Menu
▾
▴
selinux-commits — Commits to the subversion repo
You can subscribe to this list here.
| 2006 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(24) |
Sep
(38) |
Oct
(29) |
Nov
(40) |
Dec
(4) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2007 |
Jan
(88) |
Feb
(66) |
Mar
(44) |
Apr
(104) |
May
(35) |
Jun
(34) |
Jul
(12) |
Aug
(42) |
Sep
(84) |
Oct
(34) |
Nov
(30) |
Dec
(22) |
| 2008 |
Jan
(60) |
Feb
(54) |
Mar
(32) |
Apr
(14) |
May
(16) |
Jun
(26) |
Jul
(22) |
Aug
(12) |
Sep
|
Oct
|
Nov
|
Dec
|
|
From: <ssm...@us...> - 2007-11-05 19:10:28
|
Revision: 2675
http://selinux.svn.sourceforge.net/selinux/?rev=2675&view=rev
Author: ssmalley
Date: 2007-11-05 11:10:24 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
applied r2672:2674 from trunk
Modified Paths:
--------------
branches/stable/1_0/libsemanage/src/semanage_store.c
branches/stable/1_0/libsepol/src/link.c
Modified: branches/stable/1_0/libsemanage/src/semanage_store.c
===================================================================
--- branches/stable/1_0/libsemanage/src/semanage_store.c 2007-11-05 19:09:04 UTC (rev 2674)
+++ branches/stable/1_0/libsemanage/src/semanage_store.c 2007-11-05 19:10:24 UTC (rev 2675)
@@ -547,7 +547,7 @@
free(namelist[i]);
}
free(namelist);
- if (remove(path) == -1) {
+ if (rmdir(path) == -1) {
return -4;
}
return 0;
Modified: branches/stable/1_0/libsepol/src/link.c
===================================================================
--- branches/stable/1_0/libsepol/src/link.c 2007-11-05 19:09:04 UTC (rev 2674)
+++ branches/stable/1_0/libsepol/src/link.c 2007-11-05 19:10:24 UTC (rev 2675)
@@ -695,6 +695,12 @@
return -1;
}
+ if (!strcmp(id, target_id)) {
+ ERR(state->handle, "%s: Self aliasing of %s.",
+ state->cur_mod_name, id);
+ return -1;
+ }
+
base_type = hashtab_search(state->base->p_types.table, id);
if (base_type == NULL) {
if (state->verbose)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 19:09:12
|
Revision: 2674
http://selinux.svn.sourceforge.net/selinux/?rev=2674&view=rev
Author: ssmalley
Date: 2007-11-05 11:09:04 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
Don't allow self aliasing of types, not that there is anything wrong with that.
Modified Paths:
--------------
trunk/libsepol/src/link.c
Modified: trunk/libsepol/src/link.c
===================================================================
--- trunk/libsepol/src/link.c 2007-11-05 19:08:25 UTC (rev 2673)
+++ trunk/libsepol/src/link.c 2007-11-05 19:09:04 UTC (rev 2674)
@@ -696,6 +696,12 @@
return -1;
}
+ if (!strcmp(id, target_id)) {
+ ERR(state->handle, "%s: Self aliasing of %s.",
+ state->cur_mod_name, id);
+ return -1;
+ }
+
base_type = hashtab_search(state->base->p_types.table, id);
if (base_type == NULL) {
if (state->verbose)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 19:08:29
|
Revision: 2673
http://selinux.svn.sourceforge.net/selinux/?rev=2673&view=rev
Author: ssmalley
Date: 2007-11-05 11:08:25 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
Calling remove() rather than rmdir() when we know we have a directory is pointless and causes errno to always be set to EISDIR, thereby confusing later error messages.
Modified Paths:
--------------
trunk/libsemanage/src/semanage_store.c
Modified: trunk/libsemanage/src/semanage_store.c
===================================================================
--- trunk/libsemanage/src/semanage_store.c 2007-11-05 19:07:16 UTC (rev 2672)
+++ trunk/libsemanage/src/semanage_store.c 2007-11-05 19:08:25 UTC (rev 2673)
@@ -552,7 +552,7 @@
free(namelist[i]);
}
free(namelist);
- if (remove(path) == -1) {
+ if (rmdir(path) == -1) {
return -4;
}
return 0;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 19:07:18
|
Revision: 2672
http://selinux.svn.sourceforge.net/selinux/?rev=2672&view=rev
Author: ssmalley
Date: 2007-11-05 11:07:16 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
updated libsemanage to version 1.10.8
Modified Paths:
--------------
branches/stable/1_0/libsemanage/ChangeLog
branches/stable/1_0/libsemanage/VERSION
Modified: branches/stable/1_0/libsemanage/ChangeLog
===================================================================
--- branches/stable/1_0/libsemanage/ChangeLog 2007-11-05 19:06:35 UTC (rev 2671)
+++ branches/stable/1_0/libsemanage/ChangeLog 2007-11-05 19:07:16 UTC (rev 2672)
@@ -1,3 +1,6 @@
+1.10.8 2007-11-05
+ * Allow handle unknown in base to be overridden by semanage.conf from Stephen Smalley.
+
1.10.7 2007-09-27
* Improve reporting of system errors, e.g. full filesystem or read-only filesystem from Stephen Smalley.
Modified: branches/stable/1_0/libsemanage/VERSION
===================================================================
--- branches/stable/1_0/libsemanage/VERSION 2007-11-05 19:06:35 UTC (rev 2671)
+++ branches/stable/1_0/libsemanage/VERSION 2007-11-05 19:07:16 UTC (rev 2672)
@@ -1 +1 @@
-1.10.7
+1.10.8
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 19:06:42
|
Revision: 2671
http://selinux.svn.sourceforge.net/selinux/?rev=2671&view=rev
Author: ssmalley
Date: 2007-11-05 11:06:35 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
updated libsepol to version 1.16.10
Modified Paths:
--------------
branches/stable/1_0/libsepol/ChangeLog
branches/stable/1_0/libsepol/VERSION
Modified: branches/stable/1_0/libsepol/ChangeLog
===================================================================
--- branches/stable/1_0/libsepol/ChangeLog 2007-11-05 19:01:32 UTC (rev 2670)
+++ branches/stable/1_0/libsepol/ChangeLog 2007-11-05 19:06:35 UTC (rev 2671)
@@ -1,3 +1,6 @@
+1.16.10 2007-11-05
+ * Allow handle_unknown to be overridden by semanage.conf from Stephen Smalley.
+
1.16.9 2007-10-11
* Fixed bug in require checking from Stephen Smalley.
* Added user hierarchy checking from Todd Miller.
