* any reason why a class mapping is not able to solve permissionx?
@ 2020-01-17 17:34 Dominick Grift
2020-01-17 18:24 ` Dominick Grift
0 siblings, 1 reply; 6+ messages in thread
From: Dominick Grift @ 2020-01-17 17:34 UTC (permalink / raw)
To: selinux
For example this:
(permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
(classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
(classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
(allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
Say's:
<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
Failed to resolve classmapping statement at policy/base/class_maps.cil:994
Problem at policy/base/class_maps.cil:994
Pass 14 of resolution failed
Failed to resolve ast
Failed to compile cildb: -2
make: *** [Makefile:30: policy.32] Error 254
Am i doing something wrong or is this unsupported?
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: any reason why a class mapping is not able to solve permissionx?
2020-01-17 17:34 any reason why a class mapping is not able to solve permissionx? Dominick Grift
@ 2020-01-17 18:24 ` Dominick Grift
2020-01-17 18:36 ` [Non-DoD Source] " jwcart2
2020-01-21 16:26 ` jwcart2
0 siblings, 2 replies; 6+ messages in thread
From: Dominick Grift @ 2020-01-17 18:24 UTC (permalink / raw)
To: selinux
On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
> For example this:
>
> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
>
> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>
> Say's:
>
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
> Problem at policy/base/class_maps.cil:994
> Pass 14 of resolution failed
> Failed to resolve ast
> Failed to compile cildb: -2
> make: *** [Makefile:30: policy.32] Error 254
>
> Am i doing something wrong or is this unsupported?
Are we supposed to be able to use allowx rules in macros?
This works when the tunable is set false:
(tunable no_mac_addr true)
(block bla1
(blockinherit system_agent_template)
(macro stuff ((type ARG1))
(tunableif no_mac_addr
(true
(allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
(allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
(false
(allow ARG1 self create_tcp_stream_socket_perms)))))
(block blah2
(blockinherit system_agent_template)
(call bla1.stuff (subj)))
But when the tunable is set true:
<snip>
Building AST from Parse Tree
Destroying Parse Tree
Resolving AST
make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
2020-01-17 18:24 ` Dominick Grift
@ 2020-01-17 18:36 ` jwcart2
2020-01-21 16:26 ` jwcart2
1 sibling, 0 replies; 6+ messages in thread
From: jwcart2 @ 2020-01-17 18:36 UTC (permalink / raw)
To: Dominick Grift, selinux
On 1/17/20 1:24 PM, Dominick Grift wrote:
> On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
>> For example this:
>>
>> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
>> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
>> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
>>
>> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>>
>> Say's:
>>
>> <snip>
>> Building AST from Parse Tree
>> Destroying Parse Tree
>> Resolving AST
>> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
>> Problem at policy/base/class_maps.cil:994
>> Pass 14 of resolution failed
>> Failed to resolve ast
>> Failed to compile cildb: -2
>> make: *** [Makefile:30: policy.32] Error 254
>>
>> Am i doing something wrong or is this unsupported?
>
Class maps only support normal permissions, they do not support extended
permissions.
> Are we supposed to be able to use allowx rules in macros?
>
allowx rules are allowed in macros. I will see if I can reproduce the error
below and figure out what's going wrong.
