[PATCH] Modify audit2why analyze function to use loaded policy

2016-06-02 Thread Joshua Brindle
Class and perms should come from the policy being used for analysis,
not the system policy so use sepol_ interfaces

Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
---
 libselinux/src/audit2why.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index 12745b3..abe1701 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self 
__attribute__((unused)) , PyObject *args
if (rc < 0)
RETURN(BADTCON)
 
-   tclass = string_to_security_class(tclassstr);
-   if (!tclass)
+   rc = sepol_string_to_security_class(tclassstr, );
+   if (rc < 0)
RETURN(BADTCLASS)
 
/* Convert the permission list to an AV. */
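Review bot: the new call on the `+` line reads `sepol_string_to_security_class(tclassstr, );` with an empty second argument, so the output pointer (presumably `&tclass`) has been lost somewhere between the patch and this archive; confirm the applied patch passes it, and that `tclass` is declared with the type the libsepol prototype expects rather than the libselinux type used by the removed `string_to_security_class()` call. The error test also changes from `!tclass` to `rc < 0`, which matches the sepol_ return convention as long as `rc` is not reused before the RETURN.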
@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self 
__attribute__((unused)) , PyObject *args
permstr = PyString_AsString( strObj );
 #endif

-   perm = string_to_av_perm(tclass, permstr);
-   if (!perm)
+   rc = sepol_string_to_av_perm(tclass, permstr, );
+   if (rc < 0)
RETURN(BADPERM)
 
av |= perm;
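Review bot: same issue as the class lookup: `sepol_string_to_av_perm(tclass, permstr, );` has an empty third argument, so the `&perm` out-pointer needs to be confirmed in the applied patch. Since the result is OR-ed into `av` on the following line, `perm` and `av` should both use the access-vector type of the sepol_ interface so the lookup and the accumulation agree. The commit message says class and perms must come from the policy being analysed; it would help to state which policydb the sepol_ lookups consult and where this module loads it, since the diff itself does not show that wiring.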
-- 
2.1.0

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: XWindows and CLIP?

2016-06-02 Thread Joshua Brindle

John Chludzinski wrote:

> What are the issues with XWindows and CLIP? Why is CLIP XWindow-less?

CLIP strives to be a minimal system suited to secure solutions and does 
not come with software not necessary for such systems (e.g., cross 
domain solutions).

> Is there something inherently insecure with the XWindow client/server
> model?

Xorg manages interactions between programs running under X itself and is 
therefore an object manager (similar to how an RDBMS is an object 
manager that manages rows and tables).

There is work to extend SELinux controls to Xorg (XACE) but without 
using XACE and X SELinux policy you cannot meaningfully manage 
information flow between X applications using SELinux.




Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-02 Thread Paul Moore
On Wed, Jun 1, 2016 at 4:44 PM, Stephen Smalley  wrote:
> On 06/01/2016 03:18 PM, Eric Dumazet wrote:
>> On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote:
>>> Hello,
>>>
>>> I'm currently trying to debug a problem with 4.7-rc1 and labeled
>>> networking over UDP.  I'm having some difficulty with the latest
>>> 4.7-rc1 builds on my test system at the moment so I haven't been able
>>> to concisely identify the problem, but looking through the commits in
>>> 4.7-rc1 I think there may be a problem with the following:
>>>
>>>   commit e6afc8ace6dd5cef5e812f26c72579da8806f5ac
>>>   Author: samanthakumar 
>>>   Date:   Tue Apr 5 12:41:15 2016 -0400
>>>
>>>udp: remove headers from UDP packets before queueing
>>>
>>>Remove UDP transport headers before queueing packets for reception.
>>>This change simplifies a follow-up patch to add MSG_PEEK support.
>>>
>>>Signed-off-by: Sam Kumar 
>>>Signed-off-by: Willem de Bruijn 
>>>Signed-off-by: David S. Miller 
>>>
>>> ... it appears that this commit changes things so that sk_filter() is
>>> only called when sk->sk_filter is not NULL.  While this is fine for
>>> the traditional socket filter case, it causes problems with LSMs that
>>> make use of security_sock_rcv_skb() to enforce per-packet access
>>> controls.
>>>
>>> Hopefully I'll get 4.7-rc1 booting soon and I can do a proper
>>> bisection test around this patch, but I wanted to mention this now in
>>> case others are seeing the same problem.
>>
>> Thanks for the report. Please try following fix.
>>
>> sk_filter() got additional features like the skb_pfmemalloc() things and
>> security_sock_rcv_skb()
>
> This resolved the SELinux regression for me.
>
> Tested-by: Stephen Smalley 

The patch works for me too.  Eric, are you going to send this to DaveM
(assuming he isn't listening in on this thread and picking it up
himself)?

Tested-by: Paul Moore 

>> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
>> index d56c0559b477..0ff31d97d485 100644
>> --- a/net/ipv4/udp.c
>> +++ b/net/ipv4/udp.c
>> @@ -1618,12 +1618,12 @@ int udp_queue_rcv_skb(struct sock *sk, struct 
>> sk_buff *skb)
>>   }
>>   }
>>
>> - if (rcu_access_pointer(sk->sk_filter)) {
>> - if (udp_lib_checksum_complete(skb))
>> + if (rcu_access_pointer(sk->sk_filter) &&
>> + udp_lib_checksum_complete(skb))
>>   goto csum_error;
>> - if (sk_filter(sk, skb))
>> - goto drop;
>> - }
>> +
>> + if (sk_filter(sk, skb))
>> + goto drop;
>>
>>   udp_csum_pull_header(skb);
>>   if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
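Review bot: the point of the rework is that sk_filter() must run regardless of whether a BPF filter is attached, because (as noted above) it now also carries the skb_pfmemalloc() check and the security_sock_rcv_skb() LSM hook; gating it on `rcu_access_pointer(sk->sk_filter)` silently skipped per-packet LSM enforcement on sockets with no filter. Worth spelling that out in the commit message. Also note the full checksum is still only forced when a filter is attached, so the deferred-checksum behaviour for unfiltered sockets is unchanged by this hunk.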
>> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
>> index 2da1896af934..f421c9f23c5b 100644
>> --- a/net/ipv6/udp.c
>> +++ b/net/ipv6/udp.c
>> @@ -653,12 +653,12 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct 
>> sk_buff *skb)
>>   }
>>   }
>>
>> - if (rcu_access_pointer(sk->sk_filter)) {
>> - if (udp_lib_checksum_complete(skb))
>> - goto csum_error;
>> - if (sk_filter(sk, skb))
>> - goto drop;
>> - }
>> + if (rcu_access_pointer(sk->sk_filter) &&
>> + udp_lib_checksum_complete(skb))
>> + goto csum_error;
>> +
>> + if (sk_filter(sk, skb))
>> + goto drop;
>>
>>   udp_csum_pull_header(skb);
>>   if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
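Review bot: this is the identical transformation to the IPv4 hunk, which is correct, but it is the second hand-maintained copy of the same checksum/sk_filter() ordering; consider a small shared helper so the two receive paths cannot drift apart again. The same commit-message comment applies here.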
>>
>>

-- 
paul moore
www.paul-moore.com


XWindows and CLIP?

2016-06-02 Thread John Chludzinski

What are the issues with XWindows and CLIP? Why is CLIP XWindow-less?

Is there something inherently insecure with the XWindow client/server 
model?



Re: [RFC 1/2] selinux: Stop looking up dentries from inodes

2016-06-02 Thread Andreas Gruenbacher
On Wed, Jun 1, 2016 at 3:44 PM, Stephen Smalley  wrote:
> On 05/31/2016 11:22 AM, Andreas Gruenbacher wrote:
>> With that fixed, could you possibly put this change to test?
>
> Falls over during boot in generic_getxattr(), which still needs a
> non-NULL dentry in the work.selinux branch.

dentry->d_sb needs to be changed to inode->i_sb there.

> Is there a reason that this is being done separately from work.xattr?

I don't know how much work.xattr will shift still (and what I can
still add there), and this change is unrelated, at least so far.

> Also, if we aren't going to call d_find_alias() there, we can likely
> also drop the dget() and dput().

Ah, yes. I'll remove those, thanks.

Andreas


[PATCH] Sort object files for deterministic linking order

2016-06-02 Thread Laurent Bigonville
From: Laurent Bigonville 

This patch is part of the Debian effort to make the build reproducible

Thanks to Reiner Herrmann for the patches

Signed-off-by: Laurent Bigonville 
---
 libselinux/src/Makefile  | 2 +-
 libsemanage/src/Makefile | 2 +-
 libsepol/src/Makefile| 8 
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index ac9a5d6..d94163e 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -49,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y)
 endif
 
 GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
-SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c))
+SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard 
*.c)))
 
 MAX_STACK_SIZE=32768
 
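Review bot: the `+` line is broken across two lines in this archive (`$(sort $(wildcard` / `*.c)))`), which looks like mailer wrapping; confirm the applied patch keeps it on one line, since a hard line break inside `$(filter-out ...)` would leave the SRCS assignment unbalanced. The `$(sort ...)` itself is the right fix for a reproducible link order, with the side note that `$(sort)` also removes duplicate entries, which is harmless for a list of source files.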
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index d6c3f0f..96ee652 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -52,7 +52,7 @@ SWIGRUBYSO=$(RUBYPREFIX)_semanage.so
 LIBSO=$(TARGET).$(LIBVERSION)
 
 GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) semanageswig_python_exception.i
-SRCS= $(filter-out $(GENERATED),$(wildcard *.c))
+SRCS= $(filter-out $(GENERATED),$(sort $(wildcard *.c)))
 
 OBJS= $(patsubst %.c,%.o,$(SRCS)) conf-scan.o conf-parse.o
 LOBJS= $(patsubst %.c,%.lo,$(SRCS)) conf-scan.lo conf-parse.lo
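Review bot: fine as-is: OBJS and LOBJS are derived from SRCS with the explicit conf-scan/conf-parse objects appended, so sorting SRCS gives both a deterministic order. One suggestion for the commit message: it references the Debian reproducible-build effort but does not say why the unsorted `$(wildcard *.c)` order varies between builds; one sentence on that would make the rationale self-contained.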
diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index c0c3274..b0c901f 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -18,15 +18,15 @@ TARGET=libsepol.so
 LIBPC=libsepol.pc
 LIBMAP=libsepol.map
 LIBSO=$(TARGET).$(LIBVERSION)
-OBJS= $(patsubst %.c,%.o,$(wildcard *.c))
-LOBJS= $(patsubst %.c,%.lo,$(wildcard *.c))
+OBJS= $(patsubst %.c,%.o,$(sort $(wildcard *.c)))
+LOBJS= $(patsubst %.c,%.lo,$(sort $(wildcard *.c)))
 CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-format-attribute -O2
 
 override CFLAGS += -I. -I../include -D_GNU_SOURCE
 
 ifneq ($(DISABLE_CIL),y)
-OBJS += $(sort $(patsubst %.c,%.o,$(wildcard $(CILDIR)/src/*.c) 
$(CIL_GENERATED)))
-LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) 
$(CIL_GENERATED)))
+OBJS += $(sort $(patsubst %.c,%.o,$(sort $(wildcard $(CILDIR)/src/*.c)) 
$(CIL_GENERATED)))
+LOBJS += $(sort $(patsubst %.c,%.lo,$(sort $(wildcard $(CILDIR)/src/*.c)) 
$(CIL_GENERATED)))
 override CFLAGS += -I$(CILDIR)/include
 endif
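Review bot: the inner `$(sort $(wildcard $(CILDIR)/src/*.c))` added in the DISABLE_CIL block is redundant: the existing outer `$(sort ...)` already wraps the whole `$(patsubst ...)` result, including `$(CIL_GENERATED)`, so the final OBJS/LOBJS order in that block was deterministic before this change. Suggest dropping the inner sort and keeping only the first two `+` lines of the hunk, which are the ones that actually fix the unsorted `$(wildcard *.c)`.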
 
-- 
2.8.1
