SELinux syntax error when using optional inside the tunable_policy macro
TLDR: An interface I'm trying to use contains a few "optional_policy" macros. Using it (or any form of "optional") inside a tunable_policy macro results in a syntax error. What is the correct way to accomplish this? See update below.
Long Version: I'm new to SELinux and currently working on a module to constrain a user application on Debian. One of the things I'd like to do is add a boolean to toggle network access. I created a basic policy module using something similar to the following:
sepolicy generate --application -n mymodule /usr/share/foo/foo
I added a new tunable to the generated module.
gen_tunable(mymodule_use_network,false)
tunable_policy(`mymodule_use_network',`
sysnet_dns_name_resolve(mymodule_t)
')
The interface call shown above was generated by sepolicy and I just moved it into the tunable_policy macro. Once I get the DNS working I'll move the rest of the network permissions in.
I have experimented using both the optional_policy macro and the plain optional statement directly. When using the generated script to build and load my module I get the following output in all cases:
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile mymodule.pp
Compiling default mymodule module
mymodule.te:65:ERROR 'syntax error' at token 'optional' on line 4858:
optional {
#line 65
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [/usr/share/selinux/devel/include/Makefile:166: tmp/mymodule.mod] Error 1
+ exit
I have noticed that the file that defines these macros has a helper function regarding commented lines and m4, but I have no idea what it's doing. Is something like that my issue here? As a workaround I can copy the contents of the interface into my macro but that defeats the purpose. What am I missing here? Is it really the case that this is expected and no other tunable in the reference policy contains a nested optional statement?
Update: I've boiled it down to the following if/optional statement combination. According to the SELinux Notebook, optional statements are valid within if statements in policy modules, so I'm really at a loss.
if(`mymodule_use_network'){
optional {
require {
type fonts_t;
}
allow mymodule_t fonts_t:dir getattr;
}
}
Comments (2)
Actually, it only now starts to sink in here that according to documentation "optional" statement is not allowed in conditionals.
A workaround is to wrap the "tunable_policy", "if" or "booleanif" construct with an "optional" instead.
native module policy, something like:
or refpolicy, something along the lines of:
or native common intermediate language:
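Added illustration of the inversion the answer describes, written here rather than taken from the answer or from refpolicy/Debian sources: three separate snippets (native module policy, reference policy, CIL) in one block, using the boolean, domain and fonts_t example from the question. The CIL optional id mymodule_fonts_opt is an assumed name, and mymodule_t is assumed to be declared elsewhere in the module.

```selinux
# 1. Native module policy (.te fed to checkmodule).
#    The boolean test goes INSIDE the optional block; the rejected form
#    in the question had the optional inside the if.
bool mymodule_use_network false;

optional {
    require {
        type fonts_t;
    }
    if (mymodule_use_network) {
        allow mymodule_t fonts_t:dir getattr;
    }
}

# 2. Reference policy (m4 macros, built with /usr/share/selinux/devel/Makefile).
#    optional_policy() expands to the optional block and tunable_policy()
#    to the if block, so the nesting order is the same as above.
#    The `' quoting only exists at this m4 layer.
gen_tunable(mymodule_use_network, false)

optional_policy(`
    tunable_policy(`mymodule_use_network',`
        sysnet_dns_name_resolve(mymodule_t)
    ')
')

; 3. CIL. booleanif sits inside optional; if fonts_t cannot be resolved
;    the whole optional block is dropped instead of failing the build.
;    "mymodule_fonts_opt" is an assumed optional id.
(boolean mymodule_use_network false)
(optional mymodule_fonts_opt
    (booleanif mymodule_use_network
        (true
            (allow mymodule_t fonts_t (dir (getattr))))))
```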
Syntax error maybe? Your stuff does not look like what is documented
What is the compiler telling you?
Do note though that not all statements are allowed in conditionals. You are for example not allowed to declare/associate type attributes in conditionals. Ensure that any interfaces you call in conditionals do not declare/associate type attributes (or any other things that aren't allowed).
By the way:
sysnet_dns_name_resolve()
is not realistically optional. It is kind of confusing because you are essentially using two policy languages (the reference policy abstraction and the native module policy). The `' is specific to reference policy (refpolicy's use of M4, to be precise). That is not something that native module policy uses.