[PATCH v2 0/3] Add support for extracting modules

[PATCH v2 0/3] Add support for extracting modules

[Yuli Khodorkovskiy]

This patchset adds support for extracting modules from the module store as hll
or cil to the current working directory. This also adds a function to the
libsemanage API to extract modules and fixes a memory leak discovered while
implementing this functionality.

Changes from v1:
- Add fallback behavior if a module does not exist at the default priority when
extracting with semodule.

Yuli Khodorkovskiy (3):
  libsemanage: Add ability to extract modules
  libsemanage: Fix null pointer dereference in
    semanage_module_key_destroy
  policycoreutils/semodule: update semodule to allow extracting modules

 libsemanage/include/semanage/modules.h |  17 ++
 libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
 libsemanage/src/libsemanage.map        |   1 +
 libsemanage/src/modules.c              |  23 ++-
 libsemanage/src/policy.h               |   8 +
 libsemanage/src/semanageswig_python.i  |   5 +
 policycoreutils/semodule/semodule.8    |  14 ++
 policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
 8 files changed, 416 insertions(+), 108 deletions(-)

-- 
1.9.3

[PATCH v2 1/3] libsemanage: Add ability to extract modules

[Yuli Khodorkovskiy]

Add semanage_module_extract() to extract a module as CIL or HLL. The
function takes a module name and whether to extract as CIL or HLL.

If a CIL file is requested, but does not exist, semanage_module_extract()
will compile the HLL to CIL and cache the CIL in the store as well as
extract the module. A module that was installed from a CIL file will export
as CIL when the HLL version of the file is requested.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
---
 libsemanage/include/semanage/modules.h |  17 ++
 libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
 libsemanage/src/libsemanage.map        |   1 +
 libsemanage/src/modules.c              |  17 ++
 libsemanage/src/policy.h               |   8 +
 libsemanage/src/semanageswig_python.i  |   5 +
 6 files changed, 256 insertions(+), 102 deletions(-)

diff --git a/libsemanage/include/semanage/modules.h b/libsemanage/include/semanage/modules.h
index 4267bd2..4b93e54 100644
--- a/libsemanage/include/semanage/modules.h
+++ b/libsemanage/include/semanage/modules.h
@@ -24,6 +24,7 @@
 #include <stddef.h>
 #include <stdint.h>
 #include <semanage/handle.h>
+#include <sys/types.h>
 
 typedef struct semanage_module_key semanage_module_key_t;
 
@@ -41,6 +42,22 @@ int semanage_module_remove(semanage_handle_t *, char *module_name);
    modules, only name at this time */
 typedef struct semanage_module_info semanage_module_info_t;
 
+/* Look up a module using @modkey. The module's raw data is returned as a
+ * @mapped_data blob and size of the mapped_data is returned as @data_len.
+ * @modinfo contains additional information which can be used by the caller such
+ * as the high level language extension of @mapped_data.
+ *
+ * On success, the caller is responsible for unmapping @mapped_data with munmap(),
+ * destroying @modinfo with semanage_module_info_destroy(), and freeing @modinfo.
+ *
+ * Returns 0 on success and -1 on error.
+ */
+int semanage_module_extract(semanage_handle_t *sh,
+				 semanage_module_key_t *modkey,
+				 int extract_cil,
+				 void **mapped_data,
+				 size_t *data_len,
+				 semanage_module_info_t **modinfo);
 int semanage_module_list(semanage_handle_t *,
 			 semanage_module_info_t **, int *num_modules);
 void semanage_module_info_datum_destroy(semanage_module_info_t *);
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index b11f2ba..90a7b22 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -66,6 +66,12 @@ static int semanage_direct_commit(semanage_handle_t * sh);
 static int semanage_direct_install(semanage_handle_t * sh, char *data,
 				   size_t data_len, const char *module_name, const char *lang_ext);
 static int semanage_direct_install_file(semanage_handle_t * sh, const char *module_name);
+static int semanage_direct_extract(semanage_handle_t * sh,
+					   semanage_module_key_t *modkey,
+					   int extract_cil,
+					   void **mapped_data,
+					   size_t *data_len,
+					   semanage_module_info_t **modinfo);
 static int semanage_direct_remove(semanage_handle_t * sh, char *module_name);
 static int semanage_direct_list(semanage_handle_t * sh,
 				semanage_module_info_t ** modinfo,
@@ -100,6 +106,7 @@ static struct semanage_policy_table direct_funcs = {
 	.begin_trans = semanage_direct_begintrans,
 	.commit = semanage_direct_commit,
 	.install = semanage_direct_install,
+	.extract = semanage_direct_extract,
 	.install_file = semanage_direct_install_file,
 	.remove = semanage_direct_remove,
 	.list = semanage_direct_list,
@@ -496,15 +503,32 @@ exit:
  * the file into '*data'.
  * Returns the total number of bytes in memory .
  * Returns -1 if file could not be opened or mapped. */
-static ssize_t map_file(semanage_handle_t *sh, int fd, char **data,
+static ssize_t map_file(semanage_handle_t *sh, const char *path, char **data,
 			int *compressed)
 {
 	ssize_t size = -1;
 	char *uncompress;
-	if ((size = bunzip(sh, fdopen(fd, "r"), &uncompress)) > 0) {
+	int fd = -1;
+	FILE *file = NULL;
+
+	fd = open(path, O_RDONLY);
+	if (fd == -1) {
+		ERR(sh, "Unable to open %s\n", path);
+		return -1;
+	}
+
+	file = fdopen(fd, "r");
+	if (file == NULL) {
+		ERR(sh, "Unable to open %s\n", path);
+		close(fd);
+		return -1;
+	}
+
+	if ((size = bunzip(sh, file, &uncompress)) > 0) {
 		*data = mmap(0, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0);
 		if (*data == MAP_FAILED) {
 			free(uncompress);
+			fclose(file);
 			return -1;
 		} else {
 			memcpy(*data, uncompress, size);
@@ -523,6 +547,8 @@ static ssize_t map_file(semanage_handle_t *sh, int fd, char **data,
 		*compressed = 0;
 	} 
 
