From: Ivan Gyurdiev <ivg2@cornell.edu>
To: Ivan Gyurdiev <ivg2@cornell.edu>
Cc: Joshua Brindle <jbrindle@tresys.com>,
SELinux List <SELinux@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>,
dwalsh@redhat.com
Subject: Re: [SEMANAGE][SEPOL] Enable ports
Date: Tue, 03 Jan 2006 02:23:41 -0500
Message-ID: <43BA267D.2010905@cornell.edu>
In-Reply-To: <43B9761A.3070504@cornell.edu>

> . Adding the "limited intelligence" with respect to error checking is
> much more difficult in libsemanage, and I've wasted lots of time on
> this. It's easier to do in the client.

Actually.... not true. It's difficult to add at the key level, but error
checks and warnings and things like that will easily go into a verify
run on commit (or possibly in sepol). So, now I think I'll focus on:

- seuser validation (mls range valid, mls range subset of selinux user,
  possibly move Unix user check into lib?)
- file context validation (context valid, maybe regexp valid?)

It should be possible to do those two now, after new additions to
libsepol interface.

- ports error checking (warn on shadowing, things like that)
- also, did you know that if you originally put a file with duplicate
  records in semanage, it would stay that way, and semanage wouldn't
  complain (it does no duplicate checking when reading in the file - not
  sure if that's a problem).

Also, there are issues with the API, which I posted about on
SELinux-dev@tresys - if API changes are still allowed I'm considering
removing the set function, changing the behavior of add, and compare for
each record. See "API message still ok" for details.