From: Steve Lawrence <slawrence@tresys.com>
To: Harry Ciao <qingtao.cao@windriver.com>
Cc: <cpebenito@tresys.com>, <method@manicmethod.com>,
<selinux@tycho.nsa.gov>
Subject: Re: [v0 PATCH 1/1] Only call role_fix_callback for base.p_roles during expansion.
Date: Thu, 11 Aug 2011 10:05:09 -0400
Message-ID: <4E43E195.5090202@tresys.com>
In-Reply-To: <1312279433-2866-2-git-send-email-qingtao.cao@windriver.com>
On 08/02/2011 06:03 AM, Harry Ciao wrote:
> expand_role_attributes() would merge the sub role attribute's roles
> ebitmap into that of the parent, then clear it off from the parent's
> roles ebitmap. This supports the assertion in role_fix_callback() that
> any role attribute's roles ebitmap contains just regular roles.
>
> expand_role_attribute() works on base.p_roles table but not any
> block/decl's p_roles table, so the above assertion in role_fix_callback
> could fail when it is called for block/decl and some role attribute is
> added into another.
>
> Since the effect of get_local_role() would have been complemented by
> the populate_roleattributes() at the end of the link phase, there is
> no need (and it is wrong) to call role_fix_callback() for block/decl in the
> expand phase.
>
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> ---
> libsepol/src/expand.c | 3 ---
> 1 files changed, 0 insertions(+), 3 deletions(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index b42acbe..96ed473 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2832,9 +2832,6 @@ int expand_module(sepol_handle_t * handle,
> if (hashtab_map
> (decl->p_roles.table, role_copy_callback, &state))
> goto cleanup;
> - if (hashtab_map
> - (decl->p_roles.table, role_fix_callback, &state))
> - goto cleanup;
>
> /* copy users */
> if (hashtab_map
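Review bot: with the role_fix_callback pass removed here while the role_copy_callback pass on decl->p_roles.table is kept, a short comment above the remaining `if (hashtab_map (decl->p_roles.table, role_copy_callback, &state))` should record why fixing is intentionally skipped for block/decl tables (expand_role_attributes() only flattens base.p_roles, so the assertion in role_fix_callback does not hold here); otherwise the call is likely to be re-added later. The corresponding base.p_roles call that is kept lies outside this hunk's context, so the commit message could also state explicitly that it is unchanged.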
This looks good, and I'm fine with committing this.
However, I did find what appears to be an unrelated problem. It looks
like the role attributes are getting written to the policy db as if they
were roles. I don't think this will break anything (I think), but
considering that the kernel doesn't know anything about role_attributes,
it seems odd to me that they are in the binary.
Note: I found this by looking at a downgraded policy.24 in apol, so this
could potentially be a downgrade issue. But from looking at the code, I
believe role attributes are being written as if they're roles.
- Steve
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
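The flattening that expand_role_attributes() performs and the invariant that role_fix_callback() asserts, as an added C model that is not libsepol's code: role bitmaps are modelled as uint32_t rather than ebitmap_t, and the role/attribute names, ATTR_MASK and demo_base_vs_decl() are constructed for illustration only.

```c
#include <stdint.h>

/* Constructed model: bit i of a bitmap names role or role attribute i.
 * ATTR_MASK marks the bits that are role attributes, not regular roles. */
#define NROLES 8
enum { R_USER = 1u << 0, R_ADMIN = 1u << 1, A_STAFF = 1u << 2, A_ALL = 1u << 3 };
#define ATTR_MASK (A_STAFF | A_ALL)

struct roleattr { uint32_t roles; int state; }; /* state: 0 new, 1 in progress, 2 done */

/* Flatten attribute i: merge each nested attribute's roles into it and clear the
 * nested attribute's own bit, as expand_role_attributes() does for base.p_roles.
 * Returns -1 if attributes contain each other in a cycle. */
static int flatten(struct roleattr *t, int i)
{
    int j;
    if (t[i].state == 2) return 0;
    if (t[i].state == 1) return -1;   /* cycle: A contains B contains A */
    t[i].state = 1;
    for (j = 0; j < NROLES; j++) {
        uint32_t bit = 1u << j;
        if (!(t[i].roles & bit) || !(bit & ATTR_MASK)) continue;
        if (flatten(t, j) < 0) return -1;
        t[i].roles |= t[j].roles;   /* take the sub attribute's regular roles */
        t[i].roles &= ~bit;         /* then drop the sub attribute itself */
    }
    t[i].state = 2;
    return 0;
}

int expand_role_attributes(struct roleattr *t)
{
    for (int i = 0; i < NROLES; i++)
        if (((1u << i) & ATTR_MASK) && flatten(t, i) < 0) return -1;
    return 0;
}

/* The invariant role_fix_callback asserts: only regular roles remain in the bitmap. */
int role_fix_invariant_holds(const struct roleattr *t, int i)
{
    return (t[i].roles & ATTR_MASK) == 0;
}

/* Returns 1 when the expanded base table satisfies the invariant but an
 * unexpanded block/decl copy of the same attribute does not (the case the patch avoids). */
int demo_base_vs_decl(void)
{
    struct roleattr base[NROLES] = {{0, 0}}, decl[NROLES] = {{0, 0}};
    base[2].roles = R_USER;            /* A_STAFF = { user } */
    base[3].roles = R_ADMIN | A_STAFF; /* A_ALL = { admin, A_STAFF } */
    decl[3] = base[3];                 /* decl's copy is never expanded */
    if (expand_role_attributes(base) < 0) return 0;
    return role_fix_invariant_holds(base, 3) && !role_fix_invariant_holds(decl, 3);
}
```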