Re: Cil block inheritance

On 26. 08. 21 15:21, Dominick Grift wrote:
> Vit Mojzis <vmojzis@xxxxxxxxxx> writes:
>
>> On 26. 08. 21 14:10, Dominick Grift wrote:
>>> Vit Mojzis <vmojzis@xxxxxxxxxx> writes:
>>>
>>>> Hi,
>>>> recent changes in block inheritance broke our use case where we use
>>>> block inheritance for generating container policies
>>>> (https://github.com/containers/udica/tree/main/udica/templates). Basically
>>>> the policy is composed by inheriting selected "template" blocks, all
>>>> of which inherit the "container" block, so that they can use types defined
>>>> there.
>>>>
>>>> Reproducer:
>>>> (block template1 (type t) )
>>>> (block template2 (blockinherit template1))
>>>> (block b (blockinherit template1) (blockinherit template2))
>>>
>>> In this example there is no point in inheriting template1, because
>>> template2 already inherits it.
>>>
>>> (block template1
>>>          (type t))
>>> (block template2
>>>          (blockinherit template1))
>>> (block b (blockinherit template2)
>>>          (allow t t (file (read))))
>>>
>>> semodule -i test.cil
>>> seinfo -t b.t
>>
>> Sure, but with more templates (as we have in udica) we get the same issue.
>>
>> (block template1 (type t) )
>> (block template2 (blockinherit template1))
>> (block template3 (blockinherit template1))
>> (block b (blockinherit template2) (blockinherit template3))
>
> This boils down to the same as above, yes.
>
>> # semodule -i test.cil
>> Re-declaration of type t
>> Previous declaration of type at /var/lib/selinux/targeted/tmp/modules/400/test/cil:1
>> Failed to copy block contents into blockinherit
>> Failed to resolve AST
>> semodule:  Failed!
>>
>>>> Template2 and template3 mostly inherit template1 for the type defined
>>>> there (so that they can define rules containing the type).
>>>>
>>>> #semodule -i test.cil
>>>> Re-declaration of type t
>>>> Previous declaration of type at /var/lib/selinux/targeted/tmp/modules/400/test/cil:1
>>>> Failed to copy block contents into blockinherit
>>>> Failed to resolve AST
>>>> semodule: Failed!
>>>>
>>>> This used to work just fine.
>>>>
>>>> The following workaround seems to be working as intended, but I'm not
>>>> sure if it's the best approach. Types are only defined in template1
>>>> and the rest contain "optional" blocks, so that I can use types
>>>> defined in template1.
>>>>
>>>> (block template1 (type t))
>>>> (block template2
>>>>        (optional o
>>>>            (allow t t ( file ( read )))
>>>>        )
>>>> )
>>>> (block b (blockinherit template1) (blockinherit template2))
>>>
>>> You can just do something like this:
>>>
>>> (block template1 (type t))
>>> (block template2 (blockinherit template1) (optional o (allow t t (file (read)))))
>>> (block b (blockinherit template2))
>>> semodule -i test.cil
>>> sesearch -A -t b.t
>>
>> With more templates, this breaks as well.
>>
>> But the following works:
>>
>> (block template1 (type t))
>> (block template2 (optional o (allow t t (file (read)))))
>> (block template3 (optional o (allow t t (file (write)))))
>> (block b (blockinherit template1) (blockinherit template2) (blockinherit template3))
>>
>> #semodule -i test.cil
>> #sesearch -A -s b.t
>> allow b.t b.t:file { read write };
>>
>> Again, I'm not sure if this is the best solution, just the only one I managed to get working.
>
> Looks good enough to me (if it works then it works). I am just surprised that
> the duplicate 'o' optional block is allowed.

Thanks, I'll use different names for the optional blocks just to be sure.

> Duplicate type declarations are no longer allowed as you noticed, but
> fortunately you do not need them.
>
> Whether this eventually is the best solution probably depends on other
> aspects of the policy and on the requirements.

Sure, I guess I just needed to know that I'm not doing something wrong.
Thank you.

Vit

>> Vit
>>
>>>> #semodule -i test.cil
>>>> #sesearch -A -s b.t
>>>> allow b.t b.t:file read;
>>>>
>>>> Any pointers would be appreciated.
>>>>
>>>> Thank you.
>>>>
>>>> Vit
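The thread's failure mode is easier to see with a model of what `blockinherit` does: it copies the inherited block's contents into the inheriting block, so a type that reaches one block through two templates is declared twice there. The following is an added illustration, written for this page and not code from secilc, udica or any of the participants. It is a toy resolver that handles only `block`, `blockinherit`, `optional`, `type` and `allow` statements (the names `resolve`, `check` and `search_allows`, and the embedded policies, are this example's own; the two policies are copied from the thread), and it reproduces the re-declaration error for the diamond layout and the merged `sesearch`-style rule for the optional-only templates. Nothing here needs an SELinux host.

```python
# Added example (not code from secilc, udica or the thread): a toy model of
# how CIL's blockinherit copies a block's contents into the inheriting block.
# It is enough to show why the "diamond" layout from the thread fails with
# "Re-declaration of type t" and why templates that carry only optional allow
# rules resolve cleanly.  Only block, blockinherit, optional, type and allow
# statements are modelled; optional names are not checked.
import re
from collections import OrderedDict


class CilError(Exception):
    """Resolution failure in the toy model."""


class RedeclarationError(CilError):
    """A type would be declared twice in the same block."""


def parse(text):
    """Parse CIL s-expressions into nested lists of strings."""
    tokens = re.findall(r"\(|\)|[^\s()]+", text)
    pos = 0

    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1  # consume the closing ')'
            return items
        if tok == ")":
            raise SyntaxError("unexpected ')'")
        return tok

    stmts = []
    while pos < len(tokens):
        stmts.append(read())
    return stmts


def _flatten(body):
    """Yield statements, descending into optional blocks (which declare nothing)."""
    for stmt in body:
        if stmt[0] == "optional":
            yield from _flatten(stmt[2:])
        else:
            yield stmt


def resolve(policy_text):
    """Expand blockinherit for every top-level block.

    Returns {block: {"types": [...], "allows": [(src, tgt, class, perms), ...]}}.
    As in secilc, copying a type declaration into a block that already
    declares that name is an error.
    """
    blocks = OrderedDict((s[1], s[2:]) for s in parse(policy_text) if s[0] == "block")
    resolved, done = {}, set()

    def add_type(block, t):
        if t in resolved[block]["types"]:
            raise RedeclarationError(f"Re-declaration of type {t} in block {block}")
        resolved[block]["types"].append(t)

    def expand(name, chain=()):
        if name in done:
            return resolved[name]
        if name in chain:
            raise CilError(f"cyclic blockinherit involving {name}")
        if name not in blocks:
            raise CilError(f"unknown block {name}")
        resolved[name] = {"types": [], "allows": []}
        for stmt in _flatten(blocks[name]):
            if stmt[0] == "blockinherit":
                parent = expand(stmt[1], chain + (name,))
                for t in parent["types"]:   # copied declarations can collide
                    add_type(name, t)
                resolved[name]["allows"].extend(parent["allows"])
            elif stmt[0] == "type":
                add_type(name, stmt[1])
            elif stmt[0] == "allow":
                src, tgt, (cls, perms) = stmt[1], stmt[2], stmt[3]
                resolved[name]["allows"].append((src, tgt, cls, tuple(perms)))
        done.add(name)
        return resolved[name]

    for name in blocks:
        expand(name)
    return resolved


def check(policy_text):
    """Return None when the policy resolves, else the first error message."""
    try:
        resolve(policy_text)
    except CilError as e:
        return str(e)
    return None


def search_allows(policy_text, block):
    """Render a block's allow rules the way sesearch prints them, merging permissions."""
    merged = OrderedDict()
    for src, tgt, cls, perms in resolve(policy_text)[block]["allows"]:
        merged.setdefault((f"{block}.{src}", f"{block}.{tgt}", cls), set()).update(perms)
    lines = []
    for (src, tgt, cls), perms in merged.items():
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return lines


# The two layouts from the thread: the diamond that fails, and the workaround.
DIAMOND_POLICY = """
(block template1 (type t) )
(block template2 (blockinherit template1))
(block template3 (blockinherit template1))
(block b (blockinherit template2) (blockinherit template3))
"""

OPTIONAL_POLICY = """
(block template1 (type t))
(block template2 (optional o (allow t t (file (read)))))
(block template3 (optional o (allow t t (file (write)))))
(block b (blockinherit template1) (blockinherit template2) (blockinherit template3))
"""

if __name__ == "__main__":
    print(check(DIAMOND_POLICY))    # Re-declaration of type t in block b
    print(check(OPTIONAL_POLICY))   # None
    print("\n".join(search_allows(OPTIONAL_POLICY, "b")))  # allow b.t b.t:file { read write };
```

The model makes the design point explicit: declarations (`type`) must live in exactly one block on every inheritance path, while rules that only reference those declarations can be inherited from as many templates as needed, because rules are not subject to the re-declaration check. Wrapping the rules in `optional` blocks, as in the thread, additionally keeps a template from breaking the whole policy if a referenced type is absent.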




