Most of the users of ebitmap_for_each_bit() macro only care for the set
bits, so introduce a new ebitmap_for_each_positive_bit() macro that
skips the unset bits. Replace uses of ebitmap_for_each_bit() with the
new macro where appropriate.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
lunch && make -j
repo upload .
Test: compiles and boots
Change-Id: I26d19e9a6e0a8899e77b5d53b23a6dac19a3d8e9
Currently checkpolicy can produce binary policies for earlier policy versions
to provide support for building policies on one machine and loading/analyzing
them on another machine with an earlier version of the kernel or libsepol,
respectively. However, checkmodule was lacking this capability.
This commit adds an identical `-c` flag that can be passed to checkmodule that
will build a modular policy file of the specified version.
Signed-off-by: Gary Tierney <gary.tierney@fastmail.com>
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
lunch && make -j
repo upload .
Test: compiles and boots
Change-Id: I75ccf5307012a2517c0fdf13bea806e10b8b8595
Additionally, resolve build time errors due to
c19395d722
libselinux: selinux_set_mapping: fix handling of unknown classes/perm
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
lunch && make -j
repo upload .
Test: device boots and no obvious problems.
Change-Id: Ib3a6c086ceadaeaaaf35498d53b2b3e3ad5b8945
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
repo upload .
Test: device compiles and boots
Change-Id: If92a0b5e99e69ac0434197fa848b736b9cf0bf77
- Add description of -S option
- Sort the option descriptions based on the synopsis
- Add missing options to synopsis
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
repo upload .
Test: device boots and no obvious problems.
Change-Id: I6beff804808e92d1002ead226c7d5c702f373cdc
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
repo upload .
Test: Android compiles and no obvious problems.
Change-Id: I526e8c09eb7cb7f73fe771fd1295bb406514589b
Add an option, specified by "-S" or "--sort", to sort the ocontexts
before writing out the binary policy.
Binary policies created by semanage and secilc are always sorted, so
this option allows checkpolicy to be consistent with those. It has
not been made the default to maintain backwards compatibility for
anyone who might be depending on the unsorted behavior of checkpolicy.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
In particular, this merges in
https://github.com/SELinuxProject/selinux/pull/99 , which makes Android
builds quieter.
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
repo upload .
Test: compiles/boots no problems.
Bug: 115998215
Change-Id: I0be55971cfc0c18722ff0ac755864b1b4b6657e0
Reduce noise when calling the checkpolicy command line. In Android, this
creates unnecessary build noise which we'd like to avoid.
https://en.wikipedia.org/wiki/Unix_philosophy
Rule of Silence
Developers should design programs so that they do not print
unnecessary output. This rule aims to allow other programs
and developers to pick out the information they need from a
program's output without having to parse verbosity.
An alternative approach would be to add a -s (silent) option to these
tools, or to have the Android build system redirect stdout to /dev/null.
Signed-off-by: Nick Kralevich <nnk@google.com>
Followed the following steps:
# In repo client
cd external/selinux
repo sync .
repo start mymerge .
git merge aosp/upstream-master --no-ff # resolve any conflicts
repo upload .
Test: compiles/boots no problems.
Change-Id: I4cd9f73fbbb818ef7fa07ff8dd183f8a7e892345
require_class() allocate memory for its variable "class_datum_t *datum"
and calls symtab_init(&datum->permissions, PERM_SYMTAB_SIZE). If this
second call fails, datum is not freed.
Fix this memory leak.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.
For example, these statements resolve to false in policy language:
expandattribute hal_audio true;
expandattribute hal_audio false;
Similarly, in CIL these also resolve to false.
(expandtypeattribute (hal_audio) true)
(expandtypeattribute (hal_audio) false)
A warning will be issued on this conflict.
Motivation
When Android combines multiple .cil files from system.img and vendor.img
it's possible to have conflicting expandattribute statements.
This change deals with this scenario by resolving the value of the
corresponding expandtypeattribute to false. The rationale behind this
override is that true is used for reduce run-time lookups, while
false is used for tests which must pass.
Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library
and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
* Use -Wno-error= to keep existing warnings to fix later.
Bug: 66996870
Test: build with WITH_TIDY=1
Change-Id: I0e84d5fb2ae2ae68a687a0b6b81eb64a983db57c
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.
Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin
After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying a IB end port sid to checkpolicy.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Add checkpolicy support for scanning and parsing ibendportcon labels.
Also create a new ocontext for IB end ports.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Add support for reading, writing, and copying Infiniband Pkey ocontext
data. Also add support for querying a Pkey sid to checkpolicy.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Add checkpolicy support for scanning and parsing ibpkeycon labels. Also
create a new ocontext for Infiniband Pkeys and define a new policydb
version for infiniband support.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Presently we support xperms rules in source policy and in CIL modules.
The binary policy module format however was never extended for xperms.
This limitation inhibits use of xperms in refpolicy-based policy modules
(including the selinux-testsuite policy). Update libsepol to support
linking, reading, and writing a new binary policy module version that
supports xperms rules. Update dismod to display xperms rules in binary
policy modules.
Also, to support use of a non-base binary policy module with a newer
version on a system using a base policy module with an older version,
automatically upgrade the version during module linking. This facilitates
usage of newer features in non-base modules without requiring rebuilding
the base module.
Tests:
1. Add an allowxperms rule to the selinux-testsuite policy and
confirm that it is properly written to the binary policy module
(displayed by dismod), converted to CIL (the latter was already supported),
and included in the kernel policy (via dispol and kernel test).
2. Use semodule_link and semodule_expand to manually link and expand
all of the .pp files via libsepol, and confirm that the allowxperms rule
is correctly propagated to the kernel policy. This test is required to
exercise the legacy link/expand code path for binary modules that predated
CIL.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
s6_addr32 is not portable; use s6_addr instead.
This obviates the need for #ifdef __APPLE__ conditionals in these cases.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit adds attribute expansion statements to the policy
language allowing compiler defaults to be overridden.
Always expands an attribute example:
expandattribute { foo } true;
CIL example:
(expandtypeattribute (foo) true)
Never expand an attribute example:
expandattribute { bar } false;
CIL example:
(expandtypeattribute (bar) false)
Adding the annotations directly to policy was chosen over other
methods as it is consistent with how targeted runtime optimizations
are specified in other languages. For example, in C the "inline"
command.
Motivation
expandattribute true:
Android has been moving away from a monolithic policy binary to
a two part split policy representing the Android platform and the
underlying vendor-provided hardware interface. The goal is a stable
API allowing these two parts to be updated independently of each
other. Attributes provide an important mechanism for compatibility.
For example, when the vendor provides a HAL for the platform,
permissions needed by clients of the HAL can be granted to an
attribute. Clients need only be assigned the attribute and do not
need to be aware of the underlying types and permissions being
granted.
Inheriting permissions via attribute creates a convenient mechanism
for independence between vendor and platform policy, but results
in the creation of many attributes, and the potential for performance
issues when processes are clients of many HALs. [1] Annotating these
attributes for expansion at compile time allows us to retain the
compatibility benefits of using attributes without the performance
costs. [2]
expandattribute false:
Commit 0be23c3f15 added the capability to aggresively remove unused
attributes. This is generally useful as too many attributes assigned
to a type results in lengthy policy look up times when there is a
cache miss. However, removing attributes can also result in loss of
information used in external tests. On Android, we're considering
stripping neverallow rules from on-device policy. This is consistent
with the kernel policy binary which also did not contain neverallows.
Removing neverallow rules results in a 5-10% decrease in on-device
policy build and load and a policy size decrease of ~250k. Neverallow
rules are still asserted at build time and during device
certification (CTS). If neverallow rules are absent when secilc is
run, some attributes are being stripped from policy and neverallow
tests in CTS may be violated. [3] This change retains the aggressive
attribute stripping behavior but adds an override mechanism to
preserve attributes marked as necessary.
[1] https://github.com/SELinuxProject/cil/issues/9
[2] Annotating all HAL client attributes for expansion resulted in
system_server's dropping from 19 attributes to 8. Because these
attributes were not widely applied to other types, the final
policy size change was negligible.
[3] data_file_type and service_manager_type are stripped from AOSP
policy when using secilc's -G option. This impacts 11 neverallow
tests in CTS.
Test: Build and boot Marlin with all hal_*_client attributes marked
for expansion. Verify (using seinfo and sesearch) that permissions
are correctly expanded from attributes to types.
Test: Mark types being stripped by secilc with "preserve" and verify
that they are retained in policy and applied to the same types.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
The toolchain automatically handles them and they break cross compiling.
LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)
Gentoo-Bug: https://bugs.gentoo.org/500674
Signed-off-by: Jason Zaman <jason@perfinion.com>
Please see go/android-upstream for merging a remote tracking branch into
Android. Automatic replication is already enabled for external/selinux.
This just merges those changes into Android's master branch.
