SELinux Mailing List

Re: policy hierarchy patch

From: Darrel Goeddel <dgoeddel_at_TrustedCS.com>
Date: Mon, 11 Apr 2005 15:39:35 -0500


Joshua Brindle wrote:

> On Thu, 2005-04-07 at 16:29 -0500, Darrel Goeddel wrote:
>
>> Joshua Brindle wrote:
>>
>>> On Thu, 2005-04-07 at 11:30 -0500, Darrel Goeddel wrote:
>>>
>>>> Stephen Smalley wrote:
>>>>
>>>>> The original hierarchy patch also collapsed the identifier and
>>>>> user_identifier together, thereby allowing "-" to occur in any
>>>>> identifier. As a result, if someone specifies s0-s9 in the policy
>>>>> without whitespace, it will be incorrectly interpreted as an attempt to
>>>>> specify a level named "s0-s9". Further, nothing prevents someone from
>>>>> defining a level or category name that includes a "-" presently.
>>>>> Options are to revert the change from the original patch that collapsed
>>>>> identifier and user_identifier together (only adding "." to identifier,
>>>>> not "-") or to add further handling to the action routines to deal with
>>>>> it.
>
> Ok, here is a patch against cvs (includes Darrel's MLS changes). It
> builds MLS and non-MLS policies with and without type and role
> hierarchies so this should be good to go, let me know if there are any
> other problems.
> 
> Joshua

Thanks for merging my changes into the main patch. I have a few additions in the attached patch, which is relative to your latest patch.

I had a possible double free in define_category. I added back the declaration for is_valid_identifier in policy_scan.l to avoid a warning. I also removed including '-' as a valid character in the standard IDENTIFIER (this is what we were after, right?). There are a few tweaks to the policy Makefile. The first is changing "s9 : c0.c127" to "s9:c0.c127" - I thought that was a bit more readable. The second is changing MLS=n to MLS=y in the makefile when running the mlsconvert target.

-- 

Darrel


Received on Mon 11 Apr 2005 - 16:41:42 EDT
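
The lexing problem discussed in this thread, shown as an added example that is not part of the original message or of the checkpolicy source. It is a simplified longest-match tokenizer; the names `tokenize` and `ident_char` and the character classes are assumptions, not the rules in policy_scan.l, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified lexer; NOT the actual rules from policy_scan.l. */
enum { MAX_TOKENS = 8, MAX_LEN = 32 };

/* May c appear after the first letter of an identifier? */
static int ident_char(int c, int allow_dash)
{
    return isalnum((unsigned char)c) || c == '_' || c == '.' ||
           (allow_dash && c == '-');
}

/* Longest-match tokenizer. Returns the token count, or -1 on an
 * unexpected character or when a fixed-size buffer would overflow. */
int tokenize(const char *s, int allow_dash, char out[MAX_TOKENS][MAX_LEN])
{
    int n = 0;
    while (*s) {
        if (isspace((unsigned char)*s)) { s++; continue; }
        if (n == MAX_TOKENS) return -1;
        size_t len = 1;
        if (isalpha((unsigned char)*s)) {
            /* Identifier: consume as many identifier characters as possible. */
            while (ident_char(s[len], allow_dash)) len++;
        } else if (*s != '-' && *s != ':') {
            return -1;              /* only '-' and ':' are punctuation here */
        }
        if (len >= MAX_LEN) return -1;
        memcpy(out[n], s, len);
        out[n][len] = '\0';
        n++;
        s += len;
    }
    return n;
}

int main(void)
{
    const char *samples[] = { "s0-s9", "s0 - s9" };   /* constructed inputs */
    char tok[MAX_TOKENS][MAX_LEN];
    for (int dash = 1; dash >= 0; dash--)
        for (int i = 0; i < 2; i++) {
            int n = tokenize(samples[i], dash, tok);
            printf("'-' in IDENTIFIER=%d  \"%s\" ->", dash, samples[i]);
            for (int k = 0; k < n; k++) printf(" [%s]", tok[k]);
            putchar('\n');
        }
    return 0;
}
```

With "-" in the identifier class, the unspaced range becomes a single identifier token and only the whitespace-separated form yields a range; with "-" excluded, both forms produce the same three tokens.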
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service