From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 28 Aug 2016 14:29:13 -0400
Subject: [refpolicy] [PATCH v4] Update for the gnome policy and file
	contexts
In-Reply-To: <1472250062.29538.1.camel@trentalancia.net>
References: <1471099545.21480.27.camel@trentalancia.net>
	<1471296811.28802.0.camel@trentalancia.net>
	<1471704772.17584.9.camel@trentalancia.net>
	<1471894798.19333.1.camel@trentalancia.net>
	<e24eaac7-5277-23b5-f5db-d1a286920a9b@ieee.org>
	<1471956294.17467.4.camel@trentalancia.net>
	<d4e37b0e-79de-eee1-fa40-7888b5802591@ieee.org>
	<1472075733.19800.4.camel@trentalancia.net>
	<cb9a9019-2e69-dde1-e3cb-aa4382f3f589@ieee.org>
	<1472118421.22976.10.camel@trentalancia.net>
	<7849dd75-bc63-f964-68b8-e4573f32852e@ieee.org>
	<1472250062.29538.1.camel@trentalancia.net>
Message-ID: <44c1b2b8-debd-669a-5cdf-08bc2e539999@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/26/16 18:21, Guido Trentalancia wrote:
> Hello Christopher.
>
> On Thu, 25/08/2016 at 18.49 -0400, Chris PeBenito wrote:
>
> [...]
>
>>>>>>>> On 08/22/16 15:39, Guido Trentalancia wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> +		type dconf_t, dconf_exec_t,
>>>>>>>>> dconf_home_t;
>>>>>>>>> +		type at_spi_t, at_spi_exec_t;
>>>>>>>>>  		type gconfd_t, gconfd_exec_t,
>>>>>>>>> gconf_tmp_t;
>>>>>>>>>  		type gconf_home_t;
>>>>>>>>> +		type gnome_settings_t,
>>>>>>>>> gnome_settings_exec_t;
>>>>>>>>> +		type gnome_settings_daemon_t,
>>>>>>>>> gnome_settings_daemon_exec_t;
>>>>>>>>> +		type gnome_settings_schemas_t;
>>>>>>>>> +		type gkeyringd_exec_t,
>>>>>>>>> gnome_keyring_home_t,
>>>>>>>>> gnome_keyring_cache_home_t, gnome_keyring_tmp_t;
>>>>>>>>> +		type mime_info_t;
>>>>>>>>> +		type user_dbusd_t;
>>>>>>>>
>>>>>>>> This dbus type cannot be referenced directly in this
>>>>>>>> module.
>>>>>>>
>>>>>>> If $1_dbusd_t is used to get the role/type prefix from the
>>>>>>> caller,
>>>>>>> then
>>>>>>> it doesn't compile for some reason which is not yet clear
>>>>>>> to
>>>>>>> me.
>>>>>>>
>>>>>>> Any idea ?
>>>>>>
>>>>>> The $1_dbusd_t rules need to be contained in the dbus module,
>>>>>> not
>>>>>> the
>>>>>> gnome module.  Beyond that, it's tough to say what the
>>>>>> problem
>>>>>> is,
>>>>>> without knowing the error messages.
>>>>>
>>>>> Suppose to have the following additional dbus interface:
>>>>>
>>>>> #######################################
>>>>> ## <summary>
>>>>> ##      Make a domain transition from a
>>>>> ##      given source domain to the
>>>>> ##      DBUS session bus domain using
>>>>> ##      the DBUS executable file type.
>>>>> ## </summary>
>>>>> ## <param name="role_prefix">
>>>>> ##      <summary>
>>>>> ##      The prefix of the user role (e.g., user
>>>>> ##      is the prefix for user_r).
>>>>> ##      </summary>
>>>>> ## </param>
>>>>> ## <param name="domain">
>>>>> ##      <summary>
>>>>> ##      Domain allowed access.
>>>>> ##      </summary>
>>>>> ## </param>
>>>>> #
>>>>> interface(`dbus_domain_transition_session_bus',`
>>>>>         gen_require(`
>>>>>                 type dbusd_exec_t;
>>>>>                 type $1_dbusd_t;
>>>>>         ')
>>>>>
>>>>>         allow $2 dbusd_exec_t:file exec_file_perms;
>>>>>         domtrans_pattern($2, dbusd_exec_t, $1_dbusd_t)
>>>>> ')
>>>>>
>>>>> and suppose that it is called by the following statement:
>>>>>
>>>>> dbus_domain_transition_session_bus($1, at_spi_t)
>>>>>
>>>>> where $1 = "user".
>>>>>
>>>>> During policy load, the following error is generated:
>>>>>
>>>>> Conflicting type rules
>>>>> Binary policy creation failed at line 29393 of
>>>>> /var/lib/selinux/refpolicy-06082016/tmp/modules/400/sysadm/cil
>>>>> Failed to generate binary
>>>>> /usr/sbin/semodule:  Failed!
>>>>> make: *** [Rules.modular:58: load] Error 1
>>>>>
>>>>> The temporary file is deleted automatically and cannot be
>>>>> inspected.
>>>>>
>>>>> I hope it is clear now...
>>>>>
>>>>> Do you have an idea ? It's the only thing missing before all
