Re: CIL/SELinux Userspace Integration

On 12/07/2011 12:01 PM, Richard Haines wrote:
Thanks for the updates. The deny_unknown, permissionset and generating policy.conf all worked okay.

I've had a couple of other minor problems:

1) I added a 'policycap' statement in a block. secilc processed the CIL statements but failed to gen the policy. I then moved it to the global namespace and then it worked okay. I assume that policycap must always be in the global namespace.


There isn't anything in theory that requires the policycap statement to be global. However, putting a policycap in a block will namespace it, so this:

  (block foo
      (policycap bar))

results in the policy capability "foo.bar". Right now, the only valid policy capabilities are "network_peer_controls" and "open_perms". So "foo.bar", as well as any namespaced policy cap, will never work in practice. However, there is a bug in that this error isn't checked at the right spot. I've fixed this, so you should at least get a better error message now.

2) Are there any known issues regarding typetransition rules, as I'm having problems generating a policy? For example secilc will throw 'Error: Duplicate rule defined (line: xxx)'. I then comment out the typetransition statement (that actually looks okay) and it fails with another one; however semodule -i .. will compile it okay. In the end I can get both secilc and semodule to build the binary policy once I remove enough typetransition statements to keep both of them happy. (Both seem to be happy with about 16 typetransition statements in the policy, but semodule can take a few more!!!)


No known issues with typetransitions. Can you send the policy you're having trouble with and I'll take a look?

The policy consists of 10 CIL modules (files) with about 1,200 lines of CIL statements - but nothing complex, just the SELinux Notebook modules I'm converting to CIL as an exercise.

I've had both problems on the original integration you sent plus the updates you pushed today (7th Dec).

Richard

--- On Wed, 7/12/11, Steve Lawrence <slawrence@xxxxxxxxxx> wrote:

From: Steve Lawrence <slawrence@xxxxxxxxxx>
Subject: Re: CIL/SELinux Userspace Integration
To: "Richard Haines" <richard_c_haines@xxxxxxxxxxxxxx>
Cc: selinux@xxxxxxxxxxxxx
Date: Wednesday, 7 December, 2011, 13:32

On 12/03/2011 11:30 AM, Richard Haines wrote:
Steve,

Thanks for this, it seems to work fine with the policy samples I've been using. I've had a couple of minor problems though:

1) A macro does not work with permissionset as one of the parameters (all the other parameters worked okay).


Thanks for finding this. Just pushed a commit that fixes this.

2) Macro comments are not permitted. I notice they are not present in the test files, so has it been dropped?


Yep. Macro comments have been dropped. I've updated it on the wiki.

3) I could not find a way to generate the policy.conf file. I set DEBUG=1 in the CIL Makefile like I used to, but no file.


In selinux userspace, make DEBUG=1 doesn't define the DEBUG macro that the CIL code uses to enable debugging. You'll have to add '-DDEBUG' to the CFLAGS in the userspace Makefile to enable building of the policy.conf file.

4) To set deny_unknown in secilc.c required a 'U' in the getopt line:

    getopt_long(argc, argv, "hvtU:MDc:", .....


Thanks, fixed and pushed.

5) I could not load a new policy that had a boolean and supporting statements in it. The actual binary policy was fine (using apol), but load_policy had problems. I started with a Fedora 16 base and added the new Integration code with no problems. Is it a known problem? If not I'll check further. The errors I had when running semodule with a boolean were (Note: I had already built a new base policy (SELINUXTYPE=rch-test1) with no problems):

Hmmm, this is interesting. Both seinfo and apol are fine with my CIL-generated binary, but it fails to load when I add booleans. I also generated a similar mdp policy.conf, ran checkpolicy, and that failed to load as well. sediff also shows the two binaries to be the same.

I'll look into this more, but because of that, I'm thinking this is a kernel bug. If anyone else wants to look at it, I've attached a simple file that is the standard mdp.conf with a single boolean defined, and a single conditional statement using that boolean. This builds a binary fine, and apol/seinfo have no problem with it, but it fails to load with load_policy.
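The namespacing of a policycap inside a block, discussed at the top of this thread, is easy to miss across a set of CIL modules. The following lint is an added example (my own code, not part of secilc or the SELinux userspace): it parses CIL s-expressions, tracks the enclosing block names, and reports every policycap whose effective name is namespaced or is not in the capability set named in the message. The sample CIL and the KNOWN_POLICYCAPS set are constructed assumptions.

```python
import re

# Capability names the message lists as valid when written (assumed; extend for newer kernels).
KNOWN_POLICYCAPS = {"network_peer_controls", "open_perms"}

# Constructed CIL sample: one global policycap, two nested inside blocks.
SAMPLE_CIL = """
(policycap open_perms)                        ; global scope: accepted
(block foo
    (type bar_t)
    (policycap bar))                          ; becomes foo.bar
(block baz
    (block inner
        (policycap network_peer_controls)))   ; becomes baz.inner.network_peer_controls
"""

def tokenize(text):
    """Split CIL text into '(', ')' and atom tokens, dropping ';' comments."""
    return re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text))

def parse(tokens):
    """Build nested lists from the token stream, one list per s-expression."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) < 2:
                raise ValueError("unexpected ')'")
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]

def find_policycaps(exprs, namespace=()):
    """Yield (effective_name, is_global) for every policycap, descending into blocks."""
    for expr in exprs:
        if not isinstance(expr, list) or not expr:
            continue
        if expr[0] == "policycap" and len(expr) == 2:
            yield ".".join(namespace + (expr[1],)), not namespace
        elif expr[0] == "block" and len(expr) >= 2:
            yield from find_policycaps(expr[2:], namespace + (expr[1],))

def lint(text):
    """Return effective names of policycaps the kernel will never recognise."""
    return [name for name, is_global in find_policycaps(parse(tokenize(text)))
            if not is_global or name not in KNOWN_POLICYCAPS]
```

Running `lint(SAMPLE_CIL)` flags the two block-scoped capabilities and accepts the global `open_perms`; on a real module set, feed it the concatenated CIL files before invoking secilc.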






--
This message was distributed to subscribers of the selinux mailing list.