[PATCH] libsepol: support the handle_unknown config flag

[PATCH] libsepol: support the handle_unknown config flag

[Eric Paris]

Update the policydb definition to contain a handle_unknown flag.  Change
libsepol to copy the handle_unknown config flag from the base policy to
the final binary policy.  Also makes libsepol properly read and write
the flag which dealing with policy modules.

Signed-off-by: Eric Paris <eparis@redhat.com>

diff -Naupr libsepol-2.0.4/include/sepol/policydb/policydb.h libsepol-2.0.4.new/include/sepol/policydb/policydb.h
--- libsepol-2.0.4/include/sepol/policydb/policydb.h	2007-06-21 05:17:02.000000000 -0400
+++ libsepol-2.0.4.new/include/sepol/policydb/policydb.h	2007-07-31 16:14:13.000000000 -0400
@@ -469,6 +469,8 @@ typedef struct policydb {
 	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
 
 	unsigned policyvers;
+
+	unsigned handle_unknown;
 } policydb_t;
 
 struct sepol_policydb {
@@ -599,6 +601,13 @@ extern int policydb_write(struct policyd
 
 #define POLICYDB_CONFIG_MLS    1
 
+/* the config flags related to unknown classes/perms are bits 2 and 3 */
+#define DENY_UNKNOWN	0x00000000
+#define REJECT_UNKNOWN	0x00000002
+#define ALLOW_UNKNOWN 	0x00000004
+
+#define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
+
 #define OBJECT_R "object_r"
 #define OBJECT_R_VAL 1
 
diff -Naupr libsepol-2.0.4/src/expand.c libsepol-2.0.4.new/src/expand.c
--- libsepol-2.0.4/src/expand.c	2007-06-21 05:17:01.000000000 -0400
+++ libsepol-2.0.4.new/src/expand.c	2007-07-27 18:32:39.000000000 -0400
@@ -2248,6 +2248,7 @@ int expand_module(sepol_handle_t * handl
 
 	/* Copy mls state from base to out */
 	out->mls = base->mls;
+	out->handle_unknown = base->handle_unknown;
 
 	if ((state.typemap =
 	     (uint32_t *) calloc(state.base->p_types.nprim,
diff -Naupr libsepol-2.0.4/src/policydb.c libsepol-2.0.4.new/src/policydb.c
--- libsepol-2.0.4/src/policydb.c	2007-06-21 05:17:01.000000000 -0400
+++ libsepol-2.0.4.new/src/policydb.c	2007-07-31 16:17:53.000000000 -0400
@@ -3057,6 +3057,8 @@ int policydb_read(policydb_t * p, struct
 		p->mls = 0;
 	}
 
+	p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;
+
 	bufindex++;
 
 	info = policydb_lookup_compat(r_policyvers, policy_type);
diff -Naupr libsepol-2.0.4/src/write.c libsepol-2.0.4.new/src/write.c
--- libsepol-2.0.4/src/write.c	2007-06-21 05:17:01.000000000 -0400
+++ libsepol-2.0.4.new/src/write.c	2007-07-31 16:18:49.000000000 -0400
@@ -1534,6 +1534,8 @@ int policydb_write(policydb_t * p, struc
 	if (p->mls)
 		config |= POLICYDB_CONFIG_MLS;
 
+	config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
+
 	/* Write the magic number and string identifiers. */
 	items = 0;
 	if (p->policy_type == POLICY_KERN) {



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] libsepol: support the handle_unknown config flag

[Stephen Smalley]

On Wed, 2007-08-01 at 11:52 -0400, Eric Paris wrote:
> Update the policydb definition to contain a handle_unknown flag.  Change
> libsepol to copy the handle_unknown config flag from the base policy to
> the final binary policy.  Also makes libsepol properly read and write
> the flag which dealing with policy modules.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>

Here is a patch on top of yours that allows you to override the base
module setting via semanage.conf, handle-unknown = [deny,reject,allow].

---

 libsemanage/src/conf-parse.y               |   35 ++++++++++++++++++++---------
 libsemanage/src/conf-scan.l                |    1 
 libsemanage/src/semanage_conf.h            |    1 
 libsemanage/src/semanage_store.c           |    2 +
 libsepol/include/sepol/policydb.h          |    7 +++++
 libsepol/include/sepol/policydb/policydb.h |    6 ++--
 libsepol/src/policydb_public.c             |   18 ++++++++++++++
 7 files changed, 57 insertions(+), 13 deletions(-)

diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-parse.y trunk/libsemanage/src/conf-parse.y
--- eric/libsemanage/src/conf-parse.y	2007-08-23 16:11:02.000000000 -0400
+++ trunk/libsemanage/src/conf-parse.y	2007-08-23 16:03:20.000000000 -0400
@@ -57,7 +57,7 @@
 }
 
