From: Stephen Smalley <email@example.com>
To: firstname.lastname@example.org
Cc: email@example.com
Subject: Re: [PATCH] libsepol,checkpolicy: remove use of hardcoded security class values
Date: Thu, 16 Jan 2020 15:36:56 -0500
Message-ID: <firstname.lastname@example.org>
In-Reply-To: <email@example.com>

On 1/16/20 3:34 PM, Stephen Smalley wrote:
> On 1/16/20 3:01 PM, Stephen Smalley wrote:
>> libsepol carried its own (outdated) copy of flask.h with the generated
>> security class and initial SID values for use by the policy
>> compiler and the forked copy of the security server code
>> leveraged by tools such as audit2why. Convert libsepol and
>> checkpolicy entirely to looking up class values from the policy,
>> remove the SECCLASS_* definitions from its flask.h header, and move
>> the header with its remaining initial SID definitions private to
>> libsepol. While we are here, fix the sepol_compute_sid() logic to
>> properly support features long since added to the policy and kernel,
>> although there are no users of it other than checkpolicy -d (debug)
>> and it is not exported to users of the shared library. There
>> are still some residual differences between the kernel logic and
>> libsepol.
>>
>> Signed-off-by: Stephen Smalley <firstname.lastname@example.org>
>
> I see that this fails travis-ci; looks like the problem is that it
> trades using hardcoded values for SECCLASS_PROCESS and _DIR and the
> PROCESS__TRANSITION/DYNTRANSITION permissions for requiring the strings
> to be present in the policy and that isn't true of some test policies.
> The kernel does require at least the process class and perms to be
> present or it will reject the policy at load time presently (when it was
> likewise converted long ago as part of dynamic class/perm support).
> Options:
> - Weaken the restrictions in libsepol's policydb_read and accept the
> fact that the class/perm values may be zero subsequently within libsepol.
> - Change the test policies to at least provide this minimal set.
>
> The "dir" class isn't currently mapped at load time by the kernel but it
> unmaps it for genfs_sid() matching so it still expects it to be present.

I guess if nothing else it ought to be conditional on SEPOL_TARGET_SELINUX to avoid breaking Xen policies.
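An added illustration, not libsepol's or checkpolicy's own code, of the two behaviours the thread discusses: a hardcoded SECCLASS_* value silently denotes a different class once a policy's class declaration order changes, while a by-name lookup returns 0 when a test policy omits the class, which the caller must then handle. The flask.h values and the three policy orderings below are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of a policy's class symbol table: checkpolicy numbers
 * classes in declaration order starting at 1, so a name's value depends on
 * the policy being compiled, not on a header. */
struct policy_class { const char *name; unsigned int value; };
/* Values the old libsepol flask.h hardcoded (assumed here for illustration). */
#define SECCLASS_PROCESS 2
#define SECCLASS_DIR     7
/* Policy whose declaration order matches the stale header. */
static const struct policy_class legacy_policy[] = {
    {"security", 1}, {"process", 2}, {"system", 3}, {"capability", 4},
    {"filesystem", 5}, {"file", 6}, {"dir", 7},
};
/* Policy that declares an extra class early, shifting every later value. */
static const struct policy_class newer_policy[] = {
    {"security", 1}, {"process", 2}, {"system", 3}, {"capability", 4},
    {"capability2", 5}, {"filesystem", 6}, {"file", 7}, {"dir", 8},
};
/* Minimal test policy that omits "process" and "dir" entirely. */
static const struct policy_class minimal_policy[] = { {"security", 1}, {"file", 2} };
#define NCLASSES(p) (sizeof(p) / sizeof((p)[0]))

/* Lookup by name, as libsepol does after the patch; 0 means the class is
 * absent from this policy, the case the travis-ci test policies hit. */
unsigned int class_value(const struct policy_class *t, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0)
            return t[i].value;
    return 0;
}

/* What a hardcoded value actually denotes in a given policy. */
const char *class_name(const struct policy_class *t, size_t n, unsigned int value)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].value == value)
            return t[i].name;
    return "(none)";
}

int main(void)
{
    printf("SECCLASS_DIR=%u names \"%s\" in the newer policy; lookup of \"dir\" gives %u\n",
           SECCLASS_DIR, class_name(newer_policy, NCLASSES(newer_policy), SECCLASS_DIR),
           class_value(newer_policy, NCLASSES(newer_policy), "dir"));
    printf("\"process\" in the minimal policy: %u (0 = missing, must be checked)\n",
           class_value(minimal_policy, NCLASSES(minimal_policy), "process"));
    return 0;
}
```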