* chcon
From: Russell Coker @ 2003-10-21 13:27 UTC (permalink / raw)
  To: SE Linux; +Cc: Stephen Smalley

Steve, chcon needs access to /selinux/context, is there any problem in putting 
in a macro such as the following and using it for all user domains?

define(`can_check_context', `
allow $1 security_t:dir search;
allow $1 security_t:file { read write };
allow $1 security_t:security { check_context };
')

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: chcon
From: Stephen Smalley @ 2003-10-21 13:36 UTC (permalink / raw)
  To: Russell Coker; +Cc: SE Linux

On Tue, 2003-10-21 at 09:27, Russell Coker wrote:
> Steve, chcon needs access to /selinux/context, is there any problem in putting 
> in a macro such as the following and using it for all user domains?
> 
> define(`can_check_context', `
> allow $1 security_t:dir search;
> allow $1 security_t:file { read write };
> allow $1 security_t:security { check_context };
> ')

This is a recent change to chcon in Dan's SRPM; doesn't exist in the
coreutil-selinux patch from the last release. It isn't truly necessary,
as the context will be checked when it is passed to the kernel via
setfilecon and that call will fail if the context is invalid, so it is
only useful if there is some benefit to catching such errors earlier.

Even if it is worth retaining in chcon, I would suggest distinguishing
between an errno of ENOENT and an errno of EINVAL, as the former may
just indicate that selinuxfs wasn't mounted or the kernel was a
non-SELinux kernel (but could still have the xattr handlers), and
letting the chcon proceed in the former case.  Otherwise, you won't be
able to use chcon if selinuxfs is unmounted or using a non-SELinux
kernel that has the xattr handlers.  I should likely make the same
change to setfiles.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
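Worked example added here (not code from this thread, from libselinux, or from the coreutils or policycoreutils patches it discusses): a small C program that performs the context check the way Stephen describes it, writing the candidate context to the selinuxfs node that Russell's macro grants `dir search` and `file { read write }` on, and splitting the result three ways: accepted, rejected with EINVAL (stop), or ENOENT because selinuxfs is not mounted or the kernel is not SELinux-aware (proceed and let setfilecon make the real decision). The names `check_context_at`, `classify_check_errno` and `ctx_check` are hypothetical; the node path `/selinux/context` is taken from the thread; the sample context string is constructed.

```c
/* Added example, not from the thread, libselinux or coreutils.
 * Classifies a context check against selinuxfs into the outcomes
 * discussed in the thread: valid, invalid (EINVAL), or unable to
 * check (ENOENT), in which case the caller should proceed and rely
 * on the kernel rejecting a bad context at setfilecon time. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Node path as used in the thread (assumed; newer kernels mount
 * selinuxfs elsewhere, which is why the path is a parameter below). */
#define SELINUX_CONTEXT_NODE "/selinux/context"

enum ctx_check {
    CTX_VALID,        /* kernel accepted the context */
    CTX_INVALID,      /* kernel rejected it (EINVAL): stop, as chcon/setfiles would */
    CTX_UNCHECKABLE,  /* selinuxfs absent (ENOENT): proceed, setfilecon will decide */
    CTX_ERROR         /* anything else, e.g. EACCES from a policy denial */
};

/* Pure mapping from the errno of a failed check to a decision; 0 means
 * the write succeeded. Kept separate so the policy is easy to test. */
enum ctx_check classify_check_errno(int err)
{
    switch (err) {
    case 0:      return CTX_VALID;
    case EINVAL: return CTX_INVALID;
    case ENOENT: return CTX_UNCHECKABLE;
    default:     return CTX_ERROR;
    }
}

/* Open the selinuxfs context node read/write (the access the macro in
 * the thread authorises), write the candidate context, and classify. */
enum ctx_check check_context_at(const char *node, const char *context)
{
    int saved_errno = 0;
    int fd = open(node, O_RDWR);
    if (fd < 0)
        return classify_check_errno(errno);   /* ENOENT: no selinuxfs here */
    errno = 0;   /* a stale errno must never be mistaken for a verdict */
    if (write(fd, context, strlen(context)) < 0)
        saved_errno = errno;                  /* EINVAL: kernel rejected it */
    close(fd);                                /* may clobber errno; we saved it */
    return classify_check_errno(saved_errno);
}

/* Usage: ./check_context [context]   (constructed sample context as default) */
int main(int argc, char **argv)
{
    const char *ctx = argc > 1 ? argv[1] : "system_u:object_r:etc_t";
    switch (check_context_at(SELINUX_CONTEXT_NODE, ctx)) {
    case CTX_VALID:
        printf("%s: valid\n", ctx);
        return 0;
    case CTX_INVALID:
        fprintf(stderr, "%s: invalid context\n", ctx);
        return 1;
    case CTX_UNCHECKABLE:
        fprintf(stderr, "warning: %s not available, cannot validate %s; proceeding\n",
                SELINUX_CONTEXT_NODE, ctx);
        return 0;
    default:
        fprintf(stderr, "%s: unexpected error checking %s\n", SELINUX_CONTEXT_NODE, ctx);
        return 1;
    }
}
```

The point of the split is that ENOENT is a statement about the machine, not about the context, so it must not abort the operation; a policy denial on the node itself would surface as EACCES and land in the CTX_ERROR branch, which is exactly the case the `can_check_context` macro exists to prevent for user domains.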




* Re: chcon
From: Daniel J Walsh @ 2003-10-21 18:39 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Russell Coker, SE Linux


Stephen Smalley wrote:

> On Tue, 2003-10-21 at 09:27, Russell Coker wrote:
>
>> Steve, chcon needs access to /selinux/context, is there any problem in putting
>> in a macro such as the following and using it for all user domains?
>>
>> define(`can_check_context', `
>> allow $1 security_t:dir search;
>> allow $1 security_t:file { read write };
>> allow $1 security_t:security { check_context };
>> ')
>
> This is a recent change to chcon in Dan's SRPM; doesn't exist in the
> coreutil-selinux patch from the last release. It isn't truly necessary,
> as the context will be checked when it is passed to the kernel via
> setfilecon and that call will fail if the context is invalid, so it is
> only useful if there is some benefit to catching such errors earlier.
>
> Even if it is worth retaining in chcon, I would suggest distinguishing
> between an errno of ENOENT and an errno of EINVAL, as the former may
> just indicate that selinuxfs wasn't mounted or the kernel was a
> non-SELinux kernel (but could still have the xattr handlers), and
> letting the chcon proceed in the former case.  Otherwise, you won't be
> able to use chcon if selinuxfs is unmounted or using a non-SELinux
> kernel that has the xattr handlers.  I should likely make the same
> change to setfiles.

I have put out a new patch that does not do this anymore.  It has a
simpler error mechanism.

Dan



* Re: chcon
From: Stephen Smalley @ 2003-10-21 18:58 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Russell Coker, SE Linux


On Tue, 2003-10-21 at 14:39, Daniel J Walsh wrote:
> I have put out a new patch that does not do this anymore.  It has a
> simpler error mechanism.

I've applied the attached patch to setfiles so that it will proceed even
if selinuxfs is not mounted (e.g. on a non-SELinux kernel that has the
necessary xattr handlers), albeit without the ability to check the
contexts in the file contexts configuration for correctness.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

[-- Attachment #2: setfiles.patch --]
[-- Type: text/x-patch, Size: 631 bytes --]

diff -X /home/sds/dontdiff -ru selinux-usr/policycoreutils/setfiles/setfiles.c selinux-usr-cvs/policycoreutils/setfiles/setfiles.c
--- selinux-usr/policycoreutils/setfiles/setfiles.c	2003-10-20 11:26:17.000000000 -0400
+++ selinux-usr-cvs/policycoreutils/setfiles/setfiles.c	2003-10-21 11:22:44.000000000 -0400
@@ -872,7 +872,7 @@
 				spec[nspec].context = context;
 
 				if (strcmp(context, "<<none>>")) {
-					if (security_check_context(context) < 0) {
+					if (security_check_context(context) < 0 && errno != ENOENT) {
 						fprintf(stderr,
 							"%s:  invalid context %s on line number %d\n",
 							argv[0], context,
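Review bot: the new `errno != ENOENT` test relies on `security_check_context` leaving errno set from its failed open of the selinuxfs node, and on `<errno.h>` already being included in setfiles.c, which this hunk does not show; if the library ever returns -1 without touching errno, a stale ENOENT from an earlier call would let an invalid context through silently. Clearing errno before the call (`errno = 0;`) closes that hole, and probing for selinuxfs once at startup with a single warning that file contexts will not be validated would make the fallback explicit, rather than silently accepting every remaining context on a kernel without selinuxfs.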


