
SELinux Mailing List

Re: Labeling only policy and problems with booleans

From: Karl MacMillan <kmacmillan_at_tresys.com>
Date: Thu, 27 Apr 2006 15:53:15 -0400


On Thu, 2006-04-27 at 22:17 +0300, Török Edwin wrote:
> On Wednesday 26 April 2006 22:26, Stephen Smalley wrote:
> > sediff of these two policies shows a _lot_ of differences, including 107
> > added types in the "bad" policy. Are you sure they are identical except
> > for linking unconfined? What is in that module (source)?
> >
> > I do see an allow unconfined_t security_t:security load_policy under a
> > different boolean in the "bad" policy; looks like a boolean mapping
> > problem at link time. We did see those when the optionals-in-base
> > support was first merged, so the Debian checkpolicy might have an issue
> > there, but that should have been resolved in 1.30.3 or newer, built
> > against libsepol 1.12.3 or newer.
> >
> I rebuilt the policy under FC5, with checkpolicy 1.30.3, and
> libsepol-1.12.4-1.fc5, checkpolicy-1.30.3-1.fc5, here it is
> http://edwintorok.googlepages.com/policy.20.
> Using sediff shows almost no difference to the bad policy (some te rules I
> removed, since they violated assertions), and the same 100+ differences to
> the good policy.
> Looking at this line:
> F + allow unconfined_t security_t : security { compute_member
> compute_user compute_create setenforce check_context setcheckreqprot
> compute_relabel setbool load_policy setsecparam compute_av }; [ allow_execmem
> allow_execstack && ]
>
> I tried setting allow_execmem and allow_execstack to true, and then I couldn't
> load policy anymore. Clearly, at linktime secure_mode_policyload was mapped
> to allow_execmem && allow_execstack.
> And AFAICT this bug is still present in the latest checkpolicy+libsepol.
>
> Is there a bugtracker for selinux?
>
> (You said that a bug like this has been fixed; do you recall where that patch
> is? It might be a good starting point for fixing this issue.)
>
> Edwin
>

We have a patch that fixes this, but unfortunately it is part of a larger patch that fixes several bugs and introduces a minor policy module file format change. I'm trying to track down the exact part of the larger patch that fixes this bug now and will hopefully have a smaller patch soon.

Karl

-- 
Karl MacMillan
Tresys Technology
www.tresys.com


> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
Received on Thu 27 Apr 2006 - 15:55:16 EDT
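The practical check behind this thread is to confirm, from the linked policy itself, which booleans actually gate `unconfined_t`'s `load_policy` permission. The following is an added example, not code from this thread, from SETools or from libsepol: it parses sediff-style conditional rule lines like the one quoted above, evaluates their postfix boolean expressions for a given set of boolean values, and reports which booleans guard the permission. The sample lines are constructed to mirror the quoted output (a "good" policy guarded by `secure_mode_policyload` and a "bad" one guarded by `allow_execmem allow_execstack &&`); the reading of the leading `F` as "rule is in the false branch, so it is active when the expression is false" is an assumption that is consistent with the report that enabling both exec booleans disabled policy loading. All function names are mine.

```python
"""Check which booleans gate a permission, from sediff-style conditional rule lines.

Added example for this thread; not SETools or libsepol code.
"""
import re
from typing import Callable, Dict, List, Set

# Constructed sample output in the shape of the sediff line quoted in the thread.
# ASSUMPTION: the leading T/F names the branch the rule sits in; F means the rule
# is active only when the bracketed expression evaluates to FALSE.
GOOD_POLICY = """
F + allow unconfined_t security_t : security { compute_member compute_user compute_create setenforce check_context setcheckreqprot compute_relabel setbool load_policy setsecparam compute_av }; [ secure_mode_policyload ]
T + allow unconfined_t self : process { execmem }; [ allow_execmem ]
"""

BAD_POLICY = """
F + allow unconfined_t security_t : security { compute_member compute_user compute_create setenforce check_context setcheckreqprot compute_relabel setbool load_policy setsecparam compute_av }; [ allow_execmem allow_execstack && ]
T + allow unconfined_t self : process { execmem }; [ allow_execmem ]
"""

RULE_RE = re.compile(
    r"^(?P<branch>[TF])\s+[-+*]\s+allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"\{(?P<perms>[^}]*)\}\s*;\s*\[(?P<expr>[^\]]*)\]\s*$"
)

# Binary operators of the postfix boolean expressions; "!" is handled as unary.
BINARY: Dict[str, Callable[[bool, bool], bool]] = {
    "&&": lambda a, b: a and b,
    "||": lambda a, b: a or b,
    "^": lambda a, b: a != b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_rules(text: str) -> List[dict]:
    """Parse conditional allow lines into dicts with a permission set and expr tokens."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsed sediff line: %r" % line)
        rules.append({
            "branch": m["branch"],
            "src": m["src"], "tgt": m["tgt"], "cls": m["cls"],
            "perms": set(m["perms"].split()),
            "expr": m["expr"].split(),
        })
    return rules


def eval_postfix(tokens: List[str], bools: Dict[str, bool]) -> bool:
    """Stack-evaluate a postfix boolean expression; an unknown boolean raises KeyError."""
    stack: List[bool] = []
    for tok in tokens:
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in BINARY:
            rhs, lhs = stack.pop(), stack.pop()
            stack.append(BINARY[tok](lhs, rhs))
        else:
            stack.append(bool(bools[tok]))
    if len(stack) != 1:
        raise ValueError("malformed expression: %r" % (tokens,))
    return stack[0]


def rule_active(rule: dict, bools: Dict[str, bool]) -> bool:
    """A T-branch rule is active when its expression is true; an F-branch rule when false."""
    value = eval_postfix(rule["expr"], bools)
    return value if rule["branch"] == "T" else not value


def booleans_gating(rules: List[dict], src: str, tgt: str, cls: str, perm: str) -> Set[str]:
    """Every boolean name appearing in the guard of a rule that grants perm."""
    names: Set[str] = set()
    for r in rules:
        if (r["src"], r["tgt"], r["cls"]) == (src, tgt, cls) and perm in r["perms"]:
            names.update(t for t in r["expr"] if t != "!" and t not in BINARY)
    return names


def permission_allowed(rules: List[dict], bools: Dict[str, bool],
                       src: str, tgt: str, cls: str, perm: str) -> bool:
    """True if any currently active rule grants perm for the (src, tgt, cls) triple."""
    return any(rule_active(r, bools) and perm in r["perms"]
               for r in rules
               if (r["src"], r["tgt"], r["cls"]) == (src, tgt, cls))


def check_policyload(text: str) -> dict:
    """Audit: is unconfined_t's load_policy gated by secure_mode_policyload alone,
    and is it still reachable with the reporter's boolean settings?"""
    rules = parse_rules(text)
    key = ("unconfined_t", "security_t", "security", "load_policy")
    gating = booleans_gating(rules, *key)
    reporter_settings = {"allow_execmem": True, "allow_execstack": True,
                         "secure_mode_policyload": False}
    return {
        "gating": gating,
        "mapped_correctly": gating == {"secure_mode_policyload"},
        "loadable_with_exec_bools_on": permission_allowed(rules, reporter_settings, *key),
    }


if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policyload(text))
```

Run against real `sediff` output the same way, feeding it the conditional rule lines for the policy you just linked; a `gating` set that names anything other than `secure_mode_policyload` is the symptom described in the thread, and it is visible before the policy is loaded rather than after a `load_policy` denial.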

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service