[PATCH v2 0/1] supporting RBACSEP in genhomedircon

[PATCH v2 0/1] supporting RBACSEP in genhomedircon

[Gary Tierney]

New version of the previous genhomedircon-rbacsep patch with some changes.  A
bit of a delay as I had to get in a libsepol/cil fix which was blocking this.

1. Remove semanage.conf option
2. Drop unrelated change
3. Adds a new homedir_role member to the genhomedircon_user struct.
4. Sets homedir_role if the SELinux users prefix is a valid role for that user.
5. Replaces all roles with homedir_role in context specifications if homedir_role is set.

One issue that came up when writing these patches is that genhomedircon
squashes logging [1] for some reason, which can result in no warning / info
messages and an empty file_contexts.homedirs file if policy has been
incorrectly configured.  Can we get rid of this behavior or add a flag to
conditionally enable logging?

Dominick Grift helpfully created some test images that demo DSSP policy working
with both RBACSEP and non-RBACEP:
https://tfirg.asu.su/2016/10/03/garys-patches/

There are still some rough edges though, for example in policy you can't write a
statement like: (userprefix id role) and put it in an abstract namespace,
since it is interpreted as a literal:

(block usersubj
    (blockabstract usersubj)
    (user id)
    (role role)
    (userrole id role)
    (userprefix id role))

(block wheel
    (blockinherit usersubj))

Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id
might even just be id here, haven't checked if users are expanded or also taken
as literals].

Though this is something I can look at later if all is well here.

[1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572

Gary Tierney (1):
  genhomedircon: use userprefix as the role for homedir content

 libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

-- 
2.4.11

[PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content

[Gary Tierney]

Treat a users prefix like a mapping to the role for file context
specifications in users homedirs.  This behavior is only applicable when
the users prefix is the identifier of a role which is valid for the
given user.  If the prefix is not a valid role, then genhomedircon will
write contexts out as normal.

Additionally, this commit enables configuring RBACSEP in policy:

(tunableif enable_rbacsep
    (true
        (userprefix user_u user_r)
    (false
        (userprefix user_u object_r))))

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
---
 libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index 3fc9e7a..0dd2b29 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -100,6 +100,7 @@ typedef struct user_entry {
 	char *home;
 	char *level;
 	char *login;
+	char *homedir_role;
 	struct user_entry *next;
 } genhomedircon_user_entry_t;
 
@@ -177,6 +178,13 @@ static int ignore(const char *homedir) {
 	return 0;
 }
 
+static int prefix_is_homedir_role(const semanage_user_t *user,
+				  const char *prefix)
+{
+	return strcmp(OBJECT_R, prefix) == 0 ||
+		semanage_user_has_role(user, prefix);
+}
+
 static semanage_list_t *default_shell_list(void)
 {
 	semanage_list_t *list = NULL;
@@ -638,6 +646,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out,
 			goto fail;
 		}
 
+		if (user->homedir_role &&
+		    sepol_context_set_role(sepolh, context, user->homedir_role) < 0) {
+			goto fail;
+		}
+
 		if (sepol_context_to_string(sepolh, context,
 					    &new_context_str) < 0) {
 			goto fail;
@@ -756,7 +769,7 @@ static int name_user_cmp(char *key, semanage_user_t ** val)
 static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
 			   const char *u, const char *g, const char *sen,
 			   const char *pre, const char *h, const char *l,
-			   const char *ln)
+			   const char *ln, const char *hd_role)
 {
 	genhomedircon_user_entry_t *temp = NULL;
 	char *name = NULL;
@@ -767,6 +780,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
 	char *home = NULL;
 	char *level = NULL;
 	char *lname = NULL;
+	char *homedir_role = NULL;
 
 	temp = malloc(sizeof(genhomedircon_user_entry_t));
 	if (!temp)
@@ -795,6 +809,11 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
 	lname = strdup(ln);
 	if (!lname)
 		goto cleanup;
+	if (hd_role) {
+		homedir_role = strdup(hd_role);
+		if (!homedir_role)
+			goto cleanup;
+	}
 
 	temp->name = name;
 	temp->uid = uid;
@@ -804,6 +823,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
 	temp->home = home;
 	temp->level = level;
 	temp->login = lname;
+	temp->homedir_role = homedir_role;
 	temp->next = (*list);
 	(*list) = temp;
 
