[refpolicy] Side effects for the comments in the .if files?
Christopher J. PeBenito
cpebenito at tresys.com
Tue Nov 30 09:13:04 CST 2010
On 11/22/10 06:11, HarryCiao wrote:
> Hi SELinux expert,
>
> I seem to have run into something that I could not understand - the comment
> in the .if file would have an impact on how the .pp files are compiled.
> Sometimes the comments in the .if file may prevent the called interfaces
> from being properly parsed, and if all comments are removed, then the called
> interfaces could be parsed correctly to grant the desired permissions
> for the calling domain.
>
> For example, in my v5-samhain.pp implementation (please refer to another
> separate email), the samhain_service_template() calls
> userdom_use_user_terminals($1_t) in the end, but I am very surprised to
> find that the samhain_t lacks privileges to access user_devpts_t when
> deployed on the target. However, if all comments are removed in
> samhain_service_template(), then the call to
> userdom_use_user_terminals($1_t) could actually take effect, and I could
> verify following lines added to tmp/samhain.tmp:
>
> + ; type user_tty_device_t, user_devpts_t;
> +#line 38
> +
> +#line 38
> + } # end require
> +#line 38
> +
> +#line 38
> +
> +#line 38
> +
> +#line 38
> + allow samhain_t user_tty_device_t:chr_file { getattr open read
> write append ioctl };
> +#line 38
> + allow samhain_t user_devpts_t:chr_file { getattr open read write
> append ioctl };
> +#line 38
>
> Moreover, comments in the .te files do not seem to have such a side
> effect; they only do in the .if files. What's going on here? Is there
> dark magic or anything particular I should watch out for when using
> comments in the .if files?
The only issue I can think of is if you accidentally use an m4 quote in a
comment. For example a line like this:
# don't do this
If this is in an interface, the apostrophe (') will be interpreted as
the end of the block, which typically means the interface will end
prematurely. However, userdom_use_user_terminals() does not have any
comment issues, so I'm unsure why you're seeing an issue.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
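The quote-in-comment failure Chris describes is easy to check for mechanically. The script below is an added example, not code from the thread or from refpolicy: it walks a .if file the way m4 tracks its `...' quotes, records how much of each interface body survives inside the outer quote, and warns about every apostrophe or backtick that sits inside a # comment. It assumes, as the reply above does, that the refpolicy build feeds comment text through m4 quoting unchanged; the interface names and the two-interface sample input are constructed for the demonstration, and once a stray quote closes the body the scanner simply discards the rest of that interface rather than modelling what m4 would emit at top level.

```python
import re

OPEN_Q, CLOSE_Q = "`", "'"
# Matches the refpolicy header form  interface(`name',`  /  template(`name',`
# The name quote opens and closes on the header line; the body quote stays open.
HEADER = re.compile(r"^(interface|template)\(`(\w+)',\s*`\s*$")


def scan_if_file(src):
    """Emulate m4 quote tracking over a .if file.

    Returns (bodies, warnings):
      bodies   - {name: {"text": body text still inside the outer quote,
                         "truncated": True if a quote in a comment closed it}}
      warnings - one message per ` or ' found inside a # comment of a body
    """
    bodies, warnings = {}, []
    name, depth, body = None, 0, []

    for lineno, line in enumerate(src.splitlines(), 1):
        if name is None:
            m = HEADER.match(line)
            if m:
                name, depth, body = m.group(2), 1, []
            continue  # top-level text (## doc comments, blank lines) is ignored

        comment_at = line.find("#")
        closed_here = False
        for col, ch in enumerate(line):
            in_comment = comment_at != -1 and col > comment_at
            if ch == OPEN_Q:
                depth += 1
                if in_comment:
                    warnings.append(
                        f"line {lineno}: backtick inside comment opens an m4 quote in {name}()")
            elif ch == CLOSE_Q:
                depth -= 1
                if in_comment:
                    warnings.append(
                        f"line {lineno}: apostrophe inside comment closes an m4 quote in {name}()")
                if depth == 0:
                    # The outer quote just closed: either the real ') terminator
                    # or a stray apostrophe in a comment (premature end of body).
                    body.append(line[:col])
                    bodies[name] = {"text": "\n".join(body), "truncated": in_comment}
                    name, closed_here = None, True
                    break
        if not closed_here:
            body.append(line)
    return bodies, warnings


# Constructed sample: the first interface has the bug, the second is the fix.
SAMPLE_IF = """\
interface(`sample_use_terminals',`
	gen_require(`
		type user_devpts_t;
	')

	# don't do this: the apostrophe ends the interface quote here
	allow $1 user_devpts_t:chr_file rw_chr_file_perms;
')

interface(`sample_use_terminals_ok',`
	gen_require(`
		type user_devpts_t;
	')

	# same rule, comment written without an apostrophe
	allow $1 user_devpts_t:chr_file rw_chr_file_perms;
')
"""

if __name__ == "__main__":
    bodies, warnings = scan_if_file(SAMPLE_IF)
    for w in warnings:
        print("WARNING:", w)
    for iface, info in bodies.items():
        state = "TRUNCATED" if info["truncated"] else "ok"
        has_rule = "user_devpts_t:chr_file" in info["text"]
        print(f"{iface}: {state}, allow rule present: {has_rule}")
```

Run against the constructed sample, the first interface is reported truncated at line 6 and its allow rule on user_devpts_t never reaches the body, which is exactly the "lacks privileges to access user_devpts_t" symptom from the original report; the second interface keeps its rule. Pointing the scanner at a real .if file (read it and pass the text to scan_if_file) gives the same report for every interface and template in it.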