secilc-3.1-3

- Rebuilt with libsepol.so.2 - cil_network_labeling_statements: fixes nodecon examples - cil_access_vector_rules: allowx, auditallowx and dontauditx fixes - secilc/docs: document expandtypeattribute - Update the cil docs to match the current behaviour.
2020-11-20 15:35:49 +01:00 · 2020-11-20 15:35:49 +01:00 · da4f4cfdbe
parent e38b29d94e
commit da4f4cfdbe
5 changed files with 329 additions and 2 deletions
--- a/0001-Update-the-cil-docs-to-match-the-current-behaviour.patch
+++ b/0001-Update-the-cil-docs-to-match-the-current-behaviour.patch
@ -0,0 +1,89 @@
+From fbe1e526dc01f6797428c88e24881fdc3d3ec6e8 Mon Sep 17 00:00:00 2001
+From: bauen1 <j2468h@googlemail.com>
+Date: Thu, 9 Jul 2020 10:36:36 +0200
+Subject: [PATCH] Update the cil docs to match the current behaviour.
+
+Some features where dropped or change since the docs were last updated.
+
+Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ secilc/docs/cil_call_macro_statements.md | 6 ++++--
+ secilc/docs/cil_container_statements.md  | 2 +-
+ secilc/docs/cil_reference_guide.md       | 2 +-
+ secilc/docs/cil_user_statements.md       | 2 +-
+ 4 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/secilc/docs/cil_call_macro_statements.md b/secilc/docs/cil_call_macro_statements.md
+index 17c46ed9c893..98b703687e44 100644
+--- a/secilc/docs/cil_call_macro_statements.md
+++ b/secilc/docs/cil_call_macro_statements.md
+@@ -44,7 +44,7 @@ macro
+ 
+ Declare a macro in the current namespace with its associated parameters. The macro identifier is used by the [`call`](cil_call_macro_statements.md#call) statement to instantiate the macro and resolve any parameters. The call statement may be within the body of a macro.
+ 
+-Note that when resolving macros the callers namespace is not checked, only the following places:
+When resolving macros the following places are checked in this order:
+ 
+ -   Items defined inside the macro
+ 
+@@ -52,6 +52,8 @@ Note that when resolving macros the callers namespace is not checked, only the f
+ 
+ -   Items defined in the same namespace of the macro
+ 
+-   Items defined in the callers namespace
+
+ -   Items defined in the global namespace
+ 
+ **Statement definition:**
+@@ -80,7 +82,7 @@ Note that when resolving macros the callers namespace is not checked, only the f
+ <tr class="odd">
+ <td align="left"><p><code>param_type</code></p></td>
+ <td align="left"><p>Zero or more parameters that are passed to the macro. The <code>param_type</code> is a keyword used to determine the declaration type (e.g. <code>type</code>, <code>class</code>, <code>categoryset</code>).</p>
+-<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>block</code>, <code>name</code> (a string), <code>classmap</code></p></td>
+<p>The list of valid <code>param_type</code> entries are: <code>type</code>, <code>typealias</code>, <code>role</code>, <code>user</code>, <code>sensitivity</code>, <code>sensitivityalias</code>, <code>category</code>, <code>categoryalias</code>, <code>categoryset</code> (named or anonymous), <code>level</code> (named or anonymous), <code>levelrange</code> (named or anonymous), <code>class</code>, <code>classpermission</code> (named or anonymous), <code>ipaddr</code> (named or anonymous), <code>name</code> (a string), <code>classmap</code></p></td>
+ </tr>
+ <tr class="even">
+ <td align="left"><p><code>param_id</code></p></td>
+diff --git a/secilc/docs/cil_container_statements.md b/secilc/docs/cil_container_statements.md
+index a570cb235d7c..58b3224de211 100644
+--- a/secilc/docs/cil_container_statements.md
+++ b/secilc/docs/cil_container_statements.md
+@@ -254,7 +254,7 @@ This example will instantiate the optional block `ext_gateway.move_file` into po
+ in
+ --
+ 
+-Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements.