The following patches are included in this merge:
7fe9a7be libsepol/cil: use __cil_ordered_lists_destroy() to free unordered_classorder_lists
602385d7 libsepol/cil: free the first operand if the second one is invalid
9feaf038 libsepol/cil: do not leak left-hand side of an invalid constraint
95e5c103 libsepol/cil: free bitmaps in cil_level_equals()
a2d40aae libsepol/cil: Move initialization of bitmap in __cil_permx_to_bitmap()
1cd3e1a4 libselinux, libsemanage: make PYPREFIX computation more robust
ed51e23f sepolgen: strip non-printable characters when parsing audit messages
32288896 semodule_package: do not leak memory when using -u or -s
ddaf0afe libsepol/cil: do not dereference args before checking it was not null
4176a292 libsemanage: never call memcpy with a NULL value
ccfbd9aa libsemanage/tests: include libsepol headers from $DESTDIR
6305bfbc mcstrans: do not dereference color_str if it is NULL
ded385d3 libselinux: initialize temp value in SWIG wrapper to prevent freeing garbage
43b24f01 libsepol: Define cgroup_seclabel policy capability
e720859f restorecond: add noreturn attribute to exitApp()
ef61dd7d checkpolicy: add noreturn attribute to usage()
840a7c91 secilc: add noreturn attribute to usage()
2f8926f7 mcstrans: add noreturn attribute to usage()
28a6a560 semodule-utils: add noreturn attribute to usage()
cd20f9c2 policycoreutils: add noreturn attribute to usage()
718bc4bc python/sepolicy: fix obtaining domain name in HTMLManPages
fba9d010 Python 3.6 invalid escape sequence deprecation fixes
317743bb python/semanage: fix export of fcontext socket entries
08648145 libsepol/cil: make reporting conflicting type transitions work
6707526f libsepol/cil: avoid freeing uninitialized values
9087bb9c checkpolicy: dereference rangehead after checking it was not NULL
dd11ab6f checkpolicy: Fix minor memory leak in checkpolicy
c408c70b libsepol/cil: Allow hexadecimal numbers in Xen context rules
526d0dad libsepol: Update module_to_cil to output hexadecimal for Xen rules
da2f2316 libsepol/cil: Use hexadecimal numbers when writing Xen rules
af0ce03e libsepol/cil: Add hexadecimal support for Xen ioportcon statements
4ccc267f mcstrans: fix typo in mcstransd.8 man page
6e3c3595 libsepol/cil: do not dereference a NULL pointer when calloc() fails
8c662db9 policycoreutils: fixfiles should handle path arguments more robustly
d0fafe03 policycoreutils: fixfiles: handle unexpected spaces in command
1da6fb06 policycoreutils/setfiles: stdout messages don't need program prefix
1ac883f1 policycoreutils/setfiles: don't scramble stdout and stderr together
5ed45797 policycoreutils: fixfiles: remove useless use of cat
a83f1cfd libsepol: do not dereference a NULL pointer when stack_init() fails
76f8c04c libsepol: make process_boolean() fail on invalid lines
b6579d26 libsepol: constify sepol_genbools()'s boolpath parameter
b251dbba libsepol: fix use-after-free in sepol_user_clone()
0438d5c4 libsemanage: do not close uninitialized file descriptors
85da6194 libsemanage: do not dereference a NULL pointer when calloc() fails
03298a22 libsemanage: genhomedircon: fix possible double-free
70a480bf libsepol: Add ability to convert binary policy to CIL
0a08fd1e libsepol: Add ability to convert binary policy to policy.conf file
13c27d6c checkpolicy: Add options to convert binary policy to CIL or a policy.conf
92f22e19 libsepol: In module_to_cil create one attribute for each unique set
Bug: 36508258
Test: code compiles and device boots, no obvious problems.
Change-Id: Id4b3df6aa651eca267f4fc28af1cfeb8825218c0
Use the same option "-C" used to ouput CIL from a policy.conf, but now
generate CIL from a binary policy instead of giving an error.i
Use the option "-F" to generate a policy.conf file from a binary policy.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
sepol_set_sidtab() is called without calling sepol_sidtab_destroy().
This is not a big deal, since checkpolicy does not run for long, but
it does add noise when checking for other, more important, leaks.
Call sepol_sidtab_destroy() before exiting if not in debug mode.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Please see go/android-upstream for merging a remote tracking branch into
Android. Automatic replication is already enabled for external/selinux.
This just merges those changes into Android's master branch.
Changes in this merge:
1cd972fc libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname
5b0ad2f0 libsemanage: genhomedircon: consider SEMANAGE_FCONTEXT_DIR in fcontext_matches()
baee7238 semanage, sepolicy: make tests not fail on systems without SELinux
dcd135cc Re-link programs after libsepol.a is updated
fd9e5ef7 libsepol: use constant keys in hashtab functions
ebe24ad2 libsepol: verify the right variable after calling calloc()
69ec21ce libsepol: remove useless assignments
6351fed5 libselinux: always free catalog in db_init()
6c853f3f libselinux: fix argument order in get_default_context_with_rolelevel() doc
cdc653a4 policycoreutils/hll/pp: Fix pp crash when processing base module
4a05e95f libsepol compilation fixes for macOS.
aa1a8a3c checkpolicy: always free id in define_type()
0a0d0552 checkpolicy: fix memory leaks in define_filename_trans()
42658e72 checkpolicy: add a missing free(id) in define_roleattribute()
7da9bc00 checkpolicy: do not leak memory when a class is not found in an avrule
ac7899fc policycoreutils: let output of `fixfiles` be redirected (as normal)
bd4ffeb4 policycoreutils/setfiles: set up a logging callback for libselinux
b88c4a47 libselinux: disable filespec hash table stats on non-debug builds
05abcb1d libselinux/src/regex.c: support old compilers for the endian check
1ef665cb libsepol: fix pp module to cil nodecon statement
b9213c7f libselinux: selinux_restorecon.3 man page typo fix
454768f5 setfiles: Fix setfiles progress indicator
cfea3971 policycoreutils: remove deprecated -o option from fixfiles verify
daaaf28b checkpolicy: Create common function for type declares and requires
bd057680 checkpolicy: Create common function for role declares and requires
a141c0d1 checkpolicy: Create common function for user declares and requires
a7a06789 checkpolicy: Cleanup error messages
d676e7ce checkpolicy: Move common require and declare code into new function
b6f3e008 checkpolicy: Improve check for identifier flavor mismatch
8adbd615 libsepol: Return +1 when declaration is followed by a require
5d56c267 checkpolicy: Remove uneeded return check in require_symbol()
192153db checkpolicy: Make print_error_msg() static
d6b5b037 libsepol: fix -Wwrite-strings warnings
a51b30ae libsemanage: make lang_ext parameter const in semanage_direct_write_langext()
2f94ac47 policycoreutils/hll/pp: fix -Wwrite-strings warnings
0df0b25d mcstrans: fix -Wwrite-strings warnings
9c770fe8 semodule_deps: hide -Wwrite-strings warnings
c33fd02d libsepol/tests: fix -Wwrite-strings warnings
68a4203f libsemanage/tests: fix -Wwrite-strings warnings
1f312a92 policycoreutils/semodule: fix -Wwrite-strings warnings
eeafde13 libsepol/cil: fix type confusion in cil_copy_ast
c9adfe2d Introduce Travis-CI tests
9edcf28a libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST
Test: device boots and no obvious problems.
Change-Id: I4163a68b8b72c6d4e089803862a4998e0bd09e85
Since symtab_insert() no longer returns -2 in the case of a
declaration of an identifier followed by a require of the same
symbol, remove the uneeded check.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
An identifier flavor mismatch occurs when an identifier is
declared or required as a regular role or type in one place but as
an attribute in another place.
Currently there is only a check for an identifier flavor mismatch
when a type has already been declared and there is a require of
the same type in the same scope. There are no checks if the require
comes first and there are no checks for roles.
Check for an identifier flavor mismatch for both roles and types
whenever a declaration or requirement tries to add an identifier
that is already in the symtab.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Move common code from declare_symbol() and require_symbol() to a new
function named create_symbol().
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Add the new function print_error_msg() to print an error message
based on the local error number and symbol_type. Remove the
duplicate switch statements used throughout module_complier.c
to display error messages.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Move common code out of declare_role() and require_role_or_attribute()
into the new function create_role().
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Move common code out of declare_type() and require_type_or_attribute()
into the new function create_type().
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
While checkmodule tries to compile the following policy file and fails
because class "process" is not found, it does not free some allocated
memory:
module ckpol_leaktest 1.0.0;
require {type TYPE1;}
allow TYPE1 self:process fork;
clang memory sanitier output is:
=================================================================
==16050==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 136 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
#1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
#2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
#3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
#4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
#5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
#1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
#1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27
Indirect leak of 18 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
#1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
#2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
#3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
#4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
#5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When parsing type_transition statements with names, the memory allocated
by the type set bitmaps of variable stypes and ttypes was never freed.
Call type_set_destroy() to free this memory and, while at it, make the
function exits without leaking memory when exiting with an error.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In function define_type(), some error conditions between "id =
queue_remove(id_queue)" and "get_local_type(id, attr->s.value, 1)"
returned without freeing id. Fix theses memory leaks.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.
