Re: Fwd: strange issue with name-base type trans

On Wed, Mar 04, 2020 at 01:53:47PM -0500, James Carter wrote:
> On Thu, Feb 27, 2020 at 2:51 PM Dominick Grift <dac.override@xxxxxxxxx> wrote:
> >
> > James Carter <jwcart2@xxxxxxxxx> writes:
> >
> > > Sorry, email problems has made life a bit difficult over the past
> > > week. Steve had to forward this to me.
> > >
> > > So far, I am unable to duplicate what you are seeing.
> >
> > You can try it with my dssp3 policy:
> >
> > git clone git://defensec.nl/dssp3.git
> > cd dssp3
> > [kcinimod@brutus dssp3 (master=)]$ secilc `find . -name "*.cil"`
> > [kcinimod@brutus dssp3 (master=)]$ sesearch policy.32 -T | grep sudo | grep tmp
> > type_transition sudo.subj file.log:file pam.faillog.log btmp;
> > type_transition sudo.subj file.tmp:file sudo.tmp;
> > [kcinimod@brutus dssp3 (master=)]$ sed -i 's/(call obj_type_transition_tmp_fixme (subj file))/(call obj_type_transition_tmp (subj file "*"))/' policy/app/s/sudo.cil
> > [kcinimod@brutus dssp3 (master *=)]$ secilc `find . -name "*.cil"`
> > [kcinimod@brutus dssp3 (master *=)]$ sesearch policy.32 -T | grep sudo | grep tmp
> > type_transition sudo.subj file.log:file pam.faillog.log btmp;
> > type_transition sudo.subj file.tmp:file sudo.tmp ARG3;
> >
> > Note the "ARG3" in the latter result
> >
> 
> I found the problem. In dssp3/policy/user/user_runtimeuser.cil there
> is the following macro definition.

Thanks! I feel a little bad that it is a bug in my policy that brings this to light (and that I couldn't find the bug in the policy myself).
Hopefully this event will help improve things.

Thanks again

> 
>     (macro obj_type_transition_runtimeuser ((type ARG1)(class ARG2)(name ARG2))
>            (call .file.runtimeuser_obj_type_transition
>                  (ARG1 runtimeuser ARG2 ARG3)))
> 
> Notice that ARG2 is used twice and ARG3 is not actually an argument
> and is taken as a name.
> 
> There are a couple of bugs here. First, CIL should give an error for
> the duplicate argument names and, second, CIL should be checking if a
> name is actually a macro parameter before it checks whether that name
> is already in the name symbol table.
> 
> You were seeing what you saw because the macro above is never called
> but it does put ARG3 into the symbol table so that it is not
> recognized as a parameter later.
> 
> Jim

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
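The two checks Jim describes (duplicate parameter names, and an ARGn-style symbol in a macro body that was never declared as a parameter) can be tried out on the macro from the thread with a small standalone linter. This is an added illustration, not code from CIL, secilc or dssp3; it assumes macro parameters follow the ARG<n> naming convention used above and only handles one (macro ...) form at a time.

```python
import re

# Constructed samples: the macro quoted in the thread, and the corrected form
# with (name ARG3) so that ARG3 is a real parameter.
BUGGY = '''(macro obj_type_transition_runtimeuser ((type ARG1)(class ARG2)(name ARG2))
       (call .file.runtimeuser_obj_type_transition
             (ARG1 runtimeuser ARG2 ARG3)))'''
FIXED = '''(macro obj_type_transition_runtimeuser ((type ARG1)(class ARG2)(name ARG3))
       (call .file.runtimeuser_obj_type_transition
             (ARG1 runtimeuser ARG2 ARG3)))'''


def parse_sexpr(text):
    """Minimal s-expression reader: returns nested lists of token strings."""
    tokens = re.findall(r'\(|\)|"[^"]*"|[^\s()]+', text)
    stack = [[]]
    for tok in tokens:
        if tok == '(':
            stack.append([])
        elif tok == ')':
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]


def flatten(node):
    """Yield every atom in a nested list, depth first."""
    if isinstance(node, list):
        for child in node:
            yield from flatten(child)
    else:
        yield node


def lint_macro(text):
    """Return a list of problems found in a single (macro name (params) body...) form."""
    form = parse_sexpr(text)[0]
    if form[0] != 'macro':
        raise ValueError('expected a (macro ...) form')
    name, params, body = form[1], form[2], form[3:]
    problems, seen = [], set()
    for _ptype, pname in params:          # each parameter is (type NAME)
        if pname in seen:
            problems.append(f'{name}: duplicate parameter name {pname}')
        seen.add(pname)
    for sym in flatten(body):             # ARGn used without being declared
        if re.fullmatch(r'ARG\d+', sym) and sym not in seen:
            problems.append(f'{name}: {sym} used in body but not declared; '
                            'CIL would treat it as a plain name')
    return problems
```

Running `lint_macro(BUGGY)` reports both the duplicate ARG2 and the undeclared ARG3, while `lint_macro(FIXED)` reports nothing.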