+	fclose(file);
+
 	return size;
 }
 
@@ -886,9 +912,8 @@ cleanup:
 	return ret;
 }
 
-static int semanage_compile_hll(semanage_handle_t *sh,
-				semanage_module_info_t *modinfos,
-				int num_modinfos)
+static int semanage_compile_module(semanage_handle_t *sh,
+				semanage_module_info_t *modinfo)
 {
 	char cil_path[PATH_MAX];
 	char hll_path[PATH_MAX];
@@ -901,125 +926,132 @@ static int semanage_compile_hll(semanage_handle_t *sh,
 	ssize_t hll_data_len = 0;
 	ssize_t bzip_status;
 	int status = 0;
-	int i, compressed;
-	int in_fd = -1;
+	int compressed;
 	size_t cil_data_len;
 	size_t err_data_len;
 
-	assert(sh);
-	assert(modinfos);
+	if (!strcasecmp(modinfo->lang_ext, "cil")) {
+		goto cleanup;
+	}
 
-	for (i = 0; i < num_modinfos; i++) {
-		if (!strcasecmp(modinfos[i].lang_ext, "cil")) {
-			continue;
-		}
+	status = semanage_get_hll_compiler_path(sh, modinfo->lang_ext, &compiler_path);
+	if (status != 0) {
+		goto cleanup;
+	}
 
-		status = semanage_module_get_path(
-				sh,
-				&modinfos[i],
-				SEMANAGE_MODULE_PATH_CIL,
-				cil_path,
-				sizeof(cil_path));
-		if (status != 0) {
-			goto cleanup;
+	status = semanage_module_get_path(
+			sh,
+			modinfo,
+			SEMANAGE_MODULE_PATH_CIL,
+			cil_path,
+			sizeof(cil_path));
+	if (status != 0) {
+		goto cleanup;
+	}
+
+	status = semanage_module_get_path(
+			sh,
+			modinfo,
+			SEMANAGE_MODULE_PATH_HLL,
+			hll_path,
+			sizeof(hll_path));
+	if (status != 0) {
+		goto cleanup;
+	}
+
+	if ((hll_data_len = map_file(sh, hll_path, &hll_data, &compressed)) <= 0) {
+		ERR(sh, "Unable to read file %s\n", hll_path);
+		status = -1;
+		goto cleanup;
+	}
+
+	status = semanage_pipe_data(sh, compiler_path, hll_data, (size_t)hll_data_len, &cil_data, &cil_data_len, &err_data, &err_data_len);
+	if (err_data_len > 0) {
+		for (start = end = err_data; end < err_data + err_data_len; end++) {
+			if (*end == '\n') {
+				fprintf(stderr, "%s: ", modinfo->name);
+				fwrite(start, 1, end - start + 1, stderr);
+				start = end + 1;
+			}
 		}
 
-		if (semanage_get_ignore_module_cache(sh) == 0 &&
-			access(cil_path, F_OK) == 0) {
-			continue;
+		if (end != start) {
+			fprintf(stderr, "%s: ", modinfo->name);
+			fwrite(start, 1, end - start, stderr);
+			fprintf(stderr, "\n");
 		}
+	}
+	if (status != 0) {
+		goto cleanup;
+	}
+
+	bzip_status = bzip(sh, cil_path, cil_data, cil_data_len);
+	if (bzip_status == -1) {
+		ERR(sh, "Failed to bzip %s\n", cil_path);
+		status = -1;
+		goto cleanup;
+	}
 
-		status = semanage_get_hll_compiler_path(sh, modinfos[i].lang_ext, &compiler_path);
+	if (sh->conf->remove_hll == 1) {
+		status = unlink(hll_path);
 		if (status != 0) {
+			ERR(sh, "Error while removing HLL file %s: %s", hll_path, strerror(errno));
 			goto cleanup;
 		}
 
-		status = semanage_module_get_path(
-				sh,
-				&modinfos[i],
-				SEMANAGE_MODULE_PATH_HLL,
-				hll_path,
-				sizeof(hll_path));
+		status = semanage_direct_write_langext(sh, "cil", modinfo);
 		if (status != 0) {
 			goto cleanup;
 		}
+	}
 
-		if ((in_fd = open(hll_path, O_RDONLY)) == -1) {
-			ERR(sh, "Unable to open %s\n", hll_path);
-			status = -1;
-			goto cleanup;
-		}
+cleanup:
+	if (hll_data_len > 0) {
+		munmap(hll_data, hll_data_len);
+	}
+	free(cil_data);
+	free(err_data);
+	free(compiler_path);
 
-		if ((hll_data_len = map_file(sh, in_fd, &hll_data, &compressed)) <= 0) {
-			ERR(sh, "Unable to read file %s\n", hll_path);
-			status = -1;
-			goto cleanup;
-		}
+	return status;
+}
 
-		if (in_fd >= 0) close(in_fd);
-		in_fd = -1;
+static int semanage_compile_hll_modules(semanage_handle_t *sh,
+				semanage_module_info_t *modinfos,
+				int num_modinfos)
+{
+	int status = 0;
+	int i;
+	char cil_path[PATH_MAX];
 
-		status = semanage_pipe_data(sh, compiler_path, hll_data, (size_t)hll_data_len, &cil_data, &cil_data_len, &err_data, &err_data_len);
-		if (err_data_len > 0) {
-			for (start = end = err_data; end < err_data + err_data_len; end++) {
-				if (*end == '\n') {
-					fprintf(stderr, "%s: ", modinfos[i].name);
-					fwrite(start, 1, end - start + 1, stderr);
-					start = end + 1;
-				}
-			}
+	assert(sh);
+	assert(modinfos);
 
-			if (end != start) {
-				fprintf(stderr, "%s: ", modinfos[i].name);
-				fwrite(start, 1, end - start, stderr);
-				fprintf(stderr, "\n");
-			}
-		}
+	for (i = 0; i < num_modinfos; i++) {
+		status = semanage_module_get_path(
+				sh,
+				&modinfos[i],
+				SEMANAGE_MODULE_PATH_CIL,
+				cil_path,
+				sizeof(cil_path));
 		if (status != 0) {
 			goto cleanup;
 		}
 
