Re: classmapping with empty permissionset and neverallow leads to invalid policy

On Sat, Sep 12, 2020 at 7:42 AM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> My policy makes heavy use of neverallow statements and permissionsets. I wanted to optimize it by using classmappings.
>
> I've found that calling classmapping with an anonymous permissionset that results in an empty set breaks neverallow statements using those classmaps.
> I think that this should be allowed. classmapping only ever adds permissions to a classmap, so if it is called with an empty permission set it should result in a no-op.
>
> A minimal reproducer follows:
>
> ; test.cil
>
> (user u)
> (userrole u r)
> (role r)
> (roletype r t)
> (type t)
>
> (sensitivity s0)
> (sensitivityorder (s0))
>
> (userlevel u (s0))
> (userrange u ((s0) (s0)))
>
> (sid kernel)
> (sidorder (kernel))
> (context kernel_c (u r t ((s0) (s0))))
> (sidcontext kernel kernel_c)
>
> ;; Begin interesting stuff
>
> (class file (open read))
> (class dir (getattr search))
> (classorder (unordered file dir))
>
> (type a)
> (type b)
>
> (classmap testmap (internal))
> (classmapping testmap internal (file (not (open read)))) ; results in empty set
> (classmapping testmap internal (dir (getattr)))
>
> (allow a b (testmap (internal)))
> (neverallow a b (testmap (internal)))
>
> ; Results in 'allow a b:dir getattr;' but should have failed during Neverallow checks
>

Thanks for the report. The problem was that the expansion of the
classmap was stopped when the empty classmapping was reached. I sent a
patch to the list.

Jim

> --
> bauen1
> https://dn42.bauen1.xyz/
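The failure mode described in this thread, as an added illustration that is not secilc's own code: a small Python model of classmap expansion in which the neverallow side halts at the first classmapping that evaluates to an empty permission set, so the later `(dir (getattr))` entry is never checked against the allow rule. The `CLASSES`, `TESTMAP` and `stop_on_empty` names are assumptions introduced here, and the model supports only a subset of CIL's permission-expression syntax.

```python
# Added model of the CIL classmap bug from the thread; not secilc's own code.
# CLASSES, TESTMAP and the stop_on_empty flag are names introduced here.
CLASSES = {"file": {"open", "read"}, "dir": {"getattr", "search"}}

def eval_permset(cls, expr):
    """Evaluate a CIL-style permission expression for class `cls`.
    Supports a plain list of names, ["all"], ["not", e], ["and", e1, e2]
    and ["or", e1, e2] (a subset of CIL's permission-expression syntax)."""
    universe = CLASSES[cls]
    if expr == ["all"]:
        return set(universe)
    op = expr[0] if expr else None
    if op == "not":
        return universe - eval_permset(cls, expr[1])
    if op == "and":
        return eval_permset(cls, expr[1]) & eval_permset(cls, expr[2])
    if op == "or":
        return eval_permset(cls, expr[1]) | eval_permset(cls, expr[2])
    unknown = set(expr) - universe
    if unknown:
        raise ValueError(f"unknown permission(s) for class {cls}: {sorted(unknown)}")
    return set(expr)

def expand_classmap(mappings, stop_on_empty):
    """Flatten classmapping entries into (class, perm) pairs.
    stop_on_empty=True mimics the reported bug: expansion halts at the
    first entry whose permission set is empty, silently dropping the rest."""
    pairs = set()
    for cls, expr in mappings:
        perms = eval_permset(cls, expr)
        if not perms and stop_on_empty:
            break
        pairs |= {(cls, p) for p in perms}
    return pairs

# The reproducer's classmap: (file (not (open read))) is empty, (dir (getattr)) is not.
TESTMAP = [("file", ["not", ["open", "read"]]),
           ("dir", ["getattr"])]

def neverallow_violations(stop_on_empty):
    """Return (class, perm) pairs granted by 'allow a b (testmap (internal))'
    that 'neverallow a b (testmap (internal))' forbids.  The allow side is
    always expanded fully, matching the 'allow a b:dir getattr;' the report
    shows; only the neverallow side is subject to the stop-on-empty behaviour."""
    allowed = expand_classmap(TESTMAP, stop_on_empty=False)
    forbidden = expand_classmap(TESTMAP, stop_on_empty)
    return sorted(allowed & forbidden)

if __name__ == "__main__":
    print("buggy:", neverallow_violations(True))    # [] -> violation missed
    print("fixed:", neverallow_violations(False))   # [('dir', 'getattr')]
```

With the buggy behaviour the neverallow check reports nothing even though `dir getattr` is granted, which is exactly why an empty anonymous permissionset silently weakened the policy's neverallow coverage.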
