Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRE: [patch] libsepol: clarify and reduce neverallow error reporting
From: Brian M. Williams <bwilliams_at_tresys.com>
Date: Mon, 3 Dec 2007 15:29:53 -0500
Bailing after the first neverallow will make it much harder to write policy IMHO. I have used neverallows in the past to define security goals for custom systems and there be 20+ violations to the neverallows after I first define them. Now I might have to compile the policy 20+ times in order to clean up each neverallow which can be a very time consuming task.
> ++++++++++++++++++++++++++++------------------- > 1 file changed, 28 insertions(+), 19 deletions(-) > >Index: trunk/libsepol/src/assertion.c >=================================================================== >--- trunk/libsepol/src/assertion.c (revision 2690) >+++ trunk/libsepol/src/assertion.c (working copy) >@@ -59,11 +59,21 @@ > return 0; > > err: >- ERR(handle, "assertion on line %lu violated by allow %s %s:%s {%s };", >- line, p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype],> } > >@@ -74,7 +84,7 @@ > avtab_t te_avtab, te_cond_avtab; > ebitmap_node_t *snode, *tnode; > unsigned int i, j; >- int errors = 0; >+ int rc; > > if (!avrules) { > /* Since assertions are stored in avrules, if it is NULL >@@ -111,32 +121,31 @@ > if (a->flags & RULE_SELF) { > if (check_assertion_helper > (handle, p, &te_avtab, &te_cond_avtab, i, i, >- a->perms, a->line)) >- errors++; >+ a->perms, a->line)) { >+ rc = -1; >+ goto out; >+ } > } > ebitmap_for_each_bit(ttypes, tnode, j) { > if (!ebitmap_node_get_bit(tnode, j)) > continue; > if (check_assertion_helper > (handle, p, &te_avtab, &te_cond_avtab, i, j, >- a->perms, a->line)) >- errors++; >+ a->perms, a->line)) { >+ rc = -1; >+ goto out; >+ } > } > } > } > >- if (errors) { >- ERR(handle, "%d assertion violations occured", errors); >- avtab_destroy(&te_avtab); >- avtab_destroy(&te_cond_avtab); >- return -1; >- } >- >+ rc = 0; >+out: > avtab_destroy(&te_avtab); > avtab_destroy(&te_cond_avtab); >- return 0; >+ return rc; > > oom: >- ERR(handle, "Out of memory - unable to check assertions"); >+ ERR(handle, "Out of memory - unable to check neverallows"); > return -1; > } > >-- >Stephen Smalley >National Security Agency > > >-- >This message was distributed to subscribers of the selinux mailing list. >If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >the words "unsubscribe selinux" without quotes as the message. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Mon 3 Dec 2007 - 15:30:06 EST |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |