The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Also drop expanding of rules; just display the rules in their
original form. I think expansion was a relic of an older policy
version where we did not preserve attributes in the kernel policy.
In any event, it seems more useful to display the rules unmodified.
Change-Id: I85095a35cfb48138cd9cf01cde6dd0330e342c61
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In C, defining a function with () means "any number of parameters", not
"no parameter". Use (void) instead where applicable and add unused
parameters when needed.
Acked-by: Steve Lawrence <slawrence@tresys.com>
A number of places we used unsigned variables and compared them against
signed variables. This patch makes everything unsigned.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The output formatting had two items crammed together without a space.
Add a space.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
There was no way to print all of the role transition rules in dispol.
Add that support.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
The formatting of dismod/dispol display of filename trans rules didn't
make a lot of sense. Make them more like the original rules.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. A example
rule looks like so:
type_transition unconfined_t etc_t:file system_conf_t eric;
This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.
The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
