From: Dominick Grift <dominick.grift@defensec.nl>
To: selinux@vger.kernel.org
Subject: Re: any reason why a class mapping is not able to solve permissionx?
Date: Fri, 17 Jan 2020 19:24:05 +0100
Message-ID: <20200117182405.GA182181@brutus.lan>
In-Reply-To: <20200117173448.GA166208@brutus.lan>

On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
> For example this:
> 
> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
> 
> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
> 
> Says:
> 
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
> Problem at policy/base/class_maps.cil:994
> Pass 14 of resolution failed
> Failed to resolve ast
> Failed to compile cildb: -2
> make: *** [Makefile:30: policy.32] Error 254
> 
> Am I doing something wrong or is this unsupported?

Are we supposed to be able to use allowx rules in macros?

This works when the tunable is set false:

(tunable no_mac_addr true)

(block bla1
        (blockinherit system_agent_template)

        (macro stuff ((type ARG1))
                (tunableif no_mac_addr
                  (true
                      (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
                      (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
                  (false
                      (allow ARG1 self create_tcp_stream_socket_perms)))))

(block blah2
        (blockinherit system_agent_template)

        (call bla1.stuff (subj)))

But when the tunable is set true:
<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
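To make the permissionx expression in the quoted message concrete, the following is an added example (not code from this mail, from the reference policy or from secilc). It parses the CIL s-expression syntax shown above, evaluates it over the 16-bit ioctl number space, and then groups the result into the per-driver function bitmaps that SELinux extended permissions use (driver = high byte, function = low byte). The operator semantics (all, range, not, and, or, xor, and a bare list meaning union) are a constructed model of CIL's documented xperm expressions, not the compiler's own implementation; SIOCGIFHWADDR = 0x8927 is the value used in the mail.

```python
"""Model of how a CIL permissionx ioctl expression selects ioctl numbers.

Added example, not code from the mail or from secilc. The operator
semantics are a constructed model of CIL's documented xperm expressions.
"""
import re

IOCTL_BITS = 16
ALL_IOCTLS = frozenset(range(1 << IOCTL_BITS))


def parse(text):
    """Parse a CIL-style s-expression into nested lists of atom strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while pos < len(tokens) and tokens[pos] != ")":
                items.append(read())
            if pos >= len(tokens):
                raise ValueError("missing ')'")
            pos += 1  # consume ")"
            return items
        if tok == ")":
            raise ValueError("unbalanced ')'")
        return tok

    tree = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after expression")
    return tree


def evaluate(node):
    """Return the set of 16-bit ioctl numbers selected by a parsed expression."""
    if isinstance(node, str):
        value = int(node, 0)
        if not 0 <= value < (1 << IOCTL_BITS):
            raise ValueError(f"ioctl number out of 16-bit range: {node}")
        return frozenset({value})
    if not node:
        return frozenset()
    head = node[0]
    if head == "all":
        return ALL_IOCTLS
    if head == "range":
        lo, hi = int(node[1], 0), int(node[2], 0)
        return frozenset(range(lo, hi + 1))
    if head == "not":
        return ALL_IOCTLS - evaluate(node[1])
    if head == "and":
        return evaluate(node[1]) & evaluate(node[2])
    if head == "or":
        return evaluate(node[1]) | evaluate(node[2])
    if head == "xor":
        return evaluate(node[1]) ^ evaluate(node[2])
    # A bare list such as (0x8927) or (0x8900 (range 0x8910 0x8926)) is a union
    # of its members (modelled behaviour, see lead-in).
    result = frozenset()
    for item in node:
        result |= evaluate(item)
    return result


def driver_bitmaps(allowed):
    """Group selected ioctls by driver byte into 256-bit function bitmaps,
    mirroring the driver/function split of SELinux extended permissions."""
    bitmaps = {}
    for cmd in allowed:
        driver, function = cmd >> 8, cmd & 0xFF
        bitmaps[driver] = bitmaps.get(driver, 0) | (1 << function)
    return bitmaps


def is_allowed(bitmaps, cmd):
    """Check one ioctl command number against the bitmap view."""
    return bool((bitmaps.get(cmd >> 8, 0) >> (cmd & 0xFF)) & 1)


if __name__ == "__main__":
    expr = "(and (all) (not (0x8927)))"  # the expression from the mail
    allowed = evaluate(parse(expr))
    bitmaps = driver_bitmaps(allowed)
    print(f"{expr}: {len(allowed)} of {len(ALL_IOCTLS)} ioctl numbers selected")
    print("SIOCGIFHWADDR (0x8927) allowed:", is_allowed(bitmaps, 0x8927))
```

Running the module evaluates the mail's "everything except SIOCGIFHWADDR" expression and reports that 65535 of 65536 ioctl numbers are selected, with the single excluded function bit in driver 0x89 cleared; the same functions can be pointed at any other permissionx expression to see which ioctl numbers a rule actually grants before it goes into a policy.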

Thread overview: 6+ messages
2020-01-17 17:34 any reason why a class mapping is not able to solve permissionx? Dominick Grift
2020-01-17 18:24 ` Dominick Grift [this message]
2020-01-17 18:36   ` [Non-DoD Source] " jwcart2
2020-01-21 16:26   ` jwcart2
2020-01-23 20:41     ` jwcart2
2020-01-23 21:15       ` Dominick Grift