* refpolicywarn usage
@ 2015-06-05 20:28 Ted Toth
  2015-06-08 13:11   ` [refpolicy] " Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Ted Toth @ 2015-06-05 20:28 UTC (permalink / raw)
  To: SELinux

I tried to use "refpolicywarn(`$0($*) has been deprecated.')" in a
deprecated interface removing all of the previously defined policy.
However the interface is used in an 'optional' which then causes the
policy compilation to fail. What is the right way to handle this
situation?

Ted


* Re: refpolicywarn usage
  2015-06-05 20:28 refpolicywarn usage Ted Toth
@ 2015-06-08 13:11   ` Christopher J. PeBenito
  0 siblings, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2015-06-08 13:11 UTC (permalink / raw)
  To: Ted Toth, SELinux, refpolicy

On 6/5/2015 4:28 PM, Ted Toth wrote:
> I tried to use "refpolicywarn(`$0($*) has been deprecated.')" in a
> deprecated interface removing all of the previously defined policy.
> However the interface is used in an 'optional' which then causes the
> policy compilation to fail. What is the right way to handle this
> situation?

This should go to the refpolicy list.

Refpolicywarn is an m4 macro, so it doesn't result in any policy.  If
you have an optional block with only one call to an interface that only
has a refpolicywarn in its implementation, it will result in an optional
with no rules inside.

We handle this in refpolicy by calling the new interface, e.g. if
interface X is being replaced by interface Y, in the implementation of X
we put a refpolicywarn message and call Y.  If there is no new
interface, you could put safe placeholder rules, such as a call to
dev_rw_null().


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
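
The pattern described in the reply above, written out as refpolicy interface definitions; this is an added example, not code from the thread or from refpolicy itself. The module name `myapp`, the types `myapp_conf_t` and `caller_t`, and every `myapp_*` interface name are hypothetical.

```m4
## Hypothetical myapp.if (illustration only).

# Replacement interface, the Y of the reply above.
interface(`myapp_read_config',`
	gen_require(`
		type myapp_conf_t;
	')

	allow $1 myapp_conf_t:file { getattr open read };
')

# Failing form: the body is only the m4 warning, so the interface
# expands to no policy statements. An optional block whose single
# statement is a call to this interface ends up with no rules inside.
interface(`myapp_read_conf_warn_only',`
	refpolicywarn(`$0($*) has been deprecated.')
')

# Deprecated interface X with a replacement: warn, then call Y, so the
# expansion still carries the require and allow statements from Y.
interface(`myapp_read_conf',`
	refpolicywarn(`$0($*) has been deprecated, use myapp_read_config() instead.')
	myapp_read_config($1)
')

# Deprecated interface with no replacement: warn, then emit a safe
# placeholder rule so the expansion is never empty.
interface(`myapp_signal_helper',`
	refpolicywarn(`$0($*) has been deprecated.')
	dev_rw_null($1)
')

## Hypothetical caller in a .te file; caller_t is declared elsewhere.
## After expansion this optional block contains the rules from
## myapp_read_config rather than being empty.
optional_policy(`
	myapp_read_conf(caller_t)
')
```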

* Re: refpolicywarn usage
  2015-06-08 13:11   ` [refpolicy] " Christopher J. PeBenito
@ 2015-06-08 14:42     ` Ted Toth
  -1 siblings, 0 replies; 5+ messages in thread
From: Ted Toth @ 2015-06-08 14:42 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: refpolicy, SELinux

So many lists so little time ... I'll post to the refpolicy list next time.
Simply adding:
gen_require(` type null_device_t; ')


did the trick.

On Mon, Jun 8, 2015 at 8:11 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On 6/5/2015 4:28 PM, Ted Toth wrote:
>> I tried to use "refpolicywarn(`$0($*) has been deprecated.')" in a
>> deprecated interface removing all of the previously defined policy.
>> However the interface is used in an 'optional' which then causes the
>> policy compilation to fail. What is the right way to handle this
>> situation?
>
> This should go to the refpolicy list.
>
> Refpolicywarn is an m4 macro, so it doesn't result in any policy.  If
> you have an optional block with only one call to an interface that only
> has a refpolicywarn in its implementation, it will result in an optional
> with no rules inside.
>
> We handle this in refpolicy by calling the new interface, e.g. if
> interface X is being replaced by interface Y, in the implementation of X
> we put a refpolicywarn message and call Y.  If there is no new
> interface, you could put safe placeholder rules, such as a call to
> dev_rw_null().
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
