On Tue, 2008-03-11 at 14:46 -0400, Stephen Smalley wrote:
> On Tue, 2008-03-11 at 14:35 -0400, Eric Paris wrote:
> > On Tue, 2008-03-11 at 14:28 -0400, Stephen Smalley wrote:
> > > On Tue, 2008-03-11 at 09:59 -0400, Eric Paris wrote:
> > > Have you tested the handling of aliases, e.g. declare a type alias to a
> > > type in one module, then mark that type alias as permissive in another
> > > module, and confirm proper propagation of the permissive flag?
> >
> > I tested declare a type in base and then in a module require that base
> > type, alias to that base type, and then permissive the alias. Is there
> > a difference between that and actually declaring the type in another
> > module?
>
> The interesting case is when you declare the type and alias in one
> module, then use that alias as if it were a type in another module.
> Then checkmodule doesn't know that it is dealing with an alias while
> compiling the latter module, and the link/expand logic has to properly
> deal with it. Same issue occurs for attributes.

Let me know if this is what you wanted tested:

******
module define_alias 1.0;

require {
        type type1_t;
}

type type_t;
typealias type_t alias alias_t;
*****
module perm_alias 1.0;

require {
        type alias_t;
}

permissive alias_t;
******
[root@dhcp231-146 perm]# semodule -s tmp -l
No modules.
[root@dhcp231-146 perm]# semodule -s tmp -i define_alias.pp
[root@dhcp231-146 perm]# semodule -s tmp -i perm_alias.pp
[root@dhcp231-146 perm]# semodule -s tmp -l
define_alias 1.0
perm_alias 1.0
******
[root@dhcp231-146 perm]# sedispol /etc/selinux/tmp/policy/policy.23
Reading policy...
libsepol.policydb_index_others: security: 1 users, 2 roles, 4 types, 1 bools
libsepol.policydb_index_others: security: 2 sens, 2 cats
libsepol.policydb_index_others: security: 1 classes, 1 rules, 0 cond rules
binary policy file loaded

[snip]

Command ('m' for menu): p
permissive sids:
type_t

Command ('m' for menu):
*******

Looks like it worked to me.

-Eric