Re: Where to troubleshoot and ask questions?

2017-01-26 Thread Thomas Mueller


On 27.01.2017 at 02:08, Bassam Alsanie wrote:
> I am wondering if there is a place to ask questions related to SELinux
> policy development.


* refpol...@oss.tresys.com (Archives
http://oss.tresys.com/mailman/listinfo/refpolicy)
* irc #selinux channel on freenode (also available as "webapp":
https://webchat.freenode.net/?channels=%23selinux )

- Thomas
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Where to troubleshoot and ask questions?

2017-01-26 Thread Bassam Alsanie
I am wondering if there is a place to ask questions related to SELinux
policy development.

Thank you
Bassam

RE: CIL Typepermissive Symbol not inside parenthesis

2017-01-26 Thread Roberts, William C


> -Original Message-
> From: Roberts, William C
> Sent: Thursday, January 26, 2017 10:39 AM
> To: seandroid-l...@tycho.nsa.gov
> Cc: 'Stephen Smalley' ; 'Nick Kralevich' 
> ;
> selinux@tycho.nsa.gov
> Subject: CIL Typepermissive Symbol not inside parenthesis
> 
> Building for Hikey (Android) with a type permissive statement on hci_attach,
> yields this error:
> 
> /bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30
> out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_n
> vr.cil
> out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping
> /current.cil
> out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_
> policy_nvr.cil  -o
> out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp ) &&
> (out/host/linux-x86/bin/sepolicy-analyze
> out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
> permissive >
> out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived
> omains ) && (if [ \"userdebug\" = \"user\" -a -s
> out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived
> omains ]; thenecho \"==\" 1>&2;   echo 
> \"ERROR:
> permissive domains not allowed in user builds\" 1>&2; echo 
> \"List of
> invalid domains:\" 1>&2;  cat
> out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissived
> omains 1>&2;  exit 1; fi ) && (mv
> out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp
> out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )"
> Symbol not inside parenthesis at line 1239 of
> out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_
> policy_nvr.cil
> 
> To reproduce apply this patch to device/linaro/hikey:
> diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te index
> d87f444..1990d54 100644
> --- a/sepolicy/hci_attach.te
> +++ b/sepolicy/hci_attach.te
> @@ -1,6 +1,8 @@
>  type hci_attach, domain;
>  type hci_attach_exec, exec_type, file_type;
> 
> +permissive hci_attach;
> +
>  init_daemon_domain(hci_attach)
> 
>  allow hci_attach kernel:system module_request;
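Review bot: the hunk is fine as a debugging change, but it deserves a comment and a lifetime: `permissive hci_attach;` makes the kernel log denials for hci_attach without enforcing them, and the build wrapper quoted above turns any entry in sepolicy.permissivedomains into a hard error on `user` builds (`permissive domains not allowed in user builds`), so this line must stay out of shipping builds and be removed once the domain's allow rules are complete.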
> 
> and build sepolicy
> 
> make -j4 sepolicy
> 
> I have no idea what's happening, but the statement looks different from all
> the other CIL statements:
> 
> Failing CIL snippet:
> 
> (type hci_attach)
> (roletype object_r hci_attach)
> CIL_TYPEPERMISSIVE (type hci_attach_exec) (roletype object_r hci_attach_exec)
> (type hci_attach_tmpfs)
> 
> 

Some of these call routines like cil_write_roletype() in write_ast.c, but some
just fprintf(CIL_). Are these features not implemented?

If I apply this hack it works:
diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c
index 4ebda6a..8a25680 100644
--- a/libsepol/cil/src/cil_write_ast.c
+++ b/libsepol/cil/src/cil_write_ast.c
@@ -1255,7 +1255,7 @@ int __cil_write_node_helper(struct cil_tree_node *node, 
uint32_t *finished, void
fprintf(cil_out, "CIL_TYPEBOUNDS ");
break;
case CIL_TYPEPERMISSIVE:
-   fprintf(cil_out, "CIL_TYPEPERMISSIVE ");
+   fprintf(cil_out, "(typepermissive hci_attach)\n");
break;
case CIL_TYPEATTRIBUTE:
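Review bot: the replacement line hard-codes the type name, `fprintf(cil_out, "(typepermissive hci_attach)\n");`, so the writer would emit `hci_attach` for every CIL_TYPEPERMISSIVE node and silently mark the wrong domain permissive in any policy whose permissive type is a different one; the node's own type name should be written instead, the way the cil_write_roletype()-style routines mentioned above do. The removed line is the real defect: `fprintf(cil_out, "CIL_TYPEPERMISSIVE ");` prints the enum's name as a bare symbol with no parentheses, which is exactly the `Symbol not inside parenthesis at line 1239` that secilc reports.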

The output looks ok from sepolicy-analyze:

$ sepolicy-analyze $OUT/root/sepolicy permissive
crash_dump
su
hci_attach



RE: CIL Typepermissive Symbol not inside parenthesis

2017-01-26 Thread Roberts, William C


> -Original Message-
> From: Roberts, William C
> Sent: Thursday, January 26, 2017 11:17 AM
> To: 'seandroid-l...@tycho.nsa.gov' 
> Cc: 'Stephen Smalley' ; 'Nick Kralevich' 
> ;
> 'selinux@tycho.nsa.gov' 
> Subject: RE: CIL Typepermissive Symbol not inside parenthesis

FYI, this does not affect upstream SELinux; it looks like Dan Cashman over at
Google authored the file, so I'll drop the common selinux mailing list on further
responses. I'll take a look at fixing this today...



CIL Typepermissive Symbol not inside parenthesis

2017-01-26 Thread Roberts, William C
Building for Hikey (Android) with a type permissive statement on hci_attach, 
yields this error:

/bin/bash -c "(out/host/linux-x86/bin/secilc -M true -c 30 
out/target/product/hikey/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
 
out/target/product/hikey/obj/ETC/mapping_sepolicy.cil_intermediates/mapping/current.cil
 
out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil
  -o out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp ) && 
(out/host/linux-x86/bin/sepolicy-analyze 
out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp permissive 
> 
out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
 ) && (if [ \"userdebug\" = \"user\" -a -s 
out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
 ]; then echo \"==\" 1>&2;   echo \"ERROR: 
permissive domains not allowed in user builds\" 1>&2; echo \"List 
of invalid domains:\" 1>&2; cat 
out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.permissivedomains
 1>&2;exit 1; fi ) && (mv
  out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy.tmp 
out/target/product/hikey/obj/ETC/sepolicy_intermediates/sepolicy )"
Symbol not inside parenthesis at line 1239 of 
out/target/product/hikey/obj/ETC/nonplat_sepolicy.cil_intermediates/nonplat_policy_nvr.cil

To reproduce apply this patch to device/linaro/hikey:
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
index d87f444..1990d54 100644
--- a/sepolicy/hci_attach.te
+++ b/sepolicy/hci_attach.te
@@ -1,6 +1,8 @@
 type hci_attach, domain;
 type hci_attach_exec, exec_type, file_type;
 
+permissive hci_attach;
+
 init_daemon_domain(hci_attach)
 
 allow hci_attach kernel:system module_request;
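Review bot: nothing is wrong with the .te hunk itself; the `Symbol not inside parenthesis at line 1239` error is in the generated nonplat_policy_nvr.cil, and the failing snippet below shows why: the `permissive hci_attach;` statement came out as a bare `CIL_TYPEPERMISSIVE` token instead of a parenthesised `(typepermissive hci_attach)` form, so the fix belongs in the CIL writer, not in this file.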

and build sepolicy

make -j4 sepolicy

I have no idea what's happening, but the statement looks different from all
the other CIL statements:

Failing CIL snippet:

(type hci_attach)
(roletype object_r hci_attach)
CIL_TYPEPERMISSIVE (type hci_attach_exec)
(roletype object_r hci_attach_exec)
(type hci_attach_tmpfs)






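The thread shows two checks that a policy build pipeline applies to generated CIL: secilc rejects a bare symbol outside any parenthesised form (the `Symbol not inside parenthesis at line 1239` error), and the Android build wrapper refuses a `user` build whose policy contains any permissive domain. As an added example, not code from the thread, from libsepol or from secilc, the following Python script reproduces both checks on CIL text so a writer bug like the one above is caught before secilc runs. The function names, the sample CIL strings (modelled on the failing snippet) and the `variant` argument are assumptions of this example, and the tokenizer deliberately supports only parentheses, bare symbols and `;` comments.

```python
"""Added example (not from the thread, libsepol or secilc): a small checker
for CIL policy text that mirrors two checks seen in this thread:

 1. secilc's rejection of a symbol that sits outside every parenthesised
    form, which is what the unfixed writer's literal "CIL_TYPEPERMISSIVE "
    output triggered;
 2. the build wrapper's rule that a 'user' build may not contain permissive
    domains, applied here directly to (typepermissive NAME) declarations.

The sample inputs are constructed, modelled on the snippet in the thread.
"""
import re

# Constructed sample: the broken writer output quoted in the thread.
BROKEN_CIL = """\
(type hci_attach)
(roletype object_r hci_attach)
CIL_TYPEPERMISSIVE (type hci_attach_exec)
(roletype object_r hci_attach_exec)
(type hci_attach_tmpfs)
"""

# Constructed sample: what a correct writer should have emitted instead.
FIXED_CIL = """\
(type hci_attach)
(roletype object_r hci_attach)
(typepermissive hci_attach)   ; debugging aid: never ship in a user build
(type hci_attach_exec)
(roletype object_r hci_attach_exec)
(type hci_attach_tmpfs)
"""

_TOKEN = re.compile(r"[()]|[^\s()]+")


def cil_tokens(text):
    """Yield (line_no, token) pairs; a token is '(' , ')' or a bare symbol.
    A ';' starts a comment that runs to end of line, as in CIL."""
    for line_no, line in enumerate(text.splitlines(), 1):
        code = line.split(";", 1)[0]
        for tok in _TOKEN.findall(code):
            yield line_no, tok


def check_parens(text):
    """Return [(line_no, message), ...] for every structural problem.
    An empty list means every symbol sits inside a parenthesised form."""
    problems = []
    depth = 0
    last_line = 0
    for line_no, tok in cil_tokens(text):
        last_line = line_no
        if tok == "(":
            depth += 1
        elif tok == ")":
            if depth == 0:
                problems.append((line_no, "Close parenthesis without matching open"))
            else:
                depth -= 1
        elif depth == 0:
            # The case secilc reports for the writer's bare keyword.
            problems.append((line_no, f"Symbol not inside parenthesis: {tok}"))
    if depth > 0:
        problems.append((last_line, "Unclosed parenthesis at end of file"))
    return problems


def parse(text):
    """Parse well-formed CIL into nested lists of strings.
    Raises ValueError with the first problem check_parens() finds."""
    problems = check_parens(text)
    if problems:
        line_no, msg = problems[0]
        raise ValueError(f"{msg} at line {line_no}")
    stack = [[]]
    for _, tok in cil_tokens(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            form = stack.pop()
            stack[-1].append(form)
        else:
            stack[-1].append(tok)
    return stack[0]


def permissive_types(forms):
    """Collect NAME from every (typepermissive NAME), including inside blocks."""
    found = []

    def walk(form):
        if isinstance(form, list):
            if len(form) == 2 and form[0] == "typepermissive":
                found.append(form[1])
            for sub in form:
                walk(sub)

    for form in forms:
        walk(form)
    return found


def check_build_variant(variant, permissive):
    """Apply the build rule from the thread: a 'user' build may not contain
    permissive domains; userdebug and eng builds may. Returns (ok, message)."""
    if variant == "user" and permissive:
        return False, ("permissive domains not allowed in user builds: "
                       + ", ".join(permissive))
    return True, "ok"


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CIL), ("fixed", FIXED_CIL)):
        for line_no, msg in check_parens(text):
            print(f"{name}: {msg} at line {line_no}")
    perm = permissive_types(parse(FIXED_CIL))
    for variant in ("userdebug", "user"):
        print(variant, check_build_variant(variant, perm))
```

Run stand-alone, the script reports the bare `CIL_TYPEPERMISSIVE` on line 3 of the broken sample, accepts the fixed one, and rejects a `user` build that still carries `hci_attach` as permissive while allowing it for `userdebug`, which is the same decision the wrapper makes from the sepolicy.permissivedomains file. Quoted strings in CIL are not handled by this tokenizer, so a `;` inside a string would be misread as a comment; real policy should still go through secilc, this is only a fast pre-check.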


Re: [PATCH v6 0/9] SELinux support for Infiniband RDMA

2017-01-26 Thread Paul Moore
On Wed, Jan 25, 2017 at 12:25 PM, Doug Ledford  wrote:
> On Wed, 2017-01-25 at 02:58 -0500, Paul Moore wrote:
>> On Tue, Jan 24, 2017 at 4:40 PM, Doug Ledford 
>> wrote:
>> >
>> > On Tue, 2016-12-13 at 17:17 -0500, Paul Moore wrote:
>> > >
>> > > On Tue, Dec 13, 2016 at 11:25 AM, Daniel Jurgens > > > x.co
>> > > m> wrote:
>> > > >
>> > > >
>> > > > On 12/13/2016 9:01 AM, Stephen Smalley wrote:
>> > > > >
>> > > > >
>> > > > > For the LSM/SELinux bits,
>> > > > > Acked-by: Stephen Smalley 
>> > > > >
>> > > > > Note that there will be a merge conflict on classmap.h due to
>> > > > > commits in
>> > > > > the selinux next branch, but that should be easy to resolve.
>> > > > >
>> > > > > We'll need the patches for the selinux userspace and
>> > > > > refpolicy.
>> > > >
>> > > > Thanks Stephen, I need to rebase the user space and do some
>> > > > patch
>> > > > breakup.  I'll start on that soon.
>> > >
>> > > Sorry, I haven't had a chance to look at v6, but considering all
>> > > our
>> > > discussions on the previous versions I don't expect any issues
>> > > from
>> > > me.  I was hoping for some more generic hooks/controls, but that
>> > > doesn't look to be possible given the nature of RDMA.  I also
>> > > want to
>> > > mention again the need for tests; we've talked about this in the
>> > > past
>> > > and while it isn't possible to run the tests without IB hardware,
>> > > I
>> > > would like to see us merge tests into the selinux-testsuite so
>> > > that
>> > > those who do have the required h/w available could run the tests.
>> > >
>> > > Assuming we can sort out the SELinux userspace and tests by
>> > > the
>> > > end of January, I see no reason why this couldn't go in for
>> > > v4.11.
>> >
>> > Daniel, can you work with people on the userspace and tests?  I'll
>> > pull
>> > this into a branch (I assume by Paul's and Stephen's comments that
>> > they
>> > expect it to go through my tree) ready to go, but hold actually
>> > submitting it in the merge window until I've heard more from you
>> > all
>> > that userspace is ready.
>>
>> I don't have a problem pulling this in via the SELinux tree, assuming
>> you are okay with that Doug.  I'm just waiting to see tests for the
>> selinux-testsuite first.
>
> When I tried to apply the patchset, the conflicts started on the very
> first file of the very first patch.  It can go through your tree, but I
> suspect there will be lots of conflicts that way as this upcoming
> release has been touching the cache area of the IB stack and so does
> this code.  There might be significant SELinux conflicts too, I don't
> know, but we know there are IB ones so far.

My apologies, I should have been more clear.  What I meant to say is
that I have no objection to merging this patchset via the SELinux
tree, in principle.  If there are significant merge conflicts they
will need to be resolved first; I have no problem dealing with small
fixups as part of the merge process, but any substantial changes would
need a respin.  Also, while I haven't looked at this latest patchset,
I would still want to review it for obvious reasons, although having
discussed previous drafts in detail I don't expect to see anything
objectionable.

However, my biggest concern remains the lack of working tests; without
those this patchset doesn't get my ACK.  We need to have some basic
method of regression testing this, even if it does require IB
hardware, to have any hope of maintaining this long term.

-- 
paul moore
www.paul-moore.com