Modified: branches/stable/1_0/libsepol/VERSION
===================================================================
--- branches/stable/1_0/libsepol/VERSION 2007-11-05 19:01:32 UTC (rev 2670)
+++ branches/stable/1_0/libsepol/VERSION 2007-11-05 19:06:35 UTC (rev 2671)
@@ -1 +1 @@
-1.16.9
+1.16.10
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 19:01:34
|
Revision: 2670
http://selinux.svn.sourceforge.net/selinux/?rev=2670&view=rev
Author: ssmalley
Date: 2007-11-05 11:01:32 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
applied r2666:2667 from trunk
Modified Paths:
--------------
branches/stable/1_0/libsemanage/src/conf-parse.y
branches/stable/1_0/libsemanage/src/conf-scan.l
branches/stable/1_0/libsemanage/src/semanage_conf.h
branches/stable/1_0/libsemanage/src/semanage_store.c
branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h
branches/stable/1_0/libsepol/include/sepol/policydb.h
branches/stable/1_0/libsepol/src/policydb_public.c
Modified: branches/stable/1_0/libsemanage/src/conf-parse.y
===================================================================
--- branches/stable/1_0/libsemanage/src/conf-parse.y 2007-11-05 18:54:58 UTC (rev 2669)
+++ branches/stable/1_0/libsemanage/src/conf-parse.y 2007-11-05 19:01:32 UTC (rev 2670)
@@ -57,7 +57,7 @@
}
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
-%token LOAD_POLICY_START SETFILES_START GENHOMEDIRCON_START
+%token LOAD_POLICY_START SETFILES_START GENHOMEDIRCON_START HANDLE_UNKNOWN
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
%token PROG_PATH PROG_ARGS
%token <s> ARG
@@ -80,6 +80,7 @@
| file_mode
| save_previous
| save_linked
+ | handle_unknown
;
module_store: MODULE_STORE '=' ARG {
@@ -137,6 +138,18 @@
}
;
+handle_unknown: HANDLE_UNKNOWN '=' ARG {
+ if (strcasecmp($3, "deny") == 0) {
+ current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
+ } else if (strcasecmp($3, "reject") == 0) {
+ current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
+ } else if (strcasecmp($3, "allow") == 0) {
+ current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
+ } else {
+ yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
+ }
+ free($3);
+ }
command_block:
command_start external_opts BLOCK_END {
@@ -211,6 +224,7 @@
conf->store_path = strdup(basename(selinux_policy_root()));
conf->policyvers = sepol_policy_kern_vers_max();
conf->expand_check = 1;
+ conf->handle_unknown = -1;
conf->file_mode = 0644;
conf->save_previous = 0;
Modified: branches/stable/1_0/libsemanage/src/conf-scan.l
===================================================================
--- branches/stable/1_0/libsemanage/src/conf-scan.l 2007-11-05 18:54:58 UTC (rev 2669)
+++ branches/stable/1_0/libsemanage/src/conf-scan.l 2007-11-05 19:01:32 UTC (rev 2670)
@@ -44,6 +44,7 @@
file-mode return FILE_MODE;
save-previous return SAVE_PREVIOUS;
save-linked return SAVE_LINKED;
+handle-unknown return HANDLE_UNKNOWN;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
"[genhomedircon]" return GENHOMEDIRCON_START;
Modified: branches/stable/1_0/libsemanage/src/semanage_conf.h
===================================================================
--- branches/stable/1_0/libsemanage/src/semanage_conf.h 2007-11-05 18:54:58 UTC (rev 2669)
+++ branches/stable/1_0/libsemanage/src/semanage_conf.h 2007-11-05 19:01:32 UTC (rev 2670)
@@ -37,6 +37,7 @@
int expand_check;
int save_previous;
int save_linked;
+ int handle_unknown;
mode_t file_mode;
struct external_prog *load_policy;
struct external_prog *setfiles;
Modified: branches/stable/1_0/libsemanage/src/semanage_store.c
===================================================================
--- branches/stable/1_0/libsemanage/src/semanage_store.c 2007-11-05 18:54:58 UTC (rev 2669)
+++ branches/stable/1_0/libsemanage/src/semanage_store.c 2007-11-05 19:01:32 UTC (rev 2670)
@@ -1628,6 +1628,8 @@
ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
goto err;
}
+ if (sh->conf->handle_unknown >= 0)
+ sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
*policydb = out;
return STATUS_SUCCESS;
Modified: branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h 2007-11-05 18:54:58 UTC (rev 2669)
+++ branches/stable/1_0/libsepol/include/sepol/policydb/policydb.h 2007-11-05 19:01:32 UTC (rev 2670)
@@ -602,9 +602,9 @@
#define POLICYDB_CONFIG_MLS 1
/* the config flags related to unknown classes/perms are bits 2 and 3 */
-#define DENY_UNKNOWN 0x00000000
-#define REJECT_UNKNOWN 0x00000002
-#define ALLOW_UNKNOWN 0x00000004
+#define DENY_UNKNOWN SEPOL_DENY_UNKNOWN
+#define REJECT_UNKNOWN SEPOL_REJECT_UNKNOWN
+#define ALLOW_UNKNOWN SEPOL_ALLOW_UNKNOWN
#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
Modified: branches/stable/1_0/libsepol/include/sepol/policydb.h
===================================================================
--- branches/stable/1_0/libsepol/include/sepol/policydb.h 2007-11-05 18:54:58 UTC (rev 2669)
+++ branches/stable/1_0/libsepol/include/sepol/policydb.h 2007-11-05 19:01:32 UTC (rev 2670)
@@ -83,6 +83,13 @@
*/
extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
+/* Set how to handle unknown class/perms. */
+#define SEPOL_DENY_UNKNOWN 0
+#define SEPOL_REJECT_UNKNOWN 2
+#define SEPOL_ALLOW_UNKNOWN 4
+extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
+ unsigned int handle_unknown);
+
/*
* Read a policydb from a policy file.
* This automatically sets the type and version based on the
Modified: branches/stable/1_0/libsepol/src/policydb_public.c
===================================================================
--- branches/stable/1_0/libsepol/src/policydb_public.c 2007-11-05 18:54:58 UTC (rev 2669)
+++ branches/stable/1_0/libsepol/src/policydb_public.c 2007-11-05 19:01:32 UTC (rev 2670)
@@ -134,6 +134,24 @@
return 0;
}
+int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
+ unsigned int handle_unknown)
+{
+ struct policydb *p = &sp->p;
+
+ switch (handle_unknown) {
+ case SEPOL_DENY_UNKNOWN:
+ case SEPOL_REJECT_UNKNOWN:
+ case SEPOL_ALLOW_UNKNOWN:
+ break;
+ default:
+ return -1;
+ }
+
+ p->handle_unknown = handle_unknown;
+ return 0;
+}
+
int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
{
return policydb_read(&p->p, &pf->pf, 0);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 18:54:59
|
Revision: 2669
http://selinux.svn.sourceforge.net/selinux/?rev=2669&view=rev
Author: ssmalley
Date: 2007-11-05 10:54:58 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
updated libsemanage to version 2.0.13
Modified Paths:
--------------
trunk/libsemanage/ChangeLog
trunk/libsemanage/VERSION
Modified: trunk/libsemanage/ChangeLog
===================================================================
--- trunk/libsemanage/ChangeLog 2007-11-05 18:54:28 UTC (rev 2668)
+++ trunk/libsemanage/ChangeLog 2007-11-05 18:54:58 UTC (rev 2669)
@@ -1,3 +1,6 @@
+2.0.13 2007-11-05
+ * Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley.
+
2.0.12 2007-10-05
* ustr cleanups from James Antill.
* Ensure that /root gets labeled even if using the default context from Dan Walsh.
Modified: trunk/libsemanage/VERSION
===================================================================
--- trunk/libsemanage/VERSION 2007-11-05 18:54:28 UTC (rev 2668)
+++ trunk/libsemanage/VERSION 2007-11-05 18:54:58 UTC (rev 2669)
@@ -1 +1 @@
-2.0.12
+2.0.13
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 18:54:38
|
Revision: 2668
http://selinux.svn.sourceforge.net/selinux/?rev=2668&view=rev
Author: ssmalley
Date: 2007-11-05 10:54:28 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
updated libsepol to version 2.0.13
Modified Paths:
--------------
trunk/libsepol/ChangeLog
trunk/libsepol/VERSION
Modified: trunk/libsepol/ChangeLog
===================================================================
--- trunk/libsepol/ChangeLog 2007-11-05 18:53:56 UTC (rev 2667)
+++ trunk/libsepol/ChangeLog 2007-11-05 18:54:28 UTC (rev 2668)
@@ -1,3 +1,6 @@
+2.0.13 2007-11-05
+ * Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley.
+
2.0.12 2007-10-11
* Fixed bug in require checking from Stephen Smalley.
* Added user hierarchy checking from Todd Miller.
Modified: trunk/libsepol/VERSION
===================================================================
--- trunk/libsepol/VERSION 2007-11-05 18:53:56 UTC (rev 2667)
+++ trunk/libsepol/VERSION 2007-11-05 18:54:28 UTC (rev 2668)
@@ -1 +1 @@
-2.0.12
+2.0.13
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-05 18:54:09
|
Revision: 2667
http://selinux.svn.sourceforge.net/selinux/?rev=2667&view=rev
Author: ssmalley
Date: 2007-11-05 10:53:56 -0800 (Mon, 05 Nov 2007)
Log Message:
-----------
Allow handle_unknown in base module to be overridden by semanage.conf.