-		if (sh->conf->remove_hll == 1) {
-			status = unlink(hll_path);
-			if (status != 0) {
-				ERR(sh, "Error while removing HLL file %s: %s", hll_path, strerror(errno));
-				goto cleanup;
-			}
-
-			status = semanage_direct_write_langext(sh, "cil", &modinfos[i]);
-			if (status != 0) {
-				goto cleanup;
-			}
+		if (semanage_get_ignore_module_cache(sh) == 0 &&
+				access(cil_path, F_OK) == 0) {
+			continue;
 		}
 
-		bzip_status = bzip(sh, cil_path, cil_data, cil_data_len);
-		if (bzip_status == -1) {
-			ERR(sh, "Failed to bzip %s\n", cil_path);
-			status = -1;
+		status = semanage_compile_module(sh, &modinfos[i]);
+		if (status < 0) {
 			goto cleanup;
 		}
-
-		if (hll_data_len > 0) munmap(hll_data, hll_data_len);
-		hll_data_len = 0;
-
-		free(cil_data);
-		free(err_data);
-		free(compiler_path);
-		cil_data = NULL;
-		err_data = NULL;
-		compiler_path = NULL;
-		cil_data_len = 0;
-		err_data_len = 0;
 	}
 
 	status = 0;
 
 cleanup:
-	if (hll_data_len > 0) munmap(hll_data, hll_data_len);
-	if (in_fd >= 0) close(in_fd);
-	free(cil_data);
-	free(err_data);
-	free(compiler_path);
 	return status;
 }
 
@@ -1179,7 +1211,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 			goto cleanup;
 		}
 
-		retval = semanage_compile_hll(sh, modinfos, num_modinfos);
+		retval = semanage_compile_hll_modules(sh, modinfos, num_modinfos);
 		if (retval < 0) {
 			ERR(sh, "Failed to compile hll files into cil files.\n");
 			goto cleanup;
@@ -1492,19 +1524,12 @@ static int semanage_direct_install_file(semanage_handle_t * sh,
 	char *data = NULL;
 	ssize_t data_len = 0;
 	int compressed = 0;
-	int in_fd = -1;
 	char *path = NULL;
 	char *filename;
 	char *lang_ext = NULL;
 	char *separator;
 
-	if ((in_fd = open(install_filename, O_RDONLY)) == -1) {
-		ERR(sh, "Unable to open %s: %s\n", install_filename, strerror(errno));
-		retval = -1;
-		goto cleanup;
-	}
-
-	if ((data_len = map_file(sh, in_fd, &data, &compressed)) <= 0) {
+	if ((data_len = map_file(sh, install_filename, &data, &compressed)) <= 0) {
 		ERR(sh, "Unable to read file %s\n", install_filename);
 		retval = -1;
 		goto cleanup;
@@ -1545,15 +1570,96 @@ static int semanage_direct_install_file(semanage_handle_t * sh,
 	retval = semanage_direct_install(sh, data, data_len, filename, lang_ext);
 
 cleanup:
-	if (in_fd != -1) {
-		close(in_fd);
-	}
 	if (data_len > 0) munmap(data, data_len);
 	free(path);
 
 	return retval;
 }
 
+static int semanage_direct_extract(semanage_handle_t * sh,
+				   semanage_module_key_t *modkey,
+				   int extract_cil,
+				   void **mapped_data,
+				   size_t *data_len,
+				   semanage_module_info_t **modinfo)
+{
+	char module_path[PATH_MAX];
+	char input_file[PATH_MAX];
+	enum semanage_module_path_type file_type;
+	int rc = -1;
+	semanage_module_info_t *_modinfo = NULL;
+	ssize_t _data_len;
+	char *_data;
+	int compressed;
+
+	/* get path of module */
+	rc = semanage_module_get_path(
+			sh,
+			(const semanage_module_info_t *)modkey,
+			SEMANAGE_MODULE_PATH_NAME,
+			module_path,
+			sizeof(module_path));
+	if (rc != 0) {
+		goto cleanup;
+	}
+
+	if (access(module_path, F_OK) != 0) {
+		ERR(sh, "Module does not exist: %s", module_path);
+		rc = -1;
+		goto cleanup;
+	}
+
+	rc = semanage_module_get_module_info(sh,
+			modkey,
+			&_modinfo);
+	if (rc != 0) {
+		goto cleanup;
+	}
+
+	if (extract_cil || strcmp(_modinfo->lang_ext, "cil") == 0) {
+		file_type = SEMANAGE_MODULE_PATH_CIL;
+	} else {
+		file_type = SEMANAGE_MODULE_PATH_HLL;
+	}
+
+	/* get path of what to extract */
+	rc = semanage_module_get_path(
+			sh,
+			_modinfo,
+			file_type,
+			input_file,
+			sizeof(input_file));
+	if (rc != 0) {
+		goto cleanup;
+	}
+
+	if (extract_cil == 1 && strcmp(_modinfo->lang_ext, "cil") && access(input_file, F_OK) != 0) {
+		rc = semanage_compile_module(sh, _modinfo);
+		if (rc < 0) {
+			goto cleanup;
+		}
+	}
+
+	_data_len = map_file(sh, input_file, &_data, &compressed);
+	if (_data_len <= 0) {
+		ERR(sh, "Error mapping file: %s", input_file);
+		rc = -1;
+		goto cleanup;
+	}
+
+	*modinfo = _modinfo;
+	*data_len = (size_t)_data_len;
+	*mapped_data = _data;
+
+cleanup:
+	if (rc != 0) {
+		semanage_module_info_destroy(sh, _modinfo);
+		free(_modinfo);
+	}
+
+	return rc;
+}
+
 /* Removes a module from the sandbox.  Returns 0 on success, -1 if out
  * of memory, -2 if module not found or could not be removed. */
 static int semanage_direct_remove(semanage_handle_t * sh, char *module_name)
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index 70f57f9..34b553d 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -30,6 +30,7 @@ LIBSEMANAGE_1.0 {
 LIBSEMANAGE_1.1 {
   global:
 	  semanage_module_install;
+	  semanage_module_extract;
 	  semanage_get_hll_compiler_path;
 	  semanage_get_ignore_module_cache;
 	  semanage_set_ignore_module_cache;
diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
index d29c346..131f502 100644
--- a/libsemanage/src/modules.c
+++ b/libsemanage/src/modules.c
@@ -142,6 +142,23 @@ int semanage_module_install_file(semanage_handle_t * sh,
 	return sh->funcs->install_file(sh, module_name);
 }
 
