From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 27 Aug 2016 19:08:16 +0200
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To:
References: <1471099545.21480.27.camel@trentalancia.net> <1471296811.28802.0.camel@trentalancia.net> <1471704772.17584.9.camel@trentalancia.net> <1471894798.19333.1.camel@trentalancia.net> <1471956294.17467.4.camel@trentalancia.net> <1472075733.19800.4.camel@trentalancia.net>
Message-ID: <1472317696.28955.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

On Wed, 24/08/2016 at 18.10 -0400, Chris PeBenito wrote:
> On 08/24/16 17:55, Guido Trentalancia wrote:
> > Hello Christopher.
> > 
> > I have more detailed information about this problem...
> > 
> > On Tue, 23/08/2016 at 19.02 -0400, Chris PeBenito wrote:
> > > On 08/23/16 08:44, Guido Trentalancia wrote:
> > > > Hello Christopher !
> > > > 
> > > > Thanks for providing your valuable feedback.
> > > > 
> > > > On Mon, 22/08/2016 at 21.15 -0400, Chris PeBenito wrote:
> > > > > On 08/22/16 15:39, Guido Trentalancia wrote:
> > > > > > + type dconf_t, dconf_exec_t, dconf_home_t;
> > > > > > + type at_spi_t, at_spi_exec_t;
> > > > > >   type gconfd_t, gconfd_exec_t, gconf_tmp_t;
> > > > > >   type gconf_home_t;
> > > > > > + type gnome_settings_t,
> > > > > > gnome_settings_exec_t;
> > > > > > + type gnome_settings_daemon_t,
> > > > > > gnome_settings_daemon_exec_t;
> > > > > > + type gnome_settings_schemas_t;
> > > > > > + type gkeyringd_exec_t,
> > > > > > gnome_keyring_home_t,
> > > > > > gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
> > > > > > + type mime_info_t;
> > > > > > + type user_dbusd_t;
> > > > > 
> > > > > This dbus type cannot be referenced directly in this module.
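Review bot: the last added line of this gen_require, `+ type user_dbusd_t;`, hard-codes the user role's session bus domain into the gnome module, so the same rules cannot serve the other role prefixes and the gnome module takes a direct dependency on a per-role type that belongs to the dbus module. Drop the direct reference and obtain the transition through a dbus interface that takes the role prefix and the caller domain, so that the $1_dbusd_t rules stay inside the dbus module.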
> > > > If $1_dbusd_t is used to get the role/type prefix from the caller,
> > > > then it doesn't compile for some reason which is not yet clear to
> > > > me.
> > > > 
> > > > Any idea ?
> > > 
> > > The $1_dbusd_t rules need to be contained in the dbus module, not
> > > the gnome module.  Beyond that, it's tough to say what the problem
> > > is, without knowing the error messages.
> > 
> > Suppose we have the following additional dbus interface:
> > 
> > ########################################
> > ##
> > ##	Make a domain transition from a
> > ##	given source domain to the
> > ##	DBUS session bus domain using
> > ##	the DBUS executable file type.
> > ##
> > ##
> > ##
> > ##	The prefix of the user role (e.g., user
> > ##	is the prefix for user_r).
> > ##
> > ##
> > ##
> > ##
> > ##	Domain allowed access.
> > ##
> > ##
> > #
> > interface(`dbus_domain_transition_session_bus',`
> > 	gen_require(`
> > 		type dbusd_exec_t;
> > 		type $1_dbusd_t;
> > 	')
> > 
> > 	allow $2 dbusd_exec_t:file exec_file_perms;
> > 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
> > ')
> > 
> > and suppose that it is called by the following statement:
> > 
> > dbus_domain_transition_session_bus($1, at_spi_t)
> > 
> > where $1 = "user".
> > 
> > During policy load, the following error is generated:
> > 
> > Conflicting type rules
> > Binary policy creation failed at line 29393 of
> > /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
> > Failed to generate binary
> > /usr/sbin/semodule:  Failed!
> > make: *** [Rules.modular:58: load] Error 1
> > 
> > The temporary file is deleted automatically and cannot be inspected.
> > 
> > I hope it is clear now...
> > 
> > Do you have an idea ?
> > It's the only thing missing before all the dbus rules are moved from
> > the gnome to the dbus module and I can create a new version of this
> > important patch.
> 
> It's not so helpful unfortunately.  My guess is that it is a conflicting
> type_transition.  Unfortunately the compiler error message isn't helpful.

I have just posted a patch on the SELinux mailing list to produce a more
meaningful error message for conflicting type rules, see the following
thread:

[PATCH] libsepol: Produce more meaningful error messages for conflicting
type rules

In this case, the conflicting type rule is:

scontext=at_spi_t tcontext=dbusd_exec_t tclass=process result=sysadm_dbusd_t

which confirms the previous debugging results (it's the type_transition
rule).

Another one is similar, with scontext=gnome_settings_t.

What I suspect is that when it compiles, it quadruplicates the type
transition for each of user, staff, sysadm and xguest, thus leading to
conflicting rules.

Therefore, the solution might be to use a common static name for the
domain (for example, "session_dbusd_t" instead of "$1_dbusd_t").

Regards,

Guido
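The following is an added illustration, not code from this thread or from the refpolicy project, of the conflict Guido describes above. An SELinux type_transition is keyed on (source type, target type, object class) and may name only one default type; two rules with the same key and different defaults are what the compiler reports as "Conflicting type rules". The model below instantiates the posted dbus_domain_transition_session_bus() interface once per role prefix, as a per-role gnome template would, and shows that the per-role result type "$1_dbusd_t" yields four rules with the same key but different defaults, whereas a static result type such as the proposed "session_dbusd_t" yields a single rule. The role prefixes and type names are taken from the thread; the per-role expansion loop and the function names are this example's own assumptions, not libsepol's logic.

```python
# Added illustration (not refpolicy code): why a per-role result type in a
# shared dbus interface produces "Conflicting type rules", and why a static
# result type does not.
#
# Model: an SELinux type_transition is keyed on (source, target, class) and
# may name only one default type. Identical duplicates are harmless; two
# rules with the same key and different defaults are rejected by the policy
# compiler. Role prefixes and type names come from the thread; the
# expansion below is a simplified stand-in for how a per-role template is
# instantiated (an assumption of this example, not libsepol's algorithm).
from collections import defaultdict

# The four role prefixes named in the thread (assumed to be the ones the
# gnome template is instantiated for).
ROLE_PREFIXES = ("user", "staff", "sysadm", "xguest")


def dbus_domain_transition_session_bus(prefix, domain, result_type=None):
    """Model the posted interface for one role prefix.

    Returns the type_transition that domtrans_pattern() implies, as the
    tuple (source, target, class, default). With result_type=None the
    default is the per-role "<prefix>_dbusd_t" of the posted interface;
    pass a static name such as "session_dbusd_t" to model the proposed fix.
    """
    default = result_type if result_type is not None else f"{prefix}_dbusd_t"
    return (domain, "dbusd_exec_t", "process", default)


def expand_for_all_roles(domain, result_type=None):
    """Instantiate the interface once per role prefix, as a per-role gnome
    template calling it with $1 = each prefix would. Exact duplicates are
    folded, since identical rules do not conflict."""
    rules = []
    for prefix in ROLE_PREFIXES:
        rule = dbus_domain_transition_session_bus(prefix, domain, result_type)
        if rule not in rules:
            rules.append(rule)
    return rules


def find_conflicts(rules):
    """Return {(source, target, class): [defaults]} for every key that is
    given more than one default type: the condition reported as
    "Conflicting type rules"."""
    defaults_by_key = defaultdict(set)
    for source, target, tclass, default in rules:
        defaults_by_key[(source, target, tclass)].add(default)
    return {key: sorted(d) for key, d in defaults_by_key.items() if len(d) > 1}


if __name__ == "__main__":
    # at_spi_t and gnome_settings_t are the two source domains the thread
    # reports conflicts for.
    for domain in ("at_spi_t", "gnome_settings_t"):
        per_role = expand_for_all_roles(domain)
        fixed = expand_for_all_roles(domain, "session_dbusd_t")
        print(domain, "per-role result type:", find_conflicts(per_role))
        print(domain, "static result type:  ", find_conflicts(fixed))
```

Running the script prints, for each source domain, one conflicting key with the four per-role defaults when "$1_dbusd_t" is used and an empty conflict set when the static "session_dbusd_t" is used; in the real build the same per-role expansion is what the CIL compiler rejects when the four instantiated templates are linked into one policy.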