[idea] file contexts "alternate" keyword

[idea] file contexts "alternate" keyword

[Luke Kenneth Casson Leighton]

other possible uses of the "alternate" file context entries, made
available via a keyword extension:

mozilla, for file saving.

steven tweedie described a possible scenario in which a "helper" popup
program responded when mozilla tries to save a file.

by specifying a "keyword" e.g. "mozillahelperdownloadpasswordwasvalid"
at the end of a file context line, the helper program need only
add the appropriate keyword to the extendedmatchpathcon() function:

# this line ONLY gets activated if the mozilla helper program specifies
# the keyword to use it.
HOME_DIR/downloads/.+      ROLE_home_t mozillahelperdownloadpasswordwasvalid

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Erich Schubert]

Hi,

> # this line ONLY gets activated if the mozilla helper program specifies
> # the keyword to use it.
> HOME_DIR/downloads/.+      ROLE_home_t mozillahelperdownloadpasswordwasvalid

How do you find out later on if this was the case (for example on
relabel?)

Also i don't see your point at all. What can you do you cannot do using
an appropriate type for the "download helper" and rules?

(As i understood it you want the files downloaded with mozilla being
labeled differently?)

Greetings,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 A man doesn't know what he knows until he knows what he doesn't know. //\
              Es lohnt sich nicht, die Augen aufzumachen,              V_/_
                     wenn der Kopf im Sand steckt.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Luke Kenneth Casson Leighton]

On Fri, Sep 03, 2004 at 09:47:21PM +0200, Erich Schubert wrote:
> Hi,
> 
> > # this line ONLY gets activated if the mozilla helper program specifies
> > # the keyword to use it.
> > HOME_DIR/downloads/.+      ROLE_home_t mozillahelperdownloadpasswordwasvalid
> 
> How do you find out later on if this was the case (for example on
> relabel?)
 
 mmmm.... good point!

 scratch that idea then.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Erich Schubert]

But this brings me to a different issue:
How about allowing multiple contexts for file_contexts?
Like the first hit being the default context, subsequent hits being
additional contexts that will not be *CHANGED* by setfiles?

Let's say i'm running a web server, my standard http files have a non-
executable context. When i install a cgi i chcon it manually to
an executable context (having a different role than the web server
and the necessary rights to do so).
Then the web server can execute my cgi.
Well, until i run setfiles, which might have been told to reset the
context to the non-executable type.

Or is there some nicer way to achieve this?

BTW: is there some trick to edit files in vim without having them change
their context to the directory default?
I have a couple of scripts in /usr/local/sbin with extra contexts,
whenever i change one i need to relabel it again afterwards.

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       The best things in life are free: Friendship and Love.       //\
              Denken ist oft schwerer, als man denkt.               V_/_


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Russell Coker]

On Sat, 4 Sep 2004 10:33, Erich Schubert <erich@debian.org> wrote:
> But this brings me to a different issue:
> How about allowing multiple contexts for file_contexts?
> Like the first hit being the default context, subsequent hits being
> additional contexts that will not be *CHANGED* by setfiles?

The current method is that the last "hit" is the one that is applied.

> Let's say i'm running a web server, my standard http files have a non-
> executable context. When i install a cgi i chcon it manually to
> an executable context (having a different role than the web server

This sounds like a reasonable feature request.  But we need a good way of 
implementing it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Erich Schubert]

Hi,

> This sounds like a reasonable feature request.  But we need a good way of 
> implementing it.

We could require that they have the exact same pattern and follow each
other in the file_contexts file.
Maybe adding some flag as suggested earlier, like "alternate".

/var/www(/.*)?      system_u:object_r:httpd_sys_script_exec_t  alternate
/var/www(/.*)?      system_u:object_r:httpd_sys_content_t

(maybe adding "default" to the second, to make it more userfriendly)

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
    Go away or i'll replace you with a very small shell script.     //\
           Es ist besser, geliebt und verloren zu haben,            V_/_
                   als niemals geliebt zu haben.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Luke Kenneth Casson Leighton]

On Sat, Sep 04, 2004 at 01:38:50PM +0200, Erich Schubert wrote:
> Hi,
> 
> > This sounds like a reasonable feature request.  But we need a good way of 
> > implementing it.
> 
> We could require that they have the exact same pattern and follow each
> other in the file_contexts file.
> Maybe adding some flag as suggested earlier, like "alternate".
> 
> /var/www(/.*)?      system_u:object_r:httpd_sys_script_exec_t  alternate
> /var/www(/.*)?      system_u:object_r:httpd_sys_content_t
> 
> (maybe adding "default" to the second, to make it more userfriendly)
 
 the solution to ensuring that a setfiles run (make relabel)
 is done correctly is to record, in a separate file/database
 (e.g.  file_context_alt_labels) what the present "fourth
 parameter" is.

 [a database would be better than a flat file].

 the index would need to be the regexp (e.g. /var/www/(/.*)?) and the
 data would need to be the "fourth parameter" (e.g. "alternate").

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Erich Schubert]

Hi,

> > /var/www(/.*)?      system_u:object_r:httpd_sys_script_exec_t  alternate
> > /var/www(/.*)?      system_u:object_r:httpd_sys_content_t
> > 
> > (maybe adding "default" to the second, to make it more userfriendly)
>  
>  the solution to ensuring that a setfiles run (make relabel)
>  is done correctly is to record, in a separate file/database
>  (e.g.  file_context_alt_labels) what the present "fourth
>  parameter" is.

