From patchwork Tue Jul 26 16:53:08 2016
X-Patchwork-Submitter: Steve Lawrence
X-Patchwork-Id: 9248469
From: Steve Lawrence
To: SELinux List
Subject: [PATCH] libsepol/cil: Ignore object_r in userrole mappings when creating policy binary
Date: Tue, 26 Jul 2016 12:53:08 -0400
Message-ID: <1469551988-23131-1-git-send-email-slawrence@tresys.com>
X-Mailer: git-send-email 2.5.5
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Commit 77779d2ca, which added support for userattributes in CIL, accidentally removed code that ignored object_r when adding userrole mappings to the policydb. This meant that running commands like `semanage user -l` would incorrectly show object_r. This patch adds that code back in.

Note that CIL requires that these mappings exist to properly validate file contexts, so pp2cil's behavior of creating these mappings is not modified.

Signed-off-by: Steve Lawrence
---
libsepol/cil/src/cil_binary.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index 5d03127..46fea4b 100644
--- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -754,6 +754,12 @@ int cil_userrole_to_policydb(policydb_t *pdb, const struct cil_db *db, struct ci goto exit; } + if (sepol_role->s.value == 1) { + // role is object_r, ignore it since it is implicitly associated + // with all users + continue; + } + if (ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)) { cil_log(CIL_INFO, "Failed to set role bit for user\n"); rc = SEPOL_ERR;
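Review bot: the new block keys the skip on the bare literal `sepol_role->s.value == 1`, so the reader has to know that object_r is always role value 1 in a policydb to see why this is correct; a named constant (libsepol already defines OBJECT_R_VAL for this value) or a short comment stating that convention would make the intent self-documenting and harder to break if the numbering assumption ever changes. It is also worth noting in the comment that without the skip the following `ebitmap_set_bit(&sepol_user->roles.roles, sepol_role->s.value - 1, 1)` would set bit 0 for every user, which is exactly the spurious object_r that `semanage user -l` showed. Minor style point: the added comment uses `//` in a C file; if the surrounding code in cil_binary.c uses `/* */`, match that.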