
[1/3] secilc/docs: selinuxuser actually takes a string not identifier

Message ID 4ad30dd7-ec19-e88a-848e-98de8af7a16b@gmail.com
State New, archived
Delegated to: Petr Lautrbach
Series [1/3] secilc/docs: selinuxuser actually takes a string not identifier

Commit Message

bauen1 Aug. 28, 2022, 12:14 p.m. UTC
Update parameter table and add note to example.
This can very easily lead to confusion, because secilc does not reject
e.g. (selinuxuser "admin_1" admin low_low).

Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@gmail.com>
---
  secilc/docs/cil_user_statements.md | 5 +++--
  1 file changed, 3 insertions(+), 2 deletions(-)

Comments

James Carter Aug. 30, 2022, 8:45 p.m. UTC | #1
On Sun, Aug 28, 2022 at 8:18 AM bauen1 <j2468h@googlemail.com> wrote:
>
> Update parameter table and add note to example.
> This can very easily lead to confusion, because secilc does not reject
> e.g. (selinuxuser "admin_1" admin low_low).
>
> Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@gmail.com>
> ---
>   secilc/docs/cil_user_statements.md | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
> index d5674f12..45a52140 100644
> --- a/secilc/docs/cil_user_statements.md
> +++ b/secilc/docs/cil_user_statements.md
> @@ -429,7 +429,7 @@ Associates a GNU/Linux user to a previously declared [`user`](cil_user_statement
>   </tr>
>   <tr class="odd">
>   <td align="left"><p><code>user_id</code></p></td>
> -<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
> +<td align="left"><p>A <b>string</b> referencing a previously declared SELinux <code>user</code> identifier.</p></td>
>   </tr>
>   <tr class="even">
>   <td align="left"><p><code>userrange_id</code></p></td>
> @@ -445,7 +445,8 @@ This example will associate `unconfined.admin` user with a GNU / Linux user "`ad
>   ```secil
>       (block unconfined
>           (user admin)
> -        (selinuxuser admin_1 admin low_low)
> +        ; XXX: Because the user_id is a string, the fully qualified identifier needs to be used here:
> +        (selinuxuser "admin_1" "unconfined.admin" low_low)

I don't see this behavior.

The following:
(block b2
  (user user2_u)
  (userrole user2_u ROLE)
  (userlevel user2_u (SENS))
  (userrange user2_u ((SENS) (SENS (CAT))))
  (userprefix user2_u user2)
  (selinuxuser name2 user2_u ((SENS) (SENS (CAT))))
)
Gives me:
name2:b2.user2_u:SENS-SENS:CAT

It works with quotes as well, but it doesn't require them.

The following:
(block b3
  (user user3_u)
  (userrole user3_u ROLE)
  (userlevel user3_u (SENS))
  (userrange user3_u ((SENS) (SENS (CAT))))
  (userprefix user3_u user3)
  (selinuxuser "name3" "user3_u" ((SENS) (SENS (CAT))))
)
Gives me:
name3:b3.user3_u:SENS-SENS:CAT

Thanks,
Jim
James Carter Aug. 31, 2022, 11:56 a.m. UTC | #2
On Tue, Aug 30, 2022 at 4:45 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Sun, Aug 28, 2022 at 8:18 AM bauen1 <j2468h@googlemail.com> wrote:
> >
> > Update parameter table and add note to example.
> > This can very easily lead to confusion, because secilc does not reject
> > e.g. (selinuxuser "admin_1" admin low_low).
> >
> > Signed-off-by: Jonathan Hettwer (bauen1) <j2468h@gmail.com>
> > ---
> >   secilc/docs/cil_user_statements.md | 5 +++--
> >   1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
> > index d5674f12..45a52140 100644
> > --- a/secilc/docs/cil_user_statements.md
> > +++ b/secilc/docs/cil_user_statements.md
> > @@ -429,7 +429,7 @@ Associates a GNU/Linux user to a previously declared [`user`](cil_user_statement
> >   </tr>
> >   <tr class="odd">
> >   <td align="left"><p><code>user_id</code></p></td>
> > -<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
> > +<td align="left"><p>A <b>string</b> referencing a previously declared SELinux <code>user</code> identifier.</p></td>
> >   </tr>
> >   <tr class="even">
> >   <td align="left"><p><code>userrange_id</code></p></td>
> > @@ -445,7 +445,8 @@ This example will associate `unconfined.admin` user with a GNU / Linux user "`ad
> >   ```secil
> >       (block unconfined
> >           (user admin)
> > -        (selinuxuser admin_1 admin low_low)
> > +        ; XXX: Because the user_id is a string, the fully qualified identifier needs to be used here:
> > +        (selinuxuser "admin_1" "unconfined.admin" low_low)
>
> I don't see this behavior.
>
> The following:
> (block b2
>   (user user2_u)
>   (userrole user2_u ROLE)
>   (userlevel user2_u (SENS))
>   (userrange user2_u ((SENS) (SENS (CAT))))
>   (userprefix user2_u user2)
>   (selinuxuser name2 user2_u ((SENS) (SENS (CAT))))
> )
> Gives me:
> name2:b2.user2_u:SENS-SENS:CAT
>
> It works with quotes as well, but it doesn't require them.
>
> The following:
> (block b3
>   (user user3_u)
>   (userrole user3_u ROLE)
>   (userlevel user3_u (SENS))
>   (userrange user3_u ((SENS) (SENS (CAT))))
>   (userprefix user3_u user3)
>   (selinuxuser "name3" "user3_u" ((SENS) (SENS (CAT))))
> )
> Gives me:
> name3:b3.user3_u:SENS-SENS:CAT
>
> Thanks,
> Jim

Attached is the policy I used to test and a program that calls
cil_selinuxusers_to_string().
Jim
bauen1 Aug. 31, 2022, 12:07 p.m. UTC | #3
On 8/31/22 13:56, James Carter wrote:
> On Tue, Aug 30, 2022 at 4:45 PM James Carter <jwcart2@gmail.com> wrote:
>>
>> I don't see this behavior.
>>
>> The following:
>> (block b2
>>    (user user2_u)
>>    (userrole user2_u ROLE)
>>    (userlevel user2_u (SENS))
>>    (userrange user2_u ((SENS) (SENS (CAT))))
>>    (userprefix user2_u user2)
>>    (selinuxuser name2 user2_u ((SENS) (SENS (CAT))))
>> )
>> Gives me:
>> name2:b2.user2_u:SENS-SENS:CAT
>>
>> It works with quotes as well, but it doesn't require them.
>>
>> The following:
>> (block b3
>>    (user user3_u)
>>    (userrole user3_u ROLE)
>>    (userlevel user3_u (SENS))
>>    (userrange user3_u ((SENS) (SENS (CAT))))
>>    (userprefix user3_u user3)
>>    (selinuxuser "name3" "user3_u" ((SENS) (SENS (CAT))))
>> )
>> Gives me:
>> name3:b3.user3_u:SENS-SENS:CAT
>>
>> Thanks,
>> Jim
> 
> Attached is the policy I used to test and a program that calls
> cil_selinuxusers_to_string().
> Jim

Thanks, I'll take another look at this some time.
Obviously the other patches can be merged independently.

Patch

diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
index d5674f12..45a52140 100644
--- a/secilc/docs/cil_user_statements.md
+++ b/secilc/docs/cil_user_statements.md
@@ -429,7 +429,7 @@  Associates a GNU/Linux user to a previously declared [`user`](cil_user_statement
  </tr>
  <tr class="odd">
  <td align="left"><p><code>user_id</code></p></td>
-<td align="left"><p>A previously declared SELinux <code>user</code> identifier.</p></td>
+<td align="left"><p>A <b>string</b> referencing a previously declared SELinux <code>user</code> identifier.</p></td>
  </tr>
  <tr class="even">
  <td align="left"><p><code>userrange_id</code></p></td>
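Review bot: the new `user_id` wording ("A string referencing a previously declared SELinux user identifier") turns a claim that the thread does not bear out into documentation. The test posted in this series, `(selinuxuser name2 user2_u ...)` inside `(block b2 ...)`, yields `name2:b2.user2_u:SENS-SENS:CAT`, so a bare identifier is accepted and resolved relative to the enclosing block just like any other `user` reference, and the quoted form is merely also accepted. Suggest describing the argument as "a previously declared SELinux `user` identifier, which may also be written as a quoted string" rather than replacing "identifier" with "string", and, if `(selinuxuser "admin_1" admin low_low)` really resolves to the wrong user in some configuration, adding the policy and the produced seusers line that reproduces it to the commit message before the table is changed.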
@@ -445,7 +445,8 @@  This example will associate `unconfined.admin` user with a GNU / Linux user "`ad
  ```secil
      (block unconfined
          (user admin)
-        (selinuxuser admin_1 admin low_low)
+        ; XXX: Because the user_id is a string, the fully qualified identifier needs to be used here:
+        (selinuxuser "admin_1" "unconfined.admin" low_low)
      )
  ```
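Review bot: the added `; XXX:` comment states that the fully qualified `"unconfined.admin"` is required here, but the `b2`/`user2_u` test in this thread shows an unqualified user name inside a block resolving to `b2.user2_u` without any qualification, so the removed line `(selinuxuser admin_1 admin low_low)` appears to have been correct as written, and the unchanged sentence above the hunk ("This example will associate `unconfined.admin` user with ...") already describes that behaviour. An `XXX` marker in a published example also reads as an unfinished note to the author rather than guidance to the reader. If the intent is only to show that quoting is permitted, keep the original line and, at most, add the quoted spelling as a second example without the comment; otherwise leave this hunk out until the mis-resolution has been reproduced.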