I don't get what you are trying to say.
Are you suggesting to log additional labels for *each file* in a
separate database? Please don't even think of that!

>  the index would need to be the regexp (e.g. /var/www/(/.*)?) and the
>  data would need to be the "fourth parameter" (e.g. "alternate").

setfiles will read file_contexts anyway, why adding another "database"?
this just increases the possible causes for failures.

The context setting principle is simple:

like previously, step through the regexps. when the regexp matches,
update the "to-be" context for this file *unless* the old "to-be"
context is the current context of the file and the last matching regexp
was the same as this.
So the necessary code changes are just
- remembering which regexp matched last
- if-statement "previous regexp == current regexp"
- if-statement "old dest context == current file context"

We don't even need these additional labels. They would just make it
easier to understand / read.
We can just say that when identical rules exist, any of them may be
fulfilled, otherwise the file is relabeled to the last context
specified.

Greetings,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
      Go away or i'll replace you with a very small shell script.     //\
 Man kann sich auch in Gesellschaft anderer einsam fühlen. Weizsäcker V_/_



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Luke Kenneth Casson Leighton]

On Sat, Sep 04, 2004 at 04:13:19PM +0200, Erich Schubert wrote:
> Hi,
> 
> > > /var/www(/.*)?      system_u:object_r:httpd_sys_script_exec_t  alternate
> > > /var/www(/.*)?      system_u:object_r:httpd_sys_content_t
> > > 
> > > (maybe adding "default" to the second, to make it more userfriendly)
> >  
> >  the solution to ensuring that a setfiles run (make relabel)
> >  is done correctly is to record, in a separate file/database
> >  (e.g.  file_context_alt_labels) what the present "fourth
> >  parameter" is.
> 
> I don't get what you are trying to say.
> Are you suggesting to log additional labels for *each file* in a
> separate database? Please don't even think of that!
 
 each file, no, each entry in file_contexts for which an "alternate"
 other than the default has been requested, yes.

 a function in libselinux1 would be required which says:

    for the following regexp line "/var/www/(/.*)?", use the
     "alternate" line in file_contexts instead of the "default".


> >  the index would need to be the regexp (e.g. /var/www/(/.*)?) and the
> >  data would need to be the "fourth parameter" (e.g. "alternate").
> 
> setfiles will read file_contexts anyway, why adding another "database"?
> this just increases the possible causes for failures.
> 
> The context setting principle is simple:
> 
> like previously, step through the regexps. when the regexp matches,
> update the "to-be" context for this file *unless* the old "to-be"
> context is the current context of the file and the last matching regexp
> was the same as this.

 unfortunately for me, this sentence contains at least two ambiguities.

 i assume, by "like previously", that you mean "as is done at present,
 with the present libselinux1 (1.16 whatever) yes?"

 what is "the last matching regexp" and what is "this" in the above
 sentence?

 where does "the last matching regexp" come from?

> So the necessary code changes are just
> - remembering which regexp matched last
> - if-statement "previous regexp == current regexp"
> - if-statement "old dest context == current file context"
> 
> We don't even need these additional labels. They would just make it
> easier to understand / read.
> We can just say that when identical rules exist, any of them may be
> fulfilled, otherwise the file is relabeled to the last context
> specified.

 where and how do you record "the last context specified"?

 that is the bit i don't get.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [idea] file contexts "alternate" keyword

[Erich Schubert]

Hi,

>     for the following regexp line "/var/www/(/.*)?", use the
>      "alternate" line in file_contexts instead of the "default".

No it is not.

> > like previously, step through the regexps. when the regexp matches,
> > update the "to-be" context for this file *unless* the old "to-be"
> > context is the current context of the file and the last matching regexp
> > was the same as this.
> 
>  unfortunately for me, this sentence contains at least two ambiguities.
> 
>  i assume, by "like previously", that you mean "as is done at present,
>  with the present libselinux1 (1.16 whatever) yes?"

Like "setfiles" does for now. Quoting russel:
> The current method is that the last "hit" is the one that is applied.

>  what is "the last matching regexp" and what is "this" in the above
>  sentence?

the previous when processing the rules in the sequence they are stored
in the file_contexts file.
"this file" is the file to be relabeled. the other "this" is the
"currently considered regexp"

>  where does "the last matching regexp" come from?

from the sequence the rules are stored and processed.

> > So the necessary code changes are just
> > - remembering which regexp matched last
> > - if-statement "previous regexp == current regexp"
> > - if-statement "old dest context == current file context"
> > 
> > We don't even need these additional labels. They would just make it
> > easier to understand / read.
> > We can just say that when identical rules exist, any of them may be
> > fulfilled, otherwise the file is relabeled to the last context
> > specified.
> 
>  where and how do you record "the last context specified"?

the new matching regexp has a context. this is the one i'm talking
about... the "last matching context specified in file_contexts"

Greetings,
Erich Schubert
-- 
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
       The best things in life are free: Friendship and Love.       //\
      Ein Freund ist ein Geschenk, das man sich selbst macht.       V_/_


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.