Jim
> This works when the tunable is set false:
>
> (tunable no_mac_addr true)
>
> (block bla1
> (blockinherit system_agent_template)
>
> (macro stuff ((type ARG1))
> (tunableif no_mac_addr
> (true
> (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
> (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
> (false
> (allow ARG1 self create_tcp_stream_socket_perms)))))
>
> (block blah2
> (blockinherit system_agent_template)
>
> (call bla1.stuff (subj)))
>
> But when the tunable is set true:
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
2020-01-17 18:24 ` Dominick Grift
2020-01-17 18:36 ` [Non-DoD Source] " jwcart2
@ 2020-01-21 16:26 ` jwcart2
2020-01-23 20:41 ` jwcart2
1 sibling, 1 reply; 6+ messages in thread
From: jwcart2 @ 2020-01-21 16:26 UTC (permalink / raw)
To: Dominick Grift, selinux
On 1/17/20 1:24 PM, Dominick Grift wrote:
> On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
>> For example this:
>>
>> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and (all) (not (0x8927)))))
>> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
>> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR alg_socket_ioctl_except_SIOCGIFHWADDR)
>>
>> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>>
>> Say's:
>>
>> <snip>
>> Building AST from Parse Tree
>> Destroying Parse Tree
>> Resolving AST
>> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
>> Problem at policy/base/class_maps.cil:994
>> Pass 14 of resolution failed
>> Failed to resolve ast
>> Failed to compile cildb: -2
>> make: *** [Makefile:30: policy.32] Error 254
>>
>> Am i doing something wrong or is this unsupported?
>
> Are we supposed to be able to use allowx rules in macros?
>
Yes, allowx rules can be used in macros.
> This works when the tunable is set false:
>
> (tunable no_mac_addr true)
>
> (block bla1
> (blockinherit system_agent_template)
>
> (macro stuff ((type ARG1))
> (tunableif no_mac_addr
> (true
> (allow ARG1 self create_except_ioctl_tcp_stream_socket_perms)
> (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
> (false
> (allow ARG1 self create_tcp_stream_socket_perms)))))
>
> (block blah2
> (blockinherit system_agent_template)
>
> (call bla1.stuff (subj)))
>
> But when the tunable is set true:
> <snip>
> Building AST from Parse Tree
> Destroying Parse Tree
> Resolving AST
> make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
>
Still trying to figure out the exact issue, but it is the use of the named
permissionx that is causing the seg fault.
Jim
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
2020-01-21 16:26 ` jwcart2
@ 2020-01-23 20:41 ` jwcart2
2020-01-23 21:15 ` Dominick Grift
0 siblings, 1 reply; 6+ messages in thread
From: jwcart2 @ 2020-01-23 20:41 UTC (permalink / raw)
To: Dominick Grift, selinux
On 1/21/20 11:26 AM, jwcart2 wrote:
> On 1/17/20 1:24 PM, Dominick Grift wrote:
>> On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
>>> For example this:
>>>
>>> (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl alg_socket (and
>>> (all) (not (0x8927)))))
>>> (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
>>> (classmapping all_sockets ioctl_except_SIOCGIFHWADDR
>>> alg_socket_ioctl_except_SIOCGIFHWADDR)
>>>
>>> (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
>>>
>>> Say's:
>>>
>>> <snip>
>>> Building AST from Parse Tree
>>> Destroying Parse Tree
>>> Resolving AST
>>> Failed to resolve classmapping statement at policy/base/class_maps.cil:994
>>> Problem at policy/base/class_maps.cil:994
>>> Pass 14 of resolution failed
>>> Failed to resolve ast
>>> Failed to compile cildb: -2
>>> make: *** [Makefile:30: policy.32] Error 254
>>>
>>> Am i doing something wrong or is this unsupported?
>>
>> Are we supposed to be able to use allowx rules in macros?
>>
>
> Yes, allowx rules can be used in macros.
>
>> This works when the tunable is set false:
>>
>> (tunable no_mac_addr true)
>>
>> (block bla1
>> (blockinherit system_agent_template)
>>
>> (macro stuff ((type ARG1))
>> (tunableif no_mac_addr
>> (true
>> (allow ARG1 self
>> create_except_ioctl_tcp_stream_socket_perms)
>> (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
>> (false
>> (allow ARG1 self create_tcp_stream_socket_perms)))))
>>
>> (block blah2
>> (blockinherit system_agent_template)
>>
>> (call bla1.stuff (subj)))
>>
>> But when the tunable is set true:
>> <snip>
>> Building AST from Parse Tree
>> Destroying Parse Tree
>> Resolving AST
>> make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
>>
>
> Still trying to figure out the exact issue, but it is the use of the named
> permissionx that is causing the seg fault.
