2010-11-22 11:11:00

by harrytaurus2002

Subject: [refpolicy] Side effects for the comments in the .if files?


Hi SELinux expert,

I seem to have run into something that I could not understand: the comments in the .if file have an impact on how the .pp file is compiled. Sometimes the comments in the .if file may block the called interfaces from being properly parsed, and if all comments are removed, then the called interfaces could be parsed correctly to grant the desired permissions for the calling domain.

For example, in my v5-samhain.pp implementation (please refer to another separate email), samhain_service_template() calls userdom_use_user_terminals($1_t) at the end, but I am very surprised to find that samhain_t lacks privileges to access user_devpts_t when deployed on the target. However, if all comments are removed in samhain_service_template(), then the call to userdom_use_user_terminals($1_t) actually takes effect, and I can verify the following lines added to tmp/samhain.tmp:

+ type user_tty_device_t, user_devpts_t;
+#line 38
+
+#line 38
+ } # end require
+#line 38
+
+#line 38
+
+#line 38
+
+#line 38
+ allow samhain_t user_tty_device_t:chr_file { getattr open read write append ioctl };
+#line 38
+ allow samhain_t user_devpts_t:chr_file { getattr open read write append ioctl };
+#line 38

Moreover, comments in the .te files do not seem to have such a side effect; they only do in the .if files. What's going on here? Is there dark magic or anything particular I should watch out for when using comments in the .if files?

Thanks a lot for your ideas!

Best regards,
Harry


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101122/963b9fbd/attachment.html


2010-11-30 15:13:04

by cpebenito

Subject: [refpolicy] Side effects for the comments in the .if files?

On 11/22/10 06:11, HarryCiao wrote:
> Hi SELinux expert,
>
> I seem to have run into something that I could not understand - the comment
> in the .if file would have an impact on how the .pp file is compiled.
> Sometimes the comments in the .if file may block the interfaces called from
> being properly parsed, and if all comments are removed, then the called
> interfaces could be parsed correctly to grant the desired permissions
> for the calling domain.
>
> For example, in my v5-samhain.pp implementation (please refer to another
> separate email), the samhain_service_template() calls
> userdom_use_user_terminals($1_t) in the end, but I am very surprised to
> find that the samhain_t lacks privileges to access user_devpts_t when
> deployed on the target. However, if all comments are removed in
> samhain_service_template(), then the call to
> userdom_use_user_terminals($1_t) could actually take effect, and I could
> verify following lines added to tmp/samhain.tmp:
>
> + ; type user_tty_device_t, user_devpts_t;
> +#line 38
> +
> +#line 38
> + } # end require
> +#line 38
> +
> +#line 38
> +
> +#line 38
> +
> +#line 38
> + allow samhain_t user_tty_device_t:chr_file { getattr open read
> write append ioctl };
> +#line 38
> + allow samhain_t user_devpts_t:chr_file { getattr open read write
> append ioctl };
> +#line 38
>
> Moreover, comments in the .te files do not seem to have such a side
> effect; they only do in the .if files. What's going on here? Is there
> dark magic or anything particular I should watch out for when using
> comments in the .if files?

The only issue I can think of is if you accidentally use an m4 quote in a
comment. For example, a line like this:

# don't do this

If this is in an interface, the apostrophe (') will be interpreted as
the end of the block, which typically means the interface will end
prematurely. However, userdom_use_user_terminals() does not have any
comment issues, so I'm unsure why you're seeing an issue.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-12-04 12:57:18

by harrytaurus2002

Subject: [refpolicy] Side effects for the comments in the .if files?


> Date: Tue, 30 Nov 2010 10:13:04 -0500
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Side effects for the comments in the .if files?
>
> On 11/22/10 06:11, HarryCiao wrote:
> > Hi SELinux expert,
> >
> > I seem to have run into something that I could not understand - the comment
> > in the .if file would have an impact on how the .pp file is compiled.
> > Sometimes the comments in the .if file may block the interfaces called from
> > being properly parsed, and if all comments are removed, then the called
> > interfaces could be parsed correctly to grant the desired permissions
> > for the calling domain.
> >
> > For example, in my v5-samhain.pp implementation (please refer to another
> > separate email), the samhain_service_template() calls
> > userdom_use_user_terminals($1_t) in the end, but I am very surprised to
> > find that the samhain_t lacks privileges to access user_devpts_t when
> > deployed on the target. However, if all comments are removed in
> > samhain_service_template(), then the call to
> > userdom_use_user_terminals($1_t) could actually take effect, and I could
> > verify following lines added to tmp/samhain.tmp:
> >
> > + ; type user_tty_device_t, user_devpts_t;
> > +#line 38
> > +
> > +#line 38
> > + } # end require
> > +#line 38
> > +
> > +#line 38
> > +
> > +#line 38
> > +
> > +#line 38
> > + allow samhain_t user_tty_device_t:chr_file { getattr open read
> > write append ioctl };
> > +#line 38
> > + allow samhain_t user_devpts_t:chr_file { getattr open read write
> > append ioctl };
> > +#line 38
> >
> > Moreover, comments in the .te files do not seem to have such a side
> > effect; they only do in the .if files. What's going on here? Is there
> > dark magic or anything particular I should watch out for when using
> > comments in the .if files?
>
> The only issue I can think of is if you accidentally use an m4 quote in a
> comment. For example, a line like this:
>
> # don't do this
>
> If this is in an interface, the apostrophe (') will be interpreted as
> the end of the block, which typically means the interface will end
> prematurely. However, userdom_use_user_terminals() does not have any
> comment issues, so I'm unsure why you're seeing an issue.
>

Hi Chris,

You are damn right about this! It turns out I had used two apostrophes, such as "Samhain's pid" or "other filesystem's attribute"; once I had them removed, the .if file could be parsed correctly!

Thank you very much!

Best regards,
Harry


> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com

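The mechanism Chris describes above (an apostrophe in a comment closes the m4 quote around the interface body) and the strings Harry found ("Samhain's pid") suggest a simple pre-build check. What follows is an added example, not code from this thread or from refpolicy: a small Python linter that walks each interface()/template() body in an .if file tracking m4 quote depth (` opens, ' closes) and reports where a body closes before its `')` line, noting whether the offending character sits in a # comment, and also reports bodies that never close because of a stray backquote. The sample .if text, the interface names example_use_user_terminals and example_service_template, and the comment "manage Samhain's pid file" are constructed for the example.

```python
"""Lint an SELinux refpolicy .if file for m4 quote characters in comments.

Added example, not code from the mailing-list thread or from refpolicy.
Interface and template bodies are m4 macro arguments quoted with ` and '.
An apostrophe in a # comment closes the quote early, so m4 treats the
body as finished before the real `')' line, and the rules that follow
(for instance a trailing userdom_use_user_terminals($1_t) call) are
never emitted into the compiled module.
"""
import re

# Matches the refpolicy convention: interface(`name',` or template(`name',`
HEADER = re.compile(r"^(interface|template)\(`([A-Za-z0-9_]+)',`\s*$")
CLOSER = "')"  # the line that is supposed to end every body


def find_quote_problems(if_text):
    """Track m4 quote depth through each interface/template body.

    Returns a list of dicts with keys name, header_line, line, in_comment
    and kind: "premature_close" when the body's quoting reaches depth 0
    on a line other than `')', "unterminated" when it never reaches 0.
    Line numbers are 1-based.
    """
    findings = []
    current = None  # (name, header_line) of the body being scanned
    depth = 0       # m4 quote nesting depth inside that body
    for line_no, line in enumerate(if_text.splitlines(), start=1):
        if current is None:
            m = HEADER.match(line)
            if m:
                current = (m.group(2), line_no)
                depth = 1  # the opening ` after the comma on the header line
            continue
        in_comment = False
        for ch in line:
            if ch == "#":
                in_comment = True  # quotes are still live after this point
            elif ch == "`":
                depth += 1
            elif ch == "'":
                depth -= 1
                if depth == 0:
                    if line.strip() != CLOSER:
                        findings.append({
                            "name": current[0],
                            "header_line": current[1],
                            "line": line_no,
                            "in_comment": in_comment,
                            "kind": "premature_close",
                        })
                    current = None
                    break
    if current is not None:  # a stray ` (e.g. in a comment) keeps the body open
        findings.append({
            "name": current[0], "header_line": current[1],
            "line": None, "in_comment": False, "kind": "unterminated",
        })
    return findings


# Constructed sample .if content: one clean interface, then a template whose
# comment contains an apostrophe, as in the thread ("Samhain's pid").
SAMPLE_IF = """\
########################################
## <summary>
##	Read and write user terminals (constructed sample).
## </summary>
interface(`example_use_user_terminals',`
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	# the same permissions the thread shows in tmp/samhain.tmp
	allow $1 user_tty_device_t:chr_file { getattr open read write append ioctl };
	allow $1 user_devpts_t:chr_file { getattr open read write append ioctl };
')

########################################
## <summary>
##	Service template with a quote hidden in a comment (constructed sample).
## </summary>
template(`example_service_template',`
	gen_require(`
		type $1_t;
	')

	# manage Samhain's pid file
	example_use_user_terminals($1_t)
')
"""

if __name__ == "__main__":
    for f in find_quote_problems(SAMPLE_IF):
        where = "in a comment" if f["in_comment"] else "outside a comment"
        print(f"{f['name']} (header line {f['header_line']}): "
              f"{f['kind']} at line {f['line']} {where}")
```

Run against the sample, the checker reports example_service_template closing at the "Samhain's" comment line rather than at its `')`; rewording the comment (for example "Samhain pid", as Harry did) makes the report go away. Pointing it at a module's .if file before running the policy build catches the class of problem the thread hit without having to diff the generated tmp/*.tmp output.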