* [PATCH 1/2] sepolgen: print extended permissions in hexadecimal
@ 2020-08-19 15:05 Christian Göttsche
From: Christian Göttsche @ 2020-08-19 15:05 UTC (permalink / raw)
To: selinux
Tools such as ausearch(8) and sesearch(1), as well as online documentation[1],
print extended permissions as hexadecimal values.
Print them in hexadecimal in sepolgen output (e.g. audit2allow) as well, so the values can be matched directly.
[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
python/sepolgen/src/sepolgen/refpolicy.py | 5 ++---
python/sepolgen/tests/test_access.py | 10 +++++-----
python/sepolgen/tests/test_refpolicy.py | 12 ++++++------
3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
index 43cecfc7..74763687 100644
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@@ -407,10 +407,9 @@ class XpermSet():
# print single value without braces
if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
- return compl + str(self.ranges[0][0])
+ return compl + hex(self.ranges[0][0])
- vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
- self.ranges)
+ vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
return "%s{ %s }" % (compl, " ".join(vals))
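Review bot: The rewritten map() at the end of this hunk packs the lambda, a `%s-%s` format and a trailing-comma tuple onto one long line; the `%#x` conversion yields the same `0x2a` form and reads cleaner: `vals = map(lambda r: "%#x" % r[0] if r[0] == r[1] else "%#x-%#x" % r, self.ranges)`, with the single-value branch becoming `return compl + "%#x" % self.ranges[0][0]`. Note that both `hex()` and `%#x` render a negative int as `-0x…`; nothing in this hunk bounds the range values, so presumably XpermSet.add() validates them — worth confirming, since an out-of-range ioctl number would otherwise be emitted verbatim into the generated policy. The to_string method this hunk patches starts and ends outside the hunk.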
diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
index 73a5407d..623588e0 100644
--- a/python/sepolgen/tests/test_access.py
+++ b/python/sepolgen/tests/test_access.py
@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def text_merge_xperm2(self):
"""Test merging AV that does not contain xperms with AV that does"""
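Review bot: The assertion updated in the next hunk (`@@ -185`) sits inside `text_merge_xperm2`, whose `def` is the trailing context of this hunk; unittest only collects methods prefixed `test_`, so that test has never run and the new expected string there is unverified. Rename it to `def test_merge_xperm2(self):` in this series or a follow-up and check that its body still passes against the hex output. The affected methods start and end outside the visible hunk lines.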
@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_diff_op(self):
"""Test merging two AVs that contain xperms with different operation"""
@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
- self.assertEqual(a.xperms["asdf"].to_string(), "23")
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+ self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
def test_merge_xperm_same_op(self):
"""Test merging two AVs that contain xperms with same operation"""
@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
a.merge(b)
self.assertEqual(list(a.perms), ["read"])
self.assertEqual(list(a.xperms.keys()), ["ioctl"])
- self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
+ self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
class TestUtilFunctions(unittest.TestCase):
def test_is_idparam(self):
diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
index 4b50c8aa..c7219fd5 100644
--- a/python/sepolgen/tests/test_refpolicy.py
+++ b/python/sepolgen/tests/test_refpolicy.py
@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
a.complement = True
self.assertEqual(a.to_string(), "")
a.add(1234)
- self.assertEqual(a.to_string(), "~ 1234")
+ self.assertEqual(a.to_string(), "~ 0x4d2")
a.complement = False
- self.assertEqual(a.to_string(), "1234")
+ self.assertEqual(a.to_string(), "0x4d2")
a.add(2345)
- self.assertEqual(a.to_string(), "{ 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
a.complement = True
- self.assertEqual(a.to_string(), "~ { 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
a.add(42,64)
- self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
a.complement = False
- self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
+ self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
class TestSecurityContext(unittest.TestCase):
def test_init(self):
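Review bot: The expectations in this hunk are hand-converted decimals (`add(1234)` → `0x4d2`, `add(42,64)` → `0x2a-0x40`), which makes the test harder to read and review than necessary. Since the values stand in for ioctl numbers anyway, feeding hex literals in (`a.add(0x4d2)`, `a.add(0x929)`, `a.add(0x2a, 0x40)`) keeps input and expected output in the same base and makes any future formatting regression obvious at a glance. The test method begins outside the hunk.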
--
2.28.0
* [PATCH 2/2] sepolgen: sort extended rules like normal ones
From: Christian Göttsche @ 2020-08-19 15:05 UTC (permalink / raw)
To: selinux
Currently:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
Changed:
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t ptmx_t:chr_file ioctl;
allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t sshd_devpts_t:chr_file ioctl;
allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow sshd_t user_devpts_t:chr_file ioctl;
allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
#============= user_t ==============
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t devtty_t:chr_file ioctl;
allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
#!!!! This avc is allowed in the current policy
#!!!! This av rule may have been overridden by an extended permission av rule
allow user_t user_devpts_t:chr_file ioctl;
allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
python/sepolgen/src/sepolgen/output.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
index 3a21b64c..aeeaafc8 100644
--- a/python/sepolgen/src/sepolgen/output.py
+++ b/python/sepolgen/src/sepolgen/output.py
@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
return ret
# At this point, who cares - just return something
- return cmp(len(a.perms), len(b.perms))
+ return 0
# Compare two interface calls
def ifcall_cmp(a, b):
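Review bot: The `# At this point, who cares - just return something` comment above the new `return 0` is now misleading: returning 0 is deliberate, since it is what makes an `allow` and the `allowxperm` for the same src/tgt/class compare equal so the stable sort keeps them adjacent (the old `cmp(len(a.perms), …)` would not apply to an AVExtRule, which carries xperms rather than perms — presumably why it was dropped). Replace the comment with `# Equal here on purpose: an AVRule and the AVExtRule for the same src/tgt/class must sort together; list.sort() is stable, so insertion order decides.` avrule_cmp's earlier comparisons are outside this hunk.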
@@ -100,7 +100,7 @@ def rule_cmp(a, b):
else:
return id_set_cmp([a.args[0]], b.src_types)
else:
- if isinstance(b, refpolicy.AVRule):
+ if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
return avrule_cmp(a,b)
else:
return id_set_cmp(a.src_types, [b.args[0]])
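Review bot: `isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule)` can be written with a type tuple, `if isinstance(b, (refpolicy.AVRule, refpolicy.AVExtRule)):`, which is the idiomatic form and keeps the line short. rule_cmp begins outside the hunk.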
@@ -130,6 +130,7 @@ def sort_filter(module):
# we assume is the first argument for interfaces).
rules = []
rules.extend(node.avrules())
+ rules.extend(node.avextrules())
rules.extend(node.interface_calls())
rules.sort(key=util.cmp_to_key(rule_cmp))
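Review bot: The allow/allowxperm pairing shown in the commit message depends on `node.avrules()` being extended before `node.avextrules()` here and on `list.sort()` being stable, because avrule_cmp returns 0 for such a pair; nothing records that, so swapping these two extend() calls would silently put every `allowxperm` ahead of its `allow`. Add a comment on the new line: `# avrules before avextrules: avrule_cmp treats a rule and its xperm rule as equal, and the stable sort keeps this order`. It is also worth confirming that AVExtRule exposes the src_types/tgt_types/obj_classes attributes that avrule_cmp and the id_set_cmp branch of rule_cmp read — that part of avrule_cmp is outside the hunk.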
--
2.28.0
* Re: [PATCH 1/2] sepolgen: print extended permissions in hexadecimal
From: Stephen Smalley @ 2020-08-24 13:44 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Wed, Aug 19, 2020 at 11:06 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> All tools like ausearch(8) or sesearch(1) and online documentation[1]
> use hexadecimal values for extended permissions.
> Hence use them, e.g. for audit2allow output, as well.
>
> [1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
* Re: [PATCH 2/2] sepolgen: sort extended rules like normal ones
From: Stephen Smalley @ 2020-08-24 13:46 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Wed, Aug 19, 2020 at 11:07 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Currently:
>
> #============= sshd_t ==============
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow sshd_t ptmx_t:chr_file ioctl;
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow sshd_t sshd_devpts_t:chr_file ioctl;
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow sshd_t user_devpts_t:chr_file ioctl;
>
> #============= user_t ==============
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow user_t devtty_t:chr_file ioctl;
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow user_t user_devpts_t:chr_file ioctl;
> allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
> allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
> allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
> allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
> allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
>
> Changed:
>
> #============= sshd_t ==============
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow sshd_t ptmx_t:chr_file ioctl;
> allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow sshd_t sshd_devpts_t:chr_file ioctl;
> allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow sshd_t user_devpts_t:chr_file ioctl;
> allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
>
> #============= user_t ==============
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow user_t devtty_t:chr_file ioctl;
> allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
>
> #!!!! This avc is allowed in the current policy
> #!!!! This av rule may have been overridden by an extended permission av rule
> allow user_t user_devpts_t:chr_file ioctl;
> allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
* Re: [PATCH 2/2] sepolgen: sort extended rules like normal ones
From: Stephen Smalley @ 2020-08-26 18:23 UTC (permalink / raw)
To: Christian Göttsche; +Cc: SElinux list
On Mon, Aug 24, 2020 at 9:46 AM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Aug 19, 2020 at 11:07 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Currently:
> >
> > #============= sshd_t ==============
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow sshd_t ptmx_t:chr_file ioctl;
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow sshd_t sshd_devpts_t:chr_file ioctl;
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow sshd_t user_devpts_t:chr_file ioctl;
> >
> > #============= user_t ==============
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow user_t devtty_t:chr_file ioctl;
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow user_t user_devpts_t:chr_file ioctl;
> > allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
> > allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
> > allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
> > allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
> > allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
> >
> > Changed:
> >
> > #============= sshd_t ==============
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow sshd_t ptmx_t:chr_file ioctl;
> > allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow sshd_t sshd_devpts_t:chr_file ioctl;
> > allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow sshd_t user_devpts_t:chr_file ioctl;
> > allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
> >
> > #============= user_t ==============
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow user_t devtty_t:chr_file ioctl;
> > allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
> >
> > #!!!! This avc is allowed in the current policy
> > #!!!! This av rule may have been overridden by an extended permission av rule
> > allow user_t user_devpts_t:chr_file ioctl;
> > allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Both applied.