* [PATCH v2 0/1] supporting RBACSEP in genhomedircon @ 2016-10-06 11:09 Gary Tierney 2016-10-06 11:09 ` [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content Gary Tierney ` (3 more replies) 0 siblings, 4 replies; 9+ messages in thread From: Gary Tierney @ 2016-10-06 11:09 UTC (permalink / raw) To: selinux New version of the previous genhomedircon-rbacsep patch with some changes. A bit of a delay as I had to get in a libsepol/cil fix which was blocking this. 1. Remove semanage.conf option 2. Drop unrelated change 3. Adds a new homedir_role member to the genhomedircon_user struct. 4. Sets homedir_role if the SELinux users prefix is a valid role for that user. 5. Replaces all roles with homedir_role in context specifications if homedir_role is set. One issue that came up when writing these patches is that genhomedircon squashes logging [1] for some reason, which can result in no warning / info messages and an empty file_contexts.homedirs file if policy has been incorrectly configured. Can we get rid of this behavior or add a flag to conditionally enable logging? Dominick Grift helpfully created some test images that demo DSSP policy working with both RBACSEP and non-RBACEP: https://tfirg.asu.su/2016/10/03/garys-patches/ There are still some rough edges though, for example in policy you can't write a statement like: (userprefix id role) and put it in an abstract namespace, since it is interpreted as a literal: (block usersubj (blockabstract usersubj) (user id) (role role) (userrole id role) (userprefix id role)) (block wheel (blockinherit usersubj)) Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id might even just be id here, haven't checked if users are expanded or also taken as literals]. Though this is something I can look at later if all is well here. [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572 Gary Tierney (1): genhomedircon: use userprefix as the role for homedir content libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) -- 2.4.11 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content 2016-10-06 11:09 [PATCH v2 0/1] supporting RBACSEP in genhomedircon Gary Tierney @ 2016-10-06 11:09 ` Gary Tierney 2016-10-06 13:53 ` Stephen Smalley 2016-10-06 12:17 ` [PATCH v2 0/1] supporting RBACSEP in genhomedircon Dominick Grift ` (2 subsequent siblings) 3 siblings, 1 reply; 9+ messages in thread From: Gary Tierney @ 2016-10-06 11:09 UTC (permalink / raw) To: selinux Treat a users prefix like a mapping to the role for file context specifications in users homedirs. This behavior is only applicable when the users prefix is the identifier of a role which is valid for the given user. If the prefix is not a valid role, then genhomedircon will write contexts out as normal. Additionally, this commit enables configuring RBACSEP in policy: (tunableif enable_rbacsep (true (userprefix user_u user_r) (false (userprefix user_u object_r)))) Signed-off-by: Gary Tierney <gary.tierney@gmx.com> --- libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c index 3fc9e7a..0dd2b29 100644 --- a/libsemanage/src/genhomedircon.c +++ b/libsemanage/src/genhomedircon.c @@ -100,6 +100,7 @@ typedef struct user_entry { char *home; char *level; char *login; + char *homedir_role; struct user_entry *next; } genhomedircon_user_entry_t; @@ -177,6 +178,13 @@ static int ignore(const char *homedir) { return 0; } +static int prefix_is_homedir_role(const semanage_user_t *user, + const char *prefix) +{ + return strcmp(OBJECT_R, prefix) == 0 || + semanage_user_has_role(user, prefix); +} + static semanage_list_t *default_shell_list(void) { semanage_list_t *list = NULL; @@ -638,6 +646,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out, goto fail; } + if (user->homedir_role && + sepol_context_set_role(sepolh, context, user->homedir_role) < 0) { + goto fail; + } + if (sepol_context_to_string(sepolh, context, &new_context_str) < 0) { goto fail; @@ -756,7 +769,7 @@ static int name_user_cmp(char *key, semanage_user_t ** val) static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, const char *u, const char *g, const char *sen, const char *pre, const char *h, const char *l, - const char *ln) + const char *ln, const char *hd_role) { genhomedircon_user_entry_t *temp = NULL; char *name = NULL; @@ -767,6 +780,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, char *home = NULL; char *level = NULL; char *lname = NULL; + char *homedir_role = NULL; temp = malloc(sizeof(genhomedircon_user_entry_t)); if (!temp) @@ -795,6 +809,11 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, lname = strdup(ln); if (!lname) goto cleanup; + if (hd_role) { + homedir_role = strdup(hd_role); + if (!homedir_role) + goto cleanup; + } temp->name = name; temp->uid = uid; @@ -804,6 +823,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, temp->home = home; temp->level = level; temp->login = lname; + temp->homedir_role = homedir_role; temp->next = (*list); (*list) = temp; @@ -818,6 +838,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, free(home); free(level); free(lname); + free(homedir_role); free(temp); return STATUS_ERR; } @@ -839,6 +860,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** list) free(temp->home); free(temp->level); free(temp->login); + free(temp->homedir_role); free(temp); } @@ -852,6 +874,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s) const char *seuname = NULL; const char *prefix = NULL; const char *level = NULL; + const char *homedir_role = NULL; unsigned int i; int retval; int errors = 0; @@ -886,10 +909,14 @@ static int setup_fallback_user(genhomedircon_settings_t * s) level = FALLBACK_LEVEL; } + if (prefix_is_homedir_role(u, prefix)) { + homedir_role = prefix; + } + if (push_user_entry(&(s->fallback), FALLBACK_NAME, FALLBACK_UIDGID, FALLBACK_UIDGID, seuname, prefix, "", level, - FALLBACK_NAME) != 0) + FALLBACK_NAME, homedir_role) != 0) errors = STATUS_ERR; semanage_user_key_free(key); if (u) @@ -946,6 +973,7 @@ static int add_user(genhomedircon_settings_t * s, struct passwd pwstorage, *pwent = NULL; const char *prefix = NULL; const char *level = NULL; + const char *homedir_role = NULL; char uid[11]; char gid[11]; @@ -969,6 +997,10 @@ static int add_user(genhomedircon_settings_t * s, level = FALLBACK_LEVEL; } + if (prefix_is_homedir_role(user, prefix)) { + homedir_role = prefix; + } + retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent); if (retval != 0 || pwent == NULL) { if (retval != 0 && retval != ENOENT) { @@ -1010,7 +1042,7 @@ static int add_user(genhomedircon_settings_t * s, } retval = push_user_entry(head, name, uid, gid, sename, prefix, - pwent->pw_dir, level, selogin); + pwent->pw_dir, level, selogin, homedir_role); cleanup: free(rbuf); return retval; -- 2.4.11 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content 2016-10-06 11:09 ` [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content Gary Tierney @ 2016-10-06 13:53 ` Stephen Smalley 0 siblings, 0 replies; 9+ messages in thread From: Stephen Smalley @ 2016-10-06 13:53 UTC (permalink / raw) To: Gary Tierney, selinux On 10/06/2016 07:09 AM, Gary Tierney wrote: > Treat a users prefix like a mapping to the role for file context > specifications in users homedirs. This behavior is only applicable when > the users prefix is the identifier of a role which is valid for the > given user. If the prefix is not a valid role, then genhomedircon will > write contexts out as normal. > > Additionally, this commit enables configuring RBACSEP in policy: > > (tunableif enable_rbacsep > (true > (userprefix user_u user_r) > (false > (userprefix user_u object_r)))) Thanks, applied. > > Signed-off-by: Gary Tierney <gary.tierney@gmx.com> > --- > libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++--- > 1 file changed, 35 insertions(+), 3 deletions(-) > > diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c > index 3fc9e7a..0dd2b29 100644 > --- a/libsemanage/src/genhomedircon.c > +++ b/libsemanage/src/genhomedircon.c > @@ -100,6 +100,7 @@ typedef struct user_entry { > char *home; > char *level; > char *login; > + char *homedir_role; > struct user_entry *next; > } genhomedircon_user_entry_t; > > @@ -177,6 +178,13 @@ static int ignore(const char *homedir) { > return 0; > } > > +static int prefix_is_homedir_role(const semanage_user_t *user, > + const char *prefix) > +{ > + return strcmp(OBJECT_R, prefix) == 0 || > + semanage_user_has_role(user, prefix); > +} > + > static semanage_list_t *default_shell_list(void) > { > semanage_list_t *list = NULL; > @@ -638,6 +646,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out, > goto fail; > } > > + if (user->homedir_role && > + sepol_context_set_role(sepolh, context, user->homedir_role) < 0) { > + goto fail; > + } > + > if (sepol_context_to_string(sepolh, context, > &new_context_str) < 0) { > goto fail; > @@ -756,7 +769,7 @@ static int name_user_cmp(char *key, semanage_user_t ** val) > static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > const char *u, const char *g, const char *sen, > const char *pre, const char *h, const char *l, > - const char *ln) > + const char *ln, const char *hd_role) > { > genhomedircon_user_entry_t *temp = NULL; > char *name = NULL; > @@ -767,6 +780,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > char *home = NULL; > char *level = NULL; > char *lname = NULL; > + char *homedir_role = NULL; > > temp = malloc(sizeof(genhomedircon_user_entry_t)); > if (!temp) > @@ -795,6 +809,11 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > lname = strdup(ln); > if (!lname) > goto cleanup; > + if (hd_role) { > + homedir_role = strdup(hd_role); > + if (!homedir_role) > + goto cleanup; > + } > > temp->name = name; > temp->uid = uid; > @@ -804,6 +823,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > temp->home = home; > temp->level = level; > temp->login = lname; > + temp->homedir_role = homedir_role; > temp->next = (*list); > (*list) = temp; > > @@ -818,6 +838,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > free(home); > free(level); > free(lname); > + free(homedir_role); > free(temp); > return STATUS_ERR; > } > @@ -839,6 +860,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** list) > free(temp->home); > free(temp->level); > free(temp->login); > + free(temp->homedir_role); > free(temp); > } > > @@ -852,6 +874,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s) > const char *seuname = NULL; > const char *prefix = NULL; > const char *level = NULL; > + const char *homedir_role = NULL; > unsigned int i; > int retval; > int errors = 0; > @@ -886,10 +909,14 @@ static int setup_fallback_user(genhomedircon_settings_t * s) > level = FALLBACK_LEVEL; > } > > + if (prefix_is_homedir_role(u, prefix)) { > + homedir_role = prefix; > + } > + > if (push_user_entry(&(s->fallback), FALLBACK_NAME, > FALLBACK_UIDGID, FALLBACK_UIDGID, > seuname, prefix, "", level, > - FALLBACK_NAME) != 0) > + FALLBACK_NAME, homedir_role) != 0) > errors = STATUS_ERR; > semanage_user_key_free(key); > if (u) > @@ -946,6 +973,7 @@ static int add_user(genhomedircon_settings_t * s, > struct passwd pwstorage, *pwent = NULL; > const char *prefix = NULL; > const char *level = NULL; > + const char *homedir_role = NULL; > char uid[11]; > char gid[11]; > > @@ -969,6 +997,10 @@ static int add_user(genhomedircon_settings_t * s, > level = FALLBACK_LEVEL; > } > > + if (prefix_is_homedir_role(user, prefix)) { > + homedir_role = prefix; > + } > + > retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent); > if (retval != 0 || pwent == NULL) { > if (retval != 0 && retval != ENOENT) { > @@ -1010,7 +1042,7 @@ static int add_user(genhomedircon_settings_t * s, > } > > retval = push_user_entry(head, name, uid, gid, sename, prefix, > - pwent->pw_dir, level, selogin); > + pwent->pw_dir, level, selogin, homedir_role); > cleanup: > free(rbuf); > return retval; > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon 2016-10-06 11:09 [PATCH v2 0/1] supporting RBACSEP in genhomedircon Gary Tierney 2016-10-06 11:09 ` [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content Gary Tierney @ 2016-10-06 12:17 ` Dominick Grift 2016-10-06 13:29 ` Stephen Smalley 2016-10-06 14:56 ` James Carter 3 siblings, 0 replies; 9+ messages in thread From: Dominick Grift @ 2016-10-06 12:17 UTC (permalink / raw) To: selinux [-- Attachment #1.1: Type: text/plain, Size: 2355 bytes --] On 10/06/2016 01:09 PM, Gary Tierney wrote: > New version of the previous genhomedircon-rbacsep patch with some changes. A > bit of a delay as I had to get in a libsepol/cil fix which was blocking this. > > 1. Remove semanage.conf option > 2. Drop unrelated change > 3. Adds a new homedir_role member to the genhomedircon_user struct. > 4. Sets homedir_role if the SELinux users prefix is a valid role for that user. > 5. Replaces all roles with homedir_role in context specifications if homedir_role is set. > > One issue that came up when writing these patches is that genhomedircon > squashes logging [1] for some reason, which can result in no warning / info > messages and an empty file_contexts.homedirs file if policy has been > incorrectly configured. Can we get rid of this behavior or add a flag to > conditionally enable logging? > If we do that then i suspect that we can also use that for the messages where an seuser id cannot be found (e.g. that system_u, and gdm.id issue) > Dominick Grift helpfully created some test images that demo DSSP policy working > with both RBACSEP and non-RBACEP: > https://tfirg.asu.su/2016/10/03/garys-patches/ > > There are still some rough edges though, for example in policy you can't write a > statement like: (userprefix id role) and put it in an abstract namespace, > since it is interpreted as a literal: > > (block usersubj > (blockabstract usersubj) > (user id) > (role role) > (userrole id role) > (userprefix id role)) > > (block wheel > (blockinherit usersubj)) > > Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id > might even just be id here, haven't checked if users are expanded or also taken > as literals]. > > Though this is something I can look at later if all is well here. > > [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572 > > Gary Tierney (1): > genhomedircon: use userprefix as the role for homedir content > > libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++--- > 1 file changed, 35 insertions(+), 3 deletions(-) > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 648 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon 2016-10-06 11:09 [PATCH v2 0/1] supporting RBACSEP in genhomedircon Gary Tierney 2016-10-06 11:09 ` [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content Gary Tierney 2016-10-06 12:17 ` [PATCH v2 0/1] supporting RBACSEP in genhomedircon Dominick Grift @ 2016-10-06 13:29 ` Stephen Smalley 2016-10-06 14:56 ` James Carter 3 siblings, 0 replies; 9+ messages in thread From: Stephen Smalley @ 2016-10-06 13:29 UTC (permalink / raw) To: Gary Tierney, selinux On 10/06/2016 07:09 AM, Gary Tierney wrote: > New version of the previous genhomedircon-rbacsep patch with some changes. A > bit of a delay as I had to get in a libsepol/cil fix which was blocking this. > > 1. Remove semanage.conf option > 2. Drop unrelated change > 3. Adds a new homedir_role member to the genhomedircon_user struct. > 4. Sets homedir_role if the SELinux users prefix is a valid role for that user. > 5. Replaces all roles with homedir_role in context specifications if homedir_role is set. > > One issue that came up when writing these patches is that genhomedircon > squashes logging [1] for some reason, which can result in no warning / info > messages and an empty file_contexts.homedirs file if policy has been > incorrectly configured. Can we get rid of this behavior or add a flag to > conditionally enable logging? I assume they did that because it is a non-fatal error and they didn't want to alarm the user unnecessarily. I guess the question though is when would this occur under normal conditions that would not signify a mistake in the policy that needs to be corrected. I'm open to dropping it and seeing if we see these errors in practice. > > Dominick Grift helpfully created some test images that demo DSSP policy working > with both RBACSEP and non-RBACEP: > https://tfirg.asu.su/2016/10/03/garys-patches/ > > There are still some rough edges though, for example in policy you can't write a > statement like: (userprefix id role) and put it in an abstract namespace, > since it is interpreted as a literal: > > (block usersubj > (blockabstract usersubj) > (user id) > (role role) > (userrole id role) > (userprefix id role)) > > (block wheel > (blockinherit usersubj)) > > Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id > might even just be id here, haven't checked if users are expanded or also taken > as literals]. > > Though this is something I can look at later if all is well here. > > [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572 > > Gary Tierney (1): > genhomedircon: use userprefix as the role for homedir content > > libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++--- > 1 file changed, 35 insertions(+), 3 deletions(-) > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon 2016-10-06 11:09 [PATCH v2 0/1] supporting RBACSEP in genhomedircon Gary Tierney ` (2 preceding siblings ...) 