SELinux Archive on lore.kernel.org
From: James Carter <jwcart2@gmail.com>
To: bauen1 <j2468h@googlemail.com>
Cc: selinux <selinux@vger.kernel.org>
Subject: Re: Invalid output by secilc with constraints containing 4 nested OR and a single AND
Date: Thu, 3 Sep 2020 14:15:16 -0400
Message-ID: <CAP+JOzQ81pinste0dpC1n93GVzrQNOds+YCEVpqsrJpamPg_mA@mail.gmail.com> (raw)
In-Reply-To: <CAP+JOzSHRcBQp_3ntqiKiG_fjx0fab6zGCC8F6j50zkB8ac-Bw@mail.gmail.com>

On Wed, Jul 29, 2020 at 5:02 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Jul 29, 2020 at 3:06 PM bauen1 <j2468h@googlemail.com> wrote:
> >
> > Hello,
> > I've discovered that a constraint like
> >
> > (constrain (file (open))
> >   (or
> >     (eq t1 exec_t) ; probably doesn't matter
> >     (or
> >       (eq t1 exec_t) ; probably doesn't matter
> >       (or
> >         (eq t1 exec_t) ; probably doesn't matter
> >         (or
> >           ; Making and the first argument to or will produce a valid policy
> >           (eq t1 exec_t)
> >           (and
> >             ; content probably doesn't matter
> >             (eq t1 exec_t)
> >             (eq t1 exec_t)
> >           )
> >         )
> >       )
> >     )
> >   )
> > )
> >
> > allows secilc to finish compilation but generates a policy that is "invalid", file identifies it as an SELinux Binary Policy but seinfo and similar tools refuse to operate on it.
> >
>
> I can confirm that this does cause secilc to create an invalid policy binary.
>
> I will have to investigate.

So the problem is that this constraint expression exceeds the depth
allowed by libsepol. An error should be given by CIL when the depth
reaches 5, but CIL was not correctly keeping track of the depth. A
patch will be sent shortly.

Thanks for reporting this.
Jim

> Thanks,
> Jim
>
> > For example (using secilc/test/policy.cil):
> > $ file policy.32
> > policy.32: SE Linux policy v32 8 symbols 9 ocons
> > $ seinfo policy.32 -x --constrain
> > Invalid policy: policy.32. A binary policy must be specified. (use e.g. policy.32 or sepolicy) Source policies are not supported.
> >
> > I've tested this with secilc 3.1-1 (debian) and from the current git master (9e2b8c61bfd275d0f007a736721c557755edf4a0)
> >
> > I hope that this is enough information to reproduce the issue.
> >
> > --
> > bauen1
> > https://dn42.bauen1.xyz/
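To make the depth bookkeeping concrete, here is an added Python example (not code from the thread, libsepol or CIL) that flattens a CIL constraint expression into the postfix order libsepol stores and measures how many operands the evaluator's stack must hold. It assumes the limit of 5 discussed above is the size of that operand stack (CEXPR_MAXDEPTH in the kernel/libsepol evaluator), and it also checks the reporter's observation that moving the `and` into the first operand of the innermost `or` yields a valid policy.

```python
import re

STACK_LIMIT = 5  # assumed to be CEXPR_MAXDEPTH, the evaluator's operand stack size

def tokenize(text):
    """Strip ';' comments, then split into parentheses and atoms."""
    text = re.sub(r";[^\n]*", "", text)
    return re.findall(r"\(|\)|[^\s()]+", text)

def parse(tokens):
    """Parse one s-expression into nested Python lists (consumes tokens)."""
    tok = tokens.pop(0)
    if tok != "(":
        return tok
    node = []
    while tokens[0] != ")":
        node.append(parse(tokens))
    tokens.pop(0)  # drop the closing ')'
    return node

def postfix(expr):
    """Flatten a constraint expression into postfix (operands, then operator)."""
    op = expr[0]
    if op in ("and", "or"):
        return postfix(expr[1]) + postfix(expr[2]) + [op]
    if op == "not":
        return postfix(expr[1]) + [op]
    return [tuple(expr)]  # a leaf such as (eq t1 exec_t)

def max_stack_depth(expr):
    """Simulate the postfix evaluator's stack and return its peak depth."""
    depth = peak = 0
    for item in postfix(expr):
        if item in ("and", "or"):
            depth -= 1          # two operands collapse into one result
        elif item != "not":     # 'not' leaves the depth unchanged
            depth += 1
            peak = max(peak, depth)
    return peak

def check_constrain(cil):
    """Return (peak stack depth, fits within the limit) for a constrain statement."""
    stmt = parse(tokenize(cil))   # ['constrain', classperms, expr]
    peak = max_stack_depth(stmt[2])
    return peak, peak <= STACK_LIMIT

# Constructed inputs: the reported constraint, and the variant with 'and' moved first.
REPORTED = """(constrain (file (open)) (or (eq t1 exec_t) (or (eq t1 exec_t)
  (or (eq t1 exec_t) (or (eq t1 exec_t) (and (eq t1 exec_t) (eq t1 exec_t)))))))"""
SWAPPED = """(constrain (file (open)) (or (eq t1 exec_t) (or (eq t1 exec_t)
  (or (eq t1 exec_t) (or (and (eq t1 exec_t) (eq t1 exec_t)) (eq t1 exec_t))))))"""

if __name__ == "__main__":
    for name, cil in (("reported", REPORTED), ("swapped", SWAPPED)):
        print(name, check_constrain(cil))  # reported (6, False), swapped (5, True)
```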
