From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <521CD3CE.4030300@tycho.nsa.gov>
Date: Tue, 27 Aug 2013 12:29:02 -0400
From: James Carter
MIME-Version: 1.0
To: Steve Lawrence
CC: Richard Haines, SELinux List
Subject: Re: CIL constraint problem
References: <51F6A808.5080204@tycho.nsa.gov>
 <1377189006.38963.YahooMailNeo@web87904.mail.ir2.yahoo.com>
 <521668CA.7040305@tycho.nsa.gov>
 <1377270346.9016.YahooMailNeo@web87904.mail.ir2.yahoo.com>
 <52177D45.60402@tycho.nsa.gov>
 <1377447310.98038.YahooMailNeo@web87903.mail.ir2.yahoo.com>
 <521CD1D7.1070505@tresys.com>
In-Reply-To: <521CD1D7.1070505@tresys.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On 08/27/2013 12:20 PM, Steve Lawrence wrote:
> Yep, looks like we aren't expanding typeattributes in constraints. I have a fix
> for the master branch on oss, but Jim has made a few changes to how constraints
> work, so my patch doesn't apply cleanly. I'm also seeing a segfault on the nsa
> branch with the simple test cil file (test/policy.cil), still looking into that.
> I've attached the patch to the oss master branch if you'd like to give it a shot.
>

I am still looking at the previous bug with constraints and investigating perhaps
the same segfault. Expanding typeattributes won't be hard; I just hadn't realized
that needed to be done for constraints. Hopefully, it won't take too long to
resolve this.

Jim

> - Steve
>
>
> On 08/25/2013 12:15 PM, Richard Haines wrote:
>> I've been trying the constraints in CIL and found they were not being
>> generated, although I managed to fix this with the patch listed at the end.
>>
>> However, there is still a problem that I have not managed to track down, and
>> that is where I use a typeattribute in the constraint. The following is an
>> example CIL policy segment:
>>
>> ; Start
>> (class file (execute_no_trans entrypoint execmod open audit_access))
>> (common file (ioctl read write create getattr setattr lock relabelfrom
>> relabelto append unlink link rename execute swapon quotaon mounton))
>> (classcommon file file)
>> (type ax_t)
>> (type bx_t)
>> (type cx_t)
>> (typeattribute attribute_1)
>> (typeattributeset attribute_1 ax_t)
>> (typeattributeset attribute_1 bx_t)
>> (typeattributeset attribute_1 cx_t)
>> (constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1
>> ax_t)) (neq r1 r2)))
>> ; End
>>
>> The policy statement generated by secilc (note the Tresys version does the same):
>> constrain { file } { execute_no_trans }
>> (( t2 == attribute_1 ) and ( t1 == ax_t ) or ( r1 != r2 ));
>>
>> However it should be:
>> constrain { file } { execute_no_trans }
>> (( t2 == { ax_t bx_t cx_t } ) and ( t1 == ax_t ) or ( r1 != r2 ));
>>
>>
>> Subject: [PATCH] Allow CIL to generate constraints
>>
>> Before this, no constraint statements were generated.
>> ---
>> src/cil_binary.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/cil_binary.c b/src/cil_binary.c
>> index e31f589..bbbc534 100644
>> --- a/src/cil_binary.c
>> +++ b/src/cil_binary.c
>> @@ -1971,14 +1971,14 @@ int cil_constrain_to_policydb(policydb_t *pdb, struct >> cil_symtab_datum *datum) >> >> cil_list_for_each(curr, cil_constrain->classperms) { >> struct cil_classperms *classperms = curr->data; >> - if (classperms->flavor == CIL_CLASS) { >> + if (classperms->flavor == CIL_CLASSPERMS) { >> key = ((struct cil_symtab_datum *)classperms->r.cp.class)->name; >> >> rc = cil_constrain_to_policydb_helper(pdb, key, >> classperms->r.cp.perms, expr); >> if (rc != SEPOL_OK) { >> goto exit; >> } >> - } else if (classperms->flavor == CIL_MAP_CLASS) { >> + } else if (classperms->flavor == CIL_MAP_CLASSPERMS) { >> struct cil_list_item *i = NULL; >> cil_list_for_each(i, classperms->r.mcp.perms) { >> struct cil_map_perm *cmp = i->data; >> > -- James Carter National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
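Review bot: the `if`/`else if` in this hunk has no `else`, so when `classperms->flavor` matched neither `CIL_CLASS` nor `CIL_MAP_CLASS` the constraint was dropped without any error and the policy was built without it, which is exactly the fail-open behaviour the commit message describes ("no constraint statements were generated"). Correcting the constants to `CIL_CLASSPERMS` / `CIL_MAP_CLASSPERMS` fixes the comparison, but an `else` branch that sets `rc` to a non-OK value and does `goto exit` would make any future flavor mismatch fail the build instead of silently weakening the policy. Note also that this hunk only restores emission of the statement; as the output quoted above shows, the `attribute_1` operand is still written out unexpanded, so the typeattribute problem is a separate fix.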
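Added example, not code from secilc or from anyone in this thread: the Python below models the step the thread says secilc was skipping. It parses the CIL segment Richard posted, records which types each typeattribute contains, rewrites every eq/neq whose left side is a type operand (t1, t2, t3) and whose right side is an attribute into the set of member types, and prints the checkpolicy-style constrain statement, so that attribute_1 comes out as { ax_t bx_t cx_t } as in his expected output. It goes slightly beyond the thread's case: attributes that contain other attributes are resolved transitively, an unknown name in a constraint raises instead of being passed through, and nested and/or expressions are parenthesized assuming the conventional precedence in which and binds tighter than or. Everything here (SAMPLE_CIL, compile_constraints, the handled statement forms) is this example's own, and typeattributeset is modelled only for plain type or attribute names, not CIL set expressions.

```python
"""Model of the type-attribute expansion CIL must perform inside constraints.

Added illustration, not secilc code: it shows what the generated constrain
statement should contain once attribute_1 is expanded to its member types.
"""
import re

# Constructed sample: the CIL segment posted in the thread.
SAMPLE_CIL = """
; Start
(class file (execute_no_trans entrypoint execmod open audit_access))
(common file (ioctl read write create getattr setattr lock relabelfrom
relabelto append unlink link rename execute swapon quotaon mounton))
(classcommon file file)
(type ax_t)
(type bx_t)
(type cx_t)
(typeattribute attribute_1)
(typeattributeset attribute_1 ax_t)
(typeattributeset attribute_1 bx_t)
(typeattributeset attribute_1 cx_t)
(constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1
ax_t)) (neq r1 r2)))
; End
"""

TYPE_KEYS = {"t1", "t2", "t3"}      # constraint operands that name types
LEAF_OPS = {"eq": "==", "neq": "!=", "dom": "dom", "domby": "domby", "incomp": "incomp"}
PREC = {"or": 1, "and": 2, "not": 3}  # higher binds tighter (assumed: and above or)
SET_OPS = {"and", "or", "xor", "not"}  # CIL set expressions, not modelled here


def parse_sexprs(text):
    """Parse CIL s-expressions into nested lists of strings; ';' comments are dropped."""
    tokens = re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def collect_symbols(forms):
    """Return (declared types, attribute -> directly listed member names)."""
    types, attrs = set(), {}
    for form in forms:
        if form[0] == "type":
            types.add(form[1])
        elif form[0] == "typeattribute":
            attrs.setdefault(form[1], set())
        elif form[0] == "typeattributeset":
            names = form[2] if isinstance(form[2], list) else [form[2]]
            if names and names[0] in SET_OPS:
                raise NotImplementedError("set expressions in typeattributeset are not modelled")
            attrs.setdefault(form[1], set()).update(names)
    return types, attrs


def members(name, types, attrs, seen=frozenset()):
    """Resolve a type or attribute name to the concrete types it denotes (transitively)."""
    if name in types:
        return {name}
    if name not in attrs:
        raise ValueError("unknown type or attribute in constraint: %s" % name)
    if name in seen:
        raise ValueError("cyclic attribute definition: %s" % name)
    out = set()
    for member in attrs[name]:
        out |= members(member, types, attrs, seen | {name})
    return out


def expand(expr, types, attrs):
    """Replace attribute operands of t1/t2/t3 comparisons with sorted member type lists."""
    op = expr[0]
    if op in LEAF_OPS:
        key, operand = expr[1], expr[2]
        if key in TYPE_KEYS and operand not in TYPE_KEYS:
            resolved = sorted(members(operand, types, attrs))  # raises on an unknown name
            if operand in attrs:
                return [op, key, resolved]
        return list(expr)
    return [op] + [expand(sub, types, attrs) for sub in expr[1:]]


def render(expr, parent_prec=0):
    """Emit checkpolicy-style text, parenthesizing only where precedence requires it."""
    op = expr[0]
    if op in LEAF_OPS:
        rhs = expr[2]
        if isinstance(rhs, list):
            rhs = "{ " + " ".join(rhs) + " }"
        return "( %s %s %s )" % (expr[1], LEAF_OPS[op], rhs)
    if op == "not":
        return "not " + render(expr[1], PREC["not"])
    inner = (" %s " % op).join(render(sub, PREC[op]) for sub in expr[1:])
    return "(" + inner + ")" if PREC[op] < parent_prec else inner


def compile_constraints(cil_text):
    """Return the constrain statements of a CIL segment with attributes expanded."""
    forms = parse_sexprs(cil_text)
    types, attrs = collect_symbols(forms)
    out = []
    for form in forms:
        if form[0] != "constrain":
            continue
        (cls, perms), expr = form[1], form[2]
        body = render(expand(expr, types, attrs))
        out.append("constrain { %s } { %s } (%s);" % (cls, " ".join(perms), body))
    return out


if __name__ == "__main__":
    print("\n".join(compile_constraints(SAMPLE_CIL)))
```

Running the script prints the expanded statement from the thread. The deliberate design choice is in expand(): a type operand that is neither a declared type nor an attribute raises ValueError rather than being emitted verbatim, because a constraint that compiles with a misspelled or unexpanded name is a policy that silently does not enforce what its author wrote.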