From: <ssm...@us...> - 2007-11-05 18:54:09
Revision: 2667
http://selinux.svn.sourceforge.net/selinux/?rev=2667&view=rev
Author: ssmalley
Date: 2007-11-05 10:53:56 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
Allow handle_unknown in base module to be overridden by semanage.conf.
Modified Paths:
--------------
trunk/libsemanage/src/conf-parse.y
trunk/libsemanage/src/conf-scan.l
trunk/libsemanage/src/semanage_conf.h
trunk/libsemanage/src/semanage_store.c
trunk/libsepol/include/sepol/policydb/policydb.h
trunk/libsepol/include/sepol/policydb.h
trunk/libsepol/src/policydb_public.c
Modified: trunk/libsemanage/src/conf-parse.y
===================================================================
--- trunk/libsemanage/src/conf-parse.y 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/conf-parse.y 2007-11-05 18:53:56 UTC (rev 2667)
@@ -57,7 +57,7 @@
}
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
-%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
+%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
%token PROG_PATH PROG_ARGS
%token <s> ARG
@@ -81,6 +81,7 @@
| save_previous
| save_linked
| disable_genhomedircon
+ | handle_unknown
;
module_store: MODULE_STORE '=' ARG {
@@ -139,16 +140,29 @@
;
disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
- if (strcasecmp($3, "false") == 0) {
- current_conf->disable_genhomedircon = 0;
- } else if (strcasecmp($3, "true") == 0) {
- current_conf->disable_genhomedircon = 1;
- } else {
- yyerror("disable-genhomedircon can only be 'true' or 'false'");
- }
- free($3);
- }
+ if (strcasecmp($3, "false") == 0) {
+ current_conf->disable_genhomedircon = 0;
+ } else if (strcasecmp($3, "true") == 0) {
+ current_conf->disable_genhomedircon = 1;
+ } else {
+ yyerror("disable-genhomedircon can only be 'true' or 'false'");
+ }
+ free($3);
+ }
+handle_unknown: HANDLE_UNKNOWN '=' ARG {
+ if (strcasecmp($3, "deny") == 0) {
+ current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
+ } else if (strcasecmp($3, "reject") == 0) {
+ current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
+ } else if (strcasecmp($3, "allow") == 0) {
+ current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
+ } else {
+ yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
+ }
+ free($3);
+ }
+
command_block:
command_start external_opts BLOCK_END {
if (new_external->path == NULL) {
@@ -214,6 +228,7 @@
conf->store_path = strdup(basename(selinux_policy_root()));
conf->policyvers = sepol_policy_kern_vers_max();
conf->expand_check = 1;
+ conf->handle_unknown = -1;
conf->file_mode = 0644;
conf->save_previous = 0;
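Review bot: The `-1` assigned to `conf->handle_unknown` is a sentinel meaning "not set in semanage.conf", but neither this hunk nor the new `int handle_unknown;` field in semanage_conf.h says so; the only place that gives it meaning is the `>= 0` guard in semanage_store.c. A comment at the assignment, `conf->handle_unknown = -1; /* not configured: keep the value compiled into the base module */`, and the same remark on the struct field, would stop a later maintainer from "fixing" the default to SEPOL_DENY_UNKNOWN (which is 0) and thereby silently overriding every base module's own setting. The enclosing function starts and ends outside the hunk.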
Modified: trunk/libsemanage/src/conf-scan.l
===================================================================
--- trunk/libsemanage/src/conf-scan.l 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/conf-scan.l 2007-11-05 18:53:56 UTC (rev 2667)
@@ -45,6 +45,7 @@
save-previous return SAVE_PREVIOUS;
save-linked return SAVE_LINKED;
disable-genhomedircon return DISABLE_GENHOMEDIRCON;
+handle-unknown return HANDLE_UNKNOWN;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
"[verify module]" return VERIFY_MOD_START;
Modified: trunk/libsemanage/src/semanage_conf.h
===================================================================
--- trunk/libsemanage/src/semanage_conf.h 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/semanage_conf.h 2007-11-05 18:53:56 UTC (rev 2667)
@@ -38,6 +38,7 @@
int save_previous;
int save_linked;
int disable_genhomedircon;
+ int handle_unknown;
mode_t file_mode;
struct external_prog *load_policy;
struct external_prog *setfiles;
Modified: trunk/libsemanage/src/semanage_store.c
===================================================================
--- trunk/libsemanage/src/semanage_store.c 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/semanage_store.c 2007-11-05 18:53:56 UTC (rev 2667)
@@ -1647,6 +1647,8 @@
ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
goto err;
}
+ if (sh->conf->handle_unknown >= 0)
+ sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
*policydb = out;
return STATUS_SUCCESS;
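Review bot: The return value of `sepol_policydb_set_handle_unknown` is discarded on the second added line, even though the new function returns -1 for any value other than deny/reject/allow. The parser only ever stores those three values today, so the call cannot fail yet, but this setting decides whether classes and permissions the policy does not define are denied or allowed, which makes a silently dropped override the wrong failure mode: the administrator would get the base module's setting with no message. The check a few lines up already uses `ERR(sh, ...)` followed by `goto err`; the same pattern fits here. The enclosing function starts outside the hunk and its `err` label is not visible.
```c
	if (sh->conf->handle_unknown >= 0 &&
	    sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown) < 0) {
		ERR(sh, "Invalid handle-unknown setting %d.", sh->conf->handle_unknown);
		goto err;
	}
	*policydb = out;
	return STATUS_SUCCESS;
```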
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsepol/include/sepol/policydb/policydb.h 2007-11-05 18:53:56 UTC (rev 2667)
@@ -602,9 +602,9 @@
#define POLICYDB_CONFIG_MLS 1
/* the config flags related to unknown classes/perms are bits 2 and 3 */
-#define DENY_UNKNOWN 0x00000000
-#define REJECT_UNKNOWN 0x00000002
-#define ALLOW_UNKNOWN 0x00000004
+#define DENY_UNKNOWN SEPOL_DENY_UNKNOWN
+#define REJECT_UNKNOWN SEPOL_REJECT_UNKNOWN
+#define ALLOW_UNKNOWN SEPOL_ALLOW_UNKNOWN
#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
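Review bot: The three internal macros now expand to `SEPOL_DENY_UNKNOWN` and friends, which this file does not define; they are introduced in sepol/policydb.h by the same commit. Unless policydb/policydb.h already includes that header (not visible in this hunk), a translation unit that includes only policydb/policydb.h will hit undeclared identifiers at the first use of `POLICYDB_CONFIG_UNKNOWN_MASK`. Either add the include next to the existing ones, or at least state the intent so nobody reintroduces literal values here: `/* aliases of the public SEPOL_*_UNKNOWN values; the two sets must never drift */`. The removed literals `0x00000002`/`0x00000004` were the only local record of the config-word bit layout, so that comment should also point at where the on-disk meaning now lives.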
Modified: trunk/libsepol/include/sepol/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb.h 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsepol/include/sepol/policydb.h 2007-11-05 18:53:56 UTC (rev 2667)
@@ -83,6 +83,13 @@
*/
extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
+/* Set how to handle unknown class/perms. */
+#define SEPOL_DENY_UNKNOWN 0
+#define SEPOL_REJECT_UNKNOWN 2
+#define SEPOL_ALLOW_UNKNOWN 4
+extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
+ unsigned int handle_unknown);
+
/*
* Read a policydb from a policy file.
* This automatically sets the type and version based on the
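Review bot: The one-line comment above the new `SEPOL_*_UNKNOWN` values does not document the contract of the public function that follows it: which values `handle_unknown` accepts and that anything else is rejected (the implementation in policydb_public.c returns -1 for other values). `sepol_policydb_set_vers` just above carries a block comment; the new function should get one in the same style saying that the argument must be exactly one of SEPOL_DENY_UNKNOWN, SEPOL_REJECT_UNKNOWN or SEPOL_ALLOW_UNKNOWN, that it returns 0 on success and -1 on any other value, and that it selects how unknown classes/perms are handled. Because the values are bit flags aliased by the internal policydb config macros, the comment should also say they are mutually exclusive and must not be OR-ed together.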
Modified: trunk/libsepol/src/policydb_public.c
===================================================================
--- trunk/libsepol/src/policydb_public.c 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsepol/src/policydb_public.c 2007-11-05 18:53:56 UTC (rev 2667)
@@ -134,6 +134,24 @@
return 0;
}
+int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
+ unsigned int handle_unknown)
+{
+ struct policydb *p = &sp->p;
+
+ switch (handle_unknown) {
+ case SEPOL_DENY_UNKNOWN:
+ case SEPOL_REJECT_UNKNOWN:
+ case SEPOL_ALLOW_UNKNOWN:
+ break;
+ default:
+ return -1;
+ }
+
+ p->handle_unknown = handle_unknown;
+ return 0;
+}
+
int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
{
return policydb_read(&p->p, &pf->pf, 0);
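Review bot: The new function validates the value with a switch but has no comment explaining why only those three values pass; since the internal config macros alias them as bit flags, a reader may try to combine them and be surprised that the switch rejects the result, so a line such as `/* exactly one flag: the value is stored verbatim in the policy config word */` above the switch would help. Nothing here checks that the policy version being written actually carries the handle-unknown bits; if policydb_write only emits them for newer versions (not visible in this hunk), a caller configuring deny against an older-format policy would get a 0 return and no effect. Either a version check or a comment making that the caller's responsibility would make the contract explicit.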