Message ID | 20190702120905.9808-2-vmojzis@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Series | [1/2] Revert "mcstransd select correct colour range." |
On Tue, Jul 2, 2019 at 2:09 PM Vit Mojzis <vmojzis@redhat.com> wrote: > > According to "check_dominance" function: > Range defined as "s15:c0.c1023" does not dominate any other range than > "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.). > While range defined as "s15-s15:c0.c1023" dominates all of the above. > > This is either a bug, or "s15:c0.c1023" should not be used in the > examples. Hello, I am not familiar with the concepts about range dominance, so I do not know whether this is a bug that should be fixed or if updating the examples is better. Can someone please review this? Cheers, Nicolas > Signed-off-by: Vit Mojzis <vmojzis@redhat.com> > --- > libselinux/man/man5/secolor.conf.5 | 4 ++-- > libselinux/man/ru/man5/secolor.conf.5 | 4 ++-- > mcstrans/share/examples/urcsts-via-include/secolor.conf | 2 +- > mcstrans/share/examples/urcsts/secolor.conf | 2 +- > 4 files changed, 6 insertions(+), 6 deletions(-) > > diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5 > index b834577a..a3bf2da1 100644 > --- a/libselinux/man/man5/secolor.conf.5 > +++ b/libselinux/man/man5/secolor.conf.5 > @@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red > .br > range s9\-s9:c0.c1023 = black orange > .br > -range s15:c0.c1023 = black yellow > +range s15\-s15:c0.c1023 = black yellow > .RE > > .sp > @@ -165,7 +165,7 @@ type xguest_t = black green > .br > user sysadm_u = white black > .br > -range s0:c0.c1023 = black white > +range s0-s0:c0.c1023 = black white > .br > user * = black white > .br > diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5 > index 4c1236ae..bcae80c1 100644 > --- a/libselinux/man/ru/man5/secolor.conf.5 > +++ b/libselinux/man/ru/man5/secolor.conf.5 > @@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red > .br > range s9\-s9:c0.c1023 = black orange > .br > -range s15:c0.c1023 = black yellow > +range s15\-s15:c0.c1023 = black yellow > .RE > > .sp 
> @@ -163,7 +163,7 @@ type xguest_t = black green > .br > user sysadm_u = white black > .br > -range s0:c0.c1023 = black white > +range s0\-s0:c0.c1023 = black white > .br > user * = black white > .br > diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf b/mcstrans/share/examples/urcsts-via-include/secolor.conf > index d35b3c67..3b3f5430 100644 > --- a/mcstrans/share/examples/urcsts-via-include/secolor.conf > +++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf > @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan > range s5-s5:c0.c1023 = white blue > range s7-s7:c0.c1023 = black red > range s9-s9:c0.c1023 = black orange > -range s15:c0.c1023 = black yellow > +range s15-s15:c0.c1023 = black yellow > > diff --git a/mcstrans/share/examples/urcsts/secolor.conf b/mcstrans/share/examples/urcsts/secolor.conf > index d35b3c67..3b3f5430 100644 > --- a/mcstrans/share/examples/urcsts/secolor.conf > +++ b/mcstrans/share/examples/urcsts/secolor.conf > @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan > range s5-s5:c0.c1023 = white blue > range s7-s7:c0.c1023 = black red > range s9-s9:c0.c1023 = black orange > -range s15:c0.c1023 = black yellow > +range s15-s15:c0.c1023 = black yellow > > -- > 2.17.2 >
I agree the secolor configuration file is lacking consistency. From a historical MLS perspective, there were two special labels in many MLS systems: SystemLow and SystemHigh. This would be "s0" (lowest level/no categories) and "s15:c0.c1023" (highest level/all categories) respectively. At these special levels, there was traditionally no other category usage. I concur we either do the proposed change in this patch or just change the "s0:c0.c1023" lines to just "s0" (SystemLow) to be consistent with the "s15:c0.c1023" (SystemHigh) range that exists currently. They will both provide the desired results. -Chad On Mon, Jul 29, 2019 at 5:41 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > On Tue, Jul 2, 2019 at 2:09 PM Vit Mojzis <vmojzis@redhat.com> wrote: > > > > According to "check_dominance" function: > > Range defined as "s15:c0.c1023" does not dominate any other range than > > "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.). > > While range defined as "s15-s15:c0.c1023" dominates all of the above. > > > > This is either a bug, or "s15:c0.c1023" should not be used in the > > examples. > > Hello, > I am not familiar with the concepts about range dominance, so I do not > know whether this is a bug that should be fixed or if updating the > examples is better. Can someone please review this? > > Cheers, > Nicolas > > > Signed-off-by: Vit Mojzis <vmojzis@redhat.com> > > --- > > libselinux/man/man5/secolor.conf.5 | 4 ++-- > > libselinux/man/ru/man5/secolor.conf.5 | 4 ++-- > > mcstrans/share/examples/urcsts-via-include/secolor.conf | 2 +- > > mcstrans/share/examples/urcsts/secolor.conf | 2 +- > > 4 files changed, 6 insertions(+), 6 deletions(-) > > > > diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5 > > index b834577a..a3bf2da1 100644 > > --- a/libselinux/man/man5/secolor.conf.5 > > +++ b/libselinux/man/man5/secolor.conf.5 
> > @@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red > > .br > > range s9\-s9:c0.c1023 = black orange > > .br > > -range s15:c0.c1023 = black yellow > > +range s15\-s15:c0.c1023 = black yellow > > .RE > > > > .sp > > @@ -165,7 +165,7 @@ type xguest_t = black green > > .br > > user sysadm_u = white black > > .br > > -range s0:c0.c1023 = black white > > +range s0-s0:c0.c1023 = black white > > .br > > user * = black white > > .br > > diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5 > > index 4c1236ae..bcae80c1 100644 > > --- a/libselinux/man/ru/man5/secolor.conf.5 > > +++ b/libselinux/man/ru/man5/secolor.conf.5 > > @@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red > > .br > > range s9\-s9:c0.c1023 = black orange > > .br > > -range s15:c0.c1023 = black yellow > > +range s15\-s15:c0.c1023 = black yellow > > .RE > > > > .sp > > @@ -163,7 +163,7 @@ type xguest_t = black green > > .br > > user sysadm_u = white black > > .br > > -range s0:c0.c1023 = black white > > +range s0\-s0:c0.c1023 = black white > > .br > > user * = black white > > .br > > diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf b/mcstrans/share/examples/urcsts-via-include/secolor.conf > > index d35b3c67..3b3f5430 100644 > > --- a/mcstrans/share/examples/urcsts-via-include/secolor.conf > > +++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf > > @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan > > range s5-s5:c0.c1023 = white blue > > range s7-s7:c0.c1023 = black red > > range s9-s9:c0.c1023 = black orange > > -range s15:c0.c1023 = black yellow > > +range s15-s15:c0.c1023 = black yellow > > > > diff --git a/mcstrans/share/examples/urcsts/secolor.conf b/mcstrans/share/examples/urcsts/secolor.conf > > index d35b3c67..3b3f5430 100644 > > --- a/mcstrans/share/examples/urcsts/secolor.conf > > +++ b/mcstrans/share/examples/urcsts/secolor.conf 
> > @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan > > range s5-s5:c0.c1023 = white blue > > range s7-s7:c0.c1023 = black red > > range s9-s9:c0.c1023 = black orange > > -range s15:c0.c1023 = black yellow > > +range s15-s15:c0.c1023 = black yellow > > > > -- > > 2.17.2 > > >
On 7/31/19 1:15 AM, Chad Hanson wrote: > I agree the secolor configuration file is lacking consistency. From a > historical MLS perspective, there were two special labels in many MLS > systems: SystemLow and SystemHigh. This would be "s0" (lowest > level/no categories) and "s15:c0.c1023" (highest level/all > categories) respectively. At these special levels, there was > traditionally no other category usage. > > I concur we either do the proposed change in this patch or just change > the "s0:c0.c1023" lines to just "s0" (SystemLow) to be consistent with > the "s15:c0.c1023" (SystemHigh) range that exists currently. They will > both provide the desired results. I see that these two patches were never merged and still apply. Does anyone have any objection to merging them both? > > -Chad > > > On Mon, Jul 29, 2019 at 5:41 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: >> >> On Tue, Jul 2, 2019 at 2:09 PM Vit Mojzis <vmojzis@redhat.com> wrote: >>> >>> According to "check_dominance" function: >>> Range defined as "s15:c0.c1023" does not dominate any other range than >>> "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.). >>> While range defined as "s15-s15:c0.c1023" dominates all of the above. >>> >>> This is either a bug, or "s15:c0.c1023" should not be used in the >>> examples. >> >> Hello, >> I am not familiar with the concepts about range dominance, so I do not >> know whether this is a bug that should be fixed or if updating the >> examples is better. Can someone please review this? >> >> Cheers, >> Nicolas >> >>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com> >>> --- >>> libselinux/man/man5/secolor.conf.5 | 4 ++-- >>> libselinux/man/ru/man5/secolor.conf.5 | 4 ++-- >>> mcstrans/share/examples/urcsts-via-include/secolor.conf | 2 +- >>> mcstrans/share/examples/urcsts/secolor.conf | 2 +- >>> 4 files changed, 6 insertions(+), 6 deletions(-) 
>>> >>> diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5 >>> index b834577a..a3bf2da1 100644 >>> --- a/libselinux/man/man5/secolor.conf.5 >>> +++ b/libselinux/man/man5/secolor.conf.5 >>> @@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red >>> .br >>> range s9\-s9:c0.c1023 = black orange >>> .br >>> -range s15:c0.c1023 = black yellow >>> +range s15\-s15:c0.c1023 = black yellow >>> .RE >>> >>> .sp >>> @@ -165,7 +165,7 @@ type xguest_t = black green >>> .br >>> user sysadm_u = white black >>> .br >>> -range s0:c0.c1023 = black white >>> +range s0-s0:c0.c1023 = black white >>> .br >>> user * = black white >>> .br >>> diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5 >>> index 4c1236ae..bcae80c1 100644 >>> --- a/libselinux/man/ru/man5/secolor.conf.5 >>> +++ b/libselinux/man/ru/man5/secolor.conf.5 >>> @@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red >>> .br >>> range s9\-s9:c0.c1023 = black orange >>> .br >>> -range s15:c0.c1023 = black yellow >>> +range s15\-s15:c0.c1023 = black yellow >>> .RE >>> >>> .sp >>> @@ -163,7 +163,7 @@ type xguest_t = black green >>> .br >>> user sysadm_u = white black >>> .br >>> -range s0:c0.c1023 = black white >>> +range s0\-s0:c0.c1023 = black white >>> .br >>> user * = black white >>> .br >>> diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf b/mcstrans/share/examples/urcsts-via-include/secolor.conf >>> index d35b3c67..3b3f5430 100644 >>> --- a/mcstrans/share/examples/urcsts-via-include/secolor.conf >>> +++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf >>> @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan >>> range s5-s5:c0.c1023 = white blue >>> range s7-s7:c0.c1023 = black red >>> range s9-s9:c0.c1023 = black orange >>> -range s15:c0.c1023 = black yellow >>> +range s15-s15:c0.c1023 = black yellow 
>>> >>> diff --git a/mcstrans/share/examples/urcsts/secolor.conf b/mcstrans/share/examples/urcsts/secolor.conf >>> index d35b3c67..3b3f5430 100644 >>> --- a/mcstrans/share/examples/urcsts/secolor.conf >>> +++ b/mcstrans/share/examples/urcsts/secolor.conf >>> @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan >>> range s5-s5:c0.c1023 = white blue >>> range s7-s7:c0.c1023 = black red >>> range s9-s9:c0.c1023 = black orange >>> -range s15:c0.c1023 = black yellow >>> +range s15-s15:c0.c1023 = black yellow >>> >>> -- >>> 2.17.2 >>> >>
On 9/13/19 11:33 AM, Stephen Smalley wrote: > On 7/31/19 1:15 AM, Chad Hanson wrote: >> I agree the secolor configuration file is lacking consistency. From a >> historical MLS perspective, there were two special labels in many MLS >> systems: SystemLow and SystemHigh. This would be "s0" (lowest >> level/no categories) and "s15:c0.c1023" (highest level/all >> categories) respectively. At these special levels, there was >> traditionally no other category usage. >> >> I concur we either do the proposed change in this patch or just change >> the "s0:c0.c1023" lines to just "s0" (SystemLow) to be consistent with >> the "s15:c0.c1023" (SystemHigh) range that exists currently. They will >> both provide the desired results. > > I see that these two patches were never merged and still apply. Does > anyone have any objection to merging them both? Both patches applied. > >> >> -Chad >> >> >> On Mon, Jul 29, 2019 at 5:41 PM Nicolas Iooss <nicolas.iooss@m4x.org> >> wrote: >>> >>> On Tue, Jul 2, 2019 at 2:09 PM Vit Mojzis <vmojzis@redhat.com> wrote: >>>> >>>> According to "check_dominance" function: >>>> Range defined as "s15:c0.c1023" does not dominate any other range than >>>> "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.). >>>> While range defined as "s15-s15:c0.c1023" dominates all of the above. >>>> >>>> This is either a bug, or "s15:c0.c1023" should not be used in the >>>> examples. >>> >>> Hello, >>> I am not familiar with the concepts about range dominance, so I do not >>> know whether this is a bug that should be fixed or if updating the >>> examples is better. Can someone please review this? >>> >>> Cheers, >>> Nicolas 
>>> >>>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com> >>>> --- >>>> libselinux/man/man5/secolor.conf.5 | 4 ++-- >>>> libselinux/man/ru/man5/secolor.conf.5 | 4 ++-- >>>> mcstrans/share/examples/urcsts-via-include/secolor.conf | 2 +- >>>> mcstrans/share/examples/urcsts/secolor.conf | 2 +- >>>> 4 files changed, 6 insertions(+), 6 deletions(-) >>>> >>>> diff --git a/libselinux/man/man5/secolor.conf.5 >>>> b/libselinux/man/man5/secolor.conf.5 >>>> index b834577a..a3bf2da1 100644 >>>> --- a/libselinux/man/man5/secolor.conf.5 >>>> +++ b/libselinux/man/man5/secolor.conf.5 >>>> @@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red >>>> .br >>>> range s9\-s9:c0.c1023 = black orange >>>> .br >>>> -range s15:c0.c1023 = black yellow >>>> +range s15\-s15:c0.c1023 = black yellow >>>> .RE >>>> >>>> .sp >>>> @@ -165,7 +165,7 @@ type xguest_t = black green >>>> .br >>>> user sysadm_u = white black >>>> .br >>>> -range s0:c0.c1023 = black white >>>> +range s0-s0:c0.c1023 = black white >>>> .br >>>> user * = black white >>>> .br >>>> diff --git a/libselinux/man/ru/man5/secolor.conf.5 >>>> b/libselinux/man/ru/man5/secolor.conf.5 >>>> index 4c1236ae..bcae80c1 100644 >>>> --- a/libselinux/man/ru/man5/secolor.conf.5 >>>> +++ b/libselinux/man/ru/man5/secolor.conf.5 >>>> @@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red >>>> .br >>>> range s9\-s9:c0.c1023 = black orange >>>> .br >>>> -range s15:c0.c1023 = black yellow >>>> +range s15\-s15:c0.c1023 = black yellow >>>> .RE >>>> >>>> .sp >>>> @@ -163,7 +163,7 @@ type xguest_t = black green >>>> .br >>>> user sysadm_u = white black >>>> .br >>>> -range s0:c0.c1023 = black white >>>> +range s0\-s0:c0.c1023 = black white >>>> .br >>>> user * = black white >>>> .br >>>> diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf >>>> b/mcstrans/share/examples/urcsts-via-include/secolor.conf >>>> index d35b3c67..3b3f5430 100644 >>>> --- a/mcstrans/share/examples/urcsts-via-include/secolor.conf 
>>>> +++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf >>>> @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan >>>> range s5-s5:c0.c1023 = white blue >>>> range s7-s7:c0.c1023 = black red >>>> range s9-s9:c0.c1023 = black orange >>>> -range s15:c0.c1023 = black yellow >>>> +range s15-s15:c0.c1023 = black yellow >>>> >>>> diff --git a/mcstrans/share/examples/urcsts/secolor.conf >>>> b/mcstrans/share/examples/urcsts/secolor.conf >>>> index d35b3c67..3b3f5430 100644 >>>> --- a/mcstrans/share/examples/urcsts/secolor.conf >>>> +++ b/mcstrans/share/examples/urcsts/secolor.conf >>>> @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan >>>> range s5-s5:c0.c1023 = white blue >>>> range s7-s7:c0.c1023 = black red >>>> range s9-s9:c0.c1023 = black orange >>>> -range s15:c0.c1023 = black yellow >>>> +range s15-s15:c0.c1023 = black yellow >>>> >>>> -- >>>> 2.17.2 >>>> >>> >
diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5 index b834577a..a3bf2da1 100644 --- a/libselinux/man/man5/secolor.conf.5 +++ b/libselinux/man/man5/secolor.conf.5 @@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red .br range s9\-s9:c0.c1023 = black orange .br -range s15:c0.c1023 = black yellow +range s15\-s15:c0.c1023 = black yellow .RE .sp @@ -165,7 +165,7 @@ type xguest_t = black green .br user sysadm_u = white black .br -range s0:c0.c1023 = black white +range s0-s0:c0.c1023 = black white .br user * = black white .br diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5 index 4c1236ae..bcae80c1 100644 --- a/libselinux/man/ru/man5/secolor.conf.5 +++ b/libselinux/man/ru/man5/secolor.conf.5 @@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red .br range s9\-s9:c0.c1023 = black orange .br -range s15:c0.c1023 = black yellow +range s15\-s15:c0.c1023 = black yellow .RE .sp @@ -163,7 +163,7 @@ type xguest_t = black green .br user sysadm_u = white black .br -range s0:c0.c1023 = black white +range s0\-s0:c0.c1023 = black white .br user * = black white .br diff --git a/mcstrans/share/examples/urcsts-via-include/secolor.conf b/mcstrans/share/examples/urcsts-via-include/secolor.conf index d35b3c67..3b3f5430 100644 --- a/mcstrans/share/examples/urcsts-via-include/secolor.conf +++ b/mcstrans/share/examples/urcsts-via-include/secolor.conf @@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan range s5-s5:c0.c1023 = white blue range s7-s7:c0.c1023 = black red range s9-s9:c0.c1023 = black orange -range s15:c0.c1023 = black yellow +range s15-s15:c0.c1023 = black yellow diff --git a/mcstrans/share/examples/urcsts/secolor.conf b/mcstrans/share/examples/urcsts/secolor.conf index d35b3c67..3b3f5430 100644 --- a/mcstrans/share/examples/urcsts/secolor.conf +++ b/mcstrans/share/examples/urcsts/secolor.conf 
@@ -17,5 +17,5 @@ range s3-s3:c0.c1023 = black tan range s5-s5:c0.c1023 = white blue range s7-s7:c0.c1023 = black red range s9-s9:c0.c1023 = black orange -range s15:c0.c1023 = black yellow +range s15-s15:c0.c1023 = black yellow
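Review bot: Missing documentation in libselinux/man/man5/secolor.conf.5, first hunk (@@ -123,7 +123,7 @@): the example switches s15 to the low-high form, but nothing in the visible man page text says why, so a reader can still write "range s15:c0.c1023" and get an entry that, per the commit message, matches only that exact label. Suggest adding a sentence near this example stating that a single level with categories does not cover labels with fewer categories at the same sensitivity, and that "sN-sN:c0.c1023" is the form to use for that; the same sentence belongs in the ru page.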
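Review bot: Inconsistent hyphen escaping in libselinux/man/man5/secolor.conf.5, second hunk (@@ -165,7 +165,7 @@): the added line is "range s0-s0:c0.c1023 = black white" with a plain "-", while the first hunk of the same file writes "s15\-s15" and the matching hunk in libselinux/man/ru/man5/secolor.conf.5 adds "s0\-s0". Suggest "range s0\-s0:c0.c1023 = black white" here as well, so the separator is rendered the same way throughout the page and can be copied into a configuration file as a plain minus.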
According to "check_dominance" function:
Range defined as "s15:c0.c1023" does not dominate any other range than
"s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
While range defined as "s15-s15:c0.c1023" dominates all of the above.

This is either a bug, or "s15:c0.c1023" should not be used in the
examples.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 libselinux/man/man5/secolor.conf.5                      | 4 ++--
 libselinux/man/ru/man5/secolor.conf.5                   | 4 ++--
 mcstrans/share/examples/urcsts-via-include/secolor.conf | 2 +-
 mcstrans/share/examples/urcsts/secolor.conf             | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
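The behaviour reported in the commit message can be reproduced with a small model. The following Python is an added example, not code from mcstrans or from the patch author; it assumes the match is range containment (the pattern's low level is dominated by the label's low level, and the pattern's high level dominates the label's high level), and all function names and the sample configuration are constructed for the illustration.

```python
import re

def parse_level(text):
    """'s15:c0.c1023,c5' -> (15, frozenset of category numbers)."""
    sens, _, cats = text.strip().partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in {text!r}")
    members = set()
    for item in filter(None, cats.split(",")):
        c = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
        if not c:
            raise ValueError(f"bad category {item!r} in {text!r}")
        first = int(c.group(1))
        last = int(c.group(2) or first)
        members.update(range(first, last + 1))  # 'cA.cB' is an inclusive span
    return int(m.group(1)), frozenset(members)

def parse_range(text):
    """'low-high' -> (low, high); a single level L is read as (L, L)."""
    low, dash, high = text.partition("-")
    low_level = parse_level(low)
    return low_level, (parse_level(high) if dash else low_level)

def dominates(a, b):
    """Level a dominates b: sensitivity at least as high, categories a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def range_matches(pattern, label):
    """Assumed model of the check: the pattern range must contain the label's range."""
    p_low, p_high = parse_range(pattern)
    l_low, l_high = parse_range(label)
    return dominates(l_low, p_low) and dominates(p_high, l_high)

def single_level_ranges(conf_text):
    """List 'range' patterns that carry categories but are not in low-high form."""
    found = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*range\s+(\S+)\s*=", line)
        if m and "-" not in m.group(1) and ":" in m.group(1):
            found.append(m.group(1))
    return found

# Constructed sample: two range lines in the pre-patch form quoted in the diff.
SAMPLE_CONF = """\
range s9-s9:c0.c1023 = black orange
range s15:c0.c1023 = black yellow
"""

if __name__ == "__main__":
    for pattern in ("s15:c0.c1023", "s15-s15:c0.c1023"):
        for label in ("s15", "s15:c0.c200", "s15:c0.c1023"):
            print(f"{pattern:18} vs {label:14} -> {range_matches(pattern, label)}")
    print("single-level entries:", single_level_ranges(SAMPLE_CONF))
```

`single_level_ranges` can be pointed at an existing secolor.conf to find entries that still use the pre-patch form.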