From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 27 Aug 2016 00:21:02 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To: <7849dd75-bc63-f964-68b8-e4573f32852e@ieee.org>
References: <1471099545.21480.27.camel@trentalancia.net>
	<1471296811.28802.0.camel@trentalancia.net>
	<1471704772.17584.9.camel@trentalancia.net>
	<1471894798.19333.1.camel@trentalancia.net>
	<1471956294.17467.4.camel@trentalancia.net>
	<1472075733.19800.4.camel@trentalancia.net>
	<1472118421.22976.10.camel@trentalancia.net>
	<7849dd75-bc63-f964-68b8-e4573f32852e@ieee.org>
Message-ID: <1472250062.29538.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

On Thu, 25/08/2016 at 18.49 -0400, Chris PeBenito wrote:

[...]

> > > > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > > > >
> > > > > > > > + type dconf_t, dconf_exec_t, dconf_home_t;
> > > > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > > > >   type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > > > > > > >   type gconf_home_t;
> > > > > > > > + type gnome_settings_t, gnome_settings_exec_t;
> > > > > > > > + type gnome_settings_daemon_t, gnome_settings_daemon_exec_t;
> > > > > > > > + type gnome_settings_schemas_t;
> > > > > > > > + type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > > > + type mime_info_t;
> > > > > > > > + type user_dbusd_t;
> > > > > > >
> > > > > > > This dbus type cannot be referenced directly in this module.
> > > > > >
> > > > > > If $1_dbusd_t is used to get the role/type prefix from the caller,
> > > > > > then it doesn't compile for some reason which is not yet clear to
> > > > > > me.
> > > > > >
> > > > > > Any idea ?
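Review bot: the added `+ type user_dbusd_t;` in this gen_require hardcodes the "user" role prefix inside the gnome module and pulls in a type that, as the thread notes, is generated per role by dbus_role_template in the dbus module; the gnome interface should not name that type at all, and the transition into the per-role session bus domain belongs in an interface or template provided by the dbus module, so that staff, sysadm and xguest callers are covered without the gnome policy knowing the prefix.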
> > > > >
> > > > > The $1_dbusd_t rules need to be contained in the dbus module, not
> > > > > the gnome module.  Beyond that, it's tough to say what the problem
> > > > > is, without knowing the error messages.
> > > >
> > > > Suppose we have the following additional dbus interface:
> > > >
> > > > #######################################
> > > > ##
> > > > ##	Make a domain transition from a
> > > > ##	given source domain to the
> > > > ##	DBUS session bus domain using
> > > > ##	the DBUS executable file type.
> > > > ##
> > > > ##
> > > > ##
> > > > ##	The prefix of the user role (e.g., user
> > > > ##	is the prefix for user_r).
> > > > ##
> > > > ##
> > > > ##
> > > > ##
> > > > ##	Domain allowed access.
> > > > ##
> > > > ##
> > > > #
> > > > interface(`dbus_domain_transition_session_bus',`
> > > > 	gen_require(`
> > > > 		type dbusd_exec_t;
> > > > 		type $1_dbusd_t;
> > > > 	')
> > > >
> > > > 	allow $2 dbusd_exec_t:file exec_file_perms;
> > > > 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > > > ')
> > > >
> > > > and suppose that it is called by the following statement:
> > > >
> > > > dbus_domain_transition_session_bus($1, at_spi_t)
> > > >
> > > > where $1 = "user".
> > > >
> > > > During policy load, the following error is generated:
> > > >
> > > > Conflicting type rules
> > > > Binary policy creation failed at line 29393 of
> > > > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > > > Failed to generate binary
> > > > /usr/sbin/semodule:  Failed!
> > > > make: *** [Rules.modular:58: load] Error 1
> > > >
> > > > The temporary file is deleted automatically and cannot be inspected.
> > > >
> > > > I hope it is clear now...
> > > >
> > > > Do you have an idea ?
> > > > It's the only thing missing before all the dbus rules are moved from
> > > > the gnome to the dbus module and I can create a new version of this
> > > > important patch.
> > >
> > > It's not so helpful unfortunately.  My guess is that it is a
> > > conflicting type_transition.  Unfortunately the compiler error message
> > > isn't helpful.
> >
> > I have tested and your guess is correct !
> >
> > The above interface expands as follows:
> >
> > interface(`dbus_domain_transition_session_bus',`
> > 	allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
> >
> > 	domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
> > #	type_transition $2 dbusd_exec_t:process $1_dbusd_t;
> >
> > 	allow $1_dbusd_t $2:fd use;
> > 	allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
> > 	allow $1_dbusd_t $2:process sigchld;
> > ')
> >
> > The line that has been commented out (type_transition) is the
> > problematic rule which leads to the "conflicting type rules" error upon
> > loading the policy.
> >
> > Such a rule comes from the domain_auto_transition_pattern provided by
> > support/misc_patterns.spt.
> >
> > However, if I hardcode "user" instead of "$1", the type_transition
> > works fine. I suspect it stops functioning when $1 is replaced by
> > "sysadm" or "staff".
> >
> > If I do manually substitute the two and try to recompile, the
> > following happens:
> >
> > $1=sysadm ==> staff.te doesn't compile (unknown type error)
> >
> > $1=staff ==> sysadm.te doesn't compile (unknown type error)
> >
> > In some way, it sounds like a bug or some sort of limitation of the
> > actual policy... Can you shed some light ?
>
> I'm not clear why you would see unknown types.  You have to inspect
> the intermediate files.  I believe if you add them to a .SECONDARY
> entry in the Makefile/Rules.*, it will not delete them when they're
> done.  I'd be
> fine taking that patch too, so intermediate files are never deleted.

I think the files that you mention are stored in the "tmp" subdirectory
of the policy source. I don't think there is a need to modify the
Makefile or Rules.* files.

The "Conflicting type rules" error comes from libsepol when one tries
to load the policy using semodule (called by the policy Makefile). What
semodule deleted
(/var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil) might
be a binary file generated by libsepol. In any case, it has nothing to
do with the policy Makefile.

Unfortunately, I have checked the temporary files in the "tmp"
subdirectory of the build tree, but the only difference between the
working version and the non-working version is that the static
hardcoded "user" string ("user_dbusd_t") in the type_transition rule
is replaced by "staff", "sysadm" or "xguest" ("staff_dbusd_t" and so
on).

I noticed that the dbus_role_template is also using that variable type
($1_dbusd_t, where $1 is normally either "user", "staff", "sysadm" or
"xguest").

The problem seems to be that the $1_dbusd_t type defined by the
dbus_role_template conflicts with the type defined by the new
interface that is required by gnome (it conflicts with the
type_transition rule).

I believe this is a bug or some sort of limitation of the existing
policy... Do you know how to fix it ?

Regards,

Guido
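The "Conflicting type rules" situation discussed in the thread, as an added example that is not part of this e-mail exchange or of refpolicy: a small Python checker that parses expanded type_transition rules and reports any (source, target, class) key that maps to more than one default type, which is the condition libsepol rejects. The policy fragment is constructed, not taken from the build tree; it mirrors calling dbus_domain_transition_session_bus($1, at_spi_t) once per role prefix, which yields three different default types for the same at_spi_t/dbusd_exec_t/process key.

```python
import re
from collections import defaultdict

# One expanded rule: type_transition SOURCE TARGET:CLASS DEFAULT;
TT_RE = re.compile(r"^\s*type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+?)\s*;")


def parse_type_transitions(policy_text):
    """Return (src, tgt, cls, default) tuples for every type_transition rule,
    ignoring anything after '#' (so a commented-out rule is not counted)."""
    rules = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0]
        m = TT_RE.match(line)
        if m:
            rules.append(m.groups())
    return rules


def find_conflicts(rules):
    """Group rules by (src, tgt, cls). A key with more than one distinct
    default type is exactly what the policy compiler refuses to link;
    exact duplicates of the same rule are harmless and collapse to one."""
    by_key = defaultdict(set)
    for src, tgt, cls, default in rules:
        by_key[(src, tgt, cls)].add(default)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def expand_interface(role_prefixes, domain):
    """Mimic the rule the interface expands to for each caller: the
    domtrans_pattern gives one type_transition per role prefix (hypothetical
    expansion written for this example, not refpolicy's macro output)."""
    return "\n".join(
        f"type_transition {domain} dbusd_exec_t:process {p}_dbusd_t;"
        for p in role_prefixes)


# Constructed policy fragment: the per-role transitions dbus_role_template
# already produces, a commented-out rule that must be ignored, and the
# gnome interface called for three role prefixes with the same domain.
CONSTRUCTED_POLICY = "\n".join([
    "type_transition user_t dbusd_exec_t:process user_dbusd_t;",
    "type_transition staff_t dbusd_exec_t:process staff_dbusd_t;",
    "#type_transition at_spi_t dbusd_exec_t:process user_dbusd_t;",
    expand_interface(["user", "staff", "sysadm"], "at_spi_t"),
])


def conflicts_in_constructed_policy():
    return find_conflicts(parse_type_transitions(CONSTRUCTED_POLICY))


if __name__ == "__main__":
    for (src, tgt, cls), defaults in conflicts_in_constructed_policy().items():
        print(f"conflict: {src} {tgt}:{cls} -> {', '.join(defaults)}")
```

Running the checker over the real expanded policy text from the build tree's "tmp" subdirectory would locate the duplicated key before semodule discards its intermediate file.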