While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This merge was generated by following the instructions at
go/upstream-maintainers
Contains the following commits:
4791a99d python: Fix some typos
31fcd66d python/sepolicy/sepolicy/gui: Reflect sepolicy changes into gui
d479baa8 libsepol: Define extended_socket_class policy capability
ef387e88 python/sepolicy/sepolicy: Cleanup of gui code
8fe1b0ca python/sepolicy/sepolicy: optimise sepolicy gui loading
fc3d8cea selinux(8): fix display of man page references
7179fd87 man: standardize spacing with pointers in prototypes
af18b86e libsepol/cil: remove avrules with no affected types
bec41c4f policycoreutils/setfiles: Mention customizable types in restorecon man page
e51b2338 libsemanage/tests: make "make test" fail when a CUnit test fails
9e0cf6ec libsemanage/tests: make tests standalone
fd6bc593 libsemanage/tests: test more cases of semanage_split*()
a228bb37 libsemanage: simplify string utilities functions
57a3b1b4 libsemanage: add semanage_str_replace() utility function
300b8ad4 libsemanage: genhomedircon: drop ustr dependency
920ee9ee libsemanage: remove ustr library from Makefiles, README and pkg-config
055d14a9 libselinux/utils: do not create an empty /sbin directory
5db4537f libselinux: Fix unitialized variable compiler warnings
0abc25a3 libsemanage: Fix unitialized variable compiler warnings
c3b8d4aa libsepol/tests: fix -Wsometimes-uninitialized clang warnings
c39289c9 libsepol/tests: fix some memory leaks
da002468 checkpolicy: free id in define_port_context()
6ef96094 checkpolicy: fix memory leaks in genfscon statements parsing
47f61b0e checkpolicy: do not leak queue elements in queue_destroy()
c1ba8311 checkpolicy: free id where it was leaked
aa115d00 policycoreutils/restorecond: Decrease loglevel of termination message
58fb53bc libsemanage: genhomedircon: remove duplicated test condition
1004a3b3 libsemanage: increment the right index variable in for loop
0399ec64 libselinux: Generate SWIG wrappers for selinux_restorecon()
14f07097 libselinux: Rewrite restorecon() python method
d7b0941e checkpolicy: fix memory usage in define_bool_tunable()
d4923b49 libsepol: make capability index an unsigned int
3c85f9f1 libselinux: include errno.h instead of sys/errno.h
61f760b7 checkpolicy: always include ctypes.h
c667b33a mcstransd: fix and reorder includes
62f05898 policycoreutils, python: Fix bad manpage formatting in "SEE ALSO"
0e67689d restorecon manpage: link back to fixfiles
d66c54e2 libselinux: selinux_restorecon: only log no default label warning if recursive
6a2e352d libselinux: replace all malloc + memset by calloc in android label backend.
90889884 policy_define.c: don't free memory returned from queue_head()
Test: Device boots and no obvious problems
Change-Id: I726d5a6329061f1946ad056c52b42c9c4fb2b92b
Unlike queue_remove(), queue_head() does not modify the queue, but
rather, returns a pointer to an element within the queue. Freeing the
memory associated with a value returned from that function corrupts
subsequent users of the queue, who may try to reference this
now-deallocated memory.
This causes the following policy generation errors on Android:
FAILED:
out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
/bin/bash -c "out/host/linux-x86/bin/checkpolicy -M -C -c 30 -o
out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf"
system/sepolicy/public/app.te:241:ERROR 'only ioctl extended permissions
are supported' at token ';' on line 6784:
#line 241
} };
checkpolicy: error(s) encountered while parsing configuration
because the value of "id" in:
id = queue_remove(id_queue);
if (strcmp(id,"ioctl") == 0) {
...
} else {
yyerror("only ioctl extended permissions are supported");
...
}
is now garbage.
This is a partial revert of the following commit:
c1ba8311 checkpolicy: free id where it was leaked
Signed-off-by: Nick Kralevich <nnk@google.com>
The prototype of isdigit() is provided by ctypes.h header. Without
including this file, gcc fails to build checkpolicy using musl libc:
checkpolicy.c: In function ‘main’:
checkpolicy.c:705:8: error: implicit declaration of function
‘isdigit’ [-Werror=implicit-function-declaration]
if (isdigit(ans[0])) {
^~~~~~~
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In an error path of define_bool_tunable(), variable id is freed after
being used by a successful call to declare_symbol(). This may cause
trouble as this pointer may have been used as-is in the policy symtab
hash table.
Moreover bool_value is never freed after being used. Fix this memory
leak too. This leak has been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Several functions in policy_define.c do not free id after handling it.
Add the missing free(id) statements.
The places where free(id) was missing were found both with gcc Address
Sanitizer and manual code inspection.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Elements which are inserted into a queue_t object are either NULL (from
insert_separator()) or strings allocated with malloc() in insert_id().
They would be freed if there are still present in the queue when it is
destroyed. Otherwise the memory allocated for these elements would be
leaked.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When parsing several genfscon statements for the same filesystem, the
content of local variable "fstype" is never freed. Moreover variable
"type" is never freed when define_genfs_context_helper() succeeds.
Fix these leaks by calling free() appropriately.
These leaks have been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Variable id is almost never freed in define_port_context().
This leak has been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Changes included in this merge:
9872b04a libsepol: check decl_id bounds before using it
fb237459 libsepol: detect duplicated symbol IDs
a206297e mcstrans/utils: make "make all" use $DESTDIR
527380a1 libsepol/tests: use LDFLAGS when linking
1c187d79 checkpolicy: remove -lfl from LDLIBS
ab270850 libsepol,libsemanage: write file name in flex output
c034875c policycoreutils/sepolicy/gui: fix current selinux state radiobutton
cf8625be libsepol: do not #include <sys/cdefs.h>
dd8d5671 libselinux: avcstat: Clean up redundant condition
fff90bd2 libsepol: sepol_av_to_string: clear static buffer
7e09f584 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
041e0010 python/sepolicy/sepolicy/gui: Fix getting python lib path
86e568c2 python/semanage/semanage: Unify argument handling
3fe4499f libsepol/cil: Add ability to write policy.conf file from CIL AST
93e677d8 secilc: Add secil2conf which creates a policy.conf from CIL policy
9e81e611 libsepol: Fix neverallow checking to also check the other types when self is included in a target type set.
