From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: secilc bug
Date: Sat, 2 May 2015 17:03:00 +0200
Message-ID: <20150502150259.GA15244@x131e>
In-Reply-To: <1430265211.2218.13.camel@linux.vnet.ibm.com>


Today I hit a bug in secilc, when compiling my policy with some modules excluded.

My policy is rather complex, and so I find the issue hard to explain, but I will try:

In my github.com/doverride/laptop policy (the auth.cil module to be precise) I have an auth_pam_config_object_type() macro that
essentially associates the calling type with the auth_pam_config_object_type type attribute, which in turn is associated with
the auth_object_type attribute that is used to grant auth_admin() access to all "auth object types".

The auth_pam_config_object_type() macro is called in various modules for various third party pam config files.

For example, xserver maintains /etc/pam.d/xserver, which is associated with xserver_pam_config_t, and xserver_pam_config_t is
associated with auth_pam_config_object_type.

This is just one example.

By excluding the xserver.cil module, the whole auth_pam_config_object_type attribute, and all rules associated with it, vanish.
I noticed today that on a system where I excluded xserver.cil I no longer had access to /etc/security/access.conf (which is
associated with pam_config_t, and pam_config_t is associated with auth_pam_config_object_type).

By re-including the xserver.cil module, the rules that allow auth_admin() to maintain auth_object_type files reappeared.

To reproduce:

clone my "laptop" policy and build it

use "sesearch -A -s auth_admin_subject_type | grep auth_object_type" to confirm that auth_admin_subject_type is allowed
to maintain file objects associated with auth_object_type

Now exclude the xserver.cil module

use above sesearch command again and notice how the rules granting auth_admin_subject_type access to maintain file objects
associated with auth_object_type have vanished.

P.S.:
Another really strange thing I noticed is that I have a compiled policy with a bunch of modules excluded that is bigger than
a policy with little or no modules excluded.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
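A constructed, minimal CIL reproduction of the structure the message describes, added here for illustration; it is not code from the laptop policy. The attribute and type names follow the report, while the base declarations, the permission set and the split into the four files named in the comments are assumed.

```cil
;; Constructed example (not the laptop policy): the attribute chain from the
;; report, split into the modules named there. Base declarations, the
;; permission set and the file names are assumed.

;; --- base.cil: minimal non-MLS base so the modules compile stand-alone ---
(mls false)
(class file (read write getattr open))
(classorder (file))
(sid kernel)
(sidorder (kernel))
(user system_u)
(role system_r)
(type kernel_t)
(userrole system_u system_r)
(roletype system_r kernel_t)
(sidcontext kernel (system_u system_r kernel_t))

;; --- auth.cil: attributes, the admin rule and the macro from the report ---
(typeattribute auth_admin_subject_type)
(typeattribute auth_object_type)
(typeattribute auth_pam_config_object_type)
;; every pam config object type is also an auth object type
(typeattributeset auth_object_type (auth_pam_config_object_type))
;; the rule the report checks with sesearch
(allow auth_admin_subject_type auth_object_type (file (read write getattr open)))
;; macro and attribute share a name, as in the report: CIL keeps macros and
;; types in separate symbol tables, so this is legal
(macro auth_pam_config_object_type ((type ARG1))
    (typeattributeset auth_pam_config_object_type (ARG1)))

;; --- pam.cil: always included; owns the type of /etc/security/access.conf ---
(type pam_config_t)
(call auth_pam_config_object_type (pam_config_t))

;; --- xserver.cil: the module the report excludes ---
(type xserver_pam_config_t)
(call auth_pam_config_object_type (xserver_pam_config_t))
```

Assumed invocation: `secilc -o policy.all base.cil auth.cil pam.cil xserver.cil`, then the same command without xserver.cil into a second output file, and the report's own check, `sesearch -A -s auth_admin_subject_type <binary> | grep auth_object_type`, on each binary; pam_config_t still calls the macro in both builds, so the rule should be present in both, and the report's finding is that it is missing from the second.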
