On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
> For example this:
>
> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
>
> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>
> Says:
>
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
> Problem at policy/base/class_maps.cil:994
> Pass 14 of resolution failed
> Failed to resolve ast
> Failed to compile cildb: -2
> make: *** [Makefile:30: policy.32] Error 254
>
> Am I doing something wrong or is this unsupported?

Are we supposed to be able to use allowx rules in macros?

This works when the tunable is set false:

(tunable no_mac_addr true)
(block bla1
  (blockinherit system_agent_template)
  (macro stuff ((type ARG1))
    (tunableif no_mac_addr
      (true
        (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
        (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
      (false
        (allow ARG1 self create_tcp_stream_socket_perms)))))
(block blah2
  (blockinherit system_agent_template)
  (call bla1.stuff (subj)))

But when the tunable is set true:

<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
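The `(and (all) (not (0x8927)))` ioctl allowlist from the thread, evaluated in Python as an added example that is not part of the thread and not libsepol's own code. It assumes what SELinux extended permissions actually encode: a 16-bit ioctl command split into a "driver" byte (high 8 bits) and a "function" byte (low 8 bits), with one 256-bit function mask per driver; the function names and the tuple-based expression syntax are this example's own.

```python
# Added example: evaluate a CIL-style ioctl xperm set expression and show how
# it lands in SELinux's per-driver bitmap form. Not from the thread or libsepol.

SIOCGIFHWADDR = 0x8927  # the ioctl the thread's policy excludes
ALL_IOCTLS = frozenset(range(0x10000))  # ioctl commands are 16-bit for xperms
FULL_MASK = (1 << 256) - 1  # every function bit set for one driver

def driver(cmd: int) -> int:
    """Driver byte: high 8 bits of the ioctl command (assumed SELinux split)."""
    return (cmd >> 8) & 0xFF

def function(cmd: int) -> int:
    """Function byte: low 8 bits of the ioctl command."""
    return cmd & 0xFF

def eval_xperm(expr) -> frozenset:
    """Evaluate a nested expression mirroring CIL's permissionx set syntax.
    Forms: ("all",), ("not", e), ("and", a, b), ("or", a, b),
    ("range", lo, hi), or a bare int for one ioctl number."""
    if isinstance(expr, int):
        return frozenset({expr})
    op = expr[0]
    if op == "all":
        return ALL_IOCTLS
    if op == "not":
        return ALL_IOCTLS - eval_xperm(expr[1])
    if op == "and":
        return eval_xperm(expr[1]) & eval_xperm(expr[2])
    if op == "or":
        return eval_xperm(expr[1]) | eval_xperm(expr[2])
    if op == "range":
        return frozenset(range(expr[1], expr[2] + 1))
    raise ValueError(f"unknown xperm operator {op!r}")

def to_driver_masks(cmds) -> dict:
    """Group permitted ioctls into {driver_byte: 256-bit function mask}."""
    masks = {}
    for cmd in cmds:
        masks[driver(cmd)] = masks.get(driver(cmd), 0) | (1 << function(cmd))
    return masks

def summarize(masks: dict):
    """Split drivers into those allowed wholesale (driver-level rule) and
    those needing a function-level rule because some ioctls are excluded."""
    full = sorted(d for d, m in masks.items() if m == FULL_MASK)
    partial = {d: m for d, m in masks.items() if m != FULL_MASK}
    return full, partial

# The thread's expression: every ioctl except SIOCGIFHWADDR.
EXCEPT_HWADDR = ("and", ("all",), ("not", SIOCGIFHWADDR))
```

Running `summarize(to_driver_masks(eval_xperm(EXCEPT_HWADDR)))` shows 255 drivers granted in full and a single function-level mask for driver 0x89 with bit 0x27 cleared, which is the shape the kernel ends up enforcing for this rule.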