Diffstat (limited to 'recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch')
-rw-r--r-- | recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch | 70 |
1 files changed, 70 insertions, 0 deletions
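diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
new file mode 100644
index 0000000..f01cc3a
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-pp-builtin-roles.patch
@@ -0,0 +1,70 @@
+libsepol: with pp to CIL, always write auditadm_r and secadm_r roles to the base module
+
+In fedora and refpolicy, the auditadm_r and secadm_r roles can be in
+either the base module or a non-base module, or they could be in both.
+This means that it is possible for duplicate role declarations to exist.
+CIL does not allow duplicate declarations of anything, but there is no
+way for the pp compiler to know if the roles are declared in which
+module, or if they are in both when compiling a single module. This
+means we cannot use the same hack that we use for user_r, staff_r, etc.,
+to generate CIL role declarations (i.e. only create role declarations
+for these when defined in base).
+
+So only for these two roles, always declare them as part of base,
+regardless of where or if they are defined. This means that turning off
+the auditadm module will never remove the auditamd_r role (likewise for
+secadm), whereas right now, in some cases it would. This also means that
+role allow rules will still exist for these roles even with the modules
+removed. However, this is okay because the roles would not have any
+types associated with them so no access would be allowed.
+
+Signed-off-by: Steve Lawrence <slawrence@tresys.com>
+Reported-by: Miroslav Grepl <mgrepl@redhat.com>
+
+Index: policycoreutils-2.4/hll/pp/pp.c
+===================================================================
+--- policycoreutils-2.4.orig/hll/pp/pp.c
++++ policycoreutils-2.4/hll/pp/pp.c
+@@ -2000,7 +2000,10 @@ static int role_to_cil(int indent, struc
+!strcmp(key, "sysadm_r") ||
+!strcmp(key, "system_r") ||
+!strcmp(key, "unconfined_r"));
+- if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) || !is_base_role) {
++ int is_builtin_role = (!strcmp(key, "auditadm_r") ||
++ !strcmp(key, "secadm_r"));
++ if ((is_base_role && pdb->policy_type == SEPOL_POLICY_BASE) ||
++ (!is_base_role && !is_builtin_role)) {
+cil_println(indent, "(role %s)", key);
+}
+}
+@@ -3594,6 +3597,17 @@ static int generate_default_object(void)
+return 0;
+}
+
++static int generate_builtin_roles(void)
++{
++ // due to inconsistentencies between policies and CIL not allowing
++ // duplicate roles, some roles are always created, regardless of if they
++ // are declared in modules or not
++ cil_println(0, "(role auditadm_r)");
++ cil_println(0, "(role secadm_r)");
++
++ return 0;
++}
++
+static int generate_gen_require_attribute(void)
+{
+cil_println(0, "(typeattribute " GEN_REQUIRE_ATTR ")");
+@@ -3678,6 +3692,12 @@ static int module_package_to_cil(struct
+if (rc != 0) {
+goto exit;
+}
++
++ // roles that can exist in base, non-base module or both
++ rc = generate_builtin_roles();
++ if (rc != 0) {
++ goto exit;
++ }
+
+// default attribute to be used to mimic gen_require in CIL
+rc = generate_gen_require_attribute();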
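Review bot: The set of "builtin" roles is now spelled out twice — as string compares in role_to_cil (`"auditadm_r"`, `"secadm_r"`) and again as literal `(role …)` lines in generate_builtin_roles — and the two lists are only correct as long as they stay identical: a role present in one but not the other is either declared twice (the CIL duplicate-declaration failure this patch exists to avoid) or never declared, leaving any `roletype`/`allow` rule that names it unresolved at policy load. A single `static const char *const builtin_roles[]` table with an `is_builtin_role(key)` helper, used by both sites, removes that failure mode; role_to_cil's condition then becomes `(!is_base_role && !is_builtin_role(key))`. The comment in generate_builtin_roles should also record the two assumptions the commit message relies on: that this generator runs only for the base module (module_package_to_cil starts outside the hunk, so whether the call sits inside a `pdb->policy_type == SEPOL_POLICY_BASE` branch is not visible here — if it does not, every non-base module would re-emit the declarations and recreate the duplicate), and that "no access would be allowed" holds only while no `roletype` for these roles survives outside the disabled module, e.g. `// NOTE: base-only; safe only if all roletype rules for these roles live in the auditadm/secadm modules`.
```c
// roles that fedora/refpolicy may declare in base, a non-base module, or both;
// declared exactly once here (base only) and never by role_to_cil()
static const char *const builtin_roles[] = { "auditadm_r", "secadm_r" };

static int is_builtin_role(const char *key)
{
	for (size_t i = 0; i < sizeof(builtin_roles) / sizeof(builtin_roles[0]); i++) {
		if (!strcmp(key, builtin_roles[i]))
			return 1;
	}
	return 0;
}

static int generate_builtin_roles(void)
{
	// NOTE: must only run for SEPOL_POLICY_BASE; safe only while all roletype
	// rules for these roles live in the (removable) auditadm/secadm modules
	for (size_t i = 0; i < sizeof(builtin_roles) / sizeof(builtin_roles[0]); i++)
		cil_println(0, "(role %s)", builtin_roles[i]);

	return 0;
}
```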