2016-10-06 13:29 ` Stephen Smalley @ 2016-10-06 14:56 ` James Carter 2016-10-06 15:29 ` Dominick Grift 3 siblings, 1 reply; 9+ messages in thread From: James Carter @ 2016-10-06 14:56 UTC (permalink / raw) To: Gary Tierney, selinux On 10/06/2016 07:09 AM, Gary Tierney wrote: > New version of the previous genhomedircon-rbacsep patch with some changes. A > bit of a delay as I had to get in a libsepol/cil fix which was blocking this. > > 1. Remove semanage.conf option > 2. Drop unrelated change > 3. Adds a new homedir_role member to the genhomedircon_user struct. > 4. Sets homedir_role if the SELinux users prefix is a valid role for that user. > 5. Replaces all roles with homedir_role in context specifications if homedir_role is set. > > One issue that came up when writing these patches is that genhomedircon > squashes logging [1] for some reason, which can result in no warning / info > messages and an empty file_contexts.homedirs file if policy has been > incorrectly configured. Can we get rid of this behavior or add a flag to > conditionally enable logging? > > Dominick Grift helpfully created some test images that demo DSSP policy working > with both RBACSEP and non-RBACEP: > https://tfirg.asu.su/2016/10/03/garys-patches/ > > There are still some rough edges though, for example in policy you can't write a > statement like: (userprefix id role) and put it in an abstract namespace, > since it is interpreted as a literal: > > (block usersubj > (blockabstract usersubj) > (user id) > (role role) > (userrole id role) > (userprefix id role)) > > (block wheel > (blockinherit usersubj)) > > Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id > might even just be id here, haven't checked if users are expanded or also taken > as literals]. > Users are fully qualified, so it is "wheel.id". It is true though that "role" in "(userprefix id role)" is taken as a string and is not expanded. The only identifiers that are fully qualified are those that will exist in the kernel policy and are stored in symbol tables. To get what you want you need to write: (block usersubj (blockabstract usersubj) (user id) (userlevel id (SENS)) (userrange id ((SENS)(SENS (CAT)))) (role role) (userrole id role)) (block wheel (blockinherit usersubj)) (userprefix wheel.id wheel.role) which is inconvenient. It seems to me that if the userprefix statement is allowed in a block, then it makes sense to fully qualify it, but I tend to see the prefix as a string, so it would make more sense to me to just not allow it in blocks. This makes more sense in the following example. (block userdecl (blockabstract userdecl) (user u) (userlevel u (SENS)) (userrange u ((SENS) (SENS (CAT)))) (role r) (userrole u r)) (block user (blockinherit userdecl)) (userprefix user.u user) Where user is acting like a true prefix for user user.u and role user.r. Jim > Though this is something I can look at later if all is well here. > > [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572 > > Gary Tierney (1): > genhomedircon: use userprefix as the role for homedir content > > libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++--- > 1 file changed, 35 insertions(+), 3 deletions(-) > -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon 2016-10-06 14:56 ` James Carter @ 2016-10-06 15:29 ` Dominick Grift 2016-10-06 16:49 ` James Carter 0 siblings, 1 reply; 9+ messages in thread From: Dominick Grift @ 2016-10-06 15:29 UTC (permalink / raw) To: selinux [-- Attachment #1.1: Type: text/plain, Size: 3766 bytes --] On 10/06/2016 04:56 PM, James Carter wrote: > On 10/06/2016 07:09 AM, Gary Tierney wrote: >> New version of the previous genhomedircon-rbacsep patch with some >> changes. A >> bit of a delay as I had to get in a libsepol/cil fix which was >> blocking this. >> >> 1. Remove semanage.conf option >> 2. Drop unrelated change >> 3. Adds a new homedir_role member to the genhomedircon_user struct. >> 4. Sets homedir_role if the SELinux users prefix is a valid role for >> that user. >> 5. Replaces all roles with homedir_role in context specifications if >> homedir_role is set. >> >> One issue that came up when writing these patches is that genhomedircon >> squashes logging [1] for some reason, which can result in no warning / >> info >> messages and an empty file_contexts.homedirs file if policy has been >> incorrectly configured. Can we get rid of this behavior or add a flag to >> conditionally enable logging? >> >> Dominick Grift helpfully created some test images that demo DSSP >> policy working >> with both RBACSEP and non-RBACEP: >> https://tfirg.asu.su/2016/10/03/garys-patches/ >> >> There are still some rough edges though, for example in policy you >> can't write a >> statement like: (userprefix id role) and put it in an abstract namespace, >> since it is interpreted as a literal: >> >> (block usersubj >> (blockabstract usersubj) >> (user id) >> (role role) >> (userrole id role) >> (userprefix id role)) >> >> (block wheel >> (blockinherit usersubj)) >> >> Which leaves us with a (userid, prefix) tuple of (wheel.id, role) >> [wheel.id >> might even just be id here, haven't checked if users are expanded or >> also taken >> as literals]. >> > > Users are fully qualified, so it is "wheel.id". It is true though that > "role" in "(userprefix id role)" is taken as a string and is not > expanded. The only identifiers that are fully qualified are those that > will exist in the kernel policy and are stored in symbol tables. > > To get what you want you need to write: > > (block usersubj > (blockabstract usersubj) > (user id) > (userlevel id (SENS)) > (userrange id ((SENS)(SENS (CAT)))) > (role role) > (userrole id role)) > > (block wheel > (blockinherit usersubj)) > > (userprefix wheel.id wheel.role) > > which is inconvenient. It seems to me that if the userprefix statement > is allowed in a block, then it makes sense to fully qualify it, but I > tend to see the prefix as a string, so it would make more sense to me to > just not allow it in blocks. It use to be a string, but that is no longer true with this patch. It is a role now. In my view it should be treated as such > > This makes more sense in the following example. > > (block userdecl > (blockabstract userdecl) > (user u) > (userlevel u (SENS)) > (userrange u ((SENS) (SENS (CAT)))) > (role r) > (userrole u r)) > > (block user > (blockinherit userdecl)) > > (userprefix user.u user) > > Where user is acting like a true prefix for user user.u and role user.r. > > Jim > > >> Though this is something I can look at later if all is well here. >> >> [1] >> https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572 >> >> >> Gary Tierney (1): >> genhomedircon: use userprefix as the role for homedir content >> >> libsemanage/src/genhomedircon.c | 38 >> +++++++++++++++++++++++++++++++++++--- >> 1 file changed, 35 insertions(+), 3 deletions(-) >> > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 648 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon 2016-10-06 15:29 ` Dominick Grift @ 2016-10-06 16:49 ` James Carter 2016-10-06 17:23 ` [SUSPECTED SPAM] [SUSPICIOUS MESSAGE] " Dominick Grift 0 siblings, 1 reply; 9+ messages in thread From: James Carter @ 2016-10-06 16:49 UTC (permalink / raw) To: Dominick Grift, selinux On 10/06/2016 11:29 AM, Dominick Grift wrote: > On 10/06/2016 04:56 PM, James Carter wrote: >> On 10/06/2016 07:09 AM, Gary Tierney wrote: >>> New version of the previous genhomedircon-rbacsep patch with some >>> changes. A >>> bit of a delay as I had to get in a libsepol/cil fix which was >>> blocking this. >>> >>> 1. Remove semanage.conf option >>> 2. Drop unrelated change >>> 3. Adds a new homedir_role member to the genhomedircon_user struct. >>> 4. Sets homedir_role if the SELinux users prefix is a valid role for >>> that user. >>> 5. Replaces all roles with homedir_role in context specifications if >>> homedir_role is set. >>> >>> One issue that came up when writing these patches is that genhomedircon >>> squashes logging [1] for some reason, which can result in no warning / >>> info >>> messages and an empty file_contexts.homedirs file if policy has been >>> incorrectly configured. Can we get rid of this behavior or add a flag to >>> conditionally enable logging? >>> >>> Dominick Grift helpfully created some test images that demo DSSP >>> policy working >>> with both RBACSEP and non-RBACEP: >>> https://tfirg.asu.su/2016/10/03/garys-patches/ >>> >>> There are still some rough edges though, for example in policy you >>> can't write a >>> statement like: (userprefix id role) and put it in an abstract namespace, >>> since it is interpreted as a literal: >>> >>> (block usersubj >>> (blockabstract usersubj) >>> (user id) >>> (role role) >>> (userrole id role) >>> (userprefix id role)) >>> >>> (block wheel >>> (blockinherit usersubj)) >>> >>> Which leaves us with a (userid, prefix) tuple of (wheel.id, role) >>> [wheel.id >>> might even just be id here, haven't checked if users are expanded or >>> also taken >>> as literals]. >>> >> >> Users are fully qualified, so it is "wheel.id". It is true though that >> "role" in "(userprefix id role)" is taken as a string and is not >> expanded. The only identifiers that are fully qualified are those that >> will exist in the kernel policy