Is it possible to assign different labels to symbolic links and actual files?

Is it possible to assign different labels to symbolic links and actual files?

[Sam Gandhi]

Hello,

I am working on a embedded platform and we have busybox on this device.

What we would like to do do is assign diffrent labels to various
busybox links. What we have seen when running things on JFFS2 when I
label a symbolic link, the actual file gets the label, but the link
itself doesn't (according to ls -lZ output).  We have seen similar
behaviour with files on tmpfs as well.

ls -lZ
-rw-r--r--        1         0 Jan  1 00:12 system_u:object_r:myfile_t X
lrwxrwxrwx    1         1 Jan  1 00:13 user_u:object_r:tmpfs_t          Y -> X

Is there no way to assign different label to symlink and actual files?
Is this file-system specific issue? Are there any file-system that
support assigning seperate labels to symlink and actual file?

-Sam

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/24/2011 04:46 PM, Sam Gandhi wrote:
> Hello,
> 
> I am working on a embedded platform and we have busybox on this device.
> 
> What we would like to do do is assign diffrent labels to various
> busybox links. What we have seen when running things on JFFS2 when I
> label a symbolic link, the actual file gets the label, but the link
> itself doesn't (according to ls -lZ output).  We have seen similar
> behaviour with files on tmpfs as well.
> 
> ls -lZ
> -rw-r--r--        1         0 Jan  1 00:12 system_u:object_r:myfile_t X
> lrwxrwxrwx    1         1 Jan  1 00:13 user_u:object_r:tmpfs_t          Y -> X
> 
> Is there no way to assign different label to symlink and actual files?
> Is this file-system specific issue? Are there any file-system that
> support assigning seperate labels to symlink and actual file?
> 
> -Sam
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
Yes you can label symbolic links differently then their targets, how are
you assiging the labels?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3cHhEACgkQrlYvE4MpobO8zwCggnEFXtPOvDRDjwbYAtXXOILI
ndMAniDZL6F6jfm+OqiNrSCre9eYuC/K
=O7bS
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Dominick Grift]

[-- Attachment #1: Type: text/plain, Size: 1630 bytes --]



On Tue, 2011-05-24 at 13:46 -0700, Sam Gandhi wrote:

> Is there no way to assign different label to symlink and actual files?
> Is this file-system specific issue? Are there any file-system that
> support assigning seperate labels to symlink and actual file?

You can assign different labels to symbolic links and other type of
files.

When you specify a file context for a particular file you can specify
the nature of the file

This is just like you would normally get attributes "of files"

The bits start with any of these
- (file)
d (dir)
l (link file)
s (socket)
p (pipe)
c (character file)
b (block file)

So when you specify a context for a single file you would:

semanage fcontext -a -t mytype_t /path/myfile

That is the default behaviour.

I suspect this will yield the same result:

semanage fcontext -a -t mytype_t -f -- /path/myfile

If you use a file content file you would:

/path/myfile -- gen_context(system_u:object_r:mytype_t, s0)

Note the --, it means this is a single file

Now lets specify a symlink

semanage fcontext -a -t mylnk_t -f -l /path/link

or with a file context file

/path/link -l gen_context(system_u:object_r:mylnk_t, s0)

other examples

/path/fifo -p gen_context(system_u:object_r:mypipe_t, s0)
/path/mycharacterfile -c gen_context(system_u:object_r:mycharfile_t, s0)
/path/myblockfile -b gen_context(system_u:object_r:myblkfile_t, s0)
/path/mysocket -s gen_context(system_u:object_r:mysockfile_t, s0)

note though that restoring the context of lnk files can be confusing.
chcon also have a special option (-h) for symlinks.


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: Is it possible to assign different labels to symbolic links and actual files?

[Guido Trentalancia]

On Tue, 2011-05-24 at 13:46 -0700, Sam Gandhi wrote:
> Hello,
> 
> I am working on a embedded platform and we have busybox on this device.
> 
> What we would like to do do is assign diffrent labels to various
> busybox links. What we have seen when running things on JFFS2 when I
> label a symbolic link, the actual file gets the label, but the link
> itself doesn't (according to ls -lZ output).  We have seen similar
> behaviour with files on tmpfs as well.
> 
> ls -lZ
> -rw-r--r--        1         0 Jan  1 00:12 system_u:object_r:myfile_t X
> lrwxrwxrwx    1         1 Jan  1 00:13 user_u:object_r:tmpfs_t          Y -> X
> 
> Is there no way to assign different label to symlink and actual files?

chcon -h
semanage -f -l
-l in policy file contexts

> Is this file-system specific issue? Are there any file-system that
> support assigning seperate labels to symlink and actual file?