+int semanage_module_extract(semanage_handle_t * sh,
+				 semanage_module_key_t *modkey,
+				 int extract_cil,
+				 void **mapped_data,
+				 size_t *data_len,
+				 semanage_module_info_t **modinfo) {
+	if (sh->funcs->extract == NULL) {
+		ERR(sh,
+		    "No get function defined for this connection type.");
+		return -1;
+	} else if (!sh->is_connected) {
+		ERR(sh, "Not connected.");
+		return -1;
+	}
+	return sh->funcs->extract(sh, modkey, extract_cil, mapped_data, data_len, modinfo);
+}
+
 /* Legacy function that remains to preserve ABI
  * compatibility. Please use semanage_module_install instead.
  */
diff --git a/libsemanage/src/policy.h b/libsemanage/src/policy.h
index c5aec38..f127156 100644
--- a/libsemanage/src/policy.h
+++ b/libsemanage/src/policy.h
@@ -52,6 +52,14 @@ struct semanage_policy_table {
 	/* Install a policy module */
 	int (*install_file) (struct semanage_handle *, const char *);
 
+	/* Extract a policy module */
+	int (*extract) (struct semanage_handle *,
+				 semanage_module_key_t *,
+				 int extract_cil,
+				 void **,
+				 size_t *,
+				 semanage_module_info_t **);
+
 	/* Remove a policy module */
 	int (*remove) (struct semanage_handle *, char *);
 
diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
index 06b9408..1346b2e 100644
--- a/libsemanage/src/semanageswig_python.i
+++ b/libsemanage/src/semanageswig_python.i
@@ -23,6 +23,7 @@
 %header %{
 	#include <stdlib.h>
 	#include <semanage/semanage.h>
+	#include <sys/mman.h>
 
 	#define STATUS_SUCCESS 0
 	#define STATUS_ERR -1
@@ -103,6 +104,10 @@
 %apply int *OUTPUT { unsigned int * };
 %apply int *OUTPUT { uint16_t * };
 
+%include <cstring.i>
+/* This is needed to properly mmaped binary data in SWIG */
+%cstring_output_allocate_size(void **mapped_data, size_t *data_len, munmap(*$1, *$2));
+
 %typemap(in, numinputs=0) char **(char *temp=NULL) {
 	$1 = &temp;
 }
-- 
1.9.3

[PATCH v2 2/3] libsemanage: Fix null pointer dereference in semanage_module_key_destroy

[Yuli Khodorkovskiy]

If modkey is NULL, semanage_module_key_destroy() would still try to
initialize a modkey after freeing it.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
---
 libsemanage/src/modules.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
index 131f502..90c5e49 100644
--- a/libsemanage/src/modules.c
+++ b/libsemanage/src/modules.c
@@ -690,10 +690,12 @@ int semanage_module_key_destroy(semanage_handle_t *sh,
 {
 	assert(sh);
 
-	if (modkey) {
-		free(modkey->name);
+	if (!modkey) {
+		return 0;
 	}
 
+	free(modkey->name);
+
 	return semanage_module_key_init(sh, modkey);
 }
 
-- 
1.9.3

[PATCH v2 3/3] policycoreutils/semodule: update semodule to allow extracting modules

[Yuli Khodorkovskiy]

Add --extract/-E, --cil/-c, and --hll/-H to extract modules. If -c/-H
are not provided, the module will be output as HLL by default. Only
--cil or --hll (which will use the lang_ext in the semodule store) are valid
options to use with -E. The module is written to the current working directory
as <module_name>.<lang_ext>.

If a module exists as HLL and is exported as CIL, it will first compile into
CIL and cache to the module store. Once compiled, exporting will
continue.

If no priority is provided when extracting a module, then extraction at
the default priority, 400, will be attempted. If the module does not
exist at the default priority, then it will be exported at the highest
existing priority.

Examples:

Extract the wireshark module in a .cil format. If the module only exists
as HLL on the system, the module will be compiled into CIL and placed
into the module store. This command will then write wireshark.cil to the CWD.

    semodule --cil --extract wireshark

Extract the wireshark module in HLL format. Since the original HLL file
was a policy package, a wireshark.pp will be written to the CWD.

    semodule -E wireshark

Extract the wireshark module as CIL and HLL and extract the puppet
module as CIL at priority 400.

    semodule --hll -E wireshark --cil -E wireshark -X 400 --cil -E puppet

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
---
 policycoreutils/semodule/semodule.8 |  14 ++++
 policycoreutils/semodule/semodule.c | 146 +++++++++++++++++++++++++++++++++++-
 2 files changed, 156 insertions(+), 4 deletions(-)

diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
index dde0efb..9cd04e7 100644
--- a/policycoreutils/semodule/semodule.8
+++ b/policycoreutils/semodule/semodule.8
@@ -41,6 +41,11 @@ remove existing module
 .B  \-l,\-\-list-modules=[KIND]
 display list of installed modules (other than base)
 .TP
+.B  \-E,\-\-extract=MODULE_PKG
+Extract a module from the store as an HLL or CIL file to the current directory.
+A module is extracted as HLL by default. The name of the module written is
+<module-name>.<lang_ext>
+.TP
 .B  KIND:
 .TP
 standard
@@ -81,6 +86,12 @@ Use an alternate path for the policy store root
 .TP
 .B  \-v,\-\-verbose     
 be verbose
+.TP
+.B  \-c,\-\-cil
+Extract module as a CIL file. This only affects the \-\-extract option.
+.TP
+.B  \-H,\-\-hll
+Extract module as an HLL file. This only affects the \-\-extract option.
 
