* secilc: classmappings do not work
@ 2014-05-16 12:14 Dominick Grift
2014-05-16 14:20 ` James Carter
0 siblings, 1 reply; 9+ messages in thread
From: Dominick Grift @ 2014-05-16 12:14 UTC (permalink / raw)
To: selinux
I wanted to try out some of the less common features of cil after
studying the cil reference guide but it's been a bumpy ride.

Anyhow, classmappings do not work.

I have for example this one:

(classmap dirs (list))

(classmapping dirs list
    read_lnk_file_perms
    list_dir_perms
)

The read_lnk_file_perms and list_dir_perms are classpermissionsets
(which work nicely).

Only the first entry works (in this example read_lnk_file_perms).
The other entries (like in this example list_dir_perms) do not make it
to the resulting policy.

I have also tried this with straight rules instead of
classpermissionsets (same result).
^ permalink raw reply [flat|nested] 9+ messages in thread

* Re: secilc: classmappings do not work
2014-05-16 12:14 secilc: classmappings do not work Dominick Grift
@ 2014-05-16 14:20 ` James Carter
2014-05-16 14:38 ` James Carter
2014-05-16 15:05 ` Dominick Grift
0 siblings, 2 replies; 9+ messages in thread
From: James Carter @ 2014-05-16 14:20 UTC (permalink / raw)
To: Dominick Grift, selinux
On 05/16/2014 08:14 AM, Dominick Grift wrote:
> I wanted to try out some of the less common features of cil after
> studying the cil reference guide but it's been a bumpy ride.
>
> Anyhow, classmappings do not work.
>
> I have for example this one:
>
> (classmap dirs (list))
>
> (classmapping dirs list
>     read_lnk_file_perms
>     list_dir_perms
> )
>
> The read_lnk_file_perms and list_dir_perms are classpermissionsets
> (which work nicely).
>
> Only the first entry works (in this example read_lnk_file_perms).
> The other entries (like in this example list_dir_perms) do not make it
> to the resulting policy.
>
> I have also tried this with straight rules instead of
> classpermissionsets (same result).
>
It will work if it is written as:

(classmapping dirs list
    ((read_lnk_file_perms)
     (list_dir_perms))
)

There is a bit of awkwardness to lists of class-permissions. All of the
following are acceptable:

1. SETNAME
2. (CLASS (PERM1 PERM2 ...))
3. ((CLASS (PERM1 PERM2 ...)) (SETNAME) ...)

We allow case 2 because it is the common case for allow rules, but because of
case 2, if you have more than a single class-permission, everything must be
enclosed in parentheses.

We are planning to change the syntax, but I haven't gotten around to doing it
yet.

The new syntax would only allow cases 1 and 2. If you want to assign more than
one class-permission to a classmap, classpermissionset, or rule you would just
use multiple rules.

So your classmapping would be:

(classmapping dirs list
    read_lnk_file_perms
)

(classmapping dirs list
    list_dir_perms
)

Would this new syntax make more sense to you?

Currently, if you tried this, the first classmapping would be dropped.

Of course, secilc is not helping in your case because it is not giving any
indication of an error and is just silently dropping the second
classpermissionset.

Also note that currently classmaps cannot be used in nametypetransition,
rangetransition, type_rule, roletransition, validatetrans, default_user,
default_role, default_type, or default_range rules.

Jim

--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
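The three accepted forms Jim lists, and the silent drop he describes, are easy to check for mechanically. The following is an added example (not code from the thread, from secilc, or from the CIL reference guide): a small s-expression parser plus a linter that flags a classpermissionset or classmapping carrying more than one bare class-permission (the pre-fix secilc kept only the first) or the nested-list form 3 (which the new syntax no longer accepts), and a migrate() that rewrites such statements into the one-class-permission-per-statement form. The statement names and the three forms come from Jim's message; the parser, the helper names and the lnk_file/dir permissions in the constructed sample are assumptions of this example.

```python
"""Lint and migrate CIL class-permission lists. Added example, not code from the
thread or from secilc; statement names and the three accepted forms follow Jim's
description above, everything else (parser, sample permissions) is assumed."""
import re
TOKEN_RE = re.compile(r'\(|\)|;[^\n]*|"[^"]*"|[^\s()";]+')

def parse_cil(text):
    """Parse CIL text into nested lists of strings; ';' comments are dropped."""
    stack = [[]]
    for tok in TOKEN_RE.findall(text):
        if tok.startswith(';'):
            continue
        if tok == '(':
            stack.append([])
        elif tok == ')':
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def to_cil(node):
    return node if isinstance(node, str) else '(' + ' '.join(map(to_cil, node)) + ')'

def is_classperm(node):
    """Case 1 (SETNAME) or case 2 ((CLASS (PERM ...))) from Jim's list."""
    return isinstance(node, str) or (len(node) == 2 and isinstance(node[0], str) and isinstance(node[1], list))

def is_classperm_list(node):
    """Case 3: a list whose members are each (CLASS (PERM ...)) or (SETNAME)."""
    return isinstance(node, list) and bool(node) and all(isinstance(m, list) for m in node)

def head_and_args(stmt):
    if stmt and stmt[0] == 'classpermissionset' and len(stmt) >= 2:
        return stmt[:2], stmt[2:]
    if stmt and stmt[0] == 'classmapping' and len(stmt) >= 3:
        return stmt[:3], stmt[3:]
    return None, None

def check_statement(stmt):
    """Findings for one top-level statement; an empty list means it is fine."""
    head, args = head_and_args(stmt)
    if head is None:
        return []
    name, findings = ' '.join(head), []
    if len(args) > 1:  # pre-fix secilc read only the first argument
        findings.append(f"{name}: {len(args)} class-permissions given; the pre-fix secilc "
                        f"kept only {to_cil(args[0])} and silently dropped the rest")
    for arg in args:
        if is_classperm_list(arg):
            findings.append(f"{name}: nested list of {len(arg)} class-permissions is illegal "
                            f"in the new syntax; split it into {len(arg)} statements")
        elif not is_classperm(arg):
            findings.append(f"{name}: malformed class-permission {to_cil(arg)}")
    return findings

def check_policy(text):
    return [f for stmt in parse_cil(text) for f in check_statement(stmt)]

def split_statement(stmt):
    """New-syntax form of one statement: one class-permission per statement."""
    head, args = head_and_args(stmt)
    if head is None:
        return [stmt]
    out = []
    for arg in args:
        for member in (arg if is_classperm_list(arg) else [arg]):
            if isinstance(member, list) and len(member) == 1 and isinstance(member[0], str):
                member = member[0]  # (SETNAME) inside a case-3 list is just SETNAME
            out.append(head + [member])
    return out

def migrate(text):
    """Rewrite a pre-fix policy into the new syntax, declaring each set with
    (classpermission NAME) before its first classpermissionset."""
    out, declared = [], set()
    for stmt in parse_cil(text):
        if stmt and stmt[0] == 'classpermissionset' and len(stmt) >= 2 and stmt[1] not in declared:
            out.append(['classpermission', stmt[1]])
        if stmt and stmt[0] in ('classpermission', 'classpermissionset') and len(stmt) >= 2:
            declared.add(stmt[1])
        out.extend(split_statement(stmt))
    return '\n'.join(map(to_cil, out)) + '\n'

# Constructed sample in the pre-fix syntax (the lnk_file/dir permissions are assumed).
SAMPLE_OLD = """
(classpermissionset read_lnk_file_perms (lnk_file (read getattr)))
(classpermissionset list_dir_perms (dir (read getattr open search)))
(classmap dirs (list list_fixed))
; Dominick's original: only read_lnk_file_perms survives in the pre-fix secilc
(classmapping dirs list read_lnk_file_perms list_dir_perms)
; Jim's workaround: accepted by the pre-fix secilc, illegal in the new syntax
(classmapping dirs list_fixed ((read_lnk_file_perms) (list_dir_perms)))
"""
```

Running check_policy(SAMPLE_OLD) reports both classmapping statements, and migrate(SAMPLE_OLD) emits one classmapping per class-permission with a (classpermission NAME) declaration ahead of each classpermissionset; the migrated text produces no findings. Because the old compiler gave no error, a check like this is the only way to notice that half of a mapping never reached the binary policy.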
* Re: secilc: classmappings do not work
2014-05-16 14:20 ` James Carter
@ 2014-05-16 14:38 ` James Carter
2014-05-20 15:57 ` Richard Haines
2014-05-16 15:05 ` Dominick Grift
1 sibling, 1 reply; 9+ messages in thread
From: James Carter @ 2014-05-16 14:38 UTC (permalink / raw)
To: Dominick Grift, selinux
On 05/16/2014 10:20 AM, James Carter wrote:
>
> Also note that currently classmaps cannot be used in nametypetransition,
> rangetransition, type_rule, roletransition, validatetrans, default_user,
> default_role, default_type, or default_range rules.
>
I forgot to mention that I am currently working on this and should release a
fix soon.

--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: secilc: classmappings do not work
2014-05-16 14:38 ` James Carter
@ 2014-05-20 15:57 ` Richard Haines
2014-05-21 18:36 ` James Carter
0 siblings, 1 reply; 9+ messages in thread
From: Richard Haines @ 2014-05-20 15:57 UTC (permalink / raw)
To: James Carter; +Cc: selinux
Just been testing the latest fix for expanding classmapping and found that if
the classes are unique, then it works okay. If there are repeated classes then
I get this error in the example below when the binary is being generated:
"Type default labeling for class binder already specified"

(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

(classpermissionset cps_zygote_1 (zygote (not (specifyids))))

; This works fine in the defaultuser statement:
(classmap single_set_classes (single_set))
(classmapping single_set_classes single_set (
    (binder (all))
    (property_service (set))
    (zygote (not (specifycapabilities)))
))

; However with multiple classmapping secilc fails due to repeat classes:
(classmap multiple_set_classes (set_1 set_2 set_3))
(classmapping multiple_set_classes set_1 (
    (binder (all))
    (property_service (set))
    (zygote (not (specifycapabilities)))
))
(classmapping multiple_set_classes set_2 (
    (binder (impersonate call set_context_mgr transfer))
    (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith))
))
(classmapping multiple_set_classes set_3 (
    (cps_zygote_1)
    (binder (impersonate call set_context_mgr))
))

(defaultuser (single_set_classes) source)

; The defaulttype statement gives the following error:
;;; Type default labeling for class binder already specified
(defaulttype (multiple_set_classes) target)

----- Original Message -----
> From: James Carter <jwcart2@tycho.nsa.gov>
> To: Dominick Grift <dominick.grift@gmail.com>; selinux <selinux@tycho.nsa.gov>
> Cc:
> Sent: Friday, 16 May 2014, 15:38
> Subject: Re: secilc: classmappings do not work
>
> On 05/16/2014 10:20 AM, James Carter wrote:
>
>> Also note that currently classmaps cannot be used in nametypetransition,
>> rangetransition, type_rule, roletransition, validatetrans, default_user,
>> default_role, default_type, or default_range rules.
>>
>
> I forgot to mention that I am currently working on this and should release a
> fix soon.
>
> --
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
* Re: secilc: classmappings do not work
2014-05-20 15:57 ` Richard Haines
@ 2014-05-21 18:36 ` James Carter
2014-05-21 19:01 ` Steve Lawrence
0 siblings, 1 reply; 9+ messages in thread
From: James Carter @ 2014-05-21 18:36 UTC (permalink / raw)
To: Richard Haines; +Cc: selinux
On 05/20/2014 11:57 AM, Richard Haines wrote:
> Just been testing the latest fix for expanding classmapping and found that if
> the classes are unique, then it works okay. If there are repeated classes then
> I get this error in the example below when the binary is being generated:
> "Type default labeling for class binder already specified"
>
OK. This has been fixed and pushed to bitbucket.

I have also pushed the new syntax for classpermissionsets and classmappings.

Class-permission sets are now declared with a classpermission statement and
the set is defined with one or more classpermissionset statements.

Example:
(classpermission foo)
(classpermissionset foo (file (not execute)))
(classpermissionset foo (char (read write)))

One or more classmapping statements are now used to define a class map
instead of a list of class and permissions.

Example:
(classmap bar baz)
(classmapping bar baz (file (not execute)))
(classmapping bar baz (char (read write)))

Neither a classpermissionset nor a classmapping is now allowed to have a
list of class and permissions.

Now illegal syntax:

(classpermissionset foo ((file (not execute)) (char (read write))))

If anyone has suggestions on the syntax and statement names of CIL, now would
be a good time to bring them up while we still have the flexibility to change
things.

Jim

--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
* Re: secilc: classmappings do not work
2014-05-21 18:36 ` James Carter
@ 2014-05-21 19:01 ` Steve Lawrence
2014-05-21 19:14 ` James Carter
0 siblings, 1 reply; 9+ messages in thread
From: Steve Lawrence @ 2014-05-21 19:01 UTC (permalink / raw)
To: James Carter, Richard Haines; +Cc: selinux
On 05/21/2014 02:36 PM, James Carter wrote:
> OK. This has been fixed and pushed to bitbucket.
>
> I have also pushed the new syntax for classpermissionsets and
> classmappings.
>
> Class-permission sets are now declared with a classpermission statement
> and the set is defined with one or more classpermissionset statements.
>
> Example:
> (classpermission foo)
> (classpermissionset foo (file (not execute)))
> (classpermissionset foo (char (read write)))
>
> One or more classmapping statements are now used to define a class map
> instead of a list of class and permissions.
>
> Example:
> (classmap bar baz)

One minor correction. I think the syntax for classmap is:

(classmap bar (baz))

which allows you to define multiple classmap permissions, e.g.

(classmap bar (baz qaz raz))

> (classmapping bar baz (file (not execute)))
> (classmapping bar baz (char (read write)))
>
> Neither a classpermissionset nor a classmapping is now allowed to have
> a list of class and permissions.
>
> Now illegal syntax:
>
> (classpermissionset foo ((file (not execute)) (char (read write))))
>
> If anyone has suggestions on the syntax and statement names of CIL, now
> would be a good time to bring them up while we still have the
> flexibility to change things.
>
> Jim
* Re: secilc: classmappings do not work
2014-05-21 19:01 ` Steve Lawrence
@ 2014-05-21 19:14 ` James Carter
0 siblings, 0 replies; 9+ messages in thread
From: James Carter @ 2014-05-21 19:14 UTC (permalink / raw)
To: Steve Lawrence, Richard Haines; +Cc: selinux
On 05/21/2014 03:01 PM, Steve Lawrence wrote:
> On 05/21/2014 02:36 PM, James Carter wrote:
>> One or more classmapping statements are now used to define a class map
>> instead of a list of class and permissions.
>>
>> Example:
>> (classmap bar baz)
>
> One minor correction. I think the syntax for classmap is:
>
> (classmap bar (baz))
>
> which allows you to define multiple classmap permissions, e.g.
>
> (classmap bar (baz qaz raz))
>
>> (classmapping bar baz (file (not execute)))
>> (classmapping bar baz (char (read write)))
>>
Yes, you're right.

--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
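Putting the new syntax together: below is Richard's multiple_set_classes example from earlier in the thread rewritten in the form Jim describes, with Steve's correction to classmap applied. This is an added example, not a fragment from the thread or from the secilc sources. The class and permission names and the defaulttype statement are taken from Richard's message; the rest is the new syntax as described on this thread in May 2014, so check it against the CIL reference guide for the secilc version you actually run, since the thread itself says the syntax was still changing.

```cil
; Added example: Richard Haines' multiple_set_classes test in the new syntax.
; One class-permission per classpermissionset/classmapping statement, a
; classpermission declaration before the first classpermissionset of a name,
; and classmap taking a parenthesised list of permission names.
(class binder (impersonate call set_context_mgr transfer receive))
(class property_service (set))
(class zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith specifyseinfo))

; declare the set, then define it (one statement per class)
(classpermission cps_zygote_1)
(classpermissionset cps_zygote_1 (zygote (not (specifyids))))

(classmap multiple_set_classes (set_1 set_2 set_3))

; set_1: three classes, so three classmapping statements instead of one nested list
(classmapping multiple_set_classes set_1 (binder (all)))
(classmapping multiple_set_classes set_1 (property_service (set)))
(classmapping multiple_set_classes set_1 (zygote (not (specifycapabilities))))

(classmapping multiple_set_classes set_2 (binder (impersonate call set_context_mgr transfer)))
(classmapping multiple_set_classes set_2 (zygote (specifyids specifyrlimits specifycapabilities specifyinvokewith)))

; a named set is referenced bare (case 1), not as (cps_zygote_1) inside a list
(classmapping multiple_set_classes set_3 cps_zygote_1)
(classmapping multiple_set_classes set_3 (binder (impersonate call set_context_mgr)))

; the statement that failed before Jim's fix with
; "Type default labeling for class binder already specified"
(defaulttype (multiple_set_classes) target)
```

This is a fragment, not a complete policy: it still needs the sids, users, roles, types and the rest of a base policy around it before secilc will produce a binary. The point to carry over is that under the new syntax repeating the classmap name and permission across several statements is the normal way to build a mapping, whereas with the pre-fix compiler one of those statements would have been dropped without any diagnostic.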
* Re: secilc: classmappings do not work
2014-05-16 14:20 ` James Carter
2014-05-16 14:38 ` James Carter
@ 2014-05-16 15:05 ` Dominick Grift
2014-05-20 16:22 ` Richard Haines
1 sibling, 1 reply; 9+ messages in thread
From: Dominick Grift @ 2014-05-16 15:05 UTC (permalink / raw)
To: James Carter; +Cc: selinux
On Fri, 2014-05-16 at 10:20 -0400, James Carter wrote:
> It will work if it is written as:
>
> (classmapping dirs list
>     ((read_lnk_file_perms)
>      (list_dir_perms))
> )
>
> There is a bit of awkwardness to lists of class-permissions. All of the
> following are acceptable:
>
> 1. SETNAME
> 2. (CLASS (PERM1 PERM2 ...))
> 3. ((CLASS (PERM1 PERM2 ...)) (SETNAME) ...)
>
> We allow case 2 because it is the common case for allow rules, but because of
> case 2, if you have more than a single class-permission, everything must be
> enclosed in parentheses.
>
> We are planning to change the syntax, but I haven't gotten around to doing it
> yet.
>
> The new syntax would only allow cases 1 and 2. If you want to assign more than
> one class-permission to a classmap, classpermissionset, or rule you would just
> use multiple rules.
>
> So your classmapping would be:
>
> (classmapping dirs list
>     read_lnk_file_perms
> )
>
> (classmapping dirs list
>     list_dir_perms
> )
>
> Would this new syntax make more sense to you?

Yes, I suppose it would, as I actually wanted to try that (eventually I did
not bother to try it though, since I just trusted the cil reference guide,
which made no mention of it).

For now I will try the temporary solution with the extra parens, and make a
note to adjust as soon as a more permanent solution becomes available.
* Re: secilc: classmappings do not work
2014-05-16 15:05 ` Dominick Grift
@ 2014-05-20 16:22 ` Richard Haines
0 siblings, 0 replies; 9+ messages in thread
From: Richard Haines @ 2014-05-20 16:22 UTC (permalink / raw)
To: Dominick Grift, selinux, James Carter
>>
>> Would this new syntax make more sense to you?
>
> Yes, I suppose it would, as I actually wanted to try that (eventually I did
> not bother to try it though, since I just trusted the cil reference guide,
> which made no mention of it).

Please be aware that the CIL Reference Guide is a first draft and there are
some errors in it. These are the known ones:

1) The 2nd defaultuser title should be 'defaulttype'.
2) Optionals do support the filename typetransition statement.
3) Need to rewrite the classmap/classmapping sections and state that the
   format will be changing.
4) Anonymous classpermissionsets now allow expressions.
5) classmap can now be used in defaultuser etc. statements as mentioned in a
   previous email (although I have just reported a small problem).

If anyone finds errors or the examples need expanding then please let me know,
as I plan to keep it updated as the compiler progresses.

Richard
Thread overview: 9+ messages
2014-05-16 12:14 secilc: classmappings do not work Dominick Grift
2014-05-16 14:20 ` James Carter
2014-05-16 14:38 ` James Carter
2014-05-20 15:57 ` Richard Haines
2014-05-21 18:36 ` James Carter
2014-05-21 19:01 ` Steve Lawrence
2014-05-21 19:14 ` James Carter
2014-05-16 15:05 ` Dominick Grift
2014-05-20 16:22 ` Richard Haines