* problems using setcon()
From: Kodungallur Varma @ 2005-03-09  4:08 UTC
  To: selinux

Hi all,

   I am trying to dynamically change the context of my program by
using the setcon() function. I have a simple program that tries to do
that but the setcon() function always returns -1 for the input in the
program.

#include <stdio.h>
#include <string.h>              /* for strcpy() */
#include <selinux/selinux.h>

int main()
{
       int i;
       char str[100];
       /* requested new process context */
       strcpy(str,"system_u:object_r:libselinux_test_t");
       i = setcon((security_context_t) str);
       if(i == 0)
       {
               printf("changed to new context..\n");
       }
       else if(i == -1)
       {
               printf("error..setcon() returned -1\n");
       }
       else
       {
               printf("unknown result\n");
       }
       return 1;
}

libselinux_test_t is the domain in which I want this program to run. I
have the following policy for that:

-----------
    daemon_domain(libselinux_test_t)

    type libselinux_test_t, domain, privlog;
    role user_r types libselinux_test_t;

    type libselinux_test_dir_t, file_type, sysadmfile;
    type libselinux_test_exec_t, file_type, sysadmfile, exec_type;

    domain_auto_trans(user_t, libselinux_test_exec_t, libselinux_test_t)

    allow libselinux_test_t sshd_t:fd use;
------------

As I am in the user_t domain when I execute the program, the program
starts in the user_t domain. But as there is that domain_auto_trans()
into the libselinux_test_t domain, setcon() into that domain shouldn't
fail for invalid-domain reasons.

I don't have any avc: denied messages when setcon() fails. My belief is
that I am passing bad arguments to setcon().

Could someone please point out where the problem is? Also, I tried to
print out the domain of the current process using getcon(), but I have
some problem. Could someone let me know how to print that out, rather
than viewing it using ps axZ?

Thanks a lot in advance.

Ram


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: problems using setcon()
From: Thomas Bleher @ 2005-03-09  8:46 UTC
  To: Kodungallur Varma; +Cc: selinux


* Kodungallur Varma <ramgwu@gmail.com> [2005-03-09 05:33]:
> Hi all,
> 
>  I am trying to dynamically change the context of my program by
> using the setcon() function. I have a simple program that tries to do
> that but the setcon() function always returns -1 for the input in the
> program.
> 
> #include <stdio.h>
> #include <selinux/selinux.h>
> 
> int main()
> {
>    int i;
>    char str[100];
>    strcpy(str,"system_u:object_r:libselinux_test_t");
                 ^^^^^^^^^^^^^^^^^
Your problem is here. object_r cannot be used for any domains. Further,
you can't change users (from user_u to system_u) unless you are
specifically authorized.
If you use "user_u:user_r:libselinux_test_t" you should be able to get
it to work (you'll need some additional permissions, as dyntransition is
not covered by domain_auto_trans()).

HTH,
Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7


* Re: problems using setcon()
From: Kodungallur Varma @ 2005-03-12  2:35 UTC
  To: selinux

all,

       I came to know that I can't simply cast a string into a security
identifier as shown below. Instead I found out that I have to use
security_compute_create(). I found a relevant conversation in the
mailing list:
----------------------------
On Tue, 2005-02-15 at 17:53, Luke Kenneth Casson Leighton wrote:
> on the setcon(), because i happened to be in sshd_privsep_t, and because
> i happened to be setting the context to user_t, and because it was
> sshd_exec_t doing the setting, i expect an "automatic" transition
> to occur to sshd_privsep_user_t.

That makes no sense.  If you want to compute a derived context to pass
to the setcon() call, you can use security_compute_create() to get one
from policy, e.g. see the corresponding logic in rpm_execcon(3) in
libselinux.
---------------------------

I have absolutely no idea how security_compute_create() works or
how to use it. All I need to do is to dynamically change context into a
domain for which the type enforcement policy file has been written.
The man page for security_compute_create() has very little
information on how and where to use it. Is there an example of how we
can use it? Also, is rpm_execcon(3) relevant in this context?

Any help on this would be great. Thank you in advance.

Ram

On Wed, 9 Mar 2005 09:46:56 +0100, Thomas Bleher
<bleher@informatik.uni-muenchen.de> wrote:
> * Kodungallur Varma <ramgwu@gmail.com> [2005-03-09 05:33]:
> > Hi all,
> >
> >  I am trying to dynamically change the context of my program by
> > using the setcon() function. I have a simple program that tries to do
> > that but the setcon() function always returns -1 for the input in the
> > program.
> >
> > #include <stdio.h>
> > #include <selinux/selinux.h>
> >
> > int main()
> > {
> >    int i;
> >    char str[100];
> >    strcpy(str,"system_u:object_r:libselinux_test_t");
>                  ^^^^^^^^^^^^^^^^^
> Your Problem is here. object_r cannot be used for any domains. Further,
> you can't change users (from user_u to system_u) unless you are
> specifically authorized.
> If you use "user_u:user_r:libselinux_test_t" you should be able to get
> it to work (you'll need some additional permissions as dyntransition is
> not covered by domain_auto_trans())
> 
> HTH,
> Thomas
> 
> --
> http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
> GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7
> 
> 
>


* Re: problems using setcon()
From: Stephen Smalley @ 2005-03-14 15:06 UTC
  To: Kodungallur Varma; +Cc: selinux


On Fri, 2005-03-11 at 21:35 -0500, Kodungallur Varma wrote:
>        I came to know that I cant simply cast a string into a security
> identifier as shown below. insted I found out that I have to use
> security_compute_create().

No, you can directly construct context strings; you just have to ensure
that they are valid contexts or the kernel will reject them.  The
easiest approach is to use getcon() to get the current context, then use
the context_new(), context_type_set(), context_str() functions to create
a context string with a modified type field, and then call setcon() on
the resulting context string.  security_compute_create() is appropriate
when you want to get a context based on a type_transition rule in the
policy (for an exec-based process transition or a file creation), but
that is not what you are doing.  Sample program below should work for
you, assuming appropriate policy and a kernel that supports dynamic
context transitions (>= 2.6.11 for the mainline kernel).  Policy would
need can_setcon() for the domain and allow <olddomain>
<newdomain>:process dyntransition; (the domain_auto_trans rules are for
exec-based transitions only).

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

Attachment: setconexample.c (text/x-csrc)

#include <stdio.h>
#include <stdlib.h>		/* for exit() */
#include <selinux/selinux.h>
#include <selinux/context.h>

int main(int argc, char **argv)
{
	int rc;
	security_context_t scon;
	context_t con;

	if (argc != 2) {
		fprintf(stderr, "usage: %s newtype\n", argv[0]);
		exit(1);
	}

	/* Start from the current process context rather than a hand-written string. */
	rc = getcon(&scon);
	if (rc < 0) {
		perror("getcon");
		exit(1);
	}
	/* Parse it into a context_t and replace only the type field. */
	con = context_new(scon);
	freecon(scon);
	if (!con) {
		perror("context_new");
		exit(1);
	}
	rc = context_type_set(con, argv[1]);
	if (rc) {
		perror("context_type_set");
		exit(1);
	}
	scon = context_str(con);	/* storage owned by con; do not free */
	if (!scon) {
		perror("context_str");
		exit(1);
	}
	/* Ask the kernel whether the policy knows this context before using it. */
	if (security_check_context(scon) < 0) {
		fprintf(stderr, "%s is not a valid context in the policy\n",
			scon);
		exit(1);
	}
	rc = setcon(scon);
	if (rc < 0) {
		perror("setcon");
		exit(1);
	}
	context_free(con);
	scon = NULL;
	/* Read the context back to confirm the transition took effect. */
	rc = getcon(&scon);
	if (rc < 0) {
		perror("getcon");
		exit(1);
	}
	printf("Changed to %s\n", scon);
	freecon(scon);
	exit(0);
}
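
Added example (not code from the thread): a libselinux-free stand-in for the getcon() / context_type_set() / context_str() flow Stephen describes, combined with a pre-flight check for the two mistakes Thomas pointed out (object_r as a process role, and changing the SELinux user). ctx_parse, transition_context and check_requested_context are hypothetical helpers that only model the "user:role:type[:range]" string, and the current context user_u:user_r:user_t is a constructed assumption; on a real system security_check_context() remains the authoritative test before setcon().

```c
/* Added example, not code from the thread: a libselinux-free stand-in for the
 * getcon() -> context_new() -> context_type_set() -> context_str() -> setcon()
 * flow Stephen describes, plus the two checks Thomas's reply implies.  It only
 * models the "user:role:type[:range]" string; real code calls libselinux. */
#include <stdio.h>
#include <string.h>

#define CTX_MAX 256
#define FIELD_MAX 64

enum ctx_verdict {
	CTX_OK = 0,
	CTX_BAD_FORMAT = -1,	/* not user:role:type[:range] */
	CTX_OBJECT_ROLE = -2,	/* object_r labels files/sockets, never a process */
	CTX_USER_CHANGE = -3	/* user field differs from the current context */
};

struct ctx {
	char user[FIELD_MAX], role[FIELD_MAX], type[FIELD_MAX];
	char range[FIELD_MAX];	/* empty when there is no MLS range */
};

/* Split a context string into fields.  The first three may not contain ':';
 * whatever follows the third ':' is the MLS range, which may itself contain
 * ':' (e.g. "s0:c0.c1023").  Returns CTX_OK or CTX_BAD_FORMAT. */
int ctx_parse(const char *s, struct ctx *c)
{
	char buf[CTX_MAX], *p, *colon, *fields[4] = { NULL, NULL, NULL, NULL };
	int i;
	if (!s || strlen(s) >= sizeof buf)
		return CTX_BAD_FORMAT;
	strcpy(buf, s);
	memset(c, 0, sizeof *c);
	for (p = buf, i = 0; i < 3; i++) {
		fields[i] = p;
		colon = strchr(p, ':');
		if (!colon) {
			if (i < 2)
				return CTX_BAD_FORMAT;	/* fewer than three fields */
			p = NULL;			/* exactly three: no range */
			break;
		}
		*colon = '\0';
		p = colon + 1;
	}
	fields[3] = p;	/* remainder, if any, is the range */
	for (i = 0; i < 4; i++)
		if (fields[i] && (fields[i][0] == '\0' || strlen(fields[i]) >= FIELD_MAX))
			return CTX_BAD_FORMAT;	/* empty or oversized field */
	strcpy(c->user, fields[0]);
	strcpy(c->role, fields[1]);
	strcpy(c->type, fields[2]);
	if (fields[3])
		strcpy(c->range, fields[3]);
	return CTX_OK;
}

/* Build the string Stephen's program hands to setcon(): the current context
 * with only the type replaced.  Like context_str(), the result lives in
 * storage the caller must not free; NULL means an input was malformed. */
const char *transition_context(const char *current, const char *newtype)
{
	static char out[CTX_MAX];
	struct ctx c;
	int n;

	if (ctx_parse(current, &c) != CTX_OK || !newtype || newtype[0] == '\0' ||
	    strchr(newtype, ':') || strlen(newtype) >= FIELD_MAX)
		return NULL;
	strcpy(c.type, newtype);
	n = c.range[0]
		? snprintf(out, sizeof out, "%s:%s:%s:%s", c.user, c.role, c.type, c.range)
		: snprintf(out, sizeof out, "%s:%s:%s", c.user, c.role, c.type);
	return (n < 0 || (size_t)n >= sizeof out) ? NULL : out;
}

/* Pre-flight a hand-written context against the current one, naming what the
 * kernel would otherwise reject with a bare -1 from setcon(). */
int check_requested_context(const char *current, const char *requested)
{
	struct ctx cur, req;
	if (ctx_parse(current, &cur) != CTX_OK || ctx_parse(requested, &req) != CTX_OK)
		return CTX_BAD_FORMAT;
	if (strcmp(req.role, "object_r") == 0)
		return CTX_OBJECT_ROLE;
	if (strcmp(req.user, cur.user) != 0)
		return CTX_USER_CHANGE;
	return CTX_OK;
}

int main(void)
{
	/* Constructed current context: Ram runs in user_t; user_u is assumed. */
	const char *cur = "user_u:user_r:user_t";
	printf("%d\n", check_requested_context(cur, "system_u:object_r:libselinux_test_t"));
	printf("%d\n", check_requested_context(cur, "user_u:user_r:libselinux_test_t"));
	printf("%s\n", transition_context(cur, "libselinux_test_t"));
	return 0;
}
```

The first string from the original program is rejected before any syscall (verdict -2, object_r role), while Thomas's corrected string passes and the type-only rewrite reproduces what context_type_set() followed by context_str() yields.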


* Re: problems using setcon()
From: Kodungallur Varma @ 2005-03-29  3:55 UTC
  To: Stephen Smalley; +Cc: selinux

Hi Stephen and all,

       The following setconexample.c (attachment) really did help me,
but I have one more issue. I don't have the context_str() function. I
installed the 2.6.11.5 kernel and tried to apply the patches mentioned on
the NSA website. I updated to checkpolicy-1.22, libselinux-1.22,
policycoreutils-1.22, libsepol-1.4. I don't know if I am supposed to
upgrade to the above. I wanted to update to apply patch-2.6.11.6,
but I could not execute it and I don't know how to apply it. I wonder
why I don't have just the context_str().

Also, when I make load from the directory
/etc/selinux/strict/src/policy/, I have the following errors:

Validating file_contexts ...
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.19
/etc/selinux/strict/contexts/files/file_contexts
/usr/sbin/load_policy /etc/selinux/strict/policy/policy.19
sepol_genusers: Can't load system.users:  No such file or directory
/usr/sbin/load_policy:  Error while setting user configuration from
/etc/selinux/strict/users//{local.users,system.users}:  No such file
or directory
/usr/sbin/load_policy:  security_load_policy failed
make: *** [tmp/load] Error 3

Why is the above occurring?

Any help would do a great deal toward the completion of my thesis. Thanks in advance.

Ram



* Re: problems using setcon()
From: Stephen Smalley @ 2005-03-29 14:37 UTC
  To: Kodungallur Varma; +Cc: selinux

On Mon, 2005-03-28 at 22:55 -0500, Kodungallur Varma wrote:
>        the following setconexample.c(attachment) really did help me,
> but I have one more issue. I dont have the context_str() function.

What do you mean?  It is defined in libselinux.  You do need to link
with -lselinux, obviously, e.g.
	gcc -lselinux -o setconexample setconexample.c
context_str() is defined in libselinux/src/context.c, along with the
other context functions.

>  I
> installed the 2.6.11.5 kernel and tried to apply patches mentioned in
> the NSA website.

Any kernel >= 2.6.11 should be fine for using setcon().

>  I updated to the checkpolicy-1.22, libselinux-1.22,
> policycoreutils-1.22, libsepol-1.4. I dont know if I am supposed to
> upgrade to the above.

You only needed to have a libselinux that included setcon.  Not sure
whether the stock FC3 libselinux included it or not.  You didn't need to
update the rest.

>   I wanted to update to apply the patch-2.6.11.6.
> but I could not execute it and I dont know how to apply it.

They are relative to 2.6.11, right?

>  I wonder
> why I dont have just the context_str().

Yes, that doesn't make any sense to me either.

> also, when I make load from the directory
> /etc/selinux/strict/src/policy/, I have the following errors:
> 
> Validating file_contexts ...
> /usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.19
> /etc/selinux/strict/contexts/files/file_contexts
> /usr/sbin/load_policy /etc/selinux/strict/policy/policy.19
> sepol_genusers: Can't load system.users:  No such file or directory
> /usr/sbin/load_policy:  Error while setting user configuration from
> /etc/selinux/strict/users//{local.users,system.users}:  No such file
> or directory
> /usr/sbin/load_policy:  security_load_policy failed
> make: *** [tmp/load] Error 3
> 
> why is the above occuring?? 

You updated checkpolicy, libsepol and policycoreutils but didn't update
your policy.  Bad idea.  Either update your policy or roll back the
others.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency



* Re: problems using setcon()
From: Kodungallur Varma @ 2005-03-30  3:41 UTC
  To: Stephen Smalley; +Cc: selinux

Thanks a lot, the program worked. However, I need to change the policy
file (.te) often and so I need to make load it. I am unable to do that
at the moment due to the problem that I updated the following without
updating my policy:

checkpolicy-1.22
libsepol-1.4
policycoreutils-1.22

How do I uninstall them? Also, I tried the alternative of updating my
policy by doing
"yum install selinux-policy-strict-sources" and "yum install
selinux-policy-targeted-sources". The targeted version was updated,
but strict had "nothing to do"; it seems like it is up to date. I couldn't
"make load" after I updated, as the same problem (same error) persisted.

Could someone point out how to uninstall the above three packages?

Thanks,
Ram



* Re: problems using setcon()
From: Stephen Smalley @ 2005-03-30 12:35 UTC
  To: Kodungallur Varma; +Cc: selinux

On Tue, 2005-03-29 at 22:41 -0500, Kodungallur Varma wrote:
> thanx a lot..the program worked. however I need to change the policy
> file(.te) often and so I need to make load it. I am unable to do that
> at the moment due to the problem that I updated the following without
> updating my policy:
> 
> checkpolicy-1.22
> libsepol-1.4
> policycoreutils-1.22
> 
> how do I uninstall them??

You can grab the older checkpolicy, libsepol, and policycoreutils
packages from FC3 and re-install them with rpm -Uvh --oldpackage.

>  also I tried the alternative to update my
> policy by doing:
> "yum install selinux-policy-strict-sources" and "yum install
> selinux-policy-targeted-sources". the targeted version was updated,
> but strict had "nothing to do". seems like it is up to date.

You would need to update to the rawhide (FC4 development) policy; FC3
policy doesn't include these changes.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency



* attributes on the other end of a network connection
From: Kodungallur Varma @ 2005-04-20  2:09 UTC
  To: selinux; +Cc: sds

Hi all,

        I have a basic client and a server program. My server has the
capability to setcon() to a new domain, the client domain precisely.
My server needs to find the domain and user name of the client user (my
client tries to get a TCP connection first). I heard there is a
function which gives the context and attributes of the other end,
given the attributes got at the server's end, and vice versa. I don't
know where exactly to look for that function capability, but I am
starting in the libselinux library. For security reasons, my client
also needs to be able to execute this function to get the attributes
of the server, just to know that it is connecting to the right server.
If anyone knows about any such function, please pass it on to me. Thanks a lot.

Ram


* Re: attributes on the other end of a network connection
From: James Morris @ 2005-04-20  3:44 UTC
  To: Kodungallur Varma; +Cc: selinux, sds

On Tue, 19 Apr 2005, Kodungallur Varma wrote:

> Hi all,
> 
>         I have a basic client and a server program. my server has the
> capability to setcon() to a new domain, the client domain precisely.
> my server needs to find the domain and user name of the client user(my
> client tries to get a tcp connection first). I heard there is a
> function which gives the context and attributes of the other end,
> given the attributes got at the servers end and vice-versa.


The function you're looking for is getpeercon(3), which only currently 
works on Unix sockets.


- James
-- 
James Morris
<jmorris@redhat.com>




* Re: attributes on the other end of a network connection
From: Stephen Smalley @ 2005-04-20 12:19 UTC
  To: Kodungallur Varma; +Cc: selinux

On Tue, 2005-04-19 at 22:09 -0400, Kodungallur Varma wrote:
> Hi all,
> 
>         I have a basic client and a server program. my server has the
> capability to setcon() to a new domain, the client domain precisely.
> my server needs to find the domain and user name of the client user(my
> client tries to get a tcp connection first). I heard there is a
> function which gives the context and attributes of the other end,
> given the attributes got at the servers end and vice-versa. I dont
> know where exactly to look for that function capability, but I am
> starting in the libselinux library. for security reasons, my client
> also needs to be able to execute this function to get the attributes
> of the server, just to know that it is connecting to the right server.
> if anyone knows about any such function, please pass on to me. thanx a lot..

That requires some form of labeled networking support, which doesn't
exist in the mainline SELinux presently.  Older SELinux had an
experimental labeled networking implementation (Selopt) by James Morris
based on CIPSO/FIPS188 options, but the necessary security hooks and
fields weren't accepted into mainline Linux.  Trent Jaeger of IBM has
implemented implicit packet labeling based on IPSEC SA, and I believe
that there is work ongoing to provide such an interface using that
support, but that hasn't been merged yet.  getpeercon(3) is the existing
interface, but only works for Unix domain stream sockets presently, as
James noted.  

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency



* Re: attributes on the other end of a network connection
From: Kodungallur Varma @ 2005-05-04 15:30 UTC
  To: Stephen Smalley; +Cc: selinux

Hi Stephen and all,

         Is there any way to determine if a particular operation is
permitted given a security identifier (security_context_t)? Basically
I want a function or a way to determine if any process/user in the
domain returned by getpeercon() is allowed to do an operation, say
socket connect for example.

Thanks,
Ram


* Re: attributes on the other end of a network connection
From: Stephen Smalley @ 2005-05-05 11:28 UTC
  To: Kodungallur Varma; +Cc: selinux

On Wed, 2005-05-04 at 11:30 -0400, Kodungallur Varma wrote:
> Hi Stephen and all,
> 
>          is there any way to determine if a particular operation is
> permitted given a security identifier (security_context_t)? basically
> I want a function or a way to determine if any process/user in the
> domain returned by the getpeercon() is allowed to do an operation, say
> socket connect for example.

Yes.  There are two interfaces for doing this:
1) avc_has_perm(3).  This performs permission checks based on SIDs
(obtained via avc_context_to_sid(3)) and caches the results for
subsequent permission checks.   You need to invoke avc_init(3) to
perform initial setup.  These functions are part of the interface to the
userspace AVC (access vector cache), which is the userspace equivalent
to the kernel AVC used by the SELinux module for its permission
checking.  The userspace AVC is discussed in the selinux-doc/uavc
report.  See dbus for an example of using this interface.
2) security_compute_av(3).  This is the lower level interface for
computing an access vector (set of permissions) based on contexts,
without any caching of decisions.  It requires no setup to use, and may
be simpler if you don't need caching of the decisions for performance.
Internally, avc_has_perm(3) ends up calling this interface if the
decision is not already in the cache.  Example callers include:
- libselinux/src/checkAccess.c
- libselinux/utils/compute_av.c
- SELinux patch for cron

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency

