From: James Carter <jwcart2@tycho.nsa.gov>
To: selinux@tycho.nsa.gov
Subject: Re: secilc: in segfault
Date: Wed, 9 Sep 2015 16:17:13 -0400
Message-ID: <55F093C9.2080508@tycho.nsa.gov>
In-Reply-To: <20150903132041.GD2118@x250>

On 09/03/2015 09:20 AM, Dominick Grift wrote:
> On Thu, Sep 03, 2015 at 08:18:17AM -0400, James Carter wrote:
>> On 09/03/2015 05:48 AM, Dominick Grift wrote:
>>> Anyone tried "secilc test/in_test.cil" lately? It dumps core here.
>>>
>>> $ secilc test/in_test.cil
>>> Segmentation fault (core dumped)
>>>
>>>
>>
>> It works for me for the current master branch of SELinux userspace installed
>> locally. What version are you using?
>>
>> Jim
>>
>
> Ok so that turns out to be a bug in Fedora. However.
>
> I can still get secilc to segfault on "in". I wonder if the following is
> or should be supported:
>
> The scenario is: I want to simplify my macros by using
> blockabstracts/inherits to provide a single point of failure.
>
> As a matter of test I made these two changes:
>
> https://github.com/DefenSec/dssp/commit/85ba6f1848118e16b5544052dc5764663b272262
> https://github.com/DefenSec/dssp-contrib/commit/77442e1e4658df99d1ce74732338a9c4ad80a6a3
>
> However this makes secilc segfault, and I do not see why.
>

This doesn't appear to be ONLY because of the "in" block. It still segfaults 
even with moving everything inside the block and removing the "in" block.

It looks like one problem is with the use of a blockinherit inside a macro. 
Blocks and blockinherits are not allowed to be used in macros. As we were fixing 
CIL's name resolution last Fall we came to the conclusion that allowing both of 
these would provide little benefit while causing a lot of potential problems. 
But we are open to a discussion if you can provide a compelling use case.

Why not use something like this:

(block exec_blk
	(blockabstract exec_blk)
	(macro exec ((type ARG1))
	       (call can_exec (ARG1 cmd_file))))

(block auditctl
	(blockinherit exec_blk))

(call auditctl.exec (some_type))

instead of:

(block exec_blk
	(blockabstract exec_blk)
	(call can_exec (ARG1 cmd_file)))

(block auditctl
	(macro exec ((type ARG1))
		(blockinherit exec_blk)))

(call auditctl.exec (some_type))


Jim

> I first thought it was because I was using "ARG1" in the blockabstract
> (see first commit). However that seems to not be the case.
>
> I am left wondering: what am I doing wrong here (obviously secilc should
> not segfault nevertheless)
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
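
Added example, not part of the original message and not SELinux project code: a small Python pre-check that parses CIL source and reports any block or blockinherit nested inside a macro, the construct the message above says is not allowed. The function names, the statements it descends into (block, in, optional, macro) and the two sample inputs (constructed from the snippets in the message) are assumptions.

```python
import re

# Comment to end of line, quoted string, parenthesis, or bare symbol.
TOKEN = re.compile(r';[^\n]*|"[^"]*"|[()]|[^\s()";]+')
NOT_IN_MACRO = {"block", "blockinherit"}  # statements the message says macros may not contain

def parse(text):
    """Parse CIL source into nested lists, one list per parenthesised statement."""
    root = []
    stack = [root]
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):
            continue                      # skip comments
        if tok == "(":
            stack[-1].append([])
            stack.append(stack[-1][-1])   # descend into the new statement
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack.pop()
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return root

def macro_violations(nodes, scope=(), macro=None):
    """Return (macro name, statement) for each block/blockinherit nested in a macro."""
    found = []
    for node in nodes:
        if not (isinstance(node, list) and len(node) > 1 and isinstance(node[0], str)):
            continue                      # parameter lists, bare symbols, empty lists
        kind, name = node[0], str(node[1])
        if macro and kind in NOT_IN_MACRO:
            found.append((macro, f"({kind} {name})"))
        if kind == "macro":               # node[2] is the parameter list, body starts at node[3]
            found += macro_violations(node[3:], scope, ".".join(scope + (name,)))
        elif kind in ("block", "in"):     # these extend the namespace
            found += macro_violations(node[2:], scope + (name,), macro)
        elif kind == "optional":
            found += macro_violations(node[2:], scope, macro)
    return found

# Constructed input: the two policy shapes from the message.
REJECTED = """(block exec_blk (blockabstract exec_blk) (call can_exec (ARG1 cmd_file)))
(block auditctl (macro exec ((type ARG1)) (blockinherit exec_blk)))
(call auditctl.exec (some_type))"""
SUGGESTED = """(block exec_blk (blockabstract exec_blk)
  (macro exec ((type ARG1)) (call can_exec (ARG1 cmd_file))))
(block auditctl (blockinherit exec_blk))
(call auditctl.exec (some_type))"""
```

Running `macro_violations(parse(source))` over a policy file before handing it to secilc gives a readable report of the offending macro instead of relying on the compiler's behaviour for that input.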
