secilc bug

Today I hit a bug in secilc when compiling my policy with some modules excluded.

My policy is rather complex, and so I find the issue hard to explain, but I will try:

In my github.com/doverride/laptop policy (the auth.cil module to be precise) I have an auth_pam_config_object_type() macro that
essentially associates the calling type with the auth_pam_config_object_type type attribute, which in turn is associated with
the auth_object_type attribute that is used to grant auth_admin() access to all "auth object types".

The auth_pam_config_object_type() macro is called in various modules for various third party pam config files.

For example, xserver maintains /etc/pam.d/xserver, which is associated with xserver_pam_config_t, and xserver_pam_config_t is
associated with auth_pam_config_object_type.

This is just one example.

By excluding the xserver.cil module, the whole auth_pam_config_object_type, and all rules associated with it, vanish.
I noticed today that on a system where I excluded xserver.cil I no longer had access to /etc/security/access.conf (which is
associated with pam_config_t, and pam_config_t is associated with auth_pam_config_object_type).

By re-including the xserver.cil module, the rules that allow auth_admin() to maintain auth_object_type files reappeared.

To reproduce:

Clone my "laptop" policy and build it.

Use "sesearch -A -s auth_admin_subject_type | grep auth_object_type" to confirm that auth_admin_subject_type is allowed
to maintain file objects associated with auth_object_type.

Now exclude the xserver.cil module.

Use the above sesearch command again and notice how the rules granting auth_admin_subject_type access to maintain file objects
associated with auth_object_type have vanished.

P.S.:
Another really strange thing I noticed is that I have a compiled policy with a bunch of modules excluded that is bigger than
a policy with little or no modules excluded.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
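To make the attribute chain in the report concrete, the following is a constructed, minimal CIL policy added here as an example; it is not the author's laptop policy and does not claim to reproduce the bug, it only mirrors the structure described (a base module that defines auth_object_type, auth_pam_config_object_type and the auth_pam_config_object_type() macro and calls it for pam_config_t, plus a separate xserver.cil that calls the same macro for xserver_pam_config_t). The auth_admin_subject_type attribute and auth_admin_t type stand in for the post's auth_admin() macro; the sid, user, role, sensitivity and class declarations are only the boilerplate secilc needs to produce a loadable policy. Split the block into two files at the marked comment.

```cil
;; base.cil -- constructed minimal policy mirroring the attribute chain in the post
;; (not the author's laptop policy; the declarations below are just what secilc needs)
(mls true)
(sid kernel)
(sidorder (kernel))
(sensitivity s0)
(sensitivityorder (s0))
(user system_u)
(role system_r)
(userrole system_u system_r)
(userlevel system_u (s0))
(userrange system_u ((s0) (s0)))
(class file (read write))
(classorder (file))

;; attribute chain: auth_pam_config_object_type is a member of auth_object_type
(typeattribute auth_object_type)
(typeattribute auth_pam_config_object_type)
(typeattributeset auth_object_type (auth_pam_config_object_type))

;; macro that associates the calling type with auth_pam_config_object_type
(macro auth_pam_config_object_type ((type ARG1))
    (typeattributeset auth_pam_config_object_type (ARG1)))

;; "auth admin" subjects are granted access to every auth object type
(typeattribute auth_admin_subject_type)
(type auth_admin_t)
(typeattributeset auth_admin_subject_type (auth_admin_t))
(roletype system_r auth_admin_t)
(allow auth_admin_subject_type auth_object_type (file (read write)))

;; type for /etc/security/access.conf, an auth pam config object in the base module
(type pam_config_t)
(call auth_pam_config_object_type (pam_config_t))

(sidcontext kernel (system_u system_r auth_admin_t ((s0) (s0))))

;; ---------------- xserver.cil (separate file) ----------------
;; type for /etc/pam.d/xserver, also an auth pam config object
(type xserver_pam_config_t)
(call auth_pam_config_object_type (xserver_pam_config_t))
```

Build once with both files (`secilc -o policy.both base.cil xserver.cil`) and once with xserver.cil excluded (`secilc -o policy.noxserver base.cil`), then run the post's query against each binary, e.g. `sesearch -A -s auth_admin_subject_type policy.both | grep auth_object_type`. Since pam_config_t is associated with the attribute chain from base.cil alone, the allow rule on auth_object_type is expected to be present in both outputs; a difference between the two is the symptom the report describes. Comparing the sizes of the two output files with `ls -l` is the equivalent check for the P.S.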


