Comments (3)
stephensmalley
commented on July 4, 2024
Also filename transitions are another area of divergence that could lead to differences in the binary policy image; as with range transitions, the kernel now loads them into a hashtab with deterministic order for the hash chains, whereas libsepol/checkpolicy use simple unordered lists.
from selinux.
stephensmalley
commented on July 4, 2024
CIL uses hashtabs for both, so possibly this will become moot and we only need to align the hashtabs in cil_binary.c to use the same parameters (number of buckets, hash function) as the kernel in order to make them consistent.
from selinux.
stephensmalley
commented on July 4, 2024
Fixed by commits 8fdb225 and 2e47b69. You still need to run both the policy file and the kernel-generated policy through checkpolicy as described in the commit messages before comparing, but this does permit fast and complete comparisons between the policy file and the kernel policy.
from selinux.
Related Issues (20)
- semanage_get_lock fails on NFSv4 filesystems HOT 1
- Python 3.11 support HOT 4
- manual setting HOT 2
- bad gpg signature HOT 4
- checkpolicy compilation error HOT 4
- selinux_restorecon.c comparison between signed and unsigned integer expressions
- Scope of boolean 'httpd_can_network_connect' & Django SELinux permissions
- libsepol:The libsepol package detects memory leaks and segmentation errors when tested by OSS-fuzz. HOT 4
- How Do I Select a Proper Number of Threads for Labeling? HOT 2
- Can use macro parameter for filecon path statment? HOT 1
- restore.c:(.text+0x229): undefined reference to `selinux_restorecon_parallel' HOT 1
- selinux-activate not working on RaspbianOS bullseye (version 11) HOT 1
- "semanage export" does not handle port definition modifications properly
- libselinux: off-by-one in setcon() family
- Question Regarding "semanage boolean": HOT 5
- Non-cached is_selinux_enabled() variant? HOT 1
- selinux 3.6 fails to compile against latest versions of musl HOT 1
- libselinux: selabel_digest -b x/media/db error HOT 1
- libsepol: new "all" op verifier in 3.6 does not check classcommon perms HOT 3
- Should ignoredirs apply to all subdirectories? HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from selinux.