* neverallow rules and self negation
@ 2015-11-08 4:29 Nick Kralevich
2015-11-09 14:28 ` Stephen Smalley
2015-11-09 14:30 ` James Carter
0 siblings, 2 replies; 5+ messages in thread
From: Nick Kralevich @ 2015-11-08 4:29 UTC (permalink / raw)
To: SELinux
Consider the following rules:
attribute foo;
type asdf, foo;
type asdf2, foo;
allow asdf self:dir search;
neverallow foo { foo -self }:dir search;
This particular policy fails to compile with the following error:
libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of
policy.conf) violated by allow asdf asdf:dir { search };
libsepol.check_assertions: 1 neverallow failures occurred
The intent of the neverallow rule is to prohibit cross domain access
to some resource, but allow access within the same domain. Something
like:
neverallow asdf { foo -asdf }:dir search;
neverallow asdf2 { foo -asdf2 }:dir search;
1) Is the behavior described above a bug or working as intended?
2) Is there a way to write a neverallow rule where the target uses
"-self", and if so, what does it mean?
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037
* Re: neverallow rules and self negation
From: Stephen Smalley @ 2015-11-09 14:28 UTC (permalink / raw)
To: Nick Kralevich, SELinux
On 11/07/2015 11:29 PM, Nick Kralevich wrote:
> Consider the following rules:
>
> attribute foo;
> type asdf, foo;
> type asdf2, foo;
> allow asdf self:dir search;
> neverallow foo { foo -self }:dir search;
>
> This particular policy fails to compile with the following error:
>
> libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of
> policy.conf) violated by allow asdf asdf:dir { search };
> libsepol.check_assertions: 1 neverallow failures occurred
>
> The intent of the neverallow rule is to prohibit cross domain access
> to some resource, but allow access within the same domain. Something
> like:
>
> neverallow asdf { foo -asdf }:dir search;
> neverallow asdf2 { foo -asdf2 }:dir search;
>
> 1) Is the behavior described above a bug or working as intended?
> 2) Is there a way to write a neverallow rule where the target uses
> "-self", and if so, what does it mean?
It doesn't look to me as if "-self" has ever been supported correctly
either by the checkpolicy parser or by the libsepol neverallow/assertion
checker. So, it's a bug, but not sure how involved a fix will be
(beyond just having checkpolicy reject it in the first place).
* Re: neverallow rules and self negation
From: James Carter @ 2015-11-09 14:30 UTC (permalink / raw)
To: Nick Kralevich, SELinux
On 11/07/2015 11:29 PM, Nick Kralevich wrote:
> Consider the following rules:
>
> attribute foo;
> type asdf, foo;
> type asdf2, foo;
> allow asdf self:dir search;
> neverallow foo { foo -self }:dir search;
>
> This particular policy fails to compile with the following error:
>
> libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of
> policy.conf) violated by allow asdf asdf:dir { search };
> libsepol.check_assertions: 1 neverallow failures occurred
>
> The intent of the neverallow rule is to prohibit cross domain access
> to some resource, but allow access within the same domain. Something
> like:
>
> neverallow asdf { foo -asdf }:dir search;
> neverallow asdf2 { foo -asdf2 }:dir search;
>
> 1) Is the behavior described above a bug or working as intended?
Self is a little special and I am not sure that anyone has ever considered using
self in a negation like that. I will have to take a look and see what it would
take to allow this usage.
> 2) Is there a way to write a neverallow rule where the target uses
> "-self", and if so, what does it mean?
>
I think that it would mean what you intend it to mean.
allow asdf self:dir search; # Allowed
allow asdf asdf:dir search; # Allowed
allow asdf asdf2:dir search; # Not allowed
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
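A small model of the neverallow assertion check, added here as an illustration; it is not libsepol or checkpolicy code and nothing in the thread describes libsepol's internals this way. It expands attributes to their member types and evaluates `-self` once per concrete source type, which is the meaning James gives above: `allow asdf self:dir search` passes, `allow asdf asdf2:dir search` is flagged, and Nick's spelled-out per-type rules give the same answer. The "ignore `-self`" mode is an assumed simplification that reproduces the spurious failure from the original post; the class and function names are invented for this example.

```python
"""Model of SELinux neverallow checking with 'self' in the target set.

Constructed example, not libsepol code: attributes expand to their member
types and 'self' is evaluated relative to each concrete source type.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    types: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)   # attribute -> member types
    allows: set = field(default_factory=set)    # (src, tgt, class, perm)

    def declare_attribute(self, name):
        self.attrs.setdefault(name, set())

    def declare_type(self, name, *attrs):
        # 'type asdf, foo;' declares asdf and adds it to attribute foo
        self.types.add(name)
        for a in attrs:
            self.attrs.setdefault(a, set()).add(name)

    def expand(self, name, subject=None):
        """Expand a type, attribute or 'self' to a set of concrete types."""
        if name == "self":
            if subject is None:
                raise ValueError("'self' is only meaningful relative to a source type")
            return {subject}
        if name in self.attrs:
            return set(self.attrs[name])
        if name in self.types:
            return {name}
        raise KeyError(f"unknown type or attribute: {name}")

    def expand_set(self, names, subject=None, ignore_self_negation=False):
        """Expand a set expression such as ['foo', '-self'] for one source type.

        ignore_self_negation mimics a checker that does not understand '-self'
        (an assumed simplification of the failure reported in the thread).
        """
        result = set()
        for n in names:
            if not n.startswith("-"):
                result |= self.expand(n, subject)
        for n in names:
            if n.startswith("-"):
                neg = n[1:]
                if neg == "self" and ignore_self_negation:
                    continue
                result -= self.expand(neg, subject)
        return result

    def allow(self, src, tgt, cls, perms):
        """Record an allow rule as concrete (src, tgt, class, perm) tuples."""
        for s in self.expand(src):
            for t in self.expand(tgt, subject=s):
                for perm in perms:
                    self.allows.add((s, t, cls, perm))

    def check_neverallow(self, src_set, tgt_set, cls, perms,
                         ignore_self_negation=False):
        """Return the sorted allow tuples that violate the neverallow."""
        violations = set()
        for s in self.expand_set(src_set):
            targets = self.expand_set(tgt_set, subject=s,
                                      ignore_self_negation=ignore_self_negation)
            for t in targets:
                for perm in perms:
                    if (s, t, cls, perm) in self.allows:
                        violations.add((s, t, cls, perm))
        return sorted(violations)


def thread_policy():
    """The declarations and the single allow rule from the original post."""
    p = Policy()
    p.declare_attribute("foo")
    p.declare_type("asdf", "foo")
    p.declare_type("asdf2", "foo")
    p.allow("asdf", "self", "dir", {"search"})
    return p


# neverallow foo { foo -self }:dir search;
NEVERALLOW = (["foo"], ["foo", "-self"], "dir", {"search"})


def violations_with_self_semantics():
    """'-self' evaluated per source type: the self-access rule is fine."""
    return thread_policy().check_neverallow(*NEVERALLOW)


def violations_ignoring_self_negation():
    """A checker that drops '-self' reports the spurious asdf -> asdf failure."""
    return thread_policy().check_neverallow(*NEVERALLOW, ignore_self_negation=True)


def violations_with_cross_domain_rule():
    """Adding 'allow asdf asdf2:dir search;' is a genuine violation."""
    p = thread_policy()
    p.allow("asdf", "asdf2", "dir", {"search"})
    return p.check_neverallow(*NEVERALLOW)


def violations_with_per_type_rules():
    """Nick's spelled-out equivalent, one neverallow per member type of foo."""
    p = thread_policy()
    p.allow("asdf", "asdf2", "dir", {"search"})
    v = p.check_neverallow(["asdf"], ["foo", "-asdf"], "dir", {"search"})
    v += p.check_neverallow(["asdf2"], ["foo", "-asdf2"], "dir", {"search"})
    return sorted(v)


if __name__ == "__main__":
    print("self-aware check:       ", violations_with_self_semantics())
    print("'-self' ignored:        ", violations_ignoring_self_negation())
    print("with cross-domain allow:", violations_with_cross_domain_rule())
    print("per-type neverallows:   ", violations_with_per_type_rules())
```

The key design point is that `self` cannot be expanded independently of the source: the target set `{ foo -self }` has a different value for every member type of `foo`, so the checker has to re-expand it inside the loop over source types rather than once up front.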
* Re: neverallow rules and self negation
From: Nick Kralevich @ 2015-11-12 20:07 UTC (permalink / raw)
To: James Carter; +Cc: SELinux
Is there a place where we track SELinux bugs?
-- Nick
On Mon, Nov 9, 2015 at 6:30 AM, James Carter <jwcart2@tycho.nsa.gov> wrote:
>
> Self is a little special and I am not sure that anyone has ever considered using self in a negation like that. I will have to take a look and see what it would take to allow this usage.
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037