On Wed, Mar 04, 2020 at 01:53:47PM -0500, James Carter wrote:
> On Thu, Feb 27, 2020 at 2:51 PM Dominick Grift <dac.override@xxxxxxxxx> wrote:
> >
> > James Carter <jwcart2@xxxxxxxxx> writes:
> >
> > > Sorry, email problems have made life a bit difficult over the past
> > > week. Steve had to forward this to me.
> > >
> > > So far, I am unable to duplicate what you are seeing.
> >
> > You can try it with my dssp3 policy:
> >
> > git clone git://defensec.nl/dssp3.git
> > cd dssp3
> > [kcinimod@brutus dssp3 (master=)]$ secilc `find . -name "*.cil"`
> > [kcinimod@brutus dssp3 (master=)]$ sesearch policy.32 -T | grep sudo | grep tmp
> > type_transition sudo.subj file.log:file pam.faillog.log btmp;
> > type_transition sudo.subj file.tmp:file sudo.tmp;
> > [kcinimod@brutus dssp3 (master=)]$ sed -i 's/(call obj_type_transition_tmp_fixme (subj file))/(call obj_type_transition_tmp (subj file "*"))/' policy/app/s/sudo.cil
> > [kcinimod@brutus dssp3 (master *=)]$ secilc `find . -name "*.cil"`
> > [kcinimod@brutus dssp3 (master *=)]$ sesearch policy.32 -T | grep sudo | grep tmp
> > type_transition sudo.subj file.log:file pam.faillog.log btmp;
> > type_transition sudo.subj file.tmp:file sudo.tmp ARG3;
> >
> > Note the "ARG3" in the latter result
> >
>
> I found the problem. In dssp3/policy/user/user_runtimeuser.cil there
> is the following macro definition.

Thanks! I feel a little bad that it is a bug in my policy that brings
this to light (and that I couldn't find the bug in the policy myself)

Hopefully this event will help improve things.

Thanks again

>
> (macro obj_type_transition_runtimeuser ((type ARG1)(class ARG2)(name ARG2))
>     (call .file.runtimeuser_obj_type_transition
>         (ARG1 runtimeuser ARG2 ARG3)))
>
> Notice that ARG2 is used twice and ARG3 is not actually an argument
> and is taken as a name.
>
> There are a couple of bugs here. First, CIL should give an error for
> the duplicate argument names and, second, CIL should be checking if a
> name is actually a macro parameter before it checks whether that name
> is already in the name symbol table.
>
> You were seeing what you saw because the macro above is never called
> but it does put ARG3 into the symbol table so that it is not
> recognized as a parameter later.
>
> Jim

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
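The two defects Jim describes (a macro declaring the same parameter name twice, and a body that refers to a symbol that looks like a parameter but was never declared) are both visible in the policy text before secilc ever runs. The following is an added example, not code from secilc, dssp3 or anyone in the thread: a small linter that parses CIL s-expressions and reports exactly those two conditions for every `macro` form. It assumes the dssp3 naming convention that macro parameters are spelled `ARG1`, `ARG2`, ... (the `PARAM_LIKE` regex); the sample input is constructed from the macro quoted above plus a hypothetical corrected version with three distinct parameters, so one case trips the checks and the other passes.

```python
"""Lint CIL macro definitions for duplicate parameter names and for
ARGn-style symbols used in a macro body without being declared.
Added example; not part of secilc or the dssp3 policy."""
import re
from typing import Any, Iterator, List, Tuple

# Constructed sample: the buggy macro quoted in the thread, followed by a
# hypothetical corrected version (name ARG3 instead of a second ARG2).
SAMPLE_CIL = """
; buggy definition (as quoted in the thread)
(macro obj_type_transition_runtimeuser ((type ARG1)(class ARG2)(name ARG2))
    (call .file.runtimeuser_obj_type_transition
        (ARG1 runtimeuser ARG2 ARG3)))

; corrected definition (hypothetical fix: three distinct parameters)
(macro obj_type_transition_runtimeuser_fixed ((type ARG1)(class ARG2)(name ARG3))
    (call .file.runtimeuser_obj_type_transition
        (ARG1 runtimeuser ARG2 ARG3)))
"""

# Tokens: quoted strings, parens, bare symbols, and ';' comments to end of line.
TOKEN_RE = re.compile(r'"[^"]*"|[()]|[^\s()";]+|;[^\n]*')

# Assumption: parameters follow the ARGn convention used in dssp3.
PARAM_LIKE = re.compile(r"^ARG\d+$")


def tokenize(text: str) -> List[str]:
    """Split CIL text into tokens, discarding ';' comments."""
    return [t for t in TOKEN_RE.findall(text) if not t.startswith(";")]


def parse(tokens: List[str]) -> List[Any]:
    """Build nested Python lists from the token stream, one per top-level form."""
    stack: List[List[Any]] = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def symbols(form: Any) -> Iterator[str]:
    """Yield every bare symbol in a (possibly nested) form."""
    if isinstance(form, list):
        for sub in form:
            yield from symbols(sub)
    else:
        yield form


def lint_macros(cil_text: str) -> List[Tuple[str, str]]:
    """Return (macro_name, finding) pairs for every macro in cil_text."""
    findings: List[Tuple[str, str]] = []
    for form in parse(tokenize(cil_text)):
        if not (isinstance(form, list) and len(form) >= 3 and form[0] == "macro"):
            continue
        name, params, body = form[1], form[2], form[3:]
        # Each parameter is a (kind name) pair, e.g. (type ARG1).
        declared = [p[1] for p in params if isinstance(p, list) and len(p) == 2]
        for dup in sorted({p for p in declared if declared.count(p) > 1}):
            findings.append((name, f"duplicate parameter name {dup}"))
        used = {s for s in symbols(body) if PARAM_LIKE.match(s)}
        for sym in sorted(used - set(declared)):
            findings.append((name, f"{sym} used in body but not declared as a parameter"))
    return findings


if __name__ == "__main__":
    for macro, msg in lint_macros(SAMPLE_CIL):
        print(f"{macro}: {msg}")
```

Run against the sample, the buggy macro yields two findings (duplicate `ARG2`, undeclared `ARG3`) and the corrected one yields none; the undeclared-symbol check is the policy-side counterpart of Jim's second point, since a bare `ARG3` that is not a parameter is otherwise accepted silently as a name.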