SELinux Archive on
From: Stephen Smalley <>
Subject: Re: [PATCH] libsepol,checkpolicy: remove use of hardcoded security class values
Date: Thu, 16 Jan 2020 15:36:56 -0500
Message-ID: <> (raw)
In-Reply-To: <>

On 1/16/20 3:34 PM, Stephen Smalley wrote:
> On 1/16/20 3:01 PM, Stephen Smalley wrote:
>> libsepol carried its own (outdated) copy of flask.h with the generated
>> security class and initial SID values for use by the policy
>> compiler and the forked copy of the security server code
>> leveraged by tools such as audit2why.  Convert libsepol and
>> checkpolicy entirely to looking up class values from the policy,
>> remove the SECCLASS_* definitions from its flask.h header, and move
>> the header with its remaining initial SID definitions private to
>> libsepol.  While we are here, fix the sepol_compute_sid() logic to
>> properly support features long since added to the policy and kernel,
>> although there are no users of it other than checkpolicy -d (debug)
>> and it is not exported to users of the shared library.  There
>> are still some residual differences between the kernel logic and
>> libsepol.
>> Signed-off-by: Stephen Smalley <>
> I see that this fails travis-ci; looks like the problem is that it 
> trades using hardcoded values for SECCLASS_PROCESS and _DIR and the 
> PROCESS__TRANSITION/DYNTRANSITION permissions for requiring the strings 
> to be present in the policy and that isn't true of some test policies. 
> The kernel does require at least the process class and perms to be 
> present or it will reject the policy at load time presently (when it was 
> likewise converted long ago as part of dynamic class/perm support). 
> Options:
> - Weaken the restrictions in libsepol's policydb_read and accept the 
> fact that the class/perm values may be zero subsequently within libsepol.
> - Change the test policies to at least provide this minimal set.
> The "dir" class isn't currently mapped at load time by the kernel but it 
> unmaps it for genfs_sid() matching so it still expects it to be present.

I guess if nothing else it ought to be conditional on 
SEPOL_TARGET_SELINUX to avoid breaking Xen policies.
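As an added illustration (not libsepol's code and not part of this thread), a Python model of the trade-off discussed above: class and permission values are looked up by name from the loaded policy's symbol tables instead of hardcoded SECCLASS_* constants, the required `process` class and its `transition`/`dyntransition` permissions are validated only for SELinux-targeted policies (the Xen case returns zeros), and a hypothetical `strict` flag switches between rejecting a policy that lacks them and accepting zero values downstream. The `PolicyDB`/`ClassDatum` types are simplified stand-ins for libsepol's policydb structures, and the sample policies are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

TARGET_SELINUX = "selinux"
TARGET_XEN = "xen"


@dataclass
class ClassDatum:
    value: int                                   # 1-based class value assigned by the policy
    perms: dict[str, int] = field(default_factory=dict)  # perm name -> 1-based bit index


@dataclass
class PolicyDB:
    target: str                                  # stand-in for SEPOL_TARGET_SELINUX / _XEN
    classes: dict[str, ClassDatum]               # stand-in for p_classes symbol table


class PolicyError(ValueError):
    """Raised when a policy lacks symbols the security server logic depends on."""


def lookup_class(p: PolicyDB, name: str) -> int:
    """Class value from the policy, or 0 if the class is not defined."""
    c = p.classes.get(name)
    return c.value if c else 0


def lookup_perm(p: PolicyDB, cls: str, perm: str) -> int:
    """Permission bitmask from the policy, or 0 if class or perm is missing."""
    c = p.classes.get(cls)
    bit = c.perms.get(perm) if c else None
    return (1 << (bit - 1)) if bit else 0


def resolve_required(p: PolicyDB, strict: bool = True) -> tuple[int, int, int, int]:
    """Return (process_class, transition_mask, dyntransition_mask, dir_class).

    Only SELinux-targeted policies are expected to carry these symbols; with
    strict=True a policy lacking the process class/perms is rejected (what the
    kernel does at load time), with strict=False zeros are returned instead.
    """
    if p.target != TARGET_SELINUX:
        return (0, 0, 0, 0)
    proc = lookup_class(p, "process")
    trans = lookup_perm(p, "process", "transition")
    dyn = lookup_perm(p, "process", "dyntransition")
    dir_cls = lookup_class(p, "dir")             # needed for genfs_sid() matching
    missing = [n for n, v in (("process", proc), ("process:transition", trans),
                              ("process:dyntransition", dyn)) if not v]
    if missing and strict:
        raise PolicyError("policy lacks required symbols: " + ", ".join(missing))
    return (proc, trans, dyn, dir_cls)
```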


Thread overview: 3+ messages
2020-01-16 20:01 Stephen Smalley
2020-01-16 20:34 ` Stephen Smalley
2020-01-16 20:36   ` Stephen Smalley [this message]
