From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 References: <41fbbd99-00ef-3953-1049-acf975ae6ffa@tycho.nsa.gov> <4e7d4090-e271-b904-c5bb-24f69304625d@tycho.nsa.gov> <85bb9bec-2bda-34fa-1f7d-256470c4f38c@tycho.nsa.gov> In-Reply-To: From: Ted Toth Date: Tue, 11 Sep 2018 15:59:44 -0500 Message-ID: To: Stephen Smalley Cc: SELinux , Paul Moore , Daniel J Walsh Content-Type: multipart/alternative; boundary="0000000000008e451105759ec169" Subject: Re: MLS dominance check behavior on el7 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: --0000000000008e451105759ec169 Content-Type: text/plain; charset="UTF-8" That's awesome and now it's got me thinking about other classes/permissions that we could implement. Can cil macros can be referenced in .te/.if files? On Tue, Sep 11, 2018 at 2:27 PM Stephen Smalley wrote: > On 09/11/2018 02:49 PM, Ted Toth wrote: > > Yes I too noticed the translate permission but couldn't find any info > > related to it intended purpose. Regarding CIL unfortunately I have zero > > experience with it but I've installed the compiler and started reading > > through https://github.com/SELinuxProject/cil/wiki (any other pointers > > to useful info would be appreciated). I have written lots of policy > > would it be possible to add a class/permissions/mlsconstraints in an > > old-fashion policy module? > > The older binary modules didn't support those kinds of statements > outside of the base module. Try this: > $ cat > mcstrans.cil < ; define a mcstrans class with one permission color_use > (class mcstrans (color_use)) > ; allow all domains mcstrans color_use permission to themselves > (allow domain self (mcstrans (color_use))) > ; only allow mcstrans color_use permission when h1 dominates h2 > (mlsconstrain (mcstrans (color_use)) (dom h1 h2)) > ; append the new mcstrans class to the end after all others > (classorder (unordered mcstrans)) > EOF > > $ sudo semodule -i mcstrans.cil > > Then try performing permission checks with "mcstrans" as your class and > "color_use" as your permission, between a domain and itself, with > different levels. > > > > > On Tue, Sep 11, 2018 at 1:27 PM Stephen Smalley > > wrote: > > > > On 09/11/2018 10:41 AM, Stephen Smalley wrote: > > > On 09/10/2018 06:30 PM, Ted Toth wrote: > > >> mcstrans mcscolor.c also uses the same logic I'd been using to > > check > > >> dominance so this too will no longer function as expected on > > el7. Do > > >> you any suggestions for doing a 'generic' (one not tied to a > > specific > > >> resource class) dominance check in lieu of context contains? > > > > > > You should probably define your own permission with its own > > constraint > > > to avoid depending on the base policy's particular constraint > > > definitions. Certainly for your own code. For mcstrans, mcscolor > > > probably ought to be switched to using at least a separate > > permission in > > > the context class if not its own class to avoid overloading the > > meaning > > > with pam_selinux's usage (or vice versa, but likely harder to > change > > > pam_selinux at this point). > > > > > > It is possible to define an entirely new class, its permissions, > > and its > > > mls constraints via a CIL module IIUC, without needing to change > the > > > base policy. > > > > > > I don't think you can add a permission to an existing class via a > > CIL > > > module currently, unfortunately, so you can't just extend the > > context > > > class without modifying the base policy. So it may be easier to > > define > > > an entirely new class. > > > > > > The class and permission ought to be specific to the usage. For > > > example, mcstrans could have its own class (mcstrans) with its own > > > permissions (e.g. color_match or color_use or ...) that abstract > > away > > > the logical check being performed. Dominance checks performed for > > > different reasons ought to use different permissions so that one > can > > > distinguish what TE pairs are allowed them. > > > > > > Your code could likewise define and use its own class and > permission. > > > > > > Does that make sense? > > > > BTW, I noticed there is another permission ("translate") defined in > the > > context class and its constraint is ((h1 dom h2) or (t1 == > > mlstranslate)). I would have guessed that it was intended as a > > front-end service check over what processes could request context > > translations from mcstrans or what contexts they could translate, > but I > > don't see it being used in mcstrans anywhere. Is this a legacy thing > > from early setransd/mcstransd days? There is a TODO comment in > > mcstrans > > process_request() that suggests there was an intent to perform a > > dominance check between the requester context and the specified > > context, > > but that's not implemented. Appears to be allowed in current policy > > for > > all domains to the setrans_t domain itself. > > > > > > > >> > > >> Ted > > >> > > >> On Mon, Sep 10, 2018 at 1:19 PM Ted Toth > > > >> >> wrote: > > >> > > >> Understood, thanks. > > >> > > >> On Mon, Sep 10, 2018 at 12:46 PM Stephen Smalley > > > > >> >> > wrote: > > >> > > >> On 09/10/2018 01:13 PM, Ted Toth wrote: > > >> > We currently have code running on el6 that does a MLS > > >> dominance check by > > >> > calling security_compute_av_raw with the security > > object class > > >> > SECCLASS_CONTEXT with permission CONTEXT__CONTAINS as > > you can > > >> see in the > > >> > python code below. When I run this code on el6 s1 > > dominates > > >> s0 however > > >> > when I run the same code on el7 s1 does not dominate > > s0. On > > >> both systems > > >> > the file read dominance check works as expected. Can > > anyone > > >> help me > > >> > understand why the context contains check does not > > work the > > >> same on both > > >> > systems? > > >> > > >> That would depend entirely on how the constraint is > > written in > > >> the > > >> policy. I assume this is with the -mls policy on both? > > seinfo > > >> --constrain | grep -C1 context would show you the > > constraint > > >> in the > > >> kernel policy. > > >> > > >> Looks like refpolicy defines it as: > > >> mlsconstrain context contains > > >> (( h1 dom h2 ) and ( l1 domby l2)); > > >> > > >> The 2nd part of the constraint was introduced by: > > >> commit 4c365f4a6a6f933dd13b0127e03f832c6a6cf8fc > > >> Author: Harry Ciao > > > >> > >> > > >> Date: Tue Feb 15 10:16:32 2011 +0800 > > >> > > >> l1 domby l2 for contains MLS constraint > > >> > > >> As identified by Stephan Smalley, the current MLS > > >> constraint for the > > >> contains permission of the context class should > > consider > > >> the current > > >> level of a user along with the clearance level so > that > > >> mls_systemlow > > >> is no longer considered contained in > mls_systemhigh. > > >> > > >> Signed-off-by: Harry Ciao > > > > >> > >> > > >> > > >> This was to prevent a user from logging in at a level > > below their > > >> authorized range, in the unusual scenario where the > > user's low > > >> level was > > >> not s0/systemlow. > > >> > > >> > > > >> > Ted > > >> > > > >> > > > >> > > >> > > > --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > > > > >> > > >> > > > >> > import selinux > > >> > > > >> > SECCLASS_CONTEXT = > > selinux.string_to_security_class("context") > > >> > CONTEXT__CONTAINS = > > >> selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains") > > >> > SECCLASS_FILE = > selinux.string_to_security_class("file") > > >> > FILE__READ = selinux.string_to_av_perm(SECCLASS_FILE, > > "read") > > >> > > > >> > raw_con1 = "user_u:user_r:user_t:s1" > > >> > raw_con2 = "user_u:user_r:user_t:s0" > > >> > > > >> > avd = selinux.av_decision() > > >> > selinux.avc_reset() > > >> > try: > > >> > rc = selinux.security_compute_av_raw(raw_con1, > > raw_con2, > > >> > SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd) > > >> > if rc < 0: > > >> > print("selinux.security_compute_av_raw > > failed for %s > > >> %s" % > > >> > (raw_con1, raw_con2)) > > >> > if (avd.allowed & CONTEXT__CONTAINS) == > > >> CONTEXT__CONTAINS: > > >> > print("%s dominates %s" % (raw_con1, > raw_con2)) > > >> > else: > > >> > print("%s does not dominate %s" % (raw_con1, > > >> raw_con2)) > > >> > except OSError, ex: > > >> > print "exception calling > > >> selinux.security_compute_av_raw", ex > > >> > > > >> > avd = selinux.av_decision() > > >> > selinux.avc_reset() > > >> > try: > > >> > rc = selinux.security_compute_av_raw(raw_con1, > > raw_con2, > > >> > SECCLASS_FILE, FILE__READ, avd) > > >> > if rc < 0: > > >> > print("selinux.security_compute_av_raw > > failed for %s > > >> %s" % > > >> > (raw_con1, raw_con2)) > > >> > if (avd.allowed & FILE__READ) == FILE__READ: > > >> > print("%s dominates %s" % (raw_con1, > raw_con2)) > > >> > else: > > >> > print("%s does not dominate %s" % (raw_con1, > > >> raw_con2)) > > >> > > > >> > except OSError: > > >> > print "exception calling > > >> selinux.security_compute_av_raw", ex > > >> > > > >> > > > >> > > > >> > _______________________________________________ > > >> > Selinux mailing list > > >> > Selinux@tycho.nsa.gov > > > > > >> > To unsubscribe, send email to > > Selinux-leave@tycho.nsa.gov > > >> > >. > > >> > To get help, send an email containing "help" to > > >> Selinux-request@tycho.nsa.gov Selinux-request@tycho.nsa.gov> > > >> > >. > > >> > > > >> > > > > > > > --0000000000008e451105759ec169 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
That's awesome and now it's got me thinking about = other classes/permissions that we could implement. Can cil macros can be re= ferenced in .te/.if files?=C2=A0


On Tue, Sep 11, 2018 at 2:27 PM Stephen Smalley &= lt;sds@tycho.nsa.gov> wrote:
On 09/11/2018 02:49 PM, Ted Toth wrot= e:
> Yes I too noticed the translate permission but couldn't find any i= nfo
> related to it intended purpose. Regarding CIL unfortunately I have zer= o
> experience with it but I've installed the compiler and started rea= ding
> through https://github.com/SELinuxProject/cil/wiki (any other pointers
> to useful info would be appreciated). I have written lots of policy > would it be possible to add a class/permissions/mlsconstraints in an <= br> > old-fashion policy module?

The older binary modules didn't support those kinds of statements
outside of the base module.=C2=A0 Try this:
$ cat > mcstrans.cil <<EOF
; define a mcstrans class with one permission color_use
(class mcstrans (color_use))
; allow all domains mcstrans color_use permission to themselves
(allow domain self (mcstrans (color_use)))
; only allow mcstrans color_use permission when h1 dominates h2
(mlsconstrain (mcstrans (color_use)) (dom h1 h2))
; append the new mcstrans class to the end after all others
(classorder (unordered mcstrans))
EOF

$ sudo semodule -i mcstrans.cil

Then try performing permission checks with "mcstrans" as your cla= ss and
"color_use" as your permission, between a domain and itself, with=
different levels.

>
> On Tue, Sep 11, 2018 at 1:27 PM Stephen Smalley <sds@tycho.nsa.gov
> <mailto:sds@= tycho.nsa.gov>> wrote:
>
>=C2=A0 =C2=A0 =C2=A0On 09/11/2018 10:41 AM, Stephen Smalley wrote:
>=C2=A0 =C2=A0 =C2=A0 > On 09/10/2018 06:30 PM, Ted Toth wrote:
>=C2=A0 =C2=A0 =C2=A0 >> mcstrans mcscolor.c also uses the same lo= gic I'd been using to
>=C2=A0 =C2=A0 =C2=A0check
>=C2=A0 =C2=A0 =C2=A0 >> dominance so this too will no longer func= tion as expected on
>=C2=A0 =C2=A0 =C2=A0el7. Do
>=C2=A0 =C2=A0 =C2=A0 >> you any suggestions for doing a 'gene= ric' (one not tied to a
>=C2=A0 =C2=A0 =C2=A0specific
>=C2=A0 =C2=A0 =C2=A0 >> resource class) dominance check in lieu o= f context contains?
