[refpolicy] Side effects for the comments in the .if files?

HarryCiao harrytaurus2002 at hotmail.com
Sat Dec 4 06:57:18 CST 2010




> Date: Tue, 30 Nov 2010 10:13:04 -0500
> From: cpebenito at tresys.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Side effects for the comments in the .if files?
> 
> On 11/22/10 06:11, HarryCiao wrote:
> > Hi SELinux expert,
> > 
> > I seem to have run into something that I could not understand - the comments
> > in the .if file have an impact on how the .pp file is compiled.
> > Sometimes the comments in the .if file prevent the called interfaces
> > from being properly parsed, and if all comments are removed, then the called
> > interfaces are parsed correctly and grant the desired permissions
> > to the calling domain.
> > 
> > For example, in my v5-samhain.pp implementation (please refer to another
> > separate email), samhain_service_template() calls
> > userdom_use_user_terminals($1_t) at the end, but I was very surprised to
> > find that samhain_t lacks the privileges to access user_devpts_t when
> > deployed on the target. However, if all comments are removed from
> > samhain_service_template(), then the call to
> > userdom_use_user_terminals($1_t) actually takes effect, and I could
> > verify that the following lines were added to tmp/samhain.tmp:
> > 
> > +             ;   type user_tty_device_t, user_devpts_t;
> > +#line 38
> > +       
> > +#line 38
> > +               } # end require
> > +#line 38
> > +       
> > +#line 38
> > +
> > +#line 38
> > +
> > +#line 38
> > +       allow samhain_t user_tty_device_t:chr_file { getattr open read
> > write append ioctl };
> > +#line 38
> > +       allow samhain_t user_devpts_t:chr_file { getattr open read write
> > append ioctl };
> > +#line 38
> > 
> > Moreover, comments in the .te files do not seem to have such a side
> > effect; only those in the .if files do. What's going on here? Is there
> > some dark magic, or anything in particular I should watch out for when using
> > comments in the .if files?
> 
> The only issue I can think of is if you accidentally use a m4 quote in a
> comment.  For example a line like this:
> 
> # don't do this
> 
> If this is in an interface, the apostrophe (') will be interpreted as
> the end of the block, which typically means the interface will end
> prematurely.  However, userdom_use_user_terminals() does not have any
> comment issues, so I'm unsure why you're seeing an issue.
> 

Hi Chris,

You are damn right about this! It turns out I had used two apostrophes, in "Samhain's pid" and "other filesystem's attribute"; once I removed them, the .if file could be parsed correctly!

Thank you very much!

Best regards,
Harry 


> -- 
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
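An added check for the problem discussed in this thread (editor's example, not code from the thread or from refpolicy): a small Python script that flags `#` comment lines inside an interface carrying an m4 quote character, and that traces where m4 would close the interface body. It assumes m4's default quote characters (backtick opens, apostrophe closes) and, as the thread implies, that the build leaves comment lines visible to m4 rather than stripping them. The two interface texts are constructed samples, not refpolicy interfaces.

```python
import re

# Constructed sample: the apostrophe in "user's" closes the m4 quote early.
BAD_IF = """\
interface(`example_use_terminals',`
    gen_require(`
        type user_devpts_t;
    ')
    # give the caller access to the user's pty
    allow $1 user_devpts_t:chr_file { getattr open read write append ioctl };
')
"""

# Constructed sample: same interface with the apostrophe removed.
GOOD_IF = """\
interface(`example_use_terminals',`
    gen_require(`
        type user_devpts_t;
    ')
    # give the caller access to the user pty
    allow $1 user_devpts_t:chr_file { getattr open read write append ioctl };
')
"""

# m4 default quote delimiters (assumption: the build does not changequote()).
OPEN_QUOTE = "`"
CLOSE_QUOTE = "'"


def comment_quote_offenders(if_text):
    """Return (line number, stripped line) for every '#' comment line that
    contains an m4 quote character.  These are the lines that, per the
    thread, make m4 end the interface block prematurely."""
    offenders = []
    for n, line in enumerate(if_text.splitlines(), 1):
        if line.lstrip().startswith("#") and (
            OPEN_QUOTE in line or CLOSE_QUOTE in line
        ):
            offenders.append((n, line.strip()))
    return offenders


def body_close_line(if_text):
    """Simulate m4's nested quote tracking over an interface() or template()
    definition and return the line on which the body quote (the one opened
    after the interface name) is closed.  For a well-formed interface this is
    the final ') line; a stray apostrophe in a comment moves it earlier.
    Comments are NOT skipped, matching the behaviour the thread describes."""
    depth = 0
    started = False
    for n, line in enumerate(if_text.splitlines(), 1):
        start = 0
        if not started:
            # Find the opening line and skip past the quoted name argument.
            m = re.search(r"^(interface|template)\(`[^']*',`", line)
            if not m:
                continue
            started = True
            depth = 1  # the body quote is now open
            start = m.end()
        for ch in line[start:]:
            if ch == OPEN_QUOTE:
                depth += 1
            elif ch == CLOSE_QUOTE:
                depth -= 1
                if depth == 0:
                    return n
    return None  # no interface found or body never closed


if __name__ == "__main__":
    for label, text in (("BAD", BAD_IF), ("GOOD", GOOD_IF)):
        print(label, "offenders:", comment_quote_offenders(text))
        print(label, "body closes on line:", body_close_line(text))
```

Running the script on the two samples shows the body of the bad interface closing on the comment line rather than on the final `')`, which is exactly the premature end Chris describes; the `allow` rule after that point is no longer inside the interface, so it is never expanded into the calling module.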
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20101204/3b4c9ac5/attachment.html 

