Message-ID: <53DFFEB8.1040403@redhat.com>
Date: Mon, 04 Aug 2014 17:44:24 -0400
From: Daniel J Walsh
MIME-Version: 1.0
To: Stephen Smalley, Sven Vermeulen, selinux@tycho.nsa.gov
Subject: Re: Debugging sepolgen-ifgen?
References: <20140802191904.GA7856@siphos.be> <53DFBDDC.4090508@tycho.nsa.gov>
In-Reply-To: <53DFBDDC.4090508@tycho.nsa.gov>
Content-Type: text/plain; charset=windows-1252
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On 08/04/2014 01:07 PM, Stephen Smalley wrote:
> On 08/02/2014 03:19 PM, Sven Vermeulen wrote:
>> Hi all
>>
>> I've noticed that on my system, for some interfaces, the results in
>> /var/lib/sepolgen/interface_info are missing file-specific feedback.
>>
>> For instance, consider the kernel_rw_kernel_sysctl() interface, which is
>> coded as follows:
>>
>> interface(`kernel_rw_kernel_sysctl',`
>>     gen_require(`
>>         type proc_t, sysctl_t, sysctl_kernel_t;
>>     ')
>>
>>     rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t)
>>
>>     list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
>> ')
>>
>> In the interface_info file, I only find the following metadata about this
>> interface:
>>
>> [InterfaceVector kernel_rw_kernel_sysctl $1:source ]
>> $1,sysctl_t,dir,getattr,open,search
>> $1,sysctl_kernel_t,dir,getattr,open,search
>> $1,proc_t,dir,getattr,open,search
>>
>> Shouldn't this at least contain something like this?
>>
>> $1,sysctl_kernel_t,file,write,getattr,lock,open,ioctl,append
>>
>> Although not critical, it does result in audit2allow -R to not use
>> refpolicy-style interfaces when possible...
>>
>> How can I debug this? I know the file is generated by sepolgen-ifgen, but
>> rerunning doesn't add in any file-related metadata and I'm totally oblivious
>> on how the parsing is done...
> Not sure about that beyond the -d -v options.
>
> However, this appears to be a regression; despite encountering some syntax
> errors during parsing, sepolgen-ifgen from 21030423 generates a more
> accurate vector:
>
> [InterfaceVector kernel_rw_kernel_sysctl $1:source ]
> $1,sysctl_t,dir,getattr,open,search
> $1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append
> $1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open
> $1,proc_t,dir,getattr,open,search
>
> while sepolgen-ifgen from 20131030_4 generates the reduced set you have above.
>
> Seems to have been broken by:
>
> commit 17cc87e56b0241688c119f774f103622b002e0ae
> Author: Dan Walsh
> Date:   Wed Oct 9 17:01:35 2013 -0400
>
>     sepolgen did not work with filename transitions.
>
>     This patch adds support for it.
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
I don't see anything obviously wrong with that patch?
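One way to catch a regression like the one Stephen found by comparing the two vectors mechanically instead of by eye, as an added example that is not part of this thread or of sepolgen itself: a small Python script that parses `[InterfaceVector ...]` blocks in the interface_info format and reports which (type, class, permission) entries a newer output lost relative to an older one. The two vectors embedded below are taken from the thread; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed from the two outputs quoted in the thread: the fuller vector from
# the older sepolgen-ifgen (OLD) and the reduced one after the regression (NEW).
OLD_VECTOR = """\
[InterfaceVector kernel_rw_kernel_sysctl $1:source ]
$1,sysctl_t,dir,getattr,open,search
$1,sysctl_kernel_t,file,write,getattr,read,lock,open,ioctl,append
$1,sysctl_kernel_t,dir,search,read,lock,ioctl,getattr,open
$1,proc_t,dir,getattr,open,search
"""
NEW_VECTOR = """\
[InterfaceVector kernel_rw_kernel_sysctl $1:source ]
$1,sysctl_t,dir,getattr,open,search
$1,sysctl_kernel_t,dir,getattr,open,search
$1,proc_t,dir,getattr,open,search
"""

HEADER = re.compile(r"^\[InterfaceVector (\S+) ")


def parse_interface_info(text):
    """Map interface name -> {(param, type, class): set(perms)} from interface_info text."""
    vectors = defaultdict(lambda: defaultdict(set))
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:                      # "[InterfaceVector name $1:source ]" opens a block
            current = m.group(1)
            continue
        fields = line.split(",")   # "$1,type,class,perm,perm,..."
        if current is None or len(fields) < 4:
            continue
        param, ttype, tclass, *perms = fields
        vectors[current][(param, ttype, tclass)].update(perms)
    return vectors


def missing_access(reference, candidate, interface):
    """Return {(param, type, class): perms} that reference grants but candidate lacks."""
    cand = candidate.get(interface, {})
    gaps = {}
    for key, perms in reference.get(interface, {}).items():
        lost = perms - cand.get(key, set())
        if lost:
            gaps[key] = lost
    return gaps
```

Running `missing_access(parse_interface_info(OLD_VECTOR), parse_interface_info(NEW_VECTOR), "kernel_rw_kernel_sysctl")` shows the whole `sysctl_kernel_t:file` entry gone and `read`, `lock`, `ioctl` dropped from `sysctl_kernel_t:dir`, which is exactly what makes audit2allow -R stop matching the interface.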