[0/4] Fix/add optional file type handling for genfscon rules

Message ID 20211027181210.1019597-1-jwcart2@gmail.com (mailing list archive)

Message

James Carter Oct. 27, 2021, 6:12 p.m. UTC
genfscon rules have always supported an optional file type, but when
the ability for writing a policy.conf file from a kernel policy was
added to libsepol it did not include that support. Support for the
optional file type was also left out of CIL genfscon rules.

This patch set fixes these problems.

Patch 1 adds support for writing the optional file type in genfscon rules
when writing a policy.conf file from a kernel policy.

Patches 2-4 add support in CIL for handling an optional file type
in genfscon rules, update the CIL documentation, and add support
when writing out CIL from a kernel policy or module as well.

James Carter (4):
  libsepol: Add support for file types in writing out policy.conf
  libsepol/cil: Allow optional file type in genfscon rules
  secilc/docs: Document the optional file type for genfscon rules
  libsepol: Write out genfscon file type when writing out CIL policy

 libsepol/cil/src/cil_binary.c               | 39 +++++++++++++++++++
 libsepol/cil/src/cil_build_ast.c            | 43 +++++++++++++++++++--
 libsepol/cil/src/cil_internal.h             |  1 +
 libsepol/src/kernel_to_cil.c                | 35 ++++++++++++++++-
 libsepol/src/kernel_to_conf.c               | 35 ++++++++++++++++-
 libsepol/src/module_to_cil.c                | 27 ++++++++++++-
 secilc/docs/cil_file_labeling_statements.md | 10 ++++-
 7 files changed, 179 insertions(+), 11 deletions(-)

Comments

Stephen Smalley Nov. 4, 2021, 8:09 p.m. UTC | #1
On Wed, Oct 27, 2021 at 5:32 PM James Carter <jwcart2@gmail.com> wrote:
>
> genfscon rules have always supported an optional file type, but when
> the ability for writing a policy.conf file from a kernel policy was
> added to libsepol it did not include that support. Support for the
> optional file type was also left out of CIL genfscon rules.
>
> This patch set fixes these problems.
>
> Patch 1 adds support for writing the optional file type in genfscon rules
> when writing a policy.conf file from a kernel policy.
>
> Patches 2-4 add support in CIL for handling an optional file type
> in genfscon rules, update the CIL documentation, and add support
> when writing out CIL from a kernel policy or module as well.
>
> James Carter (4):
>   libsepol: Add support for file types in writing out policy.conf
>   libsepol/cil: Allow optional file type in genfscon rules
>   secilc/docs: Document the optional file type for genfscon rules
>   libsepol: Write out genfscon file type when writing out CIL policy
>
>  libsepol/cil/src/cil_binary.c               | 39 +++++++++++++++++++
>  libsepol/cil/src/cil_build_ast.c            | 43 +++++++++++++++++++--
>  libsepol/cil/src/cil_internal.h             |  1 +
>  libsepol/src/kernel_to_cil.c                | 35 ++++++++++++++++-
>  libsepol/src/kernel_to_conf.c               | 35 ++++++++++++++++-
>  libsepol/src/module_to_cil.c                | 27 ++++++++++++-
>  secilc/docs/cil_file_labeling_statements.md | 10 ++++-
>  7 files changed, 179 insertions(+), 11 deletions(-)

Something here breaks on the selinux-testsuite policy:

# Run the test suite
#
make test
make -C policy load
make[1]: Entering directory '/root/selinux-testsuite/policy'
# Test for "expand-check = 0" in /etc/selinux/semanage.conf
# General policy build
make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
Compiling targeted test_policy module
Creating targeted test_policy.pp policy package
rm tmp/test_policy.mod tmp/test_policy.mod.fc
make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
# General policy load
domain_fd_use --> on
/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_userfaultfd.cil test_add_levels.cil test_glblub.cil
What is going on?
Failed to generate binary
/usr/sbin/semodule: Failed!
make[1]: *** [Makefile:189: load] Error 1
make[1]: Leaving directory '/root/selinux-testsuite/policy'
make: *** [Makefile:7: test] Error 2
Error: Process completed with exit code 2.
Nicolas Iooss Nov. 8, 2021, 9:46 p.m. UTC | #2
On Thu, Nov 4, 2021 at 9:09 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Oct 27, 2021 at 5:32 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > genfscon rules have always supported an optional file type, but when
> > the ability for writing a policy.conf file from a kernel policy was
> > added to libsepol it did not include that support. Support for the
> > optional file type was also left out of CIL genfscon rules.
> >
> > This patch set fixes these problems.
> >
> > Patch 1 adds support for writing the optional file type in genfscon rules
> > when writing a policy.conf file from a kernel policy.
> >
> > Patches 2-4 add support in CIL for handling an optional file type
> > in genfscon rules, update the CIL documentation, and add support
> > when writing out CIL from a kernel policy or module as well.
> >
> > James Carter (4):
> >   libsepol: Add support for file types in writing out policy.conf
> >   libsepol/cil: Allow optional file type in genfscon rules
> >   secilc/docs: Document the optional file type for genfscon rules
> >   libsepol: Write out genfscon file type when writing out CIL policy
> >
> >  libsepol/cil/src/cil_binary.c               | 39 +++++++++++++++++++
> >  libsepol/cil/src/cil_build_ast.c            | 43 +++++++++++++++++++--
> >  libsepol/cil/src/cil_internal.h             |  1 +
> >  libsepol/src/kernel_to_cil.c                | 35 ++++++++++++++++-
> >  libsepol/src/kernel_to_conf.c               | 35 ++++++++++++++++-
> >  libsepol/src/module_to_cil.c                | 27 ++++++++++++-
> >  secilc/docs/cil_file_labeling_statements.md | 10 ++++-
> >  7 files changed, 179 insertions(+), 11 deletions(-)
>
> Something here breaks on the selinux-testsuite policy:
>
> # Run the test suite
> #
> make test
> make -C policy load
> make[1]: Entering directory '/root/selinux-testsuite/policy'
> # Test for "expand-check = 0" in /etc/selinux/semanage.conf
> # General policy build
> make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
> Compiling targeted test_policy module
> Creating targeted test_policy.pp policy package
> rm tmp/test_policy.mod tmp/test_policy.mod.fc
> make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
> # General policy load
> domain_fd_use --> on
> /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_userfaultfd.cil test_add_levels.cil test_glblub.cil
> What is going on?
> Failed to generate binary
> /usr/sbin/semodule: Failed!
> make[1]: *** [Makefile:189: load] Error 1
> make[1]: Leaving directory '/root/selinux-testsuite/policy'
> make: *** [Makefile:7: test] Error 2
> Error: Process completed with exit code 2.

Hello,

This error happens because cil_genfscon_init() does not initialize
->file_type, and cil_genfscon_to_policydb() then reads an
uninitialized value. The attached patch (on top of this series) fixed
the CI for me.

Cheers,
Nicolas
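The diagnosis above is a classic uninitialized-field bug: an init routine that sets every field except the newly added one, and a consumer that trusts the value. The following added example (not code from this thread or from libsepol; the struct, the keyword set, the class-name mapping and all function names are assumptions made for illustration) models the optional file type on a genfscon rule as the series describes it: the initializer gives `file_type` a defined default, the parser accepts the argument list with or without the keyword, and the conversion step fails closed on any value outside the known range instead of emitting garbage into the policy.

```c
/* Hypothetical model of optional file-type handling for genfscon rules.
 * Not libsepol code: names, keywords and the class mapping are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed keyword set; GENFS_ANY is the default when no keyword is given. */
enum genfs_file_type {
    GENFS_ANY = 0, GENFS_FILE, GENFS_DIR, GENFS_CHAR, GENFS_BLOCK,
    GENFS_SOCKET, GENFS_PIPE, GENFS_SYMLINK, GENFS_FILE_TYPE_COUNT
};

struct genfscon {
    const char *fs;
    const char *path;
    enum genfs_file_type file_type;
    const char *context;
};

/* Keyword -> enum. Returns -1 for a token that is not a file-type keyword. */
static int file_type_from_keyword(const char *tok)
{
    static const char *kw[] = { "any", "file", "dir", "char", "block",
                                "socket", "pipe", "symlink" };
    for (int i = 0; i < GENFS_FILE_TYPE_COUNT; i++)
        if (strcmp(tok, kw[i]) == 0)
            return i;
    return -1;
}

/* Initializer that sets every field, including file_type. Forgetting the
 * new field here is the omission the reply above describes: a later
 * consumer would read whatever happened to be in memory. */
static void genfscon_init(struct genfscon *g)
{
    g->fs = NULL;
    g->path = NULL;
    g->context = NULL;
    g->file_type = GENFS_ANY;
}

/* Parse the argument list of a rule: fs path [file_type] context.
 * argc is 3 (no file type) or 4 (explicit keyword). Returns 0 on success,
 * -1 on a bad arity or an unknown keyword (the rule is rejected). */
int parse_genfscon(int argc, const char *argv[], struct genfscon *out)
{
    genfscon_init(out);
    if (argc != 3 && argc != 4)
        return -1;
    out->fs = argv[0];
    out->path = argv[1];
    if (argc == 4) {
        int ft = file_type_from_keyword(argv[2]);
        if (ft < 0)
            return -1;
        out->file_type = (enum genfs_file_type)ft;
    }
    out->context = argv[argc - 1];
    return 0;
}

/* Map the file type to the object-class name the kernel entry should carry
 * (assumed mapping). NULL for GENFS_ANY means "no class restriction"; any
 * out-of-range value, such as an uninitialized one, fails closed. */
int genfscon_class_name(const struct genfscon *g, const char **class_out)
{
    static const char *cls[] = { NULL, "file", "dir", "chr_file", "blk_file",
                                 "sock_file", "fifo_file", "lnk_file" };
    if ((unsigned)g->file_type >= GENFS_FILE_TYPE_COUNT)
        return -1;
    *class_out = cls[g->file_type];
    return 0;
}

int main(void)
{
    /* Constructed sample rule with an explicit file type. */
    const char *argv[] = { "proc", "/sys/kernel", "dir", "(system_u object_r sysctl_t)" };
    struct genfscon g;
    const char *cls;

    if (parse_genfscon(4, argv, &g) != 0 || genfscon_class_name(&g, &cls) != 0)
        return 1;
    printf("genfscon %s %s class=%s ctx=%s\n", g.fs, g.path,
           cls ? cls : "(any)", g.context);
    return 0;
}
```

The range check in `genfscon_class_name` is the defensive half of the fix: even if an init path somewhere forgets the field, the converter reports an error rather than writing an arbitrary class into the binary policy.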
James Carter Nov. 9, 2021, 8:49 p.m. UTC | #3
On Mon, Nov 8, 2021 at 4:46 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Thu, Nov 4, 2021 at 9:09 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Wed, Oct 27, 2021 at 5:32 PM James Carter <jwcart2@gmail.com> wrote:
> > >
> > > genfscon rules have always supported an optional file type, but when
> > > the ability for writing a policy.conf file from a kernel policy was
> > > added to libsepol it did not include that support. Support for the
> > > optional file type was also left out of CIL genfscon rules.
> > >
> > > This patch set fixes these problems.
> > >
> > > Patch 1 adds support for writing the optional file type in genfscon rules
> > > when writing a policy.conf file from a kernel policy.
> > >
> > > Patches 2-4 add support in CIL for handling an optional file type
> > > in genfscon rules, update the CIL documentation, and add support
> > > when writing out CIL from a kernel policy or module as well.
> > >
> > > James Carter (4):
> > >   libsepol: Add support for file types in writing out policy.conf
> > >   libsepol/cil: Allow optional file type in genfscon rules
> > >   secilc/docs: Document the optional file type for genfscon rules
> > >   libsepol: Write out genfscon file type when writing out CIL policy
> > >
> > >  libsepol/cil/src/cil_binary.c               | 39 +++++++++++++++++++
> > >  libsepol/cil/src/cil_build_ast.c            | 43 +++++++++++++++++++--
> > >  libsepol/cil/src/cil_internal.h             |  1 +
> > >  libsepol/src/kernel_to_cil.c                | 35 ++++++++++++++++-
> > >  libsepol/src/kernel_to_conf.c               | 35 ++++++++++++++++-
> > >  libsepol/src/module_to_cil.c                | 27 ++++++++++++-
> > >  secilc/docs/cil_file_labeling_statements.md | 10 ++++-
> > >  7 files changed, 179 insertions(+), 11 deletions(-)
> >
> > Something here breaks on the selinux-testsuite policy:
> >
> > # Run the test suite
> > #
> > make test
> > make -C policy load
> > make[1]: Entering directory '/root/selinux-testsuite/policy'
> > # Test for "expand-check = 0" in /etc/selinux/semanage.conf
> > # General policy build
> > make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
> > Compiling targeted test_policy module
> > Creating targeted test_policy.pp policy package
> > rm tmp/test_policy.mod tmp/test_policy.mod.fc
> > make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
> > # General policy load
> > domain_fd_use --> on
> > /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_userfaultfd.cil test_add_levels.cil test_glblub.cil
> > What is going on?
> > Failed to generate binary
> > /usr/sbin/semodule: Failed!
> > make[1]: *** [Makefile:189: load] Error 1
> > make[1]: Leaving directory '/root/selinux-testsuite/policy'
> > make: *** [Makefile:7: test] Error 2
> > Error: Process completed with exit code 2.
>
> Hello,
>
> This error happens because cil_genfscon_init() does not initialize
> ->file_type, and cil_genfscon_to_policydb() then reads an
> uninitialized value. The attached patch (on top of this series) fixed
> the CI for me.
>
> Cheers,
> Nicolas

Thanks for finding the problem. There are a few other additions that
are needed, so a v2 will be coming.
Jim