 %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
-%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
+%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN
 %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
 %token PROG_PATH PROG_ARGS
 %token <s> ARG
@@ -81,6 +81,7 @@
         |       save_previous
         |       save_linked
         |       disable_genhomedircon
+        |       handle_unknown
         ;
 
 module_store:   MODULE_STORE '=' ARG {
@@ -139,15 +140,28 @@
         ;
 
 disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
-								if (strcasecmp($3, "false") == 0) {
-										current_conf->disable_genhomedircon = 0;
-									} else if (strcasecmp($3, "true") == 0) {
-										current_conf->disable_genhomedircon = 1;
-									} else {
-										yyerror("disable-genhomedircon can only be 'true' or 'false'");
-									}
-									free($3);
-					  }
+	if (strcasecmp($3, "false") == 0) {
+		current_conf->disable_genhomedircon = 0;
+	} else if (strcasecmp($3, "true") == 0) {
+		current_conf->disable_genhomedircon = 1;
+	} else {
+		yyerror("disable-genhomedircon can only be 'true' or 'false'");
+	}
+	free($3);
+ }
+
+handle_unknown: HANDLE_UNKNOWN '=' ARG {
+	if (strcasecmp($3, "deny") == 0) {
+		current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
+	} else if (strcasecmp($3, "reject") == 0) {
+		current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
+	} else if (strcasecmp($3, "allow") == 0) {
+		current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
+	} else {
+		yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
+	}
+	free($3);
+ }
 
 command_block: 
                 command_start external_opts BLOCK_END  {
@@ -214,6 +228,7 @@
 	conf->store_path = strdup(basename(selinux_policy_root()));
 	conf->policyvers = sepol_policy_kern_vers_max();
 	conf->expand_check = 1;
+	conf->handle_unknown = -1;
 	conf->file_mode = 0644;
 
 	conf->save_previous = 0;
diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-scan.l trunk/libsemanage/src/conf-scan.l
--- eric/libsemanage/src/conf-scan.l	2007-08-23 16:11:02.000000000 -0400
+++ trunk/libsemanage/src/conf-scan.l	2007-08-23 15:53:28.000000000 -0400
@@ -45,6 +45,7 @@
 save-previous     return SAVE_PREVIOUS;
 save-linked       return SAVE_LINKED;
 disable-genhomedircon return DISABLE_GENHOMEDIRCON;
+handle-unknown    return HANDLE_UNKNOWN;
 "[load_policy]"   return LOAD_POLICY_START;
 "[setfiles]"      return SETFILES_START;
 "[verify module]" return VERIFY_MOD_START;
diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_conf.h trunk/libsemanage/src/semanage_conf.h
--- eric/libsemanage/src/semanage_conf.h	2007-08-23 16:11:02.000000000 -0400
+++ trunk/libsemanage/src/semanage_conf.h	2007-08-23 15:53:53.000000000 -0400
@@ -38,6 +38,7 @@
 	int save_previous;
 	int save_linked;
 	int disable_genhomedircon;
+	int handle_unknown;
 	mode_t file_mode;
 	struct external_prog *load_policy;
 	struct external_prog *setfiles;
diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_store.c trunk/libsemanage/src/semanage_store.c
--- eric/libsemanage/src/semanage_store.c	2007-08-23 16:11:02.000000000 -0400
+++ trunk/libsemanage/src/semanage_store.c	2007-08-23 16:21:53.000000000 -0400
@@ -1619,6 +1619,8 @@
 		ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
 		goto err;
 	}
+	if (sh->conf->handle_unknown >= 0)
+		sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
 
 	*policydb = out;
 	return STATUS_SUCCESS;
diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/include/sepol/policydb/policydb.h
--- eric/libsepol/include/sepol/policydb/policydb.h	2007-08-23 16:11:32.000000000 -0400
+++ trunk/libsepol/include/sepol/policydb/policydb.h	2007-08-23 15:36:06.000000000 -0400
@@ -602,9 +602,9 @@
 #define POLICYDB_CONFIG_MLS    1
 
 /* the config flags related to unknown classes/perms are bits 2 and 3 */
-#define DENY_UNKNOWN	0x00000000
-#define REJECT_UNKNOWN	0x00000002
-#define ALLOW_UNKNOWN 	0x00000004
+#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
+#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
+#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN
 
 #define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
 
diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb.h trunk/libsepol/include/sepol/policydb.h
--- eric/libsepol/include/sepol/policydb.h	2007-08-23 16:11:04.000000000 -0400
+++ trunk/libsepol/include/sepol/policydb.h	2007-08-23 16:27:02.000000000 -0400
@@ -83,6 +83,13 @@
  */
 extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
 
+/* Set how to handle unknown class/perms. */
+#define SEPOL_DENY_UNKNOWN	    0
+#define SEPOL_REJECT_UNKNOWN	    2
+#define SEPOL_ALLOW_UNKNOWN	    4
+extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
+					     unsigned int handle_unknown);
+
 /* 
  * Read a policydb from a policy file.
  * This automatically sets the type and version based on the 
diff -X /home/sds/dontdiff -ru eric/libsepol/src/policydb_public.c trunk/libsepol/src/policydb_public.c
--- eric/libsepol/src/policydb_public.c	2007-08-23 16:11:04.000000000 -0400
+++ trunk/libsepol/src/policydb_public.c	2007-08-23 16:27:40.000000000 -0400
@@ -134,6 +134,24 @@
 	return 0;
 }
 
+int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
+				      unsigned int handle_unknown)
+{
+	struct policydb *p = &sp->p;
+
+	switch (handle_unknown) {
+	case SEPOL_DENY_UNKNOWN:
+	case SEPOL_REJECT_UNKNOWN:
+	case SEPOL_ALLOW_UNKNOWN:
+		break;
+	default:
+		return -1;
+	}
+
+	p->handle_unknown = handle_unknown;		
+	return 0;
+}
+
 int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
 {
 	return policydb_read(&p->p, &pf->pf, 0);

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] libsepol: support the handle_unknown config flag

[Stephen Smalley]

On Thu, 2007-08-23 at 16:27 -0400, Stephen Smalley wrote:
> On Wed, 2007-08-01 at 11:52 -0400, Eric Paris wrote:
> > Update the policydb definition to contain a handle_unknown flag.  Change
> > libsepol to copy the handle_unknown config flag from the base policy to
> > the final binary policy.  Also makes libsepol properly read and write
> > the flag which dealing with policy modules.
> > 
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> 
> Here is a patch on top of yours that allows you to override the base
> module setting via semanage.conf, handle-unknown = [deny,reject,allow].

