SElinux newbie seeks starter paper(s)

SElinux newbie seeks starter paper(s)

[Michael Zimmermann]

Hi list,

as a SElinux newbie I'm feeling a little bit lost with 
those rather technical papers in the SElinux documentation.

Are there some starter docs available? My goal is to
use SElinux on SuSE 8.0, but any more basic/practical
info would also be appreciated.

Thanks for any pointers and/or comments.

Michael
-- 
Michael Zimmermann  (http://vegaa.de)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SElinux newbie seeks starter paper(s)

[Carsten Grohmann]

Hi Michael,

for SuSE you will don't need other papers as the original docs.
To install you can use the README (selinux/README) in the actuell SELinux 
package. Some patches could help you to compile the utilities. You can 
found they on my homepage http://www.carstengrohmann.de (only german).
The additional SuSE-rules on my homepage are not current and complett. Send 
me a mail, if you need it.

Carsten

Am Sonntag, 22. September 2002 22:12 schrieb Michael Zimmermann:
> Hi list,
>
> as a SElinux newbie I'm feeling a little bit lost with
> those rather technical papers in the SElinux documentation.
>
> Are there some starter docs available? My goal is to
> use SElinux on SuSE 8.0, but any more basic/practical
> info would also be appreciated.
>
> Thanks for any pointers and/or comments.
>
> Michael

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SElinux newbie seeks starter paper(s)

[Russell Coker]

On Sun, 22 Sep 2002 23:50, Carsten Grohmann wrote:
> You can
> found they on my homepage http://www.carstengrohmann.de (only german).

Perhaps it might be worth-while to establish a mailing list for 
German-language SE Linux discussions?

I think that a community of German SE Linux users is starting to develop, it's 
not just the two of you, there's the people who attended my tutorial and 
presentation at Linux Kongress as well.

I think that many of the people who attended my tutorial might be nervous 
about posting questions to this forum both from being afraid of asking a 
silly question, and from fear of being misunderstood through language issues 
on an English-language list.

Carsten, you have a good grasp of SE Linux, you would be able to advise new 
German users on a German-language list, and then if you don't know the answer 
to a question they would not feel foolish about asking here.

Interested?  If so we need a location for the list, AFAIK none of the NSA 
people speak German so I doubt that they'll want to host it.  I could host 
(*) it, but having a German list hosted in Australia might not make much 
sense.  Anyone got a good Mailman machine in Germany for the task?



Russell Coker

(*)  My server that is used for the selinux-talk mailing list has suffered an 
undetermined hardware failure (suspected network hardware).  I had plans to 
move the list off it anyway, so I am moving those plans forward.  I should 
have the list going again at a new home with better hardware in a few days.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SElinux newbie seeks starter paper(s)

[Michael Zimmermann]

Thanks for your welcome,

At Montag, 23. September 2002 01:33 Russell Coker wrote:
> Perhaps it might be worth-while to establish a mailing list for
> German-language SE Linux discussions?

If you find that useful, I'm ready to host a mailing list and
a site. I'm running a professional redundant server configuration
in Germany anyway.


Greetings
-- 
Michael Zimmermann  (http://vegaa.de)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SElinux newbie seeks starter paper(s)

[Tom]

On Mon, Sep 23, 2002 at 01:33:13AM +0200, Russell Coker wrote:
> Perhaps it might be worth-while to establish a mailing list for 
> German-language SE Linux discussions?
> 
> I think that a community of German SE Linux users is starting to develop, it's 
> not just the two of you, there's the people who attended my tutorial and 
> presentation at Linux Kongress as well.

Three of you. :)


> Carsten, you have a good grasp of SE Linux, you would be able to advise new 
> German users on a German-language list, and then if you don't know the answer 
> to a question they would not feel foolish about asking here.
> 
> Interested?  If so we need a location for the list, AFAIK none of the NSA 
> people speak German so I doubt that they'll want to host it.  I could host 
> (*) it, but having a German list hosted in Australia might not make much 
> sense.  Anyone got a good Mailman machine in Germany for the task?