468a0dba seobject: Handle python error returns correctly
Test: Android compiles and the device boots
Change-Id: I3ceb4d0ff9ee96d6347d33e6351e4846a8f37038
When building checkpolicy/test, the linker reports the following error:
cc dispol.o -lfl /usr/src/selinux/DESTDIR/usr/lib/libsepol.a
-L/usr/src/selinux/DESTDIR/usr/lib -o dispol
/usr/lib/gcc/x86_64-pc-linux-gnu/6.2.1/../../../../lib/libfl.so:
undefined reference to `yylex'
collect2: error: ld returned 1 exit status
According to flex documentation
(https://github.com/westes/flex/blob/master/doc/flex.texi), -lfl is used
to provide an implementation for yywrap(). However every flex file now
uses "%option noyywrap", which makes -lfl no longer mandatory. Remove
this option from checkpolicy Makefiles.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Changes included in this merge:
1e605e99 fix semanage fcontext help message
86bad3db libsepol: do not modify p->p_roles.nprim in role_set_expand
73313a75 libsepol: do not check decl->symtab[i].nprim
75b14a5d libsepol: ebitmap: reject loading bitmaps with incorrect high bit
bb96e130 enabled.c: Remove stdio_ext.h header
044f6ef1 procattr.c: Use __ANDROID__ instead of ANDROID
6f32d87a Merge pull request #35 from cgzones/semanage_fcontext_description
2e47b69c libsepol: do not write object_r types to policy file
8fdb2255 libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs
Test: code compiles / device boots
Change-Id: I094fefb8b04433ba8a42f1786e6f999b35351512
range transition and name-based type transition rules were originally
simple unordered lists. They were converted to hashtabs in the kernel
by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range
transition list to a hashtab") and by commit
2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based
create rules in a hashtable"), but left unchanged in libsepol and
checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs
as the kernel for the range transitions and name-based type transitions.
With this change and the preceding one, it is possible to directly compare
a policy file generated by libsepol/checkpolicy and the kernel-generated
/sys/fs/selinux/policy pseudo file after normalizing them both through
checkpolicy. To do so, you can run the following sequence of commands:
checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
cmp policy.1 policy.2
Normalizing the two files via checkpolicy is still necessary to ensure
consistent ordering of the avtab entries. There may still be potential
for other areas of difference, e.g. xperms entries may lack a well-defined
order.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commits included in this merge:
2e4d0bc8 Move policycoreutils/gui to gui.
4cc80867 Move policycoreutils/mcstrans to mcstrans.
00be1363 Move policycoreutils/restorecond to restorecond.
97bf196c Move policycoreutils/sandbox to sandbox.
63e6dba9 Move policycoreutils/sepolicy dbus service files to dbus.
48dc2326 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python.
c9c97d6e Move policycoreutils/semodule_{deps,expand,link} to semodule-utils.
3dcdc463 Make it easy to omit optional components.
fe740954 Build mcstrans.
233fe333 mcstrans: Add .gitignore file
eeba5952 mcstrans: Add a relabel target.
50be5fcc Move sepolicy desktop and png files to gui.
b97d959a Move policycoreutils/sepolgen-ifgen into python/audit2allow.
6e4bb702 mcstrans: fix clang warnings
1c8505da Update release script for the new structure.
f0cc9543 Fix release script for packages that need prefixes.
6bd0b553 Add VERSION files for new components
65f5868c Move policycoreutils/semodule_package to semodule-utils.
44801294 restorecond: break source dependency on policycoreutils/setfiles
f0e61d33 Fix release script
25c167a6 Add COPYING files for new subdirs.
618a64ae semodule-utils: Drop -lselinux from Makefiles.
30cbe52c mcstrans: Fix Werror=shadow errors
089000ad mcstrans: take LIBDIR from args, dont guess
9123b38c Add stub make test targets to new subdirs
62cb9fc1 mcstrans: Add utils gitignore
c094ca96 restorecond: Add gitignore
7935dee8 Drop ChangeLog files
07ba7c68 mcstrans: Fix signed/unsigned warnings
af9f477f policydb.h: use AVTAB macros to avoid duplications
dcd473d5 expand_avrule_helper: cleanup
4129eb49 expand_terule_helper: cleanups
945bc885 sandbox: make test not fail on systems without SELinux
a441d510 mcstrans: fix global "make install"
489dd595 libselinux: audit2why: remove unused module_state structure
9140de74 libselinux, libsemanage: use Python-specific .so extension
a609434b libselinux: normalize enforce values from the kernel
49bfee85 checkpolicy: treat -self as an error
8f9057c2 label_file.h: actually use the results of compat_validate
Test: device boots with no obvious problems.
