From: Stephen Smalley <sds@tycho.nsa.gov>
To: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] libsemanage: set selinux policy root to match semanage root or storename
Date: Mon, 19 Nov 2018 08:52:50 -0500
Message-ID: <42f12202-0298-cbc7-2ce9-7cf6e7020049@tycho.nsa.gov>
In-Reply-To: <a29de7d8-7efb-f8ce-1c29-01dd4c43bb73@tycho.nsa.gov>

On 11/8/18 9:20 AM, Stephen Smalley wrote:
> On 11/7/18 3:45 PM, Nicolas Iooss wrote:
>> On Tue, Nov 6, 2018 at 8:18 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>
>>> As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B
>>> tries to use /etc/selinux/targeted/booleans.subs_dist. This is because
>>> it invokes the libselinux selinux_boolean_sub() interface, which uses
>>> the active/installed policy files rather than the libsemanage ones.
>>>
>>> To fix, we need to set the selinux policy root when either the semanage
>>> root or the semanage storename is set. When setting the semanage root,
>>> we need to prepend the semanage root to the selinux policy root. When
>>> setting the semanage storename, we need to replace the last component
>>> of the selinux policy root with the new storename.
>>>
>>> Test:
>>> strace semodule -p ~/policy-root -s minimum -n -B
>>>
>>> Before:
>>> openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist",
>>> O_RDONLY|O_CLOEXEC) = 5
>>>
>>> After:
>>> openat(AT_FDCWD,
>>> "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist",
>>> O_RDONLY|O_CLOEXEC) = 5
>>>
>>> Fixes https://github.com/SELinuxProject/selinux/issues/109
>>>
>>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>>> ---
>>> libsemanage/src/handle.c | 29 ++++++++++++++++++++++++++++-
>>> 1 file changed, 28 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
>>> index a6567bd4..c163e553 100644
>>> --- a/libsemanage/src/handle.c
>>> +++ b/libsemanage/src/handle.c
>>> @@ -43,8 +43,21 @@ static char *private_semanage_root = NULL;
>>>
>>> int semanage_set_root(const char *root)
>>> {
>>> + char *new_selinux_root = NULL;
>>> +
>>> + asprintf(&new_selinux_root, "%s%s", root,
>>> selinux_policy_root());
>>> + if (!new_selinux_root)
>>> + return -1;
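Review bot: the asprintf() call in semanage_set_root() discards its return value and then tests new_selinux_root, but on failure asprintf() returns -1 and leaves the pointer undefined, so the NULL initialiser does not make "if (!new_selinux_root)" a reliable failure check. Test the return value directly, e.g. "if (asprintf(&new_selinux_root, "%s%s", root, selinux_policy_root()) < 0) return -1;".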
>>
>> https://travis-ci.org/SELinuxProject/selinux/builds/451528669 failed
>> because the return value of asprintf needs to be checked instead of
>> new_selinux_root. http://man7.org/linux/man-pages/man3/asprintf.3.html
>> states:
>>
>> If memory allocation wasn't possible, or some other error occurs,
>> these functions will return -1, and the contents of strp are
>> undefined.
>>
>> [...]
>>
>>> +
>>> + char *newroot = NULL;
>>> + asprintf(&newroot, "%s%s", root, storename);
>>> + assert(newroot);
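Review bot: assert(newroot) after the asprintf() call is not error handling: assert() is compiled out when NDEBUG is defined and aborts the calling process otherwise, and newroot is undefined when asprintf() fails, so the NULL initialiser does not help. Test the asprintf() return value for < 0 and handle the failure explicitly (for example by leaving the existing state untouched) rather than asserting inside library code.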
>>
>> Same here.
>
> Unfortunately there are more fundamental problems with the patch as
> well, e.g.
>
> 1) Mutating selinux_policy_root breaks the test of whether we are
> installing to the active store in semanage_install_final_tmp(), which
> will cause policy reloads to be triggered when performing an operation
> on a different store, a different root, or both.
>
> 2) semanage_select_store() is supposed to only modify the per-handle
> state. Changing selinux policy root is global state and would affect
> any other handles.
>
> 3) Multiple semanage_set_root() calls would yield the wrong result.
>
> 4) An allocation failure for private_semanage_root would leave the
> policy root modified.
>
> Not sure of the best approach here. Could possibly just modify the
> policy root around the selinux_boolean_sub() call and leave the rest
> unchanged...

I guess the underlying bug here is that booleans.subs_dist is not itself
managed via libsemanage. If it was managed and therefore lived within
the policy store, then libsemanage could access the appropriate
booleans.subs_dist file without using the libselinux interface at all,
and thus would not need to switch the selinux policy root. Moving
booleans.subs_dist to being a managed file however would be a more
substantial change. The short term fix might be to switch the selinux
policy root around the selinux_boolean_sub() call, with a longer term
fix of taking booleans.subs_dist to being a managed file.
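
Added example, not part of the original message, the patch, or libsemanage: one way to compute the store-specific policy root that a temporary switch around the selinux_boolean_sub() call would need, always deriving it from the unmodified policy root so repeated calls do not compound and a failed allocation changes nothing. The helper name derive_policy_root and its store-name validation are assumptions of this example; the sample paths are the ones from the strace output above.

```c
#define _GNU_SOURCE /* asprintf() is a GNU/BSD extension */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int asprintf(char **strp, const char *fmt, ...); /* harmless if already declared */

/*
 * Hypothetical helper, not libsemanage API; touches no global state.
 *   base      - pristine policy root, e.g. "/etc/selinux/targeted"
 *   root      - semanage root to prepend, or NULL
 *   storename - replaces the last component of base, or NULL
 * Returns a malloc()ed string the caller frees, or NULL on error.
 */
char *derive_policy_root(const char *base, const char *root,
                         const char *storename)
{
    char *out = NULL;
    int rc;

    if (!base || base[0] != '/')
        return NULL;
    if (!root)
        root = "";
    /* Assumption of this example: a store name is one path component. */
    if (storename && (storename[0] == '\0' || strchr(storename, '/') ||
                      !strcmp(storename, ".") || !strcmp(storename, "..")))
        return NULL;

    if (storename) {
        /* Keep everything up to and including the last '/' of base. */
        int dirlen = (int)(strrchr(base, '/') - base) + 1;
        rc = asprintf(&out, "%s%.*s%s", root, dirlen, base, storename);
    } else {
        rc = asprintf(&out, "%s%s", root, base);
    }
    /* On failure asprintf() returns -1 and leaves 'out' undefined. */
    return rc < 0 ? NULL : out;
}

int main(void)
{
    char *p = derive_policy_root("/etc/selinux/targeted",
                                 "/home/sds/policy-root", "minimum");
    if (!p)
        return 1;
    puts(p);
    free(p);
    return 0;
}
```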