All the mail mirrored from lore.kernel.org
* Genfscon 'dash' issue
@ 2008-10-10  5:07 korkishko Tymur
  2008-10-10 12:45 ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: korkishko Tymur @ 2008-10-10  5:07 UTC
  To: SELinux

Hello! 

I have Linux kernel 2.6.26 with a patch from NSA that allows genfscon support of security contexts for directories/files (other than /).
I use genfscon to label files/directories on a cramfs filesystem (a read-only filesystem) that does not support xattr.

It seems that the current genfscon implementation does not support "-" (dash) in path names. If I try to compile a policy containing this line:
genfscon          cramfs /usr/sbin/an-app           user_u:system_r:my_app_t

I get a syntax error from checkpolicy about using "-" (dash) in the path:
ERROR 'invalid type app' at token 'genfscon' on line...

So, could you please suggest a way to fix the issue with "-" (dash) and genfscon?

Unfortunately, it is not possible to change "-" (dash) to "_" (underbar) in path names.

Kindest regards,
Tymur Korkishko


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Genfscon 'dash' issue
  2008-10-10  5:07 korkishko Tymur
@ 2008-10-10 12:45 ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2008-10-10 12:45 UTC
  To: k.tymur; +Cc: SELinux

On Fri, 2008-10-10 at 05:07 +0000, korkishko Tymur wrote:
> Hello! 
> 
> I have Linux kernel 2.6.26 with a patch from NSA that allows genfscon support of security contexts for directories/files (other than /).
> I use genfscon to label files/directories on a cramfs filesystem (a read-only filesystem) that does not support xattr.
> 
> It seems that the current genfscon implementation does not support "-" (dash) in path names. If I try to compile a policy containing this line:
> genfscon          cramfs /usr/sbin/an-app           user_u:system_r:my_app_t
> 
> I get a syntax error from checkpolicy about using "-" (dash) in the path:
> ERROR 'invalid type app' at token 'genfscon' on line...
> 
> So, could you please suggest a way to fix the issue with "-" (dash) and genfscon?
> 
> Unfortunately, it is not possible to change "-" (dash) to "_" (underbar) in path names.

You'd have to change policy_parse.y in checkpolicy; at present, it
treats a "-" followed by an identifier as a file type flag (e.g. -d to
only match directories, -b to only match block device files, ...)
similar to the file_contexts specification.

-- 
Stephen Smalley
National Security Agency



* Re: Re: Genfscon 'dash' issue
@ 2008-10-14  2:00 korkishko Tymur
  2008-10-14 14:57 ` Stephen Smalley
  0 siblings, 1 reply; 6+ messages in thread
From: korkishko Tymur @ 2008-10-14  2:00 UTC
  To: Stephen Smalley; +Cc: korkishko Tymur, SELinux@tycho.nsa.gov

I have checked policy_parse.y. It has the following rule for genfscon:
 
genfs_context_def	: GENFSCON identifier path '-' identifier security_context_def
	{if (define_genfs_context(1)) return -1;}
	| GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
	{if (define_genfs_context(1)) return -1;}
	 | GENFSCON identifier path security_context_def
	{if (define_genfs_context(0)) return -1;} 

The rule for the path definition (in policy_scan.l) already includes '-' (dash):

"/"({alnum}|[_.-/])*	        { return(PATH); } 

In my understanding (maybe wrong), the path is parsed first (and the path might include '-') and only then is a separate '-' parsed.
But it still produces an error if the path definition is correct and includes '-'.

Any ideas/patches on how to fix the grammar rules are welcome.

Tymur Korkishko

P.S.
Also, if '--' or '-d' is present in a genfscon line with '-' in the path name, the policy compiler fails:
genfscon          cramfs /usr/sbin/an-app    --       user_u:system_r:my_app_t
genfscon          cramfs /usr/sbin/an-app    -d       user_u:system_r:my_app_t


* Re: Re: Genfscon 'dash' issue
  2008-10-14  2:00 Re: Genfscon 'dash' issue korkishko Tymur
@ 2008-10-14 14:57 ` Stephen Smalley
  2008-10-14 19:09   ` Joshua Brindle
  2008-10-15 15:08   ` Joshua Brindle
  0 siblings, 2 replies; 6+ messages in thread
From: Stephen Smalley @ 2008-10-14 14:57 UTC
  To: k.tymur; +Cc: SELinux@tycho.nsa.gov, Joshua Brindle

On Tue, 2008-10-14 at 02:00 +0000, korkishko Tymur wrote:
> I have checked policy_parse.y. It has the following rule for genfscon:
>  
> genfs_context_def	: GENFSCON identifier path '-' identifier security_context_def
> 	{if (define_genfs_context(1)) return -1;}
> 	| GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
> 	{if (define_genfs_context(1)) return -1;}
> 	 | GENFSCON identifier path security_context_def
> 	{if (define_genfs_context(0)) return -1;} 
> 
> The rule for the path definition (in policy_scan.l) already includes '-' (dash):
> 
> "/"({alnum}|[_.-/])*	        { return(PATH); } 
> 
> In my understanding (maybe wrong), the path is parsed first (and the path might include '-') and only then is a separate '-' parsed.
> But it still produces an error if the path definition is correct and includes '-'.
> 
> Any ideas/patches on how to fix the grammar rules are welcome.

This looks like a bug in policy_scan.l - we are not escaping (via
backslash) special characters in the pattern and thus the "-" (dash) is
being interpreted rather than taken literally.  The same would seemingly
apply for "." (dot), and would seem relevant not only to PATH but also
for IDENTIFIER.  The patch below seems to fix this issue for me:

diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 9bc6e10..b55c659 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -207,8 +207,8 @@ policycap |
 POLICYCAP			{ return(POLICYCAP); }
 permissive |
 PERMISSIVE			{ return(PERMISSIVE); }
-"/"({alnum}|[_.-/])*	        { return(PATH); }
-{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
+"/"({alnum}|[_\.\-/])*	        { return(PATH); }
+{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
 {digit}+                        { return(NUMBER); }
 {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
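Review bot: The actual defect in the removed PATH line is the unescaped "-" in "[_.-/]": flex reads ".-/" as a character range 0x2E..0x2F, which covers only "." and "/", so "-" was never a member of the class and "/usr/sbin/an-app" lexes as PATH "/usr/sbin/an", then "-", then IDENTIFIER "app", which is precisely the "path '-' identifier" alternative of genfs_context_def quoted above and is why checkpolicy complains about the invalid type "app". The "+" line does fix it, because flex keeps backslash as an escape inside a bracket expression, but the spelling that needs no escapes is to put the literal dash last: "/"({alnum}|[_./-])*. The IDENTIFIER change in the same hunk is a no-op: "[_-]" already has the dash last and "[.]" is already a literal dot, so that line could be left untouched to keep the diff minimal. It would be worth adding a regression policy with a genfscon path containing "-" together with the "-d" and "--" forms, so that all three genfs_context_def alternatives are exercised by the build.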

-- 
Stephen Smalley
National Security Agency


* Re: Genfscon 'dash' issue
  2008-10-14 14:57 ` Stephen Smalley
@ 2008-10-14 19:09   ` Joshua Brindle
  2008-10-15 15:08   ` Joshua Brindle
  1 sibling, 0 replies; 6+ messages in thread
From: Joshua Brindle @ 2008-10-14 19:09 UTC
  To: Stephen Smalley; +Cc: k.tymur, SELinux@tycho.nsa.gov, Joshua Brindle

Stephen Smalley wrote:
> On Tue, 2008-10-14 at 02:00 +0000, korkishko Tymur wrote:
>   
>> I have checked policy_parse.y. It has the following rule for genfscon:
>>  
>> genfs_context_def	: GENFSCON identifier path '-' identifier security_context_def
>> 	{if (define_genfs_context(1)) return -1;}
>> 	| GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
>> 	{if (define_genfs_context(1)) return -1;}
>> 	 | GENFSCON identifier path security_context_def
>> 	{if (define_genfs_context(0)) return -1;} 
>>
>> The rule for the path definition (in policy_scan.l) already includes '-' (dash):
>>
>> "/"({alnum}|[_.-/])*	        { return(PATH); } 
>>
>> In my understanding (maybe wrong), the path is parsed first (and the path might include '-') and only then is a separate '-' parsed.
>> But it still produces an error if the path definition is correct and includes '-'.
>>
>> Any ideas/patches on how to fix the grammar rules are welcome.
>>     
>
> This looks like a bug in policy_scan.l - we are not escaping (via
> backslash) special characters in the pattern and thus the "-" (dash) is
> being interpreted rather than taken literally.  The same would seemingly
> apply for "." (dot), and would seem relevant not only to PATH but also
> for IDENTIFIER.  The patch below seems to fix this issue for me:
>
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 9bc6e10..b55c659 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -207,8 +207,8 @@ policycap |
>  POLICYCAP			{ return(POLICYCAP); }
>  permissive |
>  PERMISSIVE			{ return(PERMISSIVE); }
> -"/"({alnum}|[_.-/])*	        { return(PATH); }
> -{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
> +"/"({alnum}|[_\.\-/])*	        { return(PATH); }
> +{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
>  {digit}+                        { return(NUMBER); }
>  {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
>  {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
>
>   


merged in checkpolicy-2.0.18


* Re: Genfscon 'dash' issue
  2008-10-14 14:57 ` Stephen Smalley
  2008-10-14 19:09   ` Joshua Brindle
@ 2008-10-15 15:08   ` Joshua Brindle
  1 sibling, 0 replies; 6+ messages in thread
From: Joshua Brindle @ 2008-10-15 15:08 UTC
  To: Stephen Smalley; +Cc: k.tymur, SELinux@tycho.nsa.gov, Joshua Brindle

Stephen Smalley wrote:
> On Tue, 2008-10-14 at 02:00 +0000, korkishko Tymur wrote:
>   
>> I have checked policy_parse.y. It has the following rule for genfscon:
>>  
>> genfs_context_def	: GENFSCON identifier path '-' identifier security_context_def
>> 	{if (define_genfs_context(1)) return -1;}
>> 	| GENFSCON identifier path '-' '-' {insert_id("-", 0);} security_context_def
>> 	{if (define_genfs_context(1)) return -1;}
>> 	 | GENFSCON identifier path security_context_def
>> 	{if (define_genfs_context(0)) return -1;} 
>>
>> The rule for the path definition (in policy_scan.l) already includes '-' (dash):
>>
>> "/"({alnum}|[_.-/])*	        { return(PATH); } 
>>
>> In my understanding (maybe wrong), the path is parsed first (and the path might include '-') and only then is a separate '-' parsed.
>> But it still produces an error if the path definition is correct and includes '-'.
>>
>> Any ideas/patches on how to fix the grammar rules are welcome.
>>     
>
> This looks like a bug in policy_scan.l - we are not escaping (via
> backslash) special characters in the pattern and thus the "-" (dash) is
> being interpreted rather than taken literally.  The same would seemingly
> apply for "." (dot), and would seem relevant not only to PATH but also
> for IDENTIFIER.  The patch below seems to fix this issue for me:
>
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index 9bc6e10..b55c659 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -207,8 +207,8 @@ policycap |
>  POLICYCAP			{ return(POLICYCAP); }
>  permissive |
>  PERMISSIVE			{ return(PERMISSIVE); }
> -"/"({alnum}|[_.-/])*	        { return(PATH); }
> -{letter}({alnum}|[_-])*([.]?({alnum}|[_-]))*	{ return(IDENTIFIER); }
> +"/"({alnum}|[_\.\-/])*	        { return(PATH); }
> +{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
>  {digit}+                        { return(NUMBER); }
>  {digit}{1,3}(\.{digit}{1,3}){3}    { return(IPV4_ADDR); }
>  {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
>
>   
It looks like I merged this a little hastily. According to the regex manual:

Character ranges can also be included in a character set, by writing two 
characters with a - between them. Thus, [a-z] matches any lower-case 
letter. Ranges may be intermixed freely with individual characters, as 
in [a-z$%.], which matches any lower case letter or $, % or period.

Note that the usual special characters are not special any more inside a 
character set. A completely different set of special characters exists 
inside character sets: ], - and ^


Therefore \. in a character set means both '\' and '.' are allowed. The 
standard way to add a dash to the character set is to put it last. I'll 
update the patch when I have a chance.

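The character-range behaviour behind Stephen's patch and behind Joshua's note on character sets, as an added example that is not code from checkpolicy or from either poster. It models the PATH and IDENTIFIER rules in Python's re module (which, like flex, treats "x-y" inside a bracket expression as a range and honours a backslash escape inside one) and lexes the genfscon line from this thread with flex's longest-match rule, so that the 'invalid type app' diagnostic becomes visible as the token stream PATH "/usr/sbin/an", "-", IDENTIFIER "app". The token names, the rule order, the sample statements and the helper functions are assumptions made for the demo, not checkpolicy's.

```python
import re
import string

# Constructed model of the checkpolicy lexer rules under discussion, written
# for Python's re module.  Python and flex agree on the two points that
# matter here: "x-y" inside a bracket expression is a character range, and a
# backslash inside one escapes the next character.  Nothing below is
# checkpolicy's own code; token names and rule order are assumptions.
ALNUM = r"[A-Za-z0-9]"
LETTER = r"[A-Za-z]"

# Pre-patch PATH class: "_" plus the range "." .. "/" (0x2E..0x2F).  The dash
# is the range operator here, so "-" itself is not a member.
PATH_BUGGY = r"/(?:" + ALNUM + r"|[_.-/])*"
# The patch as posted: escaped dot and dash.
PATH_ESCAPED = r"/(?:" + ALNUM + r"|[_\.\-/])*"
# Portable spelling that needs no escapes: the literal "-" goes last.
PATH_DASH_LAST = r"/(?:" + ALNUM + r"|[_./-])*"

# IDENTIFIER already had "-" last in its classes, so it was never affected.
IDENTIFIER = LETTER + r"(?:" + ALNUM + r"|[_-])*(?:\.?(?:" + ALNUM + r"|[_-]))*"

# Constructed sample statements: the one from the thread, plus the -d form.
STATEMENT = "genfscon cramfs /usr/sbin/an-app user_u:system_r:my_app_t"
STATEMENT_DIR = "genfscon cramfs /usr/sbin/an-app -d user_u:system_r:my_app_t"


def class_members(bracket_expr):
    """Printable ASCII characters matched by a single bracket expression."""
    pat = re.compile(bracket_expr)
    return {c for c in string.printable if pat.fullmatch(c)}


def tokenize(line, path_pattern):
    """Lex one genfscon line with flex semantics: at each position take the
    longest match; on a tie the earlier rule wins; whitespace is dropped."""
    rules = [
        ("GENFSCON", re.compile(r"genfscon")),
        ("PATH", re.compile(path_pattern)),
        ("IDENTIFIER", re.compile(IDENTIFIER)),
        ("DASH", re.compile(r"-")),
        ("COLON", re.compile(r":")),
        ("WS", re.compile(r"[ \t]+")),
    ]
    tokens = []
    pos = 0
    while pos < len(line):
        best = None
        for kind, pat in rules:
            m = pat.match(line, pos)
            if m and m.end() > pos and (best is None or m.end() > best[1]):
                best = (kind, m.end())
        if best is None:
            raise ValueError("no rule matches %r at offset %d" % (line[pos], pos))
        kind, end = best
        if kind != "WS":
            tokens.append((kind, line[pos:end]))
        pos = end
    return tokens


def path_token(line, path_pattern):
    """Text of the first PATH token, i.e. what the parser receives as 'path'."""
    for kind, text in tokenize(line, path_pattern):
        if kind == "PATH":
            return text
    return None


if __name__ == "__main__":
    for label, cls in (("old", "[_.-/]"), ("patch", r"[_\.\-/]"), ("dash-last", "[_./-]")):
        print("%-9s class accepts: %s" % (label, sorted(class_members(cls))))
    for label, pat in (("old", PATH_BUGGY), ("patch", PATH_ESCAPED), ("dash-last", PATH_DASH_LAST)):
        print("%-9s tokens: %s" % (label, tokenize(STATEMENT, pat)))
```

With the old pattern the tokens after the path are DASH and IDENTIFIER "app", which is the "path '-' identifier" alternative of genfs_context_def, so define_genfs_context() is handed "app" as a file-type flag and rejects it as an invalid type. With either corrected pattern the whole path is one token, and "-d" or "--" after it keeps its flag meaning because the path rule stops at the space.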
