From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 25 Aug 2016 11:47:01 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To:
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <1471956294.17467.4.camel@trentalancia.net> <1472075733.19800.4.camel@trentalancia.net>
Message-ID: <1472118421.22976.10.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

I have more information on this problem.

On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
> On 08/24/16 17:55, Guido Trentalancia wrote:
> >
> > Hello Christopher.
> >
> > I have more detailed information about this problem...
> >
> > On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
> > >
> > > On 08/23/16 08:44, Guido Trentalancia wrote:
> > > >
> > > > Hello Christopher !
> > > >
> > > > Thanks for providing your valuable feedback.
> > > >
> > > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> > > > >
> > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > >
> > > > > > + type dconf_t, dconf_exec_t, dconf_home_t;
> > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > >   type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > > > > >   type gconf_home_t;
> > > > > > + type gnome_settings_t, gnome_settings_exec_t;
> > > > > > + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
> > > > > > + type gnome_settings_schemas_t;
> > > > > > + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > + type mime_info_t;
> > > > > > + type user_dbusd_t;
> > > > >
> > > > > This dbus type cannot be referenced directly in this module.
> > > >
> > > > If $1_dbusd_t is used to get the role/type prefix from the caller, then
> > > > it doesn't compile for some reason which is not yet clear to me.
> > > >
> > > > Any idea ?
> > >
> > > The $1_dbusd_t rules need to be contained in the dbus module, not the
> > > gnome module.  Beyond that, it's tough to say what the problem is,
> > > without knowing the error messages.
> >
> > Suppose to have the following additional dbus interface:
> >
> > #######################################
> > ##
> > ##      Make a domain transition from a
> > ##      given source domain to the
> > ##      DBUS session bus domain using
> > ##      the DBUS executable file type.
> > ##
> > ##
> > ##
> > ##      The prefix of the user role (e.g., user
> > ##      is the prefix for user_r).
> > ##
> > ##
> > ##
> > ##
> > ##      Domain allowed access.
> > ##
> > ##
> > #
> > interface(`dbus_domain_transition_session_bus',`
> >         gen_require(`
> >                 type dbusd_exec_t;
> >                 type $1_dbusd_t;
> >         ')
> >
> >         allow $2 dbusd_exec_t:file exec_file_perms;
> >         domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > ')
> >
> > and suppose that it is called by the following statement:
> >
> > dbus_domain_transition_session_bus($1, at_spi_t)
> >
> > where $1 = "user".
> >
> > During policy load, the following error is generated:
> >
> > Conflicting type rules
> > Binary policy creation failed at line 29393 of
> > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > Failed to generate binary
> > /usr/sbin/semodule:  Failed!
> > make: *** [Rules.modular:58: load] Error 1
> >
> > The temporary file is deleted automatically and cannot be inspected.
> >
> > I hope it is clear now...
> >
> > Do you have an idea ? It's the only thing missing before all the dbus
> > rules are moved from the gnome to the dbus module and I can create a
> > new version of this important patch.
>
> It's not so helpful unfortunately.  My guess is that it is a conflicting
> type_transition.  Unfortunately the compiler error message isn't helpful.

I have tested and your guess is correct !

The above interface expands as follows:

interface(`dbus_domain_transition_session_bus',`
        allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
        domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
        # type_transition $2 dbusd_exec_t:process $1_dbusd_t;
        allow $1_dbusd_t $2:fd use;
        allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
        allow $1_dbusd_t $2:process sigchld;
')

The line that has been commented out (type_transition) is the problematic
rule which leads to the "conflicting type rules" error upon loading the
policy.

Such a rule comes from the domain_auto_transition_pattern provided by
support/misc_patterns.spt.

However, if I hardcode "user" instead of "$1", the type_transition works
fine.

I suspect it stops functioning when $1 is replaced by "sysadm" or "staff".

If I do manually substitute the two and try to recompile, the following
happens:

$1=sysadm ==> staff.te doesn't compile (unknown type error)
$1=staff ==> sysadm.te doesn't compile (unknown type error)

In some way, it sounds like a bug or some sort of limitation of the actual
policy...

Can you shed some light ?

Best regards,

Guido
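Review bot: the gen_require in this hunk pulls `type user_dbusd_t;`, a type owned by the dbus module, directly into the gnome module. In refpolicy a module's gen_require should only name its own types (and those of the kernel layer); access to another module's types goes through that module's interfaces, so the transition to the session bus domain belongs in a dbus_* interface in the dbus module rather than in a hard-coded `user_dbusd_t` requirement here, which would also only ever cover the user role and not the other role prefixes.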
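The "Conflicting type rules" failure discussed in this thread is what CIL reports when two type_transition rules share the same source, target and object class (and object name, for named transitions) but name different default types; exact duplicates are accepted, differing defaults are not. That is consistent with the observation above that a single hard-coded prefix loads fine while the per-prefix `$1_dbusd_t` form does not, since one global `at_spi_t` domain can only transition to one `*_dbusd_t` type on `dbusd_exec_t`. The checker below is an added illustration, not code from the thread or from refpolicy: it parses expanded type_transition statements out of policy text and reports keys with competing defaults. The sample rules are constructed to mirror the interface above being called with `$1` = user, staff and sysadm for the same `$2` (at_spi_t).

```python
"""Flag type_transition rules that CIL would reject as conflicting.

Added illustration (not code from the refpolicy thread or project).
SELinux rejects two type_transition rules whose (source, target, class,
object name) key is identical but whose default type differs.  Exact
duplicates are harmless; differing defaults are "Conflicting type rules".
"""
import re
from collections import defaultdict

# Constructed sample: what the thread's interface expands to when it is
# called with $1 = user, staff and sysadm for the same $2 (at_spi_t),
# plus two identical (harmless) rules for user_t and an unrelated allow.
SAMPLE_RULES = """\
type_transition at_spi_t dbusd_exec_t:process user_dbusd_t;
type_transition at_spi_t dbusd_exec_t:process staff_dbusd_t;
type_transition at_spi_t dbusd_exec_t:process sysadm_dbusd_t;
type_transition user_t dbusd_exec_t:process user_dbusd_t;
type_transition user_t dbusd_exec_t:process user_dbusd_t;
allow at_spi_t dbusd_exec_t:file { read execute };
"""

# type_transition SRC TGT:CLASS DEFAULT ["objname"];   optional trailing comment
RULE_RE = re.compile(
    r'^\s*type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+?)'
    r'(?:\s+"([^"]*)")?\s*;\s*(?:#.*)?$'
)


def parse_type_transitions(policy_text):
    """Return a list of ((src, tgt, cls, objname), default) tuples.

    Lines that are not type_transition statements (allow rules,
    comments, blanks) are ignored.  objname is "" for unnamed rules.
    """
    rules = []
    for line in policy_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, default, objname = m.groups()
            rules.append(((src, tgt, cls, objname or ""), default))
    return rules


def find_conflicts(rules):
    """Map every key with more than one distinct default type to the
    sorted list of competing defaults (the rules CIL would reject)."""
    defaults_by_key = defaultdict(set)
    for key, default in rules:
        defaults_by_key[key].add(default)
    return {
        key: sorted(defaults)
        for key, defaults in defaults_by_key.items()
        if len(defaults) > 1
    }


def report(policy_text):
    """Human-readable summary, one line per conflicting key."""
    conflicts = find_conflicts(parse_type_transitions(policy_text))
    lines = []
    for (src, tgt, cls, objname), defaults in sorted(conflicts.items()):
        name = f' "{objname}"' if objname else ""
        lines.append(
            f"conflicting type rules: {src} {tgt}:{cls}{name} -> "
            + ", ".join(defaults)
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_RULES) or ["no conflicting type_transition rules"]:
        print(line)
```

Feeding it the output of `sedispol` or the expanded `.te` text before `semodule` runs gives the offending key directly, which the CIL error message in the thread does not. With only the `user_` rules present the report is empty, matching the hard-coded-prefix case above.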