From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 25 Aug 2016 18:49:16 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file
	contexts
In-Reply-To: <1472118421.22976.10.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
	<1471296811.28802.0.camel@trentalancia.net>
	<1471704772.17584.9.camel@trentalancia.net>
	<1471894798.19333.1.camel@trentalancia.net>
	<e24eaac7-5277-23b5-f5db-d1a286920a9b@ieee.org>
	<1471956294.17467.4.camel@trentalancia.net>
	<d4e37b0e-79de-eee1-fa40-7888b5802591@ieee.org>
	<1472075733.19800.4.camel@trentalancia.net>
	<cb9a9019-2e69-dde1-e3cb-aa4382f3f589@ieee.org>
	<1472118421.22976.10.camel@trentalancia.net>
Message-ID: <7849dd75-bc63-f964-68b8-e4573f32852e@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/25/16 05:47, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have more information on this problem.
>
> On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
>> On 08/24/16 17:55, Guido Trentalancia wrote:
>>>
>>> Hello Christopher.
>>>
>>> I have more detailed information about this problem...
>>>
>>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>>>
>>>>>
>>>>> Hello Christopher !
>>>>>
>>>>> Thanks for providing your valuable feedback.
>>>>>
>>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>>>
>>>>>>
>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> +		type dconf_t, dconf_exec_t, dconf_home_t;
>>>>>>> +		type at_spi_t, at_spi_exec_t;
>>>>>>>  		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>>>  		type gconf_home_t;
>>>>>>> +		type gnome_settings_t,
>>>>>>> gnome_settings_exec_t;
>>>>>>> +		type gnome_settings_daemon_t,
>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>> +		type gnome_settings_schemas_t;
>>>>>>> +		type gkeyringd_exec_t,
>>>>>>> gnome_keyring_home_t,
>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>> +		type mime_info_t;
>>>>>>> +		type user_dbusd_t;
>>>>>>
>>>>>> This dbus type cannot be referenced directly in this module.
>>>>>
>>>>> If $1_dbusd_t is used to get the role/type prefix from the
>>>>> caller,
>>>>> then
>>>>> it doesn't compile for some reason which is not yet clear to
>>>>> me.
>>>>>
>>>>> Any idea ?
>>>>
>>>> The $1_dbusd_t rules need to be contained in the dbus module, not
>>>> the
>>>> gnome module.  Beyond that, it's tough to say what the problem
>>>> is,
>>>> without knowing the error messages.
>>>
>>> Suppose to have the following additional dbus interface:
>>>
>>> #######################################
>>> ## <summary>
>>> ##      Make a domain transition from a
>>> ##      given source domain to the
>>> ##      DBUS session bus domain using
>>> ##      the DBUS executable file type.
>>> ## </summary>
>>> ## <param name="role_prefix">
>>> ##      <summary>
>>> ##      The prefix of the user role (e.g., user
>>> ##      is the prefix for user_r).
>>> ##      </summary>
>>> ## </param>
>>> ## <param name="domain">
>>> ##      <summary>
>>> ##      Domain allowed access.
>>> ##      </summary>
>>> ## </param>
>>> #
>>> interface(`dbus_domain_transition_session_bus',`
>>>         gen_require(`
>>>                 type dbusd_exec_t;
>>>                 type $1_dbusd_t;
>>>         ')
>>>
>>>         allow $2 dbusd_exec_t:file exec_file_perms;
>>>         domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>> ')
>>>
>>> and suppose that it is called by the following statement:
>>>
>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>
>>> where $1 = "user".
>>>
>>> During policy load, the following error is generated:
>>>
>>> Conflicting type rules
>>> Binary policy creation failed at line 29393 of
>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>> Failed to generate binary
>>> /usr/sbin/semodule:  Failed!
>>> make: *** [Rules.modular:58: load] Error 1
>>>
>>> The temporary file is deleted automatically and cannot be
>>> inspected.
>>>
>>> I hope it is clear now...
>>>
>>> Do you have an idea ? It's the only thing missing before all the
>>> dbus
>>> rules are moved from the gnome to the dbus module and I can create
>>> a
>>> new version of this important patch.
>>
>> It's not so helpful unfortunately.  My guess is that it is a
>> conflicting
>> type_transition.  Unfortunately the compiler error message isn't
>> helpful.
>
> I have tested and your guess is correct !
>
> The above interface expands as follows:
>
> interface(`dbus_domain_transition_session_bus',`
>         allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
>
>         domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
> #        type_transition $2 dbusd_exec_t:process $1_dbusd_t;
>
>         allow $1_dbusd_t $2:fd use;
>         allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
>         allow $1_dbusd_t $2:process sigchld;
> ')
>
> The line that has been commented out (type_transition) is the
> problematic rule which leads to the "conflicting type rules" error upon
> loading the policy.
>
> Such rule comes from the domain_auto_transition_pattern provided by
> support/misc_patterns.spt.
>
> However, if I hardcode "user" instead of "$1", the type_transition
> works fine. I suspect, it stops functioning when $1 is replaced by
> "sysadm" or "staff".
>
> If I do manually substitute the two and try to recompile, the following
> happens:
>
> $1=sysadm ==> staff.te doesn't compile (unknown type error)
>
> $1=staff ==> sysadm.te doesn't compile (unknown type error)
>
> In some way, it sounds like a bug or some sort of limitation of the
> actual policy... Can you shed some light ?

I'm not clear why you would see unknown types.  You have to inspect the 
intermediate files.  I believe if you add them to a .SECONDARY entry in 
the Makefile/Rules.*, it will not delete them when they're done.  I'd be 
fine taking that patch too, so intermediate files are never deleted.


-- 
Chris PeBenito