* [PATCH 51/67] libsepol: Preserve tunables when required by semodule
@ 2011-09-15 19:54 Daniel J Walsh
From: Daniel J Walsh @ 2011-09-15 19:54 UTC (permalink / raw)
To: eparis; +Cc: selinux
This patch looks good to me. acked.
* Re: [PATCH 51/67] libsepol: Preserve tunables when required by semodule
From: Guido Trentalancia @ 2011-09-16 4:55 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: eparis, selinux
On Thu, 2011-09-15 at 15:54 -0400, Daniel J Walsh wrote:
> From f2a839faa71dac0bc575615bfe0aafca94a00892 Mon Sep 17 00:00:00 2001
> From: Harry Ciao <qingtao.cao@windriver.com>
> Date: Thu, 1 Sep 2011 11:29:47 +0800
> Subject: [PATCH 51/67] libsepol: Preserve tunables when required by semodule program.
>
> If the "-P/--preserve_tunables" option is set for the semodule program,
> the preserve_tunables flag in sepol_handle_t would be set, then all tunables
> would be treated as booleans by having their TUNABLE flag bit cleared,
> resulting in all tunables if-else conditionals preserved for raw policy.
>
> Note, such option would invalidate the logic to double-check if tunables
> ever mix with booleans in one expression, so skip the call to assert()
> when this option is passed.
>
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
> libsepol/src/expand.c | 36 ++++++++++++++++++++++++------------
> 1 files changed, 24 insertions(+), 12 deletions(-)
Hello Dan.
The new option seems not fully enabled yet by parsing the option and
setting the preserve_tunables flag appropriately in main().
Is it going to be enabled elsewhere?
Guido
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
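The behaviour the quoted commit message describes, as an added illustration that is not part of the patch or of libsepol: a toy model of one if-else conditional being expanded, with the preserve_tunables handling described above. The type names, the `COND_BOOL_FLAGS_TUNABLE` bit, `expand_cond` and `run_scenario` are all assumptions of this model, not libsepol's own identifiers.

```c
#include <stdint.h>
/* Hypothetical model (not libsepol's own types or names): a TUNABLE flag
 * bit on a conditional boolean, as the patch description refers to it. */
#define COND_BOOL_FLAGS_TUNABLE 0x01u

typedef struct {
    int value;       /* default value compiled into the policy */
    uint32_t flags;  /* COND_BOOL_FLAGS_TUNABLE set for tunables */
} cond_bool_t;

typedef struct {
    cond_bool_t *bools[4];
    int nbools;      /* toy expression: logical AND of all members */
} cond_expr_t;

/* What expansion leaves in the raw policy for one if-else conditional. */
enum { KEEP_CONDITIONAL = 0, KEEP_TRUE_BRANCH = 1, KEEP_FALSE_BRANCH = 2,
       MIXED_EXPR_ERROR = -1 };

static int expand_cond(cond_expr_t *e, int preserve_tunables)
{
    int ntun = 0, nbool = 0, value = 1;
    /* -P/--preserve_tunables: clear the TUNABLE bit so every tunable is
     * handled exactly like a boolean from here on. */
    if (preserve_tunables)
        for (int i = 0; i < e->nbools; i++)
            e->bools[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
    for (int i = 0; i < e->nbools; i++) {
        if (e->bools[i]->flags & COND_BOOL_FLAGS_TUNABLE) ntun++; else nbool++;
        value = value && e->bools[i]->value;
    }
    /* The double-check that tunables never mix with booleans only holds
     * while the flag bits are intact, so it is skipped when preserving. */
    if (!preserve_tunables && ntun && nbool)
        return MIXED_EXPR_ERROR;  /* libsepol asserts here instead */
    if (ntun)  /* pure tunable expression: resolved now, one branch kept */
        return value ? KEEP_TRUE_BRANCH : KEEP_FALSE_BRANCH;
    return KEEP_CONDITIONAL;  /* booleans stay switchable at runtime */
}

/* Constructed scenario: a true tunable and/or a true boolean. */
static int run_scenario(int use_tunable, int use_bool, int preserve)
{
    cond_bool_t tun = { 1, COND_BOOL_FLAGS_TUNABLE }, boo = { 1, 0 };
    cond_expr_t e = { { 0 }, 0 };
    if (use_tunable) e.bools[e.nbools++] = &tun;
    if (use_bool) e.bools[e.nbools++] = &boo;
    return expand_cond(&e, preserve);
}
```

Without the option a tunable-only conditional is resolved at expand time and only one branch survives in the raw policy; with it the conditional is kept, which is what lets a tool inspecting the binary policy still see which tunable would have allowed an access.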
* Re: [PATCH 51/67] libsepol: Preserve tunables when required by semodule
From: Daniel J Walsh @ 2011-09-16 14:25 UTC (permalink / raw)
To: Guido Trentalancia; +Cc: eparis, selinux
On 09/16/2011 12:55 AM, Guido Trentalancia wrote:
> On Thu, 2011-09-15 at 15:54 -0400, Daniel J Walsh wrote:
>> From f2a839faa71dac0bc575615bfe0aafca94a00892 Mon Sep 17 00:00:00 2001
>> From: Harry Ciao <qingtao.cao@windriver.com>
>> Date: Thu, 1 Sep 2011 11:29:47 +0800
>> Subject: [PATCH 51/67] libsepol: Preserve tunables when required by semodule program.
>>
>> If the "-P/--preserve_tunables" option is set for the semodule
>> program, the preserve_tunables flag in sepol_handle_t would be
>> set, then all tunables would be treated as booleans by having
>> their TUNABLE flag bit cleared, resulting in all tunables if-else
>> conditionals preserved for raw policy.
>>
>> Note, such option would invalidate the logic to double-check if
>> tunables ever mix with booleans in one expression, so skip the
>> call to assert() when this option is passed.
>>
>> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
>> Signed-off-by: Eric Paris <eparis@redhat.com>
>> ---
>> libsepol/src/expand.c | 36 ++++++++++++++++++++++++------------
>> 1 files changed, 24 insertions(+), 12 deletions(-)
>
> Hello Dan.
>
> The new option seems not fully enabled yet by parsing the option
> and setting the preserve_tunables flag appropriately in main().
>
> Is it going to be enabled elsewhere?
>
> Guido
>
I actually have not started to play with this stuff yet, I am still
concerned about the audit2why being able to figure out which
boolean/tunable would be able to allow the access. I am fine with it
for people who do not care about this technology and just want smaller
policy. Meaning I am not sure what we are missing.