SELinux Archive on lore.kernel.org
From: Stephen Smalley <sds@tycho.nsa.gov>
To: selinux@vger.kernel.org
Cc: jwcart2@tycho.nsa.gov
Subject: Re: [PATCH] libsepol,checkpolicy: remove use of hardcoded security class values
Date: Thu, 16 Jan 2020 15:36:56 -0500
Message-ID: <f27dc451-ea30-cdd2-8784-80448318fedb@tycho.nsa.gov>
In-Reply-To: <81187899-b56a-1b97-4dc5-e1d09e78320b@tycho.nsa.gov>

On 1/16/20 3:34 PM, Stephen Smalley wrote:
> On 1/16/20 3:01 PM, Stephen Smalley wrote:
>> libsepol carried its own (outdated) copy of flask.h with the generated
>> security class and initial SID values for use by the policy
>> compiler and the forked copy of the security server code
>> leveraged by tools such as audit2why.  Convert libsepol and
>> checkpolicy entirely to looking up class values from the policy,
>> remove the SECCLASS_* definitions from its flask.h header, and move
>> the header with its remaining initial SID definitions private to
>> libsepol.  While we are here, fix the sepol_compute_sid() logic to
>> properly support features long since added to the policy and kernel,
>> although there are no users of it other than checkpolicy -d (debug)
>> and it is not exported to users of the shared library.  There
>> are still some residual differences between the kernel logic and
>> libsepol.
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> 
> I see that this fails travis-ci; looks like the problem is that it 
> trades using hardcoded values for SECCLASS_PROCESS and _DIR and the 
> PROCESS__TRANSITION/DYNTRANSITION permissions for requiring the strings 
> to be present in the policy and that isn't true of some test policies. 
> The kernel does require at least the process class and perms to be 
> present or it will reject the policy at load time presently (when it was 
> likewise converted long ago as part of dynamic class/perm support). 
> Options:
> - Weaken the restrictions in libsepol's policydb_read and accept the 
> fact that the class/perm values may be zero subsequently within libsepol.
> - Change the test policies to at least provide this minimal set.
> 
> The "dir" class isn't currently mapped at load time by the kernel but it 
> unmaps it for genfs_sid() matching so it still expects it to be present.

I guess if nothing else it ought to be conditional on 
SEPOL_TARGET_SELINUX to avoid breaking Xen policies.
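For the second option above (making the test policies provide at least the minimal set the kernel insists on at load time), here is an added Python check that is not part of the patch, libsepol or checkpolicy; it handles only the class, common and access-vector statements of policy.conf syntax, and the sample policy fragment is constructed for the example.

```python
import re

# Minimal set named in the thread: the "process" class with "transition" and
# "dyntransition" perms (kernel rejects the policy without them), plus the
# "dir" class, which genfs_sid() matching expects to be present.
REQUIRED = {"process": {"transition", "dyntransition"}, "dir": set()}

# policy.conf statements handled:
#   class NAME                       (class declaration)
#   common NAME { perm ... }          (common permission set)
#   class NAME [inherits COMMON] { perm ... }   (access vector)
_CLASS_DECL_RE = re.compile(r"^\s*class\s+(\w+)\s*$", re.MULTILINE)
_COMMON_RE = re.compile(r"^\s*common\s+(\w+)\s*\{([^}]*)\}", re.MULTILINE)
_AV_RE = re.compile(
    r"^\s*class\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}", re.MULTILINE
)

# Constructed test-policy fragment: "process" lacks dyntransition on purpose.
SAMPLE_POLICY = """\
# constructed fragment, not taken from any real test policy
class security
class process
class dir
class file

common file { ioctl read write create getattr setattr }

class process { fork transition sigchld sigkill }
class dir inherits file { add_name remove_name search }
class file inherits file { execute_no_trans entrypoint }
"""


def parse_classes(policy_conf):
    """Return {class_name: set(perms)}; inherited common perms are folded in."""
    text = re.sub(r"#.*", "", policy_conf)  # drop comments first
    commons = {n: set(b.split()) for n, b in _COMMON_RE.findall(text)}
    classes = {n: set() for n in _CLASS_DECL_RE.findall(text)}
    for name, parent, body in _AV_RE.findall(text):
        perms = set(body.split()) | commons.get(parent, set())
        classes.setdefault(name, set()).update(perms)
    return classes


def missing_minimal_set(policy_conf):
    """Sorted list of missing 'class' / 'class:perm' items; empty when OK."""
    classes = parse_classes(policy_conf)
    missing = []
    for cls, perms in REQUIRED.items():
        if cls not in classes:
            missing.append(cls)
            continue
        missing.extend(f"{cls}:{p}" for p in sorted(perms - classes[cls]))
    return sorted(missing)
```

Running `missing_minimal_set(SAMPLE_POLICY)` reports `process:dyntransition`, which is exactly the kind of gap that made the converted libsepol reject the CI test policies.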
