* neverallow rules and self negation
@ 2015-11-08  4:29 Nick Kralevich
From: Nick Kralevich @ 2015-11-08  4:29 UTC (permalink / raw)
  To: SELinux

Consider the following rules:

  attribute foo;
  type asdf, foo;
  type asdf2, foo;
  allow asdf self:dir search;
  neverallow foo { foo -self }:dir search;

This particular policy fails to compile with the following error:

libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of
policy.conf) violated by allow asdf asdf:dir { search };
libsepol.check_assertions: 1 neverallow failures occurred

The intent of the neverallow rule is to prohibit cross domain access
to some resource, but allow access within the same domain. Something
like:

  neverallow asdf { foo -asdf }:dir search;
  neverallow asdf2 { foo -asdf2 }:dir search;

1) Is the behavior described above a bug or working as intended?
2) Is there a way to write a neverallow rule where the target uses
"-self", and if so, what does it mean?

-- 
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037

* Re: neverallow rules and self negation
From: Stephen Smalley @ 2015-11-09 14:28 UTC (permalink / raw)
  To: Nick Kralevich, SELinux

On 11/07/2015 11:29 PM, Nick Kralevich wrote:
> Consider the following rules:
>
>    attribute foo;
>    type asdf, foo;
>    type asdf2, foo;
>    allow asdf self:dir search;
>    neverallow foo { foo -self }:dir search;
>
> This particular policy fails to compile with the following error:
>
> libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of
> policy.conf) violated by allow asdf asdf:dir { search };
> libsepol.check_assertions: 1 neverallow failures occurred
>
> The intent of the neverallow rule is to prohibit cross domain access
> to some resource, but allow access within the same domain. Something
> like:
>
>    neverallow asdf { foo -asdf }:dir search;
>    neverallow asdf2 { foo -asdf2 }:dir search;
>
> 1) Is the behavior described above a bug or working as intended?
> 2) Is there a way to write a neverallow rule where the target uses
> "-self", and if so, what does it mean?

It doesn't look to me as if "-self" has ever been supported correctly 
either by the checkpolicy parser or by the libsepol neverallow/assertion 
checker.  So, it's a bug, but not sure how involved a fix will be 
(beyond just having checkpolicy reject it in the first place).

* Re: neverallow rules and self negation
From: James Carter @ 2015-11-09 14:30 UTC (permalink / raw)
  To: Nick Kralevich, SELinux

On 11/07/2015 11:29 PM, Nick Kralevich wrote:
> Consider the following rules:
>
>    attribute foo;
>    type asdf, foo;
>    type asdf2, foo;
>    allow asdf self:dir search;
>    neverallow foo { foo -self }:dir search;
>
> This particular policy fails to compile with the following error:
>
> libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of
> policy.conf) violated by allow asdf asdf:dir { search };
> libsepol.check_assertions: 1 neverallow failures occurred
>
> The intent of the neverallow rule is to prohibit cross domain access
> to some resource, but allow access within the same domain. Something
> like:
>
>    neverallow asdf { foo -asdf }:dir search;
>    neverallow asdf2 { foo -asdf2 }:dir search;
>
> 1) Is the behavior described above a bug or working as intended?

Self is a little special and I am not sure that anyone has ever considered using 
self in a negation like that. I will have to take a look and see what it would 
take to allow this usage.

> 2) Is there a way to write a neverallow rule where the target uses
> "-self", and if so, what does it mean?
>

I think that it would mean what you intend it to mean.

allow asdf self:dir search; # Allowed
allow asdf asdf:dir search; # Allowed
allow asdf asdf2:dir search; # Not allowed

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
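The reading James Carter gives above (a neverallow target of `{ foo -self }` expands once per source type, dropping that source type from the target set) can be modelled in a few lines. The following is an added illustration written for this thread, not code from checkpolicy or libsepol: it tokenises the rules from Nick's policy as constructed sample input, expands the neverallow into concrete (source, target) pairs, and reports which allow rules would violate it under that interpretation. Rule shapes, the `ATTRIBUTES` table and all function names are assumptions of this example.

```python
# Added example: a toy model of neverallow checking in which "-self" in the
# target set is resolved per source type (James Carter's reading above).
# Constructed illustration only; not checkpolicy/libsepol code.
from typing import Optional

# Constructed policy: attribute foo; type asdf, foo; type asdf2, foo;
ATTRIBUTES = {"foo": {"asdf", "asdf2"}}


def resolve(name: str, attributes: dict) -> set:
    """A bare name is an attribute (expands to its member types) or a plain type."""
    return set(attributes.get(name, {name}))


def expand_set(spec: list, attributes: dict, self_type: Optional[str] = None) -> set:
    """Expand a type-set spec such as ["foo", "-self"] into concrete types.

    Tokens prefixed with '-' are subtracted.  'self' stands for self_type,
    i.e. the source type the rule is currently being expanded for.
    """
    included, excluded = set(), set()
    for tok in spec:
        negated = tok.startswith("-")
        name = tok[1:] if negated else tok
        if name == "self":
            if self_type is None:
                raise ValueError("'self' used without a source type to refer to")
            types = {self_type}
        else:
            types = resolve(name, attributes)
        (excluded if negated else included).update(types)
    return included - excluded


def forbidden_pairs(source_spec: list, target_spec: list, attributes: dict) -> set:
    """(source, target) type pairs a neverallow rule prohibits.

    The rule is expanded once per concrete source type so that '-self'
    removes exactly that source type from the target set.
    """
    pairs = set()
    for src in expand_set(source_spec, attributes):
        for tgt in expand_set(target_spec, attributes, self_type=src):
            pairs.add((src, tgt))
    return pairs


def allow_pairs(source: str, target: str, attributes: dict) -> set:
    """(source, target) pairs granted by an allow rule; 'self' maps each source type to itself."""
    pairs = set()
    for src in resolve(source, attributes):
        targets = {src} if target == "self" else resolve(target, attributes)
        pairs.update((src, tgt) for tgt in targets)
    return pairs


def check_assertions(allow_rules: list, neverallow: tuple, attributes: dict) -> list:
    """Return the allow rules that violate the single neverallow rule.

    allow_rules: list of (source, target, class, perms)
    neverallow:  (source_spec, target_spec, class, perms)
    """
    na_src, na_tgt, na_class, na_perms = neverallow
    forbidden = forbidden_pairs(na_src, na_tgt, attributes)
    violations = []
    for rule in allow_rules:
        src, tgt, tclass, perms = rule
        if tclass != na_class or not (set(perms) & set(na_perms)):
            continue
        if allow_pairs(src, tgt, attributes) & forbidden:
            violations.append(rule)
    return violations


# The rules discussed in the thread, tokenised (constructed sample input).
NEVERALLOW = (["foo"], ["foo", "-self"], "dir", {"search"})
ALLOWS = [
    ("asdf", "self", "dir", {"search"}),   # allowed under this reading
    ("asdf", "asdf", "dir", {"search"}),   # allowed
    ("asdf", "asdf2", "dir", {"search"}),  # cross-domain access: violation
]

if __name__ == "__main__":
    for rule in check_assertions(ALLOWS, NEVERALLOW, ATTRIBUTES):
        print("neverallow violated by allow %s %s:%s %s" % rule)
```

Under this model the single `neverallow foo { foo -self }` expands to exactly the same forbidden pairs as the two per-type rules Nick spells out (`neverallow asdf { foo -asdf }` and `neverallow asdf2 { foo -asdf2 }`), and only the `asdf -> asdf2` allow rule is flagged, matching the three cases listed in the reply above.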

* Re: neverallow rules and self negation
From: Nick Kralevich @ 2015-11-12 20:07 UTC (permalink / raw)
  To: James Carter; +Cc: SELinux

Is there a place where we track SELinux bugs?

-- Nick

On Mon, Nov 9, 2015 at 6:30 AM, James Carter <jwcart2@tycho.nsa.gov> wrote:
>
> Self is a little special and I am not sure that anyone has ever considered using self in a negation like that. I will have to take a look and see what it would take to allow this usage.


-- 
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037

* Re: neverallow rules and self negation
From: Joshua Brindle @ 2015-11-13 15:30 UTC (permalink / raw)
  To: Nick Kralevich; +Cc: James Carter, SELinux


Nick Kralevich wrote:
> Is there a place where we track SELinux bugs?

It looks like that got disabled on github somehow.

I've re-enabled it here:

https://github.com/SELinuxProject/selinux/issues

>
> -- Nick
>
> On Mon, Nov 9, 2015 at 6:30 AM, James Carter<jwcart2@tycho.nsa.gov>  wrote:
>> Self is a little special and I am not sure that anyone has ever considered using self in a negation like that. I will have to take a look and see what it would take to allow this usage.
>
>
