* Updated SELinux release
@ 2004-08-19 19:01 Stephen Smalley
2004-08-20 3:25 ` conflict between libselinux and libsepol Colin Walters
0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2004-08-19 19:01 UTC (permalink / raw)
To: selinux
An updated SELinux release is available from
http://www.nsa.gov/selinux/. This release is based on Linux 2.6.8.1.
The stable SELinux kernel now includes revalidation of the controlling
tty upon domain transitions. The SELinux NFSv3 enhancements now include
revalidation of the inode security attributes from the server. The core
checkpolicy logic has been moved into libsepol, a library for binary
policy manipulation. Improved support for using policy booleans has
been integrated into load_policy and init, and many compile-time policy
tunables have been converted to runtime policy booleans. Updated
userland patches and SRPMS have been merged from the Fedora Core 3
development tree. A number of contributed patches have been merged for
the example policy and the policy core utilities.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* conflict between libselinux and libsepol
2004-08-19 19:01 Updated SELinux release Stephen Smalley
@ 2004-08-20 3:25 ` Colin Walters
2004-08-20 11:48 ` Stephen Smalley
0 siblings, 1 reply; 16+ messages in thread
From: Colin Walters @ 2004-08-20 3:25 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Thu, 2004-08-19 at 15:01 -0400, Stephen Smalley wrote:
> The core checkpolicy logic has been moved into libsepol, a library for binary
> policy manipulation.
There appears to be a conflict between the headers from this and
libselinux, so an application can't presently include both (I am working
on a patch to setfiles which needs this). Specifically, "struct
av_decision" is defined in both selinux/selinux.h and
sepol/flask_types.h.
Perhaps libselinux should be modified to depend on libsepol, and include
the definition from flask_types.h in selinux.h?
* Re: conflict between libselinux and libsepol
2004-08-20 3:25 ` conflict between libselinux and libsepol Colin Walters
@ 2004-08-20 11:48 ` Stephen Smalley
2004-08-20 14:52 ` Colin Walters
0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2004-08-20 11:48 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Thu, 2004-08-19 at 23:25, Colin Walters wrote:
> On Thu, 2004-08-19 at 15:01 -0400, Stephen Smalley wrote:
>
> > The core checkpolicy logic has been moved into libsepol, a library for binary
> > policy manipulation.
>
> There appears to be a conflict between the headers from this and
> libselinux, so an application can't presently include both (I am working
> on a patch to setfiles which needs this). Specifically, "struct
> av_decision" is defined in both selinux/selinux.h and
> sepol/flask_types.h.
>
> Perhaps libselinux should be modified to depend on libsepol, and include
> the definition from flask_types.h in selinux.h?
I'd rather keep them independent, as they serve different purposes
(types for the binary policy vs. types for the SELinux API) and may
diverge over time. Simplest fix would be to add a distinguishing prefix
to the sepol types to avoid namespace conflicts. But I'm a bit curious
about why setfiles would need libsepol at all, as it normally does not
have anything to do with binary policies.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: conflict between libselinux and libsepol
2004-08-20 11:48 ` Stephen Smalley
@ 2004-08-20 14:52 ` Colin Walters
2004-08-20 15:24 ` Stephen Smalley
0 siblings, 1 reply; 16+ messages in thread
From: Colin Walters @ 2004-08-20 14:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 1037 bytes --]
On Fri, 2004-08-20 at 07:48 -0400, Stephen Smalley wrote:
> I'd rather keep them independent, as they serve different purposes
> (types for the binary policy vs. types for the SELinux API) and may
> diverge over time.
Ok.
> Simplest fix would be to add a distinguishing prefix
> to the sepol types to avoid namespace conflicts.
That makes sense. I'll wait for you to fix this, since it is mostly
search-and-replace, and a patch for it would be rather huge :)
> But I'm a bit curious
> about why setfiles would need libsepol at all, as it normally does not
> have anything to do with binary policies.
Well, one problem we ran into yesterday is that the content of
file_contexts is not easily verified to ensure there are no undefined
types. During an installation, setfiles would abort after 10 errors by
default. What we want to do is verify the content during a policy
package build, to ensure this doesn't happen again.
I'm attaching my (obviously untested) patch to setfiles, I think it will
work once sepol is fixed.
[-- Attachment #2: policycoreutils-setfiles-validate.patch --]
[-- Type: text/x-patch, Size: 3735 bytes --]
--- policycoreutils-1.15.7/setfiles/setfiles.c.setfiles-validate 2004-08-16 07:57:40.000000000 -0400
+++ policycoreutils-1.15.7/setfiles/setfiles.c 2004-08-19 22:56:30.011752264 -0400
@@ -12,8 +12,9 @@
* the user. The program does not cross file system boundaries.
*
* USAGE:
- * setfiles [-dnpqsvW] [-o filename ] spec_file pathname...
+ * setfiles [-dnpqsvW] [-c policy] [-o filename ] spec_file pathname...
*
+ * -c Verify the specification file using a binary policy
* -d Show what specification matched each file.
* -n Do not change any file labels.
* -q Be quiet (suppress non-error output).
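Review bot: The synopsis in the header comment lists `[-c policy]` together with `pathname...`, but the argument check added later in this patch calls usage() unless exactly one argument (the spec_file) remains when -c is given. Give -c its own synopsis line in the comment, as the usage() string in the same patch does with `[-c policyfile] spec_file`.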
@@ -66,6 +67,7 @@
#define __USE_XOPEN_EXTENDED 1 /* nftw */
#include <ftw.h>
#include <limits.h>
+#include <sepol/services.h>
#include <selinux/selinux.h>
static int add_assoc = 1;
@@ -74,6 +76,7 @@
/*
* Command-line options.
*/
+static char *policyfile = NULL;
static int debug = 0;
static int change = 1;
static int quiet = 0;
@@ -483,7 +486,8 @@
{
fprintf(stderr,
"usage: %s [-dnqvW] [-o filename] spec_file pathname...\n"
- "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name);
+ "usage: %s [-c policyfile] spec_file\n"
+ "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
exit(1);
}
@@ -696,8 +700,33 @@
rootpathlen = len;
}
+void validate_context(const char *context, const char *progname,
+ int lineno)
+{
+ security_id_t sid;
+ int valid = 1;
+
+ if (policyfile && sepol_context_to_sid ((char *) context, strlen(context),
+ &sid) < 0) {
+ valid = 0;
+ } else if (security_check_context((char *) context) < 0 && errno != ENOENT) {
+ valid = 0;
+ inc_err();
+ }
+
+ if (!valid) {
+ fprintf(stderr, "%s: invalid context %s on line number %d\n",
+ progname, context, lineno);
+
+ /* Exit immediately if we're in checking mode. */
+ if (policyfile)
+ exit(1);
+ }
+}
+
int main(int argc, char **argv)
{
+ policydb_t *policy;
FILE *fp;
/*
For now switching up to BUFSIZ, but this should be allocated
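Review bot: In validate_context(), the `else if (security_check_context(...) < 0 && errno != ENOENT)` branch is still evaluated when policyfile is set and sepol_context_to_sid() succeeds, so in -c mode a context that is valid in the given binary policy is then also checked against the running system's policy and can be rejected. Test `policyfile` on its own and move the kernel check into the plain else branch, so that exactly one of the two checks runs.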
@@ -711,8 +740,43 @@
spec_t *spec_copy;
/* Process any options. */
- while ((opt = getopt(argc, argv, "dnqrsvWo:")) > 0) {
+ while ((opt = getopt(argc, argv, "c:dnqrsvWo:")) > 0) {
switch (opt) {
+ case 'c':
+ {
+ struct policy_file fp;
+ policyfile = optarg;
+
+ if ((policy = malloc(sizeof(policydb_t))) == NULL) {
+ fprintf(stderr, "%s: insufficient memory for policy load\n", argv[0]);
+ exit(1);
+ }
+
+ if (policydb_init(policy) < 0) {
+ fprintf(stderr, "Error initializing policy\n");
+ exit(1);
+ }
+
+ fp.fp = fopen(policyfile,"r");
+ if (!fp.fp) {
+ fprintf(stderr, "Error opening %s: %s\n",
+ policyfile, strerror(errno));
+ exit(1);
+ }
+
+ fp.type = PF_USE_STDIO;
+ if (policydb_read (policy, &fp, 0) < 0) {
+ fprintf(stderr, "Error reading policy %s\n", policyfile);
+ exit(1);
+ }
+
+ if (sepol_set_policydb (policy) < 0) {
+ fprintf(stderr, "Error setting policy %s\n", policyfile);
+ exit(1);
+ }
+
+ break;
+ }
case 'd':
debug = 1;
break;
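Review bot: The local `struct policy_file fp` in the 'c' case shadows the `FILE *fp` that main() declares, and the stream opened with fopen(policyfile,"r") is never closed once policydb_read() has finished with it. Rename the local (for example `pf`) and fclose() the stream after the read.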
@@ -760,7 +824,10 @@
}
}
- if (use_stdin) {
+ if (policyfile) {
+ if (optind != (argc - 1))
+ usage(argv[0]);
+ } else if (use_stdin) {
if (optind != (argc - 1)) {
/* Cannot mix with pathname arguments. */
usage(argv[0]);
@@ -904,13 +971,7 @@
spec_arr[nspec].context = context;
if (strcmp(context, "<<none>>")) {
- if (security_check_context(context) < 0 && errno != ENOENT) {
- fprintf(stderr,
- "%s: invalid context %s on line number %d\n",
- argv[0], context,
- lineno);
- inc_err();
- }
+ validate_context(context, argv[0], lineno);
}
/* Determine if specification has
* Re: conflict between libselinux and libsepol
2004-08-20 14:52 ` Colin Walters
@ 2004-08-20 15:24 ` Stephen Smalley
2004-08-20 19:00 ` Stephen Smalley
0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2004-08-20 15:24 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Fri, 2004-08-20 at 10:52, Colin Walters wrote:
> Well, one problem we ran into yesterday is that the content of
> file_contexts is not easily verified to ensure there are no undefined
> types. During an installation, setfiles would abort after 10 errors by
> default. What we want to do is verify the content during a policy
> package build, to ensure this doesn't happen again.
>
> I'm attaching my (obviously untested) patch to setfiles, I think it will
> work once sepol is fixed.
The shared libsepol only exports interfaces listed in libsepol.map (and
declared by convention in sepol/sepol.h), presently just the genbools
functions. The static libsepol library exports all global symbols. I
envision two very different classes of consumers of libsepol:
- Programs like checkpolicy that are tightly coupled to the binary
policy internals. Such programs will need to change for any nontrivial
changes to the binary policy internals. A stable library ABI for such
programs would be rather difficult to provide and maintain, so they must
link with the static libsepol.
- Programs like load_policy (and setfiles, in your example) that only
need simple interfaces for abstract binary policy queries or transforms,
like the genbools transforms or a context validation query. We can
provide a stable ABI for such programs, so they can use the shared
libsepol.
Hence, I would recommend that we add a function to libsepol to provide a
higher level interface for context validation against a given binary
policy, add it to libsepol.map, and declare the prototype in sepol.h for
use by setfiles.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: conflict between libselinux and libsepol
2004-08-20 15:24 ` Stephen Smalley
@ 2004-08-20 19:00 ` Stephen Smalley
2004-08-20 19:37 ` Colin Walters
0 siblings, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2004-08-20 19:00 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 455 bytes --]
On Fri, 2004-08-20 at 11:24, Stephen Smalley wrote:
> Hence, I would recommend that we add a function to libsepol to provide a
> higher level interface for context validation against a given binary
> policy, add it to libsepol.map, and declare the prototype in sepol.h for
> use by setfiles.
Patch for libsepol attached, along with a sample program. I'll add it
to the sourceforge CVS.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
[-- Attachment #2: libsepol-chkcon.patch --]
[-- Type: text/x-patch, Size: 3677 bytes --]
Index: libsepol/include/sepol/sepol.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/include/sepol/sepol.h,v
retrieving revision 1.3
diff -u -r1.3 sepol.h
--- libsepol/include/sepol/sepol.h 10 Aug 2004 14:45:39 -0000 1.3
+++ libsepol/include/sepol/sepol.h 20 Aug 2004 18:45:46 -0000
@@ -2,6 +2,7 @@
#define _SEPOL_H_
#include <sys/types.h>
+#include <stdio.h>
/* Given an existing binary policy (starting at 'data', with length 'len')
and a boolean configuration file named by 'boolpath', rewrite the binary
@@ -17,5 +18,11 @@
Returns 0 upon success or -1 otherwise. */
extern int sepol_genbools_array(void *data, size_t len, char **names, int *values, int nel);
+/* Set internal policydb from a file for subsequent service calls. */
+extern int sepol_set_policydb_from_file(FILE *fp);
+
+/* Check context validity against currently set binary policy. */
+extern int sepol_check_context(char *context);
+
#endif
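Review bot: The comments on the two new prototypes do not state the return convention, unlike the sepol_genbools_array comment just above them (`Returns 0 upon success or -1 otherwise.`). Document what sepol_set_policydb_from_file() and sepol_check_context() return on success and failure, and that the caller keeps ownership of `fp` and must close it; declaring the argument as `const char *context` would also spare callers a cast.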
Index: libsepol/src/libsepol.map
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/libsepol.map,v
retrieving revision 1.1
diff -u -r1.1 libsepol.map
--- libsepol/src/libsepol.map 10 Aug 2004 18:54:38 -0000 1.1
+++ libsepol/src/libsepol.map 20 Aug 2004 18:46:54 -0000
@@ -1,4 +1,4 @@
{
- global: sepol_genbools*;
+ global: sepol_genbools*; sepol_set_policydb_from_file; sepol_check_context;
local: *;
};
Index: libsepol/src/private.h
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/private.h,v
retrieving revision 1.2
diff -u -r1.2 private.h
--- libsepol/src/private.h 11 Aug 2004 16:06:24 -0000 1.2
+++ libsepol/src/private.h 20 Aug 2004 18:53:35 -0000
@@ -39,7 +39,7 @@
switch (fp->type) {
case PF_USE_STDIO:
nread = fread(buffer, bytes, 1, fp->fp);
- if (nread != bytes)
+ if (nread != 1)
return NULL;
break;
case PF_USE_MEMORY:
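Review bot: The `nread != 1` change in the PF_USE_STDIO case is a bug fix to the existing read path (fread() called with a count of 1 returns the number of items read, not the number of bytes) and is unrelated to the new interface. Call it out in the change description or commit it separately so the fix is not hidden inside the API addition.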
Index: libsepol/src/services.c
===================================================================
RCS file: /nfshome/pal/CVS/selinux-usr/libsepol/src/services.c,v
retrieving revision 1.5
diff -u -r1.5 services.c
--- libsepol/src/services.c 11 Aug 2004 14:57:07 -0000 1.5
+++ libsepol/src/services.c 20 Aug 2004 18:52:35 -0000
@@ -56,6 +56,21 @@
return 0;
}
+int sepol_set_policydb_from_file(FILE *fp)
+{
+ struct policy_file pf;
+ pf.fp = fp;
+ pf.type = PF_USE_STDIO;
+ if (policydb_read(&mypolicydb, &pf, 0)) {
+ fprintf(stderr, "Can't read binary policy: %s\n",
+ strerror(errno));
+ return -1;
+ }
+ policydb = &mypolicydb;
+ return 0;
+}
+
+
/*
* The largest sequence number that has been used when
* providing an access decision to the access vector cache.
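Review bot: In sepol_set_policydb_from_file(), the error path prints strerror(errno), but a failed policydb_read() does not necessarily set errno: the short-read path in private.h in this same patch simply returns NULL. Print a fixed message, or leave reporting to the caller, and say in the comment whether the function may be called more than once, since every call reads into the same `mypolicydb`.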
@@ -399,7 +414,8 @@
char *scontextp, *p, oldc;
int rc = 0;
- *sid = SECSID_NULL;
+ if (sid)
+ *sid = SECSID_NULL;
/* Copy the string so that we can modify the copy as we parse it.
The string should already by null terminated, but we append a
@@ -414,7 +430,6 @@
scontext2[scontext_len] = 0;
context_init(&context);
- *sid = SECSID_NULL;
/* Parse the security context. */
@@ -484,13 +499,19 @@
goto out;
}
/* Obtain the new sid. */
- rc = sepol_sidtab_context_to_sid(sidtab, &context, sid);
+ if (sid)
+ rc = sepol_sidtab_context_to_sid(sidtab, &context, sid);
out:
context_destroy(&context);
free(scontext2);
return rc;
}
+int sepol_check_context(char *context)
+{
+ return sepol_context_to_sid(context, strlen(context)+1, NULL);
+}
+
static inline int compute_sid_handle_invalid_context(
context_struct_t *scontext,
context_struct_t *tcontext,
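Review bot: sepol_check_context() passes `strlen(context)+1` as the length, so the terminating NUL is counted, while the first setfiles patch in this thread called sepol_context_to_sid() with `strlen(context)`; the function then writes its own terminator at `scontext2[scontext_len]`. State in the sepol_context_to_sid() comment which length callers are expected to pass, and check `context` for NULL before calling strlen() on it.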
[-- Attachment #3: chkcon.c --]
[-- Type: text/x-csrc, Size: 758 bytes --]
#include <sepol/sepol.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

void usage(char *progname)
{
	printf("usage: %s policy context\n", progname);
	exit(1);
}

int main(int argc, char **argv)
{
	FILE *fp;

	if (argc != 3)
		usage(argv[0]);

	fp = fopen(argv[1], "r");
	if (!fp) {
		fprintf(stderr, "Can't open '%s': %s\n",
			argv[1], strerror(errno));
		exit(1);
	}
	if (sepol_set_policydb_from_file(fp) < 0) {
		fprintf(stderr, "Error while processing %s: %s\n",
			argv[1], strerror(errno));
		exit(1);
	}
	fclose(fp);

	if (sepol_check_context(argv[2]) < 0) {
		fprintf(stderr, "%s is not valid\n", argv[2]);
		exit(1);
	}

	printf("%s is valid\n", argv[2]);
	exit(0);
}
* Re: conflict between libselinux and libsepol
2004-08-20 19:00 ` Stephen Smalley
@ 2004-08-20 19:37 ` Colin Walters
2004-08-20 20:54 ` Colin Walters
2004-08-23 19:23 ` Stephen Smalley
0 siblings, 2 replies; 16+ messages in thread
From: Colin Walters @ 2004-08-20 19:37 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
[-- Attachment #1.1: Type: text/plain, Size: 527 bytes --]
On Fri, 2004-08-20 at 15:00 -0400, Stephen Smalley wrote:
> On Fri, 2004-08-20 at 11:24, Stephen Smalley wrote:
> > Hence, I would recommend that we add a function to libsepol to provide a
> > higher level interface for context validation against a given binary
> > policy, add it to libsepol.map, and declare the prototype in sepol.h for
> > use by setfiles.
>
> Patch for libsepol attached, along with a sample program. I'll add it
> to the sourceforge CVS.
Cool. Here's an updated patch against setfiles.
[-- Attachment #1.2: policycoreutils-setfiles-validate.patch --]
[-- Type: text/x-patch, Size: 3691 bytes --]
--- policycoreutils-1.15.7/setfiles/setfiles.c.setfiles-validate 2004-08-16 07:57:40.000000000 -0400
+++ policycoreutils-1.15.7/setfiles/setfiles.c 2004-08-20 15:24:56.273197408 -0400
@@ -12,8 +12,9 @@
* the user. The program does not cross file system boundaries.
*
* USAGE:
- * setfiles [-dnpqsvW] [-o filename ] spec_file pathname...
+ * setfiles [-dnpqsvW] [-c policy] [-o filename ] spec_file pathname...
*
+ * -c Verify the specification file using a binary policy
* -d Show what specification matched each file.
* -n Do not change any file labels.
* -q Be quiet (suppress non-error output).
@@ -66,6 +67,7 @@
#define __USE_XOPEN_EXTENDED 1 /* nftw */
#include <ftw.h>
#include <limits.h>
+#include <sepol/sepol.h>
#include <selinux/selinux.h>
static int add_assoc = 1;
@@ -74,6 +76,7 @@
/*
* Command-line options.
*/
+static char *policyfile = NULL;
static int debug = 0;
static int change = 1;
static int quiet = 0;
@@ -483,7 +486,8 @@
{
fprintf(stderr,
"usage: %s [-dnqvW] [-o filename] spec_file pathname...\n"
- "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name);
+ "usage: %s [-c policyfile] spec_file\n"
+ "usage: %s -s [-dnqvW] [-o filename ] spec_file\n", name, name, name);
exit(1);
}
@@ -696,6 +700,28 @@
rootpathlen = len;
}
+void validate_context(const char *context, const char *progname,
+ int lineno)
+{
+ int valid = 1;
+
+ if (policyfile && sepol_check_context ((char *) context) < 0) {
+ valid = 0;
+ } else if (security_check_context((char *) context) < 0 && errno != ENOENT) {
+ valid = 0;
+ inc_err();
+ }
+
+ if (!valid) {
+ fprintf(stderr, "%s: invalid context %s on line number %d\n",
+ progname, context, lineno);
+
+ /* Exit immediately if we're in checking mode. */
+ if (policyfile)
+ exit(1);
+ }
+}
+
int main(int argc, char **argv)
{
FILE *fp;
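Review bot: In validate_context(), checking mode calls exit(1) on the first invalid context, so a build-time run reports only one bad line per invocation, and the sepol branch never reaches inc_err(). For the stated goal of verifying file_contexts during a policy build, count failures in both branches and exit non-zero after the whole spec file has been read, so that every undefined context is listed in one pass.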
@@ -711,8 +737,30 @@
spec_t *spec_copy;
/* Process any options. */
- while ((opt = getopt(argc, argv, "dnqrsvWo:")) > 0) {
+ while ((opt = getopt(argc, argv, "c:dnqrsvWo:")) > 0) {
switch (opt) {
+ case 'c':
+ {
+ FILE *policystream;
+
+ policyfile = optarg;
+
+ policystream = fopen(policyfile,"r");
+ if (!policystream) {
+ fprintf(stderr, "Error opening %s: %s\n",
+ policyfile, strerror(errno));
+ exit(1);
+ }
+
+ if (sepol_set_policydb_from_file(policystream) < 0) {
+ fprintf(stderr, "Error reading policy %s: %s\n", policyfile,
+ strerror(errno));
+ exit(1);
+ }
+ fclose(policystream);
+
+ break;
+ }
case 'd':
debug = 1;
break;
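Review bot: When sepol_set_policydb_from_file() fails, the 'c' case prints `Error reading policy %s: %s` with strerror(errno), but the libsepol function posted earlier in this thread already prints its own `Can't read binary policy` message, and errno is not guaranteed to describe the failure. Print only the file name here so the user sees one accurate message.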
@@ -760,7 +808,10 @@
}
}
- if (use_stdin) {
+ if (policyfile) {
+ if (optind != (argc - 1))
+ usage(argv[0]);
+ } else if (use_stdin) {
if (optind != (argc - 1)) {
/* Cannot mix with pathname arguments. */
usage(argv[0]);
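Review bot: The new `if (policyfile)` branch is tested before `else if (use_stdin)`, so `-c` combined with `-s` passes the argument check while use_stdin stays set, and the other options are accepted with -c even though the usage string lists `[-c policyfile] spec_file` alone. Reject -c together with -s explicitly, or document which options are ignored in checking mode.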
@@ -904,13 +955,7 @@
spec_arr[nspec].context = context;
if (strcmp(context, "<<none>>")) {
- if (security_check_context(context) < 0 && errno != ENOENT) {
- fprintf(stderr,
- "%s: invalid context %s on line number %d\n",
- argv[0], context,
- lineno);
- inc_err();
- }
+ validate_context(context, argv[0], lineno);
}
/* Determine if specification has
--- policycoreutils-1.15.7/setfiles/Makefile~ 2004-08-16 07:57:40.000000000 -0400
+++ policycoreutils-1.15.7/setfiles/Makefile 2004-08-20 15:26:51.504679560 -0400
@@ -5,7 +5,7 @@
CFLAGS = -Wall
override CFLAGS += -D_FILE_OFFSET_BITS=64
-LDLIBS += -lselinux
+LDLIBS += -lselinux -lsepol
all: setfiles
* Re: conflict between libselinux and libsepol
2004-08-20 19:37 ` Colin Walters
@ 2004-08-20 20:54 ` Colin Walters
2004-08-20 22:54 ` Joshua Brindle
2004-08-23 15:15 ` Stephen Smalley
2004-08-23 19:23 ` Stephen Smalley
1 sibling, 2 replies; 16+ messages in thread
From: Colin Walters @ 2004-08-20 20:54 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
[-- Attachment #1.1: Type: text/plain, Size: 765 bytes --]
On Fri, 2004-08-20 at 15:37 -0400, Colin Walters wrote:
> On Fri, 2004-08-20 at 15:00 -0400, Stephen Smalley wrote:
> > On Fri, 2004-08-20 at 11:24, Stephen Smalley wrote:
> > > Hence, I would recommend that we add a function to libsepol to provide a
> > > higher level interface for context validation against a given binary
> > > policy, add it to libsepol.map, and declare the prototype in sepol.h for
> > > use by setfiles.
> >
> > Patch for libsepol attached, along with a sample program. I'll add it
> > to the sourceforge CVS.
And a patch for the policy Makefile to cause it to verify the file
contexts under the "policy" target. I think this makes sense because
conceptually the file contexts is part of the whole system security
policy.
[-- Attachment #1.2: policy-fc-validate.patch --]
[-- Type: text/x-patch, Size: 469 bytes --]
--- policy-1.15.16/Makefile~ 2004-08-20 15:41:32.251785648 -0400
+++ policy-1.15.16/Makefile 2004-08-20 15:41:37.883929432 -0400
@@ -88,7 +88,9 @@
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
-policy: $(POLICYVER)
+policy: $(POLICYVER) $(FC)
+ @echo "Validating file_contexts ..."
+ setfiles -c $(POLICYVER) $(FC)
$(POLICYVER): policy.conf $(CHECKPOLICY)
$(CHECKPOLICY) -o $@ policy.conf
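Review bot: The new recipe line runs `setfiles` by bare name, so the build uses whichever setfiles is found first in PATH, while the rule just below it invokes checkpolicy through `$(CHECKPOLICY)`. Use a `$(SETFILES)` variable in the same way, so the build can be pointed at a setfiles that supports -c.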
* Re: conflict between libselinux and libsepol
2004-08-20 20:54 ` Colin Walters
@ 2004-08-20 22:54 ` Joshua Brindle
2004-08-21 0:56 ` Colin Walters
2004-08-23 12:53 ` Stephen Smalley
2004-08-23 15:15 ` Stephen Smalley
1 sibling, 2 replies; 16+ messages in thread
From: Joshua Brindle @ 2004-08-20 22:54 UTC (permalink / raw)
To: Colin Walters; +Cc: Stephen Smalley, selinux
Colin Walters wrote:
> On Fri, 2004-08-20 at 15:37 -0400, Colin Walters wrote:
> > On Fri, 2004-08-20 at 15:00 -0400, Stephen Smalley wrote:
> > > On Fri, 2004-08-20 at 11:24, Stephen Smalley wrote:
> > > > Hence, I would recommend that we add a function to libsepol to provide a
> > > > higher level interface for context validation against a given binary
> > > > policy, add it to libsepol.map, and declare the prototype in sepol.h for
> > > > use by setfiles.
> > >
> > > Patch for libsepol attached, along with a sample program. I'll add it
> > > to the sourceforge CVS.
>
> And a patch for the policy Makefile to cause it to verify the file
> contexts under the "policy" target. I think this makes sense because
> conceptually the file contexts is part of the whole system security
> policy.
How is this the case at all? Conceptually the file contexts is *not*
part of the system policy, afaik that is a major design feature of
SELinux, that the enforcement and labeling is totally separate (with the
exception of ocontext stuff of course)
I believe this is the case, unless Steve disagrees of course :)
Joshua
* Re: conflict between libselinux and libsepol
2004-08-20 22:54 ` Joshua Brindle
@ 2004-08-21 0:56 ` Colin Walters
2004-08-23 12:53 ` Stephen Smalley
1 sibling, 0 replies; 16+ messages in thread
From: Colin Walters @ 2004-08-21 0:56 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Stephen Smalley, selinux
[-- Attachment #1: Type: text/plain, Size: 657 bytes --]
On Fri, 2004-08-20 at 18:54 -0400, Joshua Brindle wrote:
> How is this the case at all? Conceptually the file contexts is *not*
> part of the system policy, afaik that is a major design feature of
> SELinux, that the enforcement and labeling is totally separate (with the
> exception of ocontext stuff of course)
This is all unrelated to enforcement, which is still entirely separate.
As for labeling - it is still a separate step to apply labels. All this
patch is doing is ensuring by default that your labels don't conflict
with the policy. If people feel strongly about it we can move it to a
separate "check" target or something.
* Re: conflict between libselinux and libsepol
2004-08-20 22:54 ` Joshua Brindle
2004-08-21 0:56 ` Colin Walters
@ 2004-08-23 12:53 ` Stephen Smalley
1 sibling, 0 replies; 16+ messages in thread
From: Stephen Smalley @ 2004-08-23 12:53 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Colin Walters, selinux
On Fri, 2004-08-20 at 18:54, Joshua Brindle wrote:
> How is this the case at all? Conceptually the file contexts is *not*
> part of the system policy, afaik that is a major design feature of
> SELinux, that the enforcement and labeling is totally separate (with the
> exception of ocontext stuff of course)
>
> I believe this is the case, unless Steve disagrees of course :)
Colin's patch is simply to allow verification of a file_contexts
configuration against a given policy at policy build time. That is
reasonable.
On a side note, the file contexts configuration has become an aspect of
the runtime "policy" in the broader sense, since it is now used during
normal system operation for things like rpm, udev, restorecon, etc
rather than only for system installation and major policy upgrades. But
it is not part of the kernel policy.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
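An added example, not code from setfiles or libsepol, of the build-time file_contexts check discussed in this thread: every spec line is checked and all failing line numbers are collected instead of stopping at the first one. The `defined_types` list, the function names and the sample text are constructed; a real check would call sepol_check_context() against the binary policy rather than consult a fixed list.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the set of types a binary policy defines. */
static const char *const defined_types[] = {
	"bin_t", "etc_t", "shadow_t", "var_log_t", NULL
};

static int type_is_defined(const char *type, size_t len)
{
	for (size_t i = 0; defined_types[i] != NULL; i++) {
		if (strlen(defined_types[i]) == len &&
		    memcmp(defined_types[i], type, len) == 0)
			return 1;
	}
	return 0;
}

/* A context is user:role:type, optionally followed by further fields.
 * Returns 1 if the type field is present and defined, 0 otherwise. */
static int context_type_ok(const char *context)
{
	const char *role = strchr(context, ':');
	const char *type = role ? strchr(role + 1, ':') : NULL;
	size_t len;

	if (type == NULL)
		return 0;
	type++;
	len = strcspn(type, ":");
	return len > 0 && type_is_defined(type, len);
}

/* Check one line of the form "regexp [-filetype] context".
 * Returns 0 if the line is valid, blank or a comment, -1 if it is invalid. */
int check_spec_line(const char *line)
{
	char f1[256], f2[256], f3[256], extra[2];
	int n = sscanf(line, "%255s %255s %255s %1s", f1, f2, f3, extra);
	const char *context;

	if (n <= 0 || f1[0] == '#')
		return 0;
	if (n < 2 || n > 3)
		return -1;
	if (n == 3 && f2[0] != '-')
		return -1;
	context = (n == 3) ? f3 : f2;
	if (strcmp(context, "<<none>>") == 0)
		return 0;	/* explicit "do not label" entry */
	return context_type_ok(context) ? 0 : -1;
}

/* Check every line of text. Stores up to max_bad failing line numbers in
 * bad[] and returns the total number of invalid lines. */
int check_file_contexts(const char *text, int *bad, int max_bad)
{
	int lineno = 0, nbad = 0;

	while (*text != '\0') {
		char line[1024];
		size_t len = strcspn(text, "\n");
		size_t copy = len < sizeof(line) - 1 ? len : sizeof(line) - 1;

		memcpy(line, text, copy);
		line[copy] = '\0';
		lineno++;
		if (check_spec_line(line) < 0) {
			if (nbad < max_bad)
				bad[nbad] = lineno;
			nbad++;
		}
		text += len;
		if (*text == '\n')
			text++;
	}
	return nbad;
}

/* Constructed sample: line 4 names an undefined type, line 8 has no type. */
static const char sample_fc[] =
	"# constructed file_contexts sample\n"
	"/etc(/.*)?\t\tsystem_u:object_r:etc_t\n"
	"/etc/shadow\t--\tsystem_u:object_r:shadow_t\n"
	"/var/log(/.*)?\t\tsystem_u:object_r:varlog_t\n"
	"/proc\t\t<<none>>\n"
	"\n"
	"/usr/bin(/.*)?\t\tsystem_u:object_r:bin_t:s0\n"
	"/opt/app\t-d\tsystem_u:object_r\n";

int main(void)
{
	int bad[16];
	int nbad = check_file_contexts(sample_fc, bad, 16);

	for (int i = 0; i < nbad && i < 16; i++)
		fprintf(stderr, "invalid context on line number %d\n", bad[i]);
	return nbad ? 1 : 0;
}
```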
* Re: conflict between libselinux and libsepol
2004-08-20 20:54 ` Colin Walters
2004-08-20 22:54 ` Joshua Brindle
@ 2004-08-23 15:15 ` Stephen Smalley
2004-08-23 15:29 ` Colin Walters
1 sibling, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2004-08-23 15:15 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Fri, 2004-08-20 at 16:54, Colin Walters wrote:
> And a patch for the policy Makefile to cause it to verify the file
> contexts under the "policy" target. I think this makes sense because
> conceptually the file contexts is part of the whole system security
> policy.
Committed, with s/setfiles/$(SETFILES)/.
Note however that the 'policy' target is not used in common practice
once the policy is installed, so if someone does local customization and
does a make (== make install by default), it won't be validated in this
manner. The spec file does a 'make policy' in the %build, so it will
perform such validation, but manual usage of the policy target is
typically limited to testing/development.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: conflict between libselinux and libsepol
2004-08-23 15:15 ` Stephen Smalley
@ 2004-08-23 15:29 ` Colin Walters
2004-08-23 15:35 ` Stephen Smalley
0 siblings, 1 reply; 16+ messages in thread
From: Colin Walters @ 2004-08-23 15:29 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
[-- Attachment #1: Type: text/plain, Size: 964 bytes --]
On Mon, 2004-08-23 at 11:15 -0400, Stephen Smalley wrote:
> On Fri, 2004-08-20 at 16:54, Colin Walters wrote:
> > And a patch for the policy Makefile to cause it to verify the file
> > contexts under the "policy" target. I think this makes sense because
> > conceptually the file contexts is part of the whole system security
> > policy.
>
> Committed, with s/setfiles/$(SETFILES)/.
Great, thanks.
> Note however that the 'policy' target is not used in common practice
> once the policy is installed, so if someone does local customization and
> does a make (== make install by default), it won't be validated in this
> manner. The spec file does a 'make policy' in the %build, so it will
> perform such validation, but manual usage of the policy target is
> typically limited to testing/development.
My personal habit has always been to do "make policy && make reload".
But maybe we should move the validation to the $(FCPATH) target?
* Re: conflict between libselinux and libsepol
2004-08-23 15:29 ` Colin Walters
@ 2004-08-23 15:35 ` Stephen Smalley
0 siblings, 0 replies; 16+ messages in thread
From: Stephen Smalley @ 2004-08-23 15:35 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Mon, 2004-08-23 at 11:29, Colin Walters wrote:
> My personal habit has always been to do "make policy && make reload".
> But maybe we should move the validation to the $(FCPATH) target?
You likely actually want it to occur on some intermediate target that
depends on both $(LOADPATH) and $(FCPATH) and rewrite the install and
reload targets to depend on that intermediate target, so that validation
always occurs on an updated (policy, file_contexts) pair.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: conflict between libselinux and libsepol
2004-08-20 19:37 ` Colin Walters
2004-08-20 20:54 ` Colin Walters
@ 2004-08-23 19:23 ` Stephen Smalley
2004-08-23 19:31 ` Colin Walters
1 sibling, 1 reply; 16+ messages in thread
From: Stephen Smalley @ 2004-08-23 19:23 UTC (permalink / raw)
To: Colin Walters; +Cc: selinux
On Fri, 2004-08-20 at 15:37, Colin Walters wrote:
> Here's an updated patch against setfiles.
Likely bug: if the context is valid in the specified binary policy but
not in the currently loaded policy on a SELinux system, then it fails
the validation check since you fall through to the
security_check_context call even if policyfile is set.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: conflict between libselinux and libsepol
2004-08-23 19:23 ` Stephen Smalley
@ 2004-08-23 19:31 ` Colin Walters
0 siblings, 0 replies; 16+ messages in thread
From: Colin Walters @ 2004-08-23 19:31 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
[-- Attachment #1.1: Type: text/plain, Size: 474 bytes --]
On Mon, 2004-08-23 at 15:23 -0400, Stephen Smalley wrote:
> On Fri, 2004-08-20 at 15:37, Colin Walters wrote:
> > Here's an updated patch against setfiles.
>
> Likely bug: if the context is valid in the specified binary policy but
> not in the currently loaded policy on a SELinux system, then it fails
> the validation check since you fall through to the
> security_check_context call even if policyfile is set.
Ah, good catch. This should fix that then.
[-- Attachment #1.2: setfiles-fix-fix.patch --]
[-- Type: text/x-patch, Size: 488 bytes --]
--- policycoreutils-1.15.7/setfiles/setfiles.c~ 2004-08-20 15:27:42.000000000 -0400
+++ policycoreutils-1.15.7/setfiles/setfiles.c 2004-08-23 15:29:26.496809832 -0400
@@ -705,8 +705,8 @@
{
int valid = 1;
- if (policyfile && sepol_check_context ((char *) context) < 0) {
- valid = 0;
+ if (policyfile) {
+ valid = (sepol_check_context ((char *) context) >= 0);
} else if (security_check_context((char *) context) < 0 && errno != ENOENT) {
valid = 0;
inc_err();