From: paul.moore@hp.com (Paul Moore)
Date: Thu, 19 Aug 2010 13:38:58 -0400
Subject: [refpolicy] Bug in postgresql_role() makes the lspp_test.pp unable to be inserted ?
In-Reply-To:
References:
Message-ID: <1282239538.4115.29.camel@flek>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2010-08-19 at 12:37 +0000, TaurusHarry wrote:
> Hi Paul,
>
> Enlightened by a similar issue
> (https://partner-bugzilla.redhat.com/show_bug.cgi?id=607912), I seem to
> have found the root cause of the failure below when trying to insert the
> lspp_test.pp from the latest audit-test-2177 version into the SELinux
> policy generated from refpolicy-2.20091117:
>
> [root/secadm_r/s0 at qemu-host selinux-policy]# semodule -i lspp_test.pp
> libsepol.expand_terule_helper: conflicting TE rule for
> (lspp_test_generic_t, sepgsql_db_t:db_table): old was
> user_sepgsql_table_t, new is sepgsql_table_t
> libsepol.expand_module: Error during expand
> libsemanage.semanage_expand_sandbox: Expand module failed
> semodule: Failed!
> [root/secadm_r/s0 at qemu-host selinux-policy]#
>
> I guess there is a bug in the implementation of postgresql.te in the
> current refpolicy source code: the lspp_test_generic_t domains should
> not be created by the userdom_unpriv_user_template() template, because
> the postgresql_role() interface is called by the
> userdom_unpriv_user_template() template:
>
> userdom_unpriv_user_template(lspp_test_generic)
>
> postgresql_role($1_r,$1_t):
> typeattribute $2 sepgsql_client_type;
> allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
>
> This grants the lspp_test_generic_t domain some permissions on the
> user_sepgsql_table_t type of file of the db_table class.
>
> However, please note that the postgresql_role() interface also adds
> the lspp_test_generic_t domain to the sepgsql_client_type attribute,
> which will be granted the same permissions as above on the
> sepgsql_table_t type of file of the db_table class:
>
> services/postgresql.te:
> allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
>
> This makes the lspp_test.pp unable to be inserted:
> libsepol.expand_terule_helper: conflicting TE rule for
> (lspp_test_generic_t, sepgsql_db_t:db_table): old was
> user_sepgsql_table_t, new is sepgsql_table_t
>
> In the error message above, the "old" refers to the allow rule
> present in the lspp_test.pp:
> allow lspp_test_generic_t user_sepgsql_table_t:db_table ...
> whereas the "new" refers to the allow rule present in the
> postgresql.pp installed into the current SELinux policy:
> allow lspp_test_generic_t sepgsql_table_t:db_table ...
>
> So far this problem can be worked around by creating the lspp_test_*
> domains with the userdom_admin_user_template() template, which does not
> call the postgresql_role() interface. Since the lspp_test.pp will be
> used only when running the test cases provided by the audit-test package
> to aid CAPP/LSPP certification, and is easily removed from the SELinux
> policy store thereafter, this won't diminish the security provided by
> SELinux.

Do you have a patch you could share? It is always easier to evaluate an
idea when you have the changes to look at ...

--
paul moore
linux @ hp
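The expand failure quoted above, as an added example that is not from the thread or from refpolicy: a small Python model of libsepol's expand-time check, which rejects two type-setting TE rules (type_transition and kin) from different modules that share one (source, target:class) key but name different result types, a rule written on an attribute expanding to every member type. The rule tuples and attribute membership are constructed to match the quoted error message and the proposed workaround, not copied from the policy sources.

```python
class ConflictingTERule(Exception):
    """Raised when one (source, target, class) key gets two result types."""


def expand_rules(rules, attributes):
    """Expand each rule's source over attribute membership and record the
    result type per (source, target, class) key.

    rules: list of (module, source, target, tclass, result) tuples.
    attributes: attribute name -> set of member types; any other source is
    treated as a plain type. Raises ConflictingTERule on the first clash.
    """
    expanded = {}
    for module, source, target, tclass, result in rules:
        for src in sorted(attributes.get(source, {source})):
            key = (src, target, tclass)
            old = expanded.get(key)
            if old is not None and old[1] != result:
                raise ConflictingTERule(
                    f"conflicting TE rule for ({src}, {target}:{tclass}): "
                    f"old was {old[1]} [{old[0]}], new is {result} [{module}]")
            expanded[key] = (module, result)
    return expanded


# Constructed rules mirroring the thread's error (illustrative, not copied from
# refpolicy): lspp_test.pp carries the per-domain rule emitted by
# postgresql_role(); postgresql.pp carries the rule on the attribute.
RULES = [
    ("lspp_test.pp", "lspp_test_generic_t", "sepgsql_db_t", "db_table",
     "user_sepgsql_table_t"),
    ("postgresql.pp", "sepgsql_client_type", "sepgsql_db_t", "db_table",
     "sepgsql_table_t"),
]


def check_policy(domain_in_client_attr):
    """Simulate the insert: return None on success, else the conflict text.
    True models postgresql_role() having put lspp_test_generic_t into
    sepgsql_client_type; False models the workaround (no postgresql_role()).
    """
    members = {"lspp_test_generic_t"} if domain_in_client_attr else set()
    try:
        expand_rules(RULES, {"sepgsql_client_type": members})
    except ConflictingTERule as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for in_attr in (True, False):
        print(check_policy(in_attr) or "expanded cleanly")
```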