* typechange silently dropped in some cases
@ 2021-03-29 16:28 Dominick Grift
  2021-03-29 17:13 ` James Carter
  0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2021-03-29 16:28 UTC (permalink / raw)
  To: selinux


typechange rules expect three types: sourcetype loginterminaltype
targettype

1. you can use typeattributes for loginterminaltype fine
2. if you try to use typeattributes for targettype then cil will refuse
to build it with a helpful message along the lines of: targettype cannot
be typeattribute
3. if you try to use typeattributes for sourcetype then cil will not
refuse to build it but it will result in the rule not being added

scenario 3 is obviously less than optimal. although it would have been
nice if you could use typeattributes for not just loginterminaltype, it
should probably at least fail to build with a helpful message such as in
scenario 2 when you try to use a type attribute for source type.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


* Re: typechange silently dropped in some cases
  2021-03-29 16:28 typechange silently dropped in some cases Dominick Grift
@ 2021-03-29 17:13 ` James Carter
  2021-03-29 17:40   ` Dominick Grift
  0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2021-03-29 17:13 UTC (permalink / raw)
  To: Dominick Grift; +Cc: SElinux list

On Mon, Mar 29, 2021 at 12:29 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
>
> typechange rules expect three types: sourcetype loginterminaltype
> targettype
>
> 1. you can use typeattributes for loginterminaltype fine
> 2. if you try to use typeattributes for targettype then cil will refuse
> to build it with a helpful message along the lines of: targettype cannot
> be typeattribute
> 3. if you try to use typeattributes for sourcetype then cil will not
> refuse to build it but it will result in the rule not being added
>
> scenario 3 is obviously less than optimal. although it would have been
> nice if you could use typeattributes for not just loginterminaltype, it
> should probably at least fail to build with a helpful message such as in
> scenario 2 when you try to use a type attribute for source type.

I am not seeing that behavior.

I took a minimal CIL policy and added the following lines:
  (type t1a)
  (type t1b)
  (type t2a)
  (type t2b)
  (type t3)
  (typeattribute a1)
  (typeattributeset a1 (t1a t1b))
  (typeattribute a2)
  (typeattributeset a2 (t2a t2b))
  (typealias ta3)
  (typealiasactual ta3 t3)
  (typechange a1 a2 CLASS ta3)

After running:
  secilc -o test.bin typeclass.cil
  checkpolicy -C -b -o test.bin.cil test.bin

I get the following typechange rules:
  (typechange t1a t2a CLASS t3)
  (typechange t1a t2b CLASS t3)
  (typechange t1b t2a CLASS t3)
  (typechange t1b t2b CLASS t3)


Maybe there is something else going on?

Thanks,
Jim

>
> --
> gpg --locate-keys dominick.grift@defensec.nl
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift

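An added illustration, not code from this thread or from secilc: a toy expander that models what James's secilc/checkpolicy round trip shows, namely that a typechange rule with typeattributes in the source and target (terminal) positions is expanded into one rule per member type and aliases are resolved to their actual type, while an attribute in the result position (Dominick's "targettype") is rejected. The declarations are James's test policy; the s-expression parser, symbol table and the exact error wording are assumptions of this example, not secilc's implementation.

```python
# Added example, not part of the thread or of secilc. Models CIL typechange
# expansion: attributes in source/target fan out, aliases resolve, and an
# attribute in the result position is an error (wording assumed here).
import re
from itertools import product

# James Carter's test declarations from the thread, as the sample input.
TEST_POLICY = """
(type t1a)
(type t1b)
(type t2a)
(type t2b)
(type t3)
(typeattribute a1)
(typeattributeset a1 (t1a t1b))
(typeattribute a2)
(typeattributeset a2 (t2a t2b))
(typealias ta3)
(typealiasactual ta3 t3)
(typechange a1 a2 CLASS ta3)
"""


def parse(text):
    """Parse a flat CIL fragment (s-expressions) into nested Python lists."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


def build_symtab(statements):
    """Collect declared types, attribute memberships and alias targets."""
    types, attrs, aliases = set(), {}, {}
    for stmt in statements:
        kw = stmt[0]
        if kw == "type":
            types.add(stmt[1])
        elif kw == "typeattribute":
            attrs.setdefault(stmt[1], set())
        elif kw == "typeattributeset":
            # Toy: only plain member lists, no (and ...)/(not ...) expressions.
            members = stmt[2] if isinstance(stmt[2], list) else [stmt[2]]
            attrs.setdefault(stmt[1], set()).update(members)
        elif kw == "typealiasactual":
            aliases[stmt[1]] = stmt[2]
    return types, attrs, aliases


def resolve(name, types, attrs, aliases):
    """Return the sorted list of concrete types a name stands for."""
    name = aliases.get(name, name)
    if name in attrs:
        return sorted(attrs[name])
    if name in types:
        return [name]
    raise ValueError(f"unknown type {name}")


def expand_typechange(policy_text):
    """Expand every typechange rule in the policy into concrete rules."""
    statements = parse(policy_text)
    types, attrs, aliases = build_symtab(statements)
    rules = []
    for stmt in statements:
        if stmt[0] != "typechange":
            continue
        src, tgt, cls, res = stmt[1:5]
        # The result of a type rule must be a single type, never an attribute.
        if aliases.get(res, res) in attrs:
            raise ValueError(
                f"typechange {src} {tgt} {cls} {res}: "
                "targettype cannot be typeattribute")
        (result,) = resolve(res, types, attrs, aliases)
        for s, t in product(resolve(src, types, attrs, aliases),
                            resolve(tgt, types, attrs, aliases)):
            rules.append(f"(typechange {s} {t} {cls} {result})")
    return rules


def typechange_error(policy_text):
    """Return the rejection message for a policy, or None if it expands."""
    try:
        expand_typechange(policy_text)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for rule in expand_typechange(TEST_POLICY):
        print(rule)
    bad = TEST_POLICY.replace("(typechange a1 a2 CLASS ta3)",
                              "(typechange a1 t2a CLASS a2)")
    print(typechange_error(bad))
```

Running the block prints the same four concrete rules James obtained from checkpolicy -C, then the rejection for a rule whose result is the attribute a2.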

* Re: typechange silently dropped in some cases
  2021-03-29 17:13 ` James Carter
@ 2021-03-29 17:40   ` Dominick Grift
  0 siblings, 0 replies; 3+ messages in thread
From: Dominick Grift @ 2021-03-29 17:40 UTC (permalink / raw)
  To: James Carter; +Cc: SElinux list

James Carter <jwcart2@gmail.com> writes:

> On Mon, Mar 29, 2021 at 12:29 PM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>>
>> typechange rules expect three types: sourcetype loginterminaltype
>> targettype
>>
>> 1. you can use typeattributes for loginterminaltype fine
>> 2. if you try to use typeattributes for targettype then cil will refuse
>> to build it with a helpful message along the lines of: targettype cannot
>> be typeattribute
>> 3. if you try to use typeattributes for sourcetype then cil will not
>> refuse to build it but it will result in the rule not being added
>>
>> scenario 3 is obviously less than optimal. although it would have been
>> nice if you could use typeattributes for not just loginterminaltype, it
>> should probably at least fail to build with a helpful message such as in
>> scenario 2 when you try to use a type attribute for source type.
>
> I am not seeing that behavior.
>
> I took a minimal CIL policy and added the following lines:
>   (type t1a)
>   (type t1b)
>   (type t2a)
>   (type t2b)
>   (type t3)
>   (typeattribute a1)
>   (typeattributeset a1 (t1a t1b))
>   (typeattribute a2)
>   (typeattributeset a2 (t2a t2b))
>   (typealias ta3)
>   (typealiasactual ta3 t3)
>   (typechange a1 a2 CLASS ta3)
>
> After running:
>   secilc -o test.bin typeclass.cil
>   checkpolicy -C -b -o test.bin.cil test.bin
>
> I get the following typechange rules:
>   (typechange t1a t2a CLASS t3)
>   (typechange t1a t2b CLASS t3)
>   (typechange t1b t2a CLASS t3)
>   (typechange t1b t2b CLASS t3)
>
>
> Maybe there is something else going on?

Sorry, never mind. It does work...

>
> Thanks,
> Jim
>
>>
>> --
>> gpg --locate-keys dominick.grift@defensec.nl
>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> Dominick Grift

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
