* CIL: another segfault producer
From: Dominick Grift @ 2020-01-28 12:25 UTC (permalink / raw)
To: selinux
In trying to reduce points of failure in my policy I encountered another segfault.

I want to centralize common permissions, for example common create and common read/write socket perms:

(classmap all_sockets
    (common_create_socket_perms common_readwrite_socket_perms))

(classmap common_alg_socket
    (common_create_socket_perms common_readwrite_socket_perms))
(classmap common_appletalk_socket
    (common_create_socket_perms common_readwrite_socket_perms))

(classmapping
    all_sockets
    common_create_socket_perms
    (common_alg_socket
        (common_create_socket_perms)))

(classmapping
    all_sockets
    common_create_socket_perms
    (common_appletalk_socket
        (common_create_socket_perms)))

(classmapping
    all_sockets
    common_readwrite_socket_perms
    (common_alg_socket
        (common_readwrite_socket_perms)))

(classmapping
    all_sockets
    common_readwrite_socket_perms
    (common_appletalk_socket
        (common_readwrite_socket_perms)))

(classmapping
    common_alg_socket
    common_create_socket_perms
    (alg_socket
        (append bind connect create getattr getopt ioctl read setattr setopt shutdown
         write)))

(classmapping
    common_alg_socket
    common_readwrite_socket_perms
    (alg_socket
        (append bind connect getattr getopt ioctl read setattr setopt shutdown
         write)))

(classpermission create_alg_socket_perms)

(classpermissionset
    create_alg_socket_perms
    (common_alg_socket
        (common_create_socket_perms)))

(classpermission readwrite_alg_socket_perms)

(classpermissionset
    readwrite_alg_socket_perms
    (common_alg_socket
        (common_readwrite_socket_perms)))

<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
Qualifying Names
Compile post process
make: *** [Makefile:21: policy.32] Segmentation fault (core dumped)
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
* Re: CIL: another segfault producer
From: Lawrence, Stephen @ 2020-01-28 14:00 UTC (permalink / raw)
To: selinux@vger.kernel.org
Looks to be an ordering issue with how we verify classmaps when they are
nested. If you define (classmap common_appletalk_socket ...) before
(classmap all_sockets ...), you'll get this error:

    Map class common_appletalk_socket does not have a classmapping for common_readwrite_socket_perms
    Map class common_appletalk_socket does not have a classmapping for common_create_socket_perms

So you're just missing the mapping for common_appletalk_sockets.

The right fix for the segfault isn't immediately clear to me--might need
to change some orderings or maybe even add another verify pass? But
adding the mapping should resolve your segfault for now.
* Re: CIL: another segfault producer
From: Dominick Grift @ 2020-01-28 16:25 UTC (permalink / raw)
To: Lawrence, Stephen; +Cc: selinux@vger.kernel.org
On Tue, Jan 28, 2020 at 02:00:08PM +0000, Lawrence, Stephen wrote:
> Looks to be an ordering issue with how we verify classmaps when they are
> nested. If you define (classmap common_appletalk_socket ...) before
> (classmap all_sockets ...), you'll get this error:
>
> Map class common_appletalk_socket does not have a classmapping for
> common_readwrite_socket_perms
> Map class common_appletalk_socket does not have a classmapping for
> common_create_socket_perms
>
> So you're just missing the mapping for common_appletalk_sockets.
>
> The right fix for the segfault isn't immediately clear to me--might need
> to change some orderings or maybe even add another verify pass? But
> adding the mapping should resolve your segfault for now.
>
Thanks. My bad: overlooked...
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
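
An added example, not part of the thread and not libsepol code: a small Python lint that performs the check described in the reply above (every permission declared by a classmap needs at least one classmapping) only after all statements are collected, so the result does not depend on statement order. It assumes top-level statements only; the names parse and unmapped are hypothetical and the sample policy is constructed from the post with shortened permission lists.

```python
import re

# Constructed sample: the classmap statements from the post, perms shortened.
POLICY = """
(classmap all_sockets (common_create_socket_perms common_readwrite_socket_perms))
(classmap common_alg_socket (common_create_socket_perms common_readwrite_socket_perms))
(classmap common_appletalk_socket (common_create_socket_perms common_readwrite_socket_perms))
(classmapping all_sockets common_create_socket_perms
    (common_alg_socket (common_create_socket_perms)))
(classmapping all_sockets common_create_socket_perms
    (common_appletalk_socket (common_create_socket_perms)))
(classmapping all_sockets common_readwrite_socket_perms
    (common_alg_socket (common_readwrite_socket_perms)))
(classmapping all_sockets common_readwrite_socket_perms
    (common_appletalk_socket (common_readwrite_socket_perms)))
(classmapping common_alg_socket common_create_socket_perms
    (alg_socket (bind connect create read write)))
(classmapping common_alg_socket common_readwrite_socket_perms
    (alg_socket (bind connect read write)))
"""

def parse(text):
    """Parse CIL s-expressions into nested Python lists."""
    text = re.sub(r";[^\n]*", "", text)  # strip CIL comments
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # close list, attach to parent
        else:
            stack[-1].append(tok)
    return stack[0]

def unmapped(text):
    """Return (map class, map permission) pairs with no classmapping."""
    declared, mapped = [], set()
    for stmt in parse(text):
        if stmt[:1] == ["classmap"]:
            declared += [(stmt[1], perm) for perm in stmt[2]]
        elif stmt[:1] == ["classmapping"]:
            mapped.add((stmt[1], stmt[2]))
    # Verify only after every statement is collected, so order is irrelevant.
    return [pair for pair in declared if pair not in mapped]

if __name__ == "__main__":
    for cls, perm in unmapped(POLICY):
        print(f"Map class {cls} does not have a classmapping for {perm}")
```
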