Re: Where to troubleshoot and ask questions?
On 27.01.2017 at 02:08, Bassam Alsanie wrote:
> I am wondering if there is a place to ask questions related to SELinux
> policy development.

* refpol...@oss.tresys.com (Archives http://oss.tresys.com/mailman/listinfo/refpolicy)
* irc #selinux channel on freenode (also available as "webapp": https://webchat.freenode.net/?channels=%23selinux )

- Thomas
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Where to troubleshoot and ask questions?
I am wondering if there is a place to ask questions related to SELinux policy development.

Thank you
Bassam
RE: CIL Typepermissive Symbol not inside parenthesis
> -Original Message- > From: Roberts, William C > Sent: Thursday, January 26, 2017 10:39 AM > To: seandroid-l...@tycho.nsa.gov > Cc: 'Stephen Smalley'; 'Nick Kralevich' > ; > selinux@tycho.nsa.gov > Subject: CIL Typepermissive Symbol not inside parenthesis > > Building for Hikey (Android) with a type permissive statement on hci_attach, > yields this error: > > /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30 > out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_n > vr.cil > out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping > /current.cil > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_ > policy_nvr.cil -o > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp ) && > (out/host/linux-x86/bin/sepolicy-analyze > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp > permissive > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived > omains ) && (if [ \"userdebug\" = \"user\" -a -s > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived > omains ]; thenecho \"==\" 1>&2; echo > \"ERROR: > permissive domains not allowed in user builds\" 1>&2; echo > \"List of > invalid domains:\" 1>&2; cat > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived > omains 1>&2; exit 1; fi ) && (mv > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )" > Symbol not inside parenthesis at line 1239 of > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_ > policy_nvr.cil > > To reproduce apply this patch to device/linaro/hikey: > diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index > d87f444..1990d54 100644 > --- a/sepolicy/hci_attach.te > +++ b/sepolicy/hci_attach.te 
> @@ -1,6 +1,8 @@ > type hci_attach, domain; > type hci_attach_exec, exec_type, file_type; > > +permissive hci_attach; > + > init_daemon_domain(hci_attach) > > allow hci_attach kernel:system module_request;
>
> and build sepolicy
>
> make -j4 sepolicy
>
> I have no idea what's happening, but the statement looks different than all the other CIL statements:
>
> Failing CIL snippet:
>
> (type hci_attach)
> (roletype object_r hci_attach)
> CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r hci_attach_exec)
> (type hci_attach_tmpfs)

Some of these call routines like cil_write_roletype() in write_ast.c, but some just fprintf(CIL_). Are these features not implemented?

If I apply this hack it works:

diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c index 4ebda6a..8a25680 100644 --- a/libsepol/cil/src/cil_write_ast.c +++ b/libsepol/cil/src/cil_write_ast.c @@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node *node, uint32_t *finished, void fprintf(cil_out, "CIL_TYPEBOUNDS "); break; case CIL_TYPEPERMISSIVE: - fprintf(cil_out, "CIL_TYPEPERMISSIVE "); + fprintf(cil_out, "(typepermissive hci_attach)\n"); break; case CIL_TYPEATTRIBUTE:

The output looks ok from sepolicy-analyze:

$ sepolicy-analyze $OUT/root/sepolicy permissive
crash_dump su hci_attach
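Review bot: the replacement in the CIL_TYPEPERMISSIVE case hardcodes the literal `(typepermissive hci_attach)`, so the writer emits the wrong statement for every other permissive type and the fix only holds for this one build; the case should print the type name carried in the node's data, the way the cil_write_roletype() routine mentioned above does for roletype (for example a cil_write_typepermissive() helper emitting `(typepermissive <name>)`). The neighbouring context line `fprintf(cil_out, "CIL_TYPEBOUNDS ");` shows the same placeholder pattern, so a typebounds statement will hit the same "Symbol not inside parenthesis" error from secilc and should be converted in the same change rather than left for the next report.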
RE: CIL Typepermissive Symbol not inside parenthesis
> -Original Message-
> From: Roberts, William C
> Sent: Thursday, January 26, 2017 11:17 AM
> To: 'seandroid-l...@tycho.nsa.gov'
> Cc: 'Stephen Smalley' ; 'Nick Kralevich' ; 'selinux@tycho.nsa.gov'
> Subject: RE: CIL Typepermissive Symbol not inside parenthesis
>
> > -Original Message-
> > From: Roberts, William C > > Sent: Thursday, January 26, 2017 10:39 AM > > To: seandroid-l...@tycho.nsa.gov > > Cc: 'Stephen Smalley' ; 'Nick Kralevich' > > ; selinux@tycho.nsa.gov > > Subject: CIL Typepermissive Symbol not inside parenthesis > > > > Building for Hikey (Android) with a type permissive statement on > > hci_attach, yields this error: > > > > /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30 > > out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_ > > policy_n > > vr.cil > > out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/ma > > pping > > /current.cil > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/no > > nplat_ > > policy_nvr.cil -o > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp ) > > && (out/host/linux-x86/bin/sepolicy-analyze > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp > > permissive > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permi > > ssived omains ) && (if [ \"userdebug\" = \"user\" -a -s > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived > > omains ]; then echo \"==\" 1>&2; echo > \"ERROR: > > permissive domains not allowed in user builds\" 1>&2; echo > \"List of > > invalid domains:\" 1>&2;cat > > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived > > omains 1>&2;exit 1; fi ) && (mv > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp > > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )" > > Symbol not inside parenthesis at line 1239 of > > out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/no > > nplat_ > > policy_nvr.cil > > > > To reproduce apply this patch to device/linaro/hikey: > > diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index > > d87f444..1990d54 100644 > > --- a/sepolicy/hci_attach.te > > +++ b/sepolicy/hci_attach.te 
> > @@ -1,6 +1,8 @@ > > type hci_attach, domain; > > type hci_attach_exec, exec_type, file_type; > > > > +permissive hci_attach; > > + > > init_daemon_domain(hci_attach) > > > > allow hci_attach kernel:system module_request; > > > > and build sepolicy > > > > make -j4 sepolicy > > > > I have no idea what's happening, but the statement looks different > > than all the other CIL statements: > > > > Failing CIL snippet: > > > > (type hci_attach) > > (roletype object_r hci_attach) > > CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r > > hci_attach_exec) (type hci_attach_tmpfs) > > > > > > Some of these call routines like cil_write_roletype() in write_ast.c, but > some just > fprintf(CIL_). Are these features not implemented? > > If I apply this hack it works: > diff --git a/libsepol/cil/src/cil_write_ast.c > b/libsepol/cil/src/cil_write_ast.c > index 4ebda6a..8a25680 100644 > --- a/libsepol/cil/src/cil_write_ast.c > +++ b/libsepol/cil/src/cil_write_ast.c > @@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node > *node, uint32_t *finished, void > fprintf(cil_out, "CIL_TYPEBOUNDS "); > break; > case CIL_TYPEPERMISSIVE: > - fprintf(cil_out, "CIL_TYPEPERMISSIVE "); > + fprintf(cil_out, "(typepermissive hci_attach)\n"); > break; > case CIL_TYPEATTRIBUTE: > > The output looks ok from sepolicy-analyze: > > $ sepolicy-analyze $OUT/root/sepolicy permissive crash_dump su hci_attach

FYI this does not affect upstream SELinux; it looks like Dan Cashman over at Google authored the file, so I'll drop the common selinux mailing list on further responses. I'll take a look at fixing this today...
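The two checks this thread runs into, secilc's "Symbol not inside parenthesis" rejection of a bare token such as CIL_TYPEPERMISSIVE and the build's refusal of permissive domains on user builds, can be reproduced offline with a small linter. The Python below is an added example written for this page; it is not code from secilc, libsepol or the Android build. It tokenizes CIL text, reports any symbol outside parentheses with its line number, collects `(typepermissive NAME)` statements, and mirrors the shell test in the quoted build command with a `build_allows_permissive()` helper (a name chosen here, not a build function). The SAMPLE policy is constructed from the failing snippet in the report, with one extra `(typepermissive su)` line added to exercise the collection.

```python
"""Minimal CIL linter: flags bare symbols outside parentheses and lists
typepermissive types.  Added example, not code from secilc or libsepol."""
import re
import sys

# One token per match: a paren, a double-quoted string, a ';' comment to the
# end of the line, or a bare symbol.  Strings are kept on one line so the
# line counting below stays exact.
TOKEN_RE = re.compile(r'\(|\)|"[^"\n]*"|;[^\n]*|[^\s()";]+')

# Constructed input modelled on the failing snippet from the report, plus one
# well-formed typepermissive statement so the collection has something to find.
SAMPLE = """\
(type hci_attach)
(roletype object_r hci_attach)
CIL_TYPEPERMISSIVE (type hci_attach_exec)
(roletype object_r hci_attach_exec)
(type hci_attach_tmpfs)
(typepermissive su)
"""


def lint_cil(text):
    """Return (errors, permissive).

    errors     -- list of (line, message) in source order; a bare symbol
                  outside any parenthesis is exactly what secilc rejects.
    permissive -- type names taken from (typepermissive NAME) statements.
    """
    errors = []
    permissive = []
    stack = []      # one token list per currently open parenthesis
    line = 1
    prev = 0
    for m in TOKEN_RE.finditer(text):
        # Advance the line counter by the newlines between the last token
        # and this one (tokens never contain a newline themselves).
        line += text.count("\n", prev, m.start())
        prev = m.start()
        tok = m.group()
        if tok.startswith(";"):          # comment: ignore
            continue
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if not stack:
                errors.append((line, "unbalanced ')'"))
                continue
            expr = stack.pop()
            if len(expr) >= 2 and expr[0] == "typepermissive":
                permissive.append(expr[1])
        elif stack:
            stack[-1].append(tok)
        else:
            errors.append((line, f"Symbol not inside parenthesis: {tok}"))
    if stack:
        errors.append((line, "unclosed '('"))
    return errors, permissive


def build_allows_permissive(variant, permissive):
    """Mirror of the build's check: a user build must ship no permissive
    domains; userdebug and eng builds may carry them."""
    return not (variant == "user" and len(permissive) > 0)


def main(argv):
    # Usage: lint_cil.py [policy.cil] [user|userdebug|eng]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    variant = argv[2] if len(argv) > 2 else "userdebug"
    errors, permissive = lint_cil(text)
    for ln, msg in errors:
        print(f"line {ln}: {msg}")
    print("permissive types:", ", ".join(permissive) or "(none)")
    if not build_allows_permissive(variant, permissive):
        print(f"ERROR: permissive domains not allowed in {variant} builds")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it lints the embedded sample and reports the bare CIL_TYPEPERMISSIVE token at line 3 together with the one permissive type; pass a generated `.cil` file and a build variant to run the same two checks on real output before handing it to secilc.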
CIL Typepermissive Symbol not inside parenthesis
Building for Hikey (Android) with a type permissive statement on hci_attach, yields this error: /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30 out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping/current.cil out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil -o out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp ) && (out/host/linux-x86/bin/sepolicy-analyze out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive > out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ) && (if [ \"userdebug\" = \"user\" -a -s out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains ]; then echo \"==\" 1>&2; echo \"ERROR: permissive domains not allowed in user builds\" 1>&2; echo \"List of invalid domains:\" 1>&2; cat out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains 1>&2;exit 1; fi ) && (mv out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )" Symbol not inside parenthesis at line 1239 of out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil To reproduce apply this patch to device/linaro/hikey: diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index d87f444..1990d54 100644 --- a/sepolicy/hci_attach.te +++ b/sepolicy/hci_attach.te 
@@ -1,6 +1,8 @@ type hci_attach, domain; type hci_attach_exec, exec_type, file_type; +permissive hci_attach; + init_daemon_domain(hci_attach) allow hci_attach kernel:system module_request;

and build sepolicy

make -j4 sepolicy

I have no idea what's happening, but the statement looks different than all the other CIL statements:

Failing CIL snippet:

(type hci_attach)
(roletype object_r hci_attach)
CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r hci_attach_exec)
(type hci_attach_tmpfs)
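Review bot: `+permissive hci_attach;` is a reproduction aid rather than a change to land, and the hunk should say so: the very build step quoted above fails with `permissive domains not allowed in user builds` once `userdebug` is replaced by `user`, so the repro only works on a userdebug build, and the line needs to be reverted before any hci_attach policy change is committed. That build check exists precisely because a permissive domain has its denials logged but not enforced, which is why the sepolicy-analyze `permissive` listing is treated as an error on user builds.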
Re: [PATCH v6 0/9] SELinux support for Infiniband RDMA
On Wed, Jan 25, 2017 at 12:25 PM, Doug Ledford wrote:
> On Wed, 2017-01-25 at 02:58 -0500, Paul Moore wrote:
>> On Tue, Jan 24, 2017 at 4:40 PM, Doug Ledford wrote:
>> >
>> > On Tue, 2016-12-13 at 17:17 -0500, Paul Moore wrote:
>> > >
>> > > On Tue, Dec 13, 2016 at 11:25 AM, Daniel Jurgens wrote:
>> > > >
>> > > > On 12/13/2016 9:01 AM, Stephen Smalley wrote:
>> > > > >
>> > > > > For the LSM/SELinux bits,
>> > > > > Acked-by: Stephen Smalley
>> > > > >
>> > > > > Note that there will be a merge conflict on classmap.h due to
>> > > > > commits in the selinux next branch, but that should be easy to
>> > > > > resolve.
>> > > > >
>> > > > > We'll need the patches for the selinux userspace and refpolicy.
>> > > >
>> > > > Thanks Stephen, I need to rebase the user space and do some patch
>> > > > breakup. I'll start on that soon.
>> > >
>> > > Sorry, I haven't had a chance to look at v6, but considering all our
>> > > discussions on the previous versions I don't expect any issues from
>> > > me. I was hoping for some more generic hooks/controls, but that
>> > > doesn't look to be possible given the nature of RDMA. I also want to
>> > > mention again the need for tests; we've talked about this in the past
>> > > and while it isn't possible to run the tests without IB hardware, I
>> > > would like to see us merge tests into the selinux-testsuite so that
>> > > those who do have the required h/w available could run the tests.
>> > >
>> > > Assuming we can sort out the SELinux userspace and tests by the end
>> > > of January, I see no reason why this couldn't go in for v4.11.
>> >
>> > Daniel, can you work with people on the userspace and tests? I'll pull
>> > this into a branch (I assume by Paul's and Stephen's comments that they
>> > expect it to go through my tree) ready to go, but hold actually
>> > submitting it in the merge window until I've heard more from you all
>> > that userspace is ready.
>>
>> I don't have a problem pulling this in via the SELinux tree, assuming
>> you are okay with that Doug. I'm just waiting to see tests for the
>> selinux-testsuite first.
>
> When I tried to apply the patchset, the conflicts started on the very
> first file of the very first patch. It can go through your tree, but I
> suspect there will be lots of conflicts that way as this upcoming
> release has been touching the cache area of the IB stack and so does
> this code. There might be significant SELinux conflicts too, I don't
> know, but we know there are IB ones so far.

My apologies, I should have been more clear. What I meant to say is that I have no objection to merging this patchset via the SELinux tree, in principle. If there are significant merge conflicts they will need to be resolved first; I have no problem dealing with small fixups as part of the merge process, but any substantial changes would need a respin.

Also, while I haven't looked at this latest patchset, I would still want to review it for obvious reasons, although having discussed previous drafts in detail I don't expect to see anything objectionable. However, my biggest concern remains the lack of working tests; without those this patchset doesn't get my ACK. We need to have some basic method of regression testing this, even if it does require IB hardware, to have any hope of maintaining this long term.

--
paul moore
www.paul-moore.com