Re: [PATCH 0/4] Fix/add optional file type handling for genfscon rules

On Thu, Nov 4, 2021 at 9:09 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Wed, Oct 27, 2021 at 5:32 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > genfscon rules have always supported an optional file type, but when
> > the ability for writing a policy.conf file from a kernel policy was
> > added to libsepol it did not include that support. Support for the
> > optional file type was also left out of CIL genfscon rules.
> >
> > This patch set fixes these problems.
> >
> > Patch 1 adds support for writing the optional file type in genfscon rules
> > when writing a policy.conf file from a kernel policy.
> >
> > Patches 2-4 add support in CIL for handling an optional file type
> > in genfscon rules, updates the CIL documentation, and adds support
> > when writing out CIL from a kernel policy or module as well.
> >
> > James Carter (4):
> >   libsepol: Add support for file types in writing out policy.conf
> >   libsepol/cil: Allow optional file type in genfscon rules
> >   secilc/docs: Document the optional file type for genfscon rules
> >   libsepol: Write out genfscon file type when writing out CIL policy
> >
> >  libsepol/cil/src/cil_binary.c               | 39 +++++++++++++++++++
> >  libsepol/cil/src/cil_build_ast.c            | 43 +++++++++++++++++++--
> >  libsepol/cil/src/cil_internal.h             |  1 +
> >  libsepol/src/kernel_to_cil.c                | 35 ++++++++++++++++-
> >  libsepol/src/kernel_to_conf.c               | 35 ++++++++++++++++-
> >  libsepol/src/module_to_cil.c                | 27 ++++++++++++-
> >  secilc/docs/cil_file_labeling_statements.md | 10 ++++-
> >  7 files changed, 179 insertions(+), 11 deletions(-)
>
> Something here breaks on the selinux-testsuite policy:
>
> # Run the test suite
> #
> make test
> make -C policy load
> make[1]: Entering directory '/root/selinux-testsuite/policy'
> # Test for "expand-check = 0" in /etc/selinux/semanage.conf
> # General policy build
> make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
> Compiling targeted test_policy module
> Creating targeted test_policy.pp policy package
> rm tmp/test_policy.mod tmp/test_policy.mod.fc
> make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
> # General policy load
> domain_fd_use --> on
> /usr/sbin/semodule -i test_policy/test_policy.pp
> test_mlsconstrain.cil test_overlay_defaultrange.cil
> test_userfaultfd.cil test_add_levels.cil test_glblub.cil
> What is going on?
> Failed to generate binary
> /usr/sbin/semodule: Failed!
> make[1]: *** [Makefile:189: load] Error 1
> make[1]: Leaving directory '/root/selinux-testsuite/policy'
> make: *** [Makefile:7: test] Error 2
> Error: Process completed with exit code 2.

Hello,

This error happens because cil_genfscon_init() does not initialize
->file_type, and cil_genfscon_to_policydb() then reads an
uninitialized value. The attached patch (on top of this series) fixed
the CI for me.

Cheers,
Nicolas
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 4cc7f87fa947..b210772cfdb7 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -2576,6 +2576,7 @@ void cil_genfscon_init(struct cil_genfscon **genfscon)
 	(*genfscon)->path_str = NULL;
 	(*genfscon)->context_str = NULL;
 	(*genfscon)->context = NULL;
+	(*genfscon)->file_type = 0; /* FIXME: "0" seems to mean "not initialized" but is not a value for enum cil_filecon_types. CIL_FILECON_ANY could be better? */
 }
 
 void cil_pirqcon_init(struct cil_pirqcon **pirqcon)
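Review bot: the new initializer stores 0 in file_type, which the FIXME on the same line admits is not a value of enum cil_filecon_types, so a rule written without a file type still reaches cil_genfscon_to_policydb() with an out-of-range value unless the parser overwrites the field. Initialize with the named enumerator the comment itself suggests (CIL_FILECON_ANY) so the consumer's switch sees a defined value, and either resolve the FIXME or move it out of the initializer line before this is applied. Since the series' patch 2 is the one that adds the file_type field to cil_internal.h, this initialization belongs folded into that patch rather than shipped as a follow-up fix.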
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 5c4b70f70353..29fb165e8352 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -3494,13 +3494,13 @@ int cil_genfscon_to_policydb(policydb_t *pdb, struct cil_sort *genfscons)
 				class_name = "lnk_file";
 				break;
 			default:
-				fprintf(stderr, "What is going on?\n");
+				cil_log(CIL_ERR, "genfscon used an unknown file type: %u\n", cil_genfscon->file_type);
 				rc = SEPOL_ERR;
 				goto exit;
 			}
 			class_datum = hashtab_search(pdb->p_classes.table, class_name);
 			if (!class_datum) {
-				fprintf(stderr, "What is going on?\n");
+				cil_log(CIL_ERR, "genfscon used a class which was not found in the policy: %s\n", class_name);
 				rc = SEPOL_ERR;
 				goto exit;
 			}
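Review bot: `%u` with cil_genfscon->file_type is a format mismatch if enum cil_filecon_types has a signed underlying type (the compiler picks int unless an enumerator forces otherwise); cast explicitly, e.g. `"...: %u\n", (unsigned int)cil_genfscon->file_type`, or use `%d` with an `(int)` cast. Since this default branch is exactly where an unset file_type lands (the first hunk's FIXME notes that 0 is not an enumerator), include the rule's path_str in both messages so the offending genfscon can be located in a large policy instead of only reporting the bad value or class name.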

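The failure Nicolas describes, an init routine that never writes an enum field and a consumer that switches on it, is easy to miss locally because the garbage value depends on what the allocator left behind. The following added example (not code from libsepol, the series, or Nicolas's patch) models that pattern in plain C: the enum layout, the class-name mapping and every function name are assumptions for illustration, and the 0xAA memset stands in for what a debug allocator would do to make the uninitialised read reproducible.

```c
/* Added example, not libsepol code. Models an init routine that leaves
 * an enum field unset and a consumer that switches on it, then shows
 * why poisoning allocations makes the defect reproducible. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: 0 is deliberately not a member, so an unset field is
 * distinguishable from every legitimate value. */
enum filecon_type {
	FT_FILE = 1,
	FT_DIR,
	FT_CHAR,
	FT_BLOCK,
	FT_SOCKET,
	FT_PIPE,
	FT_SYMLINK,
	FT_ANY
};

struct genfscon {
	const char *fs;
	const char *path;
	enum filecon_type file_type;
};

/* Unfixed init: mirrors the defect, file_type is never written. */
static void genfscon_init_unfixed(struct genfscon *g)
{
	g->fs = NULL;
	g->path = NULL;
}

/* Fixed init: an absent file type means "any", not "unset". */
static void genfscon_init_fixed(struct genfscon *g)
{
	g->fs = NULL;
	g->path = NULL;
	g->file_type = FT_ANY;
}

/* 1 if t is a defined enumerator (FT_ANY included), 0 otherwise. */
int file_type_is_valid(enum filecon_type t)
{
	return t >= FT_FILE && t <= FT_ANY;
}

/* Object class name a file type restricts the rule to; NULL for FT_ANY
 * (no restriction) and for any value outside the enum. */
const char *file_type_to_class(enum filecon_type t)
{
	switch (t) {
	case FT_FILE:    return "file";
	case FT_DIR:     return "dir";
	case FT_CHAR:    return "chr_file";
	case FT_BLOCK:   return "blk_file";
	case FT_SOCKET:  return "sock_file";
	case FT_PIPE:    return "fifo_file";
	case FT_SYMLINK: return "lnk_file";
	case FT_ANY:     return NULL;
	default:
		fprintf(stderr, "genfscon used an unknown file type: %d\n", (int)t);
		return NULL;
	}
}

/* Allocate a genfscon from memory poisoned with 0xAA (what a debug
 * allocator does), run the chosen init, and validate the field the
 * consumer would switch on. Returns 0 if the value is usable, 1 if the
 * consumer would have hit its error path. */
int check_init(int fixed)
{
	struct genfscon *g = malloc(sizeof(*g));
	int bad;
	if (!g)
		return -1;
	memset(g, 0xAA, sizeof(*g));
	if (fixed)
		genfscon_init_fixed(g);
	else
		genfscon_init_unfixed(g);
	bad = !file_type_is_valid(g->file_type);
	free(g);
	return bad;
}

int main(void)
{
	printf("unfixed init: %s\n", check_init(0) ? "error" : "ok");
	printf("fixed init:   %s\n", check_init(1) ? "error" : "ok");
	return 0;
}
```

With the unfixed init the poisoned bytes are read back as the file type and fail validation every time; with the fixed init the field is FT_ANY and maps to no class restriction. Running the real test suite under a poisoning allocator (or with the struct memset in the init routine itself) turns this class of bug from a CI-only surprise into a local failure.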