[secilc] typeattributeset with "and" expression does not work

[secilc] typeattributeset with "and" expression does not work

[Dominick Grift]

(type foo)
(typeattribute bar)
(typeattribute baz)
(typeattributeset bar (and baz foo))

It compiles but neither bar, nor baz gets associated with type foo

Also, i still have that weird boolean issue where, even though sesearch
shows the rules are loaded and enabled, SELinux still blocks the access

Re: [secilc] typeattributeset with "and" expression does not work

[Steve Lawrence]

On 04/22/2014 01:56 PM, Dominick Grift wrote:
> (type foo)
> (typeattribute bar)
> (typeattribute baz)
> (typeattributeset bar (and baz foo))
> 
> It compiles but neither bar, nor baz gets associated with type foo
> 

This is because 'and' is similar to the set intersection of baz and foo.
But baz is empty, so the intersection of baz and foo is nothing,
resulting in nothing being added to the bar attribute.

You probably want the union of baz and foo? Replacing 'and' with 'or'
would make it so bar would be associated with foo and everything
associated with baz.

> Also, i still have that weird boolean issue where, even though sesearch
> shows the rules are loaded and enabled, SELinux still blocks the access

I think we actually fixed this about an hour ago. Give it a shot, let us
know if it's actually fixed.

Thanks for the feedback!
- Steve

Re: [secilc] typeattributeset with "and" expression does not work

[Dominick Grift]

On Tue, 2014-04-22 at 15:03 -0400, Steve Lawrence wrote:
> On 04/22/2014 01:56 PM, Dominick Grift wrote:
> > (type foo)
> > (typeattribute bar)
> > (typeattribute baz)
> > (typeattributeset bar (and baz foo))
> > 
> > It compiles but neither bar, nor baz gets associated with type foo
> > 
> 
> This is because 'and' is similar to the set intersection of baz and foo.
> But baz is empty, so the intersection of baz and foo is nothing,
> resulting in nothing being added to the bar attribute.
> 
> You probably want the union of baz and foo? Replacing 'and' with 'or'
> would make it so bar would be associated with foo and everything
> associated with baz.

Impressive, what i am looking for is actually very simple.

I just want to know how i can associate more than a single type
attribute to a specified type in a single statement, that is possible.

(type foo)
(typeattribute bar)
(typeattribute baz)

The equivalent of:

(typeattributeset bar foo)
(typeattributeset baz foo)

In a single statement instead of two

> > Also, i still have that weird boolean issue where, even though sesearch
> > shows the rules are loaded and enabled, SELinux still blocks the access
> 
> I think we actually fixed this about an hour ago. Give it a shot, let us
> know if it's actually fixed.

Nice, i will try with up-to-date secilc tomorrow

> Thanks for the feedback!
> - Steve
> 
> 

Re: [secilc] typeattributeset with "and" expression does not work

[Steve Lawrence]

On 04/22/2014 03:33 PM, Dominick Grift wrote:
> On Tue, 2014-04-22 at 15:03 -0400, Steve Lawrence wrote:
>> On 04/22/2014 01:56 PM, Dominick Grift wrote:
>>> (type foo)
>>> (typeattribute bar)
>>> (typeattribute baz)
>>> (typeattributeset bar (and baz foo))
>>>
>>> It compiles but neither bar, nor baz gets associated with type foo
>>>
>>
>> This is because 'and' is similar to the set intersection of baz and foo.
>> But baz is empty, so the intersection of baz and foo is nothing,
>> resulting in nothing being added to the bar attribute.
>>
>> You probably want the union of baz and foo? Replacing 'and' with 'or'
>> would make it so bar would be associated with foo and everything
>> associated with baz.
> 
> Impressive, what i am looking for is actually very simple.
> 
> I just want to know how i can associate more than a single type
> attribute to a specified type in a single statement, that is possible.
> 
> (type foo)
> (typeattribute bar)
> (typeattribute baz)
> 
> The equivalent of:
> 
> (typeattributeset bar foo)
> (typeattributeset baz foo)
> 
> In a single statement instead of two
> 

Unfortunately, there is no way to associate a single type/attribute with
multiple attributes in a single statement. CIL is a pretty verbose language.

>>> Also, i still have that weird boolean issue where, even though sesearch
>>> shows the rules are loaded and enabled, SELinux still blocks the access
>>
>> I think we actually fixed this about an hour ago. Give it a shot, let us
>> know if it's actually fixed.
> 
> Nice, i will try with up-to-date secilc tomorrow
> 
>> Thanks for the feedback!
>> - Steve
>>
>>
> 
> 

Re: [secilc] typeattributeset with "and" expression does not work

[Dominick Grift]

On Tue, 2014-04-22 at 15:44 -0400, Steve Lawrence wrote:

> >>> Also, i still have that weird boolean issue where, even though sesearch
> >>> shows the rules are loaded and enabled, SELinux still blocks the access
> >>
> >> I think we actually fixed this about an hour ago. Give it a shot, let us
> >> know if it's actually fixed.
> > 
> > Nice, i will try with up-to-date secilc tomorrow

Current head does not fix the boolean issue, i just verified and the
issue is still there
 
> >> Thanks for the feedback!
> >> - Steve
> >>
> >>
> > 
> > 
> 

Re: [secilc] typeattributeset with "and" expression does not work

[Dominick Grift]

On Tue, 2014-04-22 at 22:39 +0200, Dominick Grift wrote:
> On Tue, 2014-04-22 at 15:44 -0400, Steve Lawrence wrote:
> 
> > >>> Also, i still have that weird boolean issue where, even though sesearch
> > >>> shows the rules are loaded and enabled, SELinux still blocks the access
> > >>
> > >> I think we actually fixed this about an hour ago. Give it a shot, let us
> > >> know if it's actually fixed.
> > > 
> > > Nice, i will try with up-to-date secilc tomorrow
> 
> Current head does not fix the boolean issue, i just verified and the
> issue is still there

Actually it partly works (but it did before as well)

Its the conditional capability permissions that do not work

i have for example a set of consitional rules:

(allow ARG1 security_t (security load_policy))
(allow ARG1 security_t (file (write)))

The file write works but the security load_policy does not work

Re: [secilc] typeattributeset with "and" expression does not work

[Dominick Grift]

On Tue, 2014-04-22 at 22:44 +0200, Dominick Grift wrote:
> On Tue, 2014-04-22 at 22:39 +0200, Dominick Grift wrote:
> > On Tue, 2014-04-22 at 15:44 -0400, Steve Lawrence wrote:
> > 
> > > >>> Also, i still have that weird boolean issue where, even though sesearch
> > > >>> shows the rules are loaded and enabled, SELinux still blocks the access
> > > >>
> > > >> I think we actually fixed this about an hour ago. Give it a shot, let us
> > > >> know if it's actually fixed.
> > > > 
> > > > Nice, i will try with up-to-date secilc tomorrow
> > 
> > Current head does not fix the boolean issue, i just verified and the
> > issue is still there
> 
> Actually it partly works (but it did before as well)
> 
> Its the conditional capability permissions that do not work
> 
> i have for example a set of consitional rules:
> 
> (allow ARG1 security_t (security load_policy))
> (allow ARG1 security_t (file (write)))
> 
> The file write works but the security load_policy does not work
> 

The latest commit seems to have fixed the conditional issue at long
last, thaanks!!