Yes, I've got mailman running and am currently serving half a dozen or
so mailing lists from it. If there's interest, I could easily add an
selinux-german list.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SElinux newbie seeks starter paper(s)

[Carsten Grohmann]

Am Montag, 23. September 2002 01:33 schrieb Russell Coker:
> On Sun, 22 Sep 2002 23:50, Carsten Grohmann wrote:
> > You can
> > found they on my homepage http://www.carstengrohmann.de (only german).
>
> Perhaps it might be worth-while to establish a mailing list for
> German-language SE Linux discussions?

It's a good idea. Let's start.

> Carsten, you have a good grasp of SE Linux, you would be able to advise
> new German users on a German-language list, and then if you don't know
> the answer to a question they would not feel foolish about asking here.

I am happy about this ;-)

Carsten

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Deutsche Liste

[Michael Zimmermann]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Carsten,

ich setze gerade die Liste auf. Wundere Dich also nicht über
die Mail, die Du bekommen hast, weil ich Dich als Listenowner
eingetragen habe. .o)
Wenn ich fertig bin, sage ich Bescheid.

Listenadresse: selinux-de@vegaa.de


Da wir ja mehr miteinander zu tun haben werden, möchte
ich mich kurz vorstellen. Ein Bild von mir findest Du
in meinem beruflichen Profil auf:
http://vegaa.de/kurzprofil.doc


Gruss
Michael
- -- 
Michael Zimmermann  (http://vegaa.de)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9jutl72vu22ltWBERAmgfAJ9cZUDHWCIB0bM/5gXw3Xc9JdjuwACfa4AO
uQBFfDkOub/QIqLMJuO57iI=
=ZzVg
-----END PGP SIGNATURE-----


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SElinux newbie seeks starter paper(s)

[Stephen Smalley]

On Sun, 22 Sep 2002, Michael Zimmermann wrote:

> as a SElinux newbie I'm feeling a little bit lost with
> those rather technical papers in the SElinux documentation.
>
> Are there some starter docs available?

Not really.  I would recommend skimming through the two published papers
available from http://www.nsa.gov/selinux/docs.html, and skimming through
the Configuring the SELinux Policy report available both from that page
and in the SELinux archive (selinux/doc/policy).  Tresys Technology has
written a few policy whitepapers, available from their site
http://www.tresys.com/selinux, but I think that they were based on an
older release of SELinux, and haven't tracked more recent developments.

We would welcome contributions of HOWTO-style documents.  In creating such
documents, please don't start from scratch; you should be able to leverage
some of the content of the existing papers and reports.  The published
papers and older technical reports were originally written in LaTeX, and
the newer technical reports were written in DocBook.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SElinux newbie seeks starter paper(s)

[Tom]

On Mon, Sep 23, 2002 at 08:22:23AM -0400, Stephen Smalley wrote:
> We would welcome contributions of HOWTO-style documents.  In creating such
> documents, please don't start from scratch; you should be able to leverage
> some of the content of the existing papers and reports.  The published
> papers and older technical reports were originally written in LaTeX, and
> the newer technical reports were written in DocBook.

I've long thought about doing some kind of intro document. I have given
an in-house tutorial for people with zero prior knowledge already and
will be doing a second one around next week. I will at the very collect
my notes on them in some kind of document.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: SElinux newbie seeks starter paper(s)

[Frank Mayer]

We've also been trying to put together a FAQ and hopefully will post
something in the next couple of weeks.  Frank

PS- Steve is correct, our primer papers are dated (circa March 02
release).  Much of the discussion of syntax and semantics remain valid,
but the description of the policy source file structure is obviously no
longer valid. 

