selinux.vger.kernel.org archive mirror
* checkpolicy does not forward (t1 == t2) constraint correctly
@ 2020-03-17 20:09 Christian Göttsche
  2020-03-19 10:11 ` [PATCH] libsepol: set correct second argument of (t1 == t2) constraint Christian Göttsche
  2020-03-19 10:53 ` Christian Göttsche
  0 siblings, 2 replies; 5+ messages in thread
From: Christian Göttsche @ 2020-03-17 20:09 UTC (permalink / raw)
  To: selinux

Hi,

the following cil constraint works correctly:
    (constrain (kernel_service (create_files_as)) (eq t1 t2 ))

but the te-style constraint fails at load_policy time:
    constrain kernel_service create_files_as ( t1 == t2 );

with
    Invalid syntax
    Invalid constraint syntax
    Bad expression tree for constraint
    Bad constrain declaration at /var/lib/selinux/debian/tmp/modules/100/base/cil:957
    /usr/sbin/semodule:  Failed!
    make: *** [Rules.modular:59: load] Error 1


* [PATCH] libsepol: set correct second argument of (t1 == t2) constraint
  2020-03-17 20:09 checkpolicy does not forward (t1 == t2) constraint correctly Christian Göttsche
@ 2020-03-19 10:11 ` Christian Göttsche
  2020-03-19 10:53 ` Christian Göttsche
  1 sibling, 0 replies; 5+ messages in thread
From: Christian Göttsche @ 2020-03-19 10:11 UTC (permalink / raw)
  To: selinux

Currently a constraint `t1 == t2` gets converted to the invalid cil syntax `(mlsconstrain (class_name (perm_name)) (eq t1 ))` and fails to be loaded into the kernel.

Fixes: 893851c0a146ef392b8d77de737d52245345129e ("policycoreutils: add a HLL compiler to convert policy packages (.pp) to CIL")
---
Has nobody ever used a constraint with this syntax??

 libsepol/src/module_to_cil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 6fe7d336..a87bc15e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -1745,7 +1745,7 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp
 			case CEXPR_ROLE:                 attr1 = "r1"; attr2 = "r2"; break;
 			case CEXPR_ROLE | CEXPR_TARGET:  attr1 = "r2"; attr2 = "";   break;
 			case CEXPR_ROLE | CEXPR_XTARGET: attr1 = "r3"; attr2 = "";   break;
-			case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "";   break;
+			case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "t2"; break;
 			case CEXPR_TYPE | CEXPR_TARGET:  attr1 = "t2"; attr2 = "";   break;
 			case CEXPR_TYPE | CEXPR_XTARGET: attr1 = "t3"; attr2 = "";   break;
 			case CEXPR_L1L2:                 attr1 = "l1"; attr2 = "l2"; break;
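
Review bot: nothing between this table and the CIL writer rejects an empty `attr2`, which is how the old `CEXPR_TYPE` arm ended up emitting `(eq t1 )`. The new `"t2"` value brings the arm in line with `CEXPR_ROLE` (`r1`/`r2`) and `CEXPR_L1L2` (`l1`/`l2`), which looks right. Consider also adding a check where the expression string is built that returns an error when an attribute-to-attribute comparison has an empty second operand, so a wrong table entry fails at conversion time instead of at policy load.
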
-- 
2.26.0.rc2
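
An added example, not part of the patch or of libsepol: a small C lint that scans generated CIL text for comparison leaves such as `(eq t1 )` that lack a second operand, the malformed output this message describes. The function names, the operator list and the third sample line are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: CIL comparison operators that take two operands. */
static const char *const BINARY_OPS[] = { "eq", "neq", "dom", "domby", "incomp" };

/* Count the operands of the list starting at s[0] == '(' (items after the
 * operator; a nested list counts as one). Returns -1 if it never closes. */
static int operand_count(const char *s)
{
    int depth = 0, tokens = 0, in_tok = 0;
    for (; *s; s++) {
        int paren = (*s == '(') - (*s == ')');      /* +1 open, -1 close */
        int word = !paren && !isspace((unsigned char)*s);
        if (depth == 1 && (paren == 1 || (word && !in_tok))) tokens++;
        in_tok = word;
        depth += paren;
        if (paren == -1 && depth == 0) return tokens - 1; /* drop the operator */
    }
    return -1;
}

/* Number of comparison leaves in cil that do not have exactly two operands. */
int malformed_leaves(const char *cil)
{
    int bad = 0;
    for (const char *p = cil; (p = strchr(p, '(')) != NULL; p++)
        for (size_t i = 0; i < sizeof(BINARY_OPS) / sizeof(BINARY_OPS[0]); i++) {
            size_t n = strlen(BINARY_OPS[i]);
            if (strncmp(p + 1, BINARY_OPS[i], n) == 0 &&
                (isspace((unsigned char)p[1 + n]) || p[1 + n] == ')')) {
                bad += operand_count(p) != 2;
                break;
            }
        }
    return bad;
}

int main(void)
{
    /* First two lines are quoted in this thread; the third is constructed. */
    const char *samples[] = {
        "(constrain (kernel_service (create_files_as)) (eq t1 t2 ))",
        "(mlsconstrain (class_name (perm_name)) (eq t1 ))",
        "(constrain (file (read)) (or (eq t1 t2) (neq r1 (a_r b_r))))" };
    for (int i = 0; i < 3; i++)
        printf("%d malformed: %s\n", malformed_leaves(samples[i]), samples[i]);
    return 0;
}
```

The check is textual and only looks at operand counts, so it is a pre-load sanity pass over converter output, not a replacement for the CIL compiler's own validation.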



* [PATCH] libsepol: set correct second argument of (t1 == t2) constraint
  2020-03-17 20:09 checkpolicy does not forward (t1 == t2) constraint correctly Christian Göttsche
  2020-03-19 10:11 ` [PATCH] libsepol: set correct second argument of (t1 == t2) constraint Christian Göttsche
@ 2020-03-19 10:53 ` Christian Göttsche
  2020-03-19 17:50   ` James Carter
  1 sibling, 1 reply; 5+ messages in thread
From: Christian Göttsche @ 2020-03-19 10:53 UTC (permalink / raw)
  To: selinux

Currently a constraint `t1 == t2` gets converted to the invalid cil syntax `(mlsconstrain (class_name (perm_name)) (eq t1 ))` and fails to be loaded into the kernel.

Fixes: 893851c0a146ef392b8d77de737d52245345129e ("policycoreutils: add a HLL compiler to convert policy packages (.pp) to CIL")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
Added Signed-off-by

 libsepol/src/module_to_cil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 6fe7d336..a87bc15e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -1745,7 +1745,7 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp
 			case CEXPR_ROLE:                 attr1 = "r1"; attr2 = "r2"; break;
 			case CEXPR_ROLE | CEXPR_TARGET:  attr1 = "r2"; attr2 = "";   break;
 			case CEXPR_ROLE | CEXPR_XTARGET: attr1 = "r3"; attr2 = "";   break;
-			case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "";   break;
+			case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "t2"; break;
 			case CEXPR_TYPE | CEXPR_TARGET:  attr1 = "t2"; attr2 = "";   break;
 			case CEXPR_TYPE | CEXPR_XTARGET: attr1 = "t3"; attr2 = "";   break;
 			case CEXPR_L1L2:                 attr1 = "l1"; attr2 = "l2"; break;
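
Review bot: no test accompanies the `CEXPR_TYPE` change, and the commit message shows the broken output as `(mlsconstrain ...)` while the report in this thread was a plain `constrain kernel_service create_files_as ( t1 == t2 );`. A regression case that converts a module containing that statement and checks the result for `(eq t1 t2)` would cover this arm, and the message could mention the `constrain` form that was actually reported.
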
-- 
2.26.0.rc2



* Re: [PATCH] libsepol: set correct second argument of (t1 == t2) constraint
  2020-03-19 10:53 ` Christian Göttsche
@ 2020-03-19 17:50   ` James Carter
  2020-03-20 20:07     ` James Carter
  0 siblings, 1 reply; 5+ messages in thread
From: James Carter @ 2020-03-19 17:50 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: SElinux list

On Thu, Mar 19, 2020 at 6:54 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Currently a constraint `t1 == t2` gets converted to the invalid cil syntax `(mlsconstrain (class_name (perm_name)) (eq t1 ))` and fails to be loaded into the kernel.
>
> Fixes: 893851c0a146ef392b8d77de737d52245345129e ("policycoreutils: add a HLL compiler to convert policy packages (.pp) to CIL")
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
> Added Signed-off-by
>
>  libsepol/src/module_to_cil.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 6fe7d336..a87bc15e 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -1745,7 +1745,7 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp
>                         case CEXPR_ROLE:                 attr1 = "r1"; attr2 = "r2"; break;
>                         case CEXPR_ROLE | CEXPR_TARGET:  attr1 = "r2"; attr2 = "";   break;
>                         case CEXPR_ROLE | CEXPR_XTARGET: attr1 = "r3"; attr2 = "";   break;
> -                       case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "";   break;
> +                       case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "t2"; break;
>                         case CEXPR_TYPE | CEXPR_TARGET:  attr1 = "t2"; attr2 = "";   break;
>                         case CEXPR_TYPE | CEXPR_XTARGET: attr1 = "t3"; attr2 = "";   break;
>                         case CEXPR_L1L2:                 attr1 = "l1"; attr2 = "l2"; break;
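
Review bot: the arms outside the three context lines on either side of the `CEXPR_TYPE` change are not visible here, so this hunk cannot show whether any other attribute-to-attribute entry carries the same empty second operand. Since this one went unnoticed, it is worth confirming in the same pass that every arm without `CEXPR_TARGET` or `CEXPR_XTARGET` sets both `attr1` and `attr2`, as `CEXPR_ROLE` and `CEXPR_L1L2` do.
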
> --
> 2.26.0.rc2
>


* Re: [PATCH] libsepol: set correct second argument of (t1 == t2) constraint
  2020-03-19 17:50   ` James Carter
@ 2020-03-20 20:07     ` James Carter
  0 siblings, 0 replies; 5+ messages in thread
From: James Carter @ 2020-03-20 20:07 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: SElinux list

On Thu, Mar 19, 2020 at 1:50 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Thu, Mar 19, 2020 at 6:54 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Currently a constraint `t1 == t2` gets converted to the invalid cil syntax `(mlsconstrain (class_name (perm_name)) (eq t1 ))` and fails to be loaded into the kernel.
> >
> > Fixes: 893851c0a146ef392b8d77de737d52245345129e ("policycoreutils: add a HLL compiler to convert policy packages (.pp) to CIL")
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

Applied.

Thanks,
Jim

> > ---
> > Added Signed-off-by
> >
> >  libsepol/src/module_to_cil.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> > index 6fe7d336..a87bc15e 100644
> > --- a/libsepol/src/module_to_cil.c
> > +++ b/libsepol/src/module_to_cil.c
> > @@ -1745,7 +1745,7 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp
> >                         case CEXPR_ROLE:                 attr1 = "r1"; attr2 = "r2"; break;
> >                         case CEXPR_ROLE | CEXPR_TARGET:  attr1 = "r2"; attr2 = "";   break;
> >                         case CEXPR_ROLE | CEXPR_XTARGET: attr1 = "r3"; attr2 = "";   break;
> > -                       case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "";   break;
> > +                       case CEXPR_TYPE:                 attr1 = "t1"; attr2 = "t2"; break;
> >                         case CEXPR_TYPE | CEXPR_TARGET:  attr1 = "t2"; attr2 = "";   break;
> >                         case CEXPR_TYPE | CEXPR_XTARGET: attr1 = "t3"; attr2 = "";   break;
> >                         case CEXPR_L1L2:                 attr1 = "l1"; attr2 = "l2"; break;
> > --
> > 2.26.0.rc2
> >

