{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":52531037,"defaultBranch":"main","name":"selinux","ownerLogin":"cgzones","currentUserCanPush":false,"isFork":true,"isEmpty":false,"createdAt":"2016-02-25T14:27:47.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/6131885?v=4","public":true,"private":false,"isOrgOwned":false},"refInfo":{"name":"","listCacheKey":"v0:1716633163.0","currentOid":""},"activityList":{"items":[{"before":"804e52b7f8a3c8649615211a961ef8189fe73f39","after":"9ef1a83563c19eae5a09836623de91e66a640554","ref":"refs/heads/main","pushedAt":"2024-06-08T16:02:03.000Z","pushType":"push","commitsCount":5,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"Update VERSIONs to 3.7-rc2 for release.\n\nSigned-off-by: Petr Lautrbach <lautrbach@redhat.com>","shortMessageHtmlLink":"Update VERSIONs to 3.7-rc2 for release."}},{"before":"d514dc67df52d3f8ef35ef9458175ec2cdd69daf","after":null,"ref":"refs/heads/nodecon","pushedAt":"2024-05-25T10:32:43.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"}},{"before":"1f173f8efab8e9931898d924057bd0ea8da759b7","after":"804e52b7f8a3c8649615211a961ef8189fe73f39","ref":"refs/heads/main","pushedAt":"2024-05-25T10:31:08.000Z","pushType":"push","commitsCount":7,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"checkpolicy: support CIDR notation for nodecon statements\n\nSupport the Classless Inter-Domain Routing (CIDR) notation for IP\naddresses with their associated network masks in nodecon statements.\nThe two following statements are equivalent:\n\n    nodecon 10.8.0.0 255.255.0.0 USER1:ROLE1:TYPE1\n    nodecon 10.8.0.0/16          USER1:ROLE1:TYPE1\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>\nAcked-by: James Carter <jwcart2@gmail.com>","shortMessageHtmlLink":"checkpolicy: support CIDR notation for nodecon statements"}},{"before":null,"after":"96ed2f39f9a15c73e0c4905d2bb27648475cd044","ref":"refs/heads/ebitmap_node_vec","pushedAt":"2024-05-13T16:49:21.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libsepol: store ebitmap nodes in vector instead of linked list","shortMessageHtmlLink":"libsepol: store ebitmap nodes in vector instead of linked list"}},{"before":"a34d6566b74e37dc90a7a41626c03263876a5e10","after":"d514dc67df52d3f8ef35ef9458175ec2cdd69daf","ref":"refs/heads/nodecon","pushedAt":"2024-05-08T17:03:04.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"checkpolicy: support CIDR notation for nodecon statements\n\nSupport the Classless Inter-Domain Routing (CIDR) notation for IP\naddresses with their associated network masks in nodecon statements.\nThe two following statements are equivalent:\n\n    nodecon 10.8.0.0 255.255.0.0 USER1:ROLE1:TYPE1\n    nodecon 10.8.0.0/16          USER1:ROLE1:TYPE1\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"checkpolicy: support CIDR notation for nodecon statements"}},{"before":null,"after":"a34d6566b74e37dc90a7a41626c03263876a5e10","ref":"refs/heads/nodecon","pushedAt":"2024-05-08T13:35:18.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"checkpolicy: support CIDR notation for nodecon statements\n\nSupport the Classless Inter-Domain Routing (CIDR) notation for IP\naddresses with their associated network masks in nodecon statements.\nThe two following statements are equivalent:\n\n    nodecon 10.8.0.0 255.255.0.0 USER1:ROLE1:TYPE1\n    nodecon 10.8.0.0/16          USER1:ROLE1:TYPE1\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"checkpolicy: support CIDR notation for nodecon statements"}},{"before":"d08c9bc79d85110205a478250571a33e7d1f95f0","after":null,"ref":"refs/heads/z37_github","pushedAt":"2024-05-03T15:35:27.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"}},{"before":"e81a05a5050354261049cc7b5987372e763fc5f4","after":"1f173f8efab8e9931898d924057bd0ea8da759b7","ref":"refs/heads/main","pushedAt":"2024-05-03T15:34:50.000Z","pushType":"push","commitsCount":12,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)\n\nlibsepol-3.6/cil/src/cil_binary.c:902: alloc_fn: Storage is returned from allocation function \"cil_malloc\".\nlibsepol-3.6/cil/src/cil_binary.c:902: var_assign: Assigning: \"mls_level\" = storage returned from \"cil_malloc(24UL)\".\nlibsepol-3.6/cil/src/cil_binary.c:903: noescape: Resource \"mls_level\" is not freed or pointed-to in \"mls_level_init\".\nlibsepol-3.6/cil/src/cil_binary.c:905: noescape: Resource \"mls_level\" is not freed or pointed-to in \"mls_level_cpy\".\nlibsepol-3.6/cil/src/cil_binary.c:919: leaked_storage: Variable \"mls_level\" going out of scope leaks the storage it points to.\n\nSigned-off-by: Vit Mojzis <vmojzis@redhat.com>\nAcked-by: James Carter <jwcart2@gmail.com>","shortMessageHtmlLink":"libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)"}},{"before":"8883f6d93cf0c3ec6b57d4358c5cb2dac9240ccf","after":"63e6cee90c58b3b60749c8e783eb06f98b622c22","ref":"refs/heads/z35_segregate_attributes","pushedAt":"2024-04-29T20:34:00.