On Tue, Jan 28, 2020 at 02:00:08PM +0000, Lawrence, Stephen wrote:
> Looks to be an ordering issue with how we verify classmaps when they are
> nested. If you define (classmap common_appletalk_socket ...) before
> (classmap all_sockets ...), you'll get this error:
>
> Map class common_appletalk_socket does not have a classmapping for
> common_readwrite_socket_perms
> Map class common_appletalk_socket does not have a classmapping for
> common_create_socket_perms
>
> So you're just missing the mapping for common_appletalk_sockets.
>
> The right fix for the segfault isn't immediately clear to me--might need
> to change some orderings or maybe even add another verify pass? But
> adding the mapping should resolve your segfault for now.
>

Thanks. My bad: overlooked...

>
> On 1/28/20 7:25 AM, Dominick Grift wrote:
> > In trying to reduce points of failure in my policy I encountered another segfault
> >
> > I want to centralize common permissions, for example common create and common read/write socket perms:
> >
> > (classmap all_sockets
> >     (common_create_socket_perms common_readwrite_socket_perms))
> >
> > (classmap common_alg_socket
> >     (common_create_socket_perms common_readwrite_socket_perms))
> > (classmap common_appletalk_socket
> >     (common_create_socket_perms common_readwrite_socket_perms))
> >
> > (classmapping
> >     all_sockets
> >     common_create_socket_perms
> >     (common_alg_socket
> >         (common_create_socket_perms)))
> >
> > (classmapping
> >     all_sockets
> >     common_create_socket_perms
> >     (common_appletalk_socket
> >         (common_create_socket_perms)))
> >
> > (classmapping
> >     all_sockets
> >     common_readwrite_socket_perms
> >     (common_alg_socket
> >         (common_readwrite_socket_perms)))
> >
> > (classmapping
> >     all_sockets
> >     common_readwrite_socket_perms
> >     (common_appletalk_socket
> >         (common_readwrite_socket_perms)))
> >
> > (classmapping
> >     common_alg_socket
> >     common_create_socket_perms
> >     (alg_socket
> >         (append bind connect create getattr getopt ioctl read setattr setopt shutdown
> >          write)))
> >
> > (classmapping
> >     common_alg_socket
> >     common_readwrite_socket_perms
> >     (alg_socket
> >         (append bind connect getattr getopt ioctl read setattr setopt shutdown
> >          write)))
> >
> > (classpermission create_alg_socket_perms)
> >
> > (classpermissionset
> >     create_alg_socket_perms
> >     (common_alg_socket
> >         (common_create_socket_perms)))
> >
> > (classpermission readwrite_alg_socket_perms)
> >
> > (classpermissionset
> >     readwrite_alg_socket_perms
> >     (common_alg_socket
> >         (common_readwrite_socket_perms)))
> >
> > <snip>
> > Building AST from Parse Tree
> > Destroying Parse Tree
> > Resolving AST
> > Qualifying Names
> > Compile post process
> > make: *** [Makefile:21: policy.32] Segmentation fault (core dumped)
> >
>

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
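
The condition named in the reply above (a classmap permission with no classmapping) can be checked on the policy source before the compiler runs. The following is an added example, not part of the thread and not SELinux project code: the function names `parse` and `missing_classmappings` are hypothetical, the sample is constructed and abridged from the quoted policy, and the check assumes top-level statements with literal names only.

```python
import re

# Constructed sample, abridged from the policy quoted in the thread.
SAMPLE = """
(classmap common_appletalk_socket (common_create_socket_perms common_readwrite_socket_perms))
(classmap all_sockets (common_create_socket_perms common_readwrite_socket_perms))
(classmap common_alg_socket (common_create_socket_perms common_readwrite_socket_perms))
(classmapping all_sockets common_create_socket_perms
  (common_alg_socket (common_create_socket_perms)))
(classmapping all_sockets common_readwrite_socket_perms
  (common_appletalk_socket (common_readwrite_socket_perms)))
(classmapping common_alg_socket common_create_socket_perms
  (alg_socket (bind connect create)))
(classmapping common_alg_socket common_readwrite_socket_perms
  (alg_socket (bind connect read write)))
"""

def parse(text):
    """Parse CIL text into nested lists of atoms; ';' comments are dropped."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]

def missing_classmappings(text):
    """Return sorted (classmap, permission) pairs that have no classmapping."""
    declared, mapped = set(), set()
    for n in parse(text):  # top-level statements only (assumption)
        if not isinstance(n, list) or len(n) < 3:
            continue
        if n[0] == "classmap" and isinstance(n[2], list):
            declared.update((n[1], p) for p in n[2])
        elif n[0] == "classmapping" and isinstance(n[2], str):
            mapped.add((n[1], n[2]))
    return sorted(declared - mapped)

if __name__ == "__main__":
    # Same wording as the compiler error quoted in the thread.
    for cmap, perm in missing_classmappings(SAMPLE):
        print(f"Map class {cmap} does not have a classmapping for {perm}")
```

Because the check is a set difference over the whole file, it gives the same answer regardless of the order in which the classmap statements are declared.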