From: <ssm...@us...> - 2007-08-21 15:13:30
Revision: 2520 http://selinux.svn.sourceforge.net/selinux/?rev=2520&view=rev Author: ssmalley Date: 2007-08-21 08:13:25 -0700 (Tue, 21 Aug 2007) Log Message: ----------- Bug fix: checkpolicy/checkmodule call these functions with a NULL handle. Modified Paths: -------------- trunk/libsepol/src/expand.c Modified: trunk/libsepol/src/expand.c ===================================================================
--- trunk/libsepol/src/expand.c 2007-08-16 19:23:53 UTC (rev 2519)
+++ trunk/libsepol/src/expand.c 2007-08-21 15:13:25 UTC (rev 2520)
@@ -1367,7 +1367,7 @@
 } else if (specified & AVRULE_AUDITDENY) {
 spec = AVTAB_AUDITDENY;
 } else if (specified & AVRULE_DONTAUDIT) {
- if (handle->disable_dontaudit)
+ if (handle && handle->disable_dontaudit)
 return EXPAND_RULE_SUCCESS;
 spec = AVTAB_AUDITDENY;
 } else if (specified & AVRULE_NEVERALLOW) {
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
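Review bot: The guard `if (handle && handle->disable_dontaudit)` covers a single dereference, while the log message says checkpolicy/checkmodule call "these functions" with a NULL handle; any other `handle->` read on the expand path (not visible in this diff) would still crash for those callers and should be checked in the same pass. With this change a NULL handle silently means "keep dontaudit rules", so the denials they cover stay out of the audit log for those tools; that default deserves a comment where it is decided, for example `/* NULL handle (checkpolicy/checkmodule): dontaudit rules are kept, as by default */`. The enclosing function starts and ends outside the hunk.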
From: <ssm...@us...> - 2008-05-27 20:06:26
Revision: 2887 http://selinux.svn.sourceforge.net/selinux/?rev=2887&view=rev Author: ssmalley Date: 2008-05-27 13:06:24 -0700 (Tue, 27 May 2008) Log Message: ----------- Remove nonsensical tests of !(&...\.node) - they are always false. Modified Paths: -------------- trunk/libsepol/src/expand.c Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2008-05-27 20:03:37 UTC (rev 2886) +++ trunk/libsepol/src/expand.c 2008-05-27 20:06:24 UTC (rev 2887) @@ -544,9 +544,6 @@ role_datum_t *role = (role_datum_t *) datum; expand_state_t *state = (expand_state_t *) data; - if (!(&role->dominates.node)) - return 0; - if (map_ebitmap(&role->dominates, &mapped_roles, state->rolemap)) return -1; @@ -619,11 +616,6 @@ } } - if (!(&new_role->dominates.node)) { - ebitmap_init(&new_role->dominates); - } - - /* The dominates bitmap is going to be wrong for the moment, * we'll come back later and remap them, after we are sure all * the roles have been added */ @@ -642,10 +634,6 @@ return -1; } - if (!(&new_role->types.types.node)) { - ebitmap_init(&new_role->types.types); - } - if (ebitmap_union(&new_role->types.types, &tmp_union_types)) { ERR(state->handle, "Out of memory!"); ebitmap_destroy(&tmp_union_types); @@ -820,10 +808,6 @@ return -1; } - if (!(&new_user->roles.roles.node)) { - ebitmap_init(&new_user->roles.roles); - } - if (ebitmap_union(&new_user->roles.roles, &tmp_union)) { ERR(state->handle, "Out of memory!"); ebitmap_destroy(&tmp_union); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <ssm...@us...> - 2008-06-13 14:13:49
Revision: 2909 http://selinux.svn.sourceforge.net/selinux/?rev=2909&view=rev Author: ssmalley Date: 2008-06-13 07:13:46 -0700 (Fri, 13 Jun 2008) Log Message: ----------- Author: Stephen Smalley Email: sd...@ty... Subject: libsepol segfault when module requires a user not in base Date: Fri, 13 Jun 2008 10:11:06 -0400 On Thu, 2008-06-12 at 17:21 -0400, Eric Paris wrote: > checkpolicy-2.0.16-2.fc10.x86_64 > libsepol-2.0.30-1.fc10.x86_64 > > Program terminated with signal 11, Segmentation fault. > [New process 6347] > #0 0x000000000041a155 in mls_semantic_level_expand () > (gdb) bt > #0 0x000000000041a155 in mls_semantic_level_expand () > #1 0x000000000041a3f9 in mls_semantic_range_expand () > #2 0x000000000040dd0d in policydb_user_cache () > #3 0x000000000040417e in hashtab_map () > #4 0x000000000040d829 in policydb_index_others () > #5 0x00000000004082e1 in link_modules () > #6 0x00000000004036a7 in main (argc=<value optimized out>, argv=0x7fffe894e178) at dismod.c:761 > (gdb) quit > > base.conf: > ********** > class class1 > sid sid1 > class class1 > { > perm1 > perm2 > } > sensitivity s0; > dominance { s0 } > category c0; category c1; category c2; category c3; > category c4; category c5; category c6; category c7; > category c8; category c9; category c10; category c11; > category c12; category c13; category c14; category c15; > category c16; category c17; category c18; category c19; > category c20; category c21; category c22; category c23; > level s0:c0.c23; > mlsconstrain class1 { perm1 perm2 } > ( h1 dom h2 ); > attribute attr1; > type type1_t; > type type2_t; > role role1_r types { type1_t type2_t }; > role role2_r types { type1_t type2_t }; > allow type1_t type2_t: class1 { perm1 }; > allow role1_r role2_r; > bool bool1 true; > user user1_u roles { role1_r } level s0 range s0 - s0:c0.c23; > sid sid1 user1_u:role1_r:type1_t:s0 > fs_use_xattr ext2 user1_u:role1_r:type1_t:s0; > genfscon proc / user1_u:role1_r:type1_t:s0 > nodecon ::1 FFFF:FFFF:FFFF:FFFF:: 
user1_u:role1_r:type1_t:s0 > > badmodule.te: > ************* > module badmodule 1.0.0; > require { > user baduser_u; > type type2_t; > type type1_t; > class class1 perm1; > } > > allow type1_t type2_t : class1 perm1; > > ************ > checkmodule -M -o base.mod base.conf > checkmodule -M -m -o badmodule.mod badmodule.te > sedismod base.mod > #l > #badmodule.mod > > ***BOOM*** Interestingly doesn't occur on F9 for me, so likely a side effect of the user/role remapping support leading to earlier indexing/caching. Seems like the same issue as we had with mls_level_convert() in link. Patch below restores the correct behavior. Signed-off-by: Stephen Smalley <sd...@ty...> Modified Paths: -------------- trunk/libsepol/src/expand.c Modified: trunk/libsepol/src/expand.c =================================================================== --- trunk/libsepol/src/expand.c 2008-06-11 18:10:07 UTC (rev 2908) +++ trunk/libsepol/src/expand.c 2008-06-13 14:13:46 UTC (rev 2909) @@ -656,6 +656,10 @@ if (!p->mls) return 0; + /* Required not declared. */ + if (!sl->sens) + return 0; + l->sens = sl->sens; levdatum = (level_datum_t *) hashtab_search(p->p_levels.table, p->p_sens_val_to_name[l-> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
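Review bot: The added early `return 0` for `!sl->sens` reports success without writing anything to `l`, so a caller cannot tell an expanded level from a skipped one. Unless the caller initialised `l` beforehand (not visible in the hunk), it carries on with whatever `l` held. The context line just below indexes `p->p_sens_val_to_name[l->`, which suggests a zero or stale sensitivity value must never reach a later lookup of that kind; the callers shown in the backtrace (`mls_semantic_range_expand`, `policydb_user_cache`) should be confirmed to tolerate an unfilled level. I would widen the comment to state the contract, for example `/* Required but not declared: nothing to expand; l is left untouched and is not a valid level. */`. The enclosing function, presumably `mls_semantic_level_expand` going by the backtrace, starts and ends outside the hunk.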