OwlCyberDefense / setools

setools has moved to https://github.com/SELinuxProject/setools

Error running sesearch #94

Closed jeffvanderstoep closed 8 years ago

jeffvanderstoep commented 8 years ago

I am building/installing tip-of-tree libsepol, libselinux and setools on a clean Ubuntu VM (no default Ubuntu selinux anything).

I am getting a strange error when using sesearch on a policy built in AOSP master with policy version 29 (i.e. no ioctl policy)

    $ sesearch -A -s init -t device sepolicy
    clatd is an attribute

Which is a strange error because clatd is not an attribute.

ghost commented 8 years ago

Yes, known issue. I have hit that as well on Fedora (with CIL policy in my case)

jeffvanderstoep commented 8 years ago

Is this being worked on? Is there an ETA?

On Wed, Feb 3, 2016 at 11:50 AM doverride notifications@github.com wrote:

> Yes, known issue. I have hit that as well on Fedora (with CIL policy in my case)

pebenito commented 8 years ago

This is being worked, but having trouble reproducing it. I tried setting up a Rawhide system last week, since that's where @doverride saw it, but it appears rawhide is extra unstable right now (it wouldn't boot for me).

@jeffvanderstoep which version of Ubuntu? Also, to clarify "clean", it has no changes other than installing the HEAD SELinux userspace (libsepol, etc.)?

ghost commented 8 years ago

Should just work:

  1. install a minimal fedora 23 server product
  2. install "fedora-repos-rawhide" (dnf install fedora-repos-rawhide)
  3. enable the rawhide repo in /etc/yum.repos.d and disable the f23 repos
  4. dnf update && reboot

pebenito commented 8 years ago

@doverride that's precisely what I did and it wouldn't boot. I also tried Fedora 23 Workstation with the same result.

ghost commented 8 years ago

I see they're in the middle of a mass rebuild. You could try a nightly boot.iso as explained here:

https://fedoraproject.org/wiki/Releases/Rawhide

See the "Nightly images" section

jeffvanderstoep commented 8 years ago

Ubuntu 14.04

Clean meaning a fresh install and no "apt-get install" of any selinux tools (just to make sure I am linking against my own libsepol and libselinux and not the Ubuntu ones which seem to run considerably behind upstream).

One small patch to libselinux Makefile since I'm not installing libsepol headers:

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 79d50d2..22199eb 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -71,7 +71,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
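Review bot: the hunk header @@ -71,7 +71,7 @@ announces a one-line change, but the visible portion of the hunk is only the unchanged CFLAGS context (the "-O -Wall -W -Wundef ..." line through "-Wno-suggest-attribute=const") with no - or + line, so the edit the text describes (accommodating the libsepol headers that are not installed) is not actually on the page; please paste the complete hunk, including the removed and added line, so the include path change can be reviewed.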

    cd ~/
    git clone https://github.com/SELinuxProject/selinux.git
    cd selinux/libsepol/src
    make DESTDIR=~/obj install
    cd ~/selinux
    patch -p1 <
    cd libselinux/src
    make DESTDIR=~/obj install install-pywrap

Likewise a patch to point setools to my libsepol and libselinux:

diff --git a/setup.py b/setup.py index ddc3e41..87721f0 100644 --- a/setup.py +++ b/setup.py @@ -64,7 +64,7 @@ except KeyError:

chooses dynamic libraries over static ones, so

 # this assumes that the static lib is in the same directory
 # as the dynamic lib.
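Review bot: as with the Makefile hunk, @@ -64,7 +64,7 @@ except KeyError: shows only context (the comment about preferring dynamic libraries over static ones and the static lib living in the same directory) and no - or + line, so the path substituted for libsepol and libselinux cannot be checked; the line "chooses dynamic libraries over static ones, so" also appears to have lost its leading "#", which suggests the paste is not a verbatim copy of the diff. Please attach the diff as a file or gist rather than inline.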

sesearch...

pebenito commented 8 years ago

I've been able to reproduce this. Richard Haines actually has a proposed fix as part of his v30 xperms and Xen patch set. This patch set is still under review/revision (see #73), but from some preliminary testing it seems to address the issue. I've extracted the fix for you to try out at pebenito/setools@f71d0052438f499f122859de77f8f9b40f66e206.

stevedlawrence commented 8 years ago

I can confirm that the extracted patch, pebenito/setools@f71d0052438f499f122859de77f8f9b40f66e206, makes sense and is necessary.

To make neverallow checking easier, commit SELinuxProject/selinux@88d09b69795de11401355d2fcc6459bdc3f8a8a6 changed the attr_type_map so that types were treated as if they were typeattributes containing only themselves. So ebitmaps that used to be empty now have a single bit set. This means the count == 0 check is no longer sufficient to guard against dealing with types in this function. Thus, the check of flavor is necessary to skip types and only inspect typeattributes.

Note that for correctness, the flavor check should probably be moved to before the ebitmap_for_each_bit function, since there is really no reason to count the number of bits set if the flavor is a type.
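The effect described above (every plain type now expanding to a bitmap containing only itself, so a "count == 0" test no longer distinguishes types from attributes) can be shown with a small constructed model. This is an added example and not code from setools or libsepol: the `type_datum_t`, the 64-bit bitset standing in for libsepol's ebitmap, the policy table and the `old_is_attribute` / `new_is_attribute` functions are all simplified reimplementations written for illustration. Only the `TYPE_TYPE` and `TYPE_ATTRIB` flavor values mirror the constants in libsepol's policydb.h; the policy contents (an attribute `domain` with members `init` and `clatd`, plus a type `device`) are made up to match the command in the original report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the libsepol structures involved; not libsepol's code.
 * The flavor values match TYPE_TYPE / TYPE_ATTRIB in libsepol's policydb.h. */
#define TYPE_TYPE   0
#define TYPE_ATTRIB 1

#define MAX_TYPES 64

/* A 64-bit bitset stands in for libsepol's ebitmap (assumption: <= 64 types). */
typedef uint64_t bitset_t;

static unsigned bitset_count(bitset_t b) {
    unsigned n = 0;
    while (b) { n += (unsigned)(b & 1); b >>= 1; }
    return n;
}

typedef struct {
    const char *name;
    uint32_t value;   /* 1-based, as type values are in a policydb */
    unsigned flavor;  /* TYPE_TYPE or TYPE_ATTRIB */
} type_datum_t;

typedef struct {
    type_datum_t types[MAX_TYPES];
    unsigned count;
    /* attr_type_map[value-1]: the set of types this entry expands to */
    bitset_t attr_type_map[MAX_TYPES];
} policy_t;

static uint32_t add_type(policy_t *p, const char *name, unsigned flavor) {
    type_datum_t *t = &p->types[p->count];
    t->name = name;
    t->flavor = flavor;
    t->value = ++p->count;
    p->attr_type_map[t->value - 1] = 0;
    return t->value;
}

static void add_member(policy_t *p, uint32_t attr, uint32_t type) {
    p->attr_type_map[attr - 1] |= (bitset_t)1 << (type - 1);
}

/* Returns the 1-based value of a named type, or 0 if it is not present. */
static uint32_t lookup(const policy_t *p, const char *name) {
    for (unsigned i = 0; i < p->count; i++)
        if (strcmp(p->types[i].name, name) == 0)
            return p->types[i].value;
    return 0;
}

/* Models the libsepol change discussed above: every plain type is treated
 * as an attribute whose only member is itself, so its map gets its own bit. */
static void apply_self_mapping(policy_t *p) {
    for (unsigned i = 0; i < p->count; i++)
        if (p->types[i].flavor == TYPE_TYPE)
            p->attr_type_map[i] |= (bitset_t)1 << i;
}

/* Old logic: "anything with a non-empty expansion is an attribute".
 * Correct only while plain types had empty bitmaps. */
static bool old_is_attribute(const policy_t *p, uint32_t value) {
    return bitset_count(p->attr_type_map[value - 1]) != 0;
}

/* Fixed logic: consult the flavor first and never count bits for a type. */
static bool new_is_attribute(const policy_t *p, uint32_t value) {
    if (p->types[value - 1].flavor == TYPE_TYPE)
        return false;
    return bitset_count(p->attr_type_map[value - 1]) != 0;
}

/* Constructed sample policy: attribute "domain" = { init, clatd }, plus "device". */
static void build_policy(policy_t *p) {
    memset(p, 0, sizeof *p);
    uint32_t domain = add_type(p, "domain", TYPE_ATTRIB);
    uint32_t init   = add_type(p, "init",   TYPE_TYPE);
    uint32_t clatd  = add_type(p, "clatd",  TYPE_TYPE);
    add_type(p, "device", TYPE_TYPE);
    add_member(p, domain, init);
    add_member(p, domain, clatd);
}

int main(void) {
    policy_t p;
    build_policy(&p);
    apply_self_mapping(&p);
    for (unsigned i = 0; i < p.count; i++) {
        uint32_t v = p.types[i].value;
        printf("%-7s flavor=%s old_check=%s new_check=%s\n", p.types[i].name,
               p.types[i].flavor == TYPE_ATTRIB ? "attrib" : "type",
               old_is_attribute(&p, v) ? "attribute" : "type",
               new_is_attribute(&p, v) ? "attribute" : "type");
    }
    return 0;
}
```

Before the self-mapping is applied, both checks agree; after it, the old check reports `clatd` (and every other plain type) as an attribute, which is the message the reporter saw, while the flavor check still classifies only `domain` as an attribute. Checking the flavor before walking the bitmap, as the comment above suggests, also avoids counting bits for every type in the policy.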

jeffvanderstoep commented 8 years ago

confirmed. Thanks!