Modified Paths:
--------------
trunk/libsemanage/src/conf-parse.y
trunk/libsemanage/src/conf-scan.l
trunk/libsemanage/src/semanage_conf.h
trunk/libsemanage/src/semanage_store.c
trunk/libsepol/include/sepol/policydb/policydb.h
trunk/libsepol/include/sepol/policydb.h
trunk/libsepol/src/policydb_public.c
Modified: trunk/libsemanage/src/conf-parse.y
===================================================================
--- trunk/libsemanage/src/conf-parse.y 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/conf-parse.y 2007-11-05 18:53:56 UTC (rev 2667)
@@ -57,7 +57,7 @@
}
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
-%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
+%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
%token PROG_PATH PROG_ARGS
%token <s> ARG
@@ -81,6 +81,7 @@
| save_previous
| save_linked
| disable_genhomedircon
+ | handle_unknown
;
module_store: MODULE_STORE '=' ARG {
@@ -139,16 +140,29 @@
;
disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
- if (strcasecmp($3, "false") == 0) {
- current_conf->disable_genhomedircon = 0;
- } else if (strcasecmp($3, "true") == 0) {
- current_conf->disable_genhomedircon = 1;
- } else {
- yyerror("disable-genhomedircon can only be 'true' or 'false'");
- }
- free($3);
- }
+ if (strcasecmp($3, "false") == 0) {
+ current_conf->disable_genhomedircon = 0;
+ } else if (strcasecmp($3, "true") == 0) {
+ current_conf->disable_genhomedircon = 1;
+ } else {
+ yyerror("disable-genhomedircon can only be 'true' or 'false'");
+ }
+ free($3);
+ }
+handle_unknown: HANDLE_UNKNOWN '=' ARG {
+ if (strcasecmp($3, "deny") == 0) {
+ current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
+ } else if (strcasecmp($3, "reject") == 0) {
+ current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
+ } else if (strcasecmp($3, "allow") == 0) {
+ current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
+ } else {
+ yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
+ }
+ free($3);
+ }
+
command_block:
command_start external_opts BLOCK_END {
if (new_external->path == NULL) {
@@ -214,6 +228,7 @@
conf->store_path = strdup(basename(selinux_policy_root()));
conf->policyvers = sepol_policy_kern_vers_max();
conf->expand_check = 1;
+ conf->handle_unknown = -1;
conf->file_mode = 0644;
conf->save_previous = 0;
Modified: trunk/libsemanage/src/conf-scan.l
===================================================================
--- trunk/libsemanage/src/conf-scan.l 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/conf-scan.l 2007-11-05 18:53:56 UTC (rev 2667)
@@ -45,6 +45,7 @@
save-previous return SAVE_PREVIOUS;
save-linked return SAVE_LINKED;
disable-genhomedircon return DISABLE_GENHOMEDIRCON;
+handle-unknown return HANDLE_UNKNOWN;
"[load_policy]" return LOAD_POLICY_START;
"[setfiles]" return SETFILES_START;
"[verify module]" return VERIFY_MOD_START;
Modified: trunk/libsemanage/src/semanage_conf.h
===================================================================
--- trunk/libsemanage/src/semanage_conf.h 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/semanage_conf.h 2007-11-05 18:53:56 UTC (rev 2667)
@@ -38,6 +38,7 @@
int save_previous;
int save_linked;
int disable_genhomedircon;
+ int handle_unknown;
mode_t file_mode;
struct external_prog *load_policy;
struct external_prog *setfiles;
Modified: trunk/libsemanage/src/semanage_store.c
===================================================================
--- trunk/libsemanage/src/semanage_store.c 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsemanage/src/semanage_store.c 2007-11-05 18:53:56 UTC (rev 2667)
@@ -1647,6 +1647,8 @@
ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
goto err;
}
+ if (sh->conf->handle_unknown >= 0)
+ sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
*policydb = out;
return STATUS_SUCCESS;
Modified: trunk/libsepol/include/sepol/policydb/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb/policydb.h 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsepol/include/sepol/policydb/policydb.h 2007-11-05 18:53:56 UTC (rev 2667)
@@ -602,9 +602,9 @@
#define POLICYDB_CONFIG_MLS 1
/* the config flags related to unknown classes/perms are bits 2 and 3 */
-#define DENY_UNKNOWN 0x00000000
-#define REJECT_UNKNOWN 0x00000002
-#define ALLOW_UNKNOWN 0x00000004
+#define DENY_UNKNOWN SEPOL_DENY_UNKNOWN
+#define REJECT_UNKNOWN SEPOL_REJECT_UNKNOWN
+#define ALLOW_UNKNOWN SEPOL_ALLOW_UNKNOWN
#define POLICYDB_CONFIG_UNKNOWN_MASK (DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
Modified: trunk/libsepol/include/sepol/policydb.h
===================================================================
--- trunk/libsepol/include/sepol/policydb.h 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsepol/include/sepol/policydb.h 2007-11-05 18:53:56 UTC (rev 2667)
@@ -83,6 +83,13 @@
*/
extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
+/* Set how to handle unknown class/perms. */
+#define SEPOL_DENY_UNKNOWN 0
+#define SEPOL_REJECT_UNKNOWN 2
+#define SEPOL_ALLOW_UNKNOWN 4
+extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
+ unsigned int handle_unknown);
+
/*
* Read a policydb from a policy file.
* This automatically sets the type and version based on the
Modified: trunk/libsepol/src/policydb_public.c
===================================================================
--- trunk/libsepol/src/policydb_public.c 2007-11-01 20:15:48 UTC (rev 2666)
+++ trunk/libsepol/src/policydb_public.c 2007-11-05 18:53:56 UTC (rev 2667)
@@ -134,6 +134,24 @@
return 0;
}
+int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
+ unsigned int handle_unknown)
+{
+ struct policydb *p = &sp->p;
+
+ switch (handle_unknown) {
+ case SEPOL_DENY_UNKNOWN:
+ case SEPOL_REJECT_UNKNOWN:
+ case SEPOL_ALLOW_UNKNOWN:
+ break;
+ default:
+ return -1;
+ }
+
+ p->handle_unknown = handle_unknown;
+ return 0;
+}
+
int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
{
return policydb_read(&p->p, &pf->pf, 0);
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-01 20:15:50
|
Revision: 2666
http://selinux.svn.sourceforge.net/selinux/?rev=2666&view=rev
Author: ssmalley
Date: 2007-11-01 13:15:48 -0700 (Thu, 01 Nov 2007)
Log Message:
-----------
updated checkpolicy to version 2.0.5
Modified Paths:
--------------
trunk/checkpolicy/ChangeLog
trunk/checkpolicy/VERSION
Modified: trunk/checkpolicy/ChangeLog
===================================================================
--- trunk/checkpolicy/ChangeLog 2007-11-01 20:14:36 UTC (rev 2665)
+++ trunk/checkpolicy/ChangeLog 2007-11-01 20:15:48 UTC (rev 2666)
@@ -1,3 +1,6 @@
+2.0.5 2007-11-01
+ * Merged remove use of REJECT and trailing context in lex rules; make ipv4 address parsing like ipv6 from James Carter.
+
2.0.4 2007-09-18
* Merged handle unknown policydb flag support from Eric Paris.
Adds new command line options -U {allow, reject, deny} for selecting
Modified: trunk/checkpolicy/VERSION
===================================================================
--- trunk/checkpolicy/VERSION 2007-11-01 20:14:36 UTC (rev 2665)
+++ trunk/checkpolicy/VERSION 2007-11-01 20:15:48 UTC (rev 2666)
@@ -1 +1 @@
-2.0.4
+2.0.5
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-01 20:14:37
|
Revision: 2665
http://selinux.svn.sourceforge.net/selinux/?rev=2665&view=rev
Author: ssmalley
Date: 2007-11-01 13:14:36 -0700 (Thu, 01 Nov 2007)
Log Message:
-----------
Author: James Carter
Email: jw...@ty...