>>>>> the
>>>>> dbus
>>>>> rules are moved from the gnome to the dbus module and I can
>>>>> create
>>>>> a
>>>>> new version of this important patch.
>>>>
>>>> It's not so helpful unfortunately.  My guess is that it is a
>>>> conflicting
>>>> type_transition.  Unfortunately the compiler error message isn't
>>>> helpful.
>>>
>>> I have tested and your guess is correct !
>>>
>>> The above interface expands as follows:
>>>
>>> interface(`dbus_domain_transition_session_bus',`
>>>         allow $1_dbusd_t dbusd_exec_t:file exec_file_perms;
>>>
>>>         domain_transition_pattern($2,dbusd_exec_t,$1_dbusd_t)
>>> #        type_transition $2 dbusd_exec_t:process $1_dbusd_t;
>>>
>>>         allow $1_dbusd_t $2:fd use;
>>>         allow $1_dbusd_t $2:fifo_file rw_fifo_file_perms;
>>>         allow $1_dbusd_t $2:process sigchld;
>>> ')
>>>
>>> The line that has been commented out (type_transition) is the
>>> problematic rule which leads to the "conflicting type rules" error
>>> upon
>>> loading the policy.
>>>
>>> Such rule comes from the domain_auto_transition_pattern provided by
>>> support/misc_patterns.spt.
>>>
>>> However, if I hardcode "user" instead of "$1", the type_transition
>>> works fine. I suspect, it stops functioning when $1 is replaced by
>>> "sysadm" or "staff".
>>>
>>> If I do manually substitute the two and try to recompile, the
>>> following
>>> happens:
>>>
>>> $1=sysadm ==> staff.te doesn't compile (unknown type error)
>>>
>>> $1=staff ==> sysadm.te doesn't compile (unknown type error)
>>>
>>> In some way, it sounds like a bug or some sort of limitation of the
>>> actual policy... Can you shed some light ?
>>
>> I'm not clear why you would see unknown types.  You have to inspect
>> the
>> intermediate files.  I believe if you add them to a .SECONDARY entry
>> in
>> the Makefile/Rules.*, it will not delete them when they're done.  I'd
>> be
>> fine taking that patch too, so intermediate files are never deleted.
>
> I think the files that you mention are stored in the "tmp" subdirectory
> of the policy source.
>
> I don't think there is a need to modify the Makefile or Rules.* files.
>
> The "Conflicting type rules" error comes from libsepol when one tries
> to load the policy using semodule (called by the policy Makefile).
>
> What semodule deleted (/var/lib/selinux/refpolicy-
> 06082016/tmp/modules/400/sysadm/cil) might be a binary file generated
> by libsepol. In any case, it has nothing to do with the policy
> Makefile.
>
> Unfortunately, I have checked the temporary files in the "tmp"
> subdirectory of the build tree, but the only difference between the
> working version and the non-working version is that the static
> hardcoded "user" string ("user_dbusd_t") in the type_transition rule is
> replaced by "staff", "sysadm" or "xguest" ("staff_dbusd_t" and so on).
>
> I noticed that the dbus_role_template is also using that variable type
> ($1_dbusd_t, where $1 is normally either "user", "staff", "sysadm" or
> "xguest").
>
> The problem seems to be that the $1_dbusd_t type defined by the
> dbus_role_template conflicts with the type defined by the new interface
> that is required by gnome (it conflicts with the type_transition rule).
>
> I believe this is a bug or some sort of limitation of the existing
> policy... Do you know how to fix it ?

The dbus module is where *_dbusd_t should be declared, so *_dbusd_t 
declarations in a gnome module are incorrect.  The only other issue that 
I can think of is in the past, if you required a type and then later 
declared it in the same file, that would hit a compiler limitation/bug 
that would (incorrectly) call it a duplicate type declaration.

In terms of type_transition you'd have to inspect the intermediate file 
that is used to compile the binary to try to see where the conflict is. 
It may also be a conflict across multiple modules, which would make it 
more difficult to uncover.



-- 
Chris PeBenito