Need to make a final decision on this patch - benefit is that the end
user can alter the allow/reject/deny behavior for unknown classes/perms
without rebuilding their base module, which is also precisely what
worries people about it ;)  Could be used by a user to select deny or
reject if the distro defaults to allow (e.g. Fedora) for the purpose of
"tightening" the system or to select allow if the distro defaults to
deny or reject for the purpose of relaxing the system.

> 
> ---
> 
>  libsemanage/src/conf-parse.y               |   35 ++++++++++++++++++++---------
>  libsemanage/src/conf-scan.l                |    1 
>  libsemanage/src/semanage_conf.h            |    1 
>  libsemanage/src/semanage_store.c           |    2 +
>  libsepol/include/sepol/policydb.h          |    7 +++++
>  libsepol/include/sepol/policydb/policydb.h |    6 ++--
>  libsepol/src/policydb_public.c             |   18 ++++++++++++++
>  7 files changed, 57 insertions(+), 13 deletions(-)
> 
> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-parse.y trunk/libsemanage/src/conf-parse.y
> --- eric/libsemanage/src/conf-parse.y	2007-08-23 16:11:02.000000000 -0400
> +++ trunk/libsemanage/src/conf-parse.y	2007-08-23 16:03:20.000000000 -0400
> @@ -57,7 +57,7 @@
>  }
>  
>  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
> -%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
> +%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN
>  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>  %token PROG_PATH PROG_ARGS
>  %token <s> ARG
> @@ -81,6 +81,7 @@
>          |       save_previous
>          |       save_linked
>          |       disable_genhomedircon
> +        |       handle_unknown
>          ;
>  
>  module_store:   MODULE_STORE '=' ARG {
> @@ -139,15 +140,28 @@
>          ;
>  
>  disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
> -								if (strcasecmp($3, "false") == 0) {
> -										current_conf->disable_genhomedircon = 0;
> -									} else if (strcasecmp($3, "true") == 0) {
> -										current_conf->disable_genhomedircon = 1;
> -									} else {
> -										yyerror("disable-genhomedircon can only be 'true' or 'false'");
> -									}
> -									free($3);
> -					  }
> +	if (strcasecmp($3, "false") == 0) {
> +		current_conf->disable_genhomedircon = 0;
> +	} else if (strcasecmp($3, "true") == 0) {
> +		current_conf->disable_genhomedircon = 1;
> +	} else {
> +		yyerror("disable-genhomedircon can only be 'true' or 'false'");
> +	}
> +	free($3);
> + }
> +
> +handle_unknown: HANDLE_UNKNOWN '=' ARG {
> +	if (strcasecmp($3, "deny") == 0) {
> +		current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
> +	} else if (strcasecmp($3, "reject") == 0) {
> +		current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
> +	} else if (strcasecmp($3, "allow") == 0) {
> +		current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
> +	} else {
> +		yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
> +	}
> +	free($3);
> + }
>  
>  command_block: 
>                  command_start external_opts BLOCK_END  {
> @@ -214,6 +228,7 @@
>  	conf->store_path = strdup(basename(selinux_policy_root()));
>  	conf->policyvers = sepol_policy_kern_vers_max();
>  	conf->expand_check = 1;
> +	conf->handle_unknown = -1;
>  	conf->file_mode = 0644;
>  
>  	conf->save_previous = 0;
> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-scan.l trunk/libsemanage/src/conf-scan.l
> --- eric/libsemanage/src/conf-scan.l	2007-08-23 16:11:02.000000000 -0400
> +++ trunk/libsemanage/src/conf-scan.l	2007-08-23 15:53:28.000000000 -0400
> @@ -45,6 +45,7 @@
>  save-previous     return SAVE_PREVIOUS;
>  save-linked       return SAVE_LINKED;
>  disable-genhomedircon return DISABLE_GENHOMEDIRCON;
> +handle-unknown    return HANDLE_UNKNOWN;
>  "[load_policy]"   return LOAD_POLICY_START;
>  "[setfiles]"      return SETFILES_START;
>  "[verify module]" return VERIFY_MOD_START;
> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_conf.h trunk/libsemanage/src/semanage_conf.h
> --- eric/libsemanage/src/semanage_conf.h	2007-08-23 16:11:02.000000000 -0400
> +++ trunk/libsemanage/src/semanage_conf.h	2007-08-23 15:53:53.000000000 -0400
> @@ -38,6 +38,7 @@
>  	int save_previous;
>  	int save_linked;
>  	int disable_genhomedircon;
> +	int handle_unknown;
>  	mode_t file_mode;
>  	struct external_prog *load_policy;
>  	struct external_prog *setfiles;
> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_store.c trunk/libsemanage/src/semanage_store.c
> --- eric/libsemanage/src/semanage_store.c	2007-08-23 16:11:02.000000000 -0400
> +++ trunk/libsemanage/src/semanage_store.c	2007-08-23 16:21:53.000000000 -0400
> @@ -1619,6 +1619,8 @@
>  		ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
>  		goto err;
>  	}
> +	if (sh->conf->handle_unknown >= 0)
> +		sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
>  
>  	*policydb = out;
>  	return STATUS_SUCCESS;
> diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/include/sepol/policydb/policydb.h
> --- eric/libsepol/include/sepol/policydb/policydb.h	2007-08-23 16:11:32.000000000 -0400
> +++ trunk/libsepol/include/sepol/policydb/policydb.h	2007-08-23 15:36:06.000000000 -0400
> @@ -602,9 +602,9 @@
>  #define POLICYDB_CONFIG_MLS    1
>  
>  /* the config flags related to unknown classes/perms are bits 2 and 3 */
> -#define DENY_UNKNOWN	0x00000000
> -#define REJECT_UNKNOWN	0x00000002
> -#define ALLOW_UNKNOWN 	0x00000004
> +#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
> +#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
> +#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN
>  
>  #define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
>  
> diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb.h trunk/libsepol/include/sepol/policydb.h
> --- eric/libsepol/include/sepol/policydb.h	2007-08-23 16:11:04.000000000 -0400
> +++ trunk/libsepol/include/sepol/policydb.h	2007-08-23 16:27:02.000000000 -0400
> @@ -83,6 +83,13 @@
>   */
>  extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
>  
> +/* Set how to handle unknown class/perms. */
> +#define SEPOL_DENY_UNKNOWN	    0
> +#define SEPOL_REJECT_UNKNOWN	    2
> +#define SEPOL_ALLOW_UNKNOWN	    4
> +extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
> +					     unsigned int handle_unknown);
> +
>  /* 
>   * Read a policydb from a policy file.
>   * This automatically sets the type and version based on the 
> diff -X /home/sds/dontdiff -ru eric/libsepol/src/policydb_public.c trunk/libsepol/src/policydb_public.c
> --- eric/libsepol/src/policydb_public.c	2007-08-23 16:11:04.000000000 -0400
> +++ trunk/libsepol/src/policydb_public.c	2007-08-23 16:27:40.000000000 -0400
> @@ -134,6 +134,24 @@
>  	return 0;
>  }
>  
> +int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
> +				      unsigned int handle_unknown)
> +{
> +	struct policydb *p = &sp->p;
> +
> +	switch (handle_unknown) {
> +	case SEPOL_DENY_UNKNOWN:
> +	case SEPOL_REJECT_UNKNOWN:
> +	case SEPOL_ALLOW_UNKNOWN:
> +		break;
> +	default:
> +		return -1;
> +	}
> +
> +	p->handle_unknown = handle_unknown;		
> +	return 0;
> +}
> +
>  int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
>  {
>  	return policydb_read(&p->p, &pf->pf, 0);
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] libsepol: support the handle_unknown config flag

