On Thu, Aug 26, 2021 at 9:21 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote: > > Vit Mojzis <vmojzis@xxxxxxxxxx> writes: > > > On 26. 08. 21 14:10, Dominick Grift wrote: > >> Vit Mojzis <vmojzis@xxxxxxxxxx> writes: > >> > >>> Hi, > >>> recent changes in block inheritance broke our use case where we use > >>> block inheritance for generating container policies > >>> (https://github.com/containers/udica/tree/main/udica/templates). Basically > >>> the policy is composed by inheriting selected "template" blocks, all > >>> of which inherit "container" block, so that they can use types defined > >>> there. > >>> > >>> Reproducer: > >>> (block template1 (type t) ) > >>> (block template2 (blockinherit template1)) > >>> (block b (blockinherit template1) (blockinherit template2)) > >> In this example there is no point in inheriting template1, because > >> template2 already inherits it. > >> > >> (block template1 > >> (type t)) > >> (block template2 > >> (blockinherit template1)) > >> (block b (blockinherit template2) > >> (allow t t (file (read)))) > >> > >> semodule -i test.cil > >> seinfo -t b.t > > Sure, but with more templates (as we have in udica) we get the same issue. > > > > (block template1 (type t) ) > > (block template2 (blockinherit template1)) > > (block template3 (blockinherit template1)) > > (block b (blockinherit template2) (blockinherit template3)) > > This boils down to the same as above, yes. > > > > > # semodule -i test.cil > > Re-declaration of type t > > Previous declaration of type at /var/lib/selinux/targeted/tmp/modules/400/test/cil:1 > > Failed to copy block contents into blockinherit > > Failed to resolve AST > > semodule: Failed! > > > > > > Template2 and template3 mostly inherit template1 for the type defined > > there (so that they can define rules containing the type). > > > >> > >>> #semodule -i test.cil > >>> Re-declaration of type t > >>> Previous declaration of type at > >>> /var/lib/selinux/targeted/tmp/modules/400/test/cil:1 > >>> Failed to copy block contents into blockinherit > >>> Failed to resolve AST > >>> semodule: Failed! > >>> > >>> This used to work just fine. > >>> > >>> The following workaround seems to be working as intended, but I'm not > >>> sure if it's the best approach. Types are only defined in template1 > >>> and the rest contains "optional" block, so that I can use types > >>> defined in template1). > >>> > >>> (block template1 (type t)) > >>> (block template2 > >>> (optional o > >>> (allow t t ( file ( read ))) > >>> ) > >>> ) > >>> (block b (blockinherit template1) (blockinherit template2)) > >> You can just do something like this: > >> > >> (block template1 (type t)) > >> (block template2 (blockinherit template1) (optional o (allow t t (file > >> (read)))) > >> (block b (blockinherit template2)) > >> semodule -i test.cil > >> sesearch -A -t b.t > > With more templates, this break as well. > > > > But the following works: > > > > (block template1 (type t)) > > (block template2 (optional o (allow t t (file (read))))) > > (block template3 (optional o (allow t t (file (write))))) > > (block b (blockinherit template1) (blockinherit template2) (blockinherit template3)) > > > > #semodule -i test.cil > > #sesearch -A -s b.t > > allow b.t b.t:file { read write }; > > > > Again, I'm not sure if this is the best solution, just the only one I managed to get working. > > Looks good enough to me (if it works then it works). I am just surprised that > the duplicate 'o' optional block is allowed. > Duplicate optional blocks are allowed unless an in-statement refers to one of them, because that is the only time the name matters. > Duplicate type declarations are no longer allowed as you noticed, but > fortunately you do not need them. > Duplicate types are allowed when using secilc with the "-m" option. Unfortunately, that doesn't help when using semodule. It would probably be possible to add the option if necessary. Jim > Whether this eventually is the best solution probably depends on other > aspects of the policy and on the requirements. > > > > > Vit > > > >>> #semodule -i test.cil > >>> #sesearch -A -s b.t > >>> allow b.t b.t:file read; > >>> > >>> Any pointers would be appreciated. > >>> > >>> Thank you. > >>> > >>> Vit > >>> > > > > -- > gpg --locate-keys dominick.grift@xxxxxxxxxxx > Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 > https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 > Dominick Grift
