From: Stephen Smalley <sds@tycho.nsa.gov>
To: Chad Hanson <dahchanson@gmail.com>,
Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Vit Mojzis <vmojzis@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH 2/2] Fix mcstrans secolor examples
Date: Mon, 16 Sep 2019 15:44:51 -0400 [thread overview]
Message-ID: <772f365c-5719-c509-6605-c7416cd4b9e6@tycho.nsa.gov> (raw)
In-Reply-To: <7762a815-65b6-b57c-7c03-38303ccf1d25@tycho.nsa.gov>
On 9/13/19 11:33 AM, Stephen Smalley wrote:
> On 7/31/19 1:15 AM, Chad Hanson wrote:
>> I agree the secolor configuration file is lacking consistency. From a
>> historical MLS perspective, there were two special labels in many MLS
>> systems: SystemLow and SystemHigh. This would be "s0" (lowest
>> level/no categories) and "s15:c0.c1023" (highest level/all
>> categories) respectively. At these special levels, there was
>> traditionally no other category usage.
>>
>> I concur we either do the proposed change in this patch or just change
>> the "s0:c0.c1023" lines to just "s0" (SystemLow) to be consistent with
>> the "s15:c0.c1023" (SystemHigh) range that exists currently. They will
>> both provide the desired results.
>
> I see that these two patches were never merged and still apply. Does
> anyone have any objection to merging them both?
Both patches applied.
>
>>
>> -Chad
>>
>>
>> On Mon, Jul 29, 2019 at 5:41 PM Nicolas Iooss <nicolas.iooss@m4x.org>
>> wrote:
>>>
>>> On Tue, Jul 2, 2019 at 2:09 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>>>>
>>>> According to "check_dominance" function:
>>>> Range defined as "s15:c0.c1023" does not dominate any other range than
>>>> "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
>>>> While range defined as "s15-s15:c0.c1023" dominates all of the above.
>>>>
>>>> This is either a bug, or "s15:c0.c1023" should not be used in the
>>>> examples.
>>>
>>> Hello,
>>> I am not familiar with the concepts about range dominance, so I do not
>>> know whether this is a bug that should be fixed or if updating the
>>> examples is better. Can someone please review this?
>>>
>>> Cheers,
>>> Nicolas
>>>
>>>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>>>> ---
>>>> libselinux/man/man5/secolor.conf.5 | 4 ++--
>>>> libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
>>>> mcstrans/share/examples/urcsts-via-include/secolor.conf | 2 +-
>>>> mcstrans/share/examples/urcsts/secolor.conf | 2 +-
>>>> 4 files changed, 6 insertions(+), 6 deletions(-)
>>>>
>>>> diff --git a/libselinux/man/man5/secolor.conf.5
>>>> b/libselinux/man/man5/secolor.conf.5
>>>> index b834577a..a3bf2da1 100644
>>>> --- a/libselinux/man/man5/secolor.conf.5
>>>> +++ b/libselinux/man/man5/secolor.conf.5
>>>> @@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
>>>> .br
>>>> range s9\-s9:c0.c1023 = black orange
>>>> .br
>>>> -range s15:c0.c1023 = black yellow
>>>> +range s15\-s15:c0.c1023 = black yellow
>>>> .RE
>>>>
>>>> .sp
>>>> @@ -165,7 +165,7 @@ type xguest_t = black green
>>>> .br
>>>> user sysadm_u = white black
>>>> .br
>>>> -range s0:c0.c1023 = black white
>>>> +range s0-s0:c0.c1023 = black white
>>>> .br
>>>> user * = black white
>>>> .br
>>>> diff --git a/libselinux/man/ru/man5/secolor.conf.5
>>>> b/libselinux/man/ru/man5/secolor.conf.5
>>>> index 4c1236ae..bcae80c1 100644
>>>> --- a/libselinux/man/ru/man5/secolor.conf.5
>>>> +++ b/libselinux/man/ru/man5/secolor.conf.5
>>>> @@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
>>>> .br
>>>> range s9\-s9:c0.c1023 = black orange
>>>> .br
>>>> -range s15:c0.c1023 = black yellow
>>>> +range s15\-s15:c0.c1023 = black yellow
>>>> .RE
>>>>
>>>> .sp
>>>> @@ -163,7 +163,7 @@ type xguest_t = black green
>>>> .br
>>>> user sysadm_u = white black
>>>> .br
>>>> -range s0:c0.c1023 = black white
>>>> +range s0\-s0:c0.c1023 = black white
>>>> .br
>>>> user * = black white
>>>> .br
>>>> diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf
>>>> b/mcstrans/share/examples/urcsts-via-include/secolor.conf
>>>> index d35b3c67..3b3f5430 100644
>>>> --- a/mcstrans/share/examples/urcsts-via-include/secolor.conf
>>>> +++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf
>>>> @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan
>>>> range s5-s5:c0.c1023 = white blue
>>>> range s7-s7:c0.c1023 = black red
>>>> range s9-s9:c0.c1023 = black orange
>>>> -range s15:c0.c1023 = black yellow
>>>> +range s15-s15:c0.c1023 = black yellow
>>>>
>>>> diff --git a/mcstrans/share/examples/urcsts/secolor.conf
>>>> b/mcstrans/share/examples/urcsts/secolor.conf
>>>> index d35b3c67..3b3f5430 100644
>>>> --- a/mcstrans/share/examples/urcsts/secolor.conf
>>>> +++ b/mcstrans/share/examples/urcsts/secolor.conf
>>>> @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan
>>>> range s5-s5:c0.c1023 = white blue
>>>> range s7-s7:c0.c1023 = black red
>>>> range s9-s9:c0.c1023 = black orange
>>>> -range s15:c0.c1023 = black yellow
>>>> +range s15-s15:c0.c1023 = black yellow
>>>>
>>>> --
>>>> 2.17.2
>>>>
>>>
>
prev parent reply other threads:[~2019-09-16 19:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-02 12:09 [PATCH 1/2] Revert "mcstransd select correct colour range." Vit Mojzis
2019-07-02 12:09 ` [PATCH 2/2] Fix mcstrans secolor examples Vit Mojzis
2019-07-29 21:41 ` Nicolas Iooss
2019-07-31 5:15 ` Chad Hanson
2019-09-13 15:33 ` Stephen Smalley
2019-09-16 19:44 ` Stephen Smalley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=772f365c-5719-c509-6605-c7416cd4b9e6@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=dahchanson@gmail.com \
--cc=nicolas.iooss@m4x.org \
--cc=selinux@vger.kernel.org \
--cc=vmojzis@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.