Acked-By: Jeff Vander Stoep <jeffv@xxxxxxxxxx>
On Tue, Mar 10, 2015 at 9:44 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
When the FILESYSTEM token was added to support filesystem names that
start with a digit (e.g. 9p), it was given higher precedence than
NUMBER and therefore all values specified in hex (with 0x prefix)
in policy will incorrectly match FILESYSTEM and yield a syntax error.
This breaks use of iomem ranges in Xen policy and will break ioctl
command ranges in a future SELinux policy version. Switch the
precedence. This does mean that you cannot currently have a filesystem
with a name that happens to be 0x followed by a hexval but hopefully
that isn't an issue.
Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
---
checkpolicy/policy_scan.l | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 3a73962..648e1d6 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -242,8 +242,8 @@ LOW { return(LOW); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
-{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}+|0x{hexval}+ { return(NUMBER); }
+{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}{1,3}(\.{digit}{1,3}){3} { return(IPV4_ADDR); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
--
1.9.3
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