It depends on the userspace code and/or the policy as explained above.

> -Sam

Regards,

Guido


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Sam Gandhi]

On Tue, May 24, 2011 at 2:07 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/24/2011 04:46 PM, Sam Gandhi wrote:
>> Hello,
>>
>> I am working on a embedded platform and we have busybox on this device.
>>
>> What we would like to do do is assign diffrent labels to various
>> busybox links. What we have seen when running things on JFFS2 when I
>> label a symbolic link, the actual file gets the label, but the link
>> itself doesn't (according to ls -lZ output).  We have seen similar
>> behaviour with files on tmpfs as well.
>>
>> ls -lZ
>> -rw-r--r--        1         0 Jan  1 00:12 system_u:object_r:myfile_t X
>> lrwxrwxrwx    1         1 Jan  1 00:13 user_u:object_r:tmpfs_t          Y -> X
>>
>> Is there no way to assign different label to symlink and actual files?
>> Is this file-system specific issue? Are there any file-system that
>> support assigning seperate labels to symlink and actual file?
>>
>> -Sam
>>
>> --

>>
>>
> Yes you can label symbolic links differently then their targets, how are
> you assiging the labels?
>

I am using setfilecon program found in package
On tmpfs file I did :

cd /tmp/
touch X
ln -s X Y
setfilecon system_u:object_r:myfile_t Y

And I see ls -lZ output as I shown above which shows /tmp/X has the
myfile_t label and not Y

I can't really use tools like semanage 'cause I can't install python
on this system. I will try to "reverse" engineer what semanage does
and how it handles symlink v/s regular files.

-Sam


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Russell Coker]

On Wed, 25 May 2011, Sam Gandhi <samgandhi9@gmail.com> wrote:
> I am working on a embedded platform and we have busybox on this device.
> 
> What we would like to do do is assign diffrent labels to various
> busybox links. What we have seen when running things on JFFS2 when I
> label a symbolic link, the actual file gets the label, but the link
> itself doesn't (according to ls -lZ output).  We have seen similar
> behaviour with files on tmpfs as well.

SE Linux supports assigning a different label to the sym-link, but that only 
matters when access checks are performed for reading/following the sym-link.  
When it comes to actually running the program the link label means little.

If you want to use labels to determine domain transitions then you can't use 
the sym-link label.  You need to either have a wrapper program that is labeled 
to give the domain transition which then executes busybox, or to have several 
copies of busybox which aggregate only programs which deserve the same domain.

http://doc.coker.com.au/papers/porting-se-linux-hand-held-devices/

You could probably benefit from some of the suggestions I made in the above 
paper.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Sam Gandhi]

Hello Russell,

On Tue, May 24, 2011 at 3:53 PM, Russell Coker <russell@coker.com.au> wrote:
> On Wed, 25 May 2011, Sam Gandhi <samgandhi9@gmail.com> wrote:
>> I am working on a embedded platform and we have busybox on this device.
>>
>> What we would like to do do is assign diffrent labels to various
>> busybox links. What we have seen when running things on JFFS2 when I
>> label a symbolic link, the actual file gets the label, but the link
>> itself doesn't (according to ls -lZ output).  We have seen similar
>> behaviour with files on tmpfs as well.
>
> SE Linux supports assigning a different label to the sym-link, but that only
> matters when access checks are performed for reading/following the sym-link.
> When it comes to actually running the program the link label means little.
>
> If you want to use labels to determine domain transitions then you can't use
> the sym-link label.  You need to either have a wrapper program that is labeled
> to give the domain transition which then executes busybox, or to have several
> copies of busybox which aggregate only programs which deserve the same domain.
>
> http://doc.coker.com.au/papers/porting-se-linux-hand-held-devices/

That is fantastic! What is described in your paper is, exactly what I
was looking to do.

Thank you SO much.

