* SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query
@ 2014-09-04 13:14 Richard Haines
2014-09-04 13:44 ` Steve Lawrence
0 siblings, 1 reply; 3+ messages in thread
From: Richard Haines @ 2014-09-04 13:14 UTC (permalink / raw)
To: selinux list
I've been attempting to convert a monolithic policy (really a modular base policy with
no modules) to CIL, however it fails with:
Failed to resolve roletype statement at XX of /var/lib/selinux/modular-test/tmp/modules/400/base/cil
when running: semodule -s modular-test -i base.pp
The cause of this appears to be the following in policycoreutils/hll/pp/pp.c where the role
statement is ignored for the base policy:
case ROLE_ROLE:
if (scope == SCOPE_DECL) {
if (pdb->policy_type == SEPOL_POLICY_MOD) {
// roles are defined twice, once in a module and once in base.
// CIL doesn't allow duplicate declarations, so only take the
// roles defined in the modules
cil_println(indent, "(role %s)", key);
Question: Should these type of policies be supported, if so should the CIL compiler
cope with duplicate role statements or the conversion service modified to remove duplicates.
Also there is a bug in that the CIL module is deleted from the tmp directory so you cannot
view the failed conversion.
I built the CIL module using pp directly (cat base.pp | ./pp > base.cil), then added the
(role ...) statement, this compiled okay using secilc.
Richard
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query 2014-09-04 13:14 SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query Richard Haines @ 2014-09-04 13:44 ` Steve Lawrence 2014-09-04 14:32 ` James Carter 0 siblings, 1 reply; 3+ messages in thread From: Steve Lawrence @ 2014-09-04 13:44 UTC (permalink / raw) To: Richard Haines, selinux list On 09/04/2014 09:14 AM, Richard Haines wrote: > I've been attempting to convert a monolithic policy (really a modular base policy with > no modules) to CIL, however it fails with: > > Failed to resolve roletype statement at XX of /var/lib/selinux/modular-test/tmp/modules/400/base/cil > > when running: semodule -s modular-test -i base.pp > > > The cause of this appears to be the following in policycoreutils/hll/pp/pp.c where the role > statement is ignored for the base policy: > > > case ROLE_ROLE: > if (scope == SCOPE_DECL) { > if (pdb->policy_type == SEPOL_POLICY_MOD) { > // roles are defined twice, once in a module and once in base. > // CIL doesn't allow duplicate declarations, so only take the > // roles defined in the modules > cil_println(indent, "(role %s)", key); > > Question: Should these type of policies be supported, if so should the CIL compiler > cope with duplicate role statements or the conversion service modified to remove duplicates. > Also there is a bug in that the CIL module is deleted from the tmp directory so you cannot > view the failed conversion. > > I built the CIL module using pp directly (cat base.pp | ./pp > base.cil), then added the > (role ...) statement, this compiled okay using secilc. > When working on a bug reported by Sven, we actually came across some problems with how roles and roletypes are converted from pp to CIL. We're working on those fixes now. Regarding the duplicate role definition issue, it's kindof tricky. The current pp2cil conversion doesn't know anything about other modules, so it isn't capable of determining if two separate modules have a duplicate role definition. So we either have to 1) allow duplicate role definitions in CIL (though, we don't currently allow any duplicate definitions of anything) or 2) consider policies that have duplicate roles invalid. I don't really like either solution, need to think about this some more... As far as how to get better information for why a CIL module failed, this is something we've thought about, and may be something we can improve in the future. Right now you have to extract the HLL module from the store and compile it your self. We're aware that's not particularly user friendly. - Steve ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query 2014-09-04 13:44 ` Steve Lawrence @ 2014-09-04 14:32 ` James Carter 0 siblings, 0 replies; 3+ messages in thread From: James Carter @ 2014-09-04 14:32 UTC (permalink / raw) To: Steve Lawrence, Richard Haines, selinux list On 09/04/2014 09:44 AM, Steve Lawrence wrote: > On 09/04/2014 09:14 AM, Richard Haines wrote: >> I've been attempting to convert a monolithic policy (really a modular base policy with >> no modules) to CIL, however it fails with: >> >> Failed to resolve roletype statement at XX of /var/lib/selinux/modular-test/tmp/modules/400/base/cil >> >> when running: semodule -s modular-test -i base.pp >> >> >> The cause of this appears to be the following in policycoreutils/hll/pp/pp.c where the role >> statement is ignored for the base policy: >> >> >> case ROLE_ROLE: >> if (scope == SCOPE_DECL) { >> if (pdb->policy_type == SEPOL_POLICY_MOD) { >> // roles are defined twice, once in a module and once in base. >> // CIL doesn't allow duplicate declarations, so only take the >> // roles defined in the modules >> cil_println(indent, "(role %s)", key); >> >> Question: Should these type of policies be supported, if so should the CIL compiler >> cope with duplicate role statements or the conversion service modified to remove duplicates. >> Also there is a bug in that the CIL module is deleted from the tmp directory so you cannot >> view the failed conversion. >> >> I built the CIL module using pp directly (cat base.pp | ./pp > base.cil), then added the >> (role ...) statement, this compiled okay using secilc. >> > > When working on a bug reported by Sven, we actually came across some > problems with how roles and roletypes are converted from pp to CIL. > We're working on those fixes now. > > Regarding the duplicate role definition issue, it's kindof tricky. The > current pp2cil conversion doesn't know anything about other modules, so > it isn't capable of determining if two separate modules have a duplicate > role definition. So we either have to 1) allow duplicate role > definitions in CIL (though, we don't currently allow any duplicate > definitions of anything) or 2) consider policies that have duplicate > roles invalid. I don't really like either solution, need to think about > this some more... > I don't want to allow duplicate declarations as a normal part of CIL, but maybe there could be a command line option that would just display a warning and ignore a duplicate declaration. I will have to think about the ramifications of this. I am worried that there will be corner cases were the generated kernel policy will be different depending on which duplicate is ignored. > As far as how to get better information for why a CIL module failed, > this is something we've thought about, and may be something we can > improve in the future. Right now you have to extract the HLL module from > the store and compile it your self. We're aware that's not particularly > user friendly. > > - Steve > > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. > > -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-09-04 14:32 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2014-09-04 13:14 SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query Richard Haines 2014-09-04 13:44 ` Steve Lawrence 2014-09-04 14:32 ` James Carter
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.