 .SH EXAMPLE
 .nf
@@ -108,6 +119,9 @@ $ semodule \-l full
 $ semodule \-B \-p "/tmp"
 # Set an alternate path for the policy store root
 $ semodule \-B \-S "/tmp/var/lib/selinux"
+# Write the HLL version of puppet and the CIL version of wireshark
+# modules at priority 400 to the current working directory
+$ semodule \-X 400 \-g wireshark \-\-cil \-g puppet \-\-hll
 .fi
 
 .SH SEE ALSO
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index baff057..bcfaa2b 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -20,16 +20,17 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <libgen.h>
+#include <limits.h>
 
 #include <semanage/modules.h>
 
 enum client_modes {
-	NO_MODE, INSTALL_M, REMOVE_M,
+	NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
 	LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
 };
 /* list of modes in which one ought to commit afterwards */
 static const int do_commit[] = {
-	0, 1, 1,
+	0, 1, 1, 0, 0, 0,
 	0, 0, 0, 1, 1,
 };
 
@@ -49,10 +50,12 @@ static int disable_dontaudit;
 static int preserve_tunables;
 static int ignore_module_cache;
 static uint16_t priority;
+static int priority_set = 0;
 
 static semanage_handle_t *sh = NULL;
 static char *store;
 static char *store_root;
+int extract_cil = 0;
 
 extern char *optarg;
 extern int optind;
@@ -130,6 +133,7 @@ static void usage(char *progname)
 	printf("  -X,--priority=PRIORITY    set priority for following operations (1-999)\n");
 	printf("  -e,--enable=MODULE_NAME   enable module\n");
 	printf("  -d,--disable=MODULE_NAME  disable module\n");
+	printf("  -E,--extract=MODULE_NAME  extract module\n");
 	printf("Other options:\n");
 	printf("  -s,--store	   name of the store to operate on\n");
 	printf("  -N,-n,--noreload do not reload policy after commit\n");
@@ -140,6 +144,8 @@ static void usage(char *progname)
 	printf("  -C,--ignore-module-cache	Rebuild CIL modules compiled from HLL files\n");
 	printf("  -p,--path        use an alternate path for the policy root\n");
 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
+	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
+	printf("  -H, --hll extract module as hll. This only affects module extraction.\n");
 }
 
 /* Sets the global mode variable to new_mode, but only if no other
@@ -175,6 +181,9 @@ static void parse_command_line(int argc, char **argv)
 		{"base", required_argument, NULL, 'b'},
 		{"help", 0, NULL, 'h'},
 		{"install", required_argument, NULL, 'i'},
+		{"extract", required_argument, NULL, 'E'},
+		{"cil", 0, NULL, 'c'},
+		{"hll", 0, NULL, 'H'},
 		{"list-modules", optional_argument, NULL, 'l'},
 		{"verbose", 0, NULL, 'v'},
 		{"remove", required_argument, NULL, 'r'},
@@ -192,13 +201,15 @@ static void parse_command_line(int argc, char **argv)
 		{"store-path", required_argument, NULL, 'S'},
 		{NULL, 0, NULL, 0}
 	};
+	int extract_selected = 0;
+	int cil_hll_set = 0;
 	int i;
 	verbose = 0;
 	reload = 0;
 	no_reload = 0;
 	priority = 400;
 	while ((i =
-		getopt_long(argc, argv, "s:b:hi:l::vqr:u:RnNBDCPX:e:d:p:S:", opts,
+		getopt_long(argc, argv, "s:b:hi:l::vqr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
 			    NULL)) != -1) {
 		switch (i) {
 		case 'b':
@@ -211,6 +222,18 @@ static void parse_command_line(int argc, char **argv)
 		case 'i':
 			set_mode(INSTALL_M, optarg);
 			break;
+		case 'E':
+			set_mode(EXTRACT_M, optarg);
+			extract_selected = 1;
+			break;
+		case 'c':
+			set_mode(CIL_M, NULL);
+			cil_hll_set = 1;
+			break;
+		case 'H':
+			set_mode(HLL_M, NULL);
+			cil_hll_set = 1;
+			break;
 		case 'l':
 			set_mode(LIST_M, optarg);
 			break;
@@ -281,10 +304,15 @@ static void parse_command_line(int argc, char **argv)
 		usage(argv[0]);
 		exit(1);
 	}
+	if (extract_selected == 0 && cil_hll_set == 1) {
+		fprintf(stderr, "--cil and --hll require a module to export with the --extract option.\n");
+		usage(argv[0]);
+		exit(1);
+	}
 