>=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 > You should probably define your own permissio= n with its own
>=C2=A0 =C2=A0 =C2=A0constraint
>=C2=A0 =C2=A0 =C2=A0 > to avoid depending on the base policy's p= articular constraint
>=C2=A0 =C2=A0 =C2=A0 > definitions.=C2=A0 Certainly for your own cod= e.=C2=A0 For mcstrans, mcscolor
>=C2=A0 =C2=A0 =C2=A0 > probably ought to be switched to using at lea= st a separate
>=C2=A0 =C2=A0 =C2=A0permission in
>=C2=A0 =C2=A0 =C2=A0 > the context class if not its own class to avo= id overloading the
>=C2=A0 =C2=A0 =C2=A0meaning
>=C2=A0 =C2=A0 =C2=A0 > with pam_selinux's usage (or vice versa, = but likely harder to change
>=C2=A0 =C2=A0 =C2=A0 > pam_selinux at this point).
>=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 > It is possible to define an entirely new clas= s, its permissions,
>=C2=A0 =C2=A0 =C2=A0and its
>=C2=A0 =C2=A0 =C2=A0 > mls constraints via a CIL module IIUC, withou= t needing to change the
>=C2=A0 =C2=A0 =C2=A0 > base policy.
>=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 > I don't think you can add a permission to= an existing class via a
>=C2=A0 =C2=A0 =C2=A0CIL
>=C2=A0 =C2=A0 =C2=A0 > module currently, unfortunately, so you can&#= 39;t just extend the
>=C2=A0 =C2=A0 =C2=A0context
>=C2=A0 =C2=A0 =C2=A0 > class without modifying the base policy.=C2= =A0 So it may be easier to
>=C2=A0 =C2=A0 =C2=A0define
>=C2=A0 =C2=A0 =C2=A0 > an entirely new class.
>=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 > The class and permission ought to be specific= to the usage.=C2=A0 For
>=C2=A0 =C2=A0 =C2=A0 > example, mcstrans could have its own class (m= cstrans) with its own
>=C2=A0 =C2=A0 =C2=A0 > permissions (e.g. color_match or color_use or= ...) that abstract
>=C2=A0 =C2=A0 =C2=A0away
>=C2=A0 =C2=A0 =C2=A0 > the logical check being performed.=C2=A0 Domi= nance checks performed for
>=C2=A0 =C2=A0 =C2=A0 > different reasons ought to use different perm= issions so that one can
>=C2=A0 =C2=A0 =C2=A0 > distinguish what TE pairs are allowed them. >=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 > Your code could likewise define and use its o= wn class and permission.
>=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 > Does that make sense?
>
>=C2=A0 =C2=A0 =C2=A0BTW, I noticed there is another permission ("t= ranslate") defined in the
>=C2=A0 =C2=A0 =C2=A0context class and its constraint is ((h1 dom h2) or= (t1 =3D=3D
>=C2=A0 =C2=A0 =C2=A0mlstranslate)).=C2=A0 I would have guessed that it = was intended as a
>=C2=A0 =C2=A0 =C2=A0front-end service check over what processes could r= equest context
>=C2=A0 =C2=A0 =C2=A0translations from mcstrans or what contexts they co= uld translate, but I
>=C2=A0 =C2=A0 =C2=A0don't see it being used in mcstrans anywhere.= =C2=A0 Is this a legacy thing
>=C2=A0 =C2=A0 =C2=A0from early setransd/mcstransd days?=C2=A0 There is = a TODO comment in
>=C2=A0 =C2=A0 =C2=A0mcstrans
>=C2=A0 =C2=A0 =C2=A0process_request() that suggests there was an intent= to perform a
>=C2=A0 =C2=A0 =C2=A0dominance check between the requester context and t= he specified
>=C2=A0 =C2=A0 =C2=A0context,
>=C2=A0 =C2=A0 =C2=A0but that's not implemented.=C2=A0 Appears to be= allowed in current policy
>=C2=A0 =C2=A0 =C2=A0for
>=C2=A0 =C2=A0 =C2=A0all domains to the setrans_t domain itself.
