get_default_context_with_level seems to be broken in libselinux.

get_default_context_with_level seems to be broken in libselinux.

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 376 bytes --]

Bugzilla's 211827 224637 
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224637>

Show that the values after the comma are being dropped.

Adding the attached patch fixes the problem.

But I am not sure of the intended use of this code.  The current code 
does not work and looks like it never worked.  Was there an intention 
that this would work differently?


Dan



[-- Attachment #2: default_level.patch --]
[-- Type: text/x-patch, Size: 564 bytes --]

--- libselinux-1.33.4/src/get_context_list.c~	2007-01-11 14:01:23.000000000 -0500
+++ libselinux-1.33.4/src/get_context_list.c	2007-02-09 15:43:31.000000000 -0500
@@ -381,12 +381,16 @@
 {
 	security_context_t *conary;
 	int rc;
-
+	context_t con;
 	rc = get_ordered_context_list_with_level(user, level, fromcon, &conary);
 	if (rc <= 0)
 		return -1;
 
-	*newcon = strdup(conary[0]);
+	con = context_new(conary[0]);
+	context_range_set(con, level);
+	*newcon = strdup(context_str(con));
+	context_free(con);
+
 	freeconary(conary);
 	if (!(*newcon))
 		return -1;

Re: get_default_context_with_level seems to be broken in libselinux.

[Stephen Smalley]

On Mon, 2007-02-12 at 10:15 -0500, Daniel J Walsh wrote:
> Bugzilla's 211827 224637 
> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224637>
> 
> Show that the values after the comma are being dropped.
> 
> Adding the attached patch fixes the problem.
> 
> But I am not sure of the intended use of this code.  The current code 
> does not work and looks like it never worked.  Was there an intention 
> that this would work differently?

If there is a bug, it needs to be fixed within
get_ordered_context_list_with_level, not here.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: get_default_context_with_level seems to be broken in libselinux.

[Stephen Smalley]

On Mon, 2007-02-12 at 11:16 -0500, Stephen Smalley wrote:
> On Mon, 2007-02-12 at 10:15 -0500, Daniel J Walsh wrote:
> > Bugzilla's 211827 224637 
> > <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224637>
> > 
> > Show that the values after the comma are being dropped.
> > 
> > Adding the attached patch fixes the problem.
> > 
> > But I am not sure of the intended use of this code.  The current code 
> > does not work and looks like it never worked.  Was there an intention 
> > that this would work differently?
> 
> If there is a bug, it needs to be fixed within
> get_ordered_context_list_with_level, not here.

Can you provide a test case to demonstrate the bug that doesn't involve
sshd, e.g. simple use of getdefaultcon from libselinux appears to work
as expected without your patch.
$ ./getdefaultcon -l s2:c0,c1 sds system_u:system_r:sshd_t:SystemLow-SystemHigh
./getdefaultcon: sds from system_u:system_r:sshd_t:SystemLow-SystemHigh
staff_u (null) s2:c0,c1 -> staff_u:staff_r:staff_t:Secret:A,B

Applying the patch and re-trying, the only visible difference is that
you end up with the untranslated level.  Is the problem in libselinux or
sshd (or mcstransd)?

Note that the current libselinux logic takes the provided level and puts
it into the fromcon before computing the set of reachable contexts so
that the levels are bounded by that level.  Rather than mutating the
level afterward.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: get_default_context_with_level seems to be broken in libselinux.

[Daniel J Walsh]

Stephen Smalley wrote:
> On Mon, 2007-02-12 at 11:16 -0500, Stephen Smalley wrote:
>   
>> On Mon, 2007-02-12 at 10:15 -0500, Daniel J Walsh wrote:
>>     
>>> Bugzilla's 211827 224637 
>>> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224637>
>>>
>>> Show that the values after the comma are being dropped.
>>>
>>> Adding the attached patch fixes the problem.
>>>
>>> But I am not sure of the intended use of this code.  The current code 
>>> does not work and looks like it never worked.  Was there an intention 
>>> that this would work differently?
>>>       
>> If there is a bug, it needs to be fixed within
>> get_ordered_context_list_with_level, not here.
>>     
>
> Can you provide a test case to demonstrate the bug that doesn't involve
> sshd, e.g. simple use of getdefaultcon from libselinux appears to work
> as expected without your patch.
> $ ./getdefaultcon -l s2:c0,c1 sds system_u:system_r:sshd_t:SystemLow-SystemHigh
> ./getdefaultcon: sds from system_u:system_r:sshd_t:SystemLow-SystemHigh
> staff_u (null) s2:c0,c1 -> staff_u:staff_r:staff_t:Secret:A,B
>
> Applying the patch and re-trying, the only visible difference is that
> you end up with the untranslated level.  Is the problem in libselinux or
> sshd (or mcstransd)?
>
> Note that the current libselinux logic takes the provided level and puts
> it into the fromcon before computing the set of reachable contexts so
> that the levels are bounded by that level.  Rather than mutating the
> level afterward.
>
>   
Ok, it looks like the problem is somewhere in the translation daemon, 
not in libselinux.

ssh works when mcstrans is stopped, fails when it is running.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.