Message ID | 20200908085329.409762-1-dominick.grift@defensec.nl (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | James Carter |
Series | [v2] cil_network_labeling_statements: fixes nodecon examples |
On Tue, Sep 8, 2020 at 10:53 AM Dominick Grift <dominick.grift@defensec.nl> wrote:
>
> The order of the subnet and netmask is wrong and also the value of netmask is wrong for single address subnet
> Use an ipaddr reserved for documentation: https://tools.ietf.org/html/rfc5737
> Add ipv6 example: https://tools.ietf.org/html/rfc3849

It seems that this patch slipped through the review process, as there could have been some confusion about the repository it was for. It seems to me that it is for https://github.com/SELinuxProject/selinux, and its contents look good. Thanks!

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

If nobody complains, I will apply this patch tonight.
Nicolas

> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> I added an ip6 example because the old style netmask makes that a bit unclear. I know I will appreciate such an example later on.
>
> .../docs/cil_network_labeling_statements.md | 19 ++++++++++++++-----
> 1 file changed, 14 insertions(+), 5 deletions(-)
>
> diff --git a/secilc/docs/cil_network_labeling_statements.md b/secilc/docs/cil_network_labeling_statements.md
> index 49a836c1..60aec80d 100644
> --- a/secilc/docs/cil_network_labeling_statements.md
> +++ b/secilc/docs/cil_network_labeling_statements.md
> @@ -145,12 +145,21 @@ These examples show named and anonymous [`nodecon`](cil_network_labeling_stateme > (context context_1 (unconfined.user object_r unconfined.object low_low)) > (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2))) > > - (ipaddr netmask_1 255.255.255.0) > - (ipaddr ipv4_1 192.168.1.64) > + (ipaddr netmask_1 255.255.255.255) > + (ipaddr ipv4_1 192.0.2.64) > + > + (nodecon ipv4_1 netmask_1 context_2) > + (nodecon (192.0.2.64) (255.255.255.255) context_1) > + (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) > + > + (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0)))) > + > + (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0) > + (ipaddr ipv6_2 2001:db8:1:0:0:0:0:0) > > - (nodecon netmask_1 ipv4_1 context_2) > - (nodecon (255.255.255.0) (192.168.1.64) context_1) > - (nodecon netmask_1 (192.168.1.64) (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) > + (nodecon ipv6_2 netmask_2 context_3) > + (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3) > + (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0)))) > > portcon > ------- > -- > 2.28.0 >
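Review bot: Nothing in the added example says what each mask selects: `netmask_1` is now 255.255.255.255 (exactly one host) while `netmask_2` is ffff:ffff:ffff:0:0:0:0:0 (a 48-bit prefix, as the `my48prefix.node` type name hints). Because the mask decides which peers receive the node label, a short comment on each `ipaddr` line, such as "single address" and "/48 prefix", would make that explicit. Also, `context_3` uses `sys.id`, `sys.role` and `my48prefix.node`, none of which are declared in the lines shown, while the other contexts use the `unconfined.*` names; either reuse those or say the names are illustrative.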
On Fri, Oct 2, 2020 at 9:01 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Tue, Sep 8, 2020 at 10:53 AM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
> >
> > The order of the subnet and netmask is wrong and also the value of netmask is wrong for single address subnet
> > Use an ipaddr reserved for documentation: https://tools.ietf.org/html/rfc5737
> > Add ipv6 example: https://tools.ietf.org/html/rfc3849
>
> It seems that this patch slipped through the review process, as there
> could have been some confusion about the repository it was for. It
> seems to me that it is for https://github.com/SELinuxProject/selinux,
> and its contents look good. Thanks!
>
> Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
>
> If nobody complains, I will apply this patch tonight.
> Nicolas

Merged. Thanks!
Nicolas

> > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> > ---
> > I added an ip6 example because the old style netmask makes that a bit unclear. I know I will appreciate such an example later on.
> >
> > .../docs/cil_network_labeling_statements.md | 19 ++++++++++++++-----
> > 1 file changed, 14 insertions(+), 5 deletions(-)
> >
> > diff --git a/secilc/docs/cil_network_labeling_statements.md b/secilc/docs/cil_network_labeling_statements.md
> > index 49a836c1..60aec80d 100644
> > --- a/secilc/docs/cil_network_labeling_statements.md
> > +++ b/secilc/docs/cil_network_labeling_statements.md
> > @@ -145,12 +145,21 @@ These examples show named and anonymous [`nodecon`](cil_network_labeling_stateme > > (context context_1 (unconfined.user object_r unconfined.object low_low)) > > (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2))) > > > > - (ipaddr netmask_1 255.255.255.0) > > - (ipaddr ipv4_1 192.168.1.64) > > + (ipaddr netmask_1 255.255.255.255) > > + (ipaddr ipv4_1 192.0.2.64) > > + > > + (nodecon ipv4_1 netmask_1 context_2) > > + (nodecon (192.0.2.64) (255.255.255.255) context_1) > > + (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) > > + > > + (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0)))) > > + > > + (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0) > > + (ipaddr ipv6_2 2001:db8:1:0:0:0:0:0) > > > > - (nodecon netmask_1 ipv4_1 context_2) > > - (nodecon (255.255.255.0) (192.168.1.64) context_1) > > - (nodecon netmask_1 (192.168.1.64) (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) > > + (nodecon ipv6_2 netmask_2 context_3) > > + (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3) > > + (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0)))) > > > > portcon > > ------- > > -- > > 2.28.0 > >
diff --git a/secilc/docs/cil_network_labeling_statements.md b/secilc/docs/cil_network_labeling_statements.md index 49a836c1..60aec80d 100644 --- a/secilc/docs/cil_network_labeling_statements.md +++ b/secilc/docs/cil_network_labeling_statements.md @@ -145,12 +145,21 @@ These examples show named and anonymous [`nodecon`](cil_network_labeling_stateme (context context_1 (unconfined.user object_r unconfined.object low_low)) (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2))) - (ipaddr netmask_1 255.255.255.0) - (ipaddr ipv4_1 192.168.1.64) + (ipaddr netmask_1 255.255.255.255) + (ipaddr ipv4_1 192.0.2.64) + + (nodecon ipv4_1 netmask_1 context_2) + (nodecon (192.0.2.64) (255.255.255.255) context_1) + (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) + + (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0)))) + + (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0) + (ipaddr ipv6_2 2001:db8:1:0:0:0:0:0) - (nodecon netmask_1 ipv4_1 context_2) - (nodecon (255.255.255.0) (192.168.1.64) context_1) - (nodecon netmask_1 (192.168.1.64) (unconfined.user object_r unconfined.object ((s0) (s0 (c0))))) + (nodecon ipv6_2 netmask_2 context_3) + (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3) + (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0)))) portcon -------
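Review bot: The three added IPv4 `nodecon` lines all name the same pair, 192.0.2.64 with 255.255.255.255, yet assign it three different contexts (`context_2`, `context_1`, and an anonymous context ending in `((s0) (s0 (c0)))`), whereas the three IPv6 lines all resolve to the same `context_3` definition. A reader who copies the block as a unit is left with an ambiguous label for that one host. Either use one context across the IPv4 lines, as the IPv6 lines do, or add a sentence above the block saying the lines are alternative spellings of one statement and only one of them should be used.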
The order of the subnet and netmask is wrong and also the value of netmask is wrong for single address subnet

Use an ipaddr reserved for documentation: https://tools.ietf.org/html/rfc5737

Add ipv6 example: https://tools.ietf.org/html/rfc3849

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>

---

I added an ip6 example because the old style netmask makes that a bit unclear. I know I will appreciate such an example later on.

.../docs/cil_network_labeling_statements.md | 19 ++++++++++++++-----

1 file changed, 14 insertions(+), 5 deletions(-)