libsepol.validate_user_datum: Invalid user datum #577

Closed
freedom1b2830 opened this issue Jan 1, 2023 · 4 comments

@freedom1b2830
Contributor

Is it really fixed?

Linux archlinux 6.1.1-arch1-1 #1 SMP PREEMPT_DYNAMIC Wed, 21 Dec 2022 22:27:55 +0000 x86_64 GNU/Linux

msg:

libsepol.validate_user_datum: Invalid user datum
libsepol.validate_datum_array_entries: Invalid datum array entries
libsepol.validate_policydb: Invalid policydb
/usr/bin/semodule_package:  Error while reading policy module from tmp/xserver.mod
make: *** [Rules.modular:98: xserver.pp] Ошибка 1

TYPE = mls
NAME = refpolicy-freedom1b2830
UNK_PERMS = deny
DIRECT_INITRC = n
SYSTEMD = y
MONOLITHIC = n
UBAC = n
CUSTOM_BUILDOPT =
MLS_SENS = 16
MLS_CATS = 1024
MCS_CATS = 1024
QUIET = n
WERROR = n

pacman -Ss selinux|grep -E --color "^s[-a-z0-9._/ ]+" -o

selinux/base-devel-selinux 1-1 
selinux/base-selinux 1-1 
selinux/checkpolicy 3.4-1 
selinux/coreutils-selinux 9.1-3 
selinux/cronie-selinux 1.6.1-1 
selinux/dbus-docs-selinux 1.14.4-1 
selinux/dbus-selinux 1.14.4-1 
selinux/findutils-selinux 4.9.0-1 
selinux/iproute2-selinux 6.1.0-3 
selinux/libselinux 3.4-1 
selinux/libsemanage 3.4-1 
selinux/libsepol 3.4-1 
selinux/logrotate-selinux 3.21.0-2 
selinux/mcstrans 3.4-1 
selinux/openssh-selinux 9.1p1-3 
selinux/pam-selinux 1.5.2-1 
selinux/pambase-selinux 20221020-1 
selinux/policycoreutils 3.4-1 
selinux/psmisc-selinux 23.6-1 
selinux/restorecond 3.4-1 
selinux/secilc 3.4-1 
selinux/selinux-alpm-hook 0.1-4 
selinux/selinux-dbus-config 3.4-1 
selinux/selinux-gui 3.4-1 
selinux/selinux-python 3.4-1 
selinux/selinux-refpolicy-arch 20220520-1 
selinux/selinux-refpolicy-git 
selinux/selinux-refpolicy-src 20220520-1 
selinux/selinux-sandbox 3.4-1 
selinux/semodule-utils 3.4-1 
selinux/setools 4.4.0-2 
selinux/shadow-selinux 4.12.3-2 
selinux/sudo-selinux 1.9.12.p1-1 
selinux/systemd-libs-selinux 252.3-1 
selinux/systemd-resolvconf-selinux 252.3-1 
selinux/systemd-selinux 252.3-1 
selinux/systemd-sysvcompat-selinux 252.3-1 
selinux/util-linux-libs-selinux 2.38.1-1 
selinux/util-linux-selinux 2.38.1-1
@cgzones
Contributor

cgzones commented Jan 2, 2023

It is not fixed in any release (yet) but (at least) Debian and Fedora cherry-picked SELinuxProject/selinux@88a7033.

@freedom1b2830
Contributor Author

Is it now possible to create an MLS policy?

@freedom1b2830
Contributor Author

@cgzones
https://patchwork.kernel.org/project/selinux/patch/20220607150145.29757-1-cgzones@googlemail.com/
Do I understand correctly that these are the upcoming patches that will go into the kernel update?

@cgzones
Contributor

cgzones commented Feb 8, 2023

No, not directly.
This patch will be part of the SELinux userland 3.5 release.

In the future I'd like to propose adding the validation into the kernel, to prevent loading ill-formed policies, e.g. SELinuxProject/selinux-testsuite#76. This is currently not a security issue, since loading a SELinux policy is a highly privileged operation.