+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
+ 
+ **Statement definition:**
+ 
+diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
+index 1b1fccca5faa..3e33c5f74283 100644
+--- a/secilc/docs/cil_reference_guide.md
+++ b/secilc/docs/cil_reference_guide.md
+@@ -176,7 +176,7 @@ Should the symbol not be prefixed with a dot, the current namespace would be sea
+ Expressions
+ -----------
+ 
+-Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`validatetrans`](cil_constraint_statements.md#validatetrans)
+Expressions may occur in the following CIL statements: [`booleanif`](cil_conditional_statements.md#booleanif), [`tunableif`](cil_conditional_statements.md#tunableif), [`classpermissionset`](cil_class_and_permission_statements.md#classpermissionset), [`typeattributeset`](cil_type_statements.md#typeattributeset), [`roleattributeset`](cil_role_statements.md#roleattributeset), [`categoryset`](cil_mls_labeling_statements.md#categoryset), [`constrain`](cil_constraint_statements.md#constrain), [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain), [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans)
+ 
+ CIL expressions use the [prefix](http://www.cs.man.ac.uk/~pjj/cs212/fix.html) or Polish notation and may be nested (note that the kernel policy language uses postfix or reverse Polish notation). The syntax is as follows, where the parenthesis are part of the syntax:
+ 
+diff --git a/secilc/docs/cil_user_statements.md b/secilc/docs/cil_user_statements.md
+index bbd76eff8645..26e45510405d 100644
+--- a/secilc/docs/cil_user_statements.md
+++ b/secilc/docs/cil_user_statements.md
+@@ -260,7 +260,7 @@ This example will associate `unconfined.user` with a named [`levelrange`](cil_ml
+     (categoryorder (c0 c1))
+     (sensitivity s0)
+     (sensitivity s1)
+-    (dominance (s0 s1))
+    (sensitivityorder (s0 s1))
+     (sensitivitycategory s0 (c0 c1))
+     (level systemLow (s0))
+     (level systemHigh (s0 (c0 c1)))
+-- 
+2.29.2
+
--- a/0002-secilc-docs-document-expandtypeattribute.patch
+++ b/0002-secilc-docs-document-expandtypeattribute.patch
@ -0,0 +1,91 @@
+From 9e9b8103400badc09ba98c66044e5ca57cc80446 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@defensec.nl>
+Date: Wed, 5 Aug 2020 21:48:23 +0200
+Subject: [PATCH] secilc/docs: document expandtypeattribute
+
+This was added for Androids Treble in 2017.
+
+Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ secilc/docs/README.md              |  1 +
+ secilc/docs/cil_type_statements.md | 51 ++++++++++++++++++++++++++++++
+ 2 files changed, 52 insertions(+)
+
+diff --git a/secilc/docs/README.md b/secilc/docs/README.md
+index 3f1838e63be1..efab2a71bbf3 100644
+--- a/secilc/docs/README.md
+++ b/secilc/docs/README.md
+@@ -126,6 +126,7 @@ CIL (Common Intermediate Language)
+   * [typealiasactual](cil_type_statements.md#typealiasactual)
+   * [typeattribute](cil_type_statements.md#typeattribute)
+   * [typeattributeset](cil_type_statements.md#typeattributeset)
+  * [expandtypeattribute](cil_type_statements.md#expandtypeattribute)
+   * [typebounds](cil_type_statements.md#typebounds)
+   * [typechange](cil_type_statements.md#typechange)
+   * [typemember](cil_type_statements.md#typemember)
+diff --git a/secilc/docs/cil_type_statements.md b/secilc/docs/cil_type_statements.md
+index f9dd3a7697ae..432cede5df53 100644
+--- a/secilc/docs/cil_type_statements.md
+++ b/secilc/docs/cil_type_statements.md
+@@ -213,6 +213,57 @@ This example is equivalent to `{ domain -kernel.process -ueventd.process -init.p
+         )
+     )
+ 
+expandtypeattribute
+-------------------
+
+Overrides the compiler defaults for the expansion of one or more
+previously declared [`typeattribute`](cil_type_statements.md#typeattribute)
+identifiers.
+
+This rule gives more control over type attribute expansion and
+removal. When the value is true, all rules involving the type
+attribute will be expanded and the type attribute will be removed from
+the policy. When the value is false, the type attribute will not be
+removed from the policy, even if the default expand rules or "-X"
+option cause the rules involving the type attribute to be expanded.
+
+**Statement definition:**
+
+    (expandtypeattribute typeattribute_id expand_value)
+
+**Where:**
+
+<table>
+<colgroup>
+<col width="25%" />
+<col width="75%" />
+</colgroup>
+<tbody>
+<tr class="odd">
+<td align="left"><p><code>expandtypeattribute</code></p></td>
+<td align="left"><p>The <code>expandtypeattribute</code> keyword.</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p><code>typeattribute_id</code></p></td>
+<td align="left"><p>One or more previously declared <code>typeattribute</code> identifiers. Multiple entries consist of a space separated list enclosed in parentheses '()'.</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p><code>expand_value</code></p></td>
+<td align="left"><p>Either true or false.</p></td>
+</tr>
+</tbody>
+</table>
+
+**Examples:**
+
+This example uses the expandtypeattribute statement to forcibly expand a previously declared `domain` type attribute.
