, selinux, Daniel J Walsh On 08/02/2014 03:19 PM, Sven Vermeulen wrote: > Hi all > > I've noticed that on my system, for some interfaces, the results in > /var/lib/sepolgen/interface_info are missing file-specific feedback. > > For instance, consider the kernel_rw_kernel_sysctl() interface, which is > coded as follows: > > interface(`kernel_rw_kernel_sysctl',` > gen_require(` > type proc_t, sysctl_t, sysctl_kernel_t; > ') > > rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) > > list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) > ') > > In the interface_info file, I only find the following metadata about this > interface: > > [InterfaceVector kernel_rw_kernel_sysctl $1:source ] > $1,sysctl_t,dir,getattr,open,search > $1,sysctl_kernel_t,dir,getattr,open,search > $1,proc_t,dir,getattr,open,search > > Shouldn't this at least contain something like this? > > $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append > > Although not critical, it does result in audit2allow -R to not use > refpolicy-style interfaces when possible... > > How can I debug this? I know the file is generated by sepolgen-ifgen, but > rerunning doesn't add in any file-related metadata and I'm totally oblivious > on how the parsing is done... Not sure about that beyond the -d -v options. However, this appears to be a regression; despite encountering some syntax errors during parsing, sepolgen-ifgen from 21030423 generates a more accurate vector: [InterfaceVector kernel_rw_kernel_sysctl $1:source ] $1,sysctl_t,dir,getattr,open,search $1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append $1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open $1,proc_t,dir,getattr,open,search while sepolgen-ifgen from 20131030_4 generates the reduced set you have above. Seems to have been broken by: commit 17cc87e56b0241688c119f774f103622b002e0ae Author: Dan Walsh <dwalsh@redhat.com> Date: Wed Oct 9 17:01:35 2013 -0400 sepolgen did not work with filename transitions. This patch adds support for it. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Debugging sepolgen-ifgen? 2014-08-04 17:07 ` Stephen Smalley @ 2014-08-04 21:44 ` Daniel J Walsh 2014-08-05 13:09 ` Stephen Smalley 0 siblings, 1 reply; 7+ messages in thread From: Daniel J Walsh @ 2014-08-04 21:44 UTC (permalink / raw) To: Stephen Smalley, Sven Vermeulen, selinux On 08/04/2014 01:07 PM, Stephen Smalley wrote: > On 08/02/2014 03:19 PM, Sven Vermeulen wrote: >> Hi all >> >> I've noticed that on my system, for some interfaces, the results in >> /var/lib/sepolgen/interface_info are missing file-specific feedback. >> >> For instance, consider the kernel_rw_kernel_sysctl() interface, which is >> coded as follows: >> >> interface(`kernel_rw_kernel_sysctl',` >> gen_require(` >> type proc_t, sysctl_t, sysctl_kernel_t; >> ') >> >> rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) >> >> list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) >> ') >> >> In the interface_info file, I only find the following metadata about this >> interface: >> >> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] >> $1,sysctl_t,dir,getattr,open,search >> $1,sysctl_kernel_t,dir,getattr,open,search >> $1,proc_t,dir,getattr,open,search >> >> Shouldn't this at least contain something like this? >> >> $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append >> >> Although not critical, it does result in audit2allow -R to not use >> refpolicy-style interfaces when possible... >> >> How can I debug this? I know the file is generated by sepolgen-ifgen, but >> rerunning doesn't add in any file-related metadata and I'm totally oblivious >> on how the parsing is done... > Not sure about that beyond the -d -v options. > However, this appears to be a regression; despite encountering some syntax errors during parsing, > sepolgen-ifgen from 21030423 generates a more accurate vector: > > [InterfaceVector kernel_rw_kernel_sysctl $1:source ] > $1,sysctl_t,dir,getattr,open,search > $1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append > $1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open > $1,proc_t,dir,getattr,open,search > > while sepolgen-ifgen from 20131030_4 generates the reduced set you have above. > > Seems to have been broken by: > > commit 17cc87e56b0241688c119f774f103622b002e0ae > Author: Dan Walsh <dwalsh@redhat.com> > Date: Wed Oct 9 17:01:35 2013 -0400 > > sepolgen did not work with filename transitions. > > This patch adds support for it. > > > > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. > > I don't see anything obviously wrong with that patch? ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Debugging sepolgen-ifgen? 2014-08-04 21:44 ` Daniel J Walsh @ 2014-08-05 13:09 ` Stephen Smalley 2014-08-25 19:18 ` Steve Lawrence 2014-08-27 17:20 ` Karl MacMillan 0 siblings, 2 replies; 7+ messages in thread From: Stephen Smalley @ 2014-08-05 13:09 UTC (permalink / raw) To: Daniel J Walsh, Sven Vermeulen, selinux, Karl MacMillan On 08/04/2014 05:44 PM, Daniel J Walsh wrote: > > On 08/04/2014 01:07 PM, Stephen Smalley wrote: >> On 08/02/2014 03:19 PM, Sven Vermeulen wrote: >>> Hi all >>> >>> I've noticed that on my system, for some interfaces, the results in >>> /var/lib/sepolgen/interface_info are missing file-specific feedback. >>> >>> For instance, consider the kernel_rw_kernel_sysctl() interface, which is >>> coded as follows: >>> >>> interface(`kernel_rw_kernel_sysctl',` >>> gen_require(` >>> type proc_t, sysctl_t, sysctl_kernel_t; >>> ') >>> >>> rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) >>> >>> list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) >>> ') >>> >>> In the interface_info file, I only find the following metadata about this >>> interface: >>> >>> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] >>> $1,sysctl_t,dir,getattr,open,search >>> $1,sysctl_kernel_t,dir,getattr,open,search >>> $1,proc_t,dir,getattr,open,search >>> >>> Shouldn't this at least contain something like this? >>> >>> $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append >>> >>> Although not critical, it does result in audit2allow -R to not use >>> refpolicy-style interfaces when possible... >>> >>> How can I debug this? I know the file is generated by sepolgen-ifgen, but >>> rerunning doesn't add in any file-related metadata and I'm totally oblivious >>> on how the parsing is done... >> Not sure about that beyond the -d -v options. >> However, this appears to be a regression; despite encountering some syntax errors during parsing, >> sepolgen-ifgen from 21030423 generates a more accurate vector: >> >> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] >> $1,sysctl_t,dir,getattr,open,search >> $1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append >> $1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open >> $1,proc_t,dir,getattr,open,search >> >> while sepolgen-ifgen from 20131030_4 generates the reduced set you have above. >> >> Seems to have been broken by: >> >> commit 17cc87e56b0241688c119f774f103622b002e0ae >> Author: Dan Walsh <dwalsh@redhat.com> >> Date: Wed Oct 9 17:01:35 2013 -0400 >> >> sepolgen did not work with filename transitions. >> >> This patch adds support for it. >> >> >> >> >> _______________________________________________ >> Selinux mailing list >> Selinux@tycho.nsa.gov >> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. >> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. >> >> > I don't see anything obviously wrong with that patch? If I revert that one patch, it works. I don't know offhand what the underlying issue is, but I'd guess you are introducing an ambiguity into the grammar. I do notice that the definitions of IDENTIFIER and FILENAME do not match the ones in checkpolicy policy_scan.l; I do not know why that is. I also notice that whereas bison reports no warnings on the checkpolicy policy_parse.y grammar, sepolgen-ifgen -d reports 669 shift/reduce conflicts before your patch and 671 shift/reduce conflicts afterward; neither seems very good... ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Debugging sepolgen-ifgen? 2014-08-05 13:09 ` Stephen Smalley @ 2014-08-25 19:18 ` Steve Lawrence 2014-08-26 11:13 ` Daniel J Walsh 2014-08-27 17:20 ` Karl MacMillan 1 sibling, 1 reply; 7+ messages in thread From: Steve Lawrence @ 2014-08-25 19:18 UTC (permalink / raw) To: Stephen Smalley, Daniel J Walsh, Sven Vermeulen, selinux, Karl MacMillan On 08/05/2014 09:09 AM, Stephen Smalley wrote: > On 08/04/2014 05:44 PM, Daniel J Walsh wrote: >> >> On 08/04/2014 01:07 PM, Stephen Smalley wrote: >>> On 08/02/2014 03:19 PM, Sven Vermeulen wrote: >>>> Hi all >>>> >>>> I've noticed that on my system, for some interfaces, the results in >>>> /var/lib/sepolgen/interface_info are missing file-specific feedback. >>>> >>>> For instance, consider the kernel_rw_kernel_sysctl() interface, which is >>>> coded as follows: >>>> >>>> interface(`kernel_rw_kernel_sysctl',` >>>> gen_require(` >>>> type proc_t, sysctl_t, sysctl_kernel_t; >>>> ') >>>> >>>> rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) >>>> >>>> list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) >>>> ') >>>> >>>> In the interface_info file, I only find the following metadata about this >>>> interface: >>>> >>>> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] >>>> $1,sysctl_t,dir,getattr,open,search >>>> $1,sysctl_kernel_t,dir,getattr,open,search >>>> $1,proc_t,dir,getattr,open,search >>>> >>>> Shouldn't this at least contain something like this? >>>> >>>> $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append >>>> >>>> Although not critical, it does result in audit2allow -R to not use >>>> refpolicy-style interfaces when possible... >>>> >>>> How can I debug this? I know the file is generated by sepolgen-ifgen, but >>>> rerunning doesn't add in any file-related metadata and I'm totally oblivious >>>> on how the parsing is done... >>> Not sure about that beyond the -d -v options. >>> However, this appears to be a regression; despite encountering some syntax errors during parsing, >>> sepolgen-ifgen from 21030423 generates a more accurate vector: >>> >>> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] >>> $1,sysctl_t,dir,getattr,open,search >>> $1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append >>> $1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open >>> $1,proc_t,dir,getattr,open,search >>> >>> while sepolgen-ifgen from 20131030_4 generates the reduced set you have above. >>> >>> Seems to have been broken by: >>> >>> commit 17cc87e56b0241688c119f774f103622b002e0ae >>> Author: Dan Walsh <dwalsh@redhat.com> >>> Date: Wed Oct 9 17:01:35 2013 -0400 >>> >>> sepolgen did not work with filename transitions. >>> >>> This patch adds support for it. >>> >>> >>> >>> >>> _______________________________________________ >>> Selinux mailing list >>> Selinux@tycho.nsa.gov >>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. >>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. >>> >>> >> I don't see anything obviously wrong with that patch? > > If I revert that one patch, it works. I don't know offhand what the > underlying issue is, but I'd guess you are introducing an ambiguity into > the grammar. I do notice that the definitions of IDENTIFIER and > FILENAME do not match the ones in checkpolicy policy_scan.l; I do not > know why that is. I also notice that whereas bison reports no warnings > on the checkpolicy policy_parse.y grammar, sepolgen-ifgen -d reports 669 > shift/reduce conflicts before your patch and 671 shift/reduce conflicts > afterward; neither seems very good... Looking at the patch that seems to have caused the problem, it makes the following change: @@ -461,6 +469,7 @@ def p_interface_call_param(p): def p_interface_call_param_list(p): '''interface_call_param_list : interface_call_param | interface_call_param_list COMMA interface_call_param + | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list ''' if len(p) == 2: p[0] = [p[1]] For some reason, it adds a new pattern to the interface_call_param_list pattern, which is "list, param, list". To me, this doesn't seem necessary. The first two patterns should cover all combinations of interface call parameters. And reverting this hunk gives the same InterfaceVector as with the patch reverted. So it seems like the right fix. Dan, any idea why this hunk was added? Thanks, - Steve ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Debugging sepolgen-ifgen? 