Re: [PATCH 3/3] Thread/Child-Domain Assignment (rev.6)

KaiGai Kohei wrote:
> Joshua Brindle wrote:
>> KaiGai Kohei wrote:
>>> Joshua Brindle wrote:
>>>> KaiGai Kohei wrote:
>>>>> Joshua Brindle wrote:
>>>>>> KaiGai Kohei wrote:
>>>>>>> The attached patch for libsepol adds support for a new policy version
>>>>>>> named (MOD_)POLICYDB_VERSION_BOUNDARY.
>>>>>>> Userspace hierarchy checks are reworked in this revision.
>>>>>>>
>>>> I'm seeing a couple of problems. First, when writing out the policy
>>>> it doesn't seem to respect policyvers, I told it to generate
>>>> a version 23 and it still made a 24.
>>> Are you saying a configuration of "policy-version = 23" at semanage.conf
>>> is ignored? I could not reproduce it in my environment.
>>> Could you tell me the steps to reproduce it?
>>>
>>> I injected several printf()'s, but it shows a proper policyvers
>>> which reflects semanage.conf correctly.
>>>
>>>> Second it is failing to downgrade the 24 to 23 since my kernel doesn't support 24.
>> I'm not sure why this wasn't happening to you but from what I can tell the new patch
>> was returning from type_write when an attribute was passed in, however the length of
>> the table was not updated. This caused policydb_read to read over the edge of the type
>> symbol table, resulting in badness.
> 
> Hmm....
> It seems to me that what you pointed out is a bug in my patch. It prevents the
> actual number of type/attribute symbols from being delivered to the policy file, but
> it is unclear why it makes libsepol ignore the policyvers.
> (I guess it may be a separated matter.)
> 
>> Rather than trying to calculate the length without attributes I just removed
>> the attribute check. This causes attributes to be written for all versions,
>> but this should not cause any problems at all.
> 
> The reason I injected such ad-hoc code is that we cannot decide the policy
> version being written when type_attr_remove() is invoked.
> Is it impossible to move it to policydb_write()?
> It is invoked after the policyvers is fixed by the caller.

It isn't impossible. You are going to have to make it walk the type symbol table to calculate the length without attributes, then write that length instead of the total symtab length.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
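
The approach described in the reply above, as an added, self-contained example (this is not libsepol's code and does not use its headers): the writer is given the already-fixed policyvers, walks the type symbol table to count only the entries it will actually emit, and writes that count in the table header instead of the raw table size. The same buffer is then fed to a reader with the bounds check a policydb_read needs, so the header/body mismatch from the thread (attribute records skipped, header still saying they are there) is caught instead of reading past the end of the data. Assumptions made here: POLICYDB_VERSION_BOUNDARY is taken as 24, attributes are omitted only for kernel policies below that version, the record layout (name length, value, name bytes) is simplified, and the type names are a constructed sample; `write_types`, `read_types`, `count_written_types` and `roundtrip*` are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Version constant named in the thread; the value 24 is assumed for this example. */
#define POLICYDB_VERSION_BOUNDARY 24

enum type_flavor { TYPE_TYPE = 0, TYPE_ATTRIB = 1 };

struct type_entry {
    const char *name;
    uint32_t value;            /* numeric id; nprim counts primary types */
    enum type_flavor flavor;
};

struct type_symtab {
    const struct type_entry *entries;
    uint32_t nel;              /* hash table elements: types + attributes */
    uint32_t nprim;
};

/* Constructed sample table: three types and two attributes. */
static const struct type_entry sample_entries[] = {
    { "kernel_t",    1, TYPE_TYPE },
    { "domain",      0, TYPE_ATTRIB },
    { "init_t",      2, TYPE_TYPE },
    { "file_type",   0, TYPE_ATTRIB },
    { "user_home_t", 3, TYPE_TYPE },
};
const struct type_symtab sample_symtab = { sample_entries, 5, 3 };

/* Kernel formats before the boundary version carry no attribute records (assumed). */
static int attributes_omitted(uint32_t policyvers)
{
    return policyvers < POLICYDB_VERSION_BOUNDARY;
}

/* The walk from the reply: count only the entries that will really be written. */
uint32_t count_written_types(const struct type_symtab *t, uint32_t policyvers)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < t->nel; i++)
        if (!(t->entries[i].flavor == TYPE_ATTRIB && attributes_omitted(policyvers)))
            n++;
    return n;
}

/* Little-endian helpers, as policy files are stored. */
static size_t put_u32(uint8_t *out, size_t pos, uint32_t v)
{
    for (int i = 0; i < 4; i++) out[pos + i] = (uint8_t)(v >> (8 * i));
    return pos + 4;
}
static uint32_t get_u32(const uint8_t *in, size_t pos)
{
    return (uint32_t)in[pos] | (uint32_t)in[pos + 1] << 8 |
           (uint32_t)in[pos + 2] << 16 | (uint32_t)in[pos + 3] << 24;
}

/* Header [nprim][nel], then per record [name_len][value][name] (simplified layout).
 * fix_count == 0 writes the raw table size while still skipping attribute records,
 * reproducing the mismatch from the thread. Returns bytes written, 0 if out of space. */
size_t write_types(uint8_t *out, size_t cap, const struct type_symtab *t,
                   uint32_t policyvers, int fix_count)
{
    uint32_t nel = fix_count ? count_written_types(t, policyvers) : t->nel;
    size_t pos = 0;
    if (cap < 8) return 0;
    pos = put_u32(out, pos, t->nprim);
    pos = put_u32(out, pos, nel);
    for (uint32_t i = 0; i < t->nel; i++) {
        const struct type_entry *e = &t->entries[i];
        if (e->flavor == TYPE_ATTRIB && attributes_omitted(policyvers))
            continue;          /* returned early without being counted: the bug */
        size_t len = strlen(e->name);
        if (pos + 8 + len > cap) return 0;
        pos = put_u32(out, pos, (uint32_t)len);
        pos = put_u32(out, pos, e->value);
        memcpy(out + pos, e->name, len);
        pos += len;
    }
    return pos;
}

/* Reader that walks exactly nel records and refuses to run past the buffer.
 * Returns 0 when header and body agree, -1 on truncation or trailing bytes. */
int read_types(const uint8_t *in, size_t len, uint32_t *out_nel)
{
    size_t pos = 4;            /* skip nprim */
    if (len < 8) return -1;
    uint32_t nel = get_u32(in, pos);
    pos += 4;
    for (uint32_t i = 0; i < nel; i++) {
        if (pos + 8 > len) return -1;       /* header promised more than exists */
        uint32_t name_len = get_u32(in, pos);
        pos += 8;                           /* name_len + value */
        if (pos + name_len > len) return -1;
        pos += name_len;
    }
    if (pos != len) return -1;              /* header undercounted */
    *out_nel = nel;
    return 0;
}

/* Write the sample table and read it back; returns the recovered nel, 0 on failure. */
uint32_t roundtrip_nel(uint32_t policyvers, int fix_count)
{
    uint8_t buf[256];
    uint32_t nel = 0;
    size_t n = write_types(buf, sizeof buf, &sample_symtab, policyvers, fix_count);
    if (n == 0 || read_types(buf, n, &nel) != 0) return 0;
    return nel;
}

int main(void)
{
    printf("v23, raw nel in header: %s\n", roundtrip_nel(23, 0) ? "ok" : "header/body mismatch");
    printf("v23, recounted nel:     nel=%u\n", roundtrip_nel(23, 1));
    printf("v24:                    nel=%u\n", roundtrip_nel(24, 1));
    return 0;
}
```

The recount happens in the writer, where policyvers is already known, which is the point of moving the decision out of type_attr_remove(): the symbol table itself is left intact and only the serialized count changes with the target version.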
