Stephen Smalley wrote:
> On Sat, 2008-10-04 at 19:30 -0400, Joshua Brindle wrote:
>> KaiGai Kohei wrote:
>>> Joshua Brindle wrote:
>>>> KaiGai Kohei wrote:
>>>>> Joshua Brindle wrote:
>>>>>> KaiGai Kohei wrote:
>>>>>>> The attached patch for libsepol adds support for a new policy version
>>>>>>> named (MOD_)POLICYDB_VERSION_BOUNDARY.
>>>>>>> Userspace hierarchy checks are reworked in this revision.
>>>>>>>
>>>> I'm seeing a couple of problems. First, when writing out the policy
>>>> it doesn't seem to respect policyvers; I told it to generate
>>>> a version 23 and it still made a 24.
>>> Are you saying a configuration of "policy-version = 23" at semanage.conf
>>> is ignored? I could not reproduce it in my environment.
>>> Could you tell me the steps to reproduce it?
>>>
>>> I injected several printf()'s, but it shows a proper policyvers
>>> which reflects semanage.conf correctly.
>>>
>>>> Second, it is failing to downgrade the 24 to 23 since my kernel doesn't support 24.
>> I'm not sure why this wasn't happening to you, but from what I can tell the new patch was returning from type_write when an attribute was passed in; however, the length of the table was not updated. This caused policydb_read to read over the edge of the type symbol table, resulting in badness.
>>
>> Rather than trying to calculate the length without attributes I just removed the attribute check. This causes attributes to be written for all versions, but this should not cause any problems at all.
>>
>> Do you have a problem with this, Stephen?
>
> The problem with writing attributes to older policy versions is that
> older kernels will then treat the attribute like any other type and
> allow its use in a security context.

Yes, I remembered that after I sent the first email... doh
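The table-length mismatch described in the thread (type_write skipping attributes for an older policy version while the symbol table's entry count still included them, so the reader runs off the end), shown with a toy symbol table. This is an added example, not libsepol code: the byte layout, the `toy_type` struct, `demo()` and the `TOY_VERSION_BOUNDARY` stand-in for POLICYDB_VERSION_BOUNDARY are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
/* Added illustration, not libsepol code: a toy type symbol table showing why
 * dropping attributes at write time must also adjust the count header. */
#define TOY_VERSION_BOUNDARY 24  /* stands in for POLICYDB_VERSION_BOUNDARY */
struct toy_type { const char *name; int is_attr; };
/* Layout: 1-byte entry count, then per entry a 1-byte length and the name.
 * Attributes are omitted below the boundary version. With fixed_count set the
 * header counts only entries actually written; otherwise it stores the full
 * table size, mirroring the defect discussed in the thread. */
static size_t write_types(uint8_t *buf, const struct toy_type *t, int n,
                          int policyvers, int fixed_count)
{
    size_t pos = 1;
    int written = 0;
    for (int i = 0; i < n; i++) {
        if (t[i].is_attr && policyvers < TOY_VERSION_BOUNDARY)
            continue;                     /* skipped, not serialized */
        size_t len = strlen(t[i].name);
        buf[pos++] = (uint8_t)len;
        memcpy(buf + pos, t[i].name, len);
        pos += len;
        written++;
    }
    buf[0] = (uint8_t)(fixed_count ? written : n);
    return pos;
}
/* Returns the entry count, or -1 when the header promises more entries than
 * the buffer holds, i.e. a reader would run past the end of the table. */
static int read_types(const uint8_t *buf, size_t buflen)
{
    size_t pos = 1;
    int count = buf[0];
    for (int i = 0; i < count; i++) {
        if (pos >= buflen) return -1;
        size_t len = buf[pos++];
        if (pos + len > buflen) return -1;
        pos += len;
    }
    return count;
}
/* Constructed sample (two types, one attribute) round-tripped at a version. */
int demo(int policyvers, int fixed_count)
{
    static const struct toy_type t[] = { {"user_t", 0}, {"domain", 1}, {"bin_t", 0} };
    uint8_t buf[64];
    size_t n = write_types(buf, t, 3, policyvers, fixed_count);
    return read_types(buf, n);
}
```

With the count left at the full table size, a version-23 table reads back as truncated; with the count adjusted, both versions round-trip, and at version 24 the attribute is present in the output as the thread says it should be.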