* Re: [PATCH v2] semanage: handle getprotobyname() failure case
[not found] <20200605081952.16278-1-toiwoton@gmail.com>
@ 2020-06-08 16:18 ` Stephen Smalley
2020-06-22 12:22 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2020-06-08 16:18 UTC (permalink / raw)
To: Topi Miettinen, linux-audit; +Cc: SElinux list
On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> At least on Debian, /etc/protocols, which is used by
> socket.getprotobyname() to resolve protocols to names, does not
> contain an entry for "ipv4". In that case, set the protocol number
> used by audit logs for "ipv4" to a fixed value. To ensure audit log
> compatibility, let's use the same numeric value as Fedora: 4, which is
> actually understood by kernel as IP over IP.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
This looks fine to me but adding linux-audit mailing list to see if
they have any concerns. It appears to make no change to the audit
messages on Fedora.
> ---
> v2: don't change audit log format
> ---
> python/semanage/seobject.py | 27 +++++++++++++++++++--------
> 1 file changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
> index 6e0b87f2..6a14f7b4 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -1870,10 +1870,22 @@ class nodeRecords(semanageRecords):
> except:
> raise ValueError(_("Unknown or missing protocol"))
>
> - return newaddr, newmask, newprotocol
> + try:
> + audit_protocol = socket.getprotobyname(protocol)
> + except:
> + # Entry for "ipv4" not found in /etc/protocols on (at
> + # least) Debian? To ensure audit log compatibility, let's
> + # use the same numeric value as Fedora: 4, which is
> + # actually understood by kernel as IP over IP.
> + if (protocol == "ipv4"):
> + audit_protocol = socket.IPPROTO_IPIP
> + else:
> + raise ValueError(_("Unknown or missing protocol"))
> +
> + return newaddr, newmask, newprotocol, audit_protocol
>
> def __add(self, addr, mask, proto, serange, ctype):
> - addr, mask, proto = self.validate(addr, mask, proto)
> + addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
> if is_mls_enabled == 1:
> if serange == "":
> @@ -1942,7 +1954,7 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> - self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
> + self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", ctype, serange))
>
> def add(self, addr, mask, proto, serange, ctype):
> self.begin()
> @@ -1950,7 +1962,7 @@ class nodeRecords(semanageRecords):
> self.commit()
>
> def __modify(self, addr, mask, proto, serange, setype):
> - addr, mask, proto = self.validate(addr, mask, proto)
> + addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
> if serange == "" and setype == "":
> raise ValueError(_("Requires setype or serange"))
> @@ -1987,7 +1999,7 @@ class nodeRecords(semanageRecords):
> semanage_node_key_free(k)
> semanage_node_free(node)
>
> - self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
> + self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", setype, serange))
>
> def modify(self, addr, mask, proto, serange, setype):
> self.begin()
> @@ -1995,8 +2007,7 @@ class nodeRecords(semanageRecords):
> self.commit()
>
> def __delete(self, addr, mask, proto):
> -
> - addr, mask, proto = self.validate(addr, mask, proto)
> + addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
> (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
> if rc < 0:
> @@ -2020,7 +2031,7 @@ class nodeRecords(semanageRecords):
>
> semanage_node_key_free(k)
>
> - self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
> + self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, audit_proto))
>
> def delete(self, addr, mask, proto):
> self.begin()
> --
> 2.26.2
>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] semanage: handle getprotobyname() failure case
2020-06-08 16:18 ` [PATCH v2] semanage: handle getprotobyname() failure case Stephen Smalley
@ 2020-06-22 12:22 ` Stephen Smalley
2020-06-25 17:30 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2020-06-22 12:22 UTC (permalink / raw)
To: Topi Miettinen, linux-audit; +Cc: SElinux list
On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> >
> > At least on Debian, /etc/protocols, which is used by
> > socket.getprotobyname() to resolve protocols to names, does not
> > contain an entry for "ipv4". In that case, set the protocol number
> > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > compatibility, let's use the same numeric value as Fedora: 4, which is
> > actually understood by kernel as IP over IP.
> >
> > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>
> This looks fine to me but adding linux-audit mailing list to see if
> they have any concerns. It appears to make no change to the audit
> messages on Fedora.
Seeing no objections from linux-audit,
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] semanage: handle getprotobyname() failure case
2020-06-22 12:22 ` Stephen Smalley
@ 2020-06-25 17:30 ` Stephen Smalley
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2020-06-25 17:30 UTC (permalink / raw)
To: Topi Miettinen, linux-audit; +Cc: SElinux list
On Mon, Jun 22, 2020 at 8:22 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> > >
> > > At least on Debian, /etc/protocols, which is used by
> > > socket.getprotobyname() to resolve protocols to names, does not
> > > contain an entry for "ipv4". In that case, set the protocol number
> > > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > > compatibility, let's use the same numeric value as Fedora: 4, which is
> > > actually understood by kernel as IP over IP.
> > >
> > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> >
> > This looks fine to me but adding linux-audit mailing list to see if
> > they have any concerns. It appears to make no change to the audit
> > messages on Fedora.
>
> Seeing no objections from linux-audit,
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Applied.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-06-25 17:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20200605081952.16278-1-toiwoton@gmail.com>
2020-06-08 16:18 ` [PATCH v2] semanage: handle getprotobyname() failure case Stephen Smalley
2020-06-22 12:22 ` Stephen Smalley
2020-06-25 17:30 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).