Re: CIL namespaces and blockinheritfilter keyword.

2018-04-09 Thread Gary Tierney

On Mon, Apr 09, 2018 at 01:41:12PM +0200, Lukas Vrabec wrote:

... snip ...

Those wiki pages on SELinuxProject/cil are now pretty out of date 
(you'll notice that some other statements mentioned there like 
`template` are not implemented as well).  The updated documentation is 
at https://github.com/SELinuxProject/selinux/tree/master/secilc/docs.



Hi Dominick,

Yes, this is one of the options to create a hierarchy where the block on
top has just the minimum rules and every child block appends new rules.

Unfortunately, this probably won't work in the real world. Let's say that I
have this hierarchy and the badlogger block contains several allow rules and
I want to inherit all of them except one, *BUT* I'm not an SELinux policy
expert and don't know what the hierarchy looks like. That's the reason why
I'm looking for blockinheritfilter.



I think it's more reasonable for someone not intimate with the policy to
familiarize themselves with the hierarchy/composition of a well structured
policy, rather than what they may need to disallow in a given scope (which may
come from other inherited blocks, calls to macros, or `in` statements scattered
across several policy modules).  This means they can compose their policy out
of high level building blocks rather than low level allow rules (which arguably
would require a policy expert to fully understand the implications of).

"blockinheritfilter" also seems to be at odds with the permission
whitelisting/deny-by-default model of SELinux by having the policy author
revoke permissions rather than permit them.

Thanks,
Gary.


However, we should go with creating a block namespace hierarchy as you
described if there are no plans to implement this feature.

Thanks,
Lukas.


--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.





Re: tomcat_t domain behavior

2017-03-14 Thread Gary Tierney
On Tue, Mar 14, 2017 at 12:24:32PM +0900, 面和毅 wrote:
> Hi list,
> 
> I just found strange behavior on tomcat_t.
> (I checked Fedora25, CentOS7).
> 
> During PoC for CVE-2017-5638(I know RedHat products are
> not affected, just wanted to confirm SELinux behavior),
> I found that tomcat_t can read shadow_t file, access to
> admin_home_t directory, and so on.
> 
> I guess there is a suitable reason to allow those permission
> to tomcat_t, but I just want to confirm the reason.
> 
> - Quick test for tomcat_t -;
> I did just temporary test for checking tomcat_t behavior
> on Fedora25.
> 
> 1. I copied /bin/bash to /root/tomcat_shell.sh, and assigned
> context as "tomcat_exec_t".
> 
> [root@fedora25 ~]# ls -lZ /root/tomcat_shell.sh
> -rwxr-xr-x. 1 root root system_u:object_r:tomcat_exec_t:s0
> 1072008 Mar 14 11:53 /root/tomcat_shell.sh
> 
> 2. I added some cil policy just for this test.
> [root@fedora25 ~]# cat tomcat_sh.cil
> (typeattributeset entry_type tomcat_exec_t)
> (roletype unconfined_r tomcat_t)
> (typetransition unconfined_t tomcat_exec_t process tomcat_t)
> 
> 3. load above module, and run tomcat_shell.sh
> [root@fedora25 ~]# semodule -i tomcat_sh.cil
> [root@fedora25 ~]# ./tomcat_shell.sh
> [root@fedora25 ~]# id -Z
> unconfined_u:unconfined_r:tomcat_t:s0-s0:c0.c1023
> 
> 4. access to shadow file, /root/ file, etc.
> [root@fedora25 ~]# cat /etc/shadow
> root:$6$h0wd.::0:9:7:::
> bin:*:17004:0:9:7:::
> daemon:*:17004:0:9:7:::
> --snip--
> [root@fedora25 ~]# cat /root/tomcat_sh.cil
> (typeattributeset entry_type tomcat_exec_t)
> (roletype unconfined_r tomcat_t)
> (typetransition unconfined_t tomcat_exec_t process tomcat_t)
> [root@fedora25 ~]# ls -lZ /root/tomcat_sh.cil
> -rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0
> 138 Mar 14 12:01 /root/tomcat_sh.cil
> - End -
> 
> So, can I ask the reason why we add these permission to tomcat_t?

These permissions aren't directly added to tomcat, they come from tomcat being 
an unconfined domain:
https://github.com/fedora-selinux/selinux-policy-contrib/blob/f25/tomcat.te#L21

$ sesearch -ACS -s tomcat_t -t shadow_t -c file -p read
Found 1 semantic av rules:
   allow files_unconfined_type file_type : file { ioctl read write create 
getattr setattr lock relabelfrom relabelto append unlink link rename execute 
swapon quotaon mounton execute_no_trans open audit_access } ; 

$ seinfo -ttomcat_t -x
   tomcat_t
  can_read_shadow_passwords
  can_write_shadow_passwords
  can_relabelto_shadow_passwords
  can_change_object_identity
  can_load_kernmodule
  can_load_policy
  can_setbool
  can_setenforce
  corenet_unconfined_type
  corenet_unlabeled_type
  devices_unconfined_type
  domain
  files_unconfined_type
  filesystem_unconfined_type
  kern_unconfined
  kernel_system_state_reader
  process_uncond_exempt
  selinux_unconfined_type
  storage_unconfined_type
  unconfined_domain_type
  dbusd_unconfined
  daemon
  syslog_client_type
  sepgsql_unconfined_type
  tomcat_domain
  userdom_filetrans_type
  x_domain
  xserver_unconfined_type

I don't see why Tomcat would need to be an unconfined domain, though.

> 
> Kind Regards,
> 
> OMO
> 
> 
> -- 
> Kazuki Omo: ka-...@sios.com
> OSS  Evangelist
> OSS Business Planning Dept.
> CISSP #366942
> http://www.secureoss.jp/
> Tel: +819026581386
> _______
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

-- 
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get=0x706ED76585AA79D8



Re: [PATCH] security: selinux: allow changing labels for cgroupfs

2017-02-02 Thread Gary Tierney
On Thu, Feb 02, 2017 at 03:42:28PM +0100, Antonio Murdaca wrote:
> This patch allows changing labels for cgroup mounts. Previously, running
> chcon on cgroupfs would throw an "Operation not supported". This patch
> specifically whitelist cgroupfs.
> 
> The patch could also allow containers to write only to the systemd cgroup
> for instance, while the other cgroups are kept with cgroup_t label.
> 
> Signed-off-by: Antonio Murdaca 
> ---
>  security/selinux/hooks.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3b955c6..4e84211 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -480,6 +480,7 @@ static int selinux_is_sblabel_mnt(struct super_block *sb)
>   sbsec->behavior == SECURITY_FS_USE_NATIVE ||
>   /* Special handling. Genfs but also in-core setxattr handler */
>   !strcmp(sb->s_type->name, "sysfs") ||
> + !strcmp(sb->s_type->name, "cgroup") ||

Should we also include "cgroup2" here, since they are defined as 2
distinct filesystems? 
https://github.com/SELinuxProject/selinux-kernel/blob/master/kernel/cgroup.c#L2314-L2326

>   !strcmp(sb->s_type->name, "pstore") ||
>   !strcmp(sb->s_type->name, "debugfs") ||
>   !strcmp(sb->s_type->name, "tracefs") ||
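Review bot: the added `!strcmp(sb->s_type->name, "cgroup") ||` matches only the v1 filesystem name, while the commit message says it whitelists cgroupfs as such; the linked cgroup.c registers the unified hierarchy as a separate "cgroup2" filesystem type, so either add a `!strcmp(sb->s_type->name, "cgroup2") ||` line beside it or state in the commit message that cgroup v2 mounts intentionally stay unlabelable.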
> -- 
> 2.9.3
> 


Re: [PATCH] libsepol/cil: remove avrules with no affected types

2016-12-07 Thread Gary Tierney
On Wed, Dec 07, 2016 at 08:27:05AM -0500, Stephen Smalley wrote:
> On 12/07/2016 07:15 AM, Gary Tierney wrote:
> > Adds a check for avrules with type attributes that have a bitmap cardinality
> > of 0 (i.e., no types in their set) before adding them to the libsepol 
> > policy in
> > __cil_avrule_to_avtab().  Also adds an exception for neverallow rules to
> > prevent breaking anything from AOSP mentioned in
> > f9927d9370f90bd9d975ff933fe107ec4f93a9ac.
> 
> James Carter is away for a few days, so this might be delayed in review.
> 

No problem.  I'll try and get the second part of this (removing typeattributes
which are only used in these dud avrules) to the list in time for reviewing
this.

> > 
> > Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
> > ---
> >  libsepol/cil/src/cil_binary.c | 47 
> > +++
> >  1 file changed, 47 insertions(+)
> > 
> > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > index d33981b..3aa350a 100644
> > --- a/libsepol/cil/src/cil_binary.c
> > +++ b/libsepol/cil/src/cil_binary.c
> > @@ -1411,6 +1411,48 @@ exit:
> > return rc;
> >  }
> >  
> > +static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
> > +{
> > +   struct cil_tree_node *node = NULL;
> > +   struct cil_typeattribute *attrib = NULL;
> > +
> > +   if (src->fqn == CIL_KEY_SELF) {
> > +   return CIL_FALSE;
> > +   }
> > +
> > +   node = src->nodes->head->data;
> > +
> > +   if (node->flavor != CIL_TYPEATTRIBUTE) {
> > +   return CIL_FALSE;
> > +   }
> > +
> > +   attrib = (struct cil_typeattribute *) src;
> > +   return ebitmap_cardinality(attrib->types) == 0;
> > +}
> > +
> > +static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
> > +{
> > +   struct cil_symtab_datum *src = cil_avrule->src;
> > +   struct cil_symtab_datum *tgt = cil_avrule->tgt;
> > +
> > +   // Don't remove neverallow rules so they are written to
> > +   // the resulting policy and can be checked by tools in
> > +   // AOSP.
> > +   if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
> > +   return CIL_FALSE;
> > +   }
> > +
> > +   if (__cil_type_datum_is_unused_attrib(src)) {
> > +   return CIL_TRUE;
> > +   }
> > +
> > +   if (__cil_type_datum_is_unused_attrib(tgt)) {
> > +   return CIL_TRUE;
> > +   }
> > +
> > +   return CIL_FALSE;
> > +}
> > +
> >  int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct 
> > cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
> >  {
> > int rc = SEPOL_ERR;
> > @@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const 
> > struct cil_db *db, struct cil_a
> > goto exit;
> > }
> >  
> > +   if (__cil_avrule_can_remove(cil_avrule)) {
> > +   rc = SEPOL_OK;
> > +   goto exit;
> > +   }
> > +
> > src = cil_avrule->src;
> > tgt = cil_avrule->tgt;
> >  
> > 
> 

-- 
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get=0x706ED76585AA79D8



[PATCH] cil: remove avrules that have no associated types

2016-12-07 Thread Gary Tierney
This is a minor improvement to the CIL -> policydb code which will remove
unused AV rules.  In the past you could create 2 type attributes like so:

(typeattribute x)
(typeattribute y)
(type z)
(typeattributeset y z)

And an avrule (which would be kept in the resulting policydb):

(allow x y (process (transition)))

Now the avrule would be removed, since the source of the rule has
no associated types.  Similarly, the rule would have been removed if the
target had no associated types when the source does.  The exception to this
rule is neverallows, since AOSP checks for them in their resulting policy.conf.

There's a small difference in fedora-selinux:

[root@localhost ~]# sesearch -ACS original.30  | head -1
Found 101204 semantic av rules:
[root@localhost ~]# sesearch -ACS modified.30  | head -1
Found 101030 semantic av rules:

And a more noticeable difference with Dominick Grift's dssp1:

[root@localhost ~]# sesearch -ACS dssp_original.30 | head -1
Found 11270 semantic av rules:
[root@localhost ~]# sesearch -ACS dssp_modified.30 | head -1
Found 2574 semantic av rules:

Gary Tierney (1):
  libsepol/cil: remove avrules with no affected types

 libsepol/cil/src/cil_binary.c | 47 +++
 1 file changed, 47 insertions(+)

-- 
2.4.11

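The pruning described in this cover letter, worked through on its own x/y/z example as an added illustration (a constructed mini CIL parser in Python, not libsepol's code): attributes are resolved to their concrete type sets, and an av rule whose source or target attribute resolves to the empty set is dropped unless it is a neverallow.

```python
"""Model of the avrule pruning described above (added example with a constructed
mini CIL parser; not libsepol code): rules whose source or target is a type
attribute with no associated types are dropped, neverallows excepted."""
import re

TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
AVRULE_KINDS = ("allow", "auditallow", "dontaudit", "neverallow")


def parse_cil(text):
    """Parse CIL s-expressions into nested lists; names stay strings."""
    stack = [[]]
    for tok in TOKEN_RE.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())   # IndexError on a stray ')'
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]


class Policy:
    def __init__(self, statements):
        self.types = set()
        self.attrs = {}      # attribute -> list of typeattributeset exprs
        self.avrules = []    # (kind, src, tgt, perms)
        self._cache = {}
        for stmt in statements:
            head = stmt[0]
            if head == "type":
                self.types.add(stmt[1])
            elif head == "typeattribute":
                self.attrs.setdefault(stmt[1], [])
            elif head == "typeattributeset":
                self.attrs.setdefault(stmt[1], []).append(stmt[2])
            elif head in AVRULE_KINDS:
                self.avrules.append((head, stmt[1], stmt[2], stmt[3]))

    def attr_types(self, name):
        """Concrete types of an attribute (what ebitmap_cardinality counts)."""
        if name not in self._cache:
            result = set()
            for expr in self.attrs[name]:
                result |= self._eval(expr)
            self._cache[name] = result
        return self._cache[name]

    def _eval(self, expr):
        """Set expression: a name, a list of names, (and a b) or (or a b)."""
        if isinstance(expr, str):
            if expr in self.types:
                return {expr}
            if expr in self.attrs:
                return self.attr_types(expr)
            raise ValueError("unknown type or attribute: " + expr)
        if expr[0] in ("and", "or"):
            a, b = self._eval(expr[1]), self._eval(expr[2])
            return a & b if expr[0] == "and" else a | b
        out = set()          # plain list (z w) is the union z | w
        for item in expr:
            out |= self._eval(item)
        return out

    def is_empty_attr(self, name):
        """Like __cil_type_datum_is_unused_attrib(): only an attribute with
        no types qualifies; 'self' and concrete types never do."""
        return name != "self" and name in self.attrs and not self.attr_types(name)

    def can_remove(self, rule):
        """Counterpart of __cil_avrule_can_remove()."""
        kind, src, tgt, _perms = rule
        if kind == "neverallow":   # kept so AOSP tooling can still check them
            return False
        return self.is_empty_attr(src) or self.is_empty_attr(tgt)

    def prune_avrules(self):
        """(kept, removed): __cil_avrule_to_avtab() now skips the latter."""
        kept, removed = [], []
        for rule in self.avrules:
            (removed if self.can_remove(rule) else kept).append(rule)
        return kept, removed


# Constructed sample: the cover letter's x/y/z plus w, empty because it
# intersects y with the (empty) attribute x.
SAMPLE_CIL = """
(typeattribute x)
(typeattribute y)
(typeattribute w)
(type z)
(typeattributeset y z)
(typeattributeset w (and y x))
(allow x y (process (transition)))
(allow z y (process (transition)))
(allow z w (file (read)))
(neverallow x y (process (transition)))
(allow z self (process (fork)))
"""


def demo():
    return Policy(parse_cil(SAMPLE_CIL)).prune_avrules()
```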


[PATCH] libsepol/cil: remove avrules with no affected types

2016-12-07 Thread Gary Tierney
Adds a check for avrules with type attributes that have a bitmap cardinality
of 0 (i.e., no types in their set) before adding them to the libsepol policy in
__cil_avrule_to_avtab().  Also adds an exception for neverallow rules to
prevent breaking anything from AOSP mentioned in
f9927d9370f90bd9d975ff933fe107ec4f93a9ac.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsepol/cil/src/cil_binary.c | 47 +++
 1 file changed, 47 insertions(+)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index d33981b..3aa350a 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1411,6 +1411,48 @@ exit:
return rc;
 }
 
+static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
+{
+   struct cil_tree_node *node = NULL;
+   struct cil_typeattribute *attrib = NULL;
+
+   if (src->fqn == CIL_KEY_SELF) {
+   return CIL_FALSE;
+   }
+
+   node = src->nodes->head->data;
+
+   if (node->flavor != CIL_TYPEATTRIBUTE) {
+   return CIL_FALSE;
+   }
+
+   attrib = (struct cil_typeattribute *) src;
+   return ebitmap_cardinality(attrib->types) == 0;
+}
+
+static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
+{
+   struct cil_symtab_datum *src = cil_avrule->src;
+   struct cil_symtab_datum *tgt = cil_avrule->tgt;
+
+   // Don't remove neverallow rules so they are written to
+   // the resulting policy and can be checked by tools in
+   // AOSP.
+   if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
+   return CIL_FALSE;
+   }
+
+   if (__cil_type_datum_is_unused_attrib(src)) {
+   return CIL_TRUE;
+   }
+
+   if (__cil_type_datum_is_unused_attrib(tgt)) {
+   return CIL_TRUE;
+   }
+
+   return CIL_FALSE;
+}
+
 int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct 
cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
 {
int rc = SEPOL_ERR;
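Review bot: `__cil_type_datum_is_unused_attrib()` is a misleading name for what the function checks, an attribute whose type set is empty; "unused" reads as an attribute no rule references, which is a different property, so `__cil_type_datum_is_empty_attrib()` would say what is tested. The function also dereferences `attrib->types` unconditionally in `ebitmap_cardinality(attrib->types)`; please confirm every attribute that reaches `__cil_avrule_to_avtab()` has had its bitmap allocated, or guard it with a NULL check.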
@@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct 
cil_db *db, struct cil_a
goto exit;
}
 
+   if (__cil_avrule_can_remove(cil_avrule)) {
+   rc = SEPOL_OK;
+   goto exit;
+   }
+
src = cil_avrule->src;
tgt = cil_avrule->tgt;
 
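Review bot: the early `rc = SEPOL_OK; goto exit;` drops the rule silently; a `cil_log(CIL_INFO, ...)` naming the source and target would let a policy author see that a rule was elided because one of its attributes is empty, rather than wondering why `sesearch` cannot find it.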
-- 
2.4.11



Filtering an avtab in libsepol

2016-12-06 Thread Gary Tierney

Hi,

I've been working on optimizing out AV rules with no applicable types as 
well as unused attributes to trim down the size of a policy which uses 
CIL blocks and attributes extensively.  Looking into the avtab code (and 
how creating a new avtab is implemented in expand.c) I have a question:


Does the following suffice for taking an existing avtab and creating a 
new one with all of its elements?  Or do I need to consider 
avtab_insert_nonunique() like expand.c does?  If I'm following the 
expand_avtab() code correctly, I'd think I'd need to consider conditional 
avtabs in the following code:


#include <stdlib.h>
#include <sepol/policydb/avtab.h>
#include <sepol/policydb/policydb.h>

static int copy_avtab_map_fn(avtab_key_t *key, avtab_datum_t *datum,
			     void *args)
{
	avtab_t *avtab = (avtab_t *) args;

	/* avtab_insert() copies *key and *datum into a fresh node */
	return avtab_insert(avtab, key, datum);
}

static int copy_avtab(avtab_t *avtab, avtab_t **out)
{
	/* avtab_init() only resets the fields of an existing table, so the
	 * table itself has to be allocated first (passing NULL crashes) */
	avtab_t *tmp = calloc(1, sizeof(*tmp));
	if (tmp == NULL || avtab_init(tmp)) {
		free(tmp);
		return POLICYDB_ERROR;
	}

	/* size the hash table for up to MAX_AVTAB_SIZE rules */
	if (avtab_alloc(tmp, MAX_AVTAB_SIZE)) {
		goto err;
	}

	/* insert every (key, datum) pair of the source table */
	if (avtab_map(avtab, copy_avtab_map_fn, tmp)) {
		goto err;
	}

	*out = tmp;
	return POLICYDB_SUCCESS;

err:
	avtab_destroy(tmp);
	free(tmp);
	return POLICYDB_ERROR;
}

Is that the right idea?

Thanks.

--
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get=0x706ED76585AA79D8 



Re: [SECILC] does not seem to filter redundant attributes and rules

2016-11-09 Thread Gary Tierney
On Wed, Nov 09, 2016 at 09:52:35AM -0500, James Carter wrote:
> On 11/09/2016 07:40 AM, Dominick Grift wrote:
> >I am in the process of a DSSP rewrite, taking a different approach this
> >time.
> >
> >However I encountered something that seems suboptimal:
> >
> >SECILC seems to not filter redundant attributes and rules
> >
> >Example i have a type attribute and it has rules associated with it.
> >However, the type attribute is not associated with any types.
> >
> >I was hoping that SECILC would be smart enough to determine that it
> >might as well filter both the type attribute as well as the rules
> >associated with it.
> >
> >To reproduce:
> >
> >git clone https://github.com/DefenSec/dssp1-base.git
> >cd dssp1-base
> >secilc `ls *.cil`
> >sesearch -ASCT -s lib.ld_so.read_files_subj_type_attribute policy.30
> >seinfo -xalib.ld_so.read_files_subj_type_attribute policy.30
> >
> >
> >Am i expecting the impossible by expecting SECILC to be smart enough to
> >determine that something is redundant, and that it can be filtered out
> >until it becomes applicable?
> >
> >
> 
> I don't think that it would be too hard to remove attributes that have no
> types associated with them along with rules containing those attributes. I
> have this nagging feeling, though, that there is a reason that we didn't do
> that. I'll have to think about it a bit.
> 
> Jim
>

I had a hack 'n' slash attempt at this earlier for just avrules by adding
naive checks in avrule_write (libsepol/src/write.c) to check if both the
source and target type_set bitmaps have a cardinality of 0, though I couldn't
help but think I was missing something else.  That didn't work in any case,
and it didn't seem like that code path is ever hit when a CIL policy is
written to disk (maybe avrule_write is only called for module policy?).

Any hints on where I can start prodding?  Would be nice to get an idea of how
the binary policy is serialized too.
> 
> >
> >
> 
> 
> -- 
> James Carter <jwca...@tycho.nsa.gov>
> National Security Agency

-- 
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get=0x706ED76585AA79D8



[PATCH v2 1/1] libsepol/cil: create user and role caches when building binary policy

2016-10-03 Thread Gary Tierney
Pre-expands the role and user caches used in context validation when
converting a cildb to a binary policydb.  This is currently only done
when loading a binary policy and prevents context validation from
working correctly with a newly built policy (i.e., when semanage builds
a new policy and then runs genhomedircon).

Also adds declarations for the hashtable mapping functions used:
policydb_role_cache() and policydb_user_cache().

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsepol/cil/src/cil_binary.c  | 13 +
 libsepol/include/sepol/policydb/policydb.h |  8 
 2 files changed, 21 insertions(+)

diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index cc73648..5402272 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -4794,6 +4794,19 @@ int cil_binary_create_allocated_pdb(const struct cil_db 
*db, sepol_policydb_t *p
 
}
 
+   /* This pre-expands the roles and users for context validity checking */
+   if (hashtab_map(pdb->p_roles.table, policydb_role_cache, pdb)) {
+   cil_log(CIL_INFO, "Failure creating roles cache");
+   rc = SEPOL_ERR;
+   goto exit;
+}
+
+   if (hashtab_map(pdb->p_users.table, policydb_user_cache, pdb)) {
+   cil_log(CIL_INFO, "Failure creating users cache");
+   rc = SEPOL_ERR;
+   goto exit;
+   }
+
rc = SEPOL_OK;
 
 exit:
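Review bot: the closing brace of the first new `if` block (the `}` after the first `goto exit;`) is not indented like the second block's; also both failures are logged at `CIL_INFO` although they set `rc = SEPOL_ERR` and abort the build, so `CIL_ERR` is the consistent level for these messages.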
diff --git a/libsepol/include/sepol/policydb/policydb.h 
b/libsepol/include/sepol/policydb/policydb.h
index 26cec13..d99fcf4 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -608,6 +608,14 @@ extern int policydb_index_bools(policydb_t * p);
 extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
 unsigned int verbose);
 
+extern int policydb_role_cache(hashtab_key_t key,
+  hashtab_datum_t datum,
+  void *arg);
+
+extern int policydb_user_cache(hashtab_key_t key,
+  hashtab_datum_t datum,
+  void *arg);
+
 extern int policydb_reindex_users(policydb_t * p);
 
 extern void policydb_destroy(policydb_t * p);
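Review bot: these two `extern` declarations make `policydb_role_cache()` and `policydb_user_cache()` part of libsepol's public policydb.h; if they are intended only for CIL's use, a one-line comment that they are `hashtab_map()` callbacks rather than general API would keep other consumers from depending on them.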
-- 
2.4.11



Re: [PATCH 1/1] libsepol/cil: create user and role caches when building binary policy

2016-10-03 Thread Gary Tierney
On Mon, Oct 03, 2016 at 11:46:19AM +0100, Gary Tierney wrote:
> Pre-expands the role and user caches used in context validation when
> converting a cildb to a binary policydb.  This is currently only done
> when loading a binary policy and prevents context validation from
> working correctly with a newly built policy (i.e., when semanage builds
> a new policy and then runs genhomedircon).
> 
> Also adds declarations for the hashtable mapping functions used:
> policydb_role_cache() and policydb_user_cache().
> 
> Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
> ---
>  libsepol/cil/src/cil_binary.c  | 7 +++
>  libsepol/include/sepol/policydb/policydb.h | 8 
>  2 files changed, 15 insertions(+)
> 
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index cc73648..200101e 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -4794,6 +4794,13 @@ int cil_binary_create_allocated_pdb(const struct 
> cil_db *db, sepol_policydb_t *p
>  
>   }
>  
> + /* This pre-expands the roles and users for context validity checking */
> + if (hashtab_map(pdb->p_roles.table, policydb_role_cache, pdb))
> + return -1;
> +
> + if (hashtab_map(pdb->p_users.table, policydb_user_cache, pdb))
> + return -1;
> +
>   rc = SEPOL_OK;
>  
>  exit:
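Review bot: the two new `return -1;` statements bypass the function's `exit:` label and return a bare -1 rather than `SEPOL_ERR`, which is inconsistent with the `rc = SEPOL_OK; ... exit:` convention visible right below them; set `rc = SEPOL_ERR` and `goto exit` instead (the author's follow-up in this thread says the same).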
> diff --git a/libsepol/include/sepol/policydb/policydb.h 
> b/libsepol/include/sepol/policydb/policydb.h
> index 26cec13..d99fcf4 100644
> --- a/libsepol/include/sepol/policydb/policydb.h
> +++ b/libsepol/include/sepol/policydb/policydb.h
> @@ -608,6 +608,14 @@ extern int policydb_index_bools(policydb_t * p);
>  extern int policydb_index_others(sepol_handle_t * handle, policydb_t * p,
>unsigned int verbose);
>  
> +extern int policydb_role_cache(hashtab_key_t key,
> +hashtab_datum_t datum,
> +void *arg);
> +
> +extern int policydb_user_cache(hashtab_key_t key,
> +hashtab_datum_t datum,
> +void *arg);
> +
>  extern int policydb_reindex_users(policydb_t * p);
>  
>  extern void policydb_destroy(policydb_t * p);
> -- 
> 2.4.11
> 

Ah, that return should be a goto.  Sending a v2.

-- 
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get=0x706ED76585AA79D8



[PATCH 0/1] libsepol/cil: create role/user caches for context validation

2016-10-03 Thread Gary Tierney
This patch sets up the role/user caches used in context_is_valid() when a cildb
is compiled to a binary policy.  Previously, it seems like these would only be
available when a binary policy had been loaded from file as opposed to rebuilt
from source.

Gary Tierney (1):
  libsepol/cil: create user and role caches when building binary policy

 libsepol/cil/src/cil_binary.c  | 7 +++
 libsepol/include/sepol/policydb/policydb.h | 8 
 2 files changed, 15 insertions(+)

-- 
2.4.11



Re: [PATCH 1/1] genhomedircon: support policies using RBACSEP

2016-09-23 Thread Gary Tierney

On Fri, Sep 23, 2016 at 03:36:47PM -0400, Stephen Smalley wrote:

On 09/23/2016 10:28 AM, Gary Tierney wrote:

Introduces support for generating homedir/user contexts for policies
that implement RBACSEP.  The support works by taking the prefix of a
login's seuser and replacing the role field in their context
specifications with the prefix.  A new option "genhomedircon-rbacsep"
was added to /etc/selinux/semanage.conf to allow toggling this behavior.


The user prefix was previously used as a prefix for types, e.g. you
could have:
HOME_DIR/\.gnupg(/.+)?  system_u:object_r:ROLE_gpg_secret_t
and get it replaced with:
/home/[^/]+/\.gnupg(/.+)?   system_u:object_r:user_gpg_secret_t
/root/\.gnupg(/.+)? system_u:object_r:sysadm_gpg_secret_t

So I guess you could use it for the role field too, but for consistency
you would want it to be:
HOME_DIR/\.gnupg(/.+)?  system_u:ROLE_r:ROLE_gpg_secret_t

and the prefix would still just be "user".



That would work for us currently with refpolicy, but if I write a 
similar CIL statement:


(filecon "HOME_DIR/\.gnupg(/.+)?" (system_u ROLE_r ROLE_gpg_secret_t))

Then I get a compile error because secilc thinks ROLE_r is the name of 
the role.  I don't think there's any way to work around this in CIL.




The user prefix can be set from both standard kernel policy and CIL:

CIL:
(user user_u)
(role user_r)
(userrole user_u user_r)
(userprefix user_u user_r)

kernel policy language:
role user_r;
user user_u roles { user_r } prefix user_r;

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/conf-parse.y| 14 +-
 libsemanage/src/conf-scan.l |  1 +
 libsemanage/src/genhomedircon.c | 30 +-
 libsemanage/src/semanage_conf.h |  1 +
 4 files changed, 44 insertions(+), 2 deletions(-)


diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 3fc9e7a..98f9ebd 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -857,7 +866,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
int errors = 0;

retval = semanage_seuser_list(s->h_semanage, _list, );
-   if (retval < 0 || (nseusers < 1)) {
+   if (retval < 0 || (nseusers < 2)) {


Why did this test change?



My mistake, didn't intend to include that in this patch.

 		/* if there are no users, this function can't do any other 
 		work */

return errors;
}
@@ -886,6 +895,17 @@ static int setup_fallback_user(genhomedircon_settings_t * 
s)
level = FALLBACK_LEVEL;
}

+   if (u && s->h_semanage->conf->genhomedircon_rbacsep &&
+   !semanage_user_has_role(u, prefix)) {


I don't think you want to use prefix alone here, since it may be a
prefix rather than a role name.

The kernel policy contains the list of authorized roles for the user, so
libsepol could export that, but that won't tell you anything about a
default.

libselinux get_default_context() and friends are context-sensitive (the
result depends on the caller's context, such that it may differ for
login vs sshd vs gdm and even among multiple distinct instances of any
of these, e.g. if they have different levels), so I don't think you can
use those.

I don't think we presently provide a good way to find this information,
which is why we added the user prefix in the first place.  But it is
intended to be a prefix, not a role.


Do you have any suggestions on how this information could be configured? 
I toyed with extending the policy language to support something like a 
"userhomedirrole" statement, but didn't look too much into what the 
implications of that would be.  That doesn't seem too suitable either 
since it'd only be used by genhomedircon.


I agree that the prefix isn't really suitable and this is more of a hack 
than a good solution (I forgot to include RFC in the subject!), though 
I'm unsure what the next step would be in creating a good solution for 
this.  Any input would be appreciated.




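The two substitutions debated in this thread, worked through as an added example in Python (not libsemanage's genhomedircon code): the existing ROLE prefix substitution Stephen describes, and the patch's "genhomedircon-rbacsep" mode that writes the prefix into the role field and skips users whose prefix is not a declared role. It assumes the existing HOME_DIR/ROLE substitution still runs over the whole line before the role field is overwritten; the users, roles and template line are constructed.

```python
"""Model of genhomedircon's homedir template expansion (added example, not
libsemanage code; users, roles and the template line are constructed).  It
assumes the existing HOME_DIR/ROLE substitution still runs over the whole line
before rbacsep overwrites the role field."""

TEMPLATE_HOME_DIR = "HOME_DIR"
TEMPLATE_ROLE = "ROLE"


def expand_line(line, home_dir, prefix, roles, rbacsep=False):
    """Expand one template line for one user.

    HOME_DIR becomes the user's home regex and every ROLE becomes the user
    prefix (the existing mechanism Stephen describes).  With rbacsep the
    role field of the context is then overwritten with the prefix; if the
    prefix is not a declared role, None is returned, the case the patch
    reports with WARNING_RBACSEP_INVALID_ROLE and skips."""
    line = line.replace(TEMPLATE_HOME_DIR, home_dir).replace(TEMPLATE_ROLE, prefix)
    fields = line.split()               # path spec(s) ... context
    if rbacsep:
        if prefix not in roles:
            return None
        user, _role, rest = fields[-1].split(":", 2)
        fields[-1] = ":".join((user, prefix, rest))
    return " ".join(fields)


def generate(template, users, roles, rbacsep=False):
    """Expand every template line for every (seuser, prefix, home_dir) tuple.
    Returns (lines, skipped_seusers)."""
    lines, skipped = [], []
    for seuser, prefix, home_dir in users:
        for tmpl in template:
            out = expand_line(tmpl, home_dir, prefix, roles, rbacsep)
            if out is None:
                skipped.append(seuser)
                break
            lines.append(out)
    return lines, skipped


# Constructed inputs: the gnupg line from the thread, refpolicy-style users
# with type prefixes, and the patch's role-named prefix for user_u.
ROLES = {"object_r", "user_r", "sysadm_r"}
TEMPLATE = [r"HOME_DIR/\.gnupg(/.+)?  system_u:object_r:ROLE_gpg_secret_t"]
PREFIX_USERS = [("user_u", "user", "/home/[^/]+"),
                ("sysadm_u", "sysadm", "/root")]
RBACSEP_USERS = [("user_u", "user_r", "/home/[^/]+"),
                 ("guest_u", "guest", "/home/guest")]   # 'guest' is not a role


def demo_prefix():
    """Existing behaviour: ROLE_gpg_secret_t -> user_/sysadm_gpg_secret_t."""
    return generate(TEMPLATE, PREFIX_USERS, ROLES)


def demo_rbacsep():
    """The patch's mode with (userprefix user_u user_r): the role field is
    set from the prefix, but the same prefix also lands in the type name,
    and guest_u is skipped because its prefix is not a role."""
    return generate(TEMPLATE, RBACSEP_USERS, ROLES, rbacsep=True)


def demo_role_template():
    """Stephen's consistent alternative: keep the prefix 'user' and write
    ROLE_r into the role field of the template itself."""
    tmpl = [r"HOME_DIR/\.gnupg(/.+)?  system_u:ROLE_r:ROLE_gpg_secret_t"]
    return generate(tmpl, PREFIX_USERS, ROLES)
```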

Re: [PATCH 1/1] genhomedircon: support policies using RBACSEP

2016-09-23 Thread Gary Tierney
On Fri, Sep 23, 2016 at 03:28:44PM +0100, Gary Tierney wrote:
> Introduces support for generating homedir/user contexts for policies
> that implement RBACSEP.  The support works by taking the prefix of a
> login's seuser and replacing the role field in their context
> specifications with the prefix.  A new option "genhomedircon-rbacsep"
> was added to /etc/selinux/semanage.conf to allow toggling this behavior.
> 
> The user prefix can be set from both standard kernel policy and CIL:
> 
> CIL:
> (user user_u)
> (role user_r)
> (userrole user_u user_r)
> (userprefix user_u user_r)
> 
> kernel policy language:
> role user_r;
> user user_u roles { user_r } prefix user_r;
> 
> Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
> ---
>  libsemanage/src/conf-parse.y| 14 +-
>  libsemanage/src/conf-scan.l |  1 +
>  libsemanage/src/genhomedircon.c | 30 +-
>  libsemanage/src/semanage_conf.h |  1 +
>  4 files changed, 44 insertions(+), 2 deletions(-)
> 
> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
> index b527e89..d2112d2 100644
> --- a/libsemanage/src/conf-parse.y
> +++ b/libsemanage/src/conf-parse.y
> @@ -61,7 +61,7 @@ static int parse_errors;
>  
>  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED 
> TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
>  %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START 
> DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
> -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
> +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL GENHOMEDIRCON_RBACSEP
>  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>  %token PROG_PATH PROG_ARGS
>  %token  ARG
> @@ -95,6 +95,7 @@ single_opt: module_store
>   |   bzip_blocksize
>   |   bzip_small
>   |   remove_hll
> + |   genhomedircon_rbacsep
>  ;
>  
>  module_store:   MODULE_STORE '=' ARG {
> @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
>   free($3);
>  }
>  
> +genhomedircon_rbacsep:  GENHOMEDIRCON_RBACSEP'=' ARG {
> + if (strcasecmp($3, "false") == 0) {
> + current_conf->genhomedircon_rbacsep = 0;
> + } else if (strcasecmp($3, "true") == 0) {
> + current_conf->genhomedircon_rbacsep = 1;
> + } else {
> + yyerror("genhomedircon-rbacsep can only be 'true' or 'false'");
> + }
> + free($3);
> +}
> +
>  command_block: 
>  command_start external_opts BLOCK_END  {
>  if (new_external->path == NULL) {
> diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
> index 607bbf0..114098c 100644
> --- a/libsemanage/src/conf-scan.l
> +++ b/libsemanage/src/conf-scan.l
> @@ -54,6 +54,7 @@ handle-unknownreturn HANDLE_UNKNOWN;
>  bzip-blocksize   return BZIP_BLOCKSIZE;
>  bzip-small   return BZIP_SMALL;
>  remove-hll   return REMOVE_HLL;
> +genhomedircon-rbacsepreturn GENHOMEDIRCON_RBACSEP;
>  "[load_policy]"   return LOAD_POLICY_START;
>  "[setfiles]"  return SETFILES_START;
>  "[sefcontext_compile]"  return SEFCONTEXT_COMPILE_START;
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 3fc9e7a..98f9ebd 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -71,6 +71,10 @@
>  #define COMMENT_USER_HOME_CONTEXT "\n\n#\n# Home Context for user %s" \
>   "\n#\n\n"
>  
> +#define WARNING_RBACSEP_INVALID_ROLE  "genhomedircon-rbacsep is enabled, " \
> + "but the user prefix of " \
> + "'%s' for %s is not a valid role.  Skipping user."
> +
>  /* placeholders used in the template file
> which are searched for and replaced */
>  #define TEMPLATE_HOME_ROOT "HOME_ROOT"
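Review bot: WARNING_RBACSEP_INVALID_ROLE is added here but nothing in the hunks shown uses it, and the write_contexts() change later in this patch goes to fail instead of warning and skipping the user as this message promises; either the check that validates user->prefix as a role (and emits this warning) belongs in this patch, or the macro should be dropped until it is used.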
> @@ -638,6 +642,11 @@ static int write_contexts(genhomedircon_settings_t *s, 
> FILE *out,
>   goto fail;
>   }
>  
> + if (s->h_semanage->conf->genhomedircon_rbacsep &&
> + sepol_context_set_role(sepolh, context, user->prefix) < 0) {
> + goto fail;
> + }
> +
>   if (sepol_context_to_string(sepolh, context,
>   _context_str) < 0) {
>   goto fail;
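Review bot: a sepol_context_set_role() failure here aborts write_contexts() for all remaining template lines, and with it the whole file_contexts.homedirs generation, where skipping just this user with WARNING_RBACSEP_INVALID_ROLE (defined earlier in the patch) would be the gentler outcome. Note also that sepol_context_set_role() only records the string and does not check it against the policy, so a prefix that is not a role would be written into the context unchanged. Validating user->prefix once per user before this loop, and skipping that user with the warning, covers both.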
> @@ -857,7 +866,7 @@ static int setup_fallback_user(genhomedircon_settings_t * 
> s)
>   int errors = 0;
>  
>   

[PATCH v2 1/1] genhomedircon: remove hardcoded refpolicy strings

2016-09-21 Thread Gary Tierney
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/genhomedircon.c | 87 +++--
 1 file changed, 74 insertions(+), 13 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index cce3884..3fc9e7a 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -82,9 +82,6 @@
 #define TEMPLATE_USERNAME "%{USERNAME}"
 #define TEMPLATE_USERID "%{USERID}"
 
-#define TEMPLATE_SEUSER "system_u"
-#define TEMPLATE_LEVEL "s0"
-
 #define FALLBACK_SENAME "user_u"
 #define FALLBACK_PREFIX "user"
 #define FALLBACK_LEVEL "s0"
@@ -92,6 +89,8 @@
 #define FALLBACK_UIDGID "[0-9]+"
 #define DEFAULT_LOGIN "__default__"
 
+#define CONTEXT_NONE "<>"
+
 typedef struct user_entry {
char *name;
char *uid;
@@ -599,14 +598,81 @@ static int write_replacements(genhomedircon_settings_t * 
s, FILE * out,
return STATUS_ERR;
 }
 
+static int write_contexts(genhomedircon_settings_t *s, FILE *out,
+ semanage_list_t *tpl, const replacement_pair_t *repl,
+ const genhomedircon_user_entry_t *user)
+{
+   Ustr *line = USTR_NULL;
+   sepol_context_t *context = NULL;
+   char *new_context_str = NULL;
+
+   for (; tpl; tpl = tpl->next) {
+   line = replace_all(tpl->data, repl);
+   if (!line) {
+   goto fail;
+   }
+
+   const char *old_context_str = extract_context(line);
+   if (!old_context_str) {
+   goto fail;
+   }
+
+   if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
+   if (check_line(s, line) == STATUS_SUCCESS &&
+   !ustr_io_putfileline(, out)) {
+   goto fail;
+   }
+
+   continue;
+   }
+
+   sepol_handle_t *sepolh = s->h_semanage->sepolh;
+
+   if (sepol_context_from_string(sepolh, old_context_str,
+ ) < 0) {
+   goto fail;
+   }
+
+   if (sepol_context_set_user(sepolh, context, user->sename) < 0 ||
+   sepol_context_set_mls(sepolh, context, user->level) < 0) {
+   goto fail;
+   }
+
+   if (sepol_context_to_string(sepolh, context,
+   _context_str) < 0) {
+   goto fail;
+   }
+
+   if (!ustr_replace_cstr(, old_context_str,
+  new_context_str, 1)) {
+   goto fail;
+   }
+
+   if (check_line(s, line) == STATUS_SUCCESS) {
+   if (!ustr_io_putfileline(, out)) {
+   goto fail;
+   }
+   }
+
+   ustr_sc_free();
+   sepol_context_free(context);
+   free(new_context_str);
+   }
+
+   return STATUS_SUCCESS;
+fail:
+   ustr_sc_free();
+   sepol_context_free(context);
+   free(new_context_str);
+   return STATUS_ERR;
+}
+
 static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
  semanage_list_t * tpl, const 
genhomedircon_user_entry_t *user)
 {
replacement_pair_t repl[] = {
-   {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-   {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
{NULL, NULL}
};
 
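Review bot: the per-iteration cleanup at the bottom of the loop (ustr_sc_free(), sepol_context_free(context), free(new_context_str)) leaves context and new_context_str pointing at freed memory and resets neither to NULL; if the next iteration reaches goto fail before sepol_context_from_string() and sepol_context_to_string() reassign them (replace_all() or extract_context() failing), the fail: block frees both a second time. Set both to NULL after freeing (ustr_sc_free() already nulls line). The CONTEXT_NONE branch also hits continue without freeing line, leaking one Ustr per pass-through template line.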
@@ -618,7 +684,7 @@ static int write_home_dir_context(genhomedircon_settings_t 
* s, FILE * out,
return STATUS_ERR;
}
 
-   return write_replacements(s, out, tpl, repl);
+   return write_contexts(s, out, tpl, repl, user);
 }
 
 static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
@@ -640,11 +706,10 @@ static int 
write_username_context(genhomedircon_settings_t * s, FILE * out,
{.search_for = TEMPLATE_USERNAME,.replace_with = user->name},
{.search_for = TEMPLATE_USERID,.replace_with = user->uid},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-   {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{NULL, NULL}
};
 
-   return write_r

[PATCH v2 0/1] genhomedircon: remove hardcoded refpolicy strings

2016-09-21 Thread Gary Tierney
Second iteration of my previous genhomedircon patch.  The issue with context
specifications as "<>" is fixed and libselinux calls are replaced with
their respective libsepol calls.

I've filed a new BZ for Fedora's system_u login here:
https://bugzilla.redhat.com/show_bug.cgi?id=1378204

Gary Tierney (1):
  genhomedircon: remove hardcoded refpolicy strings

 libsemanage/src/genhomedircon.c | 87 +++--
 1 file changed, 74 insertions(+), 13 deletions(-)

-- 
2.7.4

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings

2016-09-06 Thread Gary Tierney

On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:

On 09/06/2016 09:48 AM, Gary Tierney wrote:

Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/genhomedircon.c | 79 ++---
 1 file changed, 66 insertions(+), 13 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index cce3884..cca97f6 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -20,6 +20,7 @@
  *  02110-1301  USA
  */

+#include 


I think we likely want to use the sepol/context_record.h (already
included here) functions instead.  Those are already in use by
libsemanage.  I agree it is confusing and not helped by the fact that we
lack man pages for most sepol functions.  Sorry.



Thanks, wasn't aware of those.  Will update to use the libsepol API.


 #include 
 #include 
 #include 
@@ -82,9 +83,6 @@
 #define TEMPLATE_USERNAME "%{USERNAME}"
 #define TEMPLATE_USERID "%{USERID}"

-#define TEMPLATE_SEUSER "system_u"
-#define TEMPLATE_LEVEL "s0"
-
 #define FALLBACK_SENAME "user_u"
 #define FALLBACK_PREFIX "user"
 #define FALLBACK_LEVEL "s0"
@@ -92,6 +90,8 @@
 #define FALLBACK_UIDGID "[0-9]+"
 #define DEFAULT_LOGIN "__default__"

+#define CONTEXT_NONE "<>"
+
 typedef struct user_entry {
char *name;
char *uid;
@@ -599,14 +599,72 @@ static int write_replacements(genhomedircon_settings_t * 
s, FILE * out,
return STATUS_ERR;
 }

+static int write_user_replacements(genhomedircon_settings_t *s, FILE *out,
+ semanage_list_t *tpl, const replacement_pair_t *repl,
+ const genhomedircon_user_entry_t *user)
+{
+   Ustr *line = USTR_NULL;
+   context_t context = NULL;
+
+   for (; tpl; tpl = tpl->next) {
+   line = replace_all(tpl->data, repl);
+   if (!line) {
+   goto fail;
+   }
+
+   const char *old_context_str = extract_context(line);
+   if (!old_context_str) {
+   goto fail;
+   }
+
+   if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
+   if (check_line(s, line) &&
+   !ustr_io_putfileline(, out)) {
+   goto fail;
+   }
+
+   continue;
+   }
+
+   context = context_new(old_context_str);


sepol_context_from_string()


+   if (!context) {
+   goto fail;
+   }
+
+   if (context_user_set(context, user->sename) != 0 ||


sepol_context_set_user()


+   context_range_set(context, user->level) != 0) {


sepol_context_set_mls()


+   goto fail;
+   }
+
+   const char *new_context_str = context_str(context);


sepol_context_to_string()


+   if (!ustr_replace_cstr(, old_context_str,
+  new_context_str, 1)) {
+   goto fail;
+   }
+
+   if (check_line(s, line) == STATUS_SUCCESS) {
+   if (!ustr_io_putfileline(, out)) {
+   goto fail;
+   }
+   }
+
+   ustr_sc_free();
+   context_free(context);


sepol_context_free()


+   }
+
+   return STATUS_SUCCESS;
+fail:
+   ustr_sc_free();
+   context_free(context);
+   return STATUS_ERR;
+}
+
 static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
  semanage_list_t * tpl, const 
genhomedircon_user_entry_t *user)
 {
replacement_pair_t repl[] = {
-   {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-   {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
{NULL, NULL}
};

@@ -618,7 +676,7 @@ static int write_home_dir_context(genhomedircon_settings_t 
* s, FILE * out,
return STATUS_ERR;
}

-   return write_replacements(s, out, tpl, repl);
+   return write_user_replacements(s, out, tpl, repl, user);
 }

 static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
@@ -640,11 +698,10 @@ static int 
write_username_context(genhomedircon_settings_t * s, FILE * out,
{.search_for = TEMPLATE_USERNAME,.replace_with = user->name},

[PATCH] genhomedircon: remove hardcoded refpolicy strings

2016-09-06 Thread Gary Tierney
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/genhomedircon.c | 79 ++---
 1 file changed, 66 insertions(+), 13 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index cce3884..cca97f6 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -20,6 +20,7 @@
  *  02110-1301  USA
  */
 
+#include 
 #include 
 #include 
 #include 
@@ -82,9 +83,6 @@
 #define TEMPLATE_USERNAME "%{USERNAME}"
 #define TEMPLATE_USERID "%{USERID}"
 
-#define TEMPLATE_SEUSER "system_u"
-#define TEMPLATE_LEVEL "s0"
-
 #define FALLBACK_SENAME "user_u"
 #define FALLBACK_PREFIX "user"
 #define FALLBACK_LEVEL "s0"
@@ -92,6 +90,8 @@
 #define FALLBACK_UIDGID "[0-9]+"
 #define DEFAULT_LOGIN "__default__"
 
+#define CONTEXT_NONE "<>"
+
 typedef struct user_entry {
char *name;
char *uid;
@@ -599,14 +599,72 @@ static int write_replacements(genhomedircon_settings_t * 
s, FILE * out,
return STATUS_ERR;
 }
 
+static int write_user_replacements(genhomedircon_settings_t *s, FILE *out,
+ semanage_list_t *tpl, const replacement_pair_t *repl,
+ const genhomedircon_user_entry_t *user)
+{
+   Ustr *line = USTR_NULL;
+   context_t context = NULL;
+
+   for (; tpl; tpl = tpl->next) {
+   line = replace_all(tpl->data, repl);
+   if (!line) {
+   goto fail;
+   }
+
+   const char *old_context_str = extract_context(line);
+   if (!old_context_str) {
+   goto fail;
+   }
+
+   if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
+   if (check_line(s, line) &&
+   !ustr_io_putfileline(, out)) {
+   goto fail;
+   }
+
+   continue;
+   }
+
+   context = context_new(old_context_str);
+   if (!context) {
+   goto fail;
+   }
+
+   if (context_user_set(context, user->sename) != 0 ||
+   context_range_set(context, user->level) != 0) {
+   goto fail;
+   }
+
+   const char *new_context_str = context_str(context);
+   if (!ustr_replace_cstr(, old_context_str,
+  new_context_str, 1)) {
+   goto fail;
+   }
+
+   if (check_line(s, line) == STATUS_SUCCESS) {
+   if (!ustr_io_putfileline(, out)) {
+   goto fail;
+   }
+   }
+
+   ustr_sc_free();
+   context_free(context);
+   }
+
+   return STATUS_SUCCESS;
+fail:
+   ustr_sc_free();
+   context_free(context);
+   return STATUS_ERR;
+}
+
 static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
  semanage_list_t * tpl, const 
genhomedircon_user_entry_t *user)
 {
replacement_pair_t repl[] = {
-   {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-   {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
{NULL, NULL}
};
 
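Review bot: in the CONTEXT_NONE branch the condition "check_line(s, line) && !ustr_io_putfileline()" treats a non-zero return from check_line() as "line passes", while the normal path a few lines lower tests check_line(s, line) == STATUS_SUCCESS; one of the two is inverted, and if STATUS_SUCCESS is zero the pass-through lines that should be written are the ones silently dropped. Use the == STATUS_SUCCESS form in both places. The same cleanup caveat applies as in the loop tail: context is freed at the end of each iteration but not reset to NULL, so a goto fail early in the next iteration (before context_new() runs) frees it again.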
@@ -618,7 +676,7 @@ static int write_home_dir_context(genhomedircon_settings_t 
* s, FILE * out,
return STATUS_ERR;
}
 
-   return write_replacements(s, out, tpl, repl);
+   return write_user_replacements(s, out, tpl, repl, user);
 }
 
 static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
@@ -640,11 +698,10 @@ static int 
write_username_context(genhomedircon_settings_t * s, FILE * out,
{.search_for = TEMPLATE_USERNAME,.replace_with = user->name},
{.search_for = TEMPLATE_USERID,.replace_with = user->uid},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-   {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{NULL, NULL}
};
 
-   return write_replacements(s, out, tpl, repl);
+   return write_user_replacements(s, out, tpl, repl, user);
 }
 
 static int write_user_context(genhomedircon_settings_t * s, FILE * out,
@@ -653,11 +710,10 @@ static int write_user_context(genhomedircon_settings_t * 
s, FILE * out,
r

[PATCH] remove system_u and s0 hardcoded strings

2016-09-06 Thread Gary Tierney
This patch removes the search and replacement for "system_u" and "s0" by instead
looking for a valid context and replacing the user and MLS/MCS range where
appropriate.  This allows using genhomedircon with alternative policies that
don't name the system seuser "system_u" or declare users in a CIL namespace /
container.

This is also a slight behavior change, but should be functionally equivalent to
before for existing policies. In refpolicy we have no homedir contexts without
system_u as the user or s0 as the level:

> $ find . -name '*.fc' | xargs grep -h 'HOME_DIR' | grep -v 's0' | grep -Evc 
> '^#'
0
> $ find . -name '*.fc' | xargs grep -h 'HOME_DIR' | grep -v 'system_u' | grep 
> -Evc '^#'
0

Gary Tierney (1):
  genhomedircon: remove hardcoded refpolicy strings

 libsemanage/src/genhomedircon.c | 79 ++---
 1 file changed, 66 insertions(+), 13 deletions(-)

-- 
2.7.4

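The rewrite that the v2 write_contexts() patch above and this cover letter describe, as an added example that is not libsemanage's code: a plain-C context splitter stands in for the libsepol calls, rewrite_homedir_line() and split_context() are names chosen here, the template lines are constructed, and it also handles an MCS range that itself contains colons.

```c
/* Added example, not libsemanage's own code: rewrites the SELinux user and
 * MLS/MCS range of each template line as write_contexts() does, using a
 * hand-written context parser in place of libsepol so it runs stand-alone. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CONTEXT_NONE "<<none>>"	/* the "no context" marker of file_contexts(5) */

/* Split "user:role:type[:range]" in place.  Only the first three colons
 * separate fields; the rest belongs to the range, which itself contains
 * colons (e.g. "s0-s0:c0.c1023").  Returns 3 or 4, or 0 if malformed. */
static int split_context(char *ctx, char *fields[4])
{
	int n = 0;

	fields[n++] = ctx;
	for (char *p = ctx; *p != '\0' && n < 4; p++) {
		if (*p == ':') {
			*p = '\0';
			fields[n++] = p + 1;
		}
	}
	if (n < 3 || fields[0][0] == '\0' || fields[1][0] == '\0' ||
	    fields[2][0] == '\0' || (n == 4 && fields[3][0] == '\0'))
		return 0;
	return n;
}

/* Rewrite one template line.  The context is the last whitespace-separated
 * field (what extract_context() in genhomedircon returns); its user becomes
 * seuser and its range becomes level, role and type are kept.  A NULL or
 * empty level keeps the template's range.  Returns 1 if rewritten, 0 if
 * passed through (CONTEXT_NONE), -1 on a malformed line or small buffer. */
int rewrite_homedir_line(const char *line, const char *seuser,
			 const char *level, char *out, size_t outlen)
{
	size_t len = strlen(line), start;
	char ctx[256], *f[4];
	const char *range; int n, w;

	while (len > 0 && isspace((unsigned char)line[len - 1]))
		len--;				/* drop newline and trailing blanks */
	start = len;
	while (start > 0 && !isspace((unsigned char)line[start - 1]))
		start--;			/* back up to the start of the context */
	if (start == 0 || start == len)
		return -1;			/* no path or no context field */

	if (len - start == strlen(CONTEXT_NONE) &&
	    strncmp(line + start, CONTEXT_NONE, len - start) == 0) {
		if (len + 1 > outlen)
			return -1;
		memcpy(out, line, len);
		out[len] = '\0';
		return 0;
	}

	if (len - start >= sizeof ctx)
		return -1;
	memcpy(ctx, line + start, len - start);
	ctx[len - start] = '\0';

	n = split_context(ctx, f);
	if (n == 0)
		return -1;

	range = (level && level[0]) ? level : (n == 4 ? f[3] : NULL);
	if (range != NULL)
		w = snprintf(out, outlen, "%.*s%s:%s:%s:%s", (int)start, line,
			     seuser, f[1], f[2], range);
	else
		w = snprintf(out, outlen, "%.*s%s:%s:%s", (int)start, line,
			     seuser, f[1], f[2]);
	return (w < 0 || (size_t)w >= outlen) ? -1 : 1;
}

/* Result check: 1 if rewriting line with seuser/level yields expected. */
int rewrite_yields(const char *line, const char *seuser, const char *level,
		   const char *expected)
{
	char out[512];
	int rc = rewrite_homedir_line(line, seuser, level, out, sizeof out);

	return rc >= 0 && strcmp(out, expected) == 0;
}

int main(void)
{
	/* Constructed template lines in refpolicy style, not from any policy. */
	static const char *const tpl[] = {
		"HOME_DIR/.*\tsystem_u:object_r:user_home_t:s0",
		"HOME_DIR/.ssh(/.*)?\t-d\tsystem_u:object_r:ssh_home_t:s0:c0.c5",
		"HOME_DIR/.gvfs(/.*)?\t<<none>>" };
	char out[512];

	for (size_t i = 0; i < 3; i++)
		printf("%d  %s\n", rewrite_homedir_line(tpl[i], "staff_u",
			"s0-s0:c0.c1023", out, sizeof out), out);
	return 0;
}
```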


Re: [PATCH 0/2] genhomedircon: add support for %group syntax

2016-08-23 Thread Gary Tierney
On Tue, Aug 23, 2016 at 08:54:17AM -0400, Stephen Smalley wrote:
> On 08/22/2016 04:22 PM, Gary Tierney wrote:
> > From: Gary Tierney <selinux@tycho.nsa.gov>
> > 
> > Re-spin of my original patch that adds support for logins mapped using the
> > %group syntax to genhomedircon.  This version includes fixes for the issues
> > raised by Jason and splits the bugfix into a separate commit.
> > 
> > There was a bit of confusion about the MLS level, I think, since 
> > semanage-user
> > supports a default MLS level and not semanage-login.  So it wouldn't be 
> > possible
> > for a login to have a more specific level than the fallback login in that 
> > case.
> > Though the bugfix still addresses an issue with home directories outside of
> > /home / LU_HOMEDIRECTORY and is required for the second commit.
> 
> semanage login can set a more limited range for a Linux user than what
> is allowed for the SELinux user.  Thus, you can have a single SELinux
> user that is authorized for a wider range but narrow its scope on a
> per-Linux-user basis via semanage login.
> 
> > 
> > Gary Tierney (2):
> >   genhomedircon: generate contexts for logins mapped to the default user
> >   genhomedircon: add support for %group syntax
> > 
> >  libsemanage/src/genhomedircon.c | 314 
> > +++-
> >  1 file changed, 243 insertions(+), 71 deletions(-)
> > 
> 

Yes, it's possible for a more specific range, and not level.  Though, the
current behavior of genhomedircon is to replace any instance of "s0" with the
user's (semanage-user) level.  Should the range of the login be used here
instead?  I'm unsure about this.

Also, there's an identical v3 of this patch above to get rid of the erroneous
committer / signed-off-by / author information in this patch.  Sorry about
that.

-- 
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get=0x706ED76585AA79D8


[PATCH v3 0/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
Re-spin of my original patch that adds support for logins mapped using the
%group syntax to genhomedircon.  This version includes fixes for the issues
raised by Jason and splits the bugfix into a separate commit.

There was a bit of confusion about the MLS level, I think, since semanage-user
supports a default MLS level and not semanage-login.  So it wouldn't be possible
for a login to have a more specific level than the fallback login in that case.
Though the bugfix still addresses an issue with home directories outside of
/home / LU_HOMEDIRECTORY and is required for the second commit.

Gary Tierney (2):
  genhomedircon: generate contexts for logins mapped to the default user
  genhomedircon: add support for %group syntax

 libsemanage/src/genhomedircon.c | 314 +++-
 1 file changed, 243 insertions(+), 71 deletions(-)

-- 
2.7.4



[PATCH v3 2/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.

This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/genhomedircon.c | 311 +++-
 1 file changed, 243 insertions(+), 68 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 698b907..cce3884 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -48,6 +48,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 
 /* paths used in get_home_dirs() */
 #define PATH_ETC_USERADD "/etc/default/useradd"
@@ -98,6 +100,7 @@ typedef struct user_entry {
char *prefix;
char *home;
char *level;
+   char *login;
struct user_entry *next;
 } genhomedircon_user_entry_t;
 
@@ -486,6 +489,11 @@ static int USER_CONTEXT_PRED(const char *string)
return (int)(strstr(string, TEMPLATE_USER) != NULL);
 }
 
+static int STR_COMPARATOR(const void *a, const void *b)
+{
+   return strcmp((const char *) a, (const char *) b);
+}
+
 /* make_tempate
  * @param  s the settings holding the paths to various files
  * @param  predfunction pointer to function to use as filter for slurp
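Review bot: STR_COMPARATOR() casts its two void * arguments straight to const char *, which is only right if the caller hands it the strings themselves (for instance through a list-walking helper). If it is passed to qsort() or bsearch() over an array of char *, each argument is a pointer to an element (const char **) and strcmp() would compare pointer bytes instead of names. The call site is outside this excerpt, so please confirm which convention the caller uses and cast accordingly.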
@@ -652,6 +660,24 @@ static int write_user_context(genhomedircon_settings_t * 
s, FILE * out,
return write_replacements(s, out, tpl, repl);
 }
 
+static int seuser_sort_func(const void *arg1, const void *arg2)
+{
+   const semanage_seuser_t **u1 = (const semanage_seuser_t **) arg1;
+   const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2;;
+   const char *name1 = semanage_seuser_get_name(*u1);
+   const char *name2 = semanage_seuser_get_name(*u2);
+
+   if (name1[0] == '%' && name2[0] == '%') {
+   return 0;
+   } else if (name1[0] == '%') {
+   return 1;
+   } else if (name2[0] == '%') {
+   return -1;
+   }
+
+   return strcmp(name1, name2);
+}
+
 static int user_sort_func(semanage_user_t ** arg1, semanage_user_t ** arg2)
 {
return strcmp(semanage_user_get_name(*arg1),
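Review bot: seuser_sort_func() returns 0 for any two %group mappings, so with qsort() (which the (const void *, const void *) signature suggests, and which is not stable) their relative order is unspecified; if the ambiguity reporting described in the commit message walks the sorted array and names the first group that claims a user, the message may name a different group from run to run. Fall through to strcmp(name1, name2) for the group/group case as well. There is also a stray ";;" at the end of the u2 declaration.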
@@ -665,7 +691,8 @@ static int name_user_cmp(char *key, semanage_user_t ** val)
 
 static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
   const char *u, const char *g, const char *sen,
-  const char *pre, const char *h, const char *l)
+  const char *pre, const char *h, const char *l,
+  const char *ln)
 {
genhomedircon_user_entry_t *temp = NULL;
char *name = NULL;
@@ -675,6 +702,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
char *prefix = NULL;
char *home = NULL;
char *level = NULL;
+   char *lname = NULL;
 
temp = malloc(sizeof(genhomedircon_user_entry_t));
if (!temp)
@@ -700,6 +728,9 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
level = strdup(l);
if (!level)
goto cleanup;
+   lname = strdup(ln);
+   if (!lname)
+   goto cleanup;
 
temp->name = name;
temp->uid = uid;
@@ -708,6 +739,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
temp->prefix = prefix;
temp->home = home;
temp->level = level;
+   temp->login = lname;
temp->next = (*list);
(*list) = temp;
 
@@ -721,6 +753,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
free(prefix);
free(home);
free(level);
+   free(lname);
free(temp);
return STATUS_ERR;
 }
@@ -741,6 +774,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** 
list)
free(temp->prefix);
free(temp->home);
free(temp->level);
+   free(temp->login);
free(temp);
 }
 
@@ -790,7 +824,8 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
 
if (push_user_entry(&(s->fallback), FALLBACK_NAME,
FALLBACK_UIDGID, FALLBACK_UIDGID,
-   seuname, prefix, "", level) != 0)
+   seuname, prefix, "", level,
+   FALLBACK_NAME) != 0)
errors = STATUS_ERR;
  

[PATCH v3 1/2] genhomedircon: generate contexts for logins mapped to the default user

2016-08-22 Thread Gary Tierney
Removes a test in get_users() which excludes any logins that are
explicitly mapped to the default user from file context generation,
which results in logins mapped to the fallback user with home
directories outside of LU_HOMEDIRECTORY (in the absence of
usepasswd=True) having no matching file_contexts.homedirs entries.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/genhomedircon.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index c5ea436..698b907 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -853,9 +853,6 @@ static genhomedircon_user_entry_t 
*get_users(genhomedircon_settings_t * s,
seuname = semanage_seuser_get_sename(seuser_list[i]);
name = semanage_seuser_get_name(seuser_list[i]);
 
-   if (strcmp(name,"root") && strcmp(seuname, s->fallback->sename) 
== 0)
-   continue;
-
if (strcmp(name, DEFAULT_LOGIN) == 0)
continue;
 
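Review bot: dropping this test means every login explicitly mapped to the fallback SELinux user now gets its own set of home directory entries, including logins whose home already sits under the default home root that the fallback entries cover, not only the out-of-tree homes the commit message is fixing. Unless the generated file_contexts.homedirs is deduplicated elsewhere, consider skipping only those fallback-mapped logins whose home directory lies under the default home root, and keep the root exception as it was.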
-- 
2.7.4



Re: [PATCH 2/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney

On Mon, Aug 22, 2016 at 09:23:01PM +0100, Gary Tierney wrote:

From: Gary Tierney <selinux@tycho.nsa.gov>

semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.

This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.

Signed-off-by: Gary Tierney <selinux@tycho.nsa.gov>
---
libsemanage/src/genhomedircon.c | 311 +++-
1 file changed, 243 insertions(+), 68 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 698b907..cce3884 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -48,6 +48,8 @@
#include 
#include 
#include 
+#include 
+#include 

/* paths used in get_home_dirs() */
#define PATH_ETC_USERADD "/etc/default/useradd"
@@ -98,6 +100,7 @@ typedef struct user_entry {
char *prefix;
char *home;
char *level;
+   char *login;
struct user_entry *next;
} genhomedircon_user_entry_t;

@@ -486,6 +489,11 @@ static int USER_CONTEXT_PRED(const char *string)
return (int)(strstr(string, TEMPLATE_USER) != NULL);
}

+static int STR_COMPARATOR(const void *a, const void *b)
+{
+   return strcmp((const char *) a, (const char *) b);
+}
+
/* make_tempate
 * @param   s the settings holding the paths to various files
 * @param   predfunction pointer to function to use as filter for slurp
@@ -652,6 +660,24 @@ static int write_user_context(genhomedircon_settings_t * 
s, FILE * out,
return write_replacements(s, out, tpl, repl);
}

+static int seuser_sort_func(const void *arg1, const void *arg2)
+{
+   const semanage_seuser_t **u1 = (const semanage_seuser_t **) arg1;
+   const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2;;
+   const char *name1 = semanage_seuser_get_name(*u1);
+   const char *name2 = semanage_seuser_get_name(*u2);
+
+   if (name1[0] == '%' && name2[0] == '%') {
+   return 0;
+   } else if (name1[0] == '%') {
+   return 1;
+   } else if (name2[0] == '%') {
+   return -1;
+   }
+
+   return strcmp(name1, name2);
+}
+
static int user_sort_func(semanage_user_t ** arg1, semanage_user_t ** arg2)
{
return strcmp(semanage_user_get_name(*arg1),
@@ -665,7 +691,8 @@ static int name_user_cmp(char *key, semanage_user_t ** val)

static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
   const char *u, const char *g, const char *sen,
-  const char *pre, const char *h, const char *l)
+  const char *pre, const char *h, const char *l,
+  const char *ln)
{
genhomedircon_user_entry_t *temp = NULL;
char *name = NULL;
@@ -675,6 +702,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
char *prefix = NULL;
char *home = NULL;
char *level = NULL;
+   char *lname = NULL;

temp = malloc(sizeof(genhomedircon_user_entry_t));
if (!temp)
@@ -700,6 +728,9 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
level = strdup(l);
if (!level)
goto cleanup;
+   lname = strdup(ln);
+   if (!lname)
+   goto cleanup;

temp->name = name;
temp->uid = uid;
@@ -708,6 +739,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
temp->prefix = prefix;
temp->home = home;
temp->level = level;
+   temp->login = lname;
temp->next = (*list);
(*list) = temp;

@@ -721,6 +753,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
free(prefix);
free(home);
free(level);
+   free(lname);
free(temp);
return STATUS_ERR;
}
@@ -741,6 +774,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** 
list)
free(temp->prefix);
free(temp->home);
free(temp->level);
+   free(temp->login);
free(temp);
}

@@ -790,7 +824,8 @@ static int setup_fallback_user(genhomedircon_settings_t * s)

if (push_user_entry(&(s->fallback), FALLBACK_NAME,
FALLBACK_UIDGID, FALLBACK_UIDGID,
-   seuname, prefix, "", level) != 0)
+   seuname, prefix, "", level,
+ 

[PATCH 1/2] genhomedircon: generate contexts for logins mapped to the default user

2016-08-22 Thread Gary Tierney
From: Gary Tierney <selinux@tycho.nsa.gov>

Removes a test in get_users() which excludes any logins that are
explicitly mapped to the default user from file context generation,
which results in logins mapped to the fallback user with home
directories outside of LU_HOMEDIRECTORY (in the absence of
usepasswd=True) having no matching file_contexts.homedirs entries.

Signed-off-by: Gary Tierney <selinux@tycho.nsa.gov>
---
 libsemanage/src/genhomedircon.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index c5ea436..698b907 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -853,9 +853,6 @@ static genhomedircon_user_entry_t 
*get_users(genhomedircon_settings_t * s,
seuname = semanage_seuser_get_sename(seuser_list[i]);
name = semanage_seuser_get_name(seuser_list[i]);
 
-   if (strcmp(name,"root") && strcmp(seuname, s->fallback->sename) 
== 0)
-   continue;
-
if (strcmp(name, DEFAULT_LOGIN) == 0)
continue;
 
-- 
2.7.4



[PATCH 2/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
From: Gary Tierney <selinux@tycho.nsa.gov>

semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.

This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.

Signed-off-by: Gary Tierney <selinux@tycho.nsa.gov>
---
 libsemanage/src/genhomedircon.c | 311 +++-
 1 file changed, 243 insertions(+), 68 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 698b907..cce3884 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -48,6 +48,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 
 /* paths used in get_home_dirs() */
 #define PATH_ETC_USERADD "/etc/default/useradd"
@@ -98,6 +100,7 @@ typedef struct user_entry {
char *prefix;
char *home;
char *level;
+   char *login;
struct user_entry *next;
 } genhomedircon_user_entry_t;
 
@@ -486,6 +489,11 @@ static int USER_CONTEXT_PRED(const char *string)
return (int)(strstr(string, TEMPLATE_USER) != NULL);
 }
 
+static int STR_COMPARATOR(const void *a, const void *b)
+{
+   return strcmp((const char *) a, (const char *) b);
+}
+
 /* make_tempate
  * @param  s the settings holding the paths to various files
  * @param  predfunction pointer to function to use as filter for slurp
@@ -652,6 +660,24 @@ static int write_user_context(genhomedircon_settings_t * 
s, FILE * out,
return write_replacements(s, out, tpl, repl);
 }
 
+static int seuser_sort_func(const void *arg1, const void *arg2)
+{
+   const semanage_seuser_t **u1 = (const semanage_seuser_t **) arg1;
+   const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2;;
+   const char *name1 = semanage_seuser_get_name(*u1);
+   const char *name2 = semanage_seuser_get_name(*u2);
+
+   if (name1[0] == '%' && name2[0] == '%') {
+   return 0;
+   } else if (name1[0] == '%') {
+   return 1;
+   } else if (name2[0] == '%') {
+   return -1;
+   }
+
+   return strcmp(name1, name2);
+}
+
 static int user_sort_func(semanage_user_t ** arg1, semanage_user_t ** arg2)
 {
return strcmp(semanage_user_get_name(*arg1),
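Review bot: `seuser_sort_func` returns 0 whenever both names start with `%`, so the relative order of %group mappings after qsort() is unspecified (qsort() is not stable); falling through to `strcmp(name1, name2)` in that branch keeps the generated output deterministic. There is also a stray double semicolon at `const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2;;`.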
@@ -665,7 +691,8 @@ static int name_user_cmp(char *key, semanage_user_t ** val)
 
 static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
   const char *u, const char *g, const char *sen,
-  const char *pre, const char *h, const char *l)
+  const char *pre, const char *h, const char *l,
+  const char *ln)
 {
genhomedircon_user_entry_t *temp = NULL;
char *name = NULL;
@@ -675,6 +702,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
char *prefix = NULL;
char *home = NULL;
char *level = NULL;
+   char *lname = NULL;
 
temp = malloc(sizeof(genhomedircon_user_entry_t));
if (!temp)
@@ -700,6 +728,9 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
level = strdup(l);
if (!level)
goto cleanup;
+   lname = strdup(ln);
+   if (!lname)
+   goto cleanup;
 
temp->name = name;
temp->uid = uid;
@@ -708,6 +739,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
temp->prefix = prefix;
temp->home = home;
temp->level = level;
+   temp->login = lname;
temp->next = (*list);
(*list) = temp;
 
@@ -721,6 +753,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
free(prefix);
free(home);
free(level);
+   free(lname);
free(temp);
return STATUS_ERR;
 }
@@ -741,6 +774,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** 
list)
free(temp->prefix);
free(temp->home);
free(temp->level);
+   free(temp->login);
free(temp);
 }
 
@@ -790,7 +824,8 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
 
if (push_user_entry(&(s->fallback), FALLBACK_NAME,
FALLBACK_UIDGID, FALLBACK_UIDGID,
-   seuname, prefix, "", level) != 0)
+   seuname, prefix, "", level,
+   FALLBACK_NAME) != 0)
 

[PATCH 0/2] genhomedircon: add support for %group syntax

2016-08-22 Thread Gary Tierney
From: Gary Tierney <selinux@tycho.nsa.gov>

Re-spin of my original patch that adds support for logins mapped using the
group %syntax to genhomedircon.  This version includes fixes for the issues
raised by Jason and splits the bugfix into a separate commit.

There was a bit of confusion about the MLS level, I think, since semanage-user
supports a default MLS level and not semanage-login.  So it wouldn't be possible
for a login to have a more specific level than the fallback login in that case.
Though the bugfix still addresses an issue with home directories outside of
/home / LU_HOMEDIRCETORY and is required for the second commit.

Gary Tierney (2):
  genhomedircon: generate contexts for logins mapped to the default user
  genhomedircon: add support for %group syntax

 libsemanage/src/genhomedircon.c | 314 +++-
 1 file changed, 243 insertions(+), 71 deletions(-)

-- 
2.7.4

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [PATCH] genhomedircon: add support for %group syntax

2016-08-16 Thread Gary Tierney
Hi Stephen,

Replied inline below.

On Mon, Aug 15, 2016 at 03:58:44PM -0400, Stephen Smalley wrote:
> On 07/27/2016 05:25 PM, Gary Tierney wrote:
> > semanage-login supports login mappings using the %group syntax, but
> > genhomedircon does not expand groups to the users belonging to them.
> > 
> > This commit adds support for generating home directory contexts for login
> > mappings using the group syntax and adds error reporting for handling cases
> > where there is ambiguity due to a user belonging to multiple groups mapped by
> > semanage-login. If a login mapping is added for the user which belongs to
> > multiple groups it will take precedence and resolve the ambiguity issue.
> 
> Sorry for the long delay in responding.  One question/comment below.
> 
> > Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
> > ---
> >  libsemanage/src/genhomedircon.c | 319 
> > +++-
> >  1 file changed, 247 insertions(+), 72 deletions(-)
> > 
> > diff --git a/libsemanage/src/genhomedircon.c 
> > b/libsemanage/src/genhomedircon.c
> > index c5ea436..2955b19 100644
> > --- a/libsemanage/src/genhomedircon.c
> > +++ b/libsemanage/src/genhomedircon.c
> > @@ -838,94 +1064,43 @@ static genhomedircon_user_entry_t 
> > *get_users(genhomedircon_settings_t * s,
> > nusers = 0;
> > }
> >  
> > +   qsort(seuser_list, nseusers, sizeof(semanage_seuser_t *),
> > + _sort_func);
> > qsort(user_list, nusers, sizeof(semanage_user_t *),
> >   (int (*)(const void *, const void *))_sort_func);
> >  
> > -   /* Allocate space for the getpwnam_r buffer */
> > -   rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
> > -   if (rbuflen <= 0)
> > -   goto cleanup;
> > -   rbuf = malloc(rbuflen);
> > -   if (rbuf == NULL)
> > -   goto cleanup;
> > -
> > for (i = 0; i < nseusers; i++) {
> > seuname = semanage_seuser_get_sename(seuser_list[i]);
> > name = semanage_seuser_get_name(seuser_list[i]);
> >  
> > -   if (strcmp(name,"root") && strcmp(seuname, s->fallback->sename) 
> > == 0)
> > -   continue;
> > -
> 
> This appears to change the behavior of genhomedircon in general, not
> just with respect to %group handling.  Was this intentional?
> I'm not necessarily opposed to this change, but I am unclear on the
> implications.  It seems that previously genhomedircon would not generate
> file_contexts.homedirs entries for users who were mapped to the fallback
> seuser, with an exception for root for /root labeling.  With this
> change, they will have entries added.
>

Hmm, yes, you're right. This is a mistake. We do need to skip this
conditional however, so we can check if a user already has a mapping 
when we're expanding the members of a group.

To prevent this from happening it should suffice to check if the user that
we're writing contexts for shares an sename with the __default__ mapping, 
and if so, simply skip writing contexts for that user.  We can do this check
inside write_gen_home_dir_contexts() like so:

https://github.com/garyttierney/selinux/commit/ebdb7f225ddbd5f311b2db75f68e2896285a5090#diff-b298746a257be78548f69d5d296dcd09R1140

An alternative fix would be to prevent these users from being added to
the `genhomedircon_user_entry_t` stack in the first place, and have 
get_group_users() search the seusers list for a login mapping which matches
the group member's username, skipping the group member if a match is found.

Any thoughts on either of these solutions?

> > if (strcmp(name, DEFAULT_LOGIN) == 0)
> > continue;
> >  
> > if (strcmp(name, TEMPLATE_SEUSER) == 0)
> > continue;
> >  
> > -   /* %groupname syntax */
> > -   if (name[0] == '%')
> > -   continue;
> > -
> > /* find the user structure given the name */
> > -   u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t 
> > *),
> > +   u = bsearch(seuname, user_list, nusers,
> > +   sizeof(semanage_user_t *),
> > (int (*)(const void *, const void *))
> > _user_cmp);
> > -   if (u) {
> > -   prefix = semanage_user_get_prefix(*u);
> > -   level = semanage_user_get_mlslevel(*u);
> > -   if (!level)
> > -   level = FALLBACK_LEVEL;
> > -   } else {
> > -   prefix = n

[PATCH] genhomedircon: add support for %group syntax

2016-07-27 Thread Gary Tierney
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.

This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/genhomedircon.c | 319 +++-
 1 file changed, 247 insertions(+), 72 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index c5ea436..2955b19 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -48,6 +48,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 
 /* paths used in get_home_dirs() */
 #define PATH_ETC_USERADD "/etc/default/useradd"
@@ -98,6 +100,10 @@ typedef struct user_entry {
char *prefix;
char *home;
char *level;
+
+   // The login identifier that was used
+   // in semanage-login / seusers
+   char *login;
struct user_entry *next;
 } genhomedircon_user_entry_t;
 
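Review bot: the comment on the new `login` member uses `//` while the rest of genhomedircon.c uses `/* */` (see `/* paths used in get_home_dirs() */` above); switch it to the block style for consistency with the surrounding code.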
@@ -486,6 +492,11 @@ static int USER_CONTEXT_PRED(const char *string)
return (int)(strstr(string, TEMPLATE_USER) != NULL);
 }
 
+static int STR_COMPARATOR(const void *a, const void *b)
+{
+   return strcmp((const char *) a, (const char *) b);
+}
+
 /* make_tempate
  * @param  s the settings holding the paths to various files
  * @param  predfunction pointer to function to use as filter for slurp
@@ -652,6 +663,24 @@ static int write_user_context(genhomedircon_settings_t * 
s, FILE * out,
return write_replacements(s, out, tpl, repl);
 }
 
+static int seuser_sort_func(const void *arg1, const void *arg2)
+{
+   const semanage_seuser_t **u1 = (const semanage_seuser_t **) arg1;
+   const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2;;
+   const char *name1 = semanage_seuser_get_name(*u1);
+   const char *name2 = semanage_seuser_get_name(*u2);
+
+   if (name1[0] == '%' && name2[0] == '%') {
+   return 0;
+   } else if (name1[0] == '%') {
+   return 1;
+   } else if (name2[0] == '%') {
+   return -1;
+   }
+
+   return strcmp(name1, name2);
+}
+
 static int user_sort_func(semanage_user_t ** arg1, semanage_user_t ** arg2)
 {
return strcmp(semanage_user_get_name(*arg1),
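Review bot: `seuser_sort_func` deliberately orders explicit logins before every `%group` entry, and the later loop over the sorted seuser list relies on that ordering; a one-line comment above the function stating that intent would save the next reader from having to infer it from the three `'%'` branches.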
@@ -665,7 +694,8 @@ static int name_user_cmp(char *key, semanage_user_t ** val)
 
 static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
   const char *u, const char *g, const char *sen,
-  const char *pre, const char *h, const char *l)
+  const char *pre, const char *h, const char *l,
+  const char *ln)
 {
genhomedircon_user_entry_t *temp = NULL;
char *name = NULL;
@@ -675,6 +705,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
char *prefix = NULL;
char *home = NULL;
char *level = NULL;
+   char *lname = NULL;
 
temp = malloc(sizeof(genhomedircon_user_entry_t));
if (!temp)
@@ -700,6 +731,9 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
level = strdup(l);
if (!level)
goto cleanup;
+   lname = strdup(ln);
+   if (!lname)
+   goto cleanup;
 
temp->name = name;
temp->uid = uid;
@@ -708,6 +742,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
temp->prefix = prefix;
temp->home = home;
temp->level = level;
+   temp->login = lname;
temp->next = (*list);
(*list) = temp;
 
@@ -721,6 +756,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** 
list, const char *n,
free(prefix);
free(home);
free(level);
+   free(lname);
free(temp);
return STATUS_ERR;
 }
@@ -741,6 +777,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** 
list)
free(temp->prefix);
free(temp->home);
free(temp->level);
+   free(temp->login);
free(temp);
 }
 
@@ -790,7 +827,8 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
 
if (push_user_entry(&(s->fallback), FALLBACK_NAME,
FALLBACK_UIDGID, FALLBACK_UIDGID,
-   seuname, prefix, "", level) != 0)
+   seuname, prefix, "", level,
+   

genhomedircon: some issues with a custom policy

2016-07-23 Thread Gary Tierney
Hi,

There are a few issues I've run into with genhomedircon and a custom policy
(i.e., not based on refpolicy), 2 of which prevent me from using genhomedircon,
and 1 small issue which I can work around.

The first main issue is that my custom policy doesn't use "system_u" as the
system user identifier (instead it is "sys.id").  So when genhomedircon writes
out contexts for my login they are still associated with sys.id because
genhomedircon only does a simple search and replace for the default refpolicy
system user identifier "system_u".  I had a look at existing contexts in
homedir_templates for refpolicy, fedora-selinux and the custom policy I'm using
and it seems like it'd be safe enough to replace the SELinux user in all the
HOMEDIR and USER context specifications regardless of whether it matches "system_u".
Would this be a reasonable approach?

The second issue is RBACSEP in my policy.  There's currently no way for
genhomedircon to know which role to associate with a login's file context specs
if RBACSEP is used.  I noticed that genhomedircon will replace "ROLE" in context
specs with whatever the SELinux user's prefix is, so I've currently hacked
genhomedircon.c to replace the role in each context with whatever the user's
prefix is and have some policy like this:

(in wheel
    (tunableif enable_rbacsep
        (true
            (userprefix id wheel.role))))

This makes sure all logins associated with wheel.id get a role of "wheel.role"
in their generated context specs. This seems like a bit of a hack since
historically the user's prefix has been used as a prefix in a type identifier.
Any suggestions on how this should be handled?

The third and smallest issue is that semanage-login supports login identifiers
with the %groupname format but genhomedircon doesn't expand them to the group's
members.  I currently expand groups to their members in genhomedircon and treat
a user belonging to 2 groups listed in seusers as an error.  Would a patch be
accepted for this functionality?

Thanks,
Gary.
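
The %group expansion asked about in the third issue above (and implemented by the patches earlier in this thread), as an added example in C that is not code from libsemanage or from any of the patches. The seusers table, the group database and the user names are constructed, and a table lookup stands in for getgrnam(): an explicit login entry wins, a user in two mapped groups with no explicit login is reported as ambiguous, and __default__ applies otherwise.

```c
#include <string.h>

struct seuser { const char *login, *sename; };
struct group  { const char *name, *members[4]; };

/* Constructed seusers and group tables (not from any real system): %group
 * entries stand in for semanage-login mappings, groups[] for getgrnam(). */
static const struct seuser seusers[] = {
    { "__default__", "user_u" }, { "alice", "staff_u" },
    { "%admins", "sysadm_u" },   { "%devs",  "staff_u" },
};
static const struct group groups[] = {
    { "admins", { "alice", "bob", NULL } }, { "devs", { "bob", "carol", NULL } },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Is user listed in group grp?  Stands in for walking getgrnam()->gr_mem. */
static int is_member(const char *user, const char *grp)
{
    for (size_t i = 0; i < N(groups); i++)
        for (size_t j = 0; !strcmp(groups[i].name, grp) && groups[i].members[j]; j++)
            if (strcmp(groups[i].members[j], user) == 0)
                return 1;
    return 0;
}

/* Resolve a Linux login to its SELinux user: an explicit login entry wins,
 * %group membership is next (two mapped groups = ambiguous), else __default__.
 * Returns 0 and sets *sename; -1 on ambiguity; -2 if nothing maps the user. */
int resolve_login(const char *user, const char **sename)
{
    const char *grp = NULL, *dflt = NULL;
    int ngroups = 0;
    for (size_t i = 0; i < N(seusers); i++) {
        const char *l = seusers[i].login, *se = seusers[i].sename;
        if (strcmp(l, user) == 0) { *sename = se; return 0; }
        if (strcmp(l, "__default__") == 0)
            dflt = se;
        else if (l[0] == '%' && is_member(user, l + 1)) {
            grp = se;
            ngroups++;
        }
    }
    if (ngroups > 1)
        return -1;
    if (!grp && !dflt)
        return -2;
    *sename = grp ? grp : dflt;
    return 0;
}
```

With the constructed tables, "alice" resolves to staff_u through her explicit entry even though she is also in admins, "bob" (in both admins and devs) is rejected as ambiguous, and "dave" falls back to the __default__ mapping.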
