From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <plautrba@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] libselinux: Add security_reject_unknown(3) man page
Date: Tue, 05 Mar 2019 10:12:10 +0100 [thread overview]
Message-ID: <pjdzhq9n0r9.fsf@redhat.com> (raw)
In-Reply-To: <1a98677c-7e70-b965-04fb-7ac01fa6c5d6@tycho.nsa.gov>
Stephen Smalley <sds@tycho.nsa.gov> writes:
> On 3/4/19 11:37 AM, Petr Lautrbach wrote:
>> Commit c19395d7 added a new interface security_reject_unknown()
>> which needs to
>> be documented.
>>
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>> libselinux/man/man3/security_getenforce.3 | 9 ++++++++-
>> libselinux/man/man3/security_reject_unknown.3 | 1 +
>> 2 files changed, 9 insertions(+), 1 deletion(-)
>> create mode 100644
>> libselinux/man/man3/security_reject_unknown.3
>>
>> diff --git a/libselinux/man/man3/security_getenforce.3
>> b/libselinux/man/man3/security_getenforce.3
>> index 29cf3de7..8d72afb6 100644
>> --- a/libselinux/man/man3/security_getenforce.3
>> +++ b/libselinux/man/man3/security_getenforce.3
>> @@ -1,6 +1,7 @@
>> .TH "security_getenforce" "3" "1 January 2004"
>> "russell@coker.com.au" "SELinux API documentation"
>> .SH "NAME"
>> -security_getenforce, security_setenforce,
>> security_deny_unknown, security_get_checkreqprot\- get or set
>> the enforcing state of SELinux
>> +security_getenforce, security_setenforce,
>> security_deny_unknown, security_reject_unknown,
>> +security_get_checkreqprot\- get or set the enforcing state of
>> SELinux
>> .
>> .SH "SYNOPSIS"
>> .B #include <selinux/selinux.h>
>> @@ -11,6 +12,8 @@ security_getenforce, security_setenforce,
>> security_deny_unknown, security_get_ch
>> .sp
>> .B int security_deny_unknown(void);
>> .sp
>> +.B int security_reject_unknown(void);
>> +.sp
>> .B int security_get_checkreqprot(void);
>> .
>> .SH "DESCRIPTION"
>> @@ -27,6 +30,10 @@ returned.
>> returns 0 if SELinux treats policy queries on undefined
>> object classes or
>> permissions as being allowed, 1 if such queries are denied,
>> and \-1 on error.
>> +.BR security_reject_unknown ()
>> +returns 0 if SELinux allows to load a policy which doesn't
>> define all object
>> +classes and permissions, 1 if loading such policy is rejected,
>> and \-1 on error.
>
> s/all object classes and permissions/all kernel object classes
> and permissions/
>
> A policy can still be loaded if it is missing userspace object
> classes and
> permissions regardless of security_reject_unknown(), although
> the object manager
> may later encounter a failure upon selinux_set_mapping(), which
> internally calls
> security_reject_unknown() to decide how to proceed, or direct
> attempts to lookup
> the class or permission via string_to_security_class() or
> string_to_av_perm().
I'll update the text.
> I don't know of anyone building policies with handle_unknown ==
> reject so it is
> unlikely that anyone is testing this case. deny is the default.
> allow is set
> in Fedora/RHEL. Android uses deny.
We're considering to use handle_unknown = reject for nightly
builds
to detect whether there's a new kernel class or permission defined
in
kernel which is not covered by policy.
>> +
>> .BR security_get_checkreqprot ()
>> can be used to determine whether SELinux is configured to
>> check the
>> protection requested by the application or the actual
>> protection that will
>> diff --git a/libselinux/man/man3/security_reject_unknown.3
>> b/libselinux/man/man3/security_reject_unknown.3
>> new file mode 100644
>> index 00000000..d59e5c2c
>> --- /dev/null
>> +++ b/libselinux/man/man3/security_reject_unknown.3
>> @@ -0,0 +1 @@
>> +.so man3/security_getenforce.3
>>
next prev parent reply other threads:[~2019-03-05 9:12 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-04 16:37 [PATCH] libselinux: Add security_reject_unknown(3) man page Petr Lautrbach
2019-03-04 18:23 ` Stephen Smalley
2019-03-05 9:12 ` Petr Lautrbach [this message]
2019-03-05 9:35 ` [PATCH v2] " Petr Lautrbach
2019-03-05 15:44 ` Stephen Smalley
2019-03-06 12:56 ` Petr Lautrbach
2019-03-06 12:58 ` [PATCH v3] " Petr Lautrbach
2019-03-06 13:26 ` Stephen Smalley
2019-03-11 15:48 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=pjdzhq9n0r9.fsf@redhat.com \
--to=plautrba@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).