From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 25 Aug 2016 18:49:16 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To: <1472118421.22976.10.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <1471956294.17467.4.camel@trentalancia.net> <1472075733.19800.4.camel@trentalancia.net> <1472118421.22976.10.camel@trentalancia.net>
Message-ID: <7849dd75-bc63-f964-68b8-e4573f32852e@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/25/16 05:47, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have more information on this problem.
>
> On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
>> On 08/24/16 17:55, Guido Trentalancia wrote:
>>>
>>> Hello Christopher.
>>>
>>> I have more detailed information about this problem...
>>>
>>> On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
>>>>
>>>> On 08/23/16 08:44, Guido Trentalancia wrote:
>>>>>
>>>>>
>>>>> Hello Christopher !
>>>>>
>>>>> Thanks for providing your valuable feedback.
>>>>>
>>>>> On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
>>>>>>
>>>>>>
>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> + type dconf_t, dconf_exec_t, dconf_home_t;
>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>> type gconfd_t, gconfd_exec_t, gconf_tmp_t;
>>>>>>> type gconf_home_t;
>>>>>>> + type gnome_settings_t,
>>>>>>> gnome_settings_exec_t;
>>>>>>> + type gnome_settings_daemon_t,
>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>> + type gnome_settings_schemas_t;
>>>>>>> + type gkeyringd_exec_t,
>>>>>>> gnome_keyring_home_t,
>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>> + type mime_info_t;
>>>>>>> + type user_dbusd_t;
>>>>>>
>>>>>> This dbus type cannot be referenced directly in this module.
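Review bot: the `+ type user_dbusd_t;` line added to this gen_require block pulls a type owned by the dbus module into the gnome module and hardcodes the `user` role prefix, so the same rules would never apply to the staff or sysadm instances of the bus; as the rest of this thread works through, the dbus-related rules belong in a dbus interface that takes the role prefix as a parameter rather than in a gnome gen_require.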
>>>>>
>>>>> If $1_dbusd_t is used to get the role/type prefix from the caller, then it doesn't compile for some reason which is not yet clear to me.
>>>>>
>>>>> Any idea?
>>>>
>>>> The $1_dbusd_t rules need to be contained in the dbus module, not the gnome module. Beyond that, it's tough to say what the problem is, without knowing the error messages.
>>>
>>> Suppose we have the following additional dbus interface:
>>>
>>> #######################################
>>> ##
>>> ## Make a domain transition from a
>>> ## given source domain to the
>>> ## DBUS session bus domain using
>>> ## the DBUS executable file type.
>>> ##
>>> ##
>>> ##
>>> ## The prefix of the user role (e.g., user
>>> ## is the prefix for user_r).
>>> ##
>>> ##
>>> ##
>>> ##
>>> ## Domain allowed access.
>>> ##
>>> ##
>>> #
>>> interface(`dbus_domain_transition_session_bus',`
>>> 	gen_require(`
>>> 		type dbusd_exec_t;
>>> 		type $1_dbusd_t;
>>> 	')
>>>
>>> 	allow $2 dbusd_exec_t:file exec_file_perms;
>>> 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>> ')
>>>
>>> and suppose that it is called by the following statement:
>>>
>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>
>>> where $1 = "user".
>>>
>>> During policy load, the following error is generated:
>>>
>>> Conflicting type rules
>>> Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>> Failed to generate binary
>>> /usr/sbin/semodule: Failed!
>>> make: *** [Rules.modular:58: load] Error 1
>>>
>>> The temporary file is deleted automatically and cannot be inspected.
>>>
>>> I hope it is clear now...
>>>
>>> Do you have an idea? It's the only thing missing before all the dbus rules are moved from the gnome to the dbus module and I can create a new version of this important patch.
>>
>> It's not so helpful unfortunately. My guess is that it is a conflicting type_transition.
>> Unfortunately the compiler error message isn't helpful.
>
> I have tested and your guess is correct!
>
> The above interface expands as follows:
>
> interface(`dbus_domain_transition_session_bus',`
> 	allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
>
> 	domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
> 	# type_transition $2 dbusd_exec_t:process $1_dbusd_t;
>
> 	allow $1_dbusd_t $2:fd use;
> 	allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
> 	allow $1_dbusd_t $2:process sigchld;
> ')
>
> The line that has been commented out (type_transition) is the problematic rule which leads to the "conflicting type rules" error upon loading the policy.
>
> Such a rule comes from the domain_auto_transition_pattern provided by support/misc_patterns.spt.
>
> However, if I hardcode "user" instead of "$1", the type_transition works fine. I suspect it stops functioning when $1 is replaced by "sysadm" or "staff".
>
> If I do manually substitute the two and try to recompile, the following happens:
>
> $1=sysadm ==> staff.te doesn't compile (unknown type error)
>
> $1=staff ==> sysadm.te doesn't compile (unknown type error)
>
> In some way, it sounds like a bug or some sort of limitation of the actual policy... Can you shed some light?

I'm not clear why you would see unknown types. You have to inspect the intermediate files. I believe if you add them to a .SECONDARY entry in the Makefile/Rules.*, it will not delete them when they're done. I'd be fine taking that patch too, so intermediate files are never deleted.

-- 
Chris PeBenito
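The "conflicting type rules" failure discussed in this thread comes from the kernel policy's rule that a (source, target, class) triple may name only one default type in a type_transition. The following checker is an added illustration, not code from the thread or from refpolicy: it substitutes the interface's two parameters by hand for each role prefix (a simplified stand-in for the m4 expansion) and reports any triple that ends up with more than one default, which is what happens when the single shared at_spi_t domain is paired with the per-role $1_dbusd_t types. The per-role source domain in the second call is a constructed contrast, not a proposed refpolicy change.

```python
import re
from collections import defaultdict

# Constructed sample: the type_transition produced by the interface in the
# thread, with $1 (role prefix) and $2 (source domain) left for substitution.
INTERFACE_BODY = """
allow $2 dbusd_exec_t:file exec_file_perms;
type_transition $2 dbusd_exec_t:process $1_dbusd_t;
"""

TT_RE = re.compile(
    r"^\s*type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<dflt>[^;\s]+)\s*;"
)

def expand(prefix, domain, body=INTERFACE_BODY):
    """Substitute the two interface parameters the way m4 would."""
    return body.replace("$1", prefix).replace("$2", domain)

def find_conflicts(policy_text):
    """Map each (source, target, class) triple that names more than one
    default type to the sorted list of defaults. Duplicate rules naming
    the same default are fine; differing defaults are the conflict the
    policy compiler rejects."""
    seen = defaultdict(set)
    for line in policy_text.splitlines():
        m = TT_RE.match(line)
        if m:
            seen[(m["src"], m["tgt"], m["cls"])].add(m["dflt"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def conflicts_for(prefixes, domain_pattern):
    """Expand the interface once per role prefix (as when user, staff and
    sysadm all call it) and check the union. domain_pattern may contain
    $1 so that a hypothetical per-role caller can be modelled too."""
    text = "\n".join(expand(p, domain_pattern.replace("$1", p)) for p in prefixes)
    return find_conflicts(text)

if __name__ == "__main__":
    roles = ["user", "staff", "sysadm"]
    # Shared source domain, as in the thread: one triple, three defaults.
    print(conflicts_for(roles, "at_spi_t"))
    # Constructed contrast: a per-role source domain makes each triple unique.
    print(conflicts_for(roles, "$1_at_spi_t"))
```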