RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,015 Commits 4 Branches 681 Tags 21 MiB
Commit Graph

4 Commits

Author SHA1 Message Date
Nicolas Iooss dcd135cc06 Re-link programs after libsepol.a is updated 
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.

While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 2017-01-18 16:41:34 -05:00
Stephen Smalley 7e09f584e1 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures 
Teach audit2why to recognize type bounds failures.  This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.

This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel.  However, it
is unclear if this is needed.  It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).

Before:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
        Was caused by:
                Typebounds violation.

                Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2016-11-29 15:53:59 -05:00
Stephen Smalley b97d959a6a Move policycoreutils/sepolgen-ifgen into python/audit2allow. 
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2016-11-16 11:19:51 -05:00
Stephen Smalley 48dc232627 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 2016-11-16 11:19:50 -05:00