selinux.vger.kernel.org archive mirror
From: "Christian Göttsche" <cgzones@googlemail.com>
To: SElinux list <selinux@vger.kernel.org>
Subject: Role attributes in traditional language constraints
Date: Wed, 10 Mar 2021 18:09:09 +0100
Message-ID: <CAJ2a_Dd_tccbWwA_S8nnRvpAVJW8EcrU3t3R7e=McThsx0L13w@mail.gmail.com>

Hi list,

I am using in my RefPolicy-based policy constraints containing role-attributes:

    attribute_role unpriv_roles;
    ...
    constrain ...
        r1 != unpriv_roles

This worked fine so far and the language specification [1][2] permits
the usage of type attributes (by using them in the examples) and
states no differences between `t1 op names` and `r1 op names`.

Today I debugged a crash of seinfo(1) on generated binary policies of mine.
`seinfo path/to/build/policy --constrain` segfaults at [3], when run
on a built binary policy.
These binary policies are generated by the RefPolicy target `make
validate`, running either semodule_link(8) and semodule_expand(8)
(modular build) or checkpolicy(8) (monolithic build).

Running `seinfo --constrain`, using the currently loaded kernel
policy, works fine and shows the expanded roles in the corresponding
constrain (e.g. `r1 != { user_r guest_r ... }`).

On further testing I noticed that on Fedora 34 with libsepol 3.2
building such policies fails entirely:

    ...
    Validating policy file contexts.
    libsepol.validate_constraint_nodes: Invalid constraint expr
    libsepol.validate_class_datum: Invalid class datum
    libsepol.validate_datum_arrays: Invalid datum arrays
    libsepol.validate_policydb: Invalid policydb
    libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
    Error reading policy tmp/policy.bin: Success
    make: *** [Rules.modular:215: validate] Error 255

This seems to be caused by [4].

From my point of view this is a regression:
Role-attributes in constraints worked prior to libsepol 3.2, work in CIL
and are not explicitly disallowed by the language specification.
`validate_constraint_nodes()`[5] should accept attribute_role identifiers.

To fix the original seinfo crash, I'd like to ask whether setools
should accept role-attribute identifiers in compiled binary policies,
or if semodule_expand(8) and checkpolicy(8) should expand them at
build-time (currently they are expanded at load-time (load_policy(8))).

Best regards,
    Christian Göttsche


[1]: https://selinuxproject.org/page/ConstraintStatements
[2]: https://github.com/SELinuxProject/selinux-notebook/blob/main/src/constraint_statements.md#constraint-statements
[3]: https://github.com/SELinuxProject/setools/blob/master/setools/policyrep/role.pxi#L34
[4]: https://github.com/SELinuxProject/selinux/commit/0861c659b59cb106bad1b1d0c9f511a7140a1023
[5]: https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/policydb_validate.c#L170
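
An added example, not part of the original message and not code from any SELinux project: a small Python scanner that lists the `constrain`/`mlsconstrain` statements in policy source whose `r1`/`r2` expressions name a declared `attribute_role`, which is the construct discussed above. The sample policy text and every identifier in it are constructed, and the regex-based parsing assumes expanded policy source (`policy.conf` style) rather than m4 macros.

```python
import re

# Constructed sample in policy.conf style; all identifiers are made up.
SAMPLE_POLICY = """
attribute_role unpriv_roles;
role user_r;
role sysadm_r;
constrain process transition
    ( r1 == r2 or r1 != unpriv_roles );
constrain file { create relabelto }
    ( u1 == u2 and r1 == { sysadm_r user_r } );
mlsconstrain dir search
    ( l1 dom l2 or r2 == unpriv_roles );
"""

ATTR_DECL = re.compile(r"^\s*attribute_role\s+([A-Za-z0-9_.]+)\s*;", re.M)
# A constraint statement runs from its keyword to the first ';'.
STATEMENT = re.compile(r"^\s*((?:mls)?constrain)\b(.*?);", re.M | re.S)
# 'r1 op names' / 'r2 op names', where names is one identifier or a { set }.
ROLE_EXPR = re.compile(r"\b(r[12])\s*(==|!=)\s*(\{[^}]*\}|[A-Za-z0-9_.]+)")


def strip_comments(text):
    """Drop '#' comments but keep newlines so line numbers stay valid."""
    return re.sub(r"#.*", "", text)


def find_role_attr_constraints(policy_text):
    """Return (line, keyword, operand, op, [role attributes]) per match."""
    text = strip_comments(policy_text)
    attrs = set(ATTR_DECL.findall(text))
    hits = []
    for stmt in STATEMENT.finditer(text):
        keyword, body = stmt.group(1), stmt.group(2)
        line = text.count("\n", 0, stmt.start(1)) + 1
        for expr in ROLE_EXPR.finditer(body):
            names = set(expr.group(3).strip("{} \t\n").split())
            used = sorted(names & attrs)
            if used:
                hits.append((line, keyword, expr.group(1), expr.group(2), used))
    return hits


if __name__ == "__main__":
    for line, keyword, operand, op, used in find_role_attr_constraints(SAMPLE_POLICY):
        print(f"line {line}: {keyword} uses {operand} {op} {' '.join(used)}")
```
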