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"secilc/test: add disjoint attributes rule\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>\n---\nv4:\n   rename to disjointattributes","shortMessageHtmlLink":"secilc/test: add disjoint attributes rule"}},{"before":"8f1ab0fa36a0954a4bb4467b81511f556ef7ba83","after":"8883f6d93cf0c3ec6b57d4358c5cb2dac9240ccf","ref":"refs/heads/z35_segregate_attributes","pushedAt":"2024-04-29T20:09:06.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"secilc/test: add disjoint attributes rule\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>\n---\nv4:\n   rename to disjointattributes","shortMessageHtmlLink":"secilc/test: add disjoint attributes rule"}},{"before":"2d99cc223ea4de69008a5ab368e295c8b477c67f","after":"8298ca22a665c123b6e6979ac63cadf22a02d440","ref":"refs/heads/codeql","pushedAt":"2024-04-29T17:03:24.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"[DO NOT MERGE] drop other CI pipelines","shortMessageHtmlLink":"[DO NOT MERGE] drop other CI pipelines"}},{"before":null,"after":"d08c9bc79d85110205a478250571a33e7d1f95f0","ref":"refs/heads/z37_github","pushedAt":"2024-04-08T15:36:15.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"github: bump Python and Ruby versions\n\nBump the maximum Python version to 3.12 and the maximum Ruby version to\n3.3 in the GitHub CI.\n\nAlso bump the setup-python action to v5.\n\nSince Python 3.12 dropped setuptools, install manually.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"github: bump Python and Ruby versions"}},{"before":"70eb747df681779af906fb02fd667ea3a505e6a3","after":"816e9dc89f1238b015c70b0c7111abc8aa8a5f0c","ref":"refs/heads/newrole_paranoid","pushedAt":"2024-04-08T15:29:22.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"newrole: use ROWHAMMER resistant values\n\nUse values for success and failure that are more resistant to bit flips,\nto harden against potential ROWHAMMER attacks.\nInspired by [1].\n\n[1]: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"newrole: use ROWHAMMER resistant values"}},{"before":"6ef869e058357dd580b4a26cbe655956c9097e18","after":"70eb747df681779af906fb02fd667ea3a505e6a3","ref":"refs/heads/newrole_paranoid","pushedAt":"2024-04-08T15:28:54.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"newrole: use ROWHAMMER resistant values\n\nUse values for success and failure that are more resistent to bit flips,\nto harden against potential ROWHAMMER attacks.\nInspired by [1].\n\n[1]: https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"newrole: use ROWHAMMER resistant values"}},{"before":"41570f13158390e2f000a82fd6ce9e77024aa3fa","after":"6ef869e058357dd580b4a26cbe655956c9097e18","ref":"refs/heads/newrole_paranoid","pushedAt":"2024-04-08T15:18:24.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"newrole: use ROWHAMMER resistant values\n\nSee https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"newrole: use ROWHAMMER resistant values"}},{"before":null,"after":"41570f13158390e2f000a82fd6ce9e77024aa3fa","ref":"refs/heads/newrole_paranoid","pushedAt":"2024-04-08T15:09:57.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"newrole: use ROWHAMMER resistant values\n\nSee https://github.com/sudo-project/sudo/commit/7873f8334c8d31031f8cfa83bd97ac6029309e4f\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"newrole: use ROWHAMMER resistant values"}},{"before":"0aee56dd55691ac1ca84d9f6bd1ae038be7c6a72","after":"d8915d082196c54af47d3f837e903184e78f110c","ref":"refs/heads/secilc_dev","pushedAt":"2024-04-08T14:55:46.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"more verbose resolve errors\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"more verbose resolve errors"}},{"before":"617e895db12b45c683eacffa5149da55cc1c7ffa","after":null,"ref":"refs/heads/wip","pushedAt":"2024-04-08T14:21:47.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"}},{"before":null,"after":"1b26e7e1c356d79b9149aaa77d2631a80df03c50","ref":"refs/heads/cond_xperm","pushedAt":"2024-04-05T13:23:13.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libsepol/cil: add support for xperms in conditional policies\n\nAdd support for extended permission rules in conditional policies.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libsepol/cil: add support for xperms in conditional policies"}},{"before":"39b3cc51350a4ba670f9f38493311ec316e4d84d","after":"e81a05a5050354261049cc7b5987372e763fc5f4","ref":"refs/heads/main","pushedAt":"2024-04-04T16:34:02.000Z","pushType":"push","commitsCount":10,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libsepol: constify function pointer arrays\n\nThe function pointer arrays are never changed, declare them const.