Re: SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query


 



On 09/04/2014 09:44 AM, Steve Lawrence wrote:
On 09/04/2014 09:14 AM, Richard Haines wrote:
I've been attempting to convert a monolithic policy (really a modular base policy with
no modules) to CIL, however it fails with:

Failed to resolve roletype statement at XX of /var/lib/selinux/modular-test/tmp/modules/400/base/cil

when running: semodule -s modular-test -i base.pp


The cause of this appears to be the following in policycoreutils/hll/pp/pp.c where the role
statement is ignored for the base policy:


     case ROLE_ROLE:
         if (scope == SCOPE_DECL) {
             if (pdb->policy_type == SEPOL_POLICY_MOD) {
                 // roles are defined twice, once in a module and once in base.
                 // CIL doesn't allow duplicate declarations, so only take the
                 // roles defined in the modules
                 cil_println(indent, "(role %s)", key);

Question: Should these types of policies be supported? If so, should the CIL compiler
cope with duplicate role statements, or should the conversion service be modified to remove duplicates?
Also there is a bug in that the CIL module is deleted from the tmp directory so you cannot
view the failed conversion.

I built the CIL module using pp directly (cat base.pp | ./pp > base.cil), then added the
(role ...) statement, this compiled okay using secilc.


When working on a bug reported by Sven, we actually came across some
problems with how roles and roletypes are converted from pp to CIL.
We're working on those fixes now.

Regarding the duplicate role definition issue, it's kind of tricky. The
current pp2cil conversion doesn't know anything about other modules, so
it isn't capable of determining if two separate modules have a duplicate
role definition. So we either have to 1) allow duplicate role
definitions in CIL (though, we don't currently allow any duplicate
definitions of anything) or 2) consider policies that have duplicate
roles invalid. I don't really like either solution, need to think about
this some more...


I don't want to allow duplicate declarations as a normal part of CIL, but maybe there could be a command line option that would just display a warning and ignore a duplicate declaration. I will have to think about the ramifications of this. I am worried that there will be corner cases where the generated kernel policy will be different depending on which duplicate is ignored.

As far as how to get better information for why a CIL module failed,
this is something we've thought about, and may be something we can
improve in the future. Right now you have to extract the HLL module from
the store and compile it yourself. We're aware that's not particularly
user friendly.

- Steve


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.




--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
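A cross-module check of the kind the thread says pp2cil cannot do on its own, as an added example (not code from the SELinux userspace project): it parses a set of CIL modules and reports roles declared in more than one module, plus roletype statements whose role no module declares, which is the "Failed to resolve roletype" situation for a base policy whose (role ...) line pp dropped. The module contents are constructed samples and block namespacing is not modelled.

```python
import re
from collections import defaultdict

# Constructed sample (not real policy): base.cil mirrors pp's output for a base
# policy, where (role ...) is dropped but (roletype ...) is kept.
SAMPLE_MODULES = {
    "base.cil": "(type user_t) (type bin_t) (roletype user_r user_t)",
    "mod_a.cil": "(role user_r) (type app_t) (roletype user_r app_t)",
    "mod_b.cil": "(role user_r) (type other_t) (roletype staff_r other_t)",
}
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

def parse_cil(text):
    """Parse CIL s-expressions into nested lists; ';' starts a line comment."""
    stack, current = [], []
    for line in text.splitlines():
        for tok in TOKEN_RE.findall(line.split(";", 1)[0]):
            if tok == "(":
                stack.append(current)
                current = []
            elif tok == ")":
                if not stack:
                    raise ValueError("unbalanced ')'")
                done, current = current, stack.pop()
                current.append(done)
            else:
                current.append(tok)
    if stack:
        raise ValueError("unbalanced '('")
    return current

def statements(node):
    """Yield each statement, descending into blocks (namespacing is ignored)."""
    for item in node:
        if isinstance(item, list) and item and isinstance(item[0], str):
            yield item
            yield from statements(item[1:])

def check_modules(modules):
    """Return (duplicates, unresolved) for a dict of {module name: CIL text}."""
    declared, referenced = defaultdict(list), defaultdict(set)
    for name, text in modules.items():
        for stmt in statements(parse_cil(text)):
            if stmt[0] == "role" and len(stmt) == 2:      # (role NAME)
                declared[stmt[1]].append(name)
            elif stmt[0] == "roletype" and len(stmt) == 3:  # (roletype ROLE TYPE)
                referenced[stmt[1]].add(name)
    duplicates = {r: m for r, m in declared.items() if len(m) > 1}
    unresolved = {r: sorted(m) for r, m in referenced.items() if r not in declared}
    return duplicates, unresolved
```

Run `check_modules` over the extracted HLL/CIL modules from the store before `semodule` rebuilds the policy to see which role a failing roletype refers to and where it is declared.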