Re: [PATCH 0/9 v4] Add CIL Deny Rule

On Wed, 16 Aug 2023 at 20:08, James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Wed, Aug 16, 2023 at 2:05 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > On Wed, Aug 16, 2023 at 1:53 PM Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> > >
> > > On Wed, 16 Aug 2023 at 19:45, James Carter <jwcart2@xxxxxxxxx> wrote:
> > > >
> > > > On Tue, Aug 15, 2023 at 11:09 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
> > > > >
> > > > > James Carter <jwcart2@xxxxxxxxx> writes:
> > > > >
> > > > > > This patch series depends on the "Add support for notself and other to
> > > > > > CIL" patch series from August 9th
> > > > > >
> > > > > > These patches add a deny rule to CIL. Deny rules will be processed after
> > > > > > everything except for neverallow rules. Unlike neverallow rules, they
> > > > > > remove the permissions in the deny rule rather than reporting an error.
> > > > > >
> > > > > > See the individual patches for an explanation of what they do.
> > > > > >
> > > > > > Patches 1-8 are unchanged from v3, see:
> > > > > > https://lore.kernel.org/selinux/20230413193445.588395-1-jwcart2@xxxxxxxxx/
> > > > > >
> > > > > > Previously, patch 9, as Daniel Burgener noted, did not do what it said it
> > > > > > was going to do. Now it does.
> > > > >
> > > > > I've pushed all 16 into
> > > > > https://github.com/bachradsusi/SELinuxProject-selinux/commits/notself-other-deny
> > > > > and I'm building it in my COPR repo -
> > > > > https://copr.fedorainfracloud.org/coprs/plautrba/selinux-patchwork/builds/
> > > > >
> > > > > I've already run some tests and it looks good.
> > > > >
> > > > > For all 16 patches - together with the notself and other series:
> > > > >
> > > > > Acked-by: Petr Lautrbach <lautrbach@xxxxxxxxxx>
> > > > >
> > > >
> > > > All 16 of the notself and deny patches have been merged.
> > > > I did find a problem with an uninitialized return value at the last
> > > > minute which I fixed before merging.
> > > > Thanks to everyone who looked at or tested these patches.
> > > > Jim
> > >
> > > I think the version in libsepol/src/libsepol.map.in in commit
> > > "libsepol: Export the cil_write_post_ast function" should have been
> > > updated to 3.6.
> > >
> >
> > You are right. I was thinking that version 3.5 was the next release,
> > not the previous one.
>
> Or is everything supposed to be version 3.5 until the next release?
> This has always confused me. I don't think that we have been
> consistent.
> Jim

If I read the documentation[1] correctly, the version number tells in
which version a symbol is available.
For example, dpkg should declare any package with an application using
cil_write_post_ast() to depend on libsepol 3.6 (and not 3.5, where the
symbol is not available).

[1]: https://ftp.gnu.org/old-gnu/Manuals/ld-2.9.1/html_node/ld_25.html

>
>
> > Thanks,
> > Jim
> >
> >
> > > >
> > > > > Thanks!
> > > > >
> > > > >
> > > > >
> > > > > > James Carter (9):
> > > > > >   libsepol/cil: Parse and add deny rule to AST, but do not process
> > > > > >   libsepol/cil: Add cil_list_is_empty macro
> > > > > >   libsepol/cil: Add cil_tree_node_remove function
> > > > > >   libsepol/cil: Process deny rules
> > > > > >   libsepol/cil: Add cil_write_post_ast function
> > > > > >   libsepol: Export the cil_write_post_ast function
> > > > > >   secilc/secil2tree: Add option to write CIL AST after post processing
> > > > > >   secilc/test: Add deny rule tests
> > > > > >   secilc/docs: Add deny rule to CIL documentation
> > > > > >
> > > > > >  libsepol/cil/include/cil/cil.h         |    1 +
> > > > > >  libsepol/cil/src/cil.c                 |   68 ++
> > > > > >  libsepol/cil/src/cil_build_ast.c       |   56 +
> > > > > >  libsepol/cil/src/cil_build_ast.h       |    2 +
> > > > > >  libsepol/cil/src/cil_copy_ast.c        |   19 +
> > > > > >  libsepol/cil/src/cil_copy_ast.h        |    1 +
> > > > > >  libsepol/cil/src/cil_deny.c            | 1413 ++++++++++++++++++++++++
> > > > > >  libsepol/cil/src/cil_deny.h            |   36 +
> > > > > >  libsepol/cil/src/cil_flavor.h          |    1 +
> > > > > >  libsepol/cil/src/cil_internal.h        |   10 +
> > > > > >  libsepol/cil/src/cil_list.h            |    3 +
> > > > > >  libsepol/cil/src/cil_post.c            |    7 +
> > > > > >  libsepol/cil/src/cil_reset_ast.c       |    8 +
> > > > > >  libsepol/cil/src/cil_resolve_ast.c     |   48 +
> > > > > >  libsepol/cil/src/cil_resolve_ast.h     |    1 +
> > > > > >  libsepol/cil/src/cil_tree.c            |   35 +
> > > > > >  libsepol/cil/src/cil_tree.h            |    1 +
> > > > > >  libsepol/cil/src/cil_verify.c          |    9 +
> > > > > >  libsepol/cil/src/cil_write_ast.c       |   10 +
> > > > > >  libsepol/cil/src/cil_write_ast.h       |    1 +
> > > > > >  libsepol/src/libsepol.map.in           |    5 +
> > > > > >  secilc/docs/cil_access_vector_rules.md |   41 +-
> > > > > >  secilc/secil2tree.c                    |    8 +-
> > > > > >  secilc/test/deny_rule_test1.cil        |  580 ++++++++++
> > > > > >  secilc/test/deny_rule_test2.cil        |  418 +++++++
> > > > > >  25 files changed, 2780 insertions(+), 2 deletions(-)
> > > > > >  create mode 100644 libsepol/cil/src/cil_deny.c
> > > > > >  create mode 100644 libsepol/cil/src/cil_deny.h
> > > > > >  create mode 100644 secilc/test/deny_rule_test1.cil
> > > > > >  create mode 100644 secilc/test/deny_rule_test2.cil
> > > > > >
> > > > > > --
> > > > > > 2.41.0
> > > > >
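The symbol-versioning point above, as an added example that is not part of this thread or of the libsepol code: a small Python parser for a GNU ld version script in the style of libsepol.map.in that reports which version node first exports a symbol and, for the dpkg case, the minimum library version an application's imports require. The sample script and its node and symbol lists are constructed for illustration, not copied from the project.

```python
import re

# Constructed sample in the style of a GNU ld version script such as
# libsepol/src/libsepol.map.in (nodes and symbols here are illustrative).
SAMPLE_MAP = """
LIBSEPOL_1.0 {
  global:
    sepol_policydb_create;
  local: *;
};
LIBSEPOL_3.5 {
  global:
    cil_write_parse_ast;
} LIBSEPOL_1.0;
LIBSEPOL_3.6 {
  global:
    cil_write_post_ast;  /* symbol exported by the deny-rule series */
} LIBSEPOL_3.5;
"""

NODE_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*([\w.]*)\s*;", re.S)  # NAME { body } [PARENT];

def parse_version_script(text):
    """Map each version node to its global symbols and its parent node."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop C-style comments
    nodes = {}
    for name, body, parent in NODE_RE.findall(text):
        section, exported = None, []
        for tok in re.findall(r"[\w*.]+:?|;", body):
            if tok in ("global:", "local:"):
                section = tok
            elif tok != ";" and section == "global:":
                exported.append(tok)
        nodes[name] = {"global": exported, "parent": parent or None}
    return nodes

def version_number(node):
    """'LIBSEPOL_3.6' -> (3, 6), so version nodes can be ordered numerically."""
    return tuple(int(p) for p in node.rsplit("_", 1)[1].split("."))

def first_version_of(nodes, symbol):
    """Version node that first exports `symbol`, or None if it is not exported."""
    return next((n for n, v in nodes.items() if symbol in v["global"]), None)

def min_required_version(nodes, symbols):
    """Lowest library version that exports every symbol an application imports."""
    needed = {s: first_version_of(nodes, s) for s in symbols}
    if None in needed.values():
        raise KeyError(f"not exported: {[s for s, n in needed.items() if n is None]}")
    return max(needed.values(), key=version_number)
```

Running `first_version_of(parse_version_script(SAMPLE_MAP), "cil_write_post_ast")` on the sample returns LIBSEPOL_3.6, which is the node a packager would turn into a libsepol 3.6 dependency.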