From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: Problem building CIL module with new class
Date: Thu, 17 Mar 2016 16:56:36 +0100
Message-ID: <56EAD3B4.70304@gmail.com>
In-Reply-To: <1198187673.578619.1458228315066.JavaMail.yahoo@mail.yahoo.com>

On 03/17/2016 04:25 PM, Richard Haines wrote:
> Using Fedora 23 targeted policy.
> 
> Problem: When adding a new class via the CIL module listed below, 
> the allow rule is not being resolved if the new class references a 
> common set of permissions.
> 
> Viewing with apol shows that the new class has been allocated the 
> unique and common permissions, however the allow rule is missing.
> 
> Note 1: If the 'all' expression is replaced in the 
> 'classpermissionset' with the actual permissions, then the allow 
> rule is resolved.
> 
> Note 2: If I use the latest 2.5 libsepol with the (classorder 
> (unordered sctp_socket)) statement I get the same result.
> 
> The example CIL policy module is: 
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> (classorder (proxy sctp_socket))  ; 'proxy' is the last class defined in F-23
>                                   ; and required when using libsepol 2.4
> 
> (classcommon sctp_socket socket)
> (class sctp_socket (node_bind name_connect association bindx_add
>     bindx_rem connectx peeloff set_addr set_params))
> 
> (classpermission sctp_socket_all_perms)
> (classpermissionset sctp_socket_all_perms (sctp_socket (all)))
> 
> (allow unconfined_t self sctp_socket_all_perms)
> ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
> 
> And is built with the following command:
> 
> semodule --priority 400 -i sctp_test_module.cil

Maybe it is related to semodule? Seems to work fine when tested with DSSP:

https://www.youtube.com/watch?v=NYMoPUNTqes

[root@void kcinimod]# rpm -qa | grep libselinux
libselinux-2.4-4.fc23.x86_64
libselinux-utils-2.4-4.fc23.x86_64
libselinux-python3-2.4-4.fc23.x86_64
libselinux-2.4-4.fc23.i686
[root@void kcinimod]# rpm -qa | grep libsepol
libsepol-2.5-9999.gitb3b5ede.fc24.x86_64
[root@void kcinimod]# rpm -qa | grep setools
setools-4.0-9999.gitac4f846.fc23.x86_64
setools-gui-4.0-9999.gitac4f846.fc23.x86_64
[root@void kcinimod]# rpm -qa | grep secilc
secilc-2.5-9999.gitb3b5ede.fc24.x86_64

> 
> Any ideas !!!
> Richard


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
