
policyrep: add prefix/suffix matching to filename type transitions #108

Closed

Conversation

JurajMarcin

Currently, filename transitions are stored separately from other type enforcement rules and only support exact name matching. However, in practice, the names contain variable parts. This leads to many duplicated rules in the policy that differ only in the part of the name, or it is even impossible to cover all possible combinations.

This patch reflects changes in libsepol implemented in this patch.

The patch adds additional filename transition tables to policydb structure for prefix and suffix rules and updates the functions that access them.

This is a new reimplemented version of the feature, as the previous version was not accepted by the SELinux kernel upstream.

Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
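To make concrete what the PR description means by exact versus prefix/suffix matching of filename transitions, here is a small added model of the lookup (example code written for this page, not setools' or libsepol's own implementation). The rule fields, the `MatchType` enum and all type names (`demo_*_t`) are constructed for illustration, and the precedence used when several rules match (an exact rule first, then the longest matching prefix or suffix) is an assumption of this example, not something the page specifies.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class MatchType(Enum):
    """How a rule's name is compared against the new file's name.

    Illustrative enum, not setools' own PolicyEnum subclass."""
    EXACT = "exact"
    PREFIX = "prefix"
    SUFFIX = "suffix"


@dataclass(frozen=True)
class FileNameTransition:
    source: str            # domain creating the object
    target: str            # type of the parent directory
    tclass: str            # object class of the new object (file, dir, ...)
    name: str              # full name, or the prefix/suffix to compare
    match_type: MatchType  # how `name` is compared
    default: str           # type assigned to the new object on a match

    def matches(self, filename: str) -> bool:
        if self.match_type is MatchType.EXACT:
            return filename == self.name
        if self.match_type is MatchType.PREFIX:
            return filename.startswith(self.name)
        return filename.endswith(self.name)


def resolve_transition(rules: Iterable[FileNameTransition], source: str,
                       target: str, tclass: str, filename: str) -> Optional[str]:
    """Return the default type for a new object, or None if no rule applies.

    Precedence (an assumption of this example): an exact-name rule wins;
    otherwise the longest matching prefix/suffix wins."""
    candidates = [r for r in rules
                  if r.source == source and r.target == target
                  and r.tclass == tclass and r.matches(filename)]
    if not candidates:
        return None
    exact = [r for r in candidates if r.match_type is MatchType.EXACT]
    if exact:
        return exact[0].default
    return max(candidates, key=lambda r: len(r.name)).default


# Constructed sample policy: one exact rule can only cover a fixed name,
# while a rotated log such as "secure-20240101" needs a prefix rule.
RULES = (
    FileNameTransition("demo_init_t", "demo_etc_t", "file",
                       "resolv.conf", MatchType.EXACT, "demo_net_conf_t"),
    FileNameTransition("demo_logrotate_t", "demo_var_log_t", "file",
                       "secure", MatchType.EXACT, "demo_auth_log_t"),
    FileNameTransition("demo_logrotate_t", "demo_var_log_t", "file",
                       "secure-", MatchType.PREFIX, "demo_auth_log_rotated_t"),
    FileNameTransition("demo_logrotate_t", "demo_var_log_t", "file",
                       ".gz", MatchType.SUFFIX, "demo_log_compressed_t"),
)


if __name__ == "__main__":
    for name in ("secure", "secure-20240101", "secure-20240101.gz",
                 "messages.gz", "messages"):
        print(name, "->", resolve_transition(RULES, "demo_logrotate_t",
                                              "demo_var_log_t", "file", name))
```

The point of the model is the last two rules: without prefix/suffix matching, every dated or compressed variant would need its own exact rule, which is the duplication the PR description refers to. When the exact rule and a prefix rule both match, the resolver above prefers the exact rule; the real kernel/libsepol ordering should be taken from the linked libsepol patch rather than from this example.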

@@ -476,11 +476,13 @@ cdef class FileNameTERule(BaseTERule):
cdef:
Type dft
readonly str filename
uint32_t match_type
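Review bot: the new `match_type` field is declared as a bare `uint32_t` without the `readonly` qualifier that `filename` carries in the same cdef block, so it is reachable only from Cython code and invisible to Python callers. Declare it `readonly` like the other exposed fields and, since it encodes the matching kind (exact/prefix/suffix) rather than an arbitrary number, expose it as a PolicyEnum subclass instead of a raw integer so Python users get a named value.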
Member


This won't be visible in Python code, only in Cython code. It needs the readonly qualifier. By making it visible, I think it should change to a PolicyEnum object.

Author


Hi, sorry for the late reply.

I have changed the type to a new PolicyEnum subclass that I have created and updated its usages.

Currently, filename transitions are stored separately from other type
enforcement rules and only support exact name matching. However, in
practice, the names contain variable parts. This leads to many
duplicated rules in the policy that differ only in the part of the name,
or it is even impossible to cover all possible combinations.

This patch reflects changes in libsepol implemented in this patch [1].

The patch adds additional filename transition tables to policydb
structure for prefix and suffix rules and updates the functions that
access them.

[1]: https://lore.kernel.org/selinux/20231108103345.4014148-1-juraj@jurajmarcin.com/

Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>

This PR has not had any recent activity. It will be closed in 7 days if it makes no further progress.

@github-actions github-actions bot added the "stale" label (Issue/PR has not had any activity) on Feb 13, 2024

Closing stale PR.

@github-actions github-actions bot closed this Feb 21, 2024