RE: CIL Typepermissive Symbol not inside parenthesis

2017-01-26 Thread Roberts, William C


> -Original Message-
> From: Roberts, William C
> Sent: Thursday, January 26, 2017 11:17 AM
> To: 'seandroid-list@tycho.nsa.gov' <seandroid-list@tycho.nsa.gov>
> Cc: 'Stephen Smalley' <s...@tycho.nsa.gov>; 'Nick Kralevich' 
> <n...@google.com>;
> 'seli...@tycho.nsa.gov' <seli...@tycho.nsa.gov>
> Subject: RE: CIL Typepermissive Symbol not inside parenthesis
> 
> 
> 
> > -Original Message-
> > From: Roberts, William C
> > Sent: Thursday, January 26, 2017 10:39 AM
> > To: seandroid-list@tycho.nsa.gov
> > Cc: 'Stephen Smalley' <s...@tycho.nsa.gov>; 'Nick Kralevich'
> > <n...@google.com>; seli...@tycho.nsa.gov
> > Subject: CIL Typepermissive Symbol not inside parenthesis
> >
> > Building for Hikey (Android) with a type permissive statement on
> > hci_attach, yields this error:
> >
> > /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30 out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping/current.cil out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil -o out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp )
> > && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains )
> > && (if [ \"userdebug\" = \"user\" -a -s out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi )
> > && (mv out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )"
> > Symbol not inside parenthesis at line 1239 of out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil
> >
> > To reproduce apply this patch to device/linaro/hikey:
> > diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index
> > d87f444..1990d54 100644
> > --- a/sepolicy/hci_attach.te
> > +++ b/sepolicy/hci_attach.te
> > @@ -1,6 +1,8 @@
> >  type hci_attach, domain;
> >  type hci_attach_exec, exec_type, file_type;
> >
> > +permissive hci_attach;
> > +
> >  init_daemon_domain(hci_attach)
> >
> >  allow hci_attach kernel:system module_request;
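Review bot: this hunk is the reproducer only; the build rule echoed in the error output above rejects any permissive domain on user builds ("ERROR: permissive domains not allowed in user builds"), so `permissive hci_attach;` must not be left in hci_attach.te for a user build.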
> >
> > and build sepolicy
> >
> > make -j4 sepolicy
> >
> > I have no idea what's happening, but the statement looks different
> > than all the other CIL statements:
> >
> > Failing CIL snippet:
> >
> > (type hci_attach)
> > (roletype object_r hci_attach)
> > CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r hci_attach_exec)
> > (type hci_attach_tmpfs)
> >
> >
> 
> Some of these call routines like cil_write_roletype() in write_ast.c, but
> some just fprintf(CIL_). Are these features not implemented?
> 
> If I apply this hack it works:
> diff --git a/libsepol/cil/src/cil_write_ast.c 
> b/libsepol/cil/src/cil_write_ast.c
> index 4ebda6a..8a25680 100644
> --- a/libsepol/cil/src/cil_write_ast.c
> +++ b/libsepol/cil/src/cil_write_ast.c
> @@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node
> *node, uint32_t *finished, void
> fprintf(cil_out, "CIL_TYPEBOUNDS ");
> break;
> case CIL_TYPEPERMISSIVE:
> -   fprintf(cil_out, "CIL_TYPEPERMISSIVE ");
> +   fprintf(cil_out, "(typepermissive hci_attach)\n");
> break;
> case CIL_TYPEATTRIBUTE:
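Review bot: the replacement line `fprintf(cil_out, "(typepermissive hci_attach)\n");` hard-codes the type name, so any other permissive type would also be written out as hci_attach; the CIL_TYPEPERMISSIVE case should print the name carried by the node, the way the other cases use writers such as cil_write_roletype() mentioned above, rather than a literal. The original placeholder `fprintf(cil_out, "CIL_TYPEPERMISSIVE ");` also lacks a trailing newline, which is why the following statements land on the same line in the failing snippet.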
> 
> The output looks ok from sepolicy-analyze:
> 
> $ sepolicy-analyze $OUT/root/sepolicy permissive
> crash_dump
> su
> hci_attach

FYI, this does not affect upstream SELinux; it looks like Dan Cashman over at
Google authored the file, so I'll drop the common selinux mailing list on
further responses. I'll take a look at fixing this today...

___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.


RE: CIL Typepermissive Symbol not inside parenthesis

2017-01-26 Thread Roberts, William C


> -Original Message-
> From: Roberts, William C
> Sent: Thursday, January 26, 2017 10:39 AM
> To: seandroid-list@tycho.nsa.gov
> Cc: 'Stephen Smalley' ; 'Nick Kralevich' ; seli...@tycho.nsa.gov
> Subject: CIL Typepermissive Symbol not inside parenthesis
> 
> Building for Hikey (Android) with a type permissive statement on hci_attach,
> yields this error:
> 
> /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30 out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping/current.cil out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil -o out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp )
> && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains )
> && (if [ \"userdebug\" = \"user\" -a -s out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2; exit 1; fi )
> && (mv out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )"
> Symbol not inside parenthesis at line 1239 of out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil
> 
> To reproduce apply this patch to device/linaro/hikey:
> diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index
> d87f444..1990d54 100644
> --- a/sepolicy/hci_attach.te
> +++ b/sepolicy/hci_attach.te
> @@ -1,6 +1,8 @@
>  type hci_attach, domain;
>  type hci_attach_exec, exec_type, file_type;
> 
> +permissive hci_attach;
> +
>  init_daemon_domain(hci_attach)
> 
>  allow hci_attach kernel:system module_request;
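Review bot: this hunk is the reproducer only; the build rule echoed in the error output above rejects any permissive domain on user builds ("ERROR: permissive domains not allowed in user builds"), so `permissive hci_attach;` must not be left in hci_attach.te for a user build.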
> 
> and build sepolicy
> 
> make -j4 sepolicy
> 
> I have no idea what's happening, but the statement looks different than all
> the other CIL statements:
> 
> Failing CIL snippet:
> 
> (type hci_attach)
> (roletype object_r hci_attach)
> CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r hci_attach_exec)
> (type hci_attach_tmpfs)
> 
> 

Some of these call routines like cil_write_roletype() in write_ast.c, but some
just fprintf(CIL_). Are these features not implemented?

If I apply this hack it works:
diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c
index 4ebda6a..8a25680 100644
--- a/libsepol/cil/src/cil_write_ast.c
+++ b/libsepol/cil/src/cil_write_ast.c
@@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node *node, 
uint32_t *finished, void
fprintf(cil_out, "CIL_TYPEBOUNDS ");
break;
case CIL_TYPEPERMISSIVE:
-   fprintf(cil_out, "CIL_TYPEPERMISSIVE ");
+   fprintf(cil_out, "(typepermissive hci_attach)\n");
break;
case CIL_TYPEATTRIBUTE:
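Review bot: the replacement line `fprintf(cil_out, "(typepermissive hci_attach)\n");` hard-codes the type name, so any other permissive type would also be written out as hci_attach; the CIL_TYPEPERMISSIVE case should print the name carried by the node, the way the other cases use writers such as cil_write_roletype() mentioned above, rather than a literal. The original placeholder `fprintf(cil_out, "CIL_TYPEPERMISSIVE ");` also lacks a trailing newline, which is why the following statements land on the same line in the failing snippet.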

The output looks ok from sepolicy-analyze:

$ sepolicy-analyze $OUT/root/sepolicy permissive
crash_dump
su
hci_attach
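The hack above hard-codes one type name, and the failing snippet shows the placeholder text landing on the same line as the statements that follow it. As an added example that is not part of this thread and not libsepol code, the C below sketches what a correct writer does: it emits `(typepermissive <type>)` from whatever type name it is handed (hypothetical helpers write_typepermissive, typepermissive_stmt and render_typepermissive_block), and it pairs that with a small lint, first_unenclosed_line, that scans generated CIL for a symbol, string or close paren sitting outside any list, which is the class of error secilc reported, and returns the offending line number. The CIL snippets and the type list are constructed from the post; the example goes beyond the single hci_attach case by rendering any list of types.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helpers, not libsepol's API: write a typepermissive statement
 * from the type name passed in (instead of a hard-coded name), and lint the
 * generated CIL for the error secilc reported, "Symbol not inside parenthesis".
 */

/* The CIL snippet the thread shows failing (copied from the post). */
static const char FAILING_CIL[] =
    "(type hci_attach)\n"
    "(roletype object_r hci_attach)\n"
    "CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r hci_attach_exec)\n"
    "(type hci_attach_tmpfs)\n";

/* Constructed: the same snippet with the statement written out properly. */
static const char FIXED_CIL[] =
    "(type hci_attach)\n"
    "(roletype object_r hci_attach)\n"
    "(typepermissive hci_attach)\n"
    "(type hci_attach_exec) (roletype object_r hci_attach_exec)\n"
    "(type hci_attach_tmpfs)\n";

/* Constructed type list for the multi-statement writer. */
static const char *DEMO_TYPES[] = { "hci_attach", "su" };

/* Write "(typepermissive <type>)\n" into out; bytes written, or -1 on overflow. */
int write_typepermissive(char *out, size_t outlen, const char *type_name)
{
    int n = snprintf(out, outlen, "(typepermissive %s)\n", type_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Single-statement convenience using a static buffer (NULL on overflow). */
const char *typepermissive_stmt(const char *type_name)
{
    static char buf[256];
    return write_typepermissive(buf, sizeof buf, type_name) < 0 ? NULL : buf;
}

/* One statement per type: the general case the hard-coded hack cannot cover. */
const char *render_typepermissive_block(const char **types, size_t ntypes)
{
    static char buf[1024];
    size_t used = 0;
    for (size_t i = 0; i < ntypes; i++) {
        int n = write_typepermissive(buf + used, sizeof buf - used, types[i]);
        if (n < 0)
            return NULL;
        used += (size_t)n;
    }
    return buf;
}

/*
 * Lint: 1-based line of the first symbol, string or close paren that sits
 * outside any list, or 0 if every token is enclosed. Comments (';' to end of
 * line) and quoted strings inside lists are skipped.
 */
int first_unenclosed_line(const char *cil)
{
    int depth = 0, line = 1;
    const char *p = cil;
    while (*p) {
        char c = *p++;
        if (c == '\n') {
            line++;
        } else if (c == ';') {
            while (*p && *p != '\n')      /* the newline is counted on the next pass */
                p++;
        } else if (c == '(') {
            depth++;
        } else if (c == ')') {
            if (depth == 0)
                return line;              /* stray close paren */
            depth--;
        } else if (c == '"') {
            if (depth == 0)
                return line;              /* bare string */
            while (*p && *p != '"') {     /* skip the quoted string, tracking lines */
                if (*p == '\n')
                    line++;
                p++;
            }
            if (*p)
                p++;
        } else if (!isspace((unsigned char)c) && depth == 0) {
            return line;                  /* bare symbol, e.g. CIL_TYPEPERMISSIVE */
        }
    }
    return 0;
}

int main(void)
{
    printf("failing snippet: first unenclosed token at line %d\n", first_unenclosed_line(FAILING_CIL));
    printf("fixed snippet:   first unenclosed token at line %d\n", first_unenclosed_line(FIXED_CIL));
    printf("%s", render_typepermissive_block(DEMO_TYPES, 2));
    return 0;
}
```

Run over FAILING_CIL the lint reports line 3, the line secilc would complain about in the generated file; over FIXED_CIL and over the output of render_typepermissive_block it reports 0. Running such a check on the writer's output during the build is a cheaper way to catch a placeholder like this than waiting for secilc to fail on a 1200-line intermediate file.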