Subject: checkpolicy: Remove use of REJECT and trailing context in lex rules; make ipv4 address processing like ipv6
Date: Wed, 31 Oct 2007 15:43:45 -0400
This is a patch to remove the use of REJECT and trailing context in the
lex rules. To help accomplish this, it also makes ipv4 address
processing like ipv6 address processing.
It improves policy compile times on my laptop from ~95sec to ~85sec.
REJECT was used to reject an identifier if it had two consecutive "."s
or one at the end. The new rule should prevent both of these conditions
without the use of REJECT and the is_valid_identifier function.
Trailing context was used in the rule to identify the module version.
Without the trailing context, the rule would match ipv4 addresses. A
rule for ipv4 addresses was added to eliminate the need for the use of
trailing context and to allow ipv4 addresses to be handled in a manner
similar to ipv6 addresses.
Finally, the alnum character class was defined and some minor cleanup
was done.
I am, by the way, surprised by the rule to match the module version.
It is "[0-9]+(\.[A-Za-z0-9_.]*)?" when I would have expected something
like "[0-9]+(\.[0-9]+){0,2}". I assumed that there is a reason why it
is like this and left it alone.
Signed off by: James Carter <jw...@ty...>
Modified Paths:
--------------
trunk/checkpolicy/policy_parse.y
trunk/checkpolicy/policy_scan.l
Modified: trunk/checkpolicy/policy_parse.y
===================================================================
--- trunk/checkpolicy/policy_parse.y 2007-11-01 16:51:46 UTC (rev 2664)
+++ trunk/checkpolicy/policy_parse.y 2007-11-01 20:14:36 UTC (rev 2665)
@@ -122,7 +122,7 @@
static int define_fs_context(unsigned int major, unsigned int minor);
static int define_port_context(unsigned int low, unsigned int high);
static int define_netif_context(void);
-static int define_ipv4_node_context(unsigned int addr, unsigned int mask);
+static int define_ipv4_node_context(void);
static int define_ipv6_node_context(void);
typedef int (* require_func_t)();
@@ -195,6 +195,7 @@
%token NUMBER
%token EQUALS
%token NOTEQUAL
+%token IPV4_ADDR
%token IPV6_ADDR
%token MODULE VERSION_IDENTIFIER REQUIRE OPTIONAL
@@ -654,7 +655,7 @@
| node_contexts node_context_def
;
node_context_def : NODECON ipv4_addr_def ipv4_addr_def security_context_def
- {if (define_ipv4_node_context($2,$3)) return -1;}
+ {if (define_ipv4_node_context()) return -1;}
| NODECON ipv6_addr ipv6_addr security_context_def
{if (define_ipv6_node_context()) return -1;}
;
@@ -684,18 +685,9 @@
| GENFSCON identifier path security_context_def
{if (define_genfs_context(0)) return -1;}
;
-ipv4_addr_def : number '.' number '.' number '.' number
- {
- unsigned int addr;
- unsigned char *p = ((unsigned char *)&addr);
-
- p[0] = $1 & 0xff;
- p[1] = $3 & 0xff;
- p[2] = $5 & 0xff;
- p[3] = $7 & 0xff;
- $$ = addr;
- }
- ;
+ipv4_addr_def : IPV4_ADDR
+ { if (insert_id(yytext,0)) return -1; }
+ ;
security_context_def : identifier ':' identifier ':' identifier opt_mls_range_def
;
opt_mls_range_def : ':' mls_range_def
@@ -4184,27 +4176,63 @@
return 0;
}
-static int define_ipv4_node_context(unsigned int addr, unsigned int mask)
-{
+static int define_ipv4_node_context()
+{
+ char *id;
+ int rc = 0;
+ struct in_addr addr, mask;
ocontext_t *newc, *c, *l, *head;
if (pass == 1) {
+ free(queue_remove(id_queue));
+ free(queue_remove(id_queue));
parse_security_context(NULL);
- if (mlspol)
- free(queue_remove(id_queue));
- return 0;
+ goto out;
}
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("failed to read ipv4 address");
+ rc = -1;
+ goto out;
+ }
+
+ rc = inet_pton(AF_INET, id, &addr);
+ free(id);
+ if (rc < 1) {
+ yyerror("failed to parse ipv4 address");
+ if (rc == 0)
+ rc = -1;
+ goto out;
+ }
+
+ id = queue_remove(id_queue);
+ if (!id) {
+ yyerror("failed to read ipv4 address");
+ rc = -1;
+ goto out;
+ }
+
+ rc = inet_pton(AF_INET, id, &mask);
+ free(id);
+ if (rc < 1) {
+ yyerror("failed to parse ipv4 mask");
+ if (rc == 0)
+ rc = -1;
+ goto out;
+ }
+
newc = malloc(sizeof(ocontext_t));
if (!newc) {
yyerror("out of memory");
- return -1;
+ rc = -1;
+ goto out;
}
+
memset(newc, 0, sizeof(ocontext_t));
+ newc->u.node.addr = addr.s_addr;
+ newc->u.node.mask = mask.s_addr;
- newc->u.node.addr = addr;
- newc->u.node.mask = mask;
-
if (parse_security_context(&newc->context[0])) {
free(newc);
return -1;
@@ -4224,8 +4252,9 @@
l->next = newc;
else
policydbp->ocontexts[OCON_NODE] = newc;
-
- return 0;
+ rc = 0;
+out:
+ return rc;
}
static int define_ipv6_node_context(void)
Modified: trunk/checkpolicy/policy_scan.l
===================================================================
--- trunk/checkpolicy/policy_scan.l 2007-11-01 16:51:46 UTC (rev 2664)
+++ trunk/checkpolicy/policy_scan.l 2007-11-01 20:14:36 UTC (rev 2665)
@@ -31,7 +31,6 @@
static char linebuf[2][255];
static unsigned int lno = 0;
int yywarn(char *msg);
-static int is_valid_identifier(char *id);
char source_file[255];
unsigned long source_lineno = 1;
@@ -46,8 +45,8 @@
%array
letter [A-Za-z]
digit [0-9]
+alnum [a-zA-Z0-9]
hexval [0-9A-Fa-f]
-version [0-9]+(\.[A-Za-z0-9_.]*)?
%%
\n.* { strncpy(linebuf[lno], yytext+1, 255);
@@ -199,17 +198,14 @@
H1 { return(H1); }
h2 |
H2 { return(H2); }
-"/"({letter}|{digit}|_|"."|"-"|"/")* { return(PATH); }
-{letter}({letter}|{digit}|_|"."|"-")* { if (is_valid_identifier(yytext))
- return(IDENTIFIER);
- else
- REJECT;
- }
-{digit}{digit}* { return(NUMBER); }
-{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|":"|".")* { return(IPV6_ADDR); }
-{version}/([ \t\f]*;) { return(VERSION_IDENTIFIER); }
+"/"({alnum}|[_.-/])* { return(PATH); }
+{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))* { return(IDENTIFIER); }
+{digit}+ { return(NUMBER); }
+{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
+{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
+{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
#line[ ]1[ ]\"[^\n]*\" { source_lineno = 1; strncpy(source_file, yytext+9, 255); source_file[strlen(source_file)-1] = '\0'; }
-#line[ ]{digit}{digit}* { source_lineno = atoi(yytext+6)-1; }
+#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
#[^\n]* { /* delete comments */ }
[ \t\f]+ { /* delete whitespace */ }
"==" { return(EQUALS); }
@@ -263,17 +259,3 @@
linebuf[0], linebuf[1]);
return 0;
}
-
-static int is_valid_identifier(char *id) {
- if ((strrchr(id, '.')) != NULL) {
- if (strstr(id, "..") != NULL) {
- /* identifier has consecutive '.' */
- return 0;
- }
- if (id[strlen(id) - 1] == '.') {
- /* identifier ends in '.' */
- return 0;
- }
- }
- return 1;
-}
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-01 16:51:48
|
Revision: 2664
http://selinux.svn.sourceforge.net/selinux/?rev=2664&view=rev
Author: ssmalley
Date: 2007-11-01 09:51:46 -0700 (Thu, 01 Nov 2007)
Log Message:
-----------
updated libselinux to version 2.0.40
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2007-11-01 16:51:10 UTC (rev 2663)
+++ trunk/libselinux/ChangeLog 2007-11-01 16:51:46 UTC (rev 2664)
@@ -1,3 +1,6 @@
+2.0.40 2007-11-01
+ * Merged refactored AVC netlink code from Eamon Walsh.
