MLS + MCS?

All of lore.kernel.org
 help / color / mirror / Atom feed

* MLS + MCS?
@ 2006-11-02 15:48 Michael C Thompson
  2006-11-02 16:35 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Michael C Thompson @ 2006-11-02 15:48 UTC (permalink / raw)
  To: SE Linux

While writing some policy, I came across a situation that was causing 
the policy I was writing to be constructed in an invalid fashion. What 
was happening was this:

Using an old Makefile, my $(TYPE) was being generated as 
'strict-mls-mcs', which was causing the support template 'gen_context' 
to get completely confused.

The macro is defined thusly:

########################################
#
# gen_context(context,mls_sensitivity,[mcs_categories])
#
define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl

I'm wondering, how does this make sense? I'm unclear as to how having 
both mls_sensitivity and [mcs_catergories] defined in this way has meaning.

Because of having both '-mls' and '-mcs' in my $(TYPE), the invalid 
policy I was compiling ended up looking like this:
user:role:type:$2:s0:$3

It would seem to me that MLS and MCS are mutually exclusive, at least in 
this macro.

Thanks,
Mike

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: MLS + MCS?
  2006-11-02 15:48 MLS + MCS? Michael C Thompson
@ 2006-11-02 16:35 ` Christopher J. PeBenito
  2006-11-02 16:49   ` Michael C Thompson
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2006-11-02 16:35 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: SE Linux

On Thu, 2006-11-02 at 09:48 -0600, Michael C Thompson wrote:
> While writing some policy, I came across a situation that was causing 
> the policy I was writing to be constructed in an invalid fashion. What 
> was happening was this:
> 
> Using an old Makefile, my $(TYPE) was being generated as 
> 'strict-mls-mcs', which was causing the support template 'gen_context' 
> to get completely confused.
> 
> The macro is defined thusly:
[cut]
> I'm wondering, how does this make sense? I'm unclear as to how having 
> both mls_sensitivity and [mcs_catergories] defined in this way has meaning.
> 
> Because of having both '-mls' and '-mcs' in my $(TYPE), the invalid 
> policy I was compiling ended up looking like this:
> user:role:type:$2:s0:$3
> 
> It would seem to me that MLS and MCS are mutually exclusive, at least in 
> this macro.

Yes, they are mutually exclusive.  Sounds like the Makefile that redhat
has is making a mistake on setting TYPE; it has to figure out more than
the upstream refpolicy Makefiles need to because of the
redhat /usr/share/selinux/*/devel setup.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: MLS + MCS?
  2006-11-02 16:35 ` Christopher J. PeBenito
@ 2006-11-02 16:49   ` Michael C Thompson
  2006-11-02 18:58     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Michael C Thompson @ 2006-11-02 16:49 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SE Linux

Christopher J. PeBenito wrote:
> On Thu, 2006-11-02 at 09:48 -0600, Michael C Thompson wrote:
>> While writing some policy, I came across a situation that was causing 
>> the policy I was writing to be constructed in an invalid fashion. What 
>> was happening was this:
>>
>> Using an old Makefile, my $(TYPE) was being generated as 
>> 'strict-mls-mcs', which was causing the support template 'gen_context' 
>> to get completely confused.
>>
>> The macro is defined thusly:
> [cut]
>> I'm wondering, how does this make sense? I'm unclear as to how having 
>> both mls_sensitivity and [mcs_catergories] defined in this way has meaning.
>>
>> Because of having both '-mls' and '-mcs' in my $(TYPE), the invalid 
>> policy I was compiling ended up looking like this:
>> user:role:type:$2:s0:$3
>>
>> It would seem to me that MLS and MCS are mutually exclusive, at least in 
>> this macro.
> 
> Yes, they are mutually exclusive.  Sounds like the Makefile that redhat
> has is making a mistake on setting TYPE; it has to figure out more than
> the upstream refpolicy Makefiles need to because of the
> redhat /usr/share/selinux/*/devel setup.

I have since switched to the last Makefile redhat provides and that 
resolves the problem I was having.

is there a better way to express the gen_context macro, or is this 
another case of m4 limitations? (I am not familiar with m4 at all btw)



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: MLS + MCS?
  2006-11-02 16:49   ` Michael C Thompson
@ 2006-11-02 18:58     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2006-11-02 18:58 UTC (permalink / raw)
  To: Michael C Thompson; +Cc: SE Linux

On Thu, 2006-11-02 at 10:49 -0600, Michael C Thompson wrote:
> Christopher J. PeBenito wrote:
> > On Thu, 2006-11-02 at 09:48 -0600, Michael C Thompson wrote:
> >> While writing some policy, I came across a situation that was causing 
> >> the policy I was writing to be constructed in an invalid fashion. What 
> >> was happening was this:
> >>
> >> Using an old Makefile, my $(TYPE) was being generated as 
> >> 'strict-mls-mcs', which was causing the support template 'gen_context' 
> >> to get completely confused.
> >>
> >> The macro is defined thusly:
> > [cut]
> >> I'm wondering, how does this make sense? I'm unclear as to how having 
> >> both mls_sensitivity and [mcs_catergories] defined in this way has meaning.
> >>
> >> Because of having both '-mls' and '-mcs' in my $(TYPE), the invalid 
> >> policy I was compiling ended up looking like this:
> >> user:role:type:$2:s0:$3
> >>
> >> It would seem to me that MLS and MCS are mutually exclusive, at least in 
> >> this macro.
> > 
> > Yes, they are mutually exclusive.  Sounds like the Makefile that redhat
> > has is making a mistake on setting TYPE; it has to figure out more than
> > the upstream refpolicy Makefiles need to because of the
> > redhat /usr/share/selinux/*/devel setup.
> 
> I have since switched to the last Makefile redhat provides and that 
> resolves the problem I was having.
> 
> is there a better way to express the gen_context macro, or is this 
> another case of m4 limitations? (I am not familiar with m4 at all btw)

M4 doesn't really have any error handling since it is just a macro
language.  Since MLS and MCS are mutually exclusive, it hasn't been a
problem.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2006-11-02 18:57 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-11-02 15:48 MLS + MCS? Michael C Thompson
2006-11-02 16:35 ` Christopher J. PeBenito
2006-11-02 16:49   ` Michael C Thompson
2006-11-02 18:58     ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.