On 11/7/18 3:39 PM, Nicolas Iooss wrote:
On Tue, Nov 6, 2018 at 8:19 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
On 11/6/18 11:22 AM, Stephen Smalley wrote:
On 11/5/18 4:00 PM, Nicolas Iooss wrote:
When using checkpolicy to read a binary policy, permissive types are not
written in the output file. In order to reproduce this issue, a test
policy can be written from minimal.cil with the following commands:

    $ cd secilc/test/
    $ cp minimum.cil my_policy.cil
    $ echo '(typepermissive TYPE)' >> my_policy.cil
    $ secilc my_policy.cil
    $ checkpolicy -bC -o /dev/stdout policy.31
    # There is no "(typepermissive TYPE)" in checkpolicy output.

This is because TYPE_FLAGS_PERMISSIVE is added to typdatum->flags only
when loading a module, which uses the permissive flag in the type
properties. A kernel policy defines permissive types in a dedicated
bitmap, which gets loaded as p->permissive_map before the types are
loaded. Use this bitmap to mark permissive types in the loaded policy.

Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
Or we could directly use the permissive_map in kernel_to_cil/kernel_to_conf?
I think that this is the more natural way to do it.
Jim
I agree. Please drop my patch and keep yours.
Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
Merged my patch.
Thanks,
Jim
Thanks,
Nicolas
--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
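
Added example, not part of the thread and not libsepol code: a self-contained toy model of the loading behaviour the commit message describes, showing why a writer that only checks per-type flags misses permissive types from a kernel policy unless the bitmap is consulted at load time. The struct layout, PROP_PERMISSIVE, the flag value and the choice of bit index equal to the type value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TYPE_FLAGS_PERMISSIVE 0x01u /* name from the thread; value assumed */
#define PROP_PERMISSIVE 0x02u       /* hypothetical module property bit */
#define MAX_TYPE 63u                /* toy limit: the map is one uint64_t */

struct toy_type { uint32_t value, flags; };
struct toy_policy {
    int is_kernel;           /* 1: binary kernel policy, 0: module */
    uint64_t permissive_map; /* stand-in for p->permissive_map */
    struct toy_type types[MAX_TYPE];
    unsigned ntypes;
};

/* Read one type record; use_map enables the fix from the commit message. */
static int toy_type_read(struct toy_policy *p, uint32_t value, uint32_t props, int use_map)
{
    if (value == 0 || value > MAX_TYPE || p->ntypes >= MAX_TYPE)
        return -1; /* reject values that would index outside the map */
    struct toy_type *t = &p->types[p->ntypes++];
    t->value = value;
    t->flags = 0;
    if (!p->is_kernel && (props & PROP_PERMISSIVE))
        t->flags |= TYPE_FLAGS_PERMISSIVE; /* module path: flag from properties */
    if (p->is_kernel && use_map && ((p->permissive_map >> value) & 1u))
        t->flags |= TYPE_FLAGS_PERMISSIVE; /* kernel path: flag from bitmap */
    return 0;
}

/* A writer that trusts only per-type flags (what the report describes). */
static unsigned permissive_from_flags(const struct toy_policy *p)
{
    unsigned n = 0;
    for (unsigned i = 0; i < p->ntypes; i++)
        n += (p->types[i].flags & TYPE_FLAGS_PERMISSIVE) != 0;
    return n;
}

/* Constructed sample: kernel policy, types 1..3, type 2 permissive in the map. */
static unsigned demo_kernel(int use_map)
{
    struct toy_policy p = { .is_kernel = 1, .permissive_map = 1ull << 2 };
    for (uint32_t v = 1; v <= 3; v++)
        toy_type_read(&p, v, 0, use_map);
    return permissive_from_flags(&p);
}

int main(void)
{
    printf("flags only: %u, with map: %u\n", demo_kernel(0), demo_kernel(1));
    return 0;
}
```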