From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <stephen.smalley@gmail.com>
Cc: Joshua Brindle <jbrindle@tresys.com>, selinux@tycho.nsa.gov
Subject: Re: hierarchy_check_constraints() needs reworks?
Date: Fri, 25 Jul 2008 09:39:14 +0900
Message-ID: <488920B2.8030408@ak.jp.nec.com>
In-Reply-To: <1216898673.3881.4.camel@sulphur>

Stephen Smalley wrote:
> On Thu, 2008-07-24 at 14:38 +0900, KaiGai Kohei wrote:
>> I found out that hierarchy_check_constraints() in libsepol
>> does not work correctly, as follows:
>>
>> ---- example: foo.te ----
>> module foo 1.0;
>>
>> require {
>>         class file { read write getattr setattr ioctl };
>> };
>>
>> type src;
>> type src.child;
>> type tgt;
>>
>> allow src       tgt : file { read write };
>> allow src.child tgt : file { read write getattr setattr };
>> ----------
>> [root@fedora9 kaigai]# checkmodule -m -M foo.te -o foo.mod
>> checkmodule:  loading policy configuration from foo.te
>> checkmodule:  policy configuration loaded
>> checkmodule:  writing binary representation (version 8) to foo.mod
>> [root@fedora9 kaigai]# /usr/sbin/semodule -i foo.pp
> 
> Check /etc/selinux/semanage.conf to see if you have expand-check=1 set;
> otherwise, there is no hierarchy checking or neverallow checking
> occurring there.  Disabled by default in Fedora due to the overhead and
> the view that it should be handled at policy build time rather than
> insertion time.  refpolicy has a make validate target that runs
> semodule_link followed by semodule_expand manually.

Thanks for your information.

I could get the expected behavior under expand-check=1.

[root@fedora9 ~]# semodule -i ~kaigai/foo.pp
libsepol.check_avtab_hierarchy_callback: hierarchy violation between types sbj.child and tgt : file {  getattr setattr }
libsepol.hierarchy_check_constraints: 1 total errors found during hierarchy check
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!
[root@fedora9 ~]#

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
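The error shown above comes from libsepol comparing each `parent.child` type against its parent. The following is an added Python model of that source-side check, not code from the thread or from libsepol; it assumes a type's parent is the prefix before its last dot, parses only `allow` lines, and ignores target-side hierarchy and attributes.

```python
from collections import defaultdict

def parent_of(type_name):
    """Return the hierarchical parent of a type, or None for a top-level type.
    Assumption: 'a.b.c' has parent 'a.b', as in the src / src.child example."""
    head, sep, _tail = type_name.rpartition(".")
    return head if sep else None

def parse_te(text):
    """Collect 'allow SRC TGT : CLASS { PERMS };' lines of a .te module into
    {(source, target, class): set(perms)}; other statements are skipped."""
    rules = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("allow "):
            continue
        body = line[len("allow "):].rstrip(";")
        left, _, right = body.partition(":")
        src, tgt = left.split()
        if "{" in right:                       # allow a b : cls { p1 p2 };
            cls, perms = right.split("{", 1)
            perms = perms.rstrip("}").split()
        else:                                  # allow a b : cls p1;
            cls, *perms = right.split()
        rules[(src, tgt, cls.strip())].update(perms)
    return dict(rules)

def hierarchy_violations(rules):
    """Return {(child, target, class): extra_perms} wherever a child type is
    granted permissions its parent lacks for the same target and class.
    A parent with no rule at all for that key grants nothing, so every child
    permission is then a violation (matches the message's error condition)."""
    violations = {}
    for (src, tgt, cls), perms in rules.items():
        parent = parent_of(src)
        if parent is None:
            continue
        extra = perms - rules.get((parent, tgt, cls), set())
        if extra:
            violations[(src, tgt, cls)] = extra
    return violations

# The foo.te module from the message, embedded so the check runs offline.
FOO_TE = """
module foo 1.0;
require { class file { read write getattr setattr ioctl }; };
type src;
type src.child;
type tgt;
allow src       tgt : file { read write };
allow src.child tgt : file { read write getattr setattr };
"""

def check_foo():
    return hierarchy_violations(parse_te(FOO_TE))

if __name__ == "__main__":
    for (child, tgt, cls), extra in check_foo().items():
        print(f"hierarchy violation between types {child} and {tgt} : "
              f"{cls} {{ {' '.join(sorted(extra))} }}")
```

Running it reports `getattr setattr` as the excess permissions of `src.child`, the same two permissions libsepol names above once expand-check=1 is in effect.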