@@ -818,6 +838,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
 	free(home);
 	free(level);
 	free(lname);
+	free(homedir_role);
 	free(temp);
 	return STATUS_ERR;
 }
@@ -839,6 +860,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** list)
 	free(temp->home);
 	free(temp->level);
 	free(temp->login);
+	free(temp->homedir_role);
 	free(temp);
 }
 
@@ -852,6 +874,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
 	const char *seuname = NULL;
 	const char *prefix = NULL;
 	const char *level = NULL;
+	const char *homedir_role = NULL;
 	unsigned int i;
 	int retval;
 	int errors = 0;
@@ -886,10 +909,14 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
 					level = FALLBACK_LEVEL;
 			}
 
+			if (prefix_is_homedir_role(u, prefix)) {
+				homedir_role = prefix;
+			}
+
 			if (push_user_entry(&(s->fallback), FALLBACK_NAME,
 					    FALLBACK_UIDGID, FALLBACK_UIDGID,
 					    seuname, prefix, "", level,
-					    FALLBACK_NAME) != 0)
+					    FALLBACK_NAME, homedir_role) != 0)
 				errors = STATUS_ERR;
 			semanage_user_key_free(key);
 			if (u)
@@ -946,6 +973,7 @@ static int add_user(genhomedircon_settings_t * s,
 	struct passwd pwstorage, *pwent = NULL;
 	const char *prefix = NULL;
 	const char *level = NULL;
+	const char *homedir_role = NULL;
 	char uid[11];
 	char gid[11];
 
@@ -969,6 +997,10 @@ static int add_user(genhomedircon_settings_t * s,
 		level = FALLBACK_LEVEL;
 	}
 
+	if (prefix_is_homedir_role(user, prefix)) {
+		homedir_role = prefix;
+	}
+
 	retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
 	if (retval != 0 || pwent == NULL) {
 		if (retval != 0 && retval != ENOENT) {
@@ -1010,7 +1042,7 @@ static int add_user(genhomedircon_settings_t * s,
 	}
 
 	retval = push_user_entry(head, name, uid, gid, sename, prefix,
-				pwent->pw_dir, level, selogin);
+				pwent->pw_dir, level, selogin, homedir_role);
 cleanup:
 	free(rbuf);
 	return retval;
-- 
2.4.11

Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon

[Dominick Grift]

[-- Attachment #1.1: Type: text/plain, Size: 2355 bytes --]

On 10/06/2016 01:09 PM, Gary Tierney wrote:
> New version of the previous genhomedircon-rbacsep patch with some changes.  A
> bit of a delay as I had to get in a libsepol/cil fix which was blocking this.
> 
> 1. Remove semanage.conf option
> 2. Drop unrelated change
> 3. Adds a new homedir_role member to the genhomedircon_user struct.
> 4. Sets homedir_role if the SELinux users prefix is a valid role for that user.
> 5. Replaces all roles with homedir_role in context specifications if homedir_role is set.
> 
> One issue that came up when writing these patches is that genhomedircon
> squashes logging [1] for some reason, which can result in no warning / info
> messages and an empty file_contexts.homedirs file if policy has been
> incorrectly configured.  Can we get rid of this behavior or add a flag to
> conditionally enable logging?
> 

If we do that then i suspect that we can also use that for the messages
where an seuser id cannot be found (e.g. that system_u, and gdm.id issue)

> Dominick Grift helpfully created some test images that demo DSSP policy working
> with both RBACSEP and non-RBACEP:
> https://tfirg.asu.su/2016/10/03/garys-patches/
> 
> There are still some rough edges though, for example in policy you can't write a
> statement like: (userprefix id role) and put it in an abstract namespace,
> since it is interpreted as a literal:
> 
> (block usersubj
>     (blockabstract usersubj)
>     (user id)
>     (role role)
>     (userrole id role)
>     (userprefix id role))
> 
> (block wheel
>     (blockinherit usersubj))
> 
> Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id
> might even just be id here, haven't checked if users are expanded or also taken
> as literals].
> 
> Though this is something I can look at later if all is well here.
> 
> [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572
> 
> Gary Tierney (1):
>   genhomedircon: use userprefix as the role for homedir content
> 
>  libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
>  1 file changed, 35 insertions(+), 3 deletions(-)
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]

Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon

[Stephen Smalley]

