History log of /external/selinux/checkpolicy/test/dispol.c
Revision Date Author Comments
8fdb2255215a1f1488b613737b5fbffb873d8376 23-Nov-2016 Stephen Smalley <sds@tycho.nsa.gov> libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs

range transition and name-based type transition rules were originally
simple unordered lists. They were converted to hashtabs in the kernel
by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range
transition list to a hashtab") and by commit
2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based
create rules in a hashtable"), but left unchanged in libsepol and
checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs
as the kernel for the range transitions and name-based type transitions.

With this change and the preceding one, it is possible to directly compare
a policy file generated by libsepol/checkpolicy and the kernel-generated
/sys/fs/selinux/policy pseudo file after normalizing them both through
checkpolicy. To do so, you can run the following sequence of commands:

    checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
    checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
    cmp policy.1 policy.2

Normalizing the two files via checkpolicy is still necessary to ensure
consistent ordering of the avtab entries. There may still be potential
for other areas of difference, e.g. xperms entries may lack a well-defined
order.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
286df12fd98e0715761e2294ef93b6f208d2436a 20-Jun-2016 Petr Lautrbach <plautrba@redhat.com> checkpolicy: Fix typos in test/dispol

Reported-By: Milos Malik <mmalik@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
99fc177b5af4e1e8855d42d2d01cb93ac7f9d14b 18-Sep-2015 Jeff Vander Stoep <jeffv@google.com> Add neverallow support for ioctl extended permissions

Neverallow rules for ioctl extended permissions will pass in two
cases:
1. If extended permissions exist for the source-target-class set
   the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class
   set the test will pass if the ioctl permission is not granted.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
915fa8f08f4f9a4c437ee8280a4e641872ea59dd 12-Jun-2015 Jeff Vander Stoep <jeffv@google.com> checkpolicy: switch operations to extended perms

The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
/external/selinux/checkpolicy/test/dispol.c
7f1ec68362a36f1a63350295f2f9f7f420a55996 28-Apr-2015 Jeff Vander Stoep <jeffv@google.com> dispol: display operations as ranges

Displays operations ranges more concisely. E.g.

    { 0x8901-0x8930 }

instead of

    { 0x8901 0x8902 0x8903 0x8904 80x8905 0x0806 ... 0x8930 }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
6dafd3ded969e66d56586fe49754db3d6f3bd38c 23-Apr-2015 Stephen Smalley <sds@tycho.nsa.gov> dispol: Extend to display operations.

Also drop expanding of rules; just display the rules in their
original form. I think expansion was a relic of an older policy
version where we did not preserve attributes in the kernel policy.
In any event, it seems more useful to display the rules unmodified.

Change-Id: I85095a35cfb48138cd9cf01cde6dd0330e342c61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
0551fb1080249d89811c888f4f09f1ae49bb4bc6 26-Feb-2015 Emre Can Kucukoglu <eckucukoglu@gmail.com> checkpolicy: fgets function warnings fix for dismod and dispol

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
c4a4a1a7ed42c167a7d4bae06a1fffa8c6c9cb8d 14-Sep-2014 Nicolas Iooss <nicolas.iooss@m4x.org> Fix gcc -Wstrict-prototypes warnings

In C, defining a function with () means "any number of parameters", not
"no parameter". Use (void) instead where applicable and add unused
parameters when needed.

Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/test/dispol.c
7dcb7a594698124940d148f00f85be90c6757d7f 14-Sep-2014 Nicolas Iooss <nicolas.iooss@m4x.org> checkpolicy: fix most gcc -Wwrite-strings warnings

Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/test/dispol.c
44d8a2fed985858669d415ebe028d71768dd6652 03-Nov-2011 Eric Paris <eparis@redhat.com> checkpolicy: dis* fixed signed vs unsigned errors

A number of places we used unsigned variables and compared them against
signed variables. This patch makes everything unsigned.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
e759841c08eb97bf7c8f7cd3197fe7758cd4cba6 18-Aug-2011 Eric Paris <eparis@redhat.com> checkpolicy: fix spacing in output message

The output formatting had two items crammed together without a space.
Add a space.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
aec2e0265cabe74730d8950aae21be31f632337f 20-Apr-2011 Eric Paris <eparis@redhat.com> checkpolicy: dispol: print role transition rules

There was no way to print all of the role transition rules in dispol.
Add that support.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
f1b004bf7d2453bda1a8076270f5c56b7ad90f56 20-Apr-2011 Eric Paris <eparis@redhat.com> checkpolicy: fix dispol/dismod display for filename trans rules

The formatting of dismod/dispol display of filename trans rules didn't
make a lot of sense. Make them more like the original rules.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
516cb2a264448421bff692f47f61e8cf2a74237e 28-Mar-2011 Eric Paris <eparis@redhat.com> checkpolicy: add support for using last path component in type transition rules

This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. An example
rule looks like so:

    type_transition unconfined_t etc_t:file system_conf_t eric;

This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.

The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/test/dispol.c
13cd4c8960688af11ad23b4c946149015c80d549 19-Aug-2008 Joshua Brindle <method@manicmethod.com> initial import from svn trunk revision 2950
/external/selinux/checkpolicy/test/dispol.c