>
>=C2=A0 =C2=A0 =C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> Ted
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> On Mon, Sep 10, 2018 at 1:19 PM Ted Toth = <txtoth@gmail.com<= /a>
>=C2=A0 =C2=A0 =C2=A0<mailto:txtoth@gmail.com>
>=C2=A0 =C2=A0 =C2=A0 >> <mailto:txtoth@gmail.com <mailto:txtoth@gmail.com>>> wrote:<= br> >=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0 Understood, thanks. >=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0 On Mon, Sep 10, 2018 a= t 12:46 PM Stephen Smalley
>=C2=A0 =C2=A0 =C2=A0<sds@tycho.nsa.gov <mailto:sds@tycho.nsa.gov>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0 <mailto:sds@tycho.nsa.gov <mailt= o:sds@tycho.nsa.gov<= /a>>>> wrote:
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 On 09/10/2018 01:13 PM, Ted Toth wrote:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > We currently have code running on el6 that does a MLS
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 dominance check by
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > calling security_compute_av_raw with the security
>=C2=A0 =C2=A0 =C2=A0object class
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > SECCLASS_CONTEXT with permission CONTEXT__CONTAINS as
>=C2=A0 =C2=A0 =C2=A0you can
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 see in the
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > python code below. When I run this code on el6 s1
>=C2=A0 =C2=A0 =C2=A0dominates
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 s0 however
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > when I run the same code on el7 s1 does not dominate
>=C2=A0 =C2=A0 =C2=A0s0. On
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 both systems
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > the file read dominance check works as expected. Can
>=C2=A0 =C2=A0 =C2=A0anyone
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 help me
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > understand why the context contains check does not
>=C2=A0 =C2=A0 =C2=A0work the
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 same on both
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > systems?
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 That would depend entirely on how the constraint is
>=C2=A0 =C2=A0 =C2=A0written in
>=C2=A0 =C2=A0 =C2=A0 >> the
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 policy.=C2=A0 I assume this is with the -mls policy on both?
>=C2=A0 =C2=A0 =C2=A0seinfo
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 --constrain | grep -C1 context would show you the
>=C2=A0 =C2=A0 =C2=A0constraint
>=C2=A0 =C2=A0 =C2=A0 >> in the
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 kernel policy.
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 Looks like refpolicy defines it as:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 mlsconstrain context contains
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0(( h1 dom h2 ) and ( l1 domby l= 2));
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 The 2nd part of the constraint was introduced by:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 commit 4c365f4a6a6f933dd13b0127e03f832c6a6cf8fc
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 Author: Harry Ciao <qingtao.cao@windriver.com
>=C2=A0 =C2=A0 =C2=A0<mailto:qingtao.cao@windriver.com>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 <mailto:qingtao.cao@windriver.com
>=C2=A0 =C2=A0 =C2=A0<mailto:qingtao.cao@windriver.com>>>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 Date:=C2=A0 =C2=A0Tue Feb 15 10:16:32 2011 +0800
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =C2=A0 =C2=A0 =C2=A0l1 domby l2 for contains MLS constraint
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =C2=A0 =C2=A0 =C2=A0As identified by Stephan Smalley, the current= MLS
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 constraint for the
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =C2=A0 =C2=A0 =C2=A0contains permission of the context class shou= ld
>=C2=A0 =C2=A0 =C2=A0consider
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 the current
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =C2=A0 =C2=A0 =C2=A0level of a user along with the clearance leve= l so that
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 mls_systemlow
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =C2=A0 =C2=A0 =C2=A0is no longer considered contained in mls_syst= emhigh.
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 =C2=A0 =C2=A0 =C2=A0Signed-off-by: Harry Ciao
>=C2=A0 =C2=A0 =C2=A0<qingtao.cao@windriver.com <mailto:qingtao.cao@windriver.com&= gt;
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 <mailto:qingtao.cao@windriver.com
>=C2=A0 =C2=A0 =C2=A0<mailto:qingtao.cao@windriver.com>>>
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 This was to prevent a user from logging in at a level
>=C2=A0 =C2=A0 =C2=A0below their
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 authorized range, in the unusual scenario where the
>=C2=A0 =C2=A0 =C2=A0user's low
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 level was
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 not s0/systemlow.