On 10/06/2016 07:09 AM, Gary Tierney wrote:
> New version of the previous genhomedircon-rbacsep patch with some changes.  A
> bit of a delay as I had to get in a libsepol/cil fix which was blocking this.
> 
> 1. Remove semanage.conf option
> 2. Drop unrelated change
> 3. Adds a new homedir_role member to the genhomedircon_user struct.
> 4. Sets homedir_role if the SELinux users prefix is a valid role for that user.
> 5. Replaces all roles with homedir_role in context specifications if homedir_role is set.
> 
> One issue that came up when writing these patches is that genhomedircon
> squashes logging [1] for some reason, which can result in no warning / info
> messages and an empty file_contexts.homedirs file if policy has been
> incorrectly configured.  Can we get rid of this behavior or add a flag to
> conditionally enable logging?

I assume they did that because it is a non-fatal error and they didn't
want to alarm the user unnecessarily.  I guess the question though is
when would this occur under normal conditions that would not signify a
mistake in the policy that needs to be corrected.  I'm open to dropping
it and seeing if we see these errors in practice.

> 
> Dominick Grift helpfully created some test images that demo DSSP policy working
> with both RBACSEP and non-RBACEP:
> https://tfirg.asu.su/2016/10/03/garys-patches/
> 
> There are still some rough edges though, for example in policy you can't write a
> statement like: (userprefix id role) and put it in an abstract namespace,
> since it is interpreted as a literal:
> 
> (block usersubj
>     (blockabstract usersubj)
>     (user id)
>     (role role)
>     (userrole id role)
>     (userprefix id role))
> 
> (block wheel
>     (blockinherit usersubj))
> 
> Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id
> might even just be id here, haven't checked if users are expanded or also taken
> as literals].
> 
> Though this is something I can look at later if all is well here.
> 
> [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572
> 
> Gary Tierney (1):
>   genhomedircon: use userprefix as the role for homedir content
> 
>  libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
>  1 file changed, 35 insertions(+), 3 deletions(-)
> 

Re: [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content

[Stephen Smalley]

On 10/06/2016 07:09 AM, Gary Tierney wrote:
> Treat a users prefix like a mapping to the role for file context
> specifications in users homedirs.  This behavior is only applicable when
> the users prefix is the identifier of a role which is valid for the
> given user.  If the prefix is not a valid role, then genhomedircon will
> write contexts out as normal.
> 
> Additionally, this commit enables configuring RBACSEP in policy:
> 
> (tunableif enable_rbacsep
>     (true
>         (userprefix user_u user_r)
>     (false
>         (userprefix user_u object_r))))

Thanks, applied.

