selinux.vger.kernel.org archive mirror
* Invalid output by secilc with constraints containing 4 nested OR and a single AND
@ 2020-07-29 19:05 bauen1
  2020-07-29 21:02 ` James Carter
From: bauen1 @ 2020-07-29 19:05 UTC (permalink / raw)
  To: selinux

Hello,
I've discovered that a constraint like

(constrain (file (open))
  (or
    (eq t1 exec_t) ; probably doesn't matter
    (or
      (eq t1 exec_t) ; probably doesn't matter
      (or
        (eq t1 exec_t) ; probably doesn't matter
        (or
          ; Making and the first argument to or will produce a valid policy
          (eq t1 exec_t)
          (and
            ; content probably doesn't matter
            (eq t1 exec_t)
            (eq t1 exec_t)
          )
        )
      )
    )
  )
)

allows secilc to finish compilation but generates a policy that is "invalid": file identifies it as an SELinux Binary Policy, but seinfo and similar tools refuse to operate on it.

For example (using secilc/test/policy.cil):
$ file policy.32 
policy.32: SE Linux policy v32 8 symbols 9 ocons
$ seinfo policy.32 -x --constrain
Invalid policy: policy.32. A binary policy must be specified. (use e.g. policy.32 or sepolicy) Source policies are not supported.

I've tested this with secilc 3.1-1 (debian) and from the current git master (9e2b8c61bfd275d0f007a736721c557755edf4a0)

I hope that this is enough information to reproduce the issue.

-- 
bauen1
https://dn42.bauen1.xyz/


* Re: Invalid output by secilc with constraints containing 4 nested OR and a single AND
  2020-07-29 19:05 Invalid output by secilc with constraints containing 4 nested OR and a single AND bauen1
@ 2020-07-29 21:02 ` James Carter
  2020-09-03 18:15   ` James Carter
From: James Carter @ 2020-07-29 21:02 UTC (permalink / raw)
  To: bauen1; +Cc: selinux

On Wed, Jul 29, 2020 at 3:06 PM bauen1 <j2468h@googlemail.com> wrote:
>
> Hello,
> I've discovered that a constraint like
>
> (constrain (file (open))
>   (or
>     (eq t1 exec_t) ; probably doesn't matter
>     (or
>       (eq t1 exec_t) ; probably doesn't matter
>       (or
>         (eq t1 exec_t) ; probably doesn't matter
>         (or
>           ; Making and the first argument to or will produce a valid policy
>           (eq t1 exec_t)
>           (and
>             ; content probably doesn't matter
>             (eq t1 exec_t)
>             (eq t1 exec_t)
>           )
>         )
>       )
>     )
>   )
> )
>
> allows secilc to finish compilation but generates a policy that is "invalid": file identifies it as an SELinux Binary Policy, but seinfo and similar tools refuse to operate on it.
>

I can confirm that this does cause secilc to create an invalid policy binary.

I will have to investigate.
Thanks,
Jim

> For example (using secilc/test/policy.cil):
> $ file policy.32
> policy.32: SE Linux policy v32 8 symbols 9 ocons
> $ seinfo policy.32 -x --constrain
> Invalid policy: policy.32. A binary policy must be specified. (use e.g. policy.32 or sepolicy) Source policies are not supported.
>
> I've tested this with secilc 3.1-1 (debian) and from the current git master (9e2b8c61bfd275d0f007a736721c557755edf4a0)
>
> I hope that this is enough information to reproduce the issue.
>
> --
> bauen1
> https://dn42.bauen1.xyz/


* Re: Invalid output by secilc with constraints containing 4 nested OR and a single AND
  2020-07-29 21:02 ` James Carter
@ 2020-09-03 18:15   ` James Carter
From: James Carter @ 2020-09-03 18:15 UTC (permalink / raw)
  To: bauen1; +Cc: selinux

On Wed, Jul 29, 2020 at 5:02 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Jul 29, 2020 at 3:06 PM bauen1 <j2468h@googlemail.com> wrote:
> >
> > Hello,
> > I've discovered that a constraint like
> >
> > (constrain (file (open))
> >   (or
> >     (eq t1 exec_t) ; probably doesn't matter
> >     (or
> >       (eq t1 exec_t) ; probably doesn't matter
> >       (or
> >         (eq t1 exec_t) ; probably doesn't matter
> >         (or
> >           ; Making and the first argument to or will produce a valid policy
> >           (eq t1 exec_t)
> >           (and
> >             ; content probably doesn't matter
> >             (eq t1 exec_t)
> >             (eq t1 exec_t)
> >           )
> >         )
> >       )
> >     )
> >   )
> > )
> >
> > allows secilc to finish compilation but generates a policy that is "invalid": file identifies it as an SELinux Binary Policy, but seinfo and similar tools refuse to operate on it.
> >
>
> I can confirm that this does cause secilc to create an invalid policy binary.
>
> I will have to investigate.

So the problem is that this constraint expression exceeds the depth
allowed by libsepol. An error should be given by CIL when the depth
reaches 5, but CIL was not correctly keeping track of the depth. A
patch will be sent shortly.

Thanks for reporting this.
Jim

> Thanks,
> Jim
>
> > For example (using secilc/test/policy.cil):
> > $ file policy.32
> > policy.32: SE Linux policy v32 8 symbols 9 ocons
> > $ seinfo policy.32 -x --constrain
> > Invalid policy: policy.32. A binary policy must be specified. (use e.g. policy.32 or sepolicy) Source policies are not supported.
> >
> > I've tested this with secilc 3.1-1 (debian) and from the current git master (9e2b8c61bfd275d0f007a736721c557755edf4a0)
> >
> > I hope that this is enough information to reproduce the issue.
> >
> > --
> > bauen1
> > https://dn42.bauen1.xyz/

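Jim's diagnosis above (the expression exceeds libsepol's constraint depth limit, and CIL was not tracking the depth) can be checked before compiling. The Python below is an added example, not code from the report or from secilc/libsepol: it parses a CIL constrain statement, flattens it to the postfix order a binary policy stores, and replays the operand stack; the accounting (at most five operands pending, CEXPR_MAXDEPTH = 5) is my reading of libsepol's policy reader and an assumption here. It reproduces both observations from the report: the posted expression is over the limit, while the variant with the and as the first operand fits.

```python
import re
# libsepol's constraint-expression depth limit (assumed here: at most five operands pending).
CEXPR_MAXDEPTH = 5

def parse_sexpr(text):
    """Parse CIL S-expression text (';' comments stripped) into nested lists."""
    tokens = re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text))
    def read():
        tok = tokens.pop(0)
        if tok != "(":
            return tok
        items = []
        while tokens[0] != ")":
            items.append(read())
        tokens.pop(0)                    # consume the matching ')'
        return items
    return read()

def to_postfix(expr):
    """Flatten (op a b) into [a..., b..., op], the order the binary policy stores."""
    op = expr[0]
    if op in ("and", "or"):
        return to_postfix(expr[1]) + to_postfix(expr[2]) + [op]
    if op == "not":
        return to_postfix(expr[1]) + [op]
    return [tuple(expr)]                 # leaf: (eq|neq|dom|domby|incomp a b)

def peak_operand_depth(postfix):
    """Replay the postfix form against an operand stack; return its peak size."""
    depth = peak = 0
    for item in postfix:
        if item in ("and", "or"):
            depth -= 1                   # two operands collapse into one result
        elif item != "not":              # 'not' leaves the stack size unchanged
            depth += 1                   # a leaf comparison is pushed
            peak = max(peak, depth)
        if depth < 1:
            raise ValueError("malformed expression: operator without operands")
    return peak

def check_constrain(cil_text):           # -> (peak_depth, fits_within_limit)
    stmt = parse_sexpr(cil_text)         # ['constrain', [class, [perms]], expr]
    peak = peak_operand_depth(to_postfix(stmt[2]))
    return peak, peak <= CEXPR_MAXDEPTH

LEAF, AND = "(eq t1 exec_t)", "(and (eq t1 exec_t) (eq t1 exec_t))"
# Constructed from the report: the AND is the last operand of the fourth nested OR.
REPORTED = f"(constrain (file (open)) (or {LEAF} (or {LEAF} (or {LEAF} (or {LEAF} {AND})))))"
# The reporter's variant: the same AND as the first operand of that OR compiles fine.
AND_FIRST = f"(constrain (file (open)) (or {LEAF} (or {LEAF} (or {LEAF} (or {AND} {LEAF})))))"
```

check_constrain(REPORTED) returns (6, False) and check_constrain(AND_FIRST) returns (5, True), matching what secilc and seinfo showed in the thread.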
