From: James Carter <jwcart2@tycho.nsa.gov>
To: Steve Lawrence <slawrence@tresys.com>
Cc: Richard Haines <richard_c_haines@btinternet.com>,
	SELinux List <selinux@tycho.nsa.gov>
Subject: Re: CIL constraint problem
Date: Tue, 27 Aug 2013 12:29:02 -0400
Message-ID: <521CD3CE.4030300@tycho.nsa.gov>
In-Reply-To: <521CD1D7.1070505@tresys.com>

On 08/27/2013 12:20 PM, Steve Lawrence wrote:
> Yep, looks like we aren't expanding typeattributes in constraints. I have a fix
> for the master branch on oss, but Jim has made a few changes to how constraints
> work, so my patch doesn't apply cleanly. I'm also seeing a segfault on the nsa
> branch with the simple test cil file (test/policy.cil), still looking into that.
> I've attached the patch to the oss master branch if you'd like to give it a shot.
>

I am still looking at the previous bug with constraints and investigating
perhaps the same segfault. Expanding typeattributes won't be hard; I just hadn't
realized that needed to be done for constraints. Hopefully, it won't take too
long to resolve this.

Jim

> - Steve
>
>
> On 08/25/2013 12:15 PM, Richard Haines wrote:
>> I've been trying the constraints in CIL and found they were not being
>> generated although I managed to fix this with the patch listed at the end.
>>
>> However there is still a problem that I have not managed to track down and
>> that is where I use a typeattribute in the constraint. The following is an
>> example CIL policy segment:
>>
>> ; Start
>> (class file (execute_no_trans entrypoint execmod open audit_access))
>> (common file (ioctl read write create getattr setattr lock relabelfrom
>>      relabelto append unlink link rename execute swapon quotaon mounton))
>> (classcommon file file)
>> (type  ax_t)
>> (type  bx_t)
>> (type  cx_t)
>> (typeattribute attribute_1)
>> (typeattributeset attribute_1 ax_t)
>> (typeattributeset attribute_1 bx_t)
>> (typeattributeset attribute_1 cx_t)
>> (constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1
>> ax_t)) (neq r1 r2)))
>> ; End
>>
>> The policy statement generated by secilc (note the Tresys version does the same):
>> constrain { file } { execute_no_trans }
>>      (( t2 == attribute_1  ) and ( t1 == ax_t  ) or ( r1 != r2 ));
>>
>> However it should be:
>> constrain { file } { execute_no_trans }
>>      (( t2 == { ax_t bx_t cx_t } ) and ( t1 == ax_t  ) or ( r1 != r2 ));
>>
>>
>> Subject: [PATCH] Allow CIL to generate constraints
>>
>> Before this, no constraint statements were generated.
>> ---
>>   src/cil_binary.c | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/cil_binary.c b/src/cil_binary.c
>> index e31f589..bbbc534 100644
>> --- a/src/cil_binary.c
>> +++ b/src/cil_binary.c
>> @@ -1971,14 +1971,14 @@ int cil_constrain_to_policydb(policydb_t *pdb, struct
>> cil_symtab_datum *datum)
>>
>>       cil_list_for_each(curr, cil_constrain->classperms) {
>>           struct cil_classperms *classperms = curr->data;
>> -        if (classperms->flavor == CIL_CLASS) {
>> +        if (classperms->flavor == CIL_CLASSPERMS) {
>>               key = ((struct cil_symtab_datum *)classperms->r.cp.class)->name;
>>
>>               rc = cil_constrain_to_policydb_helper(pdb, key,
>> classperms->r.cp.perms, expr);
>>               if (rc != SEPOL_OK) {
>>                   goto exit;
>>               }
>> -        } else if (classperms->flavor == CIL_MAP_CLASS) {
>> +        } else if (classperms->flavor == CIL_MAP_CLASSPERMS) {
>>               struct cil_list_item *i = NULL;
>>               cil_list_for_each(i, classperms->r.mcp.perms) {
>>                   struct cil_map_perm *cmp = i->data;
>>
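Review bot: the commit message ("Before this, no constraint statements were generated.") should state the cause, not just the symptom: the only change in this hunk is the flavor values compared against `classperms->flavor`, so the old comparisons `classperms->flavor == CIL_CLASS` and `== CIL_MAP_CLASS` evidently never matched and both branches were skipped for every constraint, silently, which is why the missing constraints went unnoticed until someone inspected the generated policy. Worth pairing this fix with an `else` branch (if the function does not already have one) that logs the unexpected flavor and returns an error, so a mismatch like this fails the build loudly instead of dropping constraints without any diagnostic.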
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

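To make the expansion Richard describes concrete, here is a small added example (not secilc's code, and not part of this thread) that parses the relevant part of his CIL segment, records which types each typeattributeset assigns to an attribute, and renders the constrain statement in policy.conf syntax with the attribute replaced by its member set. The s-expression parser and the output format are my own simplifications; only the simple (typeattributeset attr type) and (typeattributeset attr (types...)) forms are handled.

```python
import re

# Constructed input: the attribute and constraint lines from the CIL segment in the mail
CIL_POLICY = """
(typeattribute attribute_1)
(typeattributeset attribute_1 ax_t)
(typeattributeset attribute_1 bx_t)
(typeattributeset attribute_1 cx_t)
(constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1 ax_t)) (neq r1 r2)))
"""

def parse_sexprs(text):
    """Parse every top-level s-expression into nested lists of strings (';' starts a comment)."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";.*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # close the current form into its parent
        else:
            stack[-1].append(tok)
    return stack[0]

def collect_attributes(forms):
    """Map each typeattribute to the list of types that typeattributeset assigns to it."""
    attrs = {}
    for form in forms:
        if form[0] == "typeattributeset":
            members = form[2] if isinstance(form[2], list) else [form[2]]
            attrs.setdefault(form[1], []).extend(members)
    return attrs

def render_expr(expr, attrs):
    """Render a CIL constraint expression in policy.conf syntax, expanding attributes."""
    op = expr[0]
    if op in ("eq", "neq"):
        rhs = expr[2]
        if rhs in attrs:  # attribute on the right-hand side: substitute its member types
            rhs = "{ " + " ".join(attrs[rhs]) + " }"
        return f"( {expr[1]} {'==' if op == 'eq' else '!='} {rhs} )"
    # 'and' binds tighter than 'or', so an 'or' nested under 'and' needs parentheses
    parts = [f"({render_expr(s, attrs)})" if op == "and" and s[0] == "or"
             else render_expr(s, attrs) for s in expr[1:]]
    return f" {op} ".join(parts)

def compile_constraints(text):
    """Return one policy.conf constrain statement per (constrain ...) form in the text."""
    forms = parse_sexprs(text)
    attrs = collect_attributes(forms)
    return [f"constrain {{ {form[1][0]} }} {{ {' '.join(form[1][1])} }} "
            f"({render_expr(form[2], attrs)});"
            for form in forms if form[0] == "constrain"]
```

Running compile_constraints(CIL_POLICY) yields the expanded form Richard expected, with `t2 == { ax_t bx_t cx_t }` in place of the bare attribute name.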