> 
> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> ---
>  libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
>  1 file changed, 35 insertions(+), 3 deletions(-)
> 
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 3fc9e7a..0dd2b29 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -100,6 +100,7 @@ typedef struct user_entry {
>  	char *home;
>  	char *level;
>  	char *login;
> +	char *homedir_role;
>  	struct user_entry *next;
>  } genhomedircon_user_entry_t;
>  
> @@ -177,6 +178,13 @@ static int ignore(const char *homedir) {
>  	return 0;
>  }
>  
> +static int prefix_is_homedir_role(const semanage_user_t *user,
> +				  const char *prefix)
> +{
> +	return strcmp(OBJECT_R, prefix) == 0 ||
> +		semanage_user_has_role(user, prefix);
> +}
> +
>  static semanage_list_t *default_shell_list(void)
>  {
>  	semanage_list_t *list = NULL;
> @@ -638,6 +646,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out,
>  			goto fail;
>  		}
>  
> +		if (user->homedir_role &&
> +		    sepol_context_set_role(sepolh, context, user->homedir_role) < 0) {
> +			goto fail;
> +		}
> +
>  		if (sepol_context_to_string(sepolh, context,
>  					    &new_context_str) < 0) {
>  			goto fail;
> @@ -756,7 +769,7 @@ static int name_user_cmp(char *key, semanage_user_t ** val)
>  static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  			   const char *u, const char *g, const char *sen,
>  			   const char *pre, const char *h, const char *l,
> -			   const char *ln)
> +			   const char *ln, const char *hd_role)
>  {
>  	genhomedircon_user_entry_t *temp = NULL;
>  	char *name = NULL;
> @@ -767,6 +780,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	char *home = NULL;
>  	char *level = NULL;
>  	char *lname = NULL;
> +	char *homedir_role = NULL;
>  
>  	temp = malloc(sizeof(genhomedircon_user_entry_t));
>  	if (!temp)
> @@ -795,6 +809,11 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	lname = strdup(ln);
>  	if (!lname)
>  		goto cleanup;
> +	if (hd_role) {
> +		homedir_role = strdup(hd_role);
> +		if (!homedir_role)
> +			goto cleanup;
> +	}
>  
>  	temp->name = name;
>  	temp->uid = uid;
> @@ -804,6 +823,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	temp->home = home;
>  	temp->level = level;
>  	temp->login = lname;
> +	temp->homedir_role = homedir_role;
>  	temp->next = (*list);
>  	(*list) = temp;
>  
> @@ -818,6 +838,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	free(home);
>  	free(level);
>  	free(lname);
> +	free(homedir_role);
>  	free(temp);
>  	return STATUS_ERR;
>  }
> @@ -839,6 +860,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** list)
>  	free(temp->home);
>  	free(temp->level);
>  	free(temp->login);
> +	free(temp->homedir_role);
>  	free(temp);
>  }
>  
> @@ -852,6 +874,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
>  	const char *seuname = NULL;
>  	const char *prefix = NULL;
>  	const char *level = NULL;
> +	const char *homedir_role = NULL;
>  	unsigned int i;
>  	int retval;
>  	int errors = 0;
> @@ -886,10 +909,14 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
>  					level = FALLBACK_LEVEL;
>  			}
>  
> +			if (prefix_is_homedir_role(u, prefix)) {
> +				homedir_role = prefix;
> +			}
> +
>  			if (push_user_entry(&(s->fallback), FALLBACK_NAME,
>  					    FALLBACK_UIDGID, FALLBACK_UIDGID,
>  					    seuname, prefix, "", level,
> -					    FALLBACK_NAME) != 0)
> +					    FALLBACK_NAME, homedir_role) != 0)
>  				errors = STATUS_ERR;
>  			semanage_user_key_free(key);
>  			if (u)
> @@ -946,6 +973,7 @@ static int add_user(genhomedircon_settings_t * s,
>  	struct passwd pwstorage, *pwent = NULL;
>  	const char *prefix = NULL;
>  	const char *level = NULL;
> +	const char *homedir_role = NULL;
>  	char uid[11];
>  	char gid[11];
>  
> @@ -969,6 +997,10 @@ static int add_user(genhomedircon_settings_t * s,
>  		level = FALLBACK_LEVEL;
>  	}
>  
> +	if (prefix_is_homedir_role(user, prefix)) {
> +		homedir_role = prefix;
> +	}
> +
>  	retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
>  	if (retval != 0 || pwent == NULL) {
>  		if (retval != 0 && retval != ENOENT) {
> @@ -1010,7 +1042,7 @@ static int add_user(genhomedircon_settings_t * s,
>  	}
>  
>  	retval = push_user_entry(head, name, uid, gid, sename, prefix,
> -				pwent->pw_dir, level, selogin);
> +				pwent->pw_dir, level, selogin, homedir_role);
>  cleanup:
>  	free(rbuf);
>  	return retval;
> 

Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon

[James Carter]

On 10/06/2016 07:09 AM, Gary Tierney wrote:
> New version of the previous genhomedircon-rbacsep patch with some changes.  A
> bit of a delay as I had to get in a libsepol/cil fix which was blocking this.
>
> 1. Remove semanage.conf option
> 2. Drop unrelated change
> 3. Adds a new homedir_role member to the genhomedircon_user struct.
> 4. Sets homedir_role if the SELinux users prefix is a valid role for that user.
> 5. Replaces all roles with homedir_role in context specifications if homedir_role is set.
>
> One issue that came up when writing these patches is that genhomedircon
> squashes logging [1] for some reason, which can result in no warning / info
> messages and an empty file_contexts.homedirs file if policy has been
> incorrectly configured.  Can we get rid of this behavior or add a flag to
> conditionally enable logging?
>
> Dominick Grift helpfully created some test images that demo DSSP policy working
> with both RBACSEP and non-RBACEP:
> https://tfirg.asu.su/2016/10/03/garys-patches/
>
> There are still some rough edges though, for example in policy you can't write a
> statement like: (userprefix id role) and put it in an abstract namespace,
> since it is interpreted as a literal:
>
> (block usersubj
>     (blockabstract usersubj)
>     (user id)
>     (role role)
>     (userrole id role)
>     (userprefix id role))
>
> (block wheel
>     (blockinherit usersubj))
>
> Which leaves us with a (userid, prefix) tuple of (wheel.id, role) [wheel.id
> might even just be id here, haven't checked if users are expanded or also taken
> as literals].
>

Users are fully qualified, so it is "wheel.id". It is true though that "role" in 
"(userprefix id role)" is taken as a string and is not expanded. The only 
identifiers that are fully qualified are those that will exist in the kernel 
policy and are stored in symbol tables.

