Re: Facing problem while running the audit2allow command

2018-02-15 Thread Stephen Smalley
On Thu, 2018-02-15 at 10:30 +0530, Aman Sharma wrote:
> Hi All,
> 
> I am getting one issue while running the command audit2allow and
> below is the 
> logs for the same :
> 
> After switching back to lower version, running "audit2allow -a"
> command show below errors repeatedly and the command does not
> return: 
> libsepol.context_from_record: invalid security context:
> "sysadm_u:system_r:unconfined_java_t:s0-s0:c0.c1023" 
> libsepol.context_from_record: could not create context structure 
> libsepol.context_from_string: could not create context structure 
> libsepol.sepol_context_to_sid: could not convert
> sysadm_u:system_r:unconfined_java_t:s0-s0:c0.c1023 to sid 
> libsepol.context_from_record: invalid security context:
> "sysadm_u:system_r:unconfined_java_t:s0-s0:c0.c1023" 
> libsepol.context_from_record: could not create context structure 
> libsepol.context_from_string: could not create context structure 
> libsepol.sepol_context_to_sid: could not convert
> sysadm_u:system_r:unconfined_java_t:s0-s0:c0.c1023 to sid 
> libsepol.context_from_record: invalid security context:
> "sysadm_u:system_r:unconfined_java_t:s0-s0:c0.c1023" 
> libsepol.context_from_record: could not create context structure 
> libsepol.context_from_string: could not create context structure 
> 
> And also Unconfined is disabled in my System and I am suspecting that
> after disabling , I am getting the above errors. Can anybody help me
> on this.
> 
> Please let me know if any comments are there.

This is normal; you have old audit records from when your policy
included unconfined, and now that you have removed unconfined,
audit2allow can't process those audit records.  However, it won't stop
working; it just continues to process any remaining audit records that
are valid.  You can delete your old audit logs if you want to avoid the
noise.  Or you can feed audit2allow only recent audit records, e.g.
ausearch -m AVC -ts today | audit2allow
to process today's audit records.
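The failure mode Stephen describes (records whose scontext or tcontext names a type the loaded policy no longer has) and both of his remedies (drop old records, or only feed recent ones) can be reproduced without touching the real audit log. The following is an added example, not code from the thread or from the SELinux project: it parses constructed AVC records, validates each context's type against a constructed stand-in for the policy's type list, and applies an optional timestamp cutoff so that only records audit2allow can map to SIDs are kept.

```python
"""
Added example (not from the thread or the SELinux userspace): show why
audit2allow cannot map old AVC records once a type such as
unconfined_java_t has left the policy, and pre-filter an audit log so only
records whose contexts are still valid (and optionally only recent ones)
are passed on.
"""
import re

# Constructed sample audit records; timestamps and contexts are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1517000000.101:120): avc:  denied  { read } for  pid=1234 comm="java" name="config.xml" dev="dm-0" ino=42 scontext=sysadm_u:system_r:unconfined_java_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518700000.202:121): avc:  denied  { write } for  pid=2345 comm="httpd" name="index.html" dev="dm-0" ino=43 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518700100.303:122): avc:  denied  { name_connect } for  pid=2345 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1518700100.303:122): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

# Constructed stand-in for the types present in the currently loaded policy
# (what a tool such as `seinfo -t` would list).  unconfined_java_t is absent
# because unconfined has been removed, as in the thread.
POLICY_TYPES = {"httpd_t", "etc_t", "httpd_sys_content_t", "mysqld_port_t"}

AUDIT_TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")
CONTEXT_RE = re.compile(r"\b(scontext|tcontext)=(\S+)")


def parse_context(ctx):
    """Split user:role:type[:range] into its fields, as a context string is
    decomposed before each field is checked against the policy; the MLS
    range is None when absent."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else None
    return user, role, type_, mls


def record_problems(line, policy_types):
    """Return the context strings in one AVC record whose type is unknown to
    the policy; an empty list means both contexts can be converted to SIDs."""
    bad = []
    for _, ctx in CONTEXT_RE.findall(line):
        _, _, type_, _ = parse_context(ctx)
        if type_ not in policy_types:
            bad.append(ctx)
    return bad


def record_time(line):
    """Epoch seconds from the msg=audit(<secs>.<ms>:<serial>) field, or None."""
    m = AUDIT_TS_RE.search(line)
    return int(m.group(1)) if m else None


def filter_avc_records(log_text, policy_types, since=None):
    """Keep AVC records that reference only types present in policy_types and
    that are not older than `since` (epoch seconds).  Returns (kept, dropped);
    each dropped entry pairs the line with the reason it was rejected."""
    kept, dropped = [], []
    for line in log_text.splitlines():
        if not line.startswith("type=AVC "):
            continue  # SYSCALL and other record types are not AVC denials
        ts = record_time(line)
        if since is not None and (ts is None or ts < since):
            dropped.append((line, "older than cutoff"))
            continue
        bad = record_problems(line, policy_types)
        if bad:
            dropped.append((line, "invalid security context: " + ", ".join(bad)))
            continue
        kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    # Constructed cutoff: 2018-02-15 00:00 UTC, the equivalent of `-ts today`.
    kept, dropped = filter_avc_records(SAMPLE_AUDIT_LOG, POLICY_TYPES,
                                       since=1518652800)
    for line, why in dropped:
        print("skipping (%s): %s" % (why, line[:72]))
    # `kept` is what would be piped into audit2allow
    print("\n".join(kept))
```

Run without `since` and the first record is rejected with the same reason libsepol prints (an invalid context naming unconfined_java_t); run with a cutoff and it is rejected for age before its contexts are even examined, which is exactly what `ausearch -ts today` achieves upstream of audit2allow.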




[PATCH] Describe multiple-decls in secilc.8.xml

2018-02-15 Thread Dominick Grift
Signed-off-by: Dominick Grift 
---
 secilc/secilc.8.xml | 5 +
 1 file changed, 5 insertions(+)

diff --git a/secilc/secilc.8.xml b/secilc/secilc.8.xml
index 4c779b64..e08a9624 100644
--- a/secilc/secilc.8.xml
+++ b/secilc/secilc.8.xml
@@ -75,6 +75,11 @@
 Treat tunables as booleans.
  
 
+ 
+-m, --multiple-decls
+Allow some statements to be 
re-declared.
+ 
+
  
 -N, --disable-neverallow
 Do not check neverallow rules.
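Review bot: the new entry's description, "Allow some statements to be re-declared", does not tell the reader which statements are covered, so someone consulting the man page cannot tell whether the declaration they are repeating is one of them; name the statement kinds that tolerate duplicate declarations in this paragraph, or point to the part of the CIL documentation that lists them.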
-- 
2.16.1




Re: [PATCH V6 0/4] Add SELinux SCTP protocol support

2018-02-15 Thread Neil Horman
On Wed, Feb 14, 2018 at 02:19:03PM -0500, Paul Moore wrote:
> On Tue, Feb 13, 2018 at 3:52 PM, Richard Haines
>  wrote:
> > These patches have been built on Fedora 27 with kernel-4.16.0-0.rc1 plus
> > the following userspace patches to enable testing:
> >
> > 1) Updates to libsepol 2.7 to support the sctp portcon statement.
> >The patch is available from:
> >  http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >  selinux-Add-support-for-the-SCTP-portcon-keyword.patch
> >
> > 2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
> >selinux-testsuite/README.sctp for details. The patch is available from:
> >  http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >  selinux-testsuite-Add-SCTP-test-support.patch
> >
> > 3) Updates to lksctp-tools that show SELinux info in sctp_darn and
> >sctp_test. It also contains a minor patch for test_1_to_1_connect.c
> >as when CIPSO/CALIPSO configured, NetLabel returns a different error
> >code for illegal addresses in test 5. The patch is available from:
> >  http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >  lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch
> >
> > All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
> >
> > All SCTP regression tests "./sctp-tests run" run correctly in enforcing
> > mode. These tests are obtained from: https://github.com/sctp/sctp-tests
> >
> > The selinux-testsuite patch also adds remote tests (that need some manual
> > configuration). These are useful for testing CIPSO/CALIPSO over a network
> > with a number of categories to produce large ip option fields with various
> > message sizes forcing fragmentation etc..
> >
> > Changes since RFC Patch:
> > Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
> > as re-engineered. However this patchset will require the NetLabel
> > patch at [1] to fully run the SCTP selinux-testsuite.
> >
> > V1 Changes:
> > PATCH 1/4
> > Remove unused parameter from security_sctp_assoc_request().
> > Reformat and update LSM-sctp.rst documentation.
> > PATCH 2/4
> > Add variables and RCU locks as requested in [2] to support IP options.
> > PATCH 3/4
> > Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
> > and sctp_sf_do_5_2_4_dupcook().
> > Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
> > no longer required.
> > PATCH 4/4
> > Reformat and update SELinux-sctp.rst documentation.
> > Remove bindx and connectx permissions.
> > Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
> > utilise helpers for code reuse.
> > Add spinlock to selinux_sctp_assoc_request().
> > Remove unused parameter from security_sctp_assoc_request().
> > Use address->sa_family == AF_INET in *_bind and *_connect to ensure
> > correct address type.
> > Minor cleanups.
> >
> > V2 Changes:
> > PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
> > PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]
> >
> > V3 Changes:
> > PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
> > Marcelo
> >
> > V4 Changes:
> > PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
> > lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
> > PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
> > selinux_netlbl_socket_connect_locked() and move description comments to
> > selinux_sctp_bind_connect()
> >
> > V5 Change: Rework selinux_netlbl_socket_connect() and
> > selinux_netlbl_socket_connect_locked as requested by Paul.
> >
> > V6 Changes:
> > Rework SCTP patches 2/4 and 3/4 as there have been major SCTP updates since
> > kernel 4.14.
> >
> > [1] https://marc.info/?l=selinux&m=151061619115945&w=2
> > [2] https://marc.info/?l=selinux&m=150962470215797&w=2
> > [3] https://marc.info/?l=selinux&m=151198281817779&w=2
> >
> > Richard Haines (4):
> >   security: Add support for SCTP security hooks
> >   sctp: Add ip option support
> >   sctp: Add LSM hooks
> >   selinux: Add SCTP support
> 
> Marcelo, or any other SCTP folks, do the SCTP changes still look okay
> to you?  I'd like to merge these into the selinux/next tree by the end
> of the week ...
> 
I had a few comments that I just posted.
Neil

> -- 
> paul moore
> www.paul-moore.com



Re: [PATCH V6 2/4] sctp: Add ip option support

2018-02-15 Thread Neil Horman
On Tue, Feb 13, 2018 at 08:54:44PM +, Richard Haines wrote:
> Add ip option support to allow LSM security modules to utilise CIPSO/IPv4
> and CALIPSO/IPv6 services.
> 
> Signed-off-by: Richard Haines 
> ---
>  include/net/sctp/sctp.h|  4 +++-
>  include/net/sctp/structs.h |  2 ++
>  net/sctp/chunk.c   | 12 +++-
>  net/sctp/ipv6.c| 42 +++---
>  net/sctp/output.c  |  5 -
>  net/sctp/protocol.c| 36 
>  net/sctp/socket.c  | 14 ++
>  7 files changed, 97 insertions(+), 18 deletions(-)
> 
> diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
> index f7ae6b0..25c5c87 100644
> --- a/include/net/sctp/sctp.h
> +++ b/include/net/sctp/sctp.h
> @@ -441,9 +441,11 @@ static inline int sctp_list_single_entry(struct 
> list_head *head)
>  static inline int sctp_frag_point(const struct sctp_association *asoc, int 
> pmtu)
>  {
>   struct sctp_sock *sp = sctp_sk(asoc->base.sk);
> + struct sctp_af *af = sp->pf->af;
>   int frag = pmtu;
>  
> - frag -= sp->pf->af->net_header_len;
> + frag -= af->ip_options_len(asoc->base.sk);
> + frag -= af->net_header_len;
>   frag -= sizeof(struct sctphdr) + sctp_datachk_len(>stream);
>  
>   if (asoc->user_frag)
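Review bot: the new line `frag -= af->ip_options_len(asoc->base.sk);` calls the callback unconditionally on the data path, so every struct sctp_af must set it; the diffstat lists net/sctp/protocol.c, but that hunk is not in the quoted portion, so confirm that both the IPv4 and the IPv6 sctp_af instances assign ip_options_len, or guard the call, since a missing assignment would be a NULL function-pointer dereference on every MTU calculation.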
> diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> index 03e92dd..ead5fce 100644
> --- a/include/net/sctp/structs.h
> +++ b/include/net/sctp/structs.h
> @@ -491,6 +491,7 @@ struct sctp_af {
>   void(*ecn_capable)(struct sock *sk);
>   __u16   net_header_len;
>   int sockaddr_len;
> + int (*ip_options_len)(struct sock *sk);
>   sa_family_t sa_family;
>   struct list_head list;
>  };
> @@ -515,6 +516,7 @@ struct sctp_pf {
>   int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr);
>   void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
>   void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
> + void (*copy_ip_options)(struct sock *sk, struct sock *newsk);
>   struct sctp_af *af;
>  };
>  
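Review bot: `void (*copy_ip_options)(struct sock *sk, struct sock *newsk);` gives the callback no way to report failure, yet the IPv6 implementation further down can fail at ipv6_dup_options and then leaves the new socket without the options; consider returning int so the caller can refuse the clone rather than continue with a silently degraded socket.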
> diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
> index 991a530..d5c0ef7 100644
> --- a/net/sctp/chunk.c
> +++ b/net/sctp/chunk.c
> @@ -154,7 +154,6 @@ static void sctp_datamsg_assign(struct sctp_datamsg *msg, 
> struct sctp_chunk *chu
>   chunk->msg = msg;
>  }
>  
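Review bot: this hunk only removes a blank line in sctp_datamsg_assign and has nothing to do with IP option support; whitespace cleanups like this one (and the similar one later in the same file) are better split into a separate patch so the functional change stays easy to review and bisect.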
> -
>  /* A data chunk can have a maximum payload of (2^16 - 20).  Break
>   * down any such message into smaller chunks.  Opportunistically, fragment
>   * the chunks down to the current MTU constraints.  We may get refragmented
> @@ -171,6 +170,8 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> sctp_association *asoc,
>   struct list_head *pos, *temp;
>   struct sctp_chunk *chunk;
>   struct sctp_datamsg *msg;
> + struct sctp_sock *sp;
> + struct sctp_af *af;
>   int err;
>  
>   msg = sctp_datamsg_new(GFP_KERNEL);
> @@ -189,9 +190,11 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> sctp_association *asoc,
>   /* This is the biggest possible DATA chunk that can fit into
>* the packet
>*/
> - max_data = asoc->pathmtu -
> -sctp_sk(asoc->base.sk)->pf->af->net_header_len -
> -sizeof(struct sctphdr) - sctp_datachk_len(>stream);
> + sp = sctp_sk(asoc->base.sk);
> + af = sp->pf->af;
> + max_data = asoc->pathmtu - af->net_header_len -
> +sizeof(struct sctphdr) - sctp_datachk_len(>stream) -
> +af->ip_options_len(asoc->base.sk);
>   max_data = SCTP_TRUNC4(max_data);
>  
>   /* If the the peer requested that we authenticate DATA chunks
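Review bot: the max_data computation here (`asoc->pathmtu - af->net_header_len - sizeof(struct sctphdr) - sctp_datachk_len(...) - af->ip_options_len(asoc->base.sk)`) now duplicates the arithmetic in sctp_frag_point() from include/net/sctp/sctp.h; a shared helper for the per-packet overhead would keep the two from drifting apart the next time a term is added.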
> @@ -211,7 +214,6 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct 
> sctp_association *asoc,
>  
>   /* Set first_len and then account for possible bundles on first frag */
>   first_len = max_data;
> -
>   /* Check to see if we have a pending SACK and try to let it be bundled
>* with this message.  Do this if we don't have any data queued already.
>* To check that, look at out_qlen and retransmit list.
> diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
> index e35d4f7..0b0f895 100644
> --- a/net/sctp/ipv6.c
> +++ b/net/sctp/ipv6.c
> @@ -427,6 +427,38 @@ static void sctp_v6_copy_addrlist(struct list_head 
> *addrlist,
>   rcu_read_unlock();
>  }
>  
> +/* Copy over any ip options */
> +static void sctp_v6_copy_ip_options(struct sock *sk, struct sock *newsk)
> +{
> + struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
> + struct ipv6_txoptions *opt;
> +
> + newnp = inet6_sk(newsk);
> +
> + rcu_read_lock();
> + opt = rcu_dereference(np->opt);
> + if (opt)
> + opt = ipv6_dup_options(newsk, opt);
do you want to print a warning here in the event the allocation
for the dup operation fails?

> + RCU_INIT_POINTER(newnp->opt, opt);
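Review bot: beyond a warning, the failure case here is fail-open: when ipv6_dup_options returns NULL, `RCU_INIT_POINTER(newnp->opt, opt);` installs NULL and the new socket continues without the CALIPSO/IPv6 options that carried the label, so the security-relevant option is dropped silently; have sctp_v6_copy_ip_options return an error on allocation failure and let the caller abort the clone instead.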

Re: Rework of makefiles v5

2018-02-15 Thread Marcus Folkesson
Hi Nicolas,

First of all, thank you for your review.

On Wed, Feb 14, 2018 at 08:19:44PM +0100, Nicolas Iooss wrote:
> On Wed, Feb 14, 2018 at 10:57 AM, Marcus Folkesson
>  wrote:
> > I have updated the patchset.
> >
> > The biggest change is that $(DESTDIR) is now used in the
> > install stage only.
> >
> > Also some overridden CFLAGS/LDFLAGS have been removed since we now have
> > explicit build rules.
> >
> > I have moved the changelog into patches.
> >
> > Please test to compile with:
> > make DESTDIR=/tmp/myroot PREFIX=/myusr install
> > or
> > make DESTDIR=/tmp/myroot install
> >
> > Thanks for all feedback.
> >
> > Best regards
> > Marcus Folkesson
> >
> 
> Hi,
> Thanks for this update! Here are three comments on this patchset:
> 
> * you forgot a $(DESTDIR) occurrence in patch 7.

Good catch!

> * .travis.yml needs a simple patch to fix the value of PYSITEDIR. I
> will send it later.

Please do.

> * While reading the Makefile after patch 15, I have been surprised by
> "LIBDIR ?= $(DESTDIR)$(PREFIX)/lib", with DESTDIR. As this variable is
> not exported, it works fine as it is, but it might be cleaner to
> define it as "LIBDIR ?= $(PREFIX)/lib" and to use $(DESTDIR) in the
> following lines. This point may be addressed in a follow-up commit
> after the patchset has been merged.

I agree.
I also think it could be part of a follow-up commit. I will take a note.

> 
> As the patchset looks almost ready to be merged, I have created
> https://github.com/SELinuxProject/selinux/pull/79 with a modified
> patch 7 and my patch for .travis.yml. This pull request holds the
> commits I plan to apply in a few days if no other maintainer disagrees
> with this.

Ok, then I will not come up with a v6 that fixes your feedback for patch
#7.

> 
> Best,
> Nicolas
> 

Best regards
Marcus Folkesson