+
2.0.39 2007-10-19
* Merged new X label namespaces from Eamon Walsh.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2007-11-01 16:51:10 UTC (rev 2663)
+++ trunk/libselinux/VERSION 2007-11-01 16:51:46 UTC (rev 2664)
@@ -1 +1 @@
-2.0.39
+2.0.40
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-11-01 16:51:15
|
Revision: 2663
http://selinux.svn.sourceforge.net/selinux/?rev=2663&view=rev
Author: ssmalley
Date: 2007-11-01 09:51:10 -0700 (Thu, 01 Nov 2007)
Log Message:
-----------
Author: Eamon Walsh
Email: ew...@ty...
Subject: libselinux: refactor AVC netlink code
Date: Wed, 24 Oct 2007 14:31:41 -0400
This patch removes duplication in the AVC netlink code
by introducing helper functions.
Did some basic testing and confirmed that messages are
received and processed.
More patches to follow.
Signed-off-by: Eamon Walsh <ew...@ty...>
Modified Paths:
--------------
trunk/libselinux/src/avc_internal.c
Modified: trunk/libselinux/src/avc_internal.c
===================================================================
--- trunk/libselinux/src/avc_internal.c 2007-10-19 19:59:08 UTC (rev 2662)
+++ trunk/libselinux/src/avc_internal.c 2007-11-01 16:51:10 UTC (rev 2663)
@@ -89,221 +89,146 @@
close(fd);
}
-int avc_netlink_check_nb(void)
+static int avc_netlink_receive(char *buf, unsigned buflen)
{
int rc;
struct sockaddr_nl nladdr;
socklen_t nladdrlen = sizeof nladdr;
- char buf[1024];
- struct nlmsghdr *nlh;
+ struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
- while (1) {
- rc = recvfrom(fd, buf, sizeof(buf), 0,
- (struct sockaddr *)&nladdr, &nladdrlen);
- if (rc < 0) {
- if (errno == EINTR)
- continue;
- if (errno != EAGAIN) {
- avc_log("%s: socket error during read: %d\n",
- avc_prefix, errno);
- } else {
- errno = 0;
- rc = 0;
- }
- goto out;
- }
+ rc = recvfrom(fd, buf, buflen, 0, (struct sockaddr *)&nladdr,
+ &nladdrlen);
+ if (rc < 0)
+ return rc;
- if (nladdrlen != sizeof nladdr) {
- avc_log
- ("%s: warning: netlink address truncated, len %d?\n",
- avc_prefix, nladdrlen);
- rc = -1;
- goto out;
- }
+ if (nladdrlen != sizeof nladdr) {
+ avc_log("%s: warning: netlink address truncated, len %d?\n",
+ avc_prefix, nladdrlen);
+ return -1;
+ }
- if (nladdr.nl_pid) {
- avc_log
- ("%s: warning: received spoofed netlink packet from: %d\n",
- avc_prefix, nladdr.nl_pid);
- continue;
- }
+ if (nladdr.nl_pid) {
+ avc_log("%s: warning: received spoofed netlink packet from: %d\n",
+ avc_prefix, nladdr.nl_pid);
+ return -1;
+ }
- if (rc == 0) {
- avc_log("%s: warning: received EOF on socket\n",
- avc_prefix);
- goto out;
- }
+ if (rc == 0) {
+ avc_log("%s: warning: received EOF on netlink socket\n",
+ avc_prefix);
+ errno = EBADFD;
+ return -1;
+ }
- nlh = (struct nlmsghdr *)buf;
+ if (nlh->nlmsg_flags & MSG_TRUNC || nlh->nlmsg_len > (unsigned)rc) {
+ avc_log("%s: warning: incomplete netlink message\n",
+ avc_prefix);
+ return -1;
+ }
- if (nlh->nlmsg_flags & MSG_TRUNC
- || nlh->nlmsg_len > (unsigned)rc) {
- avc_log("%s: warning: incomplete netlink message\n",
- avc_prefix);
- goto out;
- }
+ return 0;
+}
- rc = 0;
- switch (nlh->nlmsg_type) {
- case NLMSG_ERROR:{
- struct nlmsgerr *err = NLMSG_DATA(nlh);
+static int avc_netlink_process(char *buf)
+{
+ int rc;
+ struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
- /* Netlink ack */
- if (err->error == 0)
- break;
+ switch (nlh->nlmsg_type) {
+ case NLMSG_ERROR:{
+ struct nlmsgerr *err = NLMSG_DATA(nlh);
- errno = -err->error;
- avc_log("%s: netlink error: %d\n", avc_prefix,
- errno);
- rc = -1;
- goto out;
- }
+ /* Netlink ack */
+ if (err->error == 0)
+ break;
- case SELNL_MSG_SETENFORCE:{
- struct selnl_msg_setenforce *msg =
- NLMSG_DATA(nlh);
- avc_log
- ("%s: received setenforce notice (enforcing=%d)\n",
- avc_prefix, msg->val);
- avc_enforcing = msg->val;
- if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
- avc_log
- ("%s: cache reset returned %d (errno %d)\n",
- avc_prefix, rc, errno);
- goto out;
- }
- break;
- }
+ errno = -err->error;
+ avc_log("%s: netlink error: %d\n", avc_prefix, errno);
+ return -1;
+ }
- case SELNL_MSG_POLICYLOAD:{
- struct selnl_msg_policyload *msg =
- NLMSG_DATA(nlh);
- avc_log
- ("%s: received policyload notice (seqno=%d)\n",
- avc_prefix, msg->seqno);
- rc = avc_ss_reset(msg->seqno);
- if (rc < 0) {
- avc_log
- ("%s: cache reset returned %d (errno %d)\n",
- avc_prefix, rc, errno);
- goto out;
- }
- break;
- }
+ case SELNL_MSG_SETENFORCE:{
+ struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
+ avc_log("%s: received setenforce notice (enforcing=%d)\n",
+ avc_prefix, msg->val);
+ avc_enforcing = msg->val;
+ if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
+ avc_log("%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, rc, errno);
+ return rc;
+ }
+ break;
+ }
- default:
- avc_log("%s: warning: unknown netlink message %d\n",
- avc_prefix, nlh->nlmsg_type);
+ case SELNL_MSG_POLICYLOAD:{
+ struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
+ avc_log("%s: received policyload notice (seqno=%d)\n",
+ avc_prefix, msg->seqno);
+ rc = avc_ss_reset(msg->seqno);
+ if (rc < 0) {
+ avc_log("%s: cache reset returned %d (errno %d)\n",
+ avc_prefix, rc, errno);
+ return rc;
}
+ break;
}
- out:
- return rc;
+
+ default:
+ avc_log("%s: warning: unknown netlink message %d\n",
+ avc_prefix, nlh->nlmsg_type);
+ }
+ return 0;
}
-/* run routine for the netlink listening thread */
-void avc_netlink_loop(void)
+int avc_netlink_check_nb(void)
{
- int ret;
- struct sockaddr_nl nladdr;
- socklen_t nladdrlen = sizeof nladdr;
+ int rc;
char buf[1024];
- struct nlmsghdr *nlh;
while (1) {
- ret =
- recvfrom(fd, buf, sizeof(buf), 0,
- (struct sockaddr *)&nladdr, &nladdrlen);
- if (ret < 0) {
- if (errno == EINTR)
+ errno = 0;
+ rc = avc_netlink_receive(buf, sizeof(buf));
+ if (rc < 0) {
+ if (errno == EWOULDBLOCK)
+ return 0;
+ if (errno == 0 || errno == EINTR)
continue;
- avc_log("%s: netlink thread: recvfrom: error %d\n",
- avc_prefix, errno);
- goto out;
+ else {
