* v2 Add class support to the role_transition rule
From: Harry Ciao @ 2011-03-25 5:51 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
Comments:
---------
The outstanding changes in v2 from v1 include:
1. The newly added class support in role_trans structure in both kernel
and libsepol have been renamed to "tclass";
2. The role_transition rule will be handled in a unified way for both
process class and non-process classes - roletr->type would always be
used to compare with tcontext->type, which is the type for the parent
directory accommodating the newly created object, or the program
executable type.
Tests I've done:
----------------
0. Add the snippet below to sysadm.te for testing:
role_transition sysadm_r user_home_t:{ file dir } sysadm_r;
role sysadm_r types user_home_t;
gen_require(`
type vlock_exec_t, vlock_t;
')
role_transition sysadm_r vlock_exec_t system_r;
1. Verify that the dismod program displays the class field of the
role_transition rule correctly:
/work/selinux/selinux/checkpolicy$ test/dismod /work/selinux/refpolicy/sysadm.pp
Reading policy...
......
Command ('m' for menu): 7
role transitions:
--- begin avrule block ---
decl 1:
role transition sysadm_r [vlock_exec_t] : [process] system_r
role transition sysadm_r [user_home_t] :{ [file] [dir] } sysadm_r
--- begin avrule block ---
decl 2:
......
--- begin avrule block ---
decl 342:
Command ('m' for menu): q
/work/selinux/selinux/checkpolicy$
2. Further verify that the binary representation of the role_transition rules
is correct, with the classes field *after* that of new_role in the image:
/work/selinux/refpolicy$ ls -l /etc/selinux/refpolicy-mls/policy/
total 5728
-rw-r--r--. 1 root root 5849662 2011-03-25 13:12 policy.26
/work/selinux/refpolicy$ xxd /etc/selinux/refpolicy-mls/policy/policy.26 > policy_26_xxd
/work/selinux/refpolicy$ vim policy_26_xxd
......
055c510: 0800 l.....S.........
055c520: 0000 0300 0000 a006 0000 0b00 0000 0200 ................
055c530: 0000 0300 0000 a103 0000 0b00 0000 0200 ................
055c540: 0000 0800 0000 b707 0000 0b00 0000 0200 ................
055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200 ................
055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200 ................
055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600 ................
055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700 ................
055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200 ................
055c5a0: 0000
......
/work/selinux/refpolicy$
3. Run-time test one - verify that the role_transition rule works for
non-process classes:
[root/sysadm_r/s0@~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 26
Policy from config file: refpolicy-mls
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
[root/sysadm_r/s0@~]# ls -Zd
dr-xr-x--- root root root:object_r:user_home_dir_t:s0-s15:c0.c1023 .
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# mkdir parent
[root/sysadm_r/s0@~]# ls -Z
drwxr-xr-x root root root:object_r:user_home_t:s0 parent
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 dir
root:sysadm_r:user_home_t:s0
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 file
root:sysadm_r:user_home_t:s0
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 lnk_file
root:object_r:user_home_t:s0
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# cd parent
[root/sysadm_r/s0@parent]# mkdir dir
[root/sysadm_r/s0@parent]# touch file
[root/sysadm_r/s0@parent]# ln -s file file_lk
[root/sysadm_r/s0@parent]# mkfifo pipe
[root/sysadm_r/s0@parent]#
[root/sysadm_r/s0@parent]# ls -Z
drwxr-xr-x root root root:sysadm_r:user_home_t:s0 dir
-rw-r--r-- root root root:sysadm_r:user_home_t:s0 file
lrwxrwxrwx root root root:object_r:user_home_t:s0 file_lk -> file
prw-r--r-- root root root:object_r:user_home_t:s0 pipe
[root/sysadm_r/s0@parent]#
4. Run-time test two - verify that the role_transition rule works for the
process class:
[root/sysadm_r/s0@~]# ls -Z /usr/sbin/vlock-main
-rws--x--x root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# seclow "setenforce 0"
Password:
[root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
root:system_r:vlock_t:s0-s15:c0.c1023
[root/sysadm_r/s0@~]#
[root/staff_r/s0@~]# vlock &
[1] 743
[root/staff_r/s0@~]# ps Z -C vlock-main
LABEL PID TTY STAT TIME COMMAND
root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T 0:00 /usr/sbin/vlock-main
[1]+ Stopped vlock
[root/staff_r/s0@~]#
[root/sysadm_r/s0@~]# vlock &
[1] 759
[root/sysadm_r/s0@~]# ps Z -C vlock-main
LABEL PID TTY STAT TIME COMMAND
root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T 0:00 /usr/sbin/vlock-main
root:system_r:vlock_t:s0-s15:c0.c1023 759 ttyS0 T 0:00 /usr/sbin/vlock-main
[1]+ Stopped vlock
[root/sysadm_r/s0@~]#
(Note: "setenforce 0" is a shortcut for the user-role and role-type
settings for system_r that sysadm.pp would otherwise need.)
5. (TODO) restorecon doesn't take the role_transition rule into account
for non-process classes so far:
[root/sysadm_r/s0@~]# cd parent/
[root/sysadm_r/s0@parent]#
[root/sysadm_r/s0@parent]# ls -Z
drwxr-xr-x root root root:sysadm_r:user_home_t:s0 dir
-rw-r--r-- root root root:sysadm_r:user_home_t:s0 file
lrwxrwxrwx root root root:object_r:user_home_t:s0 file_lk -> file
prw-r--r-- root root root:object_r:user_home_t:s0 pipe
[root/sysadm_r/s0@parent]#
[root/sysadm_r/s0@parent]# restorecon . -R
[root/sysadm_r/s0@parent]#
[root/sysadm_r/s0@parent]# ls -Z
drwxr-xr-x root root root:object_r:user_home_t:s0 dir
-rw-r--r-- root root root:object_r:user_home_t:s0 file
lrwxrwxrwx root root root:object_r:user_home_t:s0 file_lk -> file
prw-r--r-- root root root:object_r:user_home_t:s0 pipe
[root/sysadm_r/s0@parent]#
6. Verify that SELinux kernel policydb_write > role_trans_write works well:
[root/sysadm_r/s0@~]# setenforce 1
[root/sysadm_r/s0@~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 26
Policy from config file: refpolicy-mls
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# ls -l policy_read
-rw-r--r-- 1 root root 5849662 Mar 25 05:26 policy_read
[root/sysadm_r/s0@~]# ls -l /etc/selinux/refpolicy-mls/policy/
total 5732
-rw-r--r-- 1 root root 5849662 Mar 25 05:15 policy.26
[root/sysadm_r/s0@~]#
[root/sysadm_r/s0@~]# xxd policy_read > policy_read_xxd
[root/sysadm_r/s0@~]# vim policy_read_xxd
......
055c510: 0800 l.....S.........
055c520: 0000 0300 0000 a006 0000 0b00 0000 0200 ................
055c530: 0000 0300 0000 a103 0000 0b00 0000 0200 ................
055c540: 0000 0800 0000 b707 0000 0b00 0000 0200 ................
055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200 ................
055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200 ................
055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600 ................
055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700 ................
055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200 ................
055c5a0: 0000
......
[root/sysadm_r/s0@~]#
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
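As an added example (not code from this patch set or from the SELinux project), a stand-alone decoder for the role_trans section layout the tests above inspect: a u32 count, then per record role, type and new_role, plus a trailing tclass only for policy version 26 and later, with the legacy default to the process class and the unified (role, type, class) match that patch 2/3 introduces. The sample bytes, the process-class value and the symbol-table sizes are constructed for this example; the values 0x0a and 0x58e are chosen to resemble the dump above but are not taken from a real policy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define POLICYDB_VERSION_ROLETRANS 26	/* first version carrying tclass */

struct role_trans_rec {
	uint32_t role;
	uint32_t type;
	uint32_t new_role;
	uint32_t tclass;
};

/* Policy images are little-endian regardless of host byte order. */
static uint32_t rd_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Decode the role_trans section: a u32 record count followed by `nel`
 * records of role, type, new_role (3 x u32) and, only when policyvers is
 * >= POLICYDB_VERSION_ROLETRANS, a trailing u32 tclass.  Older images get
 * tclass = process_class, mirroring the kernel fallback in patch 1/3.
 * Returns the number of records decoded, or -1 when the buffer is truncated,
 * the caller's array is too small, or a record fails the validity checks
 * (all values are 1-based indices into the symbol tables).
 */
int parse_role_trans(const uint8_t *buf, size_t len, int policyvers,
		     uint32_t process_class, uint32_t nroles, uint32_t ntypes,
		     uint32_t nclasses, struct role_trans_rec *out, size_t max_out)
{
	int has_tclass = policyvers >= POLICYDB_VERSION_ROLETRANS;
	size_t rec_size = has_tclass ? 16 : 12;
	size_t off = 4;
	uint32_t nel, i;

	if (len < 4)
		return -1;
	nel = rd_le32(buf);
	if (nel > max_out || (len - off) / rec_size < nel)
		return -1;	/* count exceeds the array or the remaining bytes */

	for (i = 0; i < nel; i++) {
		struct role_trans_rec *r = &out[i];

		r->role = rd_le32(buf + off);
		r->type = rd_le32(buf + off + 4);
		r->new_role = rd_le32(buf + off + 8);
		r->tclass = has_tclass ? rd_le32(buf + off + 12) : process_class;
		off += rec_size;

		if (r->role == 0 || r->role > nroles ||
		    r->new_role == 0 || r->new_role > nroles ||
		    r->type == 0 || r->type > ntypes ||
		    r->tclass == 0 || r->tclass > nclasses)
			return -1;
	}
	return (int)nel;
}

/* The lookup of patch 2/3: match on (role, type, tclass); 0 means no rule. */
uint32_t find_new_role(const struct role_trans_rec *recs, size_t n,
		       uint32_t role, uint32_t type, uint32_t tclass)
{
	for (size_t i = 0; i < n; i++)
		if (recs[i].role == role && recs[i].type == type &&
		    recs[i].tclass == tclass)
			return recs[i].new_role;
	return 0;
}

/* Constructed v26 section: two records for (role 10, type 0x58e) with classes 6 and 7. */
const uint8_t sample_v26[] = {
	0x02, 0x00, 0x00, 0x00,
	0x0a, 0, 0, 0,  0x8e, 0x05, 0, 0,  0x0a, 0, 0, 0,  0x06, 0, 0, 0,
	0x0a, 0, 0, 0,  0x8e, 0x05, 0, 0,  0x0a, 0, 0, 0,  0x07, 0, 0, 0,
};

/* Constructed legacy (v25) section: one 12-byte record without a class field. */
const uint8_t sample_v25[] = {
	0x01, 0x00, 0x00, 0x00,
	0x03, 0, 0, 0,  0xa0, 0x06, 0, 0,  0x0b, 0, 0, 0,
};

int main(void)
{
	struct role_trans_rec recs[4];
	int n = parse_role_trans(sample_v26, sizeof sample_v26, 26, 2,
				 16, 2000, 100, recs, 4);

	for (int i = 0; i < n; i++)
		printf("role %u type %u class %u -> role %u\n", recs[i].role,
		       recs[i].type, recs[i].tclass, recs[i].new_role);
	return n < 0;
}
```

Feeding the 12-byte legacy record to the v26 decoder fails as truncated, which is the failure mode a version mismatch between writer and reader produces.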
* [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure
From: Harry Ciao @ 2011-03-25 5:51 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
If kernel policy version is >= 26, then the binary representation of
the role_trans structure supports specifying the class for the current
subject or the newly created object.
If kernel policy version is < 26, then the class field defaults to the
process class.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
security/selinux/include/security.h | 3 ++-
security/selinux/ss/policydb.c | 14 ++++++++++++++
security/selinux/ss/policydb.h | 3 ++-
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 348eb00..bfc5218 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -30,13 +30,14 @@
#define POLICYDB_VERSION_PERMISSIVE 23
#define POLICYDB_VERSION_BOUNDARY 24
#define POLICYDB_VERSION_FILENAME_TRANS 25
+#define POLICYDB_VERSION_ROLETRANS 26
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
#define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
#else
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
#endif
/* Mask for just the mount related flags */
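Review bot: the new POLICYDB_VERSION_MAX default only applies when CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is unset; the Kconfig range behind CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE is not among the three files this patch touches, so confirm its upper bound is raised to 26 as well, otherwise kernels built with that option cannot load the new format.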
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index e7b850a..fd62c50 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
.sym_num = SYM_NUM,
.ocon_num = OCON_NUM,
},
+ {
+ .version = POLICYDB_VERSION_ROLETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NUM,
+ },
};
static struct policydb_compat_info *policydb_lookup_compat(int version)
@@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
tr->role = le32_to_cpu(buf[0]);
tr->type = le32_to_cpu(buf[1]);
tr->new_role = le32_to_cpu(buf[2]);
+ if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
+ rc = next_entry(buf, fp, sizeof(u32));
+ if (rc)
+ goto bad;
+ tr->tclass = le32_to_cpu(buf[0]);
+ } else
+ tr->tclass = p->process_class;
+
if (!policydb_role_isvalid(p, tr->role) ||
!policydb_type_isvalid(p, tr->type) ||
+ !policydb_class_isvalid(p, tr->tclass) ||
!policydb_role_isvalid(p, tr->new_role))
goto bad;
ltr = tr;
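Review bot: the `} else` on the `tr->tclass = p->process_class;` branch leaves one arm braced and the other not; kernel style wants braces on both arms when either needs them. The fallback itself holds up: if p->process_class were 0 the new `policydb_class_isvalid(p, tr->tclass)` test rejects the rule at `goto bad` instead of storing an unusable class, so a legacy image never yields a rule the lookup in 2/3 cannot match.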
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 732ea4a..801175f 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -72,7 +72,8 @@ struct role_datum {
struct role_trans {
u32 role; /* current role */
- u32 type; /* program executable type */
+ u32 type; /* program executable type, or new object type */
+ u32 tclass; /* process class, or new object class */
u32 new_role; /* new role */
struct role_trans *next;
};
--
1.7.0.4
* [v2 PATCH 1/5] Userspace: add class to role_trans & role_trans_rule
From: Harry Ciao @ 2011-03-25 5:51 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
From: Harry Ciao <harrytaurus2002@hotmail.com>
Introduce class support to the role_trans and role_trans_rule
structures; the class can be the subject class ("process") or the
class that the newly created object belongs to.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
libsepol/include/sepol/policydb/policydb.h | 12 ++++++++----
libsepol/src/policydb.c | 21 +++++++++++++++++++++
2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
index e8991e2..94b8609 100644
--- a/libsepol/include/sepol/policydb/policydb.h
+++ b/libsepol/include/sepol/policydb/policydb.h
@@ -124,7 +124,8 @@ typedef struct role_datum {
typedef struct role_trans {
uint32_t role; /* current role */
- uint32_t type; /* program executable type */
+ uint32_t type; /* program executable type, or new object type */
+ uint32_t tclass; /* process class, or new object class */
uint32_t new_role; /* new role */
struct role_trans *next;
} role_trans_t;
@@ -234,7 +235,8 @@ typedef struct avrule {
typedef struct role_trans_rule {
role_set_t roles; /* current role */
- type_set_t types; /* program executable type */
+ type_set_t types; /* program executable type, or new object type */
+ ebitmap_t classes; /* process class, or new object class */
uint32_t new_role; /* new role */
struct role_trans_rule *next;
} role_trans_rule_t;
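Review bot: the new `ebitmap_t classes;` in role_trans_rule needs to be initialised wherever a role_trans_rule_t is allocated and destroyed wherever one is freed, but the diffstat lists only policydb.h and the compat table in policydb.c, so those paths are untouched here; either add them to this patch or state in the commit message which later patch of the series covers them.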
@@ -630,10 +632,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define POLICYDB_VERSION_POLCAP 22
#define POLICYDB_VERSION_PERMISSIVE 23
#define POLICYDB_VERSION_BOUNDARY 24
+#define POLICYDB_VERSION_ROLETRANS 26
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_BOUNDARY
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
/* Module versions and specific changes*/
#define MOD_POLICYDB_VERSION_BASE 4
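Review bot: POLICYDB_VERSION_ROLETRANS 26 is placed directly after POLICYDB_VERSION_BOUNDARY 24 and POLICYDB_VERSION_MAX moves from 24 to 26, so libsepol would advertise a maximum version while 25 stays undefined; the kernel header in 1/3 has POLICYDB_VERSION_FILENAME_TRANS 25 in that slot. Add the 25 definition (and its compat-table entries) alongside this one, or explain in the commit message why it is skipped.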
@@ -645,9 +648,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define MOD_POLICYDB_VERSION_PERMISSIVE 8
#define MOD_POLICYDB_VERSION_BOUNDARY 9
#define MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10
+#define MOD_POLICYDB_VERSION_ROLETRANS 12
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_BOUNDARY_ALIAS
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_ROLETRANS
#define POLICYDB_CONFIG_MLS 1
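Review bot: same gap on the module side: MOD_POLICYDB_VERSION_ROLETRANS 12 follows MOD_POLICYDB_VERSION_BOUNDARY_ALIAS 10 while MOD_POLICYDB_VERSION_MAX jumps to 12, leaving 11 unnamed; define it or note why the number is reserved.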
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 5c0081f..53a7eef 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -137,6 +137,13 @@ static struct policydb_compat_info policydb_compat[] = {
.target_platform = SEPOL_TARGET_SELINUX,
},
{
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_ROLETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
.type = POLICY_BASE,
.version = MOD_POLICYDB_VERSION_BASE,
.sym_num = SYM_NUM,
@@ -186,6 +193,13 @@ static struct policydb_compat_info policydb_compat[] = {
.target_platform = SEPOL_TARGET_SELINUX,
},
{
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_ROLETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
.type = POLICY_MOD,
.version = MOD_POLICYDB_VERSION_BASE,
.sym_num = SYM_NUM,
@@ -234,6 +248,13 @@ static struct policydb_compat_info policydb_compat[] = {
.ocon_num = 0,
.target_platform = SEPOL_TARGET_SELINUX,
},
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_ROLETRANS,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
};
#if 0
--
1.7.0.4
* [v2 PATCH 2/3] SELinux: Compute role in newcontext for all classes
From: Harry Ciao @ 2011-03-25 5:51 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
From: Harry Ciao <harrytaurus200@hotmail.com>
Apply role_transition rules for all kinds of classes.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
security/selinux/ss/services.c | 20 +++++++++-----------
1 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 3e7544d..03f7a47 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1484,17 +1484,15 @@ static int security_compute_sid(u32 ssid,
tcontext->type, tclass, qstr);
/* Check for class-specific changes. */
- if (tclass == policydb.process_class) {
- if (specified & AVTAB_TRANSITION) {
- /* Look for a role transition rule. */
- for (roletr = policydb.role_tr; roletr;
- roletr = roletr->next) {
- if (roletr->role == scontext->role &&
- roletr->type == tcontext->type) {
- /* Use the role transition rule. */
- newcontext.role = roletr->new_role;
- break;
- }
+ if (specified & AVTAB_TRANSITION) {
+ /* Look for a role transition rule. */
+ for (roletr = policydb.role_tr; roletr; roletr = roletr->next) {
+ if ((roletr->role == scontext->role) &&
+ (roletr->type == tcontext->type) &&
+ (roletr->tclass == tclass)) {
+ /* Use the role transition rule. */
+ newcontext.role = roletr->new_role;
+ break;
}
}
}
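Review bot: the comment `/* Check for class-specific changes. */` at the top of the hunk no longer describes what follows, since the `tclass == policydb.process_class` gate it referred to is removed and the class now enters through `roletr->tclass == tclass`; reword it to say role transitions are matched on (role, type, class). Behaviour for existing policies is preserved only because 1/3 sets tclass to p->process_class on legacy images, which is worth a sentence in the commit message.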
--
1.7.0.4
* [v2 PATCH 2/5] Userspace: role_transition parser to handle class field
From: Harry Ciao @ 2011-03-25 5:51 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
From: Harry Ciao <harrytaurus2002@hotmail.com>
Handle the class field in the role_transition rule. If no class is
specified, it is set to the "process" class by default.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
checkpolicy/policy_define.c | 89 ++++++++++++++++++++++++++++++++-----------
checkpolicy/policy_define.h | 2 +-
checkpolicy/policy_parse.y | 4 +-
3 files changed, 71 insertions(+), 24 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 82ab44c..5e99b30 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -2050,17 +2050,18 @@ static int set_roles(role_set_t * set, char *id)
return 0;
}
-int define_role_trans(void)
+int define_role_trans(int class_specified)
{
char *id;
role_datum_t *role;
role_set_t roles;
type_set_t types;
- ebitmap_t e_types, e_roles;
- ebitmap_node_t *tnode, *rnode;
+ class_datum_t *cladatum;
+ ebitmap_t e_types, e_roles, e_classes;
+ ebitmap_node_t *tnode, *rnode, *cnode;
struct role_trans *tr = NULL;
struct role_trans_rule *rule = NULL;
- unsigned int i, j;
+ unsigned int i, j, k;
int add = 1;
if (pass == 1) {
@@ -2068,6 +2069,9 @@ int define_role_trans(void)
free(id);
while ((id = queue_remove(id_queue)))
free(id);
+ if (class_specified)
+ while ((id = queue_remove(id_queue)))
+ free(id);
id = queue_remove(id_queue);
free(id);
return 0;
@@ -2077,6 +2081,7 @@ int define_role_trans(void)
ebitmap_init(&e_roles);
type_set_init(&types);
ebitmap_init(&e_types);
+ ebitmap_init(&e_classes);
while ((id = queue_remove(id_queue))) {
if (set_roles(&roles, id))
@@ -2088,6 +2093,35 @@ int define_role_trans(void)
return -1;
}
+ if (class_specified) {
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ free(id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table,
+ id);
+ if (!cladatum) {
+ yyerror2("unknow class %s", id);
+ return -1;
+ }
+
+ ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
+ free(id);
+ }
+ } else {
+ cladatum = hashtab_search(policydbp->p_classes.table,
+ "process");
+ if (!cladatum) {
+ yyerror2("could not find process class for "
+ "legacy role_transition statement");
+ return -1;
+ }
+
+ ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE);
+ }
+
id = (char *)queue_remove(id_queue);
if (!id) {
yyerror("no new role in transition definition?");
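Review bot: `yyerror2("unknow class %s", id);` has a typo ("unknown") and, unlike the scope-check failure just above it, returns without `free(id)`, leaking the identifier. Suggest:
`yyerror2("unknown class %s", id);`
`free(id);`
`return -1;`
Both early returns in this block also leave e_roles, e_types and the newly initialised e_classes undestroyed; the existing code has the same pattern, but the new bitmap adds to it.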
@@ -2117,27 +2151,37 @@ int define_role_trans(void)
ebitmap_for_each_bit(&e_types, tnode, j) {
if (!ebitmap_node_get_bit(tnode, j))
continue;
-
- for (tr = policydbp->role_tr; tr; tr = tr->next) {
- if (tr->role == (i + 1) && tr->type == (j + 1)) {
- yyerror2("duplicate role transition for (%s,%s)",
- role_val_to_name(i + 1),
- policydbp->p_type_val_to_name[j]);
- goto bad;
+ ebitmap_for_each_bit(&e_classes, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
+ for (tr = policydbp->role_tr; tr;
+ tr = tr->next) {
+ if (tr->role == (i + 1) &&
+ tr->type == (j + 1) &&
+ tr->tclass == (k + 1)) {
+ yyerror2("duplicate role "
+ "transition for "
+ "(%s,%s,%s)",
+ role_val_to_name(i+1),
+ policydbp->p_type_val_to_name[j],
+ policydbp->p_class_val_to_name[k]);
+ goto bad;
+ }
}
- }
- tr = malloc(sizeof(struct role_trans));
- if (!tr) {
- yyerror("out of memory");
- return -1;
+ tr = malloc(sizeof(struct role_trans));
+ if (!tr) {
+ yyerror("out of memory");
+ return -1;
+ }
+ memset(tr, 0, sizeof(struct role_trans));
+ tr->role = i + 1;
+ tr->type = j + 1;
+ tr->tclass = k + 1;
+ tr->new_role = role->s.value;
+ tr->next = policydbp->role_tr;
+ policydbp->role_tr = tr;
}
- memset(tr, 0, sizeof(struct role_trans));
- tr->role = i + 1;
- tr->type = j + 1;
- tr->new_role = role->s.value;
- tr->next = policydbp->role_tr;
- policydbp->role_tr = tr;
}
}
/* Now add the real rule */
Review bot: inside the new class loop the out-of-memory path does `return -1` while the duplicate-rule path does `goto bad`; whatever cleanup the bad label performs for e_roles and e_types now also needs `ebitmap_destroy(&e_classes)`, and the early return skips that cleanup entirely, so use `goto bad` in both places. The added dimension also pushes the body to four levels of nesting with several lines well past 80 columns; moving the per-(role, type, class) duplicate check and allocation into a helper would keep this readable.
@@ -2149,6 +2193,7 @@ int define_role_trans(void)
memset(rule, 0, sizeof(struct role_trans_rule));
rule->roles = roles;
rule->types = types;
+ rule->classes = e_classes;
rule->new_role = role->s.value;
append_role_trans(rule);
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index 5ac6667..2f7a78f 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -45,7 +45,7 @@ int define_ioport_context(unsigned long low, unsigned long high);
int define_pcidevice_context(unsigned long device);
int define_range_trans(int class_specified);
int define_role_allow(void);
-int define_role_trans(void);
+int define_role_trans(int class_specified);
int define_role_types(void);
int define_sens(void);
int define_te_avtab(int which);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 8d1bc37..8c29e2b 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -417,7 +417,9 @@ role_type_def : ROLE identifier TYPES names ';'
role_dominance : DOMINANCE '{' roles '}'
;
role_trans_def : ROLE_TRANSITION names names identifier ';'
- {if (define_role_trans()) return -1; }
+ {if (define_role_trans(0)) return -1; }
+ | ROLE_TRANSITION names names ':' names identifier ';'
+ {if (define_role_trans(1)) return -1;}
;
role_allow_def : ALLOW names names ';'
{if (define_role_allow()) return -1; }
--
1.7.0.4
* [v2 PATCH 3/3] SELinux: Write class field in role_trans_write.
From: Harry Ciao @ 2011-03-25 5:52 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
If kernel policy version is >= 26, then write the class field of the
role_trans structure into the binary representation.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
security/selinux/ss/policydb.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index fd62c50..a493eae 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -2535,8 +2535,9 @@ static int cat_write(void *vkey, void *datum, void *ptr)
return 0;
}
-static int role_trans_write(struct role_trans *r, void *fp)
+static int role_trans_write(struct policydb *p, void *fp)
{
+ struct role_trans *r = p->role_tr;
struct role_trans *tr;
u32 buf[3];
size_t nel;
@@ -2556,6 +2557,12 @@ static int role_trans_write(struct role_trans *r, void *fp)
rc = put_entry(buf, sizeof(u32), 3, fp);
if (rc)
return rc;
+ if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
+ buf[0] = cpu_to_le32(tr->tclass);
+ rc = put_entry(buf, sizeof(u32), 1, fp);
+ if (rc)
+ return rc;
+ }
}
return 0;
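Review bot: the record goes out as role, type, new_role and then tclass, which matches the read order added in 1/3 (tclass is read after the third u32), so reader and writer agree even though struct role_trans declares tclass before new_role. For `p->policyvers < POLICYDB_VERSION_ROLETRANS` the class is silently dropped; that is safe only because 1/3 forces tclass to p->process_class on such policies, and a one-line comment here stating that would spare the next reader the cross-check against the read path.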
@@ -3267,7 +3274,7 @@ int policydb_write(struct policydb *p, void *fp)
if (rc)
return rc;
- rc = role_trans_write(p->role_tr, fp);
+ rc = role_trans_write(p, fp);
if (rc)
return rc;
--
1.7.0.4
* [v2 PATCH 3/5] Userspace: handle the class field in role_trans struct
From: Harry Ciao @ 2011-03-25 5:52 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
From: Harry Ciao <harrytaurus2002@hotmail.com>
Add the class support to various functions that handle role_trans
structure.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
libsepol/src/policydb.c | 14 ++++++++++++--
libsepol/src/write.c | 22 ++++++++++++++++++++--
2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 53a7eef..1f414f9 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2124,12 +2124,15 @@ static int type_read(policydb_t * p
return -1;
}
-int role_trans_read(role_trans_t ** t, struct policy_file *fp)
+int role_trans_read(policydb_t *p, struct policy_file *fp)
{
+ role_trans_t **t = &p->role_tr;
unsigned int i;
uint32_t buf[3], nel;
role_trans_t *tr, *ltr;
int rc;
+ int new_roletr = (p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_ROLETRANS);
rc = next_entry(buf, fp, sizeof(uint32_t));
if (rc < 0)
@@ -2152,6 +2155,13 @@ int role_trans_read(role_trans_t ** t, struct policy_file *fp)
tr->role = le32_to_cpu(buf[0]);
tr->type = le32_to_cpu(buf[1]);
tr->new_role = le32_to_cpu(buf[2]);
+ if (new_roletr) {
+ rc = next_entry(buf, fp, sizeof(uint32_t));
+ if (rc < 0)
+ return -1;
+ tr->tclass = le32_to_cpu(buf[0]);
+ } else
+ tr->tclass = SECCLASS_PROCESS;
ltr = tr;
}
return 0;
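Review bot: the legacy default here is the SECCLASS_PROCESS constant, whereas the kernel read in 1/3 uses p->process_class looked up from the loaded policy, so the two sides agree only while the process class keeps that fixed value; and unlike the kernel path, the tclass read for new_roletr is stored without any range check. Consider rejecting a record whose `tr->tclass` is 0 or exceeds p->p_classes.nprim before `ltr = tr;`, so a malformed image fails at load rather than matching nothing later.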
@@ -3472,7 +3482,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
if (r_policyvers >= POLICYDB_VERSION_BOOL)
if (cond_read_list(p, &p->cond_list, fp))
goto bad;
- if (role_trans_read(&p->role_tr, fp))
+ if (role_trans_read(p, fp))
goto bad;
if (role_allow_read(&p->role_allow, fp))
goto bad;
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 00c605f..764200d 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -462,11 +462,15 @@ static int cat_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
return POLICYDB_SUCCESS;
}
-static int role_trans_write(role_trans_t * r, struct policy_file *fp)
+static int role_trans_write(policydb_t *p, struct policy_file *fp)
{
+ role_trans_t *r = p->role_tr;
role_trans_t *tr;
uint32_t buf[3];
size_t nel, items;
+ int new_roletr = (p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_ROLETRANS);
+ int warning_issued = 0;
nel = 0;
for (tr = r; tr; tr = tr->next)
@@ -476,12 +480,26 @@ static int role_trans_write(role_trans_t * r, struct policy_file *fp)
if (items != 1)
return POLICYDB_ERROR;
for (tr = r; tr; tr = tr->next) {
+ if (!new_roletr && tr->tclass != SECCLASS_PROCESS) {
+ if (!warning_issued)
+ WARN(fp->handle, "Discarding role_transition "
+ "rules for security classes other than "
+ "\"process\"");
+ warning_issued = 1;
+ continue;
+ }
buf[0] = cpu_to_le32(tr->role);
buf[1] = cpu_to_le32(tr->type);
buf[2] = cpu_to_le32(tr->new_role);
items = put_entry(buf, sizeof(uint32_t), 3, fp);
if (items != 3)
return POLICYDB_ERROR;
+ if (new_roletr) {
+ buf[0] = cpu_to_le32(tr->tclass);
+ items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ if (items != 1)
+ return POLICYDB_ERROR;
+ }
}
return POLICYDB_SUCCESS;
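Review bot: `nel` is counted over every rule by the `for (tr = r; tr; tr = tr->next)` loop in the previous hunk and written with `put_entry` before this loop runs, but the new `continue` for non-process rules in the legacy format then writes fewer records than that count, leaving a reader expecting records that never arrive. Apply the same `!new_roletr && tr->tclass != SECCLASS_PROCESS` test when counting `nel` so the count and the emitted records agree.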
@@ -1815,7 +1833,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
if (cond_write_list(p, p->cond_list, fp))
return POLICYDB_ERROR;
}
- if (role_trans_write(p->role_tr, fp))
+ if (role_trans_write(p, fp))
return POLICYDB_ERROR;
if (role_allow_write(p->role_allow, fp))
return POLICYDB_ERROR;
--
1.7.0.4
* [v2 PATCH 4/5] Userspace: handle the class in role_trans_rule
From: Harry Ciao @ 2011-03-25 5:52 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
From: Harry Ciao <harrytaurus2002@hotmail.com>
Add class support to various functions to handle role_trans_rule_t
structures.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
libsepol/src/expand.c | 94 +++++++++++++++++++++++++----------------------
libsepol/src/link.c | 14 +++++++
libsepol/src/policydb.c | 5 ++
libsepol/src/write.c | 2 +
4 files changed, 71 insertions(+), 44 deletions(-)
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 16d6bcb..8539f88 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1146,11 +1146,11 @@ static int copy_role_allows(expand_state_t * state, role_allow_rule_t * rules)
static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
{
- unsigned int i, j;
+ unsigned int i, j, k;
role_trans_t *n, *l, *cur_trans;
role_trans_rule_t *cur;
ebitmap_t roles, types;
- ebitmap_node_t *rnode, *tnode;
+ ebitmap_node_t *rnode, *tnode, *cnode;
/* start at the end of the list */
for (l = state->out->role_tr; l && l->next; l = l->next) ;
@@ -1175,51 +1175,57 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
ebitmap_for_each_bit(&types, tnode, j) {
if (!ebitmap_node_get_bit(tnode, j))
continue;
+ ebitmap_for_each_bit(&cur->classes, cnode, k) {
+ if (!ebitmap_node_get_bit(cnode, k))
+ continue;
- cur_trans = state->out->role_tr;
- while (cur_trans) {
- if ((cur_trans->role == i + 1) &&
- (cur_trans->type == j + 1)) {
- if (cur_trans->new_role ==
- cur->new_role) {
- break;
- } else {
- ERR(state->handle,
- "Conflicting role trans rule %s %s : %s",
- state->out->
- p_role_val_to_name
- [i],
- state->out->
- p_type_val_to_name
- [j],
- state->out->
- p_role_val_to_name
- [cur->new_role -
- 1]);
- return -1;
+ cur_trans = state->out->role_tr;
+ while (cur_trans) {
+ if ((cur_trans->role ==
+ i + 1) &&
+ (cur_trans->type ==
+ j + 1) &&
+ (cur_trans->tclass ==
+ k + 1)) {
+ if (cur_trans->
+ new_role ==
+ cur->new_role) {
+ break;
+ } else {
+ ERR(state->handle,
+ "Conflicting role trans rule %s %s : %s %s",
+ state->out->p_role_val_to_name[i],
+ state->out->p_type_val_to_name[j],
+ state->out->p_class_val_to_name[k],
+ state->out->p_role_val_to_name[cur->new_role - 1]);
+ return -1;
+ }
}
+ cur_trans = cur_trans->next;
}
- cur_trans = cur_trans->next;
- }
- if (cur_trans)
- continue;
+ if (cur_trans)
+ continue;
- n = (role_trans_t *)
- malloc(sizeof(role_trans_t));
- if (!n) {
- ERR(state->handle, "Out of memory!");
- return -1;
- }
- memset(n, 0, sizeof(role_trans_t));
- n->role = i + 1;
- n->type = j + 1;
- n->new_role = state->rolemap[cur->new_role - 1];
- if (l) {
- l->next = n;
- } else {
- state->out->role_tr = n;
+ n = (role_trans_t *)
+ malloc(sizeof(role_trans_t));
+ if (!n) {
+ ERR(state->handle,
+ "Out of memory!");
+ return -1;
+ }
+ memset(n, 0, sizeof(role_trans_t));
+ n->role = i + 1;
+ n->type = j + 1;
+ n->tclass = k + 1;
+ n->new_role = state->rolemap
+ [cur->new_role - 1];
+ if (l)
+ l->next = n;
+ else
+ state->out->role_tr = n;
+
+ l = n;
}
- l = n;
}
}
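Review bot: with the class loop nested inside the type loop, a role_trans_rule_t whose `classes` ebitmap is empty now yields no role_trans_t at all, so such a rule is silently dropped rather than defaulting to the process class the way the kernel reader in this series does for pre-26 images; either guarantee that every producer of these rules (the parser, and the module reader in policydb.c) populates at least one class, or treat an empty bitmap as "process" here. The conflict detection itself is consistent: the match now compares `cur_trans->tclass == k + 1` alongside role and type, so two rules that differ only in class no longer report a false conflict, and the message correctly indexes `p_class_val_to_name[k]` with the same 0-based convention as `p_type_val_to_name[j]`.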
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index d03e599..e33db0f 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -1246,6 +1246,8 @@ static int copy_role_trans_list(role_trans_rule_t * list,
policy_module_t * module, link_state_t * state)
{
role_trans_rule_t *cur, *new_rule = NULL, *tail;
+ unsigned int i;
+ ebitmap_node_t *cnode;
cur = list;
tail = *dst;
@@ -1267,6 +1269,18 @@ static int copy_role_trans_list(role_trans_rule_t * list,
goto cleanup;
}
+ ebitmap_for_each_bit(&cur->classes, cnode, i) {
+ if (ebitmap_node_get_bit(cnode, i)) {
+ assert(module->map[SYM_CLASSES][i]);
+ if (ebitmap_set_bit(&new_rule->classes,
+ module->
+ map[SYM_CLASSES][i] - 1,
+ 1)) {
+ goto cleanup;
+ }
+ }
+ }
+
new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1];
if (*dst == NULL) {
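Review bot: `assert(module->map[SYM_CLASSES][i])` is the only guard before `module->map[SYM_CLASSES][i] - 1`; when the library is built with NDEBUG the assert disappears and an unmapped class (map value 0) underflows to a huge bit index that is handed to `ebitmap_set_bit`. Replace the assert with an explicit check that reports the error and `goto cleanup`, so a module referencing a class the base policy does not declare fails cleanly in release builds too.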
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 1f414f9..bbf3c88 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -434,6 +434,7 @@ void role_trans_rule_init(role_trans_rule_t * x)
memset(x, 0, sizeof(*x));
role_set_init(&x->roles);
type_set_init(&x->types);
+ ebitmap_init(&x->classes);
}
void role_trans_rule_destroy(role_trans_rule_t * x)
@@ -441,6 +442,7 @@ void role_trans_rule_destroy(role_trans_rule_t * x)
if (x != NULL) {
role_set_destroy(&x->roles);
type_set_destroy(&x->types);
+ ebitmap_destroy(&x->classes);
}
}
@@ -2956,6 +2958,9 @@ static int role_trans_rule_read(role_trans_rule_t ** r, struct policy_file *fp)
if (type_set_read(&tr->types, fp))
return -1;
+ if (ebitmap_read(&tr->classes, fp))
+ return -1;
+
rc = next_entry(buf, fp, sizeof(uint32_t));
if (rc < 0)
return -1;
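Review bot: the new `ebitmap_read(&tr->classes, fp)` is unconditional, so a module built before this change, whose role_trans_rule has no classes field between the type set and `new_role`, now has its next words misinterpreted as an ebitmap header; this is the "ebitmap: map size 2 does not match my size 64 (high bit was 1)" failure Dan Walsh reports later in the thread. Gate the read on the module policy version (bumping it for this feature) and, when the field is absent, default `classes` to the process class, mirroring the kernel patch's `else tr->tclass = p->process_class`.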
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 764200d..f9d59b6 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -1464,6 +1464,8 @@ static int role_trans_rule_write(role_trans_rule_t * t, struct policy_file *fp)
return POLICYDB_ERROR;
if (type_set_write(&tr->types, fp))
return POLICYDB_ERROR;
+ if (ebitmap_write(&tr->classes, fp))
+ return POLICYDB_ERROR;
buf[0] = cpu_to_le32(tr->new_role);
items = put_entry(buf, sizeof(uint32_t), 1, fp);
if (items != 1)
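Review bot: `ebitmap_write(&tr->classes, fp)` is emitted for every module version, so the writer and reader only agree on the layout if both are gated on the same version check; as written, a module written by this libsepol cannot be read by an older one, and the reverse direction breaks as described for the read side. Conditionalise the write on the module policy version that introduces the classes field, and keep the condition identical in `role_trans_rule_read`.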
--
1.7.0.4
--
* [v2 PATCH 5/5] Userspace: display the class in role_transition rule
2011-03-25 5:51 v2 Add class support to the role_transition rule Harry Ciao
` (6 preceding siblings ...)
2011-03-25 5:52 ` [v2 PATCH 4/5] Userspace: handle the class in role_trans_rule Harry Ciao
@ 2011-03-25 5:52 ` Harry Ciao
2011-03-28 21:28 ` Joshua Brindle
2011-04-12 17:43 ` Daniel J Walsh
2011-04-12 13:31 ` v2 Add class support to the " Steve Lawrence
8 siblings, 2 replies; 17+ messages in thread
From: Harry Ciao @ 2011-03-25 5:52 UTC (permalink / raw)
To: sds, jmorris, eparis; +Cc: selinux
Add support to display the class field in the role_transition rule
in the checkpolicy/test/dismod program.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
checkpolicy/test/dismod.c | 27 ++++++++++++++++++++++++++-
1 files changed, 26 insertions(+), 1 deletions(-)
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 4d31597..33a29e4 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -451,13 +451,38 @@ void display_initial_sids(policydb_t * p, FILE * fp)
#endif
}
+void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+{
+ int i, num = 0;
+
+ for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+ if (!ebitmap_get_bit(classes, i))
+ continue;
+ num++;
+ if (num > 1) {
+ fprintf(fp, "{");
+ break;
+ }
+ }
+
+ for (i = ebitmap_startbit(classes); i < ebitmap_length(classes); i++) {
+ if (ebitmap_get_bit(classes, i))
+ display_id(p, fp, SYM_CLASSES, i, "");
+ }
+
+ if (num > 1)
+ fprintf(fp, " }");
+}
+
void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
{
for (; tr; tr = tr->next) {
fprintf(fp, "role transition ");
display_mod_role_set(&tr->roles, p, fp);
display_type_set(&tr->types, 0, p, fp);
- display_id(p, fp, SYM_ROLES, tr->new_role - 1, " :");
+ fprintf(fp, " :");
+ display_class_set(&tr->classes, p, fp);
+ display_id(p, fp, SYM_ROLES, tr->new_role - 1, "");
fprintf(fp, "\n");
}
}
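Review bot: `display_class_set` prints the opening brace as `"{"` but the closing one as `" }"`, which produces the asymmetric `:{ [file] [dir] }` seen in the cover letter's dismod output; use `" {"` so the set is bracketed consistently. Two smaller points in the same function: `int i` is compared against `ebitmap_length(classes)`, which is unsigned, so this will warn under -Wsign-compare (declare `i` unsigned as the ebitmap API expects), and the first loop exists only to learn whether more than one bit is set, so a single counting pass followed by the printing pass would read more clearly than scanning the bitmap twice with an early `break`.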
--
1.7.0.4
--
* Re: [v2 PATCH 3/3] SELinux: Write class field in role_trans_write.
2011-03-25 5:52 ` [v2 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
@ 2011-03-25 16:50 ` Stephen Smalley
2011-03-28 18:30 ` Eric Paris
0 siblings, 1 reply; 17+ messages in thread
From: Stephen Smalley @ 2011-03-25 16:50 UTC (permalink / raw)
To: Harry Ciao; +Cc: jmorris, eparis, selinux
On Fri, 2011-03-25 at 13:52 +0800, Harry Ciao wrote:
> If kernel policy version is >= 26, then write the class field of the
> role_trans structure into the binary representation.
>
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
for the 3 kernel patches.
> ---
> security/selinux/ss/policydb.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index fd62c50..a493eae 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -2535,8 +2535,9 @@ static int cat_write(void *vkey, void *datum, void *ptr)
> return 0;
> }
>
> -static int role_trans_write(struct role_trans *r, void *fp)
> +static int role_trans_write(struct policydb *p, void *fp)
> {
> + struct role_trans *r = p->role_tr;
> struct role_trans *tr;
> u32 buf[3];
> size_t nel;
> @@ -2556,6 +2557,12 @@ static int role_trans_write(struct role_trans *r, void *fp)
> rc = put_entry(buf, sizeof(u32), 3, fp);
> if (rc)
> return rc;
> + if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> + buf[0] = cpu_to_le32(tr->tclass);
> + rc = put_entry(buf, sizeof(u32), 1, fp);
> + if (rc)
> + return rc;
> + }
> }
>
> return 0;
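Review bot: when `p->policyvers < POLICYDB_VERSION_ROLETRANS` the `tclass` word is simply not written, and the matching reader in patch 1/3 fills it back in as `p->process_class`, so a rule on any non-process class silently turns into a process-class rule after a write/read cycle at an older version. Either refuse to write (return an error) when `tr->tclass != p->process_class` and the target version is below 26, or at least warn, so the downgrade is not lossy without notice.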
> @@ -3267,7 +3274,7 @@ int policydb_write(struct policydb *p, void *fp)
> if (rc)
> return rc;
>
> - rc = role_trans_write(p->role_tr, fp);
> + rc = role_trans_write(p, fp);
> if (rc)
> return rc;
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [v2 PATCH 3/3] SELinux: Write class field in role_trans_write.
2011-03-25 16:50 ` Stephen Smalley
@ 2011-03-28 18:30 ` Eric Paris
0 siblings, 0 replies; 17+ messages in thread
From: Eric Paris @ 2011-03-28 18:30 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Harry Ciao, jmorris, eparis, selinux
On Fri, 2011-03-25 at 12:50 -0400, Stephen Smalley wrote:
> On Fri, 2011-03-25 at 13:52 +0800, Harry Ciao wrote:
> > If kernel policy version is >= 26, then write the class field of the
> > role_trans structure into the binary representation.
> >
> > Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
>
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> for the 3 kernel patches.
All 3 applied to:
http://git.infradead.org/users/eparis/selinux.git
>
> > ---
> > security/selinux/ss/policydb.c | 11 +++++++++--
> > 1 files changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > index fd62c50..a493eae 100644
> > --- a/security/selinux/ss/policydb.c
> > +++ b/security/selinux/ss/policydb.c
> > @@ -2535,8 +2535,9 @@ static int cat_write(void *vkey, void *datum, void *ptr)
> > return 0;
> > }
> >
> > -static int role_trans_write(struct role_trans *r, void *fp)
> > +static int role_trans_write(struct policydb *p, void *fp)
> > {
> > + struct role_trans *r = p->role_tr;
> > struct role_trans *tr;
> > u32 buf[3];
> > size_t nel;
> > @@ -2556,6 +2557,12 @@ static int role_trans_write(struct role_trans *r, void *fp)
> > rc = put_entry(buf, sizeof(u32), 3, fp);
> > if (rc)
> > return rc;
> > + if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> > + buf[0] = cpu_to_le32(tr->tclass);
> > + rc = put_entry(buf, sizeof(u32), 1, fp);
> > + if (rc)
> > + return rc;
> > + }
> > }
> >
> > return 0;
> > @@ -3267,7 +3274,7 @@ int policydb_write(struct policydb *p, void *fp)
> > if (rc)
> > return rc;
> >
> > - rc = role_trans_write(p->role_tr, fp);
> > + rc = role_trans_write(p, fp);
> > if (rc)
> > return rc;
> >
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [v2 PATCH 5/5] Userspace: display the class in role_transition rule
2011-03-25 5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
@ 2011-03-28 21:28 ` Joshua Brindle
2011-04-12 17:43 ` Daniel J Walsh
1 sibling, 0 replies; 17+ messages in thread
From: Joshua Brindle @ 2011-03-28 21:28 UTC (permalink / raw)
To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux, Stephen Lawrence
I've reviewed the 5 userspace patches and they look good. I'll wait until
someone (Steve Lawrence?) actually compiles and tests before acking.
Harry Ciao wrote:
> Add support to display the class field in the role_transition rule
> in the checkpolicy/test/dismod program.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
> checkpolicy/test/dismod.c | 27 ++++++++++++++++++++++++++-
> 1 files changed, 26 insertions(+), 1 deletions(-)
>
> diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
> index 4d31597..33a29e4 100644
> --- a/checkpolicy/test/dismod.c
> +++ b/checkpolicy/test/dismod.c
> @@ -451,13 +451,38 @@ void display_initial_sids(policydb_t * p, FILE * fp)
> #endif
> }
>
> +void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
> +{
> + int i, num = 0;
> +
> + for (i = ebitmap_startbit(classes); i< ebitmap_length(classes); i++) {
> + if (!ebitmap_get_bit(classes, i))
> + continue;
> + num++;
> + if (num> 1) {
> + fprintf(fp, "{");
> + break;
> + }
> + }
> +
> + for (i = ebitmap_startbit(classes); i< ebitmap_length(classes); i++) {
> + if (ebitmap_get_bit(classes, i))
> + display_id(p, fp, SYM_CLASSES, i, "");
> + }
> +
> + if (num> 1)
> + fprintf(fp, " }");
> +}
> +
> void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
> {
> for (; tr; tr = tr->next) {
> fprintf(fp, "role transition ");
> display_mod_role_set(&tr->roles, p, fp);
> display_type_set(&tr->types, 0, p, fp);
> - display_id(p, fp, SYM_ROLES, tr->new_role - 1, " :");
> + fprintf(fp, " :");
> + display_class_set(&tr->classes, p, fp);
> + display_id(p, fp, SYM_ROLES, tr->new_role - 1, "");
> fprintf(fp, "\n");
> }
> }
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure
2011-03-25 5:51 ` [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
@ 2011-04-06 23:04 ` Eric Paris
2011-04-07 3:00 ` Harry Ciao
0 siblings, 1 reply; 17+ messages in thread
From: Eric Paris @ 2011-04-06 23:04 UTC (permalink / raw)
To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux
On Fri, 2011-03-25 at 13:51 +0800, Harry Ciao wrote:
> If kernel policy version is >= 26, then the binary representation of
> the role_trans structure supports specifying the class for the current
> subject or the newly created object.
>
> If kernel policy version is < 26, then the class field would be default
> to the process class.
>
> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
> ---
> security/selinux/include/security.h | 3 ++-
> security/selinux/ss/policydb.c | 14 ++++++++++++++
> security/selinux/ss/policydb.h | 3 ++-
> 3 files changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> index 348eb00..bfc5218 100644
> --- a/security/selinux/include/security.h
> +++ b/security/selinux/include/security.h
> @@ -30,13 +30,14 @@
> #define POLICYDB_VERSION_PERMISSIVE 23
> #define POLICYDB_VERSION_BOUNDARY 24
> #define POLICYDB_VERSION_FILENAME_TRANS 25
> +#define POLICYDB_VERSION_ROLETRANS 26
>
> /* Range of policy versions we understand*/
> #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
> #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
> #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
> #else
> -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS
> +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
> #endif
>
> /* Mask for just the mount related flags */
> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index e7b850a..fd62c50 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
> .sym_num = SYM_NUM,
> .ocon_num = OCON_NUM,
> },
> + {
> + .version = POLICYDB_VERSION_ROLETRANS,
> + .sym_num = SYM_NUM,
> + .ocon_num = OCON_NUM,
> + },
> };
>
> static struct policydb_compat_info *policydb_lookup_compat(int version)
> @@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
> tr->role = le32_to_cpu(buf[0]);
> tr->type = le32_to_cpu(buf[1]);
> tr->new_role = le32_to_cpu(buf[2]);
> + if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
> + rc = next_entry(buf, fp, sizeof(u32));
> + if (rc)
> + goto bad;
> + tr->tclass = le32_to_cpu(buf[0]);
> + } else
> + tr->tclass = p->process_class;
This doesn't work as p->process_class isn't set until about 100 lines
later. This means that a policy.X < 26 always fails on the next test
since policydb_class_isvalid(p, 0) is going to fail. I can try to find
a way to handle this tomorrow, but hopefully you will find something
sooner!
Thanks!
-Eric
> +
> if (!policydb_role_isvalid(p, tr->role) ||
> !policydb_type_isvalid(p, tr->type) ||
> + !policydb_class_isvalid(p, tr->tclass) ||
> !policydb_role_isvalid(p, tr->new_role))
> goto bad;
> ltr = tr;
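Review bot: the `else` fallback assigns `p->process_class` before that field has been looked up (Eric's point above), so for every pre-26 image `tr->tclass` is 0 and the new `!policydb_class_isvalid(p, tr->tclass)` check rejects the policy; resolve `process_class` from the class symtab before the role_trans loop rather than where it is looked up today. Style: the `} else` arm should keep its braces to match the braced `if` arm, per kernel coding style.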
> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
> index 732ea4a..801175f 100644
> --- a/security/selinux/ss/policydb.h
> +++ b/security/selinux/ss/policydb.h
> @@ -72,7 +72,8 @@ struct role_datum {
>
> struct role_trans {
> u32 role; /* current role */
> - u32 type; /* program executable type */
> + u32 type; /* program executable type, or new object type */
> + u32 tclass; /* process class, or new object class */
> u32 new_role; /* new role */
> struct role_trans *next;
> };
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure
2011-04-06 23:04 ` Eric Paris
@ 2011-04-07 3:00 ` Harry Ciao
0 siblings, 0 replies; 17+ messages in thread
From: Harry Ciao @ 2011-04-07 3:00 UTC (permalink / raw)
To: Eric Paris; +Cc: sds, jmorris, eparis, selinux
Eric Paris wrote:
> On Fri, 2011-03-25 at 13:51 +0800, Harry Ciao wrote:
>
>> If kernel policy version is >= 26, then the binary representation of
>> the role_trans structure supports specifying the class for the current
>> subject or the newly created object.
>>
>> If kernel policy version is < 26, then the class field would be default
>> to the process class.
>>
>> Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
>> ---
>> security/selinux/include/security.h | 3 ++-
>> security/selinux/ss/policydb.c | 14 ++++++++++++++
>> security/selinux/ss/policydb.h | 3 ++-
>> 3 files changed, 18 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
>> index 348eb00..bfc5218 100644
>> --- a/security/selinux/include/security.h
>> +++ b/security/selinux/include/security.h
>> @@ -30,13 +30,14 @@
>> #define POLICYDB_VERSION_PERMISSIVE 23
>> #define POLICYDB_VERSION_BOUNDARY 24
>> #define POLICYDB_VERSION_FILENAME_TRANS 25
>> +#define POLICYDB_VERSION_ROLETRANS 26
>>
>> /* Range of policy versions we understand*/
>> #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
>> #ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX
>> #define POLICYDB_VERSION_MAX CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE
>> #else
>> -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_FILENAME_TRANS
>> +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
>> #endif
>>
>> /* Mask for just the mount related flags */
>> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
>> index e7b850a..fd62c50 100644
>> --- a/security/selinux/ss/policydb.c
>> +++ b/security/selinux/ss/policydb.c
>> @@ -128,6 +128,11 @@ static struct policydb_compat_info policydb_compat[] = {
>> .sym_num = SYM_NUM,
>> .ocon_num = OCON_NUM,
>> },
>> + {
>> + .version = POLICYDB_VERSION_ROLETRANS,
>> + .sym_num = SYM_NUM,
>> + .ocon_num = OCON_NUM,
>> + },
>> };
>>
>> static struct policydb_compat_info *policydb_lookup_compat(int version)
>> @@ -2302,8 +2307,17 @@ int policydb_read(struct policydb *p, void *fp)
>> tr->role = le32_to_cpu(buf[0]);
>> tr->type = le32_to_cpu(buf[1]);
>> tr->new_role = le32_to_cpu(buf[2]);
>> + if (p->policyvers >= POLICYDB_VERSION_ROLETRANS) {
>> + rc = next_entry(buf, fp, sizeof(u32));
>> + if (rc)
>> + goto bad;
>> + tr->tclass = le32_to_cpu(buf[0]);
>> + } else
>> + tr->tclass = p->process_class;
>>
>
>
> This doesn't work as p->process_class isn't set until about 100 lines
> later. This means that a policy.X < 26 always fails on the next test
> since policydb_class_isvalid(p, 0) is going to fail. I can try to find
> a way to handle this tomorrow, but hopefully you will find something
> sooner!
>
> Thanks!
> -Eric
>
>
Argh, you are right! I should have tried to boot up an older version
policy image with the updated kernel. After a quick glance I think we
could fix this problem by bumping the setting of p->process_class before
reading role_transition rules, since all symtabs would have been read
from the policy image.
I will get back to you after I finish the test later. Thanks!
Cheers,
Harry
>> +
>> if (!policydb_role_isvalid(p, tr->role) ||
>> !policydb_type_isvalid(p, tr->type) ||
>> + !policydb_class_isvalid(p, tr->tclass) ||
>> !policydb_role_isvalid(p, tr->new_role))
>> goto bad;
>> ltr = tr;
>> diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
>> index 732ea4a..801175f 100644
>> --- a/security/selinux/ss/policydb.h
>> +++ b/security/selinux/ss/policydb.h
>> @@ -72,7 +72,8 @@ struct role_datum {
>>
>> struct role_trans {
>> u32 role; /* current role */
>> - u32 type; /* program executable type */
>> + u32 type; /* program executable type, or new object type */
>> + u32 tclass; /* process class, or new object class */
>> u32 new_role; /* new role */
>> struct role_trans *next;
>> };
>>
>
>
>
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: v2 Add class support to the role_transition rule
2011-03-25 5:51 v2 Add class support to the role_transition rule Harry Ciao
` (7 preceding siblings ...)
2011-03-25 5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
@ 2011-04-12 13:31 ` Steve Lawrence
8 siblings, 0 replies; 17+ messages in thread
From: Steve Lawrence @ 2011-04-12 13:31 UTC (permalink / raw)
To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux
On 03/25/2011 01:51 AM, Harry Ciao wrote:
> Comments:
> ---------
> The outstanding changes in v2 from v1 include:
>
> 1. The newly added class support in role_trans structure in both kernel
> and libsepol have been renamed to "tclass";
>
> 2. The role_transition rule will be handled in a unified way for both
> process class and non-process classes - roletr->type would always be
> used to compare with tcontext->type, which is the type for the parent
> directory accommodating the newly created object, or the program
> executable type.
>
>
> Testing I've done:
> -------------------
>
> 0. Add below snippet into sysadm.te for testing:
>
> role_transition sysadm_r user_home_t:{ file dir } sysadm_r;
> role sysadm_r types user_home_t;
>
> gen_require(`
> type vlock_exec_t, vlock_t;
> ')
> role_transition sysadm_r vlock_exec_t system_r;
>
> 1. Verify that the dismod program could display the class field of the
> role_transition rule correctly:
>
> /work/selinux/selinux/checkpolicy$ test/dismod /work/selinux/refpolicy/sysadm.pp
> Reading policy...
> ......
> Command ('m' for menu): 7
> role transitions:
> --- begin avrule block ---
> decl 1:
> role transition sysadm_r [vlock_exec_t] : [process] system_r
> role transition sysadm_r [user_home_t] :{ [file] [dir] } sysadm_r
> --- begin avrule block ---
> decl 2:
> ......
> --- begin avrule block ---
> decl 342:
>
> Command ('m' for menu): q
> /work/selinux/selinux/checkpolicy$
>
> 2. Further verify the binary representation of the role_transition rule
> is correct, with the classes field *after* that of new_role in image:
>
> /work/selinux/refpolicy$ ls -l /etc/selinux/refpolicy-mls/policy/
> total 5728
> -rw-r--r--. 1 root root 5849662 2011-03-25 13:12 policy.26
> /work/selinux/refpolicy$ xxd /etc/selinux/refpolicy-mls/policy/policy.26 > policy_26_xxd
> /work/selinux/refpolicy$ vim policy_26_xxd
> ......
> 055c510: 0800 l.....S.........
> 055c520: 0000 0300 0000 a006 0000 0b00 0000 0200 ................
> 055c530: 0000 0300 0000 a103 0000 0b00 0000 0200 ................
> 055c540: 0000 0800 0000 b707 0000 0b00 0000 0200 ................
> 055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200 ................
> 055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200 ................
> 055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600 ................
> 055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700 ................
> 055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200 ................
> 055c5a0: 0000
> ......
> /work/selinux/refpolicy$
>
> 3. Run-time test one - verify that the role_transition rule works for
> non-process classes:
>
> [root/sysadm_r/s0@~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 26
> Policy from config file: refpolicy-mls
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# id -Z
> root:sysadm_r:sysadm_t:s0-s15:c0.c1023
> [root/sysadm_r/s0@~]# ls -Zd
> dr-xr-x--- root root root:object_r:user_home_dir_t:s0-s15:c0.c1023 .
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# mkdir parent
> [root/sysadm_r/s0@~]# ls -Z
> drwxr-xr-x root root root:object_r:user_home_t:s0 parent
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 dir
> root:sysadm_r:user_home_t:s0
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 file
> root:sysadm_r:user_home_t:s0
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 root:object_r:user_home_t:s0 lnk_file
> root:object_r:user_home_t:s0
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# cd parent
> [root/sysadm_r/s0@parent]# mkdir dir
> [root/sysadm_r/s0@parent]# touch file
> [root/sysadm_r/s0@parent]# ln -s file file_lk
> [root/sysadm_r/s0@parent]# mkfifo pipe
> [root/sysadm_r/s0@parent]#
> [root/sysadm_r/s0@parent]# ls -Z
> drwxr-xr-x root root root:sysadm_r:user_home_t:s0 dir
> -rw-r--r-- root root root:sysadm_r:user_home_t:s0 file
> lrwxrwxrwx root root root:object_r:user_home_t:s0 file_lk -> file
> prw-r--r-- root root root:object_r:user_home_t:s0 pipe
> [root/sysadm_r/s0@parent]#
>
> 4. Run-time test two - verify that the role_transition rule works for the
> process class:
>
> [root/sysadm_r/s0@~]# ls -Z /usr/sbin/vlock-main
> -rws--x--x root root system_u:object_r:vlock_exec_t:s0 /usr/sbin/vlock-main
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# seclow "setenforce 0"
> Password:
> [root/sysadm_r/s0@~]# compute_create root:sysadm_r:sysadm_t:s0-s15:c0.c1023 system_u:object_r:vlock_exec_t:s0 process
> root:system_r:vlock_t:s0-s15:c0.c1023
> [root/sysadm_r/s0@~]#
>
> [root/staff_r/s0@~]# vlock &
> [1] 743
> [root/staff_r/s0@~]# ps Z -C vlock-main
> LABEL PID TTY STAT TIME COMMAND
> root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T 0:00 /usr/sbin/vlock-main
> [1]+ Stopped vlock
> [root/staff_r/s0@~]#
>
> [root/sysadm_r/s0@~]# vlock &
> [1] 759
> [root/sysadm_r/s0@~]# ps Z -C vlock-main
> LABEL PID TTY STAT TIME COMMAND
> root:staff_r:vlock_t:s0-s15:c0.c1023 743 pts/0 T 0:00 /usr/sbin/vlock-main
> root:system_r:vlock_t:s0-s15:c0.c1023 759 ttyS0 T 0:00 /usr/sbin/vlock-main
> [1]+ Stopped vlock
> [root/sysadm_r/s0@~]#
>
> (Note, "setenforce 0" is to shortcut the necessary user-role & role-type
> settings in sysadm.pp for system_r)
>
> 5. (TODO) restorecon doesn't take into account the role_transition rule
> for non-process class so far:
>
> [root/sysadm_r/s0@~]# cd parent/
> [root/sysadm_r/s0@parent]#
> [root/sysadm_r/s0@parent]# ls -Z
> drwxr-xr-x root root root:sysadm_r:user_home_t:s0 dir
> -rw-r--r-- root root root:sysadm_r:user_home_t:s0 file
> lrwxrwxrwx root root root:object_r:user_home_t:s0 file_lk -> file
> prw-r--r-- root root root:object_r:user_home_t:s0 pipe
> [root/sysadm_r/s0@parent]#
> [root/sysadm_r/s0@parent]# restorecon . -R
> [root/sysadm_r/s0@parent]#
> [root/sysadm_r/s0@parent]# ls -Z
> drwxr-xr-x root root root:object_r:user_home_t:s0 dir
> -rw-r--r-- root root root:object_r:user_home_t:s0 file
> lrwxrwxrwx root root root:object_r:user_home_t:s0 file_lk -> file
> prw-r--r-- root root root:object_r:user_home_t:s0 pipe
> [root/sysadm_r/s0@parent]#
>
> 6. Verify that SELinux kernel policydb_write > role_trans_write works well:
>
> [root/sysadm_r/s0@~]# setenforce 1
> [root/sysadm_r/s0@~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 26
> Policy from config file: refpolicy-mls
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# ls -l policy_read
> -rw-r--r-- 1 root root 5849662 Mar 25 05:26 policy_read
> [root/sysadm_r/s0@~]# ls -l /etc/selinux/refpolicy-mls/policy/
> total 5732
> -rw-r--r-- 1 root root 5849662 Mar 25 05:15 policy.26
> [root/sysadm_r/s0@~]#
> [root/sysadm_r/s0@~]# xxd policy_read > policy_read_xxd
> [root/sysadm_r/s0@~]# vim policy_read_xxd
> ......
> 055c510: 0800 l.....S.........
> 055c520: 0000 0300 0000 a006 0000 0b00 0000 0200 ................
> 055c530: 0000 0300 0000 a103 0000 0b00 0000 0200 ................
> 055c540: 0000 0800 0000 b707 0000 0b00 0000 0200 ................
> 055c550: 0000 0800 0000 a70a 0000 0b00 0000 0200 ................
> 055c560: 0000 0a00 0000 db00 0000 0b00 0000 0200 ................
> 055c570: 0000 0a00 0000 8e05 0000 0a00 0000 0600 ................
> 055c580: 0000 0a00 0000 8e05 0000 0a00 0000 0700 ................
> 055c590: 0000 0c00 0000 9209 0000 0b00 0000 0200 ................
> 055c5a0: 0000
> ......
> [root/sysadm_r/s0@~]#
>
All 5 userspace patches applied in libsepol-2.0.43 and checkpolicy-2.0.24
Thanks!
--
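To make the on-disk layout that the quoted test 2 checks with xxd concrete, here is an added Python example; it is not code from the kernel, libsepol or this patch series. It packs and parses a role_trans table the way the kernel's role_trans_write() and policydb_read() in patches 1/3 and 3/3 lay it out: a u32 element count, then per rule the u32 fields role, type and new_role, followed from policy version 26 on by a fourth u32, tclass. The sample rules, their symbol numbers and the table sizes used for validation are constructed (modelled on the byte pattern in the dump, not taken from any symtab), and the refusal to write a non-process-class rule below version 26 is an added guard, not something the kernel patch does.

```python
"""Added worked example of the role_trans table layout discussed in this
thread.  Not code from the kernel, libsepol or the patch series."""
import struct

U32 = struct.Struct("<I")          # policy images store every field as little-endian u32
POLICYDB_VERSION_ROLETRANS = 26    # constant introduced by patch 1/3 of this series

# Constructed sample, modelled on the xxd rows in the quoted test 2.
# Only the byte pattern is taken from the dump; which role/type/class names the
# numbers stand for is an assumption (class 2 plays the role of "process").
PROCESS_CLASS = 2
SAMPLE_RULES = [
    (3, 0x06A0, 11, 2),   # role 3, type 0x6a0, new role 11, class 2 (process)
    (10, 0x058E, 10, 6),  # role 10, type 0x58e, new role 10, class 6
    (10, 0x058E, 10, 7),  # same rule expanded for a second class (a { a b } set)
]
# Assumed table sizes for validation; a real policydb takes these from its symtabs.
NROLES, NTYPES, NCLASSES = 20, 2000, 100


def write_role_trans(rules, policyvers, process_class):
    """Serialise (role, type, new_role, tclass) tuples like role_trans_write():
    u32 count, then 3 u32s per rule and, for version >= 26, a 4th u32 tclass.
    Added guard (not in the kernel patch): below version 26 only process-class
    rules are representable, so refuse anything else instead of losing it."""
    out = bytearray(U32.pack(len(rules)))
    for role, typ, new_role, tclass in rules:
        out += struct.pack("<III", role, typ, new_role)
        if policyvers >= POLICYDB_VERSION_ROLETRANS:
            out += U32.pack(tclass)
        elif tclass != process_class:
            raise ValueError(
                f"rule ({role}, {typ}, {new_role}) on class {tclass} "
                f"cannot be written at policy version {policyvers}")
    return bytes(out)


def read_role_trans(data, policyvers, process_class, nroles, ntypes, nclasses):
    """Parse the table back like policydb_read(): tclass is read only for
    version >= 26 and otherwise defaults to process_class.  Validation mirrors
    the policydb_*_isvalid() checks: values are 1-based, so 0 is invalid."""
    off = 0
    (nel,) = U32.unpack_from(data, off)
    off += 4
    rules = []
    for _ in range(nel):
        role, typ, new_role = struct.unpack_from("<III", data, off)
        off += 12
        if policyvers >= POLICYDB_VERSION_ROLETRANS:
            (tclass,) = U32.unpack_from(data, off)
            off += 4
        else:
            tclass = process_class
        if not (1 <= role <= nroles and 1 <= typ <= ntypes
                and 1 <= tclass <= nclasses and 1 <= new_role <= nroles):
            raise ValueError(
                f"invalid role_trans ({role}, {typ}, {new_role}, {tclass})")
        rules.append((role, typ, new_role, tclass))
    if off != len(data):
        raise ValueError("trailing bytes after role_trans table")
    return rules


def demo():
    """Round-trip the sample at v26, then exercise the two pre-26 pitfalls."""
    blob26 = write_role_trans(SAMPLE_RULES, 26, PROCESS_CLASS)
    back26 = read_role_trans(blob26, 26, PROCESS_CLASS, NROLES, NTYPES, NCLASSES)

    # A v25 image cannot carry the file/dir rules; the added guard refuses them.
    try:
        write_role_trans(SAMPLE_RULES, 25, PROCESS_CLASS)
        lossy_write_refused = False
    except ValueError:
        lossy_write_refused = True

    # The ordering bug Eric points out: if process_class is still 0 when the
    # role_trans table is parsed, every pre-26 image fails class validation.
    blob25 = write_role_trans(SAMPLE_RULES[:1], 25, PROCESS_CLASS)
    try:
        read_role_trans(blob25, 25, 0, NROLES, NTYPES, NCLASSES)
        unset_process_class_rejected = False
    except ValueError:
        unset_process_class_rejected = True

    return {
        "roundtrip_v26": back26 == SAMPLE_RULES,
        "v26_first_entry_hex": blob26[4:20].hex(),
        "lossy_write_refused": lossy_write_refused,
        "unset_process_class_rejected": unset_process_class_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first entry of the v26 blob reproduces the dump row `0300 0000 a006 0000 0b00 0000 0200 0000`, which is the byte order the quoted test asserts (tclass after new_role). The `process_class=0` case is the exact condition Eric describes for pre-26 images: with the kernel's 1-based validation, an unset process class fails `policydb_class_isvalid` for every rule.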
* Re: [v2 PATCH 5/5] Userspace: display the class in role_transition rule
2011-03-25 5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
2011-03-28 21:28 ` Joshua Brindle
@ 2011-04-12 17:43 ` Daniel J Walsh
2011-04-12 18:03 ` Eric Paris
1 sibling, 1 reply; 17+ messages in thread
From: Daniel J Walsh @ 2011-04-12 17:43 UTC (permalink / raw)
To: Harry Ciao; +Cc: sds, jmorris, eparis, selinux
This patch is blowing up in Fedora.
semodule -s mls -b /usr/share/selinux/mls/base.pp.bz2
security: ebitmap: map size 2 does not match my size 64 (high bit was 1)
libsepol.sepol_module_package_read: invalid module in module package (at
section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/mls/modules/tmp/modules/dbadm.pp. (No such file or directory).
semodule: Failed!
semodule -i mykernel.pp
security: ebitmap: map size 2 does not match my size 64 (high bit was 1)
libsepol.sepol_module_package_read: invalid module in module package (at
section 0) (No such file or directory).
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/targeted/modules/tmp/modules/dbadm.pp. (No such file or
directory).
semodule: Failed!
* Re: [v2 PATCH 5/5] Userspace: display the class in role_transition rule
2011-04-12 17:43 ` Daniel J Walsh
@ 2011-04-12 18:03 ` Eric Paris
0 siblings, 0 replies; 17+ messages in thread
From: Eric Paris @ 2011-04-12 18:03 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Harry Ciao, sds, jmorris, selinux
I'm betting on:
src/write.c::role_trans_rule_write() which does:
+ if (ebitmap_write(&tr->classes, fp))
+ return POLICYDB_ERROR;
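Review bot: the ebitmap_write of tr->classes in role_trans_rule_write() is unconditional, so every module written by the patched libsepol carries the extra field no matter which module policy version it declares, and any reader that does not expect the field at that version consumes the bitmap words as the next record; that is consistent with the "ebitmap: map size 2 does not match my size 64" failure in the report above. Guard the write on the module version that introduces the class field, and apply the identical condition in the corresponding read path so writer and reader agree on the record layout for every version.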
But I'd think that would need to be conditionalized on a policy
version that supports role trans....
-Eric
On Tue, Apr 12, 2011 at 1:43 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This patch is blowing up in Fedora.
>
>
>
> semodule -s mls -b /usr/share/selinux/mls/base.pp.bz2
> security: ebitmap: map size 2 does not match my size 64 (high bit was 1)
> libsepol.sepol_module_package_read: invalid module in module package (at
> section 0) (No such file or directory).
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/mls/modules/tmp/modules/dbadm.pp. (No such file or directory).
> semodule: Failed!
>
>
> semodule -i mykernel.pp
> security: ebitmap: map size 2 does not match my size 64 (high bit was 1)
> libsepol.sepol_module_package_read: invalid module in module package (at
> section 0) (No such file or directory).
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/targeted/modules/tmp/modules/dbadm.pp. (No such file or
> directory).
> semodule: Failed!
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk2kj0AACgkQrlYvE4MpobOsRgCgiPRH/ttp1VmeRfuQMnD76xzF
> 3VYAoMp26ILjzC1+tAQqf35gEknnp+Z1
> =c8Km
> -----END PGP SIGNATURE-----
>
end of thread, other threads:[~2011-04-12 18:03 UTC | newest]
Thread overview: 17+ messages
2011-03-25 5:51 v2 Add class support to the role_transition rule Harry Ciao
2011-03-25 5:51 ` [v2 PATCH 1/3] SELinux: Add class support to the role_trans structure Harry Ciao
2011-04-06 23:04 ` Eric Paris
2011-04-07 3:00 ` Harry Ciao
2011-03-25 5:51 ` [v2 PATCH 1/5] Userspace: add class to role_trans & role_trans_rule Harry Ciao
2011-03-25 5:51 ` [v2 PATCH 2/3] SELinux: Compute role in newcontext for all classes Harry Ciao
2011-03-25 5:51 ` [v2 PATCH 2/5] Userspace: role_transition parser to handle class field Harry Ciao
2011-03-25 5:52 ` [v2 PATCH 3/3] SELinux: Write class field in role_trans_write Harry Ciao
2011-03-25 16:50 ` Stephen Smalley
2011-03-28 18:30 ` Eric Paris
2011-03-25 5:52 ` [v2 PATCH 3/5] Userspace: handle the class field in role_trans struct Harry Ciao
2011-03-25 5:52 ` [v2 PATCH 4/5] Userspace: handle the class in role_trans_rule Harry Ciao
2011-03-25 5:52 ` [v2 PATCH 5/5] Userspace: display the class in role_transition rule Harry Ciao
2011-03-28 21:28 ` Joshua Brindle
2011-04-12 17:43 ` Daniel J Walsh
2011-04-12 18:03 ` Eric Paris
2011-04-12 13:31 ` v2 Add class support to the " Steve Lawrence