SELinuxProject / selinux

This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs and patches should be submitted to selinux@vger.kernel.org

libsepol: new "all" op verifier in 3.6 does not check classcommon perms #430

Status: Closed (bcressey closed this 5 months ago)

bcressey commented 6 months ago

The classcommon documentation gives this example:

(common ipc (create destroy getattr setattr read write associate unix_read unix_write))
(classcommon sem ipc)
(class sem ())

In my project I extend that with a classmap:

(classmap ipcs (use))
(classmapping ipcs use (sem (all)))

However, this is no longer accepted by the CIL verifier after e81c466bca9a06e2ada7d783fe31dd44c9e04432:

# semodule -B
Operator "all" used for sem which has no permissions associated with it at /var/lib/selinux/fortified/tmp/modules/100/class/cil:205
Error verifying class permissions for map class ipcs, permission use at /var/lib/selinux/fortified/tmp/modules/100/ipcs/cil:2
Failed to verify cil database
Failed to verify cil database
Post process failed
semodule:  Failed!

The "all" check does not traverse the class->common list and so does not find any permissions. I've created a small patch to add that traversal, which fixes the problem for my policy at least.
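The following is an added illustration of the point above; it is not code from the issue or from libsepol. It models, in Python, the handful of CIL statements involved (common, classcommon, class, classmap, classmapping with the anonymous `(class (perms))` form shown here) on a constructed copy of the snippets from the report, and resolves `(all)` two ways: once looking only at the class's own permission list, and once after following the class's classcommon to its common. The function and variable names (`load_policy`, `class_perms`, `verify_mappings`, `include_common`) are my own; the real verifier works on a CIL database, not on this dictionary, and CIL's `and`/`or`/`not`/`xor` permission operators are deliberately left out.

```python
"""Toy CIL expander: resolve a classmapping's (all) against class + common perms.

Added example, not libsepol code. It shows why a verifier that only consults
a class's own permission list rejects `(sem (all))` when every permission of
`sem` comes from its common (`ipc`).
"""
import re

# Constructed sample policy, modelled on the snippets in the report.
SAMPLE_POLICY = """
(common ipc (create destroy getattr setattr read write associate unix_read unix_write))
(classcommon sem ipc)
(class sem ())
(classmap ipcs (use))
(classmapping ipcs use (sem (all)))
"""


def tokenize(text):
    """Split CIL text into '(' , ')' and bare symbols."""
    return re.findall(r"\(|\)|[^\s()]+", text)


def parse(tokens):
    """Turn a token stream into nested Python lists, one list per top-level statement."""
    stack = [[]]
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            expr = stack.pop()
            stack[-1].append(expr)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def load_policy(text):
    """Collect the statements we care about into a small in-memory policy."""
    policy = {"commons": {}, "classes": {}, "class_common": {}, "classmaps": {}, "mappings": []}
    for stmt in parse(tokenize(text)):
        kind = stmt[0]
        if kind == "common":
            policy["commons"][stmt[1]] = list(stmt[2])
        elif kind == "class":
            policy["classes"][stmt[1]] = list(stmt[2])
        elif kind == "classcommon":
            policy["class_common"][stmt[1]] = stmt[2]
        elif kind == "classmap":
            policy["classmaps"][stmt[1]] = list(stmt[2])
        elif kind == "classmapping":
            # (classmapping map_class map_perm (class (perms)))
            policy["mappings"].append((stmt[1], stmt[2], stmt[3]))
    return policy


def class_perms(policy, cls, include_common=True):
    """Permissions a class really has: its common's perms (if any) plus its own."""
    perms = list(policy["classes"][cls])
    if include_common:
        common = policy["class_common"].get(cls)
        if common is not None:
            perms = policy["commons"][common] + perms
    return perms


def expand(policy, classperm, include_common=True):
    """Resolve one (class (perms)) expression; (all) means every available perm."""
    cls, perm_expr = classperm
    available = class_perms(policy, cls, include_common)
    if perm_expr == ["all"]:
        if not available:
            raise ValueError(f'Operator "all" used for {cls} which has no permissions associated with it')
        return available
    missing = [p for p in perm_expr if p not in available]
    if missing:
        raise ValueError(f"class {cls} has no permission(s) {missing}")
    return list(perm_expr)


def verify_mappings(policy, include_common=True):
    """Expand every classmapping; returns {(map_class, map_perm): [perms]} or raises."""
    result = {}
    for map_class, map_perm, classperm in policy["mappings"]:
        if map_perm not in policy["classmaps"][map_class]:
            raise ValueError(f"map class {map_class} has no permission {map_perm}")
        result[(map_class, map_perm)] = expand(policy, classperm, include_common)
    return result


if __name__ == "__main__":
    pol = load_policy(SAMPLE_POLICY)
    for flag in (False, True):
        try:
            print(f"include_common={flag}:", verify_mappings(pol, include_common=flag))
        except ValueError as err:
            print(f"include_common={flag}: rejected:", err)
```

With `include_common=False` the toy verifier reproduces the first error line from the report (sem has no permissions of its own), and with `include_common=True` the mapping expands to the nine `ipc` permissions. The fix in libsepol is the same idea: the "all" check has to walk from the class to its common before deciding the permission set is empty.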

jwcart2 commented 6 months ago

Thanks for the report, it looks like your patch does fix the issue.

For your patch to be reviewed and accepted it must be sent to the selinux@vger.kernel.org mailing list. You can use git send-email to do that.

jwcart2 commented 6 months ago

Actually, I would like a bit more detail in the commit message, so I will take your patch and change the commit message (while giving you credit). Thanks again.

bcressey commented 5 months ago

Closing since this is merged. Thanks!