* CIL typealiases
From: Dominick Grift @ 2020-05-28 11:12 UTC (permalink / raw)
To: selinux
tl;dr typealias (and possibly typealiasactual) statement does not like periods
systemd plans to consolidate systemd-udevd and udevadm and so I was
looking to consolidate the policy. For compatibility I wanted to add a
(typealias .udev.udevadm.exec) and (typealiasactual .udev.udevadm.exec
.udev.daemon.exec)
That reminded me that it does not like the period name space
delimiter in at least the typealias statement.
Example:
[root@brutus ~]# echo "(block test (type test1) (typealias test2.test1)
(typealiasactual test2.test1 test.test1))" > mytest.cil
[root@brutus ~]# semodule -vvv -i mytest.cil
<snip>
Building AST from Parse Tree
Invalid character "." in test2.test1
Invalid name
Failed to create node
Bad typealias declaration at
/var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
Problem at /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
Failed to build ast
semodule: Failed!
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
* Re: CIL typealiases
From: James Carter @ 2020-05-28 13:19 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list
On Thu, May 28, 2020 at 7:21 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
>
> tl;dr typealias (and possibly typealiasactual) statement does not like periods
>
> systemd plans to consolidate systemd-udevd and udevadm and so I was
> looking to consolidate the policy. For compatibility I wanted to add a
> (typealias .udev.udevadm.exec) and (typealiasactual .udev.udevadm.exec
> .udev.daemon.exec)
>
> That reminded me that it does not like the period name space
> delimiter in at least the typealias statement.
>
> Example:
>
> [root@brutus ~]# echo "(block test (type test1) (typealias test2.test1)
> (typealiasactual test2.test1 test.test1))" > mytest.cil
> [root@brutus ~]# semodule -vvv -i mytest.cil
>
> <snip>
> Building AST from Parse Tree
> Invalid character "." in test2.test1
> Invalid name
> Failed to create node
> Bad typealias declaration at
> /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
> Problem at /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
> Failed to build ast
> semodule: Failed!
>
CIL doesn't like "." in any name used in a declaration.
If you want an alias with a "." in it, then use blocks.
(block udev
    (block daemon
        (type exec)
    )
    (block udevadm
        (typealias exec)
        (typealiasactual exec .udev.daemon.exec)
    )
)
Or something like that.
Jim
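The rule behind Jim's answer (a "." is only valid in a reference, never in a declared name) and the nested-block rewrite he suggests, as an added example that is not part of the thread or of the CIL compiler: a small s-expression walk that reports dotted names in declarations the way semodule would, and a helper that turns an absolute alias name such as `.udev.udevadm.exec` into the block form. The set of declaration statements and the `in_existing` option (emitting `(in udev ...)` for a block declared elsewhere) are assumptions of this example.

```python
import re

# Assumed for this example: statements whose first argument declares a new
# name in the enclosing block. CIL rejects "." in any of these names.
DECL_STATEMENTS = {"block", "type", "typealias", "typeattribute", "role",
                   "user", "bool", "class", "common", "macro"}


def parse_cil(src):
    """Parse CIL s-expressions into nested Python lists; atoms stay strings."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", src):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    return stack[0]


def dotted_declarations(tree):
    """Return (statement, name) pairs whose declared name contains ".".
    References (e.g. both arguments of typealiasactual) are not checked,
    so ".udev.daemon.exec" used as a reference is fine."""
    bad = []
    for node in tree:
        if not isinstance(node, list) or not node:
            continue
        if node[0] in DECL_STATEMENTS and len(node) > 1 \
                and isinstance(node[1], str) and "." in node[1]:
            bad.append((node[0], node[1]))
        bad.extend(dotted_declarations(node[1:]))   # descend into children
    return bad


def nested_alias(alias, actual, in_existing=False):
    """Rewrite an absolute alias name like ".udev.udevadm.exec" into nested
    blocks. With in_existing=True the outermost container is emitted as an
    (in ...) statement so it can be added to a block declared elsewhere."""
    parts = alias.lstrip(".").split(".")
    containers, leaf = parts[:-1], parts[-1]
    lines = []
    for depth, name in enumerate(containers):
        kw = "in" if in_existing and depth == 0 else "block"
        lines.append("    " * depth + f"({kw} {name}")
    depth = len(containers)
    lines.append("    " * depth + f"(typealias {leaf})")
    lines.append("    " * depth + f"(typealiasactual {leaf} {actual})")
    lines.extend("    " * d + ")" for d in reversed(range(len(containers))))
    return "\n".join(lines)
```

Running `dotted_declarations(parse_cil(...))` on the module from the first mail reports `("typealias", "test2.test1")`, while the output of `nested_alias(".udev.udevadm.exec", ".udev.daemon.exec")` reports nothing; the generated fragment still relies on `.udev.daemon.exec` being declared elsewhere in the policy.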
* Re: CIL typealiases
From: Dominick Grift @ 2020-05-28 13:28 UTC (permalink / raw)
To: James Carter; +Cc: SElinux list
On 5/28/20 3:19 PM, James Carter wrote:
> On Thu, May 28, 2020 at 7:21 AM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>>
>> tl;dr typealias (and possibly typealiasactual) statement does not like periods
>>
>> systemd plans to consolidate systemd-udevd and udevadm and so I was
>> looking to consolidate the policy. For compatibility I wanted to add a
>> (typealias .udev.udevadm.exec) and (typealiasactual .udev.udevadm.exec
>> .udev.daemon.exec)
>>
>> That reminded me that it does not like the period name space
>> delimiter in at least the typealias statement.
>>
>> Example:
>>
>> [root@brutus ~]# echo "(block test (type test1) (typealias test2.test1)
>> (typealiasactual test2.test1 test.test1))" > mytest.cil
>> [root@brutus ~]# semodule -vvv -i mytest.cil
>>
>> <snip>
>> Building AST from Parse Tree
>> Invalid character "." in test2.test1
>> Invalid name
>> Failed to create node
>> Bad typealias declaration at
>> /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
>> Problem at /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
>> Failed to build ast
>> semodule: Failed!
>>
>
> CIL doesn't like "." in any name used in a declaration.
>
> If you want an alias with a "." in it, then use blocks.
> (block udev
> (block daemon
> (type exec)
> )
> (block udevadm
> (typealias exec)
> (typealiasactual exec .udev.daemon.exec)
> )
> )
>
> Or something like that.
Right, thanks, that works, and sorry about that. Feels like déjà vu; this must
not have been the first time I encountered this.
Feels kind of unintuitive, but it makes perfect sense thinking about it.
Just need to get used to it.
>
> Jim
>
* Re: CIL typealiases
From: James Carter @ 2020-05-28 13:36 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list
On Thu, May 28, 2020 at 9:28 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
>
>
> On 5/28/20 3:19 PM, James Carter wrote:
> > On Thu, May 28, 2020 at 7:21 AM Dominick Grift
> > <dominick.grift@defensec.nl> wrote:
> >>
> >>
> >> tl;dr typealias (and possibly typealiasactual) statement does not like periods
> >>
> >> systemd plans to consolidate systemd-udevd and udevadm and so I was
> >> looking to consolidate the policy. For compatibility I wanted to add a
> >> (typealias .udev.udevadm.exec) and (typealiasactual .udev.udevadm.exec
> >> .udev.daemon.exec)
> >>
> >> That reminded me that it does not like the period name space
> >> delimiter in at least the typealias statement.
> >>
> >> Example:
> >>
> >> [root@brutus ~]# echo "(block test (type test1) (typealias test2.test1)
> >> (typealiasactual test2.test1 test.test1))" > mytest.cil
> >> [root@brutus ~]# semodule -vvv -i mytest.cil
> >>
> >> <snip>
> >> Building AST from Parse Tree
> >> Invalid character "." in test2.test1
> >> Invalid name
> >> Failed to create node
> >> Bad typealias declaration at
> >> /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
> >> Problem at /var/lib/selinux/mydssp3-mcs/tmp/modules/400/mytest/cil:1
> >> Failed to build ast
> >> semodule: Failed!
> >>
> >
> > CIL doesn't like "." in any name used in a declaration.
> >
> > If you want an alias with a "." in it, then use blocks.
> > (block udev
> > (block daemon
> > (type exec)
> > )
> > (block udevadm
> > (typealias exec)
> > (typealiasactual exec .udev.daemon.exec)
> > )
> > )
> >
> > Or something like that.
>
> Right, thanks, that works, and sorry about that. Feels like déjà vu; this must
> not have been the first time I encountered this.
>
> Feels kind of unintuitive, but it makes perfect sense thinking about it.
> Just need to get used to it.
>
I had forgotten myself until I looked at the code. It is obvious in
hindsight though, because if CIL allowed ".", then it would have
trouble trying to resolve the name, because it would expect a block.
Thanks for the report anyway. You do a great job of finding all of the
corner cases in CIL. CIL has been greatly helped by all of your
reports.
Jim