Fix a situation where the secilc command line tool could return success
even though the compilation failed.
$ secilc /dev/null -o /dev/null -f /dev/null
Failure reading file: /dev/null
$ echo $?
0
Signed-off-by: Nick Kralevich <nnk@google.com>
Since Darwin systems do not have GNU sed installed, the Darwin sed is
missing the "regexp-extended" flag needed to modify the secilc markdown
files before processing with pandoc.
A quick fix for Mac users is to `brew install gnu-sed` and to use gsed.
Signed-off-by: Yuli Khodorkovskiy <ykhodo@gmail.com>
Modify cil_gen_node() to check to see if the cil_db supports multiple
declarations, and if so, to check whether or not the
repeated symbol is eligible to share the existing, already-stored datum. The
only types considered so far are CIL_TYPE and CIL_TYPEATTRIBUTE, both of
which intall empty datums during AST building, so they automatically return
true.
Test: Build policy with multilpe type and attribute declarations, and
without. Policies are binary-identical.
Signed-off-by: Dan Cashman <dcashman@android.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
"roleattribute" was referencing "typeattributeset", but I believe it should be referencing "roleattributeset" instead.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
There were several places in the makefiles where LDLIBS or CFLAGS were
supposed to include options to build. They were missing the override
keyword so would be skipped if these vars were set on the make cmdline.
Add the override directive to fix this.
Signed-off-by: Jason Zaman <jason@perfinion.com>
The toolchain automatically handles them and they break cross compiling.
LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)
Gentoo-Bug: https://bugs.gentoo.org/500674
Signed-off-by: Jason Zaman <jason@perfinion.com>
Added "-G, --expand_generated" option to specify that all automatically
generated attributes should be expanded and removed.
Added "-X, --expand_size <SIZE>" option to specify which attributes
are expanded when building a kernel policy. All attributes that have
less types assigned to it than SIZE will be expanded when writing AV
rules.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The program secil2conf uses the libsepol function
cil_write_policy_conf() to create a policy.conf file from CIL policy.
By default a file called "policy.conf" will be created, but the "-o"
option can be used to write to a different file. The "-M" option can
be used to override the mls statement in CIL. The "-P" option will
cause tunables to be treated as booleans.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When running "make all" several times in the root directory of the
project, the following lines always appear (and the command takes some
seconds to complete on my system with a slow hard drive):
xmlto man secilc.8.xml
Note: Writing secilc.8
This is because "make man" always builds secilc.8 even though
secilc.8.xml has not been modified. Introduce an intermediate target to
avoid this behavior.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
As per discussion in https://android-review.googlesource.com/#/c/221980,
we should be using #ifdef __APPLE__ rather than our own custom-defined
DARWIN for building on MacOS X.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This adds CIL and checkpolicy support for the (portcon dccp ...)
statement. The kernel already handles name_bind and name_connect
permissions for the dccp_socket class.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
- Update libsepol dependency to 2.5
- Update Makefile to build the man page when just running 'make'
https://marc.info/?l=selinux&m=145220517200709&w=2
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Converting to github markdown allows for easier integration with the
SELinux project wiki and viewing of documentation directly on github without
creating PDFs or reading through DocBook XML.
The conversion of DocBook to github markdown would not format tables or
keyword links properly. By maintaining the documentation in github
markdown in the repository, the content is well formatted with a table of
contents when viewing in the github wiki or in the repository.
The migration from DocBook to github markdown was done using Pandoc and
manual fixups. Mappings of CIL keywords to headings that were lost in the DocBook
conversion were added back. An introduction and design philosphy was
also pulled from the SELinux project wiki to provide more cohesion
to the current documentation.
Running make will now convert the github markdown into PDF and HTML.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Resolves https://github.com/SELinuxProject/cil/issues/3
An 'unordered' keyword provides the ability to append classes to the current
list of ordered classes. This allows users to not need knowledge of existing
classes when creating a class and fixes dependencies on classes when removing a
module. This enables userspace object managers with custom objects to be
modularized.
If a class is declared in both an unordered and ordered statement, then the
ordered statement will supercede the unordered declaration.
Example usage:
; Appends new_class to the existing list of classes
(class new_class ())
(classorder (unordered new_class))
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This adds a userattribute statement that may be used in userroles and
constraints. The syntax is the same as typeattributset.
Also, disallow roleattributes where roles are accepted in contexts.
Specify a userattribute
(userattribute foo)
Add users to the set foo
(userattributeset foo (u1 u2))
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Petr Lautrbach
Nick Kralevich via Selinux
Laurent Bigonville
Stephen Smalley
Yuli Khodorkovskiy
Dominick Grift
Marcus Folkesson
Dan Cashman
Grégoire Colbert
Jason Zaman
Richard Haines
James Carter
Nicolas Iooss
bowgotsai
Steve Lawrence
Yuli Khodorkovskiy