[Eric Paris]

On Tue, 2007-09-18 at 16:00 -0400, Stephen Smalley wrote:
> On Thu, 2007-08-23 at 16:27 -0400, Stephen Smalley wrote:
> > On Wed, 2007-08-01 at 11:52 -0400, Eric Paris wrote:
> > > Update the policydb definition to contain a handle_unknown flag.  Change
> > > libsepol to copy the handle_unknown config flag from the base policy to
> > > the final binary policy.  Also makes libsepol properly read and write
> > > the flag which dealing with policy modules.
> > > 
> > > Signed-off-by: Eric Paris <eparis@redhat.com>
> > 
> > Here is a patch on top of yours that allows you to override the base
> > module setting via semanage.conf, handle-unknown = [deny,reject,allow].
> 
> Need to make a final decision on this patch - benefit is that the end
> user can alter the allow/reject/deny behavior for unknown classes/perms
> without rebuilding their base module, which is also precisely what
> worries people about it ;)  Could be used by a user to select deny or
> reject if the distro defaults to allow (e.g. Fedora) for the purpose of
> "tightening" the system or to select allow if the distro defaults to
> deny or reject for the purpose of relaxing the system.

I vote 'yeah' and lets make sure the kernel audits the message
correctly.  If the certification types really feel we need an old and
new value (still this is at policy load time) I'm sure I can find some
way to do it.