Change-Id: Ie0631d36bdfcbab4cd35d3f115e88e5e5b7ecf70
checkpolicy wrongly handles "-self". At the least, it should handle it as
an error. At best, it should support it correctly (which would involve
libsepol support as well). At present, it looks like it will end up
negating (-) the next type/attribute in the list after self, or if
there are no entries after self, ignoring it entirely.
This originally was raised by the Android team, which wanted to support
something like the following:
neverallow domain { domain -self }:dir search;
to prohibit cross domain access to some resource but allow access within
the same domain.
This change just makes it a fatal error during compilation.
Implementing real support for -self is left as future work.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Also clean up some LOCAL_C_INCLUDES as it should be included
by LOCAL_EXPORT_C_INCLUDE_DIRS from libsepol.
BUG=31366888
Change-Id: I0e21279097f0635761672b838ad26861fc49e9ea
This fixes most of the errors reported in "make -C libsepol test":
./libsepol-tests
CUnit - A unit testing framework for C - Version 2.1-3
http://cunit.sourceforge.net/
Suite: cond
Test: cond_expr_equal ...passed
Suite: linker
Test: linker_indexes ...passed
Test: linker_types ...passed
Test: linker_roles ...
role o1_b_role_1 has 0 types, 1 expected
role o1_b_role_1 has 0 types, 1 expected
role o1_m1_role_1 has 0 types, 1 expected
sym g_b_role_2 has 1 decls, 2 expected
Role o1_b_role_2 had type o1_b_type_1 not in types array
role o1_b_role_2 has 0 types, 1 expected
Role g_b_role_4 had type g_m1_type_2 not in types array
role g_b_role_4 has 0 types, 1 expected
role o3_b_role_1 has 0 types, 1 expected
role o3_b_role_1 has 0 types, 1 expected
role o4_b_role_1 has 0 types, 1 expected
Role o4_b_role_1 had type g_m1_type_1 not in types array
FAILED
1. test-common.c:216 - found == len
2. test-common.c:216 - found == len
3. test-common.c:216 - found == len
4. test-common.c:43 - scope->decl_ids_len == len
5. test-common.c:52 - found == 1
6. test-common.c:213 - new == 1
7. test-common.c:216 - found == len
8. test-common.c:213 - new == 1
9. test-common.c:216 - found == len
10. test-common.c:216 - found == len
11. test-common.c:216 - found == len
12. test-common.c:216 - found == len
13. test-common.c:213 - new == 1
Test: linker_cond ...passed
Suite: expander
Test: expander_indexes ...passed
Test: expander_attr_mapping ...passed
Test: expander_role_mapping ...passed
Test: expander_user_mapping ...passed
Test: expander_alias ...passed
Suite: deps
Test: deps_modreq_global ...passed
Test: deps_modreq_opt ...passed
Suite: downgrade
Test: downgrade ...passed
Run Summary: Type Total Ran Passed Failed Inactive
suites 5 5 n/a 0 0
tests 13 13 12 1 0
asserts 1269 1269 1256 13 n/a
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
checkpolicy currently imposes arbitrary limits on pathnames used
in genfscon and other statements. This prevents specifying certain
paths in /proc such as those containing comma (,) characters.
Generalize the PATH, QPATH, and FILENAME patterns to support most
legal pathnames.
For simplicity, we do not support pathnames containing newlines or
quotes.
Reported-by: Inamdar Sharif <isharif@nvidia.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Originally checkmodule stated that it wrote to the input file instead of
to the output file.
Reported-By: Milos Malik <mmalik@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
As per discussion in https://android-review.googlesource.com/#/c/221980,
we should be using #ifdef __APPLE__ rather than our own custom-defined
DARWIN for building on MacOS X.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Commit 3895fbbe0c ("selinux: Add support
for portcon dccp protocol") added support for the (portcon dccp ..)
statement. This fix will allow policy to be built on platforms
(see [1]) that do not have DCCP support by defining the IANA
assigned IP Protocol Number 33 to IPPROTO_DCCP.
[1] https://android-review.googlesource.com/#/c/219568/
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Since CIL treats files as modules and does not have a separate
module statement it can cause confusion when a Refpolicy module
has a name that is different than its base filename because older
SELinux userspaces will refer to the module by its module name while
a CIL-based userspace will refer to it by its filename.
Because of this, have checkmodule fail when compiling a module and
the output base filename is different than the module name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This adds CIL and checkpolicy support for the (portcon dccp ...)
statement. The kernel already handles name_bind and name_connect
permissions for the dccp_socket class.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Now the build system generate .c for .l/.y files and we don't need the
yacc_flags hack.
Bug: 26492989
Change-Id: Iacc9924a69f9e3d11305a7ef6046ce536885b546
Neverallow rules for ioctl extended permissions will pass in two
cases:
1. If extended permissions exist for the source-target-class set
the test will pass if the neverallow values are excluded.