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov 
> [mailto:owner-selinux@tycho.nsa.gov] On Behalf Of Stephen Smalley
> Sent: Monday, September 23, 2002 8:22 AM
> To: Michael Zimmermann
> Cc: selinux@tycho.nsa.gov
> Subject: Re: SElinux newbie seeks starter paper(s)
> 
> 
> 
> On Sun, 22 Sep 2002, Michael Zimmermann wrote:
> 
> > as a SElinux newbie I'm feeling a little bit lost with
> > those rather technical papers in the SElinux documentation.
> >
> > Are there some starter docs available?
> 
> Not really.  I would recommend skimming through the two 
> published papers available from 
> http://www.nsa.gov/selinux/docs.html, and > skimming through 
> the Configuring the SELinux Policy report available both from 
> that page and in the SELinux archive (selinux/doc/policy).  
> Tresys Technology has written a few policy whitepapers, 
> available from their site http://www.tresys.com/selinux, but 
> I think that they were based on an older release of SELinux, 
> and haven't tracked more recent developments.
> 
> We would welcome contributions of HOWTO-style documents.  In 
> creating such documents, please don't start from scratch; you 
> should be able to leverage some of the content of the 
> existing papers and reports.  The published papers and older 
> technical reports were originally written in LaTeX, and the 
> newer technical reports were written in DocBook.
> 
> --
> Stephen D. Smalley, NAI Labs
> ssmalley@nai.com
> 
> 
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux 
> mailing list. If you no longer wish to subscribe, send mail 
> to majordomo@tycho.nsa.gov with the words "unsubscribe 
> selinux" without quotes as the message.
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

checkpolicy and login names

[david caplan]

We just ran across the case where we were trying to add a login name with a
'.' in it.  When we tried to add the user to the policy, checkpolicy choked
on the '.' in the id.  The parser expects an Identifier, which is defined to
be a letter followed by a combination of letter|digit|_ of any length.

Is there a compelling reason that this definition can't be changed?  I'm not
sure if changing it would cause problems elsewhere in the policy mechanism.
There don't appear to be problems with using '.'s and '-'s in login names as
far as RedHat/Linux is concerned. I can't find any "standard" definition for
what are valid characters in a login name.  Some applications, such as ps,
that have problems with the characters just use the uid instead.  Others,
such as sendmail/pop and ssh, don't have a problem (at least in the versions
we're using).

david


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: checkpolicy and login names

[Stephen Smalley]

On Tue, 24 Sep 2002, david caplan wrote:

> We just ran across the case where we were trying to add a login name with a
> '.' in it.  When we tried to add the user to the policy, checkpolicy choked
> on the '.' in the id.  The parser expects an Identifier, which is defined to
> be a letter followed by a combination of letter|digit|_ of any length.
>
> Is there a compelling reason that this definition can't be changed?  I'm not
> sure if changing it would cause problems elsewhere in the policy mechanism.
> There don't appear to be problems with using '.'s and '-'s in login names as
> far as RedHat/Linux is concerned. I can't find any "standard" definition for
> what are valid characters in a login name.  Some applications, such as ps,
> that have problems with the characters just use the uid instead.  Others,
> such as sendmail/pop and ssh, don't have a problem (at least in the versions
> we're using).

No, we can certainly extend the checkpolicy scanner to accept more general
strings for identifiers.  The only restriction for a user name would be
that you can't use a colon, since that is a field separator in the
security context.  Feel free to submit a patch.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: checkpolicy and login names

[Russell Coker]

On Tue, 24 Sep 2002 16:32, david caplan wrote:
> We just ran across the case where we were trying to add a login name with a
> '.' in it.  When we tried to add the user to the policy, checkpolicy choked
> on the '.' in the id.  The parser expects an Identifier, which is defined
> to be a letter followed by a combination of letter|digit|_ of any length.

What about "chown user.group file"?  I think that alone is a good enough 
reason not to want to have a '.' in a user-name.

Of course there does not have to be any mapping between user-names and SE 
identities, and the SE identities should not be limited in the same way as 
Unix account names for this reason.

I could imagine a model where you might have Unixname.something as the SE 
identity...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: checkpolicy and login names

[david caplan]

chown will accept ':' or '.' as a separator when you want to specify a
group.  In the case where there is a conflict between username and group
name, it will defer to the username.  For example, if I have users foo and
foo.bar and a group bar:

chown foo.bar file

will only change the owner on file to foo.bar.  If I wanted to change it to
foo with group bar I have to use:

chown foo:bar file

It accepts foo.bar.bar to change the ownership to foo.bar and the group to
bar.  If one had a bar.bar group as well, then you'd have to enter

chown foo:bar.bar

[I think I got that right :-)]

I admit it's confusing, but it (chown) seems to be built to handle this.  It
appears, though I can find no documentation on this, that the "standard" for
a username is that it starts with a letter (upper or lower) and can be
followed by [a-zA-Z0-9._-]*

david

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]On
> Behalf Of Russell Coker
> Sent: Tuesday, September 24, 2002 1:00 PM
> To: david caplan; selinux@tycho.nsa.gov
> Subject: Re: checkpolicy and login names
>
>
> On Tue, 24 Sep 2002 16:32, david caplan wrote:
> > We just ran across the case where we were trying to add a login
> name with a
> > '.' in it.  When we tried to add the user to the policy,
> checkpolicy choked
> > on the '.' in the id.  The parser expects an Identifier, which
> is defined
> > to be a letter followed by a combination of letter|digit|_ of
> any length.
>
> What about "chown user.group file"?  I think that alone is a good enough
> reason not to want to have a '.' in a user-name.
>
> Of course there does not have to be any mapping between user-names and SE
> identities, and the SE identities should not be limited in the
> same way as
> Unix account names for this reason.
>
> I could imagine a model where you might have Unixname.something as the SE
> identity...
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: checkpolicy and login names [patch]

[Frank Mayer]

[-- Attachment #1: Type: text/plain, Size: 310 bytes --]

Attached is a patch to checkpolicy that expands the syntax of user names
to include "." and "-" characters.  User names are now a distinct syntax
(actually a superset) from other identifiers.  One should be able to add
more character to what's allowed in user names without impacting other
identifiers.  Frank

[-- Attachment #2: cp.patch --]
[-- Type: application/octet-stream, Size: 2876 bytes --]

diff -ruN checkpolicy/policy_parse.y checkpolicy.new/policy_parse.y
--- checkpolicy/policy_parse.y	Thu Sep 26 13:43:16 2002
+++ checkpolicy.new/policy_parse.y	Thu Sep 26 13:41:49 2002
@@ -99,6 +99,7 @@
 %token U1 U2 R1 R2 T1 T2
 %token NOT AND OR 
 %token IDENTIFIER
+%token USER_IDENTIFIER
 %token NUMBER
 %token EQUALS
 %token NOTEQUAL
@@ -322,10 +323,10 @@
 			| T1 op T2
 			{ $$ = (int) define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
 			  if ($$ == 0) return -1; }
-			| U1 op { if (insert_separator(1)) return -1; } names_push
+			| U1 op { if (insert_separator(1)) return -1; } user_names_push
 			{ $$ = (int) define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
 			  if ($$ == 0) return -1; }
-			| U2 op { if (insert_separator(1)) return -1; } names_push
+			| U2 op { if (insert_separator(1)) return -1; } user_names_push
 			{ $$ = (int) define_cexpr(CEXPR_NAMES, CEXPR_USER | CEXPR_TARGET, $2);
 			  if ($$ == 0) return -1; }
 			| R1 op { if (insert_separator(1)) return -1; } names_push
@@ -377,7 +378,10 @@
 users			: user_def
 			| users user_def
 			;
-user_def		: USER identifier ROLES names opt_user_ranges ';'
+user_id			: identifier
+			| user_identifier
+			;
+user_def		: USER user_id ROLES names opt_user_ranges ';'
 	                {if (define_user()) return -1;}
 			;
 opt_user_ranges		: RANGES user_ranges 
@@ -470,7 +474,7 @@
 			  $$ = addr;
 			}
     			;
-security_context_def	: identifier ':' identifier ':' identifier opt_mls_range_def
+security_context_def	: user_id ':' identifier ':' identifier opt_mls_range_def
 	                ;
 opt_mls_range_def	: ':' mls_range_def
 			|	
@@ -536,6 +540,21 @@
 identifier		: IDENTIFIER
 			{ if (insert_id(yytext,0)) return -1; }
 			;
+user_identifier		: USER_IDENTIFIER
+			{ if (insert_id(yytext,0)) return -1; }
+			;
+user_identifier_push	: USER_IDENTIFIER
+			{ if (insert_id(yytext, 1)) return -1; }
+			;
+useridentifier_list_push : user_identifier_push
+			| identifier_list_push user_identifier_push
+			;
+user_names_push		: names_push
+			| user_identifier_push
+			| '{' useridentifier_list_push '}'
+			| tilde_push user_identifier_push
+			| tilde_push '{' useridentifier_list_push '}'
+			;
 path     		: PATH
 			{ if (insert_id(yytext,0)) return -1; }
 			;
diff -ruN checkpolicy/policy_scan.l checkpolicy.new/policy_scan.l
--- checkpolicy/policy_scan.l	Thu Sep 26 13:43:17 2002
+++ checkpolicy.new/policy_scan.l	Thu Sep 26 13:41:49 2002
@@ -132,6 +132,7 @@
 T2				{ return(T2); }
 "/"({letter}|{digit}|_|"."|"-"|"/")*	{ return(PATH); }
 {letter}({letter}|{digit}|_)*	{ return(IDENTIFIER); }
+{letter}({letter}|{digit}|_|"."|"-")*	{ return(USER_IDENTIFIER); }
 {digit}{digit}*                 { return(NUMBER); }
 #[^\n]*                         { /* delete comments */ }
 [ \t\f]+			{ /* delete whitespace */ }