and are stored in symbol tables. >> >> To get what you want you need to write: >> >> (block usersubj >> (blockabstract usersubj) >> (user id) >> (userlevel id (SENS)) >> (userrange id ((SENS)(SENS (CAT)))) >> (role role) >> (userrole id role)) >> >> (block wheel >> (blockinherit usersubj)) >> >> (userprefix wheel.id wheel.role) >> >> which is inconvenient. It seems to me that if the userprefix statement >> is allowed in a block, then it makes sense to fully qualify it, but I >> tend to see the prefix as a string, so it would make more sense to me to >> just not allow it in blocks. > > It use to be a string, but that is no longer true with this patch. It is > a role now. In my view it should be treated as such This patch does not exactly make it a role. It treats it as a role if the prefix matches a valid role. The CIL compiler cannot assume that the prefix is a role. CIL could check to see if the prefix matches a role and fully qualify it if it does, but if it didn't match then it wouldn't be fully qualified and that doesn't seem like the desired behavior. Jim > >> >> This makes more sense in the following example. >> >> (block userdecl >> (blockabstract userdecl) >> (user u) >> (userlevel u (SENS)) >> (userrange u ((SENS) (SENS (CAT)))) >> (role r) >> (userrole u r)) >> >> (block user >> (blockinherit userdecl)) >> >> (userprefix user.u user) >> >> Where user is acting like a true prefix for user user.u and role user.r. >> >> Jim >> >> >>> Though this is something I can look at later if all is well here. >>> >>> [1] >>> https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572 >>> >>> >>> Gary Tierney (1): >>> genhomedircon: use userprefix as the role for homedir content >>> >>> libsemanage/src/genhomedircon.c | 38 >>> +++++++++++++++++++++++++++++++++++--- >>> 1 file changed, 35 insertions(+), 3 deletions(-) >>> >> >> > > > > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. > -- James Carter <jwcart2@tycho.nsa.gov> National Security Agency ^ permalink raw reply [flat|nested] 9+ messages in thread
* [SUSPECTED SPAM] [SUSPICIOUS MESSAGE] Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon 2016-10-06 16:49 ` James Carter @ 2016-10-06 17:23 ` Dominick Grift 0 siblings, 0 replies; 9+ messages in thread From: Dominick Grift @ 2016-10-06 17:23 UTC (permalink / raw) To: James Carter, selinux [-- Attachment #1.1: Type: text/plain, Size: 5987 bytes --] On 10/06/2016 06:49 PM, James Carter wrote: > On 10/06/2016 11:29 AM, Dominick Grift wrote: >> On 10/06/2016 04:56 PM, James Carter wrote: >>> On 10/06/2016 07:09 AM, Gary Tierney wrote: >>>> New version of the previous genhomedircon-rbacsep patch with some >>>> changes. A >>>> bit of a delay as I had to get in a libsepol/cil fix which was >>>> blocking this. >>>> >>>> 1. Remove semanage.conf option >>>> 2. Drop unrelated change >>>> 3. Adds a new homedir_role member to the genhomedircon_user struct. >>>> 4. Sets homedir_role if the SELinux users prefix is a valid role for >>>> that user. >>>> 5. Replaces all roles with homedir_role in context specifications if >>>> homedir_role is set. >>>> >>>> One issue that came up when writing these patches is that genhomedircon >>>> squashes logging [1] for some reason, which can result in no warning / >>>> info >>>> messages and an empty file_contexts.homedirs file if policy has been >>>> incorrectly configured. Can we get rid of this behavior or add a >>>> flag to >>>> conditionally enable logging? >>>> >>>> Dominick Grift helpfully created some test images that demo DSSP >>>> policy working >>>> with both RBACSEP and non-RBACEP: >>>> https://secure-web.cisco.com/1em6l9je6cqcAfGQVqhiZiKLtU_K4PYkUi5VPpxqpiJ0xFDQJUnis-aED9BTadea2qheKi_0jaAflaiNJ6ocv9AJLowENdrpAIfdNAmv61QfkK7Qr23GGrqF2O80Zrc4fxNfK-JxffEi4s972g2yKtY3E2AE9JvP0FUv-DoidzmJjIO3AmbLgIXJjwVrcqLGn0zgqLpR7qomQI0GXEJt4Rasx3UCy7RWTLj_lBAwSJyl2pLwGqs6DnQpmhT5ne2upcAdAZdU8dxQmnXEHIokDLdfHJXySjUj9CFBW1-Tk_ao/https%3A%2F%2Ftfirg.asu.su%2F2016%2F10%2F03%2Fgarys-patches%2F >>>> >>>> There are still some rough edges though, for example in policy you >>>> can't write a >>>> statement like: (userprefix id role) and put it in an abstract >>>> namespace, >>>> since it is interpreted as a literal: >>>> >>>> (block usersubj >>>> (blockabstract usersubj) >>>> (user id) >>>> (role role) >>>> (userrole id role) >>>> (userprefix id role)) >>>> >>>> (block wheel >>>> (blockinherit usersubj)) >>>> >>>> Which leaves