Re: [PATCH 11/13] selinux: Cleanup printk logging in netif

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/netif.c | 11 ---
>  1 file changed, 4 insertions(+), 7 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/netif.c b/security/selinux/netif.c
> index ac65f7417413..8c738c189942 100644
> --- a/security/selinux/netif.c
> +++ b/security/selinux/netif.c
> @@ -145,9 +145,8 @@ static int sel_netif_sid_slow(struct net *ns, int 
> ifindex, u32 *sid)
>
> dev = dev_get_by_index(ns, ifindex);
> if (unlikely(dev == NULL)) {
> -   printk(KERN_WARNING
> -  "SELinux: failure in sel_netif_sid_slow(),"
> -  " invalid network interface (%d)\n", ifindex);
> +   pr_warn("SELinux: failure in %s(), invalid network interface 
> (%d)\n",
> +   __func__, ifindex);
> return -ENOENT;
> }
>
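Review bot: the hunk does more than the one-line description "Replace printk with pr_*" says: besides switching to pr_warn() it replaces the hard-coded "sel_netif_sid_slow()" in the format string with `%s` and `__func__`. That is a sound change (the message stays correct if the function is ever renamed), but it is a behavioural detail a reader of `git log` will not expect from a checkpatch cleanup, so the commit message should mention it; the netport and netnode patches in this series make the same substitution and could share the wording.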
> @@ -177,10 +176,8 @@ static int sel_netif_sid_slow(struct net *ns, int 
> ifindex, u32 *sid)
> spin_unlock_bh(_netif_lock);
> dev_put(dev);
> if (unlikely(ret)) {
> -   printk(KERN_WARNING
> -  "SELinux: failure in sel_netif_sid_slow(),"
> -  " unable to determine network interface label (%d)\n",
> -  ifindex);
> +   pr_warn("SELinux: failure in %s(), unable to determine 
> network interface label (%d)\n",
> +   __func__, ifindex);
> kfree(new);
> }
> return ret;
> --
> 2.15.1
>


-- 
paul moore
www.paul-moore.com

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [PATCH 12/13] selinux: Cleanup printk logging in avc

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/avc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Merged, thanks.

> diff --git a/security/selinux/avc.c b/security/selinux/avc.c
> index f3aedf077509..635e5c1e3e48 100644
> --- a/security/selinux/avc.c
> +++ b/security/selinux/avc.c
> @@ -650,7 +650,7 @@ static int avc_latest_notif_update(struct selinux_avc 
> *avc,
> spin_lock_irqsave(_lock, flag);
> if (is_insert) {
> if (seqno < avc->avc_cache.latest_notif) {
> -   printk(KERN_WARNING "SELinux: avc:  seqno %d < 
> latest_notif %d\n",
> +   pr_warn("SELinux: avc:  seqno %d < latest_notif %d\n",
>seqno, avc->avc_cache.latest_notif);
> ret = -EAGAIN;
> }
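Review bot: the unchanged continuation line `seqno, avc->avc_cache.latest_notif);` was indented to sit under the opening parenthesis of `printk(KERN_WARNING`; with the shorter `pr_warn(` it now overshoots the parenthesis by several columns, so checkpatch will report "Alignment should match open parenthesis" on the very line this patch is meant to quiet. Re-indent the argument line in the same hunk. The same applies to every multi-line call in this series where only the first line was touched.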
> --
> 2.15.1
>


-- 
paul moore
www.paul-moore.com



Re: [PATCH 10/13] selinux: Cleanup printk logging in netport

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/netport.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/netport.c b/security/selinux/netport.c
> index 9ed4c5064a5e..7a141cadbffc 100644
> --- a/security/selinux/netport.c
> +++ b/security/selinux/netport.c
> @@ -173,9 +173,8 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, 
> u32 *sid)
>  out:
> spin_unlock_bh(_netport_lock);
> if (unlikely(ret)) {
> -   printk(KERN_WARNING
> -  "SELinux: failure in sel_netport_sid_slow(),"
> -  " unable to determine network port label\n");
> +   pr_warn("SELinux: failure in %s(), unable to determine 
> network port label\n",
> +   __func__);
> kfree(new);
> }
> return ret;
> --
> 2.15.1

-- 
paul moore
www.paul-moore.com



Re: [PATCH 13/13] selinux: Cleanup printk logging in netnode

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/netnode.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
> index 6dd89b89bc1f..afa0d432436b 100644
> --- a/security/selinux/netnode.c
> +++ b/security/selinux/netnode.c
> @@ -238,9 +238,8 @@ static int sel_netnode_sid_slow(void *addr, u16 family, 
> u32 *sid)
>  out:
> spin_unlock_bh(_netnode_lock);
> if (unlikely(ret)) {
> -   printk(KERN_WARNING
> -  "SELinux: failure in sel_netnode_sid_slow(),"
> -  " unable to determine network node label\n");
> +   pr_warn("SELinux: failure in %s(), unable to determine 
> network node label\n",
> +   __func__);
> kfree(new);
> }
> return ret;
> --
> 2.15.1
>


-- 
paul moore
www.paul-moore.com



Re: [PATCH 09/13] selinux: Cleanup printk logging in sidtab

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/ss/sidtab.c | 5 ++---
>  1 file changed, 2 insertions(+), 3 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c
> index 5be31b7af225..fd75a12fa8fc 100644
> --- a/security/selinux/ss/sidtab.c
> +++ b/security/selinux/ss/sidtab.c
> @@ -214,8 +214,7 @@ int sidtab_context_to_sid(struct sidtab *s,
> }
> sid = s->next_sid++;
> if (context->len)
> -   printk(KERN_INFO
> -  "SELinux:  Context %s is not valid (left unmapped).\n",
> +   pr_info("SELinux:  Context %s is not valid (left 
> unmapped).\n",
>context->str);
> ret = sidtab_insert(s, sid, context);
> if (ret)
> @@ -253,7 +252,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag)
> }
> }
>
> -   printk(KERN_DEBUG "%s:  %d entries and %d/%d buckets used, longest "
> +   pr_debug("%s:  %d entries and %d/%d buckets used, longest "
>"chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE,
>max_chain_len);
>  }
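Review bot: this hunk is not behaviour-preserving. printk(KERN_DEBUG ...) always emits the line (subject only to the console loglevel), whereas pr_debug() compiles to no_printk() unless DEBUG is defined for the translation unit or CONFIG_DYNAMIC_DEBUG is enabled and the call site is switched on at run time. After this change the bucket statistics from sidtab_hash_eval() disappear from dmesg on a default build. If that is acceptable, say so in the commit message; if the output should stay unconditional, keep printk(KERN_DEBUG ...) or use pr_info(). The same concern applies to the avtab_alloc()/avtab_hash_eval() and policydb hash_eval() pr_debug conversions in this series.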
> --
> 2.15.1
>


-- 
paul moore
www.paul-moore.com



Re: [PATCH 08/13] selinux: Cleanup printk logging in netlink

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/netlink.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Merged, thanks.

> diff --git a/security/selinux/netlink.c b/security/selinux/netlink.c
> index 828fb6a4e941..8a8a72507437 100644
> --- a/security/selinux/netlink.c
> +++ b/security/selinux/netlink.c
> @@ -94,7 +94,7 @@ static void selnl_notify(int msgtype, void *data)
>  out_kfree_skb:
> kfree_skb(skb);
>  oom:
> -   printk(KERN_ERR "SELinux:  OOM in %s\n", __func__);
> +   pr_err("SELinux:  OOM in %s\n", __func__);
> goto out;
>  }
>
> --
> 2.15.1
>


-- 
paul moore
www.paul-moore.com



Re: [PATCH 07/13] selinux: Cleanup printk logging in selinuxfs

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/selinuxfs.c | 10 +-
>  1 file changed, 5 insertions(+), 5 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index c0cadbc5f85c..2adfade99945 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -620,7 +620,7 @@ static ssize_t sel_write_context(struct file *file, char 
> *buf, size_t size)
>
> length = -ERANGE;
> if (len > SIMPLE_TRANSACTION_LIMIT) {
> -   printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
> +   pr_err("SELinux: %s:  context size (%u) exceeds "
> "payload max\n", __func__, len);
> goto out;
> }
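Review bot: with `printk(KERN_ERR` gone, the first fragment of the split string `"SELinux: %s:  context size (%u) exceeds " "payload max\n"` has room for the whole message on one line. checkpatch prefers user-visible strings unbroken (string lines are exempt from the 80-column warning) because a split string cannot be found by grepping the source for the text that appears in dmesg. Since the line is being touched anyway, join the two fragments here and in the identical hunks for sel_write_create() and sel_write_member() below.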
> @@ -956,7 +956,7 @@ static ssize_t sel_write_create(struct file *file, char 
> *buf, size_t size)
>
> length = -ERANGE;
> if (len > SIMPLE_TRANSACTION_LIMIT) {
> -   printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
> +   pr_err("SELinux: %s:  context size (%u) exceeds "
> "payload max\n", __func__, len);
> goto out;
> }
> @@ -1147,7 +1147,7 @@ static ssize_t sel_write_member(struct file *file, char 
> *buf, size_t size)
>
> length = -ERANGE;
> if (len > SIMPLE_TRANSACTION_LIMIT) {
> -   printk(KERN_ERR "SELinux: %s:  context size (%u) exceeds "
> +   pr_err("SELinux: %s:  context size (%u) exceeds "
> "payload max\n", __func__, len);
> goto out;
> }
> @@ -1996,7 +1996,7 @@ static int sel_fill_super(struct super_block *sb, void 
> *data, int silent)
> goto err;
> return 0;
>  err:
> -   printk(KERN_ERR "SELinux: %s:  failed while creating inodes\n",
> +   pr_err("SELinux: %s:  failed while creating inodes\n",
> __func__);
>
> selinux_fs_info_free(sb);
> @@ -2046,7 +2046,7 @@ static int __init init_sel_fs(void)
>
> selinux_null.mnt = selinuxfs_mount = kern_mount(_fs_type);
> if (IS_ERR(selinuxfs_mount)) {
> -   printk(KERN_ERR "selinuxfs:  could not mount!\n");
> +   pr_err("selinuxfs:  could not mount!\n");
> err = PTR_ERR(selinuxfs_mount);
> selinuxfs_mount = NULL;
> }
> --
> 2.15.1
>


-- 
paul moore
www.paul-moore.com



Re: 'setsebool -P' works but throws errors; changes not permanent

2018-06-19 Thread Jalus Bilieyich
On Mon, 18 Jun 2018 19:44:10 +
Mike Hughes  wrote:

> We use Yubikey for two-factor ssh authentication which requires enabling a 
> Boolean called "authlogin_yubikey". It has been working fine until a few 
> weeks ago. Errors appear when attempting to set the policy:
> 
> --
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> off
> 
> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> libsepol.context_from_record: type gpio_device_t is not defined
> libsepol.context_from_record: could not create context structure
> libsepol.context_from_string: could not create context structure
> libsepol.sepol_context_to_sid: could not convert 
> system_u:object_r:gpio_device_t:s0 to sid
> invalid context system_u:object_r:gpio_device_t:s0
> 
> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> authlogin_yubikey --> on
> ---
> 
> The system accepts two-factor while the above is set to "on". After some 
> undetermined time (or immediately after a reboot) the Boolean toggles off. 
> This can be confirmed since semanage shows that the default is still set to 
> "off":
> 
> --
> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> SELinux boolean                State  Default Description
> ...
> authlogin_yubikey  (on   ,  off)  Allow authlogin to yubikey
> --
> 
> It looks similar to the following bug on Fedora:
> https://bugzilla.redhat.com/show_bug.cgi?id=1559174


-- 
Jalus Bilieyich 



RE: 'setsebool -P' works but throws errors; changes not permanent

2018-06-19 Thread Mike Hughes
> -Original Message-
> From: Stephen Smalley 
> Sent: Tuesday, June 19, 2018 07:39
> 
> On 06/18/2018 04:33 PM, Mike Hughes wrote:
> >> -Original Message-
> >> From: Stephen Smalley 
> >> Sent: Monday, June 18, 2018 15:28
> >> On 06/18/2018 03:44 PM, Mike Hughes wrote:
> >>> We use Yubikey for two-factor ssh authentication which requires enabling 
> >>> a Boolean
> >> called “authlogin_yubikey”. It has been working fine until a few weeks 
> >> ago. Errors
> appear
> >> when attempting to set the policy:
> >>>
> >>> --
> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> off
> >>>
> >>> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
> >>> libsepol.context_from_record: type gpio_device_t is not defined
> >>> libsepol.context_from_record: could not create context structure
> >>> libsepol.context_from_string: could not create context structure
> >>> libsepol.sepol_context_to_sid: could not convert 
> >>> system_u:object_r:gpio_device_t:s0 to
> >> sid
> >>> invalid context system_u:object_r:gpio_device_t:s0
> >>
> >> Sounds like your policy is in an inconsistent internal state (somewhere 
> >> you have a
> context
> >> with gpio_device_t but the type isn't defined in the policy).
> >>
> >> What's your policy version?  And did it perhaps fail during %post when it 
> >> was updated -
> >> check yum.log?
> >
> > Nothing stands out to me in yum.log
> 
> There would have been error messages during the update of the 
> selinux-policy-targeted
> package.
> 
> You didn't mention your policy version.  On an updated CentOS 7 VM, I see:
> $ rpm -q selinux-policy-targeted
> selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
> 
> And it has gpio_device_t defined:
> $ seinfo -t | grep gpio_device_t
> gpio_device_t
> 
> And this type is used in file_contexts:
> $ semanage fcontext -l | grep gpio_device_t
> /dev/gpiochip[0-9]+   character device
> system_u:object_r:gpio_device_t:s0

Thank you for the suggestions. I received the same responses, though the last 
one needed to be run as root.

> 
> >
> >
> >> Does semodule -B fail?
> >
> > No, it completes without error:
> >
> > --
> > [Cent-7:root@my_server ~]# semodule -B
> > [Cent-7:root@ my_server ~]# echo $?
> > 0
> > [Cent-7:root@ my_server ~]#
> > --
> >>
> >> Might have to move aside your policy and reinstall it.
> >
> > How might one accomplish this?
> 
> You could try first to just reinstall the package, e.g. yum reinstall 
> selinux-policy-
> targeted.

This appears to have resolved the issue. After reinstalling the policy 
setsebool does not throw errors and 'semanage boolean -l' indicates that the
default state is set to "on":

--
[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> off
[Cent-7:root@ my_server ~]# setsebool -P authlogin_yubikey on
[Cent-7:root@ my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
authlogin_yubikey  (on   ,   on)  Allow authlogin to yubikey
--

> 
> If that doesn't resolve it, then export any local customizations you have and 
> move aside
> your active policy store and try again, ala
> semanage export -f exports
> mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
> yum reinstall selinux-policy-targeted
> 
> Then check that everything in the exports file is something you want to 
> preserve, and if
> so, re-import it.
> cat exports
> semanage import -f exports
> 
> If that doesn't resolve it, you could move aside the entire policy tree and 
> try again, ala
> mv /etc/selinux/targeted /etc/selinux/targeted.old
> yum reinstall selinux-policy-targeted
> 
> And then re-import your exports if desired/appropriate.
> 
> You may also have to re-insert any local policy modules you have defined; I 
> don't think
> export/import handles modules, just other changes.

Thank you for the sledgehammers! I'll keep these around for next time.
-Mike

> >>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
> >>> authlogin_yubikey --> on
> >>> ---
> >>>
> >>> The system accepts two-factor while the above is set to “on”. After some 
> >>> undetermined
> >> time (or immediately after a reboot) the Boolean toggles off. This can be 
> >> confirmed
> since
> >> semanage shows that the default is still set to “off”:
> >>>
> >>> --
> >>> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
> >>> SELinux boolean    State  Default Description
> >>> ...
> >>> authlogin_yubikey  (on   ,  off)  Allow authlogin to yubikey
> >>> --
> >>>
> >>> It looks similar to the following bug on Fedora:
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1559174



Re: [PATCH 06/13] selinux: Cleanup printk logging in services

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/ss/services.c | 71 
> +-
>  1 file changed, 35 insertions(+), 36 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 8057e19dc15f..9ad9b6c2f0a7 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -136,8 +136,7 @@ static int selinux_set_mapping(struct policydb *pol,
>
> p_out->value = string_to_security_class(pol, p_in->name);
> if (!p_out->value) {
> -   printk(KERN_INFO
> -  "SELinux:  Class %s not defined in policy.\n",
> +   pr_info("SELinux:  Class %s not defined in policy.\n",
>p_in->name);
> if (pol->reject_unknown)
> goto err;
> @@ -156,8 +155,7 @@ static int selinux_set_mapping(struct policydb *pol,
> p_out->perms[k] = string_to_av_perm(pol, p_out->value,
> p_in->perms[k]);
> if (!p_out->perms[k]) {
> -   printk(KERN_INFO
> -  "SELinux:  Permission %s in class %s 
> not defined in policy.\n",
> +   pr_info("SELinux:  Permission %s in class %s 
> not defined in policy.\n",
>p_in->perms[k], p_in->name);
> if (pol->reject_unknown)
> goto err;
> @@ -170,7 +168,7 @@ static int selinux_set_mapping(struct policydb *pol,
> }
>
> if (print_unknown_handle)
> -   printk(KERN_INFO "SELinux: the above unknown classes and 
> permissions will be %s\n",
> +   pr_info("SELinux: the above unknown classes and permissions 
> will be %s\n",
>pol->allow_unknown ? "allowed" : "denied");
>
> out_map->size = i;
> @@ -644,7 +642,7 @@ static void context_struct_compute_av(struct policydb 
> *policydb,
>
> if (unlikely(!tclass || tclass > policydb->p_classes.nprim)) {
> if (printk_ratelimit())
> -   printk(KERN_WARNING "SELinux:  Invalid class %hu\n", 
> tclass);
> +   pr_warn("SELinux:  Invalid class %hu\n", tclass);
> return;
> }
>
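Review bot: the `if (printk_ratelimit()) pr_warn(...)` pair in context_struct_compute_av() would be better expressed as a single `pr_warn_ratelimited("SELinux:  Invalid class %hu\n", tclass);`. printk_ratelimit() uses one global rate-limit state shared by every caller in the kernel, so an unrelated chatty subsystem can suppress this SELinux warning (or vice versa); pr_warn_ratelimited() keeps per-call-site state and removes the conditional. Worth a follow-up patch if it is out of scope for a mechanical conversion.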
> @@ -793,7 +791,7 @@ static int security_compute_validatetrans(struct 
> selinux_state *state,
>
> ocontext = sidtab_search(sidtab, oldsid);
> if (!ocontext) {
> -   printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
> +   pr_err("SELinux: %s:  unrecognized SID %d\n",
> __func__, oldsid);
> rc = -EINVAL;
> goto out;
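Review bot: `oldsid` is a u32, so `"unrecognized SID %d"` prints it as signed; the security_bounded_transition() hunks below use `%u` for the same kind of value. Since the format string is being rewritten here, switch the three security_compute_validatetrans() messages (oldsid, newsid, tasksid) to `%u` so the file is consistent.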
> @@ -801,7 +799,7 @@ static int security_compute_validatetrans(struct 
> selinux_state *state,
>
> ncontext = sidtab_search(sidtab, newsid);
> if (!ncontext) {
> -   printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
> +   pr_err("SELinux: %s:  unrecognized SID %d\n",
> __func__, newsid);
> rc = -EINVAL;
> goto out;
> @@ -809,7 +807,7 @@ static int security_compute_validatetrans(struct 
> selinux_state *state,
>
> tcontext = sidtab_search(sidtab, tasksid);
> if (!tcontext) {
> -   printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
> +   pr_err("SELinux: %s:  unrecognized SID %d\n",
> __func__, tasksid);
> rc = -EINVAL;
> goto out;
> @@ -883,7 +881,7 @@ int security_bounded_transition(struct selinux_state 
> *state,
> rc = -EINVAL;
> old_context = sidtab_search(sidtab, old_sid);
> if (!old_context) {
> -   printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
> +   pr_err("SELinux: %s: unrecognized SID %u\n",
>__func__, old_sid);
> goto out;
> }
> @@ -891,7 +889,7 @@ int security_bounded_transition(struct selinux_state 
> *state,
> rc = -EINVAL;
> new_context = sidtab_search(sidtab, new_sid);
> if (!new_context) {
> -   printk(KERN_ERR "SELinux: %s: unrecognized SID %u\n",
> +   pr_err("SELinux: %s: unrecognized SID %u\n",
>__func__, new_sid);
> goto out;
> }
> @@ -1040,14 +1038,14 @@ void security_compute_xperms_decision(struct 
> selinux_state *state,
>
> scontext = sidtab_search(sidtab, ssid);
> if (!scontext) {
> -   printk(KERN_ERR "SELinux: %s:  unrecognized SID %d\n",
> +   pr_err("SELinux: 

Re: [PATCH 05/13] selinux: Cleanup printk logging in avtab

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/ss/avtab.c | 51 
> +++--
>  1 file changed, 26 insertions(+), 25 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
> index a2c9148b0662..c0417cf17fee 100644
> --- a/security/selinux/ss/avtab.c
> +++ b/security/selinux/ss/avtab.c
> @@ -338,7 +338,7 @@ int avtab_alloc(struct avtab *h, u32 nrules)
> h->nel = 0;
> h->nslot = nslot;
> h->mask = mask;
> -   printk(KERN_DEBUG "SELinux: %d avtab hash slots, %d rules.\n",
> +   pr_debug("SELinux: %d avtab hash slots, %d rules.\n",
>h->nslot, nrules);
> return 0;
>  }
> @@ -368,7 +368,7 @@ void avtab_hash_eval(struct avtab *h, char *tag)
> }
> }
>
> -   printk(KERN_DEBUG "SELinux: %s:  %d entries and %d/%d buckets used, "
> +   pr_debug("SELinux: %s:  %d entries and %d/%d buckets used, "
>"longest chain length %d sum of chain length^2 %llu\n",
>tag, h->nel, slots_used, h->nslot, max_chain_len,
>chain2_len_sum);
> @@ -407,18 +407,18 @@ int avtab_read_item(struct avtab *a, void *fp, struct 
> policydb *pol,
> if (vers < POLICYDB_VERSION_AVTAB) {
> rc = next_entry(buf32, fp, sizeof(u32));
> if (rc) {
> -   printk(KERN_ERR "SELinux: avtab: truncated entry\n");
> +   pr_err("SELinux: avtab: truncated entry\n");
> return rc;
> }
> items2 = le32_to_cpu(buf32[0]);
> if (items2 > ARRAY_SIZE(buf32)) {
> -   printk(KERN_ERR "SELinux: avtab: entry overflow\n");
> +   pr_err("SELinux: avtab: entry overflow\n");
> return -EINVAL;
>
> }
> rc = next_entry(buf32, fp, sizeof(u32)*items2);
> if (rc) {
> -   printk(KERN_ERR "SELinux: avtab: truncated entry\n");
> +   pr_err("SELinux: avtab: truncated entry\n");
> return rc;
> }
> items = 0;
> @@ -426,19 +426,19 @@ int avtab_read_item(struct avtab *a, void *fp, struct 
> policydb *pol,
> val = le32_to_cpu(buf32[items++]);
> key.source_type = (u16)val;
> if (key.source_type != val) {
> -   printk(KERN_ERR "SELinux: avtab: truncated source 
> type\n");
> +   pr_err("SELinux: avtab: truncated source type\n");
> return -EINVAL;
> }
> val = le32_to_cpu(buf32[items++]);
> key.target_type = (u16)val;
> if (key.target_type != val) {
> -   printk(KERN_ERR "SELinux: avtab: truncated target 
> type\n");
> +   pr_err("SELinux: avtab: truncated target type\n");
> return -EINVAL;
> }
> val = le32_to_cpu(buf32[items++]);
> key.target_class = (u16)val;
> if (key.target_class != val) {
> -   printk(KERN_ERR "SELinux: avtab: truncated target 
> class\n");
> +   pr_err("SELinux: avtab: truncated target class\n");
> return -EINVAL;
> }
>
> @@ -446,16 +446,16 @@ int avtab_read_item(struct avtab *a, void *fp, struct 
> policydb *pol,
> enabled = (val & AVTAB_ENABLED_OLD) ? AVTAB_ENABLED : 0;
>
> if (!(val & (AVTAB_AV | AVTAB_TYPE))) {
> -   printk(KERN_ERR "SELinux: avtab: null entry\n");
> +   pr_err("SELinux: avtab: null entry\n");
> return -EINVAL;
> }
> if ((val & AVTAB_AV) &&
> (val & AVTAB_TYPE)) {
> -   printk(KERN_ERR "SELinux: avtab: entry has both 
> access vectors and types\n");
> +   pr_err("SELinux: avtab: entry has both access vectors 
> and types\n");
> return -EINVAL;
> }
> if (val & AVTAB_XPERMS) {
> -   printk(KERN_ERR "SELinux: avtab: entry has extended 
> permissions\n");
> +   pr_err("SELinux: avtab: entry has extended 
> permissions\n");
> return -EINVAL;
> }
>
> @@ -470,7 +470,8 @@ int avtab_read_item(struct avtab *a, void *fp, struct 
> policydb *pol,
> }
>
> if (items != items2) {
> -   printk(KERN_ERR "SELinux: avtab: entry only had %d 
> items, expected %d\n", items2, items);
> +   pr_err("SELinux: avtab: entry 

Re: [PATCH 02/13] selinux: Cleanup printk logging in ebitmap

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/ss/ebitmap.c | 15 +++
>  1 file changed, 7 insertions(+), 8 deletions(-)

Merged, thanks.

> diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
> index 5ae8c61b75bf..8f624f80055b 100644
> --- a/security/selinux/ss/ebitmap.c
> +++ b/security/selinux/ss/ebitmap.c
> @@ -362,7 +362,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
> count = le32_to_cpu(buf[2]);
>
> if (mapunit != BITS_PER_U64) {
> -   printk(KERN_ERR "SELinux: ebitmap: map size %u does not "
> +   pr_err("SELinux: ebitmap: map size %u does not "
>"match my size %zd (high bit was %d)\n",
>mapunit, BITS_PER_U64, e->highbit);
> goto bad;
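Review bot: the `%zd` in `"map size %u does not match my size %zd"` is paired with BITS_PER_U64, a sizeof-derived (unsigned size_t) expression, so the matching specifier is `%zu`; likewise `e->highbit` is a u32 printed with `%d`. Neither is introduced by this patch, but the format line is being edited and `pr_err(` makes it short enough to fix without re-wrapping.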
> @@ -383,19 +383,19 @@ int ebitmap_read(struct ebitmap *e, void *fp)
> for (i = 0; i < count; i++) {
> rc = next_entry(, fp, sizeof(u32));
> if (rc < 0) {
> -   printk(KERN_ERR "SELinux: ebitmap: truncated map\n");
> +   pr_err("SELinux: ebitmap: truncated map\n");
> goto bad;
> }
> startbit = le32_to_cpu(startbit);
>
> if (startbit & (mapunit - 1)) {
> -   printk(KERN_ERR "SELinux: ebitmap start bit (%d) is "
> +   pr_err("SELinux: ebitmap start bit (%d) is "
>"not a multiple of the map unit size (%u)\n",
>startbit, mapunit);
> goto bad;
> }
> if (startbit > e->highbit - mapunit) {
> -   printk(KERN_ERR "SELinux: ebitmap start bit (%d) is "
> +   pr_err("SELinux: ebitmap start bit (%d) is "
>"beyond the end of the bitmap (%u)\n",
>startbit, (e->highbit - mapunit));
> goto bad;
> @@ -405,8 +405,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
> struct ebitmap_node *tmp;
> tmp = kmem_cache_zalloc(ebitmap_node_cachep, 
> GFP_KERNEL);
> if (!tmp) {
> -   printk(KERN_ERR
> -  "SELinux: ebitmap: out of memory\n");
> +   pr_err("SELinux: ebitmap: out of memory\n");
> rc = -ENOMEM;
> goto bad;
> }
> @@ -418,7 +417,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
> e->node = tmp;
> n = tmp;
> } else if (startbit <= n->startbit) {
> -   printk(KERN_ERR "SELinux: ebitmap: start bit %d"
> +   pr_err("SELinux: ebitmap: start bit %d"
>" comes after start bit %d\n",
>startbit, n->startbit);
> goto bad;
> @@ -426,7 +425,7 @@ int ebitmap_read(struct ebitmap *e, void *fp)
>
> rc = next_entry(, fp, sizeof(u64));
> if (rc < 0) {
> -   printk(KERN_ERR "SELinux: ebitmap: truncated map\n");
> +   pr_err("SELinux: ebitmap: truncated map\n");
> goto bad;
> }
> map = le64_to_cpu(map);
> --
> 2.15.1
>


-- 
paul moore
www.paul-moore.com



Re: [PATCH 04/13] selinux: Cleanup printk logging in hooks

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/hooks.c | 68 
> +++-
>  1 file changed, 33 insertions(+), 35 deletions(-)

Merged, thank you.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 4cafe6a19167..3ab9687ac4c8 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -531,7 +531,7 @@ static int sb_finish_set_opts(struct super_block *sb)
>the first boot of the SELinux kernel before we have
>assigned xattr values to the filesystem. */
> if (!(root_inode->i_opflags & IOP_XATTR)) {
> -   printk(KERN_WARNING "SELinux: (dev %s, type %s) has 
> no "
> +   pr_warn("SELinux: (dev %s, type %s) has no "
>"xattr support\n", sb->s_id, sb->s_type->name);
> rc = -EOPNOTSUPP;
> goto out;
> @@ -540,11 +540,11 @@ static int sb_finish_set_opts(struct super_block *sb)
> rc = __vfs_getxattr(root, root_inode, XATTR_NAME_SELINUX, 
> NULL, 0);
> if (rc < 0 && rc != -ENODATA) {
> if (rc == -EOPNOTSUPP)
> -   printk(KERN_WARNING "SELinux: (dev %s, type "
> +   pr_warn("SELinux: (dev %s, type "
>"%s) has no security xattr handler\n",
>sb->s_id, sb->s_type->name);
> else
> -   printk(KERN_WARNING "SELinux: (dev %s, type "
> +   pr_warn("SELinux: (dev %s, type "
>"%s) getxattr errno %d\n", sb->s_id,
>sb->s_type->name, -rc);
> goto out;
> @@ -743,7 +743,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> goto out;
> }
> rc = -EINVAL;
> -   printk(KERN_WARNING "SELinux: Unable to set superblock 
> options "
> +   pr_warn("SELinux: Unable to set superblock options "
> "before the security server is initialized\n");
> goto out;
> }
> @@ -785,7 +785,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>  mount_options[i], ,
>  GFP_KERNEL);
> if (rc) {
> -   printk(KERN_WARNING "SELinux: 
> security_context_str_to_sid"
> +   pr_warn("SELinux: security_context_str_to_sid"
>"(%s) failed for (dev %s, type %s) errno=%d\n",
>mount_options[i], sb->s_id, name, rc);
> goto out;
> @@ -861,8 +861,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
>  */
> rc = security_fs_use(_state, sb);
> if (rc) {
> -   printk(KERN_WARNING
> -   "%s: security_fs_use(%s) returned %d\n",
> +   pr_warn("%s: security_fs_use(%s) returned %d\n",
> __func__, sb->s_type->name, rc);
> goto out;
> }
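Review bot: this message (`"%s: security_fs_use(%s) returned %d\n"`) is the only one in the hunks shown without the "SELinux: " prefix, so it will not be found by anyone grepping dmesg for SELinux. Rather than prefixing each format string by hand, the idiomatic companion to a pr_* conversion is `#define pr_fmt(fmt) "SELinux: " fmt` placed before the includes, after which the prefix can be dropped from every pr_warn()/pr_err() in the file. That would be a larger diff, so at minimum add the prefix here.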
> @@ -948,7 +947,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> if (sbsec->behavior != SECURITY_FS_USE_XATTR &&
> sbsec->behavior != SECURITY_FS_USE_NATIVE) {
> rc = -EINVAL;
> -   printk(KERN_WARNING "SELinux: defcontext option is "
> +   pr_warn("SELinux: defcontext option is "
>"invalid for this filesystem type\n");
> goto out;
> }
> @@ -970,7 +969,7 @@ static int selinux_set_mnt_opts(struct super_block *sb,
> return rc;
>  out_double_mount:
> rc = -EINVAL;
> -   printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, 
> different "
> +   pr_warn("SELinux: mount invalid.  Same superblock, different "
>"security settings for (dev %s, type %s)\n", sb->s_id, name);
> goto out;
>  }
> @@ -999,7 +998,7 @@ static int selinux_cmp_sb_context(const struct 
> super_block *oldsb,
> }
> return 0;
>  mismatch:
> -   printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, "
> +   pr_warn("SELinux: mount invalid.  Same superblock, "
> "different security settings for (dev %s, "
> "type %s)\n", newsb->s_id, newsb->s_type->name);
> return -EBUSY;
> @@ -1107,7 +1106,7 @@ static int selinux_parse_opts_str(char 

Re: [PATCH 03/13] selinux: Cleanup printk logging in policydb

2018-06-19 Thread Paul Moore
On Tue, Jun 19, 2018 at 12:45 PM Joe Perches  wrote:
>
> On Tue, 2018-06-19 at 12:41 -0400, Paul Moore wrote:
> > On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
> >  wrote:
> > >
> > > Replace printk with pr_* to avoid checkpatch warnings and
> > > replace KERN_CONT with 2 longer prints.
> > >
> > > Signed-off-by: Peter Enderborg 
> > > ---
> > >  security/selinux/ss/policydb.c | 91 
> > > +-
> > >  1 file changed, 46 insertions(+), 45 deletions(-)
> >
> > Merged, thank you.  While removing the separate KERN_CONT message
> > introduces some duplication, I think that's the right thing to do.
> >
> > > diff --git a/security/selinux/ss/policydb.c 
> > > b/security/selinux/ss/policydb.c
> []
> > > @@ -504,7 +504,7 @@ static void hash_eval(struct hashtab *h, const char 
> > > *hash_name)
> > > struct hashtab_info info;
> > >
> > > hashtab_stat(h, );
> > > -   printk(KERN_DEBUG "SELinux: %s:  %d entries and %d/%d buckets 
> > > used, "
> > > +   pr_debug("SELinux: %s:  %d entries and %d/%d buckets used, "
> > >"longest chain length %d\n", hash_name, h->nel,
> > >info.slots_used, h->size, info.max_chain_len);
> > >  }
> > > @@ -533,15 +533,17 @@ static int policydb_index(struct policydb *p)
> > >  {
> > > int i, rc;
> > >
> > > -   printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d 
> > > bools",
> > > -  p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, 
> > > p->p_bools.nprim);
> > > if (p->mls_enabled)
> > > -   printk(KERN_CONT ", %d sens, %d cats", p->p_levels.nprim,
> > > -  p->p_cats.nprim);
> > > -   printk(KERN_CONT "\n");
> > > +   pr_debug("SELinux:  %d users, %d roles, %d types, %d 
> > > bools, %d sens, %d cats",
> > > +p->p_users.nprim, p->p_roles.nprim, 
> > > p->p_types.nprim,
> > > +p->p_bools.nprim, p->p_levels.nprim, 
> > > p->p_cats.nprim);
> > > +   else
> > > +   pr_debug("SELinux:  %d users, %d roles, %d types, %d 
> > > bools",
> > > +p->p_users.nprim, p->p_roles.nprim, 
> > > p->p_types.nprim,
> > > +p->p_bools.nprim);
>
> This lost the terminating newline on each pr_debug

Good catch.  I haven't pushed to selinux/next yet, and this is pretty
minor, so I'll just fix that up in the merge.

-- 
paul moore
www.paul-moore.com

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [PATCH 03/13] selinux: Cleanup printk logging in policydb

2018-06-19 Thread Joe Perches
On Tue, 2018-06-19 at 12:41 -0400, Paul Moore wrote:
> On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
>  wrote:
> > 
> > Replace printk with pr_* to avoid checkpatch warnings and
> > replace KERN_CONT with 2 longer prints.
> > 
> > Signed-off-by: Peter Enderborg 
> > ---
> >  security/selinux/ss/policydb.c | 91 
> > +-
> >  1 file changed, 46 insertions(+), 45 deletions(-)
> 
> Merged, thank you.  While removing the separate KERN_CONT message
> introduces some duplication, I think that's the right thing to do.
> 
> > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
[]
> > @@ -504,7 +504,7 @@ static void hash_eval(struct hashtab *h, const char 
> > *hash_name)
> > struct hashtab_info info;
> > 
> > hashtab_stat(h, );
> > -   printk(KERN_DEBUG "SELinux: %s:  %d entries and %d/%d buckets used, 
> > "
> > +   pr_debug("SELinux: %s:  %d entries and %d/%d buckets used, "
> >"longest chain length %d\n", hash_name, h->nel,
> >info.slots_used, h->size, info.max_chain_len);
> >  }
> > @@ -533,15 +533,17 @@ static int policydb_index(struct policydb *p)
> >  {
> > int i, rc;
> > 
> > -   printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d 
> > bools",
> > -  p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, 
> > p->p_bools.nprim);
> > if (p->mls_enabled)
> > -   printk(KERN_CONT ", %d sens, %d cats", p->p_levels.nprim,
> > -  p->p_cats.nprim);
> > -   printk(KERN_CONT "\n");
> > +   pr_debug("SELinux:  %d users, %d roles, %d types, %d bools, 
> > %d sens, %d cats",
> > +p->p_users.nprim, p->p_roles.nprim, 
> > p->p_types.nprim,
> > +p->p_bools.nprim, p->p_levels.nprim, 
> > p->p_cats.nprim);
> > +   else
> > +   pr_debug("SELinux:  %d users, %d roles, %d types, %d bools",
> > +p->p_users.nprim, p->p_roles.nprim, 
> > p->p_types.nprim,
> > +p->p_bools.nprim);

This lost the terminating newline on each pr_debug



Re: [PATCH 03/13] selinux: Cleanup printk logging in policydb

2018-06-19 Thread Paul Moore
On Tue, Jun 12, 2018 at 4:09 AM Peter Enderborg
 wrote:
>
> Replace printk with pr_* to avoid checkpatch warnings and
> replace KERN_CONT with 2 longer prints.
>
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/ss/policydb.c | 91 
> +-
>  1 file changed, 46 insertions(+), 45 deletions(-)

Merged, thank you.  While removing the separate KERN_CONT message
introduces some duplication, I think that's the right thing to do.

> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 6e8c8056d7ad..4e82c5fcd1a1 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -504,7 +504,7 @@ static void hash_eval(struct hashtab *h, const char 
> *hash_name)
> struct hashtab_info info;
>
> hashtab_stat(h, );
> -   printk(KERN_DEBUG "SELinux: %s:  %d entries and %d/%d buckets used, "
> +   pr_debug("SELinux: %s:  %d entries and %d/%d buckets used, "
>"longest chain length %d\n", hash_name, h->nel,
>info.slots_used, h->size, info.max_chain_len);
>  }
> @@ -533,15 +533,17 @@ static int policydb_index(struct policydb *p)
>  {
> int i, rc;
>
> -   printk(KERN_DEBUG "SELinux:  %d users, %d roles, %d types, %d bools",
> -  p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, 
> p->p_bools.nprim);
> if (p->mls_enabled)
> -   printk(KERN_CONT ", %d sens, %d cats", p->p_levels.nprim,
> -  p->p_cats.nprim);
> -   printk(KERN_CONT "\n");
> +   pr_debug("SELinux:  %d users, %d roles, %d types, %d bools, 
> %d sens, %d cats",
> +p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
> +p->p_bools.nprim, p->p_levels.nprim, 
> p->p_cats.nprim);
> +   else
> +   pr_debug("SELinux:  %d users, %d roles, %d types, %d bools",
> +p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim,
> +p->p_bools.nprim);
>
> -   printk(KERN_DEBUG "SELinux:  %d classes, %d rules\n",
> -  p->p_classes.nprim, p->te_avtab.nel);
> +   pr_debug("SELinux:  %d classes, %d rules\n",
> +p->p_classes.nprim, p->te_avtab.nel);
>
>  #ifdef DEBUG_HASHES
> avtab_hash_eval(>te_avtab, "rules");
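Review bot: printk(KERN_DEBUG ...) and pr_debug() are not interchangeable, so this hunk is a behaviour change rather than only a checkpatch fix: pr_debug() expands to no_printk() unless DEBUG is defined for the file or CONFIG_DYNAMIC_DEBUG is enabled (and with dynamic debug it stays silent until switched on at runtime), whereas printk(KERN_DEBUG ...) always emits at loglevel 7. The "SELinux:  %d users, %d roles, ..." and "SELinux:  %d classes, %d rules" lines therefore disappear from dmesg at policy load on most builds. If that is the intent, say so in the commit message; if not, keep printk(KERN_DEBUG ...) or use pr_info() for these two. Separately, both new pr_debug() formats in the if/else branches lost the terminating "\n" that the removed printk(KERN_CONT "\n") supplied; the "classes, rules" format just below keeps its "\n" and these should too.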
> @@ -897,7 +899,7 @@ int policydb_load_isids(struct policydb *p, struct sidtab 
> *s)
>
> rc = sidtab_init(s);
> if (rc) {
> -   printk(KERN_ERR "SELinux:  out of memory on SID table 
> init\n");
> +   pr_err("SELinux:  out of memory on SID table init\n");
> goto out;
> }
>
> @@ -905,14 +907,14 @@ int policydb_load_isids(struct policydb *p, struct 
> sidtab *s)
> for (c = head; c; c = c->next) {
> rc = -EINVAL;
> if (!c->context[0].user) {
> -   printk(KERN_ERR "SELinux:  SID %s was never 
> defined.\n",
> +   pr_err("SELinux:  SID %s was never defined.\n",
> c->u.name);
> goto out;
> }
>
> rc = sidtab_insert(s, c->sid[0], >context[0]);
> if (rc) {
> -   printk(KERN_ERR "SELinux:  unable to load initial SID 
> %s.\n",
> +   pr_err("SELinux:  unable to load initial SID %s.\n",
> c->u.name);
> goto out;
> }
> @@ -1005,13 +1007,13 @@ static int mls_read_range_helper(struct mls_range *r, 
> void *fp)
> rc = -EINVAL;
> items = le32_to_cpu(buf[0]);
> if (items > ARRAY_SIZE(buf)) {
> -   printk(KERN_ERR "SELinux: mls:  range overflow\n");
> +   pr_err("SELinux: mls:  range overflow\n");
> goto out;
> }
>
> rc = next_entry(buf, fp, sizeof(u32) * items);
> if (rc) {
> -   printk(KERN_ERR "SELinux: mls:  truncated range\n");
> +   pr_err("SELinux: mls:  truncated range\n");
> goto out;
> }
>
> @@ -1023,19 +1025,19 @@ static int mls_read_range_helper(struct mls_range *r, 
> void *fp)
>
> rc = ebitmap_read(>level[0].cat, fp);
> if (rc) {
> -   printk(KERN_ERR "SELinux: mls:  error reading low 
> categories\n");
> +   pr_err("SELinux: mls:  error reading low categories\n");
> goto out;
> }
> if (items > 1) {
> rc = ebitmap_read(>level[1].cat, fp);
> if (rc) {
> -   printk(KERN_ERR "SELinux: mls:  error reading high 
> categories\n");
> +   pr_err("SELinux: mls:  error reading high 
> categories\n");
> goto bad_high;
> }
> } else {
> rc = ebitmap_cpy(>level[1].cat, >level[0].cat);
> if (rc) {
> -  

Re: [PATCH 01/13] selinux: Cleanup printk logging in conditional

2018-06-19 Thread Paul Moore
On Wed, Jun 13, 2018 at 2:23 AM peter enderborg
 wrote:
> On 06/12/2018 04:38 PM, Joe Perches wrote:
> > On Tue, 2018-06-12 at 10:09 +0200, Peter Enderborg wrote:
> >> Replace printk with pr_* to avoid checkpatch warnings.
> > I believe it would be nicer to remove the
> > "SELinux: " prefix embedded in each format
> > and use a specific
> >
> > #define pr_fmt(fmt) "SELinux: " fmt
> >
> > to automatically prefix these formats.
>
> I can't argue about that; however, some of the warnings and debug prints in
> this set do not have this, so it will then change the actual output. (And I
> also think that they should have the prefix, but I don't know why they
> don't.) So I am not sure if it is appropriate for a cleanup patch; it is
> supposed to have no functional change.

As others have mentioned, I think this patch is still a step forward
so I'm going to go ahead and merge it; thanks Peter.

As far as the prefix, or lack of, is concerned, that's probably an
oversight that we should fix at some point, but we would need to look
at each instance to verify.

-- 
paul moore
www.paul-moore.com
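Added example, not part of this thread or the patch set: a user-space model of the pr_fmt() mechanism Joe proposes and of Peter's objection, so both outcomes can be seen side by side. It stands in for include/linux/printk.h with a pr_warn_to() macro that formats into a buffer instead of the kernel log; that macro, the function names and the constructed "unrecognized mount option" message are this example's own assumptions, not kernel code.

```c
/* Added example, not code from the patch set or the kernel: a user-space model of
 * how the kernel's per-file pr_fmt() prefix is applied, and what it does to
 * formats that already carry "SELinux: " versus formats that never had it.
 *
 * In the kernel, include/linux/printk.h defines pr_warn(fmt, ...) as
 * printk(KERN_WARNING pr_fmt(fmt), ...) and supplies a default pr_fmt(fmt) that
 * expands to fmt unless the .c file defined its own pr_fmt *before* including it.
 * pr_warn_to() below is this example's stand-in; it writes into a buffer so the
 * result can be inspected.
 */
#include <stdio.h>
#include <string.h>

/* The per-file prefix Joe suggests. It must precede the "header" below. */
#define pr_fmt(fmt) "SELinux: " fmt

/* --- stand-in for include/linux/printk.h --- */
#ifndef pr_fmt
#define pr_fmt(fmt) fmt /* kernel default when the file defines none: no prefix */
#endif
/* The prefix is glued on by compile-time string-literal concatenation, so the
 * formatter never sees fmt alone, only pr_fmt(fmt). */
#define pr_warn_to(buf, fmt, ...) \
	snprintf((buf), sizeof(buf), pr_fmt(fmt), __VA_ARGS__)
/* --- end stand-in --- */

static char out_inline[128], out_clean[128], out_bare[128];

/* A format that still embeds the prefix, as the patch set leaves them:
 * with pr_fmt() defined, the prefix is emitted twice. */
const char *warn_inline_prefix(int ifindex)
{
	pr_warn_to(out_inline,
		   "SELinux: failure in %s(), invalid network interface (%d)\n",
		   "sel_netif_sid_slow", ifindex);
	return out_inline;
}

/* The same message with the embedded prefix stripped: pr_fmt() restores it. */
const char *warn_pr_fmt_only(int ifindex)
{
	pr_warn_to(out_clean,
		   "failure in %s(), invalid network interface (%d)\n",
		   "sel_netif_sid_slow", ifindex);
	return out_clean;
}

/* A message that never carried the prefix (Peter's concern; constructed text):
 * pr_fmt() changes its output, so the conversion is not behaviour-neutral. */
const char *warn_previously_bare(const char *opt)
{
	pr_warn_to(out_bare, "unrecognized mount option %s\n", opt);
	return out_bare;
}

int main(void)
{
	fputs(warn_inline_prefix(7), stdout);
	fputs(warn_pr_fmt_only(7), stdout);
	fputs(warn_previously_bare("foo"), stdout);
	return 0;
}
```

With pr_fmt() in place, any format that still embeds "SELinux: " is printed with the prefix twice, and any message that never had it gains one. A pr_fmt() conversion therefore has to strip the prefix from every format in the file in the same change, and it alters the text of the previously unprefixed messages, which is why it is reasonable to keep it out of a no-functional-change cleanup.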


Re: is_selinux_enabled() after chroot()

2018-06-19 Thread Petr Lautrbach
On Mon, Jun 18, 2018 at 04:06:11PM -0400, Stephen Smalley wrote:
> On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> > Hello,
> > 
> > libselinux sets selinux_mnt and has_selinux_config only in its constructor and
> > is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> > enabled. But it doesn't work correctly when you use chroot() to a directory
> > without /proc and /sys/fs/selinux mounted as it was discovered in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1321375
> > 
> > In this case, is_selinux_enabled() after chroot() returns true while in a new
> > program run from the chrooted process it returns false. It can be demonstrated
> > by the steps below.
> > 
> > The solution could be to check if selinux_mnt still exists whenever a function
> > depending on this is called. Would this be acceptable?
> 
> You want to call stat() or access(F_OK) on selinux_mnt and/or SELINUXCONFIG in
> is_selinux_enabled()?

Yes. I was thinking about something like this:

@@ -16,7 +16,7 @@ int is_selinux_enabled(void)
 #ifdef ANDROID
return (selinux_mnt ? 1 : 0);
 #else
-   return (selinux_mnt && has_selinux_config);
+   return (selinux_mnt && (access(selinux_mnt, F_OK) == 0) && 
has_selinux_config);
 #endif
 }
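Review bot: the re-check covers only selinux_mnt; has_selinux_config is still the value cached by the constructor, so the function keeps returning 1 after a chroot() into a tree that has selinuxfs mounted but no /etc/selinux/config, which is the other half of what the test program below reports ("/etc/selinux/config exists: -1"). If the lookup is made dynamic it should apply to SELINUXCONFIG as well. Note also that the ANDROID branch keeps the cached value only, so the two builds now answer differently for the same process state, and that access() adds a syscall (and a possible search-permission check on selinuxfs) to every is_selinux_enabled() call.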

But the problem seems to be more complex and it would probably be better to fix
it on a callers side - mount /sys/fs/selinux and /proc into chroots or do all
SELinux checks before chroot().

> Could potentially trigger a permission check that wasn't previously required,
> thereby breaking existing policies. Caller might just be checking to see if
> SELinux is enabled before using interfaces other than selinuxfs (e.g.
> setexeccon, setfilecon, etc) and therefore didn't previously need permissions
> to selinuxfs or /etc/selinux/config. So, possible but you'd need to make sure
> you don't break anything. Definitely don't want that changed in Android.
> > 
> > $ sudo dnf --nogpg --installroot=/var/lib/machines/example  install systemd
> > 
> > $ cat > test_libselinux.c <<EOF
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <sys/types.h>
> > #include <sys/wait.h>
> > #include <selinux/selinux.h>
> > 
> > int main(int argc, char *argv[]) {
> >   pid_t pid;
> >   int wstatus;
> > 
> >   /* Second invocation, exec'd from inside the chroot: libselinux's
> >    * constructor runs afresh and probes the new root. */
> >   if (argc > 1) {
> >     printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
> >     return 0;
> >   }
> >   if (chroot("/var/lib/machines/example") != 0)
> >     return -1;
> > 
> >   /* Same process after chroot(): libselinux still uses the selinux_mnt it
> >    * cached at load time, although the paths no longer resolve. */
> >   printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
> >   printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
> >   printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));
> > 
> >   /* chroot() does not change the working directory, so the relative path
> >    * still resolves to the binary outside the new root. */
> >   if ((pid = fork()) == 0) {
> >     execv("./test_is_selinux_enabled",
> >           (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL });
> >   }
> > 
> >   wait(&wstatus);
> >   return 0;
> > }
> > EOF
> > 
> > $ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
> > 
> > $ sudo ./test_is_selinux_enabled
> > SELinux in process after chroot(): 1
> > /sys/fs/selinux exists: -1
> > /etc/selinux/config exists: -1
> > 
> > SELinux in chrooted process: 0

Re: 'setsebool -P' works but throws errors; changes not permanent

2018-06-19 Thread Stephen Smalley
On 06/18/2018 04:33 PM, Mike Hughes wrote:
>> -Original Message-
>> From: Stephen Smalley 
>> Sent: Monday, June 18, 2018 15:28
>> To: Mike Hughes ; selinux@tycho.nsa.gov
>> Subject: Re: 'setsebool -P' works but throws errors; changes not permanent
>>
>> On 06/18/2018 03:44 PM, Mike Hughes wrote:
>>> We use Yubikey for two-factor ssh authentication which requires enabling a 
>>> Boolean
>> called “authlogin_yubikey”. It has been working fine until a few weeks ago. 
>> Errors appear
>> when attempting to set the policy:
>>>
>>>
>>>
>>> --
>>>
>>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
>>>
>>> authlogin_yubikey --> off
>>>
>>>
>>>
>>> [Cent-7:root@my_server home]# setsebool -P authlogin_yubikey on
>>>
>>> libsepol.context_from_record: type gpio_device_t is not defined
>>>
>>> libsepol.context_from_record: could not create context structure
>>>
>>> libsepol.context_from_string: could not create context structure
>>>
>>> libsepol.sepol_context_to_sid: could not convert 
>>> system_u:object_r:gpio_device_t:s0 to
>> sid
>>>
>>> invalid context system_u:object_r:gpio_device_t:s0
>>
>> Sounds like your policy is in an inconsistent internal state (somewhere you
>> have a context with gpio_device_t but the type isn't defined in the policy).
>>
>> What's your policy version?  And did it perhaps fail during %post when it was
>> updated - check yum.log?
> 
> Nothing stands out to me in yum.log

There would have been error messages during the update of the 
selinux-policy-targeted package.

You didn't mention your policy version.  On an updated CentOS 7 VM, I see:
$ rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch

And it has gpio_device_t defined:
$ seinfo -t | grep gpio_device_t
gpio_device_t

And this type is used in file_contexts:
$ semanage fcontext -l | grep gpio_device_t
/dev/gpiochip[0-9]+    character device    system_u:object_r:gpio_device_t:s0

> 
> 
>> Does semodule -B fail?
> 
> No, it completes without error:
> 
> --
> [Cent-7:root@my_server ~]# semodule -B
> [Cent-7:root@ my_server ~]# echo $?
> 0
> [Cent-7:root@ my_server ~]#
> --
>>
>> Might have to move aside your policy and reinstall it.
> 
> How might one accomplish this?

You could try first to just reinstall the package, e.g. yum reinstall 
selinux-policy-targeted.

If that doesn't resolve it, then export any local customizations you have and 
move aside your active policy store and try again, ala
semanage export -f exports
mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
yum reinstall selinux-policy-targeted

Then check that everything in the exports file is something you want to 
preserve, and if so, re-import it.
cat exports
semanage import -f exports

If that doesn't resolve it, you could move aside the entire policy tree and try 
again, ala
mv /etc/selinux/targeted /etc/selinux/targeted.old
yum reinstall selinux-policy-targeted

And then re-import your exports if desired/appropriate.

You may also have to re-insert any local policy modules you have defined; I 
don't think export/import handles modules, just other changes.

> 
>>> [Cent-7:root@my_server home]# getsebool authlogin_yubikey
>>> authlogin_yubikey --> on
>>> ---
>>>
>>> The system accepts two-factor while the above is set to “on”. After some
>>> undetermined time (or immediately after a reboot) the Boolean toggles off.
>>> This can be confirmed since semanage shows that the default is still set to
>>> “off”:
>>>
>>> --
>>> [Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
>>> SELinux boolean                State  Default Description
>>> ...
>>> authlogin_yubikey              (on   ,  off)  Allow authlogin to yubikey
>>> --
>>>
>>> It looks similar to the following bug on Fedora:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1559174

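Added example, not from the thread: a small diagnostic for the state Stephen describes above, a context that names gpio_device_t while the loaded policy does not define that type. It cross-checks the type in every file-context entry against the list of defined types, taking the output of the two commands he shows (seinfo -t and semanage fcontext -l) as its inputs; the function name and the constructed sample data are this example's own, not anything from the reporter's system.

```sh
#!/bin/sh
# Added diagnostic (not part of the thread): list types that file-context
# entries reference but the loaded policy does not define, i.e. the condition
# behind "libsepol.context_from_record: type gpio_device_t is not defined".
#
# On a real host, as root (the commands are the ones used in the thread):
#   undefined_fc_types "$(seinfo -t)" "$(semanage fcontext -l)"
# or, to check the compiled file_contexts and local additions directly:
#   undefined_fc_types "$(seinfo -t)" \
#       "$(cat /etc/selinux/targeted/contexts/files/file_contexts*)"

# undefined_fc_types DEFINED_TYPES FCONTEXT_LINES
#   DEFINED_TYPES:  newline-separated type names, one per line; a leading
#                   "Types: N" header such as seinfo prints is harmless.
#   FCONTEXT_LINES: file_contexts or "semanage fcontext -l" lines; the security
#                   context is always the last whitespace-separated field.
# Prints each type that occurs in a context but not in DEFINED_TYPES, once,
# sorted. Prints nothing when every referenced type is defined.
undefined_fc_types() {
    printf '%s\n' "$2" | awk -v defined="$1" '
        BEGIN {
            n = split(defined, names, "\n")
            for (i = 1; i <= n; i++) {
                t = names[i]
                gsub(/^[ \t]+|[ \t]+$/, "", t)   # seinfo indents each name
                if (t != "") known[t] = 1
            }
        }
        NF == 0 || /^[ \t]*#/ { next }           # blank lines and comments
        {
            ctx = $NF                             # user:role:type[:range]
            if (ctx == "<<none>>") next           # entry that carries no context
            if (split(ctx, f, ":") < 3) next      # not a context (e.g. a header)
            if (!(f[3] in known) && !(f[3] in seen)) {
                seen[f[3]] = 1
                print f[3]
            }
        }' | sort
}
```

Whatever the function prints is a type that some file-context entry references but the loaded policy no longer defines; that narrows the search to those entries and to the local customizations (semanage export -f) or modules that carry them. An empty result after the reinstall steps above confirms the store is consistent again.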