problem with "-" in libraries

problem with "-" in libraries

[Debian User]

Im developing a policy for a cramfs based selinux system. I cant specify the 
contexts for libraries with a "-" in the names like "libpthread-0.9.11.so". 
Checkpolicy does not accept such names int genfs_contexts. I am trying to work 
around this by recompiling everything using modified library names. Can the 
checkpolicy compiler be modified to accept this names? 

Is there a way to make a setfiles like program for genfs_contexts? Im 
considering writing software to that. 

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: problem with "-" in libraries

[Stephen Smalley]

On Sat, 6 Jul 2002, Debian User wrote:

> Im developing a policy for a cramfs based selinux system. I cant specify the
> contexts for libraries with a "-" in the names like "libpthread-0.9.11.so".
> Checkpolicy does not accept such names int genfs_contexts. I am trying to work
> around this by recompiling everything using modified library names. Can the
> checkpolicy compiler be modified to accept this names?

This is a bug in the checkpolicy scanner's definition of a path token.
We'll fix it.

> Is there a way to make a setfiles like program for genfs_contexts? Im
> considering writing software to that.

I'm not sure what you mean.  If you want genfs_contexts to be more like
the file_contexts configuration, then you need something like regex(3)
in the kernel security server to perform regular expression matching.
genfs_contexts is part of the kernel policy configuration, and is used
for filesystems that do not support persistent label mappings or one of
the fixed schemes.  setfiles is an application program that creates or
updates persistent label mappings in filesystems that support them.  It
doesn't make sense to have a setfiles-like program for genfs_contexts.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[patch] Re: problem with "-" in libraries

[Stephen Smalley]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 611 bytes --]


On Sat, 6 Jul 2002, Debian User wrote:

> Im developing a policy for a cramfs based selinux system. I cant specify the
> contexts for libraries with a "-" in the names like "libpthread-0.9.11.so".
> Checkpolicy does not accept such names int genfs_contexts. I am trying to work
> around this by recompiling everything using modified library names. Can the
> checkpolicy compiler be modified to accept this names?

The attached patch fixes the checkpolicy scanner to accept "-" in path
tokens.  This patch has also been committed to the sourceforge CVS tree.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com



[-- Attachment #2: Type: TEXT/PLAIN, Size: 727 bytes --]

Index: module/checkpolicy/policy_scan.l
===================================================================
RCS file: /cvsroot/selinux/nsa/selinux/module/checkpolicy/policy_scan.l,v
retrieving revision 1.5
diff -u -r1.5 policy_scan.l
--- module/checkpolicy/policy_scan.l	3 Jul 2002 20:39:47 -0000	1.5
+++ module/checkpolicy/policy_scan.l	8 Jul 2002 12:17:16 -0000
@@ -130,7 +130,7 @@
 T1				{ return(T1); }
 t2 |
 T2				{ return(T2); }
-"/"({letter}|{digit}|_|"."|"/")*	{ return(PATH); }
+"/"({letter}|{digit}|_|"."|"-"|"/")*	{ return(PATH); }
 {letter}({letter}|{digit}|_)*	{ return(IDENTIFIER); }
 {digit}{digit}*                 { return(NUMBER); }
 #[^\n]*                         { /* delete comments */ }

Re: [patch] Re: problem with "-" in libraries

[Debian User]

Stephen Smalley wrote:

>On Sat, 6 Jul 2002, Debian User wrote:
>
>  
>
>>Im developing a policy for a cramfs based selinux system. I cant specify the
>>contexts for libraries with a "-" in the names like "libpthread-0.9.11.so".
>>Checkpolicy does not accept such names int genfs_contexts. I am trying to work
>>around this by recompiling everything using modified library names. Can the
>>checkpolicy compiler be modified to accept this names?
>>    
>>
>
>The attached patch fixes the checkpolicy scanner to accept "-" in path
>tokens.  This patch has also been committed to the sourceforge CVS tree.
>  
>
Will apply thanks. I discovered that genfs_context  are used as 
prefixes. My policy worked somewhat by specifying only the names before 
the dash. I was able to make my system work but this is much better.

>--
>Stephen D. Smalley, NAI Labs
>ssmalley@nai.com
>
>
>  
>
>------------------------------------------------------------------------
>
>Index: module/checkpolicy/policy_scan.l
>===================================================================
>RCS file: /cvsroot/selinux/nsa/selinux/module/checkpolicy/policy_scan.l,v
>retrieving revision 1.5
>diff -u -r1.5 policy_scan.l
>--- module/checkpolicy/policy_scan.l	3 Jul 2002 20:39:47 -0000	1.5
>+++ module/checkpolicy/policy_scan.l	8 Jul 2002 12:17:16 -0000
>@@ -130,7 +130,7 @@
> T1				{ return(T1); }
> t2 |
> T2				{ return(T2); }
>-"/"({letter}|{digit}|_|"."|"/")*	{ return(PATH); }
>+"/"({letter}|{digit}|_|"."|"-"|"/")*	{ return(PATH); }
> {letter}({letter}|{digit}|_)*	{ return(IDENTIFIER); }
> {digit}{digit}*                 { return(NUMBER); }
> #[^\n]*                         { /* delete comments */ }
>  
>




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.