Strip trailing space(s) from 'NAME' being read from /etc/selinux/config as a trailing space in that name will cause a weird error during the make process for modules built out of tree. This is seen on current RedHat machines which have space in the 'SELINUXTYPE' variable.
Fix a "-Werror=implicit-fallthrough" compiler warning/error on
the switch statement.
This third version (v3) fixes a bug introduced in the first
version and improves the style over the second version.
Signed-off-by: Guido Trentalancia <guido at trentalancia.com>
Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.
Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.
This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Python 3.6 complains about the strings which are used as regular
expression in the support scripts:
File "support/segenxml.py", line 37
INTERFACE = re.compile("^\s*(interface|template)\(`(\w*)'")
^
SyntaxError: invalid escape sequence \s
When compiling modules using support/Makefile.devel (which is installed
in /usr/share/selinux/*/include/Makefile) with "make -j9", the build
fails because tmp/ does not exist.
Add the missing command to create tmp/ when running tmp/%.mod.fc target.
Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=530178
When working on fc_sort to try to understand why using /usr/s?bin/... file
contexts has been reported not to work properly [1], I found it frustrating not
to be able to do "tmp/fc_sort my_filecontexts.fc" and see the result printed on
the screen. This patch implements this behavior by making optional the second
argument of fc_sort.
[1] commit 36e2216f8 of contrib repository,
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36e2216f82192660d063012e69281f27ba20864b
When running fc_sort on an empty context file, this program uses uninitialized
pointers when accessing to the elements of a list. On my system, it goes in a
very long loop (maybe infinite) because uninitialized fields in malloc'ed
structures happen to contain valid pointers in the heap.
This patch fixes this bug by initializing ->next and ->data fields before they
may be read.
This patch includes the necessary refactoring to support python 3.
Changes since v2
- Do not include contrib submodule (no relevant changes there)
- Update in pyplate to fix a failure with str/unicode in doc generation
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
system_r is required by the policy_module macro, which however will
be expanded as empty if the module is built into base.pp. system_r
is defined in the kernel.te, its definition should be moved to the
top of base.conf so that other modules copied earlier into base.conf
than kernel.te could reference system_r in their unconditional block
properly.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
The attached patch adds sepgsql_contexts file into appconfig-*
directory. This configuration is used to initial labeling on
installation time for each database objects.
We can easily look up an appropriate label using selabel_loopup(3)
APIs. The 'sepgsql_contexts' is default for SE-PostgreSQL.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
The initrc_context file uses the mls_systemhigh macro and needs to be properly
expanded based on the build.conf settings. Add makefile support to do this.
David Sugar
Guido Trentalancia
Daniel Jurgens
Nicolas Iooss
cgzones
Chris PeBenito
Rahul Chaudhry
Sean Placchetti
William Roberts
Chris PeBenito
Sven Vermeulen
Harry Ciao
KaiGai Kohei
Justin P. Mattock