tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
No description
924 commits 1 branch 0 tags 17 MiB
C 71.3%
Python 15.6%
Roff 9.1%
SWIG 1.1%
Makefile 1%
Other 1.9%
Find a file
Richard Haines 9eefe11b3a libsepol: V1 Allow constraint denials to be determined. 
Adds policy source defined 'type' or 'typeattribute' names to
constraints by adding additional structures (->type_names->types) to a
binary policy.
Before this change all typeattributes were expanded to lists of types
and added to the constraint under ->names. This made it difficult for
system admins to determine from the policy source what attribute
needed to be updated. To facilitate analysis of constraint failures
a new function has also been added, see sepol_compute_av_reason_buffer.

As additional structures have been added to policy, the policy version
is also updated (POLICYDB_VERSION_CONSTRAINT_NAMES). There is also a
corresponding kernel patch to handle the additional structures.

sepol_compute_av_reason_buffer is an extended version of
sepol_compute_av_reason. This will return a buffer with constraint
expression information, containing the constrain type, class, perms,
keywords etc.. It will also contain which constraint expr failed plus
the final outcome. The buffer MUST be free'd with free(3).

The type information output by sepol_compute_av_reason_buffer depends on
the policy version:
If >= POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be
whatever was in the original policy (type or attribute names).
If < POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be
the types listed in the constraint (as no attribute information is
available in these versions).
For users and roles whatever policy version, only the names are listed
(as role attributes are not currently held in the constraint).

Also added are two functions that obtain the class and permissions
from a binary policy file that has been loaded for testing:
sepol_string_to_security_class
sepol_string_to_av_perm

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2013-10-29 08:49:51 -04:00
checkpolicy Update ChangeLogs and bump VERSIONs to an intermediate value. 2013-10-25 15:14:23 -04:00
libselinux Fix avc_has_perm() returns -1 even when SELinux is in permissive mode. 2013-10-28 16:52:50 -04:00
libsemanage Update ChangeLogs and bump VERSIONs to an intermediate value. 2013-10-25 15:14:23 -04:00
libsepol libsepol: V1 Allow constraint denials to be determined. 2013-10-29 08:49:51 -04:00
policycoreutils Make sure userdel cleans up after itself in test 2013-10-28 17:04:45 -04:00
scripts scripts: release: do not complain if release dir exists 2013-02-05 20:19:03 -05:00
sepolgen Update ChangeLogs and bump VERSIONs to an intermediate value. 2013-10-25 15:14:23 -04:00
.gitignore global: gitignore: add a couple of more editor backup filetypes 2013-02-01 12:14:57 -05:00
Makefile libselinux: additional makefile support for rubywrap 2012-06-28 11:21:16 -04:00
README Add a README with instructions on building. 2013-10-28 13:34:47 -04:00

README 

To build and install everything under a private directory, do:
make DESTDIR=/path/to/private install install-pywrap

To install as the default system libraries and binaries
(overwriting any previously installed ones - dangerous!), do:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace
lacks library functions or other dependencies relied upon by your
distribution.  If it breaks, you get to keep both pieces.