To get what you want you need to write:

(block usersubj
     (blockabstract usersubj)
     (user id)
     (userlevel id (SENS))
     (userrange id ((SENS)(SENS (CAT))))
     (role role)
     (userrole id role))

(block wheel
     (blockinherit usersubj))

(userprefix wheel.id wheel.role)

which is inconvenient. It seems to me that if the userprefix statement is 
allowed in a block, then it makes sense to fully qualify it, but I tend to see 
the prefix as a string, so it would make more sense to me to just not allow it 
in blocks.

This makes more sense in the following example.

(block userdecl
     (blockabstract userdecl)
     (user u)
     (userlevel u (SENS))
     (userrange u ((SENS) (SENS (CAT))))
     (role r)
     (userrole u r))

(block user
     (blockinherit userdecl))

(userprefix user.u user)

Where user is acting like a true prefix for user user.u and role user.r.

Jim


> Though this is something I can look at later if all is well here.
>
> [1] https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572
>
> Gary Tierney (1):
>   genhomedircon: use userprefix as the role for homedir content
>
>  libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
>  1 file changed, 35 insertions(+), 3 deletions(-)
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon

[Dominick Grift]

[-- Attachment #1.1: Type: text/plain, Size: 3766 bytes --]

On 10/06/2016 04:56 PM, James Carter wrote:
> On 10/06/2016 07:09 AM, Gary Tierney wrote:
>> New version of the previous genhomedircon-rbacsep patch with some
>> changes.  A
>> bit of a delay as I had to get in a libsepol/cil fix which was
>> blocking this.
>>
>> 1. Remove semanage.conf option
>> 2. Drop unrelated change
>> 3. Adds a new homedir_role member to the genhomedircon_user struct.
>> 4. Sets homedir_role if the SELinux users prefix is a valid role for
>> that user.
>> 5. Replaces all roles with homedir_role in context specifications if
>> homedir_role is set.
>>
>> One issue that came up when writing these patches is that genhomedircon
>> squashes logging [1] for some reason, which can result in no warning /
>> info
>> messages and an empty file_contexts.homedirs file if policy has been
>> incorrectly configured.  Can we get rid of this behavior or add a flag to
>> conditionally enable logging?
>>
>> Dominick Grift helpfully created some test images that demo DSSP
>> policy working
>> with both RBACSEP and non-RBACEP:
>> https://tfirg.asu.su/2016/10/03/garys-patches/
>>
>> There are still some rough edges though, for example in policy you
>> can't write a
>> statement like: (userprefix id role) and put it in an abstract namespace,
>> since it is interpreted as a literal:
>>
>> (block usersubj
>>     (blockabstract usersubj)
>>     (user id)
>>     (role role)
>>     (userrole id role)
>>     (userprefix id role))
>>
>> (block wheel
>>     (blockinherit usersubj))
>>
>> Which leaves us with a (userid, prefix) tuple of (wheel.id, role)
>> [wheel.id
>> might even just be id here, haven't checked if users are expanded or
>> also taken
>> as literals].
>>
> 
> Users are fully qualified, so it is "wheel.id". It is true though that
> "role" in "(userprefix id role)" is taken as a string and is not
> expanded. The only identifiers that are fully qualified are those that
> will exist in the kernel policy and are stored in symbol tables.
> 
> To get what you want you need to write:
> 
> (block usersubj
>     (blockabstract usersubj)
>     (user id)
>     (userlevel id (SENS))
>     (userrange id ((SENS)(SENS (CAT))))
>     (role role)
>     (userrole id role))
> 
> (block wheel
>     (blockinherit usersubj))
> 
> (userprefix wheel.id wheel.role)
> 
> which is inconvenient. It seems to me that if the userprefix statement
> is allowed in a block, then it makes sense to fully qualify it, but I
> tend to see the prefix as a string, so it would make more sense to me to
> just not allow it in blocks.

