help: 2 conditional expressions in refpolicy must match?

help: 2 conditional expressions in refpolicy must match?

[蔡嘉勇]

while i am testing refpolicy conditional expression by switching
monolic and module compile mode, i found a strange thing. following is
the steps i took:

step 1: add a new boolean to policy
   in policy/global_tunables:
     gen_tunable(user_ping,false)
     gen_tunable(test_ping,false)

step 2: modify conditional expression
    in policy/modules/admin/netutils.if:

interface(`netutils_run_ping_cond',`
        gen_require(`
                type ping_t;
                bool user_ping;
                bool test_ping;
        ')

        role $2 types ping_t;

        if ( test_ping && user_ping ) {
                netutils_domtrans_ping($1)
                allow ping_t $3:chr_file rw_term_perms;
        }
')

then i try to build policy in monolic and module mode, i use apol to
check binary policy. monolinc is ok, it shows the conditional rules
exactly, while modules building boolean test_ping  is in the policy,
but the rules are lost!!!!

furthermore a more strange thing came, that  if I modify the interface
netutils_run_traceroute_cond in the same file
policy/modules/admin/netutils.if  like following:
interface(`netutils_run_traceroute_cond',`
        gen_require(`
                type traceroute_t;
                bool user_ping;
                bool test_ping;
        ')

        role $2 types traceroute_t;

        if( user_ping && test_ping ) {
                netutils_domtrans_traceroute($1)
                allow traceroute_t $3:chr_file rw_term_perms;
        }
')

then rebuild module policy, conditional av rules are ok. if i make 2
conditional expressions different, conditional av rule still lost!

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: help: 2 conditional expressions in refpolicy must match?

[Karl MacMillan]

²Ì¼ÎÓ wrote:
> while i am testing refpolicy conditional expression by switching
> monolic and module compile mode, i found a strange thing. following is
> the steps i took:
> 
> step 1: add a new boolean to policy
>   in policy/global_tunables:
>     gen_tunable(user_ping,false)
>     gen_tunable(test_ping,false)
> 
> step 2: modify conditional expression
>    in policy/modules/admin/netutils.if:
> 
> interface(`netutils_run_ping_cond',`
>        gen_require(`
>                type ping_t;
>                bool user_ping;
>                bool test_ping;
>        ')
> 
>        role $2 types ping_t;
> 
>        if ( test_ping && user_ping ) {
>                netutils_domtrans_ping($1)
>                allow ping_t $3:chr_file rw_term_perms;
>        }
> ')
> 
> then i try to build policy in monolic and module mode, i use apol to
> check binary policy. monolinc is ok, it shows the conditional rules
> exactly, while modules building boolean test_ping  is in the policy,
> but the rules are lost!!!!
> 

How are you checking that the rules are lost? Linking and expanding the 
module and then loading in Apol? Could you use the dismod and dispol 
programs in the checkpolicy/test directory of the source distribution to 
verify this? Also, what versions of the checkpolicy/checkmodule, 
libsepol, are you using? Some very old versions exhibited this sort of 
behavior, but it is not likely you are using those.

Thanks - Karl




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.