From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 28 Aug 2016 14:29:13 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file contexts
In-Reply-To: <1472250062.29538.1.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
 <1471296811.28802.0.camel@trentalancia.net>
 <1471704772.17584.9.camel@trentalancia.net>
 <1471894798.19333.1.camel@trentalancia.net>
 <1471956294.17467.4.camel@trentalancia.net>
 <1472075733.19800.4.camel@trentalancia.net>
 <1472118421.22976.10.camel@trentalancia.net>
 <7849dd75-bc63-f964-68b8-e4573f32852e@ieee.org>
 <1472250062.29538.1.camel@trentalancia.net>
Message-ID: <44c1b2b8-debd-669a-5cdf-08bc2e539999@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/26/16 18:21, Guido Trentalancia wrote:
> Hello Christopher.
>
> On Thu, 25/08/2016 at 18.49 -0400, Chris PeBenito wrote:
>
> [...]
>
>>>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> + type dconf_t, dconf_exec_t,
>>>>>>>>> dconf_home_t;
>>>>>>>>> + type at_spi_t, at_spi_exec_t;
>>>>>>>>> type gconfd_t, gconfd_exec_t,
>>>>>>>>> gconf_tmp_t;
>>>>>>>>> type gconf_home_t;
>>>>>>>>> + type gnome_settings_t,
>>>>>>>>> gnome_settings_exec_t;
>>>>>>>>> + type gnome_settings_daemon_t,
>>>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>>>> + type gnome_settings_schemas_t;
>>>>>>>>> + type gkeyringd_exec_t,
>>>>>>>>> gnome_keyring_home_t,
>>>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>>>> + type mime_info_t;
>>>>>>>>> + type user_dbusd_t;
>>>>>>>>
>>>>>>>> This dbus type cannot be referenced directly in this module.
>>>>>>>
>>>>>>> If $1_dbusd_t is used to get the role/type prefix from the caller,
>>>>>>> then it doesn't compile for some reason which is not yet clear to me.
>>>>>>>
>>>>>>> Any idea ?
>>>>>>
>>>>>> The $1_dbusd_t rules need to be contained in the dbus module, not
>>>>>> the gnome module. Beyond that, it's tough to say what the problem
>>>>>> is, without knowing the error messages.
>>>>>
>>>>> Suppose we have the following additional dbus interface:
>>>>>
>>>>> #######################################
>>>>> ## <summary>
>>>>> ##	Make a domain transition from a
>>>>> ##	given source domain to the
>>>>> ##	DBUS session bus domain using
>>>>> ##	the DBUS executable file type.
>>>>> ## </summary>
>>>>> ## <param name="prefix">
>>>>> ##	<summary>
>>>>> ##	The prefix of the user role (e.g., user
>>>>> ##	is the prefix for user_r).
>>>>> ##	</summary>
>>>>> ## </param>
>>>>> ## <param name="domain">
>>>>> ##	<summary>
>>>>> ##	Domain allowed access.
>>>>> ##	</summary>
>>>>> ## </param>
>>>>> #
>>>>> interface(`dbus_domain_transition_session_bus',`
>>>>> 	gen_require(`
>>>>> 		type dbusd_exec_t;
>>>>> 		type $1_dbusd_t;
>>>>> 	')
>>>>>
>>>>> 	allow $2 dbusd_exec_t:file exec_file_perms;
>>>>> 	domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>>>> ')
>>>>>
>>>>> and suppose that it is called by the following statement:
>>>>>
>>>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>>>
>>>>> where $1 = "user".
>>>>>
>>>>> During policy load, the following error is generated:
>>>>>
>>>>> Conflicting type rules
>>>>> Binary policy creation failed at line 29393 of /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>>>> Failed to generate binary
>>>>> /usr/sbin/semodule: Failed!
>>>>> make: *** [Rules.modular:58: load] Error 1
>>>>>
>>>>> The temporary file is deleted automatically and cannot be inspected.
>>>>>
>>>>> I hope it is clear now...
>>>>>
>>>>> Do you have an idea ? It's the only thing missing before all the dbus
>>>>> rules are moved from the gnome to the dbus module and I can create a
>>>>> new version of this important patch.
>>>>
>>>> It's not so helpful unfortunately. My guess is that it is a conflicting
>>>> type_transition. Unfortunately the compiler error message isn't helpful.
>>>
>>> I have tested and your guess is correct !
>>>
>>> The above interface expands as follows:
>>>
>>> interface(`dbus_domain_transition_session_bus',`
>>> 	allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
>>>
>>> 	domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
>>> 	# type_transition $2 dbusd_exec_t:process $1_dbusd_t;
>>>
>>> 	allow $1_dbusd_t $2:fd use;
>>> 	allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
>>> 	allow $1_dbusd_t $2:process sigchld;
>>> ')
>>>
>>> The line that has been commented out (type_transition) is the
>>> problematic rule which leads to the "conflicting type rules" error upon
>>> loading the policy.
>>>
>>> Such a rule comes from the domain_auto_transition_pattern provided by
>>> support/misc_patterns.spt.
>>>
>>> However, if I hardcode "user" instead of "$1", the type_transition
>>> works fine. I suspect it stops functioning when $1 is replaced by
>>> "sysadm" or "staff".
>>>
>>> If I do manually substitute the two and try to recompile, the following
>>> happens:
>>>
>>> $1=sysadm ==> staff.te doesn't compile (unknown type error)
>>>
>>> $1=staff ==> sysadm.te doesn't compile (unknown type error)
>>>
>>> In some way, it sounds like a bug or some sort of limitation of the
>>> actual policy... Can you shed some light ?
>>
>> I'm not clear why you would see unknown types. You have to inspect the
>> intermediate files. I believe if you add them to a .SECONDARY entry in
>> the Makefile/Rules.*, it will not delete them when they're done. I'd be
>> fine taking that patch too, so intermediate files are never deleted.
>
> I think the files that you mention are stored in the "tmp" subdirectory
> of the policy source.
>
> I don't think there is a need to modify the Makefile or Rules.* files.
>
> The "Conflicting type rules" error comes from libsepol when one tries
> to load the policy using semodule (called by the policy Makefile).
>
> What semodule deleted (/var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil)
> might be a binary file generated by libsepol. In any case, it has
> nothing to do with the policy Makefile.
>
> Unfortunately, I have checked the temporary files in the "tmp"
> subdirectory of the build tree, but the only difference between the
> working version and the non-working version is that the static
> hardcoded "user" string ("user_dbusd_t") in the type_transition rule is
> replaced by "staff", "sysadm" or "xguest" ("staff_dbusd_t" and so on).
>
> I noticed that the dbus_role_template is also using that variable type
> ($1_dbusd_t, where $1 is normally either "user", "staff", "sysadm" or
> "xguest").
>
> The problem seems to be that the $1_dbusd_t type defined by the
> dbus_role_template conflicts with the type defined by the new interface
> that is required by gnome (it conflicts with the type_transition rule).
>
> I believe this is a bug or some sort of limitation of the existing
> policy... Do you know how to fix it ?

The dbus module is where *_dbusd_t should be declared, so *_dbusd_t
declarations in a gnome module are incorrect. The only other issue that
I can think of is in the past, if you required a type and then later
declared it in the same file, that would hit a compiler limitation/bug
that would (incorrectly) call it a duplicate type declaration.

In terms of type_transition you'd have to inspect the intermediate file
that is used to compile the binary to try to see where the conflict is.
It may also be a conflict across multiple modules, which would make it
more difficult to uncover.

-- 
Chris PeBenito
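The following is an added illustration by the editor; it is not part of the thread and not refpolicy code. It models the mechanism behind the "Conflicting type rules" error discussed above: each role template expands dbus_domain_transition_session_bus($1, at_spi_t) once, so $1 differs per role while $2 (at_spi_t) is one shared type. SELinux keys a type_transition on (source type, target type, class), so four rules with that same key and four different default types cannot coexist, whereas hardcoding "user" produces four identical rules that merge. The set of role prefixes, the at_spi_t caller, and the per-role source domain in the third case are assumptions made for the example.

```python
"""
Added example (not from the thread or from refpolicy): model how the
dbus_domain_transition_session_bus($1, at_spi_t) call expands once per
role template and check the result for the kind of conflict libsepol
reports as "Conflicting type rules".

A type_transition is keyed on (source type, target type, class).  Two
rules with the same key but different default types cannot coexist in
one policy; identical duplicates are harmless.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Role prefixes as named in the thread; the exact set is an assumption here.
ROLE_PREFIXES = ("user", "staff", "sysadm", "xguest")


@dataclass(frozen=True)
class TypeTransition:
    source: str
    target: str
    tclass: str
    default: str

    def render(self) -> str:
        """Policy-language form of the rule, for eyeballing the expansion."""
        return f"type_transition {self.source} {self.target}:{self.tclass} {self.default};"


def expand_interface(prefix: str, source_domain: str) -> TypeTransition:
    """The one rule from the interface that can conflict: the type_transition
    produced by domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t), where $1 is
    the role prefix and $2 the calling domain."""
    return TypeTransition(source_domain, "dbusd_exec_t", "process", f"{prefix}_dbusd_t")


def expand_for_all_roles(source_for: Callable[[str], str],
                         prefix_for: Callable[[str], str] = lambda p: p) -> List[TypeTransition]:
    """Emulate every role template calling the interface once.  source_for
    yields the $2 argument for a role, prefix_for the $1 argument."""
    return [expand_interface(prefix_for(p), source_for(p)) for p in ROLE_PREFIXES]


def find_conflicts(rules: List[TypeTransition]) -> Dict[Tuple[str, str, str], List[str]]:
    """Group rules by (source, target, class).  A key that ends up with more
    than one distinct default type is exactly what the compiler rejects."""
    defaults = defaultdict(set)
    for r in rules:
        defaults[(r.source, r.target, r.tclass)].add(r.default)
    return {k: sorted(v) for k, v in defaults.items() if len(v) > 1}


def shared_source_policy() -> List[TypeTransition]:
    """Case 1, as in the thread: every role passes the single type at_spi_t
    as $2 while $1 varies, giving four defaults for one key."""
    return expand_for_all_roles(source_for=lambda p: "at_spi_t")


def hardcoded_user_policy() -> List[TypeTransition]:
    """Case 2, the 'hardcode user' variant reported to load fine: $1 is
    always 'user', so the four expansions are identical and merge."""
    return expand_for_all_roles(source_for=lambda p: "at_spi_t",
                                prefix_for=lambda p: "user")


def per_role_source_policy() -> List[TypeTransition]:
    """Case 3 (an assumption for illustration, not something the thread
    proposes): if the calling domain were itself per role, e.g. user_at_spi_t,
    every key would be distinct and nothing could conflict."""
    return expand_for_all_roles(source_for=lambda p: f"{p}_at_spi_t")


if __name__ == "__main__":
    for name, policy in (("shared at_spi_t", shared_source_policy()),
                         ("hardcoded user", hardcoded_user_policy()),
                         ("per-role source", per_role_source_policy())):
        print(f"== {name} ==")
        for rule in policy:
            print("  " + rule.render())
        print("  conflicts:", find_conflicts(policy) or "none")
```

Running the script prints the four expanded rules for each case; only the first case reports a conflict, on the key (at_spi_t, dbusd_exec_t, process), which is the same shape of collision the compiler reports without naming the rules involved.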