From: Sven Vermeulen
Date: Sat, 2 Aug 2014 21:19:04 +0200
To: selinux@tycho.nsa.gov
Subject: Debugging sepolgen-ifgen?
Message-ID: <20140802191904.GA7856@siphos.be>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

Hi all

I've noticed that on my system, for some interfaces, the results in
/var/lib/sepolgen/interface_info are missing file-specific feedback.

For instance, consider the kernel_rw_kernel_sysctl() interface, which is
coded as follows:

    interface(`kernel_rw_kernel_sysctl',`
        gen_require(`
            type proc_t, sysctl_t, sysctl_kernel_t;
        ')

        rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
        list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
    ')

In the interface_info file, I only find the following metadata about this
interface:

    [InterfaceVector kernel_rw_kernel_sysctl $1:source ]
    $1,sysctl_t,dir,getattr,open,search
    $1,sysctl_kernel_t,dir,getattr,open,search
    $1,proc_t,dir,getattr,open,search

Shouldn't this at least contain something like this?

    $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append

Although not critical, it does result in audit2allow -R not using
refpolicy-style interfaces when possible...

How can I debug this? I know the file is generated by sepolgen-ifgen, but
rerunning it doesn't add in any file-related metadata and I'm totally
oblivious to how the parsing is done...

Wkr,
Sven Vermeulen
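
Added example, not part of the original message and not sepolgen code: a small parser for the interface_info layout quoted above that lists interfaces carrying no access vector for a given object class, which helps show how widespread the missing file entries are. It assumes the file consists only of `[InterfaceVector ...]` headers followed by `source,target,class,perm,...` lines as shown in the message; the function names, `example_read_file` and `example_t` are hypothetical, and the sample data is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the message; the second
# interface (example_read_file / example_t) is made up for contrast.
SAMPLE = """\
[InterfaceVector kernel_rw_kernel_sysctl $1:source ]
$1,sysctl_t,dir,getattr,open,search
$1,sysctl_kernel_t,dir,getattr,open,search
$1,proc_t,dir,getattr,open,search
[InterfaceVector example_read_file $1:source ]
$1,example_t,file,read,getattr,open
"""

# Header line: "[InterfaceVector <name> <params...> ]" (assumed from the message).
HEADER = re.compile(r"^\[InterfaceVector\s+(\S+)\s*(.*?)\s*\]$")

def parse_interface_info(text):
    """Return {interface: {(target_type, obj_class): set(perms)}}."""
    vectors, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = vectors.setdefault(m.group(1), defaultdict(set))
            continue
        fields = line.split(",")
        # An access vector needs at least source, target and class.
        if current is None or len(fields) < 3:
            raise ValueError(f"line {lineno}: unexpected content {line!r}")
        _src, tgt, obj_class, *perms = fields
        current[(tgt, obj_class)].update(perms)
    return vectors

def missing_class(vectors, interface, tgt, obj_class):
    """True if the interface has no access vector for (tgt, obj_class)."""
    return (tgt, obj_class) not in vectors.get(interface, {})

def interfaces_without_class(vectors, obj_class):
    """Sorted names of interfaces with no rule at all for obj_class."""
    return sorted(name for name, avs in vectors.items()
                  if all(c != obj_class for _t, c in avs))

if __name__ == "__main__":
    parsed = parse_interface_info(SAMPLE)
    print(interfaces_without_class(parsed, "file"))
```

To run it against a real system, pass the contents of /var/lib/sepolgen/interface_info to `parse_interface_info` instead of `SAMPLE`.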