 	if (optind < argc) {
 		int mode;
-		/* if -i/u/r was the last command treat any remaining
+		/* if -i/u/r/E was the last command treat any remaining
 		 * arguments as args. Will allow 'semodule -i *.pp' to
 		 * work as expected.
 		 */
@@ -293,6 +321,8 @@ static void parse_command_line(int argc, char **argv)
 			mode = INSTALL_M;
 		} else if (commands && commands[num_commands - 1].mode == REMOVE_M) {
 			mode = REMOVE_M;
+		} else if (commands && commands[num_commands - 1].mode == EXTRACT_M) {
+			mode = EXTRACT_M;
 		} else {
 			fprintf(stderr, "unknown additional arguments:\n");
 			while (optind < argc)
@@ -389,6 +419,113 @@ int main(int argc, char *argv[])
 				    semanage_module_install_file(sh, mode_arg);
 				break;
 			}
+		case EXTRACT_M:{
+				semanage_module_info_t *extract_info = NULL;
+				semanage_module_key_t *modkey = NULL;
+				uint16_t curr_priority;
+				void *data = NULL;
+				size_t data_len = 0;
+				char output_path[PATH_MAX];
+				const char *output_name = NULL;
+				const char *lang_ext = NULL;
+				int rlen;
+				FILE *output_fd = NULL;
+
+				result = semanage_module_key_create(sh, &modkey);
+				if (result != 0) {
+					goto cleanup_extract;
+				}
+
+				result = semanage_module_key_set_name(sh, modkey, mode_arg);
+				if (result != 0) {
+					goto cleanup_extract;
+				}
+
+				if (priority_set == 0) {
+					result = semanage_module_get_module_info(sh, modkey, &extract_info);
+					if (result != 0) {
+						goto cleanup_extract;
+					}
+
+					semanage_module_info_get_priority(sh, extract_info, &curr_priority);
+					printf("Module '%s' does not exist at the default priority '%d'. "
+							"Extracting at highest existing priority '%d'.\n", mode_arg, priority, curr_priority);
+					priority = curr_priority;
+				}
+
+				result  = semanage_module_key_set_priority(sh, modkey, priority);
+				if (result != 0) {
+					goto cleanup_extract;
+				}
+
+				if (verbose) {
+					printf
+						("Attempting to extract module '%s':\n",
+							mode_arg);
+				}
+				result = semanage_module_extract(sh, modkey, extract_cil, &data, &data_len, &extract_info);
+				if (result != 0) {
+					goto cleanup_extract;
+				}
+
+				if (extract_cil) {
+					lang_ext = "cil";
+				} else {
+					result = semanage_module_info_get_lang_ext(sh, extract_info, &lang_ext);
+					if (result != 0) {
+						goto cleanup_extract;
+					}
+				}
+
+				result = semanage_module_info_get_name(sh, extract_info, &output_name);
+				if (result != 0) {
+					goto cleanup_extract;
+				}
+
+				rlen = snprintf(output_path, PATH_MAX, "%s.%s", output_name, lang_ext);
+				if (rlen < 0 || rlen >= PATH_MAX) {
+					fprintf(stderr, "%s: Failed to generate output path.\n", argv[0]);
+					result = -1;
+					goto cleanup_extract;
+				}
+
+				if (access(output_path, F_OK) == 0) {
+					fprintf(stderr, "%s: %s is already extracted with extension %s.\n", argv[0], mode_arg, lang_ext);
+					result = -1;
+					goto cleanup_extract;
+				}
+
+				output_fd = fopen(output_path, "w");
+				if (output_fd == NULL) {
+					fprintf(stderr, "%s: Unable to open %s\n", argv[0], output_path);
+					result = -1;
+					goto cleanup_extract;
+				}
+
+				if (fwrite(data, 1, data_len, output_fd) < data_len) {
+					fprintf(stderr, "%s: Unable to write to %s\n", argv[0], output_path);
+					result = -1;
+					goto cleanup_extract;
+				}
+cleanup_extract:
+				if (output_fd != NULL) {
+					fclose(output_fd);
+				}
+				if (data_len > 0) {
+					munmap(data, data_len);
+				}
+				semanage_module_info_destroy(sh, extract_info);
+				free(extract_info);
+				semanage_module_key_destroy(sh, modkey);
+				free(modkey);
+				break;
+			}
+		case CIL_M:
+				extract_cil = 1;
+				break;
+		case HLL_M:
+				extract_cil = 0;
+				break;
 		case REMOVE_M:{
 				if (verbose) {
 					printf
@@ -515,6 +652,7 @@ cleanup_list:
 		case PRIORITY_M:{
 				char *endptr = NULL;
 				priority = (uint16_t)strtoul(mode_arg, &endptr, 10);
+				priority_set = 1;
 
 				if ((result = semanage_set_default_priority(sh, priority)) != 0) {
 					fprintf(stderr,
-- 
1.9.3

Re: [PATCH v2 0/3] Add support for extracting modules

[James Carter]

On 08/06/2015 10:30 AM, Yuli Khodorkovskiy wrote:
> This patchset adds support for extracting modules from the module store as hll
> or cil to the current working directory. This also adds a function to the
> libsemanage API to extract modules and fixes a memory leak discovered while
> implementing this functionality.
>
> Changes from v1:
> - Add fallback behavior if a module does not exist at the default priority when
> extracting with semodule.
>

Thanks, applied.

> Yuli Khodorkovskiy (3):
>    libsemanage: Add ability to extract modules
>    libsemanage: Fix null pointer dereference in
>      semanage_module_key_destroy
>    policycoreutils/semodule: update semodule to allow extracting modules
>
>   libsemanage/include/semanage/modules.h |  17 ++
>   libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>   libsemanage/src/libsemanage.map        |   1 +
>   libsemanage/src/modules.c              |  23 ++-
>   libsemanage/src/policy.h               |   8 +
>   libsemanage/src/semanageswig_python.i  |   5 +
>   policycoreutils/semodule/semodule.8    |  14 ++
>   policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>   8 files changed, 416 insertions(+), 108 deletions(-)
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH v2 0/3] Add support for extracting modules

[Sven Vermeulen]

Will you provide a patch to the reference policy to allow semanage_t
to write into all kinds of directories?

I personally see little value in this patch, as everything is readily
accessible on the file system. Users who want to extract policies with
semodule will now encounter policy issues where semanage_t is not
allowed to write into the current working directory (depending where
the user is at):

   allow semanage_t tmp_t : dir { ioctl read write getattr lock
add_name remove_name search open } ;
   allow semanage_t selinux_config_t : dir { ioctl read write getattr
lock add_name remove_name search open } ;
   allow semanage_t default_context_t : dir { ioctl read write getattr
lock add_name remove_name search open } ;
   allow semanage_t file_context_t : dir { ioctl read write getattr
lock add_name remove_name search open } ;
   allow semanage_t semanage_store_t : dir { ioctl read write create
getattr setattr lock unlink link rename add_name remove_name reparent
search rmdir open } ;
   allow semanage_t semanage_tmp_t : dir { ioctl read write create
getattr setattr lock unlink link rename add_name remove_name reparent
search rmdir open } ;
   allow semanage_t policy_config_t : dir { ioctl read write getattr
lock add_name remove_name search open } ;

Wkr,
  Sven Vermeulen

On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy
<ykhodorkovskiy@tresys.com> wrote:
> This patchset adds support for extracting modules from the module store as hll
> or cil to the current working directory. This also adds a function to the
> libsemanage API to extract modules and fixes a memory leak discovered while
> implementing this functionality.
>
> Changes from v1:
> - Add fallback behavior if a module does not exist at the default priority when
> extracting with semodule.
>
> Yuli Khodorkovskiy (3):
>   libsemanage: Add ability to extract modules
>   libsemanage: Fix null pointer dereference in
>     semanage_module_key_destroy
>   policycoreutils/semodule: update semodule to allow extracting modules
>
>  libsemanage/include/semanage/modules.h |  17 ++
>  libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>  libsemanage/src/libsemanage.map        |   1 +
>  libsemanage/src/modules.c              |  23 ++-
>  libsemanage/src/policy.h               |   8 +
>  libsemanage/src/semanageswig_python.i  |   5 +
>  policycoreutils/semodule/semodule.8    |  14 ++
>  policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>  8 files changed, 416 insertions(+), 108 deletions(-)
>
> --
> 1.9.3
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

Re: [PATCH v2 0/3] Add support for extracting modules

[Stephen Smalley]

On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
> Will you provide a patch to the reference policy to allow semanage_t
> to write into all kinds of directories?
> 
> I personally see little value in this patch, as everything is readily
> accessible on the file system. Users who want to extract policies with
> semodule will now encounter policy issues where semanage_t is not
> allowed to write into the current working directory (depending where
> the user is at):

Directly accessing files under /var/lib/selinux is not very
user-friendly or maintainable, as how the files are arranged and stored
is an implementation detail of libsemanage.