+
+    (expandtypeattribute domain true)
+
+This example uses the expandtypeattribute statement to not expand previously declared `file_type` and `port_type` type attributes regardless of compiler defaults.
+
+    (expandtypeattribute (file_type port_type) false)
+
+ typebounds
+ ----------
+ 
+-- 
+2.29.2
+
--- a/0003-cil_access_vector_rules-allowx-auditallowx-and-donta.patch
+++ b/0003-cil_access_vector_rules-allowx-auditallowx-and-donta.patch
@ -0,0 +1,88 @@
+From eefa5511ddfa674e79ce4e5f4e55e565f2a92d57 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@defensec.nl>
+Date: Sat, 12 Sep 2020 15:14:11 +0200
+Subject: [PATCH] cil_access_vector_rules: allowx, auditallowx and dontauditx
+ fixes
+
+allowx requires a equivalent "allow ioctl" rule to be present
+auditallowx requires a equivalent "auditallow" ioctl rule to be present
+dontauditx requires atleast one equivalent "allowx" rule to be present (can be a random irrelevant ioctlcmd)
+
+Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
+---
+ secilc/docs/cil_access_vector_rules.md | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md
+index 9c03c71001d4..683cc28cd8de 100644
+--- a/secilc/docs/cil_access_vector_rules.md
+++ b/secilc/docs/cil_access_vector_rules.md
+@@ -238,6 +238,8 @@ allowx
+ 
+ Specifies the access allowed between a source and target type using extended permissions. Unlike the [`allow`](cil_access_vector_rules.md#allow) statement, the statements [`validatetrans`](cil_constraint_statements.md#validatetrans), [`mlsvalidatetrans`](cil_constraint_statements.md#mlsvalidatetrans), [`constrain`](cil_constraint_statements.md#constrain), and [`mlsconstrain`](cil_constraint_statements.md#mlsconstrain) do not limit accesses granted by [`allowx`](cil_access_vector_rules.md#allowx).
+ 
+Note that for this to work there must *also* be valid equivalent [`allow`](cil_access_vector_rules.md#allow) rules present.
+
+ **Rule definition:**
+ 
+     (allowx source_id target_id|self permissionx_id)
+@@ -274,18 +276,21 @@ Specifies the access allowed between a source and target type using extended per
+ 
+ These examples show a selection of possible permutations of [`allowx`](cil_access_vector_rules.md#allowx) rules:
+ 
+    (allow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite
+     (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
+ 
+     (permissionx ioctl_nodebug (ioctl udp_socket (not (range 0x4000 0x4010))))
+    (allow type_3 type_4 (udp_socket (ioctl))) ;; pre-requisite
+     (allowx type_3 type_4 ioctl_nodebug)
+ 
+ 
+-
+ auditallowx
+ -----------
+ 
+ Audit the access rights defined if there is a valid [`allowx`](cil_access_vector_rules.md#allowx) rule. It does NOT allow access, it only audits the event.
+ 
+Note that for this to work there must *also* be valid equivalent [`auditallow`](cil_access_vector_rules.md#auditallow) rules present.
+
+ **Rule definition:**
+ 
+     (auditallowx source_id target_id|self permissionx_id)
+@@ -324,6 +329,7 @@ This example will log an audit event whenever the corresponding [`allowx`](cil_a
+ 
+     (allowx type_1 type_2 (ioctl tcp_socket (range 0x2000 0x20FF)))
+ 
+    (auditallow type_1 type_2 (tcp_socket (ioctl))) ;; pre-requisite
+     (auditallowx type_1 type_2 (ioctl tcp_socket (range 0x2005 0x2010)))
+ 
+ 
+@@ -332,6 +338,8 @@ dontauditx
+ 
+ Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
+ 
+Note that for this to work there must *also* be atleast one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type.
+
+ Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.
