* [PATCH] libsepol: Fully expand neverallowxperm rules
@ 2015-11-21 16:26 Richard Haines
  2015-11-23 15:18 ` Jeffrey Vander Stoep
  2015-11-24 21:39 ` Stephen Smalley
  0 siblings, 2 replies; 3+ messages in thread
From: Richard Haines @ 2015-11-21 16:26 UTC (permalink / raw)
  To: selinux

Currently neverallowxperm rules will be resolved correctly when
building policy; however, they are not detectable when using tools
such as an updated version of setools. This patch will allow
these to be viewed in the same way as neverallow rules are in a
text-based kernel policy file (e.g. policy.conf).

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 libsepol/src/expand.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 9047c6d..9cb7965 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle,
 		if (handle && handle->disable_dontaudit)
 			return EXPAND_RULE_SUCCESS;
 		spec = AVTAB_XPERMS_DONTAUDIT;
+	} else if (specified & AVRULE_XPERMS_NEVERALLOW) {
+		spec = AVTAB_XPERMS_NEVERALLOW;
 	} else {
 		assert(0);	/* unreachable */
 	}
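Review bot: the new `else if` branch only sets `spec = AVTAB_XPERMS_NEVERALLOW` and falls through, so unlike the dontaudit branch just above it there is no early return; that is correct because the gating for neverallow expansion is done by the `do_neverallow` checks in `convert_and_expand_rule` (second hunk), but a one-line comment above the branch saying so would help, since a reader of this function alone cannot tell why this case was previously unreachable (it hit the `assert(0)`) and is now expected. It is also worth stating in the commit message that `AVTAB_XPERMS_NEVERALLOW` entries can now appear in the expanded avtab, so any code that switches on the xperms `spec` and treats other values as unreachable needs to accept that value.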
@@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle,
 
 	if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
 		return EXPAND_RULE_SUCCESS;
-	if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
+	if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
 		return EXPAND_RULE_SUCCESS;
 
 	ebitmap_init(&stypes);
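Review bot: after this change the two consecutive early returns differ only in the flag they test, so they can be folded into one condition, e.g. `if (!do_neverallow && (source_rule->specified & (AVRULE_NEVERALLOW | AVRULE_XPERMS_NEVERALLOW))) return EXPAND_RULE_SUCCESS;`, which also prevents a future change from updating one test but not the other. Either way, parenthesising the bitwise test as `(source_rule->specified & AVRULE_XPERMS_NEVERALLOW)` is worth doing: the expression is correct as written because `&` binds tighter than `&&`, but mixing the two without parentheses is easy to misread.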
-- 
2.5.0


* Re: [PATCH] libsepol: Fully expand neverallowxperm rules
  2015-11-21 16:26 [PATCH] libsepol: Fully expand neverallowxperm rules Richard Haines
@ 2015-11-23 15:18 ` Jeffrey Vander Stoep
  2015-11-24 21:39 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Jeffrey Vander Stoep @ 2015-11-23 15:18 UTC (permalink / raw)
  To: Richard Haines, selinux


Acked-by: Jeff Vander Stoep <jeffv@google.com>

On Sat, Nov 21, 2015 at 8:30 AM Richard Haines <richard_c_haines@btinternet.com> wrote:

> Currently neverallowxperm rules will be resolved correctly when
> building policy; however, they are not detectable when using tools
> such as an updated version of setools. This patch will allow
> these to be viewed in the same way as neverallow rules are in a
> text-based kernel policy file (e.g. policy.conf).
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
>  libsepol/src/expand.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 9047c6d..9cb7965 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t *
> handle,
>                 if (handle && handle->disable_dontaudit)
>                         return EXPAND_RULE_SUCCESS;
>                 spec = AVTAB_XPERMS_DONTAUDIT;
> +       } else if (specified & AVRULE_XPERMS_NEVERALLOW) {
> +               spec = AVTAB_XPERMS_NEVERALLOW;
>         } else {
>                 assert(0);      /* unreachable */
>         }
> @@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t *
> handle,
>
>         if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
>                 return EXPAND_RULE_SUCCESS;
> -       if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
> +       if (!do_neverallow && source_rule->specified &
> AVRULE_XPERMS_NEVERALLOW)
>                 return EXPAND_RULE_SUCCESS;
>
>         ebitmap_init(&stypes);
> --
> 2.5.0
>



* Re: [PATCH] libsepol: Fully expand neverallowxperm rules
  2015-11-21 16:26 [PATCH] libsepol: Fully expand neverallowxperm rules Richard Haines
  2015-11-23 15:18 ` Jeffrey Vander Stoep
@ 2015-11-24 21:39 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2015-11-24 21:39 UTC (permalink / raw)
  To: Richard Haines, selinux

On 11/21/2015 11:26 AM, Richard Haines wrote:
> Currently neverallowxperm rules will be resolved correctly when
> building policy; however, they are not detectable when using tools
> such as an updated version of setools. This patch will allow
> these to be viewed in the same way as neverallow rules are in a
> text-based kernel policy file (e.g. policy.conf).
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

Thanks, applied.

> ---
>   libsepol/src/expand.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 9047c6d..9cb7965 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -1811,6 +1811,8 @@ static int expand_avrule_helper(sepol_handle_t * handle,
>   		if (handle && handle->disable_dontaudit)
>   			return EXPAND_RULE_SUCCESS;
>   		spec = AVTAB_XPERMS_DONTAUDIT;
> +	} else if (specified & AVRULE_XPERMS_NEVERALLOW) {
> +		spec = AVTAB_XPERMS_NEVERALLOW;
>   	} else {
>   		assert(0);	/* unreachable */
>   	}
> @@ -1948,7 +1950,7 @@ static int convert_and_expand_rule(sepol_handle_t * handle,
>
>   	if (!do_neverallow && source_rule->specified & AVRULE_NEVERALLOW)
>   		return EXPAND_RULE_SUCCESS;
> -	if (source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
> +	if (!do_neverallow && source_rule->specified & AVRULE_XPERMS_NEVERALLOW)
>   		return EXPAND_RULE_SUCCESS;
>
>   	ebitmap_init(&stypes);
>
