On Tue, May 30, 2017 at 12:43:25PM -0400, Steve Lawrence wrote: > On 05/30/2017 10:05 AM, Dominick Grift wrote: > > I have a typealias/typealiasactual in dssp2-standard at: > > > > https://github.com/DefenSec/dssp2-standard/blob/master/policy/system/rpm.cil#L18 > > > > This *works* > > > > However now i want to additionally associate "unconfined.user.subj" with "rpm_script_t" > > So i created a module: > > > > echo "(typealiasesactual rpm_script_t unconfined.user.subj)" > mytest.cil && semodule -i mytest.cil > > it returns (something along those lines): > > > > "subj is not an alias" > > > > however it seems as though the module did install. I cannot think of any simple way to determine whether it works as I cannot find any "seinfo --typealias" or sesearch "--typealiases" > > > > Anyway libsepol segfaults when i try to play more with this > > > > So I tried the following > > > > (typeattribute rpm_script_aliases_type_attribute) > > (typeattributeset rpm_script_aliases_type_attribute rpm.script.subj) > > (typeattributeset rpm_script_aliases_type_attribute unconfined.user.subj) > > > > (typealias rpm_script_t) > > (typealiasactual rpm_script_t rpm_script_aliases_type_attribute) > > > > This also return incoherent messages something like "invalid "." in ...", but it seems to install > > > > and after that everything just segfaults (libsepol), untill i remove my local customizations > > > > I dont know a better way to explain this but looks to me theres a serious bug in how typealiases are handled by libsepol: > > > > https://www.youtube.com/watch?v=qe-vqieu2jg > > > > The first argument to the typealiasactual statement must resolve to a > typealias, and the second argument must resolve to a type. In your above > CIL snipppet you have it resolving to an attribute, which is not > allowed. However, we weren't correctly checking these restrictions, > which could lead to segfaults and weird error messages. I've just sent a > patch that should fix this conditions and error out with helpful messages. Thanks a lot. Yes it should not have let me load that up because once that is loaded libsepol keeps segfaulting not matter what youre trying to load However thats not the whole story: just adding "(typealiasactual rpm_script_t unconfined.user.subj)" caused issues as well were it returned something along the lines of: "subj is not an alias" <- "subj" indicates to me that it only took the type and not the unconfined.user name space but rpm_script_t is a typealiases and unconfined.user.subj is a type, the only difference is that there was already another typealiasactual of "(typealiasactual rpm_script_t rpm.script.subj) I suspect that it for some reason in this scenario wasnt able to interpret unconfined.user.subj properly Also perculiar was it complaining about "." in identifiers Should I be able to associate two types with a single typealias like so?: (typealias foo) (typealiasactual foo bar) (typealiasactual foo baz) -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