RE: checkpolicy and login names [patch]

[Frank Mayer]

> Attached is a patch to checkpolicy that expands the syntax of 
> user names to include "." and "-" characters.  User names are 
> now a distinct syntax (actually a superset) from other 
> identifiers.  One should be able to add more character to 
> what's allowed in user names without impacting other 
> identifiers.  Frank

I just noticed a small error in the patch that doesn't have a simple
fix; please ignore the patch until I can fix it.  Sorry Frank 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: checkpolicy and login names [patch]

[Frank Mayer]

Ok, correct patch is attached.  The cexpr_prim stuff is a little tricky;
hopefully I got it right in this patch!  Frank

> -----Original Message-----
> From: Frank Mayer [mailto:mayerf@tresys.com] 
> Sent: Thursday, September 26, 2002 2:22 PM
> To: 'Frank Mayer'; selinux@tycho.nsa.gov
> Cc: 'David Caplan'
> Subject: RE: checkpolicy and login names [patch]
> 
> 
> > Attached is a patch to checkpolicy that expands the syntax of
> > user names to include "." and "-" characters.  User names are 
> > now a distinct syntax (actually a superset) from other 
> > identifiers.  One should be able to add more character to 
> > what's allowed in user names without impacting other 
> > identifiers.  Frank
> 
> I just noticed a small error in the patch that doesn't have a 
> simple fix; please ignore the patch until I can fix it.  Sorry Frank 
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: checkpolicy and login names [patch]

[Frank Mayer]

[-- Attachment #1: Type: text/plain, Size: 192 bytes --]

> Ok, correct patch is attached.  The cexpr_prim stuff is a 
> little tricky; hopefully I got it right in this patch!  Frank

It's just not my day.  I left the attachment off my last message.

[-- Attachment #2: cp.patch --]
[-- Type: application/octet-stream, Size: 2982 bytes --]

diff -ruN checkpolicy/policy_parse.y checkpolicy.new/policy_parse.y
--- checkpolicy/policy_parse.y	Thu Sep 26 14:39:14 2002
+++ checkpolicy.new/policy_parse.y	Thu Sep 26 14:24:48 2002
@@ -99,6 +99,7 @@
 %token U1 U2 R1 R2 T1 T2
 %token NOT AND OR 
 %token IDENTIFIER
+%token USER_IDENTIFIER
 %token NUMBER
 %token EQUALS
 %token NOTEQUAL
@@ -322,10 +323,10 @@
 			| T1 op T2
 			{ $$ = (int) define_cexpr(CEXPR_ATTR, CEXPR_TYPE, $2);
 			  if ($$ == 0) return -1; }
-			| U1 op { if (insert_separator(1)) return -1; } names_push
+			| U1 op { if (insert_separator(1)) return -1; } user_names_push
 			{ $$ = (int) define_cexpr(CEXPR_NAMES, CEXPR_USER, $2);
 			  if ($$ == 0) return -1; }
-			| U2 op { if (insert_separator(1)) return -1; } names_push
+			| U2 op { if (insert_separator(1)) return -1; } user_names_push
 			{ $$ = (int) define_cexpr(CEXPR_NAMES, CEXPR_USER | CEXPR_TARGET, $2);
 			  if ($$ == 0) return -1; }
 			| R1 op { if (insert_separator(1)) return -1; } names_push
@@ -377,7 +378,10 @@
 users			: user_def
 			| users user_def
 			;
-user_def		: USER identifier ROLES names opt_user_ranges ';'
+user_id			: identifier
+			| user_identifier
+			;
+user_def		: USER user_id ROLES names opt_user_ranges ';'
 	                {if (define_user()) return -1;}
 			;
 opt_user_ranges		: RANGES user_ranges 
@@ -470,7 +474,7 @@
 			  $$ = addr;
 			}
     			;
-security_context_def	: identifier ':' identifier ':' identifier opt_mls_range_def
+security_context_def	: user_id ':' identifier ':' identifier opt_mls_range_def
 	                ;
 opt_mls_range_def	: ':' mls_range_def
 			|	
@@ -536,6 +540,23 @@
 identifier		: IDENTIFIER
 			{ if (insert_id(yytext,0)) return -1; }
 			;
+user_identifier		: USER_IDENTIFIER
+			{ if (insert_id(yytext,0)) return -1; }
+			;
+user_identifier_push	: USER_IDENTIFIER
+			{ if (insert_id(yytext, 1)) return -1; }
+			;
+user_identifier_list_push : user_identifier_push
+			| identifier_list_push user_identifier_push
+			| user_identifier_list_push identifier_push
+			| user_identifier_list_push user_identifier_push
+			;
+user_names_push		: names_push
+			| user_identifier_push
+			| '{' user_identifier_list_push '}'
+			| tilde_push user_identifier_push
+			| tilde_push '{' user_identifier_list_push '}'
+			;
 path     		: PATH
 			{ if (insert_id(yytext,0)) return -1; }
 			;
diff -ruN checkpolicy/policy_scan.l checkpolicy.new/policy_scan.l
--- checkpolicy/policy_scan.l	Thu Sep 26 14:39:14 2002
+++ checkpolicy.new/policy_scan.l	Thu Sep 26 14:19:29 2002
@@ -132,6 +132,7 @@
 T2				{ return(T2); }
 "/"({letter}|{digit}|_|"."|"-"|"/")*	{ return(PATH); }
 {letter}({letter}|{digit}|_)*	{ return(IDENTIFIER); }
+{letter}({letter}|{digit}|_|"."|"-")*	{ return(USER_IDENTIFIER); }
 {digit}{digit}*                 { return(NUMBER); }
 #[^\n]*                         { /* delete comments */ }
 [ \t\f]+			{ /* delete whitespace */ }

RE: checkpolicy and login names [patch]

[Stephen Smalley]

Thanks, merged.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: checkpolicy and login names

[Russell Coker]

On Wed, 25 Sep 2002 11:27, Brian May wrote:
> On Tue, Sep 24, 2002 at 07:00:20PM +0200, Russell Coker wrote:
> > On Tue, 24 Sep 2002 16:32, david caplan wrote:
> > > We just ran across the case where we were trying to add a login name
> > > with a '.' in it.  When we tried to add the user to the policy,
> > > checkpolicy choked on the '.' in the id.  The parser expects an
> > > Identifier, which is defined to be a letter followed by a combination
> > > of letter|digit|_ of any length.
> >
> > What about "chown user.group file"?  I think that alone is a good enough
> > reason not to want to have a '.' in a user-name.
>
> ns has a number of userids with '.' in them.
>
> Required for cgi-wrap I think.

Oh yes, I forgot about that.  If you want to have a DNS domain name as a Unix 
account name (needed for cgiwrap and some other wrapper programs for cgi-bin 
scripts) then you need the dots.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.