On Fri, May 22, 2020 at 10:55 AM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> Type alias rules are not written out when converting a binary kernel
> policy to a policy.conf. The problem is that type aliases are not in
> the type_val_to_struct array and that is what is being used to find
> the aliases.
>
> Since type aliases are only in the types hashtable, walk that to
> find the type aliases.
>
> Fixed the syntax of the typealias rule which requires "alias" to come
> between the type and the aliases (ex/ typealias TYPE alias ALIAS;).
>
> Fixes: 0a08fd1e69797d6a ("libsepol: Add ability to convert binary
> policy to policy.conf file")
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>

This fixes the missing alias problem, so:

Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>

However, in testing these, I noticed that if I do the following:

checkpolicy -MF -o policy.conf -b /etc/selinux/targeted/policy/policy.32
checkpolicy -MC -o policy.cil -b /etc/selinux/targeted/policy/policy.32
checkpolicy -M -o policyfromconf policy.conf
secilc -o policyfromcil policy.cil
checkpolicy -M -o policyfromkernel -b /etc/selinux/targeted/policy.32

then the three policyfrom* files differ in length and contents.

Decompiling them all via checkpolicy -MF (or -MC) and diff'ing those
(since sediff takes too long) appears to suggest differences from
attribute removal (odd since I thought you reverted that), redundant
rule removal (isn't that off by default too?), and portcon ordering
(by protocol).

Optimally we should be able to regenerate the same kernel policy from
all three (although we might need to run the kernel policy through
checkpolicy to normalize ordering).