selinux

mirror of https://github.com/topjohnwu/selinux.git synced 2025-03-02 08:27:04 +00:00

History

James Carter beb01ceb49 libsepol/cil: Refactored CIL neverallow checking and reporting.

Use the libsepol neverallow checking to determine if a given neverallow
rule is violated. If a violation is found, use the function
cil_find_matching_avrule_in_ast() to find the AST node of the particular
rule that violates the neverallow. This allows CIL to provide a more
informative error message that includes the file and line number of the
node and all of its parents.

Example error report:
Neverallow check failed at line 31285 of cil.conf.neverallow
  (neverallow typeset4 self (memprotect (mmap_zero)))
    <root>
    booleanif at line 152094 of cil.conf.neverallow
    true at line 152095 of cil.conf.neverallow
    allow at line 152096 of cil.conf.neverallow
      (allow ada_t self (memprotect (mmap_zero)))

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>

2015-06-22 10:03:16 -04:00

cil

libsepol/cil: Refactored CIL neverallow checking and reporting.

2015-06-22 10:03:16 -04:00

include

libsepol: Refactored bounds (hierarchy) checking code

2015-06-22 09:44:55 -04:00

man

Laurent Bigonville patch to fix various minor manpage issues and correct section numbering.

2013-10-24 13:58:37 -04:00

src

libsepol: Refactored bounds (hierarchy) checking code