us with a (userid, prefix) tuple of (wheel.id, role) >>>> [wheel.id >>>> might even just be id here, haven't checked if users are expanded or >>>> also taken >>>> as literals]. >>>> >>> >>> Users are fully qualified, so it is "wheel.id". It is true though that >>> "role" in "(userprefix id role)" is taken as a string and is not >>> expanded. The only identifiers that are fully qualified are those that >>> will exist in the kernel policy and are stored in symbol tables. >>> >>> To get what you want you need to write: >>> >>> (block usersubj >>> (blockabstract usersubj) >>> (user id) >>> (userlevel id (SENS)) >>> (userrange id ((SENS)(SENS (CAT)))) >>> (role role) >>> (userrole id role)) >>> >>> (block wheel >>> (blockinherit usersubj)) >>> >>> (userprefix wheel.id wheel.role) >>> >>> which is inconvenient. It seems to me that if the userprefix statement >>> is allowed in a block, then it makes sense to fully qualify it, but I >>> tend to see the prefix as a string, so it would make more sense to me to >>> just not allow it in blocks. >> >> It use to be a string, but that is no longer true with this patch. It is >> a role now. In my view it should be treated as such > > This patch does not exactly make it a role. It treats it as a role if > the prefix matches a valid role. The CIL compiler cannot assume that the > prefix is a role. CIL could check to see if the prefix matches a role > and fully qualify it if it does, but if it didn't match then it wouldn't > be fully qualified and that doesn't seem like the desired behavior. > Thanks for clarifying. Maybe we should then just leave it a "string". It is kind of a special "libsemanage" only thingy. So i don't really mind giving it the special "libsemanage" treatment in DSSP. It's not pretty in particular but it is not that ugly either. > Jim > >> >>> >>> This makes more sense in the following example. >>> >>> (block userdecl >>> (blockabstract userdecl) >>> (user u) >>> (userlevel u (SENS)) >>> (userrange u ((SENS) (SENS (CAT)))) >>> (role r) >>> (userrole u r)) >>> >>> (block user >>> (blockinherit userdecl)) >>> >>> (userprefix user.u user) >>> >>> Where user is acting like a true prefix for user user.u and role user.r. >>> >>> Jim >>> >>> >>>> Though this is something I can look at later if all is well here. >>>> >>>> [1] >>>> https://secure-web.cisco.com/1iokgtqyM7Itorx97YhxU8Y8BPLgnjhdbqw6zxi_8hNknLJZx7ewWbWlxADD-Yf0luWHa_y6s01T-ngCV3fJ_U6nEqsvl6lXoXC2dm2zkY0pNleYg5DKjNMpcc60QnNRbO6XqutpZW0wqX0S6P_71J-E8rijBcVKVU0Jn35ArI4axuTiHzajjpc7GNh7r-8CZ-nPQDDMhNpo8JAm79rLCLLMe6hIKimqLzrvU8zvY4VDs1MqXVTLK0OXmfHGle_Y1/https%3A%2F%2Fgithub.com%2FSELinuxProject%2Fselinux%2Fblob%2Fmaster%2Flibsemanage%2Fsrc%2Fgenhomedircon.c#L568-L572 >>>> >>>> >>>> >>>> Gary Tierney (1): >>>> genhomedircon: use userprefix as the role for homedir content >>>> >>>> libsemanage/src/genhomedircon.c | 38 >>>> +++++++++++++++++++++++++++++++++++--- >>>> 1 file changed, 35 insertions(+), 3 deletions(-) >>>> >>> >>> >> >> >> >> >> _______________________________________________ >> Selinux mailing list >> Selinux@tycho.nsa.gov >> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. >> To get help, send an email containing "help" to >> Selinux-request@tycho.nsa.gov. >> > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://secure-web.cisco.com/1RffBy8ro4_7atpp_kZh99MO_w3OPOwZuDujOr9hNlZQvnt7Xt3YyBc3l7bFjyerbhwj6-l0IjtuC8T9e3o5TxP6MRQA5ViyYPsfKbh1KJJ2CilbEKrQcOalrlZKMeoO2R7Et_r85N0tADBP3mgB2lz-qE3UgR_oHuVVbasNViEcyWs57hVJPeLrW8GFXZnLKG6Qvjr6O6ir3KMTg820_UJNcKorXtXEYIkJI1UJ-1TOS-QUkr5hd8kL3JlRQWU1R/https%3A%2F%2Fsks-keyservers.net%2Fpks%2Flookup%3Fop%3Dget%26search%3D0x3B6C5F1D2C7B6B02 Dominick Grift [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 648 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2016-10-06 17:23 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2016-10-06 11:09 [PATCH v2 0/1] supporting RBACSEP in genhomedircon Gary Tierney 2016-10-06 11:09 ` [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content Gary Tierney 2016-10-06 13:53 ` Stephen Smalley 2016-10-06 12:17 ` [PATCH v2 0/1] supporting RBACSEP in genhomedircon Dominick Grift 2016-10-06 13:29 ` Stephen Smalley 2016-10-06 14:56 ` James Carter 2016-10-06 15:29 ` Dominick Grift 2016-10-06 16:49 ` James Carter 2016-10-06 17:23 ` [SUSPECTED SPAM] [SUSPICIOUS MESSAGE] " Dominick Grift
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.