2. If extended permissions do not exist for the source-target-class
set the test will pass if the ioctl permission is not granted.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
While yacc is treated as C++, the cflags still need to be applied
where apropriate because this project is mostly C.
Change-Id: I29ad91946caa10a077891099c2c9b94e377d8c92
While we build these as C, to the build system they are technically
C++ and are subject to the global CPPFLAGS. Set LOCAL_CPPFLAGS here
instead of LOCAL_CFLAGS so we can be sure we override anything
provided by the build system.
Bug: http://b/23043421
Change-Id: Ie2284f3500bcd593781fc31cb6833d2cb3bc5020
checkpolicy was directly assigning type sets rather than using
type_set_cpy() and therefore creating pointer aliases to the
same type set from multiple filename-based type transition rules
if they specified multiple classes. This would then yield a double
free when destroying the rules afterward and a segmentation fault.
Fix it to use type_set_cpy().
Reported-by: William C Roberts <william.c.roberts@intel.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Fixes compiler warnings all similar to the following:
host C: checkpolicy <= external/selinux/checkpolicy/policy_define.c
external/selinux/checkpolicy/policy_define.c:1572:2: warning: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Wsign-compare]
ebitmap_for_each_bit(&tclasses, node, i) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
external/selinux/checkpolicy/../libsepol/include/sepol/policydb/ebitmap.h:76:39: note: expanded from macro 'ebitmap_for_each_bit'
for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \
^ ~~~~~~~~~~~~~~~~~
Signed-off-by: Nick Kralevich <nnk@google.com>
--089e013a1a2abb8ecf0518469d04
Content-Type: text/plain; charset=UTF-8
assert() only prevents -Wreturn-type from firing if asserts are
enabled. Use abort() so we don't do unexpected things even if we use
-UNDEBUG.
<div dir="ltr"><div>assert() only prevents -Wreturn-type from firing if asserts are</div><div>enabled. Use abort() so we don't do unexpected things even if we use</div><div>-UNDEBUG.</div></div>
From b53ad041daa53f511baccc860b6fe6993590aa87 Mon Sep 17 00:00:00 2001
From: Dan Albert <danalbert@google.com>
Date: Wed, 10 Jun 2015 17:01:23 -0700
Subject: [PATCH] Fix -Wreturn-type issues.
To: selinux@tycho.nsa.gov
Cc: nnk@google.com,
sds@tycho.nsa.gov
assert() only prevents -Wreturn-type from firing if asserts are
enabled. Use abort() so we don't do unexpected things even if we use
-UNDEBUG.
Also drop expanding of rules; just display the rules in their
original form. I think expansion was a relic of an older policy
version where we did not preserve attributes in the kernel policy.
In any event, it seems more useful to display the rules unmodified.
Change-Id: I85095a35cfb48138cd9cf01cde6dd0330e342c61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Adds support for new policy statements whitelisting individual ioctl
commands. Ioctls provide many of the operations necessary for driver control.
The typical driver supports a device specific set of operations accessible
by the ioctl system call and specified by the command argument. SELinux
provides per operation access control to many system operations e.g. chown,
kill, setuid, ipc_lock, etc. Ioclts on the other hand are granted on a per
file descriptor basis using the ioctl permission, meaning that the set of
operations provided by the driver are granted on an all-or-nothing basis.
In some cases this may be acceptable, but often the same driver provides a
large and diverse set of operations such as benign and necessary functionality
as well as dangerous capabilities or access to system information that should
be restricted.
Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901
The ioctl permission is still required in order to make an ioctl call. If no
individual ioctl commands are specified, only the ioctl permission is
checked by the kernel - i.e. status quo. This allows ioctl whitelisting to
done in a targeted manner, protecting desired drivers without requiring every
ioctl command to be known and specified before use and otherwise allowing
existing policy to be used as-is.
This only implements ioctl whitelisting support for monolithic kernel policies
built via checkpolicy. Support for modules and CIL remains to be done.
Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Add support to checkpolicy and checkmodule for generating CIL as their
output.
Add new options "-C" and "--cil" to specify CIL as the output format.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
This expands IOMEMCON device context entries to 64 bits. This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space. The policy version number change
is shared with the next patch.
While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
In order to support paths containing spaces or other characters, allow a
quoted string with these characters to be parsed as a path in addition
to the existing unquoted string.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
When the FILESYSTEM token was added to support filesystem names that
start with a digit (e.g. 9p), it was given higher precedence than
NUMBER and therefore all values specified in hex (with 0x prefix)
in policy will incorrectly match FILESYSTEM and yield a syntax error.
This breaks use of iomem ranges in Xen policy and will break ioctl
command ranges in a future SELinux policy version. Switch the
precedence. This does mean that you cannot currently have a filesystem
with a name that happens to be 0x followed by a hexval but hopefully
that isn't an issue.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