2014-08-25 19:18 ` Steve Lawrence @ 2014-08-26 11:13 ` Daniel J Walsh 0 siblings, 0 replies; 7+ messages in thread From: Daniel J Walsh @ 2014-08-26 11:13 UTC (permalink / raw) To: Steve Lawrence, Stephen Smalley, Sven Vermeulen, selinux, Karl MacMillan On 08/25/2014 03:18 PM, Steve Lawrence wrote: > On 08/05/2014 09:09 AM, Stephen Smalley wrote: >> On 08/04/2014 05:44 PM, Daniel J Walsh wrote: >>> On 08/04/2014 01:07 PM, Stephen Smalley wrote: >>>> On 08/02/2014 03:19 PM, Sven Vermeulen wrote: >>>>> Hi all >>>>> >>>>> I've noticed that on my system, for some interfaces, the results in >>>>> /var/lib/sepolgen/interface_info are missing file-specific feedback. >>>>> >>>>> For instance, consider the kernel_rw_kernel_sysctl() interface, which is >>>>> coded as follows: >>>>> >>>>> interface(`kernel_rw_kernel_sysctl',` >>>>> gen_require(` >>>>> type proc_t, sysctl_t, sysctl_kernel_t; >>>>> ') >>>>> >>>>> rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) >>>>> >>>>> list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) >>>>> ') >>>>> >>>>> In the interface_info file, I only find the following metadata about this >>>>> interface: >>>>> >>>>> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] >>>>> $1,sysctl_t,dir,getattr,open,search >>>>> $1,sysctl_kernel_t,dir,getattr,open,search >>>>> $1,proc_t,dir,getattr,open,search >>>>> >>>>> Shouldn't this at least contain something like this? >>>>> >>>>> $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append >>>>> >>>>> Although not critical, it does result in audit2allow -R to not use >>>>> refpolicy-style interfaces when possible... >>>>> >>>>> How can I debug this? I know the file is generated by sepolgen-ifgen, but >>>>> rerunning doesn't add in any file-related metadata and I'm totally oblivious >>>>> on how the parsing is done... >>>> Not sure about that beyond the -d -v options. >>>> However, this appears to be a regression; despite encountering some syntax errors during parsing, >>>> sepolgen-ifgen from 21030423 generates a more accurate vector: >>>> >>>> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] >>>> $1,sysctl_t,dir,getattr,open,search >>>> $1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append >>>> $1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open >>>> $1,proc_t,dir,getattr,open,search >>>> >>>> while sepolgen-ifgen from 20131030_4 generates the reduced set you have above. >>>> >>>> Seems to have been broken by: >>>> >>>> commit 17cc87e56b0241688c119f774f103622b002e0ae >>>> Author: Dan Walsh <dwalsh@redhat.com> >>>> Date: Wed Oct 9 17:01:35 2013 -0400 >>>> >>>> sepolgen did not work with filename transitions. >>>> >>>> This patch adds support for it. >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Selinux mailing list >>>> Selinux@tycho.nsa.gov >>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. >>>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. >>>> >>>> >>> I don't see anything obviously wrong with that patch? >> If I revert that one patch, it works. I don't know offhand what the >> underlying issue is, but I'd guess you are introducing an ambiguity into >> the grammar. I do notice that the definitions of IDENTIFIER and >> FILENAME do not match the ones in checkpolicy policy_scan.l; I do not >> know why that is. I also notice that whereas bison reports no warnings >> on the checkpolicy policy_parse.y grammar, sepolgen-ifgen -d reports 669 >> shift/reduce conflicts before your patch and 671 shift/reduce conflicts >> afterward; neither seems very good... > Looking at the patch that seems to have caused the problem, it makes the > following change: > > @@ -461,6 +469,7 @@ def p_interface_call_param(p): > def p_interface_call_param_list(p): > '''interface_call_param_list : interface_call_param > | interface_call_param_list COMMA > interface_call_param > + | interface_call_param_list COMMA > interface_call_param COMMA interface_call_param_list > ''' > if len(p) == 2: > p[0] = [p[1]] > > For some reason, it adds a new pattern to the interface_call_param_list > pattern, which is "list, param, list". To me, this doesn't seem > necessary. The first two patterns should cover all combinations of > interface call parameters. And reverting this hunk gives the same > InterfaceVector as with the patch reverted. So it seems like the right fix. > > Dan, any idea why this hunk was added? > > Thanks, > - Steve If you remove it and the command succeeds I am happy. Most of these changes were made to just stop the application from blowing up. If we get better accuracy on matches and the code does not break, It is a win win. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Debugging sepolgen-ifgen? 2014-08-05 13:09 ` Stephen Smalley 2014-08-25 19:18 ` Steve Lawrence @ 2014-08-27 17:20 ` Karl MacMillan 1 sibling, 0 replies; 7+ messages in thread From: Karl MacMillan @ 2014-08-27 17:20 UTC (permalink / raw) To: Stephen Smalley; +Cc: SE Linux [-- Attachment #1: Type: text/plain, Size: 3763 bytes --] FWIW, most of the shift / reduce conflicts are because the grammar really is ambiguous (since we are trying to parse both the selinux policy language and the m4 additions on top of that). While in an ideal world those would be cleaned up so that we would at least choose what to do in the ambiguous cases it just never seemed worthwhile to me. Karl On Tue, Aug 5, 2014 at 9:09 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On 08/04/2014 05:44 PM, Daniel J Walsh wrote: > > > > On 08/04/2014 01:07 PM, Stephen Smalley wrote: > >> On 08/02/2014 03:19 PM, Sven Vermeulen wrote: > >>> Hi all > >>> > >>> I've noticed that on my system, for some interfaces, the results in > >>> /var/lib/sepolgen/interface_info are missing file-specific feedback. > >>> > >>> For instance, consider the kernel_rw_kernel_sysctl() interface, which > is > >>> coded as follows: > >>> > >>> interface(`kernel_rw_kernel_sysctl',` > >>> gen_require(` > >>> type proc_t, sysctl_t, sysctl_kernel_t; > >>> ') > >>> > >>> rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, > sysctl_kernel_t) > >>> > >>> list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) > >>> ') > >>> > >>> In the interface_info file, I only find the following metadata about > this > >>> interface: > >>> > >>> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] > >>> $1,sysctl_t,dir,getattr,open,search > >>> $1,sysctl_kernel_t,dir,getattr,open,search > >>> $1,proc_t,dir,getattr,open,search > >>> > >>> Shouldn't this at least contain something like this? > >>> > >>> $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append > >>> > >>> Although not critical, it does result in audit2allow -R to not use > >>> refpolicy-style interfaces when possible... > >>> > >>> How can I debug this? I know the file is generated by sepolgen-ifgen, > but > >>> rerunning doesn't add in any file-related metadata and I'm totally > oblivious > >>> on how the parsing is done... > >> Not sure about that beyond the -d -v options. > >> However, this appears to be a regression; despite encountering some > syntax errors during parsing, > >> sepolgen-ifgen from 21030423 generates a more accurate vector: > >> > >> [InterfaceVector kernel_rw_kernel_sysctl $1:source ] > >> $1,sysctl_t,dir,getattr,open,search > >> $1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append > >> $1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open > >> $1,proc_t,dir,getattr,open,search > >> > >> while sepolgen-ifgen from 20131030_4 generates the reduced set you have > above. > >> > >> Seems to have been broken by: > >> > >> commit 17cc87e56b0241688c119f774f103622b002e0ae > >> Author: Dan Walsh <dwalsh@redhat.com> > >> Date: Wed Oct 9 17:01:35 2013 -0400 > >> > >> sepolgen did not work with filename transitions. > >> > >> This patch adds support for it. > >> > >> > >> > >> > >> _______________________________________________ > >> Selinux mailing list > >> Selinux@tycho.nsa.gov > >> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > >> To get help, send an email containing "help" to > Selinux-request@tycho.nsa.gov. > >> > >> > > I don't see anything obviously wrong with that patch? > > If I revert that one patch, it works. I don't know offhand what the > underlying issue is, but I'd guess you are introducing an ambiguity into > the grammar. I do notice that the definitions of IDENTIFIER and > FILENAME do not match the ones in checkpolicy policy_scan.l; I do not > know why that is. I also notice that whereas bison reports no warnings > on the checkpolicy policy_parse.y grammar, sepolgen-ifgen -d reports 669 > shift/reduce conflicts before your patch and 671 shift/reduce conflicts > afterward; neither seems very good... > [-- Attachment #2: Type: text/html, Size: 5172 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2014-08-27 17:20 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2014-08-02 19:19 Debugging sepolgen-ifgen? Sven Vermeulen 2014-08-04 17:07 ` Stephen Smalley 2014-08-04 21:44 ` Daniel J Walsh 2014-08-05 13:09 ` Stephen Smalley 2014-08-25 19:18 ` Steve Lawrence 2014-08-26 11:13 ` Daniel J Walsh 2014-08-27 17:20 ` Karl MacMillan
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.