* [PATCH] libselinux: add selinux_openssh_contexts_path()
@ 2015-05-21 16:14 Petr Lautrbach
  2015-05-21 16:24 ` Dominick Grift
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Petr Lautrbach @ 2015-05-21 16:14 UTC (permalink / raw)
  To: selinux

openssh in Fedora uses the "sshd_net_t" type for privilege-separated
processes in the preauthentication phase. Similarly, openssh portable uses
"sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
Therefore selinux_openssh_contexts_path() was created to get a path where sshd
can get the correct types prepared by a distribution or an administrator.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 libselinux/include/selinux/selinux.h |  1 +
 libselinux/src/file_path_suffixes.h  |  1 +
 libselinux/src/selinux_config.c      | 12 ++++++++++--
 libselinux/src/selinux_internal.h    |  1 +
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index d0eb5c6..4beb170 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -543,6 +543,7 @@ extern const char *selinux_virtual_image_context_path(void);
 extern const char *selinux_lxc_contexts_path(void);
 extern const char *selinux_x_context_path(void);
 extern const char *selinux_sepgsql_context_path(void);
+extern const char *selinux_openssh_contexts_path(void);
 extern const char *selinux_systemd_contexts_path(void);
 extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
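Review bot: The new exported prototype "extern const char *selinux_openssh_contexts_path(void);" arrives in the public header with no comment on what the file at that path contains or who is expected to consume it; its neighbours are equally terse, but since this is new public ABI that sshd will build against, a one-line comment here (or a sentence in the commit message) saying the file carries the sshd privsep and sftp types prepared by the distribution or administrator would save the next reader a trip to the policy sources.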
diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
index 3c92424..d1f9b48 100644
--- a/libselinux/src/file_path_suffixes.h
+++ b/libselinux/src/file_path_suffixes.h
@@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
     S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
     S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
     S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
+    S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
     S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
     S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
     S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
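Review bot: The position of the new S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts") entry must match the numeric value given to OPENSSH_CONTEXTS in selinux_config.c, because get_path() indexes this suffix table by that number; the hunk keeps the two in step (both are inserted just before SYSTEMD_CONTEXTS), but nothing enforces the coupling, so a comment at the top of this list pointing at the #define block, or a compile-time check that the table has exactly NEL entries, would catch a future addition that updates only one side.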
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index 0a80141..bec5f3b 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -48,8 +48,9 @@
 #define FILE_CONTEXT_SUBS_DIST 25
 #define LXC_CONTEXTS      26
 #define BOOLEAN_SUBS      27
-#define SYSTEMD_CONTEXTS  28
-#define NEL               29
+#define OPENSSH_CONTEXTS  28
+#define SYSTEMD_CONTEXTS  29
+#define NEL               30
 
 /* Part of one-time lazy init */
 static pthread_once_t once = PTHREAD_ONCE_INIT;
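Review bot: Renumbering SYSTEMD_CONTEXTS from 28 to 29 in order to slot OPENSSH_CONTEXTS in alphabetically touches an existing entry for no functional gain. Since these values are internal indexes into the suffix table rather than exported constants, appending "#define OPENSSH_CONTEXTS 29" and bumping NEL to 30 would make the hunk a pure addition that cannot put existing entries out of step with their S_() positions, at the cost of alphabetical order; either way NEL must stay exactly one past the last index, as it does here.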
@@ -491,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
 
 hidden_def(selinux_lxc_contexts_path)
 
+const char *selinux_openssh_contexts_path(void)
+{
+    return get_path(OPENSSH_CONTEXTS);
+}
+
+hidden_def(selinux_openssh_contexts_path)
+
 const char *selinux_systemd_contexts_path(void)
 {
 	return get_path(SYSTEMD_CONTEXTS);
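Review bot: The body of the new function is indented with four spaces ("    return get_path(OPENSSH_CONTEXTS);") while the adjacent selinux_systemd_contexts_path() body uses a tab; match the file's existing tab indentation. Also worth spelling out for callers: like its siblings, this returns only the computed path string, so sshd still has to handle the file being absent or unreadable and fall back to its current compiled-in types rather than treating the path as a promise that the file exists.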
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 0abf1b4..844e408 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -83,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
     hidden_proto(selinux_media_context_path)
     hidden_proto(selinux_x_context_path)
     hidden_proto(selinux_sepgsql_context_path)
+    hidden_proto(selinux_openssh_contexts_path)
     hidden_proto(selinux_systemd_contexts_path)
     hidden_proto(selinux_path)
     hidden_proto(selinux_check_passwd_access)
-- 
2.4.1
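As an added example, not part of Petr's patch or of OpenSSH, here is a sketch of how a consumer such as sshd could replace a hardcoded privsep type with a value read from the file that selinux_openssh_contexts_path() points to, falling back to the compiled-in type when the file is missing or malformed. The file format is an assumption made for this example (the patch defines only the path): "key=value" lines with '#' comments and a "privsep_preauth" key for the preauthentication type. The parser works on an in-memory buffer so it runs without libselinux, and all sample contents are constructed.

```c
/* Added example (not libselinux or OpenSSH code): resolve the sshd
 * preauth privsep type from an openssh_contexts-style file, falling
 * back to the compiled-in default.  The "key=value" format and the
 * "privsep_preauth" key are assumptions for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TYPE_MAX 256

/* Compiled-in default, i.e. today's hardcoded value, kept as the fallback. */
static const char default_privsep_type[] = "sshd_net_t";

/* Constructed sample of the assumed file format; not a real file from
 * any distribution.  A real caller would read the file named by
 * selinux_openssh_contexts_path() into a buffer like this one. */
static const char sample_openssh_contexts[] =
    "# constructed sample: assumed key=value format\n"
    "privsep_preauth=sshd_net_t\n"
    "sftpd=sftp_t\n";

/* An SELinux type identifier: letters, digits and '_' only.  Rejecting
 * anything else keeps a malformed or tampered file from pushing spaces,
 * ':' or other context separators into a context string. */
static int valid_type_name(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_')
            return 0;
    return 1;
}

/* Find "key=value" in contents.  On a well-formed match copy the value
 * into out and return 1; return 0 when the key is absent or the value
 * is malformed, so the caller can fall back to the compiled default. */
int lookup_context_type(const char *contents, const char *key,
                        char *out, size_t outlen)
{
    size_t keylen = strlen(key);
    const char *line = contents;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        /* Comment lines and lines whose key or '=' do not match are skipped. */
        if (len > keylen + 1 && line[0] != '#' &&
            strncmp(line, key, keylen) == 0 && line[keylen] == '=') {
            size_t vlen = len - keylen - 1;
            if (vlen >= outlen)
                return 0;               /* oversized value: treat as malformed */
            memcpy(out, line + keylen + 1, vlen);
            out[vlen] = '\0';
            while (vlen > 0 && isspace((unsigned char)out[vlen - 1]))
                out[--vlen] = '\0';     /* tolerate trailing CR / whitespace */
            return valid_type_name(out);
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return 0;
}

/* The configured preauth type if present and well-formed, otherwise the
 * hardcoded default.  Uses a static buffer for simplicity (not reentrant). */
const char *privsep_preauth_type(const char *contents)
{
    static char buf[TYPE_MAX];

    if (lookup_context_type(contents, "privsep_preauth", buf, sizeof buf))
        return buf;
    return default_privsep_type;
}

int main(void)
{
    printf("sample file -> %s\n", privsep_preauth_type(sample_openssh_contexts));
    printf("empty file  -> %s\n", privsep_preauth_type(""));
    return 0;
}
```

A real caller would fopen() the path returned by selinux_openssh_contexts_path(), read it into a buffer and hand that to privsep_preauth_type(); treating an absent or unparsable file as "use the default" keeps a missing policy file from breaking sshd startup, and the identifier check keeps a mangled file from smuggling separators into a context string.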


* Re: [PATCH] libselinux: add selinux_openssh_contexts_path()
  2015-05-21 16:14 [PATCH] libselinux: add selinux_openssh_contexts_path() Petr Lautrbach
@ 2015-05-21 16:24 ` Dominick Grift
  2015-05-21 16:53   ` Dominick Grift
  2015-05-21 16:31 ` Dominick Grift
  2015-05-21 17:12 ` Stephen Smalley
  2 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2015-05-21 16:24 UTC (permalink / raw)
  To: selinux


On Thu, May 21, 2015 at 06:14:22PM +0200, Petr Lautrbach wrote:
> openssh in Fedora uses the "sshd_net_t" type for privilege-separated
> processes in the preauthentication phase. Similarly, openssh portable uses
> "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
> Therefore selinux_openssh_contexts_path() was created to get a path where sshd
> can get the correct types prepared by a distribution or an administrator.

I requested this feature and I am using this feature in my personal policy. So hereby my ACK, for what it is worth.

However:

That SYSTEMD_CONTEXTS though, that must have been a mistake?

I do not believe that this is used or that it is needed/wanted.

> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>  libselinux/include/selinux/selinux.h |  1 +
>  libselinux/src/file_path_suffixes.h  |  1 +
>  libselinux/src/selinux_config.c      | 12 ++++++++++--
>  libselinux/src/selinux_internal.h    |  1 +
>  4 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index d0eb5c6..4beb170 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -543,6 +543,7 @@ extern const char *selinux_virtual_image_context_path(void);
>  extern const char *selinux_lxc_contexts_path(void);
>  extern const char *selinux_x_context_path(void);
>  extern const char *selinux_sepgsql_context_path(void);
> +extern const char *selinux_openssh_contexts_path(void);
>  extern const char *selinux_systemd_contexts_path(void);
>  extern const char *selinux_contexts_path(void);
>  extern const char *selinux_securetty_types_path(void);
> diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
> index 3c92424..d1f9b48 100644
> --- a/libselinux/src/file_path_suffixes.h
> +++ b/libselinux/src/file_path_suffixes.h
> @@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
>      S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
>      S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
>      S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
> +    S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
>      S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
>      S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
>      S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
> diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
> index 0a80141..bec5f3b 100644
> --- a/libselinux/src/selinux_config.c
> +++ b/libselinux/src/selinux_config.c
> @@ -48,8 +48,9 @@
>  #define FILE_CONTEXT_SUBS_DIST 25
>  #define LXC_CONTEXTS      26
>  #define BOOLEAN_SUBS      27
> -#define SYSTEMD_CONTEXTS  28
> -#define NEL               29
> +#define OPENSSH_CONTEXTS  28
> +#define SYSTEMD_CONTEXTS  29
> +#define NEL               30
>  
>  /* Part of one-time lazy init */
>  static pthread_once_t once = PTHREAD_ONCE_INIT;
> @@ -491,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
>  
>  hidden_def(selinux_lxc_contexts_path)
>  
> +const char *selinux_openssh_contexts_path(void)
> +{
> +    return get_path(OPENSSH_CONTEXTS);
> +}
> +
> +hidden_def(selinux_openssh_contexts_path)
> +
>  const char *selinux_systemd_contexts_path(void)
>  {
>  	return get_path(SYSTEMD_CONTEXTS);
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 0abf1b4..844e408 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -83,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
>      hidden_proto(selinux_media_context_path)
>      hidden_proto(selinux_x_context_path)
>      hidden_proto(selinux_sepgsql_context_path)
> +    hidden_proto(selinux_openssh_contexts_path)
>      hidden_proto(selinux_systemd_contexts_path)
>      hidden_proto(selinux_path)
>      hidden_proto(selinux_check_passwd_access)
> -- 
> 2.4.1
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* Re: [PATCH] libselinux: add selinux_openssh_contexts_path()
  2015-05-21 16:14 [PATCH] libselinux: add selinux_openssh_contexts_path() Petr Lautrbach
  2015-05-21 16:24 ` Dominick Grift
@ 2015-05-21 16:31 ` Dominick Grift
  2015-05-21 17:07   ` Petr Lautrbach
  2015-05-21 17:12 ` Stephen Smalley
  2 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2015-05-21 16:31 UTC (permalink / raw)
  To: selinux


On Thu, May 21, 2015 at 06:14:22PM +0200, Petr Lautrbach wrote:
> openssh in Fedora uses the "sshd_net_t" type for privilege-separated
> processes in the preauthentication phase. Similarly, openssh portable uses
> "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
> Therefore selinux_openssh_contexts_path() was created to get a path where sshd
> can get the correct types prepared by a distribution or an administrator.
> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>  libselinux/include/selinux/selinux.h |  1 +
>  libselinux/src/file_path_suffixes.h  |  1 +
>  libselinux/src/selinux_config.c      | 12 ++++++++++--
>  libselinux/src/selinux_internal.h    |  1 +
>  4 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index d0eb5c6..4beb170 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -543,6 +543,7 @@ extern const char *selinux_virtual_image_context_path(void);
>  extern const char *selinux_lxc_contexts_path(void);
>  extern const char *selinux_x_context_path(void);
>  extern const char *selinux_sepgsql_context_path(void);
> +extern const char *selinux_openssh_contexts_path(void);
>  extern const char *selinux_systemd_contexts_path(void);
>  extern const char *selinux_contexts_path(void);
>  extern const char *selinux_securetty_types_path(void);
> diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
> index 3c92424..d1f9b48 100644
> --- a/libselinux/src/file_path_suffixes.h
> +++ b/libselinux/src/file_path_suffixes.h
> @@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
>      S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
>      S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
>      S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
> +    S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
>      S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
>      S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
>      S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
> diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
> index 0a80141..bec5f3b 100644
> --- a/libselinux/src/selinux_config.c
> +++ b/libselinux/src/selinux_config.c
> @@ -48,8 +48,9 @@
>  #define FILE_CONTEXT_SUBS_DIST 25
>  #define LXC_CONTEXTS      26
>  #define BOOLEAN_SUBS      27
> -#define SYSTEMD_CONTEXTS  28
> -#define NEL               29
> +#define OPENSSH_CONTEXTS  28
> +#define SYSTEMD_CONTEXTS  29
> +#define NEL               30

How come openssh_context becomes version 28 and systemd_contexts changes from 28 to 29?

>  
>  /* Part of one-time lazy init */
>  static pthread_once_t once = PTHREAD_ONCE_INIT;
> @@ -491,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
>  
>  hidden_def(selinux_lxc_contexts_path)
>  
> +const char *selinux_openssh_contexts_path(void)
> +{
> +    return get_path(OPENSSH_CONTEXTS);
> +}
> +
> +hidden_def(selinux_openssh_contexts_path)
> +
>  const char *selinux_systemd_contexts_path(void)
>  {
>  	return get_path(SYSTEMD_CONTEXTS);
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 0abf1b4..844e408 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -83,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
>      hidden_proto(selinux_media_context_path)
>      hidden_proto(selinux_x_context_path)
>      hidden_proto(selinux_sepgsql_context_path)
> +    hidden_proto(selinux_openssh_contexts_path)
>      hidden_proto(selinux_systemd_contexts_path)
>      hidden_proto(selinux_path)
>      hidden_proto(selinux_check_passwd_access)
> -- 
> 2.4.1
> 

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* Re: [PATCH] libselinux: add selinux_openssh_contexts_path()
  2015-05-21 16:24 ` Dominick Grift
@ 2015-05-21 16:53   ` Dominick Grift
  2015-05-21 18:02     ` Stephen Smalley
  0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2015-05-21 16:53 UTC (permalink / raw)
  To: selinux


On Thu, May 21, 2015 at 06:24:41PM +0200, Dominick Grift wrote:
> On Thu, May 21, 2015 at 06:14:22PM +0200, Petr Lautrbach wrote:
> > openssh in Fedora uses the "sshd_net_t" type for privilege-separated
> > processes in the preauthentication phase. Similarly, openssh portable uses
> > "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
> > Therefore selinux_openssh_contexts_path() was created to get a path where sshd
> > can get the correct types prepared by a distribution or an administrator.
> 
> I requested this feature and I am using this feature in my personal policy. So hereby my ACK, for what it is worth.
> 
> However:
> 
> That SYSTEMD_CONTEXTS though, that must have been a mistake?

As far as I am concerned this commit should be reverted:

https://github.com/SELinuxProject/selinux/commit/ce2a8848ad45e375cfdb58cebe28bc12431bb3db

I just did a grep -ri systemd_contexts in the systemd repository and nothing returned. I also cannot place that commit message.

> 
> I do not believe that this is used or that it is needed/wanted.
> 
> > 
> > Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> > ---
> >  libselinux/include/selinux/selinux.h |  1 +
> >  libselinux/src/file_path_suffixes.h  |  1 +
> >  libselinux/src/selinux_config.c      | 12 ++++++++++--
> >  libselinux/src/selinux_internal.h    |  1 +
> >  4 files changed, 13 insertions(+), 2 deletions(-)
> > 
> > diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> > index d0eb5c6..4beb170 100644
> > --- a/libselinux/include/selinux/selinux.h
> > +++ b/libselinux/include/selinux/selinux.h
> > @@ -543,6 +543,7 @@ extern const char *selinux_virtual_image_context_path(void);
> >  extern const char *selinux_lxc_contexts_path(void);
> >  extern const char *selinux_x_context_path(void);
> >  extern const char *selinux_sepgsql_context_path(void);
> > +extern const char *selinux_openssh_contexts_path(void);
> >  extern const char *selinux_systemd_contexts_path(void);
> >  extern const char *selinux_contexts_path(void);
> >  extern const char *selinux_securetty_types_path(void);
> > diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
> > index 3c92424..d1f9b48 100644
> > --- a/libselinux/src/file_path_suffixes.h
> > +++ b/libselinux/src/file_path_suffixes.h
> > @@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
> >      S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
> >      S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
> >      S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
> > +    S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
> >      S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
> >      S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
> >      S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
> > diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
> > index 0a80141..bec5f3b 100644
> > --- a/libselinux/src/selinux_config.c
> > +++ b/libselinux/src/selinux_config.c
> > @@ -48,8 +48,9 @@
> >  #define FILE_CONTEXT_SUBS_DIST 25
> >  #define LXC_CONTEXTS      26
> >  #define BOOLEAN_SUBS      27
> > -#define SYSTEMD_CONTEXTS  28
> > -#define NEL               29
> > +#define OPENSSH_CONTEXTS  28
> > +#define SYSTEMD_CONTEXTS  29
> > +#define NEL               30
> >  
> >  /* Part of one-time lazy init */
> >  static pthread_once_t once = PTHREAD_ONCE_INIT;
> > @@ -491,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
> >  
> >  hidden_def(selinux_lxc_contexts_path)
> >  
> > +const char *selinux_openssh_contexts_path(void)
> > +{
> > +    return get_path(OPENSSH_CONTEXTS);
> > +}
> > +
> > +hidden_def(selinux_openssh_contexts_path)
> > +
> >  const char *selinux_systemd_contexts_path(void)
> >  {
> >  	return get_path(SYSTEMD_CONTEXTS);
> > diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> > index 0abf1b4..844e408 100644
> > --- a/libselinux/src/selinux_internal.h
> > +++ b/libselinux/src/selinux_internal.h
> > @@ -83,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
> >      hidden_proto(selinux_media_context_path)
> >      hidden_proto(selinux_x_context_path)
> >      hidden_proto(selinux_sepgsql_context_path)
> > +    hidden_proto(selinux_openssh_contexts_path)
> >      hidden_proto(selinux_systemd_contexts_path)
> >      hidden_proto(selinux_path)
> >      hidden_proto(selinux_check_passwd_access)
> > -- 
> > 2.4.1
> > 
> 
> -- 
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
> Dominick Grift



-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* Re: [PATCH] libselinux: add selinux_openssh_contexts_path()
  2015-05-21 16:31 ` Dominick Grift
@ 2015-05-21 17:07   ` Petr Lautrbach
  0 siblings, 0 replies; 8+ messages in thread
From: Petr Lautrbach @ 2015-05-21 17:07 UTC (permalink / raw)
  To: selinux


On 21.5.2015 at 18:31, Dominick Grift wrote:
>> diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
>> index 0a80141..bec5f3b 100644
>> --- a/libselinux/src/selinux_config.c
>> +++ b/libselinux/src/selinux_config.c
>> @@ -48,8 +48,9 @@
>>  #define FILE_CONTEXT_SUBS_DIST 25
>>  #define LXC_CONTEXTS      26
>>  #define BOOLEAN_SUBS      27
>> -#define SYSTEMD_CONTEXTS  28
>> -#define NEL               29
>> +#define OPENSSH_CONTEXTS  28
>> +#define SYSTEMD_CONTEXTS  29
>> +#define NEL               30
> 
> How come openssh_context becomes version 28 and systemd_contexts changes from 28 to 29?

It's just an internal "index" into the static file_path_suffixes_data. Since it's
not exported and is used only in libselinux/src/selinux_config.c,
the idea was to keep alphabetical order, therefore it's put before
SYSTEMD_CONTEXTS.

Maybe it would be better to just add new values to the end of the list.

Petr

> 
>>  
>>  /* Part of one-time lazy init */
>>  static pthread_once_t once = PTHREAD_ONCE_INIT;
>> @@ -491,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
>>  
>>  hidden_def(selinux_lxc_contexts_path)
>>  
>> +const char *selinux_openssh_contexts_path(void)
>> +{
>> +    return get_path(OPENSSH_CONTEXTS);
>> +}
>> +
>> +hidden_def(selinux_openssh_contexts_path)
>> +
>>  const char *selinux_systemd_contexts_path(void)
>>  {
>>  	return get_path(SYSTEMD_CONTEXTS);
>> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
>> index 0abf1b4..844e408 100644
>> --- a/libselinux/src/selinux_internal.h
>> +++ b/libselinux/src/selinux_internal.h
>> @@ -83,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
>>      hidden_proto(selinux_media_context_path)
>>      hidden_proto(selinux_x_context_path)
>>      hidden_proto(selinux_sepgsql_context_path)
>> +    hidden_proto(selinux_openssh_contexts_path)
>>      hidden_proto(selinux_systemd_contexts_path)
>>      hidden_proto(selinux_path)
>>      hidden_proto(selinux_check_passwd_access)
>> -- 
>> 2.4.1
>>


-- 
Petr Lautrbach
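To illustrate the coupling Petr describes, here is an added stand-alone model of a positionally indexed suffix table (example code, not libselinux's; the names PATH_LIST, path_suffix, lookup_path, example_path and the _IDX enumerators are this example's own, and the root directory is a constructed value). It generates the index enum and the string table from one X-macro list, so inserting OPENSSH_CONTEXTS in alphabetical position or at the end renumbers both sides at once, and a compile-time size check catches a future edit that updates only one of them.

```c
/* Added example (not libselinux code): a model of how a positional
 * suffix table like file_path_suffixes_data is indexed, and how one
 * X-macro list keeps the index numbers and the S_()-style string
 * entries from drifting apart.  All names here are the example's own. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One list drives both the enum and the table.  Inserting a new entry
 * anywhere in this list renumbers everything after it on both sides. */
#define PATH_LIST(X)                                          \
    X(LXC_CONTEXTS_IDX,     "/contexts/lxc_contexts")         \
    X(OPENSSH_CONTEXTS_IDX, "/contexts/openssh_contexts")     \
    X(SYSTEMD_CONTEXTS_IDX, "/contexts/systemd_contexts")

#define AS_ENUM(name, suffix)   name,
#define AS_STRING(name, suffix) suffix,

enum path_index {
    PATH_LIST(AS_ENUM)
    NEL_IDX                 /* one past the last index, like NEL in selinux_config.c */
};

static const char *const path_suffix[] = {
    PATH_LIST(AS_STRING)
};

/* Compile-time check: the table must have exactly NEL_IDX entries.
 * The array type has size -1 (a compile error) when the counts differ. */
typedef char table_matches_nel[
    (sizeof(path_suffix) / sizeof(path_suffix[0]) == NEL_IDX) ? 1 : -1];

/* Constructed example root; libselinux derives the real one from its config. */
static const char selinux_root[] = "/etc/selinux/targeted";

/* Build "<root><suffix>" for idx into buf.  Returns buf, or NULL when
 * the index is out of range or buf is too small, so a caller gets an
 * explicit failure instead of a read past the end of the table. */
const char *lookup_path(unsigned idx, char *buf, size_t buflen)
{
    int n;

    if (idx >= NEL_IDX)
        return NULL;
    n = snprintf(buf, buflen, "%s%s", selinux_root, path_suffix[idx]);
    if (n < 0 || (size_t)n >= buflen)
        return NULL;
    return buf;
}

/* Convenience wrapper with a static buffer so results can be compared
 * directly; not reentrant, which is fine for an example. */
const char *example_path(unsigned idx)
{
    static char buf[128];

    return lookup_path(idx, buf, sizeof buf);
}

int main(void)
{
    unsigned i;

    for (i = 0; i < NEL_IDX; i++)
        printf("%u -> %s\n", i, example_path(i));
    return 0;
}
```

With a single generating list, the renumbering Dominick asked about happens in the compiler rather than by hand: the numbers stay internal either way, and appending versus inserting becomes a pure style choice with no chance of a one-sided update.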




* Re: [PATCH] libselinux: add selinux_openssh_contexts_path()
  2015-05-21 16:14 [PATCH] libselinux: add selinux_openssh_contexts_path() Petr Lautrbach
  2015-05-21 16:24 ` Dominick Grift
  2015-05-21 16:31 ` Dominick Grift
@ 2015-05-21 17:12 ` Stephen Smalley
  2 siblings, 0 replies; 8+ messages in thread
From: Stephen Smalley @ 2015-05-21 17:12 UTC (permalink / raw)
  To: Petr Lautrbach, selinux

On 05/21/2015 12:14 PM, Petr Lautrbach wrote:
> openssh in Fedora uses the "sshd_net_t" type for privilege-separated
> processes in the preauthentication phase. Similarly, openssh portable uses
> "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
> Therefore selinux_openssh_contexts_path() was created to get a path where sshd
> can get the correct types prepared by a distribution or an administrator.
> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Thanks, applied.

> ---
>  libselinux/include/selinux/selinux.h |  1 +
>  libselinux/src/file_path_suffixes.h  |  1 +
>  libselinux/src/selinux_config.c      | 12 ++++++++++--
>  libselinux/src/selinux_internal.h    |  1 +
>  4 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index d0eb5c6..4beb170 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -543,6 +543,7 @@ extern const char *selinux_virtual_image_context_path(void);
>  extern const char *selinux_lxc_contexts_path(void);
>  extern const char *selinux_x_context_path(void);
>  extern const char *selinux_sepgsql_context_path(void);
> +extern const char *selinux_openssh_contexts_path(void);
>  extern const char *selinux_systemd_contexts_path(void);
>  extern const char *selinux_contexts_path(void);
>  extern const char *selinux_securetty_types_path(void);
> diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
> index 3c92424..d1f9b48 100644
> --- a/libselinux/src/file_path_suffixes.h
> +++ b/libselinux/src/file_path_suffixes.h
> @@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
>      S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
>      S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
>      S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
> +    S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
>      S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
>      S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
>      S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
> diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
> index 0a80141..bec5f3b 100644
> --- a/libselinux/src/selinux_config.c
> +++ b/libselinux/src/selinux_config.c
> @@ -48,8 +48,9 @@
>  #define FILE_CONTEXT_SUBS_DIST 25
>  #define LXC_CONTEXTS      26
>  #define BOOLEAN_SUBS      27
> -#define SYSTEMD_CONTEXTS  28
> -#define NEL               29
> +#define OPENSSH_CONTEXTS  28
> +#define SYSTEMD_CONTEXTS  29
> +#define NEL               30
>  
>  /* Part of one-time lazy init */
>  static pthread_once_t once = PTHREAD_ONCE_INIT;
> @@ -491,6 +492,13 @@ const char *selinux_lxc_contexts_path(void)
>  
>  hidden_def(selinux_lxc_contexts_path)
>  
> +const char *selinux_openssh_contexts_path(void)
> +{
> +    return get_path(OPENSSH_CONTEXTS);
> +}
> +
> +hidden_def(selinux_openssh_contexts_path)
> +
>  const char *selinux_systemd_contexts_path(void)
>  {
>  	return get_path(SYSTEMD_CONTEXTS);
> diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
> index 0abf1b4..844e408 100644
> --- a/libselinux/src/selinux_internal.h
> +++ b/libselinux/src/selinux_internal.h
> @@ -83,6 +83,7 @@ hidden_proto(selinux_mkload_policy)
>      hidden_proto(selinux_media_context_path)
>      hidden_proto(selinux_x_context_path)
>      hidden_proto(selinux_sepgsql_context_path)
> +    hidden_proto(selinux_openssh_contexts_path)
>      hidden_proto(selinux_systemd_contexts_path)
>      hidden_proto(selinux_path)
>      hidden_proto(selinux_check_passwd_access)
> 


* Re: [PATCH] libselinux: add selinux_openssh_contexts_path()
  2015-05-21 16:53   ` Dominick Grift
@ 2015-05-21 18:02     ` Stephen Smalley
  2015-05-21 18:14       ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: Stephen Smalley @ 2015-05-21 18:02 UTC (permalink / raw)
  To: selinux, dac.override

On 05/21/2015 12:53 PM, Dominick Grift wrote:
> On Thu, May 21, 2015 at 06:24:41PM +0200, Dominick Grift wrote:
>> On Thu, May 21, 2015 at 06:14:22PM +0200, Petr Lautrbach wrote:
>>> openssh in Fedora uses the "sshd_net_t" type for privilege-separated
>>> processes in the preauthentication phase. Similarly, openssh portable uses
>>> "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
>>> Therefore selinux_openssh_contexts_path() was created to get a path where sshd
>>> can get the correct types prepared by a distribution or an administrator.
>>
>> I requested this feature and I am using this feature in my personal policy. So hereby my ACK, for what it is worth.
>>
>> However:
>>
>> That SYSTEMD_CONTEXTS though, that must have been a mistake?
> 
> As far as I am concerned this commit should be reverted:
> 
> https://github.com/SELinuxProject/selinux/commit/ce2a8848ad45e375cfdb58cebe28bc12431bb3db
> 
> I just did a grep -ri systemd_contexts in the systemd repository and nothing returned. I also cannot place that commit message.
> 
>>
>> I do not believe that this is used or that it is needed/wanted.

We can remove it as a separate change, but only if there are no users,
even in legacy distributions, as otherwise it would be an ABI break.


* Re: [PATCH] libselinux: add selinux_openssh_contexts_path()
  2015-05-21 18:02     ` Stephen Smalley
@ 2015-05-21 18:14       ` Dominick Grift
  0 siblings, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2015-05-21 18:14 UTC (permalink / raw)
  To: selinux


On Thu, May 21, 2015 at 02:02:10PM -0400, Stephen Smalley wrote:
> On 05/21/2015 12:53 PM, Dominick Grift wrote:
> > On Thu, May 21, 2015 at 06:24:41PM +0200, Dominick Grift wrote:
> >> On Thu, May 21, 2015 at 06:14:22PM +0200, Petr Lautrbach wrote:
> >>> openssh in Fedora uses the "sshd_net_t" type for privilege-separated
> >>> processes in the preauthentication phase. Similarly, openssh portable uses
> >>> "sftp_t" for internal-sftp processes. Both types are hardcoded, which is not ideal.
> >>> Therefore selinux_openssh_contexts_path() was created to get a path where sshd
> >>> can get the correct types prepared by a distribution or an administrator.
> >>
> >> I requested this feature and I am using this feature in my personal policy. So hereby my ACK, for what it is worth.
> >>
> >> However:
> >>
> >> That SYSTEMD_CONTEXTS though, that must have been a mistake?
> > 
> > As far as I am concerned this commit should be reverted:
> > 
> > https://github.com/SELinuxProject/selinux/commit/ce2a8848ad45e375cfdb58cebe28bc12431bb3db
> > 
> > I just did a grep -ri systemd_contexts in the systemd repository and nothing returned. I also cannot place that commit message.
> > 
> >>
> >> I do not believe that this is used or that it is needed/wanted.
> 
> We can remove it as a separate change, but only if there are no users,
> even in legacy distributions, as otherwise it would be an ABI break.
> 
> 

I do not believe this was ever used. Am I right, Dan?

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

