Re: secilc: is anyone able to confirm that type_change ...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/09/2014 11:37 AM, Dominick Grift wrote:
> On Tue, 2014-07-08 at 15:21 -0400, Steve Lawrence wrote:
>> On 07/07/2014 10:45 AM, Dominick Grift wrote:
>>> On Mon, 2014-07-07 at 16:24 +0200, Dominick Grift wrote:
>>>> On Mon, 2014-07-07 at 10:00 -0400, Steve Lawrence wrote:
>>>>
>>>>> I can't reproduce the problem with my test policies. The typechange
>>>>> statements look like they are correctly inserted into the binary and I
>>>>> am seeing the expected type changes at runtime.
>>>>>
>>>>> Is this with your monogam policy?
>>>>>
>>>>
>>>> No, that one is no longer maintained.
>>>>
>>>> It is this very small base policy:
>>>>
>>>> https://github.com/doverride/e145
>>>>
>>>
>>> Note though, with that version, that there is no type_change rule from
>>> devpts_t to device_session_pts_t currently (so if you were to test this
>>> with sshd then it would be lacking the type change rule)
>>>
>>> Either insert that type_change rule manually or test it with the (local)
>>> login program since there is a type_change session_t
>>> device_tty_t:chr_file device_session_tty_t rule present.
>>>
>>> There is also a conditional type change rule for console_device_t to
>>> device_session_tty_t.
>>>
>>> I cannot imagine me having overlooked anything. Since there are only two
>>> domains (system_t and session_t), and both are virtually unconfined.
>>>
>>>
>>
>> Ok, finally managed to track down this issue. Turns out to be an
>> ordering problem. You have your classes listed in alphabetical order.
>> Order shouldn't matter with CIL and everything should work correctly,
>> and in most cases is does. However, we assign integer values to each
>> class based on the order we see them. So the first one we see gets value
>> 1, second gets 2, etc. If these values don't match up with what
>> userspace and the kernel expect them to be, things break.
>>
>> So the temporary solution is to reorder your class statements so that
>> they are in the order defined in flask.h [1] so they get the right values.
>>
>> The long term solution is to add a new statement to CIL (classorder,
>> similar to sidorder) that defines this order, allowing the class
>> definitions to appear in any order.
>>
>> Thanks,
>> - Steve
>>
>> [1]
>> https://github.com/SELinuxProject/selinux/blob/master/libselinux/include/selinux/flask.h
>>
>>
>>
> 
> That flask.h file in your url seems to be missing the kernel_service
> class? (is it outdated?)
> 
> I suspect that today's cilpolicy commit is also based on that
> (outdated?) flask.h file, so cilpolicy may fail to build due to missing
> kernel_service from classorder statement

We stopped updating flask.h and av_permissions.h in libselinux once the
dynamic class/perm mapping support was merged, only leaving the old
definitions intact for legacy code.

The kernel no longer cares about fixed values for the classes/perms; it
looks them up by name on policy load.


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux