From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 30 Nov 2010 10:13:04 -0500
Subject: [refpolicy] Side effects for the comments in the .if files?
In-Reply-To:
References:
Message-ID: <4CF51480.7000903@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/22/10 06:11, HarryCiao wrote:
> Hi SELinux expert,
>
> I seem to have run into something that I could not understand: the comments
> in the .if file have an impact on how the .pp files are compiled.
> Sometimes the comments in the .if file may block the called interfaces
> from being properly parsed, and if all comments are removed, then the called
> interfaces are parsed correctly to grant the desired permissions
> for the calling domain.
>
> For example, in my v5-samhain.pp implementation (please refer to another
> separate email), the samhain_service_template() calls
> userdom_use_user_terminals($1_t) in the end, but I am very surprised to
> find that samhain_t lacks privileges to access user_devpts_t when
> deployed on the target. However, if all comments are removed in
> samhain_service_template(), then the call to
> userdom_use_user_terminals($1_t) actually takes effect, and I could
> verify the following lines added to tmp/samhain.tmp:
>
> + ; type user_tty_device_t, user_devpts_t;
> +#line 38
> +
> +#line 38
> + } # end require
> +#line 38
> +
> +#line 38
> +
> +#line 38
> +
> +#line 38
> + allow samhain_t user_tty_device_t:chr_file { getattr open read write append ioctl };
> +#line 38
> + allow samhain_t user_devpts_t:chr_file { getattr open read write append ioctl };
> +#line 38
>
> Moreover, comments in the .te files do not seem to have such a side
> effect; they only do in the .if files. What's going on here? Is there
> dark magic, and is there anything particular I should watch out for when using
> comments in the .if files?

The only issue I can think of is if you accidentally use an m4 quote in a comment.
For example, a line like this:

# don't do this

If this is in an interface, the apostrophe (') will be interpreted as the end of
the block, which typically means the interface will end prematurely. However,
userdom_use_user_terminals() does not have any comment issues, so I'm unsure why
you're seeing an issue.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
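The quoting hazard Chris describes can be caught before a build. The checker below is an added example, not code from the thread or from the reference policy; it assumes the refpolicy conventions that interface and template bodies are wrapped in m4 quotes (backtick and apostrophe) and that `#` starts a comment, and its sample interface and .te fragment are constructed for illustration.

```python
"""Flag comments that change the m4 quote depth inside .if interface bodies.

Reference policy wraps each interface/template body in m4 quotes, ` ... '.
Inside quoted text m4 does not recognise # comments, so an apostrophe in a
comment closes the quote early and the rest of the interface is mis-parsed.
In a .te file the body is not quoted, so # really starts an m4 comment and
any quote characters on that line are ignored.
"""


def check_m4_quotes(text, open_q="`", close_q="'", comment="#"):
    """Return [(lineno, line)] for comment lines that alter the quote depth."""
    depth = 0
    suspects = []
    for lineno, line in enumerate(text.splitlines(), 1):
        depth_at_comment = None
        for ch in line:
            if ch == comment and depth == 0:
                break  # genuine m4 comment: rest of line is copied verbatim
            if ch == comment and depth_at_comment is None:
                depth_at_comment = depth  # '#' inside quoted text: not a comment to m4
            if ch == open_q:
                depth += 1
            elif ch == close_q and depth > 0:
                depth -= 1
        if depth_at_comment is not None and depth != depth_at_comment:
            suspects.append((lineno, line.strip()))
    return suspects


# Constructed sample interface (hypothetical name, not a real refpolicy interface).
BAD_IF = """\
## <summary>Constructed sample, not a real refpolicy interface.</summary>
interface(`sample_use_terminals',`
\tgen_require(`
\t\ttype user_devpts_t;
\t')

\t# don't do this: the apostrophe closes the m4 quote above
\tallow $1 user_devpts_t:chr_file rw_chr_file_perms;
')
"""
GOOD_IF = BAD_IF.replace("don't", "do not")

# Constructed .te fragment: the same comment is harmless because the body is unquoted.
SAMPLE_TE = """\
policy_module(sample, 1.0)
# don't worry here: this line is a real m4 comment at quote depth 0
allow sample_t user_devpts_t:chr_file rw_chr_file_perms;
"""

if __name__ == "__main__":
    for name, src in (("BAD_IF", BAD_IF), ("GOOD_IF", GOOD_IF), ("SAMPLE_TE", SAMPLE_TE)):
        print(name, check_m4_quotes(src))
```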