Sorry, email problems have made life a bit difficult over the past week. Steve had to forward this to me.

So far, I am unable to duplicate what you are seeing. I tried to create policy similar to what you are doing, but I am getting the correct results. The following is what I tested (the attached policy is the full policy).

(macro trans_base ((type ARG1)(type ARG2)(type ARG3)(class ARG4)(name ARG5))
  (typetransition ARG1 ARG2 ARG4 ARG5 ARG3)
)

(block b0
  (type t0)
  (macro trans_add1 ((type ARG1)(type ARG2)(class ARG3)(name ARG4))
    (call trans_base (ARG1 t0 ARG2 ARG3 ARG4))
  )
)

(block b1
  (type t1a)
  (type t1b)
  (type t1c)
  (type t1d)
)

(in b1
  (macro trans_parent1a ((type ARG1)(class ARG2))
    (call .b0.trans_add1 (ARG1 t1a ARG2 "thisworks1a"))
  )
  (macro trans_parent2a ((type ARG1)(class ARG2)(name ARG3))
    (call .b0.trans_add1 (ARG1 t1b ARG2 ARG3))
  )
)

(call .b1.trans_parent1a (.b1.t1c CLASS))
(call .b1.trans_parent2a (.b1.t1d CLASS "thisdoesntwork2a"))

I then compiled and decompiled the policy:

  secilc -v -v -v -o test3.bin typetransition_problem_3.cil
  checkpolicy -b -C -o test3.cil test3.bin

In test3.cil, there are the following typetransition rules (which are as they should be):

(typetransition b1.t1c b0.t0 CLASS thisworks1a b1.t1a)
(typetransition b1.t1d b0.t0 CLASS thisdoesntwork2a b1.t1b)

I must be doing something slightly different from what your policy is doing and I could use help in figuring out what that might be.
Jim

---------- Forwarded message ---------
From: Dominick Grift <dominick.grift@xxxxxxxxxxx>
Date: Mon, Feb 24, 2020 at 12:07 PM
Subject: strange issue with name-base type trans
To: <selinux@xxxxxxxxxxxxxxx>

The scenario:

(in user
  (macro obj_type_transition_mytmp1 ((type ARG1)(class ARG2))
    (call .file.tmp_obj_type_transition (ARG1 tmp ARG2 "thisworks")))
  (macro obj_type_transition_mytmp2 ((type ARG1)(class ARG2)(name ARG3))
    (call .file.tmp_obj_type_transition (ARG1 tmp ARG2 ARG3))))

(call .user.obj_type_transition_mytmp1 (user.subj chr_file))
(call .user.obj_type_transition_mytmp2 (user.subj chr_file "thisdoesntwork"))

The outcome:

[root@myguest ~]# sesearch -T -s user.subj -c chr_file,blk_file | grep tmp
type_transition user.subj file.tmp:chr_file user.tmp ARG3;
type_transition user.subj file.tmp:chr_file user.tmp thisworks;
[root@myguest ~]# uname -a
Linux myguest 5.5.5-200.fc31.x86_64 #1 SMP Wed Feb 19 23:28:07 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@myguest ~]# rpm -qa libsepol
libsepol-3.0-3.fc32.x86_64
[root@myguest ~]# rpm -qa libselinux
libselinux-3.0-3.fc32.x86_64

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Attachment:
typetransition_problem_3.cil
Description: Binary data
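A small check, added here and not part of either message above, that scans sesearch -T output of the form Dominick quoted and flags type_transition rules whose object name is a bare ARGn placeholder, which is exactly how the unsubstituted name argument shows up in the compiled policy. The sample lines are constructed from the thread; the line format assumed is the one sesearch printed there.

```python
import re

# Constructed sample of `sesearch -T` output, modelled on the lines quoted in
# the thread: one rule carries the literal "ARG3" where the file name should be,
# and one rule has no name component at all.
SAMPLE_SESEARCH_OUTPUT = """\
type_transition user.subj file.tmp:chr_file user.tmp ARG3;
type_transition user.subj file.tmp:chr_file user.tmp thisworks;
type_transition user.subj file.tmp:blk_file user.tmp;
"""

# sesearch -T prints: type_transition SRC TGT:CLASS RESULT [NAME];
TYPE_TRANSITION_RE = re.compile(
    r"^type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<result>[^\s;]+)(?:\s+(?P<name>[^;]+))?;\s*$"
)

# A name that is exactly a CIL macro parameter placeholder (ARG1, ARG2, ...)
# almost certainly means a `name` argument was never substituted.
UNSUBSTITUTED_ARG_RE = re.compile(r"^ARG\d+$")


def parse_type_transitions(text):
    """Parse sesearch -T output into dicts; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = TYPE_TRANSITION_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def find_unsubstituted_names(text):
    """Return the parsed rules whose object name is a raw ARGn placeholder."""
    return [r for r in parse_type_transitions(text)
            if r["name"] is not None and UNSUBSTITUTED_ARG_RE.match(r["name"])]


if __name__ == "__main__":
    for r in find_unsubstituted_names(SAMPLE_SESEARCH_OUTPUT):
        print("suspicious rule: %(src)s -> %(tgt)s:%(cls)s %(result)s name=%(name)s" % r)
```

In practice, feed it the real output of sesearch -T against the loaded policy; any hit means a name-based transition macro lost its argument somewhere in the call chain.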