Bug 529366

Summary: SELinux 2.4 userspace does not correctly parse policies
Product: Gentoo Linux
Reporter: Sven Vermeulen (RETIRED) <swift>
Component: SELinux
Assignee: Jason Zaman <perfinion>
Status: RESOLVED FIXED
Severity: major
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 529146, 529150, 529326

Description Sven Vermeulen (RETIRED) gentoo-dev 2014-11-15 18:43:03 UTC
The SELinux policies are stored in *.pp files. With the 2.4 userspace (up to 2.4_rc6 for now) these files are then converted into CIL files before they are loaded.

A recently discovered issue shows that the interpretation of the *.pp files is lacking some important transformations. For instance, a role type assignment (like "role staff_r types xauth_t") is not transformed into a CIL role type assignment (like "(roletype staff_r xauth_t)"), making domain transitions invalid (invalid context).

This also results in code running in the parent (userdomain), which is most likely an incorrect result.

Reproducible: Always
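A way to catch this class of conversion loss before loading a policy, added here as an example and not part of the bug report or of the SELinux userspace: take the module's source (.te) text and the CIL text the 2.4 converter produced for it, extract every `role R types T;` authorisation from the source and every `(roletype R T)` statement from the CIL, and report the pairs that went missing. The same role/type set is then used to show why the context of a domain transition becomes invalid: `staff_u:staff_r:xauth_t:s0` is only valid if `staff_r` is authorised for `xauth_t`. The .te and CIL fragments below are constructed to mirror the "role staff_r types xauth_t" case from the description; the function names and the sample text are this example's own, and in the 2.4 userspace the CIL for a real module is obtained by feeding the .pp through the installed pp-to-CIL helper (assumed here to be `/usr/libexec/selinux/hll/pp`, which reads the .pp on stdin and writes CIL on stdout).

```python
import re
import sys

# Constructed sample of refpolicy-style source. The 'role R types T' lines are
# the authorisations the bug report says are dropped on the way to CIL.
SAMPLE_TE = """
role staff_r;
role staff_r types xauth_t;
role staff_r types { staff_t staff_sudo_t };
role sysadm_r types xauth_t;
"""

# Constructed sample of the CIL a broken converter would emit for it: the
# (roletype ...) statements for xauth_t are missing, the staff_t ones survived.
SAMPLE_CIL = """
(role staff_r)
(roletype staff_r staff_t)
(roletype staff_r staff_sudo_t)
(role sysadm_r)
"""

# 'role R types T;' or 'role R types { T1 T2 };' in policy source.
ROLE_TYPES_RE = re.compile(r'^\s*role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;', re.MULTILINE)
# '(roletype R T)' in CIL.
ROLETYPE_RE = re.compile(r'\(roletype\s+(\w+)\s+(\w+)\s*\)')


def source_roletypes(te_text):
    """Set of (role, type) pairs authorised by 'role R types ...;' statements."""
    pairs = set()
    for role, types in ROLE_TYPES_RE.findall(te_text):
        # Braced lists hold several types; a bare word holds one.
        for t in types.strip('{}').split():
            pairs.add((role, t))
    return pairs


def cil_roletypes(cil_text):
    """Set of (role, type) pairs declared by '(roletype R T)' in CIL."""
    return set(ROLETYPE_RE.findall(cil_text))


def missing_roletypes(te_text, cil_text):
    """Source authorisations that have no matching CIL roletype statement."""
    return sorted(source_roletypes(te_text) - cil_roletypes(cil_text))


def context_is_valid(context, roletypes):
    """Check the role/type leg of a context user:role:type[:range].

    The kernel also checks user/role authorisation and the MLS range; this
    example only models the roletype check that the missing statements break.
    """
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('context must be user:role:type[:range]: %r' % context)
    return (parts[1], parts[2]) in roletypes


if __name__ == '__main__':
    # Usage: compare_roletypes.py module.te module.cil
    # With no arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        te_text = open(sys.argv[1]).read()
        cil_text = open(sys.argv[2]).read()
    else:
        te_text, cil_text = SAMPLE_TE, SAMPLE_CIL
    missing = missing_roletypes(te_text, cil_text)
    for role, typ in missing:
        print('missing in CIL: (roletype %s %s)' % (role, typ))
    sys.exit(1 if missing else 0)
```

Two caveats when running this against real modules: CIL also allows `roletype` on role and type attributes, and `role ... types` lines can live in interfaces expanded from other modules, so a pair reported as missing should be confirmed against the expanded module rather than treated as proof by itself; and the context check above is deliberately limited to the roletype leg, since that is the leg this bug breaks.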
Comment 1 Jason Zaman gentoo-dev 2014-11-19 20:28:04 UTC
A patch for this has been posted. It seems to fix the issues on my machine.

http://marc.info/?l=selinux&m=141641949310942&w=2
Comment 2 Jason Zaman gentoo-dev 2014-11-22 13:04:20 UTC
In the tree, sys-apps/policycoreutils-2.4_rc6-r1
Comment 3 Jason Zaman gentoo-dev 2015-05-10 10:19:34 UTC
2.4 userland is stable now