-Eric
> 
> > 
> > ---
> > 
> >  libsemanage/src/conf-parse.y               |   35 ++++++++++++++++++++---------
> >  libsemanage/src/conf-scan.l                |    1 
> >  libsemanage/src/semanage_conf.h            |    1 
> >  libsemanage/src/semanage_store.c           |    2 +
> >  libsepol/include/sepol/policydb.h          |    7 +++++
> >  libsepol/include/sepol/policydb/policydb.h |    6 ++--
> >  libsepol/src/policydb_public.c             |   18 ++++++++++++++
> >  7 files changed, 57 insertions(+), 13 deletions(-)
> > 
> > diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-parse.y trunk/libsemanage/src/conf-parse.y
> > --- eric/libsemanage/src/conf-parse.y	2007-08-23 16:11:02.000000000 -0400
> > +++ trunk/libsemanage/src/conf-parse.y	2007-08-23 16:03:20.000000000 -0400
> > @@ -57,7 +57,7 @@
> >  }
> >  
> >  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
> > -%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
> > +%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN
> >  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
> >  %token PROG_PATH PROG_ARGS
> >  %token <s> ARG
> > @@ -81,6 +81,7 @@
> >          |       save_previous
> >          |       save_linked
> >          |       disable_genhomedircon
> > +        |       handle_unknown
> >          ;
> >  
> >  module_store:   MODULE_STORE '=' ARG {
> > @@ -139,15 +140,28 @@
> >          ;
> >  
> >  disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
> > -								if (strcasecmp($3, "false") == 0) {
> > -										current_conf->disable_genhomedircon = 0;
> > -									} else if (strcasecmp($3, "true") == 0) {
> > -										current_conf->disable_genhomedircon = 1;
> > -									} else {
> > -										yyerror("disable-genhomedircon can only be 'true' or 'false'");
> > -									}
> > -									free($3);
> > -					  }
> > +	if (strcasecmp($3, "false") == 0) {
> > +		current_conf->disable_genhomedircon = 0;
> > +	} else if (strcasecmp($3, "true") == 0) {
> > +		current_conf->disable_genhomedircon = 1;
> > +	} else {
> > +		yyerror("disable-genhomedircon can only be 'true' or 'false'");
> > +	}
> > +	free($3);
> > + }
> > +
> > +handle_unknown: HANDLE_UNKNOWN '=' ARG {
> > +	if (strcasecmp($3, "deny") == 0) {
> > +		current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
> > +	} else if (strcasecmp($3, "reject") == 0) {
> > +		current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
> > +	} else if (strcasecmp($3, "allow") == 0) {
> > +		current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
> > +	} else {
> > +		yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
> > +	}
> > +	free($3);
> > + }
> >  
> >  command_block: 
> >                  command_start external_opts BLOCK_END  {
> > @@ -214,6 +228,7 @@
> >  	conf->store_path = strdup(basename(selinux_policy_root()));
> >  	conf->policyvers = sepol_policy_kern_vers_max();
> >  	conf->expand_check = 1;
> > +	conf->handle_unknown = -1;
> >  	conf->file_mode = 0644;
> >  
> >  	conf->save_previous = 0;
> > diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-scan.l trunk/libsemanage/src/conf-scan.l
> > --- eric/libsemanage/src/conf-scan.l	2007-08-23 16:11:02.000000000 -0400
> > +++ trunk/libsemanage/src/conf-scan.l	2007-08-23 15:53:28.000000000 -0400
> > @@ -45,6 +45,7 @@
> >  save-previous     return SAVE_PREVIOUS;
> >  save-linked       return SAVE_LINKED;
> >  disable-genhomedircon return DISABLE_GENHOMEDIRCON;
> > +handle-unknown    return HANDLE_UNKNOWN;
> >  "[load_policy]"   return LOAD_POLICY_START;
> >  "[setfiles]"      return SETFILES_START;
> >  "[verify module]" return VERIFY_MOD_START;
> > diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_conf.h trunk/libsemanage/src/semanage_conf.h
> > --- eric/libsemanage/src/semanage_conf.h	2007-08-23 16:11:02.000000000 -0400
> > +++ trunk/libsemanage/src/semanage_conf.h	2007-08-23 15:53:53.000000000 -0400
> > @@ -38,6 +38,7 @@
> >  	int save_previous;
> >  	int save_linked;
> >  	int disable_genhomedircon;
> > +	int handle_unknown;
> >  	mode_t file_mode;
> >  	struct external_prog *load_policy;
> >  	struct external_prog *setfiles;
> > diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_store.c trunk/libsemanage/src/semanage_store.c
> > --- eric/libsemanage/src/semanage_store.c	2007-08-23 16:11:02.000000000 -0400
> > +++ trunk/libsemanage/src/semanage_store.c	2007-08-23 16:21:53.000000000 -0400
> > @@ -1619,6 +1619,8 @@
> >  		ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
> >  		goto err;
> >  	}
> > +	if (sh->conf->handle_unknown >= 0)
> > +		sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
> >  
> >  	*policydb = out;
> >  	return STATUS_SUCCESS;
> > diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/include/sepol/policydb/policydb.h
> > --- eric/libsepol/include/sepol/policydb/policydb.h	2007-08-23 16:11:32.000000000 -0400
> > +++ trunk/libsepol/include/sepol/policydb/policydb.h	2007-08-23 15:36:06.000000000 -0400
> > @@ -602,9 +602,9 @@
> >  #define POLICYDB_CONFIG_MLS    1
> >  
> >  /* the config flags related to unknown classes/perms are bits 2 and 3 */
> > -#define DENY_UNKNOWN	0x00000000
> > -#define REJECT_UNKNOWN	0x00000002
> > -#define ALLOW_UNKNOWN 	0x00000004
> > +#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
> > +#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
> > +#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN
> >  
> >  #define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
> >  
> > diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb.h trunk/libsepol/include/sepol/policydb.h
> > --- eric/libsepol/include/sepol/policydb.h	2007-08-23 16:11:04.000000000 -0400
> > +++ trunk/libsepol/include/sepol/policydb.h	2007-08-23 16:27:02.000000000 -0400
> > @@ -83,6 +83,13 @@
> >   */
> >  extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
> >  
> > +/* Set how to handle unknown class/perms. */
> > +#define SEPOL_DENY_UNKNOWN	    0
> > +#define SEPOL_REJECT_UNKNOWN	    2
> > +#define SEPOL_ALLOW_UNKNOWN	    4
> > +extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
> > +					     unsigned int handle_unknown);
> > +
> >  /* 
> >   * Read a policydb from a policy file.
> >   * This automatically sets the type and version based on the 
> > diff -X /home/sds/dontdiff -ru eric/libsepol/src/policydb_public.c trunk/libsepol/src/policydb_public.c
> > --- eric/libsepol/src/policydb_public.c	2007-08-23 16:11:04.000000000 -0400
> > +++ trunk/libsepol/src/policydb_public.c	2007-08-23 16:27:40.000000000 -0400
> > @@ -134,6 +134,24 @@
> >  	return 0;
> >  }
> >  
> > +int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
> > +				      unsigned int handle_unknown)
> > +{
> > +	struct policydb *p = &sp->p;
> > +
> > +	switch (handle_unknown) {
> > +	case SEPOL_DENY_UNKNOWN:
> > +	case SEPOL_REJECT_UNKNOWN:
> > +	case SEPOL_ALLOW_UNKNOWN:
> > +		break;
> > +	default:
> > +		return -1;
> > +	}
> > +
> > +	p->handle_unknown = handle_unknown;		
> > +	return 0;
> > +}
> > +
> >  int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
> >  {
> >  	return policydb_read(&p->p, &pf->pf, 0);
> > 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] libsepol: support the handle_unknown config flag