The change allows users a new workflow in which they can readily extract
a module (whether locally created or distro-provided), modify it, and
then re-install it (and automatically have their modified version
installed at higher priority, and thereby not clobber the
distro-provided one or be clobbered by subsequent policy updates.

semanage is already given userdom_read_user_home_content_files() and
userdom_read_user_tmp_files() in order to support semodule -i from
either of those locations, so broadening that to userdom_manage doesn't
seem too onerous.

Also, the situation doesn't seem terribly different from the already
existing semanage export facility, which takes a -f output_file option.

> 
>    allow semanage_t tmp_t : dir { ioctl read write getattr lock
> add_name remove_name search open } ;
>    allow semanage_t selinux_config_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>    allow semanage_t default_context_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>    allow semanage_t file_context_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>    allow semanage_t semanage_store_t : dir { ioctl read write create
> getattr setattr lock unlink link rename add_name remove_name reparent
> search rmdir open } ;
>    allow semanage_t semanage_tmp_t : dir { ioctl read write create
> getattr setattr lock unlink link rename add_name remove_name reparent
> search rmdir open } ;
>    allow semanage_t policy_config_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
> 
> Wkr,
>   Sven Vermeulen
> 
> On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy
> <ykhodorkovskiy@tresys.com> wrote:
>> This patchset adds support for extracting modules from the module store as hll
>> or cil to the current working directory. This also adds a function to the
>> libsemanage API to extract modules and fixes a memory leak discovered while
>> implementing this functionality.
>>
>> Changes from v1:
>> - Add fallback behavior if a module does not exist at the default priority when
>> extracting with semodule.
>>
>> Yuli Khodorkovskiy (3):
>>   libsemanage: Add ability to extract modules
>>   libsemanage: Fix null pointer dereference in
>>     semanage_module_key_destroy
>>   policycoreutils/semodule: update semodule to allow extracting modules
>>
>>  libsemanage/include/semanage/modules.h |  17 ++
>>  libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>>  libsemanage/src/libsemanage.map        |   1 +
>>  libsemanage/src/modules.c              |  23 ++-
>>  libsemanage/src/policy.h               |   8 +
>>  libsemanage/src/semanageswig_python.i  |   5 +
>>  policycoreutils/semodule/semodule.8    |  14 ++
>>  policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>>  8 files changed, 416 insertions(+), 108 deletions(-)
>>
>> --
>> 1.9.3
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> 

Re: [PATCH v2 0/3] Add support for extracting modules

[Joshua Brindle]

Stephen Smalley wrote:
> On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
>> Will you provide a patch to the reference policy to allow semanage_t
>> to write into all kinds of directories?
>>
>> I personally see little value in this patch, as everything is readily
>> accessible on the file system. Users who want to extract policies with
>> semodule will now encounter policy issues where semanage_t is not
>> allowed to write into the current working directory (depending where
>> the user is at):
>
> Directly accessing files under /var/lib/selinux is not very
> user-friendly or maintainable, as how the files are arranged and stored
> is an implementation detail of libsemanage.
>

Agreed, policy could (and maybe should) completely prevent users from 
messing around there, lest they corrupt something.

> The change allows users a new workflow in which they can readily extract
> a module (whether locally created or distro-provided), modify it, and
> then re-install it (and automatically have their modified version
> installed at higher priority, and thereby not clobber the
> distro-provided one or be clobbered by subsequent policy updates.
>
> semanage is already given userdom_read_user_home_content_files() and
> userdom_read_user_tmp_files() in order to support semodule -i from
> either of those locations, so broadening that to userdom_manage doesn't
> seem too onerous.
>
> Also, the situation doesn't seem terribly different from the already
> existing semanage export facility, which takes a -f output_file option.
>

Alternatively the module could always be output to stdout and then 
piping it to a file would use the users (or shells) domain rather than 
semanage_t.

There is definitely an integrity violation with having such a privileged 
program read from user directories but I suppose that ship has sailed.

>>     allow semanage_t tmp_t : dir { ioctl read write getattr lock
>> add_name remove_name search open } ;
>>     allow semanage_t selinux_config_t : dir { ioctl read write getattr
>> lock add_name remove_name search open } ;
>>     allow semanage_t default_context_t : dir { ioctl read write getattr
>> lock add_name remove_name search open } ;
>>     allow semanage_t file_context_t : dir { ioctl read write getattr
>> lock add_name remove_name search open } ;
>>     allow semanage_t semanage_store_t : dir { ioctl read write create
>> getattr setattr lock unlink link rename add_name remove_name reparent
>> search rmdir open } ;
>>     allow semanage_t semanage_tmp_t : dir { ioctl read write create
>> getattr setattr lock unlink link rename add_name remove_name reparent
>> search rmdir open } ;
>>     allow semanage_t policy_config_t : dir { ioctl read write getattr
>> lock add_name remove_name search open } ;
>>
>> Wkr,
>>    Sven Vermeulen
>>
>> On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy
>> <ykhodorkovskiy@tresys.com>  wrote:
>>> This patchset adds support for extracting modules from the module store as hll
>>> or cil to the current working directory. This also adds a function to the
>>> libsemanage API to extract modules and fixes a memory leak discovered while
>>> implementing this functionality.
>>>
>>> Changes from v1:
>>> - Add fallback behavior if a module does not exist at the default priority when
>>> extracting with semodule.
>>>
>>> Yuli Khodorkovskiy (3):
>>>    libsemanage: Add ability to extract modules
>>>    libsemanage: Fix null pointer dereference in
>>>      semanage_module_key_destroy
>>>    policycoreutils/semodule: update semodule to allow extracting modules
>>>
>>>   libsemanage/include/semanage/modules.h |  17 ++
>>>   libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>>>   libsemanage/src/libsemanage.map        |   1 +
>>>   libsemanage/src/modules.c              |  23 ++-
>>>   libsemanage/src/policy.h               |   8 +
>>>   libsemanage/src/semanageswig_python.i  |   5 +
>>>   policycoreutils/semodule/semodule.8    |  14 ++
>>>   policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>>>   8 files changed, 416 insertions(+), 108 deletions(-)
>>>
>>> --
>>> 1.9.3
>>>
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@tycho.nsa.gov
>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.

