Re: [PATCH v3] libsemanage: remove lock files
Hello. On Wed, 26/04/2017 at 08.56 -0400, Stephen Smalley wrote: > On Wed, 2017-04-26 at 20:03 +0800, Jason Zaman wrote: > > On Tue, Apr 25, 2017 at 10:35:17PM +0200, Guido Trentalancia wrote: > > > Do not use flock() for file locking, but instead use generic text > > > files > > > that keep track of the process ID (PID) of the locking process. > > > > > > Remove semanage read and transaction lock files upon releasing > > > them. > > > > > > This third version fixes a bug in the previous version and also > > > applies > > > cleanly to the latest git tree. > > > > > > Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> > > > --- > > > src/Makefile |2 > > > src/semanage_store.c | 214 > > > +- > > > - > > > 2 files changed, 160 insertions(+), 56 deletions(-) > > > > > > --- a/src/Makefile2017-04-25 22:27:38.10427 +0200 > > > +++ b/src/Makefile2017-04-25 22:28:58.512555098 +0200 > > > @@ -91,7 +91,7 @@ $(LIBA): $(OBJS) > > > $(RANLIB) $@ > > > > > > $(LIBSO): $(LOBJS) > > > - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol > > > -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version- > > > script=libsemanage.map,-z,defs > > > + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lm -lsepol > > > -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version- > > > script=libsemanage.map,-z,defs > > > ln -sf $@ $(TARGET) > > > > > > $(LIBPC): $(LIBPC).in ../VERSION > > > --- a/src/semanage_store.c2017-04-20 16:30:21.218209972 > > > +0200 > > > +++ b/src/semanage_store.c2017-04-25 22:24:35.883556172 > > > +0200 > > > @@ -45,6 +45,8 @@ typedef struct dbase_policydb dbase_t; > > > #include > > > #include > > > #include > > > +#include > > > +#include > > > #include > > > #include > > > #include 
> > > @@ -52,11 +54,24 @@ typedef struct dbase_policydb dbase_t; > > > #include > > > #include > > > #include > > > +#include > > > #include > > > #include > > > #include > > > #include > > > > > > +#include > > > + > > > +#ifndef CONFIG_BASE_SMALL > > > +#define CONFIG_BASE_SMALL 0 > > > +#endif > > > + > > > +#include > > > + > > > +#ifndef PID_MAX_DEFAULT > > > +#define PID_MAX_DEFAULT 32768 > > > +#endif > > > + > > > #include "debug.h" > > > #include "utilities.h" > > > > > > @@ -76,6 +91,8 @@ enum semanage_file_defs { > > > static char > > > *semanage_paths[SEMANAGE_NUM_STORES][SEMANAGE_STORE_NUM_PATHS]; > > > static char *semanage_files[SEMANAGE_NUM_FILES] = { NULL }; > > > static int semanage_paths_initialized = 0; > > > +static int pid_max; > > > +static ssize_t pid_max_length; > > > > > > /* These are paths relative to the bottom of the module store */ > > > static const char *semanage_relative_files[SEMANAGE_NUM_FILES] = > > > { > > > @@ -427,8 +442,23 @@ cleanup: > > > int semanage_check_init(semanage_handle_t *sh, const char > > > *prefix) > > > { > > > int rc; > > > + int fd; > > > + char root[PATH_MAX]; > > > + ssize_t amount_read; > > > + > > > if (semanage_paths_initialized == 0) { > > > - char root[PATH_MAX]; > > > + pid_max = PID_MAX_DEFAULT; > > > + pid_max_length = ceil(log10(PID_MAX_DEFAULT + > > > 1)); > > > + > > > + fd = open("/proc/sys/kernel/pid_max", O_RDONLY); > > > + if (fd > 0) { > > > + char sysctlstring[pid_max_length]; > > > + amount_read = read(fd, sysctlstring, > > > pid_max_length); > > > + if (amount_read > 0) { > > > + pid_max = atoi(sysctlstring); > > > + pid_max_length = > > > ceil(log10(pid_max + 1)); > > > + } > > > + } > > > > > > rc = snprintf(root, > > > sizeof(root), > > > @@ -528,16 +558,23 @@ char *semanage_conf_path(void) > > > > > > /*
[PATCH v3] libsemanage: remove lock files
Do not use flock() for file locking, but instead use generic text files that keep track of the process ID (PID) of the locking process. Remove semanage read and transaction lock files upon releasing them. This third version fixes a bug in the previous version and also applies cleanly to the latest git tree. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- src/Makefile |2 src/semanage_store.c | 214 +-- 2 files changed, 160 insertions(+), 56 deletions(-) --- a/src/Makefile 2017-04-25 22:27:38.10427 +0200 +++ b/src/Makefile 2017-04-25 22:28:58.512555098 +0200 @@ -91,7 +91,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs + $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lm -lsepol -laudit -lselinux -lbz2 -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION --- a/src/semanage_store.c 2017-04-20 16:30:21.218209972 +0200 +++ b/src/semanage_store.c 2017-04-25 22:24:35.883556172 +0200 @@ -45,6 +45,8 @@ typedef struct dbase_policydb dbase_t; #include #include #include +#include +#include #include #include #include @@ -52,11 +54,24 @@ typedef struct dbase_policydb dbase_t; #include #include #include +#include #include #include #include #include +#include + +#ifndef CONFIG_BASE_SMALL +#define CONFIG_BASE_SMALL 0 +#endif + +#include + +#ifndef PID_MAX_DEFAULT +#define PID_MAX_DEFAULT 32768 +#endif + #include "debug.h" #include "utilities.h" @@ -76,6 +91,8 @@ enum semanage_file_defs { static char *semanage_paths[SEMANAGE_NUM_STORES][SEMANAGE_STORE_NUM_PATHS]; static char *semanage_files[SEMANAGE_NUM_FILES] = { NULL }; static int semanage_paths_initialized = 0; +static int pid_max; +static ssize_t pid_max_length; /* These are paths relative to the bottom of the module store */ static const char *semanage_relative_files[SEMANAGE_NUM_FILES] = { 
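Review bot: The `#ifndef CONFIG_BASE_SMALL` / `#ifndef PID_MAX_DEFAULT` guards wrapped around the new include in the `@@ -52,11 +54,24 @@` hunk indicate that a kernel-internal header is being pulled into userspace to obtain PID_MAX_DEFAULT (the header name itself is stripped in this copy of the mail); neither macro is part of the stable uapi, so the build breaks or silently changes on toolchains whose headers lack them. The hunk already provides a fallback `#define PID_MAX_DEFAULT 32768`, and semanage_check_init reads the real value from /proc/sys/kernel/pid_max at runtime, so the extra include and the CONFIG_BASE_SMALL define can be dropped and the fallback kept as the compile-time default. A comment such as `/* compile-time default for the kernel pid_max sysctl; semanage_check_init() overrides it from /proc/sys/kernel/pid_max */` would record why the constant exists.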
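Review bot: In the `@@ -76,6 +91,8 @@` hunk the new file-scope `pid_max_length` holds a decimal digit count (it is assigned from `ceil(log10(...))`), but nothing at the declaration says so, and the rest of the patch uses it directly as a buffer size: `char sysctlstring[pid_max_length]` in semanage_check_init, and `malloc(pid_max_length * sizeof(char))` followed by `sprintf(pid_string, "%d", pid)` in semanage_create_store, which writes the terminating NUL one byte past the allocation whenever the pid has exactly pid_max_length digits. The declarations should state the contract, e.g. `static int pid_max; /* kernel pid_max sysctl; PID_MAX_DEFAULT until semanage_check_init() reads /proc */` and `static size_t pid_max_length; /* decimal digits in pid_max, NOT counting the NUL terminator */`, and every buffer sized from it needs `+ 1`. `size_t` fits a count better than `ssize_t`, which here only mirrors the return type of read().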
@@ -427,8 +442,23 @@ cleanup: int semanage_check_init(semanage_handle_t *sh, const char *prefix) { int rc; + int fd; + char root[PATH_MAX]; + ssize_t amount_read; + if (semanage_paths_initialized == 0) { - char root[PATH_MAX]; + pid_max = PID_MAX_DEFAULT; + pid_max_length = ceil(log10(PID_MAX_DEFAULT + 1)); + + fd = open("/proc/sys/kernel/pid_max", O_RDONLY); + if (fd > 0) { + char sysctlstring[pid_max_length]; + amount_read = read(fd, sysctlstring, pid_max_length); + if (amount_read > 0) { + pid_max = atoi(sysctlstring); + pid_max_length = ceil(log10(pid_max + 1)); + } + } rc = snprintf(root, sizeof(root), @@ -528,16 +558,23 @@ char *semanage_conf_path(void) / functions that create module store ***/ -/* Check that the semanage store exists. If 'create' is non-zero then - * create the directories. Returns 0 if module store exists (either - * already or just created), -1 if does not exist or could not be - * read, or -2 if it could not create the store. */ +/* Check that the semanage store exists and that the read lock can be + * taken. If 'create' is non-zero then it creates the directories + * and the lock file. Returns 0 if the module store exists (either + * already or just created) and the read lock can be taken, -1 if it + * does not exist or it is not possible to read from it, or -2 if it + * could not create the store or it could not take the lock file. */ int semanage_create_store(semanage_handle_t * sh, int create) { struct stat sb; int mode_mask = R_OK | W_OK | X_OK; const char *path = semanage_files[SEMANAGE_ROOT]; int fd; + pid_t pid, lock_pid; + char *pid_string, *lock_pid_string; + size_t pid_length; + ssize_t pid_bytes; + int invalid_lock = 0; if (stat(path, ) == -1) { if (errno == ENOENT && create) { 
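Review bot: In the semanage_check_init hunk, `read(fd, sysctlstring, pid_max_length)` fills a VLA of exactly pid_max_length bytes with no room for a terminator, and `atoi(sysctlstring)` then scans past the end of the array (undefined behaviour; for the default 32768 the five digits fill the buffer completely). Any pid_max with more digits than PID_MAX_DEFAULT, such as the 4194304 many 64-bit kernels use, is also silently truncated to its first five digits, so the digit count derived from it is wrong as well. The descriptor is never closed, and `if (fd > 0)` rejects a legitimate descriptor 0, which a library cannot rule out. A fixed buffer, a terminator, strtol() with range checking and a close() fix all of these (INT_MAX comes from <limits.h>); the function's body continues past the end of the hunk.
```c
		fd = open("/proc/sys/kernel/pid_max", O_RDONLY);
		if (fd >= 0) {
			char sysctlstring[32];
			char *end;
			long value;

			amount_read = read(fd, sysctlstring, sizeof(sysctlstring) - 1);
			close(fd);
			if (amount_read > 0) {
				sysctlstring[amount_read] = '\0';
				errno = 0;
				value = strtol(sysctlstring, &end, 10);
				/* accept only a positive value that fits pid_max's int */
				if (end != sysctlstring && errno == 0 &&
				    value > 0 && value <= INT_MAX) {
					pid_max = (int)value;
					pid_max_length = ceil(log10(pid_max + 1));
				}
			}
		}
		/* … unchanged: snprintf(root, …) and the rest of the init … */
```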
@@ -607,24 +644,81 @@ int semanage_create_store(semanage_handl return -1; } } + pid = getpid(); + pid_string = malloc(pid_max_length * sizeof(char)); + sprintf(pid_string, "%d", pid); + pid_length = strlen(pid_string); path = semanage_files[SEMANAGE_READ_LOCK]; if (stat(path, ) == -1) { if (errno == ENOENT && create) { if ((fd = creat(path, S_IRUSR | S_IWUSR)) == -1) { ERR(sh, "Cou
Re: [PATCH] libsemanage: remove lock files
Also, another major benefit of not using flock() comes when using NFS (probably a very rare circumstance, but not entirely impossible). It is possible to use the presence of a file (with the same name) to indicate an "active" lock: such a file should store the PID of the process that is requiring the lock. If a lock is found with a PID that does not exist, then such a lock is considered invalid and it is removed. That is it really... Regards, Guido On the 24th of April 2017 19:51:27 CEST, Guido Trentalancia <gu...@trentalancia.net> wrote: >Yes, we already discussed this possible race condition. > >Usually there is only one system administrator operating on the >semanage store, nevertheless it's worth having a robust locking >mechanism... > >This patch either needs further work to avoid using flock() and instead >using a simpler file lock mechanism with the added benefit of having a >cleaner filesystem without confusing stale files around or we just drop >the patch given it is not essential to keep things working. > >Regards, > >Guido > >On the 24th of April 2017 14:08:22 CEST, Alan Jenkins ><alan.christopher.jenk...@gmail.com> wrote: >>*expands thread >> >>Sorry, I see this has already been addressed. >> >> >>On 24/04/17 13:06, Alan Jenkins wrote: >>> On 20/04/17 15:38, Guido Trentalancia wrote: >>>> Remove semanage read and transaction lock files upon releasing >>>> them. >>> >>> What prevents this sequence? >>> >>> A release lock >>> B acquire lock >>> A unlink lock file >>> C create lock file >>> C acquire lock >>> >>>> Signed-off-by: Guido Trentalancia >>>> <guido-d1bseh+szqhuxeb9wql...@public.gmane.org> >>>> --- >>>> src/semanage_store.c |2 ++ >>>> 1 file changed, 2 insertions(+) >>>> >>>> diff -pruN a/src/semanage_store.c b/src/semanage_store.c >>>> --- a/src/semanage_store.c2016-10-14 17:31:26.0 +0200 >>>> +++ b/src/semanage_store.c2017-04-03 09:32:24.093627962 +0200 
>>>> @@ -1904,6 +1904,7 @@ void semanage_release_trans_lock(semanag
>>>> close(sh->u.direct.translock_file_fd);
>>>> sh->u.direct.translock_file_fd = -1;
>>>> }
>>>> +unlink(semanage_files[SEMANAGE_TRANS_LOCK]);
>>>> errno = errsv;
>>>> }
>>>> @@ -1917,6 +1918,7 @@ void semanage_release_active_lock(semana
>>>> close(sh->u.direct.activelock_file_fd);
>>>> sh->u.direct.activelock_file_fd = -1;
>>>> }
>>>> +unlink(semanage_files[SEMANAGE_READ_LOCK]);
>>>> errno = errsv;
>>>> }
>>>
>>>
>>>
Re: [PATCH] libsemanage: remove lock files
Yes, we already discussed this possible race condition. Usually there is only one system administrator operating on the semanage store, nevertheless it's worth having a robust locking mechanism... This patch either needs further work to avoid using flock() and instead using a simpler file lock mechanism with the added benefit of having a cleaner filesystem without confusing stale files around or we just drop the patch given it is not essential to keep things working. Regards, Guido On the 24th of April 2017 14:08:22 CEST, Alan Jenkins <alan.christopher.jenk...@gmail.com> wrote: >*expands thread > >Sorry, I see this has already been addressed. > > >On 24/04/17 13:06, Alan Jenkins wrote: >> On 20/04/17 15:38, Guido Trentalancia wrote: >>> Remove semanage read and transaction lock files upon releasing >>> them. >> >> What prevents this sequence? >> >> A release lock >> B acquire lock >> A unlink lock file >> C create lock file >> C acquire lock >> >>> Signed-off-by: Guido Trentalancia >>> <guido-d1bseh+szqhuxeb9wql...@public.gmane.org> >>> --- >>> src/semanage_store.c |2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff -pruN a/src/semanage_store.c b/src/semanage_store.c >>> --- a/src/semanage_store.c2016-10-14 17:31:26.0 +0200 >>> +++ b/src/semanage_store.c2017-04-03 09:32:24.093627962 +0200 >>> @@ -1904,6 +1904,7 @@ void semanage_release_trans_lock(semanag >>> close(sh->u.direct.translock_file_fd); >>> sh->u.direct.translock_file_fd = -1; >>> } >>> +unlink(semanage_files[SEMANAGE_TRANS_LOCK]); >>> errno = errsv; >>> } >>> @@ -1917,6 +1918,7 @@ void semanage_release_active_lock(semana >>> close(sh->u.direct.activelock_file_fd); >>> sh->u.direct.activelock_file_fd = -1; >>> } >>> +unlink(semanage_files[SEMANAGE_READ_LOCK]); >>> errno = errsv; >>> } >> >> >>
Re: [PATCH] libsemanage: remove lock files
Yes, I think you are right, it might lead to a race condition because it uses flock() already. It is better to leave things as they are. Please skip this patch ! Regards, Guido > On the 20th of April 2017 at 17.56 Stephen Smalley <s...@tycho.nsa.gov> wrote: > > > On Thu, 2017-04-20 at 17:45 +0200, Guido Trentalancia wrote: > > Hello Stephen. > > > > Usually, when a lock file is released, the corresponding file is > > removed from the filesystem for keeping it clean and tidy. > > > > I might be wrong... But why not ? > > > > If nothing is handling the semanage store, then there shouldn't be a > > reason for keeping it locked. The presence of a lock file, usually > > means that the lock is active. > > libsemanage doesn't use the lock files that way; it just uses them as > the object for flock() operations. So the presence of the lock file > means nothing. Removing it just means it will have to be re-created on > the next operation. Not fundamentally opposed, but someone would need > to validate that it doesn't cause any issues. It's been that way > forever. Maybe the original Tresys authors of this code have an > opinion on it.
Re: [PATCH] libsemanage: remove lock files
Hello and thanks for getting back. If it doesn't have any side-effect (as it should), then I think it's preferable that the filesystem is kept clean. It can be confusing too: because lock files are generally considered "active" when present in the filesystem. Well, you've heard my opinion and you have the very simple patch now. Feel free to do whatever you and the authors like with it... Regards, Guido > On the 20th of April 2017 at 17.56 Stephen Smalley <s...@tycho.nsa.gov> wrote: > > > On Thu, 2017-04-20 at 17:45 +0200, Guido Trentalancia wrote: > > Hello Stephen. > > > > Usually, when a lock file is released, the corresponding file is > > removed from the filesystem for keeping it clean and tidy. > > > > I might be wrong... But why not ? > > > > If nothing is handling the semanage store, then there shouldn't be a > > reason for keeping it locked. The presence of a lock file, usually > > means that the lock is active. > > libsemanage doesn't use the lock files that way; it just uses them as > the object for flock() operations. So the presence of the lock file > means nothing. Removing it just means it will have to be re-created on > the next operation. Not fundamentally opposed, but someone would need > to validate that it doesn't cause any issues. It's been that way > forever. Maybe the original Tresys authors of this code have an > opinion on it.
Re: [PATCH] libsemanage: remove lock files
Hello Stephen. Usually, when a lock file is released, the corresponding file is removed from the filesystem for keeping it clean and tidy. I might be wrong... But why not ? If nothing is handling the semanage store, then there shouldn't be a reason for keeping it locked. The presence of a lock file, usually means that the lock is active. Regards, Guido > On the 20th of April 2017 alle 17.44 Stephen Smalley <s...@tycho.nsa.gov> > wrote: > > > On Thu, 2017-04-20 at 16:38 +0200, Guido Trentalancia wrote: > > Remove semanage read and transaction lock files upon releasing > > them. > > Why? > > > > > Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> > > --- > > src/semanage_store.c |2 ++ > > 1 file changed, 2 insertions(+) > > > > diff -pruN a/src/semanage_store.c b/src/semanage_store.c > > --- a/src/semanage_store.c 2016-10-14 17:31:26.0 +0200 > > +++ b/src/semanage_store.c 2017-04-03 09:32:24.093627962 +0200 > > @@ -1904,6 +1904,7 @@ void semanage_release_trans_lock(semanag > > close(sh->u.direct.translock_file_fd); > > sh->u.direct.translock_file_fd = -1; > > } > > + unlink(semanage_files[SEMANAGE_TRANS_LOCK]); > > errno = errsv; > > } > > > > @@ -1917,6 +1918,7 @@ void semanage_release_active_lock(semana > > close(sh->u.direct.activelock_file_fd); > > sh->u.direct.activelock_file_fd = -1; > > } > > + unlink(semanage_files[SEMANAGE_READ_LOCK]); > > errno = errsv; > > }
[PATCH] libsemanage: remove lock files
Remove semanage read and transaction lock files upon releasing them.
Signed-off-by: Guido Trentalancia <gu...@trentalancia.net>
---
src/semanage_store.c |2 ++
1 file changed, 2 insertions(+)
diff -pruN a/src/semanage_store.c b/src/semanage_store.c
--- a/src/semanage_store.c 2016-10-14 17:31:26.0 +0200
+++ b/src/semanage_store.c 2017-04-03 09:32:24.093627962 +0200
@@ -1904,6 +1904,7 @@ void semanage_release_trans_lock(semanag
 close(sh->u.direct.translock_file_fd);
 sh->u.direct.translock_file_fd = -1;
 }
+ unlink(semanage_files[SEMANAGE_TRANS_LOCK]);
 errno = errsv;
 }
@@ -1917,6 +1918,7 @@ void semanage_release_active_lock(semana
 close(sh->u.direct.activelock_file_fd);
 sh->u.direct.activelock_file_fd = -1;
 }
+ unlink(semanage_files[SEMANAGE_READ_LOCK]);
 errno = errsv;
 }
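Review bot: The new `unlink()` in semanage_release_trans_lock is placed after the closing brace of the `if` that closes the descriptor, so it also runs when `translock_file_fd` was already -1 and this handle held no lock at all; the SEMANAGE_READ_LOCK hunk has the same placement. Its return value is discarded too, so a failure other than ENOENT (for example EACCES on a store the caller may only read) goes unnoticed while the lock file stays behind. The call belongs inside the `if`, and a failure can be reported through the file's non-fatal logging without disturbing the saved errno that the next line restores: `if (unlink(semanage_files[SEMANAGE_TRANS_LOCK]) == -1 && errno != ENOENT) WARN(sh, "could not remove transaction lock file");`. The enclosing `if` begins before the start of the hunk.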
Re: [PATCH v2] libsemanage: special handling of the identity reserved to system objects
Hello Jason, yes, you are right it's an obsolete problem in the Reference Policy. I was working on an obsolete git tree... Regards, Guido On the 10th of January 2017 14:14:44 CET, Jason Zaman <ja...@perfinion.com> wrote: >On Tue, Jan 10, 2017 at 02:11:24PM +0100, Guido Trentalancia wrote: >> Hello. >> >> I am not using the Fedora policy, but in Reference Policy, if I >comment out the line containing "system_u" in the files >config/appconfig-{standard,mcs,mls}/seusers then the problem >disappears... > >They were removed from refpolicy months ago: >https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511 >you should git pull or something. > >-- Jason > >> >> Regards, >> >> Guido >> >> Il 10 gennaio 2017 09:09:57 CET, Petr Lautrbach <plaut...@redhat.com> >ha scritto: >> >On 01/09/2017 07:51 PM, Stephen Smalley wrote: >> >> On Mon, 2017-01-09 at 19:46 +0100, Guido Trentalancia wrote: >> >>> Hello, >> >>> >> >>> the patch has been motivated by the fact that libsemanage >currently >> >>> searches for the user "system_u" in the passwd file and reports >> >"user >> >>> system_u not in passwd file". >> >> >> >> Don't shoot the messenger. That warning is because the Fedora >policy >> >> wrongly has system_u in its seusers/login mapping as a login name. > >> >We >> >> should fix it there instead by removing that entry, which should >not >> >be >> >> needed. >> > >> >This is supposed to be fixed in selinux-policy-3.13.1-219.fc25 >> > >> >Currently there's no plan to backport it to Fedora 24 as >genhomedircon >> >in Fedora 24 still uses hardcoded system_u. >> > >> > >> >>> >> >>> Also, I have considered the notes in the file policy/users from >> >>> Reference Policy. >> >>> >> >>> Finally, the prefix for system_u is wrongly set to "user_u" (it >> >>> shouldn't have it). >> >>> >> >>> I have tested the patch and it seems to work fine. >> >>> >> >>> I hope it helps. 
>> >>> >> >>> Kind regards, >> >>> >> >>> Guido Trentalancia >> >>> >> >>> On the 9th of January 2017 19:39:10 CET, Stephen Smalley >> ><sds@tycho.n >> >>> sa.gov> wrote: >> >>>> >> >>>> On Thu, 2016-12-29 at 19:45 +0100, Guido Trentalancia wrote: >> >>>>> >> >>>>> The following patch makes sure that the SELinux identity >> >>>>> reserved for system processes and objects is skipped >> >>>>> when adding users. >> >>>>> >> >>>>> A warning is produced when a Unix identity is found to be >> >>>>> equal to the SELinux user identity for system processes >> >>>>> and objects. >> >>>>> >> >>>>> This patch also avoids creating an extra record for a user >> >>>>> if there is no prefix. >> >>>> >> >>>> What problem are you encountering that motivated this patch? >> >>>> What is a test case for this problem? >> >>>> What is the behavior before and after this patch? >> >>>> >> >>>>> >> >>>>> >> >>>>> Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> >> >>>>> --- >> >>>>> include/semanage/user_record.h |2 ++ >> >>>>> src/genhomedircon.c| 23 +++ >> >>>>> src/user_extra_record.c| 39 >> >>>>> --- >> >>>>> src/user_record.c | 40 >+- >> >>>>> >> >>>>> -- >> >>>>> 4 files changed, 78 insertions(+), 26 deletions(-) >> >>>>> >> >>>>> diff -pru a/include/semanage/user_record.h >> >>>>> b/include/semanage/user_record.h >> >>>>> --- a/include/semanage/user_record.h 2016-10-14 >> >>>>> 17:31:26.0 +0200 >> >>>>> +++ b/include/semanage/user_record.h 2016-12-28 >
Re: [PATCH v2] libsemanage: special handling of the identity reserved to system objects
Hello, the patch has been motivated by the fact that libsemanage currently searches for the user "system_u" in the passwd file and reports "user system_u not in passwd file". Also, I have considered the notes in the file policy/users from Reference Policy. Finally, the prefix for system_u is wrongly set to "user_u" (it shouldn't have it). I have tested the patch and it seems to work fine. I hope it helps. Kind regards, Guido Trentalancia On the 9th of January 2017 19:39:10 CET, Stephen Smalley <s...@tycho.nsa.gov> wrote: >On Thu, 2016-12-29 at 19:45 +0100, Guido Trentalancia wrote: >> The following patch makes sure that the SELinux identity >> reserved for system processes and objects is skipped >> when adding users. >> >> A warning is produced when a Unix identity is found to be >> equal to the SELinux user identity for system processes >> and objects. >> >> This patch also avoids creating an extra record for a user >> if there is no prefix. > >What problem are you encountering that motivated this patch? >What is a test case for this problem? >What is the behavior before and after this patch? > >> >> Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> >> --- >> include/semanage/user_record.h |2 ++ >> src/genhomedircon.c| 23 +++ >> src/user_extra_record.c| 39 >> --- >> src/user_record.c | 40 +- >> -- >> 4 files changed, 78 insertions(+), 26 deletions(-) >> >> diff -pru a/include/semanage/user_record.h >> b/include/semanage/user_record.h >> --- a/include/semanage/user_record.h 2016-10-14 >> 17:31:26.0 +0200 >> +++ b/include/semanage/user_record.h 2016-12-28 >> 23:22:50.848589870 +0100 >> @@ -6,6 +6,8 @@ >> #include >> #include >> >> +#define SYS_OBJECTS_USERID "system_u" >> + >> struct semanage_user; >> typedef struct semanage_user semanage_user_t; >> >> diff -pru a/src/genhomedircon.c b/src/genhomedircon.c >> --- a/src/genhomedircon.c2016-10-14 17:31:26.0 +0200 >> +++ b/src/genhomedircon.c2016-12-29 17:50:10.781727455 +0100 
>> @@ -181,6 +181,9 @@ static int ignore(const char *homedir) { >> static int prefix_is_homedir_role(const semanage_user_t *user, >> const char *prefix) >> { >> +if (!prefix) >> +return 0; >> + >> return strcmp(OBJECT_R, prefix) == 0 || >> semanage_user_has_role(user, prefix); >> } >> @@ -998,14 +1001,26 @@ static int add_user(genhomedircon_settin >> homedir_role = prefix; >> } >> >> +/* There should be no Unix identity corresponding >> + * to SELinux user reserved for system processes >> + * and objects */ >> retval = getpwnam_r(name, , rbuf, rbuflen, >> ); >> -if (retval != 0 || pwent == NULL) { >> -if (retval != 0 && retval != ENOENT) { >> +if (strcmp(name, SYS_OBJECTS_USERID)) { >> +if (retval != 0 || pwent == NULL) { >> +if (retval != 0 && retval != ENOENT) { >> +goto cleanup; >> +} >> + >> +WARN(s->h_semanage, >> + "user %s not in password file", name); >> +retval = STATUS_SUCCESS; >> goto cleanup; >> } >> +} else { >> +if (retval) >> +WARN(s->h_semanage, >> + "There should be no Unix identity >> \"%s\" !", SYS_OBJECTS_USERID); >> >> -WARN(s->h_semanage, >> - "user %s not in password file", name); >> retval = STATUS_SUCCESS; >> goto cleanup; >> } >> diff -pru a/src/user_extra_record.c b/src/user_extra_record.c >> --- a/src/user_extra_record.c2016-10-14 17:31:26.0 >> +0200 >> +++ b/src/user_extra_record.c2016-12-29 17:17:26.168737139 >> +0100 >> @@ -37,8 +37,9 @@ static int semanage_user_extra_key_extra >> semanage_user_key_t ** >> key_ptr) >> { >> >> -if (semanage_user_key_create(handle, user_extra->name, >> key_ptr) < 0) >> -goto err; >> +if (user_extra) >> +
[PATCH v2] libsemanage: special handling of the identity reserved to system objects
The following patch makes sure that the SELinux identity reserved for system processes and objects is skipped when adding users. A warning is produced when a Unix identity is found to be equal to the SELinux user identity for system processes and objects. This patch also avoids creating an extra record for a user if there is no prefix. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- include/semanage/user_record.h |2 ++ src/genhomedircon.c| 23 +++ src/user_extra_record.c| 39 --- src/user_record.c | 40 +--- 4 files changed, 78 insertions(+), 26 deletions(-) diff -pru a/include/semanage/user_record.h b/include/semanage/user_record.h --- a/include/semanage/user_record.h2016-10-14 17:31:26.0 +0200 +++ b/include/semanage/user_record.h2016-12-28 23:22:50.848589870 +0100 @@ -6,6 +6,8 @@ #include #include +#define SYS_OBJECTS_USERID "system_u" + struct semanage_user; typedef struct semanage_user semanage_user_t; diff -pru a/src/genhomedircon.c b/src/genhomedircon.c --- a/src/genhomedircon.c 2016-10-14 17:31:26.0 +0200 +++ b/src/genhomedircon.c 2016-12-29 17:50:10.781727455 +0100 @@ -181,6 +181,9 @@ static int ignore(const char *homedir) { static int prefix_is_homedir_role(const semanage_user_t *user, const char *prefix) { + if (!prefix) + return 0; + return strcmp(OBJECT_R, prefix) == 0 || semanage_user_has_role(user, prefix); } 
@@ -998,14 +1001,26 @@ static int add_user(genhomedircon_settin homedir_role = prefix; } + /* There should be no Unix identity corresponding +* to SELinux user reserved for system processes +* and objects */ retval = getpwnam_r(name, , rbuf, rbuflen, ); - if (retval != 0 || pwent == NULL) { - if (retval != 0 && retval != ENOENT) { + if (strcmp(name, SYS_OBJECTS_USERID)) { + if (retval != 0 || pwent == NULL) { + if (retval != 0 && retval != ENOENT) { + goto cleanup; + } + + WARN(s->h_semanage, +"user %s not in password file", name); + retval = STATUS_SUCCESS; goto cleanup; } + } else { + if (retval) + WARN(s->h_semanage, +"There should be no Unix identity \"%s\" !", SYS_OBJECTS_USERID); - WARN(s->h_semanage, -"user %s not in password file", name); retval = STATUS_SUCCESS; goto cleanup; } diff -pru a/src/user_extra_record.c b/src/user_extra_record.c --- a/src/user_extra_record.c 2016-10-14 17:31:26.0 +0200 +++ b/src/user_extra_record.c 2016-12-29 17:17:26.168737139 +0100 @@ -37,8 +37,9 @@ static int semanage_user_extra_key_extra semanage_user_key_t ** key_ptr) { - if (semanage_user_key_create(handle, user_extra->name, key_ptr) < 0) - goto err; + if (user_extra) + if (semanage_user_key_create(handle, user_extra->name, key_ptr) < 0) + goto err; return STATUS_SUCCESS; @@ -54,7 +55,10 @@ static int semanage_user_extra_compare(c const char *name; semanage_user_key_unpack(key, ); - return strcmp(user_extra->name, name); + if (user_extra) + return strcmp(user_extra->name, name); + else + return 1; } static int semanage_user_extra_compare2(const semanage_user_extra_t * @@ -63,7 +67,10 @@ static int semanage_user_extra_compare2( user_extra2) { - return strcmp(user_extra->name, user_extra2->name); + if (user_extra && user_extra2) + return strcmp(user_extra->name, user_extra2->name); + else + return 1; } static int semanage_user_extra_compare2_qsort(const semanage_user_extra_t ** 
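Review bot: In the new `else` branch for SYS_OBJECTS_USERID in add_user the warning is guarded by `if (retval)`, but `retval` is the return code of `getpwnam_r()`, which is non-zero on a lookup error and zero (with `pwent == NULL`) when the name is simply absent; so "There should be no Unix identity" fires when the lookup fails and stays silent when a passwd entry for system_u actually exists, the opposite of the comment's intent. The guard should be `if (retval == 0 && pwent != NULL)`, and a non-zero `retval` other than ENOENT should still `goto cleanup` with that error as the other branch does, instead of being overwritten by STATUS_SUCCESS. The v1 hunk of the same function later on this page (`@@ -998,14 +998,26 @@`) carries the same condition.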
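Review bot: The NULL guards added to semanage_user_extra_compare and semanage_user_extra_compare2 (and to semanage_user_extra_compare2_qsort in the following hunk) return 1 whenever an operand is NULL, which makes the comparators inconsistent: compare2(a, NULL) and compare2(NULL, a) are both positive and two NULLs compare unequal, so any sort or bsearch over such records has no valid ordering. If NULL really can reach these functions, order it deterministically, e.g. `if (!user_extra || !user_extra2) return (user_extra != NULL) - (user_extra2 != NULL);`; if it cannot, the guards should be dropped rather than hide the caller's bug. In semanage_user_extra_key_extract the new `if (user_extra)` returns STATUS_SUCCESS without touching `*key_ptr`, so a caller proceeds with a key that was never created; a NULL record there should be reported as an error, not a silent success.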
@@ -72,7 +79,10 @@ static int semanage_user_extra_compare2_ user_extra2) { - return strcmp((*user_extra)->name, (*user_extra2)->name); + if (*user_extra && *user_extra2) + return strcmp((*user_extra)->name, (*user_extra2)->name); + else + return 1; } /* Name */ @@ -80,7 +90,10 @@ hidden const char *semanage_user_extra_g user_extra) { - return user_extra->name; + if (user_extra) + return user_extra->name;
Re: libsemanage: special handling of the identity reserved to system objects
On Thu, 29/12/2016 at 10.30 +0100, Dominick Grift wrote: > On 12/29/2016 12:05 AM, Guido Trentalancia wrote: > > > > The following patch makes sure that the SELinux identity > > reserved for system processes and objects is skipped > > when adding users and that no prefix is associated to it. > > > > A warning is produced when a Unix identity is found to be > > equal to the SELinux user identity for system processes > > and objects. > > > > Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> > > --- > > include/semanage/user_record.h |2 ++ > > src/genhomedircon.c| 20 > > src/user_record.c | 15 --- > > 3 files changed, 30 insertions(+), 7 deletions(-) > > > > diff -pru libsemanage-2.6-orig/include/semanage/user_record.h > > libsemanage-2.6/include/semanage/user_record.h > > --- libsemanage-2.6-orig/include/semanage/user_record.h 2016 > > -10-14 17:31:26.0 +0200 > > +++ libsemanage-2.6/include/semanage/user_record.h 2016-12- > > 28 23:22:50.848589870 +0100 > > @@ -6,6 +6,8 @@ > > #include > > #include > > > > +#define SYS_OBJECTS_USERID "system_u" > > SELinux is supposed to be a flexible and customizable framework that > allow for fine-grained mandatory access control. > > hard-coding customizable identifiers is frowned upon by some of us No one likes hard-coding identifiers but, at the moment, I can't easily think of a better alternative. I have created an improved version of this patch that I am going to post. If you have a better idea on how to determine the identity reserved for system objects in libsemanage without hard-coding the identifier, please let me know and I will eventually improve this patch... > > + > > struct semanage_user; > > typedef struct semanage_user semanage_user_t; > > > > diff -pru libsemanage-2.6-orig/src/genhomedircon.c libsemanage- > > 2.6/src/genhomedircon.c > > --- libsemanage-2.6-orig/src/genhomedircon.c2016-10-14 > > 17:31:26.0 +0200 > > +++ libsemanage-2.6/src/genhomedircon.c 2016-12-28 > > 23:34:38.510319855 +0100 
> > @@ -998,14 +998,26 @@ static int add_user(genhomedircon_settin > > homedir_role = prefix; > > } > > > > + /* There should be no Unix identity corresponding > > + * to SELinux user reserved for system processes > > + * and objects */ > > retval = getpwnam_r(name, , rbuf, rbuflen, > > ); > > - if (retval != 0 || pwent == NULL) { > > - if (retval != 0 && retval != ENOENT) { > > + if (strcmp(name, SYS_OBJECTS_USERID)) { > > + if (retval != 0 || pwent == NULL) { > > + if (retval != 0 && retval != ENOENT) { > > + goto cleanup; > > + } > > + > > + WARN(s->h_semanage, > > + "user %s not in password file", > > name); > > + retval = STATUS_SUCCESS; > > goto cleanup; > > } > > + } else { > > + if (retval) > > + WARN(s->h_semanage, > > + "There should be no Unix identity > > \"%s\" !", SYS_OBJECTS_USERID); > > > > - WARN(s->h_semanage, > > - "user %s not in password file", name); > > retval = STATUS_SUCCESS; > > goto cleanup; > > } > > diff -pru libsemanage-2.6-orig/src/user_record.c libsemanage- > > 2.6/src/user_record.c > > --- libsemanage-2.6-orig/src/user_record.c 2016-10-14 > > 17:31:26.0 +0200 > > +++ libsemanage-2.6/src/user_record.c 2016-12-28 > > 23:30:51.59423 +0100 
> > @@ -348,9 +348,18 @@ hidden int semanage_user_join(semanage_h > > if (semanage_user_extra_set_name(handle, tmp_user- > > >extra, name) > > < 0) > > goto err; > > - if (semanage_user_extra_set_prefix > > - (handle, tmp_user->extra, "user") < 0) > > - goto err; > > + > > + /* The user identity reserved for system processes > > + * and objects shall have no prefix */ > > + if (strcmp(name, SYS_OBJECTS_USERID)) { > > + if (semanage_user_extra_set_prefix > > + (handle, tmp_user->extra, "user") < 0) > > + goto err; > > + } else { > > + if (semanage_user_extra_set_prefix > > + (handle, tmp_user->extra, "") < 0) > > + goto err; > > + } > > } > > > > if (semanage_user_set_name(handle, tmp_user, name) < 0) > > ___ Regards, Guido ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
libsemanage: special handling of the identity reserved to system objects
The following patch makes sure that the SELinux identity reserved for system processes and objects is skipped when adding users and that no prefix is associated to it. A warning is produced when a Unix identity is found to be equal to the SELinux user identity for system processes and objects. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- include/semanage/user_record.h |2 ++ src/genhomedircon.c| 20 src/user_record.c | 15 --- 3 files changed, 30 insertions(+), 7 deletions(-) diff -pru libsemanage-2.6-orig/include/semanage/user_record.h libsemanage-2.6/include/semanage/user_record.h --- libsemanage-2.6-orig/include/semanage/user_record.h 2016-10-14 17:31:26.0 +0200 +++ libsemanage-2.6/include/semanage/user_record.h 2016-12-28 23:22:50.848589870 +0100 @@ -6,6 +6,8 @@ #include #include +#define SYS_OBJECTS_USERID "system_u" + struct semanage_user; typedef struct semanage_user semanage_user_t; diff -pru libsemanage-2.6-orig/src/genhomedircon.c libsemanage-2.6/src/genhomedircon.c --- libsemanage-2.6-orig/src/genhomedircon.c2016-10-14 17:31:26.0 +0200 +++ libsemanage-2.6/src/genhomedircon.c 2016-12-28 23:34:38.510319855 +0100 
@@ -998,14 +998,26 @@ static int add_user(genhomedircon_settin homedir_role = prefix; } + /* There should be no Unix identity corresponding +* to SELinux user reserved for system processes +* and objects */ retval = getpwnam_r(name, , rbuf, rbuflen, ); - if (retval != 0 || pwent == NULL) { - if (retval != 0 && retval != ENOENT) { + if (strcmp(name, SYS_OBJECTS_USERID)) { + if (retval != 0 || pwent == NULL) { + if (retval != 0 && retval != ENOENT) { + goto cleanup; + } + + WARN(s->h_semanage, +"user %s not in password file", name); + retval = STATUS_SUCCESS; goto cleanup; } + } else { + if (retval) + WARN(s->h_semanage, +"There should be no Unix identity \"%s\" !", SYS_OBJECTS_USERID); - WARN(s->h_semanage, -"user %s not in password file", name); retval = STATUS_SUCCESS; goto cleanup; } diff -pru libsemanage-2.6-orig/src/user_record.c libsemanage-2.6/src/user_record.c --- libsemanage-2.6-orig/src/user_record.c 2016-10-14 17:31:26.0 +0200 +++ libsemanage-2.6/src/user_record.c 2016-12-28 23:30:51.59423 +0100 @@ -348,9 +348,18 @@ hidden int semanage_user_join(semanage_h if (semanage_user_extra_set_name(handle, tmp_user->extra, name) < 0) goto err; - if (semanage_user_extra_set_prefix - (handle, tmp_user->extra, "user") < 0) - goto err; + + /* The user identity reserved for system processes +* and objects shall have no prefix */ + if (strcmp(name, SYS_OBJECTS_USERID)) { + if (semanage_user_extra_set_prefix + (handle, tmp_user->extra, "user") < 0) + goto err; + } else { + if (semanage_user_extra_set_prefix + (handle, tmp_user->extra, "") < 0) + goto err; + } } if (semanage_user_set_name(handle, tmp_user, name) < 0) ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
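Review bot: In the new `else` branch for SYS_OBJECTS_USERID the test `if (retval) WARN(...)` fires on a getpwnam_r() lookup error, not on the condition the message describes: getpwnam_r() returns 0 both when the account exists and when it does not (pwent is NULL in the latter case), so a real Unix account named system_u is never reported while a transient ERANGE/EINTR produces a misleading warning. The check should be `if (retval == 0 && pwent != NULL)`, and a genuine error should still go to cleanup with its code as the other branch does, rather than being overwritten by the `retval = STATUS_SUCCESS;` that follows. add_user() continues outside the hunk, so what cleanup does with retval cannot be seen here.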
Re: [PATCH 2/2] libsemanage: fix optimized compile errors
Hello. Because of the default compiler flag "-Werror", warnings are treated as errors and therefore they break the compile process. It's not a major issue, of course, but it's much better if it is fixed so that it is not annoying people building with optimization. I used gcc version 6.2.0. I don't know how other compilers or gcc versions react to those compiler flags... Because they have no side-effect, I simply recommend applying the patches. That's all I can say. I hope it helps. On Mon, 26/12/2016 at 21.30 +0100, Nicolas Iooss wrote: > On Fri, Dec 23, 2016 at 4:19 PM, Guido Trentalancia <guido@trentalanc > ia.net> wrote: > > Fix compile errors when using the "-O -Werror" flags on gcc6. > > > > Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> > > --- > > src/direct_api.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff -pru libsemanage-2.6-orig/src/direct_api.c libsemanage- > > 2.6/src/direct_api.c > > --- libsemanage-2.6-orig/src/direct_api.c 2016-10-14 > > 17:31:26.0 +0200 > > +++ libsemanage-2.6/src/direct_api.c 2016-12-23 > > 15:22:50.101297993 +0100 
> > @@ -955,8 +955,8 @@ static int semanage_compile_module(seman > > ssize_t bzip_status; > > int status = 0; > > int compressed; > > - size_t cil_data_len; > > - size_t err_data_len; > > + size_t cil_data_len = 0; > > + size_t err_data_len = 0; > > > > if (!strcasecmp(modinfo->lang_ext, "cil")) { > > goto cleanup; > > Hello, > From a package maintainer perspective (ie. someone who reads the git > log in order to find patchs which need to be backported), it would be > nice if the patch description would state whether this fixes a real > error which went undetected in the previous releases, or whether this > silents a false-positive warning from the compiler. > In this case, gcc is having hard time to find out whether > semanage_pipe_data() initializes *out_data_len and *err_data_len > parameters when this function is called by semanage_compile_module(). > So it seems to be a false-positive. If you confirm this analysis and > send a second revision, could you please add this information to the > description? > > Cheers, > Nicolas Regards, Guido ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 1/2] libselinux: fix optimized compile errors
Fix compile errors when using the "-O3 -Werror" flags on gcc6. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- src/fgetfilecon.c |2 +- src/getfilecon.c |2 +- src/lgetfilecon.c |2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff -pru libselinux-2.6-orig/src/fgetfilecon.c libselinux-2.6/src/fgetfilecon.c --- libselinux-2.6-orig/src/fgetfilecon.c 2016-10-14 17:31:26.0 +0200 +++ libselinux-2.6/src/fgetfilecon.c2016-12-23 15:19:23.642205413 +0100 @@ -53,7 +53,7 @@ hidden_def(fgetfilecon_raw) int fgetfilecon(int fd, char ** context) { - char * rcontext; + char * rcontext = NULL; int ret; *context = NULL; diff -pru libselinux-2.6-orig/src/getfilecon.c libselinux-2.6/src/getfilecon.c --- libselinux-2.6-orig/src/getfilecon.c2016-10-14 17:31:26.0 +0200 +++ libselinux-2.6/src/getfilecon.c 2016-12-23 15:19:39.849448184 +0100 @@ -54,7 +54,7 @@ hidden_def(getfilecon_raw) int getfilecon(const char *path, char ** context) { int ret; - char * rcontext; + char * rcontext = NULL; *context = NULL; diff -pru libselinux-2.6-orig/src/lgetfilecon.c libselinux-2.6/src/lgetfilecon.c --- libselinux-2.6-orig/src/lgetfilecon.c 2016-10-14 17:31:26.0 +0200 +++ libselinux-2.6/src/lgetfilecon.c2016-12-23 15:19:52.489637524 +0100 @@ -54,7 +54,7 @@ hidden_def(lgetfilecon_raw) int lgetfilecon(const char *path, char ** context) { int ret; - char * rcontext; + char * rcontext = NULL; *context = NULL; ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
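Review bot: The commit message calls these "compile errors", but `char * rcontext = NULL;` silences a maybe-uninitialized warning that `-Werror` turns into an error; the message should say so and state whether rcontext can actually be read before the `_raw` call assigns it, because a backporter needs to know whether this is a real fix or a false positive. Each of the three functions continues past its hunk, so that cannot be confirmed here; if the `_raw` call can fail without touching its out-parameter and the error path then hands rcontext to freecon(), the NULL initialisation is a real fix and deserves a comment such as `/* NULL so the error path may freecon() it unconditionally */`.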
Re: [PATCH v2] selinux: support distinctions among all network address families
Hello. On Wed, 07/12/2016 at 08.25 -0500, Stephen Smalley wrote: > On 12/06/2016 07:13 PM, Paul Moore wrote: [...] > > You mentioned IGMP previously, if we have a class for ICMP, it > > seems > > reasonable to have one for IGMP, don't you think? Although this > > does > > spiral a bit if we consider all the IPPROTO* protocols. > > I thought about it, but the kernel does not provide IGMP sockets per > se, > unlike ICMP or SCTP sockets (i.e. ipv4/af_inet.c:inetsw_array[] > defines > an entry for SOCK_DGRAM, IPPROTO_ICMP and sctp/protocol.c defines and > registers inet_protosw entries for SOCK_STREAM, IPPROTO_SCTP and > SOCK_SEQPACKET, IPPROTO_SCTP; there is no equivalent for IGMP unless > I > missed it). So IGMP sockets are just raw IP sockets with a > particular > protocol value; they have no stream, seqpacket, or dgram semantics, > and > it is unclear it is worthwhile to distinguish them in policy. I suppose distinguishing IGMP packets brings little benefit in terms of security. Regards, Guido ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [RFC][PATCH] selinux: support distinctions among all network address families
Hello Stephen. Glad to hear that this is making its way into the kernel ! On Thu, 01/12/2016 at 10.07 -0500, Stephen Smalley wrote: > Extend SELinux to support distinctions among all network address > families > implemented by the kernel by defining new socket security classes > and mapping to them. Otherwise, many sockets are mapped to the > generic > socket class and are indistinguishable in policy. This has come up > previously with regard to selectively allowing access to bluetooth > sockets, > and more recently with regard to selectively allowing access to > AF_ALG > sockets. Guido Trentalancia submitted a patch that took a similar > approach > to add only support for distinguishing AF_ALG sockets, but this > generalizes > his approach to handle all address families implemented by the > kernel. > Socket security classes were not defined for AF_* values that are > reserved > but unimplemented in the kernel, e.g. AF_NETBEUI, AF_SECURITY, > AF_ECONET, > AF_SNA, AF_WANPIPE. > > Backward compatibility is provided by only enabling the finer-grained > socket classes if a new policy capability is set in the policy; older > policies will behave as before. The legacy redhat1 policy capability > that was only ever used in testing within Fedora for ptrace_child > is reclaimed for this purpose; as far as I can tell, this policy > capability is not enabled in any supported distro policy. > > Add a pair of conditional compilation guards to detect when new AF_* > values > are added so that we can update SELinux accordingly rather than > having to > belatedly update it long after new address families are introduced. > > Signed-off-by: Stephen Smalley <s...@tycho.nsa.gov> > --- > security/selinux/hooks.c| 67 > + > security/selinux/include/classmap.h | 62 > ++ > security/selinux/include/security.h | 3 +- > security/selinux/selinuxfs.c| 2 +- > security/selinux/ss/services.c | 3 ++ > 5 files changed, 135 insertions(+), 2 deletions(-) 
> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 98a2e92..1ee2172 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c 
> @@ -1342,6 +1342,73 @@ static inline u16 > socket_type_to_security_class(int family, int type, int protoc > return SECCLASS_APPLETALK_SOCKET; > } > > + if (!selinux_policycap_extsockclass) > + return SECCLASS_SOCKET; > + The only suggestion I have to make is that, in my opinion, it might read better and it might be easier to maintain in the future, if the above is rewritten as follows: if (selinux_policycap_extsockclass) { switch (family) { ... } } and the return statement at the end of the function is retained. That way, it is possible to easily add other similar policy capabilities in the future, by just plugging in similar if statements ! Other than that, it looks fine to me and I have no other suggestions to make about this patch. > + switch (family) { > + case PF_AX25: > + return SECCLASS_AX25_SOCKET; > + case PF_IPX: > + return SECCLASS_IPX_SOCKET; > + case PF_NETROM: > + return SECCLASS_NETROM_SOCKET; > + case PF_BRIDGE: > + return SECCLASS_BRIDGE_SOCKET; > + case PF_ATMPVC: > + return SECCLASS_ATMPVC_SOCKET; > + case PF_X25: > + return SECCLASS_X25_SOCKET; > + case PF_ROSE: > + return SECCLASS_ROSE_SOCKET; > + case PF_DECnet: > + return SECCLASS_DECNET_SOCKET; > + case PF_ATMSVC: > + return SECCLASS_ATMSVC_SOCKET; > + case PF_RDS: > + return SECCLASS_RDS_SOCKET; > + case PF_IRDA: > + return SECCLASS_IRDA_SOCKET; > + case PF_PPPOX: > + return SECCLASS_PPPOX_SOCKET; > + case PF_LLC: > + return SECCLASS_LLC_SOCKET; > + case PF_IB: > + return SECCLASS_IB_SOCKET; > + case PF_MPLS: > + return SECCLASS_MPLS_SOCKET; > + case PF_CAN: > + return SECCLASS_CAN_SOCKET; > + case PF_TIPC: > + return SECCLASS_TIPC_SOCKET; > + case PF_BLUETOOTH: > + return SECCLASS_BLUETOOTH_SOCKET; > + case PF_IUCV: > + return SECCLASS_IUCV_SOCKET; > + case PF_RXRPC: > + return SECCLASS_RXRPC_SOCKET; > + case PF_ISDN: > + return SECCLASS_ISDN_SOCKET; > + case PF_PHONET: > + return SECCLASS_PHONET_SOCKET; > + case PF_IEEE802154: > + return SECCLASS_IEEE802154_SOCKET; > +
Re: [PATCH] libsepol: Produce more meaningful error messages for conflicting type rules
Hello. I received no feedback on this. I still believe it is a very useful patch, because at the moment it is very hard to track down the error from the error message. Guido On Sat, 27/08/2016 at 14.44 +0200, Guido Trentalancia wrote: > Produce more meaningful error messages when conflicting type > rules are found by libsepol. > > Fixes Debian bug #832331 (https://bugs.debian.org/832331). > > Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> > --- > cil/src/cil_binary.c |8 > 1 file changed, 4 insertions(+), 4 deletions(-) > > --- libsepol-2.5/cil/src/cil_binary.c 2016-02-23 > 17:31:41.0 +0100 > +++ libsepol-2.5-conflicting_type_rules/cil/src/cil_binary.c 2 > 016-08-27 14:31:44.307988662 +0200 > @@ -973,7 +973,7 @@ avtab_datum_t *cil_cond_av_list_search(a > return NULL; > } > > -int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t > src, uint32_t tgt, uint32_t obj, uint32_t res, cond_node_t > *cond_node, enum cil_flavor cond_flavor) > +int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t > src, uint32_t tgt, uint32_t obj, uint32_t res, struct cil_type_rule > *cil_rule, cond_node_t *cond_node, enum cil_flavor cond_flavor) > { > int rc = SEPOL_OK; > avtab_key_t avtab_key; > @@ -1008,7 +1008,7 @@ int __cil_insert_type_rule(policydb_t *p > * non-duplicate rule using the same key. > */ > if (existing->datum.data != res) { > - cil_log(CIL_ERR, "Conflicting type > rules\n"); > + cil_log(CIL_ERR, "Conflicting type rules > (scontext=%s tcontext=%s tclass=%s result=%s)\n", cil_rule->src_str, > cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str); > rc = SEPOL_ERR; > } > goto exit; 
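Review bot: The enriched message in the `@@ -1008` hunk still omits which kind of type rule conflicts, although `kind` is a parameter of __cil_insert_type_rule(); as far as the hunk shows the avtab key carries the kind, so both conflicting rules share it and printing it tells the user whether to look for a type_transition, type_change or type_member statement. Something like `"Conflicting %s rules (..."` with the kind mapped to its name would make the message actionable. The message can only describe the rule being inserted, since `existing` holds just the datum of the earlier one; that limitation is worth stating in the commit message so nobody expects both rules in the log.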
> @@ -1034,7 +1034,7 @@ int __cil_insert_type_rule(policydb_t *p > search_datum = > cil_cond_av_list_search(_key, other_list); > if (search_datum == NULL) { > if (existing->datum.data != res) { > - cil_log(CIL_ERR, > "Conflicting type rules\n"); > + cil_log(CIL_ERR, > "Conflicting type rules (scontext=%s tcontext=%s tclass=%s > result=%s)\n", cil_rule->src_str, cil_rule->tgt_str, cil_rule- > >obj_str, cil_rule->result_str); > rc = SEPOL_ERR; > goto exit; > } > @@ -1093,7 +1093,7 @@ int __cil_type_rule_to_avtab(policydb_t > rc = > __cil_get_sepol_class_datum(pdb, DATUM(c->data), _obj); > if (rc != SEPOL_OK) goto exit; > > - rc = __cil_insert_type_rule(pdb, > kind, sepol_src->s.value, sepol_tgt->s.value, sepol_obj->s.value, > sepol_result->s.value, cond_node, cond_flavor); > + rc = __cil_insert_type_rule(pdb, > kind, sepol_src->s.value, sepol_tgt->s.value, sepol_obj->s.value, > sepol_result->s.value, cil_rule, cond_node, cond_flavor); > if (rc != SEPOL_OK) goto exit; > } > } ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
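Review bot: The `@@ -1093` hunk updates __cil_type_rule_to_avtab() to pass `cil_rule`, but __cil_insert_type_rule() now dereferences `cil_rule` unconditionally on both error paths, so any other caller not shown in the diff must be updated as well (the diffstat lists only these four hunks) and a NULL argument would crash on exactly the error path the patch is trying to improve. Either document on the prototype that `cil_rule` must be non-NULL and is used only for diagnostics, or guard the log: `cil_rule ? cil_rule->src_str : "?"`. Whether other callers exist, for instance for typetransition rules, cannot be told from the hunks shown.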
Re: [PATCH v5] Build the SELinux testsuite on systems using the Reference Policy
Hello Stephen. Thanks very much for applying the patch. Guido On Thu, 01/09/2016 at 08.38 -0400, Stephen Smalley wrote: > On 08/26/2016 02:36 PM, Guido Trentalancia wrote: > > > > Sorry about that ! I did not test it properly because I was hitting > > a > > problem with the policy... > > > > The following one should work, although it's slightly noisy... > > > > Fix the Makefile in the policy subdirectory of the SELinux > > testsuite > > so that it builds correctly on the standard Reference Policy which > > does not have the same booleans available on Red Hat. > > > > Previous versions were not working within the Makefile. > > > > Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> > > Thanks, applied. > > > > --- > > policy/Makefile |4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > --- selinux-testsuite-git-23082016-orig/policy/Makefile 2016 > > -08-23 20:50:08.527633728 +0200 > > +++ selinux-testsuite-git-23082016/policy/Makefile 2016-08- > > 26 20:33:01.677418513 +0200 > > @@ -68,7 +69,7 @@ load_rhel: all > > > > load_general: all > > # General policy load > > - /usr/sbin/setsebool allow_domain_fd_use=0 > > + @-/usr/sbin/setsebool allow_domain_fd_use=0 > > $(SEMODULE) -i test_policy/test_policy.pp > > > > unload_rhel: > > @@ -77,7 +78,7 @@ unload_rhel: > > > > unload_general: > > # General policy unload > > - /usr/sbin/setsebool allow_domain_fd_use=1 > > + @-/usr/sbin/setsebool allow_domain_fd_use=1 > > $(SEMODULE) -r test_policy > > > > clean: > > ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH] libsepol: Produce more meaningful error messages for conflicting type rules
Produce more meaningful error messages when conflicting type rules are found by libsepol. Fixes Debian bug #832331 (https://bugs.debian.org/832331). Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- cil/src/cil_binary.c |8 1 file changed, 4 insertions(+), 4 deletions(-) --- libsepol-2.5/cil/src/cil_binary.c 2016-02-23 17:31:41.0 +0100 +++ libsepol-2.5-conflicting_type_rules/cil/src/cil_binary.c2016-08-27 14:31:44.307988662 +0200 @@ -973,7 +973,7 @@ avtab_datum_t *cil_cond_av_list_search(a return NULL; } -int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, uint32_t tgt, uint32_t obj, uint32_t res, cond_node_t *cond_node, enum cil_flavor cond_flavor) +int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, uint32_t tgt, uint32_t obj, uint32_t res, struct cil_type_rule *cil_rule, cond_node_t *cond_node, enum cil_flavor cond_flavor) { int rc = SEPOL_OK; avtab_key_t avtab_key; @@ -1008,7 +1008,7 @@ int __cil_insert_type_rule(policydb_t *p * non-duplicate rule using the same key. */ if (existing->datum.data != res) { - cil_log(CIL_ERR, "Conflicting type rules\n"); + cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s)\n", cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str); rc = SEPOL_ERR; } goto exit; @@ -1034,7 +1034,7 @@ int __cil_insert_type_rule(policydb_t *p search_datum = cil_cond_av_list_search(_key, other_list); if (search_datum == NULL) { if (existing->datum.data != res) { - cil_log(CIL_ERR, "Conflicting type rules\n"); + cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s)\n", cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str); rc = SEPOL_ERR; goto exit; } 
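Review bot: The labels `scontext=`, `tcontext=` and `tclass=` in the new cil_log() text are the names audit records use for full security contexts, but what is printed here is the CIL source type, target type and class identifier (`src_str`, `tgt_str`, `obj_str`), so a user who grabs the value and searches AVC output for a context string will not find it. Naming the fields by what they are avoids that: `"Conflicting type rules (source=%s target=%s class=%s result=%s)\n"`. The same format string appears twice in the patch; a single `static const char *` shared by both cil_log() calls keeps them from drifting apart.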
@@ -1093,7 +1093,7 @@ int __cil_type_rule_to_avtab(policydb_t rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), _obj); if (rc != SEPOL_OK) goto exit; - rc = __cil_insert_type_rule(pdb, kind, sepol_src->s.value, sepol_tgt->s.value, sepol_obj->s.value, sepol_result->s.value, cond_node, cond_flavor); + rc = __cil_insert_type_rule(pdb, kind, sepol_src->s.value, sepol_tgt->s.value, sepol_obj->s.value, sepol_result->s.value, cil_rule, cond_node, cond_flavor); if (rc != SEPOL_OK) goto exit; } } ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH v5] Build the SELinux testsuite on systems using the Reference Policy
Sorry about that ! I did not test it properly because I was hitting a problem with the policy... The following one should work, although it's slightly noisy... Fix the Makefile in the policy subdirectory of the SELinux testsuite so that it builds correctly on the standard Reference Policy which does not have the same booleans available on Red Hat. Previous versions were not working within the Makefile. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- policy/Makefile |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- selinux-testsuite-git-23082016-orig/policy/Makefile 2016-08-23 20:50:08.527633728 +0200 +++ selinux-testsuite-git-23082016/policy/Makefile 2016-08-26 20:33:01.677418513 +0200 @@ -68,7 +69,7 @@ load_rhel: all load_general: all # General policy load - /usr/sbin/setsebool allow_domain_fd_use=0 + @-/usr/sbin/setsebool allow_domain_fd_use=0 $(SEMODULE) -i test_policy/test_policy.pp unload_rhel: @@ -77,7 +78,7 @@ unload_rhel: unload_general: # General policy unload - /usr/sbin/setsebool allow_domain_fd_use=1 + @-/usr/sbin/setsebool allow_domain_fd_use=1 $(SEMODULE) -r test_policy clean: ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
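Review bot: `@-/usr/sbin/setsebool allow_domain_fd_use=0` makes make ignore any failure of setsebool, not only the "boolean does not exist" case the commit message is about, so on a policy that does define the boolean a failure to clear it (not root, setsebool missing, SELinux disabled) is swallowed and the test policy is loaded with allow_domain_fd_use still on, which may silently change what the tests exercise. Checking for the boolean first and letting a real setsebool failure propagate keeps both properties: `if /usr/sbin/getsebool allow_domain_fd_use >/dev/null 2>&1; then /usr/sbin/setsebool allow_domain_fd_use=0; fi`, and likewise for the `=1` line in unload_general. A comment above the recipe, `# allow_domain_fd_use exists only in some distribution policies; skip it elsewhere`, would record why the step is conditional.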
[PATCH v3] Build the SELinux testsuite on systems using the Reference Policy
Fix the Makefile in the policy subdirectory of the SELinux testsuite so that it builds correctly on the standard Reference Policy which does not have the same booleans available on Red Hat. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- policy/Makefile |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- selinux-testsuite-git-23082016-orig/policy/Makefile 2016-08-23 20:50:08.527633728 +0200 +++ selinux-testsuite-git-23082016/policy/Makefile 2016-08-26 19:37:13.195088500 +0200 @@ -68,7 +69,7 @@ load_rhel: all load_general: all # General policy load - /usr/sbin/setsebool allow_domain_fd_use=0 + /usr/sbin/getsebool allow_domain_fd_use > /dev/null && /usr/sbin/setsebool allow_domain_fd_use=0 || : $(SEMODULE) -i test_policy/test_policy.pp unload_rhel: @@ -77,7 +78,7 @@ unload_rhel: unload_general: # General policy unload - /usr/sbin/setsebool allow_domain_fd_use=1 + /usr/sbin/getsebool allow_domain_fd_use > /dev/null && /usr/sbin/setsebool allow_domain_fd_use=1 || : $(SEMODULE) -r test_policy clean: ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
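Review bot: `/usr/sbin/getsebool allow_domain_fd_use > /dev/null` discards only stdout; when the boolean is absent getsebool presumably reports the failure on stderr, so the recipe still prints a spurious error on Reference Policy systems, and the trailing `|| :` also turns a genuine setsebool failure on a policy that has the boolean into success. Redirecting both streams and keeping setsebool's own exit status addresses both: `if /usr/sbin/getsebool allow_domain_fd_use >/dev/null 2>&1; then /usr/sbin/setsebool allow_domain_fd_use=0; fi`, with the same shape for the `=1` line.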
[PATCH v2] Build the SELinux testsuite on systems using the Reference Policy
Fix the Makefile in the policy subdirectory of the SELinux testsuite so that it builds correctly on the standard Reference Policy which does not have the same booleans available on Red Hat. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- policy/Makefile |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- selinux-testsuite-git-23082016-orig/policy/Makefile 2016-08-23 20:50:08.527633728 +0200 +++ selinux-testsuite-git-23082016/policy/Makefile 2016-08-24 14:38:08.987455031 +0200 @@ -68,7 +68,7 @@ load_rhel: all load_general: all # General policy load - /usr/sbin/setsebool allow_domain_fd_use=0 + /usr/sbin/getsebool -a | grep -q allow_domain_fd_use && /usr/sbin/setsebool allow_domain_fd_use=0 || : $(SEMODULE) -i test_policy/test_policy.pp unload_rhel: @@ -77,7 +77,7 @@ unload_rhel: unload_general: # General policy unload - /usr/sbin/setsebool allow_domain_fd_use=1 + /usr/sbin/getsebool -a | grep -q allow_domain_fd_use && /usr/sbin/setsebool allow_domain_fd_use=1 || : $(SEMODULE) -r test_policy clean: ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
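Review bot: `getsebool -a | grep -q allow_domain_fd_use` is a substring match over every boolean name, so any boolean whose name merely contains that text would make the recipe run setsebool on a boolean that may not exist and fail. Query the boolean directly, `/usr/sbin/getsebool allow_domain_fd_use >/dev/null 2>&1 && /usr/sbin/setsebool allow_domain_fd_use=0 || :`, or anchor the pattern with `grep -q '^allow_domain_fd_use '`; the same applies to the `=1` line in unload_general.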
[PATCH v2] Build the SELinux testsuite on systems using the Reference Policy
Fix the Makefile in the policy subdirectory of the SELinux testsuite so that it builds correctly on the standard Reference Policy which does not have the same booleans available on Red Hat. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- policy/Makefile |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- selinux-testsuite-git-23082016-orig/policy/Makefile 2016-08-23 20:50:08.527633728 +0200 +++ selinux-testsuite-git-23082016/policy/Makefile 2016-08-24 14:38:08.987455031 +0200 @@ -68,7 +68,7 @@ load_rhel: all load_general: all # General policy load - /usr/sbin/setsebool allow_domain_fd_use=0 + /usr/sbin/getsebool -a | grep -q allow_domain_fd_use && /usr/sbin/setsebool allow_domain_fd_use=0 || : $(SEMODULE) -i test_policy/test_policy.pp unload_rhel: @@ -77,7 +77,7 @@ unload_rhel: unload_general: # General policy unload - /usr/sbin/setsebool allow_domain_fd_use=1 + /usr/sbin/getsebool -a | grep -q allow_domain_fd_use && /usr/sbin/setsebool allow_domain_fd_use=1 || : $(SEMODULE) -r test_policy clean: ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH] Build the SELinux testsuite on systems using the Reference Policy
Fix the Makefile in the policy subdirectory of the SELinux testsuite so that it builds correctly on the standard Reference Policy which does not have the same booleans available on Red Hat. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- policy/Makefile |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- selinux-testsuite-git-23082016-orig/policy/Makefile 2016-08-23 20:50:08.527633728 +0200 +++ selinux-testsuite-git-23082016/policy/Makefile 2016-08-24 14:38:08.987455031 +0200 @@ -68,7 +68,7 @@ load_rhel: all load_general: all # General policy load - /usr/sbin/setsebool allow_domain_fd_use=0 + /usr/sbin/getsebool -a | grep -q allow_domain_fd_use && /usr/sbin/setsebool allow_domain_fd_use=0 $(SEMODULE) -i test_policy/test_policy.pp unload_rhel: @@ -77,7 +77,7 @@ unload_rhel: unload_general: # General policy unload - /usr/sbin/setsebool allow_domain_fd_use=1 + /usr/sbin/getsebool -a | grep -q allow_domain_fd_use && /usr/sbin/setsebool allow_domain_fd_use=1 $(SEMODULE) -r test_policy clean: ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH v5] Classify AF_ALG sockets
This patch for the SELinux testsuite aims to add a very simple test for sockets in the AF_ALG namespace. However, I met some problems while trying to run it, so testing is needed. policy/Makefile |2 - policy/test_alg_socket.te | 25 + tests/alg_socket/Makefile |5 +++ tests/alg_socket/client.c | 66 ++ tests/alg_socket/test | 22 +++ 5 files changed, 119 insertions(+), 1 deletion(-) diff -pruN selinux-testsuite-git-23082016-orig/policy/Makefile selinux-testsuite-git-23082016/policy/Makefile --- selinux-testsuite-git-23082016-orig/policy/Makefile 2016-08-23 20:50:08.527633728 +0200 +++ selinux-testsuite-git-23082016/policy/Makefile 2016-08-24 00:56:38.114854854 +0200 @@ -20,7 +20,7 @@ TARGETS = \ test_task_create.te test_task_getpgid.te test_task_getsched.te \ test_task_getsid.te test_task_setpgid.te test_task_setsched.te \ test_transition.te test_inet_socket.te test_unix_socket.te \ - test_wait.te test_mmap.te + test_alg_socket.te test_wait.te test_mmap.te ifeq ($(shell [ $(POL_VERS) -ge 24 ] && echo true),true) TARGETS += test_bounds.te diff -pruN selinux-testsuite-git-23082016-orig/policy/test_alg_socket.te selinux-testsuite-git-23082016/policy/test_alg_socket.te --- selinux-testsuite-git-23082016-orig/policy/test_alg_socket.te 1970-01-01 01:00:00.0 +0100 +++ selinux-testsuite-git-23082016/policy/test_alg_socket.te2016-08-24 00:31:51.588695889 +0200 
@@ -0,0 +1,25 @@ +# +# +# Policy for testing sockets in +# the AF_ALG namespace (Crypto +# API). +# + +attribute algsocketdomain; + +# Domain for client process. +type test_alg_socket_client_t; +domain_type(test_alg_socket_client_t) +unconfined_runs_test(test_alg_socket_client_t) +typeattribute test_alg_socket_client_t testdomain; +typeattribute test_alg_socket_client_t algsocketdomain; + +# client can bind socket. +allow test_alg_socket_client_t self:alg_socket bind; + +# client can request to load a kernel module +kernel_request_load_module(algsocketdomain) + +# Allow all of these domains to be entered from the sysadm domain. +miscfiles_domain_entry_test_files(algsocketdomain) +userdom_sysadm_entry_spec_domtrans_to(algsocketdomain) diff -pruN selinux-testsuite-git-23082016-orig/tests/alg_socket/client.c selinux-testsuite-git-23082016/tests/alg_socket/client.c --- selinux-testsuite-git-23082016-orig/tests/alg_socket/client.c 1970-01-01 01:00:00.0 +0100 +++ selinux-testsuite-git-23082016/tests/alg_socket/client.c2016-08-24 00:58:47.075516771 +0200 
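Review bot: The policy grants only `self:alg_socket bind`, but the client first calls socket(AF_ALG, SOCK_SEQPACKET, 0), which under the new class would be checked against `create` on alg_socket, so the `succeed` case is likely to be denied before it ever reaches bind() unless `testdomain` or `domain_type()` supplies that permission elsewhere, which cannot be seen from this file. Declaring the needed set explicitly, `allow test_alg_socket_client_t self:alg_socket { create bind };`, makes the test self-describing. There is also no second domain that lacks `bind`, so nothing here exercises a denial of the new class; a `test_alg_socket_noperm_t` domain with the same entry rules but without the allow rule would let the `fail` case test SELinux rather than the crypto API. Since this is a whole new file, a header comment stating that the `alg_socket` policy capability must be enabled for the class to be distinguished from `socket` would save the next reader a trip to the kernel patch.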
@@ -0,0 +1,66 @@ +#include +#include +#include +#include +#include +#include + +void usage(char *progname) +{ + fprintf(stderr, + "usage: %s [succeed|fail]\n", + progname); + exit(1); +} + +int +main(int argc, char **argv) +{ + int succeed; + int sock; + + if (argc != 2) + usage(argv[0]); + + if (!strcmp(argv[1], "succeed")) + succeed = 1; + else if (!strcmp(argv[1], "fail")) + succeed = 0; + else + usage(argv[0]); + + sock = socket(AF_ALG, SOCK_SEQPACKET, 0); + if (sock < 0) { + perror("socket"); + exit(1); + } + + if (succeed == 1) { + struct sockaddr_alg sa_good = { + .salg_family = AF_ALG, + .salg_type = "hash", + .salg_name = "sha256", + }; + + if (bind(sock, (struct sockaddr *) _good, sizeof(sa_good)) < 0) { + perror("bind (algorithm available)"); + close(sock); + exit(1); + } + } else { + struct sockaddr_alg sa_bad = { + .salg_family = AF_ALG, + .salg_type = "hash", + .salg_name = "NOTAVAILABLE", + }; + + if (bind(sock, (struct sockaddr *) _bad, sizeof(sa_bad)) < 0) { + perror("bind (algorithm not available)"); + close(sock); + exit(1); + } + } + + close(sock); + exit(0); +} diff -pruN selinux-testsuite-git-23082016-orig/tests/alg_socket/Makefile selinux-testsuite-git-23082016/tests/alg_socket/Makefile --- selinux-testsuite-git-23082016-orig/tests/alg_socket/Makefile 1970-01-01 01:00:00.0 +0100 +++ selinux-testsuite-git-23082016/tests/alg_socket/Makefile2016-08-23 23:07:46.866079516 +0200 @@ -0,0 +1,5 @@ +TARGETS=client + +all: $(TARGETS) +clean: + rm -f $(TARGETS) diff -pruN selinux-testsuite-git-23082016-orig/tests/alg_socket/test selinux-testsuite-git-23082016/tests/alg_socket/test --- selinux-testsuite-git-23082016-orig/tests/alg_socket/test 1970-01-01
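Review bot: The `fail` branch binds to the non-existent algorithm "NOTAVAILABLE", so its failure comes from the crypto API rejecting an unknown name rather than from an SELinux denial of `alg_socket bind`; the test cannot tell a missing kernel module from a policy decision, and a kernel without sha256 support would make the `succeed` case fail for the same non-SELinux reason. The two cases should differ only in policy: bind the same valid "hash"/"sha256" address in both, run the `fail` case from a domain without the bind permission, and treat only `errno == EACCES` as the expected denial, reporting anything else as a test error. The two sockaddr_alg initialisers then collapse into one; the harness script is not in this chunk, so the exit-code convention below (0 bound, 1 expected denial, 2 unexpected error) is an assumption to align with it.
```c
	/* … unchanged: argument parsing and socket() … */
	struct sockaddr_alg sa = {
		.salg_family = AF_ALG,
		.salg_type = "hash",
		.salg_name = "sha256",
	};

	if (bind(sock, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
		int saved = errno;
		close(sock);
		if (!succeed && saved == EACCES)
			exit(1);	/* expected: caller's domain lacks alg_socket bind */
		errno = saved;
		perror("bind");
		exit(2);	/* not an SELinux decision: report as test error */
	}
	/* … unchanged: close(sock); exit(0); … */
```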
[PATCH] Update libsepol to support the policy capability for AF_ALG sockets
Update libsepol with the new policy capability needed to classify sockets in the AF_ALG namespace (Crypto API). Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- include/sepol/policydb/polcaps.h |1 + src/polcaps.c|1 + 2 files changed, 2 insertions(+) diff -pru libsepol-git-23082016/include/sepol/policydb/polcaps.h libsepol-git-23082016-alg_socket/include/sepol/policydb/polcaps.h --- libsepol-git-23082016/include/sepol/policydb/polcaps.h 2016-08-23 17:08:58.690837319 +0200 +++ libsepol-git-23082016-alg_socket/include/sepol/policydb/polcaps.h 2016-08-23 17:13:52.794644956 +0200 @@ -11,6 +11,7 @@ enum { POLICYDB_CAPABILITY_OPENPERM, POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */ POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_ALGSOCKET, /* Crypto API socket namespace */ __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) diff -pru libsepol-git-23082016/src/polcaps.c libsepol-git-23082016-alg_socket/src/polcaps.c --- libsepol-git-23082016/src/polcaps.c 2016-08-23 17:08:58.696837395 +0200 +++ libsepol-git-23082016-alg_socket/src/polcaps.c 2016-08-23 17:11:49.145026939 +0200 @@ -10,6 +10,7 @@ static const char *polcap_names[] = { "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */ "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */ "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ + "alg_socket", /* POLICYDB_CAPABILITY_ALGSOCKET (Crypto API socket namespace) */ NULL }; ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
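Review bot: POLICYDB_CAPABILITY_ALGSOCKET and the `"alg_socket"` string are positional: the enum index must stay equal to the kernel's enum and `policycap_names[]` slot and the name must match byte for byte, or a policy built with this libsepol sets a bit the kernel interprets as a different capability. Nothing in the header records that coupling; a comment on the enum, `/* order and names must match the kernel's security/selinux/include/security.h and selinuxfs.c */`, would make it explicit, and if the file does not already check it, a compile-time assertion that polcap_names has __POLICYDB_CAPABILITY_MAX entries plus the NULL terminator would catch a future insertion in only one of the two lists. The companion kernel patch in this series uses the same spelling, which is right; just make the dependency visible.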
[PATCH v5] Classify AF_ALG sockets
Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API). A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- security/selinux/hooks.c|5 + security/selinux/include/classmap.h |2 ++ security/selinux/include/security.h |2 ++ security/selinux/selinuxfs.c|3 ++- security/selinux/ss/services.c |6 +- 5 files changed, 16 insertions(+), 2 deletions(-) diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c --- linux-4.7.2-orig/security/selinux/hooks.c 2016-08-22 22:31:27.737767819 +0200 +++ linux-4.7.2/security/selinux/hooks.c2016-08-22 22:40:29.102526024 +0200 @@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit return SECCLASS_KEY_SOCKET; case PF_APPLETALK: return SECCLASS_APPLETALK_SOCKET; + case PF_ALG: + if (selinux_policycap_algsocket) + return SECCLASS_ALG_SOCKET; + else + return SECCLASS_SOCKET; } return SECCLASS_SOCKET; diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h --- linux-4.7.2-orig/security/selinux/include/classmap.h2016-08-22 22:31:27.754768030 +0200 +++ linux-4.7.2/security/selinux/include/classmap.h 2016-08-22 22:32:14.795355585 +0200 @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m { COMMON_SOCK_PERMS, NULL } }, { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, + { "alg_socket", + { COMMON_SOCK_PERMS, NULL } }, { "packet", { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key", diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h --- linux-4.7.2-orig/security/selinux/include/security.h2016-03-14 05:28:54.0 +0100 +++ linux-4.7.2/security/selinux/include/security.h 2016-08-22 22:53:57.911660238 +0200 
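Review bot: In the hooks.c hunk the `else return SECCLASS_SOCKET;` under `case PF_ALG:` duplicates the `return SECCLASS_SOCKET;` that already follows the switch; `case PF_ALG: if (selinux_policycap_algsocket) return SECCLASS_ALG_SOCKET; break;` expresses the same thing with one copy of the default and is the shape any further capability-gated families would follow. The new classmap.h entry gives no hint that it is only reached when the capability is set, so a reader of the class map alone will not know why an AF_ALG socket can still appear as `socket`; a trailing comment on the entry, `/* only used when the alg_socket policy capability is enabled */`, or a note in the commit message about the observable behaviour under older policies, would close that gap.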
@@ -75,6 +75,7 @@ enum {
 POLICYDB_CAPABILITY_OPENPERM,
 POLICYDB_CAPABILITY_REDHAT1,
 POLICYDB_CAPABILITY_ALWAYSNETWORK,
+ POLICYDB_CAPABILITY_ALGSOCKET,
 __POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
@@ -82,6 +83,7 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_alwaysnetwork;
+extern int selinux_policycap_algsocket;
 /*
 * type_datum properties
diff -pru linux-4.7.2-orig/security/selinux/selinuxfs.c linux-4.7.2/security/selinux/selinuxfs.c
--- linux-4.7.2-orig/security/selinux/selinuxfs.c 2016-03-14 05:28:54.0 +0100
+++ linux-4.7.2/security/selinux/selinuxfs.c2016-08-23 14:19:43.945217071 +0200
@@ -46,7 +46,8 @@ static char *policycap_names[] = {
 "network_peer_controls",
 "open_perms",
 "redhat1",
- "always_check_network"
+ "always_check_network",
+ "alg_socket"
 };
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
--- linux-4.7.2-orig/security/selinux/ss/services.c 2016-08-05 21:27:22.275588616 +0200
+++ linux-4.7.2/security/selinux/ss/services.c 2016-08-23 14:33:19.85535 +0200
@@ -26,9 +26,10 @@
 *
 * Added support for bounds domain and audit messaged on masked permissions
 *
- * Updated: Guido Trentalancia <gu...@trentalancia.com>
+ * Updated: Guido Trentalancia <gu...@trentalancia.net>
 *
 * Added support for runtime switching of the policy type
+ * Added support for classifying the AF_ALG sockets (Crypto API)
 *
 * Copyright (C) 2008, 2009 NEC Corporation
 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
@@ -73,6 +74,7 @@
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_alwaysnetwork;
+int selinux_policycap_algsocket;
 static DEFINE_RWLOCK(policy_rwlock);
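Review bot: The new enumerator `POLICYDB_CAPABILITY_ALGSOCKET` in the first security.h hunk and the new `"alg_socket"` string in the selinuxfs.c hunk are tied together only by their position in two separate lists, and neither hunk leaves a marker saying so; presumably selinuxfs indexes `policycap_names[]` by the enum value when it exposes the capabilities, so an addition to one side without the other would silently mislabel or overrun. A comment on the array, `/* Must stay in the same order as POLICYDB_CAPABILITY_* in include/security.h */`, plus a build-time check where the array is consumed, `BUILD_BUG_ON(ARRAY_SIZE(policycap_names) != POLICYDB_CAPABILITY_MAX + 1);`, would make the coupling explicit — unless such a check already exists outside these hunks. The string is also userspace-visible (it is the capability name a policy has to declare), so the commit message should state that `alg_socket` is the final name rather than a placeholder. The services.c hunks only add the matching global and header comment and raise nothing further.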
@@ -2016,6 +2018,8 @@ static void security_load_policycaps(voi
 POLICYDB_CAPABILITY_OPENPERM);
 selinux_policycap_alwaysnetwork = ebitmap_get_bit(,
 POLICYDB_CAPABILITY_ALWAYSNETWORK);
+ selinux_policycap_algsocket = ebitmap_get_bit(,
+ POLICYDB_CAPABILITY_ALGSOCKET);
 }
 static int security_preserve_bools(struct policydb *p);
Re: [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket)
Hello Paul. Thanks for providing your feedback. On Mon, 22/08/2016 at 16.17 -0400, Paul Moore wrote: > On Mon, Aug 22, 2016 at 9:02 AM, Guido Trentalancia > <gu...@trentalancia.net> wrote: > > > > Modify the SELinux kernel code so that it is able to classify > > sockets with > > the new AF_ALG namespace (used for the user-space interface to the > > kernel > > Crypto API). > > > > A companion patch has been created for the Reference Policy and it > > will be > > posted to its mailing list, once this patch is merged. > > > > Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> > > --- > > security/selinux/hooks.c|5 +++-- > > security/selinux/include/classmap.h |2 ++ > > 2 files changed, 5 insertions(+), 2 deletions(-) > > > > --- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 > > 18:20:52.788066467 +0200 > > +++ linux-4.7.1/security/selinux/hooks.c2016-08-21 > > 18:23:48.603479911 +0200 > > @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit > > return SECCLASS_KEY_SOCKET; > > case PF_APPLETALK: > > return SECCLASS_APPLETALK_SOCKET; > > + case PF_ALG: > > + return SECCLASS_ALG_SOCKET; > > } > > Because this patch changes the object class for existing permission > checks you will need to wrap this with a policy capability, see > selinux_policycap_netpeer for an example. I have posted a revised version of the patch (v4). By the way, I think libsepol needs to be patched too. And, of course, the Reference Policy (the patch is ready). -- Guido
[PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket)
Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API). A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- security/selinux/hooks.c|5 +++-- security/selinux/include/classmap.h |2 ++ 2 files changed, 5 insertions(+), 2 deletions(-)
--- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 18:20:52.788066467 +0200
+++ linux-4.7.1/security/selinux/hooks.c2016-08-21 18:23:48.603479911 +0200
@@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
 return SECCLASS_KEY_SOCKET;
 case PF_APPLETALK:
 return SECCLASS_APPLETALK_SOCKET;
+ case PF_ALG:
+ return SECCLASS_ALG_SOCKET;
 }
 return SECCLASS_SOCKET;
--- linux-4.7.1-orig/security/selinux/include/classmap.h2016-08-18 17:39:50.639133429 +0200
+++ linux-4.7.1/security/selinux/include/classmap.h 2016-08-21 18:30:00.306088371 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 { COMMON_SOCK_PERMS, NULL } },
 { "appletalk_socket",
 { COMMON_SOCK_PERMS, NULL } },
+ { "alg_socket",
+ { COMMON_SOCK_PERMS, NULL } },
 { "packet",
 { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 { "key",
___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
Hello Paul. On Sat, 20/08/2016 at 23.24 -0400, Paul Moore wrote: > On Sat, Aug 20, 2016 at 3:09 PM, Guido Trentalancia > <gu...@trentalancia.net> wrote: > > > > Hello Paul! > > > > The message subject used in the Reference Policy mailing list is: > > "Update the lvm module" and it's one of the most recent posting. > > > > I haven't tried yet reproducing the problem outside of the system > > bootup. > > > > I believe it happens when cryptsetup uses the user-space interface > > to the kernel Crypto API. > > > > Do you have any idea on the reason why the class is being marked as > > "socket" instead of "unix_stream_socket" (for sequential packet > > socket)? > > Thanks for the pointer to the thread; that helped. > > As far as the socket class is concerned, I wonder if cryptsetup is > using an AF_ALG socket? Some quick Googling of the cryptsetup source > repo indicates this may be the case. We don't currently have a > specific object class for the AF_ALG socket family so it would appear > as the generic socket class. There has been a misunderstanding between the socket namespace and style. Indeed, I was missing something ! I have now posted a new version of the patch (v2) which should properly classify the new socket type. Best regards, Guido
Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
Hello Paul. On Sat, 20/08/2016 at 23.24 -0400, Paul Moore wrote: > On Sat, Aug 20, 2016 at 3:09 PM, Guido Trentalancia > <gu...@trentalancia.net> wrote: > > > > Hello Paul! > > > > The message subject used in the Reference Policy mailing list is: > > "Update the lvm module" and it's one of the most recent posting. > > > > I haven't tried yet reproducing the problem outside of the system > > bootup. > > > > I believe it happens when cryptsetup uses the user-space interface > > to the kernel Crypto API. > > > > Do you have any idea on the reason why the class is being marked as > > "socket" instead of "unix_stream_socket" (for sequential packet > > socket)? > > Thanks for the pointer to the thread; that helped. > > As far as the socket class is concerned, I wonder if cryptsetup is > using an AF_ALG socket? Some quick Googling of the cryptsetup source > repo indicates this may be the case. We don't currently have a > specific object class for the AF_ALG socket family so it would appear > as the generic socket class. There has been a misunderstanding between the socket namespace and style. Indeed, I was missing something ! I have now posted a new version of the patch (v2) which should properly classify the new socket type. Best regards, Guido
[PATCH v2] Differentiate between Unix Stream Socket and Sequential Packet Socket
Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API). A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged. Signed-off-by: Guido Trentalancia <gu...@trentalancia.net> --- security/selinux/hooks.c|5 +++-- security/selinux/include/classmap.h |2 ++ 2 files changed, 5 insertions(+), 2 deletions(-)
--- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 18:20:52.788066467 +0200
+++ linux-4.7.1/security/selinux/hooks.c2016-08-21 18:23:48.603479911 +0200
@@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
 return SECCLASS_KEY_SOCKET;
 case PF_APPLETALK:
 return SECCLASS_APPLETALK_SOCKET;
+ case PF_ALG:
+ return SECCLASS_ALG_SOCKET;
 }
 return SECCLASS_SOCKET;
--- linux-4.7.1-orig/security/selinux/include/classmap.h2016-08-18 17:39:50.639133429 +0200
+++ linux-4.7.1/security/selinux/include/classmap.h 2016-08-21 18:30:00.306088371 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 { COMMON_SOCK_PERMS, NULL } },
 { "appletalk_socket",
 { COMMON_SOCK_PERMS, NULL } },
+ { "alg_socket",
+ { COMMON_SOCK_PERMS, "connectto", NULL } },
 { "packet",
 { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 { "key",
___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
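Review bot: The `connectto` permission added to the new `alg_socket` class in the classmap.h hunk has no check behind it: the hooks.c hunk of this posting only maps PF_ALG onto the class, and as far as I recall `connectto` is enforced by the AF_UNIX stream-connect hook for `unix_stream_socket`, which AF_ALG sockets never go through. Declaring a permission that is never checked invites policy authors to write rules that have no effect, so unless a corresponding hook is added the entry should match its neighbours, `{ COMMON_SOCK_PERMS, NULL } },`. The enclosing table starts and ends outside the hunk.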
Re: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
Hello Paul! The message subject used in the Reference Policy mailing list is: "Update the lvm module" and it's one of the most recent postings. I haven't yet tried reproducing the problem outside of the system bootup. I believe it happens when cryptsetup uses the user-space interface to the kernel Crypto API. Do you have any idea on the reason why the class is being marked as "socket" instead of "unix_stream_socket" (for sequential packet socket)? Best regards, Guido On the 20th August 2016 20:44:45 CEST, Paul Moore <pmo...@redhat.com> wrote: >On Sat, Aug 20, 2016 at 1:39 PM, Guido Trentalancia ><gu...@trentalancia.net> wrote: >> Hello Paul, >> >> thanks for getting back on this. >> >> The patch follows a recent discussion with Christopher PeBenito on >the Reference Policy mailing list. > >Which patch/thread (what was the subject line)? I have seen a lot of >patches and discussion between you and Chris lately (thanks for your >contributions!) but I haven't followed them very closely. > >> Christopher suggested modifying the actual code. >> >> I suppose it provides a better insight during code analysis on the >type of socket connections being made and a more fine-grained control >of permissions being granted or denied to the policy designer. > >The only value I can see to this change would be if we needed to >differentiate between AF_UNIX stream and seqpacket connections, and to >be honest I don't see the difference being that important. As I said >before, we need to understand what you are trying to solve and how it >is only possible with this change. The unspecified problem you are >seeing below won't be resolved by this patch (as you already >mentioned). > >> For some reason however, I have seen code using the SOCK_SEQPACKET >type and executed immediately after policy load (possibly from >initramfs, before switchroot) showing up in the log files as using an >unspecified socket type.
I have explained already to Christopher that >this patch won't change such behavior... > >Yes, that should be unrelated to this change. Are you able to >reproduce the above problem reliably?