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eric Paris wrote:
> On Tue, 2007-09-18 at 16:00 -0400, Stephen Smalley wrote:
>> On Thu, 2007-08-23 at 16:27 -0400, Stephen Smalley wrote:
>>> On Wed, 2007-08-01 at 11:52 -0400, Eric Paris wrote:
>>>> Update the policydb definition to contain a handle_unknown flag.  Change
>>>> libsepol to copy the handle_unknown config flag from the base policy to
>>>> the final binary policy.  Also makes libsepol properly read and write
>>>> the flag which dealing with policy modules.
>>>>
>>>> Signed-off-by: Eric Paris <eparis@redhat.com>
>>> Here is a patch on top of yours that allows you to override the base
>>> module setting via semanage.conf, handle-unknown = [deny,reject,allow].
>> Need to make a final decision on this patch - benefit is that the end
>> user can alter the allow/reject/deny behavior for unknown classes/perms
>> without rebuilding their base module, which is also precisely what
>> worries people about it ;)  Could be used by a user to select deny or
>> reject if the distro defaults to allow (e.g. Fedora) for the purpose of
>> "tightening" the system or to select allow if the distro defaults to
>> deny or reject for the purpose of relaxing the system.
> 
> I vote 'yeah' and lets make sure the kernel audits the message
> correctly.  If the certification types really feel we need an old and
> new value (still this is at policy load time) I'm sure I can find some
> way to do it.
> 
> -Eric
>>> ---
>>>
>>>  libsemanage/src/conf-parse.y               |   35 ++++++++++++++++++++---------
>>>  libsemanage/src/conf-scan.l                |    1 
>>>  libsemanage/src/semanage_conf.h            |    1 
>>>  libsemanage/src/semanage_store.c           |    2 +
>>>  libsepol/include/sepol/policydb.h          |    7 +++++
>>>  libsepol/include/sepol/policydb/policydb.h |    6 ++--
>>>  libsepol/src/policydb_public.c             |   18 ++++++++++++++
>>>  7 files changed, 57 insertions(+), 13 deletions(-)
>>>
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-parse.y trunk/libsemanage/src/conf-parse.y
>>> --- eric/libsemanage/src/conf-parse.y	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/conf-parse.y	2007-08-23 16:03:20.000000000 -0400
>>> @@ -57,7 +57,7 @@
>>>  }
>>>  
>>>  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
>>> -%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON
>>> +%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN
>>>  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>>>  %token PROG_PATH PROG_ARGS
>>>  %token <s> ARG
>>> @@ -81,6 +81,7 @@
>>>          |       save_previous
>>>          |       save_linked
>>>          |       disable_genhomedircon
>>> +        |       handle_unknown
>>>          ;
>>>  
>>>  module_store:   MODULE_STORE '=' ARG {
>>> @@ -139,15 +140,28 @@
>>>          ;
>>>  
>>>  disable_genhomedircon: DISABLE_GENHOMEDIRCON '=' ARG {
>>> -								if (strcasecmp($3, "false") == 0) {
>>> -										current_conf->disable_genhomedircon = 0;
>>> -									} else if (strcasecmp($3, "true") == 0) {
>>> -										current_conf->disable_genhomedircon = 1;
>>> -									} else {
>>> -										yyerror("disable-genhomedircon can only be 'true' or 'false'");
>>> -									}
>>> -									free($3);
>>> -					  }
>>> +	if (strcasecmp($3, "false") == 0) {
>>> +		current_conf->disable_genhomedircon = 0;
>>> +	} else if (strcasecmp($3, "true") == 0) {
>>> +		current_conf->disable_genhomedircon = 1;
>>> +	} else {
>>> +		yyerror("disable-genhomedircon can only be 'true' or 'false'");
>>> +	}
>>> +	free($3);
>>> + }
>>> +
>>> +handle_unknown: HANDLE_UNKNOWN '=' ARG {
>>> +	if (strcasecmp($3, "deny") == 0) {
>>> +		current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
>>> +	} else if (strcasecmp($3, "reject") == 0) {
>>> +		current_conf->handle_unknown = SEPOL_REJECT_UNKNOWN;
>>> +	} else if (strcasecmp($3, "allow") == 0) {
>>> +		current_conf->handle_unknown = SEPOL_ALLOW_UNKNOWN;
>>> +	} else {
>>> +		yyerror("handle-unknown can only be 'deny', 'reject' or 'allow'");
>>> +	}
>>> +	free($3);
>>> + }
>>>  
>>>  command_block: 
>>>                  command_start external_opts BLOCK_END  {
>>> @@ -214,6 +228,7 @@
>>>  	conf->store_path = strdup(basename(selinux_policy_root()));
>>>  	conf->policyvers = sepol_policy_kern_vers_max();
>>>  	conf->expand_check = 1;
>>> +	conf->handle_unknown = -1;
>>>  	conf->file_mode = 0644;
>>>  
>>>  	conf->save_previous = 0;
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/conf-scan.l trunk/libsemanage/src/conf-scan.l
>>> --- eric/libsemanage/src/conf-scan.l	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/conf-scan.l	2007-08-23 15:53:28.000000000 -0400
>>> @@ -45,6 +45,7 @@
>>>  save-previous     return SAVE_PREVIOUS;
>>>  save-linked       return SAVE_LINKED;
>>>  disable-genhomedircon return DISABLE_GENHOMEDIRCON;
>>> +handle-unknown    return HANDLE_UNKNOWN;
>>>  "[load_policy]"   return LOAD_POLICY_START;
>>>  "[setfiles]"      return SETFILES_START;
>>>  "[verify module]" return VERIFY_MOD_START;
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_conf.h trunk/libsemanage/src/semanage_conf.h
>>> --- eric/libsemanage/src/semanage_conf.h	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/semanage_conf.h	2007-08-23 15:53:53.000000000 -0400
>>> @@ -38,6 +38,7 @@
>>>  	int save_previous;
>>>  	int save_linked;
>>>  	int disable_genhomedircon;
>>> +	int handle_unknown;
>>>  	mode_t file_mode;
>>>  	struct external_prog *load_policy;
>>>  	struct external_prog *setfiles;
>>> diff -X /home/sds/dontdiff -ru eric/libsemanage/src/semanage_store.c trunk/libsemanage/src/semanage_store.c
>>> --- eric/libsemanage/src/semanage_store.c	2007-08-23 16:11:02.000000000 -0400
>>> +++ trunk/libsemanage/src/semanage_store.c	2007-08-23 16:21:53.000000000 -0400
>>> @@ -1619,6 +1619,8 @@
>>>  		ERR(sh, "Unknown/Invalid policy version %d.", policyvers);
>>>  		goto err;
>>>  	}
>>> +	if (sh->conf->handle_unknown >= 0)
>>> +		sepol_policydb_set_handle_unknown(out, sh->conf->handle_unknown);
>>>  
>>>  	*policydb = out;
>>>  	return STATUS_SUCCESS;
>>> diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb/policydb.h trunk/libsepol/include/sepol/policydb/policydb.h
>>> --- eric/libsepol/include/sepol/policydb/policydb.h	2007-08-23 16:11:32.000000000 -0400
>>> +++ trunk/libsepol/include/sepol/policydb/policydb.h	2007-08-23 15:36:06.000000000 -0400
>>> @@ -602,9 +602,9 @@
>>>  #define POLICYDB_CONFIG_MLS    1
>>>  
>>>  /* the config flags related to unknown classes/perms are bits 2 and 3 */
>>> -#define DENY_UNKNOWN	0x00000000
>>> -#define REJECT_UNKNOWN	0x00000002
>>> -#define ALLOW_UNKNOWN 	0x00000004
>>> +#define DENY_UNKNOWN	SEPOL_DENY_UNKNOWN
>>> +#define REJECT_UNKNOWN	SEPOL_REJECT_UNKNOWN
>>> +#define ALLOW_UNKNOWN 	SEPOL_ALLOW_UNKNOWN
>>>  
>>>  #define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
>>>  
>>> diff -X /home/sds/dontdiff -ru eric/libsepol/include/sepol/policydb.h trunk/libsepol/include/sepol/policydb.h
>>> --- eric/libsepol/include/sepol/policydb.h	2007-08-23 16:11:04.000000000 -0400
>>> +++ trunk/libsepol/include/sepol/policydb.h	2007-08-23 16:27:02.000000000 -0400
>>> @@ -83,6 +83,13 @@
>>>   */
>>>  extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
>>>  
>>> +/* Set how to handle unknown class/perms. */
>>> +#define SEPOL_DENY_UNKNOWN	    0
>>> +#define SEPOL_REJECT_UNKNOWN	    2
>>> +#define SEPOL_ALLOW_UNKNOWN	    4
>>> +extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
>>> +					     unsigned int handle_unknown);
>>> +
>>>  /* 
>>>   * Read a policydb from a policy file.
>>>   * This automatically sets the type and version based on the 
>>> diff -X /home/sds/dontdiff -ru eric/libsepol/src/policydb_public.c trunk/libsepol/src/policydb_public.c
>>> --- eric/libsepol/src/policydb_public.c	2007-08-23 16:11:04.000000000 -0400
>>> +++ trunk/libsepol/src/policydb_public.c	2007-08-23 16:27:40.000000000 -0400
>>> @@ -134,6 +134,24 @@
>>>  	return 0;
>>>  }
>>>  
>>> +int sepol_policydb_set_handle_unknown(sepol_policydb_t * sp,
>>> +				      unsigned int handle_unknown)
>>> +{
>>> +	struct policydb *p = &sp->p;
>>> +
>>> +	switch (handle_unknown) {
>>> +	case SEPOL_DENY_UNKNOWN:
>>> +	case SEPOL_REJECT_UNKNOWN:
>>> +	case SEPOL_ALLOW_UNKNOWN:
>>> +		break;
>>> +	default:
>>> +		return -1;
>>> +	}
>>> +
>>> +	p->handle_unknown = handle_unknown;		
>>> +	return 0;
>>> +}
>>> +
>>>  int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf)
>>>  {
>>>  	return policydb_read(&p->p, &pf->pf, 0);
>>>
> 

