* v2 Add class support to the role_transition rule
@ 2011-03-25  5:51 Harry Ciao
  2011-03-25  5:51 ` [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
                   ` (8 more replies)
  0 siblings, 9 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:51 UTC
  To: sds, jmorris, eparis; +Cc: selinux



Comments:
---------
The outstanding changes in v2 from v1 include:

1. The newly added class support in role_trans structure in both kernel
and libsepol have been renamed to "tclass";

2. The role_transition rule will be handled in a unified way for both
process class and non-process classes - roletr->type would always be
used to compare with tcontext->type, which is the type for the parent
directory accommodating the newly created object, or the program
executable type.


Tests I've done:
----------------

0. Add below snippet into sysadm.te for testing:

   role_transition sysadm_r user_home_t:{ file dir } sysadm_r;
   role sysadm_r types user_home_t;
   
   gen_require(`
           type vlock_exec_t, vlock_t;
   ')
   role_transition sysadm_r vlock_exec_t system_r;
   
1. Verify that the dismod program could display the class field of the
   role_transition rule correctly:
   
   /work/selinux/selinux/checkpolicy$ test/dismod /work/selinux/refpolicy/sysadm.pp 
   Reading policy...
   ......
   Command ('m' for menu):  7
   role transitions:
   --- begin avrule block ---
   decl 1:
   role transition  sysadm_r [vlock_exec_t] : [process] system_r
   role transition  sysadm_r [user_home_t] :{ [file] [dir] } sysadm_r
   --- begin avrule block ---
   decl 2:
   ......
   --- begin avrule block ---
   decl 342:
   
   Command ('m' for menu):  q
   /work/selinux/selinux/checkpolicy$ 
   
2. Further verify that the binary representation of the role_transition rule
   is correct, with the class field *after* that of new_role in the image:

   /work/selinux/refpolicy$ ls -l /etc/selinux/refpolicy-mls/policy/
   total 5728
   -rw-r--r--. 1 root root 5849662 2011-03-25 13:12 policy.26
   /work/selinux/refpolicy$ xxd /etc/selinux/refpolicy-mls/policy/policy.26 > policy_26_xxd
   /work/selinux/refpolicy$ vim policy_26_xxd
   ......
   055c510:                                    0800  l.....S.........
   055c520: 0000 0300 0000 a006 0000 0b00 0000 0200  ................
   055c530: 0000 0300 0000 a103 0000 0b00 0000 0200  ................
   055c540: 0000 0800 0000 b707 0000 0b00 0000 0200  ................
   055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200  ................
   055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200  ................
   055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600  ................
   055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700  ................
   055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200  ................
   055c5a0: 0000 
   ......
   /work/selinux/refpolicy$ 

3. Run-time test one - verify that the role_transition rule works for
   non-process classes:

   [root/sysadm_r/s0@~]# sestatus 
   SELinux status:                 enabled
   SELinuxfs mount:                /selinux
   Current mode:                   enforcing
   Mode from config file:          enforcing
   Policy version:                 26
   Policy from config file:        refpolicy-mls
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# id -Z
   root:sysadm_r:sysadm_t:s0-s15:c0.c1023
   [root/sysadm_r/s0@~]# ls -Zd
   dr-xr-x---  root root root:object_r:user_home_dir_t:s0-s15:c0.c1023 .
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# mkdir parent
   [root/sysadm_r/s0@~]# ls -Z
   drwxr-xr-x  root root root:object_r:user_home_t:s0     parent
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 dir
   root:sysadm_r:user_home_t:s0
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 file
   root:sysadm_r:user_home_t:s0
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 lnk_file
   root:object_r:user_home_t:s0
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# cd parent
   [root/sysadm_r/s0@parent]# mkdir dir
   [root/sysadm_r/s0@parent]# touch file
   [root/sysadm_r/s0@parent]# ln -s file file_lk
   [root/sysadm_r/s0@parent]# mkfifo pipe
   [root/sysadm_r/s0@parent]# 
   [root/sysadm_r/s0@parent]# ls -Z
   drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
   -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
   lrwxrwxrwx  root root root:object_r:user_home_t:s0     file_lk -> file
   prw-r--r--  root root root:object_r:user_home_t:s0     pipe
   [root/sysadm_r/s0@parent]# 

4. Run-time test two - verify that the role_transition rule works for the
   process class:

   [root/sysadm_r/s0@~]# ls -Z /usr/sbin/vlock-main 
   -rws--x--x  root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# seclow "setenforce 0"
   Password: 
   [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
   root:system_r:vlock_t:s0-s15:c0.c1023
   [root/sysadm_r/s0@~]# 
     
   [root/staff_r/s0@~]# vlock &
   [1] 743
   [root/staff_r/s0@~]# ps Z -C vlock-main
   LABEL                             PID TTY      STAT   TIME COMMAND
   root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T      0:00 /usr/sbin/vlock-main
   [1]+  Stopped                 vlock
   [root/staff_r/s0@~]# 
   
   [root/sysadm_r/s0@~]# vlock &
   [1] 759
   [root/sysadm_r/s0@~]# ps Z -C vlock-main
   LABEL                             PID TTY      STAT   TIME COMMAND
   root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T      0:00 /usr/sbin/vlock-main
   root:system_r:vlock_t:s0-s15:c0.c1023 759 ttyS0 T     0:00 /usr/sbin/vlock-main
   [1]+  Stopped                 vlock
   [root/sysadm_r/s0@~]# 
   
   (Note, "setenforce 0" is to shortcut the necessary user-role & role-type
    settings in sysadm.pp for system_r)
   
5. (TODO) restorecon doesn't take into account the role_transition rule
   for non-process class so far:

   [root/sysadm_r/s0@~]# cd parent/
   [root/sysadm_r/s0@parent]# 
   [root/sysadm_r/s0@parent]# ls -Z
   drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
   -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
   lrwxrwxrwx  root root root:object_r:user_home_t:s0     file_lk -> file
   prw-r--r--  root root root:object_r:user_home_t:s0     pipe
   [root/sysadm_r/s0@parent]# 
   [root/sysadm_r/s0@parent]# restorecon . -R
   [root/sysadm_r/s0@parent]# 
   [root/sysadm_r/s0@parent]# ls -Z
   drwxr-xr-x  root root root:object_r:user_home_t:s0     dir
   -rw-r--r--  root root root:object_r:user_home_t:s0     file
   lrwxrwxrwx  root root root:object_r:user_home_t:s0     file_lk -> file
   prw-r--r--  root root root:object_r:user_home_t:s0     pipe
   [root/sysadm_r/s0@parent]# 

6. Verify that SELinux kernel policydb_write > role_trans_write works well:

   [root/sysadm_r/s0@~]# setenforce 1
   [root/sysadm_r/s0@~]# sestatus 
   SELinux status:                 enabled
   SELinuxfs mount:                /selinux
   Current mode:                   enforcing
   Mode from config file:          enforcing
   Policy version:                 26
   Policy from config file:        refpolicy-mls
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# ls -l policy_read 
   -rw-r--r-- 1 root root 5849662 Mar 25 05:26 policy_read
   [root/sysadm_r/s0@~]# ls -l /etc/selinux/refpolicy-mls/policy/
   total 5732
   -rw-r--r-- 1 root root 5849662 Mar 25 05:15 policy.26
   [root/sysadm_r/s0@~]# 
   [root/sysadm_r/s0@~]# xxd policy_read > policy_read_xxd
   [root/sysadm_r/s0@~]# vim policy_read_xxd 
   ......
   055c510:                                    0800  l.....S.........
   055c520: 0000 0300 0000 a006 0000 0b00 0000 0200  ................
   055c530: 0000 0300 0000 a103 0000 0b00 0000 0200  ................
   055c540: 0000 0800 0000 b707 0000 0b00 0000 0200  ................
   055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200  ................
   055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200  ................
   055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600  ................
   055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700  ................
   055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200  ................
   055c5a0: 0000 
   ......
   [root/sysadm_r/s0@~]# 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
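A small encoder/decoder for the role_trans section whose layout step 2 above verifies, added here as an illustration (Python, not code from the patch series or from libsepol). It assumes the constructed symbol values given in the block, chosen so the entries read like the xxd dump (sysadm_r as role 0xa, user_home_t as type 0x58e, classes file=6 and dir=7, process=2), and it also applies the matching rule from patch 2/3 to show why a lnk_file stays object_r in step 3 while file and dir get sysadm_r.

```python
import struct

POLICYDB_VERSION_ROLETRANS = 26  # first policy version carrying the class field
OBJECT_R = 1                     # OBJECT_R_VAL: default role of non-process objects

# Constructed symbol tables (value -> name). Policydb values are 1-based; the
# role/type/class numbers here are assumptions chosen to read like the xxd
# dump in step 2 of the cover letter, not values taken from a real policy.
ROLES = {1: "object_r", 3: "system_r", 10: "sysadm_r"}
TYPES = {0x58e: "user_home_t", 0x3a1: "vlock_exec_t"}
CLASSES = {2: "process", 6: "file", 7: "dir", 9: "lnk_file"}
PROCESS_CLASS = 2


def encode_role_trans(rules, policyvers):
    """Serialize a list of (role, type, tclass, new_role) tuples.

    Layout: u32 count, then per rule the u32s role, type, new_role and, from
    version 26 on, tclass (after new_role, as the cover letter describes).
    """
    has_class = policyvers >= POLICYDB_VERSION_ROLETRANS
    # An older layout has no class field, so rules for other classes cannot
    # be represented: drop them *before* the count is written so the count
    # and the entries that follow it stay consistent.
    kept = rules if has_class else [r for r in rules if r[2] == PROCESS_CLASS]
    out = bytearray(struct.pack("<I", len(kept)))
    for role, typ, tclass, new_role in kept:
        out += struct.pack("<III", role, typ, new_role)
        if has_class:
            out += struct.pack("<I", tclass)
    return bytes(out)


def decode_role_trans(data, policyvers, process_class=PROCESS_CLASS):
    """Parse the section back; returns (rules, bytes_consumed).

    A pre-26 image gets process_class filled in, as the kernel does. Every
    value is checked against the symbol tables, mirroring the kernel's
    policydb_*_isvalid() checks, and a short buffer is rejected up front.
    """
    has_class = policyvers >= POLICYDB_VERSION_ROLETRANS
    entry_len = 16 if has_class else 12
    (nel,) = struct.unpack_from("<I", data, 0)
    off = 4
    if len(data) - off < nel * entry_len:
        raise ValueError("truncated role_trans section")
    rules = []
    for _ in range(nel):
        role, typ, new_role = struct.unpack_from("<III", data, off)
        off += 12
        if has_class:
            (tclass,) = struct.unpack_from("<I", data, off)
            off += 4
        else:
            tclass = process_class
        if (role not in ROLES or typ not in TYPES or tclass not in CLASSES
                or new_role not in ROLES):
            raise ValueError("invalid role_trans entry %r"
                             % ((role, typ, tclass, new_role),))
        rules.append((role, typ, tclass, new_role))
    return rules, off


def compute_role(rules, srole, ttype, tclass):
    """Role of the new context, as the patched security_compute_sid picks it.

    Default: a process keeps the subject's role, any other object gets
    object_r. A rule overrides that only when role, target type *and* class
    all match, which is why the lnk_file created in step 3 stays object_r
    while the file and dir get sysadm_r.
    """
    new_role = srole if tclass == PROCESS_CLASS else OBJECT_R
    for role, typ, cls, rule_role in rules:
        if role == srole and typ == ttype and cls == tclass:
            return rule_role
    return new_role


# The rules added to sysadm.te in step 0 of the cover letter, expressed with
# the constructed values above.
TEST_RULES = [
    (10, 0x58e, 6, 10),   # role_transition sysadm_r user_home_t:file sysadm_r
    (10, 0x58e, 7, 10),   # role_transition sysadm_r user_home_t:dir  sysadm_r
    (10, 0x3a1, 2, 3),    # role_transition sysadm_r vlock_exec_t     system_r
]

if __name__ == "__main__":
    blob = encode_role_trans(TEST_RULES, 26)
    print(decode_role_trans(blob, 26))
    print(decode_role_trans(encode_role_trans(TEST_RULES, 24), 24))
    for cls in (6, 7, 9):
        print(CLASSES[cls], ROLES[compute_role(TEST_RULES, 10, 0x58e, cls)])
```

Decoding a version-26 image with the version-24 layout fails the symbol check rather than silently producing nonsense, which is the same protection the kernel's isvalid checks give.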


* [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
@ 2011-03-25  5:51 ` Harry Ciao
  2011-04-06 23:04   ` Eric Paris
  2011-03-25  5:51 ` [v2 PATCH 1/5] Userspace: add class to role_trans & role_trans_rule Harry Ciao
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:51 UTC
  To: sds, jmorris, eparis; +Cc: selinux

If kernel policy version is >= 26, then the binary representation of
the role_trans structure supports specifying the class for the current
subject or the newly created object.

If kernel policy version is < 26, then the class field would be default
to the process class.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 security/selinux/include/security.h |    3 ++-
 security/selinux/ss/policydb.c      |   14 ++++++++++++++
 security/selinux/ss/policydb.h      |    3 ++-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 348eb00..bfc5218 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -30,13 +30,14 @@
 #define POLICYDB_VERSION_PERMISSIVE	23
 #define POLICYDB_VERSION_BOUNDARY	24
 #define POLICYDB_VERSION_FILENAME_TRANS	25
+#define POLICYDB_VERSION_ROLETRANS	26
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
 #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
 #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
 #else
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_FILENAME_TRANS
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
 #endif
 
 /* Mask for just the mount related flags */
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index e7b850a..fd62c50 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
 		.sym_num	= SYM_NUM,
 		.ocon_num	= OCON_NUM,
 	},
+	{
+		.version	= POLICYDB_VERSION_ROLETRANS,
+		.sym_num	= SYM_NUM,
+		.ocon_num	= OCON_NUM,
+	},
 };
 
 static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
 		tr->role = le32_to_cpu(buf[0]);
 		tr->type = le32_to_cpu(buf[1]);
 		tr->new_role = le32_to_cpu(buf[2]);
+		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
+			rc = next_entry(buf, fp, sizeof(u32));
+			if (rc)
+				goto bad;
+			tr->tclass = le32_to_cpu(buf[0]);
+		} else
+			tr->tclass = p->process_class;
+
 		if (!policydb_role_isvalid(p, tr->role) ||
 		    !policydb_type_isvalid(p, tr->type) ||
+		    !policydb_class_isvalid(p, tr->tclass) ||
 		    !policydb_role_isvalid(p, tr->new_role))
 			goto bad;
 		ltr = tr;
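Review bot: the `} else` followed by an unbraced `tr->tclass = p->process_class;` should be `} else {` with its own closing `}`; kernel coding style puts braces on both branches when one of them needs braces. The logic itself reads right: the extra u32 is only consumed for policyvers >= POLICYDB_VERSION_ROLETRANS, a short read goes to `bad`, and the new `policydb_class_isvalid(p, tr->tclass)` check covers both the value read from the image and the process_class fallback.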
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 732ea4a..801175f 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -72,7 +72,8 @@ struct role_datum {
 
 struct role_trans {
 	u32 role;		/* current role */
-	u32 type;		/* program executable type */
+	u32 type;		/* program executable type, or new object type */
+	u32 tclass;		/* process class, or new object class */
 	u32 new_role;		/* new role */
 	struct role_trans *next;
 };
-- 
1.7.0.4




* [v2 PATCH 1/5] Userspace: add class to role_trans & role_trans_rule
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
  2011-03-25  5:51 ` [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
@ 2011-03-25  5:51 ` Harry Ciao
  2011-03-25  5:51 ` [v2 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:51 UTC
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

Introduce the class support to role_trans and role_trans_rule
structures, which could be the subject class("process") or the
class that the newly created object belongs to.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/include/sepol/policydb/policydb.h |   12 ++++++++----
 libsepol/src/policydb.c                    |   21 +++++++++++++++++++++
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index e8991e2..94b8609 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -124,7 +124,8 @@ typedef struct role_datum {
 
 typedef struct role_trans {
 	uint32_t role;		/* current role */
-	uint32_t type;		/* program executable type */
+	uint32_t type;		/* program executable type, or new object type */
+	uint32_t tclass;	/* process class, or new object class */
 	uint32_t new_role;	/* new role */
 	struct role_trans *next;
 } role_trans_t;
@@ -234,7 +235,8 @@ typedef struct avrule {
 
 typedef struct role_trans_rule {
 	role_set_t roles;	/* current role */
-	type_set_t types;	/* program executable type */
+	type_set_t types;	/* program executable type, or new object type */
+	ebitmap_t classes;	/* process class, or new object class */
 	uint32_t new_role;	/* new role */
 	struct role_trans_rule *next;
 } role_trans_rule_t;
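Review bot: `ebitmap_t classes` is an owned member of role_trans_rule_t, so the code that initializes, destroys, copies and links role_trans_rule_t instances now needs matching ebitmap_init/ebitmap_destroy calls; none of that is in this patch, so either add it here or state in the commit message that it lands in 4/5.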
@@ -630,10 +632,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define POLICYDB_VERSION_POLCAP		22
 #define POLICYDB_VERSION_PERMISSIVE	23
 #define POLICYDB_VERSION_BOUNDARY	24
+#define POLICYDB_VERSION_ROLETRANS	26
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_BOUNDARY
+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE		4
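Review bot: POLICYDB_VERSION_ROLETRANS 26 directly follows POLICYDB_VERSION_BOUNDARY 24 here, so libsepol has no name for version 25 (the kernel header in patch 1/3 calls it POLICYDB_VERSION_FILENAME_TRANS), yet POLICYDB_VERSION_MAX jumps from 24 to 26. Either libsepol already handles the version-25 format elsewhere and that constant belongs alongside this one, or the commit message should say that 25 is intentionally skipped.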
@@ -645,9 +648,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
 #define MOD_POLICYDB_VERSION_PERMISSIVE		8
 #define MOD_POLICYDB_VERSION_BOUNDARY		9
 #define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS	10
+#define MOD_POLICYDB_VERSION_ROLETRANS		12
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY_ALIAS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_ROLETRANS
 
 #define POLICYDB_CONFIG_MLS    1
 
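Review bot: MOD_POLICYDB_VERSION_ROLETRANS is 12 while the highest existing module version is MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10; if 11 is reserved for another pending format change, note that in the commit message, otherwise use 11 so the module version sequence stays contiguous.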
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 5c0081f..53a7eef 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -137,6 +137,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
 	{
+	 .type = POLICY_KERN,
+	 .version = POLICYDB_VERSION_ROLETRANS,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
+	{
 	 .type = POLICY_BASE,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -186,6 +193,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
 	{
+	 .type = POLICY_BASE,
+	 .version = MOD_POLICYDB_VERSION_ROLETRANS,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = OCON_NODE6 + 1,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
+	{
 	 .type = POLICY_MOD,
 	 .version = MOD_POLICYDB_VERSION_BASE,
 	 .sym_num = SYM_NUM,
@@ -234,6 +248,13 @@ static struct policydb_compat_info policydb_compat[] = {
 	 .ocon_num = 0,
 	 .target_platform = SEPOL_TARGET_SELINUX,
 	},
+	{
+	 .type = POLICY_MOD,
+	 .version = MOD_POLICYDB_VERSION_ROLETRANS,
+	 .sym_num = SYM_NUM,
+	 .ocon_num = 0,
+	 .target_platform = SEPOL_TARGET_SELINUX,
+	},
 };
 
 #if 0
-- 
1.7.0.4




* [v2 PATCH 2/3] SELinux: Compute role in newcontext for all classes
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
  2011-03-25  5:51 ` [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
  2011-03-25  5:51 ` [v2 PATCH 1/5] Userspace: add class to role_trans & role_trans_rule Harry Ciao
@ 2011-03-25  5:51 ` Harry Ciao
  2011-03-25  5:51 ` [v2 PATCH 2/5] Userspace: role_transition parser to handle class field Harry Ciao
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:51 UTC
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus200@hotmail.com>

Apply role_transition rules for all kinds of classes.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 security/selinux/ss/services.c |   20 +++++++++-----------
 1 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3e7544d..03f7a47 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1484,17 +1484,15 @@ static int security_compute_sid(u32 ssid,
 				      tcontext->type, tclass, qstr);
 
 	/* Check for class-specific changes. */
-	if  (tclass == policydb.process_class) {
-		if (specified & AVTAB_TRANSITION) {
-			/* Look for a role transition rule. */
-			for (roletr = policydb.role_tr; roletr;
-			     roletr = roletr->next) {
-				if (roletr->role == scontext->role &&
-				    roletr->type == tcontext->type) {
-					/* Use the role transition rule. */
-					newcontext.role = roletr->new_role;
-					break;
-				}
+	if (specified & AVTAB_TRANSITION) {
+		/* Look for a role transition rule. */
+		for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
+			if ((roletr->role == scontext->role) &&
+			    (roletr->type == tcontext->type) &&
+			    (roletr->tclass == tclass)) {
+				/* Use the role transition rule. */
+				newcontext.role = roletr->new_role;
+				break;
 			}
 		}
 	}
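Review bot: dropping the `tclass == policydb.process_class` guard means the `for (roletr = policydb.role_tr; ...)` walk now runs on every AVTAB_TRANSITION computation for every class, including each file, dir or socket creation, and role_tr is a singly linked list, so this is a linear scan on a hot path. Consider a cheap pre-check (for instance a flag set at load time when any rule names a non-process class) or, in a follow-up, a hash keyed by (role, type, tclass).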
-- 
1.7.0.4




* [v2 PATCH 2/5] Userspace: role_transition parser to handle class field
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
                   ` (2 preceding siblings ...)
  2011-03-25  5:51 ` [v2 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
@ 2011-03-25  5:51 ` Harry Ciao
  2011-03-25  5:52 ` [v2 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:51 UTC
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

Handle the class field in the role_transition rule. If no class is
specified, then it would be set to the "process" class by default.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 checkpolicy/policy_define.c |   89 ++++++++++++++++++++++++++++++++-----------
 checkpolicy/policy_define.h |    2 +-
 checkpolicy/policy_parse.y  |    4 +-
 3 files changed, 71 insertions(+), 24 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 82ab44c..5e99b30 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2050,17 +2050,18 @@ static int set_roles(role_set_t * set, char *id)
 	return 0;
 }
 
-int define_role_trans(void)
+int define_role_trans(int class_specified)
 {
 	char *id;
 	role_datum_t *role;
 	role_set_t roles;
 	type_set_t types;
-	ebitmap_t e_types, e_roles;
-	ebitmap_node_t *tnode, *rnode;
+	class_datum_t *cladatum;
+	ebitmap_t e_types, e_roles, e_classes;
+	ebitmap_node_t *tnode, *rnode, *cnode;
 	struct role_trans *tr = NULL;
 	struct role_trans_rule *rule = NULL;
-	unsigned int i, j;
+	unsigned int i, j, k;
 	int add = 1;
 
 	if (pass == 1) {
@@ -2068,6 +2069,9 @@ int define_role_trans(void)
 			free(id);
 		while ((id = queue_remove(id_queue)))
 			free(id);
+		if (class_specified)
+			while ((id = queue_remove(id_queue)))
+				free(id);
 		id = queue_remove(id_queue);
 		free(id);
 		return 0;
@@ -2077,6 +2081,7 @@ int define_role_trans(void)
 	ebitmap_init(&e_roles);
 	type_set_init(&types);
 	ebitmap_init(&e_types);
+	ebitmap_init(&e_classes);
 
 	while ((id = queue_remove(id_queue))) {
 		if (set_roles(&roles, id))
@@ -2088,6 +2093,35 @@ int define_role_trans(void)
 			return -1;
 	}
 
+	if (class_specified) {
+		while ((id = queue_remove(id_queue))) {
+			if (!is_id_in_scope(SYM_CLASSES, id)) {
+				yyerror2("class %s is not within scope", id);
+				free(id);
+				return -1;
+			}
+			cladatum = hashtab_search(policydbp->p_classes.table,
+						  id);
+			if (!cladatum) {
+				yyerror2("unknow class %s", id);
+				return -1;
+			}
+
+			ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
+			free(id);
+		}
+	} else {
+		cladatum = hashtab_search(policydbp->p_classes.table,
+					  "process");
+		if (!cladatum) {
+			yyerror2("could not find process class for "
+				 "legacy role_transition statement");
+			return -1;
+		}
+
+		ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
+	}
+
 	id = (char *)queue_remove(id_queue);
 	if (!id) {
 		yyerror("no new role in transition definition?");
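Review bot: "unknow class %s" should read "unknown class %s", and that branch returns without `free(id)` while the `is_id_in_scope` failure just above it does free it; free the id on both paths. The legacy branch is fine: a missing "process" class is reported rather than silently defaulting to class 0.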
@@ -2117,27 +2151,37 @@ int define_role_trans(void)
 		ebitmap_for_each_bit(&e_types, tnode, j) {
 			if (!ebitmap_node_get_bit(tnode, j))
 				continue;
-
-			for (tr = policydbp->role_tr; tr; tr = tr->next) {
-				if (tr->role == (i + 1) && tr->type == (j + 1)) {
-					yyerror2("duplicate role transition for (%s,%s)",
-					      role_val_to_name(i + 1),
-					      policydbp->p_type_val_to_name[j]);
-					goto bad;
+			ebitmap_for_each_bit(&e_classes, cnode, k) {
+				if (!ebitmap_node_get_bit(cnode, k))
+					continue;
+				for (tr = policydbp->role_tr; tr;
+				     tr = tr->next) {
+					if (tr->role == (i + 1) &&
+					    tr->type == (j + 1) &&
+					    tr->tclass == (k + 1)) {
+						yyerror2("duplicate role "
+							 "transition for "
+							 "(%s,%s,%s)",
+							 role_val_to_name(i+1),
+							 policydbp->p_type_val_to_name[j],
+							 policydbp->p_class_val_to_name[k]);
+						goto bad;
+					}
 				}
-			}
 
-			tr = malloc(sizeof(struct role_trans));
-			if (!tr) {
-				yyerror("out of memory");
-				return -1;
+				tr = malloc(sizeof(struct role_trans));
+				if (!tr) {
+					yyerror("out of memory");
+					return -1;
+				}
+				memset(tr, 0, sizeof(struct role_trans));
+				tr->role = i + 1;
+				tr->type = j + 1;
+				tr->tclass = k + 1;
+				tr->new_role = role->s.value;
+				tr->next = policydbp->role_tr;
+				policydbp->role_tr = tr;
 			}
-			memset(tr, 0, sizeof(struct role_trans));
-			tr->role = i + 1;
-			tr->type = j + 1;
-			tr->new_role = role->s.value;
-			tr->next = policydbp->role_tr;
-			policydbp->role_tr = tr;
 		}
 	}
 	/* Now add the real rule */
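Review bot: the out-of-memory path inside the new triple loop still does `return -1` while the duplicate path does `goto bad`; since both leave e_roles, e_types and e_classes allocated, route the malloc failure through `goto bad` too. Note also that the loop now creates one role_trans per (role, type, class) triple, so `sysadm_r user_home_t:{ file dir }` yields two entries, matching the two consecutive entries with classes 6 and 7 in the cover letter's xxd dump.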
@@ -2149,6 +2193,7 @@ int define_role_trans(void)
 	memset(rule, 0, sizeof(struct role_trans_rule));
 	rule->roles = roles;
 	rule->types = types;
+	rule->classes = e_classes;
 	rule->new_role = role->s.value;
 
 	append_role_trans(rule);
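Review bot: `rule->classes = e_classes` hands the bitmap to the rule, so e_classes must not be destroyed after this line but must be on every earlier error exit; a one-line comment saying ownership moves to the rule would save the next reader a trip through the function.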
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 5ac6667..2f7a78f 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -45,7 +45,7 @@ int define_ioport_context(unsigned long low, unsigned long high);
 int define_pcidevice_context(unsigned long device);
 int define_range_trans(int class_specified);
 int define_role_allow(void);
-int define_role_trans(void);
+int define_role_trans(int class_specified);
 int define_role_types(void);
 int define_sens(void);
 int define_te_avtab(int which);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 8d1bc37..8c29e2b 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -417,7 +417,9 @@ role_type_def		: ROLE identifier TYPES names ';'
 role_dominance		: DOMINANCE '{' roles '}'
 			;
 role_trans_def		: ROLE_TRANSITION names names identifier ';'
-			{if (define_role_trans()) return -1; }
+			{if (define_role_trans(0)) return -1; }
+			| ROLE_TRANSITION names names ':' names identifier ';'
+			{if (define_role_trans(1)) return -1;}
 			;
 role_allow_def		: ALLOW names names ';'
 			{if (define_role_allow()) return -1; }
-- 
1.7.0.4




* [v2 PATCH 3/3] SELinux: Write class field in role_trans_write.
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
                   ` (3 preceding siblings ...)
  2011-03-25  5:51 ` [v2 PATCH 2/5] Userspace: role_transition parser to handle class field Harry Ciao
@ 2011-03-25  5:52 ` Harry Ciao
  2011-03-25 16:50   ` Stephen Smalley
  2011-03-25  5:52 ` [v2 PATCH 3/5] Userspace: handle the class field in role_trans struct Harry Ciao
                   ` (3 subsequent siblings)
  8 siblings, 1 reply; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:52 UTC
  To: sds, jmorris, eparis; +Cc: selinux

If kernel policy version is >= 26, then write the class field of the
role_trans structure into the binary representation.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 security/selinux/ss/policydb.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index fd62c50..a493eae 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2535,8 +2535,9 @@ static int cat_write(void *vkey, void *datum, void *ptr)
 	return 0;
 }
 
-static int role_trans_write(struct role_trans *r, void *fp)
+static int role_trans_write(struct policydb *p, void *fp)
 {
+	struct role_trans *r = p->role_tr;
 	struct role_trans *tr;
 	u32 buf[3];
 	size_t nel;
@@ -2556,6 +2557,12 @@ static int role_trans_write(struct role_trans *r, void *fp)
 		rc = put_entry(buf, sizeof(u32), 3, fp);
 		if (rc)
 			return rc;
+		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
+			buf[0] = cpu_to_le32(tr->tclass);
+			rc = put_entry(buf, sizeof(u32), 1, fp);
+			if (rc)
+				return rc;
+		}
 	}
 
 	return 0;
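Review bot: since buf already holds three u32s, growing it to `u32 buf[4]`, storing `cpu_to_le32(tr->tclass)` in buf[3] and issuing a single `put_entry(buf, sizeof(u32), 4, fp)` when policyvers >= POLICYDB_VERSION_ROLETRANS avoids a second write per rule and keeps the declaration in the hunk above in step with what is written.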
@@ -3267,7 +3274,7 @@ int policydb_write(struct policydb *p, void *fp)
 	if (rc)
 		return rc;
 
-	rc = role_trans_write(p->role_tr, fp);
+	rc = role_trans_write(p, fp);
 	if (rc)
 		return rc;
 
-- 
1.7.0.4




* [v2 PATCH 3/5] Userspace: handle the class field in role_trans struct
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
                   ` (4 preceding siblings ...)
  2011-03-25  5:52 ` [v2 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
@ 2011-03-25  5:52 ` Harry Ciao
  2011-03-25  5:52 ` [v2 PATCH 4/5] Userspace: handle the class in role_trans_rule Harry Ciao
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:52 UTC
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

Add the class support to various functions that handle role_trans
structure.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/policydb.c |   14 ++++++++++++--
 libsepol/src/write.c    |   22 ++++++++++++++++++++--
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 53a7eef..1f414f9 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2124,12 +2124,15 @@ static int type_read(policydb_t * p
 	return -1;
 }
 
-int role_trans_read(role_trans_t ** t, struct policy_file *fp)
+int role_trans_read(policydb_t *p, struct policy_file *fp)
 {
+	role_trans_t **t = &p->role_tr;
 	unsigned int i;
 	uint32_t buf[3], nel;
 	role_trans_t *tr, *ltr;
 	int rc;
+	int new_roletr = (p->policy_type == POLICY_KERN &&
+			  p->policyvers >= POLICYDB_VERSION_ROLETRANS);
 
 	rc = next_entry(buf, fp, sizeof(uint32_t));
 	if (rc < 0)
@@ -2152,6 +2155,13 @@ int role_trans_read(role_trans_t ** t, struct policy_file *fp)
 		tr->role = le32_to_cpu(buf[0]);
 		tr->type = le32_to_cpu(buf[1]);
 		tr->new_role = le32_to_cpu(buf[2]);
+		if (new_roletr) {
+			rc = next_entry(buf, fp, sizeof(uint32_t));
+			if (rc < 0)
+				return -1;
+			tr->tclass = le32_to_cpu(buf[0]);
+		} else
+			tr->tclass = SECCLASS_PROCESS;
 		ltr = tr;
 	}
 	return 0;
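Review bot: the pre-26 fallback assigns the fixed flask constant SECCLASS_PROCESS, whereas the kernel side in patch 1/3 uses the value of the "process" class as looked up in the loaded policy's class table; for a policy whose class declarations do not follow the built-in flask order the two disagree. Resolve "process" through p->p_classes, as define_role_trans does in patch 2/5, and fail the read if it is absent.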
@@ -3472,7 +3482,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
 		if (r_policyvers >= POLICYDB_VERSION_BOOL)
 			if (cond_read_list(p, &p->cond_list, fp))
 				goto bad;
-		if (role_trans_read(&p->role_tr, fp))
+		if (role_trans_read(p, fp))
 			goto bad;
 		if (role_allow_read(&p->role_allow, fp))
 			goto bad;
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 00c605f..764200d 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -462,11 +462,15 @@ static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 	return POLICYDB_SUCCESS;
 }
 
-static int role_trans_write(role_trans_t * r, struct policy_file *fp)
+static int role_trans_write(policydb_t *p, struct policy_file *fp)
 {
+	role_trans_t *r = p->role_tr;
 	role_trans_t *tr;
 	uint32_t buf[3];
 	size_t nel, items;
+	int new_roletr = (p->policy_type == POLICY_KERN &&
+			  p->policyvers >= POLICYDB_VERSION_ROLETRANS);
+	int warning_issued = 0;
 
 	nel = 0;
 	for (tr = r; tr; tr = tr->next)
@@ -476,12 +480,26 @@ static int role_trans_write(role_trans_t * r, struct policy_file *fp)
 	if (items != 1)
 		return POLICYDB_ERROR;
 	for (tr = r; tr; tr = tr->next) {
+		if (!new_roletr && tr->tclass != SECCLASS_PROCESS) {
+			if (!warning_issued)
+				WARN(fp->handle, "Discarding role_transition "
+				     "rules for security classes other than "
+				     "\"process\"");
+			warning_issued = 1;
+			continue;
+		}
 		buf[0] = cpu_to_le32(tr->role);
 		buf[1] = cpu_to_le32(tr->type);
 		buf[2] = cpu_to_le32(tr->new_role);
 		items = put_entry(buf, sizeof(uint32_t), 3, fp);
 		if (items != 3)
 			return POLICYDB_ERROR;
+		if (new_roletr) {
+			buf[0] = cpu_to_le32(tr->tclass);
+			items = put_entry(buf, sizeof(uint32_t), 1, fp);
+			if (items != 1)
+				return POLICYDB_ERROR;
+		}
 	}
 
 	return POLICYDB_SUCCESS;
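Review bot: the entry count emitted before this loop is wrong for the !new_roletr case. `nel` is computed at the top of the function by counting every element of the list and is written out (the `put_entry` whose result is checked at `if (items != 1)`) before this loop starts skipping rules with `tr->tclass != SECCLASS_PROCESS` via `continue`, so a pre-26 image can declare more role_trans entries than it contains and a reader will either fail or consume the next section as role_trans data. Count only the rules that will actually be written, e.g. `if (new_roletr || tr->tclass == SECCLASS_PROCESS) nel++;`, or filter first and write `nel` afterwards.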
@@ -1815,7 +1833,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
 			if (cond_write_list(p, p->cond_list, fp))
 				return POLICYDB_ERROR;
 		}
-		if (role_trans_write(p->role_tr, fp))
+		if (role_trans_write(p, fp))
 			return POLICYDB_ERROR;
 		if (role_allow_write(p->role_allow, fp))
 			return POLICYDB_ERROR;
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [v2 PATCH 4/5] Userspace: handle the class in role_trans_rule
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
                   ` (5 preceding siblings ...)
  2011-03-25  5:52 ` [v2 PATCH 3/5] Userspace: handle the class field in role_trans struct Harry Ciao
@ 2011-03-25  5:52 ` Harry Ciao
  2011-03-25  5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
  2011-04-12 13:31 ` v2 Add class support to the " Steve Lawrence
  8 siblings, 0 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:52 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

From: Harry Ciao <harrytaurus2002@hotmail.com>

Add class support to various functions to handle role_trans_rule_t
structures.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/expand.c   |   94 +++++++++++++++++++++++++----------------------
 libsepol/src/link.c     |   14 +++++++
 libsepol/src/policydb.c |    5 ++
 libsepol/src/write.c    |    2 +
 4 files changed, 71 insertions(+), 44 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 16d6bcb..8539f88 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1146,11 +1146,11 @@ static int copy_role_allows(expand_state_t * state, role_allow_rule_t * rules)
 
 static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
 {
-	unsigned int i, j;
+	unsigned int i, j, k;
 	role_trans_t *n, *l, *cur_trans;
 	role_trans_rule_t *cur;
 	ebitmap_t roles, types;
-	ebitmap_node_t *rnode, *tnode;
+	ebitmap_node_t *rnode, *tnode, *cnode;
 
 	/* start at the end of the list */
 	for (l = state->out->role_tr; l && l->next; l = l->next) ;
@@ -1175,51 +1175,57 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
 			ebitmap_for_each_bit(&types, tnode, j) {
 				if (!ebitmap_node_get_bit(tnode, j))
 					continue;
+				ebitmap_for_each_bit(&cur->classes, cnode, k) {
+					if (!ebitmap_node_get_bit(cnode, k))
+						continue;
 
-				cur_trans = state->out->role_tr;
-				while (cur_trans) {
-					if ((cur_trans->role == i + 1) &&
-					    (cur_trans->type == j + 1)) {
-						if (cur_trans->new_role ==
-						    cur->new_role) {
-							break;
-						} else {
-							ERR(state->handle,
-							    "Conflicting role trans rule %s %s : %s",
-							    state->out->
-							    p_role_val_to_name
-							    [i],
-							    state->out->
-							    p_type_val_to_name
-							    [j],
-							    state->out->
-							    p_role_val_to_name
-							    [cur->new_role -
-							     1]);
-							return -1;
+					cur_trans = state->out->role_tr;
+					while (cur_trans) {
+						if ((cur_trans->role ==
+								i + 1) &&
+						    (cur_trans->type ==
+								j + 1) &&
+						    (cur_trans->tclass ==
+								k + 1)) {
+							if (cur_trans->
+							    new_role ==
+								cur->new_role) {
+								break;
+							} else {
+								ERR(state->handle,
+									"Conflicting role trans rule %s %s : %s %s",
+									state->out->p_role_val_to_name[i],
+									state->out->p_type_val_to_name[j],
+									state->out->p_class_val_to_name[k],
+									state->out->p_role_val_to_name[cur->new_role - 1]);
+								return -1;
+							}
 						}
+						cur_trans = cur_trans->next;
 					}
-					cur_trans = cur_trans->next;
-				}
-				if (cur_trans)
-					continue;
+					if (cur_trans)
+						continue;
 
-				n = (role_trans_t *)
-				    malloc(sizeof(role_trans_t));
-				if (!n) {
-					ERR(state->handle, "Out of memory!");
-					return -1;
-				}
-				memset(n, 0, sizeof(role_trans_t));
-				n->role = i + 1;
-				n->type = j + 1;
-				n->new_role = state->rolemap[cur->new_role - 1];
-				if (l) {
-					l->next = n;
-				} else {
-					state->out->role_tr = n;
+					n = (role_trans_t *)
+						malloc(sizeof(role_trans_t));
+					if (!n) {
+						ERR(state->handle,
+							"Out of memory!");
+						return -1;
+					}
+					memset(n, 0, sizeof(role_trans_t));
+					n->role = i + 1;
+					n->type = j + 1;
+					n->tclass = k + 1;
+					n->new_role = state->rolemap
+							[cur->new_role - 1];
+					if (l)
+						l->next = n;
+					else
+						state->out->role_tr = n;
+
+					l = n;
 				}
-				l = n;
 			}
 		}
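Review bot: the duplicate check at `if (cur_trans->new_role == cur->new_role)` compares a value that was stored already mapped (`n->new_role = state->rolemap[cur->new_role - 1]` further down) against the unmapped module role, and the ERR message prints `p_role_val_to_name[cur->new_role - 1]` with that same unmapped index; this predates the patch, but since the block is being rewritten, map `cur->new_role` once into a local before the loops and use it in all three places. Style: the third nesting level pushes the ERR arguments and the malloc well past column 80; moving the search for an existing (role, type, tclass) entry into a small lookup helper would keep the new class loop readable.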
 
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index d03e599..e33db0f 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -1246,6 +1246,8 @@ static int copy_role_trans_list(role_trans_rule_t * list,
 				policy_module_t * module, link_state_t * state)
 {
 	role_trans_rule_t *cur, *new_rule = NULL, *tail;
+	unsigned int i;
+	ebitmap_node_t *cnode;
 
 	cur = list;
 	tail = *dst;
@@ -1267,6 +1269,18 @@ static int copy_role_trans_list(role_trans_rule_t * list,
 			goto cleanup;
 		}
 
+		ebitmap_for_each_bit(&cur->classes, cnode, i) {
+			if (ebitmap_node_get_bit(cnode, i)) {
+				assert(module->map[SYM_CLASSES][i]);
+				if (ebitmap_set_bit(&new_rule->classes,
+						    module->
+						    map[SYM_CLASSES][i] - 1,
+						    1)) {
+					goto cleanup;
+				}
+			}
+		}
+
 		new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1];
 
 		if (*dst == NULL) {
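Review bot: `assert(module->map[SYM_CLASSES][i]);` is the only guard against a class the module references but the linker never mapped; with NDEBUG the assert disappears and `module->map[SYM_CLASSES][i] - 1` underflows to a huge bit index handed to ebitmap_set_bit. Since a `cleanup` path already exists in this function, report the unmapped class with ERR() and `goto cleanup` instead of asserting.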
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 1f414f9..bbf3c88 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -434,6 +434,7 @@ void role_trans_rule_init(role_trans_rule_t * x)
 	memset(x, 0, sizeof(*x));
 	role_set_init(&x->roles);
 	type_set_init(&x->types);
+	ebitmap_init(&x->classes);
 }
 
 void role_trans_rule_destroy(role_trans_rule_t * x)
@@ -441,6 +442,7 @@ void role_trans_rule_destroy(role_trans_rule_t * x)
 	if (x != NULL) {
 		role_set_destroy(&x->roles);
 		type_set_destroy(&x->types);
+		ebitmap_destroy(&x->classes);
 	}
 }
 
@@ -2956,6 +2958,9 @@ static int role_trans_rule_read(role_trans_rule_t ** r, struct policy_file *fp)
 		if (type_set_read(&tr->types, fp))
 			return -1;
 
+		if (ebitmap_read(&tr->classes, fp))
+			return -1;
+
 		rc = next_entry(buf, fp, sizeof(uint32_t));
 		if (rc < 0)
 			return -1;
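Review bot: the classes bitmap is read unconditionally, but role_trans_rule_read has no policy version to consult (its signature is still `(role_trans_rule_t ** r, struct policy_file *fp)`), so any module file written before this change, where new_role immediately follows the type set, will be mis-parsed: ebitmap_read consumes the new_role word as a bitmap header. The module format needs a new MOD_POLICYDB_VERSION_* constant, and this read (and the matching write) must be gated on it, which means passing the policydb into this function as role_trans_read now does for kernel policies.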
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 764200d..f9d59b6 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -1464,6 +1464,8 @@ static int role_trans_rule_write(role_trans_rule_t * t, struct policy_file *fp)
 			return POLICYDB_ERROR;
 		if (type_set_write(&tr->types, fp))
 			return POLICYDB_ERROR;
+		if (ebitmap_write(&tr->classes, fp))
+			return POLICYDB_ERROR;
 		buf[0] = cpu_to_le32(tr->new_role);
 		items = put_entry(buf, sizeof(uint32_t), 1, fp);
 		if (items != 1)
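Review bot: same problem as the read side: `ebitmap_write(&tr->classes, fp)` is emitted for every module version, so modules produced by this libsepol carry an extra field with no version marker and cannot be linked by an older libsepol. Gate the write on the new module version and bump MOD_POLICYDB_VERSION_MAX alongside it.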
-- 
1.7.0.4



^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [v2 PATCH 5/5] Userspace: display the class in role_transition rule
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
                   ` (6 preceding siblings ...)
  2011-03-25  5:52 ` [v2 PATCH 4/5] Userspace: handle the class in role_trans_rule Harry Ciao
@ 2011-03-25  5:52 ` Harry Ciao
  2011-03-28 21:28   ` Joshua Brindle
  2011-04-12 17:43   ` Daniel J Walsh
  2011-04-12 13:31 ` v2 Add class support to the " Steve Lawrence
  8 siblings, 2 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25  5:52 UTC (permalink / raw)
  To: sds, jmorris, eparis; +Cc: selinux

Add support to display the class field in the role_transition rule
in the checkpolicy/test/dismod program.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 checkpolicy/test/dismod.c |   27 ++++++++++++++++++++++++++-
 1 files changed, 26 insertions(+), 1 deletions(-)

diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 4d31597..33a29e4 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -451,13 +451,38 @@ void display_initial_sids(policydb_t * p, FILE * fp)
 #endif
 }
 
+void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+{
+	int i, num = 0;
+
+	for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+		if (!ebitmap_get_bit(classes, i))
+			continue;
+		num++;
+		if (num > 1) {
+			fprintf(fp, "{");
+			break;
+		}
+	}
+
+	for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+		if (ebitmap_get_bit(classes, i))
+			display_id(p, fp, SYM_CLASSES, i, "");
+	}
+
+	if (num > 1)
+		fprintf(fp, " }");
+}
+
 void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
 {
 	for (; tr; tr = tr->next) {
 		fprintf(fp, "role transition ");
 		display_mod_role_set(&tr->roles, p, fp);
 		display_type_set(&tr->types, 0, p, fp);
-		display_id(p, fp, SYM_ROLES, tr->new_role - 1, " :");
+		fprintf(fp, " :");
+		display_class_set(&tr->classes, p, fp);
+		display_id(p, fp, SYM_ROLES, tr->new_role - 1, "");
 		fprintf(fp, "\n");
 	}
 }
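Review bot: display_class_set walks the whole bitmap twice with per-bit ebitmap_get_bit() calls, where the rest of this series uses ebitmap_for_each_bit() (expand.c and link.c in PATCH 4/5); a single ebitmap_for_each_bit loop that emits "{" when the second class is seen, or a count from ebitmap_cardinality() if this tree has it, would be shorter and consistent. Also `int i` is compared against ebitmap_length(), which returns unsigned, so -Wsign-compare will warn; and an empty class set prints nothing between " :" and the new role, which is worth flagging as a malformed rule rather than displaying silently.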
-- 
1.7.0.4



^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: [v2 PATCH 3/3] SELinux: Write class field in role_trans_write.
  2011-03-25  5:52 ` [v2 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
@ 2011-03-25 16:50   ` Stephen Smalley
  2011-03-28 18:30     ` Eric Paris
  0 siblings, 1 reply; 17+ messages in thread
From: Stephen Smalley @ 2011-03-25 16:50 UTC (permalink / raw)
  To: Harry Ciao; +Cc: jmorris, eparis, selinux

On Fri, 2011-03-25 at 13:52 +0800, Harry Ciao wrote:
> If kernel policy version is >= 26, then write the class field of the
> role_trans structure into the binary representation.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>

Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>

for the 3 kernel patches.

> ---
>  security/selinux/ss/policydb.c |   11 +++++++++--
>  1 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index fd62c50..a493eae 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2535,8 +2535,9 @@ static int cat_write(void *vkey, void *datum, void *ptr)
>  	return 0;
>  }
>  
> -static int role_trans_write(struct role_trans *r, void *fp)
> +static int role_trans_write(struct policydb *p, void *fp)
>  {
> +	struct role_trans *r = p->role_tr;
>  	struct role_trans *tr;
>  	u32 buf[3];
>  	size_t nel;
> @@ -2556,6 +2557,12 @@ static int role_trans_write(struct role_trans *r, void *fp)
>  		rc = put_entry(buf, sizeof(u32), 3, fp);
>  		if (rc)
>  			return rc;
> +		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> +			buf[0] = cpu_to_le32(tr->tclass);
> +			rc = put_entry(buf, sizeof(u32), 1, fp);
> +			if (rc)
> +				return rc;
> +		}
>  	}
>  
>  	return 0;
> @@ -3267,7 +3274,7 @@ int policydb_write(struct policydb *p, void *fp)
>  	if (rc)
>  		return rc;
>  
> -	rc = role_trans_write(p->role_tr, fp);
> +	rc = role_trans_write(p, fp);
>  	if (rc)
>  		return rc;
>  

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [v2 PATCH 3/3] SELinux: Write class field in role_trans_write.
  2011-03-25 16:50   ` Stephen Smalley
@ 2011-03-28 18:30     ` Eric Paris
  0 siblings, 0 replies; 17+ messages in thread
From: Eric Paris @ 2011-03-28 18:30 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Harry Ciao, jmorris, eparis, selinux

On Fri, 2011-03-25 at 12:50 -0400, Stephen Smalley wrote:
> On Fri, 2011-03-25 at 13:52 +0800, Harry Ciao wrote:
> > If kernel policy version is >= 26, then write the class field of the
> > role_trans structure into the binary representation.
> > 
> > Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> 
> Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
> 
> for the 3 kernel patches.

All 3 applied to:
http://git.infradead.org/users/eparis/selinux.git

> 
> > ---
> >  security/selinux/ss/policydb.c |   11 +++++++++--
> >  1 files changed, 9 insertions(+), 2 deletions(-)
> > 
> > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > index fd62c50..a493eae 100644
> > --- a/security/selinux/ss/policydb.c
> > +++ b/security/selinux/ss/policydb.c
> > @@ -2535,8 +2535,9 @@ static int cat_write(void *vkey, void *datum, void *ptr)
> >  	return 0;
> >  }
> >  
> > -static int role_trans_write(struct role_trans *r, void *fp)
> > +static int role_trans_write(struct policydb *p, void *fp)
> >  {
> > +	struct role_trans *r = p->role_tr;
> >  	struct role_trans *tr;
> >  	u32 buf[3];
> >  	size_t nel;
> > @@ -2556,6 +2557,12 @@ static int role_trans_write(struct role_trans *r, void *fp)
> >  		rc = put_entry(buf, sizeof(u32), 3, fp);
> >  		if (rc)
> >  			return rc;
> > +		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> > +			buf[0] = cpu_to_le32(tr->tclass);
> > +			rc = put_entry(buf, sizeof(u32), 1, fp);
> > +			if (rc)
> > +				return rc;
> > +		}
> >  	}
> >  
> >  	return 0;
> > @@ -3267,7 +3274,7 @@ int policydb_write(struct policydb *p, void *fp)
> >  	if (rc)
> >  		return rc;
> >  
> > -	rc = role_trans_write(p->role_tr, fp);
> > +	rc = role_trans_write(p, fp);
> >  	if (rc)
> >  		return rc;
> >  
> 




^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [v2 PATCH 5/5] Userspace: display the class in role_transition rule
  2011-03-25  5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
@ 2011-03-28 21:28   ` Joshua Brindle
  2011-04-12 17:43   ` Daniel J Walsh
  1 sibling, 0 replies; 17+ messages in thread
From: Joshua Brindle @ 2011-03-28 21:28 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux, Stephen Lawrence

I've reviewed the 5 userspace patches and they look good. I'll wait until 
someone (Steve Lawrence?) actually compiles and tests before acking.

Harry Ciao wrote:
> Add support to display the class field in the role_transition rule
> in the checkpolicy/test/dismod program.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   checkpolicy/test/dismod.c |   27 ++++++++++++++++++++++++++-
>   1 files changed, 26 insertions(+), 1 deletions(-)
>
> diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
> index 4d31597..33a29e4 100644
> --- a/checkpolicy/test/dismod.c
> +++ b/checkpolicy/test/dismod.c
> @@ -451,13 +451,38 @@ void display_initial_sids(policydb_t * p, FILE * fp)
>   #endif
>   }
>
> +void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
> +{
> +	int i, num = 0;
> +
> +	for (i = ebitmap_startbit(classes); i<  ebitmap_length(classes); i++) {
> +		if (!ebitmap_get_bit(classes, i))
> +			continue;
> +		num++;
> +		if (num>  1) {
> +			fprintf(fp, "{");
> +			break;
> +		}
> +	}
> +
> +	for (i = ebitmap_startbit(classes); i<  ebitmap_length(classes); i++) {
> +		if (ebitmap_get_bit(classes, i))
> +			display_id(p, fp, SYM_CLASSES, i, "");
> +	}
> +
> +	if (num>  1)
> +		fprintf(fp, " }");
> +}
> +
>   void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
>   {
>   	for (; tr; tr = tr->next) {
>   		fprintf(fp, "role transition ");
>   		display_mod_role_set(&tr->roles, p, fp);
>   		display_type_set(&tr->types, 0, p, fp);
> -		display_id(p, fp, SYM_ROLES, tr->new_role - 1, " :");
> +		fprintf(fp, " :");
> +		display_class_set(&tr->classes, p, fp);
> +		display_id(p, fp, SYM_ROLES, tr->new_role - 1, "");
>   		fprintf(fp, "\n");
>   	}
>   }


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-03-25  5:51 ` [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
@ 2011-04-06 23:04   ` Eric Paris
  2011-04-07  3:00     ` Harry Ciao
  0 siblings, 1 reply; 17+ messages in thread
From: Eric Paris @ 2011-04-06 23:04 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

On Fri, 2011-03-25 at 13:51 +0800, Harry Ciao wrote:
> If kernel policy version is >= 26, then the binary representation of
> the role_trans structure supports specifying the class for the current
> subject or the newly created object.
> 
> If kernel policy version is < 26, then the class field would be default
> to the process class.
> 
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> ---
>  security/selinux/include/security.h |    3 ++-
>  security/selinux/ss/policydb.c      |   14 ++++++++++++++
>  security/selinux/ss/policydb.h      |    3 ++-
>  3 files changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 348eb00..bfc5218 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -30,13 +30,14 @@
>  #define POLICYDB_VERSION_PERMISSIVE	23
>  #define POLICYDB_VERSION_BOUNDARY	24
>  #define POLICYDB_VERSION_FILENAME_TRANS	25
> +#define POLICYDB_VERSION_ROLETRANS	26
>  
>  /* Range of policy versions we understand*/
>  #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
>  #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
>  #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
>  #else
> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_FILENAME_TRANS
> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
>  #endif
>  
>  /* Mask for just the mount related flags */
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index e7b850a..fd62c50 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
>  		.sym_num	= SYM_NUM,
>  		.ocon_num	= OCON_NUM,
>  	},
> +	{
> +		.version	= POLICYDB_VERSION_ROLETRANS,
> +		.sym_num	= SYM_NUM,
> +		.ocon_num	= OCON_NUM,
> +	},
>  };
>  
>  static struct policydb_compat_info *policydb_lookup_compat(int version)
> @@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
>  		tr->role = le32_to_cpu(buf[0]);
>  		tr->type = le32_to_cpu(buf[1]);
>  		tr->new_role = le32_to_cpu(buf[2]);
> +		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> +			rc = next_entry(buf, fp, sizeof(u32));
> +			if (rc)
> +				goto bad;
> +			tr->tclass = le32_to_cpu(buf[0]);
> +		} else
> +			tr->tclass = p->process_class;


This doesn't work as p->process_class isn't set until about 100 lines
later.  This means that a policy.X < 26 always fails on the next test
since policydb_class_isvalid(p, 0) is going to fail.  I can try to find
a way to handle this tomorrow, but hopefully you will find something
sooner!

Thanks!
-Eric

> +
>  		if (!policydb_role_isvalid(p, tr->role) ||
>  		    !policydb_type_isvalid(p, tr->type) ||
> +		    !policydb_class_isvalid(p, tr->tclass) ||
>  		    !policydb_role_isvalid(p, tr->new_role))
>  			goto bad;
>  		ltr = tr;
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index 732ea4a..801175f 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -72,7 +72,8 @@ struct role_datum {
>  
>  struct role_trans {
>  	u32 role;		/* current role */
> -	u32 type;		/* program executable type */
> +	u32 type;		/* program executable type, or new object type */
> +	u32 tclass;		/* process class, or new object class */
>  	u32 new_role;		/* new role */
>  	struct role_trans *next;
>  };




^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure
  2011-04-06 23:04   ` Eric Paris
@ 2011-04-07  3:00     ` Harry Ciao
  0 siblings, 0 replies; 17+ messages in thread
From: Harry Ciao @ 2011-04-07  3:00 UTC (permalink / raw)
  To: Eric Paris; +Cc: sds, jmorris, eparis, selinux

Eric Paris wrote:
> On Fri, 2011-03-25 at 13:51 +0800, Harry Ciao wrote:
>   
>> If kernel policy version is >= 26, then the binary representation of
>> the role_trans structure supports specifying the class for the current
>> subject or the newly created object.
>>
>> If kernel policy version is < 26, then the class field would be default
>> to the process class.
>>
>> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
>> ---
>>  security/selinux/include/security.h |    3 ++-
>>  security/selinux/ss/policydb.c      |   14 ++++++++++++++
>>  security/selinux/ss/policydb.h      |    3 ++-
>>  3 files changed, 18 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
>> index 348eb00..bfc5218 100644
>> --- a/security/selinux/include/security.h
>> +++ b/security/selinux/include/security.h
>> @@ -30,13 +30,14 @@
>>  #define POLICYDB_VERSION_PERMISSIVE	23
>>  #define POLICYDB_VERSION_BOUNDARY	24
>>  #define POLICYDB_VERSION_FILENAME_TRANS	25
>> +#define POLICYDB_VERSION_ROLETRANS	26
>>  
>>  /* Range of policy versions we understand*/
>>  #define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE
>>  #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
>>  #define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
>>  #else
>> -#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_FILENAME_TRANS
>> +#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_ROLETRANS
>>  #endif
>>  
>>  /* Mask for just the mount related flags */
>> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
>> index e7b850a..fd62c50 100644
>> --- a/security/selinux/ss/policydb.c
>> +++ b/security/selinux/ss/policydb.c
>> @@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
>>  		.sym_num	= SYM_NUM,
>>  		.ocon_num	= OCON_NUM,
>>  	},
>> +	{
>> +		.version	= POLICYDB_VERSION_ROLETRANS,
>> +		.sym_num	= SYM_NUM,
>> +		.ocon_num	= OCON_NUM,
>> +	},
>>  };
>>  
>>  static struct policydb_compat_info *policydb_lookup_compat(int version)
>> @@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
>>  		tr->role = le32_to_cpu(buf[0]);
>>  		tr->type = le32_to_cpu(buf[1]);
>>  		tr->new_role = le32_to_cpu(buf[2]);
>> +		if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
>> +			rc = next_entry(buf, fp, sizeof(u32));
>> +			if (rc)
>> +				goto bad;
>> +			tr->tclass = le32_to_cpu(buf[0]);
>> +		} else
>> +			tr->tclass = p->process_class;
>>     
>
>
> This doesn't work as p->process_class isn't set until about 100 lines
> later.  This means that a policy.X < 26 always fails on the next test
> since policydb_class_isvalid(p, 0) is going to fail.  I can try to find
> a way to handle this tomorrow, but hopefully you will find something
> sooner!
>
> Thanks!
> -Eric
>
>   

Argh, you are right! I should have tried to boot up an older version
policy image with the updated kernel. After a quick glance I think we
could fix this problem by bumping the setting of p->process_class before
reading role_transition rules, since all symtabs would have been read
from the policy image.

I will get back to you after I finish the test later. Thanks!

Cheers,
Harry

>> +
>>  		if (!policydb_role_isvalid(p, tr->role) ||
>>  		    !policydb_type_isvalid(p, tr->type) ||
>> +		    !policydb_class_isvalid(p, tr->tclass) ||
>>  		    !policydb_role_isvalid(p, tr->new_role))
>>  			goto bad;
>>  		ltr = tr;
>> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
>> index 732ea4a..801175f 100644
>> --- a/security/selinux/ss/policydb.h
>> +++ b/security/selinux/ss/policydb.h
>> @@ -72,7 +72,8 @@ struct role_datum {
>>  
>>  struct role_trans {
>>  	u32 role;		/* current role */
>> -	u32 type;		/* program executable type */
>> +	u32 type;		/* program executable type, or new object type */
>> +	u32 tclass;		/* process class, or new object class */
>>  	u32 new_role;		/* new role */
>>  	struct role_trans *next;
>>  };
>>     
>
>
>
>   



^ permalink raw reply	[flat|nested] 17+ messages in thread
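To make the ordering problem discussed in this exchange concrete, here is an added, stand-alone model of the role_trans read path (example code written for this page, not the kernel's or libsepol's): it parses the on-disk layout shown in the cover letter (nel, then role, type, new_role per rule, plus tclass from policy version 26 onward), range-checks every field against the symbol counts, and shows that a pre-26 image is rejected when process_class has not been resolved before this section is read. The struct fields, symbol counts, and sample image bytes are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

#define POLICYDB_VERSION_ROLETRANS 26

/* Constructed stand-ins for the kernel structures, reduced to the fields this
 * example needs. Values are 1-based like the kernel's, so 0 is never valid. */
struct role_trans {
	uint32_t role;      /* current role */
	uint32_t type;      /* program executable type, or new object type */
	uint32_t tclass;    /* process class, or new object class */
	uint32_t new_role;  /* new role */
};

struct policydb {
	uint32_t policyvers;
	uint32_t nroles, ntypes, nclasses;  /* symbol table sizes */
	uint32_t process_class;             /* 0 until resolved from the class symtab */
};

/* Pull one little-endian u32 from the image; returns 0 on a short read. */
static int next_u32(const uint8_t **cur, const uint8_t *end, uint32_t *out)
{
	if (end - *cur < 4)
		return 0;
	*out = (uint32_t)(*cur)[0] | ((uint32_t)(*cur)[1] << 8) |
	       ((uint32_t)(*cur)[2] << 16) | ((uint32_t)(*cur)[3] << 24);
	*cur += 4;
	return 1;
}

/* Parse the role_trans section. Returns the number of rules, or -1 if the
 * image is truncated, holds more rules than `max`, or a field is out of range. */
int role_trans_read(struct policydb *p, const uint8_t *img, size_t len,
		    struct role_trans *out, size_t max)
{
	const uint8_t *cur = img, *end = img + len;
	int new_roletr = p->policyvers >= POLICYDB_VERSION_ROLETRANS;
	uint32_t nel, i;

	if (!next_u32(&cur, end, &nel) || nel > max)
		return -1;
	for (i = 0; i < nel; i++) {
		struct role_trans *tr = &out[i];

		if (!next_u32(&cur, end, &tr->role) ||
		    !next_u32(&cur, end, &tr->type) ||
		    !next_u32(&cur, end, &tr->new_role))
			return -1;
		if (new_roletr) {
			/* version 26+: tclass is the word after new_role */
			if (!next_u32(&cur, end, &tr->tclass))
				return -1;
		} else {
			/* pre-26: default to the process class. If it has not been
			 * looked up yet it is still 0 and the range check below
			 * rejects every rule, which is the failure Eric describes. */
			tr->tclass = p->process_class;
		}
		if (tr->role == 0 || tr->role > p->nroles ||
		    tr->type == 0 || tr->type > p->ntypes ||
		    tr->tclass == 0 || tr->tclass > p->nclasses ||
		    tr->new_role == 0 || tr->new_role > p->nroles)
			return -1;
	}
	return (int)nel;
}

/* Constructed version-26 image: nel = 2, then (role, type, new_role, tclass)
 * per rule in little-endian words, the order visible in the cover letter's dump. */
static const uint8_t sample_v26[] = {
	0x02, 0x00, 0x00, 0x00,
	0x03, 0x00, 0x00, 0x00, 0xa0, 0x06, 0x00, 0x00,
	0x0b, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
	0x0a, 0x00, 0x00, 0x00, 0x8e, 0x05, 0x00, 0x00,
	0x0a, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
};

/* Constructed pre-26 image: nel = 1, (role, type, new_role) only. */
static const uint8_t sample_v25[] = {
	0x01, 0x00, 0x00, 0x00,
	0x03, 0x00, 0x00, 0x00, 0xa0, 0x06, 0x00, 0x00,
	0x0b, 0x00, 0x00, 0x00,
};

/* Parse the sample image for `vers` with process_class preset (or left at 0)
 * and return rule `idx`'s tclass, or -1 if parsing failed. The symbol counts
 * (20 roles, 2000 types, 10 classes) are constructed to cover the samples. */
long sample_tclass(uint32_t vers, uint32_t process_class, size_t idx)
{
	struct policydb p = { vers, 20, 2000, 10, process_class };
	struct role_trans rules[4];
	int new_roletr = vers >= POLICYDB_VERSION_ROLETRANS;
	int n = role_trans_read(&p, new_roletr ? sample_v26 : sample_v25,
				new_roletr ? sizeof sample_v26 : sizeof sample_v25,
				rules, 4);

	if (n < 0 || idx >= (size_t)n)
		return -1;
	return rules[idx].tclass;
}
```

With process_class resolved before the section (the order Harry proposes), the pre-26 sample parses with tclass 2; with it still 0 the same bytes are rejected.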

* Re: v2 Add class support to the role_transition rule
  2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
                   ` (7 preceding siblings ...)
  2011-03-25  5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
@ 2011-04-12 13:31 ` Steve Lawrence
  8 siblings, 0 replies; 17+ messages in thread
From: Steve Lawrence @ 2011-04-12 13:31 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

On 03/25/2011 01:51 AM, Harry Ciao wrote:
> Comments:
> ---------
> The outstanding changes in v2 from v1 include:
> 
> 1. The newly added class support in the role_trans structure in both kernel
> and libsepol has been renamed to "tclass";
> 
> 2. The role_transition rule will be handled in a unified way for both
> process class and non-process classes - roletr->type would always be
> used to compare with tcontext->type, which is the type for the parent
> directory accommodating the newly created object, or the program
> executable type.
> 
> 
> Tests I've done:
> -------------------
> 
> 0. Add below snippet into sysadm.te for testing:
> 
>    role_transition sysadm_r user_home_t:{ file dir } sysadm_r;
>    role sysadm_r types user_home_t;
>    
>    gen_require(`
>            type vlock_exec_t, vlock_t;
>    ')
>    role_transition sysadm_r vlock_exec_t system_r;
>    
> 1. Verify that the dismod program could display the class field of the
>    role_transition rule correctly:
>    
>    /work/selinux/selinux/checkpolicy$ test/dismod /work/selinux/refpolicy/sysadm.pp 
>    Reading policy...
>    ......
>    Command ('m' for menu):  7
>    role transitions:
>    --- begin avrule block ---
>    decl 1:
>    role transition  sysadm_r [vlock_exec_t] : [process] system_r
>    role transition  sysadm_r [user_home_t] :{ [file] [dir] } sysadm_r
>    --- begin avrule block ---
>    decl 2:
>    ......
>    --- begin avrule block ---
>    decl 342:
>    
>    Command ('m' for menu):  q
>    /work/selinux/selinux/checkpolicy$ 
>    
> 2. Further verify that the binary representation of the role_transition rule
>    is correct, with the classes field *after* that of new_role in image:
> 
>    /work/selinux/refpolicy$ ls -l /etc/selinux/refpolicy-mls/policy/
>    total 5728
>    -rw-r--r--. 1 root root 5849662 2011-03-25 13:12 policy.26
>    /work/selinux/refpolicy$ xxd /etc/selinux/refpolicy-mls/policy/policy.26 > policy_26_xxd
>    /work/selinux/refpolicy$ vim policy_26_xxd
>    ......
>    055c510:                                    0800  l.....S.........
>    055c520: 0000 0300 0000 a006 0000 0b00 0000 0200  ................
>    055c530: 0000 0300 0000 a103 0000 0b00 0000 0200  ................
>    055c540: 0000 0800 0000 b707 0000 0b00 0000 0200  ................
>    055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200  ................
>    055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200  ................
>    055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600  ................
>    055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700  ................
>    055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200  ................
>    055c5a0: 0000 
>    ......
>    /work/selinux/refpolicy$ 
> 
> 3. Run-time test one - verify that the role_transition rule works for
>    non-process classes:
> 
>    [root/sysadm_r/s0@~]# sestatus 
>    SELinux status:                 enabled
>    SELinuxfs mount:                /selinux
>    Current mode:                   enforcing
>    Mode from config file:          enforcing
>    Policy version:                 26
>    Policy from config file:        refpolicy-mls
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# id -Z
>    root:sysadm_r:sysadm_t:s0-s15:c0.c1023
>    [root/sysadm_r/s0@~]# ls -Zd
>    dr-xr-x---  root root root:object_r:user_home_dir_t:s0-s15:c0.c1023 .
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# mkdir parent
>    [root/sysadm_r/s0@~]# ls -Z
>    drwxr-xr-x  root root root:object_r:user_home_t:s0     parent
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 dir
>    root:sysadm_r:user_home_t:s0
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 file
>    root:sysadm_r:user_home_t:s0
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 lnk_file
>    root:object_r:user_home_t:s0
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# cd parent
>    [root/sysadm_r/s0@parent]# mkdir dir
>    [root/sysadm_r/s0@parent]# touch file
>    [root/sysadm_r/s0@parent]# ln -s file file_lk
>    [root/sysadm_r/s0@parent]# mkfifo pipe
>    [root/sysadm_r/s0@parent]# 
>    [root/sysadm_r/s0@parent]# ls -Z
>    drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
>    -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
>    lrwxrwxrwx  root root root:object_r:user_home_t:s0     file_lk -> file
>    prw-r--r--  root root root:object_r:user_home_t:s0     pipe
>    [root/sysadm_r/s0@parent]# 
> 
> 4. Run-time test two - verify that the role_transition rule works for the
>    process class:
> 
>    [root/sysadm_r/s0@~]# ls -Z /usr/sbin/vlock-main 
>    -rws--x--x  root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# seclow "setenforce 0"
>    Password: 
>    [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
>    root:system_r:vlock_t:s0-s15:c0.c1023
>    [root/sysadm_r/s0@~]# 
>      
>    [root/staff_r/s0@~]# vlock &
>    [1] 743
>    [root/staff_r/s0@~]# ps Z -C vlock-main
>    LABEL                             PID TTY      STAT   TIME COMMAND
>    root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T      0:00 /usr/sbin/vlock-main
>    [1]+  Stopped                 vlock
>    [root/staff_r/s0@~]# 
>    
>    [root/sysadm_r/s0@~]# vlock &
>    [1] 759
>    [root/sysadm_r/s0@~]# ps Z -C vlock-main
>    LABEL                             PID TTY      STAT   TIME COMMAND
>    root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T      0:00 /usr/sbin/vlock-main
>    root:system_r:vlock_t:s0-s15:c0.c1023 759 ttyS0 T     0:00 /usr/sbin/vlock-main
>    [1]+  Stopped                 vlock
>    [root/sysadm_r/s0@~]# 
>    
>    (Note, "setenforce 0" is to shortcut the necessary user-role & role-type
>     settings in sysadm.pp for system_r)
>    
> 5. (TODO) restorecon doesn't take into account the role_transition rule
>    for non-process class so far:
> 
>    [root/sysadm_r/s0@~]# cd parent/
>    [root/sysadm_r/s0@parent]# 
>    [root/sysadm_r/s0@parent]# ls -Z
>    drwxr-xr-x  root root root:sysadm_r:user_home_t:s0     dir
>    -rw-r--r--  root root root:sysadm_r:user_home_t:s0     file
>    lrwxrwxrwx  root root root:object_r:user_home_t:s0     file_lk -> file
>    prw-r--r--  root root root:object_r:user_home_t:s0     pipe
>    [root/sysadm_r/s0@parent]# 
>    [root/sysadm_r/s0@parent]# restorecon . -R
>    [root/sysadm_r/s0@parent]# 
>    [root/sysadm_r/s0@parent]# ls -Z
>    drwxr-xr-x  root root root:object_r:user_home_t:s0     dir
>    -rw-r--r--  root root root:object_r:user_home_t:s0     file
>    lrwxrwxrwx  root root root:object_r:user_home_t:s0     file_lk -> file
>    prw-r--r--  root root root:object_r:user_home_t:s0     pipe
>    [root/sysadm_r/s0@parent]# 
> 
> 6. Verify that SELinux kernel policydb_write > role_trans_write works well:
> 
>    [root/sysadm_r/s0@~]# setenforce 1
>    [root/sysadm_r/s0@~]# sestatus 
>    SELinux status:                 enabled
>    SELinuxfs mount:                /selinux
>    Current mode:                   enforcing
>    Mode from config file:          enforcing
>    Policy version:                 26
>    Policy from config file:        refpolicy-mls
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# ls -l policy_read 
>    -rw-r--r-- 1 root root 5849662 Mar 25 05:26 policy_read
>    [root/sysadm_r/s0@~]# ls -l /etc/selinux/refpolicy-mls/policy/
>    total 5732
>    -rw-r--r-- 1 root root 5849662 Mar 25 05:15 policy.26
>    [root/sysadm_r/s0@~]# 
>    [root/sysadm_r/s0@~]# xxd policy_read > policy_read_xxd
>    [root/sysadm_r/s0@~]# vim policy_read_xxd 
>    ......
>    055c510:                                    0800  l.....S.........
>    055c520: 0000 0300 0000 a006 0000 0b00 0000 0200  ................
>    055c530: 0000 0300 0000 a103 0000 0b00 0000 0200  ................
>    055c540: 0000 0800 0000 b707 0000 0b00 0000 0200  ................
>    055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200  ................
>    055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200  ................
>    055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600  ................
>    055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700  ................
>    055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200  ................
>    055c5a0: 0000 
>    ......
>    [root/sysadm_r/s0@~]# 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

All 5 userspace patches applied in libsepol-2.0.43 and checkpolicy-2.0.24

Thanks!


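A toy model of the unified role_transition lookup the cover letter describes, added here as an example; it is not code from the patch series or from the kernel. It drops the user and MLS fields, assigns small constructed ids to the roles, types and classes, and assumes the refpolicy type_transition from sysadm_t on vlock_exec_t to vlock_t that the log implies but does not show. Running it reproduces the three compute_create results quoted in the test log: file and dir get sysadm_r, lnk_file stays object_r, and the vlock process gets system_r:vlock_t.

```c
/*
 * Added example, not code from the patch series or the kernel: a toy model
 * of the class-aware role_transition lookup described in the cover letter.
 * Ids, tables and the vlock type_transition are constructed for illustration.
 */
#include <stdio.h>

/* Constructed class ids; only "process" is special-cased. */
enum { CLS_PROCESS = 1, CLS_FILE, CLS_DIR, CLS_LNK_FILE };
/* Constructed role and type ids. */
enum { ROLE_OBJECT_R = 1, ROLE_SYSADM_R, ROLE_SYSTEM_R };
enum { TYPE_SYSADM_T = 1, TYPE_USER_HOME_T, TYPE_VLOCK_EXEC_T, TYPE_VLOCK_T };

struct context { unsigned role, type; };

/* role_transition <role> <type>:<class> <new_role>, one class per record,
 * mirroring the kernel's role_trans after the "tclass" field was added. */
struct role_trans { unsigned role, type, tclass, new_role; };
/* type_transition <stype> <ttype>:<class> <newtype> */
struct type_trans { unsigned stype, ttype, tclass, newtype; };

/* The sysadm.te snippet from the cover letter, expanded to one record per class:
 *   role_transition sysadm_r user_home_t:{ file dir } sysadm_r;
 *   role_transition sysadm_r vlock_exec_t system_r;   (class defaults to process) */
static const struct role_trans role_tr[] = {
    { ROLE_SYSADM_R, TYPE_USER_HOME_T,  CLS_FILE,    ROLE_SYSADM_R },
    { ROLE_SYSADM_R, TYPE_USER_HOME_T,  CLS_DIR,     ROLE_SYSADM_R },
    { ROLE_SYSADM_R, TYPE_VLOCK_EXEC_T, CLS_PROCESS, ROLE_SYSTEM_R },
};
/* Assumed domain transition for vlock; refpolicy has one but it is not on the page. */
static const struct type_trans type_tr[] = {
    { TYPE_SYSADM_T, TYPE_VLOCK_EXEC_T, CLS_PROCESS, TYPE_VLOCK_T },
};
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Model of the creation path of security_compute_sid(): the default role is
 * the subject's role for process and object_r for every other class, the
 * default type is the subject's type for process and the parent's type
 * otherwise, then type_transition, then the role_transition walk. The walk
 * is the same for every class: roletr->type is compared with the target
 * type (parent directory, or the executable for process) and the record's
 * class must equal the requested class.
 */
struct context compute_create(struct context sctx, struct context tctx, unsigned tclass)
{
    struct context newctx;
    size_t i;

    if (tclass == CLS_PROCESS) {
        newctx.role = sctx.role;
        newctx.type = sctx.type;
    } else {
        newctx.role = ROLE_OBJECT_R;
        newctx.type = tctx.type;
    }
    for (i = 0; i < NELEM(type_tr); i++)
        if (type_tr[i].stype == sctx.type && type_tr[i].ttype == tctx.type &&
            type_tr[i].tclass == tclass) {
            newctx.type = type_tr[i].newtype;
            break;
        }
    for (i = 0; i < NELEM(role_tr); i++)
        if (role_tr[i].role == sctx.role && role_tr[i].type == tctx.type &&
            role_tr[i].tclass == tclass) {
            newctx.role = role_tr[i].new_role;
            break;
        }
    return newctx;
}

/* Scalar wrappers so each field of the result can be checked on its own. */
unsigned created_role(unsigned srole, unsigned stype, unsigned ttype, unsigned tclass)
{
    struct context s = { srole, stype }, t = { ROLE_OBJECT_R, ttype };
    return compute_create(s, t, tclass).role;
}
unsigned created_type(unsigned srole, unsigned stype, unsigned ttype, unsigned tclass)
{
    struct context s = { srole, stype }, t = { ROLE_OBJECT_R, ttype };
    return compute_create(s, t, tclass).type;
}

static const char *role_name(unsigned r)
{
    static const char *names[] = { "?", "object_r", "sysadm_r", "system_r" };
    return r < NELEM(names) ? names[r] : "?";
}

int main(void)
{
    /* The three compute_create runs from the test log. */
    printf("file     -> %s\n", role_name(created_role(ROLE_SYSADM_R, TYPE_SYSADM_T, TYPE_USER_HOME_T, CLS_FILE)));
    printf("lnk_file -> %s\n", role_name(created_role(ROLE_SYSADM_R, TYPE_SYSADM_T, TYPE_USER_HOME_T, CLS_LNK_FILE)));
    printf("process  -> %s\n", role_name(created_role(ROLE_SYSADM_R, TYPE_SYSADM_T, TYPE_VLOCK_EXEC_T, CLS_PROCESS)));
    return 0;
}
```

Note that the lookup compares the rule's type with the target's type, not with the type that type_transition just assigned; that is what lets the vlock_exec_t rule fire even though the new process type is vlock_t.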

* Re: [v2 PATCH 5/5] Userspace: display the class in role_transition rule
  2011-03-25  5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
  2011-03-28 21:28   ` Joshua Brindle
@ 2011-04-12 17:43   ` Daniel J Walsh
  2011-04-12 18:03     ` Eric Paris
  1 sibling, 1 reply; 17+ messages in thread
From: Daniel J Walsh @ 2011-04-12 17:43 UTC (permalink / raw)
  To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux

This patch is blowing up in Fedora.



semodule -s mls -b /usr/share/selinux/mls/base.pp.bz2
security: ebitmap: map size 2 does not match my size 64 (high bit was 1)
libsepol.sepol_module_package_read: invalid module in module package (at
section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/mls/modules/tmp/modules/dbadm.pp. (No such file or directory).
semodule:  Failed!


semodule -i mykernel.pp
security: ebitmap: map size 2 does not match my size 64 (high bit was 1)
libsepol.sepol_module_package_read: invalid module in module package (at
section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/targeted/modules/tmp/modules/dbadm.pp. (No such file or
directory).
semodule:  Failed!




* Re: [v2 PATCH 5/5] Userspace: display the class in role_transition rule
  2011-04-12 17:43   ` Daniel J Walsh
@ 2011-04-12 18:03     ` Eric Paris
  0 siblings, 0 replies; 17+ messages in thread
From: Eric Paris @ 2011-04-12 18:03 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Harry Ciao, sds, jmorris, selinux

I'm betting on:

src/write.c::role_trans_rule_write() which does:
+               if (ebitmap_write(&tr->classes, fp))
+                       return POLICYDB_ERROR;
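Review bot: the ebitmap_write() of tr->classes in these two lines is unconditional, so a classes bitmap is appended to every role_trans_rule record regardless of the module version being written, while any reader that does not expect the field for that version will consume the bitmap header as the start of the next record and later trip an ebitmap sanity check of exactly the "map size 2 does not match my size 64" form Dan reports. Gate the write on the module policy version that introduces the classes field, the same test the matching read path has to use, for example `if (p->policyvers >= <module version that added role_trans classes>) { if (ebitmap_write(&tr->classes, fp)) return POLICYDB_ERROR; }` (the macro name is whatever this series defines), and bump the module version so modules built before the change stay loadable.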

But I'd think that would need to be conditionalized on a policy
version that supports role trans....

-Eric



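A toy policy stream, added here as an example and not libsepol code, that shows the failure mode Eric is betting on: a writer that emits the role_trans_rule classes bitmap unconditionally, paired with a reader that only expects it from the version that introduced it, desynchronises the stream and eventually fails the ebitmap mapsize check with a message of the same shape as Dan's. The record layout, the version number (VERS_ROLETRANS_CLASS), the two sample rules and the trailing bitmap are all constructed, so the numbers in the message differ from the Fedora report; only the ebitmap header shape (mapsize, highbit, count, then startbit/map pairs) follows the real format. roundtrip(vers, gate) writes and reads back at one version, with gate == 0 reproducing the unconditional write and gate == 1 the version-gated fix.

```c
/* Added example, not libsepol code: why an unconditional ebitmap_write() of
 * a role_trans_rule's classes breaks readers of older module versions, and
 * the version gate that fixes it. Layout, version number and rules are
 * constructed; only the ebitmap header shape follows the real format. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAPSIZE 64u            /* bits per ebitmap node, as in libsepol */
#define VERS_ROLETRANS_CLASS 2 /* constructed: first version that carries classes */

struct buf { uint8_t data[256]; size_t len, pos; };
static char last_err[128];
const char *last_error(void) { return last_err; }

static void put32(struct buf *b, uint32_t v)
{ for (int i = 0; i < 4; i++) b->data[b->len++] = (uint8_t)(v >> (8 * i)); }
static void put64(struct buf *b, uint64_t v)
{ put32(b, (uint32_t)v); put32(b, (uint32_t)(v >> 32)); }
static int get32(struct buf *b, uint32_t *v)
{
    if (b->pos + 4 > b->len) return -1;
    *v = 0;
    for (int i = 0; i < 4; i++) *v |= (uint32_t)b->data[b->pos++] << (8 * i);
    return 0;
}
static int get64(struct buf *b, uint64_t *v)
{
    uint32_t lo, hi;
    if (get32(b, &lo) || get32(b, &hi)) return -1;
    *v = (uint64_t)hi << 32 | lo;
    return 0;
}

/* One-node ebitmap covering bits 0..63: mapsize, highbit, count, [startbit, map]. */
static void ebitmap_write(struct buf *b, uint64_t map)
{
    uint32_t highbit = 0;
    for (int i = 63; i >= 0; i--)
        if ((map >> i) & 1) { highbit = (uint32_t)i + 1; break; }
    put32(b, MAPSIZE); put32(b, highbit); put32(b, map ? 1 : 0);
    if (map) { put32(b, 0); put64(b, map); }
}
static int ebitmap_read(struct buf *b, uint64_t *map)
{
    uint32_t mapsize, highbit, count, startbit;
    uint64_t m;
    if (get32(b, &mapsize) || get32(b, &highbit) || get32(b, &count)) return -1;
    if (mapsize != MAPSIZE) {   /* the sanity check behind the error line Dan quotes */
        snprintf(last_err, sizeof last_err,
                 "security: ebitmap: map size %u does not match my size %u (high bit was %u)",
                 mapsize, MAPSIZE, highbit);
        return -1;
    }
    *map = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (get32(b, &startbit) || get64(b, &m)) return -1;
        if (startbit == 0) *map |= m;
    }
    return 0;
}

struct role_trans_rule { uint32_t role, type, new_role; uint64_t classes; };

/* gate == 0 mirrors the unconditional write in the quoted hunk; gate == 1 is the fix. */
static void role_trans_rule_write(struct buf *b, unsigned vers, int gate,
                                  const struct role_trans_rule *r)
{
    put32(b, r->role); put32(b, r->type); put32(b, r->new_role);
    if (!gate || vers >= VERS_ROLETRANS_CLASS)
        ebitmap_write(b, r->classes);
}
/* The reader expects the classes bitmap only from the version that added it. */
static int role_trans_rule_read(struct buf *b, unsigned vers, struct role_trans_rule *r)
{
    if (get32(b, &r->role) || get32(b, &r->type) || get32(b, &r->new_role)) return -1;
    r->classes = 0;
    return vers >= VERS_ROLETRANS_CLASS ? ebitmap_read(b, &r->classes) : 0;
}

/* Write two rules plus a trailing section bitmap at `vers`, read them back with
 * a reader of the same version. 0 on a clean round trip, else -1 (see last_error()). */
int roundtrip(unsigned vers, int gate)
{
    const struct role_trans_rule rules[2] = { { 2, 5, 2, 0x18 }, { 2, 7, 4, 0x02 } };
    const uint64_t trailer = 0x05;
    struct buf b = { { 0 }, 0, 0 };
    struct role_trans_rule got[2];
    uint32_t n;
    uint64_t t;

    last_err[0] = '\0';
    put32(&b, 2);
    for (int i = 0; i < 2; i++) role_trans_rule_write(&b, vers, gate, &rules[i]);
    ebitmap_write(&b, trailer);

    if (get32(&b, &n) || n != 2) return -1;
    for (uint32_t i = 0; i < n; i++)
        if (role_trans_rule_read(&b, vers, &got[i])) return -1;
    if (ebitmap_read(&b, &t) || t != trailer || b.pos != b.len) return -1;
    for (int i = 0; i < 2; i++) {
        if (got[i].role != rules[i].role || got[i].type != rules[i].type ||
            got[i].new_role != rules[i].new_role) return -1;
        if (vers >= VERS_ROLETRANS_CLASS && got[i].classes != rules[i].classes) return -1;
    }
    return 0;
}
```

With the old version and the unconditional write, the reader consumes the first rule's bitmap header (64, highbit, count) as the second rule's role, type and new_role, and the trailing ebitmap_read then lands on the startbit/map pair, so last_error() reports "map size 0 does not match my size 64 (high bit was 24)". Gating the write on the version, or reading and writing at the new version on both sides, round-trips cleanly.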

end of thread, other threads:[~2011-04-12 18:03 UTC | newest]

Thread overview: 17+ messages
2011-03-25  5:51 v2 Add class support to the role_transition rule Harry Ciao
2011-03-25  5:51 ` [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
2011-04-06 23:04   ` Eric Paris
2011-04-07  3:00     ` Harry Ciao
2011-03-25  5:51 ` [v2 PATCH 1/5] Userspace: add class to role_trans & role_trans_rule Harry Ciao
2011-03-25  5:51 ` [v2 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
2011-03-25  5:51 ` [v2 PATCH 2/5] Userspace: role_transition parser to handle class field Harry Ciao
2011-03-25  5:52 ` [v2 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
2011-03-25 16:50   ` Stephen Smalley
2011-03-28 18:30     ` Eric Paris
2011-03-25  5:52 ` [v2 PATCH 3/5] Userspace: handle the class field in role_trans struct Harry Ciao
2011-03-25  5:52 ` [v2 PATCH 4/5] Userspace: handle the class in role_trans_rule Harry Ciao
2011-03-25  5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
2011-03-28 21:28   ` Joshua Brindle
2011-04-12 17:43   ` Daniel J Walsh
2011-04-12 18:03     ` Eric Paris
2011-04-12 13:31 ` v2 Add class support to the " Steve Lawrence
