selinux/libsepol
Yuli Khodorkovskiy 1e2b2e57e5 libsepol/cil: Do not allow categories/sensitivities inside blocks
Fixes https://github.com/SELinuxProject/cil/issues/2.

Sensitivities and categories generated from blocks use dots to indicate
namespacing. This could result in categories that contain ambiguous
ranges with categories declared in blocks.

Example:

    (category c0)
    (category c2)
    (block c0
        (category (c2))
        (filecon ... (s0 (c2)))
    )

The above policy results in the filecontext: ... s0:c0.c2. The categories c0.c2
could be interpreted as a range between c0 and c2 or it could be the namespaced
category c0.c2. Therefore, categories are no longer allowed inside blocks to
eliminate this ambiguity.

This patch also disallows sensitivities in blocks for consistency with category
behavior.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2015-05-27 14:00:01 -04:00
cil libsepol/cil: Do not allow categories/sensitivities inside blocks 2015-05-27 14:00:01 -04:00
include Add support for ioctl command whitelisting 2015-04-23 08:30:33 -04:00
man Laurent Bigonville patch to fix various minor manpage issues and correct section numbering. 2013-10-24 13:58:37 -04:00
src Replace fmemopen() with internal function in libsepol. 2015-05-08 10:58:09 -04:00
tests libsepol/tests: fix gcc -Warray-bounds warning 2014-10-02 09:56:45 -04:00
utils libsepol: Android/MacOS X build support 2012-06-28 11:21:15 -04:00
.gitignore libsepol: build cil into libsepol 2014-08-26 08:03:31 -04:00
Android.mk libsepol, secilc: Fix build for Android 2015-04-02 12:01:10 -04:00
ChangeLog Update libsepol ChangeLog. 2015-05-08 11:03:13 -04:00
COPYING initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00
Makefile libsepol: build cil into libsepol 2014-08-26 08:03:31 -04:00
VERSION Bump to final release 2015-02-02 09:38:10 -05:00