On Wed, May 27, 2020 at 10:23 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Fri, May 22, 2020 at 10:55 AM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > Type alias rules are not written out when converting a binary kernel
> > policy to a policy.conf. The problem is that type aliases are not in
> > the type_val_to_struct array and that is what is being used to find
> > the aliases.
> >
> > Since type aliases are only in the types hashtable, walk that to
> > find the type aliases.
> >
> > Fixed the syntax of the typealias rule which requires "alias" to come
> > between the type and the aliases (ex/ typealias TYPE alias ALIAS;).
> >
> > Fixes: 0a08fd1e69797d6a ("libsepol: Add ability to convert binary
> > policy to policy.conf file")
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> This fixes the missing alias problem, so:
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> However, in testing these, I noticed that if I do the following:
> checkpolicy -MF -o policy.conf -b /etc/selinux/targeted/policy/policy.32
> checkpolicy -MC -o policy.cil -b /etc/selinux/targeted/policy/policy.32
> checkpolicy -M -o policyfromconf policy.conf
> secilc -o policyfromcil policy.cil
> checkpolicy -M -o policyfromkernel -b /etc/selinux/targeted/policy.32
>
> then the three policyfrom* files differ in length and contents.
> Decompiling them all via checkpolicy -MF (or -MC) and diff'ing those
> (since sediff takes too long) appears to suggest differences from
> attribute removal (odd since I thought you reverted that), redundant
> rule removal (isn't that off by default too?), and portcon ordering
> (by protocol).
> Optimally we should be able to regenerate the same kernel policy from all
> three (although we might need to run the kernel policy through
> checkpolicy to normalize ordering).

Interesting. I thought that we had mostly fixed the ordering issues. I will take a look at this.

Jim