Daniel J Walsh | 1 Nov 2011 20:25

[PATCH 01/63] checkpolicy: the " is not part of the filename for


This patch looks good to me. acked.
From c3ba40d2e17186d702a6ea2b83e185603dafa06f Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@...>
Date: Tue, 20 Sep 2011 09:52:57 -0400
Subject: [PATCH 01/63] checkpolicy: the " is not part of the filename for
 trans rules

Policy decided that all filenames needed to be wrapped in " in the
filename trans rules.  But we weren't doing anything with those in the
language syntax and instead just passed the " to the kernel as if the
filename in question were actually  \"file\".  Add the " to the policy
grammar.

Signed-off-by: Eric Paris <eparis@...>
---
 checkpolicy/policy_parse.y |    4 ++--
 checkpolicy/policy_scan.l  |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 49ac15f..1e3ef6f 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
 <at>  <at>  -353,7 +353,7  <at>  <at>  cond_rule_def           : cond_transition_def
 			| require_block
 			{ $$ = NULL; }
                         ;
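Review bot: only cond_rule_def context (require_block / `$$ = NULL`) is visible in this hunk, so the quote handling the message describes cannot be checked here. When the `"` becomes part of the grammar rather than part of the token, the matching change in policy_scan.l (listed in the diffstat) must consume both the opening and closing quote as one unit, so that an unbalanced or missing quote is a parse error instead of a filename that silently contains a `"` character, which is exactly what the message says was being handed to the kernel before.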

Daniel J Walsh | 1 Nov 2011 20:38

[PATCH 63/63] policycoreutils: restorecond: Add .local/share as a


This patch looks good to me. acked.
From 73b5b401c374b8fb9205c874ed38b800e03379ca Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@...>
Date: Fri, 28 Oct 2011 16:45:04 -0400
Subject: [PATCH 63/63] policycoreutils: restorecond: Add .local/share as a
 directory to watch

Signed-off-by: Eric Paris <eparis@...>
---
 policycoreutils/restorecond/restorecond_user.conf |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policycoreutils/restorecond/restorecond_user.conf b/policycoreutils/restorecond/restorecond_user.conf
index e0c2871..b4debed 100644
--- a/policycoreutils/restorecond/restorecond_user.conf
+++ b/policycoreutils/restorecond/restorecond_user.conf
 <at>  <at>  -5,3 +5,4  <at>  <at> 
 ~/.fonts/*
 ~/.cache/*
 ~/.config/*
+~/.local/share/*
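Review bot: the new `~/.local/share/*` entry follows the pattern of the three lines above it, but the commit message gives no rationale. State which files under .local/share end up mislabeled and why a user-session restorecond watch, rather than a file context rule, is the right fix, so the watch list does not grow without justification. Also confirm that a trailing `/*` covers the same depth as the existing entries: if restorecond matches the glob against the created path only, files in nested subdirectories of .local/share will not be relabeled.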
--

-- 
1.7.7

Daniel J Walsh | 1 Nov 2011 20:40

[PATCH 62/63] libsepol: expand: do filename_trans type comparison on


This patch looks good to me. acked.

Currently used in Rawhide and soon will be in Fedora 16
From f09f957bbe3f1da326585aad44d1819041f84931 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@...>
Date: Mon, 31 Oct 2011 10:55:03 -0400
Subject: [PATCH 62/63] libsepol: expand: do filename_trans type comparison on
 mapped representation

The filename_trans code had a bug where duplicate detection was being
done between the unmapped type value of a new rule and the type value of
rules already in policy.  This meant that duplicates were not being
silently dropped and were instead outputting a message that there was a
problem.  It made things hard because the message WAS using the mapped
type to convert to the string representation, so it didn't look like a
dup!

Signed-off-by: Eric Paris <eparis@...>
---
 libsepol/src/expand.c |   10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 2861776..493e478 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
 <at>  <at>  -1329,6 +1329,8  <at>  <at>  static int expand_filename_trans(expand_state_t *state,
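Review bot: only the hunk header into expand_filename_trans() is visible here. For the fix the message describes, both sides of the duplicate comparison (the new rule's types and the types of the rule already in policy) need to go through the type map before they are compared, and the error path that remains for a genuine conflict should print the mapped names on both sides so the reported pair is actually comparable, which is the mismatch that made the old message misleading.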

Daniel J Walsh | 1 Nov 2011 20:43

[PATCH 61/63] checkpolicy: drop libsepol dynamic link in checkpolicy


This patch looks good to me. acked.

From 666bc15a01809532f7834221246b08a30f92aeb0 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@...>
Date: Mon, 31 Oct 2011 10:48:38 -0400
Subject: [PATCH 61/63] checkpolicy: drop libsepol dynamic link in checkpolicy

Checkpolicy was using the static link to libsepol, but also defining a
dynamic link (that wasn't needed).  This confuses gdb.  Drop the dynamic
link request.

Signed-off-by: Eric Paris <eparis@...>
---
 checkpolicy/test/Makefile |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
index fe1bf5d..0731e89 100644
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
 <at>  <at>  -6,10 +6,10  <at>  <at>  BINDIR=$(PREFIX)/bin
 LIBDIR=$(PREFIX)/lib
 INCLUDEDIR ?= $(PREFIX)/include

-CFLAGS ?= -g -Wall -O2 -pipe
+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
 override CFLAGS += -I$(INCLUDEDIR)
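Review bot: this hunk changes CFLAGS (adding `-W -Werror`) rather than dropping a dynamic link, which is what the subject and message describe; either the message should mention the stricter warning flags or they belong in a separate patch. `-Werror` in the test Makefile also turns any new compiler warning into a build failure on other toolchains, so that change deserves its own justification in the log.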

Daniel J Walsh | 1 Nov 2011 20:44

[PATCH 60/63] libsepol: Move ebitmap_* functions from mcstrans to


This patch looks good to me. acked.

From 14f4ebb8d152a8c0105f824ef8188d35857a9775 Mon Sep 17 00:00:00 2001
From: Steve Lawrence <slawrence@...>
Date: Tue, 18 Oct 2011 08:34:41 -0400
Subject: [PATCH 60/63] libsepol: Move ebitmap_* functions from mcstrans to
 libsepol

This patch moves some ebitmap functions (and, xor, not, etc.) from
mcstrans into libsepol, where they really belong and could be used by
other applications (e.g. CIL)

Signed-off-by: Eric Paris <eparis@...>
---
 libsepol/include/sepol/policydb/ebitmap.h |    6 ++
 libsepol/src/ebitmap.c                    |   76 ++++++++++++++++++++++++
 libsepol/src/private.h                    |    3 +
 policycoreutils/mcstrans/src/mcstrans.c   |   91 ++---------------------------
 4 files changed, 91 insertions(+), 85 deletions(-)

diff --git a/libsepol/include/sepol/policydb/ebitmap.h b/libsepol/include/sepol/policydb/ebitmap.h
index 410c15c..214da95 100644
--- a/libsepol/include/sepol/policydb/ebitmap.h
+++ b/libsepol/include/sepol/policydb/ebitmap.h
 <at>  <at>  -76,6 +76,12  <at>  <at>  static inline int ebitmap_node_get_bit(ebitmap_node_t * n, unsigned int bit)
 extern int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2);
 extern int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2);
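Review bot: the visible context shows the existing declarations take `const ebitmap_t *` for their inputs and carry an `extern` prefix; the ebitmap_and/xor/not prototypes moved in from mcstrans should keep both conventions. The diffstat also touches libsepol/src/private.h, which suggests some of the moved functions stay internal; the commit message should say which ones become public libsepol API, since that is an ABI commitment.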

Daniel J Walsh | 1 Nov 2011 20:46

[PATCH 51/63] sepolgen: Return name field in avc data


This patch looks good to me. acked.

From 1492548d0e4392138d9e683b60036a8fa64369ad Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@...>
Date: Thu, 13 Oct 2011 13:28:35 -0400
Subject: [PATCH 51/63] sepolgen: Return name field in avc data

Signed-off-by: Eric Paris <eparis@...>
---
 sepolgen/src/sepolgen/audit.py |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
index e23725f..1b0a8e5 100644
--- a/sepolgen/src/sepolgen/audit.py
+++ b/sepolgen/src/sepolgen/audit.py
 <at>  <at>  -179,6 +179,7  <at>  <at>  class AVCMessage(AuditMessage):
         self.comm = ""
         self.exe = ""
         self.path = ""
+        self.name = ""
         self.accesses = []
         self.denial = True
         self.type = audit2why.TERULE
 <at>  <at>  -239,6 +240,8  <at>  <at>  class AVCMessage(AuditMessage):
                 self.comm = fields[1][1:-1]
             elif fields[0] == "exe":
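Review bot: the parsing branch for the new `name` field will presumably mirror the `comm` branch shown here, which strips quotes with `fields[1][1:-1]`. The audit subsystem does not quote every value: strings containing special characters are hex-encoded and emitted without quotes, so an unconditional `[1:-1]` silently truncates those values. The name parser should only strip when the value actually starts and ends with `"`, and decode the hex form otherwise, since this field ends up in policy generated by sepolgen.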

Daniel J Walsh | 1 Nov 2011 20:46

[PATCH 52/63] libselinux: maintain mode even if umask is tighter


This patch looks good to me. acked.

From d83bfb48774dea79cdb27363953e371fa32366ac Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@...>
Date: Thu, 20 Oct 2011 15:13:10 -0400
Subject: [PATCH 52/63] libselinux: maintain mode even if umask is tighter

When certain programs were run which created new files they would get
default permissions based on the current user's umask.  However these
files should get the same permissions as those files which they
replaced.  Do that.

Patch from: Stephen Smalley

Signed-off-by: Eric Paris <eparis@...>
---
 libselinux/man/man3/selinux_check_access.3 |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
 create mode 100644 libselinux/man/man3/selinux_check_access.3

diff --git a/libselinux/man/man3/selinux_check_access.3 b/libselinux/man/man3/selinux_check_access.3
new file mode 100644
index 0000000..a60bca4
--- /dev/null
+++ b/libselinux/man/man3/selinux_check_access.3
 <at>  <at>  -0,0 +1  <at>  <at> 
+.so man3/security_compute_av.3
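Review bot: the diff does not match its description. The message talks about preserving file modes against a tighter umask, but the only change is a new man page link (`.so man3/security_compute_av.3`) for selinux_check_access, which belongs with the access-check interface in patch 54/63; the umask fix itself is in patch 53/63 (semanage_store.c). Swap or rewrite the message before merging so `git log` stays usable for bisecting.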

Daniel J Walsh | 1 Nov 2011 20:47

[PATCH 54/63] libselinux: simple interface for access checks


This patch looks good to me. acked.

From a3937807d751496b4a374c56429ba70b11fbfd5e Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@...>
Date: Thu, 20 Oct 2011 15:14:08 -0400
Subject: [PATCH 54/63] libselinux: simple interface for access checks

Some programs, like passwd, need to do simple one time access checks.
Rather than set up a full avc cache and use that infrastructure they
were directly using security_compute_av.  A problem with this approach
is the lack of audit on denials.  This patch creates a new interface
that is simple to use and which will still listen to things like
permissive and output audit messages on denials.

Signed-off-by: Eric Paris <eparis@...>
---
 libselinux/include/selinux/selinux.h      |   19 +++++++++++++++++
 libselinux/man/man3/security_compute_av.3 |    5 ++++
 libselinux/src/checkAccess.c              |   32 +++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 0 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index d766645..826ed71 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
 <at>  <at>  -513,6 +513,25  <at>  <at>  extern const char *selinux_colors_path(void);
 extern const char *selinux_netfilter_context_path(void);
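Review bot: only the context around selinux_netfilter_context_path() is visible, but since this adds a public declaration to selinux.h, the new function's contract needs to be spelled out in the security_compute_av.3 page listed in the diffstat: what a denial returns and whether errno is set, and whether permissive mode makes the call report success. Callers such as passwd will branch on that value, so an ambiguous return is a security decision made by accident.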

Daniel J Walsh | 1 Nov 2011 20:47

[PATCH 53/63] Checkin Stephen Smalley's Fix for making sure we


This patch looks good to me. acked.

From 8e65dba033c4a963f5a15057e081e40324eed8d3 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@...>
Date: Thu, 20 Oct 2011 15:13:17 -0400
Subject: [PATCH 53/63] Checkin Stephen Smalley's Fix for making sure we
 maintain the mode on files even if the umask is
 tighter than normal

---
 libsemanage/src/semanage_store.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index e322992..a223aa7 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
 <at>  <at>  -495,6 +495,7  <at>  <at>  static int semanage_copy_file(const char *src, const char *dst, mode_t mode)
 	int in, out, retval = 0, amount_read, n, errsv = errno;
 	char tmp[PATH_MAX];
 	char buf[4192];
+	mode_t mask;

 	n = snprintf(tmp, PATH_MAX, "%s.tmp", dst);
 	if (n < 0 || n >= PATH_MAX)
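Review bot: `mode_t mask` is declared here for what the subject describes as saving the umask around file creation. Every error path in semanage_copy_file() after the umask is changed must restore the saved mask before returning, and because umask() is process-wide, any other thread creating files during that window will see the relaxed mask; calling fchmod() on the opened descriptor reaches the target mode without touching the process umask and avoids both problems. Unrelated to this change, the existing `char buf[4192]` looks like a typo for 4096.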
 <at>  <at>  -506,13 +507,16  <at>  <at>  static int semanage_copy_file(const char *src, const char *dst, mode_t mode)


Daniel J Walsh | 1 Nov 2011 20:48

[PATCH 56/63] libselinux: seusers: fix to handle large sets of


This patch looks good to me. acked.

From bd744b6aa520e5ac4f253b6ed387086d9add09f8 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@...>
Date: Mon, 24 Oct 2011 13:47:36 -0400
Subject: [PATCH 56/63] libselinux: seusers: fix to handle large sets of
 groups

If a user was in too many groups the check_group function might not pass
a large enough buffer to getgrnam_r to handle things.  This could return
ERANGE which we then aborted.  Instead we should make the buffer larger and
try again.

Signed-off-by: Eric Paris <eparis@...>
---
 libselinux/src/seusers.c |   26 ++++++++++++++++++++------
 1 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
index fc75cb6..b653cad 100644
--- a/libselinux/src/seusers.c
+++ b/libselinux/src/seusers.c
 <at>  <at>  -5,6 +5,7  <at>  <at> 
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <ctype.h>
+#include <errno.h>
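Review bot: `<errno.h>` is the right include for the ERANGE check the message describes. In the retry loop that follows, bound the buffer growth (a maximum size or a fixed number of doublings) so a getgrnam_r() that keeps returning ERANGE cannot drive an unbounded allocation, and make sure the grown buffer is freed on every exit path of check_group(), including the error ones.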