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>\nAcked-by: James Carter <jwcart2@gmail.com>","shortMessageHtmlLink":"libsepol: constify function pointer arrays"}},{"before":"e97d7758c6c3bf48882ff38b17ae9e35ec91f9a9","after":"8731a53ab126d6c83847df0ae490faaba1493b2c","ref":"refs/heads/pcre2_dlsym","pushedAt":"2024-04-04T16:33:14.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: add build time option to drop hard dependency on libpcre2\n\nCurrently libselinux links to libpcre2.  The regex library is used in\nthe file backend of the selabel database for file context path matching.\n\nSome client applications using libselinux might not use that selabel\nfunctionality, but they still require to load libpcre2.  Examples are\ndbus-broker and sshd (where openssh only uses the selabel interfaces to\ncreate ~/.ssh with the default context).\n\nAdd a build time option, USE_PCRE2_DLSYM, to drop the hard dependency on\nlibpcre2 and only load it, if actually needed, at runtime via dlopen(3).\nSince loading the database for the file backend takes a couple of\nmilliseconds performance is not a concern.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: add build time option to drop hard dependency on libpcre2"}},{"before":"d23efa9646b84c35739f223ce937c2a1bd21d47b","after":"e97d7758c6c3bf48882ff38b17ae9e35ec91f9a9","ref":"refs/heads/pcre2_dlsym","pushedAt":"2024-04-04T16:26:24.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: add build time option to drop hard dependency on libpcre2\n\nCurrently libselinux links to libpcre2.  The regex library is used in\nthe file backend of the selabel database for file context path matching.\n\nSome client applications using libselinux might not use that selabel\nfunctionality, but they still require to load libpcre2.  Examples are\ndbus-broker and sshd (where openssh only uses the selabel interfaces to\ncreate ~/.ssh with the default context).\n\nAdd a build time option, USE_PCRE2_DLSYM, to drop the hard dependency on\nlibpcre2 and only load it, if actually needed, at runtime via dlopen(3).\nSince loading the database for the file backend takes a couple of\nmilliseconds performance is not a concern.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: add build time option to drop hard dependency on libpcre2"}},{"before":"bb06806aab55ca3bdb903b20182686796cebb7c0","after":"d23efa9646b84c35739f223ce937c2a1bd21d47b","ref":"refs/heads/pcre2_dlsym","pushedAt":"2024-04-04T16:23:22.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: add build time option to drop hard dependency on libpcre2\n\nCurrently libselinux links to libpcre2.  The regex library is used in\nthe file backend of the selabel database for file context path matching.\n\nSome client applications using libselinux might not use that selabel\nfunctionality, but they still require to load libpcre2.  Examples are\ndbus-broker and sshd (where openssh only uses the selabel interfaces to\ncreate ~/.ssh with the default context).\n\nAdd a build time option, USE_PCRE2_DLSYM, to drop the hard dependency on\nlibpcre2 and only load it, if actually needed, at runtime via dlopen(3).\nSince loading the database for the file backend takes a couple of\nmilliseconds performance is not a concern.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: add build time option to drop hard dependency on libpcre2"}},{"before":"f795772001a1eec4dee1fde0885c92b86a053a1d","after":"bb06806aab55ca3bdb903b20182686796cebb7c0","ref":"refs/heads/pcre2_dlsym","pushedAt":"2024-04-04T16:18:15.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: add build time option to drop hard dependency on libpcre2\n\nCurrently libselinux links to libpcre2.  The regex library is used in\nthe file backend of the selabel database for file context path matching.\n\nSome client applications using libselinux might not use that selabel\nfunctionality, but they still require to load libpcre2.  Examples are\ndbus-broker and sshd (where openssh only uses the selabel interfaces to\ncreate ~/.ssh with the default context).\n\nAdd a build time option, USE_PCRE2_DLSYM, to drop the hard dependency on\nlibpcre2 and only load it, if actually needed, at runtime via dlopen(3).\nSince loading the database for the file backend takes a couple of\nmilliseconds performance is not a concern.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: add build time option to drop hard dependency on libpcre2"}},{"before":"571618f9596dac1606ac91231c16ccb2c569d2f3","after":"f795772001a1eec4dee1fde0885c92b86a053a1d","ref":"refs/heads/pcre2_dlsym","pushedAt":"2024-04-04T16:06:13.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: add build time option to drop hard dependency on libpcre2\n\nCurrently libselinux links to libpcre2.  