From: "Christian Göttsche" <cgzones@googlemail.com>
To: Vit Mojzis <vmojzis@redhat.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] checkpolicy: Allow attribute assignment to attributes
Date: Mon, 23 Jun 2025 12:56:11 +0200 (GMT+02:00) [thread overview]
Message-ID: <f20586e8-cf08-4d17-8ebc-3b2cf2dd2eb8@googlemail.com> (raw)
In-Reply-To: <20250623102726.3818713-1-vmojzis@redhat.com>
Jun 23, 2025 12:27:47 Vit Mojzis <vmojzis@redhat.com>:
> Allow "typeattribute <attribute> <attribute>" to pass checkpolicy,
> since (typeattributeset <attribute> <attribute>) is valid in CIL.
>
> Fixes:
> $ cat myattributetest.te
> policy_module(attributetest, 1.0.0)
>
> gen_require(`
> attribute domain;
> ')
>
> attribute myattribute;
>
> typeattribute myattribute domain;
>
> $ make -f /usr/share/selinux/devel/Makefile attributetest.pp 2 ↵
> Compiling targeted attributetest module
> attributetest.te:9:ERROR 'unknown type myattribute' at token ';' on line 3418:
> typeattribute myattribute domain;
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
> After some simple tests with CIL policies, it seems that attribute
> assignment works as expected. Is there a reason checkpolicy does not
> recognise it?
Did you test that all types associated with myattribute are also associated with domain?
>
> $ cat a.cil
> (typeattribute a)
> (typeattribute b)
> (typeattribute c)
> (type mytype_t)
> (typeattributeset a b)
> (typeattributeset b c)
> (typeattributeset c mytype_t)
> (allow a user_home_t (dir (getattr open search)))
> (allow b tmp_t (dir (getattr open search)))
> (allow c etc_t (dir (getattr open search)))
>
> $semodule -i a.cil
>
> $sesearch -A -s mytype_t
> allow a user_home_t:dir { getattr open search };
> allow b tmp_t:dir { getattr open search };
> allow c etc_t:dir { getattr open search };
>
> $seinfo -xa a
>
> Type Attributes: 1
> attribute a;
> mytype_t
>
>
> checkpolicy/policy_define.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index 4e0ddcc6..be788e8e 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1440,7 +1440,7 @@ int define_typeattribute(void)
> return -1;
> }
> t = hashtab_search(policydbp->p_types.table, id);
> - if (!t || t->flavor == TYPE_ATTRIB) {
> + if (!t) {
> yyerror2("unknown type %s", id);
> free(id);
> return -1;
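Review bot: dropping the `t->flavor == TYPE_ATTRIB` test at the `hashtab_search()` result means `t` may now be an attribute for the remainder of define_typeattribute(), yet the hunk shows nothing downstream that propagates the types already in that attribute into the target attribute; please confirm, as the reply above asks, that member types are inherited (or point to where that happens) and add a test to the series. With the removed check gone this is also the only place that rejected an attribute as the first argument, so a self-assignment or cycle such as `typeattribute a a` becomes expressible; either reject it here with a clearer message than "unknown type", or document that later processing handles it.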
> --
> 2.49.0