Role attributes in traditional language constraints

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi list,

I am using in my RefPolicy based policy constraints containing role-attributes:

    attribute_role unpriv_roles;
    ...
    constrain ...
        r1 != unpriv_role

This worked fine so far and the language specification [1][2] permits
the usage of type attributes (by using them in the examples) and
states not differences between `t1 op names` and `r1 op names`.

Today I debugged a crash of seinfo(1) on generated binary policies of mine.
`seinfo path/to/build/policy --constrain` segfaults at [3], when run
on a build binary policy.
These binary policies are generated by the RefPolicy target `make
validate`, running either semodule_link(8) and semodule_expand(8)
(modular build) or checkpolicy(8) (monolithic build).

Running `seinfo --constrain`, using the currently loaded kernel
policy, works fine and shows the expanded roles in the according
constrain (e.g. `r1 != { user_r guest_r ... }`).

On further testing I noticed that on Fedora 34 with libsepol 3.2
building such policies fails entirely:

    ...
    Validating policy file contexts.
    libsepol.validate_constraint_nodes: Invalid constraint expr
    libsepol.validate_class_datum: Invalid class datum
    libsepol.validate_datum_arrays: Invalid datum arrays
    libsepol.validate_policydb: Invalid policydb
    libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
    Error reading policy tmp/policy.bin: Success
    make: *** [Rules.modular:215: validate] Error 255

This seems to be caused by [4].

>From my point of view this is a regression:
Role-attributes in constraints worked prior libsepol 3.2, work in CIL
and are not explicitly disallowed by the language specification.
`validate_constraint_nodes()`[5] should accept attribute_role identifiers.

To fix the original seinfo crash, I'd like to ask whether setools
should accept role-attribute identifiers in compiled binary policies,
or if semodule_expand(8) and checkpolicy(8) should expand them at
build-time (currently they are expanded at load-time (load_policy(8)).

Best regards,
    Christian Göttsche


[1]: https://selinuxproject.org/page/ConstraintStatements
[2]: https://github.com/SELinuxProject/selinux-notebook/blob/main/src/constraint_statements.md#constraint-statements
[3]: https://github.com/SELinuxProject/setools/blob/master/setools/policyrep/role.pxi#L34
[4]: https://github.com/SELinuxProject/selinux/commit/0861c659b59cb106bad1b1d0c9f511a7140a1023
[5]: https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/policydb_validate.c#L170
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux