I've been trying the constraints in CIL and found they were not being generated, although I managed to fix this with the patch listed at the end. However, there is still a problem that I have not managed to track down, and that is where I use a typeattribute in the constraint. The following is an example CIL policy segment:

    ; Start
    (class file (execute_no_trans entrypoint execmod open audit_access))
    (common file (ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename execute swapon quotaon mounton))
    (classcommon file file)
    (type ax_t)
    (type bx_t)
    (type cx_t)
    (typeattribute attribute_1)
    (typeattributeset attribute_1 ax_t)
    (typeattributeset attribute_1 bx_t)
    (typeattributeset attribute_1 cx_t)
    (constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1 ax_t)) (neq r1 r2)))
    ; End

The policy statement generated by secilc (note the Tresys version does the same):

    constrain { file } { execute_no_trans } (( t2 == attribute_1 ) and ( t1 == ax_t ) or ( r1 != r2 ));

However it should be:

    constrain { file } { execute_no_trans } (( t2 == { ax_t bx_t cx_t } ) and ( t1 == ax_t ) or ( r1 != r2 ));

Subject: [PATCH] Allow CIL to generate constraints

Before this, no constraint statements were generated.

--- src/cil_binary.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cil_binary.c b/src/cil_binary.c index e31f589..bbbc534 100644 --- a/src/cil_binary.c +++ b/src/cil_binary.c 
@@ -1971,14 +1971,14 @@ int cil_constrain_to_policydb(policydb_t *pdb, struct cil_symtab_datum *datum) cil_list_for_each(curr, cil_constrain->classperms) { struct cil_classperms *classperms = curr->data; - if (classperms->flavor == CIL_CLASS) { + if (classperms->flavor == CIL_CLASSPERMS) { key = ((struct cil_symtab_datum *)classperms->r.cp.class)->name; rc = cil_constrain_to_policydb_helper(pdb, key, classperms->r.cp.perms, expr); if (rc != SEPOL_OK) { goto exit; } - } else if (classperms->flavor == CIL_MAP_CLASS) { + } else if (classperms->flavor == CIL_MAP_CLASSPERMS) { struct cil_list_item *i = NULL; cil_list_for_each(i, classperms->r.mcp.perms) { struct cil_map_perm *cmp = i->data; -- 1.7.11.7
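Review bot: the commit message should state the cause the hunk reveals, not only the symptom. `classperms` is a `struct cil_classperms`, so comparing its `flavor` against the class flavors `CIL_CLASS` / `CIL_MAP_CLASS` could never match and both branches were skipped; the switch to `CIL_CLASSPERMS` / `CIL_MAP_CLASSPERMS` is the real fix, and one sentence saying so would make the change reviewable on its own. It is also worth saying in the message that this hunk does not touch the typeattribute problem described in the cover text: `expr` is built before this loop and handed to `cil_constrain_to_policydb_helper` unchanged, so the `t2 == attribute_1` output needs a separate fix outside this loop.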
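As an added example that is not part of the post and not secilc's own code, the following renders the CIL constrain rule quoted above in policy.conf syntax, expanding a typeattribute into the set of types assigned to it, which is the output the post says secilc should produce. It assumes the flat `and`/`or` layout seen in the quoted secilc output and only handles typeattributeset statements that list plain type names.

```python
import re
# Constructed input: the attribute assignments and constrain rule quoted in the post.
CIL_POLICY = """
(typeattribute attribute_1)
(typeattributeset attribute_1 ax_t)
(typeattributeset attribute_1 bx_t)
(typeattributeset attribute_1 cx_t)
(constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1 ax_t)) (neq r1 r2)))
"""
OPS = {"eq": "==", "neq": "!=", "dom": "dom", "domby": "domby", "incomp": "incomp"}

def parse_sexpr(text):
    """Parse CIL s-expressions into nested lists; ';' comments are dropped."""
    tokens = re.findall(r"\(|\)|[^\s()]+", re.sub(r";.*", "", text))
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]

def attribute_sets(stmts):
    """Map each typeattribute to its member types (plain name lists only, no set exprs)."""
    attrs = {}
    for s in stmts:
        if s[0] == "typeattributeset":
            members = s[2] if isinstance(s[2], list) else [s[2]]
            attrs.setdefault(s[1], []).extend(members)
    return attrs

def render_expr(expr, attrs):
    """Render a constraint expression in policy.conf syntax, using secilc's flat layout."""
    op = expr[0]
    if op in ("and", "or"):
        return f" {op} ".join(render_expr(e, attrs) for e in expr[1:])
    left, right = expr[1], expr[2]
    if right in attrs:  # the expansion the post asks for: attribute -> { its types }
        right = "{ " + " ".join(attrs[right]) + " }"
    return f"( {left} {OPS[op]} {right} )"

def constrain_to_conf(cil_text):
    """Return a policy.conf constrain line for every constrain rule in cil_text."""
    stmts = parse_sexpr(cil_text)
    attrs = attribute_sets(stmts)
    return [f"constrain {{ {s[1][0]} }} {{ {' '.join(s[1][1])} }} ({render_expr(s[2], attrs)});"
            for s in stmts if s[0] == "constrain"]
```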