SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List Re: policy hierarchy patch This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: Stephen Smalley <sds_at_tycho.nsa.gov> Date: Wed, 13 Apr 2005 12:16:12 -0400 On Wed, 2005-04-06 at 16:38 -0500, Darrel Goeddel wrote: > There is a slightly modified behavior with this patch. Previously, if you > specified a category that did not exist (or was not allowed to be associated > with the specified sensitivity) in a context or rule with mls portions, the > compiler would issue a warning and keep on chugging. This generated a perfectly > nice policy, but you may not be getting what you wanted due to a typo or > misconfiguration because you missed a warning. The compiler now treats these > circumstances as errors just as if you tried to use a type that does not exist > in an allow rule. Just to clarify, anytime the compiler calls yyerror (which it was doing for these errors), it was incrementing policydb_errors, and checkpolicy checks policydb_errors after yyparse() returns and bails out at that point if it is non-zero. Hence, the compiler wasn't treating them as just warnings, but was proceeding to parse the rest of the policy since the error didn't prevent continued processing (e.g. so that if you had several such errors, they would all get reported in one pass rather than having to repeatedly fix-and-compile, fix-and-compile, ...). -- Stephen Smalley <sds@tycho.nsa.gov> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Wed 13 Apr 2005 - 12:34:35 EDT This message: [ Message body ] Next message: Stephen Smalley: "Re: policy hierarchy patch" Previous message: Lorenzo Hernández García-Hierro: "Re: selinux-policy-targeted (1:1.22-2) available" In reply to: Darrel Goeddel: "Re: policy hierarchy patch" Next in thread: Stephen Smalley: "Re: policy hierarchy patch" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom