Linux-audit Archive on lore.kernel.org
* Re: [PATCH v2] semanage: handle getprotobyname() failure case
       [not found] <20200605081952.16278-1-toiwoton@gmail.com>
@ 2020-06-08 16:18 ` Stephen Smalley
  2020-06-22 12:22   ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2020-06-08 16:18 UTC
  To: Topi Miettinen, linux-audit; +Cc: SElinux list

On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
>
> At least on Debian, /etc/protocols, which is used by
> socket.getprotobyname() to resolve protocols to names, does not
> contain an entry for "ipv4". In that case, set the protocol number
> used by audit logs for "ipv4" to a fixed value. To ensure audit log
> compatibility, let's use the same numeric value as Fedora: 4, which is
> actually understood by kernel as IP over IP.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

This looks fine to me but adding linux-audit mailing list to see if
they have any concerns.  It appears to make no change to the audit
messages on Fedora.

> ---
> v2: don't change audit log format
> ---
>  python/semanage/seobject.py | 27 +++++++++++++++++++--------
>  1 file changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
> index 6e0b87f2..6a14f7b4 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -1870,10 +1870,22 @@ class nodeRecords(semanageRecords):
>          except:
>              raise ValueError(_("Unknown or missing protocol"))
>
> -        return newaddr, newmask, newprotocol
> +        try:
> +            audit_protocol = socket.getprotobyname(protocol)
> +        except:
> +            # Entry for "ipv4" not found in /etc/protocols on (at
> +            # least) Debian? To ensure audit log compatibility, let's
> +            # use the same numeric value as Fedora: 4, which is
> +            # actually understood by kernel as IP over IP.
> +            if (protocol == "ipv4"):
> +                audit_protocol = socket.IPPROTO_IPIP
> +            else:
> +                raise ValueError(_("Unknown or missing protocol"))
> +
> +        return newaddr, newmask, newprotocol, audit_protocol
>
>      def __add(self, addr, mask, proto, serange, ctype):
> -        addr, mask, proto = self.validate(addr, mask, proto)
> +        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
>          if is_mls_enabled == 1:
>              if serange == "":
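Review bot: the new `except:` around `audit_protocol = socket.getprotobyname(protocol)` is a bare except, so it also catches KeyboardInterrupt and SystemExit and converts them into ValueError("Unknown or missing protocol") for every name other than "ipv4". socket.getprotobyname() reports a missing /etc/protocols entry with OSError, so `except OSError:` is the clause that matches the failure the commit message describes; the pre-existing bare except a few lines above is the same pattern, but the new code need not copy it. Two smaller points in the same hunk: the parentheses in `if (protocol == "ipv4"):` are redundant, and since this fallback is what makes Debian and Fedora emit the same proto= value, the comment could say explicitly that the number is fixed for audit-record compatibility rather than being looked up, so a future /etc/protocols change on either distribution does not silently move it.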
> @@ -1942,7 +1954,7 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> -        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", ctype, serange))
> +        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", ctype, serange))
>
>      def add(self, addr, mask, proto, serange, ctype):
>          self.begin()
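Review bot: the replaced log line resolved the number from the canonical name, `socket.getprotobyname(self.protocol[proto])`, i.e. from the validated numeric protocol mapped back to its name, whereas `audit_proto` is now resolved inside validate() from the caller-supplied `protocol` string. If validate() accepts any spelling or alias that self.protocol[] would have canonicalised, the two paths can yield different numbers for that input, which would contradict the v2 goal of not changing the audit log format. Worth confirming (or stating in the commit message) that every input validate() accepts resolves to the same value on both paths.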
> @@ -1950,7 +1962,7 @@ class nodeRecords(semanageRecords):
>          self.commit()
>
>      def __modify(self, addr, mask, proto, serange, setype):
> -        addr, mask, proto = self.validate(addr, mask, proto)
> +        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
>          if serange == "" and setype == "":
>              raise ValueError(_("Requires setype or serange"))
> @@ -1987,7 +1999,7 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
>
> -        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, socket.getprotobyname(self.protocol[proto]), "system_u", "object_r", setype, serange))
> +        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, audit_proto, "system_u", "object_r", setype, serange))
>
>      def modify(self, addr, mask, proto, serange, setype):
>          self.begin()
> @@ -1995,8 +2007,7 @@ class nodeRecords(semanageRecords):
>          self.commit()
>
>      def __delete(self, addr, mask, proto):
> -
> -        addr, mask, proto = self.validate(addr, mask, proto)
> +        addr, mask, proto, audit_proto = self.validate(addr, mask, proto)
>
>          (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
>          if rc < 0:
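Review bot: the removed blank line at the top of __delete() is an unrelated whitespace cleanup. Harmless, but it is better kept out of a functional fix, or at least mentioned in the changelog, so that a later bisect or backport of the getprotobyname() change does not carry stray hunks.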
> @@ -2020,7 +2031,7 @@ class nodeRecords(semanageRecords):
>
>          semanage_node_key_free(k)
>
> -        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, socket.getprotobyname(self.protocol[proto])))
> +        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, audit_proto))
>
>      def delete(self, addr, mask, proto):
>          self.begin()
> --
> 2.26.2
>

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
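The failure mode the patch handles is easy to reproduce without touching a real host. The following is an added example, not code from the SELinux userspace project or from the patch author: it parses two constructed /etc/protocols excerpts (one with an "ipv4" alias for number 4, one that names number 4 "ipencap" and has no "ipv4" entry, modelled on the file format rather than copied from any distribution), resolves the audit protocol number the way the patch does but catches only OSError, which is what socket.getprotobyname() raises for a missing entry, and shows that the resrc=node audit record comes out identical on both tables. The `lookup` parameter, the table contents, and the message helper are assumptions made for the demonstration.

```python
import socket

# Constructed /etc/protocols excerpts for the demonstration (assumption:
# modelled on the file format, not copied from any distribution).  The
# Fedora-style table has an "ipv4" entry for number 4; the Debian-style
# table names number 4 "ipencap" and has no "ipv4" alias at all.
FEDORA_STYLE_PROTOCOLS = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
ipv4    4       IPv4            # IPv4 encapsulation
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
"""

DEBIAN_STYLE_PROTOCOLS = """\
ip      0       IP
icmp    1       ICMP
ipencap 4       IP-ENCAP        # IP encapsulated in IP
tcp     6       TCP
udp     17      UDP
"""

# Fixed numbers used only when /etc/protocols has no entry.  "ipv4" must
# stay 4 (IPPROTO_IPIP) so Debian and Fedora hosts emit the same proto=
# field.  getattr() guards platforms whose socket module lacks the constant.
AUDIT_PROTOCOL_FALLBACK = {"ipv4": getattr(socket, "IPPROTO_IPIP", 4)}


def parse_protocols(text):
    """Parse /etc/protocols-format text into {name_or_alias: number}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line: ignore it
        number = int(fields[1])
        for name in [fields[0]] + fields[2:]:  # official name plus aliases
            table.setdefault(name, number)     # first definition wins
    return table


def lookup_from(table):
    """Build a getprotobyname()-compatible function over a parsed table."""
    def lookup(name):
        try:
            return table[name]
        except KeyError:
            # socket.getprotobyname() signals a missing entry with OSError.
            raise OSError("protocol not found") from None
    return lookup


def resolve_audit_protocol(protocol, lookup=socket.getprotobyname):
    """Number for the audit record's proto= field, with the fixed fallback."""
    try:
        return lookup(protocol)
    except OSError:
        # Only a failed lookup reaches the fallback.  A bare `except:` here
        # would also swallow KeyboardInterrupt and SystemExit.
        pass
    try:
        return AUDIT_PROTOCOL_FALLBACK[protocol]
    except KeyError:
        raise ValueError("Unknown or missing protocol: %r" % (protocol,)) from None


def node_audit_message(op, addr, mask, protocol, lookup=socket.getprotobyname):
    """Format the resrc=node record as seobject.py does, minus tcontext."""
    return "resrc=node op=%s laddr=%s netmask=%s proto=%d" % (
        op, addr, mask, resolve_audit_protocol(protocol, lookup))


if __name__ == "__main__":
    for label, text in (("fedora", FEDORA_STYLE_PROTOCOLS),
                        ("debian", DEBIAN_STYLE_PROTOCOLS)):
        lookup = lookup_from(parse_protocols(text))
        print(label, node_audit_message("add", "10.0.0.0", "255.0.0.0",
                                        "ipv4", lookup))
```

Running the block prints the same `proto=4` record for both tables; the Debian-style table only gets there through the fallback, and an unknown name still raises ValueError rather than being logged with a made-up number. Passing the default `socket.getprotobyname` instead of a table-backed lookup exercises the real /etc/protocols of the host.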


* Re: [PATCH v2] semanage: handle getprotobyname() failure case
  2020-06-08 16:18 ` [PATCH v2] semanage: handle getprotobyname() failure case Stephen Smalley
@ 2020-06-22 12:22   ` Stephen Smalley
  2020-06-25 17:30     ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2020-06-22 12:22 UTC
  To: Topi Miettinen, linux-audit; +Cc: SElinux list

On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> >
> > At least on Debian, /etc/protocols, which is used by
> > socket.getprotobyname() to resolve protocols to names, does not
> > contain an entry for "ipv4". In that case, set the protocol number
> > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > compatibility, let's use the same numeric value as Fedora: 4, which is
> > actually understood by kernel as IP over IP.
> >
> > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
>
> This looks fine to me but adding linux-audit mailing list to see if
> they have any concerns.  It appears to make no change to the audit
> messages on Fedora.

Seeing no objections from linux-audit,

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

* Re: [PATCH v2] semanage: handle getprotobyname() failure case
  2020-06-22 12:22   ` Stephen Smalley
@ 2020-06-25 17:30     ` Stephen Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2020-06-25 17:30 UTC
  To: Topi Miettinen, linux-audit; +Cc: SElinux list

On Mon, Jun 22, 2020 at 8:22 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Mon, Jun 8, 2020 at 12:18 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Fri, Jun 5, 2020 at 4:24 AM Topi Miettinen <toiwoton@gmail.com> wrote:
> > >
> > > At least on Debian, /etc/protocols, which is used by
> > > socket.getprotobyname() to resolve protocols to names, does not
> > > contain an entry for "ipv4". In that case, set the protocol number
> > > used by audit logs for "ipv4" to a fixed value. To ensure audit log
> > > compatibility, let's use the same numeric value as Fedora: 4, which is
> > > actually understood by kernel as IP over IP.
> > >
> > > Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> >
> > This looks fine to me but adding linux-audit mailing list to see if
> > they have any concerns.  It appears to make no change to the audit
> > messages on Fedora.
>
> Seeing no objections from linux-audit,
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Applied.
