Bug 1680598
Summary: | libsepol doesn't work with labels where is "." character and no "_t" convention | |
---|---|---|---
Product: | Fedora | Reporter: | Lukas Vrabec <lvrabec>
Component: | libsepol | Assignee: | Petr Lautrbach <plautrba>
Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 31 | CC: | dwalsh, plautrba, vmojzis
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | |
 | 1680601 | Environment: |
Last Closed: | 2019-08-26 13:14:31 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1680601 | |
Description
Lukas Vrabec
2019-02-25 12:00:27 UTC
Adding steps to reproduce this issue:

```
# cat base_container.cil
(block container
    (type process)
    (roletype system_r process)
    (typeattributeset svirt_sandbox_domain (process ))
    (typeattributeset container_domain (process ))
    (allow process proc_type (file (getattr open read)))
    (allow process cpu_online_t (file (getattr open read)))
)
# cat mycontainer.cil
(block mycontainer
    (blockinherit container)
)
# semodule -i base_container.cil mycontainer.cil
# cat avc
type=AVC msg=audit(1542355385.172:634661): avc: denied { read } for pid=5801 comm="passwd" capability=18 scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
# audit2allow -i avc

#============= mycontainer.process ==============
#!!!! This avc has a dontaudit rule in the current policy
```

^^^ works

```
[root@localhost ~]# audit2allow -i avc -M mypolicy
compilation failed:
libsepol.hierarchy_add_type_callback: mycontainer doesn't exist, mycontainer.process is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
/usr/bin/checkmodule: loading policy configuration from mypolicy.te
```

^^^ Broken

Fixing one command in previous comment:

```
[root@localhost ~]# audit2allow -i avc

#============= mycontainer.process ==============
#!!!! This avc has a dontaudit rule in the current policy
allow mycontainer.process passwd_file_t:file read;
```

This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.

The policy created by udica is written in CIL, where '.' is used for the relationship between namespaces, while audit2allow uses the SELinux policy language, where '.' is used for the relationship between types. If audit2allow were able to generate CIL policy like '(allow bz1680601.process ssh_port_t (tcp_socket (name_bind)))' it would work just fine. Also, udica could be made able to modify/update the generated policy based on AVC denial messages.
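As an added illustration (not code from the bug report, audit2allow or udica), the following Python shows the two spellings of the rule that the closing comment contrasts. It parses the AVC line from the report into source type, target type, object class and permissions, then emits the rule in kernel policy language (where a dotted name such as `mycontainer.process` is read as a type `process` bounded by a parent type `mycontainer`, which is why checkmodule reports it as an orphan when no such parent exists) and in CIL (where `mycontainer.process` is simply the qualified name of the type declared inside `(block mycontainer ...)`). A last helper lists the dotted type names in a .te rule whose parent is absent from a given set of declared types, which is the condition libsepol's hierarchy check rejects. The parser, the function names and the declared-type sets are assumptions for this example; the sample AVC line is the one from the report.

```python
import re

# Constructed sample input: the AVC denial from the bug report, embedded so the
# example runs offline.
SAMPLE_AVC = (
    'type=AVC msg=audit(1542355385.172:634661): avc: denied { read } for pid=5801 '
    'comm="passwd" capability=18 scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1'
)

# Minimal AVC matcher (an assumption for this example, not audit2allow's parser).
_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) from one AVC denial line."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    # A security context is user:role:type[:range]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    perms = m.group("perms").split()
    return stype, ttype, m.group("tclass"), perms


def to_te_rule(stype, ttype, tclass, perms):
    """Kernel policy language form, as audit2allow prints it.

    In this language 'a.b' means 'type b bounded by parent type a', so the
    namespaced CIL type mycontainer.process only compiles if a type named
    mycontainer is also declared.
    """
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (stype, ttype, tclass, perm_text)


def to_cil_rule(stype, ttype, tclass, perms):
    """CIL form of the same rule.

    Here mycontainer.process is the fully qualified name of the type declared
    inside (block mycontainer ...), so no separate parent type is required.
    """
    return "(allow %s %s (%s (%s)))" % (stype, ttype, tclass, " ".join(perms))


def te_orphans(rule_types, declared_types):
    """Dotted type names whose parent (everything before the last '.') is not
    among declared_types. These are the names libsepol's hierarchy check rejects
    as orphans when the .te module is compiled and loaded."""
    return [
        t for t in rule_types
        if "." in t and t.rsplit(".", 1)[0] not in declared_types
    ]


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print(to_te_rule(*parsed))   # the form that fails to compile in the report
    print(to_cil_rule(*parsed))  # the form the closing comment says would work
    # Constructed declared-type set: the target type exists, the parent does not.
    print(te_orphans([parsed[0], parsed[1]], {"passwd_file_t"}))
```

Run stand-alone it prints the .te rule from the report, its CIL equivalent, and `['mycontainer.process']`, the orphan that the `hierarchy_add_type_callback` message refers to.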