+ 
+ **Rule definition:**
+@@ -370,6 +378,7 @@ Note that these rules can be omitted by the CIL compiler command line parameter
+ 
+ This example will not audit the denied access:
+ 
+    (allowx type_1 type_2 (ioctl tcp_socket (0x1))) ;; pre-requisite, just some irrelevant random ioctl
+     (dontauditx type_1 type_2 (ioctl tcp_socket (range 0x3000 0x30FF)))
+ 
+ 
+@@ -392,7 +401,7 @@ Note that these rules can be over-ridden by the CIL compiler command line parame
+ </colgroup>
+ <tbody>
+ <tr class="odd">
+-<td align="left"><p><code>neverallows</code></p></td>
+<td align="left"><p><code>neverallowx</code></p></td>
+ <td align="left"><p>The <code>neverallowx</code> keyword.</p></td>
+ </tr>
+ <tr class="even">
+-- 
+2.29.2
+
--- a/0004-cil_network_labeling_statements-fixes-nodecon-exampl.patch
+++ b/0004-cil_network_labeling_statements-fixes-nodecon-exampl.patch
@ -0,0 +1,48 @@
+From e8bcdb84dc0937b65ca1e9167b436b21375b96ab Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@defensec.nl>
+Date: Tue, 8 Sep 2020 10:53:29 +0200
+Subject: [PATCH] cil_network_labeling_statements: fixes nodecon examples
+
+The order of the subnet and netmask is wrong and also the value of netmask is wrong for single address subnet
+Use an ipaddr reserved for documentation: https://tools.ietf.org/html/rfc5737
+Add ipv6 example: https://tools.ietf.org/html/rfc3849
+
+Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
+---
+ .../docs/cil_network_labeling_statements.md   | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/secilc/docs/cil_network_labeling_statements.md b/secilc/docs/cil_network_labeling_statements.md
+index 49a836c16c55..60aec80d7988 100644
+--- a/secilc/docs/cil_network_labeling_statements.md
+++ b/secilc/docs/cil_network_labeling_statements.md
+@@ -145,12 +145,21 @@ These examples show named and anonymous [`nodecon`](cil_network_labeling_stateme
+     (context context_1 (unconfined.user object_r unconfined.object low_low))
+     (context context_2 (unconfined.user object_r unconfined.object (systemlow level_2)))
+ 
+-    (ipaddr netmask_1 255.255.255.0)
+-    (ipaddr ipv4_1 192.168.1.64)
+    (ipaddr netmask_1 255.255.255.255)
+    (ipaddr ipv4_1 192.0.2.64)
+
+    (nodecon ipv4_1 netmask_1 context_2)
+    (nodecon (192.0.2.64) (255.255.255.255) context_1)
+    (nodecon (192.0.2.64) netmask_1 (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
+
+    (context context_3 (sys.id sys.role my48prefix.node ((s0)(s0))))
+
+    (ipaddr netmask_2 ffff:ffff:ffff:0:0:0:0:0)
+    (ipaddr ipv6_2  2001:db8:1:0:0:0:0:0)
+ 
+-    (nodecon netmask_1 ipv4_1 context_2)
+-    (nodecon (255.255.255.0) (192.168.1.64) context_1)
+-    (nodecon netmask_1 (192.168.1.64) (unconfined.user object_r unconfined.object ((s0) (s0 (c0)))))
+    (nodecon ipv6_2 netmask_2 context_3)
+    (nodecon (2001:db8:1:0:0:0:0:0) (ffff:ffff:ffff:0:0:0:0:0) context_3)
+    (nodecon (2001:db8:1:0:0:0:0:0) netmask_2 (sys.id sys.role my48prefix.node ((s0)(s0))))
+ 
+ portcon
+ -------
+-- 
+2.29.2
+
--- a/secilc.spec
+++ b/secilc.spec
@ -1,8 +1,8 @@
-%global libsepolver 3.1
+%global libsepolver 3.1-5

 Name:           secilc
 Version:        3.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        The SELinux CIL Compiler

 License:        BSD
@ -11,6 +11,10 @@ Source0:        https://github.com/SELinuxProject/selinux/releases/download/2020
 # fedora-selinux/selinux: git format-patch -N secilc-3.1 -- secilc
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
+Patch0001: 0001-Update-the-cil-docs-to-match-the-current-behaviour.patch
+Patch0002: 0002-secilc-docs-document-expandtypeattribute.patch
+Patch0003: 0003-cil_access_vector_rules-allowx-auditallowx-and-donta.patch
+Patch0004: 0004-cil_network_labeling_statements-fixes-nodecon-exampl.patch
 # Patch list end
 BuildRequires:  gcc
 BuildRequires:  libsepol-static >= %{libsepolver}, dblatex, flex, xmlto, pandoc-pdf, texlive-mdwtools
@ -62,6 +66,13 @@ make %{?_smp_mflags} DESTDIR="%{buildroot}" SBINDIR="%{buildroot}%{_sbindir}" LI
 %license COPYING

 %changelog
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-3
+- Rebuilt with libsepol.so.2
+- cil_network_labeling_statements: fixes nodecon examples
+- cil_access_vector_rules: allowx, auditallowx and dontauditx fixes
+- secilc/docs: document expandtypeattribute
+- Update the cil docs to match the current behaviour.
+
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild