8fdb2255215a1f1488b613737b5fbffb873d8376 |
|
23-Nov-2016 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs

Range transition and name-based type transition rules were originally simple unordered lists. They were converted to hashtabs in the kernel by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range transition list to a hashtab") and by commit 2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based create rules in a hashtable"), but left unchanged in libsepol and checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs as the kernel for the range transitions and name-based type transitions.

With this change and the preceding one, it is possible to directly compare a policy file generated by libsepol/checkpolicy and the kernel-generated /sys/fs/selinux/policy pseudo file after normalizing them both through checkpolicy. To do so, you can run the following sequence of commands:

    checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
    checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
    cmp policy.1 policy.2

Normalizing the two files via checkpolicy is still necessary to ensure consistent ordering of the avtab entries. There may still be potential for other areas of difference, e.g. xperms entries may lack a well-defined order.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
|
286df12fd98e0715761e2294ef93b6f208d2436a |
|
20-Jun-2016 |
Petr Lautrbach <plautrba@redhat.com> |
checkpolicy: Fix typos in test/dispol Reported-By: Milos Malik <mmalik@redhat.com> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
|
99fc177b5af4e1e8855d42d2d01cb93ac7f9d14b |
|
18-Sep-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Add neverallow support for ioctl extended permissions

Neverallow rules for ioctl extended permissions will pass in two cases:
1. If extended permissions exist for the source-target-class set the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class set the test will pass if the ioctl permission is not granted.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
|
915fa8f08f4f9a4c437ee8280a4e641872ea59dd |
|
12-Jun-2015 |
Jeff Vander Stoep <jeffv@google.com> |
checkpolicy: switch operations to extended perms The ioctl operations code is being renamed to the more generic "extended permissions." This commit brings the policy compiler up to date with the kernel patch. Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
/external/selinux/checkpolicy/test/dispol.c
|
7f1ec68362a36f1a63350295f2f9f7f420a55996 |
|
28-Apr-2015 |
Jeff Vander Stoep <jeffv@google.com> |
dispol: display operations as ranges

Displays operations ranges more concisely. E.g.

    { 0x8901-0x8930 }

instead of

    { 0x8901 0x8902 0x8903 0x8904 80x8905 0x0806 ... 0x8930 }

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
|
6dafd3ded969e66d56586fe49754db3d6f3bd38c |
|
23-Apr-2015 |
Stephen Smalley <sds@tycho.nsa.gov> |
dispol: Extend to display operations. Also drop expanding of rules; just display the rules in their original form. I think expansion was a relic of an older policy version where we did not preserve attributes in the kernel policy. In any event, it seems more useful to display the rules unmodified. Change-Id: I85095a35cfb48138cd9cf01cde6dd0330e342c61 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
|
0551fb1080249d89811c888f4f09f1ae49bb4bc6 |
|
26-Feb-2015 |
Emre Can Kucukoglu <eckucukoglu@gmail.com> |
checkpolicy: fgets function warnings fix for dismod and dispol Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/checkpolicy/test/dispol.c
|
c4a4a1a7ed42c167a7d4bae06a1fffa8c6c9cb8d |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
Fix gcc -Wstrict-prototypes warnings In C, defining a function with () means "any number of parameters", not "no parameter". Use (void) instead where applicable and add unused parameters when needed. Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/test/dispol.c
|
7dcb7a594698124940d148f00f85be90c6757d7f |
|
14-Sep-2014 |
Nicolas Iooss <nicolas.iooss@m4x.org> |
checkpolicy: fix most gcc -Wwrite-strings warnings Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/test/dispol.c
|
44d8a2fed985858669d415ebe028d71768dd6652 |
|
03-Nov-2011 |
Eric Paris <eparis@redhat.com> |
checkpolicy: dis* fixed signed vs unsigned errors In a number of places we used unsigned variables and compared them against signed variables. This patch makes everything unsigned. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
|
e759841c08eb97bf7c8f7cd3197fe7758cd4cba6 |
|
18-Aug-2011 |
Eric Paris <eparis@redhat.com> |
checkpolicy: fix spacing in output message The output formatting had two items crammed together without a space. Add a space. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
|
aec2e0265cabe74730d8950aae21be31f632337f |
|
20-Apr-2011 |
Eric Paris <eparis@redhat.com> |
checkpolicy: dispol: print role transition rules There was no way to print all of the role transition rules in dispol. Add that support. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
|
f1b004bf7d2453bda1a8076270f5c56b7ad90f56 |
|
20-Apr-2011 |
Eric Paris <eparis@redhat.com> |
checkpolicy: fix dispol/dismod display for filename trans rules The formatting of dismod/dispol display of filename trans rules didn't make a lot of sense. Make them more like the original rules. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/test/dispol.c
|
516cb2a264448421bff692f47f61e8cf2a74237e |
|
28-Mar-2011 |
Eric Paris <eparis@redhat.com> |
checkpolicy: add support for using last path component in type transition rules

This patch adds support for using the last path component as part of the information in making labeling decisions for new objects. An example rule looks like so:

    type_transition unconfined_t etc_t:file system_conf_t eric;

This rule says if unconfined_t creates a file in a directory labeled etc_t and the last path component is "eric" (no globbing, no matching magic, just exact strcmp) it should be labeled system_conf_t.

The kernel and policy representation does not have support for such rules in conditionals, and thus policy explicitly notes that fact if such a rule is added to a conditional.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/test/dispol.c
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/checkpolicy/test/dispol.c
|