From: Ivan Gyurdiev <ivg2@cornell.edu>
To: Joshua Brindle <jbrindle@tresys.com>
Cc: SELinux List <SELinux@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>,
dwalsh@redhat.com
Subject: Re: [SEMANAGE][SEPOL] Enable ports
Date: Mon, 02 Jan 2006 13:51:06 -0500
Message-ID: <43B9761A.3070504@cornell.edu>
In-Reply-To: <43B97823.3080201@tresys.com>
>
>>
>> This brings up an interesting point - if ordering of records matters,
>> then some thought should go into which way iterate() loops over the
>> records... (and what order list() returns). Currently for files, the
>> ordering is backwards to what appears in the file (not sure what
>> policydb does).
>>
>
> This should be fixed. The policy parser (policy_parse.y) currently
> preserves the order exactly as specified, with errors in the case of
> duplicate or shadowed entries.
I think the order in policy should be correct after my list reversal
patch (see other patches).
The order in the on-disk file is irrelevant for ports - it's just an
implementation detail of the library.
More detail on this in my other message in response to File Contexts APIs.
>
> I think a good workaround for now is to only expose exact port
> labeling via libsemanage, that way you can prepend them to the
> policydb list and not worry about sorting, etc. If the user needs to
> set multiple ports the client can expose that functionality, and
> limited intelligence can be added there (error checking and such). The
> policydb portcons would still have ranges so the fallbacks (1-1024,
> etc.) would still be there.
I think sorting should work after the list reversal patch. It has some
drawbacks as I've pointed out there, but should work. Adding the
"limited intelligence" with respect to error checking is much more
difficult in libsemanage, and I've wasted lots of time on this. It's
easier to do in the client.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
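The first-match behaviour the thread is discussing (an exact port entry prepended to the policydb list wins over a later range; the same entry appended after a covering range is shadowed), as an added example that is not part of this thread or of libsepol/libsemanage. The list, the function names (portcon_prepend, portcon_append, portcon_lookup, portcon_shadowed_by) and the two contexts are constructed for illustration; the lookup is modelled on the kernel's first-match walk over the port ocontexts.

```c
/* Added example, not libsepol/libsemanage code: a minimal first-match portcon
 * list showing why record order matters and why prepending exact ports avoids
 * sorting. All names below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROTO_TCP 6

struct portcon {
    int proto;
    unsigned low, high;   /* inclusive port range; low == high for an exact port */
    const char *context;  /* security context assigned to the range */
    struct portcon *next;
};

static struct portcon *portcon_new(int proto, unsigned low, unsigned high, const char *ctx)
{
    struct portcon *p = calloc(1, sizeof *p);
    if (!p)
        abort();
    p->proto = proto;
    p->low = low;
    p->high = high;
    p->context = ctx;
    return p;
}

/* Insert at the head: under first-match lookup the new entry wins over any
 * later range that also covers the port, with no sorting required. */
static struct portcon *portcon_prepend(struct portcon *head, int proto,
                                       unsigned low, unsigned high, const char *ctx)
{
    struct portcon *p = portcon_new(proto, low, high, ctx);
    p->next = head;
    return p;
}

/* Insert at the tail: preserves file order, so an exact port appended after a
 * range that already covers it is never reached. */
static struct portcon *portcon_append(struct portcon *head, int proto,
                                      unsigned low, unsigned high, const char *ctx)
{
    struct portcon *p = portcon_new(proto, low, high, ctx), *t = head;
    if (!head)
        return p;
    while (t->next)
        t = t->next;
    t->next = p;
    return head;
}

/* First match wins, modelled on the kernel's walk of the port ocontext list.
 * Returns NULL when no entry covers the port. */
static const char *portcon_lookup(const struct portcon *head, int proto, unsigned port)
{
    for (; head; head = head->next)
        if (head->proto == proto && head->low <= port && port <= head->high)
            return head->context;
    return NULL;
}

/* The "limited intelligence" a client can add before inserting at the tail:
 * returns the context of an earlier entry that already covers [low, high]
 * (so the new entry would be unreachable), or NULL if it would be reachable. */
static const char *portcon_shadowed_by(const struct portcon *head, int proto,
                                       unsigned low, unsigned high)
{
    for (; head; head = head->next)
        if (head->proto == proto && head->low <= low && high <= head->high)
            return head->context;
    return NULL;
}

static void portcon_free(struct portcon *head)
{
    while (head) {
        struct portcon *n = head->next;
        free(head);
        head = n;
    }
}

/* Constructed scenario: the policy already carries a catch-all 1024-65535
 * range; a local exact rule for tcp/8080 is added in front of it or behind it. */
static const char *const FALLBACK = "system_u:object_r:unreserved_port_t:s0";
static const char *const EXACT    = "system_u:object_r:http_port_t:s0";

const char *label_when_prepended(void)
{
    struct portcon *l = portcon_append(NULL, PROTO_TCP, 1024, 65535, FALLBACK);
    l = portcon_prepend(l, PROTO_TCP, 8080, 8080, EXACT);
    const char *r = portcon_lookup(l, PROTO_TCP, 8080);
    portcon_free(l);
    return r;
}

const char *label_when_appended(void)
{
    struct portcon *l = portcon_append(NULL, PROTO_TCP, 1024, 65535, FALLBACK);
    l = portcon_append(l, PROTO_TCP, 8080, 8080, EXACT);
    const char *r = portcon_lookup(l, PROTO_TCP, 8080);
    portcon_free(l);
    return r;
}

int exact_rule_would_be_shadowed(void)
{
    struct portcon *l = portcon_append(NULL, PROTO_TCP, 1024, 65535, FALLBACK);
    int shadowed = portcon_shadowed_by(l, PROTO_TCP, 8080, 8080) != NULL;
    portcon_free(l);
    return shadowed;
}

int main(void)
{
    printf("prepended: %s\nappended:  %s\nshadowed:  %d\n",
           label_when_prepended(), label_when_appended(),
           exact_rule_would_be_shadowed());
    return 0;
}
```

The prepend path is the workaround Joshua describes: the exact entry lands in front of the ranges and needs no sort. The append path is what a file-order list gives you, and the shadow check is the kind of error reporting that is simpler to do in the client than inside the library.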
Thread overview: 6+ messages
2005-12-24 2:08 [SEMANAGE][SEPOL] Enable ports Ivan Gyurdiev
2006-01-02 18:59 ` Joshua Brindle
2006-01-02 18:51 ` Ivan Gyurdiev [this message]
2006-01-03 7:23 ` Ivan Gyurdiev
2006-01-03 16:28 ` Joshua Brindle
2006-01-03 14:35 ` Ivan Gyurdiev