On 11/11/2016 06:51 PM, Nick Kralevich wrote:
> (apologies if you received this message twice. I believe the first
> message got stuck in a moderation queue somewhere)
>
> I'm trying to hunt down what appears to be a weird checkpolicy bug.
>
> On Android, we have a special SELinux domain called "su". This domain
> is intended to be used during debugging and is always in permissive
> mode. To avoid generating a huge number of denials, we use a number of
> "dontaudit" rules to suppress SELinux denials.
>
> See https://android.googlesource.com/platform/system/sepolicy/+/0e1cbf568a9cc3dd0b26ead68a79d1f22dcb3add/private/su.te
>
> Specifically, the following dontaudit rule is in that file:
>
> dontaudit su self:capability_class_set *;
>
> which expands out to:
>
> dontaudit su self:{ capability capability2 } *;
>

That should not work. AFAIK you cannot use the "*" with two different
classes; you would need to:

dontaudit su self:capability *;
dontaudit su self:capability2 *;

Maybe the other policy ("bullhead") does not have the invalid
"dontaudit su self:capability_class_set *;" rule.

> However, on one device in particular ("marlin"), we find that this
> dontaudit rule is ineffective. It appears that the checkpolicy
> compiler is ignoring the dontaudit statement.
>
> $ sesearch --dontaudit -s su -c capability,capability2 /tmp/marlin.sepolicy
> dontaudit su su:capability sys_module;
> dontaudit su su:capability2 { mac_admin mac_override wake_alarm
> block_suspend syslog audit_read };
>
> However, this isn't happening on the other device ("bullhead"), which
> is compiled with a very similar policy:
>
> $ sesearch --dontaudit -s su -c capability,capability2 /tmp/bullhead.sepolicy
> dontaudit su su:capability { setuid setfcap sys_chroot
> net_bind_service sys_nice mknod fsetid kill net_admin sys_rawio
> audit_control sys_pacct sys_resource sys_ptrace dac_read_search
> sys_boot sys_admin audit_write net_raw setgid sys_time lease
> dac_override net_broadcast linux_immutable fowner sys_tty_config
> setpcap sys_module ipc_lock chown ipc_owner };
> dontaudit su su:capability2 { mac_admin mac_override wake_alarm
> block_suspend syslog audit_read };
>
> Steps to reproduce:
>
> 1) Download the following files and place them in /tmp
>
> http://kralevich.com/bullhead.policy.conf
> http://kralevich.com/marlin.policy.conf
>
> 2) Run the following commands to compile the policy:
>
> checkpolicy -M -c 30 -o /tmp/bullhead.sepolicy /tmp/bullhead.policy.conf
> checkpolicy -M -c 30 -o /tmp/marlin.sepolicy /tmp/marlin.policy.conf
>
> 3) Verify the dontaudit rules by running sesearch
>
> sesearch --dontaudit -s su -c capability,capability2 /tmp/marlin.sepolicy
> sesearch --dontaudit -s su -c capability,capability2 /tmp/bullhead.sepolicy
>
> Expected: the output from the sesearch command above is identical for
> each device.
>
> Actual: the output from the sesearch command differs.
>
> If anyone has any insight into this bug I'd appreciate it.
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
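Added here as an example, not code from either poster: a shell harness that runs the report's checkpolicy and sesearch steps on two policy.conf files and lists the dontaudit permissions one compiled policy kept but the other dropped, so a missing suppression can be caught before a build ships. It assumes checkpolicy and sesearch are on PATH; the file names and the embedded sample (the sesearch output quoted in the report) are constructed.

```shell
# Added example, not from the thread: compile two policy.conf files with the
# flags the report used, then list dontaudit permissions that survived in the
# reference policy but are missing from the suspect one. Paths are assumptions.
set -eu
compile_policy() {   # $1 = policy.conf, $2 = binary policy to write
    checkpolicy -M -c 30 -o "$2" "$1"
}
dontaudit_rules() {  # $1 = binary policy; sesearch output on stdout
    sesearch --dontaudit -s su -c capability,capability2 "$1"
}
normalize_rules() {
    # stdin: sesearch output (rules may wrap across lines, each ends in ';').
    # stdout: sorted "class permission" lines, independent of brace layout.
    awk 'BEGIN { RS = ";" }
         $1 == "dontaudit" {
             split($3, tc, ":")                       # su:capability
             for (i = 4; i <= NF; i++)
                 if ($i != "{" && $i != "}") print tc[2], $i
         }' | sort -u
}
missing_rules() {    # $1 = reference sesearch output, $2 = suspect output
    ref=$(mktemp); sus=$(mktemp)
    normalize_rules < "$1" > "$ref"
    normalize_rules < "$2" > "$sus"
    comm -23 "$ref" "$sus"                            # in ref, not in sus
    rm -f "$ref" "$sus"
}
check_policies() {   # $1 = reference policy.conf, $2 = suspect policy.conf
    compile_policy "$1" ref.sepolicy && compile_policy "$2" sus.sepolicy
    dontaudit_rules ref.sepolicy > ref.txt && dontaudit_rules sus.sepolicy > sus.txt
    missing_rules ref.txt sus.txt
}
# Constructed sample: the sesearch output quoted in the report for each device.
sample_bullhead() { cat <<'EOF'
dontaudit su su:capability { setuid setfcap sys_chroot
net_bind_service sys_nice mknod fsetid kill net_admin sys_rawio
audit_control sys_pacct sys_resource sys_ptrace dac_read_search
sys_boot sys_admin audit_write net_raw setgid sys_time lease
dac_override net_broadcast linux_immutable fowner sys_tty_config
setpcap sys_module ipc_lock chown ipc_owner };
dontaudit su su:capability2 { mac_admin mac_override wake_alarm
block_suspend syslog audit_read };
EOF
}
sample_marlin() { cat <<'EOF'
dontaudit su su:capability sys_module;
dontaudit su su:capability2 { mac_admin mac_override wake_alarm
block_suspend syslog audit_read };
EOF
}
```

`check_policies bullhead.policy.conf marlin.policy.conf` prints each "class permission" pair the marlin build lost; run on the quoted sample, `missing_rules` reports the 31 capability permissions absent from marlin and nothing for capability2.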