>-----Original Message-----
>From: owner-selinux@xxxxxxxxxxxxx [mailto:owner-selinux@xxxxxxxxxxxxx] On Behalf Of Stephen Smalley
>Sent: Thursday, November 29, 2007 9:52 AM
>To: selinux@xxxxxxxxxxxxx
>Cc: Daniel J Walsh; Joshua Brindle
>Subject: [patch] libsepol: clarify and reduce neverallow error reporting
>
>Alter the error reporting for neverallow failures to be clearer, i.e.
>use the word neverallow instead of assertion and don't report a line number
>if we don't have that information, and bail on the first such error rather
>than flooding the user with multiple ones, since any such error is fatal.

Bailing after the first neverallow will make it much harder to write policy IMHO. I have used neverallows in the past to define security goals for custom systems and there be 20+ violations to the neverallows after I first define them. Now I might have to compile the policy 20+ times in order to clean up each neverallow which can be a very time consuming task.

>
>Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
>---
>
> libsepol/src/assertion.c | 47 ++++++++++++++++++++++++++++-------------------
> 1 file changed, 28 insertions(+), 19 deletions(-)
>
>Index: trunk/libsepol/src/assertion.c
>===================================================================
>--- trunk/libsepol/src/assertion.c (revision 2690)
>+++ trunk/libsepol/src/assertion.c (working copy)
>@@ -59,11 +59,21 @@
> return 0;
>
> err:
>- ERR(handle, "assertion on line %lu violated by allow %s %s:%s {%s };",
> line, p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype],
> p->p_class_val_to_name[curperm->class - 1],
> sepol_av_to_string(p, curperm->class,
> node->datum.data & curperm->data));
>+ if (line) {
>+ ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
> line, p->p_type_val_to_name[stype],
> p->p_type_val_to_name[ttype],
> p->p_class_val_to_name[curperm->class - 1],
> sepol_av_to_string(p, curperm->class,
> node->datum.data & curperm->data));
>+ } else {
>+ ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
> p->p_type_val_to_name[stype],
> p->p_type_val_to_name[ttype],
> p->p_class_val_to_name[curperm->class - 1],
> sepol_av_to_string(p, curperm->class,
> node->datum.data & curperm->data));
>+ }
> return -1;
> }
>
>@@ -74,7 +84,7 @@
> avtab_t te_avtab, te_cond_avtab;
> ebitmap_node_t *snode, *tnode;
> unsigned int i, j;
>- int errors = 0;
>+ int rc;
>
> if (!avrules) {
> /* Since assertions are stored in avrules, if it is NULL
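Review bot: The new `if (line)` branch in the err: path treats a line number of 0 as "no source line information", but nothing at the site records that convention, so a reader has to recover it from the commit message. A one-line comment above the branch would make it explicit: `/* line == 0: caller had no source line for this neverallow; omit it from the message */`. check_assertion_helper begins before this hunk, so whether every producer of a->line uses 0 (and not some other value) when the information is missing is not visible here and should be confirmed before the comment is stated as fact.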
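Review bot: `int rc;` replaces an initialised counter with a variable that is only assigned on the paths that reach the new out: label, so any future `goto out` added between this declaration and the loops (that stretch of the function is not visible here) would return an indeterminate value from the function whose non-zero return is what rejects a policy with neverallow violations. Initialising it at the declaration, `int rc = -1;`, costs nothing, makes failure the default, and leaves `rc = 0` as the single success assignment. The enclosing function starts before this hunk and continues past it.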
>@@ -111,32 +121,31 @@
> if (a->flags & RULE_SELF) {
> if (check_assertion_helper
> (handle, p, &te_avtab, &te_cond_avtab, i, i,
>- a->perms, a->line))
>- errors++;
>+ a->perms, a->line)) {
>+ rc = -1;
>+ goto out;
>+ }
> }
> ebitmap_for_each_bit(ttypes, tnode, j) {
> if (!ebitmap_node_get_bit(tnode, j))
> continue;
> if (check_assertion_helper
> (handle, p, &te_avtab, &te_cond_avtab, i, j,
>- a->perms, a->line))
>- errors++;
>+ a->perms, a->line)) {
>+ rc = -1;
>+ goto out;
>+ }
> }
> }
> }
>
>- if (errors) {
>- ERR(handle, "%d assertion violations occured", errors);
>- avtab_destroy(&te_avtab);
>- avtab_destroy(&te_cond_avtab);
>- return -1;
>- }
>-
>+ rc = 0;
>+out:
> avtab_destroy(&te_avtab);
> avtab_destroy(&te_cond_avtab);
>- return 0;
>+ return rc;
>
> oom:
>- ERR(handle, "Out of memory - unable to check assertions");
>+ ERR(handle, "Out of memory - unable to check neverallows");
> return -1;
> }
>
>--
>Stephen Smalley
>National Security Agency
>
>
>--
>This message was distributed to subscribers of the selinux mailing list.
>If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>the words "unsubscribe selinux" without quotes as the message.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
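Review bot: The new out: label centralises the two avtab_destroy calls, but the oom: path a few lines below still returns -1 without them, so if any `goto oom` is taken after te_avtab and te_cond_avtab have been initialised (the code between the declarations and this loop is outside the hunk) those tables leak on the out-of-memory path. If that is the case, the oom path can reuse the new cleanup by replacing its `return -1;` with `rc = -1;` and `goto out;`; if the tables may still be uninitialised when oom: is reached, a comment on the label saying so would spare the next reader the same question. The enclosing function starts before this hunk.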