This is obviously not a solution. The problem here is that m4 is being
used to perform string concatenation. The argument, which is a boolean,
is not being used like a boolean and this is a problem when you are
inferring data types.
The interface is not being used, so ignoring it doesn't cause a problem
for now.
---
policy/modules/kernel/selinux.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f8b357c..c1d0d98 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
# because of this statement, any module which
# calls this interface must be in the base module:
- genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+ #genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
')
########################################
--
James Carter <[email protected]>
National Security Agency
On 08/24/10 15:50, James Carter wrote:
> This is obviously not a solution. The problem here is that m4 is being
> used to perform string concatenation. The argument, which is a boolean,
> is not being used like a boolean and this is a problem when you are
> inferring data types.
>
> The interface is not being used, so ignoring it doesn't cause a problem
> for now.
If I'm not mistaken, Dan uses this in the Fedora policy. We've also
used this in internal Tresys projects.
> ---
> policy/modules/kernel/selinux.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> index f8b357c..c1d0d98 100644
> --- a/policy/modules/kernel/selinux.if
> +++ b/policy/modules/kernel/selinux.if
> @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
>
> # because of this statement, any module which
> # calls this interface must be in the base module:
> - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
> + #genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
> ')
>
> ########################################
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/25/2010 08:50 AM, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
>> This is obviously not a solution. The problem here is that m4 is being
>> used to perform string concatenation. The argument, which is a boolean,
>> is not being used like a boolean and this is a problem when you are
>> inferring data types.
>>
>> The interface is not being used, so ignoring it doesn't cause a problem
>> for now.
>
> If I'm not mistaken, Dan uses this in the Fedora policy. We've also
> used this in internal Tresys projects.
>
>> ---
>> policy/modules/kernel/selinux.if | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
>> index f8b357c..c1d0d98 100644
>> --- a/policy/modules/kernel/selinux.if
>> +++ b/policy/modules/kernel/selinux.if
>> @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
>>
>> # because of this statement, any module which
>> # calls this interface must be in the base module:
>> - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
>> + #genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
>> ')
>>
>> ########################################
>>
>
>
I used it but until we can define booleans in modules it is fairly useless.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkx1IQEACgkQrlYvE4MpobPzZACgqtxlXjXMcl5Dv8CJHfAlLULq
drAAoOJn7pieDHIqJ6zOB7LqRNtSWP7q
=W9Bp
-----END PGP SIGNATURE-----
On Wed, 2010-08-25 at 08:50 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > This is obviously not a solution. The problem here is that m4 is being
> > used to perform string concatenation. The argument, which is a boolean,
> > is not being used like a boolean and this is a problem when you are
> > inferring data types.
> >
> > The interface is not being used, so ignoring it doesn't cause a problem
> > for now.
>
> If I'm not mistaken, Dan uses this in the Fedora policy. We've also
> used this in internal Tresys projects.
>
I was afraid that someone was using it.
I guess we will have to support some sort of string concatenation in
CIL.
> > ---
> > policy/modules/kernel/selinux.if | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
> > index f8b357c..c1d0d98 100644
> > --- a/policy/modules/kernel/selinux.if
> > +++ b/policy/modules/kernel/selinux.if
> > @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
> >
> > # because of this statement, any module which
> > # calls this interface must be in the base module:
> > - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
> > + #genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
> > ')
> >
> > ########################################
> >
>
>
--
James Carter <[email protected]>
National Security Agency