* [PATCH V2 1/7] notebook: Minor formatting fixes
2021-12-08 12:16 [PATCH V2 0/7] Various SELinux Notebook updates Richard Haines
@ 2021-12-08 12:16 ` Richard Haines
2021-12-08 20:05 ` Paul Moore
2021-12-08 12:16 ` [PATCH V2 2/7] object_classes_permissions.md: Correct the context object class entry Richard Haines
` (5 subsequent siblings)
6 siblings, 1 reply; 15+ messages in thread
From: Richard Haines @ 2021-12-08 12:16 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/bounds_rules.md | 2 +-
src/class_permission_statements.md | 2 +-
src/libselinux_functions.md | 14 +++++++-------
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/bounds_rules.md b/src/bounds_rules.md
index 6def780..650f817 100644
--- a/src/bounds_rules.md
+++ b/src/bounds_rules.md
@@ -41,7 +41,7 @@ The *type* or *typealias* identifier of the parent domain.
*bounded_domain*
One or more *type* or *typealias* identifiers of the child domains.
-Multiple entries consist of a comma ',' separated list.</td>
+Multiple entries consist of a comma ',' separated list.
**The statement is valid in:**
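Review bot: the trailing `</td>` on the removed line is residue from the HTML table conversion, so dropping it is correct; since the identical residue is fixed in class_permission_statements.md later in this patch, a quick `grep -rn '</t[dr]>' src/` before merging would confirm these are the only two survivors rather than relying on spotting them by eye.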
diff --git a/src/class_permission_statements.md b/src/class_permission_statements.md
index 264e022..63e7262 100644
--- a/src/class_permission_statements.md
+++ b/src/class_permission_statements.md
@@ -160,7 +160,7 @@ A previously declared *common* identifier.
*perm_set*
One or more optional permission identifiers in a space separated list enclosed
-within braces \'\{\}\'.</td>
+within braces \'\{\}\'.
Note: There must be at least one *common_set* or one *perm_set* defined within
the statement.
diff --git a/src/libselinux_functions.md b/src/libselinux_functions.md
index b06018a..54b5d70 100644
--- a/src/libselinux_functions.md
+++ b/src/libselinux_functions.md
@@ -167,7 +167,7 @@ The SID mapping is not affected. Return 0 on success, -1 with errno set on error
Log SID table statistics. Log a message with information about the size and
distribution of the SID table. The audit callback is used to print the message.
-avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h*
+*avc_sid_to_context*, *avc_sid_to_context_raw* - *avc.h*
Get copy of context corresponding to SID. Return a copy of the security context
corresponding to the input sid in the memory referenced by *ctx*. The caller is
@@ -522,21 +522,21 @@ only the *scon* domain.
*security_compute_create*, *security_compute_create_raw* - *selinux.h*
-Compute a labeling decision and set *newcon to refer to it.
+Compute a labeling decision and set *\*newcon* to refer to it.
Caller must free via ***freecon**(3)*.
*security_compute_create_name*, *security_compute_create_name_raw* - *selinux.h*
-This is identical to* ***security_compute_create**(3)* but also takes the name
+This is identical to ***security_compute_create**(3)* but also takes the name
of the new object in creation as an argument.
When a *type_transition* rule on the given class and the *scon* / *tcon* pair
-has an object name extension, *newcon* will be returned according to the policy.
+has an object name extension, *\*newcon* will be returned according to the policy.
Note that this interface is only supported on the kernels 2.6.40 or later.
For older kernels the object name is ignored.
*security_compute_member*, *security_compute_member_raw* - *selinux.h*
-Compute a polyinstantiation member decision and set *newcon to refer to it.
+Compute a polyinstantiation member decision and set *\*newcon* to refer to it.
Caller must free via ***freecon**(3)*.
*security_compute_relabel*, *security_compute_relabel_raw* - *selinux.h*
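Review bot: the escaped form `*\*newcon*` on the three changed lines now matches the existing `*\*newcon*` on the unchanged security_compute_relabel line in the next hunk, so all four entries render the same way. One thing outside this formatting fix but worth a follow-up: the unchanged context line "only supported on the kernels 2.6.40 or later" refers to a version that was never released (2.6.39 was followed by 3.0), so the sentence could cite the libselinux man page wording or the actual 3.x kernel that added object-name support.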
@@ -544,7 +544,7 @@ Caller must free via ***freecon**(3)*.
Compute a relabeling decision and set *\*newcon* to refer to it.
Caller must free via ***freecon**(3)*.
-*security_compute_user*, security_compute_user_raw* (deprecated) - *selinux.h*
+*security_compute_user*, *security_compute_user_raw* (deprecated) - *selinux.h*
Compute the set of reachable user contexts and set *\*con* to refer to the
NULL-terminated array of contexts. Caller must free via ***freeconary**(3)*.
@@ -918,7 +918,7 @@ Return path to the securetty_types file under the policy root directory.
*selinux_sepgsql_context_path* - *selinux.h*
-*Return path to *sepgsql_context* file under the policy root directory.
+Return path to *sepgsql_context* file under the policy root directory.
*selinux_set_callback* - *selinux.h*
--
2.33.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH V2 2/7] object_classes_permissions.md: Correct the context object class entry
From: Richard Haines @ 2021-12-08 12:16 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
Clarify the intent of 'contains' and 'translate' permissions.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/object_classes_permissions.md | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index bbc703d..b092a9b 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -3081,21 +3081,18 @@ Manage the D-BUS Messaging service that is required to run various services.
### *context*
-Support for the translation daemon ***mcstransd**(8)*. These permissions are
-required to allow translation and querying of level and ranges for MCS and
-MLS systems.
+These permissions are used for SELinux configuration file context entries
+and context translations for MCS/MLS policy.
**Permissions** - 2 unique permissions:
*contains*
-- Calculate a MLS/MCS subset - Required to check what the configuration
- file contains.
+- Check configuration file contains a valid context entry.
*translate*
-- Translate a raw MLS/MCS label - Required to allow a domain to translate
- contexts.
+- Translate a raw label to a meaningful text string.
### *service*
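Review bot: the rewritten description drops the only mention of ***mcstransd**(8)* from the removed lines, so a reader no longer learns which component actually exercises the *translate* permission; consider keeping a one-line pointer to the translation daemon after "context translations for MCS/MLS policy." The *contains* bullet also reads better with an article and a verb, e.g. "Check that a configuration file contains a valid context entry." so it matches the sentence form of the *translate* bullet.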
--
2.33.1
* [PATCH V2 3/7] object_classes_permissions.md: Deprecate lockdown class
From: Richard Haines @ 2021-12-08 12:16 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
Add text regarding the removal of lockdown hooks from kernel 5.16.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/object_classes_permissions.md | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md
index b092a9b..4ad8520 100644
--- a/src/object_classes_permissions.md
+++ b/src/object_classes_permissions.md
@@ -70,7 +70,7 @@
- [Performance Event Object Class](#performance-event-object-class)
- [*perf_event*](#perf_event)
- [Lockdown Object Class](#lockdown-object-class)
- - [*lockdown*](#lockdown)
+ - [*lockdown* (Deprecated)](#lockdown-deprecated)
- [IPC Object Classes](#ipc-object-classes)
- [*ipc* (Deprecated)](#ipc-deprecated)
- [*sem*](#sem)
@@ -1674,15 +1674,15 @@ Control ***perf**(1)* events
## Lockdown Object Class
-Note: If the *lockdown* LSM is enabled alongside SELinux, then the
-lockdown access control will take precedence over the SELinux lockdown
-implementation.
+The *lockdown* class and associated SELinux LSM hook (added in kernel 5.6),
+have been removed from kernel 5.16 for the reasons discussed in
+<https://lore.kernel.org/selinux/163292547664.17566.8479687865641275719.stgit@olly/>.
-### *lockdown*
+### *lockdown* (Deprecated)
Stop userspace extracting/modify kernel data.
-**Permissions** - 6 unique permissions:
+**Permissions** - 2 unique permissions:
*confidentiality*
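Review bot: the added sentence has a stray comma splitting subject and verb ("...hook (added in kernel 5.6), have been removed..."); drop the comma, or restructure as "The *lockdown* class and its SELinux LSM hook were added in kernel 5.6 and removed in kernel 5.16 for the reasons discussed in <https://lore.kernel.org/...>". While touching this section, the unchanged line "Stop userspace extracting/modify kernel data." would read correctly as "Stop userspace extracting or modifying kernel data." The permission count correction from 6 to 2 matches the two permissions listed under the heading.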
--
2.33.1
* [PATCH V2 4/7] policy_config_files.md: Update openrc_contexts contents
From: Richard Haines @ 2021-12-08 12:16 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
This config file will only be present if openrc is installed.
See https://github.com/OpenRC/openrc
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/policy_config_files.md | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index d186b98..4b2c091 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -680,12 +680,34 @@ matching of network packets - Never been used.
## *contexts/openrc_contexts*
-**To be determined**
+OpenRC is a dependency-based init system that works with the system-provided
+*init* program, normally */sbin/init*. This config file will only be present
+if *openrc* is installed, see
+[**https://github.com/OpenRC/openrc**](https://github.com/OpenRC/openrc)
**The file format is as follows:**
+```
+run_init=[domain]
+```
+
+**Where:**
+
+*run_init*
+
+- The keyword *run_init*. Note that there must not be any spaces around
+ the '=' sign.
+
+*domain*
+
+- The domain type for the process.
+
**Example file contents:**
+```
+run_init=run_init_t
+```
+
**Supporting libselinux API functions are:**
- ***selinux_context_path**(3)*
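Review bot: the sentence ending with the OpenRC link has no terminating full stop after the closing parenthesis, unlike the rest of this file's paragraphs. The *domain* bullet "The domain type for the process." is also ambiguous about which process; since the key is *run_init*, saying the domain that the *run_init* program runs in would tie the two together. The explicit "no spaces around the '=' sign" note is useful and should be kept; the other new config entries in this series should state the same constraint or the opposite, whichever their parser enforces.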
--
2.33.1
* [PATCH V2 5/7] policy_config_files.md: Update openssh_contexts contents
From: Richard Haines @ 2021-12-08 12:16 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
Used by openssh for privilege separated processes in the
preauthentication phase.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/policy_config_files.md | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index 4b2c091..0db80b4 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -715,10 +715,26 @@ run_init=run_init_t
## *contexts/openssh_contexts*
-**To be determined**
+Used by *openssh* (***ssh**(1)*) for privilege separated processes in the
+preauthentication phase. This is a Red Hat specific policy configuration file.
**The file format is as follows:**
+```
+privsep_preauth=[domain]
+```
+
+**Where:**
+
+*privsep_preauth*
+
+- The keyword *privsep_preauth*
+
+*domain*
+
+- The domain type for the privilege separated processes in the
+ preauthentication phase.
+
**Example file contents:**
```
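Review bot: privilege separation in the preauthentication phase is a property of the server, so the man page reference should be ***sshd**(8)* rather than ***ssh**(1)*, which documents the client. Two smaller points: "The keyword *privsep_preauth*" lacks the full stop that the parallel *run_init* entry carries, and this entry says nothing about whether spaces around '=' are allowed, whereas the openrc_contexts entry explicitly forbids them; stating the rule here too would keep the two sections consistent.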
--
2.33.1
* [PATCH V2 6/7] policy_config_files.md: Update snapperd_contexts contents
From: Richard Haines @ 2021-12-08 12:16 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
Used by snapper(8) for filesystem snapshot management.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/policy_config_files.md | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/policy_config_files.md b/src/policy_config_files.md
index 0db80b4..c87cdfd 100644
--- a/src/policy_config_files.md
+++ b/src/policy_config_files.md
@@ -816,10 +816,26 @@ db_schema *.* system_u:object_r:sepgsql_schema_t:s0
## *contexts/snapperd_contexts*
-**To be determined**
+Used by ***snapper**(8)* for filesystem snapshot management to set an SELinux
+context on ***btrfs**(8)* subvolumes. This is a Red Hat specific policy
+configuration file.
**The file format is as follows:**
+```
+snapperd_data = user:role:type[:range]
+```
+
+**Where:**
+
+*snapperd_data*
+
+- The keyword *snapperd_data*
+
+*user:role:type[:range]*
+
+- The security context including the MLS / MCS *level* or *range* if applicable.
+
**Example file contents:**
```
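Review bot: the format line `snapperd_data = user:role:type[:range]` shows spaces around '=', while the openrc_contexts entry added earlier in this series says there must be no spaces around the '=' sign; if the snapper parser tolerates spaces, say so in the *snapperd_data* bullet, otherwise the format line should be `snapperd_data=user:role:type[:range]` to avoid readers copying an invalid example. The bullet "The keyword *snapperd_data*" is also missing its full stop.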
--
2.33.1
* [PATCH V2 7/7] title.md: Clarify example code location
From: Richard Haines @ 2021-12-08 12:16 UTC (permalink / raw)
To: selinux; +Cc: paul, Richard Haines
Clarify that the example code is not embedded, but linked.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
src/title.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/title.md b/src/title.md
index caf5b41..03c5795 100644
--- a/src/title.md
+++ b/src/title.md
@@ -82,6 +82,13 @@ Android.
**Object Classes and Permissions** - Describes the SELinux object
classes and permissions.
+#### Notebook Examples
+
+The Notebook examples are not embedded into any of the document formats
+described in
+**<https://github.com/SELinuxProject/selinux-notebook/blob/main/BUILD.md>**,
+however they will have links to them in their build directories.
+
### Updated Editions
The SELinux Notebook is being maintained as part of the SELinux project, more
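Review bot: "however they will have links to them in their build directories" is ambiguous about what "they" and "their" refer to (the examples or the document formats); suggest "however, each built document links to the examples in its build directory." Using "however" to join two independent clauses with only a comma is also a run-on; a semicolon or a new sentence fixes it.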
--
2.33.1