+ avc_log("%s: netlink recvfrom: error %d\n",
+ avc_prefix, errno);
+ return rc;
+ }
}
- if (nladdrlen != sizeof nladdr) {
- avc_log
- ("%s: warning: netlink address truncated, len %d?\n",
- avc_prefix, nladdrlen);
- ret = -1;
- goto out;
- }
+ (void)avc_netlink_process(buf);
+ }
+ return 0;
+}
- if (nladdr.nl_pid) {
- avc_log
- ("%s: warning: received spoofed netlink packet from: %d\n",
- avc_prefix, nladdr.nl_pid);
- continue;
- }
+/* run routine for the netlink listening thread */
+void avc_netlink_loop(void)
+{
+ int rc;
+ char buf[1024];
- if (ret == 0) {
- avc_log("%s: netlink thread: received EOF on socket\n",
- avc_prefix);
- goto out;
- }
-
- nlh = (struct nlmsghdr *)buf;
-
- if (nlh->nlmsg_flags & MSG_TRUNC
- || nlh->nlmsg_len > (unsigned)ret) {
- avc_log
- ("%s: netlink thread: incomplete netlink message\n",
- avc_prefix);
- goto out;
- }
-
- switch (nlh->nlmsg_type) {
- case NLMSG_ERROR:{
- struct nlmsgerr *err = NLMSG_DATA(nlh);
-
- /* Netlink ack */
- if (err->error == 0)
- break;
-
- avc_log("%s: netlink thread: msg: error %d\n",
- avc_prefix, -err->error);
- goto out;
- }
-
- case SELNL_MSG_SETENFORCE:{
- struct selnl_msg_setenforce *msg =
- NLMSG_DATA(nlh);
- avc_log
- ("%s: received setenforce notice (enforcing=%d)\n",
- avc_prefix, msg->val);
- avc_enforcing = msg->val;
- if (avc_enforcing && (ret = avc_ss_reset(0)) < 0) {
- avc_log
- ("%s: cache reset returned %d (errno %d)\n",
- avc_prefix, ret, errno);
- goto out;
- }
+ while (1) {
+ errno = 0;
+ rc = avc_netlink_receive(buf, sizeof(buf));
+ if (rc < 0) {
+ if (errno == 0 || errno == EINTR)
+ continue;
+ else {
+ avc_log("%s: netlink recvfrom: error %d\n",
+ avc_prefix, errno);
break;
}
-
- case SELNL_MSG_POLICYLOAD:{
- struct selnl_msg_policyload *msg =
- NLMSG_DATA(nlh);
- avc_log
- ("%s: received policyload notice (seqno=%d)\n",
- avc_prefix, msg->seqno);
- ret = avc_ss_reset(msg->seqno);
- if (ret < 0) {
- avc_log
- ("%s: netlink thread: cache reset returned %d (errno %d)\n",
- avc_prefix, ret, errno);
- goto out;
- }
- break;
- }
-
- default:
- avc_log
- ("%s: netlink thread: warning: unknown msg type %d\n",
- avc_prefix, nlh->nlmsg_type);
}
+
+ rc = avc_netlink_process(buf);
+ if (rc < 0)
+ break;
}
- out:
+
close(fd);
avc_netlink_trouble = 1;
avc_log("%s: netlink thread: errors encountered, terminating\n",
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ew...@us...> - 2007-10-19 19:59:09
|
Revision: 2662
http://selinux.svn.sourceforge.net/selinux/?rev=2662&view=rev
Author: ewalsh
Date: 2007-10-19 12:59:08 -0700 (Fri, 19 Oct 2007)
Log Message:
-----------
updated libselinux to version 2.0.39
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2007-10-19 19:58:28 UTC (rev 2661)
+++ trunk/libselinux/ChangeLog 2007-10-19 19:59:08 UTC (rev 2662)
@@ -1,3 +1,6 @@
+2.0.39 2007-10-19
+ * Merged new X label namespaces from Eamon Walsh.
+
2.0.38 2007-10-15
* Bux fix and minor refactoring in string representation code.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2007-10-19 19:58:28 UTC (rev 2661)
+++ trunk/libselinux/VERSION 2007-10-19 19:59:08 UTC (rev 2662)
@@ -1 +1 @@
-2.0.38
+2.0.39
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ew...@us...> - 2007-10-19 19:58:30
|
Revision: 2661
http://selinux.svn.sourceforge.net/selinux/?rev=2661&view=rev
Author: ewalsh
Date: 2007-10-19 12:58:28 -0700 (Fri, 19 Oct 2007)
Log Message:
-----------
Author: Eamon Walsh
Email: ew...@ty...
Subject: libselinux: add "event" type to X contexts backend
Date: Fri, 19 Oct 2007 15:39:38 -0400
Here is a revised version of the patch that adds not one but two
backends, one for X event names and one for X "selections" which
are the clipboard objects used in cut & paste.
This is so the X Flask module can support labeling these objects
based on their names.
Signed-off-by: Eamon Walsh <ew...@ty...>
Acked-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libselinux/include/selinux/label.h
trunk/libselinux/src/label_x.c
Modified: trunk/libselinux/include/selinux/label.h
===================================================================
--- trunk/libselinux/include/selinux/label.h 2007-10-15 16:49:14 UTC (rev 2660)
+++ trunk/libselinux/include/selinux/label.h 2007-10-19 19:58:28 UTC (rev 2661)
@@ -111,6 +111,8 @@
#define SELABEL_X_PROP 1
#define SELABEL_X_EXT 2
#define SELABEL_X_CLIENT 3
+#define SELABEL_X_EVENT 4
+#define SELABEL_X_SELN 5
#ifdef __cplusplus
Modified: trunk/libselinux/src/label_x.c
===================================================================
--- trunk/libselinux/src/label_x.c 2007-10-15 16:49:14 UTC (rev 2660)
+++ trunk/libselinux/src/label_x.c 2007-10-19 19:58:28 UTC (rev 2661)
@@ -65,9 +65,13 @@
data->spec_arr[data->nspec].type = SELABEL_X_EXT;
else if (!strcmp(type, "client"))
data->spec_arr[data->nspec].type = SELABEL_X_CLIENT;
+ else if (!strcmp(type, "event"))
+ data->spec_arr[data->nspec].type = SELABEL_X_EVENT;
+ else if (!strcmp(type, "selection"))
+ data->spec_arr[data->nspec].type = SELABEL_X_SELN;
else {
selinux_log(SELINUX_WARNING,
- "%s: line %d has invalid file type %s\n",
+ "%s: line %d has invalid object type %s\n",
path, lineno, type);
return 0;
}
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ew...@us...> - 2007-10-15 16:49:15
|
Revision: 2660
http://selinux.svn.sourceforge.net/selinux/?rev=2660&view=rev
Author: ewalsh
Date: 2007-10-15 09:49:14 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
updated libselinux to version 2.0.38
Modified Paths:
--------------
trunk/libselinux/ChangeLog
trunk/libselinux/VERSION
Modified: trunk/libselinux/ChangeLog
===================================================================
--- trunk/libselinux/ChangeLog 2007-10-15 16:45:19 UTC (rev 2659)
+++ trunk/libselinux/ChangeLog 2007-10-15 16:49:14 UTC (rev 2660)
@@ -1,3 +1,6 @@
+2.0.38 2007-10-15
+ * Bux fix and minor refactoring in string representation code.
+
2.0.37 2007-10-05
* Merged selinux_get_callback, avc_open, empty string mapping from Eamon Walsh.
