> -----Original Message----- > From: Roberts, William C > Sent: Thursday, January 26, 2017 11:17 AM > To: 'seandroid-list@xxxxxxxxxxxxx' <seandroid-list@xxxxxxxxxxxxx> > Cc: 'Stephen Smalley' <sds@xxxxxxxxxxxxx>; 'Nick Kralevich' <nnk@xxxxxxxxxx>; > 'selinux@xxxxxxxxxxxxx' <selinux@xxxxxxxxxxxxx> > Subject: RE: CIL Typepermissive Symbol not inside parenthesis > > > > > -----Original Message----- > > From: Roberts, William C > > Sent: Thursday, January 26, 2017 10:39 AM > > To: seandroid-list@xxxxxxxxxxxxx > > Cc: 'Stephen Smalley' <sds@xxxxxxxxxxxxx>; 'Nick Kralevich' > > <nnk@xxxxxxxxxx>; selinux@xxxxxxxxxxxxx > > Subject: CIL Typepermissive Symbol not inside parenthesis > > > > Building for Hikey (Android) with a type permissive statement on > > hci_attach, yields this error: > > > > /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30 > > out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_ > > policy_n > > vr.cil > > out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/ma > > pping > > /current.cil > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/no > > nplat_ > > policy_nvr.cil -o > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp ) > > && (out/host/linux-x86/bin/sepolicy-analyze > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp > > permissive > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permi > > ssived omains ) && (if [ \"userdebug\" = \"user\" -a -s > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived > > omains ]; then echo \"==========\" 1>&2; echo > \"ERROR: > > permissive domains not allowed in user builds\" 1>&2; echo > \"List of > > invalid domains:\" 1>&2; cat > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived > > omains 1>&2; exit 1; fi ) && (mv > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )" > > Symbol not inside parenthesis at line 1239 of > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/no > > nplat_ > > policy_nvr.cil > > > > To reproduce apply this patch to device/linaro/hikey: > > diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index > > d87f444..1990d54 100644 > > --- a/sepolicy/hci_attach.te > > +++ b/sepolicy/hci_attach.te > > @@ -1,6 +1,8 @@ > > type hci_attach, domain; > > type hci_attach_exec, exec_type, file_type; > > > > +permissive hci_attach; > > + > > init_daemon_domain(hci_attach) > > > > allow hci_attach kernel:system module_request; > > > > and build sepolicy > > > > make -j4 sepolicy > > > > I have no idea what's hgappening, but the statement looks different > > than all the other CIL statements: > > > > Failing CIL snippet: > > > > (type hci_attach) > > (roletype object_r hci_attach) > > CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r > > hci_attach_exec) (type hci_attach_tmpfs) > > > > > > Some of things call routines like cil_write_roletype() in write_ast.c, but some just > frpintf(CIL_<CAPS>). Are these features not implemented? > > If I apply this hack it works: > diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c > index 4ebda6a..8a25680 100644 > --- a/libsepol/cil/src/cil_write_ast.c > +++ b/libsepol/cil/src/cil_write_ast.c > @@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node > *node, uint32_t *finished, void > fprintf(cil_out, "CIL_TYPEBOUNDS "); > break; > case CIL_TYPEPERMISSIVE: > - fprintf(cil_out, "CIL_TYPEPERMISSIVE "); > + fprintf(cil_out, "(typepermissive hci_attach)\n"); > break; > case CIL_TYPEATTRIBUTE: > > The output looks ok from sepolicy-analyze: > > $ sepolicy-analyze $OUT/root/sepolicy permissive crash_dump su hci_attach FYI This does not affect upstream SE Linux, it looks like Dan Cashman over at Google authored the file, So ill drop common selinux mailing listr on further responses. I'll take a look at fixing this today... _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
