Bug 1680598 - libsepol doesn't work with labels where is "." character and no "_t" convention
Summary: libsepol doesn't work with labels where is "." character and no "_t" convention
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: libsepol
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1680601
Reported: 2019-02-25 12:00 UTC by Lukas Vrabec
Modified: 2019-08-26 13:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1680601 (view as bug list)
Environment:
Last Closed: 2019-08-26 13:14:31 UTC
Type: Bug
Embargoed:



Description Lukas Vrabec 2019-02-25 12:00:27 UTC
Description of problem:
If the source context contains a "." character and does not follow the "_t" convention, it's not possible to create a local custom module using audit2allow. Based on the error message it looks like the problem is in libsepol.

For more info see:
https://github.com/containers/udica/issues/8

Version-Release number of selected component (if applicable):
libsepol-2.8-3.fc30.x86_64

How reproducible:
Always

Actual results:
[root@localhost ~]# audit2allow  -i avc -M test
compilation failed:
libsepol.hierarchy_add_type_callback: issuebug doesn't exist, mycontainer.process is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
/usr/bin/checkmodule:  loading policy configuration from test.te

Expected results:
audit2allow will generate a custom local policy with source context "mycontainer.process"

Comment 1 Lukas Vrabec 2019-02-25 12:33:39 UTC
Adding steps to reproduce this issue:

# cat base_container.cil 
(block container
(type process)
(roletype system_r process)
(typeattributeset svirt_sandbox_domain (process ))
(typeattributeset container_domain (process ))
(allow process proc_type (file (getattr open read)))
(allow process cpu_online_t (file (getattr open read)))
)

# cat mycontainer.cil 
(block mycontainer
    (blockinherit container)
) 

# semodule -i base_container.cil mycontainer.cil 

# cat avc
type=AVC msg=audit(1542355385.172:634661): avc:  denied  { read } for  pid=5801 comm="passwd" capability=18  scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1

# audit2allow -i avc


#============= mycontainer.process ==============

#!!!! This avc has a dontaudit rule in the current policy


^^^ works


[root@localhost ~]# audit2allow -i avc -M mypolicy 
compilation failed:
libsepol.hierarchy_add_type_callback: mycontainer doesn't exist, mycontainer.process is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
/usr/bin/checkmodule:  loading policy configuration from mypolicy.te


^^^ Broken

Comment 2 Lukas Vrabec 2019-02-25 12:36:19 UTC
Fixing one command in the previous comment:

[root@localhost ~]# audit2allow -i avc


#============= mycontainer.process ==============

#!!!! This avc has a dontaudit rule in the current policy
allow mycontainer.process passwd_file_t:file read;

Comment 3 Ben Cotton 2019-08-13 16:47:49 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 4 Petr Lautrbach 2019-08-26 13:14:31 UTC
The policy created by udica is written in CIL, where '.' is used for the relationship between namespaces, while audit2allow uses the SELinux policy language, where '.' is used for the relationship between types.

If audit2allow was able to generate CIL policy like '(allow bz1680601.process ssh_port_t (tcp_socket (name_bind)))' it would work just fine.

Also, udica could be able to modify/update the generated policy based on AVC denial messages.
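The following is an added example, not code from the bug report, from udica or from libsepol. It illustrates the distinction comment 4 makes and the reproduction in comment 1: the same AVC record rendered as a .te rule (where checkmodule reads "mycontainer.process" as a type hierarchy and fails because no type "mycontainer" exists) and as a CIL rule (where "mycontainer.process" is the qualified name of the "process" type inside the "mycontainer" block, which semodule accepts). The AVC sample is constructed after the one in comment 1; the function names and the regular expression are this example's own assumptions about the audit record layout, not an interface of any of the tools named on the page.

```python
import re

# Constructed sample AVC records, modelled on the record in comment 1.
SAMPLE_AVC = (
    'type=AVC msg=audit(1542355385.172:634661): avc:  denied  { read } for  pid=5801 '
    'comm="passwd" capability=18  scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1'
)
SAMPLE_AVC_MULTI = (
    'type=AVC msg=audit(1542355385.172:634662): avc:  denied  { read write } for  pid=5802 '
    'comm="passwd" scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1'
)

# Assumed layout of an AVC denial: permission set in braces, then the source
# and target security contexts and the object class as key=value tokens.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the pieces needed for an allow rule, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A security context is user:role:type[:range]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return {
        'perms': tuple(m.group('perms').split()),
        'stype': stype,
        'ttype': ttype,
        'tclass': m.group('tclass'),
    }


def is_cil_namespaced(type_name):
    """True when the type name carries a CIL block namespace ("block.symbol").

    In the .te policy language the same '.' denotes a type hierarchy, so
    checkmodule looks for a parent type "mycontainer" and reports the child
    as an orphan when that parent does not exist (the error in the report).
    """
    return '.' in type_name


def te_rule(d):
    """The rule in the form audit2allow -M writes into the .te file."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['stype'], d['ttype'], d['tclass'], perms)


def cil_rule(d):
    """The same rule in CIL, where the qualified name resolves inside the block."""
    return '(allow %s %s (%s (%s)))' % (d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))


def cil_module(avc_lines):
    """Build a loadable CIL module text (one rule per distinct denial) from AVC lines."""
    rules = []
    for line in avc_lines:
        d = parse_avc(line)
        if d is None:
            continue
        r = cil_rule(d)
        if r not in rules:
            rules.append(r)
    return '\n'.join(rules) + '\n'


if __name__ == '__main__':
    d = parse_avc(SAMPLE_AVC)
    print('te  :', te_rule(d), '(fails with checkmodule: namespaced type)' if is_cil_namespaced(d['stype']) else '')
    print('cil :', cil_rule(d))
    print(cil_module([SAMPLE_AVC, SAMPLE_AVC_MULTI]), end='')
```

Writing the output of cil_module() to a file and loading it with "semodule -i" is the CIL-side equivalent of the "audit2allow -M" step that fails in the report; the .te form is produced alongside only to show what checkmodule would be asked to compile.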

