Message ID | 20190417163731.3434-1-gary.tierney@fastmail.com (mailing list archive) |
---|---|
Series | checkmodule: allow building modules of a specific version |
On 4/17/19 12:37 PM, Gary Tierney wrote:
> These changes come from a report by a user on the Freenode IRC channel that
> they were unable to build policies for a machine that has an older version of
> libsepol installed.
>
> A new `-c` option that mirrors checkpolicy's own has been added to checkmodule,
> and the output of a simple test is shown below:
>
> $ cat > test.te <<EOF
> module test 1.0;
>
> require {
>     type domain;
>     type file_type;
>     class file { read write };
> }
>
> allow domain file_type : file { read write };
> EOF
> $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te
> $ checkpolicy/test/dismod test.mod
> Reading policy...
> ... snip ...
> Binary policy module file loaded.
> Module name: test
> Module version: 1.0
> Policy version: 10
>
> Worthy of note, however, is that these policy version numbers differ from those
> used by the kernel policy format.
>
> Gary Tierney (2):
>   checkmodule: add support for specifying module policy version
>   dismod: print policy version of loaded modules
>
>  checkpolicy/checkmodule.8 |  5 ++++-
>  checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++--
>  checkpolicy/test/dismod.c |  4 ++--
>  3 files changed, 33 insertions(+), 5 deletions(-)
>

Acked-by: James Carter <jwcart2@tycho.nsa.gov>

On Thu, Apr 18, 2019 at 6:27 AM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>
> On 4/17/19 12:37 PM, Gary Tierney wrote:
> > These changes come from a report by a user on the Freenode IRC channel that
> > they were unable to build policies for a machine that has an older version of
> > libsepol installed.
> >
> > A new `-c` option that mirrors checkpolicy's own has been added to checkmodule,
> > and the output of a simple test is shown below:
> >
> > $ cat > test.te <<EOF
> > module test 1.0;
> >
> > require {
> >     type domain;
> >     type file_type;
> >     class file { read write };
> > }
> >
> > allow domain file_type : file { read write };
> > EOF
> > $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te
> > $ checkpolicy/test/dismod test.mod
> > Reading policy...
> > ... snip ...
> > Binary policy module file loaded.
> > Module name: test
> > Module version: 1.0
> > Policy version: 10
> >
> > Worthy of note, however, is that these policy version numbers differ from those
> > used by the kernel policy format.
> >
> > Gary Tierney (2):
> >   checkmodule: add support for specifying module policy version
> >   dismod: print policy version of loaded modules
> >
> >  checkpolicy/checkmodule.8 |  5 ++++-
> >  checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++--
> >  checkpolicy/test/dismod.c |  4 ++--
> >  3 files changed, 33 insertions(+), 5 deletions(-)
> >
>
> Acked-by: James Carter <jwcart2@tycho.nsa.gov>

James there's a superfluous newline between strtol() and errno.

>
> --
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency

On 4/18/19 11:18 AM, William Roberts wrote:
> On Thu, Apr 18, 2019 at 6:27 AM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>>
>> On 4/17/19 12:37 PM, Gary Tierney wrote:
>>> These changes come from a report by a user on the Freenode IRC channel that
>>> they were unable to build policies for a machine that has an older version of
>>> libsepol installed.
>>>
>>> A new `-c` option that mirrors checkpolicy's own has been added to checkmodule,
>>> and the output of a simple test is shown below:
>>>
>>> $ cat > test.te <<EOF
>>> module test 1.0;
>>>
>>> require {
>>>     type domain;
>>>     type file_type;
>>>     class file { read write };
>>> }
>>>
>>> allow domain file_type : file { read write };
>>> EOF
>>> $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te
>>> $ checkpolicy/test/dismod test.mod
>>> Reading policy...
>>> ... snip ...
>>> Binary policy module file loaded.
>>> Module name: test
>>> Module version: 1.0
>>> Policy version: 10
>>>
>>> Worthy of note, however, is that these policy version numbers differ from those
>>> used by the kernel policy format.
>>>
>>> Gary Tierney (2):
>>>   checkmodule: add support for specifying module policy version
>>>   dismod: print policy version of loaded modules
>>>
>>>  checkpolicy/checkmodule.8 |  5 ++++-
>>>  checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++--
>>>  checkpolicy/test/dismod.c |  4 ++--
>>>  3 files changed, 33 insertions(+), 5 deletions(-)
>>>
>>
>> Acked-by: James Carter <jwcart2@tycho.nsa.gov>
>
> James there's a superfluous newline between strtol() and errno.
>

Thanks, I missed that.

I don't see the need for another version of the patches. I can fix that minor
issue when I merge the patches tomorrow.

>>
>> --
>> James Carter <jwcart2@tycho.nsa.gov>
>> National Security Agency
>

On 4/18/19 1:49 PM, jwcart2 wrote:
> On 4/18/19 11:18 AM, William Roberts wrote:
>> On Thu, Apr 18, 2019 at 6:27 AM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>>>
>>> On 4/17/19 12:37 PM, Gary Tierney wrote:
>>>> These changes come from a report by a user on the Freenode IRC channel that
>>>> they were unable to build policies for a machine that has an older version of
>>>> libsepol installed.
>>>>
>>>> A new `-c` option that mirrors checkpolicy's own has been added to checkmodule,
>>>> and the output of a simple test is shown below:
>>>>
>>>> $ cat > test.te <<EOF
>>>> module test 1.0;
>>>>
>>>> require {
>>>>     type domain;
>>>>     type file_type;
>>>>     class file { read write };
>>>> }
>>>>
>>>> allow domain file_type : file { read write };
>>>> EOF
>>>> $ obj/usr/bin/checkmodule -m -M -c 10 -o test.mod test.te
>>>> $ checkpolicy/test/dismod test.mod
>>>> Reading policy...
>>>> ... snip ...
>>>> Binary policy module file loaded.
>>>> Module name: test
>>>> Module version: 1.0
>>>> Policy version: 10
>>>>
>>>> Worthy of note, however, is that these policy version numbers differ from those
>>>> used by the kernel policy format.
>>>>
>>>> Gary Tierney (2):
>>>>   checkmodule: add support for specifying module policy version
>>>>   dismod: print policy version of loaded modules
>>>>
>>>>  checkpolicy/checkmodule.8 |  5 ++++-
>>>>  checkpolicy/checkmodule.c | 29 +++++++++++++++++++++++++++--
>>>>  checkpolicy/test/dismod.c |  4 ++--
>>>>  3 files changed, 33 insertions(+), 5 deletions(-)
>>>>
>>>
>>> Acked-by: James Carter <jwcart2@tycho.nsa.gov>
>>
>> James there's a superfluous newline between strtol() and errno.
>>
>
> Thanks, I missed that.
>
> I don't see the need for another version of the patches. I can fix that minor
> issue when I merge the patches tomorrow.
>

Merged with the extra newline removed.

>>>
>>> --
>>> James Carter <jwcart2@tycho.nsa.gov>
>>> National Security Agency
>>
>
>