The regex library is used in\nthe file backend of the selabel database for file context path matching.\n\nSome client applications using libselinux might not use that selabel\nfunctionality, but they still require to load libpcre2.  Examples are\ndbus-broker and sshd (where openssh only uses the selabel interfaces to\ncreate ~/.ssh with the default context).\n\nAdd a build time option, USE_PCRE2_DLSYM, to drop the hard dependency on\nlibpcre2 and only load it, if actually needed, at runtime via dlopen(3).\nSince loading the database for the file backend takes a couple of\nmilliseconds performance is not a concern.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: add build time option to drop hard dependency on libpcre2"}},{"before":null,"after":"571618f9596dac1606ac91231c16ccb2c569d2f3","ref":"refs/heads/pcre2_dlsym","pushedAt":"2024-04-03T18:57:41.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: add build time option to load libpcre2 at runtime\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: add build time option to load libpcre2 at runtime"}},{"before":"5937e9bd26acc13103df38651683d0389bca6ecb","after":"39b3cc51350a4ba670f9f38493311ec316e4d84d","ref":"refs/heads/main","pushedAt":"2024-03-27T22:19:48.000Z","pushType":"push","commitsCount":3,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"checkpolicy: handle unprintable token\n\nIn case the erroneous token is unprintable, e.g. a control character,\nprint its hex value instead.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>\nAcked-by: James Carter <jwcart2@gmail.com>","shortMessageHtmlLink":"checkpolicy: handle unprintable token"}},{"before":"8c9d2d656b35e913f33f723aaaf90cc4ee71a335","after":"5937e9bd26acc13103df38651683d0389bca6ecb","ref":"refs/heads/main","pushedAt":"2024-03-22T14:29:04.000Z","pushType":"push","commitsCount":14,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"audit2allow: CIL output mode\n\nNew flag -C for audit2allow sets output format to CIL instead of\nPolicy Language.\n\nExample:\n;============= mozilla_t ==============\n\n;!!!! This avc is allowed in the current policy\n(allow mozilla_t user_sudo_t (fd (use)))\n\n;============= user_t ==============\n\n;!!!! This avc can be allowed using the boolean 'allow_execmem'\n(allow user_t self (process (execmem)))\n(allow user_t chromium_t (process (noatsecure rlimitinh siginh)))\n\n;!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n;Constraint rule:\n;       constrain dir { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton audit_access open execmod watch watch_mount watch_sb watch_with_perm watch_reads add_name remove_name reparent search rmdir } ((u1 == u2 -Fail-)  or (u1 == system_u -Fail-)  or (u1 == unconfined_u -Fail-)  or (u1 == sysadm_u -Fail-)  or (u2 == system_u -Fail-)  or (t1 != ubac_constrained_type -Fail-)  or (t2 != ubac_constrained_type -Fail-)  or (t1 == ubacfile -Fail-) ); Constraint DENIED\n\n;       Possible cause is the source user (user_u) and target user (sysadm_u) are different.\n(allow user_t user_home_dir_t (dir (getattr relabelto)))\n\nSigned-off-by: Topi Miettinen <toiwoton@gmail.com>\nAcked-by: James Carter <jwcart2@gmail.com>","shortMessageHtmlLink":"audit2allow: CIL output mode"}},{"before":"f07e4c3b66416f6337d6a2ea1e0d69555f8704ad","after":"090af7e6510edb90f4e7df55346e5023ac190b66","ref":"refs/heads/label_lookup_perf","pushedAt":"2024-03-11T17:19:40.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: support parallel selabel_lookup(3)\n\nSupport the parallel usage of the translated label lookup via\nselabel_lookup(3) in multi threaded applications by locking the step\nof computing the translated context and the validation state.\n\nA potential use case might can usage from a Rust application via FFI.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: support parallel selabel_lookup(3)"}},{"before":"3d57563d160c96296dfac8993cdb339b51d832ca","after":"f07e4c3b66416f6337d6a2ea1e0d69555f8704ad","ref":"refs/heads/label_lookup_perf","pushedAt":"2024-03-11T16:31:33.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"cgzones","name":null,"path":"/cgzones","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6131885?s=80&v=4"},"commit":{"message":"libselinux: support parallel selabel_lookup(3)\n\nSupport the parallel usage of the translated label lookup via\nselabel_lookup(3) in multi threaded applications by locking the step\nof computing the translated context and the validation state.\n\nA potential use case might can usage from a Rust application via FFI.\n\nSigned-off-by: Christian Göttsche <cgzones@googlemail.com>","shortMessageHtmlLink":"libselinux: support parallel selabel_lookup(3)"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEX_w5eAA","startCursor":null,"endCursor":null}},"title":"Activity · cgzones/selinux"}