Modified: trunk/libselinux/VERSION
===================================================================
--- trunk/libselinux/VERSION 2007-10-15 16:45:19 UTC (rev 2659)
+++ trunk/libselinux/VERSION 2007-10-15 16:49:14 UTC (rev 2660)
@@ -1 +1 @@
-2.0.37
+2.0.38
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ew...@us...> - 2007-10-15 16:45:22
|
Revision: 2659
http://selinux.svn.sourceforge.net/selinux/?rev=2659&view=rev
Author: ewalsh
Date: 2007-10-15 09:45:19 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
Refactor string_to_av_perm() code to only require the real, kernel class
value in the compat function.
Modified Paths:
--------------
trunk/libselinux/src/stringrep.c
Modified: trunk/libselinux/src/stringrep.c
===================================================================
--- trunk/libselinux/src/stringrep.c 2007-10-15 16:38:04 UTC (rev 2658)
+++ trunk/libselinux/src/stringrep.c 2007-10-15 16:45:19 UTC (rev 2659)
@@ -329,12 +329,11 @@
return 0;
}
-static access_vector_t string_to_av_perm_compat(security_class_t tclass, const char *s)
+static access_vector_t string_to_av_perm_compat(security_class_t kclass, const char *s)
{
const uint16_t *common_pts_idx = 0;
access_vector_t perm, common_base = 0;
unsigned int i;
- security_class_t kclass = unmap_class(tclass);
for (i = 0; i < ARRAY_SIZE(av_inherit); i++) {
if (av_inherit[i].tclass == kclass) {
@@ -352,7 +351,7 @@
if (strcmp
(s,
common_perm_to_string_data.str + common_pts_idx[i]) == 0)
- return map_perm(tclass, perm);
+ return perm;
perm <<= 1;
i++;
}
@@ -361,7 +360,7 @@
if ((av_perm_to_string[i].tclass == kclass) &&
(strcmp(s, (av_perm_to_string_data.str
+ av_perm_to_string[i].nameidx)) == 0))
- return map_perm(tclass, av_perm_to_string[i].value);
+ return av_perm_to_string[i].value;
}
errno = EINVAL;
@@ -443,7 +442,7 @@
security_class_t kclass = unmap_class(tclass);
if (obj_class_compat)
- return string_to_av_perm_compat(tclass,s);
+ return map_perm(tclass, string_to_av_perm_compat(kclass, s));
node = get_class_cache_entry_value(kclass);
if (node != NULL) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ew...@us...> - 2007-10-15 16:38:08
|
Revision: 2658
http://selinux.svn.sourceforge.net/selinux/?rev=2658&view=rev
Author: ewalsh
Date: 2007-10-15 09:38:04 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
Author: Eamon Walsh
Email: ew...@ty...
Subject: libselinux: stringrep / mapping fix
Date: Thu, 11 Oct 2007 13:10:28 -0400
On one of the paths through security_class_to_string, the unmapping is
done twice. Same with security_av_perm_to_string.
Signed-off-by: Eamon Walsh <ew...@ty...>
Acked-by: Stephen Smalley <sd...@ty...>
Modified Paths:
--------------
trunk/libselinux/src/stringrep.c
Modified: trunk/libselinux/src/stringrep.c
===================================================================
--- trunk/libselinux/src/stringrep.c 2007-10-15 14:53:37 UTC (rev 2657)
+++ trunk/libselinux/src/stringrep.c 2007-10-15 16:38:04 UTC (rev 2658)
@@ -370,8 +370,6 @@
static const char *security_class_to_string_compat(security_class_t tclass)
{
- tclass = unmap_class(tclass);
-
if (tclass > 0 && tclass < NCLASSES)
return class_to_string_data.str + class_to_string[tclass];
@@ -386,9 +384,6 @@
access_vector_t common_base = 0;
unsigned int i;
- av = unmap_perm(tclass, av);
- tclass = unmap_class(tclass);
-
if (!av)
return NULL;
@@ -466,10 +461,11 @@
{
struct discover_class_node *node;
+ tclass = unmap_class(tclass);
+
if (obj_class_compat)
return security_class_to_string_compat(tclass);
- tclass = unmap_class(tclass);
node = get_class_cache_entry_value(tclass);
if (node == NULL)
return security_class_to_string_compat(tclass);
@@ -483,11 +479,12 @@
struct discover_class_node *node;
size_t i;
+ av = unmap_perm(tclass, av);
+ tclass = unmap_class(tclass);
+
if (obj_class_compat)
return security_av_perm_to_string_compat(tclass,av);
- av = unmap_perm(tclass, av);
- tclass = unmap_class(tclass);
node = get_class_cache_entry_value(tclass);
if (av && node)
for (i = 0; i<MAXVECTORS; i++)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-10-15 14:53:46
|
Revision: 2657
http://selinux.svn.sourceforge.net/selinux/?rev=2657&view=rev
Author: ssmalley
Date: 2007-10-15 07:53:37 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
updated policycoreutils to version 1.34.14
Modified Paths:
--------------
branches/stable/1_0/policycoreutils/ChangeLog
branches/stable/1_0/policycoreutils/VERSION
Modified: branches/stable/1_0/policycoreutils/ChangeLog
===================================================================
--- branches/stable/1_0/policycoreutils/ChangeLog 2007-10-15 14:53:16 UTC (rev 2656)
+++ branches/stable/1_0/policycoreutils/ChangeLog 2007-10-15 14:53:37 UTC (rev 2657)
@@ -1,3 +1,6 @@
+1.34.14 2007-10-15
+ * Fix semodule option handling from Dan Walsh.
+
1.34.13 2007-09-27
* Improve semodule reporting of system errors from Stephen Smalley.
Modified: branches/stable/1_0/policycoreutils/VERSION
===================================================================
--- branches/stable/1_0/policycoreutils/VERSION 2007-10-15 14:53:16 UTC (rev 2656)
+++ branches/stable/1_0/policycoreutils/VERSION 2007-10-15 14:53:37 UTC (rev 2657)
@@ -1 +1 @@
-1.34.13
+1.34.14
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-10-15 14:53:28
|
Revision: 2656
http://selinux.svn.sourceforge.net/selinux/?rev=2656&view=rev
Author: ssmalley
Date: 2007-10-15 07:53:16 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
updated policycoreutils to version 2.0.31
Modified Paths:
--------------
trunk/policycoreutils/ChangeLog
trunk/policycoreutils/VERSION
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog 2007-10-15 14:51:54 UTC (rev 2655)
+++ trunk/policycoreutils/ChangeLog 2007-10-15 14:53:16 UTC (rev 2656)
@@ -1,3 +1,6 @@
+2.0.31 2007-10-15
+ * Fix semodule option handling from Dan Walsh.
+
2.0.30 2007-10-11
* Add deleteall support for ports and fcontexts in semanage from Dan Walsh.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2007-10-15 14:51:54 UTC (rev 2655)
+++ trunk/policycoreutils/VERSION 2007-10-15 14:53:16 UTC (rev 2656)
@@ -1 +1 @@
-2.0.30
+2.0.31
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-10-15 14:51:56
|
Revision: 2655
http://selinux.svn.sourceforge.net/selinux/?rev=2655&view=rev
Author: ssmalley
Date: 2007-10-15 07:51:54 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
applied r2652:2654 from trunk
Modified Paths:
--------------
branches/stable/1_0/policycoreutils/semodule/semodule.c
Modified: branches/stable/1_0/policycoreutils/semodule/semodule.c
===================================================================
--- branches/stable/1_0/policycoreutils/semodule/semodule.c 2007-10-15 14:50:41 UTC (rev 2654)
+++ branches/stable/1_0/policycoreutils/semodule/semodule.c 2007-10-15 14:51:54 UTC (rev 2655)
@@ -249,11 +249,12 @@
* arguments as args. Will allow 'semodule -i *.pp' to
* work as expected.
