* initial_sid context via libsepol
@ 2016-03-04 21:16 Roberts, William C
  2016-03-05 14:43 ` Richard Haines
  0 siblings, 1 reply; 16+ messages in thread
From: Roberts, William C @ 2016-03-04 21:16 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 625 bytes --]


How can one obtain the same value as /sys/fs/selinux/initial_contexts/file via libsepol?

I've been digging around libsepol and it's not quite clear to me.

It looks as though the record is here:
                context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];
                context_struct_t *b = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[1];

                printf("%u\n", a->type);
                printf("%u\n",b->type);

Prints:
185
0

Not sure if this is right, and how to format the context struct to a string. I didn't see any helpers.

Thanks,
Bill

[-- Attachment #2: Type: text/html, Size: 3359 bytes --]


* Re: initial_sid context via libsepol
  2016-03-04 21:16 initial_sid context via libsepol Roberts, William C
@ 2016-03-05 14:43 ` Richard Haines
  2016-03-07 15:41   ` Richard Haines
  0 siblings, 1 reply; 16+ messages in thread
From: Richard Haines @ 2016-03-05 14:43 UTC (permalink / raw)
  To: Roberts, William C, selinux

[-- Attachment #1: Type: text/plain, Size: 1067 bytes --]





On Friday, 4 March 2016, 21:18, "Roberts, William C" <william.c.roberts@intel.com> wrote:


>
>
> 
> 
>How can one obtain the same value as /sys/fs/selinux/initial_contexts/file via libsepol?
> 
>I’ve been digging around libsepol and its not quite clear to me.
> 
>It looks as though the record is here:
>                context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];
>                context_struct_t *b = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[1];
> 
>                printf("%u\n", a->type);
>                printf("%u\n",b->type);
> 
>Prints:
>185
>0
> 
>Not sure if this is right, and how to format the context struct to a string. I didn’t see any helpers.
>

>
I've attached an example, hope it's useful
>
> 
>Thanks,
>Bill
>_______________________________________________
>Selinux mailing list
>Selinux@tycho.nsa.gov
>To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
>

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: display-initial-sid-info.c --]
[-- Type: text/x-csrc, Size: 4145 bytes --]

/* gcc display-initial-sid-info.c -o display-initial-sid-info -lselinux /usr/lib64/libsepol.a */

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sepol/policydb/policydb.h>

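/* load_policy taken from sepolicy-analyze.c
 *
 * Map the binary policy 'filename' (MAP_PRIVATE, so anything libsepol
 * writes into the image stays private to this process) and parse it
 * into *policydb through *pf.
 *
 * filename: path of the binary policy file
 * policydb: caller-provided policydb, initialised and populated on success
 * pf:       caller-provided policy_file, set up as a PF_USE_MEMORY reader
 *           over the mapping; the mapping is deliberately kept for the life
 *           of the process because pf->data points into it
 *
 * Returns 0 on success, 1 on any failure after printing a message to
 * stderr.  On failure nothing is left open or mapped.
 */
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf)
{
	int fd;
	struct stat sb;
	void *map;
	int ret;

	fd = open(filename, O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Can't open '%s':  %s\n", filename, strerror(errno));
		return 1;
	}
	if (fstat(fd, &sb) < 0) {
		fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	if (map == MAP_FAILED) {
		fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	/* The mapping stays valid after the descriptor is closed, so release
	 * the descriptor here instead of leaking it on the success path. */
	close(fd);

	policy_file_init(pf);
	pf->type = PF_USE_MEMORY;
	pf->data = map;
	pf->len = sb.st_size;
	if (policydb_init(policydb)) {
		fprintf(stderr, "Could not initialize policydb!\n");
		munmap(map, sb.st_size);
		return 1;
	}
	ret = policydb_read(policydb, pf, 0);
	if (ret) {
		fprintf(stderr, "error(s) encountered while parsing configuration\n");
		munmap(map, sb.st_size);
		return 1;
	}
	return 0;
}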

/* The initial SID names are not available when loading a binary policy.
 * They need to be taken from the policy 'initial_sids' file. However
 * they tend to be common so setools uses a table like this:
 *
 * main() indexes this table by its running entry counter (starting at 0),
 * so it relies on the policy's initial SIDs appearing in exactly this
 * order.  Keep every string padded to 15 characters: they are printed
 * as-is to line up under the "Name" column heading.
 */
static const char *const sidnames[] = {
	/* I've made them print neat & tidy, tidy & neat !!!*/
	"kernel         ",
	"security       ",
	"unlabeled      ",
	"fs             ",
	"file           ",
	"file_labels    ",
	"init           ",
	"any_socket     ",
	"port           ",
	"netif          ",
	"netmsg         ",
	"node           ",
	"igmp_packet    ",
	"icmp_socket    ",
	"tcp_socket     ",
	"sysctl_modprobe",
	"sysctl         ",
	"sysctl_fs      ",
	"sysctl_kernel  ",
	"sysctl_net     ",
	"sysctl_net_unix",
	"sysctl_vm      ",
	"sysctl_dev     ",
	"kmod           ",
	"policy         ",
	"scmp_packet    ",
	"devnull        "
};

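/* This is reworked from libsepol/src/mls.c mls_compute_context_len() to print the MLS components.
 * Best seen on /etc/selinux/mls/policy/policy.29
 *
 * Prints the ":low[-high]" part of cur->context[0] in the same syntax the
 * kernel uses for contexts: the low level is introduced by ':' and the
 * high level (only when it differs) by '-'; categories are separated by
 * ',' and a run of consecutive categories is collapsed to "first.last".
 * The original printed ':' before every category and ',' for an in-loop
 * range end, which did not match the trailing ".%s" case below.
 *
 * policydb: loaded policy, read only (nothing is printed unless it is MLS)
 * cur:      OCON_ISID entry whose context[0].range is printed
 */
void mls_print(const policydb_t *policydb, ocontext_t *cur)
{
	unsigned int i, l, range;
	ebitmap_node_t *cnode;
	int first;

	if (!policydb->mls)
		return;

	for (l = 0; l < 2; l++) {
		range = 0;
		first = 1;
		/* low level after ':', high level after '-' (e.g. s0-s15) */
		printf("%c%s", l == 0 ? ':' : '-',
		       policydb->p_sens_val_to_name[cur->context[0].range.level[l].sens - 1]);

		ebitmap_for_each_bit(&cur->context[0].range.level[l].cat, cnode, i) {
			if (ebitmap_node_get_bit(cnode, i)) {
				if (range) {
					/* still inside a run of consecutive categories */
					range++;
					continue;
				}

				/* start of a run: ':' before the first category, ',' after */
				printf("%c%s", first ? ':' : ',', policydb->p_cat_val_to_name[i]);
				first = 0;
				range++;
			} else {
				/* gap after a run of more than one category: close it as "first.last" */
				if (range > 1)
					printf(".%s", policydb->p_cat_val_to_name[i - 1]);

				range = 0;
			}
		}
		/* Handle case where last category is the end of range */
		if (range > 1)
			printf(".%s", policydb->p_cat_val_to_name[i - 1]);

		/* a single-level range (low == high) is printed only once */
		if (l == 0 &&
		    mls_level_eq(&cur->context[0].range.level[0], &cur->context[0].range.level[1]))
			break;
	}
}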

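/* Print every initial SID of the binary policy named on the command line,
 * one per line: SID value, a name from 'sidnames' and the
 * user:role:type[:mls] context.
 *
 * The binary policy does not carry initial SID names, so the name column is
 * taken from 'sidnames' by position; an entry beyond the end of the table
 * is shown as "?" instead of reading past it, since the policy being
 * inspected may define more initial SIDs than the table knows.
 *
 * Returns 0 on success, 1 on a usage error or if the policy cannot be loaded.
 */
int main(int argc, char **argv)
{
	char *policy;
	struct policy_file pf;
	policydb_t policydb;
	ocontext_t *cur;
	int entry = 0;
	const size_t nnames = sizeof(sidnames) / sizeof(sidnames[0]);

	if (argc < 2) {
		printf("Need binary policy file:\n");
		printf("\t%s policy_file\n", argv[0]);
		return 1;
	}

	policy = argv[1];
	if (load_policy(policy, &policydb, &pf))
		return 1;

	/* Count entries */
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next)
		entry++;

	printf("There are %d initial sids in the policy\n\n", entry);

	entry = 0;
	printf("SID  Name             Context\n");
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
		/* sid[0] is unsigned, hence %u; names are padded to 15 columns */
		printf("%2u   %-15s  %s:%s:%s",
			    cur->sid[0],
			    (size_t)entry < nnames ? sidnames[entry] : "?",
			    policydb.p_user_val_to_name[cur->context[0].user - 1],
			    policydb.p_role_val_to_name[cur->context[0].role - 1],
			    policydb.p_type_val_to_name[cur->context[0].type - 1]);

		mls_print(&policydb, cur);
		printf("\n");
		entry++;
	}

	policydb_destroy(&policydb);
	return 0;
}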


* Re: initial_sid context via libsepol
  2016-03-05 14:43 ` Richard Haines
@ 2016-03-07 15:41   ` Richard Haines
  2016-03-07 18:44     ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Richard Haines @ 2016-03-07 15:41 UTC (permalink / raw)
  To: Roberts, William C, selinux

[-- Attachment #1: Type: text/plain, Size: 1628 bytes --]






> On Saturday, 5 March 2016, 14:48, Richard Haines <richard_c_haines@btinternet.com> wrote:
> > 
> 
> 
> 
> On Friday, 4 March 2016, 21:18, "Roberts, William C" 
> <william.c.roberts@intel.com> wrote:
> 
> 
>> 
>> 
>> 
>> 
>> How can one obtain the same value as /sys/fs/selinux/initial_contexts/file 
> via libsepol?
>> 
>> I’ve been digging around libsepol and its not quite clear to me.
>> 
>> It looks as though the record is here:
>>                 context_struct_t *a = &((policydb_t 
> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>                 context_struct_t *b = &((policydb_t 
> *)pol.db)->ocontexts[OCON_ISID]->context[1];
>> 
>>                 printf("%u\n", a->type);
>>                 printf("%u\n",b->type);
>> 
>> Prints:
>> 185
>> 0
>> 
>> Not sure if this is right, and how to format the context struct to a string. 
> I didn’t see any helpers.
>> 
> 
>> 

> I've attached an example, hope it's useful

I've updated the example with more detail, and it now displays the SID name using the SID value rather than a counter.
> 
>> 
>> 
>> Thanks,
>> Bill
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to 
> Selinux-request@tycho.nsa.gov.
>> 
>> 
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to 
> Selinux-request@tycho.nsa.gov.
>

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: display-initial-sid-info.c --]
[-- Type: text/x-csrc, Size: 5971 bytes --]

/* gcc display-initial-sid-info.c -o display-initial-sid-info libsepol.a */

#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sepol/policydb/policydb.h>

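/* load_policy taken from sepolicy-analyze.c
 *
 * Map the binary policy 'filename' (MAP_PRIVATE, so anything libsepol
 * writes into the image stays private to this process) and parse it
 * into *policydb through *pf.
 *
 * filename: path of the binary policy file
 * policydb: caller-provided policydb, initialised and populated on success
 * pf:       caller-provided policy_file, set up as a PF_USE_MEMORY reader
 *           over the mapping; the mapping is deliberately kept for the life
 *           of the process because pf->data points into it
 *
 * Returns 0 on success, 1 on any failure after printing a message to
 * stderr.  On failure nothing is left open or mapped.
 */
int load_policy(char *filename, policydb_t *policydb, struct policy_file *pf)
{
	int fd;
	struct stat sb;
	void *map;
	int ret;

	fd = open(filename, O_RDONLY);
	if (fd < 0) {
		fprintf(stderr, "Can't open '%s':  %s\n", filename, strerror(errno));
		return 1;
	}
	if (fstat(fd, &sb) < 0) {
		fprintf(stderr, "Can't stat '%s':  %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
	if (map == MAP_FAILED) {
		fprintf(stderr, "Can't mmap '%s':  %s\n", filename, strerror(errno));
		close(fd);
		return 1;
	}
	/* The mapping stays valid after the descriptor is closed, so release
	 * the descriptor here instead of leaking it on the success path. */
	close(fd);

	policy_file_init(pf);
	pf->type = PF_USE_MEMORY;
	pf->data = map;
	pf->len = sb.st_size;
	if (policydb_init(policydb)) {
		fprintf(stderr, "Could not initialize policydb!\n");
		munmap(map, sb.st_size);
		return 1;
	}
	ret = policydb_read(policydb, pf, 0);
	if (ret) {
		fprintf(stderr, "error(s) encountered while parsing configuration\n");
		munmap(map, sb.st_size);
		return 1;
	}
	return 0;
}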

/* The initial SID names are not currently available in a binary policy (March '16).
 * They really need to be taken from the policy 'initial_sids' file. However for the
 * Reference Policy they tend to be common so setools uses a table like the one below.
 *
 * WARNING: If you have a custom kernel/policy that changes these, then update
 * this table (e.g. Xen has a different set as shown in the 'xen_sidnames' table).
 *
 * main() indexes this table directly by SID value (cur->sid[0]), not by
 * position in the policy: the "null" entry at index 0 is only a placeholder
 * so that the real names line up with SIDs starting at 1.  Keep the named
 * entries padded to 15 characters; they are printed as-is under the "Name"
 * column heading.
 *
 * Note 1: The kernel builds the /sys/fs/selinux/initial_contexts entries using the
 *         contents of the kernel's security/selinux/include/initial_sid_to_string.h
 *         file (see kernel source security/selinux/selinuxfs.c and ss/services.c).
 *         The 'initial_sid_to_string.h' file can be generated by the Reference
 *         Policy source build script policy/flask/flask.py as it builds userspace
 *         and kernel headers based on policy (however most of the headers it
 *         generates are not required by newer kernels or SELinux userspace services).
 *
 * Note 2: There is a ToDo for "Dynamic discovery of initial SIDs" at:
 *            https://github.com/SELinuxProject/selinux/wiki/Kernel-Todo
*/
static const char *const linux_sidnames[] = {
	/* I've made them print neat & tidy, tidy & neat !!!*/
        "null",
	"kernel         ",
	"security       ",
	"unlabeled      ",
	"fs             ",
	"file           ",
	"file_labels    ",
	"init           ",
	"any_socket     ",
	"port           ",
	"netif          ",
	"netmsg         ",
	"node           ",
	"igmp_packet    ",
	"icmp_socket    ",
	"tcp_socket     ",
	"sysctl_modprobe",
	"sysctl         ",
	"sysctl_fs      ",
	"sysctl_kernel  ",
	"sysctl_net     ",
	"sysctl_net_unix",
	"sysctl_vm      ",
	"sysctl_dev     ",
	"kmod           ",
	"policy         ",
	"scmp_packet    ",
	"devnull        "
};

/* Fallback initial SID names for a Xen policy (policydb.target_platform set),
 * indexed by SID value in main() just like 'linux_sidnames'; the "null" entry
 * at index 0 is a placeholder so the real names start at SID 1.  The strings
 * are padded to a fixed width so the printed "Name" column lines up. */
static const char *const xen_sidnames[] = {
        "null",
	"xen      ",
	"dom0     ",
	"domio    ",
	"domxen   ",
	"unlabeled",
	"security ",
	"ioport   ",
	"iomem    ",
	"irq      ",
	"device   "
};

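/* This is reworked from libsepol/src/mls.c mls_compute_context_len() to print the MLS components.
 * Best seen using MLS policy e.g. /etc/selinux/mls/policy/policy.29
 *
 * Prints the ":low[-high]" part of cur->context[0] in the same syntax the
 * kernel uses for contexts: the low level is introduced by ':' and the
 * high level (only when it differs) by '-'; categories are separated by
 * ',' and a run of consecutive categories is collapsed to "first.last".
 * The original printed ':' before every category and ',' for an in-loop
 * range end, which did not match the trailing ".%s" case below.
 *
 * policydb: loaded policy, read only (nothing is printed unless it is MLS)
 * cur:      OCON_ISID entry whose context[0].range is printed
 */
void mls_print(const policydb_t *policydb, ocontext_t *cur)
{
	unsigned int i, l, range;
	ebitmap_node_t *cnode;
	int first;

	if (!policydb->mls)
		return;

	for (l = 0; l < 2; l++) {
		range = 0;
		first = 1;
		/* low level after ':', high level after '-' (e.g. s0-s15) */
		printf("%c%s", l == 0 ? ':' : '-',
		       policydb->p_sens_val_to_name[cur->context[0].range.level[l].sens - 1]);

		ebitmap_for_each_bit(&cur->context[0].range.level[l].cat, cnode, i) {
			if (ebitmap_node_get_bit(cnode, i)) {
				if (range) {
					/* still inside a run of consecutive categories */
					range++;
					continue;
				}

				/* start of a run: ':' before the first category, ',' after */
				printf("%c%s", first ? ':' : ',', policydb->p_cat_val_to_name[i]);
				first = 0;
				range++;
			} else {
				/* gap after a run of more than one category: close it as "first.last" */
				if (range > 1)
					printf(".%s", policydb->p_cat_val_to_name[i - 1]);

				range = 0;
			}
		}
		/* Handle case where last category is the end of range */
		if (range > 1)
			printf(".%s", policydb->p_cat_val_to_name[i - 1]);

		/* a single-level range (low == high) is printed only once */
		if (l == 0 &&
		    mls_level_eq(&cur->context[0].range.level[0], &cur->context[0].range.level[1]))
			break;
	}
}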

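/* Print every initial SID of the binary policy named on the command line,
 * one per line: SID value (hex), a name and the user:role:type[:mls] context.
 *
 * The name comes from the policy itself when the entry carries one
 * (cur->u.name), otherwise from the per-platform table ('xen_sidnames' when
 * policydb.target_platform is set, else 'linux_sidnames') indexed by SID
 * value.  A SID beyond the end of that table is shown as "?" rather than
 * read past it, since the policy being inspected is arbitrary input.
 *
 * Returns 0 on success, 1 on a usage error or if the policy cannot be loaded.
 */
int main(int argc, char **argv)
{
	char *policy;
	struct policy_file pf;
	policydb_t policydb;
	ocontext_t *cur;
	int entry = 0;
	bool have_names = false;
	const char *const *names;
	size_t nnames;

	if (argc < 2) {
		printf("Need binary policy file:\n");
		printf("\t%s policy_file\n", argv[0]);
		return 1;
	}

	policy = argv[1];
	if (load_policy(policy, &policydb, &pf))
		return 1;

	/* Count entries and check if first entry has a name present in policy,
	 * if so all entries would be named. However, currently these are not
	 * present in a binary policy)
	 */
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
		if (entry == 0 && cur->u.name)
			have_names = true;
		entry++;
	}

	/* Choose the fallback name table once, together with its length,
	 * so every lookup below can be bounds-checked against it. */
	if (policydb.target_platform) {
		names = xen_sidnames;
		nnames = sizeof(xen_sidnames) / sizeof(xen_sidnames[0]);
	} else {
		names = linux_sidnames;
		nnames = sizeof(linux_sidnames) / sizeof(linux_sidnames[0]);
	}

	printf("\nThere are %d initial sids in this %s policy.\n", entry, policydb.target_platform ? "Xen" : "SELinux");
	printf("The ISID \"Name\" has been extracted from %s.\n\n",
			    have_names ? "the policy" : "an internal list that may be incorrect");

	printf("SID          Name             Context\n");
	for (cur = policydb.ocontexts[OCON_ISID]; cur != NULL; cur = cur->next) {
		const char *name;

		/* Initial SID names are not in policy but check just in case, else use the list for the platform */
		if (cur->u.name)
			name = cur->u.name;
		else if (cur->sid[0] < nnames)
			name = names[cur->sid[0]];
		else
			name = "?";

		printf("0x%08x   %-15s  %s:%s:%s",
		    cur->sid[0],
		    name,
		    policydb.p_user_val_to_name[cur->context[0].user - 1],
		    policydb.p_role_val_to_name[cur->context[0].role - 1],
		    policydb.p_type_val_to_name[cur->context[0].type - 1]);

		mls_print(&policydb, cur);
		printf("\n");
	}

	policydb_destroy(&policydb);
	return 0;
}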


* Re: initial_sid context via libsepol
  2016-03-07 15:41   ` Richard Haines
@ 2016-03-07 18:44     ` Stephen Smalley
  2016-03-07 20:32       ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2016-03-07 18:44 UTC (permalink / raw)
  To: Richard Haines, Roberts, William C, selinux

On 03/07/2016 10:41 AM, Richard Haines wrote:
>
>
>
>
>
>> On Saturday, 5 March 2016, 14:48, Richard Haines <richard_c_haines@btinternet.com> wrote:
>>>
>>
>>
>>
>> On Friday, 4 March 2016, 21:18, "Roberts, William C"
>> <william.c.roberts@intel.com> wrote:
>>
>>
>>>
>>>
>>>
>>>
>>> How can one obtain the same value as /sys/fs/selinux/initial_contexts/file
>> via libsepol?
>>>
>>> I’ve been digging around libsepol and its not quite clear to me.
>>>
>>> It looks as though the record is here:
>>>                  context_struct_t *a = &((policydb_t
>> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>                  context_struct_t *b = &((policydb_t
>> *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>>
>>>                  printf("%u\n", a->type);
>>>                  printf("%u\n",b->type);
>>>
>>> Prints:
>>> 185
>>> 0
>>>
>>> Not sure if this is right, and how to format the context struct to a string.
>> I didn’t see any helpers.
>>>
>>
>>>
>
>> I've attached an example, hope it's useful
>
> I've updated the example with more detail and display SID name using SID value not counter.
>

Any particular reason you didn't use sepol_sid_to_context()?


* Re: initial_sid context via libsepol
  2016-03-07 18:44     ` Stephen Smalley
@ 2016-03-07 20:32       ` Stephen Smalley
  2016-03-08  1:32         ` William Roberts
  0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2016-03-07 20:32 UTC (permalink / raw)
  To: Richard Haines, Roberts, William C, selinux

On 03/07/2016 01:44 PM, Stephen Smalley wrote:
> On 03/07/2016 10:41 AM, Richard Haines wrote:
>>
>>
>>
>>
>>
>>> On Saturday, 5 March 2016, 14:48, Richard Haines
>>> <richard_c_haines@btinternet.com> wrote:
>>>>
>>>
>>>
>>>
>>> On Friday, 4 March 2016, 21:18, "Roberts, William C"
>>> <william.c.roberts@intel.com> wrote:
>>>
>>>
>>>>
>>>>
>>>>
>>>>
>>>> How can one obtain the same value as
>>>> /sys/fs/selinux/initial_contexts/file
>>> via libsepol?
>>>>
>>>> I’ve been digging around libsepol and its not quite clear to me.
>>>>
>>>> It looks as though the record is here:
>>>>                  context_struct_t *a = &((policydb_t
>>> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>>                  context_struct_t *b = &((policydb_t
>>> *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>>>
>>>>                  printf("%u\n", a->type);
>>>>                  printf("%u\n",b->type);
>>>>
>>>> Prints:
>>>> 185
>>>> 0
>>>>
>>>> Not sure if this is right, and how to format the context struct to a
>>>> string.
>>> I didn’t see any helpers.
>>>>
>>>
>>>>
>>
>>> I've attached an example, hope it's useful
>>
>> I've updated the example with more detail and display SID name using
>> SID value not counter.
>>
>
> Any particular reason you didn't use sepol_sid_to_context()?

I guess context_to_string() on the context structure would work better 
for your purposes.   sepol_sid_to_context() would require loading the 
sidtab via policydb_load_isids() and setting the internal policydb to 
the one you loaded via sepol_set_policydb().


* Re: initial_sid context via libsepol
  2016-03-07 20:32       ` Stephen Smalley
@ 2016-03-08  1:32         ` William Roberts
  2016-03-08 13:12           ` Richard Haines
  2016-03-08 13:42           ` Stephen Smalley
  0 siblings, 2 replies; 16+ messages in thread
From: William Roberts @ 2016-03-08  1:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Richard Haines, Roberts, William C, selinux

[-- Attachment #1: Type: text/plain, Size: 2640 bytes --]

On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>
>> On 03/07/2016 10:41 AM, Richard Haines wrote:
>>
>>>
>>>
>>>
>>>
>>>
>>> On Saturday, 5 March 2016, 14:48, Richard Haines
>>>> <richard_c_haines@btinternet.com> wrote:
>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> On Friday, 4 March 2016, 21:18, "Roberts, William C"
>>>> <william.c.roberts@intel.com> wrote:
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> How can one obtain the same value as
>>>>> /sys/fs/selinux/initial_contexts/file
>>>>>
>>>> via libsepol?
>>>>
>>>>>
>>>>> I’ve been digging around libsepol and its not quite clear to me.
>>>>>
>>>>> It looks as though the record is here:
>>>>>                  context_struct_t *a = &((policydb_t
>>>>>
>>>> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>>
>>>>>                  context_struct_t *b = &((policydb_t
>>>>>
>>>> *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>>>
>>>>>
>>>>>                  printf("%u\n", a->type);
>>>>>                  printf("%u\n",b->type);
>>>>>
>>>>> Prints:
>>>>> 185
>>>>> 0
>>>>>
>>>>> Not sure if this is right, and how to format the context struct to a
>>>>> string.
>>>>>
>>>> I didn’t see any helpers.
>>>>
>>>>>
>>>>>
>>>>
>>>>>
>>> I've attached an example, hope it's useful
>>>>
>>>
>>> I've updated the example with more detail and display SID name using
>>> SID value not counter.
>>>
>>>
>> Any particular reason you didn't use sepol_sid_to_context()?
>>
>
> I guess context_to_string() on the context structure would work better for
> your purposes.   sepol_sid_to_context() would require loading the sidtab
> via policydb_load_isids() and setting the internal policydb to the one you
> loaded via sepol_set_policydb().



Seems as though it's not an exported API, but it does indeed print something:

code:
char *s;
size_t len;
context_struct_t *a = &((policydb_t
*)pol.db)->ocontexts[OCON_ISID]->context[0];

int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s, &len);

printf("rc: %d\n", rc);
printf("con: %s\n", s);

prints:
  rc: 0
  con: u:object_r:null_device:s0

However, I am after the initial sid for file, which this isn't it... is it
in the ocontexts array under a different index?

Bill


>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.
>



-- 
Respectfully,

William C Roberts

[-- Attachment #2: Type: text/html, Size: 6229 bytes --]


* Re: initial_sid context via libsepol
  2016-03-08  1:32         ` William Roberts
@ 2016-03-08 13:12           ` Richard Haines
  2016-03-08 13:35             ` Richard Haines
  2016-03-08 13:49             ` Christopher J. PeBenito
  2016-03-08 13:42           ` Stephen Smalley
  1 sibling, 2 replies; 16+ messages in thread
From: Richard Haines @ 2016-03-08 13:12 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux, Stephen Smalley





On Tuesday, 8 March 2016, 1:32, William Roberts <bill.c.roberts@gmail.com> wrote:


>
>
>
>
>
>
>On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
>On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>>
>>On 03/07/2016 10:41 AM, Richard Haines wrote:
>>>
>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>On Saturday, 5 March 2016, 14:48, Richard Haines
>>>>><richard_c_haines@btinternet.com> wrote:
>>>>>
>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>On Friday, 4 March 2016, 21:18, "Roberts, William C"
>>>>><william.c.roberts@intel.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>How can one obtain the same value as
>>>>>>/sys/fs/selinux/initial_contexts/file
>>>>>>
via libsepol?
>>>>>
>>>>>
>>>>>>I’ve been digging around libsepol and its not quite clear to me.
>>>>>>
>>>>>>It looks as though the record is here:
>>>>>>                 context_struct_t *a = &((policydb_t
>>>>>>
*)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>>>
>>>>>                 context_struct_t *b = &((policydb_t
>>>>>>
*)pol.db)->ocontexts[OCON_ISID]->context[1];
>>>>>
>>>>>
>>>>>>                 printf("%u\n", a->type);
>>>>>>                 printf("%u\n",b->type);
>>>>>>
>>>>>>Prints:
>>>>>>185
>>>>>>0
>>>>>>
>>>>>>Not sure if this is right, and how to format the context struct to a
>>>>>>string.
>>>>>>
I didn’t see any helpers.
>>>>>
>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>>
>>>>
>>>>I've attached an example, hope it's useful
>>>>>
>>>>I've updated the example with more detail and display SID name using
>>>>SID value not counter.
>>>>
>>>>
>>>Any particular reason you didn't use sepol_sid_to_context()?
>>>
>>
I guess context_to_string() on the context structure would work better for your purposes.   sepol_sid_to_context() would require loading the sidtab via policydb_load_isids() and setting the internal policydb to the one you loaded via sepol_set_policydb().
>
>
>
>
>Seems as though its not exported api, but it does indeed print something:
> 
>code:
>char *s;
>size_t len;
>context_struct_t *a = &((policydb_t *)pol.db)->ocontexts[OCON_ISID]->context[0];
>
>
>int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s, &len);
>
>
>printf("rc: %d\n", rc);
>printf("con: %s\n", s);
>
>
>prints:
>  rc: 0
>  con: u:object_r:null_device:s0
>
>
>However, I am after the initial sid for file, which this isn't it... is it in the ocontexts array under a different index?

>

From what I can see, the only ways for you to get the context of a specifically
named initial SID are to:

1) If working on the active policy then read /sys/fs/selinux/initial_contexts
for the specific name.

2) If working on a binary policy that has been loaded by libsepol for
investigation, then I guess the official answer would be "you cannot do
this", simply because the names are not held in the binary policy.

What you could do is:

a) Load the initial_sid_to_string.h or the policy initial_sids file and search
through it for a match. This will give the offset and would (by magic) give
the initial SID value (e.g. "file" = 5) as it just so happens that the
initial SIDs start at '1' in a standard SELinux system. You can then obtain
the context string.

b) Or you could just say they start at 1 and I know "file" is the 5th entry !!

c) Modify policy, kernel etc. to add the names.

Unless someone knows another way !!!!

>
>Bill
> 
>
>>
>>_______________________________________________
>>Selinux mailing list
>>Selinux@tycho.nsa.gov
>>To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>>
>
>
>
>-- 
>
>Respectfully,
>
>William C Roberts
>
>
>
>
>


* Re: initial_sid context via libsepol
  2016-03-08 13:12           ` Richard Haines
@ 2016-03-08 13:35             ` Richard Haines
  2016-03-08 13:49             ` Christopher J. PeBenito
  1 sibling, 0 replies; 16+ messages in thread
From: Richard Haines @ 2016-03-08 13:35 UTC (permalink / raw)
  To: William Roberts; +Cc: Stephen Smalley, selinux






> On Tuesday, 8 March 2016, 13:17, Richard Haines <richard_c_haines@btinternet.com> wrote:
> > 
> 
> 
> 
> On Tuesday, 8 March 2016, 1:32, William Roberts <bill.c.roberts@gmail.com> 
> wrote:
> 
> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov> 
> wrote:
>> 
>> On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>>> 
>>> On 03/07/2016 10:41 AM, Richard Haines wrote:
>>>> 
>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On Saturday, 5 March 2016, 14:48, Richard Haines
>>>>>> <richard_c_haines@btinternet.com> wrote:
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Friday, 4 March 2016, 21:18, "Roberts, William 
> C"
>>>>>> <william.c.roberts@intel.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> How can one obtain the same value as
>>>>>>> /sys/fs/selinux/initial_contexts/file
>>>>>>> 
> via libsepol?
>>>>>> 
>>>>>> 
>>>>>>> I’ve been digging around libsepol and its not quite 
> clear to me.
>>>>>>> 
>>>>>>> It looks as though the record is here:
>>>>>>>                  context_struct_t *a = &((policydb_t
>>>>>>> 
> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>>>> 
>>>>>>                  context_struct_t *b = &((policydb_t
>>>>>>> 
> *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>>>>> 
>>>>>> 
>>>>>>>                  printf("%u\n", 
> a->type);
>>>>>>>                 
> printf("%u\n",b->type);
>>>>>>> 
>>>>>>> Prints:
>>>>>>> 185
>>>>>>> 0
>>>>>>> 
>>>>>>> Not sure if this is right, and how to format the context 
> struct to a
>>>>>>> string.
>>>>>>> 
> I didn’t see any helpers.
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> 
>>>>> 
>>>>> I've attached an example, hope it's useful
>>>>>> 
>>>>> I've updated the example with more detail and display SID 
> name using
>>>>> SID value not counter.
>>>>> 
>>>>> 
>>>> Any particular reason you didn't use sepol_sid_to_context()?
>>>> 
>>> 
> I guess context_to_string() on the context structure would work better for your 
> purposes.   sepol_sid_to_context() would require loading the sidtab via 
> policydb_load_isids() and setting the internal policydb to the one you loaded 
> via sepol_set_policydb().
>> 
>> 
>> 
>> 
>> Seems as though its not exported api, but it does indeed print something:
>> 
>> code:
>> char *s;
>> size_t len;
>> context_struct_t *a = &((policydb_t 
> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>> 
>> 
>> int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s, 
> &len);
>> 
>> 
>> printf("rc: %d\n", rc);
>> printf("con: %s\n", s);
>> 
>> 
>> prints:
>>   rc: 0
>>   con: u:object_r:null_device:s0
>> 
>> 
>> However, I am after the initial sid for file, which this isn't it... is 
> it in the ocontexts array under a different index?
> 
>> 
> 
> From what I can see the only ways for you to get the context of a specifically
> named initial sid, is to:
> 
> 1) If working on the active policy then read /sys/fs/selinux/initial_contexts
> for the specific name.
> 
> 2) If working on a binary policy that has been loaded by libsepol for
> investigation, then I guess the official answer would be "you cannot do
> this", simply because the names are not held in the binary policy.
> 
> What you could do is:
> 
> a) Load the initial_sid_to_string.h or the policy initial_sids file and search
> through it for a match. This will give the offset and would (by magic) give
> the initial SID value (e.g. "file" = 5) as it just so happens that the
> initial SIDs start at '1' in a standard SELinux system. You can then 
> obtain

> the context string.
Sorry missed the bit about using the offset as the index for matching 
the cur->sid[0] value that would then allow the correct context to be
retrieved.

> 
> b) Or you could just say they start at 1 and I know "file" is the 5th 
> entry !!
> 
> c) Modify policy, kernel etc. to add the names.
> 
> Unless someone knows another way !!!!
> 
>> 
>> Bill
>> 
>> 
>>> 
>>> _______________________________________________
>>> Selinux mailing list
>>> Selinux@tycho.nsa.gov
>>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>>> To get help, send an email containing "help" to 
> Selinux-request@tycho.nsa.gov.
>>> 
>> 
>> 
>> 
>> -- 
>> 
>> Respectfully,
>> 
>> William C Roberts
> 
>> 
>> 
>> 
>> 
>> 
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to 
> Selinux-request@tycho.nsa.gov.
>


* Re: initial_sid context via libsepol
  2016-03-08  1:32         ` William Roberts
  2016-03-08 13:12           ` Richard Haines
@ 2016-03-08 13:42           ` Stephen Smalley
  2016-03-09  5:18             ` William Roberts
  1 sibling, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2016-03-08 13:42 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux

On 03/07/2016 08:32 PM, William Roberts wrote:
>
>
> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov
> <mailto:sds@tycho.nsa.gov>> wrote:
>
>     On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>
>         On 03/07/2016 10:41 AM, Richard Haines wrote:
>
>
>
>
>
>
>                 On Saturday, 5 March 2016, 14:48, Richard Haines
>                 <richard_c_haines@btinternet.com
>                 <mailto:richard_c_haines@btinternet.com>> wrote:
>
>
>
>
>
>                 On Friday, 4 March 2016, 21:18, "Roberts, William C"
>                 <william.c.roberts@intel.com
>                 <mailto:william.c.roberts@intel.com>> wrote:
>
>
>
>
>
>
>                     How can one obtain the same value as
>                     /sys/fs/selinux/initial_contexts/file
>
>                 via libsepol?
>
>
>                     I’ve been digging around libsepol and its not quite
>                     clear to me.
>
>                     It looks as though the record is here:
>                                       context_struct_t *a = &((policydb_t
>
>                 *)pol.db)->ocontexts[OCON_ISID]->context[0];
>
>                                       context_struct_t *b = &((policydb_t
>
>                 *)pol.db)->ocontexts[OCON_ISID]->context[1];
>
>
>                                       printf("%u\n", a->type);
>                                       printf("%u\n",b->type);
>
>                     Prints:
>                     185
>                     0
>
>                     Not sure if this is right, and how to format the
>                     context struct to a
>                     string.
>
>                 I didn’t see any helpers.
>
>
>
>
>
>                 I've attached an example, hope it's useful
>
>
>             I've updated the example with more detail and display SID
>             name using
>             SID value not counter.
>
>
>         Any particular reason you didn't use sepol_sid_to_context()?
>
>
>     I guess context_to_string() on the context structure would work
>     better for your purposes.   sepol_sid_to_context() would require
>     loading the sidtab via policydb_load_isids() and setting the
>     internal policydb to the one you loaded via sepol_set_policydb().
>
>
>
> Seems as though its not exported api, but it does indeed print something:
> code:
> char *s;
> size_t len;
> context_struct_t *a = &((policydb_t
> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>
> int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s, &len);
>
> printf("rc: %d\n", rc);
> printf("con: %s\n", s);
>
> prints:
>    rc: 0
>    con: u:object_r:null_device:s0
>
> However, I am after the initial sid for file, which this isn't it... is
> it in the ocontexts array under a different index?

ocontext[OCON_ISID] points to the head of a linked list of initial SIDs, 
with the SID values in ->sid[0] and the context structures in ->context[0]. 
Richard's sample program showed you how to walk it and print out all 
the entries.  The symbolic names themselves aren't in the policydb, as 
he noted; you can grab them from the kernel source 
(linux/security/selinux/include/initial_sid_to_string.h) or from the 
refpolicy (run make in refpolicy/policy/flask and grab 
kernel/initial_sid_to_string.h).


* Re: initial_sid context via libsepol
  2016-03-08 13:12           ` Richard Haines
  2016-03-08 13:35             ` Richard Haines
@ 2016-03-08 13:49             ` Christopher J. PeBenito
  1 sibling, 0 replies; 16+ messages in thread
From: Christopher J. PeBenito @ 2016-03-08 13:49 UTC (permalink / raw)
  To: Richard Haines, William Roberts; +Cc: Stephen Smalley, selinux

On 3/8/2016 8:12 AM, Richard Haines wrote:
> On Tuesday, 8 March 2016, 1:32, William Roberts <bill.c.roberts@gmail.com> wrote:
>> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>>> On 03/07/2016 10:41 AM, Richard Haines wrote:
>>>>> On Saturday, 5 March 2016, 14:48, Richard Haines
>>>>>> <richard_c_haines@btinternet.com> wrote:
>>>>>> On Friday, 4 March 2016, 21:18, "Roberts, William C"
>>>>>> <william.c.roberts@intel.com> wrote:
>>>>>>>
>>>>>>> How can one obtain the same value as
>>>>>>> /sys/fs/selinux/initial_contexts/file via libsepol?
>>>>>>
> 
> From what I can see the only ways for you to get the context of a specifically
> named initial sid, is to:
> 
> 1) If working on the active policy then read /sys/fs/selinux/initial_contexts
> for the specific name.
> 
> 2) If working on a binary policy that has been loaded by libsepol for
> investigation, then I guess the official answer would be "you cannot do
> this", simply because the names are not held in the binary policy.
> 
> What you could do is:
> 
> a) Load the initial_sid_to_string.h or the policy initial_sids file and search
> through it for a match. This will give the offset and would (by magic) give
> the initial SID value (e.g. "file" = 5) as it just so happens that the
> initial SIDs start at '1' in a standard SELinux system. You can then obtain
> the context string.
> 
> b) Or you could just say they start at 1 and I know "file" is the 5th entry !!
> 
> c) Modify policy, kernel etc. to add the names.
> 
> Unless someone knows another way !!!!

I realize this is about libsepol, but if you happen to have setools3
available, it can also retrieve this information, e.g.

$ seinfo --initialsid=node -x
                node:  system_u:object_r:node_t:s0

So in your program you could use the libapol library functions and look
it up in /sys/fs/selinux/policy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* Re: initial_sid context via libsepol
  2016-03-08 13:42           ` Stephen Smalley
@ 2016-03-09  5:18             ` William Roberts
  2016-03-09 14:09               ` Stephen Smalley
  0 siblings, 1 reply; 16+ messages in thread
From: William Roberts @ 2016-03-09  5:18 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


On Mar 8, 2016 05:41, "Stephen Smalley" <sds@tycho.nsa.gov> wrote:
>
> On 03/07/2016 08:32 PM, William Roberts wrote:
>>
>>
>>
>> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov
>> <mailto:sds@tycho.nsa.gov>> wrote:
>>
>>     On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>>
>>         On 03/07/2016 10:41 AM, Richard Haines wrote:
>>
>>
>>
>>
>>
>>
>>                 On Saturday, 5 March 2016, 14:48, Richard Haines
>>                 <richard_c_haines@btinternet.com
>>                 <mailto:richard_c_haines@btinternet.com>> wrote:
>>
>>
>>
>>
>>
>>                 On Friday, 4 March 2016, 21:18, "Roberts, William C"
>>                 <william.c.roberts@intel.com
>>                 <mailto:william.c.roberts@intel.com>> wrote:
>>
>>
>>
>>
>>
>>
>>                     How can one obtain the same value as
>>                     /sys/fs/selinux/initial_contexts/file
>>
>>                 via libsepol?
>>
>>
>>                     I’ve been digging around libsepol and its not quite
>>                     clear to me.
>>
>>                     It looks as though the record is here:
>>                                       context_struct_t *a = &((policydb_t
>>
>>                 *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>
>>                                       context_struct_t *b = &((policydb_t
>>
>>                 *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>
>>
>>                                       printf("%u\n", a->type);
>>                                       printf("%u\n",b->type);
>>
>>                     Prints:
>>                     185
>>                     0
>>
>>                     Not sure if this is right, and how to format the
>>                     context struct to a
>>                     string.
>>
>>                 I didn’t see any helpers.
>>
>>
>>
>>
>>
>>                 I've attached an example, hope it's useful
>>
>>
>>             I've updated the example with more detail and display SID
>>             name using
>>             SID value not counter.
>>
>>
>>         Any particular reason you didn't use sepol_sid_to_context()?
>>
>>
>>     I guess context_to_string() on the context structure would work
>>     better for your purposes.   sepol_sid_to_context() would require
>>     loading the sidtab via policydb_load_isids() and setting the
>>     internal policydb to the one you loaded via sepol_set_policydb().
>>
>>
>>
>> Seems as though its not exported api, but it does indeed print something:
>> code:
>> char *s;
>> size_t len;
>> context_struct_t *a = &((policydb_t
>> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>
>> int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s,
&len);
>>
>> printf("rc: %d\n", rc);
>> printf("con: %s\n", s);
>>
>> prints:
>>    rc: 0
>>    con: u:object_r:null_device:s0
>>
>> However, I am after the initial sid for file, which this isn't it... is
>> it in the ocontexts array under a different index?
>
>
> ocontext[OCON_ISID] points to the head of a linked list of initial SIDs,
with the values in ->sid[0] and the context structures in ->context[0].
Richard's sample program showed you how to walk it and print out all the
entries.  The symbolic names themselves aren't in the policydb, as he
noted; you can grab it from the kernel source
(linux/security/selinux/include/initial_sid_to_string.h) or from the
refpolicy (run make in refpolicy/policy/flask and grab
kernel/initial_sid_to_string.h).

I was hoping there was something I was missing between what you were
posting and Richard's sample. It looks like it's all by ordinal, so
(conjecturing here) the initial SID ordering in the policy must match the
kernel header ordering, as far as I can tell. Is that right?

Something must remap it in the kernel from initial sid to class.

I was hoping there would be a clean way to grab this from the policy for
use in fs_config tools under build, but just hard coding the default
context string seems to be the best approach.

>



* Re: initial_sid context via libsepol
  2016-03-09  5:18             ` William Roberts
@ 2016-03-09 14:09               ` Stephen Smalley
  2016-03-09 15:37                 ` William Roberts
  2016-03-09 15:42                 ` Stephen Smalley
  0 siblings, 2 replies; 16+ messages in thread
From: Stephen Smalley @ 2016-03-09 14:09 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux

On 03/09/2016 12:18 AM, William Roberts wrote:
>
> On Mar 8, 2016 05:41, "Stephen Smalley" <sds@tycho.nsa.gov
> <mailto:sds@tycho.nsa.gov>> wrote:
>  >
>  > On 03/07/2016 08:32 PM, William Roberts wrote:
>  >>
>  >>
>  >>
>  >> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov
> <mailto:sds@tycho.nsa.gov>
>  >> <mailto:sds@tycho.nsa.gov <mailto:sds@tycho.nsa.gov>>> wrote:
>  >>
>  >>     On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>  >>
>  >>         On 03/07/2016 10:41 AM, Richard Haines wrote:
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>                 On Saturday, 5 March 2016, 14:48, Richard Haines
>  >>                 <richard_c_haines@btinternet.com
> <mailto:richard_c_haines@btinternet.com>
>  >>                 <mailto:richard_c_haines@btinternet.com
> <mailto:richard_c_haines@btinternet.com>>> wrote:
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>                 On Friday, 4 March 2016, 21:18, "Roberts, William C"
>  >>                 <william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>
>  >>                 <mailto:william.c.roberts@intel.com
> <mailto:william.c.roberts@intel.com>>> wrote:
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>                     How can one obtain the same value as
>  >>                     /sys/fs/selinux/initial_contexts/file
>  >>
>  >>                 via libsepol?
>  >>
>  >>
>  >>                     I’ve been digging around libsepol and its not quite
>  >>                     clear to me.
>  >>
>  >>                     It looks as though the record is here:
>  >>                                       context_struct_t *a =
> &((policydb_t
>  >>
>  >>                 *)pol.db)->ocontexts[OCON_ISID]->context[0];
>  >>
>  >>                                       context_struct_t *b =
> &((policydb_t
>  >>
>  >>                 *)pol.db)->ocontexts[OCON_ISID]->context[1];
>  >>
>  >>
>  >>                                       printf("%u\n", a->type);
>  >>                                       printf("%u\n",b->type);
>  >>
>  >>                     Prints:
>  >>                     185
>  >>                     0
>  >>
>  >>                     Not sure if this is right, and how to format the
>  >>                     context struct to a
>  >>                     string.
>  >>
>  >>                 I didn’t see any helpers.
>  >>
>  >>
>  >>
>  >>
>  >>
>  >>                 I've attached an example, hope it's useful
>  >>
>  >>
>  >>             I've updated the example with more detail and display SID
>  >>             name using
>  >>             SID value not counter.
>  >>
>  >>
>  >>         Any particular reason you didn't use sepol_sid_to_context()?
>  >>
>  >>
>  >>     I guess context_to_string() on the context structure would work
>  >>     better for your purposes.   sepol_sid_to_context() would require
>  >>     loading the sidtab via policydb_load_isids() and setting the
>  >>     internal policydb to the one you loaded via sepol_set_policydb().
>  >>
>  >>
>  >>
>  >> Seems as though its not exported api, but it does indeed print
> something:
>  >> code:
>  >> char *s;
>  >> size_t len;
>  >> context_struct_t *a = &((policydb_t
>  >> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>  >>
>  >> int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s,
> &len);
>  >>
>  >> printf("rc: %d\n", rc);
>  >> printf("con: %s\n", s);
>  >>
>  >> prints:
>  >>    rc: 0
>  >>    con: u:object_r:null_device:s0
>  >>
>  >> However, I am after the initial sid for file, which this isn't it... is
>  >> it in the ocontexts array under a different index?
>  >
>  >
>  > ocontext[OCON_ISID] points to the head of a linked list of initial
> SIDs, with the values in ->sid[0] and the context structures in
> ->context[0].  Richard's sample program showed you how to walk it and
> print out all the entries.  The symbolic names themselves aren't in the
> policydb, as he noted; you can grab it from the kernel source
> (linux/security/selinux/include/initial_sid_to_string.h) or from the
> refpolicy (run make in refpolicy/policy/flask and grab
> kernel/initial_sid_to_string.h).
>
> I was hoping there was something I was missing between what you were
> posting and Richards sample. Looks like it's all by ordinal, so
> (conjecturing here) initial sid ordering must match the kernel header
> ordering as far as I can tell, is that right?
>
> Something must remap it in the kernel from initial sid to class.
>
> I was hoping there would be a clean way to grab this from the policy for
> use in fs_config tools under build, but just hard coding the default
> context string seems to be the best approach.

I don't know what you are doing, but the initial SID context is not what 
you want for fs_config.  You want the result of selabel_lookup(), just 
as is done by system/extras/ext4_utils to label files in the generated 
images.


* Re: initial_sid context via libsepol
  2016-03-09 14:09               ` Stephen Smalley
@ 2016-03-09 15:37                 ` William Roberts
  2016-03-09 17:12                   ` William Roberts
  2016-03-09 15:42                 ` Stephen Smalley
  1 sibling, 1 reply; 16+ messages in thread
From: William Roberts @ 2016-03-09 15:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


>
> <snip>
>> SIDs, with the values in ->sid[0] and the context structures in
>> ->context[0].  Richard's sample program showed you how to walk it and
>> print out all the entries.  The symbolic names themselves aren't in the
>> policydb, as he noted; you can grab it from the kernel source
>> (linux/security/selinux/include/initial_sid_to_string.h) or from the
>> refpolicy (run make in refpolicy/policy/flask and grab
>> kernel/initial_sid_to_string.h).
>>
>> I was hoping there was something I was missing between what you were
>> posting and Richards sample. Looks like it's all by ordinal, so
>> (conjecturing here) initial sid ordering must match the kernel header
>> ordering as far as I can tell, is that right?
>>
>> Something must remap it in the kernel from initial sid to class.
>>
>> I was hoping there would be a clean way to grab this from the policy for
>> use in fs_config tools under build, but just hard coding the default
>> context string seems to be the best approach.
>>
>
> I don't know what you are doing, but the initial SID context is not what
> you want for fs_config.  You want the result of selabel_lookup(), just as
> is done by system/extras/ext4_utils to label files in the generated images.
>
>
>
>
I came across this in build/tools/fs_config/fs_config.c:


      char* secontext;
      if (selabel_lookup(sehnd, &secontext, full_name, ( mode | (is_dir ?
S_IFDIR : S_IFREG)))) {
        secontext = strdup("u:object_r:unlabeled:s0");
      }

      printf(" selabel=%s", secontext);
      free(full_name);
      freecon(secontext);


commit 0eb17d944704b3eb140bb9dded299d3be3aed77e
Author: Nick Kralevich <nnk@google.com>

I was just poking around at things to figure out what the intent is.

I am assuming that if I have something like /foobar, labeling will fail since
there is no matching file_contexts entry. At that point
you would want to default to the initial SID context for file.

I was investigating how difficult it would be to avoid hardcoding this value
and retrieve it from sepol instead, which seems
like more work than it's worth.

-- 
Respectfully,

William C Roberts



* Re: initial_sid context via libsepol
  2016-03-09 14:09               ` Stephen Smalley
  2016-03-09 15:37                 ` William Roberts
@ 2016-03-09 15:42                 ` Stephen Smalley
  2016-03-09 15:45                   ` William Roberts
  1 sibling, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2016-03-09 15:42 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux

On 03/09/2016 09:09 AM, Stephen Smalley wrote:
> On 03/09/2016 12:18 AM, William Roberts wrote:
>>
>> On Mar 8, 2016 05:41, "Stephen Smalley" <sds@tycho.nsa.gov
>> <mailto:sds@tycho.nsa.gov>> wrote:
>>  >
>>  > On 03/07/2016 08:32 PM, William Roberts wrote:
>>  >>
>>  >>
>>  >>
>>  >> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov
>> <mailto:sds@tycho.nsa.gov>
>>  >> <mailto:sds@tycho.nsa.gov <mailto:sds@tycho.nsa.gov>>> wrote:
>>  >>
>>  >>     On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>>  >>
>>  >>         On 03/07/2016 10:41 AM, Richard Haines wrote:
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>                 On Saturday, 5 March 2016, 14:48, Richard Haines
>>  >>                 <richard_c_haines@btinternet.com
>> <mailto:richard_c_haines@btinternet.com>
>>  >>                 <mailto:richard_c_haines@btinternet.com
>> <mailto:richard_c_haines@btinternet.com>>> wrote:
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>                 On Friday, 4 March 2016, 21:18, "Roberts, William C"
>>  >>                 <william.c.roberts@intel.com
>> <mailto:william.c.roberts@intel.com>
>>  >>                 <mailto:william.c.roberts@intel.com
>> <mailto:william.c.roberts@intel.com>>> wrote:
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>                     How can one obtain the same value as
>>  >>                     /sys/fs/selinux/initial_contexts/file
>>  >>
>>  >>                 via libsepol?
>>  >>
>>  >>
>>  >>                     I’ve been digging around libsepol and its not
>> quite
>>  >>                     clear to me.
>>  >>
>>  >>                     It looks as though the record is here:
>>  >>                                       context_struct_t *a =
>> &((policydb_t
>>  >>
>>  >>                 *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>  >>
>>  >>                                       context_struct_t *b =
>> &((policydb_t
>>  >>
>>  >>                 *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>  >>
>>  >>
>>  >>                                       printf("%u\n", a->type);
>>  >>                                       printf("%u\n",b->type);
>>  >>
>>  >>                     Prints:
>>  >>                     185
>>  >>                     0
>>  >>
>>  >>                     Not sure if this is right, and how to format the
>>  >>                     context struct to a
>>  >>                     string.
>>  >>
>>  >>                 I didn’t see any helpers.
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>
>>  >>                 I've attached an example, hope it's useful
>>  >>
>>  >>
>>  >>             I've updated the example with more detail and display SID
>>  >>             name using
>>  >>             SID value not counter.
>>  >>
>>  >>
>>  >>         Any particular reason you didn't use sepol_sid_to_context()?
>>  >>
>>  >>
>>  >>     I guess context_to_string() on the context structure would work
>>  >>     better for your purposes.   sepol_sid_to_context() would require
>>  >>     loading the sidtab via policydb_load_isids() and setting the
>>  >>     internal policydb to the one you loaded via sepol_set_policydb().
>>  >>
>>  >>
>>  >>
>>  >> Seems as though its not exported api, but it does indeed print
>> something:
>>  >> code:
>>  >> char *s;
>>  >> size_t len;
>>  >> context_struct_t *a = &((policydb_t
>>  >> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>  >>
>>  >> int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s,
>> &len);
>>  >>
>>  >> printf("rc: %d\n", rc);
>>  >> printf("con: %s\n", s);
>>  >>
>>  >> prints:
>>  >>    rc: 0
>>  >>    con: u:object_r:null_device:s0
>>  >>
>>  >> However, I am after the initial sid for file, which this isn't
>> it... is
>>  >> it in the ocontexts array under a different index?
>>  >
>>  >
>>  > ocontext[OCON_ISID] points to the head of a linked list of initial
>> SIDs, with the values in ->sid[0] and the context structures in
>> ->context[0].  Richard's sample program showed you how to walk it and
>> print out all the entries.  The symbolic names themselves aren't in the
>> policydb, as he noted; you can grab it from the kernel source
>> (linux/security/selinux/include/initial_sid_to_string.h) or from the
>> refpolicy (run make in refpolicy/policy/flask and grab
>> kernel/initial_sid_to_string.h).
>>
>> I was hoping there was something I was missing between what you were
>> posting and Richards sample. Looks like it's all by ordinal, so
>> (conjecturing here) initial sid ordering must match the kernel header
>> ordering as far as I can tell, is that right?
>>
>> Something must remap it in the kernel from initial sid to class.
>>
>> I was hoping there would be a clean way to grab this from the policy for
>> use in fs_config tools under build, but just hard coding the default
>> context string seems to be the best approach.
>
> I don't know what you are doing, but the initial SID context is not what
> you want for fs_config.  You want the result of selabel_lookup(), just
> as is done by system/extras/ext4_utils to label files in the generated
> images.

Oh, I see - you are trying to replace the hardcoded 
"u:object_r:unlabeled:s0" fallback in fs_config.c when selabel_lookup() 
fails.  Worthy goal, but I don't think trying to use an initial SID 
context is the right approach.  I guess the question is whether 
selabel_lookup() failure ought to just be a hard error for fs_config; if 
the file does not match any expression in file_contexts, then that 
reflects a gap in the file_contexts configuration that should be filled. 
  We don't actually want any files with the unlabeled context; the rules 
for unlabeled in the policy are just for upgrading from pre-SELinux 
devices with unlabeled /data.


* Re: initial_sid context via libsepol
  2016-03-09 15:42                 ` Stephen Smalley
@ 2016-03-09 15:45                   ` William Roberts
  0 siblings, 0 replies; 16+ messages in thread
From: William Roberts @ 2016-03-09 15:45 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux


On Wed, Mar 9, 2016 at 7:42 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On 03/09/2016 09:09 AM, Stephen Smalley wrote:
>
>> On 03/09/2016 12:18 AM, William Roberts wrote:
>>
>>>
>>> On Mar 8, 2016 05:41, "Stephen Smalley" <sds@tycho.nsa.gov
>>> <mailto:sds@tycho.nsa.gov>> wrote:
>>>  >
>>>  > On 03/07/2016 08:32 PM, William Roberts wrote:
>>>  >>
>>>  >>
>>>  >>
>>>  >> On Mon, Mar 7, 2016 at 12:32 PM, Stephen Smalley <sds@tycho.nsa.gov
>>> <mailto:sds@tycho.nsa.gov>
>>>  >> <mailto:sds@tycho.nsa.gov <mailto:sds@tycho.nsa.gov>>> wrote:
>>>  >>
>>>  >>     On 03/07/2016 01:44 PM, Stephen Smalley wrote:
>>>  >>
>>>  >>         On 03/07/2016 10:41 AM, Richard Haines wrote:
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>                 On Saturday, 5 March 2016, 14:48, Richard Haines
>>>  >>                 <richard_c_haines@btinternet.com
>>> <mailto:richard_c_haines@btinternet.com>
>>>  >>                 <mailto:richard_c_haines@btinternet.com
>>> <mailto:richard_c_haines@btinternet.com>>> wrote:
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>                 On Friday, 4 March 2016, 21:18, "Roberts, William C"
>>>  >>                 <william.c.roberts@intel.com
>>> <mailto:william.c.roberts@intel.com>
>>>  >>                 <mailto:william.c.roberts@intel.com
>>> <mailto:william.c.roberts@intel.com>>> wrote:
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>                     How can one obtain the same value as
>>>  >>                     /sys/fs/selinux/initial_contexts/file
>>>  >>
>>>  >>                 via libsepol?
>>>  >>
>>>  >>
>>>  >>                     I’ve been digging around libsepol and its not
>>> quite
>>>  >>                     clear to me.
>>>  >>
>>>  >>                     It looks as though the record is here:
>>>  >>                                       context_struct_t *a =
>>> &((policydb_t
>>>  >>
>>>  >>                 *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>  >>
>>>  >>                                       context_struct_t *b =
>>> &((policydb_t
>>>  >>
>>>  >>                 *)pol.db)->ocontexts[OCON_ISID]->context[1];
>>>  >>
>>>  >>
>>>  >>                                       printf("%u\n", a->type);
>>>  >>                                       printf("%u\n",b->type);
>>>  >>
>>>  >>                     Prints:
>>>  >>                     185
>>>  >>                     0
>>>  >>
>>>  >>                     Not sure if this is right, and how to format the
>>>  >>                     context struct to a
>>>  >>                     string.
>>>  >>
>>>  >>                 I didn’t see any helpers.
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>
>>>  >>                 I've attached an example, hope it's useful
>>>  >>
>>>  >>
>>>  >>             I've updated the example with more detail and display SID
>>>  >>             name using
>>>  >>             SID value not counter.
>>>  >>
>>>  >>
>>>  >>         Any particular reason you didn't use sepol_sid_to_context()?
>>>  >>
>>>  >>
>>>  >>     I guess context_to_string() on the context structure would work
>>>  >>     better for your purposes.   sepol_sid_to_context() would require
>>>  >>     loading the sidtab via policydb_load_isids() and setting the
>>>  >>     internal policydb to the one you loaded via sepol_set_policydb().
>>>  >>
>>>  >>
>>>  >>
>>>  >> Seems as though its not exported api, but it does indeed print
>>> something:
>>>  >> code:
>>>  >> char *s;
>>>  >> size_t len;
>>>  >> context_struct_t *a = &((policydb_t
>>>  >> *)pol.db)->ocontexts[OCON_ISID]->context[0];
>>>  >>
>>>  >> int rc = context_to_string(pol.handle, (policydb_t *)pol.db, a, &s,
>>> &len);
>>>  >>
>>>  >> printf("rc: %d\n", rc);
>>>  >> printf("con: %s\n", s);
>>>  >>
>>>  >> prints:
>>>  >>    rc: 0
>>>  >>    con: u:object_r:null_device:s0
>>>  >>
>>>  >> However, I am after the initial sid for file, which this isn't
>>> it... is
>>>  >> it in the ocontexts array under a different index?
>>>  >
>>>  >
>>>  > ocontext[OCON_ISID] points to the head of a linked list of initial
>>> SIDs, with the values in ->sid[0] and the context structures in
>>> ->context[0].  Richard's sample program showed you how to walk it and
>>> print out all the entries.  The symbolic names themselves aren't in the
>>> policydb, as he noted; you can grab it from the kernel source
>>> (linux/security/selinux/include/initial_sid_to_string.h) or from the
>>> refpolicy (run make in refpolicy/policy/flask and grab
>>> kernel/initial_sid_to_string.h).
>>>
>>> I was hoping there was something I was missing between what you were
>>> posting and Richards sample. Looks like it's all by ordinal, so
>>> (conjecturing here) initial sid ordering must match the kernel header
>>> ordering as far as I can tell, is that right?
>>>
>>> Something must remap it in the kernel from initial sid to class.
>>>
>>> I was hoping there would be a clean way to grab this from the policy for
>>> use in fs_config tools under build, but just hard coding the default
>>> context string seems to be the best approach.
>>>
>>
>> I don't know what you are doing, but the initial SID context is not what
>> you want for fs_config.  You want the result of selabel_lookup(), just
>> as is done by system/extras/ext4_utils to label files in the generated
>> images.
>>
>
> Oh, I see - you are trying to replace the hardcoded
> "u:object_r:unlabeled:s0" fallback in fs_config.c when selabel_lookup()
> fails.  Worthy goal, but I don't think trying to use an initial SID context
> is the right approach.  I guess the question is whether selabel_lookup()
> failure ought to just be a hard error for fs_config; if the file does not
> match any expression in file_contexts, then that reflects a gap in the
> file_contexts configuration that should be filled.  We don't actually want
> any files with the unlabeled context; the rules for unlabeled in the policy
> are just for upgrading from pre-SELinux devices with unlabeled /data.
>

Yeah, I was trying to understand why it's not a hard failure. I was thinking
that at boot the file_contexts would relabel it, but that would be the same
file_contexts as packaged in the OTA, AFAIK.  I think the easiest thing would
be to just ask Nick what his intentions were here and what corner case he was
trying to cover. I haven't been able to get it to take that path in fs_config.c.

I noticed this when doing this work:
https://android-review.googlesource.com/#/q/topic:fs-config

-- 
Respectfully,

William C Roberts



* Re: initial_sid context via libsepol
  2016-03-09 15:37                 ` William Roberts
@ 2016-03-09 17:12                   ` William Roberts
  0 siblings, 0 replies; 16+ messages in thread
From: William Roberts @ 2016-03-09 17:12 UTC (permalink / raw)
  To: Nick Kralevich; +Cc: selinux, Stephen Smalley


>
> <snip>
>


> I came accross this in build/tools/fs_config/fs_config.c:
>
>
>       char* secontext;
>       if (selabel_lookup(sehnd, &secontext, full_name, ( mode | (is_dir ?
> S_IFDIR : S_IFREG)))) {
>         secontext = strdup("u:object_r:unlabeled:s0");
>       }
>
>       printf(" selabel=%s", secontext);
>       free(full_name);
>       freecon(secontext);
>
>
> commit 0eb17d944704b3eb140bb9dded299d3be3aed77e
> Author: Nick Kralevich <nnk@google.com>
>
> I was just poking around at things to figure out what the intent is.
>
> I am assuming that if I have something like /foobar, it will fail on labeling
> since there is no match, at which point
> you would want to default to the initial SID for file.
>
> I was investigating how difficult it would be to not hardcode this value
> and retrieve it from sepol, which seems
> like more work than it's worth.
>
>
>
Nick, this popped up in a discussion recently. I was wondering if you could
shed light on the error path for selabel_lookup() and the conditions
under which it takes that path?

Thanks,
Bill


