From patchwork Thu Oct 11 12:35:41 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 10636601
From: James Carter
To: selinux@vger.kernel.org
Cc: selinux@tycho.nsa.gov
Date: Thu, 11 Oct 2018 08:35:41 -0400
Message-Id: <20181011123543.14822-1-jwcart2@tycho.nsa.gov>
X-Mailer: git-send-email 2.17.1
Subject: [PATCH 0/2] libsepol: Add ability to sort ocontexts in libsepol and add option to use it in checkpolicy
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

[Resending because I originally only sent these to the new list]

ocontexts (initial sids, fs_use_*, genfscon, portcon, etc) are sorted by libsemanage when using policy modules and by libsepol when using CIL, but they are not sorted by checkpolicy when creating a policy from a policy.conf.

Checkpolicy's behavior allows control over the ordering which determines the matching order for portcons and other ocontext rules, but there are times when that specific control is not desired.

This patch set exposes an internal ocontext sorting function and adds a command line option to checkpolicy to sort ocontexts.

James Carter (2):
  libsepol: Create policydb_sort_ocontexts()
  checkpolicy: Add option to sort ocontexts when creating a binary policy

 checkpolicy/checkpolicy.c                  | 22 +++++++++++++++++-----
 libsepol/include/sepol/policydb/policydb.h |  2 ++
 libsepol/src/policydb.c                    |  5 +++++
 3 files changed, 24 insertions(+), 5 deletions(-)
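
The ordering point in the cover letter, as an added example that is not part of the patch set or of libsepol: a first-match lookup over constructed portcon rules, showing that a broad range written first shadows a single-port rule and that sorting changes which type the port receives. The struct, the rule values, the `port_t` default and the sort key (narrower ranges first) are assumptions for illustration; the cover letter does not state the sort criteria.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a portcon rule; not libsepol's ocontext type. */
struct portcon { int proto; unsigned low, high; const char *type; };

/* First-match lookup: the first rule in list order that covers the port wins. */
static const char *port_type(const struct portcon *r, size_t n, int proto, unsigned port)
{
    for (size_t i = 0; i < n; i++)
        if (r[i].proto == proto && r[i].low <= port && port <= r[i].high)
            return r[i].type;
    return "port_t"; /* assumed default when no rule matches */
}

/* Assumed sort key: narrower ranges first, then lower start port, then protocol. */
static int portcon_cmp(const void *a, const void *b)
{
    const struct portcon *x = a, *y = b;
    unsigned wx = x->high - x->low, wy = y->high - y->low;
    if (wx != wy) return wx < wy ? -1 : 1;
    if (x->low != y->low) return x->low < y->low ? -1 : 1;
    return (x->proto > y->proto) - (x->proto < y->proto);
}

/* Constructed rules in policy.conf order (6 = TCP): the broad range comes first. */
static const struct portcon sample[] = {
    { 6, 1024, 65535, "unreserved_port_t" },
    { 6, 8080, 8080,  "http_cache_port_t" },
    { 6, 1,    1023,  "reserved_port_t" },
};
#define NRULES (sizeof(sample) / sizeof(sample[0]))

/* Type for a TCP port with the list as written (sorted=0) or sorted (sorted=1). */
const char *lookup_tcp(unsigned port, int sorted)
{
    struct portcon rules[NRULES];
    memcpy(rules, sample, sizeof(rules));
    if (sorted) qsort(rules, NRULES, sizeof(rules[0]), portcon_cmp);
    return port_type(rules, NRULES, 6, port);
}

int main(void)
{
    printf("8080 as written: %s\n", lookup_tcp(8080, 0));
    printf("8080 sorted:     %s\n", lookup_tcp(8080, 1));
    return 0;
}
```

When reviewing a policy.conf that will be built both with and without sorting, overlapping portcon ranges are the entries to compare, since they are the only ones whose resulting label depends on order.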