It use to be a string, but that is no longer true with this patch. It is
a role now. In my view it should be treated as such

> 
> This makes more sense in the following example.
> 
> (block userdecl
>     (blockabstract userdecl)
>     (user u)
>     (userlevel u (SENS))
>     (userrange u ((SENS) (SENS (CAT))))
>     (role r)
>     (userrole u r))
> 
> (block user
>     (blockinherit userdecl))
> 
> (userprefix user.u user)
> 
> Where user is acting like a true prefix for user user.u and role user.r.
> 
> Jim
> 
> 
>> Though this is something I can look at later if all is well here.
>>
>> [1]
>> https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572
>>
>>
>> Gary Tierney (1):
>>   genhomedircon: use userprefix as the role for homedir content
>>
>>  libsemanage/src/genhomedircon.c | 38
>> +++++++++++++++++++++++++++++++++++---
>>  1 file changed, 35 insertions(+), 3 deletions(-)
>>
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]

Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon

[James Carter]

On 10/06/2016 11:29 AM, Dominick Grift wrote:
> On 10/06/2016 04:56 PM, James Carter wrote:
>> On 10/06/2016 07:09 AM, Gary Tierney wrote:
>>> New version of the previous genhomedircon-rbacsep patch with some
>>> changes.  A
>>> bit of a delay as I had to get in a libsepol/cil fix which was
>>> blocking this.
>>>
>>> 1. Remove semanage.conf option
>>> 2. Drop unrelated change
>>> 3. Adds a new homedir_role member to the genhomedircon_user struct.
>>> 4. Sets homedir_role if the SELinux users prefix is a valid role for
>>> that user.
>>> 5. Replaces all roles with homedir_role in context specifications if
>>> homedir_role is set.
>>>
>>> One issue that came up when writing these patches is that genhomedircon
>>> squashes logging [1] for some reason, which can result in no warning /
>>> info
>>> messages and an empty file_contexts.homedirs file if policy has been
>>> incorrectly configured.  Can we get rid of this behavior or add a flag to
>>> conditionally enable logging?
>>>
>>> Dominick Grift helpfully created some test images that demo DSSP
>>> policy working
>>> with both RBACSEP and non-RBACEP:
>>> https://tfirg.asu.su/2016/10/03/garys-patches/
>>>
>>> There are still some rough edges though, for example in policy you
>>> can't write a
>>> statement like: (userprefix id role) and put it in an abstract namespace,
>>> since it is interpreted as a literal:
>>>
>>> (block usersubj
>>>     (blockabstract usersubj)
>>>     (user id)
>>>     (role role)
>>>     (userrole id role)
>>>     (userprefix id role))
>>>
>>> (block wheel
>>>     (blockinherit usersubj))
>>>
>>> Which leaves us with a (userid, prefix) tuple of (wheel.id, role)
>>> [wheel.id
>>> might even just be id here, haven't checked if users are expanded or
>>> also taken
>>> as literals].
>>>
>>
>> Users are fully qualified, so it is "wheel.id". It is true though that
>> "role" in "(userprefix id role)" is taken as a string and is not
>> expanded. The only identifiers that are fully qualified are those that
>> will exist in the kernel policy and are stored in symbol tables.
>>
>> To get what you want you need to write:
>>
>> (block usersubj
>>     (blockabstract usersubj)
>>     (user id)
>>     (userlevel id (SENS))
>>     (userrange id ((SENS)(SENS (CAT))))
>>     (role role)
>>     (userrole id role))
>>
>> (block wheel
>>     (blockinherit usersubj))
>>
>> (userprefix wheel.id wheel.role)
>>
>> which is inconvenient. It seems to me that if the userprefix statement
>> is allowed in a block, then it makes sense to fully qualify it, but I
>> tend to see the prefix as a string, so it would make more sense to me to
>> just not allow it in blocks.
>
> It use to be a string, but that is no longer true with this patch. It is
> a role now. In my view it should be treated as such

This patch does not exactly make it a role. It treats it as a role if the prefix 
matches a valid role. The CIL compiler cannot assume that the prefix is a role. 
CIL could check to see if the prefix matches a role and fully qualify it if it 
does, but if it didn't match then it wouldn't be fully qualified and that 
doesn't seem like the desired behavior.