-Sam


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/24/2011 05:46 PM, Sam Gandhi wrote:
> On Tue, May 24, 2011 at 2:07 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 05/24/2011 04:46 PM, Sam Gandhi wrote:
>>> Hello,
>>>
>>> I am working on a embedded platform and we have busybox on this device.
>>>
>>> What we would like to do do is assign diffrent labels to various
>>> busybox links. What we have seen when running things on JFFS2 when I
>>> label a symbolic link, the actual file gets the label, but the link
>>> itself doesn't (according to ls -lZ output).  We have seen similar
>>> behaviour with files on tmpfs as well.
>>>
>>> ls -lZ
>>> -rw-r--r--        1         0 Jan  1 00:12 system_u:object_r:myfile_t X
>>> lrwxrwxrwx    1         1 Jan  1 00:13 user_u:object_r:tmpfs_t          Y -> X
>>>
>>> Is there no way to assign different label to symlink and actual files?
>>> Is this file-system specific issue? Are there any file-system that
>>> support assigning seperate labels to symlink and actual file?
>>>
>>> -Sam
>>>
>>> --
> 
>>>
>>>
>> Yes you can label symbolic links differently then their targets, how are
>> you assiging the labels?
>>
> 
> I am using setfilecon program found in package
> On tmpfs file I did :
> 
> cd /tmp/
> touch X
> ln -s X Y
> setfilecon system_u:object_r:myfile_t Y
> 
> And I see ls -lZ output as I shown above which shows /tmp/X has the
> myfile_t label and not Y
> 
> I can't really use tools like semanage 'cause I can't install python
> on this system. I will try to "reverse" engineer what semanage does
> and how it handles symlink v/s regular files.
> 
> -Sam
Use chcon instead of setfilecon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3c7wEACgkQrlYvE4MpobNYAACgvI/CIEJ1AuXBYFVM0wMAtFae
qpgAniOIEfmzeMrOgav+8oRIigT/AhNJ
=9kUk
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Russell Coker]

On Wed, 25 May 2011, Sam Gandhi <samgandhi9@gmail.com> wrote:
> cd tmp
> touch X
> ln -s X Y
> setfilecon system_u:object_r:myfile_t Y
> 
> And I see ls -lZ output as I shown above which shows /tmp/X has the
> myfile_t label and not Y

Don't use setfilecon, use chcon which has a -h option to label symlinks.

> I can't really use tools like semanage 'cause I can't install python
> on this system. I will try to "reverse" engineer what semanage does
> and how it handles symlink v/s regular files.

I think that most people who do embedded stuff prepare their image on a 
workstation or server and label it there.  The setfiles program has the -r 
option which is good for this.

If you are going to label it on the device then you might consider modifying 
setfiles to output a shell script that runs chcon on all the files.  That 
shouldn't be too hard to do.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is it possible to assign different labels to symbolic links and actual files?

[Stephen Smalley]

On Tue, 2011-05-24 at 14:46 -0700, Sam Gandhi wrote:
> On Tue, May 24, 2011 at 2:07 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 05/24/2011 04:46 PM, Sam Gandhi wrote:
> >> Hello,
> >>
> >> I am working on a embedded platform and we have busybox on this device.
> >>
> >> What we would like to do do is assign diffrent labels to various
> >> busybox links. What we have seen when running things on JFFS2 when I
> >> label a symbolic link, the actual file gets the label, but the link
> >> itself doesn't (according to ls -lZ output).  We have seen similar
> >> behaviour with files on tmpfs as well.
> >>
> >> ls -lZ
> >> -rw-r--r--        1         0 Jan  1 00:12 system_u:object_r:myfile_t X
> >> lrwxrwxrwx    1         1 Jan  1 00:13 user_u:object_r:tmpfs_t          Y -> X
> >>
> >> Is there no way to assign different label to symlink and actual files?
> >> Is this file-system specific issue? Are there any file-system that
> >> support assigning seperate labels to symlink and actual file?
> >>
> >> -Sam
> >>
> >> --
> 
> >>
> >>
> > Yes you can label symbolic links differently then their targets, how are
> > you assiging the labels?
> >
> 
> I am using setfilecon program found in package
> On tmpfs file I did :
> 
> cd /tmp/
> touch X
> ln -s X Y
> setfilecon system_u:object_r:myfile_t Y
> 
> And I see ls -lZ output as I shown above which shows /tmp/X has the
> myfile_t label and not Y
> 
> I can't really use tools like semanage 'cause I can't install python
> on this system. I will try to "reverse" engineer what semanage does
> and how it handles symlink v/s regular files.

Just change setfilecon to call lsetfilecon() instead of setfilecon().
Or use setfiles or chcon instead.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.