SELinux Archive on lore.kernel.org
From: Joshua Brindle <joshua.brindle@crunchydata.com>
To: jwcart2 <jwcart2@tycho.nsa.gov>
Cc: selinux@vger.kernel.org, Steve Smalley <sds@tycho.nsa.gov>
Subject: Re: [Non-DoD Source] [PATCH] Add default_range glblub support
Date: Thu, 29 Aug 2019 15:25:48 -0400
Message-ID: <CAGB+Vh41FrvMOs2MoONi23gmve0i3oz3m70Fbitkj629EiMBHg@mail.gmail.com> (raw)
In-Reply-To: <d6b2555e-fbda-b3e2-d451-a6e9500e3646@tycho.nsa.gov>

On Thu, Aug 29, 2019 at 3:12 PM jwcart2 <jwcart2@tycho.nsa.gov> wrote:
>
> On 8/26/19 10:20 AM, Joshua Brindle wrote:
> > Policy developers can set a default_range default to glblub and
> > computed contexts will be the intersection of the ranges of the
> > source and target contexts. For example, one can add a default with
> > this cil:
> >
> > (defaultrange db_table glblub);
> >
> > and then test using the compute_create utility:
> >
> > $ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
> > system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
> >
>
> It would be nice to say what glblub means and to have an example for checkpolicy
> as well.
>

Can do.

<snip>
> > --- a/libsepol/cil/src/cil_policy.c
> > +++ b/libsepol/cil/src/cil_policy.c
> > @@ -834,6 +834,9 @@ static void cil_default_ranges_to_policy(FILE *out, struct cil_list *defaults)
> >               case CIL_DEFAULT_TARGET_LOW_HIGH:
> >                       fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_LOW_HIGH);
> >                       break;
> > +             case CIL_DEFAULT_GLBLUB:
> > +                     fprintf(out," %s %s", CIL_KEY_TARGET, CIL_KEY_GLBLUB);
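Review bot: the new CIL_DEFAULT_GLBLUB case emits two keywords (`CIL_KEY_TARGET` followed by `CIL_KEY_GLBLUB`), but glblub is a standalone default_range value rather than a source/target-qualified one like the CIL_DEFAULT_TARGET_LOW_HIGH case above it, so the printed policy line would read `target glblub`; use `fprintf(out," %s", CIL_KEY_GLBLUB);`. The hunk header also counts three added lines while only two are quoted here, so confirm the case closes with a `break;` like its neighbours.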
>
> I think you just want fprintf(out," %s", CIL_KEY_GLBLUB);

Yeah, you are right. I wonder why this even works then?

<snip>

> > --- a/libsepol/src/kernel_to_conf.c
> > +++ b/libsepol/src/kernel_to_conf.c
> > @@ -673,6 +673,9 @@ static int write_default_range_to_conf(FILE *out, char *class_name, class_datum_
> >       case DEFAULT_TARGET_LOW_HIGH:
> >               dft = "target low-high";
> >               break;
> > +     case DEFAULT_GLBLUB:
> > +             dft = "glblub";
> > +             break;
> >       default:
> >               sepol_log_err("Unknown default type value: %i", class->default_range);
> >               return -1;
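Review bot: the conf exporter gains a `dft = "glblub";` case here, but the sibling CIL exporter in kernel_to_cil.c is not touched by this patch, so the two exporters now disagree on which default_range values they can represent; add the matching case there, emitting the `(defaultrange <class> glblub)` form shown in the patch description, so a kernel policy carrying this default converts to both formats.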
>
> You need to update kernel_to_cil.c as well.

Good catch. As a side note, changing the policy has many more touch
points than it used to (this is my first time making an update that
includes CIL). Is there some checklist or developer readme or something
available?

Also, it isn't clear how to test all the combinations. I did add:

Add via CIL module (which combos does that test?)
Add to exported CIL base (is that really the same as above?)
Add to .te base

What would I have needed to do to see that kernel_to_cil.c hadn't been updated?

<snip>

> > --- a/libsepol/src/write.c
> > +++ b/libsepol/src/write.c
> > @@ -46,6 +46,11 @@
> >   #include "private.h"
> >   #include "mls.h"
> >
> > +#define glblub_version ((p->policy_type == POLICY_KERN && \
> > +                  p->policyvers >= POLICYDB_VERSION_GLBLUB) || \
> > +                 (p->policy_type == POLICY_BASE && \
> > +                  p->policyvers >= MOD_POLICYDB_VERSION_GLBLUB))
> > +
> >   struct policy_data {
> >       struct policy_file *fp;
> >       struct policydb *p;
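Review bot: `glblub_version` is an object-like macro that silently reads `p` from whatever scope it is expanded in, and its lowercase name makes `!glblub_version` at the use site read like a plain variable. Prefer a `static inline` helper taking `const struct policydb *p`, or at least an upper-case macro with `p` as an explicit parameter, consistent with the `POLICY_KERN` / `POLICYDB_VERSION_GLBLUB` identifiers it uses.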
> > @@ -1034,6 +1039,13 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
> >            p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
> >               buf[0] = cpu_to_le32(cladatum->default_user);
> >               buf[1] = cpu_to_le32(cladatum->default_role);
> > +             if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) {
> > +                     WARN(fp->handle,
> > +                             "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
> > +                             p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
> > +                             p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
> > +                        cladatum->default_range = 0;
> > +                }
> >               buf[2] = cpu_to_le32(cladatum->default_range);
> >               items = put_entry(buf, sizeof(uint32_t), 3, fp);
> >               if (items != 3)
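Review bot: the discard branch mutates the in-memory policydb (`cladatum->default_range = 0;`) as a side effect of writing it, so writing the same policydb again at a glblub-capable version afterwards would silently lose the default; write 0 into `buf[2]` for this case instead and leave `cladatum` untouched. Also the last two added lines are indented with spaces and do not line up with the tab-indented block above them, and the `POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB` expression wants spaces around `?` and `:`.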
> >
>
> Everything else looks ok, but I haven't tested it yet.

Thanks. You can test using the test suite as well. I'm impressed that
adding a bunch of sensitivities to an mcs policy works as well as it
does!
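The glblub computation described at the top of the thread, as an added example in Python (my code, not part of the patch or of libsepol): it parses MLS ranges in the syntax the compute_create run uses and returns their intersection. It assumes the intersection takes the greater of the two low sensitivities, the lesser of the two high sensitivities, and the categories common to both contexts at each level, returning None when the sensitivity ranges do not overlap; the thread only states that the result is the intersection of the two ranges.

```python
import re

def parse_level(level):
    """Parse 's0:c1,c2,c5' or 's0:c0.c20' into (sensitivity, frozenset of categories)."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    catset = set()
    for piece in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", piece)
        if not m:
            raise ValueError(f"bad category: {piece!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        catset.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(catset)

def parse_range(rng):
    """Parse 'low-high'; a bare level means low == high."""
    low, _, high = rng.partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)

def format_level(sens, cats):
    """Render a level the way SELinux prints it: runs of 3+ as c1.c20, else comma-separated."""
    cats, parts, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        if j - i >= 2:
            parts.append(f"c{cats[i]}.c{cats[j]}")
        else:
            parts.extend(f"c{c}" for c in cats[i:j + 1])
        i = j + 1
    return f"s{sens}" + (":" + ",".join(parts) if parts else "")

def glblub(src_range, tgt_range):
    """Intersect two MLS ranges (assumed semantics: max of lows, min of highs, common cats).
    Returns None when the sensitivity ranges do not overlap."""
    (s_lo, s_hi), (t_lo, t_hi) = parse_range(src_range), parse_range(tgt_range)
    lo_sens, hi_sens = max(s_lo[0], t_lo[0]), min(s_hi[0], t_hi[0])
    if lo_sens > hi_sens:
        return None
    low = format_level(lo_sens, s_lo[1] & t_lo[1])
    high = format_level(hi_sens, s_hi[1] & t_hi[1])
    return low if low == high else f"{low}-{high}"
```

Feeding it the source and target ranges from the compute_create run quoted above reproduces the range in its output line.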