>
There was an error in the code to copy a permissionx. I sent a patch to the list
to fix this issue.
Jim
> Jim
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Non-DoD Source] Re: any reason why a class mapping is not able to solve permissionx?
2020-01-23 20:41 ` jwcart2
@ 2020-01-23 21:15 ` Dominick Grift
0 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2020-01-23 21:15 UTC (permalink / raw)
To: jwcart2; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 2743 bytes --]
On Thu, Jan 23, 2020 at 03:41:30PM -0500, jwcart2 wrote:
> On 1/21/20 11:26 AM, jwcart2 wrote:
> > On 1/17/20 1:24 PM, Dominick Grift wrote:
> > > On Fri, Jan 17, 2020 at 06:34:48PM +0100, Dominick Grift wrote:
> > > > For example this:
> > > >
> > > > (permissionx alg_socket_ioctl_except_SIOCGIFHWADDR (ioctl
> > > > alg_socket (and (all) (not (0x8927)))))
> > > > (classmap all_sockets (ioctl_except_SIOCGIFHWADDR))
> > > > (classmapping all_sockets ioctl_except_SIOCGIFHWADDR
> > > > alg_socket_ioctl_except_SIOCGIFHWADDR)
> > > >
> > > > (allowx a self (all_sockets (ioctl_except_SIOCGIFHWADDR)))
> > > >
> > > > Say's:
> > > >
> > > > <snip>
> > > > Building AST from Parse Tree
> > > > Destroying Parse Tree
> > > > Resolving AST
> > > > Failed to resolve classmapping statement at policy/base/class_maps.cil:994
> > > > Problem at policy/base/class_maps.cil:994
> > > > Pass 14 of resolution failed
> > > > Failed to resolve ast
> > > > Failed to compile cildb: -2
> > > > make: *** [Makefile:30: policy.32] Error 254
> > > >
> > > > Am i doing something wrong or is this unsupported?
> > >
> > > Are we supposed to be able to use allowx rules in macros?
> > >
> >
> > Yes, allowx rules can be used in macros.
> >
> > > This works when the tunable is set false:
> > >
> > > (tunable no_mac_addr true)
> > >
> > > (block bla1
> > > (blockinherit system_agent_template)
> > >
> > > (macro stuff ((type ARG1))
> > > (tunableif no_mac_addr
> > > (true
> > > (allow ARG1 self
> > > create_except_ioctl_tcp_stream_socket_perms)
> > > (allowx ARG1 self tcp_socket_ioctl_except_SIOCGIFHWADDR))
> > > (false
> > > (allow ARG1 self create_tcp_stream_socket_perms)))))
> > >
> > > (block blah2
> > > (blockinherit system_agent_template)
> > >
> > > (call bla1.stuff (subj)))
> > >
> > > But when the tunable is set true:
> > > <snip>
> > > Building AST from Parse Tree
> > > Destroying Parse Tree
> > > Resolving AST
> > > make: *** [Makefile:30: policy.32] Segmentation fault (core dumped)
> > >
> >
> > Still trying to figure out the exact issue, but it is the use of the
> > named permissionx that is causing the seg fault.
> >
>
> There was an error in the code to copy a permissionx. I sent a patch to the
> list to fix this issue.
> Jim
Thanks!
>
> > Jim
> >
>
>
> --
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-01-23 21:16 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-17 17:34 any reason why a class mapping is not able to solve permissionx? Dominick Grift
2020-01-17 18:24 ` Dominick Grift
2020-01-17 18:36 ` [Non-DoD Source] " jwcart2
2020-01-21 16:26 ` jwcart2
2020-01-23 20:41 ` jwcart2
2020-01-23 21:15 ` Dominick Grift
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).