SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Skip Research Menus

Research Menu

Research Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List RE: [patch] libsepol: clarify and reduce neverallow error reporting This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] [ Replies ] From: Brian M. Williams <bwilliams_at_tresys.com> Date: Mon, 3 Dec 2007 15:29:53 -0500 >-----Original Message----- >From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Stephen Smalley >Sent: Thursday, November 29, 2007 9:52 AM >To: selinux@tycho.nsa.gov >Cc: Daniel J Walsh; Joshua Brindle >Subject: [patch] libsepol: clarify and reduce neverallow error reporting > >Alter the error reporting for neverallow failures to be clearer, i.e. >use the word neverallow instead of assertion and don't report a line number >if we don't have that information, and bail on the first such error rather >than flooding the user with multiple ones, since any such error is fatal. Bailing after the first neverallow will make it much harder to write policy IMHO. I have used neverallows in the past to define security goals for custom systems and there be 20+ violations to the neverallows after I first define them. Now I might have to compile the policy 20+ times in order to clean up each neverallow which can be a very time consuming task. > >Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > >--- > > libsepol/src/assertion.c \| 47 ++++++++++++++++++++++++++++------------------- > 1 file changed, 28 insertions(+), 19 deletions(-) > >Index: trunk/libsepol/src/assertion.c >=================================================================== >--- trunk/libsepol/src/assertion.c (revision 2690) >+++ trunk/libsepol/src/assertion.c (working copy) >@@ -59,11 +59,21 @@ > return 0; > > err: >- ERR(handle, "assertion on line %lu violated by allow %s %s:%s {%s };", >- line, p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype], >- p->p_class_val_to_name[curperm->class - 1], >- sepol_av_to_string(p, curperm->class, >- node->datum.data & curperm->data)); >+ if (line) { >+ ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };", >+ line, p->p_type_val_to_name[stype], >+ p->p_type_val_to_name[ttype], >+ p->p_class_val_to_name[curperm->class - 1], >+ sepol_av_to_string(p, curperm->class, >+ node->datum.data & curperm->data)); >+ } else { >+ ERR(handle, "neverallow violated by allow %s %s:%s {%s };", >+ p->p_type_val_to_name[stype], >+ p->p_type_val_to_name[ttype], >+ p->p_class_val_to_name[curperm->class - 1], >+ sepol_av_to_string(p, curperm->class, >+ node->datum.data & curperm->data)); >+ } > return -1; > } > >@@ -74,7 +84,7 @@ > avtab_t te_avtab, te_cond_avtab; > ebitmap_node_t snode, tnode; > unsigned int i, j; >- int errors = 0; >+ int rc; > > if (!avrules) { > / Since assertions are stored in avrules, if it is NULL* >@@ -111,32 +121,31 @@ > if (a->flags & RULE_SELF) { > if (check_assertion_helper > (handle, p, &te_avtab, &te_cond_avtab, i, i, >- a->perms, a->line)) >- errors++; >+ a->perms, a->line)) { >+ rc = -1; >+ goto out; >+ } > } > ebitmap_for_each_bit(ttypes, tnode, j) { > if (!ebitmap_node_get_bit(tnode, j)) > continue; > if (check_assertion_helper > (handle, p, &te_avtab, &te_cond_avtab, i, j, >- a->perms, a->line)) >- errors++; >+ a->perms, a->line)) { >+ rc = -1; >+ goto out; >+ } > } > } > } > >- if (errors) { >- ERR(handle, "%d assertion violations occured", errors); >- avtab_destroy(&te_avtab); >- avtab_destroy(&te_cond_avtab); >- return -1; >- } >- >+ rc = 0; >+out: > avtab_destroy(&te_avtab); > avtab_destroy(&te_cond_avtab); >- return 0; >+ return rc; > > oom: >- ERR(handle, "Out of memory - unable to check assertions"); >+ ERR(handle, "Out of memory - unable to check neverallows"); > return -1; > } > >-- >Stephen Smalley >National Security Agency > > >-- >This message was distributed to subscribers of the selinux mailing list. >If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with >the words "unsubscribe selinux" without quotes as the message. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Mon 3 Dec 2007 - 15:30:06 EST This message: [ Message body ] Next message: Stephen Smalley: "RE: [patch] libsepol: clarify and reduce neverallow error reporting" Previous message: Daniel J Walsh: "Re: libsemanage patch" In reply to: Stephen Smalley: "[patch] libsepol: clarify and reduce neverallow error reporting" Next in thread: Stephen Smalley: "RE: [patch] libsepol: clarify and reduce neverallow error reporting" Reply: Stephen Smalley: "RE: [patch] libsepol: clarify and reduce neverallow error reporting" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom