James Carter f2b5aae4aa libsepol: Fix neverallow bug when checking conditional policy
Commit 9e6840e refactored neverallow checking. In the process a bug
was introduced that causes enabled conditional rules to be skipped.
The bug is that the avtab key is checked by comparing the specified
field of the key to the value AVTAB_ALLOWED. Since enabled conditional
rules have an additional bit set as well, these rules are not
considered to match.

The fix is to use a bitwise AND (&) to only check the desired bit.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-14 11:05:11 -04:00
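
The comparison bug described in the commit message above, as an added C example (not the libsepol source): a constructed rule table is scanned for neverallow violations once with the equality test and once with the bitwise AND test. The struct, function names and sample policy are hypothetical, and the flag values are modelled on libsepol's avtab.h as an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model; flag values modelled on libsepol's avtab.h (assumption). */
#define AVTAB_ALLOWED    0x0001
#define AVTAB_AUDITALLOW 0x0002
#define AVTAB_ENABLED    0x8000 /* extra bit carried by enabled conditional rules */

struct rule { uint16_t src, tgt, cls, specified; uint32_t perms; };

/* Constructed sample policy: types, classes and perms are small integers. */
static const struct rule sample_policy[] = {
    { 1, 2, 1, AVTAB_ALLOWED,                 0x1 }, /* unconditional allow, harmless perm */
    { 1, 2, 1, AVTAB_ALLOWED | AVTAB_ENABLED, 0x4 }, /* enabled conditional allow, forbidden perm */
    { 1, 2, 1, AVTAB_AUDITALLOW,              0x4 }, /* auditallow only: grants nothing */
    { 3, 2, 1, AVTAB_ALLOWED,                 0x4 }, /* different source type */
};

/* Pre-fix test: equality fails as soon as any other bit is set. */
static int is_allow_buggy(uint16_t specified) { return specified == AVTAB_ALLOWED; }

/* Post-fix test: look only at the ALLOWED bit. */
static int is_allow_fixed(uint16_t specified) { return (specified & AVTAB_ALLOWED) != 0; }

/* Count rules granting any of never_perms for (src, tgt, cls). */
static size_t count_violations(const struct rule *r, size_t n,
                               uint16_t src, uint16_t tgt, uint16_t cls,
                               uint32_t never_perms, int (*is_allow)(uint16_t))
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_allow(r[i].specified))
            continue; /* not treated as an allow rule: skipped */
        if (r[i].src == src && r[i].tgt == tgt && r[i].cls == cls &&
            (r[i].perms & never_perms))
            hits++;
    }
    return hits;
}

int main(void)
{
    size_t n = sizeof(sample_policy) / sizeof(sample_policy[0]);
    /* neverallow: type 1 -> type 2, class 1, perm bit 0x4 */
    printf("buggy: %zu\n", count_violations(sample_policy, n, 1, 2, 1, 0x4, is_allow_buggy));
    printf("fixed: %zu\n", count_violations(sample_policy, n, 1, 2, 1, 0x4, is_allow_fixed));
    return 0;
}
```

With the equality test the enabled conditional rule is never inspected, so the policy passes the neverallow check even though the permission is granted at runtime.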
checkpolicy Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
dbus Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
gui Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
libselinux Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
libsemanage Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
libsepol libsepol: Fix neverallow bug when checking conditional policy 2017-06-14 11:05:11 -04:00
mcstrans Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
policycoreutils Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
python Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
restorecond Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
sandbox Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
scripts Fix release script 2016-11-16 11:19:51 -05:00
secilc secilc: Update test policy and documentation for Infiniband 2017-06-12 11:13:31 -04:00
semodule-utils Update VERSION files for 2.7-rc1 release. 2017-06-09 10:36:06 -04:00
.gitignore restorecond: Add gitignore 2016-11-16 11:20:05 -05:00
.travis.yml libsemanage/tests: include libsepol headers from $DESTDIR 2017-03-01 10:42:34 -05:00
CleanSpec.mk Add empty top level Android.mk / CleanSpec.mk files 2015-04-16 07:54:09 -04:00
Makefile Add includes for DESTDIR only in root Makefile 2017-04-25 08:31:10 -04:00
README libsepol compilation fixes for macOS. 2017-01-20 13:19:57 -05:00

Please submit all bug reports and patches to selinux@tycho.nsa.gov.
Subscribe via selinux-join@tycho.nsa.gov.

Build dependencies on Fedora:
yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig xmlto redhat-rpm-config

To build and install everything under a private directory, run:
make DESTDIR=~/obj install install-pywrap

To install as the default system libraries and binaries
(overwriting any previously installed ones - dangerous!),
on x86_64, run:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
or on x86 (32-bit), run:
make install install-pywrap relabel

This may render your system unusable if the upstream SELinux userspace
lacks library functions or other dependencies relied upon by your
distribution.  If it breaks, you get to keep both pieces.

To install libsepol on macOS (mainly for policy analysis):
cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install

This requires GNU coreutils (brew install coreutils).