*/
- if (commands[num_commands - 1].mode == INSTALL_M) {
+
+ if (commands && commands[num_commands - 1].mode == INSTALL_M) {
mode = INSTALL_M;
- } else if (commands[num_commands - 1].mode == UPGRADE_M) {
+ } else if (commands && commands[num_commands - 1].mode == UPGRADE_M) {
mode = UPGRADE_M;
- } else if (commands[num_commands - 1].mode == REMOVE_M) {
+ } else if (commands && commands[num_commands - 1].mode == REMOVE_M) {
mode = REMOVE_M;
} else {
fprintf(stderr, "unknown additional arguments:\n");
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-10-15 14:50:44
|
Revision: 2654
http://selinux.svn.sourceforge.net/selinux/?rev=2654&view=rev
Author: ssmalley
Date: 2007-10-15 07:50:41 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
Revert unintentional commit.
Modified Paths:
--------------
trunk/libselinux/src/stringrep.c
Modified: trunk/libselinux/src/stringrep.c
===================================================================
--- trunk/libselinux/src/stringrep.c 2007-10-15 14:49:13 UTC (rev 2653)
+++ trunk/libselinux/src/stringrep.c 2007-10-15 14:50:41 UTC (rev 2654)
@@ -370,6 +370,8 @@
static const char *security_class_to_string_compat(security_class_t tclass)
{
+ tclass = unmap_class(tclass);
+
if (tclass > 0 && tclass < NCLASSES)
return class_to_string_data.str + class_to_string[tclass];
@@ -384,6 +386,9 @@
access_vector_t common_base = 0;
unsigned int i;
+ av = unmap_perm(tclass, av);
+ tclass = unmap_class(tclass);
+
if (!av)
return NULL;
@@ -461,11 +466,10 @@
{
struct discover_class_node *node;
- tclass = unmap_class(tclass);
-
if (obj_class_compat)
return security_class_to_string_compat(tclass);
+ tclass = unmap_class(tclass);
node = get_class_cache_entry_value(tclass);
if (node == NULL)
return security_class_to_string_compat(tclass);
@@ -479,12 +483,11 @@
struct discover_class_node *node;
size_t i;
- av = unmap_perm(tclass, av);
- tclass = unmap_class(tclass);
-
if (obj_class_compat)
return security_av_perm_to_string_compat(tclass,av);
+ av = unmap_perm(tclass, av);
+ tclass = unmap_class(tclass);
node = get_class_cache_entry_value(tclass);
if (av && node)
for (i = 0; i<MAXVECTORS; i++)
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-10-15 14:49:15
|
Revision: 2653
http://selinux.svn.sourceforge.net/selinux/?rev=2653&view=rev
Author: ssmalley
Date: 2007-10-15 07:49:13 -0700 (Mon, 15 Oct 2007)
Log Message:
-----------
Author: Daniel J Walsh
Email: dw...@re...
Subject: Fix semodule option handling
Date: Thu, 11 Oct 2007 16:03:18 -0400
semodule -B lksjdlj
will blow up.
Acked-by: Joshua Brindle <me...@ma...>
Modified Paths:
--------------
trunk/libselinux/src/stringrep.c
trunk/policycoreutils/semodule/semodule.c
Modified: trunk/libselinux/src/stringrep.c
===================================================================
--- trunk/libselinux/src/stringrep.c 2007-10-11 20:35:12 UTC (rev 2652)
+++ trunk/libselinux/src/stringrep.c 2007-10-15 14:49:13 UTC (rev 2653)
@@ -370,8 +370,6 @@
static const char *security_class_to_string_compat(security_class_t tclass)
{
- tclass = unmap_class(tclass);
-
if (tclass > 0 && tclass < NCLASSES)
return class_to_string_data.str + class_to_string[tclass];
@@ -386,9 +384,6 @@
access_vector_t common_base = 0;
unsigned int i;
- av = unmap_perm(tclass, av);
- tclass = unmap_class(tclass);
-
if (!av)
return NULL;
@@ -466,10 +461,11 @@
{
struct discover_class_node *node;
+ tclass = unmap_class(tclass);
+
if (obj_class_compat)
return security_class_to_string_compat(tclass);
- tclass = unmap_class(tclass);
node = get_class_cache_entry_value(tclass);
if (node == NULL)
return security_class_to_string_compat(tclass);
@@ -483,11 +479,12 @@
struct discover_class_node *node;
size_t i;
+ av = unmap_perm(tclass, av);
+ tclass = unmap_class(tclass);
+
if (obj_class_compat)
return security_av_perm_to_string_compat(tclass,av);
- av = unmap_perm(tclass, av);
- tclass = unmap_class(tclass);
node = get_class_cache_entry_value(tclass);
if (av && node)
for (i = 0; i<MAXVECTORS; i++)
Modified: trunk/policycoreutils/semodule/semodule.c
===================================================================
--- trunk/policycoreutils/semodule/semodule.c 2007-10-11 20:35:12 UTC (rev 2652)
+++ trunk/policycoreutils/semodule/semodule.c 2007-10-15 14:49:13 UTC (rev 2653)
@@ -249,11 +249,12 @@
* arguments as args. Will allow 'semodule -i *.pp' to
* work as expected.
*/
- if (commands[num_commands - 1].mode == INSTALL_M) {
+
+ if (commands && commands[num_commands - 1].mode == INSTALL_M) {
mode = INSTALL_M;
- } else if (commands[num_commands - 1].mode == UPGRADE_M) {
+ } else if (commands && commands[num_commands - 1].mode == UPGRADE_M) {
mode = UPGRADE_M;
- } else if (commands[num_commands - 1].mode == REMOVE_M) {
+ } else if (commands && commands[num_commands - 1].mode == REMOVE_M) {
mode = REMOVE_M;
} else {
fprintf(stderr, "unknown additional arguments:\n");
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-10-11 20:35:15
|
Revision: 2652
http://selinux.svn.sourceforge.net/selinux/?rev=2652&view=rev
Author: ssmalley
Date: 2007-10-11 13:35:12 -0700 (Thu, 11 Oct 2007)
Log Message:
-----------
updated libsepol to version 1.16.9
Modified Paths:
--------------
branches/stable/1_0/libsepol/ChangeLog
branches/stable/1_0/libsepol/VERSION
Modified: branches/stable/1_0/libsepol/ChangeLog
===================================================================
--- branches/stable/1_0/libsepol/ChangeLog 2007-10-11 20:28:52 UTC (rev 2651)
+++ branches/stable/1_0/libsepol/ChangeLog 2007-10-11 20:35:12 UTC (rev 2652)
@@ -1,3 +1,7 @@
+1.16.9 2007-10-11
+ * Fixed bug in require checking from Stephen Smalley.
+ * Added user hierarchy checking from Todd Miller.
+
1.16.8 2007-09-27
* Merged support for the handle_unknown policydb flag from Eric Paris.
Modified: branches/stable/1_0/libsepol/VERSION
===================================================================
--- branches/stable/1_0/libsepol/VERSION 2007-10-11 20:28:52 UTC (rev 2651)
+++ branches/stable/1_0/libsepol/VERSION 2007-10-11 20:35:12 UTC (rev 2652)
@@ -1 +1 @@
-1.16.8
+1.16.9
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
|
From: <ssm...@us...> - 2007-10-11 20:28:53
|
Revision: 2651
http://selinux.svn.sourceforge.net/selinux/?rev=2651&view=rev
Author: ssmalley
Date: 2007-10-11 13:28:52 -0700 (Thu, 11 Oct 2007)
Log Message:
-----------
updated policycoreutils to version 2.0.30
Modified Paths:
--------------
trunk/policycoreutils/ChangeLog
trunk/policycoreutils/VERSION
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog 2007-10-11 20:26:57 UTC (rev 2650)
+++ trunk/policycoreutils/ChangeLog 2007-10-11 20:28:52 UTC (rev 2651)
@@ -1,3 +1,6 @@
+2.0.30 2007-10-11
+ * Add deleteall support for ports and fcontexts in semanage from Dan Walsh.
+
2.0.29 2007-10-05
* Add genhomedircon script to invoke semodule -Bn from Dan Walsh.
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2007-10-11 20:26:57 UTC (rev 2650)
+++ trunk/policycoreutils/VERSION 2007-10-11 20:28:52 UTC (rev 2651)
@@ -1 +1 @@
-2.0.29
+2.0.30
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