Re: [PATCH v2 0/3] Add support for extracting modules

[James Carter]

On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
> Will you provide a patch to the reference policy to allow semanage_t
> to write into all kinds of directories?
>

In Fedora, semanage_t is unconfined, so I hadn't thought about policy, but you 
are right, new policy is needed.

> I personally see little value in this patch, as everything is readily
> accessible on the file system. Users who want to extract policies with
> semodule will now encounter policy issues where semanage_t is not
> allowed to write into the current working directory (depending where
> the user is at):
>

But this patch is nice in that you don't have to know what priority the module 
is at and it uncompresses it for you.

I don't think that we need to worry about writing into anything other then a 
home and tmp directories.

Using
userdom_manage_user_home_content_files(semanage_t)
userdom_manage_user_tmp_files(semanage_t)

instead of
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)

should get us most of the way there, shouldn't it?

Jim

>     allow semanage_t tmp_t : dir { ioctl read write getattr lock
> add_name remove_name search open } ;
>     allow semanage_t selinux_config_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>     allow semanage_t default_context_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>     allow semanage_t file_context_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>     allow semanage_t semanage_store_t : dir { ioctl read write create
> getattr setattr lock unlink link rename add_name remove_name reparent
> search rmdir open } ;
>     allow semanage_t semanage_tmp_t : dir { ioctl read write create
> getattr setattr lock unlink link rename add_name remove_name reparent
> search rmdir open } ;
>     allow semanage_t policy_config_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>
> Wkr,
>    Sven Vermeulen
>
> On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy
> <ykhodorkovskiy@tresys.com> wrote:
>> This patchset adds support for extracting modules from the module store as hll
>> or cil to the current working directory. This also adds a function to the
>> libsemanage API to extract modules and fixes a memory leak discovered while
>> implementing this functionality.
>>
>> Changes from v1:
>> - Add fallback behavior if a module does not exist at the default priority when
>> extracting with semodule.
>>
>> Yuli Khodorkovskiy (3):
>>    libsemanage: Add ability to extract modules
>>    libsemanage: Fix null pointer dereference in
>>      semanage_module_key_destroy
>>    policycoreutils/semodule: update semodule to allow extracting modules
>>
>>   libsemanage/include/semanage/modules.h |  17 ++
>>   libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>>   libsemanage/src/libsemanage.map        |   1 +
>>   libsemanage/src/modules.c              |  23 ++-
>>   libsemanage/src/policy.h               |   8 +
>>   libsemanage/src/semanageswig_python.i  |   5 +
>>   policycoreutils/semodule/semodule.8    |  14 ++
>>   policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>>   8 files changed, 416 insertions(+), 108 deletions(-)
>>
>> --
>> 1.9.3
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH v2 0/3] Add support for extracting modules

[Dominick Grift]

[-- Attachment #1: Type: text/plain, Size: 761 bytes --]

On Fri, Aug 07, 2015 at 09:37:06AM -0400, Joshua Brindle wrote:
> 
> There is definitely an integrity violation with having such a privileged
> program read from user directories but I suppose that ship has sailed.
> 

generic user content, to me, is meant to be the share-able, and widely accessible user content (compared to private user content types) and if anything in home or /tmp is sharable/accessible it should be them

when protecting the user content, things that shouldnt be sharable or be widely accessible should get a private user content type.

In my personal policy, i dont make a fuss about stuff manage generic user content (if they need it ofcourse). However i do make it a point to give any sensitive user content a private type

[-- Attachment #2: Type: application/pgp-signature, Size: 648 bytes --]

Re: [PATCH v2 0/3] Add support for extracting modules

[Christopher J. PeBenito]

On 8/7/2015 9:37 AM, Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
>>> Will you provide a patch to the reference policy to allow semanage_t
>>> to write into all kinds of directories?
>>>
>>> I personally see little value in this patch, as everything is readily
>>> accessible on the file system. Users who want to extract policies with
>>> semodule will now encounter policy issues where semanage_t is not
>>> allowed to write into the current working directory (depending where
>>> the user is at):
>>
>> Directly accessing files under /var/lib/selinux is not very
>> user-friendly or maintainable, as how the files are arranged and stored
>> is an implementation detail of libsemanage.
>>
> 
> Agreed, policy could (and maybe should) completely prevent users from
> messing around there, lest they corrupt something.

This is generally enforced in refpolicy, though a couple privileged
domains (eg package managers) can access it.

>> The change allows users a new workflow in which they can readily extract
>> a module (whether locally created or distro-provided), modify it, and
>> then re-install it (and automatically have their modified version
>> installed at higher priority, and thereby not clobber the
>> distro-provided one or be clobbered by subsequent policy updates.
>>
>> semanage is already given userdom_read_user_home_content_files() and
>> userdom_read_user_tmp_files() in order to support semodule -i from
>> either of those locations, so broadening that to userdom_manage doesn't
>> seem too onerous.
>>
>> Also, the situation doesn't seem terribly different from the already
>> existing semanage export facility, which takes a -f output_file option.
>>
> 
> Alternatively the module could always be output to stdout and then
> piping it to a file would use the users (or shells) domain rather than
> semanage_t.
>
> There is definitely an integrity violation with having such a privileged
> program read from user directories but I suppose that ship has sailed.

It's a side effect of the UBAC implementation, as all the users have the
same types for their home directory contents, but with different seusers.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com