Jim

>
>>
>> This makes more sense in the following example.
>>
>> (block userdecl
>>     (blockabstract userdecl)
>>     (user u)
>>     (userlevel u (SENS))
>>     (userrange u ((SENS) (SENS (CAT))))
>>     (role r)
>>     (userrole u r))
>>
>> (block user
>>     (blockinherit userdecl))
>>
>> (userprefix user.u user)
>>
>> Where user is acting like a true prefix for user user.u and role user.r.
>>
>> Jim
>>
>>
>>> Though this is something I can look at later if all is well here.
>>>
>>> [1]
>>> https://github.com/SELinuxProject/selinux/blob/master/libsemanage/src/genhomedircon.c#L568-L572
>>>
>>>
>>> Gary Tierney (1):
>>>   genhomedircon: use userprefix as the role for homedir content
>>>
>>>  libsemanage/src/genhomedircon.c | 38
>>> +++++++++++++++++++++++++++++++++++---
>>>  1 file changed, 35 insertions(+), 3 deletions(-)
>>>
>>
>>
>
>
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

[SUSPECTED SPAM] [SUSPICIOUS MESSAGE] Re: [PATCH v2 0/1] supporting RBACSEP in genhomedircon

[Dominick Grift]

[-- Attachment #1.1: Type: text/plain, Size: 5987 bytes --]

On 10/06/2016 06:49 PM, James Carter wrote:
> On 10/06/2016 11:29 AM, Dominick Grift wrote:
>> On 10/06/2016 04:56 PM, James Carter wrote:
>>> On 10/06/2016 07:09 AM, Gary Tierney wrote:
>>>> New version of the previous genhomedircon-rbacsep patch with some
>>>> changes.  A
>>>> bit of a delay as I had to get in a libsepol/cil fix which was
>>>> blocking this.
>>>>
>>>> 1. Remove semanage.conf option
>>>> 2. Drop unrelated change
>>>> 3. Adds a new homedir_role member to the genhomedircon_user struct.
>>>> 4. Sets homedir_role if the SELinux users prefix is a valid role for
>>>> that user.
>>>> 5. Replaces all roles with homedir_role in context specifications if
>>>> homedir_role is set.
>>>>
>>>> One issue that came up when writing these patches is that genhomedircon
>>>> squashes logging [1] for some reason, which can result in no warning /
>>>> info
>>>> messages and an empty file_contexts.homedirs file if policy has been
>>>> incorrectly configured.  Can we get rid of this behavior or add a
>>>> flag to
>>>> conditionally enable logging?
>>>>
>>>> Dominick Grift helpfully created some test images that demo DSSP
>>>> policy working
>>>> with both RBACSEP and non-RBACEP:
>>>> https://secure-web.cisco.com/1em6l9je6cqcAfGQVqhiZiKLtU_K4PYkUi5VPpxqpiJ0xFDQJUnis-aED9BTadea2qheKi_0jaAflaiNJ6ocv9AJLowENdrpAIfdNAmv61QfkK7Qr23GGrqF2O80Zrc4fxNfK-JxffEi4s972g2yKtY3E2AE9JvP0FUv-DoidzmJjIO3AmbLgIXJjwVrcqLGn0zgqLpR7qomQI0GXEJt4Rasx3UCy7RWTLj_lBAwSJyl2pLwGqs6DnQpmhT5ne2upcAdAZdU8dxQmnXEHIokDLdfHJXySjUj9CFBW1-Tk_ao/https%3A%2F%2Ftfirg.asu.su%2F2016%2F10%2F03%2Fgarys-patches%2F
>>>>
>>>> There are still some rough edges though, for example in policy you
>>>> can't write a
>>>> statement like: (userprefix id role) and put it in an abstract
>>>> namespace,
>>>> since it is interpreted as a literal:
>>>>
>>>> (block usersubj
>>>>     (blockabstract usersubj)
>>>>     (user id)
>>>>     (role role)
>>>>     (userrole id role)
>>>>     (userprefix id role))
>>>>
>>>> (block wheel
>>>>     (blockinherit usersubj))
>>>>
>>>> Which leaves us with a (userid, prefix) tuple of (wheel.id, role)
>>>> [wheel.id
>>>> might even just be id here, haven't checked if users are expanded or
>>>> also taken
>>>> as literals].
>>>>
>>>
>>> Users are fully qualified, so it is "wheel.id". It is true though that
>>> "role" in "(userprefix id role)" is taken as a string and is not
>>> expanded. The only identifiers that are fully qualified are those that
>>> will exist in the kernel policy and are stored in symbol tables.
>>>
>>> To get what you want you need to write:
>>>
>>> (block usersubj
>>>     (blockabstract usersubj)
>>>     (user id)
>>>     (userlevel id (SENS))
>>>     (userrange id ((SENS)(SENS (CAT))))
>>>     (role role)
>>>     (userrole id role))
>>>
>>> (block wheel
>>>     (blockinherit usersubj))
>>>
>>> (userprefix wheel.id wheel.role)
>>>
>>> which is inconvenient. It seems to me that if the userprefix statement
>>> is allowed in a block, then it makes sense to fully qualify it, but I
>>> tend to see the prefix as a string, so it would make more sense to me to
>>> just not allow it in blocks.
>>
>> It use to be a string, but that is no longer true with this patch. It is
>> a role now. In my view it should be treated as such
> 
> This patch does not exactly make it a role. It treats it as a role if
> the prefix matches a valid role. The CIL compiler cannot assume that the
> prefix is a role. CIL could check to see if the prefix matches a role
> and fully qualify it if it does, but if it didn't match then it wouldn't
> be fully qualified and that doesn't seem like the desired behavior.
> 

