SELinux Mailing List
Re: policy hierarchy patch
From: Darrel Goeddel <dgoeddel_at_TrustedCS.com>
Date: Mon, 11 Apr 2005 15:39:35 -0500
> On Thu, 2005-04-07 at 16:29 -0500, Darrel Goeddel wrote:
>
>>Joshua Brindle wrote:
>>
>>>On Thu, 2005-04-07 at 11:30 -0500, Darrel Goeddel wrote:
>>>
>>>
>>>>Stephen Smalley wrote:
>>
>>>>>The original hierarchy patch also collapsed the identifier and
>>>>>user_identifier together, thereby allowing "-" to occur in any
>>>>>identifier. As a result, if someone specifies s0-s9 in the policy
>>>>>without whitespace, it will be incorrectly interpreted as an attempt to
>>>>>specify a level named "s0-s9". Further, nothing prevents someone from
>>>>>defining a level or category name that includes a "-" presently.
>>>>>Options are to revert the change from the original patch that collapsed
>>>>>identifier and user_identifier together (only adding "." to identifier,
>>>>>not "-") or to add further handling to the action routines to deal with
>>>>>it.
>>>>>
>>>
>>>
>
> Ok, here is a patch against cvs (includes Darrel's MLS changes). It
> builds MLS and non-MLS policies with and without type and role
> hierarchies so this should be good to go, let me know if there are any
> other problems.
>
> Joshua

Thanks for merging my changes into the main patch. I have a few additions in
the attached patch, which is relative to your latest patch.

I had a possible double free in define_category. I added back the declaration
for is_valid_identifier in policy_scan.l to avoid a warning. I also removed
including '-' as a valid character in the standard IDENTIFIER (this is what we
were after, right?).

There are a few tweaks to the policy Makefile. The first is changing
"s9 : c0.c127" to "s9:c0.c127" - I thought that was a bit more readable. The
second is changing MLS=n to MLS=y in the makefile when running the mlsconvert
target.

--
Darrel

Received on Mon 11 Apr 2005 - 16:41:42 EDT
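The scanner ambiguity described in the quoted text above, as an added example that is not part of the original message or of the checkpolicy sources. It uses a simplified identifier rule (an assumption, not the real policy_scan.l pattern); `tokenize`, `ident_char` and `allow_dash` are hypothetical names, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the scanner's IDENTIFIER rule (an assumption):
 * a letter, then letters, digits, '_' or '.'. '-' is accepted only when
 * allow_dash is set, modelling the collapsed identifier/user_identifier. */
static int ident_char(int c, int allow_dash)
{
    return isalnum(c) || c == '_' || c == '.' || (allow_dash && c == '-');
}

/* Longest-match tokenizer. Writes the tokens, space-separated, to out and
 * returns the token count, or -1 on an unexpected character or overflow. */
int tokenize(const char *s, int allow_dash, char *out, size_t outsz)
{
    int count = 0;
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (*s) {
        if (isspace((unsigned char)*s)) { s++; continue; }
        const char *start = s;
        if (isalpha((unsigned char)*s)) {
            while (*s && ident_char((unsigned char)*s, allow_dash)) s++;
        } else if (*s == '-' || *s == ':' || *s == ',') {
            s++;                        /* single-character punctuation */
        } else return -1;
        size_t len = (size_t)(s - start);
        if (used + len + 2 > outsz) return -1;
        if (count) out[used++] = ' ';
        memcpy(out + used, start, len);
        used += len;
        out[used] = '\0';
        count++;
    }
    return count;
}

int main(void)
{
    const char *inputs[] = { "s0-s9", "s0 - s9" };   /* constructed */
    char buf[64];
    for (size_t i = 0; i < 2; i++)
        for (int dash = 1; dash >= 0; dash--)
            printf("%-8s dash=%d -> %d token(s): %s\n", inputs[i], dash,
                   tokenize(inputs[i], dash, buf, sizeof buf), buf);
    return 0;
}
```

With '-' in the identifier class, `s0-s9` comes back as a single token, which is the misread level name; without it, the same text splits into the low level, the range operator and the high level, matching the whitespace-separated form.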
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |