Re: secilc: in segfault

On 09/03/2015 09:20 AM, Dominick Grift wrote:
> On Thu, Sep 03, 2015 at 08:18:17AM -0400, James Carter wrote:
>> On 09/03/2015 05:48 AM, Dominick Grift wrote:
>>> Anyone tried "secilc test/in_test.cil" lately? It dumps core here.
>>>
>>> $ secilc test/in_test.cil
>>> Segmentation fault (core dumped)
>>
>> It works for me for the current master branch of SELinux userspace installed
>> locally. What version are you using?
>>
>> Jim
>
> Ok so that turns out to be a bug in Fedora. However.
>
> I can still get secilc to segfault on "in". I wonder if the following is
> or should be supported:
>
> The scenario is: I want to simplify my macros by using
> blockabstracts/inherits to provide a single point of failure
>
> As a matter of test I made these two changes:
>
> https://github.com/DefenSec/dssp/commit/85ba6f1848118e16b5544052dc5764663b272262
> https://github.com/DefenSec/dssp-contrib/commit/77442e1e4658df99d1ce74732338a9c4ad80a6a3
>
> However this makes secilc segfault, and I do not see why.


This doesn't appear to be ONLY because of the "in" block. It still segfaults even with moving everything inside the block and removing the "in" block.

It looks like one problem is with the use of a blockinherit inside a macro. Blocks and blockinherits are not allowed to be used in macros. As we were fixing CIL's name resolution last Fall we came to the conclusion that allowing both of these would provide little benefit while causing a lot of potential problems. But we are open to a discussion if you can provide a compelling use case.

Why not use something like this:

(block exec_blk
    (blockabstract exec_blk)
    (macro exec ((type ARG1))
        (call can_exec (ARG1 cmd_file))))

(block auditctl
    (blockinherit exec_blk))

(call auditctl.exec (some_type))

instead of:

(block exec_blk
    (blockabstract exec_blk)
    (call can_exec (ARG1 cmd_file)))

(block auditctl
    (macro exec ((type ARG1))
        (blockinherit exec_blk)))

(call auditctl.exec (some_type))


Jim

> I first thought it was because I was using "ARG1" in the blockabstract
> (see first commit). However that seems to not be the case.
>
> I am left wondering: what am I doing wrong here (obviously secilc should
> not segfault nevertheless)



--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
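
Added example (not part of the original message, and not code from secilc or the SELinux project): a small Python pre-check that parses CIL S-expressions and reports any block or blockinherit nested inside a macro, the construct the reply above says is not allowed. The function names and the treatment of every keyword-led list as a statement are assumptions of this sketch; the two sample policies are the forms shown in the message.

```python
import re

TOKEN = re.compile(r'\(|\)|"[^"]*"|;[^\n]*|[^\s()";]+')
FORBIDDEN_IN_MACRO = {"block", "blockinherit"}  # the rule stated in the reply

# Sample input: the two forms shown in the message, condensed onto fewer lines.
SUGGESTED = """(block exec_blk (blockabstract exec_blk)
  (macro exec ((type ARG1)) (call can_exec (ARG1 cmd_file))))
(block auditctl (blockinherit exec_blk))
(call auditctl.exec (some_type))"""
REJECTED = """(block exec_blk (blockabstract exec_blk) (call can_exec (ARG1 cmd_file)))
(block auditctl (macro exec ((type ARG1)) (blockinherit exec_blk)))
(call auditctl.exec (some_type))"""

def parse(text):
    """Parse CIL S-expressions (parens, strings, ';' comments) into nested lists."""
    root, stack = [], []
    node = root
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):          # comment runs to end of line
            continue
        if tok == "(":
            child = []
            node.append(child)
            stack.append(node)
            node = child
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            node = stack.pop()
        else:
            node.append(tok)
    if stack:
        raise ValueError("unbalanced '('")
    return root

def find_violations(nodes, macro=None, found=None):
    """Return (macro, keyword, name) for each block/blockinherit inside a macro."""
    found = [] if found is None else found
    for n in (x for x in nodes if isinstance(x, list) and x):
        head = n[0]
        name = n[1] if len(n) > 1 and isinstance(n[1], str) else "?"
        if macro and isinstance(head, str) and head in FORBIDDEN_IN_MACRO:
            found.append((macro, head, name))
        # Assumption of this sketch: any list led by a keyword is a statement.
        find_violations(n, name if head == "macro" else macro, found)
    return found

if __name__ == "__main__":
    print(find_violations(parse(REJECTED)))
```

Running such a check over policy sources before invoking the compiler points at the offending macro by name when the compiler itself only crashes.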


