Re: [PATCH 0/3 v2] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-22 Thread James Carter

On 03/21/2017 06:43 PM, Nicolas Iooss wrote:

> On Mon, Mar 20, 2017 at 4:40 PM, James Carter  wrote:
>
>> It would sometimes be helpful for debugging or verification purposes to be able to convert
>> a binary policy to a human-readable form.
>>
>> This patchset adds libsepol functions that take a kernel policydb in and outputs either
>> a CIL or policy.conf text.
>>
>> Checkpolicy is modified to generate CIL text from a binary policy if using the "-C" option
>> and to add the "-F" option to generate policy.conf text from a binary policy.
>>
>> Where possible, rules are sorted in alphabetical or numerical order to aid in debugging.
>>
>> Changes from v1:
>> - Moved __attribute__((format(printf...))) for printf-like functions to kernel_to_common.h
>> - Incorporated patch from Nicolas Iooss to make const char* variables where appropriate
>> - Fixed conditional block formatting problems when generating policy.conf
>> - Initialize mls_constraints and non_mls_constraints to NULL in kernel_to_conf.c and
>>   kernel_to_cil.c so they are not accessed without initialization if an error occurs.
>> - Updated checkpolicy manpage to include the new option
>> - Removed commented-out block from checkpolicy.c
>>
>> James Carter (3):
>>   libsepol: Add ability to convert binary policy to CIL
>>   libsepol: Add ability to convert binary policy to policy.conf file
>>   checkpolicy: Add options to convert binary policy to CIL or a policy.conf


> Hello,
>
> I have tested this new version and it worked quite fine on my system.
> It also builds without any trouble on Travis-CI
> (https://travis-ci.org/fishilico/selinux/builds/213586224).
>
> After performing some tests, I quickly read the CIL policy generated
> with "checkpolicy -bC" and found:
>
> (booleanif (and git_cgi_enable_homedirs use_nfs_home_dirs)
> (true
> (allow httpd_git_script_t nfs_t (dir (getattr search open)))
> (allow httpd_git_script_t nfs_t (dir (ioctl read getattr lock
> search open)))
> (allow httpd_git_script_t nfs_t (dir (ioctl read getattr lock
> search open)))
> (allow httpd_git_script_t nfs_t (file (ioctl read getattr lock open)))
> (allow httpd_git_script_t nfs_t (filesystem (getattr)))
> )
> (false(dontaudit httpd_git_script_t nfs_t (file (ioctl
> read getattr lock open)))
> )
> )
>
> There is a missing "\n" after "(false" on line 2059 of kernel_to_cil.c
> (function write_cond_nodes_to_cil).



Not sure how I missed that.


> Moreover when trying to compile with secilc the resulting file, I get
> "Bad userrange declaration" on a line which contains "(userrange root
> systemlow systemlow)" (this is a non-MLS policy). There are missing
> parentheses around the levels when generating userrange statements in
> write_user_decl_rules_to_cil().



I guess I have been too focused on testing MLS policies.


> By iterating cycles of secilc and checkpolicy -bC, it appears that the
> roletypes statements get generated with alphabetical order of roles,
> but a random order for types (which is the order in the binary policy
> file if I understand the code correctly). Would it be possible to sort
> them in alphabetical order too? I guess a "struct strs"-based
> construction similar to what write_cond_av_list_to_cil() does can be
> used, even though I have not taken time to test this yet.



I do sort the types when generating a policy.conf. I should do them for CIL as well.


Thanks for the review and comments.

Jim


> Cheers,
> Nicolas




--
James Carter 
National Security Agency
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: [PATCH 0/3 v2] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-21 Thread Nicolas Iooss
On Mon, Mar 20, 2017 at 4:40 PM, James Carter  wrote:
> It would sometimes be helpful for debugging or verification purposes to be able to convert
> a binary policy to a human-readable form.
>
> This patchset adds libsepol functions that take a kernel policydb in and outputs either
> a CIL or policy.conf text.
>
> Checkpolicy is modified to generate CIL text from a binary policy if using the "-C" option
> and to add the "-F" option to generate policy.conf text from a binary policy.
>
> Where possible, rules are sorted in alphabetical or numerical order to aid in debugging.
>
> Changes from v1:
> - Moved __attribute__((format(printf...))) for printf-like functions to kernel_to_common.h
> - Incorporated patch from Nicolas Iooss to make const char* variables where appropriate
> - Fixed conditional block formatting problems when generating policy.conf
> - Initialize mls_constraints and non_mls_constraints to NULL in kernel_to_conf.c and
>   kernel_to_cil.c so they are not accessed without initialization if an error occurs.
> - Updated checkpolicy manpage to include the new option
> - Removed commented-out block from checkpolicy.c
>
> James Carter (3):
>   libsepol: Add ability to convert binary policy to CIL
>   libsepol: Add ability to convert binary policy to policy.conf file
>   checkpolicy: Add options to convert binary policy to CIL or a policy.conf

Hello,

I have tested this new version and it worked quite fine on my system.
It also builds without any trouble on Travis-CI
(https://travis-ci.org/fishilico/selinux/builds/213586224).

After performing some tests, I quickly read the CIL policy generated
with "checkpolicy -bC" and found:

(booleanif (and git_cgi_enable_homedirs use_nfs_home_dirs)
(true
(allow httpd_git_script_t nfs_t (dir (getattr search open)))
(allow httpd_git_script_t nfs_t (dir (ioctl read getattr lock
search open)))
(allow httpd_git_script_t nfs_t (dir (ioctl read getattr lock
search open)))
(allow httpd_git_script_t nfs_t (file (ioctl read getattr lock open)))
(allow httpd_git_script_t nfs_t (filesystem (getattr)))
)
(false(dontaudit httpd_git_script_t nfs_t (file (ioctl
read getattr lock open)))
)
)

There is a missing "\n" after "(false" on line 2059 of kernel_to_cil.c
(function write_cond_nodes_to_cil).

Moreover when trying to compile with secilc the resulting file, I get
"Bad userrange declaration" on a line which contains "(userrange root
systemlow systemlow)" (this is a non-MLS policy). There are missing
parentheses around the levels when generating userrange statements in
write_user_decl_rules_to_cil().

By iterating cycles of secilc and checkpolicy -bC, it appears that the
roletypes statements get generated with alphabetical order of roles,
but a random order for types (which is the order in the binary policy
file if I understand the code correctly). Would it be possible to sort
them in alphabetical order too? I guess a "struct strs"-based
construction similar to what write_cond_av_list_to_cil() does can be
used, even though I have not taken time to test this yet.

Cheers,
Nicolas

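As an added example that is not part of the patch series or of the SELinux project, here is a small Python lint for the CIL text that "checkpolicy -bC" writes, checking for the three defects reported above: a true/false branch keyword glued to its first rule, a userrange whose level range is not parenthesized, and roletype statements not sorted by role and then by type. It assumes that the generator emits one "(roletype role type)" statement per pair and that the correct non-MLS form is "(userrange user (low high))"; the sample input is constructed.

```python
import re
def parse_cil(text):
    """Parse CIL text (an s-expression language) into nested lists of strings."""
    stack = [[]]
    for tok in re.findall(r"\(|\)|[^\s()]+", text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses")
    return stack[0]
def to_cil(node):  # render a parsed node back to one line of CIL text
    if isinstance(node, list):
        return "(" + " ".join(to_cil(n) for n in node) + ")"
    return node
def lint_cil(text):
    """Return the problems found in generated CIL text, as a list of strings."""
    problems = []
    # Cosmetic defect from the thread: a branch keyword glued to its first rule.
    for m in re.finditer(r"\((true|false)\(", text):
        problems.append(f"missing newline after '({m.group(1)}'")
    roletypes = []
    for stmt in parse_cil(text):
        kw = stmt[0] if stmt and isinstance(stmt[0], str) else None
        # userrange must be (userrange user (low high)): the range is its own list.
        if kw == "userrange" and not (len(stmt) == 3
                and isinstance(stmt[2], list) and len(stmt[2]) == 2):
            problems.append(f"bad userrange declaration: {to_cil(stmt)}")
        elif kw == "roletype" and len(stmt) == 3:
            roletypes.append((stmt[1], stmt[2]))
    # roletype statements should come out sorted by role, then by type.
    if roletypes != sorted(roletypes):
        problems.append("roletype statements are not sorted by (role, type)")
    return problems
# Constructed sample reproducing the three defects reported in the thread.
SAMPLE = """\
(userrange root systemlow systemlow)
(roletype object_r unlabeled_t)
(roletype object_r file_t)
(booleanif (and git_cgi_enable_homedirs use_nfs_home_dirs)
(true (allow httpd_git_script_t nfs_t (dir (getattr search open))))
(false(dontaudit httpd_git_script_t nfs_t (file (ioctl read getattr lock open)))))
"""
```

Running lint_cil(SAMPLE) reports all three findings; the same text with "(userrange root (systemlow systemlow))" and the roletype lines swapped reports none.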


[PATCH 0/3 v2] libsepol and checkpolicy: Output CIL or policy.conf from kernel policy

2017-03-20 Thread James Carter
It would sometimes be helpful for debugging or verification purposes to be able to convert
a binary policy to a human-readable form.

This patchset adds libsepol functions that take a kernel policydb in and outputs either
a CIL or policy.conf text.

Checkpolicy is modified to generate CIL text from a binary policy if using the "-C" option
and to add the "-F" option to generate policy.conf text from a binary policy.

Where possible, rules are sorted in alphabetical or numerical order to aid in debugging.

Changes from v1:
- Moved __attribute__((format(printf...))) for printf-like functions to kernel_to_common.h
- Incorporated patch from Nicolas Iooss to make const char* variables where appropriate
- Fixed conditional block formatting problems when generating policy.conf
- Initialize mls_constraints and non_mls_constraints to NULL in kernel_to_conf.c and
  kernel_to_cil.c so they are not accessed without initialization if an error occurs.
- Updated checkpolicy manpage to include the new option
- Removed commented-out block from checkpolicy.c

James Carter (3):
  libsepol: Add ability to convert binary policy to CIL
  libsepol: Add ability to convert binary policy to policy.conf file
  checkpolicy: Add options to convert binary policy to CIL or a policy.conf

 checkpolicy/checkpolicy.8   |5 +-
 checkpolicy/checkpolicy.c   |   55 +-
 libsepol/include/sepol/kernel_to_cil.h  |5 +
 libsepol/include/sepol/kernel_to_conf.h |5 +
 libsepol/src/kernel_to_cil.c| 3154 +++
 libsepol/src/kernel_to_common.c |  677 +++
 libsepol/src/kernel_to_common.h |  114 ++
 libsepol/src/kernel_to_conf.c   | 3043 +
 libsepol/src/libsepol.map.in|2 +
 9 files changed, 7041 insertions(+), 19 deletions(-)
 create mode 100644 libsepol/include/sepol/kernel_to_cil.h
 create mode 100644 libsepol/include/sepol/kernel_to_conf.h
 create mode 100644 libsepol/src/kernel_to_cil.c
 create mode 100644 libsepol/src/kernel_to_common.c
 create mode 100644 libsepol/src/kernel_to_common.h
 create mode 100644 libsepol/src/kernel_to_conf.c

-- 
2.7.4
