* SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query
@ 2014-09-04 13:14 Richard Haines
From: Richard Haines @ 2014-09-04 13:14 UTC (permalink / raw)
  To: selinux list

I've been attempting to convert a monolithic policy (really a modular base policy with
no modules) to CIL, however it fails with:

Failed to resolve roletype statement at XX of /var/lib/selinux/modular-test/tmp/modules/400/base/cil

when running: semodule -s modular-test -i base.pp


The cause of this appears to be the following in policycoreutils/hll/pp/pp.c where the role
statement is ignored for the base policy:


    case ROLE_ROLE:
        if (scope == SCOPE_DECL) {
            if (pdb->policy_type == SEPOL_POLICY_MOD) {
                // roles are defined twice, once in a module and once in base.
                // CIL doesn't allow duplicate declarations, so only take the
                // roles defined in the modules
                cil_println(indent, "(role %s)", key);

Question: Should these types of policies be supported? If so, should the CIL compiler
cope with duplicate role statements, or should the conversion service be modified to remove duplicates?
Also there is a bug in that the CIL module is deleted from the tmp directory so you cannot
view the failed conversion.

I built the CIL module using pp directly (cat base.pp | ./pp > base.cil), then added the
(role ...) statement; this compiled okay using secilc.


Richard


* Re: SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query
From: Steve Lawrence @ 2014-09-04 13:44 UTC (permalink / raw)
  To: Richard Haines, selinux list

When working on a bug reported by Sven, we actually came across some
problems with how roles and roletypes are converted from pp to CIL.
We're working on those fixes now.

Regarding the duplicate role definition issue, it's kind of tricky. The
current pp2cil conversion doesn't know anything about other modules, so
it isn't capable of determining if two separate modules have a duplicate
role definition. So we either have to 1) allow duplicate role
definitions in CIL (though, we don't currently allow any duplicate
definitions of anything) or 2) consider policies that have duplicate
roles invalid. I don't really like either solution, need to think about
this some more...

As far as how to get better information for why a CIL module failed,
this is something we've thought about, and may be something we can
improve in the future. Right now you have to extract the HLL module from
the store and compile it yourself. We're aware that's not particularly
user friendly.

- Steve

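Since pp2cil sees one module at a time, a store-wide check is the only place a base/module role clash can be caught before secilc fails. The script below is an added example, not code from the thread or from the SELinux userspace tools; it assumes a store laid out as modules/<priority>/<name>/cil (as in the error path above) and uses a constructed two-module sample rather than real policy.

```python
"""Report declarations that appear in more than one CIL module of a store.

Added example (not part of the thread or of policycoreutils). The store
contents below are constructed for illustration.
"""
import re
from collections import defaultdict

# Declaration keywords whose duplicates CIL rejects when the modules are linked.
DECL_KINDS = {"role", "type", "typeattribute", "roleattribute", "user",
              "boolean", "class", "sid"}

def tokenize(text):
    # Drop ';' comments, then split into parentheses and atoms.
    text = re.sub(r";[^\n]*", "", text)
    return re.findall(r"\(|\)|[^\s()]+", text)

def parse(text):
    """Parse CIL s-expressions into nested Python lists."""
    stack, cur = [], []
    for tok in tokenize(text):
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            if not stack:
                raise ValueError("unexpected ')'")
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok)
    if stack:
        raise ValueError("unbalanced parentheses")
    return cur

def declarations(tree, prefix=()):
    """Yield (kind, qualified name) for each declaration, descending into blocks."""
    for node in tree:
        if not isinstance(node, list) or not node:
            continue
        if node[0] == "block" and len(node) > 1:
            yield from declarations(node[2:], prefix + (node[1],))
        elif node[0] in DECL_KINDS and len(node) > 1:
            yield node[0], ".".join(prefix + (node[1],))

def find_duplicates(modules):
    """modules: {module path: CIL text}. Returns {(kind, name): [modules]} for clashes."""
    seen = defaultdict(list)
    for name, text in modules.items():
        for decl in set(declarations(parse(text))):
            seen[decl].append(name)
    return {d: sorted(m) for d, m in seen.items() if len(m) > 1}

# Constructed sample: base and a module both declare user_r, the case the
# pp.c comment quoted above is working around.
SAMPLE_STORE = {
    "400/base": "(role user_r) (type user_t) (roletype user_r user_t)",
    "400/mymod": "(role user_r) (type mymod_t) ; module-local declarations\n"
                 "(block ns (type priv_t))",
}

if __name__ == "__main__":
    for (kind, name), mods in sorted(find_duplicates(SAMPLE_STORE).items()):
        print(f"duplicate {kind} {name}: declared in {', '.join(mods)}")
```

Run against a real store by reading each modules/<priority>/<name>/cil file into the dictionary in place of SAMPLE_STORE.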

* Re: SELinux Userspace Release 2014-08-26-rc2 HLL/CIL query
From: James Carter @ 2014-09-04 14:32 UTC (permalink / raw)
  To: Steve Lawrence, Richard Haines, selinux list

On 09/04/2014 09:44 AM, Steve Lawrence wrote:
> When working on a bug reported by Sven, we actually came across some
> problems with how roles and roletypes are converted from pp to CIL.
> We're working on those fixes now.
>
> Regarding the duplicate role definition issue, it's kind of tricky. The
> current pp2cil conversion doesn't know anything about other modules, so
> it isn't capable of determining if two separate modules have a duplicate
> role definition. So we either have to 1) allow duplicate role
> definitions in CIL (though, we don't currently allow any duplicate
> definitions of anything) or 2) consider policies that have duplicate
> roles invalid. I don't really like either solution, need to think about
> this some more...
>

I don't want to allow duplicate declarations as a normal part of CIL, but maybe 
there could be a command line option that would just display a warning and 
ignore a duplicate declaration. I will have to think about the ramifications of 
this. I am worried that there will be corner cases where the generated kernel 
policy will be different depending on which duplicate is ignored.

> As far as how to get better information for why a CIL module failed,
> this is something we've thought about, and may be something we can
> improve in the future. Right now you have to extract the HLL module from
> the store and compile it yourself. We're aware that's not particularly
> user friendly.
>
> - Steve


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

