* [PATCH] policycoreutils: mcstrans: use string_to_av_perm() to calculate permission access vector
From: Steve Lawrence @ 2014-08-28 20:47 UTC
To: SELinux List
mcstrans still uses CONTEXT__CONTAINS from av_permissions.h to calculate
a permission access vector. However, av_permissions.h was deprecated, so
it does not have access to the constant. This updates mcstrans to use
string_to_av_perm() to get the value for context contains.
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
---
policycoreutils/mcstrans/src/mcscolor.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/policycoreutils/mcstrans/src/mcscolor.c b/policycoreutils/mcstrans/src/mcscolor.c
index fdb7048..66f99d2 100644
--- a/policycoreutils/mcstrans/src/mcscolor.c
+++ b/policycoreutils/mcstrans/src/mcscolor.c
@@ -78,11 +78,12 @@ void finish_context_colors(void) {
static int check_dominance(const char *pattern, const char *raw) {
security_context_t ctx;
context_t con;
- unsigned int bit = CONTEXT__CONTAINS;
struct av_decision avd;
int rc = -1;
context_t my_tmp;
const char *raw_range;
+ security_class_t context_class = string_to_security_class("context");
+ access_vector_t context_contains_perm = string_to_av_perm(context_class, "contains");
con = context_new(raw);
if (!con)
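Review bot: the two new lookups at the top of check_dominance() are never checked, and both string_to_security_class() and string_to_av_perm() return 0 when the name is not in the loaded policy (a policy without the `context` class, or one whose `context` class lacks `contains`). Add a guard right after the lookups, before context_new() allocates anything, e.g. `if (!context_class || !context_contains_perm) return -1;`, so a failed lookup is reported as an error instead of flowing into the access check with a zero class or zero permission vector.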
@@ -108,11 +109,11 @@ static int check_dominance(const char *pattern, const char *raw) {
if (!raw)
goto out;
- rc = security_compute_av_raw(ctx, (security_context_t)raw, string_to_security_class("context"), bit, &avd);
+ rc = security_compute_av_raw(ctx, (security_context_t)raw, context_class, context_contains_perm, &avd);
if (rc)
goto out;
- rc = (bit & avd.allowed) != bit;
+ rc = (context_contains_perm & avd.allowed) != context_contains_perm;
out:
free(ctx);
context_free(my_tmp);
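Review bot: the final `rc = (context_contains_perm & avd.allowed) != context_contains_perm;` is fail-open when the permission lookup yielded 0: `(0 & avd.allowed) != 0` is false, so rc becomes 0, the same value a granted `contains` check returns. The removed CONTEXT__CONTAINS constant could never be 0, but a runtime lookup can, so the zero case has to be excluded before this expression is trusted (either by bailing out at the lookup or by testing `context_contains_perm` here). Minor: the class and permission names are re-resolved on every call; resolving them once into statics would avoid the repeated string scans, but the zero check matters more than the cost.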
--
1.9.3
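The patch replaces a compile-time permission constant with a policy-derived lookup, which changes the failure mode: a constant can never be 0, a lookup can. The following is an added example, not code from mcstrans or libselinux, that models the decision expression from the patch against a constructed class/permission table (the typedef names mirror libselinux only so the expression reads like the patch; the table, the `lookup_*` functions and `contains_granted()` are stand-ins for the example, not the real library calls, which resolve names from the loaded policy). It shows the unchecked expression returning "granted" for an unknown permission name and a checked variant that refuses instead.

```c
/* Added example, not code from mcstrans or libselinux. Models how the
 * dominance decision behaves when the permission lookup fails. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t security_class_t;   /* local stand-ins, same names as libselinux */
typedef uint32_t access_vector_t;

struct av_decision { access_vector_t allowed; };   /* only the field the check reads */

/* Constructed stand-in for policy-derived class and permission names.
 * Real values come from the loaded policy and are not stable constants. */
struct class_entry { security_class_t id; const char *name; };
struct perm_entry  { security_class_t tclass; const char *name; access_vector_t bit; };
static const struct class_entry classes[] = { { 1, "context" }, { 2, "security" } };
static const struct perm_entry  perms[]   = { { 1, "translate", 0x1 }, { 1, "contains", 0x2 } };

/* Like libselinux: 0 means "name not found in policy". */
static security_class_t lookup_class(const char *name) {
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (strcmp(classes[i].name, name) == 0) return classes[i].id;
    return 0;
}
static access_vector_t lookup_perm(security_class_t tclass, const char *name) {
    for (size_t i = 0; i < sizeof perms / sizeof perms[0]; i++)
        if (perms[i].tclass == tclass && strcmp(perms[i].name, name) == 0) return perms[i].bit;
    return 0;
}

/* The patch's final expression applied to a decision: 0 = granted, 1 = denied. */
static int decide_unchecked(access_vector_t requested, const struct av_decision *avd) {
    return (requested & avd->allowed) != requested;
}

/* Hardened variant: -1 when the lookup failed (requested == 0), so an unknown
 * permission name can never read as "granted". */
static int decide_checked(access_vector_t requested, const struct av_decision *avd) {
    if (requested == 0) return -1;
    return (requested & avd->allowed) != requested;
}

/* Resolve "context"/<perm_name> and evaluate a constructed decision whose
 * allowed vector is `allowed`. `checked` selects the hardened variant. */
int contains_granted(const char *perm_name, access_vector_t allowed, int checked) {
    security_class_t tclass = lookup_class("context");
    access_vector_t req = lookup_perm(tclass, perm_name);
    struct av_decision avd = { .allowed = allowed };
    return checked ? decide_checked(req, &avd) : decide_unchecked(req, &avd);
}

int main(void) {
    printf("contains, allowed=0x2, checked:   %d\n", contains_granted("contains", 0x2, 1));
    printf("contains, allowed=0x0, checked:   %d\n", contains_granted("contains", 0x0, 1));
    printf("unknown perm, unchecked (fail-open): %d\n", contains_granted("bogus", 0x0, 0));
    printf("unknown perm, checked:               %d\n", contains_granted("bogus", 0x0, 1));
    return 0;
}
```

The third call is the case the patch introduces: with a permission name the policy does not define, the unchecked expression reports 0 ("granted") even though nothing was allowed. The same applies if the class lookup fails, since no permission can then be resolved under class 0.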
* Re: [PATCH] policycoreutils: mcstrans: use string_to_av_perm() to calculate permission access vector
From: Stephen Smalley @ 2014-08-29 13:14 UTC
To: Steve Lawrence, SELinux List
On 08/28/2014 04:47 PM, Steve Lawrence wrote:
> mcstrans still uses CONTEXT__CONTAINS from av_permissions.h to calculate
> a permission access vector. However, av_permissions.h was deprecated, so
> it does not have access to the constant. This updates mcstrans to use
> string_to_av_perm() to get the value for context contains.
>
> Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
I guess we don't build mcstrans by default and thus this wasn't noticed
earlier?
* Re: [PATCH] policycoreutils: mcstrans: use string_to_av_perm() to calculate permission access vector
From: Steve Lawrence @ 2014-08-29 13:18 UTC
To: Stephen Smalley, SELinux List
On 08/29/2014 09:14 AM, Stephen Smalley wrote:
> On 08/28/2014 04:47 PM, Steve Lawrence wrote:
>> mcstrans still uses CONTEXT__CONTAINS from av_permissions.h to calculate
>> a permission access vector. However, av_permissions.h was deprecated, so
>> it does not have access to the constant. This updates mcstrans to use
>> string_to_av_perm() to get the value for context contains.
>>
>> Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
>> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> I guess we don't build mcstrans by default and thus this wasn't noticed
> earlier?
>
Yep. Any reason not to include it by default?
* Re: [PATCH] policycoreutils: mcstrans: use string_to_av_perm() to calculate permission access vector
From: Stephen Smalley @ 2014-08-29 13:33 UTC
To: Steve Lawrence, SELinux List, Daniel J Walsh
On 08/29/2014 09:18 AM, Steve Lawrence wrote:
> On 08/29/2014 09:14 AM, Stephen Smalley wrote:
>> On 08/28/2014 04:47 PM, Steve Lawrence wrote:
>>> mcstrans still uses CONTEXT__CONTAINS from av_permissions.h to calculate
>>> a permission access vector. However, av_permissions.h was deprecated, so
>>> it does not have access to the constant. This updates mcstrans to use
>>> string_to_av_perm() to get the value for context contains.
>>>
>>> Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
>>> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
>>
>> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>>
>> I guess we don't build mcstrans by default and thus this wasn't noticed
>> earlier?
>>
>
> Yep. Any reason not to include it by default?
Not that I know of. Possibly just historical since it was originally
separate from policycoreutils and Fedora packages it separately?