Bug 529366 - SELinux 2.4 userspace does not correctly parse policies
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal major
Assignee: Jason Zaman
Blocks: 529146 529150 529326
Reported: 2014-11-15 18:43 UTC by Sven Vermeulen (RETIRED)
Modified: 2015-05-10 10:19 UTC
Description Sven Vermeulen (RETIRED) gentoo-dev 2014-11-15 18:43:03 UTC
The SELinux policies are stored in *.pp files. With the 2.4 userspace (up to 2.4_rc6 for now) these files are then converted into CIL files before they are loaded.

A recently discovered issue shows that the interpretation of the *.pp files is lacking some important transformations. For instance, a role type assignment (like "role staff_r types xauth_t") is not transformed into a CIL role type assignment (like "(roletype staff_r xauth_t)"), making domain transitions become invalid (invalid context).

This also results in code running in the parent (userdomain) which is most likely an incorrect result.

Reproducible: Always
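
The symptom described above can be checked mechanically. The following is an added example, not part of the bug report or of the SELinux userspace code: it compares the "role ... types ...;" statements in a module's policy source with the "(roletype ...)" statements in the CIL text generated for that module and lists the pairs that were lost. It assumes plain type names or simple brace sets (no negation or attributes); the function names and sample inputs are constructed for illustration.

```python
import re

# Policy language: "role staff_r types xauth_t;" or "role r types { a_t b_t };"
ROLE_TYPES = re.compile(r"\brole\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;")
# CIL: "(roletype staff_r xauth_t)"
CIL_ROLETYPE = re.compile(r"\(\s*roletype\s+([\w.]+)\s+([\w.]+)\s*\)")


def strip_comments(text, marker):
    """Drop everything after the comment marker on each line."""
    return "\n".join(line.split(marker, 1)[0] for line in text.splitlines())


def expected_roletypes(policy_src):
    """(role, type) pairs the policy source asks for ('#' starts a comment)."""
    pairs = set()
    for role, types in ROLE_TYPES.findall(strip_comments(policy_src, "#")):
        for type_name in types.strip("{} ").split():
            pairs.add((role, type_name))
    return pairs


def cil_roletypes(cil_text):
    """(role, type) pairs actually present in the CIL (';' starts a comment)."""
    return set(CIL_ROLETYPE.findall(strip_comments(cil_text, ";")))


def missing_roletypes(policy_src, cil_text):
    """Pairs declared in the source but absent from the generated CIL."""
    return sorted(expected_roletypes(policy_src) - cil_roletypes(cil_text))


# Constructed sample inputs (not taken from a real module).
SAMPLE_POLICY = """
role staff_r types xauth_t;   # the statement quoted in the report
role staff_r types { ssh_t gpg_t };
"""
SAMPLE_CIL_BROKEN = """
(role staff_r)
(type xauth_t)
(roletype staff_r ssh_t)
; (roletype staff_r gpg_t)  commented out, so it must not count
"""

if __name__ == "__main__":
    for role, type_name in missing_roletypes(SAMPLE_POLICY, SAMPLE_CIL_BROKEN):
        print(f"missing in CIL: (roletype {role} {type_name})")
```

An empty result means every role type assignment in the source survived the conversion; any pair listed would leave the corresponding transition target with an invalid context.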
Comment 1 Jason Zaman gentoo-dev 2014-11-19 20:28:04 UTC
A patch for this has been posted. It seems to fix the issues on my machine.

http://marc.info/?l=selinux&m=141641949310942&w=2
Comment 2 Jason Zaman gentoo-dev 2014-11-22 13:04:20 UTC
In the tree, sys-apps/policycoreutils-2.4_rc6-r1.
Comment 3 Jason Zaman gentoo-dev 2015-05-10 10:19:34 UTC
2.4 userland is stable now.