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > Ted
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0---------------------------------------------------= ---------------------------------------------------------------------------= ---------------------------------------------------------------------------=
>
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > import selinux
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > SECCLASS_CONTEXT =3D
>=C2=A0 =C2=A0 =C2=A0selinux.string_to_security_class("context"= ;)
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > CONTEXT__CONTAINS =3D
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 selinux.string_to_av_perm(SECCLASS_CONTEXT, "contains")
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > SECCLASS_FILE =3D selinux.string_to_security_class("fil= e")
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > FILE__READ =3D selinux.string_to_av_perm(SECCLASS_FILE,
>=C2=A0 =C2=A0 =C2=A0"read")
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > raw_con1 =3D "user_u:user_r:user_t:s1"
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > raw_con2 =3D "user_u:user_r:user_t:s0"
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > avd =3D selinux.av_decision()
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > selinux.avc_reset()
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > try:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 rc =3D selinux.security_compute_av_raw(r= aw_con1,
>=C2=A0 =C2=A0 =C2=A0raw_con2,
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > SECCLASS_CONTEXT, CONTEXT__CONTAINS, avd)
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 if rc < 0:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 print("selinux.securi= ty_compute_av_raw
>=C2=A0 =C2=A0 =C2=A0failed for %s
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 %s" %
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > (raw_con1, raw_con2))
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 if (avd.allowed & CONTEXT__CONTAINS)= =3D=3D
>=C2=A0 =C2=A0 =C2=A0 >> CONTEXT__CONTAINS:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 print("%s dominates %= s" % (raw_con1, raw_con2))
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 else:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 print("%s does not do= minate %s" % (raw_con1,
>=C2=A0 =C2=A0 =C2=A0 >> raw_con2))
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > except OSError, ex:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 print "exception calling
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 selinux.security_compute_av_raw", ex
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > avd =3D selinux.av_decision()
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > selinux.avc_reset()
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > try:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 rc =3D selinux.security_compute_av_raw(r= aw_con1,
>=C2=A0 =C2=A0 =C2=A0raw_con2,
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > SECCLASS_FILE, FILE__READ, avd)
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 if rc < 0:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 print("selinux.securi= ty_compute_av_raw
>=C2=A0 =C2=A0 =C2=A0failed for %s
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 %s" %
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > (raw_con1, raw_con2))
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 if (avd.allowed & FILE__READ) =3D=3D= FILE__READ:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 print("%s dominates %= s" % (raw_con1, raw_con2))
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 else:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 print("%s does not do= minate %s" % (raw_con1,
>=C2=A0 =C2=A0 =C2=A0 >> raw_con2))
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > except OSError:
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >=C2=A0 =C2=A0 =C2=A0 print "exception calling
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 selinux.security_compute_av_raw", ex
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > _______________________________________________
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > Selinux mailing list
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > S= elinux@tycho.nsa.gov <mailto:Selinux@tycho.nsa.gov>
>=C2=A0 =C2=A0 =C2=A0<mailto:Selinux@tycho.nsa.gov <mailto:Selinux@tycho.nsa.gov>> >=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > To unsubscribe, send email to
>=C2=A0 =C2=A0 =C2=A0Selinux-leave@tycho.nsa.gov <mailto:Selinux-leave@tycho.nsa.gov<= /a>>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 <mailto:Selinux-leave@tycho.nsa.gov
>=C2=A0 =C2=A0 =C2=A0<mailto:Selinux-leave@tycho.nsa.gov>>.
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 > To get help, send an email containing "help" to >=C2=A0 =C2=A0 =C2=A0 >> Selinux-request@tycho.nsa.gov <mailto:Selinux-requ= est@tycho.nsa.gov>
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0 <mailto:Selinux-request@tycho.nsa.gov
>=C2=A0 =C2=A0 =C2=A0<mailto:Selinux-request@tycho.nsa.gov>>.
>=C2=A0 =C2=A0 =C2=A0 >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 >
>=C2=A0 =C2=A0 =C2=A0 >>
>=C2=A0 =C2=A0 =C2=A0 >
>

--0000000000008e451105759ec169--