I doubt anyone would ever change it like just about everything else in
this file.  So put me in the abstain category.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFG8DIhrlYvE4MpobMRAsTQAJoDQU2woPDp1/QImyzoqAKdGutp3ACgn84D
1yHcqUySRzqb9JRTqsbvow0=
=6ZZI
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH] libsepol: support the handle_unknown config flag

[Stephen Smalley]

On Wed, 2007-08-01 at 11:52 -0400, Eric Paris wrote:
> Update the policydb definition to contain a handle_unknown flag.  Change
> libsepol to copy the handle_unknown config flag from the base policy to
> the final binary policy.  Also makes libsepol properly read and write
> the flag which dealing with policy modules.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>

Thanks, merged as of libsepol 2.0.10.
> 
> diff -Naupr libsepol-2.0.4/include/sepol/policydb/policydb.h libsepol-2.0.4.new/include/sepol/policydb/policydb.h
> --- libsepol-2.0.4/include/sepol/policydb/policydb.h	2007-06-21 05:17:02.000000000 -0400
> +++ libsepol-2.0.4.new/include/sepol/policydb/policydb.h	2007-07-31 16:14:13.000000000 -0400
> @@ -469,6 +469,8 @@ typedef struct policydb {
>  	ebitmap_t *attr_type_map;	/* not saved in the binary policy */
>  
>  	unsigned policyvers;
> +
> +	unsigned handle_unknown;
>  } policydb_t;
>  
>  struct sepol_policydb {
> @@ -599,6 +601,13 @@ extern int policydb_write(struct policyd
>  
>  #define POLICYDB_CONFIG_MLS    1
>  
> +/* the config flags related to unknown classes/perms are bits 2 and 3 */
> +#define DENY_UNKNOWN	0x00000000
> +#define REJECT_UNKNOWN	0x00000002
> +#define ALLOW_UNKNOWN 	0x00000004
> +
> +#define POLICYDB_CONFIG_UNKNOWN_MASK	(DENY_UNKNOWN | REJECT_UNKNOWN | ALLOW_UNKNOWN)
> +
>  #define OBJECT_R "object_r"
>  #define OBJECT_R_VAL 1
>  
> diff -Naupr libsepol-2.0.4/src/expand.c libsepol-2.0.4.new/src/expand.c
> --- libsepol-2.0.4/src/expand.c	2007-06-21 05:17:01.000000000 -0400
> +++ libsepol-2.0.4.new/src/expand.c	2007-07-27 18:32:39.000000000 -0400
> @@ -2248,6 +2248,7 @@ int expand_module(sepol_handle_t * handl
>  
>  	/* Copy mls state from base to out */
>  	out->mls = base->mls;
> +	out->handle_unknown = base->handle_unknown;
>  
>  	if ((state.typemap =
>  	     (uint32_t *) calloc(state.base->p_types.nprim,
> diff -Naupr libsepol-2.0.4/src/policydb.c libsepol-2.0.4.new/src/policydb.c
> --- libsepol-2.0.4/src/policydb.c	2007-06-21 05:17:01.000000000 -0400
> +++ libsepol-2.0.4.new/src/policydb.c	2007-07-31 16:17:53.000000000 -0400
> @@ -3057,6 +3057,8 @@ int policydb_read(policydb_t * p, struct
>  		p->mls = 0;
>  	}
>  
> +	p->handle_unknown = buf[bufindex] & POLICYDB_CONFIG_UNKNOWN_MASK;
> +
>  	bufindex++;
>  
>  	info = policydb_lookup_compat(r_policyvers, policy_type);
> diff -Naupr libsepol-2.0.4/src/write.c libsepol-2.0.4.new/src/write.c
> --- libsepol-2.0.4/src/write.c	2007-06-21 05:17:01.000000000 -0400
> +++ libsepol-2.0.4.new/src/write.c	2007-07-31 16:18:49.000000000 -0400
> @@ -1534,6 +1534,8 @@ int policydb_write(policydb_t * p, struc
>  	if (p->mls)
>  		config |= POLICYDB_CONFIG_MLS;
>  
> +	config |= (POLICYDB_CONFIG_UNKNOWN_MASK & p->handle_unknown);
> +
>  	/* Write the magic number and string identifiers. */
>  	items = 0;
>  	if (p->policy_type == POLICY_KERN) {
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.