On 09/04/2014 09:14 AM, Richard Haines wrote:
> I've been attempting to convert a monolithic policy (really a modular base policy with
> no modules) to CIL, however it fails with:
>
> Failed to resolve roletype statement at XX of /var/lib/selinux/modular-test/tmp/modules/400/base/cil
>
> when running: semodule -s modular-test -i base.pp
>
>
> The cause of this appears to be the following in policycoreutils/hll/pp/pp.c where the role
> statement is ignored for the base policy:
>
>
>     case ROLE_ROLE:
>         if (scope == SCOPE_DECL) {
>             if (pdb->policy_type == SEPOL_POLICY_MOD) {
>                 // roles are defined twice, once in a module and once in base.
>                 // CIL doesn't allow duplicate declarations, so only take the
>                 // roles defined in the modules
>                 cil_println(indent, "(role %s)", key);
>
> Question: Should these types of policies be supported? If so, should the CIL compiler
> cope with duplicate role statements, or the conversion service be modified to remove duplicates?
> Also there is a bug in that the CIL module is deleted from the tmp directory so you cannot
> view the failed conversion.
>
> I built the CIL module using pp directly (cat base.pp | ./pp > base.cil), then added the
> (role ...) statement; this compiled okay using secilc.

When working on a bug reported by Sven, we actually came across some problems with how roles and roletypes are converted from pp to CIL. We're working on those fixes now.

Regarding the duplicate role definition issue, it's kind of tricky. The current pp2cil conversion doesn't know anything about other modules, so it isn't capable of determining if two separate modules have a duplicate role definition. So we either have to 1) allow duplicate role definitions in CIL (though we don't currently allow any duplicate definitions of anything) or 2) consider policies that have duplicate roles invalid. I don't really like either solution, need to think about this some more...
As far as how to get better information for why a CIL module failed, this is something we've thought about, and may be something we can improve in the future. Right now you have to extract the HLL module from the store and compile it yourself. We're aware that's not particularly user friendly.

- Steve
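As an added example (not from this thread and not part of the SELinux tree), here is a small pre-import check for the second option discussed above: it looks across a set of CIL module texts for `(role ...)` names declared more than once, and can strip the later copies so secilc sees a single declaration. The module texts are constructed for the example.

```python
"""Find and drop duplicate (role ...) declarations across CIL modules.

Added example, not the SELinux project's code. It assumes each CIL module
is available as a string and that role declarations have the shape
"(role name)" that pp emits via cil_println(indent, "(role %s)", key).
"""
import re
from typing import Dict, List

# Constructed sample: a base module and a loadable module that both declare
# sysadm_r, which is exactly what a module-aware pp conversion would have to
# reconcile before secilc rejects the duplicate declaration.
MODULES: Dict[str, str] = {
    "base": "(role sysadm_r)\n(role user_r)\n(roletype user_r user_t)\n",
    "mod1": "    (role sysadm_r)\n(roletype sysadm_r sysadm_t)\n",
}

# One (role NAME) declaration on its own line; leading indent is allowed
# because pp indents declarations inside blocks.
ROLE_DECL = re.compile(r"^\s*\(role\s+([A-Za-z0-9_.]+)\s*\)\s*$", re.M)


def role_declarations(modules: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each declared role name to the list of modules declaring it."""
    seen: Dict[str, List[str]] = {}
    for mod_name, text in modules.items():
        for role in ROLE_DECL.findall(text):
            seen.setdefault(role, []).append(mod_name)
    return seen


def duplicate_roles(modules: Dict[str, str]) -> List[str]:
    """Role names declared in more than one module, sorted."""
    return sorted(r for r, mods in role_declarations(modules).items() if len(mods) > 1)


def dedupe_roles(modules: Dict[str, str]) -> Dict[str, str]:
    """Keep the first declaration of each role (in module order), drop the rest."""
    kept: set = set()
    out: Dict[str, str] = {}
    for mod_name, text in modules.items():
        lines = []
        for line in text.splitlines():
            m = ROLE_DECL.match(line)
            if m and m.group(1) in kept:
                continue  # later duplicate: drop the line
            if m:
                kept.add(m.group(1))
            lines.append(line)
        out[mod_name] = "\n".join(lines) + ("\n" if text.endswith("\n") else "")
    return out
```

Run `duplicate_roles` over the extracted HLL modules before `semodule -i` to see which role names would collide, and `dedupe_roles` to produce texts with a single declaration each.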