On 08/27/2013 12:20 PM, Steve Lawrence wrote:
Yep, looks like we aren't expanding typeattributes in constraints. I have a fix
for the master branch on oss, but Jim has made a few changes to how constraints
work, so my patch doesn't apply cleanly. I'm also seeing a segfault on the nsa
branch with the simple test cil file (test/policy.cil), still looking into that.
I've attached the patch to the oss master branch if you'd like to give it a shot.
I am still looking at the previous bug with constraints and investigating
perhaps the same segfault. Expanding typeattributes won't be hard; I just hadn't
realized that needed to be done for constraints. Hopefully, it won't take too
long to resolve this.
Jim
- Steve
On 08/25/2013 12:15 PM, Richard Haines wrote:
I've been trying the constraints in CIL and found they were not being
generated, although I managed to fix this with the patch listed at the end.
However, there is still a problem that I have not managed to track down, and
that is where I use a typeattribute in the constraint. The following is an
example CIL policy segment:
; Start
(class file (execute_no_trans entrypoint execmod open audit_access))
(common file (ioctl read write create getattr setattr lock relabelfrom
relabelto append unlink link rename execute swapon quotaon mounton))
(classcommon file file)
(type ax_t)
(type bx_t)
(type cx_t)
(typeattribute attribute_1)
(typeattributeset attribute_1 ax_t)
(typeattributeset attribute_1 bx_t)
(typeattributeset attribute_1 cx_t)
(constrain (file (execute_no_trans))
    (or (and (eq t2 attribute_1) (eq t1 ax_t)) (neq r1 r2)))
; End
The policy statement generated by secilc (note the Tresys version does the same):
constrain { file } { execute_no_trans }
(( t2 == attribute_1 ) and ( t1 == ax_t ) or ( r1 != r2 ));
However it should be:
constrain { file } { execute_no_trans }
(( t2 == { ax_t bx_t cx_t } ) and ( t1 == ax_t ) or ( r1 != r2 ));
Subject: [PATCH] Allow CIL to generate constraints
Before this, no constraint statements were generated.
---
src/cil_binary.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/cil_binary.c b/src/cil_binary.c
index e31f589..bbbc534 100644
--- a/src/cil_binary.c
+++ b/src/cil_binary.c
@@ -1971,14 +1971,14 @@ int cil_constrain_to_policydb(policydb_t *pdb, struct
cil_symtab_datum *datum)
cil_list_for_each(curr, cil_constrain->classperms) {
struct cil_classperms *classperms = curr->data;
- if (classperms->flavor == CIL_CLASS) {
+ if (classperms->flavor == CIL_CLASSPERMS) {
key = ((struct cil_symtab_datum *)classperms->r.cp.class)->name;
rc = cil_constrain_to_policydb_helper(pdb, key,
classperms->r.cp.perms, expr);
if (rc != SEPOL_OK) {
goto exit;
}
- } else if (classperms->flavor == CIL_MAP_CLASS) {
+ } else if (classperms->flavor == CIL_MAP_CLASSPERMS) {
struct cil_list_item *i = NULL;
cil_list_for_each(i, classperms->r.mcp.perms) {
struct cil_map_perm *cmp = i->data;
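Review bot: the commit message should say why nothing was generated: `classperms->flavor` belongs to a `struct cil_classperms`, yet it was compared against the class flavors `CIL_CLASS` and `CIL_MAP_CLASS`, so neither branch ever matched and the loop silently emitted no constraint. Because the symptom was silent (no constraint, no error), it is worth confirming that this dispatch ends with an `else` that sets `rc` to an error and jumps to `exit` for an unexpected flavor; the hunk does not show one. As the rest of the thread notes, this only gets constraints emitted; attribute operands in the expression are still not expanded to their member types.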
--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
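Added here as an illustration of the expansion Richard asks for, not code from secilc or from anyone in this thread: a small Python script that reads the CIL segment above, collects the typeattributeset members, and renders the constrain statement in kernel policy syntax with the attribute replaced by its member types. The s-expression reader, the function names and the exact spacing of the output are my own assumptions; secilc's real output formatting may differ, and only flat typeattributeset lists are handled.

```python
import re

# Constructed CIL fragment, taken from the policy segment in the message above.
CIL = """
(typeattribute attribute_1)
(typeattributeset attribute_1 ax_t)
(typeattributeset attribute_1 bx_t)
(typeattributeset attribute_1 cx_t)
(constrain (file (execute_no_trans)) (or (and (eq t2 attribute_1) (eq t1 ax_t)) (neq r1 r2)))
"""
OPS = {"eq": "==", "neq": "!=", "dom": "dom", "domby": "domby", "incomp": "incomp"}

def parse(text):
    """Minimal s-expression reader: returns the list of top-level CIL forms."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", re.sub(r";.*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())  # close the current form
        else:
            stack[-1].append(tok)
    return stack[0]

def collect_attributes(forms):
    """Map attribute name -> set of member types (flat typeattributeset only)."""
    attrs = {}
    for f in forms:
        if f[0] == "typeattribute":
            attrs.setdefault(f[1], set())
        elif f[0] == "typeattributeset":
            attrs.setdefault(f[1], set()).update(f[2:])
    return attrs

def render(expr, attrs):
    """Kernel-policy syntax; an attribute operand becomes its member-type set."""
    op = expr[0]
    if op in OPS:
        lhs, rhs = expr[1], expr[2]
        if rhs in attrs:  # the expansion the thread says secilc was not doing
            rhs = "{ " + " ".join(sorted(attrs[rhs])) + " }"
        return f"( {lhs} {OPS[op]} {rhs} )"
    if op == "not":
        return f"( not {render(expr[1], attrs)} )"
    return "(" + f" {op} ".join(render(e, attrs) for e in expr[1:]) + ")"  # and / or

def expand_constraints(text):  # one kernel-policy line per CIL constrain statement
    attrs = collect_attributes(forms := parse(text))
    return [f"constrain {{ {f[1][0]} }} {{ {' '.join(f[1][1])} }} {render(f[2], attrs)};"
            for f in forms if f[0] == "constrain"]
```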