Discussion:
More problems with bounds checking.
Daniel Walsh
2018-01-09 15:45:48 UTC
For some reason semodule will not allow me to install container.pp.
I am trying to have type bounds from container_runtime_t to spc_t to
container_t.
Any reason this isn't on list?
Nope bad habit. I will send this to the list.
BTW, if you apply my "Generalize support for NNP/nosuid SELinux domain
transitions" kernel patch (or use a kernel that includes it, >= 4.14)
and enable the nnp_nosuid_transition policy capability, you shouldn't
have to use type bounds at all anymore.
I start with no type bounds.
# seinfo --typebounds
Typebounds: 0
During the install it tells me spc_t is already bound by a parent,
no clue what parent.  And the cil file does not exist when the command
completes.
Yes, that's a real pain. To work around it, I will often run
/usr/libexec/selinux/hll/pp on the pp file to generate the cil file so
/usr/libexec/selinux/hll/pp container.pp container.cil
vi container.cil
# semodule -X 400 -i container.pp
Type spc_t already bound by parent at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:35
Bad bounds statement at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:1583
semodule:  Failed!
I have only the two commands added.
# grep typebounds container.te
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;
This is what is generated in the tmp file.
# grep typebounds.* tmp/container.tmp
     #    unconfined_exec_typebounds(container_runtime_exec_t)
     #    unconfined_exec_typebounds(container_auth_exec_t)
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;
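The semodule error above only names a cil line, so a quick way to see which parent already bounds spc_t is to run the CIL that /usr/libexec/selinux/hll/pp writes out through a small checker. The script below is an added example, not code from the thread or from the SELinux userspace; the CIL fragment in it is constructed to reproduce the "already bound by parent" condition (a child type bound by two different parents), which is what the CIL compiler rejects.

```python
import re
from collections import defaultdict

# Constructed CIL fragment (not from the thread): spc_t is bound twice, once by
# an earlier statement and once by the later container_runtime_t line, which is
# the "Type spc_t already bound by parent" situation semodule reports.
SAMPLE_CIL = """
(typebounds unconfined_t spc_t)
(typebounds container_runtime_t spc_t)
(typebounds spc_t container_t)
"""

# CIL syntax is (typebounds parent_type child_type)
TYPEBOUNDS_RE = re.compile(r"\(typebounds\s+(\S+)\s+(\S+)\s*\)")


def parse_typebounds(cil_text):
    """Return a list of (line_number, parent, child) for every typebounds statement."""
    found = []
    for lineno, line in enumerate(cil_text.splitlines(), start=1):
        m = TYPEBOUNDS_RE.search(line)
        if m:
            found.append((lineno, m.group(1), m.group(2)))
    return found


def check_bounds(cil_text):
    """Find child types bound by more than one distinct parent.

    Returns {child: [(line_number, parent), ...]} for conflicting children only,
    so each entry tells you which line semodule would point at."""
    parents = defaultdict(list)
    for lineno, parent, child in parse_typebounds(cil_text):
        parents[child].append((lineno, parent))
    return {c: p for c, p in parents.items() if len({par for _, par in p}) > 1}


def bounds_chain(cil_text, leaf):
    """Walk from a type up through its parents (first binding wins) until an
    unbound type is reached; a cycle guard stops runaway chains."""
    parent_of = {}
    for _, parent, child in parse_typebounds(cil_text):
        parent_of.setdefault(child, parent)
    chain, seen = [leaf], {leaf}
    while chain[-1] in parent_of:
        nxt = parent_of[chain[-1]]
        if nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain
```

Point it at the file produced by `/usr/libexec/selinux/hll/pp container.pp container.cil` to get the same diagnosis without a failed semodule run.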
Daniel Walsh
2018-01-09 16:48:49 UTC
Lukas Vrabec informs me that there is a new allow rule nnp_transition

allow container_runtime_t spc_t:process2 nnp_transition;

Which allows me to get rid of all of the typebounds cruft.  Very nice.
And will be supported in RHEL7.5 release.
Post by Daniel Walsh
For some reason semodule will not allow me to install container.pp.
I am trying to have type bounds from container_runtime_t to spc_t to
container_t.
Any reason this isn't on list?
Nope bad habit. I will send this to the list.
BTW, if you apply my "Generalize support for NNP/nosuid SELinux domain
transitions" kernel patch (or use a kernel that includes it, >= 4.14)
and enable the nnp_nosuid_transition policy capability, you shouldn't
have to use type bounds at all anymore.
I start with no type bounds.
# seinfo --typebounds
Typebounds: 0
During the install it tells me spc_t is already bound by a parent,
no clue what parent.  And the cil file does not exist when the command
completes.
Yes, that's a real pain.  To work around it, I will often run
/usr/libexec/selinux/hll/pp on the pp file to generate the cil file so
/usr/libexec/selinux/hll/pp container.pp container.cil
vi container.cil
# semodule -X 400 -i container.pp
Type spc_t already bound by parent at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:35
Bad bounds statement at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:1583
semodule:  Failed!
I have only the two commands added.
# grep typebounds container.te
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;
This is what is generated in the tmp file.
# grep typebounds.* tmp/container.tmp
      # unconfined_exec_typebounds(container_runtime_exec_t)
      #    unconfined_exec_typebounds(container_auth_exec_t)
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;
Stephen Smalley
2018-01-09 17:20:31 UTC
Post by Daniel Walsh
Lukas Vrabec informs me that there is a new allow rule nnp_transition
allow container_runtime_t spc_t:process2 nnp_transition;
Which allows me to get rid of all of the typebounds cruft.  Very nice.
And will be supported in RHEL7.5 release.
Yes, that's based on the patch I mentioned below. Note that the policy
must enable the nnp_nosuid_transition policy capability in order for
this to work, and this requires an updated libsepol that defines it.
Post by Daniel Walsh
Post by Daniel Walsh
For some reason semodule will not allow me to install container.pp.
I am trying to have type bounds from container_runtime_t to spc_t to
container_t.
Any reason this isn't on list?
Nope bad habit. I will send this to the list.
BTW, if you apply my "Generalize support for NNP/nosuid SELinux domain
transitions" kernel patch (or use a kernel that includes it, >= 4.14)
and enable the nnp_nosuid_transition policy capability, you shouldn't
have to use type bounds at all anymore.
I start with no type bounds.
# seinfo --typebounds
Typebounds: 0
During the install it tells me spc_t is already bound by a parent,
no clue what parent.  And the cil file does not exist when the command
completes.
Yes, that's a real pain.  To work around it, I will often run
/usr/libexec/selinux/hll/pp on the pp file to generate the cil file so
/usr/libexec/selinux/hll/pp container.pp container.cil
vi container.cil
# semodule -X 400 -i container.pp
Type spc_t already bound by parent at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:35
Bad bounds statement at
/var/lib/selinux/targeted/tmp/modules/400/container/cil:1583
semodule:  Failed!
I have only the two commands added.
# grep typebounds container.te
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;
This is what is generated in the tmp file.
# grep typebounds.* tmp/container.tmp
      # unconfined_exec_typebounds(container_runtime_exec_t)
      #    unconfined_exec_typebounds(container_auth_exec_t)
# Added to make typebounds check work.
# typebounds container_runtime_exec_t exec_type;
# typebounds container_runtime_exec_t mountpoint;
#    unconfined_typebounds(container_runtime_t)
typebounds container_runtime_t spc_t;
typebounds spc_t container_t;