Thanks for clarifying. Maybe we should then just leave it a "string". It
is kind of a special "libsemanage" only thingy. So i don't really mind
giving it the special "libsemanage" treatment in DSSP. It's not pretty
in particular but it is not that ugly either.

> Jim
> 
>>
>>>
>>> This makes more sense in the following example.
>>>
>>> (block userdecl
>>>     (blockabstract userdecl)
>>>     (user u)
>>>     (userlevel u (SENS))
>>>     (userrange u ((SENS) (SENS (CAT))))
>>>     (role r)
>>>     (userrole u r))
>>>
>>> (block user
>>>     (blockinherit userdecl))
>>>
>>> (userprefix user.u user)
>>>
>>> Where user is acting like a true prefix for user user.u and role user.r.
>>>
>>> Jim
>>>
>>>
>>>> Though this is something I can look at later if all is well here.
>>>>
>>>> [1]
>>>> https://secure-web.cisco.com/1iokgtqyM7Itorx97YhxU8Y8BPLgnjhdbqw6zxi_8hNknLJZx7ewWbWlxADD-Yf0luWHa_y6s01T-ngCV3fJ_U6nEqsvl6lXoXC2dm2zkY0pNleYg5DKjNMpcc60QnNRbO6XqutpZW0wqX0S6P_71J-E8rijBcVKVU0Jn35ArI4axuTiHzajjpc7GNh7r-8CZ-nPQDDMhNpo8JAm79rLCLLMe6hIKimqLzrvU8zvY4VDs1MqXVTLK0OXmfHGle_Y1/https%3A%2F%2Fgithub.com%2FSELinuxProject%2Fselinux%2Fblob%2Fmaster%2Flibsemanage%2Fsrc%2Fgenhomedircon.c#L568-L572
>>>>
>>>>
>>>>
>>>> Gary Tierney (1):
>>>>   genhomedircon: use userprefix as the role for homedir content
>>>>
>>>>  libsemanage/src/genhomedircon.c | 38
>>>> +++++++++++++++++++++++++++++++++++---
>>>>  1 file changed, 35 insertions(+), 3 deletions(-)
>>>>
>>>
>>>
>>
>>
>>
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to
>> Selinux-request@tycho.nsa.gov.
>>
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://secure-web.cisco.com/1RffBy8ro4_7atpp_kZh99MO_w3OPOwZuDujOr9hNlZQvnt7Xt3YyBc3l7bFjyerbhwj6-l0IjtuC8T9e3o5TxP6MRQA5ViyYPsfKbh1KJJ2CilbEKrQcOalrlZKMeoO2R7Et_r85N0tADBP3mgB2lz-qE3UgR_oHuVVbasNViEcyWs57hVJPeLrW8GFXZnLKG6Qvjr6O6ir3KMTg820_UJNcKorXtXEYIkJI1UJ-1TOS-QUkr5hd8kL3JlRQWU1R/https%3A%2F%2Fsks-keyservers.net%2Fpks%2Flookup%3Fop%3Dget%26search%3D0x3B6C5F1D2C7B6B02
Dominick Grift


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]